An x86_64 Windows kernel implant exposing a read/write primitive for usermode, implemented using ROP (return oriented programming).
roprw is designed to provide a proof of concept for evading detection from video game anti-cheats using ROP.
git clone https://github.com/krispybyte/roprw.git
cd roprw
mkdir build/
cd build/
cmake ..
cmake --build . --config Release # Release build
cmake --build . --config Debug # Debug build
- Ensure the vulnerable driver athpexnt.sys is loaded (found in drivers/); this is required in order to bootstrap the implant. You are free to modify the project's code to support any other vulnerable driver.
- Make sure your target process is running. The project's demo currently performs a memory read from notepad.exe as a demo target.
- Execute roprw. You may be required to run the project as an admin user on newer Windows builds.
ROP is used instead of traditional shellcode to minimize executable memory usage and explore limited detection surfaces related to control flow abuse rather than any injected code.
For most of the gadgets used, I have deliberately chosen gadgets which exist universally across all recent versions of ntoskrnl.exe, ranging from Windows 10 22H2 up until Windows 11 25H2 and some insider builds. The gadgets which are not present in some of these versions have replacements selected by if-else statements comparing the build number (e.g. this code example).
Currently, the offsets the project uses for the gadgets are hardcoded, so they must be replaced manually; this is expected to be resolved in the future. This means that the project currently only supports the latest Windows builds, unless you check out an older commit or manually modify the offsets.
I recommend finding gadget offsets using ropper.
If you are interested in seeing examples of how I've updated gadget offsets in the past, see the PRs for issues 51 and 35.
This project uses a vulnerable driver (athpexnt.sys) to patch kernel code and be able to call arbitrary kernel functions from usermode (pretty much equivalent to the VDM project). This is needed to call into several functions which bootstrap our kernel ROP thread, such as ExAllocatePool2, PsCreateSystemThread, etc.
Once a system thread is created, it executes our ROP chain, which performs the following:
- Open the usermode event objects using ZwOpenEvent; these are used for event synchronization.
- Await the usermode client program sending the PID of the target process. All communication is done via a shared buffer being copied.
- Pivot to a new stack (the main stack), which is the equivalent of the body of a while (true) loop, meaning it will execute continuously.
- Every iteration, this stack awaits a new request from usermode using the event synchronization.
- Once a request is retrieved, it copies the argument data needed (source address, destination address, etc.) and calls MmCopyVirtualMemory using them. This performs a memory read or a write according to the usermode client's choice.
I will be updating this project with more technical documentation and a diagram. Regardless I recommend you read the source code and go through the comments to understand it better.
roprw currently loads a vulnerable driver and patches kernel code in order to bootstrap the implant. This is a violation of HVCI's W^X security policy, so the project is not HVCI compatible, but this may be fixable.
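An added defender-side check, not part of the roprw project, for the two preconditions this README describes (HVCI not enforcing W^X, and the vulnerable driver being loaded). The driver name athpexnt.sys comes from the page; the CIM class names are standard Windows classes, and the verdict strings are constructed here.

```powershell
# Added example (not roprw's own code): verify whether a host is in the state
# the README relies on for bootstrapping, from a defender's point of view.
# Assumes an elevated PowerShell session on Windows 10/11.

$vulnerableDriver = 'athpexnt'   # athpexnt.sys, the driver named in the README

# 1. Is HVCI (memory integrity) running? Win32_DeviceGuard reports running
#    services as a list of codes; 2 = Hypervisor-enforced Code Integrity.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                      -ClassName Win32_DeviceGuard
$hvciRunning = [bool]($dg.SecurityServicesRunning -contains 2)

# 2. Is the vulnerable driver registered or loaded? Win32_SystemDriver lists
#    kernel drivers with their service state and on-disk path.
$driver = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.Name -eq $vulnerableDriver -or
                   $_.PathName -match "\\$vulnerableDriver\.sys$" }
$driverLoaded = [bool]($driver | Where-Object { $_.State -eq 'Running' })

# 3. Summarise. Without HVCI the kernel code patch the README describes is
#    possible; with HVCI on, a present-but-unloaded driver is still worth
#    blocking (e.g. via a WDAC driver blocklist) before it can be loaded.
$verdict = if (-not $hvciRunning) {
    'HVCI off: kernel code patching via a vulnerable driver is not blocked'
} elseif ($driver) {
    'HVCI on, but the vulnerable driver is present: block or remove it'
} else {
    'HVCI on and the vulnerable driver is absent'
}

[pscustomobject]@{
    HvciRunning            = $hvciRunning
    VulnerableDriverFound  = [bool]$driver
    VulnerableDriverLoaded = $driverLoaded
    DriverPath             = ($driver | ForEach-Object PathName) -join ';'
    Verdict                = $verdict
}
```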
This project is intended for educational and research purposes only. It demonstrates kernel ROP techniques and detection surface exploration and is not intended for use in live environments.
The project is not yet complete and there are still things left to be done; the major changes planned are described in the GitHub page's issues tab.
Pull requests are welcome!
