# pdfwkrnl-exploit

## prologue

I saw this driver on loldrivers.io and thought nothing of it at first, but then I realized all we need is a vulnerable memcpy into kernel memory to call kernel functions. After remembering how a basic data-pointer swap hook works, I found one in ntoskrnl.exe called "**NtCompareSigningLevels**", and this was perfect for exploiting.

```asm
sub rsp, 28h
mov r8, cs:function_pointer
```

Boom! That's the big ol' bug: it loads a pointer from a variable inside ntoskrnl's **.data** section, which can easily be modified to point at any kernel function, and that is a big no-no.

```
.data:0000000140C1DA00 function_pointer // ntoskrnl.exe
```

## exploiting the pointer

I wrote a simple library for pdfwkrnl.sys after taking a little code from another project (https://github.com/Legcsnaec/driverMapper) *"Originally forked from ia-32-Sudo's project, his account is deleted or terminated".*

Then, at exploit time, I decided to use an offset for the **function_pointer**. I used **EnumDeviceDrivers** to get ntoskrnl's base, then used the driver to walk ntoskrnl's PE headers for exports, which gave us our export address. We then wrote over the **function_pointer** with our selected export and called the user-mode component **NtCompareSigningLevels** (exported by ntdll.dll) while passing our custom arguments. After execution we swapped the old pointer back, as if nothing had happened.

![exploit working](https://github.com/dpcpointer/pdfwkrnl-exploit/blob/main/image.png?raw=true)

## final notes

This was cool, as I racked my brain for this cool little project; it took around 5 hours. This only works for Windows 10 22H2, but the method can be applied to any function inside ntoskrnl or the win32k drivers. An NTSTATUS of STATUS_INVALID_IMAGE_HASH (0xC0000428) will always be returned, because NtCompareSigningLevels returns it whenever the value returned by the called function is not equal to 0.

All I ask for is credit for my idea. Thanks for the small read, and feel free to leave a follow or fork to show your support.

Goodbye and have a great day (:
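A defender-side check for the preconditions this writeup relies on (the vulnerable driver being present and no blocklist or HVCI standing in its way), added here as an example and not part of the pdfwkrnl-exploit project; it assumes only the driver file name given above and the standard Windows Code Integrity and Device Guard settings:

```powershell
# Added defensive check; not code from the pdfwkrnl-exploit project.
# 1) Is pdfwkrnl.sys registered or running as a kernel driver service?
# 2) Is Microsoft's vulnerable driver blocklist enforced?
# 3) Is HVCI (memory integrity) running, which enforces that blocklist?

$driverName = 'pdfwkrnl.sys'

# Win32_SystemDriver lists every kernel driver service, loaded or not.
$found = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -and ($_.PathName -like "*$driverName") }

if ($found) {
    foreach ($d in $found) {
        Write-Host "FOUND  $($d.Name) state=$($d.State) path=$($d.PathName)"
    }
} else {
    Write-Host "OK     $driverName is not registered as a system driver"
}

# Blocklist toggle documented by Microsoft under the CI\Config key.
$ciConfig  = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
$blocklist = (Get-ItemProperty -Path $ciConfig -Name 'VulnerableDriverBlocklistEnable' `
              -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
if ($blocklist -eq 1) {
    Write-Host 'OK     Vulnerable driver blocklist is enabled'
} else {
    # Absent value is treated as off here; recent Windows 11 builds turn it
    # on by default, so confirm under Windows Security > Core isolation too.
    Write-Host 'WARN   Vulnerable driver blocklist value is 0 or not set'
}

# Win32_DeviceGuard reports running services; the value 2 means HVCI.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
        -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
if ($dg -and ($dg.SecurityServicesRunning -contains 2)) {
    Write-Host 'OK     HVCI (memory integrity) is running'
} else {
    Write-Host 'WARN   HVCI is not running'
}
```

Run it from an elevated PowerShell prompt; a FOUND line for the driver together with either WARN line is the exposure described in this writeup.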