This project demonstrates arbitrary kernel code execution on a Windows 11 system with kCET enabled, to create a keylogging tool by mapping kernel memory to userland.
You can find my blog post about it here for more information.
This project uses the Meson build system and is written in C23. MSVC does not yet support C23 (I think?), so I suggest using `clang-cl` as a compiler.
Set up the `CC` and `LD` environment variables (`clang-cl` and `lld-link` if using the LLVM toolchain), then:

```
meson setup builddir
meson compile -C builddir
```
This project uses hardcoded offsets that were taken on Windows 11 22H2, build version 22261.4890. To target another version, the offsets must be updated.
All the offsets of the gadgets used are located in `include/jop/offsets.h`.
While not all gadgets have exact equivalents on other versions, the most crucial ones do, and the others have replacements (`pop rax ; ... ; jmp XXX`, `call XXX ; ... ; jmp XXX`).
- rp++ (Axel Souchet) - A great tool for searching for gadgets
- KexecDDPlus (Clément Labro / Romain Melchiorre) and KexecDD (floesen_) - The original admin-to-kernel arbitrary call primitive
- This Windows 10 keylogging implementation (eversinc33) and the original presentation of the technique (chompie / b33f)