This article walks through a proof-of-concept exploit for CVE-2020-12446 in the eneio64.sys driver (Trident Z Lighting Control v1.00.08), which exposes primitives to map, read and write physical memory and can be loaded on Windows 11 with HVCI enabled. The write-up details obtaining CR3 from the Low Stub, performing virtual-to-physical translations via mapped PhysicalMemory, and abusing those primitives to steal SYSTEMâs token and spawn a SYSTEM shell. #CVE-2020-12446 #eneio64.sys
Keypoints
- eneio64.sys (Trident Z Lighting Control v1.00.08) exposes IOCTLs that map physical memory into user space using ZwOpenSection/ZwMapViewOfSection, allowing read/write access to physical memory from user mode.
- The author loaded the driver on Windows 11 (22H2, 23H2, 24H2) despite HVCI, verified permissive security descriptor rights, and used IOCTL 0x80102040 to map physical memory and IOCTL 0x80102044 to unmap it.
- By mapping the physical memory section starting at physical address 0 and reading the Low Stub range (0x10000â0x20000), the exploit locates nt!HalpLMStub to derive the kernel CR3 value from the Low Stub structure.
- With CR3 and the mapped physical memory, the author implements a virtual-to-physical translation (page-table walk through PML4/PDPT/PDT/PT) to resolve physical addresses for kernel objects.
- The exploit leaks a threadâs KTHREAD via NtQuerySystemInformation(SystemHandleInformation), converts the KTHREAD->Process pointer to a physical address, locates the System EPROCESS via Big Pool scanning (tag âProcâ), and reads Systemâs token.
- System token is copied into the current process tokenâs physical location, granting NT AUTHORITYSYSTEM privileges and launching a SYSTEM shell; driver unmap is used for cleanup.
- The full exploit code and detailed implementation notes (offsets, structure layouts, and pitfalls such as drivers using MmMapIoSpace) are available in the referenced GitHub repository and blog post.
MITRE Techniques
- [T1612 ] Develop Capabilities â The author developed a proof-of-concept exploit leveraging eneio64.sys IOCTLs and custom virtual-to-physical translation code to read/write kernel memory. Quote: âThe complete exploit source code can be found here.â
- [T1210 ] Exploitation of Vulnerability â The driver exposes IOCTL 0x80102040 to map physical memory and IOCTL 0x80102044 to unmap it, which is exploited to gain read/write primitives. Quote: âIOCTL_WINIO_MAPPHYSTOLINâ and âIOCTL_WINIO_UNMAPPHYSADDRâ
- [T1003 ] OS Credential Dumping â The exploit locates and copies the SYSTEM process token into the current process token to elevate privileges to SYSTEM. Quote: âFinally, we take System.exeâs token and copy it to the physical address referencing our processâs token.â
- [T1547 ] Boot or Logon Autostart Execution (contextual mitigation discussion) â The article references Microsoft mitigations (Vulnerable Driver Blocklist, HVCI) that aim to prevent vulnerable drivers from loading, informing the attackerâs choice of driver. Quote: âMicrosoft has reinforced Windows preminution against the loading of vulnerable drivers with the Vulnerable Driver Blocklist⌠and reinforced with HVCI.â
- [T1082 ] System Information Discovery â The author uses System information APIs (EnumDeviceDrivers, NtQuerySystemInformation for Big Pool and Handles) to find ntoskrnl base, pool addresses, and kernel object addresses. Quote: âEnumDeviceDriversâ and âNtQuerySystemInformation2(SystemBigPoolInformation)â
Indicators of Compromise
- [File name ] vulnerable kernel driver used as exploit vector â eneio64.sys (Trident Z Lighting Control v1.00.08)
- [CVE ] vulnerability identifier â CVE-2020-12446
- [IOCTL ] driver control codes exploited â IOCTL 0x80102040 (IOCTL_WINIO_MAPPHYSTOLIN), IOCTL 0x80102044 (IOCTL_WINIO_UNMAPPHYSADDR)
- [Kernel symbol/offset ] ntoskrnl offset referenced â nt!HalpLMStub offset 0x00410890 (used to locate CR3), plus EPROCESS token offset (referenced as EPROCESS_TOKEN_OFFSET) and KTHREAD->Process offset (KTHREAD_PROCESS_OFFSET)
- [GitHub repo ] exploit source location â referenced as âThe full exploit is available on this Github repositoryâ (exact repo URL provided in the original article)
Read more: https://xacone.github.io/eneio-driver.html