From ca2e5786ebaf926db747a1b316c6dac0e580987e Mon Sep 17 00:00:00 2001 From: _xeroxz Date: Tue, 23 Feb 2021 22:09:00 +0000 Subject: [PATCH] Update README.md --- README.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/README.md b/README.md index f0c9081..94f5cbd 100644 --- a/README.md +++ b/README.md @@ -5,6 +5,14 @@ msrexec is a small project that can be used to elevate arbitrary MSR writes to kernel execution on 64 bit Windows-10 systems. This project is part of the VDM (vulnerable driver manipulation) namespace and can be integrated into any prior VDM projects. Although this project falls under the VDM namespace, Voyager and bluepill can be used to provide arbitrary wrmsr writes. +#### Features + +* integration with VDM +* integration with Voyager and bluepill +* Use any vulnerable driver which exposes arbitrary WRMSR to obtain kernel exeuction +* Works under KVA shadowing (you will still need to run as admin however to load the driver, LSTAR points to KiSystemCall64Shadow though...) +* WARNING: does not work under most anti virus hypervisors or HVCI systems... + # Syscall - Fast System Call SYSCALL invokes an OS system-call handler at privilege level 0. It does so by ***loading RIP from the IA32_LSTAR MSR*** (after saving the address of the instruction following SYSCALL into RCX). (The WRMSR instruction ensures that the IA32_LSTAR MSR always contain a canonical address.)
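Review bot: typo in the third feature bullet, "obtain kernel exeuction" should read "obtain kernel execution". The list also mixes bullet capitalization ("integration with VDM" next to "Use any vulnerable driver ..."), and "#### Features" is an H4 sitting directly under the H1 intro while the next section is "# Syscall - Fast System Call", so "## Features" would fit the file's heading hierarchy better. The KVA shadowing bullet trails off with "LSTAR points to KiSystemCall64Shadow though..." without saying what that means for the user; finish the thought, for instance by stating that under KVA shadowing IA32_LSTAR holds the address of KiSystemCall64Shadow rather than KiSystemCall64 and whether that affects how the project must be used. In the last bullet, write "anti-virus" and drop the trailing "...", so the HVCI limitation reads as a firm statement rather than an aside, and consider adding one clause on why it does not work there so readers can tell in advance whether their system is affected.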