Hashtag
#kASLR

A WordPress exploit, an AI vulnerability in WebKit, a KASLR bypass and a backdoor via OpenAI mark the evolution of hybrid threats in modern cybersecurity.

#backdoor #BigSleep #KASLR #SesameOP #Wordpress
www.matricedigitale.it/2025/11/04/e...


I created a library from prefetch-tool so you can more easily experiment with side-channel #KASLR bypasses on Windows:
github.com
For dogfooding I exploited HEVD on Windows 11 24H2:
github.com

ntoskrnl #kASLR 🚫:

r$t0=0;# and*77FFFF winload!MmArchInitialize L200;r$t0=@$exp;.while(by(@$t0)){r$t0=@$t0+1};ed@$t0-3 0;
ed MmArchKsegAddressRange 0 FFFFF800;
r$t0=SymCryptRngAesGenerate;ed@$t0 33CA8B48 E9D2;ed@$t0+6 memset-@$t0-A;

ed OslGatherEntropy C3C033;
ed BlArchGetPerformanceCounter C3C033

Part1:
Decompilation of winload!MmArchInitialize, where MmArchKsegBias is selected as a random value in the range [0; 0x77FFFF000]. So, from 0 to 30 GB (0x1E GB).
That value is used to bias MmArchKsegBase, which gets put into MmArchKsegAddressRange.Minimum. And that var is utilized for virtual address allocations, including VAs for images like ntoskrnl.exe.

Part2:
Part of the nt!MiAssignTopLevelRanges decompile. There we can observe that BaseVa for the AssignedRegionSystemImages VA region type gets assigned as the current imagebase of ntoskrnl, aligned down by 512_GB. Since BaseVa is explicitly assigned, the function will skip the call to MiAssignSystemVa() for that region type.

So despite randomization of the relative starts of most of the 0x12 regions in win11 24H2, we can assume that they are all aligned by 512_GB (or 256_TB for LA57), and the "AssignedRegionSystemImages" region type always starts at 0xFFFF_FF80_0000_0000.
And we can also assume ntoskrnl always starts in the first ~30.5_GB of that region.

The kernel VA region for system images has size 512_GB (256_TB for LA57).
And nt!MiAssignTopLevelRanges shuffles the region order before VA assignment.

So why is ntoskrnl always in the first 31_GB from 0xFFFF_FF80_0000_0000?!

That's just how winload.efi randomizes MmArchKsegBias.

#KASLR #0xFFFFFF8000000000

ITちゃんねる: PoC published that bypasses the Mac security feature "kASLR", caution advised
#kASLR #CVE202454531 #ITニュース


Nice repository collecting techniques to infer the Linux kernel base virtual address (KASLR bypass)

github.com/bcoles/kasld

#Linux #kernel #kaslr #infosec #cybersecurity
