A safety researcher has revealed an in depth evaluation demonstrating how Kernel Handle Area Structure Randomization (KASLR) protections could be circumvented on Home windows 11 24H2 techniques via exploitation of an HVCI-compatible driver with bodily reminiscence entry capabilities.
The analysis, revealed by safety researcher Yazid on June 9, 2025, presents a novel strategy to acquiring the Home windows kernel base handle by leveraging the eneio64.sys driver, which gives learn and write primitives on the system’s bodily reminiscence.
The demonstration represents a continuation of earlier analysis into exploiting HVCI-compatible kernel drivers, particularly specializing in how attackers or safety researchers can simulate the interpretation of bodily addresses into digital addresses utilizing paging constructions.
This system turns into significantly related given Microsoft’s current safety enhancements in Home windows 11 24H2, which now require SeDebugPrivilege for operations that beforehand labored from medium integrity processes, equivalent to utilizing EnumDeviceDrivers or NtQuerySystemInformation to leak kernel module addresses.
Xacone researchers famous that conventional KASLR bypass strategies have turn into more and more difficult on fashionable Home windows techniques, with instruments like prefetch-tool exhibiting inconsistent outcomes throughout completely different environments.
The researcher particularly mentions that whereas such instruments labored on host machines, they did not perform reliably on Home windows 11 24H2 digital machine environments used for testing.
The approach exploits the Low Stub, a knowledge construction constantly current initially of bodily reminiscence layouts on HVCI-enabled techniques, situated between bodily addresses 0x10000 and 0x20000.
This construction comprises numerous kernel addresses, together with these of non-exported features, although many are particular to the {Hardware} Abstraction Layer (HAL).
Technical Implementation and Reminiscence Scanning Methodology
The core innovation of this analysis lies in its strategy to figuring out the kernel’s entry level inside the Low Stub construction.
Quite than counting on hardcoded offsets or conventional enumeration strategies, the approach searches for the KiSystemStartup perform handle, which serves because the kernel’s entry level.
The researcher demonstrates the best way to parse the PE picture of ntoskrnl.exe to retrieve the Relative Digital Handle (RVA) of the entry level, then scan the Low Stub for addresses matching the final three bytes of this RVA.
Home windows 11 24H2 (Supply – GitHub)
The implementation entails a scientific reminiscence scan utilizing the next strategy: for (physical_offset = 0x10000; physical_offset < 0x20000; physical_offset += 8) to iterate via potential Low Stub areas, studying 64-bit values and evaluating them towards the recognized entry level sample.
When a match is discovered utilizing the situation if ((qword_value & 0xFFFFF) == (ntosEntryPoint & 0xFFFFF)), the kernel base handle could be calculated by subtracting the entry level’s RVA from the found handle.
The Home windows kernel’s alignment to 2MB boundaries, leveraging large-page reminiscence mappings, ensures constant handle patterns that facilitate this detection technique throughout completely different system configurations.
Automate risk response with ANY.RUN’s TI Feeds—Enrich alerts and block malicious IPs throughout all endpoints -> Request full entry
