R0Ak (The Ring 0 Army Knife) – A Command Line Utility To Read/Write/Execute Ring Zero On For Windows 10 Systems

R0Ak (The Ring 0 Army Knife) – A Command Line Utility To Read/Write/Execute Ring Zero On For Windows 10 Systems

r0ak is a Windows command-line utility that allows you to simply learn, write, and execute kernel-mode code (with some limitations) from the command immediate, with out requiring anything aside from Administrator privileges.

Quick Peek

r0ak v1.0.0 -- Ring 0 Army Knife
Copyright (c) 2018 Alex Ionescu [@aionescu]
http://www.home windows-internals.com

USAGE: r0ak.exe
       [--execute <Address | module.ext!function> <Argument>]
       [--write   <Address | module.ext!function> <Value>]
       [--read    <Address | module.ext!function> <Size>]


The Windows kernel is a wealthy surroundings through which a whole bunch of drivers execute on a typical system, and the place 1000’s of variables containing world state are current. For superior troubleshooting, IT consultants will usually use instruments such because the Windows Debugger (WinDbg), SysInternals Tools, or write their very own. Unfortunately, utilization of those instruments is getting more and more arduous, and they’re themselves restricted by their very own entry to Windows APIs and uncovered options.
Some of right now’s challenges embrace:

  • Windows eight and later assist Secure Boot, which prevents kernel debugging (together with native debugging) and loading of take a look at-signed driver code. This restricts troubleshooting instruments to people who have a signed kernel-mode driver.
  • Even on methods with out Secure Boot enabled, enabling native debugging or altering boot choices which ease debugging capabilities will usually set off BitLocker’s restoration mode.
  • Windows 10 Anniversary Update and later embrace a lot stricter driver signature necessities, which now implement Microsoft EV Attestation Signing. This restricts the liberty of software program builders as generic “read-write-everything” drivers are frowned upon.
  • Windows 10 Spring Update now consists of buyer-dealing with choices for enabling HyperVisor Code Integrity (HVCI) which additional restricts allowable drivers and blacklists a number of third get together drivers that had “read-write-everything” capabilities resulting from poorly written interfaces and safety dangers.
  • Technologies like Supervisor Mode Execution Prevention (SMEP), Kernel Control Flow Guard (KCFG) and HVCI with Second Level Address Translation (SLAT) are making conventional Ring 0 execution ‘tips’ obsoleted, so a brand new strategy is required.

In such an surroundings, it was clear {that a} easy device which can be utilized as an emergency band-support/hotfix and to shortly troubleshoot kernel/system-stage points which can be obvious by analyzing kernel state could be useful for the neighborhood.

How it Works

Basic Architecture

r0ak works by redirecting the execution movement of the window supervisor’s trusted font validation checks when trying to load a brand new font, by changing the trusted font desk’s comparator routine with an alternate perform which schedules an govt work merchandise (WORK_QUEUE_ITEM) saved within the enter node. Then, the trusted font desk’s proper baby (which serves as the foundation node) is overwritten with a named pipe’s write buffer (NP_DATA_ENTRY) through which a customized work merchandise is saved. This merchandise’s underlying employee perform and its parameter are what is going to ultimately be executed by a devoted ExpWorkerThread at PASSIVE_LEVEL as soon as a font load is tried and the comparator routine executes, receiving the title pipe-backed mother or father node as its enter. A actual-time Event Tracing for Windows (ETW) hint occasion is used to obtain an asynchronous notification that the work merchandise has completed executing, which makes it protected to tear down the buildings, free the kernel-mode buffers, and restore regular operation.

Supported Commands
When utilizing the --execute possibility, this perform and parameter are provided by the consumer.
When utilizing --write, a customized gadget is used to change arbitrary 32-bit values anyplace in kernel reminiscence.
When utilizing --read, the write gadget is used to change the system’s HSTI buffer pointer and measurement (N.B.: This is damaging habits by way of another purposes that can request the HSTI knowledge. As that is elective Windows habits, and this device is supposed for emergency debugging/experimentation, this lack of knowledge was thought of acceptable). Then, the HSTI Query API is used to repeat again into the device’s consumer-mode tackle house, and a hex dump is proven.
Because solely constructed-in, Microsoft-signed, Windows performance is used, and all referred to as capabilities are a part of the KCFG bitmap, there isn’t any violation of any safety checks, and no debugging flags are required, or utilization of third get together poorly-written drivers.


Is this a bug/vulnerability in Windows?
No. Since this device — and the underlying approach — require a SYSTEM-stage privileged token, which might solely be obtained by a consumer operating underneath the Administrator account, no safety boundaries are being bypassed so as to obtain the impact. The habits and utility of the device is simply potential because of the elevated/privileged safety context of the Administrator account on Windows, and is known to be a by-design habits.

Was Microsoft notified about this habits?
Of course! It’s necessary to at all times file safety points with Microsoft even when no violation of privileged boundaries appears to have occurred — their groups of researchers and builders may discover novel vectors and methods to succeed in sure code paths which an exterior researcher might not have considered.
As such, in November 2014, a safety case was filed with the Microsoft Security Research Centre (MSRC) which responded: “[…] would not fall into the scope of a safety situation we’d tackle by way of our conventional Security Bulletin car. It […] pre-supposes admin privileges — a spot the place architecturally, we don’t at the moment outline a defensible safety boundary. As such, we cannot be pursuing this to repair.
Furthermore, in April 2015 on the Infiltrate convention, a chat titled Insection : AWEsomely Exploiting Shared Memory Objects was introduced detailing this situation, together with to Microsoft builders in attendance, which agreed this was at the moment out of scope of Windows’s architectural safety boundaries. This is as a result of there are actually dozens — if no more — of different methods an Administrator can learn/write/execute Ring 0 reminiscence. This device merely permits a straightforward commodification of 1 such vector, for functions of debugging and troubleshooting system points.

Can’t this be packaged up as a part of finish-to-finish assault/exploit equipment?
Packaging this code up as a library would require fastidiously eradicating all interactive command-line parsing and normal output, at which level, with out main rewrites, the ‘equipment’ would:

  • Require the goal machine to be operating Windows 10 Anniversary Update x64 or later
  • Have already elevated privileges to SYSTEM
  • Require an lively Internet reference to a proxy/firewall permitting entry to Microsoft’s Symbol Server
  • Require the Windows SDK/WDK put in on the goal machine
  • Require a smart _NT_SYMBOL_PATH surroundings variable to have been configured on the goal machine, and for about 15MB of image knowledge to be downloaded and cached as PDB recordsdata someplace on the disk

Attackers concerned about utilizing this explicit strategy — versus very many others extra cross-appropriate, no-SYSTEM-proper-requiring methods — possible already tailored their very own code based mostly on the Proof-of-Concept from April 2015 — greater than three years in the past.


Due to the utilization of the Windows Symbol Engine, you have to have both the Windows Software Development Kit (SDK) or Windows Driver Kit (WDK) put in with the Debugging Tools for Windows. The device will lookup your set up path robotically, and leverage the DbgHelp.dll and SymSrv.dll which can be current in that listing. As these recordsdata are usually not re-distributable, they can’t be included with the discharge of the device.
Alternatively, when you receive these libraries by yourself, you may modify the supply-code to make use of them.
Usage of symbols requires an Internet connection, until you may have pre-cached them domestically. Additionally, it is best to setup the _NT_SYMBOL_PATH variable pointing to an acceptable image server and cached location.
It is assumed that an IT Expert or different troubleshooter which apparently has a have to learn/write/execute kernel reminiscence (and has information of the suitable kernel variables to entry) is already greater than intimately acquainted with the above setup necessities. Please don’t file points asking what the SDK is or easy methods to set an surroundings variable.

Use Cases

  • Some driver leaked kernel pool? Why not name ntoskrnl.exe!ExFreePool and move within the kernel tackle that is leaking? What about an object reference? Go name ntoskrnl.exe!ObfDereferenceObject and have that cleaned up.
  • Want to dump the kernel DbgPrint log? Why not dump the interior round buffer at ntoskrnl.exe!KdPrintCircularBuffer
  • Wondering how huge the kernel stacks are in your machine? Try taking a look at ntoskrnl.exe!KeKernelStackSize
  • Want to dump the system name desk to search for hooks? Go print out ntoskrnl.exe!KiServiceTable

These are only some examples — all Ring 0 addresses are accepted, both by module!image syntax or straight passing the kernel pointer if recognized. The Windows Symbol Engine is used to look these up.

The device requires sure kernel variables and capabilities which can be solely recognized to exist in trendy variations of Windows 10, and was solely meant to work on 64-bit methods. These limitations are resulting from the truth that on older methods (or x86 methods), these stricter safety necessities do not exist, and as such, extra conventional approaches can be utilized as a substitute. This is a private device which I’m making accessible, and I had no want for these older methods, the place I may use a easy driver as a substitute. That being stated, this repository accepts pull requests, if anybody is concerned about porting it.
Secondly, because of the use instances and my very own wants, the next restrictions apply:

  • Reads — Limited to four GB of information at a time
  • Writes — Limited to 32-bits of information at a time
  • Executes — Limited to capabilities which solely take 1 scalar parameter

Obviously, these limitations may very well be fastened by programmatically selecting a distinct strategy, however they match the wants of a command line device and my use instances. Again, pull requests are accepted if others want to contribute their very own additions.
Note that each one execution (together with execution of the --read and --write instructions) happens within the context of a System Worker Thread at PASSIVE_LEVEL. Therefore, consumer-mode addresses shouldn’t be handed in as parameters/arguments.



Please enter your comment!
Please enter your name here

This site uses Akismet to reduce spam. Learn how your comment data is processed.