Share
## https://sploitus.com/exploit?id=6FF86B95-3B7F-52AA-B6C9-4C223CBCCB9D
# ntoskrnl-metadata

An IDA Python script for extracting critical kernel metadata from Windows ntoskrnl.exe binaries. This tool automatically extracts function RVAs and `_EPROCESS` structure offsets required for developing exploits targeting **CVE-2026-40369** and other kernel vulnerabilities.

## Purpose

This tool aids in compiling successful exploits for **CVE-2026-40369** by automatically extracting version-specific kernel metadata that must be hardcoded into exploit payloads. The extracted values ensure proper function hooking and structure member access across different Windows builds and patch levels.

## Features

- **Automatic Function RVA Extraction**: Retrieves RVAs for key kernel functions:
  - `ExpGetProcessInformation`
  - `ExpQuerySystemInformation`
  - `CmpLayerVersionCount`
  - `CmpLayerVersions`
  - `PsInitialSystemProcess`

- **_EPROCESS Structure Offsets**: Extracts member offsets for:
  - `UniqueProcessId`
  - `ActiveProcessLinks`
  - `Token`
  - `ImageFileName`

- **Ready-to-Use Output**: Generates formatted output ready to paste directly into CVE-2026-40369 exploit code

## Requirements

- **IDA Pro** (with Python support)
- **Windows PDB symbols** loaded for ntoskrnl.exe
- **ida_typeinf module** (included with IDA Pro)

## Usage

1. Open ntoskrnl.exe in IDA Pro
2. Load the matching Windows PDB symbols:
   - File โ†’ Load File โ†’ PDB File
   - Select the ntoskrnl.pdb for your Windows version
3. Run the script:
   - File โ†’ Script File โ†’ Select `extract_metadata.py`
   - Or: File โ†’ Python โ†’ Run script

4. The script will output:
   - All function RVAs with their memory addresses
   - _EPROCESS structure member offsets
   - A formatted row ready for paste into exploit code

## Output Example

```
=== RVAs (image base = 0x140000000) ===
  ExpGetProcessInformation: ea=0x1400a1234  rva=0xa1234
  ExpQuerySystemInformation: ea=0x1400a5678  rva=0xa5678
  ...

=== _EPROCESS member offsets ===
  _EPROCESS.UniqueProcessId: 0x440
  _EPROCESS.ActiveProcessLinks: 0x448
  _EPROCESS.Token: 0x4d8
  _EPROCESS.ImageFileName: 0x5e8

=== g_builds[] row (paste at poc.c:146) ===
    { 26200, 8037, 0xA1234, 0xA5678, 0x440, 0x448, 0x4D8, 0x5E8 },
```

## Troubleshooting

| Error | Solution |
|-------|----------|
| "NOT FOUND (PDB not loaded?)" | Load the correct Windows PDB file for your ntoskrnl.exe version |
| "_EPROCESS not in Local Types" | Ensure PDB is properly loaded; try File โ†’ Load File โ†’ PDB File |
| Script runs but no output | Check that IDA Python console is open (Windows โ†’ Output windows โ†’ Python) |

## Supported Versions

This script works with any Windows ntoskrnl.exe version where PDB symbols are available. Tested with Windows 10 and Windows 11.

## Notes

- RVAs are calculated relative to the image base displayed in the output
- All offsets are in bytes (converted from IDA's bit offsets)
- The generated output format is compatible with CVE-2026-40369 exploit frameworks
- Ensure you have the correct PDB version matching your ntoskrnl.exe

## License

This tool is provided as-is for security research and authorized analysis purposes only.