## https://sploitus.com/exploit?id=7004A1F2-9DB9-5904-9F61-0492A070C636
# MyPortIO-Exploit

Local privilege escalation via arbitrary physical memory read/write in
`MyPortIO_x64.sys` (Nuvoton Technology, bundled with ASRock Polychrome RGB).

![Demo - admin to SYSTEM on Win11 25H2 with HVCI](docs/demo.png)

See [docs/ANALYSIS.md](docs/ANALYSIS.md) for the vulnerability analysis
and [docs/ghidra_decompile.c](docs/ghidra_decompile.c) for the annotated
Ghidra decompilation of the vulnerable IOCTL handlers.

## Build

Requires `x86_64-w64-mingw32-gcc` with UCRT support (cross-compile from Linux).

```
make
```

## Usage

The vulnerable driver is included in `driver/`.

```
MyPortIO-POC.exe                     # full exploit chain
MyPortIO-POC.exe --load driver\MyPortIO_x64.sys
MyPortIO-POC.exe --elevate
MyPortIO-POC.exe --test-rw
MyPortIO-POC.exe --test-port
MyPortIO-POC.exe --dump 0x1000 256
MyPortIO-POC.exe --info
MyPortIO-POC.exe --unload
```

## Exploit Chain

1. Module stomp - map wmiutils.dll as SEC_IMAGE for memory cover
2. AMSI bypass - hardware breakpoint on AmsiScanBuffer via VEH
3. ETW blind - EtwEventWrite patched to ret
4. Superfetch VA-to-PA translation cache via NtQuerySystemInformation class 79
5. Leak System EPROCESS via handle table (NtOpenProcess + SystemHandleInformation)
6. Walk ActiveProcessLinks via Superfetch translate + physical read
7. Overwrite current process token with System token
8. PPL self-elevation to WinTcb-Light (0x61 to EPROCESS.PS_PROTECTION)
9. Spawn SYSTEM shell via NtCreateUserProcess

The chain is HVCI-safe: it performs no page table walks and no low stub scans via MmMapIoSpace. All VA-to-PA translation uses the Superfetch PFN database.
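The chain above starts by loading `MyPortIO_x64.sys`, which registers it as a kernel driver service. The following PowerShell check is an added defensive example, not code from this repository: it reports whether the driver is registered or running on the local host and records the on-disk hash and signer for comparison with the vendor's release. The driver file name comes from this README; the search directories are assumptions.

```powershell
# Added defensive check, not part of the MyPortIO-Exploit repository.
# Looks for the vulnerable Nuvoton driver on the local host, first as a
# registered kernel driver service and then as a file on disk.
# Run from an elevated prompt for complete results.
$driverName = 'MyPortIO_x64.sys'   # file name as given in the README

# 1. Kernel driver services whose image path points at the driver.
#    State 'Running' means the vulnerable IOCTL surface is currently reachable.
$services = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -and $_.PathName -match [regex]::Escape($driverName) }

foreach ($s in $services) {
    [pscustomobject]@{
        Check     = 'SystemDriver'
        Name      = $s.Name
        State     = $s.State
        StartMode = $s.StartMode
        Path      = $s.PathName
    }
}

# 2. On-disk copies. The README's --load option points at a copy shipped
#    alongside the PoC rather than the system driver directory, so search
#    user-writable locations too (assumed set of roots, extend as needed).
$searchRoots = @(
    "$env:SystemRoot\System32\drivers",
    $env:TEMP,
    $env:USERPROFILE
)
$files = foreach ($root in $searchRoots) {
    if (Test-Path -LiteralPath $root) {
        Get-ChildItem -LiteralPath $root -Filter $driverName -Recurse -File -ErrorAction SilentlyContinue
    }
}

foreach ($f in $files) {
    $sig = Get-AuthenticodeSignature -LiteralPath $f.FullName
    [pscustomobject]@{
        Check  = 'File'
        Path   = $f.FullName
        SHA256 = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
        Signer = $sig.SignerCertificate.Subject
        Status = $sig.Status
    }
}

if (-not $services -and -not $files) {
    "$driverName not found as a driver service or in the searched directories."
}
```

The reported SHA256 is what you would compare against the current Microsoft recommended driver block rules (WDAC); a block rule for this file, where present, is the control that stops the `--load` step rather than anything later in the chain.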

All NT calls go through SysWhispers4 indirect syscall stubs with
RecycledGate SSN resolution. The SSN table is encrypted at rest with a
per-entry layered cipher (XOR + ROL/ROR + ADD/SUB) and a runtime environmental
key derived from ntdll .text. Each build produces unique cryptographic
material via `scripts/gen_ssn_cipher.py`.

## Evasion

- **SysWhispers4** - indirect syscalls, RIP in ntdll at kernel entry
- **Layered SSN cipher** - per-entry 3-layer encrypt + runtime env key
- **AMSI bypass** - hardware breakpoint on AmsiScanBuffer + VEH, no memory patches
- **ETW blind** - EtwEventWrite patched to ret, suppresses user-mode telemetry
- **PPL WinTcb-Light** - signer level 6, above Defender antimalware level 3
- **Module stomping** - wmiutils.dll mapped as SEC_IMAGE for memory cover
- **Superfetch VA-to-PA** - HVCI-safe address translation via PFN database
- **String elimination** - high-value strings built on stack at runtime
- **IAT minimization** - exploit code resolves APIs via PEB walk (CRT startup adds its own)
- **PE sanitization** - GCC/MinGW toolchain strings stripped, COFF timestamp zeroed
- **Build hygiene** - -fno-ident, -ffile-prefix-map, --no-insert-timestamp

## Disclaimer

This repository is published for educational and authorized security research
purposes only. The code, documentation, and driver binary are provided as-is
to demonstrate a vulnerability in a third-party kernel driver.

The author assumes no liability for misuse, damage, or any illegal activity
performed using this software. You are solely responsible for ensuring that
your use complies with all applicable local, state, national, and
international laws. Use on systems you do not own or have explicit written
authorization to test is prohibited.

The vulnerable driver (MyPortIO_x64.sys) is the intellectual property of
Nuvoton Technology Corporation and is included solely for reproducibility of
the documented vulnerability.

## Credits

- [SysWhispers4](https://github.com/JoasASantos/SysWhispers4) - indirect syscall stub generation
- [Cloakwork](https://github.com/ck0i/Cloakwork) - layered polymorphic encryption
- [obfuscxx](https://github.com/nevergiveupcpp/obfuscxx) - XTEA compile-time obfuscation
- [S12/0x12Dark Development](https://medium.com/@s12deff) - Cloakwork 2.0, PPL manipulation, in-memory driver loading
- [Outflank](https://www.outflank.nl/blog/2023/12/14/mapping-virtual-to-physical-adresses-using-superfetch/) - Superfetch VA-to-PA translation
- [I3r1h0n/SuperFetch](https://github.com/I3r1h0n/SuperFetch) - Superfetch PFN query implementation