GhostKatz

Dump LSASS via physical memory read primitives in vulnerable kernel drivers

Install / Use

/learn @RainbowDynamix/GhostKatz
README

GhostKatz

Extract LSASS credentials directly from physical memory by abusing signed, vulnerable kernel drivers that expose a physical memory read primitive through MmMapIoSpace, bypassing traditional user-mode detection.

This tool was developed in collaboration between Julian Peña and Eric Esquivel.

This release of GhostKatz uses drivers that have already been publicly disclosed as vulnerable. For best results, GhostKatz is intended to operate with kernel drivers that expose a read-memory primitive and are neither blocked at load time nor publicly known. This public release does not include exploits for previously undisclosed drivers. Instead, the project is designed to be modular and extensible, allowing users to research their own drivers and integrate them by extending the read-memory primitive functions in utils.c. Internally, we have automated the discovery and exploitation process and maintain several signed kernel drivers with written exploits.

If you would like to contribute, please see the contribution documentation.

Why did we make GhostKatz?

We wanted to start learning how to exploit kernel drivers and thought this would be a cool project. We were also inspired when we saw Outflank's KernelKatz tool and wanted to use it, but we do not have Outflank since we are students. So we made our own.

Usage

Run make to compile the BOFs.

Load the ghostkatz.cna Aggressor Script into your Script Manager.

To run GhostKatz, use the command ghostkatz [logonpasswords/wdigest] -prv <provider id>.

You can run the help command in your Beacon console with: help ghostkatz.

beacon> help ghostkatz
Synopsis: ghostkatz [logonpasswords/wdigest] -prv <provider id>
Description:
  Dump credentials from LSASS by using signed kernel drivers to read physical memory.

Examples:
  ghostkatz logonpasswords -prv 1
  ghostkatz wdigest

Demo

GhostKatz Demo

Tested Windows Versions

These are simply the versions we manually stress tested. Major versions such as 1607 should not have breaking changes across minor build updates.

  • Windows Server 2012 R2
    • Version 6.3 (OS Build: 9600)
  • Windows Server 2016
    • Version 1607 (OS Build: 14393.693)
  • Windows Server 2019
    • Version 1809 (OS Build: 17763.3650)
  • Windows 10
    • Version 21H2 (OS Build: 19044.6809)
    • Version 22H2 (OS Build: 19045.6466)
  • Windows Server 2022
    • Version 21H2 (OS Build: 20348.587)

Warning: While GhostKatz has been tested thoroughly, you should use discretion if deploying in production. GhostKatz leverages vulnerable kernel drivers. It is possible errors may result in a BSOD.

Providers

Drivers that can be exploited with GhostKatz

| Id | Vendor      | Driver Name  | SHA256                                                           |
|----|-------------|--------------|------------------------------------------------------------------|
| 1  | Toshiba     | TPwSav       | 011df46e94218cbb2f0b8da13ab3cec397246fdc63436e58b1bf597550a647f6 |
| 2  | TechPowerUp | ThrottleStop | 16f83f056177c4ec24c7e99d01ca9d9d6713bd0497eeedb777a3ffefa99c97f0 |
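As an added defensive check that is not part of GhostKatz or its repository, the following PowerShell hashes every kernel driver registered on a host and reports any whose SHA256 matches one of the two provider drivers in the table above. It assumes the drivers are still present on disk at the path Windows records for the service.

```powershell
# Added example (not GhostKatz code): flag loaded/registered kernel drivers whose
# SHA256 matches a known-vulnerable provider driver from the table above.
$knownVulnerable = @{
    '011df46e94218cbb2f0b8da13ab3cec397246fdc63436e58b1bf597550a647f6' = 'Toshiba TPwSav'
    '16f83f056177c4ec24c7e99d01ca9d9d6713bd0497eeedb777a3ffefa99c97f0' = 'TechPowerUp ThrottleStop'
}

Get-CimInstance -ClassName Win32_SystemDriver | ForEach-Object {
    # PathName may be empty, or carry a \??\ or \SystemRoot\ prefix; normalize it.
    $path = $_.PathName
    if ([string]::IsNullOrEmpty($path)) { return }
    $path = $path -replace '^\\\?\?\\', ''
    $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if (-not (Test-Path -LiteralPath $path)) { return }

    $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash.ToLower()
    if ($knownVulnerable.ContainsKey($hash)) {
        [pscustomobject]@{
            Service = $_.Name
            State   = $_.State      # Running means the read primitive is reachable now
            Path    = $path
            Match   = $knownVulnerable[$hash]
        }
    }
}
```

A match on a host where neither vendor product is expected is a strong BYOVD indicator; pair it with Microsoft's vulnerable driver blocklist, since the README notes the technique works best with drivers that are not yet blocked at load time.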

Resources

Special Thanks

Thank you to ch3rn0byl and Cedric for your time answering the dumb questions we had on the kernel, drivers, and Superfetch.


Security Score

95/100

Audited on Mar 30, 2026

No findings