Lucene search
K

Windows Kernel Pointer Exposure Enumerator

🗓️ 31 May 2026 19:02:05Reported by CharlesQuinnDevType 
metasploit
 metasploit
🔗 www.rapid7.com👁 255 Views

Enumerates kernel pointers via SystemExtendedHandleInformation and categorizes by object type for research.

Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Post
  include Msf::Post::Windows::Priv
  include Msf::Post::Windows::Process
  include Msf::Auxiliary::Report
  include Msf::Exploit::Local::WindowsKernel::HandleEnum

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows Kernel Pointer Exposure Enumerator',
        'Description' => %q{
          This module enumerates kernel object pointers exposed via
          NtQuerySystemInformation with SystemExtendedHandleInformation.

          It categorizes exposed pointers by object type and provides
          observational data about kernel address space layout for
          research and educational purposes.
        },
        'License' => MSF_LICENSE,
        'Author' => ['CharlesQuinnDev'],
        'Platform' => 'win',
        'SessionTypes' => ['meterpreter'],
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [],
          'SideEffects' => []
        }
      )
    )

    register_options([
      OptInt.new('MAX_HANDLES', [true, 'Maximum handles to process (0 = unlimited)', 50000]),
      OptInt.new('TIMEOUT', [true, 'Timeout in seconds for enumeration', 30]),
      OptString.new('EXPORT_CSV', [false, 'Export results to CSV file'])
    ])
  end

  def run
    print_status('Windows Kernel Pointer Exposure Enumerator')
    print_line('=' * 80)

    fail_with(Failure::NotVulnerable, 'Unsupported environment') unless validate_environment

    print_status('Enumerating kernel object pointers...')

    @pointers = enum_system_handles(session, datastore['MAX_HANDLES'], datastore['TIMEOUT'])

    if @pointers.nil? || @pointers.empty?
      print_error('Failed to enumerate kernel pointers')
      return
    end

    print_good("Enumerated #{@pointers.size} kernel object pointers")

    display_results

    export_results if datastore['EXPORT_CSV']
  end

  def validate_environment
    sysinfo = session.sys.config.sysinfo
    @os = sysinfo['OS']
    @arch = sysinfo['Architecture']
    @computer = sysinfo['Computer']

    print_status("Target: #{@computer}")
    print_status("OS: #{@os}")
    print_status("Arch: #{@arch}")
    print_status("User: #{session.sys.config.getuid}")

    unless @arch =~ /x64|64|amd64/i
      print_error('This module only supports x64 systems')
      return false
    end

    true
  rescue StandardError => e
    print_error("Failed to get system info: #{e.message}")
    false
  end

  def display_results
    print_line
    print_line('=' * 80)
    print_line('KERNEL POINTER EXPOSURE RESULTS')
    print_line('=' * 80)

    print_line("\nSUMMARY STATISTICS:")
    print_line("  Total pointers: #{@pointers.size}")

    unique = @pointers.uniq { |p| p[:address] }.size
    print_line("  Unique addresses: #{unique}")

    if @pointers.any?
      min_addr = @pointers.map { |p| p[:address] }.min
      max_addr = @pointers.map { |p| p[:address] }.max
      print_line("  Address range: 0x#{min_addr.to_s(16)} - 0x#{max_addr.to_s(16)}")
    end

    by_type = @pointers.group_by { |p| p[:type_index] }

    print_line("\nOBJECT TYPE DISTRIBUTION:")
    by_type.sort.each do |type, ptrs|
      pct = (ptrs.size.to_f / @pointers.size * 100).round(2)
      type_name = get_type_hint(type)
      print_line("  Type #{type} (#{type_name}): #{ptrs.size} pointers (#{pct}%)")
    end

    alpc_pointers = @pointers.select { |p| (32..48).include?(p[:type_index]) }

    if alpc_pointers.any?
      print_line("\n" + '-' * 80)
      print_line('ALPC OBJECT ANALYSIS (Type Indices 32-48)')
      print_line('-' * 80)

      print_line("  Total ALPC pointers: #{alpc_pointers.size}")

      by_pid = alpc_pointers.group_by { |p| p[:pid] }
      print_line("  Found in #{by_pid.size} processes")

      print_line("\n  Processes with ALPC pointers:")
      by_pid.sort_by { |_, v| -v.size }.first(10).each do |pid, ptrs|
        proc_name = get_process_name(session, pid)
        print_line("    #{proc_name} (PID: #{pid}): #{ptrs.size} ALPC pointers")
      end

      print_line("\n  Sample ALPC kernel addresses:")
      alpc_pointers.first(10).each_with_index do |p, i|
        print_line("    #{i + 1}. Type #{p[:type_index]}: 0x#{p[:address].to_s(16)}")
      end
    end

    print_line("\n" + '=' * 80)
  end

  def export_results
    return unless datastore['EXPORT_CSV']

    timestamp = Time.now.strftime('%Y%m%d_%H%M%S')
    filename = "kernel_pointers_#{timestamp}.csv"

    csv = "PID,TypeIndex,TypeHint,Handle,Access,Address\n"
    @pointers.each do |p|
      type_hint = get_type_hint(p[:type_index])
      csv += "#{p[:pid]},#{p[:type_index]},#{type_hint},0x#{p[:handle].to_s(16)},0x#{p[:access].to_s(8)},0x#{p[:address].to_s(16)}\n"
    end

    size_str = format_file_size(csv.bytesize)

    stored_path = store_loot(
      'windows.kernel.pointers',
      'text/csv',
      session,
      csv,
      filename,
      'Windows Kernel Pointer Enumeration Results'
    )

    print_good("Results exported to: #{stored_path} (#{size_str})")
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

06 Jul 2026 19:05Current
5.9Medium risk
Vulners AI Score5.9
255