Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
UNCLASSIFIED
PIQUE PoC Delivery
Final - Direct Kernel Object Manipulation (DKOM)
(U) Executive Summary
(U) Upon further research into using NtQuerySystemInformation() to obtain the NT kernel image base address, and from it the address of the Kernel Processor Control Region (KPCR), thereby bypassing kernel ASLR so that kernel-resident pointers can be modified to hide a process, we have concluded that this approach is no longer available on Windows 8.0 and later. Beginning with Windows 8.0, Microsoft no longer allows the use of NtQuerySystemInformation(), and its replacement API does not expose the NT kernel image base address, which is essential to implementing user-mode DKOM. Figure 1 shows Microsoft’s warning that NtQuerySystemInformation should not be used because it “may be altered or unavailable in future versions of Windows.”
Figure 1. Microsoft Notification of Potential Deprecation
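(U) The first step of the approach described above, recovering the NT kernel image base from the SystemModuleInformation (class 11) buffer returned by NtQuerySystemInformation(), as an added worked example that is not part of the original PIQUE deliverable. The RTL_PROCESS_MODULES / RTL_PROCESS_MODULE_INFORMATION layouts are the undocumented ones, written here with fixed-width types so the parser compiles on any platform; the live query is compiled only on Windows, and the sample module list is constructed, not captured from a real system. The KPCR derivation and the pointer modification that follow it are not shown. The parser returns 0 when the kernel entry is missing or its ImageBase is reported as 0, so a caller can detect the "address withheld" condition instead of working from a bogus pointer.

```c
/* Locate the NT kernel image base from a SystemModuleInformation buffer.
 * Struct layouts follow the undocumented RTL_PROCESS_MODULES family, with
 * fixed-width types so the parser also compiles and runs off-Windows. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

typedef struct {
    void     *Section;
    void     *MappedBase;
    void     *ImageBase;          /* kernel-mode address of the loaded image */
    uint32_t  ImageSize;
    uint32_t  Flags;
    uint16_t  LoadOrderIndex;
    uint16_t  InitOrderIndex;
    uint16_t  LoadCount;
    uint16_t  OffsetToFileName;   /* offset of the file name inside FullPathName */
    uint8_t   FullPathName[256];
} RTL_PROCESS_MODULE_INFORMATION;

typedef struct {
    uint32_t NumberOfModules;
    RTL_PROCESS_MODULE_INFORMATION Modules[1];   /* NumberOfModules entries follow */
} RTL_PROCESS_MODULES;

/* File names the NT kernel image has shipped under. */
static const char *KERNEL_NAMES[] = {"ntoskrnl.exe", "ntkrnlpa.exe", "ntkrnlmp.exe", "ntkrpamp.exe"};

static int ieq(const char *a, const char *b) {           /* case-insensitive equality */
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

/* Walk the module list and return the kernel's ImageBase. Returns 0 if the buffer
 * is truncated, no kernel entry is present, or the kernel reported the base as 0. */
uintptr_t find_kernel_base(const RTL_PROCESS_MODULES *mods, size_t buf_len) {
    size_t hdr = offsetof(RTL_PROCESS_MODULES, Modules);
    if (!mods || buf_len < hdr) return 0;
    if (mods->NumberOfModules > (buf_len - hdr) / sizeof(RTL_PROCESS_MODULE_INFORMATION))
        return 0;                                        /* never read past the buffer */
    for (uint32_t i = 0; i < mods->NumberOfModules; i++) {
        const RTL_PROCESS_MODULE_INFORMATION *m = &mods->Modules[i];
        if (m->OffsetToFileName >= sizeof m->FullPathName) continue;
        if (!memchr(m->FullPathName, 0, sizeof m->FullPathName)) continue;  /* unterminated */
        const char *name = (const char *)m->FullPathName + m->OffsetToFileName;
        for (size_t k = 0; k < sizeof KERNEL_NAMES / sizeof *KERNEL_NAMES; k++)
            if (ieq(name, KERNEL_NAMES[k])) return (uintptr_t)m->ImageBase;
    }
    return 0;
}

/* Constructed sample list (not captured from a real system). kernel_base = 0 models
 * a kernel that withholds the address. Returns a pointer into static aligned storage. */
static union { uint64_t align; uint8_t bytes[4096]; } g_sample;
const RTL_PROCESS_MODULES *build_sample_modules(uintptr_t kernel_base, size_t *out_len) {
    static const struct { const char *path; uintptr_t base; } entries[] = {
        {"\\SystemRoot\\system32\\ntoskrnl.exe",      0},                     /* base set below */
        {"\\SystemRoot\\system32\\hal.dll",           (uintptr_t)0xFFFFF80012D00000ull},
        {"\\SystemRoot\\System32\\drivers\\ACPI.sys", (uintptr_t)0xFFFFF80013000000ull},
    };
    size_t n = sizeof entries / sizeof *entries;
    size_t need = offsetof(RTL_PROCESS_MODULES, Modules) + n * sizeof(RTL_PROCESS_MODULE_INFORMATION);
    RTL_PROCESS_MODULES *mods = (RTL_PROCESS_MODULES *)g_sample.bytes;
    memset(g_sample.bytes, 0, sizeof g_sample.bytes);
    mods->NumberOfModules = (uint32_t)n;
    for (size_t i = 0; i < n; i++) {
        RTL_PROCESS_MODULE_INFORMATION *m = &mods->Modules[i];
        const char *slash = strrchr(entries[i].path, '\\');
        m->ImageBase = (void *)(i == 0 ? kernel_base : entries[i].base);
        m->ImageSize = 0x100000;
        m->LoadOrderIndex = (uint16_t)i;
        m->OffsetToFileName = (uint16_t)(slash ? (slash - entries[i].path) + 1 : 0);
        strncpy((char *)m->FullPathName, entries[i].path, sizeof m->FullPathName - 1);
    }
    *out_len = need;
    return mods;
}

#ifdef _WIN32
#include <windows.h>
#define SYSTEM_MODULE_INFORMATION_CLASS 11      /* SystemModuleInformation */
typedef LONG (WINAPI *NtQSI_t)(ULONG, PVOID, ULONG, PULONG);
/* Query the running kernel's module list; the caller free()s the result. */
RTL_PROCESS_MODULES *query_live_modules(size_t *out_len) {
    NtQSI_t fn = (NtQSI_t)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtQuerySystemInformation");
    ULONG len = 0;
    /* First call sizes the buffer: expect STATUS_INFO_LENGTH_MISMATCH (0xC0000004). */
    if (!fn || fn(SYSTEM_MODULE_INFORMATION_CLASS, NULL, 0, &len) != (LONG)0xC0000004L || len == 0)
        return NULL;
    RTL_PROCESS_MODULES *mods = malloc(len);
    if (!mods || fn(SYSTEM_MODULE_INFORMATION_CLASS, mods, len, &len) < 0) { free(mods); return NULL; }
    *out_len = len;
    return mods;
}
#endif

int main(void) {
    size_t len = 0;
#ifdef _WIN32
    RTL_PROCESS_MODULES *live = query_live_modules(&len);
    if (live) { printf("live kernel base: 0x%llx\n", (unsigned long long)find_kernel_base(live, len)); free(live); }
#endif
    const RTL_PROCESS_MODULES *s = build_sample_modules((uintptr_t)0xFFFFF80012345000ull, &len);
    printf("sample kernel base: 0x%llx\n", (unsigned long long)find_kernel_base(s, len));
    return 0;
}
```

(U) The kernel entry is matched by file name rather than assumed to be index 0, and the walk is bounded by the caller's buffer length, since a short or hostile buffer must never drive an out-of-bounds read in the tool that is supposed to be reading the kernel, not being read by it.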
Raytheon Blackbird Technologies, Inc.
26 January 2015
Use or disclosure of data contained on this sheet is subject to the restrictions on the title page of this document.