A recent security analysis has unveiled a method to bypass Kernel Address Space Layout Randomization (KASLR) protections in Windows 11 24H2 by exploiting an HVCI-compatible driver with physical memory access capabilities. This research, published by security expert Yazid on June 9, 2025, demonstrates how the eneio64.sys driver can be leveraged to obtain the Windows kernel base address, effectively circumventing KASLR defenses.
KASLR is a critical security feature designed to randomize the memory locations of key system components, thereby complicating the efforts of attackers aiming to exploit memory corruption vulnerabilities. However, the identified technique exploits the eneio64.sys driver, which provides read and write access to the system's physical memory, to determine the kernel's base address.
Technical Breakdown of the Exploit
The core of this exploit involves analyzing the Low Stub, a data structure consistently present at the beginning of physical memory layouts on HVCI-enabled systems, typically located between physical addresses 0x10000 and 0x20000. This structure contains various kernel addresses, including those of non-exported functions, many of which are specific to the Hardware Abstraction Layer (HAL).
The innovative aspect of this research lies in its approach to identifying the kernel’s entry point within the Low Stub structure. Instead of relying on hardcoded offsets or traditional enumeration methods, the technique searches for the KiSystemStartup function address, which serves as the kernel’s entry point. By parsing the PE image of ntoskrnl.exe, the researcher retrieves the Relative Virtual Address (RVA) of the entry point and then scans the Low Stub for addresses matching the last three bytes of this RVA.
The implementation involves a systematic memory scan using the following approach:
for (physical_offset = 0x10000; physical_offset < 0x20000; physical_offset += 8)
This loop iterates through potential Low Stub locations, reading 64-bit values and comparing them against the known entry point pattern. When a match is found using the condition:
if ((qword_value & 0xFFFFF) == (ntosEntryPoint & 0xFFFFF))
the kernel base address is calculated by subtracting the entry point's RVA from the matched address. Because the Windows kernel image is mapped with 2MB large pages and is therefore 2MB-aligned, the low bits of every kernel address equal the low bits of its RVA; this is what makes the comparison above reliable across different system configurations.
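The scan and base calculation described above, as an added illustration that is not the researcher's code: it runs the same low-20-bit comparison over a constructed buffer standing in for the 0x10000-0x20000 physical range (no driver access is involved), with hypothetical base and RVA values, and adds a 2MB-alignment sanity check on the candidate base that the page's 2MB large-page mapping implies.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed stand-in for physical memory 0x10000-0x20000 (the Low Stub
 * range named in the article). Real code reads it through a driver; here
 * it is a plain buffer so the matching logic can run offline. */
#define LOWSTUB_START 0x10000ULL
#define LOWSTUB_END   0x20000ULL
#define LOWSTUB_SIZE  (LOWSTUB_END - LOWSTUB_START)

/* Hypothetical values for the simulation, not taken from a real system. */
#define FAKE_KERNEL_BASE 0xFFFFF80012400000ULL  /* 2 MB aligned */
#define FAKE_ENTRY_RVA   0x00A0F010ULL          /* entry point RVA */

uint8_t fake_physmem[LOWSTUB_SIZE];

/* Fill the buffer with a decoy pointer whose low 20 bits collide with the
 * RVA, followed by the genuine entry-point pointer (base + RVA). */
void build_fake_low_stub(void) {
    memset(fake_physmem, 0, sizeof fake_physmem);
    uint64_t decoy = 0xFFFFF80012D0F010ULL;  /* matches mask, wrong bit 20 */
    memcpy(fake_physmem + 0x40, &decoy, 8);
    uint64_t entry = FAKE_KERNEL_BASE + FAKE_ENTRY_RVA;
    memcpy(fake_physmem + 0x70, &entry, 8);
}

/* Walk the range in 8-byte steps, compare the low 20 bits of each qword
 * with the RVA, and derive base = match - RVA. A real base must be 2 MB
 * aligned (large-page mapping), so misaligned candidates are rejected.
 * Returns 0 when nothing passes both checks. */
uint64_t find_kernel_base(const uint8_t *mem, uint64_t entry_rva) {
    for (uint64_t off = 0; off < LOWSTUB_SIZE; off += 8) {
        uint64_t qword;
        memcpy(&qword, mem + off, 8);
        if ((qword & 0xFFFFF) != (entry_rva & 0xFFFFF))
            continue;
        uint64_t base = qword - entry_rva;
        if (base & 0x1FFFFF)   /* added sanity check: not 2 MB aligned */
            continue;
        return base;
    }
    return 0;
}

int main(void) {
    build_fake_low_stub();
    uint64_t base = find_kernel_base(fake_physmem, FAKE_ENTRY_RVA);
    printf("recovered base: 0x%016llx\n", (unsigned long long)base);
    return base == FAKE_KERNEL_BASE ? 0 : 1;
}
```

The decoy at offset 0x40 passes the 20-bit mask but yields a base with bit 20 set, so only the genuine pointer at 0x70 produces the expected base.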
Implications and Security Considerations
This technique is particularly significant given Microsoft's recent security enhancements in Windows 11 24H2, which now require SeDebugPrivilege for operations that previously worked from medium-integrity processes, such as using EnumDeviceDrivers or NtQuerySystemInformation to leak kernel module addresses. Traditional KASLR bypass methods have become increasingly difficult on modern Windows systems, with techniques such as prefetch-based side-channel attacks showing inconsistent results across different environments.
The exploitation of the eneio64.sys driver underscores the risks associated with drivers that provide extensive access to system resources. While such drivers are often necessary for legitimate hardware interactions, they can become vectors for security breaches if not properly secured. This research highlights the need for rigorous validation and monitoring of drivers, especially those compatible with HVCI, to prevent potential exploitation.
Mitigation Strategies
To mitigate such vulnerabilities, it is crucial to:
  • Regularly Update Drivers: Ensure that all drivers are up-to-date and sourced from reputable vendors.
  • Enable Memory Integrity Features: Use Windows security features such as Memory Integrity and Virtualization-Based Security (VBS) to strengthen protection against such exploits.
  • Monitor Driver Behavior: Implement monitoring tools to detect unusual driver activities that could indicate exploitation attempts.
By adopting these strategies, users and administrators can bolster their defenses against sophisticated attacks targeting system drivers and maintain the integrity of their systems.

Source: CybersecurityNews Windows 11 24H2 KASLR Broken Using an HVCI-Compatible Driver with Physical Memory Access