Severity: Medium
Published: Jun 24, 2025

[GitHub] pdfwkrnl-exploit

Type: Other
CVSS Score: N/A
Author: Anonymous

Description

Abusing the signed pdfwkrnl.sys driver to call kernel functions from user mode.

# pdfwkrnl-exploit
## prologue
I saw this driver on loldrivers.io and thought nothing of it at first, but then I realized that all we need is a vulnerable memcpy into kernel memory to call kernel functions.

After remembering how a basic data-pointer swap hook works, I found one in ntoskrnl.exe, called "**NtCompareSigningLevels**", and this was perfect for exploiting.

```asm
sub rsp, 28h
mov r8, cs:function_pointer
```

Boom! That's the big ol' bug: it loads a pointer from a variable inside ntoskrnl's **.data** section, which can easily be modified to point at any kernel function, which is a big no-no.

```
.data:0000000140C1DA00 function_pointer // ntoskrnl.exe
```
## exploiting the pointer
I wrote a simple library for pdfwkrnl.sys after taking a little code from another project (https://github.com/Legcsnaec/driverMapper), *"originally forked from ia-32-Sudo's project; his account is deleted or terminated"*. For the exploit itself I decided to use an offset for the **function_pointer**. I used **EnumDeviceDrivers** to get ntoskrnl's base, then used the driver to walk ntoskrnl's PE headers for its exports, which gave us the address of the chosen export. I then overwrote the **function_pointer** with that export address and called the user-mode entry point **NtCompareSigningLevels** (exported by ntdll.dll) while passing our custom arguments; after execution, the old pointer was swapped back as if nothing had happened.

![exploit working](https://github.com/dpcpointer/pdfwkrnl-exploit/blob/main/image.png?raw=true)
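From the defender's side, the first observable step in the chain above is the load of a signed but known-vulnerable driver, before any pointer in ntoskrnl is touched. The following Python script is an added example for this write-up, not code from the pdfwkrnl-exploit repository: it parses constructed driver-load records in a simplified `key=value|key=value` layout (modelled on Sysmon Event ID 6, DriverLoad) and flags loads whose SHA-256 matches a blocklist in the style of loldrivers.io, that come from an unexpected directory, or that are unsigned. The hash values, the record layout and the directory list are constructed; the pdfwkrnl.sys hash is a placeholder, not the real file hash.

```python
"""Flag driver-load events that match a known-vulnerable driver list.

Added example for this write-up, not code from the pdfwkrnl-exploit repository.
The log records, the field layout and the hash values are constructed; the
pdfwkrnl.sys hash below is a PLACEHOLDER, not the real file hash.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Constructed blocklist keyed by lower-case SHA-256 (placeholder values).
KNOWN_VULNERABLE_SHA256 = {
    "placeholder_sha256_pdfwkrnl_sys": "pdfwkrnl.sys (signed driver with arbitrary kernel memcpy)",
}

# Directories a legitimately installed driver is expected to load from (assumption,
# tune per environment); anything else is worth a look.
EXPECTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)


@dataclass
class DriverLoad:
    image: str
    sha256: str
    signed: bool


def parse_driver_load(line: str) -> Optional[DriverLoad]:
    """Parse one constructed record; return None for anything that is not a driver load."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|") if "=" in part)
    if fields.get("EventID") != "6":  # 6 is Sysmon's DriverLoad event id
        return None
    return DriverLoad(
        image=fields.get("Image", ""),
        sha256=fields.get("SHA256", "").lower(),
        signed=fields.get("Signed", "false").lower() == "true",
    )


def classify(load: DriverLoad) -> List[str]:
    """Return the reasons a driver load deserves attention (empty list if none)."""
    reasons = []
    name = KNOWN_VULNERABLE_SHA256.get(load.sha256)
    if name:
        reasons.append(f"known vulnerable driver: {name}")
    if not load.image.lower().startswith(EXPECTED_DRIVER_DIRS):
        reasons.append(f"loaded from unexpected path: {load.image}")
    if not load.signed:
        reasons.append("unsigned driver")
    return reasons


def scan(lines: Iterable[str]) -> List[Tuple[str, List[str]]]:
    """Run every record through the parser and classifier; keep only flagged loads."""
    findings = []
    for line in lines:
        load = parse_driver_load(line)
        if load is None:
            continue
        reasons = classify(load)
        if reasons:
            findings.append((load.image, reasons))
    return findings


# Constructed sample records (not real telemetry). A signed in-box driver, a signed
# vulnerable driver dropped into a user-writable directory, and a non-driver event.
SAMPLE_LOG = [
    "EventID=6|Image=C:\\Windows\\System32\\drivers\\tcpip.sys|SHA256=aaaa1111|Signed=true",
    "EventID=6|Image=C:\\Users\\Public\\pdfwkrnl.sys|SHA256=PLACEHOLDER_SHA256_PDFWKRNL_SYS|Signed=true",
    "EventID=1|Image=C:\\Windows\\System32\\cmd.exe|SHA256=bbbb2222|Signed=true",
]

if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_LOG):
        print(image, "->", "; ".join(reasons))
```

Note that a valid signature alone tells you nothing here: the whole point of the technique is that the driver is legitimately signed, so the hash match against a maintained vulnerable-driver list is the rule that actually fires, and the path and signature checks are only supporting signals.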

## final notes
This was a cool little project; I racked my brain over it and it took around 5 hours.

This only works on Windows 10 22H2, but the method can be applied to any function inside ntoskrnl or the win32k drivers.

An NTSTATUS of STATUS_INVALID_IMAGE_HASH (0xC0000428) will always be returned, because NtCompareSigningLevels returns that status whenever the value returned by the called function is not 0.

All I ask for is credit for my idea. Thanks for the short read; feel free to leave a follow or a fork to show support.
