# voidmap

Using CVE-2021-40449 to manually map a kernel-mode driver.

A very simple driver manual mapper that exploits CVE-2021-40449 to execute an arbitrary function at a given address with a single given argument. It is based on the [exploit PoC CallbackHell](https://github.com/ly4k/CallbackHell). Tested on Windows 10 Pro For Workstations 1809 17763.379 (64-bit), but realistically anything around that time should be supported.
It does the following:

- Disables SMEP (and possibly SMAP) by rewriting the cr4 register value
- Jumps into user-mode code that manually maps the desired driver
- Enables SMEP (and possibly SMAP) again
There are two main problems with this approach:

- The manually mapped driver will live in a pool allocation made by ExAllocatePool. If you want to use this for anything more serious, you should consider finding a better way of allocating memory so that the image can't be dumped so easily.
- There is no easy way to read the original cr4 value, which means that I had to hardcode the value that was there on my system. While it *should* be the same for most modern CPUs, you should still double-check that the value is correct.
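The first caveat is the one a defender cares about: an image that sits in ordinary pool memory is easy to find in a memory dump, because its PE headers are still there. The following is an added example (not part of voidmap or CallbackHell) of the kind of header carver a forensic analyst runs over a raw memory image. It walks every `MZ` occurrence, follows `e_lfanew` to the NT signature and sanity-checks the file header before reporting a hit. The memory image, the decoy `MZ` and the PE-shaped blob are all constructed inline; the field offsets are the documented PE layout.

```python
import struct

IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\0\0"
# IMAGE_FILE_HEADER.Machine values we accept as plausible.
KNOWN_MACHINES = {0x014C: "i386", 0x8664: "amd64", 0xAA64: "arm64"}


def build_fake_image(size=0x400, machine=0x8664, sections=2):
    """Build a minimal PE-shaped blob: DOS header, e_lfanew, NT signature, file header.
    Constructed test data standing in for a mapped driver; it is not a real image."""
    img = bytearray(size)
    img[0:2] = IMAGE_DOS_SIGNATURE
    e_lfanew = 0x80
    struct.pack_into("<I", img, 0x3C, e_lfanew)          # IMAGE_DOS_HEADER.e_lfanew
    img[e_lfanew:e_lfanew + 4] = IMAGE_NT_SIGNATURE
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    struct.pack_into("<HHIIIHH", img, e_lfanew + 4, machine, sections, 0, 0, 0, 0xF0, 0x2022)
    return bytes(img)


def parse_pe_header(mem, off):
    """Return a dict describing the PE header at `off`, or None if it fails sanity checks."""
    if off + 0x40 > len(mem) or mem[off:off + 2] != IMAGE_DOS_SIGNATURE:
        return None
    e_lfanew = struct.unpack_from("<I", mem, off + 0x3C)[0]
    nt = off + e_lfanew
    # The NT headers cannot overlap the DOS header and must fit in the image.
    if e_lfanew < 0x40 or nt + 24 > len(mem):
        return None
    if mem[nt:nt + 4] != IMAGE_NT_SIGNATURE:
        return None
    machine, nsec, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", mem, nt + 4)
    # Reject junk that merely happens to spell "MZ": unknown machine type,
    # absurd section count, or an optional header size that is neither PE32 nor PE32+.
    if machine not in KNOWN_MACHINES or not 1 <= nsec <= 96 or opt_size not in (0xE0, 0xF0):
        return None
    return {"offset": off, "machine": KNOWN_MACHINES[machine],
            "sections": nsec, "characteristics": chars}


def carve_pe_headers(mem):
    """Scan a raw memory image for PE headers at any byte offset."""
    hits = []
    pos = mem.find(IMAGE_DOS_SIGNATURE)
    while pos != -1:
        hdr = parse_pe_header(mem, pos)
        if hdr:
            hits.append(hdr)
        pos = mem.find(IMAGE_DOS_SIGNATURE, pos + 1)
    return hits


def build_sample_dump():
    """Constructed sample dump: zero pages, a decoy 'MZ' with no NT header, then the image."""
    decoy = IMAGE_DOS_SIGNATURE + b"\x00" * 0x3E   # e_lfanew == 0, so it is rejected
    return b"\x00" * 0x1000 + decoy + b"\x00" * 0x1000 + build_fake_image() + b"\x00" * 0x800


if __name__ == "__main__":
    for hit in carve_pe_headers(build_sample_dump()):
        print(hit)
```

On a real dump the reported offsets are then matched against the loaded-module list; an image that carves cleanly but is not backed by any known driver file is exactly the manually mapped case the caveat describes.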
Video:

[Demo video](https://www.youtube.com/watch?v=9zHR2Lz1GrM)
Repository layout (directory listing as captured):

```
[4.0K] /data/pocs/586e41d81225d3d0b7b649d320037ac036e4fb69
├── [1.1K] LICENSE.txt
├── [1.2K] README.md
└── [4.0K] voidmap
    ├── [4.0K] voidmap
    │   ├── [8.0K] caller.c
    │   ├── [ 721] caller.h
    │   ├── [1.3K] console.c
    │   ├── [ 552] console.h
    │   ├── [ 195] general.h
    │   ├── [3.8K] main.c
    │   ├── [6.3K] mapper.c
    │   ├── [2.1K] mapper.h
    │   ├── [3.0K] utils.c
    │   ├── [3.7K] utils.h
    │   ├── [7.5K] voidmap.vcxproj
    │   └── [1.2K] voidmap.vcxproj.filters
    └── [ 887] voidmap.sln

2 directories, 15 files
```