HideMyAss
Essentially a rewrite of SpikySabra/Kernel-Cactus that abuses CVE-2021-21551 (the vulnerable Dell dbutil_2_3 driver) to obtain arbitrary kernel read/write, then unlinks the current process from the nt!_EPROCESS list to hide itself.
Step 1.
Use an elevated (UAC) console to load Dell's driver:

```
sc.exe create dbutil_2_3 binpath= C:\path\to\dbutil_2_3.sys type= filesys
sc.exe start dbutil_2_3
```
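As an added detection example (not part of this project), the Python below hunts over constructed Windows event records for the traces this step leaves behind: a System 7045 "service installed" record for a kernel-mode driver, a Sysmon event 6 driver load, and the `sc.exe create` command line itself. The simplified key=value record layout, the field names, and the placeholder hash entry are assumptions; the only driver name it knows, dbutil_2_3.sys, is the one named on this page.

```python
import re
from pathlib import PureWindowsPath

# Driver file name this page's procedure loads (CVE-2021-21551). Extend from
# your own vulnerable-driver block list; the hash set is a labelled placeholder
# because the page gives no hash.
VULN_DRIVER_NAMES = {"dbutil_2_3.sys"}
VULN_DRIVER_HASHES = {"<SHA256 placeholder: fill from your block list>"}

SYSTEM_DRIVER_DIR = PureWindowsPath(r"C:\Windows\System32\drivers")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# "sc create <name> binpath= <x>.sys type= kernel|filesys" on one command line
SC_CREATE_RE = re.compile(r"\bsc(?:\.exe)?\s+create\b.*\.sys\b.*type=\s*(?:kernel|filesys)", re.I)

# Constructed sample records (assumption: a simplified key=value export of
# System 7045, Sysmon 6 and Sysmon 1 events; adapt parse_record to your SIEM).
SAMPLE_LOG = r"""
EventID=7045 ServiceName=dbutil_2_3 ImagePath=C:\Users\bob\dbutil_2_3.sys ServiceType="kernel mode driver"
EventID=6 ImageLoaded=C:\Users\bob\dbutil_2_3.sys Hashes=SHA256=<constructed> Signature="Dell Inc." SignatureStatus=Valid
EventID=1 Image=C:\Windows\System32\sc.exe CommandLine="sc.exe create dbutil_2_3 binpath= C:\Users\bob\dbutil_2_3.sys type= filesys"
EventID=6 ImageLoaded=C:\Windows\System32\drivers\tcpip.sys Hashes=SHA256=<constructed> Signature="Microsoft Windows" SignatureStatus=Valid
EventID=7045 ServiceName=Spooler ImagePath=C:\Windows\System32\spoolsv.exe ServiceType="own process"
""".strip()


def parse_record(line):
    """Turn one key=value record into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def _basename(path):
    return PureWindowsPath(path).name.lower()


def _under_system_drivers(path):
    return str(PureWindowsPath(path).parent).lower() == str(SYSTEM_DRIVER_DIR).lower()


def hunt(log_text):
    """Return (EventID, reason) findings for driver-load activity worth triage."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        eid = rec.get("EventID")
        if eid == "7045" and "kernel" in rec.get("ServiceType", "").lower():
            path = rec.get("ImagePath", "")
            if _basename(path) in VULN_DRIVER_NAMES:
                findings.append((eid, f"known vulnerable driver registered as service {rec.get('ServiceName')}"))
            elif not _under_system_drivers(path):
                findings.append((eid, f"kernel driver service registered from non-standard path {path}"))
        elif eid == "6":
            path = rec.get("ImageLoaded", "")
            digest = rec.get("Hashes", "").split("=", 1)[-1]
            if _basename(path) in VULN_DRIVER_NAMES or digest in VULN_DRIVER_HASHES:
                findings.append((eid, f"known vulnerable driver loaded: {path}"))
            elif not _under_system_drivers(path):
                findings.append((eid, f"driver loaded from non-standard path {path}"))
        elif eid == "1" and SC_CREATE_RE.search(rec.get("CommandLine", "")):
            findings.append((eid, "sc.exe used to register a driver service: " + rec["CommandLine"]))
    return findings


if __name__ == "__main__":
    for eid, reason in hunt(SAMPLE_LOG):
        print(f"[{eid}] {reason}")
```

Note that the constructed Sysmon 6 record carries a valid Dell signature: a signature check alone does not catch a legitimately signed but vulnerable driver, which is why the hunt keys on the file name, a hash block list and the load path rather than on signature status.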
Step 2.
Use an elevated (UAC) console to run the radare2-based offsetExtract.py script, which extracts the _EPROCESS offsets from the installed ntoskrnl. This step is necessary because the offsets change between Windows builds.

```
set PATH=%PATH%; C:\radare2-5.7.4-w64\bin
python offsetExtract.py -i C:\Windows\System32\ntoskrnl.exe
```
After the script runs, it drops a CSV file (NtoskrnlCSV.csv) containing the current ntoskrnl offsets. Open it with Notepad, copy the offsets, and use them to replace the number at line 111 of HideMyAss.cpp (src/HideMyAss/HideMyAss.cpp, line 111 at commit d081660).
Step 3.
Build the project and run the binary from an elevated (UAC) console. Enjoy 🙂
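As an added example from the detection side (not code from this project): unlinking a process from the nt!_EPROCESS list hides it from every API that walks that list, but a PID lookup goes through the kernel's handle table instead, so a cross-view check compares the two. On Windows the script below builds the list-walk view with EnumProcesses and the handle-table view with a PID sweep through OpenProcess, then reports PIDs present in the second but missing from the first. The helper `hidden_process_ids` and the driver logic are mine; the PID range, the access mask and the decision to count access-denied PIDs as present are assumptions.

```python
import sys


def hidden_process_ids(enumerated, reachable):
    """PIDs the handle-table view can reach but the list-walk view omits."""
    return sorted(set(reachable) - set(enumerated))


if sys.platform == "win32":
    import ctypes
    from ctypes import wintypes

    PROCESS_QUERY_LIMITED_INFORMATION = 0x1000  # assumption: minimal mask for existence check
    ERROR_ACCESS_DENIED = 5

    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenProcess.argtypes = [wintypes.DWORD, wintypes.BOOL, wintypes.DWORD]
    k32.OpenProcess.restype = wintypes.HANDLE
    k32.CloseHandle.argtypes = [wintypes.HANDLE]
    k32.CloseHandle.restype = wintypes.BOOL
    k32.K32EnumProcesses.argtypes = [ctypes.POINTER(wintypes.DWORD), wintypes.DWORD,
                                     ctypes.POINTER(wintypes.DWORD)]
    k32.K32EnumProcesses.restype = wintypes.BOOL

    def list_walk_view():
        """PIDs as reported by EnumProcesses, which walks the process list."""
        n = 4096
        while True:
            arr = (wintypes.DWORD * n)()
            needed = wintypes.DWORD(0)
            if not k32.K32EnumProcesses(arr, ctypes.sizeof(arr), ctypes.byref(needed)):
                raise ctypes.WinError(ctypes.get_last_error())
            count = needed.value // ctypes.sizeof(wintypes.DWORD)
            if count < n:
                return set(arr[:count])
            n *= 2  # buffer was full; grow and retry

    def handle_table_view(max_pid=65536):
        """PIDs that OpenProcess can resolve, i.e. entries still in the handle table."""
        found = set()
        for pid in range(4, max_pid, 4):  # PIDs are multiples of 4; 0 is the idle process
            h = k32.OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, False, pid)
            if h:
                k32.CloseHandle(h)
                found.add(pid)
            elif ctypes.get_last_error() == ERROR_ACCESS_DENIED:
                found.add(pid)  # exists but is protected; still present
        return found

    if __name__ == "__main__":
        first = hidden_process_ids(list_walk_view(), handle_table_view())
        # Second pass drops processes that simply exited between the two views.
        stable = [p for p in first if p in hidden_process_ids(list_walk_view(), handle_table_view())]
        print("PIDs reachable by handle but absent from the process list:", stable or "none")
```

The two passes are there because the views are taken at different moments: a process that exits between them shows up once as a spurious hit. A stable hit across both passes is worth a memory-forensic follow-up, since it matches what a list-unlinked process looks like.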