MiniPlasma
README
MiniPlasma
After re-investigating the technique used in GreenPlasma (specifically SetPolicyVal), it turns out cldflt!HsmOsBlockPlaceholderAccess is still vulnerable to the exact same issue that was reported to Microsoft 6 years ago.
I'm not taking full credit for this, James Forshaw from google project zero found the vulnerability and reported it to Microsoft and was supposedly fixed as CVE-2020-17103.
However, a research who's a friend of mine pointed out that the routine might still have a vulnerability, which is something I considered but brushed off because I thought it was impossible for Microsoft to just not patch this or rollback the patch.
After investigating, it turns out the exact same issue that was reported to Microsoft by Google project zero is actually still present, unpatched. I'm unsure if Microsoft just never patched the issue or the patch was silently rolled back at some point for unknown reasons. The original PoC by Google worked without any changes.
To highlight this issue, I weaponized the original PoC to spawn a SYSTEM shell. It seems to work reliably in my machines but success rate may vary since it's a race condition.
I believe all Windows versions are affected by this vulnerability.
source code
files
- LICENSE
- PoC_AbortHydration_ArbitraryRegKey_EoP.sln
- PoC_AbortHydration_ArbitraryRegKey_EoP/App.config
- PoC_AbortHydration_ArbitraryRegKey_EoP/FodyWeavers.xml
- PoC_AbortHydration_ArbitraryRegKey_EoP/FodyWeavers.xsd
- PoC_AbortHydration_ArbitraryRegKey_EoP/PoC_AbortHydration_ArbitraryRegKey_EoP.csproj
- PoC_AbortHydration_ArbitraryRegKey_EoP/PoC_AbortHydration_ArbitraryRegKey_EoP.csproj.user
- PoC_AbortHydration_ArbitraryRegKey_EoP/Program.cs
- PoC_AbortHydration_ArbitraryRegKey_EoP/Properties/AssemblyInfo.cs
- PoC_AbortHydration_ArbitraryRegKey_EoP/packages.config
- README.md
- packages/Costura.Fody.6.2.0/.signature.p7s
- packages/Costura.Fody.6.2.0/Costura.Fody.6.2.0.nupkg
- packages/Costura.Fody.6.2.0/build/Costura.Fody.props
- packages/Costura.Fody.6.2.0/build/Costura.Fody.targets
- packages/Costura.Fody.6.2.0/icon.png
- packages/Costura.Fody.6.2.0/lib/netstandard2.0/Costura.pdb
- packages/Costura.Fody.6.2.0/lib/netstandard2.0/Costura.xml
- packages/Costura.Fody.6.2.0/netclassicweaver/Costura.Fody.xcf
- packages/Costura.Fody.6.2.0/netstandardweaver/Costura.Fody.xcf
- packages/Fody.6.9.3/.signature.p7s
- packages/Fody.6.9.3/Fody.6.9.3.nupkg
- packages/Fody.6.9.3/build/Fody.targets
- packages/Fody.6.9.3/package_icon.png
- packages/Fody.6.9.3/package_readme.md
- packages/Fody.6.9.3/tasks/net472/FodyHelpers.xml
- packages/Fody.6.9.3/tasks/net472/Mono.Cecil.Pdb.pdb
- packages/Fody.6.9.3/tasks/net472/Mono.Cecil.Rocks.pdb
- packages/Fody.6.9.3/tasks/net472/Mono.Cecil.pdb
- packages/Fody.6.9.3/tasks/netstandard2.0/FodyHelpers.xml
- packages/Fody.6.9.3/tasks/netstandard2.0/Mono.Cecil.Pdb.pdb
- packages/Fody.6.9.3/tasks/netstandard2.0/Mono.Cecil.Rocks.pdb
- packages/Fody.6.9.3/tasks/netstandard2.0/Mono.Cecil.pdb
- packages/NtApiDotNet.1.1.33/.signature.p7s
- packages/NtApiDotNet.1.1.33/NtApiDotNet.1.1.33.nupkg
- packages/NtApiDotNet.1.1.33/lib/net461/NtApiDotNet.xml
- packages/NtApiDotNet.1.1.33/lib/netstandard2.0/NtApiDotNet.xml
- packages/TaskScheduler.2.12.2/.signature.p7s
- packages/TaskScheduler.2.12.2/TaskScheduler.2.12.2.nupkg
- packages/TaskScheduler.2.12.2/TaskService.md
- packages/TaskScheduler.2.12.2/lib/net45/Microsoft.Win32.TaskScheduler.xml
- packages/TaskScheduler.2.12.2/lib/net48/Microsoft.Win32.TaskScheduler.xml
- packages/TaskScheduler.2.12.2/lib/net6.0-windows7.0/Microsoft.Win32.TaskScheduler.xml
- packages/TaskScheduler.2.12.2/lib/net7.0-windows7.0/Microsoft.Win32.TaskScheduler.xml
- packages/TaskScheduler.2.12.2/lib/net8.0-windows7.0/Microsoft.Win32.TaskScheduler.xml
- packages/TaskScheduler.2.12.2/lib/net9.0-windows7.0/Microsoft.Win32.TaskScheduler.xml
- packages/TaskScheduler.2.12.2/lib/netcoreapp3.1/Microsoft.Win32.TaskScheduler.xml
- packages/TaskScheduler.2.12.2/lib/netstandard2.0/Microsoft.Win32.TaskScheduler.xml
- packages/TaskScheduler.2.12.2/lib/netstandard2.1/Microsoft.Win32.TaskScheduler.xml
- packages/TaskScheduler.2.12.2/tsnew48.png
viewer
// click a file to view source
license
Copyright (c) 2026 Nightmare Eclipse / Church of Malware
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
USE AT YOUR OWN RISK. NO WARRANTY PROVIDED.