Update index.md
gabe-k authored Apr 26, 2024
1 parent d69d1c9 commit c8354e9
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion content/24h2-nt-exploit/index.md
Expand Up @@ -58,7 +58,7 @@ As shown above, the change to treating the attribute as volatile results in what

This bug is similar to the previous one in that it is once again double-fetching a length field in code that previously only contained a single fetch. In contrast to the previous bug this bug does not lead to a buffer overflow, but rather to the bypass of the probe of a user provided address. Bypassing a probe allows a user to specify a completely arbitrary address, including a kernel address, to be written to.

`NtQueryInformationThread`, like other `NtQueryInformation`* syscalls, contains a gigantic switch statement for handling different information classes that can be passed in to query information about kernel objects from user mode. This specific bug is in the handling of the `ThreadTebInformation` information class, which allows reading of parts of the thread’s [TEB](https://learn.microsoft.com/en-us/windows/win32/api/winternl/ns-winternl-teb). The input for this specific case is a [`THREAD_TEB_INFORMATION`](https://ntdoc.m417z.com/thread_teb_information) structure residing in user mode memory. This struct contains a destination pointer for where to store the TEB data, as well as a size specifying how much data to read from the TEB.
[`NtQueryInformationThread`](https://ntdoc.m417z.com/ntqueryinformationthread), like other `NtQueryInformation`* syscalls, contains a gigantic switch statement for handling different information classes that can be passed in to query information about kernel objects from user mode. This specific bug is in the handling of the `ThreadTebInformation` information class, which allows reading of parts of the thread’s [TEB](https://learn.microsoft.com/en-us/windows/win32/api/winternl/ns-winternl-teb). The input for this specific case is a [`THREAD_TEB_INFORMATION`](https://ntdoc.m417z.com/thread_teb_information) structure residing in user mode memory. This struct contains a destination pointer for where to store the TEB data, as well as a size specifying how much data to read from the TEB.

The code for this bug is less straightforward than the previous one. In this bug the user supplied struct is copied entirely into kernel mode, however, when performing a call to `ProbeForWrite`, the struct in user mode memory is dereferenced again to pass the size. For all uses of the user input after the call to `ProbeForWrite` the kernel copy of the structure is used. `ProbeForWrite` contains a little-known quirk: if a size of zero is passed the function will return immediately without checking the passed address. **This means that if a kernel address is passed to `ProbeForWrite` with a size of zero, no exception will be raised, thereby essentially bypassing the probe.**
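Review bot: the commit message "Update index.md" does not say what changed; since the hunk only adds the ntdoc link on `NtQueryInformationThread`, a message such as "Link NtQueryInformationThread to ntdoc" would make the history searchable. The added link is consistent with the existing ntdoc link on `THREAD_TEB_INFORMATION` in the same paragraph; `ProbeForWrite` in the following paragraph, where the zero-size probe bypass is explained, is still unlinked and is the routine a reader is most likely to want a reference for.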

