Changes handle's access rights using DKOM with a vulnerable driver

Sakamaki-Izayoi/HandleMaster

HandleMaster

Vulnerable kernel drivers aren't a new thing. They allow regular users to perform tasks that should be impossible from ring 3. More specifically, the CPU-Z driver allows users to read and write physical memory directly.

HandleMaster exploits that primitive to perform some DKOM (direct kernel object manipulation) and change the granted access rights of existing handles.

The idea is that you can open a handle with low access and then elevate its access rights later on when you want to use it.

This bypasses some anti-cheats that use ObRegisterCallbacks to strip access rights from handles at creation time (cough BattlEye cough).

Currently only Win7 SP1 is supported!

I will add support for other versions later on. If you want to do it yourself, here's what you need to find:

  1. the HANDLE_TABLE_ENTRY structure;
  2. the HANDLE_TABLE structure;
  3. ExpLookupHandleTableEntry;
  4. the DirectoryTableBase;
  5. some kernel offsets (_KPROCESS::DirectoryTableBase, _EPROCESS::UniqueProcessId, _EPROCESS::ActiveProcessLinks, _EPROCESS::ObjectTable).

Numbers 1, 2, 4 and 5 can be easily found with LiveKd (which you can download from here) and the Windows Debugging Tools.

Languages

  • C++ 96.2%
  • C 3.8%