This exploit targets the Throttlestop kernel driver, specifically leveraging a vulnerability identified as CVE-2025-7771. The flaw allows out-of-bounds writes in kernel memory, which an attacker can use to escalate privileges on a Windows 11 system. By interacting with the driver via specific IOCTL codes, the exploit gains the ability to read and write physical memory using the Superfetch mechanism.
The provided proof-of-concept code demonstrates how to locate the EPROCESS structure for lsass.exe and modify its protection flags. By zeroing out the Protection and SignatureLevel fields in the kernel, the exploit effectively disables Protected Process Light (PPL) protections. Finally, it uses AddSecurityPackageA to perform a DLL injection into the now-unprotected process, showcasing a practical red team technique for bypassing modern security mitigations.