In a tweet, Alex Ionescu, Vice President of EDR Strategy at CrowdStrike, Inc., announced the release of the Ring 0 Army Knife (r0ak) on GitHub just in time for the Black Hat USA 2018 information security conference. He described the tool as driver-less and built entirely on components already present in Windows 8 and later. It provides Ring 0 arbitrary read, write, and execute capabilities for debugging in Hypervisor Code Integrity (HVCI), Secure Boot, and Windows Defender Application Guard (WDAG) environments, where local kernel debugging is often difficult or impossible to set up.
Just in time for #BlackHat, I've released the Ring 0 Army Knife (r0ak) at https://t.co/ILcO7MoSw3. Full driver-less, built-in, Windows 8+ Ring 0 arbitrary read/write/execute debugging tool for HVCI/Secure Boot/WDAG environments where local debugging is often impossible to set up. pic.twitter.com/bPlSDBVoRr
— Alex Ionescu (@aionescu) August 6, 2018
Alex Ionescu is scheduled to speak at this year’s Black Hat USA conference, which runs from August 4 to 9 at Mandalay Bay, Las Vegas. August 4 to 7 are reserved for the technical training workshops; August 8 and 9 hold the briefings, presentations, and business halls, where some of the leading names in IT security, Ionescu among them, share the latest research, developments, and trends with the security community. Ionescu’s talk is titled “The Windows Notification Facility: Peeling the Onion of the Most Undocumented Kernel Attack Surface Yet,” and his pre-conference release fits squarely with the subject of that talk.
Open source tools and zero-day exploits are routinely shared openly at this conference, so it seems fitting that Ionescu has just published a free Ring 0 read, write, and execute debugging tool for Windows. One of the recurring challenges on the Windows platform is the limited reach of the Windows Debugger and the Sysinternals tools that IT troubleshooting depends on; because they are confined to the access that documented Windows APIs grant them, some kernel and system-level issues cannot normally be analyzed at all. Ionescu’s tool serves as a welcome emergency hotfix for quickly troubleshooting exactly those issues.
Because the tool relies only on pre-existing, built-in, Microsoft-signed Windows functionality, and every function it calls is already present in the kernel Control Flow Guard (KCFG) bitmap, it does not violate any security checks, require any privilege escalation, or load any third-party drivers. It works on the fundamental structure of the operating system: it redirects the execution flow of the window manager’s trusted-font validation check into a kernel work item (WORK_QUEUE_ITEM), uses an asynchronous Event Tracing for Windows (ETW) notification to learn when that work item has finished executing, and then frees its kernel-mode buffers and restores normal operation.
While the tool works around the limitations of other Windows facilities, it comes with limitations of its own. These, however, are ones IT specialists are willing to accept, since the tool still completes the basic operations required of it. Specifically, it can read at most 4GB of data at a time, write at most 32 bits of data at a time, and execute only functions that take a single scalar parameter. These limits could easily have been lifted with a different design, but Ionescu states that he deliberately kept the tool this way: it does what it set out to do efficiently, and that is all that matters.