{“lastseen”:”2026-05-31T19:28:00″,”description”:”This module enumerates kernel object pointers exposed via NtQuerySystemInformation with SystemExtendedHandleInformation. It categorizes exposed pointers by object type and provides observational data about kernel address space layout for research and…”,”published”:”2026-05-31T19:02:05″,”modified”:”2026-05-31T19:02:05″,”type”:”metasploit”,”title”:”Windows Kernel Pointer Exposure Enumerator”,”source”:””,”references”:””,”id”:”MSF:POST-WINDOWS-GATHER-WINDOWS_KERNEL_POINTER_ENUM-“,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[],”sourceData”:”##\\n# This module requires Metasploit: https:\/\/metasploit.com\/download\\n# Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n##\\n\\nclass MetasploitModule \\u003c Msf::Post\\n include Msf::Post::Windows::Priv\\n include Msf::Post::Windows::Process\\n include Msf::Auxiliary::Report\\n include Msf::Exploit::Local::WindowsKernel::HandleEnum\\n\\n def initialize(info = {})\\n super(\\n update_info(\\n info,\\n ‘Name’ =\\u003e ‘Windows Kernel Pointer Exposure Enumerator’,\\n ‘Description’ =\\u003e %q{\\n This module enumerates kernel object pointers exposed via\\n NtQuerySystemInformation with SystemExtendedHandleInformation.\\n\\n It categorizes exposed pointers by object type and provides\\n observational data about kernel address space layout for\\n research and educational purposes.\\n },\\n ‘License’ =\\u003e MSF_LICENSE,\\n ‘Author’ =\\u003e [‘CharlesQuinnDev’],\\n ‘Platform’ =\\u003e ‘win’,\\n ‘SessionTypes’ =\\u003e [‘meterpreter’],\\n ‘Notes’ =\\u003e {\\n ‘Stability’ =\\u003e [CRASH_SAFE],\\n ‘Reliability’ =\\u003e [],\\n ‘SideEffects’ =\\u003e []\\n }\\n )\\n )\\n\\n register_options([\\n OptInt.new(‘MAX_HANDLES’, [true, ‘Maximum handles to process (0 = unlimited)’, 50000]),\\n OptInt.new(‘TIMEOUT’, [true, ‘Timeout in seconds for enumeration’, 30]),\\n OptString.new(‘EXPORT_CSV’, [false, ‘Export results to CSV file’])\\n ])\\n end\\n\\n def run\\n print_status(‘Windows Kernel Pointer Exposure Enumerator’)\\n print_line(‘=’ * 80)\\n\\n fail_with(Failure::NotVulnerable, ‘Unsupported environment’) unless validate_environment\\n\\n print_status(‘Enumerating kernel object pointers…’)\\n\\n @pointers = enum_system_handles(session, datastore[‘MAX_HANDLES’], datastore[‘TIMEOUT’])\\n\\n if @pointers.nil? || @pointers.empty?\\n print_error(‘Failed to enumerate kernel pointers’)\\n return\\n end\\n\\n print_good(\\”Enumerated #{@pointers.size} kernel object pointers\\”)\\n\\n display_results\\n\\n export_results if datastore[‘EXPORT_CSV’]\\n end\\n\\n def validate_environment\\n sysinfo = session.sys.config.sysinfo\\n @os = sysinfo[‘OS’]\\n @arch = sysinfo[‘Architecture’]\\n @computer = sysinfo[‘Computer’]\\n\\n print_status(\\”Target: #{@computer}\\”)\\n print_status(\\”OS: #{@os}\\”)\\n print_status(\\”Arch: #{@arch}\\”)\\n print_status(\\”User: #{session.sys.config.getuid}\\”)\\n\\n unless @arch =~ \/x64|64|amd64\/i\\n print_error(‘This module only supports x64 systems’)\\n return false\\n end\\n\\n true\\n rescue StandardError =\\u003e e\\n print_error(\\”Failed to get system info: #{e.message}\\”)\\n false\\n end\\n\\n def display_results\\n print_line\\n print_line(‘=’ * 80)\\n print_line(‘KERNEL POINTER EXPOSURE RESULTS’)\\n print_line(‘=’ * 80)\\n\\n print_line(\\”\\\\nSUMMARY STATISTICS:\\”)\\n print_line(\\” Total pointers: #{@pointers.size}\\”)\\n\\n unique = @pointers.uniq { |p| p[:address] }.size\\n print_line(\\” Unique addresses: #{unique}\\”)\\n\\n if @pointers.any?\\n min_addr = @pointers.map { |p| p[:address] }.min\\n max_addr = @pointers.map { |p| p[:address] }.max\\n print_line(\\” Address range: 0x#{min_addr.to_s(16)} – 0x#{max_addr.to_s(16)}\\”)\\n end\\n\\n by_type = @pointers.group_by { |p| p[:type_index] }\\n\\n print_line(\\”\\\\nOBJECT TYPE DISTRIBUTION:\\”)\\n by_type.sort.each do |type, ptrs|\\n pct = (ptrs.size.to_f \/ @pointers.size * 100).round(2)\\n type_name = get_type_hint(type)\\n print_line(\\” Type #{type} (#{type_name}): #{ptrs.size} pointers (#{pct}%)\\”)\\n end\\n\\n alpc_pointers = @pointers.select { |p| (32..48).include?(p[:type_index]) }\\n\\n if alpc_pointers.any?\\n print_line(\\”\\\\n\\” + ‘-‘ * 80)\\n print_line(‘ALPC OBJECT ANALYSIS (Type Indices 32-48)’)\\n print_line(‘-‘ * 80)\\n\\n print_line(\\” Total ALPC pointers: #{alpc_pointers.size}\\”)\\n\\n by_pid = alpc_pointers.group_by { |p| p[:pid] }\\n print_line(\\” Found in #{by_pid.size} processes\\”)\\n\\n print_line(\\”\\\\n Processes with ALPC pointers:\\”)\\n by_pid.sort_by { |_, v| -v.size }.first(10).each do |pid, ptrs|\\n proc_name = get_process_name(session, pid)\\n print_line(\\” #{proc_name} (PID: #{pid}): #{ptrs.size} ALPC pointers\\”)\\n end\\n\\n print_line(\\”\\\\n Sample ALPC kernel addresses:\\”)\\n alpc_pointers.first(10).each_with_index do |p, i|\\n print_line(\\” #{i + 1}. Type #{p[:type_index]}: 0x#{p[:address].to_s(16)}\\”)\\n end\\n end\\n\\n print_line(\\”\\\\n\\” + ‘=’ * 80)\\n end\\n\\n def export_results\\n return unless datastore[‘EXPORT_CSV’]\\n\\n timestamp = Time.now.strftime(‘%Y%m%d_%H%M%S’)\\n filename = \\”kernel_pointers_#{timestamp}.csv\\”\\n\\n csv = \\”PID,TypeIndex,TypeHint,Handle,Access,Address\\\\n\\”\\n @pointers.each do |p|\\n type_hint = get_type_hint(p[:type_index])\\n csv += \\”#{p[:pid]},#{p[:type_index]},#{type_hint},0x#{p[:handle].to_s(16)},0x#{p[:access].to_s(8)},0x#{p[:address].to_s(16)}\\\\n\\”\\n end\\n\\n size_str = format_file_size(csv.bytesize)\\n\\n stored_path = store_loot(\\n ‘windows.kernel.pointers’,\\n ‘text\/csv’,\\n session,\\n csv,\\n filename,\\n ‘Windows Kernel Pointer Enumeration Results’\\n )\\n\\n print_good(\\”Results exported to: #{stored_path} (#{size_str})\\”)\\n end\\nend\\n”,”sourceHref”:”https:\/\/github.com\/rapid7\/metasploit-framework\/blob\/master\/modules\/post\/windows\/gather\/windows_kernel_pointer_enum.rb”,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.rapid7.com\/db\/modules\/post\/windows\/gather\/windows_kernel_pointer_enum\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-05-31T19:28:00″,”description”:”This module enumerates kernel object pointers exposed via NtQuerySystemInformation with SystemExtendedHandleInformation. It categorizes exposed pointers by object type and provides observational data about kernel address…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,12,169,13,33,7,11,5],"class_list":["post-58698","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-exploit","tag-metasploit","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n