xct's notes
Windows Kernel

EPROCESS

EPROCESS holds all information about a user process from the kernel's perspective.
kd> dt nt!_EPROCESS
   +0x000 Pcb : _KPROCESS
   +0x098 ProcessLock : _EX_PUSH_LOCK
   +0x0a0 CreateTime : _LARGE_INTEGER
   +0x0a8 ExitTime : _LARGE_INTEGER
   +0x0b0 RundownProtect : _EX_RUNDOWN_REF
   +0x0b4 UniqueProcessId : Ptr32 Void
   +0x0b8 ActiveProcessLinks : _LIST_ENTRY
   +0x0c0 ProcessQuotaUsage : [2] Uint4B
   +0x0c8 ProcessQuotaPeak : [2] Uint4B
   +0x0d0 CommitCharge : Uint4B
   +0x0d4 QuotaBlock : Ptr32 _EPROCESS_QUOTA_BLOCK
   +0x0d8 CpuQuotaBlock : Ptr32 _PS_CPU_QUOTA_BLOCK
   +0x0dc PeakVirtualSize : Uint4B
   +0x0e0 VirtualSize : Uint4B
   +0x0e4 SessionProcessLinks : _LIST_ENTRY
   +0x0f4 ObjectTable : Ptr32 _HANDLE_TABLE
   +0x0f8 Token : _EX_FAST_REF
   +0x0fc WorkingSetPage : Uint4B
   +0x100 AddressCreationLock : _EX_PUSH_LOCK

Tokens

At offset 0xf8 in EPROCESS (32-bit layout):

kd> dt nt!_EX_FAST_REF
   +0x000 Object : Ptr32 Void
   +0x000 RefCnt : Pos 0, 3 Bits
   +0x000 Value : Uint4B

DuplicateTokenEx()

BOOL DuplicateTokenEx(
  HANDLE                       hExistingToken,
  DWORD                        dwDesiredAccess,
  LPSECURITY_ATTRIBUTES        lpTokenAttributes,
  SECURITY_IMPERSONATION_LEVEL ImpersonationLevel,
  TOKEN_TYPE                   TokenType,
  PHANDLE                      phNewToken
);

Creates a new access token that duplicates an existing token.

ImpersonateLoggedOnUser()

BOOL ImpersonateLoggedOnUser(
  HANDLE hToken
);

The hToken parameter is a handle to a primary or impersonation access token that represents a logged-on user. If hToken is a handle to a primary token, the token must have TOKEN_QUERY and TOKEN_DUPLICATE access. If hToken is a handle to an impersonation token, the token must have TOKEN_QUERY and TOKEN_IMPERSONATE access.

RevertToSelf()

Restores the original user context of the calling thread.

Get Token of Process

  1. List processes: !dml_proc
  2. Show the EPROCESS of a certain process: !process <addr>
  3. Get the token: dt nt!_EX_FAST_REF <addr> + f8
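As an added example (not from the original notes): a small Python helper that parses the dt nt!_EPROCESS layout shown above, looks up the Token offset instead of hard-coding 0xf8, and decodes the _EX_FAST_REF value the way the debugger does, which is what a memory-forensics or triage script needs when checking which token a process is running with. The dump lines, the EPROCESS address and the memory contents are constructed for the example; the 64-bit case (4 RefCnt bits) is included as a generalisation beyond the 32-bit dump on the page.

```python
import re

# Constructed sample: the relevant lines of the `dt nt!_EPROCESS` output above
# (32-bit layout). A real script would paste the full debugger output here.
EPROCESS_DUMP = """\
   +0x000 Pcb : _KPROCESS
   +0x0b4 UniqueProcessId : Ptr32 Void
   +0x0b8 ActiveProcessLinks : _LIST_ENTRY
   +0x0f4 ObjectTable : Ptr32 _HANDLE_TABLE
   +0x0f8 Token : _EX_FAST_REF
   +0x0fc WorkingSetPage : Uint4B
"""

# One `dt` field line: "+0x<offset> <Name> : <type>"
FIELD_RE = re.compile(r"^\s*\+0x([0-9a-fA-F]+)\s+(\w+)\s*:\s*(.+?)\s*$")

def parse_dt(dump):
    """Parse `dt` output into {field_name: (offset, type_string)}."""
    fields = {}
    for line in dump.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(2)] = (int(m.group(1), 16), m.group(3))
    return fields

def decode_ex_fast_ref(value, pointer_size=4):
    """Split an _EX_FAST_REF value into (object pointer, refcount).

    RefCnt lives in the low bits that pointer alignment leaves free:
    3 bits on 32-bit (as in the dt output above), 4 bits on 64-bit.
    The object pointer is the value with those bits cleared."""
    bits = 3 if pointer_size == 4 else 4
    mask = (1 << bits) - 1
    return value & ~mask, value & mask

def token_from_eprocess(eprocess_addr, dump, read_ptr, pointer_size=4):
    """Locate the Token field via the dt layout and decode it.

    read_ptr(addr) returns the pointer-sized value at addr; here it is a
    constructed stand-in for a debugger or memory-image read."""
    offset, type_name = parse_dt(dump)["Token"]
    assert type_name == "_EX_FAST_REF", type_name
    return decode_ex_fast_ref(read_ptr(eprocess_addr + offset), pointer_size)

# Constructed memory: one dword at EPROCESS+0xf8 holding an 8-byte-aligned
# token pointer (0x8a1b2c60) with a refcount of 5 packed into the low bits.
FAKE_MEMORY = {0x85e3f030 + 0xf8: 0x8a1b2c60 | 5}

if __name__ == "__main__":
    obj, refs = token_from_eprocess(0x85e3f030, EPROCESS_DUMP, FAKE_MEMORY.__getitem__)
    print(f"Token object at {obj:#x}, RefCnt={refs}")
```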

Debugging Setup

VirtualKD-Redux + VMware.

Enable debug printing in the debugger:

ed nt!Kd_Default_Mask 8

To see the debug output on the target itself, use Dbgview.exe.

Check that the symbol path is correct and everything is loaded in WinDbg (host):

!sym noisy
.reload
lm m H*

Load Drivers

Use osrloader with "WLH" (short for Vista).

Debugging

Running l-t switches from source-level to assembly-instruction stepping.

!address and .load Uext.dll;!vprot work on user-mode targets only. In kernel mode, use !process to get the VAD root and then !vad to dump the VAD tree of a user process.

Break when a driver is loaded:

sxe ld <name>.sys

Shellcode

Win 10 64 Token Stealing

Compile:

nasm shellcode.asm -o shellcode.bin -f bin
radare2 -b 32 -c 'pc' ./shellcode.bin

Win 7 64 Token Stealing

Exploit Primitives

Write-What-Where

  • Write to nt!HalDispatchTable (examples: MS11-080, MS14-070)

Resources

Posts

Talks

Other