xct's notes
Search…
Introduction
Red Team
Active Directory
Host Enum
Payloads
Passwords
Privilege Escalation
Evasion & Bypasses
Concepts & Research
Binary Exploitation
Blog Posts & Research
Windows ASLR
Windows ROP
Windows SEH
Windows Stack
Windows Kernel
Windows Shellcode
Windbg
Linux Heap
Linux Kernel
Format String
GDB
Path Hijacking
Templates
Misc
Web
Cloud
Mobile
Hardware
Crypto
Templates
Misc
Blue Team
Active Directory
Malware Analysis
SIEM
Misc
Labs
Keys & Signing
Language & Framwork Specifics
Misc
HackTheBox
Crossfit
Luanne
APT
Attended
Delivery
Cereal
Powered By GitBook
Windows Kernel

EPROCESS

EPROCESS holds all information about a user process from the kernels perspective.
1
kd> dt nt!_EPROCESS
2
+0x000 Pcb : _KPROCESS
3
+0x098 ProcessLock : _EX_PUSH_LOCK
4
+0x0a0 CreateTime : _LARGE_INTEGER
5
+0x0a8 ExitTime : _LARGE_INTEGER
6
+0x0b0 RundownProtect : _EX_RUNDOWN_REF
7
+0x0b4 UniqueProcessId : Ptr32 Void
8
+0x0b8 ActiveProcessLinks : _LIST_ENTRY
9
+0x0c0 ProcessQuotaUsage : [2] Uint4B
10
+0x0c8 ProcessQuotaPeak : [2] Uint4B
11
+0x0d0 CommitCharge : Uint4B
12
+0x0d4 QuotaBlock : Ptr32 _EPROCESS_QUOTA_BLOCK
13
+0x0d8 CpuQuotaBlock : Ptr32 _PS_CPU_QUOTA_BLOCK
14
+0x0dc PeakVirtualSize : Uint4B
15
+0x0e0 VirtualSize : Uint4B
16
+0x0e4 SessionProcessLinks : _LIST_ENTRY
17
+0x0f4 ObjectTable : Ptr32 _HANDLE_TABLE
18
+0x0f8 Token : _EX_FAST_REF
19
+0x0fc WorkingSetPage : Uint4B
20
+0x100 AddressCreationLock : _EX_PUSH_LOCK
Copied!

Tokens

At 0xf8 in EPROCESS:
1
kd> dt nt!_EX_FAST_REF
2
+0x000 Object : Ptr32 Void
3
+0x000 RefCnt : Pos 0, 3 Bits
4
+0x000 Value : Uint4B
Copied!

DuplicateTokenEx()

1
BOOL DuplicateTokenEx(
2
HANDLE hExistingToken,
3
DWORD dwDesiredAccess,
4
LPSECURITY_ATTRIBUTES lpTokenAttributes,
5
SECURITY_IMPERSONATION_LEVEL ImpersonationLevel,
6
TOKEN_TYPE TokenType,
7
PHANDLE phNewToken
8
);
Copied!
Create a new access token that duplicates an existing function

ImpersonateLoggedOnUser()

1
BOOL ImpersonateLoggedOnUser(
2
HANDLE hToken
3
);
Copied!
The hToken parameter is the handle to a primary or impersonation access token which is representation of a logged-on user. If hToken is a handle to a primary token, the token must have TOKEN_QUERY and TOKEN_DUPLICATE access. If hToken is a handle to an impersonation token, the token must have TOKEN_QUERY and TOKEN_IMPERSONATE access.

RevertToSelf()

Will restore the original user context.

Get Token of Process

  1. 1.
    List processes: !dml_proc
  2. 2.
    Show EPROCESS of a certain process: !process <addr>
  3. 3.
    Get Token: dt nt!_EX_FAST_REF <addr> + f8

Debugging Setup

VirtualKD-Redux + VMWare
Enable debug printing in Debugger:
1
ed nt!Kd_Default_Mask 8
Copied!
To see debug in the client we can Dbgview.exe.
Check if symbol path is fine & everything is loaded in Wingdb (host):
1
!sym noisy
2
.reload
3
lm m H*
Copied!

Load Drivers

Use osrloader with "WLH" (short for vista).

Debugging

Running this will switch from source to assembly instruction stepping: l-t
!address and .load Uext.dll;!vprot work on user mode targets only. In kernel mode you can use !process to get the VAD root and then !vad to dump the VAD tree of a user process.
Attach on Driver Load:
1
sxe ld <name>.sys
Copied!

Shellcode

Win 10 64 Token Stealing

Compile:
1
nasm shellcode.asm -o shellcode.bin -f bin
2
radare2 -b 32 -c 'pc' ./shellcode.bin
Copied!

Win 7 64 Token Stealing

Exploit Primitives

Write-What-Where

  • Write to nt!HalDispatchTable (Example: MS11-080,MS14-070)

Resources

Posts

Talks

Other

Previous
Windows Stack
Next
Windows Shellcode
Last modified 11mo ago
Copy link
Contents
EPROCESS
Tokens
Get Token of Process
Debugging Setup
Load Drivers
Debugging
Shellcode
Exploit Primitives
Resources