Windows Kernel

EPROCESS

EPROCESS is the kernel's per-process object: it holds everything the kernel tracks about a user process (PID, the ActiveProcessLinks list entry, handle table, token, VAD root, quotas). The dump below is from a 32-bit build; field offsets differ per Windows version and architecture, so always re-check them with dt on the target.

 kd> dt nt!_EPROCESS
   +0x000 Pcb              : _KPROCESS
   +0x098 ProcessLock      : _EX_PUSH_LOCK
   +0x0a0 CreateTime       : _LARGE_INTEGER
   +0x0a8 ExitTime         : _LARGE_INTEGER
   +0x0b0 RundownProtect   : _EX_RUNDOWN_REF
   +0x0b4 UniqueProcessId  : Ptr32 Void
   +0x0b8 ActiveProcessLinks : _LIST_ENTRY
   +0x0c0 ProcessQuotaUsage : [2] Uint4B
   +0x0c8 ProcessQuotaPeak : [2] Uint4B
   +0x0d0 CommitCharge     : Uint4B
   +0x0d4 QuotaBlock       : Ptr32 _EPROCESS_QUOTA_BLOCK
   +0x0d8 CpuQuotaBlock    : Ptr32 _PS_CPU_QUOTA_BLOCK
   +0x0dc PeakVirtualSize  : Uint4B
   +0x0e0 VirtualSize      : Uint4B
   +0x0e4 SessionProcessLinks : _LIST_ENTRY
   +0x0f4 ObjectTable      : Ptr32 _HANDLE_TABLE
   +0x0f8 Token            : _EX_FAST_REF
   +0x0fc WorkingSetPage   : Uint4B
   +0x100 AddressCreationLock : _EX_PUSH_LOCK

Tokens

At offset 0xf8 in the EPROCESS layout above, Token is not a plain pointer but an _EX_FAST_REF, a pointer with a small reference count packed into its low bits:

kd> dt nt!_EX_FAST_REF
   +0x000 Object           : Ptr32 Void
   +0x000 RefCnt           : Pos 0, 3 Bits
   +0x000 Value            : Uint4B

DuplicateTokenEx()

BOOL DuplicateTokenEx(
  HANDLE                       hExistingToken,
  DWORD                        dwDesiredAccess,
  LPSECURITY_ATTRIBUTES        lpTokenAttributes,
  SECURITY_IMPERSONATION_LEVEL ImpersonationLevel,
  TOKEN_TYPE                   TokenType,
  PHANDLE                      phNewToken
);

Creates a new access token that duplicates an existing token. TokenType selects whether the copy is a primary token (usable with CreateProcessAsUser) or an impersonation token (usable with the impersonation functions below); ImpersonationLevel controls how much of the identity an impersonating server may use.

ImpersonateLoggedOnUser()

BOOL ImpersonateLoggedOnUser(
  HANDLE hToken
);

The hToken parameter is a handle to a primary or impersonation access token that represents a logged-on user. If hToken is a handle to a primary token, the token must have TOKEN_QUERY and TOKEN_DUPLICATE access. If hToken is a handle to an impersonation token, the token must have TOKEN_QUERY and TOKEN_IMPERSONATE access. On success the calling thread runs under that user's security context until RevertToSelf() is called.

RevertToSelf()

Ends the impersonation begun by ImpersonateLoggedOnUser() and restores the calling thread's original security context.

Get Token of Process

  1. List processes: !dml_proc (or !process 0 0)

  2. Show the EPROCESS of a certain process: !process <addr>

  3. Get the token: dt nt!_EX_FAST_REF <addr>+0xf8 (0xf8 is the Token offset in the 32-bit layout above; confirm it with dt nt!_EPROCESS Token on the target). Clear the low RefCnt bits of Value (3 bits on 32-bit, 4 bits on 64-bit) to get the _TOKEN address, then dump it with !token <token addr>.

Debugging Setup

VirtualKD-Redux + VMWare

Enable DbgPrint output in the debugger (on Vista and later DbgPrint is filtered by default, so without this nothing appears on the host):

ed nt!Kd_Default_Mask 8

To see the DbgPrint output on the target itself, run DebugView (Dbgview.exe) there with "Capture Kernel" enabled.

Check that the symbol path is correct and that the driver's symbols are loaded in WinDbg (host); replace H* with a pattern matching your driver's module name:

!sym noisy
.reload
lm m H*

Load Drivers

Use OSR Driver Loader (osrloader) with "WLH" selected (Windows Longhorn, the Vista codename; the right choice for Vista and later kernels).

Debugging

l-t switches stepping from source lines to assembly instructions; l+t switches back to source-line stepping.

!address and .load uext.dll;!vprot describe the address space of a user-mode target only. From the kernel debugger, use !process <addr> to get the VadRoot of a user process and then !vad <VadRoot> to dump its VAD tree.

Attach on Driver Load:

sxe ld <name>.sys

Shellcode

Win 10 64 Token Stealing

https://gist.github.com/xpn/8f993b3c4cca474d8ebe553f0e36a3e0#file-win64_ring0_shellcode-asm

Compile (nasm emits a raw flat binary; radare2's pc command prints it as a C byte array ready to paste into the exploit; the shellcode is 64-bit, so use -b 64):

nasm shellcode.asm -o shellcode.bin -f bin
radare2 -b 64 -c 'pc' ./shellcode.bin
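The walk that token-stealing shellcode performs, as an added user-mode C simulation (this is not xpn's shellcode and not code from the original page): it builds a constructed ring of fake EPROCESS records, finds PID 4 (System) by following ActiveProcessLinks the way the shellcode and the "Get Token of Process" steps above do, and copies System's token pointer into the current process with the _EX_FAST_REF count bits cleared. Structure and field names follow the dt output above; the field layout, PIDs and token values are made-up assumptions, and the offsets the compiler assigns are not the real nt!_EPROCESS offsets, which must be looked up per build.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <inttypes.h>

/* Stand-ins for the kernel structures (assumption: field order only;
 * the real nt!_EPROCESS offsets differ per Windows build). */
typedef struct _LIST_ENTRY {
    struct _LIST_ENTRY *Flink;
    struct _LIST_ENTRY *Blink;
} LIST_ENTRY;

typedef struct _FAKE_EPROCESS {
    uintptr_t  UniqueProcessId;     /* PID; the System process is always 4 */
    LIST_ENTRY ActiveProcessLinks;  /* circular list of all processes */
    uintptr_t  Token;               /* _EX_FAST_REF: _TOKEN pointer | RefCnt */
} FAKE_EPROCESS;

/* _EX_FAST_REF stores a small reference count in the low pointer bits:
 * 3 bits on 32-bit (RefCnt "Pos 0, 3 Bits" in the dt output), 4 on 64-bit. */
#define EX_FAST_REF_MASK ((uintptr_t)(sizeof(void *) == 8 ? 0xF : 0x7))

#define CONTAINING_RECORD(addr, type, field) \
    ((type *)((char *)(addr) - offsetof(type, field)))

/* Follow ActiveProcessLinks from `start` until the entry with PID 4 is
 * found; returns NULL if the ring has no System process. */
static FAKE_EPROCESS *find_system_process(FAKE_EPROCESS *start)
{
    FAKE_EPROCESS *p = start;
    do {
        if (p->UniqueProcessId == 4)
            return p;
        p = CONTAINING_RECORD(p->ActiveProcessLinks.Flink,
                              FAKE_EPROCESS, ActiveProcessLinks);
    } while (p != start);
    return NULL;
}

/* Overwrite target->Token with System's _TOKEN pointer. The RefCnt bits
 * are cleared so the kernel takes the slow ObReferenceObject path rather
 * than consuming cached fast references that were never taken. */
static int steal_token(FAKE_EPROCESS *target)
{
    FAKE_EPROCESS *sys = find_system_process(target);
    if (sys == NULL)
        return 0;
    target->Token = sys->Token & ~EX_FAST_REF_MASK;
    return 1;
}

/* Link n records into a circular ActiveProcessLinks list. */
static void link_processes(FAKE_EPROCESS *procs, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        procs[i].ActiveProcessLinks.Flink = &procs[(i + 1) % n].ActiveProcessLinks;
        procs[i].ActiveProcessLinks.Blink = &procs[(i + n - 1) % n].ActiveProcessLinks;
    }
}

/* Constructed scenario (assumed values): three processes, the exploit
 * runs as PID 1337; low bits of each Token stand in for a cached RefCnt. */
#define SYSTEM_TOKEN_OBJ ((uintptr_t)0xC0001230)
#define USER_TOKEN_OBJ   ((uintptr_t)0xC0009A40)

/* Returns the exploit process's Token value after the steal. */
static uintptr_t demo_steal(void)
{
    FAKE_EPROCESS procs[3] = {
        { 4,    { NULL, NULL }, SYSTEM_TOKEN_OBJ | 3 },
        { 560,  { NULL, NULL }, (uintptr_t)0xC0004560 | 1 },
        { 1337, { NULL, NULL }, USER_TOKEN_OBJ | 2 },
    };
    link_processes(procs, 3);
    FAKE_EPROCESS *me = &procs[2];
    printf("before: PID %" PRIuPTR " Token=%#" PRIxPTR "\n", me->UniqueProcessId, me->Token);
    steal_token(me);
    printf("after:  PID %" PRIuPTR " Token=%#" PRIxPTR "\n", me->UniqueProcessId, me->Token);
    return me->Token;
}

/* Failure mode: a ring without PID 4 leaves the token untouched. */
static int demo_no_system(void)
{
    FAKE_EPROCESS alone = { 99, { NULL, NULL }, USER_TOKEN_OBJ | 1 };
    link_processes(&alone, 1);
    return steal_token(&alone) == 0 && alone.Token == (USER_TOKEN_OBJ | 1);
}

int main(void)
{
    demo_steal();
    return demo_no_system() ? 0 : 1;
}
```

Build with cc -std=c99 -Wall token_walk.c. In real shellcode the same three steps are done from the current KTHREAD (the ApcState.Process pointer gives the current EPROCESS) using hard-coded offsets for the target build, which is why the Win 7 and Win 10 variants differ.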

Win 7 64 Token Stealing

Exploit Primitives

Write-What-Where

  • Overwrite an entry in nt!HalDispatchTable, typically the HalQuerySystemInformation slot at HalDispatchTable+sizeof(void*), then trigger it from user mode via NtQueryIntervalProfile (examples: MS11-080, MS14-070)

Resources

Posts

Talks

Other
