
Windows Kernel

EPROCESS

EPROCESS holds all information about a user process from the kernel's perspective.
kd> dt nt!_EPROCESS
+0x000 Pcb : _KPROCESS
+0x098 ProcessLock : _EX_PUSH_LOCK
+0x0a0 CreateTime : _LARGE_INTEGER
+0x0a8 ExitTime : _LARGE_INTEGER
+0x0b0 RundownProtect : _EX_RUNDOWN_REF
+0x0b4 UniqueProcessId : Ptr32 Void
+0x0b8 ActiveProcessLinks : _LIST_ENTRY
+0x0c0 ProcessQuotaUsage : [2] Uint4B
+0x0c8 ProcessQuotaPeak : [2] Uint4B
+0x0d0 CommitCharge : Uint4B
+0x0d4 QuotaBlock : Ptr32 _EPROCESS_QUOTA_BLOCK
+0x0d8 CpuQuotaBlock : Ptr32 _PS_CPU_QUOTA_BLOCK
+0x0dc PeakVirtualSize : Uint4B
+0x0e0 VirtualSize : Uint4B
+0x0e4 SessionProcessLinks : _LIST_ENTRY
+0x0f4 ObjectTable : Ptr32 _HANDLE_TABLE
+0x0f8 Token : _EX_FAST_REF
+0x0fc WorkingSetPage : Uint4B
+0x100 AddressCreationLock : _EX_PUSH_LOCK

Tokens

The Token field lives at offset 0xf8 in EPROCESS (see the layout above) and is an _EX_FAST_REF, a pointer whose low bits are borrowed for a reference count:
kd> dt nt!_EX_FAST_REF
+0x000 Object : Ptr32 Void
+0x000 RefCnt : Pos 0, 3 Bits
+0x000 Value : Uint4B

DuplicateTokenEx()

BOOL DuplicateTokenEx(
HANDLE hExistingToken,
DWORD dwDesiredAccess,
LPSECURITY_ATTRIBUTES lpTokenAttributes,
SECURITY_IMPERSONATION_LEVEL ImpersonationLevel,
TOKEN_TYPE TokenType,
PHANDLE phNewToken
);
Creates a new access token that duplicates an existing token.

ImpersonateLoggedOnUser()

BOOL ImpersonateLoggedOnUser(
HANDLE hToken
);
The hToken parameter is a handle to a primary or impersonation access token that represents a logged-on user. If hToken is a handle to a primary token, the token must have TOKEN_QUERY and TOKEN_DUPLICATE access. If hToken is a handle to an impersonation token, the token must have TOKEN_QUERY and TOKEN_IMPERSONATE access.

RevertToSelf()

Ends the impersonation and restores the calling thread's original security context.

Get Token of Process

  1. List processes: !dml_proc
  2. Show the EPROCESS of a certain process: !process <addr>
  3. Get the Token field (EPROCESS + 0xf8): dt nt!_EX_FAST_REF <addr>+0xf8
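What the RefCnt/Value split in the dt output means in practice, as an added C example that is not part of these notes: decode the raw value read at EPROCESS+0xf8 into the token object pointer and the cached reference count. The 3-bit width matches the 32-bit layout shown above; the 4-bit width for 64-bit kernels (16-byte aligned objects) is a generalization added here, and the sample values are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Decoded form of nt!_EX_FAST_REF: the Object pointer with its low
 * bits cleared, plus the small RefCnt that was stored in those bits. */
typedef struct {
    uint64_t object;   /* address of the _TOKEN (low bits masked off) */
    unsigned refcnt;   /* cached fast references, 0 .. (2^bits - 1) */
} ex_fast_ref_t;

/* Number of low pointer bits used for RefCnt.  32-bit kernels use 3
 * (8-byte aligned objects), 64-bit kernels use 4 (16-byte alignment).
 * The pointer_width argument is a convention of this example only. */
static unsigned ex_fast_ref_bits(unsigned pointer_width)
{
    return pointer_width == 8 ? 4 : 3;
}

/* Split the raw Value field into Object and RefCnt. */
ex_fast_ref_t decode_ex_fast_ref(uint64_t value, unsigned pointer_width)
{
    unsigned bits = ex_fast_ref_bits(pointer_width);
    uint64_t mask = (1ULL << bits) - 1;
    ex_fast_ref_t r;
    r.object = value & ~mask;
    r.refcnt = (unsigned)(value & mask);
    return r;
}

/* Address passed to "dt nt!_EX_FAST_REF <addr>+0xf8": the EPROCESS
 * base plus the Token field offset taken from the dt output above. */
uint64_t token_field_address(uint64_t eprocess, uint64_t token_offset)
{
    return eprocess + token_offset;
}

int main(void)
{
    /* Constructed 32-bit sample: object 0x8a0c1030 with RefCnt 3. */
    uint64_t raw32 = 0x8a0c1033ULL;
    ex_fast_ref_t t = decode_ex_fast_ref(raw32, 4);
    printf("Token object %#llx, RefCnt %u\n",
           (unsigned long long)t.object, t.refcnt);
    return 0;
}
```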

Debugging Setup

VirtualKD-Redux + VMware.
Enable debug printing in the debugger:
ed nt!Kd_Default_Mask 8
To see the debug output on the client side (inside the VM), use Dbgview.exe.
Check that the symbol path is fine and everything is loaded in WinDbg (host):
!sym noisy
.reload
lm m H*

Load Drivers

Use osrloader with "WLH" (Windows Longhorn, i.e. Vista).

Debugging

Running this will switch from source-line to assembly-instruction stepping: l-t
!address and .load uext.dll; !vprot work on user-mode targets only. In kernel mode, use !process to get the VAD root and then !vad to dump the VAD tree of a user process.
Break when a driver is loaded:
sxe ld <name>.sys

Shellcode

Win 10 64 Token Stealing

Compile:
nasm shellcode.asm -o shellcode.bin -f bin
radare2 -b 32 -c 'pc' ./shellcode.bin

Win 7 64 Token Stealing

Exploit Primitives

Write-What-Where

  • Write to nt!HalDispatchTable (examples: MS11-080, MS14-070)

Resources

Posts

Talks

Other