Windows Kernel
EPROCESS
EPROCESS holds all information about a user process from the kernel's perspective.
Tokens
At offset 0xf8 in EPROCESS (the Token field, stored as an _EX_FAST_REF):
DuplicateTokenEx()
Creates a new access token that duplicates an existing token.
ImpersonateLoggedOnUser()
The hToken parameter is a handle to a primary or impersonation access token that represents a logged-on user. If hToken is a handle to a primary token, the token must have TOKEN_QUERY and TOKEN_DUPLICATE access. If hToken is a handle to an impersonation token, the token must have TOKEN_QUERY and TOKEN_IMPERSONATE access.
RevertToSelf()
Restores the original user context (ends the impersonation).
Get Token of Process
List processes:
!dml_proc
Show EPROCESS of a certain process:
!process <addr>
Get Token:
dt nt!_EX_FAST_REF <addr> + f8
Debugging Setup
VirtualKD-Redux + VMWare
Enable debug printing in Debugger:
To see the debug output in the guest (client), we can use Dbgview.exe.
Check that the symbol path is correct and everything is loaded in WinDbg (host):
Load Drivers
Use OSR Driver Loader (osrloader) with "WLH" (Windows Longhorn, i.e. Vista).
Debugging
l-t switches from source-line stepping to assembly-instruction stepping.
!address and .load Uext.dll; !vprot work on user-mode targets only. In kernel mode, use !process to get the VAD root and then !vad to dump the VAD tree of a user process.
Attach on Driver Load:
Shellcode
Win 10 64 Token Stealing
https://gist.github.com/xpn/8f993b3c4cca474d8ebe553f0e36a3e0#file-win64_ring0_shellcode-asm
Compile:
Win 7 64 Token Stealing
Exploit Primitives
Write-What-Where
Write to nt!HalDispatchTable (examples: MS11-080, MS14-070)
Resources
Posts
Talks
https://www.youtube.com/watch?v=Gu_5kkErQ6Y DEF CON 25 - Morten Schenk - Taking Windows 10 Kernel Exploitation to the next level
Other
Social Engineering the Windows Kernel - James Forshaw https://www.youtube.com/watch?v=eF-nJnPycXs
Lots of Information about Tokens