One way to give a process system-level access on Windows 7 is to explore the KPCR (Kernel Processor Control Region) and walk to PrcbData, which sits at ntdll!_KPCR + 0x120, and then to PrcbData + 0x004 to read the CurrentThread value:

mov eax, [fs:eax + 0x124]    ; KPCR + 0x120 (PrcbData) + 0x004 (CurrentThread) = _KTHREAD

In the next step we explore the _KTHREAD structure we just obtained and read its ApcState value at offset +0x040; inside that _KAPC_STATE, the Process pointer at offset +0x010 gives the process's kernel object, which we hold in EAX on 32-bit and RAX on 64-bit:

mov eax, [eax + 0x50]    ; _KTHREAD + 0x040 (ApcState) + 0x010 (Process) = _KPROCESS/_EPROCESS

Next, we locate the UniqueProcessId of the process we want to elevate (PsGetCurrentProcess returns the current EPROCESS). Finally, in the EPROCESS structure, which is where the tokens are held, we follow the Blink and Flink pointers backward and forward through the process list to find the SYSTEM token and swap it with the token of our current process …
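On the defensive side, a successful run of the swap above leaves two EPROCESS structures pointing at the same _TOKEN object, which a memory-forensics pass can flag. The following is an added example, not code from the original post; it assumes the (pid, name, raw Token value) triples have already been extracted from a memory image by a forensics tool, and the sample records below are constructed.

```python
"""Flag processes whose EPROCESS.Token points at the same _TOKEN object as
another process. Windows never shares token objects between processes (a
child gets a duplicated token), so any sharing is suspicious, and sharing
with the System process is the signature of the token-swap technique above.
"""
from collections import defaultdict
from typing import NamedTuple


class ProcRecord(NamedTuple):
    pid: int
    name: str
    token: int  # raw EPROCESS.Token value as read from memory (an EX_FAST_REF)


def token_object(raw: int, ref_bits: int = 3) -> int:
    """Strip the EX_FAST_REF reference-count bits (3 on x86, 4 on x64)
    so that two pointers to the same object compare equal."""
    return raw & ~((1 << ref_bits) - 1)


def shared_token_alerts(records, ref_bits: int = 3):
    """Return [(token_object_hex, [(pid, name), ...]), ...] for every
    _TOKEN object referenced by more than one process."""
    by_token = defaultdict(list)
    for rec in records:
        by_token[token_object(rec.token, ref_bits)].append(rec)
    alerts = []
    for tok, procs in by_token.items():
        if len(procs) > 1:
            alerts.append((hex(tok), sorted((p.pid, p.name) for p in procs)))
    return sorted(alerts)


# Constructed sample (x86, 3 ref-count bits): cmd.exe carries the System
# token pointer with a different ref-count in the low bits.
SAMPLE = [
    ProcRecord(4, "System", 0x8A2B1C48),
    ProcRecord(380, "csrss.exe", 0x8A3F0A29),
    ProcRecord(1804, "cmd.exe", 0x8A2B1C4B),   # same object as System
    ProcRecord(2210, "explorer.exe", 0x8A7D3308),
]

if __name__ == "__main__":
    for tok, procs in shared_token_alerts(SAMPLE):
        print(f"token {tok} shared by {procs}")
```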

By Treadstone 71
