The technique I used in the final exploit was a classic process token swap (described in this post by [hasherezade](https://hshrzd.wordpress.com/2017/06/22/starting-with-windows-kernel-exploitation-part-3-stealing-the-access-token/)). I walked the list of processes running on the system by reading the `PsActiveProcessHead` global in the kernel. Once I found a privileged process in the list, I recorded the address of its token object. I then walked the process list again to find my exploit process, and replaced its token with the token from the privileged process. Once this was done I called `CreateProcess` to pop up a shiny new [command prompt window running as NT AUTHORITY\SYSTEM](https://mastodon.social/@gabe_k/111268225173075808)!
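From the defender's side, a token swap like the one described above leaves a recognisable trace: two EPROCESS entries in the list walked from `PsActiveProcessHead` end up referencing the same `_TOKEN` object, which never happens in normal operation (child processes get their own duplicated token). The following triage check is an added example, not code from the original post; the process records are constructed stand-ins for what a memory-forensics walk of the process list would yield, and the addresses are made up.

```python
from collections import defaultdict

# Constructed sample records: (pid, image name, raw EPROCESS.Token value).
# On x64, EPROCESS.Token is an _EX_FAST_REF: the low 4 bits are a reference
# count, so two references to the same object may differ in those bits.
SAMPLE_PROCESSES = [
    (4,    "System",       0xffff9a8b10a04067),
    (512,  "winlogon.exe", 0xffff9a8b11b7c8c3),
    (1337, "exploit.exe",  0xffff9a8b10a04062),  # same _TOKEN as PID 4
    (2048, "cmd.exe",      0xffff9a8b10a04061),  # inherited the stolen token
]

def token_object(raw_ref, ptr_bits=64):
    """Strip the _EX_FAST_REF count bits to get the _TOKEN object address."""
    mask = ~0xF if ptr_bits == 64 else ~0x7
    return raw_ref & mask

def find_shared_tokens(processes, ptr_bits=64):
    """Group processes by _TOKEN object; return only objects shared by >1 process."""
    by_token = defaultdict(list)
    for pid, name, raw_ref in processes:
        by_token[token_object(raw_ref, ptr_bits)].append((pid, name))
    return {tok: procs for tok, procs in by_token.items() if len(procs) > 1}

def report(processes, ptr_bits=64):
    """Human-readable findings; returns the number of suspicious token objects."""
    shared = find_shared_tokens(processes, ptr_bits)
    for tok, procs in shared.items():
        names = ", ".join(f"{name} (PID {pid})" for pid, name in procs)
        print(f"_TOKEN {tok:#x} shared by: {names}")
    return len(shared)

if __name__ == "__main__":
    report(SAMPLE_PROCESSES)
```

In a real investigation the same comparison is made on token pointers pulled from a memory image, which is how token theft is usually spotted after the fact.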