_EPROCESS is a kernel memory structure that describes a system process (in other words, each process running on the system has a corresponding _EPROCESS object somewhere in the kernel). It contains details such as the process image name, which desktop session the process runs in, how many open handles to other kernel objects it holds, which access token it has, and much more.

_TOKEN is a kernel memory structure that describes a process's security context. It contains information such as the token's privileges, logon ID, session ID, token type (i.e. primary vs. impersonation), and much more.

The relationship between the two structures is as follows: the _EPROCESS kernel structure contains a pointer to a _TOKEN memory structure that describes the process's security context. In this lab there are two _TOKEN structures of interest - the _TOKEN of a low privileged process (the one we want to escalate from) and the _TOKEN of a privileged process running as NT\SYSTEM.
The goal is to give a powershell process the high privileged token of the system process (always PID 4) by following the process described above, except that I will do it manually using WinDBG.

Lab setup: a MEDIUM integrity powershell process running as WS02\spotless, where WS02 is my lab machine name and spotless is a low privileged local user; and a SYSTEM integrity process, effectively running as NT\SYSTEM, where WS02$ is my lab computer account and OFFENSE is the domain the machine is a member of. powershell will assume the high privileged token from the system process once the _TOKEN kernel memory structure is manipulated.
First we need to find the _EPROCESS structures for the processes involved. Spawn powershell (this is the process for which we will replace the low privileged token with a high privileged token) as a medium integrity, non-elevated process (in my case running as the local non-admin user ws02\spotless) and get its process ID.

In WinDBG, find the _EPROCESS structure of the powershell process with PID 2648 (0xa58). Its _EPROCESS is located at ffffdc8fbe1f1080.

Once we know the _EPROCESS location in the kernel, we can inspect its contents. The member of the _EPROCESS memory structure we are after is Token, located at offset 0x358. Note that the type shown at 0x358 suggests it is a pointer to an _EX_FAST_REF memory structure; we will come back to this shortly.

Let's see what _EPROCESS.Token is pointing to, which is ffffc507`dab7799f in my case. If we try to inspect ffffc507`dab7799f with the !token ffffc507dab7799f command, we are told that this address does not point to a token object, which we may find a bit odd.

This is where _EX_FAST_REF comes into play. As pointed out earlier, _EPROCESS.Token actually points to an _EX_FAST_REF structure rather than a _TOKEN structure.
Let's overlay the address of the _EPROCESS.Token member, which is ffffdc8f`be1f13d8 (the _EPROCESS location plus the Token member offset, i.e. ffffdc8fbe1f1080+0x358), with the _EX_FAST_REF structure and see what's inside.

Object and Value point to the same address, but the interesting piece is RefCnt, which has 4 bits on (equal to 0xF). That looks like the last hex digit of the address both the Object and Value members point to, 0xffffc507`dab7799f. Looking at _EX_FAST_REF without data, based on the symbols, it is defined so that the last digit (the low 4 bits of Object or Value) of the value held by Object and Value (0xffffc507`dab7799f in my case) denotes the reference count of this token. In other words, that digit is not part of the token address, so we should be able to zero it out and get the actual _TOKEN structure address for our powershell process.

Since Object and Value are 0xffffc507`dab7799f, we should be able to simply swap the last f with 0, which gives 0xffffc507`dab77990, and that should be our _TOKEN address.

We can confirm this from the process listing, where Token is shown pointing to 0xffffc507`dab77990 - note the last digit is 0 rather than f, which confirms that we can always zero out the last digit of the address held by _EX_FAST_REF to get the effective _TOKEN structure address. In WinDBG this can be done with an AND operation, as shown below.

Running the !token command again with the last digit of _EPROCESS.Token->Value set to 0, we no longer see the error message suggesting there is no token at that address, and we start seeing actual token details such as the user and the groups the token belongs to. The output of whoami /all and of !token (ffffc507dab7799f & 0xFFFFFFF0) match.
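The _EX_FAST_REF decoding described above, as an added Python example that is not part of the original post: it splits a raw _EX_FAST_REF value into the referenced object address and RefCnt, computes the address of the Token member from the _EPROCESS address and the 0x358 offset quoted above, and prints results in WinDBG's backtick notation. The addresses and the offset are the ones from this post (the offset is build-specific); the function names are my own. The mask is applied at full 64-bit width so the high half of the pointer is kept, and the RefCnt width is a parameter because 32-bit Windows uses 3 bits instead of 4.

```python
# Added example, not from the original post: decode the _EX_FAST_REF value that
# _EPROCESS.Token holds. On x64 the low 4 bits carry RefCnt and the remaining bits
# are the address of the referenced object (the _TOKEN).

EPROCESS_TOKEN_OFFSET = 0x358   # offset of the Token member on the build used in the post
REFCNT_BITS_X64 = 4             # _EX_FAST_REF.RefCnt width on 64-bit Windows (3 on 32-bit)


def parse_windbg_pointer(text: str) -> int:
    """Accept WinDBG's backtick form (ffffc507`dab7799f), a 0x prefix, or plain hex."""
    return int(text.strip().replace("`", "").lower().removeprefix("0x"), 16)


def format_windbg_pointer(value: int) -> str:
    """Render a 64-bit value the way WinDBG prints it: ffffc507`dab77990."""
    digits = f"{value:016x}"
    return f"{digits[:8]}`{digits[8:]}"


def split_ex_fast_ref(value: int, refcnt_bits: int = REFCNT_BITS_X64) -> tuple[int, int]:
    """Return (object_address, refcnt).

    The mask is built at full pointer width (~0xF for a 4-bit RefCnt), so every bit
    above the RefCnt field, including the upper 32 bits of the pointer, is preserved.
    """
    mask = (1 << refcnt_bits) - 1
    return value & ~mask, value & mask


def token_member_address(eprocess: int, offset: int = EPROCESS_TOKEN_OFFSET) -> int:
    """Address of _EPROCESS.Token itself, i.e. where the _EX_FAST_REF lives."""
    return eprocess + offset


def resolve_token(eprocess_token_value: str) -> str:
    """From the raw Token value as displayed by dt, produce the effective _TOKEN address."""
    obj, _refcnt = split_ex_fast_ref(parse_windbg_pointer(eprocess_token_value))
    return format_windbg_pointer(obj)


if __name__ == "__main__":
    # Values from the post: the powershell _EPROCESS and the value of its Token member.
    eprocess = parse_windbg_pointer("ffffdc8fbe1f1080")
    print("Token member at", format_windbg_pointer(token_member_address(eprocess)))
    obj, refcnt = split_ex_fast_ref(parse_windbg_pointer("ffffc507`dab7799f"))
    print("_TOKEN at", format_windbg_pointer(obj), "RefCnt", refcnt)
```

Feeding the post's value ffffc507`dab7799f through resolve_token yields ffffc507`dab77990 with a RefCnt of 0xf, matching what the process listing reports for the Token pointer.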
Now let's find the _TOKEN of the SYSTEM process - the token that our low privileged powershell process will assume. We are interested in its _TOKEN location, which is at ffffc507d8818040.

Let's replace the token held by the powershell process (at ffffdc8fbe1f1080+0x358) with the one held by the SYSTEM process (ffffc507d8818040) by simply writing the SYSTEM process's token address to the _EPROCESS.Token of our powershell process. whoami reports ws02\spotless before the change and nt authority\system after it.
Another interesting member of the _TOKEN structure is Privileges at offset 0x040, defined as a _SEP_TOKEN_PRIVILEGES structure.

The powershell process's _sep_token_privileges structure shows which privileges the token has and which of them are enabled or disabled - the information we can also check from userland with whoami /priv. Note that in the powershell process's _sep_token_privileges the Present and Enabled values do not match, and this is what results in the mix of Enabled and Disabled privileges we see in the State column of whoami /priv.

Let's make the Present and Enabled values match. Once they match, all the privileges in the State column of the whoami /priv output are shown as Enabled.

What if we modified the Present field so that it gives us more, or elevated, privileges? We can get a good hint by inspecting the Present value of the SYSTEM process (PID 4) token: its Present value is 0x0000001f`f2ffffbc, which represents all the privileges the SYSTEM process token has.

Let's write that value to our powershell token's Present and Enabled fields. If successful, we should have all the SYSTEM privileges enabled for our low privileged powershell process running in the context of the user ws02\spotless. The updated _sep_token_privileges structure now carries the SYSTEM value in both fields, and whoami /priv shows that we have all the SYSTEM privileges and all of them are enabled.
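To make the Present/Enabled relationship concrete, here is an added Python example (not code from the original post) that decodes _SEP_TOKEN_PRIVILEGES bitmasks into the whoami /priv style view and, from the defender's side, lists the privileges that appear in a token's Present field but not in the baseline expected for that logon. The bit-to-privilege mapping is the standard Windows privilege LUID assignment (bit position = LUID LowPart); the SYSTEM Present value is the one quoted above; the standard-user baseline and the function names are constructed assumptions for this illustration.

```python
# Added example, not from the original post: decode _SEP_TOKEN_PRIVILEGES bitmasks.
# Each bit position in Present / Enabled / EnabledByDefault is the LowPart of the
# privilege's LUID (standard Windows assignment, starting at SE_MIN_WELL_KNOWN_PRIVILEGE = 2).

PRIVILEGE_NAMES = {
    2: "SeCreateTokenPrivilege", 3: "SeAssignPrimaryTokenPrivilege",
    4: "SeLockMemoryPrivilege", 5: "SeIncreaseQuotaPrivilege",
    6: "SeMachineAccountPrivilege", 7: "SeTcbPrivilege",
    8: "SeSecurityPrivilege", 9: "SeTakeOwnershipPrivilege",
    10: "SeLoadDriverPrivilege", 11: "SeSystemProfilePrivilege",
    12: "SeSystemtimePrivilege", 13: "SeProfileSingleProcessPrivilege",
    14: "SeIncreaseBasePriorityPrivilege", 15: "SeCreatePagefilePrivilege",
    16: "SeCreatePermanentPrivilege", 17: "SeBackupPrivilege",
    18: "SeRestorePrivilege", 19: "SeShutdownPrivilege",
    20: "SeDebugPrivilege", 21: "SeAuditPrivilege",
    22: "SeSystemEnvironmentPrivilege", 23: "SeChangeNotifyPrivilege",
    24: "SeRemoteShutdownPrivilege", 25: "SeUndockPrivilege",
    26: "SeSyncAgentPrivilege", 27: "SeEnableDelegationPrivilege",
    28: "SeManageVolumePrivilege", 29: "SeImpersonatePrivilege",
    30: "SeCreateGlobalPrivilege", 31: "SeTrustedCredManAccessPrivilege",
    32: "SeRelabelPrivilege", 33: "SeIncreaseWorkingSetPrivilege",
    34: "SeTimeZonePrivilege", 35: "SeCreateSymbolicLinkPrivilege",
    36: "SeDelegateSessionUserImpersonatePrivilege",
}
PRIVILEGE_BITS = {name: bit for bit, name in PRIVILEGE_NAMES.items()}


def privileges_in(mask: int) -> list[str]:
    """Names of every privilege whose bit is set in a _SEP_TOKEN_PRIVILEGES field."""
    return [name for bit, name in sorted(PRIVILEGE_NAMES.items()) if (mask >> bit) & 1]


def bits_for(names) -> int:
    """Inverse of privileges_in: build a field value from privilege names."""
    mask = 0
    for name in names:
        mask |= 1 << PRIVILEGE_BITS[name]
    return mask


def privilege_table(present: int, enabled: int) -> list[tuple[str, str]]:
    """Rows in the shape of whoami /priv: (privilege, State).

    A privilege is listed when its bit is in Present; its State is Enabled only when
    the same bit is also in Enabled, which is the mismatch the post points out.
    """
    return [
        (name, "Enabled" if (enabled >> bit) & 1 else "Disabled")
        for bit, name in sorted(PRIVILEGE_NAMES.items())
        if (present >> bit) & 1
    ]


def unexpected_privileges(present: int, baseline_present: int) -> list[str]:
    """Privileges present in a token but absent from the baseline expected for that logon.

    A Present field that has grown beyond what the account's logon should carry is the
    observable result of the edit described above, so a dump-analysis or endpoint check
    can compare live tokens against a known-good baseline per account type.
    """
    return privileges_in(present & ~baseline_present)


# Value quoted in the post for the SYSTEM (PID 4) token's Present field.
SYSTEM_PRESENT = 0x0000001FF2FFFFBC

# Constructed assumption: Present field of a standard, non-admin interactive logon in a lab.
STANDARD_USER_PRESENT = bits_for([
    "SeShutdownPrivilege", "SeChangeNotifyPrivilege", "SeUndockPrivilege",
    "SeIncreaseWorkingSetPrivilege", "SeTimeZonePrivilege",
])
# Constructed assumption: the same token with only SeChangeNotifyPrivilege enabled,
# as whoami /priv typically shows for a medium integrity process.
STANDARD_USER_ENABLED = bits_for(["SeChangeNotifyPrivilege"])


if __name__ == "__main__":
    for name, state in privilege_table(STANDARD_USER_PRESENT, STANDARD_USER_ENABLED):
        print(f"{name:45} {state}")
    print("SYSTEM privileges:", len(privileges_in(SYSTEM_PRESENT)))
    print("Present but not in the standard-user baseline:",
          unexpected_privileges(SYSTEM_PRESENT, STANDARD_USER_PRESENT))
```

Decoding 0x0000001f`f2ffffbc this way gives 31 privileges, including SeDebugPrivilege and SeTcbPrivilege but not SeMachineAccountPrivilege, SeRemoteShutdownPrivilege, SeSyncAgentPrivilege or SeEnableDelegationPrivilege, which is consistent with what whoami /priv reports for a SYSTEM token. Running unexpected_privileges against the standard-user baseline is the check a responder would apply to a token whose Present field has been rewritten as in this post.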