2. What Were Covering:
• KPRCB structure
• ETHREAD structure
• EPROCESS structures
• ActiveProcessLinks
• Locating SYSTEM’s EPROCESS structure from Userland
• Stealing SYSTEM’s TOKEN and patching them over our
process’ EPROCESS for Priv Esc
• Read / Write Primitives
Extra Fun - Interactive Learning Exploit!
• DHA_Vuln_Driver_RW_Primitive.sys
• DHA_Userland_Exploit_PEEKPOKE.exe
• DHA_Userland_Find_SYSTEM_EPROCESS.exe
• DHA_PrivEsc_Demo.py
Windows Privilege Escalation
Token Theft @ A Low-Level
WOOHOO!
3. Goals of this presentation
• Explain how Token Theft Privilege Escalation Work
• Explain what Read-What-Where and Write-What-Where primitives are
• Provide you with a simplified vulnerable target driver and tool to exploit
the driver to practice with
• Walk through exploiting our demo kernel vulnerability
Windows Privilege Escalation
Token Theft @ A Low-Level
4. Before we start…
A quick note on pointers and memory addressing
Windows Privilege Escalation
Token Theft @ A Low-Level
5. Windows Privilege Escalation
Token Theft @ A Low-Level
What's this ‘pointer’ you speak of?
A pointer is a variable that stores the address of another variable.
Its an address stored at an address that points to somewhere else.
In the example above, the POINTER located at address 0x7fff98b499e8 POINTS to address 0x7fffa0757dd4 which
is where the Variable with the value “10” is located.
6. Setup : The Code
Windows Privilege Escalation
Token Theft @ A Low-Level
7. Setup : The Code
• I’ve provided compiled versions of the kernel driver, the executables used to exploit
them, and scripted exploit. Compiled Binaries and Source Codes:
http://sploit.online/0x2_KernelTalks_TokenTheftPrivEsc/
• If you don’t trust the code – or just wish to analyze it – the source has been provided
as well.
• To compile the code, you will need Visual Studio as well as the Windows SDK and
WDK. Instructions for installing these prerequisites can all be found here:
https://learn.microsoft.com/en-us/windows-hardware/drivers/download-the-wdk
Windows Privilege Escalation
Token Theft @ A Low-Level
8. Windows Privilege Escalation
Token Theft @ A Low-Level
1
2 3
Setup : Loading the DHA_VulnDriver with
OSR Driver Loader
1) Select BROWSE to select the Driver
2) Select Register Service
( All Windows Drivers must have a entry in the
Registry in order to load )
3) Select Start Service
* ALTERNATIVELY, you could use an unsigned driver loader like KDU :D :D
9. Windows Privilege Escalation
Token Theft @ A Low-Level
+ SHIFT
Press F7
Select Startup Settings Select Restart
In order to load
The vulnerable
Driver, you must first
Disable Driver
Signature
Enforcement!
1 2 3 4
SETUP: DISABLE DRIVER SIGNING
11. Windows Internals:
KPRCB structure
The name KPRCB stands for (Kernel) Processor Control Block.
The kernel keeps one for each logical processor as the last
member of the processor’s KPCR.
The KPRCB (formally _KPRCB) holds most of what the kernel
needs ready access to while managing a processor and while
managing resources that are themselves managed more simply
and quickly per processor.
The KPRCB structure’s CurrentThread pointer connects the
structure to a _ETHREAD structure….
Windows Privilege Escalation
Token Theft @ A Low-Level
12. Windows Internals:
ETHREAD structure
• The ETHREAD structure is the kernel’s
representation of a thread object.
• In the Windows Kernel it is accessed by
referencing GS:0x188
• When writing Kernel Shellcode, this is the easiest
entry point path to work your way to the
EPROCESS list of linked structures
<----- %gs:0x188
( in assembly points here)
Windows Privilege Escalation
Token Theft @ A Low-Level
13. Windows Internals:
EPROCESS structures
Windows Privilege Escalation
Token Theft @ A Low-Level
• The EPROCESS structure is the kernel's representation
of a process object.
• Each running process has an associated
EPROCESS structure that Windows Uses to
keep track of it with.
14. A look inside an EPROCESS structure
• The Actual structure is 2944 bytes in length and host
a vast amount of information describing the running
process such as the process’s name, Image Base
Address of the loaded binary in Memory and a a whole
lot more.
• For this Exercise we’ll only be using 3 fields of this
Lengthy and detailed structure:
1) UniqueProcessId (PID)
2) ActiveProcessLinks (Links to the next/previous
EPROCESS structures)
3) Token (Security Token Assigned to process)
0:027> dt nt!_EPROCESS
ntdll!_EPROCESS
+0x000 Pcb : _KPROCESS
...
+0x440 UniqueProcessId : Ptr64 Void
+0x448 ActiveProcessLinks : _LIST_ENTRY
...
+0x4b8 Token : _EX_FAST_REF
...
...
+0x5a8 ImageFileName : [15] UChar
...
+0xb70 MitigationFlags3Values : <unnamed-tag>
0:024> ?? sizeof(nt!_EPROCESS)
unsigned int64 0xb80
Windows Privilege Escalation
Token Theft @ A Low-Level
15. Walking EPROCESS structures using ActiveProcessLinks
Windows Privilege Escalation
Token Theft @ A Low-Level
• Each EPROCESS structure contains a LIST_ENTRY substructure which is a pair of
pointers known as ActiveProcessLinks
• LIST_ENTRY structures are double-linked list that point to a identical structures
both preceding/proceeding the current structure
16. Walking EPROCESS structures using ActiveProcessLinks
Windows Privilege Escalation
Token Theft @ A Low-Level
• ActiveProcessLinks (LIST_ENTRY links) allow us to walk through a list of all the
system’s EPROCESS structures – each of which representing a running process –
in a circular manner – both forwards of backwards
18. READ-WHAT-WHERE & WRITE WHAT WHERE Primitives
READ-WHAT-WHERE – allows us to specify an address to a function
and return the value stored at that location in memory
WRITE-WHAT-WHERE – allows us to specify an address in memory
along with a value to store at that location in memory
* These terms are typically used when referring to kernel land
vulnerabilities but also can be used in describing userland bugs
Windows Privilege Escalation
Token Theft @ A Low-Level
19. Data-Driven Attacks
Due to VBS, HVCI, CI, DEP, Page Guard, and other mitigations the days of
running executable shellcode are largely over with
Data-Driven attacks involving modifying Process’ Handles, Structures, and
Objects is still fair game.
We can utilize Data-Driven Attacks to Escalate Privileges and get executable
code to run (example: LOL Driver attacks)
Windows Privilege Escalation
Token Theft @ A Low-Level
22. DHA_Userland_Exploit_PEEKPOKE.exe
Windows Privilege Escalation
Token Theft @ A Low-Level
Allows for us to READ or
WRITE to R/W Section of
memory by offering Read-
What-Where and Write-
What-Where primitives to
conduct Data-Driven attacks
against the kernel.
Usage:
PEEK [address]
POKE [address] [write-data]
Operates with UINT64
variables
24. Windows Privilege Escalation
Token Theft @ A Low-Level
DHA_Vuln_Driver_RW_Primitive.sys
BSOD-free kernel fun !
• The vulnerable driver was compiled with Exception Handling to not allow illegal
memory access attempts.
• Normally, if you tried to access an
unallocated, privately mapped, or
illegal address you would cause an
exception leading to something like…
25. The Privilege Escalation Attack – Step by Step
Windows Privilege Escalation
Token Theft @ A Low-Level
26. Locating SYSTEM’s EPROCESS structure from Userland
DHA_Userland_Find_SYSTEM_EPROCESS.exe explained… (c++)
STEP 1: Finding Windows Kernel Base
Windows Privilege Escalation
Token Theft @ A Low-Level
• The EnumDeviceDrivers() function will populate a list of loaded system modules
• The first entry [0] contains the loading address of ntosknrl.exe (windows kernel)
27. Locating SYSTEM’s EPROCESS structure from Userland
DHA_Userland_Find_SYSTEM_EPROCESS.exe explained… (c++)
STEP 2: Finding SYSTEM’s EPROCCESS structure offset
Windows Privilege Escalation
Token Theft @ A Low-Level
• We use LoadLibraryA() to load ntoskrnl.exe (Normally used for DLL’s – but .EXE, .SYS, and
.DLL are the same PE file format
• We use GetProcAddress() to find the export for PsInitialSystemProcess (EPROCESS pointer
offset)
( GetProcAddress() is normally used to look
up function addresses – but what it’s
ACTUALLY doing is looking up EXPORT
names/addresses )
• We Add Kernelbase + PsInitialSystemProcess together for pointer to EPROCESS in memory
28. Locating SYSTEM’s EPROCESS structure from Userland
STEP 1 & 2: Finding SYSTEM’s EPROCCESS structure offset
Note: KERNELBASE + OFFSET == POINTER to SYSTEM EPROCESS Structure (#4)
STEP3: Resolve the POINTER to SYSTEM’s EPROCESS structure
Now we have the location of SYSTEM’s EPROCESS structure and have entered the
double-linked list of EPROCESS structures!
ADDRESS: 0xffff848b9eafd040
Windows Privilege Escalation
Token Theft @ A Low-Level
29. Let’s Verify we have SYSTEM’s EPROCESS structure
SYSTEM’s EPROCESS structure ALWAYS has a PID of #4
Windows Privilege Escalation
Token Theft @ A Low-Level
EPROCESS Structure offsets
UniqueProcessId = 0x440 # PVOID
ActiveProcessLinks = 0x448 # LIST_ENTRY
Token = 0x4b8 # PVOID
EPROCESS ADDRESS = 0xffff848b9eafd040
UniqueProcessId = 0x440
0xffff848b9eafd040 + 0x440 = 0xffff848b9eafd480
YEP That’s SYSTEM!
31. Let’s adjust our recovered SYSTEM EPROCESS Token for use
Windows Privilege Escalation
Token Theft @ A Low-Level
All Windows internal OBJECTs have an attached ‘Reference Count’ (Ref Cnt) number to
keep copies of different instances of use of an object.
Were going to remove the Reference Count from the Token for our purposes
This simply means removing the lower 3 bits of our recovered token by using a logical
AND operation with the value 0xfffffffffffffff8
SYSTEM_TOKEN = 0xFFFFBE87F081E62F (BEFORE)
&
0xFFFFFFFFFFFFFFF7
=
SYSTEM_TOKEN = 0xFFFFBE87F081E628 (AFTER) * in this instance the lower 0xF (1111) becomes 0x8 (1000)
32. Windows Privilege Escalation
Token Theft @ A Low-Level
Let’s walk the EPROCESS list’s connecting LIST_ENTRYs
Remember, Each Link in a LIST_ENTRY structure just points to the next link (Flink/Blink)
0xffff848b9eb90488 0xffff848b9ebe2488 0xffff848ba0fda488
33. Let’s walk the EPROCESS list’s connecting LIST_ENTRYs to
find our process’ PID
Windows Privilege Escalation
Token Theft @ A Low-Level
We Add the ActiveProcessLinks offset
of +0x448 to the location address of
SYSTEM’s EPROCESS structure and
dereference (PEEK) the address there
to enter the double linked list
The LOOP:
We check (PEEK) the value of
ADDRESS – 0x8 to see if is equal to
our PID
If not: we (PEEK) the address of the
last address returned to walk the list
forward
34. Ounce we find our PID lets copy SYSTEM’s Token over Ours
Windows Privilege Escalation
Token Theft @ A Low-Level
Note: The difference
between the
UniqueProcessID offset and
Token offsets is 0x78 bytes
At this location we write our
stolen Token using the POKE
command supplying the
address of our PID’s Token
to write to and the SYSTEM
Token value
38. Final Notes on Professional Exploitation
Windows Privilege Escalation
Token Theft @ A Low-Level
39. Windows Privilege Escalation
Token Theft @ A Low-Level
Final notes on writing Profession Exploits…
The EPROESS Structure is what’s known as an “Opaque structure” basically meaning –
it’s meant to be internal and is subject to change in it’s layout.
The EPROCESS structure has changed many times in the last few versions of windows.
Offset changes can be observed in the structure here:
https://www.geoffchappell.com/studies/windows/km/ntoskrnl/inc/ntos/ps/eprocess/index.htm
In writing a professional exploit a exploit author would detect the OS version and adjust
to ensure these offsets match the version of the target OS and that the exploit could be
versatile if affecting multiple versions of the Operating system
40. Windows Privilege Escalation
Token Theft @ A Low-Level
Final notes on writing Profession Exploits…
To keep some of the math basic I explained to you that PID could be found 8 bytes
behind ActiveProcessLink’s LIST_ENTRY structure when walking EPROCESS structures.
A more structured exploit would have deducted the length of ActiveProcessLinks from
the ActiveProcessLink location to find the actual beginning of the EPROCESS structure
then use the offset values from the base of the structure.
This is the more elegant approach and makes exploits easier to port to multiple versions
of an OS and utilizes offsets more recognizable to other researchers vs our this-8=PID
styled tricks used.
41. Next Talk: Exploiting LOLDriver Vulnerabilities
DC214 – 7.13.23
Windows Privilege Escalation
Token Theft @ A Low-Level