
Tokenizer

  • Tokenizer is a kernel-mode driver project that replaces the token pointer stored in a process's _EPROCESS with the System process's token, elevating the target process to the SYSTEM security context. The driver is meant to be used with a user-mode application that sends a process ID to the driver through an IOCTL.

Technical details

  • When a process is created, it inherits the primary token of its parent, which normally represents the user who started it; the system consults that token whenever it decides what the process may do. The token holds the user's security identifier (SID), group memberships, and privileges.

    image

  • The Token member of the _EPROCESS structure (the kernel's per-process object) holds the process's primary token. It is not a plain pointer but an _EX_FAST_REF: a pointer-sized union in which the low bits left free by pointer alignment (4 bits on x64, 3 on x86) carry a small cached reference count, and the remaining bits are the pointer to the _TOKEN object. Masking off those low bits yields the token pointer. The offset of Token within _EPROCESS changes between Windows versions; on current x64 builds (Windows 10 2004 and later, Windows 11) it is 0x4b8.

  • EPROCESS.Token offsets by Windows version, for x64 and x86 (entries are kernel version numbers or Windows 10 release names):

    x64 offsets
      0x0160  late 5.2
      0x0168  6.0
      0x0208  6.1
      0x0348  6.2 to 6.3
      0x0358  10.0 to 1809
      0x0360  1903
      0x04B8  2004 and later

    x86 offsets
      0x0150  3.10
      0x0108  3.50 to 4.0
      0x012C  5.0
      0xC8    5.1 to early 5.2
      0xD8    late 5.2
      0xE0    6.0
      0xF8    6.1
      0xEC    6.2 to 6.3
      0xF4    10.0 to 1607
      0xFC    1703 to 1903
      0x012C  2004 and later

    image

  • The _EX_FAST_REF union has three members that all overlay the same pointer-sized word: Object (the pointer), RefCnt (the cached reference count in the low 4 bits on x64, 3 on x86) and Value (the raw word). WinDbg shows all three at offset +0x000.

    image

  • To display the process token from the _EX_FAST_REF in WinDbg, pass it the address of the _EX_FAST_REF that holds the token, i.e. the _EPROCESS address plus the Token offset (0x4b8 on current x64 builds); the token pointer is Value with its low reference-count bits cleared.

    image

Usage

  • You can either spawn a new privileged process or elevate an already running process by its process ID.

    image

  • This walkthrough follows the second option, using cmd.exe as the example.

    image

  • The inherited token of the cmd.exe process, before elevation

    image

  • Sending the process ID to the driver through an IOCTL

    image

  • After receiving the PID from the user-mode application, the driver resolves it to a pointer to the target's _EPROCESS (PsLookupProcessByProcessId is the kernel API for this), reads the Token member at its offset and overwrites it with the value of the System process's Token, so the target now runs in the SYSTEM security context. The driver currently assumes the Token member sits at offset 0x4b8: on a Windows build where the offset differs, the write lands on some other field of _EPROCESS and can crash the target process or the whole system. The author states this will be fixed in a future update; until then, confirm the offset on any new build with dt nt!_EPROCESS Token in WinDbg before loading the driver.

    image

  • The cmd.exe token after the swap

    image

  • The process's privileges, groups and rights after the swap

    image
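The mechanism described under Technical details and in the driver step above, as an added example that is not the Tokenizer project's code: a user-mode C model of the token swap. It maps a Windows build number to the EPROCESS.Token offset from the table, decodes the _EX_FAST_REF stored there, and overwrites the target's word with the System process's word, refusing to write when the offset is unknown (the crash case the page describes). Kernel objects are replaced by byte buffers, so it compiles with any C compiler; FakeEprocess, TokenOffsetForBuild, StealSystemToken, DemoSwap and the sample token values are assumptions made for the demo, and the build-number boundaries are the RTM build numbers of the listed releases (6000, 7600, 9200, 10240, 15063, 18362, 19041).

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from the Tokenizer project: a user-mode model of
 * what the driver does in kernel mode. _EPROCESS is replaced by an opaque
 * byte buffer (FakeEprocess); names and sample values are assumptions. */

/* _EX_FAST_REF: one pointer-sized word. Object and Value overlay the same
 * storage; RefCnt is the low bits that pointer alignment leaves free
 * (4 on x64, 3 on x86), so the object pointer is the word with them cleared. */
typedef union _EX_FAST_REF {
    void     *Object;
    uintptr_t Value;
} EX_FAST_REF;

#define EX_FAST_REF_BITS (sizeof(void *) == 8 ? 4u : 3u)
#define EX_FAST_REF_MASK ((uintptr_t)((1u << EX_FAST_REF_BITS) - 1u))

static uintptr_t ExFastRefObject(uintptr_t value) { return value & ~EX_FAST_REF_MASK; }
static unsigned  ExFastRefCount(uintptr_t value)  { return (unsigned)(value & EX_FAST_REF_MASK); }

/* EPROCESS.Token offset per Windows build number, from the table above.
 * 0 means "unknown build, do not touch memory". */
static size_t TokenOffsetForBuild(unsigned build, bool x64)
{
    if (x64) {
        if (build >= 19041) return 0x4B8; /* 2004 and later, incl. Windows 11 */
        if (build >= 18362) return 0x360; /* 1903 / 1909 */
        if (build >= 10240) return 0x358; /* 10.0 (1507) to 1809 */
        if (build >= 9200)  return 0x348; /* 6.2 to 6.3 */
        if (build >= 7600)  return 0x208; /* 6.1 */
        if (build >= 6000)  return 0x168; /* 6.0 */
    } else {
        if (build >= 19041) return 0x12C; /* 2004 and later */
        if (build >= 15063) return 0xFC;  /* 1703 to 1903 */
        if (build >= 10240) return 0xF4;  /* 10.0 to 1607 */
        if (build >= 9200)  return 0xEC;  /* 6.2 to 6.3 */
        if (build >= 7600)  return 0xF8;  /* 6.1 */
        if (build >= 6000)  return 0xE0;  /* 6.0 */
    }
    return 0;
}

/* Stand-in for _EPROCESS: only the Token word is modelled. */
#define FAKE_EPROCESS_SIZE 0x600
typedef struct { uint32_t Pid; uint8_t Raw[FAKE_EPROCESS_SIZE]; } FakeEprocess;

static FakeEprocess *LookupProcessByPid(FakeEprocess *list, size_t n, uint32_t pid)
{
    for (size_t i = 0; i < n; i++) if (list[i].Pid == pid) return &list[i];
    return NULL; /* the kernel's PsLookupProcessByProcessId would fail here */
}

static uintptr_t ReadTokenWord(const FakeEprocess *p, size_t off)
{
    uintptr_t v; memcpy(&v, p->Raw + off, sizeof v); return v;
}

typedef enum { SWAP_OK = 0, SWAP_BAD_OFFSET = 1, SWAP_NO_PROCESS = 2 } SwapStatus;

/* The work the driver does once the IOCTL delivers a PID. The offset guard is
 * the check the page says is missing: with a wrong offset the write lands on
 * some other _EPROCESS field and the system crashes. */
static SwapStatus StealSystemToken(FakeEprocess *procs, size_t n, uint32_t pid, size_t off)
{
    if (off == 0 || off + sizeof(uintptr_t) > FAKE_EPROCESS_SIZE) return SWAP_BAD_OFFSET;
    FakeEprocess *target = LookupProcessByPid(procs, n, pid);
    FakeEprocess *system = LookupProcessByPid(procs, n, 4); /* System is PID 4 */
    if (!target || !system) return SWAP_NO_PROCESS;
    /* Copy the whole word, RefCnt bits included, as token-stealing code does.
     * No reference is taken on the System token and the old token's reference
     * is never released; this only works because the System token lives for
     * the lifetime of the machine. */
    memcpy(target->Raw + off, system->Raw + off, sizeof(uintptr_t));
    return SWAP_OK;
}

/* Builds a two-process world (System and a "cmd.exe" with PID 1337) for the
 * given build, performs the swap, and returns cmd's token word in *after.
 * Token values are constructed sample data: fake pointer bits plus small
 * reference counts in the low bits. */
static SwapStatus DemoSwap(unsigned build, bool x64, uintptr_t *after)
{
    const uintptr_t systemToken = (uintptr_t)0xFFFF9A8012340000ULL | 0x7u;
    const uintptr_t cmdToken    = (uintptr_t)0xFFFF9A8056780000ULL | 0x3u;
    size_t off = TokenOffsetForBuild(build, x64);
    FakeEprocess procs[2] = { { .Pid = 4 }, { .Pid = 1337 } };
    if (off) {
        memcpy(procs[0].Raw + off, &systemToken, sizeof systemToken);
        memcpy(procs[1].Raw + off, &cmdToken, sizeof cmdToken);
    }
    SwapStatus st = StealSystemToken(procs, 2, 1337, off);
    *after = off ? ReadTokenWord(&procs[1], off) : 0;
    return st;
}

int main(void)
{
    uintptr_t tok;
    SwapStatus st = DemoSwap(19041, true, &tok);
    printf("build 19041 x64: status %d, cmd token object %#lx refcnt %u\n",
           (int)st, (unsigned long)ExFastRefObject(tok), ExFastRefCount(tok));
    st = DemoSwap(5000, true, &tok);
    printf("unknown build: status %d (swap refused)\n", (int)st);
    return 0;
}
```

In a real driver the same logic lives in the IOCTL dispatch routine: PsLookupProcessByProcessId supplies the two _EPROCESS pointers (released afterwards with ObDereferenceObject), the offset comes from a per-build table instead of a constant, and the refusal path completes the IRP with an error status rather than writing.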

DEMO

Tokenizer.mp4

Contributors

zeromemoryex
