Kernel mode WinDbg extension and PoCs for token privilege investigation.

Overview

PrivFu

Kernel mode WinDbg extension and PoCs for testing how token privileges work.

There are notable repository and articles about token privilege abuse such Grzegorz Tworek's Priv2Admin. Codes in this repository are intended to help investigate how token privileges work.

Table Of Contents

PrivEditor

PrivEditor is kernel mode WinDbg extension to manipulate token privilege of specific process. This extension makes it easy to configure the token privilege you want to investigate.

0: kd> .load C:\dev\PrivEditor\x64\Release\PrivEditor.dll

PrivEditor - Kernel Mode WinDbg extension for token privilege edit.

Commands :
    + !getps       : List processes in target system.
    + !getpriv     : List privileges of a process.
    + !addpriv     : Add privilege(s) to a process.
    + !rmpriv      : Remove privilege(s) from a process.
    + !enablepriv  : Enable privilege(s) of a process.
    + !disablepriv : Disable privilege(s) of a process.
    + !enableall   : Enable all privileges available to a process.
    + !disableall  : Disable all privileges available to a process.

[*] To see command help, execute "!<Command> help" or "!<Command> /?".

WARNING This extension supports both x64 and x86 OS as debug target, but not supports x86 WinDbg.

getps Command

This command is to list processes in your target system.

0: kd> !getps /?

!getps - List processes in target system.

Usage : !getps [Process Name]

    Process Name : (OPTIONAL) Specifies filter string for process name.

If you execute this command without any arguments, this command list all processes in your target system as follows:

0: kd> !getps

   PID        nt!_EPROCESS nt!_SEP_TOKEN_PRIVILEGES Process Name
====== =================== ======================== ============
     0 0xfffff801`3a633630      0x00000000`00000000 System Idle Process
     4 0xffffe588`db068380      0xffffa68a`fd007a40 System
     8 0xffffe588`e0833440      0xffffa68b`016db7b0 vmtoolsd.exe
    88 0xffffe588`db0ea080      0xffffa68a`fd00d080 Registry
   312 0xffffe588`de396400      0xffffa68a`fd0aa990 smss.exe
   348 0xffffe588`db0b4080      0xffffa68b`01fc4770 svchost.exe
   380 0xffffe588`df5c73c0      0xffffa68b`00a640a0 svchost.exe
   396 0xffffe588`de4f3140      0xffffa68a`fda5a630 csrss.exe
   464 0xffffe588`df5be340      0xffffa68b`00a14a40 svchost.exe

--snip--

If you want to know specific processes, set string filter as follows. The filter works with forward matching and case insensitive.

0: kd> !getps micro

   PID        nt!_EPROCESS nt!_SEP_TOKEN_PRIVILEGES Process Name
====== =================== ======================== ============
  4456 0xffffe588`e04cd080      0xffffa68b`020617b0 MicrosoftEdge.exe
  4912 0xffffe588`e06832c0      0xffffa68b`02607930 MicrosoftEdgeCP.exe
  4944 0xffffe588`e06ad080      0xffffa68b`0255b2c0 MicrosoftEdgeSH.exe

getriv Command

This command is to list token privileges of a specific process.

0: kd> !getpriv /?

!getpriv - List privileges of a process.

Usage : !getpriv <PID>

    PID : Specifies target process ID.

To use this command, you need to set a target process ID in decimal format as follows:

0: kd> !getpriv 5328

Privilege Name                             State
========================================== ========
SeShutdownPrivilege                        Disabled
SeChangeNotifyPrivilege                    Enabled
SeUndockPrivilege                          Disabled
SeIncreaseWorkingSetPrivilege              Disabled
SeTimeZonePrivilege                        Disabled

[*] PID                      : 5328
[*] Process Name             : cmd.exe
[*] nt!_EPROCESS             : 0xffffe588`e043b480
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffa68b`029ab7f0

addpriv Command

This command is to add token privilege(s) to a specific process.

0: kd> !addpriv /?

!addpriv - Add privilege(s) to a process.

Usage : !addpriv <PID> <Privilege>

    PID       : Specifies target process ID.
    Privilege : Specifies privilege to enable (case insensitive). Available privileges are following.

        + CreateToken                    : SeCreateTokenPrivilege.
        + AssignPrimaryToken             : SeAssignPrimaryTokenPrivilege.
        + LockMemory                     : SeLockMemoryPrivilege.
        + IncreaseQuota                  : SeIncreaseQuotaPrivilege.
        + MachineAccount                 : SeMachineAccountPrivilege.
        + Tcb                            : SeTcbPrivilege.
        + Security                       : SeSecurityPrivilege.
        + TakeOwnership                  : SeTakeOwnershipPrivilege.
        + LoadDriver                     : SeLoadDriverPrivilege.
        + SystemProfile                  : SeSystemProfilePrivilege.
        + Systemtime                     : SeSystemtimePrivilege.
        + ProfileSingleProcess           : SeProfileSingleProcessPrivilege.
        + IncreaseBasePriority           : SeIncreaseBasePriorityPrivilege.
        + CreatePagefile                 : SeCreatePagefilePrivilege.
        + CreatePermanent                : SeCreatePermanentPrivilege.
        + Backup                         : SeBackupPrivilege.
        + Restore                        : SeRestorePrivilege.
        + Shutdown                       : SeShutdownPrivilege.
        + Debug                          : SeDebugPrivilege.
        + Audit                          : SeAuditPrivilege.
        + SystemEnvironment              : SeSystemEnvironmentPrivilege.
        + ChangeNotify                   : SeChangeNotifyPrivilege.
        + RemoteShutdown                 : SeRemoteShutdownPrivilege.
        + Undock                         : SeUndockPrivilege.
        + SyncAgent                      : SeSyncAgentPrivilege.
        + EnableDelegation               : SeEnableDelegationPrivilege.
        + ManageVolume                   : SeManageVolumePrivilege.
        + Impersonate                    : SeImpersonatePrivilege.
        + CreateGlobal                   : SeCreateGlobalPrivilege.
        + TrustedCredManAccess           : SeTrustedCredManAccessPrivilege.
        + Relabel                        : SeRelabelPrivilege.
        + IncreaseWorkingSet             : SeIncreaseWorkingSetPrivilege.
        + TimeZone                       : SeTimeZonePrivilege.
        + CreateSymbolicLink             : SeCreateSymbolicLinkPrivilege.
        + DelegateSessionUserImpersonate : SeDelegateSessionUserImpersonatePrivilege.
        + All                            : All privileges.

For example, if you want to set SeDebugPrivilege to a specific process, set a target process ID for the first argument and shorten privilege name debug as listed in the help message for second argument as follows:

0: kd> !getpriv 5768

Privilege Name                             State
========================================== ========
SeShutdownPrivilege                        Disabled
SeChangeNotifyPrivilege                    Enabled
SeUndockPrivilege                          Disabled
SeIncreaseWorkingSetPrivilege              Disabled
SeTimeZonePrivilege                        Disabled

[*] PID                      : 5768
[*] Process Name             : cmd.exe
[*] nt!_EPROCESS             : 0xffffb386`47e584c0
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffff9f04`76caa0a0

0: kd> !addpriv 5768 debug

[>] Trying to add the requested privilege(s).
[*] Completed.

0: kd> !getpriv 5768

Privilege Name                             State
========================================== ========
SeShutdownPrivilege                        Disabled
SeDebugPrivilege                           Disabled
SeChangeNotifyPrivilege                    Enabled
SeUndockPrivilege                          Disabled
SeIncreaseWorkingSetPrivilege              Disabled
SeTimeZonePrivilege                        Disabled

[*] PID                      : 5768
[*] Process Name             : cmd.exe
[*] nt!_EPROCESS             : 0xffffb386`47e584c0
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffff9f04`76caa0a0

The privilege name argument is case insensitive.

If you want to add all token privileges at a time, set all as the privilege name argument:

0: kd> !addpriv 6488 all

[>] Trying to add the requested privilege(s).
[*] Completed.

0: kd> !getpriv 6488

Privilege Name                             State
========================================== ========
SeCreateTokenPrivilege                     Disabled
SeAssignPrimaryTokenPrivilege              Disabled
SeLockMemoryPrivilege                      Disabled
SeIncreaseQuotaPrivilege                   Disabled
SeMachineAccountPrivilege                  Disabled
SeTcbPrivilege                             Disabled
SeSecurityPrivilege                        Disabled

--snip--

rmpriv Command

This command is to remove token privilege(s) from a specific process.

0: kd> !rmpriv /?

!rmpriv - Remove privilege(s) from a process.

Usage : !rmpriv <PID> <Privilege>

    PID       : Specifies target process ID.
    Privilege : Specifies privilege to enable (case insensitive). Available privileges are following.

        + CreateToken                    : SeCreateTokenPrivilege.
        + AssignPrimaryToken             : SeAssignPrimaryTokenPrivilege.
        + LockMemory                     : SeLockMemoryPrivilege.

--snip--

If you want to remove SeChangeNotifyPrivilege, execute this command as follows:

0: kd> !getpriv 6792

Privilege Name                             State
========================================== ========
SeShutdownPrivilege                        Disabled
SeChangeNotifyPrivilege                    Enabled
SeUndockPrivilege                          Disabled
SeIncreaseWorkingSetPrivilege              Disabled
SeTimeZonePrivilege                        Disabled

[*] PID                      : 6792
[*] Process Name             : cmd.exe
[*] nt!_EPROCESS             : 0xffffd507`ab755080
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffb708`d69c2930

0: kd> !rmpriv 6792 changenotify

[>] Trying to delete the requested privilege(s).
[*] Completed.

0: kd> !getpriv 6792

Privilege Name                             State
========================================== ========
SeShutdownPrivilege                        Disabled
SeUndockPrivilege                          Disabled
SeIncreaseWorkingSetPrivilege              Disabled
SeTimeZonePrivilege                        Disabled

[*] PID                      : 6792
[*] Process Name             : cmd.exe
[*] nt!_EPROCESS             : 0xffffd507`ab755080
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffb708`d69c2930

As !addpriv command, you can remove all token privileges at a time by setting all as the privilege name argument:

0: kd> !rmpriv 6792 all

[>] Trying to delete the requested privilege(s).
[*] Completed.

0: kd> !getpriv 6792

Privilege Name                             State
========================================== ========

[*] PID                      : 6792
[*] Process Name             : cmd.exe
[*] nt!_EPROCESS             : 0xffffd507`ab755080
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffb708`d69c2930

enablepriv Command

This command is to enable token privilege(s) of a specific process.

0: kd> !enablepriv /?

!enablepriv - Enable privilege(s) of a process.

Usage : !enablepriv <PID> <Privilege>

    PID       : Specifies target process ID.
    Privilege : Specifies privilege to enable (case insensitive). Available privileges are following.

        + CreateToken                    : SeCreateTokenPrivilege.
        + AssignPrimaryToken             : SeAssignPrimaryTokenPrivilege.
        + LockMemory                     : SeLockMemoryPrivilege.

--snip--

The first argument is for process ID, and the second is for token privilege name.

0: kd> !getpriv 3792

Privilege Name                             State
========================================== ========
SeShutdownPrivilege                        Disabled
SeChangeNotifyPrivilege                    Enabled
SeUndockPrivilege                          Disabled
SeIncreaseWorkingSetPrivilege              Disabled
SeTimeZonePrivilege                        Disabled

[*] PID                      : 3792
[*] Process Name             : cmd.exe
[*] nt!_EPROCESS             : 0xffffd507`aaed9080
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffb708`d72ab8a0

0: kd> !enablepriv 3792 timezone

[>] Trying to enable the requested privilege(s).
[*] Completed.

0: kd> !getpriv 3792

Privilege Name                             State
========================================== ========
SeShutdownPrivilege                        Disabled
SeChangeNotifyPrivilege                    Enabled
SeUndockPrivilege                          Disabled
SeIncreaseWorkingSetPrivilege              Disabled
SeTimeZonePrivilege                        Enabled

[*] PID                      : 3792
[*] Process Name             : cmd.exe
[*] nt!_EPROCESS             : 0xffffd507`aaed9080
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffb708`d72ab8a0

If you tried to enable privilege(s), not added yet, this command adds it automatically.

0: kd> !getpriv 3792

Privilege Name                             State
========================================== ========
SeShutdownPrivilege                        Disabled
SeChangeNotifyPrivilege                    Enabled
SeUndockPrivilege                          Disabled
SeIncreaseWorkingSetPrivilege              Disabled
SeTimeZonePrivilege                        Enabled

[*] PID                      : 3792
[*] Process Name             : cmd.exe
[*] nt!_EPROCESS             : 0xffffd507`aaed9080
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffb708`d72ab8a0

0: kd> !enablepriv 3792 debug

[*] Requested privilege is not present.
[>] Adding the requested privilege(s).
[>] Trying to enable the requested privilege(s).
[*] Completed.

0: kd> !getpriv 3792

Privilege Name                             State
========================================== ========
SeShutdownPrivilege                        Disabled
SeDebugPrivilege                           Enabled
SeChangeNotifyPrivilege                    Enabled
SeUndockPrivilege                          Disabled
SeIncreaseWorkingSetPrivilege              Disabled
SeTimeZonePrivilege                        Enabled

[*] PID                      : 3792
[*] Process Name             : cmd.exe
[*] nt!_EPROCESS             : 0xffffd507`aaed9080
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffb708`d72ab8a0

disablepriv Command

This command is to disable token privilege(s) of a specific process.

0: kd> !disablepriv /?

!disablepriv - Disable privilege(s) of a process.

Usage : !disablepriv <PID> <Privilege>

    PID       : Specifies target process ID.
    Privilege : Specifies privilege to enable (case insensitive). Available privileges are following.

        + CreateToken                    : SeCreateTokenPrivilege.
        + AssignPrimaryToken             : SeAssignPrimaryTokenPrivilege.
        + LockMemory                     : SeLockMemoryPrivilege.

--snip--

To use this command, set a target process ID for the first argument and token privilege name for the second argument.

0: kd> !getpriv 3792

Privilege Name                             State
========================================== ========
SeShutdownPrivilege                        Disabled
SeChangeNotifyPrivilege                    Enabled
SeUndockPrivilege                          Disabled
SeIncreaseWorkingSetPrivilege              Disabled

[*] PID                      : 3792
[*] Process Name             : cmd.exe
[*] nt!_EPROCESS             : 0xffffd507`aaed9080
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffb708`d72ab8a0

0: kd> !disablepriv 3792 changenotify

[>] Trying to disable the requested privilege(s).
[*] Completed.

0: kd> !getpriv 3792

Privilege Name                             State
========================================== ========
SeShutdownPrivilege                        Disabled
SeChangeNotifyPrivilege                    Disabled
SeUndockPrivilege                          Disabled
SeIncreaseWorkingSetPrivilege              Disabled

[*] PID                      : 3792
[*] Process Name             : cmd.exe
[*] nt!_EPROCESS             : 0xffffd507`aaed9080
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffb708`d72ab8a0

enableall Command

This command is to enable all token privilege(s) available for a specific process.

0: kd> !enableall /?

!enableall - Enable all privileges available to a process.

Usage : !enableall <PID>

    PID       : Specifies target process ID.

It works as follows:

0: kd> !getpriv 3792

Privilege Name                             State
========================================== ========
SeShutdownPrivilege                        Disabled
SeChangeNotifyPrivilege                    Disabled
SeUndockPrivilege                          Disabled
SeIncreaseWorkingSetPrivilege              Disabled

[*] PID                      : 3792
[*] Process Name             : cmd.exe
[*] nt!_EPROCESS             : 0xffffd507`aaed9080
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffb708`d72ab8a0

0: kd> !enableall 3792

[>] Trying to enable all available privileges.
[*] Completed.

0: kd> !getpriv 3792

Privilege Name                             State
========================================== ========
SeShutdownPrivilege                        Enabled
SeChangeNotifyPrivilege                    Enabled
SeUndockPrivilege                          Enabled
SeIncreaseWorkingSetPrivilege              Enabled

[*] PID                      : 3792
[*] Process Name             : cmd.exe
[*] nt!_EPROCESS             : 0xffffd507`aaed9080
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffb708`d72ab8a0

disableall Command

This command is to disable all token privilege(s) for a specific process.

0: kd> !disableall /?

!disableall - Disable all privileges available to a process.

Usage : !disableall <PID>

    PID : Specifies target process ID.

This command is equivalent to !disablepriv <PID> all. Works as follows:

0: kd> !getpriv 3792

Privilege Name                             State
========================================== ========
SeShutdownPrivilege                        Enabled
SeChangeNotifyPrivilege                    Enabled
SeUndockPrivilege                          Enabled
SeIncreaseWorkingSetPrivilege              Enabled

[*] PID                      : 3792
[*] Process Name             : cmd.exe
[*] nt!_EPROCESS             : 0xffffd507`aaed9080
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffb708`d72ab8a0

0: kd> !disableall 3792

[>] Trying to disable all available privileges.
[*] Completed.

0: kd> !getpriv 3792

Privilege Name                             State
========================================== ========
SeShutdownPrivilege                        Disabled
SeChangeNotifyPrivilege                    Disabled
SeUndockPrivilege                          Disabled
SeIncreaseWorkingSetPrivilege              Disabled

[*] PID                      : 3792
[*] Process Name             : cmd.exe
[*] nt!_EPROCESS             : 0xffffd507`aaed9080
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffb708`d72ab8a0

PrivilegedOperations

This project is PoCs for sensitive token privileges such SeDebugPrivilege. Currently, released PoCs for a part of them.

Program Name Description
SeCreateTokenPrivilegePoC This PoC creates a elevated token by SeCreateTokenPrivilege.
SeRestorePrivilegePoC This PoC opens a handle to privileged registry key (HKLM:\SYSTEM\CurrentControlSet\Services\dmwappushservice\Parameters) with REG_OPTION_BACKUP_RESTORE flag by SeRestorePrivilege.
SeDebugPrivilegePoC This PoC opens a handle to winlogon.exe by SeDebugPrivilege.

Reference

Acknowledgments

Thanks for your advices about WinDbg extension programming:

Thanks for your notable research:

Windows kernel information leakage POCs on Windows 10 RS1+

This repository covers various techniques and methods I write while conducting research into infoleaks, these are for leaking various Windows kernel a

null 2 Jun 15, 2022
Loads a signed kernel driver which allows you to map any driver to kernel mode without any traces of the signed / mapped driver.

CosMapper Loads a signed kernel driver (signed with leaked cert) which allows you to map any driver to kernel mode without any traces of the signed /

null 103 Jun 20, 2022
If the button pressed esp will reset and App mode will on. App mode will on then led will on, network is connected led will off.

DHT22-to-Google-sheet-Reset-Using-ESP8266-LED-Switch If button pressed esp will reset and App mode will on. App mode will on then led will on, network

Md. Harun-Or-Rashid 4 Oct 5, 2021
Protect your Discord token from malicious grabbers!

Discord Token Protector Protect your Discord token from malicious grabbers! This project is still under development! You might face some unstability i

Andro24 147 Jun 23, 2022
Advanced C++ Discord Token Grabber ( FUD )

DTGPlusPlus C++ Discord Token Grabber ( FUD ) ?? Features » High Speed High Execution Rate Using Win32 API Low Size Without Dependence ( Support Win X

null 6 Nov 9, 2021
Stop getting your token grabbed.

DiscordAntiScam Stop getting your token grabbed. The general idea is this is a MiniFilter, which intercepts file operations, and will block programs a

null 9 Jun 17, 2022
Advanced discord token grabber builder with GUI

Token-Grabber-Builder Advanced discord token grabber builder with GUI Screenshot Features Hidden console High execution speed Grab discord tokens Stea

RadonCoding 2 Dec 2, 2021
The Kernel-Mode Winsock library, supporting TCP, UDP and Unix sockets (DGRAM and STREAM).

libwsk 简体中文 About libwsk is a wrapper for the WSK (Winsock-Kernel) interface. With libwsk, kernel-mode software modules can perform network I/O operat

MeeSong 101 Jun 14, 2022
x64 Windows kernel code execution via user-mode, arbitrary syscall, vulnerable IOCTLs demonstration

anycall x64 Windows kernel code execution via user-mode, arbitrary syscall, vulnerable IOCTLs demonstration Read: https://www.godeye.club/2021/05/14/0

Kento Oki 134 Jun 17, 2022
privacier - cs:go kernel mode cheat

privacier - cs:go kernel mode cheat Simple CS:GO Cheat based on IOCTL driver with pretty simple features to practice in development. Goals Using lazy_

Stepan Kuznetsov 19 Jun 24, 2022
Windows kernel-mode driver emulating well-known USB game controllers.

Windows kernel-mode driver emulating well-known USB game controllers.

Virtual Gamepad Emulation Framework 1.4k Jun 24, 2022
Local Privilege Escalation Edition for CVE-2021-1675

Local Privilege Escalation Edition of CVE-2021-1675/CVE-2021-34527 Local Privilege Escalation implementation of the CVE-2021-1675/CVE-2021-34527 (a.k.

Halil Dalabasmaz 329 Jun 15, 2022
Bring your own print driver privilege escalation tool

Concealed Position Concealed Position is a local privilege escalation attack against Windows using the concept of "Bring Your Own Vulnerability". Spec

Jacob Baines 206 Jun 16, 2022
SystemGap - Maintenance Tools after privilege escalation

SystemGap 适用于解决不稳定Windows漏洞提权成功后进行权限驻守的办法 SystemGap - 监听者 SystemGap 负责监听一个任意用户可读写的匿名管道,从管道中读取命令进行执行 SystemGapClient - 发送者 SystemGapClient 负责向匿名管道中传入指令

倾旋 36 Jun 14, 2022
PoC (DoS) for CVE-2021-40449 - Win32k Elevation of Privilege Vulnerability (LPE)

CallbackHell DoS PoC for CVE-2021-40449 (Win32k - LPE) CallbackHell Description Technical Writeup PoC References Description CVE-2021-40449 is a use-a

Oliver Lyak 406 Jun 21, 2022
CVE-2021-24084 Windows Local Privilege Escalation Left officially unpatched since 2020. Hence, its still a zero day

WindowsMDM-LPE-0Day Works best on Windows 11 CVE-2021-24084 Windows Local Privilege Escalation Left officially unpatched since 2020. Hence, its still

Exploit Blizzard 24 May 1, 2022
Exploit for CVE-2021-40449 - Win32k Elevation of Privilege Vulnerability (LPE)

CallbackHell Exploit for CVE-2021-40449 (Win32k - LPE) CallbackHell Description Technical Writeup PoC References Description CVE-2021-40449 is a use-a

Oliver Lyak 406 Jun 21, 2022
Just another "Won't Fix" Windows Privilege Escalation from User to Domain Admin.

RemotePotato0 Just another "Won't Fix" Windows Privilege Escalation from User to Domain Admin. RemotePotato0 is an exploit that allows you to escalate

null 1.1k Jun 24, 2022
CVE-2021-4034 One day for the polkit privilege escalation exploit

CVE-2021-4034 One day for the polkit privilege escalation exploit Just execute make, ./cve-2021-4034 and enjoy your root shell. The original advisory

Davide Berardi 1.6k Jun 22, 2022