Last minute bug fixes
Some weird things happened with the merge
0xbadjuju committed Jul 22, 2021
1 parent f6d9e83 commit 055b5dc
Showing 10 changed files with 123 additions and 11 deletions.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
22 changes: 11 additions & 11 deletions KernelTokens/KernelTokens/Tokens.c → KernelTokens/Tokens.c
@@ -20,9 +20,9 @@ VOID UnFreezeToken(ULONGLONG output[5])
KdPrint(("PEPROCESS Base Address : 0x%llp\r\n", ptrEProcess));
output[0] = (uintptr_t)ptrEProcess;

ULONG Flags2 = *((int*)((char*)ptrEProcess + 0x300));
KdPrint(("PEPROCESS Flags2 Offset : 0x%llp\r\n", (char*)ptrEProcess + 0x300));
output[1] = (uintptr_t)((char*)ptrEProcess + 0x300);
ULONG Flags2 = *((int*)((char*)ptrEProcess + 0x460));
KdPrint(("PEPROCESS Flags2 Offset : 0x%llp\r\n", (char*)ptrEProcess + 0x460));
output[1] = (uintptr_t)((char*)ptrEProcess + 0x460);

KdPrint(("Flags2 Original Value : 0x%x\r\n", Flags2));
output[2] = (uintptr_t)Flags2;
@@ -47,9 +47,9 @@ VOID UnFreezeTokenByPid(ULONG ProcessId, ULONGLONG output[5])
KdPrint(("PEPROCESS Base Address : 0x%llp\r\n", ptrEProcess));
output[0] = (uintptr_t)ptrEProcess;

ULONG Flags2 = *((int*)((char*)ptrEProcess + 0x300));
KdPrint(("PEPROCESS Flags2 Offset : 0x%llp\r\n", (char*)ptrEProcess + 0x300));
output[1] = (uintptr_t)((char*)ptrEProcess + 0x300);
ULONG Flags2 = *((int*)((char*)ptrEProcess + 0x460));
KdPrint(("PEPROCESS Flags2 Offset : 0x%llp\r\n", (char*)ptrEProcess + 0x460));
output[1] = (uintptr_t)((char*)ptrEProcess + 0x460);

KdPrint(("Flags2 Original Value : 0x%x\r\n", Flags2));
output[2] = (uintptr_t)Flags2;
@@ -67,9 +67,9 @@ VOID _UnfreezeToken(PEPROCESS ptrEProcess, ULONGLONG output[5])
KdPrint(("PEPROCESS Base Address : 0x%llp\r\n", ptrEProcess));
output[0] = (uintptr_t)ptrEProcess;

ULONG Flags2 = *((int*)((char*)ptrEProcess + 0x300));
KdPrint(("PEPROCESS Flags2 Offset : 0x%llp\r\n", (char*)ptrEProcess + 0x300));
output[1] = (uintptr_t)((char*)ptrEProcess + 0x300);
ULONG Flags2 = *((int*)((char*)ptrEProcess + 0x460));
KdPrint(("PEPROCESS Flags2 Offset : 0x%llp\r\n", (char*)ptrEProcess + 0x460));
output[1] = (uintptr_t)((char*)ptrEProcess + 0x460);

KdPrint(("Flags2 Original Value : 0x%x\r\n", Flags2));
output[2] = (uintptr_t)Flags2;
@@ -141,7 +141,7 @@ VOID AddTokenPrivilegeByPid(ULONG ProcessId, PRIVILEGES privilege, ULONGLONG out
KdPrint(("PEPROCESS Base Address : 0x%llp\r\n", ptrEProcess));
KdPrint(("PEPROCESS Base Address : 0x%llp\r\n", output[0]));

PVOID* ptrFastRef = ((char*)ptrEProcess + 0x358);
PVOID* ptrFastRef = ((char*)ptrEProcess + 0x4b8);
KdPrint(("EX_FAST_REF Base Address : 0x%llp\r\n", ptrFastRef));
output[1] = (uintptr_t)ptrFastRef;

@@ -177,7 +177,7 @@ VOID _AddTokenPrivilege(PEPROCESS ptrEProcess, PRIVILEGES privilege, ULONGLONG o
KdPrint(("PEPROCESS Base Address : 0x%llp\r\n", ptrEProcess));
KdPrint(("PEPROCESS Base Address : 0x%llp\r\n", output[0]));

PVOID* ptrFastRef = ((char*)ptrEProcess + 0x358);
PVOID* ptrFastRef = ((char*)ptrEProcess + 0x4b8);
KdPrint(("EX_FAST_REF Base Address : 0x%llp\r\n", ptrFastRef));
output[1] = (uintptr_t)ptrFastRef;

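Review bot: The EPROCESS offsets `0x460` (Flags2) and `0x4b8` (token EX_FAST_REF) remain bare literals, repeated across UnFreezeToken, UnFreezeTokenByPid, _UnfreezeToken, AddTokenPrivilegeByPid and _AddTokenPrivilege, and nothing visible in these hunks checks that the running kernel is the build they were taken from. EPROCESS is an undocumented structure whose layout differs between Windows builds, which this commit itself shows by moving away from 0x300/0x358, so on any other build these lines dereference (and, judging by the function names, presumably modify) an unrelated field in kernel memory, with a bugcheck or silent corruption as the likely result. I would define each value once, e.g. `#define EPROCESS_FLAGS2_OFFSET 0x460` and `#define EPROCESS_TOKEN_OFFSET 0x4b8`, with a comment naming the build they were verified on, and have each entry point return without touching the process object when the OS build does not match. As a smaller style point, `ULONG Flags2 = *((int*)...)` reads through a signed pointer into an unsigned variable; `*((ULONG*)...)` would match the declared type. The function bodies start and end outside the hunks, so an existing version check may simply be out of view.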
File renamed without changes.
94 changes: 94 additions & 0 deletions Tokenvator.sln
@@ -11,34 +11,128 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Solution Items", "Solution
MSBuild.xml = MSBuild.xml
EndProjectSection
EndProject
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "KernelTokens", "KernelTokens\KernelTokens.vcxproj", "{AF8ED9C5-71DA-43CB-92CF-A67050947DFA}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|Any CPU = Debug|Any CPU
Debug|ARM = Debug|ARM
Debug|ARM64 = Debug|ARM64
Debug|x64 = Debug|x64
Debug|x86 = Debug|x86
Debug-Net45|Any CPU = Debug-Net45|Any CPU
Debug-Net45|ARM = Debug-Net45|ARM
Debug-Net45|ARM64 = Debug-Net45|ARM64
Debug-Net45|x64 = Debug-Net45|x64
Debug-Net45|x86 = Debug-Net45|x86
Release|Any CPU = Release|Any CPU
Release|ARM = Release|ARM
Release|ARM64 = Release|ARM64
Release|x64 = Release|x64
Release|x86 = Release|x86
Release-Net45|Any CPU = Release-Net45|Any CPU
Release-Net45|ARM = Release-Net45|ARM
Release-Net45|ARM64 = Release-Net45|ARM64
Release-Net45|x64 = Release-Net45|x64
Release-Net45|x86 = Release-Net45|x86
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{0A1ADFEC-C824-4B97-9241-41C00CC2B982}.Debug|Any CPU.ActiveCfg = Release|Any CPU
{0A1ADFEC-C824-4B97-9241-41C00CC2B982}.Debug|Any CPU.Build.0 = Release|Any CPU
{0A1ADFEC-C824-4B97-9241-41C00CC2B982}.Debug|ARM.ActiveCfg = Debug|Any CPU
{0A1ADFEC-C824-4B97-9241-41C00CC2B982}.Debug|ARM.Build.0 = Debug|Any CPU
{0A1ADFEC-C824-4B97-9241-41C00CC2B982}.Debug|ARM64.ActiveCfg = Debug|Any CPU
{0A1ADFEC-C824-4B97-9241-41C00CC2B982}.Debug|ARM64.Build.0 = Debug|Any CPU
{0A1ADFEC-C824-4B97-9241-41C00CC2B982}.Debug|x64.ActiveCfg = Debug|x64
{0A1ADFEC-C824-4B97-9241-41C00CC2B982}.Debug|x64.Build.0 = Debug|x64
{0A1ADFEC-C824-4B97-9241-41C00CC2B982}.Debug|x86.ActiveCfg = Debug|Any CPU
{0A1ADFEC-C824-4B97-9241-41C00CC2B982}.Debug|x86.Build.0 = Debug|Any CPU
{0A1ADFEC-C824-4B97-9241-41C00CC2B982}.Debug-Net45|Any CPU.ActiveCfg = Debug-Net45|Any CPU
{0A1ADFEC-C824-4B97-9241-41C00CC2B982}.Debug-Net45|Any CPU.Build.0 = Debug-Net45|Any CPU
{0A1ADFEC-C824-4B97-9241-41C00CC2B982}.Debug-Net45|ARM.ActiveCfg = Debug-Net45|Any CPU
{0A1ADFEC-C824-4B97-9241-41C00CC2B982}.Debug-Net45|ARM.Build.0 = Debug-Net45|Any CPU
{0A1ADFEC-C824-4B97-9241-41C00CC2B982}.Debug-Net45|ARM64.ActiveCfg = Debug-Net45|Any CPU
{0A1ADFEC-C824-4B97-9241-41C00CC2B982}.Debug-Net45|ARM64.Build.0 = Debug-Net45|Any CPU
{0A1ADFEC-C824-4B97-9241-41C00CC2B982}.Debug-Net45|x64.ActiveCfg = Debug-Net45|x64
{0A1ADFEC-C824-4B97-9241-41C00CC2B982}.Debug-Net45|x64.Build.0 = Debug-Net45|x64
{0A1ADFEC-C824-4B97-9241-41C00CC2B982}.Debug-Net45|x86.ActiveCfg = Debug-Net45|Any CPU
{0A1ADFEC-C824-4B97-9241-41C00CC2B982}.Debug-Net45|x86.Build.0 = Debug-Net45|Any CPU
{0A1ADFEC-C824-4B97-9241-41C00CC2B982}.Release|Any CPU.ActiveCfg = Release|Any CPU
{0A1ADFEC-C824-4B97-9241-41C00CC2B982}.Release|Any CPU.Build.0 = Release|Any CPU
{0A1ADFEC-C824-4B97-9241-41C00CC2B982}.Release|ARM.ActiveCfg = Release|Any CPU
{0A1ADFEC-C824-4B97-9241-41C00CC2B982}.Release|ARM.Build.0 = Release|Any CPU
{0A1ADFEC-C824-4B97-9241-41C00CC2B982}.Release|ARM64.ActiveCfg = Release|Any CPU
{0A1ADFEC-C824-4B97-9241-41C00CC2B982}.Release|ARM64.Build.0 = Release|Any CPU
{0A1ADFEC-C824-4B97-9241-41C00CC2B982}.Release|x64.ActiveCfg = Release|x64
{0A1ADFEC-C824-4B97-9241-41C00CC2B982}.Release|x64.Build.0 = Release|x64
{0A1ADFEC-C824-4B97-9241-41C00CC2B982}.Release|x86.ActiveCfg = Release|Any CPU
{0A1ADFEC-C824-4B97-9241-41C00CC2B982}.Release|x86.Build.0 = Release|Any CPU
{0A1ADFEC-C824-4B97-9241-41C00CC2B982}.Release-Net45|Any CPU.ActiveCfg = Release-Net45|Any CPU
{0A1ADFEC-C824-4B97-9241-41C00CC2B982}.Release-Net45|Any CPU.Build.0 = Release-Net45|Any CPU
{0A1ADFEC-C824-4B97-9241-41C00CC2B982}.Release-Net45|ARM.ActiveCfg = Release-Net45|Any CPU
{0A1ADFEC-C824-4B97-9241-41C00CC2B982}.Release-Net45|ARM.Build.0 = Release-Net45|Any CPU
{0A1ADFEC-C824-4B97-9241-41C00CC2B982}.Release-Net45|ARM64.ActiveCfg = Release-Net45|Any CPU
{0A1ADFEC-C824-4B97-9241-41C00CC2B982}.Release-Net45|ARM64.Build.0 = Release-Net45|Any CPU
{0A1ADFEC-C824-4B97-9241-41C00CC2B982}.Release-Net45|x64.ActiveCfg = Release-Net45|x64
{0A1ADFEC-C824-4B97-9241-41C00CC2B982}.Release-Net45|x64.Build.0 = Release-Net45|x64
{0A1ADFEC-C824-4B97-9241-41C00CC2B982}.Release-Net45|x86.ActiveCfg = Release-Net45|Any CPU
{0A1ADFEC-C824-4B97-9241-41C00CC2B982}.Release-Net45|x86.Build.0 = Release-Net45|Any CPU
{AF8ED9C5-71DA-43CB-92CF-A67050947DFA}.Debug|Any CPU.ActiveCfg = Debug|Win32
{AF8ED9C5-71DA-43CB-92CF-A67050947DFA}.Debug|ARM.ActiveCfg = Debug|ARM
{AF8ED9C5-71DA-43CB-92CF-A67050947DFA}.Debug|ARM.Build.0 = Debug|ARM
{AF8ED9C5-71DA-43CB-92CF-A67050947DFA}.Debug|ARM.Deploy.0 = Debug|ARM
{AF8ED9C5-71DA-43CB-92CF-A67050947DFA}.Debug|ARM64.ActiveCfg = Debug|ARM64
{AF8ED9C5-71DA-43CB-92CF-A67050947DFA}.Debug|ARM64.Build.0 = Debug|ARM64
{AF8ED9C5-71DA-43CB-92CF-A67050947DFA}.Debug|ARM64.Deploy.0 = Debug|ARM64
{AF8ED9C5-71DA-43CB-92CF-A67050947DFA}.Debug|x64.ActiveCfg = Debug|x64
{AF8ED9C5-71DA-43CB-92CF-A67050947DFA}.Debug|x64.Build.0 = Debug|x64
{AF8ED9C5-71DA-43CB-92CF-A67050947DFA}.Debug|x64.Deploy.0 = Debug|x64
{AF8ED9C5-71DA-43CB-92CF-A67050947DFA}.Debug|x86.ActiveCfg = Debug|Win32
{AF8ED9C5-71DA-43CB-92CF-A67050947DFA}.Debug|x86.Build.0 = Debug|Win32
{AF8ED9C5-71DA-43CB-92CF-A67050947DFA}.Debug|x86.Deploy.0 = Debug|Win32
{AF8ED9C5-71DA-43CB-92CF-A67050947DFA}.Debug-Net45|Any CPU.ActiveCfg = Debug|Win32
{AF8ED9C5-71DA-43CB-92CF-A67050947DFA}.Debug-Net45|Any CPU.Build.0 = Debug|Win32
{AF8ED9C5-71DA-43CB-92CF-A67050947DFA}.Debug-Net45|Any CPU.Deploy.0 = Debug|Win32
{AF8ED9C5-71DA-43CB-92CF-A67050947DFA}.Debug-Net45|ARM.ActiveCfg = Debug|ARM
{AF8ED9C5-71DA-43CB-92CF-A67050947DFA}.Debug-Net45|ARM.Build.0 = Debug|ARM
{AF8ED9C5-71DA-43CB-92CF-A67050947DFA}.Debug-Net45|ARM.Deploy.0 = Debug|ARM
{AF8ED9C5-71DA-43CB-92CF-A67050947DFA}.Debug-Net45|ARM64.ActiveCfg = Debug|ARM64
{AF8ED9C5-71DA-43CB-92CF-A67050947DFA}.Debug-Net45|ARM64.Build.0 = Debug|ARM64
{AF8ED9C5-71DA-43CB-92CF-A67050947DFA}.Debug-Net45|ARM64.Deploy.0 = Debug|ARM64
{AF8ED9C5-71DA-43CB-92CF-A67050947DFA}.Debug-Net45|x64.ActiveCfg = Debug|x64
{AF8ED9C5-71DA-43CB-92CF-A67050947DFA}.Debug-Net45|x64.Build.0 = Debug|x64
{AF8ED9C5-71DA-43CB-92CF-A67050947DFA}.Debug-Net45|x64.Deploy.0 = Debug|x64
{AF8ED9C5-71DA-43CB-92CF-A67050947DFA}.Debug-Net45|x86.ActiveCfg = Debug|Win32
{AF8ED9C5-71DA-43CB-92CF-A67050947DFA}.Debug-Net45|x86.Build.0 = Debug|Win32
{AF8ED9C5-71DA-43CB-92CF-A67050947DFA}.Debug-Net45|x86.Deploy.0 = Debug|Win32
{AF8ED9C5-71DA-43CB-92CF-A67050947DFA}.Release|Any CPU.ActiveCfg = Release|Win32
{AF8ED9C5-71DA-43CB-92CF-A67050947DFA}.Release|ARM.ActiveCfg = Release|ARM
{AF8ED9C5-71DA-43CB-92CF-A67050947DFA}.Release|ARM.Build.0 = Release|ARM
{AF8ED9C5-71DA-43CB-92CF-A67050947DFA}.Release|ARM.Deploy.0 = Release|ARM
{AF8ED9C5-71DA-43CB-92CF-A67050947DFA}.Release|ARM64.ActiveCfg = Release|ARM64
{AF8ED9C5-71DA-43CB-92CF-A67050947DFA}.Release|ARM64.Build.0 = Release|ARM64
{AF8ED9C5-71DA-43CB-92CF-A67050947DFA}.Release|ARM64.Deploy.0 = Release|ARM64
{AF8ED9C5-71DA-43CB-92CF-A67050947DFA}.Release|x64.ActiveCfg = Release|x64
{AF8ED9C5-71DA-43CB-92CF-A67050947DFA}.Release|x64.Build.0 = Release|x64
{AF8ED9C5-71DA-43CB-92CF-A67050947DFA}.Release|x64.Deploy.0 = Release|x64
{AF8ED9C5-71DA-43CB-92CF-A67050947DFA}.Release|x86.ActiveCfg = Release|Win32
{AF8ED9C5-71DA-43CB-92CF-A67050947DFA}.Release|x86.Build.0 = Release|Win32
{AF8ED9C5-71DA-43CB-92CF-A67050947DFA}.Release|x86.Deploy.0 = Release|Win32
{AF8ED9C5-71DA-43CB-92CF-A67050947DFA}.Release-Net45|Any CPU.ActiveCfg = Debug|Win32
{AF8ED9C5-71DA-43CB-92CF-A67050947DFA}.Release-Net45|Any CPU.Build.0 = Debug|Win32
{AF8ED9C5-71DA-43CB-92CF-A67050947DFA}.Release-Net45|Any CPU.Deploy.0 = Debug|Win32
{AF8ED9C5-71DA-43CB-92CF-A67050947DFA}.Release-Net45|ARM.ActiveCfg = Release|ARM
{AF8ED9C5-71DA-43CB-92CF-A67050947DFA}.Release-Net45|ARM.Build.0 = Release|ARM
{AF8ED9C5-71DA-43CB-92CF-A67050947DFA}.Release-Net45|ARM.Deploy.0 = Release|ARM
{AF8ED9C5-71DA-43CB-92CF-A67050947DFA}.Release-Net45|ARM64.ActiveCfg = Release|ARM64
{AF8ED9C5-71DA-43CB-92CF-A67050947DFA}.Release-Net45|ARM64.Build.0 = Release|ARM64
{AF8ED9C5-71DA-43CB-92CF-A67050947DFA}.Release-Net45|ARM64.Deploy.0 = Release|ARM64
{AF8ED9C5-71DA-43CB-92CF-A67050947DFA}.Release-Net45|x64.ActiveCfg = Release|x64
{AF8ED9C5-71DA-43CB-92CF-A67050947DFA}.Release-Net45|x64.Build.0 = Release|x64
{AF8ED9C5-71DA-43CB-92CF-A67050947DFA}.Release-Net45|x64.Deploy.0 = Release|x64
{AF8ED9C5-71DA-43CB-92CF-A67050947DFA}.Release-Net45|x86.ActiveCfg = Release|Win32
{AF8ED9C5-71DA-43CB-92CF-A67050947DFA}.Release-Net45|x86.Build.0 = Release|Win32
{AF8ED9C5-71DA-43CB-92CF-A67050947DFA}.Release-Net45|x86.Deploy.0 = Release|Win32
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
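Review bot: The KernelTokens rows for `Release-Net45|Any CPU` map ActiveCfg, Build.0 and Deploy.0 to `Debug|Win32`, so a release build of the solution under Any CPU builds and deploys a debug driver, while every other Release row for that project maps to a Release configuration. Assuming the driver's Debug configuration defines DBG, the `KdPrint` calls in Tokens.c are compiled in and write EPROCESS and token addresses to the kernel debug output in what is labelled a release build. I would point the three rows at `Release|Win32`, or drop Build.0 and Deploy.0 as the plain `Release|Any CPU` row does. The `{0A1ADFEC-C824-4B97-9241-41C00CC2B982}` project's `Debug|Any CPU` rows likewise map to `Release|Any CPU`, which looks like the same kind of slip, though the page does not show which of these rows the commit added.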
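--- a/Tokenvator/Tokenvator.crproj
+++ b/Tokenvator/Tokenvator.crproj
@@ -0,0 +1,18 @@
+<project outputDir="bin\Confused" baseDir="." xmlns="http://confuser.codeplex.com">
+<rule pattern="true" preset="maximum" inherit="false">
+<protection id="anti debug" />
+<protection id="anti dump" />
+<protection id="anti ildasm" />
+<protection id="anti tamper" />
+<protection id="constants" />
+<protection id="ctrl flow" />
+<protection id="harden" />
+<protection id="invalid metadata" />
+<protection id="ref proxy" />
+<protection id="resources" />
+<protection id="typescramble" />
+<protection id="rename" />
+<protection id="watermark" />
+</rule>
+<module path="bin\x64\Release-Net45\Tokenvator.exe" />
+</project>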
