Michael B. DownWithUp
DownWithUp
/ ProcessStateChangeTests.c
Created
August 20, 2020 01:17
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <Windows.h> | |
| #include <winternl.h> | |
| #include <stdio.h> | |
| // Looking at the disassembly, Unknown must be 0? | |
| typedef NTSTATUS (__fastcall* NtCreateProcessStateChange)(OUT PHANDLE StateChangeHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, IN HANDLE ProcessHandle, IN INT Unknown); | |
| /* | |
| New type of object (and therefore handle) type PspProcessStateChangeType | |
| If wanting to suspend/resume: |
hfiref0x
/ akagi_58a.c
Created
October 23, 2019 16:27
UAC bypass using EditionUpgradeManager COM interface
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| typedef interface IEditionUpgradeManager IEditionUpgradeManager; | |
| typedef struct IEditionUpgradeManagerVtbl { | |
| BEGIN_INTERFACE | |
| HRESULT(STDMETHODCALLTYPE *QueryInterface)( | |
| __RPC__in IEditionUpgradeManager * This, | |
| __RPC__in REFIID riid, |
mattifestation
/ NiftyETWProviders.json
Created
December 21, 2018 19:27
ETW providers you never knew existed...
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [ | |
| { | |
| "ProviderGUID": "72d164bf-fd64-4b2b-87a0-62dbcec9ae2a", | |
| "ProviderName": "AccEventTool", | |
| "ProviderGroupGUID": "4f50731a-89cf-4782-b3e0-dce8c90476ba", | |
| "AssociatedFilenames": [ | |
| "accevent.exe", | |
| "inspect.exe", | |
| "narrator.exe", | |
| "srh.dll" |
j00ru
/ WCTF_2018_searchme_exploit.cpp
Created
July 18, 2018 14:09
WCTF 2018 "searchme" exploit by Mateusz "j00ru" Jurczyk
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // WCTF 2018 "searchme" task exploit | |
| // | |
| // Author: Mateusz "j00ru" Jurczyk | |
| // Date: 6 July 2018 | |
| // Tested on: Windows 10 1803 (10.0.17134.165) | |
| // | |
| // See also: https://j00ru.vexillium.org/2018/07/exploiting-a-windows-10-pagedpool-off-by-one/ | |
| #include <Windows.h> | |
| #include <winternl.h> | |
| #include <ntstatus.h> |