
Obtain remote process cookies by performing a brute-force attack on ntdll.RtlDecodePointer using known pointer encodings.


Remote Process Cookie for Windows 7

Summary

Remote process cookies can be obtained by brute-forcing the cookie input of a re-implemented ntdll.RtlDecodePointer, using known pointer encodings (pointers whose plain and encoded values are both known) as control variables.

Usage

The project contains a simple debugger and a test program. The debugger creates a debugged process from a user-selected file, determines the created process's local cookie during the system breakpoint debug event, prints the cookie value, and then detaches. The test program calls NtQueryInformationProcess with PROCESS_INFORMATION_CLASS = 0x24 (ProcessCookie) to print its own local process cookie.

Issues

Cookie collisions are possible: if GetRemoteProcessCookie discovers more than one 'valid' cookie, it returns 0.
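The search described in the Summary and the collision rule above, as an added Python model (not the project's own code): RtlEncodePointer/RtlDecodePointer are re-implemented from the documented x64 scheme (XOR with the 32-bit cookie, rotate by the cookie's low six bits), candidate cookies are checked against known (plain, encoded) pairs, and a constructed NULL-pointer pair shows why two cookies can both look valid. All cookie and pointer values are constructed for the demo.

```python
MASK64 = (1 << 64) - 1

def rol64(v, n):
    n &= 63
    return ((v << n) | (v >> (64 - n))) & MASK64

def ror64(v, n):
    n &= 63
    return ((v >> n) | (v << (64 - n))) & MASK64

def rtl_encode_pointer(ptr, cookie):
    # Model of ntdll.RtlEncodePointer on x64: XOR with the 32-bit process
    # cookie, then rotate right by the cookie's low six bits.
    return ror64(ptr ^ cookie, cookie & 0x3F)

def rtl_decode_pointer(enc, cookie):
    # Model of ntdll.RtlDecodePointer on x64, the inverse of the above.
    return rol64(enc, cookie & 0x3F) ^ cookie

def cookie_matches(cookie, known_pairs):
    # A candidate is 'valid' if it decodes every known encoding to the
    # pointer value that encoding is known to represent.
    return all(rtl_decode_pointer(enc, cookie) == plain for plain, enc in known_pairs)

def get_remote_process_cookie(candidates, known_pairs):
    # Mirrors the README's rule: several 'valid' cookies -> return 0.
    # Returning 0 when nothing matches is this model's own choice.
    valid = [c for c in candidates if cookie_matches(c, known_pairs)]
    return valid[0] if len(valid) == 1 else 0

# Constructed values: a 32-bit cookie and a typical user-mode code pointer.
DEMO_COOKIE = 0x12345678
DEMO_PTR = 0x00007FF612340000
DEMO_ENC = rtl_encode_pointer(DEMO_PTR, DEMO_COOKIE)  # 0x007FF60000567800

def demo_unique():
    # Scan a constructed 64K slice of the 32-bit cookie space so the run stays
    # short; in it only the real cookie decodes DEMO_ENC back to DEMO_PTR.
    return get_remote_process_cookie(range(0x12340000, 0x12350000), [(DEMO_PTR, DEMO_ENC)])

def demo_collision():
    # Only the low six bits of the cookie feed the rotation, so two cookies can
    # decode one encoding to the same value: a NULL pointer encoded under cookie
    # 0x41 also decodes to NULL under cookie 0x82, and the search reports 0.
    # A second, independent known pair disambiguates the result.
    null_pair = (0, rtl_encode_pointer(0, 0x41))
    ambiguous = get_remote_process_cookie(range(0x100), [null_pair])
    second = (0x1000, rtl_encode_pointer(0x1000, 0x41))
    resolved = get_remote_process_cookie(range(0x100), [null_pair, second])
    return ambiguous, resolved
```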

Notes

  • Designed for / tested on Windows 7 SP1 x64.
  • Absolute offsets are used to avoid loading symbols and may break in future OS updates.

Credits

Idea by mattiwatti, from the x64dbg issue 489 discussion.