by musjleman
285 days ago
I'm pretty sure it's just a small mistake in the article on the exact syscall used to query the token information. Checked a kernel from November 2024 vs a current one and from what I can tell, this used to be the actual mechanism by which the exploit worked:

Thread #1 looping
    NtQueryInformationToken(TokenAccessInformation, InfoBuffer);

Thread #2 looping
    Ptr = *(InfoBuffer + SidHashOffset);
    if (IsValidCanonicalKernelPtr(Ptr))
        done