erwan2212 / rtcore-fpc

rtcore-fpc

Playing with unsecured (vulnerable) drivers that allow arbitrary read/write access to kernel memory.

For now, playing with the EPROCESS structure:
- removing the PPL (Protected Process Light) flag
- stealing the SYSTEM token

memRW.exe load "%cd%\rtcore64.sys"
memRW.exe list
memRW.exe removeppl PID
memRW.exe makesystem PID
memRW.exe stealtoken from_pid to_pid
memRW.exe unload "%cd%\rtcore64.sys"
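From the defender's side, the `load`/`unload` steps above leave a clear footprint: a kernel driver service is installed and a known-vulnerable driver is loaded from a user-writable directory rather than from System32\drivers. The following added example (not part of this repository) runs that detection logic over constructed, simplified key=value event lines modelled on Sysmon event 6 (driver loaded) and System event 7045 (service installed); field names and sample paths are assumptions.

```python
import re

# Constructed sample events (not real telemetry), simplified to key=value form.
# Event 0 and 1 mirror what "memRW.exe load" leaves behind; event 2 is benign.
SAMPLE_EVENTS = [
    "EventID=6 ImageLoaded=C:\\Users\\bob\\tools\\rtcore64.sys Signed=true",
    "EventID=7045 ServiceName=rtcore64 ImagePath=C:\\Users\\bob\\tools\\rtcore64.sys ServiceType=kernel mode driver",
    "EventID=6 ImageLoaded=C:\\Windows\\System32\\drivers\\ndis.sys Signed=true",
]

# Driver file names known to expose kernel read/write primitives; rtcore64.sys is
# the one this repo loads. In practice, feed this from a maintained blocklist.
KNOWN_VULNERABLE = {"rtcore64.sys"}
# Directories a legitimately installed driver is expected to load from.
TRUSTED_DIRS = ("c:\\windows\\system32\\drivers\\", "c:\\windows\\system32\\driverstore\\")


def parse_event(line):
    """Split 'Key=value' pairs; a value runs until the next ' Key=' or end of line."""
    return {k.lower(): v for k, v in re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", line)}


def assess_event(line):
    """Return the findings for one event line (empty list when nothing is suspicious)."""
    ev = parse_event(line)
    path = ev.get("imageloaded") or ev.get("imagepath") or ""
    if not path:
        return []
    findings = []
    name = path.rsplit("\\", 1)[-1].lower()
    if name in KNOWN_VULNERABLE:
        findings.append(f"known vulnerable driver: {name}")
    if not path.lower().startswith(TRUSTED_DIRS):
        findings.append(f"driver loaded from untrusted path: {path}")
    if ev.get("eventid") == "7045" and "driver" in ev.get("servicetype", "").lower():
        findings.append(f"new kernel driver service installed: {ev.get('servicename')}")
    return findings


def scan(lines):
    """Map event index -> findings, keeping only events that raised something."""
    return {i: f for i, line in enumerate(lines) if (f := assess_event(line))}


if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_EVENTS).items():
        print(f"event {idx}: " + "; ".join(findings))
```

The path heuristic also catches drivers not yet on the blocklist, which matters because the same primitive exists in many other signed drivers.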

Greatly inspired by https://github.com/RedCursorSecurityConsulting/PPLKiller

Tool to check the EPROCESS struct across Windows builds: https://ntdiff.github.io/

Detailed EPROCESS struct: https://www.geoffchappell.com/studies/windows/km/ntoskrnl/structs/eprocess/index.htm

A bunch of other drivers to look at: https://guidedhacking.com/threads/how-to-bypass-kernel-anticheat-develop-drivers.11325/

Must read (mimikatz 4 ever...): https://posts.specterops.io/mimidrv-in-depth-4d273d19e148

Languages

Language: Pascal 100.0%