DioProcess

Privilege Escalation

Enable all 40 Windows privileges for any process via direct _TOKEN structure modification.

Security Research Only

Token privilege escalation bypasses Windows security restrictions. Use only on test systems with proper authorization.

Overview

Windows privileges control what operations a process can perform. By directly modifying the _TOKEN.Privileges structure in kernel memory, DioProcess can grant all privileges to any process, bypassing the restriction that AdjustTokenPrivileges can only enable privileges the token already holds.

Algorithm

  1. Call GetWindowsVersion() to detect current Windows build
  2. PsLookupProcessByProcessId() to get EPROCESS pointer
  3. PsReferencePrimaryToken(eProcess) to get TOKEN pointer
  4. Calculate privilege address: TOKEN + PROCESS_PRIVILEGE_OFFSET (0x40)
  5. Set all privilege bitmasks to 0xFF:
    tokenPrivs->Present[0-4] = 0xff;
    tokenPrivs->Enabled[0-4] = 0xff;
    tokenPrivs->EnabledByDefault[0-4] = 0xff;
  6. PsDereferencePrimaryToken(pToken)
  7. ObDereferenceObject(eProcess)

Privileges Enabled

All 40 Windows privileges are enabled, including:

High-Impact Privileges

  • SeDebugPrivilege — Debug any process
  • SeLoadDriverPrivilege — Load kernel drivers
  • SeTcbPrivilege — Act as part of OS
  • SeAssignPrimaryTokenPrivilege — Assign tokens
  • SeTakeOwnershipPrivilege — Take ownership

Other Key Privileges

  • SeBackupPrivilege — Bypass file ACLs (read)
  • SeRestorePrivilege — Bypass file ACLs (write)
  • SeImpersonatePrivilege — Impersonate tokens
  • SeCreateTokenPrivilege — Create tokens
  • SeSecurityPrivilege — Manage audit logs

Structure Offset

The token privilege offset is 0x40 across all Windows 10/11 versions — this is a very stable offset.

Usage

  1. Ensure the kernel driver is loaded
  2. Right-click on a process in the Process tab
  3. Navigate to Miscellaneous
  4. Select ⚡ Enable All Privileges

Use Cases

  • Grant unrestricted access — Without restarting the process
  • Bypass privilege checks — For security research
  • Test privilege escalation detection — EDR/SIEM testing
  • Enable SeDebugPrivilege — For process manipulation

Implementation

  Item           Location
  Rust function  callback::enable_all_privileges(pid)
  IOCTL          IOCTL_DIOPROCESS_ENABLE_PRIVILEGES (0x807)