Create a 64bit Process From a x86/32bit One


On Vista and above there is a Windows ‘Redirector’ (A redirector is basically a Symlink or fake directory that’s there but not in Windows) (more info here) that allows a 32bit process create a 64bit one. For anyone who has tried to run ’execute -H -c -f notepad.exe’, they know that if they are in a 32bit process, they get a 32bit notepad even if they are on a 64bit system, which is annoying. So if you don’t want to read the link above you can create a stable 64bit notepad.exe by doing the following:

execute -H -c -f "C:\\WINDOWS\\Sysnative\\notepad.exe"

Now you can migrate into that notepad, Metasploit/Meterpreter will handle not only the network socket switch but the upgrade to a 64bit process. Now, you should be able to dump hashes like I talked about (here).

Of course you need to change the drive and windows directory to match your target (Language changes and base drive changes apply), but the rest should work as perscribed.