realoriginal/ppldump: BYOD (Bring Your Own Driver) Approach to Dumping PPL Procs (Shellcode Injection lol)
2020-02-01 00:43:00 Author: github.com Views: 624

Credit

Original credit goes to @Dark_Puzzle, who disclosed the privileged registration here. I only expanded upon this to use an additional IOCTL to open a thread (it calls ZwOpenThread()).

Build

You can build the shellcode / executable using mingw-w64. To do so, run the following from a Unix / macOS installation: x86_64-w64-mingw32-gcc *.c -o ppldump.exe. Currently only x64 is supported, as I have not been able to obtain a 32-bit version of the zam.sys driver.
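The build note above names the driver the tool relies on (zam.sys). The practical check a defender wants is whether that driver has been loaded on a host at all. The example below is added here and is not part of the ppldump repository: it scans Sysmon Event ID 6 (Driver loaded) records for a load of zam.sys by file name, regardless of where the file sits or whether its signature verifies, because a bring-your-own driver is normally a legitimately signed one. The records are constructed for illustration and assumed to be dicts already parsed from the event XML; the field names follow Sysmon's DriverLoad schema.

```python
"""Flag loads of the zam.sys driver from Sysmon Event ID 6 (Driver loaded) records.

Added example, not code from the ppldump project. Assumption: each record is a
dict parsed from the event XML with Sysmon's DriverLoad field names.
"""
import ntpath

# Driver file name taken from the README; matched case-insensitively on the basename only,
# so a copy dropped into any directory is still caught.
WATCHED_DRIVERS = {"zam.sys"}

# Constructed sample records for illustration (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\ndis.sys",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"EventID": 6, "ImageLoaded": r"C:\Users\Public\zam.sys",
     "Signed": "true", "SignatureStatus": "Valid"},       # signed, yet still a watched driver
    {"EventID": 7, "ImageLoaded": r"C:\Windows\System32\zam.sys"},  # image load (Event 7), not a driver load
    {"EventID": 6, "ImageLoaded": r"C:\Temp\ZAM.SYS",
     "Signed": "false", "SignatureStatus": "Unavailable"},
]


def driver_basename(path):
    """Return the lower-cased file name of a Windows driver path."""
    return ntpath.basename(path).lower()


def is_watched_driver_load(event):
    """True when the record is a Sysmon DriverLoad (Event ID 6) of a watched driver name.

    Signature fields are deliberately ignored: a valid signature is expected for
    a bring-your-own driver and must not suppress the alert.
    """
    if event.get("EventID") != 6:
        return False
    return driver_basename(event.get("ImageLoaded", "")) in WATCHED_DRIVERS


def find_watched_driver_loads(events):
    """Return the ImageLoaded paths of every watched driver load, in input order."""
    return [e["ImageLoaded"] for e in events if is_watched_driver_load(e)]


if __name__ == "__main__":
    for path in find_watched_driver_loads(SAMPLE_EVENTS):
        print("watched driver loaded:", path)
```

Matching on the file name alone is a starting point; the same driver can be renamed, so a production rule should also key on the driver's file hash or signer once those are known for the environment.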

Written by Austin Hudson of GuidePoint Security

Usage


Article source: https://github.com/realoriginal/ppldump