I injected my code into csrss and hijack their thread to gain shellcode execution and it is text book from there.