| 网站首页 | 业界新闻 | 小组 | 威客 | 人才 | 下载频道 | 博客 | 代码贴 | 在线编程 | 编程论坛
欢迎加入我们,一同切磋技术
用户名:   
 
密 码:  
共有 2765 人关注过本帖, 2 人收藏
标题:RunAsSystem v0.1 (Win32汇编)
只看楼主 加入收藏
zklhp
Rank: 20Rank: 20Rank: 20Rank: 20Rank: 20
来 自:china
等 级:贵宾
威 望:254
帖 子:11485
专家分:33241
注 册:2007-7-10
结帖率:100%
收藏(2)
 问题点数:0 回复次数:8 
RunAsSystem v0.1 (Win32汇编)
不知道啥时候写的  用线程注入的方法得到system权限  配合pskill应该可以杀掉一些病毒的进程 呵呵

简单帖下代码吧

程序代码:

.386
.model flat, stdcall
option casemap :none

include windows.inc
include kernel32.inc
include advapi32.inc
include user32.inc
include masm32.inc
include _cmdline.asm    ;来自罗云彬的《Windows 环境下32位汇编程序设计》一书

includelib  kernel32.lib
includelib  advapi32.lib
includelib user32.lib
includelib  masm32.lib
include macro.asm

_EnablePrivilege proto :DWORD,:DWORD
_GetPidFromProcName proto :DWORD
_getopt proto par:DWORD 

;下面两个宏来源于罗云彬的《Windows 环境下32位汇编程序设计》一书
reverseArgs macro arglist:VARARG
        local   txt,count
    
        txt     TEXTEQU <>
        count   = 0
        for     i,<arglist>
                count   = count + 1
                txt     TEXTEQU @CatStr(i,<!,>,<%txt>)
        endm
        if      count GT 0
                txt     SUBSTR  txt,1,@SizeStr(%txt)-1
        endif
        exitm   txt
endm
_invoke macro _Proc,args:VARARG
        local   count
    
        count   = 0
%       for     i,< reverseArgs( args ) >
                count   = count + 1
                push    i
        endm
        call    DWORD ptr _Proc    
    
endm

.data?
        g_hProcess      dd  ?
        g_lpRemoteCode  dd  ?

.code
Remote_code_start       equ this BYTE

g_lpGetModuleHandleA    dd  ?
g_lpGetProcAddress      dd  ?

g_szKernel32            db  "Kernel32.dll",0
g_szCreateProcessA      db  "CreateProcessA",0

g_lpCreateProcessA      dd  ?

g_szprocessname         db  128 dup(?)
g_szDesktop             db  "WinSta0\Default",0

g_stStartupInfo         STARTUPINFO <?>
g_procinfo              PROCESS_INFORMATION <?>

g_out                   db  128 dup(?)

_RemoteThread proc
        pushad
        call    delta
        delta:
        pop     ebx
        lea     eax, [ebx+(g_szKernel32-delta)]
        _invoke [ebx+(g_lpGetModuleHandleA-delta)], eax
        mov     esi, eax
        lea     eax, [ebx+(g_szCreateProcessA-delta)]
        _invoke [ebx+(g_lpGetProcAddress-delta)], esi, eax
        mov     [ebx+(g_lpCreateProcessA-delta)], eax
        lea     eax, [ebx+(g_szDesktop-delta)]
        lea     ecx, [ebx+(g_stStartupInfo-delta)]
        mov     DWORD ptr [ecx], sizeof g_stStartupInfo
        mov     DWORD ptr [ecx+8], eax
        lea     eax, [ebx+(g_szprocessname-delta)]
        lea     edx, [ebx+(g_procinfo-delta)]
        _invoke [ebx+(g_lpCreateProcessA-delta)], 0, eax, 0, 0, 0, 0, 0, 0, ecx, edx
        popad
        ret
_RemoteThread endp

Remote_code_end         equ this BYTE
Remote_code_length      equ offset Remote_code_end - offset Remote_code_start

start: 
        
        invoke _getopt,offset g_szprocessname
        invoke  GetModuleHandle, CTXT("kernel32.dll")
        mov     ebx, eax
        invoke  GetProcAddress, ebx, CTXT("GetModuleHandleA")
        mov     g_lpGetModuleHandleA, eax
        invoke  GetProcAddress, ebx, CTXT("GetProcAddress")
        mov     g_lpGetProcAddress, eax
        
        invoke  _EnablePrivilege, CTXT("SeDebugPrivilege"), TRUE
        
        invoke  _GetPidFromProcName, CTXT("winlogon.exe")
        invoke  OpenProcess, PROCESS_CREATE_THREAD+PROCESS_VM_OPERATION+PROCESS_VM_WRITE, FALSE, eax
        .if eax
                mov     g_hProcess, eax
                invoke  VirtualAllocEx, g_hProcess, NULL, Remote_code_length, MEM_COMMIT, PAGE_EXECUTE_READWRITE
                .if eax
                        mov     g_lpRemoteCode, eax
                        invoke  WriteProcessMemory, g_hProcess, g_lpRemoteCode, offset Remote_code_start, Remote_code_length, NULL
                        mov     eax, g_lpRemoteCode
                        add     eax, offset _RemoteThread - offset Remote_code_start
                        invoke  CreateRemoteThread, g_hProcess, NULL, 0, eax, 0, 0, NULL
                        invoke  CloseHandle, eax
                .endif
                invoke  CloseHandle, g_hProcess
        .endif
        invoke  ExitProcess, NULL

_EnablePrivilege proc szPriv:DWORD, bFlags:DWORD
        LOCAL   hToken
        LOCAL   tkp : TOKEN_PRIVILEGES
        
        invoke  GetCurrentProcess
        mov     edx, eax
        invoke  OpenProcessToken, edx, TOKEN_ADJUST_PRIVILEGES or TOKEN_QUERY, addr hToken
        invoke  LookupPrivilegeValue, NULL, szPriv, addr tkp.Privileges.Luid
        mov     tkp.PrivilegeCount, 1
        xor     eax, eax
        .if bFlags
                mov     eax, SE_PRIVILEGE_ENABLED
        .endif
        mov     tkp.Privileges.Attributes, eax
        invoke  AdjustTokenPrivileges, hToken, FALSE, addr tkp, 0, 0, 0
        push    eax
        invoke  CloseHandle, hToken
        pop     eax
        ret
_EnablePrivilege endp

_GetPidFromProcName proc lpProcName:DWORD
        LOCAL   stProcess : PROCESSENTRY32
        LOCAL   hSnapshot
        LOCAL   dwProcessID
        
        mov     dwProcessID, 0
        invoke  RtlZeroMemory, addr stProcess, sizeof stProcess
        mov     stProcess.dwSize, sizeof stProcess
        invoke  CreateToolhelp32Snapshot, TH32CS_SNAPPROCESS, 0
        mov     hSnapshot, eax
        invoke  Process32First, hSnapshot, addr stProcess
        .while eax
                invoke  lstrcmpi, lpProcName, addr stProcess.szExeFile
                .if eax==0
                        mov     eax, stProcess.th32ProcessID
                        mov     dwProcessID, eax
                        .break
                .endif
                invoke  Process32Next, hSnapshot, addr stProcess
        .endw
        invoke  CloseHandle, hSnapshot
        mov     eax, dwProcessID
        ret
_GetPidFromProcName endp

_getopt proc par:DWORD 
        sub esp,128h
        invoke _argc
        cmp eax,2h
        jnz _usage
        invoke _argv,1,[ebp+8h],128
        jmp _return
        _usage:
        lea eax,[ebp-128h]
        invoke _argv,0,eax,128
        invoke StdOut,CTXT("Run process as system privilege.",0dh,0ah,)
        invoke StdOut,CTXT("by zklhp       Email:zklhp@,0dh,0ah)
        lea eax,[ebp-128h]
        invoke wsprintf,offset g_out,CTXT("Usage:%s [File]"),eax
        lea eax,[ebp-128h]
        invoke StdOut,offset g_out
        invoke ExitProcess,NULL
        _return:
        add esp,128h
        ret 4h
_getopt endp 
    
end start



参考了 一块三毛钱 前辈的《从管理员身份获得 SYSTEM 权限的四种方法》(其实就是抄了一下)

程序+源码  
RunAsSystem.rar (6.26 KB)
搜索更多相关主题的帖子: RunAsSystem 汇编 
2008-11-06 13:07
zklhp
Rank: 20Rank: 20Rank: 20Rank: 20Rank: 20
来 自:china
等 级:贵宾
威 望:254
帖 子:11485
专家分:33241
注 册:2007-7-10
收藏
得分:0 
今天看到ONEPLOBLEM的问题 想起还有这个程序 就发上来了

要是用这个还杀不死进程 就得用点特殊手段了  

我记得在哪发过 不过用百度又找不到 就没发原创 呵呵
2008-11-06 13:10
zklhp
Rank: 20Rank: 20Rank: 20Rank: 20Rank: 20
来 自:china
等 级:贵宾
威 望:254
帖 子:11485
专家分:33241
注 册:2007-7-10
收藏
得分:0 
注意序有一定危险弄不好winlogon.exe被“注死”样就重启了…
2008-11-06 13:12
zklhp
Rank: 20Rank: 20Rank: 20Rank: 20Rank: 20
来 自:china
等 级:贵宾
威 望:254
帖 子:11485
专家分:33241
注 册:2007-7-10
收藏
得分:0 
前辈的文章也帖一下吧……
从管理员身份获得 SYSTEM 权限的四种方法


    从管理员身份获得 SYSTEM 权限的四种方法
      作者: 一块三毛钱
        邮件: zhongts@
      日期: 2005.1.15
       本文总结了 4 种方法获得 SYSTEM 权限来运行 regedit.exe 文件,源代码很容易修改成命令行方式运行指定的程序。
      1. 以服务方式运行
        2. 添加 ACL 的方法
        3. HOOK ZwCreateProcessEx 函数
        4. 远程线程的方法
        这几种方法都不是我想出来的,我只不过是总结了一下,用 Win32ASM 重写了代码而以。关于这个大家可以看文章末尾的参考资料。下面简单的分析每一种方法。
      1. 以服务方式运行
         因为以服务方式运行程序时,相当于运行程序的是系统进程,所以,被指定运行的程序自然而然的继承了系统进程的权限,也就是 SYSTEM 权限。
      
;@echo off
;goto make

;====================================================================================
; 一块三毛钱
; http://zhongts.
; zhongts@
; 2005.1.15
;
; 以 SYSTEM 权限运行程序 - GetSys1
;
; 采用以服务方式运行的方法
;
;====================================================================================
.386
.model flat, stdcall
option casemap :none

include c:\masm32\include\windows.inc
include c:\masm32\include\kernel32.inc
include c:\masm32\include\advapi32.inc
include c:\masm32\include\masm32.inc

includelib c:\masm32\lib\kernel32.lib
includelib c:\masm32\lib\advapi32.lib
includelib c:\masm32\lib\masm32.lib

_ReLaunch proto

CTXT MACRO text
        local lbl
        .const
                lbl db text,0
        .code
        exitm   <offset lbl>
ENDM

.code
start proc
        LOCAL   stStartupInfo : STARTUPINFO
        LOCAL   procinfo : PROCESS_INFORMATION
        
        invoke  CreateMutex, NULL, TRUE, CTXT("GetSys1_Mutex")
        invoke  GetLastError
        .if eax==ERROR_ALREADY_EXISTS
                invoke  RtlZeroMemory, addr stStartupInfo, sizeof stStartupInfo
                mov     stStartupInfo.cb, sizeof stStartupInfo
                invoke  CreateProcess, 0, CTXT("regedit.exe"), 0, 0, 0, 0, 0, 0, addr stStartupInfo, addr procinfo
                invoke  CloseHandle, procinfo.hProcess
                invoke  CloseHandle, procinfo.hThread
        .else
                invoke  _ReLaunch
        .endif
        
        invoke  ExitProcess, NULL
start endp

_ReLaunch proc
        LOCAL   hSCManager
        LOCAL   hService
        LOCAL   szName[MAX_PATH] : byte

        invoke  OpenSCManager, NULL, NULL, SC_MANAGER_CREATE_SERVICE
        .if eax!=0
                mov     hSCManager, eax
               
                invoke  OpenService, hSCManager, CTXT("GetSys1Temp"), DELETE
                .if eax!=0
                        push    eax
                        invoke  DeleteService, eax
                        call    CloseServiceHandle
                .endif
               
                invoke  GetModuleFileName, NULL, addr szName, MAX_PATH
                invoke  CreateService, hSCManager, CTXT("GetSys1Temp"), CTXT("GetSys1 Temp Service"), \
                                SERVICE_START + SERVICE_QUERY_STATUS + DELETE, \
                                SERVICE_WIN32_OWN_PROCESS + SERVICE_INTERACTIVE_PROCESS, SERVICE_DEMAND_START, \
                                SERVICE_ERROR_IGNORE, addr szName, NULL, NULL, NULL, NULL, NULL
                .if eax!=0
                        mov     hService, eax
                        invoke  StartService, hService, 0, NULL
                        invoke  DeleteService, hService
                        invoke  CloseServiceHandle, hService
                .endif
                invoke  CloseServiceHandle, hSCManager
        .endif
        ret
_ReLaunch endp

end start

:make

set path=%path%;c:\masm32\bin
set appname=GetSys1

ml /nologo /c /coff %appname%.bat
link /nologo /subsystem:windows %appname%.obj
del %appname%.obj
echo.
pause
         GetSys1(第一次运行的这个进程 GetSys1 我们称为 A) 开始运行时先创建一个互斥量,接着以服务的方式重新启动自己(又一次运行的进程 GetSys1 我们称为 B),重新运行后的 B 已经具有了 SYSTEM 权限。B 再通过 CreateProcess 函数运行 regedit.exe 程序,因为 B 具有 SYSTEM 权限,所以 regedit.exe 从中继承了 SYSTEM 权限。运行完了 regedit.exe 后 B 结束运行,然后 A 中的 StartService 函数返回,A 结束运行。就是因为 StartService 函数不会直接返回,所以不能够直接通过服务的方式运行 regedit.exe。
      2. 添加 ACL 的方法
         主要思想是调用 CreateProcessAsUser 函数来运行程序,CreateProcessAsUser 函数的第一个参数是特定用户的令牌,把这个参数设为具有 SYSTEM 权限的令牌即可。
      
;@echo off
;goto make

;====================================================================================
; 一块三毛钱
; http://zhongts.
; zhongts@
; 2005.1.15
;
; 以 SYSTEM 权限运行程序 - GetSys2
;
; 采用添加 ACL 的方法
;
;====================================================================================
.386
.model flat, stdcall
option casemap :none

include c:\masm32\include\windows.inc
include c:\masm32\include\kernel32.inc
include c:\masm32\include\advapi32.inc
include c:\masm32\include\accctrl.inc
include c:\masm32\include\masm32.inc

includelib c:\masm32\lib\kernel32.lib
includelib c:\masm32\lib\advapi32.lib
includelib c:\masm32\lib\masm32.lib

_EnablePrivilege proto :DWORD,:DWORD
_GetPidFromProcName proto :DWORD
_ModifySecurity proto :DWORD,:DWORD

CTXT MACRO text
        local lbl
        .const
                lbl db text,0
        .code
        exitm   <offset lbl>
ENDM

ACL STRUCT
        AclRevision     BYTE  ?
        Sbz1            BYTE  ?
        AclSize         WORD  ?
        AceCount        WORD  ?
        Sbz2            WORD  ?
ACL ENDS
PACL typedef PTR ACL

SecurityImpersonation   equ 2

.code
start proc
        LOCAL   hProc
        LOCAL   hToken, hNewToken
        LOCAL   stStartupInfo : STARTUPINFO
        LOCAL   procinfo : PROCESS_INFORMATION
        
        sub     eax, eax
        mov     hProc, eax
        mov     hToken, eax
        mov     hNewToken, eax
        invoke  RtlZeroMemory, addr stStartupInfo, sizeof stStartupInfo
        invoke  RtlZeroMemory, addr procinfo, sizeof procinfo
        
        invoke  _EnablePrivilege, CTXT("SeDebugPrivilege"), TRUE
        
        invoke  _GetPidFromProcName, CTXT("lsass.exe")
        invoke  OpenProcess, PROCESS_QUERY_INFORMATION, 0, eax
        test    eax, eax
        jz      _exit
        mov     hProc, eax
        invoke  OpenProcessToken, hProc, READ_CONTROL+WRITE_DAC, addr hToken
        test    eax, eax
        jz      _exit
        
        invoke  _ModifySecurity, hToken, TOKEN_ALL_ACCESS
        test    eax, eax
        jz      _exit
        
        invoke  CloseHandle, hToken
        mov     hToken, 0
        
        invoke  OpenProcessToken, hProc, TOKEN_ALL_ACCESS, addr hToken
        test    eax, eax
        jz      _exit
        
        invoke  DuplicateTokenEx, hToken, TOKEN_ALL_ACCESS, 0, SecurityImpersonation, TokenPrimary, addr hNewToken
        test    eax, eax
        jz      _exit
        
        invoke  ImpersonateLoggedOnUser, hNewToken
        test    eax, eax
        jz      _exit
        
        mov     stStartupInfo.cb, sizeof stStartupInfo
        invoke  CreateProcessAsUser, hNewToken, 0, CTXT("regedit.exe"), 0, 0, 0, 0, 0, 0, addr stStartupInfo, addr procinfo
        test    eax, eax
        jz      _exit
        invoke  CloseHandle, procinfo.hProcess
        invoke  CloseHandle, procinfo.hThread
        
_exit:
        .if hProc
                invoke  CloseHandle, hProc
        .endif
        .if hToken
                invoke  CloseHandle, hToken
        .endif
        .if hNewToken
                invoke  CloseHandle, hNewToken
        .endif
        invoke  ExitProcess, NULL
start endp

_ModifySecurity proc uses ebx esi edi, hToken:DWORD, dwAccess:DWORD
        LOCAL   pSD, pAbsSD
        LOCAL   dwSDLength
        LOCAL   bDaclPresent, bDaclDefaulted
        LOCAL   pAcl : PACL
        LOCAL   pNewAcl : PACL
        LOCAL   szName[1024] : BYTE
        LOCAL   ea : EXPLICIT_ACCESS
        LOCAL   pSacl, pOwner, pPrimaryGroup
        LOCAL   dwAclSize, dwSaclSize, dwOwnerSize, dwPrimaryGroup
        LOCAL   bSuccess
        
        sub     eax, eax
        mov     pSD, eax
        mov     pAbsSD, eax
        mov     dwSDLength, eax
        mov     bDaclPresent, eax
        mov     bDaclDefaulted, eax
        mov     pAcl, eax
        mov     pNewAcl, eax
        mov     pSacl, eax
        mov     pOwner, eax
        mov     pPrimaryGroup, eax
        mov     dwAclSize, eax
        mov     dwSaclSize, eax
        mov     dwOwnerSize, eax
        mov     dwPrimaryGroup, eax
        mov     bSuccess, eax

        invoke  GetKernelObjectSecurity, hToken, DACL_SECURITY_INFORMATION, pSD, 0, addr dwSDLength
        invoke  LocalAlloc, LPTR, dwSDLength
        test    eax, eax
        jz      _exit
        mov     pSD, eax
        invoke  GetKernelObjectSecurity, hToken, DACL_SECURITY_INFORMATION, pSD, dwSDLength, addr dwSDLength
        
        invoke  GetSecurityDescriptorDacl, pSD, addr bDaclPresent, addr pAcl, addr bDaclDefaulted
        
        mov     eax, sizeof szName
        push    eax
        invoke  GetUserName, addr szName, esp
        pop     eax
        
        invoke  BuildExplicitAccessWithName, addr ea, addr szName, dwAccess, GRANT_ACCESS, FALSE
        invoke  SetEntriesInAcl, 1, addr ea, pAcl, addr pNewAcl
        cmp     eax, ERROR_SUCCESS
        jne     _exit
        
        invoke  LocalFree, pAcl
        mov     pAcl, 0
        invoke  MakeAbsoluteSD, pSD, pAbsSD, addr dwSDLength, pAcl, addr dwAclSize, pSacl, addr dwSaclSize, \
                        pOwner, addr dwOwnerSize, pPrimaryGroup, addr dwPrimaryGroup
        
        invoke  LocalAlloc, LPTR, dwSDLength
        test    eax, eax
        jz      _exit
        mov     pAbsSD, eax
        
        invoke  LocalAlloc, LPTR, dwAclSize
        test    eax, eax
        jz      _exit
        mov     pAcl, eax
        
        invoke  LocalAlloc, LPTR, dwSaclSize
        test    eax, eax
        jz      _exit
        mov     pSacl, eax
        
        invoke  LocalAlloc, LPTR, dwOwnerSize
        test    eax, eax
        jz      _exit
        mov     pOwner, eax
        
        invoke  LocalAlloc, LPTR, dwPrimaryGroup
        test    eax, eax
        jz      _exit
        mov     pPrimaryGroup, eax
        
        invoke  MakeAbsoluteSD, pSD, pAbsSD, addr dwSDLength, pAcl, addr dwAclSize, pSacl, addr dwSaclSize, \
                        pOwner, addr dwOwnerSize, pPrimaryGroup, addr dwPrimaryGroup
        invoke  SetSecurityDescriptorDacl, pAbsSD, bDaclPresent, pNewAcl, bDaclDefaulted
        invoke  SetKernelObjectSecurity, hToken, DACL_SECURITY_INFORMATION, pAbsSD
        
        mov     bSuccess, 1
        
_exit:
        .if pSD
                invoke  LocalFree, pSD
        .endif
        .if pAcl
                invoke  LocalFree, pAcl
        .endif
        .if pNewAcl
                invoke  LocalFree, pNewAcl
        .endif
        .if pAbsSD
                invoke  LocalFree, pAbsSD
        .endif
        .if pSacl
                invoke  LocalFree, pSacl
        .endif
        .if pOwner
                invoke  LocalFree, pOwner
        .endif
        .if pPrimaryGroup
                invoke  LocalFree, pPrimaryGroup
        .endif
        mov     eax, bSuccess
        ret
_ModifySecurity endp

_EnablePrivilege proc szPriv:DWORD, bFlags:DWORD
        LOCAL   hToken
        LOCAL   tkp : TOKEN_PRIVILEGES
        
        invoke  GetCurrentProcess
        mov     edx, eax
        invoke  OpenProcessToken, edx, TOKEN_ADJUST_PRIVILEGES or TOKEN_QUERY, addr hToken
        invoke  LookupPrivilegeValue, NULL, szPriv, addr tkp.Privileges.Luid
        mov     tkp.PrivilegeCount, 1
        xor     eax, eax
        .if bFlags
                mov     eax, SE_PRIVILEGE_ENABLED
        .endif
        mov     tkp.Privileges.Attributes, eax
        invoke  AdjustTokenPrivileges, hToken, FALSE, addr tkp, 0, 0, 0
        push    eax
        invoke  CloseHandle, hToken
        pop     eax
        ret
_EnablePrivilege endp

_GetPidFromProcName proc lpProcName:DWORD
        LOCAL   stProcess : PROCESSENTRY32
        LOCAL   hSnapshot
        LOCAL   dwProcessID
        
        mov     dwProcessID, 0
        invoke  RtlZeroMemory, addr stProcess, sizeof stProcess
        mov     stProcess.dwSize, sizeof stProcess
        invoke  CreateToolhelp32Snapshot, TH32CS_SNAPPROCESS, 0
        mov     hSnapshot, eax
        invoke  Process32First, hSnapshot, addr stProcess
        .while eax
                invoke  lstrcmpi, lpProcName, addr stProcess.szExeFile
                .if eax==0
                        mov     eax, stProcess.th32ProcessID
                        mov     dwProcessID, eax
                        .break
                .endif
                invoke  Process32Next, hSnapshot, addr stProcess
        .endw
        invoke  CloseHandle, hSnapshot
        mov     eax, dwProcessID
        ret
_GetPidFromProcName endp

end start

:make

set path=%path%;c:\masm32\bin
set appname=GetSys2

ml /nologo /c /coff %appname%.bat
link /nologo /subsystem:windows %appname%.obj
del %appname%.obj
echo.
pause
         GetSys2 取得 lsass.exe 进程的令牌,缺省情况下操作这个令牌的权限很小,所以需要先取得操作这个令牌的所有权限。这个任务由函数 _ModifySecurity 来完成。有了权限后,复制一个主令牌,然后在当前线程中扮演 SYSTEM 用户,接着就可以调用 CreateProcessAsUser 函数运行 regedit.exe 程序了。有关安全性编程不清楚的地方可以参考[3]。
      3. HOOK ZwCreateProcessEx 函数
         有关这个[1]里面讲得很清楚了,下面直接给出源代码。
      
;@echo off
;goto make

;====================================================================================
; 一块三毛钱
; http://zhongts.
; zhongts@
; 2005.1.15
;
; 以 SYSTEM 权限运行程序 - GetSys3
;
; 采用 HOOK ZwCreateProcessEx 函数的方法
;
;====================================================================================

.386
.model flat, stdcall
option casemap :none

include c:\masm32\include\windows.inc
include c:\masm32\include\kernel32.inc
include c:\masm32\include\advapi32.inc
include c:\masm32\include\masm32.inc

includelib c:\masm32\lib\kernel32.lib
includelib c:\masm32\lib\advapi32.lib
includelib c:\masm32\lib\masm32.lib

_EnablePrivilege proto :DWORD,:DWORD
_GetPidFromProcName proto :DWORD
_HackedZwCreateProcessEx proto

CTXT MACRO text
        local lbl
        .const
                lbl db text,0
        .code
        exitm   <offset lbl>
ENDM

ASMJMP struct
        mov_eax         BYTE    ?
        address         DWORD   ?
        jmp_eax         WORD    ?
ASMJMP ends

.data?
        g_hProc dd  ?
        g_dwFunc        dd  ?

.code
start proc
        LOCAL   osvi : OSVERSIONINFO
        LOCAL   lpAsmJmp
        LOCAL   mbi : MEMORY_BASIC_INFORMATION
        LOCAL   stStartupInfo : STARTUPINFO
        LOCAL   procinfo : PROCESS_INFORMATION
        
        sub     eax, eax
        mov     lpAsmJmp, eax
        invoke  RtlZeroMemory, addr osvi, sizeof osvi
        invoke  RtlZeroMemory, addr mbi, sizeof mbi
        invoke  RtlZeroMemory, addr stStartupInfo, sizeof stStartupInfo
        invoke  RtlZeroMemory, addr procinfo, sizeof procinfo
        
        mov     osvi.dwOSVersionInfoSize, sizeof osvi
        invoke  GetVersionEx, addr osvi
        cmp     osvi.dwMajorVersion, 5
        jnz     _exit
        .if osvi.dwMinorVersion==1
                mov     g_dwFunc, 30h
        .elseif osvi.dwMinorVersion==2
                mov     g_dwFunc, 32h
        .endif
        
        invoke  _EnablePrivilege, CTXT("SeDebugPrivilege"), TRUE
        
        invoke  _GetPidFromProcName, CTXT("lsass.exe")
        test    eax, eax
        jz      _exit
        
        invoke  OpenProcess, PROCESS_CREATE_PROCESS, TRUE, eax
        test    eax, eax
        jz      _exit
        mov     g_hProc, eax
        
        invoke  GetModuleHandle, CTXT("ntdll.dll")
        mov     edx, eax
        invoke  GetProcAddress, edx, CTXT("ZwCreateProcessEx")
        mov     lpAsmJmp, eax
        
        invoke  VirtualQuery, lpAsmJmp, addr mbi, sizeof mbi
        push    eax
        invoke  VirtualProtect, mbi.AllocationBase, mbi.RegionSize, PAGE_EXECUTE_READWRITE, esp
        pop     eax
        
        mov     edi, lpAsmJmp
        assume  edi : ptr ASMJMP
        mov     [edi].mov_eax, 0B8h
        mov     [edi].address, offset _HackedZwCreateProcessEx
        mov     [edi].jmp_eax, 0E0FFh
        
        mov     stStartupInfo.cb, sizeof stStartupInfo
        invoke  CreateProcess, 0, CTXT("regedit.exe"), 0, 0, 0, 0, 0, 0, addr stStartupInfo, addr procinfo
        test    eax, eax
        jz      _exit
        invoke  CloseHandle, procinfo.hProcess
        invoke  CloseHandle, procinfo.hThread
        
_exit:
        invoke  ExitProcess, NULL
start endp

_HackedZwCreateProcessEx proc
        mov     eax, g_hProc
        mov     dword ptr [esp+16], eax
        mov     eax, g_dwFunc
        lea     edx, dword ptr [esp+4]
        int     2Eh
        retn    24h
_HackedZwCreateProcessEx endp

_EnablePrivilege proc szPriv:DWORD, bFlags:DWORD
        LOCAL   hToken
        LOCAL   tkp : TOKEN_PRIVILEGES
        
        invoke  GetCurrentProcess
        mov     edx, eax
        invoke  OpenProcessToken, edx, TOKEN_ADJUST_PRIVILEGES or TOKEN_QUERY, addr hToken
        invoke  LookupPrivilegeValue, NULL, szPriv, addr tkp.Privileges.Luid
        mov     tkp.PrivilegeCount, 1
        xor     eax, eax
        .if bFlags
                mov     eax, SE_PRIVILEGE_ENABLED
        .endif
        mov     tkp.Privileges.Attributes, eax
        invoke  AdjustTokenPrivileges, hToken, FALSE, addr tkp, 0, 0, 0
        push    eax
        invoke  CloseHandle, hToken
        pop     eax
        ret
_EnablePrivilege endp

_GetPidFromProcName proc lpProcName:DWORD
        LOCAL   stProcess : PROCESSENTRY32
        LOCAL   hSnapshot
        LOCAL   dwProcessID
        
        mov     dwProcessID, 0
        invoke  RtlZeroMemory, addr stProcess, sizeof stProcess
        mov     stProcess.dwSize, sizeof stProcess
        invoke  CreateToolhelp32Snapshot, TH32CS_SNAPPROCESS, 0
        mov     hSnapshot, eax
        invoke  Process32First, hSnapshot, addr stProcess
        .while eax
                invoke  lstrcmpi, lpProcName, addr stProcess.szExeFile
                .if eax==0
                        mov     eax, stProcess.th32ProcessID
                        mov     dwProcessID, eax
                        .break
                .endif
                invoke  Process32Next, hSnapshot, addr stProcess
        .endw
        invoke  CloseHandle, hSnapshot
        mov     eax, dwProcessID
        ret
_GetPidFromProcName endp

end start

:make

set path=%path%;c:\masm32\bin
set appname=GetSys3

ml /nologo /c /coff %appname%.bat
link /nologo /subsystem:windows %appname%.obj
del %appname%.obj
echo.
pause
      4. 远程线程的方法
         通过注入远程线程的方法来运行指定的 regedit.exe 程序,也是相当于运行 regedit.exe 程序的是系统进程,那么 regedit.exe 也就自然而然的继承了系统进程的 SYSTEM 权限。
      
;@echo off
;goto make

;====================================================================================
; 一块三毛钱
; http://zhongts.
; zhongts@
; 2005.1.15
;
; 以 SYSTEM 权限运行程序 - GetSys4
;
; 采用远程线程的方法
;
;====================================================================================
.386
.model flat, stdcall
option casemap :none

include c:\masm32\include\windows.inc
include c:\masm32\include\kernel32.inc
include c:\masm32\include\advapi32.inc
include c:\masm32\include\masm32.inc

includelib c:\masm32\lib\kernel32.lib
includelib c:\masm32\lib\advapi32.lib
includelib c:\masm32\lib\masm32.lib

_EnablePrivilege proto :DWORD,:DWORD
_GetPidFromProcName proto :DWORD

;下面两个宏来源于罗云彬的《Windows 环境下32位汇编程序设计》一书
reverseArgs macro arglist:VARARG
        local   txt,count
   
        txt     TEXTEQU <>
        count   = 0
        for     i,<arglist>
                count   = count + 1
                txt     TEXTEQU @CatStr(i,<!,>,<%txt>)
        endm
        if      count GT 0
                txt     SUBSTR  txt,1,@SizeStr(%txt)-1
        endif
        exitm   txt
endm
_invoke macro _Proc,args:VARARG
        local   count
   
        count   = 0
%       for     i,< reverseArgs( args ) >
                count   = count + 1
                push    i
        endm
        call    dword ptr _Proc   
   
endm

CTXT MACRO text
        local lbl
        .const
                lbl db text,0
        .code
        exitm   <offset lbl>
ENDM

.data?
        g_hProcess      dd  ?
        g_lpRemoteCode  dd  ?

.code
Remote_code_start       equ this byte

g_lpGetModuleHandleA    dd  ?
g_lpGetProcAddress      dd  ?

g_szKernel32            db  "Kernel32.dll",0
g_szCreateProcessA      db  "CreateProcessA",0

g_lpCreateProcessA      dd  ?

g_szRegedit             db  "Regedit.exe",0
g_szDesktop             db  "WinSta0\Default",0

g_stStartupInfo         STARTUPINFO <?>
g_procinfo              PROCESS_INFORMATION <?>

_RemoteThread proc
;       int     3
        pushad
        call    @F
        @@:
        pop     ebx
        sub     ebx, offset @B
        
        lea     eax, [ebx+g_szKernel32]
        _invoke [ebx+g_lpGetModuleHandleA], eax
        mov     esi, eax
        lea     eax, [ebx+g_szCreateProcessA]
        _invoke [ebx+g_lpGetProcAddress], esi, eax
        mov     [ebx+g_lpCreateProcessA], eax
        
        lea     eax, [ebx+g_szDesktop]
        lea     ecx, [ebx+g_stStartupInfo]
        mov     dword ptr [ecx], sizeof g_stStartupInfo
        mov     dword ptr [ecx+8], eax
        lea     eax, [ebx+g_szRegedit]
        lea     edx, [ebx+g_procinfo]
        
        _invoke [ebx+g_lpCreateProcessA], 0, eax, 0, 0, 0, 0, 0, 0, ecx, edx
        
        popad
        ret
_RemoteThread endp

Remote_code_end         equ this byte
Remote_code_length      equ offset Remote_code_end - offset Remote_code_start

start proc
        invoke  GetModuleHandle, CTXT("kernel32.dll")
        mov     ebx, eax
        invoke  GetProcAddress, ebx, CTXT("GetModuleHandleA")
        mov     g_lpGetModuleHandleA, eax
        invoke  GetProcAddress, ebx, CTXT("GetProcAddress")
        mov     g_lpGetProcAddress, eax
        
        invoke  _EnablePrivilege, CTXT("SeDebugPrivilege"), TRUE
        
        invoke  _GetPidFromProcName, CTXT("lsass.exe")
        invoke  OpenProcess, PROCESS_CREATE_THREAD+PROCESS_VM_OPERATION+PROCESS_VM_WRITE, FALSE, eax
        .if eax
                mov     g_hProcess, eax
                invoke  VirtualAllocEx, g_hProcess, NULL, Remote_code_length, MEM_COMMIT, PAGE_EXECUTE_READWRITE
                .if eax
                        mov     g_lpRemoteCode, eax
                        invoke  WriteProcessMemory, g_hProcess, g_lpRemoteCode, offset Remote_code_start, Remote_code_length, NULL
                        mov     eax, g_lpRemoteCode
                        add     eax, offset _RemoteThread - offset Remote_code_start
                        invoke  CreateRemoteThread, g_hProcess, NULL, 0, eax, 0, 0, NULL
                        invoke  CloseHandle, eax
                .endif
                invoke  CloseHandle, g_hProcess
        .endif
        invoke  ExitProcess, NULL
start endp

_EnablePrivilege proc szPriv:DWORD, bFlags:DWORD
        LOCAL   hToken
        LOCAL   tkp : TOKEN_PRIVILEGES
        
        invoke  GetCurrentProcess
        mov     edx, eax
        invoke  OpenProcessToken, edx, TOKEN_ADJUST_PRIVILEGES or TOKEN_QUERY, addr hToken
        invoke  LookupPrivilegeValue, NULL, szPriv, addr tkp.Privileges.Luid
        mov     tkp.PrivilegeCount, 1
        xor     eax, eax
        .if bFlags
                mov     eax, SE_PRIVILEGE_ENABLED
        .endif
        mov     tkp.Privileges.Attributes, eax
        invoke  AdjustTokenPrivileges, hToken, FALSE, addr tkp, 0, 0, 0
        push    eax
        invoke  CloseHandle, hToken
        pop     eax
        ret
_EnablePrivilege endp

_GetPidFromProcName proc lpProcName:DWORD
        LOCAL   stProcess : PROCESSENTRY32
        LOCAL   hSnapshot
        LOCAL   dwProcessID
        
        mov     dwProcessID, 0
        invoke  RtlZeroMemory, addr stProcess, sizeof stProcess
        mov     stProcess.dwSize, sizeof stProcess
        invoke  CreateToolhelp32Snapshot, TH32CS_SNAPPROCESS, 0
        mov     hSnapshot, eax
        invoke  Process32First, hSnapshot, addr stProcess
        .while eax
                invoke  lstrcmpi, lpProcName, addr stProcess.szExeFile
                .if eax==0
                        mov     eax, stProcess.th32ProcessID
                        mov     dwProcessID, eax
                        .break
                .endif
                invoke  Process32Next, hSnapshot, addr stProcess
        .endw
        invoke  CloseHandle, hSnapshot
        mov     eax, dwProcessID
        ret
_GetPidFromProcName endp

end start

:make

set path=%path%;c:\masm32\bin
set appname=GetSys4

ml /nologo /c /coff %appname%.bat
link /nologo /subsystem:windows /section:.text,rwe %appname%.obj
del %appname%.obj
echo.
pause
         这段代码也没什么好解释的,唯一一个要注意的地方就是调用 CreateProcess 函数时,lpStartupInfo 参数指向的 STARTUPINFO 结构成员 lpDesktop 需要明确的指定 WinSta0\Default 为运行桌面。否则,程序 regedit.exe 运行后不知道跑到哪里去了。
      
参考资料

[1] scz MSDN系列(3)--Administrator用户直接获取SYSTEM权限
    http://www.
[2] wsu 1.0
    http://www.
[3] Keith Brown 《Windows 安全性编程》
[4] Token.Master
    Jeffrey Richter/Jason D.Clark 《Programming.Server-Side.Applications.for.MS.Windows.2000》
2008-11-06 13:13
dpa123
Rank: 1
等 级:新手上路
帖 子:7
专家分:0
注 册:2008-11-4
收藏
得分:0 
学习,前来学习的!!多关照啊,呵呵……
2008-11-06 17:42
ONEPROBLEM
Rank: 6Rank: 6
来 自:广西 南宁
等 级:贵宾
威 望:21
帖 子:1569
专家分:349
注 册:2008-7-11
收藏
得分:0 
嗯,好!
要是把这几个程序弄明白了,水平又提高一截了~~
2008-11-06 21:32
zklhp
Rank: 20Rank: 20Rank: 20Rank: 20Rank: 20
来 自:china
等 级:贵宾
威 望:254
帖 子:11485
专家分:33241
注 册:2007-7-10
收藏
得分:0 
[bo][un]ONEPROBLEM[/un] 在 2008-11-6 21:32 的发言:[/bo]

嗯,好!
要是把这几个程序弄明白了,水平又提高一截了~~


看了你问的那个杀进程的帖子后想起来还有这个程序 就发上来了 呵呵
收到的鲜花
  • ONEPROBLEM2008-11-06 21:47 送鲜花  49朵   附言:热心~~
2008-11-06 21:43
cnhanxiao
Rank: 2
等 级:新手上路
威 望:4
帖 子:124
专家分:0
注 册:2008-10-17
收藏
得分:0 
好东西!

还有绑架成版主的?拒绝做版主——对不起啊!
2008-11-07 01:34
zklhp
Rank: 20Rank: 20Rank: 20Rank: 20Rank: 20
来 自:china
等 级:贵宾
威 望:254
帖 子:11485
专家分:33241
注 册:2007-7-10
收藏
得分:0 
[bo][un]cnhanxiao[/un] 在 2008-11-7 01:34 的发言:[/bo]

好东西!


谢谢各位的肯定
2008-11-07 16:20
快速回复:RunAsSystem v0.1 (Win32汇编)
数据加载中...
 
   



关于我们 | 广告合作 | 编程中国 | 清除Cookies | TOP | 手机版

编程中国 版权所有,并保留所有权利。
Powered by Discuz, Processed in 0.055898 second(s), 11 queries.
Copyright©2004-2024, BCCN.NET, All Rights Reserved