过节结束,回家继续努力,贡献看雪几个小工具(附源)!
愤怒菜板 好像连续沙发。。 |
过节结束,回家继续努力,贡献看雪几个小工具(附源)!
killproc.c cl killproc.c Shlwapi.lib advapi32.lib
/*
 * killproc.c — terminate a process by image name.
 *
 * Flow as written: take a Toolhelp process snapshot, look for an entry whose
 * szExeFile equals the requested name (case-insensitive, full match), open
 * that PID with PROCESS_ALL_ACCESS and start a remote thread whose start
 * address is the bogus value 100. The thread is never waited on or inspected;
 * presumably the unhandled fault it raises is what brings the target down.
 *
 * Review notes (defects visible in this listing):
 *  - hProcess is never closed (handle leak).
 *  - The search loop begins with Process32Next, not Process32First, so the
 *    first snapshot entry is never compared against the name.
 *  - The function returns pe32.th32ProcessID through a BOOL return type.
 *  - uExitCode / dwExitCode / lpExitCode / bRet / hProcess-exit handling are
 *    declared but never used.
 */
#include <stdio.h>
#include <windows.h>
#include <tlhelp32.h>
#include <shlwapi.h>
#include <aclapi.h>
#pragma comment(lib,"Shlwapi.lib")

/*
 * Retained from the original listing, commented out there as well: the
 * matching call in main() below is also commented out, so the tool runs
 * without enabling SeDebugPrivilege. Note the success path never closes
 * hToken, and AdjustTokenPrivileges reports success even when the privilege
 * is not held (ERROR_NOT_ALL_ASSIGNED is only visible via GetLastError).
 *
 * BOOL EnableDebugPriv( LPCTSTR szPrivilege )
 * {
 *     HANDLE hToken;
 *     LUID sedebugnameValue;
 *     TOKEN_PRIVILEGES tkp;
 *     if ( !OpenProcessToken( GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY, &hToken ) ) {
 *         return FALSE;
 *     }
 *     if ( !LookupPrivilegeValue( NULL, szPrivilege, &sedebugnameValue ) ) {
 *         CloseHandle( hToken );
 *         return FALSE;
 *     }
 *     tkp.PrivilegeCount = 1;
 *     tkp.Privileges[0].Luid = sedebugnameValue;
 *     tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
 *     if ( !AdjustTokenPrivileges( hToken, FALSE, &tkp, sizeof tkp, NULL, NULL ) ) {
 *         CloseHandle( hToken );
 *         return FALSE;
 *     }
 *     return TRUE;
 * }
 */

/*
 * Locate the process named chProcessName and start a remote thread in it at
 * an invalid address.
 *
 * @param chProcessName  image name to match against PROCESSENTRY32.szExeFile
 *                       (exact, case-insensitive; compared with lstrcmpi).
 * @return FALSE when the snapshot fails, no process matches, or OpenProcess
 *         fails; otherwise the matched PID, truncated into a BOOL.
 */
BOOL exploit(char* chProcessName)
{
    HANDLE hProcessSnap = NULL;
    HANDLE hProcess = NULL;
    BOOL bFound = FALSE;
    BOOL bRet = FALSE;            /* unused */
    PROCESSENTRY32 pe32 = {0};
    UINT uExitCode = 0;           /* unused */
    DWORD dwExitCode = 0;         /* unused */
    LPDWORD lpExitCode = &dwExitCode; /* unused */

    hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hProcessSnap == INVALID_HANDLE_VALUE) return (FALSE);

    /* dwSize must be set before the first Process32* call. */
    pe32.dwSize = sizeof(PROCESSENTRY32);
    printf("Searching for process... \n");
    /* NOTE(review): starts with Process32Next, so the first entry of the
     * snapshot is skipped; Process32First would be the usual opener. */
    while(!bFound && Process32Next(hProcessSnap, &pe32)) {
        if(lstrcmpi(pe32.szExeFile, chProcessName) == 0) bFound = TRUE;
    }
    CloseHandle(hProcessSnap);

    if(!bFound){
        printf("Process not found. \n");
        return(FALSE);
    }
    printf("Process found. \n");

    /* Full access is requested; whether it is granted depends on the caller's
     * rights against the target's DACL (SeDebugPrivilege is not enabled here). */
    hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pe32.th32ProcessID);
    if(hProcess == NULL){
        printf("Write access denied for this process. \n");
        printf("Exploit failed. \n");
        return(FALSE);
    }
    printf("Write access is allowed \n");
    printf("Send exploit to process...\n");

    /* Start address 100 is not a valid code address; the returned thread
     * handle is discarded, so it leaks and the outcome is never checked.
     * NOTE(review): hProcess is also never closed. */
    CreateRemoteThread(hProcess,0,0,(DWORD (__stdcall *)(void *))100,0,0,0);
    printf("Success. \n");

    /* PID returned through a BOOL: any non-zero PID reads as "true". */
    return(pe32.th32ProcessID);
}

/*
 * Entry point: killproc.exe <process name>.
 * argv[argc] is NULL, so reading argv[1] with argc == 1 yields NULL rather
 * than an out-of-bounds read; it is only dereferenced in the else branch.
 * The return value of exploit() is ignored, and main() has no return
 * statement (C99 implicit return 0).
 */
int main(int argc,char **argv)
{
    char* chProcess = argv[1];
    if(argc < 2) {
        printf("\n");
        printf("Usage: killproc.exe <process name> \n");
    }
    else {
        //if ( !EnableDebugPriv("SeDebugPrivilege") )
        //    printf("EnableDebugPriv() failed!\n");
        exploit(chProcess);
    }
}
过节结束,回家继续努力,贡献看雪几个小工具(附源)!
继续发烧,贴上源码! sysrun.c cl sysrun.cpp Shlwapi.lib advapi32.lib
/*
 * sysrun.c — run a command line under a copy of WINLOGON.EXE's token.
 * Built as C++ (cl sysrun.cpp ...): it relies on true/false and on
 * declarations after statements / in for-init.
 *
 * Flow as written: enable SeDebugPrivilege, find the PID of WINLOGON.EXE,
 * open its token with WRITE_DAC, add an "Everyone: TOKEN_ALL_ACCESS" ACE to
 * the token's DACL, reopen the token with TOKEN_ALL_ACCESS, duplicate it as
 * a primary token and CreateProcessAsUser() the requested command line.
 * Presumably the point is that winlogon's token is a SYSTEM token — not
 * established by anything in this file.
 *
 * Defender's note: the DACL change on winlogon's token is never reverted, so
 * the token stays readable/duplicable by Everyone for its remaining lifetime.
 * A non-system process opening another process's token with WRITE_DAC and
 * then calling SetKernelObjectSecurity on it is the observable artifact.
 */
#include <stdio.h>
#include <windows.h>
#include <tlhelp32.h>
#include <shlwapi.h>
#include <aclapi.h>
#pragma comment(lib,"Shlwapi.lib")

/*
 * Enable the named privilege on the current process token.
 *
 * @param szPrivilege  privilege name for LookupPrivilegeValue, e.g. "SeDebugPrivilege".
 * @return FALSE if the token cannot be opened, the name cannot be resolved, or
 *         AdjustTokenPrivileges fails; TRUE otherwise.
 *
 * NOTE(review): hToken is closed on the failure paths but leaked on success.
 * AdjustTokenPrivileges returns TRUE even when the privilege is not held by
 * the token (ERROR_NOT_ALL_ASSIGNED via GetLastError), so TRUE here does not
 * prove the privilege is now enabled.
 */
BOOL EnableDebugPriv(LPCTSTR szPrivilege)
{
    HANDLE hToken;
    LUID sedebugnameValue;
    TOKEN_PRIVILEGES tkp;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY, &hToken)) {
        return FALSE;
    }
    if (!LookupPrivilegeValue(NULL, szPrivilege, &sedebugnameValue)) {
        CloseHandle(hToken);
        return FALSE;
    }
    tkp.PrivilegeCount = 1;
    tkp.Privileges[0].Luid = sedebugnameValue;
    tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    if (!AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof tkp, NULL, NULL)) {
        CloseHandle(hToken);
        return FALSE;
    }
    return TRUE;
}

/*
 * Return the PID of the first snapshot entry whose image name starts with
 * szProcName (case-insensitive prefix match: StrCmpNI with strlen(szProcName)),
 * or NULL (0) when nothing matches or the snapshot cannot be taken.
 *
 * NOTE(review):
 *  - `if (hSP)` does not catch failure: CreateToolhelp32Snapshot returns
 *    INVALID_HANDLE_VALUE, which is non-NULL.
 *  - Prefix matching means "WINLOGON.EXE" would also match a longer name that
 *    begins with it.
 *  - Newer SDKs declare a kernel32 GetProcessId(HANDLE); as C++ this is an
 *    overload, as C it would collide — renaming would avoid the ambiguity.
 *  - dwPid is only read when bFound is set, so it is not read uninitialized.
 */
DWORD GetProcessId(LPCTSTR szProcName)
{
    PROCESSENTRY32 pe;
    DWORD dwPid;
    DWORD dwRet;
    BOOL bFound = FALSE;
    HANDLE hSP = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSP) {
        pe.dwSize = sizeof(pe);
        for (dwRet = Process32First(hSP, &pe); dwRet; dwRet = Process32Next(hSP, &pe)) {
            if (StrCmpNI(szProcName, pe.szExeFile, strlen(szProcName)) == 0) {
                dwPid = pe.th32ProcessID;
                bFound = TRUE;
                break;
            }
        }
        CloseHandle(hSP);
        if (bFound == TRUE) {
            return dwPid;
        }
    }
    return NULL;
}

/*
 * Start szProcessName as a new process using a duplicate of WINLOGON.EXE's
 * primary token, after widening that token's DACL so it can be opened with
 * TOKEN_ALL_ACCESS. Blocks until the child exits.
 *
 * @param szProcessName  mutable command line passed to CreateProcessAsUser.
 * @return true on success, false on any failure (the failing API and
 *         GetLastError() are printed).
 *
 * NOTE(review), resource handling in this function:
 *  - hProcess, hToken, hNewToken and pi are uninitialized; every early
 *    `goto Cleanup` still reaches CloseHandle() on whichever of them were not
 *    yet assigned, i.e. CloseHandle on indeterminate values.
 *  - The first hToken (READ_CONTROL|WRITE_DAC) is overwritten by the second
 *    OpenProcessToken without being closed — handle leak.
 *  - pNewDAcl from SetEntriesInAcl is never freed (SetEntriesInAcl allocates
 *    it with LocalAlloc; LocalFree would be the matching release).
 *  - pOldDAcl first points inside pOrigSd (GetSecurityDescriptorDacl returns a
 *    pointer into the self-relative SD, not a separate block). If the function
 *    exits before the HeapAlloc reassignment below, Cleanup frees pOrigSd and
 *    then HeapFree()s a pointer into that already-freed block.
 *  - ImpersonateLoggedOnUser's result is ignored and there is no RevertToSelf.
 *  - GetLastError() is DWORD; "%d" does not match it ("%lu" would). The
 *    SetEntriesInAcl branch prints GetLastError() although dwRet holds the
 *    error code.
 */
BOOL CreateSystemProcess(LPTSTR szProcessName)
{
    HANDLE hProcess;
    HANDLE hToken, hNewToken;
    DWORD dwPid;
    PACL pOldDAcl = NULL;
    PACL pNewDAcl = NULL;
    BOOL bDAcl;
    BOOL bDefDAcl;
    DWORD dwRet;
    PACL pSacl = NULL;
    PSID pSidOwner = NULL;
    PSID pSidPrimary = NULL;
    DWORD dwAclSize = 0;
    DWORD dwSaclSize = 0;
    DWORD dwSidOwnLen = 0;
    DWORD dwSidPrimLen = 0;
    DWORD dwSDLen;
    EXPLICIT_ACCESS ea;
    PSECURITY_DESCRIPTOR pOrigSd = NULL;
    PSECURITY_DESCRIPTOR pNewSd = NULL;
    STARTUPINFO si;
    PROCESS_INFORMATION pi;
    BOOL bRet = true;

    if (!EnableDebugPriv("SeDebugPrivilege")) {
        printf("EnableDebugPriv() failed!\n");
        bRet = false;
        goto Cleanup;
    }

    /* Prefix match against the snapshot; see GetProcessId() above. */
    if ((dwPid = GetProcessId("WINLOGON.EXE")) == NULL) {
        printf("GetProcessId() failed!\n");
        bRet = false;
        goto Cleanup;
    }

    hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, dwPid);
    if (hProcess == NULL) {
        printf("OpenProcess() = %d\n", GetLastError() );
        bRet = false;
        goto Cleanup;
    }

    /* First token open: only what is needed to read and rewrite the DACL. */
    if (!OpenProcessToken( hProcess, READ_CONTROL|WRITE_DAC, &hToken )) {
        printf("OpenProcessToken() = %d\n", GetLastError());
        bRet = false;
        goto Cleanup;
    }

    /* The ACE that will be merged into the token's DACL. */
    ZeroMemory(&ea, sizeof( EXPLICIT_ACCESS));
    BuildExplicitAccessWithName(&ea, "Everyone", TOKEN_ALL_ACCESS, GRANT_ACCESS, 0);

    /* Two-call pattern: size query with a NULL buffer, then the real read. */
    if (!GetKernelObjectSecurity(hToken, DACL_SECURITY_INFORMATION, pOrigSd, 0, &dwSDLen)) {
        if (GetLastError() == ERROR_INSUFFICIENT_BUFFER) {
            pOrigSd = (PSECURITY_DESCRIPTOR) HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, dwSDLen);
            if (pOrigSd == NULL) {
                printf("HeapAlloc failed: pSd \n");
                bRet = false;
                goto Cleanup;
            }
            if (!GetKernelObjectSecurity(hToken, DACL_SECURITY_INFORMATION, pOrigSd, dwSDLen, &dwSDLen)) {
                printf("GetKernelObjectSecurity() = %d\n", GetLastError());
                bRet = false;
                goto Cleanup;
            }
        } else {
            printf("GetKernelObjectSecurity() = %d\n", GetLastError());
            bRet = false;
            goto Cleanup;
        }
    }

    /* pOldDAcl now points into pOrigSd (see the note above about Cleanup). */
    if (!GetSecurityDescriptorDacl(pOrigSd, &bDAcl, &pOldDAcl, &bDefDAcl)) {
        printf("GetSecurityDescriptorDacl() = %d\n", GetLastError());
        bRet = false;
        goto Cleanup;
    }

    /* Merge the Everyone ACE with the existing DACL into a fresh pNewDAcl. */
    dwRet = SetEntriesInAcl(1, &ea, pOldDAcl, &pNewDAcl);
    if (dwRet != ERROR_SUCCESS) {
        printf("SetEntriesInAcl() = %d\n", GetLastError());
        pNewDAcl = NULL;
        bRet = false;
        goto Cleanup;
    }

    /* Convert the self-relative SD to absolute form (two-call size query).
     * On the size-query path pOldDAcl is re-pointed at a fresh heap block,
     * which is the only case in which Cleanup's HeapFree(pOldDAcl) is valid. */
    if (!MakeAbsoluteSD(pOrigSd, pNewSd, &dwSDLen, pOldDAcl, &dwAclSize, pSacl, &dwSaclSize, pSidOwner, &dwSidOwnLen, pSidPrimary, &dwSidPrimLen)) {
        if (GetLastError() == ERROR_INSUFFICIENT_BUFFER) {
            pOldDAcl = (PACL) HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, dwAclSize);
            pSacl = (PACL) HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, dwSaclSize);
            pSidOwner = (PSID) HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, dwSidOwnLen);
            pSidPrimary = (PSID) HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, dwSidPrimLen);
            pNewSd = (PSECURITY_DESCRIPTOR) HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, dwSDLen);
            if (pOldDAcl == NULL|| pSacl == NULL|| pSidOwner == NULL|| pSidPrimary == NULL|| pNewSd == NULL ) {
                printf("HeapAlloc SID or ACL failed!\n");
                bRet = false;
                goto Cleanup;
            }
            if (!MakeAbsoluteSD(pOrigSd, pNewSd, &dwSDLen, pOldDAcl, &dwAclSize, pSacl, &dwSaclSize, pSidOwner, &dwSidOwnLen, pSidPrimary, &dwSidPrimLen)) {
                printf("MakeAbsoluteSD() = %d\n", GetLastError());
                bRet = false;
                goto Cleanup;
            }
        } else {
            printf("MakeAbsoluteSD() = %d\n", GetLastError());
            bRet = false;
            goto Cleanup;
        }
    }

    /* Install the widened DACL on the token. Nothing below restores it. */
    if (!SetSecurityDescriptorDacl( pNewSd, bDAcl, pNewDAcl, bDefDAcl)) {
        printf("SetSecurityDescriptorDacl() = %d\n", GetLastError());
        bRet = false;
        goto Cleanup;
    }
    if (!SetKernelObjectSecurity( hToken, DACL_SECURITY_INFORMATION, pNewSd)) {
        printf("SetKernelObjectSecurity() = %d\n", GetLastError());
        bRet = false;
        goto Cleanup;
    }

    /* Second token open, now with full access; the earlier hToken is not
     * closed before being overwritten. */
    if (!OpenProcessToken( hProcess, TOKEN_ALL_ACCESS, &hToken)) {
        printf("OpenProcessToken() = %d\n", GetLastError());
        bRet = false;
        goto Cleanup;
    }
    if (!DuplicateTokenEx(hToken, TOKEN_ALL_ACCESS, NULL, SecurityImpersonation, TokenPrimary, &hNewToken)) {
        printf("DuplicateTokenEx() = %d\n", GetLastError());
        bRet = false;
        goto Cleanup;
    }

    ZeroMemory(&si, sizeof(STARTUPINFO));
    si.cb = sizeof(STARTUPINFO);
    /* Return value unchecked; the thread stays impersonated afterwards. */
    ImpersonateLoggedOnUser(hNewToken);
    /* The line comment below keeps the original's disabled creation flags;
     * the line break after it is significant. */
    if (!CreateProcessAsUser(hNewToken, NULL, szProcessName, NULL, NULL, FALSE, NULL,//NORMAL_PRIORITY_CLASS|CREATE_NEW_CONSOLE,
        NULL, NULL, &si, &pi)) {
        printf("CreateProcessAsUser() = %d\n", GetLastError());
        bRet = false;
        goto Cleanup;
    }
    /* Block until the child exits. */
    WaitForSingleObject(pi.hProcess, INFINITE);

Cleanup:
    if (pOrigSd) { HeapFree(GetProcessHeap(), 0, pOrigSd ); }
    if (pNewSd) { HeapFree(GetProcessHeap(), 0, pNewSd ); }
    if (pSidPrimary) { HeapFree(GetProcessHeap(), 0, pSidPrimary); }
    if (pSidOwner) { HeapFree(GetProcessHeap(), 0, pSidOwner); }
    if (pSacl) { HeapFree(GetProcessHeap(), 0, pSacl); }
    if (pOldDAcl) { HeapFree(GetProcessHeap(), 0, pOldDAcl); }
    /* These handles are unconditionally closed even on paths where they were
     * never assigned (see the function-level note). pNewDAcl is not released. */
    CloseHandle(pi.hProcess);
    CloseHandle(pi.hThread);
    CloseHandle(hToken);
    CloseHandle(hNewToken);
    CloseHandle(hProcess);
    return bRet;
}

/*
 * Entry point: sysrun.exe filename.exe [args...]. Joins argv[1..] with single
 * spaces (a trailing space is left after the last argument) and hands the
 * result to CreateSystemProcess().
 *
 * NOTE(review), the command-line assembly here is unsafe as written:
 *  - cmdLine is a 2-byte array ("\0" plus the implicit terminator); the strcpy
 *    and every strcat write past it for any real argument — a stack buffer
 *    overflow. A fixed bound would need the summed argv lengths and a buffer
 *    sized (or allocated) accordingly.
 *  - printf(cmdLine) uses caller-supplied argv as the format string
 *    (CERT FIO30-C); printf("%s", cmdLine) prints it safely.
 *  - strcat(cmdLine,"\0") appends nothing.
 *  - void main is non-standard; int main is the portable form.
 */
void main(int argc, char** argv)
{
    if (argc<2) {
        printf("Usage %s filename.exe\n", argv[0]);
        return;
    }
    char cmdLine[] = "\0";
    strcpy(cmdLine,argv[1]);
    strcat(cmdLine," ");
    /* i runs 1..argc-2, so argv[2..argc-1] are appended here. */
    for(int i=1;i<(argc-1);i++) {
        strcat(cmdLine,argv[i+1]);
        strcat(cmdLine," ");
    }
    strcat(cmdLine,"\0");
    printf(cmdLine);
    if (CreateSystemProcess(cmdLine) == FALSE) {
        printf("CreateSystemProcess() failed!\n");
    }
    return;
}
过节结束,回家继续努力,贡献看雪几个小工具(附源)!
不能贴2个附件??? |