在研究如何将进程权限提升的问题时,我参考了网上的代码,打算将一段代码注入svchost.exe进程,注入代码的功能是弹出一个提示,但运行后的结果却是。。。。。。。
麻烦各位大哥指点下,该怎么解决,小弟在这先谢谢各位了!
代码如下:
.386
.model flat,stdcall
option casemap:none
include windows.inc
include user32.inc
includelib user32.lib
include kernel32.inc
includelib kernel32.lib
include advapi32.inc
includelib advapi32.lib
.data
; Injector state. Handles live in globals so the flat code at `start`
; can read them without a frame.
pid dd ? ;PID of the target process located by GetID
hProcess dd ? ;handle to the target process (from OpenProcess)
hThread dd ? ;handle to the remote thread (from CreateRemoteThread)
lpCodeRemote dd ? ;base of the buffer allocated inside the target
hSnapShot dd ? ;Toolhelp snapshot handle used by GetID
szProcessName db 'svchost.exe',0 ;image name GetID compares against (case-insensitive)
lpToken dd ? ;not referenced anywhere in this file; Up uses a local hToken instead
SE_DEBUG_NAME0 db 'SeDebugPrivilege',0 ;privilege name handed to LookupPrivilegeValue in Up
.const
; Strings `start` uses to resolve the MessageBox entry point at run time.
szMsg db 'MessageBox',0 ;export name passed to GetProcAddress
Userdll db 'user32.dll',0 ;module name passed to LoadLibrary
.code
; codebegin..codelen is the byte range copied verbatim into the target
; process (see WriteProcessMemory in `start`). The two strings travel
; with the code; Rproc locates them relative to its own run-time address.
codebegin:
sz1 db '111',0 ;lpText for MessageBox
sz2 db '222',0 ;lpCaption for MessageBox
datalen =$-codebegin ;offset of Rproc from codebegin; `start` adds it to lpCodeRemote to get the remote thread's entry
Rproc proc Msg ;Msg = address of MessageBox, delivered as the remote thread's lpParameter
; Thread routine that runs inside the target. It is assembled at one
; address and executed at another, so it must not use absolute
; addresses: CALL @F / POP EBX yields the run-time address of @@, and
; subtracting the link-time OFFSET @B leaves the relocation delta in EBX.
; NOTE(review): EBX is callee-saved under stdcall and is not restored
; here; with `.model flat,stdcall` MASM presumably emits the usual
; push ebp/mov ebp,esp prologue for a proc with a parameter -- confirm
; in the listing file if the exact injected bytes matter.
CALL @F ;pushes the address of @@ as a return address
@@:
POP EBX ;EBX = run-time address of @@
SUB EBX,OFFSET @B ;EBX = run-time base - link-time base (relocation delta)
LEA ECX,[EBX+sz1] ;ECX = relocated lpText
LEA EDX,[EBX+sz2] ;EDX = relocated lpCaption
push NULL ;uType
push edx ;lpCaption
push ecx ;lpText
push NULL ;hWnd
call Msg ;stdcall: the callee removes the four arguments
ret
Rproc endp
codelen =$-codebegin ;total size in bytes of the injected range (strings + Rproc); used by VirtualAllocEx, WriteProcessMemory and VirtualFreeEx in `start`
GetID proc
; Walk a Toolhelp process snapshot and store in `pid` the PID of the
; first entry whose szExeFile matches szProcessName (case-insensitive).
; Defender note: snapshot-then-name-compare is how most injectors pick a
; host process; on a machine with several processes of that name this
; picks whichever entry Process32First/Next returns first.
; There is no "not found" result: if nothing matches, `pid` receives
; whatever the last Process32Next call left in @stProcess.
local @stProcess:PROCESSENTRY32
invoke RtlZeroMemory,addr @stProcess,sizeof @stProcess
mov @stProcess.dwSize,sizeof @stProcess ;Toolhelp requires dwSize to be set before Process32First
invoke CreateToolhelp32Snapshot,TH32CS_SNAPPROCESS,0
mov hSnapShot,eax ;NOTE(review): not checked against INVALID_HANDLE_VALUE
invoke Process32First,hSnapShot,addr @stProcess
.while eax ;eax = BOOL from Process32First / Process32Next
invoke lstrcmpi,addr @stProcess.szExeFile,offset szProcessName
.break .if eax == 0 ;lstrcmpi returns 0 when the names are equal
invoke Process32Next,hSnapShot,addr @stProcess
.endw
push @stProcess.th32ProcessID ;copy the matched entry's PID into the global
pop pid
invoke CloseHandle,hSnapShot
ret
GetID endp
Up proc
; Enable SeDebugPrivilege in the current process token. This is the
; privilege that lets OpenProcess succeed on processes owned by other
; accounts. AdjustTokenPrivileges can only enable a privilege the token
; already holds (normally an administrator's); it does not grant new
; ones, so this is not itself an escalation.
; Defender note: a process enabling SeDebugPrivilege shortly before
; opening another process is a common precursor to cross-process
; tampering and is worth alerting on.
local hToken:dword
local @tkp:TOKEN_PRIVILEGES
mov @tkp.PrivilegeCount,1
mov @tkp.Privileges.Attributes,SE_PRIVILEGE_ENABLED
invoke GetCurrentProcess
mov ebx,eax ;NOTE(review): clobbers callee-saved EBX without saving it
invoke OpenProcessToken,ebx,TOKEN_ALL_ACCESS,addr hToken
invoke LookupPrivilegeValue,NULL,addr SE_DEBUG_NAME0,addr @tkp.Privileges.Luid ;NULL system name = local machine
invoke AdjustTokenPrivileges,hToken,FALSE,addr @tkp,sizeof @tkp,0,0 ;neither the return value nor GetLastError (ERROR_NOT_ALL_ASSIGNED) is checked
invoke CloseHandle,hToken
ret
Up endp
start:
; Entry point. Sequence: enable SeDebugPrivilege -> find the target PID
; -> open it -> allocate an RWX buffer inside it -> copy
; codebegin..codelen -> resolve MessageBox in THIS process -> start a
; remote thread at lpCodeRemote+datalen with that address as parameter.
; Defender note: OpenProcess(PROCESS_ALL_ACCESS) + VirtualAllocEx
; (PAGE_EXECUTE_READWRITE) + WriteProcessMemory + CreateRemoteThread is
; the canonical remote-thread injection chain; Sysmon event 10
; (ProcessAccess) and event 8 (CreateRemoteThread), and most EDR
; user-mode hooks, key on exactly this sequence. Passing an address
; resolved here into the target assumes user32.dll is mapped at the
; same base in both processes.
invoke Up
invoke GetID
invoke OpenProcess,PROCESS_ALL_ACCESS,FALSE,pid ;open the target; the handle is not checked for NULL
mov hProcess,eax ;save the process handle
invoke VirtualAllocEx,hProcess,0, codelen, MEM_COMMIT, PAGE_EXECUTE_READWRITE ;RWX allocation in the target; result not checked
mov lpCodeRemote,eax
invoke WriteProcessMemory,hProcess,lpCodeRemote,offset codebegin,codelen,NULL ;copy strings + Rproc; result not checked
mov esi,lpCodeRemote
add esi,datalen ;esi = remote address of Rproc (skip the two strings)
push esi ;preserve esi across the two invokes below
invoke LoadLibrary,offset Userdll ;load user32.dll into this process
invoke GetProcAddress,eax,offset szMsg ;eax = export address, or NULL on failure; not checked
pop esi
invoke CreateRemoteThread,hProcess,0,0,esi,eax,0,0 ;lpStartAddress = esi, lpParameter = eax (becomes Rproc's Msg)
mov hThread,eax ;save the thread handle
.if hThread
invoke WaitForSingleObject,hThread, INFINITE ;wait for the remote thread to finish
invoke CloseHandle,hThread ;close the thread handle
.endif
invoke VirtualFreeEx,hProcess,lpCodeRemote,codelen,MEM_RELEASE ;release the remote buffer; hProcess itself is never closed
invoke ExitProcess,0
end start