-
-
[原创] CE 句柄提权内核驱动源代码
-
发表于: 5小时前
-
22年的一个可以绕过CF检测的内核驱动提权代码,最近学习了一下
#include <ntifs.h>
#include <wdm.h>
// 全局变量
PVOID g_RegisterCallbackHandle = NULL;
HANDLE g_PromotePid = NULL; // 这里需要填入Cheat Engine的进程ID
// 驱动卸载函数
VOID UnLoadDriver(PDRIVER_OBJECT pObj)
{
if (NULL != g_RegisterCallbackHandle)
{
ObUnRegisterCallbacks(g_RegisterCallbackHandle);
DbgPrintEx(0, 77, "[+] 回调已注销\n");
}
DbgPrintEx(0, 77, "[+] 驱动卸载成功\n");
return;
}
// Ob预操作回调函数(核心提权逻辑)
OB_PREOP_CALLBACK_STATUS PobPreOperationCallback(
PVOID RegistrationContext,
POB_PRE_OPERATION_INFORMATION OperationInformation
)
{
UNREFERENCED_PARAMETER(RegistrationContext);
// 只处理来自CE进程的句柄请求
if (g_PromotePid == PsGetCurrentProcessId())
{
DbgPrintEx(0, 77, "[+] 检测到CE进程发起句柄操作,正在提权\n");
// 处理句柄创建操作(OpenProcess)
if (OperationInformation->Operation == OB_OPERATION_HANDLE_CREATE)
{
OperationInformation->Parameters->CreateHandleInformation.DesiredAccess = PROCESS_ALL_ACCESS;
DbgPrintEx(0, 77, "[+] 句柄创建权限已提升为PROCESS_ALL_ACCESS\n");
}
// 处理句柄复制操作(DuplicateHandle)
else if (OperationInformation->Operation == OB_OPERATION_HANDLE_DUPLICATE)
{
OperationInformation->Parameters->DuplicateHandleInformation.DesiredAccess = PROCESS_ALL_ACCESS;
DbgPrintEx(0, 77, "[+] 句柄复制权限已提升为PROCESS_ALL_ACCESS\n");
}
}
return OB_PREOP_SUCCESS;
}
// LDR数据表格结构体(用于修改驱动标志)
struct _LDR_DATA_TABLE_ENTRY
{
struct _LIST_ENTRY InLoadOrderLinks; // 0x00
struct _LIST_ENTRY InMemoryOrderLinks; // 0x10
struct _LIST_ENTRY InInitializationOrderLinks; // 0x20
VOID* DllBase; // 0x30
VOID* EntryPoint; // 0x38
ULONG SizeOfImage; // 0x40
struct _UNICODE_STRING FullDllName; // 0x48
struct _UNICODE_STRING BaseDllName; // 0x58
union
{
UCHAR FlagGroup[4]; // 0x68
ULONG Flags; // 0x68
struct
{
ULONG PackagedBinary : 1; // 0x68
ULONG MarkedForRemoval : 1; // 0x68
ULONG ImageDll : 1; // 0x68
ULONG LoadNotificationsSent : 1; // 0x68
ULONG TelemetryEntryProcessed : 1; // 0x68
ULONG ProcessStaticImport : 1; // 0x68
ULONG InLegacyLists : 1; // 0x68
ULONG InIndexes : 1; // 0x68
ULONG ShimDll : 1; // 0x68
ULONG InExceptionTable : 1; // 0x68
ULONG ReservedFlags1 : 2; // 0x68
ULONG LoadInProgress : 1; // 0x68
ULONG LoadConfigProcessed : 1; // 0x68
ULONG EntryProcessed : 1; // 0x68
ULONG ProtectDelayLoad : 1; // 0x68
ULONG ProcessAttachCalled : 1; // 0x68
ULONG ProcessAttachFailed : 1; // 0x68
ULONG CorDeferredValidate : 1; // 0x68
ULONG CorImage : 1; // 0x68
ULONG DontRelocate : 1; // 0x68
ULONG CorILOnly : 1; // 0x68
ULONG ChpeImage : 1; // 0x68
ULONG ReservedFlags5 : 2; // 0x68
ULONG Redirected : 1; // 0x68
ULONG ReservedFlags6 : 2; // 0x68
ULONG CompatDatabaseProcessed : 1; // 0x68
};
};
};
// 驱动入口函数
NTSTATUS DriverEntry(PDRIVER_OBJECT pObj, PUNICODE_STRING pReg)
{
UNREFERENCED_PARAMETER(pReg);
NTSTATUS ntStatus = STATUS_SUCCESS;
pObj->DriverUnload = UnLoadDriver;
// 关键:设置驱动标志,绕过MMP强制签名检查(仅测试模式有效)
((struct _LDR_DATA_TABLE_ENTRY*)pObj->DriverSection)->Flags |= 0x20;
DbgPrintEx(0, 77, "[+] 驱动标志已修改\n");
// 配置要监控的操作类型
OB_OPERATION_REGISTRATION obOperationRegistration = { 0 };
obOperationRegistration.ObjectType = PsProcessType;
obOperationRegistration.Operations = OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE;
obOperationRegistration.PreOperation = PobPreOperationCallback;
// 配置回调注册信息
OB_CALLBACK_REGISTRATION obCallbackRegistration = { 0 };
UNICODE_STRING ustrAltitude = RTL_CONSTANT_STRING(L"316666"); // 回调高度:越高越晚调用
obCallbackRegistration.Version = ObGetFilterVersion();
obCallbackRegistration.OperationRegistrationCount = 1;
obCallbackRegistration.Altitude = ustrAltitude;
obCallbackRegistration.OperationRegistration = &obOperationRegistration;
// 注册Ob回调
ntStatus = ObRegisterCallbacks(&obCallbackRegistration, &g_RegisterCallbackHandle);
DbgPrintEx(0, 77, "[+] ObRegisterCallbacks 返回状态: 0x%X\n", ntStatus);
if (NT_SUCCESS(ntStatus))
{
DbgPrintEx(0, 77, "[+] 回调注册成功!\n");
DbgPrintEx(0, 77, "[!] 请将g_PromotePid设置为CE的进程ID\n");
}
else
{
DbgPrintEx(0, 77, "[-] 回调注册失败,错误码: 0x%X\n", ntStatus);
}
return ntStatus;
}结果截图:
|
|
|---|---|
