.386
.model flat,stdcall
option casemap:none
include windows.inc
include kernel32.inc
include user32.inc
include advapi32.inc
;include th32.inc
includelib kernel32.lib
includelib user32.lib
includelib advapi32.lib
includelib th32.lib
.data?
lpGetProcAddress dd ?;需要被写入远程线程的函数
lpGetModuleHandle dd ?
lplstrlen dd ?
lpSleep dd ?
lpFileName db 256 dup (?);写入远程线程的自身文件名,用于写入注册表
lpRemoteCode dd ?;远程线程开辟空间的起始地址
hModule dd ?
dwWinlogon dd ?;winlogon进程号
dwTemp dd ?
.const
szKernelDll db 'kernel32.dll',0
szGetProcAddress db 'GetProcAddress',0
szGetModuleHandle db 'GetModuleHandleA',0
szlstrlen db 'lstrlenA',0
szSleep db 'Sleep',0
szErrOpen db 'Can not open thread',0ah,0dh,0
szDebugName db 'SeDebugPrivilege',0
szWinlogonName db 'winlogon.exe',0
.code
include RemoteThread.asm
start:
jmp @F
hToken dd ?
hProcess dd ?
hToolHelp dd ?
stTkp TOKEN_PRIVILEGES <>;调整权限
stProcess PROCESSENTRY32 <>;查找winlogon进程
@@:
;*************************************************************************
;调整当前进程的权限,设置成调试权限,才能打开winlogon
invoke GetCurrentProcess
invoke OpenProcessToken,eax,TOKEN_ADJUST_PRIVILEGES or TOKEN_QUERY,addr hToken
invoke LookupPrivilegeValue,NULL,offset szDebugName,addr stTkp.Privileges[0].Luid
mov stTkp.PrivilegeCount,1
mov stTkp.Privileges[0].Attributes,SE_PRIVILEGE_ENABLED
invoke AdjustTokenPrivileges,hToken,FALSE,addr stTkp,NULL,NULL,NULL
;***************************************************************************
;查找winlogon的进程号
invoke CreateToolhelp32Snapshot,TH32CS_SNAPPROCESS,NULL
mov hToolHelp,eax
mov stProcess.dwSize,sizeof stProcess
invoke Process32First,hToolHelp,addr stProcess
mov ebx,eax
.while ebx==TRUE
mov stProcess.dwSize,sizeof stProcess
invoke Process32Next,hToolHelp,addr stProcess
lea edx,stProcess.szExeFile
invoke lstrcmp,edx,offset szWinlogonName
.if eax==0
push stProcess.th32ProcessID
pop dwWinlogon
.break
.endif
.endw
;***************************************************************************
;打开winlogon进程
;开辟空间
;写入进程数据
invoke OpenProcess,PROCESS_VM_OPERATION or PROCESS_VM_WRITE or PROCESS_CREATE_THREAD,FALSE,dwWinlogon
.if eax
mov hProcess,eax
invoke VirtualAllocEx,hProcess,NULL,REMOTE_CODE_LENGTH,MEM_COMMIT,PAGE_EXECUTE_READWRITE
.if eax
mov lpRemoteCode,eax
invoke WriteProcessMemory,hProcess,lpRemoteCode,offset REMOTE_CODE_START, REMOTE_CODE_LENGTH,addr dwTemp
invoke lstrlen,offset lpFileName
add eax,sizeof dword*4
invoke WriteProcessMemory,hProcess,lpRemoteCode,offset lpGetProcAddress, eax,addr dwTemp
mov eax,lpRemoteCode
add eax,offset _RemoteThread-offset REMOTE_CODE_START
invoke CreateRemoteThread,hProcess,NULL,NULL,eax,0,0,NULL
invoke CloseHandle,eax
.endif
invoke CloseHandle,hProcess
.else
invoke MessageBox,NULL,offset szErrOpen,NULL,MB_OK or MB_ICONWARNING
.endif
invoke ExitProcess,NULL
end start
;以上代码提权失败!AdjustTokenPrivileges返回0
;*************************************************************************************/
.386
.model flat,stdcall
option casemap:none
include windows.inc
include kernel32.inc
include user32.inc
include advapi32.inc
;include th32.inc
includelib kernel32.lib
includelib user32.lib
includelib advapi32.lib
includelib th32.lib
.data?
lpGetProcAddress dd ?;需要被写入远程线程的函数
lpGetModuleHandle dd ?
lplstrlen dd ?
lpSleep dd ?
lpFileName db 256 dup (?);写入远程线程的自身文件名,用于写入注册表
lpRemoteCode dd ?;远程线程开辟空间的起始地址
hModule dd ?
hToken dd ?
hProcess dd ?
hToolHelp dd ?
stTkp TOKEN_PRIVILEGES <>;调整权限
stProcess PROCESSENTRY32 <>;查找winlogon进程
dwWinlogon dd ?;winlogon进程号
dwTemp dd ?
.const
szKernelDll db 'kernel32.dll',0
szGetProcAddress db 'GetProcAddress',0
szGetModuleHandle db 'GetModuleHandleA',0
szlstrlen db 'lstrlenA',0
szSleep db 'Sleep',0
szErrOpen db 'Can not open thread',0ah,0dh,0
szDebugName db 'SeDebugPrivilege',0
szWinlogonName db 'winlogon.exe',0
.code
include RemoteThread.asm
start:
;*************************************************************************
;调整当前进程的权限,设置成调试权限,才能打开winlogon
invoke GetCurrentProcess
invoke OpenProcessToken,eax,TOKEN_ADJUST_PRIVILEGES or TOKEN_QUERY,addr hToken
invoke LookupPrivilegeValue,NULL,offset szDebugName,addr stTkp.Privileges[0].Luid
mov stTkp.PrivilegeCount,1
mov stTkp.Privileges[0].Attributes,SE_PRIVILEGE_ENABLED
invoke AdjustTokenPrivileges,hToken,FALSE,addr stTkp,NULL,NULL,NULL
;***************************************************************************
;查找winlogon的进程号
invoke CreateToolhelp32Snapshot,TH32CS_SNAPPROCESS,NULL
mov hToolHelp,eax
mov stProcess.dwSize,sizeof stProcess
invoke Process32First,hToolHelp,addr stProcess
mov ebx,eax
.while ebx==TRUE
mov stProcess.dwSize,sizeof stProcess
invoke Process32Next,hToolHelp,addr stProcess
lea edx,stProcess.szExeFile
invoke lstrcmp,edx,offset szWinlogonName
.if eax==0
push stProcess.th32ProcessID
pop dwWinlogon
.break
.endif
.endw
;***************************************************************************
;打开winlogon进程
;开辟空间
;写入进程数据
invoke OpenProcess,PROCESS_VM_OPERATION or PROCESS_VM_WRITE or PROCESS_CREATE_THREAD,FALSE,dwWinlogon
.if eax
mov hProcess,eax
invoke VirtualAllocEx,hProcess,NULL,REMOTE_CODE_LENGTH,MEM_COMMIT,PAGE_EXECUTE_READWRITE
.if eax
mov lpRemoteCode,eax
invoke WriteProcessMemory,hProcess,lpRemoteCode,offset REMOTE_CODE_START, REMOTE_CODE_LENGTH,addr dwTemp
invoke lstrlen,offset lpFileName
add eax,sizeof dword*4
invoke WriteProcessMemory,hProcess,lpRemoteCode,offset lpGetProcAddress, eax,addr dwTemp
mov eax,lpRemoteCode
add eax,offset _RemoteThread-offset REMOTE_CODE_START
invoke CreateRemoteThread,hProcess,NULL,NULL,eax,0,0,NULL
invoke CloseHandle,eax
.endif
invoke CloseHandle,hProcess
.else
invoke MessageBox,NULL,offset szErrOpen,NULL,MB_OK or MB_ICONWARNING
.endif
invoke ExitProcess,NULL
end start
;以上代码提权成功!AdjustTokenPrivileges返回1
这两段代码,除了红色部分的位置不同,其他全部一样,
如果把那几个变量定义在数据段,没问题,成功了
可是如果把那几个变量定义在代码段,编译后把代码节的属性修改为E0000020,
那么提权就失败了!
更奇怪的是,传入AdjustTokenPrivileges的参数是相同的,地址里的内容也是相同的.
但结果就是不一样,不知道为什么,请各位指点下,先谢谢了!
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
上传的附件: