参考了论坛中 combojiang 大虾的一段代码
见 http://bbs.pediy.com/showthread.php?t=62020&highlight=Rootkit
我翻译成 Delphi 后执行 提示没有特权
调试了大虾的Demo 好像也使用了 驱动,既然题目叫直接访问硬件,为什么还要用驱动呢?
既然能用驱动 又何必饶这么大的一个弯子呢?迷惘中,有可能是我代码翻译错误,特意贴出来供大家指正
unit EnableIO;
interface
uses
Windows, SysUtils,JwaNtSecApi,JwaWinNT;
function EnableProcPrivilege:Boolean;
function EnableUserModeHardwareIO:Boolean;
function ZwSetInformationProcess(cs1:THandle;cs2:ULONG;cs3:Pointer;cs4:ULONG):ULONG;stdcall;external 'ntdll.dll';
implementation
function EnablePrivilege(Privilege:PChar):Boolean;
var
Rc:Boolean;
hToken:THandle;
luid:Int64;
tokenPrivilege:windows.TOKEN_PRIVILEGES;
dwProcID:DWORD;
hProc:THandle;
a: DWORD;
begin
dwProcID:=GetCurrentProcessId;
hProc:=OpenProcess(PROCESS_ALL_ACCESS,FALSE,dwProcID);
//
// Open the current process' token.
//
rc:=OpenProcessToken(
GetCurrentProcess,
TOKEN_ADJUST_PRIVILEGES or TOKEN_QUERY,
hToken);
if rc then
begin
rc:=LookupPrivilegeValue(nil, Privilege, luid);
if rc then
begin
tokenPrivilege.PrivilegeCount:=1;
tokenPrivilege.Privileges[0].Luid:=luid;
tokenPrivilege.Privileges[0].Attributes:=SE_PRIVILEGE_ENABLED;
//
// Assign the given privilege.
//
a:=0;
rc:=AdjustTokenPrivileges(
hToken,
FALSE,
tokenPrivilege,
sizeof(tokenPrivilege),
nil,
a);
end;
end;
if Boolean(hToken) then CloseHandle(hToken);
if Boolean(hProc) then CloseHandle(hProc);
Result:=Rc;
end;
function EnableProcPrivilege:Boolean;
var
rc:Boolean;
PolicyHandle:LSA_HANDLE;
Sid:array[0..499] of Char;
cbSid:DWORD;
ReferencedDomainName:array[0..99] of Char;
cbReferencedDomainName:DWORD;
peUse:DWORD;
UserRights:PLSA_UNICODE_STRING;
Count:DWORD;
token:THandle;
TokenInformation:PTOKEN_PRIVILEGES;
owned:Boolean;
osv:Windows._OSVERSIONINFOA;
username:array[0..29] of Char;
cb:DWORD;
ObjectAttributes:LSA_OBJECT_ATTRIBUTES;
begin
rc:=True;
cb:=30;
ZeroMemory(@ObjectAttributes,sizeof(ObjectAttributes));
ZeroMemory(@osv,sizeof(osv));
osv.dwOSVersionInfoSize:=sizeof(osv);
//
//判断当前系统是否为nt及以上
//
GetVersionEx(osv);
if not (Boolean(osv.dwPlatformId) and Boolean(VER_PLATFORM_WIN32_NT)) then rc:=False;
//
// 判断当前用户是否为administrator
//
GetUserName(username,cb);
if username<>'administrator' then rc:=False;
//
//First open LSA policy database
//the call returns a NTSTATUS. NTSTATUS 0 means everything is OK.
//
if
boolean(LsaOpenPolicy(
nil,
ObjectAttributes,
GENERIC_EXECUTE or GENERIC_READ or GENERIC_WRITE,
PolicyHandle
))
then
begin
rc:=False;
end;
cbSid:=500;
cbReferencedDomainName:=100;
//
//Show Administrator SID
//
if not LookupAccountName(
nil,
'Administrator',
@sid,
cbSid,
@ReferencedDomainName,
cbReferencedDomainName,
peUse
)
then
begin
rc:=False;
end;
new(UserRights);
UserRights.Buffer:='SeTcbPrivilege';
UserRights.MaximumLength:=28;
UserRights.Length:=28;
if boolean(LsaAddAccountRights(
PolicyHandle,
@sid,
UserRights,
1
))
then
begin
rc:=False;
end;
if boolean(PolicyHandle) then
LsaClose(PolicyHandle);
rc:=EnablePrivilege(SE_TCB_NAME);
Result:=rc;
end;
function EnableUserModeHardwareIO:Boolean;
var
rc:Boolean;
dwProcessID:DWORD;
hProc:DWORD;
ProcessUserModeIOPL:Integer;
IOPL:ULONG;
begin
IOPL:=1;
ProcessUserModeIOPL:=16;
dwProcessID:=GetCurrentProcessId;
hProc:=OpenProcess(PROCESS_ALL_ACCESS,TRUE,dwProcessID);
rc:=EnableProcPrivilege;
if rc then
begin
rc:=boolean(ZwSetInformationProcess(
hProc,
ProcessUserModeIOPL,
@IOPL,
sizeof(IOPL)
));
if not rc then rc:=True;
end;
Result:=rc;
end;
end.
调用如下
procedure TForm1.Button1Click(Sender: TObject);
begin
if EnableUserModeHardwareIO then
begin
asm
mov dx, $64
mov al, $FE
out dx, al
end;
end;
end;
[培训]《安卓高级研修班(网课)》月薪三万计划,掌握调试、分析还原ollvm、vmp的方法,定制art虚拟机自动化脱壳的方法