-
-
[囧]Ring3下把Windows XP SP2 弄蓝了……
-
发表于: 2008-10-5 22:12
-
原来只是在学习插APC远程LoadLibrary,结果蓝了
我以为是我很久没有扶老奶奶过马路的原因,于是又运行了一次,又蓝了
暴力了些,只是因为懒,结果Windows也懒……
// LoadDllByApc.cpp : Defines the entry point for the console application.
//
#include "stdafx.h"
#define STR_TDLL_DLL 0x7C8807F5
int main(int argc, char* argv[])
{
HANDLE hThread;
HANDLE hSnap;
ULONG lLastPid=0;
THREADENTRY32 te;
te.dwSize=sizeof(THREADENTRY32);
hSnap=CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD,0);
Thread32First(hSnap,&te);
while(Thread32Next(hSnap,&te))
{
if (lLastPid!=te.th32OwnerProcessID)
{
if((hThread=OpenThread(THREAD_SET_CONTEXT,FALSE,te.th32ThreadID))!=NULL)
{
ZwQueueApcThread(hThread,(PNormApcRoutine)LoadLibraryExA,STR_TDLL_DLL,0,0);
CloseHandle(hThread);
}
}
}
CloseHandle(hSnap);
return 0;
}
附上CrashDump。
希望能把牛都引出来,看看怎么回事。
说不定又有什么妙用……
我以为是我很久没有扶老奶奶过马路的原因,于是又运行了一次,又蓝了
暴力了些,只是因为懒,结果Windows也懒……
// LoadDllByApc.cpp : Defines the entry point for the console application.
//
#include "stdafx.h"
#define STR_TDLL_DLL 0x7C8807F5
int main(int argc, char* argv[])
{
HANDLE hThread;
HANDLE hSnap;
ULONG lLastPid=0;
THREADENTRY32 te;
te.dwSize=sizeof(THREADENTRY32);
hSnap=CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD,0);
Thread32First(hSnap,&te);
while(Thread32Next(hSnap,&te))
{
if (lLastPid!=te.th32OwnerProcessID)
{
if((hThread=OpenThread(THREAD_SET_CONTEXT,FALSE,te.th32ThreadID))!=NULL)
{
ZwQueueApcThread(hThread,(PNormApcRoutine)LoadLibraryExA,STR_TDLL_DLL,0,0);
CloseHandle(hThread);
}
}
}
CloseHandle(hSnap);
return 0;
}
附上CrashDump。
希望能把牛都引出来,看看怎么回事。
说不定又有什么妙用……
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
|
|
|---|---|
|
|
|
|
|
应该是
不过Ring3怎么能插到Ring0线程里? 我就怀疑这一点是不是能利用一下 还有,不知道为什么,往svchost里面插可以成功,但是notepad就不行 难道这东西是专门给干坏事的人准备的? 
|
|
|
|
|
|
确实 QueueUserAPC 也可以....囧,我刚按楼主的思路写了个程序,SP3也蓝了。
做法是反复调用 QueueUserAPC() 直到蓝屏  平时QueueUserAPC() 返回false,连续来几次就出问题 ,搞不懂啊...完整代码如下: program APC_Blue;
uses
Windows, SysUtils, TlHelp32;
{$APPTYPE CONSOLE}
const
THREAD_ALL_ACCESS = (STANDARD_RIGHTS_REQUIRED or SYNCHRONIZE or $3FF);
dllName: AnsiString = '随便写点什么,反正会出错.dll';
type
NTSTATUS = LongInt;
PVOID = Pointer;
PKNORMAL_ROUTINE = procedure (NormalContext, SystemArgument1, SystemArgument2: PVOID); stdcall;
function OpenThread(dwDesiredAccess: DWORD; bInheritHandle: BOOL;
dwThreadId: DWORD): THANDLE; stdcall; external kernel32 name 'OpenThread';
// 提升权限
function EnabledDebugPrivilege(const bEnabled: Boolean): Boolean;
var
hToken: THandle;
tp: TOKEN_PRIVILEGES;
a: DWORD;
const
SE_DEBUG_NAME = 'SeDebugPrivilege';
begin
Result := False;
if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, hToken)) then
begin
tp.PrivilegeCount := 1;
LookupPrivilegeValue(nil, SE_DEBUG_NAME, tp.Privileges[0].Luid);
if bEnabled then
tp.Privileges[0].Attributes := SE_PRIVILEGE_ENABLED
else
tp.Privileges[0].Attributes := 0;
a := 0;
AdjustTokenPrivileges(hToken, False, tp, SizeOf(tp), nil, a);
Result := GetLastError = ERROR_SUCCESS;
CloseHandle(hToken);
end;
end;
var
hThread, hSnap: THandle;
lcPID: ULong;
thdEntry: TThreadEntry32;
pStrDll: PAnsiChar;
tmpStr: String;
begin
EnabledDebugPrivilege(True);
lcPID := GetCurrentProcessId();
// 用Apc插入DLL
thdEntry.dwSize := SizeOf(TThreadEntry32);
hSnap := CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
WriteLn(Format('wait a few minutes...', [lcPID]));
try
if Thread32First(hSnap, thdEntry) then
while (Thread32Next(hSnap, thdEntry)) do
begin
if (lcPID <> thdEntry.th32OwnerProcessID) then
begin
WriteLn(Format('Lock Thread on Process[%4d], OpenThread()...', [lcPID]));
hThread := OpenThread(THREAD_ALL_ACCESS, False, thdEntry.th32ThreadID);
if hThread <> 0 then
begin
WriteLn(Format(' OpenThread() = %d, Ready for QueueUserAPC()...', [hThread]));
pStrDll := PAnsiChar(dllName);
QueueUserAPC(@LoadLibraryA, hThread, DWORD(pStrDll));
// QueueUserAPC 反复执行几次(一般返回的是False),然后就蓝屏了
CloseHandle(hThread);
end;
end;
end;
except on E: Exception do
// 里面直接蓝了,根本到不了这里
WriteLn('ERROR: ' + E.Message);
end;
CloseHandle(hSnap);
ReadLn;
end.附带编译好的程序和工程文件。 |
|
|
|
|
|
|
