本文为看雪论坛优秀文章
看雪论坛作者ID:0346954
#include <Windows.h>#include <iostream>#include <Psapi.h>#include <Tlhelp32.h>#include <sddl.h>#include <Shlwapi.h>using namespace std;#pragma comment (lib,"advapi32.lib")#pragma comment (lib,"Shlwapi.lib")VOID InjectToWinLogon(){PROCESSENTRY32 entry;HANDLE snapshot = NULL, proc = NULL;entry.dwSize = sizeof(PROCESSENTRY32);snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL);INT pid = -1;if (Process32First(snapshot, &entry)){while (Process32Next(snapshot, &entry)){if (wcscmp(entry.szExeFile, L"winlogon.exe") == 0){pid = entry.th32ProcessID;break;}}}CloseHandle(snapshot);if (pid < 0){//puts("[-] Could not find winlogon.exe");return;}proc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);if (proc == NULL){DWORD error = GetLastError();puts("[-] Failed to open process.");printf("error %d\n", error);return;}TCHAR buffDll[MAX_PATH] = { 0 };GetModuleFileName(NULL, buffDll, _countof(buffDll));PathRemoveFileSpec(buffDll);_tcscat_s(buffDll, _countof(buffDll), L"\\DllHookExitWindowsEx.dll");LPVOID buffer = VirtualAllocEx(proc, NULL, sizeof(buffDll), MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);if (buffer == NULL){printf("[-] Failed to allocate remote memory");}if (!WriteProcessMemory(proc, buffer, buffDll, sizeof(buffDll), 0)){puts("[-] Failed to write to remote memory");return;}LPTHREAD_START_ROUTINE start = (LPTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(L"Kernel32.dll"), "LoadLibraryW");HANDLE hthread = CreateRemoteThread(proc, 0, 0, (LPTHREAD_START_ROUTINE)start, buffer, 0, 0);DWORD error = GetLastError();if (hthread == INVALID_HANDLE_VALUE){puts("[-] Failed to create remote thread");return;}}void EnableSeDebugPrivilegePrivilege(){LUID luid;HANDLE currentProc = OpenProcess(PROCESS_ALL_ACCESS, false, GetCurrentProcessId());if (currentProc){HANDLE TokenHandle = NULL;BOOL hProcessToken = OpenProcessToken(currentProc, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &TokenHandle);if (hProcessToken){BOOL checkToken = LookupPrivilegeValue(NULL, L"SeDebugPrivilege", &luid);if (!checkToken){//std::cout << "[+] Current process token already includes SeDebugPrivilege\n" << std::endl;}else{TOKEN_PRIVILEGES tokenPrivs;tokenPrivs.PrivilegeCount = 1;tokenPrivs.Privileges[0].Luid = luid;tokenPrivs.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;BOOL adjustToken = AdjustTokenPrivileges(TokenHandle, FALSE, &tokenPrivs, sizeof(TOKEN_PRIVILEGES), (PTOKEN_PRIVILEGES)NULL, (PDWORD)NULL);if (adjustToken != 0){//std::cout << "[+] Added SeDebugPrivilege to the current process token" << std::endl;}}CloseHandle(TokenHandle);}}CloseHandle(currentProc);}int _tmain(int argc, _TCHAR* argv[]){//开启权限 使之可以注入到syetem进程EnableSeDebugPrivilegePrivilege();//注入dllInjectToWinLogon();getchar();return 0;}
#include <Windows.h>#include <Psapi.h>#include <Tlhelp32.h>#include "warningUser.h"#include <Shlwapi.h>#include <stdlib.h>#include <tchar.h>#pragma comment (lib,"Shlwapi.lib")LPVOID _copyNtShutdownSystem = NULL;LPVOID _ExitWindowsExAddTwoByte = NULL;HMODULE _gloDllModule = NULL;#pragma warning(disable:4996)/*__declspec(naked)*/ void MyExitWindowsEx(){/*__asm{call testMsgBox;jmp _ExitWindowsExAddTwoByte}*/}typedef BOOL(WINAPI* FuncExitWindowsEx)(_In_ UINT uFlags, _In_ DWORD dwReason);FuncExitWindowsEx _OldExitWindowsEx = NULL;HANDLE gloCreateProcessHandle = NULL;BOOL WINAPI IATHookExitWindowsEx(_In_ UINT uFlags, _In_ DWORD dwReason){BOOL bRet = FALSE;static BOOL bNeedWarning = FALSE;//__asm int 3//DebugBreak();/*if (uFlags & 0x200000)//win7 x86可以通过这句来判断是否是第二次调用 通过调试获得的 需要测试{}*/if (bNeedWarning){TCHAR wszProcessName[MAX_PATH] = { 0 };GetModuleFileName(_gloDllModule, wszProcessName, _countof(wszProcessName));PathRemoveFileSpec(wszProcessName);_tcscat_s(wszProcessName, _countof(wszProcessName), L"\\LogOffWillRun.exe");useTokenCreateProcess(gloCreateProcessHandle, wszProcessName);}bRet = _OldExitWindowsEx(uFlags, dwReason);if (bRet){bNeedWarning = TRUE;}return bRet;}//这是 win7 x86上的 Iniline Hookvoid hook_ExitWindowsEx(){HMODULE hUser32 = GetModuleHandle(L"user32.dll");char* pOldExitWindowsEx = (char*)GetProcAddress(hUser32, "ExitWindowsEx");char* pOldAddr = pOldExitWindowsEx;//00540000 8bff mov edi, ediint iLengthCopy = 7;if (NULL != pOldAddr){_copyNtShutdownSystem = VirtualAlloc(0, 1024, MEM_COMMIT, PAGE_EXECUTE_READWRITE);char* pNewAddr = (char*)_copyNtShutdownSystem;char* pnop = pOldAddr - 5; //有5个字节的NOPchar aa = *pOldAddr;char bb = *(pOldAddr+1);if ((char)0x8b == *pOldAddr && (char)0xff == *(pOldAddr+1)){DWORD oldshutdownProtect = 0;if (VirtualProtect(pOldAddr-5, iLengthCopy, PAGE_EXECUTE_READWRITE, &oldshutdownProtect)){//*pOldNtShutdownSyetem = (char)0xe9;//jmp*pOldExitWindowsEx = (char)0xeB;//jmp 短跳转*(UCHAR*)(pOldExitWindowsEx + 1) = (USHORT)(-0x7); //addr*pnop = (char)0xe9;//jmp*(int*)(pnop + 1) = (int)MyExitWindowsEx-(int)(pnop + 5); //addr_ExitWindowsExAddTwoByte = pOldExitWindowsEx + 2;VirtualProtect(pOldAddr-5, iLengthCopy, oldshutdownProtect, NULL);}}}return;}BYTE* getNtHdrs(BYTE* pe_buffer){if (pe_buffer == NULL) return NULL;IMAGE_DOS_HEADER* idh = (IMAGE_DOS_HEADER*)pe_buffer;if (idh->e_magic != IMAGE_DOS_SIGNATURE) {return NULL;}const LONG kMaxOffset = 1024;LONG pe_offset = idh->e_lfanew;if (pe_offset > kMaxOffset) return NULL;IMAGE_NT_HEADERS32* inh = (IMAGE_NT_HEADERS32*)((BYTE*)pe_buffer + pe_offset);if (inh->Signature != IMAGE_NT_SIGNATURE) return NULL;return (BYTE*)inh;}IMAGE_DATA_DIRECTORY* getPeDir(PVOID pe_buffer, size_t dir_id){if (dir_id >= IMAGE_NUMBEROF_DIRECTORY_ENTRIES) return NULL;BYTE* nt_headers = getNtHdrs((BYTE*)pe_buffer);if (nt_headers == NULL) return NULL;IMAGE_DATA_DIRECTORY* peDir = NULL;IMAGE_NT_HEADERS* nt_header = (IMAGE_NT_HEADERS*)nt_headers;peDir = &(nt_header->OptionalHeader.DataDirectory[dir_id]);if (peDir->VirtualAddress == NULL) {return NULL;}return peDir;}bool FixDelayIATHook(PVOID modulePtr){IMAGE_DATA_DIRECTORY* importsDir = getPeDir(modulePtr, IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT);if (importsDir == NULL) return false;size_t maxSize = importsDir->Size;size_t impAddr = importsDir->VirtualAddress;IMAGE_DELAYLOAD_DESCRIPTOR* lib_desc = NULL;size_t parsedSize = 0;bool bFound = TRUE;size_t addrExitWindowsEx = (size_t)GetProcAddress(GetModuleHandle(L"User32"), "ExitWindowsEx");for (; parsedSize < maxSize; parsedSize += sizeof(IMAGE_DELAYLOAD_DESCRIPTOR)) {lib_desc = (IMAGE_DELAYLOAD_DESCRIPTOR*)(impAddr + parsedSize + (ULONG_PTR)modulePtr);if (lib_desc->ImportAddressTableRVA == NULL && lib_desc->ImportNameTableRVA == NULL) break;LPSTR lib_name = (LPSTR)((ULONGLONG)modulePtr + lib_desc->DllNameRVA);size_t call_via = lib_desc->ImportAddressTableRVA;size_t thunk_addr = lib_desc->ImportNameTableRVA;if (thunk_addr == NULL) thunk_addr = lib_desc->ImportAddressTableRVA;size_t offsetField = 0;size_t offsetThunk = 0;for (;; offsetField += sizeof(IMAGE_THUNK_DATA), offsetThunk += sizeof(IMAGE_THUNK_DATA)){IMAGE_THUNK_DATA* fieldThunk = (IMAGE_THUNK_DATA*)(size_t(modulePtr) + offsetField + call_via);IMAGE_THUNK_DATA* orginThunk = (IMAGE_THUNK_DATA*)(size_t(modulePtr) + offsetThunk + thunk_addr);if (0 == fieldThunk->u1.Function && 0 == orginThunk->u1.Function){break;}PIMAGE_IMPORT_BY_NAME by_name = NULL;LPSTR func_name = NULL;size_t addrOld = NULL;if (orginThunk->u1.Ordinal & IMAGE_ORDINAL_FLAG32 || orginThunk->u1.Ordinal & IMAGE_ORDINAL_FLAG64) // check if using ordinal (both x86 && x64){addrOld = (size_t)GetProcAddress(LoadLibraryA(lib_name), (char*)(orginThunk->u1.Ordinal & 0xFFFF));//通过序号也可以获取到 获取低两个字节 也可以获取到函数地址//printf(" [V] API %x at %x\n", orginThunk->u1.Ordinal, addr);//fieldThunk->u1.Function = addr;continue;}else{by_name = (PIMAGE_IMPORT_BY_NAME)(size_t(modulePtr) + orginThunk->u1.AddressOfData);func_name = (LPSTR)by_name->Name;addrOld = (size_t)GetProcAddress(LoadLibraryA(lib_name), func_name);}//printf(" [V] API %s at %x\n", func_name, addr);OutputDebugStringA("\r\n");OutputDebugStringA(func_name);//HOOKif (strcmpi(func_name, "ExitWindowsEx") == 0){//DebugBreak();DWORD dOldProtect = 0;size_t* pFuncAddr = (size_t*)&fieldThunk->u1.Function;if (VirtualProtect(pFuncAddr, sizeof(size_t), PAGE_EXECUTE_READWRITE, &dOldProtect)){fieldThunk->u1.Function = (size_t)IATHookExitWindowsEx;VirtualProtect(pFuncAddr, sizeof(size_t), dOldProtect, &dOldProtect);_OldExitWindowsEx = (FuncExitWindowsEx)addrExitWindowsEx;bFound = true;return bFound;}break;}}}return true;}bool FixIATHook(PVOID modulePtr){IMAGE_DATA_DIRECTORY* importsDir = getPeDir(modulePtr, IMAGE_DIRECTORY_ENTRY_IMPORT);if (importsDir == NULL) return false;size_t maxSize = importsDir->Size;size_t impAddr = importsDir->VirtualAddress;IMAGE_IMPORT_DESCRIPTOR* lib_desc = NULL;size_t parsedSize = 0;bool bFound = TRUE;size_t addrExitWindowsEx = (size_t)GetProcAddress(GetModuleHandle(L"User32"), "ExitWindowsEx");for (; parsedSize < maxSize; parsedSize += sizeof(IMAGE_IMPORT_DESCRIPTOR)) {lib_desc = (IMAGE_IMPORT_DESCRIPTOR*)(impAddr + parsedSize + (ULONG_PTR)modulePtr);if (lib_desc->OriginalFirstThunk == NULL && lib_desc->FirstThunk == NULL)break;LPSTR lib_name = (LPSTR)((size_t)modulePtr + lib_desc->Name);size_t call_via = lib_desc->FirstThunk;size_t thunk_addr = lib_desc->OriginalFirstThunk;if (thunk_addr == NULL)thunk_addr = lib_desc->FirstThunk;size_t offsetField = 0;size_t offsetThunk = 0;for (;; offsetField += sizeof(IMAGE_THUNK_DATA), offsetThunk += sizeof(IMAGE_THUNK_DATA)){IMAGE_THUNK_DATA* fieldThunk = (IMAGE_THUNK_DATA*)(size_t(modulePtr) + offsetField + call_via);IMAGE_THUNK_DATA* orginThunk = (IMAGE_THUNK_DATA*)(size_t(modulePtr) + offsetThunk + thunk_addr);if (0 == fieldThunk->u1.Function && 0 == orginThunk->u1.Function){break;}PIMAGE_IMPORT_BY_NAME by_name = NULL;LPSTR func_name = NULL;size_t addrOld = NULL;if (orginThunk->u1.Ordinal & IMAGE_ORDINAL_FLAG32 || orginThunk->u1.Ordinal & IMAGE_ORDINAL_FLAG64) // check if using ordinal (both x86 && x64){addrOld = (size_t)GetProcAddress(LoadLibraryA(lib_name), (char*)(orginThunk->u1.Ordinal & 0xFFFF));//通过序号?//printf(" [V] API %x at %x\n", orginThunk->u1.Ordinal, addr);//fieldThunk->u1.Function = addr;//DebugBreak();continue;}else{by_name = (PIMAGE_IMPORT_BY_NAME)(size_t(modulePtr) + orginThunk->u1.AddressOfData);func_name = (LPSTR)by_name->Name;addrOld = (size_t)GetProcAddress(LoadLibraryA(lib_name), func_name);}//printf(" [V] API %s at %x\n", func_name, addr);OutputDebugStringA("\r\n");OutputDebugStringA(func_name);//HOOKif (strcmpi(func_name, "ExitWindowsEx") == 0){//DebugBreak();DWORD dOldProtect = 0;size_t* pFuncAddr = (size_t*)&fieldThunk->u1.Function;if (VirtualProtect(pFuncAddr, sizeof(size_t), PAGE_EXECUTE_READWRITE, &dOldProtect)){fieldThunk->u1.Function = (size_t)IATHookExitWindowsEx;VirtualProtect(pFuncAddr, sizeof(size_t), dOldProtect, &dOldProtect);_OldExitWindowsEx = (FuncExitWindowsEx)addrExitWindowsEx;bFound = true;return bFound;}}}}return true;}BOOL APIENTRY DllMain( HMODULE hModule,DWORD ul_reason_for_call,LPVOID lpReserved){switch (ul_reason_for_call){case DLL_PROCESS_ATTACH:{//DebugBreak();_gloDllModule = hModule;gloCreateProcessHandle = getMediumProcessToken();HMODULE exeModule = GetModuleHandle(NULL);FixIATHook(exeModule);FixDelayIATHook(exeModule);break;}case DLL_THREAD_ATTACH:case DLL_THREAD_DETACH:case DLL_PROCESS_DETACH:{if (gloCreateProcessHandle != NULL){CloseHandle(gloCreateProcessHandle);gloCreateProcessHandle = NULL;}}break;}return TRUE;}
HANDLE getMediumProcessToken();void useTokenCreateProcess(HANDLE hToken, TCHAR* szProcessName);
#include "warningUser.h"#include <Windows.h>#include <sddl.h>#include <tchar.h>#include <Shlwapi.h>#include <stdlib.h>#pragma comment(lib, "Advapi32.lib")#pragma comment (lib,"Shlwapi.lib")HANDLE getMediumProcessToken(){WCHAR* wszIntegritySid = L"S-1-16-8192";//CreateIntegritySidProcess(L"S-1-16-4096");//low权限进程//CreateIntegritySidProcess(L"S-1-16-8192");//medium权限进程//CreateIntegritySidProcess(L"S-1-16-12288");//high权限进程//CreateIntegritySidProcess(L"S-1-16-16384");//system权限进程HANDLE mediumToken = NULL;HANDLE hToken = NULL;HANDLE hNewToken = NULL;PSID pIntegritySid = NULL;TOKEN_MANDATORY_LABEL TIL = { 0 };__try{if (FALSE == OpenProcessToken(GetCurrentProcess(), MAXIMUM_ALLOWED, &hToken)){__leave;}if (FALSE == DuplicateTokenEx(hToken, MAXIMUM_ALLOWED, NULL,SecurityImpersonation, TokenPrimary, &hNewToken)){__leave;}if (FALSE == ConvertStringSidToSid(wszIntegritySid, &pIntegritySid)){__leave;}TIL.Label.Attributes = SE_GROUP_INTEGRITY;TIL.Label.Sid = pIntegritySid;// Set the process integrity levelif (FALSE == SetTokenInformation(hNewToken, TokenIntegrityLevel, &TIL,sizeof(TOKEN_MANDATORY_LABEL)+GetLengthSid(pIntegritySid))){__leave;}mediumToken = hNewToken;}__finally{if (NULL != pIntegritySid){LocalFree(pIntegritySid);pIntegritySid = NULL;}if (NULL != hToken){CloseHandle(hToken);hToken = NULL;}}return mediumToken;}void useTokenCreateProcess(HANDLE hToken, TCHAR* szProcessName){//LogOffWillRun//WCHAR wszProcessName[MAX_PATH] = L"C:\\Windows\\System32\\CMD.exe";PROCESS_INFORMATION ProcInfo = { 0 };STARTUPINFO StartupInfo = { 0 };StartupInfo.cb = sizeof(STARTUPINFO);//si.dwXSize = 120;//StartupInfo.lpDesktop = L"WinSta0\\Default";StartupInfo.lpDesktop = L"WinSta0\\winlogon";StartupInfo.dwFlags = STARTF_USESHOWWINDOW;StartupInfo.wShowWindow = SW_SHOWNORMAL;BOOL bRet = CreateProcessAsUser(hToken, NULL,szProcessName, NULL, NULL, FALSE,0, NULL, NULL, &StartupInfo, &ProcInfo);if (bRet){WaitForSingleObject(ProcInfo.hProcess, INFINITE);}if (ProcInfo.hProcess){CloseHandle(ProcInfo.hProcess);ProcInfo.hProcess = NULL;}if (ProcInfo.hThread){CloseHandle(ProcInfo.hThread);ProcInfo.hThread = NULL;}}
#include <Windows.h>#pragma comment(lib, "User32.lib")int _tmain(int argc, _TCHAR* argv[]){MessageBox(GetConsoleWindow(), _TEXT("调用了ExitWindowsEx进行关机或者注销"), _TEXT("提示"), MB_OK);return 0;}
if (bNeedWarning){MessageBox(NULL, _TEXT("弹框提示"), _TEXT("提示"), MB_OK);}
如果是通过启动一个新进程的方式,优点是更加灵活,自己编写新进程,不需要修改DLL。
看雪ID:0346954
https://bbs.pediy.com/user-home-762319.htm
# 往期推荐
球分享
球点赞
球在看
点击“阅读原文”,了解更多!
文章来源: http://mp.weixin.qq.com/s?__biz=MjM5NTc2MDYxMw==&mid=2458498692&idx=2&sn=8b60d605528f4f16b9b4c6b95327526d&chksm=b18e860e86f90f18a4a150e64707345411a67092579011bfa05c5d3ec3cb651dd159f47eb946#rd
如有侵权请联系:admin#unsafe.sh
如有侵权请联系:admin#unsafe.sh