RtlAdjustPrivilege() 提权函数

最新推荐文章于 2024-02-11 10:42:52 发布

mmmsss987

最新推荐文章于 2024-02-11 10:42:52 发布

阅读量3.9k

点赞数 1

原文链接：https://www.jianshu.com/p/0ab0349aa9ce

版权

RtlAdjustPrivilege(SE_DEBUG_NAME,1,0,NULL);

这玩意是在 NTDLL.DLL 里的一个不为人知的函数,MS没有公开,原因就是这玩意实在是太NB了,以至于不需要任何其他函数的帮助,仅凭这一个函数就可以获得进程ACL的任意权限!

先来看看这个函数的定义(Winehq给出)：
NTSTATUS RtlAdjustPrivilege
(
ULONG Privilege,
BOOLEAN Enable,
BOOLEAN CurrentThread,
PBOOLEAN Enabled
)

参数的含义：
Privilege [In] Privilege index to change.
// 所需要的权限名称，可以到 MSDN 查找关于 Process Token & Privilege 内容可以查到

Enable [In] If TRUE, then enable the privilege otherwise disable.
// 如果为True 就是打开相应权限，如果为False 则是关闭相应权限

CurrentThread [In] If TRUE, then enable in calling thread, otherwise process.
// 如果为True 则仅提升当前线程权限，否则提升整个进程的权限

Enabled [Out] Whether privilege was previously enabled or disabled.

权限ID对应表
1.SeCreateTokenPrivilege 0x2
2.SeAssignPrimaryTokenPrivilege 0x3
3.SeLockMemoryPrivilege 0x4
4.SeIncreaseQuotaPrivilege 0x5
5.SeUnsolicitedInputPrivilege 0x0
6.SeMachineAccountPrivilege 0x6
7.SeTcbPrivilege 0x7
8.SeSecurityPrivilege 0x8
9.SeTakeOwnershipPrivilege 0x9
10.SeLoadDriverPrivilege 0xa
11.SeSystemProfilePrivilege 0xb
12.SeSystemtimePrivilege 0xc
13.SeProfileSingleProcessPrivilege 0xd
14.SeIncreaseBasePriorityPrivilege 0xe
15.SeCreatePagefilePrivilege 0xf
16.SeCreatePermanentPrivilege 0x10
17.SeBackupPrivilege 0x11
18.SeRestorePrivilege 0x12
19.SeShutdownPrivilege 0x13
20.SeDebugPrivilege 0x14
21.SeAuditPrivilege 0x15
22.SeSystemEnvironmentPrivilege 0x16
23.SeChangeNotifyPrivilege 0x17
24.SeRemoteShutdownPrivilege 0x18
25.SeUndockPrivilege 0x19
26.SeSyncAgentPrivilege 0x1a
27.SeEnableDelegationPrivilege 0x1b
28.SeManageVolumePrivilege 0x1c
29.SeImpersonatePrivilege 0x1d
30.SeCreateGlobalPrivilege 0x1e
31.SeTrustedCredManAccessPrivilege 0x1f
32.SeRelabelPrivilege 0x20
33.SeIncreaseWorkingSetPrivilege 0x21
34.SeTimeZonePrivilege 0x22
35.SeCreateSymbolicLinkPrivilege 0x23

使用重点

HMODULE hDll = ::LoadLibrary("ntdll.dll");
typedef int (* type_RtlAdjustPrivilege)(int, bool, bool, int*);
type_RtlAdjustPrivilege RtlAdjustPrivilege = (type_RtlAdjustPrivilege)GetProcAddress(hDll, "RtlAdjustPrivilege");
RtlAdjustPrivilege(SE_SHUTDOWN_PRIVILEGE, true, true, &nEn);

瞬间关机代码VC++

#include <windows.h>

const unsigned int SE_SHUTDOWN_PRIVILEGE = 0x13;

int main()
{
HMODULE hDll = ::LoadLibrary("ntdll.dll");
typedef int (* type_RtlAdjustPrivilege)(int, bool, bool, int*);
typedef int (* type_ZwShutdownSystem)(int);
type_RtlAdjustPrivilege RtlAdjustPrivilege = (type_RtlAdjustPrivilege)GetProcAddress(hDll, "RtlAdjustPrivilege");
type_ZwShutdownSystem ZwShutdownSystem = (type_ZwShutdownSystem)GetProcAddress(hDll, "ZwShutdownSystem");
int nEn = 0;
int nResult = RtlAdjustPrivilege(SE_SHUTDOWN_PRIVILEGE, true, true, &nEn);
if(nResult == 0x0c000007c)
{
nResult = RtlAdjustPrivilege(SE_SHUTDOWN_PRIVILEGE, true, false, &nEn);
}
nResult = ZwShutdownSystem(2);
FreeLibrary(hDll);
return 0;

}

关于返回值也需要特别说明下：实验了下提权成功了但是返回值还是NULL 如果这个时候验证返回值将不准确了所以成功与否还是只能看后边的打开进程是否成功

作者：HAPPYers
链接：https://www.jianshu.com/p/0ab0349aa9ce
来源：简书
著作权归作者所有。商业转载请联系作者获得授权，非商业转载请注明出处。