#include <Windows.h>
#include <tlhelp32.h>
#include <iostream>
#include <string>
// Looks up the PID of a process by image name via a Toolhelp snapshot.
// Returns TRUE and stores the PID in dwPid on a match; returns FALSE and
// leaves dwPid untouched otherwise (defined at the bottom of this file).
BOOL FindProcessPid(LPCSTR ProcessName, DWORD& dwPid);
// Parameter block handed to the injected stub (tfunc). main fills it locally
// and copies the bytes verbatim into the target process, so every field has
// to be meaningful there: plain integers and inline char arrays only, never a
// pointer into the injector's own address space.
struct arg
{
INT64 pLoadLibrary;     // address of kernel32!LoadLibraryA; the stub relies on
                        // kernel32 being mapped at the same base in the target
INT64 pGetProcAddress;  // address of kernel32!GetProcAddress, same caveat
char RAP[20];           // "RtlAdjustPrivilege" (18 chars + NUL fits in 20)
char LL[7];             // "ntdll" (5 chars + NUL fits in 7)
};
// Stub that runs inside the target process. main copies its bytes raw into a
// remote RWX page and starts a thread on it, so it must be self-contained: it
// may touch only its own locals, the arg block it receives, and the two
// kernel32 entry points passed in that block. It loads ntdll through the
// supplied LoadLibraryA, resolves RtlAdjustPrivilege through the supplied
// GetProcAddress, and calls it with Enable=FALSE to drop privilege 0x13
// (SE_SHUTDOWN_PRIVILEGE in winnt.h, consistent with the stated goal of
// blocking shutdown) in the host process.
//
// NOTE(review): the usual reasons a raw-copied function faults or hangs the
// host, all worth checking in the disassembly of this build:
//  - taking &lyp is likely to make MSVC emit a /GS stack-cookie check, which
//    reads __security_cookie through a RIP-relative reference into the
//    injector's image -- that address is not valid in the target. Build the
//    stub with /GS- (and confirm there are no other image-relative references).
//  - Debug builds linked with /INCREMENTAL resolve `tfunc` to a jump thunk, so
//    the bytes main copies are the thunk table rather than the function body.
//  - on x86, RtlAdjustPrivilege is NTAPI (__stdcall); the typedefs below use
//    the default convention and would corrupt the stack on return. The INT64
//    casts in main suggest an x64 build, where this does not apply.
void __stdcall tfunc(arg* pArg)
{
HMODULE hdll;
// Local typedefs so the imported addresses can be called without any
// import-table entry in this function.
typedef HMODULE(*lypLoadLibrary)(LPCSTR);
typedef FARPROC(*lypGetProcAddress)(HMODULE, LPCSTR);
BOOLEAN lyp = 0;   // receives the previous enable state; not read afterwards
lypLoadLibrary OwnLoadLibrary = (lypLoadLibrary)pArg->pLoadLibrary;
lypGetProcAddress OwnGetProcAddress = (lypGetProcAddress)pArg->pGetProcAddress;
if (hdll = OwnLoadLibrary(pArg->LL))
{
typedef int(*lypRtlAdjustPrivilege)(ULONG, BOOLEAN, BOOLEAN, PBOOLEAN);
lypRtlAdjustPrivilege RtlAdjustPrivilege;
RtlAdjustPrivilege = (lypRtlAdjustPrivilege)OwnGetProcAddress(hdll, pArg->RAP);
if (RtlAdjustPrivilege == NULL) return;
// First try the thread token (CurrentThread=TRUE). 0xC000007C is
// STATUS_NO_TOKEN: the remote thread is not impersonating, so fall back to
// the process token (CurrentThread=FALSE). Any other NTSTATUS is ignored.
if (RtlAdjustPrivilege(0x13, FALSE, TRUE, &lyp) == 0x0c000007c)
{
RtlAdjustPrivilege(0x13, FALSE, FALSE, &lyp);
}
}
return;
}
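int main()
{
    // Injects tfunc into explorer.exe and runs it on a remote thread so that
    // the stub can drop SeShutdownPrivilege in that process. Steps: resolve the
    // PID, open the process with only the rights injection needs, allocate an
    // arg block and a code page there, copy both in, run the stub, wait for it,
    // then release the remote memory and handles.
    //
    // Return codes: 0 success; -1/-2 VirtualAllocEx (arg/code) failed;
    // -3/-4 WriteProcessMemory (code/arg) failed; -5 CreateRemoteThread failed;
    // -6 target process not found; -7 OpenProcess failed; -8 kernel32 exports
    // could not be resolved; -9 the remote thread did not finish in time.
    //
    // Fixes over the previous version: FindProcessPid and OpenProcess results
    // are now checked (an unfound process left the PID uninitialized); only
    // sizeof(a) bytes are written for the arg block (it previously read 1024
    // bytes past a ~48-byte stack object); a bounded wait replaces INFINITE so
    // a stuck stub no longer hangs the injector, and the remote pages are freed
    // only once the thread has exited (freeing code under a running thread
    // would crash the host); PROCESS_ALL_ACCESS is narrowed to the rights used.
    const char *targetName = "explorer.exe";
    // Bytes copied starting at tfunc. There is no portable way to get the
    // function's length; this must be large enough to cover its whole body and
    // main still reads memory after it, so it fails (-3) if that is unmapped.
    const SIZE_T stubSize = 4 * 1024;
    // Upper bound on how long the stub may take; it only loads ntdll and makes
    // two calls, so anything near this is a wedged thread, not slow work.
    const DWORD waitMs = 10 * 1000;

    int rc = 0;
    DWORD targetPid = 0;
    DWORD waitResult = WAIT_FAILED;
    HANDLE hTarget = NULL;
    HANDLE hRemoteThread = NULL;
    arg *pRemoteArg = NULL;
    void *pRemoteStub = NULL;
    arg a = {0};

    strcpy_s(a.LL, "ntdll");
    strcpy_s(a.RAP, "RtlAdjustPrivilege");
    // kernel32 is already loaded in every Win32 process; GetModuleHandle avoids
    // bumping its reference count the way an unpaired LoadLibrary did. The stub
    // relies on these addresses being identical in the target process.
    HMODULE hKernel32 = GetModuleHandleA("kernel32.dll");
    if (!hKernel32) return -8;
    a.pLoadLibrary = (INT64)GetProcAddress(hKernel32, "LoadLibraryA");
    a.pGetProcAddress = (INT64)GetProcAddress(hKernel32, "GetProcAddress");
    if (!a.pLoadLibrary || !a.pGetProcAddress) return -8;

    if (!FindProcessPid(targetName, targetPid)) return -6;
    // Least privilege: these are the only rights VirtualAllocEx/
    // WriteProcessMemory/CreateRemoteThread/VirtualFreeEx need.
    hTarget = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
                          PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE,
                          FALSE, targetPid);
    if (!hTarget) return -7;

    pRemoteArg = (arg *)VirtualAllocEx(hTarget, NULL, sizeof(a),
                                       MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (!pRemoteArg) { rc = -1; goto cleanup_memory; }
    pRemoteStub = VirtualAllocEx(hTarget, NULL, stubSize,
                                 MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (!pRemoteStub) { rc = -2; goto cleanup_memory; }

    if (!WriteProcessMemory(hTarget, pRemoteStub, (LPCVOID)tfunc, stubSize, NULL)) {
        rc = -3; goto cleanup_memory;
    }
    if (!WriteProcessMemory(hTarget, pRemoteArg, &a, sizeof(a), NULL)) {
        rc = -4; goto cleanup_memory;
    }

    hRemoteThread = CreateRemoteThread(hTarget, NULL, 0,
                                       (LPTHREAD_START_ROUTINE)pRemoteStub,
                                       pRemoteArg, 0, NULL);
    if (!hRemoteThread) { rc = -5; goto cleanup_memory; }

    waitResult = WaitForSingleObject(hRemoteThread, waitMs);
    if (waitResult != WAIT_OBJECT_0) {
        // The stub is still running (or the wait failed). Do not free the code
        // and arg pages underneath it -- that would turn a hung thread into a
        // crash of the host process. Leak them and report instead.
        std::cerr << "remote thread did not finish (wait=" << waitResult
                  << ", err=" << GetLastError() << "); leaving remote pages mapped\n";
        rc = -9;
        goto cleanup_handles;
    }

cleanup_memory:
    // Reached only when no remote thread is running on these pages.
    if (pRemoteStub) VirtualFreeEx(hTarget, pRemoteStub, 0, MEM_RELEASE);
    if (pRemoteArg) VirtualFreeEx(hTarget, pRemoteArg, 0, MEM_RELEASE);
cleanup_handles:
    if (hRemoteThread) CloseHandle(hRemoteThread);
    CloseHandle(hTarget);
    system("pause");
    return rc;
}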
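BOOL FindProcessPid(LPCSTR ProcessName, DWORD& dwPid)
{
    // Walks a Toolhelp process snapshot and reports the PID of the first
    // process whose image name equals ProcessName.
    //
    // Windows image names are case-insensitive ("Explorer.EXE" and
    // "explorer.exe" are the same process), so the comparison uses _stricmp;
    // the earlier strcmp silently missed such entries.
    //
    // Returns TRUE and stores the PID in dwPid on a match. Returns FALSE and
    // leaves dwPid untouched when ProcessName is NULL, the snapshot cannot be
    // taken or read, or nothing matches -- callers must check the result
    // before using dwPid.
    // Assumes an ANSI build (szExeFile is CHAR[] only when UNICODE is undefined),
    // as the original strcmp did.
    if (!ProcessName) return FALSE;

    HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnap == INVALID_HANDLE_VALUE) return FALSE;

    BOOL found = FALSE;
    PROCESSENTRY32 pe = {0};
    pe.dwSize = sizeof(pe);   // Process32First rejects the call without this
    if (Process32First(hSnap, &pe)) {
        do {
            if (_stricmp(ProcessName, pe.szExeFile) == 0) {
                dwPid = pe.th32ProcessID;
                found = TRUE;
                break;
            }
        } while (Process32Next(hSnap, &pe));
    }

    CloseHandle(hSnap);
    return found;
}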
上面为程序代码,功能是拦截关机操作。在调用 RtlAdjustPrivilege 时会导致注入的目标无响应,求各位大神帮忙看看问题何在?
编译环境vs2017,运行时有uac权限。