不知道啥时候写的 用线程注入的方法得到system权限 配合pskill应该可以杀掉一些病毒的进程 呵呵
简单帖下代码吧
; Target: 32-bit x86, flat memory model, stdcall default convention,
; Win32 PE assembled with the masm32 package (MASM syntax, Intel operand order).
.386
.model flat, stdcall
option casemap :none                    ; symbol names are case-sensitive
include windows.inc
include kernel32.inc
include advapi32.inc
include user32.inc
include masm32.inc
include _cmdline.asm ; from Luo Yunbin's book "32-bit Assembly Programming under Windows"; presumably supplies _argc/_argv used in _getopt
includelib kernel32.lib
includelib advapi32.lib
includelib user32.lib
includelib masm32.lib
include macro.asm                       ; presumably the masm32 macro set (CTXT is used below)
; forward prototypes for the procedures defined after `start`
_EnablePrivilege proto :DWORD,:DWORD
_GetPidFromProcName proto :DWORD
_getopt proto par:DWORD
; the next two macros come from Luo Yunbin's book "32-bit Assembly Programming under Windows"
;-----------------------------------------------------------------------
; reverseArgs arglist  (macro function)
; Returns the same comma-separated argument list as a text equate, in
; reverse order.  Used by _invoke so the arguments can be pushed
; right-to-left.  An empty list yields an empty equate.
;-----------------------------------------------------------------------
reverseArgs macro arglist:VARARG
local txt,count
txt TEXTEQU <>                          ; reversed list accumulated here
count = 0
for i,<arglist>
count = count + 1
txt TEXTEQU @CatStr(i,<!,>,<%txt>)      ; prepend "i," so earlier args end up last
endm
if count GT 0
txt SUBSTR txt,1,@SizeStr(%txt)-1       ; drop the trailing comma left by the last prepend
endif
exitm txt
endm
;-----------------------------------------------------------------------
; _invoke _Proc, args...
; Calls through an arbitrary DWORD memory operand (used below with
; ebx-relative slots that hold API addresses).  Pushes args right-to-left
; via reverseArgs, then `call DWORD ptr _Proc`.  There is no stack
; clean-up after the call, so the callee must be stdcall (Win32 API).
; `count` is maintained but never used.
;-----------------------------------------------------------------------
_invoke macro _Proc,args:VARARG
local count
count = 0
% for i,< reverseArgs( args ) >
count = count + 1
push i
endm
call DWORD ptr _Proc
endm
.data?
g_hProcess dd ?                         ; handle of the target process (from OpenProcess in start)
g_lpRemoteCode dd ?                     ; base of the block allocated in the target (VirtualAllocEx)
.code
; Everything from Remote_code_start to Remote_code_end is copied verbatim
; into the target process (WriteProcessMemory in start), so the pointers
; and buffers below sit next to the code that uses them and are addressed
; ebx-relative from _RemoteThread.  The layout is load-bearing: do not
; reorder or insert anything between the two markers.
; NOTE(review): these are `?` items in `.code`; whether they are writable
; at run time (they are stored to from start and _getopt) depends on the
; section attributes chosen at link time — confirm.
Remote_code_start equ this BYTE
g_lpGetModuleHandleA dd ?               ; filled by start before the copy
g_lpGetProcAddress dd ?                 ; filled by start before the copy
g_szKernel32 db "Kernel32.dll",0
g_szCreateProcessA db "CreateProcessA",0
g_lpCreateProcessA dd ?                 ; resolved inside the target by _RemoteThread
g_szprocessname db 128 dup(?)           ; command line to launch; filled by _getopt (128 matches its _argv length)
g_szDesktop db "WinSta0\Default",0      ; becomes STARTUPINFO.lpDesktop in _RemoteThread
g_stStartupInfo STARTUPINFO <?>         ; only cb and lpDesktop are set by _RemoteThread
g_procinfo PROCESS_INFORMATION <?>      ; output of CreateProcessA; its handles are never closed
g_out db 128 dup(?)                     ; scratch for the usage text in _getopt; copied along although only used locally
;-----------------------------------------------------------------------
; _RemoteThread — body of the thread started in the target process.
; Position-independent by construction: ebx is taken from the call/pop at
; `delta`, and every data reference is `[ebx + (sym - delta)]`, so the
; block works wherever it was copied to.  Resolves CreateProcessA through
; the two pointers the injecting process stored in the block, then
; launches g_szprocessname on the "WinSta0\Default" desktop.
; Requires: g_lpGetModuleHandleA / g_lpGetProcAddress already filled in.
; Clobbers: none (pushad/popad).  No error checking anywhere; the
; CreateProcessA result is discarded.
; `ret` rather than `ret 4` for a one-parameter thread routine — harmless
; here since the thread ends on return.
;-----------------------------------------------------------------------
_RemoteThread proc
pushad                                  ; preserve every GPR
call delta
delta:
pop ebx                                 ; ebx = run-time address of `delta`
lea eax, [ebx+(g_szKernel32-delta)]
_invoke [ebx+(g_lpGetModuleHandleA-delta)], eax   ; eax = GetModuleHandleA("Kernel32.dll")
mov esi, eax                            ; esi = hKernel32 (esi restored by popad)
lea eax, [ebx+(g_szCreateProcessA-delta)]
_invoke [ebx+(g_lpGetProcAddress-delta)], esi, eax   ; eax = GetProcAddress(hKernel32, "CreateProcessA")
mov [ebx+(g_lpCreateProcessA-delta)], eax   ; not checked for NULL before it is called below
lea eax, [ebx+(g_szDesktop-delta)]
lea ecx, [ebx+(g_stStartupInfo-delta)]  ; ecx = &si
mov DWORD ptr [ecx], sizeof g_stStartupInfo   ; si.cb
mov DWORD ptr [ecx+8], eax              ; si.lpDesktop = "WinSta0\Default"; other fields are not explicitly cleared here
lea eax, [ebx+(g_szprocessname-delta)]  ; lpCommandLine
lea edx, [ebx+(g_procinfo-delta)]       ; edx = &pi
; CreateProcessA(NULL, cmdline, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi)
; return value discarded; the handles written to g_procinfo are never closed
_invoke [ebx+(g_lpCreateProcessA-delta)], 0, eax, 0, 0, 0, 0, 0, 0, ecx, edx
popad
ret
_RemoteThread endp
Remote_code_end equ this BYTE           ; end of the copied block (exclusive)
Remote_code_length equ offset Remote_code_end - offset Remote_code_start   ; bytes allocated and copied in start
;-----------------------------------------------------------------------
; Entry point.  Resolves the two imports the copied block needs, enables
; SeDebugPrivilege, then writes Remote_code_start..Remote_code_end into
; winlogon.exe and starts _RemoteThread there.  No error is reported:
; every failure path simply falls through to ExitProcess.
; Defender note: the sequence below (SeDebugPrivilege -> OpenProcess on
; winlogon.exe with PROCESS_VM_WRITE -> VirtualAllocEx PAGE_EXECUTE_READWRITE
; -> WriteProcessMemory -> CreateRemoteThread) is the textbook remote-thread
; injection chain that Sysmon (Event ID 8) and EDR products alert on.
;-----------------------------------------------------------------------
start:
invoke _getopt,offset g_szprocessname   ; argv[1] -> g_szprocessname, or print usage and exit
invoke GetModuleHandle, CTXT("kernel32.dll")
mov ebx, eax                            ; ebx = hKernel32
invoke GetProcAddress, ebx, CTXT("GetModuleHandleA")
mov g_lpGetModuleHandleA, eax           ; stored inside the block that will be copied
invoke GetProcAddress, ebx, CTXT("GetProcAddress")
mov g_lpGetProcAddress, eax             ; NOTE(review): both stores target `.code`; writable only if the section is linked that way — confirm
invoke _EnablePrivilege, CTXT("SeDebugPrivilege"), TRUE   ; result ignored
invoke _GetPidFromProcName, CTXT("winlogon.exe")          ; eax = PID, 0 when not found
invoke OpenProcess, PROCESS_CREATE_THREAD+PROCESS_VM_OPERATION+PROCESS_VM_WRITE, FALSE, eax
.if eax                                 ; PID 0 or insufficient rights lands here with eax = 0
mov g_hProcess, eax
invoke VirtualAllocEx, g_hProcess, NULL, Remote_code_length, MEM_COMMIT, PAGE_EXECUTE_READWRITE
.if eax
mov g_lpRemoteCode, eax
invoke WriteProcessMemory, g_hProcess, g_lpRemoteCode, offset Remote_code_start, Remote_code_length, NULL   ; return value not checked
mov eax, g_lpRemoteCode
add eax, offset _RemoteThread - offset Remote_code_start   ; remote address of _RemoteThread
invoke CreateRemoteThread, g_hProcess, NULL, 0, eax, 0, 0, NULL
invoke CloseHandle, eax                 ; NOTE(review): eax is NULL when CreateRemoteThread failed; harmless but unchecked
.endif
invoke CloseHandle, g_hProcess
.endif
invoke ExitProcess, NULL                ; does not wait for the remote thread; the block is never freed in the target
;-----------------------------------------------------------------------
; BOOL _EnablePrivilege(LPCSTR szPriv, BOOL bFlags)
; Enables (bFlags != 0) or disables (bFlags == 0) one named privilege in
; the current process token.  Returns the AdjustTokenPrivileges result
; in eax.  OpenProcessToken / LookupPrivilegeValue failures are not
; checked: the adjust call is made with whatever the locals then hold.
; Clobbers: eax, edx (plus whatever the called APIs clobber).
;-----------------------------------------------------------------------
_EnablePrivilege proc szPriv:DWORD, bFlags:DWORD
LOCAL hProc:DWORD
LOCAL hToken:DWORD
LOCAL tkp:TOKEN_PRIVILEGES
LOCAL dwResult:DWORD
    invoke GetCurrentProcess
    mov hProc, eax
    invoke OpenProcessToken, hProc, TOKEN_ADJUST_PRIVILEGES or TOKEN_QUERY, addr hToken
    invoke LookupPrivilegeValue, NULL, szPriv, addr tkp.Privileges.Luid
    mov tkp.PrivilegeCount, 1
    ; attribute word: SE_PRIVILEGE_ENABLED to enable, 0 to disable
    mov edx, SE_PRIVILEGE_ENABLED
    cmp bFlags, 0
    jne @F
    xor edx, edx
@@:
    mov tkp.Privileges.Attributes, edx
    invoke AdjustTokenPrivileges, hToken, FALSE, addr tkp, 0, 0, 0
    mov dwResult, eax                   ; keep the result across CloseHandle
    invoke CloseHandle, hToken
    mov eax, dwResult
    ret
_EnablePrivilege endp
;-----------------------------------------------------------------------
; DWORD _GetPidFromProcName(LPCSTR lpProcName)
; Walks a Toolhelp process snapshot and returns the PID of the first
; process whose image name equals lpProcName case-insensitively
; (lstrcmpi), or 0 when there is no match.  The snapshot handle from
; CreateToolhelp32Snapshot is not validated before use.
; Clobbers: eax (plus whatever the called APIs clobber).
;-----------------------------------------------------------------------
_GetPidFromProcName proc lpProcName:DWORD
LOCAL stProcess:PROCESSENTRY32
LOCAL hSnapshot:DWORD
LOCAL dwProcessID:DWORD
    invoke RtlZeroMemory, addr stProcess, sizeof stProcess
    mov stProcess.dwSize, sizeof stProcess
    mov dwProcessID, 0                  ; default: not found
    invoke CreateToolhelp32Snapshot, TH32CS_SNAPPROCESS, 0
    mov hSnapshot, eax
    invoke Process32First, hSnapshot, addr stProcess
_scan:
    test eax, eax                       ; eax = 0 once the enumeration is exhausted
    jz _done
    invoke lstrcmpi, lpProcName, addr stProcess.szExeFile
    test eax, eax                       ; 0 = names equal
    jz _found
    invoke Process32Next, hSnapshot, addr stProcess
    jmp _scan
_found:
    mov eax, stProcess.th32ProcessID
    mov dwProcessID, eax
_done:
    invoke CloseHandle, hSnapshot
    mov eax, dwProcessID
    ret
_GetPidFromProcName endp
;-----------------------------------------------------------------------
; _getopt(par) — copies argv[1] into the 128-byte buffer at `par`.  With
; any other argument count it prints the usage text and terminates the
; process, so whenever it returns the buffer has been filled.
; Frame: relies on MASM's default prologue (push ebp / mov ebp,esp) for a
; PROC with parameters, so [ebp+8] is `par`, and the manual `sub esp,128h`
; opens a 0x128-byte scratch buffer at [ebp-128h] for the program name.
; `_argc` / `_argv` come from _cmdline.asm; their exact contract is not
; visible in this file.
;-----------------------------------------------------------------------
_getopt proc par:DWORD
sub esp,128h                            ; scratch buffer for argv[0]
invoke _argc
cmp eax,2h                              ; expect program name + exactly one argument
jnz _usage
invoke _argv,1,[ebp+8h],128             ; presumably argv[1] -> par, at most 128 bytes; verify against _cmdline.asm
jmp _return
_usage:
lea eax,[ebp-128h]
invoke _argv,0,eax,128                  ; argv[0] -> scratch buffer
invoke StdOut,CTXT("Run process as system privilege.",0dh,0ah,)   ; NOTE(review): trailing comma inside CTXT looks like a typo — confirm it assembles as intended
invoke StdOut,CTXT("by zklhp Email:zklhp@sina.com QQ:493165744",0dh,0ah)
lea eax,[ebp-128h]
invoke wsprintf,offset g_out,CTXT("Usage:%s [File]"),eax   ; g_out lives in the copied `.code` block
lea eax,[ebp-128h]                      ; dead: eax is not used before the next invoke
invoke StdOut,offset g_out
invoke ExitProcess,NULL                 ; usage path never returns
_return:
add esp,128h                            ; release the scratch buffer
ret 4h                                  ; NOTE(review): MASM emits a leave/ret epilogue for a PROC with parameters; confirm the explicit operand does not double the stdcall clean-up
_getopt endp
end start
参考了 一块三毛钱 前辈的《从管理员身份获得 SYSTEM 权限的四种方法》(其实就是抄了一下)