Ring3层代码提权
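/// @brief Enables SeDebugPrivilege for the current process through the
///        ntdll export RtlAdjustPrivilege (the native counterpart of
///        AdjustTokenPrivileges).
///
/// RtlAdjustPrivilege is not in the import library, so it is resolved at run
/// time. ntdll is already mapped into the process, so GetModuleHandleW is used
/// to find it; the original reached LoadLibrary through a generic function
/// pointer and passed a wide string even in the ANSI build, and it also
/// discarded the NTSTATUS and fell off the end of the function without a
/// return value.
///
/// @return TRUE when RtlAdjustPrivilege reports success (NTSTATUS >= 0).
///         FALSE when ntdll or the export cannot be resolved, or when the call
///         fails — typically because the process token does not hold
///         SeDebugPrivilege (an administrative token is required).
BOOL EnableDebugPri64()
{
    // Native prototype (undocumented, but stable across Windows versions):
    //   NTSTATUS NTAPI RtlAdjustPrivilege(ULONG Privilege, BOOLEAN Enable,
    //                                     BOOLEAN CurrentThread, PBOOLEAN Enabled);
    // NTAPI (stdcall) rather than __fastcall: on x64 the convention is
    // irrelevant, but on x86 __fastcall would corrupt the call.
    typedef long (NTAPI *pfnRtlAdjustPrivilege64)(ULONG, BOOLEAN, BOOLEAN, PBOOLEAN);

    HMODULE hNtdll = ::GetModuleHandleW(L"ntdll.dll");
    if (hNtdll == NULL) {
        return FALSE;
    }

    pfnRtlAdjustPrivilege64 RtlAdjustPrivilege =
        reinterpret_cast<pfnRtlAdjustPrivilege64>(::GetProcAddress(hNtdll, "RtlAdjustPrivilege"));
    if (RtlAdjustPrivilege == NULL) {
        return FALSE;
    }

    // Receives the privilege's previous state; callers of this function do
    // not need it, but the parameter is mandatory.
    BOOLEAN wasEnabled = FALSE;

    // SE_DEBUG_PRIVILEGE == 20 (winnt.h); Enable = TRUE; CurrentThread = FALSE
    // adjusts the process token rather than an impersonation token.
    long status = RtlAdjustPrivilege(SE_DEBUG_PRIVILEGE, TRUE, FALSE, &wasEnabled);

    // NT_SUCCESS: an NTSTATUS is a success code when it is non-negative.
    return (status >= 0) ? TRUE : FALSE;
}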
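/// @brief Enables SeDebugPrivilege on the current process token with the
///        documented Win32 token APIs.
///
/// Two defects of the original are fixed here: the token handle returned by
/// OpenProcessToken was never closed on any path, and AdjustTokenPrivileges'
/// return value was trusted directly. That API returns TRUE even when nothing
/// was adjusted and only signals the problem through
/// GetLastError() == ERROR_NOT_ALL_ASSIGNED, which is exactly what a
/// non-elevated token produces — so the original reported success while the
/// privilege stayed disabled.
///
/// @return TRUE when SeDebugPrivilege is now enabled on the process token;
///         FALSE when the token cannot be opened, the privilege LUID cannot be
///         looked up, or the token does not hold the privilege. A diagnostic
///         line is printed to stdout on every failure path, as in the original.
BOOL EnableDebugPri32()
{
    HANDLE hToken = NULL;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) {
        printf("OpenProcessToken is Error\n");
        return FALSE;
    }

    // Single exit after this point so the token handle is always released.
    BOOL enabled = FALSE;

    LUID debugLuid;
    if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &debugLuid)) {
        printf("LookupPrivilegeValue is Error\n");
    } else {
        TOKEN_PRIVILEGES tp;
        tp.PrivilegeCount = 1;
        tp.Privileges[0].Luid = debugLuid;
        tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

        // DisableAllPrivileges = FALSE; no previous-state buffer is requested.
        if (!AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), NULL, NULL)) {
            printf("AdjustTokenPrivileges is Error\n");
        } else if (GetLastError() == ERROR_NOT_ALL_ASSIGNED) {
            // The call "succeeded" but the token does not hold the privilege
            // (e.g. the process is not running with an administrative token).
            printf("AdjustTokenPrivileges is Error: SeDebugPrivilege not held by token\n");
        } else {
            enabled = TRUE;
        }
    }

    CloseHandle(hToken);
    return enabled;
}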