Ring3层代码提权

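/// Enables SeDebugPrivilege for the current process through the
/// ntdll!RtlAdjustPrivilege export (undocumented, resolved at run time).
///
/// Like AdjustTokenPrivileges, this can only *enable* a privilege the
/// process token already holds; it cannot grant one the token lacks, so
/// it only succeeds for accounts that were assigned SeDebugPrivilege.
///
/// @return TRUE when RtlAdjustPrivilege reports success (NTSTATUS >= 0),
///         FALSE when ntdll or the export cannot be resolved or the call
///         fails. The previous enabled state reported by the call is
///         not exposed.
BOOL EnableDebugPri64()
{
    // Real prototype: NTSTATUS RtlAdjustPrivilege(ULONG Privilege, BOOLEAN Enable,
    //                                             BOOLEAN CurrentThread, PBOOLEAN Enabled)
    // The page's typedef widens the BOOLEAN parameters to ULONG; kept as-is
    // for compatibility (__fastcall is ignored on x64 anyway).
    typedef long (__fastcall *pfnRtlAdjustPrivilege64)(ULONG, ULONG, ULONG, PVOID);

    // 20 is SE_DEBUG_PRIVILEGE from the DDK headers: the LUID low part of
    // SeDebugPrivilege, the same value LookupPrivilegeValue(SE_DEBUG_NAME) yields.
    const ULONG kSeDebugPrivilege = 20;

    // ntdll.dll is mapped into every user-mode process, so GetModuleHandle is
    // enough. The original went through LoadLibrary by pointer, and in non-Unicode
    // builds passed a wide string to LoadLibraryA.
    HMODULE hNtdll = ::GetModuleHandleW(L"ntdll.dll");
    if (hNtdll == NULL)
    {
        return FALSE;
    }

    pfnRtlAdjustPrivilege64 RtlAdjustPrivilege = reinterpret_cast<pfnRtlAdjustPrivilege64>(
        ::GetProcAddress(hNtdll, "RtlAdjustPrivilege"));
    if (RtlAdjustPrivilege == NULL)
    {
        return FALSE;
    }

    // Receives the privilege's previous enabled state (PBOOLEAN); not used here.
    BOOLEAN wasEnabled = 0;
    const long status = RtlAdjustPrivilege(kSeDebugPrivilege, 1, 0, &wasEnabled);

    // NT_SUCCESS() is "non-negative NTSTATUS". The original ignored the status
    // and fell off the end of a BOOL function without returning (undefined
    // behaviour), so callers could never detect failure.
    return status >= 0 ? TRUE : FALSE;
}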
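/// Enables SeDebugPrivilege on the current process token through the
/// documented token API (OpenProcessToken / AdjustTokenPrivileges).
///
/// AdjustTokenPrivileges cannot add a privilege the token does not hold:
/// for such tokens it returns TRUE but sets ERROR_NOT_ALL_ASSIGNED, so that
/// case is checked explicitly instead of being reported as success.
/// The token handle is closed on every path (the original leaked it).
///
/// @return TRUE when the privilege is now enabled, FALSE otherwise. On
///         failure a short reason is printed to stdout, as on the page.
BOOL EnableDebugPri32()
{
    HANDLE hToken = NULL;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
    {
        printf("OpenProcessToken is Error\n");
        return FALSE;
    }

    BOOL ok = FALSE;
    LUID uID = {};
    if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &uID))
    {
        printf("LookupPrivilegeValue is Error\n");
    }
    else
    {
        TOKEN_PRIVILEGES pTP = {};
        pTP.PrivilegeCount = 1;
        pTP.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
        pTP.Privileges[0].Luid = uID;

        // This is where the privilege is adjusted. A TRUE return only means
        // the request was processed; ERROR_NOT_ALL_ASSIGNED afterwards means
        // the token never held SeDebugPrivilege and nothing was enabled.
        if (!AdjustTokenPrivileges(hToken, FALSE, &pTP, sizeof(TOKEN_PRIVILEGES), NULL, NULL)
            || GetLastError() == ERROR_NOT_ALL_ASSIGNED)
        {
            printf("AdjuestTokenPrivileges is Error\n");
        }
        else
        {
            ok = TRUE;
        }
    }

    // Single exit point so the token handle is released on every path.
    CloseHandle(hToken);
    return ok;
}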

 

