这里主要是利用NTDLL.dll中未文档化的API:
RtlAdjustPrivilege
来实现提权、自动关机的功能。
RtlAdjustPrivilege定义如下:
NTSTATUS RtlAdjustPrivilege
(
ULONG Privilege,
BOOLEAN Enable,
BOOLEAN CurrentThread,
PBOOLEAN Enabled
)
参数含义如下:
Privilege [In] Privilege index to change.
// 所需要的权限名称,可以到MSDN查找关于Process Token & Privilege内容可以查到
Enable [In] If TRUE, then enable the privilege otherwise disable.
// 如果为True 就是打开相应权限,如果为False 则是关闭相应权限
CurrentThread [In] If TRUE, then enable in calling thread, otherwise process.
// 如果为True 则仅提升当前线程权限,否则提升整个进程的权限
Enabled [Out] Whether privilege was previously enabled or disabled.
// 输出原来相应权限的状态(打开 | 关闭)
#include <iostream> #include <windows.h> #include <string> using namespace std; const unsigned long SE_DEBUG_PRIVILEGE = 0x13; typedef int(_stdcall *_RtlAdjustPrivilege)(int, BOOL, BOOL, int *); typedef int(_stdcall *_ZwShutdownSystem)(int); int main(int argc, char* argv[]) { HMODULE hNtDll = LoadLibrary("NTDLL.dll"); if (!hNtDll) cout << "Error.." << endl; _RtlAdjustPrivilege pfnRtlAdjustPrivilege = (_RtlAdjustPrivilege)GetProcAddress(hNtDll, "RtlAdjustPrivilege"); _ZwShutdownSystem pfnZwShutdownSystem = (_ZwShutdownSystem)GetProcAddress(hNtDll, "ZwShutdownSystem"); int nEn = 0; pfnRtlAdjustPrivilege(SE_DEBUG_PRIVILEGE, TRUE, FALSE, &nEn); pfnZwShutdownSystem(2); return 0; }