• Ring3层代码提权

    BOOL EnableDebugPri64()
{
    typedef long (__fastcall *pfnRtlAdjustPrivilege64)(ULONG,ULONG,ULONG,PVOID);
    pfnRtlAdjustPrivilege64 RtlAdjustPrivilege;

    DWORD                  dwRetVal    = 0;
    LPTHREAD_START_ROUTINE FuncAddress = NULL;
#ifdef _UNICODE
    FuncAddress = (PTHREAD_START_ROUTINE)::GetProcAddress(::GetModuleHandle(_T("Kernel32")), "LoadLibraryW");
#else
    FuncAddress = (PTHREAD_START_ROUTINE)::GetProcAddress(::GetModuleHandle(_T("Kernel32")), "LoadLibraryA");
#endif

    if (FuncAddress==NULL)
    {
        return FALSE;
    }


    RtlAdjustPrivilege=(pfnRtlAdjustPrivilege64)GetProcAddress((HMODULE)(FuncAddress(L"ntdll.dll")),"RtlAdjustPrivilege");

    if (RtlAdjustPrivilege==NULL)
    {
        return FALSE;
    }
    RtlAdjustPrivilege(20,1,0,&dwRetVal);
}
    BOOL EnableDebugPri32()
{

    HANDLE hToken;
    TOKEN_PRIVILEGES pTP;
    LUID uID;

    if (!OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY,&hToken))
    {
        printf("OpenProcessToken is Error
");

        return FALSE;
    }

    if (!LookupPrivilegeValue(NULL,SE_DEBUG_NAME,&uID))
    {
        printf("LookupPrivilegeValue is Error
");

        return FALSE;
    }


    pTP.PrivilegeCount = 1;
    pTP.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    pTP.Privileges[0].Luid = uID;


    //在这里我们进行调整权限
    if (!AdjustTokenPrivileges(hToken,false,&pTP,sizeof(TOKEN_PRIVILEGES),NULL,NULL))
    {
        printf("AdjuestTokenPrivileges is Error
");
        return  FALSE;
    }


    return TRUE;

}
  • 相关阅读:
    [Leetcode] Count and Say
    [Leetcode] Set Matrix Zeroes
    推荐系统
    异常检测
    维度约间
    聚类
    SVM的简单介绍
    tiled卷积神经网络(tiled CNN)
    数据驱动概念的复杂事件检测
    Topographic ICA as a Model of Natural Image Statistics(作为自然图像统计模型的拓扑独立成分分析)
  • 原文地址:https://www.cnblogs.com/yifi/p/6527700.html
Copyright © 2020-2023  润新知