#define WIN32_LEAN_AND_MEAN
#define _CRTIMP __declspec(dllimport)
#include <windows.h>
#include <NtSecApi.h>
//#define AW_STATIC_LINKING
//#include <NtApiWorks.h>
#include <ApiHooks.h>
// NTSTATUS failure code returned to the debug subsystem when the access check
// below fails; as a LONG it is negative, which is what every `>= 0` test here relies on.
#define STATUS_ACCESS_DENIED 0xC0000022L
// Prototype prefix for the ntdll.dll natives declared below (NTSTATUS as LONG).
#define NtFn extern "C" __declspec(dllimport) LONG WINAPI
// dwSsDebugEventRequest value for a "create process" debug-subsystem request.
#define SS_CREATE_PROCESS_REQUEST 2
// Shape of the LPC message smss receives on \DbgSsApiPort. The first 0x18 bytes
// follow the LPC PORT_MESSAGE header layout; the rest is the debug-subsystem
// payload. Offsets in the trailing comments are for the 32-bit build.
typedef struct _DBG_SS_CP_LPC_MESSAGE {
USHORT DataSize; //00
USHORT MessageSize; //02
USHORT MessageType; //04  LPC message type (10 = connection request, 5 = port closed)
USHORT VirtualRangesOffset; //06
DWORD CallerPid; //08
DWORD CallerTid; //0C
ULONG MessageId; //10
ULONG SectionSize; //14
DWORD dwSsDebugEventRequest;//18  SS_CREATE_PROCESS_REQUEST selects the access check below
DWORD Status; //1C
// DebuggeePID/DebuggeeTID are adjacent so their address is passed as a
// CLIENT_ID to NtOpenProcess (see NewNtReplyWaitReceivePort).
DWORD DebuggeePID; //20
DWORD DebuggeeTID; //24
PVOID pDbgSsKmMsg; //28 //size ~ 0x78
// DebuggerPID/DebuggerTID are likewise passed as a CLIENT_ID to NtOpenThread.
DWORD DebuggerPID; //2C
DWORD DebuggerTID; //30
} DBG_SS_CP_LPC_MESSAGE, *PDBG_SS_CP_LPC_MESSAGE;
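// Pseudo-handle for the calling thread, as understood by the native API.
#define NtCurrentThread ((HANDLE)-2)
// Native services imported from ntdll.dll. All return NTSTATUS as LONG;
// a negative value is a failure.
NtFn NtSetInformationThread (HANDLE ThreadHandle, DWORD ThreadInformationClass, PVOID ThreadInformation, ULONG ThreadInformationLength);
// Drop the current thread's impersonation token by setting
// ThreadImpersonationToken (class 5) to a NULL handle. Wrapped in
// do/while(0) so the declaration and the call stay one statement; the
// original two-statement expansion would split under an unbraced if/else.
#define NtRevertToSelf() \
    do { \
        HANDLE hToken = NULL; \
        NtSetInformationThread(NtCurrentThread, 5, &hToken, sizeof(hToken)); \
    } while (0)
// pClientId points at a {UniqueProcess, UniqueThread} pair (CLIENT_ID).
NtFn NtOpenThread(PHANDLE pThreadHandle, DWORD DesiredAccess, PLSA_OBJECT_ATTRIBUTES poa, PDWORD pClientId);
// Makes the calling thread impersonate ImpersonatedThreadHandle at the level given by pQoS.
NtFn NtImpersonateThread(HANDLE ImpersonatingThreadHandle, HANDLE ImpersonatedThreadHandle, PSECURITY_QUALITY_OF_SERVICE pQoS);
NtFn NtOpenProcess(PHANDLE pProcessHandle, DWORD DesiredAccess, PLSA_OBJECT_ATTRIBUTES poa, PDWORD pClientId);
NtFn NtClose(HANDLE hObject);
// ObjectInformationClass 1 (ObjectNameInformation) is the only class used here.
NtFn NtQueryObject (HANDLE ObjectHandle, DWORD ObjectInformationClass, PVOID ObjectInformation, ULONG ObjectInformationLength, PULONG ReturnLength);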
// Name of the debug-subsystem LPC port whose messages are inspected.
#define DbgSsApiPortNameW L"\\DbgSsApiPort"
// Hand-rolled OBJECT_NAME_INFORMATION: a UNICODE_STRING header followed by
// inline storage just large enough for DbgSsApiPortNameW including its NUL.
// A port with a longer name therefore makes NtQueryObject fail, which is
// what lets the caller treat success as "the name fits entirely in ObjName".
typedef struct _OBJECT_NAME_PRIVATE {
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer; // set by the kernel; expected to point at ObjName, or NULL for an unnamed object
WCHAR ObjName[sizeof(DbgSsApiPortNameW)/sizeof(WCHAR)];
} OBJECT_NAME_PRIVATE, *POBJECT_NAME_PRIVATE;
// Saved original of NtReplyWaitReceivePort and its unhook record; presumably
// filled in by the ApiHooks framework when ApiHookChain is installed.
ADDR_CONTENTS OldNtRWRP[1];
API_UNHOOK UNtRWRP = {1, 0, OldNtRWRP};
// Signature used to call the original through OldNtRWRP[0].ReturnWhat.
typedef LONG (WINAPI *TNtRWRP)(HANDLE, PVOID, PVOID, PVOID);
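// Returns TRUE when hPort is named \DbgSsApiPort. Uses ObjectNameInformation
// (class 1) into a buffer sized so that only that exact name (or a shorter one)
// fits; any longer name makes NtQueryObject fail. An unnamed object succeeds
// with a NULL Buffer, which the original code dereferenced - guard against it.
static BOOL PortIsDbgSsApiPort(HANDLE hPort) {
    OBJECT_NAME_PRIVATE ObjNamePriv;
    ObjNamePriv.Buffer = NULL;
    if(NtQueryObject(hPort, 1, &ObjNamePriv, sizeof(ObjNamePriv), NULL) < 0) {
        return FALSE;
    }
    if(ObjNamePriv.Buffer == NULL) {
        return FALSE; // unnamed object (e.g. a communication port)
    }
    // Belt and braces: force a terminator inside ObjName before comparing.
    ObjNamePriv.Buffer[sizeof(ObjNamePriv.ObjName)/sizeof(WCHAR)-1] = '\0';
    return wcscmp(ObjNamePriv.Buffer, DbgSsApiPortNameW) == 0 ? TRUE : FALSE;
}

// Access check for a create-process request: while impersonating the
// debugger thread named in the message, try to open the debuggee for
// PROCESS_ALL_ACCESS. Returns that open's status, or STATUS_ACCESS_DENIED
// when the debugger thread cannot be opened or impersonated.
// The result is only used as a pass/fail signal; the handle is closed at once.
static LONG DebuggerCanOpenDebuggee(PDBG_SS_CP_LPC_MESSAGE Msg) {
    LONG Status = STATUS_ACCESS_DENIED;
    LSA_OBJECT_ATTRIBUTES oa = {sizeof(oa)};
    HANDLE hDebuggerThread = NULL;
    // DebuggerPID/DebuggerTID are adjacent in the message, so their address
    // doubles as the CLIENT_ID NtOpenThread expects. The debugger (not the
    // LPC CallerPid) is deliberately the identity checked here.
    if(NtOpenThread(&hDebuggerThread, THREAD_DIRECT_IMPERSONATION, &oa, &Msg->DebuggerPID) < 0) {
        return Status;
    }
    static SECURITY_QUALITY_OF_SERVICE QoS =
        {sizeof(QoS), DEFAULT_IMPERSONATION_LEVEL, SECURITY_DYNAMIC_TRACKING, FALSE};
    if(NtImpersonateThread(NtCurrentThread, hDebuggerThread, &QoS) >= 0) {
        HANDLE hDebuggeeProcess = NULL;
        Status = NtOpenProcess(&hDebuggeeProcess, PROCESS_ALL_ACCESS, &oa, &Msg->DebuggeePID);
        if(Status >= 0) {
            NtClose(hDebuggeeProcess);
        }
        NtRevertToSelf(); // always drop the debugger's token before continuing as smss
    }
    NtClose(hDebuggerThread);
    return Status;
}

// Hook for ntdll!NtReplyWaitReceivePort inside smss.exe. Calls the original,
// then, for messages received on \DbgSsApiPort, vets create-process requests
// with DebuggerCanOpenDebuggee() and neutralises the request when the check
// (or the original call) failed.
//
// hPort        - port the original call received on.
// pClientInfo  - passed through to the original call untouched.
// LpcMsgIn     - reply message, passed through untouched.
// LpcMsgOut    - received message; may be rewritten (dwSsDebugEventRequest).
// Returns the original call's status, or STATUS_ACCESS_DENIED / the
// NtOpenProcess status when a create-process request is vetted.
LONG WINAPI NewNtReplyWaitReceivePort(HANDLE hPort, PVOID *pClientInfo, PVOID LpcMsgIn, PDBG_SS_CP_LPC_MESSAGE LpcMsgOut) {
    LONG Status = ((TNtRWRP)OldNtRWRP[0].ReturnWhat)(hPort, pClientInfo, LpcMsgIn, LpcMsgOut);
    if(Status < 0) {
        return Status;
    }

    // The port handle is identified by name once and then cached for the
    // life of the process. NOTE(review): the cache is keyed on the raw handle
    // value; should smss ever close and reopen the port, a reused handle value
    // would not be re-validated - assumed not to happen in practice.
    static HANDLE hDbgSsApiPort = NULL;
    if(hDbgSsApiPort == NULL && PortIsDbgSsApiPort(hPort)) {
        hDbgSsApiPort = hPort;
    }

    if(hPort == hDbgSsApiPort && LpcMsgOut != NULL &&
       LpcMsgOut->MessageType != 10 && // not connection request
       LpcMsgOut->MessageType != 5) {  // not client port closed
        if(LpcMsgOut->dwSsDebugEventRequest == SS_CREATE_PROCESS_REQUEST) {
            Status = DebuggerCanOpenDebuggee(LpcMsgOut);
        }
        // NT4 neither checks Status nor treats the request as unsigned, so a
        // failed check is made unrecognisable to SsApi by overwriting the request.
        if(Status < 0 || (LONG)LpcMsgOut->dwSsDebugEventRequest < 0) {
            LpcMsgOut->dwSsDebugEventRequest = 0x12345678;
        }
    }
    return Status;
}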
// Hook table read by the ApiHooks loader: redirect ntdll!NtReplyWaitReceivePort
// to NewNtReplyWaitReceivePort, but only inside smss.exe, saving the original
// in UNtRWRP. HOOKS_END terminates the list.
__EXPORT API_HOOK ApiHookChain[2] = {
{"ntdll.dll", "NtReplyWaitReceivePort", HOOK_BY_NAME, "smss.exe", &UNtRWRP, NewNtReplyWaitReceivePort},
{HOOKS_END}
};