Win 2003怎样获取SE_DEBUG_NAME权限?
在WinXP上获取SE_DEBUG_NAME权限的代码放到Win2003就不行了,各位老大有没有对2003熟悉的?求救~
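还有ZwLoadDriver在Win2003上加载驱动也会失败(通过创建服务的方式可以加载成功),在2000/XP下没问题的~

/****************************************************************************
 *
 * FUNCTION: BOOL LoadDriver( LPCTSTR szDriverName, LPCTSTR szPath )
 *
 * PURPOSE:  Load a kernel-mode driver through ZwLoadDriver. A minimal
 *           service key is written under
 *           HKLM\System\CurrentControlSet\Services\<szDriverName>, the load
 *           is attempted, and that key (plus its Enum/Security subkeys) is
 *           deleted again whether or not the load succeeded.
 *
 * PARAMS:   szDriverName - service name; must be non-empty and a single key
 *                          component (no backslash).
 *           szPath       - Win32 path of the driver image; stored in
 *                          ImagePath as "\??\<szPath>".
 *
 * RETURNS:  TRUE on success. FALSE on failure; when ZwLoadDriver itself was
 *           the failing step, GetLastError() carries the NTSTATUS mapped
 *           through RtlNtStatusToDosError (the original code converted the
 *           status only after overwriting it with FALSE).
 *
 * NOTES:    ZwLoadDriver needs SeLoadDriverPrivilege in the calling token,
 *           which is a different privilege from SE_DEBUG_NAME. Nothing here
 *           validates the image at szPath; the caller decides what is
 *           trusted enough to run in the kernel. All registry paths are
 *           built with bounded formatting so an over-long name or path
 *           fails cleanly instead of overrunning the stack buffers, and
 *           every RegSetValueEx/GetProcAddress failure is checked.
 *
 ****************************************************************************/

// Byte count RegSetValueEx expects for a NUL-terminated TCHAR string of
// cch characters (the original passed the character count without the
// terminator, which is wrong for REG_EXPAND_SZ and halves the size under
// UNICODE builds).
static DWORD TStrBytes(DWORD cch)
{
    return (cch + 1) * sizeof(TCHAR);
}

// Copies szName into a NUL-terminated WCHAR buffer of cchOut characters.
// Returns FALSE when the name does not fit (or cannot be converted).
static BOOL DriverNameToWide(LPCTSTR szName, WCHAR *wszOut, int cchOut)
{
#ifdef UNICODE
    const size_t len = wcslen(szName);
    if (len >= (size_t)cchOut)
        return FALSE;
    memcpy(wszOut, szName, (len + 1) * sizeof(WCHAR));
    return TRUE;
#else
    // -1 converts the terminator as well; 0 means failure, including
    // "buffer too small".
    return MultiByteToWideChar(CP_ACP, 0, szName, -1, wszOut, cchOut) > 0;
#endif
}

// Creates Services\<szDriverName> and writes the values a kernel driver
// service needs. Returns FALSE when any step fails; the caller removes the
// (possibly partial) key in that case.
static BOOL WriteServiceKey(LPCTSTR szDriverName, LPCTSTR szPath)
{
    TCHAR szBuf[256 + MAX_PATH];
    const int cchBuf = (int)(sizeof(szBuf) / sizeof(szBuf[0]));
    HKEY  hSubKey;
    DWORD dwData;
    BOOL  bOk;
    int   cch;

    cch = _sntprintf(szBuf, cchBuf, _T("System\\CurrentControlSet\\Services\\%s"), szDriverName);
    if (cch < 0 || cch >= cchBuf)        // truncated: refuse rather than write a mangled key
        return FALSE;
    szBuf[cch] = 0;
    if (RegCreateKey(HKEY_LOCAL_MACHINE, szBuf, &hSubKey) != ERROR_SUCCESS)
        return FALSE;

    bOk = TRUE;

    // Type: SERVICE_KERNEL_DRIVER (0x0001).
    dwData = SERVICE_KERNEL_DRIVER;
    bOk = bOk && RegSetValueEx(hSubKey, _T("Type"), 0, REG_DWORD,
                               (const BYTE *)&dwData, sizeof(dwData)) == ERROR_SUCCESS;

    // ErrorControl: SERVICE_ERROR_NORMAL (1) - log and continue booting.
    dwData = SERVICE_ERROR_NORMAL;
    bOk = bOk && RegSetValueEx(hSubKey, _T("ErrorControl"), 0, REG_DWORD,
                               (const BYTE *)&dwData, sizeof(dwData)) == ERROR_SUCCESS;

    // Start: SERVICE_DEMAND_START (3) - never started automatically at boot.
    dwData = SERVICE_DEMAND_START;
    bOk = bOk && RegSetValueEx(hSubKey, _T("Start"), 0, REG_DWORD,
                               (const BYTE *)&dwData, sizeof(dwData)) == ERROR_SUCCESS;

    // DisplayName is kept as REG_EXPAND_SZ to match the original behaviour.
    bOk = bOk && RegSetValueEx(hSubKey, _T("DisplayName"), 0, REG_EXPAND_SZ,
                               (const BYTE *)szDriverName,
                               TStrBytes((DWORD)_tcslen(szDriverName))) == ERROR_SUCCESS;

    // ImagePath uses the NT "\??\" prefix so the I/O manager resolves the
    // Win32 path.
    cch = _sntprintf(szBuf, cchBuf, _T("\\??\\%s"), szPath);
    if (cch < 0 || cch >= cchBuf) {
        bOk = FALSE;
    } else {
        szBuf[cch] = 0;
        bOk = bOk && RegSetValueEx(hSubKey, _T("ImagePath"), 0, REG_EXPAND_SZ,
                                   (const BYTE *)szBuf, TStrBytes((DWORD)cch)) == ERROR_SUCCESS;
    }

    RegCloseKey(hSubKey);
    return bOk;
}

// Removes Services\<szDriverName>. RegDeleteKey is not recursive, so the
// Enum and Security subkeys (created by the system during the load) go
// first. Failures are ignored on purpose: a subkey may simply not exist.
static void DeleteServiceKey(LPCTSTR szDriverName)
{
    static LPCTSTR const aszSuffix[] = { _T("\\Enum"), _T("\\Security"), _T("") };
    TCHAR szBuf[256];
    const int cchBuf = (int)(sizeof(szBuf) / sizeof(szBuf[0]));

    for (size_t i = 0; i < sizeof(aszSuffix) / sizeof(aszSuffix[0]); ++i) {
        const int cch = _sntprintf(szBuf, cchBuf, _T("System\\CurrentControlSet\\Services\\%s%s"),
                                   szDriverName, aszSuffix[i]);
        if (cch < 0 || cch >= cchBuf)
            return;                     // nothing with this name could have been created
        szBuf[cch] = 0;
        RegDeleteKey(HKEY_LOCAL_MACHINE, szBuf);
    }
}

BOOL LoadDriver( LPCTSTR szDriverName, LPCTSTR szPath )
{
    WCHAR   wszName[256];
    WCHAR   wszRegPath[320];
    const int cchRegPath = (int)(sizeof(wszRegPath) / sizeof(wszRegPath[0]));
    UNICODE_STRING usRegPath;
    HMODULE hNtdll;
    LONG    status;                     // NTSTATUS from ZwLoadDriver
    DWORD   dwErr;
    int     cch;

    // Reject inputs that would create a nested or empty key.
    if (szDriverName == NULL || szPath == NULL || szDriverName[0] == 0)
        return FALSE;
    if (_tcschr(szDriverName, _T('\\')) != NULL)
        return FALSE;

    // Build the NT-namespace registry path ZwLoadDriver expects, directly as
    // WCHAR. This replaces the ANSI_STRING round trip, which only worked in
    // ANSI builds and left MaximumLength uninitialised.
    if (!DriverNameToWide(szDriverName, wszName, (int)(sizeof(wszName) / sizeof(wszName[0]))))
        return FALSE;
    cch = _snwprintf(wszRegPath, cchRegPath,
                     L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\%s", wszName);
    if (cch < 0 || cch >= cchRegPath)
        return FALSE;
    wszRegPath[cch] = L'\0';
    usRegPath.Buffer        = wszRegPath;
    usRegPath.Length        = (USHORT)(cch * sizeof(WCHAR));
    usRegPath.MaximumLength = (USHORT)((cch + 1) * sizeof(WCHAR));

    // Resolve the ntdll entry points before touching the registry so a
    // missing export leaves no stray service key behind. GetProcAddress
    // takes an ANSI name, hence no _T().
    hNtdll = LoadLibrary(_T("ntdll.dll"));
    if (hNtdll == NULL)
        return FALSE;
    ZwLoadDriverProc ZwLoadDriver =
        (ZwLoadDriverProc)GetProcAddress(hNtdll, "ZwLoadDriver");
    RtlNtStatusToDosErrorProc RtlNtStatusToDosError =
        (RtlNtStatusToDosErrorProc)GetProcAddress(hNtdll, "RtlNtStatusToDosError");
    if (ZwLoadDriver == NULL || RtlNtStatusToDosError == NULL) {
        FreeLibrary(hNtdll);
        return FALSE;
    }

    if (!WriteServiceKey(szDriverName, szPath)) {
        DeleteServiceKey(szDriverName);
        FreeLibrary(hNtdll);
        return FALSE;
    }

    // Load the driver (requires SeLoadDriverPrivilege in this token).
    status = ZwLoadDriver(&usRegPath);

    // The service key is removed regardless of the outcome, as in the
    // original code.
    DeleteServiceKey(szDriverName);

    if (!NT_SUCCESS(status)) {
        // Convert the real status; FreeLibrary could disturb last-error, so
        // set it after releasing ntdll.
        dwErr = RtlNtStatusToDosError(status);
        FreeLibrary(hNtdll);
        ::SetLastError(dwErr);
        return FALSE;
    }

    FreeLibrary(hNtdll);
    return TRUE;
}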
沙发#
发布于:2005-04-06 12:28
加上这个就可以了
piDebugPrivilege(TRUE)

// Turns SE_DEBUG_NAME on (bEnable != FALSE) or off in the current process
// token. Returns TRUE only when AdjustTokenPrivileges both succeeded and
// reported ERROR_SUCCESS: the API returns TRUE with ERROR_NOT_ALL_ASSIGNED
// when the token does not hold the privilege at all, and that case is a
// failure here. A privilege the account was never assigned cannot be added
// this way.
BOOL piDebugPrivilege(BOOL bEnable)
{
    HANDLE hToken = NULL;
    TOKEN_PRIVILEGES tp;
    BOOL bOk;

    // Need TOKEN_ADJUST_PRIVILEGES to change the token and TOKEN_QUERY so
    // AdjustTokenPrivileges can read the current state.
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES, &hToken))
        return FALSE;

    tp.PrivilegeCount = 1;
    tp.Privileges[0].Attributes = bEnable ? SE_PRIVILEGE_ENABLED : 0;

    bOk = LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid);
    if (bOk) {
        bOk = AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), NULL, NULL);
        // Read last-error immediately, before CloseHandle can disturb it.
        const DWORD dwAdjustErr = GetLastError();
        if (dwAdjustErr != ERROR_SUCCESS)
            bOk = FALSE;
    }

    CloseHandle(hToken);
    return bOk ? TRUE : FALSE;
}
板凳#
发布于:2005-04-06 14:56
首先谢谢楼上的兄弟~
但是我的2003管理员的SE_DEBUG_NAME权限是没有分配的,所以上面的代码会失败~关键问题是怎么给管理员分配SE_DEBUG_NAME权限?
地板#
发布于:2005-04-06 15:53
首先谢谢楼上的兄弟~ 对于administrator 而言SE_DEBUG_NAME是关闭的,这里只是打开罢了.你应该看看windows安全方面文章. 只要是administrator登录,上面代码不会失败!! [编辑 - 4/6/05 by wywwwl]
地下室#
发布于:2005-04-07 09:07
[quote]首先谢谢楼上的兄弟~ 对于administrator 而言SE_DEBUG_NAME是关闭的,这里只是打开罢了.你应该看看windows安全方面文章. 只要是administrator登录,上面代码不会失败!! [编辑 - 4/6/05 by wywwwl] [/quote] 正确,对于administrator 而言SE_DEBUG_NAME是关闭的,关机Token也没有,是靠这段程序才能打开的
5楼#
发布于:2005-04-08 20:18
有可能会失败的~
我用DebPloit里面的ShowPriv.exe查看了一下, SE_DEBUG_NAME: Assigned:NO Enable:NO
上面的代码在Assigned:NO,也就是没有分配这个权限的时候会失败的~
后来发现应该这样:
ADJUST_CURRENT_PROCESS = 0
SE_DEBUG_PRIVILEGE = 20
RtlAdjustPrivilege(SE_DEBUG_PRIVILEGE, TRUE, ADJUST_CURRENT_PROCESS, &bEnable);
然后再AdjustTokenPrivilege才搞定~ 谢谢大家~