ring0使用ZwCreateThread创建用户线程
本帖最后由 Ayala 于 2016-10-10 10:39 编辑
.386
.model flat,stdcall
option casemap:none
include ..\..\..\masm32\include\w2k\ntstatus.inc
include ..\..\..\masm32\include\w2k\ntddk.inc
include ..\..\..\masm32\include\w2k\w2kundoc.inc
include ..\..\..\masm32\include\w2k\hal.inc
includelib ..\..\..\masm32\lib\w2k\hal.lib
include ..\..\..\masm32\include\w2k\ntoskrnl.inc
includelib ..\..\..\masm32\lib\w2k\ntoskrnl.lib
include ..\..\..\masm32\Macros\Strings.mac
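; GDT selector values for the ring-3 segments that _RtlInitializeContext
; stores into the new thread's CONTEXT. They are written here as the
; descriptor offsets (RPL bits clear), exactly as the page uses them.
KGDT_R3_DATA      equ 00020H            ; user data segment, loaded into DS/ES/SS
KGDT_R3_CODE      equ 00018H            ; user code segment, loaded into CS
KGDT_R3_TEB       equ 00038H            ; per-thread TEB segment, loaded into FS
; OBJECT_ATTRIBUTES.Attributes flag: create the handle in the kernel handle
; table. _RtlCreateUserThread or's it in when running with the ring-0 CS.
; (The original line lacked the space before `equ` and would not assemble.)
OBJ_KERNEL_HANDLE equ 00000200H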
IFNDEF INITIAL_TEB
; Initial user-stack description passed to ZwCreateThread (7th argument).
; Filled in by _RtlpCreateStack, released and cleared by _RtlpFreeStack.
INITIAL_TEB struc
OldStackBase DWORD ?                    ; always written as 0 by _RtlpCreateStack
OldStackLimit DWORD ?                   ; always written as 0 by _RtlpCreateStack
StackBase DWORD ?                       ; top of the committed region: allocation base + committed size
StackLimit DWORD ?                      ; bottom of the committed region (same value as StackAllocationBase here)
StackAllocationBase DWORD ?             ; base returned by ZwAllocateVirtualMemory; what _RtlpFreeStack releases
INITIAL_TEB ends
ENDIF
IFNDEF CLIENT_ID
; Process/thread id pair. Used as the ZwOpenProcess selector in _drvmain
; (UniqueProcess set, UniqueThread 0) and as the ZwCreateThread output that
; _RtlCreateUserThread copies into the caller's ClientID.
CLIENT_ID STRUCT ; sizeof = 8
UniqueProcess HANDLE ?                  ; process id
UniqueThread HANDLE ?                   ; thread id (0 when selecting a process)
CLIENT_ID ENDS
ENDIF
IFNDEF OBJECT_ATTRIBUTES
; Object-manager attribute block. This file only builds anonymous ones
; (ObjectName = NULL, RootDirectory = NULL) in _RtlCreateUserThread and _drvmain.
OBJECT_ATTRIBUTES STRUCT ; sizeof = 18h
_Length DWORD ? ; original name Length (LENGTH is a MASM operator); callers set it to sizeof OBJECT_ATTRIBUTES
RootDirectory HANDLE ?
ObjectName PUNICODE_STRING ?
Attributes DWORD ? ; OBJ_* flags; _RtlCreateUserThread or's in OBJ_KERNEL_HANDLE
SecurityDescriptor PVOID ? ; Points to type SECURITY_DESCRIPTOR
SecurityQualityOfService PVOID ? ; Points to type SECURITY_QUALITY_OF_SERVICE
OBJECT_ATTRIBUTES ENDS
; NOTE(review): declared as the structure itself, not `ptr OBJECT_ATTRIBUTES`;
; nothing on this page uses the name, so it is harmless as written.
POBJECT_ATTRIBUTES typedef OBJECT_ATTRIBUTES
ENDIF
; Generic stdcall prototype with eight DWORD arguments. ZwCreateThread takes
; exactly eight stack arguments (see the invoke in _RtlCreateUserThread), so a
; pointer of this type can be invoked with MASM's argument checking.
PROTO@32 TYPEDEF PROTO STDCALL :DWORD,:DWORD,:DWORD,:DWORD,:DWORD,:DWORD,:DWORD,:DWORD
PPROTO@32 TYPEDEF ptr PROTO@32
; Import-address-table slot of ZwCreateSymbolicLinkObject (4 args = 16 bytes).
; _drvmain reads this slot and adds thunk_length to derive the address used
; as ZwCreateThread, which is not resolved through the import library here.
externdef _imp__ZwCreateSymbolicLinkObject@16:DWORD
.data
; Runtime-resolved pointer to ZwCreateThread. It stays 0 until _drvmain
; fills it in, so _RtlCreateUserThread must not run before that.
ZwCreateThread PPROTO@32 0
.code
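;-----------------------------------------------------------------------
; NTSTATUS _RtlpCreateStack(HANDLE Process, SIZE_T MaximumStackSize,
;                           SIZE_T CommittedStackSize, ULONG ZeroBits,
;                           PINITIAL_TEB InitialTeb)
; Commits a read/write region of CommittedStackSize bytes in Process and
; describes it in *InitialTeb for ZwCreateThread.
; In:    stack args as above (all DWORD)
; Out:   eax = NTSTATUS: 0 on success, otherwise the status returned by
;        ZwAllocateVirtualMemory. *InitialTeb is filled on success and
;        left all-zero on failure (the original left it uninitialised).
; Clob:  ecx, edx, flags (stdcall callees); esi saved by USES
; Notes: MaximumStackSize and ZeroBits are accepted for signature
;        compatibility but not used: the whole stack is committed in a
;        single call, nothing is reserved beyond it and no guard page is
;        set up.
;-----------------------------------------------------------------------
_RtlpCreateStack proc uses esi Process,MaximumStackSize,CommittedStackSize,ZeroBits,PINITIAL_TEB
LOCAL Stack:DWORD
    ; Clear the output first so a failed allocation never hands the caller
    ; an INITIAL_TEB with stack garbage in it. This also covers the
    ; OldStackBase/OldStackLimit = 0 stores of the success path.
    invoke RtlZeroMemory,PINITIAL_TEB,sizeof INITIAL_TEB
    and Stack,NULL                      ; BaseAddress = NULL: kernel picks the address
    ; CommittedStackSize is passed by address: the kernel rounds it up to
    ; whole pages in place, so the value used below is the real region size.
    invoke ZwAllocateVirtualMemory,Process,\
        addr Stack,\
        0,\
        addr CommittedStackSize,\
        MEM_COMMIT,\
        PAGE_READWRITE
    test eax,eax
    jnz done                            ; any non-zero status is returned unchanged
    mov esi,PINITIAL_TEB
    assume esi:ptr INITIAL_TEB
    mov eax,Stack
    mov .StackLimit,eax                 ; lowest committed address
    mov .StackAllocationBase,eax        ; what _RtlpFreeStack releases
    add eax,CommittedStackSize
    mov .StackBase,eax                  ; initial ESP is derived from this
    assume esi:nothing
    xor eax,eax                         ; STATUS_SUCCESS
done:
    ret
_RtlpCreateStack endp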
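;-----------------------------------------------------------------------
; NTSTATUS _RtlpFreeStack(HANDLE Process, PINITIAL_TEB InitialTeb)
; Releases the region recorded by _RtlpCreateStack and clears *InitialTeb.
; In:    Process, InitialTeb (DWORD stack args)
; Out:   eax = NTSTATUS from ZwFreeVirtualMemory (preserved across the
;        RtlZeroMemory call; the original returned whatever that left in eax)
; Clob:  ecx, edx, flags; esi saved by USES
;-----------------------------------------------------------------------
_RtlpFreeStack proc uses esi Process,InitialTeb
LOCAL Zero:DWORD
    and Zero,0                          ; RegionSize 0 with MEM_RELEASE frees the whole allocation
    mov esi,InitialTeb
    assume esi:ptr INITIAL_TEB
    ; ZwFreeVirtualMemory takes PVOID *BaseAddress (the kernel reads and
    ; rewrites the variable), so the field's address must be passed. The
    ; original pushed the field's value; from kernel mode that value is then
    ; dereferenced unchecked as a pointer in the *current* process, which is
    ; at best the wrong region and at worst an unhandled kernel fault.
    lea edx,[esi].StackAllocationBase
    invoke ZwFreeVirtualMemory,Process,edx,addr Zero,MEM_RELEASE
    push eax                            ; keep the free status; RtlZeroMemory clobbers eax
    invoke RtlZeroMemory,esi,sizeof INITIAL_TEB
    pop eax
    assume esi:nothing
    ret
_RtlpFreeStack endp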
;-----------------------------------------------------------------------
; void _RtlInitializeContext(HANDLE process, PCONTEXT Context,
;                            PVOID Parameter, PVOID StartAddress,
;                            PVOID StackBase)
; Fills the initial user-mode CONTEXT for the new thread: ring-3 segment
; selectors, zeroed integer registers, EFLAGS with only IF set,
; EIP = StartAddress and ESP = StackBase rounded down to a multiple of 8.
; In:    stack args as above (DWORD)
; Out:   *Context written; eax holds the aligned ESP value on return
; Clob:  eax, flags; esi saved by USES
; Notes: process and Parameter are not used. Nothing is written to the
;        new stack, so the start routine finds neither an argument nor a
;        return address there.
;-----------------------------------------------------------------------
_RtlInitializeContext proc uses esi process,Context,Parameter,StartAddress,StackBase
    mov esi,Context
    ; 10007h = CONTEXT_i386 | CONTROL | INTEGER | SEGMENTS (CONTEXT_FULL).
    mov [esi].CONTEXT.ContextFlags,10007h
    ; Segment selectors: CS = user code, FS = TEB slot, the three data
    ; selectors share KGDT_R3_DATA, GS stays 0.
    mov [esi].CONTEXT.regSegCs,KGDT_R3_CODE
    mov [esi].CONTEXT.regSegFs,KGDT_R3_TEB
    mov [esi].CONTEXT.regSegDs,KGDT_R3_DATA
    mov [esi].CONTEXT.regSegEs,KGDT_R3_DATA
    mov [esi].CONTEXT.regSegSs,KGDT_R3_DATA
    mov [esi].CONTEXT.regSegGs,0
    ; All general-purpose registers start out zero.
    xor eax,eax
    mov [esi].CONTEXT.regEax,eax
    mov [esi].CONTEXT.regEbx,eax
    mov [esi].CONTEXT.regEcx,eax
    mov [esi].CONTEXT.regEdx,eax
    mov [esi].CONTEXT.regEsi,eax
    mov [esi].CONTEXT.regEdi,eax
    mov [esi].CONTEXT.regEbp,eax
    mov [esi].CONTEXT.regEFlags,200h    ; IF only
    ; Control state: entry point and 8-byte-aligned stack pointer.
    mov eax,StartAddress
    mov [esi].CONTEXT.regEip,eax
    mov eax,StackBase
    and eax,not 7
    mov [esi].CONTEXT.regEsp,eax
    ret
_RtlInitializeContext endp
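;-----------------------------------------------------------------------
; NTSTATUS _RtlCreateUserThread(HANDLE Process, PVOID SecurityDescriptor,
;       BOOLEAN CreateSuspended, ULONG StackZeroBits, SIZE_T StackReserved,
;       SIZE_T StackCommit, PVOID StartAddress, PVOID StartParameter,
;       PHANDLE ThreadHandle, PCLIENT_ID ClientID)
; Allocates a user stack in Process, builds the initial CONTEXT and calls
; the resolved ZwCreateThread pointer. On success *ThreadHandle and
; *ClientID are written; on failure the stack is released again.
; Out:   eax = NTSTATUS (stack-allocation status or ZwCreateThread status)
; Clob:  ecx, edx, flags; esi/edi saved by USES
; Notes: ThreadHandle and ClientID are written without a NULL check and
;        must be valid. ZwCreateThread (.data slot) must already have been
;        filled in by _drvmain. Changes from the page's version: the
;        _RtlpCreateStack result is checked instead of ignored, the
;        copy-out uses explicit [reg].STRUCT.field addressing instead of
;        two simultaneous ASSUMEs on `.field` (ambiguous), the lost
;        `mov [ecx],eax` is restored, and the unused locals are gone.
;-----------------------------------------------------------------------
_RtlCreateUserThread proc uses esi edi Process,\
    SecurityDescriptor,\
    CreateSuspended,\
    StackZeroBits,\
    StackReserved,\
    StackCommit,\
    StartAddress,\
    StartParameter,\
    ThreadHandle,\
    ClientID
LOCAL hThread:DWORD
LOCAL context:CONTEXT
LOCAL initteb:INITIAL_TEB
LOCAL ThreadCid:CLIENT_ID
LOCAL oa:OBJECT_ATTRIBUTES
    invoke _RtlpCreateStack,Process,StackReserved,StackCommit,StackZeroBits,addr initteb
    ; _RtlpCreateStack returns a negative NTSTATUS when the allocation
    ; failed; stop here rather than feed an unset INITIAL_TEB and a bogus
    ; ESP to ZwCreateThread.
    .if eax<SDWORD ptr 0
        ret
    .endif
    invoke _RtlInitializeContext,Process,addr context,StartParameter,StartAddress,initteb.StackBase
    ; Anonymous thread object with the caller-supplied security descriptor.
    mov oa._Length,sizeof oa
    mov oa.RootDirectory,NULL
    mov oa.ObjectName,NULL
    mov oa.Attributes,0
    mov eax,SecurityDescriptor
    mov oa.SecurityDescriptor,eax
    mov oa.SecurityQualityOfService,NULL
    ; CS == 8 is the ring-0 code selector: ask for a kernel handle so the
    ; returned thread handle is not placed in the current process's table.
    mov ax,cs
    .if ax==8
        or oa.Attributes,OBJ_KERNEL_HANDLE
    .endif
    invoke ZwCreateThread,addr hThread,\
        THREAD_ALL_ACCESS,\
        addr oa,\
        Process,\
        addr ThreadCid,\
        addr context,\
        addr initteb,\
        CreateSuspended
    mov esi,eax                         ; keep the status across the cleanup / copy-out below
    .if eax<SDWORD ptr 0
        invoke _RtlpFreeStack,Process,addr initteb
    .else
        mov ecx,ThreadHandle
        mov eax,hThread
        mov [ecx],eax                   ; *ThreadHandle = hThread
        mov edx,ClientID
        mov eax,ThreadCid.UniqueProcess
        mov [edx].CLIENT_ID.UniqueProcess,eax
        mov eax,ThreadCid.UniqueThread
        mov [edx].CLIENT_ID.UniqueThread,eax
    .endif
    mov eax,esi
    ret
_RtlCreateUserThread endp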
; Empty placeholder procedure; nothing on this page references it.
_non proc
ret
_non endp
; Template of an ntoskrnl Zw* service stub. It is never executed: only its
; assembled length (thunk_length) is used, by _drvmain, to step from the
; ZwCreateSymbolicLinkObject stub to the stub that follows it in memory.
; The 34h below is just the index baked into this template; the stub that
; actually gets called carries whatever index the running kernel build has.
thunk:
mov eax,34h
; The operand of the next instruction was lost when the page was extracted
; (bracketed text was stripped); restore it from the original post before
; assembling, since the instruction's length feeds thunk_length.
lea edx,
pushfd
push 8
call $                                  ; 5-byte rel32 call standing in for the real stub's dispatcher call
ret 10h                                 ; 3-byte ret imm16; the immediate only affects the template length
; Byte length of the template above.
thunk_length equ $-offset thunk
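;-----------------------------------------------------------------------
; _drvmain: driver body, called once from __DriverEntry.
; Resolves the ZwCreateThread slot, opens the process whose id is
; hard-coded below and creates a thread in it at the hard-coded address.
; Out:   eax = 1 (returned unchanged by __DriverEntry)
; Clob:  ecx, edx, flags; ebx/esi/edi saved by USES
; Notes: the process id (02d0h) and start address (0b50000h) are values
;        from the author's own test session; nothing on this page maps
;        anything at that address. ZwCreateThread is derived from the IAT
;        slot of ZwCreateSymbolicLinkObject plus thunk_length, i.e. it
;        assumes the kernel's Zw stubs are contiguous and in that order —
;        a per-build layout assumption, not a documented interface.
;        Change from the page's version: the thread handle is only closed
;        when _RtlCreateUserThread succeeded, because `thread` is never
;        written on failure and ZwClose from kernel mode on an
;        uninitialised value may close an unrelated handle.
;-----------------------------------------------------------------------
_drvmain proc uses esi edi ebx
LOCAL process:DWORD
LOCAL thread:DWORD
LOCAL ClientId:CLIENT_ID
LOCAL oa:OBJECT_ATTRIBUTES
LOCAL tBase:DWORD
    mov eax,_imp__ZwCreateSymbolicLinkObject@16
    add eax,thunk_length
    mov ZwCreateThread,eax
    ;
    mov tBase,0b50000h
    ; CLIENT_ID with only UniqueProcess set selects the process by id.
    mov ClientId.UniqueProcess,02d0h
    and ClientId.UniqueThread,NULL
    mov oa._Length,sizeof oa
    mov oa.RootDirectory,NULL
    mov oa.ObjectName,NULL
    mov oa.Attributes,0
    mov oa.SecurityDescriptor,NULL
    mov oa.SecurityQualityOfService,NULL
    invoke ZwOpenProcess,addr process,PROCESS_ALL_ACCESS,addr oa,addr ClientId
    .if eax>=SDWORD ptr 0
        ; reserve 0, commit 4000h (single-call commit, see _RtlpCreateStack),
        ; no start parameter, not suspended
        invoke _RtlCreateUserThread,process,NULL,FALSE,0,0,4000h,tBase,NULL,addr thread,addr ClientId
        .if eax>=SDWORD ptr 0
            invoke ZwClose,thread
        .endif
        invoke ZwClose,process
    .endif
    mov eax,1
    ret
_drvmain endp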
;-----------------------------------------------------------------------
; NTSTATUS __DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pusRegistryPath)
; Driver entry point (named in the END directive). Both arguments are
; unused; no DriverUnload routine and no device object are set up.
; Out:   eax = whatever _drvmain leaves (1). NT_SUCCESS treats 1 as
;        success because the severity bits are clear, but it is not
;        STATUS_SUCCESS (0).
;-----------------------------------------------------------------------
__DriverEntry proc pDriverObject:dword, pusRegistryPath:dword
; Hard-coded breakpoint: presumably the author ran this under a kernel
; debugger; with none attached a kernel-mode breakpoint is an unhandled
; exception.
int 3
call _drvmain
ret
__DriverEntry endp
end __DriverEntry
创建完以后,这个线程有什么强大特征吗?? 誓不回头 发表于 2018-5-3 21:11
创建完以后,这个线程有什么强大特征吗??
没什么强大特征 没有通知csr 权限约等同于users权限 只是相对隐蔽的一种方式 如果没有特征,如此就意义不大。。。:L