- UID
- 2
- 精华
- 积分
- 7736
- 威望
- 点
- 宅币
- 个
- 贡献
- 次
- 宅之契约
- 份
- 最后登录
- 1970-1-1
- 在线时间
- 小时
|
本帖最后由 元始天尊 于 2014-9-20 21:32 编辑
2年前没解决的这个问题,就在今天解决了:正常情况下,Win7系统16扇区以后写操作是无效的,如果要破解这个通常会在驱动级实现,然而这里提供一种应用层实现方式:
-
- HANDLE handle=CreateFile("\\\\.\\c:",GENERIC_ALL,FILE_SHARE_READ|FILE_SHARE_WRITE,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL);
- //GENERIC_ALL有时不好使,不过权限最大,如果用GENERIC_ALL返回INVALID_HANDLE则改成GENERIC_READ|GENERIC_WRITE
- BOOL ret;
- ret=SetFilePointer(handle,0x0000CC00,NULL,FILE_BEGIN);
- BYTE buffer[512];
- memset(buffer,1,512);
- DWORD num;
- ret=DeviceIoControl(handle,FSCTL_DISMOUNT_VOLUME,NULL,0,NULL,0,&num,NULL);//注意FSCTL_LOCK_VOLUME无效
- //下面要写数据了,注意别把自己的数据写了,自己修改上面的偏移
- ret=WriteFile(handle,buffer,512,&num,NULL);//必须是扇区大小的倍数,否则报参数错
- CloseHandle(handle);
复制代码
当非Administrator和Administrators组的用户访问CreateFile时会失败,这时需要用到提权函数,下面是逆向出的unlocker的一部分代码用于提权
- bool SetACL(LPWSTR OjbectName)
- {
- PSID pEveryoneSID=NULL,pAdminSID=NULL;
- SID_IDENTIFIER_AUTHORITY SIDAuthWorld=SECURITY_WORLD_SID_AUTHORITY;
- if(!AllocateAndInitializeSid(&SIDAuthWorld,1,SECURITY_WORLD_RID,0,0,0,0,0,0,0,&pEveryoneSID))
- {//ERROR
- if(pEveryoneSID) FreeSid(pEveryoneSID);
- return FALSE;
- }
-
- SID_IDENTIFIER_AUTHORITY SIDAuthNT=SECURITY_NT_AUTHORITY;
- if(!AllocateAndInitializeSid(&SIDAuthNT,2,SECURITY_BUILTIN_DOMAIN_RID,DOMAIN_ALIAS_RID_ADMINS,
- 0,0,0,0,0,0,&pAdminSID))
- {
- if(pAdminSID) FreeSid(pAdminSID);
- if(pEveryoneSID) FreeSid(pEveryoneSID);
- return FALSE;
- }
-
- EXPLICIT_ACCESS ea[2];
- ZeroMemory(ea,2*sizeof(EXPLICIT_ACCESS));
- ea[0].grfAccessPermissions=GENERIC_ALL;
- ea[0].grfAccessMode=SET_ACCESS;
- ea[0].grfInheritance=NO_INHERITANCE;
- ea[0].Trustee.TrusteeForm=TRUSTEE_IS_SID;
- ea[0].Trustee.TrusteeType=TRUSTEE_IS_WELL_KNOWN_GROUP;
- ea[0].Trustee.ptstrName=(LPSTR)pEveryoneSID;
- ea[1].grfAccessPermissions=GENERIC_ALL;
- ea[1].grfAccessMode=SET_ACCESS;
- ea[1].grfInheritance=NO_INHERITANCE;
- ea[1].Trustee.TrusteeForm=TRUSTEE_IS_SID;
- ea[1].Trustee.TrusteeType=TRUSTEE_IS_GROUP;
- ea[1].Trustee.ptstrName=(LPSTR)pAdminSID;
-
- PACL pACL=NULL;
- if(!SetEntriesInAcl(2,ea,NULL,&pACL))
- {
- DWORD nRet=SetNamedSecurityInfoW(OjbectName,SE_FILE_OBJECT,DACL_SECURITY_INFORMATION,NULL,NULL,pACL,NULL);
-
- if(nRet == ERROR_ACCESS_DENIED)
- {
- SetNamedSecurityInfoW(OjbectName,SE_FILE_OBJECT,OWNER_SECURITY_INFORMATION,pAdminSID,NULL,NULL,NULL);
- SetNamedSecurityInfoW(OjbectName,SE_FILE_OBJECT,DACL_SECURITY_INFORMATION,NULL,NULL,pACL,NULL);
- }
- }
-
- if(pACL) LocalFree(pACL);
- if(pAdminSID) FreeSid(pAdminSID);
- if(pEveryoneSID) FreeSid(pEveryoneSID);
- return 0;
- }
复制代码
|
|