ring0使用ZwCreateThread创建用户线程

发表于 2016-8-4 05:07:15 | 显示全部楼层 |阅读模式

本帖最后由 Ayala 于 2016-10-10 10:39 编辑

.386
.model flat,stdcall
option casemap:none




include 	..\..\..\masm32\include\w2k\ntstatus.inc
include 	..\..\..\masm32\include\w2k\ntddk.inc
include 	..\..\..\masm32\include\w2k\w2kundoc.inc

include 	..\..\..\masm32\include\w2k\hal.inc
includelib 	..\..\..\masm32\lib\w2k\hal.lib

include 	..\..\..\masm32\include\w2k\ntoskrnl.inc
includelib 	..\..\..\masm32\lib\w2k\ntoskrnl.lib

include 	..\..\..\masm32\Macros\Strings.mac


; GDT selectors stored into the new thread's initial segment registers by
; _RtlInitializeContext. They are the raw descriptor indices: the RPL bits
; (|3 -> 001Bh/0023h/003Bh) are not set anywhere in this listing, so a
; user-mode CONTEXT built from them relies on the kernel sanitizing the
; selectors on the way in — TODO confirm for the target kernel build.
KGDT_R3_DATA equ 00020H
KGDT_R3_CODE equ 00018H
KGDT_R3_TEB equ 00038H


; OBJECT_ATTRIBUTES.Attributes flag: create the handle in the kernel (System
; process) handle table so it is valid only from kernel mode. Set by
; _RtlCreateUserThread when it detects it is running in ring 0.
OBJ_KERNEL_HANDLE  equ 00000200H


; Stack description handed to ZwCreateThread as its "initial TEB" argument.
; Filled by _RtlpCreateStack, released and zeroed by _RtlpFreeStack.
IFNDEF INITIAL_TEB
INITIAL_TEB struc
	OldStackBase			DWORD ?	; always written as 0 here
	OldStackLimit  			DWORD ?	; always written as 0 here
	StackBase 				DWORD ?	; one past the highest committed byte; the stack grows down from here
	StackLimit 				DWORD ?	; lowest committed address (== StackAllocationBase in this listing)
	StackAllocationBase		DWORD ?	; base of the region, what ZwFreeVirtualMemory is given
INITIAL_TEB ends
ENDIF


; Process/thread id pair. Used in two roles in this listing: as the lookup
; key for ZwOpenProcess (UniqueThread = 0) and as the out-parameter that
; ZwCreateThread fills with the new thread's ids.
IFNDEF CLIENT_ID
CLIENT_ID STRUCT	; sizeof = 8 
	UniqueProcess	HANDLE	?	; process id
	UniqueThread	HANDLE	?	; thread id, 0 when only the process is addressed
CLIENT_ID ENDS
ENDIF

; Object attributes passed to ZwOpenProcess and ZwCreateThread. In this
; listing only _Length, Attributes and SecurityDescriptor are ever non-zero.
IFNDEF OBJECT_ATTRIBUTES
OBJECT_ATTRIBUTES STRUCT		; sizeof = 18h
	_Length						DWORD			? ; original name Length (a MASM operator, hence the underscore); set to sizeof OBJECT_ATTRIBUTES
	RootDirectory				HANDLE			? ; NULL here
	ObjectName					PUNICODE_STRING	? ; NULL here
	Attributes					DWORD			? ; 0 or OBJ_KERNEL_HANDLE
	SecurityDescriptor			PVOID			? ; Points to type SECURITY_DESCRIPTOR
	SecurityQualityOfService	PVOID			? ; Points to type SECURITY_QUALITY_OF_SERVICE; NULL here
OBJECT_ATTRIBUTES ENDS
; NOTE: declared as the struct itself, not as a pointer to it; unused in this listing.
POBJECT_ATTRIBUTES typedef OBJECT_ATTRIBUTES
ENDIF


	; Generic 8 x DWORD STDCALL prototype. ZwCreateThread takes eight
	; DWORD-sized arguments, so it can be invoked through a pointer of this
	; type once its address is known.
	PROTO@32 TYPEDEF PROTO STDCALL :DWORD,:DWORD,:DWORD,:DWORD,:DWORD,:DWORD,:DWORD,:DWORD
	PPROTO@32 TYPEDEF ptr PROTO@32
	
	; Import-table slot of ZwCreateSymbolicLinkObject. _drvmain does not import
	; ZwCreateThread; it derives its address from this slot by adding
	; thunk_length, i.e. it assumes the two Zw stubs are adjacent and equally
	; sized in the running kernel. That assumption is build-specific and is
	; not validated anywhere in this listing.
	externdef _imp__ZwCreateSymbolicLinkObject@16:DWORD 
	
.data
	; Filled in at runtime by _drvmain; NULL until then. _RtlCreateUserThread
	; calls through it without checking.
	ZwCreateThread PPROTO@32 0
	
	

.code


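;-----------------------------------------------------------------------
; NTSTATUS _RtlpCreateStack(HANDLE Process, ULONG MaximumStackSize,
;                           ULONG CommittedStackSize, ULONG ZeroBits,
;                           PINITIAL_TEB PINITIAL_TEB)
; Allocates the new thread's user-mode stack inside Process and describes
; it in *PINITIAL_TEB.
; In:   Process            - handle to the target process
;       MaximumStackSize   - accepted for interface compatibility only; the
;                            region is committed in one step, so the
;                            committed size is also the reserved size
;       CommittedStackSize - bytes to commit; ZwAllocateVirtualMemory writes
;                            the page-rounded size back into this argument
;                            and that rounded size is what StackBase uses
;       ZeroBits           - forwarded to ZwAllocateVirtualMemory
;       PINITIAL_TEB       - receives OldStackBase/OldStackLimit = 0,
;                            StackLimit = StackAllocationBase = region base,
;                            StackBase = region base + committed size
; Out:  eax = STATUS_SUCCESS, or the non-zero ZwAllocateVirtualMemory status
;       (in which case *PINITIAL_TEB is left untouched)
; Clob: ecx, edx, flags (esi saved by `uses`)
;-----------------------------------------------------------------------
_RtlpCreateStack proc uses esi Process,MaximumStackSize,CommittedStackSize,ZeroBits,PINITIAL_TEB

	LOCAL Stack:DWORD
	
	; BaseAddress = NULL: let the kernel choose where the region goes.
	and Stack,NULL
	invoke ZwAllocateVirtualMemory,Process,\
								addr Stack,\
								ZeroBits,\
								addr CommittedStackSize,\
								MEM_COMMIT,\
								PAGE_READWRITE
	
	; Anything other than STATUS_SUCCESS is returned to the caller as-is.
	test eax,eax
	jnz done
	
	mov esi,PINITIAL_TEB
	assume esi:ptr INITIAL_TEB
	
	mov [esi].OldStackBase,0
	mov [esi].OldStackLimit,0
	
	mov eax,Stack
	mov [esi].StackLimit,eax
	mov [esi].StackAllocationBase,eax
	
	; CommittedStackSize now holds the rounded size written back by the kernel.
	add eax,CommittedStackSize
	mov [esi].StackBase,eax
	
	assume esi:nothing
	
	; Report success explicitly; eax otherwise still holds StackBase, which a
	; caller would misread as a status.
	xor eax,eax			; STATUS_SUCCESS
done:
	ret
_RtlpCreateStack endp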

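;-----------------------------------------------------------------------
; NTSTATUS _RtlpFreeStack(HANDLE Process, PINITIAL_TEB InitialTeb)
; Releases the stack region described by *InitialTeb and zeroes the struct.
; In:   Process    - handle to the process that owns the stack
;       InitialTeb - as filled by _RtlpCreateStack
; Out:  eax = ZwFreeVirtualMemory status (callers in this listing ignore it);
;       *InitialTeb is zeroed regardless
; Clob: ecx, edx, flags (esi/edi saved by `uses`)
;-----------------------------------------------------------------------
_RtlpFreeStack proc uses esi edi Process,InitialTeb
	LOCAL Zero:DWORD
	
	; MEM_RELEASE requires RegionSize == 0: the whole allocation goes.
	and Zero,0
	mov esi,InitialTeb
	assume esi:ptr INITIAL_TEB
	; ZwFreeVirtualMemory's second argument is PVOID *BaseAddress. Pass the
	; address of the StackAllocationBase field, not its value: the value is a
	; user address in the target process and would be dereferenced as a
	; pointer in the current address space.
	invoke ZwFreeVirtualMemory,Process,addr [esi].StackAllocationBase,addr Zero,MEM_RELEASE
	mov edi,eax					; keep the status across RtlZeroMemory
	
	invoke RtlZeroMemory,esi,sizeof INITIAL_TEB
	assume esi:nothing
	mov eax,edi
	ret
_RtlpFreeStack endp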

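;-----------------------------------------------------------------------
; NTSTATUS _RtlInitializeContext(HANDLE process, PCONTEXT Context,
;                                PVOID Parameter, PVOID StartAddress,
;                                PVOID StackBase)
; Builds the initial user-mode CONTEXT of a thread that starts at
; StartAddress and finds Parameter as its single stack argument.
; In:   process      - handle to the process the stack lives in; used to
;                      store Parameter on the new stack
;       Context      - CONTEXT to fill (ContextFlags = CONTEXT_FULL)
;       Parameter    - written to [Esp+4] of the new thread
;       StartAddress - initial Eip
;       StackBase    - top of the committed stack (INITIAL_TEB.StackBase)
; Out:  eax = ZwWriteVirtualMemory status (STATUS_SUCCESS when Parameter was
;       stored); *Context is completely written either way
; Clob: ecx, edx, flags (esi/edi saved by `uses`)
; Note: the segment selectors are stored without RPL 3 (0018h/0020h/0038h
;       rather than 001Bh/0023h/003Bh). This relies on the kernel sanitizing
;       a user-mode CONTEXT — TODO confirm for the target kernel.
;-----------------------------------------------------------------------
_RtlInitializeContext proc uses esi edi process,Context,Parameter,StartAddress,StackBase
	
	mov esi,Context
	assume esi:ptr CONTEXT
	
	mov [esi].ContextFlags,10007h		; CONTEXT_CONTROL or CONTEXT_INTEGER or CONTEXT_SEGMENTS
	
	; General-purpose registers start out zeroed.
	xor eax,eax
	mov [esi].regEax,eax
	mov [esi].regEcx,eax
	mov [esi].regEdx,eax
	mov [esi].regEbx,eax
	mov [esi].regEsi,eax
	mov [esi].regEdi,eax
	mov [esi].regEbp,eax

	mov [esi].regSegGs,eax
	mov [esi].regSegFs,KGDT_R3_TEB
	mov [esi].regSegEs,KGDT_R3_DATA
	mov [esi].regSegDs,KGDT_R3_DATA
	mov [esi].regSegSs,KGDT_R3_DATA
	mov [esi].regSegCs,KGDT_R3_CODE
	
	mov [esi].regEFlags,200h			; IF only
	
	mov eax,StartAddress
	mov [esi].regEip,eax
	
	; Lay out the start frame the way a stdcall routine expects:
	;   [Esp]   return address — left 0 (freshly committed memory is
	;           zero-filled), so a plain ret from StartAddress faults
	;   [Esp+4] Parameter
	; edi is used for the running stack pointer because invoke's ADDR
	; operands clobber eax.
	mov edi,StackBase
	and edi,-8						; 8-byte align the top of stack
	sub edi,sizeof DWORD				; slot for Parameter
	invoke ZwWriteVirtualMemory,process,edi,addr Parameter,sizeof DWORD,NULL
	sub edi,sizeof DWORD				; slot for the return address
	mov [esi].regEsp,edi
		
	assume esi:nothing
	ret
_RtlInitializeContext endp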

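;-----------------------------------------------------------------------
; NTSTATUS _RtlCreateUserThread(HANDLE Process, PSECURITY_DESCRIPTOR SecurityDescriptor,
;                               BOOLEAN CreateSuspended, ULONG StackZeroBits,
;                               ULONG StackReserved, ULONG StackCommit,
;                               PVOID StartAddress, PVOID StartParameter,
;                               PHANDLE ThreadHandle, PCLIENT_ID ClientID)
; Creates a user-mode thread in Process: allocates its stack, builds the
; initial CONTEXT and calls ZwCreateThread through the pointer that _drvmain
; resolved.
; In:   Process            - handle to the target process
;       SecurityDescriptor - stored in the OBJECT_ATTRIBUTES (may be NULL)
;       CreateSuspended    - passed through to ZwCreateThread
;       StackZeroBits, StackReserved, StackCommit - forwarded to _RtlpCreateStack
;       StartAddress, StartParameter - initial Eip and the routine's argument
;       ThreadHandle       - required; receives the new handle on success
;       ClientID           - optional; receives the new thread's ids on success
; Out:  eax = NTSTATUS. On an error status (sign bit set) nothing is written
;       to *ThreadHandle or *ClientID and the stack allocation is released.
; Clob: ecx, edx, flags (esi/edi saved by `uses`)
; Note: ZwCreateThread must already hold a valid address; it is not checked.
;-----------------------------------------------------------------------
_RtlCreateUserThread proc uses esi edi Process,\
										SecurityDescriptor,\
										CreateSuspended,\
										StackZeroBits,\
										StackReserved,\
										StackCommit,\
										StartAddress,\
										StartParameter,\
										ThreadHandle,\
										ClientID
	LOCAL hThread:DWORD
	LOCAL context:CONTEXT
	LOCAL initteb:INITIAL_TEB
	LOCAL ThreadCid:CLIENT_ID
	LOCAL oa:OBJECT_ATTRIBUTES
	
	invoke _RtlpCreateStack,Process,StackReserved,StackCommit,StackZeroBits,addr initteb
	; Do not build a CONTEXT on an unfilled initteb: give up on an error
	; status (only the sign bit is tested).
	.if eax<SDWORD ptr 0
		ret
	.endif
	
	invoke _RtlInitializeContext,Process,addr context,StartParameter,StartAddress,initteb.StackBase
	
	mov oa._Length,sizeof oa
	mov oa.RootDirectory,NULL
	mov oa.ObjectName,NULL
	mov oa.Attributes,0
	mov eax,SecurityDescriptor
	mov oa.SecurityDescriptor,eax
	mov oa.SecurityQualityOfService,NULL
	; Running in ring 0 (CS == KGDT_R0_CODE == 8): ask for a kernel handle so
	; the new handle does not land in the current process's handle table.
	mov ax,cs
	.if ax==8
		or oa.Attributes,OBJ_KERNEL_HANDLE	
	.endif
	
	invoke ZwCreateThread,addr hThread,\
						THREAD_ALL_ACCESS,\
						addr oa,\
						Process,\
						addr ThreadCid,\
						addr context,\
						addr initteb,\
						CreateSuspended
	mov esi,eax						; esi = status to return
	.if eax<SDWORD ptr 0
		invoke _RtlpFreeStack,Process,addr initteb
	.else
		mov ecx,ThreadHandle
		mov eax,hThread
		mov [ecx],eax
		
		; Copy the ids ZwCreateThread produced (local ThreadCid) out to the
		; caller's buffer, if one was supplied.
		mov edx,ClientID
		.if edx!=NULL
			assume edx:ptr CLIENT_ID
			mov eax,ThreadCid.UniqueProcess
			mov [edx].UniqueProcess,eax
			mov eax,ThreadCid.UniqueThread
			mov [edx].UniqueThread,eax
			assume edx:nothing
		.endif
	.endif
	mov eax,esi
	ret
_RtlCreateUserThread endp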


; Empty placeholder procedure; not referenced anywhere in this listing.
_non proc

	ret
_non endp


; Size template, never executed. The sequence appears to mirror the shape of
; an ntoskrnl Zw* system-service stub so that thunk_length equals one stub's
; encoded size: _drvmain adds it to the ZwCreateSymbolicLinkObject import
; slot to reach the stub that follows it. The immediates (34h, 10h) and the
; `call $` target are placeholders chosen for encoding length only. The
; resulting pointer is correct only for a kernel build whose stubs are laid
; out exactly this way; nothing in this listing verifies that before the
; pointer is called.
thunk:
	mov eax,34h
	lea edx,[esp+4]
	pushfd
	push 8
	call $
	ret 10h
thunk_length equ $-offset thunk	


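;-----------------------------------------------------------------------
; ULONG _drvmain(void)
; Driver-side test routine: resolves ZwCreateThread, opens the process with
; the hard-coded id and starts a thread in it at the hard-coded address.
; In:   none. The process id (02d0h) and start address (0b50000h) are
;       constants that appear to belong to the author's own test setup and
;       are not meaningful elsewhere.
; Out:  eax = 1 unconditionally (a success-class status; __DriverEntry
;       returns it as the driver's status)
; Clob: ecx, edx, flags (esi/edi/ebx saved by `uses`)
; Note: PROCESS_ALL_ACCESS requests more than the operations below need;
;       the minimal access mask has not been verified here.
;-----------------------------------------------------------------------
_drvmain proc uses esi edi ebx
	LOCAL process:DWORD
	LOCAL thread:DWORD
	LOCAL ClientId:CLIENT_ID
	LOCAL oa:OBJECT_ATTRIBUTES
	LOCAL tBase:DWORD
	
	; ZwCreateThread = ZwCreateSymbolicLinkObject import slot + one stub size
	; (see thunk). Build-specific; no validation of the result.
	mov eax,_imp__ZwCreateSymbolicLinkObject@16
	add eax,thunk_length
	mov ZwCreateThread,eax
	
	; Start address inside the target process (test constant).
	mov tBase,0b50000h
	
	; Address the process by id only.
	mov ClientId.UniqueProcess,02d0h
	and ClientId.UniqueThread,NULL

	mov oa._Length,sizeof oa
	mov oa.RootDirectory,NULL
	mov oa.ObjectName,NULL
	mov oa.Attributes,0
	mov oa.SecurityDescriptor,NULL
	mov oa.SecurityQualityOfService,NULL
	
	invoke ZwOpenProcess,addr process,PROCESS_ALL_ACCESS,addr oa,addr ClientId
	.if eax>=SDWORD ptr 0

		; StackReserved = 0, StackCommit = 4000h, not suspended, no start
		; parameter. ClientId is also passed as the ClientID out-parameter.
		invoke _RtlCreateUserThread,process,NULL,FALSE,0,0,4000h,tBase,NULL,addr thread,addr ClientId
		
		; `thread` is only written on success; do not ZwClose an
		; uninitialised local.
		.if eax>=SDWORD ptr 0
			invoke ZwClose,thread
		.endif
		invoke ZwClose,process
		
	.endif
	mov eax,1
	ret
_drvmain endp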

;-----------------------------------------------------------------------
; NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pusRegistryPath)
; Both arguments are unused. `int 3` is a hard breakpoint: with no kernel
; debugger attached it bugchecks the machine, so it belongs in debug builds
; only. _drvmain's eax (always 1) becomes the driver's load status.
;-----------------------------------------------------------------------
__DriverEntry proc pDriverObject:dword, pusRegistryPath:dword
	int 3
	call _drvmain
	ret
__DriverEntry endp
end __DriverEntry

发表于 2018-5-3 21:11:29 | 显示全部楼层
创建完以后,这个线程有什么强大特征吗??

 楼主| 发表于 2018-5-3 21:21:58 | 显示全部楼层
誓不回头 发表于 2018-5-3 21:11
创建完以后,这个线程有什么强大特征吗??

没什么强大特征，没有通知 csr，权限约等同于 users 权限，只是相对隐蔽的一种方式。

发表于 2018-5-3 21:44:13 | 显示全部楼层
如果没有特征，这样就意义不大……
