13 Security Lab

출처 : http://blog.daum.net/aswip/8429343 1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980 #include #include #include // for IsUserAnAdmin() function.#pragma comment(lib, "shell32.lib") // for IsUserAnAdmin() function. BOOL GetProcessElevation(TOKEN_ELEVATION_TYPE *pElevationType, BOOL *pIsAdmin)..

System 권한여부체크 1234567891011121314151617181920212223242526272829signed int __thiscall Check_ProcessSID(void *this){ Flag = 0; hToken = 0; if ( OpenProcessToken(this, 8, &hToken) ) { v5 = 0x44; if ( CreateWellKnownSid(22, 0, &SystemSID_INFO, &v5) )// 22 : WinLocalSystemSid { v7 = 0; GetTokenInformation(hToken, 1, 0); if ( GetLastError() == 122 ) { LocalMem_Var = HeapAlloc(dword_405048); // Get loc..

Processes User mode Kernel mode NtTerminateProcess PsTerminateProcess/PspTerminateProcess NtOpenProcess PsLookupProcessByProcessId, ObOpenObjectByPointer Threads User mode Kernel mode NtTerminateThread PspTerminateThreadByPointer NtOpenThread PsLookupThreadByThreadId, ObOpenObjectByPointer NtGetContextThread PsGetContextThread NtSetContextThread PsSetContextThread Virtual memory User mode Kernel..

Process Win32 Native API OpenProcess NtOpenProcess TerminateProcess NtTerminateProcess CreateProcess NtCreateProcess(Ex)/NtCreateUserProcess, RtlCreateUserProcess GetProcessId NtQueryInformationProcess (ProcessBasicInformation) ExitProcess RtlExitUserProcess (Windows Vista and later) GetPriorityClass NtQueryInformationProcess (ProcessPriorityClass) SetPriorityClass NtSetInformationProcess (Proce..

SHFileOperation wFunc Type: UINT A value that indicates which operation to perform. One of the following values: FO_COPY Copy the files specified in the pFrom member to the location specified in the pTo member. FO_DELETE Delete the files specified in pFrom. FO_MOVE Move the files specified in pFrom to the location specified in pTo. FO_RENAME Rename the file specified in pFrom. You cannot use thi..