목록2015/05 (6)

13 Security Lab

Windows 7 dll Injection

CreateRemoteThread 이용 LoadLibrary 호출.... Fail-> NtCreateThreadEx 이용하여 호출 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869 70 // NtCreateThreadEx 함수 원형 typedef DWORD (WINAPI *t_fNtCreateThreadEx)( PHANDLE ThreadHandle, ACCESS_MASK DesiredAccess, LPVOID ObjectAttributes, HANDLE ProcessHandle, LPTHREAD_START_ROUTINE lp..
Computer Science/Programming 2015. 5. 13. 13:36
토큰권한적용 AdjustTokenPrivileges

123456789101112131415161718192021222324int Adjust_Privilege_Func(){ int v0; int v1; int v2; int v4; char v5; int v6; int v7; v0 = 0; v1 = GetCurrentProcess(0x20); if ( OpenProcessToken(v1, v2, &v7) ) { v4 = 1; if ( LookupPrivilegeValueW(0, L"SeDebugPrivilege", &v5) )// if Process has "SeDebugPrivilege" { v6 = 2; v0 = AdjustTokenPrivileges(v7, 0, &v4, 16, 0, 0);// Enable SeDebugPrivilege } CloseH..
Computer Science/Windows Externals 2015. 5. 11. 18:27
System 권한여부체크 [2]

출처 : http://blog.daum.net/aswip/8429343 1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980 #include #include #include // for IsUserAnAdmin() function.#pragma comment(lib, "shell32.lib") // for IsUserAnAdmin() function. BOOL GetProcessElevation(TOKEN_ELEVATION_TYPE *pElevationType, BOOL *pIsAdmin)..
Computer Science/Windows Externals 2015. 5. 11. 18:11
System 권한여부체크 [1]

System 권한여부체크 1234567891011121314151617181920212223242526272829signed int __thiscall Check_ProcessSID(void *this){ Flag = 0; hToken = 0; if ( OpenProcessToken(this, 8, &hToken) ) { v5 = 0x44; if ( CreateWellKnownSid(22, 0, &SystemSID_INFO, &v5) )// 22 : WinLocalSystemSid { v7 = 0; GetTokenInformation(hToken, 1, 0); if ( GetLastError() == 122 ) { LocalMem_Var = HeapAlloc(dword_405048); // Get loc..
Computer Science/Windows Externals 2015. 5. 11. 17:52
Windows API - User mode matched kernel mode

Processes User mode Kernel mode NtTerminateProcess PsTerminateProcess/PspTerminateProcess NtOpenProcess PsLookupProcessByProcessId, ObOpenObjectByPointer Threads User mode Kernel mode NtTerminateThread PspTerminateThreadByPointer NtOpenThread PsLookupThreadByThreadId, ObOpenObjectByPointer NtGetContextThread PsGetContextThread NtSetContextThread PsSetContextThread Virtual memory User mode Kernel..
Computer Science/Windows Externals 2015. 5. 1. 18:37
[API Referenc] Win32 matched Native API

Process Win32 Native API OpenProcess NtOpenProcess TerminateProcess NtTerminateProcess CreateProcess NtCreateProcess(Ex)/NtCreateUserProcess, RtlCreateUserProcess GetProcessId NtQueryInformationProcess (ProcessBasicInformation) ExitProcess RtlExitUserProcess (Windows Vista and later) GetPriorityClass NtQueryInformationProcess (ProcessPriorityClass) SetPriorityClass NtSetInformationProcess (Proce..
Computer Science/Windows Externals 2015. 5. 1. 18:36
Prev 1 Next