13 Security Lab
Source: http://blog.daum.net/aswip/8429343

Elevation check (UAC). The post reproduces a helper that reports two separate things about the current process: the token's elevation type and whether the user is an administrator. The listing is truncated after the prologue:

```c
#include <windows.h>
#include <shlobj.h>                 // for IsUserAnAdmin() function.
#pragma comment(lib, "shell32.lib") // for IsUserAnAdmin() function.

BOOL GetProcessElevation(TOKEN_ELEVATION_TYPE *pElevationType, BOOL *pIsAdmin)
..
```

The two outputs are distinct on purpose. With UAC on, a member of Administrators normally runs with a filtered token, so `*pIsAdmin` is TRUE while the elevation type is `TokenElevationTypeLimited`; `TokenElevationTypeFull` means the process is actually elevated; `TokenElevationTypeDefault` means there is no split token at all (UAC disabled, a standard user, or the built-in Administrator account). `IsUserAnAdmin` is documented as deprecated; the supported way to test group membership is `CheckTokenMembership` against the Administrators SID.
System privilege check (decompiled with Hex-Rays). The routine opens the target process's token, builds the LocalSystem well-known SID and compares it with the token's user SID, which is how a sample decides whether it is already running as SYSTEM. The excerpt is truncated and the trailing arguments of two calls are missing from it; the magic numbers are annotated:

```c
signed int __thiscall Check_ProcessSID(void *this)        // this = process handle
{
  Flag = 0;
  hToken = 0;
  if ( OpenProcessToken(this, 8, &hToken) )                // 8 = TOKEN_QUERY
  {
    v5 = 0x44;                                              // 68 = SECURITY_MAX_SID_SIZE, size of SystemSID_INFO
    if ( CreateWellKnownSid(22, 0, &SystemSID_INFO, &v5) )  // 22 = WinLocalSystemSid, i.e. S-1-5-18
    {
      v7 = 0;
      GetTokenInformation(hToken, 1, 0);                    // 1 = TokenUser; size probe with a NULL buffer (rest of the arguments not in the excerpt)
      if ( GetLastError() == 122 )                          // 122 = ERROR_INSUFFICIENT_BUFFER, expected after the probe
      {
        LocalMem_Var = HeapAlloc(dword_405048); // Get loc..
```
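The comparison that decompiled routine performs, as an added example that is not the post's code: a portable C model of the SID byte layout that CreateWellKnownSid(WinLocalSystemSid) fills in and EqualSid compares. Knowing the layout lets you recognise LocalSystem S-1-5-18 (01 01 00 00 00 00 00 05 12 00 00 00) or Administrators S-1-5-32-544 in a hex dump or a .data section without running the sample, and explains the 0x44 buffer size (SECURITY_MAX_SID_SIZE). The helper names, the decimal-only authority parsing and the constructed sample bytes are this example's own assumptions.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SID_MAX_SUB_AUTH      15
#define SECURITY_MAX_SID_SIZE 68  /* 8-byte header + 15 * 4: the 0x44 passed as cbSid above */

/* A SID as it sits in memory after CreateWellKnownSid or inside TokenUser:
 * Revision (1 byte) | SubAuthorityCount (1) | IdentifierAuthority (6, big-endian)
 * | SubAuthority[count] (4 bytes each, little-endian). */
typedef struct {
    uint8_t  revision;
    uint8_t  sub_count;
    uint8_t  authority[6];
    uint32_t sub[SID_MAX_SUB_AUTH];
} sid_t;

/* Parse the textual form "S-1-5-18" (decimal authority only). Returns 1 on success. */
int sid_from_string(const char *s, sid_t *sid)
{
    unsigned rev;
    unsigned long long auth;
    int used = 0;
    memset(sid, 0, sizeof *sid);
    if (sscanf(s, "S-%u-%llu%n", &rev, &auth, &used) != 2 || rev != 1 || auth > 0xFFFFFFFFFFFFULL)
        return 0;
    sid->revision = (uint8_t)rev;
    for (int i = 0; i < 6; i++) sid->authority[i] = (uint8_t)(auth >> (8 * (5 - i)));
    for (s += used; *s == '-'; s += used) {
        unsigned long v;
        if (sid->sub_count == SID_MAX_SUB_AUTH || !isdigit((unsigned char)s[1]) ||
            sscanf(s, "-%lu%n", &v, &used) != 1 || v > 0xFFFFFFFFUL)
            return 0;
        sid->sub[sid->sub_count++] = (uint32_t)v;
    }
    return *s == '\0';
}

/* Serialise to the in-memory byte layout. Returns 8 + 4*count, or 0 if cap is too small. */
size_t sid_to_bytes(const sid_t *sid, uint8_t *buf, size_t cap)
{
    size_t need = 8 + 4u * sid->sub_count;
    if (cap < need) return 0;
    buf[0] = sid->revision;
    buf[1] = sid->sub_count;
    memcpy(buf + 2, sid->authority, 6);
    for (int i = 0; i < sid->sub_count; i++)
        for (int k = 0; k < 4; k++) buf[8 + 4 * i + k] = (uint8_t)(sid->sub[i] >> (8 * k));
    return need;
}

/* Parse raw bytes (a SID lifted from a sample or a token dump). Returns 1 if well-formed. */
int sid_from_bytes(const uint8_t *buf, size_t len, sid_t *sid)
{
    if (len < 8 || buf[0] != 1 || buf[1] > SID_MAX_SUB_AUTH || len < 8 + 4u * buf[1]) return 0;
    memset(sid, 0, sizeof *sid);
    sid->revision = buf[0];
    sid->sub_count = buf[1];
    memcpy(sid->authority, buf + 2, 6);
    for (int i = 0; i < sid->sub_count; i++)
        for (int k = 0; k < 4; k++) sid->sub[i] |= (uint32_t)buf[8 + 4 * i + k] << (8 * k);
    return 1;
}

/* Text form "S-1-5-18"; returns the length written (snprintf semantics). */
int sid_to_string(const sid_t *sid, char *out, size_t cap)
{
    unsigned long long auth = 0;
    for (int i = 0; i < 6; i++) auth = (auth << 8) | sid->authority[i];
    int n = snprintf(out, cap, "S-%u-%llu", sid->revision, auth);
    for (int i = 0; i < sid->sub_count && n >= 0 && (size_t)n < cap; i++)
        n += snprintf(out + n, cap - (size_t)n, "-%lu", (unsigned long)sid->sub[i]);
    return n;
}

/* EqualSid equivalent: every field must match. */
int sid_equal(const sid_t *a, const sid_t *b)
{
    return a->revision == b->revision && a->sub_count == b->sub_count &&
           memcmp(a->authority, b->authority, 6) == 0 &&
           memcmp(a->sub, b->sub, 4u * a->sub_count) == 0;
}

/* The test the decompiled routine makes: is this TokenUser SID LocalSystem? */
int is_local_system(const uint8_t *token_user_sid, size_t len)
{
    sid_t got, want;
    return sid_from_bytes(token_user_sid, len, &got) &&
           sid_from_string("S-1-5-18", &want) && sid_equal(&got, &want);
}

int main(void)
{
    /* Constructed sample: the 12 bytes CreateWellKnownSid(WinLocalSystemSid, ...) writes. */
    static const uint8_t token_user_sid[] = {0x01,0x01, 0x00,0x00,0x00,0x00,0x00,0x05, 0x12,0x00,0x00,0x00};
    sid_t sid;
    char text[128];
    if (sid_from_bytes(token_user_sid, sizeof token_user_sid, &sid)) {
        sid_to_string(&sid, text, sizeof text);
        printf("%s -> %s\n", text,
               is_local_system(token_user_sid, sizeof token_user_sid) ? "LocalSystem" : "not LocalSystem");
    }
    return 0;
}
```

When the real code is available you would call CreateWellKnownSid and EqualSid; this model is for reading SIDs off disk or out of a memory dump where those APIs are not in play.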
Native calls (user mode) and the kernel routines behind them, as listed in the post (excerpt, truncated at "Virtual memory"):

| Object | User mode | Kernel mode |
|---|---|---|
| Processes | NtTerminateProcess | PsTerminateProcess/PspTerminateProcess |
| Processes | NtOpenProcess | PsLookupProcessByProcessId, ObOpenObjectByPointer |
| Threads | NtTerminateThread | PspTerminateThreadByPointer |
| Threads | NtOpenThread | PsLookupThreadByThreadId, ObOpenObjectByPointer |
| Threads | NtGetContextThread | PsGetContextThread |
| Threads | NtSetContextThread | PsSetContextThread |
| Virtual memory | .. | .. |

Win32 process functions and the native API each one reaches (excerpt, truncated):

| Process (Win32) | Native API |
|---|---|
| OpenProcess | NtOpenProcess |
| TerminateProcess | NtTerminateProcess |
| CreateProcess | NtCreateProcess(Ex)/NtCreateUserProcess, RtlCreateUserProcess |
| GetProcessId | NtQueryInformationProcess (ProcessBasicInformation) |
| ExitProcess | RtlExitUserProcess (Windows Vista and later) |
| GetPriorityClass | NtQueryInformationProcess (ProcessPriorityClass) |
| SetPriorityClass | NtSetInformationProcess (Proce.. |

SHFileOperation: wFunc (type UINT) is a value that indicates which operation to perform, one of the following:

- FO_COPY: copy the files specified in the pFrom member to the location specified in the pTo member.
- FO_DELETE: delete the files specified in pFrom.
- FO_MOVE: move the files specified in pFrom to the location specified in pTo.
- FO_RENAME: rename the file specified in pFrom. You cannot use thi..

When reading a sample, check fFlags alongside wFunc: FOF_ALLOWUNDO is what sends an FO_DELETE to the Recycle Bin, so a delete without it is permanent, and FOF_NOCONFIRMATION plus FOF_SILENT suppress the dialogs a user would otherwise see.
# SHGetFolderPath

Source: http://msdn.microsoft.com/library/en-us/shellcc/platform/shell/reference/enums/csidl.asp

CSIDL values provide a unique, system-independent way to identify special folders used frequently by applications, but which may not have the same name or location on any given system. For example, the system folder may be "C:\Windows" on one system and "C:\Winnt" on another. These cons..

When the constant appears as a raw number in a decompiled SHGetFolderPath call it is worth decoding, because it tells you where a sample intends to drop or persist: 0x1A is CSIDL_APPDATA, 0x07 is CSIDL_STARTUP, 0x25 is CSIDL_SYSTEM. SHGetFolderPath and the CSIDL constants are retained for compatibility; from Windows Vista the current API is SHGetKnownFolderPath with KNOWNFOLDERID values.
To change permissions on a file you cannot otherwise touch, first take ownership and grant yourself rights from a shell, then proceed:

```cmd
takeown /f "path" && icacls "path" /grant administrators:F
```

Run this from an elevated prompt (takeown relies on SeTakeOwnershipPrivilege); for a directory tree add `/r /d y` to takeown and `/t` to icacls so both recurse.
Input: URL. Output: IP. Resolves the host named in the URL to an IP address with a DNS query.
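Added example (not the post's code): a C routine that does what this note describes, pulling the host out of a URL and resolving it with getaddrinfo, which compiles against both Winsock (ws2tcpip.h with WSAStartup) and POSIX sockets. The helper names, the URL forms handled and the constructed default URL are this example's assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef _WIN32
#include <winsock2.h>
#include <ws2tcpip.h>
#pragma comment(lib, "ws2_32.lib")
#else
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <arpa/inet.h>
#endif

/* Extract the host from a URL: drop scheme, userinfo, port and path/query/fragment.
 * Bracketed IPv6 literals are unwrapped. Returns 1 and fills host on success. */
int url_host(const char *url, char *host, size_t cap)
{
    const char *p = strstr(url, "://");
    p = p ? p + 3 : url;                               /* tolerate a bare "host/path" */
    const char *end = p + strcspn(p, "/?#");           /* authority ends here */
    const char *at = memchr(p, '@', (size_t)(end - p));
    if (at) p = at + 1;                                /* skip user:pass@ */
    const char *host_end;
    if (*p == '[') {
        const char *close = memchr(p, ']', (size_t)(end - p));
        if (!close) return 0;
        p++;
        host_end = close;
    } else {
        host_end = p;
        while (host_end < end && *host_end != ':') host_end++;   /* stop at :port */
    }
    size_t n = (size_t)(host_end - p);
    if (n == 0 || n >= cap) return 0;
    memcpy(host, p, n);
    host[n] = '\0';
    return 1;
}

/* Resolve the URL's host and write the first returned address as text.
 * Numeric hosts are converted locally; names go through the system resolver. */
int url_to_ip(const char *url, char *ip, size_t cap)
{
    char host[256];
    if (!url_host(url, host, sizeof host)) return 0;
#ifdef _WIN32
    WSADATA wsa;
    if (WSAStartup(MAKEWORD(2, 2), &wsa) != 0) return 0;
#endif
    struct addrinfo hints, *res = NULL;
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;
    int ok = 0;
    if (getaddrinfo(host, NULL, &hints, &res) == 0 && res != NULL) {
        const void *addr = (res->ai_family == AF_INET6)
            ? (const void *)&((struct sockaddr_in6 *)res->ai_addr)->sin6_addr
            : (const void *)&((struct sockaddr_in *)res->ai_addr)->sin_addr;
        ok = inet_ntop(res->ai_family, addr, ip, (socklen_t)cap) != NULL;
        freeaddrinfo(res);
    }
#ifdef _WIN32
    WSACleanup();
#endif
    return ok;
}

int main(int argc, char **argv)
{
    char ip[INET6_ADDRSTRLEN];
    /* constructed default so the program runs offline */
    const char *url = argc > 1 ? argv[1] : "http://127.0.0.1:8080/index.html";
    if (url_to_ip(url, ip, sizeof ip)) printf("%s -> %s\n", url, ip);
    else printf("%s -> lookup failed\n", url);
    return 0;
}
```

When you hook this step in a sandbox, log the host string handed to the resolver rather than the returned address: the name is the indicator that survives when the attacker rotates IPs.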
MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT: a useful flag that postpones a file rename or deletion until the computer restarts.

"If dwFlags specifies MOVEFILE_DELAY_UNTIL_REBOOT and lpNewFileName is NULL, MoveFileEx registers the lpExistingFileName file to be deleted when the system restarts. If lpExistingFileName refers to a directory, the system removes the directory at restart only if the directory is empty."

Delete after reboot. Two points worth knowing when this turns up in a sample: the flag only works for a caller in the Administrators group or running as LocalSystem, and it cannot be combined with MOVEFILE_COPY_ALLOWED. The request is not kept in memory; it is written to the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager and carried out by the Session Manager early in the next boot, so reading that value on a suspect host reveals a pending self-deletion or file replacement before it happens.
Reference: http://www.experts-exchange.com/Programming/Microsoft_Development/A_3216-Fast-Base64-Encode-and-Decode.html

Windows CryptoAPI: CryptBinaryToString and CryptStringToBinary. The Windows CryptoAPI provides a pair of general-purpose functions (CryptBinaryToString and CryptStringToBinary) that support Base64 encoding and decoding. The following is a pair of functions that wrap that API: #include #..