RtlAdjustPrivilege(): the privilege-elevation function
This is a little-known function inside NTDLL.DLL that Microsoft never documented. The reason is simply that it is too powerful: without help from any other function, this single call can obtain any privilege on the process's ACL!
First, the function's definition (as given by Winehq):

    NTSTATUS RtlAdjustPrivilege(
        ULONG    Privilege,
        BOOLEAN  Enable,
        BOOLEAN  CurrentThread,
        PBOOLEAN Enabled
    );
Parameter meanings:
    Privilege     [In]  Privilege index to change.
                        // the privilege you need; the names are listed on MSDN under Process Token & Privilege
    Enable        [In]  If TRUE, then enable the privilege otherwise disable.
                        // TRUE enables the privilege, FALSE disables it
    CurrentThread [In]  If TRUE, then enable in calling thread, otherwise process.
                        // TRUE adjusts only the current thread's privileges, otherwise the whole process's
    Enabled       [Out] Whether privilege was previously enabled or disabled.
Privilege ID mapping table (privilege name and its index value):
1.SeCreateTokenPrivilege 0x2
2.SeAssignPrimaryTokenPrivilege 0x3
3.SeLockMemoryPrivilege 0x4
4.SeIncreaseQuotaPrivilege 0x5
5.SeUnsolicitedInputPrivilege 0x0
6.SeMachineAccountPrivilege 0x6
7.SeTcbPrivilege 0x7
8.SeSecurityPrivilege 0x8
9.SeTakeOwnershipPrivilege 0x9
10.SeLoadDriverPrivilege 0xa
11.SeSystemProfilePrivilege 0xb
12.SeSystemtimePrivilege 0xc
13.SeProfileSingleProcessPrivilege 0xd
14.SeIncreaseBasePriorityPrivilege 0xe
15.SeCreatePagefilePrivilege 0xf
16.SeCreatePermanentPrivilege 0x10
17.SeBackupPrivilege 0x11
18.SeRestorePrivilege 0x12
19.SeShutdownPrivilege 0x13
20.SeDebugPrivilege 0x14
21.SeAuditPrivilege 0x15
22.SeSystemEnvironmentPrivilege 0x16
23.SeChangeNotifyPrivilege 0x17
24.SeRemoteShutdownPrivilege 0x18
25.SeUndockPrivilege 0x19
26.SeSyncAgentPrivilege 0x1a
27.SeEnableDelegationPrivilege 0x1b
28.SeManageVolumePrivilege 0x1c
29.SeImpersonatePrivilege 0x1d
30.SeCreateGlobalPrivilege 0x1e
31.SeTrustedCredManAccessPrivilege 0x1f
32.SeRelabelPrivilege 0x20
33.SeIncreaseWorkingSetPrivilege 0x21
34.SeTimeZonePrivilege 0x22
35.SeCreateSymbolicLinkPrivilege 0x23
Key usage points:

    HMODULE hDll = ::LoadLibraryA("ntdll.dll");
    // Declare the import with the types Wine gives above; NTAPI (__stdcall on x86)
    // matters because the function is an ntdll export.
    typedef NTSTATUS (NTAPI *type_RtlAdjustPrivilege)(ULONG, BOOLEAN, BOOLEAN, PBOOLEAN);
    type_RtlAdjustPrivilege RtlAdjustPrivilege =
        (type_RtlAdjustPrivilege)GetProcAddress(hDll, "RtlAdjustPrivilege");
    BOOLEAN nEn = FALSE;   // receives the privilege's previous state
    RtlAdjustPrivilege(SE_SHUTDOWN_PRIVILEGE, TRUE, TRUE, &nEn);

Instant shutdown code (VC++):

    #include <windows.h>
    #include <winternl.h>   // NTSTATUS

    const ULONG SE_SHUTDOWN_PRIVILEGE = 0x13;   // SeShutdownPrivilege, from the table above

    int main()
    {
        HMODULE hDll = ::LoadLibraryA("ntdll.dll");
        typedef NTSTATUS (NTAPI *type_RtlAdjustPrivilege)(ULONG, BOOLEAN, BOOLEAN, PBOOLEAN);
        typedef NTSTATUS (NTAPI *type_ZwShutdownSystem)(int);
        type_RtlAdjustPrivilege RtlAdjustPrivilege =
            (type_RtlAdjustPrivilege)GetProcAddress(hDll, "RtlAdjustPrivilege");
        type_ZwShutdownSystem ZwShutdownSystem =
            (type_ZwShutdownSystem)GetProcAddress(hDll, "ZwShutdownSystem");
        BOOLEAN nEn = FALSE;
        // Try the calling thread first; STATUS_NO_TOKEN (0xC000007C) means the thread
        // has no impersonation token, so retry against the process token.
        NTSTATUS nResult = RtlAdjustPrivilege(SE_SHUTDOWN_PRIVILEGE, TRUE, TRUE, &nEn);
        if (nResult == (NTSTATUS)0xC000007C) {
            nResult = RtlAdjustPrivilege(SE_SHUTDOWN_PRIVILEGE, TRUE, FALSE, &nEn);
        }
        nResult = ZwShutdownSystem(2);   // SHUTDOWN_ACTION 2 = ShutdownPowerOff
        FreeLibrary(hDll);
        return 0;
    }

A special note on the return value: in my test the privilege was raised successfully, yet the return value was still NULL, so checking the return value at that point is unreliable; whether it worked can only be judged by whether the subsequent open-process call succeeds.
Author: HAPPYers
Link: https://www.jianshu.com/p/0ab0349aa9ce
Source: Jianshu (簡書)
Copyright belongs to the author. For commercial reposting please contact the author for authorization; for non-commercial reposting please credit the source.
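As an added example (not code from the original post), here is the same enable-with-fallback flow written against the Wine signature quoted above, with the NTSTATUS checked correctly: STATUS_SUCCESS is 0, and the sign bit marks failure. The `enable_privilege`, `adjust_result` and `nt_success` names are this example's own, and the `sim_rtl_adjust_privilege` stand-in is constructed here so the logic also builds and runs off Windows; it assumes a thread with no impersonation token and a process token that holds only SeShutdownPrivilege.

```c
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#include <winternl.h>   /* NTSTATUS, NTAPI */
#else                   /* stand-ins for the Windows types so the logic builds anywhere */
typedef int NTSTATUS; typedef unsigned ULONG; typedef unsigned char BOOLEAN, *PBOOLEAN;
#define NTAPI
#endif
#define STATUS_SUCCESS            ((NTSTATUS)0x00000000L)
#define STATUS_PRIVILEGE_NOT_HELD ((NTSTATUS)0xC0000061L)
#define STATUS_NO_TOKEN           ((NTSTATUS)0xC000007CL)  /* thread is not impersonating */
#define SE_SHUTDOWN_PRIVILEGE     0x13u                    /* index from the post's table */

/* ntdll!RtlAdjustPrivilege with the signature Wine documents (quoted in the post). */
typedef NTSTATUS (NTAPI *RtlAdjustPrivilege_t)(ULONG, BOOLEAN, BOOLEAN, PBOOLEAN);
typedef struct { NTSTATUS status; BOOLEAN used_process, was_enabled; } adjust_result;

/* Enable `priv`: try the calling thread's impersonation token first and, on
 * STATUS_NO_TOKEN, fall back to the process token, as the post's snippet does. */
adjust_result enable_privilege(RtlAdjustPrivilege_t fn, ULONG priv) {
    adjust_result r = { STATUS_SUCCESS, 0, 0 };
    r.status = fn(priv, 1, 1, &r.was_enabled);
    if (r.status == STATUS_NO_TOKEN) {
        r.used_process = 1;
        r.status = fn(priv, 1, 0, &r.was_enabled);
    }
    return r;
}

/* STATUS_SUCCESS is literally 0 (a "NULL" return means it worked); the sign bit marks failure. */
int nt_success(NTSTATUS s) { return s >= 0; }

#ifndef _WIN32
/* Constructed stand-in for ntdll: no thread token; the process token holds only
 * SeShutdownPrivilege (disabled). The call can only enable privileges the token
 * already holds, so a missing one is reported here as a failure status. */
NTSTATUS NTAPI sim_rtl_adjust_privilege(ULONG priv, BOOLEAN en, BOOLEAN thread, PBOOLEAN prev) {
    static BOOLEAN shutdown_enabled = 0;
    if (thread) return STATUS_NO_TOKEN;
    if (priv != SE_SHUTDOWN_PRIVILEGE) return STATUS_PRIVILEGE_NOT_HELD;
    *prev = shutdown_enabled; shutdown_enabled = en;
    return STATUS_SUCCESS;
}
#endif

int main(void) {
#ifdef _WIN32
    RtlAdjustPrivilege_t fn = (RtlAdjustPrivilege_t)GetProcAddress(GetModuleHandleA("ntdll.dll"), "RtlAdjustPrivilege");
#else
    RtlAdjustPrivilege_t fn = sim_rtl_adjust_privilege;
#endif
    adjust_result r = enable_privilege(fn, SE_SHUTDOWN_PRIVILEGE);
    printf("status=0x%08x via_process=%d previously_enabled=%d\n", (unsigned)r.status, r.used_process, r.was_enabled);
    return nt_success(r.status) ? 0 : 1;
}
```

On a real Windows token the `Enabled` out-parameter tells you whether the privilege was already on before the call, which is what the post's `nEn` receives.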