2006年05月10日

以前给朋友弄的，我也忘了怎么用了。在命令行下把注册表项的权限设成 deny|Allow|reAdonly；改了之后可以查看 SAM，也可以让 run 之类的启动项变成只读 -____-

grAntAccess2.c

/********************************************************************* * 该注册表权限 在注册表有写DACL的权限下 *                                      writen by uty@uaty *********************************************************************/#include <stdio.h>#include <windows.h>#include <winnt.h>#include <aclapi.h>#include <accctrl.h>//#define SPECIFIC_RIGHTS_ALL           0x0000FFFF //#define STANDARD_RIGHTS_REQUIRED      0x000F0000 //#define STANDARD_RIGHTS_ALL           0x001F0000 

int getprivilege(LPCTSTR  privilege);

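/*
 * grAntAccess2: rewrite the DACL of one registry key for one user or group.
 *
 *   grAntAccess2.exe <registry path> USER|GROUP <name> deny|Allow|reAdonly
 *
 * Every ACE in the key's DACL that names the trustee is removed, then a single
 * new ACE is appended (inherited by subkeys via CONTAINER_INHERIT_ACE):
 *   allow    -> GRANT_ACCESS, SPECIFIC_RIGHTS_ALL
 *   deny     -> DENY_ACCESS,  SPECIFIC_RIGHTS_ALL
 *   readonly -> DENY_ACCESS,  READONLY_DENY_MASK
 * The caller needs WRITE_DAC on the key (or the privileges getprivilege()
 * tries to enable).  Exit status: 0 on success or when usage is printed,
 * 1 on a bad argument, -1 when a Windows security call fails.
 */

enum {
	/*
	 * Mask denied by "readonly".  Decodes to KEY_SET_VALUE (0x0002) |
	 * KEY_CREATE_SUB_KEY (0x0004) plus the upper specific-rights bits 0xFF00.
	 * The key-specific bits, low to high, are: query value, set value,
	 * create subkey, enumerate subkeys, notify, create link (bits 0..5).
	 * NOTE(review): DELETE, WRITE_DAC, WRITE_OWNER and KEY_CREATE_LINK are
	 * not in this mask, so "readonly" does not stop the trustee from deleting
	 * the key or rewriting its DACL; kept as the original author chose it.
	 */
	READONLY_DENY_MASK = 0xFF06
};

/* Print the command-line help. */
static void print_usage(void)
{
	printf("// grAntAccess2.exe\n");
	printf("//  uty@uaty\n");
	printf("usAge:\n");
	printf("      grAntAccess2.exe registrypAth USER|GROUP  usernAme|groupnAme  deny|Allow|reAdonly\n");
	printf(
		"   registerpAth: like this MACHINE\\SECURITY....\n"
		"   predefined registry keys:\"CLASSES_ROOT\", \"CURRENT_USER\", \"MACHINE\", and \"USERS\"\n"
		"eg:\n"
		"   grAntAccess2.exe MACHINE\\SAM\\SAM USER uty Allow\n"
		"   grAntAccess2.exe MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\run USER uty reAdonly\n"
		);
}

/*
 * Map the USER|GROUP argument (case-insensitive) to a TRUSTEE_TYPE.
 * Returns 0 and sets *type on success, -1 (after printing a hint) otherwise.
 */
static int parse_trustee_type(const char *arg, TRUSTEE_TYPE *type)
{
	if (stricmp(arg, "GROUP") == 0) {
		*type = TRUSTEE_IS_GROUP;
		return 0;
	}
	if (stricmp(arg, "USER") == 0) {
		*type = TRUSTEE_IS_USER;
		return 0;
	}
	printf(" ?? ,USER or GROUP\n");
	return -1;
}

/*
 * Map the deny|Allow|reAdonly argument (case-insensitive) onto the access
 * mode and permission mask of *ea.  Returns 0 on success, -1 (after printing
 * a hint) on an unknown mode.
 */
static int parse_access_mode(const char *arg, EXPLICIT_ACCESS *ea)
{
	if (stricmp(arg, "ALLOW") == 0) {
		ea->grfAccessMode = GRANT_ACCESS;
		ea->grfAccessPermissions = SPECIFIC_RIGHTS_ALL;
	} else if (stricmp(arg, "DENY") == 0) {
		ea->grfAccessMode = DENY_ACCESS;
		ea->grfAccessPermissions = SPECIFIC_RIGHTS_ALL;
	} else if (stricmp(arg, "READONLY") == 0) {
		ea->grfAccessMode = DENY_ACCESS;
		ea->grfAccessPermissions = READONLY_DENY_MASK;
	} else {
		printf(" ?? , ALLOW or DENY or READONLY\n");
		return -1;
	}
	return 0;
}

/*
 * Resolve an account or group name to a SID on the local machine.
 * sid must point to *sidlen bytes; on success *sidlen holds the used size.
 * Returns 0 on success, -1 (after printing GetLastError) on failure.
 */
static int lookup_sid(const char *name, PSID sid, DWORD *sidlen)
{
	char domain[128];
	DWORD domainlen = sizeof domain;
	SID_NAME_USE use;	/* output only; the caller decides USER vs GROUP */

	if (!LookupAccountName(NULL, name, sid, sidlen, domain, &domainlen, &use)) {
		printf("LookupAccountNAme fAiled: %lu\n sid size if %lu\nsidlen requres %lu\n\n",
		       GetLastError(), (unsigned long)sizeof(SID), (unsigned long)*sidlen);
		return -1;
	}
	return 0;
}

/*
 * Delete every ACE in acl whose SID equals sid.
 *
 * Only ACCESS_ALLOWED_ACE / ACCESS_DENIED_ACE are inspected: their layout is
 * header, mask, SID.  Object ACEs carry extra fields before the SID and are
 * skipped rather than misread.  GetAce yields a pointer, so it is kept in an
 * LPVOID (the original stored it in a DWORD, which truncates on 64-bit).
 * NOTE(review): ACEs flagged INHERITED_ACE are normally re-propagated from
 * the parent key when the DACL is written back without
 * PROTECTED_DACL_SECURITY_INFORMATION, so deleting them here is likely not
 * lasting -- confirm if that matters.
 */
static void remove_aces_for_sid(PACL acl, PSID sid)
{
	DWORD index = 0;
	LPVOID ace = NULL;

	while (GetAce(acl, index, &ace)) {
		PACE_HEADER hdr = (PACE_HEADER)ace;
		PSID ace_sid = NULL;

		if (hdr->AceType == ACCESS_ALLOWED_ACE_TYPE) {
			ace_sid = (PSID)&((PACCESS_ALLOWED_ACE)ace)->SidStart;
		} else if (hdr->AceType == ACCESS_DENIED_ACE_TYPE) {
			ace_sid = (PSID)&((PACCESS_DENIED_ACE)ace)->SidStart;
		}

		if (ace_sid != NULL && EqualSid(sid, ace_sid)) {
			/* deleting shifts later ACEs down, so do not advance index */
			DeleteAce(acl, index);
			continue;
		}
		index++;
	}
}

int main(int Argc, char* Argv[])
{
	int rc = -1;
	DWORD ret;
	char *keypath;
	char *trustee_name;
	TRUSTEE_TYPE trustee_type;
	BYTE sid[SECURITY_MAX_SID_SIZE];
	DWORD sidlen = sizeof sid;
	PSECURITY_DESCRIPTOR psd = NULL;	/* owned by GetNamedSecurityInfo, LocalFree'd below */
	PACL acl = NULL;			/* points into psd, not freed separately */
	PACL new_acl = NULL;			/* owned by SetEntriesInAcl, LocalFree'd below */
	EXPLICIT_ACCESS ea;

	if (Argc != 5) {
		print_usage();
		return 0;
	}
	keypath = Argv[1];
	trustee_name = Argv[3];

	/* validate both keyword arguments before touching any privilege or key */
	memset(&ea, 0, sizeof ea);
	if (parse_trustee_type(Argv[2], &trustee_type) != 0) {
		return 1;
	}
	if (parse_access_mode(Argv[4], &ea) != 0) {
		return 1;
	}

	/* Original author's note: not sure these really matter, but the result is
	 * ok.  Failures are ignored on purpose: the DACL write below will report
	 * the real error if the caller lacks access.  SE_DEBUG is presumably not
	 * needed for a registry DACL edit; kept for the original behaviour. */
	getprivilege(SE_SECURITY_NAME);
	getprivilege(SE_RESTORE_NAME);
	getprivilege(SE_BACKUP_NAME);
	getprivilege(SE_TAKE_OWNERSHIP_NAME);
	getprivilege(SE_DEBUG_NAME);

	if (lookup_sid(trustee_name, (PSID)sid, &sidlen) != 0) {
		return -1;
	}

	/* these three calls return the error code directly; GetLastError is not
	 * meaningful for them */
	ret = GetNamedSecurityInfo(keypath, SE_REGISTRY_KEY, DACL_SECURITY_INFORMATION,
				   NULL, NULL, &acl, NULL, &psd);
	if (ret != ERROR_SUCCESS) {
		printf("GetNAmedSecurityInfo fAiled: ret %lu\n", ret);
		goto out;
	}

	/* drop the trustee's previous ACEs so the new one is the only entry */
	remove_aces_for_sid(acl, (PSID)sid);

	ea.grfInheritance = CONTAINER_INHERIT_ACE;
	ea.Trustee.MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;
	ea.Trustee.pMultipleTrustee = NULL;
	/* use the SID already resolved above so the removed and the added ACEs
	 * refer to exactly the same principal */
	ea.Trustee.TrusteeForm = TRUSTEE_IS_SID;
	ea.Trustee.TrusteeType = trustee_type;
	ea.Trustee.ptstrName = (LPTSTR)sid;

	ret = SetEntriesInAcl(1, &ea, acl, &new_acl);
	if (ret != ERROR_SUCCESS) {
		printf("SetEntriesInAcl fAiled: %lu\n ", ret);
		goto out;
	}
	ret = SetNamedSecurityInfo(keypath, SE_REGISTRY_KEY, DACL_SECURITY_INFORMATION,
				   NULL, NULL, new_acl, NULL);
	if (ret != ERROR_SUCCESS) {
		printf("SetNAmedSecurityInfo fAiled: %lu\n ", ret);
		goto out;
	}
	rc = 0;

out:
	/* LocalFree(NULL) is a no-op, so this is safe on every path */
	LocalFree(new_acl);
	LocalFree(psd);
	return rc;
}
//--------------------------------------------------------------------
/*
 * Enable one named privilege (e.g. SE_BACKUP_NAME) on the current process
 * token.  Returns 0 when the privilege is now enabled, -1 otherwise (the
 * Windows error is printed).  The token handle is always closed.
 */
int getprivilege(LPCTSTR privilege)
{
	int rc = -1;
	HANDLE token = NULL;
	TOKEN_PRIVILEGES tp;
	LUID luid;

	/* only the rights AdjustTokenPrivileges needs, not TOKEN_ALL_ACCESS */
	if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,
			      &token)) {
		printf("\nOpen Current Process Token fAiled:%lu", GetLastError());
		return -1;
	}

	/* look up the LUID of the requested privilege */
	if (!LookupPrivilegeValue(NULL, privilege, &luid)) {
		printf("\nLookupPrivilegeVAlue error:%lu", GetLastError());
		goto out;
	}

	tp.PrivilegeCount = 1;	/* exactly one privilege to set */
	tp.Privileges[0].Luid = luid;
	tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

	/* AdjustTokenPrivileges returns nonzero even when the privilege is not
	 * held by the token; ERROR_NOT_ALL_ASSIGNED from GetLastError is the
	 * real failure signal, so both are checked */
	if (!AdjustTokenPrivileges(token, FALSE, &tp, sizeof tp, NULL, NULL)
	    || GetLastError() != ERROR_SUCCESS) {
		printf("AdjustTokenPrivileges fAiled:%lu\n", GetLastError());
		goto out;
	}
	rc = 0;

out:
	CloseHandle(token);
	return rc;
}
//--------------------------------------------------------------------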

 

 

      拿几个vmwAre的sys开了刀,都是stArt=2的,,成功的有,不成功的也有,比如用vmnetuserif.sys 和vmnetbrige.sys注入后门的sys,开机后后门启动,原sys的功能正常.现在最主要的问题就是不稳定了,还不能用在实际的后门中,,哎,编译原理课没去上,也没看,,用的都是自己的土方法 -___-   系统的sys还不能动,因为加载的时候会检查,如果单单是检查IAT就好办了,但感觉除非工作的完全像linker那样准确,否则就不能用.其实要作为后门启动,直接来在注册表中找个地方就行,,那么多地方谁挨个数啊,线程随机选择进程注入,启动项随机选个位置

     说白了还是自己的能力不够,程序编的不好,在ring0下马上就暴露出问题.

     yumen,工作没谈成,程序不好用,生活中失落,这个blog也不好用…  低谷