Shameless driver-loading methods (ZT) - Vulnerability Warning - Black Bar Safety Net

2008-01-01T00:00:00
ID MYHACK58:62200817965
Type myhack58
Reporter Anonymous
Modified 2008-01-01T00:00:00

Description


From: http://www.debugman.com/read.php?tid=614

Method one: replace win32k.sys. On 2K3, ZwSetSystemInformation is not allowed to load drivers from user mode; only smss.exe is permitted to load win32k.sys. So we can take advantage of this behaviour:
1. Inject into smss.exe.
2. Enable the SeLoadDriverPrivilege privilege.
3. Rename the original win32k.sys.
4. Copy our driver into \SystemRoot\System32.
5. From inside smss.exe, load \SystemRoot\System32\win32k.sys.
6. Rename \SystemRoot\System32\win32k.sys.
7. Rename the original win32k.sys back to its original name.

Method two: exploit a vulnerability in a third-party driver. There should be plenty of such drivers; we can pick one with a large installed base to do the job, for example a certain well-known antivirus product that has a local privilege escalation vulnerability.... Once we have ring0, load the driver with ZwSetSystemInformation and that's it.

Method three: infect a driver that starts with the system. This is similar to a virus infecting files, but you have to wait until the next reboot before you get control, and it needs some PE knowledge; I won't say more about it here.

A side note: a driver loaded via ZwSetSystemInformation can in fact still create a Device. Because the DriverObject pointer passed to DriverEntry when loading through ZwSetSystemInformation is wrong, we cannot use it to create the Device, but we can allocate a DriverObject of our own and create the Device with that, as follows:

```c
#include <ntddk.h>

/* NT_DEVICE_NAME is referenced but not defined in the original post;
   the value here is a placeholder, choose your own device name. */
#define NT_DEVICE_NAME L"\\Device\\RkrTest"

/* Dispatch routines used by the original but not shown in it. */
DRIVER_DISPATCH CreateClose;
DRIVER_DISPATCH DeviceControl;

NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
    NTSTATUS       ntStatus = STATUS_SUCCESS;
    UNICODE_STRING ntUnicodeString;
    UNICODE_STRING ntWin32NameString;
    PDEVICE_OBJECT deviceObject = NULL;

    UNREFERENCED_PARAMETER(RegistryPath);

    // The DriverObject we were handed is bogus, so allocate our own
    DriverObject = ExAllocatePoolWithTag(NonPagedPool, sizeof(DRIVER_OBJECT), 'clAS');
    if (DriverObject == NULL) {
        return STATUS_INSUFFICIENT_RESOURCES;
    }
    RtlZeroMemory(DriverObject, sizeof(DRIVER_OBJECT));

    RtlInitUnicodeString(&ntUnicodeString, NT_DEVICE_NAME);

    ntStatus = IoCreateDevice(DriverObject,
                              0,
                              &ntUnicodeString,
                              0x8800,                  // device type must be a custom one
                              FILE_DEVICE_SECURE_OPEN,
                              TRUE,
                              &deviceObject);
    if (!NT_SUCCESS(ntStatus)) {
        DbgPrint("Couldn't create the device object\n");
        return ntStatus;
    }

    // Note: we have to clear the INITIALIZING flag ourselves, otherwise the device cannot be opened
    ClearFlag(deviceObject->Flags, DO_DEVICE_INITIALIZING);

    DriverObject->MajorFunction[IRP_MJ_CREATE] = CreateClose;
    DriverObject->MajorFunction[IRP_MJ_CLOSE]  = CreateClose;
    // Note: IRP_MJ_CLEANUP must get a dispatch routine too, otherwise closing the device hangs
    DriverObject->MajorFunction[IRP_MJ_CLEANUP] = CreateClose;
    DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DeviceControl;

    // Note: the symbolic link must be Global, otherwise it disappears once the program exits
    RtlInitUnicodeString(&ntWin32NameString, L"\\DosDevices\\Global\\RkrTest");
    ntStatus = IoCreateSymbolicLink(&ntWin32NameString, &ntUnicodeString);
    if (!NT_SUCCESS(ntStatus)) {
        DbgPrint("Couldn't create symbolic link\n");
        IoDeleteDevice(deviceObject);
    }

    return ntStatus;
}
```

If you like, allocate a little more space than needed so that an OBJECT_HEADER fits in front as well; that way you can avoid some software crashing when it scans the DriverObject's object header.
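From the detection side, the artifact this trick leaves behind is a device object whose owning DRIVER_OBJECT was never registered under \Driver and carries no DriverName. The following is an added example, not from the original post, that correlates a snapshot of object-manager data to flag exactly that; the snapshot layout, the names and the addresses are constructed assumptions, and in practice the data would come from a kernel debugger or a memory-forensics tool.

```python
# Added detection example (not from the original post); see the lead-in for assumptions.
from dataclasses import dataclass

CUSTOM_DEVICE_TYPE_MIN = 0x8000  # third-party DeviceType values start here

@dataclass(frozen=True)
class Device:
    name: str         # object-manager name, e.g. \Device\Null
    device_type: int  # DEVICE_OBJECT.DeviceType
    driver_obj: int   # DEVICE_OBJECT.DriverObject (kernel address)
    driver_name: str  # DRIVER_OBJECT.DriverName; empty for a pool-allocated one

@dataclass(frozen=True)
class Snapshot:
    devices: list     # every DEVICE_OBJECT found under \Device
    drivers: dict     # \Driver\<name> -> registered DRIVER_OBJECT address
    symlinks: dict    # \GLOBAL??\<name> -> target object name

def audit(snap):
    """Return one finding string per device whose owner was never registered."""
    registered = set(snap.drivers.values())
    exposed = {target: link for link, target in snap.symlinks.items()}
    findings = []
    for dev in snap.devices:
        reasons = []
        if dev.driver_obj not in registered:
            reasons.append(f"owner DRIVER_OBJECT {dev.driver_obj:#x} is not under \\Driver")
        if not dev.driver_name:
            reasons.append("owner DRIVER_OBJECT has no DriverName")
        if not reasons:
            continue  # normally loaded driver: registered and named
        if dev.device_type >= CUSTOM_DEVICE_TYPE_MIN:
            reasons.append(f"custom DeviceType {dev.device_type:#x}")
        if dev.name in exposed:
            reasons.append(f"reachable from user mode via {exposed[dev.name]}")
        findings.append(f"{dev.name}: " + "; ".join(reasons))
    return findings

# Constructed sample: one legitimate device and one created the way the
# DriverEntry above does it. All names and addresses are made up.
SAMPLE = Snapshot(
    devices=[
        Device(r"\Device\Null", 0x15, 0x8A100000, r"\Driver\Null"),
        Device(r"\Device\RkrTest", 0x8800, 0x8A2B3C40, ""),
    ],
    drivers={r"\Driver\Null": 0x8A100000},
    symlinks={r"\GLOBAL??\RkrTest": r"\Device\RkrTest"},
)
```

Running audit(SAMPLE) reports only \Device\RkrTest, with the unregistered owner, the missing DriverName, the custom device type and the Global link that exposes it to user mode.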

Correspondingly, when opening it with CreateFile the path should be specified like this: "\\\\.\\Global\\SymbolLink"

What a shameless method; everyone is welcome to discuss it.