RtlAdjustPrivilege提权后NtRaiseHardError制造系统蓝屏

来源：互联网发布：我赢职场java视频网盘编辑：程序博客网时间：2024/05/21 10:04

函数RtlAdjustPrivliege封装在NtDll.dll中，不需要任何其他函数的帮助,仅凭这一个函数就可以获得进程ACL的任意权限。

函数原型为：

NTSTATUS RtlAdjustPrivilege(ULONG Privilege,BOOLEAN Enable,BOOLEAN CurrentThread,PBOOLEAN Enabled);

函数NtRaiseHardError同样封装在NtDll.dll中，属于Undocumented functions of NTDLL。

函数原型如下：

NTSYSAPI NTSTATUSNTAPINtRaiseHardError( IN NTSTATUS ErrorStatus, IN ULONG NumberOfParameters, IN PUNICODE_STRING UnicodeStringParameterMask OPTIONAL, IN PVOID *Parameters, IN HARDERROR_RESPONSE_OPTION ResponseOption, OUT PHARDERROR_RESPONSE Response );

相关类型详见代码。

（1）首先通过LoadLibrary加载NTDLL.DLL，随后通过GetProcAddress获取函数地址,函数声明如下

typedef UINT (CALLBACK* NTRAISEHARDERROR)(NTSTATUS, ULONG, PUNICODE_STRING, PVOID,HARDERROR_RESPONSE_OPTION, PHARDERROR_RESPONSE);typedef UINT (CALLBACK* RTLADJUSTPRIVILEGE)(ULONG, BOOL, BOOL, PINT);

调用RtlAdjustPrivliege获取SeShutdownPrivilege权限（SeShutdownPrivilege权限值为0x13）

RtlAdjustPrivilege(0x13, TRUE, FALSE, &nEn);

（2）随后调用NtRaiseHardError制造蓝屏

全部代码如下：

NTHeaders.h（声明相关结构与变量）：

//======================================================================//By TiKEY!//E-mail:tyk5555@hotmail.com//QQ:574436201//======================================================================#ifndef _NT_HDRS_#define _NT_HDRS_#include <windows.h>typedef /*__success(return >= 0)*/ LONG NTSTATUS; typedef NTSTATUS *PNTSTATUS; #define STATUS_SUCCESS ((NTSTATUS)0x00000000L)typedef struct _LSA_UNICODE_STRING { USHORT Length; USHORT MaximumLength; PWSTR Buffer;} LSA_UNICODE_STRING, *PLSA_UNICODE_STRING, UNICODE_STRING, *PUNICODE_STRING;typedef enum _HARDERROR_RESPONSE_OPTION { OptionAbortRetryIgnore, OptionOk, OptionOkCancel, OptionRetryCancel, OptionYesNo, OptionYesNoCancel, OptionShutdownSystem} HARDERROR_RESPONSE_OPTION, *PHARDERROR_RESPONSE_OPTION;typedef enum _HARDERROR_RESPONSE { ResponseReturnToCaller, ResponseNotHandled, ResponseAbort, ResponseCancel, ResponseIgnore, ResponseNo, ResponseOk, ResponseRetry, ResponseYes} HARDERROR_RESPONSE, *PHARDERROR_RESPONSE;#endif

BlueScreen.cpp:

//======================================================================//By TiKEY!//E-mail:tyk5555@hotmail.com//QQ:574436201//======================================================================#include <Windows.h>#include "NTHeaders.h"HINSTANCE hInst;// 当前实例typedef UINT (CALLBACK* NTRAISEHARDERROR)(NTSTATUS, ULONG, PUNICODE_STRING, PVOID,HARDERROR_RESPONSE_OPTION, PHARDERROR_RESPONSE);typedef UINT (CALLBACK* RTLADJUSTPRIVILEGE)(ULONG, BOOL, BOOL, PINT);int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nShowCmd){HINSTANCE hDLL = LoadLibrary(TEXT("ntdll.dll"));NTRAISEHARDERROR NtRaiseHardError;RTLADJUSTPRIVILEGE RtlAdjustPrivilege;int nEn = 0;HARDERROR_RESPONSE reResponse;if (hDLL != NULL){NtRaiseHardError = (NTRAISEHARDERROR)GetProcAddress(hDLL, "NtRaiseHardError");RtlAdjustPrivilege = (RTLADJUSTPRIVILEGE)GetProcAddress(hDLL, "RtlAdjustPrivilege");if (!NtRaiseHardError){// handle the errorFreeLibrary(hDLL);return 0;}if (!RtlAdjustPrivilege){// handle the errorFreeLibrary(hDLL);return 0;}RtlAdjustPrivilege(0x13, TRUE, FALSE, &nEn);//0x13 = SeShutdownPrivilegeNtRaiseHardError(0xC000021A,0,0,0,OptionShutdownSystem,&reResponse);}return 1;}

以上代码VS2010 SP1编译通过， Win7 SP1测试有效。