【推荐】Win32 汇编 强制关机源码实现
转自: ARTeam    整理: Playboysen
原作者:ragdog/Nacho_dj/mia/Gunther
Before you can shut down you must adjust the token privilege (AdjustToken below); on NT-type platforms this acquires the privilege needed for a shutdown/restart.
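;-----------------------------------------------------------------------
; AdjustToken - enable SeShutdownPrivilege in the current process token.
; ExitWindowsEx refuses EWX_SHUTDOWN/EWX_REBOOT unless this privilege is
; present in the token AND enabled; enabling never grants it, so the
; account must already hold it.
; ABI:   stdcall, no arguments
; Out:   eax = AdjustTokenPrivileges result (nonzero = call succeeded),
;              0 if the token could not be opened or the privilege name
;              could not be resolved.
;        Caveat: AdjustTokenPrivileges returns nonzero even when the
;        privilege is not in the token (GetLastError then reports
;        ERROR_NOT_ALL_ASSIGNED), so a nonzero result is not proof that
;        shutdown will be allowed.
; Clobb: eax, ecx, edx (stdcall scratch); all state kept in locals
; Uses:  LUIDCUST / TOKEN_PRIVS structures and the TOKEN_* /
;        SE_PRIVILEGE_ENABLED equates from the project's includes.
; Fixes vs. the posted version: named access mask instead of "40"
; (= 28h = TOKEN_ADJUST_PRIVILEGES or TOKEN_QUERY), the token handle is
; now closed, failures short-circuit, and the "[eax]" operands lost in
; the forum rendering are replaced by direct local accesses.
;-----------------------------------------------------------------------
AdjustToken proc
    LOCAL hdlProcessHandle:DWORD
    LOCAL hdlTokenHandle:DWORD
    LOCAL tmpLuid:LUIDCUST
    LOCAL tkp:TOKEN_PRIVS
    LOCAL tkpNewButIgnored:TOKEN_PRIVS
    LOCAL lBufferNeeded:DWORD
    LOCAL fResult:DWORD

    mov fResult, 0                          ; default: failure

    invoke GetCurrentProcess                ; pseudo-handle, never needs CloseHandle
    mov hdlProcessHandle, eax

    ; Ask only for the rights this function uses.
    invoke OpenProcessToken, hdlProcessHandle, \
           TOKEN_ADJUST_PRIVILEGES or TOKEN_QUERY, ADDR hdlTokenHandle
    .if eax != 0
        ; NULL system name = resolve the privilege on the local machine
        ; (the original passed a pointer to an empty string, same meaning).
        invoke LookupPrivilegeValue, NULL, SADD("SeShutdownPrivilege"), ADDR tmpLuid
        .if eax != 0
            ; Build a one-entry TOKEN_PRIVILEGES:
            ;   { PrivilegeCount = 1, { luid, SE_PRIVILEGE_ENABLED } }
            mov tkp.privilegecount, 1
            mov eax, tmpLuid.usedpart
            mov tkp.theluid.usedpart, eax
            mov eax, tmpLuid.ignorehigh32bitpart
            mov tkp.theluid.ignorehigh32bitpart, eax
            mov tkp.attributes, SE_PRIVILEGE_ENABLED

            ; DisableAllPrivileges = FALSE; previous state is received but ignored
            invoke AdjustTokenPrivileges, hdlTokenHandle, FALSE, ADDR tkp, \
                   SizeOf tkpNewButIgnored, ADDR tkpNewButIgnored, ADDR lBufferNeeded
            mov fResult, eax
        .endif
        invoke CloseHandle, hdlTokenHandle  ; the posted version leaked this handle
    .endif

    mov eax, fResult
    ret
AdjustToken endp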
;-----------------------------------------------------------------------
; LogoutNOW - BOOL LogoutNOW(void)
; Ends the calling user's session: ExitWindowsEx(EWX_LOGOFF, 0).
; Out:   eax = ExitWindowsEx return value
; Clobb: ecx, edx (stdcall scratch)
;-----------------------------------------------------------------------
LogoutNOW proc
    push 0                              ; dwReason: none supplied
    push EWX_LOGOFF                     ; uFlags: log off only, no shutdown
    call ExitWindowsEx                  ; stdcall: callee pops both arguments
    ret
LogoutNOW endp
;-----------------------------------------------------------------------
; ShutdownNOW - BOOL ShutdownNOW(void)
; Forced shutdown and power-off:
;   ExitWindowsEx(EWX_SHUTDOWN + EWX_FORCE + EWX_POWEROFF, NULL).
; EWX_FORCE terminates applications without the usual end-session
; prompt, so unsaved work is lost.  The call is refused unless
; SeShutdownPrivilege is enabled in the caller's token (see AdjustToken).
; Out:   eax = ExitWindowsEx return value
; Clobb: ecx, edx (stdcall scratch)
;-----------------------------------------------------------------------
ShutdownNOW proc
    push NULL                                       ; dwReason
    push EWX_SHUTDOWN + EWX_FORCE + EWX_POWEROFF     ; uFlags
    call ExitWindowsEx
    ret
ShutdownNOW endp
;-----------------------------------------------------------------------
; RestartNOW - BOOL RestartNOW(void)
; Reboots the machine: ExitWindowsEx(EWX_REBOOT, 0).  Like a shutdown,
; this needs SeShutdownPrivilege enabled first (see AdjustToken).
; Out:   eax = ExitWindowsEx return value
; Clobb: ecx, edx (stdcall scratch)
;-----------------------------------------------------------------------
RestartNOW proc
    push 0                              ; dwReason: none supplied
    push EWX_REBOOT                     ; uFlags: restart
    call ExitWindowsEx
    ret
RestartNOW endp

***********************************************************************************************************************
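The simplest way for a code cave is to put this shutdown function in a DLL:

;-----------------------------------------------------------------------
; DllEntryPoint - DllMain replacement.
; On DLL_PROCESS_ATTACH it enables the shutdown privilege and calls
; ExitWindowsEx; every other reason is ignored.
; In:    hInstDLL, reason, unused (standard DllMain arguments)
; Out:   eax = TRUE.  The posted version returned whatever eax held,
;        i.e. ExitWindowsEx's result on attach, which makes the loader
;        treat a refused shutdown as a failed DLL load.
; Note:  DllMain runs under the loader lock; calling user32 from it is
;        outside the documented DllMain restrictions, and a failure here
;        produces no diagnostic at all.
;-----------------------------------------------------------------------
DllEntryPoint proc hInstDLL:DWORD, reason:DWORD, unused:DWORD
    .if reason == DLL_PROCESS_ATTACH    ; called once when the DLL is mapped
        invoke AdjustToken              ; must come first: enables SeShutdownPrivilege
        invoke ShutdownNOW
    .endif
    mov eax, TRUE
    ret
DllEntryPoint endp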
; For NT Type Platforms get the privilege for a Shutdown/Restart.
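;-----------------------------------------------------------------------
; AdjustToken - enable SeShutdownPrivilege in the current process token.
; ExitWindowsEx refuses EWX_SHUTDOWN/EWX_REBOOT unless this privilege is
; present in the token AND enabled; enabling never grants it, so the
; account must already hold it.
; ABI:   stdcall, no arguments
; Out:   eax = AdjustTokenPrivileges result (nonzero = call succeeded),
;              0 if the token could not be opened or the privilege name
;              could not be resolved.
;        Caveat: AdjustTokenPrivileges returns nonzero even when the
;        privilege is not in the token (GetLastError then reports
;        ERROR_NOT_ALL_ASSIGNED), so a nonzero result is not proof that
;        shutdown will be allowed.
; Clobb: eax, ecx, edx (stdcall scratch); all state kept in locals
; Uses:  LUIDCUST / TOKEN_PRIVS structures and the TOKEN_* /
;        SE_PRIVILEGE_ENABLED equates from the project's includes.
; Fixes vs. the posted version: named access mask instead of "40"
; (= 28h = TOKEN_ADJUST_PRIVILEGES or TOKEN_QUERY), the token handle is
; now closed, failures short-circuit, and the "[eax]" operands lost in
; the forum rendering are replaced by direct local accesses.
;-----------------------------------------------------------------------
AdjustToken proc
    LOCAL hdlProcessHandle:DWORD
    LOCAL hdlTokenHandle:DWORD
    LOCAL tmpLuid:LUIDCUST
    LOCAL tkp:TOKEN_PRIVS
    LOCAL tkpNewButIgnored:TOKEN_PRIVS
    LOCAL lBufferNeeded:DWORD
    LOCAL fResult:DWORD

    mov fResult, 0                          ; default: failure

    invoke GetCurrentProcess                ; pseudo-handle, never needs CloseHandle
    mov hdlProcessHandle, eax

    ; Ask only for the rights this function uses.
    invoke OpenProcessToken, hdlProcessHandle, \
           TOKEN_ADJUST_PRIVILEGES or TOKEN_QUERY, ADDR hdlTokenHandle
    .if eax != 0
        ; NULL system name = resolve the privilege on the local machine
        ; (the original passed a pointer to an empty string, same meaning).
        invoke LookupPrivilegeValue, NULL, SADD("SeShutdownPrivilege"), ADDR tmpLuid
        .if eax != 0
            ; Build a one-entry TOKEN_PRIVILEGES:
            ;   { PrivilegeCount = 1, { luid, SE_PRIVILEGE_ENABLED } }
            mov tkp.privilegecount, 1
            mov eax, tmpLuid.usedpart
            mov tkp.theluid.usedpart, eax
            mov eax, tmpLuid.ignorehigh32bitpart
            mov tkp.theluid.ignorehigh32bitpart, eax
            mov tkp.attributes, SE_PRIVILEGE_ENABLED

            ; DisableAllPrivileges = FALSE; previous state is received but ignored
            invoke AdjustTokenPrivileges, hdlTokenHandle, FALSE, ADDR tkp, \
                   SizeOf tkpNewButIgnored, ADDR tkpNewButIgnored, ADDR lBufferNeeded
            mov fResult, eax
        .endif
        invoke CloseHandle, hdlTokenHandle  ; the posted version leaked this handle
    .endif

    mov eax, fResult
    ret
AdjustToken endp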
;-----------------------------------------------------------------------
; LogoutNOW - BOOL LogoutNOW(void)
; Logs the current user off: ExitWindowsEx(EWX_LOGOFF, 0).
; Out:   eax = ExitWindowsEx return value
; Clobb: ecx, edx (stdcall scratch)
;-----------------------------------------------------------------------
LogoutNOW proc
    xor eax, eax                        ; dwReason = 0
    push eax
    push EWX_LOGOFF                     ; uFlags
    call ExitWindowsEx                  ; stdcall: callee cleans the stack
    ret
LogoutNOW endp
;-----------------------------------------------------------------------
; ShutdownNOW - BOOL ShutdownNOW(void)
; Forced shutdown with power-off.  The three flags occupy distinct bits,
; so "or" and "+" build the same mask.  EWX_FORCE skips the end-session
; negotiation with running applications (unsaved data is lost), and the
; call is refused unless SeShutdownPrivilege is enabled (see AdjustToken).
; Out:   eax = ExitWindowsEx return value
; Clobb: ecx, edx (stdcall scratch)
;-----------------------------------------------------------------------
ShutdownNOW proc
    invoke ExitWindowsEx, EWX_SHUTDOWN or EWX_FORCE or EWX_POWEROFF, NULL
    ret
ShutdownNOW endp
;-----------------------------------------------------------------------
; RestartNOW - BOOL RestartNOW(void)
; Reboots the machine: ExitWindowsEx(EWX_REBOOT, 0).  Needs the shutdown
; privilege enabled first (see AdjustToken).
; Out:   eax = ExitWindowsEx return value
; Clobb: ecx, edx (stdcall scratch)
;-----------------------------------------------------------------------
RestartNOW proc
    xor eax, eax                        ; dwReason = 0
    push eax
    push EWX_REBOOT                     ; uFlags
    call ExitWindowsEx
    ret
RestartNOW endp

In the target add this code:
; Debugger listing (OllyDbg-style), not assembler source: a call to
; LoadLibraryA with a pointer to the string placed at 00401155.
; The absolute address is specific to that one patched image and its
; load address; it is not relocatable and will not assemble as written.
push 00401155
Call LoadLibraryA
; Dump line of the string itself; "53 68 75 74 6>" are its first bytes ("Shut"...).
00401155 . 53 68 75 74 6>ASCII "Shutdown.dll",0
***********************************************************************************************************************
There is one undocumented API in ntdll.dll, "NtShutdownSystem", which can be used for a really quick (instant) shutdown or restart. It accepts one parameter: 0 for shutdown and 1 for restart (note that both snippets below pass 2, the power-off action).
***********************************************************************************************************************
Well... this is from the FASM forums... hope it's useful to you.
; tested only in XP SP2
;/-----------------------------------------------------------------------------\
; File : shutdown.asm.
; Author : Ancient One.
;\-----------------------------------------------------------------------------/
define imageBase 0x10000                 ; load address the header advertises (dd imageBase below)
ShutdownPowerOff=2                       ; SHUTDOWN_ACTION value handed to NtShutdownSystem
SeShutdownPrivilege=0x13                 ; LUID low part of SeShutdownPrivilege (19)
SE_PRIVILEGE_ENABLED=0x2                 ; TOKEN_PRIVILEGES.Attributes
TOKEN_ADJUST_PRIVILEGES=0x20             ; access mask requested on the token
; System-service numbers.  They are hard-coded here and differ between
; Windows releases; the post states this was tested only on XP SP2.
NtAdjustPrivilegesToken=011
NtOpenProcessToken=123
NtShutdownSystem=249
use32
; Hand-built minimal PE: the code is split into chunks that live inside
; header fields the loader does not validate, each sized to its gap (the
; _NN_bytes labels give the byte budget) and chained with short jumps.
; All calls go through the single sysenter stub at _sysEnter (edi).
dosHeader:
dw 'MZ'
dw 0
ntHeader:
dd 'PE'
dw 0x14c                                 ; Machine: i386
dw 0                                     ; NumberOfSections: none
entryPoint:
_12_bytes :
mov edi, _sysEnter+imageBase             ; edi = absolute address of the sysenter stub
;store 0xCC at _12_bytes
mov ebx, esp                             ; ebx = original esp; [ebx] receives the token handle
push ebx                                 ;   TokenHandle (out pointer)
push TOKEN_ADJUST_PRIVILEGES             ;   DesiredAccess
jmp _08_bytes_a
dw sizeof.optionalHeader                 ; SizeOfOptionalHeader
dw 0x102                                 ; Characteristics
optionalHeader:
dw 0x10b                                 ; Magic: PE32
_14_bytes :
call edi                                 ; NtOpenProcessToken(-1, TOKEN_ADJUST_PRIVILEGES, ebx)
; eax now holds the NTSTATUS (0 on success) and is reused as a zero below.
push ShutdownPowerOff eax SeShutdownPrivilege 1
; The four pushes lay out TOKEN_PRIVILEGES {1, {0x13, 0}, 2} on the stack;
; the Attributes slot doubles as the ShutdownPowerOff argument for the
; final NtShutdownSystem call (see "leave" below).
mov ebp, esp                             ; ebp = &TOKEN_PRIVILEGES (NewState)
push eax                                 ;   ReturnLength = NULL
jmp _06_bytes
dd entryPoint                            ; AddressOfEntryPoint
_08_bytes_a :
push (-1) ebx NtOpenProcessToken         ;   ProcessHandle = current process; then the service number
pop eax                                  ; eax = NtOpenProcessToken
jmp _14_bytes
dd imageBase                             ; ImageBase
dd 4                                     ; SectionAlignment
dd 4                                     ; FileAlignment
_08_bytes_b :
push ebp                                 ; filler: the kernel reads arguments from [edx+8], past two return slots
mov al, NtAdjustPrivilegesToken          ; relies on eax's upper bytes being 0 (previous call returned success)
call edi                                 ; NtAdjustPrivilegesToken(token, FALSE, ebp, 0, NULL, NULL)
leave                                    ; esp = ebp, pop ebp: esp now points at the LUID inside the struct
jmp _xx_bytes
dw 3
_06_bytes :
push eax eax ebp eax                     ;   PreviousState = NULL, BufferLength = 0, NewState = ebp, DisableAll = FALSE
jmp _04_bytes
dd sizeof.image                          ; SizeOfImage
dd sizeof.peHeaders                      ; SizeOfHeaders
_04_bytes :
push dword
; NOTE(review): the memory operand of this push was lost in the forum
; rendering (bracketed text stripped).  From the argument layout it should
; be the token handle stored at [ebx] — TODO confirm against the original.
jmp _08_bytes_b
dw 2                                     ; Subsystem
sizeof.optionalHeader = $-optionalHeader
sizeof.peHeaders = sizeof.optionalHeader
_xx_bytes:
mov al, NtShutdownSystem                 ; again assumes the previous call left eax = 0
_sysEnter:
; Fast-syscall stub in the convention ntdll's KiFastSystemCall uses:
; eax = service number, edx = stack pointer, arguments read from [edx+8].
; On the final fall-through (no call), [edx+8] is the Attributes slot,
; i.e. ShutdownPowerOff, which becomes NtShutdownSystem's Action.
mov edx, esp
sysenter
sizeof.image=$
or this one? Hope it helps.
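.686
.model flat,stdcall
include ntdll.inc
include kernel32.inc

; Numeric constants, since windows.inc is not included in this snippet.
SE_SHUTDOWN_PRIVILEGE   equ 19          ; LUID low part of SeShutdownPrivilege (0x13 in the FASM listing above)
SE_PRIVILEGE_ENABLED    equ 2
SHUTDOWN_POWEROFF       equ 2           ; SHUTDOWN_ACTION: halt and power off

.data?
bPrevEnabled db ?                       ; receives the privilege's previous enable state

.code
;-----------------------------------------------------------------------
; Entry point: enable SeShutdownPrivilege in the current process token,
; then ask the kernel to power the machine off.
; If NtShutdownSystem returns at all, the shutdown was refused (for
; example because the account does not hold the privilege); its NTSTATUS
; is then used as the process exit code so the failure is visible.
; The posted version ended with "jmp ExitProcess", which passed whatever
; happened to be on the stack as the exit code, and used a saved esp
; as the PreviousState out-pointer; a proper variable is used instead.
;-----------------------------------------------------------------------
start:
    ; RtlAdjustPrivilege(Privilege, Enable, CurrentThread, &PreviousState)
    ; Enable is a BOOLEAN: 1 here, the original passed 2 (any nonzero = TRUE).
    ; Not checked: a missing privilege is reported by NtShutdownSystem anyway.
    invoke RtlAdjustPrivilege, SE_SHUTDOWN_PRIVILEGE, 1, 0, ADDR bPrevEnabled
    invoke NtShutdownSystem, SHUTDOWN_POWEROFF
    invoke ExitProcess, eax             ; reached only if the kernel returned
end start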
[ 本帖最后由 playboysen 于 2008-10-4 08:59 编辑 ] 看不懂!!!!/:010 感谢了,努力学习汇编中/:001 我比你还菜!/:17 英文的解释,哎!! 谢谢楼主发布分享
学习之