【推荐】Win32 汇编强制关机源码实现

playboysen · 发表于 2008-10-4 08:57:55

转自： ARTeam
整理： Playboysen
原作者：ragdog/Nacho_dj/mia/Gunther

Before you make shutdown must you set the AdjustToken privilege

; For NT Type Platforms get the privilege for a Shutdown/Restart.
AdjustToken proc
LOCAL hdlProcessHandle:DWORD
LOCAL hdlTokenHandle:DWORD
LOCAL tmpLuid:LUIDCUST
LOCAL tkp:TOKEN_PRIVS
LOCAL tkpNewButIgnored:TOKEN_PRIVS
LOCAL lBufferNeeded:DWORD
LOCAL tBuff[32]:BYTE
LOCAL ptBuff:DWORD
invoke GetCurrentProcess ; get the current process handle
mov hdlProcessHandle,eax ; save it to hdlProcessHandle
lea eax, tBuff ; address of temp buffer into eax
mov ptBuff, eax ; set pointer to temp buffer
mov BYTE PTR [eax], 0 ; initialize the buffer
invoke OpenProcessToken,hdlProcessHandle,40,ADDR hdlTokenHandle
invoke LookupPrivilegeValue,ptBuff, SADD("SeShutdownPrivilege"), ADDR tmpLuid
lea eax, tmpLuid ; address of tmpLuid into eax
; Contents of tmpLuid into ecx:edx
mov ecx, (LUIDCUST PTR [eax]).usedpart
mov edx, (LUIDCUST PTR [eax]).ignorehigh32bitpart
lea eax, tkp ; address of tkp into eax
mov (TOKEN_PRIVS PTR [eax]).privilegecount, 1
mov (TOKEN_PRIVS PTR [eax]).theluid.usedpart, ecx
mov (TOKEN_PRIVS PTR [eax]).theluid.ignorehigh32bitpart, edx
mov (TOKEN_PRIVS PTR [eax]).attributes, 2
invoke AdjustTokenPrivileges,hdlTokenHandle,0,ADDR tkp,\
SizeOf tkpNewButIgnored,ADDR tkpNewButIgnored,ADDR lBufferNeeded
ret
AdjustToken endp
LogoutNOW proc
invoke ExitWindowsEx,EWX_LOGOFF,0 ; Logout the machine
ret
LogoutNOW endp
ShutdownNOW proc
invoke ExitWindowsEx,EWX_SHUTDOWN + EWX_FORCE + EWX_POWEROFF,NULL ; Shutdown the machine
ret
ShutdownNOW endp
RestartNOW proc
invoke ExitWindowsEx,EWX_REBOOT,0 ; Restart the machine
ret
RestartNOW endp

复制代码

***********************************************************************************************************************

The simply way for code cave can you write this shutdown function in a dll

DllEntryPoint proc hInstDLL:DWORD, reason:DWORD, unused:DWORD
mov eax,reason
.if eax == DLL_PROCESS_ATTACH; Called when our dll loaded
invoke AdjustToken
invoke ShutdownNOW
.endif
ret
DllEntryPoint endp
; For NT Type Platforms get the privilege for a Shutdown/Restart.
AdjustToken proc
LOCAL hdlProcessHandle:DWORD
LOCAL hdlTokenHandle:DWORD
LOCAL tmpLuid:LUIDCUST
LOCAL tkp:TOKEN_PRIVS
LOCAL tkpNewButIgnored:TOKEN_PRIVS
LOCAL lBufferNeeded:DWORD
LOCAL tBuff[32]:BYTE
LOCAL ptBuff:DWORD
invoke GetCurrentProcess ; get the current process handle
mov hdlProcessHandle,eax ; save it to hdlProcessHandle
lea eax, tBuff ; address of temp buffer into eax
mov ptBuff, eax ; set pointer to temp buffer
mov BYTE PTR [eax], 0 ; initialize the buffer
invoke OpenProcessToken,hdlProcessHandle,40,ADDR hdlTokenHandle
invoke LookupPrivilegeValue,ptBuff, SADD("SeShutdownPrivilege"), ADDR tmpLuid
lea eax, tmpLuid ; address of tmpLuid into eax
; Contents of tmpLuid into ecx:edx
mov ecx, (LUIDCUST PTR [eax]).usedpart
mov edx, (LUIDCUST PTR [eax]).ignorehigh32bitpart
lea eax, tkp ; address of tkp into eax
mov (TOKEN_PRIVS PTR [eax]).privilegecount, 1
mov (TOKEN_PRIVS PTR [eax]).theluid.usedpart, ecx
mov (TOKEN_PRIVS PTR [eax]).theluid.ignorehigh32bitpart, edx
mov (TOKEN_PRIVS PTR [eax]).attributes, 2
invoke AdjustTokenPrivileges,hdlTokenHandle,0,ADDR tkp,\
SizeOf tkpNewButIgnored,ADDR tkpNewButIgnored,ADDR lBufferNeeded
ret
AdjustToken endp
LogoutNOW proc
invoke ExitWindowsEx,EWX_LOGOFF,0; Logout the machine
ret
LogoutNOW endp
ShutdownNOW proc
invoke ExitWindowsEx,EWX_SHUTDOWN + EWX_FORCE + EWX_POWEROFF,NULL; Shutdown the machine
ret
ShutdownNOW endp
RestartNOW proc
invoke ExitWindowsEx,EWX_REBOOT,0; Restart the machine
ret
RestartNOW endp

复制代码

In the target add this code

push 00401155
Call LoadLibraryA

00401155 . 53 68 75 74 6>ASCII "Shutdown.dll",0

***********************************************************************************************************************
There is one undocumented api in ntdll.dll. Its "NtShutdownSystem", which can be used for really quick(instant) shutdown and restart. It accepts one parameter 0 for shutdown and 1 for restart.

***********************************************************************************************************************
Well...this is from FASM forums...hope it's useful to u.

;tested only in XP SP2
;/-----------------------------------------------------------------------------\
; File : shutdown.asm.
; Author : Ancient One.
;\-----------------------------------------------------------------------------/
define imageBase 0x10000
ShutdownPowerOff=2
SeShutdownPrivilege=0x13
SE_PRIVILEGE_ENABLED=0x2
TOKEN_ADJUST_PRIVILEGES=0x20
NtAdjustPrivilegesToken=011
NtOpenProcessToken=123
NtShutdownSystem=249
use32
dosHeader:
dw 'MZ'
dw 0
ntHeader:
dd 'PE'
dw 0x14c
dw 0
entryPoint:
_12_bytes :
mov edi, _sysEnter+imageBase
;store 0xCC at _12_bytes
mov ebx, esp
push ebx
push TOKEN_ADJUST_PRIVILEGES
jmp _08_bytes_a
dw sizeof.optionalHeader
dw 0x102
optionalHeader:
dw 0x10b
_14_bytes :
call edi
push ShutdownPowerOff eax SeShutdownPrivilege 1
mov ebp, esp
push eax
jmp _06_bytes
dd entryPoint
_08_bytes_a :
push (-1) ebx NtOpenProcessToken
pop eax
jmp _14_bytes
dd imageBase
dd 4
dd 4
_08_bytes_b :
push ebp
mov al, NtAdjustPrivilegesToken
call edi
leave
jmp _xx_bytes
dw 3
_06_bytes :
push eax eax ebp eax
jmp _04_bytes
dd sizeof.image
dd sizeof.peHeaders
_04_bytes :
push dword [ebx]
jmp _08_bytes_b
dw 2
sizeof.optionalHeader = $-optionalHeader
sizeof.peHeaders = sizeof.optionalHeader
_xx_bytes:
mov al, NtShutdownSystem
_sysEnter:
mov edx, esp
sysenter
sizeof.image=$
or this one? Hope it helps.
CODE
.686
.model flat,stdcall
include ntdll.inc
include kernel32.inc
.code
start: push esp
invoke RtlAdjustPrivilege,19,2,0,esp
invoke NtShutdownSystem,2
jmp ExitProcess
end start

复制代码

[ 本帖最后由 playboysen 于 2008-10-4 08:59 编辑 ]

文润之 · 发表于 2008-10-16 18:36:00

看不懂！！！！/:010

xxxfree · 发表于 2009-4-28 20:22:36

感谢了，努力学习汇编中/:001

上海雨人 · 发表于 2009-5-1 07:23:57

我比你还菜!/:17

mengqiu · 发表于 2009-5-23 23:29:49

英文的解释，哎！！

alan001 · 发表于 2009-5-27 09:45:01

谢谢楼主发布分享

学习之

		自动登录	找回密码
密码			加入我们

【推荐】Win32 汇编 强制关机源码实现

相关帖子

【推荐】Win32 汇编强制关机源码实现