Ring0VBA - Getting Ring0 Using a Goddamn Word Document

Jirehlov1234

https://disrel.com/posts/Ring0VB ... damn-Word-Document/

https://github.com/DISREL/Ring0VBA

wowocock

NTSTATUS __fastcall ZmnHmZwOpenProcess(void **a1, ACCESS_MASK a2, struct _OBJECT_ATTRIBUTES *a3, struct _CLIENT_ID *a4)
{
  __int64 v4; // rcx
  NTSTATUS result; // eax
  KPROCESSOR_MODE v6; // [rsp+30h] [rbp-18h]
  NTSTATUS v7; // [rsp+34h] [rbp-14h]

  v6 = ExGetPreviousMode();
  if ( (unsigned int)ZmnHmKeSetPreviousMode(0i64) )
  {
    DnsPrint_RpcZoneInfo(
      1,
      (unsigned int)"HookManager\\HookManager.c",
      1360,
      (unsigned int)"ZmnHmZwOpenProcess",
      0,
      "ZmnHmZwOpenProcess calling Nt* routine");
    v7 = NtOpenProcess(a1, a2, a3, a4);
    LOBYTE(v4) = v6;
    ZmnHmKeSetPreviousMode(v4);
    result = v7;
  }
  else
  {
    DnsPrint_RpcZoneInfo(
      1,
      (unsigned int)"HookManager\\HookManager.c",
      1370,
      (unsigned int)"ZmnHmZwOpenProcess",
      0,
      "ZmnHmZwOpenProcess calling Zw* routine");
    result = ZwOpenProcess(a1, a2, a3, a4);
  }
  return result;
}
看了下将ETHREAD里的PreviousMode强行设为0的内核模式，来绕过一些保护，打开WINLOGON进程句柄，然后创建远线程做事。

tdsskiller

zam64啊？这个驱动最近大手子已经公开了，但是是外{过}{滤}挂不过从word日出去还是挺抽象的