本文作为《Win32汇编实现提升进程Debug权限的两种方法》的姊妹篇发布,希望在需要的时候为大家提供参考。
(声明:魏滔序原创,转贴请注明出处。)
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; Win32汇编实现判断进程是否拥有某特殊权限
; Programmed by 魏滔序
; WebSite: http://www.chenoe.com
; Blog: http://blog.youkuaiyun.com/Modest
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
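;------------------------------------------------------------------------------
; Assembler / ABI: MASM (MASM32 include set), Intel syntax, 32-bit flat model,
; stdcall. Win32 only: uses advapi32 (OpenProcessToken, GetTokenInformation)
; and kernel32 (GlobalAlloc / GlobalFree / CloseHandle).
;------------------------------------------------------------------------------
.486
.model flat,stdcall
option casemap:none
include windows.inc
include kernel32.inc
include Advapi32.inc
includelib kernel32.lib
includelib Advapi32.lib
.code
; NOTE(review): "End Start" below names this label as the program entry point,
; but the label sits directly on IsPrivilege PROC, so a linked EXE would enter
; IsPrivilege with no valid arguments on the stack. Treat this listing as a
; library routine to be called from real code, not as a standalone program.
Start: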
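;------------------------------------------------------------------------------
; BOOL IsPrivilege(HANDLE hProcess, DWORD dwPrivilege)
;
; Answers: does the primary token of hProcess hold the privilege whose
; LUID.LowPart equals dwPrivilege, and is that privilege ENABLED right now?
;
; In:   hProcess    - process handle; OpenProcessToken needs it opened with
;                     PROCESS_QUERY_INFORMATION (or *_LIMITED_INFORMATION).
;       dwPrivilege - LowPart of the privilege LUID (e.g. the value filled in
;                     by LookupPrivilegeValue). HighPart is not compared,
;                     matching the original; built-in privileges have
;                     HighPart == 0, so this is sufficient for them.
; Out:  EAX = TRUE  - privilege present AND SE_PRIVILEGE_ENABLED set
;       EAX = FALSE - privilege absent, present-but-disabled, or any API
;                     failure (OpenProcessToken / GetTokenInformation /
;                     GlobalAlloc). Failures are reported as "no", never
;                     as "yes" (fail closed).
; Clobbers: EAX, ECX, EDX, flags (stdcall). EBX/ESI/EDI untouched.
; Resources: the token handle and the GlobalAlloc buffer are released on
;            every return path (the original leaked both on several paths).
;
; Semantics change vs. original: the original treated Attributes != 0 as
; "has privilege". That also matches SE_PRIVILEGE_ENABLED_BY_DEFAULT, which
; stays set after AdjustTokenPrivileges disables the privilege, i.e. it could
; report TRUE for a privilege the process can no longer use. Only
; SE_PRIVILEGE_ENABLED is tested here. Callers who want "present, enabled
; or not" must inspect the token themselves.
;------------------------------------------------------------------------------
IsPrivilege PROC hProcess:DWORD, dwPrivilege:DWORD
    LOCAL hToken:DWORD
    LOCAL BufferSize:DWORD
    LOCAL pInfoBuffer:DWORD
    LOCAL PrivilegeCount:DWORD
    LOCAL pEntry:DWORD
    LOCAL bResult:DWORD

    MOV bResult, FALSE              ; default answer; every failure keeps it
    MOV pInfoBuffer, NULL           ; lets the cleanup path free unconditionally
    MOV BufferSize, 0

    Invoke OpenProcessToken, hProcess, TOKEN_QUERY, ADDR hToken
    .If EAX == 0
        JMP ReturnResult            ; no token opened: nothing to release
    .EndIf

    ; Size query. Expected to fail with ERROR_INSUFFICIENT_BUFFER and return
    ; the needed size in BufferSize; BufferSize == 0 is the failure signal.
    Invoke GetTokenInformation, hToken, TokenPrivileges, NULL, 0, ADDR BufferSize
    .If BufferSize == 0
        JMP CloseToken
    .EndIf

    Invoke GlobalAlloc, GMEM_FIXED, BufferSize
    .If EAX == 0
        JMP CloseToken              ; allocation failed: fail closed
    .EndIf
    MOV pInfoBuffer, EAX

    Invoke GetTokenInformation, hToken, TokenPrivileges, pInfoBuffer, BufferSize, ADDR BufferSize
    .If EAX == 0
        JMP CloseToken
    .EndIf

    ; TOKEN_PRIVILEGES: DWORD PrivilegeCount; LUID_AND_ATTRIBUTES Privileges[].
    MOV EDX, pInfoBuffer
    MOV ECX, [EDX].TOKEN_PRIVILEGES.PrivilegeCount
    MOV PrivilegeCount, ECX
    LEA EDX, [EDX].TOKEN_PRIVILEGES.Privileges
    MOV pEntry, EDX

    ; Test-at-top loop: a token with zero privileges never reads Privileges[].
    ; (The original do/while read one entry past the buffer in that case.)
    .While PrivilegeCount != 0
        MOV EDX, pEntry
        MOV EAX, dwPrivilege
        .If [EDX].LUID_AND_ATTRIBUTES.Luid.LowPart == EAX
            ; A LUID occurs at most once per token, so decide here and stop.
            MOV EAX, [EDX].LUID_AND_ATTRIBUTES.Attributes
            AND EAX, SE_PRIVILEGE_ENABLED
            .If EAX != 0
                MOV bResult, TRUE
            .EndIf
            .Break
        .EndIf
        ADD pEntry, SIZEOF LUID_AND_ATTRIBUTES
        DEC PrivilegeCount
    .EndW

CloseToken:
    Invoke CloseHandle, hToken
    .If pInfoBuffer != NULL
        Invoke GlobalFree, pInfoBuffer
    .EndIf

ReturnResult:
    MOV EAX, bResult
    RET
IsPrivilege EndP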
End Start
; Win32汇编实现判断进程是否拥有某特殊权限
; Programmed by 魏滔序
; WebSite: http://www.chenoe.com
; Blog: http://blog.youkuaiyun.com/Modest
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
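;------------------------------------------------------------------------------
; Assembler / ABI: MASM (MASM32 include set), Intel syntax, 32-bit flat model,
; stdcall. Win32 only: uses advapi32 (OpenProcessToken, GetTokenInformation)
; and kernel32 (GlobalAlloc / GlobalFree / CloseHandle).
;------------------------------------------------------------------------------
.486
.model flat,stdcall
option casemap:none
include windows.inc
include kernel32.inc
include Advapi32.inc
includelib kernel32.lib
includelib Advapi32.lib
.code
; NOTE(review): "End Start" below names this label as the program entry point,
; but the label sits directly on IsPrivilege PROC, so a linked EXE would enter
; IsPrivilege with no valid arguments on the stack. Treat this listing as a
; library routine to be called from real code, not as a standalone program.
Start: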
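;------------------------------------------------------------------------------
; BOOL IsPrivilege(HANDLE hProcess, DWORD dwPrivilege)
;
; Answers: does the primary token of hProcess hold the privilege whose
; LUID.LowPart equals dwPrivilege, and is that privilege ENABLED right now?
;
; In:   hProcess    - process handle; OpenProcessToken needs it opened with
;                     PROCESS_QUERY_INFORMATION (or *_LIMITED_INFORMATION).
;       dwPrivilege - LowPart of the privilege LUID (e.g. the value filled in
;                     by LookupPrivilegeValue). HighPart is not compared,
;                     matching the original; built-in privileges have
;                     HighPart == 0, so this is sufficient for them.
; Out:  EAX = TRUE  - privilege present AND SE_PRIVILEGE_ENABLED set
;       EAX = FALSE - privilege absent, present-but-disabled, or any API
;                     failure (OpenProcessToken / GetTokenInformation /
;                     GlobalAlloc). Failures are reported as "no", never
;                     as "yes" (fail closed).
; Clobbers: EAX, ECX, EDX, flags (stdcall). EBX/ESI/EDI untouched.
; Resources: the token handle and the GlobalAlloc buffer are released on
;            every return path (the original leaked both on several paths).
;
; Semantics change vs. original: the original treated Attributes != 0 as
; "has privilege". That also matches SE_PRIVILEGE_ENABLED_BY_DEFAULT, which
; stays set after AdjustTokenPrivileges disables the privilege, i.e. it could
; report TRUE for a privilege the process can no longer use. Only
; SE_PRIVILEGE_ENABLED is tested here. Callers who want "present, enabled
; or not" must inspect the token themselves.
;------------------------------------------------------------------------------
IsPrivilege PROC hProcess:DWORD, dwPrivilege:DWORD
    LOCAL hToken:DWORD
    LOCAL BufferSize:DWORD
    LOCAL pInfoBuffer:DWORD
    LOCAL PrivilegeCount:DWORD
    LOCAL pEntry:DWORD
    LOCAL bResult:DWORD

    MOV bResult, FALSE              ; default answer; every failure keeps it
    MOV pInfoBuffer, NULL           ; lets the cleanup path free unconditionally
    MOV BufferSize, 0

    Invoke OpenProcessToken, hProcess, TOKEN_QUERY, ADDR hToken
    .If EAX == 0
        JMP ReturnResult            ; no token opened: nothing to release
    .EndIf

    ; Size query. Expected to fail with ERROR_INSUFFICIENT_BUFFER and return
    ; the needed size in BufferSize; BufferSize == 0 is the failure signal.
    Invoke GetTokenInformation, hToken, TokenPrivileges, NULL, 0, ADDR BufferSize
    .If BufferSize == 0
        JMP CloseToken
    .EndIf

    Invoke GlobalAlloc, GMEM_FIXED, BufferSize
    .If EAX == 0
        JMP CloseToken              ; allocation failed: fail closed
    .EndIf
    MOV pInfoBuffer, EAX

    Invoke GetTokenInformation, hToken, TokenPrivileges, pInfoBuffer, BufferSize, ADDR BufferSize
    .If EAX == 0
        JMP CloseToken
    .EndIf

    ; TOKEN_PRIVILEGES: DWORD PrivilegeCount; LUID_AND_ATTRIBUTES Privileges[].
    MOV EDX, pInfoBuffer
    MOV ECX, [EDX].TOKEN_PRIVILEGES.PrivilegeCount
    MOV PrivilegeCount, ECX
    LEA EDX, [EDX].TOKEN_PRIVILEGES.Privileges
    MOV pEntry, EDX

    ; Test-at-top loop: a token with zero privileges never reads Privileges[].
    ; (The original do/while read one entry past the buffer in that case.)
    .While PrivilegeCount != 0
        MOV EDX, pEntry
        MOV EAX, dwPrivilege
        .If [EDX].LUID_AND_ATTRIBUTES.Luid.LowPart == EAX
            ; A LUID occurs at most once per token, so decide here and stop.
            MOV EAX, [EDX].LUID_AND_ATTRIBUTES.Attributes
            AND EAX, SE_PRIVILEGE_ENABLED
            .If EAX != 0
                MOV bResult, TRUE
            .EndIf
            .Break
        .EndIf
        ADD pEntry, SIZEOF LUID_AND_ATTRIBUTES
        DEC PrivilegeCount
    .EndW

CloseToken:
    Invoke CloseHandle, hToken
    .If pInfoBuffer != NULL
        Invoke GlobalFree, pInfoBuffer
    .EndIf

ReturnResult:
    MOV EAX, bResult
    RET
IsPrivilege EndP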
End Start