
Untitled

a guest
Sep 24th, 2016
  1. format PE64 GUI 5.0
  2. entry start
  3.  
  4. include 'win64a.inc'
  5.  
  6. section '.data' data readable writeable
  7.  
  8. struct CLIENT_SHELL
  9.  
  10.   .ddsocket                dd ?
  11.   .ddport                  dd ?
  12.   .dbsync                  db ?
  13.  
  14. ends
  15.  
  16. struct SECURITY_ATTRIBUTES
  17.         nLength                dd ?
  18.         lpSecurityDescriptor   dq ?
  19.         bInheritHandle         dd ?
  20. ends
  21.  
  22. start:
  23.  
  24. TOKEN_ADJUST_PRIVILEGES = 20h
  25. TOKEN_QUERY             = 8h
  26. SE_PRIVILEGE_ENABLED    = 2h
  27.  
  28. lpFileName              db 'C:\Windows\system32\test.exe'0
  29. dwDesiredAccess         = 80000000h + 40000000h 
  30. dwShareMode             =
  31. lpSecurityAttributes    =
  32. dwCreationDisposition   =
  33. dwFlagsAndAttributes    =
  34. hTemplateFile           =
  35.  
  36.  
  37. struct LUID
  38.   lowPart  dd ?
  39.   HighPart dq ?
  40. ends
  41.  
  42. struct LUID_AND_ATTRIBUTES
  43.   pLuid       LUID
  44.   Attributes  dd ?
  45. ends
  46.  
  47. struct _TOKEN_PRIVILEGES
  48.   PrivilegeCount   dd ?
  49.   Privileges       LUID_AND_ATTRIBUTES
  50. ends
  51.  
  52. TTokenHd dd ?
  53.  
  54. udtLUID  LUID
  55. tkp     _TOKEN_PRIVILEGES
  56.  
  57. SE_SHUTDOWN_NAME db 'SeShutdownPrivilege',0
  58.  
  59. section '.code' code readable executable
  60.  
  61.     stdcall    GetCurrentProcess
  62.  
  63.  
  64.     stdcall   OpenProcessToken,eax,TOKEN_ADJUST_PRIVILEGES+TOKEN_QUERY,TTokenHd
  65.     or        rax,rax
  66.     jz        loc_exit
  67.  
  68.  
  69.     stdcall   LookupPrivilegeValueA, NULL, SE_SHUTDOWN_NAME, udtLUID
  70.     or        rax,rax
  71.     jz        loc_exit
  72.  
  73.  
  74.     mov       [tkp.PrivilegeCount],1
  75.     mov       [tkp.Privileges.Attributes],SE_PRIVILEGE_ENABLED
  76.     mov       eax,[udtLUID.lowPart]
  77.     mov       [tkp.Privileges.pLuid.lowPart],eax
  78.     mov       rax,[udtLUID.HighPart]
  79.     mov       [tkp.Privileges.pLuid.HighPart],rax
  80.     stdcall    AdjustTokenPrivileges,[TTokenHd],0,tkp,0,0,0
  81.  
  82.     fastcall CreateFileA,lpFileName,dwDesiredAccess,dwShareMode,lpSecurityAttributes,\
  83.     dwCreationDisposition,dwFlagsAndAttributes,hTemplateFile
  84.  
  85.     fastcall Shell,666d
  86.  
  87. loc_exit:
  88.     ret
  89.  
  90. proc Shell,dwsock:DWORD
  91.  
  92.  
  93.          ret
  94. endp
  95.  
  96. section '.idata' import data readable writeable
  97.  
  98.   library kernel,'KERNEL32.DLL',\
  99.           advapi32,'ADVAPI32.DLL'
  100.  
  101.   import kernel,\
  102.          GetCurrentProcess,'GetCurrentProcess',\
  103.          GetTickCount,'GetTickCount',\
  104.          ExitProcess,'ExitProcess',\
  105.          CreateFileA,'CreateFileA'
  106.  
  107.   import advapi32,\
  108.          OpenProcessToken,'OpenProcessToken',\
  109.          LookupPrivilegeValueA,'LookupPrivilegeValueA',\
  110.          AdjustTokenPrivileges,'AdjustTokenPrivileges'