[Discussion] One possible way to avoid UAC in Windows Vista
Topic author: rodream   Source: rootkit.com
Author's site: [url]http://rodream.net[/url]
My English is not good, but I'm interested in this. Everyone is welcome to test it.
Windows Vista has the UAC function, and it protects against harmful file system operations such as copying a file into the Windows directory or Program Files.
Users can turn off UAC, but people cannot do this because they don't know about it or want to protect the system.
In this situation, many system programmers have got a headache. I wanted to know how to kick out this damn protection.
Finally, I found one way to kick it out.
The method which I found is to use a Native Application.
A Native Application is a user-mode program which uses ntdll.dll and runs like autochk.exe (the Windows NT version of scandisk).
You can get additional information from SysInternals ([url]http://www.microsoft.com/technet/sysinternals/information/nativeapplications.mspx[/url]).
You can set up a Native Application on your system through the registry. The following instructions show how to install a Native Application on your system.
Instructions (How to install):
1. Run regedit.exe
2. Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
3. Edit BootExecute (a REG_MULTI_SZ value) like this:
-< BootExecute Value >------------
autocheck autochk *
NativeTest test!!!
-< BootExecute Value >------------
4. Copy the NativeTest.exe file to 'C:\Windows\system32' (copy NativeTest.exe C:\Windows\System32\NativeTest.exe)
NativeTest.exe is the sample code's output file name.
But a Native Application is not the same as a normal application or a device driver. It has some features that differ from the others.
The following requirements are the differences.
The requirements are:
1. A Native Application requires the DDK to compile successfully.
2. You can use only ntdll.dll's functions. You can't use any Win32 function.
3. You can't access the whole registry, because when the Native Application executes the system hasn't loaded the whole registry yet. (You can use HKLM\SYSTEM.)
4. You must set up the heap memory space manually.
These problems are not hard. I think it's easy for you (rootkit users).
When you have finished coding, you can compile it from the Windows DDK console with the 'build' command.
The 'SOURCES' file in my sample code lists all the source files. If you want to add some files of your own, you can edit it.
The sample code consists of some functions which control the registry (NtReg.c, NtReg.h) and the file system (NtFile.c, NtFile.h).
If you use the sample code, it sets up the heap memory space, so you can use heap memory without manual setup. :)
This is a simple function tree of the sample code.
(native.c)
- NtProcessStartup (entry point)
- UserMain (User main)
- RemoveEntryFromBootExecute (remove entry from bootexecute registry entry)
- FileTest (file access test)
This is my sample source code.
Thanks for reading, and sorry for my English skill.
Who will translate this? Looking at the code makes me itch, and I want to see what the original says. Let's each translate one sentence.
I'll translate one sentence first.
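The manual regedit steps in the post (edit BootExecute, copy the image into System32) can be scripted and checked before rebooting. The block below is an added example and is not rodream's code or part of the sample package; it assumes an elevated (administrator) PowerShell session, because HKLM\SYSTEM\...\Session Manager and System32 are writable only by administrators, and it assumes NativeTest.exe sits next to the script. The entry text 'NativeTest test!!!' and the image name are the ones from the post; the removal function mirrors the RemoveEntryFromBootExecute step in the post's function tree for the case where the native program does not clean up after itself.

```powershell
# Added example (not rodream's code): install or remove a BootExecute entry for a
# native application, following the manual regedit steps from the post.
# Assumptions: run from an elevated PowerShell (HKLM\SYSTEM and System32 need
# administrator rights); NativeTest.exe is the DDK build output next to this script.

$SessionManager = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$ValueName      = 'BootExecute'

function Get-BootExecute {
    # REG_MULTI_SZ comes back as string[]; force an array even when only one entry exists.
    [string[]](Get-ItemProperty -Path $SessionManager -Name $ValueName).$ValueName
}

function Add-BootExecuteEntry {
    param([Parameter(Mandatory)][string]$Entry)
    $current = Get-BootExecute
    if ($current -contains $Entry) {
        Write-Warning "Entry already present: $Entry"
        return
    }
    # Append after the existing entries so 'autocheck autochk *' keeps running first.
    $updated = $current + $Entry
    Set-ItemProperty -Path $SessionManager -Name $ValueName -Value $updated -Type MultiString
}

function Remove-BootExecuteEntry {
    param([Parameter(Mandatory)][string]$Entry)
    $updated = [string[]](Get-BootExecute | Where-Object { $_ -ne $Entry })
    Set-ItemProperty -Path $SessionManager -Name $ValueName -Value $updated -Type MultiString
}

# Step 4 of the post: the image must live in System32, where the Session Manager
# looks for BootExecute programs (the entry names 'NativeTest' without a path).
$Source      = Join-Path $PSScriptRoot 'NativeTest.exe'          # assumed build output location
$Destination = Join-Path $env:SystemRoot 'System32\NativeTest.exe'
Copy-Item -Path $Source -Destination $Destination

# Step 3 of the post: register the entry with its argument.
Add-BootExecuteEntry -Entry 'NativeTest test!!!'

# Check before rebooting: expect 'autocheck autochk *' first and our entry last.
Get-BootExecute

# If the native program does not remove its own entry (RemoveEntryFromBootExecute
# in the post's function tree), take it out again from here:
# Remove-BootExecuteEntry -Entry 'NativeTest test!!!'
```

Because the Session Manager runs BootExecute entries in order, keep the autochk line first; a typo in the entry name means smss.exe simply cannot find the image at boot, so reading the value back with Get-BootExecute before rebooting is the cheapest check.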
-------------------------------------------------------------------------------------------------------------------
Thanks for reading and sorry for my English skill
Thank you so much for coming all this way to look at this thing of mine; it's just that, sorry, my English isn't very hot~
-------------------------------------------------------------------------------------------------------------------
PS: Actually, you can go to Google's translation site. Although many of the translations are wrong, you can basically understand it.
URL: [url]http://translate.google.com/translate_t[/url]
Unfortunately it's still not perfect. A native application is restricted after all, and it also seems to require a reboot.