<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html><head><title>A Perfect Solution for Obtaining SYSTEM Privileges from the Administrators Group</title><meta http-equiv="Content-Type" content="text/html; charset=gb2312"><link rel="stylesheet" href="../../css/plone.css" type="text/css"></head><body bgcolor="#FFFFFF" text="#000000"><table class="columns">
<tr>
<td class="main">
<h1>A Perfect Solution for Obtaining SYSTEM Privileges from the Administrators Group</h1><br>Created: 2005-04-28<br>Article type: Original<br>Submitted by: <a href='https://www.xfocus.net/bbs/index.php?lang=cn&act=Profile&do=03&MID=35303'>suei8423</a> (suei8423_at_163.com)<br><br>A Perfect Solution for Obtaining SYSTEM Privileges from the Administrators Group<br />
<br />
Author : ZwelL<br />
Blog : <a href='http://www.donews.net/zwell' target='_blank'>http://www.donews.net/zwell</a><br />
Date : 2005.4.28<br />
<br />
There are already quite a few methods for a member of the Administrators group to obtain SYSTEM privileges.<br />
Brother Xiao Si has mentioned some of them in "MSDN Series (3): Obtaining SYSTEM Privileges Directly as an Administrator User" and "Obtaining SYSTEM Privileges, Remote Thread Injection Edition".<br />
Here, standing on the shoulders of those who came before, I will first list some workable methods:<br />
<br />
1. "Create a SYSTEM token yourself with ZwCreateToken()" <br />
2. Hook the process-creation function ZwCreateProcess(Ex) and create the process under winlogon's ID<br />
3. Remote thread insertion: inject a thread into a system process and have it create a new process<br />
<br />
All three methods above were mentioned by scz, and each has some problems. Beyond these, we can also:<br />
4. Turn the program into a service and have it run a new process with parameters<br />
<br />
As a service it already runs as SYSTEM, so any process it creates also has SYSTEM privileges.<br />
<br />
Of course, I will not use any of the methods above here, since ready-made implementation code for them can be found online; and given their complexity and the problems they have, none of them is a very good solution.<br />
<br />
Here I present two new approaches to achieve this:<br />
<br />
First method. Let us first look at how the system performs its privilege check.<br />
As an example, when OpenProcessToken is called, we know that a privilege check takes place:<br />
OpenProcessToken -> NtOpenProcessToken -> PsOpenTokenOfProcess -> PsReferencePrimaryToken -> find this line: Token = Process->Token;<br />
|-> ObOpenObjectByPointer then performs the check using the TOKEN returned above<br />
<br />
In other words, when checking privileges the system simply takes the Token field out of the process's EPROCESS structure and operates on it, so there is no need to follow ObOpenObjectByPointer any further.<br />
The idea is now obvious: take the System process's Token and put it in the Token slot of our own process. The system will then consider us to have SYSTEM privileges,<br />
and any child process our process creates will have SYSTEM privileges as well. (For the analysis above, refer to the Windows source code... ^_^)<br />
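The observable side effect of the idea just described is that two EPROCESS entries end up pointing at one _TOKEN object, which is exactly what a memory-forensics pass can look for. The following is an added example, not code from the original article: it runs an offline check over a constructed process snapshot (all PIDs, image names, SIDs and addresses are made up) and flags any process whose EPROCESS.Token matches the System process's token object, plus the weaker heuristic of a SYSTEM process whose parent is not SYSTEM. It assumes the 32-bit EX_FAST_REF layout (3 count bits in the pointer), which fits the Windows 2003 x86 offset used later in this article; on x64 the mask would be 0xF.<br />

```python
"""Offline check for EPROCESS token sharing in a process snapshot.

Added example (not from the original article). It models the observable
consequence of the technique described above: once the System process's
Token pointer has been copied into another process's EPROCESS, two processes
reference the same _TOKEN object, which a memory-forensics pass can flag.
All PIDs, names, SIDs and addresses below are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass

SYSTEM_PID = 4            # PID of the System process on NT-family Windows
SYSTEM_SID = "S-1-5-18"   # well-known SID of LocalSystem
# EPROCESS.Token is an EX_FAST_REF: the low bits hold a reference count and must
# be masked before pointer comparison. Assumption: 32-bit layout (3 bits), which
# matches the Windows 2003 x86 offset used in the article; x64 uses 4 bits.
EX_FAST_REF_MASK = 0x7


@dataclass(frozen=True)
class ProcessRecord:
    pid: int
    name: str
    parent_pid: int
    token_ptr: int    # raw EPROCESS.Token value as read from memory
    token_user: str   # user SID the token object reports


def normalize_token(ptr):
    """Strip the EX_FAST_REF count bits so pointers to one object compare equal."""
    return ptr & ~EX_FAST_REF_MASK


def find_shared_tokens(records):
    """Map token object address -> list of PIDs, keeping only addresses used by 2+ processes."""
    by_token = defaultdict(list)
    for r in records:
        by_token[normalize_token(r.token_ptr)].append(r.pid)
    return {addr: pids for addr, pids in by_token.items() if len(pids) > 1}


def flag_token_stealing(records):
    """Return sorted (pid, name, reason) findings for processes that look token-stolen.

    Check 1: a process whose EPROCESS.Token points at the System process's token object.
    Check 2: a process running as SYSTEM whose parent runs as a non-SYSTEM user
             (a heuristic; review hits against the known elevation paths on the host).
    """
    by_pid = {r.pid: r for r in records}
    system = by_pid.get(SYSTEM_PID)
    findings = []
    if system is None:
        return findings
    system_token = normalize_token(system.token_ptr)
    for r in records:
        if r.pid != SYSTEM_PID and normalize_token(r.token_ptr) == system_token:
            findings.append((r.pid, r.name, "EPROCESS.Token identical to System process token"))
    for r in records:
        parent = by_pid.get(r.parent_pid)
        if r.token_user == SYSTEM_SID and parent is not None and parent.token_user != SYSTEM_SID:
            findings.append((r.pid, r.name,
                             f"SYSTEM token but parent {parent.pid} runs as {parent.token_user}"))
    return sorted(findings)


# Constructed snapshot: PID 2044 has had the System token pointer written into its
# EPROCESS (same object address, different EX_FAST_REF count bits) and has spawned
# a SYSTEM cmd.exe (PID 2100) that received its own duplicated primary token.
SAMPLE_SNAPSHOT = [
    ProcessRecord(4,    "System",       0,    0x8A3F1E0B, SYSTEM_SID),
    ProcessRecord(480,  "smss.exe",     4,    0x8A3C2B41, SYSTEM_SID),
    ProcessRecord(640,  "winlogon.exe", 480,  0x8A3A9D62, SYSTEM_SID),
    ProcessRecord(1200, "explorer.exe", 1100, 0x8A2D0F23, "S-1-5-21-1000-2000-3000-500"),
    ProcessRecord(1500, "cmd.exe",      1200, 0x8A1122C1, "S-1-5-21-1000-2000-3000-500"),
    ProcessRecord(2044, "suspect.exe",  1500, 0x8A3F1E0A, SYSTEM_SID),
    ProcessRecord(2100, "cmd.exe",      2044, 0x8A0B7783, SYSTEM_SID),
]

if __name__ == "__main__":
    for pid, name, reason in flag_token_stealing(SAMPLE_SNAPSHOT):
        print(f"pid {pid} ({name}): {reason}")
```

The pointer comparison is the strong signal: a legitimately created process always owns a distinct token object (CreateProcess duplicates the parent's primary token), so two EPROCESS entries sharing one token address only happens when the field was overwritten. The parent-user heuristic is weaker and is there to catch the child processes the article says inherit SYSTEM.<br />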
<br />
Implementation code:<br />
===========================================================================================================<br />
#include<windows.h><br />
#include<stdio.h><br />
#include<Accctrl.h><br />
#include<Aclapi.h><br />
<br />
#define TOKEN_OFFSET 0xc8 // On Windows 2003 this is 0xc8; on other versions, change it<br />
#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)<br />
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)<br />
#define STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022L)<br />
<br />
typedef LONG NTSTATUS;<br />
typedef struct _IO_STATUS_BLOCK<br />
{<br />
NTSTATUS Status;<br />
ULONG Information;<br />
} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;<br />
<br />
typedef struct _UNICODE_STRING<br />
{<br />
USHORT Length;<br />
USHORT MaximumLength;<br />
PWSTR Buffer;<br />
} UNICODE_STRING, *PUNICODE_STRING;<br />
<br />
#define OBJ_INHERIT 0x00000002L<br />
#define OBJ_PERMANENT 0x00000010L<br />
#define OBJ_EXCLUSIVE 0x00000020L<br />
#define OBJ_CASE_INSENSITIVE 0x00000040L<br />
#define OBJ_OPENIF 0x00000080L<br />
#define OBJ_OPENLINK 0x00000100L<br />
#define OBJ_KERNEL_HANDLE 0x00000200L<br />
#define OBJ_VALID_ATTRIBUTES 0x000003F2L<br />
<br />
typedef struct _OBJECT_ATTRIBUTES<br />
{<br />
ULONG Length;<br />
HANDLE RootDirectory;<br />
PUNICODE_STRING ObjectName;<br />
ULONG Attributes;<br />
PVOID SecurityDescriptor;<br />
PVOID SecurityQualityOfService;<br />
} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES; <br />
<br />
typedef struct _SYSTEM_MODULE_INFORMATION<br />
{<br />
ULONG Reserved[2];<br />
PVOID Base;<br />
ULONG Size;<br />
ULONG Flags;<br />
USHORT Index;<br />
USHORT Unknown;<br />
USHORT LoadCount;<br />
USHORT ModuleNameOffset;<br />
CHAR ImageName[256];<br />
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;<br />
<br />
typedef enum _SYSTEM_INFORMATION_CLASS<br />
{<br />
SystemBasicInformation,<br />
SystemProcessorInformation,<br />
SystemPerformanceInformation,<br />
SystemTimeOfDayInformation,<br />
SystemNotImplemented1,<br />
SystemProcessesAndThreadsInformation,<br />
SystemCallCounts,<br />
SystemConfigurationInformation,<br />
SystemProcessorTimes,<br />
SystemGlobalFlag,<br />
SystemNotImplemented2,<br />
SystemModuleInformation,<br />
SystemLockInformation,<br />
SystemNotImplemented3,<br />
SystemNotImplemented4,<br />
SystemNotImplemented5,<br />
SystemHandleInformation,<br />
SystemObjectInformation,<br />
SystemPagefileInformation,<br />
SystemInstructionEmulationCounts,<br />
SystemInvalidInfoClass1,<br />
SystemCacheInformation,<br />
SystemPoolTagInformation,<br />
SystemProcessorStatistics,<br />
SystemDpcInformation,<br />
SystemNotImplemented6,<br />
SystemLoadImage,<br />
SystemUnloadImage,<br />
SystemTimeAdjustment,<br />
SystemNotImplemented7,<br />
SystemNotImplemented8,<br />
SystemNotImplemented9,<br />
SystemCrashDumpInformation,<br />
SystemExceptionInformation,<br />
SystemCrashDumpStateInformation,<br />
SystemKernelDebuggerInformation,<br />
SystemContextSwitchInformation,<br />
SystemRegistryQuotaInformation,<br />
SystemLoadAndCallImage,<br />
SystemPrioritySeparation,<br />
SystemNotImplemented10,<br />