<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html><head><title>管理員組獲取系統(tǒng)權(quán)限的完美解決方案 </title><meta http-equiv="Content-Type" content="text/html; charset=gb2312"><meta name="Keywords" content="安全焦點(diǎn), xfocus, 陷阱網(wǎng)絡(luò), honeynet, honeypot, 調(diào)查取證, forensic, 入侵檢測(cè), intrusion detection, 無(wú)線安全, wireless security, 安全論壇, security forums, 安全工具, security tools, 攻擊程序, exploits, 安全公告, security advisories, 安全漏洞, security vulnerabilities, 安全教程, security tutorials, 安全培訓(xùn), security training, 安全幫助, security help, 安全標(biāo)準(zhǔn), security standards, 安全代碼, security code, 安全資源, security resources, 安全編程, security programming, 加密, cryptography," /><link rel="stylesheet" href="../../css/plone.css" type="text/css"></head><body bgcolor="#FFFFFF" text="#000000"><div class="top">  <div class="searchBox">    <form name="searchform" action="http://www.google.com/search" method="get">      <input type="hidden" name="domains" value="www.xfocus.net">      <input type="hidden" name="sitesearch" value="www.xfocus.net">      <input type="text" name="q" size="20">      <input type="submit" name="btnG" value="Google Search">    </form>  </div>  <img src="../../images/logo.gif" border="0" width="180" height="80" alt="xfocus logo">  <img src="../../images/title.gif" border="0" width="230" height="20" alt="xfocus title"></div><div class="tabs">  <a href="../../index.html" class="plain">首頁(yè)</a>  <a href="../../releases/index.html" class="plain">焦點(diǎn)原創(chuàng)</a>  <a href="../../articles/index.html" class="selected">安全文摘</a>  <a href="../../tools/index.html" class="plain">安全工具</a>  <a href="../../vuls/index.html" class="plain">安全漏洞</a>  <a href="../../projects/index.html" class="plain">焦點(diǎn)項(xiàng)目</a>  <a href="https://www.xfocus.net/bbs/index.php?lang=cn" class="plain">焦點(diǎn)論壇</a>  <a href="../../about/index.html" class="plain">關(guān)于我們</a></div><div class="personalBar">  <a href='https://www.xfocus.net/php/add_article.php'>添加文章</a> <a href='http://www.xfocus.org/'>English Version</a></div><table class="columns">
  <tr>
    <td class="left">
<div class="box">
  <h5>&nbsp;文章分類&nbsp;</h5>
  <div class="body">
    <div class="content odd">
       <div style="white-space: nowrap;">
	    <img src='../../images/folder_icon.gif' border='0'> <a href='../../articles/4.html'><b>專題文章 <<</b></a><br><img src='../../images/folder_icon.gif' border='0'> <a href='../../articles/2.html'>漏洞分析</a><br><img src='../../images/folder_icon.gif' border='0'> <a href='../../articles/3.html'>安全配置</a><br><img src='../../images/folder_icon.gif' border='0'> <a href='../../articles/1.html'>黑客教學(xué)</a><br><img src='../../images/folder_icon.gif' border='0'> <a href='../../articles/5.html'>編程技術(shù)</a><br><img src='../../images/folder_icon.gif' border='0'> <a href='../../articles/7.html'>工具介紹</a><br><img src='../../images/folder_icon.gif' border='0'> <a href='../../articles/6.html'>火墻技術(shù)</a><br><img src='../../images/folder_icon.gif' border='0'> <a href='../../articles/8.html'>入侵檢測(cè)</a><br><img src='../../images/folder_icon.gif' border='0'> <a href='../../articles/9.html'>破解專題</a><br><img src='../../images/folder_icon.gif' border='0'> <a href='../../articles/11.html'>焦點(diǎn)公告</a><br><img src='../../images/folder_icon.gif' border='0'> <a href='../../articles/12.html'>焦點(diǎn)峰會(huì)</a><br>
       </div>
	    
    </div>
  </div>
</div>

<div class="box">
  <h5>&nbsp;文章推薦&nbsp;</h5>
  <div class="body">
    <div class="content odd">
	    <img src='../../images/document_icon.gif' border='0'> <a href='../../articles/200408/733.html'>補(bǔ)丁管理最佳安全實(shí)踐之資產(chǎn)評(píng)估</a><br><img src='../../images/document_icon.gif' border='0'> <a href='../../articles/200404/689.html'>國(guó)內(nèi)網(wǎng)絡(luò)安全風(fēng)險(xiǎn)評(píng)估市場(chǎng)與技術(shù)操作</a><br><img src='../../images/document_icon.gif' border='0'> <a href='../../articles/200410/743.html'>協(xié)作的信息系統(tǒng)風(fēng)險(xiǎn)評(píng)估</a><br>
    </div>
  </div>
</div>
	</td>
    <td class="main">
	  <h1>管理員組獲取系統(tǒng)權(quán)限的完美解決方案</h1><br>創(chuàng)建時(shí)間：2005-04-28<br>文章屬性：原創(chuàng)<br>文章提交：<a href='https://www.xfocus.net/bbs/index.php?lang=cn&act=Profile&do=03&MID=35303'>suei8423</a> (suei8423_at_163.com)<br><br>管理員組獲取系統(tǒng)權(quán)限的完美解決方案<br />
<br />
Author : ZwelL<br />
Blog&nbsp;&nbsp; : <a href='http://www.donews.net/zwell' target='_blank'>http://www.donews.net/zwell</a><br />
Date&nbsp;&nbsp; : 2005.4.28<br />
<br />
&nbsp;&nbsp;&nbsp;&nbsp;關(guān)于管理員組(administrators)獲取系統(tǒng)(SYSTEM)權(quán)限的方法其實(shí)已經(jīng)有很多種了.<br />
小四哥就提到了一些:&quot;MSDN系列(3)--Administrator用戶直接獲取SYSTEM權(quán)限&quot;和&quot;遠(yuǎn)程線程注入版獲取SYSTEM權(quán)限&quot;.<br />
這里,我先踩在前輩的肩上列一些可行的方法:<br />
<br />
1. &quot;利用ZwCreateToken()自己創(chuàng)建一個(gè)SYSTEM令牌(Token)&quot; <br />
2. HOOK掉創(chuàng)建進(jìn)程的函數(shù)ZwCreateProcess(Ex),用winlogon ID 創(chuàng)建<br />
3. 遠(yuǎn)線程插入，插入線程到系統(tǒng)進(jìn)程，創(chuàng)建一新進(jìn)程<br />
<br />
這上面三種方法都是scz提到的,也存在一些問(wèn)題.其實(shí)除此這外,我們還可以:<br />
4. 將程序做成服務(wù)，帶參數(shù)運(yùn)行新進(jìn)程<br />
<br />
做為服務(wù)來(lái)講就是SYSTEM了,再創(chuàng)建的進(jìn)程也是SYSTEM權(quán)限.<br />
<br />
當(dāng)然,這里我都不會(huì)用到上面提到的方法.因?yàn)榫W(wǎng)上都能找到現(xiàn)成的實(shí)現(xiàn)代碼.而且考慮一些復(fù)雜性以及存在的一些問(wèn)題都不是很好的解決方案.<br />
<br />
這里,我拿出兩種新的方案來(lái)實(shí)現(xiàn)該功能:<br />
<br />
第一種方法.我們先來(lái)看一下系統(tǒng)是如何進(jìn)行權(quán)限檢測(cè)的，<br />
舉個(gè)例子,在調(diào)用了OpenProcessToken,我們知道會(huì)進(jìn)行權(quán)限的驗(yàn)證：<br />
OpenProcessToken-&gt;NtOpenProcessToken－&gt;PsOpenTokenOfProcess-&gt;PsReferencePrimaryToken-&gt;找到這一句Token = Process-&gt;Token;<br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;|-&gt;ObOpenObjectByPointer調(diào)用上面返回的TOKEN進(jìn)行檢查<br />
<br />
也就是說(shuō)，系統(tǒng)在檢測(cè)權(quán)限時(shí)僅僅通過(guò)從進(jìn)程的EPROCESS結(jié)構(gòu)種拿出Token項(xiàng)進(jìn)行操作.因此我們不需要繼續(xù)往ObOpenObjectByPointer里面跟進(jìn)了。<br />
思路已經(jīng)很明顯：直接將System進(jìn)程的Token拿過(guò)來(lái)，放到我們進(jìn)程的Token位置。那么系統(tǒng)就認(rèn)為我們是SYSTEM權(quán)限.<br />
而這時(shí)我們的進(jìn)程創(chuàng)建的子進(jìn)程也就是SYSTEM權(quán)限了。(以上分析過(guò)程請(qǐng)參考WINDOWS源代碼...^_^)<br />
<br />
實(shí)現(xiàn)代碼:<br />
===========================================================================================================<br />
#include&lt;windows.h&gt;<br />
#include&lt;stdio.h&gt;<br />
#include&lt;Accctrl.h&gt;<br />
#include&lt;Aclapi.h&gt;<br />
<br />
#define TOKEN_OFFSET 0xc8 //In windows 2003, it&#39;s 0xc8, if others&#39; version, change it<br />
#define NT_SUCCESS(Status)&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;((NTSTATUS)(Status) &gt;= 0)<br />
#define STATUS_INFO_LENGTH_MISMATCH&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;((NTSTATUS)0xC0000004L)<br />
#define STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022L)<br />
<br />
typedef LONG&nbsp;&nbsp;NTSTATUS;<br />
typedef struct _IO_STATUS_BLOCK<br />
{<br />
&nbsp;&nbsp;&nbsp;&nbsp;NTSTATUS&nbsp;&nbsp;&nbsp;&nbsp;Status;<br />
&nbsp;&nbsp;&nbsp;&nbsp;ULONG&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Information;<br />
} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;<br />
<br />
typedef struct _UNICODE_STRING<br />
{<br />
&nbsp;&nbsp;&nbsp;&nbsp;USHORT&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Length;<br />
&nbsp;&nbsp;&nbsp;&nbsp;USHORT&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;MaximumLength;<br />
&nbsp;&nbsp;&nbsp;&nbsp;PWSTR&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Buffer;<br />
} UNICODE_STRING, *PUNICODE_STRING;<br />
<br />
#define OBJ_INHERIT&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0x00000002L<br />
#define OBJ_PERMANENT&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0x00000010L<br />
#define OBJ_EXCLUSIVE&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0x00000020L<br />
#define OBJ_CASE_INSENSITIVE&nbsp;&nbsp;&nbsp;&nbsp;0x00000040L<br />
#define OBJ_OPENIF&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;0x00000080L<br />
#define OBJ_OPENLINK&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;0x00000100L<br />
#define OBJ_KERNEL_HANDLE&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0x00000200L<br />
#define OBJ_VALID_ATTRIBUTES&nbsp;&nbsp;&nbsp;&nbsp;0x000003F2L<br />
<br />
typedef struct _OBJECT_ATTRIBUTES<br />
{<br />
&nbsp;&nbsp;&nbsp;&nbsp;ULONG&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Length;<br />
&nbsp;&nbsp;&nbsp;&nbsp;HANDLE&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;RootDirectory;<br />
&nbsp;&nbsp;&nbsp;&nbsp;PUNICODE_STRING ObjectName;<br />
&nbsp;&nbsp;&nbsp;&nbsp;ULONG&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Attributes;<br />
&nbsp;&nbsp;&nbsp;&nbsp;PVOID&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;SecurityDescriptor;<br />
&nbsp;&nbsp;&nbsp;&nbsp;PVOID&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;SecurityQualityOfService;<br />
} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;&nbsp;&nbsp;<br />
<br />
typedef struct _SYSTEM_MODULE_INFORMATION<br />
{<br />
&nbsp;&nbsp;&nbsp;&nbsp;ULONG Reserved[2];<br />
&nbsp;&nbsp;&nbsp;&nbsp;PVOID Base;<br />
&nbsp;&nbsp;&nbsp;&nbsp;ULONG Size;<br />
&nbsp;&nbsp;&nbsp;&nbsp;ULONG Flags;<br />
&nbsp;&nbsp;&nbsp;&nbsp;USHORT Index;<br />
&nbsp;&nbsp;&nbsp;&nbsp;USHORT Unknown;<br />
&nbsp;&nbsp;&nbsp;&nbsp;USHORT LoadCount;<br />
&nbsp;&nbsp;&nbsp;&nbsp;USHORT ModuleNameOffset;<br />
&nbsp;&nbsp;&nbsp;&nbsp;CHAR ImageName[256];<br />
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;<br />
<br />
typedef enum _SYSTEM_INFORMATION_CLASS<br />
{<br />
&nbsp;&nbsp;&nbsp;&nbsp;SystemBasicInformation,<br />
&nbsp;&nbsp;&nbsp;&nbsp;SystemProcessorInformation,<br />
&nbsp;&nbsp;&nbsp;&nbsp;SystemPerformanceInformation,<br />
&nbsp;&nbsp;&nbsp;&nbsp;SystemTimeOfDayInformation,<br />
&nbsp;&nbsp;&nbsp;&nbsp;SystemNotImplemented1,<br />
&nbsp;&nbsp;&nbsp;&nbsp;SystemProcessesAndThreadsInformation,<br />
&nbsp;&nbsp;&nbsp;&nbsp;SystemCallCounts,<br />
&nbsp;&nbsp;&nbsp;&nbsp;SystemConfigurationInformation,<br />
&nbsp;&nbsp;&nbsp;&nbsp;SystemProcessorTimes,<br />
&nbsp;&nbsp;&nbsp;&nbsp;SystemGlobalFlag,<br />
&nbsp;&nbsp;&nbsp;&nbsp;SystemNotImplemented2,<br />
&nbsp;&nbsp;&nbsp;&nbsp;SystemModuleInformation,<br />
&nbsp;&nbsp;&nbsp;&nbsp;SystemLockInformation,<br />
&nbsp;&nbsp;&nbsp;&nbsp;SystemNotImplemented3,<br />
&nbsp;&nbsp;&nbsp;&nbsp;SystemNotImplemented4,<br />
&nbsp;&nbsp;&nbsp;&nbsp;SystemNotImplemented5,<br />
&nbsp;&nbsp;&nbsp;&nbsp;SystemHandleInformation,<br />
&nbsp;&nbsp;&nbsp;&nbsp;SystemObjectInformation,<br />
&nbsp;&nbsp;&nbsp;&nbsp;SystemPagefileInformation,<br />
&nbsp;&nbsp;&nbsp;&nbsp;SystemInstructionEmulationCounts,<br />
&nbsp;&nbsp;&nbsp;&nbsp;SystemInvalidInfoClass1,<br />
&nbsp;&nbsp;&nbsp;&nbsp;SystemCacheInformation,<br />
&nbsp;&nbsp;&nbsp;&nbsp;SystemPoolTagInformation,<br />
&nbsp;&nbsp;&nbsp;&nbsp;SystemProcessorStatistics,<br />
&nbsp;&nbsp;&nbsp;&nbsp;SystemDpcInformation,<br />
&nbsp;&nbsp;&nbsp;&nbsp;SystemNotImplemented6,<br />
&nbsp;&nbsp;&nbsp;&nbsp;SystemLoadImage,<br />
&nbsp;&nbsp;&nbsp;&nbsp;SystemUnloadImage,<br />
&nbsp;&nbsp;&nbsp;&nbsp;SystemTimeAdjustment,<br />
&nbsp;&nbsp;&nbsp;&nbsp;SystemNotImplemented7,<br />
&nbsp;&nbsp;&nbsp;&nbsp;SystemNotImplemented8,<br />
&nbsp;&nbsp;&nbsp;&nbsp;SystemNotImplemented9,<br />
&nbsp;&nbsp;&nbsp;&nbsp;SystemCrashDumpInformation,<br />
&nbsp;&nbsp;&nbsp;&nbsp;SystemExceptionInformation,<br />
&nbsp;&nbsp;&nbsp;&nbsp;SystemCrashDumpStateInformation,<br />
&nbsp;&nbsp;&nbsp;&nbsp;SystemKernelDebuggerInformation,<br />
&nbsp;&nbsp;&nbsp;&nbsp;SystemContextSwitchInformation,<br />
&nbsp;&nbsp;&nbsp;&nbsp;SystemRegistryQuotaInformation,<br />
&nbsp;&nbsp;&nbsp;&nbsp;SystemLoadAndCallImage,<br />
&nbsp;&nbsp;&nbsp;&nbsp;SystemPrioritySeparation,<br />
&nbsp;&nbsp;&nbsp;&nbsp;SystemNotImplemented10,<br />