从管理员身份获得SYSTEM 权限的四种方法Word下载.docx
locallbl
.const
lbldbtext,0
.code
exitm
ENDM
startproc
; ---------------------------------------------------------------------
; start -- entry point of GetSys1 (MASM32, invoke style, Win32 stdcall).
; This listing is an extraction of a document: keywords and operands are
; split across lines ("start proc", "invoke ...", ".if eax == ...") and
; some lines are missing, so read it as pseudo-code, not buildable source.
; Flow (as the page itself describes it): create a named mutex; if it
; already existed this is the relaunched (service) instance, which then
; starts a child process; otherwise _ReLaunch installs and starts this
; executable as a service.
; Locals: stStartupInfo (STARTUPINFO), procinfo (PROCESS_INFORMATION).
; ---------------------------------------------------------------------
LOCAL
stStartupInfo:
STARTUPINFO
procinfo:
PROCESS_INFORMATION
invoke
CreateMutex,NULL,TRUE,CTXT("
GetSys1_Mutex"
)
; GetLastError after CreateMutex tells first launch from relaunch.
; The mutex name "GetSys1_Mutex" is a fixed string, so it is also a
; simple host artefact for anyone hunting this tool.
GetLastError
.ifeax==ERROR_ALREADY_EXISTS
; Relaunched instance: zero STARTUPINFO, set cb, spawn the child, then
; close the child's handles at once (the child keeps running).
RtlZeroMemory,addrstStartupInfo,sizeofstStartupInfo
mov
stStartupInfo.cb,sizeofstStartupInfo
CreateProcess,0,CTXT("
regedit.exe"
),0,0,0,0,0,0,
addrstStartupInfo,addrprocinfo
; NOTE(review): neither the CreateMutex nor the CreateProcess result is
; checked; on a failed CreateProcess procinfo stays zeroed and the two
; CloseHandle calls below fail silently on NULL.
CloseHandle,procinfo.hProcess
CloseHandle,procinfo.hThread
.else
; First instance: hand over to the service-install path (see _ReLaunch).
_ReLaunch
.endif
ExitProcess,NULL
startendp
_ReLaunchproc
; ---------------------------------------------------------------------
; _ReLaunch -- installs this executable as a temporary Win32 service
; and starts it. No account/password is passed to CreateService (the
; trailing NULLs), so the service runs as LocalSystem.
; Locals: hSCManager, hService, szName[MAX_PATH] (own module path).
; Defender notes:
;  - SC_MANAGER_CREATE_SERVICE needs an administrative caller; this is
;    the admin -> SYSTEM step the page describes, not a privilege bypass.
;  - Service installation is logged by Windows (System log event 7045,
;    Security log 4697 with service auditing enabled). The service is
;    deleted right after StartService, so the short-lived "GetSys1Temp"
;    entry is the artefact to look for.
;  - SERVICE_INTERACTIVE_PROCESS is legacy; current Windows versions
;    disable interactive services, so this path may fail there - confirm.
; ---------------------------------------------------------------------
hSCManager
hService
szName[MAX_PATH]:
byte
OpenSCManager,NULL,NULL,SC_MANAGER_CREATE_SERVICE
.ifeax!
=0
hSCManager,eax
; Remove a stale service of the same name left by an earlier run.
; The handle is pushed first so the same value can be consumed by the
; plain "call CloseServiceHandle" after DeleteService.
OpenService,hSCManager,CTXT("
GetSys1Temp"
),DELETE
push
eax
invoke
DeleteService,eax
call
CloseServiceHandle
; szName = full path of this executable; becomes the service binary.
GetModuleFileName,NULL,addrszName,MAX_PATH
; NOTE(review): the service-name string between the two CTXT(" tokens
; is lost in the extraction (presumably the "GetSys1Temp" used above);
; the display name is "GetSys1TempService".
CreateService,hSCManager,CTXT("
),CTXT("
GetSys1TempService"
),\
SERVICE_START+SERVICE_QUERY_STATUS+DELETE,\
SERVICE_WIN32_OWN_PROCESS+SERVICE_INTERACTIVE_PROCESS,SERVICE_DEMAND_START,\
SERVICE_ERROR_IGNORE,addrszName,NULL,NULL,NULL,NULL,NULL
mov
hService,eax
; NOTE(review): CreateService's result is not checked before use; with
; hService == 0 the StartService/DeleteService/CloseServiceHandle calls
; below all fail on a NULL handle and the error is never reported.
StartService,hService,0,NULL
; The service is marked for deletion immediately after it is started.
DeleteService,hService
CloseServiceHandle,hService
CloseServiceHandle,hSCManager
; NOTE(review): the .endif closing ".if eax != 0" (OpenSCManager result)
; does not appear in this extraction.
ret
_ReLaunchendp
endstart
:
make
rem --- build script (MASM32 toolchain) ---------------------------------
rem The extraction has split ":make", "set path=...", "set appname=..."
rem and the ml/link command lines into fragments. Intended sequence:
rem extend PATH with the MASM32 bin dir, assemble with ml, link as a
rem Windows-subsystem exe, delete the .obj, then pause.
setpath=%path%;
c:
\masm32\bin
setappname=GetSys1
rem NOTE(review): "%appname%.bat" as the ml input looks like an
rem extraction error for the .asm source file - confirm against the original.
ml/nologo/c/coff%appname%.bat
link/nologo/subsystem:
windows%appname%.obj
del%appname%.obj
echo.
pause
GetSys1(第一次运行的这个进程GetSys1我们称为A)开始运行时先创建一个互斥量,
接着以服务的方式重新启动自己
(又一次运行的进程GetSys1我们称为B),重新运行后的B已经具有了SYSTEM权限。
B再通过CreateProcess函数运行regedit.exe程序,
因为B具有SYSTEM权限,所以regedit.exe从中继承了SYSTEM权限。
运行完了regedit.exe后B结束运行,
然后A中的StartService函数返回,A结束运行。
就是因为StartService函数不会直接返回,
所以不能够直接通过服务的方式运行regedit.exe。
2.添加ACL的方法
主要思想是调用CreateProcessAsUser函数来运行程序,CreateProcessAsUser
函数的第一个参数是特定用户的令牌,
把这个参数设为具有SYSTEM权限的令牌即可。
以SYSTEM权限运行程序-GetSys2
采用添加ACL的方法
\masm32\include\accctrl.inc
; Prototypes for the helper procedures of GetSys2 (extraction has split
; "proto :DWORD,:DWORD" across lines).
;   _EnablePrivilege(szPriv, bFlags)  -- defined further below (cut off)
;   _GetPidFromProcName(szName)       -- definition not in this listing;
;                                        its eax result is used as a PID
;   _ModifySecurity(hToken, dwAccess) -- defined below
_EnablePrivilegeproto
WORD,
WORD
_GetPidFromProcNameproto
_ModifySecurityproto
; Local declaration of the Win32 ACL header
; (BYTE AclRevision, BYTE Sbz1, WORD AclSize, WORD AceCount, WORD Sbz2).
; Presumably declared here because the included headers lack it - confirm.
ACLSTRUCT
AclRevision
BYTE
?
Sbz1
BYTE
AclSize
WORD
AceCount
Sbz2
ACLENDS
; PACL = pointer to the ACL declared above.
PACLtypedefPTRACL
; SECURITY_IMPERSONATION_LEVEL value passed to DuplicateTokenEx below
; (SecurityImpersonation = 2).
SecurityImpersonation
equ2
hProc
; ---------------------------------------------------------------------
; Entry point of GetSys2. The "start proc" / LOCAL header lines and the
; LOCALs for procinfo (used below) are missing from this extraction;
; hProc, hToken and hNewToken are the locals that survived.
; Flow: enable SeDebugPrivilege, open lsass.exe, widen the DACL of its
; primary token so the current user gets TOKEN_ALL_ACCESS
; (_ModifySecurity), reopen the token with full access, duplicate it
; as a primary token, impersonate it, and CreateProcessAsUser with it.
; Defender notes:
;  - Every step needs an administrative caller (SeDebugPrivilege,
;    WRITE_DAC on another account's token): admin -> SYSTEM, no bypass.
;  - Opening lsass.exe and rewriting its token DACL is a well-known
;    pattern; LSA Protection (RunAsPPL) narrows what OpenProcess /
;    OpenProcessToken grant on lsass, and process-access telemetry
;    (e.g. Sysmon event ID 10 on lsass.exe) exposes the handle open.
; ---------------------------------------------------------------------
hToken,hNewToken
; Zero the three handle locals so the cleanup at _exit is safe.
sub
eax,eax
hProc,eax
hToken,eax
hNewToken,eax
RtlZeroMemory,addrprocinfo,sizeofprocinfo
_EnablePrivilege,CTXT("
SeDebugPrivilege"
),TRUE
; eax (PID of lsass.exe) feeds straight into OpenProcess as dwProcessId.
_GetPidFromProcName,CTXT("
lsass.exe"
OpenProcess,PROCESS_QUERY_INFORMATION,0,eax
; NOTE(review): the "mov hProc, eax" that must follow OpenProcess (the
; cleanup tests hProc) is not in this extraction.
test
eax,eax
jz
_exit
; First open with READ_CONTROL|WRITE_DAC only: enough to read and rewrite
; the token's DACL, which is all _ModifySecurity needs.
OpenProcessToken,hProc,READ_CONTROL+WRITE_DAC,addrhToken
_ModifySecurity,hToken,TOKEN_ALL_ACCESS
CloseHandle,hToken
hToken,0
; Second open now succeeds with TOKEN_ALL_ACCESS because of the new ACE.
; NOTE(review): results of OpenProcessToken, DuplicateTokenEx and
; ImpersonateLoggedOnUser are not checked before the next call.
OpenProcessToken,hProc,TOKEN_ALL_ACCESS,addrhToken
DuplicateTokenEx,hToken,TOKEN_ALL_ACCESS,0,
SecurityImpersonation,TokenPrimary,addrhNewToken
ImpersonateLoggedOnUser,hNewToken
; Command line and the remaining CreateProcessAsUser arguments are lost
; in the extraction.
CreateProcessAsUser,hNewToken,0,CTXT("
_exit:
; Cleanup; the CloseHandle for hToken and the .endif lines are missing
; from this extraction.
.ifhProc
CloseHandle,hProc
.ifhToken
.ifhNewToken
CloseHandle,hNewToken
_ModifySecurityprocusesebxesiedi,hToken:
DWORD,dwAccess:
DWORD
; ---------------------------------------------------------------------
; BOOL _ModifySecurity(HANDLE hToken, DWORD dwAccess)
; Adds an access-allowed ACE granting dwAccess to the current user
; (as returned by GetUserName) on the DACL of hToken:
;   GetKernelObjectSecurity -> GetSecurityDescriptorDacl ->
;   BuildExplicitAccessWithName / SetEntriesInAcl -> MakeAbsoluteSD ->
;   SetSecurityDescriptorDacl -> SetKernelObjectSecurity.
; hToken must have been opened with READ_CONTROL|WRITE_DAC (see caller).
; Returns eax = bSuccess: 1 only if the whole path ran, 0 otherwise.
; "uses ebx esi edi": the prologue saves/restores those registers.
; Defender note: a DACL rewrite on a token that belongs to another
; account is exactly what this does; with a SACL on the object it is a
; candidate for object-access auditing (Security event 4670) - confirm.
; ---------------------------------------------------------------------
pSD,pAbsSD
dwSDLength
bDaclPresent,bDaclDefaulted
pAcl:
PACL
pNewAcl:
szName[1024]:
BYTE
ea:
EXPLICIT_ACCESS
pSacl,pOwner,pPrimaryGroup
dwAclSize,dwSaclSize,dwOwnerSize,dwPrimaryGroup
bSuccess
; Zero every local (eax is presumably cleared just before; that line is
; lost in the extraction) so the cleanup below can test each pointer.
pSD,eax
pAbsSD,eax
dwSDLength,eax
bDaclPresent,eax
bDaclDefaulted,eax
pAcl,eax
pNewAcl,eax
pSacl,eax
pOwner,eax
pPrimaryGroup,eax
dwAclSize,eax
dwSaclSize,eax
dwOwnerSize,eax
dwPrimaryGroup,eax
bSuccess,eax
; Size query (pSD == 0, length 0) -> dwSDLength; then allocate and fetch
; the self-relative SD with its DACL.
; NOTE(review): the "mov pSD, eax" after LocalAlloc, and the matching
; stores after the four LocalAlloc calls further down, are not in this
; extraction.
GetKernelObjectSecurity,hToken,DACL_SECURITY_INFORMATION,pSD,0,addrdwSDLength
LocalAlloc,LPTR,dwSDLength
GetKernelObjectSecurity,hToken,DACL_SECURITY_INFORMATION,pSD,
dwSDLength,addrdwSDLength
; pAcl now points INTO the pSD buffer (not a separate allocation).
GetSecurityDescriptorDacl,pSD,addrbDaclPresent,addrpAcl,addrbDaclDefaulted
; GetUserName wants an in/out size pointer: push sizeof szName and pass
; esp as that pointer, then pop the returned length into eax.
eax,sizeofszName
push
GetUserName,addrszName,esp
pop
eax
; Trustee = the account running this process; GRANT_ACCESS, no inheritance.
BuildExplicitAccessWithName,addrea,addrszName,dwAccess,GRANT_ACCESS,FALSE
; SetEntriesInAcl returns a DWORD error code, hence cmp against
; ERROR_SUCCESS rather than test eax,eax. The jne target is lost in the
; extraction (presumably the cleanup below, leaving bSuccess = 0).
SetEntriesInAcl,1,addrea,pAcl,addrpNewAcl
cmp
eax,ERROR_SUCCESS
jne
; NOTE(review): pAcl came from GetSecurityDescriptorDacl and points
; inside pSD, so LocalFree on it is invalid unless a lost line
; reassigned pAcl first - confirm. pAcl is then reused as the DACL
; buffer for MakeAbsoluteSD.
LocalFree,pAcl
pAcl,0
; First MakeAbsoluteSD call with NULL buffers only reports the sizes;
; the buffers are allocated next (the second MakeAbsoluteSD call that
; fills them is not in this extraction).
MakeAbsoluteSD,pSD,pAbsSD,addrdwSDLength,pAcl,addrdwAclSize,pSacl,addrdwSaclSize,\
pOwner,addrdwOwnerSize,pPrimaryGroup,addrdwPrimaryGroup
LocalAlloc,LPTR,dwAclSize
LocalAlloc,LPTR,dwSaclSize
LocalAlloc,LPTR,dwOwnerSize
LocalAlloc,LPTR,dwPrimaryGroup
; Install the rebuilt DACL (pNewAcl) on the absolute SD and write it
; back to the token object.
SetSecurityDescriptorDacl,pAbsSD,bDaclPresent,pNewAcl,bDaclDefaulted
SetKernelObjectSecurity,hToken,DACL_SECURITY_INFORMATION,pAbsSD
bSuccess,1
; Cleanup of every LocalAlloc buffer; the LocalFree for pAcl and the
; .endif lines are missing from this extraction.
.ifpSD
LocalFree,pSD
.ifpAcl
.ifpNewAcl
LocalFree,pNewAcl
.ifpAbsSD
LocalFree,pAbsSD
.ifpSacl
LocalFree,pSacl
.ifpOwner
LocalFree,pOwner
.ifpPrimaryGroup
LocalFree,pPrimaryGroup
eax,bSuccess
_ModifySecurityendp
_EnablePrivilegeprocszPriv:
DWORD,bFlags:
hToken
tkp:
TOKEN_PRIVILEGES