从管理员身份获得SYSTEM 权限的四种方法.docx
从管理员身份获得SYSTEM权限的四种方法
1.以服务方式运行
因为以服务方式运行程序时,相当于运行程序的是系统进程,所以,
被指定运行的程序自然而然的继承了系统进程的权限,也就是SYSTEM权限。
;@echooff
;gotomake
;====================================================================================
;以SYSTEM权限运行程序-GetSys1
;采用以服务方式运行的方法
;====================================================================================
.386
.modelflat,stdcall
optioncasemap:
none
includec:
\masm32\include\windows.inc
includec:
\masm32\include\kernel32.inc
includec:
\masm32\include\advapi32.inc
includec:
\masm32\include\masm32.inc
includelibc:
\masm32\lib\kernel32.lib
includelibc:
\masm32\lib\advapi32.lib
includelibc:
\masm32\lib\masm32.lib
_ReLaunchproto
;-----------------------------------------------------------------------
; CTXT text  -- MASM macro: emits the string literal `text` as a
; NUL-terminated byte string in .const under a macro-local label and
; switches back to .code. Presumably meant to expand to the label's
; address so it can be used inline as an API argument (see the
; CTXT("...") uses below).
;-----------------------------------------------------------------------
CTXTMACROtext
locallbl
.const
lbldbtext,0
.code
; NOTE(review): in this copy `exitm` has no operand, so the macro would
; expand to nothing; the original presumably read `exitm <offset lbl>`
; -- confirm against the real source before assembling.
exitm
ENDM
.code
;-----------------------------------------------------------------------
; start  -- entry point of GetSys1 (Win32 x86, stdcall, MASM32 includes)
; The same executable runs twice: the first run finds no mutex and calls
; _ReLaunch, which registers and starts this file as a service; the run
; started by the service controller finds the mutex already present and
; launches regedit.exe instead.
; In:    none
; Out:   never returns (ExitProcess)
; Clobbers: eax/ecx/edx through the Win32 calls
;-----------------------------------------------------------------------
startproc
LOCAL stStartupInfo:
STARTUPINFO
LOCAL procinfo:
PROCESS_INFORMATION
; The named mutex is the only marker distinguishing the two runs; the
; CreateMutex handle itself is never closed explicitly (ExitProcess
; reclaims it).
invoke CreateMutex,NULL,TRUE,CTXT("GetSys1_Mutex")
invoke GetLastError
.ifeax==ERROR_ALREADY_EXISTS
; Only stStartupInfo is zeroed; procinfo is left uninitialised.
invoke RtlZeroMemory,addrstStartupInfo,sizeofstStartupInfo
mov stStartupInfo.cb,sizeofstStartupInfo
; NOTE(review): CreateProcess's return value is not tested. On failure
; procinfo still holds whatever was on the stack and both CloseHandle
; calls below operate on garbage handles; test eax and skip them.
invoke CreateProcess,0,CTXT("regedit.exe"),0,0,0,0,0,0,
addrstStartupInfo,addrprocinfo
invoke CloseHandle,procinfo.hProcess
invoke CloseHandle,procinfo.hThread
.else
; First run: hand off to the service-based relaunch (see _ReLaunch).
invoke _ReLaunch
.endif
invoke ExitProcess,NULL
startendp
;-----------------------------------------------------------------------
; _ReLaunch  -- registers this executable's own path as a temporary
; Win32 service named "GetSys1Temp", starts it once, then marks the
; service for deletion and closes the handles.
; In:    none (the image path comes from GetModuleFileName)
; Out:   eax is not a meaningful result; every failure is skipped silently
; Needs: SC_MANAGER_CREATE_SERVICE on the SCM, i.e. an elevated caller
;        (this is what the "administrator to SYSTEM" title refers to)
; Clobbers: eax/ecx/edx; stack balanced on return
;-----------------------------------------------------------------------
_ReLaunchproc
LOCAL hSCManager
LOCAL hService
LOCAL szName[MAX_PATH]:
byte
invoke OpenSCManager,NULL,NULL,SC_MANAGER_CREATE_SERVICE
.ifeax!
=0
mov hSCManager,eax
; If a service of the same name already exists, delete it first so the
; CreateService below does not fail with a duplicate-name error.
invoke OpenService,hSCManager,CTXT("GetSys1Temp"),DELETE
.ifeax!
=0
push eax                ; saved copy of the handle becomes CloseServiceHandle's argument
invoke DeleteService,eax
call CloseServiceHandle ; consumes the pushed handle (stdcall)
.endif
; Full path of this executable -> service binary path.
invoke GetModuleFileName,NULL,addrszName,MAX_PATH
; Own-process, demand-start service; the NULL account argument selects
; LocalSystem, and SERVICE_INTERACTIVE_PROCESS lets it show a window.
; NOTE(review): the return value of DeleteService/StartService is never
; checked, so a failed start still leaves the proc looking successful.
invoke CreateService,hSCManager,CTXT("GetSys1Temp"),CTXT("GetSys1TempService"),\
SERVICE_START+SERVICE_QUERY_STATUS+DELETE,\
SERVICE_WIN32_OWN_PROCESS+SERVICE_INTERACTIVE_PROCESS,SERVICE_DEMAND_START,\
SERVICE_ERROR_IGNORE,addrszName,NULL,NULL,NULL,NULL,NULL
.ifeax!
=0
mov hService,eax
; Per the accompanying text, StartService does not return until the
; service process has finished; the service is then removed again.
invoke StartService,hService,0,NULL
invoke DeleteService,hService
invoke CloseServiceHandle,hService
.endif
invoke CloseServiceHandle,hSCManager
.endif
ret
_ReLaunchendp
endstart
:
make
rem Build step, reached only when this file is executed as a .bat: the
rem leading ";@echo off" / ";goto make" lines are valid batch (";" is a
rem separator) and jump over the MASM source above.
setpath=%path%;c:
\masm32\bin
setappname=GetSys1
rem Assemble the .bat itself as MASM source and link a windows-subsystem exe.
ml/nologo/c/coff%appname%.bat
link/nologo/subsystem:
windows%appname%.obj
del%appname%.obj
echo.
pause
GetSys1(第一次运行的这个进程GetSys1我们称为A)开始运行时先创建一个互斥量,
接着以服务的方式重新启动自己
(又一次运行的进程GetSys1我们称为B),重新运行后的B已经具有了SYSTEM权限。
B再通过CreateProcess函数运行regedit.exe程序,
因为B具有SYSTEM权限,所以regedit.exe从中继承了SYSTEM权限。
运行完了regedit.exe后B结束运行,
然后A中的StartService函数返回,A结束运行。
就是因为StartService函数不会直接返回,
所以不能够直接通过服务的方式运行regedit.exe。
2.添加ACL的方法
主要思想是调用CreateProcessAsUser函数来运行程序,CreateProcessAsUser
函数的第一个参数是特定用户的令牌,
把这个参数设为具有SYSTEM权限的令牌即可。
;@echooff
;gotomake
;====================================================================================
;以SYSTEM权限运行程序-GetSys2
;采用添加ACL的方法
;====================================================================================
.386
.modelflat,stdcall
optioncasemap:
none
includec:
\masm32\include\windows.inc
includec:
\masm32\include\kernel32.inc
includec:
\masm32\include\advapi32.inc
includec:
\masm32\include\accctrl.inc
includec:
\masm32\include\masm32.inc
includelibc:
\masm32\lib\kernel32.lib
includelibc:
\masm32\lib\advapi32.lib
includelibc:
\masm32\lib\masm32.lib
_EnablePrivilegeproto
WORD,
WORD
_GetPidFromProcNameproto
WORD
_ModifySecurityproto
WORD,
WORD
;-----------------------------------------------------------------------
; CTXT text  -- MASM macro: emits `text` as a NUL-terminated byte string
; in .const under a macro-local label and returns to .code. Presumably
; meant to expand to that label's address for inline use as an API
; argument (CTXT("...") below).
;-----------------------------------------------------------------------
CTXTMACROtext
locallbl
.const
lbldbtext,0
.code
; NOTE(review): `exitm` has lost its operand in this copy; the original
; presumably read `exitm <offset lbl>` -- confirm before assembling.
exitm
ENDM
; ACL header, laid out as in winnt.h (8 bytes); declared locally,
; presumably because the MASM32 includes used above do not define it.
ACLSTRUCT
AclRevision BYTE ?
Sbz1 BYTE ?
AclSize WORD ?
AceCount WORD ?
Sbz2 WORD ?
ACLENDS
PACLtypedefPTRACL
; SECURITY_IMPERSONATION_LEVEL value SecurityImpersonation (= 2 in winnt.h),
; passed to DuplicateTokenEx in start.
SecurityImpersonation equ2
.code
;-----------------------------------------------------------------------
; start  -- entry point of GetSys2 (Win32 x86, stdcall, MASM32 includes)
; Enables SeDebugPrivilege, opens the lsass.exe process and its primary
; token with READ_CONTROL|WRITE_DAC, has _ModifySecurity add an ACE that
; grants the current user TOKEN_ALL_ACCESS on that token, reopens the
; token with full access, duplicates it as a primary token and runs
; regedit.exe under it via CreateProcessAsUser. Any failure jumps to
; _exit, which closes whatever handles were obtained.
; In:    none
; Out:   never returns (ExitProcess)
; Needs: an elevated caller (SeDebugPrivilege must already be held by the
;        token for _EnablePrivilege to turn it on)
; NOTE(review): nothing here reverts the impersonation (no RevertToSelf)
; or restores the token DACL that _ModifySecurity rewrote; the change to
; the lsass token's security descriptor outlives this process.
;-----------------------------------------------------------------------
startproc
LOCAL hProc
LOCAL hToken,hNewToken
LOCAL stStartupInfo:
STARTUPINFO
LOCAL procinfo:
PROCESS_INFORMATION
; Zero the handle locals first so the .if tests at _exit only close
; handles that were actually opened.
sub eax,eax
mov hProc,eax
mov hToken,eax
mov hNewToken,eax
invoke RtlZeroMemory,addrstStartupInfo,sizeofstStartupInfo
invoke RtlZeroMemory,addrprocinfo,sizeofprocinfo
; _EnablePrivilege is defined further down in the file (outside this block).
invoke _EnablePrivilege,CTXT("SeDebugPrivilege"),TRUE
; NOTE(review): the PID returned in eax is passed straight to
; OpenProcess without checking for 0 (process not found); OpenProcess
; then fails and the jz below takes the exit path, so the outcome is a
; silent no-op rather than an error message.
invoke _GetPidFromProcName,CTXT("lsass.exe")
invoke OpenProcess,PROCESS_QUERY_INFORMATION,0,eax
test eax,eax
jz _exit
mov hProc,eax
; Minimal rights needed to read and rewrite the token's DACL.
invoke OpenProcessToken,hProc,READ_CONTROL+WRITE_DAC,addrhToken
test eax,eax
jz _exit
; Grant the current user TOKEN_ALL_ACCESS on the token object (eax=1 on success).
invoke _ModifySecurity,hToken,TOKEN_ALL_ACCESS
test eax,eax
jz _exit
; Reopen with the access the new ACE now allows.
invoke CloseHandle,hToken
mov hToken,0
invoke OpenProcessToken,hProc,TOKEN_ALL_ACCESS,addrhToken
test eax,eax
jz _exit
; Primary-token copy (TokenPrimary) at impersonation level 2, as
; CreateProcessAsUser requires a primary token.
invoke DuplicateTokenEx,hToken,TOKEN_ALL_ACCESS,0,
SecurityImpersonation,TokenPrimary,addrhNewToken
test eax,eax
jz _exit
invoke ImpersonateLoggedOnUser,hNewToken
test eax,eax
jz _exit
mov stStartupInfo.cb,sizeofstStartupInfo
invoke CreateProcessAsUser,hNewToken,0,CTXT("regedit.exe"),0,0,0,0,0,0,
addrstStartupInfo,addrprocinfo
test eax,eax
jz _exit
invoke CloseHandle,procinfo.hProcess
invoke CloseHandle,procinfo.hThread
_exit:
; Cleanup; each handle was zero-initialised above so the tests are safe.
.ifhProc
invoke CloseHandle,hProc
.endif
.ifhToken
invoke CloseHandle,hToken
.endif
.ifhNewToken
invoke CloseHandle,hNewToken
.endif
invoke ExitProcess,NULL
startendp
;-----------------------------------------------------------------------
; BOOL _ModifySecurity(HANDLE hToken, DWORD dwAccess)
; Rewrites the DACL of the kernel object hToken: reads the current
; self-relative security descriptor, builds an access-allowed ACE for the
; current user name (GetUserName) granting dwAccess, merges it into the
; existing DACL with SetEntriesInAcl, converts the descriptor to absolute
; form and writes it back with SetKernelObjectSecurity.
; In:    hToken   = handle with READ_CONTROL|WRITE_DAC
;        dwAccess = access mask to grant
; Out:   eax = 1 if the final write was reached, 0 on any early exit
; Clobbers: eax/ecx/edx; ebx/esi/edi are preserved by `uses` although the
;        body does not touch them
;-----------------------------------------------------------------------
_ModifySecurityprocusesebxesiedi,hToken:
DWORD,dwAccess:
DWORD
LOCAL pSD,pAbsSD
LOCAL dwSDLength
LOCAL bDaclPresent,bDaclDefaulted
LOCAL pAcl:
PACL
LOCAL pNewAcl:
PACL
LOCAL szName[1024]:
BYTE
LOCAL ea:
EXPLICIT_ACCESS
LOCAL pSacl,pOwner,pPrimaryGroup
LOCAL dwAclSize,dwSaclSize,dwOwnerSize,dwPrimaryGroup
LOCAL bSuccess
; Zero every pointer/size local so the _exit path frees only what was
; allocated and the sizing calls below start from 0.
sub eax,eax
mov pSD,eax
mov pAbsSD,eax
mov dwSDLength,eax
mov bDaclPresent,eax
mov bDaclDefaulted,eax
mov pAcl,eax
mov pNewAcl,eax
mov pSacl,eax
mov pOwner,eax
mov pPrimaryGroup,eax
mov dwAclSize,eax
mov dwSaclSize,eax
mov dwOwnerSize,eax
mov dwPrimaryGroup,eax
mov bSuccess,eax
; Sizing pass: pSD is NULL and the buffer size 0, so this call is expected
; to fail and leave the required length in dwSDLength.
invoke GetKernelObjectSecurity,hToken,DACL_SECURITY_INFORMATION,pSD,0,addrdwSDLength
invoke LocalAlloc,LPTR,dwSDLength
test eax,eax
jz _exit
mov pSD,eax
; Real read of the self-relative descriptor (return value not checked).
invoke GetKernelObjectSecurity,hToken,DACL_SECURITY_INFORMATION,pSD,
dwSDLength,addrdwSDLength
; pAcl receives a pointer INTO the pSD buffer, not a separate allocation.
invoke GetSecurityDescriptorDacl,pSD,addrbDaclPresent,addrpAcl,addrbDaclDefaulted
; GetUserName needs an in/out size DWORD; a pushed stack slot is used as
; that variable and popped afterwards (the value is discarded).
mov eax,sizeofszName
push eax
invoke GetUserName,addrszName,esp
pop eax
; EXPLICIT_ACCESS: trustee = current user name, rights = dwAccess,
; GRANT_ACCESS, no inheritance.
invoke BuildExplicitAccessWithName,addrea,addrszName,dwAccess,GRANT_ACCESS,FALSE
; SetEntriesInAcl returns a Win32 error code (hence cmp against
; ERROR_SUCCESS rather than test eax); pNewAcl is a fresh LocalAlloc block.
invoke SetEntriesInAcl,1,addrea,pAcl,addrpNewAcl
cmp eax,ERROR_SUCCESS
jne _exit
; NOTE(review): pAcl still points inside pSD here (see
; GetSecurityDescriptorDacl above), so this LocalFree releases an interior
; pointer that was never allocated on its own. Setting pAcl to 0 is all
; that the sizing call below needs; drop the LocalFree.
invoke LocalFree,pAcl
mov pAcl,0
; Sizing pass of MakeAbsoluteSD: all component buffers NULL/0, so the
; call fails and reports the required size of each part.
invoke MakeAbsoluteSD,pSD,pAbsSD,addrdwSDLength,pAcl,addrdwAclSize,pSacl,addrdwSaclSize,\
pOwner,addrdwOwnerSize,pPrimaryGroup,addrdwPrimaryGroup
; Allocate each component of the absolute descriptor.
; NOTE(review): with only DACL_SECURITY_INFORMATION requested the SACL,
; owner and group sizes may well be 0; what LocalAlloc(LPTR, 0) returns
; in that case is worth confirming, since a NULL would abort here.
invoke LocalAlloc,LPTR,dwSDLength
test eax,eax
jz _exit
mov pAbsSD,eax
invoke LocalAlloc,LPTR,dwAclSize
test eax,eax
jz _exit
mov pAcl,eax
invoke LocalAlloc,LPTR,dwSaclSize
test eax,eax
jz _exit
mov pSacl,eax
invoke LocalAlloc,LPTR,dwOwnerSize
test eax,eax
jz _exit
mov pOwner,eax
invoke LocalAlloc,LPTR,dwPrimaryGroup
test eax,eax
jz _exit
mov pPrimaryGroup,eax
; Real conversion into the buffers allocated above.
invoke MakeAbsoluteSD,pSD,pAbsSD,addrdwSDLength,pAcl,addrdwAclSize,pSacl,addrdwSaclSize,\
pOwner,addrdwOwnerSize,pPrimaryGroup,addrdwPrimaryGroup
; Swap in the merged DACL, keeping the original present/defaulted flags,
; and write the descriptor back to the object.
invoke SetSecurityDescriptorDacl,pAbsSD,bDaclPresent,pNewAcl,bDaclDefaulted
invoke SetKernelObjectSecurity,hToken,DACL_SECURITY_INFORMATION,pAbsSD
; NOTE(review): bSuccess is set to 1 without checking the results of
; MakeAbsoluteSD, SetSecurityDescriptorDacl or SetKernelObjectSecurity;
; `test eax,eax` / `jz _exit` after SetKernelObjectSecurity would make the
; return value truthful.
mov bSuccess,1
_exit:
; Release everything that was allocated; each pointer is 0 until assigned.
.ifpSD
invoke LocalFree,pSD
.endif
.ifpAcl
invoke LocalFree,pAcl
.endif
.ifpNewAcl
invoke LocalFree,pNewAcl
.endif
.ifpAbsSD
invoke LocalFree,pAbsSD
.endif
.ifpSacl
invoke LocalFree,pSacl
.endif
.ifpOwner
invoke LocalFree,pOwner
.endif
.ifpPrimaryGroup
invoke LocalFree,pPrimaryGroup
.endif
mov eax,bSuccess
ret
_ModifySecurityendp
_EnablePrivilegeprocszPriv:
DWORD,bFlags:
DWORD
LOCAL hToken
LOCAL tkp:
TOKEN_PRIVILEGES