Obtaining SYSTEM Privileges: Remote Thread Injection Version
A while ago I wrote "exploit series (6): buffer overflows on the x86/Windows platform", which touched on remote thread injection; that reminded me of this article, so I came back to add some content. sysproc_now.c is not very portable: to distinguish 2000/XP/2003 it is forced to use GetVersionEx() to determine the exact OS version. By comparison, remote thread injection is easier to port.
If you attempt remote thread injection into winlogon.exe, the code must specify the appropriate WindowStation; otherwise it may not be possible to interact normally with the spawned child process.
See GetProcessWindowStation, GetUserObjectInformation and the related functions in MSDN.
See the "Interactive Services" section in chapter 5 of Inside 2K ([7]).
When testing CreateRemoteThread_1.c over Terminal Services, you may get the following error message:
"CreateRemoteThread() failed: 存储空间不足,无法处理此命令"
(This is the Chinese-locale text of ERROR_NOT_ENOUGH_MEMORY, "Not enough storage is available to process this command".)
Testing on the console, everything works. At first I thought it was a WindowStation problem and switched to obtaining its name dynamically, but the error message remained. Only later did I recall the following information in MSDN:
Terminal Services isolates each terminal session by design. Therefore,
CreateRemoteThread fails if the target process is in a different session
than the calling process.
It is not yet clear whether there is a way around this; if there is not, then sysproc_now.c still has a reason to exist.
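The behaviour the article describes, a thread created in winlogon.exe with CreateRemoteThread(), is exactly what Sysmon records as Event ID 8 ("CreateRemoteThread detected"), so the defender's counterpart to this tool is a rule over those records. The following is an added example, not code from the article or from NSFocus: it parses a constructed text export of Sysmon Event ID 8 records and flags remote threads created in privileged system processes by an unexpected source image, adding a second reason when StartModule is empty, i.e. the thread's start address is not backed by any loaded module. The field names (SourceImage, TargetImage, StartAddress, StartModule, StartFunction) are Sysmon's; the allowlist of benign source images, the sample records and the simplified "Field: value" export format are assumptions of this example.

```python
"""Flag Sysmon Event ID 8 (CreateRemoteThread) records that target privileged
system processes such as winlogon.exe.

Added example, not code from the original article or from NSFocus.  Sysmon's
Event ID 8 and its field names are real; the records in SAMPLE_LOG are
constructed, and ALLOWED_SOURCES is an assumption to tune per environment.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# SYSTEM processes on the interactive console; a remote thread created in one
# of them by an unexpected image is the case worth alerting on.
PRIVILEGED_TARGETS = {"winlogon.exe", "lsass.exe", "services.exe", "csrss.exe"}

# Source images that legitimately create threads in other processes
# (assumption for this example; tune to the environment).
ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\svchost.exe",
}


@dataclass
class Finding:
    utc_time: str
    source_image: str
    target_image: str
    reasons: List[str] = field(default_factory=list)


def parse_records(text: str) -> List[Dict[str, str]]:
    """Split a text export into blank-line separated records of 'Field: value' lines."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields: Dict[str, str] = {}
        for line in block.splitlines():
            m = re.match(r"\s*(\w+):\s*(.*)$", line)
            if m:
                fields[m.group(1)] = m.group(2).strip()
        if fields:
            records.append(fields)
    return records


def image_name(path: str) -> str:
    """Last path component, lower-cased, so comparisons ignore the directory."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(rec: Dict[str, str]) -> Optional[Finding]:
    """Return a Finding for an Event ID 8 record that matches the rule, else None."""
    if rec.get("EventID") != "8":
        return None
    src = rec.get("SourceImage", "").lower()
    tgt = rec.get("TargetImage", "")
    if image_name(tgt) not in PRIVILEGED_TARGETS or src in ALLOWED_SOURCES:
        return None
    finding = Finding(rec.get("UtcTime", "?"), src, tgt)
    finding.reasons.append(
        "remote thread created in a privileged system process by an unexpected image")
    # Sysmon leaves StartModule empty when the start address is not backed by a
    # loaded image, i.e. the code was written into the target beforehand
    # (the WriteProcessMemory + CreateRemoteThread pattern).  Some forwarders
    # render the empty field as "-" (assumption), so accept both.
    if rec.get("StartModule", "") in ("", "-"):
        finding.reasons.append("thread start address is not inside any loaded module")
    return finding


def scan(text: str) -> List[Finding]:
    """Evaluate every record in the export and return the findings."""
    return [f for f in (evaluate(r) for r in parse_records(text)) if f]


# Constructed sample export: one benign thread from csrss.exe, one injection
# into winlogon.exe from a user-profile binary, and one unrelated event.
SAMPLE_LOG = r"""
EventID: 8
UtcTime: 2003-10-08 13:37:00.001
SourceImage: C:\Windows\System32\csrss.exe
TargetImage: C:\Windows\System32\winlogon.exe
StartAddress: 0x7C810000
StartModule: C:\Windows\System32\ntdll.dll
StartFunction: LdrInitializeThunk

EventID: 8
UtcTime: 2003-10-08 13:37:05.002
SourceImage: C:\Documents and Settings\guest\CreateRemoteThread_1.exe
TargetImage: C:\Windows\System32\winlogon.exe
StartAddress: 0x00B20000
StartModule:
StartFunction:

EventID: 1
UtcTime: 2003-10-08 13:37:06.003
Image: C:\Windows\System32\cmd.exe
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.utc_time}  {f.source_image} -> {f.target_image}")
        for r in f.reasons:
            print("    ", r)
```

Only the second record is reported, with both reasons; the csrss.exe thread is suppressed by the allowlist, and the Event ID 1 record is ignored. In a real deployment the allowlist would be built from observed benign sources rather than hard-coded.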
--------------------------------------------------------------------------
/*
* Copyright (C) 2002, 2012
* The NSFOCUS INFORMATION TECHNOLOGY CO.,LTD.
* -----------------------------------------------------------------------
* Author : NSFocus Security Team <security@nsfocus.com>
* : http://www.nsfocus.com
* Maintain : scz <scz@nsfocus.com>
* Version : 2.02
* Compile : For x86/EWindows XP SP1 & VC 7
* : cl CreateRemoteThread_1.c /nologo /Os /G6 /Gs65536 /W3 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /MT /link /RELEASE
* :
* Create : 2003-10-08 13:37
* Modify : 2003-10-08 17:02
* -----------------------------------------------------------------------
* The only thing they cant take from us are our minds. !H
*/
/************************************************************************
* *
* Head File *
* *
************************************************************************/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>
/************************************************************************
* *
* Macro *
* *
************************************************************************/
#pragma comment( linker, "/INCREMENTAL:NO" )
#pragma comment( linker, "/subsystem:console" )
#pragma comment( lib, "kernel32.lib" )
#pragma comment( lib, "advapi32.lib" )
#define VERSION "2.02"
#define MAXBUFLEN 8192
#define CHARBASE 'A'
#define CHARESCAPE '_'
#define CHARXOR '^'
typedef LONG NTSTATUS;
#define NT_SUCCESS(status) ((NTSTATUS)(status)>=0)
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)
typedef LONG KPRIORITY;
typedef struct _UNICODE_STRING
{
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;
} UNICODE_STRING, *PUNICODE_STRING;
typedef enum _SYSTEM_INFORMATION_CLASS
{
SystemProcessesAndThreadsInformation = 5
} SYSTEM_INFORMATION_CLASS;
typedef struct _SYSTEM_PROCESSES
{
ULONG NextEntryDelta;
ULONG ThreadCount;
ULONG Reserved1[6];
LARGE_INTEGER CreateTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER KernelTime;
UNICODE_STRING ProcessName;
KPRIORITY BasePriority;
ULONG ProcessId;
ULONG InheritedFromProcessId;
} SYSTEM_PROCESSES, *PSYSTEM_PROCESSES;
typedef ULONG ( __stdcall *RTLNTSTATUSTODOSERROR ) ( IN NTSTATUS Status );
typedef NTSTATUS ( __stdcall *ZWQUERYSYSTEMINFORMATION ) ( IN SYSTEM_INFORMATION_CLASS SystemInformationClass, IN OUT PVOID SystemInformation, IN ULONG SystemInformationLength, OUT PULONG ReturnLength OPTIONAL );
/************************************************************************
* *
* Function Prototype *
* *
************************************************************************/
static size_t bufencode
(
unsigned char *src,
unsigned char *dst,
size_t srclen
);
static BOOL DisableCurrentProcessDebugPrivilege
(
void
);
static BOOL EnableCurrentProcessDebugPrivilege
(
void
);
static DWORD GetPidFromProcessName
(
wchar_t *ProcessName
);
static BOOL Loc