Elevating cmd's privileges by modifying its token with WinDbg

Kernel-debugging Windows XP with WinDbg.

Run cmd and check the current privileges with whoami; the result is shown below:

What follows replaces the token value of cmd.exe with the token value of the System process.

1. Press Ctrl+Break so that WinDbg breaks into the target and enters debug mode.

!process 0 0 lists every process on the XP machine; the result is as follows:

kd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
PROCESS 865b7830  SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    DirBase: 00343000  ObjectTable: e1000c98  HandleCount: 284.
    Image: System

PROCESS 8609d1a8  SessionId: none  Cid: 0218    Peb: 7ffde000  ParentCid: 0004
    DirBase: 0dd40020  ObjectTable: e13c8760  HandleCount:  19.
    Image: smss.exe

PROCESS 8650d020  SessionId: 0  Cid: 0260    Peb: 7ffd5000  ParentCid: 0218
    DirBase: 0dd40040  ObjectTable: e162f868  HandleCount: 398.
    Image: csrss.exe

PROCESS 8650cc98  SessionId: 0  Cid: 0278    Peb: 7ffd7000  ParentCid: 0218
    DirBase: 0dd40060  ObjectTable: e160f820  HandleCount: 457.
    Image: winlogon.exe

PROCESS 86264aa0  SessionId: 0  Cid: 02a4    Peb: 7ffde000  ParentCid: 0278
    DirBase: 0dd40080  ObjectTable: e186d3e8  HandleCount: 267.
    Image: services.exe

PROCESS 86086a28  SessionId: 0  Cid: 02b0    Peb: 7ffdb000  ParentCid: 0278
    DirBase: 0dd400a0  ObjectTable: e17fc6b0  HandleCount: 340.
    Image: lsass.exe

PROCESS 85fdbda0  SessionId: 0  Cid: 0350    Peb: 7ffde000  ParentCid: 02a4
    DirBase: 0dd400c0  ObjectTable: e186dcd8  HandleCount:  25.
    Image: vmacthlp.exe

PROCESS 8622fc38  SessionId: 0  Cid: 0360    Peb: 7ffd8000  ParentCid: 02a4
    DirBase: 0dd400e0  ObjectTable: e199c948  HandleCount: 231.
    Image: svchost.exe

PROCESS 864ba978  SessionId: 0  Cid: 03b0    Peb: 7ffd8000  ParentCid: 02a4
    DirBase: 0dd40100  ObjectTable: e1966278  HandleCount: 237.
    Image: svchost.exe

PROCESS 8607eda0  SessionId: 0  Cid: 040c    Peb: 7ffdf000  ParentCid: 02a4
    DirBase: 0dd40120  ObjectTable: e1c067a8  HandleCount: 1384.
    Image: svchost.exe

PROCESS 864b7560  SessionId: 0  Cid: 0448    Peb: 7ffdc000  ParentCid: 02a4
    DirBase: 0dd40140  ObjectTable: e19e2688  HandleCount:  65.
    Image: svchost.exe

PROCESS 85fe5558  SessionId: 0  Cid: 0498    Peb: 7ffdf000  ParentCid: 02a4
    DirBase: 0dd40160  ObjectTable: e13796e0  HandleCount: 223.
    Image: svchost.exe

PROCESS 85fe77e8  SessionId: 0  Cid: 0560    Peb: 7ffde000  ParentCid: 02a4
    DirBase: 0dd401a0  ObjectTable: e1c10610  HandleCount: 131.
    Image: spoolsv.exe

PROCESS 85ff0da0  SessionId: 0  Cid: 0668    Peb: 7ffd9000  ParentCid: 02a4
    DirBase: 0dd401c0  ObjectTable: e20bc5a0  HandleCount: 292.
    Image: vmtoolsd.exe

PROCESS 8623a650  SessionId: 0  Cid: 0798    Peb: 7ffde000  ParentCid: 02a4
    DirBase: 0dd40220  ObjectTable: e1fece98  HandleCount:  99.
    Image: TPAutoConnSvc.exe

PROCESS 863c5658  SessionId: 0  Cid: 00d4    Peb: 7ffdc000  ParentCid: 02a4
    DirBase: 0dd40260  ObjectTable: e1e2c7a8  HandleCount: 102.
    Image: alg.exe

PROCESS 864b6020  SessionId: 0  Cid: 0238    Peb: 7ffdb000  ParentCid: 02a4
    DirBase: 0dd40280  ObjectTable: e1c680a8  HandleCount:  92.
    Image: svchost.exe

PROCESS 86061da0  SessionId: 0  Cid: 05c8    Peb: 7ffd4000  ParentCid: 040c
    DirBase: 0dd40240  ObjectTable: e1deae48  HandleCount:  35.
    Image: wscntfy.exe

PROCESS 860541d0  SessionId: 0  Cid: 05a0    Peb: 7ffdd000  ParentCid: 071c
    DirBase: 0dd40200  ObjectTable: e214c838  HandleCount: 418.
    Image: explorer.exe

PROCESS 863d94b0  SessionId: 0  Cid: 070c    Peb: 7ffdf000  ParentCid: 0798
    DirBase: 0dd402a0  ObjectTable: e214ce98  HandleCount:  67.
    Image: TPAutoConnect.exe

PROCESS 863e69a0  SessionId: 0  Cid: 02f8    Peb: 7ffdb000  ParentCid: 05a0
    DirBase: 0dd402c0  ObjectTable: e1683fb8  HandleCount: 226.
    Image: vmtoolsd.exe

PROCESS 86012310  SessionId: 0  Cid: 06b8    Peb: 7ffd8000  ParentCid: 05a0
    DirBase: 0dd402e0  ObjectTable: e1d22848  HandleCount:  69.
    Image: ctfmon.exe

PROCESS 864ef228  SessionId: 0  Cid: 0200    Peb: 7ffd6000  ParentCid: 02a4
    DirBase: 0dd40180  ObjectTable: e1df5458  HandleCount: 118.
    Image: imapi.exe

PROCESS 863d85d0  SessionId: 0  Cid: 01b8    Peb: 7ffd8000  ParentCid: 05a0
    DirBase: 0dd40300  ObjectTable: e1f02670  HandleCount:  80.
    Image: taskmgr.exe

PROCESS 8623bc10  SessionId: 0  Cid: 01c4    Peb: 7ffd9000  ParentCid: 05a0
    DirBase: 0dd40320  ObjectTable: e1fd04b0  HandleCount:  34.
    Image: cmd.exe

PROCESS 85fe1788  SessionId: 0  Cid: 01a4    Peb: 7ffd3000  ParentCid: 01c4
    DirBase: 0dd40340  ObjectTable: e1dc3260  HandleCount:  36.
    Image: conime.exe

2. Run !process 0 1 cmd.exe to view the cmd process information:

kd> !process 0 1 cmd.exe
PROCESS 8623bc10  SessionId: 0  Cid: 01c4    Peb: 7ffd9000  ParentCid: 05a0
    DirBase: 0dd40320  ObjectTable: e1fd04b0  HandleCount:  34.
    Image: cmd.exe
    VadRoot 8605bbe8 Vads 61 Clone 0 Private 154. Modified 1. Locked 0.
    DeviceMap e1e5c300
    Token                             e1653d48
    ElapsedTime                       00:02:15.109
    UserTime                          00:00:00.031
    KernelTime                        00:00:00.000
    QuotaPoolUsage[PagedPool]         60444
    QuotaPoolUsage[NonPagedPool]      2440
    Working Set Sizes (now,min,max)  (710, 50, 345) (2840KB, 200KB, 1380KB)
    PeakWorkingSetSize                713
    VirtualSize                       30 Mb
    PeakVirtualSize                   36 Mb
    PageFaultCount                    773
    MemoryPriority                    BACKGROUND
    BasePriority                      8
    CommitCharge                      516

This shows that the EPROCESS structure of cmd.exe is at address 8623bc10.

dt _eprocess displays the layout of the EPROCESS structure:

kd> dt _eprocess
ntdll!_EPROCESS
   +0x000 Pcb              : _KPROCESS
   +0x06c ProcessLock      : _EX_PUSH_LOCK
   +0x070 CreateTime       : _LARGE_INTEGER
   +0x078 ExitTime         : _LARGE_INTEGER
   +0x080 RundownProtect   : _EX_RUNDOWN_REF
   +0x084 UniqueProcessId  : Ptr32 Void
   +0x088 ActiveProcessLinks : _LIST_ENTRY
   +0x090 QuotaUsage       : [3] Uint4B
   +0x09c QuotaPeak        : [3] Uint4B
   +0x0a8 CommitCharge     : Uint4B
   +0x0ac PeakVirtualSize  : Uint4B
   +0x0b0 VirtualSize      : Uint4B
   +0x0b4 SessionProcessLinks : _LIST_ENTRY
   +0x0bc DebugPort        : Ptr32 Void
   +0x0c0 ExceptionPort    : Ptr32 Void
   +0x0c4 ObjectTable      : Ptr32 _HANDLE_TABLE
   +0x0c8 Token            : _EX_FAST_REF
   +0x0cc WorkingSetLock   : _FAST_MUTEX
   +0x0ec WorkingSetPage   : Uint4B
   +0x0f0 AddressCreationLock : _FAST_MUTEX
   +0x110 HyperSpaceLock   : Uint4B
   +0x114 ForkInProgress   : Ptr32 _ETHREAD
   +0x118 HardwareTrigger  : Uint4B
   +0x11c VadRoot          : Ptr32 Void
   +0x120 VadHint          : Ptr32 Void
   +0x124 CloneRoot        : Ptr32 Void
   +0x128 NumberOfPrivatePages : Uint4B
   +0x12c NumberOfLockedPages : Uint4B
   +0x130 Win32Process     : Ptr32 Void
   +0x134 Job              : Ptr32 _EJOB
   +0x138 SectionObject    : Ptr32 Void
   +0x13c SectionBaseAddress : Ptr32 Void
   +0x140 QuotaBlock       : Ptr32 _EPROCESS_QUOTA_BLOCK
   +0x144 WorkingSetWatch  : Ptr32 _PAGEFAULT_HISTORY
   +0x148 Win32WindowStation : Ptr32 Void
   +0x14c InheritedFromUniqueProcessId : Ptr32 Void
   +0x150 LdtInformation   : Ptr32 Void
   +0x154 VadFreeHint      : Ptr32 Void
   +0x158 VdmObjects       : Ptr32 Void
   +0x15c DeviceMap        : Ptr32 Void
   +0x160 PhysicalVadList  : _LIST_ENTRY
   +0x168 PageDirectoryPte : _HARDWARE_PTE_X86
   +0x168 Filler           : Uint8B
   +0x170 Session          : Ptr32 Void
   +0x174 ImageFileName    : [16] UChar
   +0x184 JobLinks         : _LIST_ENTRY
   +0x18c LockedPagesList  : Ptr32 Void
   +0x190 ThreadListHead   : _LIST_ENTRY
   +0x198 SecurityPort     : Ptr32 Void
   +0x19c PaeTop           : Ptr32 Void
   +0x1a0 ActiveThreads    : Uint4B
   +0x1a4 GrantedAccess    : Uint4B
   +0x1a8 DefaultHardErrorProcessing : Uint4B
   +0x1ac LastThreadExitStatus : Int4B
   +0x1b0 Peb              : Ptr32 _PEB
   +0x1b4 PrefetchTrace    : _EX_FAST_REF
   +0x1b8 ReadOperationCount : _LARGE_INTEGER
   +0x1c0 WriteOperationCount : _LARGE_INTEGER
   +0x1c8 OtherOperationCount : _LARGE_INTEGER
   +0x1d0 ReadTransferCount : _LARGE_INTEGER
   +0x1d8 WriteTransferCount : _LARGE_INTEGER
   +0x1e0 OtherTransferCount : _LARGE_INTEGER
   +0x1e8 CommitChargeLimit : Uint4B
   +0x1ec CommitChargePeak : Uint4B
   +0x1f0 AweInfo          : Ptr32 Void
   +0x1f4 SeAuditProcessCreationInfo : _SE_AUDIT_PROCESS_CREATION_INFO
   +0x1f8 Vm               : _MMSUPPORT
   +0x238 LastFaultCount   : Uint4B
   +0x23c ModifiedPageCount : Uint4B
   +0x240 NumberOfVads     : Uint4B
   +0x244 JobStatus        : Uint4B
   +0x248 Flags            : Uint4B
   +0x248 CreateReported   : Pos 0, 1 Bit
   +0x248 NoDebugInherit   : Pos 1, 1 Bit
   +0x248 ProcessExiting   : Pos 2, 1 Bit
   +0x248 ProcessDelete    : Pos 3, 1 Bit
   +0x248 Wow64SplitPages  : Pos 4, 1 Bit
   +0x248 VmDeleted        : Pos 5, 1 Bit
   +0x248 OutswapEnabled   : Pos 6, 1 Bit
   +0x248 Outswapped       : Pos 7, 1 Bit
   +0x248 ForkFailed       : Pos 8, 1 Bit
   +0x248 HasPhysicalVad   : Pos 9, 1 Bit
   +0x248 AddressSpaceInitialized : Pos 10, 2 Bits
   +0x248 SetTimerResolution : Pos 12, 1 Bit
   +0x248 BreakOnTermination : Pos 13, 1 Bit
   +0x248 SessionCreationUnderway : Pos 14, 1 Bit
   +0x248 WriteWatch       : Pos 15, 1 Bit
   +0x248 ProcessInSession : Pos 16, 1 Bit
   +0x248 OverrideAddressSpace : Pos 17, 1 Bit
   +0x248 HasAddressSpace  : Pos 18, 1 Bit
   +0x248 LaunchPrefetched : Pos 19, 1 Bit
   +0x248 InjectInpageErrors : Pos 20, 1 Bit
   +0x248 VmTopDown        : Pos 21, 1 Bit
   +0x248 Unused3          : Pos 22, 1 Bit
   +0x248 Unused4          : Pos 23, 1 Bit
   +0x248 VdmAllowed       : Pos 24, 1 Bit
   +0x248 Unused           : Pos 25, 5 Bits
   +0x248 Unused1          : Pos 30, 1 Bit
   +0x248 Unused2          : Pos 31, 1 Bit
   +0x24c ExitStatus       : Int4B
   +0x250 NextPageColor    : Uint2B
   +0x252 SubSystemMinorVersion : UChar
   +0x253 SubSystemMajorVersion : UChar
   +0x252 SubSystemVersion : Uint2B
   +0x254 PriorityClass    : UChar
   +0x255 WorkingSetAcquiredUnsafe : UChar
   +0x258 Cookie           : Uint4B

So the Token field sits at offset 0xc8 of EPROCESS. Dumping that offset of cmd.exe's EPROCESS gives the token as follows. Note that the field is an _EX_FAST_REF: the low 3 bits of the stored value (e1653d4d) hold a cached reference count, and the token object itself is at e1653d48, the value !process reported above.

kd> dd 8623bc10+c8
8623bcd8  e1653d4d 00000001 ee4edca0 00000000
8623bce8  00040001 00000000 8623bcf0 8623bcf0
8623bcf8  00000000 0001f55b 00000001 ee4edca0
8623bd08  00000000 00040001 00000000 8623bd14
8623bd18  8623bd14 00000000 00000000 00000000
8623bd28  00000000 8605bbe8 86484fd8 00000000
8623bd38  0000009a 00000000 e18da658 00000000
8623bd48  e1f33840 4ad00000 85feab08 00000000

3. Run !process 0 1 system to view the System process information:

kd> !process 0 1 system
PROCESS 865b7830  SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    DirBase: 00343000  ObjectTable: e1000c98  HandleCount: 284.
    Image: System
    VadRoot 865b0a50 Vads 4 Clone 0 Private 3. Modified 4837. Locked 0.
    DeviceMap e1004428
    Token                             e10017c8
    ElapsedTime                       00:30:22.218
    UserTime                          00:00:00.000
    KernelTime                        00:00:11.437
    QuotaPoolUsage[PagedPool]         0
    QuotaPoolUsage[NonPagedPool]      0
    Working Set Sizes (now,min,max)  (74, 0, 345) (296KB, 0KB, 1380KB)
    PeakWorkingSetSize                527
    VirtualSize                       1 Mb
    PeakVirtualSize                   2 Mb
    PageFaultCount                    5146
    MemoryPriority                    BACKGROUND
    BasePriority                      8
    CommitCharge                      7

kd> dd 865b7830+c8
865b78f8  e10017cd 00000001 f7a38654 00000000
865b7908  00040001 00000000 865b7910 865b7910
865b7918  00000000 00000000 00000001 f7a38658
865b7928  00000000 00040001 00000000 865b7934
865b7938  865b7934 00000000 00000000 00000000
865b7948  00000000 865b0a50 865b0a50 00000000
865b7958  00000003 00000000 00000000 00000000
865b7968  00000000 00000000 8055b200 00000000

4. Overwrite cmd's token value with System's token value:

kd> ed 8623bcd8 e10017cd
kd> dd 8623bc10+c8
8623bcd8  e10017cd 00000001 ee4edca0 00000000
8623bce8  00040001 00000000 8623bcf0 8623bcf0
8623bcf8  00000000 0001f55b 00000001 ee4edca0
8623bd08  00000000 00040001 00000000 8623bd14
8623bd18  8623bd14 00000000 00000000 00000000
8623bd28  00000000 8605bbe8 86484fd8 00000000
8623bd38  0000009a 00000000 e18da658 00000000
8623bd48  e1f33840 4ad00000 85feab08 00000000

5. Check the cmd process's token again:

kd> !process 0 1 cmd.exe
PROCESS 8623bc10  SessionId: 0  Cid: 01c4    Peb: 7ffd9000  ParentCid: 05a0
    DirBase: 0dd40320  ObjectTable: e1fd04b0  HandleCount:  34.
    Image: cmd.exe
    VadRoot 8605bbe8 Vads 61 Clone 0 Private 154. Modified 1. Locked 0.
    DeviceMap e1e5c300
    Token                             e10017c8
    ElapsedTime                       00:02:15.109
    UserTime                          00:00:00.031
    KernelTime                        00:00:00.000
    QuotaPoolUsage[PagedPool]         60444
    QuotaPoolUsage[NonPagedPool]      2440
    Working Set Sizes (now,min,max)  (710, 50, 345) (2840KB, 200KB, 1380KB)
    PeakWorkingSetSize                713
    VirtualSize                       30 Mb
    PeakVirtualSize                   36 Mb
    PageFaultCount                    773
    MemoryPriority                    BACKGROUND
    BasePriority                      8
    CommitCharge                      516

After the change, the Token value of the cmd.exe process is identical to the Token value of the System process. Running whoami in that cmd.exe window gives:

whoami in cmd.exe now reports nt\system privileges. Note that the single ed write bypasses object reference counting: cmd.exe's original token is never released, and the System token gains a user without its reference count being raised, which is one reason a legitimately created process never shares a token object with another process.
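The shared-token-object condition created above is also what a defender can look for in a memory dump. The following is an added example (not code from the original post) that parses "!process 0 1"-style output as shown on this page, strips the _EX_FAST_REF count bits, and flags any non-System process whose token object is the System process's token object; the sample dump is constructed from the page's values after the overwrite.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the relevant lines of the page's "!process 0 1" output
# after cmd.exe's Token field was overwritten (System's token object is e10017c8).
SAMPLE_DUMP = """
PROCESS 865b7830  SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    Image: System
    Token                             e10017c8
PROCESS 860541d0  SessionId: 0  Cid: 05a0    Peb: 7ffdd000  ParentCid: 071c
    Image: explorer.exe
    Token                             e1653d48
PROCESS 8623bc10  SessionId: 0  Cid: 01c4    Peb: 7ffd9000  ParentCid: 05a0
    Image: cmd.exe
    Token                             e10017c8
"""

HEADER_RE = re.compile(r"^PROCESS\s+([0-9a-f]{8})\s+SessionId:\s*\S+\s+Cid:\s*([0-9a-f]{4})")
IMAGE_RE = re.compile(r"^\s*Image:\s*(\S+)")
TOKEN_RE = re.compile(r"^\s*Token\s+([0-9a-f]{8})")


def token_object(fast_ref: int) -> int:
    """An _EX_FAST_REF keeps a cached reference count in the low 3 bits of the
    pointer, so the raw dd value e1653d4d names the token object at e1653d48."""
    return fast_ref & ~0x7


def parse_process_dump(text: str) -> List[Dict[str, str]]:
    """Turn '!process 0 1' output into one record per PROCESS block."""
    procs: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            procs.append({"eprocess": m.group(1), "cid": m.group(2)})
            continue
        if not procs:
            continue
        if (m := IMAGE_RE.match(line)):
            procs[-1]["image"] = m.group(1)
        if (m := TOKEN_RE.match(line)):
            procs[-1]["token"] = m.group(1)
    return procs


def find_shared_system_token(text: str) -> List[Tuple[str, str]]:
    """Return (image, eprocess) for every non-System process whose token object
    equals System's. Each process normally owns its own token object, so a
    shared pointer is the signature of the swap performed on this page."""
    procs = parse_process_dump(text)
    system = next(p for p in procs if p["cid"] == "0004")
    sys_tok = token_object(int(system["token"], 16))
    return [(p["image"], p["eprocess"]) for p in procs
            if p["cid"] != "0004" and token_object(int(p["token"], 16)) == sys_tok]
```

Feeding the parser the real output of !process 0 1 (dumped to a file with .logopen) applies the same check to a live debugging session.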

Time: 2024-10-26 10:39:59
