使用windbg 调试xp。
运行cmd,whoami查看权限如下:
下面要做的就是把cmd.exe 的token值用system的token替换。
1、 Ctrl + break ,windbg进入调试模式
!process 0 0 查看xp所有进程,结果如下:
kd> !process 0 0 **** NT ACTIVE PROCESS DUMP **** PROCESS 865b7830 SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000 DirBase: 00343000 ObjectTable: e1000c98 HandleCount: 284. Image: System PROCESS 8609d1a8 SessionId: none Cid: 0218 Peb: 7ffde000 ParentCid: 0004 DirBase: 0dd40020 ObjectTable: e13c8760 HandleCount: 19. Image: smss.exe PROCESS 8650d020 SessionId: 0 Cid: 0260 Peb: 7ffd5000 ParentCid: 0218 DirBase: 0dd40040 ObjectTable: e162f868 HandleCount: 398. Image: csrss.exe PROCESS 8650cc98 SessionId: 0 Cid: 0278 Peb: 7ffd7000 ParentCid: 0218 DirBase: 0dd40060 ObjectTable: e160f820 HandleCount: 457. Image: winlogon.exe PROCESS 86264aa0 SessionId: 0 Cid: 02a4 Peb: 7ffde000 ParentCid: 0278 DirBase: 0dd40080 ObjectTable: e186d3e8 HandleCount: 267. Image: services.exe PROCESS 86086a28 SessionId: 0 Cid: 02b0 Peb: 7ffdb000 ParentCid: 0278 DirBase: 0dd400a0 ObjectTable: e17fc6b0 HandleCount: 340. Image: lsass.exe PROCESS 85fdbda0 SessionId: 0 Cid: 0350 Peb: 7ffde000 ParentCid: 02a4 DirBase: 0dd400c0 ObjectTable: e186dcd8 HandleCount: 25. Image: vmacthlp.exe PROCESS 8622fc38 SessionId: 0 Cid: 0360 Peb: 7ffd8000 ParentCid: 02a4 DirBase: 0dd400e0 ObjectTable: e199c948 HandleCount: 231. Image: svchost.exe PROCESS 864ba978 SessionId: 0 Cid: 03b0 Peb: 7ffd8000 ParentCid: 02a4 DirBase: 0dd40100 ObjectTable: e1966278 HandleCount: 237. Image: svchost.exe PROCESS 8607eda0 SessionId: 0 Cid: 040c Peb: 7ffdf000 ParentCid: 02a4 DirBase: 0dd40120 ObjectTable: e1c067a8 HandleCount: 1384. Image: svchost.exe PROCESS 864b7560 SessionId: 0 Cid: 0448 Peb: 7ffdc000 ParentCid: 02a4 DirBase: 0dd40140 ObjectTable: e19e2688 HandleCount: 65. Image: svchost.exe PROCESS 85fe5558 SessionId: 0 Cid: 0498 Peb: 7ffdf000 ParentCid: 02a4 DirBase: 0dd40160 ObjectTable: e13796e0 HandleCount: 223. Image: svchost.exe PROCESS 85fe77e8 SessionId: 0 Cid: 0560 Peb: 7ffde000 ParentCid: 02a4 DirBase: 0dd401a0 ObjectTable: e1c10610 HandleCount: 131. Image: spoolsv.exe PROCESS 85ff0da0 SessionId: 0 Cid: 0668 Peb: 7ffd9000 ParentCid: 02a4 DirBase: 0dd401c0 ObjectTable: e20bc5a0 HandleCount: 292. Image: vmtoolsd.exe PROCESS 8623a650 SessionId: 0 Cid: 0798 Peb: 7ffde000 ParentCid: 02a4 DirBase: 0dd40220 ObjectTable: e1fece98 HandleCount: 99. Image: TPAutoConnSvc.exe PROCESS 863c5658 SessionId: 0 Cid: 00d4 Peb: 7ffdc000 ParentCid: 02a4 DirBase: 0dd40260 ObjectTable: e1e2c7a8 HandleCount: 102. Image: alg.exe PROCESS 864b6020 SessionId: 0 Cid: 0238 Peb: 7ffdb000 ParentCid: 02a4 DirBase: 0dd40280 ObjectTable: e1c680a8 HandleCount: 92. Image: svchost.exe PROCESS 86061da0 SessionId: 0 Cid: 05c8 Peb: 7ffd4000 ParentCid: 040c DirBase: 0dd40240 ObjectTable: e1deae48 HandleCount: 35. Image: wscntfy.exe PROCESS 860541d0 SessionId: 0 Cid: 05a0 Peb: 7ffdd000 ParentCid: 071c DirBase: 0dd40200 ObjectTable: e214c838 HandleCount: 418. Image: explorer.exe PROCESS 863d94b0 SessionId: 0 Cid: 070c Peb: 7ffdf000 ParentCid: 0798 DirBase: 0dd402a0 ObjectTable: e214ce98 HandleCount: 67. Image: TPAutoConnect.exe PROCESS 863e69a0 SessionId: 0 Cid: 02f8 Peb: 7ffdb000 ParentCid: 05a0 DirBase: 0dd402c0 ObjectTable: e1683fb8 HandleCount: 226. Image: vmtoolsd.exe PROCESS 86012310 SessionId: 0 Cid: 06b8 Peb: 7ffd8000 ParentCid: 05a0 DirBase: 0dd402e0 ObjectTable: e1d22848 HandleCount: 69. Image: ctfmon.exe PROCESS 864ef228 SessionId: 0 Cid: 0200 Peb: 7ffd6000 ParentCid: 02a4 DirBase: 0dd40180 ObjectTable: e1df5458 HandleCount: 118. Image: imapi.exe PROCESS 863d85d0 SessionId: 0 Cid: 01b8 Peb: 7ffd8000 ParentCid: 05a0 DirBase: 0dd40300 ObjectTable: e1f02670 HandleCount: 80. Image: taskmgr.exe PROCESS 8623bc10 SessionId: 0 Cid: 01c4 Peb: 7ffd9000 ParentCid: 05a0 DirBase: 0dd40320 ObjectTable: e1fd04b0 HandleCount: 34. Image: cmd.exe PROCESS 85fe1788 SessionId: 0 Cid: 01a4 Peb: 7ffd3000 ParentCid: 01c4 DirBase: 0dd40340 ObjectTable: e1dc3260 HandleCount: 36. Image: conime.exe
2、 运行!process 01 cmd.exe 查看cmd进程信息:
kd> !process 0 1 cmd.exe PROCESS 8623bc10 SessionId: 0 Cid: 01c4 Peb: 7ffd9000 ParentCid: 05a0 DirBase: 0dd40320 ObjectTable: e1fd04b0 HandleCount: 34. Image: cmd.exe VadRoot 8605bbe8 Vads 61 Clone 0 Private 154. Modified 1. Locked 0. DeviceMap e1e5c300 Token e1653d48 ElapsedTime 00:02:15.109 UserTime 00:00:00.031 KernelTime 00:00:00.000 QuotaPoolUsage[PagedPool] 60444 QuotaPoolUsage[NonPagedPool] 2440 Working Set Sizes (now,min,max) (710, 50, 345) (2840KB, 200KB, 1380KB) PeakWorkingSetSize 713 VirtualSize 30 Mb PeakVirtualSize 36 Mb PageFaultCount 773 MemoryPriority BACKGROUND BasePriority 8 CommitCharge 516
可知进程cmd.exe的eprocess结构地址为:8623bc10。
dt _eprocess查看eprocess的结构如下:
kd> dt _eprocess ntdll!_EPROCESS +0x000 Pcb : _KPROCESS +0x06c ProcessLock : _EX_PUSH_LOCK +0x070 CreateTime : _LARGE_INTEGER +0x078 ExitTime : _LARGE_INTEGER +0x080 RundownProtect : _EX_RUNDOWN_REF +0x084 UniqueProcessId : Ptr32 Void +0x088 ActiveProcessLinks : _LIST_ENTRY +0x090 QuotaUsage : [3] Uint4B +0x09c QuotaPeak : [3] Uint4B +0x0a8 CommitCharge : Uint4B +0x0ac PeakVirtualSize : Uint4B +0x0b0 VirtualSize : Uint4B +0x0b4 SessionProcessLinks : _LIST_ENTRY +0x0bc DebugPort : Ptr32 Void +0x0c0 ExceptionPort : Ptr32 Void +0x0c4 ObjectTable : Ptr32 _HANDLE_TABLE +0x0c8 Token : _EX_FAST_REF +0x0cc WorkingSetLock : _FAST_MUTEX +0x0ec WorkingSetPage : Uint4B +0x0f0 AddressCreationLock : _FAST_MUTEX +0x110 HyperSpaceLock : Uint4B +0x114 ForkInProgress : Ptr32 _ETHREAD +0x118 HardwareTrigger : Uint4B +0x11c VadRoot : Ptr32 Void +0x120 VadHint : Ptr32 Void +0x124 CloneRoot : Ptr32 Void +0x128 NumberOfPrivatePages : Uint4B +0x12c NumberOfLockedPages : Uint4B +0x130 Win32Process : Ptr32 Void +0x134 Job : Ptr32 _EJOB +0x138 SectionObject : Ptr32 Void +0x13c SectionBaseAddress : Ptr32 Void +0x140 QuotaBlock : Ptr32 _EPROCESS_QUOTA_BLOCK +0x144 WorkingSetWatch : Ptr32 _PAGEFAULT_HISTORY +0x148 Win32WindowStation : Ptr32 Void +0x14c InheritedFromUniqueProcessId : Ptr32 Void +0x150 LdtInformation : Ptr32 Void +0x154 VadFreeHint : Ptr32 Void +0x158 VdmObjects : Ptr32 Void +0x15c DeviceMap : Ptr32 Void +0x160 PhysicalVadList : _LIST_ENTRY +0x168 PageDirectoryPte : _HARDWARE_PTE_X86 +0x168 Filler : Uint8B +0x170 Session : Ptr32 Void +0x174 ImageFileName : [16] UChar +0x184 JobLinks : _LIST_ENTRY +0x18c LockedPagesList : Ptr32 Void +0x190 ThreadListHead : _LIST_ENTRY +0x198 SecurityPort : Ptr32 Void +0x19c PaeTop : Ptr32 Void +0x1a0 ActiveThreads : Uint4B +0x1a4 GrantedAccess : Uint4B +0x1a8 DefaultHardErrorProcessing : Uint4B +0x1ac LastThreadExitStatus : Int4B +0x1b0 Peb : Ptr32 _PEB +0x1b4 PrefetchTrace : _EX_FAST_REF +0x1b8 ReadOperationCount : _LARGE_INTEGER +0x1c0 WriteOperationCount : _LARGE_INTEGER +0x1c8 OtherOperationCount : _LARGE_INTEGER +0x1d0 ReadTransferCount : _LARGE_INTEGER +0x1d8 WriteTransferCount : _LARGE_INTEGER +0x1e0 OtherTransferCount : _LARGE_INTEGER +0x1e8 CommitChargeLimit : Uint4B +0x1ec CommitChargePeak : Uint4B +0x1f0 AweInfo : Ptr32 Void +0x1f4 SeAuditProcessCreationInfo : _SE_AUDIT_PROCESS_CREATION_INFO +0x1f8 Vm : _MMSUPPORT +0x238 LastFaultCount : Uint4B +0x23c ModifiedPageCount : Uint4B +0x240 NumberOfVads : Uint4B +0x244 JobStatus : Uint4B +0x248 Flags : Uint4B +0x248 CreateReported : Pos 0, 1 Bit +0x248 NoDebugInherit : Pos 1, 1 Bit +0x248 ProcessExiting : Pos 2, 1 Bit +0x248 ProcessDelete : Pos 3, 1 Bit +0x248 Wow64SplitPages : Pos 4, 1 Bit +0x248 VmDeleted : Pos 5, 1 Bit +0x248 OutswapEnabled : Pos 6, 1 Bit +0x248 Outswapped : Pos 7, 1 Bit +0x248 ForkFailed : Pos 8, 1 Bit +0x248 HasPhysicalVad : Pos 9, 1 Bit +0x248 AddressSpaceInitialized : Pos 10, 2 Bits +0x248 SetTimerResolution : Pos 12, 1 Bit +0x248 BreakOnTermination : Pos 13, 1 Bit +0x248 SessionCreationUnderway : Pos 14, 1 Bit +0x248 WriteWatch : Pos 15, 1 Bit +0x248 ProcessInSession : Pos 16, 1 Bit +0x248 OverrideAddressSpace : Pos 17, 1 Bit +0x248 HasAddressSpace : Pos 18, 1 Bit +0x248 LaunchPrefetched : Pos 19, 1 Bit +0x248 InjectInpageErrors : Pos 20, 1 Bit +0x248 VmTopDown : Pos 21, 1 Bit +0x248 Unused3 : Pos 22, 1 Bit +0x248 Unused4 : Pos 23, 1 Bit +0x248 VdmAllowed : Pos 24, 1 Bit +0x248 Unused : Pos 25, 5 Bits +0x248 Unused1 : Pos 30, 1 Bit +0x248 Unused2 : Pos 31, 1 Bit +0x24c ExitStatus : Int4B +0x250 NextPageColor : Uint2B +0x252 SubSystemMinorVersion : UChar +0x253 SubSystemMajorVersion : UChar +0x252 SubSystemVersion : Uint2B +0x254 PriorityClass : UChar +0x255 WorkingSetAcquiredUnsafe : UChar +0x258 Cookie : Uint4B
可知Token的偏移位于eprocess的c8偏移处,查看cmd.exe的eprocess得token如下:
kd> dd 8623bc10+c8 8623bcd8 e1653d4d 00000001 ee4edca0 00000000 8623bce8 00040001 00000000 8623bcf0 8623bcf0 8623bcf8 00000000 0001f55b 00000001 ee4edca0 8623bd08 00000000 00040001 00000000 8623bd14 8623bd18 8623bd14 00000000 00000000 00000000 8623bd28 00000000 8605bbe8 86484fd8 00000000 8623bd38 0000009a 00000000 e18da658 00000000 8623bd48 e1f33840 4ad00000 85feab08 00000000
3、 运行!process 01 system 查看system进程信息
kd> !process 0 1 system PROCESS 865b7830 SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000 DirBase: 00343000 ObjectTable: e1000c98 HandleCount: 284. Image: System VadRoot 865b0a50 Vads 4 Clone 0 Private 3. Modified 4837. Locked 0. DeviceMap e1004428 Token e10017c8 ElapsedTime 00:30:22.218 UserTime 00:00:00.000 KernelTime 00:00:11.437 QuotaPoolUsage[PagedPool] 0 QuotaPoolUsage[NonPagedPool] 0 Working Set Sizes (now,min,max) (74, 0, 345) (296KB, 0KB, 1380KB) PeakWorkingSetSize 527 VirtualSize 1 Mb PeakVirtualSize 2 Mb PageFaultCount 5146 MemoryPriority BACKGROUND BasePriority 8 CommitCharge 7 kd> dd 865b7830+c8 865b78f8 e10017cd 00000001 f7a38654 00000000 865b7908 00040001 00000000 865b7910 865b7910 865b7918 00000000 00000000 00000001 f7a38658 865b7928 00000000 00040001 00000000 865b7934 865b7938 865b7934 00000000 00000000 00000000 865b7948 00000000 865b0a50 865b0a50 00000000 865b7958 00000003 00000000 00000000 00000000 865b7968 00000000 00000000 8055b200 00000000
4、 将cmd的token值用system的token值替换
kd> ed 8623bcd8 e10017cd kd> dd 8623bc10+c8 8623bcd8 e10017cd 00000001 ee4edca0 00000000 8623bce8 00040001 00000000 8623bcf0 8623bcf0 8623bcf8 00000000 0001f55b 00000001 ee4edca0 8623bd08 00000000 00040001 00000000 8623bd14 8623bd18 8623bd14 00000000 00000000 00000000 8623bd28 00000000 8605bbe8 86484fd8 00000000 8623bd38 0000009a 00000000 e18da658 00000000 8623bd48 e1f33840 4ad00000 85feab08 00000000
5、 查看cmd进程的token
kd> !process 0 1 cmd.exe PROCESS 8623bc10 SessionId: 0 Cid: 01c4 Peb: 7ffd9000 ParentCid: 05a0 DirBase: 0dd40320 ObjectTable: e1fd04b0 HandleCount: 34. Image: cmd.exe VadRoot 8605bbe8 Vads 61 Clone 0 Private 154. Modified 1. Locked 0. DeviceMap e1e5c300 Token e10017c8 ElapsedTime 00:02:15.109 UserTime 00:00:00.031 KernelTime 00:00:00.000 QuotaPoolUsage[PagedPool] 60444 QuotaPoolUsage[NonPagedPool] 2440 Working Set Sizes (now,min,max) (710, 50, 345) (2840KB, 200KB, 1380KB) PeakWorkingSetSize 713 VirtualSize 30 Mb PeakVirtualSize 36 Mb PageFaultCount 773 MemoryPriority BACKGROUND BasePriority 8 CommitCharge 516
可见,修改后cmd.exe进程的token 值和system进程的Token值相同,在cmd.exe进程测试whoami查看结果:
此时cmd.exe运行whoami已经变成nt\system权限
时间: 2024-12-25 13:55:18