码迷,mamicode.com
首页 > 数据库 > 详细

windbg修改cmd的token提升其权限

时间:2015-06-06 19:38:47      阅读:523      评论:0      收藏:0      [点我收藏+]

标签:windbg   权限提升   token   


使用windbg 调试xp。

运行cmd,whoami查看权限如下:

技术分享

下面要做的就是把cmd.exe 的token值用system的token替换。

1、  Ctrl + break ,windbg进入调试模式

!process 0 0 查看xp所有进程,结果如下:

kd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
PROCESS 865b7830  SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    DirBase: 00343000  ObjectTable: e1000c98  HandleCount: 284.
    Image: System

PROCESS 8609d1a8  SessionId: none  Cid: 0218    Peb: 7ffde000  ParentCid: 0004
    DirBase: 0dd40020  ObjectTable: e13c8760  HandleCount:  19.
    Image: smss.exe

PROCESS 8650d020  SessionId: 0  Cid: 0260    Peb: 7ffd5000  ParentCid: 0218
    DirBase: 0dd40040  ObjectTable: e162f868  HandleCount: 398.
    Image: csrss.exe

PROCESS 8650cc98  SessionId: 0  Cid: 0278    Peb: 7ffd7000  ParentCid: 0218
    DirBase: 0dd40060  ObjectTable: e160f820  HandleCount: 457.
    Image: winlogon.exe

PROCESS 86264aa0  SessionId: 0  Cid: 02a4    Peb: 7ffde000  ParentCid: 0278
    DirBase: 0dd40080  ObjectTable: e186d3e8  HandleCount: 267.
    Image: services.exe

PROCESS 86086a28  SessionId: 0  Cid: 02b0    Peb: 7ffdb000  ParentCid: 0278
    DirBase: 0dd400a0  ObjectTable: e17fc6b0  HandleCount: 340.
    Image: lsass.exe

PROCESS 85fdbda0  SessionId: 0  Cid: 0350    Peb: 7ffde000  ParentCid: 02a4
    DirBase: 0dd400c0  ObjectTable: e186dcd8  HandleCount:  25.
    Image: vmacthlp.exe

PROCESS 8622fc38  SessionId: 0  Cid: 0360    Peb: 7ffd8000  ParentCid: 02a4
    DirBase: 0dd400e0  ObjectTable: e199c948  HandleCount: 231.
    Image: svchost.exe

PROCESS 864ba978  SessionId: 0  Cid: 03b0    Peb: 7ffd8000  ParentCid: 02a4
    DirBase: 0dd40100  ObjectTable: e1966278  HandleCount: 237.
    Image: svchost.exe

PROCESS 8607eda0  SessionId: 0  Cid: 040c    Peb: 7ffdf000  ParentCid: 02a4
    DirBase: 0dd40120  ObjectTable: e1c067a8  HandleCount: 1384.
    Image: svchost.exe

PROCESS 864b7560  SessionId: 0  Cid: 0448    Peb: 7ffdc000  ParentCid: 02a4
    DirBase: 0dd40140  ObjectTable: e19e2688  HandleCount:  65.
    Image: svchost.exe

PROCESS 85fe5558  SessionId: 0  Cid: 0498    Peb: 7ffdf000  ParentCid: 02a4
    DirBase: 0dd40160  ObjectTable: e13796e0  HandleCount: 223.
    Image: svchost.exe

PROCESS 85fe77e8  SessionId: 0  Cid: 0560    Peb: 7ffde000  ParentCid: 02a4
    DirBase: 0dd401a0  ObjectTable: e1c10610  HandleCount: 131.
    Image: spoolsv.exe

PROCESS 85ff0da0  SessionId: 0  Cid: 0668    Peb: 7ffd9000  ParentCid: 02a4
    DirBase: 0dd401c0  ObjectTable: e20bc5a0  HandleCount: 292.
    Image: vmtoolsd.exe

PROCESS 8623a650  SessionId: 0  Cid: 0798    Peb: 7ffde000  ParentCid: 02a4
    DirBase: 0dd40220  ObjectTable: e1fece98  HandleCount:  99.
    Image: TPAutoConnSvc.exe

PROCESS 863c5658  SessionId: 0  Cid: 00d4    Peb: 7ffdc000  ParentCid: 02a4
    DirBase: 0dd40260  ObjectTable: e1e2c7a8  HandleCount: 102.
    Image: alg.exe

PROCESS 864b6020  SessionId: 0  Cid: 0238    Peb: 7ffdb000  ParentCid: 02a4
    DirBase: 0dd40280  ObjectTable: e1c680a8  HandleCount:  92.
    Image: svchost.exe

PROCESS 86061da0  SessionId: 0  Cid: 05c8    Peb: 7ffd4000  ParentCid: 040c
    DirBase: 0dd40240  ObjectTable: e1deae48  HandleCount:  35.
    Image: wscntfy.exe

PROCESS 860541d0  SessionId: 0  Cid: 05a0    Peb: 7ffdd000  ParentCid: 071c
    DirBase: 0dd40200  ObjectTable: e214c838  HandleCount: 418.
    Image: explorer.exe

PROCESS 863d94b0  SessionId: 0  Cid: 070c    Peb: 7ffdf000  ParentCid: 0798
    DirBase: 0dd402a0  ObjectTable: e214ce98  HandleCount:  67.
    Image: TPAutoConnect.exe

PROCESS 863e69a0  SessionId: 0  Cid: 02f8    Peb: 7ffdb000  ParentCid: 05a0
    DirBase: 0dd402c0  ObjectTable: e1683fb8  HandleCount: 226.
    Image: vmtoolsd.exe

PROCESS 86012310  SessionId: 0  Cid: 06b8    Peb: 7ffd8000  ParentCid: 05a0
    DirBase: 0dd402e0  ObjectTable: e1d22848  HandleCount:  69.
    Image: ctfmon.exe

PROCESS 864ef228  SessionId: 0  Cid: 0200    Peb: 7ffd6000  ParentCid: 02a4
    DirBase: 0dd40180  ObjectTable: e1df5458  HandleCount: 118.
    Image: imapi.exe

PROCESS 863d85d0  SessionId: 0  Cid: 01b8    Peb: 7ffd8000  ParentCid: 05a0
    DirBase: 0dd40300  ObjectTable: e1f02670  HandleCount:  80.
    Image: taskmgr.exe

PROCESS 8623bc10  SessionId: 0  Cid: 01c4    Peb: 7ffd9000  ParentCid: 05a0
    DirBase: 0dd40320  ObjectTable: e1fd04b0  HandleCount:  34.
    Image: cmd.exe

PROCESS 85fe1788  SessionId: 0  Cid: 01a4    Peb: 7ffd3000  ParentCid: 01c4
    DirBase: 0dd40340  ObjectTable: e1dc3260  HandleCount:  36.
Image: conime.exe

2、  运行!process 01 cmd.exe 查看cmd进程信息:

kd> !process 0 1 cmd.exe
PROCESS 8623bc10  SessionId: 0  Cid: 01c4    Peb: 7ffd9000  ParentCid: 05a0
    DirBase: 0dd40320  ObjectTable: e1fd04b0  HandleCount:  34.
    Image: cmd.exe
    VadRoot 8605bbe8 Vads 61 Clone 0 Private 154. Modified 1. Locked 0.
    DeviceMap e1e5c300
    Token                             e1653d48
    ElapsedTime                       00:02:15.109
    UserTime                          00:00:00.031
    KernelTime                        00:00:00.000
    QuotaPoolUsage[PagedPool]         60444
    QuotaPoolUsage[NonPagedPool]      2440
    Working Set Sizes (now,min,max)  (710, 50, 345) (2840KB, 200KB, 1380KB)
    PeakWorkingSetSize                713
    VirtualSize                       30 Mb
    PeakVirtualSize                   36 Mb
    PageFaultCount                    773
    MemoryPriority                    BACKGROUND
    BasePriority                      8
    CommitCharge                      516

可知进程cmd.exe的eprocess结构地址为:8623bc10。

dt _eprocess查看eprocess的结构如下:

kd> dt _eprocess
ntdll!_EPROCESS
   +0x000 Pcb              : _KPROCESS
   +0x06c ProcessLock      : _EX_PUSH_LOCK
   +0x070 CreateTime       : _LARGE_INTEGER
   +0x078 ExitTime         : _LARGE_INTEGER
   +0x080 RundownProtect   : _EX_RUNDOWN_REF
   +0x084 UniqueProcessId  : Ptr32 Void
   +0x088 ActiveProcessLinks : _LIST_ENTRY
   +0x090 QuotaUsage       : [3] Uint4B
   +0x09c QuotaPeak        : [3] Uint4B
   +0x0a8 CommitCharge     : Uint4B
   +0x0ac PeakVirtualSize  : Uint4B
   +0x0b0 VirtualSize      : Uint4B
   +0x0b4 SessionProcessLinks : _LIST_ENTRY
   +0x0bc DebugPort        : Ptr32 Void
   +0x0c0 ExceptionPort    : Ptr32 Void
   +0x0c4 ObjectTable      : Ptr32 _HANDLE_TABLE
   +0x0c8 Token            : _EX_FAST_REF
   +0x0cc WorkingSetLock   : _FAST_MUTEX
   +0x0ec WorkingSetPage   : Uint4B
   +0x0f0 AddressCreationLock : _FAST_MUTEX
   +0x110 HyperSpaceLock   : Uint4B
   +0x114 ForkInProgress   : Ptr32 _ETHREAD
   +0x118 HardwareTrigger  : Uint4B
   +0x11c VadRoot          : Ptr32 Void
   +0x120 VadHint          : Ptr32 Void
   +0x124 CloneRoot        : Ptr32 Void
   +0x128 NumberOfPrivatePages : Uint4B
   +0x12c NumberOfLockedPages : Uint4B
   +0x130 Win32Process     : Ptr32 Void
   +0x134 Job              : Ptr32 _EJOB
   +0x138 SectionObject    : Ptr32 Void
   +0x13c SectionBaseAddress : Ptr32 Void
   +0x140 QuotaBlock       : Ptr32 _EPROCESS_QUOTA_BLOCK
   +0x144 WorkingSetWatch  : Ptr32 _PAGEFAULT_HISTORY
   +0x148 Win32WindowStation : Ptr32 Void
   +0x14c InheritedFromUniqueProcessId : Ptr32 Void
   +0x150 LdtInformation   : Ptr32 Void
   +0x154 VadFreeHint      : Ptr32 Void
   +0x158 VdmObjects       : Ptr32 Void
   +0x15c DeviceMap        : Ptr32 Void
   +0x160 PhysicalVadList  : _LIST_ENTRY
   +0x168 PageDirectoryPte : _HARDWARE_PTE_X86
   +0x168 Filler           : Uint8B
   +0x170 Session          : Ptr32 Void
   +0x174 ImageFileName    : [16] UChar
   +0x184 JobLinks         : _LIST_ENTRY
   +0x18c LockedPagesList  : Ptr32 Void
   +0x190 ThreadListHead   : _LIST_ENTRY
   +0x198 SecurityPort     : Ptr32 Void
   +0x19c PaeTop           : Ptr32 Void
   +0x1a0 ActiveThreads    : Uint4B
   +0x1a4 GrantedAccess    : Uint4B
   +0x1a8 DefaultHardErrorProcessing : Uint4B
   +0x1ac LastThreadExitStatus : Int4B
   +0x1b0 Peb              : Ptr32 _PEB
   +0x1b4 PrefetchTrace    : _EX_FAST_REF
   +0x1b8 ReadOperationCount : _LARGE_INTEGER
   +0x1c0 WriteOperationCount : _LARGE_INTEGER
   +0x1c8 OtherOperationCount : _LARGE_INTEGER
   +0x1d0 ReadTransferCount : _LARGE_INTEGER
   +0x1d8 WriteTransferCount : _LARGE_INTEGER
   +0x1e0 OtherTransferCount : _LARGE_INTEGER
   +0x1e8 CommitChargeLimit : Uint4B
   +0x1ec CommitChargePeak : Uint4B
   +0x1f0 AweInfo          : Ptr32 Void
   +0x1f4 SeAuditProcessCreationInfo : _SE_AUDIT_PROCESS_CREATION_INFO
   +0x1f8 Vm               : _MMSUPPORT
   +0x238 LastFaultCount   : Uint4B
   +0x23c ModifiedPageCount : Uint4B
   +0x240 NumberOfVads     : Uint4B
   +0x244 JobStatus        : Uint4B
   +0x248 Flags            : Uint4B
   +0x248 CreateReported   : Pos 0, 1 Bit
   +0x248 NoDebugInherit   : Pos 1, 1 Bit
   +0x248 ProcessExiting   : Pos 2, 1 Bit
   +0x248 ProcessDelete    : Pos 3, 1 Bit
   +0x248 Wow64SplitPages  : Pos 4, 1 Bit
   +0x248 VmDeleted        : Pos 5, 1 Bit
   +0x248 OutswapEnabled   : Pos 6, 1 Bit
   +0x248 Outswapped       : Pos 7, 1 Bit
   +0x248 ForkFailed       : Pos 8, 1 Bit
   +0x248 HasPhysicalVad   : Pos 9, 1 Bit
   +0x248 AddressSpaceInitialized : Pos 10, 2 Bits
   +0x248 SetTimerResolution : Pos 12, 1 Bit
   +0x248 BreakOnTermination : Pos 13, 1 Bit
   +0x248 SessionCreationUnderway : Pos 14, 1 Bit
   +0x248 WriteWatch       : Pos 15, 1 Bit
   +0x248 ProcessInSession : Pos 16, 1 Bit
   +0x248 OverrideAddressSpace : Pos 17, 1 Bit
   +0x248 HasAddressSpace  : Pos 18, 1 Bit
   +0x248 LaunchPrefetched : Pos 19, 1 Bit
   +0x248 InjectInpageErrors : Pos 20, 1 Bit
   +0x248 VmTopDown        : Pos 21, 1 Bit
   +0x248 Unused3          : Pos 22, 1 Bit
   +0x248 Unused4          : Pos 23, 1 Bit
   +0x248 VdmAllowed       : Pos 24, 1 Bit
   +0x248 Unused           : Pos 25, 5 Bits
   +0x248 Unused1          : Pos 30, 1 Bit
   +0x248 Unused2          : Pos 31, 1 Bit
   +0x24c ExitStatus       : Int4B
   +0x250 NextPageColor    : Uint2B
   +0x252 SubSystemMinorVersion : UChar
   +0x253 SubSystemMajorVersion : UChar
   +0x252 SubSystemVersion : Uint2B
   +0x254 PriorityClass    : UChar
   +0x255 WorkingSetAcquiredUnsafe : UChar
   +0x258 Cookie           : Uint4B

可知Token的偏移位于eprocess的c8偏移处,查看cmd.exe的eprocess得token如下:
kd> dd 8623bc10+c8
8623bcd8  e1653d4d 00000001 ee4edca0 00000000
8623bce8  00040001 00000000 8623bcf0 8623bcf0
8623bcf8  00000000 0001f55b 00000001 ee4edca0
8623bd08  00000000 00040001 00000000 8623bd14
8623bd18  8623bd14 00000000 00000000 00000000
8623bd28  00000000 8605bbe8 86484fd8 00000000
8623bd38  0000009a 00000000 e18da658 00000000
8623bd48  e1f33840 4ad00000 85feab08 00000000

3、  运行!process 01 system 查看system进程信息

kd> !process 0 1 system
PROCESS 865b7830  SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    DirBase: 00343000  ObjectTable: e1000c98  HandleCount: 284.
    Image: System
    VadRoot 865b0a50 Vads 4 Clone 0 Private 3. Modified 4837. Locked 0.
    DeviceMap e1004428
    Token                             e10017c8
    ElapsedTime                       00:30:22.218
    UserTime                          00:00:00.000
    KernelTime                        00:00:11.437
    QuotaPoolUsage[PagedPool]         0
    QuotaPoolUsage[NonPagedPool]      0
    Working Set Sizes (now,min,max)  (74, 0, 345) (296KB, 0KB, 1380KB)
    PeakWorkingSetSize                527
    VirtualSize                       1 Mb
    PeakVirtualSize                   2 Mb
    PageFaultCount                    5146
    MemoryPriority                    BACKGROUND
    BasePriority                      8
CommitCharge                      7
kd> dd 865b7830+c8
865b78f8  e10017cd 00000001 f7a38654 00000000
865b7908  00040001 00000000 865b7910 865b7910
865b7918  00000000 00000000 00000001 f7a38658
865b7928  00000000 00040001 00000000 865b7934
865b7938  865b7934 00000000 00000000 00000000
865b7948  00000000 865b0a50 865b0a50 00000000
865b7958  00000003 00000000 00000000 00000000
865b7968  00000000 00000000 8055b200 00000000

4、  将cmd的token值用system的token值替换

kd> ed 8623bcd8 e10017cd
kd> dd 8623bc10+c8
8623bcd8  e10017cd 00000001 ee4edca0 00000000
8623bce8  00040001 00000000 8623bcf0 8623bcf0
8623bcf8  00000000 0001f55b 00000001 ee4edca0
8623bd08  00000000 00040001 00000000 8623bd14
8623bd18  8623bd14 00000000 00000000 00000000
8623bd28  00000000 8605bbe8 86484fd8 00000000
8623bd38  0000009a 00000000 e18da658 00000000
8623bd48  e1f33840 4ad00000 85feab08 00000000

5、  查看cmd进程的token

kd> !process 0 1 cmd.exe
PROCESS 8623bc10  SessionId: 0  Cid: 01c4    Peb: 7ffd9000  ParentCid: 05a0
    DirBase: 0dd40320  ObjectTable: e1fd04b0  HandleCount:  34.
    Image: cmd.exe
    VadRoot 8605bbe8 Vads 61 Clone 0 Private 154. Modified 1. Locked 0.
    DeviceMap e1e5c300
    Token                             e10017c8
    ElapsedTime                       00:02:15.109
    UserTime                          00:00:00.031
    KernelTime                        00:00:00.000
    QuotaPoolUsage[PagedPool]         60444
    QuotaPoolUsage[NonPagedPool]      2440
    Working Set Sizes (now,min,max)  (710, 50, 345) (2840KB, 200KB, 1380KB)
    PeakWorkingSetSize                713
    VirtualSize                       30 Mb
    PeakVirtualSize                   36 Mb
    PageFaultCount                    773
    MemoryPriority                    BACKGROUND
    BasePriority                      8
    CommitCharge                      516

可见,修改后cmd.exe进程的token 值和system进程的Token值相同,在cmd.exe进程测试whoami查看结果:

技术分享

此时cmd.exe运行whoami已经变成nt\system权限



windbg修改cmd的token提升其权限

标签:windbg   权限提升   token   

原文地址:http://blog.csdn.net/hjxyshell/article/details/46390683

(0)
(0)
   
举报
评论 一句话评论(0
登录后才能评论!
© 2014 mamicode.com 版权所有  联系我们:gaon5@hotmail.com
迷上了代码!