windbg更改cmd的token提升其特权
采用windbg 调试xp。
执行cmd。whoami检查权限如下面:
以下要做的就是把cmd.exe 的token值用system的token替换。
1、 Ctrl + break ,windbg进入调试模式
。process 0 0 查看xp全部进程,结果例如以下:
kd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
PROCESS 865b7830 SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000
DirBase: 00343000 ObjectTable: e1000c98 HandleCount: 284.
Image: System PROCESS 8609d1a8 SessionId: none Cid: 0218 Peb: 7ffde000 ParentCid: 0004
DirBase: 0dd40020 ObjectTable: e13c8760 HandleCount: 19.
Image: smss.exe PROCESS 8650d020 SessionId: 0 Cid: 0260 Peb: 7ffd5000 ParentCid: 0218
DirBase: 0dd40040 ObjectTable: e162f868 HandleCount: 398.
Image: csrss.exe PROCESS 8650cc98 SessionId: 0 Cid: 0278 Peb: 7ffd7000 ParentCid: 0218
DirBase: 0dd40060 ObjectTable: e160f820 HandleCount: 457.
Image: winlogon.exe PROCESS 86264aa0 SessionId: 0 Cid: 02a4 Peb: 7ffde000 ParentCid: 0278
DirBase: 0dd40080 ObjectTable: e186d3e8 HandleCount: 267.
Image: services.exe PROCESS 86086a28 SessionId: 0 Cid: 02b0 Peb: 7ffdb000 ParentCid: 0278
DirBase: 0dd400a0 ObjectTable: e17fc6b0 HandleCount: 340.
Image: lsass.exe PROCESS 85fdbda0 SessionId: 0 Cid: 0350 Peb: 7ffde000 ParentCid: 02a4
DirBase: 0dd400c0 ObjectTable: e186dcd8 HandleCount: 25.
Image: vmacthlp.exe PROCESS 8622fc38 SessionId: 0 Cid: 0360 Peb: 7ffd8000 ParentCid: 02a4
DirBase: 0dd400e0 ObjectTable: e199c948 HandleCount: 231.
Image: svchost.exe PROCESS 864ba978 SessionId: 0 Cid: 03b0 Peb: 7ffd8000 ParentCid: 02a4
DirBase: 0dd40100 ObjectTable: e1966278 HandleCount: 237.
Image: svchost.exe PROCESS 8607eda0 SessionId: 0 Cid: 040c Peb: 7ffdf000 ParentCid: 02a4
DirBase: 0dd40120 ObjectTable: e1c067a8 HandleCount: 1384.
Image: svchost.exe PROCESS 864b7560 SessionId: 0 Cid: 0448 Peb: 7ffdc000 ParentCid: 02a4
DirBase: 0dd40140 ObjectTable: e19e2688 HandleCount: 65.
Image: svchost.exe PROCESS 85fe5558 SessionId: 0 Cid: 0498 Peb: 7ffdf000 ParentCid: 02a4
DirBase: 0dd40160 ObjectTable: e13796e0 HandleCount: 223.
Image: svchost.exe PROCESS 85fe77e8 SessionId: 0 Cid: 0560 Peb: 7ffde000 ParentCid: 02a4
DirBase: 0dd401a0 ObjectTable: e1c10610 HandleCount: 131.
Image: spoolsv.exe PROCESS 85ff0da0 SessionId: 0 Cid: 0668 Peb: 7ffd9000 ParentCid: 02a4
DirBase: 0dd401c0 ObjectTable: e20bc5a0 HandleCount: 292.
Image: vmtoolsd.exe PROCESS 8623a650 SessionId: 0 Cid: 0798 Peb: 7ffde000 ParentCid: 02a4
DirBase: 0dd40220 ObjectTable: e1fece98 HandleCount: 99.
Image: TPAutoConnSvc.exe PROCESS 863c5658 SessionId: 0 Cid: 00d4 Peb: 7ffdc000 ParentCid: 02a4
DirBase: 0dd40260 ObjectTable: e1e2c7a8 HandleCount: 102.
Image: alg.exe PROCESS 864b6020 SessionId: 0 Cid: 0238 Peb: 7ffdb000 ParentCid: 02a4
DirBase: 0dd40280 ObjectTable: e1c680a8 HandleCount: 92.
Image: svchost.exe PROCESS 86061da0 SessionId: 0 Cid: 05c8 Peb: 7ffd4000 ParentCid: 040c
DirBase: 0dd40240 ObjectTable: e1deae48 HandleCount: 35.
Image: wscntfy.exe PROCESS 860541d0 SessionId: 0 Cid: 05a0 Peb: 7ffdd000 ParentCid: 071c
DirBase: 0dd40200 ObjectTable: e214c838 HandleCount: 418.
Image: explorer.exe PROCESS 863d94b0 SessionId: 0 Cid: 070c Peb: 7ffdf000 ParentCid: 0798
DirBase: 0dd402a0 ObjectTable: e214ce98 HandleCount: 67.
Image: TPAutoConnect.exe PROCESS 863e69a0 SessionId: 0 Cid: 02f8 Peb: 7ffdb000 ParentCid: 05a0
DirBase: 0dd402c0 ObjectTable: e1683fb8 HandleCount: 226.
Image: vmtoolsd.exe PROCESS 86012310 SessionId: 0 Cid: 06b8 Peb: 7ffd8000 ParentCid: 05a0
DirBase: 0dd402e0 ObjectTable: e1d22848 HandleCount: 69.
Image: ctfmon.exe PROCESS 864ef228 SessionId: 0 Cid: 0200 Peb: 7ffd6000 ParentCid: 02a4
DirBase: 0dd40180 ObjectTable: e1df5458 HandleCount: 118.
Image: imapi.exe PROCESS 863d85d0 SessionId: 0 Cid: 01b8 Peb: 7ffd8000 ParentCid: 05a0
DirBase: 0dd40300 ObjectTable: e1f02670 HandleCount: 80.
Image: taskmgr.exe PROCESS 8623bc10 SessionId: 0 Cid: 01c4 Peb: 7ffd9000 ParentCid: 05a0
DirBase: 0dd40320 ObjectTable: e1fd04b0 HandleCount: 34.
Image: cmd.exe PROCESS 85fe1788 SessionId: 0 Cid: 01a4 Peb: 7ffd3000 ParentCid: 01c4
DirBase: 0dd40340 ObjectTable: e1dc3260 HandleCount: 36.
Image: conime.exe
2、 执行!process 01 cmd.exe 查看cmd进程信息:
kd> !process 0 1 cmd.exe
PROCESS 8623bc10 SessionId: 0 Cid: 01c4 Peb: 7ffd9000 ParentCid: 05a0
DirBase: 0dd40320 ObjectTable: e1fd04b0 HandleCount: 34.
Image: cmd.exe
VadRoot 8605bbe8 Vads 61 Clone 0 Private 154. Modified 1. Locked 0.
DeviceMap e1e5c300
Token e1653d48
ElapsedTime 00:02:15.109
UserTime 00:00:00.031
KernelTime 00:00:00.000
QuotaPoolUsage[PagedPool] 60444
QuotaPoolUsage[NonPagedPool] 2440
Working Set Sizes (now,min,max) (710, 50, 345) (2840KB, 200KB, 1380KB)
PeakWorkingSetSize 713
VirtualSize 30 Mb
PeakVirtualSize 36 Mb
PageFaultCount 773
MemoryPriority BACKGROUND
BasePriority 8
CommitCharge 516
可知进程cmd.exe的eprocess结构地址为:8623bc10。
dt _eprocess查看eprocess的结构例如以下:
kd> dt _eprocess
ntdll!_EPROCESS
+0x000 Pcb : _KPROCESS
+0x06c ProcessLock : _EX_PUSH_LOCK
+0x070 CreateTime : _LARGE_INTEGER
+0x078 ExitTime : _LARGE_INTEGER
+0x080 RundownProtect : _EX_RUNDOWN_REF
+0x084 UniqueProcessId : Ptr32 Void
+0x088 ActiveProcessLinks : _LIST_ENTRY
+0x090 QuotaUsage : [3] Uint4B
+0x09c QuotaPeak : [3] Uint4B
+0x0a8 CommitCharge : Uint4B
+0x0ac PeakVirtualSize : Uint4B
+0x0b0 VirtualSize : Uint4B
+0x0b4 SessionProcessLinks : _LIST_ENTRY
+0x0bc DebugPort : Ptr32 Void
+0x0c0 ExceptionPort : Ptr32 Void
+0x0c4 ObjectTable : Ptr32 _HANDLE_TABLE
+0x0c8 Token : _EX_FAST_REF
+0x0cc WorkingSetLock : _FAST_MUTEX
+0x0ec WorkingSetPage : Uint4B
+0x0f0 AddressCreationLock : _FAST_MUTEX
+0x110 HyperSpaceLock : Uint4B
+0x114 ForkInProgress : Ptr32 _ETHREAD
+0x118 HardwareTrigger : Uint4B
+0x11c VadRoot : Ptr32 Void
+0x120 VadHint : Ptr32 Void
+0x124 CloneRoot : Ptr32 Void
+0x128 NumberOfPrivatePages : Uint4B
+0x12c NumberOfLockedPages : Uint4B
+0x130 Win32Process : Ptr32 Void
+0x134 Job : Ptr32 _EJOB
+0x138 SectionObject : Ptr32 Void
+0x13c SectionBaseAddress : Ptr32 Void
+0x140 QuotaBlock : Ptr32 _EPROCESS_QUOTA_BLOCK
+0x144 WorkingSetWatch : Ptr32 _PAGEFAULT_HISTORY
+0x148 Win32WindowStation : Ptr32 Void
+0x14c InheritedFromUniqueProcessId : Ptr32 Void
+0x150 LdtInformation : Ptr32 Void
+0x154 VadFreeHint : Ptr32 Void
+0x158 VdmObjects : Ptr32 Void
+0x15c DeviceMap : Ptr32 Void
+0x160 PhysicalVadList : _LIST_ENTRY
+0x168 PageDirectoryPte : _HARDWARE_PTE_X86
+0x168 Filler : Uint8B
+0x170 Session : Ptr32 Void
+0x174 ImageFileName : [16] UChar
+0x184 JobLinks : _LIST_ENTRY
+0x18c LockedPagesList : Ptr32 Void
+0x190 ThreadListHead : _LIST_ENTRY
+0x198 SecurityPort : Ptr32 Void
+0x19c PaeTop : Ptr32 Void
+0x1a0 ActiveThreads : Uint4B
+0x1a4 GrantedAccess : Uint4B
+0x1a8 DefaultHardErrorProcessing : Uint4B
+0x1ac LastThreadExitStatus : Int4B
+0x1b0 Peb : Ptr32 _PEB
+0x1b4 PrefetchTrace : _EX_FAST_REF
+0x1b8 ReadOperationCount : _LARGE_INTEGER
+0x1c0 WriteOperationCount : _LARGE_INTEGER
+0x1c8 OtherOperationCount : _LARGE_INTEGER
+0x1d0 ReadTransferCount : _LARGE_INTEGER
+0x1d8 WriteTransferCount : _LARGE_INTEGER
+0x1e0 OtherTransferCount : _LARGE_INTEGER
+0x1e8 CommitChargeLimit : Uint4B
+0x1ec CommitChargePeak : Uint4B
+0x1f0 AweInfo : Ptr32 Void
+0x1f4 SeAuditProcessCreationInfo : _SE_AUDIT_PROCESS_CREATION_INFO
+0x1f8 Vm : _MMSUPPORT
+0x238 LastFaultCount : Uint4B
+0x23c ModifiedPageCount : Uint4B
+0x240 NumberOfVads : Uint4B
+0x244 JobStatus : Uint4B
+0x248 Flags : Uint4B
+0x248 CreateReported : Pos 0, 1 Bit
+0x248 NoDebugInherit : Pos 1, 1 Bit
+0x248 ProcessExiting : Pos 2, 1 Bit
+0x248 ProcessDelete : Pos 3, 1 Bit
+0x248 Wow64SplitPages : Pos 4, 1 Bit
+0x248 VmDeleted : Pos 5, 1 Bit
+0x248 OutswapEnabled : Pos 6, 1 Bit
+0x248 Outswapped : Pos 7, 1 Bit
+0x248 ForkFailed : Pos 8, 1 Bit
+0x248 HasPhysicalVad : Pos 9, 1 Bit
+0x248 AddressSpaceInitialized : Pos 10, 2 Bits
+0x248 SetTimerResolution : Pos 12, 1 Bit
+0x248 BreakOnTermination : Pos 13, 1 Bit
+0x248 SessionCreationUnderway : Pos 14, 1 Bit
+0x248 WriteWatch : Pos 15, 1 Bit
+0x248 ProcessInSession : Pos 16, 1 Bit
+0x248 OverrideAddressSpace : Pos 17, 1 Bit
+0x248 HasAddressSpace : Pos 18, 1 Bit
+0x248 LaunchPrefetched : Pos 19, 1 Bit
+0x248 InjectInpageErrors : Pos 20, 1 Bit
+0x248 VmTopDown : Pos 21, 1 Bit
+0x248 Unused3 : Pos 22, 1 Bit
+0x248 Unused4 : Pos 23, 1 Bit
+0x248 VdmAllowed : Pos 24, 1 Bit
+0x248 Unused : Pos 25, 5 Bits
+0x248 Unused1 : Pos 30, 1 Bit
+0x248 Unused2 : Pos 31, 1 Bit
+0x24c ExitStatus : Int4B
+0x250 NextPageColor : Uint2B
+0x252 SubSystemMinorVersion : UChar
+0x253 SubSystemMajorVersion : UChar
+0x252 SubSystemVersion : Uint2B
+0x254 PriorityClass : UChar
+0x255 WorkingSetAcquiredUnsafe : UChar
+0x258 Cookie : Uint4B
可知Token的偏移位于eprocess的c8偏移处。查看cmd.exe的eprocess得token例如以下:
kd> dd 8623bc10+c8
8623bcd8 e1653d4d 00000001 ee4edca0 00000000
8623bce8 00040001 00000000 8623bcf0 8623bcf0
8623bcf8 00000000 0001f55b 00000001 ee4edca0
8623bd08 00000000 00040001 00000000 8623bd14
8623bd18 8623bd14 00000000 00000000 00000000
8623bd28 00000000 8605bbe8 86484fd8 00000000
8623bd38 0000009a 00000000 e18da658 00000000
8623bd48 e1f33840 4ad00000 85feab08 00000000
3、 执行!process 01 system 查看system进程信息
kd> !process 0 1 system
PROCESS 865b7830 SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000
DirBase: 00343000 ObjectTable: e1000c98 HandleCount: 284.
Image: System
VadRoot 865b0a50 Vads 4 Clone 0 Private 3. Modified 4837. Locked 0.
DeviceMap e1004428
Token e10017c8
ElapsedTime 00:30:22.218
UserTime 00:00:00.000
KernelTime 00:00:11.437
QuotaPoolUsage[PagedPool] 0
QuotaPoolUsage[NonPagedPool] 0
Working Set Sizes (now,min,max) (74, 0, 345) (296KB, 0KB, 1380KB)
PeakWorkingSetSize 527
VirtualSize 1 Mb
PeakVirtualSize 2 Mb
PageFaultCount 5146
MemoryPriority BACKGROUND
BasePriority 8
CommitCharge 7
kd> dd 865b7830+c8
865b78f8 e10017cd 00000001 f7a38654 00000000
865b7908 00040001 00000000 865b7910 865b7910
865b7918 00000000 00000000 00000001 f7a38658
865b7928 00000000 00040001 00000000 865b7934
865b7938 865b7934 00000000 00000000 00000000
865b7948 00000000 865b0a50 865b0a50 00000000
865b7958 00000003 00000000 00000000 00000000
865b7968 00000000 00000000 8055b200 00000000
4、 将cmd的token值用system的token值替换
kd> ed 8623bcd8 e10017cd
kd> dd 8623bc10+c8
8623bcd8 e10017cd 00000001 ee4edca0 00000000
8623bce8 00040001 00000000 8623bcf0 8623bcf0
8623bcf8 00000000 0001f55b 00000001 ee4edca0
8623bd08 00000000 00040001 00000000 8623bd14
8623bd18 8623bd14 00000000 00000000 00000000
8623bd28 00000000 8605bbe8 86484fd8 00000000
8623bd38 0000009a 00000000 e18da658 00000000
8623bd48 e1f33840 4ad00000 85feab08 00000000
5、 查看cmd进程的token
kd> !process 0 1 cmd.exe
PROCESS 8623bc10 SessionId: 0 Cid: 01c4 Peb: 7ffd9000 ParentCid: 05a0
DirBase: 0dd40320 ObjectTable: e1fd04b0 HandleCount: 34.
Image: cmd.exe
VadRoot 8605bbe8 Vads 61 Clone 0 Private 154. Modified 1. Locked 0.
DeviceMap e1e5c300
Token e10017c8
ElapsedTime 00:02:15.109
UserTime 00:00:00.031
KernelTime 00:00:00.000
QuotaPoolUsage[PagedPool] 60444
QuotaPoolUsage[NonPagedPool] 2440
Working Set Sizes (now,min,max) (710, 50, 345) (2840KB, 200KB, 1380KB)
PeakWorkingSetSize 713
VirtualSize 30 Mb
PeakVirtualSize 36 Mb
PageFaultCount 773
MemoryPriority BACKGROUND
BasePriority 8
CommitCharge 516
可见,改动后cmd.exe进程的token 值和system进程的Token值同样,在cmd.exe进程測试whoami查看结果:
此时cmd.exe执行whoami它已成为nt\system才干
版权声明:本文博主原创文章,博客,未经同意不得转载。
windbg更改cmd的token提升其特权的更多相关文章
- Python 更改cmd中的字色
没有gui的python程序是在cmd窗口中运行的,黑色背景,灰色的字,确实很复古,不符合现代人的使用习惯-同事在用我写的小工具时,清一色的字色,看起来会没有重点性,因此我就想通过更改cmd中的字色来 ...
- 更改cmd代码页,修正语言显示
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 rem 英文 chcp 437 rem 日文 chcp 932 rem 简体中文 chcp 936 re ...
- 更改cmd语言(chcp)
chcp 437 更改为英文 chcp 936 更改为简体中文 mode con cp select=437 mode con cp /status chcp cmd /c "chcp 43 ...
- 将CMD命令提示符的起始位置进行更改 / CMD起始位置发生改变后如何修改回来
具体步骤如下: 1.首先我们需要先找到命令提示符所在的文件目录.可以在开始运行程序中输入CMD,一般回自动搜索匹配. 2.右键点击命令提示符,在弹出菜单中,选择“打开文件位置”: 3.然后我们就可以进 ...
- 如何更改cmd 编码为UTF-8
如何将cmd编码改为UTF—8 如图输入chcp 65001即可更改 改完之后是这样的 更改回GBK 输入 CHCP 936即可
- windows 获取以及更改CMD控制台编码[转]
本文转自 http://blog.sina.com.cn/s/blog_794b1d96010136yy.html 命令 chcp 功能:显示或设置活动代码页编号 CHCP [nnn] nnn ...
- 更改CMD默认的初始路径
一直用CMD开启本地服务,每一次都得切换路径,有点尴尬.记录一下,修改CMD默认路径 1.打开注册表编辑器(WIN+R打开运行.输入regedit,或者直接找到路径,双击打开C:\Windows\re ...
- Win10更改CMD控制台的代码页和字体和字号
注意:936(简体中文)时,指定Consolas等英文字体将无效,会自动变为“新宋体”. 代码页:若是UTF8(65001)应改为:0000fde9 字号:000e0000 -> 12 cmd_ ...
- Windows下提升进程权限
windows的每个用户登录系统后,系统会产生一个访问令牌(access token) ,其中关联了当前用户的权限信息,用户登录后创建的每一个进程都含有用户access token的拷贝,当进程试图执 ...
随机推荐
- How to get the source code of the chromium of the specified revision
I'd like to get the source code of the chromium 34.0.1847.9. gclient config http://src.chromium.org/ ...
- 字符串转换为整数”123“->123
字符串转换为整数"123"->123 题目描写叙述: 输入一个由数字组成的字符串.把它转换成整数并输出. 比如:输入字符串"123".输出整数123. 给 ...
- Python语言总结 4.2. 和字符串(str,unicode等)处理有关的函数
4.2.7. 去除控制字符:removeCtlChr Python语言总结4.2. 和字符串(str,unicode等)处理有关的函数Sidebar Prev | Up | Next4.2.7 ...
- Java基础之数组序列化、反序列化 小发现(不知道 是不是有问题)
结论: 数组,无论是否声明为transient,都是可以序列化.反序列化的. 测试情况如下: 1.两种类型的数组:int .String: 2 声明为transient 或者不做任何修饰:. 3. ...
- H2O是开源基于大数据的机器学习库包
H2O是开源基于大数据的机器学习库包 H2O能够让Hadoop做数学,H2O是基于大数据的 统计分析 机器学习和数学库包,让用户基于核心的数学积木搭建应用块代码,采取类似R语言 Excel或JSON等 ...
- 找工作笔试面试那些事儿(8)---常问的CC++基础题
这一部分是C/C++程序员在面试的时候会被问到的一些题目的汇总.来源于基本笔试面试书籍,可能有一部分题比较老,但是这也算是基础中的基础,就归纳归纳放上来了.大牛们看到一笑而过就好,普通人看看要是能补上 ...
- HDU 4916 树分治
Mart Master II Time Limit: 12000/6000 MS (Java/Others) Memory Limit: 65536/65536 K (Java/Others) ...
- CrossBridge介绍
CrossBridge介绍 作者:chszs,转载需注明.博客主页: http://blog.csdn.net/chszs CrossBridge是Adobe FlasCC的开源版本,它提供了一个完整 ...
- 关于Platinum库的MediaRender具体C++代码实现探讨
接上篇博文 NDK下 将Platinum SDK 编译成so库 (android - upnp) 讲述了如何利用该代码库编译给android程序调用的so库,其中也提到了,在使用sample-upnp ...
- 【译】ASP.NET MVC 5 教程 - 4:添加模型
原文:[译]ASP.NET MVC 5 教程 - 4:添加模型 在本节中,我们将添加一些管理电影数据库的类,这些类在ASP.NET MVC 应用程序中扮演“Model”的角色. 我们将使用.NET F ...