windbg更改cmd的token提升其特权
采用windbg 调试xp。
执行cmd。whoami检查权限如下面:
以下要做的就是把cmd.exe 的token值用system的token替换。
1、 Ctrl + break ,windbg进入调试模式
。process 0 0 查看xp全部进程,结果例如以下:
kd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
PROCESS 865b7830 SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000
DirBase: 00343000 ObjectTable: e1000c98 HandleCount: 284.
Image: System PROCESS 8609d1a8 SessionId: none Cid: 0218 Peb: 7ffde000 ParentCid: 0004
DirBase: 0dd40020 ObjectTable: e13c8760 HandleCount: 19.
Image: smss.exe PROCESS 8650d020 SessionId: 0 Cid: 0260 Peb: 7ffd5000 ParentCid: 0218
DirBase: 0dd40040 ObjectTable: e162f868 HandleCount: 398.
Image: csrss.exe PROCESS 8650cc98 SessionId: 0 Cid: 0278 Peb: 7ffd7000 ParentCid: 0218
DirBase: 0dd40060 ObjectTable: e160f820 HandleCount: 457.
Image: winlogon.exe PROCESS 86264aa0 SessionId: 0 Cid: 02a4 Peb: 7ffde000 ParentCid: 0278
DirBase: 0dd40080 ObjectTable: e186d3e8 HandleCount: 267.
Image: services.exe PROCESS 86086a28 SessionId: 0 Cid: 02b0 Peb: 7ffdb000 ParentCid: 0278
DirBase: 0dd400a0 ObjectTable: e17fc6b0 HandleCount: 340.
Image: lsass.exe PROCESS 85fdbda0 SessionId: 0 Cid: 0350 Peb: 7ffde000 ParentCid: 02a4
DirBase: 0dd400c0 ObjectTable: e186dcd8 HandleCount: 25.
Image: vmacthlp.exe PROCESS 8622fc38 SessionId: 0 Cid: 0360 Peb: 7ffd8000 ParentCid: 02a4
DirBase: 0dd400e0 ObjectTable: e199c948 HandleCount: 231.
Image: svchost.exe PROCESS 864ba978 SessionId: 0 Cid: 03b0 Peb: 7ffd8000 ParentCid: 02a4
DirBase: 0dd40100 ObjectTable: e1966278 HandleCount: 237.
Image: svchost.exe PROCESS 8607eda0 SessionId: 0 Cid: 040c Peb: 7ffdf000 ParentCid: 02a4
DirBase: 0dd40120 ObjectTable: e1c067a8 HandleCount: 1384.
Image: svchost.exe PROCESS 864b7560 SessionId: 0 Cid: 0448 Peb: 7ffdc000 ParentCid: 02a4
DirBase: 0dd40140 ObjectTable: e19e2688 HandleCount: 65.
Image: svchost.exe PROCESS 85fe5558 SessionId: 0 Cid: 0498 Peb: 7ffdf000 ParentCid: 02a4
DirBase: 0dd40160 ObjectTable: e13796e0 HandleCount: 223.
Image: svchost.exe PROCESS 85fe77e8 SessionId: 0 Cid: 0560 Peb: 7ffde000 ParentCid: 02a4
DirBase: 0dd401a0 ObjectTable: e1c10610 HandleCount: 131.
Image: spoolsv.exe PROCESS 85ff0da0 SessionId: 0 Cid: 0668 Peb: 7ffd9000 ParentCid: 02a4
DirBase: 0dd401c0 ObjectTable: e20bc5a0 HandleCount: 292.
Image: vmtoolsd.exe PROCESS 8623a650 SessionId: 0 Cid: 0798 Peb: 7ffde000 ParentCid: 02a4
DirBase: 0dd40220 ObjectTable: e1fece98 HandleCount: 99.
Image: TPAutoConnSvc.exe PROCESS 863c5658 SessionId: 0 Cid: 00d4 Peb: 7ffdc000 ParentCid: 02a4
DirBase: 0dd40260 ObjectTable: e1e2c7a8 HandleCount: 102.
Image: alg.exe PROCESS 864b6020 SessionId: 0 Cid: 0238 Peb: 7ffdb000 ParentCid: 02a4
DirBase: 0dd40280 ObjectTable: e1c680a8 HandleCount: 92.
Image: svchost.exe PROCESS 86061da0 SessionId: 0 Cid: 05c8 Peb: 7ffd4000 ParentCid: 040c
DirBase: 0dd40240 ObjectTable: e1deae48 HandleCount: 35.
Image: wscntfy.exe PROCESS 860541d0 SessionId: 0 Cid: 05a0 Peb: 7ffdd000 ParentCid: 071c
DirBase: 0dd40200 ObjectTable: e214c838 HandleCount: 418.
Image: explorer.exe PROCESS 863d94b0 SessionId: 0 Cid: 070c Peb: 7ffdf000 ParentCid: 0798
DirBase: 0dd402a0 ObjectTable: e214ce98 HandleCount: 67.
Image: TPAutoConnect.exe PROCESS 863e69a0 SessionId: 0 Cid: 02f8 Peb: 7ffdb000 ParentCid: 05a0
DirBase: 0dd402c0 ObjectTable: e1683fb8 HandleCount: 226.
Image: vmtoolsd.exe PROCESS 86012310 SessionId: 0 Cid: 06b8 Peb: 7ffd8000 ParentCid: 05a0
DirBase: 0dd402e0 ObjectTable: e1d22848 HandleCount: 69.
Image: ctfmon.exe PROCESS 864ef228 SessionId: 0 Cid: 0200 Peb: 7ffd6000 ParentCid: 02a4
DirBase: 0dd40180 ObjectTable: e1df5458 HandleCount: 118.
Image: imapi.exe PROCESS 863d85d0 SessionId: 0 Cid: 01b8 Peb: 7ffd8000 ParentCid: 05a0
DirBase: 0dd40300 ObjectTable: e1f02670 HandleCount: 80.
Image: taskmgr.exe PROCESS 8623bc10 SessionId: 0 Cid: 01c4 Peb: 7ffd9000 ParentCid: 05a0
DirBase: 0dd40320 ObjectTable: e1fd04b0 HandleCount: 34.
Image: cmd.exe PROCESS 85fe1788 SessionId: 0 Cid: 01a4 Peb: 7ffd3000 ParentCid: 01c4
DirBase: 0dd40340 ObjectTable: e1dc3260 HandleCount: 36.
Image: conime.exe
2、 执行!process 01 cmd.exe 查看cmd进程信息:
kd> !process 0 1 cmd.exe
PROCESS 8623bc10 SessionId: 0 Cid: 01c4 Peb: 7ffd9000 ParentCid: 05a0
DirBase: 0dd40320 ObjectTable: e1fd04b0 HandleCount: 34.
Image: cmd.exe
VadRoot 8605bbe8 Vads 61 Clone 0 Private 154. Modified 1. Locked 0.
DeviceMap e1e5c300
Token e1653d48
ElapsedTime 00:02:15.109
UserTime 00:00:00.031
KernelTime 00:00:00.000
QuotaPoolUsage[PagedPool] 60444
QuotaPoolUsage[NonPagedPool] 2440
Working Set Sizes (now,min,max) (710, 50, 345) (2840KB, 200KB, 1380KB)
PeakWorkingSetSize 713
VirtualSize 30 Mb
PeakVirtualSize 36 Mb
PageFaultCount 773
MemoryPriority BACKGROUND
BasePriority 8
CommitCharge 516
可知进程cmd.exe的eprocess结构地址为:8623bc10。
dt _eprocess查看eprocess的结构例如以下:
kd> dt _eprocess
ntdll!_EPROCESS
+0x000 Pcb : _KPROCESS
+0x06c ProcessLock : _EX_PUSH_LOCK
+0x070 CreateTime : _LARGE_INTEGER
+0x078 ExitTime : _LARGE_INTEGER
+0x080 RundownProtect : _EX_RUNDOWN_REF
+0x084 UniqueProcessId : Ptr32 Void
+0x088 ActiveProcessLinks : _LIST_ENTRY
+0x090 QuotaUsage : [3] Uint4B
+0x09c QuotaPeak : [3] Uint4B
+0x0a8 CommitCharge : Uint4B
+0x0ac PeakVirtualSize : Uint4B
+0x0b0 VirtualSize : Uint4B
+0x0b4 SessionProcessLinks : _LIST_ENTRY
+0x0bc DebugPort : Ptr32 Void
+0x0c0 ExceptionPort : Ptr32 Void
+0x0c4 ObjectTable : Ptr32 _HANDLE_TABLE
+0x0c8 Token : _EX_FAST_REF
+0x0cc WorkingSetLock : _FAST_MUTEX
+0x0ec WorkingSetPage : Uint4B
+0x0f0 AddressCreationLock : _FAST_MUTEX
+0x110 HyperSpaceLock : Uint4B
+0x114 ForkInProgress : Ptr32 _ETHREAD
+0x118 HardwareTrigger : Uint4B
+0x11c VadRoot : Ptr32 Void
+0x120 VadHint : Ptr32 Void
+0x124 CloneRoot : Ptr32 Void
+0x128 NumberOfPrivatePages : Uint4B
+0x12c NumberOfLockedPages : Uint4B
+0x130 Win32Process : Ptr32 Void
+0x134 Job : Ptr32 _EJOB
+0x138 SectionObject : Ptr32 Void
+0x13c SectionBaseAddress : Ptr32 Void
+0x140 QuotaBlock : Ptr32 _EPROCESS_QUOTA_BLOCK
+0x144 WorkingSetWatch : Ptr32 _PAGEFAULT_HISTORY
+0x148 Win32WindowStation : Ptr32 Void
+0x14c InheritedFromUniqueProcessId : Ptr32 Void
+0x150 LdtInformation : Ptr32 Void
+0x154 VadFreeHint : Ptr32 Void
+0x158 VdmObjects : Ptr32 Void
+0x15c DeviceMap : Ptr32 Void
+0x160 PhysicalVadList : _LIST_ENTRY
+0x168 PageDirectoryPte : _HARDWARE_PTE_X86
+0x168 Filler : Uint8B
+0x170 Session : Ptr32 Void
+0x174 ImageFileName : [16] UChar
+0x184 JobLinks : _LIST_ENTRY
+0x18c LockedPagesList : Ptr32 Void
+0x190 ThreadListHead : _LIST_ENTRY
+0x198 SecurityPort : Ptr32 Void
+0x19c PaeTop : Ptr32 Void
+0x1a0 ActiveThreads : Uint4B
+0x1a4 GrantedAccess : Uint4B
+0x1a8 DefaultHardErrorProcessing : Uint4B
+0x1ac LastThreadExitStatus : Int4B
+0x1b0 Peb : Ptr32 _PEB
+0x1b4 PrefetchTrace : _EX_FAST_REF
+0x1b8 ReadOperationCount : _LARGE_INTEGER
+0x1c0 WriteOperationCount : _LARGE_INTEGER
+0x1c8 OtherOperationCount : _LARGE_INTEGER
+0x1d0 ReadTransferCount : _LARGE_INTEGER
+0x1d8 WriteTransferCount : _LARGE_INTEGER
+0x1e0 OtherTransferCount : _LARGE_INTEGER
+0x1e8 CommitChargeLimit : Uint4B
+0x1ec CommitChargePeak : Uint4B
+0x1f0 AweInfo : Ptr32 Void
+0x1f4 SeAuditProcessCreationInfo : _SE_AUDIT_PROCESS_CREATION_INFO
+0x1f8 Vm : _MMSUPPORT
+0x238 LastFaultCount : Uint4B
+0x23c ModifiedPageCount : Uint4B
+0x240 NumberOfVads : Uint4B
+0x244 JobStatus : Uint4B
+0x248 Flags : Uint4B
+0x248 CreateReported : Pos 0, 1 Bit
+0x248 NoDebugInherit : Pos 1, 1 Bit
+0x248 ProcessExiting : Pos 2, 1 Bit
+0x248 ProcessDelete : Pos 3, 1 Bit
+0x248 Wow64SplitPages : Pos 4, 1 Bit
+0x248 VmDeleted : Pos 5, 1 Bit
+0x248 OutswapEnabled : Pos 6, 1 Bit
+0x248 Outswapped : Pos 7, 1 Bit
+0x248 ForkFailed : Pos 8, 1 Bit
+0x248 HasPhysicalVad : Pos 9, 1 Bit
+0x248 AddressSpaceInitialized : Pos 10, 2 Bits
+0x248 SetTimerResolution : Pos 12, 1 Bit
+0x248 BreakOnTermination : Pos 13, 1 Bit
+0x248 SessionCreationUnderway : Pos 14, 1 Bit
+0x248 WriteWatch : Pos 15, 1 Bit
+0x248 ProcessInSession : Pos 16, 1 Bit
+0x248 OverrideAddressSpace : Pos 17, 1 Bit
+0x248 HasAddressSpace : Pos 18, 1 Bit
+0x248 LaunchPrefetched : Pos 19, 1 Bit
+0x248 InjectInpageErrors : Pos 20, 1 Bit
+0x248 VmTopDown : Pos 21, 1 Bit
+0x248 Unused3 : Pos 22, 1 Bit
+0x248 Unused4 : Pos 23, 1 Bit
+0x248 VdmAllowed : Pos 24, 1 Bit
+0x248 Unused : Pos 25, 5 Bits
+0x248 Unused1 : Pos 30, 1 Bit
+0x248 Unused2 : Pos 31, 1 Bit
+0x24c ExitStatus : Int4B
+0x250 NextPageColor : Uint2B
+0x252 SubSystemMinorVersion : UChar
+0x253 SubSystemMajorVersion : UChar
+0x252 SubSystemVersion : Uint2B
+0x254 PriorityClass : UChar
+0x255 WorkingSetAcquiredUnsafe : UChar
+0x258 Cookie : Uint4B
可知Token的偏移位于eprocess的c8偏移处。查看cmd.exe的eprocess得token例如以下:
kd> dd 8623bc10+c8
8623bcd8 e1653d4d 00000001 ee4edca0 00000000
8623bce8 00040001 00000000 8623bcf0 8623bcf0
8623bcf8 00000000 0001f55b 00000001 ee4edca0
8623bd08 00000000 00040001 00000000 8623bd14
8623bd18 8623bd14 00000000 00000000 00000000
8623bd28 00000000 8605bbe8 86484fd8 00000000
8623bd38 0000009a 00000000 e18da658 00000000
8623bd48 e1f33840 4ad00000 85feab08 00000000
3、 执行!process 01 system 查看system进程信息
kd> !process 0 1 system
PROCESS 865b7830 SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000
DirBase: 00343000 ObjectTable: e1000c98 HandleCount: 284.
Image: System
VadRoot 865b0a50 Vads 4 Clone 0 Private 3. Modified 4837. Locked 0.
DeviceMap e1004428
Token e10017c8
ElapsedTime 00:30:22.218
UserTime 00:00:00.000
KernelTime 00:00:11.437
QuotaPoolUsage[PagedPool] 0
QuotaPoolUsage[NonPagedPool] 0
Working Set Sizes (now,min,max) (74, 0, 345) (296KB, 0KB, 1380KB)
PeakWorkingSetSize 527
VirtualSize 1 Mb
PeakVirtualSize 2 Mb
PageFaultCount 5146
MemoryPriority BACKGROUND
BasePriority 8
CommitCharge 7
kd> dd 865b7830+c8
865b78f8 e10017cd 00000001 f7a38654 00000000
865b7908 00040001 00000000 865b7910 865b7910
865b7918 00000000 00000000 00000001 f7a38658
865b7928 00000000 00040001 00000000 865b7934
865b7938 865b7934 00000000 00000000 00000000
865b7948 00000000 865b0a50 865b0a50 00000000
865b7958 00000003 00000000 00000000 00000000
865b7968 00000000 00000000 8055b200 00000000
4、 将cmd的token值用system的token值替换
kd> ed 8623bcd8 e10017cd
kd> dd 8623bc10+c8
8623bcd8 e10017cd 00000001 ee4edca0 00000000
8623bce8 00040001 00000000 8623bcf0 8623bcf0
8623bcf8 00000000 0001f55b 00000001 ee4edca0
8623bd08 00000000 00040001 00000000 8623bd14
8623bd18 8623bd14 00000000 00000000 00000000
8623bd28 00000000 8605bbe8 86484fd8 00000000
8623bd38 0000009a 00000000 e18da658 00000000
8623bd48 e1f33840 4ad00000 85feab08 00000000
5、 查看cmd进程的token
kd> !process 0 1 cmd.exe
PROCESS 8623bc10 SessionId: 0 Cid: 01c4 Peb: 7ffd9000 ParentCid: 05a0
DirBase: 0dd40320 ObjectTable: e1fd04b0 HandleCount: 34.
Image: cmd.exe
VadRoot 8605bbe8 Vads 61 Clone 0 Private 154. Modified 1. Locked 0.
DeviceMap e1e5c300
Token e10017c8
ElapsedTime 00:02:15.109
UserTime 00:00:00.031
KernelTime 00:00:00.000
QuotaPoolUsage[PagedPool] 60444
QuotaPoolUsage[NonPagedPool] 2440
Working Set Sizes (now,min,max) (710, 50, 345) (2840KB, 200KB, 1380KB)
PeakWorkingSetSize 713
VirtualSize 30 Mb
PeakVirtualSize 36 Mb
PageFaultCount 773
MemoryPriority BACKGROUND
BasePriority 8
CommitCharge 516
可见,改动后cmd.exe进程的token 值和system进程的Token值同样,在cmd.exe进程測试whoami查看结果:
此时cmd.exe执行whoami它已成为nt\system才干
版权声明:本文博主原创文章,博客,未经同意不得转载。
windbg更改cmd的token提升其特权的更多相关文章
- Python 更改cmd中的字色
没有gui的python程序是在cmd窗口中运行的,黑色背景,灰色的字,确实很复古,不符合现代人的使用习惯-同事在用我写的小工具时,清一色的字色,看起来会没有重点性,因此我就想通过更改cmd中的字色来 ...
- 更改cmd代码页,修正语言显示
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 rem 英文 chcp 437 rem 日文 chcp 932 rem 简体中文 chcp 936 re ...
- 更改cmd语言(chcp)
chcp 437 更改为英文 chcp 936 更改为简体中文 mode con cp select=437 mode con cp /status chcp cmd /c "chcp 43 ...
- 将CMD命令提示符的起始位置进行更改 / CMD起始位置发生改变后如何修改回来
具体步骤如下: 1.首先我们需要先找到命令提示符所在的文件目录.可以在开始运行程序中输入CMD,一般回自动搜索匹配. 2.右键点击命令提示符,在弹出菜单中,选择“打开文件位置”: 3.然后我们就可以进 ...
- 如何更改cmd 编码为UTF-8
如何将cmd编码改为UTF—8 如图输入chcp 65001即可更改 改完之后是这样的 更改回GBK 输入 CHCP 936即可
- windows 获取以及更改CMD控制台编码[转]
本文转自 http://blog.sina.com.cn/s/blog_794b1d96010136yy.html 命令 chcp 功能:显示或设置活动代码页编号 CHCP [nnn] nnn ...
- 更改CMD默认的初始路径
一直用CMD开启本地服务,每一次都得切换路径,有点尴尬.记录一下,修改CMD默认路径 1.打开注册表编辑器(WIN+R打开运行.输入regedit,或者直接找到路径,双击打开C:\Windows\re ...
- Win10更改CMD控制台的代码页和字体和字号
注意:936(简体中文)时,指定Consolas等英文字体将无效,会自动变为“新宋体”. 代码页:若是UTF8(65001)应改为:0000fde9 字号:000e0000 -> 12 cmd_ ...
- Windows下提升进程权限
windows的每个用户登录系统后,系统会产生一个访问令牌(access token) ,其中关联了当前用户的权限信息,用户登录后创建的每一个进程都含有用户access token的拷贝,当进程试图执 ...
随机推荐
- Codeforces325-B(二分搜索)
题目:B. Stadium and Games 分析:问题可以转化为下面的等式求解问题: 由于n在10^18范围内,所以k的范围是从0到63即可,这样就可以枚举k,二分m,然后所有符合条件的就是答案了 ...
- [Oracle] 常用工具集之 - SQL*Loader
SQL*Loader原理 SQL*Loader是Oracle提供的用于数据加载的一种工具,它比较适合业务分析类型数据库(数据仓库),能处理多种格式的平面文件,批量数据装载比传统的数据插入效率更高.其示 ...
- 魔棒工具--RegionGrow算法简介
原地址:http://www.cnblogs.com/easymind223/archive/2012/07/04/2576964.html ps里面的魔棒工具非常好用,是图像处理中非常常用的一个工具 ...
- php编码
原文:php编码 PHP 页面编码声明与用header或meta实现PHP页面编码的区别 php的header来定义一个php页面为utf编码或GBK编码 php页面为utf编码 header ...
- JavaScript 中的继承(读书笔记思维导图)
继承是 OO 语言中的一个最为人津津乐道的概念.许多 OO 语言都支持两种继承方式:接口继承和实现继承.接口继承只继承方法签名,而实现继承则继承实际的方法.由于函数没有签名,在 ECMAScript ...
- WebService的相关使用
近期公司项目使用WebService ,这里简单做个总结. 事实上详细使用细节有些情况下须要改,还须要看实际情况,须要与server联调,详细沟通. 比方公司连接,非要把envelope.dotNet ...
- Eclipse 未开始 【Ubuntu】
/usr/lib/eclipse/configuration/1408532831122.log : !SESSION 2014-08-20 19:07:11.055 ---------------- ...
- LVS+Keepalived实现高可用负载均衡(转)
LVS+Keepalived实现高可用负载均衡 一.原理 1.概要介绍 如果将TCP/IP划分为5层,则Keepalived就是一个类似于3~5层交换机制的软件,具 ...
- CSS selectors for Selenium with example,selenium IDE
CSS selectors for Selenium with example http://seleniumeasy.com/selenium-tutorials/css-selectors-tut ...
- WPF遮蔽层的实现
在一些项目中,难免会有耗时的加载,如果加载时没有提示,给人一种假死的感觉,很不友好,那么现在福利来啦,WPF版的模态窗体,先上效果图 实际效果指针是转动的,话不多说,一大批干货来袭 XMAL的代码 W ...