Do I need to adjust token privileges in order to successfully call CreateRemoteThread?

Question

I'm developing a debugging facility for my application to help me diagnose deadlocks. The application runs on my client's machines and so I expect a wide range of operating systems, security policies etc.

The technique I am using is to implement a function in the target application which generates stack traces for all threads, together with other diagnostics information. This is then written to a memory mapped file. I am also creating a utility application that is used to trigger the creation of the diagnostics report, and then read it from the memory mapped file.

Because the target application is expected to be dead, the utility program can't send it a message to trigger the diagnostics collection. Instead I am using CreateRemoteThread so that I can be sure to get a live thread to do the work.

Note that this is different from DLL injection methods which typically use LoadLibrary as the thread proc for CreateRemoteThread. My thread proc is an entry point in the target application. So, I don't need to call WriteProcessMemory.

I've implemented this and in my test environments it works well. According to the documentation of CreateRemoteThread, I need a process handle with the following access rights:

PROCESS_CREATE_THREAD
PROCESS_QUERY_INFORMATION
PROCESS_VM_OPERATION
PROCESS_VM_WRITE
PROCESS_VM_READ

So, I passed those flags when calling OpenProcess.

Now, at last, to my question: what privileges do I need my token to have in order for the call to OpenProcess to succeed?

In my test environment (Windows 7, UAC enabled, admin user), I have encountered no problems with just a default token. I have seen various sample code that acquires the SE_DEBUG_NAME privilege before calling OpenProcess. My guess is that is needed for WriteProcessMemory when doing DLL injection and that I don't need that privilege. Are there scenarios where I would need to adjust my token's privileges?

I know precisely nothing about Windows security so I would really appreciate wise words from anyone that does!

Recommended answer

Ordinarily, if the target process is running in the same context (i.e., as the same user) as the debugger, no privileges are required for either OpenProcess or CreateRemoteThread.

If the target process is running as a different user, or if the process permissions have been modified, you might need to enable SE_DEBUG_NAME before calling OpenProcess. This privilege allows you to open any process, bypassing the security permissions assigned to the process. (This is analogous to the way that the backup/restore privileges allow you to bypass the security permissions on files and directories.)

Some applications modify their own process permissions so that, e.g., the user can't use Task Manager to kill the process. In this case, it's your own code, so that won't be a problem. It is possible in principle for some other software (anti-virus software, for example) to modify the permissions on your process, but I've never heard of it happening, so you probably don't need to worry about enabling SE_DEBUG_NAME.