CreateRemoteThread() in another user's process


Question



Hi,

I am trying to call CreateRemoteThread() within a process running as a different logged-on user, i.e. within a different session. I understand that this is not strictly 'allowed' but I'm sure there is a way to do it.

The following is the gist of the code (I'm using Python with ctypes but the API calls are still the same). Basically I am assigning debug privs to the calling code, allocating some memory space within the process, copying across some code to be run in the context of the process and then calling the code - it works fine for processes within my session but I would like it to work with processes in another logged-on user's session. This code is run as local admin.


#Get a handle to the current process's access token
advapi32.OpenProcessToken(kernel.GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, byref(h_token))

#Assign debug rights (needed for other things within the code)
if advapi32.LookupPrivilegeValueA(0, priv, byref(luid)):
    token_state.PrivilegeCount = 1
    token_state.Privileges[0].Luid = luid
    token_state.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED

    advapi32.AdjustTokenPrivileges(h_token, 0, byref(token_state), 0, 0, 0)


#Open the process - PID is user supplied
h_process = kernel.OpenProcess(PROCESS_ALL_ACCESS, False, int(pid))


#Allocate some memory within the process
address = kernel.VirtualAllocEx(h_process, 0, code_size, VIRTUAL_MEM, PAGE_EXECUTE_READWRITE)


#Write the code into the memory space allocated above
mem = c_size_t(0)   # bytes written; SIZE_T-sized so WriteProcessMemory does not overrun it on 64-bit
kernel.WriteProcessMemory(h_process, address, customcode, code_size, byref(mem))


Everything above here works fine with any process on the system regardless of which user owns the process, but the following only works for processes running in my (admin's) session:


# Create the remote thread and point the entry point at the custom code
thread = c_ulong(0)
kernel.CreateRemoteThread(h_process, None, 0, address, None, 0, byref(thread))


Is it possible to impersonate a user that is logged on and use their token at all? If so, how? This is all run by someone with admin rights.

Thanks for any help.
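The behaviour the question reports matches what the CreateRemoteThread documentation states: Terminal Services isolates each session by design, so the call fails when the target process is in a different session than the caller. Whether or not the cross-session call goes through, the sequence shown above (SeDebugPrivilege, OpenProcess, VirtualAllocEx, WriteProcessMemory, then CreateRemoteThread with the entry point inside the freshly allocated buffer) has a characteristic footprint: the new thread starts at an address in private memory that no loaded module backs. Sysmon's Event ID 8 (CreateRemoteThread) records the source and target images and the new thread's StartAddress, and renders StartModule and StartFunction as "-" when the start address is not inside a loaded image. The triage script below is an added example, not code from the question or the answer. The two event records are constructed for illustration (the paths, PIDs, GUIDs, thread IDs and addresses are made up), and EXPECTED_SOURCES is a hypothetical allow-list used only to show the secondary check, not a recommended baseline.

```python
"""Triage Sysmon Event ID 8 (CreateRemoteThread) records for injected threads.

Added example. A thread created the way the question does it starts inside a
VirtualAllocEx'd private region, so Sysmon cannot map its StartAddress to a
loaded module and renders StartModule/StartFunction as "-". That is the signal.
"""
from typing import Dict, List

# Two constructed Event ID 8 records in Sysmon's rendered "Key: Value" form.
# Paths, PIDs, GUIDs, thread IDs and addresses are made up for this example.
SAMPLE_EVENTS: List[str] = [
    r"""CreateRemoteThread detected:
RuleName: -
UtcTime: 2024-03-01 10:15:22.123
SourceProcessGuid: {3a2b6e55-1c3f-65e1-2b01-000000000a00}
SourceProcessId: 4120
SourceImage: C:\Users\admin\AppData\Local\Programs\Python\Python311\python.exe
TargetProcessGuid: {3a2b6e55-0d91-65e1-1a01-000000000a00}
TargetProcessId: 2880
TargetImage: C:\Windows\System32\notepad.exe
NewThreadId: 5624
StartAddress: 0x000001F2A8C20000
StartModule: -
StartFunction: -""",
    r"""CreateRemoteThread detected:
RuleName: -
UtcTime: 2024-03-01 10:16:05.481
SourceProcessGuid: {3a2b6e55-0001-65e1-0c00-000000000a00}
SourceProcessId: 624
SourceImage: C:\Windows\System32\csrss.exe
TargetProcessGuid: {3a2b6e55-0d91-65e1-1a01-000000000a00}
TargetProcessId: 2880
TargetImage: C:\Windows\System32\notepad.exe
NewThreadId: 5700
StartAddress: 0x00007FFB1C8E2A10
StartModule: C:\Windows\System32\kernel32.dll
StartFunction: CtrlRoutine""",
]

# Hypothetical allow-list of source images that routinely start threads in other
# processes (csrss.exe starts kernel32!CtrlRoutine for Ctrl+C). Build the real
# one from your own telemetry; this is an example assumption, not a baseline.
EXPECTED_SOURCES = {r"c:\windows\system32\csrss.exe"}


def parse_event(text: str) -> Dict[str, str]:
    """Split a rendered event body (title line, then "Key: Value" lines) into a dict."""
    fields: Dict[str, str] = {}
    for line in text.splitlines()[1:]:
        key, sep, value = line.partition(": ")   # split on the first ": " only
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def triage(fields: Dict[str, str]) -> Dict[str, object]:
    """Score one Event ID 8 record and explain the score."""
    reasons: List[str] = []
    start_module = fields.get("StartModule", "-")
    source = fields.get("SourceImage", "")

    # Primary signal: the entry point is not inside any loaded module, which is
    # exactly what VirtualAllocEx + WriteProcessMemory + CreateRemoteThread gives.
    if start_module == "-":
        reasons.append("start address %s is not backed by a loaded module"
                       % fields.get("StartAddress", "?"))

    # Secondary signal: a source that does not normally create remote threads.
    if source.lower() not in EXPECTED_SOURCES:
        reasons.append("unexpected source image %s" % source)

    if start_module == "-":
        verdict = "high"      # unbacked entry point: treat as injection
    elif reasons:
        verdict = "review"    # module-backed, but from an unexpected source
    else:
        verdict = "info"      # known source, module-backed entry point

    return {
        "verdict": verdict,
        "reasons": reasons,
        "source": source,
        "source_pid": fields.get("SourceProcessId"),
        "target": fields.get("TargetImage"),
        "target_pid": fields.get("TargetProcessId"),
    }


def triage_events(texts: List[str]) -> List[Dict[str, object]]:
    """Parse and score a batch of rendered events in input order."""
    return [triage(parse_event(t)) for t in texts]


if __name__ == "__main__":
    for r in triage_events(SAMPLE_EVENTS):
        print("[%s] %s (pid %s) -> %s (pid %s): %s" % (
            r["verdict"], r["source"], r["source_pid"], r["target"],
            r["target_pid"], "; ".join(r["reasons"]) or "no findings"))
```

Event ID 8 carries no session identifier, so the cross-session case the question asks about is not visible from this event on its own. To see whether the two sides of a CreateRemoteThread sit in different sessions, join SourceProcessId and TargetProcessId against the Sysmon Event ID 1 (process creation) records for both processes, which include TerminalSessionId and LogonId.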

Answer

For the love of all that is holy, stop doing this stuff. CreateRemoteThread is not safe for injecting arbitrary code into other processes and executing it. It has side effects. It can crash things, even if you are doing everything 'right' (which, by the way, is spectacularly hard to do). There may be something different about their process layout you didn't expect. It turns single-threaded applications into multi-threaded ones. Depending on what sort of buffoonery you're attempting, you might deadlock the process.

