Impersonate SYSTEM (or equivalent) from Administrator Account


Question


This question is a follow-up and continuation of this question about a Privilege problem I'm dealing with currently.






Problem Summary:
I'm running a program under a Domain Administrator account that does not have Debug programs (SeDebugPrivilege) privilege, but I need it on the local machine.




Klugey Solution:
The program can install itself as a service on the local machine, and start the service. Said service now runs under the SYSTEM account, which enables us to use our SeTCBPrivilege privilege to create a new access token which does have SeDebugPrivilege. We can then use the newly created token to re-launch the initial program with the elevated rights.




I personally do not like this solution. I feel it should be possible to acquire the necessary privileges as an Administrator without having to make system modifications such as installing a service (even if it is only temporary).


I am hoping that there is a solution that minimizes system modifications and can preferably be done on the fly (i.e., not require restarting itself). I have unsuccessfully tried to LogonUser as SYSTEM and tried to OpenProcessToken on a known SYSTEM process (such as csrss.exe) (which fails, because you cannot OpenProcess with PROCESS_QUERY_INFORMATION to get a handle to the process without the privileges I'm trying to acquire).


I'm just at my wit's end trying to come up with an alternative solution to this problem. I was hoping there was an easy way to grab a privileged token on the host machine and impersonate it for this program, but I haven't found a way.






If anyone knows of a way around this, or even has suggestions on things that might work, please let me know. I really appreciate the help, thanks!

Answer


By design, no process is allowed to achieve NT AUTHORITY\SYSTEM rights, unless it is started by another process with NT AUTHORITY\SYSTEM rights. The service is a workaround because the Service Control Manager itself is started by the Kernel at system start.


Unfortunately, the operating system is designed to prevent exactly what you're trying to do. If you want to be able to remove your service afterwards, simply grant the user in question SeDebugPrivilege for the local machine and then have the service uninstall itself.


Better yet, have the program whose memory is to be modified change DACLs to allow your administrator access to its memory without SeDebugPrivilege. Then you don't need to take privilege at all.


And even better yet, just use shared memory in the first place. That's what it's for.
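The answer's last two suggestions in working form, as an added example that is not part of the original question or answer: instead of either side needing SeDebugPrivilege, the cooperating program creates a named shared-memory section and sets its DACL explicitly at creation time, so access is decided by the object's ACL rather than by token privileges. The section name and payload are constructed for the demo; it assumes Windows PowerShell 5.1 (.NET Framework), since the MemoryMappedFileSecurity overloads are not available in PowerShell 7.

```powershell
# Added example (not from the original answer): a named shared-memory section
# with an explicit DACL, so a cooperating administrator process can exchange
# data with this one without either side holding SeDebugPrivilege.
# Windows PowerShell 5.1 / .NET Framework only. Section name and payload are constructed.
Add-Type -AssemblyName System.Core
$mapName  = 'Local\DemoSharedSection'   # Local\ keeps the object inside this logon session
$capacity = 4096

# Build the DACL from scratch: only the current user and BUILTIN\Administrators get ReadWrite.
$sec    = New-Object System.IO.MemoryMappedFiles.MemoryMappedFileSecurity
$me     = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
$admins = New-Object System.Security.Principal.SecurityIdentifier(
    [System.Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid, $null)
foreach ($sid in @($me, $admins)) {
    $sec.AddAccessRule((New-Object System.IO.MemoryMappedFiles.MemoryMappedFileAccessRule(
        $sid,
        [System.IO.MemoryMappedFiles.MemoryMappedFileRights]::ReadWrite,
        [System.Security.AccessControl.AccessControlType]::Allow)))
}

# Producer side: create the section with that DACL and write a length-prefixed message.
$mmf = [System.IO.MemoryMappedFiles.MemoryMappedFile]::CreateNew(
    $mapName, $capacity,
    [System.IO.MemoryMappedFiles.MemoryMappedFileAccess]::ReadWrite,
    [System.IO.MemoryMappedFiles.MemoryMappedFileOptions]::None,
    $sec,
    [System.IO.HandleInheritability]::None)
$view  = $mmf.CreateViewAccessor(0, $capacity)
$bytes = [System.Text.Encoding]::UTF8.GetBytes('constructed payload from producer')
$view.Write(0, [int]$bytes.Length)              # 4-byte length prefix at offset 0
$view.WriteArray(4, $bytes, 0, $bytes.Length)   # payload follows the prefix

# Show the effective ACEs: access is governed by these, not by token privileges.
$mmf.GetAccessControl().GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
    Format-Table IdentityReference, Rights, AccessControlType -AutoSize

# Consumer side (normally a second process running as one of the listed identities):
# open the section read-only by name and read the message back.
$peer = [System.IO.MemoryMappedFiles.MemoryMappedFile]::OpenExisting(
    $mapName, [System.IO.MemoryMappedFiles.MemoryMappedFileRights]::Read)
$rv   = $peer.CreateViewAccessor(0, $capacity,
    [System.IO.MemoryMappedFiles.MemoryMappedFileAccess]::Read)
$len  = $rv.ReadInt32(0)
$buf  = New-Object byte[] $len
[void]$rv.ReadArray(4, $buf, 0, $len)
"Consumer read: $([System.Text.Encoding]::UTF8.GetString($buf))"

$rv.Dispose(); $peer.Dispose(); $view.Dispose(); $mmf.Dispose()
```

A process running as an identity outside the two ACEs gets an access-denied error on OpenExisting, which is exactly the check the answer is recommending in place of privilege acquisition.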
