
Impersonate SYSTEM (or equivalent) from Administrator Account

This question is a follow-up and continuation of this question about a privilege problem I'm dealing with currently.



Problem Summary:
I'm running a program under a Domain Administrator account that does not have the Debug programs (SeDebugPrivilege) privilege, but I need it on the local machine.


Kludgy Solution:
The program can install itself as a service on the local machine and start the service. Said service now runs under the SYSTEM account, which enables us to use our SeTcbPrivilege privilege to create a new access token which does have SeDebugPrivilege. We can then use the newly created token to re-launch the initial program with the elevated rights.


I personally do not like this solution. I feel it should be possible to acquire the necessary privileges as an Administrator without having to make system modifications such as installing a service (even if it is only temporary).

I am hoping that there is a solution that minimizes system modifications and can preferably be done on the fly (i.e., not require restarting itself). I have unsuccessfully tried to LogonUser as SYSTEM and tried to OpenProcessToken on a known SYSTEM process (such as csrss.exe) (which fails, because you cannot OpenProcess with PROCESS_QUERY_INFORMATION to get a handle to the process without the privileges I'm trying to acquire).

I'm just at my wit's end trying to come up with an alternative solution to this problem. I was hoping there was an easy way to grab a privileged token on the host machine and impersonate it for this program, but I haven't found a way.

If anyone knows of a way around this, or even has suggestions on things that might work, please let me know. I really appreciate the help, thanks!

Answer:
By design, no process is allowed to achieve NT AUTHORITY\SYSTEM rights unless it is started by another process with NT AUTHORITY\SYSTEM rights. The service is a workaround because the Service Control Manager itself is started by the kernel at system start.

Unfortunately, the operating system is designed to prevent exactly what you're trying to do. If you want to be able to remove your service afterwards, simply grant the user in question SeDebugPrivilege for the local machine and then have the service uninstall itself.

Better yet, have the program whose memory is to be modified change DACLs to allow your administrator access to its memory without SeDebugPrivilege. Then you don't need to take privilege at all.

EDIT2: And even better yet, just use shared memory in the first place. That's what it's for.
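The "grant the user SeDebugPrivilege for the local machine" route in the answer is a user-rights assignment in the local security policy. The script below is an added example, not code from the question or the answer: it exports the policy with the built-in secedit tool, lists who currently holds the right, adds an account to it, and checks whether the running process token carries the privilege. It assumes an elevated PowerShell session on the local machine and uses the placeholder account name CONTOSO\adm-placeholder.

```powershell
# Added example (not from the original question or answer): audit and grant a
# user right such as SeDebugPrivilege through the local security policy.
# Account name used at the bottom is a placeholder.

function Export-UserRights {
    # Export only the [Privilege Rights] area of the local policy to an .inf file.
    param([string] $Path)
    $null = secedit /export /cfg $Path /areas USER_RIGHTS
    if ($LASTEXITCODE -ne 0) { throw "secedit export failed ($LASTEXITCODE)" }
    return $Path
}

function Get-UserRightHolders {
    # Return the accounts assigned to one privilege, resolving '*S-1-5-...' to names.
    param([string] $Privilege, [string] $InfPath)
    $line = Get-Content $InfPath | Where-Object { $_ -match "^$Privilege\s*=" } | Select-Object -First 1
    if (-not $line) { return @() }
    $entries = ($line -split '=', 2)[1].Trim() -split ','
    foreach ($e in $entries) {
        $e = $e.Trim()
        if ($e.StartsWith('*')) {
            try {
                $sid = New-Object System.Security.Principal.SecurityIdentifier($e.Substring(1))
                $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch { $e }   # unresolvable SID: show it raw
        } else { $e }
    }
}

function Grant-UserRight {
    # Add an account to a privilege in the exported .inf and apply it with secedit.
    # The new right appears only in tokens built at a NEW logon; a domain GPO that
    # defines the same right overwrites this local setting at the next refresh.
    param([string] $Privilege, [string] $Account, [string] $InfPath)
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value
    $lines = @(Get-Content $InfPath)
    $i = [array]::FindIndex($lines, [Predicate[string]]{ param($l) $l -match "^$Privilege\s*=" })
    if ($i -ge 0) {
        if ($lines[$i] -notmatch [regex]::Escape("*$sid")) {
            $lines[$i] = $lines[$i].TrimEnd() + ",*$sid"
        }
    } else {
        # No line for this privilege yet: add one right under [Privilege Rights].
        $h = [array]::FindIndex($lines, [Predicate[string]]{ param($l) $l -match '^\[Privilege Rights\]' })
        $lines = $lines[0..$h] + "$Privilege = *$sid" + @($lines | Select-Object -Skip ($h + 1))
    }
    Set-Content -Path $InfPath -Value $lines -Encoding Unicode   # secedit expects UTF-16 .inf
    $db = [System.IO.Path]::ChangeExtension($InfPath, '.sdb')
    $null = secedit /configure /db $db /cfg $InfPath /areas USER_RIGHTS
    if ($LASTEXITCODE -ne 0) { throw "secedit configure failed ($LASTEXITCODE)" }
}

function Test-CurrentTokenPrivilege {
    # True if the privilege is present in the current process token (enabled or disabled);
    # whoami /priv omits privileges the token does not hold at all.
    param([string] $Privilege)
    return [bool]((whoami /priv) -match "^\s*$Privilege\b")
}

# Usage (elevated session):
$inf = Export-UserRights -Path (Join-Path $env:TEMP 'userrights.inf')
"Holders of SeDebugPrivilege before:"
Get-UserRightHolders -Privilege SeDebugPrivilege -InfPath $inf
Grant-UserRight -Privilege SeDebugPrivilege -Account 'CONTOSO\adm-placeholder' -InfPath $inf
"Current token has SeDebugPrivilege: $(Test-CurrentTokenPrivilege SeDebugPrivilege)"
```

Two things the script makes visible that matter for the question: user rights are stamped into the access token at logon, so the process asking for the privilege cannot pick it up "on the fly" and must be started from a fresh logon session after the change; and if "Debug programs" is defined by a domain GPO, the local entry is replaced at the next policy refresh, which is a plausible reason a domain administrator is missing the right on this machine in the first place. Auditing the holders of SeDebugPrivilege before and after is the check a defender wants, since that right lets its holder open any process on the host.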


