This article summarizes four methods of obtaining SYSTEM privileges in order to run regedit.exe;
the source code can easily be modified to run a program specified on the command line instead.
1. Run as a service
2. Add an ACL
3. Hook the ZwCreateProcessEx function
4. Remote thread method
I did not come up with these methods; I only summarized them and rewrote the code in Win32ASM.
See the references at the end of the article for more information. What follows is a brief analysis of each method.
1. Run as a service
When a program is run as a service, it is the system (the Service Control Manager, which itself runs as SYSTEM) that starts it,
so the specified program naturally inherits the privileges of the SYSTEM process, that is, SYSTEM privileges.
;@echo off
;goto make
;==========================================================================
; RMB 3 million
; http://zhongts.yeah.net
; zhongts@163.com
; 2005.1.15
;
; Run a program with SYSTEM privileges - GetSys1
;
; Uses the "run as a service" method
;
;==========================================================================
.386
.model flat, stdcall
option casemap:none
include c:\masm32\include\windows.inc
include c:\masm32\include\kernel32.inc
include c:\masm32\include\advapi32.inc
include c:\masm32\include\masm32.inc
includelib c:\masm32\lib\kernel32.lib
includelib c:\masm32\lib\advapi32.lib
includelib c:\masm32\lib\masm32.lib

_ReLaunch proto

; CTXT: store a zero-terminated string in .const and return its address
CTXT macro text:VARARG
    local lbl
    .const
        lbl db text,0
    .code
    exitm <offset lbl>
endm

.code
start proc
    LOCAL stStartupInfo:STARTUPINFO
    LOCAL procinfo:PROCESS_INFORMATION

    ; the mutex tells the second instance (started by the SCM) apart from the first
    invoke CreateMutex, NULL, TRUE, CTXT("getsys-mutex")
    invoke GetLastError
    .if eax == ERROR_ALREADY_EXISTS
        ; second instance: already running as SYSTEM, so launch the target program
        invoke RtlZeroMemory, addr stStartupInfo, sizeof stStartupInfo
        mov stStartupInfo.cb, sizeof stStartupInfo
        invoke CreateProcess, 0, CTXT("regedit.exe"), 0, 0, 0, 0, 0, 0, \
                              addr stStartupInfo, addr procinfo
        invoke CloseHandle, procinfo.hProcess
        invoke CloseHandle, procinfo.hThread
    .else
        ; first instance: register this executable as a service and start it
        invoke _ReLaunch
    .endif
    invoke ExitProcess, NULL
start endp

_ReLaunch proc
    LOCAL hSCManager
    LOCAL hService
    LOCAL szName[MAX_PATH]:byte

    invoke OpenSCManager, NULL, NULL, SC_MANAGER_CREATE_SERVICE
    .if eax != 0
        mov hSCManager, eax
        ; remove a leftover service of the same name from an earlier run
        invoke OpenService, hSCManager, CTXT("GetSys1Temp"), DELETE
        .if eax != 0
            push eax                    ; saved handle, consumed by CloseServiceHandle below
            invoke DeleteService, eax
            call CloseServiceHandle
        .endif
        ; the service binary is this very executable
        invoke GetModuleFileName, NULL, addr szName, MAX_PATH
        invoke CreateService, hSCManager, CTXT("GetSys1Temp"), CTXT("GetSys1 Temp Service"), \
                              SERVICE_START + SERVICE_QUERY_STATUS + DELETE, \
                              SERVICE_WIN32_OWN_PROCESS + SERVICE_INTERACTIVE_PROCESS, SERVICE_DEMAND_START, \
                              SERVICE_ERROR_IGNORE, addr szName, NULL, NULL, NULL, NULL, NULL
        .if eax != 0
            mov hService, eax
            invoke StartService, hService, 0, NULL
            ; mark the service for deletion right away; it disappears once its handles close
            invoke DeleteService, hService
            invoke CloseServiceHandle, hService
        .endif
        invoke CloseServiceHandle, hSCManager
    .endif
    ret
_ReLaunch endp
end start

:make
set path=%path%;c:\masm32\bin
set appname=GetSys1
ml /nologo /c /coff %appname%.bat
link /nologo /subsystem:windows %appname%.obj
del %appname%.obj
echo.
pause
When GetSys1 is first run (call this process A), it creates a mutex
and then restarts itself as a service.
The re-launched process (call it B) already has SYSTEM privileges.
B then runs regedit.exe through the CreateProcess function;
because B has SYSTEM privileges, regedit.exe inherits them from B.
Once regedit.exe has been started, B exits,
Then the StartService function in
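The sequence described above (create a temporary service, start it, delete it straight away) is also the trace a defender can look for. The following is an added example, not code from the article: it correlates service-installed and service-deleted records and flags LocalSystem services that live only seconds. The record fields (`time`, `event`, `name`, `image`, `account`, `interactive`), the sample events and the `SYSTEM_DIRS` list are assumptions.

```python
"""Detection for the trace the service method leaves: a service registered
under LocalSystem from a non-system path and deleted again within seconds
(GetSys1 creates GetSys1Temp, starts it and deletes it straight away).
Added example, not the article's code; the record layout is an assumed
simplification of a log source's service-installed / service-deleted events."""
from datetime import datetime, timedelta

SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\")  # assumed trusted image locations

# Constructed sample events, not real log data.
SAMPLE_EVENTS = [
    {"time": "2005-01-15 10:00:00", "event": "service_installed", "name": "GetSys1Temp",
     "image": "C:\\Temp\\GetSys1.bat", "account": "LocalSystem", "interactive": True},
    {"time": "2005-01-15 10:00:01", "event": "service_deleted", "name": "GetSys1Temp"},
    {"time": "2005-01-15 10:05:00", "event": "service_installed", "name": "Spooler",
     "image": "C:\\WINDOWS\\system32\\spoolsv.exe", "account": "LocalSystem", "interactive": False},
    {"time": "2005-01-15 11:00:00", "event": "service_deleted", "name": "Spooler"},
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def find_transient_system_services(events, window=timedelta(seconds=30)):
    """Return (name, image, lifetime_seconds, reasons) for each LocalSystem
    service whose installation is followed by its deletion within `window`."""
    pending = {}  # service name -> install record, until its deletion arrives
    hits = []
    for ev in sorted(events, key=lambda e: _ts(e["time"])):
        if ev["event"] == "service_installed":
            pending[ev["name"]] = ev
            continue
        if ev["event"] != "service_deleted":
            continue
        inst = pending.pop(ev["name"], None)
        if inst is None or inst["account"] != "LocalSystem":
            continue
        lifetime = _ts(ev["time"]) - _ts(inst["time"])
        if lifetime > window:
            continue
        reasons = ["short-lived LocalSystem service"]
        if not inst["image"].lower().startswith(SYSTEM_DIRS):
            reasons.append("image outside system directories")
        if inst.get("interactive"):  # SERVICE_INTERACTIVE_PROCESS, as GetSys1 sets
            reasons.append("interactive service")
        hits.append((inst["name"], inst["image"], lifetime.total_seconds(), reasons))
    return hits
```

Run over the constructed events, only GetSys1Temp is reported; the Spooler entry lives far longer than the window and is ignored.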