Use WinDbg to kernel-debug a Windows XP target.
Run cmd.exe on the target and check the current account with whoami; the output is as follows:
The next step is to replace the token of this cmd.exe process with the token of the System process.
1. Press Ctrl+Break in WinDbg to break into the debugger, then run !process 0 0 to list every process on the XP target. The output is as follows:
kd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
PROCESS 865b7830  SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    DirBase: 00343000  ObjectTable: e1000c98  HandleCount: 284.
    Image: System

PROCESS 8609d1a8  SessionId: none  Cid: 0218    Peb: 7ffde000  ParentCid: 0004
    DirBase: 0dd40020  ObjectTable: e13c8760  HandleCount:  19.
    Image: smss.exe

PROCESS 8650d020  SessionId: 0  Cid: 0260    Peb: 7ffd5000  ParentCid: 0218
    DirBase: 0dd40040  ObjectTable: e162f868  HandleCount: 398.
    Image: csrss.exe

PROCESS 8650cc98  SessionId: 0  Cid: 0278    Peb: 7ffd7000  ParentCid: 0218
    DirBase: 0dd40060  ObjectTable: e160f820  HandleCount: 457.
    Image: winlogon.exe

PROCESS 86264aa0  SessionId: 0  Cid: 02a4    Peb: 7ffde000  ParentCid: 0278
    DirBase: 0dd40080  ObjectTable: e186d3e8  HandleCount: 267.
    Image: services.exe

PROCESS 86086a28  SessionId: 0  Cid: 02b0    Peb: 7ffdb000  ParentCid: 0278
    DirBase: 0dd400a0  ObjectTable: e17fc6b0  HandleCount: 340.
    Image: lsass.exe

PROCESS 85fdbda0  SessionId: 0  Cid: 0350    Peb: 7ffde000  ParentCid: 02a4
    DirBase: 0dd400c0  ObjectTable: e186dcd8  HandleCount:  25.
    Image: vmacthlp.exe

PROCESS 8622fc38  SessionId: 0  Cid: 0360    Peb: 7ffd8000  ParentCid: 02a4
    DirBase: 0dd400e0  ObjectTable: e199c948  HandleCount: 231.
    Image: svchost.exe

PROCESS 864ba978  SessionId: 0  Cid: 03b0    Peb: 7ffd8000  ParentCid: 02a4
    DirBase: 0dd40100  ObjectTable: e1966278  HandleCount: 237.
    Image: svchost.exe

PROCESS 8607eda0  SessionId: 0  Cid: 040c    Peb: 7ffdf000  ParentCid: 02a4
    DirBase: 0dd40120  ObjectTable: e1c067a8  HandleCount: 1384.
    Image: svchost.exe

PROCESS 864b7560  SessionId: 0  Cid: 0448    Peb: 7ffdc000  ParentCid: 02a4
    DirBase: 0dd40140  ObjectTable: e19e2688  HandleCount:  65.
    Image: svchost.exe

PROCESS 85fe5558  SessionId: 0  Cid: 0498    Peb: 7ffdf000  ParentCid: 02a4
    DirBase: 0dd40160  ObjectTable: e13796e0  HandleCount: 223.
    Image: svchost.exe

PROCESS 85fe77e8  SessionId: 0  Cid: 0560    Peb: 7ffde000  ParentCid: 02a4
    DirBase: 0dd401a0  ObjectTable: e1c10610  HandleCount: 131.
    Image: spoolsv.exe

PROCESS 85ff0da0  SessionId: 0  Cid: 0668    Peb: 7ffd9000  ParentCid: 02a4
    DirBase: 0dd401c0  ObjectTable: e20bc5a0  HandleCount: 292.
    Image: vmtoolsd.exe

PROCESS 8623a650  SessionId: 0  Cid: 0798    Peb: 7ffde000  ParentCid: 02a4
    DirBase: 0dd40220  ObjectTable: e1fece98  HandleCount:  99.
    Image: TPAutoConnSvc.exe

PROCESS 863c5658  SessionId: 0  Cid: 00d4    Peb: 7ffdc000  ParentCid: 02a4
    DirBase: 0dd40260  ObjectTable: e1e2c7a8  HandleCount: 102.
    Image: alg.exe

PROCESS 864b6020  SessionId: 0  Cid: 0238    Peb: 7ffdb000  ParentCid: 02a4
    DirBase: 0dd40280  ObjectTable: e1c680a8  HandleCount:  92.
    Image: svchost.exe

PROCESS 86061da0  SessionId: 0  Cid: 05c8    Peb: 7ffd4000  ParentCid: 040c
    DirBase: 0dd40240  ObjectTable: e1deae48  HandleCount:  35.
    Image: wscntfy.exe

PROCESS 860541d0  SessionId: 0  Cid: 05a0    Peb: 7ffdd000  ParentCid: 071c
    DirBase: 0dd40200  ObjectTable: e214c838  HandleCount: 418.
    Image: explorer.exe

PROCESS 863d94b0  SessionId: 0  Cid: 070c    Peb: 7ffdf000  ParentCid: 0798
    DirBase: 0dd402a0  ObjectTable: e214ce98  HandleCount:  67.
    Image: TPAutoConnect.exe

PROCESS 863e69a0  SessionId: 0  Cid: 02f8    Peb: 7ffdb000  ParentCid: 05a0
    DirBase: 0dd402c0  ObjectTable: e1683fb8  HandleCount: 226.
    Image: vmtoolsd.exe

PROCESS 86012310  SessionId: 0  Cid: 06b8    Peb: 7ffd8000  ParentCid: 05a0
    DirBase: 0dd402e0  ObjectTable: e1d22848  HandleCount:  69.
    Image: ctfmon.exe

PROCESS 864ef228  SessionId: 0  Cid: 0200    Peb: 7ffd6000  ParentCid: 02a4
    DirBase: 0dd40180  ObjectTable: e1df5458  HandleCount: 118.
    Image: imapi.exe

PROCESS 863d85d0  SessionId: 0  Cid: 01b8    Peb: 7ffd8000  ParentCid: 05a0
    DirBase: 0dd40300  ObjectTable: e1f02670  HandleCount:  80.
    Image: taskmgr.exe

PROCESS 8623bc10  SessionId: 0  Cid: 01c4    Peb: 7ffd9000  ParentCid: 05a0
    DirBase: 0dd40320  ObjectTable: e1fd04b0  HandleCount:  34.
    Image: cmd.exe

PROCESS 85fe1788  SessionId: 0  Cid: 01a4    Peb: 7ffd3000  ParentCid: 01c4
    DirBase: 0dd40340  ObjectTable: e1dc3260  HandleCount:  36.
    Image: conime.exe
2. Run !process 0 1 cmd.exe to view the details of the cmd.exe process:
kd> !process 0 1 cmd.exe
PROCESS 8623bc10  SessionId: 0  Cid: 01c4    Peb: 7ffd9000  ParentCid: 05a0
    DirBase: 0dd40320  ObjectTable: e1fd04b0  HandleCount:  34.
    Image: cmd.exe
    VadRoot 8605bbe8 Vads, Clone 0 Private 154. Modified 1. Locked 0.
    DeviceMap e1e5c300
    Token                             e1653d48
    ElapsedTime                       00:02:15.109
    UserTime                          00:00:00.031
    KernelTime                        00:00:00.000
    QuotaPoolUsage[PagedPool]         60444
    QuotaPoolUsage[NonPagedPool]      2440
    Working Set Sizes (now,min,max)  (710, 345) (2840KB, 200KB, 1380KB)
    PeakWorkingSetSize                713
    VirtualSize                       Mb
    PeakVirtualSize                   * Mb
    PageFaultCount                    773
    MemoryPriority                    BACKGROUND
    BasePriority                      8
    CommitCharge                      516
The _EPROCESS address of the cmd.exe process is 8623bc10.
Run dt _eprocess to display the layout of the _EPROCESS structure:
kd> dt _eprocess
ntdll!_EPROCESS
   +0x000 Pcb              : _KPROCESS
   +0x06c ProcessLock      : _EX_PUSH_LOCK
   +0x070 CreateTime       : _LARGE_INTEGER
   +0x078 ExitTime         : _LARGE_INTEGER
   +0x080 RundownProtect   : _EX_RUNDOWN_REF
   +0x084 UniqueProcessId  : Ptr32 Void
   +0x088 ActiveProcessLinks : _LIST_ENTRY
   +0x090 QuotaUsage       : [3] Uint4B
   +0x09c QuotaPeak        : [3] Uint4B
   +0x0a8 CommitCharge     : Uint4B
   +0x0ac PeakVirtualSize  : Uint4B
   +0x0b0 VirtualSize      : Uint4B
   +0x0b4 SessionProcessLinks : _LIST_ENTRY
   +0x0bc DebugPort        : Ptr32 Void
   +0x0c0 ExceptionPort    : Ptr32 Void
   +0x0c4 ObjectTable      : Ptr32 _HANDLE_TABLE
   +0x0c8 Token            : _EX_FAST_REF
   +0x0cc WorkingSetLock   : _FAST_MUTEX
   +0x0ec WorkingSetPage   : Uint4B
   +0x0f0 AddressCreationLock : _FAST_MUTEX
   +0x110 HyperSpaceLock   : Uint4B
   +0x114 ForkInProgress   : Ptr32 _ETHREAD
   +0x118 HardwareTrigger  : Uint4B
   +0x11c VadRoot          : Ptr32 Void
   +0x120 VadHint          : Ptr32 Void
   +0x124 CloneRoot        : Ptr32 Void
   +0x128 NumberOfPrivatePages : Uint4B
   +0x12c NumberOfLockedPages : Uint4B
   +0x130 Win32Process     : Ptr32 Void
   +0x134 Job              : Ptr32 _EJOB
   +0x138 SectionObject    : Ptr32 Void
   +0x13c SectionBaseAddress : Ptr32 Void
   +0x140 QuotaBlock       : Ptr32 _EPROCESS_QUOTA_BLOCK
   +0x144 WorkingSetWatch  : Ptr32 _PAGEFAULT_HISTORY
   +0x148 Win32WindowStation : Ptr32 Void
   +0x14c InheritedFromUniqueProcessId : Ptr32 Void
   +0x150 LdtInformation   : Ptr32 Void
   +0x154 VadFreeHint      : Ptr32 Void
   +0x158 VdmObjects       : Ptr32 Void
   +0x15c DeviceMap        : Ptr32 Void
   +0x160 PhysicalVadList  : _LIST_ENTRY
   +0x168 PageDirectoryPte : _HARDWARE_PTE_X86
   +0x168 Filler           : Uint8B
   +0x170 Session          : Ptr32 Void
   +0x174 ImageFileName    : [+] UChar
   +0x184 JobLinks         : _LIST_ENTRY
   +0x18c LockedPagesList  : Ptr32 Void
   +0x190 ThreadListHead   : _LIST_ENTRY
   +0x198 SecurityPort     : Ptr32 Void
   +0x19c PaeTop           : Ptr32 Void
   +0x1a0 ActiveThreads    : Uint4B
   +0x1a4 GrantedAccess    : Uint4B
   +0x1a8 DefaultHardErrorProcessing : Uint4B
   +0x1ac LastThreadExitStatus : Int4B
   +0x1b0 Peb              : Ptr32 _PEB
   +0x1b4 PrefetchTrace    : _EX_FAST_REF
   +0x1b8 ReadOperationCount : _LARGE_INTEGER
   +0x1c0 WriteOperationCount : _LARGE_INTEGER
   +0x1c8 OtherOperationCount : _LARGE_INTEGER
   +0x1d0 ReadTransferCount : _LARGE_INTEGER
   +0x1d8 WriteTransferCount : _LARGE_INTEGER
   +0x1e0 OtherTransferCount : _LARGE_INTEGER
   +0x1e8 CommitChargeLimit : Uint4B
   +0x1ec CommitChargePeak : Uint4B
   +0x1f0 AweInfo          : Ptr32 Void
   +0x1f4 SeAuditProcessCreationInfo : _SE_AUDIT_PROCESS_CREATION_INFO
   +0x1f8 Vm               : _MMSUPPORT
   +0x238 LastFaultCount   : Uint4B
   +0x23c ModifiedPageCount : Uint4B
   +0x240 NumberOfVads     : Uint4B
   +0x244 JobStatus        : Uint4B
   +0x248 Flags            : Uint4B
   +0x248 CreateReported   : Pos 0, 1 Bit
   +0x248 NoDebugInherit   : Pos 1, 1 Bit
   +0x248 ProcessExiting   : Pos 2, 1 Bit
   +0x248 ProcessDelete    : Pos 3, 1 Bit
   +0x248 Wow64SplitPages  : Pos 4, 1 Bit
   +0x248 VmDeleted        : Pos 5, 1 Bit
   +0x248 OutswapEnabled   : Pos 6, 1 Bit
   +0x248 Outswapped       : Pos 7, 1 Bit
   +0x248 ForkFailed       : Pos 8, 1 Bit
   +0x248 HasPhysicalVad   : Pos 9, 1 Bit
   +0x248 AddressSpaceInitialized : Pos 10, 2 Bits
   +0x248 SetTimerResolution : Pos 12, 1 Bit
   +0x248 BreakOnTermination : Pos 13, 1 Bit
   +0x248 SessionCreationUnderway : Pos 14, 1 Bit
   +0x248 WriteWatch       : Pos 15, 1 Bit
   +0x248 ProcessInSession : Pos 16, 1 Bit
   +0x248 OverrideAddressSpace : Pos 17, 1 Bit
   +0x248 HasAddressSpace  : Pos 18, 1 Bit
   +0x248 LaunchPrefetched : Pos 19, 1 Bit
   +0x248 InjectInpageErrors : Pos 20, 1 Bit
   +0x248 VmTopDown        : Pos 21, 1 Bit
   +0x248 Unused3          : Pos 22, 1 Bit
   +0x248 Unused4          : Pos 23, 1 Bit
   +0x248 VdmAllowed       : Pos 24, 1 Bit
   +0x248 Unused           : Pos 25, 5 Bits
   +0x248 Unused1          : Pos 30, 1 Bit
   +0x248 Unused2          : Pos 31, 1 Bit
   +0x24c ExitStatus       : Int4B
   +0x250 NextPageColor    : Uint2B
   +0x252 SubSystemMinorVersion : UChar
   +0x253 SubSystemMajorVersion : UChar
   +0x252 SubSystemVersion : Uint2B
   +0x254 PriorityClass    : UChar
   +0x255 WorkingSetAcquiredUnsafe : UChar
   +0x258 Cookie           : Uint4B
The Token field is at offset 0xc8 of _EPROCESS. Dumping the memory at that offset for the cmd.exe process gives the following:
kd> dd 8623bc10+c8
8623bcd8  e1653d4d 00000001 ee4edca0 00000000
8623bce8  00040001 00000000 8623bcf0 8623bcf0
8623bcf8  00000000 0001f55b 00000001 ee4edca0
8623bd08  00000000 00040001 00000000 8623bd14
8623bd18  8623bd14 00000000 00000000 00000000
8623bd28  00000000 8605bbe8 86484fd8 00000000
8623bd38  0000009a 00000000 e18da658 00000000
8623bd48  e1f33840 4ad00000 85feab08 00000000
3. Run !process 0 1 system to view the details of the System process, then dump its Token field in the same way:
kd> !process 0 1 system
PROCESS 865b7830  SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    DirBase: 00343000  ObjectTable: e1000c98  HandleCount: 284.
    Image: System
    VadRoot 865b0a50 Vads 4 Clone 0 Private 3. Modified 4837. Locked 0.
    DeviceMap e1004428
    Token                             e10017c8
    ElapsedTime                       00:30:22.218
    UserTime                          00:00:00.000
    KernelTime                        00:00:11.437
    QuotaPoolUsage[PagedPool]         0
    QuotaPoolUsage[NonPagedPool]      0
    Working Set Sizes (now,min,max)  (0, 345) (296KB, 0KB, 1380KB)
    PeakWorkingSetSize                527
    VirtualSize                       1 Mb
    PeakVirtualSize                   2 Mb
    PageFaultCount                    5146
    MemoryPriority                    BACKGROUND
    BasePriority                      8
    CommitCharge                      7

kd> dd 865b7830+c8
865b78f8  e10017cd 00000001 f7a38654 00000000
865b7908  00040001 00000000 865b7910 865b7910
865b7918  00000000 00000000 00000001 f7a38658
865b7928  00000000 00040001 00000000 865b7934
865b7938  865b7934 00000000 00000000 00000000
865b7948  00000000 865b0a50 865b0a50 00000000
865b7958  00000003 00000000 00000000 00000000
865b7968  00000000 00000000 8055b200 00000000
4. Overwrite the Token field of cmd.exe with the Token value of the System process, then dump the field again to confirm the write:
kd> ed 8623bcd8 e10017cd
kd> dd 8623bc10+c8
8623bcd8  e10017cd 00000001 ee4edca0 00000000
8623bce8  00040001 00000000 8623bcf0 8623bcf0
8623bcf8  00000000 0001f55b 00000001 ee4edca0
8623bd08  00000000 00040001 00000000 8623bd14
8623bd18  8623bd14 00000000 00000000 00000000
8623bd28  00000000 8605bbe8 86484fd8 00000000
8623bd38  0000009a 00000000 e18da658 00000000
8623bd48  e1f33840 4ad00000 85feab08 00000000
5. Check the token of the cmd.exe process again:
kd> !process 0 1 cmd.exe
PROCESS 8623bc10  SessionId: 0  Cid: 01c4    Peb: 7ffd9000  ParentCid: 05a0
    DirBase: 0dd40320  ObjectTable: e1fd04b0  HandleCount:  34.
    Image: cmd.exe
    VadRoot 8605bbe8 Vads, Clone 0 Private 154. Modified 1. Locked 0.
    DeviceMap e1e5c300
    Token                             e10017c8
    ElapsedTime                       00:02:15.109
    UserTime                          00:00:00.031
    KernelTime                        00:00:00.000
    QuotaPoolUsage[PagedPool]         60444
    QuotaPoolUsage[NonPagedPool]      2440
    Working Set Sizes (now,min,max)  (710, 345) (2840KB, 200KB, 1380KB)
    PeakWorkingSetSize                713
    VirtualSize                       Mb
    PeakVirtualSize                   * Mb
    PageFaultCount                    773
    MemoryPriority                    BACKGROUND
    BasePriority                      8
    CommitCharge                      516
After the modification, the Token of the cmd.exe process is identical to the Token of the System process. Running whoami again in that cmd.exe window confirms the result:
At this point whoami in cmd.exe reports NT\SYSTEM, so the process now runs with SYSTEM privileges.
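Two things about the dumps above are worth checking by hand, and the added Python script below does so. It is example code written for this page, not part of the original post. First, the raw dword that dd shows at _EPROCESS+0xc8 (e1653d4d) differs from the Token value printed by !process (e1653d48) because the field is an _EX_FAST_REF: on 32-bit Windows the low three bits of the pointer hold a reference count, so the dword must be masked before it is compared with the !process output. Second, the final state of the swap is detectable in a !process 0 1 listing: each process normally owns its own token object (the parent's token is duplicated at process creation), so any process other than System whose Token points at the System token object is an anomaly. The script parses a !process 0 1 dump, decodes the fast reference, and flags processes sharing the System token. The sample dump is constructed to match the page's post-modification state; the services.exe token value in it (e1c1a2b0) is a made-up placeholder.

```python
import re

# On 32-bit Windows an _EX_FAST_REF keeps a 3-bit reference count in the low
# bits of the pointer (4 bits on x64), so the raw dword at _EPROCESS+0xc8 must
# be masked before it is compared with the "Token" line printed by !process.
EX_FAST_REF_COUNT_BITS_X86 = 3

# Constructed sample: a trimmed "!process 0 1" dump laid out like the page's
# output after the token swap. System and cmd.exe use the page's values; the
# services.exe token value (e1c1a2b0) is a made-up placeholder.
SAMPLE_PROCESS_DUMP = """\
kd> !process 0 1
**** NT ACTIVE PROCESS DUMP ****
PROCESS 865b7830  SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    DirBase: 00343000  ObjectTable: e1000c98  HandleCount: 284.
    Image: System
    Token                             e10017c8
    ElapsedTime                       00:30:22.218

PROCESS 86264aa0  SessionId: 0  Cid: 02a4    Peb: 7ffde000  ParentCid: 0278
    DirBase: 0dd40080  ObjectTable: e186d3e8  HandleCount: 267.
    Image: services.exe
    Token                             e1c1a2b0

PROCESS 8623bc10  SessionId: 0  Cid: 01c4    Peb: 7ffd9000  ParentCid: 05a0
    DirBase: 0dd40320  ObjectTable: e1fd04b0  HandleCount:  34.
    Image: cmd.exe
    Token                             e10017c8
"""

_PROCESS_RE = re.compile(
    r"^PROCESS\s+([0-9a-fA-F]+)\s+SessionId:\s*(\S+)\s+Cid:\s*([0-9a-fA-F]+)", re.M)
_IMAGE_RE = re.compile(r"^\s*Image:\s*(\S+)", re.M)
_TOKEN_RE = re.compile(r"^\s*Token\s+([0-9a-fA-F]+)", re.M)


def decode_ex_fast_ref(raw, count_bits=EX_FAST_REF_COUNT_BITS_X86):
    """Split a raw _EX_FAST_REF dword into (object pointer, reference count)."""
    mask = (1 << count_bits) - 1
    return raw & ~mask, raw & mask


def token_field_from_dd(dd_line):
    """Decode the Token _EX_FAST_REF from a 'dd <eprocess>+c8' output line.

    The first column of a dd line is the address, the second is the first
    dword at that address, i.e. the Token field.
    """
    fields = dd_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<address> <dword> ...': %r" % dd_line)
    return decode_ex_fast_ref(int(fields[1], 16))


def parse_process_blocks(text):
    """Turn '!process 0 1' output into a list of dicts, one per PROCESS block."""
    starts = [m.start() for m in _PROCESS_RE.finditer(text)]
    ends = starts[1:] + [len(text)]
    procs = []
    for start, end in zip(starts, ends):
        block = text[start:end]
        header = _PROCESS_RE.match(block)
        image = _IMAGE_RE.search(block)
        token = _TOKEN_RE.search(block)
        procs.append({
            "eprocess": int(header.group(1), 16),
            "session": header.group(2),
            "cid": int(header.group(3), 16),
            "image": image.group(1) if image else None,
            "token": int(token.group(1), 16) if token else None,
        })
    return procs


def find_shared_tokens(procs, system_image="System"):
    """Return the processes (other than System) whose Token is System's token object.

    Every process normally owns a distinct token object because the parent's
    token is duplicated at process creation, so a match here means the Token
    field was changed after the fact.
    """
    system = [p for p in procs if p["image"] == system_image]
    if not system or system[0]["token"] is None:
        return []
    system_token = system[0]["token"]
    return [p for p in procs
            if p["image"] != system_image and p["token"] == system_token]


if __name__ == "__main__":
    # The page's cmd.exe dd line: the fast reference decodes to the !process Token value.
    ptr, refs = token_field_from_dd("8623bcd8 e1653d4d 00000001 ee4edca0 00000000")
    print("raw token field -> object %08x, refcount %d" % (ptr, refs))
    for p in find_shared_tokens(parse_process_blocks(SAMPLE_PROCESS_DUMP)):
        print("%-16s cid %04x eprocess %08x shares the System token %08x"
              % (p["image"], p["cid"], p["eprocess"], p["token"]))
```

Run against a saved !process 0 1 log from a live kernel debugger or a memory image, the same check works unchanged; only the regular expressions are tied to the WinDbg output format shown on this page.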
WinDbg modifying the token of CMD to elevate its permissions