[Repost] DIY Modification of the Windows RunAs Command
Author: FishSeeWater

【Download】Microsoft's own
【Cracking tools】OllyDbg (cao_cong Chinese localization) + C32Asm
【Protection】None
【Software restriction】Does not accept a password argument
【Difficulty】Easy
-----------------------------------------------------------------
【Software introduction】
A command that ships with Microsoft's operating system; no need for me to say more :)
-----------------------------------------------------------------
【DIY statement】
Recently, because company management demanded "confidentiality of computer data", I decided to do it with Win2000's system features plus NTFS permissions. I set up a server on Win2003 and created a User account for every engineer, but found that several CAD programs would not run under a User account, while launching them as "Administrator" through the right-click "Run as" menu worked fine. I spent several days adjusting group permissions and still could not get it working. For security reasons Microsoft's RunAs command cannot take a password argument directly; the password has to be typed in separately every time, and if that is how it works then I'd have to ~~*&@#$$@ :(. I searched the web for how RunAs is implemented, planning to write a program that launches the CAD software, but LogonUser(); CreateProcessAsUser(); CreateProcessWithLogonW() simply would not work; LogonUser() always returned error 1314. Depressing. With no other option, I went after RunAs itself: just make it support a password argument and we're done :)
-----------------------------------------------------------------
【Cracking analysis】
OK! Let's begin:

First, a quick review of the basics: a console program gets its arguments with the GetCommandLine(VOID) function.
Open OD and load the target program with the arguments "/user:administrator cmd.exe"
Then set a breakpoint: BPX GetCommandLine, Enter
F9 to run; the program breaks at 01001572 CALL DWORD PTR DS:[<&KERNEL32.GetCommandLineW>] ; [GetCommandLineW

Let's see how it does RunAs :)
Step through with F8:
[CODE]
01001555  |. 50          PUSH EAX                                         ; /pArgc
01001556  |. 895D>       MOV DWORD PTR SS:[EBP-1C],EBX                    ; |
01001559  |. 895D>       MOV DWORD PTR SS:[EBP-20],EBX                    ; |
0100155C  |. 895D>       MOV DWORD PTR SS:[EBP-C],EBX                     ; |
0100155F  |. 895D>       MOV DWORD PTR SS:[EBP-18],EBX                    ; |
01001562  |. 895D>       MOV DWORD PTR SS:[EBP-38],EBX                    ; |
01001565  |. 8975>       MOV DWORD PTR SS:[EBP-4],ESI                     ; |
01001568  |. 895D>       MOV DWORD PTR SS:[EBP-14],EBX                    ; |
0100156B  |. C745>       MOV DWORD PTR SS:[EBP-7C],44                     ; |
// get the command line
01001572  |. FF15>       CALL DWORD PTR DS:[<&KERNEL32.GetCommandLineW>]  ; [GetCommandLineW
01001578  |. 50          PUSH EAX                                         ; |CmdLine
// get the argument count
01001579  |. FF15>       CALL DWORD PTR DS:[<&SHELL32.CommandLineToArg>]  ; \CommandLineToArgvW
0100157F  |. 8BC8        MOV ECX,EAX
01001581  |. 3BCB        CMP ECX,EBX
01001583  |. 894D>       MOV DWORD PTR SS:[EBP+8],ECX
01001586  |. 0F85>       JNZ runas.0100163E
0100158C  |. 895D>       MOV DWORD PTR SS:[EBP-4],EBX
.......
.......
.......
// compare the argument count; if it is not 3, jump away and show the RunAs help (the program's own name counts as one argument)
0100163E  |> \8B45>      MOV EAX,DWORD PTR SS:[EBP-14]
01001641  |. 83F8>       CMP EAX,5
01001644  |. 740>        JE SHORT runas.01001650
01001646  |. 83F8>       CMP EAX,4
01001649  |. 740>        JE SHORT runas.01001650
0100164B  |. 83F8>       CMP EAX,3
0100164E  |. 757>        JNZ SHORT runas.010016CF
01001650  |> 8D50>       LEA EDX,DWORD PTR DS:[EAX-2]
// the following checks and extracts the second argument "administrator" (the first argument is RunAs.exe)
01001653  |. 8975>       MOV DWORD PTR SS:[EBP-8],ESI
01001656  |. 3BD6        CMP EDX,ESI
01001658  |. 7C7>        JL SHORT runas.010016CA
0100165A  |. 8D79>       LEA EDI,DWORD PTR DS:[ECX+4]
0100165D  |> 8B07        MOV EAX,DWORD PTR DS:[EDI]
0100165F  |. 66:8>       CMP WORD PTR DS:[EAX],2F
01001663  |. 756>        JNZ SHORT runas.010016CF
01001665  |. 0FB7>       MOVZX ECX,WORD PTR DS:[EAX+2]
01001669  |. 83F9>       CMP ECX,4E                                       ; Switch (cases 45..75)
0100166C  |. 7F1>        JG SHORT runas.0100167E
0100166E  |. 0F84>       JE runas.01001BA4
01001674  |. 83F9>       CMP ECX,45
01001677  |. 755>        JNZ SHORT runas.010016CF
01001679  |> 8975>       MOV DWORD PTR SS:[EBP-1C],ESI                    ; Cases 45 ('E'),65 ('e') of switch 01001669
0100167C  |. EB4>        JMP SHORT runas.010016BF
0100167E  |> 83E9>       SUB ECX,50
01001681  |. 743>        JE SHORT runas.010016BC
01001683  |. 83E9>       SUB ECX,5
01001686  |. 741>        JE SHORT runas.0100169F
01001688  |. 83E9>       SUB ECX,10
0100168B  |.^74E>        JE SHORT runas.01001679
0100168D  |. 83E9>       SUB ECX,9
01001690  |. 0F84>       JE runas.01001BA4
01001696  |. 49          DEC ECX
01001697  |. 49          DEC ECX
01001698  |. 742>        JE SHORT runas.010016BC
0100169A  |. 83E9>       SUB ECX,5
0100169D  |. 753>        JNZ SHORT runas.010016CF
0100169F  |> 83C0>       ADD EAX,4                                        ; Cases 55 ('U'),75 ('u') of switch 01001669
010016A2  |> 66:8>       /MOV CX,WORD PTR DS:[EAX]
.......
.......
.......
010016CD  |. /750>       JNZ SHORT runas.010016DC
010016CF  |> |E88>       CALL runas.0100125B                              ; Default case of switch 01001669
010016D4  |> |895D>      MOV DWORD PTR SS:[EBP-4],EBX
010016D7  |. |E95>       JMP runas.01001B38
// load the prompt resource string "Enter the password for administrator:"
010016DC  |> \8B3D>      MOV EDI,DWORD PTR DS:[<&USER32.LoadStringW>]     ; USER32.LoadStringW
010016E2  |. 8D85>       LEA EAX,DWORD PTR SS:[EBP-630]
010016E8  |. 68F>        PUSH 1F4                                         ; /Count = 1F4 (500.)
010016ED  |. 50          PUSH EAX                                         ; |Buffer
010016EE  |. 687>        PUSH 1B76                                        ; |RsrcID = STRING "Enter password for "
010016F3  |. FF35>       PUSH DWORD PTR DS:[1003020]                      ; |hInst = 01000000
010016F9  |. FFD7        CALL EDI                                         ; \LoadStringW
010016FB  |. 8B35>       MOV ESI,DWORD PTR DS:[<&USER32.CharToOemW>]      ; USER32.CharToOemW
01001701  |. 8D85>       LEA EAX,DWORD PTR SS:[EBP-8EC]
01001707  |. 50          PUSH EAX                                         ; /pDest
01001708  |. 8D85>       LEA EAX,DWORD PTR SS:[EBP-630]                   ; |
0100170E  |. 50          PUSH EAX                                         ; |pSrc
0100170F  |. FFD6        CALL ESI                                         ; \CharToOemW
01001711  |. FF75>       PUSH DWORD PTR SS:[EBP-C]                        ; /String
01001714  |. 8B1D>       MOV EBX,DWORD PTR DS:[<&KERNEL32.lstrlenW>]      ; |kernel32.lstrlenW
0100171A  |. FFD3        CALL EBX                                         ; \lstrlenW
0100171C  |. 3DF>        CMP EAX,1F4
01001721  |. 760>        JBE SHORT runas.0100172E
01001723  |. 8B45>       MOV EAX,DWORD PTR SS:[EBP-C]
01001726  |. 66:8>       AND WORD PTR DS:[EAX+3E6],0
0100172E  |> 8D85>       LEA EAX,DWORD PTR SS:[EBP-D9C]
01001734  |. 50          PUSH EAX
01001735  |. FF75>       PUSH DWORD PTR SS:[EBP-C]
01001738  |. FFD6        CALL ESI
0100173A  |. 8D85>       LEA EAX,DWORD PTR SS:[EBP-D9C]
01001740  |. 50          PUSH EAX                                         ; /<%s>
01001741  |. 8D85>       LEA EAX,DWORD PTR SS:[EBP-8EC]                   ; |
01001747  |. 50          PUSH EAX                                         ; |<%s>
01001748  |. 688>        PUSH runas.0100118C                              ; |format = "%s%s:"
0100174D  |. FF15>       CALL DWORD PTR DS:[<&MSVCRT.printf>]             ; \printf
01001753  |. 83C4>       ADD ESP,0C
01001756  |. 8D85>       LEA EAX,DWORD PTR SS:[EBP-248]
// what is this 104 for? Is it a maximum length? Experts, please advise :)
0100175C  |. 680>        PUSH 104                                         ; /Arg2 = 00000104
// push the address of the variable
01001761  |. 50          PUSH EAX                                         ; |Arg1
// below, ReadConsoleW is called to read the password typed at the keyboard
01001762  |. E84>        CALL runas.010011B0                              ; \read the password
01001767  |. 85C0        TEST EAX,EAX
01001769  |. 744>        JE SHORT runas.010017AD
0100176B  |. 8D85>       LEA EAX,DWORD PTR SS:[EBP-630]
........
........
........
0100179B  |. 683>        PUSH runas.01001134                              ; |format = "%s"
010017A0  |. FF15>       CALL DWORD PTR DS:[<&MSVCRT.printf>]             ; \printf
010017A6  |. 59          POP ECX
010017A7  |. 59          POP ECX
010017A8  |. E94>        JMP runas.010019ED
// process the password that was typed in
010017AD  |> 8D85>       LEA EAX,DWORD PTR SS:[EBP-248]
010017B3  |. 50          PUSH EAX                                         ; /Translation
010017B4  |. 8D85>       LEA EAX,DWORD PTR SS:[EBP-248]                   ; |
010017BA  |. 50          PUSH EAX                                         ; |OemString
010017BB  |. FF15>       CALL DWORD PTR DS:[<&USER32.OemToCharA>]         ; \OemToCharA
010017C1  |. 8D85>       LEA EAX,DWORD PTR SS:[EBP-248]
// copy the password and keep it
010017C7  |. 50          PUSH EAX                                         ; /<%S>
010017C8  |. 8D85>       LEA EAX,DWORD PTR SS:[EBP-1198]                  ; |
010017CE  |. 688>        PUSH runas.01001184                              ; |Format = "%S"
010017D3  |. 50          PUSH EAX                                         ; |s
010017D4  |. FF15>       CALL DWORD PTR DS:[<&USER32.wsprintfW>]          ; \wsprintfW
010017DA  |. 83C4>       ADD ESP,0C
010017DD  |. 8D85>       LEA EAX,DWORD PTR SS:[EBP-E0]
010017E3  |. 6A3>        PUSH 32
010017E5  |. 50          PUSH EAX
010017E6  |. 687>        PUSH 1B77
010017EB  |. FF35>       PUSH DWORD PTR DS:[1003020]                      ; runas.01000000
010017F1  |. FFD7        CALL EDI
010017F3  |. 8B45>       MOV EAX,DWORD PTR SS:[EBP-14]
010017F6  |. 8B4D>       MOV ECX,DWORD PTR SS:[EBP+8]
// get the length of the third command-line argument (DS:[ECX+EAX*4-4] is the third argument)
010017F9  |. FF74>       PUSH DWORD PTR DS:[ECX+EAX*4-4]
010017FD  |. FFD3        CALL EBX                                         ; kernel32.lstrlenW
010017FF  |. 8BF8        MOV EDI,EAX
01001801  |. 8D85>       LEA EAX,DWORD PTR SS:[EBP-E0]
01001807  |. 50          PUSH EAX
01001808  |. FFD3        CALL EBX
0100180A  |. FF75>       PUSH DWORD PTR SS:[EBP-C]
........
........
........
01001A0B  |. C745>       MOV DWORD PTR SS:[EBP-24],400
01001A12  |. EB0>        JMP SHORT runas.01001A17
01001A14  |> 8B5D>       MOV EBX,DWORD PTR SS:[EBP-38]
01001A17  |> 8D45>       LEA EAX,DWORD PTR SS:[EBP-34]
// call CreateProcessWithLogonW to create the process as "administrator"
01001A1A  |. 50          PUSH EAX                                         ; /Arg11
01001A1B  |. 8D45>       LEA EAX,DWORD PTR SS:[EBP-7C]                    ; |
01001A1E  |. 50          PUSH EAX                                         ; |Arg10
01001A1F  |. 8B45>       MOV EAX,DWORD PTR SS:[EBP-14]                    ; |
01001A22  |. 53          PUSH EBX                                         ; |Arg9
01001A23  |. FF75>       PUSH DWORD PTR SS:[EBP-20]                       ; |Arg8
01001A26  |. FF75>       PUSH DWORD PTR SS:[EBP-24]                       ; |Arg7
01001A29  |. FF74>       PUSH DWORD PTR DS:[EDI+EAX*4-4]                  ; |Arg6
01001A2D  |. 8D85>       LEA EAX,DWORD PTR SS:[EBP-1198]                  ; |
01001A33  |. 6A0>        PUSH 0                                           ; |Arg5 = 00000000
01001A35  |. FF75>       PUSH DWORD PTR SS:[EBP-10]                       ; |Arg4
01001A38  |. 50          PUSH EAX                                         ; |Arg3
01001A39  |. FF75>       PUSH DWORD PTR SS:[EBP-18]                       ; |Arg2
01001A3C  |. FF75>       PUSH DWORD PTR SS:[EBP-C]                        ; |Arg1
01001A3F  |. FF15>       CALL DWORD PTR DS:[<&ADVAPI32.CreateProcessWi>]  ; \CreateProcessWithLogonW
01001A45  |. 85C0        TEST EAX,EAX
01001A47  |. 0F85>       JNZ runas.01001B36
01001A4D  |. 33FF        XOR EDI,EDI
01001A4F  |. C745>       MOV DWORD PTR SS:[EBP-10],7B
[/CODE]
////////////////////////////////////

The flow is basically analysed. To reach our goal, all we have to do is put our existing password in place right after the ReadConsoleW function.

Approach:
1. First NOP out the code that prompts for and reads the password: from 010016E2 all the way to 01001766.
2. We already have the password, so there is no need for the program to process it; NOP out the processing as well, from 010017AD to 010017D4 (ha, now there is plenty of room to write our own code).
3. Since we pass the password as a parameter and the program checks the argument count, subtract 1 from the argument count right after CommandLineToArgvW.

OK! Get to work:
First carry out steps 1 and 2.
Then modify 01001586:
01001586 JNZ runas.0100163E  becomes  01001586 JNZ runas.010016F2
At 010016EF add:
010016EF JMP SHORT runas.01001767        // in normal execution, skip the two argument-handling instructions below
At 010016F2 add:
010016F2 DEC DWORD PTR SS:[EBP-14]       // argument count minus 1
010016F5 JMP runas.0100163E              // jump back
Argument handling done; now the password:
Modify 01001767:
01001767 TEST EAX,EAX  becomes  01001767 XOR EAX,EAX   // sets the zero flag
Starting at 010017AF add:
010017AF MOV EAX,DWORD PTR SS:[EBP-14]
010017B2 INC EAX                          // argument count plus 1
010017B3 MOV ECX,DWORD PTR SS:[EBP+8]
010017B6 NOP
010017B7 NOP
010017B8 MOV EAX,DWORD PTR DS:[ECX+EAX*4-4]
010017BC PUSH EAX                         ; /String2
010017BD LEA EAX,DWORD PTR SS:[EBP-1198]  ; |
010017C3 NOP                              ; |
010017C4 PUSH EAX                         ; |String1
010017C5 CALL DWORD PTR DS:[<&KERNEL32.lstrcpyW>]  ; \lstrcpyW
OK!!! All done!!! Run it and see! Sweet :)
Write a small wrapper to call it and that's it :)
Done.
-----------------------------------------------------------------
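As an added example (not part of the original post): the listing above pins down the argument grammar that stock runas.exe enforces (argc of 3, 4 or 5, every argument between the program name and the command is a /switch), and the patch relaxes it by exactly one trailing argument. That is what a defender can key on, because the password now travels in the command line and lands in process-creation telemetry. The key=value log format and the Hunter2 value are constructed assumptions, and the command-line splitter is a simplified stand-in for CommandLineToArgvW.

```python
import ntpath
import re

# Constructed sample lines (not real telemetry), key=value style loosely modelled on process-creation events.
SAMPLE_LOG = [
    'EventID=1 Image=C:\\Windows\\System32\\runas.exe CommandLine=runas /user:administrator cmd.exe',
    'EventID=1 Image=C:\\Windows\\System32\\runas.exe CommandLine=runas /user:administrator "notepad.exe C:\\a b.txt"',
    'EventID=1 Image=C:\\Windows\\System32\\runas.exe CommandLine=runas /user:administrator cmd.exe Hunter2',
    'EventID=1 Image=C:\\Windows\\System32\\runas.exe CommandLine=runas /user:administrator /env cmd.exe Hunter2',
    'EventID=1 Image=C:\\Windows\\System32\\runas.exe CommandLine=runas /?',
]

def split_cmdline(cmdline):
    """Simplified CommandLineToArgvW: whitespace separates, "..." groups.
    Backslash escaping and mixed quoting are deliberately not modelled (assumption)."""
    return [q if q else w for q, w in re.findall(r'"([^"]*)"|(\S+)', cmdline)]

def runas_accepts(argv, extra_args=0):
    """Argument grammar recovered from the listing: argc must be 3, 4 or 5 and every
    argument between the program name and the final command must start with '/'.
    extra_args=1 models the patch: the check runs on argc-1 and the last argument is the password."""
    n = len(argv) - extra_args
    return n in (3, 4, 5) and all(a.startswith("/") for a in argv[1:n - 1])

def looks_patched(argv):
    """True when stock runas would only print its help text but the patched copy would run."""
    return not runas_accepts(argv) and runas_accepts(argv, extra_args=1)

def scan_process_log(lines):
    """Return (line_no, command_line) for runas launches whose argument shape matches the patch."""
    hits = []
    for no, line in enumerate(lines, 1):
        m = re.search(r"CommandLine=(.*)$", line)
        if not m:
            continue
        argv = split_cmdline(m.group(1))
        if argv and ntpath.basename(argv[0]).lower() in ("runas", "runas.exe") and looks_patched(argv):
            hits.append((no, m.group(1)))
    return hits

if __name__ == "__main__":
    for no, cmd in scan_process_log(SAMPLE_LOG):
        print(f"line {no}: {cmd}")
```

Lines 3 and 4 of the sample are flagged; lines 1, 2 and 5 are shapes the stock binary itself accepts or rejects, so they are left alone.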