深入理解MSF之Getsystem技术原理与实现<\/h1>

Windows访问控制模型基础<\/h2>

访问令牌(Access Token)<\/h3>

Windows访问控制模型的核心是访问令牌，它是在用户身份认证后生成的内核对象，包含以下关键信息：<\/p>

用户标识符(User Identifier)<\/strong>：唯一的安全标识符(SID)<\/li>
组标识符(Group Identifiers)<\/strong>：用户所属组的SIDs<\/li>
权限(Privileges)<\/strong>：线程能执行的系统级操作<\/li>
所有者(Owner)<\/strong>：默认所有者SID<\/li>
访问控制列表(DACL)<\/strong>：指定用户\/组对对象的操作权限<\/li>

登录会话(Logon Session)<\/strong>：关联的登录会话标识符<\/li> <\/ol>
令牌类型<\/h3>

主令牌(Primary Token)<\/strong>：进程创建时分配的默认令牌<\/li>
模拟令牌(Impersonation Token)<\/strong>：线程模拟客户端时的临时令牌<\/li> <\/ol>
安全检查流程<\/h3>

线程携带访问令牌访问安全对象<\/li>
系统检查安全对象的安全描述符<\/li>
依次执行ACE(访问控制条目)检查<\/li>
通过检查后授予相应权限<\/li> <\/ol>
ACE优先级规则：<\/p>

显式(手动设置) > 继承<\/li>
拒绝 > 允许<\/li> <\/ul>
关键概念与技术<\/h2>
UAC与完整性级别<\/h3>
Windows引入UAC(用户账户控制)和MIC(强制完整性控制)机制：<\/p>

完整性级别<\/th> 描述<\/th> <\/tr> <\/thead>

System<\/td> 最高权限，系统和服务保留<\/td> <\/tr>
Installer<\/td> 修改系统核心组件的能力<\/td> <\/tr>
High<\/td> 管理员权限进程<\/td> <\/tr>
Medium<\/td> 标准用户进程<\/td> <\/tr>
Low<\/td> 与互联网交互的进程<\/td> <\/tr>
Untrusted<\/td> 匿名登录进程<\/td> <\/tr>
AppContainer<\/td> 轻量级应用容器<\/td> <\/tr> <\/tbody> <\/table>
命名管道(Named Pipe)<\/h3>
命名管道是进程间通信(IPC)机制，关键特性：<\/p>

使用NPFS(命名管道文件系统)接口<\/li>
支持模拟客户端权限(ImpersonateNamedPipeClient)<\/li>
可通过标准文件API(ReadFile\/WriteFile)操作<\/li> <\/ul>
创建命名管道示例：<\/p>
const<\/span> char<\/span> pipename[] =<\/span> "<\/span>\\\\<\/span>.<\/span>\\<\/span>pipe<\/span>\\<\/span>endlessparadox"<\/span>; <\/span><\/span>CreateNamedPipeA(pipename, PIPE_ACCESS_DUPLEX, PIPE_TYPE_BYTE|<\/span>PIPE_WAIT, <\/span><\/span> 10<\/span>, 2048<\/span>, 2048<\/span>, 0<\/span>, NULL); <\/span><\/span><\/code><\/pre>模拟令牌流程<\/h3> 创建命名管道并等待连接<\/li> 高权限进程连接管道<\/li> 调用ImpersonateNamedPipeClient模拟客户端<\/li> 获取线程令牌并创建新进程<\/li> <\/ol> ImpersonateNamedPipeClient(hPipe); <\/span><\/span>OpenThreadToken(GetCurrentThread(), TOKEN_ALL_ACCESS, FALSE, &<\/span>hToken); <\/span><\/span>DuplicateTokenEx(hToken, TOKEN_ALL_ACCESS, NULL, SecurityImpersonation, <\/span><\/span> TokenPrimary, &<\/span>hSystemTokenDup); <\/span><\/span>CreateProcessWithTokenW(hSystemTokenDup, LOGON_WITH_PROFILE, NULL, <\/span><\/span> cmd, 0x00000400<\/span>, NULL, NULL, &<\/span>si, &<\/span>pi); <\/span><\/span><\/code><\/pre>MSF的Getsystem技术详解<\/h2> 技术1：服务命名管道(elevate_via_service_namedpipe)<\/h3> 原理<\/strong>：<\/p> 创建SYSTEM权限服务连接恶意命名管道<\/li> 模拟服务令牌获取SYSTEM权限<\/li> <\/ul> 实现步骤<\/strong>：<\/p> 检查操作系统版本(排除NT4)<\/li> 生成随机命名管道名<\/li> 创建服务(使用cmd.exe，预期会失败)<\/li> 服务尝试连接管道时模拟其令牌<\/li> <\/ol> OPSEC注意事项<\/strong>：<\/p> 服务创建行为易被检测<\/li> 管道名称有特征<\/li> <\/ul> 技术2：DLL服务命名管道(elevate_via_service_namedpipe2)<\/h3> 改进点<\/strong>：<\/p> 写入DLL到磁盘<\/li> 通过rundll32.exe以SYSTEM权限执行<\/li> <\/ul> OPSEC问题<\/strong>：<\/p> 文件落地易被检测<\/li> rundll32.exe行为可疑<\/li> <\/ul> 技术3：令牌复制(elevate_via_service_tokendup)<\/h3> 前提条件<\/strong>：<\/p> 需要SeDebugPrivilege权限<\/li> 仅适用于x86系统<\/li> <\/ul> 实现方法<\/strong>：<\/p> 枚举服务获取PID<\/li> 打开目标进程<\/li> 反射式注入DLL<\/li> 复制注入线程的令牌<\/li> <\/ol> 优势<\/strong>：<\/p> 无文件落地<\/li> 内存操作隐蔽<\/li> <\/ul> 技术4：RPCSS服务利用(elevate_via_service_namedpipe_rpcss)<\/h3> 目标<\/strong>：<\/p> 从NETWORK SERVICE提权至SYSTEM<\/li> <\/ul> 关键流程<\/strong>：<\/p> 创建恶意命名管道<\/li> 获取RPCSS服务PID<\/li> 查找可用高权限Token句柄<\/li> 复制最佳令牌<\/li> <\/ol> \/\/ 核心代码片段 <\/span><\/span><\/span><\/span>get_system_token() { <\/span><\/span> \/\/ 获取Token对象类型索引 <\/span><\/span><\/span><\/span> get_token_object_index(); <\/span><\/span> \/\/ 查询进程信息 <\/span><\/span><\/span><\/span> NtQueryInformationProcess(); <\/span><\/span> \/\/ 遍历句柄查找高权限Token <\/span><\/span><\/span><\/span> for<\/span>(...) { <\/span><\/span> DuplicateHandle(); <\/span><\/span> GetTokenInformation(); <\/span><\/span> \/\/ 比较并选择最佳令牌 <\/span><\/span><\/span><\/span> if<\/span>(is_equal_luid(...)) { <\/span><\/span> hBestToken =<\/span> hTokenDup; <\/span><\/span> } <\/span><\/span> } <\/span><\/span> return<\/span> hBestToken; <\/span><\/span>} <\/span><\/span><\/code><\/pre>技术5：打印机欺骗(elevate_via_namedpipe_printspooler)<\/h3> 利用点<\/strong>：<\/p> 打印机服务(spoolsv.exe)的路径规范化缺陷<\/li> 自动添加\pipe\spoolss<\/code>后缀<\/li> <\/ul> 欺骗过程<\/strong>：<\/p> 创建形如\\localhost\/pipe\/test<\/code>的管道<\/li> 规范化后变为\\localhost\pipe\test<\/code><\/li> 打印机添加后缀变为\\localhost\pipe\test\pipe\spoolss<\/code><\/li> 实际连接攻击者管道<\/li> <\/ol> RPC触发函数<\/strong>：<\/p> RpcRemoteFindFirstPrinterChangeNotification( <\/span><\/span> hPrinter, fdwFlags, fdwOptions, <\/span><\/span> pszLocalMachine, \/\/ 恶意管道路径 <\/span><\/span><\/span><\/span> dwPrinterLocal, cbBuffer, pBuffer); <\/span><\/span><\/code><\/pre>技术6：EFSRPC利用(elevate_via_namedpipe_efs)<\/h3> 基础<\/strong>：<\/p> MS-EFSR(加密文件系统远程)协议<\/li> 调用EfsRpcOpenFileRaw欺骗lsass.exe<\/li> <\/ul> 绕过修复<\/strong>：<\/p> 使用RpcBindingSetAuthInfoW设置AuthnLevel为RPC_C_AUTHN_LEVEL_PKT_PRIVACY<\/li> <\/ul> 触发函数<\/strong>：<\/p> EfsRpcOpenFileRaw( <\/span><\/span> binding_h, hContext, <\/span><\/span> FileName, \/\/ 恶意管道路径 <\/span><\/span><\/span><\/span> Flags); <\/span><\/span><\/code><\/pre>防御与检测规避<\/h2> 检测点分析<\/h3> Sigma规则检测<\/strong>：<\/p> # 检测服务创建+命名管道特征<\/span> <\/span><\/span>selection<\/span>: <\/span><\/span> CommandLine|contains<\/span>: <\/span><\/span> - 'pipe'<\/span> <\/span><\/span> - 'echo'<\/span> <\/span><\/span> ParentImage|endswith<\/span>: '\cmd.exe'<\/span> <\/span><\/span>condition<\/span>: selection<\/span> <\/span><\/span><\/code><\/pre><\/li> 行为特征<\/strong>：<\/p> 短暂存在的命名管道<\/li> 服务创建行为<\/li> RPC调用模式异常<\/li> <\/ul> <\/li> <\/ol> OPSEC改进建议<\/h3> 管道技术优化<\/strong>：<\/p> 使用合法管道名称<\/li> 延长管道存在时间<\/li> 混淆命令行参数<\/li> <\/ul> <\/li> 内存操作<\/strong>：<\/p> 使用无文件技术(反射DLL注入)<\/li> 擦除NT\/DOS头规避内存扫描<\/li> <\/ul> <\/li> 权限获取<\/strong>：<\/p> 优先使用RPC类技术(4\/5\/6)<\/li> 避免服务创建和文件落地<\/li> <\/ul> <\/li> <\/ol> 实际应用技巧<\/h2> 应急提权<\/strong>：<\/p> 在只能利用一次的漏洞场景中，可尝试进程PID欺骗： # CS命令<\/span> <\/span><\/span>ps <\/span><\/span>steal_token <pid> <\/span><\/span><\/code><\/pre><\/li> <\/ul> <\/li> 自定义实现<\/strong>：<\/p> 将提权技术集成到shellcode加载器<\/li> 上线即高权限，减少后期操作<\/li> <\/ul> <\/li> 技术选择矩阵<\/strong>：<\/p> <\/li> <\/ol> 技术<\/th> 适用系统<\/th> 需要条件<\/th> 隐蔽性<\/th> <\/tr> <\/thead> 1-服务管道<\/td> Win2000+<\/td> 管理员<\/td> 低<\/td> <\/tr> 2-DLL服务<\/td> Win2000+<\/td> 管理员<\/td> 中<\/td> <\/tr> 3-令牌复制<\/td> WinXP-7<\/td> SeDebugPrivilege<\/td> 高<\/td> <\/tr> 4-RPCSS<\/td> Win8.1+<\/td> 无<\/td> 高<\/td> <\/tr> 5-打印机<\/td> Win8.1+<\/td> 无<\/td> 高<\/td> <\/tr> 6-EFSRPC<\/td> Win8-11<\/td> 无<\/td> 高<\/td> <\/tr> <\/tbody> <\/table> 总结<\/h2> Windows提权技术的核心在于令牌窃取，MSF的getsystem提供了多种实现方式。理解这些技术原理有助于：<\/p> 根据目标环境选择最合适的提权方法<\/li> 自定义开发规避检测的工具<\/li> 更好地防御此类提权攻击<\/li> <\/ol> RPC相关技术(4\/5\/6)因其高隐蔽性和广泛适用性，成为现代Windows系统提权的首选方案。<\/p>