fdv

Taking back the Registry from TrustedInstaller

75 posts in this topic

Usual semi-random idea.

Doeesn't 7 has the tasklist command?

http://technet.microsoft.com/en-us/library/bb491010.aspx

:yes:

Something along the lines of:


@ECHO OFF
SETLOCAL ENABLEEXTENSIONS
SET Process_Name=trustedinstaller
FOR /F "tokens=1,2" %%A IN ('tasklist ^|FIND /i %Process_Name%') DO ECHO %%B
PAUSE

might do. :unsure:

jaclaz

0

Share this post


Link to post
Share on other sites

Of course it has! :yes:

But since you're at it, one of your wonderful batches to automate fully the operations descrbed in post #30 by fdv, incorporating your idea of using Tasklist, would be really handy, if you can find time for creating it... :angel

0

Share this post


Link to post
Share on other sites

Of course it has! :yes:

But since you're at it, one of your wonderful batches to automate fully the operations descrbed in post #30 by fdv, incorporating your idea of using Tasklist, would be really handy, if you can find time for creating it... :angel

But I have no handy 7 system, so I cannot check if it works, if the strings are correct, etc.

If someone verifies that

tasklist |FIND /i "trustedinstaller"

Finds the taks and roduces the right PID, and which actual name the "Windows Modules Installer" service has, and that the commands:

sc query <name_of_Windows_Modules_Installer>

and

sc start <name_of_Windows_Modules_Installer>

or

net start <name_of_Windows_Modules_Installer>

work

and

that the output for the running service is similar to this:

sc query wuauserv

SERVICE_NAME: wuauserv

TYPE : 20 WIN32_SHARE_PROCESS

STATE : 4 RUNNING

(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)

WIN32_EXIT_CODE : 0 (0x0)

SERVICE_EXIT_CODE : 0 (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0

I guess it can be done allright .

jaclaz

0

Share this post


Link to post
Share on other sites

Great find, joakin! Thanks a lot! :thumbup

Yet I do ask myself whether your original solution, although much more complicated, does not, in fact, yield a more complete impersonation of TI... dubbio.gif

Of course, that can only be answered by time and good testing. :yes:

0

Share this post


Link to post
Share on other sites

I think the impersonation is complete, but because of the session separation it is not possible to interact with the process. That was the reason for using tcp/ip for the communication. what is that you can't do, except interacting with a GUI?

The process in my solution originates from a remote thread inside the TI process, and for that reason it should be identical in terms of privs and rights. The other solution is different in that the created and duplicated token has its session id modified, which means you can interact with it directly (including GUI's I presume).

0

Share this post


Link to post
Share on other sites

At first sight both solutions should be equivalent, in most relevant cases, that's true. In any case, the most obvious use is to modify the registry unhampered. And, what's more wonderful is that, when fdv started this thread, we had no solution to the problem, and now, thanks to you, we actually have *two*! :thumbup:

0

Share this post


Link to post
Share on other sites

Based on the previous answers, I've created a batch script which opens a cmd screen under TrustedInstaller.exe. But since TrustedInstaller.exe is running under SYSTEM, I'm not sure how the method gives me the permissions of TrustedInstaller.

The script has been tested in Windows 7 and 8 x86. Instead of injecting "cmd", I inject a batch file which slightly modifies the output, because otherwise the command is returned twice. For example:

C:>@echo test
@echo test
test

The script uses ncat from nmap.org and Session0Injector. The script expects these dependencies to be located in a subfolder called "deps".

runasti.cmd - Has to be run as administrator

:: Inspired by http://www.msfn.org/board/topic/155910-taking-back-the-registry-from-trustedinstaller/page__st__20#entry993083
:: This is the 32bit version. For 64bits, change Session0Cmd to Session0Cmd_x64
:: Edit this script to execute a shell under any process, replace "trustedinstaller" in FIND with ...
:: Run as ADMINISTRATOR

:: Pick a random port between 10000 and 42767 and assume that it's free.
@SET /A PORT=%random% + 10000
@SET Session0Cmd=%~dp0deps\Session0Cmd.exe
@SET NETCAT=%~dp0deps\ncat.exe
@SET EXECUTE=%~dp0init.cmd
@echo off
IF NOT EXIST "%Session0Cmd%" (
echo Session0Injector is required.
echo Get it from http://reboot.pro/files/download/171-payload-execution-tools/
goto:eof
)
IF NOT EXIST "%NETCAT%" (
echo Ncat is required.
echo Get it from http://nmap.org/ncat/
goto:eof
)

echo Starting TrustedInstaller if not started...
SC query "trustedinstaller" | FIND /i "RUNNING" > NUL || NET start TrustedInstaller

SETLOCAL EnableDelayedExpansion
echo Getting PID for TrustedInstaller.exe...
FOR /F "tokens=2,3" %%P in ('tasklist ^|FIND /i "trustedinstaller"') DO SET PID=%%P

IF "%PID%"=="" (
echo Pid not found. Cannot continue.
) ELSE (
echo Starting server (logging messages at %%tmp%%\runasti.log
"%Session0Cmd%" %PID% "%NETCAT% -l -p %PORT% -e %EXECUTE%" >> "%tmp%\runasti.log"

echo Connecting server...
"%NETCAT%" localhost %PORT%
)
ENDLOCAL

init.cmd - This script will be injected in the process, and spawn a new cmd.

:: Set token file. When this file is deleted, all childs should terminate
@set token=%tmp%\ti_shell_%random%
@type nul > "%token%"
:keepalive
@cmd /c ""%~dp0subshell.cmd" token "%token%"" 2>&1
:: The subshell will die for syntax errors. Keep reviving, unless the token file has been deleted.
@if exist "%token%" @goto:keepalive

subshell.cmd - This one processes commands. When a syntax error occurs (e.g. using a pipe as a command), the batch script terminates. That's why I choose to run a main batch process, which start child processes. This behaviour is controlled by a temporary file in %tmp%: When this file is deleted, the main process assumes that the user issued "exit".

@echo off
:: This script should never run without parent
@if not "%~1"=="token" goto:eof
@setlocal EnableDelayedExpansion
@for /f "tokens=*" %%u in ('whoami') do echo Running as %%u
@set Path=%path%;%~fd0

:repeat
@if not exist "%~f2" goto:eof
:: Get user input
@set command=
@set /p command=*%cd%^>
:: When command is "exit", delete token file and exit
@if /i "!command:~0,4!"=="exit" del "%~f2" && goto:eof
:: Execute command, and repeat
@for /f "tokens=*" %%C in ('echo %command%') do @%%C
@goto:repeat

runasti.cmd

init.cmd

subshell.cmd

0

Share this post


Link to post
Share on other sites

That's great news! :thumbup

And welcome to MSFN! :hello:

0

Share this post


Link to post
Share on other sites

Very good work RobW :thumbup .

OT :ph34r: , and only "marginally" related, but still *somehow* connected:

http://p-nand-q.com/gtools/grootshell.html

Still "up to XP only", but maybe it can be tweaked/used/adapted for later NT based OS's. :unsure:

jaclaz

0

Share this post


Link to post
Share on other sites

On my windows api journey, I discovered this neat little tool that achieves kind of the same thing, just very differently (and less complicated); http://developex.com/custom-software/devxexec.html

It is based on token duplication and not remote threads as I described.

Devxexec works very well. :thumbup It can launch cmd.exe or regedit.exe as Trusted Installer or as System. I don't really need anything more for my sabotages against the system. :ph34r:

GL

Edited by GrofLuigi
0

Share this post


Link to post
Share on other sites

Wouldn't the simplest solution be to grant ourselves full privileges under the key:

HKEY_LOCAL_MACHINE\SECURITY\Policy\Accounts\S-1-5-21-645709764-2570854657-2333822770-500\Privilgs

or whatever the SID of our account is? But one has to figure out first what the format of the key is, or, if brave enough, to copy the registry value from another overprivileged account.

I imagine it as a quick guerilla operation: Change permissions, get in, change value, get out, restore permissions. :ph34r:

What do you guys think about that?

GL

Edited by GrofLuigi
0

Share this post


Link to post
Share on other sites

This is just to provide an update to those of you who don't usually follow things on reboot.pro... Heads up, friends, there's good news!!! :yes:

joakim has kept working on this matter, and has released two very interesting apps there, at the thread: "RunasSystem and RunFromToken".

Thanks joakim, you do rock! :thumbup

0

Share this post


Link to post
Share on other sites
This is just to provide an update to those of you who don't usually follow things on reboot.pro... Heads up, friends, there's good news!!! :yes:

joakim has kept working on this matter, and has released two very interesting apps there, at the thread: "RunasSystem and RunFromToken".

Thanks joakim, you do rock! :thumbup

Thanks for the tip!

0

Share this post


Link to post
Share on other sites

(just theoretical, haven't tried it yet)

On one of my systems I have this simpel batch on my desktop to get quick access to my special power cmd:

net start trustedinstaller
C:\windows\system32\runassystem_x64 "C:\windows\system32\runfromtoken_x64 trustedinstaller.exe 1 cmd"

With that command shell you have rather extreme control. Now go crazy on your system.

Would this help some more (with any of the tools mentioned):

net start UI0Detect
net start trustedinstaller
C:\windows\system32\runassystem_x64 "C:\windows\system32\runfromtoken_x64 trustedinstaller.exe 1 cmd"

?

(Don't know about others, but I have set UI0Detect to manual).

And thanks joakim for the tools. :thumbup

GL

0

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now

  • Recently Browsing   0 members

    No registered users viewing this page.