jaclaz Posted March 21, 2012
Usual semi-random idea. Doesn't 7 have the tasklist command?
http://technet.microsoft.com/en-us/library/bb491010.aspx
Something along the lines of:

@ECHO OFF
SETLOCAL ENABLEEXTENSIONS
SET Process_Name=trustedinstaller
REM FIND wants its search string in double quotes; tokens 1,2 are image name and PID
FOR /F "tokens=1,2" %%A IN ('tasklist ^|FIND /i "%Process_Name%"') DO ECHO %%B
PAUSE

might do.
jaclaz
dencorso Posted March 21, 2012
Of course it has! But since you're at it, one of your wonderful batches to automate fully the operations described in post #30 by fdv, incorporating your idea of using Tasklist, would be really handy, if you can find time for creating it...
jaclaz Posted March 21, 2012
Of course it has! But since you're at it, one of your wonderful batches to automate fully the operations described in post #30 by fdv, incorporating your idea of using Tasklist, would be really handy, if you can find time for creating it...

But I have no handy 7 system, so I cannot check if it works, if the strings are correct, etc.
If someone verifies that

tasklist |FIND /i "trustedinstaller"

finds the task and produces the right PID, and which actual name the "Windows Modules Installer" service has, and that the commands:

sc query <name_of_Windows_Modules_Installer>

and

sc start <name_of_Windows_Modules_Installer>

or

net start <name_of_Windows_Modules_Installer>

work and that the output for the running service is similar to this:

sc query wuauserv

SERVICE_NAME: wuauserv
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

I guess it can be done all right.
jaclaz
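The verification jaclaz asks for above, worked through as an added example that is not part of the thread: a small Python script that parses constructed samples of "tasklist" and "sc query" output the same way the "tasklist | FIND /i ..." and "sc query ... | FIND /i RUNNING" pipelines do. Every PID, service value and process name in the samples is made up. The exact-name matcher is included to show the one caveat of the FIND approach: a substring match also catches any other row that merely contains the string, so the script compares the full image name before trusting the PID.

```python
import re

# Constructed sample of `tasklist` output (made-up PIDs and memory figures),
# laid out in the columns tasklist prints on Windows 7.
TASKLIST_OUTPUT = """
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Services                   0         24 K
svchost.exe                    732 Services                   0     12,344 K
TrustedInstaller.exe          2148 Services                   0      8,120 K
NotTrustedInstaller.exe       3300 Console                    1      4,000 K
"""

# Constructed `sc query` output for a running and a stopped service; the
# values are samples, not taken from a real machine.
SC_RUNNING = """
SERVICE_NAME: TrustedInstaller
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
"""

SC_STOPPED = """
SERVICE_NAME: TrustedInstaller
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
"""

# One tasklist data row: image name (may contain spaces), PID, session name,
# session number, memory usage. The header and separator rows contain no
# digits in the right places and therefore never match.
_ROW = re.compile(
    r"^(?P<image>.+?)\s+(?P<pid>\d+)\s+(?P<session>\S+)\s+\d+\s+[\d,]+ K\s*$"
)


def substring_matches(tasklist_text, needle):
    """Emulate `tasklist | FIND /i "needle"`: every data row whose text
    contains the needle, case-insensitively. Returns the image names hit."""
    names = []
    for line in tasklist_text.splitlines():
        if needle.lower() in line.lower():
            m = _ROW.match(line)
            if m:
                names.append(m.group("image").strip())
    return names


def find_pids(tasklist_text, image_name):
    """Return the PIDs of rows whose image name equals image_name exactly
    (case-insensitively), so look-alike names are not picked up."""
    pids = []
    for line in tasklist_text.splitlines():
        m = _ROW.match(line)
        if m and m.group("image").strip().lower() == image_name.lower():
            pids.append(int(m.group("pid")))
    return pids


def service_state(sc_text):
    """Parse the STATE field of `sc query` output into (code, name), e.g.
    (4, 'RUNNING'). Works on the real multi-line layout and on output that
    was flattened onto one line. Returns None if no STATE field is found."""
    m = re.search(r"\bSTATE\s*:\s*(\d+)\s+([A-Z_]+)", sc_text)
    return (int(m.group(1)), m.group(2)) if m else None


def is_running(sc_text):
    """True when the service reports state 4 RUNNING, which is what the
    `FIND /i "RUNNING"` test in the batch versions is meant to detect."""
    state = service_state(sc_text)
    return state is not None and state[0] == 4


if __name__ == "__main__":
    print("FIND-style matches:", substring_matches(TASKLIST_OUTPUT, "trustedinstaller"))
    print("Exact PIDs:", find_pids(TASKLIST_OUTPUT, "trustedinstaller.exe"))
    print("Running:", is_running(SC_RUNNING), is_running(SC_STOPPED))
```

Run on the samples, the FIND-style search returns both TrustedInstaller.exe and the look-alike NotTrustedInstaller.exe, while find_pids returns only 2148; in a batch file the equivalent is to compare %%A against the full image name instead of relying on FIND alone.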
joakim Posted April 8, 2012
On my windows api journey, I discovered this neat little tool that achieves kind of the same thing, just very differently (and less complicated): http://developex.com/custom-software/devxexec.html
It is based on token duplication and not remote threads as I described.
dencorso Posted April 9, 2012
Great find, joakim! Thanks a lot! Yet I do ask myself whether your original solution, although much more complicated, does not, in fact, yield a more complete impersonation of TI... Of course, that can only be answered by time and good testing.
joakim Posted April 9, 2012
I think the impersonation is complete, but because of the session separation it is not possible to interact with the process. That was the reason for using tcp/ip for the communication. What is it that you can't do, except interacting with a GUI? The process in my solution originates from a remote thread inside the TI process, and for that reason it should be identical in terms of privs and rights. The other solution is different in that the created and duplicated token has its session id modified, which means you can interact with it directly (including GUIs, I presume).
dencorso Posted April 9, 2012
At first sight both solutions should be equivalent, in most relevant cases, that's true. In any case, the most obvious use is to modify the registry unhampered. And, what's more wonderful is that, when fdv started this thread, we had no solution to the problem, and now, thanks to you, we actually have *two*!
RobW Posted June 27, 2012
Based on the previous answers, I've created a batch script which opens a cmd screen under TrustedInstaller.exe. But since TrustedInstaller.exe is running under SYSTEM, I'm not sure how the method gives me the permissions of TrustedInstaller.
The script has been tested in Windows 7 and 8 x86. Instead of injecting "cmd", I inject a batch file which slightly modifies the output, because otherwise the command is returned twice. For example:

C:\>@echo test
@echo test
test

The script uses ncat from nmap.org and Session0Injector. The script expects these dependencies to be located in a subfolder called "deps".

runasti.cmd - Has to be run as administrator:

:: Inspired by http://www.msfn.org/board/topic/155910-taking-back-the-registry-from-trustedinstaller/page__st__20#entry993083
:: This is the 32bit version. For 64bits, change Session0Cmd to Session0Cmd_x64
:: Edit this script to execute a shell under any process, replace "trustedinstaller" in FIND with ...
:: Run as ADMINISTRATOR
:: Pick a random port between 10000 and 42767 and assume that it's free.
@SET /A PORT=%random% + 10000
@SET Session0Cmd=%~dp0deps\Session0Cmd.exe
@SET NETCAT=%~dp0deps\ncat.exe
@SET EXECUTE=%~dp0init.cmd
@echo off
IF NOT EXIST "%Session0Cmd%" (
    echo Session0Injector is required.
    echo Get it from http://reboot.pro/files/download/171-payload-execution-tools/
    goto:eof
)
IF NOT EXIST "%NETCAT%" (
    echo Ncat is required.
    echo Get it from http://nmap.org/ncat/
    goto:eof
)
echo Starting TrustedInstaller if not started...
SC query "trustedinstaller" | FIND /i "RUNNING" > NUL || NET start TrustedInstaller
SETLOCAL EnableDelayedExpansion
echo Getting PID for TrustedInstaller.exe...
:: tokens 2,3 of a tasklist row are the PID and the session name; only the PID is kept
FOR /F "tokens=2,3" %%P in ('tasklist ^|FIND /i "trustedinstaller"') DO SET PID=%%P
IF "%PID%"=="" (
    echo Pid not found. Cannot continue.
) ELSE (
    :: the closing parenthesis is escaped so it does not end the ELSE block
    echo Starting server (logging messages at %%tmp%%\runasti.log^)
    "%Session0Cmd%" %PID% "%NETCAT% -l -p %PORT% -e %EXECUTE%" >> "%tmp%\runasti.log"
    echo Connecting server...
    "%NETCAT%" localhost %PORT%
)
ENDLOCAL

init.cmd - This script will be injected in the process, and spawn a new cmd.

:: Set token file. When this file is deleted, all children should terminate
@set token=%tmp%\ti_shell_%random%
@type nul > "%token%"
:keepalive
@cmd /c ""%~dp0subshell.cmd" token "%token%"" 2>&1
:: The subshell will die for syntax errors. Keep reviving, unless the token file has been deleted.
@if exist "%token%" @goto:keepalive

subshell.cmd - This one processes commands. When a syntax error occurs (e.g. using a pipe as a command), the batch script terminates. That's why I chose to run a main batch process, which starts child processes. This behaviour is controlled by a temporary file in %tmp%: when this file is deleted, the main process assumes that the user issued "exit".

@echo off
:: This script should never run without parent
@if not "%~1"=="token" goto:eof
@setlocal EnableDelayedExpansion
@for /f "tokens=*" %%u in ('whoami') do echo Running as %%u
:: Add this script's own directory to the search path
@set Path=%path%;%~dp0
:repeat
@if not exist "%~f2" goto:eof
:: Get user input
@set command=
@set /p command=*%cd%^>
:: When command is "exit", delete token file and exit
@if /i "!command:~0,4!"=="exit" del "%~f2" && goto:eof
:: Execute command, and repeat
@for /f "tokens=*" %%C in ('echo %command%') do @%%C
@goto:repeat
dencorso Posted June 27, 2012
That's great news! And welcome to MSFN!
jaclaz Posted June 28, 2012
Very good work RobW.
OT, and only "marginally" related, but still *somehow* connected:
http://p-nand-q.com/gtools/grootshell.html
Still "up to XP only", but maybe it can be tweaked/used/adapted for later NT based OS's.
jaclaz
GrofLuigi Posted July 24, 2012 (edited)
On my windows api journey, I discovered this neat little tool that achieves kind of the same thing, just very differently (and less complicated): http://developex.com/custom-software/devxexec.html It is based on token duplication and not remote threads as I described.

Devxexec works very well. It can launch cmd.exe or regedit.exe as Trusted Installer or as System. I don't really need anything more for my sabotages against the system.
GL
Edited July 24, 2012 by GrofLuigi
GrofLuigi Posted August 3, 2012 (edited)
Wouldn't the simplest solution be to grant ourselves full privileges under the key:

HKEY_LOCAL_MACHINE\SECURITY\Policy\Accounts\S-1-5-21-645709764-2570854657-2333822770-500\Privilgs

or whatever the SID of our account is? But one has to figure out first what the format of the key is, or, if brave enough, to copy the registry value from another overprivileged account.
I imagine it as a quick guerrilla operation: change permissions, get in, change value, get out, restore permissions. What do you guys think about that?
GL
Edited August 3, 2012 by GrofLuigi
dencorso Posted September 28, 2012
This is just to provide an update to those of you who don't usually follow things on reboot.pro... Heads up, friends, there's good news!!! joakim has kept working on this matter, and has released two very interesting apps there, at the thread: "RunasSystem and RunFromToken".
Thanks joakim, you do rock!
CharlotteTheHarlot Posted September 28, 2012
This is just to provide an update to those of you who don't usually follow things on reboot.pro... Heads up, friends, there's good news!!! joakim has kept working on this matter, and has released two very interesting apps there, at the thread: "RunasSystem and RunFromToken". Thanks joakim, you do rock!

Thanks for the tip!
GrofLuigi Posted September 29, 2012
(just theoretical, haven't tried it yet)
On one of my systems I have this simple batch on my desktop to get quick access to my special power cmd:

net start trustedinstaller
C:\windows\system32\runassystem_x64 "C:\windows\system32\runfromtoken_x64 trustedinstaller.exe 1 cmd"

With that command shell you have rather extreme control. Now go crazy on your system.
Would this help some more (with any of the tools mentioned):

net start UI0Detect
net start trustedinstaller
C:\windows\system32\runassystem_x64 "C:\windows\system32\runfromtoken_x64 trustedinstaller.exe 1 cmd"

?
(Don't know about others, but I have set UI0Detect to manual.)
And thanks joakim for the tools.
GL