vx-underground -- Contact -- https://twitter.com/vxunderground email@example.com
Imagine a situation. You're running under the security context of a non-administrator user, but you have the admin password (how to gain it, see my next article). You have the privileges you need, and now you are thinking about what to do with it? The answer for you is impersonation.
Let's have a look at the MSDN definition of impersonation: "Impersonation is the ability of a thread to execute using different security information than the process that owns the thread."
There exist many types of impersonation, e.g. DDE, named-pipe, RPC impersonation etc. Generally impersonation is used when a server needs to act for a while as the client. But we will use this method to declare our thread an admin one and to create admin processes ...
If you want to impersonate a running thread, the only privilege you need is SeTcbPrivilege. However, if you want to create a new process under a different security context, you need SeAssignPrimaryTokenPrivilege, SeIncreaseQuotaPrivilege and SeTcbPrivilege too.
An impersonation scenario may look like this:
Your virus is run under the administrator user account. It adds the needed privileges to Everyone and installs a trojan to get admin passwords. Later, when run under a normal user account, it impersonates the admin one and works normally, as if it were run under the admin account.
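The rights named above (SeTcbPrivilege, SeAssignPrimaryTokenPrivilege, SeIncreaseQuotaPrivilege) are exactly what the scenario's first step hands out to Everyone, so the defender's counterpart is to audit who holds them. The following PowerShell is an added example, not code from the original article: it exports the local User Rights Assignment with `secedit` and flags well-known broad principals. It also lists SeImpersonatePrivilege, the right that current Windows versions check for impersonation, which the article (written for an older Windows) does not mention. The temp file name and the "too broad" SID list are choices made here; run it from an elevated prompt.

```powershell
# Added example, not part of the original article: report who holds the
# user rights impersonation and cross-account process creation depend on.
function Get-SensitiveUserRights {
    $rightsOfInterest = 'SeTcbPrivilege', 'SeAssignPrimaryTokenPrivilege',
                        'SeIncreaseQuotaPrivilege', 'SeImpersonatePrivilege'
    # Broad principals that should never hold these rights (list chosen here);
    # a policy that "adds the needed privileges to Everyone" shows up as TooBroad.
    $broadSids = @{ 'S-1-1-0' = 'Everyone'; 'S-1-5-11' = 'Authenticated Users'; 'S-1-5-32-545' = 'Users' }

    $cfg = Join-Path $env:TEMP 'user-rights-audit.inf'   # scratch file, name chosen here
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $seen = @{}
    try {
        foreach ($line in Get-Content -Path $cfg) {
            # Export lines look like: SeTcbPrivilege = *S-1-5-32-544,*S-1-5-19
            if ($line -notmatch '^\s*(Se\w+)\s*=\s*(.*)$') { continue }
            $right = $Matches[1]; $value = $Matches[2]
            if ($rightsOfInterest -notcontains $right) { continue }
            $seen[$right] = $true
            foreach ($entry in ($value -split ',')) {
                $entry = $entry.Trim()
                if (-not $entry) { continue }
                $sid  = $entry.TrimStart('*')          # secedit prefixes SIDs with '*'
                $name = $entry
                if ($entry.StartsWith('*')) {
                    try {
                        $name = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                                    [System.Security.Principal.NTAccount]).Value
                    } catch { $name = $sid }            # orphaned SID: keep it raw
                }
                [pscustomobject]@{
                    Right     = $right
                    Principal = $name
                    Sid       = $sid
                    TooBroad  = $broadSids.ContainsKey($sid)
                }
            }
        }
        # secedit omits rights that nobody holds; say so explicitly.
        foreach ($right in $rightsOfInterest) {
            if (-not $seen.ContainsKey($right)) {
                [pscustomobject]@{ Right = $right; Principal = '(nobody)'; Sid = ''; TooBroad = $false }
            }
        }
    } finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }
}

Get-SensitiveUserRights | Sort-Object Right, Principal | Format-Table -AutoSize
```

Any row with TooBroad set to True, or SeTcbPrivilege held by anything other than "(nobody)" on a workstation, is worth explaining; the default assignments only hand SeAssignPrimaryTokenPrivilege and SeIncreaseQuotaPrivilege to Administrators and the service accounts.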
First of all you might want to know whether your process runs under an account that is a member of the Administrators group or not (it's useless to impersonate the admin when you're admin too :)). This little code snippet may help you ...
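The membership check described above has a modern wrinkle the article predates: under UAC a non-elevated administrator process gets a filtered token in which the Administrators group is present but marked "deny only", so a naive check answers "yes" and an effective check answers "no". The following PowerShell is an added example, not the article's snippet: it reports both answers plus the thread's impersonation level, which becomes non-trivial once ImpersonateLoggedOnUser has been called.

```powershell
# Added example, not part of the original article: is this process a member of
# the built-in Administrators group, and is that membership actually in effect?
function Get-AdminContext {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)

    # Effective check: IsInRole ignores deny-only SIDs, so a non-elevated
    # administrator gets $false here.
    $isElevated = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

    # Raw membership: whoami lists the Administrators SID (S-1-5-32-544) even
    # when UAC has turned it into a deny-only entry.
    $adminEntry = whoami /groups /fo csv | ConvertFrom-Csv |
                  Where-Object { $_.SID -eq 'S-1-5-32-544' }

    [pscustomobject]@{
        User               = $identity.Name
        IsAdminGroupMember = [bool]$adminEntry
        FilteredByUac      = [bool]$adminEntry -and ($adminEntry.Attributes -match 'deny only')
        IsElevated         = $isElevated
        # None for a plain thread; Impersonation/Delegation while impersonating
        ImpersonationLevel = $identity.ImpersonationLevel
    }
}

Get-AdminContext
```

Because WindowsIdentity.GetCurrent() returns the thread token while the thread is impersonating, calling this before and after an impersonation shows the identity change directly.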
Let's have an account "administrator" with the password "fucker". First of all we have to log in this user. For this we will use the LogonUser function, which is exported by advapi32.dll. Let's have a look at the prototype:
In phToken we will receive the token handle, which we'll need later. The logon provider will be null (i.e. the default). The logon type is LOGON32_LOGON_INTERACTIVE, and the password and user name are obvious. The domain will be null. Now let's see the code.
Logging in a user
If everything went fine, we have an impersonation token. Now we will use the ImpersonateLoggedOnUser function, which will finally declare our thread an impersonating one. The function takes one parameter: the token.
Impersonating a user
Now our thread runs under the administrator's privileges. We can do all we need, and later, when we are finished with the admin stuff and want to get back our own security context, we just call the RevertToSelf function ...
Creating a new process under impersonated security context
First of all we have to log in as in the previous case; just use the same code as presented in "Logging in a user". We will use the CreateProcessAsUser function, which is again exported by advapi32.dll. This API is almost the same as CreateProcess, but it takes one more parameter: the token.
Creating an admin process
This snippet will run an instance of the command interpreter, which will run under the administrator security context ...
As you might see, impersonation is a very powerful thingy. The only weak point is the passwords. But if you find a good way to get the password (e.g. a trojan horse) then it will be your best friend :)
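Both API calls the article relies on leave a trail in the Security log: LogonUser with explicit credentials produces event 4648 ("A logon was attempted using explicit credentials"), whose Subject is the calling account and whose Target is the account whose password was used, and CreateProcessAsUser produces a 4688 process-creation event whose Target Subject differs from the creator. The following PowerShell is an added example, not code from the original article: it pulls both event types from the last N hours and keeps only cross-account cases. It assumes the "Audit Logon" and "Audit Process Creation" subcategories are enabled and is run from an elevated prompt; the field names are the standard EventData names of those two events.

```powershell
# Added example, not part of the original article: triage Security-log events
# left behind by explicit-credential logons (4648) and by processes created
# under a token that belongs to another account (4688 with a Target Subject).

function ConvertFrom-EventData {
    # Flatten the <EventData><Data Name=...> elements into a hashtable
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $data = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($item in $xml.Event.EventData.Data) { $data[$item.Name] = $item.'#text' }
    $data
}

function Get-CrossAccountActivity {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)

    # 4648: a process handed the system a user name and password (LogonUser, runas, ...).
    # Keep only the article's shape: the caller and the account used differ.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4648; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ConvertFrom-EventData $_
        [pscustomobject]@{
            Time            = $_.TimeCreated
            Event           = 'ExplicitCredentialLogon'
            Caller          = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            RunsAs          = "$($d.TargetDomainName)\$($d.TargetUserName)"
            CallerProcess   = $d.ProcessName
            CallerProcessId = [Convert]::ToInt32($d.ProcessId, 16)   # logged as 0x... hex
            NewProcess      = $null
        }
    } | Where-Object { $_.Caller -ne $_.RunsAs }

    # 4688: Target Subject is filled in when the new process runs as someone
    # other than its creator, which is what CreateProcessAsUser produces.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ConvertFrom-EventData $_
        if ($d.TargetUserName -and $d.TargetUserName -ne '-' -and $d.TargetUserName -ne $d.SubjectUserName) {
            [pscustomobject]@{
                Time            = $_.TimeCreated
                Event           = 'ProcessCreatedAsOtherUser'
                Caller          = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                RunsAs          = "$($d.TargetDomainName)\$($d.TargetUserName)"
                CallerProcess   = $d.ParentProcessName
                CallerProcessId = [Convert]::ToInt32($d.ProcessId, 16)
                NewProcess      = $d.NewProcessName
            }
        }
    }
}

Get-CrossAccountActivity -Hours 24 | Sort-Object Time | Format-Table -AutoSize
```

Legitimate sources of these rows exist (runas, scheduled tasks, service control), so the useful signal is the CallerProcess column: a 4648 raised by an unexpected executable in a user's profile, followed by a 4688 whose NewProcess is a command interpreter running as an administrator, is the sequence this article describes.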