). DLL load-order hijacking can even be used for a privilege escalation. If the directory where the shows how malware enables its SeDebugPrivilege.Example 11-6. Setting the access token to SeDebugPrivilege
00401003 lea eax, [esp+1Ch+TokenHandle] 00401006 push eax ; TokenHandle 00401007 push (TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY) ; DesiredAccess 00401009 call ds:GetCurrentProcess 0040100F push eax ; ProcessHandle 00401010 call ds:OpenProcessToken ❶ 00401016 test eax, eax 00401018 jz short loc_401080 0040101A lea ecx, [esp+1Ch+Luid] 0040101E push ecx ; lpLuid 0040101F push offset Name ; "SeDebugPrivilege" 00401024 push 0 ; lpSystemName 00401026 call ds:LookupPrivilegeValueA 0040102C test eax, eax 0040102E jnz short loc_40103E ... 0040103E mov eax, [esp+1Ch+Luid.LowPart] 00401042 mov ecx, [esp+1Ch+Luid.HighPart] 00401046 push 0 ; ReturnLength 00401048 push 0 ; PreviousState 0040104A push 10h ; BufferLength 0040104C lea edx, [esp+28h+NewState] 00401050 push edx ; NewState 00401051 mov [esp+2Ch+NewState.Privileges.Luid.LowPt], eax ❸ 00401055 mov eax, [esp+2Ch+TokenHandle] 00401059 push 0 ; DisableAllPrivileges 0040105B push eax ; TokenHandle 0040105C mov [esp+34h+NewState.PrivilegeCount], 1 00401064 mov [esp+34h+NewState.Privileges.Luid.HighPt], ecx ❹ 00401068 mov [esp+34h+NewState.Privileges.Attributes], SE_PRIVILEGE_ENABLED ❺ 00401070 call ds:AdjustTokenPrivileges ❷
Example 11-6. Setting the access token to SeDebugPrivilege
00401003 lea eax, [esp+1Ch+TokenHandle] 00401006 push eax ; TokenHandle 00401007 push (TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY) ; DesiredAccess 00401009 call ds:GetCurrentProcess 0040100F push eax ; ProcessHandle 00401010 call ds:OpenProcessToken ❶ 00401016 test eax, eax 00401018 jz short loc_401080 0040101A lea ecx, [esp+1Ch+Luid] 0040101E push ecx ; lpLuid 0040101F push offset Name ; "SeDebugPrivilege" 00401024 push 0 ; lpSystemName 00401026 call ds:LookupPrivilegeValueA 0040102C test eax, eax 0040102E jnz short loc_40103E ... 0040103E mov eax, [esp+1Ch+Luid.LowPart] 00401042 mov ecx, [esp+1Ch+Luid.HighPart] 00401046 push 0 ; ReturnLength 00401048 push 0 ; PreviousState 0040104A push 10h ; BufferLength 0040104C lea edx, [esp+28h+NewState] 00401050 push edx ; NewState 00401051 mov [esp+2Ch+NewState.Privileges.Luid.LowPt], eax ❸ 00401055 mov eax, [esp+2Ch+TokenHandle] 00401059 push 0 ; DisableAllPrivileges 0040105B push eax ; TokenHandle 0040105C mov [esp+34h+NewState.PrivilegeCount], 1 00401064 mov [esp+34h+NewState.Privileges.Luid.HighPt], ecx ❹ 00401068 mov [esp+34h+NewState.Privileges.Attributes], SE_PRIVILEGE_ENABLED ❺ 00401070 call ds:AdjustTokenPrivileges ❷
The access token is obtained using a call to OpenProcessToken at ❶ and passing in its process handle (obtained with the call to GetCurrentProcess), and the desired access (in this case, to query and adjust privileges) are passed in. Next, the malware calls LookupPrivilegeValueA. which retrieves the locally unique identifier (LUID). The LUID is a structure that represents the specified privilege (in this case, SeDebugPrivilege).
The information obtained from OpenProcessToken and LookupPrivilegeValueA is used in the call to AdjustTokenPrivileges at ❷. A key structure, PTOKEN_PRIVILEGES, is also passed to AdjustTokenPrivileges and labeled as NewState by IDA Pro. Notice that this structure sets the low and high bits of the LUID using the result from LookupPrivilegeValueA in a two-step process seen at ❸ and ❹. The Attributes section of the NewState structure is set to SE_PRIVILEGE_ENABLED at ❺, in order to enable SeDebugPrivilege.
This combination of calls often happens before system process manipulation code. When you see a function containing this code, label it and move on. It’s typically not necessary to analyze the intricate details of the escalation method that malware uses.
Войти в систему
Войти с помощью соц. сетей:
