Python如何获取SeDebugPrivilege?

how to obtain SeDebugPrivilege in Python?

如何在Python中获得SeDebugPrivilege?我相信 Ctypes api 和 PyWin32 都可以独立完成,我不关心使用哪个 API。我在野外发现了这个损坏的代码,它可能非常接近

import win32api
import win32con
import win32security
#
def get_extra_privs():
    # Try to give ourselves some extra privs (only works if we're admin):
    # SeBackupPrivilege   - so we can read anything
    # SeDebugPrivilege    - so we can find out about other processes (otherwise OpenProcess will fail for some)
    # SeSecurityPrivilege - ??? what does this do?
    
    # Problem: Vista+ support "Protected" processes, e.g. audiodg.exe.  We can't see info about these.
    # Interesting post on why Protected Process aren't really secure anyway: http://www.alex-ionescu.com/?p=34
    
    th = win32security.OpenProcessToken(win32api.GetCurrentProcess(), win32con.TOKEN_ADJUST_PRIVILEGES | win32con.TOKEN_QUERY)
    TokenPrivileges = 1
    privs = win32security.GetTokenInformation(th, TokenPrivileges)
    newprivs = []
    for privtuple in privs:
        if privtuple[0] == win32security.LookupPrivilegeValue(remote_server, "SeBackupPrivilege") or privtuple[0] == win32security.LookupPrivilegeValue(remote_server, "SeDebugPrivilege") or privtuple[0] == win32security.LookupPrivilegeValue(remote_server, "SeSecurityPrivilege"):
            print ("Added privilege " + str(privtuple[0]))
            # privtuple[1] = 2 # tuples are immutable.  WHY?!
            newprivs.append((privtuple[0], 2)) # SE_PRIVILEGE_ENABLED
        else:
            newprivs.append((privtuple[0], privtuple[1]))
                
    # Adjust privs
    privs = tuple(newprivs)
    str(win32security.AdjustTokenPrivileges(th, False , privs)) 

但它崩溃了

  File "C:\cygwin64\home\hans\tibia\pybot\pybot.py", line 11, in init
    processStuff.get_extra_privs()
  File "C:\cygwin64\home\hans\tibia\pybot\processStuff.py", line 20, in get_extra_privs
    if privtuple[0] == win32security.LookupPrivilegeValue(remote_server, "SeBackupPrivilege") or privtuple[0] == win32security.LookupPrivilegeValue(remote_server
, "SeDebugPrivilege") or privtuple[0] == win32security.LookupPrivilegeValue(remote_server, "SeSecurityPrivilege"):
TypeError: 'PySID' object is not subscriptable

问题:

codee00.py:

#!/usr/bin/env python

import sys

import win32api as wapi
import win32con as wcon
import win32security as wsec


PRIV_NAMES = (
    wsec.SE_BACKUP_NAME,
    wsec.SE_DEBUG_NAME,
    wsec.SE_SECURITY_NAME,
)


def enable_privs(remote_server=None, priv_names=PRIV_NAMES):
    priv_ids = sorted(wsec.LookupPrivilegeValue(remote_server, e) for e in priv_names)
    print("Privileges to be enabled IDs:", priv_ids)
    tok = wsec.OpenProcessToken(wapi.GetCurrentProcess(), wcon.TOKEN_ADJUST_PRIVILEGES | wcon.TOKEN_QUERY)
    proc_privs = wsec.GetTokenInformation(tok, wsec.TokenPrivileges)
    print("Existing process privileges:", proc_privs)
    new_proc_privs = []
    need_change = False
    for proc_priv in proc_privs:
        if proc_priv[0] in priv_ids:
            print("Checking privilege " + str(proc_priv[0]))
            if proc_priv[1] != wcon.SE_PRIVILEGE_ENABLED:
                need_change = True
            new_proc_privs.append((proc_priv[0], wcon.SE_PRIVILEGE_ENABLED))
        else:
            new_proc_privs.append(proc_priv)
    print("New process privileges:", new_proc_privs)
    if need_change:
        modif_privs = wsec.AdjustTokenPrivileges(tok, False, new_proc_privs)
        res = wapi.GetLastError()
        print("Changed privileges:", modif_privs)  # Changed ones
        if res != 0:
            print("Error (partial) setting privileges:", res)
    else:
        print("Already set")
    #wsec.GetTokenInformation(tok, wsec.TokenPrivileges)  # To compare with proc_privs
    wapi.CloseHandle(tok)


def main(*argv):
    enable_privs()


if __name__ == "__main__":
    print("Python {:s} {:03d}bit on {:s}\n".format(" ".join(elem.strip() for elem in sys.version.split("\n")),
                                                   64 if sys.maxsize > 0x100000000 else 32, sys.platform))
    rc = main(*sys.argv[1:])
    print("\nDone.")
    sys.exit(rc)

输出:

[cfati@CFATI-5510-0:e:\Work\Dev\Whosebug\q072193556]> "e:\Work\Dev\VEnvs\py_pc064_03.09_test0\Scripts\python.exe" code00.py
Python 3.9.9 (tags/v3.9.9:ccb0e6a, Nov 15 2021, 18:08:50) [MSC v.1929 64 bit (AMD64)] 064bit on win32

Privileges to be added IDs: [17, 20, 8]
Existing process privileges: ((2, 0), (3, 0), (4, 0), (5, 0), (7, 0), (8, 2), (9, 0), (10, 0), (11, 0), (12, 0), (13, 0), (14, 0), (15, 0), (16, 0), (17, 0), (18, 0), (19, 0), (20, 0), (21, 0), (22, 0), (23, 3), (24, 0), (25, 0), (26, 0), (28, 0), (29, 3), (30, 3), (31, 0), (32, 0), (33, 0), (34, 0), (35, 0), (36, 0))
Checking privilege 8
Checking privilege 17
Checking privilege 20
New process privileges: [(2, 0), (3, 0), (4, 0), (5, 0), (7, 0), (8, 2), (9, 0), (10, 0), (11, 0), (12, 0), (13, 0), (14, 0), (15, 0), (16, 0), (17, 2), (18, 0), (19, 0), (20, 2), (21, 0), (22, 0), (23, 3), (24, 0), (25, 0), (26, 0), (28, 0), (29, 3), (30, 3), (31, 0), (32, 0), (33, 0), (34, 0), (35, 0), (36, 0)]
Changed privileges: ((17, 0), (20, 0))

Done

[cfati@CFATI-5510-0:e:\Work\Dev\Whosebug\q072193556]> :: Attempt running as non Administrator user
[cfati@CFATI-5510-0:e:\Work\Dev\Whosebug\q072193556]> runas /user:test "cmd /k e:\Work\Dev\VEnvs\py_pc064_03.09_test0\Scripts\python.exe %CD%\code00.py"
Enter the password for test:
Attempting to start cmd /k e:\Work\Dev\VEnvs\py_pc064_03.09_test0\Scripts\python.exe e:\Work\Dev\Whosebug\q072193556\code00.py as user "CFATI-5510-0\test" ...

以及新启动的终端:

Python 3.9.9 (tags/v3.9.9:ccb0e6a, Nov 15 2021, 18:08:50) [MSC v.1929 64 bit (AMD64)] 064bit on win32

Privileges to be enabled IDs: [8, 17, 20]
Existing process privileges: ((19, 0), (23, 3), (25, 0), (33, 0), (34, 0))
New process privileges: [(19, 0), (23, 3), (25, 0), (33, 0), (34, 0)]
Already set

Done.

至于最终目标(增加额外的新特权-问题中没有明确说明):

  • 无法完成,这是完全有道理的,因为一个非特权进程能够授予自己(管理)特权,将击败整个 Windows 安全(特权和权利)机制的目的

    • 即使有人尝试向现有列表添加新的权限条目(这自动暗示当前代码存在设计缺陷),AdjustTokenPrivileges 也会(默默地)失败 ERROR_NOT_ALL_ASSIGNED (1300)。检查 [MS.Docs]: Changing Privileges in a Token 了解更多详情