RunAsSys will launch a process in the SYSTEM account (NT Authority\SYSTEM).
I am pretty sure this is the smallest RunAsSys alternative ever produced, not only because it is the first one produced in MASM (AFAIK) but also because it uses the singular approach of "stealing" the token of another service to start with, in this case the winlogon.exe service.
If you invoke RunAsSys without parameters it will show some information from within the SYSTEM account and then open a command line.
If you invoke RunAsSys with a single parameter it will assume the parameter is an application and will try to launch it in the SYSTEM account (for example, to launch notepad as System: RunAsSys notepad).
I have used the MASM32 SDK to build this application. However, kernel32.lib and advapi32.lib from the MASM32 SDK do not contain all required functions (Process32Next, Process32First, CreateProcessWithTokenW). There are various solutions, the one I have used was to replace those LIBs with others from the latest Windows 10 Kit. If you want to do the same you can download from here (https://www.cloud.vgpt.com/index.php/s/l5xNdPOyebnDlaO?path=%2Flib10.0.18362x86).
Launching RunAsSys without parameters:
(https://www.dropbox.com/s/mg1b8cbe0ynm2q4/runassys.png?dl=1)
I don't claim to understand what it has done but it runs OK here.
--------------------
nt authority\system
--------------------
PRIVILEGES INFORMATION
----------------------
Privilege Name                  Description                                   State
=============================== ============================================= ========
SeAssignPrimaryTokenPrivilege   Replace a process level token                 Disabled
SeIncreaseQuotaPrivilege        Adjust memory quotas for a process            Disabled
SeTcbPrivilege                  Act as part of the operating system           Enabled
SeSecurityPrivilege             Manage auditing and security log              Disabled
SeTakeOwnershipPrivilege        Take ownership of files or other objects      Disabled
SeLoadDriverPrivilege           Load and unload device drivers                Disabled
SeProfileSingleProcessPrivilege Profile single process                        Enabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority                  Enabled
SeCreatePermanentPrivilege      Create permanent shared objects               Enabled
SeBackupPrivilege               Back up files and directories                 Disabled
SeRestorePrivilege              Restore files and directories                 Disabled
SeShutdownPrivilege             Shut down the system                          Disabled
SeDebugPrivilege                Debug programs                                Enabled
SeAuditPrivilege                Generate security audits                      Enabled
SeSystemEnvironmentPrivilege    Modify firmware environment values            Disabled
SeChangeNotifyPrivilege         Bypass traverse checking                      Enabled
SeUndockPrivilege               Remove computer from docking station          Disabled
SeManageVolumePrivilege         Perform volume maintenance tasks              Disabled
SeImpersonatePrivilege          Impersonate a client after authentication     Enabled
SeCreateGlobalPrivilege         Create global objects                         Enabled
SeTrustedCredManAccessPrivilege Access Credential Manager as a trusted caller Disabled
Microsoft Windows [Version 10.0.17134.1069]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\WINDOWS\system32>
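As an added example (not code from the thread or from RunAsSys), here is a small Python audit that parses a privilege listing in the layout shown above (the same layout `whoami /priv` prints) and reports which privileges on that token permit token manipulation of the kind the tool relies on. The sample text is constructed from the listing above; the set of privileges it flags is my own hardening checklist, not something the thread defines.

```python
import re

# Constructed sample input: a trimmed copy of the SYSTEM token listing
# posted in the thread, in the layout that `whoami /priv` produces.
SAMPLE_PRIV_OUTPUT = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                  Description                                   State
=============================== ============================================= ========
SeAssignPrimaryTokenPrivilege   Replace a process level token                 Disabled
SeTcbPrivilege                  Act as part of the operating system           Enabled
SeDebugPrivilege                Debug programs                                Enabled
SeImpersonatePrivilege          Impersonate a client after authentication     Enabled
SeChangeNotifyPrivilege         Bypass traverse checking                      Enabled
SeBackupPrivilege               Back up files and directories                 Disabled
"""

# Privileges that let their holder obtain, duplicate or apply another
# account's token. Holding any of them is worth reviewing on a non-system
# account, whether or not it is currently enabled: a process can re-enable a
# privilege it holds (AdjustTokenPrivileges), it just cannot grant itself new ones.
TOKEN_SENSITIVE = {
    "SeDebugPrivilege": "open protected processes such as winlogon.exe",
    "SeImpersonatePrivilege": "impersonate clients / CreateProcessWithTokenW",
    "SeAssignPrimaryTokenPrivilege": "assign a primary token to a new process",
    "SeTcbPrivilege": "act as part of the OS (create arbitrary tokens)",
}

# One table row: name, free-text description, then Enabled/Disabled.
ROW = re.compile(r"^(Se\w+Privilege)\s+(.+?)\s+(Enabled|Disabled)\s*$")


def parse_privileges(text):
    """Return {privilege_name: (description, enabled_bool)} from listing text."""
    privs = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:  # header, separator and blank lines simply do not match
            privs[m.group(1)] = (m.group(2), m.group(3) == "Enabled")
    return privs


def audit_token_privileges(privs):
    """List (name, enabled, why_it_matters) for every token-sensitive
    privilege present on the token, disabled ones included."""
    return [(name, privs[name][1], why)
            for name, why in TOKEN_SENSITIVE.items() if name in privs]
```

Run it against the output of `whoami /priv` captured from a service or scheduled-task account to see which of these privileges that account already carries.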
Quote from: hutch-- on January 02, 2020, 10:20:40 PM
I don't claim to understand what it has done but it runs OK here.
These are security privileges. If a program has SeDebug, for example, then it is able to debug a program.
If you need to be an administrator (security privileges) to back up, then you need to set that.
This is not the first to be written in MASM, I have done that in XP times, but very good job sir AW. The first example that I have seen in MASM, if my memory is good, was written by a Russian who wrote a drivers tutorial, I suppose it was Four-F.
For more information about this, one can read some undocumented books; I like the one written by 3 Indians in 1998, I suppose.
Undocumented Windows NT - Prasad Dabak, M.C.S., Sandeep Phadke, M.C.S., and Milind Borate, M.C.S.
Escalation to SYSTEM is a hacker's wet dream.
But going from Administrator to SYSTEM is a legal move. So the hacker's real puzzle is escalation from Normal User to Administrator, and this is becoming harder and harder.
As Windows tightens its defenses, hackers' lives are becoming less and less pleasant, and we see more and more holes being discovered in Swiss cheeses other than Windows.
https://www.exploit-db.com/
Quote from: mineiro on January 03, 2020, 01:46:58 AM
This is not the first to be writen in masm, I have done that in XP times
I feel sorry, it did not show up in google search.
Quote from: mineiro on January 03, 2020, 01:46:58 AM
Undocumented Windows NT - Prasad Dabak, M.C.S., Sandeep Phadke, M.C.S., and Milind Borate, M.C.S.
Interesting, I have the book but never looked at the CD.
Thank you for bringing it up, I will have a look.
(https://www.dropbox.com/s/8txbw0nhentfzt5/undocumented.png?dl=1)
Hi AW,
Thanks for the tool, nice work. :thumbsup: I will test it on Windows 7.
Here is another one for Windows XP 32-bit :
http://www.masmforum.com/board/index.php?topic=12353.0
In the time of Windows XP it was already difficult: structures with divergent-size members, usually changed in the next versions of Windows. I imagine now it takes a lot of debugging and patience. I remember that in XP, if debugging privileges were enabled, then administrative privileges were also enabled. This changed from Vista onwards.
About the book, the chapter on memory management will be a big leap; I found nothing in MASM and I was not able to try that.
At the time I was helping to remove adware and malware from users' remote computers, and that's how I started reading about it. The program generated a report to be analyzed. The hard part I found was backing up while Windows was running. I don't know today what it would be like, but backing up critical parts of NT was unfeasible. And at this point I would rather take the user's machine, boot Linux or MS-DOS, mount the NTFS partition and make the changes. And here I started with drivers, but little progress ... .
I had the ntinternals website burned to a cd-rom before Microsoft bundled it, I don't know where it is.
As I say, very good job sir.
Hi mineiro,
Quote: The hard part I found was backing up while windows was running. I don't know today what it would be like, but backing up critical parts of nt was unfeasible.
Today, that's an easy task if you use the volume shadow copy service. Here is how wimlib captures a live Windows installation :
Quote: --snapshot
Create a temporary filesystem snapshot of the source directory and capture the files from it. Currently, this option is only supported on Windows, where it uses the Volume Shadow Copy Service (VSS). Using this option, you can create a consistent backup of the system volume of a running Windows system without running into problems with locked files. For the VSS snapshot to be successfully created, wimlib-imagex must be run as an Administrator, and it cannot be run in WoW64 mode (i.e. if Windows is 64-bit, then wimlib-imagex must be 64-bit as well).
https://wimlib.net/man1/wimcapture.html
Hello sir Vortex;
thanks for that information.
The place that I was working in the past bought that live bootable CD-ROM from Sysinternals, so at that time I was thinking it was impossible.
On my Win8 Pro it does not work properly - CreateProcessWithTokenW gives ERROR_SERVICE_DISABLED )-:
Quote from: Adamanteus on January 03, 2020, 11:16:58 AM
On my Win8 Pro it does not work properly - CreateProcessWithTokenW gives ERROR_SERVICE_DISABLED )-:
Nice finding, Adamanteus. I confirm it does not work in Windows 8.1, even after starting the Secondary Logon service which was given as a reason in my searching.
It works in Vista and Windows 7, though.
Quote from: Vortex on January 03, 2020, 04:55:17 AM
Here is another one for Windows XP 32-bit :
http://www.masmforum.com/board/index.php?topic=12353.0
psexec is an amazing tool. It took me a long time to understand how it achieves that functionality.
Other utilities from the Sysinternals website were supplied with source code, but not anymore: when Microsoft acquired all rights to it, it applied its policy that a good user is a dumb user and removed the learning-experience part. Some of it is still available in the Wayback Machine, though.
I fixed the problem, it was actually a bug. Now it will run from Vista till Windows 10. :biggrin:
(https://www.dropbox.com/s/7gianos1btyztbe/ruanasSys81.png?dl=1)
Hi AW,
This is a very good job. Thank you.
It does not work on Windows XP because CreateProcessWithTokenW was not available yet. But it does not work on Windows 2003 too and it was already available. I know because my company has Windows 2003 Server. Can it be made to work on Windows 2003?
It works in Windows 2003 but we will have to go through the Native API.
Something along these lines:
https://qa.1r1g.com/sf/ask/3319831021/ (starting here: 在LocalSystem(S-1-5-18)下运行的XP进程在令牌上有下一个DACL, i.e. "An XP process running under LocalSystem (S-1-5-18) has the following DACL on its token")
But, you will have to adjust a few things which are left as an exercise (i.e, I will not publish them).
(https://www.dropbox.com/s/wkc5xp4i4cuyizg/ruanasSysWin2003.png?dl=1)
PS: Knowing Chinese is not important in this case. :badgrin:
Hi AW,
Thank you. It seems very complicated, I don't know where to start or what to do. :dazzled:
Jonas,
I agree, it is indeed complicated, but the good news is that you don't need 90% of what is there.
I am completely lost. :undecided:
I am not much into native API. :nie:
Quote from: JonasS on January 26, 2020, 05:57:34 PM
I am completely lost. :undecided:
I am not much into native API. :nie:
I will post it here, just need to find it and clean it up.
This is the version using the Native API and works from Windows 2003 onwards. The Native API is needed for Windows 2003 because we have to impersonate a thread of Winlogon.exe in order to be allowed to access and duplicate its token. This does not happen in later Windows versions.
While I have used the Masm32 SDK, some libs will need to be updated (see comments in the source). There is also a structure that is wrong in Windows.inc, causing a failure that took me some time to figure out.
Quote from: AW on January 27, 2020, 05:37:45 PM
This is the version using the Native API and works from Windows 2003 onwards. The Native API is needed for Windows 2003 because we have to impersonate a thread of Winlogon.exe in order to be allowed to access and duplicate its token. This does not happen in later Windows versions.
While I have used the Masm32 SDK, some libs will need to be updated (see comments in the source). There is also a structure that is wrong in Windows.inc, causing a failure that took me some time to figure out.
Thank you SO MUCH!!!!! :thumbsup: