RunAsSys

[aw27]

RunAsSys will launch a process in the SYSTEM account (NT Authority\SYSTEM).
I am pretty sure this is the smallest RunAsSys alternative ever produced, not only because is the first one produced in MASM (AFAIK) but also because it uses the singular approach of "stealing" the token of another service to start with, in this case the winlogon.exe service.

If you invoke RunAsSys without parameters it will show some information from within the SYSTEM account and then open a command line.
If you invoke RunAsSys with a single parameter it will assume the parameter is an application and will try to launch it in the SYSTEM account (for example, to launch notepad as System: RunAsSys notepad)

I have used the MASM32 SDK to build this application. However, kernel32.lib and advapi32.lib from the MASM32 SDK do not contain all required functions (Process32Next, Process32First, CreateProcessWithTokenW). There are various solutions, the one I have used was to replace those LIBs with others from the latest Windows 10 Kit. If you want to do the same you can download from here.

Launching RunAsSys without parameters:

[hutch--]

I don't claim to understand what it has done but it runs OK here.

--------------------
nt authority\system
--------------------

PRIVILEGES INFORMATION
----------------------

Privilege Name                  Description                                   State
=============================== ============================================= ========
SeAssignPrimaryTokenPrivilege   Replace a process level token                 Disabled
SeIncreaseQuotaPrivilege        Adjust memory quotas for a process            Disabled
SeTcbPrivilege                  Act as part of the operating system           Enabled
SeSecurityPrivilege             Manage auditing and security log              Disabled
SeTakeOwnershipPrivilege        Take ownership of files or other objects      Disabled
SeLoadDriverPrivilege           Load and unload device drivers                Disabled
SeProfileSingleProcessPrivilege Profile single process                        Enabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority                  Enabled
SeCreatePermanentPrivilege      Create permanent shared objects               Enabled
SeBackupPrivilege               Back up files and directories                 Disabled
SeRestorePrivilege              Restore files and directories                 Disabled
SeShutdownPrivilege             Shut down the system                          Disabled
SeDebugPrivilege                Debug programs                                Enabled
SeAuditPrivilege                Generate security audits                      Enabled
SeSystemEnvironmentPrivilege    Modify firmware environment values            Disabled
SeChangeNotifyPrivilege         Bypass traverse checking                      Enabled
SeUndockPrivilege               Remove computer from docking station          Disabled
SeManageVolumePrivilege         Perform volume maintenance tasks              Disabled
SeImpersonatePrivilege          Impersonate a client after authentication     Enabled
SeCreateGlobalPrivilege         Create global objects                         Enabled
SeTrustedCredManAccessPrivilege Access Credential Manager as a trusted caller Disabled

Microsoft Windows [Version 10.0.17134.1069]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>

[mineiro]

I don't claim to understand what it has done but it runs OK here.

These are security priviledges. If a program have Sedebug as an example, so it is able to debug a program.
If you need to be an administrator (security priviledges) to backup so you need set that.

This is not the first to be writen in masm, I have done that in XP times, but very good job sir AW. The first example that I have see in masm if my memory is good was written by a russian that wrote drivers tutorial, I suppose was FourF.

To more information about this persons can read some undocumented books, I like the one write by 3 indians in 1998 I suppose.
Undocumented Windows NT - Prasad Dabak, M.C.S., Sandeep Phadke, M.C.S., and Milind Borate, M.C.S.

[aw27]

Escalation to SYSTEM is a hacker's wet dream.
But going from Administrator to SYSTEM is a legal move. So the hacker real puzzle is escalation from Normal User to Administrator - this is becoming harder and harder.
As Windows tightens its defenses, hacker's lives are becoming less and less pleasant and we assist more and more holes being discovered in Swiss cheeses other than Windows.
https://www.exploit-db.com/

This is not the first to be writen in masm, I have done that in XP times

I feel sorry, it did not show up in google search.

Undocumented Windows NT - Prasad Dabak, M.C.S., Sandeep Phadke, M.C.S., and Milind Borate, M.C.S.

Interesting, have the book never looked at the CD.
Thank you for bringing it up, I will have a look.

[Vortex]

Hi AW,

Thanks for the tool, nice work. I will test it on Windows 7.

Here is another one for Windows XP 32-bit :

http://www.masmforum.com/board/index.php?topic=12353.0

[mineiro]

In the time of windows XP was already difficult, structures with divergent size members, usually changed in the next versions of windows, I imagine now, a lot of debugging and patience. I remember that in XP if debugging privileges were enabled then administrative privileges were also enabled. This changed in Vista to up.

About the book, the chapter on memory management will be a big leap, I found nothing in masm and I was not able to try that.

At the time I was helping to remove adware and malware from users' remote computers, and that's how I started reading about. The program generated a report to be analyzed. The hard part I found was backing up while windows was running. I don't know today what it would be like, but backing up critical parts of nt was unfeasible. And at this point I would rather take the user's machine, boot linux or ms-dos, mount the ntfs partition and make the changes. And here I started with drivers, but few progress ... .
I had the ntinternals website burned to a cd-rom before Microsoft bundled it, I don't know where it is.

As I say, very good job sir.

[Vortex]

Hi mineiro,

The hard part I found was backing up while windows was running. I don't know today what it would be like, but backing up critical parts of nt was unfeasible.

Today, that's an easy task if you use the volume shadow copy service. Here is how wimlib captures a live Windows installation :

--snapshot

Create a temporary filesystem snapshot of the source directory and capture the files from it. Currently, this option is only supported on Windows, where it uses the Volume Shadow Copy Service (VSS). Using this option, you can create a consistent backup of the system volume of a running Windows system without running into problems with locked files. For the VSS snapshot to be successfully created, wimlib-imagex must be run as an Administrator, and it cannot be run in WoW64 mode (i.e. if Windows is 64-bit, then wimlib-imagex must be 64-bit as well).

https://wimlib.net/man1/wimcapture.html

[mineiro]

Hello sir Vortex;
thanks for that information.
The place that I was working in past buy that live bootable cd rom from sysinternals, so, in that time I was thinking that's impossible.

[Adamanteus]

On my Win8 Pro not works properly - CreateProcessWithTokenW gives ERROR_SERVICE_DISABLED )-:

[aw27]

On my Win8 Pro not works properly - CreateProcessWithTokenW gives ERROR_SERVICE_DISABLED )-:

Nice finding, Adamanteus. I confirm it does not work in Windows 8.1, even after starting the Secondary Logon service which was given as a reason in my searching.
It works in Vista and Windows 7, though.

Here is another one for Windows XP 32-bit :
http://www.masmforum.com/board/index.php?topic=12353.0

psexec is an amazing tool. It took me a long time to understand how it achieves that functionality.
Other utilities from the Sysinternals website were supplied with source code, not anymore, when Microsoft acquired all rights to it, applied its policy that a good user is a dumb user and removed the learning experience part. Some of it is still available in the wayback machine, though.

[aw27]

I fixed the problem, it was actually a bug. Now it will run from Vista till Windows 10. 

[JonasS]

Hi AW,

This is a very good job. Thank you.
It does not work on Windows XP because CreateProcessWithTokenW was not available yet. But it does not work on Windows 2003 too and it was already available. I know because my company has Windows 2003 Server. Can it be made to work on Windows 2003?

[aw27]

It works in Windows 2003 but we will have to go through the Native API.
Something along this lines:
https://qa.1r1g.com/sf/ask/3319831021/   (starting here: 在LocalSystem(S-1-5-18)下运行的XP进程在令牌上有下一个DACL)
But, you will have to adjust a few things which are left as an exercise (i.e, I will not publish them).



PS: Knowing Chinese is not important in this case. 

[JonasS]

Hi AW,

Thank you. It seems very complicated, I don't know where to start what to do. 

[aw27]

Jonas,

I agree, it is indeed complicated, but the good news is that you don't need 90% of what is there.