понедельник, 30 апреля 2012 г.

process token hijaqing

I was asked yesterday - wincheck now is able to detect only process token hijaqed from system process but what if somebody want to steal token of some other privileged process ?
I think it`s easy to detect from wincheck log with some simple perl script like this one:
#!perl -w
# Lame script to check processes token hijaq
# 30 Apr 2012 (C) RedPlait 
use strict;
use warnings;

sub parse
{
  my $fname = shift;
  my %hdb;
  my($fh, $str, $pid, $token);
  open($fh, '<', $fname) or die("Cannot open $fname, error $!");
  while( $str = <$fh> )
  {
    chomp $str;
    next if ( $str !~ /Process PID (\d+) token: (.*)$/ );
    $pid = int($1);
    $token = $2;
    if ( exists $hdb{$token} )
    {
      printf("Process %d has the same token as %d !\n", $pid, $hdb{$token});
    } else {
      $hdb{$token} = $pid;
    }
  }
  close $fh;
}

parse $_ foreach @ARGV;

Комментариев нет:

Отправить комментарий