当前位置：首页 > news >正文

PrivescCheck高级用法：自定义检查模块和扩展功能开发终极指南

news 2026/5/12 17:50:18

PrivescCheck高级用法：自定义检查模块和扩展功能开发终极指南

【免费下载链接】PrivescCheckPrivilege Escalation Enumeration Script for Windows项目地址: https://gitcode.com/gh_mirrors/pr/PrivescCheck

PrivescCheck是一款强大的Windows权限提升枚举脚本，专为渗透测试人员和安全研究人员设计，用于快速识别Windows系统中的安全漏洞和配置问题。本文将为新手和普通用户深入讲解如何利用PrivescCheck的高级功能，包括自定义检查模块开发和功能扩展，帮助你充分发挥这个强大工具的全部潜力。

🔍 为什么需要自定义检查模块？

PrivescCheck默认提供了超过100个安全检查项，覆盖了从用户权限到系统配置的各个方面。然而，在实际渗透测试和安全审计中，你可能会遇到一些特殊场景：

特定企业环境的定制化检查需求
新型攻击技术的快速检测
特定应用程序的安全评估
合规性要求的特殊检查

通过自定义检查模块，你可以根据实际需求扩展PrivescCheck的功能，创建针对性的安全检查方案。

PrivescCheck生成的HTML格式安全报告，清晰展示高风险和中风险漏洞

📁 PrivescCheck项目架构深度解析

在开始自定义开发前，让我们先了解PrivescCheck的项目结构：

核心目录结构

src/check/- 所有检查模块的源代码
- Applications.ps1 - 应用程序相关检查
- Configuration.ps1 - 系统配置检查
- Credentials.ps1 - 凭据相关检查
- User.ps1 - 用户权限和组检查
- Services.ps1 - 服务配置检查
src/core/- 核心功能模块
src/helper/- 辅助函数库
data/- 配置数据文件
- Checks.csv - 检查项配置文件

检查模块工作机制

PrivescCheck采用模块化设计，每个检查模块都是一个独立的PowerShell函数。主程序Main.ps1负责调度所有检查模块，并根据Checks.csv中的配置决定执行哪些检查。

🛠️ 创建自定义检查模块的完整步骤

步骤1：理解检查模块的基本结构

每个检查模块都遵循相同的模式。让我们以User.ps1中的Invoke-UserCheck函数为例：

function Invoke-UserCheck { [CmdletBinding()] param( [UInt32] $BaseSeverity ) # 执行检查逻辑 $Results = @() # 构建结果对象 $Result = New-Object -TypeName PSObject $Result | Add-Member -MemberType "NoteProperty" -Name "Result" -Value $Results $Result | Add-Member -MemberType "NoteProperty" -Name "Severity" -Value $(if ($Results) { $BaseSeverity } else { $script:SeverityLevel::None }) $Result }

步骤2：在Checks.csv中注册新检查项

要向PrivescCheck添加新的检查项，你需要在data/Checks.csv文件中添加一行配置：

"MY_CUSTOM_CHECK","Invoke-MyCustomCheck","TA0004 - Privilege Escalation","自定义检查名称","Medium","List","Extended","False","False","自定义检查的描述信息"

各字段含义：

Id: 检查的唯一标识符
Command: 要执行的PowerShell函数名
Category: 检查类别（如TA0004 - Privilege Escalation）
DisplayName: 显示名称
Severity: 严重级别（None/Low/Medium/High）
Format: 输出格式（Table/List）
Type: 检查类型（Base/Extended/Audit/Experimental）
RunIfAdmin: 是否以管理员身份运行
Risky: 是否为高风险检查
Description: 检查描述

步骤3：编写自定义检查函数

创建一个新的PowerShell脚本文件，例如CustomChecks.ps1，并添加你的自定义检查函数：

function Invoke-MyCustomCheck { <# .SYNOPSIS 检查自定义安全配置 .DESCRIPTION 检查特定的安全配置是否符合最佳实践 .PARAMETER BaseSeverity 基础严重级别 .EXAMPLE PS C:\> Invoke-MyCustomCheck -BaseSeverity 2 #> [CmdletBinding()] param( [UInt32] $BaseSeverity ) $Results = @() # 示例：检查注册表项 $RegistryPath = "HKLM:\SOFTWARE\CustomApp" if (Test-Path $RegistryPath) { $Value = Get-ItemProperty -Path $RegistryPath -Name "SecureSetting" -ErrorAction SilentlyContinue if ($Value.SecureSetting -eq "Enabled") { $CheckResult = New-Object -TypeName PSObject $CheckResult | Add-Member -MemberType "NoteProperty" -Name "Setting" -Value "SecureSetting" $CheckResult | Add-Member -MemberType "NoteProperty" -Name "Status" -Value "已启用" $CheckResult | Add-Member -MemberType "NoteProperty" -Name "Risk" -Value "低" $Results += $CheckResult } else { $CheckResult = New-Object -TypeName PSObject $CheckResult | Add-Member -MemberType "NoteProperty" -Name "Setting" -Value "SecureSetting" $CheckResult | Add-Member -MemberType "NoteProperty" -Name "Status" -Value "未启用" $CheckResult | Add-Member -MemberType "NoteProperty" -Name "Risk" -Value "高" $Results += $CheckResult } } $Result = New-Object -TypeName PSObject $Result | Add-Member -MemberType "NoteProperty" -Name "Result" -Value $Results $Result | Add-Member -MemberType "NoteProperty" -Name "Severity" -Value $(if ($Results) { $BaseSeverity } else { $script:SeverityLevel::None }) $Result }

步骤4：集成自定义检查到主脚本

将你的自定义检查函数集成到PrivescCheck主脚本中：

将自定义检查函数添加到相应的检查模块文件中
确保函数在脚本中被正确加载
测试检查功能是否正常工作

🎯 实际案例：创建Web应用安全检查模块

让我们创建一个实用的自定义检查模块，用于检查常见Web应用的安全配置：

function Invoke-WebAppSecurityCheck { <# .SYNOPSIS 检查Web应用安全配置 .DESCRIPTION 检查IIS、Apache等Web服务器的安全配置 .PARAMETER BaseSeverity 基础严重级别 #> [CmdletBinding()] param( [UInt32] $BaseSeverity ) $Results = @() # 检查IIS是否安装 if (Get-Service -Name "W3SVC" -ErrorAction SilentlyContinue) { $IISResult = New-Object -TypeName PSObject $IISResult | Add-Member -MemberType "NoteProperty" -Name "组件" -Value "IIS服务" $IISResult | Add-Member -MemberType "NoteProperty" -Name "状态" -Value "已安装" $IISResult | Add-Member -MemberType "NoteProperty" -Name "建议" -Value "检查Web配置安全性" $Results += $IISResult # 检查IIS日志配置 $LogPath = "C:\inetpub\logs\LogFiles" if (Test-Path $LogPath) { $LogResult = New-Object -TypeName PSObject $LogResult | Add-Member -MemberType "NoteProperty" -Name "组件" -Value "IIS日志" $LogResult | Add-Member -MemberType "NoteProperty" -Name "路径" -Value $LogPath $LogResult | Add-Member -MemberType "NoteProperty" -Name "权限" -Value "需检查访问控制" $Results += $LogResult } } # 检查Apache是否安装 $ApacheServices = Get-Service | Where-Object { $_.Name -like "*apache*" -or $_.DisplayName -like "*Apache*" } if ($ApacheServices) { foreach ($Service in $ApacheServices) { $ApacheResult = New-Object -TypeName PSObject $ApacheResult | Add-Member -MemberType "NoteProperty" -Name "组件" -Value "Apache服务" $ApacheResult | Add-Member -MemberType "NoteProperty" -Name "服务名" -Value $Service.Name $ApacheResult | Add-Member -MemberType "NoteProperty" -Name "状态" -Value $Service.Status $Results += $ApacheResult } } $Result = New-Object -TypeName PSObject $Result | Add-Member -MemberType "NoteProperty" -Name "Result" -Value $Results $Result | Add-Member -MemberType "NoteProperty" -Name "Severity" -Value $(if ($Results) { $BaseSeverity } else { $script:SeverityLevel::None }) $Result }

🔧 高级扩展功能开发技巧

1. 利用辅助函数库

PrivescCheck提供了丰富的辅助函数，位于src/helper/目录中：

AccessControl.ps1- 访问控制相关函数
SystemInformation.ps1- 系统信息收集函数
Utility.ps1- 通用工具函数

2. 实现多线程检查

对于需要扫描大量文件或注册表项的检查，可以使用多线程提高性能：

function Invoke-ParallelFileCheck { param( [UInt32] $BaseSeverity ) # 使用PowerShell作业实现并行处理 $Files = Get-ChildItem -Path "C:\Program Files" -Recurse -Filter "*.exe" -ErrorAction SilentlyContinue $Jobs = @() foreach ($File in $Files) { $ScriptBlock = { param($FilePath) # 检查文件权限 $Acl = Get-Acl -Path $FilePath $Permissions = $Acl.Access | Where-Object { $_.FileSystemRights -match "Write|Modify|FullControl" -and $_.IdentityReference -notmatch "SYSTEM|Administrators" } if ($Permissions) { [PSCustomObject]@{ File = $FilePath Permissions = $Permissions.IdentityReference } } } $Job = Start-Job -ScriptBlock $ScriptBlock -ArgumentList $File.FullName $Jobs += $Job } $Results = Receive-Job -Job $Jobs -Wait -AutoRemoveJob # 处理结果... }

3. 集成外部数据源

你可以将外部威胁情报集成到检查模块中：

function Invoke-ThreatIntelligenceCheck { param( [UInt32] $BaseSeverity ) # 从外部API获取威胁情报 $ThreatIntelUrl = "https://api.threatintel.example.com/indicators" try { $Response = Invoke-RestMethod -Uri $ThreatIntelUrl -Method Get $Indicators = $Response.indicators # 检查系统进程是否匹配威胁指标 $Processes = Get-Process | Select-Object Name, Id, Path $Matches = @() foreach ($Process in $Processes) { foreach ($Indicator in $Indicators) { if ($Process.Path -like "*$Indicator*") { $Matches += [PSCustomObject]@{ ProcessName = $Process.Name ProcessPath = $Process.Path Indicator = $Indicator } } } } # 返回检查结果 $Result = New-Object -TypeName PSObject $Result | Add-Member -MemberType "NoteProperty" -Name "Result" -Value $Matches $Result | Add-Member -MemberType "NoteProperty" -Name "Severity" -Value $(if ($Matches) { $BaseSeverity } else { $script:SeverityLevel::None }) return $Result } catch { Write-Warning "无法获取威胁情报: $_" } }

📊 自定义报告生成

PrivescCheck支持多种报告格式（TXT、HTML、CSV、XML）。你可以扩展报告生成功能：

PrivescCheck生成的纯文本报告，使用ASCII表格清晰展示检查结果

创建自定义报告模板

function Write-CustomReport { param( [object[]] $AllResults ) $ReportContent = @" # 自定义安全审计报告 生成时间: $(Get-Date -Format "yyyy-MM-dd HH:mm:ss") 系统名称: $($env:COMPUTERNAME) 用户: $($env:USERNAME) ## 检查摘要 总检查项: $($AllResults.Count) 高风险项: $(($AllResults | Where-Object { $_.Severity -eq "High" }).Count) 中风险项: $(($AllResults | Where-Object { $_.Severity -eq "Medium" }).Count) 低风险项: $(($AllResults | Where-Object { $_.Severity -eq "Low" }).Count) ## 详细结果 "@ foreach ($Result in $AllResults | Sort-Object -Property "Category", "DisplayName") { $ReportContent += @" ### $($Result.Category) - $($Result.DisplayName) 严重级别: $($Result.Severity) 描述: $($Result.Description) $($Result.ResultRawString) "@ } $ReportContent }

🚀 最佳实践和注意事项

1. 性能优化建议

缓存检查结果: 对于耗时的检查，考虑缓存结果以避免重复执行
并行处理: 使用PowerShell作业或工作流实现并行检查
增量检查: 只检查发生变化的部分，提高效率

2. 错误处理策略

function Invoke-RobustCheck { param( [UInt32] $BaseSeverity ) try { # 尝试执行主要检查逻辑 $Results = @() # 添加错误处理 $ErrorActionPreference = "Stop" # 检查逻辑... $Result = New-Object -TypeName PSObject $Result | Add-Member -MemberType "NoteProperty" -Name "Result" -Value $Results $Result | Add-Member -MemberType "NoteProperty" -Name "Severity" -Value $(if ($Results) { $BaseSeverity } else { $script:SeverityLevel::None }) return $Result } catch { Write-Warning "检查执行失败: $_" # 返回错误信息 $ErrorResult = New-Object -TypeName PSObject $ErrorResult | Add-Member -MemberType "NoteProperty" -Name "Error" -Value $_.Exception.Message $ErrorResult | Add-Member -MemberType "NoteProperty" -Name "Severity" -Value $script:SeverityLevel::None return $ErrorResult } }

3. 兼容性考虑

支持多版本Windows: 确保检查模块在不同Windows版本上都能正常工作
权限要求: 明确标注检查所需的最低权限级别
依赖项: 列出检查模块的外部依赖

📈 测试和验证自定义模块

单元测试框架

创建简单的测试脚本验证自定义检查模块：

# Test-CustomChecks.ps1 Import-Module .\CustomChecks.ps1 -Force Write-Host "测试自定义检查模块..." -ForegroundColor Cyan # 测试Web应用安全检查 $WebAppResult = Invoke-WebAppSecurityCheck -BaseSeverity 2 Write-Host "Web应用安全检查结果:" -ForegroundColor Yellow $WebAppResult.Result | Format-Table -AutoSize # 测试威胁情报检查 $ThreatIntelResult = Invoke-ThreatIntelligenceCheck -BaseSeverity 3 Write-Host "威胁情报检查结果:" -ForegroundColor Yellow $ThreatIntelResult.Result | Format-Table -AutoSize Write-Host "测试完成!" -ForegroundColor Green

集成测试

将自定义模块集成到PrivescCheck中进行完整测试：

# 1. 将自定义检查添加到Checks.csv # 2. 将自定义函数添加到主脚本或单独模块 # 3. 运行完整测试 powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck -Extended -Report CustomTest"

🎁 实用自定义检查模块示例

示例1：Docker安全配置检查

function Invoke-DockerSecurityCheck { <# .SYNOPSIS 检查Docker容器安全配置 .DESCRIPTION 检查Docker安装、配置和运行容器的安全性 #> [CmdletBinding()] param( [UInt32] $BaseSeverity ) $Results = @() # 检查Docker是否安装 if (Get-Command docker -ErrorAction SilentlyContinue) { $DockerResult = New-Object -TypeName PSObject $DockerResult | Add-Member -MemberType "NoteProperty" -Name "组件" -Value "Docker" $DockerResult | Add-Member -MemberType "NoteProperty" -Name "状态" -Value "已安装" $Results += $DockerResult # 检查Docker服务运行状态 $DockerService = Get-Service -Name "docker" -ErrorAction SilentlyContinue if ($DockerService) { $ServiceResult = New-Object -TypeName PSObject $ServiceResult | Add-Member -MemberType "NoteProperty" -Name "服务" -Value "Docker服务" $ServiceResult | Add-Member -MemberType "NoteProperty" -Name "状态" -Value $DockerService.Status $Results += $ServiceResult } # 检查运行中的容器 try { $Containers = docker ps --format "{{.Names}}|{{.Image}}|{{.Status}}" 2>$null if ($Containers) { foreach ($Container in $Containers) { $ContainerInfo = $Container -split "\|" $ContainerResult = New-Object -TypeName PSObject $ContainerResult | Add-Member -MemberType "NoteProperty" -Name "容器名称" -Value $ContainerInfo[0] $ContainerResult | Add-Member -MemberType "NoteProperty" -Name "镜像" -Value $ContainerInfo[1] $ContainerResult | Add-Member -MemberType "NoteProperty" -Name "状态" -Value $ContainerInfo[2] $Results += $ContainerResult } } } catch { Write-Verbose "无法获取容器信息: $_" } } $Result = New-Object -TypeName PSObject $Result | Add-Member -MemberType "NoteProperty" -Name "Result" -Value $Results $Result | Add-Member -MemberType "NoteProperty" -Name "Severity" -Value $(if ($Results) { $BaseSeverity } else { $script:SeverityLevel::None }) $Result }

示例2：云服务配置检查

function Invoke-CloudServiceCheck { <# .SYNOPSIS 检查云服务配置安全性 .DESCRIPTION 检查AWS、Azure等云服务的本地配置安全性 #> [CmdletBinding()] param( [UInt32] $BaseSeverity ) $Results = @() # 检查AWS CLI配置 $AwsConfigPath = "$env:USERPROFILE\.aws\credentials" if (Test-Path $AwsConfigPath) { $AwsResult = New-Object -TypeName PSObject $AwsResult | Add-Member -MemberType "NoteProperty" -Name "服务" -Value "AWS CLI" $AwsResult | Add-Member -MemberType "NoteProperty" -Name "配置文件" -Value $AwsConfigPath $AwsResult | Add-Member -MemberType "NoteProperty" -Name "风险" -Value "中 - 检查凭据文件权限" $Results += $AwsResult # 检查文件权限 $Acl = Get-Acl -Path $AwsConfigPath $Permissions = $Acl.Access | Where-Object { $_.FileSystemRights -match "Read|Write|FullControl" -and $_.IdentityReference -notmatch $env:USERNAME } if ($Permissions) { $PermissionResult = New-Object -TypeName PSObject $PermissionResult | Add-Member -MemberType "NoteProperty" -Name "文件" -Value $AwsConfigPath $PermissionResult | Add-Member -MemberType "NoteProperty" -Name "异常权限" -Value ($Permissions.IdentityReference -join ", ") $PermissionResult | Add-Member -MemberType "NoteProperty" -Name "建议" -Value "限制访问权限" $Results += $PermissionResult } } # 检查Azure CLI配置 $AzureConfigPath = "$env:USERPROFILE\.azure" if (Test-Path $AzureConfigPath) { $AzureResult = New-Object -TypeName PSObject $AzureResult | Add-Member -MemberType "NoteProperty" -Name "服务" -Value "Azure CLI" $AzureResult | Add-Member -MemberType "NoteProperty" -Name "配置目录" -Value $AzureConfigPath $AzureResult | Add-Member -MemberType "NoteProperty" -Name "风险" -Value "中 - 检查目录权限" $Results += $AzureResult } $Result = New-Object -TypeName PSObject $Result | Add-Member -MemberType "NoteProperty" -Name "Result" -Value $Results $Result | Add-Member -MemberType "NoteProperty" -Name "Severity" -Value $(if ($Results) { $BaseSeverity } else { $script:SeverityLevel::None }) $Result }