system权限下降权程序的问题
作者:pt007[at]vip.sina.com 摘自易做图八进制
#include "windows.h"
#include <process.h>
#include <Tlhelp32.h>
#include <tchar.h>
#include <psapi.h>
#include <stdio.h>
#include <STDLIB.H>
#include <tlhelp32.h>
#pragma comment (lib,"psapi")
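/* Forward declarations. Of these, only upto_common_user() is defined in the
 * part of the file reproduced here; the remaining definitions are elsewhere. */

/* Starts "cmd.exe /c <cmdline>" under the access token of the running
 * EXPLORER.EXE, i.e. in the interactive user's context. cmdline is a
 * NUL-terminated command string. Returns FALSE when the EXPLORER.EXE handle
 * or its token cannot be obtained. */
int upto_common_user(TCHAR cmdline[256]);

/* Per the author's own usage comments, returns the PID of the process whose
 * image name is ProcName; definition not in this excerpt. */
DWORD GetPIDFromName(char *ProcName);

/* Presumably lower-cases buf into lowerbuf; definition not in this excerpt — verify. */
int make_to_lower1(char *buf, char *lowerbuf);

/* Definition not in this excerpt. */
int PrintProcessNameAndID(DWORD processID);

/* '(void)' makes this a real prototype; a bare '()' in C declares a function
 * with unspecified parameters, so argument errors would go unchecked. */
BOOL EnableDebugPriv(void);

/* Returns a handle to the process named szExeName, or NULL on failure
 * (upto_common_user() checks the result against NULL). */
HANDLE GetProcessHandle(LPSTR szExeName);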
/*int APIENTRY WinMain(HINSTANCE hInstance,
HINSTANCE hPrevInstance,
LPSTR lpCmdLine,
int nCmdShow)*/
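/*
 * Entry point. Takes one command string on the command line and hands it to
 * upto_common_user(), which starts "cmd.exe /c <command>" under the token of
 * the logged-on user's EXPLORER.EXE (dropping from the caller's context to
 * that user's context).
 *
 * argv[1] is the command to run. Returns 0 after running the command or
 * printing usage, and 1 when the argument is too long to be passed on safely.
 */
int main(int argc, char **argv)
{
    /* The argument is handed on through a fixed 256-element buffer. */
    TCHAR cmdline1[256] = {0};

    if (argc < 2) {
        /* Usage text; the quoted "whoami" is an example argument. The escape
           sequences of this literal appear to have been lost in the listing
           and are restored here. */
        printf("用法: %s \"whoami\"\n", argv[0]);
        return 0;
    }

    /* argv[1] is caller-controlled, and the original unbounded lstrcpy could
     * overrun cmdline1. upto_common_user() then prepends "/c " to it with
     * lstrcat into another 256-element buffer, so the argument must also leave
     * room for that 3-character prefix plus the terminator. snprintf reports
     * the untruncated length, which gives both checks at once.
     * NOTE: like the original lstrcpy from a char ** argv, this assumes an
     * ANSI (non-UNICODE) build in which TCHAR is char. */
    int len = snprintf(cmdline1, sizeof cmdline1, "%s", argv[1]);
    if (len < 0 || (size_t)len + 3 >= sizeof cmdline1) {
        printf("argument too long (max %u characters)\n",
               (unsigned)(sizeof cmdline1 - 4));
        return 1;
    }

    upto_common_user(cmdline1);
    return 0;
}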
int upto_common_user(TCHAR cmdline[256]) //切换到管理员用户身份
{
HANDLE hToken;
HANDLE hExp = GetProcessHandle("EXPLORER.EXE");
if(hExp == NULL)
return FALSE;
OpenProcessToken(hExp,TOKEN_ALL_ACCESS,&hToken);
if(hToken == NULL)
return FALSE;
STARTUPINFO si;
PROCESS_INFORMATION pi;
ZeroMemory(&si, sizeof(STARTUPINFO));
si.cb = sizeof(STARTUPINFO);
si.lpDesktop = "winsta0\default";
si.wShowWindow = SW_SHOW;
si.dwFlags=STARTF_USESHOWWINDOW;
TCHAR szParameter[256] = "/c ";
lstrcat(szParameter,cmdline);
printf("szParameter=%s ",szParameter);
//char * lpAppName="c:\win2003\temp\svchosts.exe";
//TCHAR szParameter[10] = {0};
//char * lpAppName;//="c:\tmp\KeyLoggerTest.exe";
char path[MAX_PATH];
GetSystemWindowsDirectory(path,MAX_PATH); //c:win2003
lstrcat(path,"\system32\cmd.exe"); //c:win2003 empklog.txt*/
//lstrcpy(lpAppName,(char *)path);//打开用户的winsta0
/* HWINSTA hwinsta = OpenWindowStation("winsta0", FALSE,
WINSTA_ACCESSCLIPBOARD |
WINSTA_ACCESSGLOBALATOMS |
WINSTA_CREATEDESKTOP |
WINSTA_ENUMDESKTOPS |
WINSTA_ENUMERATE |
WINSTA_EXITWINDOWS |
WINSTA_READATTRIBUTES |
WINSTA_READSCREEN |
WINSTA_WRITEATTRIBUTES);
if (hwinsta == NULL){
printf(_T("open window station err "));
return 0;
}
if (!SetProcessWindowStation(hwinsta)){
printf(_T("Set window station err "));
return 0;
}
//打开desktop
HDESK hdesk = OpenDesktop("default", 0, FALSE,
DESKTOP_CREATEMENU |DESKTOP_CREATEWINDOW |DESKTOP_ENUMERATE|DESKTOP_HOOKCONTROL|
DESKTOP_JOURNALPLAYBACK |
DESKTOP_JOURNALRECORD |
DESKTOP_READOBJECTS |
DESKTOP_SWITCHDESKTOP |
DESKTOP_WRITEOBJECTS);
if (hdesk == NULL){
printf("Open desktop err! ");
return 0;
}
SetThreadDesktop(hdesk); */if(CreateProcessAsUser(hToken,(char *)path,szParameter,NULL,
NULL,FALSE,CREATE_DEFAULT_ERROR_MODE,NULL,NULL,&si,&pi)) //以administrator用户身份执行程序,CREATE_NO_WINDOW,CREATE_NEW_CONSOLE,CREATE_DEFAULT_ERROR_MODE
{
printf("CreateProcessAsUser sucessed!%d ",GetLastError());
CloseHandle(pi.hProcess);
CloseHandle(pi.hThread);
}
/*HANDLE hToken,hNewToken;
HANDLE hProcess;
DWORD PID1;
PID1=GetPIDFromName("Explorer.EXE"); //获得explorer.exe进程的PID
//PID1=964; //explorer.exe进程的PID
printf("explorer.exes PID=%d ",PID1);hProcess = ::OpenProcess(PROCESS_ALL_ACCESS,0,PID1);
if(hProcess == NULL)
{
//printf(NULL, "OpenProcess" , "FF", MB_OK);
//MessageBox(NULL,"Error Opening Process",NULL,MB_OK | MB_APPLMODAL | MB_ICONWARNING | MB_SERVICE_NOTIFICATION);
printf("Error Opening Process!%x ",GetLastError());
return 0;
}
if(OpenProcessToken(hProcess,TOKEN_ALL_ACCESS,&hToken) == 0) //TOKEN_ALL_ACCESS
{
// MessageBoxA(NULL, "OpenProcessToken" , "FF", MB_OK);
// MessageBox(NULL,"Error Opening Process Token.Err = " ,NULL,MB_OK | MB_APPLMODAL | MB_ICONWARNING | MB_SERVICE_NOTIFICATION);
printf("Error Opening Process Token!%x ",GetLastError());
return 1;
}//
// 模拟当前登陆用户
//