win下实现切换帐号的方法
by:dumplogin https://www.xfocus.net/
目前实现的方法有几种:
1.CreateProcessWithLogonW() //需要密码
2.LogonUser(),CreateProcessAsUser() //也需要密码
3.NtCreateToken(),CreateProcessAsUser() //不需要密码, 但NtCreateToken要求调用进程持有SeCreateTokenPrivilege(正常情况下只有lsass拥有), 所以下面的实现要先用SeDebugPrivilege从lsass.exe借权限——也就是说调用者本身必须已经是管理员/SYSTEM. 这不是提权, 只是在已有高权限的前提下伪造令牌.
方法1,2网上都有很多现成工具; 方法3可以用bingle的wsu -f实现.
不过bingle的wsu只是替换了令牌里的用户SID, 组和特权并没有真正按目标帐号重建, 所以有效权限其实没变: 它切换到guest后, 该环境下依然对system32目录有写权限; 切换到SYSTEM后, SAM键还是打不开.
根据bingle的wsu原型重写了一下SU, 可以真正做到权限切换. 因为令牌是直接用NtCreateToken构造的, 不经过LSA的正常登录流程, 所以即使目标帐号已被禁用也能切换(同理, 帐号禁用这类登录时才做的检查在这里都不起作用).
缺点是在终端(Terminal Services)会话下只能su到管理员组成员和SYSTEM帐号, 切换到普通用户会失败; 这个问题我放弃了, 如果谁能做到, 欢迎帮我完善.
[root@DUMPLOGIN C:\WINNT\system32]#reg query HKEY_LOCAL_MACHINE\SECURITY
Error:
[root@DUMPLOGIN C:\WINNT\system32]#
[root@DUMPLOGIN E:mytestcsu]#su4 -u system
su.exe like unix su tool,version 4.1
by bkbll (bkbll#cnhonker.net) http://www.cnhonker.com
[+] Enable SeDebugPrivilege..
[+] Get Lsass.exe Pid....292
[+] GrantPrivilege From Lsass ....
[+] Calling NtCreateTokenAsuser ...
[+] CreateProcess By that Token...
Microsoft Windows 2000 [Version 5.00.2195]
(C) 版权所有 1985-2000 Microsoft Corp.
[root@DUMPLOGIN E:mytestcsu]#reg query HKEY_LOCAL_MACHINE\SECURITY
! REG.EXE VERSION 2.0
HKEY_LOCAL_MACHINE\SECURITY
HKEY_LOCAL_MACHINE\SECURITY\Policy
HKEY_LOCAL_MACHINE\SECURITY\RXACT
HKEY_LOCAL_MACHINE\SECURITY\SAM
[root@DUMPLOGIN E:mytestcsu]#
搞这个东西搞的我疲惫不堪. 苦啊. 将我的代码贴出来,希望以后对大家有所帮助, 少走弯路.
在这个期间骚扰了bingle和tk n次, 谢谢他们。
这个工具目前只在win2k sp4 中文版上测试过, 我没有xp/2003的环境, 希望有人能帮我测试. :)
附:su4.c
/* su切换用户
* 2004/12/28 1.0,发现Bingle的wsu是假冒令牌,权限并没有真正设置.
* 2004/12/29 2.0,真正实现模拟用户令牌的动作.
* 2004/12/29 3.0,即使帐号禁止也可以模拟用户
* 2004/12/30 4.0, 可以模拟SYSTEM用户,权限24个,全部默认开放
* 2004/12/30 4.1 终端登陆用户可以获取管理员组/SYSTEM权限.普通用户失败.
*/
#include <stdio.h>
#include <stdlib.h>
#include <winsock2.h>
#include <lm.h>
#include <Ntsecapi.h>
#include <Accctrl.h>
#include <Aclapi.h>
#include <Tlhelp32.h>
#include <windows.h>
#pragma comment(lib,"ws2_32")
#pragma comment(lib,"Advapi32")
#pragma comment(lib,"User32")
#pragma comment(lib,"Netapi32")
/* Generic scratch-buffer size used by the helpers. */
#define SIZE 1024
/* Version string printed in the banner (see main). */
#define VERSION "4.1"
/* NTSTATUS success value, duplicated here because <ntstatus.h> is not
 * included; the token sequence matches the SDK's, so a later identical
 * redefinition is harmless. */
#define STATUS_SUCCESS ((NTSTATUS)0x00000000L)
/* Full-control mask for a window station: every WINSTA_* right plus the
 * standard rights DELETE/READ_CONTROL/WRITE_DAC/WRITE_OWNER. Presumably
 * granted to the target account on the interactive window station before
 * CreateProcessAsUser (see AddUserPrivToHandle). WRITE_DAC|WRITE_OWNER lets
 * the spawned process rewrite that ACL, so this is only appropriate when the
 * target is already fully trusted — which it is here (administrators/SYSTEM). */
#define WINSTA_ALL (WINSTA_ACCESSCLIPBOARD|WINSTA_ACCESSGLOBALATOMS|WINSTA_CREATEDESKTOP| WINSTA_ENUMDESKTOPS|WINSTA_ENUMERATE|WINSTA_EXITWINDOWS|WINSTA_READATTRIBUTES | WINSTA_READSCREEN|WINSTA_WRITEATTRIBUTES|DELETE|READ_CONTROL| WRITE_DAC|WRITE_OWNER)
/* Same idea for the desktop object. DESKTOP_HOOKCONTROL and
 * DESKTOP_JOURNALRECORD in particular allow the child to hook/record input on
 * the shared desktop, so do not hand this mask to a less-trusted account. */
#define DESKTOP_ALL (DESKTOP_CREATEMENU|DESKTOP_CREATEWINDOW|DESKTOP_ENUMERATE|DESKTOP_HOOKCONTROL|DESKTOP_JOURNALPLAYBACK|DESKTOP_JOURNALRECORD|DESKTOP_READOBJECTS | DESKTOP_SWITCHDESKTOP|DESKTOP_WRITEOBJECTS|DELETE|READ_CONTROL| WRITE_DAC|WRITE_OWNER)
/* Generic read/write/execute/all mask. */
#define GENERIC_ACCESS (GENERIC_READ|GENERIC_WRITE|GENERIC_EXECUTE|GENERIC_ALL)
/* SID attribute flag for resource groups; same value as winnt.h, duplicated
 * here presumably for SDKs that predate it. */
#define SE_GROUP_RESOURCE (0x20000000L)
/* Native-API object attributes block, re-declared because the Win32 headers
 * included above do not expose it. It is handed by pointer to
 * ntdll!NtCreateToken (see PNtCreateToken), so field order and sizes must
 * match the kernel layout exactly; do not reorder or add fields. */
typedef struct _OBJECT_ATTRIBUTES
{
ULONG Length;                   /* conventionally sizeof(OBJECT_ATTRIBUTES); set by the caller (not visible here) */
HANDLE RootDirectory;           /* directory ObjectName is relative to, or NULL */
PUNICODE_STRING ObjectName;     /* object name, or NULL for an unnamed token */
ULONG Attributes;               /* OBJ_* flags */
PVOID SecurityDescriptor;       /* SECURITY_DESCRIPTOR for the new object, or NULL */
PVOID SecurityQualityOfService; /* SECURITY_QUALITY_OF_SERVICE (impersonation level), or NULL */
} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;
/* LSA authentication-package token-information selector, re-declared here
 * presumably because the SDK header that provides it is not included. Only
 * the NULL variant is declared in this file; the V1/V2 structs named in the
 * comments are not. None of these types is referenced in the visible part
 * of the file. */
typedef enum _LSA_TOKEN_INFORMATION_TYPE {
LsaTokenInformationNull, // Implies LSA_TOKEN_INFORMATION_NULL data type
LsaTokenInformationV1, // Implies LSA_TOKEN_INFORMATION_V1 data type (not declared in this file)
LsaTokenInformationV2 // Implies LSA_TOKEN_INFORMATION_V2 data type (not declared in this file)
} LSA_TOKEN_INFORMATION_TYPE, *PLSA_TOKEN_INFORMATION_TYPE;
/* Token information for a null (anonymous) LSA logon: an expiry time and the
 * group list. Keep the field order — it mirrors the SDK layout. Not
 * referenced in the visible part of this file. */
typedef struct _LSA_TOKEN_INFORMATION_NULL
{
LARGE_INTEGER ExpirationTime; /* token expiry; same type NtCreateToken takes */
PTOKEN_GROUPS Groups;         /* groups to place in the token */
} LSA_TOKEN_INFORMATION_NULL, *PLSA_TOKEN_INFORMATION_NULL;
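/* NTAPI (__stdcall) comes from winnt.h via <windows.h>; the empty fallback
 * only matters if this typedef is compiled outside the Windows SDK. */
#ifndef NTAPI
#define NTAPI
#endif
/* Signature of ntdll!NtCreateToken. No ntdll import library is linked above,
 * so the function is presumably resolved at run time through this pointer
 * type. NtCreateToken is a __stdcall export: the pointer type must carry
 * NTAPI, otherwise a 32-bit build calls it as __cdecl and the caller
 * re-adjusts ESP after the callee has already popped its 13 arguments
 * (silent stack corruption that usually only shows up as random crashes).
 *
 * Creating a token this way requires SeCreateTokenPrivilege in the calling
 * process, which is why the tool first borrows privileges from lsass.exe
 * (GrantPrivFromLsass). The resulting token never passes through an LSA
 * logon, so account-disabled and similar logon-time checks do not apply. */
typedef NTSTATUS (NTAPI *PNtCreateToken)(
PHANDLE TokenHandle,                 /* out: handle to the new token */
ACCESS_MASK DesiredAccess,           /* access requested on the returned handle */
POBJECT_ATTRIBUTES ObjectAttributes, /* see OBJECT_ATTRIBUTES above */
TOKEN_TYPE TokenType,                /* TokenPrimary or TokenImpersonation */
PLUID AuthenticationId,              /* logon session id the token will claim */
PLARGE_INTEGER ExpirationTime,       /* token expiry */
PTOKEN_USER TokenUser,               /* user SID of the forged identity */
PTOKEN_GROUPS TokenGroups,           /* group SIDs (with attributes) */
PTOKEN_PRIVILEGES TokenPrivileges,   /* privilege set, e.g. from MakeAdminPriv */
PTOKEN_OWNER TokenOwner,             /* default owner for objects the token creates */
PTOKEN_PRIMARY_GROUP TokenPrimaryGroup,
PTOKEN_DEFAULT_DACL TokenDefaultDacl,/* default DACL for objects the token creates */
PTOKEN_SOURCE TokenSource            /* source name/identifier recorded in the token */
);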
/* Profile descriptor for LoadUserProfile/UnloadUserProfile, re-declared
 * because <userenv.h> is not included. It is passed by pointer into
 * userenv.dll, so the field order must stay exactly as the SDK defines it. */
typedef struct _PROFILEINFO {
DWORD dwSize;          /* conventionally sizeof(PROFILEINFO); set by the caller (not visible here) */
DWORD dwFlags;         /* PI_* flags */
LPTSTR lpUserName;     /* account whose profile is loaded */
LPTSTR lpProfilePath;  /* roaming profile path */
LPTSTR lpDefaultPath;  /* default user profile path */
LPTSTR lpServerName;   /* domain controller name */
LPTSTR lpPolicyPath;   /* policy file path */
HANDLE hProfile;       /* out: registry key handle, passed back to UnloadUserProfile */
} PROFILEINFO, *LPPROFILEINFO;
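/* WINAPI (__stdcall) comes from <windows.h>; the empty fallback only matters
 * if these typedefs are compiled outside the Windows SDK. */
#ifndef WINAPI
#define WINAPI
#endif
/* Pointer types for userenv.dll's LoadUserProfile/UnloadUserProfile, which
 * this file resolves at run time instead of linking userenv.lib (see
 * UserenvModule in main). Both are __stdcall exports, so the pointer types
 * must carry WINAPI: without it a 32-bit build calls them as __cdecl and the
 * caller re-adjusts ESP after the callee has already popped its arguments. */
typedef BOOL (WINAPI *PLoadUserProfile)(
HANDLE hToken, // token of the account whose profile to load (the one built for CreateProcessAsUser)
LPPROFILEINFO lpProfileInfo // in/out: profile description; hProfile is filled on success
);
typedef BOOL (WINAPI *PUnloadUserProfile)(
HANDLE hToken, // the same token that was passed to LoadUserProfile
HANDLE hProfile // lpProfileInfo->hProfile returned by LoadUserProfile
);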
/* Command-line state shared with the helpers. File-scope on purpose; the
 * tool is a single translation unit, so these could equally be `static`. */
BOOL cback = 0;              /* not referenced in the visible part of the file */
char *system_user = NULL;    /* target account from -u; points into argv, never freed */
int lsasspid = 0;            /* pid of lsass.exe, presumably filled by the lsass lookup step (log: "Get Lsass.exe Pid") */
unsigned int DebugLevel = 7; /* verbosity from -D (atoi of the argument); default 7 */
/* 函数定义开始 */
/* Forward declarations. The descriptions are inferred from the names, the
 * types involved and the run log in the write-up; the definitions are
 * outside the visible part of this file — confirm against them. */
void usage(char *s);                                                 /* print usage; s is argv[0] */
int GrantPriv();                                                     /* presumably enables SeDebugPrivilege in the current token (log step 1); `()` should be `(void)` */
HANDLE CreateTokenAsUser(char *user);                                /* earlier token-building path; relation to NtCreateTokenAsuser not visible here */
/* NOTE(review): same name as the Win32 API ConvertSidToStringSid in <sddl.h>
 * but a different signature (caller-supplied buffer + length instead of an
 * LPTSTR*). Harmless while sddl.h is not included; it will clash if it is. */
BOOL ConvertSidToStringSid(PSID pSid,LPTSTR TextualSid, LPDWORD lpdwBufferLen);
BOOL GetUserGroup(char *username,char ***name,int *groupcount);      /* out: array of group names for username, presumably via NetAPI (lm.h); ownership of the array not visible here */
PSID GetUserSid(char *LookupUser);                                   /* SID for an account name; ownership of the returned buffer not visible here */
HANDLE NtCreateTokenAsuser(char *user);                              /* builds a token for user with NtCreateToken (log step 4) */
int GrantPrivFromLsass(int pid);                                     /* borrows privileges from the lsass.exe process identified by pid (log step 3) */
void *GetFromToken(HANDLE hToken, TOKEN_INFORMATION_CLASS tic);      /* presumably a GetTokenInformation wrapper returning a heap buffer to release with pfree */
void pfree(void *p);                                                 /* release buffers handed out by the helpers above */
LUID GetLuidFromText(char *s);                                       /* privilege name -> LUID, presumably via LookupPrivilegeValue */
TOKEN_PRIVILEGES *MakeAdminPriv();                                   /* privilege set for the forged token (changelog: 24 privileges, all enabled); `()` should be `(void)` */
BOOL AddUserPrivToHandle(HANDLE Hhandle,char *s,ACCESS_MODE mode);   /* adds an ACE for account s to Hhandle's DACL (ACCESS_MODE from Accctrl.h); presumably used on the window station/desktop with WINSTA_ALL/DESKTOP_ALL */
/* 函数定义结束 */
int main(int argc,char **argv)
{
int i;
WSADATA wsd;
HANDLE NewToken;
PLoadUserProfile LoadUserProfile;
PUnloadUserProfile UnloadUserProfile;
HMODULE UserenvModule;
printf( "su.exe like unix su tool,version %s
"
"by bkbll (bkbll#cnhonker.net) http://www.cnhonker.com
",VERSION);
if((argc>1) && (strnicmp(argv[1],"-h",2) == 0))
{
usage(argv[0]);
return -1;
}
for(i=1;i<argc;i+=2)
{
if(strlen(argv[i]) != 2)
{
usage(argv[0]);
return -1;
}
switch(argv[i][1])
{
case u:
system_user = argv[i+1];
break;
case D:
DebugLevel = atoi(argv[i+1]);
break;
}
}
if(system_user == NULL)
{
usage(argv[0]);
return -1;
}
Use