
[VC/Win32] WinXP/7/8/8.1/10以系統(SYSTEM)身份執行程式------RunAsSystem

以SYSTEM身份執行命令提示符cmd.exe，在該命令提示符下啟動的登錄檔編輯器regedit.exe也同樣以SYSTEM身份執行

  1 #include <Windows.h>
  2 #include <AclAPI.h>
  3 #include <TlHelp32.h>
  4 #include <stdio.h>
  5 
  6 //#define _WINXP_
  7 
  8 
/*
 * RunAsSystem - start pszPath with a duplicate of hProc's primary token.
 *
 * The new process inherits the full identity of whatever token hProc
 * carries (in main1 below that is winlogon.exe, i.e. LocalSystem), and so
 * does everything launched from it.  The call therefore only succeeds when
 * the caller can already open hProc's token for TOKEN_DUPLICATE; on a
 * hardened host that open is expected to be denied and is the event a
 * defender would want audited.
 *
 * hProc   : handle with enough access to call OpenProcessToken on it.
 * pszPath : application path passed unchanged as lpApplicationName.
 * Returns TRUE only if the CreateProcess* call succeeded; GetLastError()
 * holds the failing API's error code otherwise.  Blocks until the child
 * has exited (see the INFINITE waits at the end).
 */
BOOL RunAsSystem(HANDLE hProc, TCHAR *pszPath)
{
    BOOL bRet;
    HANDLE hProcToken = NULL;
    HANDLE hDupToken = NULL;
    DWORD dwFlag;
    STARTUPINFO si;
    // Not zeroed, but only read under `if (bRet)` below, i.e. after the
    // CreateProcess* call has filled it in.
    PROCESS_INFORMATION pi;

    // Open the process access token.
    bRet = OpenProcessToken(hProc, TOKEN_DUPLICATE, &hProcToken);
    if (!bRet)
        goto end;

    // Create a new access token that duplicates an existing token.
    // TokenPrimary is required because the copy is handed to a process
    // creation API rather than used for impersonation.
    bRet = DuplicateTokenEx(hProcToken, MAXIMUM_ALLOWED, NULL,
        SecurityImpersonation, TokenPrimary, &hDupToken);
    if (!bRet)
        goto end;

    // CREATE_UNICODE_ENVIRONMENT is set although lpEnvironment is NULL,
    // so the child simply inherits this process's environment block.
    dwFlag = NORMAL_PRIORITY_CLASS | CREATE_NEW_CONSOLE | CREATE_UNICODE_ENVIRONMENT;
    ZeroMemory(&si, sizeof(STARTUPINFO));
    si.cb = sizeof(STARTUPINFO);
    // Put the child on the interactive desktop so its console is visible.
    si.lpDesktop = TEXT("winsta0\\default");

#ifdef _WINXP_
    // For Windows XP.
    // Impersonate first so CreateProcessAsUser runs with the duplicated
    // identity; RevertToSelf() below undoes it on both success and failure.
    bRet = ImpersonateLoggedOnUser(hDupToken);
    if (!bRet)
        goto end;

    bRet = CreateProcessAsUser(hDupToken, pszPath, NULL, NULL, NULL, FALSE,
        dwFlag, NULL, NULL, &si, &pi);

    RevertToSelf();
#else
    // For Windows 7 and above.
    // NOTE(review): LOGON_NETCREDENTIALS_ONLY presumably shows up as a
    // secondary-logon (seclogon) event in the security log - confirm
    // against the host's audit policy when building detections.
    bRet = CreateProcessWithTokenW(hDupToken, LOGON_NETCREDENTIALS_ONLY, NULL, pszPath,
        dwFlag, NULL, NULL, &si, &pi);
#endif

end:
    if (bRet)
    {
        printf("Success!\n");
        // Wait for the primary thread, then the process object; both
        // handles are owned by this function and closed here.
        if (pi.hThread)
        {
            printf("Wait for thread exit...\n");
            WaitForSingleObject(pi.hThread, INFINITE);
            CloseHandle(pi.hThread);
        }
        if (pi.hProcess)
        {
            printf("Wait for process exit...\n");
            WaitForSingleObject(pi.hProcess, INFINITE);
            CloseHandle(pi.hProcess);
        }
        // GetLastError() returns DWORD; %d is the author's choice and is
        // a signed/unsigned mismatch (would be %lu).
        printf("Exit: %d\n", GetLastError());
    }
    else
    {
        printf("Error: %d\n", GetLastError());
    }

    if (hDupToken)
        CloseHandle(hDupToken);
    if (hProcToken)
        CloseHandle(hProcToken);

    return bRet;
}

/*
 * SetOwnerAndPermissions - temporarily take ownership of an object, grant
 * BUILTIN\Administrators full control, run RunAsSystem() while that
 * grant is in place, then restore the original DACL and owner.
 *
 * objtype : SE_REGISTRY_KEY, SE_FILE_OBJECT or SE_KERNEL_OBJECT.  No other
 *           value is handled: hHandle is then left uninitialized and the
 *           GetSecurityInfo call below reads an indeterminate value (UB).
 * hProc   : process whose token is the target when objtype is
 *           SE_KERNEL_OBJECT; also forwarded to RunAsSystem().
 * hPreKey : parent key for RegOpenKeyEx when objtype is SE_REGISTRY_KEY.
 * pszPath : registry subkey / file path for those object types, and in
 *           every case the executable path handed to RunAsSystem().  As
 *           written only the SE_KERNEL_OBJECT case (see main1) makes sense
 *           for both uses at once.
 *
 * Requires SeTakeOwnershipPrivilege and SeRestorePrivilege to be present in
 * the calling token (they are enabled here, not granted).  Returns TRUE
 * only when every step including the restore succeeded.
 *
 * NOTE(review): any failure after the owner/DACL have been changed jumps
 * straight to `end`, so the object is left with the modified owner and
 * DACL.  RunAsSystem() also blocks until the child exits, so the widened
 * DACL stays in place for the child's whole lifetime.
 */
BOOL SetOwnerAndPermissions(SE_OBJECT_TYPE objtype, HANDLE hProc, HKEY hPreKey, TCHAR *pszPath)
{
    BOOL bRet;
    DWORD dwRet;
    HANDLE hToken = NULL;
    PTOKEN_PRIVILEGES ptp;
    // TOKEN_PRIVILEGES already holds one LUID_AND_ATTRIBUTES, so this
    // buffer has room for exactly two entries.
    BYTE tpbyte[sizeof(TOKEN_PRIVILEGES) + sizeof(LUID_AND_ATTRIBUTES)];
    BYTE bits[SECURITY_MAX_SID_SIZE];
    PSECURITY_DESCRIPTOR psd = NULL;
    EXPLICIT_ACCESS ea;
    // paclOld and psidOld point into psd; they are freed with it.
    PACL paclOld;
    PACL paclNew = NULL;
    PSID psidOld;
    PSID psidNew;
    LSTATUS ls;
    HKEY hKey = NULL;
    HANDLE hFile = INVALID_HANDLE_VALUE;
    HANDLE hProcToken = NULL;
    // Whichever of hKey / hFile / hProcToken is in use, as a generic handle.
    HANDLE hHandle;

    // Open a handle to the access token for the calling process.
    bRet = OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken);
    if (!bRet)
        goto end;

    // Enable the SeTakeOwnershipPrivilege.
    ptp = (PTOKEN_PRIVILEGES)tpbyte;
    bRet = LookupPrivilegeValue(NULL, SE_TAKE_OWNERSHIP_NAME, &ptp->Privileges[0].Luid);
    if (!bRet)
        goto end;

    // Enable the SeRestorePrivilege.
    bRet = LookupPrivilegeValue(NULL, SE_RESTORE_NAME, &ptp->Privileges[1].Luid);
    if (!bRet)
        goto end;

    // Enable the privileges.
    ptp->PrivilegeCount = 2;
    ptp->Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    ptp->Privileges[1].Attributes = SE_PRIVILEGE_ENABLED;
    bRet = AdjustTokenPrivileges(hToken, FALSE, ptp, sizeof(tpbyte), NULL, NULL);
    // AdjustTokenPrivileges returns TRUE even when not every privilege
    // could be enabled; ERROR_NOT_ALL_ASSIGNED is the real failure signal.
    if (bRet)
    {
        if (GetLastError() == ERROR_NOT_ALL_ASSIGNED)
        {
            bRet = FALSE;
            goto end;
        }
    }

    // Create a SID for the BUILTIN\Administrators group.
    psidNew = (PSID)bits;
    dwRet = sizeof(bits);
    bRet = CreateWellKnownSid(WinBuiltinAdministratorsSid, NULL, psidNew, &dwRet);
    if (!bRet)
        goto end;
    // From here on most steps report through dwRet/ls, not bRet; preset
    // the result to FALSE so any `goto end` below returns failure.
    bRet = FALSE;

    // Open the object with READ_CONTROL|WRITE_OWNER access.
    // WRITE_DAC is deliberately not requested yet: the caller may not hold
    // it until ownership has been taken.
    if (objtype == SE_REGISTRY_KEY)
    {
        ls = RegOpenKeyEx(hPreKey, pszPath, 0, READ_CONTROL | WRITE_OWNER, &hKey);
        if (ls != ERROR_SUCCESS)
            goto end;
        hHandle = hKey;
    }
    else if (objtype == SE_FILE_OBJECT)
    {
        hFile = CreateFile(pszPath, READ_CONTROL | WRITE_OWNER,
            FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL);
        if (hFile == INVALID_HANDLE_VALUE)
            goto end;
        hHandle = hFile;
    }
    else if (objtype == SE_KERNEL_OBJECT)
    {
        bRet = OpenProcessToken(hProc, READ_CONTROL | WRITE_OWNER, &hProcToken);
        if (!bRet)
            goto end;
        bRet = FALSE;
        hHandle = hProcToken;
    }

    // Get the object's original owner and permissions.
    dwRet = GetSecurityInfo(hHandle, objtype, OWNER_SECURITY_INFORMATION |
        DACL_SECURITY_INFORMATION, &psidOld, NULL, &paclOld, NULL, &psd);
    if (dwRet != ERROR_SUCCESS)
        goto end;

    // Set full control for Administrators.
    // Only the fields used by SetEntriesInAcl are filled; ea is otherwise
    // uninitialized.
    ea.grfAccessMode = SET_ACCESS;
    ea.grfAccessPermissions = GENERIC_ALL;
    ea.grfInheritance = NO_INHERITANCE;
    ea.Trustee.TrusteeForm = TRUSTEE_IS_SID;
    ea.Trustee.TrusteeType = TRUSTEE_IS_GROUP;
    ea.Trustee.ptstrName = (LPTSTR)psidNew;
    ea.Trustee.MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;
    ea.Trustee.pMultipleTrustee = NULL;
    // paclNew = paclOld merged with the new ACE; freed with LocalFree at end.
    dwRet = SetEntriesInAcl(1, &ea, paclOld, &paclNew);
    if (dwRet != ERROR_SUCCESS)
        goto end;

    // Set the object's owner first.
    dwRet = SetSecurityInfo(hHandle, objtype, OWNER_SECURITY_INFORMATION,
        psidNew, NULL, NULL, NULL);
    if (dwRet != ERROR_SUCCESS)
        goto end;

    // Now that the object is owned by Administrators, WRITE_DAC is
    // obtainable: reopen it with that access.
    if (objtype == SE_REGISTRY_KEY)
    {
        RegCloseKey(hKey);
        hKey = NULL;
        ls = RegOpenKeyEx(hPreKey, pszPath, 0,
            READ_CONTROL | WRITE_OWNER | WRITE_DAC, &hKey);
        if (ls != ERROR_SUCCESS)
            goto end;
        hHandle = hKey;
    }
    else if (objtype == SE_FILE_OBJECT)
    {
        CloseHandle(hFile);
        hFile = INVALID_HANDLE_VALUE;
        hFile = CreateFile(pszPath, READ_CONTROL | WRITE_OWNER | WRITE_DAC,
            FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL);
        if (hFile == INVALID_HANDLE_VALUE)
            goto end;
        hHandle = hFile;
    }
    else if (objtype == SE_KERNEL_OBJECT)
    {
        CloseHandle(hProcToken);
        hProcToken = NULL;
        bRet = OpenProcessToken(hProc, READ_CONTROL | WRITE_OWNER | WRITE_DAC, &hProcToken);
        if (!bRet)
            goto end;
        bRet = FALSE;
        hHandle = hProcToken;
    }

    // Then set the object's permissions.
    dwRet = SetSecurityInfo(hHandle, objtype, DACL_SECURITY_INFORMATION,
        NULL, NULL, paclNew, NULL);
    if (dwRet != ERROR_SUCCESS)
        goto end;

    // The object is now modifiable by Administrators; do the work.
    // The return value of RunAsSystem is ignored here - the restore below
    // runs regardless, and bRet reflects only the restore steps.
    RunAsSystem(hProc, pszPath);

    // Restore the object's permissions first.
    dwRet = SetSecurityInfo(hHandle, objtype, DACL_SECURITY_INFORMATION,
        NULL, NULL, paclOld, NULL);
    if (dwRet != ERROR_SUCCESS)
        goto end;

    // Then restore the object's owner.
    dwRet = SetSecurityInfo(hHandle, objtype, OWNER_SECURITY_INFORMATION,
        psidOld, NULL, NULL, NULL);
    if (dwRet != ERROR_SUCCESS)
        goto end;

    // Disable the privileges.
    ptp->Privileges[0].Attributes = 0;
    ptp->Privileges[1].Attributes = 0;
    bRet = AdjustTokenPrivileges(hToken, FALSE, ptp, sizeof(tpbyte), NULL, NULL);
    if (bRet)
    {
        if (GetLastError() == ERROR_NOT_ALL_ASSIGNED)
            bRet = FALSE;
    }

end:
    // Release in reverse order of acquisition; each guard matches the
    // sentinel the handle was initialized with above.
    if (hKey)
        RegCloseKey(hKey);
    if (hFile != INVALID_HANDLE_VALUE)
        CloseHandle(hFile);
    if (hProcToken)
        CloseHandle(hProcToken);
    if (paclNew)
        LocalFree(paclNew);
    if (psd)
        LocalFree(psd);
    if (hToken)
        CloseHandle(hToken);

    // NOTE(review): %ws presumes a UNICODE build where TCHAR is wchar_t;
    // in an ANSI build this format/argument pair does not match.
    printf("%ws End: %d, %d\n", pszPath, bRet, GetLastError());

    return bRet;
}

/*
 * main1 - locate winlogon.exe and launch cmd.exe with its token.
 *
 * Not named `main`, so as written it is not the program entry point; the
 * author presumably renamed it for the listing.  Always returns 0, even
 * when a step failed (bRet is printed nowhere here).
 *
 * From a defender's view the observable sequence is: a process snapshot,
 * OpenProcess(MAXIMUM_ALLOWED) on winlogon.exe, then a cmd.exe child whose
 * token differs from its parent's.  The OpenProcess call is where a
 * non-administrative caller is expected to be refused.
 */
int main1()
{
    BOOL bRet;
    HANDLE hSnapshot = NULL;
    PROCESSENTRY32 pe;
    HANDLE hProc = NULL;

    // Take a snapshot of all processes in the system.
    // NOTE(review): on failure hSnapshot is INVALID_HANDLE_VALUE, which is
    // non-NULL, so the `if (hSnapshot)` guard at `end` still calls
    // CloseHandle on it.
    hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnapshot == INVALID_HANDLE_VALUE)
        goto end;

    // Get the first process and walk the snapshot of processes.
    ZeroMemory(&pe, sizeof(PROCESSENTRY32));
    pe.dwSize = sizeof(PROCESSENTRY32);
    bRet = Process32First(hSnapshot, &pe);
    while (bRet)
    {
        // First match by image name wins; lstrcmp is case-sensitive.
        if (!lstrcmp(pe.szExeFile, TEXT("winlogon.exe")))
            break;

        bRet = Process32Next(hSnapshot, &pe);
    }
    // bRet is FALSE here only if the walk ended without a match.
    if (!bRet)
        goto end;

    // Open the process with process id.
    hProc = OpenProcess(MAXIMUM_ALLOWED, FALSE, pe.th32ProcessID);
    if (!hProc)
        goto end;

#ifdef _WINXP_
    // For Windows XP.
    // The XP path goes through SetOwnerAndPermissions, which takes
    // ownership of winlogon's token first; pszPath doubles as the
    // executable to launch.
    bRet = SetOwnerAndPermissions(SE_KERNEL_OBJECT, hProc, NULL,
        TEXT("c:\\windows\\system32\\cmd.exe"));
#else
    // For Windows 7 and above.
    bRet = RunAsSystem(hProc, TEXT("c:\\windows\\system32\\cmd.exe"));
#endif

end:
    if (hProc)
        CloseHandle(hProc);
    if (hSnapshot)
        CloseHandle(hSnapshot);

    // Keeps the console open; inherited by any child started above.
    system("pause");

    return 0;
}