SYSTEM权限(服务启动程序)下如何读写当前登录用户相关的数据(桌面、开始菜单、注册表等等)?管理员权限如何提升到SYSTEM权限进行一些特殊的操作(一些关键的注册表位置、创建一个SYSTEM权限的进程等等)?一个非常关键的API就是ImpersonateLoggedOnUser,可以让当前线程模拟登陆用户进行操作(当然还可以从管理员模拟SYSTEM权限),用完之后记得调用RevertToSelf。
没有进行什么总结了,懒得写了⊙﹏⊙,贴几个地址吧:
服务应用程序如何访问当前登录用户的信息
模拟用户登录
创建高权限进程
从管理员身份获得 SYSTEM 权限的四种方法
如何读取指定用户的 HKEY_CURRENT_USER 注册表键
DLL注入到system进程后(在SYSTEM权限下弹MessageBox?)
照着从管理员权限到SYSTEM权限写了段代码:
#include <stdio.h> #include <windows.h> #include <tchar.h> #include <TlHelp32.h> #include <AclAPI.h> #pragma comment(lib, "advapi32.lib") #define CHECK_NULL_RET(bCondition) if (!bCondition) goto Exit0 #define INVALID_PROCESS_ID -2 BOOL EnableProcessPrivilege(LPCTSTR lpszPrivName, BOOL bEnable = TRUE) { HANDLE hToken; TOKEN_PRIVILEGES tkp; BOOL bRet = FALSE; bRet = OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken); CHECK_NULL_RET(bRet); bRet = LookupPrivilegeValue(NULL, lpszPrivName, &tkp.Privileges[0].Luid); CHECK_NULL_RET(bRet); tkp.PrivilegeCount = 1; tkp.Privileges[0].Attributes = bEnable ? SE_PRIVILEGE_ENABLED : SE_PRIVILEGE_REMOVED; bRet = AdjustTokenPrivileges(hToken, FALSE, &tkp, 0, (PTOKEN_PRIVILEGES)NULL, 0); CHECK_NULL_RET(bRet); bRet = TRUE; Exit0: CloseHandle(hToken); return bRet; } DWORD GetProcessPidByName(LPCTSTR lpszProcName) { DWORD dwPid = INVALID_PROCESS_ID; HANDLE hSnapshot = INVALID_HANDLE_VALUE; PROCESSENTRY32 pe32 = {0}; pe32.dwSize = sizeof(PROCESSENTRY32); hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL); if (hSnapshot != INVALID_HANDLE_VALUE) { Process32First(hSnapshot, &pe32); do { if (!lstrcmpi(lpszProcName, pe32.szExeFile)) { dwPid = pe32.th32ProcessID; break; } pe32.dwSize = sizeof(PROCESSENTRY32); } while (Process32Next(hSnapshot, &pe32)); CloseHandle(hSnapshot); } return dwPid; } BOOL AdjustPrivilege(HANDLE hToken, DWORD dwAccess) { BOOL bRet = FALSE; PSECURITY_DESCRIPTOR pOldSd = NULL, pNewSd = NULL; DWORD dwLen = 0; DWORD dwReturn = 0; DWORD dwRet = 0; BOOL bAcl = FALSE, bDefAcl = FALSE; PACL pOldAcl = NULL; PACL pNewAcl = NULL; PACL pSacl = NULL; static TCHAR szUserName[1024] = {0}; EXPLICIT_ACCESS ea = {0}; DWORD dwDaclSize = 0; DWORD dwSaclSize = 0; DWORD dwOwnerSize = 0; DWORD dwPrimaryGroupSize = 0; PSID pSidOwner = NULL; PSID pPrimaryGroup = NULL; GetKernelObjectSecurity(hToken, DACL_SECURITY_INFORMATION, pOldSd, NULL, &dwLen); pOldSd = (PSECURITY_DESCRIPTOR)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, dwLen); CHECK_NULL_RET(pOldSd); bRet = GetKernelObjectSecurity(hToken, DACL_SECURITY_INFORMATION, pOldSd, dwLen, &dwReturn); CHECK_NULL_RET(bRet); bRet = GetSecurityDescriptorDacl(pOldSd, &bAcl, &pOldAcl, &bDefAcl); CHECK_NULL_RET(bRet); dwReturn = sizeof(szUserName) / sizeof(szUserName[0]); GetUserName(szUserName, &dwReturn); BuildExplicitAccessWithName(&ea, szUserName, dwAccess, GRANT_ACCESS, NULL); dwRet = SetEntriesInAcl(1, &ea, pOldAcl, &pNewAcl); CHECK_NULL_RET((dwRet == ERROR_SUCCESS)); MakeAbsoluteSD( pOldSd, pNewSd, &dwLen, pOldAcl, &dwDaclSize, pSacl, &dwSaclSize, pSidOwner, &dwOwnerSize, pPrimaryGroup, &dwPrimaryGroupSize); pOldAcl = (PACL)HeapAlloc( GetProcessHeap(), HEAP_ZERO_MEMORY, dwDaclSize); CHECK_NULL_RET(pOldAcl); pSacl = (PACL)HeapAlloc( GetProcessHeap(), HEAP_ZERO_MEMORY, dwSaclSize); CHECK_NULL_RET(pSacl); pSidOwner = (PSID)HeapAlloc( GetProcessHeap(), HEAP_ZERO_MEMORY, dwOwnerSize); CHECK_NULL_RET(pSidOwner); pPrimaryGroup = (PSID)HeapAlloc( GetProcessHeap(), HEAP_ZERO_MEMORY, dwPrimaryGroupSize); CHECK_NULL_RET(pPrimaryGroup); pNewSd = (PSECURITY_DESCRIPTOR)HeapAlloc( GetProcessHeap(), HEAP_ZERO_MEMORY, dwLen); CHECK_NULL_RET(pNewSd); bRet = MakeAbsoluteSD( pOldSd, pNewSd, &dwLen, pOldAcl, &dwDaclSize, pSacl, &dwSaclSize, pSidOwner, &dwOwnerSize, pPrimaryGroup, &dwPrimaryGroupSize); CHECK_NULL_RET(bRet); bRet = SetSecurityDescriptorDacl( pNewSd, bAcl, pNewAcl, bDefAcl); CHECK_NULL_RET(bRet); bRet = SetKernelObjectSecurity(hToken, DACL_SECURITY_INFORMATION, pNewSd); CHECK_NULL_RET(bRet); bRet = TRUE; Exit0: if (pOldSd != NULL) HeapFree(GetProcessHeap(), HEAP_NO_SERIALIZE, pOldSd); if (pOldAcl != NULL) HeapFree(GetProcessHeap(), HEAP_NO_SERIALIZE, pOldAcl); if (pSacl != NULL) HeapFree(GetProcessHeap(), HEAP_NO_SERIALIZE, pSacl); if (pSidOwner != NULL) HeapFree(GetProcessHeap(), HEAP_NO_SERIALIZE, pSidOwner); if (pPrimaryGroup != NULL) HeapFree(GetProcessHeap(), HEAP_NO_SERIALIZE, pPrimaryGroup); if (pNewSd != NULL) HeapFree(GetProcessHeap(), HEAP_NO_SERIALIZE, pNewSd); return bRet; } BOOL PrivilegeExecStart(LPCTSTR lpszProcName, LPTSTR lpszCmdLine) { BOOL bRet = FALSE; HANDLE hProcess = INVALID_HANDLE_VALUE; HANDLE hToken = NULL; HANDLE hNewToken = NULL; DWORD dwPid = 0; STARTUPINFO si = {0}; PROCESS_INFORMATION pi = {0}; bRet = EnableProcessPrivilege(SE_DEBUG_NAME, TRUE); CHECK_NULL_RET(bRet); dwPid = GetProcessPidByName(lpszProcName); CHECK_NULL_RET((dwPid != INVALID_PROCESS_ID)); hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, dwPid); CHECK_NULL_RET(hProcess); bRet = OpenProcessToken(hProcess, READ_CONTROL | WRITE_DAC, &hToken); CHECK_NULL_RET(bRet); bRet = AdjustPrivilege(hToken, TOKEN_ALL_ACCESS); CHECK_NULL_RET(bRet); bRet = OpenProcessToken(hProcess, TOKEN_ALL_ACCESS, &hToken); CHECK_NULL_RET(bRet); bRet = DuplicateTokenEx( hToken, TOKEN_ALL_ACCESS, NULL, SecurityImpersonation, TokenPrimary, &hNewToken); CHECK_NULL_RET(bRet); si.cb = sizeof(STARTUPINFO); bRet = ImpersonateLoggedOnUser(hNewToken); CHECK_NULL_RET(bRet); bRet = CreateProcessAsUser( hToken, lpszCmdLine, NULL, NULL, NULL, FALSE, NULL, NULL, NULL, &si, &pi); CHECK_NULL_RET(bRet); bRet = TRUE; Exit0: CloseHandle(pi.hThread); CloseHandle(pi.hProcess); CloseHandle(hToken); CloseHandle(hNewToken); CloseHandle(hProcess); return bRet; } BOOL PrivilegeExecStop(void) { return RevertToSelf(); } int _tmain(int argc, _TCHAR* argv[]) { TCHAR szCmdLine[MAX_PATH] = TEXT("C:\\Windows\\regedit.exe"); if (PrivilegeExecStart(TEXT("lsass.exe"), szCmdLine)) { PrivilegeExecStop(); } return 0; } Copyed From 程序人生 Home Page:http://www.programlife.net Source URL:http://www.programlife.net/impersonateloggedonuser.html