现在的位置: 首页 > 综合 > 正文

服务进程创建一个带窗口的进程,过UAC

2019年03月19日 ⁄ 综合 ⁄ 共 4145字 ⁄ 字号 评论关闭 
主要代码如下:
DWORD FindSessionPid(LPSTR lpProcessName, DWORD dwSessionId)
{
DWORD res = 0;

PROCESSENTRY32 procEntry;

HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (hSnap == INVALID_HANDLE_VALUE)
{
   return res ;
}

procEntry.dwSize = sizeof(PROCESSENTRY32);

if (!Process32First(hSnap, &procEntry))
{
   goto _end;
}

do
{
   if (_stricmp(procEntry.szExeFile, lpProcessName) == 0)
   {
    DWORD winlogonSessId = 0;
    if (ProcessIdToSessionId(procEntry.th32ProcessID, &winlogonSessId) && winlogonSessId == dwSessionId)
    {
     res = procEntry.th32ProcessID;
     break;
    }
   }

} while (Process32Next(hSnap, &procEntry));

_end:
CloseHandle(hSnap);
return res;
}

BOOL LaunchAppIntoDifferentSession(LPSTR lpCmdLine)
{
PROCESS_INFORMATION pi;
STARTUPINFO si;
BOOL bResult = FALSE;
DWORD dwSessionId = 0, winlogonPid = 0;
HANDLE hUserToken, hUserTokenDup, hPToken, hProcess;
DWORD dwCreationFlags;

// Log the client on to the local computer.

typedef DWORD (WINAPI *__pfnWTSGetActiveConsoleSessionId)();
typedef BOOL (WINAPI *__pfnWTSQueryUserToken)( ULONG SessionId, PHANDLE phToken );

__pfnWTSGetActiveConsoleSessionId pfnWTSGetActiveConsoleSessionId =
   (__pfnWTSGetActiveConsoleSessionId)GetProcAddress(LoadLibraryA("kernel32.dll"), "WTSGetActiveConsoleSessionId");

__pfnWTSQueryUserToken pfnWTSQueryUserToken =
   (__pfnWTSQueryUserToken)GetProcAddress(LoadLibraryA("Wtsapi32.dll"), "WTSQueryUserToken");

if(pfnWTSGetActiveConsoleSessionId == NULL)
{
   WriteLog("Not found api: WTSGetActiveConsoleSessionId\n");
   return 0;
}
if(pfnWTSQueryUserToken == NULL)
{
   WriteLog("Not found api: WTSQueryUserToken\n");
   return 0;
}

dwSessionId = pfnWTSGetActiveConsoleSessionId();

winlogonPid = FindSessionPid("explorer.exe", dwSessionId);

if(winlogonPid == 0)
{
   winlogonPid = FindSessionPid("winlogon.exe", dwSessionId);
}

if(winlogonPid == 0)
{
   WriteLog("Can't Find Explorer\n");
   return 0;
}

////////////////////////////////////////////////////////////////////////

dwCreationFlags = NORMAL_PRIORITY_CLASS|CREATE_NEW_CONSOLE;
ZeroMemory(&si, sizeof(STARTUPINFO));
si.cb= sizeof(STARTUPINFO);
si.lpDesktop = "winsta0\\default";
ZeroMemory(&pi, sizeof(pi));

TOKEN_PRIVILEGES tp;
LUID luid;
LPVOID TokenInformation;
DWORD RetLen = 0;

if( !pfnWTSQueryUserToken(dwSessionId, &hUserToken) )
{
   hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, winlogonPid);

   if(!OpenProcessToken(hProcess, TOKEN_ALL_ACCESS_P, &hPToken))
   {
    char pTemp[121];
    sprintf(pTemp, "Process token open Error: %u\n", GetLastError());
    WriteLog(pTemp);
   }

   if(hPToken == NULL)
   {
    WriteLog("Process tokenError: \n");
   }
}
else
{
   hPToken = hUserToken;
}

if(GetTokenInformation(hPToken, TokenLinkedToken, &TokenInformation, 4, &RetLen))
{
   hUserTokenDup = TokenInformation;
}
else
{
    if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid))
    {
     char pTemp[121];
     sprintf(pTemp, "Lookup Privilege value Error: %u\n", GetLastError());
     WriteLog(pTemp);
    }

   if(!DuplicateTokenEx(hPToken, MAXIMUM_ALLOWED, NULL, SecurityIdentification, TokenPrimary, &hUserTokenDup))
   {
    char pTemp[121];
    sprintf(pTemp, "DuplicateTokenEx Error: %u\n", GetLastError());
    WriteLog(pTemp);
   }
}

LPVOID pEnv = NULL;

if(CreateEnvironmentBlock(&pEnv, hUserTokenDup, TRUE))
{
   dwCreationFlags |= CREATE_UNICODE_ENVIRONMENT;
}
else
{
   WriteLog("CreateEnvironmentBlock Failed\n");
   pEnv = NULL;
}

// Launch the process in the client's logon session.

bResult = CreateProcessAsUser(
   hUserTokenDup,            // client's access token
   NULL,       // file to execute
   lpCmdLine,         // command line     
   NULL,              // pointer to process SECURITY_ATTRIBUTES
   NULL,              // pointer to thread SECURITY_ATTRIBUTES
   FALSE,             // handles are not inheritable
   dwCreationFlags,   // creation flags
   pEnv,              // pointer to new environment block
   NULL,              // name of current directory
   &si,               // pointer to STARTUPINFO structure
   &pi                // receives information about new process
   );
// End impersonation of client.

//GetLastError Shud be 0

int iResultOfCreateProcessAsUser = GetLastError();

if(bResult == FALSE && iResultOfCreateProcessAsUser != 0)
{
   char pTemp[121];
   sprintf(pTemp, "CreateProcessAsUser Error: %u\n", GetLastError());
   WriteLog(pTemp);
}

if(pi.hProcess)
{
   CloseHandle(pi.hProcess);
}
if(pi.hThread)
{
   CloseHandle(pi.hThread);
}

//Perform All the Close Handles task

if(hProcess)
{
   CloseHandle(hProcess);
}
if(hUserToken)
{
   CloseHandle(hUserToken);
}
if(hUserTokenDup)
{
   CloseHandle(hUserTokenDup);
}
if(hPToken)
{
   CloseHandle(hPToken);
}
if(pEnv)
{
   DestroyEnvironmentBlock(pEnv);
}

return bResult;
}

调用方式:

LaunchAppIntoDifferentSession("c:\\windows\\notepad.exe");

前提是有个服务进程已经启动,然后服务进程会以管理员模式(不需要用户点UAC的框)启动一个新的可以创建窗口的进程。

安装这个服务需要点UAC的框,所以不是什么不可公开的思路。好处就一点:每次自启动的进程,不需要再让用户点UAC框了

返回
【上篇】
【下篇】

作者:

抱歉!评论已关闭.

返回首页

Copyright © 2013-2018 学步园  保留所有权利.
软文销售 QQ客服:2265327166 点击这里给我发消息(其他合作也可洽谈)
必威体育
必威电竞