VC++ 提升自身权限为system

751k8

#include "stdafx.h"
#include <windows.h>
#include <tlhelp32.h>
#include <Psapi.h>
#pragma comment(lib,"Psapi.lib")
#include "Shellapi.h"
#include <TLHELP32.H>
#include <aclapi.h>

int ProcessExit(LPCTSTR szProcName,int x)
{
PROCESSENTRY32 pe;
DWORD dwRet;
BOOL bFound = FALSE;
HANDLE hProcess;
char fileName[1024] = {0};
HANDLE hSP = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (hSP)
{
  pe.dwSize = sizeof(pe);
  
  for (dwRet = Process32First(hSP, &pe);
  dwRet;
  dwRet = Process32Next(hSP, &pe))
  {
   if(x){
    if (lstrcmpi( szProcName, pe.szExeFile) == 0)
    {
     bFound = TRUE;
     break;
    }
   }
   else
    {
    hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ,FALSE,pe.th32ProcessID);
    if(hProcess)
    {
     Sleep(1);
     GetModuleFileNameEx(hProcess,NULL, (LPSTR)fileName,sizeof(fileName));
     Sleep(1);
     if (lstrcmpi( szProcName, fileName) == 0)
     {
      bFound = TRUE;
      break;
     }
    }
     CloseHandle(hProcess);
   }
  }
  CloseHandle(hSP);
}
return bFound;
}

typedef HANDLE (WINAPI *CreateMutexAT)

(
__in_opt LPSECURITY_ATTRIBUTES lpMutexAttributes,
__in     BOOL bInitialOwner,
__in_opt LPCSTR lpName
);


BOOL
EnableDebugPriv( LPCTSTR szPrivilege )
{
HANDLE hToken;
LUID sedebugnameValue;
TOKEN_PRIVILEGES tkp;

if ( !OpenProcessToken( GetCurrentProcess(),
  TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,
  &hToken ) )
{
  return FALSE;
}
if ( !LookupPrivilegeValue( NULL, szPrivilege, &sedebugnameValue ) )
{
  CloseHandle( hToken );
  return FALSE;
}

tkp.PrivilegeCount = 1;
tkp.Privileges[0].Luid = sedebugnameValue;
tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

if ( !AdjustTokenPrivileges( hToken, FALSE, &tkp, sizeof tkp, NULL, NULL ) )
{
  CloseHandle( hToken );
  return FALSE;
}

return TRUE;
}


DWORD
GetProcessId( LPCTSTR szProcName )
{
PROCESSENTRY32 pe;  
DWORD dwPid;
DWORD dwRet;
BOOL bFound = FALSE;

//
// 通过 TOOHLP32 函数枚举进程
//

HANDLE hSP = CreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0 );
if ( hSP )
{
  pe.dwSize = sizeof( pe );
  
  for ( dwRet = Process32First( hSP, &pe );
  dwRet;
  dwRet = Process32Next( hSP, &pe ) )
  {
   //
   // 使用 StrCmpNI 比较字符传，可忽略大小写
   //
   if ( lstrcmpi(szProcName, pe.szExeFile) == 0 )
   {
    dwPid = pe.th32ProcessID;
    bFound = TRUE;
    break;
   }
  }
  
  CloseHandle( hSP );
  
  if ( bFound == TRUE )
  {
   return dwPid;
  }
}

return NULL;
}


BOOL CreateSystemProcess( LPTSTR szProcessName )
{
HANDLE hProcess;
HANDLE hToken, hNewToken;
DWORD dwPid;

PACL pOldDAcl = NULL;
PACL pNewDAcl = NULL;
BOOL bDAcl;
BOOL bDefDAcl;
DWORD dwRet;

PACL pSacl = NULL;
PSID pSidOwner = NULL;
PSID pSidPrimary = NULL;
DWORD dwAclSize = 0;
DWORD dwSaclSize = 0;
DWORD dwSidOwnLen = 0;
DWORD dwSidPrimLen = 0;

DWORD dwSDLen;
EXPLICIT_ACCESS ea;
PSECURITY_DESCRIPTOR pOrigSd = NULL;
PSECURITY_DESCRIPTOR pNewSd = NULL;

STARTUPINFO si;
PROCESS_INFORMATION pi;

BOOL bError;

if (!EnableDebugPriv("SeDebugPrivilege"))
{
  bError = TRUE;
  goto Cleanup;
}

if ( ( dwPid = GetProcessId("WINLOGON.EXE") ) == NULL )
{
  bError = TRUE;
  goto Cleanup;
}

hProcess = OpenProcess( MAXIMUM_ALLOWED, FALSE, dwPid );
if ( hProcess == NULL )
{
  bError = TRUE;
  goto Cleanup;
}

if ( !OpenProcessToken( hProcess, READ_CONTROL | WRITE_DAC, &hToken ) )
{
  bError = TRUE;
  goto Cleanup;
}

ZeroMemory( &ea, sizeof( EXPLICIT_ACCESS ) );
BuildExplicitAccessWithName( &ea,
  "Everyone",
  TOKEN_ALL_ACCESS,
  GRANT_ACCESS,
  0 );

if ( !GetKernelObjectSecurity( hToken,
  DACL_SECURITY_INFORMATION,
  pOrigSd,
  0,
  &dwSDLen ) )
{
  
  if ( GetLastError() == ERROR_INSUFFICIENT_BUFFER )
  {
   pOrigSd = ( PSECURITY_DESCRIPTOR ) HeapAlloc( GetProcessHeap(),
    HEAP_ZERO_MEMORY,
    dwSDLen );
   if ( pOrigSd == NULL )
   {
    bError = TRUE;
    goto Cleanup;
   }
   
   if ( !GetKernelObjectSecurity( hToken,
    DACL_SECURITY_INFORMATION,
    pOrigSd,
    dwSDLen,
    &dwSDLen ) )
   {
    bError = TRUE;
    goto Cleanup;
   }
  }
  else
  {
   bError = TRUE;
   goto Cleanup;
  }
}

if ( !GetSecurityDescriptorDacl( pOrigSd, &bDAcl, &pOldDAcl, &bDefDAcl ) )
{
  bError = TRUE;
  goto Cleanup;
}


dwRet = SetEntriesInAcl( 1, &ea, pOldDAcl, &pNewDAcl );
if ( dwRet != ERROR_SUCCESS )
{
  pNewDAcl = NULL;
  
  bError = TRUE;
  goto Cleanup;
}

if ( !MakeAbsoluteSD( pOrigSd,
  pNewSd,
  &dwSDLen,
  pOldDAcl,
  &dwAclSize,
  pSacl,
  &dwSaclSize,
  pSidOwner,
  &dwSidOwnLen,
  pSidPrimary,
  &dwSidPrimLen ) )
{
  
  if ( GetLastError() == ERROR_INSUFFICIENT_BUFFER )
  {
   pOldDAcl = ( PACL ) HeapAlloc( GetProcessHeap(),
    HEAP_ZERO_MEMORY,
    dwAclSize );
   pSacl = ( PACL ) HeapAlloc( GetProcessHeap(),
    HEAP_ZERO_MEMORY,
    dwSaclSize );
   pSidOwner = ( PSID ) HeapAlloc( GetProcessHeap(),
    HEAP_ZERO_MEMORY,
    dwSidOwnLen );
   pSidPrimary = ( PSID ) HeapAlloc( GetProcessHeap(),
    HEAP_ZERO_MEMORY,
    dwSidPrimLen );
   pNewSd = ( PSECURITY_DESCRIPTOR ) HeapAlloc( GetProcessHeap(),
    HEAP_ZERO_MEMORY,
    dwSDLen );
   
   if ( pOldDAcl == NULL ||
    pSacl == NULL ||
    pSidOwner == NULL ||
    pSidPrimary == NULL ||
    pNewSd == NULL )
   {
    bError = TRUE;
    goto Cleanup;
   }
   
   //
   // 再次调用才可以成功创建新的安全描述符 pNewSd
   // 但新的安全描述符仍然是原访问控制列表 ACL
   //
   if ( !MakeAbsoluteSD( pOrigSd,
    pNewSd,
    &dwSDLen,
    pOldDAcl,
    &dwAclSize,
    pSacl,
    &dwSaclSize,
    pSidOwner,
    &dwSidOwnLen,
    pSidPrimary,
    &dwSidPrimLen ) )
   {
    bError = TRUE;
    goto Cleanup;
   }
  }
  else
  {
   bError = TRUE;
   goto Cleanup;
  }
}

if ( !SetSecurityDescriptorDacl( pNewSd, bDAcl, pNewDAcl, bDefDAcl ) )
{
  bError = TRUE;
  goto Cleanup;
}

if ( !SetKernelObjectSecurity( hToken, DACL_SECURITY_INFORMATION, pNewSd ) )
{
  bError = TRUE;
  goto Cleanup;
}

if ( !OpenProcessToken( hProcess, TOKEN_ALL_ACCESS, &hToken ) )
{
  bError = TRUE;
  goto Cleanup;
}

if ( !DuplicateTokenEx( hToken,
  TOKEN_ALL_ACCESS,
  NULL,
  SecurityImpersonation,
  TokenPrimary,
  &hNewToken ) )
{
  bError = TRUE;
  goto Cleanup;
}


ZeroMemory( &si, sizeof( STARTUPINFO ) );
si.cb = sizeof( STARTUPINFO );

ImpersonateLoggedOnUser( hNewToken );

if ( !CreateProcessAsUser( hNewToken,
  NULL,
  szProcessName,
  NULL,
  NULL,
  FALSE,
  NULL, //NORMAL_PRIORITY_CLASS | CREATE_NEW_CONSOLE,
  NULL,
  NULL,
  &si,
  &pi ) )
{
  bError = TRUE;
  goto Cleanup;
}

bError = FALSE;

Cleanup:
if ( pOrigSd )
{
  HeapFree( GetProcessHeap(), 0, pOrigSd );
}
if ( pNewSd )
{
  HeapFree( GetProcessHeap(), 0, pNewSd );
}
if ( pSidPrimary )
{
  HeapFree( GetProcessHeap(), 0, pSidPrimary );
}
if ( pSidOwner )
{
  HeapFree( GetProcessHeap(), 0, pSidOwner );
}
if ( pSacl )
{
  HeapFree( GetProcessHeap(), 0, pSacl );
}
if ( pOldDAcl )
{
  HeapFree( GetProcessHeap(), 0, pOldDAcl );
}

CloseHandle( pi.hProcess );
CloseHandle( pi.hThread );
CloseHandle( hToken );
CloseHandle( hNewToken );
CloseHandle( hProcess );

if ( bError )
{
  return FALSE;
}

return TRUE;
}





int APIENTRY WinMain(HINSTANCE hInstance,
                     HINSTANCE hPrevInstance,
                     LPSTR     lpCmdLine,
                     int       nCmdShow)
{



char strInstallModule[MAX_PATH];
memset(strInstallModule, 0, sizeof(strInstallModule));
GetModuleFileName(NULL,strInstallModule,sizeof(strInstallModule));

CreateSystemProcess(strInstallModule);
  Sleep(1000);
  return 0;
}



以上是提升自身权限为system

完整代码 可以提升自己为system

lwb_hao

想钱钱的疯子！！！

ikkyphoenix

多谢分享！

onflypuma

谢谢分享！