管理員組獲取系統權限的完美解決方案.html
PSECURITY_DESCRIPTOR pAbsSD = NULL;<br />
if(MakeAbsoluteSD(pSD, pAbsSD, &dwSDLength, pAcl, &dwAclSize, pSacl,<br />
&dwSaclSize, pSidOwner, &dwSidOwnLen, pSidPrimary, &dwSidPrimLen)<br />
|| (GetLastError() != ERROR_INSUFFICIENT_BUFFER))<br />
{<br />
printf("ModifySecurity MakeAbsoluteSD Size Failed");<br />
__leave;<br />
}<br />
<br />
// Allocate the buffers<br />
pAcl = (PACL) LocalAlloc(LPTR, dwAclSize);<br />
pSacl = (PACL) LocalAlloc(LPTR, dwSaclSize);<br />
pSidOwner = (PSID) LocalAlloc(LPTR, dwSidOwnLen);<br />
pSidPrimary = (PSID) LocalAlloc(LPTR, dwSidPrimLen);<br />
pAbsSD = (PSECURITY_DESCRIPTOR) LocalAlloc(LPTR, dwSDLength);<br />
if(!(pAcl && pSacl && pSidOwner && pSidPrimary && pAbsSD))<br />
{<br />
printf("ModifySecurity Invalid SID Found");<br />
__leave;<br />
}<br />
<br />
// And actually make our SD absolute<br />
if(!MakeAbsoluteSD(pSD, pAbsSD, &dwSDLength, pAcl, &dwAclSize, pSacl,<br />
&dwSaclSize, pSidOwner, &dwSidOwnLen, pSidPrimary, &dwSidPrimLen))<br />
{<br />
printf("ModifySecurity MakeAbsoluteSD Failed");<br />
__leave;<br />
}<br />
<br />
// Now set the security descriptor DACL<br />
if(!SetSecurityDescriptorDacl(pAbsSD, fDaclPresent, pNewAcl,<br />
fDaclDefaulted))<br />
{<br />
printf("ModifySecurity SetSecurityDescriptorDacl Failed");<br />
__leave;<br />
}<br />
<br />
// And set the security for the object<br />
if(!SetKernelObjectSecurity(hProc, DACL_SECURITY_INFORMATION, pAbsSD))<br />
{<br />
printf("ModifySecurity SetKernelObjectSecurity Failed");<br />
__leave;<br />
}<br />
<br />
fSuccess = TRUE;<br />
<br />
} <br />
__finally<br />
{<br />
// Cleanup<br />
if (pNewAcl == NULL)<br />
LocalFree(pNewAcl);<br />
<br />
if (pSD == NULL)<br />
LocalFree(pSD);<br />
<br />
if (pAcl == NULL)<br />
LocalFree(pAcl);<br />
<br />
if (pSacl == NULL)<br />
LocalFree(pSacl);<br />
<br />
if (pSidOwner == NULL)<br />
LocalFree(pSidOwner);<br />
<br />
if (pSidPrimary == NULL)<br />
LocalFree(pSidPrimary);<br />
<br />
if(!fSuccess)<br />
{<br />
printf("ModifySecurity exception caught in __finally");<br />
}<br />
<br />
return(fSuccess);<br />
}<br />
}<br />
<br />
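/*
 * GetLSAToken
 *
 * Obtains a handle to the primary token of the "System" process by
 *   1. enabling SE_DEBUG_NAME in the calling process token (EnablePrivilege),
 *   2. opening the System process (OpenSystemProcess),
 *   3. opening its token with READ_CONTROL | WRITE_DAC only,
 *   4. having ModifySecurity() add an ACE for the current user granting
 *      TOKEN_DUPLICATE | TOKEN_ASSIGN_PRIMARY | TOKEN_QUERY | TOKEN_ADJUST_SESSIONID,
 *   5. reopening the token with those rights now permitted.
 *
 * Returns: a token handle on success (the caller owns it and must CloseHandle
 *          it), NULL on any failure. Failures are reported with printf.
 *
 * Every step here (SeDebugPrivilege, a WRITE_DAC handle to the System process
 * token, a DACL rewrite on that token) is the kind of activity privilege-use
 * and object-access auditing exist to record; treat it as a high-signal event
 * when reviewing logs.
 *
 * Relies on EnablePrivilege, OpenSystemProcess and ModifySecurity defined
 * elsewhere in this file.
 */
HANDLE GetLSAToken()
{
    HANDLE hProc = NULL;
    HANDLE hToken = NULL;
    BOOL bSuccess = FALSE;

    __try
    {
        // Enable the SE_DEBUG_NAME privilege in our process token
        if (!EnablePrivilege(SE_DEBUG_NAME))
        {
            printf("GetLSAToken EnablePrivilege Failed");
            __leave;
        }

        // Retrieve a handle to the "System" process
        hProc = OpenSystemProcess();
        if (hProc == NULL)
        {
            printf("GetLSAToken OpenSystemProcess Failed");
            __leave;
        }

        // Open the process token with READ_CONTROL and WRITE_DAC only: enough
        // to rewrite the token's DACL, not to use the token itself.
        if (!OpenProcessToken(hProc, READ_CONTROL | WRITE_DAC, &hToken))
        {
            printf("GetLSAToken OpenProcessToken Failed");
            __leave;
        }

        // Add an ACE for the current user so that the reopen below is allowed
        // the listed token rights.
        if (!ModifySecurity(hToken, TOKEN_DUPLICATE | TOKEN_ASSIGN_PRIMARY
                                    | TOKEN_QUERY | TOKEN_ADJUST_SESSIONID))
        {
            printf("GetLSAToken ModifySecurity Failed");
            __leave;
        }

        // The new DACL lives on the token object, so the restricted handle is
        // no longer needed. Close it before reopening; otherwise the overwrite
        // of hToken below leaks it. Resetting to NULL also stops the __finally
        // block from closing a stale value if the reopen fails.
        CloseHandle(hToken);
        hToken = NULL;

        // Reopen the token with the rights the new ACE permits.
        if (!OpenProcessToken(hProc, TOKEN_QUERY | TOKEN_DUPLICATE
                                     | TOKEN_ASSIGN_PRIMARY | READ_CONTROL | WRITE_DAC,
                              &hToken))
        {
            printf("GetLSAToken OpenProcessToken Failed");
            __leave;
        }

        bSuccess = TRUE;
    }
    __finally
    {
        // Close the System process handle; the token handle does not depend on it.
        if (hProc != NULL)
            CloseHandle(hProc);

        // On failure release whatever token handle is still held. The result is
        // returned after the __finally block rather than from inside it, which
        // avoids SEH's abnormal-termination path for a plain return.
        if (!bSuccess && hToken != NULL)
        {
            CloseHandle(hToken);
            hToken = NULL;
        }
    }

    return hToken;
}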
<br />
// Full access mask for a desktop object: the standard required rights plus
// every DESKTOP_* specific right. Presumably the mask AddAceToDesktop()
// (declared below) grants — confirm against its definition.
#define DESKTOP_ALL                                                          \
    (STANDARD_RIGHTS_REQUIRED | DESKTOP_READOBJECTS | DESKTOP_CREATEWINDOW | \
     DESKTOP_CREATEMENU | DESKTOP_HOOKCONTROL | DESKTOP_JOURNALRECORD |      \
     DESKTOP_JOURNALPLAYBACK | DESKTOP_ENUMERATE | DESKTOP_WRITEOBJECTS |    \
     DESKTOP_SWITCHDESKTOP)

// Full access mask for a window station: the standard required rights plus
// every WINSTA_* specific right. Presumably the mask AddAceToWindowStation()
// (declared below) grants — confirm against its definition.
#define WINSTA_ALL                                                           \
    (STANDARD_RIGHTS_REQUIRED | WINSTA_ENUMDESKTOPS | WINSTA_READATTRIBUTES | \
     WINSTA_ACCESSCLIPBOARD | WINSTA_CREATEDESKTOP | WINSTA_WRITEATTRIBUTES | \
     WINSTA_ACCESSGLOBALATOMS | WINSTA_EXITWINDOWS | WINSTA_ENUMERATE |       \
     WINSTA_READSCREEN)

// All four generic access bits combined. How the ACE helpers use this (e.g.
// to detect generic rights in an existing ACE) is not visible here — confirm.
#define GENERIC_ACCESS \
    (GENERIC_ALL | GENERIC_EXECUTE | GENERIC_WRITE | GENERIC_READ)

// Grant the given SID an ACE on the window station; defined later in the file.
BOOL AddAceToWindowStation(HWINSTA hwinsta, PSID psid);

// Grant the given SID an ACE on the desktop; defined later in the file.
BOOL AddAceToDesktop(HDESK hdesk, PSID psid);
<br />
BOOL GetLogonSID(HANDLE hToken, PSID *ppsid)<br />
{<br />
PWTS_PROCESS_INFO pProcessInfo = NULL;<br />
DWORD ProcessCount = 0;<br />
BOOL ret=FALSE;<br />
<br />
if (WTSEnumerateProcesses(WTS_CURRENT_SERVER_HANDLE, 0, 1, &pProcessInfo, &ProcessCount))<br />
{<br />
// dump each process description<br />
for (DWORD CurrentProcess = 0; CurrentProcess < ProcessCount; CurrentProcess++)<br />
{<br />
<br />
if( strcmp(pProcessInfo[CurrentProcess].pProcessName, "System") == 0 )<br />
{<br />
//*ppsid = pProcessInfo[CurrentProcess].pUserSid;<br />
DWORD dwLength = GetLengthSid(pProcessInfo[CurrentProcess].pUserSid);<br />
*ppsid = (PSID) HeapAlloc(GetProcessHeap(),<br />
HEAP_ZERO_MEMORY, dwLength);<br />
if (*ppsid == NULL)<br />
break;<br />
if (!CopySid(dwLength, *ppsid, pProcessInfo[CurrentProcess].pUserSid)) <br />
{<br />
HeapFree(GetProcessHeap(), 0, (LPVOID)*ppsid);<br />
break;<br />
}<br />
ret=TRUE;<br />
&nb