win下实现切换帐号的方法
来源:互联网 发布:电工理论与新技术 知乎 编辑:程序博客网 时间:2024/05/16 14:28
1
/**//* su切换用户2
* 2004/12/28 1.0,发现Bingle的wsu是假冒令牌,权限并没有真正设置.3
* 2004/12/29 2.0,真正实现模拟用户令牌的动作.4
* 2004/12/29 3.0,即使帐号禁止也可以模拟用户5
* 2004/12/30 4.0, 可以模拟SYSTEM用户,权限24个,全部默认开放6
* 2004/12/30 4.1 终端登陆用户可以获取管理员组/SYSTEM权限.普通用户失败.7
*/8
#include <stdio.h>9
#include <stdlib.h>10
#include <winsock2.h>11
#include <lm.h>12
#include <Ntsecapi.h>13
#include <Accctrl.h>14
#include <Aclapi.h>15
#include <Tlhelp32.h>16
#include <windows.h>17
18
19
#pragma comment(lib,"ws2_32")20
#pragma comment(lib,"Advapi32")21
#pragma comment(lib,"User32")22
#pragma comment(lib,"Netapi32")23
24
#define SIZE 102425
#define VERSION "4.1"26
27
#define STATUS_SUCCESS ((NTSTATUS)0x00000000L)28
#define WINSTA_ALL (WINSTA_ACCESSCLIPBOARD|WINSTA_ACCESSGLOBALATOMS|WINSTA_CREATEDESKTOP| WINSTA_ENUMDESKTOPS|WINSTA_ENUMERATE|WINSTA_EXITWINDOWS|WINSTA_READATTRIBUTES | WINSTA_READSCREEN|WINSTA_WRITEATTRIBUTES|DELETE|READ_CONTROL| WRITE_DAC|WRITE_OWNER)29
#define DESKTOP_ALL (DESKTOP_CREATEMENU|DESKTOP_CREATEWINDOW|DESKTOP_ENUMERATE|DESKTOP_HOOKCONTROL|DESKTOP_JOURNALPLAYBACK|DESKTOP_JOURNALRECORD|DESKTOP_READOBJECTS | DESKTOP_SWITCHDESKTOP|DESKTOP_WRITEOBJECTS|DELETE|READ_CONTROL| WRITE_DAC|WRITE_OWNER)30
#define GENERIC_ACCESS (GENERIC_READ|GENERIC_WRITE|GENERIC_EXECUTE|GENERIC_ALL)31
#define SE_GROUP_RESOURCE (0x20000000L)32
33
typedef struct _OBJECT_ATTRIBUTES 34
{ 35
ULONG Length;36
HANDLE RootDirectory;37
PUNICODE_STRING ObjectName;38
ULONG Attributes;39
PVOID SecurityDescriptor;40
PVOID SecurityQualityOfService;41
} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES; 42
43
typedef enum _LSA_TOKEN_INFORMATION_TYPE { 44
LsaTokenInformationNull, // Implies LSA_TOKEN_INFORMATION_NULL data type45
LsaTokenInformationV1, // Implies LSA_TOKEN_INFORMATION_V1 data type46
LsaTokenInformationV2 // Implies LSA_TOKEN_INFORMATION_V2 data type47
} LSA_TOKEN_INFORMATION_TYPE, *PLSA_TOKEN_INFORMATION_TYPE;48
49
typedef struct _LSA_TOKEN_INFORMATION_NULL 50
{ 51
LARGE_INTEGER ExpirationTime;52
PTOKEN_GROUPS Groups;53
} LSA_TOKEN_INFORMATION_NULL, *PLSA_TOKEN_INFORMATION_NULL;54
55
typedef NTSTATUS (*PNtCreateToken)(56
PHANDLE TokenHandle,57
ACCESS_MASK DesiredAccess,58
POBJECT_ATTRIBUTES ObjectAttributes,59
TOKEN_TYPE TokenType,60
PLUID AuthenticationId,61
PLARGE_INTEGER ExpirationTime,62
PTOKEN_USER TokenUser,63
PTOKEN_GROUPS TokenGroups,64
PTOKEN_PRIVILEGES TokenPrivileges,65
PTOKEN_OWNER TokenOwner,66
PTOKEN_PRIMARY_GROUP TokenPrimaryGroup,67
PTOKEN_DEFAULT_DACL TokenDefaultDacl,68
PTOKEN_SOURCE TokenSource69
);70
71
72
typedef struct _PROFILEINFO { 73
DWORD dwSize; 74
DWORD dwFlags; 75
LPTSTR lpUserName; 76
LPTSTR lpProfilePath; 77
LPTSTR lpDefaultPath; 78
LPTSTR lpServerName; 79
LPTSTR lpPolicyPath; 80
HANDLE hProfile; 81
} PROFILEINFO, *LPPROFILEINFO;82
83
typedef BOOL (*PLoadUserProfile)(84
HANDLE hToken, // user token85
LPPROFILEINFO lpProfileInfo // profile86
);87
88
89
typedef BOOL (*PUnloadUserProfile)(90
HANDLE hToken, // user token91
HANDLE hProfile // handle to registry key92
); 93
BOOL cback = 0;94
char *system_user = NULL;95
int lsasspid = 0;96
unsigned int DebugLevel = 7;97
98
/**//* 函数定义开始 */99
void usage(char *s);100
int GrantPriv();101
HANDLE CreateTokenAsUser(char *user);102
BOOL ConvertSidToStringSid(PSID pSid,LPTSTR TextualSid, LPDWORD lpdwBufferLen);103
BOOL GetUserGroup(char *username,char ***name,int *groupcount);104
PSID GetUserSid(char *LookupUser);105
HANDLE NtCreateTokenAsuser(char *user);106
int GrantPrivFromLsass(int pid);107
void *GetFromToken(HANDLE hToken, TOKEN_INFORMATION_CLASS tic);108
void pfree(void *p);109
LUID GetLuidFromText(char *s);110
TOKEN_PRIVILEGES *MakeAdminPriv();111
BOOL AddUserPrivToHandle(HANDLE Hhandle,char *s,ACCESS_MODE mode);112
113
/**//* 函数定义结束 */114
int main(int argc,char **argv)115
{ 116
int i;117
WSADATA wsd;118
HANDLE NewToken;119
PLoadUserProfile LoadUserProfile;120
PUnloadUserProfile UnloadUserProfile;121
HMODULE UserenvModule;122
123
printf( "su.exe like unix su tool,version %s \n"124
"by bkbll (bkbll#cnhonker.net) http://www.cnhonker.com\n\n",VERSION);125
126
if((argc>1) && (strnicmp(argv[1],"-h",2) == 0))127
{ 128
usage(argv[0]);129
return -1;130
}131
for(i=1;i<argc;i+=2)132
{ 133
if(strlen(argv[i]) != 2)134
{ 135
usage(argv[0]);136
return -1;137
}138
switch(argv[i][1])139
{ 140
case 'u':141
system_user = argv[i+1];142
break;143
case 'D':144
DebugLevel = atoi(argv[i+1]);145
break;146
147
}148
}149
if(system_user == NULL)150
{ 151
usage(argv[0]);152
return -1;153
}154
UserenvModule = LoadLibrary("Userenv.dll");155
if(UserenvModule == NULL )156
{ 157
printf("[-] GetModuleHandle Userenv error:%d\n",GetLastError());158
return -1;159
}160
LoadUserProfile = (PLoadUserProfile) GetProcAddress(UserenvModule,"LoadUserProfileA");161
if(LoadUserProfile == NULL)162
{ 163
printf("[-] GetProcAddress LoadUserProfile error:%d\n",GetLastError());164
return -1;165
}166
167
UnloadUserProfile = (PUnloadUserProfile) GetProcAddress(UserenvModule,"UnloadUserProfile");168
if(UnloadUserProfile == NULL)169
{ 170
printf("[-] GetProcAddress UnloadUserProfile error:%d\n",GetLastError());171
return -1;172
}173
174
if (WSAStartup(MAKEWORD(2,2), &wsd) != 0)175
{ 176
printf("[-] WSAStartup error:%d\n", WSAGetLastError());177
return -1;178
}179
//首先建立一个TOKEN,这里假设是ADMIN用户180
//提升自己权限,先.181
printf("[+] Enable SeDebugPrivilege..\n");182
if(GrantPriv("SeDebugPrivilege") < 0)183
return -1;184
printf("[+] Get Lsass.exe Pid."); 185
fflush(NULL);186
lsasspid = GetPidOfProcess("lsass.exe");187
if(lsasspid == -1)188
{ 189
printf("Get Pid of services failed\n");190
return -1;191
}192
printf("%d\n",lsasspid);193
//从Lsass继承权限.194
printf("[+] GrantPrivilege From Lsass .\n");195
if(GrantPrivFromLsass(lsasspid) == 0)196
{ 197
//建立一个TOKEN198
//NewToken = CreateTokenAsUser(system_user);199
printf("[+] Calling NtCreateTokenAsuser \n");200
NewToken = NtCreateTokenAsuser(system_user);201
if(NewToken != INVALID_HANDLE_VALUE)202
{ 203
STARTUPINFO si;204
PROCESS_INFORMATION pi;205
PROFILEINFO ProfileInfo;206
207
208
printf("[+] CreateProcess By that Token\n"); 209
fflush(stdout);210
Sleep(1000);211
LoadUserProfile(NewToken,&ProfileInfo);212
213
ZeroMemory( &si, sizeof(si) );214
si.cb = sizeof(si);215
//si.lpDesktop = TEXT("winstaABC\\testdesktop");216
ZeroMemory( &pi, sizeof(pi) );217
if( !CreateProcessAsUser( NewToken,218
NULL, // No module name (use command line). 219
"cmd", // Command line. 220
NULL, // Process handle not inheritable. 221
NULL, // Thread handle not inheritable. 222
TRUE, // Set handle inheritance to FALSE. 223
0, // No creation flags. 224
NULL, // Use parent's environment block. 225
NULL, // Use parent's starting directory. 226
&si, // Pointer to STARTUPINFO structure.227
&pi ) // Pointer to PROCESS_INFORMATION structure.228
) 229
{ 230
printf( "CreateProcessAsuser failed:%d.",GetLastError());231
exit(0);232
}233
234
// Wait until child process exits.235
WaitForSingleObject( pi.hProcess, INFINITE );236
// Close process and thread handles. 237
CloseHandle( pi.hProcess );238
CloseHandle( pi.hThread );239
printf("[-] Process exited.\n");240
UnloadUserProfile(NewToken,ProfileInfo.hProfile);241
CloseHandle(NewToken);242
//用这个Token建立进程243
}244
}245
WSACleanup();246
exit(0);247
}248
//获得指定exe的PID249
int GetPidOfProcess(char *exe)250
{ 251
HANDLE hProcessSnap = NULL; 252
BOOL bRet = FALSE; 253
PROCESSENTRY32 pe32;254
int pid;255
256
memset(&pe32,0,sizeof(PROCESSENTRY32));257
pid = -1;258
hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0); 259
if (hProcessSnap == INVALID_HANDLE_VALUE) 260
{ 261
printf("CreateToolhelp32Snapshot Failed:%d\n",GetLastError());262
return pid; 263
}264
//copy from MSDN265
pe32.dwSize = sizeof(PROCESSENTRY32); 266
if (Process32First(hProcessSnap, &pe32)) 267
{ 268
do269
{ 270
if(stricmp(pe32.szExeFile,exe) == 0)271
{ 272
pid = pe32.th32ProcessID;273
break;274
}275
//printf( "PID:%d\n", pe32.th32ProcessID);276
//printf( "exepath:%s\n", pe32.szExeFile);277
} while(Process32Next(hProcessSnap, &pe32)); 278
} 279
else 280
return pid;281
// Do not forget to clean up the snapshot object. 282
CloseHandle(hProcessSnap); 283
return pid; 284
}285
//返回指定用户/组的SID286
PSID GetUserSid(char *LookupUser)287
{ 288
SID *GroupSid;289
//char StringSid[SIZE];290
//DWORD SidSize,GroupCount;291
char *DomainName;292
//**UserGroup,*CurrentUser;293
DWORD cbSid,cbDomainName;294
SID_NAME_USE peUse;295
int ErrorCode,i;296
297
cbDomainName = 0;298
cbSid = 0;299
LookupAccountName(NULL,LookupUser,NULL,&cbSid,NULL,&cbDomainName,&peUse);300
ErrorCode = GetLastError();301
if(ErrorCode == ERROR_INSUFFICIENT_BUFFER) //122302
{ 303
//printf("Buffer is small. require cbSid %d bytes,cbDomainName %d bytes\n",cbSid,cbDomainName);304
GroupSid = (SID *) malloc(cbSid + 1);305
DomainName = (char*) malloc(cbDomainName + 1);306
if((GroupSid == NULL) || (DomainName == NULL))307
{ 308
printf("Malloc failed:%d\n",GetLastError());309
return NULL;310
}311
memset(GroupSid,0,cbSid + 1);312
memset(DomainName,0,cbDomainName + 1);313
}314
else315
{ 316
printf("LookupAccountName in GetUserSid(\"%s\") Failed:%d\n",LookupUser,ErrorCode);317
return NULL;318
}319
if(!LookupAccountName(NULL,LookupUser,GroupSid,&cbSid,DomainName,&cbDomainName,&peUse))320
{ 321
printf("LookupAccountName GetUserSid(\"%s\") After Malloc Failed:%d\n",LookupUser,GetLastError());322
return NULL;323
}324
pfree(DomainName);325
return GroupSid;326
}327
328
//建立Administrators和SYSTEM 共用的privilege329
TOKEN_PRIVILEGES *MakeAdminPriv()330
{ 331
TOKEN_PRIVILEGES *token_privileges;332
DWORD i,PrivilegeCount;333
334
i = 0;335
PrivilegeCount = 24;336
token_privileges = (PTOKEN_PRIVILEGES) malloc(4 + (3*4)*PrivilegeCount + 4);337
if(token_privileges == NULL)338
{ 339
printf("malloc failed for PTOKEN_PRIVILEGES in NtCreateTokenAsuser\n");340
return NULL;341
}342
token_privileges->PrivilegeCount = PrivilegeCount;343
//0344
token_privileges->Privileges[i].Attributes = 3;345
token_privileges->Privileges[i++].Luid = GetLuidFromText("SeTcbPrivilege");346
//1347
token_privileges->Privileges[i].Attributes = 3;348
token_privileges->Privileges[i++].Luid = GetLuidFromText("SeCreateTokenPrivilege");349
//2350
token_privileges->Privileges[i].Attributes = 3;351
token_privileges->Privileges[i++].Luid = GetLuidFromText("SeTakeOwnershipPrivilege");352
//3 353
token_privileges->Privileges[i].Attributes = 3;354
token_privileges->Privileges[i++].Luid = GetLuidFromText("SeCreatePagefilePrivilege");355
//4356
token_privileges->Privileges[i].Attributes = 3;357
token_privileges->Privileges[i++].Luid = GetLuidFromText("SeLockMemoryPrivilege");358
//5359
token_privileges->Privileges[i].Attributes = 3;360
token_privileges->Privileges[i++].Luid = GetLuidFromText("SeAssignPrimaryTokenPrivilege");361
//6362
token_privileges->Privileges[i].Attributes = 3;363
token_privileges->Privileges[i++].Luid = GetLuidFromText("SeIncreaseQuotaPrivilege");364
//7 365
token_privileges->Privileges[i].Attributes = 3;366
token_privileges->Privileges[i++].Luid = GetLuidFromText("SeIncreaseBasePriorityPrivilege");367
//8368
token_privileges->Privileges[i].Attributes = 3;369
token_privileges->Privileges[i++].Luid = GetLuidFromText("SeCreatePermanentPrivilege");370
//9371
token_privileges->Privileges[i].Attributes = 3;372
token_privileges->Privileges[i++].Luid = GetLuidFromText("SeDebugPrivilege");373
//10374
token_privileges->Privileges[i].Attributes = 3;375
token_privileges->Privileges[i++].Luid = GetLuidFromText("SeAuditPrivilege");376
//11377
token_privileges->Privileges[i].Attributes = 3;378
token_privileges->Privileges[i++].Luid = GetLuidFromText("SeSecurityPrivilege");379
//12380
token_privileges->Privileges[i].Attributes = 3;381
token_privileges->Privileges[i++].Luid = GetLuidFromText("SeSystemEnvironmentPrivilege");382
//13383
token_privileges->Privileges[i].Attributes = 3;384
token_privileges->Privileges[i++].Luid = GetLuidFromText("SeChangeNotifyPrivilege");385
//14386
token_privileges->Privileges[i].Attributes = 3;387
token_privileges->Privileges[i++].Luid = GetLuidFromText("SeBackupPrivilege");388
//15389
token_privileges->Privileges[i].Attributes = 3;390
token_privileges->Privileges[i++].Luid = GetLuidFromText("SeRestorePrivilege");391
//16392
token_privileges->Privileges[i].Attributes = 3;393
token_privileges->Privileges[i++].Luid = GetLuidFromText("SeShutdownPrivilege");394
//17395
token_privileges->Privileges[i].Attributes = 3;396
token_privileges->Privileges[i++].Luid = GetLuidFromText("SeLoadDriverPrivilege");397
//18398
token_privileges->Privileges[i].Attributes = 3;399
token_privileges->Privileges[i++].Luid = GetLuidFromText("SeProfileSingleProcessPrivilege");400
//19401
token_privileges->Privileges[i].Attributes = 3;402
token_privileges->Privileges[i++].Luid = GetLuidFromText("SeSystemtimePrivilege");403
//20404
token_privileges->Privileges[i].Attributes = 3;405
token_privileges->Privileges[i++].Luid = GetLuidFromText("SeUndockPrivilege");406
//21407
token_privileges->Privileges[i].Attributes = 3;408
token_privileges->Privileges[i++].Luid = GetLuidFromText("SeManageVolumePrivilege");409
//22410
token_privileges->Privileges[i].Attributes = 3;411
token_privileges->Privileges[i++].Luid = GetLuidFromText("SeImpersonatePrivilege");412
//23413
token_privileges->Privileges[i].Attributes = 3;414
token_privileges->Privileges[i++].Luid = GetLuidFromText("SeCreateGlobalPrivilege");415
416
return token_privileges;417
418
}419
//加用户到HANDLE420
BOOL AddUserPrivToHandle(HANDLE Hhandle,char *s,ACCESS_MODE mode)421
{ 422
PSECURITY_DESCRIPTOR pSecurityDescriptor1,pSD = NULL;423
DWORD size,size1,len,ErrorCode,DaclPresent,DaclDefaulted,dwAbsoluteSDSize,dwDaclSize,dwSaclSize,dwOwnerSize,dwPrimaryGroupSize;424
ACL OldAcl;425
PACL POldAcl,PNewAcl,pDacl,pSacl;426
PSID pOwner,pPrimaryGroup;427
EXPLICIT_ACCESS ExplicitAccess1;428
SECURITY_INFORMATION sinfo;429
430
dwAbsoluteSDSize = dwDaclSize = dwSaclSize = dwOwnerSize = dwPrimaryGroupSize = 0; 431
432
size = 0;433
sinfo = DACL_SECURITY_INFORMATION;434
//获得SECURITY_DESCRIPTOR435
GetUserObjectSecurity(Hhandle,&sinfo,pSD,size,&len);436
ErrorCode = GetLastError();437
if(ErrorCode == ERROR_INSUFFICIENT_BUFFER) //122438
{ 439
pSD = (PSECURITY_DESCRIPTOR) malloc(len + 1);440
if(pSD == NULL)441
{ 442
printf("Malloc failed:%d\n",GetLastError());443
return FALSE;444
}445
memset(pSD,0,len + 1);446
size = len;447
}448
else449
{ 450
printf("GetUserObjectSecurity in AddUserPrivToHandle(\"%s\") Failed:%d\n",s,ErrorCode);451
return FALSE;452
}453
if(!GetUserObjectSecurity(Hhandle,&sinfo,pSD,size,&len))454
{ 455
printf("GetUserObjectSecurity in AddUserPrivToHandle(\"%s\") Failed:%d\n",s,ErrorCode);456
return FALSE;457
}458
//获得DACL459
POldAcl = NULL;460
if(!GetSecurityDescriptorDacl(pSD,&DaclPresent,&POldAcl,&DaclDefaulted))461
{ 462
printf("GetSecurityDescriptorDacl Error:%d\n",GetLastError());463
return FALSE;464
}465
//重新生成一个ACL,然后在后面合并进去,给administrators组全部的权限.466
memset(&ExplicitAccess1,0,sizeof(ExplicitAccess1));467
BuildExplicitAccessWithName(&ExplicitAccess1,s,mode,GRANT_ACCESS,NO_INHERITANCE);468
//合并权限469
ErrorCode = SetEntriesInAcl(1,&ExplicitAccess1,POldAcl,&PNewAcl);470
if(ErrorCode != ERROR_SUCCESS)471
{ 472
printf("SetEntriesInAcl Error:%d\n",ErrorCode);473
return FALSE;474
}475
476
dwAbsoluteSDSize = 0x400;477
pSecurityDescriptor1 = (PSECURITY_DESCRIPTOR) malloc(dwAbsoluteSDSize+1);478
if(pSecurityDescriptor1 == NULL)479
{ 480
printf("Malloc for MakeAbsoluteSD failed:%d\n",GetLastError());481
return FALSE;482
}483
memset(pSecurityDescriptor1,0,dwAbsoluteSDSize+1);484
485
MakeAbsoluteSD( pSD,486
pSecurityDescriptor1,487
&dwAbsoluteSDSize,488
NULL,489
&dwDaclSize,490
NULL,491
&dwSaclSize,492
NULL,493
&dwOwnerSize,494
NULL,495
&dwPrimaryGroupSize);496
//申请内存先. 497
ErrorCode = GetLastError();498
499
if(ErrorCode == ERROR_INSUFFICIENT_BUFFER)500
{ 501
//申请内存502
//printf("申请内存大小:\ndwDaclSize=%d\ndwSaclSize=%d\ndwOwnerSize=%d\ndwPrimaryGroupSize=%d\ndwAbsoluteSDSize=%d\n",503
// dwDaclSize,dwSaclSize,dwOwnerSize,dwPrimaryGroupSize,dwAbsoluteSDSize);504
//505
//pSecurityDescriptor1 = (PSECURITY_DESCRIPTOR) malloc(dwAbsoluteSDSize+1);506
pDacl = (PACL) malloc(dwDaclSize+1);507
pSacl = (PACL) malloc(dwSaclSize+1);508
pOwner = (PSID) malloc(dwOwnerSize+1);509
pPrimaryGroup = (PSID) malloc(dwPrimaryGroupSize+1);510
511
if( //(pSecurityDescriptor1 == NULL) || 512
(pDacl == NULL) ||513
(pSacl == NULL) ||514
(pOwner == NULL) ||515
(pPrimaryGroup == NULL))516
{ 517
printf("Malloc for MakeAbsoluteSD failed:%d\n",GetLastError());518
return FALSE;519
}520
//memset(pSecurityDescriptor1,0,dwAbsoluteSDSize+1);521
}522
else523
{ 524
printf("MakeAbsoluteSD Error:%d\n",GetLastError());525
return FALSE;526
}527
//申请后就可以接受了528
if(!MakeAbsoluteSD(pSD,529
pSecurityDescriptor1,530
&dwAbsoluteSDSize,531
pDacl,532
&dwDaclSize,533
pSacl,534
&dwSaclSize,535
pOwner,536
&dwOwnerSize,537
pPrimaryGroup,538
&dwPrimaryGroupSize))539
{ 540
printf("MakeAbsoluteSD After Malloc Error:%d\n",GetLastError());541
return FALSE;542
}543
//printf("实际接受大小:\ndwDaclSize=%d\ndwSaclSize=%d\ndwOwnerSize=%d\ndwPrimaryGroupSize=%d\ndwAbsoluteSDSize=%d\n",544
// dwDaclSize,dwSaclSize,dwOwnerSize,dwPrimaryGroupSize,size1);545
//设置新的DACL 546
if(!SetSecurityDescriptorDacl(pSecurityDescriptor1,DaclPresent,PNewAcl,DaclDefaulted))547
{ 548
printf("SetSecurityDescriptorDacl Error:%d\n",GetLastError());549
return FALSE;550
}551
//检查新的SecurityDescriptor是否合法552
if(!IsValidSecurityDescriptor(pSecurityDescriptor1))553
{ 554
printf("pSecurityDescriptor1 is not a valid SD:%d\n",GetLastError());555
return FALSE;556
}557
558
//给句柄设置新的ACL559
if(!SetUserObjectSecurity(Hhandle,&sinfo,pSecurityDescriptor1))560
{ 561
printf("SetKernelObjectSecurity Error:%d\n",GetLastError());562
return FALSE;563
}564
if(POldAcl)565
LocalFree(POldAcl);566
if(PNewAcl)567
LocalFree(PNewAcl);568
pfree(pSD);569
pfree(pSecurityDescriptor1);570
pfree(pDacl);571
pfree(pSacl);572
pfree(pOwner);573
pfree(pPrimaryGroup); 574
return TRUE; 575
}576
577
//根据指定用户名来建立Token578
HANDLE NtCreateTokenAsuser(char *user)579
{ 580
SID *GroupSid,*UserSid;581
char StringSid[SIZE],UserDefaultGroup[SIZE];582
DWORD SidSize,GroupCount,GroupCount2,IsNotUsersGroup = 1;583
char *DomainName,**UserGroup,*CurrentUser;584
DWORD cbSid,cbDomainName,SessionId,sessionlen;585
SID_NAME_USE peUse;586
int ErrorCode,i;587
LUID Luid = ANONYMOUS_LOGON_LUID;588
//LUID Luid = SYSTEM_LUID;589
SECURITY_QUALITY_OF_SERVICE security_quality_of_service =590
{ 591
sizeof( security_quality_of_service ),592
SecurityAnonymous,593
SECURITY_STATIC_TRACKING,594
FALSE595
};596
OBJECT_ATTRIBUTES object_attributes =597
{ 598
sizeof( object_attributes ),599
NULL,600
NULL,601
0,602
NULL,603
&security_quality_of_service604
};605
606
TOKEN_SOURCE token_source;607
TOKEN_PRIVILEGES *token_privileges;608
TOKEN_GROUPS *token_groups;609
TOKEN_USER token_user;610
TOKEN_OWNER token_owner;611
TOKEN_PRIMARY_GROUP token_primary_group;612
TOKEN_DEFAULT_DACL token_default_dacl,*SelfDacl;613
ACL NewAcl2,*NewAcl;614
TOKEN_TYPE tokentype;615
HANDLE token,SelfToken;616
NTSTATUS ntstatus,ntstatus2;617
PNtCreateToken NtCreateToken;618
HMODULE ntdllmodule;619
ACCESS_MASK DesiredAccess;620
LARGE_INTEGER ExpireTime;621
EXPLICIT_ACCESS ExplicitAccess;622
//给winstation用的623
HDESK hdesk;624
HWINSTA hwinsta;625
DWORD PrivilegeCount;626
//是否是SYSTEM用户627
DWORD IfIsSystemUser = 0,IfIsAdmin = 0;628
//定义结束629
630
//获取CreateToken地址631
ntdllmodule = GetModuleHandle("ntdll");632
if(ntdllmodule == NULL )633
{ 634
printf("[-] GetModuleHandle ntdll error:%d\n",GetLastError());635
return INVALID_HANDLE_VALUE;636
}637
NtCreateToken = (PNtCreateToken) GetProcAddress(ntdllmodule,"ZwCreateToken");638
if(NtCreateToken == NULL)639
{ 640
printf("[-] GetProcAddress NtCreateToken error:%d\n",GetLastError());641
return INVALID_HANDLE_VALUE;642
}643
644
if(stricmp(user,"system") == 0)645
{ 646
IfIsSystemUser = 1;647
//Luid.LowPart = 0x3e7;648
//Luid.HighPart = 0x0;649
}650
//arg 2 for NtCreateToken();651
DesiredAccess = TOKEN_ALL_ACCESS;652
//arg 3 for NtCreateToken();653
//arg 4 for NtCreateToken();654
//IN TOKEN_TYPE TokenType,655
tokentype = TokenPrimary;656
//arg 5 for NtCreateToken();657
//memcpy(&Luid,&SYSTEM_LUID,sizeof(Luid));658
/**//*659
if(!AllocateLocallyUniqueId(&Luid))660
{ 661
printf("AllocateLocallyUniqueId Failed:%d\n",GetLastError());662
return INVALID_HANDLE_VALUE;663
}664
*/665
//arg 6 for NtCreateToken();666
ExpireTime.LowPart = 0xffffffff;667
ExpireTime.HighPart = 0x7fffffff;668
//printf("sizeof(ExpireTime) = %d\n",sizeof(ExpireTime));669
//QueryPerformanceFrequency(&ExpireTime);670
//arg 7 for NtCreateToken();671
//token_user正确672
token_user.User.Sid = GetUserSid(user);673
if(token_user.User.Sid == NULL)674
return INVALID_HANDLE_VALUE;675
token_user.User.Attributes = 0; //must be 0676
if(IfIsSystemUser == 0) //一般用户677
{ 678
//arg 8 for NtCreateToken();679
if(!GetUserGroup(user,&UserGroup,&GroupCount))680
return INVALID_HANDLE_VALUE;681
//printf("=====================\nGet %d groups\n",GroupCount);682
//给token_groups申请内存683
//看用户组里面有没有"Users"684
IsNotUsersGroup = 1;685
for(i=0;i<GroupCount;i++)686
{ 687
CurrentUser = UserGroup[i];688
if(stricmp(CurrentUser,"Users") == 0)689
{ 690
IsNotUsersGroup = 0;691
continue;692
}693
if(stricmp(CurrentUser,"Administrators") == 0)694
{ 695
IfIsAdmin = 1;696
continue;697
}698
}699
//保存一下,后面要用700
GroupCount2 = GroupCount;701
//没有就+1,有就+0702
GroupCount += IsNotUsersGroup + 2;703
token_groups = (PTOKEN_GROUPS) malloc(4+(4+4)*GroupCount+1);704
if(token_groups == NULL)705
{ 706
printf("Malloc for token_groups failed:%d\n",GetLastError());707
return INVALID_HANDLE_VALUE;708
}709
//加"None","Everyone","INTERACTIVE" 组710
//printf("GroupCount:%d\n",GroupCount);711
token_groups->GroupCount = GroupCount;712
//给第11个参数用713
//memset(UserDefaultGroup,0,SIZE);714
//strncpy(UserDefaultGroup,UserGroup[0],SIZE -1 );715
//printf("GroupCount:%d\n",GroupCount);716
//token_group需要最少加以下四个组:717
//只有Users可能有用户或者帐号存在718
//"None","Everyone","Users","INTERACTIVE"他们的ATTribute都是7719
if(DebugLevel != 7)720
{ 721
printf("Using DebugLevel 0x%x \n",DebugLevel);722
}723
for(i=0;i<GroupCount2;i++)724
{ 725
//printf("%d:%s\n",i,UserGroup[i]);726
727
CurrentUser = UserGroup[i];728
GroupSid = GetUserSid(CurrentUser);729
if(GroupSid == NULL)730
return INVALID_HANDLE_VALUE;731
token_groups->Groups[i].Sid = GroupSid;732
token_groups->Groups[i].Attributes = DebugLevel;733
free(CurrentUser);734
}735
free(UserGroup);736
/**//*737
GroupSid = GetUserSid("None");738
if(GroupSid == NULL)739
return INVALID_HANDLE_VALUE;740
token_groups->Groups[i].Sid = GroupSid;741
token_groups->Groups[i++].Attributes = DebugLevel;742
*/743
GroupSid = GetUserSid("Everyone");744
if(GroupSid == NULL)745
return INVALID_HANDLE_VALUE;746
token_groups->Groups[i].Sid = GroupSid;747
token_groups->Groups[i++].Attributes = DebugLevel;748
749
GroupSid = GetUserSid("INTERACTIVE");750
if(GroupSid == NULL)751
return INVALID_HANDLE_VALUE;752
token_groups->Groups[i].Sid = GroupSid;753
token_groups->Groups[i++].Attributes = DebugLevel;754
755
if(IsNotUsersGroup)756
{ 757
GroupSid = GetUserSid("Users");758
if(GroupSid == NULL)759
return INVALID_HANDLE_VALUE;760
token_groups->Groups[i].Sid = GroupSid;761
token_groups->Groups[i++].Attributes = DebugLevel;762
}763
//arg 9 for NtCreateToken();764
//这个倒没错765
//先申请内存766
if(IfIsAdmin == 0) //如果不是管理员组767
{ 768
PrivilegeCount = 2;769
token_privileges = (PTOKEN_PRIVILEGES) malloc(4 + (3*4)*PrivilegeCount + 4);770
if(token_privileges == NULL)771
{ 772
printf("malloc failed for PTOKEN_PRIVILEGES in NtCreateTokenAsuser\n");773
return INVALID_HANDLE_VALUE;774
}775
token_privileges->PrivilegeCount = PrivilegeCount;776
(token_privileges->Privileges)[0].Attributes = SE_PRIVILEGE_ENABLED_BY_DEFAULT;777
(token_privileges->Privileges)[0].Luid = GetLuidFromText("SeChangeNotifyPrivilege");778
779
(token_privileges->Privileges)[1].Attributes = SE_PRIVILEGE_ENABLED_BY_DEFAULT;780
(token_privileges->Privileges)[1].Luid = GetLuidFromText("SeUndockPrivilege");781
}782
else783
{ 784
token_privileges = MakeAdminPriv();785
if(token_privileges == NULL)786
return INVALID_HANDLE_VALUE;787
}788
/**//*789
if(!AllocateLocallyUniqueId(&(token_privileges.Privileges[0].Luid)))790
{ 791
printf("AllocateLocallyUniqueId for token_privileges Failed:%d\n",GetLastError());792
return INVALID_HANDLE_VALUE;793
}794
*/795
//arg 10 for NtCreateToken();796
//正确的方法797
token_owner.Owner = GetUserSid(user);798
if(token_owner.Owner == NULL)799
return INVALID_HANDLE_VALUE;800
//arg 11 for NtCreateToken();801
//PrimaryGroup统一都是None802
token_primary_group.PrimaryGroup = GetUserSid(user);803
if(token_primary_group.PrimaryGroup == NULL)804
return INVALID_HANDLE_VALUE;805
} 806
else807
{ 808
//设置usergroup809
//三个组:administrators(0xe),everyone(0x7),Authenticated Users(0x7)810
GroupCount = 2;811
token_groups = (PTOKEN_GROUPS) malloc(4+(4+4)*GroupCount+1);812
if(token_groups == NULL)813
{ 814
printf("Malloc for token_groups failed:%d\n",GetLastError());815
return INVALID_HANDLE_VALUE;816
}817
token_groups->GroupCount = GroupCount;818
//自定义的debuglevel819
if(DebugLevel != 7)820
{ 821
printf("Using DebugLevel 0x%x \n",DebugLevel);822
}823
i = 0;824
GroupSid = GetUserSid("administrators");825
if(GroupSid == NULL)826
return INVALID_HANDLE_VALUE;827
token_groups->Groups[i].Sid = GroupSid;828
token_groups->Groups[i++].Attributes = 0xe;829
830
GroupSid = GetUserSid("Everyone");831
if(GroupSid == NULL)832
return INVALID_HANDLE_VALUE;833
token_groups->Groups[i].Sid = GroupSid;834
token_groups->Groups[i++].Attributes = DebugLevel;835
/**//*836
GroupSid = GetUserSid("Authenticated Users");837
if(GroupSid == NULL)838
return INVALID_HANDLE_VALUE;839
token_groups->Groups[i].Sid = GroupSid;840
token_groups->Groups[i++].Attributes = DebugLevel;841
*/842
//设置 token_privileges843
token_privileges = MakeAdminPriv();844
if(token_privileges == NULL)845
return INVALID_HANDLE_VALUE;846
//token_owner847
token_owner.Owner = GetUserSid("administrators");848
if(token_owner.Owner == NULL)849
return INVALID_HANDLE_VALUE;850
//arg 11 for NtCreateToken();851
//PrimaryGroup统一都是None852
token_primary_group.PrimaryGroup = GetUserSid("SYSTEM");853
if(token_primary_group.PrimaryGroup == NULL)854
return INVALID_HANDLE_VALUE;855
}856
//arg 12 for NtCreateToken();857
//NULL?858
//token_default_dacl859
/**//*860
token_default_dacl->DefaultDacl->AclRevision:2861
token_default_dacl->DefaultDacl->Sbz1:0862
token_default_dacl->DefaultDacl->AclSize:64863
token_default_dacl->DefaultDacl->AceCount:2864
token_default_dacl->DefaultDacl->Sbz2:0865
*/866
if(!OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY, &SelfToken))867
{ 868
printf("OpenProcessToken self Error:%d\n",GetLastError());869
return INVALID_HANDLE_VALUE;870
}871
BuildExplicitAccessWithName(&ExplicitAccess,user,GENERIC_ALL,GRANT_ACCESS,NO_INHERITANCE);872
SelfDacl = (PTOKEN_DEFAULT_DACL) GetFromToken(SelfToken,TokenDefaultDacl);873
if(SelfDacl == NULL)874
{ 875
CloseHandle(SelfToken);876
return INVALID_HANDLE_VALUE;877
}878
ErrorCode = SetEntriesInAcl(1,&ExplicitAccess,SelfDacl->DefaultDacl,&NewAcl);879
if(ErrorCode != ERROR_SUCCESS)880
{ 881
printf("SetEntriesInAcl Under NtCreateTokenAsuser Failed:%d\n",ErrorCode);882
CloseHandle(SelfToken);883
return INVALID_HANDLE_VALUE;884
}885
//获得当前进程的SessionID,然后再同样set到新的token里面886
//printf("SelfProcess:\n");887
//DisplayTokenSessionId(SelfToken);888
//SessionId,sessionlen;889
sessionlen = sizeof(DWORD);890
if(!GetTokenInformation(SelfToken,TokenSessionId,&SessionId,sessionlen,&sessionlen))891
{ 892
printf("GetTokenInformation TokenSessionId Failed:%d\n",GetLastError());893
CloseHandle(SelfToken);894
return INVALID_HANDLE_VALUE;895
}896
CloseHandle(SelfToken);897
token_default_dacl.DefaultDacl = NewAcl;898
/**//*899
NewAcl2.AclRevision = 2;900
NewAcl2.Sbz1 = 0;901
NewAcl2.AclSize = 64;902
NewAcl2.AceCount = 2;903
NewAcl2.Sbz2 = 0;904
ErrorCode = SetEntriesInAcl(0,NULL,NULL,&NewAcl);905
if(ErrorCode != ERROR_SUCCESS)906
{ 907
printf("SetEntriesInAcl As new one failed:%d\n",ErrorCode);908
return INVALID_HANDLE_VALUE;909
}910
token_default_dacl.DefaultDacl = NewAcl;911
*/912
//arg 13 for NtCreateToken();913
//token_source914
if(IfIsSystemUser == 0) //一般用户915
memcpy(token_source.SourceName,"seclogon",8);916
else917
memcpy(token_source.SourceName,"*SYSTEM*",8); 918
//生成LUID919
//token_source.SourceIdentifier = Luid;920
if(!AllocateLocallyUniqueId(&(token_source.SourceIdentifier)))921
{ 922
printf("AllocateLocallyUniqueId for token_source Failed:%d\n",GetLastError());923
return INVALID_HANDLE_VALUE;924
}925
if(IfIsSystemUser == 0)926
{ 927
//将该用户权限加入到当前用户所使用的 桌面 和 winstation928
//hwinsta = OpenWindowStation("WinSta0",TRUE,WINSTA_ALL);929
hwinsta = GetProcessWindowStation();930
if (hwinsta == NULL)931
{ 932
printf("OpenWindowStation Error:%d\n",GetLastError());933
return INVALID_HANDLE_VALUE;934
}935
//hwinstaold = GetProcessWindowStation();936
937
// 938
// set the windowstation to winsta0 so that you obtain the939
// correct default desktop940
// 941
/**//*942
if (!SetProcessWindowStation(hwinsta))943
{ 944
printf("SetProcessWindowStation Error:%d\n",GetLastError());945
CloseWindowStation(hwinsta);946
return INVALID_HANDLE_VALUE;947
}948
*/949
// 950
// obtain a handle to the "default" desktop951
// 952
//hdesk = OpenDesktop("Default",DF_ALLOWOTHERACCOUNTHOOK,FALSE,DESKTOP_ALL);953
hdesk = GetThreadDesktop(GetCurrentThreadId());954
if (hdesk == NULL)955
{ 956
printf("OpenDesktop Error:%d\n",GetLastError());957
CloseWindowStation(hwinsta);958
return INVALID_HANDLE_VALUE;959
}960
// add the user to interactive windowstation961
// 962
AddUserPrivToHandle(hwinsta,user,WINSTA_ALL);963
AddUserPrivToHandle(hdesk,user,DESKTOP_ALL);964
/**//*965
if (!AddTheAceWindowStation(hwinsta, token_user.User.Sid))966
{ 967
printf("AddTheAceWindowStation Error:%d\n",GetLastError());968
CloseWindowStation(hwinsta);969
CloseDesktop(hdesk);970
return INVALID_HANDLE_VALUE;971
}972
// 973
// add user to "default" desktop974
// 975
if (!AddTheAceDesktop(hdesk, token_user.User.Sid))976
{ 977
printf("AddTheAceDesktop Error:%d\n",GetLastError());978
CloseWindowStation(hwinsta);979
CloseDesktop(hdesk);980
return INVALID_HANDLE_VALUE;981
}982
*/983
if (!SetProcessWindowStation(hwinsta))984
{ 985
printf("SetProcessWindowStation Error:%d\n",GetLastError());986
CloseWindowStation(hwinsta);987
return INVALID_HANDLE_VALUE;988
}989
if(!SetThreadDesktop(hdesk))990
{ 991
printf("SetThreadDesktop Error:%d\n",GetLastError());992
CloseDesktop(hdesk);993
return INVALID_HANDLE_VALUE;994
}995
// 996
// close the handles to the interactive windowstation and desktop997
// 998
CloseWindowStation(hwinsta);999
CloseDesktop(hdesk);1000
}1001
//开始create1002
ntstatus = NtCreateToken( &token,1003
DesiredAccess,1004
&object_attributes,1005
tokentype,1006
&Luid,1007
&ExpireTime,1008
&token_user,1009
token_groups,1010
token_privileges,1011
&token_owner,1012
&token_primary_group,1013
&token_default_dacl,1014
&token_source1015
);1016
if(ntstatus != STATUS_SUCCESS)1017
{ 1018
printf("CreateToken Failed:%d\n",LsaNtStatusToWinError(ntstatus));1019
return INVALID_HANDLE_VALUE;1020
} 1021
//开始释放内存1022
/**//*1023
pfree(token_user.User.Sid);1024
pfree(token_groups);1025
pfree(token_privileges);1026
pfree(token_owner.Owner);1027
pfree(token_primary_group.PrimaryGroup);1028
if(NewAcl != NULL)1029
LocalFree(NewAcl);1030
*/1031
/**//*1032
printf("NewToken:\n");1033
DisplayTokenSessionId(token);1034
*/1035
if(TokenSessionId > 0)1036
{ 1037
sessionlen = sizeof(DWORD);1038
if(!SetTokenInformation(token,TokenSessionId,&SessionId,sessionlen))1039
{ 1040
printf("SetTokenInformation TokenSessionId Failed:%d\n",GetLastError());1041
}1042
}1043
return token;1044
}1045
1046
1047
//输出:指针指向一系列的group,groupcount为group数目.1048
BOOL GetUserGroup(char *username,char ***groupname,int *groupcount)1049
{ 1050
LPLOCALGROUP_USERS_INFO_0 pBuf = NULL;1051
DWORD dwLevel = 0;1052
DWORD dwFlags = LG_INCLUDE_INDIRECT ;1053
DWORD dwPrefMaxLen = -1;1054
DWORD dwEntriesRead = 0;1055
DWORD dwTotalEntries = 0;1056
NET_API_STATUS nStatus;1057
DWORD i;1058
DWORD dwTotalCount = 0;1059
WCHAR wUserName[100];//,wAdminGroup[50];1060
BOOL returnvalue=FALSE;1061
char *p;1062
DWORD len;1063
char **name;1064
1065
MultiByteToWideChar( CP_ACP, 0, username,-1, wUserName,sizeof(wUserName)/sizeof(wUserName[0]));1066
//MultiByteToWideChar( CP_ACP, 0, admingroup,-1, wAdminGroup,sizeof(wAdminGroup)/sizeof(wAdminGroup[0]));1067
1068
nStatus = NetUserGetLocalGroups(NULL,wUserName,dwLevel,dwFlags,(LPBYTE *) &pBuf,dwPrefMaxLen,&dwEntriesRead,&dwTotalEntries);1069
1070
if (nStatus != NERR_Success)1071
{ 1072
return returnvalue;1073
}1074
1075
if(pBuf == NULL)1076
return returnvalue;1077
1078
1079
name = (char **) malloc(dwEntriesRead * sizeof(char *));1080
if(name == NULL)1081
{ 1082
printf("malloc failed in GetUserGroup for name:%d\n",GetLastError());1083
return returnvalue;1084
}1085
returnvalue = TRUE;1086
for (i = 0; i < dwEntriesRead; i++)1087
{ 1088
if (pBuf == NULL)1089
return returnvalue;1090
len = wcslen(pBuf->lgrui0_name);1091
p = (char *) malloc(len+1);1092
if(p == NULL)1093
{ 1094
printf("malloc failed in GetUserGroup:%d\n",GetLastError());1095
break;1096
}1097
wsprintf(p,"%S",pBuf->lgrui0_name);1098
name[dwTotalCount] = p;1099
//printf("%d:%s\n",dwTotalCount,p);1100
pBuf++;1101
dwTotalCount++;1102
}1103
if(pBuf != NULL)1104
NetApiBufferFree(pBuf);1105
*groupname = name; 1106
*groupcount = dwTotalCount;1107
return returnvalue;1108
}1109
//加权限1110
int GrantPriv(char *priv)1111
{ 1112
HANDLE token;1113
TOKEN_PRIVILEGES tkp;1114
HANDLE hProc;1115
1116
//SeCreateTokenPrivilege1117
if(LookupPrivilegeValue(NULL,priv,&tkp.Privileges[0].Luid) == FALSE)1118
{ 1119
fprintf(stderr, "LookupPrivilegeValue failed: 0x%X\n", GetLastError());1120
return(-1);1121
}1122
if(OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &token) == FALSE)1123
{ 1124
fprintf(stderr, "OpenProcessToken SELF Failed: 0x%X\n", GetLastError());1125
return(-1);1126
}1127
tkp.PrivilegeCount = 1;1128
tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;1129
if(!AdjustTokenPrivileges(token,FALSE,&tkp,0,NULL, NULL))1130
{ 1131
fprintf(stderr,"AdjustTokenPrivileges Failed: 0x%X\n", GetLastError());1132
return(-1);1133
}1134
/**//*1135
else1136
{ 1137
switch(GetLastError())1138
{ 1139
case ERROR_SUCCESS:1140
printf("The function adjusted all specified privileges.\n");1141
break;1142
case ERROR_NOT_ALL_ASSIGNED: //0x5141143
printf("Adjust privileges not assigned\n");1144
break;1145
}1146
}1147
*/1148
CloseHandle(token); 1149
return 0;1150
}1151
1152
//从 lsass.exe 继承权限1153
int GrantPrivFromLsass(int pid)1154
{ 1155
HANDLE LsassHandle,LsassToken,NewToken;1156
1157
//首先打开进程,获得HANDLE1158
//PROCESS_QUERY_INFORMATION ,FALSE1159
//LsassHandle = OpenProcess(PROCESS_ALL_ACCESS,TRUE,pid);1160
LsassHandle = OpenProcess(PROCESS_QUERY_INFORMATION,FALSE,pid);1161
//在OpenProcessToken(READ|WRITE1162
if(LsassHandle == NULL)1163
{ 1164
printf("OpenProcess %d Error:%d\n",pid,GetLastError());1165
return -1;1166
}1167
//再opentoken1168
if(!OpenProcessToken(LsassHandle,STANDARD_RIGHTS_READ|WRITE_DAC,&LsassToken))1169
{ 1170
printf("OpenProcessToken First Error:%d\n",GetLastError());1171
CloseHandle(LsassHandle);1172
return -1;1173
}1174
//得到Token的ACL信息1175
//pSecurityDescriptor = NULL;1176
//size = 0;1177
//len = 0;1178
//先申请内存1179
if(!AddUserPrivToHandle(LsassToken,"administrators",TOKEN_ALL_ACCESS))1180
{ 1181
CloseHandle(LsassToken);1182
CloseHandle(LsassHandle);1183
return -1;1184
}1185
//关闭句柄1186
CloseHandle(LsassToken);1187
1188
//打开Token1189
if(!OpenProcessToken(LsassHandle,TOKEN_ALL_ACCESS,&LsassToken))1190
{ 1191
printf("OpenProcessToken LsassHandle Error:%d\n",GetLastError());1192
CloseHandle(LsassHandle);1193
return -1;1194
}1195
//关闭句柄1196
CloseHandle(LsassHandle);1197
//复制Token1198
if(!DuplicateTokenEx(LsassToken,TOKEN_ALL_ACCESS,NULL,SecurityImpersonation,TokenPrimary,&NewToken))1199
{ 1200
printf("DuplicateTokenEx Error:%d\n",GetLastError());1201
return -1;1202
}1203
//CloseHandle(LsassToken);1204
if(!ImpersonateLoggedOnUser(NewToken))1205
{ 1206
printf("ImpersonateLoggedOnUser Error:%d\n",GetLastError());1207
CloseHandle(NewToken);1208
return -1;1209
}1210
GrantPriv("SeCreateTokenPrivilege");1211
GrantPriv("SeTcbPrivilege");1212
GrantPriv("SeIncreaseQuotaPrivilege");1213
GrantPriv("SeAssignPrimaryTokenPrivilege");1214
//CloseHandle(NewToken);1215
return 0;1216
// GetKernelObjectSecurity(Handle,DACL_SECURITY_INFORMATION,buf,size,&len)1217
// GetSecurityDescriptorDacl(buf,&lpbDaclPresent,PoldACL,&lpbDaclDefaulted);1218
// BuildExplicitAccessWithName(pstruct,"administrators",TOKEN_ALL_ACCESS,GRANT_ACCESS,NO_INHERITANCE)1219
// SetEntriesInAcl(1,pstruct,PoldACL,PnewACL); //合并权限1220
// MakeAbsoluteSD(buf,buf2,1221
// SetSecurityDescriptorDacl(buf2,lpbDaclPresent,PnewACL,lpbDaclDefaulted);1222
// SetKernelObjectSecurity(HANDLE,DACL_SECURITY_INFORMATION,buf2,);1223
// CloseHandle(HANDLE);1224
// DuplicateTokenEx(LsassToken,TOKEN_ALL_ACCESS,NULL,SecurityImpersonation,TokenPrimary,&NewToken);1225
// CloseHandle(LsassToken);1226
// ImpersonateLoggedOnUser 1227
}1228
//帮助信息1229
void usage(char *s)1230
{ 1231
printf("Usage:%s <-u user>\n",s);1232
return;1233
}1234
1235
BOOL ConvertSidToStringSid(PSID pSid,LPTSTR TextualSid, LPDWORD lpdwBufferLen)1236
{ 1237
PSID_IDENTIFIER_AUTHORITY psia;1238
DWORD dwSubAuthorities;1239
DWORD dwSidRev=SID_REVISION;1240
DWORD dwCounter;1241
DWORD dwSidSize;1242
1243
// Validate the binary SID.1244
if(!IsValidSid(pSid)) return FALSE;1245
// Get the identifier authority value from the SID.1246
psia = GetSidIdentifierAuthority(pSid);1247
// Get the number of subauthorities in the SID.1248
dwSubAuthorities = *GetSidSubAuthorityCount(pSid);1249
// Compute the buffer length.1250
// S-SID_REVISION- + IdentifierAuthority- + subauthorities- + NULL1251
dwSidSize=(15 + 12 + (12 * dwSubAuthorities) + 1) * sizeof(TCHAR);1252
// Check input buffer length.1253
// If too small, indicate the proper size and set last error.1254
if (*lpdwBufferLen < dwSidSize)1255
{ 1256
*lpdwBufferLen = dwSidSize;1257
SetLastError(ERROR_INSUFFICIENT_BUFFER);1258
return FALSE;1259
}1260
1261
// Add 'S' prefix and revision number to the string.1262
dwSidSize=wsprintf(TextualSid, TEXT("S-%lu-"), dwSidRev );1263
// Add SID identifier authority to the string.1264
if ( (psia->Value[0] != 0) || (psia->Value[1] != 0) )1265
{ 1266
dwSidSize+=wsprintf(TextualSid + lstrlen(TextualSid),TEXT("0x%02hx%02hx%02hx%02hx%02hx%02hx"),1267
(USHORT)psia->Value[0],1268
(USHORT)psia->Value[1],1269
(USHORT)psia->Value[2],1270
(USHORT)psia->Value[3],1271
(USHORT)psia->Value[4],1272
(USHORT)psia->Value[5]);1273
}1274
else1275
{ 1276
dwSidSize+=wsprintf(TextualSid + lstrlen(TextualSid),TEXT("%lu"),1277
(ULONG)(psia->Value[5] ) +1278
(ULONG)(psia->Value[4] << 8) +1279
(ULONG)(psia->Value[3] << 16) +1280
(ULONG)(psia->Value[2] << 24) );1281
}1282
1283
// Add SID subauthorities to the string.1284
for (dwCounter=0 ; dwCounter < dwSubAuthorities ; dwCounter++)1285
{ 1286
dwSidSize+=wsprintf(TextualSid + dwSidSize, TEXT("-%lu"),1287
*GetSidSubAuthority(pSid, dwCounter) );1288
}1289
return TRUE;1290
}1291
1292
void *GetFromToken(HANDLE hToken, TOKEN_INFORMATION_CLASS tic)1293
{ 1294
DWORD n,n2,rv;1295
void *p;1296
1297
n2 = 0;1298
rv = GetTokenInformation(hToken,tic,NULL,n2, &n);1299
if (rv == FALSE && GetLastError() != ERROR_INSUFFICIENT_BUFFER) 1300
{ 1301
printf("GetTokenInformation Failed:%d\n",GetLastError());1302
return NULL;1303
}1304
1305
p = malloc(n+1);1306
if(p == NULL) 1307
{ 1308
printf("Malloc in GetFromToken Failed\n");1309
return NULL;1310
}1311
n2 = n;1312
if(!GetTokenInformation(hToken, tic, p, n2, &n) )1313
{ 1314
printf("GetTokenInformation After Malloc Failed:%d\n",GetLastError());1315
return NULL;1316
}1317
return p;1318
}1319
1320
void pfree(void *p)1321
{ 1322
if(p)1323
free(p);1324
}1325
1326
LUID GetLuidFromText(char *s)1327
{ 1328
LUID Luid;1329
1330
Luid.LowPart = 0;1331
Luid.HighPart = 0;1332
if(!LookupPrivilegeValue(NULL,s,&Luid))1333
{ 1334
printf("LookupPrivilegeValue under GetLuidFromText(\"%s\") Failed:%d\n",s,GetLastError()); 1335
return Luid;1336
}1337
return Luid;1338
}1339
- win下实现切换帐号的方法
- win下实现切换帐号的方法
- win下实现IE网页自动截屏的方法
- windows 访问共享文件夹的帐号切换方法
- 强行登陆远程桌面和切换帐号的方法
- WIN下动态注册码实现方法
- 批量创建win帐号的脚本程序.
- ubuntu在win下安装的方法
- WIN 下安装Django 的方法
- linux下svn用户帐号切换
- 在XP/2K 下实现 Win+Ctrl+Del 等键的屏蔽的方法
- win主机下wordpress完美实现301重定向的方法
- 命令行下一种新的加帐号的方法
- 命令行下一种新的加帐号的方法
- 多github帐号的SSH key切换
- 多github帐号的SSH key切换
- 多个git帐号的切换
- 多github帐号的SSH key切换
- XCode下的iOS单元测试
- 修改liunx的预读区大小
- Nginx warn] the "log_format"
- 排序算法总结(c#版)
- 【windows8开发】现有代码移植到Metro App所必须的API整合
- win下实现切换帐号的方法
- 警告: No configuration found for the specified action: 'loginPerson' in namespace: ''. Form action def
- 关于List和IList的区别和不同情况的不同用法
- 做一个像植物大战僵尸的Flash游戏5
- USACO Factorials,DP,因子分解
- 数据库连接,查询和插入数据的方法
- eclispe中debug调试程序
- andorid移植好文
- 多行数据提交到Struts的ActionForm的List属性中
