Windows 下的“提权”代码（准确地说是启用特权：AdjustTokenPrivileges 只能启用当前令牌中已经存在但被禁用的特权，不能凭空获得新特权。SeDebugPrivilege 只存在于管理员 / SYSTEM 令牌中，普通用户或未提升的进程调用下面的函数会失败）：
#include <windows.h>
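// Enables SeDebugPrivilege in the current process token.
//
// Despite the name this is not privilege escalation: AdjustTokenPrivileges can
// only turn on a privilege that is already present (disabled) in the token.
// SeDebugPrivilege exists only in Administrators / SYSTEM tokens, so a
// non-elevated process fails here with ERROR_NOT_ALL_ASSIGNED.
//
// Returns true only when the privilege is actually enabled. Failures are
// reported through OutputDebugString.
bool AdjustPrivileges() {
    HANDLE hToken = NULL;
    // Least privilege: adjusting a privilege needs only these two access
    // rights, not TOKEN_ALL_ACCESS. The original also ignored this call's
    // result and went on with a NULL token.
    if (!OpenProcessToken(GetCurrentProcess(),
                          TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) {
        OutputDebugString(TEXT("提升权限失败,OpenProcessToken"));
        return false;
    }

    LUID luid;
    if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid)) {
        CloseHandle(hToken);
        OutputDebugString(TEXT("提升权限失败,LookupPrivilegeValue"));
        return false;
    }

    TOKEN_PRIVILEGES tp;
    ZeroMemory(&tp, sizeof(tp));
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Luid = luid;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

    // One privilege fits in the fixed-size struct, so the previous-state buffer
    // and its length can be the struct itself.
    TOKEN_PRIVILEGES oldtp;
    DWORD dwSize = sizeof(TOKEN_PRIVILEGES);
    // AdjustTokenPrivileges returns TRUE even when it could not enable the
    // privilege (the token simply does not hold it); that case is signalled
    // only by GetLastError() == ERROR_NOT_ALL_ASSIGNED, so both must be checked.
    BOOL ok = AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(TOKEN_PRIVILEGES),
                                    &oldtp, &dwSize);
    DWORD err = GetLastError();  // read before CloseHandle can clobber it
    CloseHandle(hToken);
    if (!ok || err == ERROR_NOT_ALL_ASSIGNED) {
        OutputDebugString(TEXT("提升权限失败 AdjustTokenPrivileges"));
        return false;
    }
    return true;
}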
调用伪代码:
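// Usage sketch: enable SeDebugPrivilege, then open other processes.
int main()
{
    // The return value matters: AdjustPrivileges() only enables a privilege the
    // token already holds, so from a non-elevated process it returns false and
    // nothing has changed.
    if (!AdjustPrivileges()) {
        return 1;
    }
    // With SeDebugPrivilege enabled, OpenProcess(PROCESS_ALL_ACCESS, ...) now
    // succeeds on processes whose DACL would otherwise deny access (this is
    // the original note). Protected processes (PPL) still cannot be opened.
    return 0;
}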
降权代码（在 SYSTEM 服务中，以当前活动控制台会话的登录用户身份重新启动本程序；WTSQueryUserToken 要求调用者运行在 LocalSystem 上下文并拥有 SeTcbPrivilege）：
#include <WtsApi32.h>
#pragma comment(lib, "Wtsapi32.lib")
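// Reports whether the current process runs as LocalSystem (S-1-5-18).
//
// The original compared GetUserNameW() with the literal "system". That account
// name is localized on some non-English Windows editions (e.g. French
// "Système"), so the check silently returned FALSE there. Comparing the
// token's user SID with the well-known LocalSystem SID is locale-independent.
//
// Returns TRUE only when the process token's user is LocalSystem; any API
// failure yields FALSE.
BOOL IsSystem()
{
    BOOL bRet = FALSE;
    HANDLE hToken = NULL;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken)) {
        return FALSE;
    }

    // TOKEN_USER plus the largest possible SID; the union keeps the buffer
    // correctly aligned for the struct.
    union {
        TOKEN_USER user;
        BYTE raw[sizeof(TOKEN_USER) + SECURITY_MAX_SID_SIZE];
    } buf = {};
    DWORD cb = 0;
    if (GetTokenInformation(hToken, TokenUser, &buf, sizeof(buf), &cb) &&
        IsWellKnownSid(buf.user.User.Sid, WinLocalSystemSid)) {
        bRet = TRUE;
    }

    CloseHandle(hToken);
    return bRet;
}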
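HANDLE GetUserHandle();  // defined later in this file; declared so this compiles

// Re-launches the current executable inside the active console session as the
// logged-on user ("drop" from SYSTEM to the interactive user).
//
// Meant to be called from a process that already runs as LocalSystem (see
// IsSystem()): GetUserHandle() only works in that context. Returns TRUE when
// the child process was created; its handles are closed immediately because
// the caller does not wait for it.
BOOL JmpToUser()
{
    BOOL bRet = FALSE;
    HANDLE hUser = NULL;
    WCHAR path[MAX_PATH] = { 0 };
    STARTUPINFOW si = { 0 };
    PROCESS_INFORMATION pi = { 0 };

    // cb is mandatory for CreateProcess*; the original never set it.
    si.cb = sizeof(si);
    // Show the child on the user's interactive desktop instead of the
    // service's session-0 window station.
    WCHAR desktop[] = L"winsta0\\default";
    si.lpDesktop = desktop;

    do {
        DWORD len = GetModuleFileNameW(NULL, path, MAX_PATH);
        // 0 = failure; MAX_PATH = the path was truncated. Neither may be run.
        if (len == 0 || len >= MAX_PATH) {
            break;
        }
        hUser = GetUserHandle();
        if (hUser == NULL) {
            break;
        }
        // Pass the path as lpApplicationName rather than as an unquoted
        // command line: an unquoted path with spaces ("C:\Program Files\x.exe")
        // is parsed as "C:\Program.exe" plus arguments, a classic hijack.
        // bInheritHandles = FALSE: the child runs as a lower-privileged user
        // and must not inherit this SYSTEM process's inheritable handles.
        // lpEnvironment = NULL: the child inherits this (SYSTEM) process's
        // environment; for the user's own USERPROFILE/TEMP one would call
        // CreateEnvironmentBlock(hUser) from userenv — not done here.
        // CREATE_BREAKAWAY_FROM_JOB fails if the current job forbids breakaway.
        bRet = CreateProcessAsUserW(hUser,
                                    path,
                                    NULL,
                                    NULL,
                                    NULL,
                                    FALSE,
                                    CREATE_UNICODE_ENVIRONMENT | CREATE_BREAKAWAY_FROM_JOB,
                                    NULL,
                                    NULL,
                                    &si,
                                    &pi);
        if (bRet) {
            CloseHandle(pi.hProcess);
            CloseHandle(pi.hThread);
        }
    } while (FALSE);

    // The duplicated user token was leaked on every path in the original.
    if (hUser != NULL) {
        CloseHandle(hUser);
    }
    return bRet;
}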
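// Returns a primary token for the user logged on to the active console
// session, or NULL on failure. The caller owns the handle and must CloseHandle it.
//
// WTSQueryUserToken is documented to require the caller to run as LocalSystem
// with SeTcbPrivilege, so this only works from a service.
HANDLE GetUserHandle()
{
    HANDLE hUser = NULL;
    HANDLE hToken = NULL;
    do {
        DWORD sessionId = WTSGetActiveConsoleSessionId();
        // 0xFFFFFFFF means "no console session attached" — the original tested
        // for 0 instead, which let the real failure value through. Session 0 is
        // still rejected as the original did (on Vista+ it hosts services, not
        // an interactive user).
        if (sessionId == 0xFFFFFFFF || sessionId == 0) {
            break;
        }
        if (!WTSQueryUserToken(sessionId, &hToken)) {
            break;
        }
        // WTSQueryUserToken already yields a primary token; it is duplicated
        // here as in the original. NOTE(review): MAXIMUM_ALLOWED is broader
        // than the documented CreateProcessAsUser minimum
        // (TOKEN_QUERY | TOKEN_DUPLICATE | TOKEN_ASSIGN_PRIMARY); narrowing it
        // is left for a caller who can verify it against their launch path.
        if (!DuplicateTokenEx(hToken, MAXIMUM_ALLOWED, NULL, SecurityDelegation,
                              TokenPrimary, &hUser)) {
            hUser = NULL;
            break;
        }
    } while (FALSE);

    if (hToken != NULL) {
        CloseHandle(hToken);
    }
    return hUser;
}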
作者:IBinary