主要代码如下:
DWORD FindSessionPid(LPSTR lpProcessName, DWORD dwSessionId)
{
DWORD res = 0;
PROCESSENTRY32 procEntry;
HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (hSnap == INVALID_HANDLE_VALUE)
{
return res ;
}
procEntry.dwSize = sizeof(PROCESSENTRY32);
if (!Process32First(hSnap, &procEntry))
{
goto _end;
}
do
{
if (_stricmp(procEntry.szExeFile, lpProcessName) == 0)
{
DWORD winlogonSessId = 0;
if (ProcessIdToSessionId(procEntry.th32ProcessID, &winlogonSessId) && winlogonSessId == dwSessionId)
{
res = procEntry.th32ProcessID;
break;
}
}
} while (Process32Next(hSnap, &procEntry));
_end:
CloseHandle(hSnap);
return res;
}
BOOL LaunchAppIntoDifferentSession(LPSTR lpCmdLine)
{
PROCESS_INFORMATION pi;
STARTUPINFO si;
BOOL bResult = FALSE;
DWORD dwSessionId = 0, winlogonPid = 0;
HANDLE hUserToken, hUserTokenDup, hPToken, hProcess;
DWORD dwCreationFlags;
// Log the client on to the local computer.
typedef DWORD (WINAPI *__pfnWTSGetActiveConsoleSessionId)();
typedef BOOL (WINAPI *__pfnWTSQueryUserToken)( ULONG SessionId, PHANDLE phToken );
__pfnWTSGetActiveConsoleSessionId pfnWTSGetActiveConsoleSessionId =
(__pfnWTSGetActiveConsoleSessionId)GetProcAddress(LoadLibraryA("kernel32.dll"), "WTSGetActiveConsoleSessionId");
__pfnWTSQueryUserToken pfnWTSQueryUserToken =
(__pfnWTSQueryUserToken)GetProcAddress(LoadLibraryA("Wtsapi32.dll"), "WTSQueryUserToken");
if(pfnWTSGetActiveConsoleSessionId == NULL)
{
WriteLog("Not found api: WTSGetActiveConsoleSessionId\n");
return 0;
}
if(pfnWTSQueryUserToken == NULL)
{
WriteLog("Not found api: WTSQueryUserToken\n");
return 0;
}
dwSessionId = pfnWTSGetActiveConsoleSessionId();
winlogonPid = FindSessionPid("explorer.exe", dwSessionId);
if(winlogonPid == 0)
{
winlogonPid = FindSessionPid("winlogon.exe", dwSessionId);
}
if(winlogonPid == 0)
{
WriteLog("Can't Find Explorer\n");
return 0;
}
dwCreationFlags = NORMAL_PRIORITY_CLASS|CREATE_NEW_CONSOLE;
ZeroMemory(&si, sizeof(STARTUPINFO));
si.cb= sizeof(STARTUPINFO);
si.lpDesktop = "winsta0\\default";
ZeroMemory(&pi, sizeof(pi));
TOKEN_PRIVILEGES tp;
LUID luid;
LPVOID TokenInformation;
DWORD RetLen = 0;
if( !pfnWTSQueryUserToken(dwSessionId, &hUserToken) )
{
hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, winlogonPid);
if(!OpenProcessToken(hProcess, TOKEN_ALL_ACCESS_P, &hPToken))
{
char pTemp[121];
sprintf(pTemp, "Process token open Error: %u\n", GetLastError());
WriteLog(pTemp);
}
if(hPToken == NULL)
{
WriteLog("Process tokenError: \n");
}
}
else
{
hPToken = hUserToken;
}
if(GetTokenInformation(hPToken, TokenLinkedToken, &TokenInformation, 4, &RetLen))
{
hUserTokenDup = TokenInformation;
}
else
{
if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid))
{
char pTemp[121];
sprintf(pTemp, "Lookup Privilege value Error: %u\n", GetLastError());
WriteLog(pTemp);
}
if(!DuplicateTokenEx(hPToken, MAXIMUM_ALLOWED, NULL, SecurityIdentification, TokenPrimary, &hUserTokenDup))
{
char pTemp[121];
sprintf(pTemp, "DuplicateTokenEx Error: %u\n", GetLastError());
WriteLog(pTemp);
}
}
LPVOID pEnv = NULL;
if(CreateEnvironmentBlock(&pEnv, hUserTokenDup, TRUE))
{
dwCreationFlags |= CREATE_UNICODE_ENVIRONMENT;
}
else
{
WriteLog("CreateEnvironmentBlock Failed\n");
pEnv = NULL;
}
// Launch the process in the client's logon session.
bResult = CreateProcessAsUser(
hUserTokenDup, // client's access token
NULL, // file to execute
lpCmdLine, // command line
NULL, // pointer to process SECURITY_ATTRIBUTES
NULL, // pointer to thread SECURITY_ATTRIBUTES
FALSE, // handles are not inheritable
dwCreationFlags, // creation flags
pEnv, // pointer to new environment block
NULL, // name of current directory
&si, // pointer to STARTUPINFO structure
&pi // receives information about new process
);
// End impersonation of client.
//GetLastError Shud be 0
int iResultOfCreateProcessAsUser = GetLastError();
if(bResult == FALSE && iResultOfCreateProcessAsUser != 0)
{
char pTemp[121];
sprintf(pTemp, "CreateProcessAsUser Error: %u\n", GetLastError());
WriteLog(pTemp);
}
if(pi.hProcess)
{
CloseHandle(pi.hProcess);
}
if(pi.hThread)
{
CloseHandle(pi.hThread);
}
//Perform All the Close Handles task
if(hProcess)
{
CloseHandle(hProcess);
}
if(hUserToken)
{
CloseHandle(hUserToken);
}
if(hUserTokenDup)
{
CloseHandle(hUserTokenDup);
}
if(hPToken)
{
CloseHandle(hPToken);
}
if(pEnv)
{
DestroyEnvironmentBlock(pEnv);
}
return bResult;
}
调用方式:
LaunchAppIntoDifferentSession("c:\\windows\\notepad.exe");
前提是有个服务进程已经启动,然后服务进程会以管理员模式(不需要用户点UAC的框)启动一个新的可以创建窗口的进程。
安装这个服务需要点UAC的框,所以不是什么不可公开的思路。好处就一点:每次自启动的进程,不需要再让用户点UAC框了
服务进程创建一个带窗口的进程,过UAC
最新推荐文章于 2021-11-26 14:20:25 发布