如何提升进程的权限
我们可以通过WriteProcessMemory函数直接修改其他进程的内存，从而实现内存补丁或者游戏修改之类的功能。但是有个问题：并不是所有的进程都能被写内存，这从前面的日志
《通过CreateToolhelp32Snapshot函数获得系统中当前运行的进程信息2》可以看出来：很多进程的打开状态是失败的。所以，提升当前进程的权限非常必要。程序实现的代码如下：
#include <windows.h>
#include <tlhelp32.h>
#include <cstring>
BOOL CALLBACK EnumChildWindowProc(HWND hWnd,LPARAM lParam); // EnumChildWindows callback: finds Notepad's "Edit" child window and writes the report into it
char mess[999999]; // Global report buffer: WinMain appends one entry per process, EnumChildWindowProc pushes it to Notepad via WM_SETTEXT. Zero-initialised as a global, so it starts as an empty string.
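// Appends text to the global report buffer `mess`, truncating at the end of
// the buffer instead of overrunning it the way an unchecked strcat would.
static void AppendReport(const char* text)
{
    size_t used = ::strlen(mess);
    size_t room = sizeof(mess) - 1 - used; // keep one byte for the terminator
    if (room == 0)
    {
        return; // buffer full: drop the rest of the report rather than corrupt memory
    }
    ::strncat(mess, text, room);
}

// Enables SeDebugPrivilege on the current process token.
// Returns TRUE only when the privilege is actually enabled. Two things the
// original code missed: AdjustTokenPrivileges can only *enable* a privilege the
// token already holds (normally an administrator token) - it cannot add one -
// and it returns success even when nothing was assigned, signalling that case
// only through GetLastError() == ERROR_NOT_ALL_ASSIGNED. The token handle is
// always closed before returning.
static BOOL EnableDebugPrivilege()
{
    TOKEN_PRIVILEGES tkp = {};
    // Resolve the LUID of the debug privilege on this machine.
    if (!::LookupPrivilegeValue(NULL, "SeDebugPrivilege", &tkp.Privileges[0].Luid))
    {
        ::MessageBox(NULL, "LookupPrivilegeValue error", "error", MB_OK);
        return FALSE;
    }
    tkp.PrivilegeCount = 1;
    tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

    // The token of the calling process: no PID lookup or process walk is needed.
    HANDLE hToken = NULL;
    if (!::OpenProcessToken(::GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
    {
        ::MessageBox(NULL, "OpenProcessToken error", "error", MB_OK);
        return FALSE;
    }

    BOOL adjusted = ::AdjustTokenPrivileges(hToken, FALSE, &tkp, 0, (PTOKEN_PRIVILEGES)NULL, 0);
    DWORD lastError = ::GetLastError(); // read before CloseHandle can overwrite it
    ::CloseHandle(hToken);

    if (!adjusted)
    {
        ::MessageBox(NULL, "AdjustTokenPrivileges error", "error", MB_OK);
        return FALSE;
    }
    if (lastError == ERROR_NOT_ALL_ASSIGNED)
    {
        // The call "succeeded" but the token does not hold SeDebugPrivilege,
        // so nothing was enabled; the process list will open as before.
        ::MessageBox(NULL, "SeDebugPrivilege is not held by this token (run as administrator)", "error", MB_OK);
        return FALSE;
    }
    return TRUE;
}

// Tries OpenProcess(access) on pid and appends "<label>成功/失败" to the report.
// Only a real handle is closed; CloseHandle(NULL) is itself an error.
static void AppendAccessCheck(DWORD pid, DWORD access, const char* label)
{
    HANDLE hProcess = ::OpenProcess(access, FALSE, pid);
    AppendReport(label);
    if (hProcess == NULL)
    {
        AppendReport("失败\r\n");
    }
    else
    {
        AppendReport("成功\r\n");
        ::CloseHandle(hProcess);
    }
}

// The access rights probed for every process, in report order.
static const struct AccessCheck
{
    DWORD access;
    const char* label;
} kAccessChecks[] = {
    { PROCESS_ALL_ACCESS,        "PROCESS_ALL_ACCESS权限: " },
    { PROCESS_CREATE_PROCESS,    "PROCESS_CREATE_PROCESS权限: " },
    { PROCESS_CREATE_THREAD,     "PROCESS_CREATE_THREAD权限: " },
    { PROCESS_DUP_HANDLE,        "PROCESS_DUP_HANDLE权限: " },
    { PROCESS_QUERY_INFORMATION, "PROCESS_QUERY_INFORMATION权限: " },
    { PROCESS_SET_INFORMATION,   "PROCESS_SET_INFORMATION权限: " },
    { PROCESS_TERMINATE,         "PROCESS_TERMINATE权限: " },
    { PROCESS_VM_OPERATION,      "PROCESS_VM_OPERATION权限: " },
    { PROCESS_VM_READ,           "PROCESS_VM_READ权限: " },
    { PROCESS_VM_WRITE,          "PROCESS_VM_WRITE权限: " },
};

// Appends one process entry (name, PID, then one line per access right) to the report.
static void ReportProcess(const PROCESSENTRY32& pe32)
{
    char line[1024]; // wsprintf writes at most 1024 bytes; szExeFile is MAX_PATH, so this fits
    ::wsprintf(line, "\r\n进程名: %s 进程ID: %u\r\n", pe32.szExeFile, (unsigned)pe32.th32ProcessID);
    AppendReport(line);
    for (size_t i = 0; i < sizeof(kAccessChecks) / sizeof(kAccessChecks[0]); ++i)
    {
        AppendAccessCheck(pe32.th32ProcessID, kAccessChecks[i].access, kAccessChecks[i].label);
    }
}

// Entry point. Enables SeDebugPrivilege on our own token, walks the process
// list with a Toolhelp snapshot, records which access rights OpenProcess grants
// for each process, and writes the report into the Edit control of a running
// Notepad window. Returns 0 on every path; failures are reported via MessageBox.
// Note: even with SeDebugPrivilege enabled, protected processes still refuse to
// open, so some "失败" lines are expected and are part of what this tool shows.
int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nShowCmd)
{
    HWND nphWnd = ::FindWindow("notepad", NULL);
    if (!nphWnd)
    {
        ::MessageBox(NULL, "please open notepad", "error", MB_OK);
        return 0;
    }

    mess[0] = '\0'; // start from an empty report

    // The privilege belongs to this process's token, so it is adjusted directly;
    // the old scan of the process list for "upprocess.exe" silently skipped the
    // elevation whenever the executable had been renamed. The scan below runs
    // either way so the report also shows what an unprivileged token can open.
    BOOL debugEnabled = EnableDebugPrivilege();
    AppendReport(debugEnabled ? "SeDebugPrivilege: 成功\r\n" : "SeDebugPrivilege: 失败\r\n");

    // Snapshot of the running processes; other TH32CS_* flags select other
    // object types (see MSDN).
    HANDLE hProcessSnap = ::CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hProcessSnap == INVALID_HANDLE_VALUE)
    {
        ::MessageBox(NULL, "CreateToolhelp32Snapshot error", "error", MB_OK);
        return 0;
    }

    PROCESSENTRY32 pe32 = {};
    pe32.dwSize = sizeof(pe32); // required before Process32First
    for (BOOL more = ::Process32First(hProcessSnap, &pe32); more; more = ::Process32Next(hProcessSnap, &pe32))
    {
        ReportProcess(pe32);
    }
    ::CloseHandle(hProcessSnap); // the original leaked the snapshot handle

    // Locate Notepad's Edit child and hand it the report.
    ::EnumChildWindows(nphWnd, EnumChildWindowProc, 0);
    return 0;
}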
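// EnumChildWindows callback: finds the first child whose class is "Edit"
// (Notepad's text area), pushes the global report `mess` into it with
// WM_SETTEXT, and returns FALSE to stop the enumeration. Returns TRUE for any
// other child so enumeration continues. lParam is unused.
BOOL CALLBACK EnumChildWindowProc(HWND hWnd, LPARAM lParam)
{
    char className[256] = {};
    // GetClassName returns 0 on failure and leaves the buffer unspecified, so a
    // failed call must not reach strcmp (the original compared regardless).
    if (hWnd
        && ::GetClassName(hWnd, className, sizeof(className)) > 0
        && ::strcmp(className, "Edit") == 0)
    {
        ::SendMessage(hWnd, WM_SETTEXT, 0, (LPARAM)mess);
        return FALSE;
    }
    return TRUE;
}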