如何在系统登陆桌面运行程序(续)

前面说在系统登陆桌面运行程序必须取得TCB特权,今天研究了一下,这话说的有点儿绝对了。在网上搜索了一下,大名鼎鼎的Phrack上的有一篇文章介绍如何操作Physical Memory给了我启发。问题的关键不在于TCB特权,而在于ADMIN帐号没有权限操作"\Winlogon"内核对象。从下面这张图可以看出SYSTEM帐号和ADMIN帐号在"\Winlogon"内核对象上的权限区别:

那么在"\Winlogon"内核对象上给ADMIN帐号加上相应的访问权限是不是就可以了呢?答案是肯定的。添加权限的代码如下:
BOOLGrantAccessRights(HANDLEhWinlogonDesktop)
...{
PACLOldDacl
=NULL,NewDacl=NULL;
PSECURITY_DESCRIPTORSecDesc
=NULL;
EXPLICIT_ACCESSAccess;
BOOLretval
=FALSE;

DWORDRes
=GetSecurityInfo(
hWinlogonDesktop,SE_KERNEL_OBJECT,
DACL_SECURITY_INFORMATION,NULL,NULL,
&OldDacl,
NULL,
&SecDesc);

if(Res!=ERROR_SUCCESS)
returnFALSE;

Access.grfAccessPermissions
=ACTRL_PERM_1|ACTRL_PERM_2;
Access.grfAccessMode
=GRANT_ACCESS;
Access.grfInheritance
=NO_INHERITANCE;
Access.Trustee.MultipleTrusteeOperation
=NO_MULTIPLE_TRUSTEE;
//changetheseinformationstograntaccesstoagrouporotheruser

Access.Trustee.TrusteeForm
=TRUSTEE_IS_NAME;
Access.Trustee.TrusteeType
=TRUSTEE_IS_USER;
Access.Trustee.ptstrName
="CURRENT_USER";

//createthenewACL

if(ERROR_SUCCESS!=SetEntriesInAcl(1,&Access,OldDacl,&NewDacl))
gotocleanup;

//updateACL

retval
=ERROR_SUCCESS==SetSecurityInfo(
hWinlogonDesktop,SE_KERNEL_OBJECT,
DACL_SECURITY_INFORMATION,NULL,NULL,NewDacl,
NULL);

cleanup:
if(NewDacl)
LocalFree(NewDacl);
if(SecDesc)
LocalFree(SecDesc);
returnretval;
}

阅读更多
文章标签: Access Security
想对作者说点什么? 我来说一句

没有更多推荐了,返回首页

关闭
关闭
关闭