#include "windows.h"
#include <tlhelp32.h>   // CreateToolhelp32Snapshot / PROCESSENTRY32 / Process32First|Next
#include <tchar.h>      // _tmain / _TCHAR
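// Opens the primary access token of the first running process whose image
// name equals lpName (case-insensitive) into hToken.
//
// hToken - receives the token handle on success and is left untouched
//          otherwise; the caller owns it and must CloseHandle() it.
// lpName - image file name to look for (compared against pe32.szExeFile).
// Returns TRUE only if a matching process was found and its token opened.
//
// Security notes (reviewer):
//  - Opening the token of a SYSTEM process such as winlogon.exe only works
//    from an already highly privileged context (typically one holding
//    SeDebugPrivilege). Because the caller then hands the token to
//    CreateProcessAsUser, this routine is a token-impersonation primitive
//    and should be treated as such in code review and deployment.
//  - Snapshot -> OpenProcess on a system process -> OpenProcessToken is a
//    well-known sequence; endpoint telemetry on handle opens and token use
//    against winlogon.exe by non-service callers is the usual detection.
//  - TOKEN_ALL_ACCESS is broader than a process launch needs; least
//    privilege would narrow the requested mask.
//
// Fixes relative to the original: the process handle returned by
// OpenProcess was never closed, and a NULL process handle was passed on to
// OpenProcessToken instead of being checked.
BOOL GetTokenByName(HANDLE &hToken, LPTSTR lpName)
{
    if (!lpName)
    {
        return FALSE;
    }

    HANDLE hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hProcessSnap == INVALID_HANDLE_VALUE)
    {
        return FALSE;
    }

    BOOL bRet = FALSE;
    PROCESSENTRY32 pe32 = {0};
    pe32.dwSize = sizeof(PROCESSENTRY32);   // must be set before Process32First

    if (Process32First(hProcessSnap, &pe32))
    {
        do
        {
            if (_wcsicmp(pe32.szExeFile, lpName) != 0)
            {
                continue;   // jumps to the Process32Next condition
            }

            // First match wins: stop scanning whether or not the token opens.
            HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION,
                                          FALSE, pe32.th32ProcessID);
            if (hProcess != NULL)
            {
                bRet = OpenProcessToken(hProcess, TOKEN_ALL_ACCESS, &hToken);
                CloseHandle(hProcess);   // leaked in the original
            }
            break;
        } while (Process32Next(hProcessSnap, &pe32));
    }

    CloseHandle(hProcessSnap);   // single exit: snapshot closed on every path
    return bRet;
}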
// Entry point: obtains the token of a named process and launches a child
// process under that token.
//
// Security notes (reviewer): the hard-coded target is winlogon.exe, so the
// child runs as SYSTEM -- this is the classic token-theft launch pattern and
// requires an already elevated caller. From a defender's view, OpenProcess /
// OpenProcessToken against winlogon.exe followed by CreateProcessAsUser from
// a non-service process is the sequence worth alerting on.
int _tmain(int argc, _TCHAR* argv[])
{
HANDLE hToken = NULL;
// Obtain the target process's token. This method can lower or raise
// privileges, e.g. explore.exe [medium], winlogon.exe [system].
if(!GetTokenByName(hToken,TEXT("winlogon.exe")))
{
// NOTE: FALSE is 0, the same exit code as success; the caller cannot
// distinguish this failure path from a normal run.
return FALSE;
}
if (hToken == NULL)
{
return FALSE;
}
STARTUPINFO startUpInfo;
::ZeroMemory(&startUpInfo, sizeof(startUpInfo));
startUpInfo.cb = sizeof(STARTUPINFO);
startUpInfo.dwFlags = STARTF_USESHOWWINDOW;
startUpInfo.wShowWindow = SW_SHOW;
// NOTE(review): the command line is a narrow string literal while line 42
// uses TEXT(); under a UNICODE build this parameter type does not match.
// CreateProcessAsUserW also documents that lpCommandLine may be modified,
// so a literal is not a safe buffer there.
// NOTE(review): m_myProcInfo is not declared anywhere in this listing --
// presumably a member of the class this was lifted from; as a standalone
// file this does not compile. A local PROCESS_INFORMATION would be the
// usual shape.
// bResult is never checked, and the child's hProcess/hThread handles in
// the PROCESS_INFORMATION are never closed.
BOOL bResult = CreateProcessAsUser(hToken,NULL,"需要提权.exe",NULL,NULL,
FALSE,NORMAL_PRIORITY_CLASS,NULL,NULL,&startUpInfo,&m_myProcInfo.procInfo);
CloseHandle(hToken);
return 0;
}
————————————————
版权声明:本文为CSDN博主「小青峰_jd」的原创文章,遵循CC 4.0 BY-SA版权协议,转载请附上原文出处链接及本声明。
原文链接:https://blog.csdn.net/jiangdong2007/article/details/106270384