一、错误函数
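// Write the text of the calling thread's last Win32 error to the debugger
// output.  Call it immediately after the failing API, before any other call
// can overwrite GetLastError().
void ShowError()
{
    // Capture the code first: FormatMessage itself may change last-error.
    DWORD dwErr = GetLastError();
    LPWSTR lpMessageBuf = NULL;
    // FORMAT_MESSAGE_IGNORE_INSERTS is required together with FROM_SYSTEM:
    // system messages may contain %1-style inserts, and with no argument
    // list supplied the call would otherwise fail or read garbage.
    DWORD dwLen = FormatMessageW(
        FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_ALLOCATE_BUFFER |
            FORMAT_MESSAGE_IGNORE_INSERTS,
        NULL, dwErr, MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
        (LPWSTR)&lpMessageBuf, 0, NULL);
    if (dwLen == 0 || lpMessageBuf == NULL)
    {
        // No text for this code (or FormatMessage failed): the original
        // passed a NULL buffer on; report the number instead so the failure
        // is still visible in the debugger output.
        WCHAR szFallback[64];
        swprintf_s(szFallback, L"Win32 error %lu (no message text)\r\n", dwErr);
        OutputDebugStringW(szFallback);
        return;
    }
    OutputDebugStringW(lpMessageBuf);
    LocalFree(lpMessageBuf);   // buffer was allocated by FormatMessage
}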
二、管理员权限检测
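// Query whether the current process runs with an elevated (administrator)
// token.  Yields true only when the token reports TokenIsElevated; any API
// failure is logged via ShowError() and treated as "not elevated".
HANDLE hToken = NULL;
if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken))
{
    ShowError();
    return false;
}
TOKEN_ELEVATION eve = { 0 };
DWORD len = 0;
BOOL ok = GetTokenInformation(hToken, TokenElevation, &eve, sizeof(eve), &len);
if (!ok)
{
    ShowError();   // before CloseHandle, which may overwrite the last-error code
}
CloseHandle(hToken);   // the original leaked the handle on the failure path
if (!ok)
{
    return false;
}
if (len == sizeof(eve))
{
    // TokenIsElevated is a DWORD; normalise it to a real bool.
    return eve.TokenIsElevated != 0;
}
// %lu matches DWORD (unsigned long); %d was a format/type mismatch.
printf("length of tokeninformation is %lu\r\n", len);
return false;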
1 token令牌：一般是一串数字或者包含权限的数据结构等
2 在Windows中令牌一般用句柄代替
三、管理员权限获取
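// Launch "<current directory>\RemoteCtrl.exe" under the local Administrator
// account and wait for it to exit.
//
// NOTE(review): both LogonUser and CreateProcessWithLogonW are given a NULL
// password, so this only works while the Administrator account has a blank
// password and local policy permits such logons (the "本地策略" step).  A
// hard-coded account with an empty credential is a weak configuration; an
// interactive credential prompt or a UAC "runas" elevation is the safer
// design.
HANDLE hToken = NULL;
// LogonUser serves only as a credential check here: its token is never
// passed on, CreateProcessWithLogonW performs its own logon.
BOOL ret = LogonUser(L"Administrator", NULL, NULL, LOGON32_LOGON_INTERACTIVE,
                     LOGON32_PROVIDER_DEFAULT, &hToken);
if (!ret)
{
    ShowError();
    exit(0);   // note: exit status 0 still tells the parent the launch succeeded
}
CloseHandle(hToken);   // the logon token is not needed past this point

STARTUPINFO si = { 0 };
si.cb = sizeof(si);   // required; with cb left 0 the create call is rejected
PROCESS_INFORMATION pi = { 0 };

// GetCurrentDirectory returns 0 on failure and the required size (>= MAX_PATH)
// when the buffer is too small; in both cases sPath is unusable.
// NOTE(review): resolving the child relative to the working directory rather
// than to this executable's own directory means a different RemoteCtrl.exe
// is started when the process is launched from another folder.
TCHAR sPath[MAX_PATH] = _T("");
DWORD pathLen = GetCurrentDirectory(MAX_PATH, sPath);
if (pathLen == 0 || pathLen >= MAX_PATH)
{
    if (pathLen == 0)
    {
        ShowError();   // only the 0 case sets a last-error code
    }
    MessageBox(NULL, _T("获取当前目录失败"), _T("创建进程失败"), 0);
    exit(0);
}
CString strCmd = sPath;
strCmd += _T("\\RemoteCtrl.exe");

// CreateProcessWithLogonW may write into lpCommandLine, so hand it a
// writable buffer instead of casting away CString's const.
LPWSTR lpCmdLine = strCmd.GetBuffer();
ret = CreateProcessWithLogonW(L"Administrator", NULL, NULL, LOGON_WITH_PROFILE,
                              NULL, lpCmdLine, CREATE_UNICODE_ENVIRONMENT,
                              NULL, NULL, &si, &pi);
strCmd.ReleaseBuffer();
if (!ret)
{
    ShowError();
    MessageBox(NULL, strCmd, _T("创建进程失败"), 0);
    exit(0);
}
WaitForSingleObject(pi.hProcess, INFINITE);
CloseHandle(pi.hProcess);
CloseHandle(pi.hThread);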
1 获取管理员权限
2 使用该权限创建进程
3 需要改变本地策略