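HANDLE tokenHandle = NULL;
// Open the current process's own access token. Adjusting privileges only
// requires TOKEN_ADJUST_PRIVILEGES (TOKEN_QUERY would additionally be needed
// if PreviousState were requested below), so TOKEN_ALL_ACCESS is not asked for.
BOOL bRet = OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &tokenHandle);
if (bRet) {
    TOKEN_PRIVILEGES tokenPri;
    tokenPri.PrivilegeCount = 1;                               // number of entries in tokenPri.Privileges
    tokenPri.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;  // enable the privilege identified by Luid
    // Look up the LUID of SeDebugPrivilege on the local system.
    bRet = LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tokenPri.Privileges[0].Luid);
    if (bRet) {
        // FALSE: apply the changes described by tokenPri (TRUE would disable every privilege).
        bRet = AdjustTokenPrivileges(tokenHandle, FALSE, &tokenPri, sizeof(tokenPri), NULL, NULL);
        // AdjustTokenPrivileges returns TRUE even when the privilege could not be
        // enabled (GetLastError() == ERROR_NOT_ALL_ASSIGNED, e.g. the token does
        // not hold SeDebugPrivilege at all); only ERROR_SUCCESS means it is enabled.
        if (bRet && GetLastError() != ERROR_SUCCESS) {
            bRet = FALSE;
        }
    }
    CloseHandle(tokenHandle);  // close the token on every path, not only on success
}
return bRet;  // TRUE only if SeDebugPrivilege is now enabled on this process's token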
OpenProcessToken原型:
BOOL WINAPI OpenProcessToken(
_In_ HANDLE ProcessHandle,      // 进程句柄
_In_ DWORD DesiredAccess,       // 想要获得的访问权限
_Out_ PHANDLE TokenHandle       // 返回的令牌句柄
);
DesiredAccess的取值及其含义(不太清楚的话直接用TOKEN_ALL_ACCESS就行了;但更稳妥的做法是只申请实际需要的权限,例如本例只调整特权,TOKEN_ADJUST_PRIVILEGES就足够了)
Value | Meaning |
---|---|
TOKEN_ADJUST_DEFAULT | Required to change the default owner, primary group, or DACL of an access token. |
TOKEN_ADJUST_GROUPS | Required to adjust the attributes of the groups in an access token. |
TOKEN_ADJUST_PRIVILEGES | Required to enable or disable the privileges in an access token. |
TOKEN_ADJUST_SESSIONID | Required to adjust the session ID of an access token. The SE_TCB_NAME privilege is required. |
TOKEN_ASSIGN_PRIMARY | Required to attach a primary token to a process. The SE_ASSIGNPRIMARYTOKEN_NAME privilege is also required to accomplish this task. |
TOKEN_DUPLICATE | Required to duplicate an access token. |
TOKEN_EXECUTE | Combines STANDARD_RIGHTS_EXECUTE and TOKEN_IMPERSONATE. |
TOKEN_IMPERSONATE | Required to attach an impersonation access token to a process. |
TOKEN_QUERY | Required to query an access token. |
TOKEN_QUERY_SOURCE | Required to query the source of an access token. |
TOKEN_READ | Combines STANDARD_RIGHTS_READ and TOKEN_QUERY. |
TOKEN_WRITE | Combines STANDARD_RIGHTS_WRITE, TOKEN_ADJUST_PRIVILEGES, TOKEN_ADJUST_GROUPS, and TOKEN_ADJUST_DEFAULT. |
TOKEN_ALL_ACCESS | Combines all possible access rights for a token. |
AdjustTokenPrivileges原型(注意:返回TRUE只说明调用本身成功,并不代表权限已经启用;调用后应检查GetLastError(),只有为ERROR_SUCCESS才表示全部权限已调整,为ERROR_NOT_ALL_ASSIGNED则说明该权限未被启用):
BOOL WINAPI AdjustTokenPrivileges(
_In_ HANDLE TokenHandle,                    // 令牌句柄
_In_ BOOL DisableAllPrivileges,             // 为TRUE时表示禁用令牌的所有权限(忽略NewState),为FALSE时表示用NewState所指向的结构体来修改权限
_In_opt_ PTOKEN_PRIVILEGES NewState,        // 指向TOKEN_PRIVILEGES结构体的指针
_In_ DWORD BufferLength,                    // NewState所指缓冲区的字节数,即sizeof(*NewState)(对应示例中的sizeof(tokenPri)),而不是指针本身的大小
_Out_opt_ PTOKEN_PRIVILEGES PreviousState,  // 指向用来保存修改前的TOKEN_PRIVILEGES的结构体,若不想保存修改前的权限,可以为NULL
_Out_opt_ PDWORD ReturnLength               // 指向用来保存PreviousState大小的DWORD的指针
);
_TOKEN_PRIVILEGES 定义:
typedef struct _TOKEN_PRIVILEGES {
ULONG PrivilegeCount;                           // Privileges数组的大小,一般为1
LUID_AND_ATTRIBUTES Privileges[ANYSIZE_ARRAY];
} TOKEN_PRIVILEGES, *PTOKEN_PRIVILEGES;
_LUID_AND_ATTRIBUTES 定义:
typedef struct _LUID_AND_ATTRIBUTES {
LUID Luid;          //权限的唯一标识
ULONG Attributes; //要对这个权限做什么?
} LUID_AND_ATTRIBUTES, *PLUID_AND_ATTRIBUTES;
Attributes的取值: