获取本地System权限

  作为C++方面的第一篇文章,就先说说获取权限方面的东西吧!首先是获取 Debug 权限(即 SeDebugPrivilege,它是做其他进一步工作的基础;注意 AdjustTokenPrivileges 只能启用令牌中已经存在的特权,所以调用进程本身需要以管理员身份运行),想必大家对这个方法应该很熟悉吧,网上有关这个的文章已经很多了,所以我就直接贴代码了!

 

 

代码
 
   
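// Enable SeDebugPrivilege ("debug programs") in the current process token.
//
// Returns TRUE only when the privilege is actually enabled afterwards.
// Two defects of the original are fixed here:
//  - the token handle was never initialised and the return value of
//    OpenProcessToken was ignored, so a failed open tested garbage;
//  - AdjustTokenPrivileges returns TRUE even when it could NOT enable the
//    requested privilege (it then sets ERROR_NOT_ALL_ASSIGNED), so the
//    original reported success for a token that never held SeDebugPrivilege
//    (e.g. a non-administrator). This function can only turn on a privilege
//    the token already owns; it cannot add one.
BOOL WINAPI EnterDebug()
{
    HANDLE hToken = NULL;
    TOKEN_PRIVILEGES tkp = { 0 };
    BOOL fOK = FALSE;

    __try
    {
        // Least privilege: enabling a privilege needs only ADJUST_PRIVILEGES;
        // QUERY is what AdjustTokenPrivileges needs to report the outcome.
        if (!OpenProcessToken(GetCurrentProcess(),
                              TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,
                              &hToken))
        {
            __leave;
        }

        tkp.PrivilegeCount = 1;
        tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
        if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tkp.Privileges[0].Luid))
        {
            __leave;
        }

        if (!AdjustTokenPrivileges(hToken, FALSE, &tkp, 0, NULL, NULL))
        {
            __leave;
        }
        // TRUE above does not mean the privilege was enabled; the definitive
        // answer is the last-error value set by AdjustTokenPrivileges.
        if (GetLastError() == ERROR_NOT_ALL_ASSIGNED)
        {
            __leave;
        }

        fOK = TRUE;
    }
    __finally
    {
        if (hToken != NULL)
        {
            CloseHandle(hToken);
        }
    }

    return fOK;
}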
41
42  

 

 

好了,以上就是全过程,并且在 WindowsXP SP2 VC2008 下编译通过。如果返回失败,先确认进程是否以管理员身份运行:EnterDebug 只能启用令牌里已有的 SeDebugPrivilege,普通用户的令牌里根本没有这个特权;另外要注意 AdjustTokenPrivileges 即使没能启用特权也会返回 TRUE,必须再检查 GetLastError() 是否为 ERROR_NOT_ALL_ASSIGNED。杀毒软件拦截的通常是后面的远线程注入,而不是这一步,所以"关掉杀毒软件再试试"对这一步基本没有帮助。

 

 

 

 

 

  接下来要着重讲的是如何获取System权限,System 权限(即 LocalSystem 账户)是用户态中最高的权限,其令牌里带有几乎全部特权。软件拥有了它可以干很多事!

现在比较流行的获取方式有两种,第一种是通过HOOK挂钩相应的API函数,从而在创建进程前修改其继承的进程,改为从有System权限的进程继承(如winlogon.exe)。第二种是通过远线程将创建进程的代码注入到winlogon.exe中,从而创建进程的是winlogon.exe,那么被创建的进程自然也有System权限了。

但两种方法都有缺点,第一种:要挂钩的函数在不同版本的操作系统中不同,所以通用性不强。第二种:因为用了远线程(向 winlogon.exe 这类系统进程做 CreateRemoteThread 注入是杀毒软件/EDR 重点监控的行为),所以容易被杀毒软件消灭。

在这里我先讲第二种方法,第一种我以后再讲。

在做以下工作之前一定要先获得 Debug 权限(否则 OpenProcess 打不开 winlogon.exe),并且要检查 EnterDebug 的返回值,不要假设它一定成功。

 

 

代码
 
   
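// Parameter block handed to the remote thread. One copy is written into
// the target process (see InjectCode) and the thread receives the address
// of THAT copy, so every pointer stored here must be meaningful in the
// target's address space.
//
// The original wrote `static struct MyData { ... };` -- a storage class on
// a type definition that declares no variable is meaningless (MSVC warns
// that it is ignored), so it is dropped.
struct MyData
{
    LPVOID addrCreateProcess;      // kernel32!CreateProcessW, looked up by the injector
    LPVOID addrExitThread;         // kernel32!ExitThread (looked up, not used by RemoteFunction)
    WCHAR wsCmdLine[MAX_PATH];     // command line passed to CreateProcessW
    WCHAR stDesktop[16];           // "WinSta0\\Default": 15 chars + NUL fits exactly
    STARTUPINFOW si;               // si.lpDesktop is re-pointed at stDesktop inside the target
    LPPROCESS_INFORMATION ppinfo;  // remote buffer that CreateProcessW fills in
};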
11
// Body copied into the target process and run there on a new thread.
static void WINAPI RemoteFunction(MyData* pData);

// Empty marker laid out directly after RemoteFunction; its address marks
// the end of the bytes to copy.
static void WINAPI endFunction();

// Copies RemoteFunction plus a MyData into hProcess and runs it there.
BOOL WINAPI InjectCode(LPWSTR CmdLines,
                       UINT WinShow,
                       HANDLE hProcess);

// Opens the first process whose image name matches wcProcessName.
HANDLE WINAPI GetProcessByName(DWORD dwDesiredAccess,
                               BOOL bInheritHandle,
                               WCHAR* wcProcessName);

////////////////////////////////////////////////////////////////////////////
20  
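// Code that runs inside the target (winlogon.exe) on the thread created by
// InjectCode. It is copied byte-for-byte into the target, so it must be
// position independent: it may touch only pData (whose address is the copy
// in the TARGET) and the function pointers stored in it. Calling any other
// function or taking the address of a global would jump to an address that
// is only meaningful in the injector. NOTE(review): build this translation
// unit without /GS, /RTC and incremental linking -- those insert calls and
// thunks that break the rule above; confirm the project settings.
//
// The original listing was missing the opening brace; it is restored here.
static void WINAPI RemoteFunction(MyData* pData)
{
    // Signature of the CreateProcessW entry point whose address the injector
    // looked up. Spell out the W types: the A/T variants are never used.
    typedef BOOL (WINAPI* CREATEPROCESSW_FN)(LPCWSTR lpApplicationName,
                                              LPWSTR lpCommandLine,
                                              LPSECURITY_ATTRIBUTES lpProcessAttributes,
                                              LPSECURITY_ATTRIBUTES lpThreadAttributes,
                                              BOOL bInheritHandles,
                                              DWORD dwCreationFlags,
                                              LPVOID lpEnvironment,
                                              LPCWSTR lpCurrentDirectory,
                                              LPSTARTUPINFOW lpStartupInfo,
                                              LPPROCESS_INFORMATION lpProcessInformation);

    CREATEPROCESSW_FN pfnCreateProcessW = (CREATEPROCESSW_FN)pData->addrCreateProcess;

    // stDesktop lives inside the same remote copy of MyData, so this pointer
    // is valid in the target's address space.
    pData->si.lpDesktop = (LPWSTR)pData->stDesktop;

    // bInheritHandles is FALSE (the original passed TRUE): the child has no
    // use for the target's inheritable handles, and handing them out only
    // widens what the spawned SYSTEM process can reach. The void signature
    // cannot return the result; the caller can read *pData->ppinfo back
    // after the thread exits (hProcess == NULL there means failure).
    pfnCreateProcessW(NULL, pData->wsCmdLine, NULL, NULL, FALSE, 0, NULL, NULL,
                      (LPSTARTUPINFOW)&pData->si, pData->ppinfo);
}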
35
// End marker for RemoteFunction: InjectCode computes the number of bytes to
// copy as endFunction - RemoteFunction. It must be static and must be placed
// immediately after RemoteFunction; that only holds while the compiler and
// linker keep the two functions adjacent and in order (no reordering,
// inlining or incremental-link thunks) -- NOTE(review): verify in the build.
static void WINAPI endFunction()
{
}
39
40
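// Copy RemoteFunction into hProcess and run it there on a new thread so that
// hProcess (normally winlogon.exe, running as SYSTEM) is the one calling
// CreateProcessW for the command line in CmdLines.
//
// CmdLines  command line for the new process; must be non-NULL and shorter
//           than MAX_PATH characters, otherwise FALSE is returned (the
//           original let wcscpy_s abort the process on overflow).
// WinShow   SW_* value stored in STARTUPINFO.wShowWindow.
// hProcess  handle to the target. Ownership transfers to this function: it
//           is CLOSED on every path, so the caller must not use it again.
//           It needs PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
//           PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ, plus
//           PROCESS_DUP_HANDLE for the best-effort handle cleanup below.
//
// Returns TRUE when the remote thread ran and CreateProcessW in the target
// reported a new process (the original returned TRUE as soon as the thread
// finished, whether or not a process was created). The thread is waited
// for with INFINITE, so a remote thread that never returns hangs the caller.
BOOL WINAPI InjectCode(LPWSTR CmdLines, UINT WinShow, HANDLE hProcess)
{
    BOOL res = FALSE;
    HANDLE hThread = NULL;
    HANDLE hLocal = NULL;
    HMODULE hKernel32 = NULL;
    SIZE_T codeSize = 0;
    DWORD oldProtect = 0;
    LPVOID remoteCode = NULL;   // copy of RemoteFunction inside the target
    LPVOID remoteData = NULL;   // copy of `data` inside the target
    LPVOID remotePinfo = NULL;  // PROCESS_INFORMATION the target fills in
    PROCESS_INFORMATION pi = { 0 };
    MyData data = { 0 };

    __try
    {
        if (hProcess == NULL) __leave;
        if (CmdLines == NULL || wcslen(CmdLines) >= MAX_PATH) __leave;

        wcscpy_s(data.wsCmdLine, MAX_PATH, CmdLines);
        wcscpy_s(data.stDesktop, 16, L"WinSta0\\Default");
        data.si.cb = sizeof(data.si);
        data.si.dwFlags = STARTF_USESHOWWINDOW;   // the original's magic 1
        data.si.wShowWindow = (WORD)WinShow;

        // The addresses are looked up in THIS process and used in the target;
        // that only works because kernel32.dll is mapped at the same base in
        // both (true on the XP target of this article; on later Windows the
        // base is randomised once per boot, still shared by all processes).
        hKernel32 = GetModuleHandle(L"kernel32.dll");
        if (hKernel32 == NULL) __leave;
        data.addrCreateProcess = GetProcAddress(hKernel32, "CreateProcessW");
        if (data.addrCreateProcess == NULL) __leave;
        data.addrExitThread = GetProcAddress(hKernel32, "ExitThread");
        if (data.addrExitThread == NULL) __leave;

        // Size of RemoteFunction = distance to the marker laid out after it.
        // Pointer-sized arithmetic: the original's (UINT) casts truncate
        // function addresses on x64. Relies on the linker keeping the two
        // functions adjacent and in order.
        codeSize = (SIZE_T)((BYTE*)endFunction - (BYTE*)RemoteFunction);
        if (codeSize == 0) __leave;

        // Write the code into RW memory, then flip it to RX, so no page in
        // the target is ever writable and executable at the same time
        // (the original allocated PAGE_EXECUTE_READWRITE).
        remoteCode = VirtualAllocEx(hProcess, NULL, codeSize,
                                    MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
        if (remoteCode == NULL) __leave;
        if (!WriteProcessMemory(hProcess, remoteCode, (LPCVOID)RemoteFunction,
                                codeSize, NULL)) __leave;
        if (!VirtualProtectEx(hProcess, remoteCode, codeSize,
                              PAGE_EXECUTE_READ, &oldProtect)) __leave;
        FlushInstructionCache(hProcess, remoteCode, codeSize);

        // Output buffer for CreateProcessW, allocated before `data` is
        // written so its remote address can be stored in data.ppinfo.
        remotePinfo = VirtualAllocEx(hProcess, NULL, sizeof(PROCESS_INFORMATION),
                                     MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
        if (remotePinfo == NULL) __leave;
        data.ppinfo = (LPPROCESS_INFORMATION)remotePinfo;

        remoteData = VirtualAllocEx(hProcess, NULL, sizeof(data),
                                    MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
        if (remoteData == NULL) __leave;
        if (!WriteProcessMemory(hProcess, remoteData, &data, sizeof(data), NULL)) __leave;

        hThread = CreateRemoteThread(hProcess, NULL, 0,
                                     (LPTHREAD_START_ROUTINE)remoteCode,
                                     remoteData, 0, NULL);
        if (hThread == NULL) __leave;

        if (WaitForSingleObject(hThread, INFINITE) != WAIT_OBJECT_0) __leave;

        // RemoteFunction cannot report its result, so read back the
        // PROCESS_INFORMATION it filled in; hProcess == NULL means
        // CreateProcessW failed in the target.
        if (!ReadProcessMemory(hProcess, remotePinfo, &pi, sizeof(pi), NULL)) __leave;
        if (pi.hProcess == NULL) __leave;

        // The two handles in `pi` live in the TARGET's handle table and
        // nobody there will ever close them (the original leaked them in
        // winlogon on every call). Pull each one over with
        // DUPLICATE_CLOSE_SOURCE and close the local copy; best effort,
        // since it needs PROCESS_DUP_HANDLE on hProcess.
        if (DuplicateHandle(hProcess, pi.hProcess, GetCurrentProcess(), &hLocal,
                            0, FALSE, DUPLICATE_SAME_ACCESS | DUPLICATE_CLOSE_SOURCE))
        {
            CloseHandle(hLocal);
            hLocal = NULL;
        }
        if (pi.hThread != NULL &&
            DuplicateHandle(hProcess, pi.hThread, GetCurrentProcess(), &hLocal,
                            0, FALSE, DUPLICATE_SAME_ACCESS | DUPLICATE_CLOSE_SOURCE))
        {
            CloseHandle(hLocal);
            hLocal = NULL;
        }

        res = TRUE;
    }
    __finally
    {
        // Everything allocated in the target is released once the remote
        // thread is done; the thread has returned, so nothing there still
        // references these buffers.
        if (remoteCode != NULL) { VirtualFreeEx(hProcess, remoteCode, 0, MEM_RELEASE); }
        if (remoteData != NULL) { VirtualFreeEx(hProcess, remoteData, 0, MEM_RELEASE); }
        if (remotePinfo != NULL) { VirtualFreeEx(hProcess, remotePinfo, 0, MEM_RELEASE); }
        if (hThread != NULL) { CloseHandle(hThread); }
        // hProcess is owned by this function (same as the original).
        if (hProcess != NULL) { CloseHandle(hProcess); }
    }

    return res;
}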
124
125
126   // 下面这个函数不是必要的,我只是通过它来获得winlogon.exe的进程句柄。
127  
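// Return a handle to the first running process whose image file NAME (the
// part after the last '\') equals wcProcessName, case-insensitively; NULL
// when nothing matches, the name is empty, or enumeration fails.
//
// dwDesiredAccess / bInheritHandle go straight to OpenProcess. The access
// must include PROCESS_QUERY_INFORMATION | PROCESS_VM_READ or
// GetModuleFileNameEx fails and that process is skipped; opening
// winlogon.exe additionally needs SeDebugPrivilege enabled (EnterDebug).
// The caller owns the returned handle.
//
// Two fixes over the original suffix comparison:
//  - it indexed wcFilePath[nSize - wcslen(name)], which reads before the
//    buffer whenever the name is longer than the path;
//  - a suffix match accepted "xwinlogon.exe" or any path merely ending in
//    the name, so a same-named binary in a user-writable directory could be
//    picked as the injection target. Only the base name is compared now.
//    That still accepts a winlogon.exe from any directory; a caller that
//    wants the real system binary should also check the directory
//    (e.g. %SystemRoot%\System32) before injecting.
HANDLE WINAPI GetProcessByName(DWORD dwDesiredAccess, BOOL bInheritHandle, WCHAR* wcProcessName)
{
    if (wcProcessName == NULL || wcProcessName[0] == L'\0') { return NULL; }

    DWORD ProcIDs[1024] = { 0 };
    DWORD cbReturned = 0;
    if (!EnumProcesses(ProcIDs, sizeof(ProcIDs), &cbReturned)) { return NULL; }
    // EnumProcesses silently truncates when the array is too small; a full
    // buffer means some processes were not seen.
    DWORD count = cbReturned / sizeof(DWORD);

    for (DWORD i = 0; i < count; i++)
    {
        HANDLE hp = OpenProcess(dwDesiredAccess, bInheritHandle, ProcIDs[i]);
        if (hp == NULL) { continue; }

        WCHAR wcFilePath[MAX_PATH] = { 0 };
        DWORD nSize = GetModuleFileNameEx(hp, NULL, wcFilePath, MAX_PATH);
        if (nSize != 0)
        {
            const WCHAR* base = wcsrchr(wcFilePath, L'\\');
            base = (base != NULL) ? base + 1 : wcFilePath;
            if (_wcsicmp(base, wcProcessName) == 0)
            {
                return hp;
            }
        }

        CloseHandle(hp);
    }

    return NULL;
}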
165

 

 

 

 

 

 

 

 

 

转载于:https://www.cnblogs.com/AniX/archive/2010/10/16/1853023.html
