转--让一个运行在SYSTEM权限下的进程与当前用户的桌面进行交互
#define DESKTOP_ALL ( DESKTOP_READOBJECTS | DESKTOP_CreateWINDOW | \
DESKTOP_CreateMENU | DESKTOP_HOOKCONTROL | DESKTOP_JOURNALRECORD | \
DESKTOP_JOURNALPLAYBACK | DESKTOP_ENUMERATE | DESKTOP_WRITEOBJECTS | \
DESKTOP_SWITCHDESKTOP | STANDARD_RIGHTS_REQUIRED) #define WINSTA_ALL ( WINSTA_ENUMDESKTOPS | WINSTA_READATTRIBUTES | \
WINSTA_ACCESSCLIPBOARD | WINSTA_CreateDESKTOP | WINSTA_WRITEATTRIBUTES | \
WINSTA_ACCESSGLOBALATOMS | WINSTA_EXITWINDOWS | WINSTA_ENUMERATE | \
WINSTA_READSCREEN | STANDARD_RIGHTS_REQUIRED) #define GENERIC_ACCESS ( GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE | GENERIC_ALL) BOOL AddAceToWindowStation( HWINSTA hwinsta, PSID psid) ; BOOL AddAceToDesktop( HDESK hdesk, PSID psid) ; BOOL GetLogonSID ( HANDLE hToken, PSID * ppsid) ; VOID FreeLogonSID ( PSID * ppsid) ; BOOL StartInteractiveClientProcess (
LPTSTR lpszUsername, // client to log on
LPTSTR lpszDomain, // domain of client's account
LPTSTR lpszPassword, // client's password
LPTSTR lpCommandLine // command line to execute
); /*
int main()
{
StartInteractiveClientProcess("test",NULL,"wrxzyl","C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE http://www.zxboy.com ");
return 0;
}
*/
BOOL StartInteractiveClientProcess (
LPTSTR lpszUsername, // client to log on
LPTSTR lpszDomain, // domain of client's account
LPTSTR lpszPassword, // client's password
LPTSTR lpCommandLine // command line to execute
)
{
HANDLE hToken;
HDESK hdesk = NULL;
HWINSTA hwinsta = NULL, hwinstaSave = NULL;
PROCESS_INFORMATION pi;
PSID pSid = NULL;
STARTUPINFO si;
BOOL bResult = FALSE; // Log the client on to the local computer. if (!LogonUser(
lpszUsername,
lpszDomain,
lpszPassword,
LOGON32_LOGON_INTERACTIVE,
LOGON32_PROVIDER_DEFAULT,
&hToken) )
{
goto Cleanup;
} // Save a handle to the caller's current window station. if ( (hwinstaSave = GetProcessWindowStation() ) == NULL)
goto Cleanup; // Get a handle to the interactive window station. hwinsta = OpenWindowStation(
"winsta0", // the interactive window station
FALSE, // handle is not inheritable
READ_CONTROL | WRITE_DAC); // rights to read/write the DACL if (hwinsta == NULL)
goto Cleanup; // To get the correct default desktop, set the caller's
// window station to the interactive window station. if (!SetProcessWindowStation(hwinsta))
goto Cleanup; // Get a handle to the interactive desktop. hdesk = OpenDesktop(
"default", // the interactive window station
, // no interaction with other desktop processes
FALSE, // handle is not inheritable
READ_CONTROL | // request the rights to read and write the DACL
WRITE_DAC |
DESKTOP_WRITEOBJECTS |
DESKTOP_READOBJECTS); // Restore the caller's window station. if (!SetProcessWindowStation(hwinstaSave))
goto Cleanup; if (hdesk == NULL)
goto Cleanup; // Get the SID for the client's logon session. if (!GetLogonSID(hToken, &pSid))
goto Cleanup; // Allow logon SID full access to interactive window station. if (! AddAceToWindowStation(hwinsta, pSid) )
goto Cleanup; // Allow logon SID full access to interactive desktop. if (! AddAceToDesktop(hdesk, pSid) )
goto Cleanup; // Impersonate client to ensure access to executable file. if (! ImpersonateLoggedOnUser(hToken) )
goto Cleanup; // Initialize the STARTUPINFO structure.
// Specify that the process runs in the interactive desktop. ZeroMemory(&si, sizeof(STARTUPINFO));
si.cb= sizeof(STARTUPINFO);
si.lpDesktop = TEXT("winsta0\\default"); // Launch the process in the client's logon session. bResult = CreateProcessAsUser(
hToken, // client's access token
NULL, // file to execute
lpCommandLine, // command line
NULL, // pointer to process SECURITY_ATTRIBUTES
NULL, // pointer to thread SECURITY_ATTRIBUTES
FALSE, // handles are not inheritable
NORMAL_PRIORITY_CLASS | Create_NEW_CONSOLE, // creation flags
NULL, // pointer to new environment block
NULL, // name of current directory
&si, // pointer to STARTUPINFO structure
π // receives information about new process
); // End impersonation of client.
//dwError=GetLastError();
RevertToSelf(); if (bResult && pi.hProcess != INVALID_HANDLE_VALUE)
{
WaitForSingleObject(pi.hProcess, INFINITE);
CloseHandle(pi.hProcess);
} if (pi.hThread != INVALID_HANDLE_VALUE)
CloseHandle(pi.hThread); Cleanup: if (hwinstaSave != NULL)
SetProcessWindowStation (hwinstaSave); // Free the buffer for the logon SID. if (pSid)
FreeLogonSID(&pSid); // Close the handles to the interactive window station and desktop. if (hwinsta)
CloseWindowStation(hwinsta); if (hdesk)
CloseDesktop(hdesk); // Close the handle to the client's access token. if (hToken != INVALID_HANDLE_VALUE)
CloseHandle(hToken); return bResult;
} BOOL AddAceToWindowStation(HWINSTA hwinsta,PSID psid)
{
ACCESS_ALLOWED_ACE *pace;
ACL_SIZE_INFORMATION aclSizeInfo;
BOOL bDaclExist;
BOOL bDaclPresent;
BOOL bSuccess = FALSE;
DWORD dwNewAclSize;
DWORD dwSidSize = ;
DWORD dwSdSizeNeeded;
PACL pacl;
PACL pNewAcl;
PSECURITY_DESCRIPTOR psd = NULL;
PSECURITY_DESCRIPTOR psdNew = NULL;
PVOID pTempAce;
SECURITY_INFORMATION si = DACL_SECURITY_INFORMATION;
unsigned int i; __try
{
// Obtain the DACL for the window station. if (!GetUserObjectSecurity(
hwinsta,
&si,
psd,
dwSidSize,
&dwSdSizeNeeded)
)
if (GetLastError() == ERROR_INSUFFICIENT_BUFFER)
{
psd = (PSECURITY_DESCRIPTOR)HeapAlloc(
GetProcessHeap(),
HEAP_ZERO_MEMORY,
dwSdSizeNeeded); if (psd == NULL)
__leave; psdNew = (PSECURITY_DESCRIPTOR)HeapAlloc(
GetProcessHeap(),
HEAP_ZERO_MEMORY,
dwSdSizeNeeded); if (psdNew == NULL)
__leave; dwSidSize = dwSdSizeNeeded; if (!GetUserObjectSecurity(
hwinsta,
&si,
psd,
dwSidSize,
&dwSdSizeNeeded)
)
__leave;
}
else
__leave; // Create a new DACL. if (!InitializeSecurityDescriptor(
psdNew,
SECURITY_DESCRIPTOR_REVISION)
)
__leave; // Get the DACL from the security descriptor. if (!GetSecurityDescriptorDacl(
psd,
&bDaclPresent,
&pacl,
&bDaclExist)
)
__leave; // Initialize the ACL. ZeroMemory(&aclSizeInfo, sizeof(ACL_SIZE_INFORMATION));
aclSizeInfo.AclBytesInUse = sizeof(ACL); // Call only if the DACL is not NULL. if (pacl != NULL)
{
// get the file ACL size info
if (!GetAclInformation(
pacl,
(LPVOID)&aclSizeInfo,
sizeof(ACL_SIZE_INFORMATION),
AclSizeInformation)
)
__leave;
} // Compute the size of the new ACL. dwNewAclSize = aclSizeInfo.AclBytesInUse +
(*sizeof(ACCESS_ALLOWED_ACE)) + (*GetLengthSid(psid)) -
(*sizeof(DWORD)); // Allocate memory for the new ACL. pNewAcl = (PACL)HeapAlloc(
GetProcessHeap(),
HEAP_ZERO_MEMORY,
dwNewAclSize); if (pNewAcl == NULL)
__leave; // Initialize the new DACL. if (!InitializeAcl(pNewAcl, dwNewAclSize, ACL_REVISION))
__leave; // If DACL is present, copy it to a new DACL. if (bDaclPresent)
{
// Copy the ACEs to the new ACL.
if (aclSizeInfo.AceCount)
{
for (i=; i < aclSizeInfo.AceCount; i++)
{
// Get an ACE.
if (!GetAce(pacl, i, &pTempAce))
__leave; // Add the ACE to the new ACL.
if (!AddAce(
pNewAcl,
ACL_REVISION,
MAXDWORD,
pTempAce,
((PACE_HEADER)pTempAce)->AceSize)
)
__leave;
}
}
} // Add the first ACE to the window station. pace = (ACCESS_ALLOWED_ACE *)HeapAlloc(
GetProcessHeap(),
HEAP_ZERO_MEMORY,
sizeof(ACCESS_ALLOWED_ACE) + GetLengthSid(psid) -
sizeof(DWORD)); if (pace == NULL)
__leave; pace->Header.AceType = ACCESS_ALLOWED_ACE_TYPE;
pace->Header.AceFlags = CONTAINER_INHERIT_ACE |
INHERIT_ONLY_ACE | OBJECT_INHERIT_ACE;
pace->Header.AceSize = sizeof(ACCESS_ALLOWED_ACE) +
GetLengthSid(psid) - sizeof(DWORD);
pace->Mask = GENERIC_ACCESS; if (!CopySid(GetLengthSid(psid), &pace->SidStart, psid))
__leave; if (!AddAce(
pNewAcl,
ACL_REVISION,
MAXDWORD,
(LPVOID)pace,
pace->Header.AceSize)
)
__leave; // Add the second ACE to the window station. pace->Header.AceFlags = NO_PROPAGATE_INHERIT_ACE;
pace->Mask = WINSTA_ALL; if (!AddAce(
pNewAcl,
ACL_REVISION,
MAXDWORD,
(LPVOID)pace,
pace->Header.AceSize)
)
__leave; // Set a new DACL for the security descriptor. if (!SetSecurityDescriptorDacl(
psdNew,
TRUE,
pNewAcl,
FALSE)
)
__leave; // Set the new security descriptor for the window station. if (!SetUserObjectSecurity(hwinsta, &si, psdNew))
__leave; // Indicate success. bSuccess = TRUE;
}
__finally
{
// Free the allocated buffers. if (pace != NULL)
HeapFree(GetProcessHeap(), , (LPVOID)pace); if (pNewAcl != NULL)
HeapFree(GetProcessHeap(), , (LPVOID)pNewAcl); if (psd != NULL)
HeapFree(GetProcessHeap(), , (LPVOID)psd); if (psdNew != NULL)
HeapFree(GetProcessHeap(), , (LPVOID)psdNew);
} return bSuccess; } BOOL AddAceToDesktop(HDESK hdesk, PSID psid)
{
ACL_SIZE_INFORMATION aclSizeInfo;
BOOL bDaclExist;
BOOL bDaclPresent;
BOOL bSuccess = FALSE;
DWORD dwNewAclSize;
DWORD dwSidSize = ;
DWORD dwSdSizeNeeded;
PACL pacl;
PACL pNewAcl;
PSECURITY_DESCRIPTOR psd = NULL;
PSECURITY_DESCRIPTOR psdNew = NULL;
PVOID pTempAce;
SECURITY_INFORMATION si = DACL_SECURITY_INFORMATION;
unsigned int i; __try
{
// Obtain the security descriptor for the desktop object. if (!GetUserObjectSecurity(
hdesk,
&si,
psd,
dwSidSize,
&dwSdSizeNeeded))
{
if (GetLastError() == ERROR_INSUFFICIENT_BUFFER)
{
psd = (PSECURITY_DESCRIPTOR)HeapAlloc(
GetProcessHeap(),
HEAP_ZERO_MEMORY,
dwSdSizeNeeded ); if (psd == NULL)
__leave; psdNew = (PSECURITY_DESCRIPTOR)HeapAlloc(
GetProcessHeap(),
HEAP_ZERO_MEMORY,
dwSdSizeNeeded); if (psdNew == NULL)
__leave; dwSidSize = dwSdSizeNeeded; if (!GetUserObjectSecurity(
hdesk,
&si,
psd,
dwSidSize,
&dwSdSizeNeeded)
)
__leave;
}
else
__leave;
} // Create a new security descriptor. if (!InitializeSecurityDescriptor(
psdNew,
SECURITY_DESCRIPTOR_REVISION)
)
__leave; // Obtain the DACL from the security descriptor. if (!GetSecurityDescriptorDacl(
psd,
&bDaclPresent,
&pacl,
&bDaclExist)
)
__leave; // Initialize. ZeroMemory(&aclSizeInfo, sizeof(ACL_SIZE_INFORMATION));
aclSizeInfo.AclBytesInUse = sizeof(ACL); // Call only if NULL DACL. if (pacl != NULL)
{
// Determine the size of the ACL information. if (!GetAclInformation(
pacl,
(LPVOID)&aclSizeInfo,
sizeof(ACL_SIZE_INFORMATION),
AclSizeInformation)
)
__leave;
} // Compute the size of the new ACL. dwNewAclSize = aclSizeInfo.AclBytesInUse +
sizeof(ACCESS_ALLOWED_ACE) +
GetLengthSid(psid) - sizeof(DWORD); // Allocate buffer for the new ACL. pNewAcl = (PACL)HeapAlloc(
GetProcessHeap(),
HEAP_ZERO_MEMORY,
dwNewAclSize); if (pNewAcl == NULL)
__leave; // Initialize the new ACL. if (!InitializeAcl(pNewAcl, dwNewAclSize, ACL_REVISION))
__leave; // If DACL is present, copy it to a new DACL. if (bDaclPresent)
{
// Copy the ACEs to the new ACL.
if (aclSizeInfo.AceCount)
{
for (i=; i < aclSizeInfo.AceCount; i++)
{
// Get an ACE.
if (!GetAce(pacl, i, &pTempAce))
__leave; // Add the ACE to the new ACL.
if (!AddAce(
pNewAcl,
ACL_REVISION,
MAXDWORD,
pTempAce,
((PACE_HEADER)pTempAce)->AceSize)
)
__leave;
}
}
} // Add ACE to the DACL. if (!AddAccessAllowedAce(
pNewAcl,
ACL_REVISION,
DESKTOP_ALL,
psid)
)
__leave; // Set new DACL to the new security descriptor. if (!SetSecurityDescriptorDacl(
psdNew,
TRUE,
pNewAcl,
FALSE)
)
__leave; // Set the new security descriptor for the desktop object. if (!SetUserObjectSecurity(hdesk, &si, psdNew))
__leave; // Indicate success. bSuccess = TRUE;
}
__finally
{
// Free buffers. if (pNewAcl != NULL)
HeapFree(GetProcessHeap(), , (LPVOID)pNewAcl); if (psd != NULL)
HeapFree(GetProcessHeap(), , (LPVOID)psd); if (psdNew != NULL)
HeapFree(GetProcessHeap(), , (LPVOID)psdNew);
} return bSuccess;
} BOOL GetLogonSID (HANDLE hToken, PSID *ppsid)
{
BOOL bSuccess = FALSE;
DWORD dwIndex;
DWORD dwLength = ;
PTOKEN_GROUPS ptg = NULL; // Verify the parameter passed in is not NULL.
if (NULL == ppsid)
goto Cleanup; // Get required buffer size and allocate the TOKEN_GROUPS buffer. if (!GetTokenInformation(
hToken, // handle to the access token
TokenGroups, // get information about the token's groups
(LPVOID) ptg, // pointer to TOKEN_GROUPS buffer
, // size of buffer
&dwLength // receives required buffer size
))
{
if (GetLastError() != ERROR_INSUFFICIENT_BUFFER)
goto Cleanup; ptg = (PTOKEN_GROUPS)HeapAlloc(GetProcessHeap(),
HEAP_ZERO_MEMORY, dwLength); if (ptg == NULL)
goto Cleanup;
} // Get the token group information from the access token. if (!GetTokenInformation(
hToken, // handle to the access token
TokenGroups, // get information about the token's groups
(LPVOID) ptg, // pointer to TOKEN_GROUPS buffer
dwLength, // size of buffer
&dwLength // receives required buffer size
))
{
goto Cleanup;
} // Loop through the groups to find the logon SID. for (dwIndex = ; dwIndex < ptg->GroupCount; dwIndex++)
if ((ptg->Groups[dwIndex].Attributes & SE_GROUP_LOGON_ID)
== SE_GROUP_LOGON_ID)
{
// Found the logon SID; make a copy of it. dwLength = GetLengthSid(ptg->Groups[dwIndex].Sid);
*ppsid = (PSID) HeapAlloc(GetProcessHeap(),
HEAP_ZERO_MEMORY, dwLength);
if (*ppsid == NULL)
goto Cleanup;
if (!CopySid(dwLength, *ppsid, ptg->Groups[dwIndex].Sid))
{
HeapFree(GetProcessHeap(), , (LPVOID)*ppsid);
goto Cleanup;
}
break;
} bSuccess = TRUE; Cleanup: // Free the buffer for the token groups. if (ptg != NULL)
HeapFree(GetProcessHeap(), , (LPVOID)ptg); return bSuccess;
} VOID FreeLogonSID (PSID *ppsid)
{
HeapFree(GetProcessHeap(), , (LPVOID)*ppsid);
}
原文地址http://handcreate.blog.163.com/blog/static/1751241820131273224705/
转--让一个运行在SYSTEM权限下的进程与当前用户的桌面进行交互的更多相关文章
- Windows服务System权限下在当前用户桌面创建快捷方式C#实例程序
Windows服务一般运行在System权限下,这样权限比较高,方便执行一些高权限的操作. 但是,Environment.GetFolderPath等函数获取的也是System用户下的,而不是当前用户 ...
- 让.net程序自动运行在管理员权限下
原文:让.net程序自动运行在管理员权限下 如何让.net程序自动运行在管理员权限下 VS2010 c# 编译的WINFORM程序 在Win7 以管理员身份运行 windows 7和vista提高的系 ...
- 在SYSTEM权限下以当前用户权限运行程序
http://download.csdn.net/download/lai444132348/9730266 using System; using System.Runtime.InteropSer ...
- 奇特的Local System权限(转载)
转载自:http://mp.weixin.qq.com/s?__biz=MzA3NTM1MzE4Nw==&mid=202597764&idx=1&sn=0cef1a40fb3c ...
- 在linux下,查看一个运行中的程序, 占用了多少内存
1. 在linux下,查看一个运行中的程序, 占用了多少内存, 一般的命令有 (1). ps aux: 其中 VSZ(或VSS)列 表示,程序占用了多少虚拟内存. RSS列 表示, 程序占用了多少物 ...
- 在linux下,怎么去查看一个运行中的程序, 到底是占用了多少内存
1. 在linux下,查看一个运行中的程序, 占用了多少内存, 一般的命令有 (1). ps aux: 其中 VSZ(或VSS)列 表示,程序占用了多少虚拟内存. RSS列 表示, 程序占用了多少物 ...
- linux下,一个运行中的程序,究竟占用了多少内存
linux下,一个运行中的程序,究竟占用了多少内存 1. 在linux下,查看一个运行中的程序, 占用了多少内存, 一般的命令有 (1). ps aux: 其中 VSZ(或VSS)列 表示,程序占用 ...
- win环境下使用sqlmap写shell + MYSQL提权(默认就是system权限)
今天在来一个mysql提权 (也可以说是默认system权限提的) 在被黑站点找到一个站 先教拿shell是有注入漏洞的 有可能是root权限的注入点 可以确定是有注入漏洞的 也得到了 物理路径 ...
- 解决安装包在win7,win8系统下安装后运行没有管理员权限
今天打包一个程序在客户机上安装运行:一直报没有管理员权限:客户机是win8系统:直接右键管理员身份运行则都可以:为了避免不让用户每次都这么麻烦:只有问哈群友和百度,终于找到解决方法: 第一步:项目属性 ...
随机推荐
- SWUST OJ (943)
顺序表插入操作的实现 #include<stdio.h> #include <stdlib.h> void InitList(int *&l, int n) { l = ...
- 『TensorFlow』迁移学习
完全版见github:TransforLearning 零.迁移学习 将一个领域的已经成熟的知识应用到其他的场景中称为迁移学习.用神经网络的角度来表述,就是一层层网络中每个节点的权重从一个训练好的网络 ...
- 水题系列二:PhoneNumbers
问题描述: Phonenumbers 企业喜欢用容易被记住的电话号码.让电话号码容易被记住的一个办法是将它写成一 个容易记 住的 单词或 者短语 .例如 ,你 需要给 滑铁卢 大学打 电话时 ,可 以 ...
- Python类的构成元素
类的构成元素 公共属性:实例化时无需__init__方法绑定到对象,就可以直接使用:普通属性:实例化时 需要__ini__方法绑定到对象之后,才可以直接使用:私有属性:__sex 双下滑杠开头,需要在 ...
- 使用Java实现面向对象编程
使用Java实现面向对象编程 源码展示: package cdjj.s2t075.com; import java.util.Scanner; public class Door { /* * Doo ...
- jformdesigner 开发
jformdesigner 开发 1● 破解jformadesigner 脑补 2● 建立jfd文件 3● 移动关联 <file leaf-file-name=" ...
- List<Map<String, Object>>取值
List<Map<String, Object>> postlist //一个list里面装着多个map,如下 [ {A=0100, B=4}, {A=0200, B=3}, ...
- 逆袭之旅DAY16.东软实训.Oracle.匿名块
2018-07-1216:41:19 六.匿名块 .定义匿名块: declare 定义部分: ---可选部分 begin 执行部分: ---必选部分 exception 异常处理部分: ---可选部分 ...
- Win10系列:UWP界面布局基础12
画刷 画刷(Brush)用于为图形元素填充颜色.在XAML中,画刷有许多属性,其中较常使用的是Fill属性和Stroke属性,Fill用于填充图形的背景色,而Stroke用于设置图形的线条颜色. 在实 ...
- 你应该这样理解JVM内存管理
在进行Java程序设计时,一般不涉及内存的分配和内存回收的相关代码,此处引用一句话: Java和C++之间存在一堵由内存动态分配和垃圾收集技术所围成的高墙,墙外的人想进去,墙里面的人想出来 ,个人从这 ...