以系统权限执行Regedit
本帖最后由 diddom 于 2012-5-31 07:33 编辑虽然这是老掉牙的东西,但是我想对一些新手可能有点帮助
一般我们执行程式的权限大都在管理员
但是当我们需要执行Regedit,想看 SAM
你却发现看不到, 这时我们可以靠正统的方法去实现
执行後就可以看SAM了
叫出工作管理员,你会发现regedit的权限是"SYSTEM"
希望此文能带领你进入权限的入门
// SystemPrivilege.cpp : Defines the entry point for the console application.
//
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <psapi.h>
#include <Accctrl.h>
#include <Aclapi.h>
#pragma comment(lib, "PSAPI.LIB")
char strUserName;
//
BOOL CreateSystemProcess( LPTSTR szProcessName);
BOOL EnablePrivilege()
{
HANDLE hToken;
TOKEN_PRIVILEGES tkp;
if (OpenProcessToken( GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken))
{
LookupPrivilegeValue( NULL, SE_DEBUG_NAME, &tkp.Privileges.Luid );
tkp.PrivilegeCount=1;
tkp.Privileges.Attributes=SE_PRIVILEGE_ENABLED;
AdjustTokenPrivileges( hToken, FALSE, &tkp, sizeof(tkp), NULL, NULL );
return( (GetLastError()==ERROR_SUCCESS) );
}
return TRUE;
}
DWORD GetPidFromProcName(LPCSTR ProcName)
{
DWORD processid;
DWORD needed;
DWORD processcount;
char path = "";
HANDLE hProcess;
HMODULE hModule;
// getting need buffer size
EnumProcesses(processid, sizeof(processid), &needed);
processcount = needed / sizeof(DWORD);
for (DWORD i=0; i<processcount; i++)
{
//hProcess = NULL;
hProcess = OpenProcess( PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, false, processid);
DWORD pp = processid;
if (hProcess)
{
EnumProcessModules(hProcess, &hModule, sizeof(hModule), &needed);
GetModuleFileNameEx(hProcess, hModule, path, sizeof(path));
//GetShortPathName(path,path,256);
char *strLwr=strlwr(path);
char *pos = strstr(path, ProcName);
if (pos > 0) {
CloseHandle(hProcess);
return processid;
}
//itoa(processid,temp,10);
//printf("%s Pid:%s\n",path,temp);
}
else
printf("GetPidFromProcName() OpenProcess() Failed!!!\n");
if (hProcess)
CloseHandle(hProcess);
}
return NULL;
}
int main(int argc, char* argv[])
{
BOOL bError;
HANDLE hProc;
DWORD dwPid;
HANDLE hToken;
DWORD dwSize;
dwSize = 260;
ZeroMemory(&strUserName, 260);
if (!GetUserName(strUserName, &dwSize))
{
printf( "GetUserName() = %d\n", GetLastError() );
}
//strcpy(strUserName, "ilovevb"); //<<<<<<<< your username
EnablePrivilege();
CreateSystemProcess("regedit.exe");
return 0;
}
BOOL CreateSystemProcess( LPTSTR szProcessName)
{
char ProcName[] = "lsass.exe";
HANDLE hProcess;
HANDLE hToken, hNewToken;
DWORD dwPid;
PACL pOldDAcl = NULL;
PACL pNewDAcl = NULL;
BOOL bDAcl;
BOOL bDefDAcl;
DWORD dwRet;
PACL pSacl = NULL;
PSID pSidOwner = NULL;
PSID pSidPrimary = NULL;
DWORD dwAclSize = 0;
DWORD dwSaclSize = 0;
DWORD dwSidOwnLen = 0;
DWORD dwSidPrimLen = 0;
DWORD dwSDLen;
EXPLICIT_ACCESS ea;
PSECURITY_DESCRIPTOR pOrigSd = NULL;
PSECURITY_DESCRIPTOR pNewSd = NULL;
STARTUPINFO si;
PROCESS_INFORMATION pi;
BOOL bError;
// Get the current process - IEExplore.exe
//hProcess = GetCurrentProcess();
dwPid = GetPidFromProcName(ProcName);
//dwPid = 1200;//<<<<<<<<<<<<<<<<<< PID
hProcess = OpenProcess( PROCESS_QUERY_INFORMATION, false, dwPid);
//OpenProcessToken(hProc, READ_CONTROL | WRITE_DAC, &hToken);
// Open IE process token and specify the access types to IE token
if (!OpenProcessToken(hProcess, READ_CONTROL | WRITE_DAC, &hToken))
{
printf( "OpenProcessToken() = %d\n", GetLastError() );
bError = TRUE;
goto Cleanup;
}
// Create a new access control information that includes all access permissions.
ZeroMemory( &ea, sizeof( EXPLICIT_ACCESS ) );
BuildExplicitAccessWithName( &ea,
strUserName, // Note: if you specified other trustee name,
// it would fail at subsequent code
TOKEN_ALL_ACCESS,
GRANT_ACCESS,
0 );
if ( !GetKernelObjectSecurity( hToken,
DACL_SECURITY_INFORMATION,
pOrigSd,
0,
&dwSDLen ) )
{
// We first get the length of original
// security descriptor to IE token
if ( GetLastError() == ERROR_INSUFFICIENT_BUFFER )
{
pOrigSd = ( PSECURITY_DESCRIPTOR )
HeapAlloc( GetProcessHeap(),
HEAP_ZERO_MEMORY,
dwSDLen );
if ( pOrigSd == NULL )
{
printf( "Allocate pSd memory to failed!\n" );
bError = TRUE;
goto Cleanup;
}
// Again, we now get the original
// security descriptor to IE token
if ( !GetKernelObjectSecurity( hToken,
DACL_SECURITY_INFORMATION,
pOrigSd,
dwSDLen,
&dwSDLen ) )
{
printf( "GetKernelObjectSecurity() = %d\n",
GetLastError() );
bError = TRUE;
goto Cleanup;
}
}
else
{
printf( "GetKernelObjectSecurity() = %d\n", GetLastError() );
bError = TRUE;
goto Cleanup;
}
}
// Getting ACL of original security descriptor
if ( !GetSecurityDescriptorDacl( pOrigSd, &bDAcl, &pOldDAcl, &bDefDAcl ) )
{
printf( "GetSecurityDescriptorDacl() = %d\n", GetLastError() );
bError = TRUE;
goto Cleanup;
}
// Using the created access control information - EXPLICIT_ACCESS,
// and the original ACL to generate a new ACL
dwRet = SetEntriesInAcl( 1, &ea, pOldDAcl, &pNewDAcl );
if ( dwRet != ERROR_SUCCESS )
{
printf( "SetEntriesInAcl() = %d\n", GetLastError() );
pNewDAcl = NULL;
bError = TRUE;
goto Cleanup;
}
// Create a new security descriptor that refers
// to original security descriptor.
if ( !MakeAbsoluteSD( pOrigSd,
pNewSd,
&dwSDLen,
pOldDAcl,
&dwAclSize,
pSacl,
&dwSaclSize,
pSidOwner,
&dwSidOwnLen,
pSidPrimary,
&dwSidPrimLen ) )
{
if ( GetLastError() == ERROR_INSUFFICIENT_BUFFER )
{
pOldDAcl = ( PACL ) HeapAlloc( GetProcessHeap(),
HEAP_ZERO_MEMORY,
dwAclSize );
pSacl = ( PACL ) HeapAlloc( GetProcessHeap(),
HEAP_ZERO_MEMORY,
dwSaclSize );
pSidOwner = ( PSID ) HeapAlloc( GetProcessHeap(),
HEAP_ZERO_MEMORY,
dwSidOwnLen );
pSidPrimary = ( PSID ) HeapAlloc( GetProcessHeap(),
HEAP_ZERO_MEMORY,
dwSidPrimLen );
pNewSd = ( PSECURITY_DESCRIPTOR )
HeapAlloc( GetProcessHeap(),
HEAP_ZERO_MEMORY,
dwSDLen );
if ( pOldDAcl == NULL ||
pSacl == NULL ||
pSidOwner == NULL ||
pSidPrimary == NULL ||
pNewSd == NULL )
{
printf( "Allocate SID or ACL to failed!\n" );
bError = TRUE;
goto Cleanup;
}
if ( !MakeAbsoluteSD( pOrigSd,
pNewSd,
&dwSDLen,
pOldDAcl,
&dwAclSize,
pSacl,
&dwSaclSize,
pSidOwner,
&dwSidOwnLen,
pSidPrimary,
&dwSidPrimLen ) )
{
printf( "MakeAbsoluteSD() = %d\n", GetLastError() );
bError = TRUE;
goto Cleanup;
}
}
else
{
printf( "MakeAbsoluteSD() = %d\n", GetLastError() );
bError = TRUE;
goto Cleanup;
}
}
// Well, we have owned a new security descriptor & a new ACL,
// all we have to do is fetch the new ACL into the new security descriptor!
if ( !SetSecurityDescriptorDacl( pNewSd, bDAcl, pNewDAcl, bDefDAcl ) )
{
printf( "SetSecurityDescriptorDacl() = %d\n", GetLastError() );
bError = TRUE;
goto Cleanup;
}
//
// Injects the new security descriptor into IE token
//
if ( !SetKernelObjectSecurity( hToken, DACL_SECURITY_INFORMATION, pNewSd ) )
{
printf( "SetKernelObjectSecurity() = %d\n", GetLastError() );
bError = TRUE;
goto Cleanup;
}
//
// When we open IE process again, the hToken has all access permissions.
//
if ( !OpenProcessToken( hProcess, TOKEN_ALL_ACCESS, &hToken ) )
{
printf( "OpenProcessToken() = %d\n", GetLastError() );
bError = TRUE;
goto Cleanup;
}
//
// Then, make a duplicate from IE token
//
if ( !DuplicateTokenEx( hToken,
TOKEN_ALL_ACCESS,
NULL,
SecurityImpersonation,
TokenPrimary,
&hNewToken ) )
{
printf( "DuplicateTokenEx() = %d\n", GetLastError() );
bError = TRUE;
goto Cleanup;
}
ZeroMemory( &si, sizeof( STARTUPINFO ) );
si.cb = sizeof( STARTUPINFO );
// Now, we impersonate the security context of a
// logged-on user using the token.
// Note: if you didn't, the below CreateProcessAsUser
// will report 1314 no permission error.
ImpersonateLoggedOnUser( hNewToken );
// Finally, we use the token to create new process.
if ( !CreateProcessAsUser( hNewToken,
NULL,
szProcessName,
NULL,
NULL,
FALSE,
NULL, //NORMAL_PRIORITY_CLASS | CREATE_NEW_CONSOLE,
NULL,
NULL,
&si,
&pi ) )
{
printf( "CreateProcessAsUser() = %d\n", GetLastError() );
bError = TRUE;
goto Cleanup;
}
bError = FALSE;
Cleanup:
if ( pOrigSd )
{
HeapFree( GetProcessHeap(), 0, pOrigSd );
}
if ( pNewSd )
{
HeapFree( GetProcessHeap(), 0, pNewSd );
}
if ( pSidPrimary )
{
HeapFree( GetProcessHeap(), 0, pSidPrimary );
}
if ( pSidOwner )
{
HeapFree( GetProcessHeap(), 0, pSidOwner );
}
if ( pSacl )
{
HeapFree( GetProcessHeap(), 0, pSacl );
}
//if ( pOldDAcl )
//{
//HeapFree( GetProcessHeap(), 0, pOldDAcl );
//}
if (!bError)
{
CloseHandle( pi.hProcess );
CloseHandle( pi.hThread );
CloseHandle( hToken );
CloseHandle( hNewToken );
CloseHandle( hProcess );
}
if ( bError )
{
return FALSE;
}
return TRUE;
}
BOOL EnumProcesseEx1()
{
DWORD processid;
DWORD needed;
DWORD processcount;
char path = "";
char temp;
HANDLE hProcess;
HMODULE hModule;
// getting need buffer size
EnumProcesses(processid, sizeof(processid), &needed);
processcount = needed / sizeof(DWORD);
for (DWORD i=0; i<processcount; i++)
{
//hProcess = NULL;
hProcess = OpenProcess( PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, false, processid);
if (hProcess)
{
EnumProcessModules(hProcess, &hModule, sizeof(hModule), &needed);
GetModuleFileNameEx(hProcess, hModule, path, sizeof(path));
GetShortPathName(path,path,256);
itoa(processid,temp,10);
printf("%s Pid:%s\n",path,temp);
}
else
printf("Failed!!!\n");
if (hProcess)
CloseHandle(hProcess);
}
return TRUE;
}
发表于 2 小时前
怎么你半夜刷SRC,难道是超人不用睡觉???{:soso_e115:} 本帖最后由 diddom 于 2012-5-17 15:46 编辑
我是夜貓子~
本帖最后由 diddom 于 2012-5-17 15:48 编辑
这主题的source於5/17/2012更新
代码收下了,正好研究下 LZ的好东西真多。 还有一招不用编程的办法也能读写SAM键,那就是直接在这个键上右键---->权限---->把当前用户名的所有权勾上,再重新打开regedit即可......
也可以伪编程,生成一个INI权限描述文件,再用regini.exe去执行,嘿嘿...... 对Win7不起作用...... 多谢
页:
[1]