資源簡介
Windows中具有system權(quán)限的進程通過CreatePorcessAsUser調(diào)用其他權(quán)限的進程
代碼片段和文件信息
#include?
#include?
#include?
#include?
#include?
#define?BUILD_SERVICE?1
int?CreateProcessByToken(LPSTR?lpTokenProcessNameLPSTR?lpProcessLPSTR?lpCommend)
{
HANDLE?hToken?=?0;
LPSTR?lpName?=?lpTokenProcessName;
HANDLE?hProcessSnap?=?0;
PROCESSENTRY32?pe32?=?{0};
hProcessSnap?=?CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS0);
pe32.dwSize?=?sizeof(PROCESSENTRY32);
for(Process32First(hProcessSnap&pe32);Process32Next(hProcessSnap&pe32);)
{
if(strcmp(strupr(pe32.szExeFile)strupr(lpName)))?continue;
HANDLE?hProcess?=?OpenProcess(PROCESS_QUERY_INFORMATIONFALSEpe32.th32ProcessID);
OpenProcessToken(hProcessTOKEN_ALL_ACCESS&hToken);
CloseHandle(hProcessSnap);
}
if(hToken?==?0)?return?0;
STARTUPINFO?si;
PROCESS_INFORMATION?pi;
ZeroMemory(&sisizeof(STARTUPINFO));
si.cb?=?sizeof(STARTUPINFO);
si.lpDesktop?=?“winsta0\\default“;
si.dwFlags?=?STARTF_USESHOWWINDOW;
si.wShowWindow?=?SW_HIDE;
return?CreateProcessAsUser(hTokenlpProcesslpCommend00FALSENORMAL_PRIORITY_CLASS00&si&pi);
}
int?mymain(int?argc?char**?argv)
{
FILE*?outfile?=?0;
char?path[512]?=?{0};
char?filepath[512]?=?{0};
if(!GetModuleFileName(NULL?path?sizeof(path)?-?1))?return?1;
sprintf(filepath“%s.txt“path);
char?tokenname[64]=“explorer.exe“;
CreateProcessByToken(tokenname0“myservice_userchild.exe“);
while(1)
{
outfile?=?fopen(filepath“a“);
if(!outfile)?return?2;
fprintf(outfile“%d:?myservice?is?running\n“time(0));
fclose(outfile);
outfile?=?0;
Sleep(5000);
}
return?0;
}
VOID?WINAPI?ServiceHandler(DWORD?dwControl)
{
switch?(dwControl)
{
case?SERVICE_CONTROL_STOP:
WinExec(“taskkill?/F?/IM?myservice_userchild.exe?/T“?SW_HIDE);
exit(0);
break;
}
}
VOID?WINAPI?ServiceMain(int?argc?char**?argv)
{
SERVICE_STATUS_HANDLE?hService?=?NULL;
SERVICE_STATUS?SrvStatus?=?{0};
OutputDebugString(“service?main.....“);
hService=?RegisterServiceCtrlHandler(“myservice“ServiceHandler);
SrvStatus.dwServiceType??=?SERVICE_WIN32_OWN_PROCESS;
SrvStatus.dwCurrentState=?SERVICE_RUNNING;
SrvStatus.dwControlsAccepted?=?SERVICE_ACCEPT_STOP;?
SetServiceStatus(hService&SrvStatus);
mymain(argcargv);
return;
}
int?_tmain(int?argc?_TCHAR*?argv[])
{
#if?BUILD_SERVICE
SERVICE_TABLE_ENTRYA?scArrTable[]?=?
{
{“myservice“(LPSERVICE_MAIN_FUNCTION)ServiceMain}
{NULLNULL}
};
StartServiceCtrlDispatcher(scArrTable);
#else
mymain(argcargv);
#endif
return?0;
}?屬性????????????大小?????日期????時間???名稱
-----------?---------??----------?-----??----
?????文件??????31232??2016-12-08?13:34??system2user\Debug\myservice.exe
?????文件????????714??2016-12-09?08:10??system2user\Debug\myservice.exe.txt
?????文件??????29184??2016-12-08?13:34??system2user\Debug\myservice_userchild.exe
?????文件???????2567??2016-12-08?13:37??system2user\myservice\myservice.cpp
?????文件???????3926??2016-12-07?15:51??system2user\myservice\myservice.vcxproj
?????文件????????947??2016-12-07?15:51??system2user\myservice\myservice.vcxproj.filters
?????文件????????503??2016-12-07?16:27??system2user\myservice_userchild\myservice_userchild.cpp
?????文件???????3988??2016-12-07?16:55??system2user\myservice_userchild\myservice_userchild.vcxproj
?????文件????????957??2016-12-07?16:55??system2user\myservice_userchild\myservice_userchild.vcxproj.filters
?????文件???????1390??2016-12-07?16:57??system2user\system2user.sln
?????目錄??????????0??2016-12-10?21:07??system2user\Debug
?????目錄??????????0??2016-12-10?21:07??system2user\myservice
?????目錄??????????0??2016-12-10?21:07??system2user\myservice_userchild
?????目錄??????????0??2016-12-10?21:07??system2user
-----------?---------??----------?-----??----
????????????????75408????????????????????14
評論
共有 條評論
川公網(wǎng)安備 51152502000135號