作为C++方面的第一片文章,就先说说获取权限方面的东西吧!首先是获取DeBug权限(它是做其他进一步工作的基础),想必大家对这个方法应该很熟悉吧,网上有关这个的文章已经很多了,所以我就直接贴代码了!
代码
1 BOOL WINAPI EnterDebug() 2 { 3 4 HANDLE retokenhandle; 5 BOOL res = FALSE; 6 BOOL fOK = FALSE; 7 LUID tmpluid; 8 TOKEN_PRIVILEGES tkp; 9 10 __try11 {12 13 OpenProcessToken(GetCurrentProcess(),TOKEN_ALL_ACCESS,&retokenhandle);14 15 if (retokenhandle == 0){__leave;}16 17 res = LookupPrivilegeValue(NULL,SE_DEBUG_NAME,&tmpluid);18 19 if (res == 0){__leave;}20 21 tkp.PrivilegeCount = 1;22 tkp.Privileges->Luid = tmpluid;23 tkp.Privileges->Attributes = SE_PRIVILEGE_ENABLED;24 25 res = AdjustTokenPrivileges(retokenhandle,FALSE,&tkp,0,0,0);26 27 if (res == FALSE){__leave;}28 29 fOK = TRUE;30 31 }32 __finally33 {34 if (retokenhandle != 0 ){CloseHandle(retokenhandle);}35 36 }37 38 return fOK;39 40 }41 42
好了,以上就是全过程,并且在 WindowsXP SP2 VC2008 下编译通过。如果无法运行,可以关掉杀毒软件再试试。
接下来要着重讲的是如何获取System权限,System权限也就是系统当中的最高权限,拥有所有特权。软件拥有了他可以干很多事!
现在比较流行的获取方式有两种,第一种是通过HOOK挂钩相应的API函数,从而在创建进程前修改其继承的进程,改为从有System权限的进程继承(如winlogon.exe)。第二种是通过远线程将创建进程的代码注入到winlogon.exe中,从而创建进程的是winlogon.exe,那么被创建的进程自然也有System权限了。
但两种方法都有缺点,第一种:要挂钩的函数在不同版本的操作系统中不同,所以通用性不强。第二种:因为用了远线程,所以容易被杀毒软件消灭。
在这里我先讲第二种方法,第一种我以后再讲。
在做以下工作之前一定要先获得DeBug权限。
代码
1 static struct MyData //定义远线程所需的参数结果 2 { 3 LPVOID addrCreateProcess; 4 LPVOID addrExitThread; 5 WCHAR wsCmdLine[MAX_PATH]; 6 WCHAR stDesktop[16]; 7 STARTUPINFO si; 8 LPPROCESS_INFORMATION ppinfo; 9 10 }; 11 12 static void WINAPI RemoteFunction(MyData *pData); 13 static void WINAPI endFunction(); 14 15 BOOL WINAPI InjectCode(LPWSTR CmdLines,UINT WinShow,HANDLE hProcess); 16 17 HANDLE WINAPI GetProcessByName(DWORD dwDesiredAccess,BOOL bInheritHandle,WCHAR* wcProcessName); 18 19 ////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// 20 21 static void WINAPI RemoteFunction(MyData *pData)//将要注入进程的代码。(必需要有static修饰) 22 23 24 25 typedef LONG (WINAPI *CREATEPROCESS)(LPCTSTR lpApplicationName, LPTSTR lpCommandLine,LPSECURITY_ATTRIBUTES lpProcessAttributes,LPSECURITY_ATTRIBUTES lpThreadAttributes,BOOL bInheritHandles,DWORD dwCreationFlags,LPVOID lpEnvironment,LPCTSTR lpCurrentDirectory,LPSTARTUPINFO lpStartupInfo,LPPROCESS_INFORMATION lpProcessInformation ); 26 27 CREATEPROCESS RemoteCreateProcess = (CREATEPROCESS)pData->addrCreateProcess; 28 29 pData->si.lpDesktop = (LPWSTR)&(pData->stDesktop); 30 31 32 RemoteCreateProcess(NULL,pData->wsCmdLine,NULL,NULL,TRUE,0,NULL,NULL,(LPSTARTUPINFO)&(pData->si),pData->ppinfo); 33 34 } 35 36 static void WINAPI endFunction()//上述函数的结束标志。(必需要有static修饰,且必需接在上面的函数之后) 37 { 38 } 39 40 41 BOOL WINAPI InjectCode(LPWSTR CmdLines,UINT WinShow,HANDLE hProcess)//进行注入操作。 42 { 43 44 BOOL res = FALSE; 45 HANDLE hThread = 0; 46 UINT SizeOfFunction = 0; 47 LPVOID RemoteAddress = 0; 48 49 LPVOID ReDataAddress = 0; 50 51 LPVOID Reppinfo = 0; 52 53 MyData data = {0}; 54 wcscpy_s(data.wsCmdLine ,CmdLines); 55 wcscpy_s(data.stDesktop,L"WinSta0\Default"); 56 data.si.cb = sizeof(STARTUPINFO); 57 data.si.dwFlags = 1; 58 data.si.wShowWindow = WinShow; 59 60 __try 61 { 62 63 data.addrCreateProcess = GetProcAddress(GetModuleHandle(L"kernel32.dll"),"CreateProcessW"); 64 if (data.addrCreateProcess == 0)__leave; 65 66 data.addrExitThread = GetProcAddress(GetModuleHandle(L"kernel32.dll"),"ExitThread"); 67 if (data.addrExitThread == 0)__leave; 68 69 //以上过程将远线程要调用的函数地址及参数全部通过MyData结构写入winlogon.exe的进程空间。 70 71 ////////////////////////////分配内存空间//////////////////////////////////////////// 72 if (hProcess == 0)__leave; 73 74 SizeOfFunction = (UINT)endFunction - (UINT)RemoteFunction; 75 if (SizeOfFunction == 0)__leave; 76 77 RemoteAddress = VirtualAllocEx(hProcess,NULL,SizeOfFunction,MEM_COMMIT,PAGE_EXECUTE_READWRITE); 78 if (RemoteAddress == 0)__leave; 79 80 if (!WriteProcessMemory(hProcess,RemoteAddress,(LPCVOID)RemoteFunction,SizeOfFunction,0))__leave; 81 82 83 84 Reppinfo = VirtualAllocEx(hProcess,NULL,sizeof(PROCESS_INFORMATION),MEM_COMMIT,PAGE_READWRITE); 85 if (Reppinfo == 0)__leave; 86 87 data.ppinfo = (LPPROCESS_INFORMATION)Reppinfo; 88 89 ReDataAddress = VirtualAllocEx(hProcess,NULL,sizeof(data),MEM_COMMIT,PAGE_READWRITE); 90 if (ReDataAddress == 0)__leave; 91 92 if (!WriteProcessMemory(hProcess,ReDataAddress,&data,sizeof(data),0))__leave; 93 94 95 96 97 //////////////////////////创建远线程////////////////////////////////////////////////// 98 99 hThread = CreateRemoteThread(hProcess,NULL,NULL,(PTHREAD_START_ROUTINE)RemoteAddress,ReDataAddress,NULL,NULL);100 if (hThread == 0)__leave;101 102 WaitForSingleObject(hThread,INFINITE);103 104 res = TRUE;105 106 }107 __finally108 {109 110 if (RemoteAddress != 0){ VirtualFreeEx(hProcess,RemoteAddress,0,MEM_RELEASE);}111 112 if (ReDataAddress != 0){ VirtualFreeEx(hProcess,ReDataAddress,0,MEM_RELEASE);}113 114 if (Reppinfo != 0){ VirtualFreeEx(hProcess,Reppinfo,0,MEM_RELEASE);}115 116 if (hThread != 0){ CloseHandle(hThread);}117 118 if (hProcess != 0){ CloseHandle(hProcess);}119 120 }121 122 return res;123 }124 125 126 //下面这个函数不是必要的,我只是通过它来获得winlogon.exe的进程句柄。127 128 HANDLE WINAPI GetProcessByName(DWORD dwDesiredAccess,BOOL bInheritHandle,WCHAR* wcProcessName)129 {130 131 BOOL fOK = FALSE;132 DWORD ProcIDs[1024] = {0};133 DWORD dwLengthOfProc = 0;134 HANDLE hp = NULL;135 DWORD nSize = 0;136 137 fOK = EnumProcesses(ProcIDs,sizeof(ProcIDs),&dwLengthOfProc);138 if (fOK == FALSE){return 0;}139 140 for(DWORD i = 0;i<(dwLengthOfProc/sizeof(DWORD));i++)141 {142 hp = OpenProcess(dwDesiredAccess,bInheritHandle,ProcIDs[i]);143 if (hp == NULL)continue;144 145 WCHAR wcFilePath[MAX_PATH] = {0};146 nSize = GetModuleFileNameEx(hp,0,wcFilePath,MAX_PATH);147 if (nSize == 0)148 {149 CloseHandle(hp);150 continue;151 }152 153 if (_wcsicmp(&wcFilePath[nSize - wcslen(wcProcessName)],wcProcessName) == 0)154 {155 return hp;156 }157 158 CloseHandle(hp);159 160 }161 162 return 0;163 164 }165
原文链接: https://www.cnblogs.com/AniX/archive/2010/10/16/1853023.html
欢迎关注
微信关注下方公众号,第一时间获取干货硬货;公众号内回复【pdf】免费获取数百本计算机经典书籍
原创文章受到原创版权保护。转载请注明出处:https://www.ccppcoding.com/archives/16187
非原创文章文中已经注明原地址,如有侵权,联系删除
关注公众号【高性能架构探索】,第一时间获取最新文章
转载文章受原作者版权保护。转载请注明原作者出处!
