Windows 下的提权(在当前进程令牌中启用 SeDebugPrivilege)与降权(以控制台登录用户的令牌重新启动自身)示例代码。


2023年6月23日发(作者:)

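// Windows privilege-elevation / privilege-drop helpers.
//
// Part 1 (AdjustPrivileges): enable SeDebugPrivilege in the current process's
// token so that OpenProcess(PROCESS_ALL_ACCESS) on other users' processes
// succeeds.
// Part 2 (IsSystem / GetUserHandle / JmpToUser): from a SYSTEM context,
// re-launch this executable in the console user's session under that user's
// token, i.e. drop from SYSTEM to the interactive user.
//
// The published listing lost the arguments of its #include / #pragma lines;
// they are reconstructed here from the APIs the code actually calls.
#include <windows.h>
#include <wtsapi32.h>   // WTSQueryUserToken
#include <userenv.h>    // CreateEnvironmentBlock / DestroyEnvironmentBlock
#pragma comment(lib, "advapi32.lib")
#pragma comment(lib, "wtsapi32.lib")
#pragma comment(lib, "userenv.lib")

// Enable SeDebugPrivilege in the current process's primary token.
//
// NOTE(review): this does not *grant* a privilege. AdjustTokenPrivileges can
// only enable a privilege the token already holds (the caller must already be
// an administrator or SYSTEM). For a token that lacks it the call still
// returns TRUE but sets ERROR_NOT_ALL_ASSIGNED; the original code never
// checked that, so it reported success while nothing had been enabled.
//
// Returns true only when the privilege is actually enabled.
bool AdjustPrivileges()
{
    HANDLE hToken = NULL;
    // Least privilege: only what AdjustTokenPrivileges needs, not
    // TOKEN_ALL_ACCESS. The original never checked this call's result.
    if (!OpenProcessToken(GetCurrentProcess(),
                          TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) {
        OutputDebugString(TEXT("提升权限失败,OpenProcessToken"));
        return false;
    }

    LUID luid;
    if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid)) {
        CloseHandle(hToken);
        OutputDebugString(TEXT("提升权限失败,LookupPrivilegeValue"));
        return false;
    }

    TOKEN_PRIVILEGES tp;
    ZeroMemory(&tp, sizeof(tp));
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Luid = luid;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

    // The previous privilege state is not needed, so no output buffer.
    BOOL ok = AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL);
    // Capture the error before CloseHandle can overwrite it.
    DWORD err = GetLastError();
    CloseHandle(hToken);

    if (!ok || err == ERROR_NOT_ALL_ASSIGNED) {
        OutputDebugString(TEXT("提升权限失败 AdjustTokenPrivileges"));
        return false;
    }
    return true;
}

// Return TRUE when the current process runs as LocalSystem (S-1-5-18).
//
// The original compared GetUserNameW() against the literal "system". The
// display name of the LocalSystem account is localized on non-English
// Windows, so that name check fails silently there. Compare the token's
// user SID against the well-known LocalSystem SID instead.
BOOL IsSystem()
{
    BOOL bRet = FALSE;
    HANDLE hToken = NULL;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken)) {
        return FALSE;
    }

    // TOKEN_USER is a header followed by the SID bytes; a struct keeps the
    // buffer correctly aligned and large enough for any SID.
    struct {
        TOKEN_USER tu;
        BYTE sid[SECURITY_MAX_SID_SIZE];
    } buf;
    DWORD cb = 0;
    if (GetTokenInformation(hToken, TokenUser, &buf, sizeof(buf), &cb)) {
        bRet = IsWellKnownSid(buf.tu.User.Sid, WinLocalSystemSid);
    }
    CloseHandle(hToken);
    return bRet;
}

// Obtain a primary token for the user logged on at the physical console.
//
// WTSQueryUserToken requires SeTcbPrivilege, so this only works from a
// SYSTEM caller (a service). The caller owns the returned handle and must
// CloseHandle it. Returns NULL on failure.
HANDLE GetUserHandle()
{
    HANDLE hUser = NULL;
    HANDLE hToken = NULL;

    do {
        DWORD sessionId = WTSGetActiveConsoleSessionId();
        // 0xFFFFFFFF is the documented "no console session attached" value;
        // the original compared against NULL (0), which is the non-interactive
        // services session and not the failure code. Reject both.
        if (sessionId == 0xFFFFFFFF || sessionId == 0) {
            break;
        }
        if (!WTSQueryUserToken(sessionId, &hToken)) {
            break;
        }
        if (!DuplicateTokenEx(hToken, MAXIMUM_ALLOWED, NULL, SecurityDelegation,
                              TokenPrimary, &hUser)) {
            hUser = NULL;
            break;
        }
    } while (FALSE);

    if (hToken != NULL) {
        CloseHandle(hToken);
    }
    return hUser;
}

// Re-launch this executable in the console user's session under that user's
// token (drop from SYSTEM to the interactive user).
//
// Fixes relative to the original listing:
//  * si.cb was never set; CreateProcessAsUser requires it.
//  * lpDesktop is set so the child's UI lands on the user's interactive
//    desktop instead of inheriting the service's window station.
//  * CREATE_UNICODE_ENVIRONMENT was passed with a NULL environment, which
//    hands the child the *caller's* (SYSTEM) environment; build the user's
//    block from the token instead.
//  * bInheritHandles is FALSE: a SYSTEM process must not leak inheritable
//    handles into a lower-privileged child.
//  * The executable path is passed as lpApplicationName rather than as an
//    unquoted lpCommandLine, so a path containing spaces cannot be split and
//    resolved to a different binary.
//  * The user token handle is closed on every path (it leaked before).
//  * Plain stack locals replace the pointless new/delete of three structs.
//
// CREATE_BREAKAWAY_FROM_JOB is kept from the original; note it makes the
// call fail with ERROR_ACCESS_DENIED if the caller sits in a job that does
// not permit breakaway.
BOOL JmpToUser()
{
    BOOL bRet = FALSE;
    HANDLE hUser = NULL;
    LPVOID env = NULL;
    WCHAR path[MAX_PATH] = { 0 };
    WCHAR desktop[] = L"winsta0\\default";
    STARTUPINFOW si;
    PROCESS_INFORMATION pi;

    ZeroMemory(&si, sizeof(si));
    ZeroMemory(&pi, sizeof(pi));
    si.cb = sizeof(si);
    si.lpDesktop = desktop;

    do {
        DWORD len = GetModuleFileNameW(NULL, path, MAX_PATH);
        // 0 is failure; len >= MAX_PATH means the path was truncated.
        if (len == 0 || len >= MAX_PATH) {
            break;
        }
        hUser = GetUserHandle();
        if (hUser == NULL) {
            break;
        }
        if (!CreateEnvironmentBlock(&env, hUser, FALSE)) {
            break;
        }
        bRet = CreateProcessAsUserW(hUser, path, NULL, NULL, NULL, FALSE,
                                    CREATE_UNICODE_ENVIRONMENT | CREATE_BREAKAWAY_FROM_JOB,
                                    env, NULL, &si, &pi);
        if (bRet) {
            CloseHandle(pi.hProcess);
            CloseHandle(pi.hThread);
        }
    } while (FALSE);

    if (env != NULL) {
        DestroyEnvironmentBlock(env);
    }
    if (hUser != NULL) {
        CloseHandle(hUser);
    }
    return bRet;
}

// Caller sketch. The original page gave this only as pseudo-code: once
// AdjustPrivileges() succeeds, OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid)
// succeeds on processes owned by other users. Protected processes (PPL) are
// still off limits; SeDebugPrivilege does not bypass them.
int main()
{
    if (!AdjustPrivileges()) {
        return 1;
    }
    // ... OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid) now succeeds ...
    return 0;
}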
