
创建高权限进程的方法（说明：下面只是函数中间的一段代码，变量声明和 Cleanup 标签不在摘录内；该段把 WINLOGON 令牌的 DACL 改为向 Everyone 授予 TOKEN_ALL_ACCESS，权限范围极宽，实际使用时应只授予所需的主体和访问权限）

// 选择 WINLOGON 进程

//

if ( ( dwPid = GetProcessId( "WINLOGON.EXE" ) ) == NULL )

{

  printf( "GetProcessId() to failed!\n" );  



  bError = TRUE;

  goto Cleanup;

}



hProcess = OpenProcess( PROCESS_QUERY_INFORMATION, FALSE, dwPid );

if ( hProcess == NULL )

{

  printf( "OpenProcess() = %d\n", GetLastError() );  



  bError = TRUE;

  goto Cleanup;

}



if ( !OpenProcessToken( hProcess, READ_CONTROL | WRITE_DAC, &hToken ) )

{

  printf( "OpenProcessToken() = %d\n", GetLastError() );



  bError = TRUE;

  goto Cleanup;

}



//

// 设置 ACE 具有所有访问权限

//

ZeroMemory( &ea, sizeof( EXPLICIT_ACCESS ) );

BuildExplicitAccessWithName( &ea,

                    "Everyone",

                    TOKEN_ALL_ACCESS,

                    GRANT_ACCESS,

                    0 );



if ( !GetKernelObjectSecurity( hToken,

                      DACL_SECURITY_INFORMATION,

                      pOrigSd,

                      0,

                      &dwSDLen ) )

{

  //

  // 第一次调用给出的参数肯定返回这个错误,这样做的目的是

  // 为了得到原安全描述符 pOrigSd 的长度

  //

  if ( GetLastError() == ERROR_INSUFFICIENT_BUFFER )

  {

    pOrigSd = ( PSECURITY_DESCRIPTOR ) HeapAlloc( GetProcessHeap(),

                                  HEAP_ZERO_MEMORY,

                                  dwSDLen );

    if ( pOrigSd == NULL )

    {

    printf( "Allocate pSd memory to failed!\n" );



    bError = TRUE;

    goto Cleanup;

    }



    //

    // 再次调用才正确得到安全描述符 pOrigSd

    //

    if ( !GetKernelObjectSecurity( hToken,

                        DACL_SECURITY_INFORMATION,

                        pOrigSd,

                        dwSDLen,

                        &dwSDLen ) )

    {

    printf( "GetKernelObjectSecurity() = %d\n", GetLastError() );

    bError = TRUE;

    goto Cleanup;

    }

  }

  else

  {

    printf( "GetKernelObjectSecurity() = %d\n", GetLastError() );

    bError = TRUE;

    goto Cleanup;

  }

}



//

// 得到原安全描述符的访问控制列表 ACL

//

if ( !GetSecurityDescriptorDacl( pOrigSd, &bDAcl, &pOldDAcl, &bDefDAcl ) )

{

  printf( "GetSecurityDescriptorDacl() = %d\n", GetLastError() );



  bError = TRUE;

  goto Cleanup;

}



//

// 生成新 ACE 权限的访问控制列表 ACL

//

dwRet = SetEntriesInAcl( 1, &ea, pOldDAcl, &pNewDAcl );

if ( dwRet != ERROR_SUCCESS )

{

  printf( "SetEntriesInAcl() = %d\n", GetLastError() );

  pNewDAcl = NULL;



  bError = TRUE;

  goto Cleanup;

}