pNewSd,
&dwSDLen,
pOldDAcl,
&dwAclSize,
pSacl,
&dwSaclSize,
pSidOwner,
&dwSidOwnLen,
pSidPrimary,
&dwSidPrimLen ) )
{
//
// 第一次调用给出的参数肯定返回这个错误,这样做的目的是
// 为了创建新的安全描述符 pNewSd 而得到各项的长度
//
if ( GetLastError() == ERROR_INSUFFICIENT_BUFFER )
{
pOldDAcl = ( PACL ) HeapAlloc( GetProcessHeap(),
HEAP_ZERO_MEMORY,
dwAclSize );
pSacl = ( PACL ) HeapAlloc( GetProcessHeap(),
HEAP_ZERO_MEMORY,
dwSaclSize );
pSidOwner = ( PSID ) HeapAlloc( GetProcessHeap(),
HEAP_ZERO_MEMORY,
dwSidOwnLen );
pSidPrimary = ( PSID ) HeapAlloc( GetProcessHeap(),
HEAP_ZERO_MEMORY,
dwSidPrimLen );
pNewSd = ( PSECURITY_DESCRIPTOR ) HeapAlloc( GetProcessHeap(),
HEAP_ZERO_MEMORY,
dwSDLen );
if ( pOldDAcl == NULL ||
pSacl == NULL ||
pSidOwner == NULL ||
pSidPrimary == NULL ||
pNewSd == NULL )
{
printf( "Allocate SID or ACL to failed!\n" );
bError = TRUE;
goto Cleanup;
}
//
// 再次调用才可以成功创建新的安全描述符 pNewSd
// 但新的安全描述符仍然是原访问控制列表 ACL
//
if ( !MakeAbsoluteSD( pOrigSd,
pNewSd,
&dwSDLen,
pOldDAcl,
&dwAclSize,
pSacl,
&dwSaclSize,
pSidOwner,
&dwSidOwnLen,
pSidPrimary,
&dwSidPrimLen ) )
{
printf( "MakeAbsoluteSD() = %d\n", GetLastError() );
bError = TRUE;
goto Cleanup;
}
}
else
{
printf( "MakeAbsoluteSD() = %d\n", GetLastError() );
bError = TRUE;
goto Cleanup;
}
}
//
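// Attach the DACL that grants full access (pNewDAcl, built earlier in this
// function) to the new absolute security descriptor pNewSd. bDAcl/bDefDAcl
// are the presence/default flags read off the original descriptor.
//
if ( !SetSecurityDescriptorDacl( pNewSd, bDAcl, pNewDAcl, bDefDAcl ) )
{
    printf( "SetSecurityDescriptorDacl() = %lu\n", GetLastError() );
    bError = TRUE;
    goto Cleanup;
}

//
// Write the new descriptor onto the token object. Only the DACL is replaced
// (DACL_SECURITY_INFORMATION); owner, group and SACL stay as they were.
// Security note: this loosens the DACL of the live WINLOGON token for as
// long as that token exists -- nothing below restores the original DACL.
// The call can only succeed if hToken was opened (above this excerpt) with
// WRITE_DAC access.
//
if ( !SetKernelObjectSecurity( hToken, DACL_SECURITY_INFORMATION, pNewSd ) )
{
    printf( "SetKernelObjectSecurity() = %lu\n", GetLastError() );
    bError = TRUE;
    goto Cleanup;
}

//
// Re-open the WINLOGON process token, this time with TOKEN_ALL_ACCESS, which
// the rewritten DACL now permits. The original code simply overwrote hToken
// here and leaked the handle obtained earlier; close that handle first.
// Cleanup closes hToken again, so leaving it NULL on failure is harmless.
//
CloseHandle( hToken );
hToken = NULL;
if ( !OpenProcessToken( hProcess, TOKEN_ALL_ACCESS, &hToken ) )
{
    printf( "OpenProcessToken() = %lu\n", GetLastError() );
    bError = TRUE;
    goto Cleanup;
}

//
// Duplicate it as a primary token with the same access so it can be handed
// to CreateProcessAsUser.
//
if ( !DuplicateTokenEx( hToken,
                        TOKEN_ALL_ACCESS,
                        NULL,
                        SecurityImpersonation,
                        TokenPrimary,
                        &hNewToken ) )
{
    printf( "DuplicateTokenEx() = %lu\n", GetLastError() );
    bError = TRUE;
    goto Cleanup;
}

ZeroMemory( &si, sizeof( STARTUPINFO ) );
si.cb = sizeof( STARTUPINFO );
// NOTE(review): Cleanup closes pi.hProcess/pi.hThread on every path,
// including the early failures above that never reach CreateProcessAsUser.
// pi must therefore be zero-initialised where it is declared (not visible in
// this excerpt); zeroing it here only covers the path that reaches
// CreateProcessAsUser.
ZeroMemory( &pi, sizeof( PROCESS_INFORMATION ) );

//
// Without impersonating the new token, CreateProcessAsUser fails with
// error 1314 (ERROR_PRIVILEGE_NOT_HELD) because the caller lacks
// SeAssignPrimaryTokenPrivilege. The original ignored this return value; we
// report it but still attempt the creation, which fails on its own if the
// privilege really is missing. RevertToSelf() in Cleanup undoes the
// impersonation on every exit path.
//
if ( !ImpersonateLoggedOnUser( hNewToken ) )
{
    printf( "ImpersonateLoggedOnUser() = %lu\n", GetLastError() );
}

//
// We only need a high-privilege process, not a user switch, so no desktop
// or window station is set (si.lpDesktop stays NULL; the child inherits the
// caller's).
//
// Create the process under the full-access token. lpApplicationName is
// NULL, so szProcessName is parsed as a complete command line: a path
// containing spaces must be quoted by the caller, otherwise
// CreateProcessAsUser tries the partial-name candidates first.
// dwCreationFlags is a DWORD; the original passed the pointer constant NULL.
//
if ( !CreateProcessAsUser( hNewToken,
                           NULL,
                           szProcessName,
                           NULL,
                           NULL,
                           FALSE,
                           0,
                           NULL,
                           NULL,
                           &si,
                           &pi ) )
{
    printf( "CreateProcessAsUser() = %lu\n", GetLastError() );
    bError = TRUE;
    goto Cleanup;
}
bError = FALSE;

Cleanup:
// Drop the impersonation token however we got here; RevertToSelf() is
// harmless when the thread was never impersonating.
RevertToSelf();

if ( pOrigSd )
{
    HeapFree( GetProcessHeap(), 0, pOrigSd );
}
if ( pNewSd )
{
    HeapFree( GetProcessHeap(), 0, pNewSd );
}
if ( pSidPrimary )
{
    HeapFree( GetProcessHeap(), 0, pSidPrimary );
}
if ( pSidOwner )
{
    HeapFree( GetProcessHeap(), 0, pSidOwner );
}
if ( pSacl )
{
    HeapFree( GetProcessHeap(), 0, pSacl );
}
if ( pOldDAcl )
{
    HeapFree( GetProcessHeap(), 0, pOldDAcl );
}
CloseHandle( pi.hProcess );
CloseHandle( pi.hThread );
CloseHandle( hToken );
CloseHandle( hNewToken );
CloseHandle( hProcess );

return bError ? FALSE : TRUE;
}

/*
 * Entry point. Expects exactly one argument: the command line to launch
 * under the WINLOGON (SYSTEM) token via CreateSystemProcess().
 *
 * Returns 0 on success, 1 on usage error or when CreateSystemProcess()
 * fails. (The original declared main as void and used a mis-encoded '<'
 * in the argc test, which does not compile.)
 *
 * NOTE(review): the usage string below prints no argument placeholder; the
 * angle-bracketed name it once contained appears to have been lost when the
 * listing was extracted.
 */
int main( int argc, char** argv )
{
    if ( argc < 2 )
    {
        printf( "Usage: wssrun \n" );
        return 1;
    }
    if ( CreateSystemProcess( argv[1] ) == FALSE )
    {
        printf( "wssrun: CreateSystemProcess() to failed!\n" );
        return 1;
    }
    return 0;
}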