2012-11-01 44 views
0

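I want to obtain a primary token so that I can access OpenInputDesktop() and perform the necessary operations. How do I get a primary access token in Windows 8?

I went through all the help on the site and found the following conclusive code, but I get an error when calling DuplicateTokenEx(): it is 998, which means invalid access to a memory location.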

HANDLE GetCurrentUserToken() 
{ 
    HANDLE currentToken = 0; 
    PHANDLE primaryToken = 0; 

    unsigned int winlogonPid = 0; 

    int dwSessionId = 0; 
    PHANDLE hUserToken = 0; 
    PHANDLE hTokenDup = 0; 

    PWTS_SESSION_INFO pSessionInfo = 0; 
    DWORD dwCount = 0; 

    WTSEnumerateSessions(WTS_CURRENT_SERVER_HANDLE, 0, 1, 
         &pSessionInfo, &dwCount); 

    //TestLog("Error on WTSEnumerateSessions(): %d",GetLastError()); 

    int dataSize = sizeof(WTS_SESSION_INFO); 

    for (DWORD i = 0; i < dwCount; ++i) 
    { 
     WTS_SESSION_INFO si = pSessionInfo[i]; 
     if (WTSActive == si.State) 
     { 
      dwSessionId = si.SessionId; 
      break; 
     } 
    } 

    WTSFreeMemory(pSessionInfo); 

    array<Process^>^localByName = Process::GetProcessesByName("winlogon"); 


    for (int i=0;i<localByName->Length;i++) 
    { 
     Process^p1 = (Process^)(localByName->GetValue(i)); 

     if ((unsigned int)p1->SessionId == dwSessionId) 
     { 
      winlogonPid = (unsigned int)p1->Id; 
     } 
    } 

    // obtain a handle to the winlogon process 
    HANDLE hProcess = OpenProcess(MAXIMUM_ALLOWED, false, winlogonPid); 
    TestLog("Error on OpenProcess():",GetLastError()); 

    // obtain a handle to the access token of the winlogon process 
    if (!OpenProcessToken(hProcess, TOKEN_DUPLICATE, &currentToken)) 
    { 
     TestLog("Error on OpenProcessToken():",GetLastError()); 
     CloseHandle(hProcess); 
     return false; 
    } 

    BOOL bRet ; 
    // bRet = DuplicateTokenEx(currentToken, 
    //   MAXIMUM_ALLOWED /*TOKEN_ASSIGN_PRIMARY | TOKEN_ALL_ACCESS*/, 
    //   NULL/*0*/, 
    //   SecurityImpersonation, TokenImpersonation, primaryToken); 

    bRet = DuplicateTokenEx(currentToken, 
          TOKEN_ASSIGN_PRIMARY | TOKEN_ALL_ACCESS, 
          NULL, SecurityImpersonation, 
          TokenPrimary, primaryToken); 

    TestLog("Error on DuplicateTokenEx():",GetLastError()); 
    TestLog("return value of DuplicateTokenEx()",bRet); 

    int errorcode = GetLastError(); 
    if (bRet == false) 
    { 
     return 0; 
    } 

    return primaryToken; 
} 

int main(array<System::String ^> ^args) 
{ 
    Console::WriteLine(L"Hello World"); 

    TestLog("**Start TestLaunchExeOneTime**",0); 
    HANDLE hTokenNew = NULL, hTokenDup = NULL; 
    HMODULE hmod = LoadLibrary(L"kernel32.dll"); 

    hTokenDup = GetCurrentUserToken(); 

    STARTUPINFO si; 
    PROCESS_INFORMATION pi; 
    memset(&si,0,sizeof(STARTUPINFO)); 
    si.cb = sizeof(STARTUPINFO); 
    si.lpDesktop = L"winsta0\\default"; 

    LPVOID pEnv = NULL; 
    DWORD dwCreationFlag = NORMAL_PRIORITY_CLASS | CREATE_NEW_CONSOLE; 
    HMODULE hModule = LoadLibrary(L"Userenv.dll"); 
    if(hModule) 
    { 
     if(CreateEnvironmentBlock(&pEnv,hTokenDup,FALSE)) 
     { 
      //WriteToLog("CreateEnvironmentBlock Ok"); 
      dwCreationFlag |= CREATE_UNICODE_ENVIRONMENT;  
     } 
     else 
     { 
      TestLog("Error on CreateEnvironmentBlock():",GetLastError()); 
      pEnv = NULL; 
     } 
    } 

    // 

    if (!CreateProcessAsUser(hTokenDup, 
     NULL, 
     L"C:\\temp\\DesktopDuplicationmilliseconds.exe", 
     NULL, 
     NULL, 
     FALSE, 
     dwCreationFlag, 
     pEnv, 
     NULL, 
     &si, 
     &pi 
     )) 
    { 
     // CreateProcessAsUser returned FALSE: log the failure 
     TestLog("Error on CreateProcessAsUser():",GetLastError()); 
     // printf("error : %d",GetLastError()); 
    } 

    return 0; 
} 

Answers

1

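You have not allocated any memory for the primary token. The primaryToken variable is a pointer to a handle, but it does not actually point to anything. (You have also declared GetCurrentUserToken as a function that returns a handle, but it actually returns a pointer to a handle.)

You need to explicitly allocate memory for the handle:

primaryToken = (PHANDLE)malloc(sizeof(HANDLE)); 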

[...] 

return *primaryToken; 

Or, more sensibly, define primaryToken as a HANDLE rather than a pointer, and pass a reference to it where appropriate:

HANDLE primaryToken; 

[...] 

bRet = DuplicateTokenEx(currentToken, 
         TOKEN_ASSIGN_PRIMARY | TOKEN_ALL_ACCESS, 
         NULL, SecurityImpersonation, 
         TokenPrimary, &primaryToken); 
+0

Thanks, it was the PHANDLE that I was stuck on. With the HANDLE it runs :) – Mak
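The out-parameter contract the answer describes, as an added example that is not part of the original question or answer: `dup_primary_token` is a hypothetical helper that hands its `out` pointer straight to DuplicateTokenEx, so a null pointer reproduces error 998 while `&tok` succeeds, and the source token handle is closed on both paths. The non-Windows branch is a constructed stand-in for the API calls, and the reduced access mask is an assumption based on the rights CreateProcessAsUser documents as required.

```c
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#else /* Constructed stand-ins (not the real API) so this also builds off Windows. */
typedef void *HANDLE; typedef int BOOL; typedef unsigned long DWORD;
enum { TOKEN_ASSIGN_PRIMARY = 1, TOKEN_DUPLICATE = 2, TOKEN_QUERY = 8,
       SecurityImpersonation = 2, TokenPrimary = 1, ERROR_SUCCESS = 0,
       ERROR_NOACCESS = 998 };
static DWORD g_err; static int g_open; /* fake last error / open-handle count */
static DWORD GetLastError(void) { return g_err; }
static HANDLE GetCurrentProcess(void) { return &g_open; }
static BOOL CloseHandle(HANDLE h) { (void)h; g_open--; return 1; }
static BOOL OpenProcessToken(HANDLE p, DWORD a, HANDLE *t)
{ (void)p; (void)a; *t = &g_err; g_open++; return 1; }
static BOOL DuplicateTokenEx(HANDLE s, DWORD a, void *sa, int lvl, int ty, HANDLE *out)
{ (void)s; (void)a; (void)sa; (void)lvl; (void)ty;
  if (!out) { g_err = ERROR_NOACCESS; return 0; } /* the question's error 998 */
  *out = &g_err; g_open++; return 1; }
#endif

/* Duplicates the token of `process` as a primary token into *out.
   `out` is handed to DuplicateTokenEx unchanged, so a null pointer (the
   question's PHANDLE primaryToken = 0) comes back as the API's error code. */
DWORD dup_primary_token(HANDLE process, HANDLE *out)
{
    HANDLE src = NULL;
    DWORD err = ERROR_SUCCESS;
    if (!OpenProcessToken(process, TOKEN_DUPLICATE, &src))
        return GetLastError();
    /* Assumption: request only what CreateProcessAsUser documents as
       required, instead of TOKEN_ALL_ACCESS. */
    if (!DuplicateTokenEx(src, TOKEN_QUERY | TOKEN_DUPLICATE | TOKEN_ASSIGN_PRIMARY,
                          NULL, SecurityImpersonation, TokenPrimary, out))
        err = GetLastError();
    CloseHandle(src); /* the source handle is not needed on either path */
    return err;
}

int main(void)
{
    HANDLE tok = NULL; /* a HANDLE with real storage; its address is the out-pointer */
    printf("null out-pointer -> %lu\n",
           (unsigned long)dup_primary_token(GetCurrentProcess(), NULL));
    printf("&tok             -> %lu\n",
           (unsigned long)dup_primary_token(GetCurrentProcess(), &tok));
    if (tok) CloseHandle(tok); /* the caller owns the duplicated token */
    return 0;
}
```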