1) 驅動器將僅在 LUID 等於您令牌之 TOKEN_STATISTICS.AuthenticationId 的登錄會話中可見。
系統會在 \Sessions\0\DosDevices\<LogonId>\<X>: 下創建符號鏈接對象,
指向 \Device\LanmanRedirector\;<X>:<LogonId>\server\share。
作爲結果,驅動器 <X>:
將只對在 <LogonId>
會話中運行的進程可見。「作爲管理員」運行的進程,與
不「作爲管理員」運行的進程,具有不同的 <LogonId>。
2) 你需要在調用 NetUseAdd
或 WNetAddConnection2
之前冒充(模擬)另一個上下文。
例如,您可以枚舉進程,找到具有相同終端 SessionId
(不要與登錄會話混淆)的瀏覽器並模擬它(打開它的令牌,複製並模擬)。或者更一般地,打開與您的進程處於同一終端會話中的每一個進程的令牌,查詢其 TokenElevationType
(TOKEN_ELEVATION_TYPE
),如果是 TokenElevationTypeLimited
- 則在調用 NetUseAdd 之前複製並模擬此令牌。
如何從「以管理員身份運行」的進程中執行某些操作(例如在「用戶上下文中」執行進程/線程/API 調用)的工作代碼
例如:
#include <TlHelp32.h>
// Folds a Win32 BOOL result into an error code: NOERROR when the call succeeded,
// otherwise the calling thread's last error. The argument is expanded only once.
#define BOOL_TO_ERR(b) ((b) ? NOERROR : GetLastError())
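// Inspects the privilege list of hToken using the caller-supplied scratch buffer
// 'privs' (cb bytes). When the token carries SeAssignPrimaryToken, SeIncreaseQuota
// and SeDebug, duplicates it as an impersonation token with those three enabled and
// places it on the current thread.
//
// Returns TRUE only when the thread is now impersonating that token; the caller is
// responsible for removing it again with SetThreadToken(NULL, NULL).
// A GetTokenInformation failure (including ERROR_INSUFFICIENT_BUFFER) is treated
// as "no match" rather than as an error.
static BOOL ImpersonateIfPrivileged(HANDLE hToken, PTOKEN_PRIVILEGES privs, DWORD cb)
{
    DWORD rcb;
    if (!GetTokenInformation(hToken, TokenPrivileges, privs, cb, &rcb))
    {
        return FALSE;
    }

    // Only the LowPart of the LUID is compared: well-known privileges have HighPart 0.
    enum { HAVE_ASSIGN = 1, HAVE_QUOTA = 2, HAVE_DEBUG = 4, HAVE_ALL = 7 };
    unsigned have = 0;
    for (DWORD i = 0; i < privs->PrivilegeCount; i++)
    {
        switch (privs->Privileges[i].Luid.LowPart)
        {
        case SE_ASSIGNPRIMARYTOKEN_PRIVILEGE: have |= HAVE_ASSIGN; break;
        case SE_INCREASE_QUOTA_PRIVILEGE:     have |= HAVE_QUOTA;  break;
        case SE_DEBUG_PRIVILEGE:              have |= HAVE_DEBUG;  break;
        default:                              break;
        }
    }
    if (have != HAVE_ALL)
    {
        return FALSE;
    }

    HANDLE hDup;
    if (!DuplicateTokenEx(hToken, TOKEN_ADJUST_PRIVILEGES | TOKEN_IMPERSONATE,
                          0, SecurityImpersonation, TokenImpersonation, &hDup))
    {
        return FALSE;
    }

    // Enable exactly the three privileges on the duplicate. The presence check above
    // guarantees they exist in the token, so none of them can be "not assigned".
    // Laid out like TOKEN_PRIVILEGES, but with room for three entries.
    struct {
        DWORD PrivilegeCount;
        LUID_AND_ATTRIBUTES Privileges[3];
    } tp = { 3, {
        { { SE_ASSIGNPRIMARYTOKEN_PRIVILEGE }, SE_PRIVILEGE_ENABLED },
        { { SE_INCREASE_QUOTA_PRIVILEGE },     SE_PRIVILEGE_ENABLED },
        { { SE_DEBUG_PRIVILEGE },              SE_PRIVILEGE_ENABLED },
    } };
    AdjustTokenPrivileges(hDup, FALSE, (PTOKEN_PRIVILEGES)&tp, sizeof(tp), NULL, NULL);

    BOOL ok = SetThreadToken(NULL, hDup);
    CloseHandle(hDup);   // our handle is no longer needed once the thread has the token
    return ok;
}

// Starts lpApplicationName / lpCommandLine in the caller's *non-elevated* logon
// session when the calling process is elevated ("run as administrator"). When the
// caller is not elevated, the process is created directly with CreateProcessW.
//
// Steps (each visible below):
//  1. Query the caller's TokenElevationType. For TokenElevationTypeFull, read the
//     AuthenticationId (logon-session LUID) of the linked limited token; that is the
//     logon session the new process must belong to.
//  2. Enable SeDebugPrivilege on the caller's token (best effort, result ignored) so
//     that the process walk in step 3 can open tokens of more processes.
//  3. Walk the process list (Toolhelp). The first token found holding
//     SeAssignPrimaryToken, SeIncreaseQuota and SeDebug is duplicated and put on the
//     current thread as an impersonation token: CreateProcessAsUser is evaluated
//     against the thread's effective token, and assigning a primary token of a
//     different logon session needs those privileges.
//  4. The first process token whose AuthenticationId equals the linked token's is
//     duplicated as a primary token and handed to CreateProcessAsUserW.
//  5. The impersonation set up in step 3 is always removed before returning, so the
//     borrowed identity never leaks into the caller's later work on this thread.
//
// Returns NOERROR on success; otherwise the Win32 error of the failing call, or
// ERROR_NOT_FOUND when no token matching the limited logon session was found
// (instead of reporting success without having created anything).
ULONG RunNonElevated(PCWSTR lpApplicationName, PWSTR lpCommandLine)
{
    HANDLE hToken;
    ULONG err = BOOL_TO_ERR(OpenProcessToken(NtCurrentProcess(),
                                             TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES, &hToken));
    if (err != NOERROR)
    {
        return err;
    }

    DWORD rcb;
    TOKEN_ELEVATION_TYPE tet;
    TOKEN_LINKED_TOKEN tlt;
    TOKEN_STATISTICS ts;
    LUID AuthenticationId = { 0, 0 };   // logon session of the limited (non-elevated) token
    BOOL bSearchToken = FALSE;          // TRUE => caller is elevated; a session token must be found

    err = BOOL_TO_ERR(GetTokenInformation(hToken, TokenElevationType, &tet, sizeof(tet), &rcb));
    if (err == NOERROR && tet == TokenElevationTypeFull)
    {
        // Elevated: the linked token is the limited one; its AuthenticationId
        // identifies the logon session in which the new process must run.
        err = BOOL_TO_ERR(GetTokenInformation(hToken, TokenLinkedToken, &tlt, sizeof(tlt), &rcb));
        if (err == NOERROR)
        {
            err = BOOL_TO_ERR(GetTokenInformation(tlt.LinkedToken, TokenStatistics, &ts, sizeof(ts), &rcb));
            CloseHandle(tlt.LinkedToken);
            if (err == NOERROR)
            {
                bSearchToken = TRUE;
                AuthenticationId = ts.AuthenticationId;

                // Best effort: a failure here only means the walk below may open fewer
                // processes, so the result is deliberately not checked.
                TOKEN_PRIVILEGES tp = { 1, { { { SE_DEBUG_PRIVILEGE }, SE_PRIVILEGE_ENABLED } } };
                AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL);
            }
        }
    }
    CloseHandle(hToken);
    if (err != NOERROR)
    {
        return err;
    }

    STARTUPINFO si = { sizeof(si) };
    PROCESS_INFORMATION pi;

    if (!bSearchToken)
    {
        // Not elevated with a linked token: nothing to de-elevate, create directly.
        err = BOOL_TO_ERR(CreateProcessW(lpApplicationName, lpCommandLine,
                                         NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi));
        if (err == NOERROR)
        {
            CloseHandle(pi.hThread);
            CloseHandle(pi.hProcess);
        }
        return err;
    }

    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnapshot == INVALID_HANDLE_VALUE)
    {
        return GetLastError();
    }

    // Scratch buffer for TokenPrivileges, sized for the maximum number of well-known
    // privileges (a bounded stack object instead of alloca inside the loop).
    struct {
        DWORD PrivilegeCount;
        LUID_AND_ATTRIBUTES Privileges[SE_MAX_WELL_KNOWN_PRIVILEGE];
    } privs;

    HANDLE hSession = NULL;        // primary token of the non-elevated session, once found
    BOOL bImpersonating = FALSE;   // this thread currently carries the privileged token

    PROCESSENTRY32W pe = { sizeof(pe) };
    if (Process32FirstW(hSnapshot, &pe))
    {
        do
        {
            HANDLE hProcess = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, pe.th32ProcessID);
            if (!hProcess)
            {
                continue;   // proceeds to the loop condition (next process)
            }
            if (OpenProcessToken(hProcess, TOKEN_QUERY | TOKEN_DUPLICATE, &hToken))
            {
                if (!bImpersonating)
                {
                    bImpersonating = ImpersonateIfPrivileged(hToken, (PTOKEN_PRIVILEGES)&privs, sizeof(privs));
                }
                // A session token is only useful once the privileges needed to assign
                // it are in place, hence the bImpersonating guard.
                if (bImpersonating &&
                    GetTokenInformation(hToken, TokenStatistics, &ts, sizeof(ts), &rcb) &&
                    ts.AuthenticationId.LowPart == AuthenticationId.LowPart &&
                    ts.AuthenticationId.HighPart == AuthenticationId.HighPart)
                {
                    if (!DuplicateTokenEx(hToken, TOKEN_QUERY | TOKEN_DUPLICATE | TOKEN_ASSIGN_PRIMARY,
                                          0, SecurityImpersonation, TokenPrimary, &hSession))
                    {
                        hSession = NULL;   // keep looking at other processes of the session
                    }
                }
                CloseHandle(hToken);
            }
            CloseHandle(hProcess);
        } while (!hSession && Process32NextW(hSnapshot, &pe));
    }
    CloseHandle(hSnapshot);

    if (hSession)
    {
        // Must still run under the impersonation from the walk above: CreateProcessAsUser
        // checks the thread's effective token for the required privileges.
        err = BOOL_TO_ERR(CreateProcessAsUserW(hSession, lpApplicationName, lpCommandLine,
                                               NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi));
        CloseHandle(hSession);
        if (err == NOERROR)
        {
            CloseHandle(pi.hThread);
            CloseHandle(pi.hProcess);
        }
    }
    else
    {
        // Report the absence explicitly rather than returning NOERROR with no process created.
        err = ERROR_NOT_FOUND;
    }

    if (bImpersonating)
    {
        // Drop the borrowed privileged identity before returning to the caller;
        // otherwise everything the caller does on this thread afterwards would still
        // run under it. Done after err is final so GetLastError is not clobbered.
        SetThreadToken(NULL, NULL);
    }
    return err;
}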
相關:http://stackoverflow.com/questions/42767614/ –