
su切换用户
1.0,发现Bingle的wsu是假冒令牌,权限并没有真正设置.
2.0,真正实现模拟用户令牌的动作.
3.0,即使帐号禁止也可以模拟用户
4.0, 可以模拟SYSTEM用户,权限24个,全部默认开放
4.1 终端登录用户可以获取管理员组/SYSTEM权限.普通用户失败.
8#include &stdio.h&
9#include &stdlib.h&
10#include &winsock2.h&
11#include &lm.h&
12#include &Ntsecapi.h&
13#include &Accctrl.h&
14#include &Aclapi.h&
15#include &Tlhelp32.h&
16#include &windows.h&
19#pragma comment(lib,"ws2_32")
20#pragma comment(lib,"Advapi32")
21#pragma comment(lib,"User32")
22#pragma comment(lib,"Netapi32")
24#define SIZE 1024
25#define VERSION "4.1"
27#define STATUS_SUCCESS
((NTSTATUS)0xL)
28#define WINSTA_ALL (WINSTA_ACCESSCLIPBOARD|WINSTA_ACCESSGLOBALATOMS|WINSTA_CREATEDESKTOP| WINSTA_ENUMDESKTOPS|WINSTA_ENUMERATE|WINSTA_EXITWINDOWS|WINSTA_READATTRIBUTES
| WINSTA_READSCREEN|WINSTA_WRITEATTRIBUTES|DELETE|READ_CONTROL| WRITE_DAC|WRITE_OWNER)
29#define DESKTOP_ALL (DESKTOP_CREATEMENU|DESKTOP_CREATEWINDOW|DESKTOP_ENUMERATE|DESKTOP_HOOKCONTROL|DESKTOP_JOURNALPLAYBACK|DESKTOP_JOURNALRECORD|DESKTOP_READOBJECTS
| DESKTOP_SWITCHDESKTOP|DESKTOP_WRITEOBJECTS|DELETE|READ_CONTROL| WRITE_DAC|WRITE_OWNER)
30#define GENERIC_ACCESS (GENERIC_READ|GENERIC_WRITE|GENERIC_EXECUTE|GENERIC_ALL)
31#define SE_GROUP_RESOURCE (0xL)
33typedef struct _OBJECT_ATTRIBUTES
PUNICODE_STRING ObjectN
SecurityQualityOfS
41} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;
43typedef enum _LSA_TOKEN_INFORMATION_TYPE {
LsaTokenInformationNull,
// Implies LSA_TOKEN_INFORMATION_NULL data type
LsaTokenInformationV1,
// Implies LSA_TOKEN_INFORMATION_V1 data type
LsaTokenInformationV2
// Implies LSA_TOKEN_INFORMATION_V2 data type
47} LSA_TOKEN_INFORMATION_TYPE, *PLSA_TOKEN_INFORMATION_TYPE;
49typedef struct _LSA_TOKEN_INFORMATION_NULL
LARGE_INTEGER ExpirationT
PTOKEN_GROUPS G
53} LSA_TOKEN_INFORMATION_NULL, *PLSA_TOKEN_INFORMATION_NULL;
55typedef NTSTATUS (*PNtCreateToken)(
TokenHandle,
57ACCESS_MASK
DesiredAccess,
58POBJECT_ATTRIBUTES
ObjectAttributes,
59TOKEN_TYPE
TokenType,
AuthenticationId,
61PLARGE_INTEGER
ExpirationTime,
62PTOKEN_USER
TokenUser,
63PTOKEN_GROUPS
TokenGroups,
64PTOKEN_PRIVILEGES
TokenPrivileges,
65PTOKEN_OWNER
TokenOwner,
66PTOKEN_PRIMARY_GROUP TokenPrimaryGroup,
67PTOKEN_DEFAULT_DACL
TokenDefaultDacl,
68PTOKEN_SOURCE
TokenSource
72typedef struct _PROFILEINFO {
lpProfileP
lpDefaultP
81} PROFILEINFO, *LPPROFILEINFO;
83typedef BOOL (*PLoadUserProfile)(
HANDLE hToken,
// user token
LPPROFILEINFO lpProfileInfo
// profile
89typedef BOOL (*PUnloadUserProfile)(
HANDLE hToken,
// user token
HANDLE hProfile
// handle to registry key
93BOOL cback = <span style="COLOR: #;
94char *system_user = NULL;
95int lsasspid = <span style="COLOR: #;
96unsigned int DebugLevel = <span style="COLOR: #;
98/**//* 函数定义开始 */
99void usage(char *s); 100int GrantPriv(); 101HANDLE CreateTokenAsUser(char *user); 102BOOL ConvertSidToStringSid(PSID pSid,LPTSTR TextualSid, LPDWORD lpdwBufferLen); 103BOOL GetUserGroup(char *username,char ***name,int *groupcount); 104PSID GetUserSid(char *LookupUser); 105HANDLE NtCreateTokenAsuser(char *user); 106int GrantPrivFromLsass(int pid); 107void *GetFromToken(HANDLE hToken, TOKEN_INFORMATION_CLASS tic); 108void pfree(void *p); 109LUID GetLuidFromText(char *s); 110TOKEN_PRIVILEGES *MakeAdminPriv(); 111BOOL AddUserPrivToHandle(HANDLE Hhandle,char *s,ACCESS_MODE mode); 112 113/**//* 函数定义结束 */ 114int main(int argc,char **argv) 115{
116int 117WSADATA 118HANDLE NewT 119PLoadUserProfile LoadUserP 120PUnloadUserProfile UnloadUserP 121HMODULE UserenvM 122 123printf( "su.exe like unix su tool,version %s \n" 124"by bkbll (bkbll#cnhonker.net) \n\n",VERSION); 125 126if((argc&<span style="COLOR: #) && (strnicmp(argv[<span style="COLOR: #],"-h",<span style="COLOR: #) == <span style="COLOR: #)) 127{
128usage(argv[<span style="COLOR: #]); 129return -<span style="COLOR: #; 130} 131for(i=<span style="COLOR: #;i&i+=<span style="COLOR: #) 132{
133if(strlen(argv[i]) != <span style="COLOR: #) 134{
135usage(argv[<span style="COLOR: #]); 136return -<span style="COLOR: #; 137} 138switch(argv[i][<span style="COLOR: #]) 139{
140case 'u': 141system_user = argv[i+<span style="COLOR: #]; 142break; 143case 'D': 144DebugLevel = atoi(argv[i+<span style="COLOR: #]); 145break; 146 147} 148} 149if(system_user == NULL) 150{
151usage(argv[<span style="COLOR: #]); 152return -<span style="COLOR: #; 153} 154UserenvModule = LoadLibrary("Userenv.dll"); 155if(UserenvModule == NULL ) 156{
157printf("[-] GetModuleHandle
Userenv error:%d\n",GetLastError()); 158return -<span style="COLOR: #; 159} 160LoadUserProfile = (PLoadUserProfile) GetProcAddress(UserenvModule,"LoadUserProfileA"); 161if(LoadUserProfile == NULL) 162{
163printf("[-] GetProcAddress LoadUserProfile error:%d\n",GetLastError()); 164return -<span style="COLOR: #; 165} 166 167UnloadUserProfile = (PUnloadUserProfile) GetProcAddress(UserenvModule,"UnloadUserProfile"); 168if(UnloadUserProfile == NULL) 169{
170printf("[-] GetProcAddress UnloadUserProfile error:%d\n",GetLastError()); 171return -<span style="COLOR: #; 172} 173 174if (WSAStartup(MAKEWORD(<span style="COLOR: #,<span style="COLOR: #), &wsd) != <span style="COLOR: #) 175{
176printf("[-] WSAStartup error:%d\n", WSAGetLastError()); 177return -<span style="COLOR: #; 178} 179//首先建立一个TOKEN,这里假设是ADMIN用户 180//提升自己权限,先. 181printf("[+] Enable SeDebugPrivilege..\n"); 182if(GrantPriv("SeDebugPrivilege") & <span style="COLOR: #) 183return -<span style="COLOR: #; 184printf("[+] Get Lsass.exe Pid.");
185fflush(NULL); 186lsasspid = GetPidOfProcess("lsass.exe"); 187if(lsasspid == -<span style="COLOR: #) 188{
189printf("Get Pid of services failed\n"); 190return -<span style="COLOR: #; 191} 192printf("%d\n",lsasspid); 193//从Lsass继承权限. 194printf("[+] GrantPrivilege From Lsass .\n"); 195if(GrantPrivFromLsass(lsasspid) == <span style="COLOR: #) 196{
197//建立一个TOKEN 198//NewToken = CreateTokenAsUser(system_user); 199printf("[+] Calling NtCreateTokenAsuser \n"); 200NewToken = NtCreateTokenAsuser(system_user); 201if(NewToken != INVALID_HANDLE_VALUE) 202{
203STARTUPINFO 204PROCESS_INFORMATION 205PROFILEINFO ProfileI 206 207 208printf("[+] CreateProcess By that Token\n");
209fflush(stdout); 210Sleep(<span style="COLOR: #00); 211LoadUserProfile(NewToken,&ProfileInfo); 212 213ZeroMemory( &si, sizeof(si) ); 214si.cb = sizeof(si); 215//si.lpDesktop = TEXT("winstaABC\\testdesktop"); 216ZeroMemory( &pi, sizeof(pi) ); 217if( !CreateProcessAsUser( NewToken, 218NULL, // No module name (use command line).
"cmd", // Command line.
// Process handle not inheritable.
// Thread handle not inheritable.
// Set handle inheritance to FALSE.
<span style="COLOR: #,
// No creation flags.
// Use parent's environment block.
// Use parent's starting directory.
// Pointer to STARTUPINFO structure. 227
// Pointer to PROCESS_INFORMATION structure. 228)
230printf( "CreateProcessAsuser failed:%d.",GetLastError()); 231exit(<span style="COLOR: #); 232} 233 234// Wait until child process exits. 235WaitForSingleObject( pi.hProcess, INFINITE ); 236// Close process and thread handles.
237CloseHandle( pi.hProcess ); 238CloseHandle( pi.hThread ); 239printf("[-] Process exited.\n"); 240UnloadUserProfile(NewToken,ProfileInfo.hProfile); 241CloseHandle(NewToken); 242//用这个Token建立进程 243} 244} 245WSACleanup(); 246exit(<span style="COLOR: #); 247} 248//获得指定exe的PID 249int GetPidOfProcess(char *exe) 250{
251HANDLE hProcessSnap = NULL;
252BOOL bRet = FALSE;
253PROCESSENTRY32 pe32; 254int 255 256memset(&pe32,<span style="COLOR: #,sizeof(PROCESSENTRY32)); 257pid = -<span style="COLOR: #; 258hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,<span style="COLOR: #);
259if (hProcessSnap == INVALID_HANDLE_VALUE)
261printf("CreateToolhelp32Snapshot Failed:%d\n",GetLastError()); 262return
263} 264//copy from MSDN 265pe32.dwSize = sizeof(PROCESSENTRY32);
266if (Process32First(hProcessSnap, &pe32))
268do 269{
270if(stricmp(pe32.szExeFile,exe) == <span style="COLOR: #) 271{
272pid = pe32.th32ProcessID; 273break; 274} 275//printf( "PID:%d\n", pe32.th32ProcessID); 276//printf( "exepath:%s\n", pe32.szExeFile); 277} while(Process32Next(hProcessSnap, &pe32));
280return 281// Do not forget to clean up the snapshot object.
282CloseHandle(hProcessSnap);
284} 285//返回指定用户/组的SID 286PSID GetUserSid(char *LookupUser) 287{
288SID *GroupS 289//char StringSid[SIZE]; 290//DWORD SidSize,GroupC 291char *DomainN 292//**UserGroup,*CurrentU 293DWORD cbSid,cbDomainN 294SID_NAME_USE peU 295int ErrorCode,i; 296 297cbDomainName = <span style="COLOR: #; 298cbSid = <span style="COLOR: #; 299LookupAccountName(NULL,LookupUser,NULL,&cbSid,NULL,&cbDomainName,&peUse); 300ErrorCode = GetLastError(); 301if(ErrorCode == ERROR_INSUFFICIENT_BUFFER) //<span style="COLOR: #2 302{
303//printf("Buffer is small. require cbSid %d bytes,cbDomainName %d bytes\n",cbSid,cbDomainName); 304GroupSid = (SID *) malloc(cbSid + <span style="COLOR: #); 305DomainName = (char*) malloc(cbDomainName + <span style="COLOR: #); 306if((GroupSid == NULL) || (DomainName == NULL)) 307{
308printf("Malloc failed:%d\n",GetLastError()); 309return NULL; 310} 311memset(GroupSid,<span style="COLOR: #,cbSid + <span style="COLOR: #); 312memset(DomainName,<span style="COLOR: #,cbDomainName + <span style="COLOR: #); 313} 314else 315{
316printf("LookupAccountName in GetUserSid(\"%s\") Failed:%d\n",LookupUser,ErrorCode); 317return NULL; 318} 319if(!LookupAccountName(NULL,LookupUser,GroupSid,&cbSid,DomainName,&cbDomainName,&peUse)) 320{
321printf("LookupAccountName GetUserSid(\"%s\") After Malloc Failed:%d\n",LookupUser,GetLastError()); 322return NULL; 323} 324pfree(DomainName); 325return GroupS 326} 327 328//建立Administrators和SYSTEM 共用的privilege 329TOKEN_PRIVILEGES *MakeAdminPriv() 330{
331TOKEN_PRIVILEGES *token_ 332DWORD i,PrivilegeC 333 334i = <span style="COLOR: #; 335PrivilegeCount = <span style="COLOR: #; 336token_privileges = (PTOKEN_PRIVILEGES) malloc(<span style="COLOR: # + (<span style="COLOR: #*<span style="COLOR: #)*PrivilegeCount + <span style="COLOR: #); 337if(token_privileges == NULL) 338{
339printf("malloc failed for PTOKEN_PRIVILEGES in NtCreateTokenAsuser\n"); 340return NULL; 341} 342token_privileges-&PrivilegeCount = PrivilegeC 343//<span style="COLOR: # 344token_privileges-&Privileges[i].Attributes = <span style="COLOR: #; 345token_privileges-&Privileges[i++].Luid = GetLuidFromText("SeTcbPrivilege"); 346//<span style="COLOR: # 347token_privileges-&Privileges[i].Attributes = <span style="COLOR: #; 348token_privileges-&Privileges[i++].Luid = GetLuidFromText("SeCreateTokenPrivilege"); 349//<span style="COLOR: # 350token_privileges-&Privileges[i].Attributes = <span style="COLOR: #; 351token_privileges-&Privileges[i++].Luid = GetLuidFromText("SeTakeOwnershipPrivilege"); 352//<span style="COLOR: #
353token_privileges-&Privileges[i].Attributes = <span style="COLOR: #; 354token_privileges-&Privileges[i++].Luid = GetLuidFromText("SeCreatePagefilePrivilege"); 355//<span style="COLOR: # 356token_privileges-&Privileges[i].Attributes = <span style="COLOR: #; 357token_privileges-&Privileges[i++].Luid = GetLuidFromText("SeLockMemoryPrivilege"); 358//<span style="COLOR: # 359token_privileges-&Privileges[i].Attributes = <span style="COLOR: #; 360token_privileges-&Privileges[i++].Luid = GetLuidFromText("SeAssignPrimaryTokenPrivilege"); 361//<span style="COLOR: # 362token_privileges-&Privileges[i].Attributes = <span style="COLOR: #; 363token_privileges-&Privileges[i++].Luid = GetLuidFromText("SeIncreaseQuotaPrivilege"); 364//<span style="COLOR: #
365token_privileges-&Privileges[i].Attributes = <span style="COLOR: #; 366token_privileges-&Privileges[i++].Luid = GetLuidFromText("SeIncreaseBasePriorityPrivilege"); 367//<span style="COLOR: # 368token_privileges-&Privileges[i].Attributes = <span style="COLOR: #; 369token_privileges-&Privileges[i++].Luid = GetLuidFromText("SeCreatePermanentPrivilege"); 370//<span style="COLOR: # 371token_privileges-&Privileges[i].Attributes = <span style="COLOR: #; 372token_privileges-&Privileges[i++].Luid = GetLuidFromText("SeDebugPrivilege"); 373//<span style="COLOR: # 374token_privileges-&Privileges[i].Attributes = <span style="COLOR: #; 375token_privileges-&Privileges[i++].Luid = GetLuidFromText("SeAuditPrivilege"); 376//<span style="COLOR: # 377token_privileges-&Privileges[i].Attributes = <span style="COLOR: #; 378token_privileges-&Privileges[i++].Luid = GetLuidFromText("SeSecurityPrivilege"); 379//<span style="COLOR: # 380token_privileges-&Privileges[i].Attributes = <span style="COLOR: #; 381token_privileges-&Privileges[i++].Luid = GetLuidFromText("SeSystemEnvironmentPrivilege"); 382//<span style="COLOR: # 383token_privileges-&Privileges[i].Attributes = <span style="COLOR: #; 384token_privileges-&Privileges[i++].Luid = GetLuidFromText("SeChangeNotifyPrivilege"); 385//<span style="COLOR: # 386token_privileges-&Privileges[i].Attributes = <span style="COLOR: #; 387token_privileges-&Privileges[i++].Luid = GetLuidFromText("SeBackupPrivilege"); 388//<span style="COLOR: # 389token_privileges-&Privileges[i].Attributes = <span style="COLOR: #; 390token_privileges-&Privileges[i++].Luid = GetLuidFromText("SeRestorePrivilege"); 391//<span style="COLOR: # 392token_privileges-&Privileges[i].Attributes = <span style="COLOR: #; 393token_privileges-&Privileges[i++].Luid = GetLuidFromText("SeShutdownPrivilege"); 394//<span style="COLOR: # 395token_privileges-&Privileges[i].Attributes = <span style="COLOR: #; 396token_privileges-&Privileges[i++].Luid = GetLuidFromText("SeLoadDriverPrivilege"); 
397//<span style="COLOR: # 398token_privileges-&Privileges[i].Attributes = <span style="COLOR: #; 399token_privileges-&Privileges[i++].Luid = GetLuidFromText("SeProfileSingleProcessPrivilege"); 400//<span style="COLOR: # 401token_privileges-&Privileges[i].Attributes = <span style="COLOR: #; 402token_privileges-&Privileges[i++].Luid = GetLuidFromText("SeSystemtimePrivilege"); 403//<span style="COLOR: # 404token_privileges-&Privileges[i].Attributes = <span style="COLOR: #; 405token_privileges-&Privileges[i++].Luid = GetLuidFromText("SeUndockPrivilege"); 406//<span style="COLOR: # 407token_privileges-&Privileges[i].Attributes = <span style="COLOR: #; 408token_privileges-&Privileges[i++].Luid = GetLuidFromText("SeManageVolumePrivilege"); 409//<span style="COLOR: # 410token_privileges-&Privileges[i].Attributes = <span style="COLOR: #; 411token_privileges-&Privileges[i++].Luid = GetLuidFromText("SeImpersonatePrivilege"); 412//<span style="COLOR: # 413token_privileges-&Privileges[i].Attributes = <span style="COLOR: #; 414token_privileges-&Privileges[i++].Luid = GetLuidFromText("SeCreateGlobalPrivilege"); 415 416return token_ 417 418} 419//加用户到HANDLE 420BOOL AddUserPrivToHandle(HANDLE Hhandle,char *s,ACCESS_MODE mode) 421{
422PSECURITY_DESCRIPTOR pSecurityDescriptor1,pSD = NULL; 423DWORD size,size1,len,ErrorCode,DaclPresent,DaclDefaulted,dwAbsoluteSDSize,dwDaclSize,dwSaclSize,dwOwnerSize,dwPrimaryGroupS 424ACL OldA 425PACL POldAcl,PNewAcl,pDacl,pS 426PSID pOwner,pPrimaryG 427EXPLICIT_ACCESS ExplicitAccess1; 428SECURITY_INFORMATION 429 430dwAbsoluteSDSize = dwDaclSize = dwSaclSize = dwOwnerSize = dwPrimaryGroupSize = <span style="COLOR: #;
431 432size = <span style="COLOR: #; 433sinfo = DACL_SECURITY_INFORMATION; 434//获得SECURITY_DESCRIPTOR 435GetUserObjectSecurity(Hhandle,&sinfo,pSD,size,&len); 436ErrorCode = GetLastError(); 437if(ErrorCode == ERROR_INSUFFICIENT_BUFFER) //<span style="COLOR: #2 438{
439pSD = (PSECURITY_DESCRIPTOR) malloc(len + <span style="COLOR: #); 440if(pSD == NULL) 441{
442printf("Malloc failed:%d\n",GetLastError()); 443return FALSE; 444} 445memset(pSD,<span style="COLOR: #,len + <span style="COLOR: #); 446size = 447} 448else 449{
450printf("GetUserObjectSecurity in AddUserPrivToHandle(\"%s\") Failed:%d\n",s,ErrorCode); 451return FALSE; 452} 453if(!GetUserObjectSecurity(Hhandle,&sinfo,pSD,size,&len)) 454{
455printf("GetUserObjectSecurity in AddUserPrivToHandle(\"%s\") Failed:%d\n",s,ErrorCode); 456return FALSE; 457} 458//获得DACL 459POldAcl = NULL; 460if(!GetSecurityDescriptorDacl(pSD,&DaclPresent,&POldAcl,&DaclDefaulted)) 461{
462printf("GetSecurityDescriptorDacl Error:%d\n",GetLastError()); 463return FALSE; 464} 465//重新生成一个ACL,然后在后面合并进去,给administrators组全部的权限. 466memset(&ExplicitAccess1,<span style="COLOR: #,sizeof(ExplicitAccess1)); 467BuildExplicitAccessWithName(&ExplicitAccess1,s,mode,GRANT_ACCESS,NO_INHERITANCE); 468//合并权限 469ErrorCode = SetEntriesInAcl(<span style="COLOR: #,&ExplicitAccess1,POldAcl,&PNewAcl); 470if(ErrorCode !=
ERROR_SUCCESS) 471{
472printf("SetEntriesInAcl Error:%d\n",ErrorCode); 473return FALSE; 474} 475 476dwAbsoluteSDSize = <span style="COLOR: #x400; 477pSecurityDescriptor1 = (PSECURITY_DESCRIPTOR) malloc(dwAbsoluteSDSize+<span style="COLOR: #); 478if(pSecurityDescriptor1 == NULL) 479{
480printf("Malloc for MakeAbsoluteSD failed:%d\n",GetLastError()); 481return FALSE; 482} 483memset(pSecurityDescriptor1,<span style="COLOR: #,dwAbsoluteSDSize+<span style="COLOR: #); 484 485MakeAbsoluteSD( pSD, 486pSecurityDescriptor1, 487&dwAbsoluteSDSize, 488NULL, 489&dwDaclSize, 490NULL, 491&dwSaclSize, 492NULL, 493&dwOwnerSize, 494NULL, 495&dwPrimaryGroupSize); 496//申请内存先.
497ErrorCode = GetLastError(); 498 499if(ErrorCode == ERROR_INSUFFICIENT_BUFFER) 500{
501//申请内存 502//printf("申请内存大小:\ndwDaclSize=%d\ndwSaclSize=%d\ndwOwnerSize=%d\ndwPrimaryGroupSize=%d\ndwAbsoluteSDSize=%d\n", 503// dwDaclSize,dwSaclSize,dwOwnerSize,dwPrimaryGroupSize,dwAbsoluteSDSize); 504// 505//pSecurityDescriptor1 = (PSECURITY_DESCRIPTOR) malloc(dwAbsoluteSDSize+1); 506pDacl = (PACL) malloc(dwDaclSize+<span style="COLOR: #); 507pSacl = (PACL) malloc(dwSaclSize+<span style="COLOR: #); 508pOwner = (PSID) malloc(dwOwnerSize+<span style="COLOR: #); 509pPrimaryGroup = (PSID) malloc(dwPrimaryGroupSize+<span style="COLOR: #); 510 511if( //(pSecurityDescriptor1 == NULL) ||
(pDacl == NULL) || 513
(pSacl == NULL) || 514
(pOwner == NULL) || 515
(pPrimaryGroup == NULL)) 516{
517printf("Malloc for MakeAbsoluteSD failed:%d\n",GetLastError()); 518return FALSE; 519} 520//memset(pSecurityDescriptor1,0,dwAbsoluteSDSize+1); 521} 522else 523{
524printf("MakeAbsoluteSD Error:%d\n",GetLastError()); 525return FALSE; 526} 527//申请后就可以接受了 528if(!MakeAbsoluteSD(pSD, 529pSecurityDescriptor1, 530&dwAbsoluteSDSize, 531pDacl, 532&dwDaclSize, 533pSacl, 534&dwSaclSize, 535pOwner, 536&dwOwnerSize, 537pPrimaryGroup, 538&dwPrimaryGroupSize)) 539{
540printf("MakeAbsoluteSD After Malloc Error:%d\n",GetLastError()); 541return FALSE; 542} 543//printf("实际接受大小:\ndwDaclSize=%d\ndwSaclSize=%d\ndwOwnerSize=%d\ndwPrimaryGroupSize=%d\ndwAbsoluteSDSize=%d\n", 544// dwDaclSize,dwSaclSize,dwOwnerSize,dwPrimaryGroupSize,size1); 545//设置新的DACL
546if(!SetSecurityDescriptorDacl(pSecurityDescriptor1,DaclPresent,PNewAcl,DaclDefaulted)) 547{
548printf("SetSecurityDescriptorDacl Error:%d\n",GetLastError()); 549return FALSE; 550} 551//检查新的SecurityDescriptor是否合法 552if(!IsValidSecurityDescriptor(pSecurityDescriptor1)) 553{
554printf("pSecurityDescriptor1 is not a valid SD:%d\n",GetLastError()); 555return FALSE; 556} 557 558//给句柄设置新的ACL 559if(!SetUserObjectSecurity(Hhandle,&sinfo,pSecurityDescriptor1)) 560{
561printf("SetKernelObjectSecurity Error:%d\n",GetLastError()); 562return FALSE; 563} 564if(POldAcl) 565LocalFree(POldAcl); 566if(PNewAcl) 567LocalFree(PNewAcl); 568pfree(pSD); 569pfree(pSecurityDescriptor1); 570pfree(pDacl); 571pfree(pSacl); 572pfree(pOwner); 573pfree(pPrimaryGroup);
574return TRUE;
575} 576 577//根据指定用户名来建立Token 578HANDLE NtCreateTokenAsuser(char *user) 579{
580SID *GroupSid,*UserS 581char StringSid[SIZE],UserDefaultGroup[SIZE]; 582DWORD SidSize,GroupCount,GroupCount2,IsNotUsersGroup = <span style="COLOR: #; 583char *DomainName,**UserGroup,*CurrentU 584DWORD cbSid,cbDomainName,SessionId, 585SID_NAME_USE peU 586int ErrorCode,i; 587LUID Luid = ANONYMOUS_LOGON_LUID; 588//LUID Luid = SYSTEM_LUID; 589SECURITY_QUALITY_OF_SERVICE security_quality_of_service = 590
sizeof( security_quality_of_service ), 592
SecurityAnonymous, 593
SECURITY_STATIC_TRACKING, 594
}; 596OBJECT_ATTRIBUTES
object_attributes
sizeof( object_attributes ), 599
<span style="COLOR: #, 602
&security_quality_of_service 604}; 605 606TOKEN_SOURCE token_ 607TOKEN_PRIVILEGES
*token_ 608TOKEN_GROUPS *token_ 609TOKEN_USER token_ 610TOKEN_OWNER token_ 611TOKEN_PRIMARY_GROUP
token_primary_ 612TOKEN_DEFAULT_DACL token_default_dacl,*SelfD 613ACL NewAcl2,*NewA 614TOKEN_TYPE 615HANDLE token,SelfT 616NTSTATUS ntstatus,ntstatus2; 617PNtCreateToken NtCreateT 618HMODULE 619ACCESS_MASK DesiredA 620LARGE_INTEGER
ExpireT 621EXPLICIT_ACCESS ExplicitA 622//给winstation用的 623HDESK 624HWINSTA 625DWORD PrivilegeC 626//是否是SYSTEM用户 627DWORD IfIsSystemUser = <span style="COLOR: #,IfIsAdmin = <span style="COLOR: #; 628//定义结束 629 630//获取CreateToken地址 631ntdllmodule = GetModuleHandle("ntdll"); 632if(ntdllmodule == NULL ) 633{
634printf("[-] GetModuleHandle
ntdll error:%d\n",GetLastError()); 635return INVALID_HANDLE_VALUE; 636} 637NtCreateToken = (PNtCreateToken) GetProcAddress(ntdllmodule,"ZwCreateToken"); 638if(NtCreateToken == NULL) 639{
640printf("[-] GetProcAddress NtCreateToken error:%d\n",GetLastError()); 641return INVALID_HANDLE_VALUE; 642} 643 644if(stricmp(user,"system") == <span style="COLOR: #) 645{
646IfIsSystemUser = <span style="COLOR: #; 647//Luid.LowPart = 0x3e7; 648//Luid.HighPart = 0x0; 649} 650//arg 2 for NtCreateToken(); 651DesiredAccess = TOKEN_ALL_ACCESS; 652//arg 3 for NtCreateToken(); 653//arg 4 for NtCreateToken(); 654//IN TOKEN_TYPE
TokenType, 655tokentype = TokenP 656//arg 5 for NtCreateToken(); 657//memcpy(&Luid,&SYSTEM_LUID,sizeof(Luid)); 658/**//* 659if(!AllocateLocallyUniqueId(&Luid)) 660{
661printf("AllocateLocallyUniqueId Failed:%d\n",GetLastError()); 662return INVALID_HANDLE_VALUE; 663} 664*/ 665//arg 6 for NtCreateToken(); 666ExpireTime.LowPart = <span style="COLOR: #xffffffff; 667ExpireTime.HighPart = <span style="COLOR: #x7fffffff; 668//printf("sizeof(ExpireTime) = %d\n",sizeof(ExpireTime)); 669//QueryPerformanceFrequency(&ExpireTime); 670//arg 7 for NtCreateToken(); 671//token_user正确 672token_user.User.Sid = GetUserSid(user); 673if(token_user.User.Sid == NULL) 674return INVALID_HANDLE_VALUE; 675token_user.User.Attributes = <span style="COLOR: #; //must be 0 676if(IfIsSystemUser == <span style="COLOR: #) //一般用户 677{
678//arg 8 for NtCreateToken(); 679if(!GetUserGroup(user,&UserGroup,&GroupCount)) 680return INVALID_HANDLE_VALUE; 681//printf("=====================\nGet %d groups\n",GroupCount); 682//给token_groups申请内存 683//看用户组里面有没有"Users" 684IsNotUsersGroup = <span style="COLOR: #; 685for(i=<span style="COLOR: #;i&GroupCi++) 686{
687CurrentUser = UserGroup[i]; 688if(stricmp(CurrentUser,"Users") == <span style="COLOR: #) 689{
690IsNotUsersGroup = <span style="COLOR: #; 691continue; 692} 693if(stricmp(CurrentUser,"Administrators") == <span style="COLOR: #) 694{
695IfIsAdmin = <span style="COLOR: #; 696continue; 697} 698} 699//保存一下,后面要用 700GroupCount2 = GroupC 701//没有就+1,有就+0 702GroupCount += IsNotUsersGroup + <span style="COLOR: #; 703token_groups = (PTOKEN_GROUPS) malloc(<span style="COLOR: #+(<span style="COLOR: #+<span style="COLOR: #)*GroupCount+<span style="COLOR: #); 704if(token_groups == NULL) 705{
706printf("Malloc for token_groups failed:%d\n",GetLastError()); 707return INVALID_HANDLE_VALUE; 708} 709//加"None","Everyone","INTERACTIVE" 组 710//printf("GroupCount:%d\n",GroupCount); 711token_groups-&GroupCount = GroupC 712//给第11个参数用 713//memset(UserDefaultGroup,0,SIZE); 714//strncpy(UserDefaultGroup,UserGroup[0],SIZE -1 ); 715//printf("GroupCount:%d\n",GroupCount); 716//token_group需要最少加以下四个组: 717//只有Users可能有用户或者帐号存在 718//"None","Everyone","Users","INTERACTIVE"他们的ATTribute都是7 719if(DebugLevel != <span style="COLOR: #) 720{
721printf("Using DebugLevel 0x%x \n",DebugLevel); 722} 723for(i=<span style="COLOR: #;i&GroupCount2;i++) 724{
725//printf("%d:%s\n",i,UserGroup[i]); 726 727CurrentUser = UserGroup[i]; 728GroupSid = GetUserSid(CurrentUser); 729if(GroupSid == NULL) 730return INVALID_HANDLE_VALUE; 731token_groups-&Groups[i].Sid = GroupS 732token_groups-&Groups[i].Attributes = DebugL 733free(CurrentUser); 734} 735free(UserGroup); 736/**//* 737GroupSid = GetUserSid("None"); 738if(GroupSid == NULL) 739return INVALID_HANDLE_VALUE; 740token_groups-&Groups[i].Sid = GroupS 741token_groups-&Groups[i++].Attributes = DebugL 742*/ 743GroupSid = GetUserSid("Everyone"); 744if(GroupSid == NULL) 745return INVALID_HANDLE_VALUE; 746token_groups-&Groups[i].Sid = GroupS 747token_groups-&Groups[i++].Attributes = DebugL 748 749GroupSid = GetUserSid("INTERACTIVE"); 750if(GroupSid == NULL) 751return INVALID_HANDLE_VALUE; 752token_groups-&Groups[i].Sid = GroupS 753token_groups-&Groups[i++].Attributes = DebugL 754 755if(IsNotUsersGroup) 756{
757GroupSid = GetUserSid("Users"); 758if(GroupSid == NULL) 759return INVALID_HANDLE_VALUE; 760token_groups-&Groups[i].Sid = GroupS 761token_groups-&Groups[i++].Attributes = DebugL 762} 763//arg 9 for NtCreateToken(); 764//这个倒没错 765//先申请内存 766if(IfIsAdmin == <span style="COLOR: #) //如果不是管理员组 767{
768PrivilegeCount = <span style="COLOR: #; 769token_privileges = (PTOKEN_PRIVILEGES) malloc(<span style="COLOR: # + (<span style="COLOR: #*<span style="COLOR: #)*PrivilegeCount + <span style="COLOR: #); 770if(token_privileges == NULL) 771{
772printf("malloc failed for PTOKEN_PRIVILEGES in NtCreateTokenAsuser\n"); 773return INVALID_HANDLE_VALUE; 774} 775token_privileges-&PrivilegeCount = PrivilegeC 776(token_privileges-&Privileges)[<span style="COLOR: #].Attributes = SE_PRIVILEGE_ENABLED_BY_DEFAULT; 777(token_privileges-&Privileges)[<span style="COLOR: #].Luid = GetLuidFromText("SeChangeNotifyPrivilege"); 778 779(token_privileges-&Privileges)[<span style="COLOR: #].Attributes = SE_PRIVILEGE_ENABLED_BY_DEFAULT; 780(token_privileges-&Privileges)[<span style="COLOR: #].Luid = GetLuidFromText("SeUndockPrivilege"); 781} 782else 783{
784token_privileges = MakeAdminPriv(); 785if(token_privileges == NULL) 786return INVALID_HANDLE_VALUE; 787} 788/**//* 789if(!AllocateLocallyUniqueId(&(token_privileges.Privileges[0].Luid))) 790{
791printf("AllocateLocallyUniqueId for token_privileges Failed:%d\n",GetLastError()); 792return INVALID_HANDLE_VALUE; 793} 794*/ 795//arg 10 for NtCreateToken(); 796//正确的方法 797token_owner.Owner = GetUserSid(user); 798if(token_owner.Owner == NULL) 799return INVALID_HANDLE_VALUE; 800//arg 11 for NtCreateToken(); 801//PrimaryGroup统一都是None 802token_primary_group.PrimaryGroup = GetUserSid(user); 803if(token_primary_group.PrimaryGroup == NULL) 804return INVALID_HANDLE_VALUE; 805}
806else 807{
808//设置usergroup 809//三个组:administrators(0xe),everyone(0x7),Authenticated Users(0x7) 810GroupCount = <span style="COLOR: #; 811token_groups = (PTOKEN_GROUPS) malloc(<span style="COLOR: #+(<span style="COLOR: #+<span style="COLOR: #)*GroupCount+<span style="COLOR: #); 812if(token_groups == NULL) 813{
814printf("Malloc for token_groups failed:%d\n",GetLastError()); 815return INVALID_HANDLE_VALUE; 816} 817token_groups-&GroupCount = GroupC 818//自定义的debuglevel 819if(DebugLevel != <span style="COLOR: #) 820{
821printf("Using DebugLevel 0x%x \n",DebugLevel); 822} 823i = <span style="COLOR: #; 824GroupSid = GetUserSid("administrators"); 825if(GroupSid == NULL) 826return INVALID_HANDLE_VALUE; 827token_groups-&Groups[i].Sid = GroupS 828token_groups-&Groups[i++].Attributes = <span style="COLOR: #xe; 829 830GroupSid = GetUserSid("Everyone"); 831if(GroupSid == NULL) 832return INVALID_HANDLE_VALUE; 833token_groups-&Groups[i].Sid = GroupS 834token_groups-&Groups[i++].Attributes = DebugL 835/**//* 836GroupSid = GetUserSid("Authenticated Users"); 837if(GroupSid == NULL) 838return INVALID_HANDLE_VALUE; 839token_groups-&Groups[i].Sid = GroupS 840token_groups-&Groups[i++].Attributes = DebugL 841*/ 842//设置 token_privileges 843token_privileges = MakeAdminPriv(); 844if(token_privileges == NULL) 845return INVALID_HANDLE_VALUE; 846//token_owner 847token_owner.Owner = GetUserSid("administrators"); 848if(token_owner.Owner == NULL) 849return INVALID_HANDLE_VALUE; 850//arg 11 for NtCreateToken(); 851//PrimaryGroup统一都是None 852token_primary_group.PrimaryGroup = GetUserSid("SYSTEM"); 853if(token_primary_group.PrimaryGroup == NULL) 854return INVALID_HANDLE_VALUE; 855} 856//arg 12 for NtCreateToken(); 857//NULL? 858//token_default_dacl 859/**//* 860token_default_dacl-&DefaultDacl-&AclRevision:2 861token_default_dacl-&DefaultDacl-&Sbz1:0 862token_default_dacl-&DefaultDacl-&AclSize:64 863token_default_dacl-&DefaultDacl-&AceCount:2 864token_default_dacl-&DefaultDacl-&Sbz2:0 865*/ 866if(!OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY, &SelfToken)) 867{
868printf("OpenProcessToken self Error:%d\n",GetLastError()); 869return INVALID_HANDLE_VALUE; 870} 871BuildExplicitAccessWithName(&ExplicitAccess,user,GENERIC_ALL,GRANT_ACCESS,NO_INHERITANCE); 872SelfDacl = (PTOKEN_DEFAULT_DACL) GetFromToken(SelfToken,TokenDefaultDacl); 873if(SelfDacl == NULL) 874{
875CloseHandle(SelfToken); 876return INVALID_HANDLE_VALUE; 877} 878ErrorCode = SetEntriesInAcl(<span style="COLOR: #,&ExplicitAccess,SelfDacl-&DefaultDacl,&NewAcl); 879if(ErrorCode != ERROR_SUCCESS) 880{
881printf("SetEntriesInAcl Under NtCreateTokenAsuser Failed:%d\n",ErrorCode); 882CloseHandle(SelfToken); 883return INVALID_HANDLE_VALUE; 884} 885//获得当前进程的SessionID,然后再同样set到新的token里面 886//printf("SelfProcess:\n"); 887//DisplayTokenSessionId(SelfToken); 888//SessionId, 889sessionlen = sizeof(DWORD); 890if(!GetTokenInformation(SelfToken,TokenSessionId,&SessionId,sessionlen,&sessionlen)) 891{
892printf("GetTokenInformation TokenSessionId Failed:%d\n",GetLastError()); 893CloseHandle(SelfToken); 894return INVALID_HANDLE_VALUE; 895} 896CloseHandle(SelfToken); 897token_default_dacl.DefaultDacl = NewA 898/**//* 899NewAcl2.AclRevision = 2; 900NewAcl2.Sbz1 = 0; 901NewAcl2.AclSize = 64; 902NewAcl2.AceCount = 2; 903NewAcl2.Sbz2 = 0; 904ErrorCode = SetEntriesInAcl(0,NULL,NULL,&NewAcl); 905if(ErrorCode != ERROR_SUCCESS) 906{
907printf("SetEntriesInAcl As new one failed:%d\n",ErrorCode); 908return INVALID_HANDLE_VALUE; 909} 910token_default_dacl.DefaultDacl = NewA 911*/ 912//arg 13 for NtCreateToken(); 913//token_source 914if(IfIsSystemUser == <span style="COLOR: #) //一般用户 915memcpy(token_source.SourceName,"seclogon",<span style="COLOR: #); 916else 917memcpy(token_source.SourceName,"*SYSTEM*",<span style="COLOR: #);
918//生成LUID 919//token_source.SourceIdentifier = L 920if(!AllocateLocallyUniqueId(&(token_source.SourceIdentifier))) 921{
922printf("AllocateLocallyUniqueId for token_source Failed:%d\n",GetLastError()); 923return INVALID_HANDLE_VALUE; 924} 925if(IfIsSystemUser == <span style="COLOR: #) 926{
927//将该用户权限加入到当前用户所使用的 桌面 和 winstation 928//hwinsta = OpenWindowStation("WinSta0",TRUE,WINSTA_ALL); 929hwinsta = GetProcessWindowStation(); 930if (hwinsta == NULL) 931{
932printf("OpenWindowStation Error:%d\n",GetLastError()); 933return INVALID_HANDLE_VALUE; 934} 935//hwinstaold = GetProcessWindowStation(); 936 937//
938// set the windowstation to winsta0 so that you obtain the 939// correct default desktop 940//
941/**//* 942if (!SetProcessWindowStation(hwinsta)) 943{
944printf("SetProcessWindowStation Error:%d\n",GetLastError()); 945CloseWindowStation(hwinsta); 946return INVALID_HANDLE_VALUE; 947} 948*/ 949//
950// obtain a handle to the "default" desktop 951//
952//hdesk = OpenDesktop("Default",DF_ALLOWOTHERACCOUNTHOOK,FALSE,DESKTOP_ALL); 953hdesk = GetThreadDesktop(GetCurrentThreadId()); 954if (hdesk == NULL) 955{
956printf("OpenDesktop Error:%d\n",GetLastError()); 957CloseWindowStation(hwinsta); 958return INVALID_HANDLE_VALUE; 959} 960// add the user to interactive windowstation 961//
962AddUserPrivToHandle(hwinsta,user,WINSTA_ALL); 963AddUserPrivToHandle(hdesk,user,DESKTOP_ALL); 964/**//* 965if (!AddTheAceWindowStation(hwinsta, token_user.User.Sid)) 966{
967printf("AddTheAceWindowStation Error:%d\n",GetLastError()); 968CloseWindowStation(hwinsta); 969CloseDesktop(hdesk); 970return INVALID_HANDLE_VALUE; 971} 972//
973// add user to "default" desktop 974//
975if (!AddTheAceDesktop(hdesk, token_user.User.Sid)) 976{
977printf("AddTheAceDesktop Error:%d\n",GetLastError()); 978CloseWindowStation(hwinsta); 979CloseDesktop(hdesk); 980return INVALID_HANDLE_VALUE; 981} 982*/ 983if (!SetProcessWindowStation(hwinsta)) 984{
985printf("SetProcessWindowStation Error:%d\n",GetLastError()); 986CloseWindowStation(hwinsta); 987return INVALID_HANDLE_VALUE; 988} 989if(!SetThreadDesktop(hdesk)) 990{
991printf("SetThreadDesktop Error:%d\n",GetLastError()); 992CloseDesktop(hdesk); 993return INVALID_HANDLE_VALUE; 994} 995//
996// close the handles to the interactive windowstation and desktop 997//
998CloseWindowStation(hwinsta); 999CloseDesktop(hdesk);<span style="COLOR: #00}<span style="COLOR: #01//开始create<span style="COLOR: #02ntstatus = NtCreateToken( &token,<span style="COLOR: #03DesiredAccess,<span style="COLOR: #04&object_attributes,<span style="COLOR: #05tokentype,<span style="COLOR: #06&Luid,<span style="COLOR: #07&ExpireTime,<span style="COLOR: #08&token_user,<span style="COLOR: #09token_groups,<span style="COLOR: #10token_privileges,<span style="COLOR: #11&token_owner,<span style="COLOR: #12&token_primary_group,<span style="COLOR: #13&token_default_dacl,<span style="COLOR: #14&token_source<span style="COLOR: #15);<span style="COLOR: #16if(ntstatus != STATUS_SUCCESS)<span style="COLOR: #17{ <span style="COLOR: #18printf("CreateToken Failed:%d\n",LsaNtStatusToWinError(ntstatus));<span style="COLOR: #19return INVALID_HANDLE_VALUE;<span style="COLOR: #20} <span style="COLOR: #21//开始释放内存<span style="COLOR: #22/**//*<span style="COLOR: #23pfree(token_user.User.Sid);<span style="COLOR: #24pfree(token_groups);<span style="COLOR: #25pfree(token_privileges);<span style="COLOR: #26pfree(token_owner.Owner);<span style="COLOR: #27pfree(token_primary_group.PrimaryGroup);<span style="COLOR: #28if(NewAcl != NULL)<span style="COLOR: #29LocalFree(NewAcl);<span style="COLOR: #30*/<span style="COLOR: #31/**//*<span style="COLOR: #32printf("NewToken:\n");<span style="COLOR: #33DisplayTokenSessionId(token);<span style="COLOR: #34*/<span style="COLOR: #35if(TokenSessionId & <span style="COLOR: #)<span style="COLOR: #36{ <span style="COLOR: #37sessionlen = sizeof(DWORD);<span style="COLOR: #38if(!SetTokenInformation(token,TokenSessionId,&SessionId,sessionlen))<span style="COLOR: #39{ <span style="COLOR: #40printf("SetTokenInformation TokenSessionId Failed:%d\n",GetLastError());<span style="COLOR: #41}<span style="COLOR: #42}<span style="COLOR: #43return<span style="COLOR: #44}<span style="COLOR: #45<span style="COLOR: #46<span style="COLOR: 
#47//输出:指针指向一系列的group,groupcount为group数目.<span style="COLOR: #48BOOL GetUserGroup(char *username,char ***groupname,int *groupcount)<span style="COLOR: #49{ <span style="COLOR: #50LPLOCALGROUP_USERS_INFO_0 pBuf = NULL;<span style="COLOR: #51DWORD dwLevel = <span style="COLOR: #;<span style="COLOR: #52DWORD dwFlags = LG_INCLUDE_INDIRECT ;<span style="COLOR: #53DWORD dwPrefMaxLen = -<span style="COLOR: #;<span style="COLOR: #54DWORD dwEntriesRead = <span style="COLOR: #;<span style="COLOR: #55DWORD dwTotalEntries = <span style="COLOR: #;<span style="COLOR: #56NET_API_STATUS nS<span style="COLOR: #57DWORD<span style="COLOR: #58
DWORD dwTotalCount = <span style="COLOR: #;<span style="COLOR: #59WCHAR wUserName[<span style="COLOR: #0];//,wAdminGroup[50];<span style="COLOR: #60BOOL returnvalue=FALSE;<span style="COLOR: #61char *p;<span style="COLOR: #62DWORD<span style="COLOR: #63char **<span style="COLOR: #64<span style="COLOR: #65MultiByteToWideChar( CP_ACP, <span style="COLOR: #, username,-<span style="COLOR: #, wUserName,sizeof(wUserName)/sizeof(wUserName[<span style="COLOR: #]));<span style="COLOR: #66//MultiByteToWideChar( CP_ACP, 0, admingroup,-1, wAdminGroup,sizeof(wAdminGroup)/sizeof(wAdminGroup[0]));<span style="COLOR: #67<span style="COLOR: #68nStatus = NetUserGetLocalGroups(NULL,wUserName,dwLevel,dwFlags,(LPBYTE *) &pBuf,dwPrefMaxLen,&dwEntriesRead,&dwTotalEntries);<span style="COLOR: #69<span style="COLOR: #70
if (nStatus != NERR_Success)<span style="COLOR: #71
{ <span style="COLOR: #72
return<span style="COLOR: #73
}<span style="COLOR: #74
<span style="COLOR: #75
if(pBuf == NULL)<span style="COLOR: #76
return<span style="COLOR: #77
<span style="COLOR: #78<span style="COLOR: #79name = (char **) malloc(dwEntriesRead * sizeof(char *));<span style="COLOR: #80if(name == NULL)<span style="COLOR: #81{ <span style="COLOR: #82printf("malloc failed in GetUserGroup for name:%d\n",GetLastError());<span style="COLOR: #83return<span style="COLOR: #84}<span style="COLOR: #85returnvalue = TRUE;<span style="COLOR: #86
for (i = <span style="COLOR: #; i & dwEntriesR i++)<span style="COLOR: #87{ <span style="COLOR: #88if (pBuf == NULL)<span style="COLOR: #89return<span style="COLOR: #90len = wcslen(pBuf-&lgrui0_name);<span style="COLOR: #91p = (char *) malloc(len+<span style="COLOR: #);<span style="COLOR: #92if(p == NULL)<span style="COLOR: #93{ <span style="COLOR: #94printf("malloc failed in GetUserGroup:%d\n",GetLastError());<span style="COLOR: #95break;<span style="COLOR: #96}<span style="COLOR: #97wsprintf(p,"%S",pBuf-&lgrui0_name);<span style="COLOR: #98name[dwTotalCount] =<span style="COLOR: #99//printf("%d:%s\n",dwTotalCount,p);<span style="COLOR: #00pBuf++;<span style="COLOR: #01dwTotalCount++;<span style="COLOR: #02
}<span style="COLOR: #03
if(pBuf != NULL)<span style="COLOR: #04
NetApiBufferFree(pBuf);<span style="COLOR: #05
*groupname = <span style="COLOR: #06
*groupcount = dwTotalC<span style="COLOR: #07
return<span style="COLOR: #08}<span style="COLOR: #09//加权限<span style="COLOR: #10int GrantPriv(char *priv)<span style="COLOR: #11{ <span style="COLOR: #12HANDLE<span style="COLOR: #13TOKEN_PRIVILEGES<span style="COLOR: #14HANDLE hP<span style="COLOR: #15<span style="COLOR: #16//SeCreateTokenPrivilege<span style="COLOR: #17if(LookupPrivilegeValue(NULL,priv,&tkp.Privileges[<span style="COLOR: #].Luid) == FALSE)<span style="COLOR: #18{ <span style="COLOR: #19fprintf(stderr, "LookupPrivilegeValue failed: 0x%X\n", GetLastError());<span style="COLOR: #20return(-<span style="COLOR: #);<span style="COLOR: #21}<span style="COLOR: #22if(OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &token) == FALSE)<span style="COLOR: #23{ <span style="COLOR: #24fprintf(stderr, "OpenProcessToken SELF Failed: 0x%X\n", GetLastError());<span style="COLOR: #25return(-<span style="COLOR: #);<span style="COLOR: #26}<span style="COLOR: #27tkp.PrivilegeCount = <span style="COLOR: #;<span style="COLOR: #28tkp.Privileges[<span style="COLOR: #].Attributes = SE_PRIVILEGE_ENABLED;<span style="COLOR: #29if(!AdjustTokenPrivileges(token,FALSE,&tkp,<span style="COLOR: #,NULL, NULL))<span style="COLOR: #30{ <span style="COLOR: #31fprintf(stderr,"AdjustTokenPrivileges Failed: 0x%X\n", GetLastError());<span style="COLOR: #32return(-<span style="COLOR: #);<span style="COLOR: #33}<span style="COLOR: #34/**//*<span style="COLOR: #35else<span style="COLOR: #36{ <span style="COLOR: #37switch(GetLastError())<span style="COLOR: #38{ <span style="COLOR: #39case ERROR_SUCCESS:<span style="COLOR: #40printf("The function adjusted all specified privileges.\n");<span style="COLOR: #41<span style="COLOR: #42case ERROR_NOT_ALL_ASSIGNED: //0x514<span style="COLOR: #43printf("Adjust privileges not assigned\n");<span style="COLOR: #44<span style="COLOR: #45}<span style="COLOR: #46}<span style="COLOR: #47*/<span style="COLOR: #48CloseHandle(token); <span style="COLOR: #49return <span style="COLOR: 
#;<span style="COLOR: #50}<span style="COLOR: #51<span style="COLOR: #52//从 lsass.exe 继承权限<span style="COLOR: #53int GrantPrivFromLsass(int pid)<span style="COLOR: #54{ <span style="COLOR: #55HANDLE LsassHandle,LsassToken,NewT<span style="COLOR: #56<span style="COLOR: #57//首先打开进程,获得HANDLE<span style="COLOR: #58//PROCESS_QUERY_INFORMATION ,FALSE<span style="COLOR: #59//LsassHandle = OpenProcess(PROCESS_ALL_ACCESS,TRUE,pid);<span style="COLOR: #60LsassHandle = OpenProcess(PROCESS_QUERY_INFORMATION,FALSE,pid);<span style="COLOR: #61//在OpenProcessToken(READ|WRITE<span style="COLOR: #62if(LsassHandle == NULL)<span style="COLOR: #63{ <span style="COLOR: #64printf("OpenProcess %d Error:%d\n",pid,GetLastError());<span style="COLOR: #65return -<span style="COLOR: #;<span style="COLOR: #66}<span style="COLOR: #67//再opentoken<span style="COLOR: #68if(!OpenProcessToken(LsassHandle,STANDARD_RIGHTS_READ|WRITE_DAC,&LsassToken))<span style="COLOR: #69{ <span style="COLOR: #70printf("OpenProcessToken First Error:%d\n",GetLastError());<span style="COLOR: #71CloseHandle(LsassHandle);<span style="COLOR: #72return -<span style="COLOR: #;<span style="COLOR: #73}<span style="COLOR: #74//得到Token的ACL信息<span style="COLOR: #75//pSecurityDescriptor = NULL;<span style="COLOR: #76//size = 0;<span style="COLOR: #77//len = 0;<span style="COLOR: #78//先申请内存<span style="COLOR: #79if(!AddUserPrivToHandle(LsassToken,"administrators",TOKEN_ALL_ACCESS))<span style="COLOR: #80{ <span style="COLOR: #81CloseHandle(LsassToken);<span style="COLOR: #82CloseHandle(LsassHandle);<span style="COLOR: #83return -<span style="COLOR: #;<span style="COLOR: #84}<span style="COLOR: #85//关闭句柄<span style="COLOR: #86CloseHandle(LsassToken);<span style="COLOR: #87<span style="COLOR: #88//打开Token<span style="COLOR: #89if(!OpenProcessToken(LsassHandle,TOKEN_ALL_ACCESS,&LsassToken))<span style="COLOR: #90{ <span style="COLOR: #91printf("OpenProcessToken LsassHandle Error:%d\n",GetLastError());<span style="COLOR: 
#92CloseHandle(LsassHandle);<span style="COLOR: #93return -<span style="COLOR: #;<span style="COLOR: #94}<span style="COLOR: #95//关闭句柄<span style="COLOR: #96CloseHandle(LsassHandle);<span style="COLOR: #97//复制Token<span style="COLOR: #98if(!DuplicateTokenEx(LsassToken,TOKEN_ALL_ACCESS,NULL,SecurityImpersonation,TokenPrimary,&NewToken))<span style="COLOR: #99{ <span style="COLOR: #00printf("DuplicateTokenEx Error:%d\n",GetLastError());<span style="COLOR: #01return -<span style="COLOR: #;<span style="COLOR: #02}<span style="COLOR: #03//CloseHandle(LsassToken);<span style="COLOR: #04if(!ImpersonateLoggedOnUser(NewToken))<span style="COLOR: #05{ <span style="COLOR: #06printf("ImpersonateLoggedOnUser Error:%d\n",GetLastError());<span style="COLOR: #07CloseHandle(NewToken);<span style="COLOR: #08return -<span style="COLOR: #;<span style="COLOR: #09}<span style="COLOR: #10GrantPriv("SeCreateTokenPrivilege");<span style="COLOR: #11GrantPriv("SeTcbPrivilege");<span style="COLOR: #12GrantPriv("SeIncreaseQuotaPrivilege");<span style="COLOR: #13GrantPriv("SeAssignPrimaryTokenPrivilege");<span style="COLOR: #14//CloseHandle(NewToken);<span style="COLOR: #15return <span style="COLOR: #;<span style="COLOR: #16// GetKernelObjectSecurity(Handle,DACL_SECURITY_INFORMATION,buf,size,&len)<span style="COLOR: #17// GetSecurityDescriptorDacl(buf,&lpbDaclPresent,PoldACL,&lpbDaclDefaulted);<span style="COLOR: #18// BuildExplicitAccessWithName(pstruct,"administrators",TOKEN_ALL_ACCESS,GRANT_ACCESS,NO_INHERITANCE)<span style="COLOR: #19// SetEntriesInAcl(1,pstruct,PoldACL,PnewACL); //合并权限<span style="COLOR: #20// MakeAbsoluteSD(buf,buf2,<span style="COLOR: #21// SetSecurityDescriptorDacl(buf2,lpbDaclPresent,PnewACL,lpbDaclDefaulted);<span style="COLOR: #22// SetKernelObjectSecurity(HANDLE,DACL_SECURITY_INFORMATION,buf2,);<span style="COLOR: #23// CloseHandle(HANDLE);<span style="COLOR: #24// DuplicateTokenEx(LsassToken,TOKEN_ALL_ACCESS,NULL,SecurityImpersonation,TokenPrimary,&NewToken);<span 
style="COLOR: #25// CloseHandle(LsassToken);<span style="COLOR: #26// ImpersonateLoggedOnUser
<span style="COLOR: #27}<span style="COLOR: #28//帮助信息<span style="COLOR: #29void usage(char *s)<span style="COLOR: #30{ <span style="COLOR: #31printf("Usage:%s &-u user&\n",s);<span style="COLOR: #32return;<span style="COLOR: #33}<span style="COLOR: #34<span style="COLOR: #35BOOL ConvertSidToStringSid(PSID pSid,LPTSTR TextualSid, LPDWORD lpdwBufferLen)<span style="COLOR: #36{ <span style="COLOR: #37PSID_IDENTIFIER_AUTHORITY<span style="COLOR: #38DWORD dwSubA<span style="COLOR: #39DWORD dwSidRev=SID_REVISION;<span style="COLOR: #40DWORD dwC<span style="COLOR: #41DWORD dwSidS<span style="COLOR: #42<span style="COLOR: #43// Validate the binary SID.<span style="COLOR: #44if(!IsValidSid(pSid)) return FALSE;<span style="COLOR: #45// Get the identifier authority value from the SID.<span style="COLOR: #46psia = GetSidIdentifierAuthority(pSid);<span style="COLOR: #47// Get the number of subauthorities in the SID.<span style="COLOR: #48dwSubAuthorities = *GetSidSubAuthorityCount(pSid);<span style="COLOR: #49// Compute the buffer length.<span style="COLOR: #50// S-SID_REVISION- + IdentifierAuthority- + subauthorities- + NULL<span style="COLOR: #51dwSidSize=(<span style="COLOR: # + <span style="COLOR: # + (<span style="COLOR: # * dwSubAuthorities) + <span style="COLOR: #) * sizeof(TCHAR);<span style="COLOR: #52// Check input buffer length.<span style="COLOR: #53// If too small, indicate the proper size and set last error.<span style="COLOR: #54if (*lpdwBufferLen & dwSidSize)<span style="COLOR: #55{ <span style="COLOR: #56*lpdwBufferLen = dwSidS<span style="COLOR: #57SetLastError(ERROR_INSUFFICIENT_BUFFER);<span style="COLOR: #58return FALSE;<span style="COLOR: #59}<span style="COLOR: #60<span style="COLOR: #61// Add 'S' prefix and revision number to the string.<span style="COLOR: #62dwSidSize=wsprintf(TextualSid, TEXT("S-%lu-"), dwSidRev );<span style="COLOR: #63// Add SID identifier authority to the string.<span style="COLOR: #64if ( (psia-&Value[<span style="COLOR: #] != 
<span style="COLOR: #) || (psia-&Value[<span style="COLOR: #] != <span style="COLOR: #) )<span style="COLOR: #65{ <span style="COLOR: #66dwSidSize+=wsprintf(TextualSid + lstrlen(TextualSid),TEXT("<span style="COLOR: #x%02hx%02hx%02hx%02hx%02hx%02hx"),<span style="COLOR: #67(USHORT)psia-&Value[<span style="COLOR: #],<span style="COLOR: #68(USHORT)psia-&Value[<span style="COLOR: #],<span style="COLOR: #69(USHORT)psia-&Value[<span style="COLOR: #],<span style="COLOR: #70(USHORT)psia-&Value[<span style="COLOR: #],<span style="COLOR: #71(USHORT)psia-&Value[<span style="COLOR: #],<span style="COLOR: #72(USHORT)psia-&Value[<span style="COLOR: #]);<span style="COLOR: #73}<span style="COLOR: #74else<span style="COLOR: #75{ <span style="COLOR: #76dwSidSize+=wsprintf(TextualSid + lstrlen(TextualSid),TEXT("%lu"),<span style="COLOR: #77(ULONG)(psia-&Value[<span style="COLOR: #]
+<span style="COLOR: #78(ULONG)(psia-&Value[<span style="COLOR: #] &&
<span style="COLOR: #)
+<span style="COLOR: #79(ULONG)(psia-&Value[<span style="COLOR: #] && <span style="COLOR: #)
+<span style="COLOR: #80(ULONG)(psia-&Value[<span style="COLOR: #] && <span style="COLOR: #)
);<span style="COLOR: #81}<span style="COLOR: #82<span style="COLOR: #83// Add SID subauthorities to the string.<span style="COLOR: #84for (dwCounter=<span style="COLOR: # ; dwCounter & dwSubA dwCounter++)<span style="COLOR: #85{ <span style="COLOR: #86dwSidSize+=wsprintf(TextualSid + dwSidSize, TEXT("-%lu"),<span style="COLOR: #87*GetSidSubAuthority(pSid, dwCounter) );<span style="COLOR: #88}<span style="COLOR: #89return TRUE;<span style="COLOR: #90}<span style="COLOR: #91<span style="COLOR: #92void *GetFromToken(HANDLE hToken, TOKEN_INFORMATION_CLASS tic)<span style="COLOR: #93{ <span style="COLOR: #94DWORD n,n2,<span style="COLOR: #95void *p;<span style="COLOR: #96<span style="COLOR: #97n2 = <span style="COLOR: #;<span style="COLOR: #98rv = GetTokenInformation(hToken,tic,NULL,n2, &n);<span style="COLOR: #99if (rv == FALSE && GetLastError() != ERROR_INSUFFICIENT_BUFFER) <span style="COLOR: #00{ <span style="COLOR: #01printf("GetTokenInformation Failed:%d\n",GetLastError());<span style="COLOR: #02return NULL;<span style="COLOR: #03}<span style="COLOR: #04<span style="COLOR: #05p = malloc(n+<span style="COLOR: #);<span style="COLOR: #06if(p == NULL) <span style="COLOR: #07{ <span style="COLOR: #08printf("Malloc in GetFromToken Failed\n");<span style="COLOR: #09return NULL;<span style="COLOR: #10}<span style="COLOR: #11n2 =<span style="COLOR: #12if(!GetTokenInformation(hToken, tic, p, n2, &n) )<span style="COLOR: #13{ <span style="COLOR: #14printf("GetTokenInformation After Malloc Failed:%d\n",GetLastError());<span style="COLOR: #15return NULL;<span style="COLOR: #16}<span style="COLOR: #17return<span style="COLOR: #18}<span style="COLOR: #19<span style="COLOR: #20void pfree(void *p)<span style="COLOR: #21{ <span style="COLOR: #22if(p)<span style="COLOR: #23free(p);<span style="COLOR: #24}<span style="COLOR: #25<span style="COLOR: #26LUID GetLuidFromText(char *s)<span style="COLOR: #27{ <span style="COLOR: #28LUID L<span style="COLOR: #29<span style="COLOR: 
#30Luid.LowPart = <span style="COLOR: #;<span style="COLOR: #31Luid.HighPart = <span style="COLOR: #;<span style="COLOR: #32if(!LookupPrivilegeValue(NULL,s,&Luid))<span style="COLOR: #33{ <span style="COLOR: #34printf("LookupPrivilegeValue under GetLuidFromText(\"%s\") Failed:%d\n",s,GetLastError()); <span style="COLOR: #35return L<span style="COLOR: #36}<span style="COLOR: #37return L<span style="COLOR: #38}<span style="COLOR: #39
