CreateProcessAsUser
在 system 服务程序中以当前登录用户的身份创建一个进程，使用 CreateProcessAsUser()
// Access masks used when granting the logon SID access to the interactive
// window station and desktop. Each is the object's specific rights plus
// STANDARD_RIGHTS_REQUIRED. WINSTA_ALL and GENERIC_ACCESS are used by
// AddAceToWindowStation below; DESKTOP_ALL is presumably used by
// AddAceToDesktop (its body is not visible here).
#define DESKTOP_ALL (DESKTOP_READOBJECTS | DESKTOP_CREATEWINDOW | \
    DESKTOP_CREATEMENU | DESKTOP_HOOKCONTROL | DESKTOP_JOURNALRECORD | \
    DESKTOP_JOURNALPLAYBACK | DESKTOP_ENUMERATE | DESKTOP_WRITEOBJECTS | \
    DESKTOP_SWITCHDESKTOP | STANDARD_RIGHTS_REQUIRED)

#define WINSTA_ALL (WINSTA_ENUMDESKTOPS | WINSTA_READATTRIBUTES | \
    WINSTA_ACCESSCLIPBOARD | WINSTA_CREATEDESKTOP | WINSTA_WRITEATTRIBUTES | \
    WINSTA_ACCESSGLOBALATOMS | WINSTA_EXITWINDOWS | WINSTA_ENUMERATE | \
    WINSTA_READSCREEN | STANDARD_RIGHTS_REQUIRED)

// Full generic mask. AddAceToWindowStation puts it in an inherit-only ACE,
// so it applies to objects created inside the window station (desktops),
// not to the window station itself.
#define GENERIC_ACCESS (GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE | \
    GENERIC_ALL)

// Append ACEs for psid to the DACL of the window station / desktop.
// Return TRUE on success. Callers must hold the handle with WRITE_DAC.
BOOL AddAceToWindowStation(HWINSTA hwinsta, PSID psid);
BOOL AddAceToDesktop(HDESK hdesk, PSID psid);

// GetLogonSID fills *ppsid with the logon SID of hToken; FreeLogonSID
// releases that buffer (bodies not visible here - usage taken from
// StartInteractiveClientProcess).
BOOL GetLogonSID(HANDLE hToken, PSID *ppsid);
VOID FreeLogonSID(PSID *ppsid);
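/*
 * StartInteractiveClientProcess
 *
 * Logs the given client on (LogonUser, interactive logon type) and runs
 * lpCommandLine in that logon session on the interactive window station
 * and desktop ("winsta0\default"). Before launching, the client's logon
 * SID is granted access to winsta0 (AddAceToWindowStation) and to its
 * "default" desktop (AddAceToDesktop); the process is then created while
 * impersonating the client so the executable is opened with the client's
 * rights.
 *
 * lpszUsername   client to log on
 * lpszDomain     domain of the client's account
 * lpszPassword   client's password (caller-owned buffer; not copied here)
 * lpCommandLine  command line to execute (lpApplicationName is NULL, so the
 *                executable is taken from this string)
 *
 * Returns the result of CreateProcessAsUser, or FALSE if any earlier step
 * failed; GetLastError() then holds the failing API's error. On success the
 * call blocks until the child exits (WaitForSingleObject with INFINITE).
 *
 * Side effects: the ACEs added to winsta0 and its default desktop are not
 * removed on return. The process window station is switched to winsta0
 * while the desktop is opened and restored before returning.
 *
 * Fixes relative to the original sample: hToken and pi were uninitialized,
 * so a failed LogonUser or CreateProcessAsUser could pass garbage handles
 * to CloseHandle on the cleanup path; the window station / desktop names
 * now use TEXT() consistently with the LPTSTR parameters.
 *
 * NOTE(review): the desktop is opened in the calling process's session;
 * whether that is the session the user is logged on to depends on the
 * platform's session model - confirm for the target OS.
 */
BOOL StartInteractiveClientProcess(
    LPTSTR lpszUsername,    // client to logon
    LPTSTR lpszDomain,      // domain of client's account
    LPTSTR lpszPassword,    // client's password
    LPTSTR lpCommandLine    // command line to execute
)
{
    HANDLE hToken = NULL;           // NULL until LogonUser succeeds
    HDESK hdesk = NULL;
    HWINSTA hwinsta = NULL, hwinstaSave = NULL;
    PROCESS_INFORMATION pi;
    PSID pSid = NULL;
    STARTUPINFO si;
    BOOL bResult = FALSE;

    // pi is only written by a successful CreateProcessAsUser; zero it so the
    // handle checks below are well-defined on every path.
    ZeroMemory(&pi, sizeof(pi));

    // Log the client on to the local computer.
    if (!LogonUser(
            lpszUsername,
            lpszDomain,
            lpszPassword,
            LOGON32_LOGON_INTERACTIVE,
            LOGON32_PROVIDER_DEFAULT,
            &hToken))
    {
        goto Cleanup;
    }

    // Save a handle to the caller's current window station.
    if ((hwinstaSave = GetProcessWindowStation()) == NULL)
        goto Cleanup;

    // Get a handle to the interactive window station.
    hwinsta = OpenWindowStation(
        TEXT("winsta0"),            // the interactive window station
        FALSE,                      // handle is not inheritable
        READ_CONTROL | WRITE_DAC);  // rights to read/write the DACL
    if (hwinsta == NULL)
        goto Cleanup;

    // To get the correct default desktop, set the caller's
    // window station to the interactive window station.
    if (!SetProcessWindowStation(hwinsta))
        goto Cleanup;

    // Get a handle to the interactive desktop.
    hdesk = OpenDesktop(
        TEXT("default"),            // the default desktop of winsta0
        0,                          // no interaction with other desktop processes
        FALSE,                      // handle is not inheritable
        READ_CONTROL |              // request the rights to read and write the DACL
        WRITE_DAC |
        DESKTOP_WRITEOBJECTS |
        DESKTOP_READOBJECTS);

    // Restore the caller's window station before checking the result, so
    // the process is never left on winsta0 because of an early exit.
    if (!SetProcessWindowStation(hwinstaSave))
        goto Cleanup;

    if (hdesk == NULL)
        goto Cleanup;

    // Get the SID for the client's logon session.
    if (!GetLogonSID(hToken, &pSid))
        goto Cleanup;

    // Allow logon SID full access to interactive window station.
    if (!AddAceToWindowStation(hwinsta, pSid))
        goto Cleanup;

    // Allow logon SID full access to interactive desktop.
    if (!AddAceToDesktop(hdesk, pSid))
        goto Cleanup;

    // Impersonate client to ensure access to executable file.
    if (!ImpersonateLoggedOnUser(hToken))
        goto Cleanup;

    // Initialize the STARTUPINFO structure.
    // Specify that the process runs in the interactive desktop.
    ZeroMemory(&si, sizeof(si));
    si.cb = sizeof(si);
    si.lpDesktop = TEXT("winsta0\\default");

    // Launch the process in the client's logon session.
    bResult = CreateProcessAsUser(
        hToken,                     // client's access token
        NULL,                       // file to execute
        lpCommandLine,              // command line
        NULL,                       // pointer to process SECURITY_ATTRIBUTES
        NULL,                       // pointer to thread SECURITY_ATTRIBUTES
        FALSE,                      // handles are not inheritable
        NORMAL_PRIORITY_CLASS | CREATE_NEW_CONSOLE,   // creation flags
        NULL,                       // pointer to new environment block
        NULL,                       // name of current directory
        &si,                        // pointer to STARTUPINFO structure
        &pi                         // receives information about new process
    );

    // End impersonation of client.
    RevertToSelf();

    // pi is meaningful only when CreateProcessAsUser succeeded.
    if (bResult)
    {
        if (pi.hProcess != NULL)
        {
            WaitForSingleObject(pi.hProcess, INFINITE);
            CloseHandle(pi.hProcess);
        }
        if (pi.hThread != NULL)
            CloseHandle(pi.hThread);
    }

Cleanup:
    if (hwinstaSave != NULL)
        SetProcessWindowStation(hwinstaSave);

    // Free the buffer for the logon SID.
    if (pSid)
        FreeLogonSID(&pSid);

    // Close the handles to the interactive window station and desktop.
    if (hwinsta)
        CloseWindowStation(hwinsta);
    if (hdesk)
        CloseDesktop(hdesk);

    // Close the handle to the client's access token. LogonUser leaves hToken
    // untouched on failure, so NULL means "never opened" (the original
    // compared an uninitialized handle against INVALID_HANDLE_VALUE).
    if (hToken != NULL)
        CloseHandle(hToken);

    return bResult;
}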
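/*
 * AddAceToWindowStation
 *
 * Grants psid access to the window station hwinsta by building a copy of
 * its DACL with two extra ACCESS_ALLOWED ACEs and writing the copy back
 * with SetUserObjectSecurity:
 *
 *   ACE 1  GENERIC_ACCESS, flags CONTAINER_INHERIT_ACE | INHERIT_ONLY_ACE |
 *          OBJECT_INHERIT_ACE - inherited by objects created inside the
 *          window station, not applied to the window station itself.
 *   ACE 2  WINSTA_ALL, flag NO_PROPAGATE_INHERIT_ACE - applied to the
 *          window station itself.
 *
 * Existing ACEs are copied first, so nothing is removed from the DACL.
 * The caller must hold hwinsta with READ_CONTROL | WRITE_DAC (see
 * StartInteractiveClientProcess).
 *
 * hwinsta  window station handle
 * psid     SID to grant (the client's logon SID in this file)
 *
 * Returns TRUE on success, FALSE on any failure (GetLastError() is left as
 * set by the failing API). All heap buffers are released in __finally.
 *
 * Fix relative to the original sample: pace and pNewAcl were declared
 * without an initializer, so a __leave before they were assigned (e.g. a
 * failed HeapAlloc for psd) handed an indeterminate pointer to HeapFree.
 */
BOOL AddAceToWindowStation(HWINSTA hwinsta, PSID psid)
{
    ACCESS_ALLOWED_ACE *pace = NULL;    // NULL until allocated: __finally frees it
    ACL_SIZE_INFORMATION aclSizeInfo;
    BOOL bDaclExist;
    BOOL bDaclPresent;
    BOOL bSuccess = FALSE;
    DWORD dwNewAclSize;
    DWORD dwSidSize = 0;
    DWORD dwSdSizeNeeded;
    PACL pacl = NULL;
    PACL pNewAcl = NULL;                // NULL until allocated: __finally frees it
    PSECURITY_DESCRIPTOR psd = NULL;
    PSECURITY_DESCRIPTOR psdNew = NULL;
    PVOID pTempAce = NULL;
    SECURITY_INFORMATION si = DACL_SECURITY_INFORMATION;
    unsigned int i;

    __try
    {
        // Obtain the DACL for the window station. The first call passes a
        // NULL buffer and is expected to fail with ERROR_INSUFFICIENT_BUFFER,
        // returning the required size in dwSdSizeNeeded.
        if (!GetUserObjectSecurity(hwinsta, &si, psd, dwSidSize, &dwSdSizeNeeded))
        {
            if (GetLastError() != ERROR_INSUFFICIENT_BUFFER)
                __leave;

            psd = (PSECURITY_DESCRIPTOR)HeapAlloc(
                GetProcessHeap(),
                HEAP_ZERO_MEMORY,
                dwSdSizeNeeded);
            if (psd == NULL)
                __leave;

            // Second buffer of the same size for the new security descriptor.
            psdNew = (PSECURITY_DESCRIPTOR)HeapAlloc(
                GetProcessHeap(),
                HEAP_ZERO_MEMORY,
                dwSdSizeNeeded);
            if (psdNew == NULL)
                __leave;

            dwSidSize = dwSdSizeNeeded;

            if (!GetUserObjectSecurity(hwinsta, &si, psd, dwSidSize, &dwSdSizeNeeded))
                __leave;
        }

        // If the size query unexpectedly succeeded, no buffers were allocated.
        if (psd == NULL || psdNew == NULL)
            __leave;

        // Create a new DACL.
        if (!InitializeSecurityDescriptor(psdNew, SECURITY_DESCRIPTOR_REVISION))
            __leave;

        // Get the DACL from the security descriptor.
        if (!GetSecurityDescriptorDacl(psd, &bDaclPresent, &pacl, &bDaclExist))
            __leave;

        // Initialize the ACL size info. With no existing DACL the new ACL
        // starts as a bare ACL header.
        ZeroMemory(&aclSizeInfo, sizeof(ACL_SIZE_INFORMATION));
        aclSizeInfo.AclBytesInUse = sizeof(ACL);

        // Query the real size only if the DACL is not NULL.
        if (pacl != NULL)
        {
            if (!GetAclInformation(
                    pacl,
                    (LPVOID)&aclSizeInfo,
                    sizeof(ACL_SIZE_INFORMATION),
                    AclSizeInformation))
                __leave;
        }

        // Compute the size of the new ACL: current bytes in use plus two
        // ACCESS_ALLOWED_ACEs, each with the SID in place of the DWORD SidStart.
        dwNewAclSize = aclSizeInfo.AclBytesInUse
                     + (2 * sizeof(ACCESS_ALLOWED_ACE))
                     + (2 * GetLengthSid(psid))
                     - (2 * sizeof(DWORD));

        // Allocate memory for the new ACL.
        pNewAcl = (PACL)HeapAlloc(
            GetProcessHeap(),
            HEAP_ZERO_MEMORY,
            dwNewAclSize);
        if (pNewAcl == NULL)
            __leave;

        // Initialize the new DACL.
        if (!InitializeAcl(pNewAcl, dwNewAclSize, ACL_REVISION))
            __leave;

        // If a DACL is present, copy its ACEs to the new DACL.
        if (bDaclPresent && aclSizeInfo.AceCount)
        {
            for (i = 0; i < aclSizeInfo.AceCount; i++)
            {
                // Get an ACE.
                if (!GetAce(pacl, i, &pTempAce))
                    __leave;

                // Add the ACE to the new ACL.
                if (!AddAce(
                        pNewAcl,
                        ACL_REVISION,
                        MAXDWORD,
                        pTempAce,
                        ((PACE_HEADER)pTempAce)->AceSize))
                    __leave;
            }
        }

        // Build the first ACE: inherit-only, so it applies to objects created
        // inside the window station rather than to the window station itself.
        pace = (ACCESS_ALLOWED_ACE *)HeapAlloc(
            GetProcessHeap(),
            HEAP_ZERO_MEMORY,
            sizeof(ACCESS_ALLOWED_ACE) + GetLengthSid(psid) - sizeof(DWORD));
        if (pace == NULL)
            __leave;

        pace->Header.AceType = ACCESS_ALLOWED_ACE_TYPE;
        pace->Header.AceFlags = CONTAINER_INHERIT_ACE |
                                INHERIT_ONLY_ACE |
                                OBJECT_INHERIT_ACE;
        pace->Header.AceSize = (WORD)(sizeof(ACCESS_ALLOWED_ACE) +
                                      GetLengthSid(psid) - sizeof(DWORD));
        pace->Mask = GENERIC_ACCESS;

        if (!CopySid(GetLengthSid(psid), &pace->SidStart, psid))
            __leave;

        if (!AddAce(
                pNewAcl,
                ACL_REVISION,
                MAXDWORD,
                (LPVOID)pace,
                pace->Header.AceSize))
            __leave;

        // Second ACE reuses the same buffer with new flags and mask: it
        // applies to the window station object itself only.
        pace->Header.AceFlags = NO_PROPAGATE_INHERIT_ACE;
        pace->Mask = WINSTA_ALL;

        if (!AddAce(
                pNewAcl,
                ACL_REVISION,
                MAXDWORD,
                (LPVOID)pace,
                pace->Header.AceSize))
            __leave;

        // Set the new DACL for the security descriptor.
        if (!SetSecurityDescriptorDacl(psdNew, TRUE, pNewAcl, FALSE))
            __leave;

        // Set the new security descriptor for the window station.
        if (!SetUserObjectSecurity(hwinsta, &si, psdNew))
            __leave;

        // Indicate success.
        bSuccess = TRUE;
    }
    __finally
    {
        // Free the allocated buffers; each pointer is NULL unless its
        // HeapAlloc above succeeded.
        if (pace != NULL)
            HeapFree(GetProcessHeap(), 0, (LPVOID)pace);
        if (pNewAcl != NULL)
            HeapFree(GetProcessHeap(), 0, (LPVOID)pNewAcl);
        if (psd != NULL)
            HeapFree(GetProcessHeap(), 0, (LPVOID)psd);
        if (psdNew != NULL)
            HeapFree(GetProcessHeap(), 0, (LPVOID)psdNew);
    }

    return bSuccess;
}

BOOL AddAceToDesktop(HDESK hdesk, PSID psid)
{
    ACL_SIZE_INFORMATION aclSizeInfo;
    BOOL bDaclExist;
    BOOL bDaclPresent;
    BOOL bSuccess = FALSE;
    DWORD dwNewAclSize;
    DWORD dwSidSize = 0;
    DWORD dwSdSizeNeeded;
    PACL pacl;
    PACL pNewAcl;
    PSECURITY_DESCRIPTOR psd = NULL;
    PSECURITY_DESCRIPTOR psdNew = NULL;
    PVOID pTempAce;
    SECURITY_INFORMATION si = DACL_SECURITY_INFORMATION;
    unsigned int i;

    __try
    {
        // Obtain the security descriptor for the desktop object.
        if (!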
GetUserObjectSecurity( hdesk, &si, psd, dwSidSize, &dwSdSizeNeeded)) { if(GetLastError()==ERROR_INSUFFICIENT_BUFFER) { psd=(PSECURITY_DESCRIPTOR)HeapAlloc( GetProcessHeap(), HEAP_ZERO_MEMORY, dwSdSizeNeeded); if(psd==NULL) __leave; psdNew=(PSECURITY_DESCRIPTOR)HeapAlloc( GetProcessHeap(), HEAP_ZERO_MEMORY, dwSdSizeNeeded); if(psdNew==NULL) __leave; dwSidSize=dwSdSizeNeeded; if(! GetUserObjectSecurity( hdesk, &si, psd, dwSidSize, &dwSdSizeNeeded) ) __leave; } else __leave; } //Createanewsecuritydescriptor. if(! InitializeSecurityDescriptor( psdNew, SECURITY_DESCRIPTOR_REVISION) ) __leave; //ObtaintheDACLfromthesecuritydescriptor. if(! GetSecurityDescriptorDacl( psd, &bDaclPresent, &pacl, &bDaclExist) ) __leave; //Initialize. ZeroMemory(&aclSizeInfo,sizeof(ACL_SIZE_INFORMATION)); aclSizeInfo.AclBytesInUse=size