带假返回的WTSQueryUserToken
带假返回的WTSQueryUserToken
提问于 2013-01-22 09:24:58
因此,我想使用下面的这些函数从服务中执行一个进程。
- CreateProcessAsUserW
- WTSGetActiveConsoleSessionId
- WTSQueryUserToken
但是我似乎不能触发CreateProcessAsUserW(),因为WTSQueryUserToken被返回为FALSE,而ERROR_PRIVILEGE_NOT_HELD正在窃听。
我在互联网上找到了一些线程,但这些解决方案都在Windows 7和Server 2008之前。
我的密码在这里..。
STARTUPINFOW si = {0,};
PROCESS_INFORMATION pi = {0,};
HANDLE hTokenNew = nullptr;
HANDLE hTokenDup = nullptr;
HMODULE hModKernel32 = LoadLibrary(TEXT("kernel32.dll"));
HMODULE hModWtsapi32 = LoadLibrary(TEXT("Wtsapi32.dll"));
HMODULE hModUserEnv = LoadLibrary(TEXT("Userenv.dll"));
auto lpfnWTSGetActiveConsoleSessionId = reinterpret_cast<DWORD(*)(void)>(GetProcAddress(hModKernel32, "WTSGetActiveConsoleSessionId"));
auto lpfnWTSQueryUserToken = reinterpret_cast<bool(*)(ULONG, PHANDLE)>(GetProcAddress(hModWtsapi32, "WTSQueryUserToken"));
auto lpfnCreateEnvironmentBlock = reinterpret_cast<bool(*)(LPVOID*, HANDLE, bool)>(GetProcAddress(hModUserEnv, "CreateEnvironmentBlock"));
auto lpfnDestroyEnvironmentBlock = reinterpret_cast<bool(*)(LPVOID)>(GetProcAddress(hModUserEnv, "DestroyEnvironmentBlock"));
LPVOID pEnvironment = nullptr;
DWORD dwCreationFlag = NORMAL_PRIORITY_CLASS;
DWORD dwSessionId = lpfnWTSGetActiveConsoleSessionId();
// FALSE Returned.
lpfnWTSQueryUserToken(dwSessionId, &hTokenNew);
// 1314 : ERROR_PRIVILEGE_NOT_HELD
DWORD d = GetLastError();
// Since WTSQueryUserToken gives me FALSE and no token, the code below is meaningless.
DuplicateTokenEx(hTokenNew, MAXIMUM_ALLOWED, nullptr, SecurityIdentification, TokenPrimary, &hTokenDup);
si.cb = sizeof(STARTUPINFO);
si.lpReserved = nullptr;
si.lpReserved2 = nullptr;
si.cbReserved2 = 0;
si.dwFlags = STARTF_USESHOWWINDOW;
si.wShowWindow = SW_SHOW;
si.lpDesktop = TEXT("winsta0\\default");
if(lpfnCreateEnvironmentBlock != nullptr)
{
if (lpfnCreateEnvironmentBlock(&pEnvironment, hTokenDup, false))
{
dwCreationFlag |= CREATE_UNICODE_ENVIRONMENT;
}
else
{
pEnvironment = nullptr;
}
}
if (!CreateProcessAsUserW(
hTokenDup,
nullptr,
TEXT("D:\\MyProgram.exe"),
nullptr,
nullptr,
false,
dwCreationFlag,
pEnvironment,
nullptr,
&si,
&pi))
{
return 0;
}
if(hTokenDup)
{
CloseHandle(hTokenDup);
}
if (hTokenNew)
{
CloseHandle(hTokenNew);
}
if (pi.hProcess)
{
CloseHandle(pi.hProcess);
}
if (pi.hThread)
{
CloseHandle(pi.hThread);
}
if (nullptr != pEnvironment)
{
lpfnDestroyEnvironmentBlock(pEnvironment);
}任何建议都将得到真正的感谢。提前谢谢。
回答 1
Stack Overflow用户
回答已采纳
发布于 2013-01-22 13:36:59
根据MSDN:"ERROR_PRIVILEGE_NOT_HELD -调用方没有SE_TCB_NAME特权。“
您是否检查了您的进程是否具有SE_TCB_NAME特权?
页面原文内容由Stack Overflow提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:
https://stackoverflow.com/questions/14455211
复制相关文章
相似问题
腾讯云开发者
