0

我用的是win7操作系统,开发环境是vs2005。

情况是我想将进程创建为当前帐户的权限。(例如:在普通帐户中,右键单击程序选择“以管理员身份运行”)

我参考其他人的方式: 1.获取进程explorer.exe的token;2.提升特权;3.使用 CreateProcessAsUser 创建一个进程。

但 CreateProcessAsUser 失败,使用 GetLastError() 获取错误代码为 1314。

正因为如此,我觉得我现在疯了。你能告诉我我的程序有什么问题吗?谢谢!!!

    #include <iostream>
    using namespace std;

    #include "windows.h"
    #include "tlhelp32.h"


    BOOL GetProcessTokenByName(HANDLE &hToken, LPTSTR szProcessName)
    {    
        // var init    
        STARTUPINFO st;    
        PROCESS_INFORMATION pi;
        PROCESSENTRY32 ps;
        HANDLE hSnapshot;    
        ZeroMemory(&st, sizeof(STARTUPINFO));    
        ZeroMemory(&pi, sizeof(PROCESS_INFORMATIO

N));    
    st.cb = sizeof(STARTUPINFO);    
    ZeroMemory(&ps,sizeof(PROCESSENTRY32));    
    ps.dwSize = sizeof(PROCESSENTRY32);    
    // find the explorer.exe    
    hSnapshot = CreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0);    
    if(hSnapshot == INVALID_HANDLE_VALUE)    
    {        
        return FALSE;    
    }    
    if(!Process32First(hSnapshot,&ps))    
    {        
        return FALSE;    
    }    
    do
    {
        wprintf(_T("%s , %u\n"), ps.szExeFile, ps.th32ProcessID);
        // compare the process name        
        if(lstrcmpi(ps.szExeFile,szProcessName)==0)        
        {            // find            
            //*lpPID = ps.th32ProcessID;            
            //CloseHandle(hSnapshot);            
            //return TRUE;        

            HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, ps.th32ProcessID);
            BOOL bRet = FALSE;
            HANDLE tmpToken;
            if( OpenProcessToken(hProcess, /*TOKEN_QUERY*/TOKEN_ALL_ACCESS, &tmpToken) )
            {
                bRet = DuplicateTokenEx(
                    tmpToken,                        //_In_      HANDLE hExistingToken,
                    MAXIMUM_ALLOWED,                //_In_      DWORD dwDesiredAccess,
                    NULL,                            //_In_opt_  LPSECURITY_ATTRIBUTES lpTokenAttributes,
                    SecurityIdentification,            //_In_      SECURITY_IMPERSONATION_LEVEL ImpersonationLevel,
                    TokenPrimary,                    //_In_      TOKEN_TYPE TokenType,
                    &hToken                            //_Out_     PHANDLE phNewToken
                    );

                //DWORD dwSessionId = WTSGetActiveConsoleSessionId();
                //SetTokenInformation(hToken,TokenSessionId,(void*)dwSessionId,sizeof(DWORD));

                //SetPrivilege(hToken, SE_ASSIGNPRIMARYTOKEN_NAME, TRUE);


            }
            else
            {
                printf("OpenProcessToken error: %u\n", GetLastError());
            }
            CloseHandle (hSnapshot);
            return (bRet);
        }    
    }while(Process32Next(hSnapshot,&ps));    
    // didn't find   
    CloseHandle(hSnapshot);    
    return FALSE;
}

BOOL RunasUser( )
{
    HANDLE    hToken;
    if( GetProcessTokenByName( hToken, _T("explorer.exe") ) )
    {
        if( hToken != INVALID_HANDLE_VALUE )
        {
            STARTUPINFO si;
            PROCESS_INFORMATION pi;

            ZeroMemory(&si, sizeof(STARTUPINFO));
            si.cb= sizeof(STARTUPINFO);
            si.lpDesktop = TEXT("winsta0\\default");

            {
                TOKEN_PRIVILEGES    tp;
                tp.PrivilegeCount    =1;
                if(!LookupPrivilegeValue(NULL,SE_ASSIGNPRIMARYTOKEN_NAME/*SE_DEBUG_NAME*/,&tp.Privileges[0].Luid))
                {                
                    printf("LookupPrivilegeValue value Error: %u\n",GetLastError());
                }

                tp.Privileges[0].Attributes    = SE_PRIVILEGE_ENABLED;
                if(!AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), (PTOKEN_PRIVILEGES)NULL, NULL) )
                {                
                    printf("Adjust Privilege value Error: %u\n",GetLastError());
                }
            }
            printf("Adjust Privilege\n");
            {
                TOKEN_PRIVILEGES    tp;
                tp.PrivilegeCount    =1;
                if(!LookupPrivilegeValue(NULL,SE_INCREASE_QUOTA_NAME/*SE_DEBUG_NAME*/,&tp.Privileges[0].Luid))
                {                
                    printf("LookupPrivilegeValue value Error: %u\n",GetLastError());
                }
                tp.Privileges[0].Attributes    = SE_PRIVILEGE_ENABLED;
                if(!AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), (PTOKEN_PRIVILEGES)NULL, NULL) )
                {                
                    printf("Adjust Privilege value Error: %u\n",GetLastError());
                }
            }

            BOOL bResult = CreateProcessAsUser(
                hToken,                            //_In_opt_     HANDLE hToken,
                _T("D:\\GetMac.exe"),            //_In_opt_     LPCTSTR lpApplicationName,
                NULL,                            //_Inout_opt_  LPTSTR lpCommandLine,
                NULL,                            //_In_opt_     LPSECURITY_ATTRIBUTES lpProcessAttributes,
                NULL,                            //_In_opt_     LPSECURITY_ATTRIBUTES lpThreadAttributes,
                FALSE,                            //_In_         BOOL bInheritHandles,
                NORMAL_PRIORITY_CLASS,            //_In_         DWORD dwCreationFlags,
                NULL,                            //_In_opt_     LPVOID lpEnvironment,
                NULL,                            //_In_opt_     LPCTSTR lpCurrentDirectory,
                &si,                            //_In_         LPSTARTUPINFO lpStartupInfo,
                &pi                                //_Out_        LPPROCESS_INFORMATION lpProcessInformation
                );
            CloseHandle(hToken);

            if( bResult )
            {
                //succeed
                return TRUE;
            }
            else
            {   //fail
                DWORD dwErr = GetLastError();
                printf( "error: %u\n", dwErr );
            }
        }
    }
    else
    {
        printf("GetProcessTokenByName fail\n");
    }

    return FALSE;
}
int _tmain(int argc, _TCHAR* argv[])
{

    BOOL bRet = RunasUser();

    printf("result: %d\n", bRet);
    system("pause");
    return 0;
}
4

0 回答 0