0

我的程序被设计成一个安全的 Sticky Keys hack。如果从登录中调用粘滞键,它将要求输入本地帐户的用户名和密码。如果它们正确,则会以该用户身份调用 cmd.exe 实例以避免损坏。当我从资源管理器中双击 sethc 程序时,

它运行成功。

当我按五次 shift 运行同一个程序时,

它失败并出现错误 5 Access Denied。

当按五次 shift 时,我可以验证 sethc 是否在 winlogon 下运行。

整个文件是:

// cmd.cpp : Defines the entry point for the console application.
//

#include <Windows.h>
#include <Lmcons.h>
#include <iostream>
#include <ctype.h>
#include <string>
#include <stdio.h>

#define winstring LPWSTR
#define stcas(x) static_cast<x>
#define INFO_BUFFER_SIZE    260 

using namespace std;

void ReportError(LPCWSTR pszFunction, DWORD dwError = GetLastError()) 
{ 
    wprintf(L"%s failed w/err 0x%08lx\n", pszFunction, dwError); 
    system("pause");
    exit(dwError);
} 

int main()
{
    LPTSTR szCmdline[] = {"cmd"};
    STARTUPINFOW si;
    PROCESS_INFORMATION pi;
    memset(&si, 0, sizeof(si));
    si.cb = sizeof(si);
    TCHAR un[UNLEN+1];
    DWORD size = UNLEN + 1;
    GetUserName(un, &size);

    string una(un);

    bool sys = !una.compare("SYSTEM");


    if(!sys) {
        system("cls");
        if(!CreateProcessW(L"C:\\Windows\\System32\\cmd.exe", NULL, NULL, NULL, FALSE, NORMAL_PRIORITY_CLASS | CREATE_BREAKAWAY_FROM_JOB, NULL, NULL, &si, &pi)) ReportError(L"normal Create process");
        return 0;
    }



    wchar_t szUserName[INFO_BUFFER_SIZE] = {}; 
    wchar_t szPassword[INFO_BUFFER_SIZE] = {}; 
    wchar_t *pc = NULL; 
    HANDLE hToken = NULL;
    HANDLE aToken = NULL;
    BOOL dup = FALSE;
    BOOL logon = FALSE;


    printf("Enter the username: "); 
    fgetws(szUserName, ARRAYSIZE(szUserName), stdin); 
    pc = wcschr(szUserName, '\n'); 
    if (pc != NULL) *pc = '\0';  // Remove the trailing L'\n' 

    cout << endl;

    printf("Enter the password: "); 
    fgetws(szPassword, ARRAYSIZE(szPassword), stdin); 
    pc = wcschr(szPassword, '\n'); 
    if (pc != NULL) *pc = '\0';  // Remove the trailing L'\n'

    if(!LogonUserW(szUserName, NULL, szPassword, LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, &hToken)) ReportError(L"Logon");
    else logon = TRUE;

    if(!DuplicateTokenEx(hToken, TOKEN_DUPLICATE | TOKEN_IMPERSONATE, NULL, SecurityImpersonation, TokenPrimary, &aToken)) ReportError(L"Impersonate");
    else dup = TRUE;

    if(!CreateProcessAsUserW(aToken,L"C:\\Windows\\System32\\cmd.exe", NULL, NULL, NULL, FALSE, CREATE_BREAKAWAY_FROM_JOB, NULL, L"C:\\Windows\\System32\\", &si, &pi)){
        ReportError(L"Create Process");
    }

    SecureZeroMemory(szPassword, sizeof(szPassword));
}

我想知道为什么如果sethc 是从winlogon 派生的,那么为什么根本不允许CreateProcess。我正在运行 Windows 7。奇怪的是它system(command)运行良好。我用过system("pause");一次。

4

1 回答 1

0

While it is difficult to say what your question actually is, be aware that there is a specific privilege called PROCESS_CREATE_PROCESS.

From MSDN:

PROCESS_CREATE_PROCESS (0x0080) Required to create a process.

A process lacking this privilege can't spawn child processes. system("pause"); does not create a child process, because pause is a built-in shell command, but I understand why you might have got that impression.

So check if your process has that privilege. Use process explorer or simply a WINAPI function, there's bound to be one.

If you want to know why Microsoft developers decided not to give that privilege to sethc, you'd have to ask them.

于 2014-03-28T16:51:22.440 回答