能力值:
( LV9,RANK:610 )
|
-
-
1
// 这个函数需要在system权限下运行, 例如在服务里。 void main() { HANDLE hToken = NULL; HANDLE hTokenDup = NULL; if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &hToken)) { return; } DWORD dwSessionId = WTSGetActiveConsoleSessionId(); if (!DuplicateTokenEx(hToken, MAXIMUM_ALLOWED, NULL, SecurityIdentification, TokenPrimary, &hTokenDup)) { CloseHandle(hToken); return; } if (!SetTokenInformation(hTokenDup, TokenSessionId, &dwSessionId, sizeof(DWORD))) { CloseHandle(hToken); CloseHandle(hTokenDup); return; } char szCommon[MAX_PATH] = { "C:\\Windows\\System32\\cmd.exe" }; PROCESS_INFORMATION pi = { 0 }; STARTUPINFO si = { sizeof(si) }; si.dwFlags = STARTF_USESHOWWINDOW; si.wShowWindow = TRUE;//窗口显示为0不显示 if (!CreateProcessAsUser( hTokenDup, (char*)szCommon, //在Unicode版本中此参数不能为常量字符串,因为此参数会被修改 NULL, NULL, NULL, FALSE, NULL, 0, NULL, &si, &pi)) { } }
|
能力值:
( LV9,RANK:610 )
|
-
-
|
能力值:
( LV9,RANK:610 )
|
-
-
|
能力值:
( LV9,RANK:610 )
|
-
-
|
能力值:
( LV9,RANK:610 )
|
-
-
[原创]实时混淆在线编译器
200byte ->200kb
只要搞清楚Client对这200kb的处理方式,还有必要去逆向这200kb的数据吗?
|
能力值:
( LV9,RANK:610 )
|
-
-
|
能力值:
( LV9,RANK:610 )
|
-
-
[求助]win7下管理员权限的进程如何创建一个非管理员权限进程
结贴。楼上是我一朋友,刚好这个问题昨天解决了,想把kx给他转正,求大家不要举报我啊~~~谢谢各位大神。。。
http://hi.baidu.com/blueapple_c/item/52b7d529beb7c30f76272cd7
下面公布代码,可能有点细节需要调整:
-------- CreateProcessEx.h文件 --------
#ifndef _CREATE_PROCESS_EX_H_
#define _CREATE_PROCESS_EX_H_
#include <windows.h>
#include "tchar.h"
#pragma comment(lib, "shell32")
#pragma comment(lib, "user32")
#pragma comment(lib, "Advapi32.lib")
//以普通权限启动进程
BOOL CreateProcessLow(TCHAR * lpApplicationName,
TCHAR * lpCommandLine = NULL,
TCHAR * lpDirectory = NULL,
UINTnShow = SW_SHOWNORMAL);
//以管理员权限启动进程
BOOL CreateProcessHigh(TCHAR * strProcessName,
TCHAR * strCommandLine = NULL,
TCHAR * lpDirectory = NULL,
UINTnShow = SW_SHOWNORMAL);
#endif //_CREATE_PROCESS_EX_H_
-------- CreateProcessEx.h文件 --------
-------- CreateProcessEx.cpp文件 --------
#include "CreateProcessEx.h"
#include <string>
using namespace std;
typedef BOOL (WINAPI *F_CreateProcessWithTokenW)(
__in HANDLE hToken,
__in DWORD dwLogonFlags,
__in LPCWSTR lpApplicationName,
__in LPWSTR lpCommandLine,
__in DWORD dwCreationFlags,
__in LPVOID lpEnvironment,
__in LPCWSTR lpCurrentDirectory,
__in LPSTARTUPINFOW lpStartupInfo,
__out LPPROCESS_INFORMATION lpProcessInfo
);
HANDLE DupExplorerToken();
BOOL IsVistaOrLater();
BOOL IsAdminPrivilege();
//以普通权限启动进程
BOOL CreateProcessLow(TCHAR * lpApplicationName,
TCHAR * lpCommandLine,
TCHAR * lpDirectory,
UINTnShow)
{
if (!IsVistaOrLater()
|| !IsAdminPrivilege())
{
HINSTANCE hRet = ShellExecute(NULL, _T("open"), lpApplicationName, lpCommandLine, lpDirectory, nShow);
return ((int)hRet > 32);
}
HANDLE hToken = DupExplorerToken();
if (hToken == NULL)
return FALSE;
static HMODULE hDll = LoadLibrary(_T("ADVAPI32.dll"));
if (!hDll)
{
CloseHandle(hToken);
return FALSE;
}
F_CreateProcessWithTokenW pfn = (F_CreateProcessWithTokenW)GetProcAddress(hDll, "CreateProcessWithTokenW");
if (!pfn)
{
CloseHandle(hToken);
return FALSE;
}
STARTUPINFO si = {sizeof(STARTUPINFO)};
PROCESS_INFORMATION pi = {0};
BOOL ret = pfn(hToken,
LOGON_WITH_PROFILE,
lpApplicationName,
lpCommandLine,
NORMAL_PRIORITY_CLASS,
NULL,
lpDirectory,
&si,
&pi);
if (ret)
{
CloseHandle(pi.hProcess);
CloseHandle(pi.hThread);
}
CloseHandle(hToken);
return ret;
}
//以管理员权限启动进程
BOOL CreateProcessHigh(TCHAR * lpApplicationName,
TCHAR * lpCommandLine,
TCHAR * lpDirectory,
UINTnShow)
{
#ifdef _UNICODE
wstring command;
#else
string command;
#endif
if (lpCommandLine)
{
command = lpCommandLine;
}
if (IsVistaOrLater()
&& !IsAdminPrivilege())
{
command += _T(" -Admin");
}
HINSTANCE hRet = ShellExecute(NULL, _T("runas"), lpApplicationName, command.c_str(), lpDirectory, nShow);
return ((int)hRet > 32);
}
HANDLE DupExplorerToken()
{
DWORD dwPid = 0;
HWND hwnd = FindWindow(_T("Shell_TrayWnd"), NULL);
if (NULL == hwnd)
return NULL;
GetWindowThreadProcessId(hwnd, &dwPid);
if (dwPid == 0)
return NULL;
HANDLE hExplorer = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, dwPid);
if (hExplorer == NULL)
return NULL;
HANDLE hToken = NULL;
OpenProcessToken(hExplorer, TOKEN_DUPLICATE, &hToken);
CloseHandle(hExplorer);
HANDLE hNewToken = NULL;
DuplicateTokenEx(hToken, TOKEN_ALL_ACCESS, NULL, SecurityImpersonation, TokenPrimary, &hNewToken);
CloseHandle(hToken);
return hNewToken;
}
BOOL IsVistaOrLater()
{
OSVERSIONINFOEX version = {sizeof(OSVERSIONINFOEX)};
if (!GetVersionEx((LPOSVERSIONINFO)&version))
{
version.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
if (!GetVersionEx((LPOSVERSIONINFO)&version))
{
return FALSE;
}
}
return (version.dwMajorVersion >= 6);
}
BOOL IsAdminPrivilege()
{
BOOL bIsAdmin = FALSE;
BOOL bRet = FALSE;
SID_IDENTIFIER_AUTHORITY idetifier = SECURITY_NT_AUTHORITY;
PSID pAdministratorGroup;
if (AllocateAndInitializeSid(
&idetifier,
2,
SECURITY_BUILTIN_DOMAIN_RID,
DOMAIN_ALIAS_RID_ADMINS,
0,0,0,0,0,0,
&pAdministratorGroup))
{
if (!CheckTokenMembership(NULL, pAdministratorGroup, &bRet))
{
bIsAdmin = FALSE;
}
if (bRet)
{
bIsAdmin = TRUE;
}
FreeSid(pAdministratorGroup);
}
return bIsAdmin;
}
-------- CreateProcessEx.cpp文件 --------
|
能力值:
( LV9,RANK:610 )
|
-
-
[分享]菜鸟用SDK写了个系统锁
加几行 禁止Windows 键
if (pKHS->vkCode == VK_LWIN
|| pKHS->vkCode == VK_RWIN)
{
return TRUE;
}
|
能力值:
( LV9,RANK:610 )
|
-
-
....
哪怕你把那位仁兄的资料直接copy过来 也比你弄个连接强
会有人认为你连写个简历都懒的写
这么点耐心都没有
这么敷衍了事
怎么写出好程序? 个人想法,真心希望对你有用。
|
能力值:
( LV9,RANK:610 )
|
-
-
ReadProcessMemory失败,GetLastError()错误码为299
299错误的解释是:仅完成部分的 ReadProcessMemory 或 WriteProcessMemory 请求。
看到这个解释,你应该能想到这个操作还没结束,需要继续读。举个例子,假如一个文件上G,你可能一次都读到内存吗?是不是需要分多次读? lz的需求或许还有另外一种思路,hook 记事本的打开文件的动作,截获的txt等文件的全路径,自己去读文件。
|
能力值:
( LV9,RANK:610 )
|
-
-
|
Thead
能力排名:
等 级:
活跃值:
在线值:
浏览人数:498
最近活跃:2025-1-22 11:45
注册时间:2009-05-15
