代码如下:
#include <windows.h>
#include <Tlhelp32.h>
#include <stdio.h>
//提权函数
BOOL EnableDebugPriv( LPCTSTR szPrivilege )
{
HANDLE hToken;
LUID sedebugnameValue;
TOKEN_PRIVILEGES tkp;
if ( !OpenProcessToken( GetCurrentProcess(),
TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,
&hToken ) )
{
return FALSE;
}
if ( !LookupPrivilegeValue( NULL, szPrivilege, &sedebugnameValue ) )
{
CloseHandle( hToken );
return FALSE;
}
tkp.PrivilegeCount = 1;
tkp.Privileges[0].Luid = sedebugnameValue;
tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
if ( !AdjustTokenPrivileges( hToken, FALSE, &tkp, sizeof tkp, NULL, NULL ) )
{
CloseHandle( hToken );
return FALSE;
}
return TRUE;
}
void main()
{
HANDLE hSnapshot = NULL;
HANDLE hProcess = NULL;
PROCESSENTRY32 pe;
DWORD dwProcessId;
BOOL rtn = FALSE;
//先提升权限
if(!EnableDebugPriv(SE_DEBUG_NAME))
return;
//获得lsass进程PID
hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,NULL);
pe.dwSize = sizeof(PROCESSENTRY32);
Process32First(hSnapshot,&pe);
do
{
if(stricmp(pe.szExeFile,"lsass.exe")==0)
{
dwProcessId = pe.th32ProcessID;
break;
}
}
while(Process32Next(hSnapshot,&pe)==TRUE);
hProcess = OpenProcess(PROCESS_ALL_ACCESS,FALSE,dwProcessId);
//
DebugActiveProcess函数出错,错误代码5,无权访问。
if(!DebugActiveProcess(dwProcessId))
printf("\nERROR %d.",GetLastError());
CloseHandle(hSnapshot);
}
想请问,MSDN上关于DebugActiveProcess函数的说明中,写到:“If the debugging process has the SE_DEBUG_NAME privilege granted and enabled, it can debug any process.” 可见,该函数应该能调试任何进程,包括系统进程lsass。为什们上述情况不行呢?我的系统是xp sp3。
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)