最近一直想写一个这样的工具,还请看雪的大拿帮忙看看:
一台服务器,有A-B两个会话。 我是B会话,本地管理组,现在要用B去模拟A用户登陆,然后创建进程。这样程序起来就是A创建的,A会话里的内容,比如IPC 都能看到了。
于是想自己写一个,当前测试环境为Windows 2008,想从简单到难。最后一步一步想写一个通用的模拟工具。
后来在我的调试当中,Windows 2008 ,B用户调出SYSTEM权限,可以成功让A用户的会话创建进程。
但是在真实环境当中,得到SYSTEM在一些没有交互的环境下比较难,我也看到网上的一些不开源的工具,在ADMIN权限下也是成功可以模拟其他用户创建进程的。
但是不管无论如何,我始终利用administrator权限无法用createprocessasuser模拟 其他当前sessions来创建进程。
CreateProcessAsUser 始终提示 1314.网上找了很多文章,都说是权限的问题,于是我也尝试提升权限。但是结果也还是一样。
我把代码贴上来,还请各位大拿帮我看看。
#include "stdafx.h"
#include <windows.h>
#include <stdio.h>
#include <process.h>
#include <Tlhelp32.h>
#include <tchar.h>
#include <psapi.h>
#include <stdio.h>
#include <STDLIB.H>
#include <tlhelp32.h>
#include <WtsApi32.h>
#include <Userenv.h>
#pragma comment(lib, "WtsApi32.lib")
#pragma comment (lib,"psapi")
#pragma comment(lib, "userenv.lib")
#define INVALID_PROCESS_ID -2
bool GetSessionUserName(DWORD dwsessionsid,wchar_t username[MAX_PATH])
{
LPWSTR pbuffer = NULL;
DWORD dwbuffer = NULL;
BOOL bres = WTSQuerySessionInformationW(WTS_CURRENT_SERVER_HANDLE
,dwsessionsid,WTSUserName,&pbuffer,&dwbuffer);
if (bres == FALSE)
{
printf("get sessions name false");
return false;
}
lstrcpy(username,pbuffer);
WTSFreeMemory(pbuffer);
return true;
}
bool GetSessionsDomain(DWORD dwsessionsid,wchar_t domainname[MAX_PATH])
{
LPTSTR pbuffer = NULL;
DWORD dwbuffer;
BOOL bres = WTSQuerySessionInformationW(WTS_CURRENT_SERVER_HANDLE
,dwsessionsid,WTSDomainName,&pbuffer,&dwbuffer);
if(bres == FALSE)
{
printf("get sessions domainname error\r\n");
return false;
}
lstrcpy(domainname,pbuffer);
WTSFreeMemory(pbuffer);
return true;
}
bool ActiveSessions()
{
WTS_SESSION_INFO* sessionsinfo = NULL;
DWORD sessionsinfocount;
wchar_t domainname[MAX_PATH] = {0};
wchar_t Username[MAX_PATH] = {0};
BOOL result = WTSEnumerateSessions(WTS_CURRENT_SERVER_HANDLE,
0,1,&sessionsinfo,&sessionsinfocount);
unsigned int usercount(0);
int num = 0;
for (unsigned int i = 0;i<sessionsinfocount;i++)
{
if ((sessionsinfo[i].State == WTSActive) || (sessionsinfo[i].State == WTSDisconnected))
{
GetSessionUserName(sessionsinfo[i].SessionId,Username);
GetSessionsDomain(sessionsinfo[i].SessionId,domainname);
printf("\r\n\tSession Infomation:%d\r\n\t"
"Session Id:%d\r\n\tSession Username:%S\r\n\t"
"Session Domain:%S\r\n\t",
num++,sessionsinfo[i].SessionId,Username,domainname);
}
}
printf("\r\t\n[*]:Current Active Session:%d",num-1);
WTSFreeMemory(sessionsinfo);
return true;
}
DWORD FindSessionPid(LPCTSTR lpszProcName)
{
DWORD dwPid = INVALID_PROCESS_ID;
HANDLE hSnapshot = INVALID_HANDLE_VALUE;
PROCESSENTRY32 pe32 = {0};
pe32.dwSize = sizeof(PROCESSENTRY32);
hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL);
if (hSnapshot != INVALID_HANDLE_VALUE)
{
Process32First(hSnapshot, &pe32);
do
{
if (!lstrcmpi(lpszProcName, pe32.szExeFile))
{
dwPid = pe32.th32ProcessID;
//break;
}
pe32.dwSize = sizeof(PROCESSENTRY32);
} while (Process32Next(hSnapshot, &pe32));
CloseHandle(hSnapshot);
}
return dwPid;
}
BOOL EnableProcessPrivilege(LPCTSTR lpszPrivName, BOOL bEnable = TRUE)
{
HANDLE hToken;
TOKEN_PRIVILEGES tkp;
BOOL bRet = FALSE;
bRet = OpenProcessToken(GetCurrentProcess(),
TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken);
if (bRet == FALSE)
{
printf("OpenProcessToken error\r\n");
}
bRet = LookupPrivilegeValue(NULL, lpszPrivName, &tkp.Privileges[0].Luid);
// CHECK_NULL_RET(bRet);
tkp.PrivilegeCount = 1;
tkp.Privileges[0].Attributes = bEnable ? SE_PRIVILEGE_ENABLED : SE_PRIVILEGE_REMOVED;
bRet = AdjustTokenPrivileges(hToken, FALSE, &tkp, 0, (PTOKEN_PRIVILEGES)NULL, 0);
// CHECK_NULL_RET(bRet);
bRet = TRUE;
CloseHandle(hToken);
return bRet;
}
BOOL LaunchAppIntoDifferentSession(wchar_t Cmd[1024])
{
PROCESS_INFORMATION pi;
STARTUPINFO si;
BOOL bResult = FALSE;
DWORD /*dwSessionId = 1,*/ newsessionsid = 0;
HANDLE hPToken, hProcess;
HANDLE newToken;
DWORD dwCreationFlags;
// TOKEN_MANDATORY_LABEL tml;
PSID pIntegritySid = NULL;
DWORD dwPid = 0;
// Log the client on to the local computer.
typedef DWORD (WINAPI *__pfnWTSGetActiveConsoleSessionId)();
typedef BOOL (WINAPI *__pfnWTSQueryUserToken)( ULONG SessionId, PHANDLE phToken );
__pfnWTSGetActiveConsoleSessionId pfnWTSGetActiveConsoleSessionId =
(__pfnWTSGetActiveConsoleSessionId)GetProcAddress(LoadLibraryA("kernel32.dll"), "WTSGetActiveConsoleSessionId");
__pfnWTSQueryUserToken pfnWTSQueryUserToken =
(__pfnWTSQueryUserToken)GetProcAddress(LoadLibraryA("Wtsapi32.dll"), "WTSQueryUserToken");
if(pfnWTSGetActiveConsoleSessionId == NULL)
{
printf("Not found api: WTSGetActiveConsoleSessionId\n");
return 0;
}
if(pfnWTSQueryUserToken == NULL)
{
printf("Not found api: WTSQueryUserToken\n");
return 0;
}
BOOL bret2 = EnableProcessPrivilege(SE_DEBUG_NAME, TRUE);
if (bret2 == FALSE)
{
printf("EnableProcessPrivilege error:%d\r\n",GetLastError());
}else
{
printf("EnableProcessPrivilege Susccessfuly\r\n");
}
dwPid = FindSessionPid(L"explorer.exe");
printf("%d\n", dwPid);
if (dwPid == NULL)
{
printf("dwpid = %d\r\n",GetLastError());
}
////////////////////////////////////////////////////////////////////////
dwCreationFlags = NORMAL_PRIORITY_CLASS | CREATE_NEW_CONSOLE | CREATE_UNICODE_ENVIRONMENT;
ZeroMemory(&si, sizeof(STARTUPINFO));
ZeroMemory(&pi, sizeof(pi));
si.cb= sizeof(STARTUPINFO);
si.lpDesktop = L"winsta0\\default";
si.wShowWindow = SW_SHOW;
si.dwFlags=STARTF_USESHOWWINDOW;
DWORD RetLen = 0;
hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, dwPid);
if(!OpenProcessToken(hProcess, PROCESS_ALL_ACCESS, &hPToken))
{
char pTemp[121];
sprintf_s(pTemp, "Process token open Error: %u\n", GetLastError());
printf(pTemp);
}
if(hPToken == NULL)
{
printf("Process tokenError: \n");
}
// Launch the process in the client's logon session.
newsessionsid = WTSGetActiveConsoleSessionId();
if (newsessionsid == 0xFFFFFFFF) {
printf("No session attached to the console (WTSGetActiveConsoleSessionId failed)\n");
}
printf("Got session id [%d]\n", newsessionsid);
if (!WTSQueryUserToken(newsessionsid, &hPToken)) {
printf("WTSQueryUserToken failed %d\n", GetLastError());
}
if(!DuplicateTokenEx(hPToken,MAXIMUM_ALLOWED,NULL,SecurityIdentification,TokenPrimary,&newToken)) {
printf("DuplicateTokenEx failed %d\n", GetLastError());
}
DWORD dwsessionsid = 2;
SetTokenInformation(newToken,TokenSessionId,&dwsessionsid,sizeof(DWORD));
RtlZeroMemory(Cmd,0,sizeof(cmd));
bResult = CreateProcessAsUser(
newToken, // client's access token
//L"d:\\test.exe", // file to execute
NULL,
Cmd, // command line
NULL, // pointer to process SECURITY_ATTRIBUTES
NULL, // pointer to thread SECURITY_ATTRIBUTES
FALSE, // handles are not inheritable
dwCreationFlags , // creation flags
NULL, // pointer to new environment block
NULL, // name of current directory
&si, // pointer to STARTUPINFO structure
&pi // receives information about new process
);
// End impersonation of client.
int iResultOfCreateProcessAsUser = GetLastError();
if(bResult == FALSE && iResultOfCreateProcessAsUser != 0)
{
char pTemp[121];
sprintf_s(pTemp, "CreateProcessAsUser Error: %u\n", GetLastError());
printf(pTemp);
}
if(pi.hProcess)
{
CloseHandle(pi.hProcess);
}
if(pi.hThread)
{
CloseHandle(pi.hThread);
}
//Perform All the Close Handles task
if(hProcess)
{
CloseHandle(hProcess);
}
if(hPToken)
{
CloseHandle(hPToken);
}
return bResult;
}
int _tmain(int argc,wchar_t* argv[])
{
ActiveSessions();
wchar_t* cmd = argv[1];
LaunchAppIntoDifferentSession(cmd);
return 0;
}
createprocessasuer始终提示1314,还请各位帮我看看问题出在哪儿了。
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)
