设为首页 收藏本站

QQ登录

只需一步,快速开始

切换到宽版 切换风格

电脑疯子技术论坛|电脑极客社区

电脑疯子技术论坛|电脑极客社区»技术论坛 电脑疯子|资源分享 实用软件下载 帖子
微信扫一扫 分享朋友圈

已有 979 人浏览分享

服务进程创建一个带窗口的进程,过UAC

[复制链接]
979 0


  3. 主要代码如下:

  5. DWORD FindSessionPid(LPSTR lpProcessName, DWORD dwSessionId)
  6. {
  7. DWORD res = 0;
  8. PROCESSENTRY32 procEntry;
  9. HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
  10. if (hSnap == INVALID_HANDLE_VALUE)
  11. {
  12.    return res ;
  13. }
  14. procEntry.dwSize = sizeof(PROCESSENTRY32);
  15. if (!Process32First(hSnap, &procEntry))
  16. {
  17.    goto _end;
  18. }
  19. do
  20. {
  21.    if (_stricmp(procEntry.szExeFile, lpProcessName) == 0)
  22.    {
  23.     DWORD winlogonSessId = 0;
  24.     if (ProcessIdToSessionId(procEntry.th32ProcessID, &winlogonSessId) && winlogonSessId == dwSessionId)
  25.     {
  26.      res = procEntry.th32ProcessID;
  27.      break;
  28.     }
  29.    }
  30. } while (Process32Next(hSnap, &procEntry));
  31. _end:
  32. CloseHandle(hSnap);
  33. return res;
  34. }
  35. BOOL LaunchAppIntoDifferentSession(LPSTR lpCmdLine)
  36. {
  37. PROCESS_INFORMATION pi;
  38. STARTUPINFO si;
  39. BOOL bResult = FALSE;
  40. DWORD dwSessionId = 0, winlogonPid = 0;
  41. HANDLE hUserToken, hUserTokenDup, hPToken, hProcess;
  42. DWORD dwCreationFlags;
  43. // Log the client on to the local computer.
  44. typedef DWORD (WINAPI *__pfnWTSGetActiveConsoleSessionId)();
  45. typedef BOOL (WINAPI *__pfnWTSQueryUserToken)( ULONG SessionId, PHANDLE phToken );
  46. __pfnWTSGetActiveConsoleSessionId pfnWTSGetActiveConsoleSessionId =
  47.    (__pfnWTSGetActiveConsoleSessionId)GetProcAddress(LoadLibraryA("kernel32.dll"), "WTSGetActiveConsoleSessionId");
  48. __pfnWTSQueryUserToken pfnWTSQueryUserToken =
  49.    (__pfnWTSQueryUserToken)GetProcAddress(LoadLibraryA("Wtsapi32.dll"), "WTSQueryUserToken");
  50. if(pfnWTSGetActiveConsoleSessionId == NULL)
  51. {
  52.    WriteLog("Not found api: WTSGetActiveConsoleSessionId\n");
  53.    return 0;
  54. }
  55. if(pfnWTSQueryUserToken == NULL)
  56. {
  57.    WriteLog("Not found api: WTSQueryUserToken\n");
  58.    return 0;
  59. }
  60. dwSessionId = pfnWTSGetActiveConsoleSessionId();
  61. winlogonPid = FindSessionPid("explorer.exe", dwSessionId);
  62. if(winlogonPid == 0)
  63. {
  64.    winlogonPid = FindSessionPid("winlogon.exe", dwSessionId);
  65. }
  66. if(winlogonPid == 0)
  67. {
  68.    WriteLog("Can't Find Explorer\n");
  69.    return 0;
  70. }
  71. ////////////////////////////////////////////////////////////////////////
  72. dwCreationFlags = NORMAL_PRIORITY_CLASS|CREATE_NEW_CONSOLE;
  73. ZeroMemory(&si, sizeof(STARTUPINFO));
  74. si.cb= sizeof(STARTUPINFO);
  75. si.lpDesktop = "winsta0\\default";
  76. ZeroMemory(&pi, sizeof(pi));
  77. TOKEN_PRIVILEGES tp;
  78. LUID luid;
  79. LPVOID TokenInformation;
  80. DWORD RetLen = 0;
  81. if( !pfnWTSQueryUserToken(dwSessionId, &hUserToken) )
  82. {
  83.    hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, winlogonPid);
  84.    if(!OpenProcessToken(hProcess, TOKEN_ALL_ACCESS_P, &hPToken))
  85.    {
  86.     char pTemp[121];
  87.     sprintf(pTemp, "Process token open Error: %u\n", GetLastError());
  88.     WriteLog(pTemp);
  89.    }
  90.    if(hPToken == NULL)
  91.    {
  92.     WriteLog("Process tokenError: \n");
  93.    }
  94. }
  95. else
  96. {
  97.    hPToken = hUserToken;
  98. }

  100. if(GetTokenInformation(hPToken, TokenLinkedToken, &TokenInformation, 4, &RetLen))
  101. {
  102.    hUserTokenDup = TokenInformation;
  103. }
  104. else
  105. {
  106.     if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid))
  107.     {
  108.      char pTemp[121];
  109.      sprintf(pTemp, "Lookup Privilege value Error: %u\n", GetLastError());
  110.      WriteLog(pTemp);
  111.     }
  112.    if(!DuplicateTokenEx(hPToken, MAXIMUM_ALLOWED, NULL, SecurityIdentification, TokenPrimary, &hUserTokenDup))
  113.    {
  114.     char pTemp[121];
  115.     sprintf(pTemp, "DuplicateTokenEx Error: %u\n", GetLastError());
  116.     WriteLog(pTemp);
  117.    }
  118. }
  119. LPVOID pEnv = NULL;
  120. if(CreateEnvironmentBlock(&pEnv, hUserTokenDup, TRUE))
  121. {
  122.    dwCreationFlags |= CREATE_UNICODE_ENVIRONMENT;
  123. }
  124. else
  125. {
  126.    WriteLog("CreateEnvironmentBlock Failed\n");
  127.    pEnv = NULL;
  128. }
  129. // Launch the process in the client's logon session.
  130. bResult = CreateProcessAsUser(
  131.    hUserTokenDup,            // client's access token
  132.    NULL,       // file to execute
  133.    lpCmdLine,         // command line      
  134.    NULL,              // pointer to process SECURITY_ATTRIBUTES
  135.    NULL,              // pointer to thread SECURITY_ATTRIBUTES
  136.    FALSE,             // handles are not inheritable
  137.    dwCreationFlags,   // creation flags
  138.    pEnv,              // pointer to new environment block
  139.    NULL,              // name of current directory
  140.    &si,               // pointer to STARTUPINFO structure
  141.    &pi                // receives information about new process
  142.    );
  143. // End impersonation of client.
  144. //GetLastError Shud be 0
  145. int iResultOfCreateProcessAsUser = GetLastError();
  146. if(bResult == FALSE && iResultOfCreateProcessAsUser != 0)
  147. {
  148.    char pTemp[121];
  149.    sprintf(pTemp, "CreateProcessAsUser Error: %u\n", GetLastError());
  150.    WriteLog(pTemp);
  151. }
  152. if(pi.hProcess)
  153. {
  154.    CloseHandle(pi.hProcess);
  155. }
  156. if(pi.hThread)
  157. {
  158.    CloseHandle(pi.hThread);
  159. }
  160. //Perform All the Close Handles task
  161. if(hProcess)
  162. {
  163.    CloseHandle(hProcess);
  164. }
  165. if(hUserToken)
  166. {
  167.    CloseHandle(hUserToken);
  168. }
  169. if(hUserTokenDup)
  170. {
  171.    CloseHandle(hUserTokenDup);
  172. }
  173. if(hPToken)
  174. {
  175.    CloseHandle(hPToken);
  176. }
  177. if(pEnv)
  178. {
  179.    DestroyEnvironmentBlock(pEnv);
  180. }
  181. return bResult;
  182. }
  183. 调用方式:
  184. LaunchAppIntoDifferentSession("c:\\windows\\notepad.exe");

  186. 前提是有个服务进程已经启动,然后服务进程会以管理员模式(不需要用户点UAC的框)启动一个新的可以创建窗口的进程。
  187. 安装这个服务需要点UAC的框,所以不是什么不可公开的思路。好处就一点:每次自启动的进程,不需要再让用户点UAC框了
复制代码

return

相关帖子

举报

回复
返回列表
高级模式
B Color Image Link Quote Code Smilies
您需要登录后才可以回帖 登录 | 注册

本版积分规则

bek
管理员

1

关注

23

粉丝

2901

主题
精彩推荐
电脑疯子技术论坛GHOST WIN10X64 快速装机版201909
电脑疯子技术论坛GHOST WIN10X64 快速装机
电脑疯子 GHOST WIN7 X86 快速装机版202001
电脑疯子 GHOST WIN7 X86 快速装机版202001
电脑疯子 GHOST WIN7 X64 快速装机版202001
电脑疯子 GHOST WIN7 X64 快速装机版202001
电脑疯子技术论坛GHOST WIN10X86 快速装机版201909
电脑疯子技术论坛GHOST WIN10X86 快速装机
热门资讯
网友晒图
图文推荐

Powered by Pcgho! X3.4

© 2008-2022 Pcgho Inc.