【权限与会话】提权

这篇文章会给你带来？

1. 直接 Copy 就可以使用的提权代码以及如何使用

提权

相关头文件

#include <windows.h>  
#include <tlhelp32.h>  

代码

BOOL  EnablePrivilege(LPCTSTR lpszPrivilegeName, BOOL bEnable)
{
    int nResult = FALSE;
    int nRetCode = FALSE;
    HANDLE hToken = NULL;
    TOKEN_PRIVILEGES tkp = { 0 };

    do
    {
        nRetCode = ::OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken);
        if (!nRetCode)
            break;

        nRetCode = ::LookupPrivilegeValue(NULL, lpszPrivilegeName, &tkp.Privileges[0].Luid);
        if (!nRetCode)
            break;

        tkp.PrivilegeCount = 1;
        tkp.Privileges[0].Attributes = bEnable ? SE_PRIVILEGE_ENABLED : 0;
        nRetCode = ::AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof(tkp), NULL, NULL);
        if (!nRetCode)
            break;

        nResult = TRUE;
    } while (FALSE);

    if (hToken != NULL)
    {
        CloseHandle(hToken);
    }

    return nResult;
}

HANDLE GetExplorerToken()
{
    EnablePrivilege(SE_DEBUG_NAME, TRUE);

    HANDLE hSnapshot = ::CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnapshot == INVALID_HANDLE_VALUE)
    {
        return NULL;
    }

    HANDLE hExplorerToken = NULL;
    PROCESSENTRY32 pe = { 0 };
    pe.dwSize = sizeof(pe);

    BOOL bMore = ::Process32First(hSnapshot, &pe);
    while (bMore)
    {
        if (_tcsicmp("explorer.exe", pe.szExeFile) == 0)
        {
            HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, pe.th32ProcessID);
            if (hProcess == NULL)
            {
                continue;
            }
            if (OpenProcessToken(hProcess, TOKEN_QUERY, &hExplorerToken))
            {
                CloseHandle(hProcess);
                break;
            }

            CloseHandle(hProcess);
        }
        bMore = ::Process32Next(hSnapshot, &pe);
    }
    CloseHandle(hSnapshot);

    return hExplorerToken;
}

也可以使用下边这段代码

BOOL EnableDebugPrivilege() {
	HANDLE hToken;
	BOOL fOk = FALSE;
	if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken)) {
		TOKEN_PRIVILEGES tp;
		tp.PrivilegeCount = 1;
		LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid);

		tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
		AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL);

		fOk = (GetLastError() == ERROR_SUCCESS);
		CloseHandle(hToken);
	}
	return fOk;
}

将权限设置为入参形式：

BOOL EnableXXXPrivilege(LPCTSTR pszPrivilegeName)
{
	HANDLE hToken;
	LUID seXXXNameValue;
	TOKEN_PRIVILEGES tkp;
	
	// enable the SeXXXPrivilege
	if ( ! OpenProcessToken( GetCurrentProcess(),
		TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken ) )
	{
		MYTRACE(L"OpenProcessToken() failed, Error = %d  %s is not available.\n" , GetLastError(), pszPrivilegeName );
		return FALSE;
	}
	
	if ( !LookupPrivilegeValue( NULL, pszPrivilegeName, &seXXXNameValue))
	{
		MYTRACE(L"LookupPrivilegeValue() failed, Error = %d %s is not available.\n", GetLastError(), pszPrivilegeName);
		CloseHandle( hToken );
		return FALSE;
	}
	
	tkp.PrivilegeCount = 1;
	tkp.Privileges[0].Luid = seXXXNameValue;
	tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
	
	if ( !AdjustTokenPrivileges( hToken, FALSE, &tkp, sizeof tkp, NULL, NULL ))
	{
		MYTRACE(L"AdjustTokenPrivileges() failed, Error = %d %s is not available.\n", GetLastError(),pszPrivilegeName);
		CloseHandle( hToken );
		return FALSE;
	}
	
	CloseHandle( hToken );

	return TRUE;
}

使用

HANDLE hExplorerToken = GetExplorerToken();
if (hExplorerToken == NULL)
    break;

char szUserProfilePath[MAX_PATH] = { 0 };
DWORD cchSize = MAX_PATH;
if (!GetUserProfileDirectoryA(hExplorerToken, szUserProfilePath, &cchSize))
{
    CloseHandle(hExplorerToken);
    break;
}