这篇文章会给你带来?
- 直接 Copy 就可以使用的提权代码以及如何使用（注意：这里的"提权"指用 AdjustTokenPrivileges 启用当前令牌里已经拥有、但默认未启用的特权，例如 SeDebugPrivilege；它不能获得令牌里本来没有的特权——普通用户进程调用后仍然没有 SeDebugPrivilege，此时 AdjustTokenPrivileges 返回 TRUE 但 GetLastError() 为 ERROR_NOT_ALL_ASSIGNED，下面的代码必须检查这一点）
提权
相关头文件
#include <windows.h>
#include <tchar.h>      // _T(), _tcsicmp() used by GetExplorerToken
#include <tlhelp32.h>   // CreateToolhelp32Snapshot / Process32First / Process32Next
#include <userenv.h>    // GetUserProfileDirectoryA used in the usage snippet
#pragma comment(lib, "userenv.lib")
代码
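// Enables (bEnable != FALSE) or disables a named privilege in the current
// process token.
//
// lpszPrivilegeName: privilege name constant such as SE_DEBUG_NAME.
// bEnable:           TRUE to set SE_PRIVILEGE_ENABLED, FALSE to clear it
//                    (clearing is not SE_PRIVILEGE_REMOVED; the privilege
//                    stays in the token, just disabled).
// Returns TRUE only when the privilege is actually in the requested state.
//
// AdjustTokenPrivileges can only toggle privileges the token already holds;
// it does not grant new ones. When the token lacks the privilege the call
// still returns TRUE and signals the failure only via GetLastError() ==
// ERROR_NOT_ALL_ASSIGNED. The original version ignored that and reported
// success for a standard-user token asking for SeDebugPrivilege.
BOOL EnablePrivilege(LPCTSTR lpszPrivilegeName, BOOL bEnable)
{
    BOOL bResult = FALSE;
    HANDLE hToken = NULL;
    TOKEN_PRIVILEGES tkp = { 0 };

    do
    {
        // TOKEN_QUERY is not strictly needed when PreviousState is NULL, but
        // it is harmless and matches the other helpers in this file.
        if (!::OpenProcessToken(::GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
            break;
        if (!::LookupPrivilegeValue(NULL, lpszPrivilegeName, &tkp.Privileges[0].Luid))
            break;

        tkp.PrivilegeCount = 1;
        tkp.Privileges[0].Attributes = bEnable ? SE_PRIVILEGE_ENABLED : 0;

        if (!::AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof(tkp), NULL, NULL))
            break;
        // TRUE does not mean the privilege was adjusted -- check the
        // documented "partial success" error code.
        if (::GetLastError() == ERROR_NOT_ALL_ASSIGNED)
            break;

        bResult = TRUE;
    } while (FALSE);

    if (hToken != NULL)
        ::CloseHandle(hToken);
    return bResult;
}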
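// Returns a TOKEN_QUERY handle to the token of the first process named
// "explorer.exe" found in a Toolhelp snapshot, or NULL if none could be
// opened. The caller owns the returned handle and must CloseHandle() it.
//
// Fixes relative to the original:
//  - If OpenProcess() failed for an explorer.exe entry, the original
//    `continue` skipped Process32Next() and spun forever on the same entry.
//  - The narrow literal "explorer.exe" does not compile against the TCHAR
//    szExeFile field in a UNICODE build; _T() matches the build's character
//    type (tchar.h).
//
// Security caveats a caller should know:
//  - Selection is by image name only. Any process can be called explorer.exe,
//    including one started by a different, less trusted user; and on a host
//    with several logged-on sessions this returns whichever explorer.exe the
//    snapshot lists first, not necessarily the session you care about. If you
//    need "the interactive user of session X", select by session id / owner
//    rather than by name.
//  - TOKEN_QUERY is enough for read-only lookups such as
//    GetUserProfileDirectory, but not for impersonation or
//    CreateProcessAsUser, which require additional access rights
//    (TOKEN_DUPLICATE and friends -- see the target API's docs).
//  - EnablePrivilege()'s result is deliberately ignored: SeDebugPrivilege
//    only helps open processes we otherwise lack access to, and is only
//    obtainable if the token already holds it.
HANDLE GetExplorerToken()
{
    EnablePrivilege(SE_DEBUG_NAME, TRUE);

    HANDLE hSnapshot = ::CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnapshot == INVALID_HANDLE_VALUE)
        return NULL;

    HANDLE hExplorerToken = NULL;
    PROCESSENTRY32 pe = { 0 };
    pe.dwSize = sizeof(pe);

    // `continue` inside a for-loop still runs Process32Next(), so a failed
    // OpenProcess() moves on to the next entry instead of looping forever.
    for (BOOL bMore = ::Process32First(hSnapshot, &pe); bMore; bMore = ::Process32Next(hSnapshot, &pe))
    {
        if (_tcsicmp(_T("explorer.exe"), pe.szExeFile) != 0)
            continue;

        // NOTE(review): PROCESS_QUERY_LIMITED_INFORMATION is reportedly enough
        // for OpenProcessToken on Vista+ and is the least-privilege choice;
        // kept as in the original -- verify on the target OS before changing.
        HANDLE hProcess = ::OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, pe.th32ProcessID);
        if (hProcess == NULL)
            continue;

        BOOL bOpened = ::OpenProcessToken(hProcess, TOKEN_QUERY, &hExplorerToken);
        ::CloseHandle(hProcess);
        if (bOpened)
            break;
    }

    ::CloseHandle(hSnapshot);
    return hExplorerToken;
}
也可以使用下边这段代码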
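// Enables SeDebugPrivilege in the current process token.
// Returns TRUE only if the privilege is now enabled; FALSE if the token
// could not be opened, the privilege name could not be resolved, or the
// token does not hold the privilege (ERROR_NOT_ALL_ASSIGNED).
//
// Only TOKEN_ADJUST_PRIVILEGES is requested: that is all AdjustTokenPrivileges
// needs when PreviousState is NULL.
BOOL EnableDebugPrivilege() {
    HANDLE hToken = NULL;
    BOOL fOk = FALSE;
    if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken)) {
        TOKEN_PRIVILEGES tp = { 0 };
        tp.PrivilegeCount = 1;
        tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
        // The original did not check this; on failure it passed an
        // uninitialised LUID to AdjustTokenPrivileges.
        if (LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid)) {
            // A TRUE return is not sufficient: when the token lacks the
            // privilege the call succeeds and GetLastError() reports
            // ERROR_NOT_ALL_ASSIGNED, so require ERROR_SUCCESS explicitly.
            fOk = AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL)
                  && GetLastError() == ERROR_SUCCESS;
        }
        CloseHandle(hToken);
    }
    return fOk;
}
将权限设置为入参形式: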
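// Enables the named privilege (e.g. SE_DEBUG_NAME) in the current process
// token, logging each failure through MYTRACE (defined elsewhere).
// Returns TRUE only if the privilege is actually enabled afterwards.
//
// Functionally this is EnablePrivilege(pszPrivilegeName, TRUE) with tracing;
// the two should stay in agreement.
//
// Fix relative to the original: AdjustTokenPrivileges returns TRUE even when
// the token does not hold the privilege, reporting that only through
// GetLastError() == ERROR_NOT_ALL_ASSIGNED. The original returned TRUE in
// that case, so callers believed they had a privilege they did not have.
//
// NOTE(review): the format strings are wide (L"...") but pszPrivilegeName is
// LPCTSTR; with %s this only lines up in a UNICODE build. Confirm MYTRACE's
// expectations if the project is built ANSI.
BOOL EnableXXXPrivilege(LPCTSTR pszPrivilegeName)
{
    HANDLE hToken = NULL;
    LUID seXXXNameValue = { 0 };
    TOKEN_PRIVILEGES tkp = { 0 };

    // enable the SeXXXPrivilege
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
    {
        MYTRACE(L"OpenProcessToken() failed, Error = %d %s is not available.\n", GetLastError(), pszPrivilegeName);
        return FALSE;
    }
    if (!LookupPrivilegeValue(NULL, pszPrivilegeName, &seXXXNameValue))
    {
        MYTRACE(L"LookupPrivilegeValue() failed, Error = %d %s is not available.\n", GetLastError(), pszPrivilegeName);
        CloseHandle(hToken);
        return FALSE;
    }

    tkp.PrivilegeCount = 1;
    tkp.Privileges[0].Luid = seXXXNameValue;
    tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

    if (!AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof tkp, NULL, NULL))
    {
        MYTRACE(L"AdjustTokenPrivileges() failed, Error = %d %s is not available.\n", GetLastError(), pszPrivilegeName);
        CloseHandle(hToken);
        return FALSE;
    }
    // TRUE only means the request was well-formed; "privilege not held" is
    // a documented partial-success code that must be checked separately.
    if (GetLastError() == ERROR_NOT_ALL_ASSIGNED)
    {
        MYTRACE(L"AdjustTokenPrivileges(): %s is not held by this token (ERROR_NOT_ALL_ASSIGNED).\n", pszPrivilegeName);
        CloseHandle(hToken);
        return FALSE;
    }

    CloseHandle(hToken);
    return TRUE;
}
使用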
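// Usage: look up the profile directory of the user whose explorer.exe we
// found. This snippet is meant to sit inside a do { ... } while (FALSE) (or
// similar) so that `break` is legal; that enclosing block is not shown here.
HANDLE hExplorerToken = GetExplorerToken();
if (hExplorerToken == NULL)
    break;

// The original declared szUserprofilePath but passed szUserProfilePath, so it
// did not compile; the two names now match.
// NOTE(review): MAX_PATH is assumed large enough for the profile path. If
// GetUserProfileDirectoryA fails with ERROR_INSUFFICIENT_BUFFER, cchSize holds
// the required size -- consider retrying with a larger buffer.
// The token was opened with TOKEN_QUERY, which appears sufficient for this
// read-only lookup; confirm against the API docs if the access mask changes.
char szUserProfilePath[MAX_PATH] = { 0 };
DWORD cchSize = MAX_PATH;   // in: buffer size in chars; out: required size on failure
if (!GetUserProfileDirectoryA(hExplorerToken, szUserProfilePath, &cchSize))
{
    CloseHandle(hExplorerToken);
    break;
}
// Remember to CloseHandle(hExplorerToken) on the success path as well once
// the token is no longer needed (not shown in the original snippet).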