标签:tokenPrivileges 令牌 return ShowError Windows 黑客 FALSE bRet
描述
- 利用AdjustTokenPrivileges提升进程的令牌访问权限
代码
外层调用
#include "stdafx.h"
#include "AdjustToken.h"
int _tmain(int argc, _TCHAR* argv[])
{
if (FALSE == EnbalePrivileges(::GetCurrentProcess(), SE_DEBUG_NAME))
{
printf("Enbale Privileges Error!\n");
}
printf("Enbale Privileges OK!\n");
system("pause");
return 0;
}
里层实现
- 获取当前进程令牌
- 根据要提升的令牌名查询对应Luid
- 调用AdjustTokenPrivileges提升令牌权限
- 根据GetLastError函数返回值判断是否完成提升
#include "stdafx.h"
#include "AdjustToken.h"
void ShowError(char* pszText)
{
char szErr[MAX_PATH] = { 0 };
::wsprintf(szErr, "%s Error[%d]\n", pszText, ::GetLastError());
::MessageBox(NULL, szErr, "ERROR", MB_OK);
}
BOOL EnbalePrivileges(HANDLE hProcess, char* pszPrivilegesName)
{
HANDLE hToken = NULL;
LUID luidValue = { 0 };
TOKEN_PRIVILEGES tokenPrivileges = { 0 };
BOOL bRet = FALSE;
DWORD dwRet = 0;
bRet = ::OpenProcessToken(hProcess, TOKEN_ADJUST_PRIVILEGES, &hToken);
if (FALSE == bRet)
{
ShowError("OpenProcessToken");
return FALSE;
}
bRet = ::LookupPrivilegeValue(NULL, pszPrivilegesName, &luidValue);
if (FALSE == bRet)
{
ShowError("LookupPrivilegeValue");
return FALSE;
}
tokenPrivileges.PrivilegeCount = 1;
tokenPrivileges.Privileges[0].Luid = luidValue;
tokenPrivileges.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
bRet = ::AdjustTokenPrivileges(hToken, FALSE, &tokenPrivileges, 0, NULL, NULL);
if (FALSE == bRet)
{
ShowError("AdjustTokenPrivileges");
return FALSE;
}
else
{
dwRet = ::GetLastError();
if (ERROR_SUCCESS == dwRet)
{
return TRUE;
}
else if (ERROR_NOT_ALL_ASSIGNED == dwRet)
{
ShowError("ERROR_NOT_ALL_ASSIGNED");
return FALSE;
}
}
return FALSE;
}
结果
- 管理员权限运行程序,成功获得
SE_DEBUG_NAME令牌权限
标签:tokenPrivileges,
令牌,
return,
ShowError,
Windows,
黑客,
FALSE,
bRet
From: https://www.cnblogs.com/z5onk0/p/17153977.html