{"id":123,"date":"2009-07-17T19:51:19","date_gmt":"2009-07-17T19:51:19","guid":{"rendered":""},"modified":"2011-11-18T16:58:39","modified_gmt":"2011-11-18T08:58:39","slug":"123","status":"publish","type":"post","link":"http:\/\/zerobox.org\/notes\/123.html","title":{"rendered":"\u521b\u5efa\u9ad8\u6743\u9650\u8fdb\u7a0b"},"content":{"rendered":"

\u3010\u8f6c\u8f7d\u3011
\n\/\/ \u5199\u8fd9\u4e2a\u521d\u8877\u662f\u4e3a\u4e86\u8ba9 Windows \u4efb\u52a1\u7ba1\u7406\u5668\u53ef\u4ee5\u7ed3\u675f\u6389\u4e00\u4e9b\u670d\u52a1
\n\/\/ \u548c\u50f5\u6b7b\u8fdb\u7a0b\uff0c\u7528 pslist\/pskill \u4e4b\u7c7b\u5de5\u5177\u65e0\u6cd5\u83b7\u5f97\u8c61\u4efb\u52a1\u7ba1\u7406
\n\/\/ \u5668\u90a3\u6837\u4e30\u5bcc\u7684\u4fe1\u606f\uff0c\u8fd8\u5f97\u6765\u56de\u5207\u6362\uff0c\u9ebb\u70e6\u7684\u5f88\u3002\u6700\u521d\u60f3\u5199\u4e2a\u9a71\u52a8
\n\/\/ \u76d1\u89c6\u4efb\u52a1\u7ba1\u7406\u5668\u8fd0\u884c\uff0c\u4f7f\u7528 SYSTEM \u8fdb\u7a0b TOKEN \u66ff\u6362\u6765\u8fbe\u5230\u76ee\u7684\u3002
\n\/\/ \u540e\u6765\u89c9\u5f97\u901a\u7528\u6027\u4e0d\u597d\uff0c\u5c31\u6539\u7528\u4e86\u8fd9\u79cd\u65b9\u6cd5\u3002\u6b64\u65b9\u6cd5\u8fd8\u53ef\u4f7f regedit
\n\/\/ \u67e5\u770b\u3001\u7f16\u8f91 SAM \u7b49\u6ce8\u518c\u8868\u952e\uff0c\u4f55\u4e50\u800c\u4e0d\u4e3a\u3002
\n\/\/
\n\/\/ wssrun taskmgr.exe
\n\/\/ wssrun regedit.exe
\n\/\/<\/span><\/p>\n

#include
\n#include
\n#include
\n#include
\n#include
\n#include
\n#include<\/p>\n

#pragma comment(lib,”Shlwapi.lib”)<\/p>\n

\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
\n\/\/ \u51fd\u6570\u7c7b\u578b :\u81ea\u5b9a\u4e49\u5de5\u5177\u51fd\u6570
\n\/\/ \u51fd\u6570\u6a21\u5757 :
\n\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
\n\/\/ \u529f\u80fd :\u63d0\u5347\u5f53\u524d\u8fdb\u7a0b\u6743\u9650
\n\/\/ \u6ce8\u610f :
\n\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
\n\/\/ \u4f5c\u8005 : sinister
\n\/\/ \u53d1\u5e03\u7248\u672c : 1.00.00
\n\/\/ \u53d1\u5e03\u65e5\u671f : 2006.2.09
\n\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
\n\/\/ \u91cd\u00a0\u00a0\u5927\u00a0\u00a0\u4fee\u00a0\u00a0\u6539\u00a0\u00a0\u5386\u00a0\u00a0\u53f2
\n\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
\n\/\/ \u4fee\u6539\u8005 :
\n\/\/ \u4fee\u6539\u65e5\u671f :
\n\/\/ \u4fee\u6539\u5185\u5bb9 :
\n\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/<\/p>\n

BOOL
\nEnableDebugPriv( LPCTSTR szPrivilege )
\n{
\nHANDLE hToken;
\nLUID sedebugnameValue;
\nTOKEN_PRIVILEGES tkp;<\/p>\n

if ( !OpenProcessToken( GetCurrentProcess(),
\nTOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,
\n&hToken ) )
\n{
\nreturn FALSE;
\n}
\nif ( !LookupPrivilegeValue( NULL, szPrivilege, &sedebugnameValue ) )
\n{
\nCloseHandle( hToken );
\nreturn FALSE;
\n}<\/p>\n

tkp.PrivilegeCount = 1;
\ntkp.Privileges[0].Luid = sedebugnameValue;
\ntkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;<\/p>\n

if ( !AdjustTokenPrivileges( hToken, FALSE, &tkp, sizeof tkp, NULL, NULL ) )
\n{
\nCloseHandle( hToken );
\nreturn FALSE;
\n}<\/p>\n

return TRUE;
\n}<\/p>\n

\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
\n\/\/ \u51fd\u6570\u7c7b\u578b :\u81ea\u5b9a\u4e49\u5de5\u5177\u51fd\u6570
\n\/\/ \u51fd\u6570\u6a21\u5757 :
\n\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
\n\/\/ \u529f\u80fd :\u901a\u8fc7\u6307\u5b9a\u8fdb\u7a0b\u540d\u5f97\u5230\u5176\u8fdb\u7a0b ID
\n\/\/ \u6ce8\u610f :
\n\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
\n\/\/ \u4f5c\u8005 : sinister
\n\/\/ \u53d1\u5e03\u7248\u672c : 1.00.00
\n\/\/ \u53d1\u5e03\u65e5\u671f : 2006.2.09
\n\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
\n\/\/ \u91cd\u00a0\u00a0\u5927\u00a0\u00a0\u4fee\u00a0\u00a0\u6539\u00a0\u00a0\u5386\u00a0\u00a0\u53f2
\n\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
\n\/\/ \u4fee\u6539\u8005 :
\n\/\/ \u4fee\u6539\u65e5\u671f :
\n\/\/ \u4fee\u6539\u5185\u5bb9 :
\n\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/<\/p>\n

DWORD
\nGetProcessId( LPCTSTR szProcName )
\n{
\nPROCESSENTRY32 pe;
\nDWORD dwPid;
\nDWORD dwRet;
\nBOOL bFound = FALSE;<\/p>\n

\/\/
\n\/\/ \u901a\u8fc7 TOOHLP32 \u51fd\u6570\u679a\u4e3e\u8fdb\u7a0b
\n\/\/<\/p>\n

HANDLE hSP = CreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0 );
\nif ( hSP )
\n{
\npe.dwSize = sizeof( pe );<\/p>\n

for ( dwRet = Process32First( hSP, &pe );
\ndwRet;
\ndwRet = Process32Next( hSP, &pe ) )
\n{
\n\/\/
\n\/\/ \u4f7f\u7528 StrCmpNI \u6bd4\u8f83\u5b57\u7b26\u4f20\uff0c\u53ef\u5ffd\u7565\u5927\u5c0f\u5199
\n\/\/
\nif ( StrCmpNI( szProcName, pe.szExeFile, strlen( szProcName ) ) == 0 )
\n{
\ndwPid = pe.th32ProcessID;
\nbFound = TRUE;
\nbreak;
\n}
\n}<\/p>\n

CloseHandle( hSP );<\/p>\n

if ( bFound == TRUE )
\n{
\nreturn dwPid;
\n}
\n}<\/p>\n

return NULL;
\n}<\/p>\n

\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
\n\/\/ \u51fd\u6570\u7c7b\u578b :\u81ea\u5b9a\u4e49\u5de5\u5177\u51fd\u6570
\n\/\/ \u51fd\u6570\u6a21\u5757 :
\n\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
\n\/\/ \u529f\u80fd : \u521b\u5efa\u5177\u6709\u9ad8\u6743\u9650\u7684\u8fdb\u7a0b
\n\/\/ \u6ce8\u610f :
\n\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
\n\/\/ \u4f5c\u8005 : sinister
\n\/\/ \u53d1\u5e03\u7248\u672c : 1.00.00
\n\/\/ \u53d1\u5e03\u65e5\u671f : 2006.2.09
\n\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
\n\/\/ \u91cd\u00a0\u00a0\u5927\u00a0\u00a0\u4fee\u00a0\u00a0\u6539\u00a0\u00a0\u5386\u00a0\u00a0\u53f2
\n\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
\n\/\/ \u4fee\u6539\u8005 :
\n\/\/ \u4fee\u6539\u65e5\u671f :
\n\/\/ \u4fee\u6539\u5185\u5bb9 :
\n\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/<\/p>\n

BOOL
\nCreateSystemProcess( LPTSTR szProcessName )
\n{
\nHANDLE hProcess;
\nHANDLE hToken, hNewToken;
\nDWORD dwPid;<\/p>\n

PACL pOldDAcl = NULL;
\nPACL pNewDAcl = NULL;
\nBOOL bDAcl;
\nBOOL bDefDAcl;
\nDWORD dwRet;<\/p>\n

PACL pSacl = NULL;
\nPSID pSidOwner = NULL;
\nPSID pSidPrimary = NULL;
\nDWORD dwAclSize = 0;
\nDWORD dwSaclSize = 0;
\nDWORD dwSidOwnLen = 0;
\nDWORD dwSidPrimLen = 0;<\/p>\n

DWORD dwSDLen;
\nEXP<\/span>LICIT_ACCESS ea;
\nPSECURITY_DESCRIPTOR pOrigSd = NULL;
\nPSECURITY_DESCRIPTOR pNewSd = NULL;<\/p>\n

STARTUPINFO si;
\nPROCESS_INFORMATION pi;<\/p>\n

BOOL bError;<\/p>\n

if ( !EnableDebugPriv( “SeDebugPrivilege” ) )
\n{
\nprintf( “EnableDebugPriv() to failed!
\n” );<\/p>\n

bError = TRUE;
\ngoto Cleanup;
\n}<\/p>\n

\/\/
\n\/\/ \u9009\u62e9 WINLOGON \u8fdb\u7a0b
\n\/\/
\nif ( ( dwPid = GetProcessId( “WINLOGON.EXE” ) ) == NULL )
\n{
\nprintf( “GetProcessId() to failed!
\n” );<\/p>\n

bError = TRUE;
\ngoto Cleanup;
\n}<\/p>\n

hProcess = OpenProcess( PROCESS_QUERY_INFORMATION, FALSE, dwPid );
\nif ( hProcess == NULL )
\n{
\nprintf( “OpenProcess() = %d
\n“, GetLastError() );<\/p>\n

bError = TRUE;
\ngoto Cleanup;
\n}<\/p>\n

if ( !OpenProcessToken( hProcess, READ_CONTROL | WRITE_DAC, &hToken ) )
\n{
\nprintf( “OpenProcessToken() = %d
\n“, GetLastError() );<\/p>\n

bError = TRUE;
\ngoto Cleanup;
\n}<\/p>\n

\/\/
\n\/\/ \u8bbe\u7f6e ACE \u5177\u6709\u6240\u6709\u8bbf\u95ee\u6743\u9650
\n\/\/
\nZeroMemory( &ea, sizeof( EXPLICIT_ACCESS ) );
\nBuildExplicitAccessWithName( &ea,
\n“Everyone”,
\nTOKEN_ALL_ACCESS,
\nGRANT_ACCESS,
\n0 );<\/p>\n

if ( !GetKernelObjectSecurity( hToken,
\nDACL_SECURITY_INFORMATION,
\npOrigSd,
\n0,
\n&dwSDLen ) )
\n{
\n\/\/
\n\/\/ \u7b2c\u4e00\u6b21\u8c03\u7528\u7ed9\u51fa\u7684\u53c2\u6570\u80af\u5b9a\u8fd4\u56de\u8fd9\u4e2a\u9519\u8bef\uff0c\u8fd9\u6837\u505a\u7684\u76ee\u7684\u662f
\n\/\/ \u4e3a\u4e86\u5f97\u5230\u539f\u5b89\u5168\u63cf\u8ff0\u7b26 pOrigSd \u7684\u957f\u5ea6
\n\/\/
\nif ( GetLastError() == ERROR_INSUFFICIENT_BUFFER )
\n{
\npOrigSd = ( PSECURITY_DESCRIPTOR ) HeapAlloc( GetProcessHeap(),
\nHEAP_ZERO_MEMORY,
\ndwSDLen );
\nif ( pOrigSd == NULL )
\n{
\nprintf( “Allocate pSd memory to failed!
\n” );<\/p>\n

bError = TRUE;
\ngoto Cleanup;
\n}<\/p>\n

\/\/
\n\/\/ \u518d\u6b21\u8c03\u7528\u624d\u6b63\u786e\u5f97\u5230\u5b89\u5168\u63cf\u8ff0\u7b26 pOrigSd
\n\/\/
\nif ( !GetKernelObjectSecurity( hToken,
\nDACL_SECURITY_INFORMATION,
\npOrigSd,
\ndwSDLen,
\n&dwSDLen ) )
\n{
\nprintf( “GetKernelObjectSecurity() = %d
\n“, GetLastError() );
\nbError = TRUE;
\ngoto Cleanup;
\n}
\n}
\nelse
\n{
\nprintf( “GetKernelObjectSecurity() = %d
\n“, GetLastError() );
\nbError = TRUE;
\ngoto Cleanup;
\n}
\n}<\/p>\n

\/\/
\n\/\/ \u5f97\u5230\u539f\u5b89\u5168\u63cf\u8ff0\u7b26\u7684\u8bbf\u95ee\u63a7\u5236\u5217\u8868 ACL
\n\/\/
\nif ( !GetSecurityDescriptorDacl( pOrigSd, &bDAcl, &pOldDAcl, &bDefDAcl ) )
\n{
\nprintf( “GetSecurityDescriptorDacl() = %d
\n“, GetLastError() );<\/p>\n

bError = TRUE;
\ngoto Cleanup;
\n}<\/p>\n

\/\/
\n\/\/ \u751f\u6210\u65b0 ACE \u6743\u9650\u7684\u8bbf\u95ee\u63a7\u5236\u5217\u8868 ACL
\n\/\/
\ndwRet = SetEntriesInAcl( 1, &ea, pOldDAcl, &pNewDAcl );
\nif ( dwRet != ERROR_SUCCESS )
\n{
\nprintf( “SetEntriesInAcl() = %d
\n“, GetLastError() );
\npNewDAcl = NULL;<\/p>\n

bError = TRUE;
\ngoto Cleanup;
\n}<\/p>\n

if ( !MakeAbsoluteSD( pOrigSd,
\npNewSd,
\n&dwSDLen,
\npOldDAcl,
\n&dwAclSize,
\npSacl,
\n&dwSaclSize,
\npSidOwner,
\n&dwSidOwnLen,
\npSidPrimary,
\n&dwSidPrimLen ) )
\n{
\n\/\/
\n\/\/ \u7b2c\u4e00\u6b21\u8c03\u7528\u7ed9\u51fa\u7684\u53c2\u6570\u80af\u5b9a\u8fd4\u56de\u8fd9\u4e2a\u9519\u8bef\uff0c\u8fd9\u6837\u505a\u7684\u76ee\u7684\u662f
\n\/\/ \u4e3a\u4e86\u521b\u5efa\u65b0\u7684\u5b89\u5168\u63cf\u8ff0\u7b26 pNewSd \u800c\u5f97\u5230\u5404\u9879\u7684\u957f\u5ea6
\n\/\/
\nif ( GetLastError() == ERROR_INSUFFICIENT_BUFFER )
\n{
\npOldDAcl = ( PACL ) HeapAlloc( GetProcessHeap(),
\nHEAP_ZERO_MEMORY,
\ndwAclSize );
\npSacl = ( PACL ) HeapAlloc( GetProcessHeap(),
\nHEAP_ZERO_MEMORY,
\ndwSaclSize );
\npSidOwner = ( PSID ) HeapAlloc( GetProcessHeap(),
\nHEAP_ZERO_MEMORY,
\ndwSidOwnLen );
\npSidPrimary = ( PSID ) HeapAlloc( GetProcessHeap(),
\nHEAP_ZERO_MEMORY,
\ndwSidPrimLen );
\npNewSd = ( PSECURITY_DESCRIPTOR ) HeapAlloc( GetProcessHeap(),
\nHEAP_ZERO_MEMORY,
\ndwSDLen );<\/p>\n

if ( pOldDAcl == NULL ||
\npSacl == NULL ||
\npSidOwner == NULL ||
\npSidPrimary == NULL ||
\npNewSd == NULL )
\n{
\nprintf( “Allocate SID or ACL to failed!
\n” );<\/p>\n

bError = TRUE;
\ngoto Cleanup;
\n}<\/p>\n

\/\/
\n\/\/ \u518d\u6b21\u8c03\u7528\u624d\u53ef\u4ee5\u6210\u529f\u521b\u5efa\u65b0\u7684\u5b89\u5168\u63cf\u8ff0\u7b26 pNewSd
\n\/\/ \u4f46\u65b0\u7684\u5b89\u5168\u63cf\u8ff0\u7b26\u4ecd\u7136\u662f\u539f\u8bbf\u95ee\u63a7\u5236\u5217\u8868 ACL
\n\/\/
\nif ( !MakeAbsoluteSD( pOrigSd,
\npNewSd,
\n&dwSDLen,
\npOldDAcl,
\n&dwAclSize,
\npSacl,
\n&dwSaclSize,
\npSidOwner,
\n&dwSidOwnLen,
\npSidPrimary,
\n&dwSidPrimLen ) )
\n{
\nprintf( “MakeAbsoluteSD() = %d
\n“, GetLastError() );<\/p>\n

bError = TRUE;
\ngoto Cleanup;
\n}
\n}
\nelse
\n{
\nprintf( “MakeAbsoluteSD() = %d
\n“, GetLastError() );<\/p>\n

bError = TRUE;
\ngoto Cleanup;
\n}
\n}<\/p>\n

\/\/
\n\/\/ \u5c06\u5177\u6709\u6240\u6709\u8bbf\u95ee\u6743\u9650\u7684\u8bbf\u95ee\u63a7\u5236\u5217\u8868 pNewDAcl \u52a0\u5165\u5230\u65b0\u7684
\n\/\/ \u5b89\u5168\u63cf\u8ff0\u7b26 pNewSd \u4e2d
\n\/\/
\nif ( !SetSecurityDescriptorDacl( pNewSd, bDAcl, pNewDAcl, bDefDAcl ) )
\n{
\nprintf( “SetSecurityDescriptorDacl() = %d
\n“, GetLastError() );<\/p>\n

bError = TRUE;
\ngoto Cleanup;
\n}<\/p>\n

\/\/
\n\/\/ \u5c06\u65b0\u7684\u5b89\u5168\u63cf\u8ff0\u7b26\u52a0\u5230 TOKEN \u4e2d
\n\/\/
\nif ( !SetKernelObjectSecurity( hToken, DACL_SECURITY_INFORMATION, pNewSd ) )
\n{
\nprintf( “SetKernelObjectSecurity() = %d
\n“, GetLastError() );<\/p>\n

bError = TRUE;
\ngoto Cleanup;
\n}<\/p>\n

\/\/
\n\/\/ \u518d\u6b21\u6253\u5f00 WINLOGON \u8fdb\u7a0b\u7684 TOKEN\uff0c\u8fd9\u65f6\u5df2\u7ecf\u5177\u6709\u6240\u6709\u8bbf\u95ee\u6743\u9650
\n\/\/
\nif ( !OpenProcessToken( hProcess, TOKEN_ALL_ACCESS, &hToken ) )
\n{
\nprintf( “OpenProcessToken() = %d
\n“, GetLastError() );<\/p>\n

bError = TRUE;
\ngoto Cleanup;
\n}<\/p>\n

\/\/
\n\/\/ \u590d\u5236\u4e00\u4efd\u5177\u6709\u76f8\u540c\u8bbf\u95ee\u6743\u9650\u7684 TOKEN
\n\/\/
\nif ( !DuplicateTokenEx( hToken,
\nTOKEN_ALL_ACCESS,
\nNULL,
\nSecurityImpersonation,
\nTokenPrimary,
\n&hNewToken ) )
\n{
\nprintf( “DuplicateTokenEx() = %d
\n“, GetLastError() );<\/p>\n

bError = TRUE;
\ngoto Cleanup;
\n}<\/p>\n

ZeroMemory( &si, sizeof( STARTUPINFO ) );
\nsi.cb = sizeof( STARTUPINFO );<\/p>\n

\/\/
\n\/\/ \u4e0d\u865a\u62df\u767b\u9646\u7528\u6237\u7684\u8bdd\uff0c\u521b\u5efa\u65b0\u8fdb\u7a0b\u4f1a\u63d0\u793a
\n\/\/ 1314 \u5ba2\u6237\u6ca1\u6709\u6240\u9700\u7684\u7279\u6743\u9519\u8bef
\n\/\/
\nImpersonateLoggedOnUser( hNewToken );<\/p>\n

\/\/
\n\/\/ \u6211\u4eec\u4ec5\u4ec5\u662f\u9700\u8981\u5efa\u7acb\u9ad8\u6743\u9650\u8fdb\u7a0b\uff0c\u4e0d\u7528\u5207\u6362\u7528\u6237
\n\/\/ \u6240\u4ee5\u4e5f\u65e0\u9700\u8bbe\u7f6e\u76f8\u5173\u684c\u9762\uff0c\u6709\u4e86\u65b0 TOKEN \u8db3\u591f
\n\/\/<\/p>\n

\/\/
\n\/\/ \u5229\u7528\u5177\u6709\u6240\u6709\u6743\u9650\u7684 TOKEN\uff0c\u521b\u5efa\u9ad8\u6743\u9650\u8fdb\u7a0b
\n\/\/
\nif ( !CreateProcessAsUser( hNewToken,
\nNULL,
\nszProcessName,
\nNULL,
\nNULL,
\nFALSE,
\nNULL, \/\/NORMAL_PRIORITY_CLASS | CREATE_NEW_CONSOLE,
\nNULL,
\nNULL,
\n&si,
\n&pi ) )
\n{
\nprintf( “CreateProcessAsUser() = %d
\n“, GetLastError() );<\/p>\n

bError = TRUE;
\ngoto Cleanup;
\n}<\/p>\n

bError = FALSE;<\/p>\n

Cleanup:
\nif ( pOrigSd )
\n{
\nHeapFree( GetProcessHeap(), 0, pOrigSd );
\n}
\nif ( pNewSd )
\n{
\nHeapFree( GetProcessHeap(), 0, pNewSd );
\n}
\nif ( pSidPrimary )
\n{
\nHeapFree( GetProcessHeap(), 0, pSidPrimary );
\n}
\nif ( pSidOwner )
\n{
\nHeapFree( GetProcessHeap(), 0, pSidOwner );
\n}
\nif ( pSacl )
\n{
\nHeapFree( GetProcessHeap(), 0, pSacl );
\n}
\nif ( pOldDAcl )
\n{
\nHeapFree( GetProcessHeap(), 0, pOldDAcl );
\n}<\/p>\n

CloseHandle( pi.hProcess );
\nCloseHandle( pi.hThread );
\nCloseHandle( hToken );
\nCloseHandle( hNewToken );
\nCloseHandle( hProcess );<\/p>\n

if ( bError )
\n{
\nreturn FALSE;
\n}<\/p>\n

return TRUE;
\n}<\/p>\n

void
\nmain( int argc, char** argv )
\n{
\nif ( argc < 2 )
\n{
\nprintf( “Usage: wssrun
\n” );
\nreturn ;
\n}<\/p>\n

if ( CreateSystemProcess( argv[1] ) == FALSE )
\n{
\nprintf( “wssrun: CreateSystemProcess() to failed!
\n” );
\nreturn ;
\n}
\n}<\/p>\n

 <\/p>\n

Author:\u00a0\u00a0sinister
\nEmail:\u00a0\u00a0<\/span>sinister@whitecell.org<\/span><\/a>
\nHomepage:<\/span>http:\/\/www.whitecell.org<\/span><\/a>
\n<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"

\u3010\u8f6c\u8f7d\u3011 \/\/ \u5199\u8fd9\u4e2a\u521d\u8877\u662f\u4e3a\u4e86\u8ba9 Windows \u4efb\u52a1\u7ba1\u7406\u5668\u53ef\u4ee5\u7ed3\u675f\u6389\u4e00\u4e9b\u670d\u52a1 …<\/p>\n

\u7ee7\u7eed\u9605\u8bfb »<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[],"tags":[109],"class_list":["post-123","post","type-post","status-publish","format-standard","hentry","tag-109"],"views":794,"_links":{"self":[{"href":"http:\/\/zerobox.org\/notes\/wp-json\/wp\/v2\/posts\/123","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/zerobox.org\/notes\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/zerobox.org\/notes\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/zerobox.org\/notes\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/zerobox.org\/notes\/wp-json\/wp\/v2\/comments?post=123"}],"version-history":[{"count":0,"href":"http:\/\/zerobox.org\/notes\/wp-json\/wp\/v2\/posts\/123\/revisions"}],"wp:attachment":[{"href":"http:\/\/zerobox.org\/notes\/wp-json\/wp\/v2\/media?parent=123"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/zerobox.org\/notes\/wp-json\/wp\/v2\/categories?post=123"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/zerobox.org\/notes\/wp-json\/wp\/v2\/tags?post=123"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}