如何在Windows 8中获得主访问令牌？

Question

我想获取主令牌，以便我可以访问OpenInputDesktop（）并执行必要的操作。

我浏览了网站上的所有帮助信息，发现了如下的结论性代码，但我在调用DuplicateTokenEx（）时出错，它是998，这意味着无法访问内存位置。

HANDLE GetCurrentUserToken() 
{ 
    HANDLE currentToken = 0; 
    PHANDLE primaryToken = 0; 

    unsigned int winlogonPid = 0; 

    int dwSessionId = 0; 
    PHANDLE hUserToken = 0; 
    PHANDLE hTokenDup = 0; 

    PWTS_SESSION_INFO pSessionInfo = 0; 
    DWORD dwCount = 0; 

    WTSEnumerateSessions(WTS_CURRENT_SERVER_HANDLE, 0, 1, 
         &pSessionInfo, &dwCount); 

    //TestLog("Error on WTSEnumerateSessions(): %d",GetLastError()); 

    int dataSize = sizeof(WTS_SESSION_INFO); 

    for (DWORD i = 0; i < dwCount; ++i) 
    { 
     WTS_SESSION_INFO si = pSessionInfo[i]; 
     if (WTSActive == si.State) 
     { 
      dwSessionId = si.SessionId; 
      break; 
     } 
    } 

    WTSFreeMemory(pSessionInfo); 

    array<Process^>^localByName = Process::GetProcessesByName("winlogon"); 


    for (int i=0;i<localByName->Length;i++) 
    { 
     Process^p1 = (Process^)(localByName->GetValue(i)); 

     if ((unsigned int)p1->SessionId == dwSessionId) 
     { 
      winlogonPid = (unsigned int)p1->Id; 
     } 
    } 

    // obtain a handle to the winlogon process 
    HANDLE hProcess = OpenProcess(MAXIMUM_ALLOWED, false, winlogonPid); 
    TestLog("Error on OpenProcess():",GetLastError()); 

    // obtain a handle to the access token of the winlogon process 
    if (!OpenProcessToken(hProcess, TOKEN_DUPLICATE, &currentToken)) 
    { 
     TestLog("Error on OpenProcessToken():",GetLastError()); 
     CloseHandle(hProcess); 
     return false; 
    } 

    BOOL bRet ; 
    // bRet = DuplicateTokenEx(currentToken, 
    //   MAXIMUM_ALLOWED /*TOKEN_ASSIGN_PRIMARY | TOKEN_ALL_ACCESS*/, 
    //   NULL/*0*/, 
    //   SecurityImpersonation, TokenImpersonation, primaryToken); 

    bRet = DuplicateTokenEx(currentToken, 
          TOKEN_ASSIGN_PRIMARY | TOKEN_ALL_ACCESS, 
          NULL, SecurityImpersonation, 
          TokenPrimary, primaryToken); 

    TestLog("Error on DuplicateTokenEx():",GetLastError()); 
    TestLog("return value of DuplicateTokenEx()",bRet); 

    int errorcode = GetLastError(); 
    if (bRet == false) 
    { 
     return 0; 
    } 

    return primaryToken; 
} 

int main(array<System::String ^> ^args) 
{ 
    Console::WriteLine(L"Hello World"); 

    TestLog("**Start TestLaunchExeOneTime**",0); 
    HANDLE hTokenNew = NULL, hTokenDup = NULL; 
    HMODULE hmod = LoadLibrary(L"kernel32.dll"); 

    hTokenDup = GetCurrentUserToken(); 

    STARTUPINFO si; 
    PROCESS_INFORMATION pi; 
    memset(&si,0,sizeof(STARTUPINFO)); 
    si.cb = sizeof(STARTUPINFO); 
    si.lpDesktop = L"winsta0\\default"; 

    LPVOID pEnv = NULL; 
    DWORD dwCreationFlag = NORMAL_PRIORITY_CLASS | CREATE_NEW_CONSOLE; 
    HMODULE hModule = LoadLibrary(L"Userenv.dll"); 
    if(hModule) 
    { 
     if(CreateEnvironmentBlock(&pEnv,hTokenDup,FALSE)) 
     { 
      //WriteToLog("CreateEnvironmentBlock Ok"); 
      dwCreationFlag |= CREATE_UNICODE_ENVIRONMENT;  
     } 
     else 
     { 
      TestLog("Error on CreateEnvironmentBlock():",GetLastError()); 
      pEnv = NULL; 
     } 
    } 

    // 

    if (!CreateProcessAsUser(hTokenDup, 
     NULL, 
     L"C:\\temp\\DesktopDuplicationmilliseconds.exe", 
     NULL, 
     NULL, 
     FALSE, 
     dwCreationFlag, 
     pEnv, 
     NULL, 
     &si, 
     &pi 
     )) 
    { 

    } 
    else 
    { 
     TestLog("Error on CreateProcessAsUser():",GetLastError()); 
     // printf("error : %d",GetLastError()); 
    } 

    return 0; 
} 

Answer 1

您没有为主令牌分配任何内存。 primaryToken变量是一个指向句柄的指针，但实际上并没有指向任何东西。 （你也宣布GetCurrentUserToken作为一个返回手柄的功能，但实际上返回一个指针手柄。）

你需要明确地分配为抓手内存：

primaryToken = malloc(sizeof(HANDLE)); 

[...] 

return *primaryToken; 

或，更明智的是，将primaryToken定义为一个HANDLE而不是一个指针，并在适当的地方将其引用传递给它：

HANDLE primaryToken; 

[...] 

bRet = DuplicateTokenEx(currentToken, 
         TOKEN_ASSIGN_PRIMARY | TOKEN_ALL_ACCESS, 
         NULL, SecurityImpersonation, 
         TokenPrimary, &primaryToken);