There is a SetThreadToken() function, but no "SetProcessToken()". Is there a way to set the token of another process?
Is there a way to set a token for another process? How would one write a "SetProcessToken()"?
A process has only one security token, the primary token, which is a copy of the user's security token.
Threads have a second security token, the impersonation token. Processes do not have one; only threads do. You cannot make a process impersonate another user's security token.
Yes, you can, using the undocumented NtSetInformationProcess function, but once the process has started running its token is locked and can no longer be modified. So you must start the process with the CREATE_SUSPENDED creation flag, set the process token, and then resume the process with ResumeThread(). To set the process token, the caller must hold and enable the SeAssignPrimaryTokenPrivilege privilege.
Code like the following should suffice:
#ifndef UNICODE
#define UNICODE
#endif
#include <windows.h>
#include <winternl.h>   // NTSTATUS
#include <stdio.h>

// A few required typedefs (not in the public SDK headers)
typedef enum _PROCESS_INFORMATION_CLASS
{
    ProcessBasicInformation,
    ProcessQuotaLimits,
    ProcessIoCounters,
    ProcessVmCounters,
    ProcessTimes,
    ProcessBasePriority,
    ProcessRaisePriority,
    ProcessDebugPort,
    ProcessExceptionPort,
    ProcessAccessToken,
    ProcessLdtInformation,
    ProcessLdtSize,
    ProcessDefaultHardErrorMode,
    ProcessIoPortHandlers,
    ProcessPooledUsageAndLimits,
    ProcessWorkingSetWatch,
    ProcessUserModeIOPL,
    ProcessEnableAlignmentFaultFixup,
    ProcessPriorityClass,
    ProcessWx86Information,
    ProcessHandleCount,
    ProcessAffinityMask,
    ProcessPriorityBoost,
    MaxProcessInfoClass
} PROCESS_INFORMATION_CLASS, *PPROCESS_INFORMATION_CLASS;

typedef struct _PROCESS_ACCESS_TOKEN
{
    HANDLE Token;   // the primary token to assign
    HANDLE Thread;  // unused, must be NULL
} PROCESS_ACCESS_TOKEN, *PPROCESS_ACCESS_TOKEN;

// Function pointer type for the undocumented ntdll export
typedef NTSTATUS (NTAPI *NtSetInformationProcess_t)(HANDLE processHandle, PROCESS_INFORMATION_CLASS infoClass, PVOID info, ULONG infoLength);

// Assume we have a handle to an existing process (targetProcessHandle), started in a suspended state,
// and a new primary token (newToken) to assign to this process.
BOOL SetProcessToken(HANDLE targetProcessHandle, HANDLE newToken)
{
    // First we must enable SeAssignPrimaryTokenPrivilege.
    // Note: the user this runs as must already hold the privilege; this only enables it (it is disabled by default).
    LUID luid;
    if (!LookupPrivilegeValue(NULL, SE_ASSIGNPRIMARYTOKEN_NAME, &luid))
    {
        wprintf(L"Unable to look up privilege value: 0x%08x\n", GetLastError());
        return FALSE;
    }
    TOKEN_PRIVILEGES privs;
    privs.PrivilegeCount = 1;
    privs.Privileges[0].Luid = luid;
    privs.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

    HANDLE myToken;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &myToken))
    {
        wprintf(L"Unable to open own process token to enable privileges\n");
        return FALSE;
    }
    if (!AdjustTokenPrivileges(myToken, FALSE, &privs, sizeof(TOKEN_PRIVILEGES), NULL, NULL))
    {
        wprintf(L"Error setting token privileges: 0x%08x\n", GetLastError());
        CloseHandle(myToken);
        return FALSE;
    }
    // Even if AdjustTokenPrivileges returns TRUE it may not have succeeded; check the last error to confirm.
    if (GetLastError() == ERROR_NOT_ALL_ASSIGNED)
    {
        wprintf(L"Unable to enable a required privilege\n");
        CloseHandle(myToken);
        return FALSE;
    }
    CloseHandle(myToken);

    PROCESS_ACCESS_TOKEN tokenInfo;
    tokenInfo.Token = newToken;
    tokenInfo.Thread = NULL;

    // Get a handle to ntdll (it is already loaded in every process)
    HMODULE ntdll = LoadLibrary(L"ntdll.dll");
    if (ntdll == NULL)
    {
        wprintf(L"Unable to load ntdll.dll: 0x%08x\n", GetLastError());
        return FALSE;
    }
    // And a pointer to the NtSetInformationProcess function
    NtSetInformationProcess_t setInfo = (NtSetInformationProcess_t)GetProcAddress(ntdll, "NtSetInformationProcess");
    if (setInfo == NULL)
    {
        wprintf(L"Unable to locate NtSetInformationProcess\n");
        FreeLibrary(ntdll);
        return FALSE;
    }

    NTSTATUS setInfoResult = setInfo(targetProcessHandle, ProcessAccessToken, &tokenInfo, sizeof(PROCESS_ACCESS_TOKEN));
    FreeLibrary(ntdll);
    if (setInfoResult < 0)   // negative NTSTATUS values are failures
    {
        wprintf(L"Error setting token: 0x%08x\n", setInfoResult);
        return FALSE;
    }
    // You can now resume the target process' main thread using ResumeThread().
    return TRUE;
}
It would be good to understand why this is being downvoted... – Iridium 2016-06-27 11:39:17
Yes. Get yourself a token via OpenProcessToken(), duplicate the token with DuplicateTokenEx(), set up the duplicated token as you like with SetTokenInformation(), and pass it to CreateProcessAsUser(). For this you need SeTcbPrivilege, SeAssignPrimaryTokenPrivilege and SeIncreaseQuotaPrivilege.
@user143233, so are the privileges set for the current process, or for a process handle you obtained earlier with 'OpenProcess()'? – 2017-01-25 18:44:23
The new process. You use this token to create a new process. After DuplicateTokenEx() you have a token that is not associated with any process. Changing it has no effect by itself, but once you create a new process with this token, the new process gets the token's settings. – user1438233 2017-12-21 09:57:55
A new process created with this token. Upvoting because of the link from Super User. – Joshua 2017-04-17 17:48:30
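Both answers above hinge on the caller holding SeAssignPrimaryTokenPrivilege, which is exactly what a defender should audit: which accounts on a host have been granted that right, and whether the assignments it permits are being logged. The following PowerShell script is an added example and not code from either answer. It assumes an elevated session on the Windows host being reviewed; the function and parameter names are mine. The event queries return nothing unless the corresponding audit subcategories are enabled: event 4696 ("a primary token was assigned to process") needs Audit Process Creation, and event 4703 ("a user right was adjusted", which records AdjustTokenPrivileges enabling a privilege) needs Audit Authorization Policy Change.

```powershell
# Added example (not from the original answers): audit holders of
# SeAssignPrimaryTokenPrivilege and list recent token-assignment events.
# Assumes an elevated PowerShell session on the host under review.

function Get-PrivilegeHolders {
    # Lists the accounts granted a user right in the local security policy by
    # parsing the [Privilege Rights] section of a secedit export.
    param([string]$Privilege = 'SeAssignPrimaryTokenPrivilege')

    $cfg = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    & secedit.exe /export /cfg $cfg /quiet | Out-Null
    try {
        $line = Get-Content -Path $cfg |
            Where-Object { $_ -match "^\s*$Privilege\s*=" } |
            Select-Object -First 1
        if (-not $line) { return @() }            # nobody holds the right
        $entries = ($line -split '=', 2)[1].Trim() -split ','
        foreach ($raw in $entries) {
            $sid = $raw.Trim().TrimStart('*')     # secedit prefixes SIDs with '*'
            $account = $sid
            try {
                $account = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                    [System.Security.Principal.NTAccount]).Value
            } catch { }                           # unresolvable SID: keep the raw value
            [pscustomobject]@{ Privilege = $Privilege; Sid = $sid; Account = $account }
        }
    } finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }
}

function Get-TokenAssignmentEvents {
    # 4696: a primary token was assigned to a process (Audit Process Creation).
    # 4703: a user right was adjusted, i.e. AdjustTokenPrivileges enabled or
    #       disabled a privilege (Audit Authorization Policy Change).
    param([int]$Hours = 24)

    $filter = @{ LogName = 'Security'; Id = 4696, 4703; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $subject = "$($data.SubjectDomainName)\$($data.SubjectUserName)"

        if ($_.Id -eq 4696) {
            [pscustomobject]@{
                Time          = $_.TimeCreated
                Id            = $_.Id
                Subject       = $subject
                SourceProcess = $data.ProcessName
                TargetProcess = $data.TargetProcessName
                TokenUser     = "$($data.TargetDomainName)\$($data.TargetUserName)"
                Detail        = 'primary token assigned to process'
            }
        }
        elseif ($data.EnabledPrivilegeList -match 'SeAssignPrimaryTokenPrivilege') {
            # Only report 4703 events that enabled the privilege this thread is about.
            [pscustomobject]@{
                Time          = $_.TimeCreated
                Id            = $_.Id
                Subject       = $subject
                SourceProcess = $data.ProcessName
                TargetProcess = $null
                TokenUser     = $null
                Detail        = 'enabled: ' + ($data.EnabledPrivilegeList -replace '\s+', ' ').Trim()
            }
        }
    }
}

# Usage
Get-PrivilegeHolders | Format-Table -AutoSize
Get-TokenAssignmentEvents -Hours 24 | Format-Table -AutoSize
```

By default only LOCAL SERVICE (S-1-5-19) and NETWORK SERVICE (S-1-5-20) hold SeAssignPrimaryTokenPrivilege, so any other account in the first listing is worth explaining, and a 4703 event from an interactive user's process enabling that privilege, followed by a 4696 event, is the trace the technique in the accepted answer leaves in the Security log.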