三个给进程提权的方法

Nisy · 发表于 2010-5-8 20:00:27

方法一：

C/C++ code

bool EnableDebugPrivilege()
{
HANDLE hToken;
LUID sedebugnameValue;
TOKEN_PRIVILEGES tkp;
if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
{
      return FALSE;
}
if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &sedebugnameValue))
{
      CloseHandle(hToken);
      return false;
}
tkp.PrivilegeCount = 1;
tkp.Privileges[0].Luid = sedebugnameValue;
tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
if (!AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof(tkp), NULL, NULL))
{
      CloseHandle(hToken);
      return false;
}
return true;
}

方法二：

C/C++ code

bool UpPrivilege()
{
HANDLE hToken;                            // handle to process token
TOKEN_PRIVILEGES tkp;             // pointer to token structure
bool result = OpenProcessToken(GetCurrentProcess(),
      TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY,
      &hToken);
if(!result)       //打开进程错误
      return result;
result = LookupPrivilegeValue(    NULL,
      SE_DEBUG_NAME,
      &tkp.Privileges[0].Luid);
if(!result)       //查看进程权限错误
      return result;
tkp.PrivilegeCount = 1;    // one privilege to set
tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
result = AdjustTokenPrivileges( hToken,
      FALSE,
      &tkp,
      sizeof(TOKEN_PRIVILEGES),
      (PTOKEN_PRIVILEGES) NULL,
      (PDWORD) NULL);
return result;
}

方法三：

C/C++ code

#define SE_CREATE_TOKEN_NAME             TEXT("SeCreateTokenPrivilege")
#define SE_ASSIGNPRIMARYTOKEN_NAME       TEXT("SeAssignPrimaryTokenPrivilege")
#define SE_LOCK_MEMORY_NAME             TEXT("SeLockMemoryPrivilege")
#define SE_INCREASE_QUOTA_NAME          TEXT("SeIncreaseQuotaPrivilege")
#define SE_UNSOLICITED_INPUT_NAME       TEXT("SeUnsolicitedInputPrivilege")
#define SE_MACHINE_ACCOUNT_NAME          TEXT("SeMachineAccountPrivilege")
#define SE_TCB_NAME                      TEXT("SeTcbPrivilege")
#define SE_SECURITY_NAME                TEXT("SeSecurityPrivilege")
#define SE_TAKE_OWNERSHIP_NAME          TEXT("SeTakeOwnershipPrivilege")
#define SE_LOAD_DRIVER_NAME             TEXT("SeLoadDriverPrivilege")
#define SE_SYSTEM_PROFILE_NAME          TEXT("SeSystemProfilePrivilege")
#define SE_SYSTEMTIME_NAME             TEXT("SeSystemtimePrivilege")
#define SE_PROF_SINGLE_PROCESS_NAME    TEXT("SeProfileSingleProcessPrivilege")
#define SE_INC_BASE_PRIORITY_NAME       TEXT("SeIncreaseBasePriorityPrivilege")
#define SE_CREATE_PAGEFILE_NAME          TEXT("SeCreatePagefilePrivilege")
#define SE_CREATE_PERMANENT_NAME       TEXT("SeCreatePermanentPrivilege")
#define SE_BACKUP_NAME                   TEXT("SeBackupPrivilege")
#define SE_RESTORE_NAME                TEXT("SeRestorePrivilege")
#define SE_SHUTDOWN_NAME                TEXT("SeShutdownPrivilege")
#define SE_DEBUG_NAME                   TEXT("SeDebugPrivilege")
#define SE_AUDIT_NAME                   TEXT("SeAuditPrivilege")
#define SE_SYSTEM_ENVIRONMENT_NAME       TEXT("SeSystemEnvironmentPrivilege")
#define SE_CHANGE_NOTIFY_NAME          TEXT("SeChangeNotifyPrivilege")
#define SE_REMOTE_SHUTDOWN_NAME          TEXT("SeRemoteShutdownPrivilege")
#define SE_UNDOCK_NAME                   TEXT("SeUndockPrivilege")
#define SE_SYNC_AGENT_NAME             TEXT("SeSyncAgentPrivilege")
#define SE_ENABLE_DELEGATION_NAME       TEXT("SeEnableDelegationPrivilege")
#define SE_MANAGE_VOLUME_NAME          TEXT("SeManageVolumePrivilege")

BOOL EnablePrivilege(LPCTSTR lpszPrivilegeName,BOOL bEnable)
{
HANDLE hToken;
TOKEN_PRIVILEGES tp;
LUID luid;

if(!OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES |
      TOKEN_QUERY | TOKEN_READ,&hToken))
      return FALSE;
if(!LookupPrivilegeValue(NULL, lpszPrivilegeName, &luid))
      return TRUE;

tp.PrivilegeCount = 1;
tp.Privileges[0].Luid = luid;
tp.Privileges[0].Attributes = (bEnable) ? SE_PRIVILEGE_ENABLED : 0;

AdjustTokenPrivileges(hToken,FALSE,&tp,NULL,NULL,NULL);

CloseHandle(hToken);

return (GetLastError() == ERROR_SUCCESS);

}

本文来自CSDN博客，转载请标明出处：http://blog.csdn.net/abcpanpeng/archive/2009/12/06/4953529.aspx

Luckly · 发表于 2010-5-8 20:21:58

一句话的不简单些么?

Nisy · 发表于 2010-5-8 20:50:25

原帖由 Luckly 于 2010-5-8 20:21 发表
一句话的不简单些么?

？哪句话哦 ~

whypro · 发表于 2010-5-10 06:08:58

Call RtlAdjustPrivilege(SE_DEBUG_PRIVILEGE, 1, 0, 0)

[ 本帖最后由 whypro 于 2010-5-10 06:10 编辑 ]

whypro · 发表于 2010-5-10 06:10:40

发一个vb版的。
Option Explicit

Private Declare Function GetCurrentProcess Lib "kernel32" () As Long
Private Declare Function OpenProcessToken Lib "advapi32" (ByVal ProcessHandle As Long, ByVal DesiredAccess As Long, TokenHandle As Long) As Long
Private Declare Function LookupPrivilegeValue Lib "advapi32" Alias "LookupPrivilegeValueA" (ByVal lpSystemName As String, ByVal lpName As String, lpLuid As LUID) As Long
Private Declare Function AdjustTokenPrivileges Lib "advapi32" (ByVal TokenHandle As Long, ByVal DisableAllPrivileges As Long, NewState As TOKEN_PRIVILEGES, ByVal BufferLength As Long, PreviousState As TOKEN_PRIVILEGES, ReturnLength As Long) As Long

Private Const ANYSIZE_ARRAY = 1
Private Const TOKEN_ADJUST_PRIVILEGES = &H20
Private Const TOKEN_QUERY = &H8
Private Const SE_PRIVILEGE_ENABLED = &H2

Private Type LUID
lowpart As Long
highpart As Long
End Type

Private Type LUID_AND_ATTRIBUTES
pLuid As LUID
Attributes As Long
End Type

Private Type TOKEN_PRIVILEGES
PrivilegeCount As Long
Privileges(ANYSIZE_ARRAY) As LUID_AND_ATTRIBUTES
End Type

Private Const STANDARD_RIGHTS_REQUIRED = &HF0000
Private Const TOKEN_ASSIGN_PRIMARY = &H1
Private Const TOKEN_DUPLICATE = (&H2)
Private Const TOKEN_IMPERSONATE = (&H4)
Private Const TOKEN_QUERY_SOURCE = (&H10)
Private Const TOKEN_ADJUST_GROUPS = (&H40)
Private Const TOKEN_ADJUST_DEFAULT = (&H80)
Private Const TOKEN_ALL_ACCESS = (STANDARD_RIGHTS_REQUIRED Or TOKEN_ASSIGN_PRIMARY Or TOKEN_DUPLICATE Or TOKEN_IMPERSONATE Or TOKEN_QUERY Or TOKEN_QUERY_SOURCE Or TOKEN_ADJUST_PRIVILEGES Or TOKEN_ADJUST_GROUPS Or TOKEN_ADJUST_DEFAULT)

Public Sub AdjustTokenPrivileges2000()  '提升权限至debug

Dim hdlProcessHandle As Long
Dim hdlTokenHandle As Long
Dim tmpLuid As LUID
Dim tkp As TOKEN_PRIVILEGES
Dim tkpNewButIgnored As TOKEN_PRIVILEGES
Dim lBufferNeeded As Long
Dim lP As Long

hdlProcessHandle = GetCurrentProcess()
OpenProcessToken hdlProcessHandle, TOKEN_ALL_ACCESS, hdlTokenHandle '得到进程的令牌句柄
LookupPrivilegeValue "", "SeDebugPrivilege", tmpLuid                '查询进程的权限

tkp.PrivilegeCount = 1
tkp.Privileges(0).pLuid = tmpLuid
tkp.Privileges(0).Attributes = SE_PRIVILEGE_ENABLED                            '设置权限

AdjustTokenPrivileges hdlTokenHandle, False, tkp, _
                        Len(tkpNewButIgnored), tkpNewButIgnored, lBufferNeeded    '使进程获得Debug权限.

End Sub

[ 本帖最后由 whypro 于 2010-5-10 06:22 编辑 ]

		自动登录	找回密码
密码			加入我们

三个给进程提权的方法

相关帖子