官方bilibiliWindows破解入门Android逆向入门
【网络诊断修复工具】切换到窄版

吾爱破解 - 52pojie.cn

 找回密码
 注册[Register]

QQ登录

只需一步,快速开始

吾爱破解 - 52pojie.cn»网站 【 软件安全 】 『编程语言区』 单EXE以SYSTEM权限运行,并可以创建交互窗口或对话框
返回列表 发新帖
查看: 2391|回复: 1
收起左侧

[C&C++ 转载] 单EXE以SYSTEM权限运行,并可以创建交互窗口或对话框

[复制链接]
cgbsmy
cgbsmy 发表于 2020-4-22 10:28
声明代码大部分都是在网上收集,如有侵权请联系我删除
在XP/WIN7/WIN10测试通过,理论上XP以上系统都可以使用
[C++] 纯文本查看 复制代码
BOOL LaunchAppIntoDifferentSession(WCHAR *szExe,WCHAR *szDir)//以SYSTEM运行程序
{
	PROCESS_INFORMATION pi;
	STARTUPINFO si;
	BOOL bResult = FALSE;
	DWORD dwSessionId, winlogonPid;
	HANDLE hUserToken, hUserTokenDup, hPToken, hProcess;
	DWORD dwCreationFlags;
	dwSessionId = WTSGetActiveConsoleSessionId();
	//////////////////////////////////////////
	   // Find the winlogon process
	////////////////////////////////////////
	PROCESSENTRY32 procEntry;
	HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
	if (hSnap == INVALID_HANDLE_VALUE)
	{
		return 1;
	}

	procEntry.dwSize = sizeof(PROCESSENTRY32);

	if (!Process32First(hSnap, &procEntry))
	{
		return 1;
	}

	do
	{
		if (_wcsicmp(procEntry.szExeFile, L"winlogon.exe") == 0)
		{
			// We found a winlogon process...
		// make sure it's running in the console session
			DWORD winlogonSessId = 0;
			if (ProcessIdToSessionId(procEntry.th32ProcessID, &winlogonSessId)
				&& winlogonSessId == dwSessionId)
			{
				winlogonPid = procEntry.th32ProcessID;
				break;
			}
		}

	} while (Process32Next(hSnap, &procEntry));

	////////////////////////////////////////////////////////////////////////

	WTSQueryUserToken(dwSessionId, &hUserToken);
	dwCreationFlags = NORMAL_PRIORITY_CLASS | CREATE_NEW_CONSOLE;
	ZeroMemory(&si, sizeof(STARTUPINFO));
	si.cb = sizeof(STARTUPINFO);
	si.lpDesktop = (LPWSTR)L"winsta0\\default";
	ZeroMemory(&pi, sizeof(pi));
	TOKEN_PRIVILEGES tp;
	LUID luid;
	hProcess = OpenProcess(MAXIMUM_ALLOWED, FALSE, winlogonPid);

	if (!::OpenProcessToken(hProcess, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY
		| TOKEN_DUPLICATE | TOKEN_ASSIGN_PRIMARY | TOKEN_ADJUST_SESSIONID
		| TOKEN_READ | TOKEN_WRITE, &hPToken))
	{
		int abcd = GetLastError();
//		printf("Process token open Error: %u\n", GetLastError());
	}

	if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid))
	{
//		printf("Lookup Privilege value Error: %u\n", GetLastError());
	}
	tp.PrivilegeCount = 1;
	tp.Privileges[0].Luid = luid;
	tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

	DuplicateTokenEx(hPToken, MAXIMUM_ALLOWED, NULL,
		SecurityIdentification, TokenPrimary, &hUserTokenDup);
	int dup = GetLastError();

	//Adjust Token privilege
	SetTokenInformation(hUserTokenDup,
		TokenSessionId, (void*)dwSessionId, sizeof(DWORD));

	if (!AdjustTokenPrivileges(hUserTokenDup, FALSE, &tp, sizeof(TOKEN_PRIVILEGES),
		(PTOKEN_PRIVILEGES)NULL, NULL))
	{
		int abc = GetLastError();
//		printf("Adjust Privilege value Error: %u\n", GetLastError());
	}

	if (GetLastError() == ERROR_NOT_ALL_ASSIGNED)
	{
//		printf("Token does not have the provilege\n");
	}

	LPVOID pEnv = NULL;

	if (CreateEnvironmentBlock(&pEnv, hUserTokenDup, TRUE))
	{
		dwCreationFlags |= CREATE_UNICODE_ENVIRONMENT;
	}
	else
		pEnv = NULL;

	// Launch the process in the client's logon session.

	bResult = CreateProcessAsUser(
		hUserTokenDup,                     // client's access token
		szExe,    // file to execute
		NULL,                 // command line
		NULL,            // pointer to process SECURITY_ATTRIBUTES
		NULL,               // pointer to thread SECURITY_ATTRIBUTES
		FALSE,              // handles are not inheritable
		dwCreationFlags,     // creation flags
		pEnv,               // pointer to new environment block
		szDir,               // name of current directory
		&si,               // pointer to STARTUPINFO structure
		&pi                // receives information about new process
	);

	CloseHandle(hProcess);
	CloseHandle(hUserToken);
	CloseHandle(hUserTokenDup);
	CloseHandle(hPToken);
	return bResult;
}


BOOL bInstallService;
WHCAR szAppName[]=L"TopC";
SERVICE_STATUS_HANDLE hServiceStatus;
SERVICE_STATUS status;
void WINAPI ServiceMain(DWORD dwArgc, LPTSTR *lpszArgv);

HANDLE hEvent = INVALID_HANDLE_VALUE;

//服务控制函数
void WINAPI ServiceStrl(DWORD dwOpcode)
{	
	switch (dwOpcode)
	{
	case SERVICE_CONTROL_STOP:
		status.dwCurrentState = SERVICE_STOP_PENDING;
		SetServiceStatus(hServiceStatus, &status);
		//告诉服务线程停止工作
		::SetEvent(hEvent);
		break;
	case SERVICE_CONTROL_PAUSE:
		break;
	case SERVICE_CONTROL_CONTINUE:
		break;
	case SERVICE_CONTROL_INTERROGATE:
		break;
	case SERVICE_CONTROL_SHUTDOWN:
		break;
	default:
		break;
	}
}
void WINAPI ServiceMain(DWORD dwArgc, LPTSTR *lpszArgv)
{
	

	// Register the control request handler
	status.dwCurrentState = SERVICE_START_PENDING;
	status.dwControlsAccepted = SERVICE_ACCEPT_STOP;
	//注册服务控制
	hServiceStatus = RegisterServiceCtrlHandler(szServiceName, ServiceStrl);
	if (hServiceStatus == NULL)
	{
		return;
	}
	SetServiceStatus(hServiceStatus, &status);
	//如下代码可以为启动服务前的准备工作
	hEvent = ::CreateEvent(NULL, TRUE, FALSE, NULL);
	if (hEvent == NULL)
	{
		status.dwCurrentState = SERVICE_STOPPED;
		SetServiceStatus(hServiceStatus, &status);
		return;
	}
	//更改服务状态为启动
	status.dwWin32ExitCode = S_OK;
	status.dwCheckPoint = 0;
	status.dwWaitHint = 0;
	status.dwCurrentState = SERVICE_RUNNING;
	SetServiceStatus(hServiceStatus, &status);
	//等待用户选择停止服务,
	//当然你也可以把你的服务代码用线程来执行,
	//此时这里只需等待线程结束既可。
///////////////////////////////////////////////////////////////////////以SYSTEM启动自己或别的程序
	WCHAR szExe[MAX_PATH];
	HINSTANCE hInst = GetModuleHandle(NULL);
	GetModuleFileName(hInst, szExe, MAX_PATH);
	int iLen = wcslen(szExe);
	szExe[iLen] = L'\0';
	LaunchAppIntoDifferentSession(szExe,NULL);
///////////////////////////////////////////////////////////////////////
	while (WaitForSingleObject(hEvent, 1000) != WAIT_OBJECT_0)
	{
		//服务程序代码放这里
	}
	//停止服务
	status.dwCurrentState = SERVICE_STOPPED;
	SetServiceStatus(hServiceStatus, &status);
}
DWORD ServiceRunState()//查询当前服务状态
{
	BOOL bResult = FALSE;
	//打开服务控制管理器
	SC_HANDLE hSCM = ::OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
	if (hSCM != NULL)
	{
		//打开服务
		SC_HANDLE hService = ::OpenService(hSCM, szServiceName, SERVICE_QUERY_STATUS);
		if (hService != NULL)
		{
			SERVICE_STATUS ss;
			QueryServiceStatus(hService, &ss);
			bResult = ss.dwCurrentState;
			::CloseServiceHandle(hService);
		}
		::CloseServiceHandle(hSCM);
	}
	return bResult;	
}
BOOL IsServiceInstalled()//查询服务是否安装
{
	BOOL bResult = FALSE;
	//打开服务控制管理器
	SC_HANDLE hSCM = ::OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
	if (hSCM != NULL)
	{
		//打开服务
		SC_HANDLE hService = ::OpenService(hSCM, szServiceName, SERVICE_QUERY_CONFIG);
		if (hService != NULL)
		{
			bResult = TRUE;
			::CloseServiceHandle(hService);
		}
		::CloseServiceHandle(hSCM);
	}
	return bResult;
}


BOOL InstallService()//安装服务
{
	if (IsServiceInstalled())
		return TRUE;
	//打开服务控制管理器
	SC_HANDLE hSCM = ::OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
	if (hSCM == NULL)
	{
		return FALSE;
	}
	// Get the executable file path
	TCHAR szFilePath[MAX_PATH];
	::GetModuleFileName(NULL, szFilePath, MAX_PATH);
	//创建服务
	SC_HANDLE hService = ::CreateService(
		hSCM,
		szServiceName,
		szServiceName,
		SERVICE_ALL_ACCESS,
		SERVICE_WIN32_OWN_PROCESS,
		SERVICE_AUTO_START, //如果为SERVICE_DEMAND_START则表示此服务需手工启动
		SERVICE_ERROR_NORMAL,
		szFilePath,
		NULL,
		NULL,
		_T(""),
		NULL,
		NULL);
	if (hService == NULL)
	{
		::CloseServiceHandle(hSCM);
		return FALSE;
	}
	::CloseServiceHandle(hService);
	::CloseServiceHandle(hSCM);
	return TRUE;
}
BOOL UninstallService()//卸载服务
{
	if (!IsServiceInstalled())
		return TRUE;
	SC_HANDLE hSCM = ::OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
	if (hSCM == NULL)
	{
		return FALSE;
	}
	SC_HANDLE hService = ::OpenService(hSCM, szServiceName, SERVICE_STOP | DELETE);
	if (hService == NULL)
	{
		::CloseServiceHandle(hSCM);
		return FALSE;
	}
	SERVICE_STATUS status;
	::ControlService(hService, SERVICE_CONTROL_STOP, &status);
	//删除服务
	BOOL bDelete = ::DeleteService(hService);
	::CloseServiceHandle(hService);
	::CloseServiceHandle(hSCM);
	if (bDelete)
		return TRUE;
	return FALSE;
}
void Init()//初始化参数
{
	hServiceStatus = NULL;
	status.dwServiceType = SERVICE_WIN32_OWN_PROCESS;
	status.dwCurrentState = SERVICE_STOPPED;
	status.dwControlsAccepted = SERVICE_ACCEPT_STOP;
	status.dwWin32ExitCode = 0;
	status.dwServiceSpecificExitCode = 0;
	status.dwCheckPoint = 0;
	status.dwWaitHint = 0;
}

//开启服务
BOOL ServiceCtrlStart()
{
	BOOL bRet;
	SC_HANDLE hSCM;
	SC_HANDLE hService;
	hSCM = OpenSCManager(NULL, NULL, SC_MANAGER_CONNECT);
	if (hSCM != NULL)
	{
//		hService = OpenService(hSCM, szServiceName, SERVICE_START);
		hService = OpenService(hSCM, szServiceName, SERVICE_ALL_ACCESS);
		if (hService != NULL)
		{
			ChangeServiceConfig(hService, SERVICE_WIN32_OWN_PROCESS, SERVICE_AUTO_START, SERVICE_NO_CHANGE, NULL, NULL, NULL, NULL, NULL, NULL, NULL);
			//开始Service
			bRet = StartService(hService, 0, NULL);
			CloseServiceHandle(hService);
		}
		else
		{
			bRet = FALSE;
		}
		CloseServiceHandle(hSCM);
	}
	else
	{
		bRet = FALSE;
	}
	return bRet;
}

//停止服务
BOOL ServiceCtrlStop()
{
	BOOL bRet;
	SC_HANDLE hSCM;
	SC_HANDLE hService;
	SERVICE_STATUS ServiceStatus;
	hSCM = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
	if (hSCM != NULL)
	{
		hService = OpenService(hSCM, szServiceName, SERVICE_STOP | SERVICE_QUERY_STATUS);
		if (hService != NULL)
		{
			QueryServiceStatus(hService, &ServiceStatus);
			if (ServiceStatus.dwCurrentState == SERVICE_RUNNING)
			{
				bRet = ControlService(hService, SERVICE_CONTROL_STOP, &ServiceStatus);
			}
			else
			{
				bRet = FALSE;
			}
			CloseServiceHandle(hService);
		}
		else
		{
			bRet = FALSE;
		}
		CloseServiceHandle(hSCM);
	}
	else
	{
		bRet = FALSE;
	}
	return bRet;
}
int APIENTRY wWinMain(_In_ HINSTANCE hInstance,
	_In_opt_ HINSTANCE hPrevInstance,
	_In_ LPWSTR    lpCmdLine,
	_In_ int       nCmdShow)
{
	UNREFERENCED_PARAMETER(hPrevInstance);
	UNREFERENCED_PARAMETER(lpCmdLine);
	hInst = hInstance;
	Init();
	SERVICE_TABLE_ENTRY st[] =
	{
		{ szServiceName, (LPSERVICE_MAIN_FUNCTION)ServiceMain},
		{ NULL, NULL }
	};
	if (_wcsicmp(lpCmdLine, L"/install") == 0)//安装服务
	{
		InstallService();
		return 0;
	}
	else if (_wcsicmp(lpCmdLine, L"/uninstall") == 0)//卸载服务
	{
		UninstallService();
		return 0;
	}
	else if (_wcsicmp(lpCmdLine, L"/start") == 0)//开始启动服务
	{
		ServiceCtrlStart();
		return 0;
	}
	else if (_wcsicmp(lpCmdLine, L"/stop") == 0)//停止服务
	{
		ServiceCtrlStop();
		return 0;
	}
	if (ServiceRunState() != SERVICE_RUNNING)
	{
		if (IsServiceInstalled())
		{
			if (ServiceRunState() == SERVICE_STOPPED)
				ServiceCtrlStart();
			StartServiceCtrlDispatcher(st);
			return 0;
		}
	}
	ServiceCtrlStop();//程序已经以SYSTEM运行,退出服务
//下面是程序运行代码
}

免费评分

参与人数 2吾爱币 +4 热心值 +1 收起 理由
苏紫方璇 + 3 + 1 用心讨论,共获提升!
CarroAro + 1 好像很不错 保存参考

查看全部评分

发帖前要善用论坛搜索功能,那里可能会有你要找的答案或者已经有人发布过相同内容了,请勿重复发帖。
回复

举报

crowhack
crowhack 发表于 2020-10-16 22:16
没看懂,这是搞什么的
【吾爱破解论坛总版规】 - [让你充分了解吾爱破解论坛行为规则]
回复 支持

举报

返回列表 发新帖
高级模式
B Color Image Link Quote Code Smilies
您需要登录后才可以回帖 登录 | 注册[Register]

本版积分规则


免责声明:
吾爱破解所发布的一切破解补丁、注册机和注册信息及软件的解密分析文章仅限用于学习和研究目的;不得将上述内容用于商业或者非法用途,否则,一切后果请用户自负。本站信息来自网络,版权争议与本站无关。您必须在下载后的24个小时之内,从您的电脑中彻底删除上述内容。如果您喜欢该程序,请支持正版软件,购买注册,得到更好的正版服务。如有侵权请邮件与我们联系处理。

Mail To:Service@52pojie.cn

返回列表

RSS订阅|小黑屋|处罚记录|联系我们|吾爱破解 - LCG - LSG ( 京ICP备16042023号 | 京公网安备 11010502030087号 )

GMT+8, 2024-11-25 23:33

Powered by Discuz!

Copyright © 2001-2020, Tencent Cloud.

快速回复 返回顶部 返回列表