CreateProcessAsUser.docx
CreateProcessAsUser
在 system 服务程序中，以当前登录用户的身份创建一个进程，使用 CreateProcessAsUser()。
/* Desktop rights granted to the logon SID on the interactive desktop. */
#define DESKTOP_ALL (DESKTOP_READOBJECTS | DESKTOP_CREATEWINDOW |                       \
                     DESKTOP_CREATEMENU | DESKTOP_HOOKCONTROL | DESKTOP_JOURNALRECORD | \
                     DESKTOP_JOURNALPLAYBACK | DESKTOP_ENUMERATE | DESKTOP_WRITEOBJECTS | \
                     DESKTOP_SWITCHDESKTOP | STANDARD_RIGHTS_REQUIRED)

/* Window-station rights granted to the logon SID on winsta0 (second ACE in AddAceToWindowStation). */
#define WINSTA_ALL (WINSTA_ENUMDESKTOPS | WINSTA_READATTRIBUTES |                         \
                    WINSTA_ACCESSCLIPBOARD | WINSTA_CREATEDESKTOP | WINSTA_WRITEATTRIBUTES | \
                    WINSTA_ACCESSGLOBALATOMS | WINSTA_EXITWINDOWS | WINSTA_ENUMERATE |      \
                    WINSTA_READSCREEN | STANDARD_RIGHTS_REQUIRED)

/* Generic mask used for the inherit-only ACE (first ACE in AddAceToWindowStation). */
#define GENERIC_ACCESS (GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE | GENERIC_ALL)

/* Helpers defined below / elsewhere in this file. */
BOOL AddAceToWindowStation(HWINSTA hwinsta, PSID psid);
BOOL AddAceToDesktop(HDESK hdesk, PSID psid);
BOOL GetLogonSID(HANDLE hToken, PSID *ppsid);   /* allocates *ppsid; release with FreeLogonSID */
VOID FreeLogonSID(PSID *ppsid);
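/*
 * StartInteractiveClientProcess
 *
 * Logs the given account on interactively, grants its logon session access
 * to the interactive window station ("winsta0") and its "default" desktop,
 * and runs lpCommandLine in that logon session via CreateProcessAsUser.
 * The call blocks until the child process exits.
 *
 * Parameters
 *   lpszUsername  - account to log on
 *   lpszDomain    - domain of that account
 *   lpszPassword  - the account's password in plaintext; the caller owns the
 *                   buffer and is responsible for wiping it afterwards
 *   lpCommandLine - command line to execute in the user's session
 *
 * Returns TRUE when CreateProcessAsUser succeeded, FALSE otherwise. On
 * failure GetLastError() reports the error of the call that failed (it is
 * saved across the cleanup calls, which may otherwise overwrite it).
 *
 * Note: the ACEs added by AddAceToWindowStation / AddAceToDesktop are not
 * removed again by this function once the child has exited.
 */
BOOL StartInteractiveClientProcess(
    LPTSTR lpszUsername,    // client to logon
    LPTSTR lpszDomain,      // domain of client's account
    LPTSTR lpszPassword,    // client's password
    LPTSTR lpCommandLine    // command line to execute
    )
{
    HANDLE hToken = NULL;       // NULL so Cleanup knows whether LogonUser ever succeeded
    HDESK hdesk = NULL;
    HWINSTA hwinsta = NULL, hwinstaSave = NULL;
    PROCESS_INFORMATION pi;
    PSID pSid = NULL;
    STARTUPINFO si;
    BOOL bResult = FALSE;
    DWORD dwLastError = ERROR_SUCCESS;

    // Zero pi up front so the handle fields are never read uninitialized
    // when CreateProcessAsUser is not reached or fails.
    ZeroMemory(&pi, sizeof(PROCESS_INFORMATION));

    // Log the client onto the local computer.
    if (!LogonUser(lpszUsername, lpszDomain, lpszPassword,
                   LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT,
                   &hToken))
    {
        goto Cleanup;
    }

    // Save a handle to the caller's current window station.
    if ((hwinstaSave = GetProcessWindowStation()) == NULL)
        goto Cleanup;

    // Get a handle to the interactive window station.
    // TEXT() matches the TCHAR signature of OpenWindowStation in both
    // ANSI and Unicode builds.
    hwinsta = OpenWindowStation(
        TEXT("winsta0"),            // the interactive window station
        FALSE,                      // handle is not inheritable
        READ_CONTROL | WRITE_DAC);  // rights to read/write the DACL
    if (hwinsta == NULL)
        goto Cleanup;

    // To get the correct default desktop, set the caller's
    // window station to the interactive window station.
    if (!SetProcessWindowStation(hwinsta))
        goto Cleanup;

    // Get a handle to the interactive desktop.
    hdesk = OpenDesktop(
        TEXT("default"),            // the default desktop of winsta0
        0,                          // no interaction with other desktop processes
        FALSE,                      // handle is not inheritable
        READ_CONTROL |              // request the rights to read and write the DACL
        WRITE_DAC |
        DESKTOP_WRITEOBJECTS |
        DESKTOP_READOBJECTS);

    // Restore the caller's window station before checking hdesk, so the
    // caller is never left on winsta0 even when OpenDesktop failed.
    if (!SetProcessWindowStation(hwinstaSave))
        goto Cleanup;

    if (hdesk == NULL)
        goto Cleanup;

    // Get the SID for the client's logon session.
    if (!GetLogonSID(hToken, &pSid))
        goto Cleanup;

    // Allow logon SID full access to interactive window station.
    if (!AddAceToWindowStation(hwinsta, pSid))
        goto Cleanup;

    // Allow logon SID full access to interactive desktop.
    if (!AddAceToDesktop(hdesk, pSid))
        goto Cleanup;

    // Impersonate client to ensure access to executable file.
    if (!ImpersonateLoggedOnUser(hToken))
        goto Cleanup;

    // Initialize the STARTUPINFO structure.
    // Specify that the process runs in the interactive desktop.
    ZeroMemory(&si, sizeof(STARTUPINFO));
    si.cb = sizeof(STARTUPINFO);
    si.lpDesktop = TEXT("winsta0\\default");

    // Launch the process in the client's logon session.
    bResult = CreateProcessAsUser(
        hToken,                     // client's access token
        NULL,                       // file to execute
        lpCommandLine,              // command line
        NULL,                       // pointer to process SECURITY_ATTRIBUTES
        NULL,                       // pointer to thread SECURITY_ATTRIBUTES
        FALSE,                      // handles are not inheritable
        NORMAL_PRIORITY_CLASS | CREATE_NEW_CONSOLE, // creation flags
        NULL,                       // pointer to new environment block
        NULL,                       // name of current directory
        &si,                        // pointer to STARTUPINFO structure
        &pi                         // receives information about new process
        );

    // End impersonation of client. No goto sits between the impersonation
    // and this call, so the service never stays impersonated.
    RevertToSelf();

    // On success both handles in pi are valid; wait for the child, then
    // release them. On failure pi is still all zeros and nothing is closed.
    if (bResult)
    {
        WaitForSingleObject(pi.hProcess, INFINITE);
        CloseHandle(pi.hProcess);
        CloseHandle(pi.hThread);
    }

Cleanup:
    // Preserve the failing call's error code across the cleanup calls below.
    if (!bResult)
        dwLastError = GetLastError();

    if (hwinstaSave != NULL)
        SetProcessWindowStation(hwinstaSave);

    // Free the buffer for the logon SID.
    if (pSid)
        FreeLogonSID(&pSid);

    // Close the handles to the interactive window station and desktop.
    if (hwinsta)
        CloseWindowStation(hwinsta);

    if (hdesk)
        CloseDesktop(hdesk);

    // Close the handle to the client's access token.
    if (hToken != NULL)
        CloseHandle(hToken);

    if (!bResult)
        SetLastError(dwLastError);

    return bResult;
}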
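/*
 * AddAceToWindowStation
 *
 * Appends two access-allowed ACEs for psid to the DACL of hwinsta:
 *   1. GENERIC_ACCESS, inherit-only (CONTAINER_INHERIT | OBJECT_INHERIT |
 *      INHERIT_ONLY), so desktops created in this window station later
 *      inherit it rather than the window station itself;
 *   2. WINSTA_ALL on the window station itself (NO_PROPAGATE_INHERIT).
 * All existing ACEs are copied unchanged ahead of the two new ones.
 *
 * hwinsta must have been opened with READ_CONTROL | WRITE_DAC.
 * Nothing in this file removes the ACEs again.
 *
 * Returns TRUE on success, FALSE on any failure; on failure GetLastError()
 * holds the error of the failing Win32 call unless a HeapFree in the
 * cleanup block has overwritten it.
 */
BOOL AddAceToWindowStation(HWINSTA hwinsta, PSID psid)
{
    // Every pointer freed in __finally starts as NULL so an early __leave
    // never hands an uninitialized pointer to HeapFree.
    ACCESS_ALLOWED_ACE *pace = NULL;
    ACL_SIZE_INFORMATION aclSizeInfo;
    BOOL bDaclExist;
    BOOL bDaclPresent;
    BOOL bSuccess = FALSE;
    DWORD dwNewAclSize;
    DWORD dwSidSize = 0;
    DWORD dwSdSizeNeeded;
    DWORD dwAceSize;
    PACL pacl = NULL;
    PACL pNewAcl = NULL;
    PSECURITY_DESCRIPTOR psd = NULL;
    PSECURITY_DESCRIPTOR psdNew = NULL;
    PVOID pTempAce;
    SECURITY_INFORMATION si = DACL_SECURITY_INFORMATION;
    unsigned int i;

    __try
    {
        // First call with a zero-length buffer only to learn the required size.
        if (!GetUserObjectSecurity(hwinsta, &si, psd, dwSidSize, &dwSdSizeNeeded))
        {
            if (GetLastError() != ERROR_INSUFFICIENT_BUFFER)
                __leave;

            psd = (PSECURITY_DESCRIPTOR)HeapAlloc(
                GetProcessHeap(), HEAP_ZERO_MEMORY, dwSdSizeNeeded);
            if (psd == NULL)
                __leave;

            // The self-relative descriptor size is reused for the new
            // absolute descriptor, which only needs room for its header.
            psdNew = (PSECURITY_DESCRIPTOR)HeapAlloc(
                GetProcessHeap(), HEAP_ZERO_MEMORY, dwSdSizeNeeded);
            if (psdNew == NULL)
                __leave;

            dwSidSize = dwSdSizeNeeded;

            // Obtain the DACL for the window station.
            if (!GetUserObjectSecurity(hwinsta, &si, psd, dwSidSize, &dwSdSizeNeeded))
                __leave;
        }
        else
        {
            // A zero-byte buffer cannot hold a descriptor; do not continue
            // with psd == NULL.
            __leave;
        }

        // Create a new, empty security descriptor.
        if (!InitializeSecurityDescriptor(psdNew, SECURITY_DESCRIPTOR_REVISION))
            __leave;

        // Get the DACL from the security descriptor.
        if (!GetSecurityDescriptorDacl(psd, &bDaclPresent, &pacl, &bDaclExist))
            __leave;

        // Initialize the ACL size info; AceCount stays 0 when there is no ACL.
        ZeroMemory(&aclSizeInfo, sizeof(ACL_SIZE_INFORMATION));
        aclSizeInfo.AclBytesInUse = sizeof(ACL);

        // pacl is NULL for a NULL DACL; only query a real ACL.
        if (pacl != NULL)
        {
            if (!GetAclInformation(pacl, (LPVOID)&aclSizeInfo,
                                   sizeof(ACL_SIZE_INFORMATION), AclSizeInformation))
                __leave;
        }

        // Size of one ACCESS_ALLOWED_ACE carrying psid: the struct already
        // contains the first DWORD of the SID (SidStart), hence "- sizeof(DWORD)".
        dwAceSize = sizeof(ACCESS_ALLOWED_ACE) + GetLengthSid(psid) - sizeof(DWORD);

        // Bytes already in use plus the two new ACEs.
        dwNewAclSize = aclSizeInfo.AclBytesInUse + 2 * dwAceSize;

        // Allocate and initialize the new DACL.
        pNewAcl = (PACL)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, dwNewAclSize);
        if (pNewAcl == NULL)
            __leave;

        if (!InitializeAcl(pNewAcl, dwNewAclSize, ACL_REVISION))
            __leave;

        // If a DACL is present, copy its ACEs so the new DACL only extends it.
        if (bDaclPresent)
        {
            for (i = 0; i < aclSizeInfo.AceCount; i++)
            {
                if (!GetAce(pacl, i, &pTempAce))
                    __leave;

                if (!AddAce(pNewAcl, ACL_REVISION, MAXDWORD, pTempAce,
                            ((PACE_HEADER)pTempAce)->AceSize))
                    __leave;
            }
        }

        // One ACE buffer serves both new ACEs; AddAce copies it each time.
        pace = (ACCESS_ALLOWED_ACE *)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, dwAceSize);
        if (pace == NULL)
            __leave;

        // First ACE: inherit-only, so it applies to desktops created in this
        // window station, not to the window station itself.
        pace->Header.AceType = ACCESS_ALLOWED_ACE_TYPE;
        pace->Header.AceFlags = CONTAINER_INHERIT_ACE | INHERIT_ONLY_ACE | OBJECT_INHERIT_ACE;
        pace->Header.AceSize = (WORD)dwAceSize;
        pace->Mask = GENERIC_ACCESS;

        if (!CopySid(GetLengthSid(psid), &pace->SidStart, psid))
            __leave;

        if (!AddAce(pNewAcl, ACL_REVISION, MAXDWORD, (LPVOID)pace, pace->Header.AceSize))
            __leave;

        // Second ACE: same SID, applies to the window station only.
        pace->Header.AceFlags = NO_PROPAGATE_INHERIT_ACE;
        pace->Mask = WINSTA_ALL;

        if (!AddAce(pNewAcl, ACL_REVISION, MAXDWORD, (LPVOID)pace, pace->Header.AceSize))
            __leave;

        // Attach the new DACL to the new descriptor (present, not defaulted).
        if (!SetSecurityDescriptorDacl(psdNew, TRUE, pNewAcl, FALSE))
            __leave;

        // Write the new security descriptor back to the window station.
        if (!SetUserObjectSecurity(hwinsta, &si, psdNew))
            __leave;

        bSuccess = TRUE;
    }
    __finally
    {
        // Free only what was actually allocated.
        if (pace != NULL)
            HeapFree(GetProcessHeap(), 0, (LPVOID)pace);

        if (pNewAcl != NULL)
            HeapFree(GetProcessHeap(), 0, (LPVOID)pNewAcl);

        if (psd != NULL)
            HeapFree(GetProcessHeap(), 0, (LPVOID)psd);

        if (psdNew != NULL)
            HeapFree(GetProcessHeap(), 0, (LPVOID)psdNew);
    }

    return bSuccess;
}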
BOOLAddAceToDesktop(HDESKhdesk,PSIDpsid)
{
ACL_SIZE_INFORMATIONaclSizeInfo;
BOOLbDaclExist;
BOOLbDaclPresent;
BOOLbSuccess=FALSE;
DWORDdwNewAclSize;
DWORDdwSidSize=0;
DWORDdwSdSizeNeeded;
PACLpacl;
PACLpNewAcl;
PSECURITY_DESCRIPTORpsd=NULL;
PSECURITY_DESCRIPTORpsdNew=NULL;
PVOIDpTempAce;
SECURITY_INFORMATIONsi=DACL_SECURITY_INFORMATION;
unsignedinti;
__try
{
//Obtainthesecuritydescriptorforthedesktopobject.
if(!
GetUserObjectSecurity(
hdesk,
&si,
psd,
dwSidSize,
&dwSdSizeNeeded))
{
if(GetLastError()==ERROR_INSUFFICIENT_BUFFER)
{
psd=(PSECURITY_DESCRIPTOR)HeapAlloc(
GetProcessHeap(),
HEAP_ZERO_MEMORY,
dwSdSizeNeeded);
if(psd==NULL)
__leave;
psdNew=(PSECURITY_DESCRIPTOR)HeapAlloc(
GetProcessHeap(),
HEAP_ZERO_MEMORY,
dwSdSizeNeeded);
if(psdNew==NULL)
__leave;
dwSidSize=dwSdSizeNeeded;
if(!
GetUserObjectSecurity(
hdesk,
&si,
psd,
dwSidSize,
&dwSdSizeNeeded)
)
__leave;
}
else
__leave;
}
//Createanewsecuritydescriptor.
if(!
InitializeSecurityDescriptor(
psdNew,
SECURITY_DESCRIPTOR_REVISION)
)
__leave;
//ObtaintheDACLfromthesecuritydescriptor.
if(!
GetSecurityDescriptorDacl(
psd,
&bDaclPresent,
&pacl,
&bDaclExist)
)
__leave;
//Initialize.
ZeroMemory(&aclSizeInfo,sizeof(ACL_SIZE_INFORMATION));
aclSizeInfo.AclBytesInUse=size