[Code Snip] 서비스에서 관리자권한으로 프로세스 실행

-
lancer wrote:

Now I need to create a process with administrator privilege from a
service on Vista.
By adjust the Integrity Level of the user token, the process becomes HIGH.
However it still has no administrator privileges.

I did it as the following:
1.Get the session if of the active console user
(WTSGetActiveConsoleSessionId)
2.Get the user's token (WTSQueryUserToken)
3.duplicate the token ((DuplicateTokenEx)
4.Set the integrity level to be High. (SetTokenInformation)

Between steps 2 and 3, call GetTokenInformation() with TokenLinkedToken to
get the linked (elevated) token, and remove step 4. The code might be
similar to:
TOKEN_LINKED_TOKEN linkedToken = {0};
/* The token is not elevated, we will build an elevated token for the */
/* user. */
dwSize = sizeof linkedToken;
/* Get the linked token, which is the elevated version of the current */
/* token. */
if (GetTokenInformation(hToken,
TokenLinkedToken,
&linkedToken,
dwSize, &dwSize)) {
/* The linked token is not a primary token, so we create one from it. */
if (DuplicateTokenEx(linkedToken.LinkedToken,
MAXIMUM_ALLOWED,
NULL,
SecurityImpersonation,
TokenPrimary,
&hPrimaryToken)) {

--
Larry Futrell

출처 : http://www.derkeiler.com/Newsgroups/microsoft.public.platformsdk.security/2008-06/msg00075.html

댓글

댓글 쓰기

이 블로그의 인기 게시물

[WinAPI] 모달리스 다이얼로그 설명

-
이미지
출처 : http://www.winprog.org/tutorial/modeless_dialogs.html Now we take a look at CreateDialog() , DialogBox() 's sister function. The difference is that while DialogBox() implements it's own message loop and does not return untill the dialog is closed, CreateDialog() acts more like a window created with CreateWindowEx() in that it returns immediately and depends on your message loop to pump the messages as it does for your main window. This is termed Modeless , whereas DialogBox() creates Modal dialogs. You can create the dialog resource just like you did for the last dialog example, you might also want to set the "Tool window" extended style to give it's title bar the typical smaller caption of toolbars. The dialog resource I created follows: IDD_TOOLBAR DIALOGEX 0, 0, 98, 52 STYLE DS_MODALFRAME | WS_POPUP | WS_CAPTION EXSTYLE WS_EX_TOOLWINDOW CAPTION "My Dialog Toolbar" FONT 8, "MS Sans Serif" BEGIN PUSHBUTTON "...
자세한 내용 보기

[WinDbg] Debugging a stack overflow

-
참조 : http://msdn.microsoft.com/en-us/library/windows/hardware/ff540620(v=vs.85).aspx Debugging a Stack Overflow 5 out of 11 rated this helpful - Rate this topic A stack overflow is an error that user-mode threads can encounter. There are three possible causes for this error: A thread uses the entire stack reserved for it. This is often caused by infinite recursion. A thread cannot extend the stack because the page file is maxed out, and therefore no additional pages can be committed to extend the stack. A thread cannot extend the stack because the system is within the brief period used to extend the page file. When a function running on a thread allocates local variables, the variables are put on the thread's call stack. The amount of stack space required by the function could be as large as the sum of the sizes of all the local variables. However, the compiler usually performs optimizations that reduce the stack space required by a function. For example, if two...
자세한 내용 보기

[WinDbg] first-chance, second-chance Exception

-
First-chance Exception 이란 디버거에서 프로그램이 실행 중일 때 SEH 같은 Exception 처리 구문이 들어가 있는 코드를 실행 하다가 어떠한 이유에서 던지 Exception 이 일어 났고 그 Exception 에 대한 처리 코드가 존재 하여 처리가 되었음을 디버거에 알리는 것입니다. 이 Exception이 꼭 프로그램에 심각한 오류가 있음을 말하는 것은 아니며 Exception 처리 코드에 의해 해당 Exception이 안전하게 처리가 되었고 계속 실행할 수 있음을 의미 할 수 있습니다.(대개는 대부분 별 문제 없는 경우입니다.) 만약 그런 Exception에 대한 처리가 없는 경우 디버거는 이를 인지 하고 사용자에게 직접 Exception이 났음 을 알리는데 이를 Second Chance Exception 이라고 하고 이것이 우리가 프로그램 디버깅 중 흔히 보는 에러 상황이 되겠습니다. http://support.microsoft.com/kb/105675              __try              {                            bReturn = IsBadReadPtr(buffer, sizeof(buffer));                     ...
자세한 내용 보기