提权 (privilege escalation): enable SeDebugPrivilege and obtain the interactive user's token via explorer.exe
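// Enable or disable one named privilege (e.g. SE_DEBUG_NAME) in the current
// process's primary token.
//
// lpszPrivilegeName: a privilege name accepted by LookupPrivilegeValue.
// bEnable:           TRUE sets SE_PRIVILEGE_ENABLED, FALSE clears it.
// Returns TRUE only when the privilege is actually in the requested state.
//
// Why the extra GetLastError check: AdjustTokenPrivileges returns TRUE even
// when the token does not hold the privilege at all -- it merely sets the
// last error to ERROR_NOT_ALL_ASSIGNED. Without that check a non-elevated
// process would be told SeDebugPrivilege is enabled when it is not, and the
// caller would misattribute the later OpenProcess failures.
BOOL EnablePrivilege(LPCTSTR lpszPrivilegeName, BOOL bEnable)
{
    BOOL bResult = FALSE;
    HANDLE hToken = NULL;
    TOKEN_PRIVILEGES tkp = { 0 };

    do
    {
        if (!::OpenProcessToken(::GetCurrentProcess(),
                                TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
            break;

        if (!::LookupPrivilegeValue(NULL, lpszPrivilegeName, &tkp.Privileges[0].Luid))
            break;

        tkp.PrivilegeCount = 1;
        tkp.Privileges[0].Attributes = bEnable ? SE_PRIVILEGE_ENABLED : 0;

        if (!::AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof(tkp), NULL, NULL))
            break;

        // Success return + ERROR_NOT_ALL_ASSIGNED == privilege not held by
        // this token; report that as failure instead of silently succeeding.
        if (::GetLastError() == ERROR_NOT_ALL_ASSIGNED)
            break;

        bResult = TRUE;
    } while (FALSE);

    if (hToken != NULL)
        ::CloseHandle(hToken);

    return bResult;
}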
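// Find a running explorer.exe and open its primary token with TOKEN_QUERY.
//
// Returns a token handle the caller must CloseHandle(), or NULL when the
// snapshot fails, no explorer.exe is found, or none of the found instances
// could be opened.
//
// Caveats a caller should know:
//  - The first explorer.exe in the snapshot wins. On a host with several
//    logged-on sessions (RDP, fast user switching) that is not necessarily
//    the console user's shell; callers that need a specific user should
//    also compare ProcessIdToSessionId() against the target session.
//  - SeDebugPrivilege is enabled here so other users' explorer.exe can be
//    opened, and it is left enabled for the rest of the process lifetime
//    (same as the original). Callers that want least privilege can call
//    EnablePrivilege(SE_DEBUG_NAME, FALSE) once they have the token.
//  - EnablePrivilege's result is intentionally ignored: without the
//    privilege the lookup still works for an explorer.exe running as the
//    caller's own user.
//
// Fixes relative to the earlier version: the loop previously issued
// `continue` when OpenProcess failed without advancing to Process32Next,
// so it spun forever on the same entry; and the name literal is now wrapped
// in TEXT() so it matches szExeFile's character type in UNICODE builds.
HANDLE GetExplorerToken()
{
    EnablePrivilege(SE_DEBUG_NAME, TRUE);

    HANDLE hSnapshot = ::CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnapshot == INVALID_HANDLE_VALUE)
        return NULL;

    HANDLE hExplorerToken = NULL;
    PROCESSENTRY32 pe = { 0 };
    pe.dwSize = sizeof(pe);

    // The for-increment always advances the snapshot cursor, so `continue`
    // inside the body can no longer re-process the same entry.
    for (BOOL bMore = ::Process32First(hSnapshot, &pe);
         bMore && hExplorerToken == NULL;
         bMore = ::Process32Next(hSnapshot, &pe))
    {
        if (_tcsicmp(TEXT("explorer.exe"), pe.szExeFile) != 0)
            continue;

        // PROCESS_QUERY_INFORMATION is what OpenProcessToken needs here;
        // PROCESS_QUERY_LIMITED_INFORMATION would also suffice on Vista+ and
        // is the less privileged choice if XP support is not required.
        HANDLE hProcess = ::OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, pe.th32ProcessID);
        if (hProcess == NULL)
            continue;   // e.g. another user's process without SeDebug -- try the next match

        HANDLE hToken = NULL;
        if (::OpenProcessToken(hProcess, TOKEN_QUERY, &hToken))
            hExplorerToken = hToken;   // loop condition ends the scan
        ::CloseHandle(hProcess);
    }

    ::CloseHandle(hSnapshot);
    return hExplorerToken;
}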
使用 (usage; this fragment sits inside a do { ... } while (FALSE) that is not shown)
// Obtain the logged-on user's token via explorer.exe; NULL means no usable
// explorer.exe was found (or the snapshot failed). The `break` statements
// assume an enclosing do { ... } while (FALSE) -- not visible here.
HANDLE hExplorerToken = GetExplorerToken();
if (hExplorerToken == NULL)
break;
// Resolve that user's profile directory (e.g. C:\Users\<name>) from the token.
// Note the ANSI variant is used with a char buffer even though the lookup
// above is TCHAR-based; cchSize is in/out and must be re-set before any retry.
char szUserProfilePath[MAX_PATH] = { 0 };
DWORD cchSize = MAX_PATH;
if (!GetUserProfileDirectoryA(hExplorerToken, szUserProfilePath, &cchSize))
{
// Failure path releases the token; the success path must CloseHandle it too
// (that code is outside this fragment).
CloseHandle(hExplorerToken);
break;
}
blog link 提权