仿PowerTool的查看进程权限（已启用特权）功能。
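#include <iostream>
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <Windows.h>
#include <TlHelp32.h>

using namespace std;

/*
 * Look up a process ID by executable name.
 *   pName:  executable name as reported by the Toolhelp snapshot (e.g. "notepad.exe")
 *   isCase: TRUE for a case-sensitive match, FALSE for a case-insensitive one
 * Returns the PID of the first matching process, or 0 when no process matches
 * or the snapshot could not be taken.
 * NOTE: PROCESSENTRY32::szExeFile is a char[] only in a non-UNICODE (MBCS)
 * build, which is what this listing assumes.
 */
DWORD Pro_NameGetPid(const char *pName, BOOL isCase);

/*
 * Enumerate the privileges that are currently ENABLED in a process's primary token.
 *   hPro:    process handle; PROCESS_QUERY_INFORMATION access is sufficient
 *   pPowers: receives a malloc'ed array of malloc'ed C strings, one per enabled
 *            privilege. The caller owns the array and every string; release them
 *            with Pro_FreePrivileges().
 * Returns the number of enabled privileges; 0 on failure or when none is
 * enabled (then *pPowers is NULL).
 * Privileges that are present but disabled are deliberately not reported.
 * NOTE(review): this reads the process's primary token only; a thread that is
 * impersonating may be running under a different token.
 */
DWORD Pro_GetPrivileges(HANDLE hPro, char ***pPowers);

/* Release an array produced by Pro_GetPrivileges (NULL / 0 is a no-op). */
static void Pro_FreePrivileges(char **pPowers, DWORD dwCount);

int main(void)
{
    char **a = NULL;

    DWORD dwPid = Pro_NameGetPid("测试程序.exe", FALSE);
    if (dwPid == 0)
    {
        // Do not hand a PID of 0 to OpenProcess; report the lookup failure itself.
        printf("未找到目标进程\n");
        return 1;
    }

    // Least privilege: reading the token only needs a query handle. A narrower
    // request is also less likely to be refused by the access check than
    // PROCESS_ALL_ACCESS, so the tool works on more processes.
    HANDLE hPro = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, dwPid);
    if (!hPro)
    {
        printf("进程打开失败:%lu\n", (unsigned long)GetLastError());
        return 1;
    }

    DWORD dwLen = Pro_GetPrivileges(hPro, &a);
    for (DWORD i = 0; i < dwLen; i++)
    {
        cout << a[i] << endl;
    }

    Pro_FreePrivileges(a, dwLen);
    CloseHandle(hPro);
    return 0;
}

DWORD Pro_NameGetPid(const char *pName, BOOL isCase)
{
    if (pName == NULL || pName[0] == '\0')
        return 0;

    HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    // CreateToolhelp32Snapshot signals failure with INVALID_HANDLE_VALUE, not
    // NULL, so the original "if (!hSnap)" never caught a failed snapshot.
    if (hSnap == INVALID_HANDLE_VALUE)
        return 0;

    PROCESSENTRY32 proInfo = { 0 };
    proInfo.dwSize = sizeof(proInfo);

    DWORD dwPid = 0;
    for (BOOL bOk = Process32First(hSnap, &proInfo); bOk; bOk = Process32Next(hSnap, &proInfo))
    {
        // Compare the complete names. The original copied strlen() characters
        // with lstrcpyn, which reserves one slot for the terminator, so it
        // silently dropped the last character of BOTH strings before comparing
        // ("a.exe" and "a.exf" compared equal).
        int cmp = isCase ? strcmp(proInfo.szExeFile, pName)
                         : _stricmp(proInfo.szExeFile, pName);
        if (cmp == 0)
        {
            dwPid = proInfo.th32ProcessID;
            break;
        }
    }

    CloseHandle(hSnap);
    return dwPid;
}

DWORD Pro_GetPrivileges(HANDLE hPro, char ***pPowers)
{
    if (pPowers == NULL)
        return 0;
    *pPowers = NULL;

    HANDLE hToken = NULL;
    // TOKEN_QUERY is all GetTokenInformation needs; asking for TOKEN_ALL_ACCESS
    // makes the call fail on tokens the caller may read but not modify.
    if (!OpenProcessToken(hPro, TOKEN_QUERY, &hToken))
    {
        printf("进程Token提取失败:%lu\n", (unsigned long)GetLastError());
        return 0;
    }

    DWORD dwNeededSize = 0;
    DWORD dwCount = 0;
    PTOKEN_PRIVILEGES pTp = NULL;
    char **ppNames = NULL;

    // First call with no buffer only reports the required size.
    GetTokenInformation(hToken, TokenPrivileges, NULL, 0, &dwNeededSize);
    if (dwNeededSize == 0)
        goto cleanup;
    pTp = (PTOKEN_PRIVILEGES)malloc(dwNeededSize);
    if (pTp == NULL)
        goto cleanup;
    if (!GetTokenInformation(hToken, TokenPrivileges, pTp, dwNeededSize, &dwNeededSize))
    {
        printf("获取进程权限失败!");
        goto cleanup;
    }
    if (pTp->PrivilegeCount == 0)
        goto cleanup;

    // One pointer slot per privilege in the token is an upper bound on the
    // number of enabled ones. (The original allocated PrivilegeCount *bytes*,
    // inside the loop, which overflows the heap as soon as one pointer is
    // stored and leaked the previous allocation on every iteration.)
    ppNames = (char **)calloc(pTp->PrivilegeCount, sizeof(*ppNames));
    if (ppNames == NULL)
        goto cleanup;

    for (DWORD i = 0; i < pTp->PrivilegeCount; i++)
    {
        // Attributes is a bit mask. An enabled privilege frequently carries
        // SE_PRIVILEGE_ENABLED | SE_PRIVILEGE_ENABLED_BY_DEFAULT, which the
        // original "== SE_PRIVILEGE_ENABLED" test never matched, so such
        // privileges were under-reported.
        if ((pTp->Privileges[i].Attributes & SE_PRIVILEGE_ENABLED) == 0)
            continue;

        DWORD dwNameLen = 0;
        // Size probe: on failure dwNameLen receives the needed length including the NUL.
        LookupPrivilegeNameA(NULL, &pTp->Privileges[i].Luid, NULL, &dwNameLen);
        if (dwNameLen == 0)
            continue;

        char *pName = (char *)malloc(dwNameLen);
        if (pName == NULL)
            continue;
        if (!LookupPrivilegeNameA(NULL, &pTp->Privileges[i].Luid, pName, &dwNameLen))
        {
            free(pName);
            continue;
        }

        // Keep going after a hit: the original broke out of the loop after the
        // first enabled privilege and therefore never listed more than one.
        ppNames[dwCount++] = pName;
    }

    if (dwCount == 0)
    {
        free(ppNames);
        ppNames = NULL;
    }
    *pPowers = ppNames;

cleanup:
    free(pTp);
    CloseHandle(hToken);   // the original leaked the token on the failure path
    return dwCount;
}

static void Pro_FreePrivileges(char **pPowers, DWORD dwCount)
{
    if (pPowers == NULL)
        return;
    for (DWORD i = 0; i < dwCount; i++)
    {
        free(pPowers[i]);
    }
    free(pPowers);
}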
给测试程序启用 SeDebugPrivilege（Debug 特权）后的测试效果图：
原文地址:https://www.cnblogs.com/biaoge140/p/9189648.html