</pre><pre>
HANDLE tokenHandle;
//獲得令牌句柄
BOOL bRet = OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &tokenHandle);
if (bRet){
TOKEN_PRIVILEGES tokenPri;tokenPri.PrivilegeCount = 1;//tokenPri.Privileges數組的大小
tokenPri.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;//開啓權限Luid所標識的權限
bRet = LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tokenPri.Privileges[0].Luid);//獲取權限的標識Luid
if (bRet){
bRet = AdjustTokenPrivileges(tokenHandle, FALSE, &tokenPri, sizeof(tokenPri), NULL, NULL);//修改權限}CloseHandle(tokenHandle);
}
}
return bRet;//提權是否成功
OpenProcessToken原型:
BOOL WINAPI OpenProcessToken(
_In_ HANDLE ProcessHandle,<span style="white-space:pre"> </span>// 進程句柄
_In_ DWORD DesiredAccess,<span style="white-space:pre"> </span>// 想要獲得的訪問權限
_Out_ PHANDLE TokenHandle<span style="white-space:pre"> </span>// 返回的令牌句柄
);
DesiredAccess的取值及其含義(不太清楚的話直接用TOKEN_ALL_ACCESS就行了)
Value | Meaning |
---|---|
TOKEN_ADJUST_DEFAULT | Required to change the default owner, primary group, or DACL of an access token. |
TOKEN_ADJUST_GROUPS | Required to adjust the attributes of the groups in an access token. |
TOKEN_ADJUST_PRIVILEGES | Required to enable or disable the privileges in an access token. |
TOKEN_ADJUST_SESSIONID | Required to adjust the session ID of an access token. The SE_TCB_NAME privilege is required. |
TOKEN_ASSIGN_PRIMARY | Required to attach a primary token to aprocess. The SE_ASSIGNPRIMARYTOKEN_NAME privilege is also required to accomplish this task. |
TOKEN_DUPLICATE | Required to duplicate an access token. |
TOKEN_EXECUTE | Combines STANDARD_RIGHTS_EXECUTE and TOKEN_IMPERSONATE. |
TOKEN_IMPERSONATE | Required to attach an impersonation access token to a process. |
TOKEN_QUERY | Required to query an access token. |
TOKEN_QUERY_SOURCE | Required to query the source of an access token. |
TOKEN_READ | Combines STANDARD_RIGHTS_READ and TOKEN_QUERY. |
TOKEN_WRITE | Combines STANDARD_RIGHTS_WRITE, TOKEN_ADJUST_PRIVILEGES, TOKEN_ADJUST_GROUPS, and TOKEN_ADJUST_DEFAULT. |
TOKEN_ALL_ACCESS | Combines all possible access rights for a token. |
AdjustTokenPrivileges原型:
BOOL WINAPI AdjustTokenPrivileges(
_In_ HANDLE TokenHandle,<span style="white-space:pre"> </span>//令牌句柄
_In_ BOOL DisableAllPrivileges,<span style="white-space:pre"> </span>//爲FALSE時表示禁用所有權限,爲TRUE時表示用NewState所指向的結構體來修改權限
_In_opt_ PTOKEN_PRIVILEGES NewState,//指向TOKEN_PRIVILEGES結構體的指針
_In_ DWORD BufferLength,<span style="white-space:pre"> </span>//sizeof(NewState)
_Out_opt_ PTOKEN_PRIVILEGES PreviousState,<span style="white-space:pre"> </span>// 指向用來保存修改前的TOKEN_PRIVILIGES的結構體,若不想保存修改前的權限,可以爲NULL
_Out_opt_ PDWORD ReturnLength<span style="white-space:pre"> </span>// 指向用來保存<span style="font-family: Arial;">PreviousState大小的DWORD的指針</span>
);
_TOKEN_PRIVILEGES 定義:
typedef struct _TOKEN_PRIVILEGES { ULONG PrivilegeCount; //Privileges數組的大小,一般爲1 LUID_AND_ATTRIBUTES Privileges[ANYSIZE_ARRAY]; } TOKEN_PRIVILEGES, *PTOKEN_PRIVILEGES;
_LUID_AND_ATTRIBUTES 定義:
typedef struct _LUID_AND_ATTRIBUTES {
LUID Luid;<span style="white-space:pre"> </span>//權限的唯一標識
ULONG Attributes; //要對這個權限做什麼?
} LUID_AND_ATTRIBUTES, *PLUID_AND_ATTRIBUTES;
Attributes的取值:
屬性
|
描述
|
SE_PRIVILEGE_ENABLED_BY_DEFAULT
|
特權默認啓用
|
SE_PRIVILEGE_ENABLED
|
特權啓用.
|
SE_PRIVILEGE_USED_FOR_ACCESS
|
特權被用來訪問一個對象或服務。
這個標誌 被用於 標識有關特權,因爲
通過一組客戶端應用程序,可能包含不必要的特權
|
LookupPrivilegeValue原型:
BOOL WINAPI LookupPrivilegeValue( _In_opt_ LPCTSTR lpSystemName,//指向系統名稱的字符串的指針,一般爲NULL,表示從本地系統獲取查找權限的名稱, _In_ LPCTSTR lpName, //權限的名稱 _Out_ PLUID lpLuid //返回的LUID的指針 );
Constant/value | Description |
---|---|
|
Required to assign the primary token of a process. User Right: Replace a process-level token. |
|
Required to generate audit-log entries. Give this privilege to secure servers. User Right: Generate security audits. |
|
Required to perform backup operations. This privilege causes the system to grant all read access control to any file, regardless of theaccess control list (ACL) specified for the file. Any access request other than read is still evaluated with the ACL. This privilege is required by theRegSaveKey andRegSaveKeyExfunctions. The following access rights are granted if this privilege is held:
User Right: Back up files and directories. |
|
Required to receive notifications of changes to files or directories. This privilege also causes the system to skip all traversal access checks. It is enabled by default for all users. User Right: Bypass traverse checking. |
|
Required to create named file mapping objects in the global namespace during Terminal Services sessions. This privilege is enabled by default for administrators, services, and the local system account. User Right: Create global objects. |
|
Required to create a paging file. User Right: Create a pagefile. |
|
Required to create a permanent object. User Right: Create permanent shared objects. |
|
Required to create a symbolic link. User Right: Create symbolic links. |
|
Required to create a primary token. User Right: Create a token object. You cannot add this privilege to a user account with the "Create a token object" policy. Additionally, you cannot add this privilege to an owned process using Windows APIs. Windows Server 2003 and Windows XP with SP1 and earlier:Windows APIs can add this privilege to an owned process. |
|
Required to debug and adjust the memory of a process owned by another account. User Right: Debug programs. |
|
Required to mark user and computer accounts as trusted for delegation. User Right: Enable computer and user accounts to be trusted for delegation. |
|
Required to impersonate. User Right: Impersonate a client after authentication. |
|
Required to increase the base priority of a process. User Right: Increase scheduling priority. |
|
Required to increase the quota assigned to a process. User Right: Adjust memory quotas for a process. |
|
Required to allocate more memory for applications that run in the context of users. User Right: Increase a process working set. |
|
Required to load or unload a device driver. User Right: Load and unload device drivers. |
|
Required to lock physical pages in memory. User Right: Lock pages in memory. |
|
Required to create a computer account. User Right: Add workstations to domain. |
|
Required to enable volume management privileges. User Right: Manage the files on a volume. |
|
Required to gather profiling information for a single process. User Right: Profile single process. |
|
Required to modify the mandatory integrity level of an object. User Right: Modify an object label. |
|
Required to shut down a system using a network request. User Right: Force shutdown from a remote system. |
|
Required to perform restore operations. This privilege causes the system to grant all write access control to any file, regardless of the ACL specified for the file. Any access request other than write is still evaluated with the ACL. Additionally, this privilege enables you to set any valid user or group SID as the owner of a file. This privilege is required by theRegLoadKey function. The following access rights are granted if this privilege is held:
User Right: Restore files and directories. |
|
Required to perform a number of security-related functions, such as controlling and viewing audit messages. This privilege identifies its holder as a security operator. User Right: Manage auditing and security log. |
|
Required to shut down a local system. User Right: Shut down the system. |
|
Required for a domain controller to use the Lightweight Directory Access Protocol directory synchronization services. This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers. User Right: Synchronize directory service data. |
|
Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information. User Right: Modify firmware environment values. |
|
Required to gather profiling information for the entire system. User Right: Profile system performance. |
|
Required to modify the system time. User Right: Change the system time. |
|
Required to take ownership of an object without being granted discretionary access. This privilege allows the owner value to be set only to those values that the holder may legitimately assign as the owner of an object. User Right: Take ownership of files or other objects. |
|
This privilege identifies its holder as part of the trusted computer base. Some trusted protected subsystems are granted this privilege. User Right: Act as part of the operating system. |
|
Required to adjust the time zone associated with the computer's internal clock. User Right: Change the time zone. |
|
Required to access Credential Manager as a trusted caller. User Right: Access Credential Manager as a trusted caller. |
|
Required to undock a laptop. User Right: Remove computer from docking station. |
|
Required to read unsolicited input from a terminal device. User Right: Not applicable. |
參考:
MSDN Library
http://www.cnblogs.com/94cool/archive/2012/10/30/2745785.html
http://blog.csdn.net/fbmly/article/details/5442965
http://baike.baidu.com/link?url=AzXy27AIFWnhCKzJ-HthRIhqoox4LzO5xRubc-UQ9G_XKrnOHu_PA6eR8IIgFUZy35GR2n-qbkOsEm4Vr_05Ca