
如何修改线程的access token

如何修改线程的access token

关于“如何修改线程的access token”（即让当前线程以另一个进程的用户身份运行）的有关信息介绍如下：

如何修改线程的access token

BOOL Impersonate(LPCSTR szFileName)函数中,输入参数为需要Impersonate的进程名,比如说explorer.exeInt main(){ OSVERSIONINFO os = {sizeof(OSVERSIONINFO)};GetVersionEx(&os);if(os.dwMajorVersion >= 6 ){//Only Impersonate when it is vista and later Impersonate(_T("explorer.exe")); //now this thread have the Access Token of explorer.exe}} BOOL Impersonate(LPCSTR szFileName){BOOL bResult = FALSE;HANDLE hProcess = NULL;HANDLE hToken = NULL; for(DWORD dw=0; dw<0xFFFFFF; Sleep((++dw)*100)){//loop until success DWORD dwSessionID = 0;//GetActiveConsoleSessionId(); if(!ProcessIdToSessionId(GetCurrentProcessId(), &dwSessionID)) continue; DWORD dwPID = GetPIDOFSpecifiedSession(dwSessionID, szFileName, NULL); hProcess = OpenProcess(PROCESS_ALL_ACCESS, TRUE, dwPID); if(hProcess == NULL) continue; if(!OpenProcessToken(hProcess, TOKEN_READ | TOKEN_DUPLICATE | TOKEN_QUERY|TOKEN_ASSIGN_PRIMARY , &hToken )) { CloseHandle(hProcess); hProcess = NULL; DbgPrint("In CreateProcessAsActiveWinlogon, Open Process Failed"); continue; } bResult = ImpersonateLoggedOnUser(hToken); break;}return bResult;} DWORD GetActiveConsoleSessionId(){DWORD dwResult = 0;HINSTANCE hKernal32 = NULL;do { OSVERSIONINFO os = {sizeof(OSVERSIONINFO)}; GetVersionEx(&os); if(os.dwMajorVersion == 5 && os.dwMinorVersion==0){//2000 break; } else{//xp and vista typedef DWORD (WINAPI* PWTSActiveSessionID)(); hKernal32 = LoadLibrary(_T("kernel32.dll")); if(hKernal32 == NULL) break; PWTSActiveSessionID pWTSActiveSessionID = (PWTSActiveSessionID)GetProcAddress(hKernal32, _T("WTSGetActiveConsoleSessionId")); if(pWTSActiveSessionID == NULL) break; dwResult = pWTSActiveSessionID(); }} while(FALSE);if(hKernal32 != NULL) FreeLibrary(hKernal32);return dwResult; } DWORD GetPIDOFSpecifiedSession(DWORD dwSessionID, LPCTSTR lpProcessName, LPCTSTR lpUserName){DWORD dwRet = 0;PWTS_PROCESS_INFO lpProcessInfo = NULL;do { if (lpProcessName==NULL) break; DWORD dwProcessCount = 0; if(!WTSEnumerateProcesses(WTS_CURRENT_SERVER_HANDLE, 0, 1, &lpProcessInfo, 
&dwProcessCount)) {//This functions will fail if it is run in windows 2000 //and in windows 2000, I can just using the process id of current process instead DbgPrint("In CCheckPIN::GetPIDOFSpecifiedSession, WTSEnumerateProcesses returns FALSE,\ Last Error:%d", GetLastError()); dwRet = GetCurrentProcessId();//using current process id break; } // dump each process description for (DWORD dwIndex = 0; dwIndex < dwProcessCount; dwIndex++) { if(lpProcessInfo[dwIndex].SessionId != dwSessionID) continue; if(lstrcmpi(lpProcessInfo[dwIndex].pProcessName, lpProcessName) != 0 ) continue; if(lpUserName != NULL){ TCHAR szUser[MAX_PATH] = {0}; DWORD chUser = MAX_PATH; TCHAR szDomain[MAX_PATH] = {0}; DWORD chDomain = MAX_PATH; SID_NAME_USE snu; if(!LookupAccountSid(NULL, lpProcessInfo[dwIndex].pUserSid, szUser, &chUser, szDomain, &chDomain, &snu)) { DbgPrint("LookupAccountSid returns FALSE, LastError:%d", GetLastError()); break; } DbgPrint("szUser:%s, lpUserName:%s", szUser, lpUserName); if(lstrcmpi(szUser, lpUserName) != 0) { break; } } dwRet = lpProcessInfo[dwIndex].ProcessId; break; }//end of for loop}while(FALSE); if(lpProcessName != NULL){ WTSFreeMemory(lpProcessInfo);}return dwRet;}