SeDebugPrivilege提权

有时需要对任意一个进程进行写相关访问权的OpenProcess操作,需要SeDebug权限或Administrator用户。但是有时即使是Administrator对系统安全进程执行OpenProcess(PROCESS_ALL_ACCESS,FALSE,dwProcessID)时还是会访问拒绝,因为默认情况下某些访问权限没有被使能,所以要修改进程令牌。

代码

#include <Windows.h>
#include <stdio.h>

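/*
 * Enable SeDebugPrivilege on the current process token, then retry
 * OpenProcess(PROCESS_ALL_ACCESS, ...).
 *
 * Even an administrator's token holds SeDebugPrivilege in the *disabled*
 * state by default, so OpenProcess on a protected/system process can still
 * fail with access denied until the privilege is enabled with
 * AdjustTokenPrivileges.
 */

/*
 * Enable one named privilege on the current process's access token.
 *
 * name: privilege name, e.g. SE_DEBUG_NAME.
 * Returns TRUE on success, FALSE on failure (a message is printed first).
 *
 * Why the extra GetLastError() check: AdjustTokenPrivileges returns nonzero
 * even when it could not enable the privilege because the token does not
 * hold it at all; that case is only reported via ERROR_NOT_ALL_ASSIGNED.
 */
static BOOL enable_privilege(LPCTSTR name)
{
    HANDLE token = NULL;
    LUID luid;
    TOKEN_PRIVILEGES new_state = {0};
    BOOL ok = FALSE;

    /* TOKEN_ADJUST_PRIVILEGES is the only access right needed to change
     * which privileges are enabled. */
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &token)) {
        printf("Error open process token: %lu\n", (unsigned long)GetLastError());
        return FALSE;
    }

    /* Resolve the privilege name to its LUID (locally unique identifier:
     * a 64-bit value unique on this machine only until the next reboot;
     * unlike a GUID it is not globally unique). */
    if (!LookupPrivilegeValue(NULL, name, &luid)) {
        printf("Error look up privilege value: %lu\n", (unsigned long)GetLastError());
        goto out;
    }

    new_state.PrivilegeCount = 1;
    new_state.Privileges[0].Luid = luid;
    /* Other attribute values: SE_PRIVILEGE_ENABLED_BY_DEFAULT,
     * SE_PRIVILEGE_USED_FOR_ACCESS. */
    new_state.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

    if (!AdjustTokenPrivileges(token, FALSE, &new_state, sizeof new_state, NULL, NULL)) {
        printf("Error adjust token privileges: %lu\n", (unsigned long)GetLastError());
        goto out;
    }
    /* Success return value is not enough: the privilege may be absent from
     * the token (non-admin caller), which only shows up here. */
    if (GetLastError() == ERROR_NOT_ALL_ASSIGNED) {
        printf("Privilege not held by the token, could not enable it\n");
        goto out;
    }
    ok = TRUE;

out:
    CloseHandle(token);
    return ok;
}

/*
 * Open a process with full access and report failure.
 *
 * pid:   process id to open.
 * label: short tag printed in the message to tell the two attempts apart.
 * Only the access check is of interest here, so a successfully opened
 * handle is closed immediately rather than leaked.
 */
static void try_open(DWORD pid, const char *label)
{
    HANDLE proc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
    if (proc == NULL) {
        printf("Wrong open %lu-%s-%lu\n", (unsigned long)pid, label,
               (unsigned long)GetLastError());
        return;
    }
    CloseHandle(proc);
}

int main(void)
{
    /* First attempt, before the privilege is enabled: expected to fail on a
     * system process. */
    try_open(11828, "1");

    if (!enable_privilege(SE_DEBUG_NAME)) {
        return 1;
    }

    /* With SeDebugPrivilege enabled the same OpenProcess call can succeed. */
    try_open(180, "2");
    return 0;
}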

参考

https://blog.csdn.net/qq_22642239/article/details/70026555

https://gist.github.com/Barakat/020a8be7f4e50e6b4e3de4ede0f84c2c