即使设置了正确的权限,CreateProcessAsUser也会失败并显示错误1314
我不断从CreateProcessAsUserW收到错误1314,无论我设置了什么权限,根据MSDN,我应该添加 SE_INCREASE_QUOTA_NAME &的 SE_ASSIGNPRIMARYTOKEN_NAME
为了确保,我在组策略控制台中验证了实际添加了权限。
LSA_OBJECT_ATTRIBUTES ObjectAttributes;
WCHAR* SystemName = &strSessionUserName[0];
USHORT SystemNameLength;
LSA_UNICODE_STRING lusSystemName;
NTSTATUS ntsResult;
LSA_HANDLE lsahPolicyHandle;
// Object attributes are reserved, so initialize to zeros.
ZeroMemory(&ObjectAttributes, sizeof(ObjectAttributes));
//Initialize an LSA_UNICODE_STRING to the server name.
SystemNameLength = (USHORT)wcslen(SystemName);
lusSystemName.Buffer = SystemName;
lusSystemName.Length = SystemNameLength * sizeof(WCHAR);
lusSystemName.MaximumLength = (SystemNameLength + 1) * sizeof(WCHAR);
// Get a handle to the Policy object.
ntsResult = LsaOpenPolicy(
nullptr, //Name of the target system.
&ObjectAttributes, //Object attributes.
0x000f0fff, //Desired access permissions.
&lsahPolicyHandle //Receives the policy handle.
);
PSID pSid;
if (false == ConvertStringSidToSid(strSid.data(), &pSid))
return false;
WCHAR* pQuotaName = L"SeIncreaseQuotaPrivilege";
LSA_UNICODE_STRING Privilege[1];
size_t stQuotaLength = wcslen(pQuotaName);
Privilege[0].Buffer = pQuotaName;
Privilege[0].Length = (USHORT)(stQuotaLength*sizeof(WCHAR));
Privilege[0].MaximumLength = (USHORT)(stQuotaLength + 1)*sizeof(WCHAR);
ntsResult = LsaAddAccountRights(lsahPolicyHandle, pSid, Privilege, 1);
if (!LookupPrivilegeValue(
NULL, // lookup privilege on local system
L"SeIncreaseQuotaPrivilege", // privilege to lookup
&luid)) // receives LUID of privilege
{
printf("LookupPrivilegeValue error: %u\n", GetLastError());
return FALSE;
}
tp.PrivilegeCount = 1;
tp.Privileges[0].Luid = luid;
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
if (!AdjustTokenPrivileges(
hToken,
FALSE,
&tp,
sizeof(TOKEN_PRIVILEGES),
(PTOKEN_PRIVILEGES)NULL,
(PDWORD)NULL))
{
printf("AdjustTokenPrivileges error: %u\n", GetLastError());
return FALSE;
}
WCHAR* pAssignToken = L"SeAssignPrimaryTokenPrivilege";
size_t stAssignToken = wcslen(pAssignToken);
Privilege[0].Buffer = pAssignToken;
Privilege[0].Length = (USHORT)(stAssignToken*sizeof(WCHAR));
Privilege[0].MaximumLength = (USHORT)(stAssignToken + 1)*sizeof(WCHAR);
ntsResult = LsaAddAccountRights(lsahPolicyHandle, pSid, Privilege, 1);
if (!LookupPrivilegeValue(
NULL, // lookup privilege on local system
L"SeAssignPrimaryTokenPrivilege", // privilege to lookup
&luid)) // receives LUID of privilege
{
printf("LookupPrivilegeValue error: %u\n", GetLastError());
return FALSE;
}
tp.PrivilegeCount = 1;
tp.Privileges[0].Luid = luid;
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
if (!AdjustTokenPrivileges(
hToken,
FALSE,
&tp,
sizeof(TOKEN_PRIVILEGES),
(PTOKEN_PRIVILEGES)NULL,
(PDWORD)NULL))
{
printf("AdjustTokenPrivileges error: %u\n", GetLastError());
return FALSE;
}
WCHAR* pTcbName = L"SeTcbPrivilege";
size_t stTcbName = wcslen(pTcbName);
Privilege[0].Buffer = pTcbName;
Privilege[0].Length = (USHORT)(stTcbName*sizeof(WCHAR));
Privilege[0].MaximumLength = (USHORT)(stTcbName + 1)*sizeof(WCHAR);
ntsResult = LsaAddAccountRights(lsahPolicyHandle, pSid, Privilege, 1);
if (!LookupPrivilegeValue(
NULL, // lookup privilege on local system
L"SeTcbPrivilege", // privilege to lookup
&luid)) // receives LUID of privilege
{
printf("LookupPrivilegeValue error: %u\n", GetLastError());
return FALSE;
}
tp.PrivilegeCount = 1;
tp.Privileges[0].Luid = luid;
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
if (!AdjustTokenPrivileges(
hToken,
FALSE,
&tp,
sizeof(TOKEN_PRIVILEGES),
(PTOKEN_PRIVILEGES)NULL,
(PDWORD)NULL))
{
printf("AdjustTokenPrivileges error: %u\n", GetLastError());
return FALSE;
}
si.cb = sizeof(STARTUPINFO);
if (FALSE == CreateProcessAsUserW(hToken, nullptr, L"notepad.exe", nullptr, nullptr, false, CREATE_SUSPENDED | CREATE_BREAKAWAY_FROM_JOB, nullptr, nullptr, &si, &pi))
{
return false;
}
我使用以下标志从目标用户检索令牌:
TOKEN_QUERY | TOKEN_DUPLICATE | TOKEN_IMPERSONATE | TOKEN_ASSIGN_PRIMARY
使用 CreateProcessWithToken / CreateProcessWithLogon 是有问题的,因为CreateProcessWithToken在新作业中启动,这会弄乱目标进程的初始化,而CreateProcessWithLogon需要密码,这是未知的在运行期间。
0 个答案:
没有答案
相关问题
最新问题
- 我写了这段代码,但我无法理解我的错误
- 我无法从一个代码实例的列表中删除 None 值,但我可以在另一个实例中。为什么它适用于一个细分市场而不适用于另一个细分市场?
- 是否有可能使 loadstring 不可能等于打印?卢阿
- java中的random.expovariate()
- Appscript 通过会议在 Google 日历中发送电子邮件和创建活动
- 为什么我的 Onclick 箭头功能在 React 中不起作用?
- 在此代码中是否有使用“this”的替代方法?
- 在 SQL Server 和 PostgreSQL 上查询,我如何从第一个表获得第二个表的可视化
- 每千个数字得到
- 更新了城市边界 KML 文件的来源?