CreateProcessAsUser 导致进程退出并在进程启动时出现错误 0xc0000142
问题描述 投票:0回答:1
CreateProcessAsUser()我遵循了我在网上可以找到的一些代码示例。我还完成了一个使用
CreateProcess()LogonUser()CreateProcessAsUser()CreateEnvironmentBlock()CreateEnvironmentBlock()我的问题:
CreateProcessAsUser()whoami.exe应用程序无法正确启动(0xc0000142)。单击“确定”关闭应用程序。
我从管理员命令提示符启动我的应用程序,并通过本地安全策略,我已向管理员和我的特定帐户授予用户权限
SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeCreateProcessAsUser()下面的登录账户
usernamewhoami.exe这是我的代码片段:
int main()
{
STARTUPINFO si;
PROCESS_INFORMATION pi;
ZeroMemory(&si, sizeof(si));
si.cb = sizeof(si);
ZeroMemory(&pi, sizeof(pi));
WCHAR cmd_line[] = L"C:\\Windows\\System32\\whoami.exe";
HANDLE token = INVALID_HANDLE_VALUE;
LPVOID proc_env = NULL;
char username[MAX_PATH] = "username";
BOOL success = LogonUserA(username, "machine_domain", "password",
LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, &token);
if (!success)
{
std::cout << "LogonUser() GLE " << GetLastError() << std::endl;
}
if (token == NULL || token == INVALID_HANDLE_VALUE)
{
std::cout << "token is bad" << std::endl;
}
// Use token to get environment.
success = CreateEnvironmentBlock(&proc_env, token, FALSE);
if (!success)
{
std::cout << "CreateEnvironmentBlock() GLE " << GetLastError() << std::endl;
CloseHandle(token);
return 1;
}
if (proc_env == NULL)
{
std::cout << "procenv is null" << std::endl;
}
success = CreateProcessAsUser(
token,
NULL, // app name
cmd_line, // includes app name.
NULL, // proc security attrs
NULL, // thread security attrs
FALSE, // inherit handles
CREATE_UNICODE_ENVIRONMENT, // creation flags
proc_env, // env
L"C:\\", // current dir
&si, // startupinfo
&pi);
if (!success)
{
std::cout << "CreateProcessAsUser() GLE " << GetLastError() << std::endl;
return 1;
}
// Wait until child process exits.
WaitForSingleObject(pi.hProcess, INFINITE);
// Close process and thread handles.
CloseHandle(pi.hProcess);
CloseHandle(pi.hThread);
return 0;
}
我在
CreationFlagsCREATE_UNICODE_ENVIRONMENTSTARTUPINFOlpDesktop"winsta0\\default"编辑1
我做了一些编辑,以确保
STARTUPINFOlbInheritTRUESTARTF_USESTDHANDLESwhoamiNULLL""L"winsta0\\default"winsta0\defaultCreateProcessWithLogon()int main()
{
WCHAR cmd_line[] = L"C:\\Windows\\System32\\whoami.exe";
HANDLE token = INVALID_HANDLE_VALUE;
LPVOID proc_env = NULL;
char username[MAX_PATH] = "target_user";
BOOL success = LogonUserA(username, "domain_local", "password",
LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, &token);
if (!success)
{
std::cout << "LogonUser() GLE " << GetLastError() << std::endl;
}
if (token == NULL || token == INVALID_HANDLE_VALUE)
{
std::cout << "token is bad" << std::endl;
}
// Use token to get environment.
success = CreateEnvironmentBlock(&proc_env, token, FALSE);
if (!success)
{
std::cout << "CreateEnvironmentBlock() GLE " << GetLastError() << std::endl;
CloseHandle(token);
return 1;
}
if (proc_env == NULL)
{
std::cout << "procenv is null" << std::endl;
}
HANDLE child_write_pipe = NULL; // child's STDOUT
HANDLE parent_read_pipe = NULL;
SECURITY_ATTRIBUTES sa = { 0 };
sa.bInheritHandle = TRUE;
sa.lpSecurityDescriptor = NULL;
sa.nLength = sizeof(sa);
// Create pipe to communicate with child.
success = CreatePipe(&parent_read_pipe, &child_write_pipe, &sa, 0);
if (!success)
{
std::cout << "CreatePipe fail" << std::endl;
return 1;
}
success = SetHandleInformation(parent_read_pipe, HANDLE_FLAG_INHERIT, 0);
if (!success)
{
std::cout << "SetHandleInformation fail" << std::endl;
return 1;
}
STARTUPINFO si;
PROCESS_INFORMATION pi;
ZeroMemory(&si, sizeof(si));
si.cb = sizeof(si);
si.dwFlags = STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES;
si.hStdOutput = child_write_pipe;
si.hStdError = child_write_pipe;
si.hStdInput = NULL;
//// Prevent cmd window pop up.
si.wShowWindow = SW_HIDE;
WCHAR lpd[] = L"";
si.lpDesktop = lpd;
ZeroMemory(&pi, sizeof(pi));
// Token must have TOKEN_QUERY | TOKEN_DUPLICATE | TOKEN_ASSIGN_PRIMARY.
success = CreateProcessAsUser(
token,
NULL, // app name
cmd_line, // includes app name.
NULL, // proc security attrs
NULL, // thread security attrs
TRUE, // inherit handles
CREATE_NO_WINDOW | CREATE_UNICODE_ENVIRONMENT, // creation flags
proc_env, // env
L"C:\\", // current dir
&si, // startupinfo
&pi);
if (!success)
{
std::cout << "CreateProcessAsUser() GLE " << GetLastError() << std::endl;
return 1;
}
// Read the results from child (POLL / BLOCK).
char* result_buf = NULL;
_result_read(pi.hProcess, parent_read_pipe, &result_buf);
if (result_buf)
{
std::cout << "result: " << result_buf << std::endl;
// Copy into result object.
free(result_buf);
}
// get exit code.
DWORD ec = 0;
success = GetExitCodeProcess(pi.hProcess, &ec);
std::cout << "exit code: " << ec << std::endl;
// Close process and thread handles.
CloseHandle(pi.hProcess);
CloseHandle(pi.hThread);
return 0;
}
1个回答
0
投票
投票
您在第二次编辑中就明白了全部要点。您的非管理员用户没有与 windows station 和 destkop 对象交互的权限。
默认 ACL 仅限于
NT AUTHORITY\LogonSessionId_X_YS-1-5-5-X-YLogonUserAUTHORITY\LogonSessionId_X_YUserLogon要解决此问题,您可以使用
OpenWindowStationWOpenDesktopWSetSecurityInfo这里是在 Station 对象上设置一些 非常危险 ACL 的代码,允许每个人用它做任何事情 :
void AddFullAccessForEveryoneStation(LPCWSTR lpWinstaName) {
HWINSTA hWinsta = OpenWindowStationW(lpWinstaName, FALSE, READ_CONTROL | WRITE_DAC);
if (hWinsta == NULL) {
std::cerr << "OpenWindowStationW Error: " << GetLastError() << std::endl;
return;
}
PSECURITY_DESCRIPTOR pSD = NULL;
PACL pDacl = NULL;
DWORD dwRes = GetSecurityInfo(
hWinsta, // handle to the object
SE_WINDOW_OBJECT, // type of the object
DACL_SECURITY_INFORMATION, // type of security information
NULL, // owner SID
NULL, // primary group SID
&pDacl, // DACL
NULL, // SACL
&pSD); // security descriptor
if (dwRes != ERROR_SUCCESS) {
std::cerr << "GetSecurityInfo Error: " << dwRes << std::endl;
if (pSD) {
LocalFree(pSD);
}
CloseWindowStation(hWinsta);
return;
}
EXPLICIT_ACCESS ea;
ZeroMemory(&ea, sizeof(EXPLICIT_ACCESS));
ea.grfAccessPermissions = GENERIC_ALL |
WINSTA_ACCESSCLIPBOARD |
WINSTA_ACCESSGLOBALATOMS |
WINSTA_CREATEDESKTOP |
WINSTA_ENUMDESKTOPS |
WINSTA_ENUMERATE |
WINSTA_EXITWINDOWS |
WINSTA_READATTRIBUTES |
WINSTA_READSCREEN |
WINSTA_WRITEATTRIBUTES;
ea.grfAccessMode = GRANT_ACCESS;
ea.grfInheritance = NO_INHERITANCE;
PSID pEveryoneSID = NULL;
SID_IDENTIFIER_AUTHORITY SIDAuthWorld = SECURITY_WORLD_SID_AUTHORITY;
if (!AllocateAndInitializeSid(&SIDAuthWorld, 1, SECURITY_WORLD_RID, 0, 0, 0, 0, 0, 0, 0, &pEveryoneSID)) {
std::cerr << "AllocateAndInitializeSid Error: " << GetLastError() << std::endl;
if (pSD) {
LocalFree(pSD);
}
CloseWindowStation(hWinsta);
return;
}
ea.Trustee.TrusteeForm = TRUSTEE_IS_SID;
ea.Trustee.TrusteeType = TRUSTEE_IS_WELL_KNOWN_GROUP;
ea.Trustee.ptstrName = (LPTSTR)pEveryoneSID;
PACL pNewDacl = NULL;
dwRes = SetEntriesInAcl(1, &ea, pDacl, &pNewDacl);
if (dwRes != ERROR_SUCCESS) {
std::cerr << "SetEntriesInAcl Error: " << dwRes << std::endl;
if (pEveryoneSID) {
FreeSid(pEveryoneSID);
}
if (pSD) {
LocalFree(pSD);
}
CloseWindowStation(hWinsta);
return;
}
dwRes = SetSecurityInfo(
hWinsta, // handle to the object
SE_WINDOW_OBJECT, // type of the object
DACL_SECURITY_INFORMATION, // type of security information
NULL, // owner SID
NULL, // primary group SID
pNewDacl, // DACL
NULL); // SACL
if (dwRes != ERROR_SUCCESS) {
std::cerr << "SetSecurityInfo Error: " << dwRes << std::endl;
}
else {
std::cout << "Successfully added full access for Everyone." << std::endl;
}
if (pEveryoneSID) {
FreeSid(pEveryoneSID);
}
if (pNewDacl) {
LocalFree(pNewDacl);
}
if (pSD) {
LocalFree(pSD);
}
CloseWindowStation(hWinsta);
}
Then do the same for the Desktop. But please, keep in mind that this code is dangerous as it allow everyone. Modify it for your user only.
// call it with `AddFullAccessForEveryoneStation(L"winsta0")`
最新问题
- WPF ComboBox 获取突出显示的项目
- 修改 Windows 2016 EC2 Windows 实例上的右上角信息面板
- ASP.NET 端 Datagrid 中数据的动态过滤器
- Azure DevOps 自定义管道任务更新到新版本通过了验证,但实际上失败了,没有任何错误并且未使用更新版本
- 如何断言 cypress 中每页有 10 个项目的 50 页上的项目总数?
- QGraphicsView 使用鼠标滚轮在鼠标位置下放大和缩小
- window.print() 打印空白页
- 无法在 Intellij 下运行 Junit 测试,但可以在 Intellij IDE 中的 maven 下运行
- Rundeck 通过 api 触发作业,无需暴露脚本
- 使用 Azure 用户身份验证的 Node js 应用程序中具有 DefaultAzureCredentials 的应用程序见解
- Pytest:仅运行 linter 检查(pytest-flake8),不运行测试
- Inertiajs onFinish 在 redux 工具包减速器中不起作用
- 更新一个表的列中的值(如果这些值存在于另一个表的列中并且这些值是唯一的)
- Runtime.getRuntime().gc()有副作用吗[重复]
- Blazor:名称“Acti”在当前上下文中不存在
- 有没有一种方法可以使用带有默认字段和__slots__的数据类
- 如何让我的程序休眠 50 毫秒?
- 如何检查 Selenium Python WebDriver 中的复选框是否已选中?
- 整理一大张纸
- 将切换复选框的值发送到 ASP.NET MVC 中的控件
© www.soinside.com 2019 - 2024. All rights reserved.