16,749
社区成员
发帖
与我相关
我的任务
分享怎样在其他用户下取文磁盘的admin权限,写入文件?
我在chen权限下(自己在系统中添加的用户,对D磁盘没有写的权限),我用软件怎么取得系统的admin权限,把文件写入磁盘?
多谢大侠指点,分不够可以在加!
多谢大侠指点,分不够可以在加!
...全文
请发表友善的回复…
发表回复
柯本 2005-12-19
- 打赏
- 举报
我曾花过N多时间找过方面次料,得到的结果是即使你拥有administrator口令,一般用户在本进程中是不可能提升自己的权限到administrator的
根据网上的资料,用LogonUser、CreateProcessAsUser这两个API,发现也要SE_TCB_NAME权限,且即使你是administrator,也很难在程序中得到要SE_TCB_NAME权限(我从未成功过)
后来终于找到一个M$未公开的函数:CreateProcessWithLogonW,它可以用administrator身份运行一个进程,以下是delphi的例程:
unit Unit1;
interface
uses
Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
Dialogs, StdCtrls;
const
LOGON_WITH_PROFILE = 1;
LOGON_NETCREDENTIALS_ONLY = 2;
function CreateProcessWithLogon(
lpUsername: PWChar;
lpDomain: PWChar;
lpPassword: PWChar;
dwLogonFlags: DWORD;
lpApplicationName: PWChar;
lpCommandLine: PWChar;
dwCreationFlags: DWORD;
lpEnvironment: Pointer;
lpCurrentDirectory: PWChar;
const lpStartupInfo: TStartupInfo;
var lpProcessInfo: TProcessInformation
): BOOL; stdcall;
type
TForm1 = class(TForm)
Button1: TButton;
procedure Button1Click(Sender: TObject);
private
{ Private declarations }
public
{ Public declarations }
end;
var
Form1: TForm1;
implementation
{$R *.dfm}
function CreateProcessWithLogon; external advapi32 name 'CreateProcessWithLogonW';
procedure TForm1.Button1Click(Sender: TObject);
var
wUsername, wDomain, wPassword, wApplicationName: WideString;
pwUsername, pwDomain, pwPassword, pwApplicationName: PWideChar;
StartupInfo: TStartupInfo;
ProcessInfo: TProcessInformation;
begin
wUsername := 'administrator';
wDomain := '';
wPassword := '123456';
wApplicationName := 'cmd.exe';
pwUsername := Addr(wUsername[1]);
pwDomain := Addr(wDomain[1]);
pwPassword := Addr(wPassword[1]);
pwApplicationName := Addr(wApplicationName[1]);
FillChar(StartupInfo, SizeOf(TStartupInfo), 0);
StartupInfo.cb := SizeOf(TStartupInfo);
if not CreateProcessWithLogon(pwUsername,pwDomain,pwPassword,LOGON_WITH_PROFILE,
pwApplicationName,nil,CREATE_DEFAULT_ERROR_MODE,
nil,nil,StartupInfo,ProcessInfo) then
RaiseLastOSError;
end;
end.
其实,还有一个最简的方法,就是用系统的runas命令:
如:
runas /env /user:user@domain.microsoft.com "notepad \"my file.txt\""
根据网上的资料,用LogonUser、CreateProcessAsUser这两个API,发现也要SE_TCB_NAME权限,且即使你是administrator,也很难在程序中得到要SE_TCB_NAME权限(我从未成功过)
后来终于找到一个M$未公开的函数:CreateProcessWithLogonW,它可以用administrator身份运行一个进程,以下是delphi的例程:
unit Unit1;
interface
uses
Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
Dialogs, StdCtrls;
const
LOGON_WITH_PROFILE = 1;
LOGON_NETCREDENTIALS_ONLY = 2;
function CreateProcessWithLogon(
lpUsername: PWChar;
lpDomain: PWChar;
lpPassword: PWChar;
dwLogonFlags: DWORD;
lpApplicationName: PWChar;
lpCommandLine: PWChar;
dwCreationFlags: DWORD;
lpEnvironment: Pointer;
lpCurrentDirectory: PWChar;
const lpStartupInfo: TStartupInfo;
var lpProcessInfo: TProcessInformation
): BOOL; stdcall;
type
TForm1 = class(TForm)
Button1: TButton;
procedure Button1Click(Sender: TObject);
private
{ Private declarations }
public
{ Public declarations }
end;
var
Form1: TForm1;
implementation
{$R *.dfm}
function CreateProcessWithLogon; external advapi32 name 'CreateProcessWithLogonW';
procedure TForm1.Button1Click(Sender: TObject);
var
wUsername, wDomain, wPassword, wApplicationName: WideString;
pwUsername, pwDomain, pwPassword, pwApplicationName: PWideChar;
StartupInfo: TStartupInfo;
ProcessInfo: TProcessInformation;
begin
wUsername := 'administrator';
wDomain := '';
wPassword := '123456';
wApplicationName := 'cmd.exe';
pwUsername := Addr(wUsername[1]);
pwDomain := Addr(wDomain[1]);
pwPassword := Addr(wPassword[1]);
pwApplicationName := Addr(wApplicationName[1]);
FillChar(StartupInfo, SizeOf(TStartupInfo), 0);
StartupInfo.cb := SizeOf(TStartupInfo);
if not CreateProcessWithLogon(pwUsername,pwDomain,pwPassword,LOGON_WITH_PROFILE,
pwApplicationName,nil,CREATE_DEFAULT_ERROR_MODE,
nil,nil,StartupInfo,ProcessInfo) then
RaiseLastOSError;
end;
end.
其实,还有一个最简的方法,就是用系统的runas命令:
如:
runas /env /user:user@domain.microsoft.com "notepad \"my file.txt\""
Kingron 2005-12-19
- 打赏
- 举报
正常情况下,如果你的程序运行的当前用户不是Admin,是不能够提升权限的,当时可以采取其他的手段做到,去找找“提升权限”相应的代码吧。
Merrybip 2005-12-15
- 打赏
- 举报
我也做过关机的
可是写文件我真的不知道
能不能在具体一点
可是写文件我真的不知道
能不能在具体一点
aiirii 2005-12-15
- 打赏
- 举报
首先调用OpenProcessToken()函数得到存取令牌的句柄,然后调用AdjustTokenPrivileges()函数来使能该特权。Win32API定义了一组字符串常量来标识不同的特权,如关机特权是 ’SeShutdownPrivilege’。
var
rl: Cardinal;
hToken: Cardinal;
tkp: TOKEN_PRIVILEGES;
begin
{获得用户关机特权,仅对Windows NT/2000/XP}
OpenProcessToken(GetCurrentProcess, TOKEN_ADJUST_PRIVILEGES or TOKEN_QUERY, hToken);
if LookupPrivilegeValue(nil, ’SeShutdownPrivilege’, tkp.Privileges[0].Luid) then
begin
tkp.Privileges[0].Attributes := SE_PRIVILEGE_ENABLED;
tkp.PrivilegeCount := 1;
AdjustTokenPrivileges(hToken, False, tkp, 0, nil, rl);
end;
修改上面的代码应该就可
var
rl: Cardinal;
hToken: Cardinal;
tkp: TOKEN_PRIVILEGES;
begin
{获得用户关机特权,仅对Windows NT/2000/XP}
OpenProcessToken(GetCurrentProcess, TOKEN_ADJUST_PRIVILEGES or TOKEN_QUERY, hToken);
if LookupPrivilegeValue(nil, ’SeShutdownPrivilege’, tkp.Privileges[0].Luid) then
begin
tkp.Privileges[0].Attributes := SE_PRIVILEGE_ENABLED;
tkp.PrivilegeCount := 1;
AdjustTokenPrivileges(hToken, False, tkp, 0, nil, rl);
end;
修改上面的代码应该就可
Merrybip 2005-12-15
- 打赏
- 举报
自己先顶一下
