서비스를 생성하지 않고 SYSTEM 권한으로 지정된 프로세스를 실행하는 방법을 알고 싶습니다. 온라인으로 검색해 보고 남들이 쓴 글을 분석하면서 많이 배웠습니다.
1. 지정된 프로세스의 토큰 핸들을 얻습니다
2. 토큰 핸들을 통해 메인 토큰을 생성합니다. 3. 생성된 토큰 핸들을
통해 새로운 프로세스를 실행합니다.h <span># <span>pragma</span> 한 번</span><br><span>#<span>포함</span> <span>"iostream"</span></span><br><span>#<span>포함</span> <span>"문자열"</span></span><br><span># <span>포함</span> <span>"Windows.h"</span></span><br><span>사용</span> <span>네임스페이스</span>::<span>std</span>;<br> main.cpp <span>#<span>include</span> <span>"stdafx.h"</span>< /span><br><span>#<span>포함</span> <span>"head.h"</span></span><br><span><span>클래스</span> <span>Jack</span><br>{</span><br><span>공개</span>:<br> <span>핸들 <span>GetAccessToken</span><span>(DWORD pid) </span> </span>{<br> HANDLE currentProcess = {};<br> HANDLE Asstoken = {};<br> DWORD LastError;<br> currentProcess = OpenProcess(PROCESS_QUERY_INFORMATION, TRUE, pid);<br> <span>if</span> (!currentProcess) {<br> LastError = GetLastError();<br> <span>cout</span> << span>"ERROR:OpenProcess(): "</span> << LastError << <span>endl</span>;<br> <span>return</span> (HANDLE)<span>NULL</span>;<br> }<br> <span>if</span> (!OpenProcessToken (현재 프로세스, TOKEN_ASSIGN_PRIMARY | TOKEN_DUPLICATE | TOKEN_IMPERSONATE | TOKEN_QUERY, &Asstoken)) {<br> LastError = GetLastError();<br> <span>cout</span> <<"ERROR:OpenProcessToken(): "</span> <<< span>endl</span>;<br> <span>return</span> (HANDLE)<span>NULL</span>;<br> }<br> <span>return</span> Asstoken;<br> }<br> <span><span>void</span> <span>Runprocess</span><span>(HANDLE 토큰)</span> </span >{<br> DWORD LastError;<br> <span>if</span> (!DuplicateTokenEx(Token, MAXIMUM_ALLOWED, <span>NULL</span>, SecurityImpersonation, TokenPrimary,&토큰)) {<br> LastError = GetLastError();<br> <span>cout</span> <<<span>"ERROR
:디uplicateTokenEx(): "</span> << LastError << <span>endl</span>;<br> }<br> STARTUPINFOW si = {};<br> PROCESS_INFORMATION pi = {};< br> BOOL ret;<br> ret = CreateProcessWithTokenW(토큰, LOGON_NETCREDENTIALS_ONLY, <span>L"C:\\Windows\\System32\\cmd.exe"</span>, <span>NULL</span>, CREATE_NEW_CONSOLE, <span>NULL</span>, <span>NULL</ span>span>, &si,&pi);<br> <span>if</span> (!ret) {<br> LastError = GetLastError();<br> <span>cout</span> <span>"ERROR:CreateProcessWithTokenW(): "</span> <<LastError <span>endl</span>;<br> }< br> }<br>};<br><span>//wmain() 또는 main() 또는 기타 기본 함수. 두 번째 매개변수 중 두 개는 16진수로의 변환을 나타내고 하나는 일반 값을 나타냅니다. br><span><span>int</span> <span>wmain</span><span>(<span>int</span> argc,WCHAR **argv)</span> </span>{ <span>//wmain()은 main()의 UNICODE 버전이고, _tmain()은 매크로이고, UNICODE인 경우 wmain()입니다.</span><br> <span> </span > (argc < <span>2</span>)<br> {<br> <span>cout</span> <<span>"winlogon 사용법 <Pid>"</span> << <span>endl</span>;<br> <span>return</span> <span>1</span>;<br> }<br> DWORD pid;<br> pid = _wtoi(argv[<span>1</span>]) <span>//16진수 변환</span><br> <span>cout</span> <span>"[+] PID: "</span> << pid <span>endl</span>;<br> Jack jk; <br> 처리 Ptoken=jk.GetAccessToken(pid);<br> jk.Runprocess(Ptoken);<br> <span>return</span> <span>0</span>;<br>}<br>
관리자 권한으로 cmd 실행
1. 지정된 프로세스의 토큰 핸들을 얻습니다
2. 토큰 핸들을 통해 메인 토큰을 생성합니다. 3. 생성된 토큰 핸들을
통해 새로운 프로세스를 실행합니다.h <span># <span>pragma</span> 한 번</span><br><span>#<span>포함</span> <span>"iostream"</span></span><br><span>#<span>포함</span> <span>"문자열"</span></span><br><span># <span>포함</span> <span>"Windows.h"</span></span><br><span>사용</span> <span>네임스페이스</span>::<span>std</span>;<br> main.cpp <span>#<span>include</span> <span>"stdafx.h"</span>< /span><br><span>#<span>포함</span> <span>"head.h"</span></span><br><span><span>클래스</span> <span>Jack</span><br>{</span><br><span>공개</span>:<br> <span>핸들 <span>GetAccessToken</span><span>(DWORD pid) </span> </span>{<br> HANDLE currentProcess = {};<br> HANDLE Asstoken = {};<br> DWORD LastError;<br> currentProcess = OpenProcess(PROCESS_QUERY_INFORMATION, TRUE, pid);<br> <span>if</span> (!currentProcess) {<br> LastError = GetLastError();<br> <span>cout</span> << span>"ERROR:OpenProcess(): "</span> << LastError << <span>endl</span>;<br> <span>return</span> (HANDLE)<span>NULL</span>;<br> }<br> <span>if</span> (!OpenProcessToken (현재 프로세스, TOKEN_ASSIGN_PRIMARY | TOKEN_DUPLICATE | TOKEN_IMPERSONATE | TOKEN_QUERY, &Asstoken)) {<br> LastError = GetLastError();<br> <span>cout</span> <<"ERROR:OpenProcessToken(): "</span> <<< span>endl</span>;<br> <span>return</span> (HANDLE)<span>NULL</span>;<br> }<br> <span>return</span> Asstoken;<br> }<br> <span><span>void</span> <span>Runprocess</span><span>(HANDLE 토큰)</span> </span >{<br> DWORD LastError;<br> <span>if</span> (!DuplicateTokenEx(Token, MAXIMUM_ALLOWED, <span>NULL</span>, SecurityImpersonation, TokenPrimary,&토큰)) {<br> LastError = GetLastError();<br> <span>cout</span> <<<span>"ERROR
:디uplicateTokenEx(): "</span> << LastError << <span>endl</span>;<br> }<br> STARTUPINFOW si = {};<br> PROCESS_INFORMATION pi = {};< br> BOOL ret;<br> ret = CreateProcessWithTokenW(토큰, LOGON_NETCREDENTIALS_ONLY, <span>L"C:\\Windows\\System32\\cmd.exe"</span>, <span>NULL</span>, CREATE_NEW_CONSOLE, <span>NULL</span>, <span>NULL</ span>span>, &si,&pi);<br> <span>if</span> (!ret) {<br> LastError = GetLastError();<br> <span>cout</span> <span>"ERROR:CreateProcessWithTokenW(): "</span> <<LastError <span>endl</span>;<br> }< br> }<br>};<br><span>//wmain() 또는 main() 또는 기타 기본 함수. 두 번째 매개변수 중 두 개는 16진수로의 변환을 나타내고 하나는 일반 값을 나타냅니다. br><span><span>int</span> <span>wmain</span><span>(<span>int</span> argc,WCHAR **argv)</span> </span>{ <span>//wmain()은 main()의 UNICODE 버전이고, _tmain()은 매크로이고, UNICODE인 경우 wmain()입니다.</span><br> <span> </span > (argc < <span>2</span>)<br> {<br> <span>cout</span> <<span>"winlogon 사용법 <Pid>"</span> << <span>endl</span>;<br> <span>return</span> <span>1</span>;<br> }<br> DWORD pid;<br> pid = _wtoi(argv[<span>1</span>]) <span>//16진수 변환</span><br> <span>cout</span> <span>"[+] PID: "</span> << pid <span>endl</span>;<br> Jack jk; <br> 처리 Ptoken=jk.GetAccessToken(pid);<br> jk.Runprocess(Ptoken);<br> <span>return</span> <span>0</span>;<br>}<br>
관리자 권한으로 cmd 실행