windows程序提权至system

问题:

程序没有最高权限,无法进行高权限的操作
(即使管理员权限也无法满足的情况下)

解决方案:

使用C++实现在win10系统上获取系统的system权限
通过system父进程创建子进程方式给程序提权

核心代码:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
static bool CreateProcessFromParent(char* lpPath)
{
	char str[][20] = { "winlogon.exe","lsass.exe" };
	DWORD pid = 0;
	int index = 0;
	do
	{
		pid = GetProcessIDByName(str[index++]);
		if (pid == 0) break;
	} while (index < sizeof(str) / 20);
	if (pid == 0 ) return false;

	//程序提权
	if (!EnableDebugPriv()) {
		cout << "EnableDebugPriv  Failed !" << endl;
		return false;
	}

	//创建启动信息结构体
	STARTUPINFOEXA si;

	//初始化结构体
	ZeroMemory(&si, sizeof(si));

	//设置结构体成员
	si.StartupInfo.cb = sizeof(si);

	//已全部权限打开services.exe 进程
	HANDLE handle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);

	SIZE_T lpSize = 0;
	InitializeProcThreadAttributeList(NULL, 1, 0, &lpSize);

	//转换指针到正确类型
	char * pTemp = new char[(int)lpSize];
	LPPROC_THREAD_ATTRIBUTE_LIST AttributeList = (LPPROC_THREAD_ATTRIBUTE_LIST)pTemp;

	InitializeProcThreadAttributeList(AttributeList, 1, 0, &lpSize);

	//用已构造的属性结构体更新属性表
	if (!UpdateProcThreadAttribute(
		AttributeList, 
		0,
		PROC_THREAD_ATTRIBUTE_PARENT_PROCESS, 
		&handle, 
		sizeof(HANDLE), 
		NULL, 
		NULL))
	{
		cout << "Fail to update attributes" << endl;
		return false;
	}

	si.lpAttributeList = AttributeList;

	PROCESS_INFORMATION pi;
	ZeroMemory(&pi, sizeof(pi));

	if (CreateProcessAsUser(NULL, lpPath, 0,
		0, 0, 0, EXTENDED_STARTUPINFO_PRESENT,
		0, 0, (LPSTARTUPINFOA)&si, &pi))
	{
		CloseHandle(pi.hProcess);
		CloseHandle(pi.hThread);

		DeleteProcThreadAttributeList(AttributeList);
		delete []pTemp;

		cout << "CreateProcessAsUserA Succeed ! ProcessId: " << pi.dwProcessId << endl;
		return true;
	}
	else
	{
		cout << "CreateProcessAsUserA Failed ! Error:" << GetLastError() << endl;
	}
	DeleteProcThreadAttributeList(AttributeList);
	delete []pTemp;

	return false;
}

工具下载:

x86:https://raw.githubusercontent.com/InkyTea/CreateProcessFromSystem/master/x86/CreateProcessFromSystem.exe
x64:https://raw.githubusercontent.com/InkyTea/CreateProcessFromSystem/master/x64/CreateProcessFromSystem.exe

使用教程:

1.根据windows系统下载对应版本

2.运行CreateProcessFromSystem.exe

3.选择/输入需要提权程序路径(如:C:\Users\Administrator\Desktop\myCE\myce.exe)

4.程序成功运行

5.打开任务管理器=》详细信息(程序用户名已经提权为SYSTEM)

源码地址:

https://github.com/InkyTea/CreateProcessFromSystem