[讨论]regsavekey为啥我提权了还是不好用?
信息来源:邪恶八进制信息安全团队([url]www.eviloctal.com[/url])议题作者:qxc0574
源代码如下,我使用asm写的,调用regsavekey不返回ERROR_SUCCESS..
哪位大侠帮帮我,我是照着邪八vc源码改写的(我的系统是xp sp2,未装杀毒软件,工具是masmplus):
[code].386
.model flat,stdcall
option casemap:none
include windows.inc
include user32.inc
include kernel32.inc
include advapi32.inc
includelib user32.lib
includelib kernel32.lib
includelib advapi32.lib
.data?
szResult dd ?
.const
hBackUp db 'SeBackupPrivilege',0
szRegFile db 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',0
szBackFile db 'D:\\1.hive',0
.code
_ProcPrivilege Proc
local hToken
local hTokenLiu:TOKEN_PRIVILEGES
invoke GetCurrentThread
invoke OpenProcessToken,eax,TOKEN_ADJUST_PRIVILEGES or TOKEN_QUERY or TOKEN_READ,hToken
invoke LookupPrivilegeValue,NULL,addr hBackUp,addr hTokenLiu.Privileges.Luid
mov hTokenLiu.PrivilegeCount,1
mov hTokenLiu.Privileges.Attributes,SE_PRIVILEGE_ENABLED
invoke AdjustTokenPrivileges,hToken,FALSE,addr hTokenLiu,NULL,NULL,NULL
invoke CloseHandle,hToken
ret
_ProcPrivilege endp
start:call _ProcPrivilege
invoke RegOpenKeyEx,HKEY_LOCAL_MACHINE,addr szRegFile,0,KEY_WRITE,addr szResult
invoke RegSaveKey,szResult,addr szBackFile,NULL
invoke RegCloseKey,szResult
invoke ExitProcess,NULL
end start[/code]
下面是vc的:
[code]#include <windows.h>
#include <stdio.h>
int EnablePrivilege(LPCTSTR lpszPrivilege,BOOL bEnable)
{
HANDLE hToken;
TOKEN_PRIVILEGES tp;
LUID luid;
if(!OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES |
TOKEN_QUERY | TOKEN_READ,&hToken))
return 1;
//if(!LookupPrivilegeValue(NULL, lpszPrivilege, &luid))
// return 1;
if(!LookupPrivilegeValue(NULL,lpszPrivilege,&luid ) ) // receives LUID of privilege
return 2;
tp.PrivilegeCount = 1;
tp.Privileges[0].Luid = luid;
tp.Privileges[0].Attributes = (bEnable) ? SE_PRIVILEGE_ENABLED : 0;
AdjustTokenPrivileges(hToken,FALSE,&tp,NULL,NULL,NULL);
CloseHandle(hToken);
return 0;
}
void ShowError(const LONG ErrorNo){
LPVOID lpMsgBuf;
FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_IGNORE_INSERTS,
NULL,
ErrorNo,
MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), // Default language
(LPTSTR) &lpMsgBuf,
0,
NULL 为啥我提权了还是不好用
);
printf("ID:%d\n%s",ErrorNo,lpMsgBuf);
}
int main(){
EnablePrivilege(SE_BACKUP_NAME,TRUE);
HKEY hKey;
RegOpenKeyEx( HKEY_CLASSES_ROOT,
"WScript.Network",
0, KEY_WRITE, &hKey );
LONG result;
result=RegSaveKey(hKey,"d:\\test.reg",NULL);
ShowError(result);
RegCloseKey( hKey );
return 0;
}
//>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>[/code] RegSaveKey跟进程权限有关系吗? [s:289] _EnablePrivilege proc szPriv:DWORD, bFlags:DWORD
LOCAL hToken
LOCAL tkp : TOKEN_PRIVILEGES
invoke GetCurrentProcess ;GetCurrentProcess获得当前进程的HANDLE
mov edx, eax
invoke OpenProcessToken, edx, TOKEN_ADJUST_PRIVILEGES or TOKEN_QUERY, addr hToken ;获取进程访问令牌
invoke LookupPrivilegeValue, NULL, szPriv, addr tkp.Privileges.Luid;一个权限对应的LUID值
mov tkp.PrivilegeCount, 1
xor eax, eax
.if bFlags
mov eax, SE_PRIVILEGE_ENABLED
.endif
mov tkp.Privileges.Attributes, eax
invoke AdjustTokenPrivileges, hToken, FALSE, addr tkp, 0, 0, 0 ;对这个访问令牌进行修改
push eax
invoke CloseHandle, hToken
pop eax
ret
_EnablePrivilege endp
;***********************************************************************************************
invoke _EnablePrivilege,CTXT("SeDebugPrivilege"), TRUE
可以结贴了。 [s:265] [s:269] 谢谢大大们,我知道错在哪里了..对了好像对于vista好像上面的老方法不管用了..
页:
[1]