<think>我们遇到了“
Failed to get SYSTEM
token”错误,这通常是因为无法从winlogon.exe(或类似系统进程)获取令牌。让我们改进令牌获取方法,并增加兼容性和错误处理。
改进点:
1. 尝试多个系统进程(winlogon.exe, services.exe, svchost.exe等)
2. 处理令牌复制失败的情况
3. 更健壮的错误日志
以下是改进后的
GetSystem
Token函数:
</think>### SYSTEM 令牌获取失败的解决方案
当出现 "
Failed to get SYSTEM
token" 错误时,通常是由于权限不足或目标进程选择不当。以下是改进后的完整解决方案,解决了令牌获取问题并增强了兼容性:
```cpp
#include <windows.h>
#include <iostream>
#include <tchar.h>
#include <vec
tor>
#include <psapi.h>
#pragma comment(lib, "advapi32.lib")
#pragma comment(lib, "psapi.lib")
// 提升为调试权限
bool EnableDebugPrivilege() {
HANDLE h
Token;
TOKEN_PRIVILEGES tp;
// 打开当前进程令牌
if (!Open
ProcessToken(
GetCurrent
Process(),
TOKEN_ADJUST_PRIVILEGES |
TOKEN_QUERY, &h
Token)) {
std
::cerr << "Open
ProcessToken
failed: " <<
GetLastError() << std
::endl;
return false;
}
// 获取调试权限LUID
LUID luid;
if (!LookupPrivilegeValue(nullptr, SE_DEBUG_NAME, &luid)) {
std
::cerr << "LookupPrivilegeValue
failed: " <<
GetLastError() << std
::endl;
CloseHandle(h
Token);
return false;
}
tp.PrivilegeCount = 1;
tp.Privileges[0].Luid = luid;
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
// 调整令牌权限
if (!Adjust
TokenPrivileges(h
Token, FALSE, &tp, sizeof(
TOKEN_PRIVILEGES), nullptr, nullptr)) {
std
::cerr << "Adjust
TokenPrivileges
failed: " <<
GetLastError() << std
::endl;
CloseHandle(h
Token);
return false;
}
CloseHandle(h
Token);
return true;
}
// 获取SYSTEM令牌(改进版本)
HANDLE
GetSystem
Token() {
std
::vec
tor<DWORD>
processIds(1024);
DWORD cbNeeded;
// 枚举所有进程ID
if (!Enum
Processes(
processIds.data(), static_cast<DWORD>(
processIds.size() * sizeof(DWORD)), &cbNeeded)) {
std
::cerr << "Enum
Processes
failed: " <<
GetLastError() << std
::endl;
return nullptr;
}
DWORD
processCount = cbNeeded / sizeof(DWORD);
HANDLE h
Token = nullptr;
// 尝试多个系统进程
const TCHAR* system
Processes[] = {
_T("winlogon.exe"),
_T("services.exe"),
_T("svchost.exe"),
_T("lsass.exe"),
_T("csrss.exe")
};
for (DWORD i = 0; i <
processCount; i++) {
if (
processIds[i] == 0) continue;
HANDLE h
Process = Open
Process(
PROCESS_QUERY_IN
FORMATION |
PROCESS_VM_READ, FALSE,
processIds[i]);
if (!h
Process) continue;
TCHAR sz
ProcessName[MAX_PATH] = { 0 };
if (
GetProcessImageFileName(h
Process, sz
ProcessName, MAX_PATH)) {
// 提取文件名
TCHAR* pBaseName = _tcsrchr(sz
ProcessName, _T('\\'));
if (pBaseName) pBaseName++;
else pBaseName = sz
ProcessName;
// 检查是否是系统进程
for (int j = 0; j < sizeof(system
Processes) / sizeof(system
Processes[0]); j++) {
if (_tcsicmp(pBaseName, system
Processes[j]) == 0) {
HANDLE hProc
Token = nullptr;
// 尝试打开进程令牌
if (Open
ProcessToken(h
Process,
TOKEN_DUPLICATE |
TOKEN_QUERY |
TOKEN_ASSIGN_PRIMARY, &hProc
Token)) {
// 尝试复制令牌
if (Duplicate
TokenEx(hProc
Token, MAXIMUM_ALLOWED, nullptr,
SecurityImpersonation,
TokenPrimary, &h
Token)) {
CloseHandle(hProc
Token);
CloseHandle(h
Process);
return h
Token;
}
CloseHandle(hProc
Token);
}
break; // 找到匹配进程后跳出内部循环
}
}
}
CloseHandle(h
Process);
}
std
::cerr << "
Failed to find a suitable system
process token" << std
::endl;
return nullptr;
}
// 以SYSTEM权限
启动程序
bool RunAsSystem(LPCTSTR lpExePath) {
// 1. 提升调试权限
if (!EnableDebugPrivilege()) {
std
::cerr << "Warning
: Failed to enable debug privilege. Trying
to proceed anyway..." << std
::endl;
}
// 2. 获取SYSTEM令牌
HANDLE hSystem
Token =
GetSystem
Token();
if (!hSystem
Token) {
std
::cerr << "
Failed to get SYSTEM
token" << std
::endl;
return false;
}
// 3. 准备创建进程
STARTUPINFO si = { sizeof(si) };
PROCESS_IN
FORMATION pi;
TCHAR szCommandLine[MAX_PATH];
// 复制路径(Create
ProcessAsUser需要可写缓冲区)
_tcscpy_s(szCommandLine, MAX_PATH, lpExePath);
// 4. 创建进程
BOOL result = Create
ProcessAsUser(
hSystem
Token, // SYSTEM令牌
nullptr, // 应用程序名
szCommandLine, // 命令行
nullptr, // 进程安全属性
nullptr, // 线程安全属性
FALSE, // 不继承句柄
CREATE_NEW_CONSOLE | CREATE_UNICODE_ENVIRONMENT, // 创建标志
nullptr, // 环境块(继承)
nullptr, // 当前目录(继承)
&si, //
启动信息
&pi // 进程信息
);
DWORD lastError =
GetLastError();
if (result) {
std
::wcout << L"[+] Successfully started
: " << lpExePath << std
::endl;
CloseHandle(pi.h
Process);
CloseHandle(pi.hThread);
} else {
std
::cerr << "Create
ProcessAsUser
failed: " << lastError << std
::endl;
// 尝试替代方法:使用Create
ProcessWith
TokenW(Vista+)
HMODULE hAdvapi = LoadLibrary(_T("advapi32.dll"));
if (hAdvapi) {
typedef BOOL(WINAPI* Create
ProcessWith
TokenWFunc)(
HANDLE, DWORD, LPCWSTR, LPWSTR, DWORD, LPVOID, LPCWSTR, LPSTARTUPINFOW, LP
PROCESS_IN
FORMATION);
Create
ProcessWith
TokenWFunc pCreate
ProcessWith
TokenW =
(Create
ProcessWith
TokenWFunc)
GetProcAddress(hAdvapi, "Create
ProcessWith
TokenW");
if (pCreate
ProcessWith
TokenW) {
result = pCreate
ProcessWith
TokenW(
hSystem
Token,
LOGON_WITH_PROFILE,
nullptr,
szCommandLine,
CREATE_NEW_CONSOLE,
nullptr,
nullptr,
&si,
&pi);
if (result) {
std
::wcout << L"[+] Created with Create
ProcessWith
TokenW
: " << lpExePath << std
::endl;
CloseHandle(pi.h
Process);
CloseHandle(pi.hThread);
} else {
std
::cerr << "Create
ProcessWith
TokenW
failed: " <<
GetLastError() << std
::endl;
}
}
FreeLibrary(hAdvapi);
}
}
CloseHandle(hSystem
Token);
return result;
}
// 获取当前目录下的文件路径
bool
GetCurrentDirFilePath(LPCTSTR fileName, LPTSTR buffer, DWORD bufferSize) {
if (!
GetModuleFileName(nullptr, buffer, bufferSize)) {
return false;
}
TCHAR* pLastSlash = _tcsrchr(buffer, _T('\\'));
if (!pLastSlash) return false;
*(pLastSlash + 1) = _T('\0');
_tcscat_s(buffer, bufferSize, fileName);
return true;
}
int main() {
// 1. 检查管理员权限
BOOL isAdmin = FALSE;
SID_IDENTIFIER_AUTHORITY NtAuthority = SECURITY_NT_AUTHORITY;
PSID adminGroup;
if (AllocateAndInitializeSid(&NtAuthority, 2, SECURITY_BUILTIN_DOMAIN_RID,
DOMAIN_ALIAS_RID_ADMINS, 0, 0, 0, 0, 0, 0, &adminGroup)) {
Check
TokenMembership(nullptr, adminGroup, &isAdmin);
FreeSid(adminGroup);
}
if (!isAdmin) {
std
::cerr << "Error
: Program must be run as administra
tor!" << std
::endl;
system("pause");
return 1;
}
// 2. 获取XE.exe路径
TCHAR szPath[MAX_PATH];
if (!
GetCurrentDirFilePath(_T("XE.exe"), szPath, MAX_PATH)) {
std
::cerr << "
Failed to get current direc
tory" << std
::endl;
return 1;
}
// 3. 检查文件是否存在
if (
GetFileAttributes(szPath) == INVALID_FILE_ATTRIBUTES) {
std
::wcerr << L"File
not found
: " << szPath << std
::endl;
return 1;
}
// 4. 以SYSTEM权限运行
if (RunAsSystem(szPath)) {
std
::cout << "[+]
Process launched successfully" << std
::endl;
} else {
std
::cerr << "[
-]
Failed to launch process" << std
::endl;
}
system("pause");
return 0;
}
```
### 关键改进点:
1. **多进程令牌获取**:
```cpp
// 尝试多个系统进程
const TCHAR* system
Processes[] = {
_T("winlogon.exe"),
_T("services.exe"),
_T("svchost.exe"),
_T("lsass.exe"),
_T("csrss.exe")
};
```
2. **改进的错误处理**:
```cpp
// 详细错误输出
std
::cerr << "Open
ProcessToken
failed: " <<
GetLastError() << std
::endl;
```
3. **替代API动态加载**:
```cpp
// 动态加载Create
ProcessWith
TokenW
HMODULE hAdvapi = LoadLibrary(_T("advapi32.dll"));
if (hAdvapi) {
typedef BOOL(WINAPI* Create
ProcessWith
TokenWFunc)(...);
// ...
}
```
4. **权限处理优化**:
```cpp
// 添加必要的令牌权限
Open
ProcessToken(h
Process,
TOKEN_DUPLICATE |
TOKEN_QUERY |
TOKEN_ASSIGN_PRIMARY,
&hProc
Token);
```
### 常见问题解决方案:
1. **权限不足错误**:
- 确保程序以管理员身份运行
- 检查SE_DEBUG_NAME权限是否启用
- 使用更全面的系统进程列表
2. **进程创建失败**:
```cpp
// 添加创建标志
CREATE_NEW_CONSOLE | CREATE_UNICODE_ENVIRONMENT
```
3. **路径问题**:
```cpp
// 使用
GetProcessImageFileName代替
GetModuleBaseName
GetProcessImageFileName(h
Process, sz
ProcessName, MAX_PATH);
```
4. **兼容性问题**:
```cpp
// 动态加载API支持旧版Windows
LoadLibrary(_T("advapi32.dll"));
```
### 替代方案:使用计划任务
如果令牌方法仍然失败,可以使用更可靠的任务计划程序方法:
```cpp
#include <windows.h>
#include <
taskschd.h>
#include <comdef.h>
#include <iostream>
#pragma comment(lib, "
taskschd.lib")
#pragma comment(lib, "comsuppw.lib")
bool RunAsSystemVia
TaskScheduler(LPCTSTR exePath) {
HRESULT hr = CoInitializeEx(nullptr, COINIT_MULTITHREADED);
if (
FAILED(hr)) return false;
I
TaskService* pService = nullptr;
hr = CoCreateInstance(CLSID_
TaskScheduler, nullptr, CLSCTX_INPROC_SERVER,
IID_I
TaskService, (void**)&pService);
if (
FAILED(hr)) go
to cleanup;
hr = pService
->Connect(_variant_t(), _variant_t(), _variant_t(), _variant_t());
if (
FAILED(hr)) go
to cleanup;
I
TaskFolder* pRootFolder = nullptr;
hr = pService
->
GetFolder(_bstr_t(L"\\"), &pRootFolder);
if (
FAILED(hr)) go
to cleanup;
IRegistered
Task* pRegistered
Task = nullptr;
hr = pRootFolder
->Delete
Task(_bstr_t(L"TempSystem
Runner"), 0);
// 忽略删除错误
I
TaskDefinition* p
Task = nullptr;
hr = pService
->New
Task(0, &p
Task);
if (
FAILED(hr)) go
to cleanup;
IPrincipal* pPrincipal = nullptr;
hr = p
Task->
get_Principal(&pPrincipal);
if (SUCCEEDED(hr)) {
pPrincipal
->put_RunLevel(
TASK_RUNLEVEL_HIGHEST);
pPrincipal
->put_UserId(_bstr_t(L"SYSTEM"));
pPrincipal
->Release();
}
IExecAction* pExecAction = nullptr;
IActionCollection* pActionCollection = nullptr;
hr = p
Task->
get_Actions(&pActionCollection);
if (SUCCEEDED(hr)) {
hr = pActionCollection
->Create(
TASK_ACTION_EXEC, &pExecAction);
if (SUCCEEDED(hr)) {
pExecAction
->put_Path(_bstr_t(exePath));
pExecAction
->Release();
}
pActionCollection
->Release();
}
IRegistrationInfo* pRegInfo = nullptr;
hr = p
Task->
get_RegistrationInfo(&pRegInfo);
if (SUCCEEDED(hr)) {
pRegInfo
->put_Author(_bstr_t(L"System
Runner"));
pRegInfo
->Release();
}
hr = pRootFolder
->Register
TaskDefinition(_bstr_t(L"TempSystem
Runner"), p
Task,
TASK_CREATE_OR_UPDATE, _variant_t(), _variant_t(),
TASK_LOGON_SERVICE_ACCOUNT, _variant_t(L""), &pRegistered
Task);
if (SUCCEEDED(hr)) {
IRunning
Task* pRunning
Task = nullptr;
hr = pRegistered
Task->Run(_variant_t(), &pRunning
Task);
if (SUCCEEDED(hr)) {
pRunning
Task->Release();
}
}
cleanup
:
if (pRegistered
Task) pRegistered
Task->Release();
if (pRootFolder) pRootFolder
->Release();
if (p
Task) p
Task->Release();
if (pService) pService
->Release();
CoUninitialize();
return SUCCEEDED(hr);
}
```
本文介绍在Xcode中使用distribution证书进行真机测试时遇到的问题及解决办法。由于distribution证书的限制,无法直接从Xcode启动应用,但不影响通过设备直接运行ipa文件。若需debug,则需将证书更换为development版本。
扫一扫
507
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
