本文详细介绍了使用C++编程语言实现系统管理员权限提升,并通过远程进程操作实现特定进程的控制,包括识别、定位并执行特定DLL文件以触发系统行为,如关机或特定应用的操作。
// m1.cpp : Defines the entry point for the console application.
//
#include "stdafx.h"
#include"stdio.h"
#include <windows.h>
#include <tlhelp32.h>
#include"tlhelp32.h"
void shutdown()
{
// 以下为提权函数,使其用关机权限,
HANDLE hToken;
TOKEN_PRIVILEGES tkp;
if(!OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY,&hToken))
{
printf("OpenProcessToken调用失败");
}
LookupPrivilegeValue(NULL,SE_SHUTDOWN_NAME,&tkp.Privileges[0].Luid);
tkp.PrivilegeCount=1;
tkp.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED;
AdjustTokenPrivileges(hToken,false,&tkp,0,(PTOKEN_PRIVILEGES)NULL,0);
//下面为关机函数
if(!ExitWindowsEx(EWX_SHUTDOWN ,0))
{
printf("关机失败");
}
}
int main(int argc, char* argv[])
{
PROCESSENTRY32 pe32;
pe32.dwSize = sizeof(pe32);
HANDLE hProcessSnap = ::CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if(hProcessSnap == INVALID_HANDLE_VALUE)
{
printf(" CreateToolhelp32Snapshot调用失败!");
return -1;
}
//string lpName = "EXPLORER.EXE" ; // 设定需要监视的进程名
PROCESSENTRY32 pe;
pe.dwSize = sizeof(pe);
BOOL bMore = ::Process32First(hProcessSnap, &pe32);
while(bMore)
{
printf(" 进程名称:%s \n", pe32.szExeFile);
if(stricmp("EXPLORER.exe",pe32.szExeFile)==0)
{
//取得宿主进程(EXPLORER.EXE)的句柄
HANDLE hRemoteProcess = OpenProcess(PROCESS_ALL_ACCESS,false,pe.th32ProcessID);
//取得目标DLL的当前路径(路径可自由设置)
char szInspectDllPath[128] ;
GetCurrentDirectory ( 128, szInspectDllPath ) ;
strcat (szInspectDllPath, "QQLandDlg.dll >\\debug\\InspectQQLandDlg.dll" ) ;
printf(" 地址: %s \n", szInspectDllPath);
//申请存放文件名的空间
LPVOID pszInspectDllRemote ;
int InspectDllNameLength = sizeof ( szInspectDllPath ) + 1 ;
pszInspectDllRemote = VirtualAllocEx ( hRemoteProcess, NULL, InspectDllNameLength, MEM_COMMIT, PAGE_READWRITE ) ;
//把dll文件名写入申请的空间
WriteProcessMemory ( hRemoteProcess, pszInspectDllRemote,(LPVOID)szInspectDllPath, InspectDllNameLength, NULL);
//获取动态链接库函数地址
HMODULE hModule ;
hModule = GetModuleHandle ( "kernel32.DLL" ) ;
LPTHREAD_START_ROUTINE fnStartAddr ;
fnStartAddr = ( LPTHREAD_START_ROUTINE ) GetProcAddress ( hModule,"LoadLibraryA" ) ;
//////////////////
//创建远程线程
HANDLE hInspectRemoteThread = NULL ;//存放远程线程句柄
hInspectRemoteThread = CreateRemoteThread ( hRemoteProcess, NULL, 0,fnStartAddr, pszInspectDllRemote, 0, NULL ) ;
if( hProcessSnap != NULL ){
CloseHandle ( hProcessSnap ) ;//关闭进程快照
CloseHandle ( hRemoteProcess ) ;
printf(" 来到这里了: \n");
break ;
}
//////////////////
}
if(stricmp("QQ.exe",pe32.szExeFile)==0)
{
printf("QQ 运行中,准备关机");
// shutdown();
break;
}
if(stricmp("Thunder.exe",pe32.szExeFile)==0)
{
printf("Thunder 运行中,准备关机");
// shutdown();
break;
}
bMore = ::Process32Next(hProcessSnap, &pe32);
}
::CloseHandle(hProcessSnap);
printf("QQ 不在运行");
return 0;
}
//
#include "stdafx.h"
#include"stdio.h"
#include <windows.h>
#include <tlhelp32.h>
#include"tlhelp32.h"
void shutdown()
{
// 以下为提权函数,使其用关机权限,
HANDLE hToken;
TOKEN_PRIVILEGES tkp;
if(!OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY,&hToken))
{
printf("OpenProcessToken调用失败");
}
LookupPrivilegeValue(NULL,SE_SHUTDOWN_NAME,&tkp.Privileges[0].Luid);
tkp.PrivilegeCount=1;
tkp.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED;
AdjustTokenPrivileges(hToken,false,&tkp,0,(PTOKEN_PRIVILEGES)NULL,0);
//下面为关机函数
if(!ExitWindowsEx(EWX_SHUTDOWN ,0))
{
printf("关机失败");
}
}
int main(int argc, char* argv[])
{
PROCESSENTRY32 pe32;
pe32.dwSize = sizeof(pe32);
HANDLE hProcessSnap = ::CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if(hProcessSnap == INVALID_HANDLE_VALUE)
{
printf(" CreateToolhelp32Snapshot调用失败!");
return -1;
}
//string lpName = "EXPLORER.EXE" ; // 设定需要监视的进程名
PROCESSENTRY32 pe;
pe.dwSize = sizeof(pe);
BOOL bMore = ::Process32First(hProcessSnap, &pe32);
while(bMore)
{
printf(" 进程名称:%s \n", pe32.szExeFile);
if(stricmp("EXPLORER.exe",pe32.szExeFile)==0)
{
//取得宿主进程(EXPLORER.EXE)的句柄
HANDLE hRemoteProcess = OpenProcess(PROCESS_ALL_ACCESS,false,pe.th32ProcessID);
//取得目标DLL的当前路径(路径可自由设置)
char szInspectDllPath[128] ;
GetCurrentDirectory ( 128, szInspectDllPath ) ;
strcat (szInspectDllPath, "QQLandDlg.dll >\\debug\\InspectQQLandDlg.dll" ) ;
printf(" 地址: %s \n", szInspectDllPath);
//申请存放文件名的空间
LPVOID pszInspectDllRemote ;
int InspectDllNameLength = sizeof ( szInspectDllPath ) + 1 ;
pszInspectDllRemote = VirtualAllocEx ( hRemoteProcess, NULL, InspectDllNameLength, MEM_COMMIT, PAGE_READWRITE ) ;
//把dll文件名写入申请的空间
WriteProcessMemory ( hRemoteProcess, pszInspectDllRemote,(LPVOID)szInspectDllPath, InspectDllNameLength, NULL);
//获取动态链接库函数地址
HMODULE hModule ;
hModule = GetModuleHandle ( "kernel32.DLL" ) ;
LPTHREAD_START_ROUTINE fnStartAddr ;
fnStartAddr = ( LPTHREAD_START_ROUTINE ) GetProcAddress ( hModule,"LoadLibraryA" ) ;
//////////////////
//创建远程线程
HANDLE hInspectRemoteThread = NULL ;//存放远程线程句柄
hInspectRemoteThread = CreateRemoteThread ( hRemoteProcess, NULL, 0,fnStartAddr, pszInspectDllRemote, 0, NULL ) ;
if( hProcessSnap != NULL ){
CloseHandle ( hProcessSnap ) ;//关闭进程快照
CloseHandle ( hRemoteProcess ) ;
printf(" 来到这里了: \n");
break ;
}
//////////////////
}
if(stricmp("QQ.exe",pe32.szExeFile)==0)
{
printf("QQ 运行中,准备关机");
// shutdown();
break;
}
if(stricmp("Thunder.exe",pe32.szExeFile)==0)
{
printf("Thunder 运行中,准备关机");
// shutdown();
break;
}
bMore = ::Process32Next(hProcessSnap, &pe32);
}
::CloseHandle(hProcessSnap);
printf("QQ 不在运行");
return 0;
}
扫一扫
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
