啥都不说了，就是这样搞！！！！-优快云博客

本文介绍了一种在Windows环境中通过编程方式获取当前活动会话的Token的方法。具体实现了枚举会话、获取指定会话ID的用户名及Token，并演示了如何使用该Token启动一个新的进程。

这版作为基础版。

获取当前session的token，有几个思路，

可以通过进程，活动session,或是循环所有用户，或是从共享session里弄出来。

#include <windows.h>
#include <stdio.h>
#include <Userenv.h>
#include <Wtsapi32.h>
#pragma comment(lib, "WtsApi32.lib")
#pragma comment(lib, "advapi32.lib")
#pragma comment(lib, "userenv.lib")
using namespace std;



HANDLE GetUserToken(DWORD dwSessionId)
{
    HANDLE hImpersonationToken = 0;
    if (!WTSQueryUserToken(dwSessionId, &hImpersonationToken))
    {
        printf(" WTSQueryUserToken ERROR: %d\n", GetLastError());
        return FALSE;
    }
    DWORD dwNeededSize = 0;
    HANDLE *realToken = new HANDLE;
    TOKEN_USER *pTokenUser = NULL;
    PTOKEN_GROUPS pGroups = NULL;
    //twice call function
    if (!GetTokenInformation(hImpersonationToken, TokenUser, NULL, 0, &dwNeededSize))
    {
        if (GetLastError() == ERROR_INSUFFICIENT_BUFFER && dwNeededSize > 0)
        {
            pTokenUser = (TOKEN_USER*)new BYTE[dwNeededSize];
            if (!GetTokenInformation(hImpersonationToken, TokenUser, pTokenUser, dwNeededSize, &dwNeededSize))
            {
                printf("GetTokenInformation ERROR: %d", GetLastError());
            }
        }
        return hImpersonationToken;
    }
    return hImpersonationToken;
}

bool GetSessionUserName(DWORD dwSessionId, char username[256])
{
    LPTSTR pBuffer = NULL;
    DWORD dwBufferLen;
    if (!WTSQuerySessionInformation(WTS_CURRENT_SERVER_HANDLE, dwSessionId, WTSUserName, &pBuffer, &dwBufferLen))
    {
        printf(" WTSQuerySessionInformation ERROR: %d\n", GetLastError());
        return FALSE;
    }
    lstrcpy(username ,pBuffer);
    WTSFreeMemory(pBuffer);
    return TRUE;
}


int main(int argc, char **argv)
{
    DWORD session_id = -1;
    DWORD session_count = 0;
    WTS_SESSION_INFOA *pSession = NULL;
    char username[256];
    HMODULE hInstKernel32 = NULL;
    HMODULE hInstWtsapi32 = NULL;
    //EnumerateSessions
    if (!WTSEnumerateSessions(WTS_CURRENT_SERVER_HANDLE, 0, 1, &pSession, &session_count))
    {
        printf("WTSEnumerateSessions ERROR: %d", GetLastError());
        return FALSE;
    }
    //Get the right user and his session id
    for(DWORD i = 0; i < session_count; ++i)
    {
        if( (pSession[i].State == WTSActive) && (pSession[i].State != WTSDisconnected) )
        {
            printf("\tsessionInfo.SessionId=%d\n",pSession[i].SessionId);
            GetSessionUserName(pSession[i].SessionId,username);
            printf("\tSession user's name = %s\n",username);
            session_id = pSession[i].SessionId;
        }
    }

    WTSFreeMemory(pSession); //free meme heap

    //Duplicate User Token
    HANDLE hTokenThis = GetUserToken(session_id);
    HANDLE hTokenDup = NULL;

    if (!DuplicateTokenEx(hTokenThis, TOKEN_ALL_ACCESS, NULL, SecurityIdentification, TokenPrimary, &hTokenDup))
    {
        printf("DuplicateTokenEx ERROR: %d\n", GetLastError());
        return FALSE;
    }

    if (!SetTokenInformation(hTokenDup, TokenSessionId, &session_id, sizeof(DWORD)))
    {
         printf("SetTokenInformation Error === %d\n",GetLastError());
         return FALSE;
    }

    //init this process info
    STARTUPINFO si;
    PROCESS_INFORMATION pi;
    ZeroMemory(&si, sizeof(STARTUPINFO));
    ZeroMemory(&pi, sizeof(PROCESS_INFORMATION));
    si.cb = sizeof(STARTUPINFO);
    si.lpDesktop = "WinSta0\\Default";
    //LPVOID pEnv = NULL;
    DWORD dwCreationFlag = NORMAL_PRIORITY_CLASS | CREATE_NEW_CONSOLE;
    //CreateEnvironmentBlock(&pEnv, hTokenDup, FALSE);

    LPSTR lpCmdLine = "c:\\windows\\system32\\notepad.exe";

    if (!CreateProcessAsUser(hTokenDup, NULL, lpCmdLine, NULL, NULL, FALSE, dwCreationFlag, NULL, NULL, &si, &pi))
    {
        printf("CreateProcessAsUser Error === %d\n",GetLastError());
    }
    printf("OK");

    return 0;
}