我用SYSTEM权限运行一个程序。 我要求LogonUser(szUserName, NULL, szPassword, LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, &hToken)的句柄的用户名和密码作为本地login。 我想运行cmd.exe程序作为从login提供的用户凭据。 login成功,但是当我尝试运行该进程时,没有任何反应。 程序中止。 我的代码是…
// cmd.cpp : Defines the entry point for the console application. // #include <Windows.h> #include <Lmcons.h> #include <iostream> #include <ctype.h> #include <string> #include <stdio.h> #define winstring LPWSTR #define stcas(x) static_cast<x> #define INFO_BUFFER_SIZE 260 using namespace std; void ReportError(LPCWSTR pszFunction, DWORD dwError = GetLastError()) { wprintf(L"%s failed w/err 0x%08lx\n", pszFunction, dwError); } int main() { TCHAR un[UNLEN+1]; DWORD size = UNLEN + 1; GetUserName(un, &size); string una(un); bool sys = !una.compare("SYSTEM"); if(!sys) { system("cls"); system("title Command Prompt"); system("cmd"); return 0; } char szUserName[INFO_BUFFER_SIZE] = {}; char szPassword[INFO_BUFFER_SIZE] = {}; char *pc = NULL; HANDLE hToken = NULL; BOOL fSucceeded = FALSE; BOOL logon = FALSE; printf("Enter the username: "); fgets(szUserName, ARRAYSIZE(szUserName), stdin); pc = strchr(szUserName, '\n'); if (pc != NULL) *pc = '\0'; // Remove the trailing L'\n' cout << endl; //string un(szUserName); printf("Enter the password: "); fgets(szPassword, ARRAYSIZE(szPassword), stdin); pc = strchr(szPassword, '\n'); if (pc != NULL) *pc = '\0'; // Remove the trailing L'\n' if (!LogonUser(szUserName, NULL, szPassword, LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, &hToken)) { ReportError(L"Logon"); goto Cleanup; } else logon = true; // Impersonate the logged on user. if (!ImpersonateLoggedOnUser(hToken)) { ReportError(L"imp"); goto Cleanup; } fSucceeded = true; Cleanup: // Clean up the buffer containing sensitive password. SecureZeroMemory(szPassword, sizeof(szPassword)); LPTSTR szCmdline[] = {"C:\\windows\\system32\\cmd.exe"}; STARTUPINFO si; PROCESS_INFORMATION pi; TCHAR uni[UNLEN+1]; DWORD sizei = UNLEN + 1; GetUserName(uni, &sizei); string unai(uni); cout << unai << endl; memset(&si, 0, sizeof(si)); si.cb = sizeof(si); HANDLE phToken = NULL; BOOL dup = FALSE; if(!DuplicateTokenEx(hToken, TOKEN_DUPLICATE | TOKEN_IMPERSONATE, NULL, SecurityImpersonation, TokenImpersonation, &phToken)){ ReportError(L"DUPLICATE TOKEN"); } else dup = TRUE; system("pause"); // If the impersonation was successful, undo the impersonation. if (fSucceeded && logon && dup) { system("cls"); system("title Command Prompt"); //system("cmd"); if(!CreateProcessAsUser( phToken, // client's access token NULL, // file to execute *szCmdline, // command line NULL, // pointer to process SECURITY_ATTRIBUTES NULL, // pointer to thread SECURITY_ATTRIBUTES FALSE, // handles are not inheritable NORMAL_PRIORITY_CLASS, // creation flags NULL, // pointer to new environment block NULL, // name of current directory &si, // pointer to STARTUPINFO structure &pi // receives information about new process )){ ReportError(L"Create Process"); } if (!RevertToSelf()) { ReportError(L"Undo Imp"); } } system("pause"); }
我真的很想避免安全问题的进程。
请不要告诉我,我input的密码显示。 我知道,稍后会解决。
尝试使用CreateProcessWithLogonUser函数。 这应该做的一切为你没有错误。
你没有初始化si 。 您需要在调用CreateProcessAsUser之前执行此操作:
memset(&si, 0, sizeof(si)); si.cb = sizeof(si);