Здравствуйте, Alex Fedotov
Где-то здесь был уже этот код:
// Listing: launch notepad.exe under the primary token of process id 4 (0x04), which on
// Windows is conventionally the System process (the PID is hard-coded here, not looked up).
// Steps as written: enable three privileges, open the process, open its token for
// READ_CONTROL|WRITE_DAC, read the token's DACL, add a GRANT ACE for the current user,
// write the DACL back, reopen the token with the rights CreateProcessAsUser needs, and spawn.
// NOTE(review): the enclosing function's signature is not shown; `return 0;` at the end
// belongs to it. `EnablePrivileges` is a helper defined elsewhere and is not visible here.
bool rrt;
// Each call overwrites `rrt`; no call is checked, so a failed privilege enable does not
// stop the sequence below (it will then fail later, at OpenProcess/OpenProcessToken or
// CreateProcessAsUser, with a less obvious error).
PCTSTR privs = {_T("SeDebugPrivilege")};
rrt = EnablePrivileges(&privs,1);
// NOTE(review): SeIncreaseQuotaPrivilege and SeAssignPrimaryTokenPrivilege are the
// privileges the Win32 docs list for CreateProcessAsUser when the token is not a
// restricted copy of the caller's own — confirm against the platform docs in use.
PCTSTR privs2 = {_T("SeIncreaseQuotaPrivilege")};
rrt = EnablePrivileges(&privs2,1);
PCTSTR privs3 = {_T("SeAssignPrimaryTokenPrivilege")};
rrt = EnablePrivileges(&privs3,1);
// PROCESS_QUERY_INFORMATION is the only process right requested; the token is opened separately.
HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION,FALSE,0x04);
if (hProcess != NULL){
HANDLE hTok;
// READ_CONTROL|WRITE_DAC on the token: needed by GetSecurityInfo / SetSecurityInfo below.
// Whether this open succeeds depends on the token's existing DACL/owner, not on anything
// in this code — SeDebugPrivilege affects the process open, not the token's DACL check.
if (OpenProcessToken(hProcess, READ_CONTROL|WRITE_DAC,&hTok)){
PACL pDacl = NULL;
PSECURITY_DESCRIPTOR pSD = NULL;
// Reads the token's DACL. `pDacl` is filled in but never used afterwards; the ACL is
// instead re-extracted from `pSD` via GetSecurityDescriptorDacl. `pSD` is LocalFree'd at l1.
if (GetSecurityInfo(hTok,SE_KERNEL_OBJECT,
DACL_SECURITY_INFORMATION,
NULL,NULL,&pDacl,NULL,&pSD) != ERROR_SUCCESS) goto l1;
PACL dacl;
BOOL b;
// NOTE(review): `b` is passed for both out-params (DACL present, DACL defaulted) and
// neither value is inspected. If the descriptor reports no DACL, `dacl` may be NULL and is
// passed on to SetEntriesInAcl as-is — confirm that is the intended handling.
if (!GetSecurityDescriptorDacl(pSD,&b,&dacl,&b)) goto l1;
TCHAR UserName[1024];
// Length in TCHARs (not bytes). GetUserName returns the bare user name without a domain.
DWORD dwLen = sizeof UserName/sizeof UserName[0];
if (!GetUserName(UserName, &dwLen)) goto l1;
EXPLICIT_ACCESS ea;
// The ACE is built for DUPLICATE|ASSIGN_PRIMARY|QUERY, but the next assignment narrows it
// to TOKEN_DUPLICATE only. The reopen further down requests all three rights, which is more
// than this ACE grants — so that OpenProcessToken can only succeed if the caller already
// had those rights through the token's existing DACL. Probably the reason the
// GetLastError() value is being captured below.
BuildExplicitAccessWithName(&ea, UserName,
TOKEN_DUPLICATE|TOKEN_ASSIGN_PRIMARY|TOKEN_QUERY, GRANT_ACCESS, 0);
ea.Trustee.TrusteeType = TRUSTEE_IS_USER;
ea.grfAccessPermissions = TOKEN_DUPLICATE;
PACL newpAcl = NULL;
// Merges the new ACE into the existing DACL; `newpAcl` is LocalFree'd after the if-block.
if (SetEntriesInAcl(1, &ea, dacl,&newpAcl) != ERROR_SUCCESS) goto l1;
// Writes the widened DACL onto the System process's token. Nothing in this listing restores
// the original DACL afterwards, so the extra access for this user remains on the token
// for the token's lifetime, not just for the spawn below. A reviewer would expect the
// original `dacl` to be written back with SetSecurityInfo once the child is created.
if (SetSecurityInfo(hTok,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION,
NULL,NULL,newpAcl,NULL) == ERROR_SUCCESS)
{
BOOL res;
// Dead store: `res` is overwritten by OpenProcessToken before it is read.
res = 1;
// Close the READ_CONTROL|WRITE_DAC handle and reopen with the rights CreateProcessAsUser needs.
CloseHandle(hTok);
hTok = NULL;
res = OpenProcessToken(hProcess,TOKEN_DUPLICATE|TOKEN_ASSIGN_PRIMARY|TOKEN_QUERY,&hTok);
// Debug leftover: `aaa` is never read. GetLastError() is only meaningful here when res is FALSE.
DWORD aaa = GetLastError();
if (res){
// GetStartupInfo overwrites `si` with the calling process's own startup information.
STARTUPINFO si = {sizeof(STARTUPINFO)};
GetStartupInfo(&si);
PROCESS_INFORMATION pi = {0};
// The handle passed is the other process's primary token itself; no DuplicateTokenEx is
// done first. `res` from CreateProcessAsUser is not checked; on failure `pi` is still
// zeroed, so the CloseHandle calls below just fail harmlessly on NULL.
// NOTE(review): with UNICODE defined, the W variant may write into lpCommandLine, and a
// string literal is then not a writable buffer — use a TCHAR array for the command line.
res = CreateProcessAsUser(hTok,NULL,_T("notepad.exe"),NULL,NULL,FALSE,
0,NULL,NULL,&si,&pi);
CloseHandle(pi.hThread);
CloseHandle(pi.hProcess);
}
}
// Reached on the non-goto path only; every goto above happens before newpAcl is allocated.
if (newpAcl) LocalFree(newpAcl);
l1:
if (pSD) LocalFree(pSD);
if (hTok) CloseHandle(hTok);
}
CloseHandle(hProcess);
}
// Return value of the enclosing (not shown) function.
return 0;