
win下实现切换帐号的方法

by:dumplogin         https://www.xfocus.net/

目前实现的方法有几种:
1.CreateProcessWithLogonW() //需要密码
2.LogonUser(),CreateProcessAsUser() //也需要密码
3.NtCreateToken(),CreateProcessAsUser() //不需要密码

1,2外面都有很多工具. 3的话bingle的wsu -f可以实现.
不过bingle的wsu只是做了SID的处理, 它切换到guest后,该环境下依然对system32目录有写权限.切换到SYSTEM后,对sam键还是打不开.
根据bingle的wsu原型,重写了一下SU, 可以真正做到权限切换,即使帐号被禁止
缺点是在终端下只能su到admin组和SYSTEM帐号.不能切换到普通用户,这个问题我是放弃了, 如果谁可以做到欢迎帮我完善.
[root@DUMPLOGIN C:\WINNT\system32]#reg query HKEY_LOCAL_MACHINE\SECURITY

Error:
[root@DUMPLOGIN C:\WINNT\system32]#
[root@DUMPLOGIN E:mytestcsu]#su4 -u system
su.exe like unix su tool,version 4.1
by bkbll (bkbll#cnhonker.net) http://www.cnhonker.com

[+] Enable SeDebugPrivilege..
[+] Get Lsass.exe Pid....292
[+] GrantPrivilege From Lsass ....
[+] Calling NtCreateTokenAsuser ...
[+] CreateProcess By that Token...
Microsoft Windows 2000 [Version 5.00.2195]
(C) 版权所有 1985-2000 Microsoft Corp.

[root@DUMPLOGIN E:mytestcsu]#reg query HKEY_LOCAL_MACHINE\SECURITY

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\SECURITY

HKEY_LOCAL_MACHINE\SECURITY\Policy

HKEY_LOCAL_MACHINE\SECURITY\RXACT

HKEY_LOCAL_MACHINE\SECURITY\SAM

[root@DUMPLOGIN E:mytestcsu]#

搞这个东西搞得我疲惫不堪. 苦啊. 将我的代码贴出来,希望以后对大家有所帮助, 少走弯路.

在这个期间骚扰bingle和tk n次,谢谢他们。

这个东东目前只在win2k sp4 cn上测试过, xp/2003缺少环境, 希望有人能帮我测试. :)


附:su4.c

/*   su切换用户
* 2004/12/28 1.0,发现Bingle的wsu是假冒令牌,权限并没有真正设置.
* 2004/12/29 2.0,真正实现模拟用户令牌的动作.
* 2004/12/29 3.0,即使帐号禁止也可以模拟用户
* 2004/12/30 4.0, 可以模拟SYSTEM用户,权限24个,全部默认开放
* 2004/12/30 4.1 终端登陆用户可以获取管理员组/SYSTEM权限.普通用户失败.
*/
#include <stdio.h>
#include <stdlib.h>
#include <winsock2.h>
#include <lm.h>
#include <Ntsecapi.h>
#include <Accctrl.h>
#include <Aclapi.h>
#include <Tlhelp32.h>
#include <windows.h>


#pragma comment(lib,"ws2_32")
#pragma comment(lib,"Advapi32")
#pragma comment(lib,"User32")
#pragma comment(lib,"Netapi32")
/* Note: Userenv is deliberately not linked here -- main() holds a HMODULE
 * (UserenvModule) and PLoadUserProfile/PUnloadUserProfile function pointers,
 * so the profile API is resolved at run time instead. */

/* Generic scratch-buffer size; the buffers that use it are outside this excerpt. */
#define SIZE 1024
/* Printed in the start-up banner in main(). */
#define VERSION "4.1"

/* NTSTATUS success value. ntstatus.h is not included, so it is declared here;
 * presumably used to check the return of the native NtCreateToken call
 * (see PNtCreateToken below). A duplicate SDK definition with the same value
 * would be harmless. */
#define STATUS_SUCCESS  ((NTSTATUS)0x00000000L)
/* Full access masks for window-station and desktop objects: every specific
 * right plus the standard rights (DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER).
 * Presumably the access granted through AddUserPrivToHandle() so the user of the
 * created token can reach the interactive window station -- the call sites are
 * outside this excerpt. */
#define WINSTA_ALL (WINSTA_ACCESSCLIPBOARD|WINSTA_ACCESSGLOBALATOMS|WINSTA_CREATEDESKTOP| WINSTA_ENUMDESKTOPS|WINSTA_ENUMERATE|WINSTA_EXITWINDOWS|WINSTA_READATTRIBUTES   | WINSTA_READSCREEN|WINSTA_WRITEATTRIBUTES|DELETE|READ_CONTROL| WRITE_DAC|WRITE_OWNER)
#define DESKTOP_ALL (DESKTOP_CREATEMENU|DESKTOP_CREATEWINDOW|DESKTOP_ENUMERATE|DESKTOP_HOOKCONTROL|DESKTOP_JOURNALPLAYBACK|DESKTOP_JOURNALRECORD|DESKTOP_READOBJECTS     | DESKTOP_SWITCHDESKTOP|DESKTOP_WRITEOBJECTS|DELETE|READ_CONTROL| WRITE_DAC|WRITE_OWNER)
/* Union of all generic rights. */
#define GENERIC_ACCESS (GENERIC_READ|GENERIC_WRITE|GENERIC_EXECUTE|GENERIC_ALL)
/* SID attribute flag for group entries. Newer SDKs define it in winnt.h with the
 * same value, in which case the redefinition is benign. */
#define SE_GROUP_RESOURCE (0x20000000L)

/* Local declaration of the native OBJECT_ATTRIBUTES structure, which the headers
 * included above do not expose. The layout must match the kernel definition, so
 * member order is fixed. Presumably only passed as the ObjectAttributes argument
 * of the PNtCreateToken entry point declared below; no use is visible in this
 * excerpt. */
typedef struct _OBJECT_ATTRIBUTES
{
    ULONG        Length;                  /* per the native convention: sizeof(OBJECT_ATTRIBUTES) */
    HANDLE        RootDirectory;          /* NULL when ObjectName is absolute or unused */
    PUNICODE_STRING ObjectName;
    ULONG        Attributes;              /* OBJ_* flags */
    PVOID        SecurityDescriptor;      /* optional SECURITY_DESCRIPTOR */
    PVOID        SecurityQualityOfService; /* optional SECURITY_QUALITY_OF_SERVICE */
} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES; 

/* Local copy of the LSA token-information-type enumeration (normally provided by
 * the LSA authentication-package headers). Nothing in this excerpt refers to it;
 * if a newer SDK's Ntsecapi.h already defines it, this duplicate will not compile. */
typedef enum _LSA_TOKEN_INFORMATION_TYPE {
    LsaTokenInformationNull,  // Implies LSA_TOKEN_INFORMATION_NULL data type
    LsaTokenInformationV1,     // Implies LSA_TOKEN_INFORMATION_V1 data type
    LsaTokenInformationV2     // Implies LSA_TOKEN_INFORMATION_V2 data type
} LSA_TOKEN_INFORMATION_TYPE, *PLSA_TOKEN_INFORMATION_TYPE;

/* Local copy of the LSA_TOKEN_INFORMATION_NULL structure that goes with
 * LsaTokenInformationNull above. No use is visible in this excerpt. */
typedef struct _LSA_TOKEN_INFORMATION_NULL
{
    LARGE_INTEGER ExpirationTime;  /* absolute expiry of the logon; same type as the ExpirationTime passed to NtCreateToken */
    PTOKEN_GROUPS Groups;          /* group SIDs with their SE_GROUP_* attributes */
} LSA_TOKEN_INFORMATION_NULL, *PLSA_TOKEN_INFORMATION_NULL;

/* Function-pointer type for the native (undocumented, ntdll-exported) NtCreateToken
 * entry point, which builds a primary or impersonation token from explicitly
 * supplied user, group, privilege, owner, primary-group, default-DACL and source
 * data. It is presumably resolved at run time -- no GetProcAddress call is visible
 * in this excerpt. Calling it requires SeCreateTokenPrivilege, which is normally
 * held only by the LSA process; that is why the sample run above acquires
 * privileges from lsass before the "Calling NtCreateTokenAsuser" step, and a
 * process other than lsass holding that privilege is the corresponding audit point.
 * Returns an NTSTATUS; compare with STATUS_SUCCESS defined above. */
typedef NTSTATUS (*PNtCreateToken)(
PHANDLE             TokenHandle,          /* out: the new token */
ACCESS_MASK          DesiredAccess,
POBJECT_ATTRIBUTES   ObjectAttributes,    /* see the local OBJECT_ATTRIBUTES above */
TOKEN_TYPE           TokenType,           /* TokenPrimary or TokenImpersonation */
PLUID                AuthenticationId,    /* logon session id */
PLARGE_INTEGER       ExpirationTime,
PTOKEN_USER          TokenUser,
PTOKEN_GROUPS        TokenGroups,
PTOKEN_PRIVILEGES    TokenPrivileges,     /* e.g. the set built by MakeAdminPriv() */
PTOKEN_OWNER         TokenOwner,
PTOKEN_PRIMARY_GROUP TokenPrimaryGroup,
PTOKEN_DEFAULT_DACL  TokenDefaultDacl,
PTOKEN_SOURCE        TokenSource
);


/* Local copy of the userenv.h PROFILEINFO structure (userenv is not linked;
 * see the PLoadUserProfile/PUnloadUserProfile pointers below). Per the userenv
 * API contract dwSize must be set to sizeof(PROFILEINFO) and lpUserName must be
 * supplied before calling LoadUserProfile; the caller that fills it is outside
 * this excerpt. */
typedef struct _PROFILEINFO {
    DWORD   dwSize;          /* sizeof(PROFILEINFO) */
    DWORD   dwFlags;         /* PI_* flags */
    LPTSTR  lpUserName;      /* account whose profile is loaded */
    LPTSTR  lpProfilePath;   /* optional roaming profile path */
    LPTSTR  lpDefaultPath;   /* optional default-user profile path */
    LPTSTR  lpServerName;    /* optional validating domain controller */
    LPTSTR  lpPolicyPath;    /* optional policy file path */
    HANDLE  hProfile;        /* out: registry key handle, passed back to UnloadUserProfile */
} PROFILEINFO, *LPPROFILEINFO;

/* Function-pointer type for userenv's LoadUserProfile. main() declares a
 * PLoadUserProfile local alongside an HMODULE (UserenvModule), so the function
 * is presumably looked up at run time rather than linked. Returns FALSE on
 * failure per the Win32 convention; hToken is the token whose user's profile
 * (registry hive) is loaded. */
typedef BOOL (*PLoadUserProfile)(
  HANDLE hToken,               // user token
  LPPROFILEINFO lpProfileInfo  // profile
);


/* Function-pointer type for userenv's UnloadUserProfile, the counterpart of
 * PLoadUserProfile above; hProfile is the PROFILEINFO.hProfile value returned by
 * the load. Presumably resolved from UserenvModule in main() as well. Returns
 * FALSE on failure per the Win32 convention. */
typedef BOOL (*PUnloadUserProfile)(
  HANDLE hToken,   // user token
  HANDLE hProfile  // handle to registry key
);
/* Process-wide state. system_user and DebugLevel are filled in by the option
 * loop in main(); the other two are written later, outside this excerpt. */
char *system_user = NULL;      /* target account from -u; NULL until parsed */
unsigned int DebugLevel = 7;   /* verbosity from -D; 7 when not given */
int lsasspid = 0;              /* presumably the lsass.exe pid ("Get Lsass.exe Pid" step) -- set outside this excerpt */
BOOL cback = FALSE;            /* no use visible in this excerpt */

/* 函数定义开始 */
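/* Prints the usage text for program name s; main() calls it on bad arguments. */
void usage(char *s);
/* Declared with (void) rather than () so call sites are argument-checked; the
 * definition is outside this excerpt and is assumed to take no parameters. */
int GrantPriv(void);
/* Builds a token for the account named by user and returns its handle; the
 * failure value is not visible here. */
HANDLE CreateTokenAsUser(char *user);
/* Renders pSid in "S-1-..." form into TextualSid; *lpdwBufferLen carries the
 * buffer length. This is a local helper, not the sddl.h API of the same name --
 * sddl.h is not included, and including it would clash with this prototype. */
BOOL ConvertSidToStringSid(PSID pSid,LPTSTR TextualSid, LPDWORD lpdwBufferLen);
/* Looks up the groups of username; *name receives an array of *groupcount
 * group-name strings. Who frees the array is not visible here -- presumably the
 * caller. */
BOOL GetUserGroup(char *username,char ***name,int *groupcount);
/* Looks up the SID of LookupUser. The failure value is not visible here. */
PSID GetUserSid(char *LookupUser);
/* Builds the token through the native NtCreateToken entry point (the
 * "Calling NtCreateTokenAsuser" step of the sample run). */
HANDLE NtCreateTokenAsuser(char *user);
/* Acquires privileges from the lsass.exe process whose id is pid (the
 * "GrantPrivilege From Lsass" step); the sample run enables SeDebugPrivilege
 * first. A process other than the LSA itself opening lsass this way is a
 * well-known detection indicator for endpoint monitoring. */
int GrantPrivFromLsass(int pid);
/* Queries information class tic from hToken into a buffer that is presumably
 * heap-allocated; pfree() below looks like the matching release. */
void *GetFromToken(HANDLE hToken, TOKEN_INFORMATION_CLASS tic);
/* Releases a buffer obtained from this module's helpers. */
void pfree(void *p);
/* Resolves the privilege named by s to its LUID. */
LUID GetLuidFromText(char *s);
/* Builds the privilege set for an administrative/SYSTEM token (the header
 * changelog mentions 24 privileges, all enabled). Declared with (void) for the
 * same reason as GrantPriv(). */
TOKEN_PRIVILEGES *MakeAdminPriv(void);
/* Adds an access entry for the user named by s to the securable object Hhandle,
 * using mode (GRANT_ACCESS etc. from Accctrl.h); presumably paired with the
 * WINSTA_ALL/DESKTOP_ALL masks above. */
BOOL AddUserPrivToHandle(HANDLE Hhandle,char *s,ACCESS_MODE mode);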

/* 函数定义结束 */
int main(int argc,char **argv)
{
int i;
WSADATA wsd;
HANDLE NewToken;
PLoadUserProfile LoadUserProfile;
PUnloadUserProfile UnloadUserProfile;
HMODULE UserenvModule;

printf( "su.exe like unix su tool,version %s "
"by bkbll (bkbll#cnhonker.net) http://www.cnhonker.com ",VERSION);

if((argc>1) && (strnicmp(argv[1],"-h",2) == 0))
{
usage(argv[0]);
return -1;
}
for(i=1;i<argc;i+=2)
{
if(strlen(argv[i]) != 2)
{
usage(argv[0]);
return -1;
}
switch(argv[i][1])
{
case u:
system_user = argv[i+1];
break;
case D:
DebugLevel = atoi(argv[i+1]);
break;

}
}
if(system_user == NULL)
{
usage(argv[0]);
return -1;
}
Use
