服务进程创建一个带窗口的进程 主要代码如下: PROCESSENTRY32 procEntry; HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); procEntry.dwSize = sizeof(PROCESSENTRY32); if (!Process32First(hSnap, &procEntry)) do } while (Process32Next(hSnap, &procEntry)); _end: BOOL LaunchAppIntoDifferentSession(LPSTR lpCmdLine) // Log the client on to the local computer. typedef DWORD (WINAPI *__pfnWTSGetActiveConsoleSessionId)(); __pfnWTSGetActiveConsoleSessionId pfnWTSGetActiveConsoleSessionId = __pfnWTSQueryUserToken pfnWTSQueryUserToken = if(pfnWTSGetActiveConsoleSessionId == NULL) dwSessionId = pfnWTSGetActiveConsoleSessionId(); winlogonPid = FindSessionPid("explorer.exe", dwSessionId); if(winlogonPid == 0) if(winlogonPid == 0) //////////////////////////////////////////////////////////////////////// dwCreationFlags = NORMAL_PRIORITY_CLASS|CREATE_NEW_CONSOLE; TOKEN_PRIVILEGES tp; if( !pfnWTSQueryUserToken(dwSessionId, &hUserToken) ) if(!OpenProcessToken(hProcess, TOKEN_ALL_ACCESS_P, &hPToken)) if(hPToken == NULL) if(!DuplicateTokenEx(hPToken, MAXIMUM_ALLOWED, NULL, SecurityIdentification, TokenPrimary, &hUserTokenDup)) LPVOID pEnv = NULL; if(CreateEnvironmentBlock(&pEnv, hUserTokenDup, TRUE)) // Launch the process in the client's logon session. bResult = CreateProcessAsUser( //GetLastError Shud be 0 int iResultOfCreateProcessAsUser = GetLastError(); if(bResult == FALSE && iResultOfCreateProcessAsUser != 0) if(pi.hProcess) //Perform All the Close Handles task if(hProcess) return bResult; 调用方式: LaunchAppIntoDifferentSession("c:\\windows\\notepad.exe"); 前提是有个服务进程已经启动,然后服务进程会以管理员模式(不需要用户点UAC的框)启动一个新的可以创建窗口的进程。 安装这个服务需要点UAC的框,所以不是什么不可公开的思路。好处就一点:每次自启动的进程,不需要再让用户点UAC框了
// Return the PID of the first process whose image name equals lpProcessName
// (case-insensitive) and which belongs to session dwSessionId; 0 when no such
// process is found or the snapshot could not be taken.
// NOTE(review): this listing is incomplete as extracted — the snapshot creation
// (CreateToolhelp32Snapshot / Process32First), the `do {` opening the loop and
// the `_end:` label survive only in the scrambled text above the function, so
// the body below does not compile as shown; comments describe the visible lines.
DWORD FindSessionPid(LPSTR lpProcessName, DWORD dwSessionId)
{
DWORD res = 0;
// Snapshot handle invalid: nothing to close, report "not found".
if (hSnap == INVALID_HANDLE_VALUE)
{
return res ;
}
// Presumably the `if (!Process32First(...))` failure branch from the header
// text: skip the loop and go straight to cleanup.
{
goto _end;
}
{
// Match on image name only. The name is not an identity — any process in
// the target session that happens to carry this name is accepted — so
// callers must not treat the returned PID as an authenticated target.
if (_stricmp(procEntry.szExeFile, lpProcessName) == 0)
{
DWORD winlogonSessId = 0;
// Only accept a process that actually lives in the requested session.
if (ProcessIdToSessionId(procEntry.th32ProcessID, &winlogonSessId) && winlogonSessId == dwSessionId)
{
res = procEntry.th32ProcessID;
break;
}
}
CloseHandle(hSnap);
return res;
}
// Body of LaunchAppIntoDifferentSession(LPSTR lpCmdLine): from a service,
// start lpCmdLine on the interactive desktop (winsta0\default) of the active
// console session, using a token obtained either from WTSQueryUserToken or
// from a process already running in that session. Returns the BOOL result of
// CreateProcessAsUser (the signature, several `if (...)` conditions, the call
// head and `return bResult;` sit in the scrambled text above).
// NOTE(review): this listing is incomplete as extracted and does not compile
// as shown; comments below describe only the visible lines.
{
PROCESS_INFORMATION pi;
STARTUPINFO si;
BOOL bResult = FALSE;
DWORD dwSessionId = 0, winlogonPid = 0;
// NOTE(review): these four handles are never initialised, yet the cleanup at
// the end tests each with `if(h...)` before CloseHandle; on any path that
// skips an assignment that is a read of an indeterminate value — initialise
// all of them to NULL.
HANDLE hUserToken, hUserTokenDup, hPToken, hProcess;
DWORD dwCreationFlags;
// The WTS entry points are resolved at run time (assignments are in the
// header text) so the binary still loads where they are absent.
typedef BOOL (WINAPI *__pfnWTSQueryUserToken)( ULONG SessionId, PHANDLE phToken );
(__pfnWTSGetActiveConsoleSessionId)GetProcAddress(LoadLibraryA("kernel32.dll"), "WTSGetActiveConsoleSessionId");
(__pfnWTSQueryUserToken)GetProcAddress(LoadLibraryA("Wtsapi32.dll"), "WTSQueryUserToken");
{
WriteLog("Not found api: WTSGetActiveConsoleSessionId\n");
return 0;
}
if(pfnWTSQueryUserToken == NULL)
{
WriteLog("Not found api: WTSQueryUserToken\n");
return 0;
}
// Fallback when explorer.exe is not found in the session: look for
// winlogon.exe instead. NOTE(review): this silently changes whose token the
// child process will run under (winlogon's rather than the logged-on
// user's) — confirm that is intended rather than failing closed.
{
winlogonPid = FindSessionPid("winlogon.exe", dwSessionId);
}
{
WriteLog("Can't Find Explorer\n");
return 0;
}
// Target the interactive desktop of the console session.
ZeroMemory(&si, sizeof(STARTUPINFO));
si.cb= sizeof(STARTUPINFO);
si.lpDesktop = "winsta0\\default";
ZeroMemory(&pi, sizeof(pi));
LUID luid;
LPVOID TokenInformation;
DWORD RetLen = 0;
// WTSQueryUserToken failed (condition in header text): fall back to the
// token of the process located above.
{
hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, winlogonPid);
// Presumably the OpenProcess failure branch (condition in header text).
{
char pTemp[121];
sprintf(pTemp, "Process token open Error: %u\n", GetLastError());
WriteLog(pTemp);
}
// Presumably the OpenProcessToken failure branch (condition in header text).
{
WriteLog("Process tokenError: \n");
}
}
else
{
// NOTE(review): hPToken now aliases hUserToken; the cleanup at the end
// closes both, which is a double CloseHandle on this path.
hPToken = hUserToken;
}
// NOTE(review): TokenLinkedToken fills a TOKEN_LINKED_TOKEN, i.e. one HANDLE.
// The literal 4 is only sizeof(HANDLE) on 32-bit builds; on x64 the buffer is
// too small, the call fails and the code silently takes the DuplicateTokenEx
// branch. Pass sizeof(TokenInformation) instead. The assignment below also
// stores an LPVOID into a HANDLE without a cast.
if(GetTokenInformation(hPToken, TokenLinkedToken, &TokenInformation, 4, &RetLen))
{
hUserTokenDup = TokenInformation;
}
else
{
// luid is looked up but no AdjustTokenPrivileges call is visible in this
// listing, so a lookup failure is log-only and the privilege is never
// applied here — TODO confirm against the full source.
if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid))
{
char pTemp[121];
sprintf(pTemp, "Lookup Privilege value Error: %u\n", GetLastError());
WriteLog(pTemp);
}
// DuplicateTokenEx failure branch (condition in header text); note that
// execution still continues to CreateProcessAsUser with hUserTokenDup unset.
{
char pTemp[121];
sprintf(pTemp, "DuplicateTokenEx Error: %u\n", GetLastError());
WriteLog(pTemp);
}
}
// CreateEnvironmentBlock succeeded (condition in header text): the block it
// produces is Unicode, so the creation flags must say so. dwCreationFlags is
// assigned in the header text before this point.
{
dwCreationFlags |= CREATE_UNICODE_ENVIRONMENT;
}
else
{
WriteLog("CreateEnvironmentBlock Failed\n");
pEnv = NULL;
}
// Argument list of the CreateProcessAsUser call (its head is in the header
// text). lpCmdLine comes straight from the caller; the page's example passes
// a full path, and callers should keep it that way since no application
// name is given in the second argument.
hUserTokenDup, // client's access token
NULL, // file to execute
lpCmdLine, // command line
NULL, // pointer to process SECURITY_ATTRIBUTES
NULL, // pointer to thread SECURITY_ATTRIBUTES
FALSE, // handles are not inheritable
dwCreationFlags, // creation flags
pEnv, // pointer to new environment block
NULL, // name of current directory
&si, // pointer to STARTUPINFO structure
&pi // receives information about new process
);
// End impersonation of client.
// NOTE(review): no ImpersonateLoggedOnUser/RevertToSelf pair is visible in
// this listing, so the comment above may be inherited from sample code.
// Failure branch (condition in header text): log only; bResult stays FALSE.
{
char pTemp[121];
sprintf(pTemp, "CreateProcessAsUser Error: %u\n", GetLastError());
WriteLog(pTemp);
}
// Release the child's handles (condition `if(pi.hProcess)` in header text);
// the child itself keeps running.
{
CloseHandle(pi.hProcess);
}
if(pi.hThread)
{
CloseHandle(pi.hThread);
}
// Condition `if(hProcess)` in header text.
{
CloseHandle(hProcess);
}
if(hUserToken)
{
CloseHandle(hUserToken);
}
if(hUserTokenDup)
{
CloseHandle(hUserTokenDup);
}
// See the aliasing note above: on the WTSQueryUserToken path this is the
// same handle as hUserToken.
if(hPToken)
{
CloseHandle(hPToken);
}
if(pEnv)
{
DestroyEnvironmentBlock(pEnv);
}
}
服务进程创建一个带窗口的进程