How do I convert a restricted user token to an unrestricted one?


Problem description


I have a user token duplicated from a restricted UAC launched process and I want to remove the deny group SIDs from it. How do I do that? If I call SetTokenInformation with the TOKEN_GROUPS information class type I get an invalid parameter error.

Thanks.

Recommended answer


It turns out that there is a supported way of doing this. Basically you need to do a double indirect to make this work. First you want to get the session for the user's token with WTSQueryUserToken. Next you need to get the associated administrative user token with GetTokenInformation (looking for TokenLinkedToken information). Now that you have the admin token, you can call CreateProcessAsUser with that token. If you need the environment block, you can call CreateEnvironmentBlock to get the correct environment variables.


Here's a chunk of VB code I got from a co-worker (who passed on this tip):

Public Function StartAppInSessionAsAdmin(ByVal SessionID As String, ByVal WinstationName As String, ByVal AppName As String) As Integer
    ' Relies on P/Invoke declarations for WTSQueryUserToken, GetTokenInformation,
    ' CreateEnvironmentBlock, DestroyEnvironmentBlock, CreateProcessAsUser and CloseHandle
    ' (not shown in the snippet). WTSQueryUserToken only succeeds from a process that holds
    ' SeTcbPrivilege, i.e. a service running as LocalSystem.
    Dim hToken As IntPtr = IntPtr.Zero
    Dim hLinkedToken As IntPtr = IntPtr.Zero
    Dim bRet As Boolean
    Dim pi As New PROCESS_INFORMATION
    Dim si As New STARTUPINFO
    Dim err As Integer
    Dim iret As Integer = 0
    Dim lpEB As IntPtr = IntPtr.Zero

    Dim TLT As New TOKEN_LINKED_TOKEN
    Dim TLTSize As Integer
    Dim retSize As Integer

    si.lpDesktop = WinstationName  '"Winsta0\default"
    si.cb = Marshal.SizeOf(si)

    'TOKEN_LINKED_TOKEN holds a single HANDLE, so the output buffer is one IntPtr
    TLTSize = Marshal.SizeOf(TLT.LinkedToken)

    'get SessionID token (the filtered, UAC-restricted token of the logged-on user)
    bRet = WTSQueryUserToken(Integer.Parse(SessionID), hToken)
    If Not bRet Then
        err = Marshal.GetLastWin32Error
        GiveFeedback(SessionID, "Message from StartAppInSessionAsAdmin", "WTSQueryUserToken failed with error " & err.ToString, 5)
        Return 0
    End If

    'we need to get the TokenLinked Token (the full, unfiltered administrative token)
    bRet = GetTokenInformation(hToken, TOKEN_INFORMATION_CLASS.TokenLinkedToken, hLinkedToken, TLTSize, retSize)
    If Not bRet Then
        err = Marshal.GetLastWin32Error
        GiveFeedback(SessionID, "Message from StartAppInSessionAsAdmin", "GetTokenInformation failed with error " & err.ToString, 5)
        CloseHandle(hToken)
        Return 0
    End If

    'Use CreateEnvironmentBlock with the original token to create an environment for the new program with the USER environment
    bRet = CreateEnvironmentBlock(lpEB, hToken, False)

    If bRet Then
        'Call CreateProcessAsUser to create the process using the user's linked (full) token.
        '1072 = CREATE_UNICODE_ENVIRONMENT Or NORMAL_PRIORITY_CLASS Or CREATE_NEW_CONSOLE
        iret = CreateProcessAsUser(hLinkedToken, Nothing, AppName, 0, 0, False, 1072, lpEB, Nothing, si, pi)
        'Give user a feedback
        If iret <> 0 Then
            GiveFeedback(SessionID, "Message from StartAppInSessionAsAdmin", "CreateProcessAsUser succeeded", 2)
            CloseHandle(pi.hThread)
            CloseHandle(pi.hProcess)
        Else
            err = Marshal.GetLastWin32Error
            GiveFeedback(SessionID, "Message from StartAppInSessionAsAdmin", "CreateProcessAsUser failed with error " & err.ToString, 5)
        End If
        DestroyEnvironmentBlock(lpEB)
    End If

    CloseHandle(hLinkedToken)
    CloseHandle(hToken)
    Return iret

End Function


He also wrote up a blog post with more information: http://blogs.msdn.com/b/itasupport/archive/2010/03/29/uac-bypass-o-meglio-il-modo-supportato-e-by-design-di-aggirare-la-uac.aspx
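The TokenLinkedToken step on its own, as an added example that is not from the original answer or its author: it declares the P/Invoke signatures the snippet above assumes, checks TokenElevationType first so the linked-token query is only made on a UAC-filtered token, and reports Win32 errors instead of ignoring them. The constants, declarations and the helper name GetLinkedAdminToken are assumptions of this example.

```vb
Imports System
Imports System.ComponentModel
Imports System.Runtime.InteropServices

Module LinkedTokenDemo
    ' P/Invoke signatures assumed by this example; the page's snippet relies on them but omits them.
    <DllImport("advapi32.dll", SetLastError:=True, EntryPoint:="GetTokenInformation")>
    Private Function GetTokenInfoInt(hToken As IntPtr, infoClass As Integer,
        ByRef info As Integer, infoLength As Integer, ByRef returnLength As Integer) As Boolean
    End Function

    <DllImport("advapi32.dll", SetLastError:=True, EntryPoint:="GetTokenInformation")>
    Private Function GetTokenInfoPtr(hToken As IntPtr, infoClass As Integer,
        ByRef info As IntPtr, infoLength As Integer, ByRef returnLength As Integer) As Boolean
    End Function

    <DllImport("kernel32.dll", SetLastError:=True)>
    Private Function CloseHandle(hObject As IntPtr) As Boolean
    End Function

    ' TOKEN_INFORMATION_CLASS values from winnt.h
    Private Const TokenElevationType As Integer = 18
    Private Const TokenLinkedToken As Integer = 19
    ' TOKEN_ELEVATION_TYPE: 1 = Default (no split token), 2 = Full, 3 = Limited (UAC-filtered)
    Private Const TokenElevationTypeLimited As Integer = 3

    ' Returns the full-privilege token linked to a UAC-filtered token. Throws if the token is
    ' not a filtered (limited) token, so the caller never silently uses the wrong handle.
    ' Note: without SeTcbPrivilege the returned handle is an identification-level impersonation
    ' token, usable for queries only; a service holding SeTcbPrivilege gets a primary token.
    ' The caller must CloseHandle the returned handle.
    Public Function GetLinkedAdminToken(hToken As IntPtr) As IntPtr
        Dim elevType As Integer = 0
        Dim retSize As Integer = 0
        If Not GetTokenInfoInt(hToken, TokenElevationType, elevType, 4, retSize) Then
            Throw New Win32Exception(Marshal.GetLastWin32Error())
        End If
        If elevType <> TokenElevationTypeLimited Then
            Throw New InvalidOperationException("Token is not UAC-filtered (elevation type " & elevType.ToString() & ")")
        End If

        ' TOKEN_LINKED_TOKEN is a struct holding a single HANDLE, so one IntPtr receives it directly.
        Dim linked As IntPtr = IntPtr.Zero
        If Not GetTokenInfoPtr(hToken, TokenLinkedToken, linked, IntPtr.Size, retSize) Then
            Throw New Win32Exception(Marshal.GetLastWin32Error())
        End If
        Return linked
    End Function
End Module
```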
