在启用 FS 虚拟化的情况下创建进程 [英] Create Process with FS Virtualization Enabled

问题描述

在禁用 UAC 的情况下，我需要创建一个与在启用 UAC 的情况下创建的进程具有相同特征的进程 - 基本上我是在启用 UAC 的情况下模拟进程创建.

With UAC disabled, I need to create a process with the same characteristics as the process created with UAC enabled - basically I'm emulating process creation with UAC enabled.

我唯一的障碍是虚拟化.下面的示例代码应该在启用虚拟化的中等 IL 中创建一个记事本实例.实际上，它在禁用虚拟化的中等 IL 中创建了一个记事本实例.我不完全确定为什么虚拟化令牌被忽略.有什么想法吗?

My only roadblock is virtualization. The sample code below should create an instance of notedpad at medium IL with virtualization enabled. In actuality, it creates an instance of notepad at medium IL with virtualization disabled. I'm not entirely sure why the virtualization token is being ignored. Any ideas?

BOOL bRet;
HANDLE hToken;
HANDLE hNewToken;

// Notepad is used as an example
WCHAR wszProcessName[MAX_PATH] =
L"C:\\Windows\\System32\\Notepad.exe";

// Medium integrity SID
WCHAR wszIntegritySid[20] = L"S-1-16-8192";
PSID pIntegritySid = NULL;

DWORD EnableVirtualization = 1;
TOKEN_MANDATORY_LABEL TIL = {0};
PROCESS_INFORMATION ProcInfo = {0};
STARTUPINFO StartupInfo = {0};
ULONG ExitCode = 0;

if (OpenProcessToken(GetCurrentProcess(),MAXIMUM_ALLOWED, &hToken))
{
   if (DuplicateTokenEx(hToken, MAXIMUM_ALLOWED, NULL,
      SecurityImpersonation, TokenPrimary, &hNewToken))
   {
      if (ConvertStringSidToSid(wszIntegritySid, &pIntegritySid))
      {
         TIL.Label.Attributes = SE_GROUP_INTEGRITY;
         TIL.Label.Sid = pIntegritySid;

         // Set the process integrity level
         if (SetTokenInformation(hNewToken, TokenIntegrityLevel, &TIL,
            sizeof(TOKEN_MANDATORY_LABEL) + GetLengthSid(pIntegritySid)))
         {
            // Enable FS Virtualization
            if (SetTokenInformation(hNewToken, TokenVirtualizationEnabled,
               &EnableVirtualization, sizeof(EnableVirtualization)))
            {
               // Create the new process at Low integrity
               bRet = CreateProcessAsUser(hNewToken, NULL,
                  wszProcessName, NULL, NULL, FALSE,
                  0, NULL, NULL, &StartupInfo, &ProcInfo);
            }
         }
         LocalFree(pIntegritySid);
      }
      CloseHandle(hNewToken);
   }
   CloseHandle(hToken);
}

推荐答案

所以，我错误地处理了这个问题 - fs 虚拟化不是我想要的.如上所述，要模拟 UAC，必须创建一个禁用管理员组的受限令牌，并使用该令牌创建进程.

So, I was approaching this incorrectly - fs virtualization is not what I want. To emulate UAC, as described above, its necessary to create a restricted token with the administrators group disabled and use that token to create the process.

这篇关于在启用 FS 虚拟化的情况下创建进程的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！