Launch Elevated User Process from Session 0 (service) [duplicate]

五迷三道 提交于 2019-12-05 00:22:06

问题


Morning All,

This question seems to have been asked a few times but i cannot find whether its actually possible. I have posted at here

No reply - Lets try asking people on here.

My aim is to launch a elevated process (as administrator) from a service in the current user context (only if they are in the local administrators group).

I can get the Current User token without an problems but i cannot get the secondary / administrator token for the account!

I have read quite a lot of forums and just cannot get it to work (starting to think its not feasible to do).

My current method:

  • WTSGetActiveConsoleSessionId - Get the active session Id
  • WTSQueryUserToken - Get user token of the session Id
  • Check if the token is admin - which its not.
  • OpenProcess - Process handle of explorer.exe of the logged on user
  • OpenProcessToken - To get handle of access token
  • LookupPrivilegeValue - SE_DEBUG to confirm that we can adjust token rights
  • DuplicateTokenEx - the user token
  • SetTokenInformation
  • AdjustTokenPrivileges
  • CreateEnvironmentBlock - To run the new process in
  • CreateProcessAsUser - Spawn the process hopefully in elevated user context(Not happening - Standard user context)

Please see code below - Apologies that its messy and need to be tidied and all handles closed. This is just experiemental code at the moment.

public static bool CreateProcessInConsoleSession(String CommandLine, bool bElevate)
{
    PROCESS_INFORMATION pi;
    bool isadmin = IsUserAnAdmin();

    bool bResult = false;
    uint dwSessionId, winlogonPid = 0;
    IntPtr hUserToken = IntPtr.Zero, hUserTokenDup = IntPtr.Zero,
        hPToken = IntPtr.Zero, hProcess = IntPtr.Zero;

    Debug.Print("CreateProcessInConsoleSession");
    // Log the client on to the local computer.
    dwSessionId = WTSGetActiveConsoleSessionId();

    // Find the winlogon process
    var procEntry = new PROCESSENTRY32();

    uint hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnap == INVALID_HANDLE_VALUE)
    {
        return false;
    }

    procEntry.dwSize = (uint)Marshal.SizeOf(procEntry); //sizeof(PROCESSENTRY32);

    if (Process32First(hSnap, ref procEntry) == 0)
    {
        return false;
    }

    String strCmp = "explorer.exe";
    do
    {
        if (strCmp.IndexOf(procEntry.szExeFile) == 0)
        {
            // We found a winlogon process...make sure it's running in the console session
            uint winlogonSessId = 0;
            if (ProcessIdToSessionId(procEntry.th32ProcessID, ref winlogonSessId) &&
                winlogonSessId == dwSessionId)
            {
                winlogonPid = procEntry.th32ProcessID;
                break;
            }
        }
    }
    while (Process32Next(hSnap, ref procEntry) != 0);

    //Get the user token used by DuplicateTokenEx
    WTSQueryUserToken(dwSessionId, ref hUserToken);

    //Check if the user token is admin
    isadmin = CheckIfAdminToken(hUserToken);

    var si = new STARTUPINFO();
    si.cb = Marshal.SizeOf(si);
    si.lpDesktop = "winsta0\\default";
    var tp = new TOKEN_PRIVILEGES();
    var luid = new LUID();
    hProcess = OpenProcess(MAXIMUM_ALLOWED, false, winlogonPid);

    TOKEN_INFORMATION_CLASS tokenInfo = new TOKEN_INFORMATION_CLASS();
    uint TokenInfLength = 0 ;

    if (
        !OpenProcessToken(hProcess,
            TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY | TOKEN_DUPLICATE | TOKEN_ASSIGN_PRIMARY
            | TOKEN_ADJUST_SESSIONID | TOKEN_READ | TOKEN_WRITE, ref hPToken))
    {
        Debug.Print(String.Format("CreateProcessInConsoleSession OpenProcessToken error: {0}",
            Marshal.GetLastWin32Error()));
    }

    if (!LookupPrivilegeValue(IntPtr.Zero, SE_DEBUG_NAME, ref luid))
    {
        Debug.Print(String.Format("CreateProcessInConsoleSession LookupPrivilegeValue error: {0}",
            Marshal.GetLastWin32Error()));
    }

    bool Result;

    #region TestToElevate
    //http://www.microsoft-questions.com/microsoft/Platform-SDK-Security/35984508/how-to-run-a-process-with-elevated-privileges-run-as-administrat.aspx
    // first call gets lenght of TokenInformation
    Result = GetTokenInformation(hPToken, TOKEN_INFORMATION_CLASS.TokenUser, IntPtr.Zero , TokenInfLength , out TokenInfLength );
    IntPtr TokenInformation = Marshal.AllocHGlobal((int)TokenInfLength);

    Result = GetTokenInformation(hPToken, TOKEN_INFORMATION_CLASS.TokenElevation, TokenInformation, TokenInfLength, out TokenInfLength);
    if (Result == false)
        Result = GetTokenInformation(hPToken, TOKEN_INFORMATION_CLASS.TokenLinkedToken, TokenInformation, TokenInfLength, out TokenInfLength);

    isadmin = CheckIfAdminToken(hPToken);
    #endregion

    var sa = new SECURITY_ATTRIBUTES();
    sa.Length = Marshal.SizeOf(sa);

    if (!DuplicateTokenEx(hPToken, MAXIMUM_ALLOWED, ref sa,
            (int)SECURITY_IMPERSONATION_LEVEL.SecurityIdentification, (int)TOKEN_TYPE.TokenPrimary,
            ref hUserTokenDup))
    {
        Debug.Print(
            String.Format(
                "CreateProcessInConsoleSession DuplicateTokenEx error: {0} Token does not have the privilege.",
                Marshal.GetLastWin32Error()));
        CloseHandle(hProcess);
        CloseHandle(hUserToken);
        CloseHandle(hPToken);
        return false;
    }

    if (bElevate)
    {
        tp.PrivilegeCount = 1;
        tp.Privileges = new int[3];
        tp.Privileges[2] = SE_PRIVILEGE_ENABLED;
        tp.Privileges[1] = luid.HighPart;
        tp.Privileges[0] = luid.LowPart;

        //Adjust Token privilege
        if (!SetTokenInformation(hUserTokenDup, TOKEN_INFORMATION_CLASS.TokenSessionId, ref dwSessionId, (uint)IntPtr.Size))
        {
            Debug.Print(
                String.Format(
                    "CreateProcessInConsoleSession SetTokenInformation error: {0} Token does not have the privilege.",
                    Marshal.GetLastWin32Error()));
            CloseHandle(hProcess);
            CloseHandle(hUserToken);
            CloseHandle(hPToken);
            CloseHandle(hUserTokenDup);
            return false;
        }


        if (!AdjustTokenPrivileges(hUserTokenDup, false, ref tp, Marshal.SizeOf(tp), /*(PTOKEN_PRIVILEGES)*/ IntPtr.Zero, IntPtr.Zero))
        {
            int nErr = Marshal.GetLastWin32Error();
            if (nErr == ERROR_NOT_ALL_ASSIGNED)
            {
                Debug.Print(String.Format(
                        "CreateProcessInConsoleSession AdjustTokenPrivileges error: {0} Token does not have the privilege.", nErr));
            }
            else
            {
                Debug.Print(String.Format("CreateProcessInConsoleSession AdjustTokenPrivileges error: {0}", nErr));
            }
        }
    }


    isadmin = CheckIfAdminToken(hUserTokenDup);

    //Create Environment
    uint dwCreationFlags = NORMAL_PRIORITY_CLASS | CREATE_NEW_CONSOLE;
    IntPtr pEnv = IntPtr.Zero;
    if (CreateEnvironmentBlock(ref pEnv, hUserTokenDup, true))
    {
        dwCreationFlags |= CREATE_UNICODE_ENVIRONMENT;
    }
    else
    {
        pEnv = IntPtr.Zero;
    }


    // Launch the process in the client's logon session.
    bResult = CreateProcessAsUser(
        hUserTokenDup, // client's access token
        null, // file to execute
        CommandLine, // command line
        ref sa, // pointer to process SECURITY_ATTRIBUTES
        ref sa, // pointer to thread SECURITY_ATTRIBUTES
        false, // handles are not inheritable
        (int)dwCreationFlags, // creation flags
        pEnv, // pointer to new environment block
        null, // name of current directory
        ref si, // pointer to STARTUPINFO structure
        out pi // receives information about new process
        );
    // End impersonation of client.

    //GetLastError should be 0
    int iResultOfCreateProcessAsUser = Marshal.GetLastWin32Error();

    //Close handles task
    CloseHandle(hProcess);
    CloseHandle(hUserToken);
    CloseHandle(hUserTokenDup);
    CloseHandle(hPToken);

    return (iResultOfCreateProcessAsUser == 0) ? true : false;
}

回答1:


You can't. Services are isolated and run on a different session (session 0) which is isolated from the user's sessions (sessions 1,2,3 and so on).



来源:https://stackoverflow.com/questions/20324382/launch-elevated-user-process-from-session-0-service

标签

工具导航Map

JSON相关