GetCurrentProcessId returns the ID of the current process and GetCurrentProcess returns a pseudo-handle to it; OpenProcessToken opens a process's access token; LookupPrivilegeValue looks up the LUID of a named privilege; AdjustTokenPrivileges enables or disables privileges in a token. With these calls a process can enable SeDebugPrivilege and then call OpenProcess with write-related access rights on any process, including system security processes and service processes. Only administrators, or users who have explicitly been granted it, hold SeDebugPrivilege in their token. Yet even from an Administrator account, OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessId) on a system process still fails with "access denied". Why? Because several privileges in a process's token are present but disabled by default, so the first thing to do is enable the ones we need. The APIs involved are OpenProcessToken, LookupPrivilegeValue and AdjustTokenPrivileges. (One caveat on current Windows versions: protected processes are the exception; SeDebugPrivilege does not grant full access to those.)

To modify a process's access token, first obtain a handle to the token with OpenProcessToken. Its prototype is:

BOOL OpenProcessToken(HANDLE ProcessHandle, DWORD DesiredAccess, PHANDLE TokenHandle);

The first parameter is the handle of the process whose token is to be modified; the third is an output pointer that receives the token handle; the second specifies the kind of access you want on the token. To modify privileges, request TOKEN_ADJUST_PRIVILEGES (add TOKEN_QUERY if you also want AdjustTokenPrivileges to return the previous state; see the Platform SDK for the other values). Passing GetCurrentProcess() as the first parameter yields the access token handle of the current process. With that handle we can call AdjustTokenPrivileges to modify the token.
The prototype of AdjustTokenPrivileges is:

BOOL AdjustTokenPrivileges(
    HANDLE TokenHandle,              // handle to token
    BOOL DisableAllPrivileges,       // disabling option
    PTOKEN_PRIVILEGES NewState,      // privilege information
    DWORD BufferLength,              // size of PreviousState buffer
    PTOKEN_PRIVILEGES PreviousState, // original state buffer
    PDWORD ReturnLength              // required buffer size
);

The first parameter is the access token handle. The second determines whether to apply NewState (FALSE) or disable all privileges (TRUE). The third points to a TOKEN_PRIVILEGES structure containing an array; each element names a privilege and the operation to perform on it. The fourth is the size, in bytes, of the PreviousState buffer; if PreviousState is NULL, pass 0. The fifth is also a pointer to a TOKEN_PRIVILEGES structure, which receives the state of the privileges before the change; it may be NULL. The last receives the size actually required for PreviousState. One check that is easy to miss: AdjustTokenPrivileges returns TRUE even when it could not enable every requested privilege (for example because the token does not hold it at all), so after a successful return you must still call GetLastError() and treat ERROR_NOT_ALL_ASSIGNED as failure.

Before using this function, look at the TOKEN_PRIVILEGES structure. Its declaration is:

typedef struct _TOKEN_PRIVILEGES {
    DWORD PrivilegeCount;
    LUID_AND_ATTRIBUTES Privileges[ANYSIZE_ARRAY];
} TOKEN_PRIVILEGES, *PTOKEN_PRIVILEGES;

PrivilegeCount is the number of elements in the array that follows, whose elements are of type LUID_AND_ATTRIBUTES. That structure is declared as:

typedef struct _LUID_AND_ATTRIBUTES {
    LUID Luid;
    DWORD Attributes;
} LUID_AND_ATTRIBUTES, *PLUID_AND_ATTRIBUTES;

The second member, Attributes, indicates the operation to perform. Three values are relevant here: SE_PRIVILEGE_ENABLED, SE_PRIVILEGE_ENABLED_BY_DEFAULT and SE_PRIVILEGE_USED_FOR_ACCESS. To enable a privilege, set Attributes to SE_PRIVILEGE_ENABLED; to disable one, set it to 0. The first member, Luid, identifies the privilege and is a LUID, a locally unique identifier.
You are probably familiar with GUIDs, which must be globally unique; a LUID only needs to be locally unique, meaning it is unique on that system until the next reboot. Also, a LUID is a 64-bit value, whereas a GUID is 128 bits. How do we find the LUID that corresponds to a privilege? That is the job of another API function, LookupPrivilegeValue. Its prototype is:

BOOL LookupPrivilegeValue(
    LPCTSTR lpSystemName, // system name
    LPCTSTR lpName,       // privilege name
    PLUID lpLuid          // locally unique identifier
);

The first parameter is the name of the system; NULL means the local system. The third is a pointer to the LUID to fill in. The second is the privilege name, for example "SeDebugPrivilege". winnt.h also defines macros for the privilege names, such as:

#define SE_BACKUP_NAME   TEXT("SeBackupPrivilege")
#define SE_RESTORE_NAME  TEXT("SeRestorePrivilege")
#define SE_SHUTDOWN_NAME TEXT("SeShutdownPrivilege")
#define SE_DEBUG_NAME    TEXT("SeDebugPrivilege")

By calling these three functions in turn, we can then use OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessId) to obtain a handle to any (unprotected) process with all access rights.
OpenProcessToken function usage