Moved to a new blog: http://www.raysoftware.cn/?p=49
The project needs, on Win7 and from a process running as an elevated administrator, to create a task (process) with normal user privileges.
I tried several ways, such as obtaining the token of Explorer (the resource manager) and then creating the process from that token with CreateProcessWithTokenW. That works.
But what if Explorer or some other normal-privilege process is not running at the moment? CreateToken can build a token from scratch, but its parameter list is daunting.
Let's try something. Start Task Manager as the elevated administrator and use File > New Task (Run...): by default it creates a task with normal privileges, and there is a checkbox to start the task with elevated privileges instead.
I traced it with WinDbg and found that Task Manager calls the function WdcRunTaskAsInteractiveUser, which lives in wdc.dll.
Analyzing the function gives the following prototype:
Delphi declaration:

function WdcRunTaskAsInteractiveUser(pwszCmdLine, pwszPath: PWideChar;
  dwDummy: DWORD): HRESULT; stdcall; external 'wdc.dll';

C++ declaration:

HRESULT WINAPI WdcRunTaskAsInteractiveUser(LPCWSTR pwszCmdLine,
                                           LPCWSTR pwszPath,
                                           DWORD dwDummy);
This is a function Microsoft does not document: it is not on MSDN and a Google search finds nothing.
The function takes very few parameters and is very simple.
Task Manager passes 39 as the last parameter. It looks like a bit mask, several flags OR-ed together (39 = 0x27).
I tried passing 0: opening an .exe and the like works fine, but opening an .mp3 and similar documents fails.
Decompiling WdcRunTaskAsInteractiveUser with IDA shows that its implementation creates a low-privilege scheduled task and then calls the scheduled task's Run method.
There was also a side story. I assumed Vista and Windows 7 were alike, so I simply called WdcRunTaskAsInteractiveUser when the Windows major version is >= 6 and ShellExecuteEx otherwise.
It turned out not to work on Vista: the function does not exist there, and Vista does not even have wdc.dll. Vista's Task Manager cannot create a normal-privilege process from an elevated one at all; it simply calls ShellExecuteEx.
Of course, on Vista we can use a scheduled task ourselves to create the normal-privilege process and then run it, which is exactly what WdcRunTaskAsInteractiveUser does.
I am lazier than that: in the project, whenever GetProcAddress cannot find WdcRunTaskAsInteractiveUser, I just use ShellExecuteEx.
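As an added example (not the original post's code), here is the route the post describes for Vista, using the documented Task Scheduler 2.0 COM API from PowerShell: register a one-off task whose principal is the interactive user at the LUA run level, run it, then delete it. The function name, task name and paths are assumptions; run it from an elevated PowerShell.

```powershell
# Added example, not from the original post: the documented Task Scheduler 2.0 COM API
# (Schedule.Service) used the way the post says WdcRunTaskAsInteractiveUser works inside:
# register a one-off task whose principal is the interactive user at the LUA run level,
# start it, delete it. Function name, task name and paths below are assumptions.
function Start-ProcessAsLimitedUser {
    param(
        [Parameter(Mandatory = $true)][string]$Path,      # an executable, not a document
        [string]$Arguments = '',
        [string]$WorkingDirectory = $env:SystemRoot,
        [string]$TaskName = 'DemoRunAsInteractiveUser'
    )
    $TASK_ACTION_EXEC             = 0
    $TASK_LOGON_INTERACTIVE_TOKEN = 3   # run in the logged-on user's desktop session
    $TASK_RUNLEVEL_LUA            = 0   # least privilege: the UAC-filtered (non-admin) token
    $TASK_CREATE_OR_UPDATE        = 6

    $svc = New-Object -ComObject 'Schedule.Service'
    $svc.Connect()
    $root = $svc.GetFolder('\')

    $def = $svc.NewTask(0)
    $def.RegistrationInfo.Description = 'Temporary launcher for a non-elevated process'
    $def.Principal.LogonType = $TASK_LOGON_INTERACTIVE_TOKEN
    $def.Principal.RunLevel  = $TASK_RUNLEVEL_LUA
    $def.Settings.AllowDemandStart = $true
    $def.Settings.DisallowStartIfOnBatteries = $false   # the defaults would refuse on battery
    $def.Settings.StopIfGoingOnBatteries = $false

    $action = $def.Actions.Create($TASK_ACTION_EXEC)
    $action.Path = $Path
    $action.Arguments = $Arguments
    $action.WorkingDirectory = $WorkingDirectory

    # No trigger is added: the task exists only to be started on demand right now.
    $task = $root.RegisterTaskDefinition($TaskName, $def, $TASK_CREATE_OR_UPDATE,
                                         $null, $null, $TASK_LOGON_INTERACTIVE_TOKEN)
    try {
        $running = $task.Run($null)          # IRunningTask for the instance just started
        return $running.State                # 4 = TASK_STATE_RUNNING once the action is up
    }
    finally {
        $root.DeleteTask($TaskName, 0)       # do not leave an on-demand launcher task behind
    }
}

# From an elevated shell this opens a cmd window whose 'whoami /groups' lists the Medium
# Mandatory Level label, i.e. a normal-privilege process, while the caller stays elevated.
Start-ProcessAsLimitedUser -Path "$env:SystemRoot\System32\cmd.exe" -Arguments '/k whoami /groups'
```

An Exec action takes an executable path, so this route, unlike ShellExecuteEx with the "open" verb, does not open documents such as an .mp3 through their file association.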
Here is the wrapper function I use in my project:

// Requires Windows, SysUtils and ShellAPI in the uses clause; assumes a Unicode
// Delphi (2009 or later), where string is UnicodeString and PChar is PWideChar.
function RunTaskAsInteractiveUser(const CmdLine, Param, Dir: string): Boolean;
const
  WDC = 'wdc.dll';
type
  TWdcRunTaskAsInteractiveUser = function(pwszCmdLine, pwszPath: PWideChar;
    dwDummy: DWORD): HRESULT; stdcall;
var
  WdcRunTaskAsInteractiveUser: TWdcRunTaskAsInteractiveUser;
  FullName: string;   // command line handed to wdc.dll: exe path plus parameters
  Sei: TShellExecuteInfo;
  E: HRESULT;
  hWdc: HMODULE;
begin
  Result := False;
  FullName := CmdLine;
  // Windows version >= 6 (Vista or later)
  if Win32MajorVersion >= 6 then
  begin
    hWdc := GetModuleHandle(WDC);
    if hWdc = 0 then
      hWdc := LoadLibrary(WDC);
    // GetProcAddress returns nil when hWdc is 0 (no wdc.dll on this system)
    @WdcRunTaskAsInteractiveUser := GetProcAddress(hWdc, 'WdcRunTaskAsInteractiveUser');
    // If WdcRunTaskAsInteractiveUser can be found, this should be Windows 7
    if Assigned(WdcRunTaskAsInteractiveUser) then
    begin
      // Quote the exe path so that paths containing spaces survive
      if Length(Param) > 0 then
        FullName := Format('"%s" %s', [FullName, Param]);
      // The last parameter, 39, comes from reverse engineering. I don't know what it
      // means; Taskmgr passes this fixed value. With 0, EXEs still start, but
      // folders, MP3s and other non-executables do not.
      E := WdcRunTaskAsInteractiveUser(PWideChar(FullName), PWideChar(Dir), 39);
      Result := E = S_OK;
    end;
  end;
  // If that did not succeed, usually WdcRunTaskAsInteractiveUser does not exist and
  // the system is Vista or XP, so fall back to a plain ShellExecuteEx
  if not Result then
  begin
    ZeroMemory(@Sei, SizeOf(Sei));
    Sei.cbSize := SizeOf(TShellExecuteInfo);
    Sei.fMask := SEE_MASK_NOCLOSEPROCESS or SEE_MASK_FLAG_NO_UI;
    Sei.lpFile := PChar(CmdLine);   // the bare path, not the quoted FullName
    Sei.lpVerb := 'open';           // 'runas' here would start it with elevated privileges instead
    Sei.nShow := SW_SHOW;
    if Length(Param) > 0 then
      Sei.lpParameters := PChar(Param)
    else
      Sei.lpParameters := nil;
    Sei.lpDirectory := PChar(Dir);
    Result := ShellExecuteEx(@Sei);
    if Sei.hProcess <> 0 then
      CloseHandle(Sei.hProcess);
  end;
end;
Original article: http://blog.csdn.net/wr960204/article/details/6600581
Win7: creating a normal-privilege task from an elevated administrator