How to get disabled privileges for access token?

Question

I know that an access token has disabled and enabled privileges. With some rights, I can enable privileges which are disabled, but I can't get how to receive a list of them. If I use the PrivilegeCheck() function, it just returns me the enabled privileges.

Can you give me a hint as to how to get a list of disabled privileges (may be a code snippet, function, or another direction)?

I use this code:

// Get Process Handle with QUERY_INFORMATION rights
hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, PID);
// Get Access Token with READ rights
OpenProcessToken(hProcess, TOKEN_QUERY | TOKEN_QUERY_SOURCE, &hToken);
// Get ID of privilege in the system
if (!LookupPrivilegeValue(NULL, priv_list[i], &luid)) continue;
// Set checking privilege by one
privs.PrivilegeCount = 1;
privs.Control = PRIVILEGE_SET_ALL_NECESSARY;
privs.Privilege[0].Luid = luid;
privs.Privilege[0].Attributes = SE_PRIVILEGE_ENABLED;
// Check enabled privilege
PrivilegeCheck(hToken, &privs, &bResult);

It just returns the enabled privileges, not the disabled ones.

I repeat again, if the process has disabled privileges that I can activate, I want to list them.

In the end, I want to get something like this:


Answer 1

Score: 0


As RbMm said, traversing permissions is a method.

  1. Get the token handle and query the permissions of the token.
  2. GetTokenInformation().
  3. Return TOKEN_PRIVILEGES struct.

Here is a sample, hope this is helpful.

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>

int main()
{
    HANDLE hToken = NULL;
    // Open the current process token with query access
    OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken);
    if (!hToken)
    {
        printf("OpenProcessToken() error\n");
        return 0;
    }

    // The first call only reports the buffer size that is needed
    DWORD dwSize = 0;
    GetTokenInformation(hToken, TokenPrivileges, NULL, 0, &dwSize);

    TOKEN_PRIVILEGES* pTokenPriv = (TOKEN_PRIVILEGES*)calloc(1, dwSize);
    if (!pTokenPriv || !GetTokenInformation(hToken, TokenPrivileges, pTokenPriv, dwSize, &dwSize))
    {
        printf("GetTokenInformation() error\n");
        free(pTokenPriv);
        CloseHandle(hToken);
        return 0;
    }

    DWORD dwCount = pTokenPriv->PrivilegeCount;
    LUID_AND_ATTRIBUTES* pPriv = pTokenPriv->Privileges;

    char szPrivName[1000] = { 0 };

    for (DWORD i = 0; i < dwCount; ++i)
    {
        // Reset on every pass: LookupPrivilegeNameA overwrites the length
        DWORD dwNameLen = sizeof(szPrivName);
        if (LookupPrivilegeNameA(NULL, &(pPriv[i].Luid), szPrivName, &dwNameLen))
            printf("[%s] -- Attributes:[%lu]\n", szPrivName, pPriv[i].Attributes);
    }

    free(pTokenPriv);
    pTokenPriv = NULL;
    CloseHandle(hToken);
    return 0;
}
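
Decoding the Attributes value that the sample above prints, to separate disabled privileges from enabled ones. This is an added example, not part of the original answer. The types priv_entry and priv_table and the functions is_disabled and list_disabled are hypothetical names, the flag values mirror winnt.h so the code builds without windows.h, and the sample table is constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Flag values as defined in winnt.h, mirrored so this builds off Windows. */
#define PRIV_ENABLED_BY_DEFAULT 0x00000001u /* SE_PRIVILEGE_ENABLED_BY_DEFAULT */
#define PRIV_ENABLED            0x00000002u /* SE_PRIVILEGE_ENABLED */
#define PRIV_USED_FOR_ACCESS    0x80000000u /* SE_PRIVILEGE_USED_FOR_ACCESS */

/* Hypothetical stand-ins with the field order of LUID_AND_ATTRIBUTES
   and TOKEN_PRIVILEGES (fixed capacity instead of ANYSIZE_ARRAY). */
typedef struct { uint32_t luid_low; int32_t luid_high; uint32_t attributes; } priv_entry;
typedef struct { uint32_t count; priv_entry privs[8]; } priv_table;

/* Constructed sample, not captured from a real token. */
static const priv_table SAMPLE = { 5, {
    { 19, 0, 0 },                                      /* SeShutdownPrivilege: disabled */
    { 20, 0, PRIV_ENABLED },                           /* SeDebugPrivilege: enabled */
    { 23, 0, PRIV_ENABLED | PRIV_ENABLED_BY_DEFAULT }, /* SeChangeNotifyPrivilege */
    { 25, 0, PRIV_ENABLED_BY_DEFAULT },                /* default-on, currently disabled */
    { 33, 0, PRIV_ENABLED | PRIV_USED_FOR_ACCESS },    /* enabled and already used */
} };

/* Held but not enabled: test the ENABLED bit. Comparing Attributes
   with 0 would miss the entry whose only flag is ENABLED_BY_DEFAULT. */
int is_disabled(uint32_t attributes) {
    return (attributes & PRIV_ENABLED) == 0;
}

/* Copies the low LUID part of every disabled privilege into out[]. */
size_t list_disabled(const priv_table *t, uint32_t *out, size_t cap) {
    size_t n = 0;
    for (uint32_t i = 0; i < t->count && n < cap; ++i)
        if (is_disabled(t->privs[i].attributes))
            out[n++] = t->privs[i].luid_low;
    return n;
}

int main(void) {
    uint32_t luids[8];
    size_t n = list_disabled(&SAMPLE, luids, 8);
    for (size_t i = 0; i < n; ++i)
        printf("disabled: LUID low part %u\n", (unsigned)luids[i]);
    return 0;
}
```

On Windows the same bit test applies directly to pPriv[i].Attributes inside the loop of the answer's sample, with LookupPrivilegeNameA supplying the name.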

  • Posted by huangapple on May 15, 2023, 15:44:56
  • When reposting, please keep the link to this article: https://go.coder-hub.com/76251882.html