Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- #include <Windows.h>
- #include <winnt.h>
- #include <tchar.h>
- #include <strsafe.h>
- #include <sddl.h>
- DWORD GetSID(LPTSTR lptszUserName, PSID pSid, DWORD pdwSize)
- {
- DWORD dwError;
- LPTSTR lptszDomainName;
- DWORD dwDomainNameLen;
- SID_NAME_USE snu;
- LPTSTR lptszSid;
- BOOL bRet;
- dwError = ERROR_SUCCESS;
- *pdwSize = 0;
- dwDomainNameLen = 0;
- lptszDomainName = NULL;
- bRet = LookupAccountName(NULL, lptszUserName, NULL, pdwSize, NULL, &dwDomainNameLen, &snu);
- dwError = GetLastError();
- *pSid = new BYTE[*pdwSize];
- lptszDomainName = new TCHAR[dwDomainNameLen + 1];
- SecureZeroMemory(lptszDomainName, sizeof(TCHAR) * (dwDomainNameLen + 1));
- SecureZeroMemory(*pSid, *pdwSize);
- bRet = LookupAccountName(NULL, lptszUserName, *pSid, pdwSize, lptszDomainName, &dwDomainNameLen, &snu);
- dwError = GetLastError();
- delete[] lptszDomainName;
- return dwError;
- }
- void _tmain()
- {
- DWORD dwError ;
- dwError = ERROR_SUCCESS;
- HANDLE hProcessToken;
- HANDLE hNewProcessToken;
- BOOL bRet;
- bRet = OpenProcessToken(GetCurrentProcess(), TOKEN_DUPLICATE | TOKEN_ASSIGN_PRIMARY | TOKEN_QUERY, &hProcessToken);
- PSID sidAdministrator;
- DWORD dwSize;
- dwSize = 0;
- dwError = GetSID(L"Administrator", &sidAdministrator, &dwSize);
- SID_AND_ATTRIBUTES sidAttr = {sidAdministrator, 0};
- LUID luid;
- bRet = LookupPrivilegeValue(NULL, SE_SHUTDOWN_NAME, &luid);
- LUID_AND_ATTRIBUTES luidAttr = {luid, 0};
- STARTUPINFO si;
- SecureZeroMemory(&si, sizeof(STARTUPINFO));
- si.cb = sizeof(STARTUPINFO);
- PROCESS_INFORMATION pi;
- bRet = CreateRestrictedToken(hProcessToken, 0,
- 1, &sidAttr,
- 1, &luidAttr,
- 0, NULL, &hNewProcessToken);
- bRet = CreateProcessAsUser(hNewProcessToken, L"C:\\Windows\\explorer.exe", NULL,
- NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi);
- LocalFree(sidAdministrator);
- CloseHandle(hProcessToken);
- }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
