windows 从管理员帐户模拟系统(或等效)
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/2991957/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Impersonate SYSTEM (or equivalent) from Administrator Account
提问by KevenK
This question is a follow up and continuation of this questionabout a Privilege problem I'm dealing with currently.
这个问题是关于我目前正在处理的权限问题的这个问题的后续和延续。
Problem Summary:
I'm running a program under a Domain Administrator account that does not have Debug programs (SeDebugPrivilege)privilege, but I need it on the local machine.
问题摘要:
我在没有Debug programs (SeDebugPrivilege)权限的域管理员帐户下运行程序,但我需要在本地计算机上使用它。
Klugey Solution:
The program can install itself as a service on the local machine, and start the service. Said service now runs under the SYSTEMaccount, which enables us to use our SeTCBPrivilegeprivilege to create a new access token which does have SeDebugPrivilege. We can then use the newly created token to re-launch the initial program with the elevated rights.
Klugey 解决方案:
该程序可以将自己安装为本地机器上的服务,并启动该服务。所述服务现在在该SYSTEM帐户下运行,这使我们能够使用我们的SeTCBPrivilege特权创建一个新的访问令牌,该令牌具有SeDebugPrivilege. 然后我们可以使用新创建的令牌重新启动具有提升权限的初始程序。
I personally do not like this solution. I feel it should be possible to acquire the necessary privileges as an Administrator withouthaving to make system modifications such as installing a service (even if it is only temporary).
我个人不喜欢这个解决方案。我觉得应该可以以管理员身份获得必要的权限,而无需进行系统修改,例如安装服务(即使只是暂时的)。
I am hoping that there is a solution that minimizes system modifications and can preferably be done on the fly (ie: Not require restarting itself). I have unsuccessfully tried to LogonUseras SYSTEMand tried to OpenProcessTokenon a known SYSTEM process (such as csrss.exe) (which fails, because you cannot OpenProcesswith PROCESS_QUERY_INFORMATIONto get a handle to the process without the privileges I'm trying to acquire).
我希望有一种解决方案可以最大限度地减少系统修改,并且最好可以即时完成(即:不需要自行重新启动)。我曾经失败尝试LogonUser的SYSTEM,并试图OpenProcessToken在已知的系统进程(如CSRSS.EXE)(其失败,因为你不能OpenProcess用PROCESS_QUERY_INFORMATION得到的句柄过程中没有特权,我试图获取)。
I'm just at my wit's end trying to come up with an alternative solution to this problem. I was hoping there was an easy way to grab a privileged token on the host machine and impersonate it for this program, but I haven't found a way.
我只是在我的智慧的尽头试图想出一个替代解决方案来解决这个问题。我希望有一种简单的方法可以在主机上获取特权令牌并为该程序模拟它,但我还没有找到方法。
If anyone knows of a way around this, or even has suggestions on things that mightwork, please let me know. I really appreciate the help, thanks!
如果有人知道解决这个问题的方法,或者甚至对可能有效的事情有建议,请告诉我。我非常感谢您的帮助,谢谢!
回答by Billy ONeal
By design, no process is allowed to achieve NT AUTHORITY\SYSTEM rights, unless it is started by another process with NT AUTHORITY\SYSTEM rights. The service is a workaround because the Service Control Manager itself is started by the Kernel at system start.
按照设计,不允许任何进程获得 NT AUTHORITY\SYSTEM 权限,除非它由另一个具有 NT AUTHORITY\SYSTEM 权限的进程启动。该服务是一种解决方法,因为服务控制管理器本身是由内核在系统启动时启动的。
Unfortunately, the operating system is designed to preventexactly what you're trying to do. If you want to be able to remove your service afterwards, simply grant the user in question SeDebugPrivilege for the local machine and then have the service uninstall itself.
不幸的是,操作系统旨在阻止您尝试执行的操作。如果您希望之后能够删除您的服务,只需授予有问题的用户本地机器的 SeDebugPrivilege,然后让服务自行卸载。
Better yet, have the program whose memory is to be modified change DACLs to allow your administrator access to it's memory without SeDebugPrivilege. Then you don't need to take privilege at all.
更好的是,让要修改内存的程序更改 DACL,以允许管理员在没有 SeDebugPrivilege 的情况下访问它的内存。那么你根本不需要获得特权。
EDIT2: And even better yet, just use shared memory in the first place. That's what it's for.
EDIT2:更好的是,首先只使用共享内存。这就是它的用途。
