我想确定指定的流程是否启用了特定的 privilege 。
为了使这个问题更容易,示例目标流程将是当前流程,我将检查是否有权关闭本地系统(之前已启用 AdjustTokenPrivileges 功能)。
然后,我发现 PrivilegeCheck 函数似乎可以确定是否在目标进程的访问令牌中启用了一组指定的权限。
我认为我专注于错误的方向,因为似乎PrivilegeCheck函数需要模仿,所以现在我面临另一个无休止的试错法阶段 GetTokenInformation 功能,这似乎是实现此任务的正确功能。
我遇到的问题是,当我尝试使用PrivilegeCheck函数时,它总是返回False(错误),并且by-reference数组的特权没有预期的值(因为功能失败了)。
GetTokenInformation函数也失败并带有 False 值,返回此win32错误代码: 122 (HRESULT: -2147467259 )留言:
传递给系统调用的数据区域太小
我应该采取哪些措施来修复我的代码中的错误,以便检查进程的权限是否存在,然后是否启用了权限?
使用PrivilegeCheck或GetTokenInformation函数,或者只使用可以确定特权状态的任何其他该函数。
这是一个完整的可复制示例(连同下面的p / invokes),我将演示如何测试PrivilegeCheck和GetTokenInformation方法,两者都是失败。
Dim pHandle As IntPtr = Process.GetCurrentProcess().Handle
Dim privilegeName As String = "SeShutdownPrivilege"
Dim tokenAccess As TokenAccess = (TokenAccess.AdjustPrivileges Or TokenAccess.Query Or TokenAccess.Duplicate)
Dim hToken As IntPtr
Dim hTokenDup As IntPtr
Try
' ****************************************************************************
' 1st Step: Enable the "SeShutdownPrivilege" privilege in the current process.
' ****************************************************************************
Dim win32Err As Integer
' Get the process token.
NativeMethods.OpenProcessToken(pHandle, tokenAccess, hToken)
' Set up a LuidAndAttributes structure containing the privilege to enable,
' getting the LUID that corresponds to the privilege.
Dim luAttr As New LuidAndAttributes
luAttr.Attributes = TokenPrivilegeAttributes.PrivilegeEnabled
NativeMethods.LookupPrivilegeValue(Nothing, privilegeName, luAttr.Luid)
' Set up a TokenPrivileges structure containing only the source privilege.
Dim newState As New TokenPrivileges
newState.PrivilegeCount = 1
newState.Privileges = New LuidAndAttributes() {luAttr}
' Set up a TokenPrivileges structure for the previous (modified) privileges.
Dim prevState As New TokenPrivileges
prevState = New TokenPrivileges
ReDim prevState.Privileges(CInt(newState.PrivilegeCount))
' Apply the TokenPrivileges structure to the source process token.
Dim bufferLength As Integer = Marshal.SizeOf(prevState)
Dim returnLength As IntPtr
If Not NativeMethods.AdjustTokenPrivileges(hToken, False, newState, bufferLength, prevState, returnLength) Then
win32Err = Marshal.GetLastWin32Error
MessageBox.Show("AdjustTokenPrivileges failed.")
Throw New Win32Exception(win32Err)
End If
' *********************************************************************
' Everything OK at this point,
' as AdjustTokenPrivileges dididn't failed, I assume the privilege Is enabled in the process.
'
' 2n Step: Check whether the privilege is enabled or not...
' *********************************************************************
' Set up a new one LuidAndAttributes structure containing the privilege to check,
' getting the LUID that corresponds to the privilege.
luAttr = New LuidAndAttributes
NativeMethods.LookupPrivilegeValue(Nothing, privilegeName, luAttr.Luid)
' *********************************************************************
' Trying PrivilegeCheck and Duplicatetoken methodology...
' *********************************************************************
NativeMethods.DuplicateToken(hToken, SecurityImpersonationLevel.SecurityImpersonation, hTokenDup)
win32Err = Marshal.GetLastWin32Error
If (hTokenDup <> IntPtr.Zero) Then
Dim result As Boolean
Dim pSet As New PrivilegeSet
pSet.Control = 0
pSet.PrivilegeCount = 1
pSet.Privileges = New LuidAndAttributes() {luAttr}
If Not NativeMethods.PrivilegeCheck(hToken, pSet, result) Then
win32Err = Marshal.GetLastWin32Error
MessageBox.Show("PrivilegeCheck using original access-token failed.")
' Ignore exception, to continue with the GetTokenInformation methodology.
' Throw New Win32Exception(win32Err)
Else
MessageBox.Show(String.Format("{0} (original token) state is: {1}",
privilegeName, pSet.Privileges(0).Attributes.ToString()))
If Not NativeMethods.PrivilegeCheck(hTokenDup, pSet, result) Then
win32Err = Marshal.GetLastWin32Error
MessageBox.Show("PrivilegeCheck using impersonated access-token failed.")
' Ignore exception, to continue with the GetTokenInformation methodology.
' Throw New Win32Exception(win32Err)
Else
MessageBox.Show(String.Format("{0} (impersonated token) state is: {1}",
privilegeName, pSet.Privileges(0).Attributes.ToString()))
End If
End If
Else
MessageBox.Show("DuplicateToken failed.")
' Ignore exception, to continue with the GetTokenInformation methodology.
' Throw New Win32Exception(win32Err)
End If
' *********************************************************************
' Trying GetTokenInformation methodology...
' *********************************************************************
Dim tkp As New TokenPrivileges
Dim tkpHandle As IntPtr
Dim tkInfoLength As Integer = 0
tkpHandle = Marshal.AllocHGlobal(Marshal.SizeOf(tkpHandle))
Marshal.StructureToPtr(tkp, tkpHandle, False)
NativeMethods.GetTokenInformation(hToken, TokenInformationClass.TokenPrivileges, IntPtr.Zero, tkInfoLength, tkInfoLength)
win32Err = Marshal.GetLastWin32Error
' If I understood, It is supposed to return 122,
' so I should ignore that error code?:
If (win32Err <> 122) Then
MessageBox.Show("GetTokenInformation failed in the attempt to get the TokenPrivileges's size.")
Throw New Win32Exception(win32Err)
Else
If Not NativeMethods.GetTokenInformation(hToken, TokenInformationClass.TokenPrivileges, tkpHandle, tkInfoLength, tkInfoLength) Then
win32Err = Marshal.GetLastWin32Error
MessageBox.Show("GetTokenInformation failed in the attempt to get the TokenPrivileges.")
Throw New Win32Exception(win32Err)
Else
Dim privilegeAttr As TokenPrivilegeAttributes = tkp.Privileges(0).Attributes
MessageBox.Show(String.Format("{0} state is: {1}", privilegeName, privilegeAttr.ToString()))
End If
End If
Catch ex As Win32Exception
MessageBox.Show(ex.NativeErrorCode & " " & ex.Message)
Catch ex As Exception
MessageBox.Show(ex.Message)
Finally
If (hTokenDup <> IntPtr.Zero) Then
NativeMethods.CloseHandle(hTokenDup)
End If
If (hToken <> IntPtr.Zero) Then
NativeMethods.CloseHandle(hToken)
End If
End Try
这些是相关的winapi定义(注意感兴趣的MSDN网址):
' http://msdn.microsoft.com/en-us/library/windows/desktop/aa379295%28v=vs.85%29.aspx
<DllImport("advapi32.dll", SetLastError:=True)>
Public Shared Function OpenProcessToken(ByVal processHandle As IntPtr,
ByVal desiredAccess As TokenAccess,
ByRef tokenHandle As IntPtr
) As <MarshalAs(UnmanagedType.Bool)> Boolean
End Function
' http://msdn.microsoft.com/en-us/library/windows/desktop/aa379180%28v=vs.85%29.aspx
<DllImport("Advapi32.dll", SetLastError:=True, CharSet:=CharSet.Auto, BestFitMapping:=False, ThrowOnUnmappableChar:=True)>
Public Shared Function LookupPrivilegeValue(ByVal lpSystemName As String,
ByVal lpName As String,
ByRef lpLuid As Luid
) As <MarshalAs(UnmanagedType.Bool)> Boolean
End Function
' http://msdn.microsoft.com/es-es/library/windows/desktop/aa375202%28v=vs.85%29.aspx
<DllImport("Advapi32.dll", SetLastError:=True)>
Public Shared Function AdjustTokenPrivileges(ByVal tokenHandle As IntPtr,
ByVal disableAllPrivileges As Boolean,
ByRef newState As TokenPrivileges,
ByVal bufferLength As Integer,
ByRef refPreviousState As TokenPrivileges,
ByRef refReturnLength As IntPtr
) As <MarshalAs(UnmanagedType.Bool)> Boolean
End Function
' https://msdn.microsoft.com/en-us/library/windows/desktop/aa379304%28v=vs.85%29.aspx
<DllImport("Advapi32.dll", SetLastError:=True)>
Public Shared Function PrivilegeCheck(ByVal token As IntPtr,
<[In], Out> ByRef privileges As PrivilegeSet,
ByRef refResult As Boolean
) As <MarshalAs(UnmanagedType.Bool)> Boolean
End Function
' https://msdn.microsoft.com/en-us/library/windows/desktop/aa446616%28v=vs.85%29.aspx
<DllImport("advapi32.dll", SetLastError:=True)>
Public Shared Function DuplicateToken(ByVal tokenHandle As IntPtr,
ByVal impersonationLevel As SecurityImpersonationLevel,
ByRef duplicateTokenHandle As IntPtr
) As <MarshalAs(UnmanagedType.Bool)> Boolean
End Function
' https://msdn.microsoft.com/en-us/library/windows/desktop/aa446671%28v=vs.85%29.aspx
<DllImport("Advapi32.dll", SetLastError:=True)>
Public Shared Function GetTokenInformation(ByVal tokenHandle As IntPtr,
ByVal tokenInformationClass As TokenInformationClass,
ByVal tokenInformation As IntPtr,
ByVal tokenInformationLength As Integer,
ByRef refReturnLength As Integer
) As <MarshalAs(UnmanagedType.Bool)> Boolean
End Function
' http://msdn.microsoft.com/en-us/library/windows/desktop/aa374905%28v=vs.85%29.aspx
<Flags>
Public Enum TokenAccess As UInteger
' THIS ENUMERATION IS PARTIALLY DEFINED.
' **************************************
TokenAdjustPrivileges = &H20UI
TokenQuery = &H8UI
End Enum
' https://msdn.microsoft.com/en-us/library/windows/desktop/aa379630%28v=vs.85%29.aspx
<Flags>
Public Enum TokenPrivilegeAttributes As UInteger
PrivilegeDisabled = &H0UI
PrivilegeEnabledByDefault = &H1UI
PrivilegeEnabled = &H2UI
PrivilegeRemoved = &H4UI
PrivilegeUsedForAccess = &H80000000UI
End Enum
' https://msdn.microsoft.com/en-us/library/windows/desktop/aa379572(v=vs.85).aspx
Public Enum SecurityImpersonationLevel As Integer
SecurityAnonymous = 0
SecurityIdentification = 1
SecurityImpersonation = 2
SecurityDelegation = 3
End Enum
' http://msdn.microsoft.com/en-us/library/windows/desktop/aa379261%28v=vs.85%29.aspx
<StructLayout(LayoutKind.Sequential)>
Public Structure Luid
Public LowPart As UInteger
Public HighPart As Integer
End Structure
' http://msdn.microsoft.com/en-us/library/windows/desktop/aa379263%28v=vs.85%29.aspx
<StructLayout(LayoutKind.Sequential)>
Public Structure LuidAndAttributes
Public Luid As Luid
Public Attributes As TokenPrivilegeAttributes
End Structure
' https://msdn.microsoft.com/en-us/library/windows/desktop/aa379630%28v=vs.85%29.aspx
<StructLayout(LayoutKind.Sequential)>
Public Structure TokenPrivileges
Public PrivilegeCount As UInteger
<MarshalAs(UnmanagedType.ByValArray, SizeConst:=1)>
Public Privileges As LuidAndAttributes()
End Structure
' https://msdn.microsoft.com/en-us/library/windows/desktop/aa379307%28v=vs.85%29.aspx
<StructLayout(LayoutKind.Sequential)>
Public Structure PrivilegeSet
Public PrivilegeCount As UInteger
Public Control As UInteger
<MarshalAs(UnmanagedType.ByValArray, SizeConst:=1)>
Public Privileges As LuidAndAttributes()
End Structure
答案 0 :(得分:3)
我现在上传了用于测试我的答案的完整代码,以防其他人需要一个有效的例子。特别是那些样板并不完美(并且不打算这样),请不要对此进行评判。请参阅此粘贴:http://pastebin.com/gdxwWHRb
您错误地使用了非托管内存块tkpHandle和结构tkp。此外,您只是检查GetTokenInformation(tkp.Privileges(0))返回的第一个权限的属性 - 相反,您必须检查所有权限并找到正确的权限。
如果我这样更改你的代码,它对我有用:
' *********************************************************************
' Trying GetTokenInformation methodology...
' *********************************************************************
Dim tkp As New TokenPrivileges
Dim tkpHandle As IntPtr = IntPtr.Zero ' <<< will be set later
Dim tkInfoLength As Integer = 0
' Here we call GetTokenInformation the first time to receive the length of the data it would like to store.
NativeMethods.GetTokenInformation(hToken, TokenInformationClass.TokenPrivileges, IntPtr.Zero, tkInfoLength, tkInfoLength)
win32Err = Marshal.GetLastWin32Error
' Since the "current" length we pass is 0, we'll always get "error" 122, which is fine. We also get the required length returned.
If (win32Err <> 122) Then
MessageBox.Show("GetTokenInformation failed in the attempt to get the TokenPrivileges's size.")
Throw New Win32Exception(win32Err)
Else
Try
' Here we allocate memory for receiving the actual data. By now, tkInfoLength contains the size of the memory block we need to allocate.
tkpHandle = Marshal.AllocHGlobal(tkInfoLength)
' This time, we shouldn't get an error 122, because this time we already have set the correct buffer size. GetTokenInformation should now write the data into the memory block we just allocated.
If Not NativeMethods.GetTokenInformation(hToken, TokenInformationClass.TokenPrivileges, tkpHandle, tkInfoLength, tkInfoLength) Then
win32Err = Marshal.GetLastWin32Error
MessageBox.Show("GetTokenInformation failed in the attempt to get the TokenPrivileges.")
Throw New Win32Exception(win32Err)
Else
' We will now ask PtrToStructure to read the raw data out of the memory block and convert it to a managed structure of type TokenPrivileges which we can use in our code. That's it!
tkp = Marshal.PtrToStructure(tkpHandle, GetType(TokenPrivileges))
' We have to iterate over all privileges listed in the TokenPrivileges structure to find the one we are looking for
Dim found As Boolean = False
For i As Integer = 0 To tkp.PrivilegeCount - 1
' There is a problem: Marshal.PtrToStructure can't marshal variable-length structures, but the array TokenPrivileges::Privileges has
' a variable length determined by the value of TokenPrivileges::PrivilegeCount! Since we don't know the size at compile time, the
' size of the array was hardcoded to 1, which means that we would only be able to access the first element of the array.
' To work around this, we calculate the raw memory offset pointing to the array element we need and load it separately into a
' LuidAndAttributes variable.
' The way this works is: The contents of the TokenPrivilege structure or stored in memory one after another, like this:
' PrivilegeCount (type: UInteger)
' Privileges(0) (type: LuidAndAttributes)
' Privileges(1) (type: LuidAndAttributes) << these and all further we normally can't access
' Privileges(2) (type: LuidAndAttributes)
' ...and so on.
' We are now calculating the offset into the structure for a specific array element. Let's use Privileges(2) as example:
' To get to it, we need to take the pointer to the beginning of the structure and add the sizes of all previous elements,
' which would be once the size of PrivilegeCount and then 2 times the size of a LuidAndAttributes structure.
Dim directPointer As New IntPtr(tkpHandle.ToInt64() + Len(tkp.PrivilegeCount) + i * Marshal.SizeOf(GetType(LuidAndAttributes)))
Dim luidAndAttributes As LuidAndAttributes = Marshal.PtrToStructure(directPointer, GetType(LuidAndAttributes))
' Get the privilege name. We first call LookupPrivilegeName with a zero size to get the real size we need, then reserve space, then get the actual data
' NOTE: The part below isn't actually necessary as commented Mark Hurd pointed out, because you already have the right privilege's LUID in luAttr.Luid.
' But I'll leave it here anyway in case somebody uses this piece of code without the part which sets the privilege.
' Another solution in this case would also be to run LookupPrivilegeValue to get the LUID to compare to (which is what led to luAttr.Luid as well).
Dim privNameLen As Integer = 0
Dim sb As New System.Text.StringBuilder()
NativeMethods.LookupPrivilegeName(Nothing, luidAndAttributes.Luid, sb, privNameLen)
sb.EnsureCapacity(privNameLen + 1)
If Not NativeMethods.LookupPrivilegeName(Nothing, luidAndAttributes.Luid, sb, privNameLen) Then
win32Err = Marshal.GetLastWin32Error
MessageBox.Show("LookupPrivilegeName failed.")
Throw New Win32Exception(win32Err)
End If
' Now that we have the name, we can check if it's the one we are looking for.
' NOTE: Refering to me comments above, this could be just: If luidAndAttributes.Luid = luAttr.Luid
If sb.ToString() = privilegeName Then
' Found! So we can finally get the status of the privilege!
found = True
MessageBox.Show(String.Format("{0} state is: {1}", privilegeName, luidAndAttributes.Attributes.ToString()))
Exit For
End If
Next
If Not found Then MessageBox.Show(String.Format("{0} not found in list of privileges!", privilegeName))
End If
Finally
' Make sure the memory block is freed again (even when an error occured)
If tkpHandle Then Marshal.FreeHGlobal(tkpHandle)
End Try
End If
在代码中查看我的评论。基本上,流程是:
Marshal.PtrToStructure(不是Marshal.StructureToPtr)将原始数据转换为.NET结构。这里还有另一个棘手的部分,就是如何找到正确的权限来检查GetTokenInformation返回的权限列表:
Marshal.PtrToStructure无法编组可变长度数组,例如TokenInformation结构内的数组。为了能够在代码中的第一个元素之后访问元素,我们必须玩一些技巧并进行指针运算以计算这些数组元素的内存偏移量,然后对每个元素使用Marshal.PtrToStructure个别。有关详细信息,请参阅代码中的注释。LookupPrivilegeName,这基本上与LookupPrivilegeValue相反。请注意,我们再次使用零长度调用它来获取实际长度,然后保留空间,然后再次调用它。 - 注意:正如我在EDIT2中所写,如果您正在寻找特定的权限,这实际上并不是必需的。您只需使用LookupPrivilegeValue获取正确的LUID,然后将LUID与已知LUID进行比较。而且你已经在代码中提到了它(它在luAttr.Luid中)。请在代码中阅读我的其他评论!我这样导入了LookupPrivilegeName:
<DllImport("Advapi32.dll", SetLastError:=True, CharSet:=CharSet.Auto, BestFitMapping:=False, ThrowOnUnmappableChar:=True)>
Public Shared Function LookupPrivilegeName(lpSystemName As String, ByRef lpLuid As Luid, lpName As System.Text.StringBuilder, ByRef cchName As Integer) As <MarshalAs(UnmanagedType.Bool)> Boolean
现在代码成功运行并显示了一个消息框:
SeShutdownPrivilege状态为:PrivilegeEnabled
编辑:我忽略了tkp.Privileges(0).Attributes被硬编码而不是遍历所有权限以找到合适的问题的问题。我在答案中添加了正确的解决方案。
EDIT2 :正确commenter Mark Hurd pointed out,实际上每次都无需拨打LookupPrivilegeName。在此问题的原始代码中,特权的LUID已经知道,因为它之前使用LookupPrivilegeValue进行了查找。但我仍然会在代码中留下名称查找,以防有人需要枚举其他已启用的权限 - 我只是添加了有关它的注释。