how do i convert restricted user token to unrestri

2020-07-30 02:41发布

问题:

I have a user token duplicated from a restricted UAC launched process and I want to remove the deny group SIDs from it. How do I do that? If I call SetTokenInformation with the TOKEN_GROUPS information class type I get an invalid parameter error.

Thank you.

回答1:

It turns out that there is a supported way of doing this. Basically you need to do a double indirect to make this work. First you want to get the session for the user's token with WTSQueryUserToken. Next you need to get the associated administrative user token with GetTokenInformation (looking for TokenLinkedToken information). Now that you have the admintokn, you can call CreateProcessAsUser with that token. If you need the environment block, you can call CreateEnvironmentBlock to get the correct environment variables.

Here's a chunk of VB code I got from a co-worker (who passed on this tip):

Public Function StartAppInSessionAsAdmin(ByVal SessionID As String, ByVal WinstationName As String, ByVal AppName As String) As Integer

    Dim hToken As IntPtr
    Dim hLinkedToken As IntPtr
    Dim bRet As Boolean
    Dim pi As New PROCESS_INFORMATION
    Dim si As New STARTUPINFO
    Dim err As Integer
    Dim iret As Integer
    Dim lpEB As IntPtr


    Dim TLT As New TOKEN_LINKED_TOKEN
    Dim TLTSize As Integer
    Dim retSize As Integer

    si.lpDesktop = WinstationName  '”Winsta0\default”
    si.cb = Marshal.SizeOf(si)

    TLTSize = Marshal.SizeOf(TLT.LinkedToken)

    'get SessionID token
    bRet = WTSQueryUserToken(Integer.Parse(SessionID), hToken)

    'we need to get the TokenLinked Token 
    bRet = GetTokenInformation(hToken, TOKEN_INFORMATION_CLASS.TokenLinkedToken, hLinkedToken, TLTSize, retSize)

    'Use CreateEnvironment Block with the original token to create an environment for the new program with the USER Environment
    bRet = CreateEnvironmentBlock(lpEB, hToken, False)

    If bRet Then
        'Call CreateProcessAsUser to create the process using the user's modified Token
        iret = CreateProcessAsUser(hLinkedToken, Nothing, AppName, 0, 0, False, 1072, lpEB, Nothing, si, pi)
        'Give user a feedback
        If iret <> 0 Then
            GiveFeedback(SessionID, "Message from StartAppInSessionAsAdmin", "CreateProcessAsUser succeeded", 2)
        Else
            err = Marshal.GetLastWin32Error
            GiveFeedback(SessionID, "Message from StartAppInSessionAsAdmin", "CreateProcessAsUser failed with error " & err.ToString, 5)
        End If
    End If

End Function

He also wrote up a blog post with more information: http://blogs.msdn.com/b/itasupport/archive/2010/03/29/uac-bypass-o-meglio-il-modo-supportato-e-by-design-di-aggirare-la-uac.aspx