On Windows 7 the files under C:\WINDOWS\system32 belong to TrustedInstaller; the Administrators group has only Read and Execute permission on them. What I want to do is rename a file in that folder (calc.exe to calc1.exe, as an example) and then run it.
Run cmd.exe as administrator and execute the following commands:
TAKEOWN /F calc.exe /a
icacls calc.exe /grant Administrators:F
Look at calc's permissions again: the Administrators group now has Full Control, and the Owner is also the Administrators group, as shown in the figure below:
OK, renaming calc.exe to calc1.exe succeeds! But when I try to run it, it won't start... After looking into it, it turns out there is also a calc.exe.mui file under C:\Windows\System32\en-US, and the program only runs once that file has been renamed as well. calc.exe.mui also belongs to TrustedInstaller, so repeat the two commands above:
TAKEOWN /F en-US\calc.exe.mui /a
icacls en-US\calc.exe.mui /grant Administrators:F
Then rename calc.exe.mui to calc1.exe.mui, go back to the System32 directory and run calc1.exe. OK, it runs!
Appendix: code that performs the same change on an exe under System32 (it processes the exe under System32 and the matching .mui under en-US):

#include <windows.h>
#include <stdio.h>
#include <string.h>

void ExeCmd(const char *cmd);

// usage: xxx.exe calc.exe
// Takes ownership of System32\<name> and en-US\<name>.mui and grants
// Administrators Full Control, exactly as the two manual commands above do.
int main(int argc, char *argv[])
{
    char cmd[300] = {0};
    char path1[MAX_PATH] = {0};
    char path2[MAX_PATH] = {0};

    if (argc != 2) {
        fprintf(stderr, "usage: %s <file in System32, e.g. calc.exe>\n", argv[0]);
        return 1;
    }

    // Build both paths with bounded writes instead of unchecked strcat.
    snprintf(path1, sizeof(path1), "C:\\Windows\\System32\\%s", argv[1]);
    snprintf(path2, sizeof(path2), "C:\\Windows\\System32\\en-US\\%s.mui", argv[1]);

    // Order matters: ownership has to be taken before the ACL can be rewritten,
    // so ExeCmd waits for each command to finish before the next one starts.
    snprintf(cmd, sizeof(cmd), "cmd.exe /c TAKEOWN /F \"%s\" /a", path1);
    ExeCmd(cmd);
    snprintf(cmd, sizeof(cmd), "cmd.exe /c icacls \"%s\" /grant Administrators:F", path1);
    ExeCmd(cmd);
    snprintf(cmd, sizeof(cmd), "cmd.exe /c TAKEOWN /F \"%s\" /a", path2);
    ExeCmd(cmd);
    snprintf(cmd, sizeof(cmd), "cmd.exe /c icacls \"%s\" /grant Administrators:F", path2);
    ExeCmd(cmd);
    return 0;
}

// Runs one command line in a hidden window with System32 as the working
// directory, and blocks until the child process exits.
void ExeCmd(const char *cmd)
{
    STARTUPINFOA startupInfo;
    PROCESS_INFORMATION processInformation;
    char buff[300] = {0};
    const char *currentPath = "C:\\Windows\\System32";

    // CreateProcess may modify the command-line buffer, so pass a writable copy.
    strncpy(buff, cmd, sizeof(buff) - 1);
    ZeroMemory(&startupInfo, sizeof(startupInfo));
    ZeroMemory(&processInformation, sizeof(processInformation));
    startupInfo.cb = sizeof(startupInfo);
    startupInfo.dwFlags = STARTF_USESHOWWINDOW;
    startupInfo.wShowWindow = SW_HIDE;

    if (!CreateProcessA(NULL, buff, NULL, NULL, FALSE, 0, NULL, currentPath,
                        &startupInfo, &processInformation)) {
        fprintf(stderr, "CreateProcess failed for: %s (error %lu)\n", cmd, GetLastError());
        return;
    }
    WaitForSingleObject(processInformation.hProcess, INFINITE);
    CloseHandle(processInformation.hThread);
    CloseHandle(processInformation.hProcess);
}
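As an added example that is not part of the original post, the following PowerShell script audits System32 for exactly the changes the procedure above leaves behind: an owner other than TrustedInstaller (TAKEOWN /a), Administrators holding Full Control (icacls /grant Administrators:F), and a .mui in en-US whose base binary is gone (the calc.exe / calc.exe.mui case). It assumes Windows PowerShell 5.1 or later, run elevated so every ACL is readable, and uses the default paths from the post; it only reports and changes nothing.

```powershell
# Added example (not from the original post): report ACL drift in System32 and
# orphaned .mui files in en-US. Assumes Windows PowerShell 5.1+, run elevated.
function Get-System32AclDrift {
    param(
        [string]$Root   = "$env:SystemRoot\System32",
        [string]$MuiDir = "$env:SystemRoot\System32\en-US"
    )
    $trustedInstaller = 'NT SERVICE\TrustedInstaller'
    $admins           = 'BUILTIN\Administrators'
    $full             = [System.Security.AccessControl.FileSystemRights]::FullControl

    # Checks 1 and 2: owner and Administrators rights on every .exe in System32.
    foreach ($exe in Get-ChildItem -LiteralPath $Root -Filter '*.exe' -File) {
        $acl = Get-Acl -LiteralPath $exe.FullName
        $reasons = @()
        if ($acl.Owner -ne $trustedInstaller) {
            $reasons += "owner is $($acl.Owner)"        # what TAKEOWN /a leaves behind
        }
        $adminFull = $acl.Access | Where-Object {
            $_.IdentityReference.Value -eq $admins -and
            $_.AccessControlType -eq 'Allow' -and
            $_.FileSystemRights.HasFlag($full)         # what icacls ...:F leaves behind
        }
        if ($adminFull) { $reasons += 'Administrators have FullControl' }
        if ($reasons) {
            [pscustomobject]@{ Path = $exe.FullName; Reason = ($reasons -join '; ') }
        }
    }

    # Check 3: a .mui in en-US with no matching binary in System32 means the base
    # file was renamed or removed. If both files were renamed together, the
    # renamed .exe is still caught by checks 1 and 2 above.
    foreach ($mui in Get-ChildItem -LiteralPath $MuiDir -Filter '*.mui' -File) {
        $base = Join-Path $Root ($mui.Name -replace '\.mui$', '')
        if (-not (Test-Path -LiteralPath $base)) {
            [pscustomobject]@{ Path = $mui.FullName; Reason = 'orphaned .mui, base binary missing' }
        }
    }
}

# Usage: list drifted files, or pipe to Export-Csv to diff against a known-good baseline.
Get-System32AclDrift | Format-Table -AutoSize
```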
Original post: http://www.cnblogs.com/royhawk/p/4924435.html