我写一个VC++程序,怎样让该程序以SYSTEM用户运行?
当用任务管理器查看进程里,用户名应该为SYSTEM,而不是ADMINISTRATOR等用户自己的用户名。那些杀毒软件等程序的用户名都是SYSTEM,这是怎样做到的???...
当用任务管理器查看进程里,用户名应该为SYSTEM,而不是ADMINISTRATOR等用户自己的用户名。
那些杀毒软件等程序的用户名都是SYSTEM,这是怎样做到的??? 展开
那些杀毒软件等程序的用户名都是SYSTEM,这是怎样做到的??? 展开
其实所谓的“SYSTEM 权限”就是让进程以 LocalSystem 账户运行,可以用 CreateService 注册一个 Windows 服务来实现:CreateService 的账户参数传 NULL 时,服务默认就以 LocalSystem 运行。
新建一个空的、名为 CreateService 的控制台工程,再新建一个 CreateService.cpp 文件,把下面的代码粘贴进去。注意必须作为 C++(.cpp)编译:代码里自定义的 DeleteService() 与 Win32 API 的 DeleteService(SC_HANDLE) 同名,依赖 C++ 的函数重载。
#include "Windows.h"
#include "Winsvc.h"
#include "time.h"
#include "stdio.h"
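// Status last reported to the SCM. Written by ServiceMain and by
// ServiceCtrlHandler, which the SCM invokes on a different thread.
SERVICE_STATUS m_ServiceStatus;
SERVICE_STATUS_HANDLE m_ServiceStatusHandle;
// Run flag: polled by ServiceMain's loop, cleared by ServiceCtrlHandler from
// another thread. Without volatile the compiler may hoist the load out of the
// loop and the service never notices the stop request. A cleaner design is an
// event object (CreateEvent / WaitForSingleObject), which also makes stops
// take effect immediately instead of after the next Sleep().
volatile BOOL bRunning = true;
void WINAPI ServiceMain(DWORD argc, LPTSTR *argv);
void WINAPI ServiceCtrlHandler(DWORD Opcode);
BOOL InstallService();
BOOL DeleteService();   // overloads Win32 DeleteService(SC_HANDLE); needs C++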
// Placeholder for the periodic work of the service; ServiceMain calls it
// every 3 seconds while the service is running. Whatever goes here runs
// under the service account (LocalSystem in this sample), so keep it minimal
// and treat every input it touches as untrusted.
void DoTask()
{
    /* intentionally empty: put the periodic work here */
}
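// Service entry point. The SCM calls it on a new thread after main() hands
// control to StartServiceCtrlDispatcher(). It registers the control handler,
// reports RUNNING, then calls DoTask() every 3 seconds until the handler
// clears bRunning. argc/argv are the SCM start parameters and are unused.
void WINAPI ServiceMain(DWORD argc, LPTSTR *argv)
{
    (void)argc;
    (void)argv;

    // Must match the SERVICE_WIN32_OWN_PROCESS used by InstallService.
    m_ServiceStatus.dwServiceType = SERVICE_WIN32_OWN_PROCESS;
    m_ServiceStatus.dwCurrentState = SERVICE_START_PENDING;
    m_ServiceStatus.dwControlsAccepted = SERVICE_ACCEPT_STOP;  // only STOP is advertised
    m_ServiceStatus.dwWin32ExitCode = 0;
    m_ServiceStatus.dwServiceSpecificExitCode = 0;
    m_ServiceStatus.dwCheckPoint = 0;
    m_ServiceStatus.dwWaitHint = 0;

    // Has to happen before any status report: this is the SCM's channel to us.
    m_ServiceStatusHandle = RegisterServiceCtrlHandler("Service2", ServiceCtrlHandler);
    if (m_ServiceStatusHandle == (SERVICE_STATUS_HANDLE)0)
    {
        // No handle means no way to report anything; the SCM will time out.
        return;
    }

    m_ServiceStatus.dwCurrentState = SERVICE_RUNNING;
    m_ServiceStatus.dwCheckPoint = 0;
    m_ServiceStatus.dwWaitHint = 0;
    if (!SetServiceStatus(m_ServiceStatusHandle, &m_ServiceStatus))
    {
        // The original ignored this failure and kept looping while the SCM
        // still believed we were START_PENDING. Report the error and exit.
        m_ServiceStatus.dwWin32ExitCode = GetLastError();
        m_ServiceStatus.dwCurrentState = SERVICE_STOPPED;
        SetServiceStatus(m_ServiceStatusHandle, &m_ServiceStatus);
        return;
    }

    // Work loop. bRunning is cleared by ServiceCtrlHandler on
    // SERVICE_CONTROL_STOP; because of the Sleep() a stop request can take
    // up to 3 s to be noticed.
    bRunning = true;
    while (bRunning)
    {
        Sleep(3000);
        DoTask();
    }

    // The handler normally reports SERVICE_STOPPED itself; cover any other
    // way out of the loop so the SCM is never left waiting.
    if (m_ServiceStatus.dwCurrentState != SERVICE_STOPPED)
    {
        m_ServiceStatus.dwCurrentState = SERVICE_STOPPED;
        m_ServiceStatus.dwCheckPoint = 0;
        m_ServiceStatus.dwWaitHint = 0;
        SetServiceStatus(m_ServiceStatusHandle, &m_ServiceStatus);
    }
}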
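// Control handler for "Service2", invoked by the SCM on its own thread (not
// the one running ServiceMain). Only STOP is advertised in dwControlsAccepted,
// so PAUSE/CONTINUE are kept for completeness but will not be sent unless
// dwControlsAccepted is extended in ServiceMain.
void WINAPI ServiceCtrlHandler(DWORD Opcode)
{
    switch (Opcode)
    {
    case SERVICE_CONTROL_PAUSE:
        m_ServiceStatus.dwCurrentState = SERVICE_PAUSED;
        break;
    case SERVICE_CONTROL_CONTINUE:
        m_ServiceStatus.dwCurrentState = SERVICE_RUNNING;
        break;
    case SERVICE_CONTROL_STOP:
        m_ServiceStatus.dwWin32ExitCode = 0;
        m_ServiceStatus.dwCurrentState = SERVICE_STOPPED;
        m_ServiceStatus.dwCheckPoint = 0;
        m_ServiceStatus.dwWaitHint = 0;
        // NOTE(review): STOPPED is reported before ServiceMain's loop has
        // actually exited (it may still be inside Sleep/DoTask). The cleaner
        // protocol is STOP_PENDING here and STOPPED from ServiceMain after
        // the loop; kept as-is so this block stands on its own.
        SetServiceStatus(m_ServiceStatusHandle, &m_ServiceStatus);
        bRunning = false;   // tells the ServiceMain loop to exit
        return;             // handle is no longer valid after STOPPED
    case SERVICE_CONTROL_INTERROGATE:
        // Nothing to change; the SCM just wants the current status re-sent.
        break;
    default:
        // Unknown control code: ignore it, but still answer with our status.
        break;
    }
    // The original never reported after PAUSE/CONTINUE/INTERROGATE, so the
    // SCM could not learn about the new state. Every handled control must be
    // answered with SetServiceStatus.
    SetServiceStatus(m_ServiceStatusHandle, &m_ServiceStatus);
}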
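// Registers this executable with the SCM as service "Service2" (display
// name "MB Service"), demand-start, running as LocalSystem (NULL account and
// NULL password in CreateService) — that is what makes Task Manager show
// the user as SYSTEM.
// The caller must be elevated: creating a service needs administrator rights
// and OpenSCManager fails with ERROR_ACCESS_DENIED otherwise.
// Security: because the service runs as SYSTEM, the directory holding the
// binary must not be writable by standard users; anyone who can replace the
// file gets SYSTEM on next start.
// Returns true on success, false on failure (GetLastError() says why).
BOOL InstallService()
{
    // Use the real path of this executable. The original glued a fixed file
    // name onto the current directory, which is wrong as soon as the tool is
    // run from anywhere else, and did not check for truncation.
    char exePath[MAX_PATH];
    DWORD len = GetModuleFileName(NULL, exePath, MAX_PATH);
    if (len == 0 || len >= MAX_PATH)
        return false;   // failed or truncated

    // Quote the path. An unquoted path containing spaces is the classic
    // "unquoted service path" privilege escalation: the SCM would try
    // C:\Program.exe before C:\Program Files\...\CreateService.exe.
    char binPath[MAX_PATH + 3];
    binPath[0] = '"';
    memcpy(binPath + 1, exePath, len);   // memcpy comes from the same header as the original strcat
    binPath[len + 1] = '"';
    binPath[len + 2] = '\0';

    // Least privilege: we only create a service, we do not need full control.
    SC_HANDLE schSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_CREATE_SERVICE);
    if (schSCManager == NULL)
        return false;

    SC_HANDLE schService = CreateService(
        schSCManager,
        "Service2",                 // internal service name (used by the dispatcher table)
        "MB Service",               // display name shown in services.msc
        SERVICE_QUERY_STATUS,       // access on the returned handle; we only close it
        SERVICE_WIN32_OWN_PROCESS,  // must match dwServiceType in ServiceMain
        SERVICE_DEMAND_START,       // started manually (services.msc / sc start)
        SERVICE_ERROR_NORMAL,       // error control type
        binPath,                    // quoted path of this executable
        NULL,                       // no load ordering group
        NULL,                       // no tag identifier
        NULL,                       // no dependencies
        NULL,                       // NULL account = LocalSystem (SYSTEM)
        NULL);                      // no password
    BOOL ok = (schService != NULL);
    DWORD err = ok ? 0 : GetLastError();   // CloseServiceHandle may clobber it
    if (ok)
        CloseServiceHandle(schService);
    CloseServiceHandle(schSCManager);      // the original leaked this handle on every path
    if (!ok)
        SetLastError(err);
    return ok;
}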
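// Unregisters service "Service2". Must be run elevated. This zero-argument
// function overloads the Win32 DeleteService(SC_HANDLE) it calls internally,
// which is why the file has to be compiled as C++.
// Returns true if the service was marked for deletion and the handle closed
// cleanly; false if the SCM or the service could not be opened or deletion
// failed (GetLastError() has the code). A running service is only marked for
// deletion and disappears once it stops and all handles are closed.
BOOL DeleteService()
{
    // Connecting is all we need at the manager level.
    SC_HANDLE schSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_CONNECT);
    if (schSCManager == NULL)
        return false;

    BOOL ok = false;
    DWORD err = 0;
    // DELETE is the only right DeleteService(SC_HANDLE) requires.
    SC_HANDLE hService = OpenService(schSCManager, "Service2", DELETE);
    if (hService != NULL)
    {
        ok = (DeleteService(hService) != 0);   // Win32 overload
        if (!ok)
            err = GetLastError();
        if (!CloseServiceHandle(hService))   // original also failed on a bad close
            ok = false;
    }
    else
    {
        err = GetLastError();
    }
    CloseServiceHandle(schSCManager);   // the original leaked this handle
    if (!ok && err != 0)
        SetLastError(err);
    return ok;
}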
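// Entry point. "-i" / "-d" run the installer / uninstaller from an elevated
// console. With no arguments the process assumes it was launched by the SCM
// and hands control to StartServiceCtrlDispatcher, which runs ServiceMain on
// a new thread and returns only when the service has stopped.
// Exit code is 0 on success, 1 on any failure.
int main(int argc, char* argv[])
{
    if (argc > 1)
    {
        if (strcmp(argv[1], "-i") == 0) {
            if (InstallService()) {
                printf("\nMB Service Installed Sucessfully\n");
                return 0;
            }
            // The original printed "has been installed" on any failure; a
            // non-elevated console (access denied) is just as likely, so
            // show the real error code instead.
            printf("\nMB Service install failed (error %lu)\n", (unsigned long)GetLastError());
            return 1;
        } else if (strcmp(argv[1], "-d") == 0) {
            if (DeleteService()) {
                printf("\nMB Service UnInstalled Sucessfully\n");
                return 0;
            }
            printf("\nMB Service uninstall failed (error %lu)\n", (unsigned long)GetLastError());
            return 1;
        } else {
            // Usage text now names the real executable instead of "Servicetest".
            printf("\nUnknown Switch Usage\nFor Install use %s -i\nFor UnInstall use %s -d\n", argv[0], argv[0]);
            return 1;
        }
    }

    // Service mode. The table name must match the one registered in
    // InstallService and RegisterServiceCtrlHandler.
    SERVICE_TABLE_ENTRY DispatchTable[] = { { "Service2", ServiceMain }, { NULL, NULL } };
    if (!StartServiceCtrlDispatcher(DispatchTable))
    {
        // Error 1063 (ERROR_FAILED_SERVICE_CONTROLLER_CONNECT) means the exe
        // was double-clicked or run from a console instead of by the SCM.
        printf("\nStartServiceCtrlDispatcher failed (error %lu): use -i / -d, or start the service from the SCM\n",
               (unsigned long)GetLastError());
        return 1;
    }
    return 0;
}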
成功编译后生成 CreateService.exe。以管理员身份打开 cmd(向 SCM 创建服务需要管理员权限,否则 OpenSCManager 会因拒绝访问而失败),cd 到 CreateService.exe 所在目录,输入 CreateService.exe -i 安装服务。注意:服务将以 SYSTEM 运行,所以存放这个 exe 的目录不能让普通用户可写,否则能替换它的人就能拿到 SYSTEM 权限。
CreateService.exe -d 删除服务
有点繁琐。然后 开始 - 运行 - services.msc(注意是 services,不是 service),找到 MB Service,右键启动。
现在到任务管理器里看(需勾选“显示所有用户的进程”),CreateService.exe 的用户名应为 SYSTEM——因为 CreateService 的账户参数传的是 NULL,即 LocalSystem 账户。
不懂的再问我哈!Good Lucky
新建一个空的、名为 CreateService 的控制台工程,再新建一个 CreateService.cpp 文件,把下面的代码粘贴进去。注意必须作为 C++(.cpp)编译:代码里自定义的 DeleteService() 与 Win32 API 的 DeleteService(SC_HANDLE) 同名,依赖 C++ 的函数重载。
#include "Windows.h"
#include "Winsvc.h"
#include "time.h"
#include "stdio.h"
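// Status last reported to the SCM. Written by ServiceMain and by
// ServiceCtrlHandler, which the SCM invokes on a different thread.
SERVICE_STATUS m_ServiceStatus;
SERVICE_STATUS_HANDLE m_ServiceStatusHandle;
// Run flag: polled by ServiceMain's loop, cleared by ServiceCtrlHandler from
// another thread. Without volatile the compiler may hoist the load out of the
// loop and the service never notices the stop request. A cleaner design is an
// event object (CreateEvent / WaitForSingleObject), which also makes stops
// take effect immediately instead of after the next Sleep().
volatile BOOL bRunning = true;
void WINAPI ServiceMain(DWORD argc, LPTSTR *argv);
void WINAPI ServiceCtrlHandler(DWORD Opcode);
BOOL InstallService();
BOOL DeleteService();   // overloads Win32 DeleteService(SC_HANDLE); needs C++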
// Placeholder for the periodic work of the service; ServiceMain calls it
// every 3 seconds while the service is running. Whatever goes here runs
// under the service account (LocalSystem in this sample), so keep it minimal
// and treat every input it touches as untrusted.
void DoTask()
{
    /* intentionally empty: put the periodic work here */
}
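// Service entry point. The SCM calls it on a new thread after main() hands
// control to StartServiceCtrlDispatcher(). It registers the control handler,
// reports RUNNING, then calls DoTask() every 3 seconds until the handler
// clears bRunning. argc/argv are the SCM start parameters and are unused.
void WINAPI ServiceMain(DWORD argc, LPTSTR *argv)
{
    (void)argc;
    (void)argv;

    // Must match the SERVICE_WIN32_OWN_PROCESS used by InstallService.
    m_ServiceStatus.dwServiceType = SERVICE_WIN32_OWN_PROCESS;
    m_ServiceStatus.dwCurrentState = SERVICE_START_PENDING;
    m_ServiceStatus.dwControlsAccepted = SERVICE_ACCEPT_STOP;  // only STOP is advertised
    m_ServiceStatus.dwWin32ExitCode = 0;
    m_ServiceStatus.dwServiceSpecificExitCode = 0;
    m_ServiceStatus.dwCheckPoint = 0;
    m_ServiceStatus.dwWaitHint = 0;

    // Has to happen before any status report: this is the SCM's channel to us.
    m_ServiceStatusHandle = RegisterServiceCtrlHandler("Service2", ServiceCtrlHandler);
    if (m_ServiceStatusHandle == (SERVICE_STATUS_HANDLE)0)
    {
        // No handle means no way to report anything; the SCM will time out.
        return;
    }

    m_ServiceStatus.dwCurrentState = SERVICE_RUNNING;
    m_ServiceStatus.dwCheckPoint = 0;
    m_ServiceStatus.dwWaitHint = 0;
    if (!SetServiceStatus(m_ServiceStatusHandle, &m_ServiceStatus))
    {
        // The original ignored this failure and kept looping while the SCM
        // still believed we were START_PENDING. Report the error and exit.
        m_ServiceStatus.dwWin32ExitCode = GetLastError();
        m_ServiceStatus.dwCurrentState = SERVICE_STOPPED;
        SetServiceStatus(m_ServiceStatusHandle, &m_ServiceStatus);
        return;
    }

    // Work loop. bRunning is cleared by ServiceCtrlHandler on
    // SERVICE_CONTROL_STOP; because of the Sleep() a stop request can take
    // up to 3 s to be noticed.
    bRunning = true;
    while (bRunning)
    {
        Sleep(3000);
        DoTask();
    }

    // The handler normally reports SERVICE_STOPPED itself; cover any other
    // way out of the loop so the SCM is never left waiting.
    if (m_ServiceStatus.dwCurrentState != SERVICE_STOPPED)
    {
        m_ServiceStatus.dwCurrentState = SERVICE_STOPPED;
        m_ServiceStatus.dwCheckPoint = 0;
        m_ServiceStatus.dwWaitHint = 0;
        SetServiceStatus(m_ServiceStatusHandle, &m_ServiceStatus);
    }
}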
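// Control handler for "Service2", invoked by the SCM on its own thread (not
// the one running ServiceMain). Only STOP is advertised in dwControlsAccepted,
// so PAUSE/CONTINUE are kept for completeness but will not be sent unless
// dwControlsAccepted is extended in ServiceMain.
void WINAPI ServiceCtrlHandler(DWORD Opcode)
{
    switch (Opcode)
    {
    case SERVICE_CONTROL_PAUSE:
        m_ServiceStatus.dwCurrentState = SERVICE_PAUSED;
        break;
    case SERVICE_CONTROL_CONTINUE:
        m_ServiceStatus.dwCurrentState = SERVICE_RUNNING;
        break;
    case SERVICE_CONTROL_STOP:
        m_ServiceStatus.dwWin32ExitCode = 0;
        m_ServiceStatus.dwCurrentState = SERVICE_STOPPED;
        m_ServiceStatus.dwCheckPoint = 0;
        m_ServiceStatus.dwWaitHint = 0;
        // NOTE(review): STOPPED is reported before ServiceMain's loop has
        // actually exited (it may still be inside Sleep/DoTask). The cleaner
        // protocol is STOP_PENDING here and STOPPED from ServiceMain after
        // the loop; kept as-is so this block stands on its own.
        SetServiceStatus(m_ServiceStatusHandle, &m_ServiceStatus);
        bRunning = false;   // tells the ServiceMain loop to exit
        return;             // handle is no longer valid after STOPPED
    case SERVICE_CONTROL_INTERROGATE:
        // Nothing to change; the SCM just wants the current status re-sent.
        break;
    default:
        // Unknown control code: ignore it, but still answer with our status.
        break;
    }
    // The original never reported after PAUSE/CONTINUE/INTERROGATE, so the
    // SCM could not learn about the new state. Every handled control must be
    // answered with SetServiceStatus.
    SetServiceStatus(m_ServiceStatusHandle, &m_ServiceStatus);
}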
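// Registers this executable with the SCM as service "Service2" (display
// name "MB Service"), demand-start, running as LocalSystem (NULL account and
// NULL password in CreateService) — that is what makes Task Manager show
// the user as SYSTEM.
// The caller must be elevated: creating a service needs administrator rights
// and OpenSCManager fails with ERROR_ACCESS_DENIED otherwise.
// Security: because the service runs as SYSTEM, the directory holding the
// binary must not be writable by standard users; anyone who can replace the
// file gets SYSTEM on next start.
// Returns true on success, false on failure (GetLastError() says why).
BOOL InstallService()
{
    // Use the real path of this executable. The original glued a fixed file
    // name onto the current directory, which is wrong as soon as the tool is
    // run from anywhere else, and did not check for truncation.
    char exePath[MAX_PATH];
    DWORD len = GetModuleFileName(NULL, exePath, MAX_PATH);
    if (len == 0 || len >= MAX_PATH)
        return false;   // failed or truncated

    // Quote the path. An unquoted path containing spaces is the classic
    // "unquoted service path" privilege escalation: the SCM would try
    // C:\Program.exe before C:\Program Files\...\CreateService.exe.
    char binPath[MAX_PATH + 3];
    binPath[0] = '"';
    memcpy(binPath + 1, exePath, len);   // memcpy comes from the same header as the original strcat
    binPath[len + 1] = '"';
    binPath[len + 2] = '\0';

    // Least privilege: we only create a service, we do not need full control.
    SC_HANDLE schSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_CREATE_SERVICE);
    if (schSCManager == NULL)
        return false;

    SC_HANDLE schService = CreateService(
        schSCManager,
        "Service2",                 // internal service name (used by the dispatcher table)
        "MB Service",               // display name shown in services.msc
        SERVICE_QUERY_STATUS,       // access on the returned handle; we only close it
        SERVICE_WIN32_OWN_PROCESS,  // must match dwServiceType in ServiceMain
        SERVICE_DEMAND_START,       // started manually (services.msc / sc start)
        SERVICE_ERROR_NORMAL,       // error control type
        binPath,                    // quoted path of this executable
        NULL,                       // no load ordering group
        NULL,                       // no tag identifier
        NULL,                       // no dependencies
        NULL,                       // NULL account = LocalSystem (SYSTEM)
        NULL);                      // no password
    BOOL ok = (schService != NULL);
    DWORD err = ok ? 0 : GetLastError();   // CloseServiceHandle may clobber it
    if (ok)
        CloseServiceHandle(schService);
    CloseServiceHandle(schSCManager);      // the original leaked this handle on every path
    if (!ok)
        SetLastError(err);
    return ok;
}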
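// Unregisters service "Service2". Must be run elevated. This zero-argument
// function overloads the Win32 DeleteService(SC_HANDLE) it calls internally,
// which is why the file has to be compiled as C++.
// Returns true if the service was marked for deletion and the handle closed
// cleanly; false if the SCM or the service could not be opened or deletion
// failed (GetLastError() has the code). A running service is only marked for
// deletion and disappears once it stops and all handles are closed.
BOOL DeleteService()
{
    // Connecting is all we need at the manager level.
    SC_HANDLE schSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_CONNECT);
    if (schSCManager == NULL)
        return false;

    BOOL ok = false;
    DWORD err = 0;
    // DELETE is the only right DeleteService(SC_HANDLE) requires.
    SC_HANDLE hService = OpenService(schSCManager, "Service2", DELETE);
    if (hService != NULL)
    {
        ok = (DeleteService(hService) != 0);   // Win32 overload
        if (!ok)
            err = GetLastError();
        if (!CloseServiceHandle(hService))   // original also failed on a bad close
            ok = false;
    }
    else
    {
        err = GetLastError();
    }
    CloseServiceHandle(schSCManager);   // the original leaked this handle
    if (!ok && err != 0)
        SetLastError(err);
    return ok;
}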
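// Entry point. "-i" / "-d" run the installer / uninstaller from an elevated
// console. With no arguments the process assumes it was launched by the SCM
// and hands control to StartServiceCtrlDispatcher, which runs ServiceMain on
// a new thread and returns only when the service has stopped.
// Exit code is 0 on success, 1 on any failure.
int main(int argc, char* argv[])
{
    if (argc > 1)
    {
        if (strcmp(argv[1], "-i") == 0) {
            if (InstallService()) {
                printf("\nMB Service Installed Sucessfully\n");
                return 0;
            }
            // The original printed "has been installed" on any failure; a
            // non-elevated console (access denied) is just as likely, so
            // show the real error code instead.
            printf("\nMB Service install failed (error %lu)\n", (unsigned long)GetLastError());
            return 1;
        } else if (strcmp(argv[1], "-d") == 0) {
            if (DeleteService()) {
                printf("\nMB Service UnInstalled Sucessfully\n");
                return 0;
            }
            printf("\nMB Service uninstall failed (error %lu)\n", (unsigned long)GetLastError());
            return 1;
        } else {
            // Usage text now names the real executable instead of "Servicetest".
            printf("\nUnknown Switch Usage\nFor Install use %s -i\nFor UnInstall use %s -d\n", argv[0], argv[0]);
            return 1;
        }
    }

    // Service mode. The table name must match the one registered in
    // InstallService and RegisterServiceCtrlHandler.
    SERVICE_TABLE_ENTRY DispatchTable[] = { { "Service2", ServiceMain }, { NULL, NULL } };
    if (!StartServiceCtrlDispatcher(DispatchTable))
    {
        // Error 1063 (ERROR_FAILED_SERVICE_CONTROLLER_CONNECT) means the exe
        // was double-clicked or run from a console instead of by the SCM.
        printf("\nStartServiceCtrlDispatcher failed (error %lu): use -i / -d, or start the service from the SCM\n",
               (unsigned long)GetLastError());
        return 1;
    }
    return 0;
}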
成功编译后生成 CreateService.exe。以管理员身份打开 cmd(向 SCM 创建服务需要管理员权限,否则 OpenSCManager 会因拒绝访问而失败),cd 到 CreateService.exe 所在目录,输入 CreateService.exe -i 安装服务。注意:服务将以 SYSTEM 运行,所以存放这个 exe 的目录不能让普通用户可写,否则能替换它的人就能拿到 SYSTEM 权限。
CreateService.exe -d 删除服务
有点繁琐。然后 开始 - 运行 - services.msc(注意是 services,不是 service),找到 MB Service,右键启动。
现在到任务管理器里看(需勾选“显示所有用户的进程”),CreateService.exe 的用户名应为 SYSTEM——因为 CreateService 的账户参数传的是 NULL,即 LocalSystem 账户。
不懂的再问我哈!Good Lucky
这个比较复杂
我所知道的方法有三种
一、你可以创建一个服务进程,这是最简单的创建系统进程的方法,ATL 服务进程和一般的服务进程都可以;但要想带界面就比较麻烦,因为服务默认不能直接和用户桌面交互。
二、注入到系统进程,再由系统进程创建进程,这时候创建的进程就具有系统权限。可以通过 API HOOK 或 HOOK 消息,也可以通过远程线程注入,但是这样做不太稳定,很容易被杀毒软件和系统自身的防护拦截。
三、提升创建进程/线程时所用的用户权限,换言之就是用更高权限的令牌去创建进程或线程,可以通过 Win32 的令牌相关 API 实现,前提是当前账户本身已经具备相应的特权(例如管理员),具体 API 可以查 API 使用手册。
我所知道的方法有三种
一、你可以创建一个服务进程,这是最简单的创建系统进程的方法,ATL 服务进程和一般的服务进程都可以;但要想带界面就比较麻烦,因为服务默认不能直接和用户桌面交互。
二、注入到系统进程,再由系统进程创建进程,这时候创建的进程就具有系统权限。可以通过 API HOOK 或 HOOK 消息,也可以通过远程线程注入,但是这样做不太稳定,很容易被杀毒软件和系统自身的防护拦截。
三、提升创建进程/线程时所用的用户权限,换言之就是用更高权限的令牌去创建进程或线程,可以通过 Win32 的令牌相关 API 实现,前提是当前账户本身已经具备相应的特权(例如管理员),具体 API 可以查 API 使用手册。
这个问题问得有点可疑,一看就像是想做木马的。你用 VC++ 编译出来的程序是你自己用手点运行的吧,那肯定就是用户进程。想把你的用户程序直接变成系统程序,你觉得微软能让这么做吗?(实际上,按上面回答那样通过服务控制管理器注册为服务,就可以以 LocalSystem 运行。)你可以做个挂靠的文件,和系统文件名称相同,骗过系统:第一次运行是你人为触发(也可以是某种条件触发),然后你挂靠的假的系统文件再自动触发你的程序。
还有种就是系统运行你的程序时需要调用你的数据库,这时候你某个程序在进程里就显示 SYSTEM。这样的程序大部分都是做成服务的。
还有种就是系统运行你的程序时需要调用你的数据库,这时候你某个程序在进程里就显示 SYSTEM。这样的程序大部分都是做成服务的。
好问题,收藏
标记一下,好东西