#define WIN32_LEAN_AND_MEAN
#define UNICODE
#define _UNICODE
#include <windows.h>
#include <stdio.h>
#include <conio.h>
#include <tchar.h>
//#define AH_STATIC_LINKING
#include <ApiHooks.h>
//#define PW_STATIC_LINKING
#include <PrcWorks.h>
// Entry of the original NtCreateProcess / NtCreateProcessEx (filled in by HookApi
// in _tmain); the hook tail-jumps here after patching its argument.
PVOID OldNtCPCommon = NULL;
// Handle the hook substitutes for the ParentProcess argument. Written by _tmain
// (opened with PROCESS_CREATE_PROCESS only) and read by NewNtCPCommon via its symbol.
HANDLE hParent = NULL;
//simplified common hook (otherwise two procedures would be needed)
// Hook body shared by NtCreateProcess and NtCreateProcessEx. It is naked, so on entry
// [esp] holds the return address and [esp+4], [esp+8], [esp+12], [esp+16] are the
// caller's first four stack arguments; the fourth one is overwritten with hParent
// (in the NtCreateProcess(Ex) prototype that slot is ParentProcess -- confirm against
// the ntdll headers in use). One body suffices for both exports because the patched
// argument sits at the same offset in each. No return type is declared (implicit int,
// accepted by the MSVC of the era); the original routine's status goes straight back
// to the caller because control is tail-jumped, not called. Any process handle the
// hook installs must carry PROCESS_CREATE_PROCESS, or the kernel rejects it.
__declspec(naked) NewNtCPCommon(...) {
__asm { mov eax, hParent   // spoofed parent handle, set by _tmain before CreateProcess
mov [esp+16], eax          // replace the 4th stack argument in place
jmp OldNtCPCommon          // continue in the original routine; it returns directly to the caller
}
}
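// Enables SeDebugPrivilege (LUID 20) in the process token through the undocumented
// ntdll!RtlAdjustPrivilege, exactly as the original did. Without it OpenProcess on a
// system process such as winlogon.exe fails even for PROCESS_CREATE_PROCESS.
// Returns TRUE only when the routine was resolved and reported STATUS_SUCCESS (0);
// FALSE when ntdll or the export cannot be found or the privilege is not held.
static BOOL EnableDebugPrivilege(void) {
    typedef LONG (WINAPI *TRAP)(DWORD, BOOL, DWORD, BYTE*);
    HINSTANCE hntdll = GetModuleHandle(_T("ntdll.dll"));
    if(!hntdll)
        return FALSE;
    TRAP RAP = (TRAP)GetProcAddress(hntdll, "RtlAdjustPrivilege");
    if(!RAP)
        return FALSE;
    BYTE WasEn = 0;  // previous enable state; not needed, the privilege is never restored
    // (20 = SeDebugPrivilege, TRUE = enable, 0 = adjust the process token, not the thread's)
    return RAP(20, TRUE, 0, &WasEn) == 0;
}

// Resolves the PID to be recorded as parent. With one argument the parent defaults to
// winlogon.exe (looked up by PrcWorks); with two, argv[1] must be a decimal PID.
// Returns FALSE when argv[1] does not parse -- the original ignored the scanf result,
// left the sentinel in place and later failed in OpenProcess with a misleading message.
static BOOL ResolveParentPID(int argc, TCHAR** argv, DWORD* ParentPID) {
    if(argc == 2) {
        *ParentPID = ProcessName2PID(_T("winlogon.exe"));
        return TRUE;
    }
    return _stscanf(argv[1], _T("%u"), ParentPID) == 1;
}

// Entry point. Usage: ERunAs2 [ParentPID] <"CommandLine">
// Starts CommandLine so that the kernel records ParentPID (default: winlogon.exe) as
// its parent: ntdll's NtCreateProcess / NtCreateProcessEx is inline-hooked in this
// process and the hook swaps the ParentProcess argument for hParent. This is parent
// process spoofing -- the child gets its real token and environment from this process,
// but anything that walks the parent chain (Task Manager, process-tree based detection)
// shows it under ParentPID. Every failure prints a message and then waits for a key
// so the console output can be read.
VOID _tmain(int argc, TCHAR** argv) {
    BOOL NoError = FALSE;
    if(argc < 2) {
        _tprintf(_T("Usage: ERunAs2 [ParentPID] <\"CommandLine\">"));
    }
    else {
        // Best effort, as before: report but continue, because an already privileged
        // token or an unprotected parent may still work without the privilege.
        if(!EnableDebugPrivilege())
            _tprintf(_T("Warning: SeDebugPrivilege could not be enabled, opening \"ParentPID\" may fail.\n"));
        // PW_MEMERROR is presumably the PrcWorks failure value for ProcessName2PID -- TODO confirm;
        // it is kept as the initial value so a failed lookup still reaches the OpenProcess error path.
        DWORD ParentPID = PW_MEMERROR;
        if(!ResolveParentPID(argc, argv, &ParentPID)) {
            _tprintf(_T("\"ParentPID\" is not a number!\n"));
            _tprintf(_T("Usage: ERunAs2 [ParentPID] <\"CommandLine\">"));
        }
        else {
            // NOTE(review): original hack kept verbatim. It closes whatever object occupies
            // handle value 4, relying on an undocumented assumption about the handle table
            // (the original comment claims it yields full access to itself). If the slot
            // holds something else, closing it breaks that object's owner; an invalid value
            // raises STATUS_INVALID_HANDLE under a debugger.
            CloseHandle((HANDLE)4); //optional - full access for itself
            // PROCESS_CREATE_PROCESS is the minimum right the kernel requires of a handle
            // passed as ParentProcess -- least privilege, no PROCESS_ALL_ACCESS needed.
            hParent = OpenProcess(PROCESS_CREATE_PROCESS, FALSE, ParentPID);
            if(!hParent) {
                DWORD err = GetLastError();  // capture before printing; _tprintf may clobber it
                _tprintf(_T("Can't open process represented by \"ParentPID\"!"));
                _tprintf(_T(" (error %u)"), err);
            }
            else {
                STARTUPINFO si = {sizeof(si)};
                PROCESS_INFORMATION pi;
                // GetVersion packs major in the low byte and minor in the byte above it;
                // fold to 0xMMmm so that 0x500 is NT 5.0 (Windows 2000). Newer releases go
                // through NtCreateProcessEx, older ones through NtCreateProcess, and the
                // hook has to land on the export CreateProcess actually calls.
                DWORD ntver = GetVersion();
                ntver = LOBYTE(ntver) * 256 + HIBYTE(ntver);
                // In-process overwrite hook of the ntdll export (HOOK_NOT_9X: the trick needs
                // the NT native API). It is never removed, which is only acceptable because
                // the process exits right after the single CreateProcess call.
                if(HookApi(_T("ntdll.dll"),
                           ntver > 0x500 ? _T("NtCreateProcessEx") : _T("NtCreateProcess"),
                           HOOK_OVERWRITE | HOOK_NOT_9X, &OldNtCPCommon, NULL, NewNtCPCommon, NULL)
                   != ErrorAWSuccess) {
                    _tprintf(_T("Can't hook NtCP(Ex)!"));
                }
                else if(!CreateProcess(NULL, argc > 2 ? argv[2] : argv[1], NULL, NULL, FALSE, 0, NULL, NULL,
                                       &si, &pi)) {
                    DWORD err = GetLastError();
                    _tprintf(_T("Can't create target process!"));
                    _tprintf(_T(" (error %u)"), err);
                }
                else {
                    // The child's handles are not used; release them so nothing leaks.
                    CloseHandle(pi.hProcess);
                    CloseHandle(pi.hThread);
                    NoError = TRUE;
                }
                CloseHandle(hParent);
                hParent = NULL;  // the (still installed) hook must not see a closed handle
            }
        }
    }
    if(!NoError)
        getch();
}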