我正在尝试从提升的进程创建一个中或低完整性进程。我知道还有其他类似的问题,但它们主要集中在解决方法上,例如使用资源管理器或任务计划程序,我想坚持使用 CreateRestrictedToken() + CreateProcessAsUser() .
我认为一定可以以某种方式执行此操作,因为我相信 UAC 在您登录时会这样做,但我无法让令牌中的所有内容看起来像普通的 UAC Medium IL 令牌。
您可以通过使用 CreateRestrictedToken(hThisProcessToken, LUA_TOKEN, ...) 创建令牌,然后在调用 CreateProcessAsUser() 之前设置 TokenOwner 、 TokenDefaultDacl 和 TokenIntegrityLevel 来获得 80%。
其余的问题是TokenVirtualizationAllowed、TokenVirtualizationEnabled、TokenElevation、TokenElevationType和TokenMandatoryPolicy SetTokenInformation()因ERROR_PRIVILEGE_NOT_HELD或ERROR_INVALID_PARAMETER而失败。
如果我以 SYSTEM @ SECURITY_MANDATORY_SYSTEM_RID 身份运行并启用所有权限,而不是管理员 @ SECURITY_MANDATORY_HIGH_RID,那么我可以设置TokenMandatoryPolicy并TokenVirtualization*但设置TokenElevation*仍然失败!(到目前为止仅在Windows 8上测试过)
令牌中没有正确的TokenElevation*值是一个大问题,因为 Internet Explorer 无法在保护模式下启动,因为它认为令牌已提升。
SetTokenInformation()的文档没有说明可以设置哪些TOKEN_INFORMATION_CLASS项目以及需要哪些权限(如果有),我不明白为什么不允许您将这些设置为与令牌的实际完整性级别(TokenIntegrityLevel)匹配的较低安全值。
使用更安全的 API 创建SAFER_LEVELID_NORMALUSER令牌不会解决任何这些问题,并且还会创建比普通中等 IL 令牌更受限制的令牌。
我发现有人在早期的Vista/Longhorn时代遇到了类似的问题,从那时起没有任何变化吗?
function CreateLowProcess(szProcessName: WideString; const IntegritySid: UnicodeString=''): Boolean;
var
hToken: THandle;
hNewToken: THandle;
szIntegritySid: WideString;
pIntegritySid: PSID;
TIL: TOKEN_MANDATORY_LABEL;
ProcInfo: PROCESS_INFORMATION;
startupInfo: TStartupInfo;
const
SE_GROUP_INTEGRITY = $00000020;
TokenIntegrityLevel = 25;
SLowIntegritySid: UnicodeString = 'S-1-16-4096';
SMediumIntegritySid: UnicodeString = 'S-1-16-8192';
SHighIntegritySid: UnicodeString = 'S-1-16-12288';
SSystemIntegritySid: UnicodeString = 'S-1-16-16384';
begin
{
Designing Applications to Run at a Low Integrity Level
http://msdn.microsoft.com/en-us/library/bb625960.aspx
To start a low-integrity process:
- Duplicate the handle of the current process, which is at medium integrity level.
- Use SetTokenInformation to set the integrity level in the access token to Low.
- Use CreateProcessAsUser to create a new process using the handle to the low integrity access token.
CreateProcessAsUser updates the security descriptor in the new child process and the security descriptor
for the access token to match the integrity level of the low-integrity access token.
}
// Low integrity SID
if IntegritySid <> '' then
szIntegritySid := IntegritySid
else
szIntegritySid := SLowIntegritySid;
// szIntegritySid := 'S-1-5-32-545'; //BUILTINUSERS
ZeroMemory(@startupInfo, sizeof(startupInfo));
if (not OpenProcessToken(GetCurrentProcess(), TOKEN_DUPLICATE or TOKEN_ADJUST_DEFAULT or TOKEN_QUERY or TOKEN_ASSIGN_PRIMARY,
{var}hToken)) then
RaiseLastOSError;
try
if (not DuplicateTokenEx(hToken, 0, nil, SecurityImpersonation, TokenPrimary, {var}hNewToken)) then
RaiseLastOSError;
try
pIntegritySid := StringToSid(szIntegritySid); //free with LocalFree
try
TIL._Label.Attributes := SE_GROUP_INTEGRITY;
TIL._Label.Sid := pIntegritySid;
// Set the process integrity level
if (not SetTokenInformation(hNewToken, TTokenInformationClass(TokenIntegrityLevel), @TIL,
sizeof(TOKEN_MANDATORY_LABEL) + GetLengthSid(pIntegritySid))) then
RaiseLastOSError;
//Create the new process at Low integrity
Result := CreateProcessAsUserW(
hNewToken,
nil,
PWideChar(szProcessName),
nil, //ProcessAttributes
nil, //ThreadAttributes
False, //bInheritHandles
0, //dwCreationFlags
nil, //lpEnvironment
nil, //lpCurrentDirectory
startupInfo,
ProcInfo);
finally
LocalFree(HLOCAL(pIntegritySid));
end;
finally
CloseHandle(hNewToken);
end;
finally
CloseHandle(hToken);
end;
end;