|
阅读:2093回复:12
更改注册表问题
有什么方法可以更改
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB 下载的键值 万分感谢 |
|
|
沙发#
发布于:2005-01-13 08:09
如果XP以上,更改键值的访问权限,
如果2k,使用regedt32更改和操作 |
|
|
|
板凳#
发布于:2005-01-13 10:17
regedit
|
|
|
地板#
发布于:2005-01-15 13:36
2K,用regedit不能更改
|
|
|
|
地下室#
发布于:2005-01-15 13:37
regedt32也不能改 :(
|
|
|
|
5楼#
发布于:2005-01-15 13:39
我改的是DeviceDesc的值
安全模式下也不能改 我想应该可以用vc改吧 [编辑 - 1/15/05 by xiaofan123] [编辑 - 1/15/05 by xiaofan123] |
|
|
6楼#
发布于:2005-01-16 12:58
有些注册表的地方是不能修改的,你的这个不知道是不是权限问题。你可以参考一下BO2K的那个拷贝SAM文件的方法,他是更改了注册表以后实现的。如果还是不行看看这个有没有帮助:
/* su切换用户 * 2004/12/28 1.0,发现Bingle的wsu是假冒令牌,权限并没有真正设置. * 2004/12/29 2.0,真正实现模拟用户令牌的动作. * 2004/12/29 3.0,即使帐号禁止也可以模拟用户 * 2004/12/30 4.0, 可以模拟SYSTEM用户,权限24个,全部默认开放 * 2004/12/30 4.1 终端登陆用户可以获取管理员组/SYSTEM权限.普通用户失败. * 2005/01/06 4.2 modified a bug */ #include <stdio.h> #include <stdlib.h> #include <winsock2.h> #include <lm.h> #include <Ntsecapi.h> #include <Accctrl.h> #include <Aclapi.h> #include <Tlhelp32.h> #include <windows.h> #pragma comment(lib,"ws2_32") #pragma comment(lib,"Advapi32") #pragma comment(lib,"User32") #pragma comment(lib,"Netapi32") #define SIZE 1024 #define VERSION "4.2" #define STATUS_SUCCESS ((NTSTATUS)0x00000000L) #define WINSTA_ALL (WINSTA_ACCESSCLIPBOARD|WINSTA_ACCESSGLOBALATOMS|WINSTA_CREATEDESKTOP| WINSTA_ENUMDESKTOPS|WINSTA_ENUMERATE|WINSTA_EXITWINDOWS|WINSTA_READATTRIBUTES | WINSTA_READSCREEN|WINSTA_WRITEATTRIBUTES|DELETE|READ_CONTROL| WRITE_DAC|WRITE_OWNER) #define DESKTOP_ALL (DESKTOP_CREATEMENU|DESKTOP_CREATEWINDOW|DESKTOP_ENUMERATE|DESKTOP_HOOKCONTROL|DESKTOP_JOURNALPLAYBACK|DESKTOP_JOURNALRECORD|DESKTOP_READOBJECTS | DESKTOP_SWITCHDESKTOP|DESKTOP_WRITEOBJECTS|DELETE|READ_CONTROL| WRITE_DAC|WRITE_OWNER) #define GENERIC_ACCESS (GENERIC_READ|GENERIC_WRITE|GENERIC_EXECUTE|GENERIC_ALL) #define SE_GROUP_RESOURCE (0x20000000L) typedef struct _OBJECT_ATTRIBUTES { ULONG Length; HANDLE RootDirectory; PUNICODE_STRING ObjectName; ULONG Attributes; PVOID SecurityDescriptor; PVOID SecurityQualityOfService; } OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES; typedef enum _LSA_TOKEN_INFORMATION_TYPE { LsaTokenInformationNull, // Implies LSA_TOKEN_INFORMATION_NULL data type LsaTokenInformationV1, // Implies LSA_TOKEN_INFORMATION_V1 data type LsaTokenInformationV2 // Implies LSA_TOKEN_INFORMATION_V2 data type } LSA_TOKEN_INFORMATION_TYPE, *PLSA_TOKEN_INFORMATION_TYPE; typedef struct _LSA_TOKEN_INFORMATION_NULL { LARGE_INTEGER ExpirationTime; PTOKEN_GROUPS Groups; } LSA_TOKEN_INFORMATION_NULL, *PLSA_TOKEN_INFORMATION_NULL; typedef NTSTATUS (__stdcall *PNtCreateToken)( PHANDLE TokenHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, TOKEN_TYPE TokenType, PLUID AuthenticationId, PLARGE_INTEGER ExpirationTime, PTOKEN_USER TokenUser, PTOKEN_GROUPS TokenGroups, PTOKEN_PRIVILEGES TokenPrivileges, PTOKEN_OWNER TokenOwner, PTOKEN_PRIMARY_GROUP TokenPrimaryGroup, PTOKEN_DEFAULT_DACL TokenDefaultDacl, PTOKEN_SOURCE TokenSource ); typedef struct _PROFILEINFO { DWORD dwSize; DWORD dwFlags; LPTSTR lpUserName; LPTSTR lpProfilePath; LPTSTR lpDefaultPath; LPTSTR lpServerName; LPTSTR lpPolicyPath; HANDLE hProfile; } PROFILEINFO, *LPPROFILEINFO; typedef BOOL (__stdcall *PLoadUserProfile)( HANDLE hToken, // user token LPPROFILEINFO lpProfileInfo // profile ); typedef BOOL (__stdcall *PUnloadUserProfile)( HANDLE hToken, // user token HANDLE hProfile // handle to registry key ); BOOL cback = 0; char *system_user = NULL; int lsasspid = 0; unsigned int DebugLevel = 7; /* 函数定义开始 */ void usage(char *s); int GrantPriv(); HANDLE CreateTokenAsUser(char *user); BOOL ConvertSidToStringSid(PSID pSid,LPTSTR TextualSid, LPDWORD lpdwBufferLen); BOOL GetUserGroup(char *username,char ***name,int *groupcount); PSID GetUserSid(char *LookupUser); HANDLE NtCreateTokenAsuser(char *user); int GrantPrivFromLsass(int pid); void *GetFromToken(HANDLE hToken, TOKEN_INFORMATION_CLASS tic); void pfree(void *p); LUID GetLuidFromText(char *s); TOKEN_PRIVILEGES *MakeAdminPriv(); BOOL AddUserPrivToHandle(HANDLE Hhandle,char *s,ACCESS_MODE mode); /* 函数定义结束 */ int main(int argc,char **argv) { int i; WSADATA wsd; HANDLE NewToken; PLoadUserProfile LoadUserProfile; PUnloadUserProfile UnloadUserProfile; HMODULE UserenvModule; printf( "su.exe like unix su tool,version %s \n" "by bkbll (bkbll#cnhonker.net) http://www.cnhonker.com\n\n",VERSION); if((argc>1) && (strnicmp(argv[1],"-h",2) == 0)) { usage(argv[0]); return -1; } for(i=1;i<argc;i+=2) { if(strlen(argv) != 2) { usage(argv[0]); return -1; } switch(argv[1]) { case 'u': system_user = argv[i+1]; break; case 'D': DebugLevel = atoi(argv[i+1]); break; } } if(system_user == NULL) { usage(argv[0]); return -1; } UserenvModule = LoadLibrary("Userenv.dll"); if(UserenvModule == NULL ) { printf("[-] GetModuleHandle Userenv error:%d\n",GetLastError()); return -1; } LoadUserProfile = (PLoadUserProfile) GetProcAddress(UserenvModule,"LoadUserProfileA"); if(LoadUserProfile == NULL) { printf("[-] GetProcAddress LoadUserProfile error:%d\n",GetLastError()); return -1; } UnloadUserProfile = (PUnloadUserProfile) GetProcAddress(UserenvModule,"UnloadUserProfile"); if(UnloadUserProfile == NULL) { printf("[-] GetProcAddress UnloadUserProfile error:%d\n",GetLastError()); return -1; } if (WSAStartup(MAKEWORD(2,2), &wsd) != 0) { printf("[-] WSAStartup error:%d\n", WSAGetLastError()); return -1; } //首先建立一个TOKEN,这里假设是ADMIN用户 //提升自己权限,先. printf("[+] Enable SeDebugPrivilege..\n"); if(GrantPriv("SeDebugPrivilege") < 0) return -1; printf("[+] Get Lsass.exe Pid...."); fflush(NULL); lsasspid = GetPidOfProcess("lsass.exe"); if(lsasspid == -1) { printf("Get Pid of services failed\n"); return -1; } printf("%d\n",lsasspid); //从Lsass继承权限. printf("[+] GrantPrivilege From Lsass ....\n"); if(GrantPrivFromLsass(lsasspid) == 0) { //建立一个TOKEN //NewToken = CreateTokenAsUser(system_user); printf("[+] Calling NtCreateTokenAsuser ...\n"); NewToken = NtCreateTokenAsuser(system_user); if(NewToken != INVALID_HANDLE_VALUE) { STARTUPINFO si; PROCESS_INFORMATION pi; PROFILEINFO ProfileInfo; printf("[+] CreateProcess By that Token...\n"); fflush(stdout); Sleep(1000); LoadUserProfile(NewToken,&ProfileInfo); ZeroMemory( &si, sizeof(si) ); si.cb = sizeof(si); //si.lpDesktop = TEXT("winstaABC\\testdesktop"); ZeroMemory( &pi, sizeof(pi) ); if( !CreateProcessAsUser( NewToken, NULL, // No module name (use command line). "cmd", // Command line. NULL, // Process handle not inheritable. NULL, // Thread handle not inheritable. TRUE, // Set handle inheritance to FALSE. 0, // No creation flags. NULL, // Use parent's environment block. NULL, // Use parent's starting directory. &si, // Pointer to STARTUPINFO structure. &pi ) // Pointer to PROCESS_INFORMATION structure. ) { printf( "CreateProcessAsuser failed:%d.",GetLastError()); exit(0); } // Wait until child process exits. WaitForSingleObject( pi.hProcess, INFINITE ); // Close process and thread handles. CloseHandle( pi.hProcess ); CloseHandle( pi.hThread ); printf("[-] Process exited.\n"); UnloadUserProfile(NewToken,ProfileInfo.hProfile); CloseHandle(NewToken); //用这个Token建立进程 } } WSACleanup(); exit(0); } //获得指定exe的PID int GetPidOfProcess(char *exe) { HANDLE hProcessSnap = NULL; BOOL bRet = FALSE; PROCESSENTRY32 pe32; int pid; memset(&pe32,0,sizeof(PROCESSENTRY32)); pid = -1; hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0); if (hProcessSnap == INVALID_HANDLE_VALUE) { printf("CreateToolhelp32Snapshot Failed:%d\n",GetLastError()); return pid; } //copy from MSDN pe32.dwSize = sizeof(PROCESSENTRY32); if (Process32First(hProcessSnap, &pe32)) { do { if(stricmp(pe32.szExeFile,exe) == 0) { pid = pe32.th32ProcessID; break; } //printf( "PID:%d\n", pe32.th32ProcessID); //printf( "exepath:%s\n", pe32.szExeFile); } while(Process32Next(hProcessSnap, &pe32)); } else return pid; // Do not forget to clean up the snapshot object. CloseHandle(hProcessSnap); return pid; } //返回指定用户/组的SID PSID GetUserSid(char *LookupUser) { SID *GroupSid; //char StringSid[SIZE]; //DWORD SidSize,GroupCount; char *DomainName; //**UserGroup,*CurrentUser; DWORD cbSid,cbDomainName; SID_NAME_USE peUse; int ErrorCode,i; cbDomainName = 0; cbSid = 0; LookupAccountName(NULL,LookupUser,NULL,&cbSid,NULL,&cbDomainName,&peUse); ErrorCode = GetLastError(); if(ErrorCode == ERROR_INSUFFICIENT_BUFFER) //122 { //printf("Buffer is small. require cbSid %d bytes,cbDomainName %d bytes\n",cbSid,cbDomainName); GroupSid = (SID *) malloc(cbSid + 1); DomainName = (char*) malloc(cbDomainName + 1); if((GroupSid == NULL) || (DomainName == NULL)) { printf("Malloc failed:%d\n",GetLastError()); return NULL; } memset(GroupSid,0,cbSid + 1); memset(DomainName,0,cbDomainName + 1); } else { printf("LookupAccountName in GetUserSid(\"%s\") Failed:%d\n",LookupUser,ErrorCode); return NULL; } if(!LookupAccountName(NULL,LookupUser,GroupSid,&cbSid,DomainName,&cbDomainName,&peUse)) { printf("LookupAccountName GetUserSid(\"%s\") After Malloc Failed:%d\n",LookupUser,GetLastError()); return NULL; } pfree(DomainName); return GroupSid; } //建立Administrators和SYSTEM 共用的privilege TOKEN_PRIVILEGES *MakeAdminPriv() { TOKEN_PRIVILEGES *token_privileges; DWORD i,PrivilegeCount; i = 0; PrivilegeCount = 24; token_privileges = (PTOKEN_PRIVILEGES) malloc(4 + (3*4)*PrivilegeCount + 4); if(token_privileges == NULL) { printf("malloc failed for PTOKEN_PRIVILEGES in NtCreateTokenAsuser\n"); return NULL; } token_privileges->PrivilegeCount = PrivilegeCount; //0 token_privileges->Privileges.Attributes = 3; token_privileges->Privileges[i++].Luid = GetLuidFromText("SeTcbPrivilege"); //1 token_privileges->Privileges.Attributes = 3; token_privileges->Privileges[i++].Luid = GetLuidFromText("SeCreateTokenPrivilege"); //2 token_privileges->Privileges.Attributes = 3; token_privileges->Privileges[i++].Luid = GetLuidFromText("SeTakeOwnershipPrivilege"); //3 token_privileges->Privileges.Attributes = 3; token_privileges->Privileges[i++].Luid = GetLuidFromText("SeCreatePagefilePrivilege"); //4 token_privileges->Privileges.Attributes = 3; token_privileges->Privileges[i++].Luid = GetLuidFromText("SeLockMemoryPrivilege"); //5 token_privileges->Privileges.Attributes = 3; token_privileges->Privileges[i++].Luid = GetLuidFromText("SeAssignPrimaryTokenPrivilege"); //6 token_privileges->Privileges.Attributes = 3; token_privileges->Privileges[i++].Luid = GetLuidFromText("SeIncreaseQuotaPrivilege"); //7 token_privileges->Privileges.Attributes = 3; token_privileges->Privileges[i++].Luid = GetLuidFromText("SeIncreaseBasePriorityPrivilege"); //8 token_privileges->Privileges.Attributes = 3; token_privileges->Privileges[i++].Luid = GetLuidFromText("SeCreatePermanentPrivilege"); //9 token_privileges->Privileges.Attributes = 3; token_privileges->Privileges[i++].Luid = GetLuidFromText("SeDebugPrivilege"); //10 token_privileges->Privileges.Attributes = 3; token_privileges->Privileges[i++].Luid = GetLuidFromText("SeAuditPrivilege"); //11 token_privileges->Privileges.Attributes = 3; token_privileges->Privileges[i++].Luid = GetLuidFromText("SeSecurityPrivilege"); //12 token_privileges->Privileges.Attributes = 3; token_privileges->Privileges[i++].Luid = GetLuidFromText("SeSystemEnvironmentPrivilege"); //13 token_privileges->Privileges.Attributes = 3; token_privileges->Privileges[i++].Luid = GetLuidFromText("SeChangeNotifyPrivilege"); //14 token_privileges->Privileges.Attributes = 3; token_privileges->Privileges[i++].Luid = GetLuidFromText("SeBackupPrivilege"); //15 token_privileges->Privileges.Attributes = 3; token_privileges->Privileges[i++].Luid = GetLuidFromText("SeRestorePrivilege"); //16 token_privileges->Privileges.Attributes = 3; token_privileges->Privileges[i++].Luid = GetLuidFromText("SeShutdownPrivilege"); //17 token_privileges->Privileges.Attributes = 3; token_privileges->Privileges[i++].Luid = GetLuidFromText("SeLoadDriverPrivilege"); //18 token_privileges->Privileges.Attributes = 3; token_privileges->Privileges[i++].Luid = GetLuidFromText("SeProfileSingleProcessPrivilege"); //19 token_privileges->Privileges.Attributes = 3; token_privileges->Privileges[i++].Luid = GetLuidFromText("SeSystemtimePrivilege"); //20 token_privileges->Privileges.Attributes = 3; token_privileges->Privileges[i++].Luid = GetLuidFromText("SeUndockPrivilege"); //21 token_privileges->Privileges.Attributes = 3; token_privileges->Privileges[i++].Luid = GetLuidFromText("SeManageVolumePrivilege"); //22 token_privileges->Privileges.Attributes = 3; token_privileges->Privileges[i++].Luid = GetLuidFromText("SeImpersonatePrivilege"); //23 token_privileges->Privileges.Attributes = 3; token_privileges->Privileges[i++].Luid = GetLuidFromText("SeCreateGlobalPrivilege"); return token_privileges; } //加用户到HANDLE BOOL AddUserPrivToHandle(HANDLE Hhandle,char *s,ACCESS_MODE mode) { PSECURITY_DESCRIPTOR pSecurityDescriptor1,pSD = NULL; DWORD size,size1,len,ErrorCode,DaclPresent,DaclDefaulted,dwAbsoluteSDSize,dwDaclSize,dwSaclSize,dwOwnerSize,dwPrimaryGroupSize; ACL OldAcl; PACL POldAcl,PNewAcl,pDacl,pSacl; PSID pOwner,pPrimaryGroup; EXPLICIT_ACCESS ExplicitAccess1; SECURITY_INFORMATION sinfo; dwAbsoluteSDSize = dwDaclSize = dwSaclSize = dwOwnerSize = dwPrimaryGroupSize = 0; size = 0; sinfo = DACL_SECURITY_INFORMATION; //获得SECURITY_DESCRIPTOR GetUserObjectSecurity(Hhandle,&sinfo,pSD,size,&len); ErrorCode = GetLastError(); if(ErrorCode == ERROR_INSUFFICIENT_BUFFER) //122 { pSD = (PSECURITY_DESCRIPTOR) malloc(len + 1); if(pSD == NULL) { printf("Malloc failed:%d\n",GetLastError()); return FALSE; } memset(pSD,0,len + 1); size = len; } else { printf("GetUserObjectSecurity in AddUserPrivToHandle(\"%s\") Failed:%d\n",s,ErrorCode); return FALSE; } if(!GetUserObjectSecurity(Hhandle,&sinfo,pSD,size,&len)) { printf("GetUserObjectSecurity in AddUserPrivToHandle(\"%s\") Failed:%d\n",s,ErrorCode); return FALSE; } //获得DACL POldAcl = NULL; if(!GetSecurityDescriptorDacl(pSD,&DaclPresent,&POldAcl,&DaclDefaulted)) { printf("GetSecurityDescriptorDacl Error:%d\n",GetLastError()); return FALSE; } //重新生成一个ACL,然后在后面合并进去,给administrators组全部的权限. memset(&ExplicitAccess1,0,sizeof(ExplicitAccess1)); BuildExplicitAccessWithName(&ExplicitAccess1,s,mode,GRANT_ACCESS,NO_INHERITANCE); //合并权限 ErrorCode = SetEntriesInAcl(1,&ExplicitAccess1,POldAcl,&PNewAcl); if(ErrorCode != ERROR_SUCCESS) { printf("SetEntriesInAcl Error:%d\n",ErrorCode); return FALSE; } dwAbsoluteSDSize = 0x400; pSecurityDescriptor1 = (PSECURITY_DESCRIPTOR) malloc(dwAbsoluteSDSize+1); if(pSecurityDescriptor1 == NULL) { printf("Malloc for MakeAbsoluteSD failed:%d\n",GetLastError()); return FALSE; } memset(pSecurityDescriptor1,0,dwAbsoluteSDSize+1); MakeAbsoluteSD( pSD, pSecurityDescriptor1, &dwAbsoluteSDSize, NULL, &dwDaclSize, NULL, &dwSaclSize, NULL, &dwOwnerSize, NULL, &dwPrimaryGroupSize); //申请内存先. ErrorCode = GetLastError(); if(ErrorCode == ERROR_INSUFFICIENT_BUFFER) { //申请内存 //printf("申请内存大小:\ndwDaclSize=%d\ndwSaclSize=%d\ndwOwnerSize=%d\ndwPrimaryGroupSize=%d\ndwAbsoluteSDSize=%d\n", // dwDaclSize,dwSaclSize,dwOwnerSize,dwPrimaryGroupSize,dwAbsoluteSDSize); // //pSecurityDescriptor1 = (PSECURITY_DESCRIPTOR) malloc(dwAbsoluteSDSize+1); pDacl = (PACL) malloc(dwDaclSize+1); pSacl = (PACL) malloc(dwSaclSize+1); pOwner = (PSID) malloc(dwOwnerSize+1); pPrimaryGroup = (PSID) malloc(dwPrimaryGroupSize+1); if( //(pSecurityDescriptor1 == NULL) || (pDacl == NULL) || (pSacl == NULL) || (pOwner == NULL) || (pPrimaryGroup == NULL)) { printf("Malloc for MakeAbsoluteSD failed:%d\n",GetLastError()); return FALSE; } //memset(pSecurityDescriptor1,0,dwAbsoluteSDSize+1); } else { printf("MakeAbsoluteSD Error:%d\n",GetLastError()); return FALSE; } //申请后就可以接受了 if(!MakeAbsoluteSD(pSD, pSecurityDescriptor1, &dwAbsoluteSDSize, pDacl, &dwDaclSize, pSacl, &dwSaclSize, pOwner, &dwOwnerSize, pPrimaryGroup, &dwPrimaryGroupSize)) { printf("MakeAbsoluteSD After Malloc Error:%d\n",GetLastError()); return FALSE; } //printf("实际接受大小:\ndwDaclSize=%d\ndwSaclSize=%d\ndwOwnerSize=%d\ndwPrimaryGroupSize=%d\ndwAbsoluteSDSize=%d\n", // dwDaclSize,dwSaclSize,dwOwnerSize,dwPrimaryGroupSize,size1); //设置新的DACL if(!SetSecurityDescriptorDacl(pSecurityDescriptor1,DaclPresent,PNewAcl,DaclDefaulted)) { printf("SetSecurityDescriptorDacl Error:%d\n",GetLastError()); return FALSE; } //检查新的SecurityDescriptor是否合法 if(!IsValidSecurityDescriptor(pSecurityDescriptor1)) { printf("pSecurityDescriptor1 is not a valid SD:%d\n",GetLastError()); return FALSE; } //给句柄设置新的ACL if(!SetUserObjectSecurity(Hhandle,&sinfo,pSecurityDescriptor1)) { printf("SetKernelObjectSecurity Error:%d\n",GetLastError()); return FALSE; } if(POldAcl) LocalFree(POldAcl); if(PNewAcl) LocalFree(PNewAcl); pfree(pSD); pfree(pSecurityDescriptor1); pfree(pDacl); pfree(pSacl); pfree(pOwner); pfree(pPrimaryGroup); return TRUE; } //根据指定用户名来建立Token HANDLE NtCreateTokenAsuser(char *user) { SID *GroupSid,*UserSid; char StringSid[SIZE],UserDefaultGroup[SIZE]; DWORD SidSize,GroupCount,GroupCount2,IsNotUsersGroup = 1; char *DomainName,**UserGroup,*CurrentUser; DWORD cbSid,cbDomainName,SessionId,sessionlen; SID_NAME_USE peUse; int ErrorCode,i; LUID Luid = ANONYMOUS_LOGON_LUID; //LUID Luid = SYSTEM_LUID; SECURITY_QUALITY_OF_SERVICE security_quality_of_service = { sizeof( security_quality_of_service ), SecurityAnonymous, SECURITY_STATIC_TRACKING, FALSE }; OBJECT_ATTRIBUTES object_attributes = { sizeof( object_attributes ), NULL, NULL, 0, NULL, &security_quality_of_service }; TOKEN_SOURCE token_source; TOKEN_PRIVILEGES *token_privileges; TOKEN_GROUPS *token_groups; TOKEN_USER token_user; TOKEN_OWNER token_owner; TOKEN_PRIMARY_GROUP token_primary_group; TOKEN_DEFAULT_DACL token_default_dacl,*SelfDacl; ACL NewAcl2,*NewAcl; TOKEN_TYPE tokentype; HANDLE token,SelfToken; NTSTATUS ntstatus,ntstatus2; PNtCreateToken NtCreateToken; HMODULE ntdllmodule; ACCESS_MASK DesiredAccess; LARGE_INTEGER ExpireTime; EXPLICIT_ACCESS ExplicitAccess; //给winstation用的 HDESK hdesk; HWINSTA hwinsta; DWORD PrivilegeCount; //是否是SYSTEM用户 DWORD IfIsSystemUser = 0,IfIsAdmin = 0; //定义结束 //获取CreateToken地址 ntdllmodule = GetModuleHandle("ntdll"); if(ntdllmodule == NULL ) { printf("[-] GetModuleHandle ntdll error:%d\n",GetLastError()); return INVALID_HANDLE_VALUE; } NtCreateToken = (PNtCreateToken) GetProcAddress(ntdllmodule,"ZwCreateToken"); if(NtCreateToken == NULL) { printf("[-] GetProcAddress NtCreateToken error:%d\n",GetLastError()); return INVALID_HANDLE_VALUE; } if(stricmp(user,"system") == 0) { IfIsSystemUser = 1; //Luid.LowPart = 0x3e7; //Luid.HighPart = 0x0; } //arg 2 for NtCreateToken(); DesiredAccess = TOKEN_ALL_ACCESS; //arg 3 for NtCreateToken(); //arg 4 for NtCreateToken(); //IN TOKEN_TYPE TokenType, tokentype = TokenPrimary; //arg 5 for NtCreateToken(); //memcpy(&Luid,&SYSTEM_LUID,sizeof(Luid)); /* if(!AllocateLocallyUniqueId(&Luid)) { printf("AllocateLocallyUniqueId Failed:%d\n",GetLastError()); return INVALID_HANDLE_VALUE; } */ //arg 6 for NtCreateToken(); ExpireTime.LowPart = 0xffffffff; ExpireTime.HighPart = 0x7fffffff; //printf("sizeof(ExpireTime) = %d\n",sizeof(ExpireTime)); //QueryPerformanceFrequency(&ExpireTime); //arg 7 for NtCreateToken(); //token_user正确 token_user.User.Sid = GetUserSid(user); if(token_user.User.Sid == NULL) return INVALID_HANDLE_VALUE; token_user.User.Attributes = 0; //must be 0 if(IfIsSystemUser == 0) //一般用户 { //arg 8 for NtCreateToken(); if(!GetUserGroup(user,&UserGroup,&GroupCount)) return INVALID_HANDLE_VALUE; //printf("=====================\nGet %d groups\n",GroupCount); //给token_groups申请内存 //看用户组里面有没有"Users" IsNotUsersGroup = 1; for(i=0;i<GroupCount;i++) { CurrentUser = UserGroup; if(stricmp(CurrentUser,"Users") == 0) { IsNotUsersGroup = 0; continue; } if(stricmp(CurrentUser,"Administrators") == 0) { IfIsAdmin = 1; continue; } } //保存一下,后面要用 GroupCount2 = GroupCount; //没有就+1,有就+0 GroupCount += IsNotUsersGroup + 2; token_groups = (PTOKEN_GROUPS) malloc(4+(4+4)*GroupCount+1); if(token_groups == NULL) { printf("Malloc for token_groups failed:%d\n",GetLastError()); return INVALID_HANDLE_VALUE; } //加"None","Everyone","INTERACTIVE" 组 //printf("GroupCount:%d\n",GroupCount); token_groups->GroupCount = GroupCount; //给第11个参数用 //memset(UserDefaultGroup,0,SIZE); //strncpy(UserDefaultGroup,UserGroup[0],SIZE -1 ); //printf("GroupCount:%d\n",GroupCount); //token_group需要最少加以下四个组: //只有Users可能有用户或者帐号存在 //"None","Everyone","Users","INTERACTIVE"他们的ATTribute都是7 if(DebugLevel != 7) { printf("Using DebugLevel 0x%x \n",DebugLevel); } for(i=0;i<GroupCount2;i++) { //printf("%d:%s\n",i,UserGroup); CurrentUser = UserGroup; GroupSid = GetUserSid(CurrentUser); if(GroupSid == NULL) return INVALID_HANDLE_VALUE; token_groups->Groups.Sid = GroupSid; token_groups->Groups.Attributes = DebugLevel; free(CurrentUser); } free(UserGroup); /* GroupSid = GetUserSid("None"); if(GroupSid == NULL) return INVALID_HANDLE_VALUE; token_groups->Groups.Sid = GroupSid; token_groups->Groups[i++].Attributes = DebugLevel; */ GroupSid = GetUserSid("Everyone"); if(GroupSid == NULL) return INVALID_HANDLE_VALUE; token_groups->Groups.Sid = GroupSid; token_groups->Groups[i++].Attributes = DebugLevel; GroupSid = GetUserSid("INTERACTIVE"); if(GroupSid == NULL) return INVALID_HANDLE_VALUE; token_groups->Groups.Sid = GroupSid; token_groups->Groups[i++].Attributes = DebugLevel; if(IsNotUsersGroup) { GroupSid = GetUserSid("Users"); if(GroupSid == NULL) return INVALID_HANDLE_VALUE; token_groups->Groups.Sid = GroupSid; token_groups->Groups[i++].Attributes = DebugLevel; } //arg 9 for NtCreateToken(); //这个倒没错 //先申请内存 if(IfIsAdmin == 0) //如果不是管理员组 { PrivilegeCount = 2; token_privileges = (PTOKEN_PRIVILEGES) malloc(4 + (3*4)*PrivilegeCount + 4); if(token_privileges == NULL) { printf("malloc failed for PTOKEN_PRIVILEGES in NtCreateTokenAsuser\n"); return INVALID_HANDLE_VALUE; } token_privileges->PrivilegeCount = PrivilegeCount; (token_privileges->Privileges)[0].Attributes = SE_PRIVILEGE_ENABLED_BY_DEFAULT; (token_privileges->Privileges)[0].Luid = GetLuidFromText("SeChangeNotifyPrivilege"); (token_privileges->Privileges)[1].Attributes = SE_PRIVILEGE_ENABLED_BY_DEFAULT; (token_privileges->Privileges)[1].Luid = GetLuidFromText("SeUndockPrivilege"); } else { token_privileges = MakeAdminPriv(); if(token_privileges == NULL) return INVALID_HANDLE_VALUE; } /* if(!AllocateLocallyUniqueId(&(token_privileges.Privileges[0].Luid))) { printf("AllocateLocallyUniqueId for token_privileges Failed:%d\n",GetLastError()); return INVALID_HANDLE_VALUE; } */ //arg 10 for NtCreateToken(); //正确的方法 token_owner.Owner = GetUserSid(user); if(token_owner.Owner == NULL) return INVALID_HANDLE_VALUE; //arg 11 for NtCreateToken(); //PrimaryGroup统一都是None token_primary_group.PrimaryGroup = GetUserSid(user); if(token_primary_group.PrimaryGroup == NULL) return INVALID_HANDLE_VALUE; } else { //设置usergroup //三个组:administrators(0xe),everyone(0x7),Authenticated Users(0x7) GroupCount = 2; token_groups = (PTOKEN_GROUPS) malloc(4+(4+4)*GroupCount+1); if(token_groups == NULL) { printf("Malloc for token_groups failed:%d\n",GetLastError()); return INVALID_HANDLE_VALUE; } token_groups->GroupCount = GroupCount; //自定义的debuglevel if(DebugLevel != 7) { printf("Using DebugLevel 0x%x \n",DebugLevel); } i = 0; GroupSid = GetUserSid("administrators"); if(GroupSid == NULL) return INVALID_HANDLE_VALUE; token_groups->Groups.Sid = GroupSid; token_groups->Groups[i++].Attributes = 0xe; GroupSid = GetUserSid("Everyone"); if(GroupSid == NULL) return INVALID_HANDLE_VALUE; token_groups->Groups.Sid = GroupSid; token_groups->Groups[i++].Attributes = DebugLevel; /* GroupSid = GetUserSid("Authenticated Users"); if(GroupSid == NULL) return INVALID_HANDLE_VALUE; token_groups->Groups.Sid = GroupSid; token_groups->Groups[i++].Attributes = DebugLevel; */ //设置 token_privileges token_privileges = MakeAdminPriv(); if(token_privileges == NULL) return INVALID_HANDLE_VALUE; //token_owner token_owner.Owner = GetUserSid("administrators"); if(token_owner.Owner == NULL) return INVALID_HANDLE_VALUE; //arg 11 for NtCreateToken(); //PrimaryGroup统一都是None token_primary_group.PrimaryGroup = GetUserSid("SYSTEM"); if(token_primary_group.PrimaryGroup == NULL) return INVALID_HANDLE_VALUE; } //arg 12 for NtCreateToken(); //NULL? //token_default_dacl /* token_default_dacl->DefaultDacl->AclRevision:2 token_default_dacl->DefaultDacl->Sbz1:0 token_default_dacl->DefaultDacl->AclSize:64 token_default_dacl->DefaultDacl->AceCount:2 token_default_dacl->DefaultDacl->Sbz2:0 */ if(!OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY, &SelfToken)) { printf("OpenProcessToken self Error:%d\n",GetLastError()); return INVALID_HANDLE_VALUE; } BuildExplicitAccessWithName(&ExplicitAccess,user,GENERIC_ALL,GRANT_ACCESS,NO_INHERITANCE); SelfDacl = (PTOKEN_DEFAULT_DACL) GetFromToken(SelfToken,TokenDefaultDacl); if(SelfDacl == NULL) { CloseHandle(SelfToken); return INVALID_HANDLE_VALUE; } ErrorCode = SetEntriesInAcl(1,&ExplicitAccess,SelfDacl->DefaultDacl,&NewAcl); if(ErrorCode != ERROR_SUCCESS) { printf("SetEntriesInAcl Under NtCreateTokenAsuser Failed:%d\n",ErrorCode); CloseHandle(SelfToken); return INVALID_HANDLE_VALUE; } //获得当前进程的SessionID,然后再同样set到新的token里面 //printf("SelfProcess:\n"); //DisplayTokenSessionId(SelfToken); //SessionId,sessionlen; sessionlen = sizeof(DWORD); if(!GetTokenInformation(SelfToken,TokenSessionId,&SessionId,sessionlen,&sessionlen)) { printf("GetTokenInformation TokenSessionId Failed:%d\n",GetLastError()); CloseHandle(SelfToken); return INVALID_HANDLE_VALUE; } CloseHandle(SelfToken); token_default_dacl.DefaultDacl = NewAcl; /* NewAcl2.AclRevision = 2; NewAcl2.Sbz1 = 0; NewAcl2.AclSize = 64; NewAcl2.AceCount = 2; NewAcl2.Sbz2 = 0; ErrorCode = SetEntriesInAcl(0,NULL,NULL,&NewAcl); if(ErrorCode != ERROR_SUCCESS) { printf("SetEntriesInAcl As new one failed:%d\n",ErrorCode); return INVALID_HANDLE_VALUE; } token_default_dacl.DefaultDacl = NewAcl; */ //arg 13 for NtCreateToken(); //token_source if(IfIsSystemUser == 0) //一般用户 memcpy(token_source.SourceName,"seclogon",8); else memcpy(token_source.SourceName,"*SYSTEM*",8); //生成LUID //token_source.SourceIdentifier = Luid; if(!AllocateLocallyUniqueId(&(token_source.SourceIdentifier))) { printf("AllocateLocallyUniqueId for token_source Failed:%d\n",GetLastError()); return INVALID_HANDLE_VALUE; } if(IfIsSystemUser == 0) { //将该用户权限加入到当前用户所使用的 桌面 和 winstation //hwinsta = OpenWindowStation("WinSta0",TRUE,WINSTA_ALL); hwinsta = GetProcessWindowStation(); if (hwinsta == NULL) { printf("OpenWindowStation Error:%d\n",GetLastError()); return INVALID_HANDLE_VALUE; } //hwinstaold = GetProcessWindowStation(); // // set the windowstation to winsta0 so that you obtain the // correct default desktop // /* if (!SetProcessWindowStation(hwinsta)) { printf("SetProcessWindowStation Error:%d\n",GetLastError()); CloseWindowStation(hwinsta); return INVALID_HANDLE_VALUE; } */ // // obtain a handle to the "default" desktop // //hdesk = OpenDesktop("Default",DF_ALLOWOTHERACCOUNTHOOK,FALSE,DESKTOP_ALL); hdesk = GetThreadDesktop(GetCurrentThreadId()); if (hdesk == NULL) { printf("OpenDesktop Error:%d\n",GetLastError()); CloseWindowStation(hwinsta); return INVALID_HANDLE_VALUE; } // add the user to interactive windowstation // AddUserPrivToHandle(hwinsta,user,WINSTA_ALL); AddUserPrivToHandle(hdesk,user,DESKTOP_ALL); /* if (!AddTheAceWindowStation(hwinsta, token_user.User.Sid)) { printf("AddTheAceWindowStation Error:%d\n",GetLastError()); CloseWindowStation(hwinsta); CloseDesktop(hdesk); return INVALID_HANDLE_VALUE; } // // add user to "default" desktop // if (!AddTheAceDesktop(hdesk, token_user.User.Sid)) { printf("AddTheAceDesktop Error:%d\n",GetLastError()); CloseWindowStation(hwinsta); CloseDesktop(hdesk); return INVALID_HANDLE_VALUE; } */ if (!SetProcessWindowStation(hwinsta)) { printf("SetProcessWindowStation Error:%d\n",GetLastError()); CloseWindowStation(hwinsta); return INVALID_HANDLE_VALUE; } if(!SetThreadDesktop(hdesk)) { printf("SetThreadDesktop Error:%d\n",GetLastError()); CloseDesktop(hdesk); return INVALID_HANDLE_VALUE; } // // close the handles to the interactive windowstation and desktop // CloseWindowStation(hwinsta); CloseDesktop(hdesk); } //开始create ntstatus = NtCreateToken( &token, DesiredAccess, &object_attributes, tokentype, &Luid, &ExpireTime, &token_user, token_groups, token_privileges, &token_owner, &token_primary_group, &token_default_dacl, &token_source ); if(ntstatus != STATUS_SUCCESS) { printf("CreateToken Failed:%d\n",LsaNtStatusToWinError(ntstatus)); return INVALID_HANDLE_VALUE; } //开始释放内存 /* pfree(token_user.User.Sid); pfree(token_groups); pfree(token_privileges); pfree(token_owner.Owner); pfree(token_primary_group.PrimaryGroup); if(NewAcl != NULL) LocalFree(NewAcl); */ /* printf("NewToken:\n"); DisplayTokenSessionId(token); */ if(TokenSessionId > 0) { sessionlen = sizeof(DWORD); if(!SetTokenInformation(token,TokenSessionId,&SessionId,sessionlen)) { printf("SetTokenInformation TokenSessionId Failed:%d\n",GetLastError()); } } return token; } //输出:指针指向一系列的group,groupcount为group数目. BOOL GetUserGroup(char *username,char ***groupname,int *groupcount) { LPLOCALGROUP_USERS_INFO_0 pBuf = NULL; DWORD dwLevel = 0; DWORD dwFlags = LG_INCLUDE_INDIRECT ; DWORD dwPrefMaxLen = -1; DWORD dwEntriesRead = 0; DWORD dwTotalEntries = 0; NET_API_STATUS nStatus; DWORD i; DWORD dwTotalCount = 0; WCHAR wUserName[100];//,wAdminGroup[50]; BOOL returnvalue=FALSE; char *p; DWORD len; char **name; MultiByteToWideChar( CP_ACP, 0, username,-1, wUserName,sizeof(wUserName)/sizeof(wUserName[0])); //MultiByteToWideChar( CP_ACP, 0, admingroup,-1, wAdminGroup,sizeof(wAdminGroup)/sizeof(wAdminGroup[0])); nStatus = NetUserGetLocalGroups(NULL,wUserName,dwLevel,dwFlags,(LPBYTE *) &pBuf,dwPrefMaxLen,&dwEntriesRead,&dwTotalEntries); if (nStatus != NERR_Success) { return returnvalue; } if(pBuf == NULL) return returnvalue; name = (char **) malloc(dwEntriesRead * sizeof(char *)); if(name == NULL) { printf("malloc failed in GetUserGroup for name:%d\n",GetLastError()); return returnvalue; } returnvalue = TRUE; for (i = 0; i < dwEntriesRead; i++) { if (pBuf == NULL) return returnvalue; len = wcslen(pBuf->lgrui0_name); p = (char *) malloc(len+1); if(p == NULL) { printf("malloc failed in GetUserGroup:%d\n",GetLastError()); break; } wsprintf(p,"%S",pBuf->lgrui0_name); name[dwTotalCount] = p; //printf("%d:%s\n",dwTotalCount,p); pBuf++; dwTotalCount++; } if(pBuf != NULL) NetApiBufferFree(pBuf); *groupname = name; *groupcount = dwTotalCount; return returnvalue; } //加权限 int GrantPriv(char *priv) { HANDLE token; TOKEN_PRIVILEGES tkp; HANDLE hProc; //SeCreateTokenPrivilege if(LookupPrivilegeValue(NULL,priv,&tkp.Privileges[0].Luid) == FALSE) { fprintf(stderr, "LookupPrivilegeValue failed: 0x%X\n", GetLastError()); return(-1); } if(OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &token) == FALSE) { fprintf(stderr, "OpenProcessToken SELF Failed: 0x%X\n", GetLastError()); return(-1); } tkp.PrivilegeCount = 1; tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; if(!AdjustTokenPrivileges(token,FALSE,&tkp,0,NULL, NULL)) { fprintf(stderr,"AdjustTokenPrivileges Failed: 0x%X\n", GetLastError()); return(-1); } /* else { switch(GetLastError()) { case ERROR_SUCCESS: printf("The function adjusted all specified privileges.\n"); break; case ERROR_NOT_ALL_ASSIGNED: //0x514 printf("Adjust privileges not assigned\n"); break; } } */ CloseHandle(token); return 0; } //从 lsass.exe 继承权限 int GrantPrivFromLsass(int pid) { HANDLE LsassHandle,LsassToken,NewToken; //首先打开进程,获得HANDLE //PROCESS_QUERY_INFORMATION ,FALSE //LsassHandle = OpenProcess(PROCESS_ALL_ACCESS,TRUE,pid); LsassHandle = OpenProcess(PROCESS_QUERY_INFORMATION,FALSE,pid); //在OpenProcessToken(READ|WRITE if(LsassHandle == NULL) { printf("OpenProcess %d Error:%d\n",pid,GetLastError()); return -1; } //再opentoken if(!OpenProcessToken(LsassHandle,STANDARD_RIGHTS_READ|WRITE_DAC,&LsassToken)) { printf("OpenProcessToken First Error:%d\n",GetLastError()); CloseHandle(LsassHandle); return -1; } //得到Token的ACL信息 //pSecurityDescriptor = NULL; //size = 0; //len = 0; //先申请内存 if(!AddUserPrivToHandle(LsassToken,"administrators",TOKEN_ALL_ACCESS)) { CloseHandle(LsassToken); CloseHandle(LsassHandle); return -1; } //关闭句柄 CloseHandle(LsassToken); //打开Token if(!OpenProcessToken(LsassHandle,TOKEN_ALL_ACCESS,&LsassToken)) { printf("OpenProcessToken LsassHandle Error:%d\n",GetLastError()); CloseHandle(LsassHandle); return -1; } //关闭句柄 CloseHandle(LsassHandle); //复制Token if(!DuplicateTokenEx(LsassToken,TOKEN_ALL_ACCESS,NULL,SecurityImpersonation,TokenPrimary,&NewToken)) { printf("DuplicateTokenEx Error:%d\n",GetLastError()); return -1; } //CloseHandle(LsassToken); if(!ImpersonateLoggedOnUser(NewToken)) { printf("ImpersonateLoggedOnUser Error:%d\n",GetLastError()); CloseHandle(NewToken); return -1; } GrantPriv("SeCreateTokenPrivilege"); GrantPriv("SeTcbPrivilege"); GrantPriv("SeIncreaseQuotaPrivilege"); GrantPriv("SeAssignPrimaryTokenPrivilege"); //CloseHandle(NewToken); return 0; // GetKernelObjectSecurity(Handle,DACL_SECURITY_INFORMATION,buf,size,&len) // GetSecurityDescriptorDacl(buf,&lpbDaclPresent,PoldACL,&lpbDaclDefaulted); // BuildExplicitAccessWithName(pstruct,"administrators",TOKEN_ALL_ACCESS,GRANT_ACCESS,NO_INHERITANCE) // SetEntriesInAcl(1,pstruct,PoldACL,PnewACL); //合并权限 // MakeAbsoluteSD(buf,buf2, // SetSecurityDescriptorDacl(buf2,lpbDaclPresent,PnewACL,lpbDaclDefaulted); // SetKernelObjectSecurity(HANDLE,DACL_SECURITY_INFORMATION,buf2,); // CloseHandle(HANDLE); // DuplicateTokenEx(LsassToken,TOKEN_ALL_ACCESS,NULL,SecurityImpersonation,TokenPrimary,&NewToken); // CloseHandle(LsassToken); // ImpersonateLoggedOnUser } //帮助信息 void usage(char *s) { printf("Usage:%s <-u user>\n",s); return; } BOOL ConvertSidToStringSid(PSID pSid,LPTSTR TextualSid, LPDWORD lpdwBufferLen) { PSID_IDENTIFIER_AUTHORITY psia; DWORD dwSubAuthorities; DWORD dwSidRev=SID_REVISION; DWORD dwCounter; DWORD dwSidSize; // Validate the binary SID. if(!IsValidSid(pSid)) return FALSE; // Get the identifier authority value from the SID. psia = GetSidIdentifierAuthority(pSid); // Get the number of subauthorities in the SID. dwSubAuthorities = *GetSidSubAuthorityCount(pSid); // Compute the buffer length. // S-SID_REVISION- + IdentifierAuthority- + subauthorities- + NULL dwSidSize=(15 + 12 + (12 * dwSubAuthorities) + 1) * sizeof(TCHAR); // Check input buffer length. // If too small, indicate the proper size and set last error. if (*lpdwBufferLen < dwSidSize) { *lpdwBufferLen = dwSidSize; SetLastError(ERROR_INSUFFICIENT_BUFFER); return FALSE; } // Add 'S' prefix and revision number to the string. dwSidSize=wsprintf(TextualSid, TEXT("S-%lu-"), dwSidRev ); // Add SID identifier authority to the string. if ( (psia->Value[0] != 0) || (psia->Value[1] != 0) ) { dwSidSize+=wsprintf(TextualSid + lstrlen(TextualSid),TEXT("0x%02hx%02hx%02hx%02hx%02hx%02hx"), (USHORT)psia->Value[0], (USHORT)psia->Value[1], (USHORT)psia->Value[2], (USHORT)psia->Value[3], (USHORT)psia->Value[4], (USHORT)psia->Value[5]); } else { dwSidSize+=wsprintf(TextualSid + lstrlen(TextualSid),TEXT("%lu"), (ULONG)(psia->Value[5] ) + (ULONG)(psia->Value[4] << 8) + (ULONG)(psia->Value[3] << 16) + (ULONG)(psia->Value[2] << 24) ); } // Add SID subauthorities to the string. for (dwCounter=0 ; dwCounter < dwSubAuthorities ; dwCounter++) { dwSidSize+=wsprintf(TextualSid + dwSidSize, TEXT("-%lu"), *GetSidSubAuthority(pSid, dwCounter) ); } return TRUE; } void *GetFromToken(HANDLE hToken, TOKEN_INFORMATION_CLASS tic) { DWORD n,n2,rv; void *p; n2 = 0; rv = GetTokenInformation(hToken,tic,NULL,n2, &n); if (rv == FALSE && GetLastError() != ERROR_INSUFFICIENT_BUFFER) { printf("GetTokenInformation Failed:%d\n",GetLastError()); return NULL; } p = malloc(n+1); if(p == NULL) { printf("Malloc in GetFromToken Failed\n"); return NULL; } n2 = n; if(!GetTokenInformation(hToken, tic, p, n2, &n) ) { printf("GetTokenInformation After Malloc Failed:%d\n",GetLastError()); return NULL; } return p; } void pfree(void *p) { if(p) free(p); } LUID GetLuidFromText(char *s) { LUID Luid; Luid.LowPart = 0; Luid.HighPart = 0; if(!LookupPrivilegeValue(NULL,s,&Luid)) { printf("LookupPrivilegeValue under GetLuidFromText(\"%s\") Failed:%d\n",s,GetLastError()); return Luid; } return Luid; } |
|
|
|
7楼#
发布于:2005-01-18 00:46
你好
谢谢你的回复 不过我认为不是权限问题 这个路径下的USB的硬件信息 我想改的就是这个PC CAMERA 把整个名改掉 |
|
|
|
8楼#
发布于:2005-01-18 08:24
regedt32也不能改 :( 点击要更改的键后,菜单里进入安全->权限,增加修改权限 |
|
|
|
9楼#
发布于:2005-01-18 10:41
[quote]regedt32也不能改 :( 点击要更改的键后,菜单里进入安全->权限,增加修改权限 [/quote] XP下试了一下 问题 今晚回去用2K试试 多谢了^_^ |
|
|
10楼#
发布于:2005-03-09 15:50
snowStart的方法完全可行!
|
|
|
|
11楼#
发布于:2005-03-09 15:56
就是权限问题,如果是手动方式就直接改权限,如果是编程实现就使用liwashington方法
|
|
|
12楼#
发布于:2005-03-09 16:22
[quote]regedt32也不能改 :( 点击要更改的键后,菜单里进入安全->权限,增加修改权限 [/quote] 编程用SetSecurityInfo |
|
|