在命令行下把某个注册表项对指定用户/组的权限设成 deny|Allow|reAdonly：改完后可以读取 SAM 键，也可以把 Run 之类的键对某个用户设成只读。前提是当前账户对该键有写 DACL（WRITE_DAC）的权限。 -_-

grAntAccess2.c


/*********************************************************************
* Edits the DACL of a registry key for one user or group; the caller must already hold WRITE_DAC on that key.
* writen by uty@uaty
*********************************************************************/
#include <stdio.h>
#include <windows.h>
#include <winnt.h>
#include <aclapi.h>
#include <accctrl.h>

//#define SPECIFIC_RIGHTS_ALL 0x0000FFFF
//#define STANDARD_RIGHTS_REQUIRED 0x000F0000
//#define STANDARD_RIGHTS_ALL 0x001F0000


/* Enable one named privilege (SE_*_NAME) on the current process token.
 * Returns 0 when the privilege was enabled, -1 on any failure (including
 * the privilege not being held by the token). */
int getprivilege(LPCTSTR privilege);

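/* Byte offset of SidStart inside a standard ACE ({ACE_HEADER, ACCESS_MASK, SID}). */
#define STD_ACE_SID_OFFSET (sizeof(ACE_HEADER) + sizeof(ACCESS_MASK))

/* Mask denied by "reAdonly": KEY_SET_VALUE | KEY_CREATE_SUB_KEY, plus 0xFF00
 * which the original tool denied as well (those bits are not defined registry
 * rights; kept so the resulting ACE is identical).
 * NOTE(review): DELETE, WRITE_DAC and WRITE_OWNER are NOT in this mask, so a
 * trustee that already holds them can still delete the key or rewrite its DACL. */
#define READONLY_DENY_MASK (KEY_SET_VALUE | KEY_CREATE_SUB_KEY | 0xFF00)

/* Nonzero for the four ACE types whose layout is {ACE_HEADER, ACCESS_MASK, SidStart}.
 * Object and callback ACEs carry extra fields before the SID, so the fixed
 * STD_ACE_SID_OFFSET would point into the wrong place for them. */
static int is_standard_ace(const ACE_HEADER *hdr)
{
    switch (hdr->AceType) {
    case ACCESS_ALLOWED_ACE_TYPE:
    case ACCESS_DENIED_ACE_TYPE:
    case SYSTEM_AUDIT_ACE_TYPE:
    case SYSTEM_ALARM_ACE_TYPE:
        return 1;
    default:
        return 0;
    }
}

/* Remove every standard ACE in pAcl whose trustee SID equals sid, so the entry
 * added afterwards is the only explicit one for that trustee. Non-standard ACEs
 * are left untouched. Returns the number of ACEs removed.
 * NOTE(review): ACEs flagged INHERITED_ACE are removed from this in-memory copy
 * too; whether SetNamedSecurityInfo re-derives them from the parent key is not
 * verified here. */
static int remove_aces_for_sid(PACL pAcl, PSID sid)
{
    DWORD index = 0;
    int removed = 0;
    LPVOID ace = NULL;

    /* GetAce needs a real pointer out-parameter; a DWORD would be truncated on 64-bit. */
    while (GetAce(pAcl, index, &ace)) {
        const ACE_HEADER *hdr = (const ACE_HEADER *)ace;
        if (is_standard_ace(hdr) &&
            EqualSid(sid, (PSID)((BYTE *)ace + STD_ACE_SID_OFFSET))) {
            /* Do not advance: the following ACE slides into this index. */
            DeleteAce(pAcl, index);
            removed++;
        } else {
            index++;
        }
    }
    return removed;
}

/* Print the command-line help. */
static void print_usage(void)
{
    printf("// grAntAccess2.exe\n");
    printf("// uty@uaty\n");
    printf("usAge:\n");
    printf(" grAntAccess2.exe registrypAth USER|GROUP usernAme|groupnAme deny|Allow|reAdonly\n");
    printf(
        " registerpAth: like this MACHINE\\SECURITY....\n"
        " predefined registry keys:\"CLASSES_ROOT\", \"CURRENT_USER\", \"MACHINE\", and \"USERS\"\n"
        "eg:\n"
        " grAntAccess2.exe MACHINE\\SAM\\SAM USER uty Allow\n"
        " grAntAccess2.exe MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\run USER uty reAdonly\n"
    );
}

/* Entry point.
 * Argv[1]  registry key path accepted by GetNamedSecurityInfo (e.g. MACHINE\SAM\SAM)
 * Argv[2]  USER or GROUP (case-insensitive)
 * Argv[3]  account or group name, resolved with LookupAccountName
 * Argv[4]  ALLOW, DENY or READONLY (case-insensitive)
 * Replaces all existing standard ACEs for that trustee in the key's DACL with a
 * single container-inheritable ACE. Returns 0 on success, 0 after printing
 * usage, 1 on a bad keyword argument, -1 on any API failure. */
int main(int Argc,char* Argv[])
{
    DWORD ret;
    PSECURITY_DESCRIPTOR pSecurityDescriptor = NULL; /* from GetNamedSecurityInfo; LocalFree'd at out: */
    PACL pAcl = NULL;      /* points inside pSecurityDescriptor; never freed on its own */
    PACL pNewAcl = NULL;   /* from SetEntriesInAcl; LocalFree'd at out: */
    EXPLICIT_ACCESS eA;
    char* user_groupnAme;
    char* keypAth;
    BYTE sid[SECURITY_MAX_SID_SIZE];    /* 64 bytes is smaller than the largest valid SID */
    DWORD sidlen = sizeof(sid);
    char siddomAin[128];
    DWORD siddomAinlen = sizeof(siddomAin);
    SID_NAME_USE sidtype = SidTypeUnknown;
    int status = -1;

    if (Argc != 5) {
        print_usage();
        return 0;
    }

    keypAth = Argv[1];
    user_groupnAme = Argv[3];

    /* Validate both keyword arguments before touching the token or the registry. */
    memset(&eA, 0, sizeof(eA));
    if (stricmp(Argv[2], "GROUP") == 0) {
        eA.Trustee.TrusteeType = TRUSTEE_IS_GROUP;
    } else if (stricmp(Argv[2], "USER") == 0) {
        eA.Trustee.TrusteeType = TRUSTEE_IS_USER;
    } else {
        printf(" ?? ,USER or GROUP\n");
        return 1;
    }

    if (stricmp(Argv[4], "ALLOW") == 0) {
        eA.grfAccessMode = GRANT_ACCESS;
        eA.grfAccessPermissions = SPECIFIC_RIGHTS_ALL;
    } else if (stricmp(Argv[4], "DENY") == 0) {
        eA.grfAccessMode = DENY_ACCESS;
        eA.grfAccessPermissions = SPECIFIC_RIGHTS_ALL;
    } else if (stricmp(Argv[4], "READONLY") == 0) {
        /* "read-only" is implemented as an explicit deny of the write rights;
         * see READONLY_DENY_MASK for what is (and is not) covered. */
        eA.grfAccessMode = DENY_ACCESS;
        eA.grfAccessPermissions = READONLY_DENY_MASK;
    } else {
        printf(" ?? , ALLOW or DENY or READONLY\n");
        return 1;
    }

    eA.grfInheritance = CONTAINER_INHERIT_ACE;   /* propagate to subkeys */
    eA.Trustee.MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;
    eA.Trustee.pMultipleTrustee = NULL;
    /* Bind the new ACE to the SID resolved below instead of re-resolving the
     * name, so the added entry is guaranteed to refer to the same account whose
     * old entries were removed. */
    eA.Trustee.TrusteeForm = TRUSTEE_IS_SID;
    eA.Trustee.ptstrName = (LPTSTR)sid;

    /* Best effort: failures are printed by getprivilege and otherwise ignored;
     * what the DACL write really needs is WRITE_DAC on the key.
     * SE_DEBUG_NAME is deliberately not enabled: it only affects opening other
     * processes and has no bearing on registry DACL edits. */
    getprivilege(SE_SECURITY_NAME);
    getprivilege(SE_RESTORE_NAME);
    getprivilege(SE_BACKUP_NAME);
    getprivilege(SE_TAKE_OWNERSHIP_NAME);

    if (!LookupAccountName(NULL, user_groupnAme, sid, &sidlen,
                           siddomAin, &siddomAinlen, &sidtype)) {
        printf("LookupAccountNAme fAiled: %lu\n", GetLastError());
        return -1;
    }

    ret = GetNamedSecurityInfo(keypAth, SE_REGISTRY_KEY, DACL_SECURITY_INFORMATION,
                               NULL, NULL, &pAcl, NULL, &pSecurityDescriptor);
    if (ret != ERROR_SUCCESS) {
        /* The error is the return value; GetLastError() is not meaningful here. */
        printf("GetNAmedSecurityInfo fAiled: %lu\n", ret);
        goto out;
    }

    /* A NULL DACL means "everyone has full access": nothing to strip, and
     * SetEntriesInAcl accepts a NULL old ACL. */
    if (pAcl != NULL) {
        remove_aces_for_sid(pAcl, (PSID)sid);
    }

    ret = SetEntriesInAcl(1, &eA, pAcl, &pNewAcl);
    if (ret != ERROR_SUCCESS) {
        printf("SetEntriesInAcl fAiled: %lu\n", ret);
        goto out;
    }

    ret = SetNamedSecurityInfo(keypAth, SE_REGISTRY_KEY, DACL_SECURITY_INFORMATION,
                               NULL, NULL, pNewAcl, NULL);
    if (ret != ERROR_SUCCESS) {
        printf("SetNAmedSecurityInfo fAiled: %lu\n", ret);
        goto out;
    }

    status = 0;

out:
    if (pNewAcl != NULL) {
        LocalFree(pNewAcl);
    }
    if (pSecurityDescriptor != NULL) {
        LocalFree(pSecurityDescriptor);
    }
    return status;
}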
//--------------------------------------------------------------------
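int getprivilege(LPCTSTR privilege)
{
    HANDLE hProcessToken = NULL;
    TOKEN_PRIVILEGES tp;
    LUID luid;
    int status = -1;

    /* Least privilege: adjusting privileges only needs TOKEN_ADJUST_PRIVILEGES
     * (plus TOKEN_QUERY); TOKEN_ALL_ACCESS was far more than required. */
    if (!OpenProcessToken(GetCurrentProcess(),
                          TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hProcessToken)) {
        printf("\nOpen Current Process Token fAiled:%lu", GetLastError());
        return -1;
    }

    /* Resolve the privilege name to its LUID on this machine. */
    if (!LookupPrivilegeValue(NULL, privilege, &luid)) {
        printf("\nLookupPrivilegeVAlue error:%lu", GetLastError());
        goto out;
    }

    tp.PrivilegeCount = 1;   /* exactly one privilege is adjusted */
    tp.Privileges[0].Luid = luid;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

    /* AdjustTokenPrivileges can return TRUE and still leave the privilege off
     * (ERROR_NOT_ALL_ASSIGNED), so the return value AND GetLastError() are both
     * checked; either condition is reported as failure. */
    if (!AdjustTokenPrivileges(hProcessToken, FALSE, &tp, sizeof(tp), NULL, NULL) ||
        GetLastError() != ERROR_SUCCESS) {
        printf("AdjustTokenPrivileges fAiled:%lu\n", GetLastError());
        goto out;
    }

    status = 0;

out:
    /* Close the token on every path; the original leaked one handle per call. */
    CloseHandle(hProcessToken);
    return status;
}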
//--------------------------------------------------------------------


 