
Windows 指定用户运行程序

Linux 下可以通过 seteuid、setegid 等 API 设置程序的运行用户;Windows 下可以通过 CreateProcessWithTokenW 达到类似效果,原理是先找到目标用户下的一个进程,获取它的 token,再用该 token 创建新进程,代码如下:

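#include <Windows.h>
#include <TlHelp32.h>
#include <Userenv.h>
#include <stdio.h>
#include <string.h>
#include <wchar.h>

/*
 * Launch a command as another interactive user on Windows.
 *
 * Strategy (unchanged from the original): enumerate processes, find one whose
 * token belongs to the requested user, duplicate that token into a primary
 * token and hand it to CreateProcessWithTokenW.  The child's stdout/stderr are
 * redirected to an inheritable log file created by CreateLogFile().
 *
 * Fixes over the original listing:
 *  - command lines were copied with an unbounded wcscpy() into a 4096-WCHAR
 *    stack buffer; the copy is now length-checked.
 *  - OpenProcessToken/DuplicateTokenEx/AllocateAndInitializeSid/LocalAlloc
 *    results were ignored, so CreateProcessWithTokenW (and CheckTokenMembership)
 *    could be called with a NULL token/SID; every call is now checked.
 *  - CreateProcessByUserToken returned pi.hProcess (NULL) on failure while
 *    CreateProcessNormal returned INVALID_HANDLE_VALUE; both now return
 *    INVALID_HANDLE_VALUE on failure.
 *  - EnablePrivilege reported TRUE even when the privilege was not assigned.
 *
 * Ownership: every HANDLE returned by the Create*/Run* functions is owned by
 * the caller and must be closed with CloseHandle().
 */

enum {
    CMDLINE_MAX = 4096,     /* WCHARs, including the terminator */
    USERNAME_BUF_LEN = 256  /* WCHARs for account / domain names */
};

/*
 * Enable one named privilege in the current process token.
 *
 * Returns TRUE only when the privilege is actually enabled.  Note that
 * AdjustTokenPrivileges returns TRUE even when the token never held the
 * privilege; that case is reported through GetLastError() as
 * ERROR_NOT_ALL_ASSIGNED, which is why the error code is consulted too.
 */
static BOOL EnablePrivilege(LPCWSTR lpszPrivilege)
{
    HANDLE hToken = NULL;
    if (!OpenProcessToken(GetCurrentProcess(),
                          TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) {
        return FALSE;
    }

    TOKEN_PRIVILEGES tp;
    ZeroMemory(&tp, sizeof(tp));
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

    BOOL bOk = LookupPrivilegeValueW(NULL, lpszPrivilege, &tp.Privileges[0].Luid);
    if (bOk) {
        bOk = AdjustTokenPrivileges(hToken, FALSE, &tp, 0, NULL, NULL)
              && GetLastError() == ERROR_SUCCESS;
    }
    CloseHandle(hToken);
    return bOk;
}

/*
 * Resolve the account name of the user owning process dwPid into szUserName
 * (capacity dwNameSize WCHARs).  Only the bare account name is produced; the
 * domain is looked up but discarded, so two accounts with the same name in
 * different domains are indistinguishable to FindProcessIdByUserName().
 *
 * Returns FALSE if the process/token cannot be opened or the SID cannot be
 * resolved.  Opening other users' processes generally needs SeDebugPrivilege,
 * which RunProcessAsUser() enables first.
 */
static BOOL GetProcessUserName(DWORD dwPid, LPWSTR szUserName, DWORD dwNameSize)
{
    BOOL bOk = FALSE;
    HANDLE hToken = NULL;
    PTOKEN_USER pTokenUser = NULL;
    DWORD dwLen = 0;

    HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, dwPid);
    if (!hProcess) {
        return FALSE;
    }
    if (!OpenProcessToken(hProcess, TOKEN_QUERY, &hToken)) {
        goto out_process;
    }

    /* First call sizes the buffer (fails with ERROR_INSUFFICIENT_BUFFER). */
    GetTokenInformation(hToken, TokenUser, NULL, 0, &dwLen);
    if (dwLen == 0) {
        goto out_token;
    }
    pTokenUser = (PTOKEN_USER)LocalAlloc(LPTR, dwLen);
    if (!pTokenUser) {
        goto out_token;
    }

    if (GetTokenInformation(hToken, TokenUser, pTokenUser, dwLen, &dwLen)) {
        SID_NAME_USE sidType;
        WCHAR szDomain[USERNAME_BUF_LEN] = { 0 };
        DWORD dwDomainLen = USERNAME_BUF_LEN;
        bOk = LookupAccountSidW(NULL, pTokenUser->User.Sid,
                                szUserName, &dwNameSize,
                                szDomain, &dwDomainLen, &sidType);
    }
    LocalFree(pTokenUser);

out_token:
    CloseHandle(hToken);
out_process:
    CloseHandle(hProcess);
    return bOk;
}

/*
 * Return the PID of the first process (in snapshot order) whose owner's
 * account name matches szTargetUserName case-insensitively, or 0 if none.
 *
 * Whichever process is found first supplies the token used for the launch;
 * nothing here checks what kind of token that is (integrity level, session,
 * restrictions), so the child inherits whatever that process happened to have.
 */
DWORD FindProcessIdByUserName(LPCWSTR szTargetUserName)
{
    HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnap == INVALID_HANDLE_VALUE) {
        return 0;
    }

    DWORD dwFound = 0;
    PROCESSENTRY32W pe;
    ZeroMemory(&pe, sizeof(pe));
    pe.dwSize = sizeof(pe);

    if (Process32FirstW(hSnap, &pe)) {
        do {
            WCHAR szProcessUser[USERNAME_BUF_LEN] = { 0 };
            if (GetProcessUserName(pe.th32ProcessID, szProcessUser, USERNAME_BUF_LEN)
                && _wcsicmp(szProcessUser, szTargetUserName) == 0) {
                dwFound = pe.th32ProcessID;
                break;
            }
        } while (Process32NextW(hSnap, &pe));
    }

    CloseHandle(hSnap);
    return dwFound;
}

/*
 * Fill *si for a child whose stdout/stderr are redirected to logFile on the
 * interactive desktop.  Shared by both launch paths so they stay identical.
 * logFile must be an inheritable handle (see CreateLogFile()).
 */
static void InitStartupInfo(STARTUPINFOW *si, HANDLE logFile)
{
    ZeroMemory(si, sizeof(*si));
    si->cb = sizeof(*si);
    si->dwFlags = STARTF_USESTDHANDLES;
    si->hStdOutput = logFile;
    si->hStdError = logFile;
    si->hStdInput = NULL;
    si->lpDesktop = L"WinSta0\\Default";
}

/*
 * Copy cmdline into a writable buffer of dstLen WCHARs.  CreateProcessW and
 * CreateProcessWithTokenW may modify the command line in place, so the
 * caller's (const) string cannot be passed directly.
 *
 * Returns FALSE when cmdline is NULL or does not fit including its
 * terminator; the original listing used an unbounded wcscpy() here.
 */
static BOOL CopyCommandLine(WCHAR *dst, size_t dstLen, LPCWSTR cmdline)
{
    if (!cmdline) {
        return FALSE;
    }
    size_t len = wcslen(cmdline);
    if (len >= dstLen) {
        return FALSE;
    }
    memcpy(dst, cmdline, (len + 1) * sizeof(WCHAR));
    return TRUE;
}

/*
 * Launch cmdline using a primary token duplicated from process dwPid.
 *
 * Returns the child's process handle (caller closes it), or
 * INVALID_HANDLE_VALUE on any failure.  CreateProcessWithTokenW needs
 * SeImpersonatePrivilege in the caller; it is handled by the Secondary Logon
 * service, which is why no inherit-handles flag is available here — the
 * std handles in STARTUPINFO are what reach the child.
 */
HANDLE CreateProcessByUserToken(DWORD dwPid, LPCWSTR cmdline, HANDLE logFile)
{
    HANDLE hResult = INVALID_HANDLE_VALUE;
    HANDLE hToken = NULL;
    HANDLE hPrimaryToken = NULL;
    LPVOID pEnv = NULL;
    STARTUPINFOW si;
    PROCESS_INFORMATION pi;
    WCHAR cmd[CMDLINE_MAX] = { 0 };

    if (!CopyCommandLine(cmd, CMDLINE_MAX, cmdline)) {
        return INVALID_HANDLE_VALUE;
    }

    HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, dwPid);
    if (!hProcess) {
        return INVALID_HANDLE_VALUE;
    }
    if (!OpenProcessToken(hProcess,
                          TOKEN_DUPLICATE | TOKEN_QUERY | TOKEN_IMPERSONATE,
                          &hToken)) {
        goto out_process;
    }
    /* A primary token is required for process creation; the source process
     * token is only borrowed, never modified. */
    if (!DuplicateTokenEx(hToken, MAXIMUM_ALLOWED, NULL, SecurityImpersonation,
                          TokenPrimary, &hPrimaryToken)) {
        goto out_token;
    }

    /* Best effort: if the user's environment block cannot be built, pass
     * NULL; per the CreateProcessWithTokenW documentation the service then
     * builds one from the token's profile (not from this process). */
    if (!CreateEnvironmentBlock(&pEnv, hPrimaryToken, FALSE)) {
        pEnv = NULL;
    }

    InitStartupInfo(&si, logFile);
    ZeroMemory(&pi, sizeof(pi));

    if (CreateProcessWithTokenW(hPrimaryToken, LOGON_WITH_PROFILE, NULL, cmd,
                                CREATE_UNICODE_ENVIRONMENT, pEnv, NULL,
                                &si, &pi)) {
        CloseHandle(pi.hThread);
        hResult = pi.hProcess;
    }

    if (pEnv) {
        DestroyEnvironmentBlock(pEnv);
    }
    CloseHandle(hPrimaryToken);
out_token:
    CloseHandle(hToken);
out_process:
    CloseHandle(hProcess);
    return hResult;
}

/*
 * Launch cmdline as the current user (no token switch).
 *
 * Returns the child's process handle (caller closes it) or
 * INVALID_HANDLE_VALUE.  bInheritHandles is TRUE so that logFile reaches the
 * child; note this passes on every inheritable handle in this process, not
 * just logFile.
 */
HANDLE CreateProcessNormal(LPCWSTR cmdline, HANDLE logFile)
{
    WCHAR cmd[CMDLINE_MAX] = { 0 };
    if (!CopyCommandLine(cmd, CMDLINE_MAX, cmdline)) {
        return INVALID_HANDLE_VALUE;
    }

    STARTUPINFOW si;
    InitStartupInfo(&si, logFile);
    PROCESS_INFORMATION pi;
    ZeroMemory(&pi, sizeof(pi));

    if (!CreateProcessW(NULL, cmd, NULL, NULL, TRUE, 0, NULL, NULL, &si, &pi)) {
        return INVALID_HANDLE_VALUE;
    }
    CloseHandle(pi.hThread);
    return pi.hProcess;
}

/*
 * TRUE when the current token is an (enabled) member of BUILTIN\Administrators.
 * CheckTokenMembership ignores deny-only group SIDs, so under UAC this is
 * expected to be FALSE for a non-elevated administrator — confirm if relying
 * on that.  Any API failure is reported as "not admin".
 */
BOOL IsAdmin(void)
{
    BOOL isAdmin = FALSE;
    PSID adminGroup = NULL;
    SID_IDENTIFIER_AUTHORITY NtAuthority = SECURITY_NT_AUTHORITY;

    if (!AllocateAndInitializeSid(&NtAuthority, 2,
                                  SECURITY_BUILTIN_DOMAIN_RID,
                                  DOMAIN_ALIAS_RID_ADMINS,
                                  0, 0, 0, 0, 0, 0, &adminGroup)) {
        return FALSE;
    }
    if (!CheckTokenMembership(NULL, adminGroup, &isAdmin)) {
        isAdmin = FALSE;
    }
    FreeSid(adminGroup);
    return isAdmin;
}

/*
 * Open (append mode) "<key>.log" in the current directory with an inheritable
 * handle so it can serve as the child's stdout/stderr.  The file gets the
 * default DACL of the current directory; the child — possibly another user —
 * only receives this append-only handle.
 *
 * Returns INVALID_HANDLE_VALUE on failure, like CreateFileW.
 */
HANDLE CreateLogFile(long long key)
{
    WCHAR fileName[260];
    swprintf(fileName, 260, L"%lld.log", key);

    SECURITY_ATTRIBUTES sa;
    ZeroMemory(&sa, sizeof(sa));
    sa.nLength = sizeof(sa);
    sa.lpSecurityDescriptor = NULL;
    sa.bInheritHandle = TRUE;   /* required for STARTF_USESTDHANDLES */

    return CreateFileW(fileName, FILE_APPEND_DATA, FILE_SHARE_READ, &sa,
                       OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
}

/*
 * Run cmd as szUserName, falling back to a plain launch as the CURRENT user
 * when: the caller is not an administrator, szUserName is NULL/empty, or no
 * running process of that user is found.  Callers that must not run the
 * command with the caller's own rights should check for the fallback case
 * (e.g. call FindProcessIdByUserName() themselves) before calling this.
 *
 * Returns the child's process handle (caller closes it) or INVALID_HANDLE_VALUE.
 */
HANDLE RunProcessAsUser(LPCWSTR szUserName, LPCWSTR cmd, HANDLE logFile)
{
    if (!IsAdmin()) {
        return CreateProcessNormal(cmd, logFile);
    }
    if (!szUserName || szUserName[0] == L'\0') {
        return CreateProcessNormal(cmd, logFile);
    }

    /* Results are deliberately ignored: SeDebug is needed to open other
     * users' processes and SeImpersonate for CreateProcessWithTokenW; the
     * last two are normally absent from an administrator token and their
     * failure is harmless.  A missing required privilege surfaces as a
     * failed launch (INVALID_HANDLE_VALUE) below. */
    EnablePrivilege(SE_DEBUG_NAME);
    EnablePrivilege(SE_IMPERSONATE_NAME);
    EnablePrivilege(SE_ASSIGNPRIMARYTOKEN_NAME);
    EnablePrivilege(SE_INCREASE_QUOTA_NAME);

    DWORD pid = FindProcessIdByUserName(szUserName);
    if (pid == 0) {
        return CreateProcessNormal(cmd, logFile);
    }
    return CreateProcessByUserToken(pid, cmd, logFile);
}

/*
 * UTF-8 convenience wrapper around RunProcessAsUser().
 *
 * A NULL szUserNameA behaves like an empty name (plain launch).  A command
 * line that fails to convert or exceeds CMDLINE_MAX WCHARs is rejected with
 * INVALID_HANDLE_VALUE instead of launching an empty command line.
 */
HANDLE RunProcessAsUserA(const char *szUserNameA, const char *cmdA, HANDLE logFile)
{
    WCHAR szUserNameW[USERNAME_BUF_LEN] = { 0 };
    WCHAR cmdW[CMDLINE_MAX] = { 0 };

    if (szUserNameA) {
        MultiByteToWideChar(CP_UTF8, 0, szUserNameA, -1,
                            szUserNameW, USERNAME_BUF_LEN);
    }
    if (cmdA) {
        if (MultiByteToWideChar(CP_UTF8, 0, cmdA, -1, cmdW, CMDLINE_MAX) == 0) {
            return INVALID_HANDLE_VALUE;
        }
    }
    return RunProcessAsUser(szUserNameW, cmdW, logFile);
}

/* Demo entry point: launches a command as user "test" with output in 123123.log. */
int main(void)
{
    HANDLE logFile = CreateLogFile(123123);
    if (logFile == INVALID_HANDLE_VALUE) {
        return 1;
    }

    HANDLE hChild = RunProcessAsUserA("test", "cmd.exe /c \"notepad.exe 1.txt\"", logFile);
    if (hChild != INVALID_HANDLE_VALUE) {
        CloseHandle(hChild);   /* not waited on; the child keeps running */
    }
    CloseHandle(logFile);
    return 0;
}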