用其他身份执行程序

unit Unit1;
 
interface
 
uses
  Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
  Dialogs, StdCtrls;
 
 
const
  { Logon options accepted by the dwLogonFlags parameter of CreateProcessWithLogon
    (same values as the Win32 LOGON_* flags; the Delphi Windows unit used here
    does not declare them, hence the local definitions). }
  LOGON_WITH_PROFILE = 1;         { load the target user's profile before starting the process }
  LOGON_NETCREDENTIALS_ONLY = 2;  { use the supplied credentials for network access only }
 
{ Delphi import of advapi32's CreateProcessWithLogonW (bound in the
  implementation section). Starts lpApplicationName / lpCommandLine under the
  account given by lpUsername / lpDomain / lpPassword.
    lpDomain may be nil (see the caller below); dwLogonFlags takes one of the
    LOGON_* constants above; lpStartupInfo.cb must already be set by the caller;
    lpProcessInfo receives the new process/thread handles, which the caller
    owns and must close. Returns False on failure, with GetLastError set. }
function CreateProcessWithLogon(
                                 lpUsername: PWChar;
                                 lpDomain: PWChar;
                                 lpPassword: PWChar;
                                 dwLogonFlags: DWORD;
                                 lpApplicationName: PWChar;
                                 lpCommandLine: PWChar;
                                 dwCreationFlags: DWORD;
                                 lpEnvironment: Pointer;
                                 lpCurrentDirectory: PWChar;
                                 const lpStartupInfo: TStartupInfo;   { const record: passed by reference, matching LPSTARTUPINFOW }
                                 var lpProcessInfo: TProcessInformation { matches LPPROCESS_INFORMATION }
                               ): BOOL; stdcall;
 
 
type
  { Demo form with a single button; clicking it launches a program under
    another account through CreateProcessWithLogon (see Button1Click). }
  TForm1 = class(TForm)
    Button1: TButton;
    { OnClick handler: runs the hard-coded demo logon and process creation. }
    procedure Button1Click(Sender: TObject);
  private
    { Private declarations }
  public
    { Public declarations }
  end;
 
var
  { Global instance of the demo form. }
  Form1: TForm1;
 
implementation
 
{$R *.dfm}
 
{ Bind the interface declaration to the wide-character export in advapi32;
  the parameters are therefore always UTF-16 (PWideChar) strings. }
function CreateProcessWithLogon; external advapi32 name 'CreateProcessWithLogonW';
 
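{ Launches cmd.exe under a different account via CreateProcessWithLogonW.
  The account name and password below are hard-coded demo values and are
  compiled into the executable as plain text, so this is sample code only.
  Compared with the original version this handler (a) converts the
  WideStrings with PWideChar() instead of Addr(s[1]), which does not index an
  empty string and so also works with range checking on, (b) still passes nil
  for an empty domain, as the old Addr(wDomain[1]) on an empty WideString
  presumably did, (c) closes the process and thread handles returned in
  ProcessInfo so they are not leaked on every click, and (d) wipes the
  password buffer once it is no longer needed.
  Raises EOSError (RaiseLastOSError) when the logon or process creation fails. }
procedure TForm1.Button1Click(Sender: TObject);
var
  wUsername, wDomain, wPassword, wApplicationName: WideString;
  pwDomain: PWideChar;
  StartupInfo: TStartupInfo;
  ProcessInfo: TProcessInformation;
begin
  wUsername := 'administrator';
  wDomain := '';
  wPassword := '123456';
  wApplicationName := 'cmd.exe';

  { An empty domain is passed as nil; PWideChar('') would instead hand the API
    an empty string, which is a different argument. }
  if wDomain = '' then
    pwDomain := nil
  else
    pwDomain := PWideChar(wDomain);

  FillChar(StartupInfo, SizeOf(TStartupInfo), 0);
  StartupInfo.cb := SizeOf(TStartupInfo);
  FillChar(ProcessInfo, SizeOf(TProcessInformation), 0);
  try
    if not CreateProcessWithLogon(PWideChar(wUsername), pwDomain, PWideChar(wPassword),
                                  LOGON_WITH_PROFILE, PWideChar(wApplicationName), nil,
                                  CREATE_DEFAULT_ERROR_MODE, nil, nil,
                                  StartupInfo, ProcessInfo) then
      RaiseLastOSError;  { must directly follow the failing call so GetLastError is intact }

    { The handler does not wait on the child; release both handles now.
      On failure they are never reached and were zeroed above. }
    CloseHandle(ProcessInfo.hThread);
    CloseHandle(ProcessInfo.hProcess);
  finally
    { Overwrite the password characters in place; the literal assignment above
      allocated a private WideString buffer, so this does not touch shared data. }
    if wPassword <> '' then
      FillChar(wPassword[1], Length(wPassword) * SizeOf(WideChar), 0);
  end;
end;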
 
end.
可以加载其他用户的 Profile，用起来比 LogonUser、CreateProcessAsUser 的组合简单，省去了设置 SE_TCB_NAME privilege 的步骤。

 

 

此函数可用于暴力破解本地账号密码

CreateProcessWithLogonW函数
CreateProcessWithLogonW API 的定义如下（各参数的含义见行尾注释）：
BOOL CreateProcessWithLogonW(
LPCWSTR , // 用户乙的账号(Account)
LPCWSTR , //用户乙的域(Domain)
LPCWSTR , // 用户乙的密码(Password)
DWORD , // logon option
LPCWSTR , // executable module name
LPWSTR , // command-line string
DWORD , // creation flags
LPVOID , // new environment block
LPCWSTR , // current directory name
LPSTARTUPINFOW , // startup information
LPPROCESS_INFORMATION // process information
);

 
