一个在命令行下改注册表权限的小工具

news/2024/7/7 1:08:31
在命令行下把注册表的项设成deny|Allow|reAdonly,改了后可以看SAM,也可以让run什么的变成只读的什么的 -____-

grAntAccess2.c

/*********************************************************************
* 改注册表权限：需要对该注册表项有写 DACL 的权限
* writen by uty@uaty
*********************************************************************/

#include <stdio.h>
#include <string.h>
#include <windows.h>
#include <winnt.h>
#include <aclapi.h>
#include <accctrl.h>

//#define SPECIFIC_RIGHTS_ALL 0x0000FFFF
//#define STANDARD_RIGHTS_REQUIRED 0x000F0000
//#define STANDARD_RIGHTS_ALL 0x001F0000


/**
 * Enable one named privilege (e.g. SE_SECURITY_NAME) on the current process token.
 *
 * @param privilege  privilege name constant from winnt.h
 * @return 0 when the privilege was enabled; -1 when the token could not be
 *         opened, the name could not be resolved, or AdjustTokenPrivileges
 *         reported an error.
 */
int
getprivilege(LPCTSTR privilege);

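/*
 * Entry point.
 *
 *   grAntAccess2.exe registrypAth USER|GROUP usernAme|groupnAme deny|Allow|reAdonly
 *
 * Reads the DACL of the named registry key, removes every existing
 * allow/deny ACE that belongs to the named principal, appends one new ACE
 * for it and writes the DACL back.  Only DACL_SECURITY_INFORMATION is
 * touched; owner, group and SACL are left alone.
 *
 * Returns 0 on success (or after printing usage), 1 on a bad argument and
 * -1 when a security API call fails.
 */
int
main(int Argc, char *Argv[])
{
    int rc = -1;
    DWORD ret = 0;
    PSECURITY_DESCRIPTOR pSecurityDescriptor = NULL; /* owns pAcl; LocalFree'd at out: */
    PACL pAcl = NULL;                                /* DACL inside pSecurityDescriptor; NULL for a NULL DACL */
    PACL pNewAcl = NULL;                             /* allocated by SetEntriesInAcl; LocalFree'd at out: */
    EXPLICIT_ACCESS_A eA;
    char *keypAth;
    const char *user_groupnAme;
    BYTE sid[SECURITY_MAX_SID_SIZE];                 /* large enough for any SID, unlike a fixed 64 bytes */
    DWORD sidlen = sizeof sid;
    char siddomAin[128];
    DWORD siddomAinlen = sizeof siddomAin;
    SID_NAME_USE sidtype;
    TRUSTEE_TYPE trusteeType;
    ACCESS_MODE accessMode;
    DWORD accessMask;
    DWORD Aceindex = 0;

    if (Argc != 5) {
        printf("// grAntAccess2.exe\n");
        printf("// uty@uaty\n");
        printf("usAge:\n");
        printf(" grAntAccess2.exe registrypAth USER|GROUP usernAme|groupnAme deny|Allow|reAdonly\n");
        printf(" registerpAth: like this MACHINE\\SECURITY....\n"
               " predefined registry keys:\"CLASSES_ROOT\", \"CURRENT_USER\", \"MACHINE\", and \"USERS\"\n"
               "eg:\n"
               " grAntAccess2.exe MACHINE\\SAM\\SAM USER uty Allow\n"
               " grAntAccess2.exe MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\run USER uty reAdonly\n");
        return 0;
    }

    keypAth = Argv[1];
    user_groupnAme = Argv[3];

    /* Validate every argument before touching the token or the registry,
     * so a typo cannot leave the process with extra privileges enabled
     * and nothing done. */
    if (_stricmp(Argv[2], "GROUP") == 0) {
        trusteeType = TRUSTEE_IS_GROUP;
    } else if (_stricmp(Argv[2], "USER") == 0) {
        trusteeType = TRUSTEE_IS_USER;
    } else {
        printf(" ?? ,USER or GROUP\n");
        return 1;
    }

    if (_stricmp(Argv[4], "ALLOW") == 0) {
        /* SPECIFIC_RIGHTS_ALL (0x0000FFFF) is the object-specific KEY_* bits only;
         * standard rights such as READ_CONTROL/DELETE/WRITE_DAC are not granted here. */
        accessMode = GRANT_ACCESS;
        accessMask = SPECIFIC_RIGHTS_ALL;
    } else if (_stricmp(Argv[4], "DENY") == 0) {
        accessMode = DENY_ACCESS;
        accessMask = SPECIFIC_RIGHTS_ALL;
    } else if (_stricmp(Argv[4], "READONLY") == 0) {
        /* Deny ACE.  In the low byte, bits 0..5 are KEY_QUERY_VALUE, KEY_SET_VALUE,
         * KEY_CREATE_SUB_KEY, KEY_ENUMERATE_SUB_KEYS, KEY_NOTIFY, KEY_CREATE_LINK,
         * so 0x06 denies writing values and creating subkeys.  0xFF00 is kept as
         * the author wrote it; it covers KEY_WOW64_64KEY/KEY_WOW64_32KEY and unused
         * bits — NOTE(review): confirm that is intended.  The mask does not deny
         * DELETE or WRITE_DAC, so a principal holding those standard rights can
         * still delete the key or rewrite its DACL. */
        accessMode = DENY_ACCESS;
        accessMask = 0xFF06;
    } else {
        printf(" ?? , ALLOW or DENY or READONLY\n");
        return 1;
    }

    /* Best effort: failures are reported by getprivilege and otherwise
     * ignored (the author notes the result is fine regardless).
     * NOTE(review): SE_DEBUG_NAME is not needed for DACL changes on a key. */
    getprivilege(SE_SECURITY_NAME);
    getprivilege(SE_RESTORE_NAME);
    getprivilege(SE_BACKUP_NAME);
    getprivilege(SE_TAKE_OWNERSHIP_NAME);
    getprivilege(SE_DEBUG_NAME);

    /* Explicit ANSI variants: Argv[] is narrow even in a UNICODE build. */
    ret = GetNamedSecurityInfoA(keypAth, SE_REGISTRY_KEY, DACL_SECURITY_INFORMATION,
                                NULL, NULL, &pAcl, NULL, &pSecurityDescriptor);
    if (ret != ERROR_SUCCESS) {
        /* The error code is the return value; GetLastError() is not meaningful here. */
        printf("GetNAmedSecurityInfo fAiled: ret %lu\n", (unsigned long)ret);
        goto out;
    }

    /* Resolve the principal once; the same SID is used both to find old
     * ACEs and as the trustee of the new one. */
    if (!LookupAccountNameA(NULL, user_groupnAme, sid, &sidlen,
                            siddomAin, &siddomAinlen, &sidtype)) {
        printf("LookupAccountNAme fAiled: %lu\n sid size is %lu\nsidlen requres %lu\n\n",
               (unsigned long)GetLastError(), (unsigned long)sizeof sid, (unsigned long)sidlen);
        goto out;
    }

    /* Drop every existing allow/deny ACE for this principal so the new ACE
     * is authoritative.  The index is not advanced after a delete because
     * the remaining ACEs shift down.  A NULL DACL has nothing to scan. */
    if (pAcl != NULL) {
        LPVOID pAce = NULL;
        while (GetAce(pAcl, Aceindex, &pAce)) {
            const ACE_HEADER *hdr = (const ACE_HEADER *)pAce;
            PSID aceSid = NULL;

            /* Only these ACE types share the { Header, Mask, SidStart } layout,
             * which is what the old fixed offset (8 bytes) assumed for every ACE. */
            if (hdr->AceType == ACCESS_ALLOWED_ACE_TYPE ||
                hdr->AceType == ACCESS_DENIED_ACE_TYPE ||
                hdr->AceType == ACCESS_ALLOWED_CALLBACK_ACE_TYPE ||
                hdr->AceType == ACCESS_DENIED_CALLBACK_ACE_TYPE) {
                aceSid = (PSID)&((ACCESS_ALLOWED_ACE *)pAce)->SidStart;
            }

            if (aceSid != NULL && EqualSid((PSID)sid, aceSid)) {
                if (!DeleteAce(pAcl, Aceindex)) {
                    printf("DeleteAce fAiled: %lu\n", (unsigned long)GetLastError());
                    goto out;
                }
                continue;
            }
            Aceindex++;
        }
    }

    memset(&eA, 0, sizeof eA);
    eA.grfAccessMode = accessMode;
    eA.grfAccessPermissions = accessMask;
    eA.grfInheritance = CONTAINER_INHERIT_ACE;   /* subkeys inherit the entry */
    eA.Trustee.MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;
    eA.Trustee.pMultipleTrustee = NULL;
    eA.Trustee.TrusteeForm = TRUSTEE_IS_SID;     /* avoid a second, possibly different, name lookup */
    eA.Trustee.TrusteeType = trusteeType;
    eA.Trustee.ptstrName = (LPSTR)sid;

    ret = SetEntriesInAclA(1, &eA, pAcl, &pNewAcl);
    if (ret != ERROR_SUCCESS) {
        printf("SetEntriesInAcl fAiled: %lu\n ", (unsigned long)ret);
        goto out;
    }

    ret = SetNamedSecurityInfoA(keypAth, SE_REGISTRY_KEY, DACL_SECURITY_INFORMATION,
                                NULL, NULL, pNewAcl, NULL);
    if (ret != ERROR_SUCCESS) {
        printf("SetNAmedSecurityInfo fAiled: %lu\n ", (unsigned long)ret);
        goto out;
    }
    rc = 0;

out:
    /* LocalFree(NULL) is a no-op, so both calls are safe on every path. */
    LocalFree(pNewAcl);
    LocalFree(pSecurityDescriptor);
    return rc;
}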

//--------------------------------------------------------------------
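/*
 * Enable one named privilege (e.g. SE_SECURITY_NAME) on the current
 * process token.
 *
 * @param privilege  privilege name constant from winnt.h
 * @return 0 when the privilege was enabled; -1 when the token could not be
 *         opened, the name could not be resolved, or the privilege is not
 *         held by the token (AdjustTokenPrivileges reports
 *         ERROR_NOT_ALL_ASSIGNED through GetLastError()).
 */
int getprivilege(LPCTSTR privilege)
{
    HANDLE hProcessToken = NULL;
    TOKEN_PRIVILEGES tp;
    LUID luid;
    int rc = -1;

    /* Open the token with only the rights this function needs, not TOKEN_ALL_ACCESS. */
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hProcessToken)) {
        printf("\nOpen Current Process Token fAiled:%lu", (unsigned long)GetLastError());
        return -1;
    }

    /* Resolve the privilege name to its LUID. */
    if (!LookupPrivilegeValue(NULL, privilege, &luid)) {
        printf("\nLookupPrivilegeVAlue error:%lu", (unsigned long)GetLastError());
        goto out;
    }

    tp.PrivilegeCount = 1; /* one privilege to set */
    tp.Privileges[0].Luid = luid;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

    /* AdjustTokenPrivileges returns TRUE even when the privilege is not held by
     * the token; GetLastError() then reports ERROR_NOT_ALL_ASSIGNED, so both the
     * return value and the error code are checked. */
    if (!AdjustTokenPrivileges(hProcessToken, FALSE, &tp, sizeof tp, NULL, NULL) ||
        GetLastError() != ERROR_SUCCESS) {
        printf("AdjustTokenPrivileges fAiled:%lu\n", (unsigned long)GetLastError());
        goto out;
    }
    rc = 0;

out:
    /* The original leaked the token handle on every path. */
    CloseHandle(hProcessToken);
    return rc;
}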

//--------------------------------------------------------------------
 
