
[英]Why an RPC call would return access denied when running as a local admin?
我刚刚开始使用 Windows RPC 编程。 我正在尝试通过ms-even6与 Windows 事件日志系统进行交互。 Microsoft 没有在其教程中介绍安全 RPC 调用,我在任何地方都找不到太多相关信息。 到目前为止,我有以下代码......
#include <stdlib.h>
#include <iostream>
#include <ctype.h>
#include "ms-even6_h.h"
#include <windows.h>
#pragma comment(lib, "rpcrt4.lib")
// Entry point of the first attempt: builds a named-pipe RPC binding to the local
// event log service, attaches NTLM/integrity authentication and calls
// EvtRpcGetChannelConfig once. This is the version the question reports as
// failing (see the author's own comment on the RpcTryExcept block below).
int main()
{
RPC_STATUS status;
// Binding components: no UUID, ncacn_np over the local \pipe\eventlog endpoint,
// no network address (local machine), no extra options.
// NOTE(review): \pipe\eventlog is the endpoint of the older MS-EVEN interface;
// MS-EVEN6 (IEventService) is served over ncacn_ip_tcp with a dynamic endpoint,
// which is what the author's update further down the page switches to — and the
// update reports the access-denied exception disappeared with that change.
RPC_WSTR pszUuid = NULL;
// RPC_WSTR is a non-const pointer type, hence the casts; the RPC APIs do not
// write through these pointers.
RPC_WSTR pszProtocolSequence = reinterpret_cast<RPC_WSTR>(const_cast<PWSTR>(L"ncacn_np"));
RPC_WSTR pszNetworkAddress = NULL;
RPC_WSTR pszEndpoint = reinterpret_cast<RPC_WSTR>(const_cast<PWSTR>(L"\\pipe\\eventlog"));
RPC_WSTR pszOptions = NULL;
RPC_WSTR pszStringBinding = NULL;
// Exception code captured by the RpcExcept handler below.
unsigned long ulCode;
status = RpcStringBindingCompose(pszUuid,
pszProtocolSequence,
pszNetworkAddress,
pszEndpoint,
pszOptions,
&pszStringBinding);
if (status) {
std::cerr << "[-] RpcStringBindingCompose failed [" << status << "]" << std::endl;
exit(status);
}
// client_IfHandle is not declared in this file; presumably the implicit binding
// handle MIDL emits into ms-even6_h.h — confirm against the generated header.
status = RpcBindingFromStringBinding(pszStringBinding, &client_IfHandle);
if (status) {
std::cerr << "[-] RpcBindingFromStringBinding failed [" << status << "]" << std::endl;
exit(status);
}
// Authentication: NTLM (RPC_C_AUTHN_WINNT) with the process's default credentials,
// no server principal name, packet-integrity level. Packets are signed but not
// encrypted, and NTLM gives the client no proof of the server's identity; that is
// tolerable for a localhost probe but should be revisited before this binding ever
// points at a remote host (RPC_C_AUTHN_LEVEL_PKT_PRIVACY, a negotiable package
// such as RPC_C_AUTHN_GSS_NEGOTIATE, and an SPN).
status = RpcBindingSetAuthInfo(client_IfHandle,
0,
RPC_C_AUTHN_LEVEL_PKT_INTEGRITY,
RPC_C_AUTHN_WINNT,
0,
0
);
if (status) {
std::cerr << "[-] RpcBindingSetAuthInfo failed [" << status << "]" << std::endl;
exit(status);
}
RpcTryExcept // This block always throws an Access Denied runtime exception
{
// [out] list filled by the stub. Nothing here zeroes it; the author's working
// version later on the page sets count = 0 and props = NULL first and attributes
// the "stub received bad data" failure seen after the transport change to
// uninitialized pointers.
EvtRpcVariantList props;
status = EvtRpcGetChannelConfig(L"Application", 0, &props);
if (status)
{
std::cerr << "[-] EvtRpcGetChannelConfig failed [" << status << "]" << std::endl;
// exit() from inside the SEH block: RpcStringFree/RpcBindingFree below never run.
exit(status);
}
std::cout << "[+] EvtRpcGetChannelConfig worked!" << std::endl;
}
// Filter value 1 == EXCEPTION_EXECUTE_HANDLER: every RPC runtime exception lands here.
RpcExcept(1)
{
ulCode = RpcExceptionCode();
// Only printf in the file (everything else uses iostreams); it relies on <stdio.h>
// arriving transitively, and %ld is paired with an unsigned long (%lu would match).
printf("Runtime reported exception 0x%lx = %ld\n", ulCode, ulCode);
}
RpcEndExcept
status = RpcStringFree(&pszStringBinding);
if (status) {
std::cerr << "[-] RpcStringFree failed [" << status << "]" << std::endl;
exit(status);
}
status = RpcBindingFree(&client_IfHandle);
if (status) {
std::cerr << "[-] RpcBindingFree failed [" << status << "]" << std::endl;
exit(status);
}
// Reached even when the RpcExcept handler ran, so "Done." does not imply success.
std::cout << "[+] Done." << std::endl;
return 0;
}
/******************************************************/
/* MIDL allocate and free */
/******************************************************/
/* Allocator the MIDL-generated stubs call for [out] data; pairs with midl_user_free.
   len is forwarded to malloc unchanged, so the result is NULL when malloc fails. */
void __RPC_FAR* __RPC_USER midl_user_allocate(size_t len)
{
    void __RPC_FAR* block = malloc(len);
    return block;
}
/* Release function the MIDL-generated stubs call for memory obtained from
   midl_user_allocate. A NULL ptr is a no-op, exactly as with free. */
void __RPC_USER midl_user_free(void __RPC_FAR* ptr)
{
    if (ptr != NULL)
        free(ptr);
}
我尝试调用不同的 RPC 函数,它们都抛出拒绝访问异常。 我的客户端进程以本地管理员身份运行,我的目标是我的本地机器。
对我在这里做错了什么有什么想法吗?
感谢所有帮助!
#更新
在查看 windows_protocols ms-even6 后,我将协议序列更改为 ncacn_ip_tcp。ACCESS DENIED 错误似乎消失了,但现在我得到一个 Runtime reported exception 0x6f7 = 1783 (The stub received bad data.) 错误。
/* file: helloc.c */
#include <stdlib.h>
#include <iostream>
#include <ctype.h>
#include "ms-even6_h.h"
#include <windows.h>
#include <thread>
#pragma comment(lib, "rpcrt4.lib")
// Entry point of the second attempt: same flow as the first, but the binding is
// ncacn_ip_tcp to localhost with a dynamic endpoint resolved through the endpoint
// mapper. Per the author's update this removed the access-denied exception and
// left a "stub received bad data" exception in its place.
int main()
{
RPC_STATUS status;
RPC_WSTR pszUuid = NULL;
// RPC_WSTR is a non-const pointer type, hence the casts; the RPC APIs do not
// write through these pointers.
RPC_WSTR pszProtocolSequence = reinterpret_cast<RPC_WSTR>(const_cast<PWSTR>(L"ncacn_ip_tcp"));
RPC_WSTR pszNetworkAddress = reinterpret_cast<RPC_WSTR>(const_cast<PWSTR>(L"localhost"));
// NULL endpoint: the concrete TCP port is looked up by RpcEpResolveBinding below.
RPC_WSTR pszEndpoint = NULL;
RPC_WSTR pszOptions = NULL;
RPC_WSTR pszStringBinding = NULL;
// Exception code captured by the RpcExcept handler below.
unsigned long ulCode;
status = RpcStringBindingCompose(pszUuid,
pszProtocolSequence,
pszNetworkAddress,
pszEndpoint,
pszOptions,
&pszStringBinding);
if (status) {
std::cerr << "[-] RpcStringBindingCompose failed [" << status << "]" << std::endl;
exit(status);
}
// client_IfHandle is not declared in this file; presumably the implicit binding
// handle MIDL emits into ms-even6_h.h — confirm against the generated header.
status = RpcBindingFromStringBinding(pszStringBinding, &client_IfHandle);
if (status) {
std::cerr << "[-] RpcBindingFromStringBinding failed [" << status << "]" << std::endl;
exit(status);
}
// Ask the endpoint mapper on localhost which endpoint is registered for the
// IEventService v1.0 interface (IEventService_v1_0_c_ifspec comes from the
// MIDL-generated header) and fill it into the partially bound handle.
status = RpcEpResolveBinding(
client_IfHandle,
IEventService_v1_0_c_ifspec
);
if (status) {
std::cerr << "[-] RpcEpResolveBinding failed [" << status << "]" << std::endl;
exit(status);
}
// Authentication: NTLM (RPC_C_AUTHN_WINNT) with default credentials, no server
// principal name, packet-integrity level. Signed but not encrypted, and NTLM gives
// the client no proof of the server's identity; fine for localhost, revisit before
// targeting a remote host (RPC_C_AUTHN_LEVEL_PKT_PRIVACY, a negotiable package, an SPN).
status = RpcBindingSetAuthInfo(client_IfHandle,
0,
RPC_C_AUTHN_LEVEL_PKT_INTEGRITY,
RPC_C_AUTHN_WINNT,
0,
0
);
if (status) {
std::cerr << "[-] RpcBindingSetAuthInfo failed [" << status << "]" << std::endl;
exit(status);
}
RpcTryExcept
{
// [out] list filled by the stub, still not zeroed here. The author's working
// version later on the page sets count = 0 and props = NULL first and names
// uninitialized pointers as the cause of the bad-data / invalid-array-bounds
// exceptions this version raises.
EvtRpcVariantList props;
// The (INT32)0 is a C-style cast of the flags argument; it does not change the call.
status = EvtRpcGetChannelConfig(L"Application", (INT32)0, &props);
if (status)
{
std::cerr << "[-] EvtRpcGetChannelConfig failed [" << status << "]" << std::endl;
// exit() from inside the SEH block: RpcStringFree/RpcBindingFree below never run.
exit(status);
}
std::cout << "[+] EvtRpcGetChannelConfig worked!" << std::endl;
}
// Filter value 1 == EXCEPTION_EXECUTE_HANDLER: every RPC runtime exception lands here.
RpcExcept(1)
{
ulCode = RpcExceptionCode();
// Printed once in hex and once in decimal; std::dec restores the stream's base.
std::cerr << "[-] Runtime reported exception 0x"
<< std::hex << ulCode
<< " = "
<< std::dec << ulCode
<< std::endl;
}
RpcEndExcept
status = RpcStringFree(&pszStringBinding);
if (status) {
std::cerr << "[-] RpcStringFree failed [" << status << "]" << std::endl;
exit(status);
}
status = RpcBindingFree(&client_IfHandle);
if (status) {
std::cerr << "[-] RpcBindingFree failed [" << status << "]" << std::endl;
exit(status);
}
// Reached even when the RpcExcept handler ran, so "Done." does not imply success.
std::cout << "[+] Done." << std::endl;
return 0;
}
/******************************************************/
/* MIDL allocate and free */
/******************************************************/
/* Allocator the MIDL-generated stubs call for [out] data; pairs with midl_user_free.
   len is forwarded to malloc unchanged, so the result is NULL when malloc fails. */
void __RPC_FAR* __RPC_USER midl_user_allocate(size_t len)
{
    void __RPC_FAR* block = malloc(len);
    return block;
}
/* Release function the MIDL-generated stubs call for memory obtained from
   midl_user_allocate. A NULL ptr is a no-op, exactly as with free. */
void __RPC_USER midl_user_free(void __RPC_FAR* ptr)
{
    if (ptr != NULL)
        free(ptr);
}
看了 windows_protocols ms-even6 后,我把协议序列改成了 ncacn_ip_tcp。改完之后 ACCESS DENIED 错误消失了,但我仍然无法调用远程过程。该应用程序总是失败,运行时报告异常 0x6f7 = 1783(存根收到错误数据。)或异常 0x6c6 = 1734(数组边界无效。)。
原因是未初始化的指针:一旦我正确初始化了指针和 DWORD,一切就正常了!
这是一个工作示例。
/* file: helloc.c */
#include <stdlib.h>
#include <iostream>
#include <ctype.h>
#include <windows.h>
#include "ms-even6_h.h"
#pragma comment(lib, "rpcrt4.lib")
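/* EvtRpcOpenLogHandle flags (MS-EVEN6): 1 selects the channel-path form of the
   path argument, which is how the working example on this page calls it. */
static const DWORD kOpenLogChannelPath = 0x00000001;
/* EvtRpcRegisterRemoteSubscription flags (MS-EVEN6). The values are the same as
   winevt.h's EvtSubscribeStartAtOldestRecord and EvtSubscribeTolerateQueryErrors. */
static const DWORD kSubscribeStartAtOldestRecord = 0x00000002;
static const DWORD kSubscribeTolerateQueryErrors = 0x00001000;

/* The RPC string APIs take RPC_WSTR (a non-const unsigned short*) but never write
   through it, so wide literals are cast once here instead of at every call site. */
static RPC_WSTR rpc_wstr(const wchar_t* text)
{
    return reinterpret_cast<RPC_WSTR>(const_cast<wchar_t*>(text));
}

/* Reports a failed RPC or MS-EVEN6 call on stderr in the "[-] <call> failed [<status>]"
   form used throughout this file. */
static void report_failure(const char* call, RPC_STATUS status)
{
    std::cerr << "[-] " << call << " failed [" << status << "]" << std::endl;
}

/* Step 1: open a log handle on the Application channel and close it again.
   Returns RPC_S_OK or the status of the first failing call. */
static RPC_STATUS open_and_close_log()
{
    PCONTEXT_HANDLE_LOG_HANDLE hLog = NULL;
    RpcInfo error = {}; /* [out] failure detail filled by the server */
    RPC_STATUS status = EvtRpcOpenLogHandle(L"Application", kOpenLogChannelPath, &hLog, &error);
    if (status) {
        report_failure("EvtRpcOpenLogHandle", status);
        return status;
    }
    std::cout << "[+] EvtRpcOpenLogHandle worked!" << std::endl;

    /* Release the server-side context handle right away; nothing else uses it. */
    status = EvtRpcClose(&hLog);
    if (status) {
        report_failure("EvtRpcClose", status);
        return status;
    }
    std::cout << "[+] EvtRpcClose worked!" << std::endl;
    return RPC_S_OK;
}

/* Step 2: fetch the Application channel configuration, print the type of every
   property and release the list the stub allocated. Returns RPC_S_OK or the
   failing status. */
static RPC_STATUS dump_channel_config()
{
    /* [out] list: both fields are zeroed before the call. The author traced the
       "stub received bad data" / "invalid array bounds" exceptions of the earlier
       versions to leaving this (and the DWORDs below) uninitialized. */
    EvtRpcVariantList props;
    props.count = 0;
    props.props = NULL;
    RPC_STATUS status = EvtRpcGetChannelConfig(L"Application", 0, &props);
    if (status) {
        report_failure("EvtRpcGetChannelConfig", status);
        return status;
    }
    std::cout << "[+] EvtRpcGetChannelConfig worked!" << std::endl;
    for (size_t i = 0; i < props.count; i++)
    {
        std::cout << "\tChannelConfig[" << i << "]:"
                  << "\n\t\ttype: " << props.props[i].type
                  << std::endl;
    }
    /* The array itself came from midl_user_allocate. Variant payloads (strings,
       arrays inside each entry) may hold further stub allocations — TODO confirm
       against the generated header and free those before the array. */
    midl_user_free(props.props);
    return RPC_S_OK;
}

/* Step 3: register a subscription on the Application channel, pull one batch of
   event records, then release every buffer the stub handed back and close both
   context handles on the server. Returns RPC_S_OK or the first failing status. */
static RPC_STATUS subscribe_and_fetch_one()
{
    PCONTEXT_HANDLE_REMOTE_SUBSCRIPTION hSub = NULL;
    PCONTEXT_HANDLE_OPERATION_CONTROL hOpCtrl = NULL;
    DWORD dwQueryChannelInfoSize = 0;
    EvtRpcQueryChannelInfo* queryChannelInfo = NULL;
    RpcInfo error = {};
    RPC_STATUS status = EvtRpcRegisterRemoteSubscription(
        L"Application",
        L"*",
        NULL,
        kSubscribeStartAtOldestRecord | kSubscribeTolerateQueryErrors,
        &hSub,
        &hOpCtrl,
        &dwQueryChannelInfoSize,
        &queryChannelInfo,
        &error);
    if (status) {
        report_failure("EvtRpcRegisterRemoteSubscription", status);
        return status;
    }
    std::cout << "[+] EvtRpcRegisterRemoteSubscription worked!" << std::endl;
    std::cout << "\tdwQueryChannelInfoSize: " << dwQueryChannelInfoSize << std::endl;
    for (DWORD i = 0; i < dwQueryChannelInfoSize; i++)
    {
        std::wcout << L"\tqueryChannelInfo[" << i << "]: "
                   << queryChannelInfo[i].name
                   << L" ("
                   << queryChannelInfo[i].status
                   << L")"
                   << std::endl;
        /* Each name is a separately allocated [string] member. */
        midl_user_free(queryChannelInfo[i].name);
    }
    midl_user_free(queryChannelInfo);

    DWORD numActualRecords = 0;
    DWORD* eventDataIndices = NULL;
    DWORD* eventDataSizes = NULL;
    DWORD resultBufferSize = 0;
    BYTE* resultBuffer = NULL;
    status = EvtRpcRemoteSubscriptionNextAsync(
        hSub,
        1, /* numRequestedRecords */
        0, /* flags */
        &numActualRecords,
        &eventDataIndices,
        &eventDataSizes,
        &resultBufferSize,
        &resultBuffer
    );
    if (status == RPC_S_OK) {
        std::cout << "[+] EvtRpcRemoteSubscriptionNextAsync worked!" << std::endl;
        midl_user_free(eventDataIndices);
        midl_user_free(eventDataSizes);
        midl_user_free(resultBuffer);
    } else {
        report_failure("EvtRpcRemoteSubscriptionNextAsync", status);
    }

    /* Close both context handles whether or not the fetch worked, so the server
       does not keep the subscription alive until the connection drops. A close
       failure is reported but never masks the status of the fetch. */
    RPC_STATUS closeStatus = EvtRpcClose(&hSub);
    if (closeStatus) {
        report_failure("EvtRpcClose(subscription)", closeStatus);
    }
    closeStatus = EvtRpcClose(&hOpCtrl);
    if (closeStatus) {
        report_failure("EvtRpcClose(operation control)", closeStatus);
    }
    return status;
}

/* Entry point of the working example: binds to the local IEventService (MS-EVEN6)
   over ncacn_ip_tcp, resolves the dynamic endpoint, attaches authentication and
   runs the three steps above inside one RpcTryExcept frame.

   Unlike the version it replaces, a failure no longer calls exit() from inside the
   SEH block: every path releases the string binding and the binding handle, and
   the process exit code is the failing RPC status (or the RPC exception code).
   Only plain-old-data locals live in this function on purpose: MSVC refuses
   __try in a function that also needs C++ object unwinding (C2712). */
int main()
{
    RPC_WSTR pszStringBinding = NULL;
    /* No UUID, ncacn_ip_tcp to localhost, NULL endpoint (MS-EVEN6 uses a dynamic
       TCP endpoint that RpcEpResolveBinding fills in below), no options. */
    RPC_STATUS status = RpcStringBindingCompose(NULL,
        rpc_wstr(L"ncacn_ip_tcp"),
        rpc_wstr(L"localhost"),
        NULL,
        NULL,
        &pszStringBinding);
    if (status) {
        report_failure("RpcStringBindingCompose", status);
        return status;
    }

    /* client_IfHandle is the implicit binding handle from the MIDL-generated header. */
    status = RpcBindingFromStringBinding(pszStringBinding, &client_IfHandle);
    if (status) {
        report_failure("RpcBindingFromStringBinding", status);
        RpcStringFree(&pszStringBinding);
        return status;
    }

    /* Ask the endpoint mapper which endpoint serves IEventService v1.0. */
    status = RpcEpResolveBinding(client_IfHandle, IEventService_v1_0_c_ifspec);
    if (status) {
        report_failure("RpcEpResolveBinding", status);
    }

    /* NTLM (RPC_C_AUTHN_WINNT) with the process's default credentials, no server
       principal name, packet-integrity level: traffic is signed, not encrypted, and
       NTLM gives the client no proof of the server's identity. Acceptable for a
       localhost probe; before pointing this at a remote host, raise the level to
       RPC_C_AUTHN_LEVEL_PKT_PRIVACY and consider RPC_C_AUTHN_GSS_NEGOTIATE with an
       SPN so the server is authenticated too. */
    if (status == RPC_S_OK) {
        status = RpcBindingSetAuthInfo(client_IfHandle,
            NULL,
            RPC_C_AUTHN_LEVEL_PKT_INTEGRITY,
            RPC_C_AUTHN_WINNT,
            NULL,
            0);
        if (status) {
            report_failure("RpcBindingSetAuthInfo", status);
        }
    }

    if (status == RPC_S_OK) {
        /* RPC runtime errors surface as SEH exceptions from the stubs; one frame
           here covers all three steps. If an exception fires mid-step, that step's
           partially received [out] buffers are not released (accepted for a probe). */
        RpcTryExcept
        {
            status = open_and_close_log();
            if (status == RPC_S_OK) {
                status = dump_channel_config();
            }
            if (status == RPC_S_OK) {
                status = subscribe_and_fetch_one();
            }
        }
        RpcExcept(1) /* 1 == EXCEPTION_EXECUTE_HANDLER: handle every RPC runtime exception */
        {
            unsigned long ulCode = RpcExceptionCode();
            std::cerr << "[-] Runtime reported exception 0x"
                      << std::hex << ulCode
                      << " = "
                      << std::dec << ulCode
                      << std::endl;
            status = static_cast<RPC_STATUS>(ulCode);
        }
        RpcEndExcept
    }

    /* Cleanup runs on every path; a cleanup failure only becomes the exit status
       when nothing earlier failed. */
    RPC_STATUS freeStatus = RpcStringFree(&pszStringBinding);
    if (freeStatus) {
        report_failure("RpcStringFree", freeStatus);
        if (status == RPC_S_OK) {
            status = freeStatus;
        }
    }
    freeStatus = RpcBindingFree(&client_IfHandle);
    if (freeStatus) {
        report_failure("RpcBindingFree", freeStatus);
        if (status == RPC_S_OK) {
            status = freeStatus;
        }
    }
    if (status == RPC_S_OK) {
        std::cout << "[+] Done." << std::endl;
    }
    return status;
}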
/******************************************************/
/* MIDL allocate and free */
/******************************************************/
/* Allocator the MIDL-generated stubs call for [out] data; pairs with midl_user_free.
   len is forwarded to malloc unchanged, so the result is NULL when malloc fails. */
void __RPC_FAR* __RPC_USER midl_user_allocate(size_t len)
{
    void __RPC_FAR* block = malloc(len);
    return block;
}
/* Release function the MIDL-generated stubs call for memory obtained from
   midl_user_allocate. A NULL ptr is a no-op, exactly as with free. */
void __RPC_USER midl_user_free(void __RPC_FAR* ptr)
{
    if (ptr != NULL)
        free(ptr);
}