[英]Runas /NETONLY from C#
我正在嘗試編寫一個與 runas /netonly 執行相同操作的 C# 程序。 做和 runas 一樣的事情很容易,我找到了很多例子。 但是,像 runas 一樣執行 /netonly 似乎並不容易。
我從各種答案中發現了大部分代碼,但它需要一些標准用戶沒有的特權。 我的問題是,runas 命令行如何在沒有任何特權,甚至沒有管理員權限的情況下工作,而我的程序不能? runas 使用什么 API 使其無需任何特權即可工作? 我應該在此代碼中進行哪些更改,以使其在沒有特權的情況下工作?
為了進一步解釋這種方法:我使用 LogonUser API 來創建一個帶有“NEW_CREDENTIALS”參數的 NetOnly 令牌。 然后,我使用 CreateProcessAsUser 使用以前的令牌運行任何外部 exe。
我嘗試過的其他方法失敗,例如:使用來自 LogonUser 的模擬令牌的進程啟動不起作用,因為進程啟動不繼承模擬令牌,而是使用來自父進程的原始令牌。
這是代碼:
using Microsoft.Win32.SafeHandles;
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.IO;
using System.Linq;
using System.Reflection;
using System.Runtime.InteropServices;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
namespace runas_manager
{
internal class ImpersonatedProcess
{
//private const string CommandLine = @"C:\createjobobject.exe";
private NativeMethods.ProcessInformation _processInfo;
private readonly ManualResetEvent _exited = new ManualResetEvent(false);
public IntPtr Handle { get; private set; }
public event EventHandler? Exited;
public TextReader StandardOutput { get; private set; }
public TextReader StandardError { get; private set; }
public TextWriter StandardInput { get; private set; }
public void WaitForExit()
{
WaitForExit(-1);
}
public bool WaitForExit(int milliseconds)
{
return _exited.WaitOne(milliseconds);
}
public bool Start(string username, string password, string domain, string executablePath)
{
_processInfo = new NativeMethods.ProcessInformation();
var startInfo = new NativeMethods.StartupInfo();
bool success;
SafeFileHandle hToken, hReadOut, hWriteOut, hReadErr, hWriteErr, hReadIn, hWriteIn;
var securityAttributes = new NativeMethods.SecurityAttributes();
securityAttributes.bInheritHandle = true;
success = NativeMethods.CreatePipe(out hReadOut, out hWriteOut, securityAttributes, 0);
if (!success)
throw new Win32Exception(Marshal.GetLastWin32Error());
success = NativeMethods.CreatePipe(out hReadErr, out hWriteErr, securityAttributes, 0);
if (!success)
throw new Win32Exception(Marshal.GetLastWin32Error());
success = NativeMethods.CreatePipe(out hReadIn, out hWriteIn, securityAttributes, 0);
if (!success)
throw new Win32Exception(Marshal.GetLastWin32Error());
success = NativeMethods.SetHandleInformation(hReadOut, NativeMethods.Constants.HANDLE_FLAG_INHERIT, 0);
if (!success)
throw new Win32Exception(Marshal.GetLastWin32Error());
// Logon user
success = NativeMethods.LogonUser(
username,
domain,
password,
NativeMethods.LogonType.LOGON32_LOGON_NEW_CREDENTIALS,
NativeMethods.LogonProvider.LOGON32_PROVIDER_DEFAULT,
out hToken
);
if (!success)
throw new Win32Exception(Marshal.GetLastWin32Error());
if (!NativeMethods.CreateEnvironmentBlock(out IntPtr unmanagedEnv, hToken.DangerousGetHandle(), false))
{
int lastError = Marshal.GetLastWin32Error();
throw new Win32Exception(lastError, "Error calling CreateEnvironmentBlock: " + lastError);
}
// Create process
startInfo.cb = Marshal.SizeOf(startInfo);
startInfo.dwFlags = NativeMethods.Constants.STARTF_USESTDHANDLES;
startInfo.hStdOutput = hWriteOut;
startInfo.hStdError = hWriteErr;
startInfo.hStdInput = hReadIn;
success = NativeMethods.CreateProcessAsUser(
hToken,
null,
executablePath,
IntPtr.Zero,
IntPtr.Zero,
true,
NativeMethods.CreateProcessFlags.CREATE_UNICODE_ENVIRONMENT,
unmanagedEnv,
null,
ref startInfo,
out _processInfo
);
if (!success)
throw new Win32Exception(Marshal.GetLastWin32Error());
Handle = _processInfo.hProcess;
startInfo.hStdOutput.Close();
startInfo.hStdError.Close();
startInfo.hStdInput.Close();
StandardOutput = new StreamReader(new FileStream(hReadOut, FileAccess.Read), Console.OutputEncoding);
StandardError = new StreamReader(new FileStream(hReadErr, FileAccess.Read), Console.OutputEncoding);
StandardInput = new StreamWriter(new FileStream(hWriteIn, FileAccess.Write), Console.InputEncoding);
WaitForExitAsync();
return success;
}
private void WaitForExitAsync()
{
var thr = new Thread(() =>
{
_ = NativeMethods.WaitForSingleObject(_processInfo.hProcess, NativeMethods.Constants.INFINITE);
Exited?.Invoke(this, EventArgs.Empty);
_exited.Set();
});
thr.Start();
}
}
}
和 nativemethods 聲明
using System;
using System.Collections.Generic;
using System.Linq;
using System.Runtime.InteropServices;
using System.Text;
using System.Threading.Tasks;
using Microsoft.Win32.SafeHandles;
namespace runas_manager
{
class NativeMethods
{
[StructLayout(LayoutKind.Sequential)]
public struct ProcessInformation
{
public IntPtr hProcess;
public IntPtr hThread;
public Int32 dwProcessId;
public Int32 dwThreadId;
}
[StructLayout(LayoutKind.Sequential)]
public struct StartupInfo
{
public Int32 cb;
public String lpReserved;
public String lpDesktop;
public String lpTitle;
public Int32 dwX;
public Int32 dwY;
public Int32 dwXSize;
public Int32 dwYSize;
public Int32 dwXCountChars;
public Int32 dwYCountChars;
public Int32 dwFillAttribute;
public uint dwFlags;
public Int16 wShowWindow;
public Int16 cbReserved2;
public IntPtr lpReserved2;
public SafeFileHandle hStdInput;
public SafeFileHandle hStdOutput;
public SafeFileHandle hStdError;
}
[StructLayout(LayoutKind.Sequential)]
public class SecurityAttributes
{
public Int32 Length;
public IntPtr lpSecurityDescriptor;
public bool bInheritHandle;
public SecurityAttributes()
{
this.Length = Marshal.SizeOf(this);
}
}
[Flags]
public enum LogonType
{
LOGON32_LOGON_INTERACTIVE = 2,
LOGON32_LOGON_NETWORK = 3,
LOGON32_LOGON_BATCH = 4,
LOGON32_LOGON_SERVICE = 5,
LOGON32_LOGON_UNLOCK = 7,
LOGON32_LOGON_NETWORK_CLEARTEXT = 8,
LOGON32_LOGON_NEW_CREDENTIALS = 9
}
[Flags]
public enum LogonProvider
{
LOGON32_PROVIDER_DEFAULT = 0,
LOGON32_PROVIDER_WINNT35,
LOGON32_PROVIDER_WINNT40,
LOGON32_PROVIDER_WINNT50
}
[Flags]
public enum CreateProcessFlags
{
CREATE_BREAKAWAY_FROM_JOB = 0x01000000,
CREATE_DEFAULT_ERROR_MODE = 0x04000000,
CREATE_NEW_CONSOLE = 0x00000010,
CREATE_NEW_PROCESS_GROUP = 0x00000200,
CREATE_NO_WINDOW = 0x08000000,
CREATE_PROTECTED_PROCESS = 0x00040000,
CREATE_PRESERVE_CODE_AUTHZ_LEVEL = 0x02000000,
CREATE_SEPARATE_WOW_VDM = 0x00000800,
CREATE_SHARED_WOW_VDM = 0x00001000,
CREATE_SUSPENDED = 0x00000004,
CREATE_UNICODE_ENVIRONMENT = 0x00000400,
DEBUG_ONLY_THIS_PROCESS = 0x00000002,
DEBUG_PROCESS = 0x00000001,
DETACHED_PROCESS = 0x00000008,
EXTENDED_STARTUPINFO_PRESENT = 0x00080000,
INHERIT_PARENT_AFFINITY = 0x00010000
}
public class Constants
{
public const int HANDLE_FLAG_INHERIT = 1;
public static uint STARTF_USESTDHANDLES = 0x00000100;
public const UInt32 INFINITE = 0xFFFFFFFF;
}
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CreatePipe(out SafeFileHandle phReadPipe, out SafeFileHandle phWritePipe,
SecurityAttributes lpPipeAttributes, uint nSize);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool SetHandleInformation(SafeFileHandle hObject, int dwMask, uint dwFlags);
[DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern Boolean LogonUser(
String lpszUserName,
String lpszDomain,
String lpszPassword,
LogonType dwLogonType,
LogonProvider dwLogonProvider,
out SafeFileHandle phToken);
[DllImport("userenv.dll", SetLastError = true)]
public static extern bool CreateEnvironmentBlock(out IntPtr lpEnvironment, IntPtr hToken, bool bInherit);
[DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
public static extern Boolean CreateProcessAsUser
(
SafeFileHandle hToken,
String? lpApplicationName,
String lpCommandLine,
IntPtr lpProcessAttributes,
IntPtr lpThreadAttributes,
Boolean bInheritHandles,
CreateProcessFlags dwCreationFlags,
IntPtr lpEnvironment,
String? lpCurrentDirectory,
ref StartupInfo lpStartupInfo,
out ProcessInformation lpProcessInformation
);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern UInt32 WaitForSingleObject(IntPtr hHandle, UInt32 dwMilliseconds);
}
}
我找到了讓它工作的方法。 在上面的代碼中,我只使用了 CreateProcessWithLogonW,而不是使用 LogonUser 和 CreateProcessAsUser。 這需要知道密碼,通常在使用 runas /netonly 時就知道,但好在除了標准用戶之外,您不需要任何特權!
將 LogonUser、Environment creation 和 CreateProcessAsUser 替換為以下代碼。
success = NativeMethods.CreateProcessWithLogonW(
username,
domain,
password,
NativeMethods.LogonFlags.LOGON_NETCREDENTIALS_ONLY,
null,
executablePath,
NativeMethods.CreateProcessFlags.CREATE_UNICODE_ENVIRONMENT,
IntPtr.Zero,//unmanagedEnv,
null,
ref startInfo,
out _processInfo
);
添加到 dllimport 定義
[Flags]
public enum LogonFlags
{
LOGON_WITH_PROFILE = 1,
LOGON_NETCREDENTIALS_ONLY = 2
}
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool CreateProcessWithLogonW(
String userName,
String domain,
String password,
LogonFlags logonFlags,
String? applicationName,
String commandLine,
CreateProcessFlags creationFlags,
IntPtr environment,
String? currentDirectory,
ref StartupInfo startupInfo,
out ProcessInformation processInformation);
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.