
為什么以本地管理員身份運行時,RPC 調用會返回拒絕訪問?

[英]Why an RPC call would return access denied when running as a local admin?

我剛剛開始使用 Windows RPC 編程。 我正在嘗試通過ms-even6與 Windows 事件日志系統進行交互。 Microsoft 沒有在其教程中介紹安全 RPC 調用,我在任何地方都找不到太多相關信息。 到目前為止,我有以下代碼......

#include <stdlib.h>
#include <iostream>
#include <ctype.h>
#include "ms-even6_h.h"
#include <windows.h>

#pragma comment(lib, "rpcrt4.lib")

// First attempt from the question: composes a string binding for the
// \pipe\eventlog named pipe (ncacn_np), attaches NTLM authentication and calls
// EvtRpcGetChannelConfig for the "Application" channel of the MS-EVEN6 interface.
// The page reports that every call made over this binding raised an
// access-denied runtime exception; the listing itself does not show why.
int main()
{
    RPC_STATUS status;
    RPC_WSTR pszUuid = NULL;
    // Named-pipe transport; the RPC_WSTR casts only strip constness from the literals.
    RPC_WSTR pszProtocolSequence = reinterpret_cast<RPC_WSTR>(const_cast<PWSTR>(L"ncacn_np"));
    // No network address is given; the page says the target is the local machine.
    RPC_WSTR pszNetworkAddress = NULL;
    RPC_WSTR pszEndpoint = reinterpret_cast<RPC_WSTR>(const_cast<PWSTR>(L"\\pipe\\eventlog"));
    RPC_WSTR pszOptions = NULL;
    RPC_WSTR pszStringBinding = NULL;
    unsigned long ulCode;

    // Build the textual binding; the runtime allocates pszStringBinding, which
    // is released with RpcStringFree near the end of main.
    status = RpcStringBindingCompose(pszUuid,
        pszProtocolSequence,
        pszNetworkAddress,
        pszEndpoint,
        pszOptions,
        &pszStringBinding);
    if (status) {
        std::cerr << "[-] RpcStringBindingCompose failed [" << status << "]" << std::endl;
        exit(status);
    }

    // client_IfHandle is not declared in this listing; presumably it is the
    // implicit binding handle from the MIDL-generated "ms-even6_h.h" (confirm).
    status = RpcBindingFromStringBinding(pszStringBinding, &client_IfHandle);

    if (status) {
        std::cerr << "[-] RpcBindingFromStringBinding failed [" << status << "]" << std::endl;
        exit(status);
    }

    // Arguments, in order: binding, ServerPrincName, AuthnLevel, AuthnSvc,
    // AuthIdentity, AuthzSvc.
    //  - ServerPrincName 0: no server principal name is supplied, so the client
    //    does not pin which server identity it expects.
    //  - RPC_C_AUTHN_LEVEL_PKT_INTEGRITY: packets are authenticated and signed
    //    but not encrypted; RPC_C_AUTHN_LEVEL_PKT_PRIVACY would add encryption.
    //  - RPC_C_AUTHN_WINNT: NTLM.
    //  - AuthIdentity 0: the calling process's own logon credentials are used.
    //  - AuthzSvc 0: no authorization service.
    status = RpcBindingSetAuthInfo(client_IfHandle,
        0,
        RPC_C_AUTHN_LEVEL_PKT_INTEGRITY,
        RPC_C_AUTHN_WINNT,
        0,
        0
    );

    if (status) {
        std::cerr << "[-] RpcBindingSetAuthInfo failed [" << status << "]" << std::endl;
        exit(status);
    }

    RpcTryExcept // Per the author, this block always throws an access-denied runtime exception.
    {
        // NOTE(review): props is handed to the stub without being initialized;
        // the working listing later on the page zeroes count and props first.
        EvtRpcVariantList props;
        status = EvtRpcGetChannelConfig(L"Application", 0, &props);
        if (status)
        {
            std::cerr << "[-] EvtRpcGetChannelConfig failed [" << status << "]" << std::endl;
            // exit() here ends the process without reaching the RpcStringFree /
            // RpcBindingFree cleanup below.
            exit(status);
        }
        std::cout << "[+] EvtRpcGetChannelConfig worked!" << std::endl;

    }
        // Filter expression 1: the handler runs for every exception raised in
        // the guarded block, so faults unrelated to RPC are reported the same
        // way as RPC runtime errors. A narrower filter keeps real crashes visible.
        RpcExcept(1)
    {
        ulCode = RpcExceptionCode();
        printf("Runtime reported exception 0x%lx = %ld\n", ulCode, ulCode);
    }
    RpcEndExcept

        // Cleanup: release the string binding, then the binding handle.
        status = RpcStringFree(&pszStringBinding);

    if (status) {
        std::cerr << "[-] RpcStringFree failed [" << status << "]" << std::endl;
        exit(status);
    }

    status = RpcBindingFree(&client_IfHandle);

    if (status) {
        std::cerr << "[-] RpcBindingFree failed [" << status << "]" << std::endl;
        exit(status);
    }
    std::cout << "[+] Done." << std::endl;
    return 0;
}

/******************************************************/
/*         MIDL allocate and free                     */
/******************************************************/

// Allocation hook used by the MIDL-generated stubs.
// Hands back len bytes from the C heap; the result is whatever malloc
// returns, including a null pointer when the allocation fails.
void __RPC_FAR* __RPC_USER midl_user_allocate(size_t len)
{
    void __RPC_FAR* const block = malloc(len);
    return block;
}

// Release hook paired with midl_user_allocate: returns a block to the C heap.
// A null pointer is accepted and ignored, exactly as free() does.
void __RPC_USER midl_user_free(void __RPC_FAR* ptr)
{
    if (ptr != NULL)
    {
        free(ptr);
    }
}

我嘗試調用不同的 RPC 函數,它們都拋出拒絕訪問異常。 我的客戶端進程以本地管理員身份運行,我的目標是我的本地機器。

對我在這里做錯了什么有什么想法嗎?

感謝所有幫助!

#更新

在查看windows_protocols ms-even6后,我將協議序列更改為ncacn_ip_tcp。 現在ACCESS DENIED錯誤似乎消失了,但我得到了一個新的錯誤:Runtime reported exception 0x6f7 = 1783 (The stub received bad data.)

/* file: helloc.c */
#include <stdlib.h>
#include <iostream>
#include <ctype.h>
#include "ms-even6_h.h"
#include <windows.h>
#include <thread>

#pragma comment(lib, "rpcrt4.lib")

// Second attempt from the question: same call as before, but over
// ncacn_ip_tcp to "localhost" with the endpoint resolved at run time.
// The page reports that access denied went away with this transport and the
// call then failed with runtime exception 0x6f7 (1783, "The stub received bad data").
int main()
{
    RPC_STATUS status;
    RPC_WSTR pszUuid = NULL;
    // TCP transport; the RPC_WSTR casts only strip constness from the literals.
    RPC_WSTR pszProtocolSequence = reinterpret_cast<RPC_WSTR>(const_cast<PWSTR>(L"ncacn_ip_tcp"));
    RPC_WSTR pszNetworkAddress = reinterpret_cast<RPC_WSTR>(const_cast<PWSTR>(L"localhost"));
    // No endpoint is given, so the binding is only partially bound until
    // RpcEpResolveBinding fills it in below.
    RPC_WSTR pszEndpoint = NULL;
    RPC_WSTR pszOptions = NULL;
    RPC_WSTR pszStringBinding = NULL;
    unsigned long ulCode;

    // Build the textual binding; the runtime allocates pszStringBinding, which
    // is released with RpcStringFree near the end of main.
    status = RpcStringBindingCompose(pszUuid,
        pszProtocolSequence,
        pszNetworkAddress,
        pszEndpoint,
        pszOptions,
        &pszStringBinding);
    if (status) {
        std::cerr << "[-] RpcStringBindingCompose failed [" << status << "]" << std::endl;
        exit(status);
    }

    // client_IfHandle is not declared in this listing; presumably it is the
    // implicit binding handle from the MIDL-generated "ms-even6_h.h" (confirm).
    status = RpcBindingFromStringBinding(pszStringBinding, &client_IfHandle);

    if (status) {
        std::cerr << "[-] RpcBindingFromStringBinding failed [" << status << "]" << std::endl;
        exit(status);
    }

    // Resolve the endpoint for the IEventService interface on the target host.
    status = RpcEpResolveBinding(
        client_IfHandle,
        IEventService_v1_0_c_ifspec
    );

    if (status) {
        std::cerr << "[-] RpcEpResolveBinding failed [" << status << "]" << std::endl;
        exit(status);
    }

    // Arguments, in order: binding, ServerPrincName, AuthnLevel, AuthnSvc,
    // AuthIdentity, AuthzSvc.
    //  - ServerPrincName 0: no server principal name is supplied, so the client
    //    does not pin which server identity it expects.
    //  - RPC_C_AUTHN_LEVEL_PKT_INTEGRITY: packets are authenticated and signed
    //    but not encrypted. Over TCP to anything other than localhost, event
    //    data would cross the network in clear text;
    //    RPC_C_AUTHN_LEVEL_PKT_PRIVACY adds encryption.
    //  - RPC_C_AUTHN_WINNT: NTLM.
    //  - AuthIdentity 0: the calling process's own logon credentials are used.
    //  - AuthzSvc 0: no authorization service.
    status = RpcBindingSetAuthInfo(client_IfHandle,
        0,
        RPC_C_AUTHN_LEVEL_PKT_INTEGRITY,
        RPC_C_AUTHN_WINNT,
        0,
        0
    );

    if (status) {
        std::cerr << "[-] RpcBindingSetAuthInfo failed [" << status << "]" << std::endl;
        exit(status);
    }

    RpcTryExcept
    {
        // NOTE(review): props is handed to the stub without being initialized.
        // The author later attributes the "stub received bad data" failure to
        // uninitialized pointers; zero count and props before the call.
        EvtRpcVariantList props;
        status = EvtRpcGetChannelConfig(L"Application", (INT32)0, &props);
        if (status)
        {
            std::cerr << "[-] EvtRpcGetChannelConfig failed [" << status << "]" << std::endl;
            // exit() here ends the process without reaching the RpcStringFree /
            // RpcBindingFree cleanup below.
            exit(status);
        }
        std::cout << "[+] EvtRpcGetChannelConfig worked!" << std::endl;

    }
        // Filter expression 1: the handler runs for every exception raised in
        // the guarded block, so faults unrelated to RPC are reported the same
        // way as RPC runtime errors. A narrower filter keeps real crashes visible.
        RpcExcept(1)
    {
        ulCode = RpcExceptionCode();
        // Print the code in hex and in decimal.
        std::cerr << "[-] Runtime reported exception 0x"
            << std::hex << ulCode
            << " = "
            << std::dec << ulCode
            << std::endl;
    }
    RpcEndExcept

        // Cleanup: release the string binding, then the binding handle.
        status = RpcStringFree(&pszStringBinding);

    if (status) {
        std::cerr << "[-] RpcStringFree failed [" << status << "]" << std::endl;
        exit(status);
    }

    status = RpcBindingFree(&client_IfHandle);

    if (status) {
        std::cerr << "[-] RpcBindingFree failed [" << status << "]" << std::endl;
        exit(status);
    }
    std::cout << "[+] Done." << std::endl;
    return 0;
}

/******************************************************/
/*         MIDL allocate and free                     */
/******************************************************/

// Memory hook for the MIDL-generated stubs: obtains len bytes with malloc.
// The caller receives malloc's result unchanged, so a failed allocation
// surfaces as a null pointer.
void __RPC_FAR* __RPC_USER midl_user_allocate(size_t len)
{
    void __RPC_FAR* const storage = malloc(len);
    return storage;
}

// Memory hook for the MIDL-generated stubs: gives a block obtained from
// midl_user_allocate back to the C heap. Null is a no-op, as with free().
void __RPC_USER midl_user_free(void __RPC_FAR* ptr)
{
    if (ptr == NULL)
    {
        return;
    }
    free(ptr);
}

看了windows_protocols ms-even6之后,我把協議序列改成了ncacn_ip_tcp。 改完之后,ACCESS DENIED 錯誤就消失了,但我仍然無法調用遠程過程。 該應用程序總是會失敗:運行時報告異常 0x6f7 = 1783(存根收到錯誤數據。)、運行時報告異常 0x6c6 = 1734(數組邊界無效。)

原因? 未初始化的指針,一旦我正確初始化了我的指針和 DWORD,一切正常!

這是一個工作示例。

/* file: helloc.c */
#include <stdlib.h>
#include <iostream>
#include <ctype.h>
#include <windows.h>
#include "ms-even6_h.h"

#pragma comment(lib, "rpcrt4.lib")

// Working example from the answer: binds to the MS-EVEN6 event log interface
// over ncacn_ip_tcp on "localhost", then opens and closes a log handle, reads
// the "Application" channel configuration, registers a remote subscription
// and requests one record from it.
int main()
{
    RPC_STATUS status;
    RPC_WSTR pszUuid = NULL;
    // TCP transport; the RPC_WSTR casts only strip constness from the literals.
    RPC_WSTR pszProtocolSequence = reinterpret_cast<RPC_WSTR>(const_cast<PWSTR>(L"ncacn_ip_tcp"));
    RPC_WSTR pszNetworkAddress = reinterpret_cast<RPC_WSTR>(const_cast<PWSTR>(L"localhost"));
    // No endpoint is given, so the binding is only partially bound until
    // RpcEpResolveBinding fills it in below.
    RPC_WSTR pszEndpoint = NULL;
    RPC_WSTR pszOptions = NULL;
    RPC_WSTR pszStringBinding = NULL;
    unsigned long ulCode;

    // Build the textual binding; the runtime allocates pszStringBinding, which
    // is released with RpcStringFree near the end of main.
    status = RpcStringBindingCompose(pszUuid,
        pszProtocolSequence,
        pszNetworkAddress,
        pszEndpoint,
        pszOptions,
        &pszStringBinding);
    if (status) {
        std::cerr << "[-] RpcStringBindingCompose failed [" << status << "]" << std::endl;
        exit(status);
    }

    // client_IfHandle is not declared in this listing; presumably it is the
    // implicit binding handle from the MIDL-generated "ms-even6_h.h" (confirm).
    status = RpcBindingFromStringBinding(pszStringBinding, &client_IfHandle);

    if (status) {
        std::cerr << "[-] RpcBindingFromStringBinding failed [" << status << "]" << std::endl;
        exit(status);
    }

    // Resolve the endpoint for the IEventService interface on the target host.
    status = RpcEpResolveBinding(
        client_IfHandle,
        IEventService_v1_0_c_ifspec
    );

    if (status) {
        std::cerr << "[-] RpcEpResolveBinding failed [" << status << "]" << std::endl;
        exit(status);
    }

    // Arguments, in order: binding, ServerPrincName, AuthnLevel, AuthnSvc,
    // AuthIdentity, AuthzSvc.
    //  - ServerPrincName 0: no server principal name is supplied, so the client
    //    does not pin which server identity it expects.
    //  - RPC_C_AUTHN_LEVEL_PKT_INTEGRITY: packets are authenticated and signed
    //    but not encrypted. Event records can carry sensitive data; when the
    //    target is not localhost, RPC_C_AUTHN_LEVEL_PKT_PRIVACY adds encryption.
    //  - RPC_C_AUTHN_WINNT: NTLM.
    //  - AuthIdentity 0: the calling process's own logon credentials are used.
    //  - AuthzSvc 0: no authorization service.
    status = RpcBindingSetAuthInfo(client_IfHandle,
        0,
        RPC_C_AUTHN_LEVEL_PKT_INTEGRITY,
        RPC_C_AUTHN_WINNT,
        0,
        0
    );

    if (status) {
        std::cerr << "[-] RpcBindingSetAuthInfo failed [" << status << "]" << std::endl;
        exit(status);
    }

    // Every exit(status) inside this guarded block ends the process without
    // reaching the RpcStringFree / RpcBindingFree cleanup after RpcEndExcept.
    RpcTryExcept
    {
        // hLog and error are written by the call; neither is initialized first.
        PCONTEXT_HANDLE_LOG_HANDLE hLog;
        RpcInfo error;
        status = EvtRpcOpenLogHandle(L"Application", 1, &hLog, &error);
        if (status)
        {
            std::cerr << "[-] EvtRpcOpenLogHandle failed [" << status << "]" << std::endl;
            exit(status);
        }
        std::cout << "[+] EvtRpcOpenLogHandle worked!" << std::endl;


        // Close the log handle again straight away.
        status = EvtRpcClose(&hLog);
        if (status)
        {
            std::cerr << "[-] EvtRpcClose failed [" << status << "]" << std::endl;
            exit(status);
        }
        std::cout << "[+] EvtRpcClose worked!" << std::endl;

        // Zero the output structure before the call: per the author, leaving
        // the count and pointer uninitialized produced the 1783 / 1734 runtime
        // exceptions seen in the earlier attempts.
        EvtRpcVariantList props;
        props.count = 0;
        props.props = NULL;
        status = EvtRpcGetChannelConfig(L"Application", 0, &props);
        if (status)
        {
            std::cerr << "[-] EvtRpcGetChannelConfig failed [" << status << "]" << std::endl;
            exit(status);
        }
        std::cout << "[+] EvtRpcGetChannelConfig worked!" << std::endl;
        // Print only the type tag of each returned property.
        for (size_t i = 0; i < props.count; i++)
        {
            std::cout << "\tChannelConfig[" << i << "]:"
                << "\n\t\ttype: " << props.props[i].type
                << std::endl;
        }
        PCONTEXT_HANDLE_REMOTE_SUBSCRIPTION hSub;
        PCONTEXT_HANDLE_OPERATION_CONTROL hOpCtrl;
        DWORD dwQueryChannelInfoSize = 0;
        EvtRpcQueryChannelInfo* queryChannelInfo = NULL;
        // Subscribe to the "Application" channel with the match-all query "*"
        // and no bookmark.
        // NOTE(review): the flag literals are unnamed; 0x00000002 and 0x00001000
        // look like EvtSubscribeStartAtOldestRecord and
        // EvtSubscribeTolerateQueryErrors, confirm against MS-EVEN6.
        status = EvtRpcRegisterRemoteSubscription(
            L"Application",
            L"*",
            NULL,
            0x00000002 | 0x00001000,
            &hSub,
            &hOpCtrl,
            &dwQueryChannelInfoSize,
            &queryChannelInfo,
            &error);
        if (status)
        {
            std::cerr << "[-] EvtRpcRegisterRemoteSubscription failed [" << status << "]" << std::endl;
            exit(status);
        }
        std::cout << "[+] EvtRpcRegisterRemoteSubscription worked!" << std::endl;
        std::cout << "\tdwQueryChannelInfoSize: " << dwQueryChannelInfoSize << std::endl;
        // dwQueryChannelInfoSize is used here as the element count of
        // queryChannelInfo; both values come from the server.
        for (size_t i = 0; i < dwQueryChannelInfoSize; i++)
        {
            std::wcout << L"\tqueryChannelInfo[" << i << "]: "
                << queryChannelInfo[i].name
                << L" ("
                << queryChannelInfo[i].status
                << L")"
                << std::endl;

        }

        // Ask for a single record; every output is zeroed before the call.
        DWORD numRequestedRecords = 1;
        DWORD flags = 0;
        DWORD numActualRecords = 0;
        DWORD* eventDataIndices = NULL;
        DWORD* eventDataSizes = NULL;
        DWORD resultBufferSize = 0;
        BYTE* resultBuffer = NULL;
        status = EvtRpcRemoteSubscriptionNextAsync(
            hSub,
            numRequestedRecords,
            flags,
            &numActualRecords,
            &eventDataIndices,
            &eventDataSizes,
            &resultBufferSize,
            &resultBuffer
        );
        if (status)
        {
            std::cerr << "[-] EvtRpcRemoteSubscriptionNextAsync failed [" << status << "]" << std::endl;
            exit(status);
        }
        std::cout << "[+] EvtRpcRemoteSubscriptionNextAsync worked!" << std::endl;
        // The returned records are not read. If they are parsed later,
        // eventDataIndices / eventDataSizes are server-supplied (presumably
        // offsets and lengths into resultBuffer, confirm against MS-EVEN6)
        // and should be checked against resultBufferSize before use.
        // NOTE(review): hSub and hOpCtrl are never closed in this listing, and
        // nothing releases props.props, queryChannelInfo, eventDataIndices,
        // eventDataSizes or resultBuffer. Stub-allocated [out] data normally
        // comes from midl_user_allocate and is the caller's to free (confirm
        // against the generated stub).
    }
        // Filter expression 1: the handler runs for every exception raised in
        // the guarded block, so faults unrelated to RPC are reported the same
        // way as RPC runtime errors. A narrower filter keeps real crashes visible.
        RpcExcept(1)
    {
        ulCode = RpcExceptionCode();
        // Print the code in hex and in decimal.
        std::cerr << "[-] Runtime reported exception 0x"
            << std::hex << ulCode
            << " = "
            << std::dec << ulCode
            << std::endl;
    }
    RpcEndExcept

        // Cleanup: release the string binding, then the binding handle.
        status = RpcStringFree(&pszStringBinding);

    if (status) {
        std::cerr << "[-] RpcStringFree failed [" << status << "]" << std::endl;
        exit(status);
    }

    status = RpcBindingFree(&client_IfHandle);

    if (status) {
        std::cerr << "[-] RpcBindingFree failed [" << status << "]" << std::endl;
        exit(status);
    }
    std::cout << "[+] Done." << std::endl;
    return 0;
}

/******************************************************/
/*         MIDL allocate and free                     */
/******************************************************/

// Called by the MIDL-generated stubs whenever they need memory.
// Forwards the request to malloc and passes its result straight back,
// null included when the heap cannot satisfy len bytes.
void __RPC_FAR* __RPC_USER midl_user_allocate(size_t len)
{
    void __RPC_FAR* const buffer = malloc(len);
    return buffer;
}

// Called by the MIDL-generated stubs to release memory that came from
// midl_user_allocate. Passing null does nothing, matching free().
void __RPC_USER midl_user_free(void __RPC_FAR* ptr)
{
    if (ptr != NULL)
    {
        free(ptr);
    }
}
