; Privilege LUID values (winnt.h SE_*_PRIVILEGE) as passed to RtlAdjustPrivilege.
; Enabling a privilege only works if the caller's token already holds it.
#SE_ASSIGNPRIMARYTOKEN_PRIVILEGE = 3   ; required by the CreateProcessAsUser path
#SE_INCREASE_QUOTA_PRIVILEGE     = 5   ; required by the CreateProcessAsUser path
#SE_DEBUG_PRIVILEGE              = 20  ; lets OpenProcess succeed on SYSTEM-owned processes (winlogon.exe)
#SE_IMPERSONATE_PRIVILEGE        = 29  ; required by the CreateProcessWithTokenW path

; dwLogonFlags values for CreateProcessWithTokenW.
#LOGON_WITH_PROFILE        = 1         ; load the token owner's user profile before starting the child
#LOGON_NETCREDENTIALS_ONLY = 2         ; declared for completeness; not referenced in the visible code
; One entry of the process list produced by GetProcess().
Structure ProcInfo
  Name.s   ; executable file name as reported in PROCESSENTRY32\szExeFile (name only, no path)
  PID.l    ; process id from PROCESSENTRY32\th32ProcessID
EndStructure
; CreateProcessWithTokenW (advapi32.dll) is bound at run time by RunSys() because not
; every Windows version exports it; when it is missing, CreateProcessAsUser is used instead.
; Parameter order mirrors the Win32 declaration; all pointer arguments are plain integers.
Prototype pCreateProcessWithTokenW(hToken, dwLogonFlags.l, *ApplicationName, *CommandLine, dwCreationFlags.l,
                                   *lpEnvironment, *lpCurrentDirectory, *lpStartupInfo, *lpProcessInfo)

; Stays 0 until RunSys() resolves the export; callers must test it before calling through it.
Global CreateProcessWithTokenW.pCreateProcessWithTokenW = 0
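Procedure GetProcess(List ProcList.ProcInfo())
  ; Fill ProcList() with the image name and PID of every running process, using a
  ; ToolHelp snapshot. The list is cleared first.
  ; Returns the number of entries recorded (0 if the snapshot could not be taken).
  ;
  ; Fixes relative to the original: the snapshot handle is now closed (it leaked),
  ; an invalid snapshot handle is detected instead of being walked, and the first
  ; entry returned by Process32First is no longer dropped (the old
  ; "Process32First; While Process32Next" shape skipped it).
  Protected Entry.PROCESSENTRY32
  Protected hSnap, Count = 0

  ClearList(ProcList())

  hSnap = CreateToolhelp32Snapshot_(#TH32CS_SNAPPROCESS, 0)
  If hSnap = #INVALID_HANDLE_VALUE
    ProcedureReturn 0
  EndIf

  ; dwSize must be set before the first call or Process32First fails.
  Entry\dwSize = SizeOf(PROCESSENTRY32)

  If Process32First_(hSnap, @Entry)
    Repeat
      If AddElement(ProcList())
        ProcList()\Name = PeekS(@Entry\szExeFile)
        ProcList()\PID  = Entry\th32ProcessID
        Count + 1
      EndIf
    Until Process32Next_(hSnap, @Entry) = 0
  EndIf

  CloseHandle_(hSnap)
  ProcedureReturn Count
EndProcedure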
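Procedure RunProc_System(HostPID, RunProg.s, CmdLine.s="")
  ; Start RunProg (with CmdLine appended) using a primary token duplicated from
  ; process HostPID, on the interactive desktop "winsta0\default". The child
  ; therefore runs in HostPID's security context (LocalSystem when HostPID is
  ; winlogon.exe, see RunSys()). Returns #True if the process was created.
  ;
  ; Privileges: opening a SYSTEM-owned process normally needs SeDebugPrivilege;
  ; CreateProcessWithTokenW needs SeImpersonatePrivilege; the CreateProcessAsUser
  ; fallback needs SeAssignPrimaryTokenPrivilege and SeIncreaseQuotaPrivilege.
  ; RunSys() enables all of these before calling here.
  Protected hProc = 0, hToken = 0, DupToken = 0
  Protected Desktop.s, Res = #False
  Protected PI.PROCESS_INFORMATION, SI.STARTUPINFO

  ; Least privilege: OpenProcessToken only needs query access on the process.
  ; The original requested PROCESS_ALL_ACCESS, which is far more than required
  ; and more likely to be denied.
  hProc = OpenProcess_(#PROCESS_QUERY_INFORMATION, #False, HostPID)
  If hProc = 0
    ProcedureReturn #False
  EndIf

  ; TOKEN_DUPLICATE is all that DuplicateTokenEx needs on the source token.
  If OpenProcessToken_(hProc, #TOKEN_DUPLICATE, @hToken) And hToken
    ; Arguments 4/5: impersonation level 1 (SecurityIdentification; not meaningful
    ; for a primary token) and token type 1 (TokenPrimary) -- CreateProcess* APIs
    ; require a primary token.
    If DuplicateTokenEx_(hToken, #TOKEN_ALL_ACCESS, #Null, 1, 1, @DupToken) And DupToken
      Desktop = "winsta0\default"
      SI\cb = SizeOf(SI)
      SI\lpDesktop = @Desktop   ; Desktop must stay alive until CreateProcess* returns

      ; Build the command line: quote the program path unless the caller already
      ; did, then append the arguments separated by exactly one space.
      If Left(RunProg, 1) <> Chr(34)
        RunProg = Chr(34) + RunProg + Chr(34)
      EndIf
      If CmdLine <> ""
        If Left(CmdLine, 1) <> " "
          RunProg + " "
        EndIf
        RunProg + CmdLine
      EndIf

      ; Prefer CreateProcessWithTokenW when RunSys() could resolve it. The import
      ; is tested in its own If so a null prototype is never called through,
      ; regardless of short-circuit semantics.
      If CreateProcessWithTokenW
        If CreateProcessWithTokenW(DupToken, #LOGON_WITH_PROFILE, #Null, @RunProg, #NORMAL_PRIORITY_CLASS,
                                   #Null, #Null, @SI, @PI)
          Res = #True
        EndIf
      EndIf

      ; Fallback (import missing, or the call above failed).
      If Res = #False
        If CreateProcessAsUser_(DupToken, #Null, RunProg, #Null, #Null, #False, #NORMAL_PRIORITY_CLASS,
                                #Null, #Null, @SI, @PI)
          Res = #True
        EndIf
      EndIf

      ; Nothing waits on the child, so release both handles immediately.
      If PI\hThread
        CloseHandle_(PI\hThread)
      EndIf
      If PI\hProcess
        CloseHandle_(PI\hProcess)
      EndIf
      CloseHandle_(DupToken)
    EndIf
    CloseHandle_(hToken)
  EndIf
  CloseHandle_(hProc)

  ProcedureReturn Res
EndProcedure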
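Procedure RunSys(RunFile.s, Param.s)
  ; Run RunFile (with Param) as LocalSystem by duplicating the token of
  ; winlogon.exe. Returns #True when the child process was created, #False if
  ; winlogon.exe was not found or RunProc_System() failed (e.g. missing privilege).
  ;
  ; Security note: this is a token-duplication privilege escalation
  ; ("getsystem" style). It bypasses nothing -- RtlAdjustPrivilege only enables
  ; privileges the caller's token already holds, so it works only from an
  ; already elevated administrator context. Opening winlogon.exe and duplicating
  ; its token is a well-known pattern that endpoint security products commonly
  ; alert on; use only where that is acceptable.
  Static Advapi32_lib = 0
  Protected NewList Proc.ProcInfo()
  Protected Previous = 0, TargetPID = 0

  ; Bind CreateProcessWithTokenW once per process. If advapi32 does not export
  ; it, the global stays 0 and RunProc_System() falls back to CreateProcessAsUser.
  If CreateProcessWithTokenW = 0
    If Advapi32_lib = 0
      Advapi32_lib = LoadLibrary_("Advapi32.dll")
    EndIf
    If Advapi32_lib
      ; GetProcAddress takes an ANSI name, hence the raw byte string below.
      CreateProcessWithTokenW = GetProcAddress_(Advapi32_lib, ?Funct)
    EndIf
  EndIf

  ; Best-effort enabling of the privileges both launch paths need
  ; (third argument 0 = process token, not the current thread; the last
  ; argument receives the previous state). Return values are deliberately
  ; ignored: a privilege the token lacks shows up later as a failed
  ; OpenProcess/CreateProcess and RunProc_System() returns #False.
  RtlAdjustPrivilege_(#SE_DEBUG_PRIVILEGE, #True, 0, @Previous)               ; open winlogon.exe
  RtlAdjustPrivilege_(#SE_IMPERSONATE_PRIVILEGE, #True, 0, @Previous)         ; CreateProcessWithTokenW
  RtlAdjustPrivilege_(#SE_INCREASE_QUOTA_PRIVILEGE, #True, 0, @Previous)      ; CreateProcessAsUser
  RtlAdjustPrivilege_(#SE_ASSIGNPRIMARYTOKEN_PRIVILEGE, #True, 0, @Previous)  ; CreateProcessAsUser

  ; First winlogon.exe found wins. NOTE(review): there is one winlogon.exe per
  ; logon session, so on a multi-session host this may pick another session's
  ; instance and the child would appear on that session's desktop; compare the
  ; session id (ProcessIdToSessionId) with the caller's if that matters.
  GetProcess(Proc())
  ForEach Proc()
    If LCase(Proc()\Name) = "winlogon.exe"
      TargetPID = Proc()\PID
      Break
    EndIf
  Next

  If TargetPID > 0
    ProcedureReturn RunProc_System(TargetPID, RunFile, Param)
  EndIf
  ProcedureReturn #False

  DataSection
    Funct:
      !db "CreateProcessWithTokenW", 0, 0
  EndDataSection
EndProcedure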
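; Demo: launch the Registry Editor as LocalSystem. Resolve the Windows directory
; from the environment instead of assuming it lives on C:\; keep the old
; hard-coded path only as a fallback when %windir% is unset.
Define WinDir.s = GetEnvironmentVariable("windir")
If WinDir = ""
  WinDir = "C:\Windows"
EndIf
RunSys(WinDir + "\regedit.exe", "")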