logo标签列表

SendInput在UAC提示上失败。

winapiuacsendinputwindows-securityuipi
3
我们正在编写一个仅限运行的远程桌面应用程序,使用SendInput进行键盘(和鼠标)交互。但是它无法与UAC提示交互。
我们的应用程序需要什么权限/权限?
背景信息:该应用程序由另一个进程生成,复制了winlogon.exe的访问令牌。这使得它可以在SYSTEM帐户下以系统完整性级别运行,附加到物理控制台会话,并具有与winlogon.exe相同的SE特权(https://learn.microsoft.com/en-us/windows/desktop/secauthz/privilege-constants),尽管并非所有特权都已启用。
struct MY_TOKEN_PRIVILEGES {
  DWORD PrivilegeCount;
  LUID_AND_ATTRIBUTES Privileges[2];
};

int RunUnderWinLogon(LPCWSTR executableWithSendInput)
{
  DWORD physicalConsoleSessionId = WTSGetActiveConsoleSessionId();

  auto winlogonPid = GetWinLogonPid(); // external function

  if (!winlogonPid)
  {
    std::cout << "ERROR getting winlogon pid" << std::endl;
    return 0;
  }

  HANDLE hWinlogonToken, hProcess;
  hProcess = OpenProcess(MAXIMUM_ALLOWED, FALSE, winlogonPid);

  if (!::OpenProcessToken(hProcess, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY
    | TOKEN_DUPLICATE | TOKEN_ASSIGN_PRIMARY | TOKEN_ADJUST_SESSIONID
    | TOKEN_READ | TOKEN_WRITE, &hWinlogonToken))
  {
    printf("Process token open Error: %u\n", GetLastError());
  }

  // Is security descriptor needed for SendInput?
  PSECURITY_DESCRIPTOR pSD = NULL;

  SECURITY_ATTRIBUTES saToken;
  ZeroMemory(&saToken, sizeof(SECURITY_ATTRIBUTES));

  saToken.nLength = sizeof (SECURITY_ATTRIBUTES);
  saToken.lpSecurityDescriptor = pSD;
  saToken.bInheritHandle = FALSE;

  HANDLE hWinlogonTokenDup;
  if (!DuplicateTokenEx(hWinlogonToken, TOKEN_ALL_ACCESS, &saToken, SecurityImpersonation, TokenPrimary, &hWinlogonTokenDup))
  {
    printf("DuplicateTokenEx Error: %u\n", GetLastError());
  }

  if (!SetTokenInformation(hWinlogonTokenDup, TokenSessionId, (void*)physicalConsoleSessionId, sizeof(DWORD)))
  {
    printf("SetTokenInformation Error: %u\n", GetLastError());
  }

  //Adjust Token privilege
  LUID luidSeDebugName;
  if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luidSeDebugName))
  {
    printf("Lookup Privilege value Error: %u\n", GetLastError());
  }

  LUID luidSeTcbName;
  if (!LookupPrivilegeValue(NULL, SE_TCB_NAME, &luidSeTcbName))
  {
    printf("Lookup Privilege value Error: %u\n", GetLastError());
  }

  MY_TOKEN_PRIVILEGES tp;
  tp.PrivilegeCount = 2;
  tp.Privileges[0].Luid = luidSeDebugName;
  tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

  tp.Privileges[1].Luid = luidSeTcbName;
  tp.Privileges[1].Attributes = SE_PRIVILEGE_ENABLED;

  if (!AdjustTokenPrivileges(hWinlogonTokenDup, FALSE, (PTOKEN_PRIVILEGES)&tp, /*BufferLength*/0, /*PreviousState*/(PTOKEN_PRIVILEGES)NULL, NULL))
  {
    printf("Adjust Privilege value Error: %u\n", GetLastError());
  }

  if (GetLastError() == ERROR_NOT_ALL_ASSIGNED)
  {
    printf("Token does not have the privilege\n");
  }

  DWORD creationFlags;
  creationFlags = NORMAL_PRIORITY_CLASS | CREATE_NEW_CONSOLE;

  LPVOID pEnv = NULL;
  if (CreateEnvironmentBlock(&pEnv, hWinlogonTokenDup, TRUE))
  {
    std::cout << "CreateEnvironmentBlock() success" << std::endl;
    creationFlags |= CREATE_UNICODE_ENVIRONMENT;
  }

  SECURITY_ATTRIBUTES saProcess, saThread;
  ZeroMemory(&saProcess, sizeof(SECURITY_ATTRIBUTES));
  ZeroMemory(&saThread, sizeof(SECURITY_ATTRIBUTES));

  saProcess.nLength = sizeof (SECURITY_ATTRIBUTES);
  saProcess.lpSecurityDescriptor = pSD;
  saProcess.bInheritHandle = FALSE;

  saThread.nLength = sizeof (SECURITY_ATTRIBUTES);
  saThread.lpSecurityDescriptor = pSD;
  saThread.bInheritHandle = FALSE;

  STARTUPINFO si;
  ZeroMemory(&si, sizeof(STARTUPINFO));
  si.cb = sizeof(STARTUPINFO);
  si.lpDesktop = (LPWSTR)L"winsta0\\default";

  PROCESS_INFORMATION pi;
  ZeroMemory(&pi, sizeof(pi));

  BOOL bResult = CreateProcessAsUser(
    hWinlogonTokenDup,   // client's access token
    executableWithSendInput,    // file using SendInput
    NULL,                 // command line
    &saProcess,            // pointer to process SECURITY_ATTRIBUTES
    &saThread,               // pointer to thread SECURITY_ATTRIBUTES
    FALSE,              // handles are not inheritable
    creationFlags,     // creation flags
    pEnv,               // pointer to new environment block
    NULL,               // name of current directory
    &si,               // pointer to STARTUPINFO structure
    &pi                // receives information about new process
  );
}
你可以学习开源远程解决方案如何实现这一点。 - David Heffernan
你应该在“特权窗口”中重现相同的问题。例如,如果你右键单击cmd.exe,然后点击“以管理员身份运行”,你就无法向这样的窗口发送输入。 - Bemipefe
2个回答
5
SendInputSendMessagePostMessage一样,仅限于在同一登录会话和目标进程的相同桌面之间进行工作。UAC提示显示在Winlogon的安全桌面winsta0 \ Winlogon),因此您需要定期使用OpenInputDesktop()轮询当前桌面,然后使用SetThreadDesktop()启用当前线程向用户桌面/安全桌面发送消息,无论哪个处于活动状态。

在UAC的情况下,您需要以系统帐户运行进程,以符合UIPI完整性级别检查,就像您已经做过的那样。

另请参阅:如何在默认桌面和Winlogon桌面之间切换进程?

有没有可能“授权”一个以普通用户身份运行的进程向特权窗口发送输入?(例如UAC提示或由特权用户拥有的窗口)也许类似二进制签名、白名单等等的东西会有帮助吗? - Bemipefe
0

有可能授权您的应用程序能够执行这些UIAutomation / 屏幕阅读器任务。

在您的程序集清单中创建一个条目,其中包括:

uiAccess="true"

然后你必须使用有效的数字证书进行数字签名。
并且你必须安装在Program Files中。

能够自动化UAC对话框是一项严肃的业务;你不能随意胡闹。

额外阅读

https://techcommunity.microsoft.com/t5/windows-blog-archive/using-the-uiaccess-attribute-of-requestedexecutionlevel-to/ba-p/228641

网页内容由stack overflow 提供, 点击上面的
可以查看英文原文,
原文链接