/ThirdParty/ApplicationLoader.cs
http://applicationloader.codeplex.com · C# · 199 lines · 132 code · 37 blank · 30 comment · 4 complexity · d4e208d398a72d5553b579824e45a3a7 MD5 · raw file
- using System;
- using System.Diagnostics;
- using System.Runtime.InteropServices;
- using System.Security;
-
- namespace ThirdParty {
-
- /// <summary>
- /// Class that launches applications with elevated privileges
- /// </summary>
- /// <see cref="http://www.codeproject.com/KB/vista-security/SubvertingVistaUAC.aspx?msg=3953060"/>
- /// <remarks>Pero Mati? is the original author of this class, full credit to him
- /// Licensed under CPOL http://www.codeproject.com/info/cpol10.aspx
- /// </remarks>
- public class ApplicationLoader {
- #region Structures
-
- [StructLayout(LayoutKind.Sequential)]
- public struct SECURITY_ATTRIBUTES {
- public int Length;
- public IntPtr lpSecurityDescriptor;
- public bool bInheritHandle;
- }
-
- [StructLayout(LayoutKind.Sequential)]
- public struct STARTUPINFO {
- public int cb;
- public String lpReserved;
- public String lpDesktop;
- public String lpTitle;
- public uint dwX;
- public uint dwY;
- public uint dwXSize;
- public uint dwYSize;
- public uint dwXCountChars;
- public uint dwYCountChars;
- public uint dwFillAttribute;
- public uint dwFlags;
- public short wShowWindow;
- public short cbReserved2;
- public IntPtr lpReserved2;
- public IntPtr hStdInput;
- public IntPtr hStdOutput;
- public IntPtr hStdError;
- }
-
- [StructLayout(LayoutKind.Sequential)]
- public struct PROCESS_INFORMATION {
- public IntPtr hProcess;
- public IntPtr hThread;
- public uint dwProcessId;
- public uint dwThreadId;
- }
-
- #endregion
-
- #region Enumerations
-
- enum TOKEN_TYPE : int {
- TokenPrimary = 1,
- TokenImpersonation = 2
- }
-
- enum SECURITY_IMPERSONATION_LEVEL : int {
- SecurityAnonymous = 0,
- SecurityIdentification = 1,
- SecurityImpersonation = 2,
- SecurityDelegation = 3,
- }
-
- #endregion
-
- #region Constants
-
- public const int TOKEN_DUPLICATE = 0x0002;
- public const uint MAXIMUM_ALLOWED = 0x2000000;
- public const int CREATE_NEW_CONSOLE = 0x00000010;
-
- public const int IDLE_PRIORITY_CLASS = 0x40;
- public const int NORMAL_PRIORITY_CLASS = 0x20;
- public const int HIGH_PRIORITY_CLASS = 0x80;
- public const int REALTIME_PRIORITY_CLASS = 0x100;
-
- #endregion
-
- #region Win32 API Imports
-
- [DllImport("kernel32.dll", SetLastError = true)]
- private static extern bool CloseHandle(IntPtr hSnapshot);
-
- [DllImport("kernel32.dll")]
- static extern uint WTSGetActiveConsoleSessionId();
-
- [DllImport("advapi32.dll", EntryPoint = "CreateProcessAsUser", SetLastError = true, CharSet = CharSet.Ansi, CallingConvention = CallingConvention.StdCall)]
- public extern static bool CreateProcessAsUser(IntPtr hToken, String lpApplicationName, String lpCommandLine, ref SECURITY_ATTRIBUTES lpProcessAttributes,
- ref SECURITY_ATTRIBUTES lpThreadAttributes, bool bInheritHandle, int dwCreationFlags, IntPtr lpEnvironment,
- String lpCurrentDirectory, ref STARTUPINFO lpStartupInfo, out PROCESS_INFORMATION lpProcessInformation);
-
- [DllImport("kernel32.dll")]
- static extern bool ProcessIdToSessionId(uint dwProcessId, ref uint pSessionId);
-
- [DllImport("advapi32.dll", EntryPoint = "DuplicateTokenEx")]
- public extern static bool DuplicateTokenEx(IntPtr ExistingTokenHandle, uint dwDesiredAccess,
- ref SECURITY_ATTRIBUTES lpThreadAttributes, int TokenType,
- int ImpersonationLevel, ref IntPtr DuplicateTokenHandle);
-
- [DllImport("kernel32.dll")]
- static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);
-
- [DllImport("advapi32", SetLastError = true), SuppressUnmanagedCodeSecurityAttribute]
- static extern bool OpenProcessToken(IntPtr ProcessHandle, int DesiredAccess, ref IntPtr TokenHandle);
-
- #endregion
-
- /// <summary>
- /// Launches the given application with full admin rights, and in addition bypasses the Vista/Win7 UAC prompt
- /// </summary>
- /// <param name="applicationName">The name of the application to launch</param>
- /// <param name="procInfo">Process information regarding the launched application that gets returned to the caller</param>
- /// <returns></returns>
- public static bool StartProcessAndBypassUAC(String applicationName, out PROCESS_INFORMATION procInfo) {
- uint winlogonPid = 0;
- IntPtr hUserTokenDup = IntPtr.Zero, hPToken = IntPtr.Zero, hProcess = IntPtr.Zero;
- procInfo = new PROCESS_INFORMATION();
-
- // obtain the currently active session id; every logged on user in the system has a unique session id
- uint dwSessionId = GetActiveSessionId();
-
- // obtain the process id of the winlogon process that is running within the currently active session
- Process[] processes = Process.GetProcessesByName("winlogon");
- foreach (Process p in processes) {
- if ((uint)p.SessionId == dwSessionId) {
- winlogonPid = (uint)p.Id;
- }
- }
-
- // obtain a handle to the winlogon process
- hProcess = OpenProcess(MAXIMUM_ALLOWED, false, winlogonPid);
-
- // obtain a handle to the access token of the winlogon process
- if (!OpenProcessToken(hProcess, TOKEN_DUPLICATE, ref hPToken)) {
- CloseHandle(hProcess);
- return false;
- }
-
- // Security attibute structure used in DuplicateTokenEx and CreateProcessAsUser
- // I would prefer to not have to use a security attribute variable and to just
- // simply pass null and inherit (by default) the security attributes
- // of the existing token. However, in C# structures are value types and therefore
- // cannot be assigned the null value.
- SECURITY_ATTRIBUTES sa = new SECURITY_ATTRIBUTES();
- sa.Length = Marshal.SizeOf(sa);
-
- // copy the access token of the winlogon process; the newly created token will be a primary token
- if (!DuplicateTokenEx(hPToken, MAXIMUM_ALLOWED, ref sa, (int)SECURITY_IMPERSONATION_LEVEL.SecurityIdentification, (int)TOKEN_TYPE.TokenPrimary, ref hUserTokenDup)) {
- CloseHandle(hProcess);
- CloseHandle(hPToken);
- return false;
- }
-
- // By default CreateProcessAsUser creates a process on a non-interactive window station, meaning
- // the window station has a desktop that is invisible and the process is incapable of receiving
- // user input. To remedy this we set the lpDesktop parameter to indicate we want to enable user
- // interaction with the new process.
- STARTUPINFO si = new STARTUPINFO();
- si.cb = (int)Marshal.SizeOf(si);
- si.lpDesktop = @"winsta0\default"; // interactive window station parameter; basically this indicates that the process created can display a GUI on the desktop
-
- // flags that specify the priority and creation method of the process
- int dwCreationFlags = NORMAL_PRIORITY_CLASS | CREATE_NEW_CONSOLE;
-
- // create a new process in the current user's logon session
- bool result = CreateProcessAsUser(hUserTokenDup, // client's access token
- null, // file to execute
- applicationName, // command line
- ref sa, // pointer to process SECURITY_ATTRIBUTES
- ref sa, // pointer to thread SECURITY_ATTRIBUTES
- false, // handles are not inheritable
- dwCreationFlags, // creation flags
- IntPtr.Zero, // pointer to new environment block
- null, // name of current directory
- ref si, // pointer to STARTUPINFO structure
- out procInfo // receives information about new process
- );
-
- // invalidate the handles
- CloseHandle(hProcess);
- CloseHandle(hPToken);
- CloseHandle(hUserTokenDup);
-
- return result; // return the result
- }
-
- public static uint GetActiveSessionId() {
- return WTSGetActiveConsoleSessionId();
- }
-
- }
- }