win32

C:\Users\path>whoami /priv

在cmd中输入whoami /priv后将获得当前令牌(标准用户)的权限。

C:\Users\path>tasklist /v /fo csv | findstr /i "Command Prompt"

输入上面的command命令后获得cmd.exe的pid,以及其他一些信息。

下面需要一些代码来禁用权限。

#include <windows.h>
#include <TlHelp32.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

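/*
 * Print every privilege held by hToken and whether it is currently enabled.
 *
 * hToken needs TOKEN_QUERY access: both GetTokenInformation and PrivilegeCheck
 * query the token. Output goes to stdout, one "<name> Enabled|Disabled" line
 * per privilege. If PrivilegeCheck fails for an entry the state is printed as
 * "Unknown" instead of reading an uninitialized result.
 */
void print_privileges(HANDLE hToken)
{
    DWORD size = 0;
    /* Sizing call: expected to fail with ERROR_INSUFFICIENT_BUFFER and fill `size`. */
    if (GetTokenInformation(hToken, TokenPrivileges, NULL, 0, &size) ||
        GetLastError() != ERROR_INSUFFICIENT_BUFFER) {
        printf("GetTokenInformation (size query) failed: %lu\n", GetLastError());
        return;
    }
    PTOKEN_PRIVILEGES tp = malloc(size);
    if (tp == NULL) {
        puts("out of memory");
        return;
    }
    if (!GetTokenInformation(hToken, TokenPrivileges, tp, size, &size)) {
        printf("GetTokenInformation failed: %lu\n", GetLastError());
        free(tp);
        return;
    }
    for (DWORD i = 0; i < tp->PrivilegeCount; ++i) {
        /* 64 bytes is ample for every Se*Privilege name; "?" is kept on lookup failure. */
        char name[64] = "?";
        DWORD name_size = sizeof name;
        LookupPrivilegeNameA(NULL, &tp->Privileges[i].Luid, name, &name_size);

        /* Single-privilege set: PrivilegeCheck reports whether it is enabled. */
        PRIVILEGE_SET ps = { 0 };
        ps.PrivilegeCount = 1;
        ps.Control = PRIVILEGE_SET_ALL_NECESSARY;
        ps.Privilege[0].Luid = tp->Privileges[i].Luid;

        BOOL enabled = FALSE;
        const char *state;
        if (PrivilegeCheck(hToken, &ps, &enabled)) {
            state = enabled ? "Enabled" : "Disabled";
        } else {
            state = "Unknown"; /* `enabled` is not meaningful when the check fails */
        }
        printf("%-*s %s\n", 32, name, state);
    }
    free(tp);
}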
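/*
 * Disable every privilege in the primary token of process `pid`.
 *
 * The token's privilege list is printed before and after the adjustment so
 * the effect is visible. Returns 0 on success and 1 if the process or its
 * token could not be opened or AdjustTokenPrivileges did not succeed.
 *
 * Requires PROCESS_QUERY_INFORMATION on the process and
 * TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY on its token, so the caller must
 * already have that level of access to `pid`. Disabling only clears the
 * enabled flag; the privileges stay in the token and can be re-enabled by
 * code running in that process.
 */
int disable_all_privileges(DWORD pid)
{
    int ret = 1;
    /* bInheritHandle = FALSE: nothing spawned later should inherit this handle. */
    HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, pid);
    if (hProcess == NULL) {
        printf("OpenProcess(%lu) failed: %lu\n", pid, GetLastError());
        return ret;
    }

    HANDLE hToken = NULL;
    if (!OpenProcessToken(hProcess, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) {
        printf("OpenProcessToken failed: %lu\n", GetLastError());
        CloseHandle(hProcess);
        return ret;
    }

    puts("\nBefore:");
    print_privileges(hToken);

    /* DisableAllPrivileges = TRUE ignores NewState and clears the enabled bit on
     * every privilege. The call can return nonzero while setting
     * ERROR_NOT_ALL_ASSIGNED, so success requires the last error to be
     * ERROR_SUCCESS as well (the original `||` accepted failures as success). */
    if (AdjustTokenPrivileges(hToken, TRUE, NULL, 0, NULL, NULL) &&
        GetLastError() == ERROR_SUCCESS) {
        puts("\nAfter:");
        print_privileges(hToken);
        ret = 0;
    } else {
        printf("AdjustTokenPrivileges failed: %lu\n", GetLastError());
    }

    CloseHandle(hToken);
    CloseHandle(hProcess); /* was leaked in the original */
    return ret;
}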

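/*
 * Print the Toolhelp32 snapshot entry for process `pid`, if present.
 *
 * Uses the explicit wide-character API (PROCESSENTRY32W / Process32FirstW)
 * so the szExeFile format specifier does not depend on whether UNICODE is
 * defined at build time; the original mixed wprintf("%s") with the TCHAR
 * struct, which prints garbage in an ANSI build. Prints an error if the
 * snapshot cannot be taken and nothing if the pid is not found.
 */
void print_process_info(DWORD pid)
{
    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnapshot == INVALID_HANDLE_VALUE) {
        printf("CreateToolhelp32Snapshot failed: %lu\n", GetLastError());
        return;
    }

    /* dwSize must be set before the first call or Process32FirstW fails. */
    PROCESSENTRY32W pe32 = { 0 };
    pe32.dwSize = sizeof pe32;

    for (BOOL ok = Process32FirstW(hSnapshot, &pe32); ok; ok = Process32NextW(hSnapshot, &pe32)) {
        if (pe32.th32ProcessID != pid) {
            continue;
        }
        puts("Process info:");
        printf("dwSize: %lu\n", pe32.dwSize);
        printf("th32ProcessID: %lu\n", pe32.th32ProcessID);
        printf("cntThreads: %lu\n", pe32.cntThreads);
        printf("th32ParentProcessID: %lu\n", pe32.th32ParentProcessID);
        printf("pcPriClassBase: %ld\n", pe32.pcPriClassBase);
        printf("szExeFile: %ls\n", pe32.szExeFile); /* %ls: wide string in a narrow printf */
        break;
    }

    CloseHandle(hSnapshot);
}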

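/*
 * Usage: <exe> <pid>
 *
 * Parses the target pid, prints its snapshot entry and disables every
 * privilege in its token. Exit status is 0 on success, 1 on missing or
 * malformed arguments or when the adjustment fails.
 */
int main(int argc, char *argv[])
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s <pid>\n", argv[0]);
        return 1;
    }

    /* strtoul rejects trailing junk and reports overflow, which "%u" via
     * sscanf_s does not; on Windows unsigned long is 32-bit, same as DWORD. */
    char *end = NULL;
    errno = 0;
    unsigned long value = strtoul(argv[1], &end, 10);
    if (end == argv[1] || *end != '\0' || errno == ERANGE) {
        fprintf(stderr, "invalid pid: %s\n", argv[1]);
        return 1;
    }
    DWORD pid = (DWORD)value;

    print_process_info(pid);
    return disable_all_privileges(pid);
}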

最后在cmd中运行上面代码编译生成的exe可执行文件，并把cmd.exe的pid作为参数传入。如果成功，将看到当前cmd的所有权限都被disable。之后你在该cmd中运行的其他exe会继承这个令牌，因此它们启动时这些权限同样处于禁用状态。需要注意的是，这里只是清除了权限的启用标志，权限本身仍然保留在令牌中，进程内的代码仍可通过AdjustTokenPrivileges重新启用；要真正从令牌中删除权限需要使用SE_PRIVILEGE_REMOVED。

原文地址:https://www.cnblogs.com/strive-sun/p/13431625.html