当前位置：首页 > news >正文

[笔记] 关于CreateProcessWithLogonW函数创建进程

news 2025/7/27 22:36:59

函数介绍

https://learn.microsoft.com/zh-cn/windows/win32/api/winbase/nf-winbase-createprocesswithlogonw

BOOL CreateProcessWithLogonW([in]                LPCWSTR               lpUsername,[in, optional]      LPCWSTR               lpDomain,[in]                LPCWSTR               lpPassword,[in]                DWORD                 dwLogonFlags,[in, optional]      LPCWSTR               lpApplicationName,[in, out, optional] LPWSTR                lpCommandLine,[in]                DWORD                 dwCreationFlags,[in, optional]      LPVOID                lpEnvironment,[in, optional]      LPCWSTR               lpCurrentDirectory,[in]                LPSTARTUPINFOW        lpStartupInfo,[out]               LPPROCESS_INFORMATION lpProcessInformation
);

几种使用方法

使用存在的账号信息创建进程

在这里插入图片描述

使用空网络账号信息创建进程

在这里插入图片描述
所以即使账号信息实际不存在也可以创建进程，只是无权访问网络资源

if (!CreateProcessWithLogonW(L"MalseclogonUser", L"MalseclogonDomain", L"MalseclogonPwd", LOGON_NETCREDENTIALS_ONLY, NULL, cmdline, 0, NULL, NULL, &startInfo, &procInfo)) {printf("CreateProcessWithLogonW() failed with error code %d \n", GetLastError());
} else {// the returned handles in procInfo are wrong and duped into the spoofed parent process, so we can't close handles or wait for process end.printf("Spoofed process %S created correctly as child of PID %d using CreateProcessWithLogonW()!", cmdline, pid);
}