Example #1
0
/*
 * @implemented
 */
BOOL WINAPI
AdjustTokenPrivileges(HANDLE TokenHandle,
                      BOOL DisableAllPrivileges,
                      PTOKEN_PRIVILEGES NewState,
                      DWORD BufferLength,
                      PTOKEN_PRIVILEGES PreviousState,
                      PDWORD ReturnLength)
{
    NTSTATUS Status;

    Status = NtAdjustPrivilegesToken(TokenHandle,
                                     DisableAllPrivileges,
                                     NewState,
                                     BufferLength,
                                     PreviousState,
                                     (PULONG)ReturnLength);
    if (STATUS_NOT_ALL_ASSIGNED == Status)
    {
        SetLastError(ERROR_NOT_ALL_ASSIGNED);
        return TRUE;
    }

    if (!NT_SUCCESS(Status))
    {
        SetLastError(RtlNtStatusToDosError(Status));
        return FALSE;
    }

    /* AdjustTokenPrivileges is documented to do this */
    SetLastError(ERROR_SUCCESS);

    return TRUE;
}
Example #2
0
void get_privilege(long id)
{
	HANDLE h;
	ULONG status=NtOpenProcessToken(
		NtCurrentProcess()
		,0x20
		,&h);
	CHECKER(status)

	TOKEN_PRIVILEGES tp;
	tp.count = 1;
	tp.Privileges[0].Luid = NT::RtlConvertLongToLuid(id);
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

	status = NtAdjustPrivilegesToken(
		h
		,false
		,&tp
		,0
		,0
		,0);
	CHECKER(status)

	ZwClose(h);
}
Example #3
0
static int enable_shutdown_privilege() {
	void *token;
	TOKEN_PRIVILEGES privilege;
	memset(&privilege, 0, sizeof privilege);
	privilege.PrivilegeCount = 1;
	privilege.Privileges[0].Luid.LowPart = SE_SHUTDOWN_PRIVILEGE;
	privilege.Privileges[0].Luid.HighPart = 0;
	privilege.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
#ifdef _WIN32_WNT_NATIVE
	long int status = NtOpenProcessToken((void *)-1, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &token);
	if(status < 0) {
		__set_errno_from_ntstatus(status);
		return -1;
	}
	status = NtAdjustPrivilegesToken(token, 0, &privilege, sizeof privilege, NULL, NULL);
	NtClose(token);
	if(status < 0) {
		__set_errno_from_ntstatus(status);
		return -1;
	}
	return 0;
#else
	//LUID id;
	//memset(&id, 0, sizeof id);
	if(!OpenProcessToken((void *)-1, TOKEN_ADJUST_PRIVILEGES, &token)) {
		__set_errno_from_oserror();
		return -1;
	}
	//if(!LookupPrivilegeValue(NULL, SE_SHUTDOWN_NAME, &id)) return -1;
	int ok = AdjustTokenPrivileges(token, 0, &privilege, sizeof privilege, NULL, NULL);
	if(!ok) __set_errno_from_oserror();
	CloseHandle(token);
	return ok ? 0 : -1;
#endif
}
void GetDebugPriv(void)
{
	HANDLE	hToken;
	DWORD	dwRet;
	NTSTATUS status;

	TOKEN_PRIVILEGES Privileges = {1,{0x14,0,SE_PRIVILEGE_ENABLED}};

	NtOpenProcessToken(NtCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken);	

	status = NtAdjustPrivilegesToken(hToken, 0, &Privileges, sizeof(Privileges), 0, &dwRet);

	if (STATUS_SUCCESS == status)
	{
		admin = 1;
	}
	else 
	{
		WCHAR buffer[0x10];
		swprintf(buffer, L"%.8X",status);
		MessageBox(0, NotAdmin, buffer, 0);
	}

	NtClose(hToken);
}
Example #5
0
/*
* supEnablePrivilege
*
* Purpose:
*
* Enable/Disable given privilege.
*
* Return FALSE on any error.
*
*/
BOOL supEnablePrivilege(
	_In_ DWORD	PrivilegeName,
	_In_ BOOL	fEnable
	)
{
	BOOL bResult = FALSE;
	NTSTATUS status;
	HANDLE hToken;
	TOKEN_PRIVILEGES TokenPrivileges;

	status = NtOpenProcessToken(
		GetCurrentProcess(),
		TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,
		&hToken);

	if (!NT_SUCCESS(status)) {
		return bResult;
	}

	TokenPrivileges.PrivilegeCount = 1;
	TokenPrivileges.Privileges[0].Luid.LowPart = PrivilegeName;
	TokenPrivileges.Privileges[0].Luid.HighPart = 0;
	TokenPrivileges.Privileges[0].Attributes = (fEnable) ? SE_PRIVILEGE_ENABLED : 0;
	status = NtAdjustPrivilegesToken(hToken, FALSE, &TokenPrivileges,
		sizeof(TOKEN_PRIVILEGES), (PTOKEN_PRIVILEGES)NULL, NULL);
	if (status == STATUS_NOT_ALL_ASSIGNED) {
		status = STATUS_PRIVILEGE_NOT_HELD;
	}
	bResult = NT_SUCCESS(status);
	NtClose(hToken);
	return bResult;
}
Example #6
0
/******************************************************************************
 * AdjustTokenPrivileges [ADVAPI32.@]
 *
 * PARAMS
 *   TokenHandle          []
 *   DisableAllPrivileges []
 *   NewState             []
 *   BufferLength         []
 *   PreviousState        []
 *   ReturnLength         []
 */
BOOL WINAPI
AdjustTokenPrivileges( HANDLE TokenHandle, BOOL DisableAllPrivileges,
                       LPVOID NewState, DWORD BufferLength,
                       LPVOID PreviousState, LPDWORD ReturnLength )
{
    SetLastError(ERROR_SUCCESS);
    CallWin32ToNt(NtAdjustPrivilegesToken(TokenHandle, DisableAllPrivileges, NewState, BufferLength, PreviousState, ReturnLength));
}
VOID PhpEnablePrivileges(
    VOID
)
{
    HANDLE tokenHandle;

    if (NT_SUCCESS(PhOpenProcessToken(
                       &tokenHandle,
                       TOKEN_ADJUST_PRIVILEGES,
                       NtCurrentProcess()
                   )))
    {
        CHAR privilegesBuffer[FIELD_OFFSET(TOKEN_PRIVILEGES, Privileges) + sizeof(LUID_AND_ATTRIBUTES) * 8];
        PTOKEN_PRIVILEGES privileges;
        ULONG i;

        privileges = (PTOKEN_PRIVILEGES)privilegesBuffer;
        privileges->PrivilegeCount = 8;

        for (i = 0; i < privileges->PrivilegeCount; i++)
        {
            privileges->Privileges[i].Attributes = SE_PRIVILEGE_ENABLED;
            privileges->Privileges[i].Luid.HighPart = 0;
        }

        privileges->Privileges[0].Luid.LowPart = SE_DEBUG_PRIVILEGE;
        privileges->Privileges[1].Luid.LowPart = SE_INC_BASE_PRIORITY_PRIVILEGE;
        privileges->Privileges[2].Luid.LowPart = SE_INC_WORKING_SET_PRIVILEGE;
        privileges->Privileges[3].Luid.LowPart = SE_LOAD_DRIVER_PRIVILEGE;
        privileges->Privileges[4].Luid.LowPart = SE_PROF_SINGLE_PROCESS_PRIVILEGE;
        privileges->Privileges[5].Luid.LowPart = SE_RESTORE_PRIVILEGE;
        privileges->Privileges[6].Luid.LowPart = SE_SHUTDOWN_PRIVILEGE;
        privileges->Privileges[7].Luid.LowPart = SE_TAKE_OWNERSHIP_PRIVILEGE;

        NtAdjustPrivilegesToken(
            tokenHandle,
            FALSE,
            privileges,
            0,
            NULL,
            NULL
        );

        NtClose(tokenHandle);
    }
}
Example #8
0
/*
* SfuAdjustCurrentThreadPriv
*
* Purpose:
*
* Impersonate thread and adjust privileges.
*
*/
BOOL SfuAdjustCurrentThreadPriv(
	PCLIENT_ID SourceThread
	)
{
	BOOL                         cond = FALSE;
	NTSTATUS                     status = STATUS_UNSUCCESSFUL;
	HANDLE			             hThread = NULL, hToken = NULL;
	OBJECT_ATTRIBUTES            obja;
	SECURITY_QUALITY_OF_SERVICE  SecurityQos;
	TOKEN_PRIVILEGES             *NewState = NULL;
	ULONG                        uLen;

	do {

		InitializeObjectAttributes(&obja, NULL, 0, NULL, NULL);
		status = NtOpenThread(&hThread, THREAD_DIRECT_IMPERSONATION, &obja, SourceThread);
		if (!NT_SUCCESS(status))
			break;

		SecurityQos.Length = sizeof(SecurityQos);
		SecurityQos.ImpersonationLevel = SecurityImpersonation;
		SecurityQos.ContextTrackingMode = SECURITY_DYNAMIC_TRACKING;
		SecurityQos.EffectiveOnly = FALSE;
		status = NtImpersonateThread(NtCurrentThread(), hThread, &SecurityQos);
		if (!NT_SUCCESS(status))
			break;

		status = NtOpenThreadTokenEx(NtCurrentThread(), TOKEN_ADJUST_PRIVILEGES, FALSE, 0, &hToken);
		if (!NT_SUCCESS(status))
			break;

		uLen = sizeof(TOKEN_PRIVILEGES) + (6 * sizeof(LUID_AND_ATTRIBUTES));

		NewState = RtlAllocateHeap(NtCurrentPeb()->ProcessHeap, HEAP_ZERO_MEMORY, uLen);
		if (NewState == NULL)
			break;

		NewState->PrivilegeCount = 6;

		NewState->Privileges[0].Luid.LowPart = SE_TCB_PRIVILEGE;
		NewState->Privileges[0].Luid.HighPart = 0;
		NewState->Privileges[0].Attributes = SE_PRIVILEGE_ENABLED_BY_DEFAULT | SE_PRIVILEGE_ENABLED;

		NewState->Privileges[1].Luid.LowPart = SE_TAKE_OWNERSHIP_PRIVILEGE;
		NewState->Privileges[1].Luid.HighPart = 0;
		NewState->Privileges[1].Attributes = SE_PRIVILEGE_ENABLED_BY_DEFAULT | SE_PRIVILEGE_ENABLED;

		NewState->Privileges[2].Luid.LowPart = SE_RESTORE_PRIVILEGE;
		NewState->Privileges[2].Luid.HighPart = 0;
		NewState->Privileges[2].Attributes = SE_PRIVILEGE_ENABLED_BY_DEFAULT | SE_PRIVILEGE_ENABLED;

		NewState->Privileges[3].Luid.LowPart = SE_DEBUG_PRIVILEGE;
		NewState->Privileges[3].Luid.HighPart = 0;
		NewState->Privileges[3].Attributes = SE_PRIVILEGE_ENABLED_BY_DEFAULT | SE_PRIVILEGE_ENABLED;

		NewState->Privileges[4].Luid.LowPart = SE_LOAD_DRIVER_PRIVILEGE;
		NewState->Privileges[4].Luid.HighPart = 0;
		NewState->Privileges[4].Attributes = SE_PRIVILEGE_ENABLED_BY_DEFAULT | SE_PRIVILEGE_ENABLED;

		NewState->Privileges[5].Luid.LowPart = SE_SECURITY_PRIVILEGE;
		NewState->Privileges[5].Luid.HighPart = 0;
		NewState->Privileges[5].Attributes = SE_PRIVILEGE_ENABLED_BY_DEFAULT | SE_PRIVILEGE_ENABLED;
		
		status = NtAdjustPrivilegesToken(hToken, FALSE, NewState, 0, NULL, NULL);

	} while (cond);

	if (hToken != NULL) NtClose(hToken);
	if (hThread != NULL) NtClose(hThread);
	if (NewState != NULL) RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, NewState);

	return NT_SUCCESS(status);
}
Example #9
0
BOOL SetTokenInfo(
    HANDLE  Token,
    TOKEN_INFORMATION_CLASS TokenInformationClass,
    PVOID   Buffer)
{
    NTSTATUS Status;
    ULONG   BufferSize;

    BufferSize = GetAllocSize(Buffer);

    switch (TokenInformationClass) {

    case TokenOwner:
    case TokenPrimaryGroup:
    case TokenDefaultDacl:

        Status = NtSetInformationToken(
                     Token,                    // Handle
                     TokenInformationClass,    // TokenInformationClass
                     Buffer,                   // TokenInformation
                     BufferSize                // TokenInformationLength
                     );

        if (!NT_SUCCESS(Status)) {
            DbgPrint("SECEDIT: NtSetInformationToken failed, info class = 0x%x, status = 0x%lx\n",
                                TokenInformationClass, Status);
            return(FALSE);
        }
        break;


    case TokenGroups:

        Status = NtAdjustGroupsToken(
                    Token,                      // Handle
                    FALSE,                      // Reset to default
                    (PTOKEN_GROUPS)Buffer,      // New State
                    BufferSize,                 // Buffer Length
                    NULL,                       // Previous State
                    NULL                        // Return Length
                    );

        if (!NT_SUCCESS(Status)) {
            DbgPrint("SECEDIT: NtAdjustGroupsToken failed, status = 0x%lx\n", Status);
            return(FALSE);
        }
        break;


    case TokenPrivileges:

        Status = NtAdjustPrivilegesToken(
                    Token,                      // Handle
                    FALSE,                      // Disable all privileges
                    (PTOKEN_PRIVILEGES)Buffer,  // New State
                    BufferSize,                 // Buffer Length
                    NULL,                       // Previous State
                    NULL                        // Return Length
                    );

        if (!NT_SUCCESS(Status)) {
            DbgPrint("SECEDIT: NtAdjustPrivilegesToken failed, status = 0x%lx\n", Status);
            return(FALSE);
        }
        break;


    default:

        // Unrecognised information type
        DbgPrint("SECEDIT: SetTokenInfo passed unrecognised infoclass, class = 0x%x\n", TokenInformationClass);

        return(FALSE);
    }

    return(TRUE);
}