/*
* @implemented
*/
BOOL WINAPI
AdjustTokenPrivileges(HANDLE TokenHandle,
BOOL DisableAllPrivileges,
PTOKEN_PRIVILEGES NewState,
DWORD BufferLength,
PTOKEN_PRIVILEGES PreviousState,
PDWORD ReturnLength)
{
NTSTATUS Status;
Status = NtAdjustPrivilegesToken(TokenHandle,
DisableAllPrivileges,
NewState,
BufferLength,
PreviousState,
(PULONG)ReturnLength);
if (STATUS_NOT_ALL_ASSIGNED == Status)
{
SetLastError(ERROR_NOT_ALL_ASSIGNED);
return TRUE;
}
if (!NT_SUCCESS(Status))
{
SetLastError(RtlNtStatusToDosError(Status));
return FALSE;
}
/* AdjustTokenPrivileges is documented to do this */
SetLastError(ERROR_SUCCESS);
return TRUE;
}
void get_privilege(long id)
{
HANDLE h;
ULONG status=NtOpenProcessToken(
NtCurrentProcess()
,0x20
,&h);
CHECKER(status)
TOKEN_PRIVILEGES tp;
tp.count = 1;
tp.Privileges[0].Luid = NT::RtlConvertLongToLuid(id);
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
status = NtAdjustPrivilegesToken(
h
,false
,&tp
,0
,0
,0);
CHECKER(status)
ZwClose(h);
}
static int enable_shutdown_privilege() {
void *token;
TOKEN_PRIVILEGES privilege;
memset(&privilege, 0, sizeof privilege);
privilege.PrivilegeCount = 1;
privilege.Privileges[0].Luid.LowPart = SE_SHUTDOWN_PRIVILEGE;
privilege.Privileges[0].Luid.HighPart = 0;
privilege.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
#ifdef _WIN32_WNT_NATIVE
long int status = NtOpenProcessToken((void *)-1, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &token);
if(status < 0) {
__set_errno_from_ntstatus(status);
return -1;
}
status = NtAdjustPrivilegesToken(token, 0, &privilege, sizeof privilege, NULL, NULL);
NtClose(token);
if(status < 0) {
__set_errno_from_ntstatus(status);
return -1;
}
return 0;
#else
//LUID id;
//memset(&id, 0, sizeof id);
if(!OpenProcessToken((void *)-1, TOKEN_ADJUST_PRIVILEGES, &token)) {
__set_errno_from_oserror();
return -1;
}
//if(!LookupPrivilegeValue(NULL, SE_SHUTDOWN_NAME, &id)) return -1;
int ok = AdjustTokenPrivileges(token, 0, &privilege, sizeof privilege, NULL, NULL);
if(!ok) __set_errno_from_oserror();
CloseHandle(token);
return ok ? 0 : -1;
#endif
}
void GetDebugPriv(void)
{
HANDLE hToken;
DWORD dwRet;
NTSTATUS status;
TOKEN_PRIVILEGES Privileges = {1,{0x14,0,SE_PRIVILEGE_ENABLED}};
NtOpenProcessToken(NtCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken);
status = NtAdjustPrivilegesToken(hToken, 0, &Privileges, sizeof(Privileges), 0, &dwRet);
if (STATUS_SUCCESS == status)
{
admin = 1;
}
else
{
WCHAR buffer[0x10];
swprintf(buffer, L"%.8X",status);
MessageBox(0, NotAdmin, buffer, 0);
}
NtClose(hToken);
}
/*
* supEnablePrivilege
*
* Purpose:
*
* Enable/Disable given privilege.
*
* Return FALSE on any error.
*
*/
BOOL supEnablePrivilege(
_In_ DWORD PrivilegeName,
_In_ BOOL fEnable
)
{
BOOL bResult = FALSE;
NTSTATUS status;
HANDLE hToken;
TOKEN_PRIVILEGES TokenPrivileges;
status = NtOpenProcessToken(
GetCurrentProcess(),
TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,
&hToken);
if (!NT_SUCCESS(status)) {
return bResult;
}
TokenPrivileges.PrivilegeCount = 1;
TokenPrivileges.Privileges[0].Luid.LowPart = PrivilegeName;
TokenPrivileges.Privileges[0].Luid.HighPart = 0;
TokenPrivileges.Privileges[0].Attributes = (fEnable) ? SE_PRIVILEGE_ENABLED : 0;
status = NtAdjustPrivilegesToken(hToken, FALSE, &TokenPrivileges,
sizeof(TOKEN_PRIVILEGES), (PTOKEN_PRIVILEGES)NULL, NULL);
if (status == STATUS_NOT_ALL_ASSIGNED) {
status = STATUS_PRIVILEGE_NOT_HELD;
}
bResult = NT_SUCCESS(status);
NtClose(hToken);
return bResult;
}
/******************************************************************************
* AdjustTokenPrivileges [ADVAPI32.@]
*
* PARAMS
* TokenHandle []
* DisableAllPrivileges []
* NewState []
* BufferLength []
* PreviousState []
* ReturnLength []
*/
BOOL WINAPI
AdjustTokenPrivileges( HANDLE TokenHandle, BOOL DisableAllPrivileges,
LPVOID NewState, DWORD BufferLength,
LPVOID PreviousState, LPDWORD ReturnLength )
{
SetLastError(ERROR_SUCCESS);
CallWin32ToNt(NtAdjustPrivilegesToken(TokenHandle, DisableAllPrivileges, NewState, BufferLength, PreviousState, ReturnLength));
}
VOID PhpEnablePrivileges(
VOID
)
{
HANDLE tokenHandle;
if (NT_SUCCESS(PhOpenProcessToken(
&tokenHandle,
TOKEN_ADJUST_PRIVILEGES,
NtCurrentProcess()
)))
{
CHAR privilegesBuffer[FIELD_OFFSET(TOKEN_PRIVILEGES, Privileges) + sizeof(LUID_AND_ATTRIBUTES) * 8];
PTOKEN_PRIVILEGES privileges;
ULONG i;
privileges = (PTOKEN_PRIVILEGES)privilegesBuffer;
privileges->PrivilegeCount = 8;
for (i = 0; i < privileges->PrivilegeCount; i++)
{
privileges->Privileges[i].Attributes = SE_PRIVILEGE_ENABLED;
privileges->Privileges[i].Luid.HighPart = 0;
}
privileges->Privileges[0].Luid.LowPart = SE_DEBUG_PRIVILEGE;
privileges->Privileges[1].Luid.LowPart = SE_INC_BASE_PRIORITY_PRIVILEGE;
privileges->Privileges[2].Luid.LowPart = SE_INC_WORKING_SET_PRIVILEGE;
privileges->Privileges[3].Luid.LowPart = SE_LOAD_DRIVER_PRIVILEGE;
privileges->Privileges[4].Luid.LowPart = SE_PROF_SINGLE_PROCESS_PRIVILEGE;
privileges->Privileges[5].Luid.LowPart = SE_RESTORE_PRIVILEGE;
privileges->Privileges[6].Luid.LowPart = SE_SHUTDOWN_PRIVILEGE;
privileges->Privileges[7].Luid.LowPart = SE_TAKE_OWNERSHIP_PRIVILEGE;
NtAdjustPrivilegesToken(
tokenHandle,
FALSE,
privileges,
0,
NULL,
NULL
);
NtClose(tokenHandle);
}
}
/*
* SfuAdjustCurrentThreadPriv
*
* Purpose:
*
* Impersonate thread and adjust privileges.
*
*/
BOOL SfuAdjustCurrentThreadPriv(
PCLIENT_ID SourceThread
)
{
BOOL cond = FALSE;
NTSTATUS status = STATUS_UNSUCCESSFUL;
HANDLE hThread = NULL, hToken = NULL;
OBJECT_ATTRIBUTES obja;
SECURITY_QUALITY_OF_SERVICE SecurityQos;
TOKEN_PRIVILEGES *NewState = NULL;
ULONG uLen;
do {
InitializeObjectAttributes(&obja, NULL, 0, NULL, NULL);
status = NtOpenThread(&hThread, THREAD_DIRECT_IMPERSONATION, &obja, SourceThread);
if (!NT_SUCCESS(status))
break;
SecurityQos.Length = sizeof(SecurityQos);
SecurityQos.ImpersonationLevel = SecurityImpersonation;
SecurityQos.ContextTrackingMode = SECURITY_DYNAMIC_TRACKING;
SecurityQos.EffectiveOnly = FALSE;
status = NtImpersonateThread(NtCurrentThread(), hThread, &SecurityQos);
if (!NT_SUCCESS(status))
break;
status = NtOpenThreadTokenEx(NtCurrentThread(), TOKEN_ADJUST_PRIVILEGES, FALSE, 0, &hToken);
if (!NT_SUCCESS(status))
break;
uLen = sizeof(TOKEN_PRIVILEGES) + (6 * sizeof(LUID_AND_ATTRIBUTES));
NewState = RtlAllocateHeap(NtCurrentPeb()->ProcessHeap, HEAP_ZERO_MEMORY, uLen);
if (NewState == NULL)
break;
NewState->PrivilegeCount = 6;
NewState->Privileges[0].Luid.LowPart = SE_TCB_PRIVILEGE;
NewState->Privileges[0].Luid.HighPart = 0;
NewState->Privileges[0].Attributes = SE_PRIVILEGE_ENABLED_BY_DEFAULT | SE_PRIVILEGE_ENABLED;
NewState->Privileges[1].Luid.LowPart = SE_TAKE_OWNERSHIP_PRIVILEGE;
NewState->Privileges[1].Luid.HighPart = 0;
NewState->Privileges[1].Attributes = SE_PRIVILEGE_ENABLED_BY_DEFAULT | SE_PRIVILEGE_ENABLED;
NewState->Privileges[2].Luid.LowPart = SE_RESTORE_PRIVILEGE;
NewState->Privileges[2].Luid.HighPart = 0;
NewState->Privileges[2].Attributes = SE_PRIVILEGE_ENABLED_BY_DEFAULT | SE_PRIVILEGE_ENABLED;
NewState->Privileges[3].Luid.LowPart = SE_DEBUG_PRIVILEGE;
NewState->Privileges[3].Luid.HighPart = 0;
NewState->Privileges[3].Attributes = SE_PRIVILEGE_ENABLED_BY_DEFAULT | SE_PRIVILEGE_ENABLED;
NewState->Privileges[4].Luid.LowPart = SE_LOAD_DRIVER_PRIVILEGE;
NewState->Privileges[4].Luid.HighPart = 0;
NewState->Privileges[4].Attributes = SE_PRIVILEGE_ENABLED_BY_DEFAULT | SE_PRIVILEGE_ENABLED;
NewState->Privileges[5].Luid.LowPart = SE_SECURITY_PRIVILEGE;
NewState->Privileges[5].Luid.HighPart = 0;
NewState->Privileges[5].Attributes = SE_PRIVILEGE_ENABLED_BY_DEFAULT | SE_PRIVILEGE_ENABLED;
status = NtAdjustPrivilegesToken(hToken, FALSE, NewState, 0, NULL, NULL);
} while (cond);
if (hToken != NULL) NtClose(hToken);
if (hThread != NULL) NtClose(hThread);
if (NewState != NULL) RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, NewState);
return NT_SUCCESS(status);
}
BOOL SetTokenInfo(
HANDLE Token,
TOKEN_INFORMATION_CLASS TokenInformationClass,
PVOID Buffer)
{
NTSTATUS Status;
ULONG BufferSize;
BufferSize = GetAllocSize(Buffer);
switch (TokenInformationClass) {
case TokenOwner:
case TokenPrimaryGroup:
case TokenDefaultDacl:
Status = NtSetInformationToken(
Token, // Handle
TokenInformationClass, // TokenInformationClass
Buffer, // TokenInformation
BufferSize // TokenInformationLength
);
if (!NT_SUCCESS(Status)) {
DbgPrint("SECEDIT: NtSetInformationToken failed, info class = 0x%x, status = 0x%lx\n",
TokenInformationClass, Status);
return(FALSE);
}
break;
case TokenGroups:
Status = NtAdjustGroupsToken(
Token, // Handle
FALSE, // Reset to default
(PTOKEN_GROUPS)Buffer, // New State
BufferSize, // Buffer Length
NULL, // Previous State
NULL // Return Length
);
if (!NT_SUCCESS(Status)) {
DbgPrint("SECEDIT: NtAdjustGroupsToken failed, status = 0x%lx\n", Status);
return(FALSE);
}
break;
case TokenPrivileges:
Status = NtAdjustPrivilegesToken(
Token, // Handle
FALSE, // Disable all privileges
(PTOKEN_PRIVILEGES)Buffer, // New State
BufferSize, // Buffer Length
NULL, // Previous State
NULL // Return Length
);
if (!NT_SUCCESS(Status)) {
DbgPrint("SECEDIT: NtAdjustPrivilegesToken failed, status = 0x%lx\n", Status);
return(FALSE);
}
break;
default:
// Unrecognised information type
DbgPrint("SECEDIT: SetTokenInfo passed unrecognised infoclass, class = 0x%x\n", TokenInformationClass);
return(FALSE);
}
return(TRUE);
}