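/*
 * Impersonate the SSPI client bound to phContext and evaluate that client's
 * effective rights against the security descriptor psdSD.
 *
 * phContext        - established SSPI security context of the remote client.
 * psdSD            - security descriptor to evaluate the client against.
 * pdwAccessGranted - out: the set of rights AccessCheck() granted for a
 *                    MAXIMUM_ALLOWED request. Zeroed up front so a caller
 *                    never reads an indeterminate value when the check
 *                    could not be performed.
 *
 * Returns TRUE only when the whole chain succeeded (impersonation, thread
 * token open, AccessCheck) AND at least one of the ViewOnly / Interact rights
 * was granted. Every failure on that path is reported as denial, not as an
 * error; for an authorization gate that is the safe default. Note that
 * AccessCheck() itself fails (ERROR_INSUFFICIENT_BUFFER) if the DACL requires
 * more privileges than the single-entry PRIVILEGE_SET used here can hold —
 * that case is also treated as denial.
 *
 * On every path the thread is reverted to its own identity before returning,
 * so impersonation never leaks to the caller.
 */
BOOL ImpersonateAndCheckAccess(PCtxtHandle phContext, PSECURITY_DESCRIPTOR psdSD, PDWORD pdwAccessGranted)
{
    HANDLE hToken = NULL;
    BOOL fAccessGranted = FALSE;

    /* AccessCheck() inputs. */
    DWORD dwAccessDesired = MAXIMUM_ALLOWED;
    PRIVILEGE_SET PrivilegeSet;
    DWORD dwPrivSetSize = sizeof(PRIVILEGE_SET);
    GENERIC_MAPPING GenericMapping = { vncGenericRead, vncGenericWrite, vncGenericExecute, vncGenericAll };

    if (pdwAccessGranted == NULL) {
        return FALSE;
    }
    /* Deny-by-default: the out-parameter only carries meaning on success. */
    *pdwAccessGranted = 0;

    /* MAXIMUM_ALLOWED is not a GENERIC_* bit, so this is currently a no-op.
     * It is kept so that switching dwAccessDesired to a generic right
     * (e.g. GENERIC_ALL) keeps producing a valid specific-rights mask. */
    MapGenericMask(&dwAccessDesired, &GenericMapping);

    /* AccessCheck() requires an impersonation token, so temporarily assume
     * the client's identity. OpenAsSelf=TRUE opens the thread token with the
     * process identity, which is needed when the impersonated client has
     * fewer rights than the server itself. */
    if ((fn._ImpersonateSecurityContext(phContext) == SEC_E_OK) &&
        OpenThreadToken(GetCurrentThread(), TOKEN_QUERY, TRUE, &hToken) &&
        AccessCheck(psdSD, hToken, dwAccessDesired, &GenericMapping,
                    &PrivilegeSet, &dwPrivSetSize, pdwAccessGranted, &fAccessGranted)) {
        /* AccessCheck's flag only says "something was granted"; narrow the
         * verdict to the rights this server actually gates on. */
        fAccessGranted = AreAnyAccessesGranted(*pdwAccessGranted, ViewOnly | Interact);
    }

    /* Always revert, even if impersonation reported failure: it is harmless
     * on a non-impersonating thread and guarantees the caller's thread gets
     * its own identity back. */
    fn._RevertSecurityContext(phContext);

    if (hToken != NULL) {
        CloseHandle(hToken);
    }

    return fAccessGranted;
}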
/*
 * NOTE(review): this is decompiler output (register-named locals such as
 * eax_2/esi_10, the "// address:" tag, raw absolute addresses, "Warning: also
 * results in ..." annotations) for the entry point of a 32-bit image whose
 * code sits around 0x401000. It is not source, will not compile as written
 * (the "//" at the start of the first line even comments out the signature),
 * and is kept for analysis only. What the visible code does, in order:
 *
 *  1. A loop of 0x1440 iterations XORs each byte at 0x401190 + i with a key
 *     byte read from 0x404000 + j, where j wraps to 0 when it reaches a bound
 *     (ebx_7) derived from earlier, unresolved arithmetic. The image body is
 *     therefore decoded in place before anything else runs.
 *
 *  2. A second loop walks blocks starting at 0x402490 (dword size at +4,
 *     16-bit entries from +8, 228 bytes total): for every entry whose high
 *     nibble is 3 (eax & 0xf000 == 0x3000) it adds a fixed delta to the dword
 *     at (entry & 0xfff) + *block + 0x400f10 (written as "- 0xfbff0f0", i.e.
 *     + 0xf0400f10 mod 2^32). This has the shape of IMAGE_REL_BASED_HIGHLOW
 *     base-relocation processing — presumed, not confirmed from this listing.
 *
 *  3. A loop over 20-byte records starting at 0x401c84, entered only if the
 *     dword at 0x401c94 (record + 16) is non-zero: LoadLibraryA is called on
 *     the string at record + 12 (+ 0x400f10); if the load succeeds, each
 *     thunk at record + 0 (or record + 16 when + 0 is zero) is resolved with
 *     GetProcAddress, by name (eax >= 0, skipping a 2-byte hint) or by
 *     ordinal (high bit set, low 16 bits used), and the result is stored into
 *     the table at record + 16. The loop advances 20 bytes per record while
 *     the next record's + 16 field is non-zero. This matches the
 *     IMAGE_IMPORT_DESCRIPTOR layout — presumed. A failed LoadLibraryA is
 *     silently skipped, leaving that record's table entries unresolved while
 *     execution continues.
 *
 *  4. An indirect call through the pointer stored at 0x401960 with an
 *     argument list the decompiler could not resolve (it dumped every live
 *     register and flag), followed by ExitProcess(0).
 *
 * Security relevance: this is a self-decoding loader stub. The real behaviour
 * lives in the XOR-decoded region and in whatever *0x401960 points to after
 * steps 1-3, so analysing this function alone says nothing about the payload;
 * dump the decoded region after step 1 (or break on the call in step 4) in an
 * isolated sandbox rather than reasoning from this listing. The decompiler
 * warnings mark calls whose register side effects were not modelled, so the
 * argument lists and the values of ebx_7/ecx below are unreliable.
 */
// address: 0x401000 void _start(unsigned int param1) { short ax; // r0 unsigned char cl; // r9 __size32 eax; // r24 unsigned int eax_2; // r24{28} __size32 eax_3; // r24{245} __size32 ebp; // r29 unsigned int ebx; // r27 int *ebx_1; // r27 unsigned int ebx_2; // r27{31} unsigned int ebx_3; // r27{47} __size32 ebx_4; // r27{168} __size32 ebx_5; // r27{172} int *ebx_6; // r27{311} unsigned int ebx_7; // r27{238} __size32 ebx_8; // r27{305} int ecx; // r25 __size32 *ecx_1; // r25 __size32 *ecx_2; // r25{260} unsigned int ecx_3; // r25{160} unsigned int edi; // r31 int edx; // r26 unsigned int esi; // r30 __size32 *esi_1; // r30 unsigned int esi_10; // r30{247} unsigned int esi_11; // r30{286} unsigned int esi_12; // r30{271} unsigned int esi_13; // r30{262} union { unsigned int x7; __size32 * x8; } esi_14; // r30{313} unsigned int esi_2; // r30{12} unsigned int esi_3; // r30{57} unsigned int esi_4; // r30{69} unsigned int esi_5; // r30{101} unsigned int esi_6; // r30{128} __size32 *esi_7; // r30{218} union { unsigned int x7; __size32 * x8; } esi_8; // r30{185} unsigned int esi_9; // r30{253} int esp; // r28 void *esp_1; // r28{42} void *esp_2; // r28{298} unsigned int local0; // m[esp - 36] unsigned int local12; // m[esp - 36]{350} unsigned int local13; // ebx_7{238} unsigned int local14; // esi_10{247} unsigned int local15; // param1{248} unsigned int local16; // esi_9{253} unsigned int local17; // esi_13{262} unsigned int local18; // esi_12{271} unsigned int local19; // esi_11{286} __size32 local20; // ebx_8{305} union { unsigned int x7; __size32 * x8; } local21; // esi_14{313} __size32 *local22; // esi_7{331} union { __size32 * x5; unsigned int x6; } local23; // ecx{340} esi_2 = 0; eax_2 = AddAce(); local14 = esi_2; local15 = param1; ebx_2 = eax_2 + 22; eax = AreAnyAccessesGranted(); /* Warning: also results in ecx, esp_1 */ local13 = ebx_2; if (eax == 0) { ebx_3 = eax_2 - 12; local13 = ebx_3; } ebx_7 = local13; eax = 0; do { eax_3 = eax; esi_10 = local14; param1 
= local15; local16 = esi_10; if (esi_10 == ebx_7) { esi_3 = 0; local16 = esi_3; } esi_9 = local16; edi = ecx + param1 * 4 + esi_9; cl = *(esi_9 + 0x404000); ecx = ecx >> 8 & 0xffffff | (cl); *(char*)(eax_3 + 0x401190) = *(eax_3 + 0x401190) ^ cl; eax = eax_3 + 1; esi_4 = esi_9 + 1; local14 = esi_4; local15 = edi; local17 = esi_4; } while (eax_3 + 1 < 0x1440); ecx_1 = 0x402490; ebx_1 = 0xf0400f10; local0 = 0; edi = esi_9 + edi * 4 + 1; do { ecx_2 = ecx_1; esi_13 = local17; local12 = local0; eax = *(ecx_2 + 4); edi = (eax - 8) / 2 + edi * 8; edx = ecx_2 + 8; local19 = esi_13; if ((int)((eax - 8) / 2) > 0) { esi_5 = (eax - 8) / 2; local18 = esi_5; do { esi_12 = local18; eax = *(unsigned short*)edx; edi = eax & 0xf000; if ((eax & 0xf000) == 0x3000) { eax = (eax & 0xfff) + *ecx_2; *(__size32*)(eax + 0x400f10) = *(eax + 0x400f10) - 0xfbff0f0; } edx++; esi_6 = esi_12 - 1; local18 = esi_6; local19 = esi_6; } while (esi_12 != 1); } esi_11 = local19; eax = *(ecx_2 + 4); ax = (unsigned short) eax; ecx_1 = ecx_2 + eax; cl = (unsigned char) ecx_2 + eax; local0 = local12 + eax; local17 = esi_11; local23 = ecx_1; } while (local12 + eax < 228); esi_1 = 0x401c84; edi += edi; flags = SUBFLAGS32(*0x401c94, 0, global10); if (*0x401c94 != 0) { do { esp_2 = esp_1; esi_14 = esi_1; edx = *(esi_14 + 12); *(__size32*)(esp_2 - 4) = edx + 0x400f10; eax = LoadLibraryA(*(esp_2 - 4)); /* Warning: also results in ecx_3 */ local21 = esi_14; local22 = esi_14; local22 = esi_14; edx = eax; *(union { unsigned int x3; void * x4; }*)(esp_2 + 20) = eax; ecx = ecx_3 * 3; cl = (unsigned char) ecx_3 * 3; if (eax != 0) { ebx_4 = *esi_14; local20 = ebx_4; if (ebx_4 == 0) { ebx_5 = *(esi_14 + 16); local20 = ebx_5; } ebx_8 = local20; edi = *(esi_14 + 16); ebx_1 = ebx_8 + 0x400f10; edi += 0x400f10; if (*(ebx_8 + 0x400f10) != 0) { L10: ebx_6 = ebx_1; esi_14 = local21; esi_8 = edi + esi_14 * 4; eax = *ebx_6; local21 = esi_8; if (eax >= 0) { cl = (unsigned char) eax + 0x400f12; *(__size32*)(esp_2 - 4) = eax + 
0x400f12; goto L7; } else { *(unsigned int*)(esp_2 - 4) = ((unsigned short) eax); } L7: *(union { unsigned int x3; void * x4; }*)(esp_2 - 8) = edx; eax = GetProcAddress(*(esp_2 - 8), *(esp_2 - 4)); /* Warning: also results in ecx */ *(__size32*)edi = eax; ebx_1 = ebx_6 + 4; eax = ebx_6 + (eax + 1) * 4; ax = (unsigned short) eax; edi += 4; if (*(ebx_6 + 4) != 0) { edx = *(esp_2 + 20); goto L10; } esi_7 = *(esp_2 + 16); local22 = esi_7; } } esp_1 = esp_2; esi_7 = local22; esi_1 = esi_7 + 20; tmp1 = *(esi_7 + 36); flags = SUBFLAGS32(*(esi_7 + 36), 0, tmp1); *(void **)(esp_2 + 16) = esi_7 + 20; local23 = ecx; } while (*(esi_7 + 36) != 0); } ecx = local23; (*0x401960)(pc, -1, -1, 0, 0, 0x401c84, 0, 0, param1, esi, ebp, ebx, ax, cl, eax, ecx, 0x401960, ebx_1, 0x400f10, esi_1, edi, flags, ZF, CF); *(__size32*)(esp - 4) = 0; ExitProcess(*(esp - 4)); return; }