/*
 * Replaces the primary token of pToProcess with a primary-token duplicate of
 * hSrcToken and writes a one-line outcome record into outBuffer via kprintf.
 *
 * szBufferIn / bufferIn: accepted but never read in this function (presumably
 *                        a shared handler signature; only hSrcToken and
 *                        pToProcess are used here).
 * outBuffer:   receives the status line.
 * hSrcToken:   token handle to duplicate. DesiredAccess is passed as 0, which
 *              per the DuplicateToken contract requests the same access the
 *              source handle has — confirm for ZwDuplicateToken.
 * pToProcess:  target EPROCESS; assumed already referenced by the caller.
 *
 * Returns the NTSTATUS of the last step that ran. Once ZwSetInformationProcess
 * has been attempted, the value returned is the status of the kprintf() call,
 * not of the token swap itself — a failed swap is visible only in the text
 * written to outBuffer, not to the caller's status check.
 */
NTSTATUS kkll_m_process_token_toProcess(SIZE_T szBufferIn, PVOID bufferIn, PKIWI_BUFFER outBuffer, HANDLE hSrcToken, PEPROCESS pToProcess)
{
    PROCESS_ACCESS_TOKEN ProcessTokenInformation = {NULL, NULL};
    HANDLE hToProcess;
    /* Non-NULL only while the "frozen" bit has been cleared and must be put back below. */
    PULONG pFlags2 = NULL;
    NTSTATUS status;
    HANDLE processId = PsGetProcessId(pToProcess);
    PCHAR processName = PsGetProcessImageFileName(pToProcess);

    /* Kernel-only handle to the target process, obtained from the EPROCESS pointer. */
    status = ObOpenObjectByPointer(pToProcess, OBJ_KERNEL_HANDLE, NULL, 0, *PsProcessType, KernelMode, &hToProcess);
    if(NT_SUCCESS(status))
    {
        /* Primary-token duplicate that is installed on the target process below. */
        status = ZwDuplicateToken(hSrcToken, 0, NULL, FALSE, TokenPrimary, &ProcessTokenInformation.Token);
        if(NT_SUCCESS(status))
        {
            if(KiwiOsIndex >= KiwiOsIndex_VISTA)
            {
                /*
                 * Direct write into EPROCESS at a hard-coded, per-OS-version
                 * offset taken from EPROCESS_OffSetTable. Nothing here validates
                 * the offset against the running build; a wrong table entry
                 * corrupts kernel memory instead of failing cleanly.
                 */
                pFlags2 = (PULONG) (((ULONG_PTR) pToProcess) + EPROCESS_OffSetTable[KiwiOsIndex][EprocessFlags2]);
                /*
                 * Clear the frozen bit only if it is set, and remember that via
                 * pFlags2 != NULL so it is restored after the swap. Presumably
                 * ZwSetInformationProcess refuses to replace a frozen primary
                 * token — confirm against the target kernel.
                 */
                if(*pFlags2 & TOKEN_FROZEN_MASK)
                    *pFlags2 &= ~TOKEN_FROZEN_MASK;
                else
                    pFlags2 = NULL;
            }
            status = ZwSetInformationProcess(hToProcess, ProcessAccessToken, &ProcessTokenInformation, sizeof(PROCESS_ACCESS_TOKEN));
            /*
             * Both branches overwrite `status` with kprintf's result (see the
             * header comment). processId is a HANDLE but is formatted with %u;
             * this is only well-defined if kprintf tolerates the width
             * mismatch — confirm.
             */
            if(NT_SUCCESS(status))
                status = kprintf(outBuffer, L" * to %u/%-14S\n", processId, processName);
            else
                status = kprintf(outBuffer, L" ! ZwSetInformationProcess 0x%08x for %u/%-14S\n", status, processId, processName);
            /* Put the frozen bit back whether or not the swap succeeded. */
            if((KiwiOsIndex >= KiwiOsIndex_VISTA) && pFlags2)
                *pFlags2 |= TOKEN_FROZEN_MASK;
            /* Release our handle to the duplicate; no further use of it here. */
            ZwClose(ProcessTokenInformation.Token);
        }
        ZwClose(hToProcess);
    }
    return status;
}
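/*
 * Duplicates the primary token of the process identified by procId as an
 * impersonation token and returns the new handle through *pDupedToken.
 *
 * procId:      process id of the source process (cast to a CLIENT_ID value).
 * pDupedToken: receives the duplicated token handle on success; the caller
 *              owns it and must ZwClose it.
 *
 * Returns a DualErr: no error on success, otherwise the failing step's minor
 * error code together with the NTSTATUS that produced it.
 *
 * The intermediate process and token handles are opened with only the rights
 * the next call needs (PROCESS_QUERY_INFORMATION for ZwOpenProcessToken,
 * TOKEN_DUPLICATE for ZwDuplicateToken) and are always closed before return;
 * they previously asked for *_ALL_ACCESS, which is more than this routine
 * ever exercises.
 */
DualErr DuplicateProcessToken(PGPUInt32 procId, PHANDLE pDupedToken)
{
    CLIENT_ID clientId;
    DualErr derr;   // relies on DualErr's default state being "no error" — confirm
    HANDLE procHandle, token;
    NTSTATUS status;
    OBJECT_ATTRIBUTES objAttribs;
    PGPBoolean openedProcess, openedToken;

    openedProcess = openedToken = FALSE;
    pgpAssertAddrValid(pDupedToken, HANDLE);

    // NOTE(review): no OBJ_KERNEL_HANDLE here, so procHandle and token live in
    // the calling process's handle table for the duration of this call;
    // acceptable only if this always runs in a context where that is intended — confirm.
    InitializeObjectAttributes(&objAttribs, NULL, 0, NULL, NULL);
    clientId.UniqueThread = NULL;
    clientId.UniqueProcess = (PVOID) procId;

    // Open a handle to the process. It is used solely for ZwOpenProcessToken,
    // which needs PROCESS_QUERY_INFORMATION, so that is all we request.
    status = ZwOpenProcess(&procHandle, PROCESS_QUERY_INFORMATION, &objAttribs, &clientId);
    if (!NT_SUCCESS(status)) {
        derr = DualErr(kPGDMinorError_ZwOpenProcessFailed, status);
    }
    openedProcess = derr.IsntError();

    // Open a handle to the process token. It is used solely as the source of
    // ZwDuplicateToken, which needs TOKEN_DUPLICATE on it.
    if (derr.IsntError()) {
        status = ZwOpenProcessToken(procHandle, TOKEN_DUPLICATE, &token);
        if (!NT_SUCCESS(status)) {
            derr = DualErr(kPGDMinorError_ZwOpenProcessTokenFailed, status);
        }
        openedToken = derr.IsntError();
    }

    // Duplicate the token as an impersonation token with query/impersonate rights.
    if (derr.IsntError()) {
        SECURITY_QUALITY_OF_SERVICE SQOS;
        SQOS.Length = sizeof(SQOS);
        SQOS.ImpersonationLevel = SecurityImpersonation;
        SQOS.ContextTrackingMode = SECURITY_DYNAMIC_TRACKING;
        SQOS.EffectiveOnly = FALSE;
        objAttribs.SecurityQualityOfService = (PVOID) &SQOS;

        // NOTE(review): SQOS.ImpersonationLevel (SecurityImpersonation) and the
        // explicit ImpersonationLevel argument (SecurityAnonymous) disagree;
        // confirm which one the kernel honours for the resulting token.
        status = ZwDuplicateToken(token, TOKEN_QUERY | TOKEN_IMPERSONATE, &objAttribs, SecurityAnonymous, TokenImpersonation, pDupedToken);
        if (!NT_SUCCESS(status)) {
            derr = DualErr(kPGDMinorError_ZwDuplicateTokenFailed, status);
        }
    }

    // Release the intermediate handles on every path; only *pDupedToken survives.
    if (openedToken)
        ZwClose(token);
    if (openedProcess)
        ZwClose(procHandle);

    return derr;
}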