Exemple #1
0
inline NTSTATUS AdjustPrivilege(bool is_enable, ULONG privilege)
{
    TOKEN_PRIVILEGES new_privs = {};
    HANDLE           h_process_token = {};

    auto status = ZwOpenProcessTokenEx(ZwCurrentProcess(), TOKEN_ALL_ACCESS, OBJ_KERNEL_HANDLE, &h_process_token);
    if (!NT_SUCCESS(status))
    {
        return status;
    }

    DEFER(ZwClose(h_process_token));

    new_privs.PrivilegeCount = 1;
    new_privs.Privileges[0].Luid = RtlConvertUlongToLuid(privilege);

    if (is_enable)
    {
        new_privs.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    }
    else
    {
        new_privs.Privileges[0].Attributes = 0;
    }

    return ZwAdjustPrivilegesToken(h_process_token, false, &new_privs, sizeof(new_privs), nullptr, nullptr);
}
Exemple #2
0
NTSTATUS kkll_m_process_token(SIZE_T szBufferIn, PVOID bufferIn, PKIWI_BUFFER outBuffer)
{
	NTSTATUS status = STATUS_SUCCESS;
	PMIMIDRV_PROCESS_TOKEN_FROM_TO pTokenFromTo = (PMIMIDRV_PROCESS_TOKEN_FROM_TO) bufferIn;
	ULONG fromProcessId, toProcessId;
	HANDLE hFromProcess, hFromProcessToken;
	PEPROCESS pFromProcess = PsInitialSystemProcess, pToProcess = NULL;

	if(pTokenFromTo && (szBufferIn == sizeof(MIMIDRV_PROCESS_TOKEN_FROM_TO)))
	{
		if(pTokenFromTo->fromProcessId)
			status = PsLookupProcessByProcessId((HANDLE) pTokenFromTo->fromProcessId, &pFromProcess);
		if(NT_SUCCESS(status) && pTokenFromTo->toProcessId)
			status = PsLookupProcessByProcessId((HANDLE) pTokenFromTo->toProcessId, &pToProcess);
	}

	if(NT_SUCCESS(status))
	{
		status = ObOpenObjectByPointer(pFromProcess, OBJ_KERNEL_HANDLE, NULL, 0, *PsProcessType, KernelMode, &hFromProcess);
		if(NT_SUCCESS(status))
		{
			status = ZwOpenProcessTokenEx(hFromProcess, 0, OBJ_KERNEL_HANDLE, &hFromProcessToken);
			if(NT_SUCCESS(status))
			{
				status = kprintf(outBuffer, L"Token from %u/%-14S\n", PsGetProcessId(pFromProcess), PsGetProcessImageFileName(pFromProcess));
				if(NT_SUCCESS(status))
				{
					if(pToProcess)
						status = kkll_m_process_token_toProcess(szBufferIn, bufferIn, outBuffer, hFromProcessToken, pToProcess);
					else
						status = kkll_m_process_enum(szBufferIn, bufferIn, outBuffer, kkll_m_process_systoken_callback, hFromProcessToken);
				}
				ZwClose(hFromProcessToken);
			}
			ZwClose(hFromProcess);
		}
	}

	if(pToProcess)
		ObDereferenceObject(pToProcess);

	if(pFromProcess && (pFromProcess != PsInitialSystemProcess))
		ObDereferenceObject(pFromProcess);

	return status;
}
Exemple #3
0
    NtMaxPrivilege_()
        : _h_process_token(), _previous_state()
    {
        auto status = ZwOpenProcessTokenEx(ZwCurrentProcess(), TOKEN_ALL_ACCESS, OBJ_KERNEL_HANDLE, &_h_process_token);
        Assert(NT_SUCCESS(status) && _h_process_token);

        _previous_state     = MakeBuffer(4096);
        auto previous_state = Cast<PTOKEN_PRIVILEGES>(_previous_state);
        status = ZwAdjustPrivilegesToken(_h_process_token, true, nullptr, _previous_state.capacity(), previous_state, Unused<PULONG>());
        Assert(NT_SUCCESS(status));

        for (ULONG priv_num = SE_MIN_WELL_KNOWN_PRIVILEGE; priv_num <= SE_MAX_WELL_KNOWN_PRIVILEGE; ++priv_num)
        {
            TOKEN_PRIVILEGES new_priv = {};
            new_priv.PrivilegeCount   = 1;

            new_priv.Privileges[0].Luid = RtlConvertUlongToLuid(priv_num);
            new_priv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

            status = ZwAdjustPrivilegesToken(_h_process_token, false, &new_priv, sizeof(new_priv), nullptr, nullptr);
            Assert(NT_SUCCESS(status));
        }
    }