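/// Enables or disables a single privilege on the calling process's primary token.
///
/// @param is_enable  true sets SE_PRIVILEGE_ENABLED on the privilege, false clears its attributes.
/// @param privilege  Well-known privilege number; converted to a LUID with RtlConvertUlongToLuid.
/// @return The NTSTATUS of the token open if it failed, otherwise the NTSTATUS of
///         ZwAdjustPrivilegesToken. Note that STATUS_NOT_ALL_ASSIGNED (returned when the
///         token does not hold the privilege at all) satisfies NT_SUCCESS; callers that need
///         the privilege to really be present should compare against STATUS_SUCCESS.
inline NTSTATUS AdjustPrivilege(bool is_enable, ULONG privilege) {
  // Least privilege on our own handle: the adjust call only needs TOKEN_ADJUST_PRIVILEGES
  // (no PreviousState buffer is requested, so TOKEN_QUERY is not needed either).
  // The previous TOKEN_ALL_ACCESS request granted far more than this function uses.
  HANDLE h_process_token = {};
  const auto status = ZwOpenProcessTokenEx(ZwCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, OBJ_KERNEL_HANDLE, &h_process_token);
  if (!NT_SUCCESS(status)) {
    return status;
  }
  DEFER(ZwClose(h_process_token));  // released on every return path below

  TOKEN_PRIVILEGES new_privs = {};
  new_privs.PrivilegeCount = 1;
  new_privs.Privileges[0].Luid = RtlConvertUlongToLuid(privilege);
  new_privs.Privileges[0].Attributes = is_enable ? SE_PRIVILEGE_ENABLED : 0;
  // DisableAllPrivileges = FALSE: only the single entry in new_privs is touched.
  return ZwAdjustPrivilegesToken(h_process_token, FALSE, &new_privs, sizeof(new_privs), nullptr, nullptr);
}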
/*
 * Driver command handler: resolves a source process (default: the System process,
 * PsInitialSystemProcess) and optionally a target process from the caller-supplied
 * MIMIDRV_PROCESS_TOKEN_FROM_TO structure, opens the source process's primary token,
 * writes a "Token from <pid>/<image>" line to outBuffer, and then delegates to
 * kkll_m_process_token_toProcess (target given) or to a process enumeration driven by
 * kkll_m_process_systoken_callback (no target). What the callees do with the token
 * handle is not visible here.
 *
 * szBufferIn / bufferIn : caller input; bufferIn is only interpreted when it is non-NULL
 *                         and szBufferIn is exactly sizeof(MIMIDRV_PROCESS_TOKEN_FROM_TO).
 *                         Any other size leaves the defaults (source = System, no target).
 * outBuffer             : kprintf destination for the status line.
 * Returns the first failing NTSTATUS, or the status of the delegated call.
 *
 * Cleanup invariants: hFromProcessToken / hFromProcess are only closed on the paths where
 * their open succeeded; the looked-up EPROCESS references are released at the end, and
 * PsInitialSystemProcess is deliberately never dereferenced because it was not acquired
 * through PsLookupProcessByProcessId.
 */
NTSTATUS kkll_m_process_token(SIZE_T szBufferIn, PVOID bufferIn, PKIWI_BUFFER outBuffer)
{
	NTSTATUS status = STATUS_SUCCESS;
	PMIMIDRV_PROCESS_TOKEN_FROM_TO pTokenFromTo = (PMIMIDRV_PROCESS_TOKEN_FROM_TO) bufferIn;
	ULONG fromProcessId, toProcessId; /* unused in this function */
	HANDLE hFromProcess, hFromProcessToken; /* assigned only on successful open; see cleanup below */
	PEPROCESS pFromProcess = PsInitialSystemProcess, pToProcess = NULL;

	/* Exact-size check: the input is trusted only if it is precisely one FROM_TO structure. */
	if(pTokenFromTo && (szBufferIn == sizeof(MIMIDRV_PROCESS_TOKEN_FROM_TO)))
	{
		/* fromProcessId == 0 keeps the System process as the source. */
		if(pTokenFromTo->fromProcessId)
			status = PsLookupProcessByProcessId((HANDLE) pTokenFromTo->fromProcessId, &pFromProcess);
		/* toProcessId == 0 means "no target": enumeration path instead. */
		if(NT_SUCCESS(status) && pTokenFromTo->toProcessId)
			status = PsLookupProcessByProcessId((HANDLE) pTokenFromTo->toProcessId, &pToProcess);
	}

	if(NT_SUCCESS(status))
	{
		/* Kernel handle to the source process; DesiredAccess 0 and KernelMode access mode. */
		status = ObOpenObjectByPointer(pFromProcess, OBJ_KERNEL_HANDLE, NULL, 0, *PsProcessType, KernelMode, &hFromProcess);
		if(NT_SUCCESS(status))
		{
			/* NOTE(review): the token is opened with DesiredAccess 0; this presumably relies on
			 * the callees referencing the handle with KernelMode access checks -- confirm
			 * against kkll_m_process_token_toProcess / kkll_m_process_systoken_callback. */
			status = ZwOpenProcessTokenEx(hFromProcess, 0, OBJ_KERNEL_HANDLE, &hFromProcessToken);
			if(NT_SUCCESS(status))
			{
				status = kprintf(outBuffer, L"Token from %u/%-14S\n", PsGetProcessId(pFromProcess), PsGetProcessImageFileName(pFromProcess));
				if(NT_SUCCESS(status))
				{
					if(pToProcess)
						status = kkll_m_process_token_toProcess(szBufferIn, bufferIn, outBuffer, hFromProcessToken, pToProcess);
					else
						status = kkll_m_process_enum(szBufferIn, bufferIn, outBuffer, kkll_m_process_systoken_callback, hFromProcessToken);
				}
				ZwClose(hFromProcessToken);
			}
			ZwClose(hFromProcess);
		}
	}
	/* Release lookup references; pFromProcess may be NULL if the lookup failed. */
	if(pToProcess)
		ObDereferenceObject(pToProcess);
	if(pFromProcess && (pFromProcess != PsInitialSystemProcess))
		ObDereferenceObject(pFromProcess);
	return status;
}
/// Opens the calling process's primary token, snapshots and clears its privilege state
/// into _previous_state, then enables every well-known privilege one at a time.
/// Every step is checked with Assert. NT_SUCCESS also accepts STATUS_NOT_ALL_ASSIGNED,
/// so a privilege the token does not hold is skipped silently rather than asserted on.
/// _previous_state is presumably consumed by the destructor to restore the token -- that
/// code is not visible here.
NtMaxPrivilege_() : _h_process_token(), _previous_state() {
  NTSTATUS rc = ZwOpenProcessTokenEx(ZwCurrentProcess(), TOKEN_ALL_ACCESS, OBJ_KERNEL_HANDLE, &_h_process_token);
  Assert(NT_SUCCESS(rc) && _h_process_token);

  // DisableAllPrivileges = true with a PreviousState buffer: clears everything and
  // records what was set beforehand. The returned length is not needed.
  _previous_state = MakeBuffer(4096);
  auto saved = Cast<PTOKEN_PRIVILEGES>(_previous_state);
  rc = ZwAdjustPrivilegesToken(_h_process_token, true, nullptr, _previous_state.capacity(), saved, Unused<PULONG>());
  Assert(NT_SUCCESS(rc));

  // One adjust call per well-known privilege; only the LUID changes between calls.
  TOKEN_PRIVILEGES single = {};
  single.PrivilegeCount = 1;
  single.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
  ULONG priv_num = SE_MIN_WELL_KNOWN_PRIVILEGE;
  while (priv_num <= SE_MAX_WELL_KNOWN_PRIVILEGE) {
    single.Privileges[0].Luid = RtlConvertUlongToLuid(priv_num);
    rc = ZwAdjustPrivilegesToken(_h_process_token, false, &single, sizeof(single), nullptr, nullptr);
    Assert(NT_SUCCESS(rc));
    ++priv_num;
  }
}