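int _tmain(int argc, _TCHAR* argv[])
{
	/*
	 * Entry point: print the tool banner, enable SeDebugPrivilege for this
	 * process and walk every window station through EnumWindowStationProc
	 * (defined elsewhere in this file).
	 * The command line is not inspected in this block; the "-h for help"
	 * line refers to handling that is not part of it.
	 */
	PWTS_SESSION_INFO pSessionInfo = NULL;
	DWORD dwSessionInfo = 0;
	DWORD dwSessID = 0;

	(void)argc;
	(void)argv;

	/*
	 * The session list itself is never used below, so only confirm the
	 * call works and give the WTS-allocated buffer back (the original
	 * neither checked the result nor freed the buffer).
	 */
	if (WTSEnumerateSessions(WTS_CURRENT_SERVER_HANDLE, 0, 1, &pSessionInfo, &dwSessionInfo)) {
		WTSFreeMemory(pSessionInfo);
		pSessionInfo = NULL;
	} else {
		fprintf(stderr, "[!] WTSEnumerateSessions failed: %lu\n", GetLastError());
	}

	printf("[*] Windows DACL Enumeration Project - https://github.com/nccgroup/WindowsDACLEnumProject - WinStationsAndDesktopsPerms\n");
	printf("[*] NCC Group Plc - http://www.nccgroup.com/ \n");
	printf("[*] -h for help \n");

	/* This SetPrivilege variant takes a process handle; its result is not
	 * checked, so the enumeration runs with whatever rights we have. */
	SetPrivilege(GetCurrentProcess(), SE_DEBUG_NAME);

	/* DWORD is unsigned long on Windows: %lu, not %d. */
	if (ProcessIdToSessionId(GetCurrentProcessId(), &dwSessID)) {
		fprintf(stdout, "[i] Running in session %lu\n", dwSessID);
	} else {
		fprintf(stderr, "[!] ProcessIdToSessionId failed: %lu\n", GetLastError());
	}

	EnumWindowStations(&EnumWindowStationProc, NULL);

	return 0;
}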
/*
 * Open process dwPid with NEEDEDACCESS (query information, VM
 * read/write/operation and thread creation) and return the handle in
 * *phRemoteProc. If the first OpenProcess fails with ERROR_ACCESS_DENIED,
 * SeDebugPrivilege is enabled on this process's token and the open is
 * retried; the privilege is disabled again and the token closed before
 * returning.
 *
 * The _HandleError / _HandleError1 / _HandleLastError / _TeardownIfError
 * macros are defined elsewhere in this file; they presumably store the
 * error in rv and jump to the error: label — TODO confirm, the control
 * flow below depends on that.
 *
 * Returns EXIT_OK on success, otherwise an error code. On success the
 * caller owns *phRemoteProc and must CloseHandle it.
 */
RETVAL AdvancedOpenProcess(DWORD dwPid, HANDLE *phRemoteProc) {
    RETVAL rv, rv2;
    
    // Not parenthesised and never #undef'd: it stays visible for the rest
    // of the translation unit and is only safe as a bare call argument.
    #define NEEDEDACCESS    PROCESS_QUERY_INFORMATION | \
            PROCESS_VM_WRITE | PROCESS_VM_READ | PROCESS_VM_OPERATION | PROCESS_CREATE_THREAD
    
    // must be cleaned up
    HANDLE hThisProcToken = NULL;
    
    // initialize out params
    *phRemoteProc = NULL;
    bool bDebugPriv = false;   // set once SeDebugPrivilege was enabled, so teardown knows to disable it
    
    // get a process handle with the needed access
    *phRemoteProc = OpenProcess(NEEDEDACCESS, false, dwPid);
    if (NULL == *phRemoteProc) {
        rv = GetLastError();
        // Anything other than access denied cannot be fixed by privileges: report and bail.
        if (rv != ERROR_ACCESS_DENIED) {
            _HandleError(rv, __T("OpenProcess"));
        }
        _tprintf(__T("Access denied; retrying with increased privileges.\n"));
        
        // give ourselves god-like access over process handles
        // rv still holds ERROR_ACCESS_DENIED here; the macro presumably overwrites it with GetLastError().
        if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hThisProcToken)) {
            _HandleLastError(rv, __T("OpenProcessToken"));
        }
        
        rv = SetPrivilege(hThisProcToken, SE_DEBUG_NAME, true);
        if (rv != EXIT_OK) {
            _HandleError1(rv, __T("SetPrivilege"), SE_DEBUG_NAME);
        } else {
            bDebugPriv = true;
        }
        
        // get a process handle with the needed access
        // NOTE(review): access is checked at open time, so a handle obtained
        // here keeps its rights after the privilege is disabled in teardown.
        *phRemoteProc = OpenProcess(NEEDEDACCESS, false, dwPid);
        if (*phRemoteProc == NULL) {
            _HandleLastError(rv, __T("OpenProcess"));
        }
    }
    
    // success
    rv = EXIT_OK;
    
error:
    // Only meaningful when the first open was denied and the privilege never got enabled.
    if (rv == ERROR_ACCESS_DENIED && bDebugPriv == false) {
        _tprintf(__T("You need administrative access (debug privilege) to access this process.\n"));
    }
    // Drop the privilege again; rv2 carries the teardown error without clobbering rv.
    if (bDebugPriv == true) {
        rv2 = SetPrivilege(hThisProcToken, SE_DEBUG_NAME, false);
        _TeardownIfError(rv, rv2, __T("SetPrivilege"));
    }
    if (hThisProcToken != NULL) {
        if (!CloseHandle(hThisProcToken)) {
            rv2 = GetLastError();
            _TeardownIfError(rv, rv2, __T("CloseHandle"));
        }
    }
    return rv;
}
void SetACLPrivileges()
{
  /* One-shot initialisation: enable SeSecurityPrivilege (recording
   * success in the file-level ReadSacl flag) and SeRestorePrivilege for
   * this process. Every call after the first is a no-op. */
  static bool InitDone=false;
  if (!InitDone)
  {
    bool haveSecurity = SetPrivilege(SE_SECURITY_NAME);
    if (haveSecurity)
      ReadSacl=true;

    /* Best effort: the restore privilege result is deliberately ignored. */
    SetPrivilege(SE_RESTORE_NAME);

    InitDone=true;
  }
}
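/*
 * Set the owner (ChangeMode_Owner) or primary group (ChangeMode_Group) of
 * `path` to the trustee popped from the NSIS stack, enabling
 * SeRestorePrivilege around the SetNamedSecurityInfo call.
 *
 * The ABORT* macros are defined elsewhere in this file and are assumed to
 * report the message and jump to cleanup:, so everything released there
 * must be valid-or-NULL on every path (the original could reach cleanup
 * with hToken uninitialised, and never checked the LocalAlloc result).
 */
static void ChangeOwner(const SchemeType * scheme, TCHAR * path, ChangeMode mode)
{
  TCHAR * param = (TCHAR *)LocalAlloc(LPTR, g_string_size*sizeof(TCHAR));
  SECURITY_INFORMATION what = 0;
  PSID pSidOwner = NULL;
  PSID pSidGroup = NULL;
  PSID pSid = NULL;   /* from ParseSid; its ownership is not visible here, left as in the original */

  DWORD ret = 0;

  HANDLE hToken = NULL;   /* NULL until opened, so cleanup can test it */

  if (NULL == param)
    ABORT("Out of memory");

  if (popstring(param))
    ABORT("Trustee is missing");

  if (NULL == (pSid = ParseSid(param)))
    ABORT_s("Bad trustee (%s)", param);

  switch(mode)
  {
  case ChangeMode_Owner:
    what = OWNER_SECURITY_INFORMATION;
    pSidOwner = pSid;
    break;

  case ChangeMode_Group:
    what = GROUP_SECURITY_INFORMATION;
    pSidGroup = pSid;
    break;

  default:
    ABORT_d("Bug: Unsupported change mode: %d", mode);
  }

  if (!OpenProcessToken(GetCurrentProcess(),
    TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
    ABORT_d("Cannot open process token. Error code: %d", GetLastError());

  /* Needed to assign an owner that is not the caller itself. */
  if (!SetPrivilege(hToken, SE_RESTORE_NAME, TRUE))
    ABORT("Unable to give SE_RESTORE_NAME privilege.");
  ret = SetNamedSecurityInfo(path, scheme->type, 
          what, pSidOwner, pSidGroup, NULL, NULL);
  if (ret != ERROR_SUCCESS)
    ABORT_d("Cannot apply new ownership. Error code: %d", ret);

cleanup:
  if (hToken != NULL)
  {
    /* Drop the privilege again; harmless if enabling it failed. */
    SetPrivilege(hToken, SE_RESTORE_NAME, FALSE);
    CloseHandle(hToken);
  }
  LocalFree(param);   /* LocalFree(NULL) is a no-op */
}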
static RBOOL
	Get_Privilege
	(
		RPNCHAR privName
	)
{
	/* Enable privName on the current process token.
	 * Returns TRUE only when the token could be opened and SetPrivilege
	 * succeeded; the token handle is closed whenever it was opened. */
	RBOOL isSuccess = FALSE;
	HANDLE hToken = NULL;
	HANDLE hProcess = GetCurrentProcess();

	if( NULL == hProcess )
	{
		return isSuccess;
	}

	if( !OpenProcessToken( hProcess, TOKEN_ADJUST_PRIVILEGES, &hToken ) )
	{
		return isSuccess;
	}

	isSuccess = SetPrivilege( hToken, privName, TRUE ) ? TRUE : FALSE;
	CloseHandle( hToken );

	return isSuccess;
}
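/**
 * For each privilege that is specified, an attempt will be made to 
 * drop the privilege. Every entry is attempted even when an earlier one
 * fails; the return value reports whether all of them succeeded.
 * 
 * @param  token         The token to adjust the privilege on. 
 *         Pass nullptr for current token (opened here and closed before
 *         returning; a caller-supplied token is left open).
 * @param  unneededPrivs An array of unneeded privileges.
 * @param  count         The size of the array
 * @return TRUE if there were no errors
 */
BOOL
UACHelper::DisableUnneededPrivileges(HANDLE token, 
                                     LPCTSTR *unneededPrivs, 
                                     size_t count)
{
  HANDLE obtainedToken = nullptr;
  if (!token) {
    // Note: This handle is a pseudo-handle and need not be closed
    HANDLE process = GetCurrentProcess();
    // Only the rights AdjustTokenPrivileges needs; the original asked for
    // TOKEN_ALL_ACCESS_P, far more than dropping privileges requires.
    if (!OpenProcessToken(process, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,
                          &obtainedToken)) {
      LOG_WARN(("Could not obtain token for current process, no "
                "privileges changed. (%d)", GetLastError()));
      return FALSE;
    }
    token = obtainedToken;
  }

  BOOL result = TRUE;
  for (size_t i = 0; i < count; i++) {
    if (SetPrivilege(token, unneededPrivs[i], FALSE)) {
      LOG(("Disabled unneeded token privilege: %s.",
           unneededPrivs[i]));
    } else {
      // NOTE(review): %s with an LPCTSTR is only right in a non-UNICODE
      // build; confirm LOG's expectations if this is compiled with UNICODE.
      LOG(("Could not disable token privilege value: %s. (%d)",
           unneededPrivs[i], GetLastError()));
      result = FALSE;
    }
  }

  if (obtainedToken) {
    CloseHandle(obtainedToken);
  }
  return result;
}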
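//***********************************************************************************
// Name: SetProcessPrivilege
//
// Routine Description:
//
//   Enables or disables a named privilege on the current process's access
//   token: opens the token with TOKEN_ADJUST_PRIVILEGES, delegates to
//   SetPrivilege, and closes the token again.
//
// Return Value:
//
//     TRUE if the token was opened and SetPrivilege succeeded; FALSE if
//     OpenProcessToken failed or SetPrivilege reported failure. The
//     last-error value of the failing call is preserved for the caller.
//     (The previous header described a console control handler and did
//     not apply to this routine.)
//
// Parameters:
//
// PrivilegeName - A pointer to a null-terminated string that specifies the name
//                 of the privilege (e.g. SE_DEBUG_NAME)
// bSet - TRUE to enable the privilege, FALSE to disable it
//
//***********************************************************************************
BOOL
SetProcessPrivilege(
    IN LPCTSTR PrivilegeName,
    IN BOOL bSet
)
{
    HANDLE hToken = NULL;
    BOOL fbResult;
    DWORD dwLastError;

    //
    // Open process access token
    //
    fbResult =
        OpenProcessToken(
            GetCurrentProcess(),
            TOKEN_ADJUST_PRIVILEGES,
            &hToken
        );

    if( fbResult ) {
        //
        // set token privilege
        //
        fbResult =
            SetPrivilege(
                hToken,
                PrivilegeName,
                bSet
            );
        //
        // CloseHandle can overwrite the last error; keep SetPrivilege's
        // so GetLastError() is meaningful to the caller on failure.
        //
        dwLastError = GetLastError();
        CloseHandle( hToken);
        SetLastError( dwLastError );
    }
    return fbResult;
}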
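/*
 * Disable SeDebugPrivilege on the calling thread's token.
 * Returns 1 on success, 0 on any failure.
 *
 * If the thread has no impersonation token, one is created with
 * ImpersonateSelf(); as in the original, the thread stays impersonating
 * on return (no RevertToSelf here). Only the thread token is adjusted:
 * the process token is untouched.
 */
int UnsetSeDebug()
{
    HANDLE hToken = NULL;   /* NULL until a token is actually opened */
    int ok = 0;

    if(! OpenThreadToken(GetCurrentThread(),
                        TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,
                        FALSE,
                        &hToken)
                        ){
        if(GetLastError() != ERROR_NO_TOKEN){
            /* Any other failure leaves us without a token; the original
             * fell through here and used an uninitialised handle. */
            return 0;
        }
        if(! ImpersonateSelf(SecurityImpersonation)){
            //Log2File("Error setting impersonation! [UnsetSeDebug()]", L_DEBUG);
            return 0;
        }

        if(!OpenThreadToken(GetCurrentThread(),
                            TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,
                            FALSE,
                            &hToken)
                            ){
            //Log2File("Error Opening Thread Token! [UnsetSeDebug()]", L_DEBUG);
            return 0;
        }
    }

    //now disable SeDebug
    if(SetPrivilege(hToken, SE_DEBUG_NAME, FALSE)){
        ok = 1;
    } else {
        //Log2File("Error unsetting SeDebug Privilege [SetPrivilege()]", L_WARN);
    }

    CloseHandle(hToken);   /* closed on both outcomes; the original leaked it on failure */
    return ok;
}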
/*
 * Entry point of the HideProc controller: loads the helper DLL named on
 * the command line, passes it the process name to hide via its SetProcName
 * export, then calls InjectAllProcess (defined elsewhere) to inject or
 * eject that DLL in every process.
 *
 * Usage: HideProc.exe <-hide|-show> <process name> <dll path>
 * Returns 1 on a usage error, otherwise 0 regardless of whether anything
 * succeeded.
 */
int _tmain(int argc, TCHAR* argv[])
{
    int                     nMode = INJECTION_MODE;
    HMODULE                 hLib = NULL;
    PFN_SetProcName         SetProcName = NULL;   // project typedef; presumably takes the TCHAR* name — confirm

	if( argc != 4 )
	{
		printf("\n Usage  : HideProc.exe <-hide|-show> "\
               "<process name> <dll path>\n\n");
		return 1;
	}

	// change privilege
    // Two-argument SetPrivilege variant (name, enable). The result is
    // ignored, so a failure to obtain SeDebugPrivilege only shows up when
    // the later injections fail.
    SetPrivilege(SE_DEBUG_NAME, TRUE);

    // load library
    // No NULL check: with a bad path, GetProcAddress below returns NULL
    // and the call through SetProcName dereferences it.
    hLib = LoadLibrary(argv[3]);

    // set process name to hide
    SetProcName = (PFN_SetProcName)GetProcAddress(hLib, "SetProcName");
    SetProcName(argv[2]);   // unchecked: NULL if the export is missing

    // Inject(Eject) Dll to all process
    // NOTE(review): L"-show" is a wide literal while argv is TCHAR*; this
    // only matches in a UNICODE build.
    if( !_tcsicmp(argv[1], L"-show") )
	    nMode = EJECTION_MODE;

    InjectAllProcess(nMode, argv[3]);

    // free library
    FreeLibrary(hLib);

	return 0;
}
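BOOL XAccessControl::EnableSecurityPriv()
{
	/* Enable SeSecurityPrivilege (needed to read and write SACLs) on the
	 * current process token.
	 * Returns TRUE on success, FALSE if the token could not be opened or
	 * the privilege could not be enabled. */
	HANDLE hTokenSelf = NULL;
	BOOL bRet = FALSE;

	// Adjusting privileges needs only these rights, not TOKEN_ALL_ACCESS.
	if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hTokenSelf))
	{
		// The original went on to call SetPrivilege with a NULL token here.
		return FALSE;
	}

	bRet = SetPrivilege(hTokenSelf, SE_SECURITY_NAME, TRUE) ? TRUE : FALSE;

	CloseHandle(hTokenSelf);
	return bRet;
}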
/*
 * Sets the owner of `path` to the SID returned by GetAliasAdministratorsSID
 * (presumably the local Administrators group). Before doing so it launches
 * two external programs — a hard-coded batch file from one developer's
 * desktop and a cmd/cacls command on vga.sys — and sleeps 3 s; neither
 * result is checked and neither touches `path`. This reads as leftover
 * experiment code; see the notes inline.
 * Nothing is returned, so the caller cannot tell whether anything worked.
 */
void ConnectionLimit::UnlockFile(CString path)
{
	//TakeOwnership(path);
	TCHAR          wszDN[512];
    DWORD          cchDN = 512;

	GetUserName(wszDN, &cchDN);   // result unused: wszDN is never read
	//return;
	SHELLEXECUTEINFO seInfo;
	ZeroMemory(&seInfo, sizeof(SHELLEXECUTEINFO));
	
	seInfo.cbSize=sizeof(SHELLEXECUTEINFO);
	seInfo.nShow = SW_HIDE;
	seInfo.lpVerb = _T("open");
	// Machine-specific absolute path: fails on any other machine, and the
	// ShellExecuteEx result is not checked.
	seInfo.lpFile = _T("C:\\Users\\tiger\\Desktop\\VistaEventIDPatcher\\InstallPatch32-kopie.bat");
	//fileStr.Format(_T("/s %s"),dllName);
//	seInfo.lpParameters = "/U administrator /f c:\\windows\\System32\\drivers\\wanarp.sys";
	seInfo.lpParameters = _T("");
	ShellExecuteEx(&seInfo);
	int ret = GetLastError();   // captured but never used
	

	ZeroMemory(&seInfo, sizeof(SHELLEXECUTEINFO));
	seInfo.cbSize=sizeof(SHELLEXECUTEINFO);
	seInfo.nShow = SW_HIDE;
	seInfo.lpFile = _T("cmd");   // resolved through the search path, no full path
	//fileStr.Format(_T("/s %s"),dllName);
	// Handed to cmd as parameters without a /c or /k switch; the
	// %Systemroot% and %username% references are expanded, if at all, by
	// cmd rather than by this code. Result not checked.
	seInfo.lpParameters = _T("echo y | cacls %Systemroot%\\System32\\drivers\\vga.sys /g \"%username%\":f");
	ShellExecuteEx(&seInfo);
	Sleep(3000);   // arbitrary delay instead of waiting on the spawned process
	
	
	SECURITY_DESCRIPTOR SecurityDescriptor;
    PSID pEveryoneSid = NULL;   // unused
    PSID pAdminSid = NULL;
    BOOL bRet;

	// NULL token: this SetPrivilege variant presumably opens the process
	// token itself — confirm. retz is never examined, so a missing
	// SeTakeOwnershipPrivilege simply makes SetFileSecurity below fail.
	BOOL retz = SetPrivilege(NULL, _T("SeTakeOwnershipPrivilege"),TRUE);

    pAdminSid = GetAliasAdministratorsSID();
    if(!pAdminSid)
    {
        return;
    }
    
    InitializeSecurityDescriptor(&SecurityDescriptor, SECURITY_DESCRIPTOR_REVISION);

    // Only the owner is written; the file's DACL is left untouched.
    bRet = SetSecurityDescriptorOwner(&SecurityDescriptor,pAdminSid,FALSE);

    if(bRet) 
    {
		bRet = SetFileSecurity(path, OWNER_SECURITY_INFORMATION, &SecurityDescriptor);   // outcome not reported
    }

    if(pAdminSid) 
        FreeSid(pAdminSid);


}
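BOOL EnableSeDebug(void){
	/* Enable SeDebugPrivilege on the current process token and report the
	 * outcome on stdout. Returns TRUE on success, FALSE otherwise. */
	HANDLE hToken = NULL;
	BOOL rv = FALSE;
	if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) {
		// The original ignored this result and used an uninitialised handle on failure.
		rv = SetPrivilege(hToken,SE_DEBUG_NAME, TRUE) ? TRUE : FALSE;
		CloseHandle(hToken);
	}
	// Test for non-zero, not ==TRUE: a BOOL "true" need not be exactly 1.
	printf("SeDebug Enabled? %s\n", rv ? "true" : "false");
	return rv;
}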
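int main(int argc, char *argv[])
{
	/* GUI entry point: enable SeDebugPrivilege for this process (best
	 * effort), then run the IDD_DIALOG1 dialog with DlgProc until it
	 * closes. The command line is not used. */
	(void)argc;
	(void)argv;

	HANDLE htoken = NULL;
	// Only adjust/query rights are needed, not TOKEN_ALL_ACCESS; the
	// original also never checked whether the open succeeded.
	if (::OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &htoken))
	{
		SetPrivilege(htoken, SE_DEBUG_NAME, TRUE);   // failure tolerated: the dialog runs either way
		::CloseHandle(htoken);
	}

	// NOTE(review): InitCommonControlsEx takes a pointer to an
	// INITCOMMONCONTROLSEX; the NULL argument is kept from the original — confirm intent.
	::InitCommonControlsEx(NULL);
	// MAKEINTRESOURCEA matches the explicitly ANSI DialogBoxParamA.
	::DialogBoxParamA(GetModuleHandleA(0), MAKEINTRESOURCEA(IDD_DIALOG1), 0, DlgProc, 0);
	::ExitProcess(0);
}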
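BOOL GetSeDebugPrivilege(VOID)
{
	/* Enable SeDebugPrivilege on the current process token.
	 * Returns TRUE on success, FALSE otherwise. The token handle is closed
	 * on every path (the original leaked it). */
	HANDLE hToken = NULL;
	BOOL bOk;

	/* Only adjust/query rights are needed; TOKEN_ALL_ACCESS was excessive. */
	if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
	{
		return FALSE;
	}
	bOk = SetPrivilege(hToken, SE_DEBUG_NAME, TRUE) ? TRUE : FALSE;
	CloseHandle(hToken);
	return bOk;
}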
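unsigned long EnableDebugPrivilege(unsigned long fEnable)
{
	/* Enable (fEnable != 0) or disable every privilege named in the
	 * file-level g_SE[] table — the original iterates a fixed four entries —
	 * on the current process token.
	 * Returns TRUE when the token was opened and every SetPrivilege call
	 * succeeded, FALSE otherwise. (The original returned only the last
	 * entry's result, never checked OpenProcessToken, and re-opened the
	 * token once per entry.) */
	enum { NUM_DEBUG_PRIVS = 4 };   /* entries of g_SE consulted here */
	HANDLE hToken = NULL;
	unsigned long bRet = FALSE;
	int i = 0;

	if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
		return FALSE;

	bRet = TRUE;
	for (i = 0; i < NUM_DEBUG_PRIVS; i++)
	{
		/* Keep going on failure so the remaining entries are still adjusted. */
		if (!SetPrivilege(hToken, g_SE[i], fEnable))
			bRet = FALSE;
	}

	CloseHandle(hToken);
	return bRet;
}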
bool AdjustDebugPrivilege()
{
    /* Try to enable SeDebugPrivilege on this process's token.
     * Returns true only when the token opened and SetPrivilege returned
     * exactly TRUE; the token handle is closed whenever it was opened. */
    HANDLE hToken = NULL;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken))
    {
        return false;
    }

    const BOOL granted = SetPrivilege(hToken, SE_DEBUG_NAME, TRUE);
    CloseHandle(hToken);
    return granted == TRUE;
}
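BOOL SetSecurityPrivilage(BOOL bEnablePrivilege) {
	/* Enable (TRUE) or disable (FALSE) SeSecurityPrivilege on the current
	 * process token. Returns TRUE on success, FALSE on any failure, with a
	 * DebugOut line naming the failed step. The token handle is closed on
	 * every path (the original never closed it). */
	LPCTSTR lpszPrivilege = L"SeSecurityPrivilege";
	HANDLE hToken = NULL;
	BOOL bOk;
	// Open a handle to the access token for the calling process. That is this running program
	if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken)) {
		DebugOut("OpenProcessToken() error %u\n", GetLastError());
		return FALSE;
	}
	// Call the user defined SetPrivilege() function to enable and set the needed privilege
	bOk = SetPrivilege(hToken, lpszPrivilege, bEnablePrivilege) ? TRUE : FALSE;
	CloseHandle(hToken);
	if (!bOk) {
		DebugOut("Failed to adjust Privilege\n");
		return FALSE;
	}
	return TRUE;
}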
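BOOL AcquirePrivileges() {
    /* Enable SeDebugPrivilege on the current process token.
     * Returns TRUE on success, FALSE if the token could not be opened or
     * the privilege could not be enabled. The token handle is closed on
     * every path (the original leaked it on the success path). */
    HANDLE hCurrentProcToken = NULL;
    BOOL bOk = FALSE;

    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES, &hCurrentProcToken)) {
//        syslog(LOG_ERR, "OpenProcessToken Error %u", GetLastError());
        return FALSE;
    }

    if (!SetPrivilege(hCurrentProcToken, SE_DEBUG_NAME, TRUE)) {
//        syslog(LOG_ERR, "SetPrivleges SE_DEBUG_NAME Error %u", GetLastError());
    } else {
        bOk = TRUE;
    }

    CloseHandle(hCurrentProcToken);
    return bOk;
}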
/*
 * Entry point of the DLL injection/ejection utility.
 * Usage: <procname|pid|*> <-i|-e> <dll path>
 * Resolves the DLL path, checks that it exists, enables SeDebugPrivilege,
 * then calls InjectDllToAll or InjectDllToOne (defined elsewhere).
 * Returns 1 on usage, path or privilege errors and 0 otherwise — except
 * the missing-file case, which returns FALSE (0) and therefore looks like
 * success to the caller.
 */
int _tmain(int argc, TCHAR *argv[])
{
    #define BUFSIZE         (1024)   // function-local #define: stays defined for the rest of the file
    int     nMode           = INJECTION_MODE;
    TCHAR   szPath[BUFSIZE]   = L""; 
    
	if( (argc != 4) || 
        ( _tcsicmp(argv[2], L"-i") && _tcsicmp(argv[2], L"-e")) )
	{
	    _tprintf(L"\n %s (Ver 1.1.1) - Dll Injection/Ejection Utility!!!\n"\
                 L"   www.reversecore.com\n"\
                 L"   [email protected]\n"\
                 L"\n USAGE  : %s <procname|pid|*> <-i|-e> <dll path>\n\n", 
                 argv[0], argv[0]);
		return 1;
	}
    
    // Absolute path; presumably so it is valid outside this process's current directory.
    if( !GetFullPathName(argv[3], BUFSIZE, szPath, NULL) )    
    {
        _tprintf(L"GetFullPathName() failed! [%d]", GetLastError());   // %d for a DWORD; %lu would be correct
        return 1;
    }

    // check DLL Path
	if( _taccess(szPath, 0) == -1 )
    {
        _tprintf(L"There is no \"%s\" file!\n", szPath);
        return FALSE;   // inconsistent with the other error paths, which return 1
    }

	// change privilege
	// Two-argument SetPrivilege variant (name, enable); a failure here aborts the run.
	if( !SetPrivilege(SE_DEBUG_NAME, TRUE) )
        return 1;

    // Mode (Injection/Ejection)
    if( !_tcsicmp(argv[2], L"-e") )
        nMode = EJECTION_MODE;

    // Inject Dll
    // The results of both calls are ignored, so exit status 0 does not mean success.
    if( !_tcsicmp(argv[1], L"*") )
        InjectDllToAll(nMode, szPath);
    else
        InjectDllToOne(argv[1], nMode, szPath);

	return 0;
}
/*
 * Entry point: InjectDll.exe <PID> <dllpath>
 * Enables SeDebugPrivilege (two-argument SetPrivilege variant, result
 * ignored) before the argument count is even checked, then calls
 * InjectDll (defined elsewhere). Returns 1 on usage error or injection
 * failure, 0 on success.
 *
 * The message strings below are mis-encoded (a GBK source read as a
 * single-byte code page) and end in a literal "/n" rather than "\n".
 * They are runtime strings and are left exactly as found.
 */
int main(int argc, char *argv[])  
{  
    SetPrivilege(SE_DEBUG_NAME, TRUE);  
    // InjectDll.exe <PID> <dllpath>  
    if( argc != 3 )  
    {  
        printf("Ó÷¨ : %s <½ø³ÌPID> <dll·¾¶>/n", argv[0]);  
        return 1;  
    }  
    // atoi() does no validation: a non-numeric PID silently becomes 0.
    if( !InjectDll((DWORD)atoi(argv[1]), argv[2]) )  
    {  
        printf("InjectDllµ÷ÓÃʧ°Ü£¡/n");  
        return 1;  
    }  
    printf("InjectDllµ÷Óóɹ¦£¡/n");  
    return 0;  
}  
/*
 * Entry point: <pid> <dll_path>
 * Enables SeDebugPrivilege (two-argument SetPrivilege variant; failure
 * aborts with exit status 1), then calls InjectDll (defined elsewhere)
 * and prints whether it reported success. Returns 1 on usage or privilege
 * errors, 0 otherwise — including when InjectDll itself failed.
 */
int _tmain(int argc, TCHAR *argv[])
{
    if( argc != 3)
    {
        _tprintf(L"USAGE : %s <pid> <dll_path>\n", argv[0]);
        return 1;
    }

    // change privilege
    if( !SetPrivilege(SE_DEBUG_NAME, TRUE) )
        return 1;

    // inject dll
    // _tstol() does no validation: a non-numeric PID silently becomes 0.
    if( InjectDll((DWORD)_tstol(argv[1]), argv[2]) )
        _tprintf(L"InjectDll(\"%s\") success!!!\n", argv[2]);
    else
        _tprintf(L"InjectDll(\"%s\") failed!!!\n", argv[2]);

    return 0;   // failure above is not reflected in the exit status
}
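BOOL GetDebugPrivileges( void )
{
	/* Enable SeDebugPrivilege on the current process token.
	 * Returns TRUE on success; FALSE if the token could not be opened or
	 * the privilege could not be enabled. The token handle is closed
	 * whenever it was opened. (The original carried an unused `bOK`
	 * local and duplicated the CloseHandle call.) */
	HANDLE hToken = NULL;
	BOOL bOK = FALSE;

	if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
	{
		bOK = SetPrivilege(hToken, SE_DEBUG_NAME, TRUE) ? TRUE : FALSE;
		CloseHandle( hToken );
	}

	return bOK;
}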
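/*
 * Enable szPrivilege on the current process token.
 * Returns TRUE only if SetPrivilege succeeded; FALSE if the token could
 * not be opened or SetPrivilege failed for any reason. (The original
 * returned TRUE for SetPrivilege failures other than ERROR_NOT_ALL_ASSIGNED
 * and never closed the token handle.)
 */
BOOL EnablePrivForCurrentProcess(
    _In_ LPTSTR szPrivilege
    ) {
    BOOL bResult = FALSE;
    HANDLE hToken = 0;
    DWORD dwErr = 0;

    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken)) {
        LOG(Err, "Cannot open process token : <%u>", GetLastError());
        return FALSE;
    }

    bResult = SetPrivilege(hToken, szPrivilege, TRUE);
    if (!bResult) {
        /* Capture the error before LOG or CloseHandle can overwrite it. */
        dwErr = GetLastError();
        if (dwErr == ERROR_NOT_ALL_ASSIGNED) {
            LOG(Err, "Current process does not have the privilege <%s>", szPrivilege);
        } else {
            LOG(Err, "SetPrivilege(<%s>) failed : <%u>", szPrivilege, dwErr);
        }
    }

    CloseHandle(hToken);
    return bResult ? TRUE : FALSE;
}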
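// return the page minimum size, if the user has privileges to access
// large pages, otherwise 0 
static UINT adjustprivileges() {
	/* Enables SeLockMemoryPrivilege on the process token (required for
	 * large-page allocations) and, on success, returns the large-page
	 * minimum reported by kernel32!GetLargePageMinimum, which is resolved
	 * at run time so the binary still loads where the export is absent.
	 * Returns 0 if the privilege cannot be enabled or the export is missing. */
	HMODULE h = NULL;
	HANDLE accessToken = NULL;
	PGetLargePageMinimum m_GetLargePageMinimum = NULL;
	BOOL havePrivilege = FALSE;

	// Adjusting privileges needs only these rights, not TOKEN_ALL_ACCESS.
	if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &accessToken)) {
		CTRACE(("Lock Page Privilege was not set."));
		return 0;
	}
	havePrivilege = SetPrivilege(accessToken, "SeLockMemoryPrivilege", TRUE);
	CloseHandle(accessToken);   // the original never closed this handle
	if (!havePrivilege) {
		CTRACE(("Lock Page Privilege was not set."));
		return 0;
	}

	h = GetModuleHandleA("kernel32.dll");
	if (h != NULL) {
		m_GetLargePageMinimum = (PGetLargePageMinimum) GetProcAddress(h, "GetLargePageMinimum");
	}
	if (!m_GetLargePageMinimum) {
		CTRACE(("Cannot locate GetLargePageMinimum."));
		return 0;
	}
	return m_GetLargePageMinimum();
} //adjustprivileges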
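/*
 * Enable SeSystemtimePrivilege on the current process token and call
 * SetSystemTimeAdjustment(dwTimeAdjustment, disabled), where
 * dwTimeAdjustment is in 100 ns units and 0 means "disable periodic
 * adjustment" (bTimeAdjustmentDisabled = TRUE).
 *
 * Failure handling is fatal: every error path prints through
 * PrintErrorMessage and then exit(1)s the whole process, so the only
 * value ever returned is TRUE. The privilege is left enabled on return.
 */
BOOL CallSetSystemTimeAdjustment(DWORD dwTimeAdjustment) {
	HANDLE hToken = NULL;
	BOOL bTimeAdjustmentDisabled = FALSE;

	if (dwTimeAdjustment == 0)
		bTimeAdjustmentDisabled = TRUE;

	/* Get hToken */
	if (!OpenProcessToken(GetCurrentProcess(),
			TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) {
		PrintErrorMessage((__FILE__), "OpenProcessToken()", __LINE__);
		exit(1);
	}
	
	/* enable SE_SYSTEMTIME_NAME Privilege */
	if (!SetPrivilege(hToken, SE_SYSTEMTIME_NAME, TRUE)) {
	    CloseHandle(hToken);
		PrintErrorMessage((__FILE__), "SetPrivilege(hToken, SE_SYSTEMTIME_NAME, TRUE)", __LINE__);
		exit(1);
	}

	/* The privilege now lives in the process token; the handle is no longer needed. */
	CloseHandle(hToken);

	/* Call SetSystemTimeAdjustment() */
	printf("SetSystemTimeAdjustment() Calling...\n");
	if (!SetSystemTimeAdjustment(dwTimeAdjustment, bTimeAdjustmentDisabled)) {
		if (bTimeAdjustmentDisabled)
			PrintErrorMessage((__FILE__), "SetSystemTimeAdjustment(0, TRUE)", __LINE__);
		else
			PrintErrorMessage((__FILE__), "SetSystemTimeAdjustment(dwTimeAdjustment, FALSE)", __LINE__);
		exit(1);
	}

	/* DWORD is unsigned: %lu, not %ld (the original could print large values as negative). */
	printf("dwTimeAdjustment: %lu [100-nanosecond unit]\n", dwTimeAdjustment);
	printf("bTimeAdjustmentDisabled : %s \n", bTimeAdjustmentDisabled ? "True (Sync RTC see KB232488)" : "False (Ignore RTC)");
	return TRUE;
}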
/*
 * DllMain of the HideProc2 helper DLL. On process attach it patches
 * CreateProcessA/W and ZwQuerySystemInformation in the host process via
 * hook_by_code (defined elsewhere; presumably overwrites the function
 * prologue — confirm) and on detach restores them. The replacement
 * functions NewCreateProcess* / NewZwQuerySystemInformation are not in
 * this block, so what they filter is not visible here.
 *
 * Always returns TRUE: a failed hook is not detected.
 * NOTE(review): from a detection standpoint, in-process patches of ntdll
 * exports like this are found by comparing the in-memory export bytes
 * with the on-disk image.
 */
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
    char            szCurProc[MAX_PATH] = {0,};
    char            *p = NULL;

    // Do not install hooks when loaded into HideProc2.exe itself (the controller).
    GetModuleFileNameA(NULL, szCurProc, MAX_PATH);
    p = strrchr(szCurProc, '\\');
    if( (p != NULL) && !_stricmp(p+1, "HideProc2.exe") )
        return TRUE;

    // change privilege
    // Runs for every reason code, including DLL_THREAD_ATTACH/DETACH,
    // under the loader lock; the result is ignored.
    SetPrivilege(SE_DEBUG_NAME, TRUE);

    switch( fdwReason )
    {
        case DLL_PROCESS_ATTACH : 
            // hook
            // Calling into other modules from DllMain is constrained by the
            // loader lock; hook_by_code's return values are not checked.
            hook_by_code("kernel32.dll", "CreateProcessA", 
                         (PROC)NewCreateProcessA, g_pOrgCPA);
            hook_by_code("kernel32.dll", "CreateProcessW", 
                         (PROC)NewCreateProcessW, g_pOrgCPW);
            hook_by_code("ntdll.dll", "ZwQuerySystemInformation", 
                         (PROC)NewZwQuerySystemInformation, g_pOrgZwQSI);
            break;

        case DLL_PROCESS_DETACH :
            // unhook
            // Restores the original bytes saved in the g_pOrg* buffers on attach.
            unhook_by_code("kernel32.dll", "CreateProcessA", 
                           g_pOrgCPA);
            unhook_by_code("kernel32.dll", "CreateProcessW", 
                           g_pOrgCPW);
            unhook_by_code("ntdll.dll", "ZwQuerySystemInformation", 
                           g_pOrgZwQSI);
            break;
    }

    return TRUE;
}
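/**
 *
 *  Load SYSTEM hive to memory
 *  Returns TRUE or FALSE
 *
 *  Unloads any hive mounted by a previous call, enables SeRestorePrivilege
 *  (remembered in bRestore), checks that fname exists and mounts it as
 *  HKLM\$$_SYSTEM via RegLoadKey. dwError always describes this call:
 *  ERROR_PRIVILEGE_NOT_HELD when the privilege is unavailable, the
 *  GetLastError/RegLoadKey code on failure, ERROR_SUCCESS on success.
 *  (The original left dwError untouched on the privilege path, so a
 *  stale ERROR_SUCCESS could make it report TRUE without loading.)
 *
 */
BOOL SystemKey::Load (std::wstring fname) {
  UnLoad();
  dwError = ERROR_SUCCESS;   // fresh status for this call

  // RegLoadKey needs SeRestorePrivilege; enable it once and remember.
  if (!bRestore) {
    bRestore = SetPrivilege (L"SeRestorePrivilege", TRUE);
  }

  if (!bRestore) {
    dwError = ERROR_PRIVILEGE_NOT_HELD;
    return FALSE;
  }

  // The narrowing below truncates each wide character to a byte; it is only used for the trace line.
  dprintf("\nChecking %s", std::string(fname.begin(), fname.end()).c_str());
  DWORD dwAttr = GetFileAttributes (fname.c_str());
  if (dwAttr == INVALID_FILE_ATTRIBUTES) {
    dwError = GetLastError ();
    return FALSE;
  }

  // RegLoadKey returns a Win32 error code directly rather than via GetLastError.
  dwError = RegLoadKey (HKEY_LOCAL_MACHINE, L"$$_SYSTEM", fname.c_str());
  if (dwError == ERROR_SUCCESS) {
    regFile = L"$$_SYSTEM";
    bLoaded = TRUE;
  }
  return dwError == ERROR_SUCCESS;
}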
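int WINAPI wWinMain(
    _In_ HINSTANCE hInstance,
    _In_opt_ HINSTANCE hPrevInstance,
    _In_ LPWSTR lpCmdLine,
    _In_ int nShowCmd
    )
{
	/* Entry point: enable SeDebugPrivilege for this process (best effort),
	 * initialise COM, then run a CPipeServer on the pipe name given on the
	 * command line. Returns CPipeServer::Start()'s result, or 1 when no
	 * pipe name was supplied. */
	(void)hInstance;
	(void)hPrevInstance;
	(void)nShowCmd;

	HANDLE hToken = NULL;

	// The GetCurrentProcess() pseudo-handle is enough here; the original
	// opened a real handle to itself and never closed it, nor the token,
	// and never checked either call.
	if (OpenProcessToken( GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken ))
	{
		SetPrivilege( hToken, SE_DEBUG_NAME, TRUE );   // failure tolerated: the server runs either way
		CloseHandle( hToken );
	}
	CoInitialize(NULL);

	MSG m;
	PeekMessage(&m, (HWND)-1, 0,0,PM_REMOVE); //this will tell windows that the app hasn't crashed

	if ((lpCmdLine) && (wcslen(lpCmdLine)))
	{
		CPipeServer *pw = new CPipeServer(lpCmdLine);
		int r = pw->Start();
		delete pw;
		return r;
	}

	MessageBoxA(0, "No pipename provided","dotNET Data Collector", MB_ICONERROR);
	return 1;
}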
/*
 * Test harness: enables SeDebugPrivilege, opens the process with the
 * hard-coded PID 5356, writes 0xDEADBEEF at the hard-coded address
 * 0x001E0000 and reads it back (WriteDword/ReadDword are defined
 * elsewhere). Every failure is printed but not acted on, so a NULL token
 * or NULL process handle is passed straight on to the next call.
 */
int main()
{
    HANDLE hProc = GetCurrentProcess();

    HANDLE hToken = NULL;
    if (!OpenProcessToken(hProc, TOKEN_ADJUST_PRIVILEGES, &hToken))
        printf("Failed to open access token\n");   // continues with hToken == NULL

    if (!SetPrivilege(hToken, SE_DEBUG_NAME, TRUE))
        printf("Failed to set debug privilege\n");
    // hToken is never closed.

    DWORD pid = 5356;   // hard-coded target PID
    // PROCESS_ALL_ACCESS is far more than the single read/write below needs.
    HANDLE hTargetProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
    if (!hTargetProc)
        printf("Failed to open process: %u\n", GetLastError());   // continues with a NULL handle

    DWORD_PTR address = 0x001E0000;   // hard-coded; assumed mapped and writable in the target — not verified
    WriteDword(hTargetProc, address, 0xDEADBEEF);
    // NOTE(review): %llx expects unsigned long long; DWORD_PTR is only that wide in 64-bit builds.
    printf("Result of reading dword at 0x%llx address = 0x%x\n", address, ReadDword(hTargetProc, address));

    CloseHandle(hTargetProc);
    return 0;
}
/*
 * DllMain that patches CreateProcessA/W in the host process on attach via
 * hook_by_hotpatch (defined elsewhere; the name suggests it uses the
 * hot-patch padding in front of the function — confirm) and restores
 * them on detach. The replacement functions NewCreateProcessA/W are not
 * in this block.
 *
 * Always returns TRUE: a failed hook is not detected.
 * NOTE(review): for detection, such patches show up as modified bytes at
 * or just before the export entry when compared with the on-disk image.
 */
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
    // change privilege
    // Runs for every reason code, including DLL_THREAD_ATTACH/DETACH,
    // under the loader lock; the result is ignored.
    SetPrivilege(SE_DEBUG_NAME, TRUE);

    switch( fdwReason )
    {
        case DLL_PROCESS_ATTACH : 
            // hook
            // Calling into other modules from DllMain is constrained by the
            // loader lock; hook_by_hotpatch's return values are not checked.
            hook_by_hotpatch("kernel32.dll", "CreateProcessA", 
                             (PROC)NewCreateProcessA);
            hook_by_hotpatch("kernel32.dll", "CreateProcessW", 
                             (PROC)NewCreateProcessW);
            break;

        case DLL_PROCESS_DETACH :
            // unhook
            unhook_by_hotpatch("kernel32.dll", "CreateProcessA");
            unhook_by_hotpatch("kernel32.dll", "CreateProcessW");
            break;
    }

    return TRUE;
}