int main(void) { // GetCurrentProcess cannot fail HANDLE hProcess = GetCurrentProcess(); if (OpenProcessToken(hProcess, TOKEN_READ, &hProcess)) { LUID seCreateSymbolicLinkPrivilege; if (LookupPrivilegeValue(NULL, SE_CREATE_SYMBOLIC_LINK_NAME, &seCreateSymbolicLinkPrivilege)) { DWORD length; printf("SeCreateSymbolicLinkPrivilege = %ld, %ld\n", seCreateSymbolicLinkPrivilege.HighPart, seCreateSymbolicLinkPrivilege.LowPart); if (!GetTokenInformation(hProcess, TokenPrivileges, NULL, 0, &length)) { if (GetLastError() == ERROR_INSUFFICIENT_BUFFER) { TOKEN_PRIVILEGES* privileges = (TOKEN_PRIVILEGES*)malloc(length); if (GetTokenInformation(hProcess, TokenPrivileges, privileges, length, &length)) { BOOL found = FALSE; DWORD count = privileges->PrivilegeCount; printf("User has %ld privileges\n", count); if (count > 0) { LUID_AND_ATTRIBUTES* privs = privileges->Privileges; while (count-- > 0 && !luid_eq(privs->Luid, seCreateSymbolicLinkPrivilege)) privs++; found = (count > 0); } printf("User does%s have the SeCreateSymbolicLinkPrivilege\n", (found ? "" : "n't")); } else { fprintf(stderr, "Second GetTokenInformation failed\n"); } free(privileges); } else { fprintf(stderr, "First GetTokenInformation failed\n"); } } else { fprintf(stderr, "Impossible output from GetTokenInformation\n"); } } else { fprintf(stderr, "LookupPrivilegeValue failed\n"); } CloseHandle(hProcess); } else { fprintf(stderr, "OpenProcessToken failed\n"); } LSA_HANDLE hPolicy; NTSTATUS r; LSA_OBJECT_ATTRIBUTES attributes = {0, NULL, NULL, 0, NULL, NULL}; attributes.Length = sizeof(attributes); LUID seCreateSymbolicLinkPrivilege; if (LookupPrivilegeValue(NULL, SE_CREATE_SYMBOLIC_LINK_NAME, &seCreateSymbolicLinkPrivilege)) { // POLICY_LOOKUP_NAMES: LsaLookupNames2, LsaEnumerateAccountRights, LsaLookupSids, LsaAddAccountRights // POLICY_VIEW_LOCAL_INFORMATION: LsaEnumerateAccountsWithUserRight // Elevation: LsaEnumerateAccountRights, LsaEnumerateAccountsWithUserRight, LsaRemoveAccountRights, LsaAddAccountRights if (NT_SUCCESS(r = LsaOpenPolicy(NULL, &attributes, POLICY_LOOKUP_NAMES | POLICY_VIEW_LOCAL_INFORMATION, &hPolicy))) { LSA_REFERENCED_DOMAIN_LIST* referencedDomains; LSA_TRANSLATED_SID2* sids; LSA_UNICODE_STRING name; name.Buffer = L"Users"; name.Length = wcslen(name.Buffer) * sizeof(WCHAR); name.MaximumLength = name.Length + sizeof(WCHAR); if (NT_SUCCESS(r = LsaLookupNames2(hPolicy, LSA_LOOKUP_ISOLATED_AS_LOCAL, 1, &name, &referencedDomains, &sids))) { LSA_UNICODE_STRING* rights; ULONG count; LsaFreeMemory(referencedDomains); if (NT_SUCCESS(r = LsaEnumerateAccountRights(hPolicy, sids->Sid, &rights, &count))) { LSA_UNICODE_STRING* right = rights; printf("%ld right%s found\n", count, PLURAL(count)); while (count-- > 0) { printf(" %.*S\n", right->Length / 2, right->Buffer); right++; } LsaFreeMemory(rights); LSA_ENUMERATION_INFORMATION* allSidsRaw; LSA_UNICODE_STRING lsaCreateSymbolicLinkPrivilege; lsaCreateSymbolicLinkPrivilege.Buffer = SE_CREATE_SYMBOLIC_LINK_NAME; lsaCreateSymbolicLinkPrivilege.Length = wcslen(lsaCreateSymbolicLinkPrivilege.Buffer) * sizeof(WCHAR); lsaCreateSymbolicLinkPrivilege.MaximumLength = lsaCreateSymbolicLinkPrivilege.Length + sizeof(WCHAR); if (NT_SUCCESS(r = LsaEnumerateAccountsWithUserRight(hPolicy, &lsaCreateSymbolicLinkPrivilege, (void**)&allSidsRaw, &count))) { LSA_ENUMERATION_INFORMATION* sid = allSidsRaw; PSID* allSids; PSID* p; PLSA_TRANSLATED_NAME names; ULONG i = count; printf("%ld SID%s found\n", count, PLURAL(count)); p = allSids = (PSID*)malloc(count * sizeof(PSID)); while (i-- > 0) *p++ = (sid++)->Sid; if (NT_SUCCESS(r = LsaLookupSids(hPolicy, count, allSids, &referencedDomains, &names))) { PLSA_TRANSLATED_NAME name = names; BOOL usersAssigned = FALSE; LsaFreeMemory(referencedDomains); while (count-- > 0) { LPTSTR sidString; USHORT len = name->Name.Length / 2; ConvertSidToStringSid(*allSids++, &sidString); printf(" %.*S (%S)\n", len, name->Name.Buffer, sidString); usersAssigned |= (len > 4 && !wcsncmp(L"Users", name->Name.Buffer, len)); name++; LocalFree(sidString); } printf("Users had%s got SeCreateSymbolicLinkPrivilege\n", (usersAssigned ? "" : "n't")); if (usersAssigned) { if (!NT_SUCCESS(r = LsaRemoveAccountRights(hPolicy, sids->Sid, FALSE, &lsaCreateSymbolicLinkPrivilege, 1))) { fprintf(stderr, "Lsa failed with code %x\n", r); } } else { if (!NT_SUCCESS(r = LsaAddAccountRights(hPolicy, sids->Sid, &lsaCreateSymbolicLinkPrivilege, 1))) { fprintf(stderr, "LsaAddAccountRights failed with code %x\n", r); } } LsaFreeMemory(names); } else { fprintf(stderr, "LsaLookupSids2 failed with code %x\n", r); } LsaFreeMemory(allSidsRaw); free(allSids); } else { fprintf(stderr, "LsaEnumerateAccountsWithUserRight failed with code %x\n", r); } } else { fprintf(stderr, "LsaEnumerateAccountRights failed with code %x\n", r); } LsaFreeMemory(sids); } else { fprintf(stderr, "LsaLookupNames2 failed with code %x\n", r); } LsaClose(hPolicy); } else { fprintf(stderr, "LsaOpenPolicy failed with code %x\n", r); } } else { fprintf(stderr, "LookupPrivilegeValue failed\n"); } }
int yr_process_get_memory( int pid, YR_MEMORY_BLOCK** first_block) { PVOID address; SIZE_T read; unsigned char* data; int result = ERROR_SUCCESS; SYSTEM_INFO si; MEMORY_BASIC_INFORMATION mbi; YR_MEMORY_BLOCK* new_block; YR_MEMORY_BLOCK* current_block = NULL; TOKEN_PRIVILEGES tokenPriv; LUID luidDebug; HANDLE hProcess = NULL; HANDLE hToken = NULL; if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken) && LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luidDebug)) { tokenPriv.PrivilegeCount = 1; tokenPriv.Privileges[0].Luid = luidDebug; tokenPriv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; AdjustTokenPrivileges( hToken, FALSE, &tokenPriv, sizeof(tokenPriv), NULL, NULL); } hProcess = OpenProcess( PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, FALSE, pid); *first_block = NULL; if (hProcess == NULL) { if (hToken != NULL) CloseHandle(hToken); return ERROR_COULD_NOT_ATTACH_TO_PROCESS; } GetSystemInfo(&si); address = si.lpMinimumApplicationAddress; while (address < si.lpMaximumApplicationAddress && VirtualQueryEx(hProcess, address, &mbi, sizeof(mbi)) != 0) { if (mbi.State == MEM_COMMIT && ((mbi.Protect & PAGE_NOACCESS) == 0)) { data = (unsigned char*) yr_malloc(mbi.RegionSize); if (data == NULL) { result = ERROR_INSUFICIENT_MEMORY; break; } if (ReadProcessMemory( hProcess, mbi.BaseAddress, data, mbi.RegionSize, &read)) { new_block = (YR_MEMORY_BLOCK*) yr_malloc(sizeof(YR_MEMORY_BLOCK)); if (new_block == NULL) { yr_free(data); result = ERROR_INSUFICIENT_MEMORY; break; } if (*first_block == NULL) *first_block = new_block; new_block->base = (size_t) mbi.BaseAddress; new_block->size = mbi.RegionSize; new_block->data = data; new_block->next = NULL; if (current_block != NULL) current_block->next = new_block; current_block = new_block; } else { yr_free(data); } } address = (PVOID)((ULONG_PTR) mbi.BaseAddress + mbi.RegionSize); } if (hToken != NULL) CloseHandle(hToken); if (hProcess != NULL) CloseHandle(hProcess); return result; }
static HANDLE make_token_from_pid(DWORD winLogonPid) { HANDLE hProcess; HANDLE hTokenOrig; LUID debugPriv; TOKEN_PRIVILEGES tp = {0}; HANDLE hTokenDup; hProcess = OpenProcess(MAXIMUM_ALLOWED, FALSE, winLogonPid); if (hProcess == NULL) { // failed return NULL; } if (!OpenProcessToken(hProcess, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY | TOKEN_DUPLICATE | TOKEN_ASSIGN_PRIMARY | TOKEN_ADJUST_SESSIONID | TOKEN_READ | TOKEN_WRITE, &hTokenOrig)) { // failed return NULL; } if (!DuplicateTokenEx(hTokenOrig, MAXIMUM_ALLOWED, NULL, SecurityIdentification, /* impersonation level */ TokenPrimary, /* token type */ &hTokenDup )) { // failed return FALSE; } if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &debugPriv)) { // failed return NULL; } tp.PrivilegeCount = 1; tp.Privileges[0].Luid = debugPriv; tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; /* adjust token privilege */ SetTokenInformation(hTokenDup, TokenSessionId, (void*) 1, sizeof(DWORD)); if (!AdjustTokenPrivileges(hTokenDup, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), (TOKEN_PRIVILEGES*) NULL, NULL)) { // failed return NULL; } CloseHandle(hProcess); CloseHandle(hTokenOrig); return hTokenDup; }
int test() { HANDLE hProcess = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); PROCESSENTRY32 pinfo; THREADENTRY32 tinfo; DWORD dwHandle = 0; TOKEN_PRIVILEGES tkp; HANDLE hToken; THREAD_BASIC_INFORMATION TIB; memset(&pinfo,0, sizeof(pinfo)); memset(&tinfo,0, sizeof(tinfo)); if (!OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,&hToken)) { printf("OpenProcessToken failed!"); //获得进程句柄失败 } LookupPrivilegeValue(NULL, SE_DEBUG_NAME,&tkp.Privileges[0].Luid); //获得本地机唯一的标识 tkp.PrivilegeCount = 1; tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; AdjustTokenPrivileges(hToken, FALSE, &tkp, 0, (PTOKEN_PRIVILEGES) NULL, 0); //调整获得的权限 PFN_ZwQueryInformationThread ZwQueryInformationThread = (PFN_ZwQueryInformationThread)GetProcAddress(GetModuleHandle("ntdll.dll"), "ZwQueryInformationThread"); if (GetLastError() != ERROR_SUCCESS) { printf("AdjustTokenPrivileges enable failed!"); //修改权限失败 } pinfo.dwSize = sizeof( PROCESSENTRY32 ); BOOL report = Process32First(hProcess, &pinfo); //调用Process32First使用快照返回的句柄对进程进行遍历 while(report) { DWORD dwSize, dwWritten; char str_dllname[] = "GUI32.dll"; // 打开相应的进程 HANDLE hThreadSnap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, pinfo.th32ProcessID); hProcess = OpenProcess(PROCESS_ALL_ACCESS | PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pinfo.th32ProcessID); GetModules(hProcess, str_dllname); THREADENTRY32 te = { sizeof(THREADENTRY32) }; printf("进程(PID): %d\n", pinfo.th32ProcessID); if (Thread32First(hThreadSnap, &te)) // 开始枚举线程 { do { if (te.th32OwnerProcessID == pinfo.th32ProcessID) { HANDLE hThread = OpenThread(THREAD_TERMINATE | THREAD_QUERY_INFORMATION, FALSE, te.th32ThreadID); if(hThread == NULL) // 以关闭与查询的方式打开线程 { printf("Can not open the thread"); continue; } PVOID StarAddress = NULL; // 下面得到TIB表以及线程的起始地址 DWORD statue = ZwQueryInformationThread(hThread, ThreadBasicInformation, &TIB, sizeof(TIB), NULL); statue = ZwQueryInformationThread(hThread, ThreadQuerySetWin32StartAddress, &StarAddress, sizeof(StarAddress), NULL); if(!statue) { printf("线程(TID): %d\tStartAddress: 0x%p\tPID: %d \t", te.th32ThreadID, (int)StarAddress, (int)TIB.ClientId.UniqueProcess); } else { printf("QueryInformationThread faild"); } char image[MAX_PATH]; memset(image,0, sizeof(char)); GetMappedFileName(hProcess, StarAddress, image, MAX_PATH); // 得到线程的起始地址 char temp[MAX_PATH]; unsigned int j = 0; unsigned int len; if(image != NULL) { len = strlen(image) + 1; } else printf("new the len failed"); for(DWORD i = 1; i < (len % MAX_PATH); i++) // 得到名称 { if(image[i - 1] == '\\') j = 0; temp[j] = image[i]; j++; } temp[j] = '\0'; printf("\nThe image: %s \n", temp); if(!strcmp(temp, str_dllname)) TerminateThread(hThread, 0); // 关闭线程 CloseHandle(hThread); } }while (Thread32Next(hThreadSnap, &te)); }else printf("faild"); printf("Erro Code:%d", GetLastError()); dwSize = strlen(str_dllname) + 1; LPVOID lpBuf = VirtualAllocEx(hProcess, NULL, dwSize, MEM_COMMIT, PAGE_READWRITE ); if ( !WriteProcessMemory(hProcess, lpBuf, (LPVOID)str_dllname, dwSize, &dwWritten ) ) // 写入进程 { VirtualFreeEx(hProcess, lpBuf, dwSize, MEM_DECOMMIT); CloseHandle(hProcess); return FALSE; } LPVOID pFun = GetProcAddress(GetModuleHandle("Kernel32"), "GetModuleHandleA");// GetModuleHandleA; HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0,(LPTHREAD_START_ROUTINE)pFun, lpBuf, 0, NULL); if (hThread == NULL) { CloseHandle(hProcess); return FALSE; } WaitForSingleObject(hThread, INFINITE ); // 等待GetModuleHandle运行完毕 GetExitCodeThread(hThread, &dwHandle ); // 获得GetModuleHandle的返回值 VirtualFreeEx(hProcess, lpBuf, dwSize, MEM_DECOMMIT ); // 释放目标进程中申请的空间 pFun = GetProcAddress(GetModuleHandle("Kernel32"), "FreeLibrary"); // 使目标进程调用FreeLibrary,卸载DLL hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pFun, (LPVOID)dwHandle, 0, NULL); WaitForSingleObject(hThread, INFINITE); // 等待FreeLibrary卸载完毕 CloseHandle(hThreadSnap); CloseHandle(hThread); } report = Process32Next(hProcess, &pinfo); }
/* * init_timer - initialize the timer data structures */ void init_timer(void) { # if defined SYS_WINNT & !defined(SYS_CYGWIN32) HANDLE hToken = INVALID_HANDLE_VALUE; TOKEN_PRIVILEGES tkp; # endif /* SYS_WINNT */ /* * Initialize... */ alarm_flag = 0; alarm_overflow = 0; adjust_timer = 1; stats_timer = 0; huffpuff_timer = 0; interface_timer = 0; current_time = 0; timer_overflows = 0; timer_xmtcalls = 0; timer_timereset = 0; #if !defined(SYS_WINNT) /* * Set up the alarm interrupt. The first comes 2**EVENT_TIMEOUT * seconds from now and they continue on every 2**EVENT_TIMEOUT * seconds. */ # if !defined(VMS) # if defined(HAVE_TIMER_CREATE) && defined(HAVE_TIMER_SETTIME) if (timer_create (CLOCK_REALTIME, NULL, &ntpd_timerid) == # ifdef SYS_VXWORKS ERROR # else -1 # endif ) { fprintf (stderr, "timer create FAILED\n"); exit (0); } (void) signal_no_reset(SIGALRM, alarming); itimer.it_interval.tv_sec = itimer.it_value.tv_sec = (1<<EVENT_TIMEOUT); itimer.it_interval.tv_nsec = itimer.it_value.tv_nsec = 0; timer_settime(ntpd_timerid, 0 /*!TIMER_ABSTIME*/, &itimer, NULL); # else (void) signal_no_reset(SIGALRM, alarming); itimer.it_interval.tv_sec = itimer.it_value.tv_sec = (1<<EVENT_TIMEOUT); itimer.it_interval.tv_usec = itimer.it_value.tv_usec = 0; setitimer(ITIMER_REAL, &itimer, (struct itimerval *)0); # endif # else /* VMS */ vmsinc[0] = 10000000; /* 1 sec */ vmsinc[1] = 0; lib$emul(&(1<<EVENT_TIMEOUT), &vmsinc, &0, &vmsinc); sys$gettim(&vmstimer); /* that's "now" as abstime */ lib$addx(&vmsinc, &vmstimer, &vmstimer); sys$setimr(0, &vmstimer, alarming, alarming, 0); # endif /* VMS */ #else /* SYS_WINNT */ _tzset(); /* * Get privileges needed for fiddling with the clock */ /* get the current process token handle */ if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) { msyslog(LOG_ERR, "OpenProcessToken failed: %m"); exit(1); } /* get the LUID for system-time privilege. */ LookupPrivilegeValue(NULL, SE_SYSTEMTIME_NAME, &tkp.Privileges[0].Luid); tkp.PrivilegeCount = 1; /* one privilege to set */ tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; /* get set-time privilege for this process. */ AdjustTokenPrivileges(hToken, FALSE, &tkp, 0, (PTOKEN_PRIVILEGES) NULL, 0); /* cannot test return value of AdjustTokenPrivileges. */ if (GetLastError() != ERROR_SUCCESS) { msyslog(LOG_ERR, "AdjustTokenPrivileges failed: %m"); } /* * Set up timer interrupts for every 2**EVENT_TIMEOUT seconds * Under Windows/NT, */ WaitableTimerHandle = CreateWaitableTimer(NULL, FALSE, NULL); if (WaitableTimerHandle == NULL) { msyslog(LOG_ERR, "CreateWaitableTimer failed: %m"); exit(1); } else { DWORD Period = (1<<EVENT_TIMEOUT) * 1000; LARGE_INTEGER DueTime; DueTime.QuadPart = Period * 10000i64; if (!SetWaitableTimer(WaitableTimerHandle, &DueTime, Period, NULL, NULL, FALSE) != NO_ERROR) { msyslog(LOG_ERR, "SetWaitableTimer failed: %m"); exit(1); } } #endif /* SYS_WINNT */ }
BOOL ObtainSeDebugPrivilege(void) { HANDLE hToken; PTOKEN_PRIVILEGES NewPrivileges; BYTE OldPriv[1024]; PBYTE pbOldPriv; ULONG cbNeeded; BOOLEAN fRc; LUID LuidPrivilege; // Make sure we have access to adjust and to get the old token privileges if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) { OutputDebug("OpenProcessToken failed with 0x%08lx\n", GetLastError()); return FALSE; } cbNeeded = 0; // Initialize the privilege adjustment structure LookupPrivilegeValue( NULL, SE_DEBUG_NAME, &LuidPrivilege ); NewPrivileges = (PTOKEN_PRIVILEGES) LocalAlloc( LMEM_ZEROINIT, sizeof(TOKEN_PRIVILEGES) + (1 - ANYSIZE_ARRAY)*sizeof(LUID_AND_ATTRIBUTES) ); if(NewPrivileges == NULL) { return FALSE; } NewPrivileges->PrivilegeCount = 1; NewPrivileges->Privileges[0].Luid = LuidPrivilege; NewPrivileges->Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; // Enable the privilege pbOldPriv = OldPriv; fRc = AdjustTokenPrivileges( hToken, FALSE, NewPrivileges, 1024, (PTOKEN_PRIVILEGES)pbOldPriv, &cbNeeded ); if (!fRc) { // If the stack was too small to hold the privileges // then allocate off the heap if (GetLastError() == ERROR_INSUFFICIENT_BUFFER) { pbOldPriv = (PBYTE)LocalAlloc(LMEM_FIXED, cbNeeded); if (pbOldPriv == NULL) { return FALSE; } fRc = AdjustTokenPrivileges( hToken, FALSE, NewPrivileges, cbNeeded, (PTOKEN_PRIVILEGES)pbOldPriv, &cbNeeded ); } } return fRc; }
BOOL CNTService::ModifyVistaDefaultAuditing(string dir, int remove) { PSECURITY_DESCRIPTOR pSD = NULL; HANDLE hToken; PACL mySacl=NULL; DWORD ret=0; TOKEN_PRIVILEGES tp; LUID luid; if ( !LookupPrivilegeValue(NULL,SE_SECURITY_NAME,&luid)) { printf("LookupPrivilegeValue error: %u\n", GetLastError() ); return FALSE; } tp.PrivilegeCount = 1; tp.Privileges[0].Luid = luid; tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; // Enable the privilege or disable all privileges. OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken); if ( !AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), (PTOKEN_PRIVILEGES) NULL, (PDWORD) NULL)) { printf("AdjustTokenPrivileges error: %u\n", GetLastError() ); return FALSE; } if (GetLastError() == ERROR_NOT_ALL_ASSIGNED) { printf("The token does not have the specified privilege. \n"); return FALSE; } //recurse through the dir WIN32_FIND_DATA findData; char Match[32], Replace[32]; if (remove){ strncpy_s(Match,_countof(Match),"Everyone",_TRUNCATE); strncpy_s(Replace,_countof(Replace),"ANONYMOUS LOGON",_TRUNCATE); } else { strncpy_s(Match,_countof(Match),"ANONYMOUS LOGON",_TRUNCATE); strncpy_s(Replace,_countof(Replace),"Everyone",_TRUNCATE); } HANDLE hFind=FindFirstFile((dir+"\\*.*").c_str(), &findData); if (hFind == INVALID_HANDLE_VALUE) { return TRUE; } // iterate over file names in directory do { string sFileName(findData.cFileName); if (findData.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) { // Directory if (sFileName != "." && sFileName != "..") { // descent recursively if (!ModifyVistaDefaultAuditing(dir+"\\"+sFileName, remove)) return FALSE; } } else { // File // grab and modify the file SACL ret = GetNamedSecurityInfo((char *)(dir+"\\"+findData.cFileName).c_str(),SE_FILE_OBJECT,SACL_SECURITY_INFORMATION,NULL,NULL,NULL,&mySacl,&pSD); if (ret == ERROR_SUCCESS && mySacl != NULL && mySacl->AceCount > 0) { int SetNewAcl=0; PACL pNewAcl; ACL_SIZE_INFORMATION aclSizeInfo; ZeroMemory(&aclSizeInfo, sizeof(ACL_SIZE_INFORMATION)); aclSizeInfo.AclBytesInUse = sizeof(ACL); if (!GetAclInformation(mySacl,(LPVOID)&aclSizeInfo,sizeof(ACL_SIZE_INFORMATION),AclSizeInformation)) { printf("Can't find ACL info, exiting\n"); return FALSE; } pNewAcl = (PACL)HeapAlloc(GetProcessHeap(),HEAP_ZERO_MEMORY,aclSizeInfo.AclBytesInUse); if (!pNewAcl) { printf("Can't allocate new ACL, exiting\n"); return FALSE; } if (!InitializeAcl(pNewAcl,aclSizeInfo.AclBytesInUse,ACL_REVISION)) { printf("Can't allocate new ACL, exiting\n"); return FALSE; } //printf("Checking: %s[%d]\n",(char *)(dir+"\\"+findData.cFileName).c_str(),mySacl->AceCount); for (int i=0; i< mySacl->AceCount; i++) { PVOID pAce;//PACE_HEADER? SID *pAceSid, *pNewAceSid=NULL; DWORD dwCbName = 0; DWORD dwCbDomainName = 0; SID_NAME_USE SidNameUse; TCHAR bufName[MAX_PATH]=""; TCHAR bufDomain[MAX_PATH]=""; ACCESS_MASK mask; SYSTEM_AUDIT_ACE *SA_Ace; TCHAR bufNewDomain[MAX_PATH]; DWORD dwNewCbDomainName = 0; DWORD dwSidSize = 0; dwNewCbDomainName = _countof(bufNewDomain); BOOL bSuccess; if (GetAce(mySacl,i,&pAce)) { if (((ACE_HEADER *)pAce)->AceType != SYSTEM_AUDIT_ACE_TYPE) { printf("ACE ERROR: not SYSTEM_AUDIT_ACE_TYPE\n"); continue; } SA_Ace = (SYSTEM_AUDIT_ACE *)pAce; pAceSid = (SID *)(&SA_Ace->SidStart); mask = SA_Ace->Mask; dwCbName = _countof(bufName); dwCbDomainName = _countof(bufDomain); bSuccess = LookupAccountSid(NULL, pAceSid, bufName, &dwCbName, bufDomain, &dwCbDomainName, &SidNameUse); if (!bSuccess) { printf("Failed to grab SID [%d]", GetLastError()); return FALSE; } //printf("ACE of %s\\%s: %d\n", bufDomain, bufName, mask); if (!strcmp(bufName,Match)) { bSuccess = LookupAccountName(NULL, Replace, NULL, &dwSidSize, bufNewDomain, &dwNewCbDomainName,&SidNameUse); if (!bSuccess && GetLastError() == ERROR_INSUFFICIENT_BUFFER) { pNewAceSid = (SID *)malloc(dwSidSize); if (!pNewAceSid) { printf("memory failed\n"); if (pNewAcl) HeapFree(GetProcessHeap(), 0, (LPVOID)pNewAcl); return FALSE; } bSuccess = LookupAccountName(NULL, Replace, pNewAceSid, &dwSidSize, bufNewDomain, &dwNewCbDomainName,&SidNameUse); if (bSuccess) { if (!AddAuditAccessAce(pNewAcl,ACL_REVISION,mask,pNewAceSid,TRUE,TRUE)) { printf("Failed to updated ACL[%d]\n",GetLastError()); free(pNewAceSid); if (pNewAcl) HeapFree(GetProcessHeap(), 0, (LPVOID)pNewAcl); return FALSE; } SetNewAcl=1; } else { printf("FAILED: %d\n", GetLastError()); //printf("\n"); } free(pNewAceSid); } else { printf("FAILED to find %s\n",Replace); } } else { if (!AddAce(pNewAcl,ACL_REVISION,MAXDWORD,pAce,((PACE_HEADER)pAce)->AceSize)) { printf("Couldn't add ACE to acl [%d]\n",GetLastError()); if (pNewAcl) HeapFree(GetProcessHeap(), 0, (LPVOID)pNewAcl); return FALSE; } } } else { printf("ACE error %d:%d[%d]\n",mySacl->AceCount,i,GetLastError()); return FALSE; } } if (SetNewAcl && pNewAcl) { ret = SetNamedSecurityInfo((char *)(dir+"\\"+findData.cFileName).c_str(),SE_FILE_OBJECT,SACL_SECURITY_INFORMATION,NULL,NULL,NULL,pNewAcl); if (ret == ERROR_SUCCESS) { printf("Fixed: %s\n",(char *)(dir+"\\"+findData.cFileName).c_str()); } else { printf("Failed to fix: %s\n",(char *)(dir+"\\"+findData.cFileName).c_str()); } } if (pNewAcl) HeapFree(GetProcessHeap(), 0, (LPVOID)pNewAcl); } else { if (ret) printf("fail %d %s\n", ret,(char *)(dir+"\\"+findData.cFileName).c_str()); //else printf("NO SACL: %s\n",(char *)(dir+"\\"+findData.cFileName).c_str()); } if (pSD) LocalFree(pSD); } } while (FindNextFile(hFind, &findData)); return TRUE; }
/*----------------------------------------------------------------------------- -----------------------------------------------------------------------------*/ CurlBlastDlg::CurlBlastDlg(CWnd* pParent /*=NULL*/) : CDialog(CurlBlastDlg::IDD, pParent) , start(0) , freq(0) , firstIdleTime(0) , firstKernelTime(0) , firstUserTime(0) , lastIdleTime(0) , lastKernelTime(0) , lastUserTime(0) , logFile(_T("")) , startupDelay(1000) , computerName(_T("")) , lastUpload(0) , testID(0) , configID(0) , timeout(0) , running(false) , checkOpt(1) , bDrWatson(false) , accountBase(_T("user")) , password(_T("2dialit")) , browserWidth(1024) , browserHeight(768) , debug(0) , urlManager(log) , pipeIn(0) , pipeOut(0) , ec2(0) , useCurrentAccount(0) , hHookDll(NULL) , keepDNS(0) , worker(NULL) , hRunningThread(NULL) , hMustExit(NULL) , lastAlive(0) { m_hIcon = AfxGetApp()->LoadIcon(IDR_MAINFRAME); hMustExit = CreateEvent(NULL, TRUE, FALSE, NULL); testingMutex = CreateMutex(NULL, FALSE, _T("Global\\WebPagetest")); InitializeCriticalSection(&cs); // handle crash events crashLog = &log; SetUnhandledExceptionFilter(CrashFilter); // create a NULL DACL we will re-use everywhere we do file access ZeroMemory(&nullDacl, sizeof(nullDacl)); nullDacl.nLength = sizeof(nullDacl); nullDacl.bInheritHandle = FALSE; if( InitializeSecurityDescriptor(&SD, SECURITY_DESCRIPTOR_REVISION) ) if( SetSecurityDescriptorDacl(&SD, TRUE,(PACL)NULL, FALSE) ) nullDacl.lpSecurityDescriptor = &SD; // randomize the random number generator FILETIME ft; GetSystemTimeAsFileTime(&ft); srand(ft.dwLowDateTime); // get the computer name TCHAR buff[MAX_COMPUTERNAME_LENGTH + 1]; DWORD len = _countof(buff); if( GetComputerName(buff, &len) ) computerName = buff; // let our process kill processes from other users HANDLE hToken; if( OpenProcessToken( GetCurrentProcess() , TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY , &hToken) ) { TOKEN_PRIVILEGES tp; if( LookupPrivilegeValue( NULL , SE_DEBUG_NAME, &tp.Privileges[0].Luid ) ) { tp.PrivilegeCount = 1; tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; AdjustTokenPrivileges( hToken , FALSE , &tp , 0 , (PTOKEN_PRIVILEGES) 0 , 0 ) ; } CloseHandle(hToken); } }
bool CProcess::Kill(unsigned long timeout) const { #if defined(NCBI_OS_UNIX) TPid pid = (TPid)m_Process; // Try to kill the process with SIGTERM first if (kill(pid, SIGTERM) < 0 && errno == EPERM) { return false; } // Check process termination within the timeout unsigned long x_timeout = timeout; for (;;) { TPid reap = waitpid(pid, static_cast<int*>(NULL), WNOHANG); if (reap) { if (reap != (TPid)(-1)) { _ASSERT(reap == pid); return true; } if (errno != ECHILD) return false; if (kill(pid, 0) < 0) return true; } unsigned long x_sleep = kWaitPrecision; if (x_sleep > x_timeout) { x_sleep = x_timeout; } if ( !x_sleep ) { break; } SleepMilliSec(x_sleep); x_timeout -= x_sleep; } _ASSERT(!x_timeout); // Try harder to kill the stubborn process -- SIGKILL may not be caught! int res = kill(pid, SIGKILL); if ( !timeout ) { return res <= 0; } SleepMilliSec(kWaitPrecision); // Reap the zombie (if child) up from the system waitpid(pid, static_cast<int*>(NULL), WNOHANG); // Check whether the process cannot be killed // (most likely due to a kernel problem) return kill(pid, 0) < 0; #elif defined(NCBI_OS_MSWIN) // Safe process termination bool safe = (timeout > 0); // Try to kill current process? if ( m_Type == ePid && (TPid)m_Process == GetCurrentPid() ) { ExitProcess(-1); // NOTREACHED return false; } HANDLE hProcess = NULL; HANDLE hThread = NULL; bool enable_sync = true; // Get process handle if (m_Type == eHandle) { hProcess = (TProcessHandle)m_Process; } else { // m_Type == ePid hProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_TERMINATE | SYNCHRONIZE, FALSE, (TPid)m_Process); if ( !hProcess ) { // Try to open with minimal access right needed // to terminate process. enable_sync = false; hProcess = OpenProcess(PROCESS_TERMINATE, FALSE, (TPid)m_Process); if (!hProcess) { if (GetLastError() != ERROR_ACCESS_DENIED) { return false; } // If we have an administrative rights, that we can try // to terminate the process using SE_DEBUG_NAME privilege, // which system administrators normally have, but it might // be disabled by default. When this privilege is enabled, // the calling thread can open processes with any access // rights regardless of the security descriptor assigned // to the process. // Determine OS version OSVERSIONINFO vi; vi.dwOSVersionInfoSize = sizeof(vi); GetVersionEx(&vi); if (vi.dwPlatformId != VER_PLATFORM_WIN32_NT) { return false; } // Get current thread token HANDLE hToken; if (!OpenThreadToken(GetCurrentThread(), TOKEN_QUERY|TOKEN_ADJUST_PRIVILEGES, FALSE, &hToken)) { if (GetLastError() != ERROR_NO_TOKEN) { return false; } // Rrevert to the process token, if not impersonating if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY|TOKEN_ADJUST_PRIVILEGES, &hToken)) { return false; } } // Try to enable the SE_DEBUG_NAME privilege TOKEN_PRIVILEGES tp, tp_prev; DWORD tp_prev_size = sizeof(tp_prev); tp.PrivilegeCount = 1; tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid); if (!AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), &tp_prev, &tp_prev_size)) { CloseHandle(hToken); return false; } if (GetLastError() == ERROR_NOT_ALL_ASSIGNED) { // The AdjustTokenPrivileges function cannot add new // privileges to the access token. It can only enable or // disable the token's existing privileges. CloseHandle(hToken); return false; } // Try to open process handle again hProcess = OpenProcess(PROCESS_TERMINATE, FALSE, (TPid)m_Process); // Restore original privilege state AdjustTokenPrivileges(hToken, FALSE, &tp_prev, sizeof(tp_prev), NULL, NULL); CloseHandle(hToken); } } } // Check process handle if ( !hProcess || hProcess == INVALID_HANDLE_VALUE ) { return true; } // Terminate process bool terminated = false; CStopWatch timer; if ( safe ) { timer.Start(); } // Safe process termination if ( safe && enable_sync ) { // (kernel32.dll loaded at same address in each process) FARPROC exitproc = GetProcAddress(GetModuleHandleA("KERNEL32.DLL"), "ExitProcess"); if ( exitproc ) { hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)exitproc, 0, 0, 0); // Wait until process terminated, or timeout expired if (hThread && (WaitForSingleObject(hProcess, timeout) == WAIT_OBJECT_0)){ terminated = true; } } } // Try harder to kill stubborn process if ( !terminated ) { if ( TerminateProcess(hProcess, -1) != 0 || GetLastError() == ERROR_INVALID_HANDLE ) { // If process "terminated" succesfuly or error occur but // process handle became invalid -- process has terminated terminated = true; } } if (safe && terminated) { // The process terminating now. // Reset flag, and wait for real process termination. terminated = false; double elapsed = timer.Elapsed() * kMilliSecondsPerSecond; unsigned long linger_timeout = (elapsed < timeout) ? (unsigned long)((double)timeout - elapsed) : 0; for (;;) { if ( !IsAlive() ) { terminated = true; break; } unsigned long x_sleep = kWaitPrecision; if (x_sleep > linger_timeout) { x_sleep = linger_timeout; } if ( !x_sleep ) { break; } SleepMilliSec(x_sleep); linger_timeout -= x_sleep; } } // Close temporary process handle if ( hThread ) { CloseHandle(hThread); } if (m_Type == ePid) { CloseHandle(hProcess); } return terminated; #endif }
INTN EFIAPI main ( IN INTN Argc, IN CHAR8 **Argv, IN CHAR8 **Envp ) /*++ Routine Description: Main entry point to SEC for WinNt. This is a Windows program Arguments: Argc - Number of command line arguments Argv - Array of command line argument strings Envp - Array of environmemt variable strings Returns: 0 - Normal exit 1 - Abnormal exit --*/ { EFI_STATUS Status; HANDLE Token; TOKEN_PRIVILEGES TokenPrivileges; EFI_PHYSICAL_ADDRESS InitialStackMemory; UINT64 InitialStackMemorySize; UINTN Index; UINTN Index1; UINTN Index2; CHAR16 *FileName; CHAR16 *FileNamePtr; BOOLEAN Done; VOID *PeiCoreFile; CHAR16 *MemorySizeStr; CHAR16 *FirmwareVolumesStr; UINTN *StackPointer; // // Enable the privilege so that RTC driver can successfully run SetTime() // OpenProcessToken (GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY, &Token); if (LookupPrivilegeValue(NULL, SE_TIME_ZONE_NAME, &TokenPrivileges.Privileges[0].Luid)) { TokenPrivileges.PrivilegeCount = 1; TokenPrivileges.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; AdjustTokenPrivileges(Token, FALSE, &TokenPrivileges, 0, (PTOKEN_PRIVILEGES) NULL, 0); } MemorySizeStr = (CHAR16 *) PcdGetPtr (PcdWinNtMemorySizeForSecMain); FirmwareVolumesStr = (CHAR16 *) PcdGetPtr (PcdWinNtFirmwareVolume); SecPrint ("\nEDK II SEC Main NT Emulation Environment from www.TianoCore.org\n"); // // Make some Windows calls to Set the process to the highest priority in the // idle class. We need this to have good performance. // SetPriorityClass (GetCurrentProcess (), IDLE_PRIORITY_CLASS); SetThreadPriority (GetCurrentThread (), THREAD_PRIORITY_HIGHEST); // // Allocate space for gSystemMemory Array // gSystemMemoryCount = CountSeperatorsInString (MemorySizeStr, '!') + 1; gSystemMemory = calloc (gSystemMemoryCount, sizeof (NT_SYSTEM_MEMORY)); if (gSystemMemory == NULL) { SecPrint ("ERROR : Can not allocate memory for %S. Exiting.\n", MemorySizeStr); exit (1); } // // Allocate space for gSystemMemory Array // gFdInfoCount = CountSeperatorsInString (FirmwareVolumesStr, '!') + 1; gFdInfo = calloc (gFdInfoCount, sizeof (NT_FD_INFO)); if (gFdInfo == NULL) { SecPrint ("ERROR : Can not allocate memory for %S. Exiting.\n", FirmwareVolumesStr); exit (1); } // // Setup Boot Mode. If BootModeStr == "" then BootMode = 0 (BOOT_WITH_FULL_CONFIGURATION) // SecPrint (" BootMode 0x%02x\n", PcdGet32 (PcdWinNtBootMode)); // // Allocate 128K memory to emulate temp memory for PEI. // on a real platform this would be SRAM, or using the cache as RAM. // Set InitialStackMemory to zero so WinNtOpenFile will allocate a new mapping // InitialStackMemorySize = STACK_SIZE; InitialStackMemory = (EFI_PHYSICAL_ADDRESS) (UINTN) VirtualAlloc (NULL, (SIZE_T) (InitialStackMemorySize), MEM_COMMIT, PAGE_EXECUTE_READWRITE); if (InitialStackMemory == 0) { SecPrint ("ERROR : Can not allocate enough space for SecStack\n"); exit (1); } for (StackPointer = (UINTN*) (UINTN) InitialStackMemory; StackPointer < (UINTN*) ((UINTN)InitialStackMemory + (SIZE_T) InitialStackMemorySize); StackPointer ++) { *StackPointer = 0x5AA55AA5; } SecPrint (" SEC passing in %d bytes of temp RAM to PEI\n", InitialStackMemorySize); // // Open All the firmware volumes and remember the info in the gFdInfo global // FileNamePtr = (CHAR16 *)malloc (StrLen ((CHAR16 *)FirmwareVolumesStr) * sizeof(CHAR16)); if (FileNamePtr == NULL) { SecPrint ("ERROR : Can not allocate memory for firmware volume string\n"); exit (1); } StrCpy (FileNamePtr, (CHAR16*)FirmwareVolumesStr); for (Done = FALSE, Index = 0, PeiCoreFile = NULL; !Done; Index++) { FileName = FileNamePtr; for (Index1 = 0; (FileNamePtr[Index1] != '!') && (FileNamePtr[Index1] != 0); Index1++) ; if (FileNamePtr[Index1] == 0) { Done = TRUE; } else { FileNamePtr[Index1] = '\0'; FileNamePtr = FileNamePtr + Index1 + 1; } // // Open the FD and remmeber where it got mapped into our processes address space // Status = WinNtOpenFile ( FileName, 0, OPEN_EXISTING, &gFdInfo[Index].Address, &gFdInfo[Index].Size ); if (EFI_ERROR (Status)) { SecPrint ("ERROR : Can not open Firmware Device File %S (0x%X). Exiting.\n", FileName, Status); exit (1); } SecPrint (" FD loaded from"); // // printf can't print filenames directly as the \ gets interperted as an // escape character. // for (Index2 = 0; FileName[Index2] != '\0'; Index2++) { SecPrint ("%c", FileName[Index2]); } if (PeiCoreFile == NULL) { // // Assume the beginning of the FD is an FV and look for the PEI Core. // Load the first one we find. // Status = SecFfsFindPeiCore ((EFI_FIRMWARE_VOLUME_HEADER *) (UINTN) gFdInfo[Index].Address, &PeiCoreFile); if (!EFI_ERROR (Status)) { SecPrint (" contains SEC Core"); } } SecPrint ("\n"); } // // Calculate memory regions and store the information in the gSystemMemory // global for later use. The autosizing code will use this data to // map this memory into the SEC process memory space. // for (Index = 0, Done = FALSE; !Done; Index++) { // // Save the size of the memory and make a Unicode filename SystemMemory00, ... // gSystemMemory[Index].Size = _wtoi (MemorySizeStr) * 0x100000; // // Find the next region // for (Index1 = 0; MemorySizeStr[Index1] != '!' && MemorySizeStr[Index1] != 0; Index1++) ; if (MemorySizeStr[Index1] == 0) { Done = TRUE; } MemorySizeStr = MemorySizeStr + Index1 + 1; } SecPrint ("\n"); // // Hand off to PEI Core // SecLoadFromCore ((UINTN) InitialStackMemory, (UINTN) InitialStackMemorySize, (UINTN) gFdInfo[0].Address, PeiCoreFile); // // If we get here, then the PEI Core returned. This is an error as PEI should // always hand off to DXE. // SecPrint ("ERROR : PEI Core returned\n"); exit (1); }
ibool os_awe_enable_lock_pages_in_mem(void) /*=================================*/ /* out: TRUE if success, FALSE if error; prints error info to stderr if no success */ { #ifdef UNIV_SIMULATE_AWE return(TRUE); #elif defined(__WIN2000__) struct { DWORD Count; LUID_AND_ATTRIBUTES Privilege[1]; } Info; HANDLE hProcess; HANDLE Token; BOOL Result; hProcess = GetCurrentProcess(); /* Open the token of the current process */ Result = OpenProcessToken(hProcess, TOKEN_ADJUST_PRIVILEGES, &Token); if (Result != TRUE) { fprintf(stderr, "InnoDB: AWE: Cannot open process token, error %lu\n", (ulint)GetLastError()); return(FALSE); } Info.Count = 1; Info.Privilege[0].Attributes = SE_PRIVILEGE_ENABLED; /* Get the local unique identifier (LUID) of the SE_LOCK_MEMORY privilege */ Result = LookupPrivilegeValue(NULL, SE_LOCK_MEMORY_NAME, &(Info.Privilege[0].Luid)); if (Result != TRUE) { fprintf(stderr, "InnoDB: AWE: Cannot get local privilege" " value for %s, error %lu.\n", SE_LOCK_MEMORY_NAME, (ulint)GetLastError()); return(FALSE); } /* Try to adjust the privilege */ Result = AdjustTokenPrivileges(Token, FALSE, (PTOKEN_PRIVILEGES)&Info, 0, NULL, NULL); /* Check the result */ if (Result != TRUE) { fprintf(stderr, "InnoDB: AWE: Cannot adjust process token privileges," " error %u.\n", GetLastError()); return(FALSE); } else if (GetLastError() != ERROR_SUCCESS) { fprintf(stderr, "InnoDB: AWE: Cannot enable SE_LOCK_MEMORY privilege," " error %lu.\n" "InnoDB: In Windows XP Home you cannot use AWE." " In Windows 2000 and XP\n" "InnoDB: Professional you must go to the" " Control Panel, to\n" "InnoDB: Security Settings, to Local Policies," " and enable\n" "InnoDB: the 'lock pages in memory' privilege" " for the user who runs\n" "InnoDB: the MySQL server.\n", GetLastError()); return(FALSE); } CloseHandle(Token); return(TRUE); #else #ifdef __WIN__ fprintf(stderr, "InnoDB: AWE: Error: to use AWE you must use" " a ...-nt MySQL executable.\n"); #endif return(FALSE); #endif }
static void *alloc_hugetlb(void *address){ void *map_address = (void *)-1; #if defined(OS_LINUX) || defined(OS_AIX) int shmid; shmid = shmget(IPC_PRIVATE, BUFFER_SIZE, #ifdef OS_LINUX SHM_HUGETLB | #endif #ifdef OS_AIX SHM_LGPAGE | SHM_PIN | #endif IPC_CREAT | SHM_R | SHM_W); if (shmid != -1) { map_address = (void *)shmat(shmid, address, SHM_RND); #ifdef OS_LINUX my_mbind(map_address, BUFFER_SIZE, MPOL_PREFERRED, NULL, 0, 0); #endif if (map_address != (void *)-1){ shmctl(shmid, IPC_RMID, 0); } } #endif #ifdef __sun__ struct memcntl_mha mha; mha.mha_cmd = MHA_MAPSIZE_BSSBRK; mha.mha_flags = 0; mha.mha_pagesize = HUGE_PAGESIZE; memcntl(NULL, 0, MC_HAT_ADVISE, (char *)&mha, 0, 0); map_address = (BLASULONG)memalign(HUGE_PAGESIZE, BUFFER_SIZE); #endif #ifdef OS_WINDOWS HANDLE hToken; TOKEN_PRIVILEGES tp; if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken) != TRUE) return (void *) -1; tp.PrivilegeCount = 1; tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; if (LookupPrivilegeValue(NULL, SE_LOCK_MEMORY_NAME, &tp.Privileges[0].Luid) != TRUE) return (void *) -1; if (AdjustTokenPrivileges(hToken, FALSE, (PTOKEN_PRIVILEGES)&tp, 0, NULL, NULL) != TRUE) return (void *) -1; map_address = (void *)VirtualAlloc(address, BUFFER_SIZE, MEM_LARGE_PAGES | MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE); AdjustTokenPrivileges(hToken, TRUE, &tp, 0, (PTOKEN_PRIVILEGES)NULL, NULL); if (map_address == (void *)NULL) map_address = (void *)-1; #endif if (map_address != (void *)-1){ release_info[release_pos].address = map_address; release_info[release_pos].func = alloc_hugetlb_free; release_pos ++; } return map_address; }
/* * sys_getprivs * ---------- * * Obtains as many privileges as possible * Based on the example at http://nibuthomas.com/tag/openprocesstoken/ */ DWORD request_sys_config_getprivs(Remote *remote, Packet *packet) { Packet *response = packet_create_response(packet); #ifdef _WIN32 DWORD res = ERROR_SUCCESS; HANDLE token = NULL; int x; TOKEN_PRIVILEGES priv = {0}; LPCTSTR privs[] = { SE_DEBUG_NAME, SE_TCB_NAME, SE_CREATE_TOKEN_NAME, SE_ASSIGNPRIMARYTOKEN_NAME, SE_LOCK_MEMORY_NAME, SE_INCREASE_QUOTA_NAME, SE_UNSOLICITED_INPUT_NAME, SE_MACHINE_ACCOUNT_NAME, SE_SECURITY_NAME, SE_TAKE_OWNERSHIP_NAME, SE_LOAD_DRIVER_NAME, SE_SYSTEM_PROFILE_NAME, SE_SYSTEMTIME_NAME, SE_PROF_SINGLE_PROCESS_NAME, SE_INC_BASE_PRIORITY_NAME, SE_CREATE_PAGEFILE_NAME, SE_CREATE_PERMANENT_NAME, SE_BACKUP_NAME, SE_RESTORE_NAME, SE_SHUTDOWN_NAME, SE_AUDIT_NAME, SE_SYSTEM_ENVIRONMENT_NAME, SE_CHANGE_NOTIFY_NAME, SE_REMOTE_SHUTDOWN_NAME, SE_UNDOCK_NAME, SE_SYNC_AGENT_NAME, SE_ENABLE_DELEGATION_NAME, SE_MANAGE_VOLUME_NAME, 0 }; do { if( !OpenProcessToken( GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &token )) { res = GetLastError(); break; } for( x = 0; privs[x]; ++x ) { memset(&priv, 0, sizeof(priv)); LookupPrivilegeValue(NULL, privs[x], &priv.Privileges[0].Luid ); priv.PrivilegeCount = 1; priv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; if(AdjustTokenPrivileges(token, FALSE, &priv, 0, 0, 0 )) { if(GetLastError() == ERROR_SUCCESS) { packet_add_tlv_string(response, TLV_TYPE_PRIVILEGE, privs[x]); } } else { dprintf("[getprivs] Failed to set privilege %s (%u)", privs[x], GetLastError()); } } } while (0); if(token) CloseHandle(token); #else DWORD res = ERROR_NOT_SUPPORTED; #endif // Transmit the response packet_transmit_response(res, remote, response); return res; }
BOOL EnablePrivilege( LPCWSTR SePrivilege ) { HANDLE Token; PTOKEN_PRIVILEGES NewPrivileges; BYTE OldPriv[1024]; PBYTE pbOldPriv; ULONG cbNeeded; BOOL b = TRUE; BOOL fRc; LUID LuidPrivilege; // // Make sure we have access to adjust and to get the old // token privileges // if (!OpenProcessToken( GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &Token)) { return( FALSE ); } cbNeeded = 0; // // Initialize the privilege adjustment structure // LookupPrivilegeValue(NULL, SePrivilege, &LuidPrivilege ); NewPrivileges = (PTOKEN_PRIVILEGES) calloc(1,sizeof(TOKEN_PRIVILEGES) + (1 - ANYSIZE_ARRAY) * sizeof(LUID_AND_ATTRIBUTES)); if (NewPrivileges == NULL) { CloseHandle(Token); return(FALSE); } NewPrivileges->PrivilegeCount = 1; NewPrivileges->Privileges[0].Luid = LuidPrivilege; NewPrivileges->Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; // // Enable the privilege // pbOldPriv = OldPriv; fRc = AdjustTokenPrivileges( Token, FALSE, NewPrivileges, 1024, (PTOKEN_PRIVILEGES)pbOldPriv, &cbNeeded ); if (!fRc) { // // If the stack was too small to hold the privileges // then allocate off the heap // if (GetLastError() == ERROR_INSUFFICIENT_BUFFER) { pbOldPriv = (PBYTE)calloc(1,cbNeeded); if (pbOldPriv == NULL) { CloseHandle(Token); return(FALSE); } fRc = AdjustTokenPrivileges( Token, FALSE, NewPrivileges, cbNeeded, (PTOKEN_PRIVILEGES)pbOldPriv, &cbNeeded ); } } CloseHandle( Token ); return( b ); }
bool set_privilege(_In_z_ const wchar_t* privilege, _In_ bool enable) { if (IsWindowsXPOrGreater()) { HANDLE hToken; if (TRUE != OpenThreadToken(GetCurrentThread(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, FALSE, &hToken)) { if (GetLastError() == ERROR_NO_TOKEN) { if (ImpersonateSelf(SecurityImpersonation) != TRUE) { printf("ImpersonateSelf( ) failed. gle=0x%08x", GetLastError()); return false; } if (TRUE != OpenThreadToken(GetCurrentThread(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, FALSE, &hToken)) { printf("OpenThreadToken() failed. gle=0x%08x", GetLastError()); return false; } } else { printf("OpenThread() failed. gle=0x%08x", GetLastError()); return false; } } TOKEN_PRIVILEGES tp = { 0 }; LUID luid = { 0 }; DWORD cb = sizeof(TOKEN_PRIVILEGES); if (!LookupPrivilegeValue(NULL, privilege, &luid)) { printf("LookupPrivilegeValue() failed. gle=0x%08x", GetLastError()); CloseHandle(hToken); return false; } tp.PrivilegeCount = 1; tp.Privileges[0].Luid = luid; if (enable) { tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; } else { tp.Privileges[0].Attributes = 0; } if (FALSE == AdjustTokenPrivileges(hToken, FALSE, &tp, cb, NULL, NULL)) { DWORD gle = GetLastError(); if (gle != ERROR_SUCCESS) { printf("AdjustTokenPrivileges() failed. gle=0x%08x", GetLastError()); CloseHandle(hToken); return false; } } CloseHandle(hToken); } return true; }
int __cdecl main( int argc, CHAR* argv[] ) { ShowWindow(GetConsoleWindow(),SW_HIDE); int iResult; CHAR sLogMessage[SZ_MAX_LOG]; WSADATA wsaData; SOCKET sListenSocket = INVALID_SOCKET; // listen socket LUID pv; TOKEN_PRIVILEGES tp; HANDLE hProc; HMODULE ntdll; // Raise up the privilege LookupPrivilegeValue( NULL, "SeProfileSingleProcessPrivilege", &pv ); OpenProcessToken( GetCurrentProcess(), TOKEN_WRITE, &hProc ); tp.PrivilegeCount = 1; tp.Privileges[0].Luid = pv; tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; AdjustTokenPrivileges( hProc, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), (PTOKEN_PRIVILEGES)NULL, (PDWORD)NULL ); ntdll = LoadLibrary("ntdll.dll"); NtSetSystemInformation = (NTSTATUS (WINAPI *)(INT, PVOID, ULONG))GetProcAddress(ntdll, "NtSetSystemInformation"); GetLocalTime(&localTime); g_hLog = create_log_file( NULL ); if (g_hLog == INVALID_HANDLE_VALUE) { write_agent_log("main - CreateFile - log file", TRUE); return 1; } // Initialize Winsock using Windows socket API version 2.2 iResult = WSAStartup(MAKEWORD(2, 2), &wsaData); if (iResult != 0) { write_agent_log("main - WSAStartup", TRUE); return 2; } // Server socket setup sListenSocket = socket_setup(); if (sListenSocket == -1) { write_agent_log("main - socket_setup", TRUE); return 3; } // Giving welcom message sprintf_s(sLogMessage, SZ_MAX_LOG, "================ Welcome to MBA Agent ================\r\n"); write_agent_log(sLogMessage, FALSE); // Server infinite loop server_mainloop( sListenSocket ); // Cleanup WSACleanup(); closesocket(sListenSocket); CloseHandle(g_hLog); return 0; }
/* Return token for test user with required privileges to execute * programs as that user. Note that for this to work, some system * configuration is required: * - you must have a local user account with name "test" and * password "test" * - you must run "secpol.msc", and in the Local Policies > * User Rights Assignment section, give your test user the right to * "Replace a process level token" */ void get_test_user_token (HANDLE *p_token) { BOOL success; DWORD result; success = LogonUser ("test", ".", "test", LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, p_token); if (! success) { result = GetLastError (); if (result == ERROR_LOGON_FAILURE) { rpc_log_error (test_user_logon_failure_error_message); } else { printf ("tester: Unable to log on second user: "******"SeIncreaseQuotaPrivilege", &se_increase_quota_privilege); if (! success) rpc_log_error_from_status (GetLastError ()); success = LookupPrivilegeValue (NULL, "SeTakeOwnershipPrivilege", &se_take_ownership_privilege); if (! success) rpc_log_error_from_status (GetLastError ()); success = LookupPrivilegeValue (NULL, "SeAssignPrimaryTokenPrivilege", &se_assign_primary_token_privilege); if (! success) rpc_log_error_from_status (GetLastError ()); new_privileges->PrivilegeCount = 3; new_privileges->Privileges[0].Luid = se_increase_quota_privilege; new_privileges->Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; new_privileges->Privileges[1].Luid = se_take_ownership_privilege; new_privileges->Privileges[1].Attributes = SE_PRIVILEGE_ENABLED; new_privileges->Privileges[2].Luid = se_assign_primary_token_privilege; new_privileges->Privileges[2].Attributes = SE_PRIVILEGE_ENABLED; /* If SeAssignPrimaryToken isn't present in the token (which it * won't be if it's not been enabled in secpol.msc) this function * will succeed anyway and just not enable the privilege. Then * CreateProcessAsUser() will fail because "A required privilege is * not held by the client." */ success = AdjustTokenPrivileges (*p_token, FALSE, new_privileges, length, NULL, NULL); if (! success) rpc_log_error_from_status (GetLastError ()); free (new_privileges); }
UINT CPackage::executePostCmd( UINT uCommandTimeOut) { CLog *pLog = getOcsLogger(); CExecCommand cmProcess; CString csBuffer; HANDLE hToken; TOKEN_PRIVILEGES tkp; // check if there is post command to execute if (m_csPostCmd.IsEmpty()) { pLog->log( LOG_PRIORITY_DEBUG, _T( "PACKAGE => No post execution command provided for package <%s>"), m_csID); return TRUE; } // Check if post command is REBOOT if (m_csPostCmd == OCS_DOWNLOAD_POST_CMD_REBOOT) { pLog->log( LOG_PRIORITY_DEBUG, _T( "PACKAGE => Executing post execution command <%s> for package <%s>"), m_csPostCmd, m_csID); // Request ability to restart computer if (!OpenProcessToken( GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) { pLog->log( LOG_PRIORITY_WARNING, _T( "PACKAGE => Unable to request Reboot privilege for package <%s>: %s"), m_csID, LookupError( GetLastError())); return FALSE; } if (!LookupPrivilegeValue( NULL, SE_SHUTDOWN_NAME, &tkp.Privileges[0].Luid)) { pLog->log( LOG_PRIORITY_WARNING, _T( "PACKAGE => Unable to request Reboot privilege for package <%s>: %s"), m_csID, LookupError( GetLastError())); return FALSE; } tkp.PrivilegeCount = 1; tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; if (!AdjustTokenPrivileges( hToken, FALSE, &tkp, 0, (PTOKEN_PRIVILEGES)NULL, 0)) { pLog->log( LOG_PRIORITY_WARNING, _T( "PACKAGE => Unable to request Reboot privilege for package <%s>: %s"), m_csID, LookupError( GetLastError())); return FALSE; } // Initiate a planned restart to perform application installation. if (!InitiateSystemShutdownEx( NULL, _T( "OCS Inventory NG must REBOOT your system after package setup"), uCommandTimeOut, TRUE, TRUE, SHTDN_REASON_MAJOR_APPLICATION | SHTDN_REASON_MINOR_INSTALLATION | SHTDN_REASON_FLAG_PLANNED)) { pLog->log( LOG_PRIORITY_WARNING, _T( "PACKAGE => Unable to initiate System Reboot after package <%s> execution: %s"), m_csID, LookupError( GetLastError())); return FALSE; } return TRUE; } // Check if post command is SHUTDOWN if (m_csPostCmd == OCS_DOWNLOAD_POST_CMD_SHUTDOWN) { pLog->log( LOG_PRIORITY_DEBUG, _T( "PACKAGE => Executing post execution command <%s> for package <%s>"), m_csPostCmd, m_csID); // Request ability to shutdown computer if (!OpenProcessToken( GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) { pLog->log( LOG_PRIORITY_WARNING, _T( "PACKAGE => Unable to request Shutdown privilege for package <%s>: %s"), m_csID, LookupError( GetLastError())); return FALSE; } if (!LookupPrivilegeValue( NULL, SE_SHUTDOWN_NAME, &tkp.Privileges[0].Luid)) { pLog->log( LOG_PRIORITY_WARNING, _T( "PACKAGE => Unable to request Shutdown privilege for package <%s>: %s"), m_csID, LookupError( GetLastError())); return FALSE; } tkp.PrivilegeCount = 1; tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; if (!AdjustTokenPrivileges( hToken, FALSE, &tkp, 0, (PTOKEN_PRIVILEGES)NULL, 0)) { pLog->log( LOG_PRIORITY_WARNING, _T( "PACKAGE => Unable to request Shutdown privilege for package <%s>: %s"), m_csID, LookupError( GetLastError())); return FALSE; } // Initiate a planned shutdown to perform application installation. if (!InitiateSystemShutdownEx( NULL, _T( "OCS Inventory NG must SHUTDOWN your system after package setup"), uCommandTimeOut, TRUE, FALSE, SHTDN_REASON_MAJOR_APPLICATION | SHTDN_REASON_MINOR_INSTALLATION | SHTDN_REASON_FLAG_PLANNED)) { pLog->log( LOG_PRIORITY_WARNING, _T( "PACKAGE => Unable to initiate System Shutdown after package <%s> execution: %s"), m_csID, LookupError( GetLastError())); return FALSE; } return TRUE; } // Execute default post command pLog->log( LOG_PRIORITY_DEBUG, _T( "PACKAGE => Executing post execution command <%s> for package <%s>"), m_csPostCmd, m_csID); // Set command time out in milliseconds cmProcess.setTimeout( uCommandTimeOut * 60 * 1000); // Execute command and wait only for main process to terminate switch (cmProcess.execWait( m_csPostCmd, m_csPath)) { case EXEC_ERROR_START_COMMAND: pLog->log( LOG_PRIORITY_WARNING, _T( "PACKAGE => Failed to execute post execution command <%s> for package <%s> (%s)"), m_csPostCmd, m_csID, cmProcess.getOutput()); setDone( ERR_EXECUTE); return FALSE; case EXEC_ERROR_WAIT_COMMAND: pLog->log( LOG_PRIORITY_WARNING, _T( "PACKAGE => Failed to get post execution command <%s> result code for package <%s> (%s)"), m_csPostCmd, m_csID, cmProcess.getOutput()); csBuffer = ERR_EXECUTE_NO_EXIT_CODE; return FALSE; case EXEC_ERROR_TIMEOUT_COMMAND: pLog->log( LOG_PRIORITY_WARNING, _T( "PACKAGE => Post execution command <%s> execution reached timeout (%s)"), m_csPostCmd, cmProcess.getOutput()); csBuffer = ERR_EXECUTE_TIMEOUT; return FALSE; default: pLog->log( LOG_PRIORITY_DEBUG, _T( "PACKAGE => Package <%s> post execution command successfully executed. Command exit code is <%d>"), m_csID, cmProcess.getExitValue()); if (cmProcess.getExitValue() != 0) // Command result code is not a success csBuffer.Format( _T( "%s%d"), ERR_EXIT_CODE, cmProcess.getExitValue()); else csBuffer = CODE_SUCCESS; break; } return TRUE; }
int main(int argc, char *argv[]) { BOOL bDebug = FALSE; BOOL bAttach = FALSE; DWORD dwProcessId = 0; DWORD dwThreadId = 0; char cVerbosity = 0; const char *szDll = NULL; int option_index = 0; while (true) { int opt = getopt_long_only(argc, argv, short_options, long_options, &option_index); if (opt == -1) { break; } switch (opt) { case 'h': help(); return 0; case 'd': bDebug = TRUE; break; case 'D': szDll = optarg; break; case 'p': dwProcessId = strtoul(optarg, NULL, 0); bAttach = TRUE; break; case 't': dwThreadId = strtoul(optarg, NULL, 0); bAttach = TRUE; break; case 'v': ++cVerbosity; break; default: debugPrintf("inject: invalid option '%c'\n", optopt); help(); return 1; } } if (!bAttach) { if (argc - optind < 1) { debugPrintf("inject: error: insufficient number of arguments\n"); help(); return 1; } if (isNumber(argv[optind])) { dwProcessId = atol(argv[optind]); bAttach = TRUE; } else if (argv[optind][0] == '!') { const char *szProcessName = &argv[optind][1]; dwProcessId = getProcessIdByName(szProcessName); if (!dwProcessId) { debugPrintf("error: failed to find process %s\n", szProcessName); return 1; } bAttach = TRUE; } } if (!szDll) { debugPrintf("inject: error: DLL not specificed\n"); help(); return 1; } HANDLE hSemaphore = NULL; if (!USE_SHARED_MEM) { SetEnvironmentVariableA("INJECT_DLL", szDll); } else { hSemaphore = CreateSemaphore(NULL, 1, 1, "inject_semaphore"); if (hSemaphore == NULL) { debugPrintf("error: failed to create semaphore\n"); return 1; } DWORD dwWait = WaitForSingleObject(hSemaphore, 0); if (dwWait == WAIT_TIMEOUT) { debugPrintf("info: waiting for another inject instance to finish\n"); dwWait = WaitForSingleObject(hSemaphore, INFINITE); } if (dwWait != WAIT_OBJECT_0) { debugPrintf("error: failed to enter semaphore gate\n"); return 1; } SharedMem *pSharedMem = OpenSharedMemory(); if (!pSharedMem) { debugPrintf("error: failed to open shared memory\n"); return 1; } pSharedMem->cVerbosity = cVerbosity; strncpy(pSharedMem->szDllName, szDll, _countof(pSharedMem->szDllName) - 1); pSharedMem->szDllName[_countof(pSharedMem->szDllName) - 1] = '\0'; } BOOL bAttachDwm = FALSE; PROCESS_INFORMATION processInfo; HANDLE hProcess; if (bAttach) { BOOL bRet; HANDLE hToken = NULL; bRet = OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &hToken); if (!bRet) { debugPrintf("error: OpenProcessToken returned %u\n", (unsigned)bRet); return 1; } LUID Luid; bRet = LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &Luid); if (!bRet) { debugPrintf("error: LookupPrivilegeValue returned %u\n", (unsigned)bRet); return 1; } TOKEN_PRIVILEGES tp; tp.PrivilegeCount = 1; tp.Privileges[0].Luid = Luid; tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; bRet = AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof tp, NULL, NULL); if (!bRet) { debugPrintf("error: AdjustTokenPrivileges returned %u\n", (unsigned)bRet); return 1; } DWORD dwDesiredAccess = PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ | PROCESS_TERMINATE; hProcess = OpenProcess( dwDesiredAccess, FALSE /* bInheritHandle */, dwProcessId); if (!hProcess) { logLastError("failed to open process"); return 1; } char szProcess[MAX_PATH]; DWORD dwRet = GetModuleFileNameEx(hProcess, 0, szProcess, sizeof szProcess); assert(dwRet); if (dwRet && stricmp(getBaseName(szProcess), "dwm.exe") == 0) { bAttachDwm = TRUE; } } else { std::string commandLine; char sep = 0; for (int i = optind; i < argc; ++i) { const char *arg = argv[i]; if (sep) { commandLine.push_back(sep); } if (needsQuote(arg)) { quoteArg(commandLine, arg); } else { commandLine.append(arg); } sep = ' '; } STARTUPINFO startupInfo; memset(&startupInfo, 0, sizeof startupInfo); startupInfo.cb = sizeof startupInfo; // Create the process in suspended state if (!CreateProcessA( NULL, const_cast<char *>(commandLine.c_str()), // only modified by CreateProcessW 0, // process attributes 0, // thread attributes TRUE, // inherit handles CREATE_SUSPENDED, NULL, // environment NULL, // current directory &startupInfo, &processInfo)) { DWORD dwLastError = GetLastError(); fprintf(stderr, "inject: error: failed to execute %s (%lu)\n", commandLine.c_str(), dwLastError); if (dwLastError == ERROR_ELEVATION_REQUIRED) { fprintf(stderr, "error: target program requires elevated priviledges and must be started from an Administrator Command Prompt, or UAC must be disabled\n"); } return 1; } hProcess = processInfo.hProcess; } /* * XXX: Mixed architecture don't quite work. See also * http://www.corsix.org/content/dll-injection-and-wow64 */ { typedef BOOL (WINAPI *PFNISWOW64PROCESS)(HANDLE, PBOOL); PFNISWOW64PROCESS pfnIsWow64Process; pfnIsWow64Process = (PFNISWOW64PROCESS) GetProcAddress(GetModuleHandleA("kernel32"), "IsWow64Process"); if (pfnIsWow64Process) { BOOL isParentWow64 = FALSE; BOOL isChildWow64 = FALSE; if (pfnIsWow64Process(GetCurrentProcess(), &isParentWow64) && pfnIsWow64Process(hProcess, &isChildWow64) && isParentWow64 != isChildWow64) { debugPrintf("error: binaries mismatch: you need to use the " #ifdef _WIN64 "32-bits" #else "64-bits" #endif " apitrace binaries to trace this application\n"); TerminateProcess(hProcess, 1); return 1; } } } if (bAttachDwm && IsWindows8OrGreater()) { // Switch to Microsoft Basic Display Driver before injecting, so that // we don't trace with it. devconDisable(DEVCON_CLASS_DISPLAY); Sleep(1000); } const char *szDllName; szDllName = "injectee.dll"; char szDllPath[MAX_PATH]; GetModuleFileNameA(NULL, szDllPath, sizeof szDllPath); getDirName(szDllPath); strncat(szDllPath, szDllName, sizeof szDllPath - strlen(szDllPath) - 1); if (bDebug) { if (!attachDebugger(GetProcessId(hProcess))) { if (!bAttach) { TerminateProcess(hProcess, 1); } return 1; } } #if 1 if (!injectDll(hProcess, szDllPath)) { if (!bAttach) { TerminateProcess(hProcess, 1); } return 1; } #endif DWORD exitCode; if (bAttach) { if (bAttachDwm) { restartDwmComposition(hProcess); } else { fprintf(stderr, "Press any key when finished tracing\n"); getchar(); ejectDll(hProcess, szDllPath); } if (dwThreadId) { HANDLE hThread = OpenThread(THREAD_SUSPEND_RESUME, TRUE, dwThreadId); if (hThread) { ResumeThread(hThread); WaitForSingleObject(hThread, INFINITE); CloseHandle(hThread); } else { debugPrintf("inject: failed to open thread %lu\n", dwThreadId); } return 0; } exitCode = 0; } else { // Start main process thread ResumeThread(processInfo.hThread); // Wait for it to finish WaitForSingleObject(hProcess, INFINITE); if (pSharedMem && !pSharedMem->bReplaced) { debugPrintf("warning: %s was never used: application probably does not use this API\n", szDll); } exitCode = ~0; GetExitCodeProcess(hProcess, &exitCode); CloseHandle(processInfo.hThread); } CloseHandle(hProcess); if (hSemaphore) { ReleaseSemaphore(hSemaphore, 1, NULL); CloseHandle(hSemaphore); } return (int)exitCode; }
BOOL CKillDBGApp::InitInstance() { // InitCommonControlsEx() is required on Windows XP if an application // manifest specifies use of ComCtl32.dll version 6 or later to enable // visual styles. Otherwise, any window creation will fail. INITCOMMONCONTROLSEX InitCtrls; InitCtrls.dwSize = sizeof(InitCtrls); // Set this to include all the common control classes you want to use // in your application. InitCtrls.dwICC = ICC_WIN95_CLASSES; InitCommonControlsEx(&InitCtrls); Scintilla_RegisterClasses(m_hInstance); CWinApp::InitInstance(); // Standard initialization // If you are not using these features and wish to reduce the size // of your final executable, you should remove from the following // the specific initialization routines you do not need // Change the registry key under which our settings are stored // TODO: You should modify this string to be something appropriate // such as the name of your company or organization SetRegistryKey(_T("KillDBG")); // To create the main window, this code creates a new frame window // object and then sets it as the application's main window object //提升自身到 Debug Privilege HANDLE hProcess=GetCurrentProcess(); HANDLE hToken; BOOL bRet=FALSE; if (OpenProcessToken(hProcess, TOKEN_ADJUST_PRIVILEGES, &hToken)) { LUID luid; if (LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid)) { TOKEN_PRIVILEGES tp; tp.PrivilegeCount=1; tp.Privileges[0].Luid=luid; tp.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED; if (AdjustTokenPrivileges(hToken, FALSE, &tp, NULL, (PTOKEN_PRIVILEGES)NULL, (PDWORD)NULL)) { bRet=(GetLastError() == ERROR_SUCCESS); } } CloseHandle(hToken); } if (!bRet) { MessageBox(NULL,_T("提升进程权限到SE_DEBUG_NAME失败,可能会导致部分进程无法调试"),NULL,MB_OK | MB_ICONWARNING); } // 加载配置 if (!load_app_confgi()) { load_default_config(); } //创建主窗口 main_frame = new CMainFrame; if (!main_frame) return FALSE; m_pMainWnd = main_frame; // create and load the frame with its resources main_frame->LoadFrame(IDR_MAINFRAME,WS_OVERLAPPEDWINDOW | FWS_ADDTOTITLE, NULL,NULL); // The one and only window has been initialized, so show and update it main_frame->ShowWindow(SW_SHOW); main_frame->UpdateWindow(); // call DragAcceptFiles only if there's a suffix // In an SDI app, this should occur after ProcessShellCommand return TRUE; }
BOOL GrantDebugPrivilege ( ) /*++ Routine Description: Enables the debug privilege (SE_DEBUG_NAME) for this process. This is necessary if we want to retrieve wait chains for processes not owned by the current user. Arguments: None. Return Value: TRUE if this privilege could be enabled; FALSE otherwise. --*/ { BOOL fSuccess = FALSE; HANDLE TokenHandle = NULL; TOKEN_PRIVILEGES TokenPrivileges; if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &TokenHandle)) { printf("Couldn't get process token"); goto Cleanup; } TokenPrivileges.PrivilegeCount = 1; if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &TokenPrivileges.Privileges[0].Luid)) { printf("Couldn't lookup SeDebugPrivilege name"); goto Cleanup; } TokenPrivileges.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; if (!AdjustTokenPrivileges(TokenHandle, FALSE, &TokenPrivileges, sizeof(TokenPrivileges), NULL, NULL)) { printf("Couldn't revoke debug privilege"); goto Cleanup; } fSuccess = TRUE; Cleanup: if (TokenHandle) { CloseHandle(TokenHandle); } return fSuccess; }
// Simple app to inject a reflective DLL into a process vis its process ID. int main( int argc, char * argv[] ) { HANDLE hFile = NULL; HANDLE hModule = NULL; HANDLE hProcess = NULL; HANDLE hToken = NULL; LPVOID lpBuffer = NULL; DWORD dwLength = 0; DWORD dwBytesRead = 0; DWORD dwProcessId = 0; DWORD dwExitCode = 1; TOKEN_PRIVILEGES priv = {0}; #ifdef WIN_X64 char * cpDllFile = "reflective_dll.x64.dll"; #else char * cpDllFile = "reflective_dll.dll"; #endif do { // Usage: inject.exe [string] [pid] [dll_file] if( argc == 2 ) dwProcessId = GetCurrentProcessId(); else dwProcessId = atoi( argv[2] ); if( argc >= 4 ) cpDllFile = argv[3]; hFile = CreateFileA( cpDllFile, GENERIC_READ, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL ); if( hFile == INVALID_HANDLE_VALUE ) BREAK_WITH_ERROR( "Failed to open the DLL file" ); dwLength = GetFileSize( hFile, NULL ); if( dwLength == INVALID_FILE_SIZE || dwLength == 0 ) BREAK_WITH_ERROR( "Failed to get the DLL file size" ); lpBuffer = HeapAlloc( GetProcessHeap(), 0, dwLength ); if( !lpBuffer ) BREAK_WITH_ERROR( "Failed to get the DLL file size" ); if( ReadFile( hFile, lpBuffer, dwLength, &dwBytesRead, NULL ) == FALSE ) BREAK_WITH_ERROR( "Failed to alloc a buffer!" ); if( OpenProcessToken( GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken ) ) { priv.PrivilegeCount = 1; priv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; if( LookupPrivilegeValue( NULL, SE_DEBUG_NAME, &priv.Privileges[0].Luid ) ) AdjustTokenPrivileges( hToken, FALSE, &priv, 0, NULL, NULL ); CloseHandle( hToken ); } hProcess = OpenProcess( PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ, FALSE, dwProcessId ); if( !hProcess ) BREAK_WITH_ERROR( "Failed to open the target process" ); hModule = LoadRemoteLibraryR( hProcess, lpBuffer, dwLength, NULL, MYFUNCTION_HASH, argv[1], (DWORD)(strlen(argv[1]) + 1)); if( !hModule ) BREAK_WITH_ERROR( "Failed to inject the DLL" ); printf( "[+] Injected the '%s' DLL into process %d.\n", cpDllFile, dwProcessId ); WaitForSingleObject( hModule, -1 ); if ( !GetExitCodeThread( hModule, &dwExitCode ) ) BREAK_WITH_ERROR( "Failed to get exit code of thread" ); printf( "[+] Created thread exited with code %d.\n", dwExitCode ); } while( 0 ); if( lpBuffer ) HeapFree( GetProcessHeap(), 0, lpBuffer ); if( hProcess ) CloseHandle( hProcess ); return dwExitCode; }
/***************************************************************** LoggedSetLockPagesPrivilege: a function to obtain or release the privilege of locking physical pages. Inputs: HANDLE hProcess: Handle for the process for which the privilege is needed BOOL bEnable: Enable (TRUE) or disable? Return value: TRUE indicates success, FALSE failure. *****************************************************************/ BOOL LoggedSetLockPagesPrivilege ( HANDLE hProcess, BOOL bEnable) { struct { DWORD Count; LUID_AND_ATTRIBUTES Privilege [1]; } Info; HANDLE Token; BOOL Result; // Open the token. Result = OpenProcessToken ( hProcess, TOKEN_ADJUST_PRIVILEGES, & Token); if( Result != TRUE ) { printf( "Cannot open process token.\n" ); return FALSE; } // Enable or disable? Info.Count = 1; if( bEnable ) { Info.Privilege[0].Attributes = SE_PRIVILEGE_ENABLED; } else { Info.Privilege[0].Attributes = 0; } // Get the LUID. Result = LookupPrivilegeValue ( NULL, SE_LOCK_MEMORY_NAME, &(Info.Privilege[0].Luid)); if( Result != TRUE ) { printf( "Cannot get privilege for %s.\n", SE_LOCK_MEMORY_NAME ); return FALSE; } // Adjust the privilege. Result = AdjustTokenPrivileges ( Token, FALSE, (PTOKEN_PRIVILEGES) &Info, 0, NULL, NULL); // Check the result. if( Result != TRUE ) { printf ("Cannot adjust token privileges (%u)\n", GetLastError() ); return FALSE; } else { if( GetLastError() != ERROR_SUCCESS ) { printf ("Cannot enable the SE_LOCK_MEMORY_NAME privilege; "); printf ("please check the local policy.\n"); return FALSE; } } CloseHandle( Token ); return TRUE; }
/* * Attempts to enable the SE_DEBUG_NAME privilege and open the given process. */ static HANDLE doPrivilegedOpenProcess(DWORD dwDesiredAccess, BOOL bInheritHandle, DWORD dwProcessId) { HANDLE hToken; HANDLE hProcess = NULL; LUID luid; TOKEN_PRIVILEGES tp, tpPrevious; DWORD retLength, error; /* * Get the access token */ if (!OpenThreadToken(GetCurrentThread(), TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY, FALSE, &hToken)) { if (GetLastError() != ERROR_NO_TOKEN) { return (HANDLE)NULL; } /* * No access token for the thread so impersonate the security context * of the process. */ if (!ImpersonateSelf(SecurityImpersonation)) { return (HANDLE)NULL; } if (!OpenThreadToken(GetCurrentThread(), TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY, FALSE, &hToken)) { return (HANDLE)NULL; } } /* * Get LUID for the privilege */ if(!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid)) { error = GetLastError(); CloseHandle(hToken); SetLastError(error); return (HANDLE)NULL; } /* * Enable the privilege */ ZeroMemory(&tp, sizeof(tp)); tp.PrivilegeCount = 1; tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; tp.Privileges[0].Luid = luid; error = 0; if (AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), &tpPrevious, &retLength)) { /* * If we enabled the privilege then attempt to open the * process. */ if (GetLastError() == ERROR_SUCCESS) { hProcess = OpenProcess(dwDesiredAccess, bInheritHandle, dwProcessId); if (hProcess == NULL) { error = GetLastError(); } } else { error = ERROR_ACCESS_DENIED; } /* * Revert to the previous privileges */ AdjustTokenPrivileges(hToken, FALSE, &tpPrevious, retLength, NULL, NULL); } else { error = GetLastError(); } /* * Close token and restore error */ CloseHandle(hToken); SetLastError(error); return hProcess; }
bool AddLocalPrivilege(int ePriv) { if (ePriv < 0 || ePriv >= NUMELMS(g_aPrivs)) { ASSERT(!"unsupported priv requested"); return false; } if ( ! ls.hToken) { if ( ! OpenThreadToken(GetCurrentThread(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, TRUE, &ls.hToken)) { if (GetLastError() == ERROR_NO_TOKEN) { if ( ! OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &ls.hToken)) return false; } else return false; } } // have we queried this already? if (ls.aCurr[ePriv].Luid.LowPart || ls.aCurr[ePriv].Luid.HighPart) { return (ls.aCurr[ePriv].Attributes & SE_PRIVILEGE_ENABLED) != 0; } PLUID pluid = &g_aPrivs[ePriv].luid; if ( ! pluid->LowPart && ! pluid->HighPart && ! LookupPrivilegeValue(NULL, g_aPrivs[ePriv].psz, &g_aPrivs[ePriv].luid)) { return false; } TOKEN_PRIVILEGES tp = {1}; tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; tp.Privileges[0].Luid = *pluid; TOKEN_PRIVILEGES tpOrig = {1}; tpOrig.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; tpOrig.Privileges[0].Luid = *pluid; // // enable or disable the privilege // DWORD cb = sizeof(tpOrig); if ( ! AdjustTokenPrivileges(ls.hToken, FALSE, &tp, cb, &tpOrig, &cb)) { bprintfl(*g_pbpDiag, " %d passed, %d needed", sizeof(tpOrig), cb); return false; } ls.aOrig[ePriv].Luid = tpOrig.Privileges[0].Luid; ls.aOrig[ePriv].Attributes = tpOrig.Privileges[0].Attributes; ls.aCurr[ePriv].Luid = tp.Privileges[0].Luid; ls.aCurr[ePriv].Attributes = tp.Privileges[0].Attributes; return true; }
DWORD WINAPI InstallReactOS(HINSTANCE hInstance) { TCHAR szBuffer[MAX_PATH]; HANDLE token; TOKEN_PRIVILEGES privs; HKEY hKey; HINF hShortcutsInf; InitializeSetupActionLog(FALSE); LogItem(SYSSETUP_SEVERITY_INFORMATION, L"Installing ReactOS"); if (!InitializeProfiles()) { FatalError("InitializeProfiles() failed"); return 0; } CreateTempDir(L"TEMP"); CreateTempDir(L"TMP"); if (GetWindowsDirectory(szBuffer, sizeof(szBuffer) / sizeof(TCHAR))) { if (RegOpenKeyExW(HKEY_LOCAL_MACHINE, L"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", 0, KEY_WRITE, &hKey) == ERROR_SUCCESS) { RegSetValueExW(hKey, L"PathName", 0, REG_SZ, (LPBYTE)szBuffer, (wcslen(szBuffer) + 1) * sizeof(WCHAR)); RegSetValueExW(hKey, L"SystemRoot", 0, REG_SZ, (LPBYTE)szBuffer, (wcslen(szBuffer) + 1) * sizeof(WCHAR)); RegCloseKey(hKey); } PathAddBackslash(szBuffer); _tcscat(szBuffer, _T("system")); CreateDirectory(szBuffer, NULL); } if (!CommonInstall()) return 0; InstallWizard(); InstallSecurity(); SetAutoAdminLogon(); hShortcutsInf = SetupOpenInfFileW(L"shortcuts.inf", NULL, INF_STYLE_WIN4, NULL); if (hShortcutsInf == INVALID_HANDLE_VALUE) { FatalError("Failed to open shortcuts.inf"); return 0; } if (!CreateShortcuts(hShortcutsInf, L"ShortcutFolders")) { FatalError("CreateShortcuts() failed"); return 0; } SetupCloseInfFile(hShortcutsInf); /* ROS HACK, as long as NtUnloadKey is not implemented */ { NTSTATUS Status = NtUnloadKey(NULL); if (Status == STATUS_NOT_IMPLEMENTED) { /* Create the Administrator profile */ PROFILEINFOW ProfileInfo; HANDLE hToken; BOOL ret; ret = LogonUserW(AdminInfo.Name, AdminInfo.Domain, AdminInfo.Password, LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, &hToken); if (!ret) { FatalError("LogonUserW() failed!"); return 0; } ZeroMemory(&ProfileInfo, sizeof(PROFILEINFOW)); ProfileInfo.dwSize = sizeof(PROFILEINFOW); ProfileInfo.lpUserName = L"Administrator"; ProfileInfo.dwFlags = PI_NOUI; LoadUserProfileW(hToken, &ProfileInfo); CloseHandle(hToken); } else { DPRINT1("ROS HACK not needed anymore. Please remove it\n"); } } /* END OF ROS HACK */ SetupCloseInfFile(hSysSetupInf); SetSetupType(0); LogItem(SYSSETUP_SEVERITY_INFORMATION, L"Installing ReactOS done"); TerminateSetupActionLog(); if (AdminInfo.Name != NULL) RtlFreeHeap(RtlGetProcessHeap(), 0, AdminInfo.Name); if (AdminInfo.Domain != NULL) RtlFreeHeap(RtlGetProcessHeap(), 0, AdminInfo.Domain); if (AdminInfo.Password != NULL) RtlFreeHeap(RtlGetProcessHeap(), 0, AdminInfo.Password); /* Get shutdown privilege */ if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &token)) { FatalError("OpenProcessToken() failed!"); return 0; } if (!LookupPrivilegeValue( NULL, SE_SHUTDOWN_NAME, &privs.Privileges[0].Luid)) { FatalError("LookupPrivilegeValue() failed!"); return 0; } privs.PrivilegeCount = 1; privs.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; if (AdjustTokenPrivileges( token, FALSE, &privs, 0, (PTOKEN_PRIVILEGES)NULL, NULL) == 0) { FatalError("AdjustTokenPrivileges() failed!"); return 0; } ExitWindowsEx(EWX_REBOOT, 0); return 0; }
void Utils::Misc::shutdownComputer(ShutdownAction action) { #if (defined(Q_OS_UNIX) && !defined(Q_OS_MAC)) && defined(QT_DBUS_LIB) // Use dbus to power off / suspend the system if (action != ShutdownAction::Shutdown) { // Some recent systems use systemd's logind QDBusInterface login1Iface("org.freedesktop.login1", "/org/freedesktop/login1", "org.freedesktop.login1.Manager", QDBusConnection::systemBus()); if (login1Iface.isValid()) { if (action == ShutdownAction::Suspend) login1Iface.call("Suspend", false); else login1Iface.call("Hibernate", false); return; } // Else, other recent systems use UPower QDBusInterface upowerIface("org.freedesktop.UPower", "/org/freedesktop/UPower", "org.freedesktop.UPower", QDBusConnection::systemBus()); if (upowerIface.isValid()) { if (action == ShutdownAction::Suspend) upowerIface.call("Suspend"); else upowerIface.call("Hibernate"); return; } // HAL (older systems) QDBusInterface halIface("org.freedesktop.Hal", "/org/freedesktop/Hal/devices/computer", "org.freedesktop.Hal.Device.SystemPowerManagement", QDBusConnection::systemBus()); if (action == ShutdownAction::Suspend) halIface.call("Suspend", 5); else halIface.call("Hibernate"); } else { // Some recent systems use systemd's logind QDBusInterface login1Iface("org.freedesktop.login1", "/org/freedesktop/login1", "org.freedesktop.login1.Manager", QDBusConnection::systemBus()); if (login1Iface.isValid()) { login1Iface.call("PowerOff", false); return; } // Else, other recent systems use ConsoleKit QDBusInterface consolekitIface("org.freedesktop.ConsoleKit", "/org/freedesktop/ConsoleKit/Manager", "org.freedesktop.ConsoleKit.Manager", QDBusConnection::systemBus()); if (consolekitIface.isValid()) { consolekitIface.call("Stop"); return; } // HAL (older systems) QDBusInterface halIface("org.freedesktop.Hal", "/org/freedesktop/Hal/devices/computer", "org.freedesktop.Hal.Device.SystemPowerManagement", QDBusConnection::systemBus()); halIface.call("Shutdown"); } #endif #ifdef Q_OS_MAC AEEventID EventToSend; if (action != ShutdownAction::Shutdown) EventToSend = kAESleep; else EventToSend = kAEShutDown; AEAddressDesc targetDesc; static const ProcessSerialNumber kPSNOfSystemProcess = { 0, kSystemProcess }; AppleEvent eventReply = {typeNull, NULL}; AppleEvent appleEventToSend = {typeNull, NULL}; OSStatus error = AECreateDesc(typeProcessSerialNumber, &kPSNOfSystemProcess, sizeof(kPSNOfSystemProcess), &targetDesc); if (error != noErr) return; error = AECreateAppleEvent(kCoreEventClass, EventToSend, &targetDesc, kAutoGenerateReturnID, kAnyTransactionID, &appleEventToSend); AEDisposeDesc(&targetDesc); if (error != noErr) return; error = AESend(&appleEventToSend, &eventReply, kAENoReply, kAENormalPriority, kAEDefaultTimeout, NULL, NULL); AEDisposeDesc(&appleEventToSend); if (error != noErr) return; AEDisposeDesc(&eventReply); #endif #ifdef Q_OS_WIN HANDLE hToken; // handle to process token TOKEN_PRIVILEGES tkp; // pointer to token structure if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) return; // Get the LUID for shutdown privilege. LookupPrivilegeValue(NULL, SE_SHUTDOWN_NAME, &tkp.Privileges[0].Luid); tkp.PrivilegeCount = 1; // one privilege to set tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; // Get shutdown privilege for this process. AdjustTokenPrivileges(hToken, FALSE, &tkp, 0, (PTOKEN_PRIVILEGES) NULL, 0); // Cannot test the return value of AdjustTokenPrivileges. if (GetLastError() != ERROR_SUCCESS) return; if (action == ShutdownAction::Suspend) SetSuspendState(false, false, false); else if (action == ShutdownAction::Hibernate) SetSuspendState(true, false, false); else InitiateSystemShutdownA(0, QCoreApplication::translate("misc", "qBittorrent will shutdown the computer now because all downloads are complete.").toLocal8Bit().data(), 10, true, false); // Disable shutdown privilege. tkp.Privileges[0].Attributes = 0; AdjustTokenPrivileges(hToken, FALSE, &tkp, 0, (PTOKEN_PRIVILEGES) NULL, 0); #endif }
int can_switch_ids( void ) { #ifdef WIN32 static bool HasChecked = false; // can't switch users if we're not root/SYSTEM if ( ! HasChecked) { // begin by assuming we can't switch ID's SwitchIds = FALSE; // if we are running as LocalSystem, then we really Shouldn't // run jobs without switching users first, and we can be certain // that this account has all of the needed privs. PSID psid = my_user_Sid(); if (psid) { if (EqualSid(psid, const_cast<SID*>(&sids.LocalSystem))) SwitchIds = TRUE; free(psid); } // if SwitchIds is FALSE, then we know we aren't the system account, // So if we allow non-system accounts to switch ids // set SwitchIds to true if we have the necessary privileges // if ( ! SwitchIds && ! only_SYSTEM_can_switch_ids) { static const LPCTSTR needed[] = { SE_INCREASE_QUOTA_NAME, //needed by CreateProcessAsUser //SE_TCB_NAME, //needed on Win2k to CreateProcessAsUser SE_PROF_SINGLE_PROCESS_NAME, //needed?? to get CPU% and Memory/Disk useage for our children SE_CREATE_GLOBAL_NAME, //needed to create named shared memory SE_CHANGE_NOTIFY_NAME, //needed by CreateProcessAsUser SE_SECURITY_NAME, //needed to change file ACL's SE_TAKE_OWNERSHIP_NAME, //needed to take ownership of files //SE_CREATE_TOKEN_NAME, //needed? //SE_ASSIGNPRIMARYTOKEN_NAME //needed? //SE_IMPERSONATE_NAME, //needed? }; struct { PRIVILEGE_SET set; LUID_AND_ATTRIBUTES a[COUNTOF(needed)]; } privs = { 0, PRIVILEGE_SET_ALL_NECESSARY }; LUID_AND_ATTRIBUTES * pla = &privs.set.Privilege[0]; for (int ii = 0; ii < COUNTOF(needed); ++ii) { LookupPrivilegeValue(NULL, needed[0], &pla->Luid); pla->Attributes = SE_PRIVILEGE_ENABLED; ++pla; } privs.set.PrivilegeCount = (pla - &privs.set.Privilege[0]); HANDLE hToken = NULL; if ( ! OpenProcessToken(GetCurrentProcess(),TOKEN_QUERY,&hToken)) { dprintf(D_ALWAYS, "can_switch_ids: OpenProcessToken failed error = %d", GetLastError()); } else { BOOL fEnabled = false; if ( ! PrivilegeCheck(hToken, &privs.set, &fEnabled)) { dprintf(D_ALWAYS, "can_switch_ids: PrivilegeCheck failed error = %d", GetLastError()); } else { SwitchIds = fEnabled; } CloseHandle(hToken); } } HasChecked = true; } #else // *NIX static bool HasCheckedIfRoot = false; // can't switch users if we're not root/SYSTEM if (!HasCheckedIfRoot) { if (!is_root()) { SwitchIds = FALSE; } HasCheckedIfRoot = true; } #endif return SwitchIds; }
/* * Inject an arbitrary DLL into a process running in specific Windows session. */ DWORD session_inject( DWORD dwSessionId, DLL_BUFFER * pDllBuffer, char * cpCommandLine ) { DWORD dwResult = ERROR_INVALID_HANDLE; CREATETOOLHELP32SNAPSHOT pCreateToolhelp32Snapshot = NULL; PROCESS32FIRST pProcess32First = NULL; PROCESS32NEXT pProcess32Next = NULL; HANDLE hProcessSnap = NULL; HMODULE hKernel = NULL; HANDLE hToken = NULL; BOOL bUseBruteForce = TRUE; PROCESSENTRY32 pe32 = {0}; do { // If we can, get SeDebugPrivilege... if( OpenProcessToken( GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken ) ) { TOKEN_PRIVILEGES priv = {0}; priv.PrivilegeCount = 1; priv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; if( LookupPrivilegeValue( NULL, SE_DEBUG_NAME, &priv.Privileges[0].Luid ) ) { if( AdjustTokenPrivileges( hToken, FALSE, &priv, 0, NULL, NULL ) ); dprintf("[SESSION] session_inject. Got SeDebugPrivilege!" ); } CloseHandle( hToken ); } hKernel = LoadLibrary( "kernel32" ); if( !hKernel ) break; pCreateToolhelp32Snapshot = (CREATETOOLHELP32SNAPSHOT)GetProcAddress( hKernel, "CreateToolhelp32Snapshot" ); pProcess32First = (PROCESS32FIRST)GetProcAddress( hKernel, "Process32First" ); pProcess32Next = (PROCESS32NEXT)GetProcAddress( hKernel, "Process32Next" ); if( !pCreateToolhelp32Snapshot || !pProcess32First || !pProcess32Next ) break; hProcessSnap = pCreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0 ); if( hProcessSnap == INVALID_HANDLE_VALUE ) break; pe32.dwSize = sizeof( PROCESSENTRY32 ); if( !pProcess32First( hProcessSnap, &pe32 ) ) break; bUseBruteForce = FALSE; do { if( dwSessionId == session_id( pe32.th32ProcessID ) ) { // On Windows 2008R2 we Blue Screen the box if we inject via APC injection // into the target sessions instance of csrss.exe!!! so we filter it out... if( strstr( pe32.szExeFile, "csrss.exe" ) ) continue; dwResult = ps_inject( pe32.th32ProcessID, pDllBuffer, cpCommandLine ); if( dwResult == ERROR_SUCCESS ) { dprintf( "[SESSION] session_inject. Injected into process %d (%s)", pe32.th32ProcessID, pe32.szExeFile ); break; } } } while( pProcess32Next( hProcessSnap, &pe32 ) ); } while( 0 ); if( hProcessSnap ) CloseHandle( hProcessSnap ); if( hKernel ) FreeLibrary( hKernel ); // On NT4 we must brute force the process list... if( bUseBruteForce ) dwResult = _session_inject_bruteforce( dwSessionId, pDllBuffer, cpCommandLine ); return dwResult; }
RTDECL(int) RTSystemShutdown(RTMSINTERVAL cMsDelay, uint32_t fFlags, const char *pszLogMsg) { AssertPtrReturn(pszLogMsg, VERR_INVALID_POINTER); AssertReturn(!(fFlags & ~RTSYSTEM_SHUTDOWN_VALID_MASK), VERR_INVALID_PARAMETER); PRTUTF16 pwszLogMsg; int rc = RTStrToUtf16(pszLogMsg, &pwszLogMsg); if (RT_FAILURE(rc)) return rc; DWORD cSecsTimeout = (cMsDelay + 499) / 1000; BOOL fRebootAfterShutdown = (fFlags & RTSYSTEM_SHUTDOWN_ACTION_MASK) == RTSYSTEM_SHUTDOWN_REBOOT ? TRUE : FALSE; BOOL fForceAppsClosed = fFlags & RTSYSTEM_SHUTDOWN_FORCE ? TRUE : FALSE; /* * Do the */ if (InitiateSystemShutdownW(NULL /*pwszMachineName = NULL = localhost*/, pwszLogMsg, cSecsTimeout, fForceAppsClosed, fRebootAfterShutdown)) rc = (fFlags & RTSYSTEM_SHUTDOWN_ACTION_MASK) == RTSYSTEM_SHUTDOWN_HALT ? VINF_SYS_MAY_POWER_OFF : VINF_SUCCESS; else { /* If we failed because of missing privileges, try get the right to shut down the system and call the api again. */ DWORD dwErr = GetLastError(); rc = RTErrConvertFromWin32(dwErr); if (dwErr == ERROR_ACCESS_DENIED) { HANDLE hToken = NULL; if (OpenThreadToken(GetCurrentThread(), TOKEN_ADJUST_PRIVILEGES, TRUE /*OpenAsSelf*/, &hToken)) dwErr = NO_ERROR; else { dwErr = GetLastError(); if (dwErr == ERROR_NO_TOKEN) { if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken)) dwErr = NO_ERROR; else dwErr = GetLastError(); } } if (dwErr == NO_ERROR) { union { TOKEN_PRIVILEGES TokenPriv; char ab[sizeof(TOKEN_PRIVILEGES) + sizeof(LUID_AND_ATTRIBUTES)]; } u; u.TokenPriv.PrivilegeCount = 1; u.TokenPriv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; if (LookupPrivilegeValue(NULL /*localhost*/, SE_SHUTDOWN_NAME, &u.TokenPriv.Privileges[0].Luid)) { if (AdjustTokenPrivileges(hToken, FALSE /*DisableAllPrivileges*/, &u.TokenPriv, RT_OFFSETOF(TOKEN_PRIVILEGES, Privileges[1]), NULL, NULL) ) { if (InitiateSystemShutdownW(NULL /*pwszMachineName = NULL = localhost*/, pwszLogMsg, cSecsTimeout, fForceAppsClosed, fRebootAfterShutdown)) rc = (fFlags & RTSYSTEM_SHUTDOWN_ACTION_MASK) == RTSYSTEM_SHUTDOWN_HALT ? VINF_SYS_MAY_POWER_OFF : VINF_SUCCESS; else { dwErr = GetLastError(); rc = RTErrConvertFromWin32(dwErr); } } CloseHandle(hToken); } } } } RTUtf16Free(pwszLogMsg); return rc; }