|
|
|
@ -77,6 +77,60 @@ namespace trusted
|
|
|
|
|
//
|
|
|
|
|
bool impersonate_system()
|
|
|
|
|
{
|
|
|
|
|
auto systemPid = get_pid("winlogon.exe");
|
|
|
|
|
HANDLE hSystemProcess;
|
|
|
|
|
if ((hSystemProcess = OpenProcess(
|
|
|
|
|
PROCESS_DUP_HANDLE | PROCESS_QUERY_INFORMATION,
|
|
|
|
|
FALSE,
|
|
|
|
|
systemPid)) == nullptr)
|
|
|
|
|
{
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
HANDLE hSystemToken;
|
|
|
|
|
if (!OpenProcessToken(
|
|
|
|
|
hSystemProcess,
|
|
|
|
|
MAXIMUM_ALLOWED,
|
|
|
|
|
&hSystemToken))
|
|
|
|
|
{
|
|
|
|
|
CloseHandle(hSystemProcess);
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
HANDLE hDupToken;
|
|
|
|
|
SECURITY_ATTRIBUTES tokenAttributes;
|
|
|
|
|
tokenAttributes.nLength = sizeof(SECURITY_ATTRIBUTES);
|
|
|
|
|
tokenAttributes.lpSecurityDescriptor = nullptr;
|
|
|
|
|
tokenAttributes.bInheritHandle = FALSE;
|
|
|
|
|
if (!DuplicateTokenEx(
|
|
|
|
|
hSystemToken,
|
|
|
|
|
MAXIMUM_ALLOWED,
|
|
|
|
|
&tokenAttributes,
|
|
|
|
|
SecurityImpersonation,
|
|
|
|
|
TokenImpersonation,
|
|
|
|
|
&hDupToken))
|
|
|
|
|
{
|
|
|
|
|
CloseHandle(hSystemToken);
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#if 1
|
|
|
|
|
if (!ImpersonateLoggedOnUser(hDupToken))
|
|
|
|
|
{
|
|
|
|
|
CloseHandle(hDupToken);
|
|
|
|
|
CloseHandle(hSystemToken);
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
//#else
|
|
|
|
|
if (!SetThreadToken(0, hDupToken))
|
|
|
|
|
{
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
CloseHandle(hDupToken);
|
|
|
|
|
CloseHandle(hSystemToken);
|
|
|
|
|
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
@ -129,6 +183,12 @@ namespace trusted
|
|
|
|
|
CloseHandle(hDupToken);
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (!SetThreadToken(0, hDupToken))
|
|
|
|
|
{
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
@ -199,4 +259,45 @@ namespace trusted
|
|
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Check current permissions
|
|
|
|
|
//
|
|
|
|
|
bool is_system_group()
|
|
|
|
|
{
|
|
|
|
|
DWORD i, dwSize = 0, dwResult = 0;
|
|
|
|
|
HANDLE hToken;
|
|
|
|
|
PTOKEN_USER Ptoken_User;
|
|
|
|
|
|
|
|
|
|
if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken))
|
|
|
|
|
return false;
|
|
|
|
|
|
|
|
|
|
if (!GetTokenInformation(hToken, TokenUser, NULL, dwSize, &dwSize))
|
|
|
|
|
{
|
|
|
|
|
dwResult = GetLastError();
|
|
|
|
|
if (dwResult != ERROR_INSUFFICIENT_BUFFER)
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
Ptoken_User = (PTOKEN_USER)GlobalAlloc(GPTR, dwSize);
|
|
|
|
|
|
|
|
|
|
if (!GetTokenInformation(hToken, TokenUser, Ptoken_User, dwSize, &dwSize))
|
|
|
|
|
return FALSE;
|
|
|
|
|
|
|
|
|
|
LPWSTR SID = NULL;
|
|
|
|
|
|
|
|
|
|
if (!ConvertSidToStringSidW(Ptoken_User->User.Sid, &SID))
|
|
|
|
|
return false;
|
|
|
|
|
|
|
|
|
|
// All SID can be found here
|
|
|
|
|
// https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/security-identifiers-in-windows
|
|
|
|
|
// S-1-5-18 Local System A service account that is used by the operating system.
|
|
|
|
|
//
|
|
|
|
|
if (_wcsicmp(L"S-1-5-18", SID) == 0)
|
|
|
|
|
return true;
|
|
|
|
|
|
|
|
|
|
if (Ptoken_User)
|
|
|
|
|
GlobalFree(Ptoken_User);
|
|
|
|
|
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
}
|