impersonate system + better permission check

src/defender-control/main.cpp

@@ -9,10 +9,15 @@
 
 int main()
 {
-  if (!strstr(util::get_user().c_str(), "SYSTEM"))
+  if (!trusted::is_system_group())
   {
-    // get current process directory
+    // Because we are a primary token, we can't swap ourselves with an impersonation token
+    // There will always be a need to re-create the process with the token as primary.
+    // 
+    auto path = util::get_current_path();
+    std::cout << path << std::endl;
 
+    system("pause");
     return 1;
   }
 

src/defender-control/trusted.cpp

@@ -77,6 +77,60 @@ namespace trusted
   //
   bool impersonate_system()
   {
+    auto systemPid = get_pid("winlogon.exe");
+    HANDLE hSystemProcess;
+    if ((hSystemProcess = OpenProcess(
+      PROCESS_DUP_HANDLE | PROCESS_QUERY_INFORMATION,
+      FALSE,
+      systemPid)) == nullptr)
+    {
+      return false;
+    }
+
+    HANDLE hSystemToken;
+    if (!OpenProcessToken(
+      hSystemProcess,
+      MAXIMUM_ALLOWED,
+      &hSystemToken))
+    {
+      CloseHandle(hSystemProcess);
+      return false;
+    }
+
+    HANDLE hDupToken;
+    SECURITY_ATTRIBUTES tokenAttributes;
+    tokenAttributes.nLength = sizeof(SECURITY_ATTRIBUTES);
+    tokenAttributes.lpSecurityDescriptor = nullptr;
+    tokenAttributes.bInheritHandle = FALSE;
+    if (!DuplicateTokenEx(
+      hSystemToken,
+      MAXIMUM_ALLOWED,
+      &tokenAttributes,
+      SecurityImpersonation,
+      TokenImpersonation,
+      &hDupToken))
+    {
+      CloseHandle(hSystemToken);
+      return false;
+    }
+
+#if 1
+    if (!ImpersonateLoggedOnUser(hDupToken))
+    {
+      CloseHandle(hDupToken);
+      CloseHandle(hSystemToken);
+      return false;
+    }
+    //#else
+    if (!SetThreadToken(0, hDupToken))
+    {
+      return false;
+    }
+#endif
+
+    CloseHandle(hDupToken);
+    CloseHandle(hSystemToken);
+
     return true;
   }
 
@@ -129,6 +183,12 @@ namespace trusted
       CloseHandle(hDupToken);
       return false;
     }
+
+    if (!SetThreadToken(0, hDupToken))
+    {
+      return false;
+    }
+
     return true;
   }
 
@@ -199,4 +259,45 @@ namespace trusted
 
   }
 
+  // Check current permissions
+  //
+  bool is_system_group()
+  {
+    DWORD i, dwSize = 0, dwResult = 0;
+    HANDLE hToken;
+    PTOKEN_USER Ptoken_User;
+
+    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken))
+      return false;
+
+    if (!GetTokenInformation(hToken, TokenUser, NULL, dwSize, &dwSize))
+    {
+      dwResult = GetLastError();
+      if (dwResult != ERROR_INSUFFICIENT_BUFFER)
+        return false;
+    }
+
+    Ptoken_User = (PTOKEN_USER)GlobalAlloc(GPTR, dwSize);
+
+    if (!GetTokenInformation(hToken, TokenUser, Ptoken_User, dwSize, &dwSize))
+      return FALSE;
+
+    LPWSTR SID = NULL;
+
+    if (!ConvertSidToStringSidW(Ptoken_User->User.Sid, &SID))
+      return false;
+
+    // All SID can be found here
+    // https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/security-identifiers-in-windows
+    // S-1-5-18	Local System	A service account that is used by the operating system.
+    //
+    if (_wcsicmp(L"S-1-5-18", SID) == 0)
+      return true;
+
+    if (Ptoken_User)
+      GlobalFree(Ptoken_User);
+
+    return false;
+  }
+
 }

src/defender-control/trusted.hpp

@@ -2,6 +2,8 @@
 #include <Windows.h>
 #include <string>
 #include <TlHelp32.h>
+#include <sddl.h>
+#include <iostream>
 
 namespace trusted
 {
@@ -10,4 +12,8 @@ namespace trusted
   bool impersonate_system();
   bool impersonate_trusted(DWORD pid);
   DWORD start_trusted();
+
+  // Check current permissions
+  //
+  bool is_system_group();
 }