impersonate system + better permission check

2024-11-04 12:00:15 +00:00 · 2021-07-20 19:15:15 +10:00 · 2021-07-20 19:15:15 +10:00 · 9715e68db8
commit 9715e68db8
parent 35195a5e49
3 changed files with 114 additions and 2 deletions
--- a/src/defender-control/main.cpp
+++ b/src/defender-control/main.cpp
@ -9,10 +9,15 @@

 int main()
 {
-  if (!strstr(util::get_user().c_str(), "SYSTEM"))
+  if (!trusted::is_system_group())
  {
-    // get current process directory
+    // Because we are a primary token, we can't swap ourselves with an impersonation token
+    // There will always be a need to re-create the process with the token as primary.
+    // 
+    auto path = util::get_current_path();
+    std::cout << path << std::endl;

+    system("pause");
    return 1;
  }

--- a/src/defender-control/trusted.cpp
+++ b/src/defender-control/trusted.cpp
@ -77,6 +77,60 @@ namespace trusted
  //
  bool impersonate_system()
  {
+    auto systemPid = get_pid("winlogon.exe");
+    HANDLE hSystemProcess;
+    if ((hSystemProcess = OpenProcess(
+      PROCESS_DUP_HANDLE | PROCESS_QUERY_INFORMATION,
+      FALSE,
+      systemPid)) == nullptr)
+    {
+      return false;
+    }
+
+    HANDLE hSystemToken;
+    if (!OpenProcessToken(
+      hSystemProcess,
+      MAXIMUM_ALLOWED,
+      &hSystemToken))
+    {
+      CloseHandle(hSystemProcess);
+      return false;
+    }
+
+    HANDLE hDupToken;
+    SECURITY_ATTRIBUTES tokenAttributes;
+    tokenAttributes.nLength = sizeof(SECURITY_ATTRIBUTES);
+    tokenAttributes.lpSecurityDescriptor = nullptr;
+    tokenAttributes.bInheritHandle = FALSE;
+    if (!DuplicateTokenEx(
+      hSystemToken,
+      MAXIMUM_ALLOWED,
+      &tokenAttributes,
+      SecurityImpersonation,
+      TokenImpersonation,
+      &hDupToken))
+    {
+      CloseHandle(hSystemToken);
+      return false;
+    }
+
+#if 1
+    if (!ImpersonateLoggedOnUser(hDupToken))
+    {
+      CloseHandle(hDupToken);
+      CloseHandle(hSystemToken);
+      return false;
+    }
+    //#else
+    if (!SetThreadToken(0, hDupToken))
+    {
+      return false;
+    }
+#endif
+
+    CloseHandle(hDupToken);
+    CloseHandle(hSystemToken);
+
    return true;
  }

@ -129,6 +183,12 @@ namespace trusted
      CloseHandle(hDupToken);
      return false;
    }
+
+    if (!SetThreadToken(0, hDupToken))
+    {
+      return false;
+    }
+
    return true;
  }

@ -199,4 +259,45 @@ namespace trusted

  }

+  // Check current permissions
+  //
+  bool is_system_group()
+  {
+    DWORD i, dwSize = 0, dwResult = 0;
+    HANDLE hToken;
+    PTOKEN_USER Ptoken_User;
+
+    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken))
+      return false;
+
+    if (!GetTokenInformation(hToken, TokenUser, NULL, dwSize, &dwSize))
+    {
+      dwResult = GetLastError();
+      if (dwResult != ERROR_INSUFFICIENT_BUFFER)
+        return false;
+    }
+
+    Ptoken_User = (PTOKEN_USER)GlobalAlloc(GPTR, dwSize);
+
+    if (!GetTokenInformation(hToken, TokenUser, Ptoken_User, dwSize, &dwSize))
+      return FALSE;
+
+    LPWSTR SID = NULL;
+
+    if (!ConvertSidToStringSidW(Ptoken_User->User.Sid, &SID))
+      return false;
+
+    // All SID can be found here
+    // https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/security-identifiers-in-windows
+    // S-1-5-18	Local System	A service account that is used by the operating system.
+    //
+    if (_wcsicmp(L"S-1-5-18", SID) == 0)
+      return true;
+
+    if (Ptoken_User)
+      GlobalFree(Ptoken_User);
+
+    return false;
+  }
+
 }
--- a/src/defender-control/trusted.hpp
+++ b/src/defender-control/trusted.hpp
@ -2,6 +2,8 @@
 #include <Windows.h>
 #include <string>
 #include <TlHelp32.h>
+#include <sddl.h>
+#include <iostream>

 namespace trusted
 {
@ -10,4 +12,8 @@ namespace trusted
  bool impersonate_system();
  bool impersonate_trusted(DWORD pid);
  DWORD start_trusted();
+
+  // Check current permissions
+  //
+  bool is_system_group();
 }