diff --git a/src/defender-control/main.cpp b/src/defender-control/main.cpp
index 89abbdc..aedc1ea 100644
--- a/src/defender-control/main.cpp
+++ b/src/defender-control/main.cpp
@@ -9,10 +9,15 @@ int main()
  {
- if (!strstr(util::get_user().c_str(), "SYSTEM"))
+ if (!trusted::is_system_group())
  {
- // get current process directory
+ // Because we are a primary token, we can't swap ourselves with an impersonation token
+ // There will always be a need to re-create the process with the token as primary.
+ //
+ auto path = util::get_current_path();
+ std::cout << path << std::endl;
+ system("pause");
  return 1;
  }
diff --git a/src/defender-control/trusted.cpp b/src/defender-control/trusted.cpp
index 9759cdc..1ebbd6e 100644
--- a/src/defender-control/trusted.cpp
+++ b/src/defender-control/trusted.cpp
@@ -77,6 +77,60 @@ namespace trusted
  //
  bool impersonate_system()
  {
+ auto systemPid = get_pid("winlogon.exe");
+ HANDLE hSystemProcess;
+ if ((hSystemProcess = OpenProcess(
+ PROCESS_DUP_HANDLE | PROCESS_QUERY_INFORMATION,
+ FALSE,
+ systemPid)) == nullptr)
+ {
+ return false;
+ }
+
+ HANDLE hSystemToken;
+ if (!OpenProcessToken(
+ hSystemProcess,
+ MAXIMUM_ALLOWED,
+ &hSystemToken))
+ {
+ CloseHandle(hSystemProcess);
+ return false;
+ }
+
+ HANDLE hDupToken;
+ SECURITY_ATTRIBUTES tokenAttributes;
+ tokenAttributes.nLength = sizeof(SECURITY_ATTRIBUTES);
+ tokenAttributes.lpSecurityDescriptor = nullptr;
+ tokenAttributes.bInheritHandle = FALSE;
+ if (!DuplicateTokenEx(
+ hSystemToken,
+ MAXIMUM_ALLOWED,
+ &tokenAttributes,
+ SecurityImpersonation,
+ TokenImpersonation,
+ &hDupToken))
+ {
+ CloseHandle(hSystemToken);
+ return false;
+ }
+
+#if 1
+ if (!ImpersonateLoggedOnUser(hDupToken))
+ {
+ CloseHandle(hDupToken);
+ CloseHandle(hSystemToken);
+ return false;
+ }
+ //#else
+ if (!SetThreadToken(0, hDupToken))
+ {
+ return false;
+ }
+#endif
+
+ CloseHandle(hDupToken);
+ CloseHandle(hSystemToken);
+ return true;
  }
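Review bot: The new comment in the non-SYSTEM branch of main says the process has to be re-created with the token as primary, but the code under it only prints the current directory, runs `system("pause")` and returns 1, so the comment describes work that is not done; make that explicit with `// TODO: re-launch this executable with a primary SYSTEM token (presumably via trusted::start_trusted) instead of exiting` or drop the claim. `system("pause")` also spawns a shell and blocks until a key is pressed, so the tool hangs when started without an interactive console (service, scheduled task, automation); printing a message and returning, or guarding the pause with a console check, is safer. The replaced `strstr(..., "SYSTEM")` matched any account name containing that substring, so moving to a SID comparison in `trusted::is_system_group` is the right direction, provided that helper's own issues (raised on its hunk) are fixed. main() continues outside the hunk.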
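Review bot: impersonate_system leaks hSystemProcess on every path once OpenProcessToken succeeds, and because the `//#else` inside the `#if 1` block is commented out, both ImpersonateLoggedOnUser and SetThreadToken execute, with a SetThreadToken failure returning false while hDupToken and hSystemToken are still open. Closing hSystemProcess immediately after OpenProcessToken and keeping a single impersonation call fixes both; the rewritten tail is below. The OpenProcess call also asks for PROCESS_DUP_HANDLE, which nothing in this hunk uses (OpenProcessToken needs only the query right), and the two MAXIMUM_ALLOWED requests could be narrowed to `TOKEN_DUPLICATE | TOKEN_QUERY` on the source and `TOKEN_IMPERSONATE | TOKEN_QUERY` on the copy, which is all DuplicateTokenEx and ImpersonateLoggedOnUser need. A 0 from get_pid is tolerated only because OpenProcess rejects pid 0; an explicit `if (systemPid == 0) return false;` would make that intent visible.
```cpp
    HANDLE hSystemToken;
    const BOOL opened = OpenProcessToken(hSystemProcess, TOKEN_DUPLICATE | TOKEN_QUERY, &hSystemToken);
    CloseHandle(hSystemProcess);   // no path below needs the process handle again
    if (!opened)
    {
      return false;
    }
    // … unchanged: DuplicateTokenEx into hDupToken, closing hSystemToken on failure …
    // ImpersonateLoggedOnUser attaches hDupToken to the calling thread; the
    // SetThreadToken that followed it only ran because the "//#else" was commented out.
    const BOOL impersonating = ImpersonateLoggedOnUser(hDupToken);
    CloseHandle(hDupToken);        // the thread keeps its own reference
    CloseHandle(hSystemToken);
    return impersonating != FALSE;
```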
@@ -129,6 +183,12 @@ namespace trusted
  CloseHandle(hDupToken);
  return false;
  }
+
+ if (!SetThreadToken(0, hDupToken))
+ {
+ return false;
+ }
+
  return true;
  }
@@ -199,4 +259,45 @@ namespace trusted
  }
+ // Check current permissions
+ //
+ bool is_system_group()
+ {
+ DWORD i, dwSize = 0, dwResult = 0;
+ HANDLE hToken;
+ PTOKEN_USER Ptoken_User;
+
+ if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken))
+ return false;
+
+ if (!GetTokenInformation(hToken, TokenUser, NULL, dwSize, &dwSize))
+ {
+ dwResult = GetLastError();
+ if (dwResult != ERROR_INSUFFICIENT_BUFFER)
+ return false;
+ }
+
+ Ptoken_User = (PTOKEN_USER)GlobalAlloc(GPTR, dwSize);
+
+ if (!GetTokenInformation(hToken, TokenUser, Ptoken_User, dwSize, &dwSize))
+ return FALSE;
+
+ LPWSTR SID = NULL;
+
+ if (!ConvertSidToStringSidW(Ptoken_User->User.Sid, &SID))
+ return false;
+
+ // All SID can be found here
+ // https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/security-identifiers-in-windows
+ // S-1-5-18 Local System A service account that is used by the operating system.
+ //
+ if (_wcsicmp(L"S-1-5-18", SID) == 0)
+ return true;
+
+ if (Ptoken_User)
+ GlobalFree(Ptoken_User);
+
+ return false;
+ }
+
  }
\ No newline at end of file
diff --git a/src/defender-control/trusted.hpp b/src/defender-control/trusted.hpp
index b7c8084..d687ed3 100644
--- a/src/defender-control/trusted.hpp
+++ b/src/defender-control/trusted.hpp
@@ -2,6 +2,8 @@
  #include
  #include
  #include
+#include
+#include
  namespace trusted
  {
@@ -10,4 +12,8 @@ namespace trusted
  bool impersonate_system();
  bool impersonate_trusted(DWORD pid);
  DWORD start_trusted();
+
+ // Check current permissions
+ //
+ bool is_system_group();
  }
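Review bot: The added `if (!SetThreadToken(0, hDupToken)) return false;` leaves hDupToken open on failure, unlike the failure branch directly above it, which closes the handle before returning; write it as `if (!SetThreadToken(0, hDupToken)) { CloseHandle(hDupToken); return false; }`. On the success path the visible lines never close hDupToken either; once SetThreadToken has succeeded the thread holds its own reference, so the handle can be closed before `return true` unless the function keeps it for later cleanup outside the hunk. The enclosing function starts before this hunk, so the impersonation call that precedes the new SetThreadToken is not visible; if it is ImpersonateLoggedOnUser, the added SetThreadToken is redundant with it, the same doubled pattern that impersonate_system now has.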
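Review bot: is_system_group leaks on every path: hToken is never closed, the LPWSTR from ConvertSidToStringSidW is never released with LocalFree, and Ptoken_User is freed only on the final `return false` (the `return true` and the two failure returns before it skip the GlobalFree); the GlobalAlloc result is also dereferenced without a null check, and the unused `i`, the `dwResult` temporary and the `return FALSE` mixed with `return false` read as leftovers from a BOOL-returning sample. Comparing the SID structurally with IsWellKnownSid(..., WinLocalSystemSid) removes the string round-trip, its LocalFree obligation and the case-insensitive `_wcsicmp` on a SID string; the rewritten body is below. The name is also misleading: this tests the token's user SID (TokenUser), not group membership, so a process that merely carries the SYSTEM group in its groups list does not pass, which is presumably intended but should be said in the header comment. The closing brace of the namespace follows with no trailing newline, which is worth fixing while the file is touched.
```cpp
  bool is_system_group()
  {
    HANDLE hToken;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken))
      return false;

    DWORD dwSize = 0;
    bool result = false;
    // First call only sizes the buffer; anything but ERROR_INSUFFICIENT_BUFFER is a real failure.
    if (!GetTokenInformation(hToken, TokenUser, nullptr, 0, &dwSize) &&
        GetLastError() == ERROR_INSUFFICIENT_BUFFER)
    {
      auto* pTokenUser = static_cast<PTOKEN_USER>(GlobalAlloc(GPTR, dwSize));
      if (pTokenUser != nullptr)
      {
        // Structural compare against S-1-5-18 (LocalSystem): no string buffer to LocalFree.
        result = GetTokenInformation(hToken, TokenUser, pTokenUser, dwSize, &dwSize) &&
                 IsWellKnownSid(pTokenUser->User.Sid, WinLocalSystemSid);
        GlobalFree(pTokenUser);
      }
    }
    CloseHandle(hToken);
    return result;
  }
```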
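Review bot: The header comment `// Check current permissions` on the new is_system_group declaration does not say what is checked, and the name invites reading it as a group test; state the contract where callers such as main.cpp will see it: `// Returns true only when the calling process token's user SID is S-1-5-18 (LocalSystem).` followed by `// Compares TokenUser, not group membership.`. The two added `#include` lines show no header name in this rendering (the angle-bracketed names appear to have been stripped), so which headers were added cannot be confirmed here; presumably one is the SDDL header that declares ConvertSidToStringSidW.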