start as trusted installer

3 years ago · c8fa1d9a51
parent f25860207f
commit c8fa1d9a51
2 changed files with 86 additions and 88 deletions
--- a/src/defender-control/trusted.cpp
+++ b/src/defender-control/trusted.cpp
@ -72,19 +72,17 @@ namespace trusted
      return false;
    }

-#if 1
    if (!ImpersonateLoggedOnUser(hDupToken))
    {
      CloseHandle(hDupToken);
      CloseHandle(hSystemToken);
      return false;
    }
-    //#else
+
+    // Not needed?
+    //
    if (!SetThreadToken(0, hDupToken))
-    {
      return false;
-    }
-#endif

    CloseHandle(hDupToken);
    CloseHandle(hSystemToken);
@ -92,91 +90,35 @@ namespace trusted
    return true;
  }

-  // Gives trustedinstaller permissions
-  //
-  bool impersonate_trusted(DWORD pid)
-  {
-    enable_privilege(SE_DEBUG_NAME);
-    enable_privilege(SE_IMPERSONATE_NAME);
-    impersonate_system();
-
-    HANDLE hTIProcess;
-    if ((hTIProcess = OpenProcess(
-      PROCESS_DUP_HANDLE | PROCESS_QUERY_INFORMATION,
-      FALSE,
-      pid)) == nullptr)
-    {
-      return false;
-    }
-
-    HANDLE hTIToken;
-    if (!OpenProcessToken(
-      hTIProcess,
-      MAXIMUM_ALLOWED,
-      &hTIToken))
-    {
-      CloseHandle(hTIProcess);
-      return false;
-    }
-
-    HANDLE hDupToken;
-    SECURITY_ATTRIBUTES tokenAttributes;
-    tokenAttributes.nLength = sizeof(SECURITY_ATTRIBUTES);
-    tokenAttributes.lpSecurityDescriptor = nullptr;
-    tokenAttributes.bInheritHandle = FALSE;
-    if (!DuplicateTokenEx(
-      hTIToken,
-      MAXIMUM_ALLOWED,
-      &tokenAttributes,
-      SecurityImpersonation,
-      TokenImpersonation,
-      &hDupToken))
-    {
-      CloseHandle(hTIToken);
-      return false;
-    }
-
-    if (!ImpersonateLoggedOnUser(hDupToken))
-    {
-      CloseHandle(hDupToken);
-      return false;
-    }
-
-    if (!SetThreadToken(0, hDupToken))
-    {
-      return false;
-    }
-
-    return true;
-  }
-
  // Start the trusted installer service
  //
  DWORD start_trusted()
  {
-    SC_HANDLE hSCManager;
-    if ((hSCManager = OpenSCManagerA(
-      nullptr,
-      SERVICES_ACTIVE_DATABASE,
-      GENERIC_EXECUTE)) == nullptr)
-    {
+    auto sc_manager = OpenSCManagerA(
+      nullptr, 
+      SERVICES_ACTIVE_DATABASE, 
+      GENERIC_EXECUTE
+    );
+
+    if (!sc_manager)
      return -1;
-    }

-    SC_HANDLE hService;
-    if ((hService = OpenServiceW(
-      hSCManager,
-      L"TrustedInstaller",
-      GENERIC_READ | GENERIC_EXECUTE)) == nullptr)
+    auto service = OpenServiceA(
+      sc_manager,
+      "TrustedInstaller",
+      GENERIC_READ | GENERIC_EXECUTE
+    );
+
+    if (!service)
    {
-      CloseServiceHandle(hSCManager);
+      CloseServiceHandle(sc_manager);
      return -1;
    }

    SERVICE_STATUS_PROCESS statusBuffer;
    DWORD bytesNeeded;
    while (QueryServiceStatusEx(
-      hService,
+      service,
      SC_STATUS_PROCESS_INFO,
      reinterpret_cast<LPBYTE>(&statusBuffer),
      sizeof(SERVICE_STATUS_PROCESS),
@ -184,10 +126,10 @@ namespace trusted
    {
      if (statusBuffer.dwCurrentState == SERVICE_STOPPED)
      {
-        if (!StartServiceW(hService, 0, nullptr))
+        if (!StartServiceW(service, 0, nullptr))
        {
-          CloseServiceHandle(hService);
-          CloseServiceHandle(hSCManager);
+          CloseServiceHandle(service);
+          CloseServiceHandle(sc_manager);
          return -1;
        }
      }
@ -199,23 +141,78 @@ namespace trusted
      }
      if (statusBuffer.dwCurrentState == SERVICE_RUNNING)
      {
-        CloseServiceHandle(hService);
-        CloseServiceHandle(hSCManager);
+        CloseServiceHandle(service);
+        CloseServiceHandle(sc_manager);
        return statusBuffer.dwProcessId;
      }
    }
-    CloseServiceHandle(hService);
-    CloseServiceHandle(hSCManager);
+    CloseServiceHandle(service);
+    CloseServiceHandle(sc_manager);

    return -1;
  }

-  // Run process with trusted installer privilleges
-  //
-  bool create_process()
+  bool create_process(std::wstring commandLine)
  {
    auto pid = start_trusted();

+    enable_privilege(SE_DEBUG_NAME);
+    enable_privilege(SE_IMPERSONATE_NAME);
+    impersonate_system();
+
+    auto hTIProcess = OpenProcess(
+      PROCESS_DUP_HANDLE | PROCESS_QUERY_INFORMATION, 
+      FALSE, pid
+    );
+
+    if (!hTIProcess)
+      return false;
+
+    HANDLE hTIToken;
+    if (!OpenProcessToken(hTIProcess, MAXIMUM_ALLOWED, &hTIToken))
+    {
+      CloseHandle(hTIProcess);
+      return false;
+    }
+
+    HANDLE hDupToken;
+    SECURITY_ATTRIBUTES tokenAttributes;
+    tokenAttributes.nLength = sizeof(SECURITY_ATTRIBUTES);
+    tokenAttributes.lpSecurityDescriptor = nullptr;
+    tokenAttributes.bInheritHandle = FALSE;
+
+    if (!DuplicateTokenEx(
+      hTIToken, 
+      MAXIMUM_ALLOWED, 
+      &tokenAttributes, 
+      SecurityImpersonation, 
+      TokenImpersonation, 
+      &hDupToken
+    ))
+    {
+      CloseHandle(hTIToken);
+      return false;
+    }
+
+    STARTUPINFOW startupInfo;
+    ZeroMemory(&startupInfo, sizeof(STARTUPINFOW));
+    startupInfo.lpDesktop = (LPWSTR)L"Winsta0\\Default";
+    PROCESS_INFORMATION processInfo;
+    ZeroMemory(&processInfo, sizeof(PROCESS_INFORMATION));
+
+    if (!CreateProcessWithTokenW(
+      hDupToken,
+      LOGON_WITH_PROFILE,
+      nullptr,
+      const_cast<LPWSTR>(commandLine.c_str()),
+      CREATE_UNICODE_ENVIRONMENT,
+      nullptr,
+      nullptr,
+      &startupInfo,
+      &processInfo
+    ))
+      return false;
+
    return true;
  }

--- a/src/defender-control/trusted.hpp
+++ b/src/defender-control/trusted.hpp
@ -8,8 +8,9 @@
 namespace trusted
 {
  bool enable_privilege(std::string privilege);
+
  bool impersonate_system();
-  bool impersonate_trusted(DWORD pid);
+
  DWORD start_trusted();

  // Check current permissions for SYSTEM