[host] service: use SYSTEM token attached to the current process
Since the service is already running as SYSTEM, we don't need dupeSystemProcessToken to find and duplicate some other process's SYSTEM token. This removes the need to explicitly enable SeDebugPrivilege, SeTcbPrivilege and SeAssignPrimaryTokenPrivilege (or otherwise do sketchy things), and we now open the token with only the access rights we actually need.
This commit is contained in:
parent
16ee1a825c
commit
ebda52b18b
@ -158,73 +158,6 @@ bool disablePriv(const char * name)
|
|||||||
return adjustPriv(name, 0);
|
return adjustPriv(name, 0);
|
||||||
}
|
}
|
||||||
|
|
||||||
HANDLE dupeSystemProcessToken(void)
|
|
||||||
{
|
|
||||||
DWORD count = 0;
|
|
||||||
DWORD returned;
|
|
||||||
do
|
|
||||||
{
|
|
||||||
count += 512;
|
|
||||||
DWORD pids[count];
|
|
||||||
EnumProcesses(pids, count * sizeof(DWORD), &returned);
|
|
||||||
}
|
|
||||||
while(returned / sizeof(DWORD) == count);
|
|
||||||
|
|
||||||
DWORD pids[count];
|
|
||||||
EnumProcesses(pids, count * sizeof(DWORD), &returned);
|
|
||||||
returned /= sizeof(DWORD);
|
|
||||||
|
|
||||||
char systemSidBuf[SECURITY_MAX_SID_SIZE];
|
|
||||||
PSID systemSid = (PSID) systemSidBuf;
|
|
||||||
DWORD cbSystemSid = sizeof systemSidBuf;
|
|
||||||
|
|
||||||
if (!CreateWellKnownSid(WinLocalSystemSid, NULL, systemSid, &cbSystemSid))
|
|
||||||
{
|
|
||||||
doLog("failed to create local system SID");
|
|
||||||
return NULL;
|
|
||||||
}
|
|
||||||
|
|
||||||
for(DWORD i = 0; i < returned; ++i)
|
|
||||||
{
|
|
||||||
HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, pids[i]);
|
|
||||||
if (!hProcess)
|
|
||||||
continue;
|
|
||||||
|
|
||||||
HANDLE hToken;
|
|
||||||
if (!OpenProcessToken(hProcess,
|
|
||||||
TOKEN_QUERY | TOKEN_READ | TOKEN_IMPERSONATE | TOKEN_QUERY_SOURCE |
|
|
||||||
TOKEN_DUPLICATE | TOKEN_ASSIGN_PRIMARY | TOKEN_EXECUTE, &hToken))
|
|
||||||
goto err_proc;
|
|
||||||
|
|
||||||
DWORD tmp;
|
|
||||||
char userBuf[1024];
|
|
||||||
TOKEN_USER * user = (TOKEN_USER *)userBuf;
|
|
||||||
if (!GetTokenInformation(hToken, TokenUser, user, sizeof(userBuf), &tmp))
|
|
||||||
goto err_token;
|
|
||||||
|
|
||||||
if (EqualSid(user->User.Sid, systemSid))
|
|
||||||
{
|
|
||||||
CloseHandle(hProcess);
|
|
||||||
|
|
||||||
// duplicate the token so we can use it
|
|
||||||
HANDLE hDupe = NULL;
|
|
||||||
if (!DuplicateTokenEx(hToken, MAXIMUM_ALLOWED, NULL, SecurityImpersonation,
|
|
||||||
TokenPrimary, &hDupe))
|
|
||||||
hDupe = NULL;
|
|
||||||
|
|
||||||
CloseHandle(hToken);
|
|
||||||
return hDupe;
|
|
||||||
}
|
|
||||||
|
|
||||||
err_token:
|
|
||||||
CloseHandle(hToken);
|
|
||||||
err_proc:
|
|
||||||
CloseHandle(hProcess);
|
|
||||||
}
|
|
||||||
|
|
||||||
return NULL;
|
|
||||||
}
|
|
||||||
|
|
||||||
void Launch(void)
|
void Launch(void)
|
||||||
{
|
{
|
||||||
if (service.process)
|
if (service.process)
|
||||||
@ -239,32 +172,29 @@ void Launch(void)
|
|||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!enablePriv(SE_DEBUG_NAME))
|
HANDLE hSystemToken;
|
||||||
{
|
if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY | TOKEN_DUPLICATE |
|
||||||
doLog("failed to enable " SE_DEBUG_NAME);
|
TOKEN_ASSIGN_PRIMARY | TOKEN_ADJUST_SESSIONID | TOKEN_ADJUST_DEFAULT,
|
||||||
return;
|
&hSystemToken))
|
||||||
}
|
|
||||||
|
|
||||||
HANDLE hToken = dupeSystemProcessToken();
|
|
||||||
if (!hToken)
|
|
||||||
{
|
{
|
||||||
doLog("failed to get the system process token\n");
|
doLog("failed to get the system process token\n");
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!disablePriv(SE_DEBUG_NAME))
|
HANDLE hToken;
|
||||||
doLog("failed to disable " SE_DEBUG_NAME);
|
if (!DuplicateTokenEx(hSystemToken, 0, NULL, SecurityAnonymous,
|
||||||
|
TokenPrimary, &hToken))
|
||||||
|
{
|
||||||
|
doLog("failed to duplicate the system process token\n");
|
||||||
|
CloseHandle(hSystemToken);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
CloseHandle(hSystemToken);
|
||||||
|
|
||||||
DWORD origSessionID, targetSessionID, returnedLen;
|
DWORD origSessionID, targetSessionID, returnedLen;
|
||||||
GetTokenInformation(hToken, TokenSessionId, &origSessionID,
|
GetTokenInformation(hToken, TokenSessionId, &origSessionID,
|
||||||
sizeof(origSessionID), &returnedLen);
|
sizeof(origSessionID), &returnedLen);
|
||||||
|
|
||||||
if (!enablePriv(SE_TCB_NAME))
|
|
||||||
{
|
|
||||||
doLog("failed to enable " SE_TCB_NAME);
|
|
||||||
goto fail_token;
|
|
||||||
}
|
|
||||||
|
|
||||||
targetSessionID = WTSGetActiveConsoleSessionId();
|
targetSessionID = WTSGetActiveConsoleSessionId();
|
||||||
if (origSessionID != targetSessionID)
|
if (origSessionID != targetSessionID)
|
||||||
{
|
{
|
||||||
@ -277,9 +207,6 @@ void Launch(void)
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!disablePriv(SE_TCB_NAME))
|
|
||||||
doLog("failed to disable " SE_TCB_NAME);
|
|
||||||
|
|
||||||
LPVOID pEnvironment = NULL;
|
LPVOID pEnvironment = NULL;
|
||||||
if (!CreateEnvironmentBlock(&pEnvironment, hToken, TRUE))
|
if (!CreateEnvironmentBlock(&pEnvironment, hToken, TRUE))
|
||||||
{
|
{
|
||||||
@ -288,12 +215,6 @@ void Launch(void)
|
|||||||
goto fail_token;
|
goto fail_token;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!enablePriv(SE_ASSIGNPRIMARYTOKEN_NAME))
|
|
||||||
{
|
|
||||||
doLog("failed to enable " SE_ASSIGNPRIMARYTOKEN_NAME);
|
|
||||||
goto fail_token;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (!enablePriv(SE_INCREASE_QUOTA_NAME))
|
if (!enablePriv(SE_INCREASE_QUOTA_NAME))
|
||||||
{
|
{
|
||||||
doLog("failed to enable " SE_INCREASE_QUOTA_NAME);
|
doLog("failed to enable " SE_INCREASE_QUOTA_NAME);
|
||||||
@ -345,9 +266,6 @@ void Launch(void)
|
|||||||
if (!disablePriv(SE_INCREASE_QUOTA_NAME))
|
if (!disablePriv(SE_INCREASE_QUOTA_NAME))
|
||||||
doLog("failed to disable " SE_INCREASE_QUOTA_NAME);
|
doLog("failed to disable " SE_INCREASE_QUOTA_NAME);
|
||||||
|
|
||||||
if (!disablePriv(SE_ASSIGNPRIMARYTOKEN_NAME))
|
|
||||||
doLog("failed to disable " SE_ASSIGNPRIMARYTOKEN_NAME);
|
|
||||||
|
|
||||||
CloseHandle(pi.hThread);
|
CloseHandle(pi.hThread);
|
||||||
service.process = pi.hProcess;
|
service.process = pi.hProcess;
|
||||||
service.running = true;
|
service.running = true;
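Review bot: The session query that directly follows the new OpenProcessToken/DuplicateTokenEx sequence still ignores the return value of GetTokenInformation, so on failure `origSessionID` is read uninitialized by the `origSessionID != targetSessionID` comparison; check it and leave through the existing `fail_token` path, which presumably releases hToken (its label is outside the hunk). With enablePriv(SE_TCB_NAME) and enablePriv(SE_ASSIGNPRIMARYTOKEN_NAME) removed, the session switch in that branch and the later process creation now rely on those privileges already being enabled in the service's own token, which holds for LocalSystem by default but would silently break if the service were ever configured with a stripped privilege set; a one-line comment at the OpenProcessToken call, such as `// the service's own SYSTEM token already has SeTcb/SeAssignPrimaryToken enabled; the session switch below depends on that`, would make the assumption visible. Passing `SecurityAnonymous` to DuplicateTokenEx for a TokenPrimary duplicate is unusual; if it is intentional, a short comment noting that the level is not meaningful for a primary token would spare the next reader the detour. Launch continues past the end of the hunk, so the CreateProcessAsUser call and the fail_token label are not visible here.
```c
  DWORD origSessionID, targetSessionID, returnedLen;
  if (!GetTokenInformation(hToken, TokenSessionId, &origSessionID,
      sizeof(origSessionID), &returnedLen))
  {
    doLog("failed to get the token session id\n");
    goto fail_token;
  }
  /* … unchanged: WTSGetActiveConsoleSessionId and the session switch … */
```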
|
||||||
|