StoneHeart Posted September 5, 2013

I'm trying to allocate memory in the lsass.exe process but it always fails. Other tools I try, like the SAM password dump, work. What could be the problem? Example code I use to allocate memory in that process:

// Enable the debug privilege
if( SetDebugPrivilege() != 0 )
// Get the LSASS pid
dwPid = GetLsassPid();
// Open lsass
hLsassProc = OpenProcess( PROCESS_ALL_ACCESS, FALSE, dwPid );
// Allocate memory in remote proc
pRemoteAlloc = VirtualAllocEx( hLsassProc, NULL, 1000, MEM_COMMIT, PAGE_READWRITE );

Result: pRemoteAlloc = NULL, GetLastError = 5 ....

I'm using Win 7 x86 SP1 and VC++ 2010.
CondZero Posted September 5, 2013

I assume you checked your return values when setting the debug privilege, and also that you had a valid pid and process returned when executing GetLsassPid and OpenProcess. You might try this (note changes in BOLD):

// Open lsass
hLsassProc = OpenProcess( PROCESS_VM_OPERATION, FALSE, dwPid );
// Allocate memory in remote proc
pRemoteAlloc = VirtualAllocEx( hLsassProc, NULL, 1000, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE );

If the above doesn't work, then you might try investigating SetDebugPrivilege(), as you are getting:

ERROR_ACCESS_DENIED
5 (0x5)
Access is denied.

Good Luck
deepzero Posted September 5, 2013

You also need admin privileges for this. Simply double-clicking the .exe or running it in the debugger doesn't suffice. Try right click -> Run as admin.
StoneHeart (Author) Posted September 6, 2013

Quoting CondZero:

I assume you checked your return values when setting the debug privilege, and also that you had a valid pid and process returned when executing GetLsassPid and OpenProcess. You might try this (note changes in BOLD):

// Open lsass
hLsassProc = OpenProcess( PROCESS_VM_OPERATION, FALSE, dwPid );
// Allocate memory in remote proc
pRemoteAlloc = VirtualAllocEx( hLsassProc, NULL, 1000, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE );

If the above doesn't work, then you might try investigating SetDebugPrivilege(), as you are getting:

ERROR_ACCESS_DENIED
Access is denied.
5 (0x5)

Good Luck

I have tried the bold one before, but still to no avail =\ If I try it on a non-system process it works. SetDebugPrivilege doesn't have a problem, as GetLastError always returns 0. So what could be the problem? Do you have any example which successfully allocates memory in a system process?
CondZero Posted September 7, 2013

Quoting StoneHeart:

Do you have any example which successfully allocates memory in a system process?

Actually, I have not ever tried. But it wouldn't surprise me that there could be something hard coded in the OS to possibly prevent this. You might try, if you can, debugging your code into the OS APIs themselves to see.

Here is my SetDebugPrivilege(). Keep in mind that you may need to do this remotely for the process that you are trying to OpenProcess.

#include <windows.h>

/* The following function activates the SeDebugPrivilege for the current process.
   First, it accesses the current process token by calling OpenProcessToken with
   the appropriate rights. Then, it looks up the LUID value associated with the
   SE_DEBUG_NAME string defined in winnt.h by calling LookupPrivilegeValue.
   Finally it activates this privilege through a call to AdjustTokenPrivileges,
   passing it a properly filled TOKEN_PRIVILEGES structure.
   Returns 1 on success, otherwise the Win32 error code. */
int LoadSeDebugPrivilege(void)
{
    HANDLE hToken = 0;
    LUID Val;
    TOKEN_PRIVILEGES tp;
    DWORD err;

    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
        return (GetLastError());
    if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &Val)) {
        err = GetLastError();      /* save before CloseHandle can overwrite it */
        CloseHandle(hToken);
        return err;
    }
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Luid = Val;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    if (!AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL)) {
        err = GetLastError();
        CloseHandle(hToken);
        return err;
    }
    /* AdjustTokenPrivileges returns TRUE even when the token does not hold the
       privilege at all (e.g. a non-elevated process); in that case it sets
       ERROR_NOT_ALL_ASSIGNED, which must be checked separately. */
    err = GetLastError();
    CloseHandle(hToken);
    if (err == ERROR_NOT_ALL_ASSIGNED)
        return err;
    return 1;
}

BR, CZ
mrexodia Posted September 8, 2013 (edited)

Can allocate stuff in winlogon.exe here... GetProcessID function by unknown... LoadSeDebugPrivilege from CondZero above.

system_alloc.rar

Edited September 8, 2013 by Mr. eXoDia
StoneHeart (Author) Posted September 9, 2013

Quoting CondZero:

Actually, I have not ever tried. But it wouldn't surprise me that there could be something hard coded in the OS to possibly prevent this. You might try, if you can, debugging your code into the OS APIs themselves to see.

Here is my SetDebugPrivilege(). Keep in mind that you may need to do this remotely for the process that you are trying to OpenProcess.

/* The following function activates the SeDebugPrivilege for the current process.
   First, it accesses the current process token by calling OpenProcessToken with
   the appropriate rights. Then, it looks up the LUID value associated with the
   SE_DEBUG_NAME string defined in winnt.h by calling LookupPrivilegeValue.
   Finally it activates this privilege through a call to AdjustTokenPrivileges,
   passing it a properly filled TOKEN_PRIVILEGES structure. */
int LoadSeDebugPrivilege(void)
{
    HANDLE hToken = 0;
    LUID Val;
    TOKEN_PRIVILEGES tp;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
        return (GetLastError());
    if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &Val))
        return (GetLastError());
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Luid = Val;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    if (!AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL))
        return (GetLastError());
    CloseHandle(hToken);
    return 1;
}

BR, CZ

I think the problem isn't coming from the privilege thingy. GLE always returns 0 even with your sample.

Quoting mrexodia:

Can allocate stuff in winlogon.exe here... GetProcessID function by unknown... LoadSeDebugPrivilege from CondZero above.

I've tested your sample and it didn't work on my Win 7, but it does work on Win XP (same with my source). ... Anyway, thanks for the reply.
mrexodia Posted September 10, 2013

Hi, do you have admin rights? I used Win7 (x64) too.
StoneHeart (Author) Posted September 11, 2013

Quoting mrexodia:

Hi, do you have admin rights? I used Win7 (x64) too.

Tried it many times and also disabled UAC, but still the same. Maybe my Win 7 x86 SP1 got a bug or something lol
mrexodia Posted September 13, 2013

Strange indeed, I can allocate memory in lsass.exe without problems (using the above code).
Peter Ferrie Posted September 13, 2013

Quoting StoneHeart:

Tried it many times and also disabled UAC, but still the same. Maybe my Win 7 x86 SP1 got a bug or something lol

But you didn't answer the question - do you have admin rights? Did you actually elevate to admin first? 1
StoneHeart (Author) Posted September 14, 2013

Quoting Peter Ferrie:

But you didn't answer the question - do you have admin rights? Did you actually elevate to admin first?

Yes! ... Never mind, I've already solved this issue.
Peter Ferrie Posted September 20, 2013

Quoting StoneHeart:

Never mind, I've already solved this issue.

Great, but posts like this are unhelpful. Please describe the solution so that others might learn. 2
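The thread turns on two things: which access rights a caller asks for on lsass.exe (PROCESS_ALL_ACCESS in the first post versus the narrower PROCESS_VM_OPERATION CondZero suggests) and whether the caller is elevated enough to get them. From the defender's side the same access mask is what endpoint telemetry records when a handle to lsass.exe is granted, so the mask tells you whether a caller could merely query the process or could write to and execute in its memory. The script below is an added example and is not code from the thread or from any poster: it decodes a process access mask using the winnt.h PROCESS_* constant values and triages handle opens on lsass.exe. The record format (SourceImage, TargetImage, GrantedAccess, the fields Sysmon's Event ID 10 ProcessAccess event carries) and every sample record are constructed here; the allowlist path is a placeholder, not a real product.

```python
"""Decode PROCESS_* access masks and triage handle opens to lsass.exe.

Added example, not part of the forum thread. Constant values are the
winnt.h process access rights; the records are constructed to resemble
the SourceImage / TargetImage / GrantedAccess fields of a Sysmon
Event ID 10 (ProcessAccess) event.
"""

# winnt.h process access rights (bit -> name)
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0004: "PROCESS_SET_SESSIONID",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x2000: "PROCESS_SET_LIMITED_INFORMATION",
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE",
}
# STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0xFFFF on Vista and later
PROCESS_ALL_ACCESS = 0x1FFFFF

# Rights that allow changing lsass memory or running code in it. The
# VirtualAllocEx call in the thread needs PROCESS_VM_OPERATION at minimum.
MEMORY_TAMPER_RIGHTS = 0x0008 | 0x0020 | 0x0002   # VM_OPERATION | VM_WRITE | CREATE_THREAD
PROCESS_VM_READ = 0x0010

# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    "SourceImage=C:\\Users\\dev\\test.exe|TargetImage=C:\\Windows\\System32\\lsass.exe|GrantedAccess=0x1FFFFF",
    "SourceImage=C:\\Users\\dev\\test.exe|TargetImage=C:\\Windows\\System32\\lsass.exe|GrantedAccess=0x0008",
    "SourceImage=C:\\Windows\\System32\\svchost.exe|TargetImage=C:\\Windows\\System32\\lsass.exe|GrantedAccess=0x1000",
    "SourceImage=C:\\Program Files\\AV\\scan.exe|TargetImage=C:\\Windows\\System32\\lsass.exe|GrantedAccess=0x1410",
    "SourceImage=C:\\Users\\dev\\test.exe|TargetImage=C:\\Windows\\System32\\notepad.exe|GrantedAccess=0x1FFFFF",
]


def parse_event(line):
    """Split one 'Key=Value|Key=Value' record into a dict with an int mask."""
    fields = dict(kv.split("=", 1) for kv in line.split("|"))
    return {
        "source": fields["SourceImage"],
        "target": fields["TargetImage"],
        "access": int(fields["GrantedAccess"], 16),
    }


def decode_access(mask):
    """Return the right names set in mask; unknown bits are reported as hex."""
    names = [name for bit, name in sorted(PROCESS_RIGHTS.items()) if mask & bit]
    known = 0
    for bit in PROCESS_RIGHTS:
        known |= bit
    leftover = mask & ~known
    if leftover:
        names.append("unknown:0x%X" % leftover)
    return names


def classify(event, allowlist=frozenset()):
    """Return (severity, reason) for one ProcessAccess record.

    allowlist holds lower-cased full paths of sources that legitimately
    open lsass.exe (placeholder values in this example).
    """
    target = event["target"].rsplit("\\", 1)[-1].lower()
    if target != "lsass.exe":
        return ("ignore", "target is not lsass.exe")
    if event["source"].lower() in allowlist:
        return ("ignore", "source is allowlisted")
    mask = event["access"]
    if mask == PROCESS_ALL_ACCESS:
        return ("high", "PROCESS_ALL_ACCESS requested on lsass.exe")
    if mask & MEMORY_TAMPER_RIGHTS:
        granted = decode_access(mask & MEMORY_TAMPER_RIGHTS)
        return ("high", "memory write/exec rights on lsass.exe: " + ", ".join(granted))
    if mask & PROCESS_VM_READ:
        return ("medium", "PROCESS_VM_READ on lsass.exe (memory can be dumped)")
    return ("low", "query-only handle to lsass.exe: " + ", ".join(decode_access(mask)))


def scan(lines, allowlist=frozenset()):
    """Triage every record; returns (severity, source, reason) for non-ignored ones."""
    findings = []
    for line in lines:
        event = parse_event(line)
        severity, reason = classify(event, allowlist)
        if severity != "ignore":
            findings.append((severity, event["source"], reason))
    return findings


if __name__ == "__main__":
    allow = frozenset({"c:\\program files\\av\\scan.exe"})   # placeholder entry
    for severity, source, reason in scan(SAMPLE_EVENTS, allow):
        print("%-6s %-40s %s" % (severity, source, reason))
```

The triage order mirrors the least-privilege point made in the thread: a handle with only PROCESS_QUERY_LIMITED_INFORMATION is routine, PROCESS_VM_READ is enough to copy lsass memory out, and PROCESS_VM_OPERATION / PROCESS_VM_WRITE / PROCESS_CREATE_THREAD (all contained in PROCESS_ALL_ACCESS) let the caller change what lsass executes, which is why those bits warrant the highest severity regardless of who the source is.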