LCF-AT Posted December 28, 2016

Hi guys, I need some little help again. So I need to build a process list to get all running processes shown and to choose any process to read info / change info inside etc. Now the problem is that I don't get access to all running processes on my system using the OpenProcess API with the PROCESS_ALL_ACCESS flag. So for almost half of the processes I don't get access and get access denied back in eax. How do I get access to all processes? The OpenProcess API with that flag seems to be not enough in that case.

greetz
atom0s Posted December 28, 2016

Don't use PROCESS_ALL_ACCESS; on newer Windows versions (Vista and up) it requires more privileges to be enabled (SeDebugToken mainly) to be able to use it. Instead, just specify the needed requirements of the handle you wish to open.
specx Posted December 28, 2016

If you want to use it, you can get privileges like this:

    #include <windows.h>

    // Enables SeDebugPrivilege in the current process token.
    // Returns 0 on success, 1 on failure.
    int privileges()
    {
        HANDLE Token;
        TOKEN_PRIVILEGES tp;
        int result = 1; // FAIL

        if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &Token))
        {
            if (LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid))
            {
                tp.PrivilegeCount = 1;
                tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
                // AdjustTokenPrivileges returns nonzero even when the token does not
                // hold the privilege (it sets ERROR_NOT_ALL_ASSIGNED), so check the
                // last error as well.
                if (AdjustTokenPrivileges(Token, FALSE, &tp, sizeof(tp), NULL, NULL)
                    && GetLastError() == ERROR_SUCCESS)
                {
                    result = 0; // SUCCESS
                }
            }
            CloseHandle(Token);
        }
        return result;
    }
LCF-AT Posted December 29, 2016 (Author)

Hi again and thanks for your answers so far. Hmm, good, ok. So I also tried PROCESS_VM_READ & PROCESS_QUERY_INFORMATION but they also failed. I debugged another file which can show processes, and there I see it only sets some privileges for its own process only... something like that, if I translated it right...

    invoke GetCurrentProcess
    mov ecx,eax
    invoke OpenProcessToken,ecx,TOKEN_QUERY or TOKEN_ADJUST_PRIVILEGES,addr TOKENHANDLE
    .if eax != 0h
        invoke LookupPrivilegeValue,NULL,addr szSeDebugPrivilege,addr lpLuid
        .if eax != 0h
            xor edx,edx
            lea eax, TP
            m2m TP.TOKEN_PRIVILEGES.Privileges,SECURITY_DESCRIPTOR_MIN_LENGTH
            m2m TP.TOKEN_PRIVILEGES.PrivilegeCount,1
            invoke AdjustTokenPrivileges,TOKENHANDLE,edx,eax,edx,edx,edx
            .if eax != 0h
                invoke CloseHandle,TOKENHANDLE
            .else
                invoke CloseHandle,TOKENHANDLE
            .endif
        .else
            invoke CloseHandle,TOKENHANDLE
        .endif
    .else
    .endif
    nop
    nop
    invoke GetCurrentProcess
    mov ecx,eax
    invoke OpenProcessToken,ecx,TOKEN_QUERY or TOKEN_ADJUST_PRIVILEGES,addr TOKENHANDLE
    .if eax != 0h
        invoke LookupPrivilegeValue,NULL,addr szSeSecurityPrivilege,addr lpLuid
        .if eax != 0h
            xor edx,edx
            lea eax, TP
            m2m TP.TOKEN_PRIVILEGES.Privileges,SECURITY_DESCRIPTOR_MIN_LENGTH
            m2m TP.TOKEN_PRIVILEGES.PrivilegeCount,1
            invoke AdjustTokenPrivileges,TOKENHANDLE,edx,eax,edx,edx,edx
            .if eax != 0h
                invoke CloseHandle,TOKENHANDLE
            .else
                invoke CloseHandle,TOKENHANDLE
            .endif
        .else
            invoke CloseHandle,TOKENHANDLE
        .endif
    .else
    .endif

...so if I use this and later the OpenProcess API for all processes, then it still doesn't work (same as before, I only get access to half of the process list). Or do I have to do the above with all processes?

greetz
snoopy Posted December 29, 2016

The OpenProcess API needs a process ID; you need to use GetCurrentProcessId instead of GetCurrentProcess (which retrieves a pseudo handle to the process). Here is an example I am using:

    invoke GetCurrentProcessId
    mov [ProcessID], eax
    invoke OpenProcess, PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_CREATE_THREAD | PROCESS_TERMINATE, NULL, [ProcessID]
    mov [ProcessHandle], eax
LCF-AT Posted December 29, 2016 (Author)

Hi again, ok, after much testing I got it working now. So I see there was a problem with the struct which includes another struct with the Luid, an array thing where I just used a free address. Now the code below works.

    invoke GetCurrentProcess
    mov ecx,eax
    invoke OpenProcessToken,ecx,TOKEN_QUERY or TOKEN_ADJUST_PRIVILEGES,addr TOKENHANDLE
    .if eax != 0h
        ; write the LUID directly into the Privileges[0] entry of the TOKEN_PRIVILEGES struct
        invoke LookupPrivilegeValue,NULL,addr szSeDebugPrivilege,addr TP.TOKEN_PRIVILEGES.Privileges[0].Luid
        .if eax != 0h
            xor edx,edx
            lea esi, TP
            m2m TP.TOKEN_PRIVILEGES.Privileges[0].Attributes,SE_PRIVILEGE_ENABLED
            m2m TP.TOKEN_PRIVILEGES.PrivilegeCount,1
            ; DisableAllPrivileges = 0, NewState = TP, BufferLength = sizeof TP
            invoke AdjustTokenPrivileges,TOKENHANDLE,edx,esi,sizeof TP,0,0
            .if eax != 0h
                invoke CloseHandle,TOKENHANDLE
            .else
                invoke CloseHandle,TOKENHANDLE
            .endif
        .else
            invoke CloseHandle,TOKENHANDLE
        .endif
    .else
    .endif
    ret

Thanks again.

PS: So this code I have to use only for all systems higher than dwMajorVersion 5, right?

greetz
atom0s Posted December 30, 2016

Windows Vista or higher, yes. No idea what the major id would be considered for that off-hand though. Windows XP should not require the token adjustment as the flag value was changed during the upgrade to Vista.