Adjusttokenprivileges (process permission modification)

Adjusttokenprivileges (process permission)

Address: http://hi.baidu.com/xuqipi/blog/item/07f43363b3d690630d33fa90.html

Getcurrentprocessid get the ID of the current process openprocesstoken get the process's token handle lookupprivilegevalue Query Process permission adjusttokenprivileges determine the token permission

To perform an OpenProcess operation that specifies write-related access to any process (including system security processes and service processes), you only need to grant the current process the sededebug permission. If a user is administrator or has been granted the corresponding permissions, the user can have this permission. However, even if we use the Administrator account to execute OpenProcess (process_all_access, false, dwprocessid) on a system security process, we still encounter an "access denial" error. Why? In the past, some access permissions of the process are not enabled by default. Therefore, the first thing we need to do is to enable these permissions. Some related API functions include openprocesstoken, lookupprivilegevalue, and adjusttokenprivileges. To modify the access token of a process, first obtain the handle of the Process access token, which can be obtained through openprocesstoken. The prototype of the function is as follows:

Bool openprocesstoken (
Handle processhandle,
DWORD desiredaccess,
Phandle tokenhandle
);
The first parameter is the process handle for modifying the access permission. The third parameter is the returned access token pointer. The second parameter specifies the operation type you want to perform, to modify the token, We need to specify the second parameter token_adjust_privileges (for other parameters, refer to platform SDK ). Through this function, we can get the access token handle of the current process (specify the first parameter of the function as getcurrentprocess ). Then we can call adjusttokenprivileges to modify the access token. The prototype of adjusttokenprivileges is as follows:
Bool adjusttokenprivileges (
Handle tokenhandle, // handle to token
Bool disableallprivileges, // disabling Option
Ptoken_privileges newstate, // privilege information
DWORD bufferlength, // size of Buffer
Ptoken_privileges previusstate, // Original State Buffer
Pdword returnlength // required buffer size
);
The first parameter is the access token handle. The second parameter determines whether to modify the permission or disable all permissions. The third parameter specifies the permission to be modified, is a pointer to the token_privileges structure, which contains an array. Each item in the Data Group specifies the permission type and the operation to be performed. The fourth parameter is the length of the structure previusstate, if previusstate is null, this parameter should be null. The fifth parameter is also a pointer to the token_privileges structure, which stores the information about the access permission before modification. It can be null; the last parameter is the size returned by the actual previusstate structure. Before using this function, let's look at the token_privileges structure. Its declaration is as follows:

Typedef struct _ token_privileges {
DWORD privilegecount;
Luid_and_attributes privileges [];
} Token_privileges, * ptoken_privileges;
Privilegecount refers to the number of elements in the array, followed by an array of the luid_and_attributes type. Let's take a look at the content of the Structure of luid_and_attributes. The declaration is as follows:

Typedef struct _ luid_and_attributes {
Luid;
DWORD attributes;
} Luid_and_attributes, * pluid_and_attributes

The second parameter specifies the operation type to be performed. There are three Optional options: se_privilege_enabled, se_privilege_enabled_by_default, and se_privilege_used_for_access. To enable a permission, specify attributes as se_privilege_enabled. The first parameter refers to the permission type and is a luid value. luid refers to the locally unique identifier. I think you are familiar with the guid, And the guid must be globally unique, as long as the luid is locally unique, it means that it is unique during each operation of the system. In addition, luid is a 64-bit value, which is the same as guid, how can we know the luid value corresponding to a permission? This requires another API function lookupprivilegevalue. Its prototype is as follows:

Bool lookupprivilegevalue (
Lptstr lpsystemname, // system name
Lptstr lpname, // privilege name
Pluid lpluid // locally Unique Identifier
);
The first parameter is the name of the system. If it is specified as null by the local system, the third parameter is the luid pointer, and the second parameter is the name of the permission, for example, "sedebugprivilege ". Some macros with permission names are also defined in winnt. H, such:

# Define se_backup_name text ("SeBackupPrivilege ")

# Define se_restore_name text ("serestoreprivilege ")

# Define se_shutdown_name text ("seshutdownprivilege ")

# Define se_debug_name text ("sedebugprivilege ")

By calling these three functions, we can use OpenProcess (process_all_access, false, dwprocessid) to obtain the handle of any process and specify all access permissions.

 

 

 

ExampleCode 
Inline bool ctoolhelp: enabledebugprivilege (bool fenable/* = true */){
Bool Fok = false;
Handlehtoken = NULL;
If (openprocesstoken (getcurrentprocess (), token_adjust_privileges, & htoken )){
Token_privilegestp;
TP. privilegecount = 1;
Lookupprivilegevalue (null, se_debug_name, & TP. Privileges [0]. luid );
TP. Privileges [0]. Attributes = fenable? Se_privilege_enabled: 0;
Adjusttokenprivileges (htoken, false, & TP, sizeof (TP), null, null );
Fok = (getlasterror () = error_success );
Closehandle (htoken );
}
Return Fok;
}