RtlAdjustPrivilege()
This is an undocumented function exported by ntdll.dll. Microsoft never published it, presumably because it is so powerful: with this one function alone, and no help from any other API, you can obtain any privilege for a process.
Let's look at the function's definition (as given by WineHQ):
NTSTATUS RtlAdjustPrivilege(
    ULONG    Privilege,
    BOOLEAN  Enable,
    BOOLEAN  CurrentThread,
    PBOOLEAN Enabled
);
Parameter description:
Privilege [in]: the index (LUID value) of the privilege to change. The list of privilege constants can be found on MSDN under process tokens and privileges.
Enable [in]: if TRUE, the privilege is enabled; otherwise it is disabled.
CurrentThread [in]: if TRUE, the privilege is adjusted on the calling thread's token only; otherwise on the process token.
Enabled [out]: receives whether the privilege was previously enabled or disabled. Note: passing a null pointer for this parameter causes an error, which I have confirmed by testing.
Attached is the Delphi declaration and an example, which I have tested:
function RtlAdjustPrivilege(Privilege: ULONG;
  Enable: Boolean;        // BOOLEAN in ntdll is one byte, so use Boolean rather than BOOL
  CurrentThread: Boolean;
  var Enabled: Boolean): DWORD; stdcall; external 'ntdll';
const
  SE_BACKUP_PRIVILEGE   = $11; // backup privilege
  SE_RESTORE_PRIVILEGE  = $12; // restore privilege
  SE_SHUTDOWN_PRIVILEGE = $13; // shutdown privilege
  SE_DEBUG_PRIVILEGE    = $14; // debug privilege
Delphi call example:
var
  Enabled: Boolean;
begin
  // A return value of 0 is STATUS_SUCCESS
  if RtlAdjustPrivilege(SE_DEBUG_PRIVILEGE, True, False, Enabled) = 0 then
    ShowMessage('OK');
end;
Instant shutdown code (VC):
#include <windows.h>

// LUID value of SeShutdownPrivilege, as expected by RtlAdjustPrivilege
const ULONG SE_SHUTDOWN_PRIVILEGE = 0x13;

int main()
{
    HMODULE hDll = ::LoadLibraryA("ntdll.dll");
    if (hDll == NULL)
        return 1;

    // ntdll exports use the stdcall (NTAPI) convention and return NTSTATUS (a LONG)
    typedef LONG (NTAPI *type_RtlAdjustPrivilege)(ULONG, BOOLEAN, BOOLEAN, PBOOLEAN);
    typedef LONG (NTAPI *type_ZwShutdownSystem)(ULONG);

    type_RtlAdjustPrivilege RtlAdjustPrivilege =
        (type_RtlAdjustPrivilege)GetProcAddress(hDll, "RtlAdjustPrivilege");
    type_ZwShutdownSystem ZwShutdownSystem =
        (type_ZwShutdownSystem)GetProcAddress(hDll, "ZwShutdownSystem");
    if (RtlAdjustPrivilege == NULL || ZwShutdownSystem == NULL)
    {
        FreeLibrary(hDll);
        return 1;
    }

    BOOLEAN bWasEnabled = FALSE;
    // Try the thread token first. 0xC000007C (STATUS_NO_TOKEN) means the thread
    // is not impersonating, so fall back to the process token.
    LONG nResult = RtlAdjustPrivilege(SE_SHUTDOWN_PRIVILEGE, TRUE, TRUE, &bWasEnabled);
    if (nResult == (LONG)0xC000007C)
    {
        nResult = RtlAdjustPrivilege(SE_SHUTDOWN_PRIVILEGE, TRUE, FALSE, &bWasEnabled);
    }
    if (nResult == 0)
    {
        // 2 = ShutdownPowerOff
        nResult = ZwShutdownSystem(2);
    }
    FreeLibrary(hDll);
    return 0;
}
In C++ the calling convention of the function pointer must be declared explicitly: the exported function uses the standard-call (stdcall) convention, while a C++ function pointer defaults to the C (cdecl) convention. Therefore add __stdcall to the typedef:
typedef int (__stdcall *axi)(int, bool, bool, int*);
typedef int (__stdcall *type_RtlAdjustPrivilege)(int, bool, bool, int*);
The return type must also be declared correctly. In my experiment the privilege was elevated successfully, but the returned value came back null (0). When checking the return value gives an inaccurate result like this, the only way to judge success or failure is whether the subsequent steps succeed.
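As an added defender-side check (not part of the original post): rather than trusting the return value, inspect the token directly. The script below uses `whoami /priv` to list which privileges the current process token contains and whether each one is enabled, then reports the four privileges named in this post. It assumes an English-locale Windows, where `whoami /priv /fo csv` emits the headers "Privilege Name", "Description" and "State". A privilege that is absent from the token cannot be switched on by RtlAdjustPrivilege at all; the function only flips the enabled attribute of privileges the token already holds, so a standard user's process will never gain SeDebugPrivilege this way.

```powershell
# Added example, not from the original post: audit which privileges the current
# process token holds and which of them are currently enabled.
# Assumes an English-locale Windows where `whoami /priv /fo csv` emits the
# headers "Privilege Name","Description","State" (they are localized otherwise).

function Get-TokenPrivilegeState {
    # whoami /priv lists every privilege present in the token. Anything absent
    # from this list cannot be enabled by RtlAdjustPrivilege or
    # AdjustTokenPrivileges; those calls only change the Enabled attribute.
    $rows = whoami /priv /fo csv | ConvertFrom-Csv
    foreach ($row in $rows) {
        [pscustomobject]@{
            Name    = $row.'Privilege Name'
            Enabled = ($row.State -eq 'Enabled')
        }
    }
}

# The privileges named in the post, keyed by the LUID values its constants use.
# These well-known LUIDs are fixed across Windows versions.
$Watchlist = @{
    'SeBackupPrivilege'   = 0x11
    'SeRestorePrivilege'  = 0x12
    'SeShutdownPrivilege' = 0x13
    'SeDebugPrivilege'    = 0x14
}

function Test-SensitivePrivileges {
    param([Parameter(Mandatory)][object[]]$Privileges)
    foreach ($name in $Watchlist.Keys) {
        $entry = $Privileges | Where-Object Name -eq $name
        [pscustomobject]@{
            Name    = $name
            Luid    = ('0x{0:X}' -f $Watchlist[$name])
            Present = [bool]$entry                       # held by the token at all?
            Enabled = [bool]($entry -and $entry.Enabled) # currently switched on?
        }
    }
}

$state = Get-TokenPrivilegeState
Test-SensitivePrivileges -Privileges $state | Format-Table -AutoSize
```

Run the script before and after a call to RtlAdjustPrivilege and compare the Enabled column; that comparison, not the NTSTATUS value, tells you whether the adjustment actually took effect. On an unelevated interactive session the typical result is SeShutdownPrivilege present but disabled and SeDebugPrivilege absent, so an audit that finds SeDebugPrivilege enabled in an ordinary user's process is worth a second look.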