Modify process Permissions

The rtladjustprivliege function is encapsulated in Ntdll. dll (loaded before all DLL loads) and is strictly confidential by Microsoft. That is to say, you cannot find any information about it on msdn.

Let's take a look at the definition of this function (given by winehq ):
Ntstatus rtladjustprivilege
(
Ulong privilege,
Boolean enable,
Boolean currentthread,
Pboolean Enabled
)

Parameter description:
Privilege [in] privilege index tochange.
// The required permission name. You can go to msdn to find the content about processtoken & privilege.

Enable [in] if true, then enable the privilege otherwisedisable.
// If it is true, the corresponding permission is enabled. If it is false, the corresponding permission is disabled.

Currentthread [in] if true, then enable in callingthread, otherwise process.
// If this parameter is set to true, only the current thread permission is granted; otherwise, the entire process permission is granted.

Enabled [out] whether privilege was previusly enabled ordisabled.
// Output the status of the original permission (Open | close)

Many people probably haven't heard of his name, but I believe many people have seen it.Process Elevation of PrivilegeProcess
Copy a piece of my write permission.

Bool improveprocpriv ()
{
Handle token;
// Escalate Permissions
If (! Openprocesstoken (getcurrentprocess (), token_adjust_privileges, & token ))
{
MessageBox (null, "failed to open process token...", "error", mb_iconstop );
Returnfalse;
}
Token_privileges tkp;
Tkp. privilegecount = 1;
: Lookupprivilegevalue (null, se_debug_name, & tkp. Privileges [0]. luid );
Tkp. Privileges [0]. Attributes = se_privilege_enabled;
If (! Adjusttokenprivileges (token, false, & tkp, sizeof (tkp), null, null ))
{
MessageBox (null, "failed to adjust token permission...", "error", mb_iconstop );
Returnfalse;
}
Closehandle (token );
Return true;
}

Let's take a look. This Elevation of Privilege is almost exhausted...

However, if you have this function, it will be different. You can use only one function to implement this function, and even more functions than the above code...

With proper ide settings and necessary defination, you can use a line of code to implement the functions of the above function.

Rtladjustprivilege (se_debug_name, 1, 0, null );

Body:

Next, let's take a look at how this function runs. By the way, we will learn about the powerful IDA
Ida loads NTDLL. dll (here I load the English version of the symbol automatically downloaded by windbg, which may be slightly different for different Windows versions)

Input the function prototype to IDA for easy reading, and then start to read the assembly code (it's time for the Party and the country to test us ).
Looking at Graph view is really awesome...
Look at the beginning of the function...

MoV EDI, EDI; this sentence is a waste command
Push EBP
MoV EBP, ESP
Sub ESP, 30 h; 48 bytes sub-process domain auto variable
CMP [EBP + currentthread], 1; Determine whether the currentthread parameter is specified as 1
MoV eax, dword_7c97b0c8
MoV [EBP + var_4], eax
MoV eax, [EBP + Enabled]
MoV [EBP + isenabled], eax; bool * isenabled = enabled;
Lea eax, [EBP + var_28]
Push eax
JZ loc_7c931_ B

Determine whether the process permission is adjusted or the thread permission,
Currentthread = true
Push 0
Push 28 h; token_adjust_privileges | token_query
Push 0 fffffffeh; getcurrentthread ()
Call zwopenthreadtoken
JMP loc_7c929a7a

Currentthread = false
Push 28 h; token_adjust_privileges | token_query
Push 0 ffffffffh; getcurrentprocess ()
Call ntopenprocesstoken

Then the two code blocks point to both
Loc_7c929a7a:; I understand. Check whether the process/thread token is successfully opened.
Test eax, eax
Jl short loc_7c929ae4; Skip if the call fails.

If the execution is successful

MoV eax, [EBP + privilege]
MoV [EBP + dwprivilege], eax
MoV Al, [EBP + enable]
Clear XOR ECx and ECx
Neg al
Push ESI
MoV [EBP + newstate], 1
MoV [EBP + var_c], ECx
SBB eax, eax
And eax, 2
MoV [EBP + var_8], eax
Lea eax, [EBP + returnlength]; actual return Length
Push eax
Lea eax, [EBP + oldstate]
Push eax; old privileged pointer
Push 10 h; sizeof (token_privileges)
Lea eax, [EBP + newstate]
Push eax; new privileged pointer
Push ECx; false because there is XOR ECx, ECx
Push [EBP + tokenhandle]
Call ntadjustprivilegeen en; call adjustprivilege en to raise the permission
Push [EBP + tokenhandle]
MoV ESI, eax; eax backup
Call zwclose; close the kernel object handle
Cmp esi, 106 h; Determine ntadjustprivilege execution status: 106 H = status_not_all_assigned
JZ loc_7c947df2

After the execution is successful, output the last parameter.

CMP [EBP + oldstate], 0
MoV ECx, [EBP + isenabled]
Jnz loc_7c929e99

If oldstate! = 0

MoV Al, [EBP + enable]; it should be obvious that the Enable variable is assigned to Al, that is, the last two digits of eax.

If oldstate = 0

MoV eax, [EBP + var_18]
SHR eax, 1
And Al, 1
JMP loc_7c929adf

This is the general process of this function.

You can click F5 here.

Int _ stdcallrtladjustprivilege (INT privilege, char enable, charcurrentthread, int enabled)
{
Int result; // eax @ 2
Signed intadjustresult; // ESI @ 4
Char returnvalue; // Al @ 7
Int V7; // [SP + 2ch] [bp-4h] @ 1
Int isenabled; // [SP + 4 H] [bp-2Ch] @ 1
Int tokenhandle; // [SP + 8 h] [bp-28h] @ 2
Int dwprivilege; // [SP + 20 h] [bp-10h] @ 4
Signed intnewstate; // [SP + 1ch] [bp-14h] @ 4
Int V12; // [SP + 24 h] [BP-CH] @ 4
Int v13; // [SP + 28 h] [bp-8h] @ 4
Int oldstate; // [SP + CH] [bp-24h] @ 4
Char returnlength; // [SP + 0 h] [bp-30h] @ 4
Unsigned intv16; // [SP + 18 h] [bp-18h] @ 11

V7 = dword_7c97b0c8;
Isenabled = enabled;
If (currentthread = 1)
Result = zwopenthreadtoken (-2, 40, 0, & tokenhandle );
Else
Result = ntopenprocesstoken (-1, 40, & tokenhandle );
If (result> = 0)
{
Dwprivilege = privilege;
Newstate = 1;
V12 = 0;
V13 =-(enable! = 0) & 2;
Adjustresult = ntadjustprivilegestoken (tokenhandle, 0, & newstate, 16, & oldstate, & returnlength );
Zwclose (tokenhandle );
If (adjustresult = 262)
Adjustresult =-1073741727;
If (adjustresult> = 0)
{
If (oldstate)
Returnvalue = (V16> 1) & 1;
Else
Returnvalue = Enable;
* (_ Byte *) isenabled = returnvalue;
}
Result = adjustresult;
}
Return result;
}

It seems that the readability is still not high. Look at this...

/*************************************** ***************************************
* Rtladjustprivilege [NTDLL. @]
*
* Enables or disables a privilege from the callingthread or process.
*
* Params
* Privilege [I] privilegeindex to change.
* Enable [I] if true, then enable the privilege otherwise disable.
* Currentthread [I] if true, then enable in callingthread, otherwise process.
* Enabled [O] whether privilege was previusly enabled or disabled.
*
* Returns
* Success: STATUS_SUCCESS.
* Failure: ntstatus code.
*
* See also
* Ntadjustprivilegestoken, ntopenthreadtoken, ntopenprocesstoken.
*
*/
Ntstatus winapi
Rtladjustprivilege (ulong privilege,
Boolean enable,
Boolean currentthread,
Pboolean enabled)
{
Token_privileges newstate;
Token_privileges oldstate;
Ulong returnlength;
Handle tokenhandle;
Ntstatus status;

Trace ("(% d, % s, % s, % P) \ n", privilege, enable? "True": "false ",
Currentthread? "True": "false", enabled );

If (currentthread)
{
Status = ntopenthreadtoken (getcurrentthread (),
Token_adjust_privileges | token_query,
False,
& Tokenhandle );
}
Else
{
Status = ntopenprocesstoken (getcurrentprocess (),
Token_adjust_privileges | token_query,
& Tokenhandle );
}

If (! Nt_success (Status ))
{
Warn ("retrievingtoken handle failed (status % x) \ n", status );
Returnstatus;
}

Oldstate. privilegecount = 1;

Newstate. privilegecount = 1;
Newstate. Privileges [0]. luid. lowpart = privilege;
Newstate. Privileges [0]. luid. highpart = 0;
Newstate. Privileges [0]. Attributes = (enable )? Se_privilege_enabled: 0;

Status = ntadjustprivilegestoken (tokenhandle,
False,
& Newstate,
Sizeof (token_privileges ),
& Oldstate,
& Returnlength );
Ntclose (tokenhandle );
If (status = status_not_all_assigned)
{
Trace ("failedto assign all privileges \ n ");
Returnstatus_privilege_not_held;
}
If (! Nt_success (Status ))
{
Warn ("ntadjustprivilegestoken () failed (status % x) \ n", status );
Returnstatus;
}

If (oldstate. privilegecount = 0)
* Enabled = Enable;
Else
* Enabled = (oldstate. Privileges [0]. Attributes & se_privilege_enabled );

Return STATUS_SUCCESS;
}