debug priv for win process
yehoudie committed Sep 16, 2024

1 parent 9552c6b commit 552c0d6
Showing 3 changed files with 117 additions and 5 deletions.
7 changes: 6 additions & 1 deletion src/ProcessHandlerWin.c
@@ -15,6 +15,8 @@
#include "utils/Helper.h"
#include "utils/Strings.h"

//#include "utils/win/processes.h"

#define PAGE_R_W_E ((PAGE_READONLY|PAGE_READWRITE|PAGE_WRITECOPY|PAGE_EXECUTE_READ|PAGE_EXECUTE_READWRITE|PAGE_EXECUTE_WRITECOPY))

typedef int (*MemInfoCallback)(HANDLE, MEMORY_BASIC_INFORMATION*);
@@ -800,7 +802,10 @@ BOOL openProcess(HANDLE* process, uint32_t pid)
{
// uint32_t lpExitCode = 0;

(*process) = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
uint32_t access = PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_QUERY_INFORMATION | PROCESS_QUERY_LIMITED_INFORMATION;
//uint32_t access = PROCESS_ALL_ACCESS;

(*process) = OpenProcess(access, FALSE, pid);
if ((*process) == NULL)
{
printf("ERROR (0x%lx): OpenProcess %u failed\n", GetLastError(), pid);
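Review bot: The commented-out fallback `//uint32_t access = PROCESS_ALL_ACCESS;` and the commented-out `//#include "utils/win/processes.h"` in the first hunk are dead code and should be deleted rather than kept as comments; the narrowed access mask is the right change and version control preserves the old value. `PROCESS_QUERY_INFORMATION` already grants `PROCESS_QUERY_LIMITED_INFORMATION`, so the mask can drop the latter, and since `OpenProcess` takes a `DWORD` for the desired access, declaring `access` as `DWORD` keeps the types aligned. openProcess's body continues outside the hunk.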
24 changes: 20 additions & 4 deletions src/hexter.c
@@ -30,6 +30,7 @@
#elif defined(_WIN32)
#include <process.h>
#include <time.h>
#include "utils/win/processes.h"
#include "ProcessHandlerWin.h"
#endif
#include "utils/Strings.h"
@@ -154,10 +155,25 @@ int run(const char payload_format, const char* raw_payload)

if ( pid == 0 )
pid = getpid();
//#if defined(__linux__) || defined(__linux) || defined(linux)
// pid = getpid();
//#elif defined(_WIN32)
//#endif

#ifdef _WIN32
if ( IsProcessElevated(pid) )
{
debug_info("elevated!\n");
PCHAR privileges[1] = {
SE_DEBUG_NAME
};
ULONG privilegesCount = _countof(privileges);

s = AddPrivileges(privileges, privilegesCount);
if ( s != 0 )
{
EPrint("AddPrivileges failed! (0x%x)\n", GetLastError());
}
debug_info("debug enabled!\n");
}
#endif

file_size = getSizeOfProcess(pid);
if ( file_size == 0 )
return -2;
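Review bot: `IsProcessElevated(pid)` passes the target pid, but the function defined in `utils/win/processes.h` takes no parameters and inspects the current process's token via `GetCurrentProcess()`, so the argument is silently ignored and the check says nothing about `pid`; call it as `IsProcessElevated()` and, if the target's elevation matters here, that needs a separate check. `debug_info("debug enabled!\n")` is also printed when `AddPrivileges` failed, and the `EPrint` reports `GetLastError()` although `s` already holds the error code the function returned, so `if ( s != 0 ) { EPrint("AddPrivileges failed! (0x%x)\n", s); } else { debug_info("debug enabled!\n"); }` would be more accurate. run()'s body starts and ends outside the hunk.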
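--- a/src/utils/win/processes.h
+++ b/src/utils/win/processes.h
@@ -0,0 +1,91 @@
+#pragma once
+
+typedef struct _MODULE_INFO {
+PVOID Base;
+ULONG Size;
+} MODULE_INFO, *PMODULE_INFO;
+
+
+/**
+*
+*/
+INT AddPrivileges(
+PCHAR *Privileges,
+UINT32 PrivilegeCount
+)
+{
+INT s = 0;
+HANDLE htoken;
+ULONG i;
+
+TOKEN_PRIVILEGES* p = NULL;
+
+if ( OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &htoken) )
+{
+size_t htokenSize = sizeof(TOKEN_PRIVILEGES) + (PrivilegeCount-1) * sizeof(LUID_AND_ATTRIBUTES);
+p = (PTOKEN_PRIVILEGES)malloc(htokenSize);
+if ( !p )
+{
+s = GetLastError();
+goto clean;
+}
+
+for ( i = 0; i < PrivilegeCount; i++ )
+{
+if ( !LookupPrivilegeValueA(NULL, Privileges[i], &(p->Privileges[i].Luid)) )
+{
+s = GetLastError();
+goto clean;
+}
+
+p->Privileges[i].Attributes = SE_PRIVILEGE_ENABLED;
+}
+p->PrivilegeCount = PrivilegeCount;
+
+if ( !AdjustTokenPrivileges(htoken, FALSE, p, (ULONG)htokenSize, NULL, NULL)
+|| GetLastError() != ERROR_SUCCESS )
+{
+s = GetLastError();
+goto clean;
+}
+}
+else
+{
+s = GetLastError();
+goto clean;
+}
+
+clean:
+if ( p )
+free(p);
+
+return s;
+}
+
+BOOL IsProcessElevated()
+{
+BOOL fIsElevated = FALSE;
+HANDLE hToken = NULL;
+TOKEN_ELEVATION elevation;
+DWORD dwSize;
+
+if ( !OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken) )
+{
+goto clean; // if Failed, we treat as False
+}
+
+if (!GetTokenInformation(hToken, TokenElevation, &elevation, sizeof(elevation), &dwSize))
+{
+goto clean;// if Failed, we treat as False
+}
+
+fIsElevated = elevation.TokenIsElevated;
+
+clean:
+if (hToken)
+{
+CloseHandle(hToken);
+hToken = NULL;
+}
+return fIsElevated;
+}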
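Review bot: `AddPrivileges` never closes `htoken` after `OpenProcessToken` succeeds, so every call leaks a token handle; the `CloseHandle` belongs in the `clean` path, as `IsProcessElevated` already does for its own token. In the same function `PrivilegeCount == 0` makes `(PrivilegeCount-1)` wrap to a huge allocation size, and on `malloc` failure `GetLastError()` is not set by the C runtime allocator, so `s` may stay 0 and report success. Both functions are defined non-`static` in a header, so including it from a second translation unit (which `src/ProcessHandlerWin.c` apparently attempted, judging by its commented-out include) yields duplicate-symbol link errors; marking them `static` or moving the bodies to a .c file fixes that, and `IsProcessElevated` should be declared `(void)` so the compiler rejects the stray argument `hexter.c` passes. The `/** */` block above `AddPrivileges` is empty and should state that it enables the named privileges on the current process token and returns 0 or a Win32 error code.
```c
static INT AddPrivileges(
PCHAR *Privileges,
UINT32 PrivilegeCount
)
{
INT s = 0;
HANDLE htoken = NULL;
ULONG i;

TOKEN_PRIVILEGES* p = NULL;

if ( PrivilegeCount == 0 )
    return ERROR_INVALID_PARAMETER; // avoids (PrivilegeCount-1) wrapping below

// … unchanged: OpenProcessToken, htokenSize computation …
p = (PTOKEN_PRIVILEGES)malloc(htokenSize);
if ( !p )
{
    s = ERROR_NOT_ENOUGH_MEMORY; // malloc does not set the Win32 last error
    goto clean;
}
// … unchanged: LookupPrivilegeValueA loop, AdjustTokenPrivileges, else branch …

clean:
if ( htoken )
    CloseHandle(htoken);
free(p);

return s;
}
```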
