Page 3 of 3

Posted: Tue Jul 18, 2006 8:46 pm
by Henrik
KarLKoX wrote:
The archive was updated with some changes.
About the odd thing, read the code well, i never wrote this, but i set first the privilege with the pid, the param for the ObtainSeDebugPrivilege is just named hProcess but the hProcess is the pid :) .
Sorry if i sounded disapproving or something, it wasn't meant that way at all, i was editing the post while writing. :oops:
What i meant about the odd thing was that i didn't get any process with (pid = 40), so how could OpenProcessToken return true ? :?: :shock:
so the odd stuff came in wrong here, sorry..

KarLKoX wrote:
Btw, it should never work for the pid, this is why with the modified source you will see that i use GetCurrentProcess_() instead to set the privilege on our process, which then should be able to be used on the target process.

It shouldn't ? do you mean the real pid of Explorer (mine = 1436) or when i used OpenProcess on it and got 40 ? i'm still confused about how it could return true on a pid that doesn't exist :shock:

I just came home, will take a closer look in an hour or so..

Okay but, but - (sorry if i sound real stupid here) - but when we use GetCurrentProcess_() we use that (@hToken of our own process) in AdjustTokenPrivileges(), or did i just lose it here ? (i don't really understand this Token thing)
Sorry if i talk nonsense here, i need some coffee first :D , and then a closer look at what you did, cu later :D

Best Henrik

Posted: Tue Jul 18, 2006 9:51 pm
by KarLKoX
Hi :)
I don't understand, you mean that OpenProcessToken() returns True with a dummy value, a value you type ? ie : If ObtainSeDebugPrivilege(40) = #False ...
If so, i've just checked this with explorer.exe and OpenProcessToken() returns false for me, this is why i use our process value using GetCurrentProcess_().
OpenProcess should not return a value > 0 for explorer.exe (i need to know exactly why).
About tokens, a token is created when you log on to windows, it saves security information (user id, group id and your privileges).
A token is associated with every process, so OpenProcessToken() retrieves this token for our process, then we can adjust our privileges on this token.
A more robust security privilege access exists using ACL (Access List Control), it is not a windows concept but a posix concept (all unices), it allows unlimited users to access a process of a group different from theirs; with tokens, the user must be a user of the same group, and this difference allows a lot more things.
I am also a beginner, i never heard about token/acl before this post, this is why i need a lot of time to understand why the code doesn't want to work :P

Posted: Wed Jul 19, 2006 12:24 am
by Henrik
Hi Thank you for the information on token :)

About ObtainSeDebugPrivilege, (very confused) : Well it does return true.
i did this:

Code:

  hProcess = OpenProcess_(#PROCESS_ALL_ACCESS, #False, hProcess)   ; hProcess holds the pid at this point
  PrintN("hProcess "+Str(hProcess))
  result = OpenProcessToken_(hProcess, #TOKEN_ADJUST_PRIVILEGES | #TOKEN_QUERY, @hToken)
And result is = true.
I did this because i've seen this in some cpp source, if i'm not reading them wrong, he he.
GetCurrentProcess_() btw returns -1
and OpenProcessToken_(-1, #TOKEN_ADJUST_PRIVILEGES | #TOKEN_QUERY, @hToken) will return True with -1

from the win32.hlp (The GetCurrentProcess function returns a pseudohandle for the current process.)
I was going to post a cpp ex. but i must be hallucinating, can't find it now, guess i need sleep lol. brb. if i find it :?

Okay found it, i don't know if it's too much to post cpp code here so i just post snips of it, it doesn't inject btw ..
But i think you're right, it's something about raising your privilege with GetCurrentProcess() before you can access
a process with higher privilege, (Zzzz you can't even say what i just said in danish)..
and my cpp skills are just as good as my english ...

Code:

// from main
hp = OpenProcess( PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pid[i] );
if ( isBadHandle( hp ) )
// bla...
... snip
// now, to the meat of the matter
if ( dumpToken( hp, showInfo ) )
    ++ interactiveProcesses;
// end main

// from dumpToken
bool dumpToken( HANDLE hp, bool doDisplay /* = true */ )
// bla..
.. snip
if ( ! OpenProcessToken( hp, TOKEN_QUERY | TOKEN_QUERY_SOURCE, &ht ) )
{
    if ( doDisplay )
        printf( "  OpenProcessToken( T_Q_S ): gle = %lu, "
                "trying without TOKEN_QUERY_SOURCE\n", gle );
    querySource = false;
// end dumpToken

and i btw found a PellesC ex. on injecting a MessageBox in Explorer.exe and it works, but of course this one doesn't use ObtainSeDebugPrivilege .. or dll injecting
sigh :( ...

Best Henrik

Posted: Thu Jul 20, 2006 4:40 pm
by KarLKoX
Ok, i found why the dll is not mapped into the address space of explorer : i must pass the full path of our dll, it is as simple as that ^_^
So, the code is now :

Code:

; unoptimized strrchr function: returns the 1-based position of the last
; occurrence of substr in string, or 0 if it is not found
Procedure Strrchr(string.s, substr.s)
  Protected endpos.l, char.s

  endpos = Len(string)
  While 1
    char = Mid(string, endpos, 1)
    If char = substr Or endpos <= 0
      Break
    EndIf
    endpos - 1
  Wend

  ProcedureReturn endpos
EndProcedure

Procedure ObtainSeDebugPrivilege(hProcess.l)
  [...]
  ; build the full path of the dll from our own executable's directory:
  ; a bare file name is not mapped into explorer, the full path is required
  curdir.s = Space(#MAX_PATH)
  GetModuleFileName_(GetModuleHandle_(0), @curdir, #MAX_PATH)
  curdir = Mid(curdir, 1, Strrchr(curdir, "\"))   ; keeps the trailing backslash

  szLibFile = Space(#MAX_PATH)
  szLibFile = curdir + "dll_hook.dll"
  [...]
But the function is not injected, it is because explorer hides the import table, it uses functions imported by ordinal, this is the next step.

Posted: Thu Jul 20, 2006 7:45 pm
by Henrik
BUT IT DOES, IT FREAKING DOES :shock: :D
You are der MAN KarLKoX 8) :D

It works from CMD, but not from the ide, this is just F****** fabulous :shock:
i nearly gave up, and in the original source i even changed the path so it wasn't the full path. :oops:

To be honest i never would have thought of that, lol

Are you sure it doesn't work from the commandline for you ?
KarLKoX wrote:
But the function is not injected, it is because explorer hides the import table, it uses functions imported by ordinal, this is the next step.
I have not a clue what -"import function by ordinal"- is :D , but it seems that as long as you do, it can't go wrong :wink:

This is the list of modules in the Explorer.exe process that starts when windows starts up, this is the one and only explorer process running :
The third last is the Dll_hook

Code:

C:\WINDOWS\Explorer.EXE 1000000
C:\WINDOWS\system32\ntdll.dll 7C900000
C:\WINDOWS\system32\kernel32.dll 7C800000
C:\WINDOWS\system32\msvcrt.dll 77C00000
C:\WINDOWS\system32\ADVAPI32.dll 77DC0000
C:\WINDOWS\system32\RPCRT4.dll 77E70000
C:\WINDOWS\system32\GDI32.dll 77F10000
C:\WINDOWS\system32\USER32.dll 77D30000
C:\WINDOWS\system32\SHLWAPI.dll 77F60000
C:\WINDOWS\system32\SHELL32.dll 7C9C0000
C:\WINDOWS\system32\ole32.dll 774D0000
C:\WINDOWS\system32\OLEAUT32.dll 77110000
C:\WINDOWS\system32\BROWSEUI.dll 75F60000
C:\WINDOWS\system32\SHDOCVW.dll 77750000
C:\WINDOWS\system32\CRYPT32.dll 77A70000
C:\WINDOWS\system32\MSASN1.dll 77B10000
C:\WINDOWS\system32\CRYPTUI.dll 76660000
C:\WINDOWS\system32\WINTRUST.dll 76C20000
C:\WINDOWS\system32\IMAGEHLP.dll 76C80000
C:\WINDOWS\system32\NETAPI32.dll 60930000
C:\WINDOWS\system32\WININET.dll 771A0000
C:\WINDOWS\system32\WLDAP32.dll 76F50000
C:\WINDOWS\system32\VERSION.dll 77BF0000
C:\WINDOWS\system32\UxTheme.dll 5B250000
C:\WINDOWS\system32\ShimEng.dll 5D060000
C:\WINDOWS\AppPatch\AcGenral.DLL 59780000
C:\WINDOWS\system32\WINMM.dll 76B30000
C:\WINDOWS\system32\MSACM32.dll 77BD0000
C:\WINDOWS\system32\USERENV.dll 769B0000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll 773C0000
C:\WINDOWS\system32\comctl32.dll 5D5A0000
C:\WINDOWS\system32\appHelp.dll 77B30000
C:\WINDOWS\system32\CLBCATQ.DLL 76FC0000
C:\WINDOWS\system32\COMRes.dll 77040000
C:\WINDOWS\System32\cscui.dll 77A10000
C:\WINDOWS\System32\CSCDLL.dll 765E0000
C:\WINDOWS\system32\themeui.dll 60020000
C:\WINDOWS\system32\Secur32.dll 77FE0000
C:\WINDOWS\system32\MSIMG32.dll 76360000
C:\WINDOWS\system32\xpsp2res.dll 20000000
C:\WINDOWS\system32\SAMLIB.dll 71BC0000
C:\WINDOWS\system32\SETUPAPI.dll 77910000
C:\WINDOWS\system32\urlmon.dll 77250000
C:\WINDOWS\system32\LINKINFO.dll 76970000
C:\WINDOWS\system32\ntshrui.dll 76980000
C:\WINDOWS\system32\ATL.DLL 76B10000
C:\WINDOWS\system32\msi.dll 745E0000
C:\WINDOWS\system32\NETSHELL.dll 763E0000
C:\WINDOWS\system32\rtutils.dll 76E70000
C:\WINDOWS\system32\credui.dll 76BF0000
C:\WINDOWS\system32\WS2_32.dll 71A80000
C:\WINDOWS\system32\WS2HELP.dll 71A70000
C:\WINDOWS\system32\iphlpapi.dll 76D50000
C:\WINDOWS\system32\msieftp.dll 5E2E0000
C:\WINDOWS\system32\MSCTF.dll B50000
C:\WINDOWS\system32\WINSTA.dll 76340000
C:\WINDOWS\system32\webcheck.dll 74AF0000
C:\WINDOWS\system32\WSOCK32.dll 71AA0000
C:\WINDOWS\system32\stobject.dll 76590000
C:\WINDOWS\system32\BatMeter.dll 74AB0000
C:\WINDOWS\system32\POWRPROF.dll 74A90000
C:\WINDOWS\system32\WTSAPI32.dll 76F40000
C:\WINDOWS\system32\wdmaud.drv 72CD0000
C:\WINDOWS\system32\msacm32.drv 72CC0000
C:\WINDOWS\system32\midimap.dll 77BC0000
C:\WINDOWS\system32\rsaenh.dll FFD0000
C:\WINDOWS\system32\MPR.dll 71AF0000
C:\WINDOWS\System32\ntlanman.dll 71BE0000
C:\WINDOWS\System32\NETUI0.dll 71CA0000
C:\WINDOWS\System32\NETUI1.dll 71C60000
C:\WINDOWS\System32\NETRAP.dll 71C50000
C:\WINDOWS\System32\drprov.dll 75F40000
C:\WINDOWS\System32\davclnt.dll 75F50000
C:\Programmer\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll 10000000
C:\WINDOWS\system32\shdoclc.dll 1A90000
C:\Programmer\PureBasicV4\All-Source\Inf0Byt3\Hook\KarLKoX\Hook3\dll_hook.dll DA0000
C:\WINDOWS\system32\CRTDLL.dll 73D40000
C:\WINDOWS\system32\PSAPI.DLL 76BE0000
All right, "IMAGEHLP.dll" isn't injected, it's in other processes i have injected, dunno if that matters, but i used "KERNEL32.DLL",
i have injected half the processes running, maybe i should reboot soon

Best Regards Henrik :)
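Henrik found dll_hook.dll in that module list by eye. The following Python script is an added example (not code from the thread or from KarLKoX's archive) of how a defender automates the same check: parse a module list in the same "path baseaddress" format, diff it against a baseline snapshot of the process, and report new modules loaded from outside the Windows directory. The two sample lists are constructed, with shortened paths.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample lists (not from the thread) in the same "path baseaddress"
# format as the list posted above: a baseline snapshot of Explorer.EXE's modules
# and a later snapshot. Base addresses are hex without a 0x prefix.
BASELINE = """\
C:\\WINDOWS\\Explorer.EXE 1000000
C:\\WINDOWS\\system32\\ntdll.dll 7C900000
C:\\WINDOWS\\system32\\kernel32.dll 7C800000
C:\\Programmer\\Adobe\\Acrobat 7.0\\ActiveX\\PDFShell.dll 10000000
"""
CURRENT = BASELINE + """\
C:\\Programmer\\PureBasicV4\\Hook3\\dll_hook.dll DA0000
C:\\WINDOWS\\system32\\PSAPI.DLL 76BE0000
"""

SYSTEM_ROOT = "c:\\windows\\"  # where a stock Windows process's modules live

# Path is everything before the last space (paths may contain spaces), then hex.
LINE_RE = re.compile(r"^(?P<path>.+) (?P<base>[0-9A-Fa-f]+)$")


def parse_modules(text: str) -> Dict[str, int]:
    """Map lower-cased module path -> base address; blank lines are skipped."""
    modules: Dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable module line: {line!r}")
        modules[m.group("path").lower()] = int(m.group("base"), 16)
    return modules


def diff_modules(baseline: str, current: str) -> Tuple[List[str], List[str]]:
    """(added, removed) module paths relative to the baseline, case-insensitive."""
    before, after = parse_modules(baseline), parse_modules(current)
    return sorted(after.keys() - before.keys()), sorted(before.keys() - after.keys())


def suspicious_modules(current: str, baseline: str) -> List[str]:
    """New modules loaded from outside the Windows directory, like dll_hook.dll
    above; a new module under C:\\WINDOWS shows up in diff_modules only."""
    added, _ = diff_modules(baseline, current)
    return [path for path in added if not path.startswith(SYSTEM_ROOT)]
```

A shell extension such as PDFShell.dll lives outside C:\WINDOWS too, which is why the comparison is against a baseline rather than against the system directory alone.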

Posted: Thu Jul 20, 2006 8:52 pm
by Henrik
Hi, As a user with a limited account i need to enter the Pid directly, otherwise it doesn't work .. ? :?

Best Henrik