Gaining SeDebugPrivilege, several flavors
    PBWin/PBCC: Gaining SeDebugPrivilege, several flavors

    SeDebugPrivilege is a very special (albeit often simple to obtain) access privilege in Windows, where the process essentially tells the OS "I'm a debugger, so you need to let me do whatever I want".
    In many cases where you have issues accessing a privileged object all you need to do is acquire SeDebugPrivilege, and access can then be granted.

    From support.microsoft.com/kb/185215: By setting the SeDebugPrivilege privilege on the running process, you can obtain the process handle of any running application. When obtaining the handle to a process, you can then specify the %PROCESS_ALL_ACCESS flag, which will allow the calling of various Win32 APIs upon that process handle, which you normally could not do. Some of the Win32 APIs that could be successfully called include TerminateProcess and CreateRemoteThread.

    Once your process has obtained SeDebugPrivilege you can even do tricks such as writing to kernel memory from your user-mode process via ZwSystemDebugControl() - yes, without a kernel-mode driver.

    ---

    RtlAdjustPrivilege (static)
    Code:
    %SE_DEBUG_PRIVILEGE = 20   ' privilege value SE_DEBUG_PRIVILEGE from winnt.h / ntddk.h
    ' Undocumented ntdll export: NTSTATUS RtlAdjustPrivilege(ULONG Privilege, BOOLEAN Enable, BOOLEAN CurrentThread, PBOOLEAN Enabled)
    DECLARE FUNCTION RtlAdjustPrivilege LIB "ntdll.dll" ALIAS "RtlAdjustPrivilege" (BYVAL lPrivilege AS LONG, BYVAL bEnable AS LONG, BYVAL bCurrentThread AS LONG, AlreadyEnabled AS LONG) AS LONG
    LOCAL bIncBufSize AS LONG   ' receives the previous state of the privilege (non-zero = it was already enabled)
    ' Return value is an NTSTATUS: 0 = STATUS_SUCCESS. A non-zero status (STATUS_PRIVILEGE_NOT_HELD) means the token does not hold the privilege at all, e.g. a non-elevated process
    IF RtlAdjustPrivilege(BYVAL %SE_DEBUG_PRIVILEGE, BYVAL 1, BYVAL 0, bIncBufSize) = 0 THEN MSGBOX "Success"
    RtlAdjustPrivilege (dynamic)
    Code:
    %SE_DEBUG_PRIVILEGE = 20
     
    ' Prototype only (no LIB clause): CALL DWORD uses it to describe the ntdll export resolved at run time
    DECLARE FUNCTION RtlAdjustPrivilege (BYVAL lPrivilege AS LONG, BYVAL bEnable AS LONG, BYVAL bCurrentThread AS LONG, AlreadyEnabled AS LONG) AS LONG
     
    FUNCTION SeDebugPrivDynamic AS LONG   ' returns 1 only if RtlAdjustPrivilege reported STATUS_SUCCESS
     LOCAL bIncBufSize AS LONG, hLib AS DWORD, hProc AS DWORD, ntStatus AS LONG
     hLib = LoadLibrary("ntdll.dll")   ' ntdll is already mapped in every process; this just takes a reference on it
     IF hLib THEN
        hProc = GetProcAddress(hLib, "RtlAdjustPrivilege")
        IF hProc THEN
           CALL DWORD hProc USING RtlAdjustPrivilege(BYVAL %SE_DEBUG_PRIVILEGE, BYVAL 1, BYVAL 0, bIncBufSize) TO ntStatus
           IF ntStatus = 0 THEN FUNCTION = 1   ' NTSTATUS 0 = STATUS_SUCCESS; non-zero means the token does not hold the privilege
        END IF
        FreeLibrary hLib
     END IF
    END FUNCTION
    The following AdjustTokenPrivileges routines are based on 2001 code from Semen Matusovski - and still working fine all these years and major OS releases later - full credit to our good friend! He's in my Top 5 PB'ers Who've Inspired Me

    AdjustTokenPrivileges (static)
    Code:
    %ERROR_NOT_ALL_ASSIGNED = 1300   ' same value as in WIN32API.INC
    
    FUNCTION EnableDebugPriv AS LONG   ' returns 1 only if SeDebugPrivilege is now enabled in the process token
          LOCAL hTokenHandle AS LONG, SeDebugNameValue AS LUID, tkp AS TOKEN_PRIVILEGES
          IF OpenProcessToken(GetCurrentProcess, %TOKEN_ADJUST_PRIVILEGES OR %TOKEN_QUERY, hTokenHandle) THEN
             IF LookupPrivilegeValue("", $SE_DEBUG_NAME, BYVAL VARPTR(SeDebugNameValue)) THEN
                tkp.PrivilegeCount = 1
                tkp.Privileges(0).Attributes = %SE_PRIVILEGE_ENABLED
                tkp.Privileges(0).pLuid = SeDebugNameValue
                ' AdjustTokenPrivileges returns non-zero even when it enabled nothing; a token that simply does not
                ' hold the privilege (typical for a non-elevated process) is only reported through GetLastError
                IF AdjustTokenPrivileges(hTokenHandle, %FALSE, tkp, SIZEOF(tkp), BYVAL 0, BYVAL 0) THEN
                   IF GetLastError <> %ERROR_NOT_ALL_ASSIGNED THEN FUNCTION = 1
                END IF
             END IF
             CloseHandle hTokenHandle
          END IF
    END FUNCTION
    AdjustTokenPrivileges (dynamic)
    Code:
    ' Types in dependency order: LUID before LUID_AND_ATTRIBUTES before TOKEN_PRIVILEGES, since each is used by the next
    TYPE LUID
      LowPart AS DWORD
      HighPart AS LONG
    END TYPE
    
    TYPE LUID_AND_ATTRIBUTES
      pLuid AS LUID
      Attributes AS DWORD
    END TYPE
    
    TYPE TOKEN_PRIVILEGES
        PrivilegeCount AS DWORD
        Privileges(0 TO 0) AS LUID_AND_ATTRIBUTES  ' array size may vary; one entry is all that is needed here
    END TYPE
    
    %ERROR_NOT_ALL_ASSIGNED = 1300   ' same value as in WIN32API.INC
    
    ' Prototypes for CALL DWORD; the real entry points are resolved from advapi32 at run time
    DECLARE FUNCTION pAdjustTokenPrivileges (BYVAL TokenHandle AS DWORD, BYVAL DisableAllPrivileges AS LONG, NewState AS ANY, BYVAL BufferLength AS DWORD, PreviousState AS ANY, ReturnLength AS DWORD) AS LONG
    DECLARE FUNCTION pOpenProcessToken (BYVAL ProcessHandle AS DWORD, BYVAL DesiredAccess AS DWORD, TokenHandle AS DWORD) AS LONG
    DECLARE FUNCTION pLookupPrivilegeValue (lpSystemName AS ASCIIZ, lpName AS ASCIIZ, lpLuid AS LUID) AS LONG
    
    FUNCTION EnableDebugPriv AS LONG   ' returns 1 only if SeDebugPrivilege is now enabled in the process token
          LOCAL hTokenHandle AS LONG, SeDebugNameValue AS LUID, tkp AS TOKEN_PRIVILEGES, L1 AS LONG, L2 AS LONG, L3 AS LONG
          LOCAL hLib AS LONG, hAdjustTokenPrivileges AS LONG, hOpenProcessToken AS LONG, hLookupPrivilegeValue AS LONG
          hLib = LoadLibrary("advapi32.dll")
          IF hLib = 0 THEN EXIT FUNCTION
          hAdjustTokenPrivileges = GetProcAddress(hLib, "AdjustTokenPrivileges")
          hOpenProcessToken = GetProcAddress(hLib, "OpenProcessToken")
          hLookupPrivilegeValue = GetProcAddress(hLib, "LookupPrivilegeValueA")   ' ANSI variant, matching the ASCIIZ prototype
          IF hAdjustTokenPrivileges <> 0 AND hOpenProcessToken <> 0 AND hLookupPrivilegeValue <> 0 THEN
             CALL DWORD hOpenProcessToken USING pOpenProcessToken(GetCurrentProcess, %TOKEN_ADJUST_PRIVILEGES OR %TOKEN_QUERY, hTokenHandle) TO L1
             IF L1 THEN
                CALL DWORD hLookupPrivilegeValue USING pLookupPrivilegeValue("", $SE_DEBUG_NAME, BYVAL VARPTR(SeDebugNameValue)) TO L2
                IF L2 THEN
                   tkp.PrivilegeCount = 1
                   tkp.Privileges(0).Attributes = %SE_PRIVILEGE_ENABLED
                   tkp.Privileges(0).pLuid = SeDebugNameValue
                   CALL DWORD hAdjustTokenPrivileges USING pAdjustTokenPrivileges(hTokenHandle, %FALSE, tkp, SIZEOF(tkp), BYVAL 0, BYVAL 0) TO L3
                   ' Non-zero return with GetLastError = ERROR_NOT_ALL_ASSIGNED means the token never held the privilege
                   IF L3 THEN
                      IF GetLastError <> %ERROR_NOT_ALL_ASSIGNED THEN FUNCTION = 1
                   END IF
                END IF
                CloseHandle hTokenHandle
             END IF
          END IF
          FreeLibrary hLib   ' release the module reference on every path, including the failure paths
    END FUNCTION
    DISABLE SeDebugPrivilege
    Code:
    %ERROR_NOT_ALL_ASSIGNED = 1300   ' same value as in WIN32API.INC
    
    FUNCTION DisableDebugPriv AS LONG   ' returns 1 only if SeDebugPrivilege is now disabled in the process token
          LOCAL hTokenHandle AS LONG, SeDebugNameValue AS LUID, tkp AS TOKEN_PRIVILEGES
          IF OpenProcessToken(GetCurrentProcess, %TOKEN_ADJUST_PRIVILEGES OR %TOKEN_QUERY, hTokenHandle) THEN
             IF LookupPrivilegeValue("", $SE_DEBUG_NAME, BYVAL VARPTR(SeDebugNameValue)) THEN
                tkp.PrivilegeCount = 1
                ' Attributes = 0 clears SE_PRIVILEGE_ENABLED: the privilege stays in the token and can be re-enabled later.
                ' %SE_PRIVILEGE_REMOVED (4) would instead strip it from the token for the life of the process.
                tkp.Privileges(0).Attributes = 0
                tkp.Privileges(0).pLuid = SeDebugNameValue
                IF AdjustTokenPrivileges(hTokenHandle, %FALSE, tkp, SIZEOF(tkp), BYVAL 0, BYVAL 0) THEN
                   IF GetLastError <> %ERROR_NOT_ALL_ASSIGNED THEN FUNCTION = 1
                END IF
             END IF
             CloseHandle hTokenHandle
          END IF
    END FUNCTION
    Last edited by Wayne Diamond; 16 Jul 2014, 09:22 AM.
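The same OpenProcessToken / LookupPrivilegeValue / AdjustTokenPrivileges sequence, as an added example that is not part of Wayne Diamond's post and not PowerBASIC: it is PowerShell with a P/Invoke wrapper, chosen so the result can be verified interactively. It shows the check a practitioner needs around AdjustTokenPrivileges (the call returns TRUE even when it enabled nothing, signalling that only through GetLastError = 1300, ERROR_NOT_ALL_ASSIGNED), then proves the effect by requesting PROCESS_ALL_ACCESS on a SYSTEM process before and after. Assumptions: Windows PowerShell 5.1 or PowerShell 7 on Windows, an elevated session (a non-elevated token does not contain SeDebugPrivilege at all, so Set returns $false), and winlogon.exe as an arbitrary test target; the class name TokenPriv and its methods are this example's own.

```powershell
# Added example (not from the original post). Enable SeDebugPrivilege through
# AdjustTokenPrivileges, with the ERROR_NOT_ALL_ASSIGNED check, and confirm the
# effect on a SYSTEM process. Requires an elevated Windows PowerShell/PowerShell 7.
$src = @'
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;

public static class TokenPriv
{
    [StructLayout(LayoutKind.Sequential)]
    public struct LUID { public uint LowPart; public int HighPart; }

    // TOKEN_PRIVILEGES with exactly one LUID_AND_ATTRIBUTES entry (16 bytes).
    [StructLayout(LayoutKind.Sequential)]
    public struct TOKEN_PRIVILEGES
    {
        public uint PrivilegeCount;
        public LUID Luid;
        public uint Attributes;
    }

    const uint TOKEN_QUERY             = 0x0008;
    const uint TOKEN_ADJUST_PRIVILEGES = 0x0020;
    const uint SE_PRIVILEGE_ENABLED    = 0x0002;
    const uint PROCESS_ALL_ACCESS      = 0x1FFFFF;   // value on Vista and later
    const int  ERROR_NOT_ALL_ASSIGNED  = 1300;

    [DllImport("kernel32.dll")] static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll", SetLastError = true)] static extern bool CloseHandle(IntPtr h);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LookupPrivilegeValue(string system, string name, out LUID luid);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool AdjustTokenPrivileges(IntPtr token, bool disableAll,
        ref TOKEN_PRIVILEGES newState, uint len, IntPtr prevState, IntPtr retLen);

    // Enable (or disable) one named privilege on the current process token.
    // Returns true only if the privilege really is in the requested state now.
    public static bool Set(string name, bool enable)
    {
        IntPtr tok;
        if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, out tok))
            throw new Win32Exception();
        try
        {
            TOKEN_PRIVILEGES tp = new TOKEN_PRIVILEGES();
            tp.PrivilegeCount = 1;
            tp.Attributes = enable ? SE_PRIVILEGE_ENABLED : 0u;
            if (!LookupPrivilegeValue(null, name, out tp.Luid))
                throw new Win32Exception();
            bool ok = AdjustTokenPrivileges(tok, false, ref tp,
                (uint)Marshal.SizeOf(typeof(TOKEN_PRIVILEGES)), IntPtr.Zero, IntPtr.Zero);
            int err = Marshal.GetLastWin32Error();   // read before any other API call
            if (!ok) throw new Win32Exception(err);
            // ok == true together with err == 1300 means the token never held this
            // privilege (typically: not elevated). That is a failure, not a success.
            return err != ERROR_NOT_ALL_ASSIGNED;
        }
        finally { CloseHandle(tok); }
    }

    // Can we get a full-access handle to pid? With SeDebugPrivilege enabled the
    // kernel bypasses the target's DACL, so this succeeds on SYSTEM processes.
    // It still fails for protected (PPL) processes, whatever privileges are held.
    public static bool CanOpenAllAccess(int pid)
    {
        IntPtr h = OpenProcess(PROCESS_ALL_ACCESS, false, pid);
        if (h == IntPtr.Zero) return false;
        CloseHandle(h);
        return true;
    }
}
'@
Add-Type -TypeDefinition $src   # re-running in the same session fails: the type already exists

# Test target: a SYSTEM-owned winlogon instance (any PID works; chosen for illustration).
$target = (Get-Process -Name winlogon | Select-Object -First 1).Id

"before: PROCESS_ALL_ACCESS to winlogon ($target) = $([TokenPriv]::CanOpenAllAccess($target))"
$enabled = [TokenPriv]::Set('SeDebugPrivilege', $true)
"SeDebugPrivilege enabled = $enabled"
"after : PROCESS_ALL_ACCESS to winlogon ($target) = $([TokenPriv]::CanOpenAllAccess($target))"

# Independent confirmation read straight from the token.
whoami /priv | Select-String 'SeDebugPrivilege'

# Drop it again when done; keep the privilege enabled only while acting as a debugger.
$null = [TokenPriv]::Set('SeDebugPrivilege', $false)
```

.NET already ships the enable half of this as [System.Diagnostics.Process]::EnterDebugMode(), which performs the same AdjustTokenPrivileges call and throws a Win32Exception when the privilege could not be enabled; the hand-rolled version above is there to make the ERROR_NOT_ALL_ASSIGNED distinction visible, since the PowerBASIC routines in the post only test the function's return value.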