Windows 10 AdjustTokenPrivileges TerminateProcess SE_DEBUG_NAME

[TouEnMasm]

Hello,
I try to make work TerminateProcess in windows 10 and it fail even with a level "requireAdministrator" (MANIFEST).
MSDN say that the process need  the SE_DEBUG_NAME property to make it work.
So i use AdjustTokenPrivileges to try done it.
I try a code given by a "Code Guru" sample,I have compare it  the code given here.
I use it in a dll,not in dll with always the same result,failed.
Is anyone had made it work in Windows 10 (It work on other system) ?.

[Adamanteus]

I've made in console program - it's accept debug privelegies ...

[Vortex]

Hi TouEnMasm,

What happens when you disable the user account control?

[TouEnMasm]

What happens when you disable the user account control?

How Can I do That ?

[Vortex]

https://winaero.com/how-to-turn-off-and-disable-uac-in-windows-10/

[TouEnMasm]

I have find it in french and made test with no more result.
I win gpedit.msc  (groupe policy edit)
Nothing seem disable.
Find a compound solution with all samples

   .if CreatedprocessInfo.hProcess != 0  ;If a created process is running
      invoke MessageBox,NULL,ADDR MesDetruireProcess,TXT("Un Process est en cours d'éxécution"),MB_YESNO       
      .if eax == IDYES
      ; ne pas lancer deux programmes en meme temps
         ;le process peut s'etre terminé le temps de la messagebox   
         invoke OpenProcess,DELETE or PROCESS_TERMINATE, FALSE,CreatedprocessInfo.dwProcessId
         .if eax != 0
            mov CreatedprocessInfo.hProcess,eax
            invoke TerminateProcess,CreatedprocessInfo.hProcess,0 ;pas de retour
            ;invoke RetrouveMessageErreur,TXT("   TerminateProcess")             
            invoke ResumeThread, CreatedprocessInfo.hThread
              invoke CloseHandle, CreatedprocessInfo.hThread
              invoke CloseHandle, CreatedprocessInfo.hProcess
         ;.else
            ;invoke RetrouveMessageErreur,TXT(" OpenProcess")
         .endif

But this,don't give me the soluce to change the privileges.

[morgot]

You can use native api - in this case this is simpler. But in Windows 10 there are  several system processes that cannot be terminated with any privileges.

Code: [Select]

.686                   
.model flat, stdcall
option casemap :none

include \masm32\include\windows.inc
include \masm32\macros\macros.asm
uselib ntdll,kernel32,user32

.const
SE_DEBUG_PRIVILEGE equ 20

.data
pid dd 2492 ;PUT HERE YOU PID PROCESS

.data?
hProc dd ?
OldPrivilege dd ?
.code
start:

invoke RtlAdjustPrivilege, SE_DEBUG_PRIVILEGE,TRUE,FALSE,addr OldPrivilege
invoke OpenProcess,PROCESS_TERMINATE,0,pid

.if eax
mov hProc,eax
invoke TerminateProcess,hProc,0
.if !eax
fn MessageBox,0,LastError$(),"TerminateProcess error",MB_OK
.else
fn MessageBox,0,LastError$(),"TerminateProcess suxxess",MB_OK
.endif
.else
fn MessageBox,0,LastError$(),"OpenProcess error",MB_OK
.endif

exit
end start

[mineiro]

user AW have done a good job in this, did you check this link?
http://masm32.com/board/index.php?topic=8259.0

[TouEnMasm]

It seems there is a problem with the return value of AdjustTokenPrivileges
https://docs.microsoft.com/en-us/windows/win32/secauthz/enabling-and-disabling-privileges-in-c--
The GetLastError function return 0 even when the function don't return ERROR_SUCCESS
Here a piece of prog to test it.
and the compiled microsoft sample

[morgot]

Code: [Select]

SetPrivilege proc hToken:dword,lpszPrivilege:dword,bEnablePrivilege:dword
local tp:TOKEN_PRIVILEGES
local luid:LUID

invoke LookupPrivilegeValue,0,lpszPrivilege,addr luid
test eax,eax
jz @err
mov tp.PrivilegeCount,1
push luid.LowPart
pop tp.Privileges[0].Luid.LowPart
push luid.HighPart
pop tp.Privileges[0].Luid.HighPart

mov eax,bEnablePrivilege
    .if eax == 1
        mov tp.Privileges[0].Attributes,SE_PRIVILEGE_ENABLED
    .else
xor eax,eax
        mov tp.Privileges[0].Attributes,eax
.endif

invoke AdjustTokenPrivileges,hToken,FALSE,addr tp,sizeof TOKEN_PRIVILEGES,0,0
test eax,eax
jz @err

invoke GetLastError
cmp eax,ERROR_NOT_ALL_ASSIGNED
je @err

;ALL OK, return TRUE
xor eax,eax
inc eax
jmp @ex
@err:
fn MessageBox,0,LastError$(),"Last Error Text",MB_OK
xor eax,eax ;else return FALSE
@ex:
ret
SetPrivilege endp

usage

invoke SetPrivilege,hToken,chr$("SeDebugPrivilege"),TRUE

[TouEnMasm]

It seems there is plentifull of  help pages on the subject (too much for me).
I finally think than to avoid microsoft changes another method is a best way.
Createprocees give the processInfo.dwProcessId.
This one can be compare with the one given by EnumWindows.
EnumWindows give the handle (hwnd) of the created process.
And when you have this one,you can do what you want (sendmessge,hwnd,WM_CLOSE,0  or oher thing)

            invoke EnumWindows,EnumWindowsProc,NULL
;-----------------------------------------------------------------------------------------------------
;################################################################
EnumWindowsProc PROC hwnd:DWORD, lParam:DWORD
   Local dwProcessId:DWORD,lenclass,rexecuteclass[100]:BYTE
   Local infowin:WINDOWINFO
   Local classname[50]:BYTE   
   mov dwProcessId,1
   ;plusieurs instances peuvent exister
   invoke GetWindowThreadProcessId,hwnd,addr dwProcessId
   mov eax,dwProcessId   
   ;.if eax == processInfo.dwProcessId   || eax == processInfo.dwThreadId ;c'est le même,on a sa fenêtre
      ;PuPo HwndEdit,hwnd      
      ;avec sa fenêtre on a sa class
      invoke GetWindowInfo,hwnd,addr infowin
      invoke GetClassName,hwnd,addr rexecuteclass,sizeof rexecuteclass
      
      ;invoke MessageBox,NULL,addr rexecuteclass,TXT("ClassName"),MB_OK
      invoke EcrireRapport,addr rexecuteclass
      mov eax,FALSE ;arréter la boucle
   ;.else
      mov eax,TRUE
   ;.endif   
   ret
EnumWindowsProc ENDP