Author Topic: Windows 10 AdjustTokenPrivileges TerminateProcess SE_DEBUG_NAME  (Read 748 times)

TouEnMasm

  • Member
  • *****
  • Posts: 1568
    • EditMasm
Windows 10 AdjustTokenPrivileges TerminateProcess SE_DEBUG_NAME
« on: October 06, 2020, 07:38:49 PM »
Hello,
I try to make work TerminateProcess in windows 10 and it fail even with a level "requireAdministrator" (MANIFEST).
MSDN say that the process need  the SE_DEBUG_NAME property to make it work.
So i use AdjustTokenPrivileges to try done it.
I try a code given by a "Code Guru" sample,I have compare it  the code given here.
I use it in a dll,not in dll with always the same result,failed.
Is anyone had made it work in Windows 10 (It work on other system) ?.
Fa is a musical note to play with CL

Adamanteus

  • Member
  • **
  • Posts: 240
    • LLC "AMS"
Re: Windows 10 AdjustTokenPrivileges TerminateProcess SE_DEBUG_NAME
« Reply #1 on: October 06, 2020, 08:23:49 PM »
I've made in console program - it's accept debug privelegies ...

Vortex

  • Member
  • *****
  • Posts: 2506
Re: Windows 10 AdjustTokenPrivileges TerminateProcess SE_DEBUG_NAME
« Reply #2 on: October 06, 2020, 08:31:02 PM »
Hi TouEnMasm,

What happens when you disable the user account control?

TouEnMasm

  • Member
  • *****
  • Posts: 1568
    • EditMasm
Re: Windows 10 AdjustTokenPrivileges TerminateProcess SE_DEBUG_NAME
« Reply #3 on: October 06, 2020, 08:33:56 PM »

Quote
What happens when you disable the user account control?
How Can I do That ?
Fa is a musical note to play with CL


TouEnMasm

  • Member
  • *****
  • Posts: 1568
    • EditMasm
Re: Windows 10 AdjustTokenPrivileges TerminateProcess SE_DEBUG_NAME
« Reply #5 on: October 07, 2020, 03:30:04 AM »
I have find it in french and made test with no more result.
I win gpedit.msc  (groupe policy edit)
Nothing seem disable.
Find a compound solution with all samples
Quote
   .if CreatedprocessInfo.hProcess != 0  ;If a created process is running
      invoke MessageBox,NULL,ADDR MesDetruireProcess,TXT("Un Process est en cours d'éxécution"),MB_YESNO       
      .if eax == IDYES
      ; ne pas lancer deux programmes en meme temps
         ;le process peut s'etre terminé le temps de la messagebox   
         invoke OpenProcess,DELETE or PROCESS_TERMINATE, FALSE,CreatedprocessInfo.dwProcessId
         .if eax != 0
            mov CreatedprocessInfo.hProcess,eax
            invoke TerminateProcess,CreatedprocessInfo.hProcess,0 ;pas de retour
            ;invoke RetrouveMessageErreur,TXT("   TerminateProcess")             
            invoke ResumeThread, CreatedprocessInfo.hThread
              invoke CloseHandle, CreatedprocessInfo.hThread
              invoke CloseHandle, CreatedprocessInfo.hProcess
         ;.else
            ;invoke RetrouveMessageErreur,TXT(" OpenProcess")
         .endif

But this,don't give me the soluce to change the privileges.

Fa is a musical note to play with CL

morgot

  • Member
  • **
  • Posts: 98
Re: Windows 10 AdjustTokenPrivileges TerminateProcess SE_DEBUG_NAME
« Reply #6 on: October 07, 2020, 07:23:39 AM »
You can use native api - in this case this is simpler. But in Windows 10 there are  several system processes that cannot be terminated with any privileges.

Code: [Select]
.686                   
.model flat, stdcall
option casemap :none

include \masm32\include\windows.inc
include \masm32\macros\macros.asm
uselib ntdll,kernel32,user32

.const
SE_DEBUG_PRIVILEGE equ 20

.data
pid dd 2492 ;PUT HERE YOU PID PROCESS

.data?
hProc dd ?
OldPrivilege dd ?
.code
start:

invoke RtlAdjustPrivilege, SE_DEBUG_PRIVILEGE,TRUE,FALSE,addr OldPrivilege
invoke OpenProcess,PROCESS_TERMINATE,0,pid

.if eax
mov hProc,eax
invoke TerminateProcess,hProc,0
.if !eax
fn MessageBox,0,LastError$(),"TerminateProcess error",MB_OK
.else
fn MessageBox,0,LastError$(),"TerminateProcess suxxess",MB_OK
.endif
.else
fn MessageBox,0,LastError$(),"OpenProcess error",MB_OK
.endif

exit
end start
Sorry for the bad English

mineiro

  • Member
  • ****
  • Posts: 677
Re: Windows 10 AdjustTokenPrivileges TerminateProcess SE_DEBUG_NAME
« Reply #7 on: October 07, 2020, 08:44:00 AM »
user AW have done a good job in this, did you check this link?
http://masm32.com/board/index.php?topic=8259.0
I'd rather be this ambulant metamorphosis than to have that old opinion about everything

TouEnMasm

  • Member
  • *****
  • Posts: 1568
    • EditMasm
Re: Windows 10 AdjustTokenPrivileges TerminateProcess SE_DEBUG_NAME
« Reply #8 on: October 07, 2020, 08:06:49 PM »
It seems there is a problem with the return value of AdjustTokenPrivileges
https://docs.microsoft.com/en-us/windows/win32/secauthz/enabling-and-disabling-privileges-in-c--
The GetLastError function return 0 even when the function don't return ERROR_SUCCESS
Here a piece of prog to test it.
and the compiled microsoft sample
Fa is a musical note to play with CL

morgot

  • Member
  • **
  • Posts: 98
Re: Windows 10 AdjustTokenPrivileges TerminateProcess SE_DEBUG_NAME
« Reply #9 on: October 07, 2020, 08:44:17 PM »
Code: [Select]
SetPrivilege proc hToken:dword,lpszPrivilege:dword,bEnablePrivilege:dword
local tp:TOKEN_PRIVILEGES
local luid:LUID

invoke LookupPrivilegeValue,0,lpszPrivilege,addr luid
test eax,eax
jz @err
mov tp.PrivilegeCount,1
push luid.LowPart
pop tp.Privileges[0].Luid.LowPart
push luid.HighPart
pop tp.Privileges[0].Luid.HighPart

mov eax,bEnablePrivilege
    .if eax == 1
        mov tp.Privileges[0].Attributes,SE_PRIVILEGE_ENABLED
    .else
xor eax,eax
        mov tp.Privileges[0].Attributes,eax
.endif

invoke AdjustTokenPrivileges,hToken,FALSE,addr tp,sizeof TOKEN_PRIVILEGES,0,0
test eax,eax
jz @err

invoke GetLastError
cmp eax,ERROR_NOT_ALL_ASSIGNED
je @err

;ALL OK, return TRUE
xor eax,eax
inc eax
jmp @ex
@err:
fn MessageBox,0,LastError$(),"Last Error Text",MB_OK
xor eax,eax ;else return FALSE
@ex:
ret
SetPrivilege endp

usage

invoke SetPrivilege,hToken,chr$("SeDebugPrivilege"),TRUE
Sorry for the bad English

TouEnMasm

  • Member
  • *****
  • Posts: 1568
    • EditMasm
Re: Windows 10 AdjustTokenPrivileges TerminateProcess SE_DEBUG_NAME
« Reply #10 on: October 08, 2020, 08:12:53 PM »
It seems there is plentifull of  help pages on the subject (too much for me).
I finally think than to avoid microsoft changes another method is a best way.
Createprocees give the processInfo.dwProcessId.
This one can be compare with the one given by EnumWindows.
EnumWindows give the handle (hwnd) of the created process.
And when you have this one,you can do what you want (sendmessge,hwnd,WM_CLOSE,0  or oher thing)
Quote
            invoke EnumWindows,EnumWindowsProc,NULL
;-----------------------------------------------------------------------------------------------------
;################################################################
EnumWindowsProc PROC hwnd:DWORD, lParam:DWORD
   Local dwProcessId:DWORD,lenclass,rexecuteclass[100]:BYTE
   Local infowin:WINDOWINFO
   Local classname[50]:BYTE   
   mov dwProcessId,1
   ;plusieurs instances peuvent exister
   invoke GetWindowThreadProcessId,hwnd,addr dwProcessId
   mov eax,dwProcessId   
   ;.if eax == processInfo.dwProcessId   || eax == processInfo.dwThreadId ;c'est le même,on a sa fenêtre
      ;PuPo HwndEdit,hwnd      
      ;avec sa fenêtre on a sa class
      invoke GetWindowInfo,hwnd,addr infowin
      invoke GetClassName,hwnd,addr rexecuteclass,sizeof rexecuteclass
      
      ;invoke MessageBox,NULL,addr rexecuteclass,TXT("ClassName"),MB_OK
      invoke EcrireRapport,addr rexecuteclass
      mov eax,FALSE ;arréter la boucle
   ;.else
      mov eax,TRUE
   ;.endif   
   ret
EnumWindowsProc ENDP

Fa is a musical note to play with CL