MSDN programmers can't understand what it is I am looking for.
I am trying to figure what psexec.exe is doing when it starts a program with restricted credentials from an Admin account.
I loaded psexec in Olly.
and Set New Arguments to -high -d -e -l "C:\Program Files\Mozilla Firefox\firefox.exe
I drew a blank.
Did I make it clear so folks can understand?
Andy
There is a program that can do it, so I think it's doable.
You may try your luck with CreateProcessAsUser (http://msdn.microsoft.com/en-us/library/windows/desktop/ms682429(v=vs.85).aspx).
There is Drop Your Rights (XP application only) (http://board.flatassembler.net/topic.php?t=9624), maybe you can get some ideas from it.
qWord,
You are right, I think I will need at least these three.
IDA was a big help.
This project is gonna take a while. :t
CreateProcessAsUser
ImpersonateLoggedOnUser function
LsaEnumerateAccountRights function
I think maybe I can use CreateRestrictedToken and make my own version of psexec to restrict the token when FF is started?
I searched here and at the old forum and found no code that demonstrates its use.
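Since the question is whether CreateRestrictedToken can stand in for psexec's -l switch (which strips the Administrators group and the privileges a normal user does not have), here is an added example of that approach. It is my own code, not japheth's sample and not anything attached in this thread. It assumes the WinInc include path used in japheth's post, uses the ANSI CreateProcessAsUserA so that tchar.inc and the L() macro are not needed, and the firefox path plus the procedure names StartRestrictedProcess and ReportError are made up for the example.

```masm
.386
.model flat, stdcall
option casemap:none
.nolist
.nocref
_WIN32_WINNT equ 501h                 ; CreateWellKnownSid needs XP or later
include \wininc\include\windows.inc   ; assumed WinInc location, as in japheth's sample
.list
.cref
includelib <kernel32.lib>
includelib <advapi32.lib>
includelib <user32.lib>

.data
; constructed sample command line; kept writable because CreateProcessAsUser may modify it
szCmdLine   db "d:\firefox\firefox.exe",0
szFmtError  db "%s failed [%u]",0
szOpenToken db "OpenProcessToken",0
szWellKnown db "CreateWellKnownSid",0
szRestrict  db "CreateRestrictedToken",0
szCreate    db "CreateProcessAsUser",0

.code

; show "<api> failed [<error code>]" in a message box
ReportError PROC lpszApi:LPSTR, dwErr:DWORD
    local buffer[256]:byte
    invoke wsprintf, addr buffer, offset szFmtError, lpszApi, dwErr
    invoke MessageBox, NULL, addr buffer, NULL, MB_OK or MB_ICONERROR
    ret
ReportError ENDP

; Run lpCommandLine under a restricted copy of our own primary token:
; BUILTIN\Administrators becomes a deny-only group and every privilege except
; SeChangeNotifyPrivilege is removed. No second account, no password.
; Returns TRUE if the child process was started.
StartRestrictedProcess PROC lpCommandLine:LPSTR
    local hToken:HANDLE
    local hRestricted:HANDLE
    local cbSid:DWORD
    local sidAdmins[SECURITY_MAX_SID_SIZE]:byte
    local saDisable:SID_AND_ATTRIBUTES
    local _si:STARTUPINFOA
    local pi:PROCESS_INFORMATION
    local bResult:BOOL

    mov bResult, FALSE
    mov hToken, NULL
    mov hRestricted, NULL

    ; 1. our own token, with the access CreateRestrictedToken and CreateProcessAsUser need
    invoke GetCurrentProcess
    mov ecx, eax                      ; keep eax free: "addr" of a local uses lea eax
    invoke OpenProcessToken, ecx, TOKEN_DUPLICATE or TOKEN_QUERY or TOKEN_ASSIGN_PRIMARY or TOKEN_ADJUST_DEFAULT, addr hToken
    .if eax == 0
        invoke GetLastError
        invoke ReportError, offset szOpenToken, eax
        jmp cleanup
    .endif

    ; 2. SID of BUILTIN\Administrators (S-1-5-32-544)
    mov cbSid, SECURITY_MAX_SID_SIZE
    invoke CreateWellKnownSid, WinBuiltinAdministratorsSid, NULL, addr sidAdmins, addr cbSid
    .if eax == 0
        invoke GetLastError
        invoke ReportError, offset szWellKnown, eax
        jmp cleanup
    .endif

    ; 3. that group gets SE_GROUP_USE_FOR_DENY_ONLY in the new token (Attributes must be 0 on input)
    lea eax, sidAdmins
    mov saDisable.Sid, eax
    mov saDisable.Attributes, 0

    ; 4. derive the restricted token: one SID to disable, all privileges dropped, no restricting SIDs
    invoke CreateRestrictedToken, hToken, DISABLE_MAX_PRIVILEGE, 1, addr saDisable, 0, NULL, 0, NULL, addr hRestricted
    .if eax == 0
        invoke GetLastError
        invoke ReportError, offset szRestrict, eax
        jmp cleanup
    .endif

    ; 5. start the child with the restricted token as its primary token
    invoke RtlZeroMemory, addr _si, sizeof _si
    mov _si.cb, sizeof _si
    invoke CreateProcessAsUserA, hRestricted, NULL, lpCommandLine, NULL, NULL, FALSE, CREATE_NEW_CONSOLE, NULL, NULL, addr _si, addr pi
    .if eax == 0
        invoke GetLastError
        invoke ReportError, offset szCreate, eax
        jmp cleanup
    .endif
    invoke CloseHandle, pi.hThread
    invoke CloseHandle, pi.hProcess
    mov bResult, TRUE

cleanup:
    .if hRestricted != NULL
        invoke CloseHandle, hRestricted
    .endif
    .if hToken != NULL
        invoke CloseHandle, hToken
    .endif
    mov eax, bResult
    ret
StartRestrictedProcess ENDP

start PROC
    invoke StartRestrictedProcess, offset szCmdLine
    .if eax
        invoke ExitProcess, 0         ; exit code 0 = child started
    .endif
    invoke ExitProcess, 1
start ENDP

END start
```

Build it like japheth's sample (same includes, link against kernel32, advapi32 and user32). Because the token handed to CreateProcessAsUser is a restricted version of the caller's own primary token, SeAssignPrimaryTokenPrivilege is not needed, which is what makes this work from an ordinary admin account. Two caveats: the caller must itself hold a full admin token, otherwise Administrators is already deny-only and the call changes little; and the token's integrity level is left as it is, whereas psexec -l on Vista and later additionally drops the process to low integrity, so this matches the XP-era meaning of -l only.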
Quote from: qWord on January 19, 2013, 12:04:11 PM
You may try your luck with CreateProcessAsUser (http://msdn.microsoft.com/en-us/library/windows/desktop/ms682429(v=vs.85).aspx).
CreateProcessAsUser seems designed a bit complicated - there's an example somewhere at MS and it looks horrible.
CreateProcessWithLogonW is a lot simpler:
.386
.model flat, stdcall
option casemap:none
.nolist
.nocref
_WIN32_WINNT equ 501h
include \wininc\include\windows.inc
include \wininc\include\tchar.inc
.list
.cref
includelib <kernel32.lib>
includelib <advapi32.lib>
includelib <user32.lib>
includelib <shell32.lib>

; CStr("...") - put an ANSI string into .const and return its offset
CStr macro text:vararg
    local xxx
    .const
    xxx db text,0
    .code
    exitm <offset xxx>
endm

; _T("...") - same for a wide (UTF-16) string
_T macro text:vararg
    local xxx
    .const
    xxx dw L(text),0
    .code
    exitm <offset xxx>
endm

.data
; the command line lives in .data rather than .const: CreateProcessWithLogonW may modify it
szCmdLine dw L("d:\firefox\firefox.exe"),0

.code

; Log on as lpszUsername with lpszPassword, load that user's profile and run
; lpCommandLine in the new logon. Returns TRUE on success, else shows the error.
StartInteractiveClientProcess PROC lpszUsername:LPWSTR, lpszDomain:LPWSTR, lpszPassword:LPWSTR, lpCommandLine:LPWSTR
    local bResult:BOOL
    local pi:PROCESS_INFORMATION
    local _si:STARTUPINFOW
    local buffer[512]:byte

    invoke RtlZeroMemory, addr _si, sizeof _si
    mov _si.cb, sizeof _si
    invoke CreateProcessWithLogonW, lpszUsername, lpszDomain, lpszPassword, LOGON_WITH_PROFILE,
           NULL, lpCommandLine, NORMAL_PRIORITY_CLASS or CREATE_NEW_CONSOLE,
           NULL, NULL, addr _si, addr pi
    mov bResult, eax
    .if eax
        ; the process and thread handles are not needed here
        invoke CloseHandle, pi.hProcess
        invoke CloseHandle, pi.hThread
    .else
        ; eax (error code) is the last argument, so it is pushed before "addr buffer" overwrites eax
        invoke GetLastError
        invoke wsprintf, addr buffer, CStr('CreateProcessWithLogonW("%S") failed [%u]'), lpCommandLine, eax
        invoke MessageBox, NULL, addr buffer, NULL, MB_OK
    .endif
    mov eax, bResult
    ret
StartInteractiveClientProcess ENDP

main PROC argc:dword, argv:ptr ptr byte
    ;--- get password for user "japheth" from argv[1] (NULL if not given)
    mov ecx,argc
    .if ( ecx < 2 )
        mov eax, NULL
    .else
        mov eax,argv
        mov eax,[eax+4]
    .endif
    ; domain "." means the local machine
    invoke StartInteractiveClientProcess, _T("japheth"), _T("."), eax, offset szCmdLine
    ret
main ENDP

; entry point: split the Unicode command line into argc/argv and call main
start proc
    local argc:dword
    invoke GetCommandLineW
    mov ecx, eax
    invoke CommandLineToArgvW, ecx, addr argc
    invoke main, argc, eax
    invoke ExitProcess, eax
start endp

END start
This is a sample found somewhere at MS and translated to assembly from C.
It requires an interactive user account with restricted access rights ("japheth" in the sample above) - this is not the same as - for example - the option "Run as Limited User" in Process Explorer. But it is simple and works.
Thanks, I will look it over.
I know I shouldn't but I often run as an admin.
Internet is done under restrictions such as using psexec.
I got tired of doing so many Runas commands.
Andy
Not an answer to your original question, but still relevant:
1. Open "Computer Management" (right-click on My Computer -> Manage);
2. Select: System Tools -> Local Users and Groups -> Groups;
3. Double-click on "Power Users";
4. Click the "Add" button;
5. Type your username, OK;
6. You can now do (almost) everything you want without running as administrator.
I am on the power user group but also on admin group.
Do I take myself off the admin list?
Then only log off if I want to do admin things?
Andy
just be sure you know how to bring up an admin account if you have to change it back :P
Who do you think created the admin acct. :t
Quote from: japheth on January 22, 2013, 03:07:30 PM
Quote from: qWord on January 19, 2013, 12:04:11 PM
You may try your luck with CreateProcessAsUser (http://msdn.microsoft.com/en-us/library/windows/desktop/ms682429(v=vs.85).aspx).
CreateProcessAsUser seems designed a bit complicated - there's an example somewhere at MS and it looks horrible.
CreateProcessWithLogonW is a lot simpler:
This is a sample found somewhere at MS and translated to assembly from C.
It requires an interactive user account with restricted access rights ("japheth" in the sample above) - this is not the same as - for example - the option "Run as Limited User" in Process Explorer. But it is simple and works.
C:\masm32\SOURCE\string.inc(4) : error A2006: undefined symbol : _MSC_VER
C:\masm32\SOURCE\string.inc(23) : error A2006: undefined symbol : defined
C:\masm32\SOURCE\string.inc(27) : error A2006: undefined symbol : _MSC_VER
C:\masm32\SOURCE\string.inc(78) : error A2008: syntax error : @DefProto
I downloaded your includes and libraries.
Quote from: Magnum on January 23, 2013, 02:25:19 PM
C:\masm32\SOURCE\string.inc(4) : error A2006: undefined symbol : _MSC_VER
C:\masm32\SOURCE\string.inc(23) : error A2006: undefined symbol : defined
C:\masm32\SOURCE\string.inc(27) : error A2006: undefined symbol : _MSC_VER
C:\masm32\SOURCE\string.inc(78) : error A2008: syntax error : @DefProto
I downloaded your includes and libraries.
Cool! In case this is kind of a bug report: this forum is not the right place for WinInc bug reports.
But, since I'm such a nice guy, I attached a Masm32 version.
Sorry, I thought I had done something wrong.
Thanks.