Load driver and Inject DLL using impersonate

elioliveira
Posts: 4
Joined: Fri Jul 24, 2015 11:59 pm

Post by elioliveira »

Hello guys,

What's wrong with my code? I'd like to load the driver and inject the DLL using impersonate, but it doesn't work at all.

Code:

// uses Windows, madCodeHook
function Impersonate(const User, PW: string): Boolean;
var
  LogonType, LogonProvider: Integer;
  strAdminUser, strAdminDomain, strAdminPassword: string;
  TokenHandle: THandle;
begin
  LogonType := LOGON32_LOGON_INTERACTIVE;
  LogonProvider := LOGON32_PROVIDER_DEFAULT;
  strAdminUser := User;
  strAdminDomain := '';
  strAdminPassword := PW;
  // Log the account on; the domain argument is passed as nil.
  Result := LogonUser(PChar(strAdminUser), nil,
    PChar(strAdminPassword), LogonType, LogonProvider, TokenHandle);
  if Result then
  begin
    // The calling thread takes on the logged-on user's security context.
    Result := ImpersonateLoggedOnUser(TokenHandle);
    // The thread keeps its own reference, so the logon handle can be closed.
    CloseHandle(TokenHandle);
  end;
end;

// Calling code: impersonate, then load the driver and inject.
if Impersonate('SVC-SA.XXD.AAA', 'B#01Va##R$#@!*&') then
begin
  LoadInjectionDriver('Myprog', 'Prog32.sys', 'Prog64.sys');
  StartInjectionDriver('Myprog');
  InjectLibrary('Myprog', 'Prog32.dll', ALL_SESSIONS, true);
  RevertToSelf; // back to the process's own security context
end;

The user SVC-SA.XXD.AAA is a Domain admin and is in the local administrators group on the end user's computer.

The function Impersonate is ok. Working fine. I'm using madCodeHook 3.0.

Is it possible to do it using impersonate? Is there another way to do this when the application is loaded by a single user, but the code uses impersonate?

Thank you so much.

Eli Oliveira.

madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Re: Load driver and Inject DLL using impersonate

Post by madshi »

Which of those APIs is the first one failing? LogonUser needs the SE_TCB_NAME privilege to work, does the thread/process which calls it have this privilege? Also it seems LogonUser doesn't create a "primary token", whatever that means. You may have to call DuplicateTokenEx to convert it into a primary token. But I don't really know if that's needed for ImpersonateLoggedOnUser.

Finally, I don't really know if ImpersonateLoggedOnUser really allows you to load drivers etc. It's possible that doing such things is only allowed when run inside of a service in some OSs. I don't know for sure, though.
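
Added example, not part of the thread and not madCodeHook code: a Delphi console diagnostic for the token questions raised in the reply above. It prints whether the calling thread's effective token is a primary or an impersonation token and which privileges it holds. OpenEffectiveToken and DumpEffectiveToken are hypothetical names; the Win32 calls are used as declared in Delphi's Windows unit.

```delphi
program TokenDiag;
{$APPTYPE CONSOLE}
{$R-} // TTokenPrivileges declares Privileges as array[0..0]
uses Windows, SysUtils;

// Effective token: the thread token while impersonating, else the process token.
function OpenEffectiveToken(out Token: THandle): Boolean;
begin
  Result := OpenThreadToken(GetCurrentThread, TOKEN_QUERY, True, Token);
  if (not Result) and (GetLastError = ERROR_NO_TOKEN) then
    Result := OpenProcessToken(GetCurrentProcess, TOKEN_QUERY, Token);
end;

// Prints the token type and every privilege with its enabled state.
function DumpEffectiveToken: Boolean;
var
  Token: THandle;
  TokType, Size, NameLen: DWORD;
  Privs: PTokenPrivileges;
  Name: array[0..255] of Char;
  i: Integer;
begin
  Result := OpenEffectiveToken(Token);
  if not Result then Exit;
  Privs := nil;
  try
    // TOKEN_TYPE values: 1 = TokenPrimary, 2 = TokenImpersonation
    if GetTokenInformation(Token, TokenType, @TokType, SizeOf(TokType), Size) then
      Writeln('Token type: ', TokType);
    // The first call fails by design and returns the required buffer size.
    GetTokenInformation(Token, TokenPrivileges, nil, 0, Size);
    GetMem(Privs, Size);
    Result := GetTokenInformation(Token, TokenPrivileges, Privs, Size, Size);
    if Result then
      for i := 0 to Integer(Privs^.PrivilegeCount) - 1 do
      begin
        NameLen := Length(Name); // buffer size in characters
        if LookupPrivilegeName(nil, Privs^.Privileges[i].Luid, Name, NameLen) then
          Writeln(PChar(@Name), ' enabled=',
            (Privs^.Privileges[i].Attributes and SE_PRIVILEGE_ENABLED) <> 0);
      end;
  finally
    FreeMem(Privs);
    CloseHandle(Token);
  end;
end;
begin
  if not DumpEffectiveToken then Writeln('Token query failed');
end.
```

Run as-is it reports on the process token; called between ImpersonateLoggedOnUser and RevertToSelf it reports on the impersonated account's token, which can then be compared with the token of a process where the driver calls succeed.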