InjectLibrary and impersonation

c++ / delphi package - dll injection and api hooking
iridium
Posts: 9
Joined: Thu Aug 19, 2004 10:39 am

Post by iridium »

Hi all,

for several weeks I've been trying to figure out a way
to use MadCodeHook under XP's limited mode.
I thought that the Runas function could be useful, and
tried to achieve the same result by impersonating a
user with administrative rights.

The problem is, it doesn't work. The impersonation
seems to work fine, but InjectLibrary() doesn't.

Any help is appreciated!!!

Here is my code:

// needs the units Windows, SysUtils, Dialogs and madCodeHook
procedure InjectAsOtherUser;   // procedure header added so the fragment compiles
var
  hToken: THandle;
begin
  // log on as the (placeholder) administrative user
  if not LogonUser(PChar('username'), PChar('domain'), PChar('password'),
                   LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, hToken) then
  begin
    ShowMessage(SysErrorMessage(GetLastError));
    Exit;
  end;
  try
    // run the rest of this thread under the logged-on user's token
    if not ImpersonateLoggedOnUser(hToken) then
    begin
      ShowMessage(SysErrorMessage(GetLastError));
      Exit;
    end;
    try
      if not InjectLibrary(CURRENT_SESSION or SYSTEM_PROCESSES, 'hook.dll') then
        ShowMessage('DAMN...');
    finally
      RevertToSelf;   // always drop the impersonation again, even on failure
    end;
  finally
    CloseHandle(hToken);   // the token handle was leaked in the original
  end;
end;
madshi
Site Admin
Posts: 10764
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

Some comments/questions:

(1) Does it work (without LogonUser etc) in an admin account?

(2) Does LogonUser really succeed? On NT4 and w2k you need the SE_TCB_NAME privilege to be enabled for the limited user account, which is not enabled by default. So even if you get that code to run on XP, it will probably fail (due to LogonUser not succeeding) on NT4 and w2k.

(3) It might be that after having logged on you need to enable some of the new privileges you got through logging on. Try calling the following function after having logged on:

procedure EnableAllPrivileges;
type TTokenPrivileges = record
       PrivilegeCount : dword;
       // large upper bound so the variable-length array can be indexed without range errors
       Privileges     : array [0..maxInt shr 4 - 1] of TLUIDAndAttributes;
     end;
var c1, c2 : dword;
    i1     : integer;
    ptp    : ^TTokenPrivileges;
begin
  if OpenProcessToken(windows.GetCurrentProcess, TOKEN_ADJUST_PRIVILEGES or TOKEN_QUERY, c1) then
    try
      // the first call only asks for the required buffer size (returned in c2)
      c2 := 0;
      GetTokenInformation(c1, TokenPrivileges, nil, 0, c2);
      if c2 <> 0 then begin
        ptp := pointer(LocalAlloc(LPTR, c2 * 2));
        if GetTokenInformation(c1, TokenPrivileges, ptp, c2 * 2, c2) then begin
          // set SE_PRIVILEGE_ENABLED on every privilege the token already holds;
          // this cannot add privileges the token does not have
          for i1 := 0 to integer(ptp^.PrivilegeCount) - 1 do
            ptp^.Privileges[i1].Attributes := ptp^.Privileges[i1].Attributes or SE_PRIVILEGE_ENABLED;
          AdjustTokenPrivileges(c1, false, PTokenPrivileges(ptp)^, c2, PTokenPrivileges(nil)^, cardinal(pointer(nil)^));
        end;
        LocalFree(dword(ptp));
      end;
    finally CloseHandle(c1) end;
end;
madCodeHook calls this during initialization - but that's with the old user, of course.
iridium
Posts: 9
Joined: Thu Aug 19, 2004 10:39 am

Post by iridium »

Thanks, madshi, for your reply.

> (1) Does it work (without LogonUser etc) in an admin account?

InjectLibrary works fine in my project.
Some people told me that they couldn't run my
program in xp's limited mode, so I tried to use
LogonUser and Impersonation...
but now it doesn't work anymore (tried limited/admin).

> (2) Does LogonUser really succeed? On NT4 and w2k
> you need the SE_TCB_NAME privilege to be enabled
> for the limited user account, which is not enabled
> by default.

Could it work if I add SE_TCB_NAME to your code
like this?

ptp^.Privileges[i1].Attributes := ptp^.Privileges[i1].Attributes or SE_PRIVILEGE_ENABLED or SE_TCB_NAME;

> (3) It might be that after having logged on you
> need to enable some of the new privileges you
> got through logging on. Try calling the following
> function after having logged on:

I tried your code but the program does not work yet.
I think the culprit is my LogonUser code: my
application does not work in an admin account
anymore, after using Impersonation...

Any suggestions?

Thanks!
madshi
Site Admin
Posts: 10764
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

You can't add SE_TCB_NAME like that. A user can have a privilege or not. If the user doesn't have it, you can't programmatically add it yourself. That would destroy security!! Every virus could then get itself admin rights! If your user has a specific privilege, it can be enabled or disabled. You can then enable it. But first you must have it.

Anyway, if you're testing it in XP, you don't need SE_TCB_NAME. You need that on w2k and NT4 only.

You don't really use "LogonUser(PChar('username'), PChar('domain'), PChar('password'), ...)", or do you? I mean those "username", "domain" and "password" are just placeholders, right? You're passing in the user name, domain and password of a real user, aren't you?
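To make the distinction between holding and enabling a privilege concrete (madshi's points (2) and (3) above, and the SE_TCB_NAME answer in this post), here is an added example; it is my code, not madshi's or madCodeHook's. It checks whether a token already holds SeTcbPrivilege before trying to enable it, and treats ERROR_NOT_ALL_ASSIGNED as failure. It assumes a Delphi 7-era Windows unit where LUIDs are TLargeInteger; the function names are my own.

```pascal
{$RANGECHECKS OFF}   // Privileges is declared array[0..0]; it is indexed past that
uses Windows;

// true when the token already HOLDS the privilege (enabled or not);
// a privilege missing here cannot be added from code, only granted by policy
function TokenHoldsPrivilege(token: THandle; const privName: string): boolean;
var luid : TLargeInteger;
    size : dword;
    ptp  : PTokenPrivileges;
    i1   : integer;
begin
  result := false;
  if not LookupPrivilegeValue(nil, PChar(privName), luid) then exit;
  size := 0;
  GetTokenInformation(token, TokenPrivileges, nil, 0, size);   // query required size
  if size = 0 then exit;
  GetMem(ptp, size);
  try
    if GetTokenInformation(token, TokenPrivileges, ptp, size, size) then
      for i1 := 0 to integer(ptp^.PrivilegeCount) - 1 do
        if ptp^.Privileges[i1].Luid = luid then result := true;
  finally FreeMem(ptp) end;
end;

// enables a privilege the token holds; returns false when it does not hold it
// (AdjustTokenPrivileges returns TRUE then but sets ERROR_NOT_ALL_ASSIGNED)
function TryEnablePrivilege(token: THandle; const privName: string): boolean;
var tp : TTokenPrivileges;
begin
  result := false;
  if not LookupPrivilegeValue(nil, PChar(privName), tp.Privileges[0].Luid) then exit;
  tp.PrivilegeCount := 1;
  tp.Privileges[0].Attributes := SE_PRIVILEGE_ENABLED;
  if AdjustTokenPrivileges(token, false, tp, 0, PTokenPrivileges(nil)^, dword(pointer(nil)^)) then
    result := GetLastError = ERROR_SUCCESS;
end;

// checks SeTcbPrivilege (SE_TCB_NAME) on the current process token
function CanUseTcb: boolean;
var token : THandle;
begin
  result := false;
  if OpenProcessToken(GetCurrentProcess, TOKEN_ADJUST_PRIVILEGES or TOKEN_QUERY, token) then
    try
      result := TokenHoldsPrivilege(token, SE_TCB_NAME) and TryEnablePrivilege(token, SE_TCB_NAME);
    finally CloseHandle(token) end;
end;
```

On a limited XP account CanUseTcb returns false from the TokenHoldsPrivilege step already, which is exactly why the privilege cannot be "added" by OR-ing a name into the attributes.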
iridium
Posts: 9
Joined: Thu Aug 19, 2004 10:39 am

Post by iridium »

Thanks for the quick reply.
madshi wrote:
> You don't really use "LogonUser(PChar('username'), PChar('domain'), PChar('password'), ...)", or do you? I mean those "username", "domain" and "password" are just placeholders, right? You're passing in the user name, domain and password of a real user, aren't you?

Of course, they're only placeholders.

OK, so the problem is: I need to use InjectLibrary with the flags CURRENT_SESSION + SYSTEM_PROCESSES in my project, but I don't know how to make the program work in xp/2k limited mode.
My "Impersonation" based code doesn't work.
Could you give me some help with this problem?

Thanks again.
madshi
Site Admin
Posts: 10764
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

I don't know how to solve it by using LogonUser, especially since it won't work that easily on w2k and NT4 because of the missing SE_TCB_NAME privilege.

The usual way to solve the problem is to use a service. A demo for that is available: Check out the HookProcessTermination demo shipping with madCodeHook.