shbr uzu

Reputation: 3

non-default access to an elevated process from a non-elevated process

Sorry for bad English.

Is it possible for a non-elevated process to get non-default access rights (e.g. PROCESS_QUERY_INFORMATION) to an elevated process when they both have the same logon session ID, by changing the elevated process's security descriptor in the Process Explorer security tab? I tried to change the security descriptor of an elevated process and selected Full Access for the logon session SID, but when I call OpenProcess() with the PROCESS_QUERY_INFORMATION access right in the non-elevated process it still returns ERROR_ACCESS_DENIED.

Upvotes: 0

Views: 234

Answers (1)

RbMm

Reputation: 33706

Beginning with Vista there is also Mandatory Integrity Control. An elevated process has the High mandatory label (S-1-16-12288) with the SYSTEM_MANDATORY_LABEL_NO_WRITE_UP and SYSTEM_MANDATORY_LABEL_NO_READ_UP mask. On the other side, a non-elevated process has the Medium mandatory level (S-1-16-8192) in its token. So when it tries to open the process with PROCESS_QUERY_INFORMATION, which is part of generic read for a process object, we usually fail to do this from a non-elevated process (medium level) to an elevated process (high label and SYSTEM_MANDATORY_LABEL_NO_READ_UP).

To let a non-elevated process open an elevated process with PROCESS_QUERY_INFORMATION, we need to change the elevated process's mandatory label: either set it to medium or low, or remove the SYSTEM_MANDATORY_LABEL_NO_READ_UP flag. The last option is the best, in my view.

To remove SYSTEM_MANDATORY_LABEL_NO_READ_UP we can use the following code:

#include <windows.h>
#include <malloc.h>   // alloca

// NtCurrentProcess() and RtlPointerToOffset() come from the DDK headers
// (ntddk.h / wdm.h); define them for a plain SDK build.
#ifndef NtCurrentProcess
#define NtCurrentProcess() ((HANDLE)(LONG_PTR)-1)
#endif
#ifndef RtlPointerToOffset
#define RtlPointerToOffset(B, O) ((ULONG)((ULONG_PTR)(O) - (ULONG_PTR)(B)))
#endif

// Clears SYSTEM_MANDATORY_LABEL_NO_READ_UP in the mandatory label of a process.
// hProcess must have READ_CONTROL | WRITE_OWNER (writing
// LABEL_SECURITY_INFORMATION requires WRITE_OWNER, not WRITE_DAC).
// Returns NOERROR on success, ERROR_NOT_FOUND if the label carries no
// NO_READ_UP flag to clear, or a Win32 error code.
ULONG RemoveNoReadUp(HANDLE hProcess = NtCurrentProcess())
{
    union {
        PVOID buf;
        PSECURITY_DESCRIPTOR pSD;
    };

    ULONG cb = 0, rcb = 128;

    // alloca(0) yields the current stack position; each later alloca() hands
    // back memory directly below it, so the buffer can grow in place on
    // ERROR_INSUFFICIENT_BUFFER without any heap allocation.
    static volatile UCHAR guz = 0;
    PVOID stack = alloca(guz);

    ULONG err;
    do 
    {
        if (cb < rcb)
        {
            cb = RtlPointerToOffset(buf = alloca(rcb - cb), stack);
        }

        // Ask only for the SACL part that holds the mandatory label.
        if (GetKernelObjectSecurity(hProcess, LABEL_SECURITY_INFORMATION, pSD, cb, &rcb))
        {
            BOOL bPresent, bDefault;
            PACL Acl;

            if (!GetSecurityDescriptorSacl(pSD, &bPresent, &Acl, &bDefault))
            {
                return GetLastError();
            }

            // bPresent can be TRUE with a NULL SACL; treat that as "no label".
            if (bPresent && Acl)
            {
                if (DWORD AceCount = Acl->AceCount)
                {
                    union {
                        PVOID pv;
                        PBYTE pb;
                        PACE_HEADER pAH;
                        PSYSTEM_MANDATORY_LABEL_ACE pMLA;
                    };

                    // ACEs follow the ACL header back to back.
                    pv = Acl + 1;
                    do 
                    {
                        if (pAH->AceType == SYSTEM_MANDATORY_LABEL_ACE_TYPE)
                        {
                            if (pMLA->Mask & SYSTEM_MANDATORY_LABEL_NO_READ_UP)
                            {
                                // Patch the policy mask in the self-relative
                                // descriptor and write it back as the new label.
                                pMLA->Mask &= ~SYSTEM_MANDATORY_LABEL_NO_READ_UP;

                                return SetKernelObjectSecurity(hProcess, LABEL_SECURITY_INFORMATION, pSD) 
                                    ? NOERROR : GetLastError();
                            }
                        }
                    } while (pb += pAH->AceSize, --AceCount);
                }
            }
            return ERROR_NOT_FOUND;
        }

    } while ((err = GetLastError()) == ERROR_INSUFFICIENT_BUFFER);

    return err;
}

Upvotes: 1
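As an added example, not part of the question or of RbMm's answer, the following C program models the Mandatory Integrity Control step that the kernel runs before the DACL is consulted, which is why the Full Access DACL entry set in Process Explorer changed nothing. The rights and policy constants are the winnt.h values; the process generic mapping is the kernel's PspProcessMapping as publicly documented, and is an assumption as far as this example goes (whether newer kernels also put PROCESS_QUERY_LIMITED_INFORMATION into GenericExecute does not change the outcomes shown, because the default process label sets no NO_EXECUTE_UP). The function names MandatoryDeniedAccess and MandatoryIntegrityCheck and the PROCESS_DEFAULT_LABEL_POLICY macro are mine; privileges and the DACL check that follows are out of scope. It shows the three cases the answer describes: PROCESS_QUERY_INFORMATION denied under the default High label, allowed once NO_READ_UP is cleared, and PROCESS_QUERY_LIMITED_INFORMATION (not part of generic read) allowed either way.

```c
/* Model of the Mandatory Integrity Control (MIC) check for process objects.
 * Added example; not code from the original post. Constants are winnt.h
 * values; the generic mapping is PspProcessMapping (assumed). */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Standard rights (winnt.h). */
#define READ_CONTROL             0x00020000u
#define SYNCHRONIZE              0x00100000u
#define STANDARD_RIGHTS_READ     READ_CONTROL
#define STANDARD_RIGHTS_WRITE    READ_CONTROL
#define STANDARD_RIGHTS_EXECUTE  READ_CONTROL

/* Process-specific rights (winnt.h). */
#define PROCESS_TERMINATE                  0x0001u
#define PROCESS_CREATE_THREAD              0x0002u
#define PROCESS_VM_OPERATION               0x0008u
#define PROCESS_VM_READ                    0x0010u
#define PROCESS_VM_WRITE                   0x0020u
#define PROCESS_DUP_HANDLE                 0x0040u
#define PROCESS_CREATE_PROCESS             0x0080u
#define PROCESS_SET_QUOTA                  0x0100u
#define PROCESS_SET_INFORMATION            0x0200u
#define PROCESS_QUERY_INFORMATION          0x0400u
#define PROCESS_SUSPEND_RESUME             0x0800u
#define PROCESS_QUERY_LIMITED_INFORMATION  0x1000u

/* Mandatory label policy bits (winnt.h). */
#define SYSTEM_MANDATORY_LABEL_NO_WRITE_UP    0x1u
#define SYSTEM_MANDATORY_LABEL_NO_READ_UP     0x2u
#define SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP  0x4u

/* Integrity levels: the last sub-authority (RID) of S-1-16-N. */
#define SECURITY_MANDATORY_LOW_RID     0x1000u  /* S-1-16-4096  */
#define SECURITY_MANDATORY_MEDIUM_RID  0x2000u  /* S-1-16-8192  */
#define SECURITY_MANDATORY_HIGH_RID    0x3000u  /* S-1-16-12288 */

typedef struct {
    uint32_t GenericRead, GenericWrite, GenericExecute;
} GENERIC_MAPPING;

/* Generic mapping for process objects (PspProcessMapping, assumed). */
static const GENERIC_MAPPING ProcessMapping = {
    STANDARD_RIGHTS_READ | PROCESS_VM_READ | PROCESS_QUERY_INFORMATION,
    STANDARD_RIGHTS_WRITE | PROCESS_CREATE_PROCESS | PROCESS_CREATE_THREAD |
        PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_DUP_HANDLE |
        PROCESS_TERMINATE | PROCESS_SET_QUOTA | PROCESS_SET_INFORMATION |
        PROCESS_SUSPEND_RESUME,
    STANDARD_RIGHTS_EXECUTE | SYNCHRONIZE,
};

/* Label policy that process objects are created with (hypothetical name). */
#define PROCESS_DEFAULT_LABEL_POLICY \
    (SYSTEM_MANDATORY_LABEL_NO_WRITE_UP | SYSTEM_MANDATORY_LABEL_NO_READ_UP)

/* Rights the label (ObjectRid, Policy) denies to a subject at SubjectRid.
 * A subject at the same or a higher level is never restricted by the label. */
uint32_t MandatoryDeniedAccess(uint32_t SubjectRid, uint32_t ObjectRid,
                               uint32_t Policy, const GENERIC_MAPPING *Map)
{
    uint32_t denied = 0;
    if (SubjectRid >= ObjectRid)
        return 0;
    if (Policy & SYSTEM_MANDATORY_LABEL_NO_WRITE_UP)   denied |= Map->GenericWrite;
    if (Policy & SYSTEM_MANDATORY_LABEL_NO_READ_UP)    denied |= Map->GenericRead;
    if (Policy & SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP) denied |= Map->GenericExecute;
    return denied;
}

/* MIC verdict for DesiredAccess (generic rights assumed already mapped to
 * specific rights, as RtlMapGenericMask does). false means OpenProcess()
 * fails with ERROR_ACCESS_DENIED before the DACL is looked at. */
bool MandatoryIntegrityCheck(uint32_t SubjectRid, uint32_t ObjectRid,
                             uint32_t Policy, uint32_t DesiredAccess,
                             const GENERIC_MAPPING *Map)
{
    return (DesiredAccess &
            MandatoryDeniedAccess(SubjectRid, ObjectRid, Policy, Map)) == 0;
}

int main(void)
{
    struct { const char *name; uint32_t policy, access; } cases[] = {
        { "default label, PROCESS_QUERY_INFORMATION",
          PROCESS_DEFAULT_LABEL_POLICY, PROCESS_QUERY_INFORMATION },
        { "default label, PROCESS_QUERY_LIMITED_INFORMATION",
          PROCESS_DEFAULT_LABEL_POLICY, PROCESS_QUERY_LIMITED_INFORMATION },
        { "NO_READ_UP cleared, PROCESS_QUERY_INFORMATION",
          SYSTEM_MANDATORY_LABEL_NO_WRITE_UP, PROCESS_QUERY_INFORMATION },
        { "NO_READ_UP cleared, PROCESS_VM_WRITE",
          SYSTEM_MANDATORY_LABEL_NO_WRITE_UP, PROCESS_VM_WRITE },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        bool ok = MandatoryIntegrityCheck(SECURITY_MANDATORY_MEDIUM_RID,
                                          SECURITY_MANDATORY_HIGH_RID,
                                          cases[i].policy, cases[i].access,
                                          &ProcessMapping);
        printf("medium -> high, %-48s : %s\n", cases[i].name,
               ok ? "passes MIC" : "ERROR_ACCESS_DENIED");
    }
    return 0;
}
```

Passing MIC only means the DACL is evaluated next; that is the point at which the Full Access entry from Process Explorer finally matters. Clearing NO_READ_UP leaves NO_WRITE_UP in place, so a medium process still cannot get PROCESS_VM_WRITE or the other generic-write rights to the elevated process.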
