Mr_Cl0ud9

Reputation: 1

A question about Windows process privilege escalation

I try to use the OpenProcess() function to read some information from the "System" process, but I always get error code 5, which means ERROR_ACCESS_DENIED.

I have used the AdjustTokenPrivileges() function to get the debug privilege, and it still does not work. I just don't know what's wrong with my code. Here is part of my code:

#include <windows.h>
#include <tlhelp32.h>
#include <iostream>
using namespace std;

BOOL PrivilegeEscalation();   // defined below, so it must be declared before GetInfo() uses it

int GetInfo()
{
    // Explicit W versions so szExeFile is WCHAR regardless of the UNICODE setting
    PROCESSENTRY32W pe32{ sizeof(PROCESSENTRY32W) };
    PWCHAR Name;
    DWORD id = 0;

    int err = 0;

    HANDLE hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hProcessSnap == INVALID_HANDLE_VALUE)
    {
        return -1;
    }

    BOOL pResult = Process32FirstW(hProcessSnap, &pe32);
    while (pResult)
    {
        Name = pe32.szExeFile;
        if (lstrcmpW(Name, L"System") == 0)
        {
            id = pe32.th32ProcessID;
            if (!PrivilegeEscalation())
            {
                cout << "SeDebugPrivilege could not be enabled" << endl;
            }
            HANDLE ProcessHandle = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, id);
            if (ProcessHandle == NULL)
            {
                // GetLastError() is only meaningful when the call actually failed
                err = GetLastError();
                cout << err << endl;
            }
            else
            {
                CloseHandle(ProcessHandle);
            }
            // The thread count comes from the snapshot; no process handle is needed for it
            cout << "The thread number of System is : " << pe32.cntThreads << endl;
            break;
        }
        pResult = Process32NextW(hProcessSnap, &pe32);
    }

    CloseHandle(hProcessSnap);
    return 0;
}

BOOL PrivilegeEscalation()
{
    HANDLE hToken;
    TOKEN_PRIVILEGES Tp;

    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
    {
        return FALSE;
    }

    Tp.PrivilegeCount = 1;
    if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &Tp.Privileges[0].Luid))
    {
        CloseHandle(hToken);
        return FALSE;
    }
    Tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

    // AdjustTokenPrivileges returns TRUE even when nothing was enabled: a
    // privilege the token does not hold shows up as ERROR_NOT_ALL_ASSIGNED
    BOOL ok = AdjustTokenPrivileges(hToken, FALSE, &Tp, sizeof(Tp), NULL, NULL);
    DWORD lastErr = GetLastError();
    CloseHandle(hToken);
    return ok && lastErr != ERROR_NOT_ALL_ASSIGNED;
}

int main()
{
    return GetInfo();
}

Upvotes: 0

Views: 84

Answers (1)

Anders

Reputation: 101764

The System process is not a real process, it represents the kernel. You can't expect all process related functions to work on it.

If you are cloning something like Process Explorer, call the undocumented NT API like the Windows Task manager has been doing all its life.

Upvotes: 1
