

Topic created on: January 18, 2013 17:37 CST by drew77.
Determine if process has been started with limited privileges
I posted this at MSDN Visual C++, but no one understands.
This is the batch file I am using to start FF with limited privileges from an Admin account.
:: LimitedUserFirefox.bat Run firefox as a limited user from an admin account
::
:: Put this in C:\WINDOWS
::
C:\WINDOWS\system32\psexec.exe -high -d -e -l "C:\Program Files\Mozilla Firefox\firefox.exe"
I would like to write a program that would determine if a particular process, such as firefox.exe, is running with less than admin credentials.
I hope that made sense.
Thanks.
You can read about psexec.exe here.
http://technet.microsoft.com/en-us/sysinternals/bb897553
Why write one, unless it is for fun, when you have one? Check accesschk from Sysinternals and you will find that the
Builtin\Administrators group is stripped in the TOKEN_INFORMATION when you execute any process with psexec -l.
A sample below:
drew77:\>dir /b
admsgbox.exe
msgbox.exe
drew77:\>fc admsgbox.exe msgbox.exe
Comparing files admsgbox.exe and MSGBOX.EXE
FC: no differences encountered
drew77:\>..\psexec.exe -high -d -e -l msgbox.exe
PsExec v1.94 - Execute processes remotely
Copyright (C) 2001-2008 Mark Russinovich
Sysinternals - www.sysinternals.com
msgbox.exe started with process ID 3988.
drew77:\>admsgbox.exe
drew77:\>..\accesschk.exe -f -p msgbox.exe
Accesschk v4.20 - Reports effective permissions for securable objects
Copyright (C) 2006-2008 Mark Russinovich
Sysinternals - www.sysinternals.com
[3988] msgbox.exe
RW XXXXX\Admin
RW NT AUTHORITY\SYSTEM
Token:
User: XXXXX\Admin
Groups:
XXXXX\None MANDATORY
Everyone MANDATORY
XXXXX\Debugger Users MANDATORY
XXXXX\HelpLibraryUpdaters MANDATORY
BUILTIN\Administrators DENY,OWNER,MANDATORY
BUILTIN\Users MANDATORY
NT AUTHORITY\INTERACTIVE MANDATORY
NT AUTHORITY\Authenticated Users MANDATORY
XXXXX\S-1-5-5-0-63320-Admin LOGONID,MANDATORY
LOCAL MANDATORY
Privileges:
SeUndockPrivilege ENABLED
SeShutdownPrivilege DISABLED
SeChangeNotifyPrivilege ENABLED
drew77:\>..\accesschk.exe -f -p admsgbox.exe
Accesschk v4.20 - Reports effective permissions for securable objects
Copyright (C) 2006-2008 Mark Russinovich
Sysinternals - www.sysinternals.com
[3656] admsgbox.exe
RW XXXXX\Admin
RW NT AUTHORITY\SYSTEM
Token:
User: XXXXX\Admin
Groups:
XXXXX\None MANDATORY
Everyone MANDATORY
XXXXX\Debugger Users MANDATORY
XXXXX\HelpLibraryUpdaters MANDATORY
BUILTIN\Administrators OWNER,MANDATORY
BUILTIN\Users MANDATORY
NT AUTHORITY\INTERACTIVE MANDATORY
NT AUTHORITY\Authenticated Users MANDATORY
XXXXX\S-1-5-5-0-63320-Admin LOGONID,MANDATORY
LOCAL MANDATORY
Privileges:
SeAssignPrimaryTokenPrivilege DISABLED
SeCreateTokenPrivilege DISABLED
SeIncreaseQuotaPrivilege DISABLED
SeTcbPrivilege DISABLED
SeTakeOwnershipPrivilege DISABLED
SeChangeNotifyPrivilege ENABLED
SeSecurityPrivilege DISABLED
SeBackupPrivilege DISABLED
SeRestorePrivilege DISABLED
SeSystemtimePrivilege DISABLED
SeShutdownPrivilege DISABLED
SeRemoteShutdownPrivilege DISABLED
SeDebugPrivilege DISABLED
SeSystemEnvironmentPrivilege DISABLED
SeSystemProfilePrivilege DISABLED
SeProfileSingleProcessPrivilege DISABLED
SeIncreaseBasePriorityPrivilege DISABLED
SeLoadDriverPrivilege ENABLED
SeCreatePagefilePrivilege DISABLED
SeUndockPrivilege ENABLED
SeManageVolumePrivilege DISABLED
SeImpersonatePrivilege ENABLED
SeCreateGlobalPrivilege ENABLED
drew77:\>
|
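The check the accesschk output above performs by hand, as an added PowerShell example that is not part of the thread and not Sysinternals' code: it opens the token of a PID with OpenProcess/OpenProcessToken, walks TOKEN_GROUPS looking for BUILTIN\Administrators (S-1-5-32-544) and its SE_GROUP_USE_FOR_DENY_ONLY attribute (the DENY shown above), and calls IsTokenRestricted, which is true for a token produced by CreateRestrictedToken. It assumes a Windows host, a PID your account is allowed to open, and the function name Test-LimitedProcessToken, which is my own.

```powershell
# Added example (not from the thread): is this PID running with less than admin
# credentials? Reads the process token the way accesschk -p does.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class TokenProbe {
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool GetTokenInformation(IntPtr token, int infoClass,
        IntPtr buffer, int length, out int returned);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool IsTokenRestricted(IntPtr token);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr handle);
}
"@

function Test-LimitedProcessToken {   # hypothetical name, chosen for this example
    param([Parameter(Mandatory = $true)][int]$ProcessId)

    $PROCESS_QUERY_INFORMATION  = 0x0400
    $TOKEN_QUERY                = 0x0008
    $TokenGroups                = 2           # TOKEN_INFORMATION_CLASS::TokenGroups
    $SE_GROUP_ENABLED           = 0x00000004
    $SE_GROUP_USE_FOR_DENY_ONLY = 0x00000010  # shown as DENY by accesschk
    $adminsSid                  = 'S-1-5-32-544'

    $hProcess = [TokenProbe]::OpenProcess($PROCESS_QUERY_INFORMATION, $false, $ProcessId)
    if ($hProcess -eq [IntPtr]::Zero) {
        throw "OpenProcess($ProcessId) failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    $hToken = [IntPtr]::Zero
    $buffer = [IntPtr]::Zero
    try {
        if (-not [TokenProbe]::OpenProcessToken($hProcess, $TOKEN_QUERY, [ref]$hToken)) {
            throw "OpenProcessToken failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
        }
        # First call only sizes the TOKEN_GROUPS buffer; the second call fills it.
        $needed = 0
        [void][TokenProbe]::GetTokenInformation($hToken, $TokenGroups, [IntPtr]::Zero, 0, [ref]$needed)
        $buffer = [Runtime.InteropServices.Marshal]::AllocHGlobal($needed)
        if (-not [TokenProbe]::GetTokenInformation($hToken, $TokenGroups, $buffer, $needed, [ref]$needed)) {
            throw "GetTokenInformation failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
        }

        # TOKEN_GROUPS layout: DWORD GroupCount, then SID_AND_ATTRIBUTES[] (PSID, DWORD).
        # The array is pointer-aligned, so it starts at offset IntPtr.Size.
        $count      = [Runtime.InteropServices.Marshal]::ReadInt32($buffer)
        $entrySize  = 2 * [IntPtr]::Size
        $adminState = 'absent'
        $groups     = @()
        for ($i = 0; $i -lt $count; $i++) {
            $entry  = [IntPtr]::Add($buffer, [IntPtr]::Size + $i * $entrySize)
            $sidPtr = [Runtime.InteropServices.Marshal]::ReadIntPtr($entry)
            $attrs  = [Runtime.InteropServices.Marshal]::ReadInt32([IntPtr]::Add($entry, [IntPtr]::Size))
            $sid    = New-Object System.Security.Principal.SecurityIdentifier($sidPtr)
            $denyOnly = (($attrs -band $SE_GROUP_USE_FOR_DENY_ONLY) -ne 0)
            if ($sid.Value -eq $adminsSid) {
                if ($denyOnly) { $adminState = 'deny-only' }
                elseif (($attrs -band $SE_GROUP_ENABLED) -ne 0) { $adminState = 'enabled' }
                else { $adminState = 'disabled' }
            }
            $name = $sid.Value
            try { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }
            $groups += [pscustomobject]@{ Group = $name; DenyOnly = $denyOnly }
        }

        [pscustomobject]@{
            ProcessId       = $ProcessId
            RestrictedToken = [TokenProbe]::IsTokenRestricted($hToken)   # true after CreateRestrictedToken
            Administrators  = $adminState
            RunsAsLimited   = ($adminState -ne 'enabled')  # admin SID absent, disabled or deny-only
            Groups          = $groups
        }
    }
    finally {
        if ($buffer -ne [IntPtr]::Zero) { [Runtime.InteropServices.Marshal]::FreeHGlobal($buffer) }
        if ($hToken -ne [IntPtr]::Zero) { [void][TokenProbe]::CloseHandle($hToken) }
        [void][TokenProbe]::CloseHandle($hProcess)
    }
}

# Usage: inspect every running firefox.exe, e.g. one launched by the batch file above.
Get-Process firefox -ErrorAction SilentlyContinue | ForEach-Object {
    Test-LimitedProcessToken -ProcessId $_.Id |
        Format-List ProcessId, RestrictedToken, Administrators, RunsAsLimited
}
```

For a process started with psexec -l, RestrictedToken comes back true and Administrators reads deny-only, matching the DENY flag in the accesschk listing; for the same binary started normally from the admin account, Administrators reads enabled. Opening a process that belongs to another user needs an administrative caller (or SeDebugPrivilege), which is why the check is best run from the same account that launched the process.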
Thanks for the info.
I want to check if I started firefox as a limited user while it is running under an administrative account.
I hope that made sense.
|
You have functions like OpenThreadToken and CheckTokenMembership.
|
> drew77: > I hope that made sense.
Well, not exactly.
I don't think psexec runs anything in a limited user account, if that is what you mean.
IIRC it uses CreateRestrictedToken to strip the admin of some perms and creates a process (the owner would still be admin but with restricted permissions).
To run anything as a limited user account you need an account as a limited user; you should have logged into it at least once physically (i.e. in, say, XP, c:\documents and settings\<limited user>\ should exist),
and then in your admin account you should use runas on the command line,
viz. runas /user:<hostname>\user <firefox>
To verify, I don't think you need to write your own whatever when n number of utilities exist,
like accesschk / subinacl etc.
And if you still want to do it as a learning exercise or whatever,
all it takes is 2 APIs, or 4 if you want the SACL too:
OpenProcess() and GetSecurityInfo() for owner SID, group SID, and DACL.
Add
OpenThreadToken and AdjustTokenPrivileges for the SE_SECURITY_NAME privilege and OpenProcess with ACCESS_SYSTEM_SECURITY and GetSecurityInfo()
if you need the SACL as well
(actually I have never practically seen a process having a SACL; it always returns 0 as far as I know,
so just 2 APIs are sufficient).
And use windbg
!sid / !acl on the returned buffers when broken in at the appropriate place :) for a detailed description.
(Any security experts out there: is there a scenario where a SACL is returned for a running process in XP??)
Simple code and results for a limited-user msgbox:
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <AclAPI.h>

#pragma comment(lib, "advapi32.lib")

/* Enable or disable one named privilege on hToken.
   Returns TRUE when the privilege is now in the requested state, FALSE when the
   token does not hold that privilege at all (ERROR_NOT_ALL_ASSIGNED), or the
   Win32 error code when AdjustTokenPrivileges itself fails. */
DWORD SetPrivilege(HANDLE hToken, LPCTSTR lpszPrivilege, BOOL bEnablePrivilege)
{
    LUID luid;
    BOOL bRet = FALSE;

    if (LookupPrivilegeValue(NULL, lpszPrivilege, &luid) != FALSE)
    {
        TOKEN_PRIVILEGES tp;
        tp.PrivilegeCount = 1;
        tp.Privileges[0].Luid = luid;
        tp.Privileges[0].Attributes = (bEnablePrivilege == TRUE) ? SE_PRIVILEGE_ENABLED : 0;

        bRet = AdjustTokenPrivileges(hToken, FALSE, &tp, 0, (PTOKEN_PRIVILEGES)NULL, (PDWORD)NULL);
        if (bRet == 0)
        {
            return GetLastError();
        }
        else if (GetLastError() == ERROR_SUCCESS)
        {
            return TRUE;
        }
        else if (GetLastError() == ERROR_NOT_ALL_ASSIGNED)
        {
            /* the call succeeded, but the token never held this privilege */
            return FALSE;
        }
    }
    return bRet;
}

int main(int argc, char *argv[])
{
    if (argc != 2)
    {
        printf("provide Pid of a running process in base 10 radix\n");
        return EXIT_FAILURE;
    }

    /* SeSecurityPrivilege is required to ask for ACCESS_SYSTEM_SECURITY (the SACL);
       SeDebugPrivilege lets an administrator open processes owned by other users. */
    HANDLE hToken;
    DWORD setpriret;
    if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken) != FALSE)
    {
        if (((setpriret = SetPrivilege(hToken, SE_SECURITY_NAME, TRUE)) != TRUE) ||
            ((setpriret = SetPrivilege(hToken, SE_DEBUG_NAME, TRUE)) != TRUE))
        {
            printf("Set privilege returned error %lx\n", setpriret);
            CloseHandle(hToken);
            return EXIT_FAILURE;
        }
        CloseHandle(hToken);
    }

    HANDLE hProcess = OpenProcess(
        STANDARD_RIGHTS_REQUIRED | PROCESS_QUERY_INFORMATION | ACCESS_SYSTEM_SECURITY,
        FALSE,
        (DWORD)atoi(argv[1]));
    if (hProcess == NULL)
    {
        printf("Open Process (Pid %d) Failed with %lu\n", atoi(argv[1]), GetLastError());
        return EXIT_FAILURE;
    }

    PSID ppsidOwner = NULL;
    PSID ppsidGroup = NULL;
    PACL ppDacl = NULL;
    PACL ppSacl = NULL;
    PSECURITY_DESCRIPTOR ppSecurityDescriptor = NULL;

    /* A process handle is a kernel object, so SE_KERNEL_OBJECT is the right type here. */
    DWORD getsecinfret = GetSecurityInfo(
        hProcess,
        SE_KERNEL_OBJECT,
        OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION | SACL_SECURITY_INFORMATION,
        &ppsidOwner,
        &ppsidGroup,
        &ppDacl,
        &ppSacl,
        &ppSecurityDescriptor);
    if (getsecinfret != ERROR_SUCCESS)
    {
        printf("GetSecurityInfo Failed with %lu\n", getsecinfret);
        CloseHandle(hProcess);
        return EXIT_FAILURE;
    }

    /* The SID and ACL pointers point into the single security descriptor below;
       break here in a debugger and use !sid / !acl on them. */
    printf(
        "Success\n"
        "ppsidowner = %p\n"
        "ppsidGroup = %p\n"
        "ppDacl = %p\n"
        "ppSacl = %p\n"
        "ppSecurityDescriptor = %p\n",
        (void *)ppsidOwner,
        (void *)ppsidGroup,
        (void *)ppDacl,
        (void *)ppSacl,
        (void *)ppSecurityDescriptor);

    LocalFree(ppSecurityDescriptor);
    CloseHandle(hProcess);
    return EXIT_SUCCESS;
}
Run it in windbg or cdb with this command:
cdb -c "bp 401208 \"!sid poi(esp+4) 1;!sid poi(esp+8) 1;!acl poi(esp+c) 1;q\";g;" getsecing.exe 2664
It sets a bp on the last printf (address 401208 is in my specific binary), prints the SID of owner and group and the ACL of the DACL for a given pid, and quits.
SID is: S-1-5-21-602162358-1801674531-1417001333-1011 (User: xxxxxx\limiteduser)
SID is: S-1-5-21-602162358-1801674531-1417001333-513 (Group: xxxxxx\None)
ACL is:
ACL is: ->AclRevision: 0x2
ACL is: ->Sbz1 : 0x0
ACL is: ->AclSize : 0x40
ACL is: ->AceCount : 0x2
ACL is: ->Sbz2 : 0x0
ACL is: ->Ace[0]: ->AceType: ACCESS_ALLOWED_ACE_TYPE
ACL is: ->Ace[0]: ->AceFlags: 0x0
ACL is: ->Ace[0]: ->AceSize: 0x24
ACL is: ->Ace[0]: ->Mask : 0x001f0fff
ACL is: ->Ace[0]: ->SID: S-1-5-21-602162358-1801674531-1417001333-1011 (User: xxxxxx\limiteduser)
ACL is: ->Ace[1]: ->AceType: ACCESS_ALLOWED_ACE_TYPE
ACL is: ->Ace[1]: ->AceFlags: 0x0
ACL is: ->Ace[1]: ->AceSize: 0x14
ACL is: ->Ace[1]: ->Mask : 0x001f0fff
ACL is: ->Ace[1]: ->SID: S-1-5-18 (Well Known Group: NT AUTHORITY\SYSTEM)
Or use subinacl.exe (Resource Kit download):
=================================
+Process limusemsgbox.exe - 2664
=================================
/control=0x0
/owner =xxxxxx\limiteduser
/primary group =xxxxxx\none
/audit ace count =0
/perm. ace count =2
/pace =xxxxxx\limiteduser ACCESS_ALLOWED_ACE_TYPE-0x0 AccessMask=0x1f0fff
/pace =system ACCESS_ALLOWED_ACE_TYPE-0x0 AccessMask=0x1f0fff
Elapsed Time: 00 00:00:00
Done: 1, Modified 0, Failed 0, Syntax errors 0
Last Done : limusemsgbox.exe - 2664
|
Thanks anonymouse.
After seeing your code, I realize that it's pretty complex.
I code in assembly, I think I'll convert your code and study it.
|