superg
Members
Posts: 8
Interests: MCSE, MCDST, Security+, Network+, A+
-
Hi, please post an example for the registry. Thanks!
-
Looks great! I appreciate your efforts. I will test more on a domain when I return to work next week; until then enjoy your weekend!
-
Hmm, sorry to hear that... it should still be protected from third-party applications which aren't running with elevated privileges. That's better than all 3rd party apps. Perhaps creating a "companion process" which enforces file/process DACLs on UVK and will restart UVK if it's terminated unexpectedly? That could also be a step closer...
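The "companion process" idea from the reply above, as an added example that is not code from the thread or from UVK: a minimal watchdog that launches the program it guards, relaunches it when it exits with a non-zero status, and stops after a restart budget so a crashing program cannot drive an endless restart loop. The command, poll interval and limits are constructed for illustration; the DACL-enforcement half the reply mentions would be layered on top of this loop.

```python
# Added example (not from the thread): a minimal "companion process" that
# relaunches a guarded command when it exits unexpectedly, with a restart
# budget so a crash loop cannot spin forever. Command and limits are
# constructed for illustration.
import subprocess
import sys
import time


def run_watchdog(cmd, max_restarts, poll_interval=0.05, time_budget=None):
    """Keep `cmd` running. Returns (restarts_performed, last_exit_code).

    cmd           argv list of the guarded program
    max_restarts  give up after this many relaunches (avoids crash loops)
    time_budget   optional wall-clock limit in seconds for the whole loop;
                  when it expires the child is asked to stop and we return
    """
    restarts = 0
    deadline = None if time_budget is None else time.time() + time_budget
    child = subprocess.Popen(cmd)
    last_code = None
    while True:
        code = child.poll()
        if code is None:                      # still alive
            if deadline is not None and time.time() > deadline:
                child.terminate()             # orderly stop requested by the watchdog owner
                last_code = child.wait()
                break
            time.sleep(poll_interval)
            continue
        last_code = code
        # Exit status 0 is treated as a deliberate stop; anything else as "unexpected".
        if code == 0 or restarts >= max_restarts:
            break
        restarts += 1
        child = subprocess.Popen(cmd)         # relaunch the guarded program
    return restarts, last_code


def demo(exit_code, max_restarts):
    """Guard a throwaway Python child that exits with `exit_code`
    (a constructed stand-in for the real backup/monitoring agent)."""
    cmd = [sys.executable, "-c", "import sys; sys.exit(%d)" % exit_code]
    return run_watchdog(cmd, max_restarts)


if __name__ == "__main__":
    print("crashing child:", demo(3, 2))   # relaunched twice, then gave up
    print("clean exit:", demo(0, 2))       # no relaunch
```

A real deployment would run this loop as a service so that it starts before users log on; the restart budget is the part worth keeping, since without it a misconfigured agent that dies on start becomes a CPU-burning loop rather than a protected process.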
-
Try killing your "protected process" with pskill -t {pid} or taskkill /pid {pid} from the command prompt (run as administrator); you should be able to. If not, perhaps another test would be to write a separate script granting yourself termination (or all) rights to the "protected" process and then terminating it. You should be able to... hence not a major issue for anyone other than those without administrator rights.
-
No trojan plans here... more like security policy enforcement. I'm actually working on my own in-house "policy enforcement" program to ensure certain IT sec/mgt related programs are not uninstalled, suspended, terminated, or disabled by certain non-admin domain users. There are several processes I need to ensure are always available (unless I, as the domain administrator, specifically disable them) such as backup and monitoring agents. Certain domain users have been disabling these at will. Besides, as you can see, I already posted working code (in Python) so converting to AutoIt shouldn't be much more of a "security risk", IMHO. I suppose the same argument could be made for file security DACLs... deny all rights except for read and execute. All that being said, if one has administrator rights all these protections could be undone easily enough, so the benefit is really the ability to restrict non-domain admin users (and to permit rights for admins (think of an advanced killtasker which grants all necessary rights to a process prior to killing it)). Anyhow, I appreciate you looking into it! I enjoy SetACL myself and have requested they extend functionality to secure processes as well in their forum, so perhaps we'll see more of this!

superg MCNE, MCSE, Security+
-
Hi, I've written a script in Python which successfully modifies the DACL for a given SE_KERNEL_OBJECT process ID. I'd like to convert this into AutoIt, and Permissions.au3 seems to be the place to do it. Specifically, we'll need to add the GetSecurityInfo(), SetKernelObjectSecurity(), and GetKernelObjectSecurity() functions.

Func _getSecurityInfo($handle, $ObjectType, $SecurityInfo)
    ; Each "ptr" struct receives an out-pointer from GetSecurityInfo; the
    ; security descriptor it returns must later be released with LocalFree.
    Local $ppsidOwner = DllStructCreate("ptr")
    Local $ppsidGroup = DllStructCreate("ptr")
    Local $ppDacl = DllStructCreate("ptr")
    Local $ppSacl = DllStructCreate("ptr")
    Local $ppSecurityDescriptor = DllStructCreate("ptr")
    Local $aResult = DllCall($h__Advapi32Dll, "long", "GetSecurityInfo", _
            "handle", $handle, _
            "int", $ObjectType, _
            "dword", $SecurityInfo, _
            "ptr", DllStructGetPtr($ppsidOwner), _
            "ptr", DllStructGetPtr($ppsidGroup), _
            "ptr", DllStructGetPtr($ppDacl), _
            "ptr", DllStructGetPtr($ppSacl), _
            "ptr", DllStructGetPtr($ppSecurityDescriptor))
    If @error Then Return SetError(@error, @extended, -1)
    Return $aResult
EndFunc   ;==>_getSecurityInfo

Func _GetKernelObjectSecurity($handle, $RequestedInformation)
    If $ResourcesState = 0 Then _InitiatePermissionResources()
    ; First call with a NULL buffer and length 0: the API returns FALSE and
    ; writes the size it needs into lpnLengthNeeded.
    Local $tLengthNeeded = DllStructCreate("dword")
    Local $aRet = DllCall($h__Advapi32Dll, "bool", "GetKernelObjectSecurity", _
            "handle", $handle, _
            "dword", $RequestedInformation, _
            "ptr", 0, _
            "dword", 0, _
            "ptr", DllStructGetPtr($tLengthNeeded))
    If @error Then Return SetError(@error, 0, 0)
    Local $iLen = DllStructGetData($tLengthNeeded, 1)
    If $iLen = 0 Then Return SetError(1, 0, 0) ; handle lacks READ_CONTROL (or ACCESS_SYSTEM_SECURITY for the SACL)
    ; Second call with a buffer of that size receives the self-relative security descriptor.
    Local $tSecurityDescriptor = DllStructCreate("byte[" & $iLen & "]")
    $aRet = DllCall($h__Advapi32Dll, "bool", "GetKernelObjectSecurity", _
            "handle", $handle, _
            "dword", $RequestedInformation, _
            "struct*", $tSecurityDescriptor, _
            "dword", $iLen, _
            "ptr", DllStructGetPtr($tLengthNeeded))
    If @error Or Not $aRet[0] Then Return SetError(@error, 0, 0)
    Return $tSecurityDescriptor
EndFunc   ;==>_GetKernelObjectSecurity

Working Python Script - This prevents users from Terminating, Suspending, Changing Rights, and Changing Ownership of any given process ID.

from __future__ import print_function
import sys
import win32api
import win32con
import win32process
import win32security

if len(sys.argv) > 1:
    pid = int(sys.argv[1])
    print("Process:", pid)
else:
    pid = win32api.GetCurrentProcessId()

#
# Find the SIDs for Everyone, the Admin group and the current user
#
everyone, domain, sid_type = win32security.LookupAccountName("", "Everyone")
print(everyone, "Everyone")
admins, domain, sid_type = win32security.LookupAccountName("", "Administrators")
print(admins, "Admins")
user, domain, sid_type = win32security.LookupAccountName("", win32api.GetUserName())
print(user, "User")

new_privs = (
    (win32security.LookupPrivilegeValue('', win32security.SE_SECURITY_NAME), win32con.SE_PRIVILEGE_ENABLED),
    (win32security.LookupPrivilegeValue('', win32security.SE_TCB_NAME), win32con.SE_PRIVILEGE_ENABLED),
    (win32security.LookupPrivilegeValue('', win32security.SE_SHUTDOWN_NAME), win32con.SE_PRIVILEGE_ENABLED),
    (win32security.LookupPrivilegeValue('', win32security.SE_RESTORE_NAME), win32con.SE_PRIVILEGE_ENABLED),
    (win32security.LookupPrivilegeValue('', win32security.SE_TAKE_OWNERSHIP_NAME), win32con.SE_PRIVILEGE_ENABLED),
    (win32security.LookupPrivilegeValue('', win32security.SE_CREATE_PERMANENT_NAME), win32con.SE_PRIVILEGE_ENABLED),
    (win32security.LookupPrivilegeValue('', win32security.SE_ENABLE_DELEGATION_NAME), win32con.SE_PRIVILEGE_ENABLED),
    (win32security.LookupPrivilegeValue('', win32security.SE_CHANGE_NOTIFY_NAME), win32con.SE_PRIVILEGE_ENABLED),
    (win32security.LookupPrivilegeValue('', win32security.SE_DEBUG_NAME), win32con.SE_PRIVILEGE_ENABLED),
    (win32security.LookupPrivilegeValue('', win32security.SE_PROF_SINGLE_PROCESS_NAME), win32con.SE_PRIVILEGE_ENABLED),
    (win32security.LookupPrivilegeValue('', win32security.SE_SYSTEM_PROFILE_NAME), win32con.SE_PRIVILEGE_ENABLED),
    (win32security.LookupPrivilegeValue('', win32security.SE_LOCK_MEMORY_NAME), win32con.SE_PRIVILEGE_ENABLED),
)
print("")
print(new_privs, "new_privs")

all_info = (win32security.OWNER_SECURITY_INFORMATION | win32security.GROUP_SECURITY_INFORMATION |
            win32security.DACL_SECURITY_INFORMATION | win32security.SACL_SECURITY_INFORMATION)

ph = win32api.OpenProcess(win32con.PROCESS_ALL_ACCESS, 0, pid)
## PROCESS_ALL_ACCESS does not contain ACCESS_SYSTEM_SECURITY (necessary to do SACLs)
## The privileges have to be enabled in the caller's own token (not the target's)
## for the OpenProcess below to succeed.
th = win32security.OpenProcessToken(win32api.GetCurrentProcess(),
                                    win32con.TOKEN_ADJUST_PRIVILEGES | win32con.TOKEN_QUERY)
old_privs = win32security.AdjustTokenPrivileges(th, 0, new_privs)
my_sid = user
pwr_sid = everyone

## reopen process with ACCESS_SYSTEM_SECURITY now that sufficient privs are enabled
ph = win32api.OpenProcess(win32con.PROCESS_ALL_ACCESS | win32con.ACCESS_SYSTEM_SECURITY, 0, pid)
sd = win32security.GetSecurityInfo(ph, win32security.SE_KERNEL_OBJECT, all_info)
dacl = sd.GetSecurityDescriptorDacl()
if dacl is None:
    dacl = win32security.ACL()
else:
    print("")
    #print dacl,"DACL"
str_dacl = win32security.ConvertSecurityDescriptorToStringSecurityDescriptor(
    sd, win32security.SDDL_REVISION_1, all_info)
print(str_dacl)

## Owner and group become Everyone; Domain Users, SYSTEM and Everyone are denied
## 0xe0801 = PROCESS_TERMINATE | PROCESS_SUSPEND_RESUME | READ_CONTROL | WRITE_DAC | WRITE_OWNER
strSECURITY_DESCRIPTOR = ('O:' + win32security.ConvertSidToStringSid(everyone) +
                          'G:' + win32security.ConvertSidToStringSid(everyone) +
                          'D:(D;;0xe0801;;;DU)(D;;0xe0801;;;SY)(D;;0xe0801;;;WD)S:P')
PySECURITY_DESCRIPTOR = win32security.ConvertStringSecurityDescriptorToSecurityDescriptor(
    strSECURITY_DESCRIPTOR, win32security.SDDL_REVISION_1)
print("")
print(strSECURITY_DESCRIPTOR)

sacl = sd.GetSecurityDescriptorSacl()
if sacl is None:
    sacl = win32security.ACL()
else:
    print("")
    #print sacl,"SACL"

win32security.SetKernelObjectSecurity(ph, all_info, PySECURITY_DESCRIPTOR)
new_sd = win32security.GetKernelObjectSecurity(ph, all_info)
if win32security.LookupAccountSid('', new_sd.GetSecurityDescriptorOwner())[0] != 'Everyone':
    print('Owner not successfully set to Everyone!')
else:
    print('Owner successfully set to Everyone!')
if win32security.LookupAccountSid('', new_sd.GetSecurityDescriptorGroup())[0] != 'Everyone':
    print('Group not successfully set to Everyone!')
else:
    print('Group successfully set to Everyone!')
-
Hi, I've been working with Permissions.au3 posted by FredAI. One of the limitations of the include, however, is that no GetKernelObjectSecurity and SetKernelObjectSecurity functions are provided. I'd like to write a script where I can manage the discretionary access control list (DACL) of a process. According to http://www.tenouk.com/ModuleI3.html the aforementioned functions are used to manage process object type security. As you can see by this code, I'm able to look up user/group SIDs and process PIDs and handles. The SID is necessary for creating a security descriptor string. The final script will need to be able to convert a security descriptor string to a security descriptor (when setting process permissions) and convert security descriptors to strings (when getting process permissions). It seems _ConvertSecurityDescriptorToStringSecurityDescriptor and _ConvertStringSecurityDescriptorToSecurityDescriptor in Permissions.au3 could be used for that.

#include <WinAPI.au3>
#include <Security.au3> ; provides _Security__LookupAccountName

$Account = _Security__LookupAccountName("Everyone")
If IsArray($Account) Then
    _DisplayAccount(@ComputerName & "\Everyone", $Account)
EndIf

$DomainName = _DomainComputerBelongs()
If @ComputerName <> $DomainName Then
    ;ConsoleWrite("ComputerName: [" & @ComputerName & "]" & @LF)
    ;ConsoleWrite("Domain: [" & $DomainName & "]" & @LF)
    $Account = _Security__LookupAccountName($DomainName & "\Domain Users")
    If IsArray($Account) Then
        _DisplayAccount($DomainName & "\Domain Users", $Account)
    EndIf
EndIf

Local $handle = WinGetHandle("[CLASS:PROCEXPL]")
Local $pid = WinGetProcess("[CLASS:PROCEXPL]")
ConsoleWrite('Handle: ' & $handle & @CRLF)
ConsoleWrite('PID: ' & $pid & @CRLF)

; $account is the array returned by _Security__LookupAccountName:
;   $aAcct[0] - SID String
;   $aAcct[1] - Domain name
;   $aAcct[2] - SID type, which can be one of the following values:
;       1 - user SID, 2 - group SID, 3 - domain SID, 4 - alias SID,
;       5 - well-known group SID, 6 - deleted account SID, 7 - invalid SID,
;       8 - unknown SID type, 9 - computer SID
; Failure: sets @error
Func _DisplayAccount($user = "", $account = "")
    If IsArray($account) Then
        Local $i
        ConsoleWrite("[" & $user & "]" & @LF)
        For $i = 0 To 2
            ConsoleWrite($i & ": [" & $account[$i] & "]" & @LF)
        Next
        Return $account
    EndIf
EndFunc   ;==>_DisplayAccount

Func _DomainComputerBelongs($strComputer = "localhost")
    Local $Domain = ''
    Local $wbemFlagReturnImmediately = 0x10
    Local $wbemFlagForwardOnly = 0x20
    Local $objWMIService = ObjGet("winmgmts:\\" & $strComputer & "\root\CIMV2")
    If Not IsObj($objWMIService) Then Return SetError(1, 0, '')
    Local $colItems = $objWMIService.ExecQuery("SELECT * FROM Win32_ComputerSystem", "WQL", _
            $wbemFlagReturnImmediately + $wbemFlagForwardOnly)
    If IsObj($colItems) Then
        For $objItem In $colItems
            $Domain = $objItem.Domain
        Next
    EndIf
    Return $Domain
EndFunc   ;==>_DomainComputerBelongs

Here is my attempt at creating the necessary function for use with Permissions.au3:

Func _GetKernelObjectSecurity($handle)
    Local $SECURITY_INFORMATION = BitOR($DACL_SECURITY_INFORMATION, $OWNER_SECURITY_INFORMATION)
    If $ResourcesState = 0 Then _InitiatePermissionResources()
    ; With a NULL buffer and length 0 the API only reports the required size;
    ; lpnLengthNeeded must point at a real DWORD, so pass it as "dword*" rather than a literal 0.
    Local $aRet = DllCall($h__Advapi32Dll, "bool", "GetKernelObjectSecurity", _
            "handle", $handle, _
            "dword", $SECURITY_INFORMATION, _
            "ptr", 0, _
            "dword", 0, _
            "dword*", 0)
    If @error Then Return SetError(@error, 0, 0)
    Return $aRet
EndFunc   ;==>_GetKernelObjectSecurity

I haven't been able to get this to work, however. I'm also unclear if GetSecurityInfo and SetSecurityInfo would also work for managing process security. Here is my attempt to incorporate those...

Func _GetSecurityInfo($handle, $ObjectType, $SecurityInfo, $ppsidOwner, $ppsidGroup, $ppDacl, $ppSacl, $ppSecurityDescriptor)
    Local $call = DllCall($h__Advapi32Dll, "long", "GetSecurityInfo", _
            "handle", $handle, _
            "int", $ObjectType, _
            "dword", $SecurityInfo, _
            "ptr", $ppsidOwner, _
            "ptr", $ppsidGroup, _
            "ptr", $ppDacl, _
            "ptr", $ppSacl, _
            "ptr", $ppSecurityDescriptor)
    Return $call
EndFunc   ;==>_GetSecurityInfo

Func _SetSecurityInfo($handle, $ObjectType, $SecurityInfo, $psidOwner, $psidGroup, $pDacl, $pSacl)
    Local $call = DllCall($h__Advapi32Dll, "long", "SetSecurityInfo", _
            "handle", $handle, _
            "int", $ObjectType, _
            "dword", $SecurityInfo, _
            "ptr", $psidOwner, _
            "ptr", $psidGroup, _
            "ptr", $pDacl, _
            "ptr", $pSacl)
    Return $call
EndFunc   ;==>_SetSecurityInfo

At any rate, does anyone here have the expertise to help me create a working sample? The first obtaining the DACL of a given process and displaying it on the console as a string, the second actually setting a different DACL on that process using a security descriptor written as a string? Thanks in advance!!
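Both the post above (converting between security descriptor strings and descriptors) and the later pywin32 script (which applies the string O:...G:...D:(D;;0xe0801;;;DU)(D;;0xe0801;;;SY)(D;;0xe0801;;;WD)S:P) hinge on reading SDDL correctly. The block below is an added example, not code from the thread, FredAI's Permissions.au3 or pywin32: a pure-Python SDDL parser that splits the O:/G:/D:/S: sections, decodes each ACE's access mask into the process-right names from winnt.h, and runs a couple of review checks a practitioner would want before applying such a descriptor to a production agent. The SDDL sample is the thread's descriptor with Everyone's SID (S-1-1-0) already substituted; the well-known SID abbreviations and rights tables are the standard ones, not anything taken from the thread.

```python
# Added example (not from the thread): parse the SDDL string the pywin32
# script builds and decode what each ACE actually grants or denies on a
# process, so the policy can be reviewed offline without a Windows host.
from __future__ import print_function
import re

# Access-mask bits for process objects (values from winnt.h).
PROCESS_RIGHTS = {
    0x00000001: "PROCESS_TERMINATE",
    0x00000002: "PROCESS_CREATE_THREAD",
    0x00000008: "PROCESS_VM_OPERATION",
    0x00000010: "PROCESS_VM_READ",
    0x00000020: "PROCESS_VM_WRITE",
    0x00000040: "PROCESS_DUP_HANDLE",
    0x00000080: "PROCESS_CREATE_PROCESS",
    0x00000100: "PROCESS_SET_QUOTA",
    0x00000200: "PROCESS_SET_INFORMATION",
    0x00000400: "PROCESS_QUERY_INFORMATION",
    0x00000800: "PROCESS_SUSPEND_RESUME",
    0x00001000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE",
}

# SDDL rights codes that may appear instead of a hex mask (generic + standard rights).
RIGHT_CODES = {
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
    "SD": 0x00010000, "RC": 0x00020000, "WD": 0x00040000, "WO": 0x00080000,
}

# Two-letter SID abbreviations used by the thread's descriptor plus a few common ones.
WELL_KNOWN_SIDS = {
    "WD": "Everyone", "SY": "Local System", "DU": "Domain Users",
    "BA": "Builtin Administrators", "AU": "Authenticated Users", "IU": "Interactive",
}

ACE_TYPES = {"A": "ALLOW", "D": "DENY", "AU": "AUDIT"}


def decode_mask(mask):
    """Names of every known bit set in a process access mask, lowest bit first."""
    names = [name for bit, name in sorted(PROCESS_RIGHTS.items()) if mask & bit]
    unknown = mask & ~sum(PROCESS_RIGHTS)        # bits this table does not know
    if unknown:
        names.append("0x%08x" % unknown)
    return names


def parse_rights(field):
    """The rights field is either a hex literal or a run of two-letter codes."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    return sum(RIGHT_CODES[field[i:i + 2]] for i in range(0, len(field), 2))


def parse_ace(body):
    """'type;flags;rights;object_guid;inherit_guid;sid' -> dict."""
    ace_type, flags, rights, _obj, _inh, sid = body.split(";")
    mask = parse_rights(rights)
    return {"type": ACE_TYPES.get(ace_type, ace_type), "flags": flags, "mask": mask,
            "rights": decode_mask(mask), "sid": sid,
            "account": WELL_KNOWN_SIDS.get(sid, sid)}


def parse_sddl(sddl):
    """Split the O:/G:/D:/S: sections and parse the DACL's flags and ACEs."""
    parts = dict(re.findall(r"([OGDS]):(.*?)(?=[OGDS]:|$)", sddl))
    dacl = parts.get("D", "")
    return {
        "owner": parts.get("O", ""),
        "group": parts.get("G", ""),
        "dacl_flags": dacl.split("(", 1)[0],
        "dacl": [parse_ace(b) for b in re.findall(r"\(([^)]*)\)", dacl)],
        "sacl_flags": parts.get("S", "").split("(", 1)[0],
    }


def denied_to(parsed, right_name):
    """Accounts whose DENY ACE covers the named right."""
    return [ace["account"] for ace in parsed["dacl"]
            if ace["type"] == "DENY" and right_name in ace["rights"]]


def review_dacl(parsed):
    """Findings a reviewer would raise before applying this descriptor."""
    findings = []
    for ace in parsed["dacl"]:
        if ace["type"] == "DENY" and ace["sid"] in ("BA", "SY"):
            findings.append("DENY ACE hits %s: callers in that context that do not enable "
                            "SeDebugPrivilege (which bypasses the DACL) lose these rights too"
                            % ace["account"])
    if not any(ace["type"] == "ALLOW" for ace in parsed["dacl"]):
        findings.append("no ALLOW ACE: rights not named in a DENY ACE are not granted either, so "
                        "even PROCESS_QUERY_LIMITED_INFORMATION is refused to callers without SeDebugPrivilege")
    return findings


# The thread's descriptor with Everyone's SID substituted (constructed input).
SDDL_FROM_THREAD = "O:S-1-1-0G:S-1-1-0D:(D;;0xe0801;;;DU)(D;;0xe0801;;;SY)(D;;0xe0801;;;WD)S:P"

if __name__ == "__main__":
    sd = parse_sddl(SDDL_FROM_THREAD)
    for ace in sd["dacl"]:
        print(ace["type"], ace["account"], ", ".join(ace["rights"]))
    for finding in review_dacl(sd):
        print("NOTE:", finding)
```

Run stand-alone it shows that 0xe0801 is PROCESS_TERMINATE, PROCESS_SUSPEND_RESUME, READ_CONTROL, WRITE_DAC and WRITE_OWNER, denied to Domain Users, Local System and Everyone, and flags the two points worth a second look: the deny on SYSTEM, and the absence of any allow ACE. The review logic is deliberately structural (it reasons only over the parsed ACEs), which is what makes it usable as a pre-deployment check on any descriptor string, not just this one.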
-
FredAI, thank you for creating this solution, I really appreciate it! Would it be possible for you to post two additional examples? Specifically, I'm having difficulty assigning file object permissions for specific domain users/groups. I use the function included herein to obtain the domain name. If the @LogonDomain and $Domain variables do not match I'd like to add the 'DOMAIN\Domain Users' group, for example, to the DACL permissions array. I'm assuming the answer involves looking up the SID? The second example I'm looking for would be code showing how to modify thread permissions, specifically Terminate, Suspend/Resume, and Change Owner. I guess looking up the PID is involved?

$Domain = _DomainComputerBelongs()
MsgBox(0, @LogonDomain, 'Domain: ' & $Domain) ; was $ComputerDomain, which is never assigned

Func _DomainComputerBelongs($strComputer = "localhost")
    Local $Domain = ''
    Local $wbemFlagReturnImmediately = 0x10
    Local $wbemFlagForwardOnly = 0x20
    Local $objWMIService = ObjGet("winmgmts:\\" & $strComputer & "\root\CIMV2")
    If Not IsObj($objWMIService) Then Return SetError(1, 0, '')
    Local $colItems = $objWMIService.ExecQuery("SELECT * FROM Win32_ComputerSystem", "WQL", _
            $wbemFlagReturnImmediately + $wbemFlagForwardOnly)
    If IsObj($colItems) Then
        For $objItem In $colItems
            $Domain = $objItem.Domain
        Next
    EndIf
    Return $Domain
EndFunc   ;==>_DomainComputerBelongs

Thanks!!