
WinAPI and Process Tokens



Hello all, I am trying to open a given process to see which tokens it has, and then modify those tokens.

My AutoIT script is running under Windows XP as an Administrative user, and the process I am trying to open is a command window (cmd.exe) running as a standard user.

It looks like I may be able to accomplish this through the Windows API, using a combination of calls to OpenProcessToken, GetTokenInformation, and AdjustTokenPrivileges. I have seen a few examples of OpenProcessToken and AdjustTokenPrivileges (See: Here), but they focus around the debug privilege (SeDebugPrivilege), which doesn't provide any real indicator to me that the code is actually doing anything. I'm a bit more interested in being able to check for and enable "SeTcbPrivilege", basically providing administrative privileges to a process which did not originally have them.

I've tried looking through the MSDN docs, but to be honest, with the lack of usable examples (no technet subscription for me, haha), I really don't understand how to use/call these functions.

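#include <WinAPI.au3>

_GetPrivilege_SEDEBUG()
ConsoleWrite(@error & @CRLF)

Func _GetPrivilege_SEDEBUG()

    Local $tagLUIDANDATTRIB = "int64 Luid;dword Attributes"
    Local $count = 1
    Local $tagTOKENPRIVILEGES = "dword PrivilegeCount;byte LUIDandATTRIB[" & $count * 12 & "]" ; count of LUID structs * sizeof LUID struct
    ;   Local $sTOKEN_ADJUST_PRIVILEGES = 0x20
    Local $myPID = ProcessExists("cmd.exe")
    If $myPID = 0 Then Return SetError(1) ; no cmd.exe running

    ; OpenProcessToken expects a process handle, not a PID, so open the process first
    ; (0x0400 = PROCESS_QUERY_INFORMATION)
    Local $call = DllCall("kernel32.dll", "handle", "OpenProcess", "dword", 0x0400, "bool", 0, "dword", $myPID)
    If @error Or $call[0] = 0 Then Return SetError(1)
    Local $hProcess = $call[0]

    ; 0x20 = TOKEN_ADJUST_PRIVILEGES; the token handle comes back in the third parameter
    $call = DllCall("advapi32.dll", "bool", "OpenProcessToken", "handle", $hProcess, "dword", 0x20, "handle*", 0)
;~     _WinAPI_GetCurrentProcess()//$myPID
    If @error Or $call[0] = 0 Then
        DllCall("kernel32.dll", "bool", "CloseHandle", "handle", $hProcess)
        Return SetError(1)
    EndIf
    Local $hToken = $call[3]

    ; Unicode entry point with matching wstr type; a null system name means the local machine
    $call = DllCall("advapi32.dll", "bool", "LookupPrivilegeValueW", "ptr", 0, "wstr", "SeTcbPrivilege", "int64*", 0)
;~     SeDebugPrivilege//SeTcbPrivilege

    Local $iLuid = $call[3]
    Local $TP = DllStructCreate($tagTOKENPRIVILEGES)
    Local $LUID = DllStructCreate($tagLUIDANDATTRIB, DllStructGetPtr($TP, "LUIDandATTRIB"))
    DllStructSetData($TP, "PrivilegeCount", $count)
    DllStructSetData($LUID, "Luid", $iLuid)
    DllStructSetData($LUID, "Attributes", 0x00000002) ; SE_PRIVILEGE_ENABLED

    $call = DllCall("advapi32.dll", "bool", "AdjustTokenPrivileges", "handle", $hToken, "bool", 0, "ptr", DllStructGetPtr($TP), "dword", 0, "ptr", 0, "ptr", 0)
    ; A nonzero return is not enough: the call only enables privileges the token already
    ; holds, and otherwise still returns nonzero with last error ERROR_NOT_ALL_ASSIGNED (1300)
    Local $ok = (Not @error) And ($call[0] <> 0) And (_WinAPI_GetLastError() = 0)

    DllCall("kernel32.dll", "bool", "CloseHandle", "handle", $hToken)
    DllCall("kernel32.dll", "bool", "CloseHandle", "handle", $hProcess)

    ConsoleWrite("Privilege = " & $ok & @LF)
    If $ok Then Return SetError(0) ; privilege is now enabled
    Return SetError(1)
EndFunc   ;==>_GetPrivilege_SEDEBUG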

Any thoughts? :)
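
The post mentions GetTokenInformation but does not call it. The following is an added example, not part of the original post, that lists the privileges a process token holds and whether each is enabled, which is the check to make before any AdjustTokenPrivileges call. The function name _ListTokenPrivileges and its text output format are hypothetical.

```autoit
; Added example: enumerate the privileges in a process token (TokenPrivileges, class 3).
; Returns one "Name (enabled|disabled)" line per privilege, or "" with @error set.
Func _ListTokenPrivileges($iPID)
    Local $sOut = "", $iErr = 0
    ; 0x0400 = PROCESS_QUERY_INFORMATION
    Local $aCall = DllCall("kernel32.dll", "handle", "OpenProcess", "dword", 0x0400, "bool", 0, "dword", $iPID)
    If @error Or $aCall[0] = 0 Then Return SetError(1, 0, "")
    Local $hProcess = $aCall[0]

    ; 0x0008 = TOKEN_QUERY is all that is needed to read the token
    $aCall = DllCall("advapi32.dll", "bool", "OpenProcessToken", "handle", $hProcess, "dword", 0x0008, "handle*", 0)
    If @error Or $aCall[0] = 0 Then
        DllCall("kernel32.dll", "bool", "CloseHandle", "handle", $hProcess)
        Return SetError(2, 0, "")
    EndIf
    Local $hToken = $aCall[3]

    ; First call with no buffer only reports the required size in the last parameter
    $aCall = DllCall("advapi32.dll", "bool", "GetTokenInformation", "handle", $hToken, "int", 3, "ptr", 0, "dword", 0, "dword*", 0)
    If @error Or $aCall[5] = 0 Then
        $iErr = 3
    Else
        Local $tBuf = DllStructCreate("byte[" & $aCall[5] & "]")
        Local $pBuf = DllStructGetPtr($tBuf)
        $aCall = DllCall("advapi32.dll", "bool", "GetTokenInformation", "handle", $hToken, "int", 3, "ptr", $pBuf, "dword", DllStructGetSize($tBuf), "dword*", 0)
        If @error Or $aCall[0] = 0 Then
            $iErr = 4
        Else
            ; TOKEN_PRIVILEGES: dword count, then 12-byte LUID_AND_ATTRIBUTES entries
            Local $iCount = DllStructGetData(DllStructCreate("dword", $pBuf), 1)
            For $i = 0 To $iCount - 1
                Local $pEntry = $pBuf + 4 + $i * 12
                Local $tEntry = DllStructCreate("dword Low;long High;dword Attributes", $pEntry)
                ; The entry starts with the LUID, so its address doubles as the LUID pointer
                Local $aName = DllCall("advapi32.dll", "bool", "LookupPrivilegeNameW", "ptr", 0, "ptr", $pEntry, "wstr", "", "dword*", 256)
                If @error Or $aName[0] = 0 Then ContinueLoop
                Local $sState = "disabled"
                If BitAND(DllStructGetData($tEntry, "Attributes"), 0x2) Then $sState = "enabled" ; SE_PRIVILEGE_ENABLED
                $sOut &= $aName[3] & " (" & $sState & ")" & @CRLF
            Next
        EndIf
    EndIf

    DllCall("kernel32.dll", "bool", "CloseHandle", "handle", $hToken)
    DllCall("kernel32.dll", "bool", "CloseHandle", "handle", $hProcess)
    Return SetError($iErr, 0, $sOut)
EndFunc   ;==>_ListTokenPrivileges

ConsoleWrite(_ListTokenPrivileges(ProcessExists("cmd.exe")))
```

A privilege that does not appear in this list is not in the token, and AdjustTokenPrivileges will report ERROR_NOT_ALL_ASSIGNED for it rather than add it.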
