WinAPI and Process Tokens

Hello all, I am trying to open a given process to see which tokens it has, and then modify those tokens.

My AutoIt script is running under Windows XP as an Administrative user, and the process I am trying to open is a command window (cmd.exe) running as a standard user.

It looks like I may be able to accomplish this through the Windows API, using a combination of calls to OpenProcessToken, GetTokenInformation, and AdjustTokenPrivileges. I have seen a few examples of OpenProcessToken and AdjustTokenPrivileges (See: Here), but they focus around the debug privilege (SeDebugPrivilege), which doesn't provide any real indicator to me that the code is actually doing anything. I'm a bit more interested in being able to check for and enable "SeTcbPrivilege", basically providing administrative privileges to a process which did not originally have them.

I've tried looking through the MSDN docs, but to be honest, with the lack of usable examples (no technet subscription for me, haha), I really don't understand how to use/call these functions.

#include <WinAPI.au3>

; Win32 constants (values from winnt.h / winerror.h); WinAPI.au3 alone does not define all of them
Global Const $PROCESS_QUERY_INFORMATION = 0x0400
Global Const $TOKEN_ADJUST_PRIVILEGES = 0x0020
Global Const $TOKEN_QUERY = 0x0008
Global Const $SE_PRIVILEGE_ENABLED = 0x00000002
Global Const $ERROR_NOT_ALL_ASSIGNED = 1300

Local $iPID = ProcessExists("cmd.exe")
If $iPID = 0 Then
    ConsoleWrite("cmd.exe is not running" & @CRLF)
Else
    _EnablePrivilegeInProcess($iPID, "SeTcbPrivilege")
    ConsoleWrite("@error = " & @error & ", Win32 error = " & @extended & @CRLF)
EndIf

; Tries to enable $sPrivilege in the primary token of process $iPID.
; Returns True on success; otherwise sets @error (step that failed) and @extended (GetLastError).
Func _EnablePrivilegeInProcess($iPID, $sPrivilege)
    Local $tagLUIDANDATTRIB = "int64 Luid;dword Attributes"
    Local $iCount = 1
    ; TOKEN_PRIVILEGES: DWORD PrivilegeCount followed by an array of LUID_AND_ATTRIBUTES (12 bytes each)
    Local $tagTOKENPRIVILEGES = "dword PrivilegeCount;byte LUIDandATTRIB[" & $iCount * 12 & "]"

    ; OpenProcessToken needs a process HANDLE, not a PID, so open the process first
    Local $aCall = DllCall("kernel32.dll", "handle", "OpenProcess", "dword", $PROCESS_QUERY_INFORMATION, "bool", False, "dword", $iPID)
    If @error Or $aCall[0] = 0 Then Return SetError(1, _WinAPI_GetLastError(), False)
    Local $hProcess = $aCall[0]

    $aCall = DllCall("advapi32.dll", "bool", "OpenProcessToken", "handle", $hProcess, "dword", BitOR($TOKEN_ADJUST_PRIVILEGES, $TOKEN_QUERY), "handle*", 0)
    If @error Or $aCall[0] = 0 Then
        _WinAPI_CloseHandle($hProcess)
        Return SetError(2, _WinAPI_GetLastError(), False)
    EndIf
    Local $hToken = $aCall[3]

    ; Resolve the privilege name to its LUID (NULL system name = local machine; the W variant takes a wide string)
    $aCall = DllCall("advapi32.dll", "bool", "LookupPrivilegeValueW", "ptr", 0, "wstr", $sPrivilege, "int64*", 0)
    If @error Or $aCall[0] = 0 Then
        _WinAPI_CloseHandle($hToken)
        _WinAPI_CloseHandle($hProcess)
        Return SetError(3, _WinAPI_GetLastError(), False)
    EndIf
    Local $iLuid = $aCall[3]

    Local $tTP = DllStructCreate($tagTOKENPRIVILEGES)
    Local $tLUID = DllStructCreate($tagLUIDANDATTRIB, DllStructGetPtr($tTP, "LUIDandATTRIB"))
    DllStructSetData($tTP, "PrivilegeCount", $iCount)
    DllStructSetData($tLUID, "Luid", $iLuid)
    DllStructSetData($tLUID, "Attributes", $SE_PRIVILEGE_ENABLED)

    ; Second parameter is DisableAllPrivileges; the last three (BufferLength, PreviousState, ReturnLength) may be 0/NULL
    $aCall = DllCall("advapi32.dll", "bool", "AdjustTokenPrivileges", "handle", $hToken, "bool", False, "ptr", DllStructGetPtr($tTP), "dword", 0, "ptr", 0, "ptr", 0)
    ; AdjustTokenPrivileges returns TRUE even when it could not enable the privilege; the real answer
    ; is GetLastError: ERROR_NOT_ALL_ASSIGNED means the token does not hold that privilege at all
    Local $iLastError = _WinAPI_GetLastError()
    Local $bOk = (Not @error) And ($aCall[0] <> 0) And ($iLastError <> $ERROR_NOT_ALL_ASSIGNED)

    _WinAPI_CloseHandle($hToken)
    _WinAPI_CloseHandle($hProcess)
    ConsoleWrite("Privilege " & $sPrivilege & " enabled = " & $bOk & " (last error " & $iLastError & ")" & @LF)
    If $bOk Then Return SetError(0, $iLastError, True)
    Return SetError(4, $iLastError, False)
EndFunc   ;==>_EnablePrivilegeInProcess

Any thoughts? :)

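The "check for" half of the question is the part that matters, because AdjustTokenPrivileges can only enable or disable privileges that are already present in a token; it never adds one. A standard user's cmd.exe token does not contain SeTcbPrivilege, so enabling it "succeeds" (return value nonzero) but GetLastError reports ERROR_NOT_ALL_ASSIGNED (1300). Getting a privilege into a token means assigning it to the account (Local Security Policy, "User Rights Assignment", or LsaAddAccountRights) and logging on again. The script below is an added example, not code from the original post or from AutoIt's include files: it enumerates the target token's privileges with GetTokenInformation(TokenPrivileges), translates each LUID back to a name with LookupPrivilegeName, and reports whether SeTcbPrivilege is there at all. The constants, the function names _ListTokenPrivileges and _TokenHasPrivilege, and the assumption that a cmd.exe is running are mine; the TOKEN_INFORMATION_CLASS value 3 for TokenPrivileges is from winnt.h. If OpenProcess fails with error 5 (ERROR_ACCESS_DENIED) on another user's process, enable SeDebugPrivilege in your own process first, which is what the SeDebugPrivilege examples you found are for.

```autoit
#include <WinAPI.au3>

; Win32 constants (values from winnt.h); declared here because not every AutoIt version ships them in an include
Global Const $PROCESS_QUERY_INFORMATION = 0x0400
Global Const $TOKEN_QUERY = 0x0008
Global Const $TOKENINFO_PRIVILEGES = 3          ; TOKEN_INFORMATION_CLASS: TokenPrivileges
Global Const $SE_PRIVILEGE_ENABLED = 0x00000002

; Constructed usage: assumes a cmd.exe is running, as in the post
Local $iPID = ProcessExists("cmd.exe")
If $iPID = 0 Then
    ConsoleWrite("cmd.exe is not running" & @CRLF)
Else
    Local $aPrivs = _ListTokenPrivileges($iPID)
    If @error Then
        ConsoleWrite("Failed at step " & @error & ", Win32 error " & @extended & @CRLF)
    Else
        For $i = 1 To $aPrivs[0][0]
            Local $sState = "disabled"
            If BitAND($aPrivs[$i][1], $SE_PRIVILEGE_ENABLED) Then $sState = "enabled"
            ConsoleWrite($aPrivs[$i][0] & @TAB & $sState & @CRLF)
        Next
        ConsoleWrite("Token holds SeTcbPrivilege: " & _TokenHasPrivilege($aPrivs, "SeTcbPrivilege") & @CRLF)
    EndIf
EndIf

; Returns a 2D array: [0][0] = count, [n][0] = privilege name, [n][1] = attribute flags.
; On failure sets @error (step) and @extended (GetLastError) and returns 0.
Func _ListTokenPrivileges($iPID)
    Local $iErr, $tEntry, $aName
    Local $aCall = DllCall("kernel32.dll", "handle", "OpenProcess", "dword", $PROCESS_QUERY_INFORMATION, "bool", False, "dword", $iPID)
    If @error Or $aCall[0] = 0 Then Return SetError(1, _WinAPI_GetLastError(), 0)
    Local $hProcess = $aCall[0]

    $aCall = DllCall("advapi32.dll", "bool", "OpenProcessToken", "handle", $hProcess, "dword", $TOKEN_QUERY, "handle*", 0)
    If @error Or $aCall[0] = 0 Then
        $iErr = _WinAPI_GetLastError()
        _WinAPI_CloseHandle($hProcess)
        Return SetError(2, $iErr, 0)
    EndIf
    Local $hToken = $aCall[3]

    ; First call with a NULL buffer only to learn the required size (it fails with ERROR_INSUFFICIENT_BUFFER)
    $aCall = DllCall("advapi32.dll", "bool", "GetTokenInformation", "handle", $hToken, "int", $TOKENINFO_PRIVILEGES, "ptr", 0, "dword", 0, "dword*", 0)
    If @error Or $aCall[5] = 0 Then
        $iErr = _WinAPI_GetLastError()
        _WinAPI_CloseHandle($hToken)
        _WinAPI_CloseHandle($hProcess)
        Return SetError(3, $iErr, 0)
    EndIf
    Local $iSize = $aCall[5]
    Local $tBuffer = DllStructCreate("byte[" & $iSize & "]")
    $aCall = DllCall("advapi32.dll", "bool", "GetTokenInformation", "handle", $hToken, "int", $TOKENINFO_PRIVILEGES, "ptr", DllStructGetPtr($tBuffer), "dword", $iSize, "dword*", 0)
    $iErr = _WinAPI_GetLastError()
    _WinAPI_CloseHandle($hToken)
    _WinAPI_CloseHandle($hProcess)
    If @error Or $aCall[0] = 0 Then Return SetError(4, $iErr, 0)

    ; TOKEN_PRIVILEGES layout: DWORD PrivilegeCount at offset 0, then LUID_AND_ATTRIBUTES entries
    ; (8-byte LUID + 4-byte Attributes = 12 bytes each) starting at offset 4
    Local $iCount = DllStructGetData(DllStructCreate("dword", DllStructGetPtr($tBuffer)), 1)
    Local $aOut[$iCount + 1][2]
    $aOut[0][0] = $iCount
    For $i = 0 To $iCount - 1
        $tEntry = DllStructCreate("int64 Luid;dword Attributes", DllStructGetPtr($tBuffer) + 4 + $i * 12)
        ; Translate the LUID back to a name such as "SeTcbPrivilege" (NULL system name = local machine)
        $aName = DllCall("advapi32.dll", "bool", "LookupPrivilegeNameW", "ptr", 0, "int64*", DllStructGetData($tEntry, "Luid"), "wstr", "", "dword*", 256)
        If @error Or $aName[0] = 0 Then
            $aOut[$i + 1][0] = "<unknown LUID>"
        Else
            $aOut[$i + 1][0] = $aName[3]
        EndIf
        $aOut[$i + 1][1] = DllStructGetData($tEntry, "Attributes")
    Next
    Return $aOut
EndFunc   ;==>_ListTokenPrivileges

; True only if the privilege is present in the token at all. AdjustTokenPrivileges can
; flip the enabled bit of what is listed here but can never add an entry that is missing.
Func _TokenHasPrivilege(ByRef $aPrivs, $sName)
    For $i = 1 To $aPrivs[0][0]
        If $aPrivs[$i][0] = $sName Then Return True
    Next
    Return False
EndFunc   ;==>_TokenHasPrivilege
```

Run it against your own process (ProcessExists(@ScriptName) or _WinAPI_GetCurrentProcessId()) as well as against the standard user's cmd.exe and compare the two lists: the administrator token will show SeDebugPrivilege and friends in the disabled state, which AdjustTokenPrivileges can switch on, while the standard user's list will be short and will not contain SeTcbPrivilege, which is why enabling it there reports error 1300.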
