sulfurious

Get Integrity Level of a process

1 post in this topic

Hello.

I have been attempting to get the integrity level of a process using OpenProcessToken and GetTokenInformation. Here is what I have been messing with thus far.

#include <Security.au3>
#include <Constants.au3>
#include <securityconstants.au3>
#Include <WinAPI.au3>
#include <array.au3>


Global Const $STANDARD_RIGHTS_REQUIRED = 0x000F0000
Global Const $TOKEN_ALL_ACCESS_P = BitOR($STANDARD_RIGHTS_REQUIRED, $TOKEN_ASSIGN_PRIMARY, $TOKEN_DUPLICATE, $TOKEN_IMPERSONATE, $TOKEN_QUERY, $TOKEN_QUERY_SOURCE, $TOKEN_ADJUST_PRIVILEGES, $TOKEN_ADJUST_GROUPS, $TOKEN_ADJUST_DEFAULT)
Global Const $TOKEN_ALL_ACCESS = BitOR($TOKEN_ALL_ACCESS_P, $TOKEN_ADJUST_SESSIONID)

$TOKEN_READ = 0x00020000+0x0008 ; STANDARD_RIGHTS_READ+TOKEN_QUERY

$ProcessID = ProcessExists("calc.exe")  ;. choose a process that is running
$ProcessHandle = _WinAPI_OpenProcess($PROCESS_QUERY_INFORMATION, False, $ProcessID) ;. get handle to process
ConsoleWrite($ProcessHandle & '  process handle' & @CRLF)

$ProcessToken = _Security__OpenProcessToken($ProcessHandle, $TOKEN_ALL_ACCESS)  ;. get token handle using correct access mask
;~ $ProcessToken = _Security__OpenProcessToken($ProcessHandle, $TOKEN_READ)
ConsoleWrite($ProcessToken & '  process token' & @CRLF)

$ProcessInfo = _Security__GetTokenInformationX($ProcessToken, $TOKENINTEGRITYLEVEL) ;. get information using correct class
ConsoleWrite($ProcessInfo & '  process info' & @CRLF)

_ArrayDisplay($ProcessInfo,'ProcessInfo array')

If $ProcessToken Then _WinAPI_CloseHandle($ProcessToken)
If $ProcessHandle Then _WinAPI_CloseHandle($ProcessHandle)

; #FUNCTION# ====================================================================================================================
; Name...........: _Security__GetTokenInformation
; Description ...: Retrieves a specified type of information about an access token
; Syntax.........: _Security__GetTokenInformation($hToken, $iClass)
; Parameters ....: $hToken      - A handle to an  access  token  from  which  information  is  retrieved.  If  $iClass  specifies
;                  +$sTokenSource, the handle must have $TOKEN_QUERY_SOURCE access. For all other $iClass values, the handle must
;                  +have $TOKEN_QUERY access.
;                  $iClass      - Specifies a value to identify the type of information the function retrieves
; Return values .: Success      - A byte structure filled with the requested information
;                  Failure      - 0
; Author ........: Paul Campbell (PaulIA)
; Modified.......:
; Remarks .......:
; Related .......:
; Link ..........: @@MsdnLink@@ GetTokenInformation
; Example .......:
; ===============================================================================================================================
Func _Security__GetTokenInformationX($hToken, $iClass)
    ; First call with a NULL buffer: GetTokenInformation is expected to return FALSE here
    ; (ERROR_INSUFFICIENT_BUFFER) and only reports the size it needs in $aResult[5],
    ; so the check has to be on the returned length, not on the BOOL result
    Local $aResult = DllCall("advapi32.dll", "bool", "GetTokenInformation", "handle", $hToken, "int", $iClass, "ptr", 0, "dword", 0, "dword*", 0)
    If @error Then Return SetError(@error, @extended, 0)
    _ArrayDisplay($aResult,'GetTokenInformation pass 1')
    If Not $aResult[5] Then Return 0

    Local $tBuffer = DllStructCreate("byte[" & $aResult[5] & "]")
    Local $pBuffer = DllStructGetPtr($tBuffer)
    $aResult = DllCall("advapi32.dll", "bool", "GetTokenInformation", "handle", $hToken, "int", $iClass, "ptr", $pBuffer, _
            "dword", $aResult[5], "dword*", 0)
    If @error Then Return SetError(@error, @extended, 0)
    _ArrayDisplay($aResult,'GetTokenInformation pass 2')
    If Not $aResult[0] Then Return 0
    Return $tBuffer
EndFunc   ;==>_Security__GetTokenInformation

You can see I copied _Security__GetTokenInformation() and renamed it and placed it in this script so I could put an _ArrayDisplay() function in to see the returns.

From what I gather (which is limited), when you call OpenProcessToken, you must have the right access mask. You can see in my script that I am using $TOKEN_ALL_ACCESS and $TOKEN_READ, which, from what I have read, should give me access to the token information. And during GetTokenInformation, the TokenInformationClass that I should be using is TokenIntegrityLevel, as noted in this example:

http://msdn.microsoft.com/en-us/library/bb625966.aspx

If I read correctly, $aResult[0] should contain a True value on success. I don't understand exactly what is wrong with this, but I believe it is due to the TokenInformationLength parameter of the call? I see in the C example that this is the spot perhaps I am missing out on?

pTIL = (PTOKEN_MANDATORY_LABEL)LocalAlloc(0, dwLengthNeeded);

Further, I am unfamiliar with this conversion as well:

dwIntegrityLevel = *GetSidSubAuthority(pTIL->Label.Sid, 
        (DWORD)(UCHAR)(*GetSidSubAuthorityCount(pTIL->Label.Sid)-1));

I am wondering if there is anyone who can teach me what I am missing here.

Sul.
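An added example, not from Sul's script or the AutoIt UDFs, that carries the two C snippets above through in AutoIt: the first GetTokenInformation call only sizes the buffer, the byte struct stands in for LocalAlloc, and the integrity RID is read from the last sub-authority of the SID inside TOKEN_MANDATORY_LABEL. The function names (_GetProcessIntegrityRid, __IL_Close, _IntegrityRidToName) and the $IL_-prefixed constants are my own; everything goes through DllCall directly, so no includes are required.

```autoit
; Integrity RID of process $iPid (0x1000 Low, 0x2000 Medium, 0x3000 High, 0x4000 System),
; or -1 with @error set to the step that failed. Direct DllCalls; constants are prefixed to avoid clashing with SecurityConstants.au3.
Func _GetProcessIntegrityRid($iPid)
    Local Const $IL_PROCESS_QUERY_LIMITED_INFORMATION = 0x1000 ; enough for OpenProcessToken on Vista+, even against elevated processes
    Local Const $IL_TOKEN_QUERY = 0x0008                        ; all GetTokenInformation needs; TOKEN_ALL_ACCESS is usually refused
    Local Const $IL_TokenIntegrityLevel = 25                    ; TOKEN_INFORMATION_CLASS value TokenIntegrityLevel
    Local $aCall = DllCall("kernel32.dll", "handle", "OpenProcess", "dword", $IL_PROCESS_QUERY_LIMITED_INFORMATION, "bool", False, "dword", $iPid)
    If @error Or Not $aCall[0] Then Return SetError(1, 0, -1)
    Local $hProcess = $aCall[0], $hToken = 0
    $aCall = DllCall("advapi32.dll", "bool", "OpenProcessToken", "handle", $hProcess, "dword", $IL_TOKEN_QUERY, "handle*", 0)
    If @error Or Not $aCall[0] Then Return SetError(2, 0, __IL_Close($hProcess, $hToken, -1))
    $hToken = $aCall[3]
    ; Sizing call: with a NULL buffer GetTokenInformation returns FALSE (ERROR_INSUFFICIENT_BUFFER) and fills in the needed length
    $aCall = DllCall("advapi32.dll", "bool", "GetTokenInformation", "handle", $hToken, "int", $IL_TokenIntegrityLevel, "ptr", 0, "dword", 0, "dword*", 0)
    If @error Or Not $aCall[5] Then Return SetError(3, 0, __IL_Close($hProcess, $hToken, -1))
    Local $iLen = $aCall[5]
    Local $tBuffer = DllStructCreate("byte[" & $iLen & "]") ; plays the role of LocalAlloc(0, dwLengthNeeded) in the C example
    $aCall = DllCall("advapi32.dll", "bool", "GetTokenInformation", "handle", $hToken, "int", $IL_TokenIntegrityLevel, "ptr", DllStructGetPtr($tBuffer), "dword", $iLen, "dword*", 0)
    If @error Or Not $aCall[0] Then Return SetError(4, 0, __IL_Close($hProcess, $hToken, -1))
    ; TOKEN_MANDATORY_LABEL is one SID_AND_ATTRIBUTES { PSID Sid; DWORD Attributes }; the SID bytes follow it in the same buffer
    Local $tLabel = DllStructCreate("ptr Sid;dword Attributes", DllStructGetPtr($tBuffer))
    Local $pSid = DllStructGetData($tLabel, "Sid")
    ; The level is the SID's last sub-authority (S-1-16-<rid>), exactly what the C example's GetSidSubAuthority line computes
    $aCall = DllCall("advapi32.dll", "ptr", "GetSidSubAuthorityCount", "ptr", $pSid)
    Local $iCount = DllStructGetData(DllStructCreate("byte", $aCall[0]), 1)
    $aCall = DllCall("advapi32.dll", "ptr", "GetSidSubAuthority", "ptr", $pSid, "dword", $iCount - 1)
    Local $iRid = DllStructGetData(DllStructCreate("dword", $aCall[0]), 1)
    Return __IL_Close($hProcess, $hToken, $iRid)
EndFunc

; Closes whichever handles are open and passes $vRet through, so every exit path above releases its handles
Func __IL_Close($hProcess, $hToken, $vRet)
    If $hToken Then DllCall("kernel32.dll", "bool", "CloseHandle", "handle", $hToken)
    If $hProcess Then DllCall("kernel32.dll", "bool", "CloseHandle", "handle", $hProcess)
    Return $vRet
EndFunc

; Maps the documented SECURITY_MANDATORY_*_RID values to names; anything else is shown as hex
Func _IntegrityRidToName($iRid)
    Local $aNames[6][2] = [[0x0000, "Untrusted"], [0x1000, "Low"], [0x2000, "Medium"], [0x2100, "Medium Plus"], [0x3000, "High (elevated)"], [0x4000, "System"]]
    For $i = 0 To UBound($aNames) - 1
        If $aNames[$i][0] = $iRid Then Return $aNames[$i][1]
    Next
    Return "Unknown (0x" & Hex($iRid, 4) & ")"
EndFunc

; Check the script's own process: a script meant to run unelevated can stop when it finds itself at High integrity
Local $iRid = _GetProcessIntegrityRid(@AutoItPID)
ConsoleWrite("PID " & @AutoItPID & " runs at " & _IntegrityRidToName($iRid) & " integrity" & @CRLF)
```

Pass any other PID (for example from ProcessExists("calc.exe")) to _GetProcessIntegrityRid to inspect that process instead; a -1 with @error = 1 or 2 means the caller was not allowed to open it.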
