Get Integrity Level of a process

I have been attempting to get the integrity level of a process using OpenProcessToken and GetTokenInformation. Here is what I have been messing with thus far.

#include <Security.au3>
#include <Constants.au3>
#include <SecurityConstants.au3>
#include <WinAPI.au3>
#include <Array.au3>

Global Const $STANDARD_RIGHTS_REQUIRED = 0x000F0000


$ProcessID = ProcessExists("calc.exe")  ;. choose a process that is running
$ProcessHandle = _WinAPI_OpenProcess($PROCESS_QUERY_INFORMATION, False, $ProcessID) ;. get handle to process
ConsoleWrite($ProcessHandle & '  process handle' & @CRLF)

$ProcessToken = _Security__OpenProcessToken($ProcessHandle, $TOKEN_ALL_ACCESS)  ;. get token handle using correct access mask
;~ $ProcessToken = _Security__OpenProcessToken($ProcessHandle, $TOKEN_READ)
ConsoleWrite($ProcessToken & '  process token' & @CRLF)

$ProcessInfo = _Security__GetTokenInformationX($ProcessToken, $TOKENINTEGRITYLEVEL) ;. get information using correct class
ConsoleWrite($ProcessInfo & '  process info' & @CRLF)

_ArrayDisplay($ProcessInfo, 'ProcessInfo array')

If $ProcessToken Then _WinAPI_CloseHandle($ProcessToken)
If $ProcessHandle Then _WinAPI_CloseHandle($ProcessHandle)

; #FUNCTION# ====================================================================================================================
; Name...........: _Security__GetTokenInformationX
; Description ...: Retrieves a specified type of information about an access token
; Syntax.........: _Security__GetTokenInformationX($hToken, $iClass)
; Parameters ....: $hToken      - A handle to an access token from which information is retrieved. If $iClass specifies
;                  +$sTokenSource, the handle must have $TOKEN_QUERY_SOURCE access. For all other $iClass values, the handle must
;                  +have $TOKEN_QUERY access.
;                  $iClass      - Specifies a value to identify the type of information the function retrieves
; Return values .: Success      - A byte structure filled with the requested information
;                  Failure      - 0
; Author ........: Paul Campbell (PaulIA)
; Modified.......:
; Remarks .......:
; Related .......:
; Link ..........: @@MsdnLink@@ GetTokenInformation
; Example .......:
; ===============================================================================================================================
Func _Security__GetTokenInformationX($hToken, $iClass)
    ; Pass 1: sizing call with a NULL buffer. GetTokenInformation returns FALSE here by design
    ; (ERROR_INSUFFICIENT_BUFFER) and only fills the ReturnLength out-parameter ($aResult[5]),
    ; so the success flag $aResult[0] must NOT be tested after this pass.
    Local $aResult = DllCall("advapi32.dll", "bool", "GetTokenInformation", "handle", $hToken, "int", $iClass, "ptr", 0, "dword", 0, "dword*", 0)
    If @error Then Return SetError(@error, @extended, 0)
    _ArrayDisplay($aResult, 'GetTokenInformation pass 1')
    If Not $aResult[5] Then Return 0 ; no required length reported: the token handle or class is wrong

    ; Pass 2: the real call with a buffer of the size reported by pass 1
    Local $tBuffer = DllStructCreate("byte[" & $aResult[5] & "]")
    Local $pBuffer = DllStructGetPtr($tBuffer)
    $aResult = DllCall("advapi32.dll", "bool", "GetTokenInformation", "handle", $hToken, "int", $iClass, "ptr", $pBuffer, _
            "dword", $aResult[5], "dword*", 0)
    If @error Then Return SetError(@error, @extended, 0)
    _ArrayDisplay($aResult, 'GetTokenInformation pass 2')
    If Not $aResult[0] Then Return 0 ; this time a FALSE return is a real failure
    Return $tBuffer
EndFunc   ;==>_Security__GetTokenInformationX

You can see I copied _Security__GetTokenInformation() and renamed it and placed it in this script so I could put an _ArrayDisplay() function in to see the returns.

From what I gather (which is limited), when you call OpenProcessToken, you must have the right access mask. You can see in my script that I am using $TOKEN_ALL_ACCESS and $TOKEN_READ, which from what I have read should give me access to the token information. And during GetTokenInformation, the TokenInformationClass that I should be using is TokenIntegrityLevel, as noted in this example.


If I read correctly, $aResult[0] should contain a True value on success. I don't understand exactly what is wrong with this, but I believe it is due to the TokenInformationLength parameter of the call? I see in the C example that this is the spot perhaps I am missing out on?


Further, I am unfamiliar with this conversion as well:

dwIntegrityLevel = *GetSidSubAuthority(pTIL->Label.Sid, 

I am wondering if there is anyone who can teach me what I am missing here.
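An added example (not the poster's script, and not part of the AutoIt UDFs) that does the whole lookup end to end: the two-pass GetTokenInformation call with the sizing pass tested on its ReturnLength rather than its return value, and the conversion the post asks about, which reads the last sub-authority of the label SID exactly as the C line *GetSidSubAuthority(pTIL->Label.Sid, *GetSidSubAuthorityCount(...) - 1) does. It assumes the standard Security.au3 / WinAPI.au3 UDFs and their $PROCESS_QUERY_INFORMATION and $TOKEN_QUERY constants; the class value 25 and the 0x1000/0x2000/0x3000/0x4000 RIDs are the documented Windows values.

```autoit
#include <Security.au3>
#include <Constants.au3>
#include <SecurityConstants.au3>
#include <WinAPI.au3>
; Returns the mandatory integrity RID of a process (0x1000 low, 0x2000 medium, 0x3000 high,
; 0x4000 system) or -1 if the process or its token could not be opened/queried.
Func _GetProcessIntegrityLevel($iPid)
    Local Const $iTokenIntegrityLevel = 25 ; TokenIntegrityLevel in TOKEN_INFORMATION_CLASS
    Local $iLevel = -1
    Local $hProcess = _WinAPI_OpenProcess($PROCESS_QUERY_INFORMATION, False, $iPid)
    If Not $hProcess Then Return -1
    ; TOKEN_QUERY is all GetTokenInformation needs; asking for TOKEN_ALL_ACCESS is more than required
    Local $hToken = _Security__OpenProcessToken($hProcess, $TOKEN_QUERY)
    If $hToken Then
        ; Pass 1: NULL buffer. This call FAILS by design (ERROR_INSUFFICIENT_BUFFER) and only
        ; fills ReturnLength, so the value to test is $aCall[5], never $aCall[0].
        Local $aCall = DllCall("advapi32.dll", "bool", "GetTokenInformation", "handle", $hToken, _
                "int", $iTokenIntegrityLevel, "ptr", 0, "dword", 0, "dword*", 0)
        If Not @error And $aCall[5] Then
            Local $tBuffer = DllStructCreate("byte[" & $aCall[5] & "]")
            ; Pass 2: a buffer of exactly the size reported by pass 1; now $aCall[0] is meaningful
            $aCall = DllCall("advapi32.dll", "bool", "GetTokenInformation", "handle", $hToken, _
                    "int", $iTokenIntegrityLevel, "ptr", DllStructGetPtr($tBuffer), "dword", $aCall[5], "dword*", 0)
            If Not @error And $aCall[0] Then
                ; Buffer holds TOKEN_MANDATORY_LABEL = { SID_AND_ATTRIBUTES Label } = { PSID Sid; DWORD Attributes }
                Local $tLabel = DllStructCreate("ptr Sid;dword Attributes", DllStructGetPtr($tBuffer))
                Local $pSid = DllStructGetData($tLabel, "Sid")
                ; The integrity RID is the LAST sub-authority of the label SID. Both Win32 calls return
                ; pointers (PUCHAR / PDWORD), so each result is dereferenced through a one-field struct.
                Local $aCount = DllCall("advapi32.dll", "ptr", "GetSidSubAuthorityCount", "ptr", $pSid)
                Local $iCount = DllStructGetData(DllStructCreate("byte", $aCount[0]), 1)
                Local $aSub = DllCall("advapi32.dll", "ptr", "GetSidSubAuthority", "ptr", $pSid, "dword", $iCount - 1)
                $iLevel = DllStructGetData(DllStructCreate("dword", $aSub[0]), 1)
            EndIf
        EndIf
        _WinAPI_CloseHandle($hToken)
    EndIf
    _WinAPI_CloseHandle($hProcess)
    Return $iLevel
EndFunc   ;==>_GetProcessIntegrityLevel
; Map the RID to the label name Windows uses (SECURITY_MANDATORY_*_RID thresholds)
Func _IntegrityLevelName($iLevel)
    If $iLevel < 0 Then Return "unknown (open or query failed)"
    If $iLevel < 0x1000 Then Return "Untrusted"
    If $iLevel < 0x2000 Then Return "Low"
    If $iLevel < 0x3000 Then Return "Medium"
    If $iLevel < 0x4000 Then Return "High"
    Return "System (or protected process)"
EndFunc   ;==>_IntegrityLevelName
Local $iPid = ProcessExists("calc.exe") ; same target process as in the post
ConsoleWrite("calc.exe integrity level: " & _IntegrityLevelName(_GetProcessIntegrityLevel($iPid)) & @CRLF)
```

A -1 result for a process you did not start usually means OpenProcess or OpenProcessToken was denied, which is itself the expected outcome when querying a higher-integrity or protected process from a lower one.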

