Can someone help me use this API?

[1234hotmaster]

hi i be happy if someone can help me use the NtSetInformationProcess@ntdll.dll

i need to set my program's process privileges

i tried

DllCall("ntdll.dll","int", "NtSetInformationProcess","handle",_WinAPI_OpenProcess(512,False,ProcessExists(@ScriptName)),"int",29,"ptr*",1,"long",4)

DllCall("ntdll.dll","int", "NtSetInformationProcess","ptr",_WinAPI_OpenProcess(512,False,ProcessExists(@ScriptName)),"int",29,"int*",1,"int",4)

DllCall("ntdll.dll","int", "NtSetInformationProcess","ptr",_WinAPI_OpenProcess(512,False,ProcessExists(@ScriptName)),"int",29,"int",1,"int",4)

But none seem to work... Am i doing it wrong?

Edited November 15, 2011 by 1234hotmaster

[Shaggi]

#1 seems most correct... bit nasty code though, what are you using this for? :/

you can try to use _WinApi_GetCurrentProcess() instead of openprocess

Edited November 15, 2011 by Shaggi

[1234hotmaster]

Ok but why doesn't it work?

well yea but GetCurrentProcess@User32.dll returns a psuedo handle not a real one but you can make it a real one by using DuplicateHandle@User32.dll but i just used OpenProcess to make it easier

or are the results diffrent? o.o

Nasty? Do you know what this code does then?...

[Shaggi]

it registers your process as critical, and, if terminated, bsods

if using openprocess, are you sure your bitmask includes the necessary flags? did you try with process_all_access? i dont think getcurrentprocess is invalid in any cases, and it has process_all_access.. did you check return? and, did you try with debug privilege?

[1234hotmaster]

then you do.

Ive heard i need to use PROCESS_SET_INFORMATION which is 512 or 0x0200. I also tried opening the process with the PROCESS_ALL_ACCESS and debug priv on a XP virtual machine but didn't seem to work. Also tested on a Windows 7 x64 bit.

The func for allowing debug priv which i found in the forum is:

Func _GetPrivilege_SEDEBUG()
    Local $tagLUIDANDATTRIB = "int64 Luid;dword Attributes"
    Local $count = 1
    Local $tagTOKENPRIVILEGES = "dword PrivilegeCount;byte LUIDandATTRIB[" & $count * 12 & "]" ; count of LUID structs * sizeof LUID struct
    Local $TOKEN_ADJUST_PRIVILEGES = 0x20
    Local $call = DllCall("advapi32.dll", "int", "OpenProcessToken", "ptr", _WinAPI_GetCurrentProcess(), "dword", $TOKEN_ADJUST_PRIVILEGES, "ptr*", "")
    Local $hToken = $call[3]
    $call = DllCall("advapi32.dll", "int", "LookupPrivilegeValue", "str", Chr(0), "str", "SeDebugPrivilege", "int64*", "")
    msgbox(0,"",$call[3] & " " & _WinAPI_GetLastErrorMessage())
    Local $iLuid = $call[3]
    Local $TP = DllStructCreate($tagTOKENPRIVILEGES)
    Local $LUID = DllStructCreate($tagLUIDANDATTRIB, DllStructGetPtr($TP, "LUIDandATTRIB"))
    DllStructSetData($TP, "PrivilegeCount", $count)
    DllStructSetData($LUID, "Luid", $iLuid)
    DllStructSetData($LUID, "Attributes", $SE_PRIVILEGE_ENABLED)
    $call = DllCall("advapi32.dll", "int", "AdjustTokenPrivileges", "ptr", $hToken, "int", 0, "ptr", DllStructGetPtr($TP), "dword", 0, "ptr", Chr(0), "ptr", Chr(0))
    Return ($call[0] <> 0) ; $call[0] <> 0 is success
EndFunc   ;==>_GetPrivilege_SEDEBUG

I also tried checking for the return which was -1073741727 aka "A required privilege is not held by the client." - ResHacker

I'm really confused... i also try'd using the debug priv in the Memory.au3 but that also didn't seem to work...

And also thanks for replying I've seen threads that never got replied even in years

Edit: Solved it myself

Ofc thanks to Shaggi for saying check the return value

Damn good thing tried it in a virtual machine it blow up when i closed the program

Edited November 16, 2011 by 1234hotmaster