JohnRescue

CreateProcessWithToken - hidden

13 posts in this topic

Hello,

I am duplicating explorer.exe security token and starting a process with it.

As for the code sample, I am basically using slightly edited code from the _Security__CreateProcessWithToken function reference.

Is there any possibility for AutoIt to wait for the process to end before continuing? (RunWait equivalent)

Also, can I set the @SW_HIDE flag? (The $iCreationFlags parameter is not relevant, or so it appears from MSDN.)

Thank you for any help or suggestions.

Maybe... Use RunWait() with a flag... see help file



#4 ·  Posted (edited)

Thank you for the advice. Below is the function; someone may find it useful.

It only works on Vista or later, since it uses _Security__CreateProcessWithToken.

Edited: added info about Vista or later

#include <ProcessConstants.au3>
#include <StructureConstants.au3>
#include <SecurityConstants.au3>
#include <Security.au3>
#include <WinAPI.au3>


; #FUNCTION# ====================================================================================================================================
; Name...........: _RunFromProcess
; Description ...: Runs a program with the same security context as the process specified in the parameter
; Syntax.........: _RunFromProcess($sCommandLine, $sProcess [, $sWindow [, $sWait]])
; Parameters ....: $sCommandLine - Full path to the program to be executed
;                  $sProcess - Process to be used for security token duplication
;                  $sWindow - [optional] Visibility of the window: displayed by default (0), hidden with 1
;                  $sWait - [optional] Wait for the process to end before continuing with the script: default is not to wait (0), wait with 1
; Requirement(s).: Windows Vista or later (CreateProcessWithToken does not exist on XP)
; Return values .: Success - PID of the created process
;                  Failure - No return value
; Related .......:
; Link ..........:
; Examples ......:  _RunFromProcess("Notepad.exe", "explorer.exe")
;                   _RunFromProcess("C:\Program Files\Program\program.exe", "explorer.exe", 1, 1)
;                   _RunFromProcess("Program.exe", "explorer.exe", 1, 1)
; ===============================================================================================================================================

Func _RunFromProcess($sCommandLine = "", $sProcess = "", $sWindow = 0, $sWait = 0)
    ; Structures needed for creating the process
    Local $STARTUPINFO = DllStructCreate($tagSTARTUPINFO)
    Local $tPROCESS_INFORMATION = DllStructCreate($tagPROCESS_INFORMATION)
    Local $PID = 0
    ; The CreateProcess* family expects cb (Size) to hold the size of STARTUPINFO
    DllStructSetData($STARTUPINFO, "Size", DllStructGetSize($STARTUPINFO))

    ; Set the process window not to be visible if specified by parameter
    If $sWindow = 1 Then
        DllStructSetData($STARTUPINFO, "Flags", 0x00000001) ; STARTF_USESHOWWINDOW
        DllStructSetData($STARTUPINFO, "ShowWindow", @SW_HIDE)
    EndIf

    ; Process handle of the process specified by parameter
    Local $hProcess = _WinAPI_OpenProcess($PROCESS_ALL_ACCESS, 0, ProcessExists($sProcess))

    ; If successful
    If $hProcess Then
        ; Open the access token of that process
        Local $hTokOriginal = _Security__OpenProcessToken($hProcess, $TOKEN_ALL_ACCESS)
        ; Process handle is no longer needed. Close it
        _WinAPI_CloseHandle($hProcess)
        ; If successful
        If $hTokOriginal Then
            ; Duplicate the original token as a primary token (required by CreateProcessWithToken)
            Local $hTokDuplicate = _Security__DuplicateTokenEx($hTokOriginal, $TOKEN_ALL_ACCESS, $SECURITYIMPERSONATION, $TOKENPRIMARY)
            ; Close the original token
            _WinAPI_CloseHandle($hTokOriginal)
            ; If successful
            If $hTokDuplicate Then
                ; Create the process with this new token; the UDF returns False on failure
                Local $bCreated = _Security__CreateProcessWithToken($hTokDuplicate, 0, $sCommandLine, 0, @ScriptDir, $STARTUPINFO, $tPROCESS_INFORMATION)
                ; Close that token
                _WinAPI_CloseHandle($hTokDuplicate)
                If $bCreated Then
                    ; Close the handles returned in PROCESS_INFORMATION; only the PID is needed
                    _WinAPI_CloseHandle(DllStructGetData($tPROCESS_INFORMATION, "hProcess"))
                    _WinAPI_CloseHandle(DllStructGetData($tPROCESS_INFORMATION, "hThread"))
                    $PID = DllStructGetData($tPROCESS_INFORMATION, "ProcessID")
                    ; Wait for the process to exit before continuing
                    If $sWait = 1 Then ProcessWaitClose($PID)
                    ; Return PID of the newly created process
                    Return $PID
                EndIf
            EndIf
        EndIf
    EndIf
EndFunc   ;==>_RunFromProcess
Edited by JohnRescue

#5 ·  Posted (edited)

Hi, that example function gives me many Const errors; could you please provide a working one? Thanks

Edited by Terenz

Nothing is so strong as gentleness. Nothing is so gentle as real strength


Hi, that example function gives me many Const errors; could you please provide a working one? Thanks

 

Sorry, forgot about includes needed, added to code.

#include <ProcessConstants.au3>
#include <StructureConstants.au3>
#include <SecurityConstants.au3>
#include <Security.au3>
#include <WinAPI.au3>


#7 ·  Posted (edited)

Well, for me it does not work. I'm on XP 32Bit SP3 with the last AutoIt stable --> 3.3.8.1

I have used one of your examples:

#include <ProcessConstants.au3>
#include <StructureConstants.au3>
#include <SecurityConstants.au3>
#include <Security.au3>
#include <WinAPI.au3>

_RunFromProcess("calc.exe", "explorer.exe")

; #FUNCTION# ============ and the other code

I don't have any error in the SciTE output:

>Exit code: 0    Time: 1.044

But I don't see the notepad opening :sweating:

Your code doesn't have error checking; I have added some:

If $hProcess Then...Else SetError(0,0,1)
If $hTokOriginal Then...Else SetError(0,0,2)
If $hTokDuplicate Then...Else SetError(0,0,3)

But the exit code is always 0

I have also added:

ConsoleWrite("PID: " & $PID)

And it gives me 0 as the result. I don't know where the problem is; please check it out.

Edited by Terenz


Hello Terenz,

Please try to compile the code and run the compiled exe file.

I have only tested it on W7 x64; I will test it on an XP machine tomorrow.

I will add error checking when I have some more time.


Please try to compile the code and run the compiled exe file.

 

I have tried it and it is the same, nothing happens



#10 ·  Posted (edited)

Maybe I have understood where the problem is; it is this line:

_Security__CreateProcessWithToken($hTokDuplicate, 0, $sCommandLine, 0, @ScriptDir, $STARTUPINFO, $tPROCESS_INFORMATION)

It returns FALSE = Failure, whereas $hProcess, $hTokDuplicate and $hTokOriginal give me a number

EDIT: I have also tested the example:

http://www.autoitscript.com/autoit3/docs/libfunctions/_Security__CreateProcessWithToken.htm

Nothing happens, same problem: the return value is FALSE for _Security__CreateProcessWithToken. And based on this document:

http://msdn.microsoft.com/en-us/library/windows/desktop/ms682434(v=vs.85).aspx

It seems incompatible with XP:

Requirements

Minimum supported client --> Windows Vista [desktop apps only]

Minimum supported server --> Windows Server 2003 [desktop apps only]

I don't know if a workaround exists...

Edited by Terenz


CreateProcessWithToken doesn't exist on XP. It's Vista and above.


♡♡♡

.

eMyvnE


#12 ·  Posted (edited)

CreateProcessWithToken doesn't exist on XP. It's Vista and above.

 

Yes, thanks for the confirmation... I saw it two minutes ago :(

Do you think some workaround exists, or is it impossible to use _RunFromProcess on an XP system?

Edited by Terenz


Yes, thanks for the confirmation... I saw it two minutes ago :(

Do you think some workaround exists, or is it impossible to use _RunFromProcess on an XP system?

Your function can't work in that form by default on newer systems, where special care about security is taken. Windows XP didn't have a need for CreateProcessWithToken; that's the reason it doesn't exist there.

A workaround for that particular function can be, for example, CreateProcessAsUser.

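An added example, not code from eMyvnE or anyone else in this thread, of the CreateProcessAsUser workaround named above, called through DllCall because Security.au3 has no wrapper for it; it also reports failures the way the earlier posts asked for (@error = failing step, @extended = Win32 error code). It assumes the caller already holds the SE_ASSIGNPRIMARYTOKEN and SE_INCREASE_QUOTA privileges, which CreateProcessAsUser requires for a token that is not a restricted copy of the caller's own (in practice a service or SYSTEM context); the function name _RunAsUserFromProcess is chosen here, not from the thread.

```autoit
; Added example; assumes SE_ASSIGNPRIMARYTOKEN / SE_INCREASE_QUOTA are held by the caller
#include <ProcessConstants.au3>
#include <StructureConstants.au3>
#include <SecurityConstants.au3>
#include <Security.au3>
#include <WinAPI.au3>

Func _RunAsUserFromProcess($sCommandLine, $sProcess, $bHide = False)
    ; Only query rights are needed to reach the token of the source process
    Local $hProcess = _WinAPI_OpenProcess($PROCESS_QUERY_INFORMATION, 0, ProcessExists($sProcess))
    If Not $hProcess Then Return SetError(1, _WinAPI_GetLastError(), 0)
    Local $hTok = _Security__OpenProcessToken($hProcess, BitOR($TOKEN_QUERY, $TOKEN_DUPLICATE))
    _WinAPI_CloseHandle($hProcess)
    If Not $hTok Then Return SetError(2, _WinAPI_GetLastError(), 0)
    ; CreateProcessAsUser needs a primary token, so duplicate it as one
    Local $hPrimary = _Security__DuplicateTokenEx($hTok, $TOKEN_ALL_ACCESS, $SECURITYIMPERSONATION, $TOKENPRIMARY)
    _WinAPI_CloseHandle($hTok)
    If Not $hPrimary Then Return SetError(3, _WinAPI_GetLastError(), 0)

    Local $tSI = DllStructCreate($tagSTARTUPINFO)
    DllStructSetData($tSI, "Size", DllStructGetSize($tSI))
    If $bHide Then
        DllStructSetData($tSI, "Flags", 0x00000001) ; STARTF_USESHOWWINDOW
        DllStructSetData($tSI, "ShowWindow", @SW_HIDE)
    EndIf
    Local $tPI = DllStructCreate($tagPROCESS_INFORMATION)

    ; CreateProcessAsUserW(hToken, lpApplicationName, lpCommandLine, lpProcessAttributes, lpThreadAttributes,
    ;   bInheritHandles, dwCreationFlags, lpEnvironment, lpCurrentDirectory, lpStartupInfo, lpProcessInformation)
    Local $aRet = DllCall("advapi32.dll", "bool", "CreateProcessAsUserW", _
            "handle", $hPrimary, "ptr", 0, "wstr", $sCommandLine, "ptr", 0, "ptr", 0, _
            "bool", False, "dword", 0, "ptr", 0, "wstr", @ScriptDir, _
            "ptr", DllStructGetPtr($tSI), "ptr", DllStructGetPtr($tPI))
    Local $iDllErr = @error, $iWinErr = _WinAPI_GetLastError()
    _WinAPI_CloseHandle($hPrimary)
    If $iDllErr Or Not $aRet[0] Then Return SetError(4, $iWinErr, 0)

    ; The caller only needs the PID; release the handles returned in PROCESS_INFORMATION
    _WinAPI_CloseHandle(DllStructGetData($tPI, "hProcess"))
    _WinAPI_CloseHandle(DllStructGetData($tPI, "hThread"))
    Return DllStructGetData($tPI, "ProcessID")
EndFunc   ;==>_RunAsUserFromProcess

Local $iPid = _RunAsUserFromProcess("notepad.exe", "explorer.exe")
If @error Then ConsoleWrite("Step " & @error & " failed, Win32 error " & @extended & @CRLF)
```

A token duplicated from another process and handed to CreateProcessAsUser is the same pattern endpoint monitoring flags as token manipulation, so a service doing this legitimately should expect the call to be logged.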
