CreateProcessWithToken - hidden

[JohnRescue]

Hello,

I am duplicating explorer.exe security token and starting a process with it.

As for code sample, I am basically using slightly edited code code from _Security__CreateProcessWithToken function reference.

Is there any possibility for autoit to wait for the process to end before continuing?  ( RunWait equivalent )

Also, can I set @SW_HIDE flag? ( $iCreationFlags  parameter is not relevant, or appears to be at MSDN )

Thank you for any help or suggestions.

[Valuater]

Maybe... Use RunWait() with a flag... see help file

[KaFu]

STARTUPINFO > wShowWindow

ProcessWaitClose()

[JohnRescue]

Thank you for the advice, below is the function, someone may find it useful.

Only works in Vista or later, since it uses _Security__CreateProcessWithToken

Edited: added info about Vista or later

expandcollapse popup

#include <ProcessConstants.au3>
#include <StructureConstants.au3>
#include <SecurityConstants.au3>
#include <Security.au3>
#include <WinAPI.au3>


; #FUNCTION# ====================================================================================================================================
; Name...........: _RunFromProcess
; Description ...: Runs program with same security context as process specified in parameter
; Syntax.........: _RunFromProcess($sCommandLine, $sProcess, [, $sWindow] [, $sWait] )
; Parameters ....: $sCommandLine - Full path to the program to be executed
;                  $sProcess - Process to be used for security token duplication
;                  $sWindow - [ optional ]  Visibility of window, displayed by default 0, hidden with 1
;                  $sWait - [ optional ]  Wait for process to end before continuing with the script, default is not to wait 0, wait with 1
; Requirement(s).: None
; Return values .: Success - PID of created process
;                  Failure - No return value
;                            
; Related .......:
; Link ..........;
; Examples ......;  _RunFromProcess("Notepad.exe", "explorer.exe")
;                   _RunFromProcess("C:\Program Files\Program\program.exe", "explorer.exe", 1, 1)
;                   _RunFromProcess("Program.exe", "explorer.exe", 1, 1)
; ===============================================================================================================================================

Func _RunFromProcess($sCommandLine = "", $sProcess = "" , $sWindow = 0, $sWait = 0)    
    ; Structures needed for creating process
    Local $STARTUPINFO = DllStructCreate($tagSTARTUPINFO)
    Local $tPROCESS_INFORMATION = DllStructCreate($tagPROCESS_INFORMATION)
    
    ; Set process window not to be visible if specified by parameter
    If $sWindow = 1 Then
       DllStructSetData ( $STARTUPINFO, 12, 0x00000001) 
       DllStructSetData ( $STARTUPINFO, 13, @SW_HIDE)
       EndIf
      
    ; Process handle of process specified by parameter
    Local $hProcess = _WinAPI_OpenProcess($PROCESS_ALL_ACCESS, 0, ProcessExists($sProcess))

    ; If successful
    If $hProcess Then
        ; Token...
        Local $hTokOriginal = _Security__OpenProcessToken($hProcess, $TOKEN_ALL_ACCESS)
        ; Process handle is no longer needed. Close it
        _WinAPI_CloseHandle($hProcess)
        ; If successful
        If $hTokOriginal Then
            ; Duplicate the original token
            Local $hTokDuplicate = _Security__DuplicateTokenEx($hTokOriginal, $TOKEN_ALL_ACCESS, $SECURITYIMPERSONATION, $TOKENPRIMARY)
            ; Close the original token
            _WinAPI_CloseHandle($hTokOriginal)
            ; If successful
            If $hTokDuplicate Then
                ; Create process with this new token
                _Security__CreateProcessWithToken($hTokDuplicate, 0, $sCommandLine, 0, @ScriptDir, $STARTUPINFO, $tPROCESS_INFORMATION)
                ; Close that token
                _WinAPI_CloseHandle($hTokDuplicate)
                ; Close get handles
                _WinAPI_CloseHandle(DllStructGetData($tPROCESS_INFORMATION, "hProcess"))
                _WinAPI_CloseHandle(DllStructGetData($tPROCESS_INFORMATION, "hThread"))
                $PID = DllStructGetData($tPROCESS_INFORMATION, "ProcessID")
                ; Wait for the process to exit before continuing
                If $sWait = 1 Then ProcessWaitClose($PID)
                ; Return PID of newly created process
                Return $PID
            EndIf
        EndIf
    EndIf
EndFunc   ;==>_RunFromProcess

Edited October 25, 2013 by JohnRescue

[Terenz]

Hi, that example-function give me many Const error, you can please provide a working one? Thanks

Edited October 23, 2013 by Terenz

[JohnRescue]

Hi, that example-function give me many Const error, you can please provide a working one? Thanks

 

Sorry, forgot about includes needed, added to code.

#include <ProcessConstants.au3>

#include <StructureConstants.au3>

#include <SecurityConstants.au3>

#include <Security.au3>

#include <WinAPI.au3>

[Terenz]

Well, for me not work. I'm on XP 32Bit SP3 with the last autoit stable --> 3.3.8.1

I have used one of your example:

#include <ProcessConstants.au3>
#include <StructureConstants.au3>
#include <SecurityConstants.au3>
#include <Security.au3>
#include <WinAPI.au3>

_RunFromProcess("calc.exe", "explorer.exe")

; #FUNCTION# ============ and the other code

I don't have any error in the scite output:

>Exit code: 0    Time: 1.044

But i don't see the notepad opening

Your code don't have error checking, i have add some to:

If $hProcess Then...Else SetError(0,0,1)
If $hTokOriginal Then...Else SetError(0,0,2)
If $hTokDuplicate Then...Else SetError(0,0,3)

But the exit code is always 0

I have add also:

ConsoleWrite("PID: " & $PID)

And give me 0 like result. i don't know where is the problem with it, please check it out

Edited October 24, 2013 by Terenz

[JohnRescue]

Hello Terenz,

Please try to compile the code and run compiled exe file.

I have only tested it on W7 x64, will test it on XP machine tommorow.

Will add error checking when I have some more time.

[Terenz]

Please try to compile the code and run compiled exe file.

 

I have try it and is the same, nothing happens

[Terenz]

Maybe i have understand where is the problem, is this line:

_Security__CreateProcessWithToken($hTokDuplicate, 0, $sCommandLine, 0, @ScriptDir, $STARTUPINFO, $tPROCESS_INFORMATION)

Give me return FALSE = Failure, instead $hProcess, $hTokDuplicate, $hTokOriginal give me a number

EDIT: I have tested also the example:

http://www.autoitscript.com/autoit3/docs/libfunctions/_Security__CreateProcessWithToken.htm

Nothing happens, same problem the return value is FALSE for _Security__CreateProcessWithToken. And based from this document:

http://msdn.microsoft.com/en-us/library/windows/desktop/ms682434(v=vs.85).aspx

Seems incompatible with XP:

Requirements

Minimum supported client --> Windows Vista [desktop apps only]

Minimum supported server --> Windows Server 2003 [desktop apps only]

I don't if a workaround exist...

Edited October 24, 2013 by Terenz

[trancexx]

CreateProcessWithToken doesn't exist on XP. It's Vista and above.

[Terenz]

CreateProcessWithToken doesn't exist on XP. It's Vista and above.

 

Yes, thanks for confirmation...i have see it two minute ago

Do you think some workaround exist or is impossible to use _RunFromProcess in XP system?

Edited October 24, 2013 by Terenz

[trancexx]

Yes, thanks for confirmation...i have see it two minute ago

Do you think some workaround exist or is impossible to use _RunFromProcess in XP system?

Your function can't work in that form by default on newer systems where special care about security is taken. Windows XP didn't have need for CreateProcessWithToken, that's the reason it doesn't exist there.

Workaround for that particular function can be for example, CreateProcessAsUser.