
Posted (edited)

Hi all,

I'm attempting to mess with some processes running as user SYSTEM using the WinAPI, mainly _WinAPI_SetProcessAffinityMask(). However, even with both $PROCESS_ALL_ACCESS and $bDebugPriv set to True, I'm getting 0x5 or 0x6 according to _WinAPI_GetLastError(). These appear to be ERROR_ACCESS_DENIED and ERROR_INVALID_HANDLE. I can understand ERROR_ACCESS_DENIED, but I am unsure why I'm getting ERROR_INVALID_HANDLE for the majority of them. Perhaps I'm missing some security access, or somehow need to set my own process as a protected process? Any assistance is greatly appreciated!

Regards

Edited by rcmaehl

My UDFs are generally for me. If they aren't updated for a while, it means I'm not using them myself. As soon as I start using them again, they'll get updated.

My Projects: WhyNotWin11, Cisco Finesse, Github, IRC UDF, WindowEx UDF

rcmaehl changed the title to Understanding WinAPI security levels in regards to SYSTEM processes
Posted (edited)

Any code to see to make it easier to help you?

The functionality you are seeing here might be by design, to prevent malware writers doing what you appear to be attempting here.

Are you familiar with the Blue Screen of Death error codes? If not, you soon might be!

Are you checking error codes during debugging for every system call? Invalid Handle might be the result of a failure to get a handle due to security restrictions, or something else.

Edited by Confuzzled
Posted (edited)
  On 10/23/2020 at 2:48 AM, Confuzzled said:

Any code to see to make it easier to help you?


Here's an attempt to adjust the Printer Spooler service process. It can be done manually through Task Manager, but not through my script.
 

#include <ProcessConstants.au3>
#include <WinAPIError.au3>   ; _WinAPI_GetLastError()
#include <WinAPIHObj.au3>
#include <WinAPIProc.au3>
#include <WinAPISys.au3>

If Not ProcessExists("spoolsv.exe") Then Exit 1
; $bDebugPriv = True: the UDF enables SeDebugPrivilege before OpenProcess (only effective from an elevated token)
$hProcess = _WinAPI_OpenProcess($PROCESS_ALL_ACCESS, True, ProcessExists("spoolsv.exe"), True)
; A failed open returns 0; passing that 0 on to the next call is what yields ERROR_INVALID_HANDLE (6)
If @error Or Not $hProcess Then
    ConsoleWrite("Failed to open process, ERR: " & _WinAPI_GetLastError() & @CRLF)
    Exit 2
EndIf
If Not _WinAPI_SetProcessAffinityMask($hProcess, 0x05) Then ConsoleWrite("Failed to adjust affinity, ERR: " & _WinAPI_GetLastError() & @CRLF)
_WinAPI_CloseHandle($hProcess)

 

Edited by rcmaehl

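The script above never checks what _WinAPI_OpenProcess() returned before handing it to _WinAPI_SetProcessAffinityMask(), which is the usual way to end up with error 6 (ERROR_INVALID_HANDLE) when the real failure was error 5 (ERROR_ACCESS_DENIED) on the open. The following is an added example, not rcmaehl's code and not part of this thread's original posts: it opens the target with only the two rights the get/set calls need, checks each call before using its result, and returns the Win32 error of the call that actually failed. It assumes spoolsv.exe is running as SYSTEM and that 0x05 (CPUs 0 and 2) is the wanted mask; both are placeholders.

```autoit
#include <ProcessConstants.au3>
#include <WinAPIError.au3>
#include <WinAPIHObj.au3>
#include <WinAPIProc.au3>

; Assumptions for the demonstration: the print spooler runs as SYSTEM on a
; default Windows install, and 0x05 (CPUs 0 and 2) is the mask we want.
Local Const $sTarget = "spoolsv.exe"
Local Const $iWantedMask = 0x05

Exit _SetSystemProcessAffinity($sTarget, $iWantedMask)

; Returns 0 on success, -1 if the target is not running, otherwise the Win32
; error code of the call that failed. Each result is checked before it is used,
; so the code reported always belongs to the call that produced it.
Func _SetSystemProcessAffinity($sExe, $iMask)
    Local $iErr = 0
    Local $iPID = ProcessExists($sExe)
    If Not $iPID Then
        ConsoleWrite($sExe & " is not running" & @CRLF)
        Return -1
    EndIf

    ; Elevation is the real gate: a non-elevated token does not hold
    ; SeDebugPrivilege, so OpenProcess on a SYSTEM process fails with 5.
    If Not IsAdmin() Then ConsoleWrite("Warning: not elevated, expect ERROR_ACCESS_DENIED (5) from OpenProcess" & @CRLF)

    ; Least privilege: only the rights GetProcessAffinityMask (QUERY_INFORMATION)
    ; and SetProcessAffinityMask (SET_INFORMATION) require, not PROCESS_ALL_ACCESS.
    ; $bDebugPriv = True lets the UDF enable SeDebugPrivilege and retry the open.
    Local $hProcess = _WinAPI_OpenProcess(BitOR($PROCESS_QUERY_INFORMATION, $PROCESS_SET_INFORMATION), False, $iPID, True)
    If @error Or Not $hProcess Then
        $iErr = _WinAPI_GetLastError()
        ConsoleWrite("OpenProcess failed: " & $iErr & " " & _WinAPI_GetLastErrorMessage() & @CRLF)
        ; The UDF returns 0 here. A script that skips this check and passes 0 on to
        ; _WinAPI_SetProcessAffinityMask() sees ERROR_INVALID_HANDLE (6) from that
        ; second call and never sees the 5 from this one.
        Return $iErr
    EndIf

    If Not _WinAPI_SetProcessAffinityMask($hProcess, $iMask) Then
        ; A valid handle that lacks PROCESS_SET_INFORMATION also fails here with 5.
        $iErr = _WinAPI_GetLastError()
        ConsoleWrite("SetProcessAffinityMask failed: " & $iErr & " " & _WinAPI_GetLastErrorMessage() & @CRLF)
    Else
        ConsoleWrite("Affinity of PID " & $iPID & " set to 0x" & Hex($iMask, 2) & @CRLF)
    EndIf

    _WinAPI_CloseHandle($hProcess)
    Return $iErr
EndFunc
```

Run it twice, once from a normal console and once from an elevated one: the first run reports the 5 from OpenProcess itself rather than a misleading 6, and the second succeeds without ever asking for $PROCESS_ALL_ACCESS. Note that with $bDebugPriv = True the UDF makes further token calls after a failed open, so the value read back by _WinAPI_GetLastError() is the last error left by the UDF as a whole.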

7 months later...
Posted

Hi rcmaehl,

I'm having the same issue with getting an 'Access Denied' error. How did you solve it? I've tried setting $bInherit and $bDebugPriv to True, but I still get the same 0x05 error.

I am able to open the process and get its handle, and I'm able to 'get' Process Affinity. 

If I try and 'set' Process Affinity I always get the 'Access Denied' error. 

Here's my test code:

 

#include <Constants.au3>
#include <ProcessConstants.au3>   ; $PROCESS_* access rights
#include <WinAPIProc.au3>
#include <WinAPIError.au3>
#include <WinAPIHObj.au3>         ; _WinAPI_CloseHandle()

; Launch Notepad
Local $sPID = Run("notepad.exe")
Local $hProc

; https://www.autoitscript.com/autoit3/docs/libfunctions/_WinAPI_OpenProcess.htm
; Returns a handle of an existing process object
; Success:  the process handle to the object.
; Failure:  sets the @error flag to non-zero.

; Query-only handle: enough for GetProcessAffinityMask, not for SetProcessAffinityMask
$hProc = _WinAPI_OpenProcess($PROCESS_QUERY_INFORMATION, False, $sPID, True)
MsgBox(0, "Open Process", "Success = " & $hProc & @CRLF & "Error Return: " & _WinAPI_GetLastError() & @CRLF & "Error message = " & _WinAPI_GetLastErrorMessage())

; https://www.autoitscript.com/autoit3/docs/libfunctions/_WinAPI_GetProcessAffinityMask.htm
; Obtains the affinity masks for the process and the system
; Success:   Array with the following format:
;     $aMask[0] - True on success, otherwise False
;     $aMask[1] - Process affinity mask
;     $aMask[2] - System affinity mask
; Failure:   Sets the @error flag to non-zero, call _WinAPI_GetLastError() to get extended error information

Local $aRet = _WinAPI_GetProcessAffinityMask($hProc)
MsgBox(0, "Get Process", "Success:" & $aRet[0] & @CRLF & "Proc Mask:" & $aRet[1] & @CRLF & "Sys Mask:" & $aRet[2] & @CRLF & "Error Return: " & _WinAPI_GetLastError() & @CRLF & "Error Message: " & _WinAPI_GetLastErrorMessage())

; https://www.autoitscript.com/autoit3/docs/libfunctions/_WinAPI_SetProcessAffinityMask.htm
; Sets a processor affinity mask for the threads of a specified process
; Success:  True
; Failure:  False, call _WinAPI_GetLastError() to get extended error information

Local $hSetAffinity = _WinAPI_SetProcessAffinityMask($hProc, 0x03)
MsgBox(0, "Set affinity", "Success = " & $hSetAffinity & @CRLF & "Error Return: " & _WinAPI_GetLastError() & @CRLF & "Error message = " & _WinAPI_GetLastErrorMessage())

; Closes an open object handle
_WinAPI_CloseHandle($hProc)

; Close Notepad
WinClose("Untitled - Notepad")

Exit
Posted (edited)

You are not only querying process information, but you are also trying to set process information. Try adding $PROCESS_SET_INFORMATION to the _WinAPI_OpenProcess() function. The following line works for me:

Change from :

$hProc = _WinAPI_OpenProcess($PROCESS_QUERY_INFORMATION, False, $sPID, True) 

To

$hProc = _WinAPI_OpenProcess($PROCESS_QUERY_INFORMATION + $PROCESS_SET_INFORMATION, False, $sPID, True)

 

Edited by TheXman
Posted

I tried that but it didn't help. 

I found my mistake. It was in the _WinAPI_OpenProcess call.  My key learnings:

1. The handle you need for _WinAPI_GetProcessAffinityMask or _WinAPI_SetProcessAffinityMask  is the "process" handle not the PID or the Window Handle. Use _WinAPI_OpenProcess to get the Process Handle.

2. _WinAPI_OpenProcess needs a constant in the first variable for "$iAccess". I was only passing "$PROCESS_QUERY_INFORMATION". This is why the GetProcessAffinity was working. I also need to set "$PROCESS_SET_INFORMATION".

3. I updated my code for OpenProcess to this:

$hProc = _WinAPI_OpenProcess($PROCESS_QUERY_INFORMATION+$PROCESS_SET_INFORMATION, True, $sPID, True)

4. I could have also just used this:

$hProc = _WinAPI_OpenProcess($PROCESS_ALL_ACCESS, True, $sPID, True)

5. I actually didn't really have an issue with "Access", I was just not making the correct call in the first variable to OpenProcess. So this works fine for me in terms of "Notepad.exe" which does not require any elevated privileges.

$hProc = _WinAPI_OpenProcess($PROCESS_ALL_ACCESS, False, $sPID)

Here is the updated working code for others that run into this problem.

#include <Constants.au3>
#include <ProcessConstants.au3>   ; $PROCESS_* access rights
#include <WinAPIProc.au3>
#include <WinAPIError.au3>
#include <WinAPIHObj.au3>         ; _WinAPI_CloseHandle()

; Launch Notepad
Local $sPID = Run("notepad.exe")
Local $hProc

; https://www.autoitscript.com/autoit3/docs/libfunctions/_WinAPI_OpenProcess.htm
; Returns a handle of an existing process object
; Success:  the process handle to the object.
; Failure:  sets the @error flag to non-zero.

; Full-access handle: includes PROCESS_SET_INFORMATION, which SetProcessAffinityMask requires
$hProc = _WinAPI_OpenProcess($PROCESS_ALL_ACCESS, False, $sPID)
MsgBox(0, "Open Process", "Success = " & $hProc & @CRLF & "Error Return: " & _WinAPI_GetLastError() & @CRLF & "Error message = " & _WinAPI_GetLastErrorMessage())

; https://www.autoitscript.com/autoit3/docs/libfunctions/_WinAPI_GetProcessAffinityMask.htm
; Obtains the affinity masks for the process and the system
; Success:   Array with the following format:
;     $aMask[0] - True on success, otherwise False
;     $aMask[1] - Process affinity mask
;     $aMask[2] - System affinity mask
; Failure:   Sets the @error flag to non-zero, call _WinAPI_GetLastError() to get extended error information

Local $aRet = _WinAPI_GetProcessAffinityMask($hProc)
MsgBox(0, "Get Process", "Success:" & $aRet[0] & @CRLF & "Proc Mask:" & $aRet[1] & @CRLF & "Sys Mask:" & $aRet[2] & @CRLF & "Error Return: " & _WinAPI_GetLastError() & @CRLF & "Error Message: " & _WinAPI_GetLastErrorMessage())

; https://www.autoitscript.com/autoit3/docs/libfunctions/_WinAPI_SetProcessAffinityMask.htm
; Sets a processor affinity mask for the threads of a specified process
; Success:  True
; Failure:  False, call _WinAPI_GetLastError() to get extended error information

Local $hSetAffinity = _WinAPI_SetProcessAffinityMask($hProc, 0x03)
MsgBox(0, "Set affinity", "Success = " & $hSetAffinity & @CRLF & "Error Return: " & _WinAPI_GetLastError() & @CRLF & "Error message = " & _WinAPI_GetLastErrorMessage())

; Closes an open object handle
_WinAPI_CloseHandle($hProc)

; Close Notepad
WinClose("Untitled - Notepad")

Exit
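jimmyo's working version opens the handle with $PROCESS_ALL_ACCESS, which is more than the two calls need, and it sets 0x03 without checking that both CPUs exist on the box. The following is an added example, not jimmyo's code and not from the original thread: it targets the script's own process via @AutoItPID (so no elevation is involved and any error is about rights or the mask, not about SYSTEM), asks only for PROCESS_QUERY_INFORMATION | PROCESS_SET_INFORMATION, rejects a mask that is not a subset of the system affinity mask (the kernel refuses those with error 87, ERROR_INVALID_PARAMETER), and reads the mask back instead of trusting the return value. The function name and the 0x01 test mask are placeholders; the subset check assumes at most 32 logical processors because AutoIt's Bit* functions work on 32-bit values.

```autoit
#include <ProcessConstants.au3>
#include <WinAPIError.au3>
#include <WinAPIHObj.au3>
#include <WinAPIProc.au3>

; Exercise the helper on this script's own process. Opening a process you own
; needs no elevation, so any failure here is about rights or the mask.
Local $aResult = _SetAffinityValidated(@AutoItPID, 0x01)
ConsoleWrite("Success: " & $aResult[0] & ", previous mask 0x" & Hex($aResult[1]) & ", system mask 0x" & Hex($aResult[2]) & @CRLF)

; Returns an array: [0] = True if the new mask was set and read back,
; [1] = the process mask before the change, [2] = the system affinity mask.
; GetProcessAffinityMask needs PROCESS_QUERY_INFORMATION (or
; PROCESS_QUERY_LIMITED_INFORMATION); SetProcessAffinityMask needs
; PROCESS_SET_INFORMATION. Nothing else is requested.
Func _SetAffinityValidated($iPID, $iMask)
    Local $aRet[3] = [False, 0, 0]

    Local $hProcess = _WinAPI_OpenProcess(BitOR($PROCESS_QUERY_INFORMATION, $PROCESS_SET_INFORMATION), False, $iPID)
    If @error Or Not $hProcess Then
        ConsoleWrite("OpenProcess(" & $iPID & ") failed: " & _WinAPI_GetLastError() & " " & _WinAPI_GetLastErrorMessage() & @CRLF)
        Return $aRet
    EndIf

    ; On failure the UDF returns False with @error set, not an array, so test
    ; @error before touching $aMask[...].
    Local $aMask = _WinAPI_GetProcessAffinityMask($hProcess)
    If @error Then
        ConsoleWrite("GetProcessAffinityMask failed: " & _WinAPI_GetLastError() & " " & _WinAPI_GetLastErrorMessage() & @CRLF)
        _WinAPI_CloseHandle($hProcess)
        Return $aRet
    EndIf
    $aRet[1] = $aMask[1]
    $aRet[2] = $aMask[2]

    ; A process mask must be non-zero and must not name a CPU outside the system
    ; mask; the kernel rejects such masks with ERROR_INVALID_PARAMETER (87).
    ; Assumption: at most 32 logical CPUs, since BitAND/BitNOT are 32-bit.
    If $iMask = 0 Or BitAND($iMask, BitNOT($aMask[2])) <> 0 Then
        ConsoleWrite("Mask 0x" & Hex($iMask) & " is not a subset of system mask 0x" & Hex($aMask[2]) & @CRLF)
        _WinAPI_CloseHandle($hProcess)
        Return $aRet
    EndIf

    If Not _WinAPI_SetProcessAffinityMask($hProcess, $iMask) Then
        ConsoleWrite("SetProcessAffinityMask failed: " & _WinAPI_GetLastError() & " " & _WinAPI_GetLastErrorMessage() & @CRLF)
        _WinAPI_CloseHandle($hProcess)
        Return $aRet
    EndIf

    ; Read the mask back rather than trusting the Boolean return value.
    Local $aCheck = _WinAPI_GetProcessAffinityMask($hProcess)
    If Not @error Then $aRet[0] = ($aCheck[1] = $iMask)

    _WinAPI_CloseHandle($hProcess)
    Return $aRet
EndFunc
```

Try it with a mask such as 0x100 on a machine with fewer than nine logical processors: the subset check refuses it before the kernel does, and the reported system mask shows why. The same function, given a PID belonging to another user's or a SYSTEM process, fails at the OpenProcess step with error 5 unless the script is elevated, which is the boundary the earlier posts in this thread ran into.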
Moderators
Posted

jimmyo,

When you post code in future please use Code tags - see here how to do it. Thanks in advance for your cooperation.

M23

