Manko

ProDLLer: Unknown code running? Befriend or Kill!


Great Program Manko :)

and I used some functions of it in my Task Manager

Thanks, Daywalkereg!

If you need anything, don't hesitate to ask! :) (Like explanations of my messy code...)

/Manko


Yes I rush things! (I sorta do small bursts in between doing nothing.) Things I have rushed and reRushed:
* ProDLLer - Process manager - Unload viri modules (dll) and moore...
* _WinAPI_ProcessListOWNER_WTS() - Get Processes owner list...
* _WinAPI_GetCommandLineFromPID() - Get commandline of target process...
* _WinAPI_ThreadsnProcesses() Much info if expanded - optional Indented "Parent/Child"-style Processlist.
Moore to come... eventually...


@Manko

Indeed a great application!! :)

But one thing is missing: a search function.

To search any of the columns for a specific DLL, PID, Description, ....

Using the example here: _GUICtrlListView_FindText

Regards,

ptrex


@Manko

Indeed a great application!! :)

But one thing is missing: a search function.

To search any of the columns for a specific DLL, PID, Description, ....

Thanks, Ptrex!

This it? Update in first post.

Most Recent changes...

; 0.18_23
; Added: Search function, as suggested by ptrex.
; Change: Slight rewrite of module enumeration...
; Fixed: Tooltip not working in non-indented display... now it does...
; Fixed: Forgot to erase old modules on rescan, producing doubles...

; 0.18_22
; Added: Show processor load... Realised I was always checking with another task manager...

/Manko



This is amazing.... I wish I could code like this. o.o

Thanks! With practice, we all get better. :) But my impatience and love of shortcuts is perhaps not to be wished for, sometimes...

Just broke some important functions... UPDATE!

; 0.18_24
; Added: Listviews will scroll to the last found item when searching, especially important if there's only one hit somewhere FAAAR down...
; Fixed: Stupidly destroyed searchbox twice, making it impossible to use buttons "selection" and "listall". Extremely irritating!

UPDATE in first post! I hope not to be hogging forum space correcting stupid mistakes for a while... hrm...

/Manko



@Manko

Just did some tests.

This is perfect!! :P

Thanks a lot for hearing my request.

I hope it helps you as well.

regards,

ptrex

Thanks, ptrex!

Yeah, now that I've tried this feature out, I quite like it! :unsure:

Good potential for further singling out instances, both in straight and inverted use.

Thanks again for the suggestion!

/Manko



@Manko

Why not add a function for injecting DLLs?

Cheers, FireFox.


 

OS : Win XP SP2 (32 bits) / Win 7 SP1 (64 bits) / Win 8 (64 bits) | Autoit version: latest stable / beta.
Hardware : Intel(R) Core(TM) i5-2400 CPU @ 3.10Ghz / 8 GiB RAM DDR3.

My UDFs : Skype UDF | TrayIconEx UDF | GUI Panel UDF | Excel XML UDF | Is_Pressed_UDF

My Projects : YouTube Multi-downloader | FTP Easy-UP | Lock'n | WinKill | AVICapture | Skype TM | Tap Maker | ShellNew | Scriptner | Const Replacer | FT_Pocket | Chrome theme maker

My Examples : Capture toolIP Camera | Crosshair | Draw Captured Region | Picture Screensaver | Jscreenfix | Drivetemp | Picture viewer

My Snippets : Basic TCP | Systray_GetIconIndex | Intercept End task | Winpcap various | Advanced HotKeySet | Transparent Edit control

 


Great application! Thanks for a nice idea. I think you have missed one thing. Can you create sorta like a "context menu" for your list of modules and processes containing the "unload", "kill" actions or another?

@Hammerfist

Thanks!

Actually, I have added code for that in the version I use/develop right now. But since I added some new functions without fully implementing them, and since I'm dug down in developing one particular function further, the app is really in quite an ugly state at the moment.

Though, I guess I might release it as is, just to see if someone comments...

@FIREFOX

Wraithdu has done much on injecting dlls... He made an app that was somewhat similar to mine at that time, that also injected.

Me, I don't see any reason why my app should do it. Just curious... What would you use it for, exactly?

/Manko


You have done really huge work here Manko.

Admirable.

Thanks, trancexx!

Update!

; 0.18_46

; Fixed: Putting a short sleep in the message loop got rid of the insane CPU usage I got moving the mouse around in the GUI, with no apparent adverse effects. :D Why didn't I do it before???

; Fixed: Renamed some variables to not conflict. (Message loop vs. Adlib...) (Array out of bounds - crash)

; Fixed: Lost name of drivers in display of SSDT-hooks sometimes. Troubles with logic between hex and int... Solved!

; Fixed: Another conflict between Adlib and message loop, during Suspendall state, sometimes when displaying drivers/threads/SSDT... Fixed! (Array out of bounds - crash)

Download in first post!

/Manko [Edit: New version. Posts moved together.]



; 0.18_47

; Added: Sanitize and kill - Upped by new trick for killing...

; Fixed: By copying the kernel file I get the access I need to play with the uninitialized kernel even on some restricted Vista systems...

; ...... (It would not even let me open the file, and since my window is topmost, the alert got placed behind it. Irritating!)

; Fixed: Messageboxes are now topmost!

Update in first post!

You think you could list mutexes as well?

Look here for the needs of some.

This unfinished code lists "user objects and handles", mutexes among them... Driver code is needed to better handle "named pipes". ...am researching.... Sorry 'bout the delay! Other stuff happening in life... :)

#include <WinAPI.au3>   ; _GetPrivilege_SEDEBUG() - by wraithdu - uses this include.
#include <Array.au3>    ; Needed to display the array in the example.

#RequireAdmin

; SystemHandleInformation = 16

;~ typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO {
;~     USHORT UniqueProcessId;
;~     USHORT CreatorBackTraceIndex;
;~     UCHAR ObjectTypeIndex;
;~     UCHAR HandleAttributes;
;~     USHORT HandleValue;
;~     PVOID Object;
;~     ULONG GrantedAccess;
;~ } SYSTEM_HANDLE_TABLE_ENTRY_INFO, *PSYSTEM_HANDLE_TABLE_ENTRY_INFO;

;~ typedef struct _SYSTEM_HANDLE_INFORMATION {
;~     ULONG NumberOfHandles;
;~     SYSTEM_HANDLE_TABLE_ENTRY_INFO Handles[ 1 ];
;~ } SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;

;~ BOOL DuplicateHandle(
;~     HANDLE hSourceProcessHandle, // handle to process with handle to duplicate   OpenProcess        PROCESS_DUP_HANDLE
;~     HANDLE hSourceHandle,        // handle to duplicate
;~     HANDLE hTargetProcessHandle, // handle to process to duplicate to            GetCurrentProcess  PROCESS_DUP_HANDLE
;~     LPHANDLE lpTargetHandle,     // pointer to duplicate handle
;~     DWORD dwDesiredAccess,       // access for duplicate handle                  0
;~     BOOL bInheritHandle,         // handle inheritance flag                      0
;~     DWORD dwOptions              // optional actions                             const $DUPLICATE_SAME_ACCESS = 0x2
;~    );
;~ NtQueryObject(
;~     IN HANDLE ObjectHandle,
;~     IN OBJECT_INFORMATION_CLASS ObjectInformationClass,   ObjectTypeInformation = 2, ObjectNameInformation = 1
;~     OUT PVOID ObjectInformation,
;~     IN ULONG Length,
;~     OUT PULONG ResultLength );

; 32-bit layout of SYSTEM_HANDLE_TABLE_ENTRY_INFO (16 bytes). On x64 the entry is 24 bytes and the
; Handles[] array starts at offset 8 instead of 4, so this script is for 32-bit AutoIt on 32-bit Windows.
Global Const $tag_SYSTEM_HANDLE_INFO = _
        "USHORT UniqueProcessId;" & _
        "USHORT CreatorBackTraceIndex;" & _
        "ubyte ObjectTypeIndex;" & _
        "ubyte HandleAttributes;" & _
        "USHORT HandleValue;" & _
        "ptr Object;" & _
        "dword GrantedAccess"

; OBJECT_TYPE_INFORMATION and OBJECT_NAME_INFORMATION both start with a UNICODE_STRING;
; only that string is read, so one tag serves both queries. TYPE / NAME doesn't matter... I just want the unicode string.
Global Const $tag_OBJECT_TYPE = _
        "ushort Length;" & _
        "ushort MaximumLength;" & _
        "ptr    Name;" & _
        "byte[512]"

; ############# Needed Constants ###################
Global Const $PROCESS_VM_READ = 0x10
Global Const $PROCESS_QUERY_INFORMATION = 0x400
Global Const $PROCESS_DUP_HANDLE = 0x40
Global Const $DUPLICATE_SAME_ACCESS = 0x2
Global Const $SystemHandleInformation = 16
Global Const $ObjectNameInformation = 1
Global Const $ObjectTypeInformation = 2

; ############ Example code #######################
_GetPrivilege_SEDEBUG()
Global $aHandles = _Handles()
If @error Then Exit MsgBox(0x10, "ProDLLer", "_Handles() failed, @error = " & @error)
_ArrayDisplay($aHandles)
; ###############################################

; ############ Here be func! ####################
; Returns a 2D array, one row per handle in the system:
; [0] PID  [1] CreatorBackTraceIndex  [2] ObjectTypeIndex  [3] HandleAttributes  [4] HandleValue
; [5] Object (kernel address)  [6] GrantedAccess  [7] our duplicate  [8] type name  [9] object name / PID / note
Func _Handles()
    ; 40 MB is plenty for the whole handle table on a busy 32-bit system.
    Local $Mem = DllStructCreate("byte[40000000]")
    Local $ret = DllCall("ntdll.dll", "int", "ZwQuerySystemInformation", "int", $SystemHandleInformation, _
            "ptr", DllStructGetPtr($Mem), "int", DllStructGetSize($Mem), "int*", 0)
    If @error Then Return SetError(1, 0, 0)
    If $ret[0] <> 0 Then Return SetError(2, $ret[0], 0)   ; NTSTATUS <> 0 = failure (e.g. buffer too small)
    Local $Count = DllStructGetData(DllStructCreate("dword", $ret[2]), 1)
    If $Count < 1 Then Return SetError(3, 0, 0)
    Local $SysHnd_ptr = $ret[2] + 4                        ; Handles[] follows the ULONG NumberOfHandles
    Local $SysHnd = DllStructCreate($tag_SYSTEM_HANDLE_INFO, $SysHnd_ptr)
    Local $SysHnd_Size = DllStructGetSize($SysHnd)
    Local $avArray[$Count][10]
    Local $types[256]                                      ; type names cached by ObjectTypeIndex (a UCHAR)
    Local $ObjType, $buffer, $hProcSource, $hDup, $ret1, $iType, $iAttr, $iAccess, $bSkip
    Local $hProcDest = _WinAPI_GetCurrentProcess()         ; pseudo-handle, needs no closing
    For $m = 0 To $Count - 1
        $SysHnd = DllStructCreate($tag_SYSTEM_HANDLE_INFO, $SysHnd_ptr + $SysHnd_Size * $m)
        $avArray[$m][0] = DllStructGetData($SysHnd, "UniqueProcessId")
        $avArray[$m][1] = DllStructGetData($SysHnd, "CreatorBackTraceIndex")
        If Not $avArray[$m][1] Then $avArray[$m][1] = ""
        $iType = DllStructGetData($SysHnd, "ObjectTypeIndex")
        $iAttr = DllStructGetData($SysHnd, "HandleAttributes")
        $iAccess = DllStructGetData($SysHnd, "GrantedAccess")
        $avArray[$m][2] = $iType
        $avArray[$m][3] = $iAttr
        If Not $avArray[$m][3] Then $avArray[$m][3] = ""
        $avArray[$m][4] = Ptr(DllStructGetData($SysHnd, "HandleValue"))
        $avArray[$m][5] = DllStructGetData($SysHnd, "Object")
        $avArray[$m][6] = $iAccess

        ; Only PROCESS_DUP_HANDLE is needed to copy the handle into our own process.
        $hProcSource = _WinAPI_OpenProcess($PROCESS_DUP_HANDLE, 0, $avArray[$m][0])
        If Not $hProcSource Then
            $avArray[$m][9] = "    OpenProcess failed (protected or system process?)"
            ContinueLoop
        EndIf
        $ret1 = DllCall("kernel32.dll", "int", "DuplicateHandle", "hwnd", $hProcSource, "hwnd", $avArray[$m][4], _
                "hwnd", $hProcDest, "hwnd*", 0, "int", 0, "int", 0, "int", $DUPLICATE_SAME_ACCESS)
        _WinAPI_CloseHandle($hProcSource)
        $hDup = 0
        If Not @error Then $hDup = $ret1[4]
        $avArray[$m][7] = $hDup
        If Not $hDup Then
            $avArray[$m][9] = "    DuplicateHandle failed"
            ContinueLoop
        EndIf

        ; Resolve the type name once per ObjectTypeIndex. ObjectTypeInformation never blocks.
        If Not $types[$iType] Then
            $ObjType = DllStructCreate($tag_OBJECT_TYPE)
            DllCall("ntdll.dll", "int", "NtQueryObject", "hwnd", $hDup, "int", $ObjectTypeInformation, _
                    "ptr", DllStructGetPtr($ObjType), "int", DllStructGetSize($ObjType), "int*", 0)
            If DllStructGetData($ObjType, "Name") Then
                $buffer = DllStructCreate("wchar[256]", DllStructGetData($ObjType, "Name"))
                $types[$iType] = DllStructGetData($buffer, 1)
            EndIf
        EndIf
        $avArray[$m][8] = $types[$iType]

        ; Try to filter out NAMED PIPES opened for synchronous I/O: asking for their name blocks until the
        ; other end writes, i.e. deadlock. Writing a driver to get names would be best. I'm researching...
        ; (ObjectTypeIndex 28 was "File" on the system this was written on; the index differs per OS version,
        ; so the cached type name is compared instead.)
        $bSkip = False
        If $avArray[$m][8] = "File" Then
            If $iAccess = 0x00120189 Or $iAccess = 0x00100000 Then $bSkip = True
            If $iAccess = 0x0012019F And $iAttr < 2 Then $bSkip = True
        EndIf
        If $bSkip Then
            $avArray[$m][9] = "    NAMED PIPES ??? - DANGER OF DEADLOCK - SKIPPED ..."
        Else
            ; Still checking which access rights deadlock - ConsoleWrite...
            ConsoleWrite($iAccess & " " & $iType & " " & $avArray[$m][0] & " " & $avArray[$m][8] & @LF)
            Switch $avArray[$m][8]
                Case "Process"   ; a process handle has no name; its PID is the useful "name" (was type index 5)
                    $ret1 = DllCall("kernel32.dll", "int", "GetProcessId", "hwnd", $hDup)
                    $avArray[$m][9] = $ret1[0]
                Case Else
                    $ObjType = DllStructCreate($tag_OBJECT_TYPE)
                    DllCall("ntdll.dll", "int", "NtQueryObject", "hwnd", $hDup, "int", $ObjectNameInformation, _
                            "ptr", DllStructGetPtr($ObjType), "int", DllStructGetSize($ObjType), "int*", 0)
                    If DllStructGetData($ObjType, "Name") Then
                        $buffer = DllStructCreate("wchar[256]", DllStructGetData($ObjType, "Name"))
                        $avArray[$m][9] = DllStructGetData($buffer, 1)
                    EndIf
                    If Not $avArray[$m][9] Then $avArray[$m][9] = ""
            EndSwitch
        EndIf
        _WinAPI_CloseHandle($hDup)   ; the duplicate is ours now - don't leak one handle per entry
    Next
    Return $avArray
EndFunc   ;==>_Handles


; #######################
; ####################### Thanks to wraithdu!
Func _GetPrivilege_SEDEBUG()
    Local $tagLUIDANDATTRIB = "int64 Luid;dword Attributes"
    Local $count = 1
    Local $tagTOKENPRIVILEGES = "dword PrivilegeCount;byte LUIDandATTRIB[" & $count * 12 & "]" ; count of LUID structs * sizeof LUID struct
    Local $TOKEN_ADJUST_PRIVILEGES = 0x20
    Local $SE_PRIVILEGE_ENABLED = 0x2   ; was not defined anywhere in the original example
    Local $call = DllCall("advapi32.dll", "int", "OpenProcessToken", "ptr", _WinAPI_GetCurrentProcess(), "dword", $TOKEN_ADJUST_PRIVILEGES, "ptr*", 0)
    If @error Then Return False
    If Not $call[0] Then Return False
    Local $hToken = $call[3]
    ; NULL system name (a real null pointer, not the string Chr(0)) means the local machine.
    $call = DllCall("advapi32.dll", "int", "LookupPrivilegeValue", "ptr", 0, "str", "SeDebugPrivilege", "int64*", 0)
    ;msgbox(0,"",$call[3] & " " & _WinAPI_GetLastErrorMessage())
    Local $iLuid = $call[3]
    Local $TP = DllStructCreate($tagTOKENPRIVILEGES)
    Local $LUID = DllStructCreate($tagLUIDANDATTRIB, DllStructGetPtr($TP, "LUIDandATTRIB"))
    DllStructSetData($TP, "PrivilegeCount", $count)
    DllStructSetData($LUID, "Luid", $iLuid)
    DllStructSetData($LUID, "Attributes", $SE_PRIVILEGE_ENABLED)
    $call = DllCall("advapi32.dll", "int", "AdjustTokenPrivileges", "ptr", $hToken, "int", 0, "ptr", DllStructGetPtr($TP), "dword", 0, "ptr", 0, "ptr", 0)
    Local $bOk = ($call[0] <> 0) ; $call[0] <> 0 is success
    _WinAPI_CloseHandle($hToken) ; don't leave the token handle open
    Return $bOk
EndFunc   ;==>_GetPrivilege_SEDEBUG

/Manko [EDIT: Bugfix of example code!]

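The script above walks the SYSTEM_HANDLE_INFORMATION buffer by hand and skips handles it suspects to be synchronous named pipes. As an added example (not Manko's or ProDLLer's code), here is the same parse in Python over a constructed buffer, covering both the 32-bit layout the script uses and the 64-bit layout it would otherwise need, together with the script's skip heuristic; the type index 28 and the access masks are taken from the script, and the live query function is Windows-only.

```python
"""Parse SYSTEM_HANDLE_INFORMATION (SystemHandleInformation = 16) and apply the
named-pipe skip heuristic from the AutoIt script. Sample buffers are constructed."""
import struct
import sys
from dataclasses import dataclass

SYSTEM_HANDLE_INFORMATION = 16
STATUS_INFO_LENGTH_MISMATCH = 0xC0000004

# SYSTEM_HANDLE_TABLE_ENTRY_INFO: USHORT UniqueProcessId, USHORT CreatorBackTraceIndex,
# UCHAR ObjectTypeIndex, UCHAR HandleAttributes, USHORT HandleValue, PVOID Object,
# ULONG GrantedAccess. Natural alignment makes it 16 bytes on x86 and 24 on x64
# (4 bytes of tail padding) and moves the Handles[] array from offset 4 to offset 8.
ENTRY_FORMAT = {4: "<HHBBHII", 8: "<HHBBHQI4x"}
HEADER_SIZE = {4: 4, 8: 8}


@dataclass(frozen=True)
class HandleEntry:
    pid: int
    back_trace_index: int
    type_index: int
    attributes: int
    handle: int
    object_address: int
    granted_access: int


def parse_system_handle_information(buf: bytes, pointer_size: int) -> list[HandleEntry]:
    """Read NumberOfHandles, then the fixed-size entries; reject truncated buffers."""
    fmt, header = ENTRY_FORMAT[pointer_size], HEADER_SIZE[pointer_size]
    entry_size = struct.calcsize(fmt)
    if len(buf) < header:
        raise ValueError("buffer shorter than the SYSTEM_HANDLE_INFORMATION header")
    (count,) = struct.unpack_from("<I", buf, 0)
    needed = header + count * entry_size
    if len(buf) < needed:
        raise ValueError(f"truncated: {count} entries need {needed} bytes, have {len(buf)}")
    return [HandleEntry(*struct.unpack_from(fmt, buf, off))
            for off in range(header, needed, entry_size)]


def looks_like_sync_named_pipe(entry: HandleEntry, file_type_index: int) -> bool:
    """The script's heuristic: File handles whose access mask matched a synchronous pipe
    end, which hang NtQueryObject(ObjectNameInformation). The File type index is
    OS-specific; 28 was the value on the script author's system."""
    if entry.type_index != file_type_index:
        return False
    if entry.granted_access in (0x00120189, 0x00100000):
        return True
    return entry.granted_access == 0x0012019F and entry.attributes < 2


def handles_of_type(entries: list[HandleEntry], type_index: int) -> list[HandleEntry]:
    """All handles of one ObjectTypeIndex, e.g. the Mutant index to list mutexes."""
    return [e for e in entries if e.type_index == type_index]


def build_sample_buffer(pointer_size: int) -> bytes:
    """Constructed two-entry table: a suspect pipe handle and a process handle in PID 1234."""
    entries = [
        (1234, 0, 28, 0, 0x1C, 0x81234560, 0x00120189),  # File, sync-pipe access -> skip
        (1234, 0, 5, 0, 0x20, 0x8AAAA000, 0x001F0FFF),   # Process, PROCESS_ALL_ACCESS
    ]
    header = struct.pack("<I", len(entries)) + b"\0" * (HEADER_SIZE[pointer_size] - 4)
    return header + b"".join(struct.pack(ENTRY_FORMAT[pointer_size], *e) for e in entries)


def query_live_handles() -> list[HandleEntry]:
    """Windows only: fetch the real table, growing the buffer on STATUS_INFO_LENGTH_MISMATCH."""
    if sys.platform != "win32":
        raise RuntimeError("NtQuerySystemInformation is only available on Windows")
    import ctypes
    ntdll = ctypes.WinDLL("ntdll")
    size = 1 << 20
    while True:
        buf = ctypes.create_string_buffer(size)
        ret_len = ctypes.c_ulong(0)
        status = ntdll.NtQuerySystemInformation(SYSTEM_HANDLE_INFORMATION, buf, size,
                                                ctypes.byref(ret_len)) & 0xFFFFFFFF
        if status == STATUS_INFO_LENGTH_MISMATCH:
            size *= 2
            continue
        if status != 0:
            raise OSError(f"NtQuerySystemInformation failed: 0x{status:08X}")
        return parse_system_handle_information(buf.raw, ctypes.sizeof(ctypes.c_void_p))


if __name__ == "__main__":
    for ptr_size in (4, 8):
        for e in parse_system_handle_information(build_sample_buffer(ptr_size), ptr_size):
            flag = "SKIP" if looks_like_sync_named_pipe(e, 28) else "ok  "
            print(f"{ptr_size * 8:2}-bit {flag} pid={e.pid} type={e.type_index} "
                  f"access=0x{e.granted_access:08X}")
```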

Excellent.

What's the worst that could happen if I would use kernel mode functions from user mode? (I'm aware of restrictions with available space, but let's say I won't be breaking that)

I'm actually asking what do I need to do to execute privileged instruction without the use of some driver?


♡♡♡

.

eMyvnE


Excellent.

What's the worst that could happen if I would use kernel mode functions from user mode? (I'm aware of restrictions with available space, but let's say I won't be breaking that)

I'm actually asking what do I need to do to execute privileged instruction without the use of some driver?

I'm not altogether sure about these things, since I'm quite new to driver development...

...but from user mode we don't have access to kernel space, which makes it impossible to have direct access to kernel-mode-only structures...

...there are intermediary functions that work in both environments but often do not reveal all info in user space...

In this particular case though... Trying to ask for the name of a "named pipe" opened in "sync mode" locks my process indefinitely... Or until the app that opened it that way is closed. (Haven't tested, just been told...)

(In kernel mode I could just work on the object, unrestricted, instead of getting stumped by the access conditions of the handle... sort of...)

Do you have an example of what you would like to do? Might be easier to answer... (...or not...) :)

PS. Updated example code as I had a few stupid mistakes in there... DS.

/Manko



Do you have an example of what you would like to do? Might be easier to answer...

/Manko

Read bios cmos.

That is saying access ports 112 and 113. Normally without the driver I'm not allowed. But since nothing is impossible...

edit: been working on both


@Manko

I rewrote my GetPrivilege function a little, and closed a handle that was mistakenly left open. Here ya go:

; #FUNCTION# ;===============================================================================
;
; Name...........: _GetPrivilege_SEDEBUG
; Description ...: Obtains the SE_DEBUG privilege for the running process
; Syntax.........: _GetPrivilege_SEDEBUG()
; Parameters ....: 
; Return values .: Success - Returns True
;                  Failure - Returns False
; Author ........: Erik Pilsits
; Modified.......:
; Remarks .......:
; Related .......: 
; Link ..........:
; Example .......:
;
; ;==========================================================================================
Func _GetPrivilege_SEDEBUG()
    Local $tagLUIDANDATTRIB = "int64 Luid;dword Attributes"
    Local $count = 1
    Local $tagTOKENPRIVILEGES = "dword PrivilegeCount;byte LUIDandATTRIB[" & $count * 12 & "]" ; count of LUID structs * sizeof LUID struct
    Local $TOKEN_ADJUST_PRIVILEGES = 0x20
    Local $SE_PRIVILEGE_ENABLED = 0x2
    
    Local $curProc = DllCall("kernel32.dll", "ptr", "GetCurrentProcess")
    Local $call = DllCall("advapi32.dll", "int", "OpenProcessToken", "ptr", $curProc[0], "dword", $TOKEN_ADJUST_PRIVILEGES, "ptr*", "")
    If Not $call[0] Then Return False
    Local $hToken = $call[3]

    $call = DllCall("advapi32.dll", "int", "LookupPrivilegeValue", "str", "", "str", "SeDebugPrivilege", "int64*", "")
    Local $iLuid = $call[3]

    Local $TP = DllStructCreate($tagTOKENPRIVILEGES)
    Local $LUID = DllStructCreate($tagLUIDANDATTRIB, DllStructGetPtr($TP, "LUIDandATTRIB"))

    DllStructSetData($TP, "PrivilegeCount", $count)
    DllStructSetData($LUID, "Luid", $iLuid)
    DllStructSetData($LUID, "Attributes", $SE_PRIVILEGE_ENABLED)

    $call = DllCall("advapi32.dll", "int", "AdjustTokenPrivileges", "ptr", $hToken, "int", 0, "ptr", DllStructGetPtr($TP), "dword", 0, "ptr", 0, "ptr", 0)
    DllCall("kernel32.dll", "int", "CloseHandle", "ptr", $hToken)
    Return ($call[0] <> 0) ; $call[0] <> 0 is success
EndFunc   ;==>_GetPrivilege_SEDEBUG


Let's say DllCall() function fails for some, any reason. What happens?

AutoIt is specific.



Manko, my man! wassap

hey, I just tried to destroy a crashed app with your 'Sanitize and kill' function and guess what? ProDLL'er killed itself! :) I thought for sure it was supposed to kill the process!

Anyway, I'm still confused by all those buttons with limited descriptions - but wasn't there a way to detect if a process was locked up/frozen/crashed?

Btw, I'm trying with my 'Full-Screen Crash Recovery' program to terminate the app - but 'WinGetProcess' and the API call 'GetWindowThreadProcessId' that it uses (I assume) both return the Explorer.exe Process ID for a frozen/crashed app!

Dang.. I'm really getting frustrated here trying to figure out how to close the right process..

On the plus side, remember 'IsHungAppWindow'? It actually returns True for these crashed windows! So there's one plus.. now to find the process ID and terminate it..

*edit: I got it all figured out.. turns out, even though explorer.exe was returned for the crashed apps, explorer.exe was in fact crashed as well! Once it was terminated, WinGetProcess() returned the correct process ID. But termination was impossible at that point. Luckily the windows disappeared from the screen, so I can still consider the Full-Screen Crash Recovery program a success! :) Now to upload the new version..

