Impersonating Thread into "NT AUTHORITY\SYSTEM" context.

Process Hacker development discussion
keremg
Plugin Developer
Posts: 136
Location: Germany

Impersonating Thread into "NT AUTHORITY\SYSTEM" context.

Post by keremg » Wed Oct 24, 2012 3:56 pm

Hi,

For some special device operation with Zw/NtPlugPlayControl(...) I need to have the SeTcbPrivilege, which is only held by some service/process running as "NT AUTHORITY\SYSTEM". The privilege can be enabled for admin users by setting some group policy property, but this is not the way you would do it if you need to be able to run it from code. There are some ways of gaining access or starting a process as the LocalSystem user, like running it from the task scheduler or creating a service and starting the operation from within. The last one I am aware of is doing OpenProcess->OpenProcessToken->DuplicateToken->ImpersonateLoggedOnUser [DO WORK HERE]->RevertToSelf, but this also requires me to walk the running service processes until I find a candidate and then duplicate the token from there. Is there any other "better" way to do this, maybe some other API or method? I need to run some code inside some thread that will call this function.

Thanks in advance,...

K.

Zorkov Igor
Member
Posts: 77
OS: Windows 7, 8, 8.1
Location: Russia

Re: Impersonating Thread into "NT AUTHORITY\SYSTEM" context.

Post by Zorkov Igor » Thu Oct 25, 2012 5:17 am

Run process as SYSTEM
Attachment: run-as-system.zip (733.78 KiB), downloaded 226 times

keremg
Plugin Developer
Posts: 136
Location: Germany

Re: Impersonating Thread into "NT AUTHORITY\SYSTEM" context.

Post by keremg » Thu Oct 25, 2012 12:00 pm

Zorkov Igor wrote: Run process as SYSTEM

That's nice code, thank you. :thumbup:

keremg
Plugin Developer
Posts: 136
Location: Germany

Re: Impersonating Thread into "NT AUTHORITY\SYSTEM" context.

Post by keremg » Thu Oct 25, 2012 1:52 pm

Zorkov Igor wrote: Run process as SYSTEM

Uhh... it's Pascal... :o :D

Zorkov Igor
Member
Posts: 77
OS: Windows 7, 8, 8.1
Location: Russia

Re: Impersonating Thread into "NT AUTHORITY\SYSTEM" context.

Post by Zorkov Igor » Thu Oct 25, 2012 2:09 pm

There is not a lot of code to translate.

keremg
Plugin Developer
Posts: 136
Location: Germany

Re: Impersonating Thread into "NT AUTHORITY\SYSTEM" context.

Post by keremg » Thu Oct 25, 2012 4:15 pm

Zorkov Igor wrote: There is not a lot of code to translate.

I am not used to reading/writing Pascal, but it's pretty easy to understand and I already made it work. Thank you. I do have a question about the CreateProcessAsSystemW_XP function: Why do I have to impersonate the currently running thread as the system account and then call CreateProcessAsUserW() on Windows XP based systems? Isn't just calling CreateProcessAsUserW() with the token sufficient here? Why impersonate the thread first, then call the function, and finally revert?

keremg
Plugin Developer
Posts: 136
Location: Germany

Re: Impersonating Thread into "NT AUTHORITY\SYSTEM" context.

Post by keremg » Fri Nov 02, 2012 5:09 am

Zorkov Igor wrote: There is not a lot of code to translate.

The code works perfectly, thank you again. I have one more question: How can I enable a single token privilege that is available but disabled by default on the acquired token?

Thanks in advance,...

K.

wj32
Founder
Posts: 721
OS: Windows
Location: Australia

Re: Impersonating Thread into "NT AUTHORITY\SYSTEM" context.

Post by wj32 » Tue Nov 06, 2012 4:46 am

What's wrong with using AdjustTokenPrivileges?

keremg
Plugin Developer
Posts: 136
Location: Germany

Re: Impersonating Thread into "NT AUTHORITY\SYSTEM" context.

Post by keremg » Tue Nov 06, 2012 6:40 am

wj32 wrote: What's wrong with using AdjustTokenPrivileges?

Yes, that's it, you are right :-D
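The OpenProcess -> OpenProcessToken -> DuplicateToken -> ImpersonateLoggedOnUser [DO WORK HERE] -> RevertToSelf chain from the opening post, combined with the AdjustTokenPrivileges step wj32 points to for enabling SeTcbPrivilege on the acquired token, as one added example. This is editor-written code; it is not from the thread, from the run-as-system.zip attachment, or from Process Hacker. It is PowerShell driving Win32 through C# P/Invoke (Add-Type). Assumptions: it is run from an elevated PowerShell on Windows, winlogon.exe is used as the SYSTEM process to borrow a token from (any non-protected SYSTEM service process would do), and the class name SysToken and its method names are the editor's own.

```powershell
# Added example (not code from the thread or from Process Hacker). Run from an elevated PowerShell.
$ErrorActionPreference = 'Stop'

Add-Type -TypeDefinition @'
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;

public static class SysToken
{
    const uint PROCESS_QUERY_INFORMATION = 0x0400;
    const uint TOKEN_DUPLICATE = 0x0002, TOKEN_IMPERSONATE = 0x0004, TOKEN_QUERY = 0x0008,
               TOKEN_ADJUST_PRIVILEGES = 0x0020;
    const uint SE_PRIVILEGE_ENABLED = 0x0002;
    const int  ERROR_NOT_ALL_ASSIGNED = 1300;
    const int  SecurityImpersonation = 2;  // SECURITY_IMPERSONATION_LEVEL
    const int  TokenImpersonation = 2;     // TOKEN_TYPE (TokenPrimary would be 1)

    [StructLayout(LayoutKind.Sequential)] struct LUID { public uint LowPart; public int HighPart; }
    [StructLayout(LayoutKind.Sequential)]
    struct TOKEN_PRIVILEGES { public uint PrivilegeCount; public LUID Luid; public uint Attributes; }

    [DllImport("kernel32.dll", SetLastError = true)] static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("kernel32.dll")] static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll", SetLastError = true)] static extern bool CloseHandle(IntPtr h);
    [DllImport("advapi32.dll", SetLastError = true)] static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)] static extern bool DuplicateTokenEx(IntPtr token, uint access, IntPtr attrs, int level, int type, out IntPtr dup);
    [DllImport("advapi32.dll", SetLastError = true)] static extern bool ImpersonateLoggedOnUser(IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)] static extern bool RevertToSelf();
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LookupPrivilegeValue(string system, string name, out LUID luid);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool AdjustTokenPrivileges(IntPtr token, bool disableAll, ref TOKEN_PRIVILEGES state, uint len, IntPtr prev, IntPtr retLen);

    static void Fail(string api) { throw new Win32Exception(Marshal.GetLastWin32Error(), api + " failed"); }

    // Enable one privilege that is present but disabled on a token. Caveat: AdjustTokenPrivileges
    // returns TRUE even when the token does not hold the privilege; ERROR_NOT_ALL_ASSIGNED must be checked.
    public static void EnablePrivilege(IntPtr token, string name)
    {
        TOKEN_PRIVILEGES tp = new TOKEN_PRIVILEGES();
        tp.PrivilegeCount = 1; tp.Attributes = SE_PRIVILEGE_ENABLED;
        if (!LookupPrivilegeValue(null, name, out tp.Luid)) Fail("LookupPrivilegeValue");
        if (!AdjustTokenPrivileges(token, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero)) Fail("AdjustTokenPrivileges");
        if (Marshal.GetLastWin32Error() == ERROR_NOT_ALL_ASSIGNED)
            throw new InvalidOperationException(name + " is not held by this token");
    }

    // Same thing on our own primary token (used for SeDebugPrivilege so a SYSTEM process can be opened).
    public static void EnableOwnPrivilege(string name)
    {
        IntPtr tok;
        if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, out tok)) Fail("OpenProcessToken(self)");
        try { EnablePrivilege(tok, name); } finally { CloseHandle(tok); }
    }

    // OpenProcess -> OpenProcessToken -> DuplicateTokenEx -> enable privilege on the copy -> ImpersonateLoggedOnUser.
    // Only the calling thread is affected; the caller must call Revert() when the work is done.
    public static void ImpersonateProcessToken(int pid, string privilegeToEnable)
    {
        IntPtr proc = OpenProcess(PROCESS_QUERY_INFORMATION, false, pid);
        if (proc == IntPtr.Zero) Fail("OpenProcess");
        IntPtr tok = IntPtr.Zero, dup = IntPtr.Zero;
        try
        {
            if (!OpenProcessToken(proc, TOKEN_DUPLICATE | TOKEN_QUERY, out tok)) Fail("OpenProcessToken");
            if (!DuplicateTokenEx(tok, TOKEN_QUERY | TOKEN_IMPERSONATE | TOKEN_ADJUST_PRIVILEGES, IntPtr.Zero,
                                  SecurityImpersonation, TokenImpersonation, out dup)) Fail("DuplicateTokenEx");
            if (privilegeToEnable != null) EnablePrivilege(dup, privilegeToEnable);  // our copy, before impersonating
            if (!ImpersonateLoggedOnUser(dup)) Fail("ImpersonateLoggedOnUser");
        }
        finally
        {
            if (dup != IntPtr.Zero) CloseHandle(dup);  // the thread now holds its own reference
            if (tok != IntPtr.Zero) CloseHandle(tok);
            CloseHandle(proc);
        }
    }

    public static void Revert() { if (!RevertToSelf()) Fail("RevertToSelf"); }
}
'@

# Assumption: winlogon.exe runs as SYSTEM; any SYSTEM service process found by walking the process list would do.
$targetPid = (Get-Process -Name winlogon | Select-Object -First 1).Id

[SysToken]::EnableOwnPrivilege('SeDebugPrivilege')   # lets an elevated admin open the SYSTEM process
"Before: " + [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
[SysToken]::ImpersonateProcessToken($targetPid, 'SeTcbPrivilege')
try {
    # DO WORK HERE: calls on this thread now run as NT AUTHORITY\SYSTEM with SeTcbPrivilege enabled
    "During: " + [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
} finally {
    [SysToken]::Revert()
}
"After: " + [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
```

Two points a practitioner should keep in mind. The privilege is enabled on the duplicated token before it is put on the thread, which is why DuplicateTokenEx asks for TOKEN_ADJUST_PRIVILEGES on the copy; enabling it later through OpenThreadToken also works but needs an extra open. And impersonation is per thread: a child process started while impersonating still inherits the process's primary token, so starting a whole process as SYSTEM (what the attachment does) needs a TokenPrimary duplicate handed to CreateProcessAsUser instead.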
