Process Token Privileges

In the past week I've been reading posts in forums, and I realized that many people are surprised that some of the APIs they call don't work, for example InitiateSystemShutdown, SetSystemTime or, for that matter, terminating a critical process. They don't work because the calling process needs a specific privilege in its token, and most privileges are disabled by default. There are many more APIs like this than the ones mentioned above. That may be a good thing for the average user because it increases security, but for us it's not. In this post I'm going to show you how to adjust your process token's privileges and enable the debug privilege.

Our goal today is to enable the SE_DEBUG_NAME privilege so that we can kill a critical process (which will cause a crash/BSOD). As you may know, to kill a process we use OpenProcess() and TerminateProcess(). The code looks like this:

DWORD processID;
HANDLE hProcess;
BOOL hTerminate;

printf("Enter PID you want to terminate: ");
scanf("%lu", &processID);

/* PROCESS_ALL_ACCESS is more than TerminateProcess() needs; PROCESS_TERMINATE would do */
hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, processID);
if (hProcess == NULL)
    printf("OpenProcess() error %u\n", GetLastError());
hTerminate = TerminateProcess(hProcess, 0);

This will terminate your average process, but now try to kill "winlogon.exe", for example. It won't work. Why? Open Process Explorer and do the following.

[Screenshot: Process Explorer showing SeDebugPrivilege as Disabled]

As you can see, SeDebugPrivilege is disabled, so we are going to enable it. To do so we are going to use three APIs: LookupPrivilegeValue(), OpenProcessToken() and AdjustTokenPrivileges().

The first thing we have to do is use LookupPrivilegeValue() to get the LUID (Locally Unique Identifier) of the privilege we want, in our case SE_DEBUG_NAME.

TOKEN_PRIVILEGES Debug_Privileges;
LUID luid;

if (!LookupPrivilegeValue(NULL,          /* NULL = look up on the local system */
                          SE_DEBUG_NAME, /* "SeDebugPrivilege" */
                          &luid))
{
    printf("LookupPrivilegeValue() error %u\n", GetLastError());
    return false;
}

/* Describe the single privilege we want to enable; AdjustTokenPrivileges()
   reads this structure, so it must be filled in before that call. */
Debug_Privileges.PrivilegeCount = 1;
Debug_Privileges.Privileges[0].Luid = luid;
Debug_Privileges.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

If everything went well, we now have the LUID of our privilege. Next we use OpenProcessToken(). Since we want to enable or disable privileges, we request the TOKEN_ADJUST_PRIVILEGES access right. For the full list of token access rights, see the MSDN documentation.

HANDLE hToken;
if (!OpenProcessToken(GetCurrentProcess(),
                      TOKEN_ADJUST_PRIVILEGES,
                      &hToken))
{
    printf("OpenProcessToken() error %u\n", GetLastError());
    return false;
}

We are almost done, one step to go. This time we use AdjustTokenPrivileges(), which applies our TOKEN_PRIVILEGES structure to the token. You can either enable or disable a privilege with this API.

if (!AdjustTokenPrivileges(hToken,
                           FALSE,             /* FALSE = do not disable all privileges */
                           &Debug_Privileges,
                           0,
                           NULL,
                           NULL))
{
    printf("AdjustTokenPrivileges() failed with code %u\n", GetLastError());
    CloseHandle(hToken);
    return false;
}

/* AdjustTokenPrivileges() returns TRUE even when the token does not hold the
   privilege at all (e.g. not running as admin); only GetLastError() tells you. */
if (GetLastError() == ERROR_NOT_ALL_ASSIGNED)
{
    printf("The token does not have SeDebugPrivilege\n");
    CloseHandle(hToken);
    return false;
}

CloseHandle(hToken);

Now, if everything went well, open Process Explorer again and check whether SeDebugPrivilege is still disabled. It shouldn't be.

[Screenshot: Process Explorer after enabling SeDebugPrivilege]

If it's blank, it means everything went well (I don't know why it doesn't say Enabled). If you think that an API is failing because it requires a privilege, go to that API's MSDN page and read the "Remarks" section; it will tell you everything you need to know. The full sources are below, and if you find any error or bug, please let me know. Thank you for reading.

Download


One Response to “Process Token Privileges”

  1. Sriram Says:

    Interesting. very good explanation. thank you.