C++ – DuplicateHandle: need to OpenProcess, but the access is denied

celevated-privilegesSecuritywinapi

Using windows hooks I send messages to my application, which is notified about Windows events by every application on the system.

To execute marshal of the message parameters, I use shared memories. The external process calls DuplicateHandle, but for sharing the handle with my application instance, it shall call OpenProcess with PROCESS_DUP_HANDLE privilege requirements.

Actually every application is able to send messages using this architecture, even if I need to enable SeDebugPrivilege to the external process. It actually works, except for the 'explorer' process, which doesn't have the SeDebugPrivilege token…

The documentation of AdjustTokenPrivileges states:

The AdjustTokenPrivileges function cannot add new privileges to the access token. It can only enable or disable the token's existing privileges. To determine the token's privileges, call the GetTokenInformation function.

So, the question is… how to add the SeDebugPrivilege token to 'explorer' process, or alternatively, how to allow 'explorer' process to call OpenProcess(PROCESS_DUP_HANDLE, FALSE, pId)?

Best Answer

I don't understand why you don't use named shared memory. If your shared memory objects have a name, then this objects can be opened without the usage of DuplicateHandle.

If you do have to use DuplicateHandle and need be able to use OpenProcess(PROCESS_DUP_HANDLE, FALSE, pId) inside of any process I find that you should don't use SeDebugPrivilege. Instead of that you should grant permission of PROCESS_DUP_HANDLE to everyone for the process with pId. If you create a process you can specify security descriptor. If the process is already created you can use OpenProcess, GetSecurityInfo (see http://msdn.microsoft.com/en-us/library/aa446654.aspx) and SetSecurityInfo to modify security descriptor of the process.

To test this approach you can just start Process Explorer (see http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx) with administrative rights, open Security tab of the selected process (process with pId) and modify its security descriptor. After that all processes will be able to use OpenProcess(PROCESS_DUP_HANDLE, FALSE, pId) without to enable SeDebugPrivilege.

Related Solutions

C++ – the difference between #include and #include “filename”

In practice, the difference is in the location where the preprocessor searches for the included file.

For #include <filename> the preprocessor searches in an implementation dependent manner, normally in search directories pre-designated by the compiler/IDE. This method is normally used to include standard library header files.

For #include "filename" the preprocessor searches first in the same directory as the file containing the directive, and then follows the search path used for the #include <filename> form. This method is normally used to include programmer-defined header files.

A more complete description is available in the GCC documentation on search paths.

How does the SQL injection from the “Bobby Tables” XKCD comic work

It drops the students table.

The original code in the school's program probably looks something like

q = "INSERT INTO Students VALUES ('" + FNMName.Text + "', '" + LName.Text + "')";

This is the naive way to add text input into a query, and is very bad, as you will see.

After the values from the first name, middle name textbox FNMName.Text (which is Robert'); DROP TABLE STUDENTS; --) and the last name textbox LName.Text (let's call it Derper) are concatenated with the rest of the query, the result is now actually two queries separated by the statement terminator (semicolon). The second query has been injected into the first. When the code executes this query against the database, it will look like this

INSERT INTO Students VALUES ('Robert'); DROP TABLE Students; --', 'Derper')

which, in plain English, roughly translates to the two queries:

Add a new record to the Students table with a Name value of 'Robert'

and

Delete the Students table

Everything past the second query is marked as a comment: --', 'Derper')

The ' in the student's name is not a comment, it's the closing string delimiter. Since the student's name is a string, it's needed syntactically to complete the hypothetical query. Injection attacks only work when the SQL query they inject results in valid SQL.

^{^{Edited again as per dan04's astute comment}}

Best Answer

Related Solutions

C++ – the difference between #include and #include “filename”

How does the SQL injection from the “Bobby Tables” XKCD comic work

Related Topic