niansa/PolicyToolLib
1
0
Fork 0
mirror of https://gitlab.com/niansa/PolicyToolLib.git synced 2025-03-06 20:48:27 +01:00
Code Releases Activity

Further improved admin impersonation

Browse source
This commit is contained in:
niansa/tuxifan 2023-01-18 23:16:10 +01:00
parent f07479fa36
commit e73e1e0f21
4 changed files with 60 additions and 23 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

57
modules/AdminImpersonate.hpp
View file

@ -14,6 +14,9 @@ class AdminImpersonate : public ModuleBase {
inline static decltype(&CheckTokenMembership) TrueCheckTokenMembership; inline static decltype(&CheckTokenMembership) TrueCheckTokenMembership;
inline static decltype(&NtOpenFile) TrueNtOpenFile; inline static decltype(&NtOpenFile) TrueNtOpenFile;
inline static decltype(&NtCreateFile) TrueNtCreateFile; inline static decltype(&NtCreateFile) TrueNtCreateFile;
inline static decltype(&NtAccessCheck) TrueNtAccessCheck;
inline static decltype(&NtAccessCheckAndAuditAlarm) TrueNtAccessCheckAndAuditAlarm;
inline static decltype(&NtPrivilegeCheck) TrueNtPrivilegeCheck;
static static
BOOL __stdcall DetourIsUserAnAdmin() { BOOL __stdcall DetourIsUserAnAdmin() {
@ -22,7 +25,7 @@ class AdminImpersonate : public ModuleBase {
static static
BOOL APIENTRY DetourCheckTokenMembership(_In_opt_ HANDLE TokenHandle, BOOL APIENTRY DetourCheckTokenMembership(_In_opt_ HANDLE TokenHandle,
_In_ PSID SidToCheck, _Out_ PBOOL IsMember) { _In_ PSID SidToCheck, _Out_ PBOOL IsMember) {
// fetch and allocate the local admin structure // fetch and allocate the local admin structure
static SID_IDENTIFIER_AUTHORITY NtAuthority = SECURITY_NT_AUTHORITY; static SID_IDENTIFIER_AUTHORITY NtAuthority = SECURITY_NT_AUTHORITY;
static PSID LocalAdministratorsGroup = NULL; static PSID LocalAdministratorsGroup = NULL;
@ -44,8 +47,8 @@ class AdminImpersonate : public ModuleBase {
static static
NTSTATUS NTAPI DetourNtOpenFile(OUT PHANDLE FileHandle, NTSTATUS NTAPI DetourNtOpenFile(OUT PHANDLE FileHandle,
IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, OUT PIO_STATUS_BLOCK IoStatusBlock, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, OUT PIO_STATUS_BLOCK IoStatusBlock,
IN ULONG ShareAccess, IN ULONG OpenOptions) { IN ULONG ShareAccess, IN ULONG OpenOptions) {
DWORD iStatus = TrueNtOpenFile(FileHandle, DesiredAccess, ObjectAttributes, DWORD iStatus = TrueNtOpenFile(FileHandle, DesiredAccess, ObjectAttributes,
IoStatusBlock, ShareAccess, OpenOptions); IoStatusBlock, ShareAccess, OpenOptions);
@ -58,9 +61,9 @@ class AdminImpersonate : public ModuleBase {
static static
NTSTATUS NTAPI DetourNtCreateFile(OUT PHANDLE FileHandle, IN ACCESS_MASK DesiredAccess, NTSTATUS NTAPI DetourNtCreateFile(OUT PHANDLE FileHandle, IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes, OUT PIO_STATUS_BLOCK IoStatusBlock, IN POBJECT_ATTRIBUTES ObjectAttributes, OUT PIO_STATUS_BLOCK IoStatusBlock,
IN PLARGE_INTEGER AllocationSize OPTIONAL, IN ULONG FileAttributes, IN ULONG ShareAccess, IN PLARGE_INTEGER AllocationSize OPTIONAL, IN ULONG FileAttributes, IN ULONG ShareAccess,
IN ULONG CreateDisposition, IN ULONG CreateOptions, IN PVOID EaBuffer OPTIONAL, IN ULONG EaLength) { IN ULONG CreateDisposition, IN ULONG CreateOptions, IN PVOID EaBuffer OPTIONAL, IN ULONG EaLength) {
NTSTATUS iStatus = TrueNtCreateFile(FileHandle, DesiredAccess, ObjectAttributes, IoStatusBlock, AllocationSize, NTSTATUS iStatus = TrueNtCreateFile(FileHandle, DesiredAccess, ObjectAttributes, IoStatusBlock, AllocationSize,
FileAttributes, ShareAccess, CreateDisposition, CreateOptions, EaBuffer, EaLength); FileAttributes, ShareAccess, CreateDisposition, CreateOptions, EaBuffer, EaLength);
@ -71,21 +74,55 @@ class AdminImpersonate : public ModuleBase {
return iStatus; return iStatus;
} }
static
NTSTATUS NTAPI DetourNtAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor, IN HANDLE Handle, IN ACCESS_MASK AccessMask,
IN PGENERIC_MAPPING pGenericMapping, IN PPRIVILEGE_SET PrivilegeSet, PULONG Unk1, PULONG Unk2, OUT NTSTATUS* Result) {
TrueNtAccessCheck(SecurityDescriptor, Handle, AccessMask, pGenericMapping, PrivilegeSet, Unk1, Unk2, Result);
*Result = STATUS_SUCCESS;
return STATUS_SUCCESS;
}
static
NTSTATUS NTAPI DetourNtAccessCheckAndAuditAlarm(PUNICODE_STRING A, HANDLE B, PUNICODE_STRING C, PUNICODE_STRING D, PSECURITY_DESCRIPTOR E, ACCESS_MASK F,
PGENERIC_MAPPING G, BOOLEAN H, PACCESS_MASK I , PBOOLEAN J, PBOOLEAN K) {
auto res = MessageBoxA(nullptr, "Unsupported method called.", "Policy Tool Warning", MB_CANCELTRYCONTINUE);
switch (res) {
case IDCANCEL: return STATUS_NOT_IMPLEMENTED;
case IDTRYAGAIN: return STATUS_SUCCESS;
case IDCONTINUE: return TrueNtAccessCheckAndAuditAlarm(A, B, C, D, E, F, G, H, I, J, K);
default: abort();
}
}
static
NTSTATUS NTAPI DetourNtPrivilegeCheck(IN HANDLE, PRIVILEGE_SET, OUT PBOOLEAN Result) {
*Result = TRUE;
return STATUS_SUCCESS;
}
public: public:
AdminImpersonate() { AdminImpersonate() {
TrueIsUserAnAdmin = IsUserAnAdmin; TrueIsUserAnAdmin = IsUserAnAdmin;
TrueCheckTokenMembership = CheckTokenMembership; TrueCheckTokenMembership = CheckTokenMembership;
TrueNtOpenFile = reinterpret_cast<decltype(&NtOpenFile)>(GetProcAddress(LoadLibraryW(L"ntdll.dll"), "NtOpenFile")); TrueNtOpenFile = reinterpret_cast<decltype(&NtOpenFile)>(GetProcAddress(LoadLibraryW(L"ntdll.dll"), "NtOpenFile"));
TrueNtCreateFile = reinterpret_cast<decltype(&NtCreateFile)>(GetProcAddress(LoadLibraryW(L"ntdll.dll"), "NtCreateFile")); TrueNtCreateFile = reinterpret_cast<decltype(&NtCreateFile)>(GetProcAddress(LoadLibraryW(L"ntdll.dll"), "NtCreateFile"));
TrueNtAccessCheck = reinterpret_cast<decltype(&NtAccessCheck)>(GetProcAddress(LoadLibraryW(L"ntdll.dll"), "NtAccessCheck"));
TrueNtAccessCheckAndAuditAlarm = reinterpret_cast<decltype(&NtAccessCheckAndAuditAlarm)>(GetProcAddress(LoadLibraryW(L"ntdll.dll"), "NtAccessCheckAndAuditAlarm"));
TrueNtPrivilegeCheck = reinterpret_cast<decltype(&NtPrivilegeCheck)>(GetProcAddress(LoadLibraryW(L"ntdll.dll"), "NtPrivilegeCheck"));
DetourAttach(&reinterpret_cast<PVOID&>(TrueNtOpenFile), reinterpret_cast<void*>(DetourNtOpenFile)); DetourAttach(&reinterpret_cast<PVOID&>(TrueNtOpenFile), reinterpret_cast<void*>(DetourNtOpenFile));
DetourAttach(&reinterpret_cast<PVOID&>(TrueNtCreateFile), reinterpret_cast<void*>(DetourNtCreateFile)); DetourAttach(&reinterpret_cast<PVOID&>(TrueNtCreateFile), reinterpret_cast<void*>(DetourNtCreateFile));
DetourAttach(&reinterpret_cast<PVOID&>(TrueIsUserAnAdmin), reinterpret_cast<void*>(IsUserAnAdmin)); DetourAttach(&reinterpret_cast<PVOID&>(TrueIsUserAnAdmin), reinterpret_cast<void*>(DetourIsUserAnAdmin));
DetourAttach(&reinterpret_cast<PVOID&>(TrueCheckTokenMembership), reinterpret_cast<void*>(CheckTokenMembership)); DetourAttach(&reinterpret_cast<PVOID&>(TrueCheckTokenMembership), reinterpret_cast<void*>(DetourCheckTokenMembership));
DetourAttach(&reinterpret_cast<PVOID&>(TrueNtAccessCheck), reinterpret_cast<void*>(DetourNtAccessCheck));
DetourAttach(&reinterpret_cast<PVOID&>(TrueNtAccessCheckAndAuditAlarm), reinterpret_cast<void*>(DetourNtAccessCheckAndAuditAlarm));
DetourAttach(&reinterpret_cast<PVOID&>(TrueNtPrivilegeCheck), reinterpret_cast<void*>(DetourNtPrivilegeCheck));
} }
~AdminImpersonate() { ~AdminImpersonate() {
DetourDetach(&reinterpret_cast<PVOID&>(TrueNtOpenFile), reinterpret_cast<void*>(DetourNtOpenFile)); DetourDetach(&reinterpret_cast<PVOID&>(TrueNtOpenFile), reinterpret_cast<void*>(DetourNtOpenFile));
DetourDetach(&reinterpret_cast<PVOID&>(TrueNtCreateFile), reinterpret_cast<void*>(DetourNtCreateFile)); DetourDetach(&reinterpret_cast<PVOID&>(TrueNtCreateFile), reinterpret_cast<void*>(DetourNtCreateFile));
DetourDetach(&reinterpret_cast<PVOID&>(TrueIsUserAnAdmin), reinterpret_cast<void*>(IsUserAnAdmin)); DetourDetach(&reinterpret_cast<PVOID&>(TrueIsUserAnAdmin), reinterpret_cast<void*>(DetourIsUserAnAdmin));
DetourDetach(&reinterpret_cast<PVOID&>(TrueCheckTokenMembership), reinterpret_cast<void*>(CheckTokenMembership)); DetourDetach(&reinterpret_cast<PVOID&>(TrueCheckTokenMembership), reinterpret_cast<void*>(DetourCheckTokenMembership));
DetourDetach(&reinterpret_cast<PVOID&>(TrueNtAccessCheck), reinterpret_cast<void*>(DetourNtAccessCheck));
DetourDetach(&reinterpret_cast<PVOID&>(TrueNtAccessCheckAndAuditAlarm), reinterpret_cast<void*>(DetourNtAccessCheckAndAuditAlarm));
DetourDetach(&reinterpret_cast<PVOID&>(TrueNtPrivilegeCheck), reinterpret_cast<void*>(DetourNtPrivilegeCheck));
} }
}; };

12
modules/LibInherit.hpp
View file

@ -12,9 +12,9 @@ class LibInherit : public ModuleBase {
static static
BOOL WINAPI DetourCreateProcessA(_In_opt_ LPCSTR lpApplicationName, _Inout_opt_ LPSTR lpCommandLine, BOOL WINAPI DetourCreateProcessA(_In_opt_ LPCSTR lpApplicationName, _Inout_opt_ LPSTR lpCommandLine,
_In_opt_ LPSECURITY_ATTRIBUTES lpProcessAttributes, _In_opt_ LPSECURITY_ATTRIBUTES lpThreadAttributes, _In_opt_ LPSECURITY_ATTRIBUTES lpProcessAttributes, _In_opt_ LPSECURITY_ATTRIBUTES lpThreadAttributes,
_In_ BOOL bInheritHandles, _In_ DWORD dwCreationFlags, _In_opt_ LPVOID lpEnvironment, _In_ BOOL bInheritHandles, _In_ DWORD dwCreationFlags, _In_opt_ LPVOID lpEnvironment,
_In_opt_ LPCSTR lpCurrentDirectory, _In_ LPSTARTUPINFOA lpStartupInfo, _Out_ LPPROCESS_INFORMATION lpProcessInformation _In_opt_ LPCSTR lpCurrentDirectory, _In_ LPSTARTUPINFOA lpStartupInfo, _Out_ LPPROCESS_INFORMATION lpProcessInformation
) { ) {
return DetourCreateProcessWithDllExA(lpApplicationName, lpCommandLine, lpProcessAttributes, return DetourCreateProcessWithDllExA(lpApplicationName, lpCommandLine, lpProcessAttributes,
lpThreadAttributes, bInheritHandles, dwCreationFlags, lpEnvironment, lpCurrentDirectory, lpThreadAttributes, bInheritHandles, dwCreationFlags, lpEnvironment, lpCurrentDirectory,
@ -23,9 +23,9 @@ class LibInherit : public ModuleBase {
static static
BOOL WINAPI DetourCreateProcessW(_In_opt_ LPCWSTR lpApplicationName, _Inout_opt_ LPWSTR lpCommandLine, BOOL WINAPI DetourCreateProcessW(_In_opt_ LPCWSTR lpApplicationName, _Inout_opt_ LPWSTR lpCommandLine,
_In_opt_ LPSECURITY_ATTRIBUTES lpProcessAttributes, _In_opt_ LPSECURITY_ATTRIBUTES lpThreadAttributes, _In_opt_ LPSECURITY_ATTRIBUTES lpProcessAttributes, _In_opt_ LPSECURITY_ATTRIBUTES lpThreadAttributes,
_In_ BOOL bInheritHandles, _In_ DWORD dwCreationFlags, _In_opt_ LPVOID lpEnvironment, _In_ BOOL bInheritHandles, _In_ DWORD dwCreationFlags, _In_opt_ LPVOID lpEnvironment,
_In_opt_ LPCWSTR lpCurrentDirectory, _In_ LPSTARTUPINFOW lpStartupInfo, _Out_ LPPROCESS_INFORMATION lpProcessInformation _In_opt_ LPCWSTR lpCurrentDirectory, _In_ LPSTARTUPINFOW lpStartupInfo, _Out_ LPPROCESS_INFORMATION lpProcessInformation
) { ) {
return DetourCreateProcessWithDllExW(lpApplicationName, lpCommandLine, lpProcessAttributes, return DetourCreateProcessWithDllExW(lpApplicationName, lpCommandLine, lpProcessAttributes,
lpThreadAttributes, bInheritHandles, dwCreationFlags, lpEnvironment, lpCurrentDirectory, lpThreadAttributes, bInheritHandles, dwCreationFlags, lpEnvironment, lpCurrentDirectory,

4
modules/PolicyDisable.hpp
View file

@ -15,8 +15,8 @@ class PolicyDisable : public ModuleBase {
static static
NTSTATUS WINAPI DetourNtQueryValueKey(_In_ HANDLE KeyHandle, NTSTATUS WINAPI DetourNtQueryValueKey(_In_ HANDLE KeyHandle,
_In_ PUNICODE_STRING ValueName, _In_ KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass, _In_ PUNICODE_STRING ValueName, _In_ KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass,
_Out_opt_ PVOID KeyValueInformation, _In_ ULONG Length, _Out_ PULONG ResultLength) { _Out_opt_ PVOID KeyValueInformation, _In_ ULONG Length, _Out_ PULONG ResultLength) {
// lookup the size for the key name so we can allocate space for it // lookup the size for the key name so we can allocate space for it
DWORD iKeyNameSize; DWORD iKeyNameSize;
if (NtQueryKey(KeyHandle, KeyNameInformation, NULL, 0, &iKeyNameSize) != STATUS_BUFFER_TOO_SMALL) { if (NtQueryKey(KeyHandle, KeyNameInformation, NULL, 0, &iKeyNameSize) != STATUS_BUFFER_TOO_SMALL) {

10
modules/RemoteLockBreak.hpp
View file

@ -13,8 +13,8 @@ class RemoteLockBreak : public ModuleBase {
static static
NTSTATUS NTAPI DetourNtOpenFile(OUT PHANDLE FileHandle, NTSTATUS NTAPI DetourNtOpenFile(OUT PHANDLE FileHandle,
IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, OUT PIO_STATUS_BLOCK IoStatusBlock, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, OUT PIO_STATUS_BLOCK IoStatusBlock,
IN ULONG ShareAccess, IN ULONG OpenOptions) { IN ULONG ShareAccess, IN ULONG OpenOptions) {
DWORD iStatus = TrueNtOpenFile(FileHandle, DesiredAccess, ObjectAttributes, DWORD iStatus = TrueNtOpenFile(FileHandle, DesiredAccess, ObjectAttributes,
IoStatusBlock, ShareAccess, OpenOptions); IoStatusBlock, ShareAccess, OpenOptions);
@ -31,9 +31,9 @@ class RemoteLockBreak : public ModuleBase {
static static
NTSTATUS NTAPI DetourNtCreateFile(OUT PHANDLE FileHandle, IN ACCESS_MASK DesiredAccess, NTSTATUS NTAPI DetourNtCreateFile(OUT PHANDLE FileHandle, IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes, OUT PIO_STATUS_BLOCK IoStatusBlock, IN POBJECT_ATTRIBUTES ObjectAttributes, OUT PIO_STATUS_BLOCK IoStatusBlock,
IN PLARGE_INTEGER AllocationSize OPTIONAL, IN ULONG FileAttributes, IN ULONG ShareAccess, IN PLARGE_INTEGER AllocationSize OPTIONAL, IN ULONG FileAttributes, IN ULONG ShareAccess,
IN ULONG CreateDisposition, IN ULONG CreateOptions, IN PVOID EaBuffer OPTIONAL, IN ULONG EaLength) { IN ULONG CreateDisposition, IN ULONG CreateOptions, IN PVOID EaBuffer OPTIONAL, IN ULONG EaLength) {
NTSTATUS iStatus = TrueNtCreateFile(FileHandle, DesiredAccess, ObjectAttributes, IoStatusBlock, AllocationSize, NTSTATUS iStatus = TrueNtCreateFile(FileHandle, DesiredAccess, ObjectAttributes, IoStatusBlock, AllocationSize,
FileAttributes, ShareAccess, CreateDisposition, CreateOptions, EaBuffer, EaLength); FileAttributes, ShareAccess, CreateDisposition, CreateOptions, EaBuffer, EaLength);