Further improved admin impersonation

2025-03-06 20:48:27 +01:00 · 2023-01-18 23:16:10 +01:00 · 2023-01-18 23:16:10 +01:00 · e73e1e0f21
commit e73e1e0f21
parent f07479fa36
4 changed files with 60 additions and 23 deletions
--- a/modules/AdminImpersonate.hpp
+++ b/modules/AdminImpersonate.hpp
@ -14,6 +14,9 @@ class AdminImpersonate : public ModuleBase {
    inline static decltype(&CheckTokenMembership) TrueCheckTokenMembership;
    inline static decltype(&NtOpenFile) TrueNtOpenFile;
    inline static decltype(&NtCreateFile) TrueNtCreateFile;
+    inline static decltype(&NtAccessCheck) TrueNtAccessCheck;
+    inline static decltype(&NtAccessCheckAndAuditAlarm) TrueNtAccessCheckAndAuditAlarm;
+    inline static decltype(&NtPrivilegeCheck) TrueNtPrivilegeCheck;

    static
    BOOL __stdcall DetourIsUserAnAdmin() {
@ -71,21 +74,55 @@ class AdminImpersonate : public ModuleBase {
        return iStatus;
    }

+    static
+    NTSTATUS NTAPI DetourNtAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor, IN HANDLE Handle, IN ACCESS_MASK AccessMask,
+                                       IN PGENERIC_MAPPING pGenericMapping, IN PPRIVILEGE_SET PrivilegeSet, PULONG Unk1, PULONG Unk2, OUT NTSTATUS* Result) {
+        TrueNtAccessCheck(SecurityDescriptor, Handle, AccessMask, pGenericMapping, PrivilegeSet, Unk1, Unk2, Result);
+        *Result = STATUS_SUCCESS;
+        return STATUS_SUCCESS;
+    }
+    static
+    NTSTATUS NTAPI DetourNtAccessCheckAndAuditAlarm(PUNICODE_STRING A, HANDLE B, PUNICODE_STRING C, PUNICODE_STRING D, PSECURITY_DESCRIPTOR E, ACCESS_MASK F,
+                                                    PGENERIC_MAPPING G, BOOLEAN H, PACCESS_MASK I , PBOOLEAN J, PBOOLEAN K) {
+        auto res = MessageBoxA(nullptr, "Unsupported method called.", "Policy Tool Warning", MB_CANCELTRYCONTINUE);
+        switch (res) {
+        case IDCANCEL: return STATUS_NOT_IMPLEMENTED;
+        case IDTRYAGAIN: return STATUS_SUCCESS;
+        case IDCONTINUE: return TrueNtAccessCheckAndAuditAlarm(A, B, C, D, E, F, G, H, I, J, K);
+        default: abort();
+        }
+    }
+
+    static
+    NTSTATUS NTAPI DetourNtPrivilegeCheck(IN HANDLE, PRIVILEGE_SET, OUT PBOOLEAN Result) {
+        *Result = TRUE;
+        return STATUS_SUCCESS;
+    }
+
 public:
    AdminImpersonate() {
        TrueIsUserAnAdmin = IsUserAnAdmin;
        TrueCheckTokenMembership = CheckTokenMembership;
        TrueNtOpenFile = reinterpret_cast<decltype(&NtOpenFile)>(GetProcAddress(LoadLibraryW(L"ntdll.dll"), "NtOpenFile"));
        TrueNtCreateFile = reinterpret_cast<decltype(&NtCreateFile)>(GetProcAddress(LoadLibraryW(L"ntdll.dll"), "NtCreateFile"));
+        TrueNtAccessCheck = reinterpret_cast<decltype(&NtAccessCheck)>(GetProcAddress(LoadLibraryW(L"ntdll.dll"), "NtAccessCheck"));
+        TrueNtAccessCheckAndAuditAlarm = reinterpret_cast<decltype(&NtAccessCheckAndAuditAlarm)>(GetProcAddress(LoadLibraryW(L"ntdll.dll"), "NtAccessCheckAndAuditAlarm"));
+        TrueNtPrivilegeCheck = reinterpret_cast<decltype(&NtPrivilegeCheck)>(GetProcAddress(LoadLibraryW(L"ntdll.dll"), "NtPrivilegeCheck"));
        DetourAttach(&reinterpret_cast<PVOID&>(TrueNtOpenFile), reinterpret_cast<void*>(DetourNtOpenFile));
        DetourAttach(&reinterpret_cast<PVOID&>(TrueNtCreateFile), reinterpret_cast<void*>(DetourNtCreateFile));
-        DetourAttach(&reinterpret_cast<PVOID&>(TrueIsUserAnAdmin), reinterpret_cast<void*>(IsUserAnAdmin));
-        DetourAttach(&reinterpret_cast<PVOID&>(TrueCheckTokenMembership), reinterpret_cast<void*>(CheckTokenMembership));
+        DetourAttach(&reinterpret_cast<PVOID&>(TrueIsUserAnAdmin), reinterpret_cast<void*>(DetourIsUserAnAdmin));
+        DetourAttach(&reinterpret_cast<PVOID&>(TrueCheckTokenMembership), reinterpret_cast<void*>(DetourCheckTokenMembership));
+        DetourAttach(&reinterpret_cast<PVOID&>(TrueNtAccessCheck), reinterpret_cast<void*>(DetourNtAccessCheck));
+        DetourAttach(&reinterpret_cast<PVOID&>(TrueNtAccessCheckAndAuditAlarm), reinterpret_cast<void*>(DetourNtAccessCheckAndAuditAlarm));
+        DetourAttach(&reinterpret_cast<PVOID&>(TrueNtPrivilegeCheck), reinterpret_cast<void*>(DetourNtPrivilegeCheck));
    }
    ~AdminImpersonate() {
        DetourDetach(&reinterpret_cast<PVOID&>(TrueNtOpenFile), reinterpret_cast<void*>(DetourNtOpenFile));
        DetourDetach(&reinterpret_cast<PVOID&>(TrueNtCreateFile), reinterpret_cast<void*>(DetourNtCreateFile));
-        DetourDetach(&reinterpret_cast<PVOID&>(TrueIsUserAnAdmin), reinterpret_cast<void*>(IsUserAnAdmin));
-        DetourDetach(&reinterpret_cast<PVOID&>(TrueCheckTokenMembership), reinterpret_cast<void*>(CheckTokenMembership));
+        DetourDetach(&reinterpret_cast<PVOID&>(TrueIsUserAnAdmin), reinterpret_cast<void*>(DetourIsUserAnAdmin));
+        DetourDetach(&reinterpret_cast<PVOID&>(TrueCheckTokenMembership), reinterpret_cast<void*>(DetourCheckTokenMembership));
+        DetourDetach(&reinterpret_cast<PVOID&>(TrueNtAccessCheck), reinterpret_cast<void*>(DetourNtAccessCheck));
+        DetourDetach(&reinterpret_cast<PVOID&>(TrueNtAccessCheckAndAuditAlarm), reinterpret_cast<void*>(DetourNtAccessCheckAndAuditAlarm));
+        DetourDetach(&reinterpret_cast<PVOID&>(TrueNtPrivilegeCheck), reinterpret_cast<void*>(DetourNtPrivilegeCheck));
    }
 };