Joined: 17 Feb 2008 Posts: 520 Location: Inside the Intel CET shadow stack
Posted: Wed Aug 04, 2010 6:07 pm Post subject: Raise Process Privileges
In Windows, certain files, folders, processes, registry keys and other objects are kept tightly locked down by access control lists (ACLs) that make sure only certain trusted users and processes can access certain things. A lot of "security" software such as anti-virus programs often modifies these ACLs to increase security and protect themselves. Normally, your standard processes can't access things like the "C:\System Volume Information" directory, or files inside "System32\config", and only special system services are allowed to make changes or read them.
However, I have developed a way around this. There's an undocumented API inside ntdll.dll called "RtlAdjustPrivilege" that allows a process to grant itself permissions. The reason it's undocumented is that it can be used to give a process the ability to completely bypass ACLs for files and processes.
Now let me give you an example of how useful (and awesomely powerful) this really is. Open up Notepad, go to File -> Open and try to navigate to "C:\System Volume Information\". You'll have to type it in the bar at the bottom since it's a super-hidden directory. You'll get something along the lines of "Cannot open System Volume Information - Access is denied". Now, if you were to give Notepad the SeBackupPrivilege, you could completely bypass this protection and get access to the goodies inside.
So, how is any of this useful to you without someone putting the work in to make it practical? It isn't really, and that's why I've written a program called RaisePrivilege that launches any Windows executable of your choice and gives it all possible privileges. You can download it from SendSpace, MegaUpload, or FileSurf.ru. Once you've downloaded the archive, extract it and read the readme. It should be self explanatory.
This can be a very powerful tool in the right hands, however it can be absolutely DISASTEROUS in the hands of someone that doesn't know what they're doing. Be extremely careful and make sure you understand what's going on before you start playing with things!
Thanks to opcode0x90 and Jani for their help with understanding DLL injection. _________________
It's not fun unless every exploit mitigation is enabled.
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum You cannot attach files in this forum You can download files in this forum