Martymoose98

NieR:Automata Take Ownership of win store exe [Untested]

Oct 17th, 2021 (edited)
880
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. #include <windows.h>
  2. #include <winternl.h>
  3. #include <accctrl.h>
  4. #include <aclapi.h>
  5. #include <stdio.h>
  6. #include <aclapi.h>
  7.  
  8. //#pragma comment(lib, "cmcfg32.lib")
  9.  
  10. typedef __kernel_entry NTSTATUS (NTAPI *NtCreateFileFn)(
  11.     PHANDLE            FileHandle,
  12.     ACCESS_MASK        DesiredAccess,
  13.     POBJECT_ATTRIBUTES ObjectAttributes,
  14.     PIO_STATUS_BLOCK   IoStatusBlock,
  15.     PLARGE_INTEGER     AllocationSize,
  16.     ULONG              FileAttributes,
  17.     ULONG              ShareAccess,
  18.     ULONG              CreateDisposition,
  19.     ULONG              CreateOptions,
  20.     PVOID              EaBuffer,
  21.     ULONG              EaLength
  22. );
  23.  
  24. typedef VOID (NTAPI* RtlInitUnicodeStringFn)(
  25.     PUNICODE_STRING         DestinationString,
  26.     __drv_aliasesMem PCWSTR SourceString
  27. );
  28.  
  29. NTSTATUS NtOpenProtectedFile(LPWSTR szFilename, PHANDLE phFile)
  30. {
  31.     NTSTATUS Status = 0; //STATUS_SUCCESS
  32.     ACCESS_MASK Access = STANDARD_RIGHTS_ALL | ACCESS_SYSTEM_SECURITY | FILE_GENERIC_READ;
  33.  
  34.     UNICODE_STRING Filename;
  35.     OBJECT_ATTRIBUTES ObjectAttrib;
  36.     IO_STATUS_BLOCK IoStatusBlock;
  37.     LARGE_INTEGER Size = { 0 };
  38.  
  39.     NtCreateFileFn pNtCreateFile = (NtCreateFileFn)GetProcAddress(GetModuleHandle(L"ntdll.dll"), "NtCreateFile");
  40.     RtlInitUnicodeStringFn pRtlInitUnicodeString =
  41.         (RtlInitUnicodeStringFn)GetProcAddress(GetModuleHandle(L"ntdll.dll"), "RtlInitUnicodeString");
  42.  
  43.     pRtlInitUnicodeString(&Filename, szFilename);
  44.  
  45.     InitializeObjectAttributes(&ObjectAttrib, &Filename, OBJ_CASE_INSENSITIVE, NULL, NULL);
  46.  
  47.     if (phFile)
  48.     {
  49.         Status = pNtCreateFile(phFile, Access, &ObjectAttrib, &IoStatusBlock, &Size, FILE_ATTRIBUTE_READONLY,
  50.             FILE_SHARE_READ, FILE_OPEN_IF, FILE_NON_DIRECTORY_FILE, NULL, 0);
  51.     }
  52.  
  53.     return Status;
  54. }
  55.  
  56.  
  57.  
  58. //Forward declaration of SetPrivilege
  59. BOOL SetPrivilege(
  60.     HANDLE hToken,          // access token handle
  61.     LPCTSTR lpszPrivilege,  // name of privilege to enable/disable
  62.     BOOL bEnablePrivilege   // to enable or disable privilege
  63. );
  64.  
  65. BOOL TakeOwnership(LPTSTR lpszOwnFile)
  66. {
  67.     BOOL bRetval = FALSE;
  68.     HANDLE hToken = NULL;
  69.     PSID pSIDAdmin = NULL;
  70.     PSID pSIDEveryone = NULL;
  71.     PACL pACL = NULL;
  72.     SID_IDENTIFIER_AUTHORITY SIDAuthWorld =  SECURITY_WORLD_SID_AUTHORITY;
  73.     SID_IDENTIFIER_AUTHORITY SIDAuthNT = SECURITY_NT_AUTHORITY;
  74.     const int NUM_ACES = 2;
  75.     EXPLICIT_ACCESS ea[NUM_ACES];
  76.     DWORD dwRes;
  77.  
  78.     // Specify the DACL to use.
  79.     // Create a SID for the Everyone group.
  80.     if (!AllocateAndInitializeSid(&SIDAuthWorld, 1,
  81.         SECURITY_WORLD_RID,
  82.         0,
  83.         0, 0, 0, 0, 0, 0,
  84.         &pSIDEveryone))
  85.     {
  86.         printf("AllocateAndInitializeSid (Everyone) error %u\n",
  87.             GetLastError());
  88.         goto Cleanup;
  89.     }
  90.  
  91.     // Create a SID for the BUILTIN\Administrators group.
  92.     if (!AllocateAndInitializeSid(&SIDAuthNT, 2,
  93.         SECURITY_BUILTIN_DOMAIN_RID,
  94.         DOMAIN_ALIAS_RID_ADMINS,
  95.         0, 0, 0, 0, 0, 0,
  96.         &pSIDAdmin))
  97.     {
  98.         printf("AllocateAndInitializeSid (Admin) error %u\n",
  99.             GetLastError());
  100.         goto Cleanup;
  101.     }
  102.  
  103.     ZeroMemory(&ea, NUM_ACES * sizeof(EXPLICIT_ACCESS));
  104.  
  105.     // Set read access for Everyone.
  106.     ea[0].grfAccessPermissions = GENERIC_READ;
  107.     ea[0].grfAccessMode = SET_ACCESS;
  108.     ea[0].grfInheritance = NO_INHERITANCE;
  109.     ea[0].Trustee.TrusteeForm = TRUSTEE_IS_SID;
  110.     ea[0].Trustee.TrusteeType = TRUSTEE_IS_WELL_KNOWN_GROUP;
  111.     ea[0].Trustee.ptstrName = (LPTSTR)pSIDEveryone;
  112.  
  113.     // Set full control for Administrators.
  114.     ea[1].grfAccessPermissions = GENERIC_ALL;
  115.     ea[1].grfAccessMode = SET_ACCESS;
  116.     ea[1].grfInheritance = NO_INHERITANCE;
  117.     ea[1].Trustee.TrusteeForm = TRUSTEE_IS_SID;
  118.     ea[1].Trustee.TrusteeType = TRUSTEE_IS_GROUP;
  119.     ea[1].Trustee.ptstrName = (LPTSTR)pSIDAdmin;
  120.  
  121.     if (ERROR_SUCCESS != SetEntriesInAcl(NUM_ACES,
  122.         ea,
  123.         NULL,
  124.         &pACL))
  125.     {
  126.         printf("Failed SetEntriesInAcl\n");
  127.         goto Cleanup;
  128.     }
  129.  
  130.     // Try to modify the object's DACL.
  131.     dwRes = SetNamedSecurityInfo(
  132.         lpszOwnFile,                 // name of the object
  133.         SE_FILE_OBJECT,              // type of object
  134.         DACL_SECURITY_INFORMATION,   // change only the object's DACL
  135.         NULL, NULL,                  // do not change owner or group
  136.         pACL,                        // DACL specified
  137.         NULL);                       // do not change SACL
  138.  
  139.     if (ERROR_SUCCESS == dwRes)
  140.     {
  141.         printf("Successfully changed DACL\n");
  142.         bRetval = TRUE;
  143.         // No more processing needed.
  144.         goto Cleanup;
  145.     }
  146.     if (dwRes != ERROR_ACCESS_DENIED)
  147.     {
  148.         printf("First SetNamedSecurityInfo call failed: %u\n",
  149.             dwRes);
  150.         goto Cleanup;
  151.     }
  152.  
  153.     // If the preceding call failed because access was denied,
  154.     // enable the SE_TAKE_OWNERSHIP_NAME privilege, create a SID for
  155.     // the Administrators group, take ownership of the object, and
  156.     // disable the privilege. Then try again to set the object's DACL.
  157.  
  158.     // Open a handle to the access token for the calling process.
  159.     if (!OpenProcessToken(GetCurrentProcess(),
  160.         TOKEN_ADJUST_PRIVILEGES,
  161.         &hToken))
  162.     {
  163.         printf("OpenProcessToken failed: %u\n", GetLastError());
  164.         goto Cleanup;
  165.     }
  166.  
  167.     // Enable the SE_TAKE_OWNERSHIP_NAME privilege.
  168.     if (!SetPrivilege(hToken, SE_TAKE_OWNERSHIP_NAME, TRUE))
  169.     {
  170.         printf("You must be logged on as Administrator.\n");
  171.         goto Cleanup;
  172.     }
  173.  
  174.     // Set the owner in the object's security descriptor.
  175.     dwRes = SetNamedSecurityInfo(
  176.         lpszOwnFile,                 // name of the object
  177.         SE_FILE_OBJECT,              // type of object
  178.         OWNER_SECURITY_INFORMATION,  // change only the object's owner
  179.         pSIDAdmin,                   // SID of Administrator group
  180.         NULL,
  181.         NULL,
  182.         NULL);
  183.  
  184.     if (dwRes != ERROR_SUCCESS)
  185.     {
  186.         printf("Could not set owner. Error: %u\n", dwRes);
  187.         goto Cleanup;
  188.     }
  189.  
  190.     // Disable the SE_TAKE_OWNERSHIP_NAME privilege.
  191.     if (!SetPrivilege(hToken, SE_TAKE_OWNERSHIP_NAME, FALSE))
  192.     {
  193.         printf("Failed SetPrivilege call unexpectedly.\n");
  194.         goto Cleanup;
  195.     }
  196.  
  197.     // Try again to modify the object's DACL,
  198.     // now that we are the owner.
  199.     dwRes = SetNamedSecurityInfo(
  200.         lpszOwnFile,                 // name of the object
  201.         SE_FILE_OBJECT,              // type of object
  202.         DACL_SECURITY_INFORMATION,   // change only the object's DACL
  203.         NULL, NULL,                  // do not change owner or group
  204.         pACL,                        // DACL specified
  205.         NULL);                       // do not change SACL
  206.  
  207.     if (dwRes == ERROR_SUCCESS)
  208.     {
  209.         printf("Successfully changed DACL\n");
  210.         bRetval = TRUE;
  211.     }
  212.     else
  213.     {
  214.         printf("Second SetNamedSecurityInfo call failed: %u\n",
  215.             dwRes);
  216.     }
  217.  
  218. Cleanup:
  219.  
  220.     if (pSIDAdmin)
  221.         FreeSid(pSIDAdmin);
  222.  
  223.     if (pSIDEveryone)
  224.         FreeSid(pSIDEveryone);
  225.  
  226.     if (pACL)
  227.         LocalFree(pACL);
  228.  
  229.     if (hToken)
  230.         CloseHandle(hToken);
  231.  
  232.     return bRetval;
  233.  
  234. }
  235.  
  236. BOOL SetPrivilege(
  237.     HANDLE hToken,          // access token handle
  238.     LPCTSTR lpszPrivilege,  // name of privilege to enable/disable
  239.     BOOL bEnablePrivilege   // to enable or disable privilege
  240. )
  241. {
  242.     TOKEN_PRIVILEGES tp;
  243.     LUID luid;
  244.  
  245.     if (!LookupPrivilegeValue(
  246.         NULL,            // lookup privilege on local system
  247.         lpszPrivilege,   // privilege to lookup
  248.         &luid))          // receives LUID of privilege
  249.     {
  250.         printf("LookupPrivilegeValue error: %u\n", GetLastError());
  251.         return FALSE;
  252.     }
  253.  
  254.     tp.PrivilegeCount = 1;
  255.     tp.Privileges[0].Luid = luid;
  256.     //  tp.Privileges[0].Luid.LowPart = 20;
  257.     //  tp.Privileges[0].Luid.HighPart = 0;
  258.  
  259.     if (bEnablePrivilege)
  260.         tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
  261.     else
  262.         tp.Privileges[0].Attributes = 0;
  263.  
  264.     // Enable the privilege or disable all privileges.
  265.  
  266.     if (!AdjustTokenPrivileges(
  267.         hToken,
  268.         FALSE,
  269.         &tp,
  270.         sizeof(TOKEN_PRIVILEGES),
  271.         (PTOKEN_PRIVILEGES)NULL,
  272.         (PDWORD)NULL))
  273.     {
  274.         printf("AdjustTokenPrivileges error: %u\n", GetLastError());
  275.         return FALSE;
  276.     }
  277.  
  278.     if (GetLastError() == ERROR_NOT_ALL_ASSIGNED)
  279.     {
  280.         printf("The token does not have the specified privilege. \n");
  281.         return FALSE;
  282.     }
  283.  
  284.     return TRUE;
  285. }
  286.  
  287. #define EXE_FILE "C:\\Program Files\\WindowsApps\\39EA002F.NieRAutomataPC_1.0.38.0_x64__n746a19ndrrjg\\NieRAutomata.exe"
  288. #define EXE_FILEW_ L"C:\\Program Files\\WindowsApps\\39EA002F.NieRAutomataPC_1.0.38.0_x64__n746a19ndrrjg\\NieRAutomata.exe"
  289. #define EXE_FILEW L"\\??\\C:\\Program Files\\WindowsApps\\39EA002F.NieRAutomataPC_1.0.38.0_x64__n746a19ndrrjg\\NieRAutomata.exe"
  290.  
  291. /// <summary>
  292. /// C:\Program Files\WindowsApps\39EA002F.NieRAutomataPC_1.0.38.0_x64__n746a19ndrrjg
  293. /// "C:\Program Files\WindowsApps\39EA002F.NieRAutomataPC_1.0.38.0_x64__n746a19ndrrjg\NieRAutomata.exe"
  294. /// </summary>
  295. /// <param name="argc"></param>
  296. /// <param name="argv"></param>
  297. /// <returns></returns>
  298. int main(int argc, char* argv[])
  299. {
  300.     if (argc <= 0)
  301.         return 1;
  302.  
  303.     EXPLICIT_ACCESS ea = { 0, }, eas[5] = { { 0, }, };
  304.     PACL pacl = 0;
  305.     DWORD rc = 0;
  306.     HANDLE hToken;
  307.  
  308.     ea.grfAccessPermissions = GENERIC_ALL;
  309.     ea.grfAccessMode = DENY_ACCESS;
  310.     ea.grfInheritance = NO_INHERITANCE;
  311.     ea.Trustee.TrusteeForm = TRUSTEE_IS_NAME;
  312.     ea.Trustee.TrusteeType = TRUSTEE_IS_WELL_KNOWN_GROUP;
  313.     ea.Trustee.ptstrName = TEXT("EVERYONE");
  314.     eas[0] = ea;
  315.  
  316.  
  317.     ea.grfAccessPermissions = GENERIC_ALL;
  318.     ea.grfAccessMode = GRANT_ACCESS;
  319.     ea.grfInheritance = NO_INHERITANCE;
  320.     ea.Trustee.TrusteeForm = TRUSTEE_IS_NAME;
  321.     ea.Trustee.TrusteeType = TRUSTEE_IS_USER;
  322.     ea.Trustee.ptstrName = TEXT("CURRENT_USER");
  323.     eas[1] = ea;
  324.  
  325.     if (OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &hToken))
  326.     {
  327.         SetPrivilege(hToken, SE_SECURITY_NAME, TRUE);
  328.         SetPrivilege(hToken, SE_TAKE_OWNERSHIP_NAME, TRUE);
  329.  
  330.         //QuerySecurityAccessMask()
  331.         PSID pOwner;
  332.         PSID pGroup;
  333.         PACL pDacl;
  334.         PACL pSacl;
  335.         PSECURITY_DESCRIPTOR pSecurityDesc;
  336.  
  337.     // rc = GetNamedSecurityInfoA(EXE_FILE, SE_FILE_OBJECT, &pOwner, &pGroup, &pDacl, &pSacl &pSecurityDesc);
  338.         TakeOwnership(EXE_FILEW_);
  339.  
  340.         rc = SetEntriesInAcl(2, &eas[0], NULL, &pacl);
  341.  
  342.         rc = SetNamedSecurityInfoA(EXE_FILE, SE_FILE_OBJECT, DACL_SECURITY_INFORMATION,
  343.             NULL, NULL, pacl, NULL);
  344.  
  345.  
  346.         HANDLE hFile = CreateFileA(EXE_FILE, GENERIC_READ, FILE_SHARE_DELETE | FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_ALWAYS,
  347.             FILE_ATTRIBUTE_READONLY, NULL);
  348.  
  349.         NtOpenProtectedFile(EXE_FILEW, &hFile);
  350.  
  351.  
  352.         if (hFile == INVALID_HANDLE_VALUE)
  353.         {
  354.             printf("CreateFileA error: %u\n", GetLastError());
  355.             return 2;
  356.         }
  357.     }
  358.  
  359.     return 0;
  360. }
RAW Paste Data