- #include <windows.h>
- #include <winternl.h>
- #include <accctrl.h>
- #include <aclapi.h>
- #include <stdio.h>
- #include <aclapi.h>
- //#pragma comment(lib, "cmcfg32.lib")
/* Function-pointer type matching ntdll!NtCreateFile. The routine is resolved
 * at run time with GetProcAddress (see NtOpenProtectedFile) rather than called
 * directly -- presumably to avoid a static link against ntdll.lib (the
 * commented-out #pragma above hints at that); confirm with the build setup.
 * The SAL annotation __kernel_entry is kept from the winternl.h prototype. */
typedef __kernel_entry NTSTATUS (NTAPI *NtCreateFileFn)(
    PHANDLE FileHandle,            /* receives the opened handle */
    ACCESS_MASK DesiredAccess,
    POBJECT_ATTRIBUTES ObjectAttributes,
    PIO_STATUS_BLOCK IoStatusBlock,
    PLARGE_INTEGER AllocationSize, /* optional; only meaningful when creating */
    ULONG FileAttributes,
    ULONG ShareAccess,
    ULONG CreateDisposition,       /* FILE_OPEN, FILE_OPEN_IF, ... */
    ULONG CreateOptions,
    PVOID EaBuffer,                /* optional extended attributes */
    ULONG EaLength
    );
/* Function-pointer type matching ntdll!RtlInitUnicodeString, which fills a
 * UNICODE_STRING header pointing at (not copying) SourceString. Resolved at
 * run time alongside NtCreateFile in NtOpenProtectedFile. */
typedef VOID (NTAPI* RtlInitUnicodeStringFn)(
    PUNICODE_STRING DestinationString,
    __drv_aliasesMem PCWSTR SourceString   /* must outlive DestinationString */
    );
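/*
 * Open an existing file through the native NtCreateFile export of ntdll,
 * requesting STANDARD_RIGHTS_ALL | ACCESS_SYSTEM_SECURITY | FILE_GENERIC_READ.
 *
 * ACCESS_SYSTEM_SECURITY is only granted when SeSecurityPrivilege is enabled
 * on the calling token; this routine does not enable it (main() does).
 *
 * @param szFilename NUL-terminated wide NT object-manager path (the "\??\"
 *                   form, not a bare drive-letter path). Must not be NULL.
 * @param phFile     Receives the opened handle on success; set to NULL before
 *                   the call so a failure never leaves a stale value behind.
 *                   Must not be NULL.
 * @return The NTSTATUS from NtCreateFile; STATUS_INVALID_PARAMETER when an
 *         argument is NULL; STATUS_PROCEDURE_NOT_FOUND when ntdll or one of
 *         its exports cannot be resolved. Success is Status >= 0.
 */
NTSTATUS NtOpenProtectedFile(LPWSTR szFilename, PHANDLE phFile)
{
    /* Numeric values so that no additional NTSTATUS header is required. */
    const NTSTATUS StatusInvalidParameter  = (NTSTATUS)0xC000000DL; /* STATUS_INVALID_PARAMETER */
    const NTSTATUS StatusProcedureNotFound = (NTSTATUS)0xC000007AL; /* STATUS_PROCEDURE_NOT_FOUND */

    if (szFilename == NULL || phFile == NULL) {
        return StatusInvalidParameter;
    }

    HMODULE hNtdll = GetModuleHandleW(L"ntdll.dll");
    if (hNtdll == NULL) {
        return StatusProcedureNotFound;
    }
    NtCreateFileFn pNtCreateFile =
        (NtCreateFileFn)GetProcAddress(hNtdll, "NtCreateFile");
    RtlInitUnicodeStringFn pRtlInitUnicodeString =
        (RtlInitUnicodeStringFn)GetProcAddress(hNtdll, "RtlInitUnicodeString");
    /* Calling through a NULL pointer here would crash; report instead. */
    if (pNtCreateFile == NULL || pRtlInitUnicodeString == NULL) {
        return StatusProcedureNotFound;
    }

    ACCESS_MASK Access = STANDARD_RIGHTS_ALL | ACCESS_SYSTEM_SECURITY | FILE_GENERIC_READ;
    UNICODE_STRING Filename;
    OBJECT_ATTRIBUTES ObjectAttrib;
    IO_STATUS_BLOCK IoStatusBlock = { 0 };
    LARGE_INTEGER Size = { 0 };   /* AllocationSize: ignored when opening an existing file */

    pRtlInitUnicodeString(&Filename, szFilename);
    InitializeObjectAttributes(&ObjectAttrib, &Filename, OBJ_CASE_INSENSITIVE, NULL, NULL);

    *phFile = NULL;
    /* FILE_OPEN rather than FILE_OPEN_IF: this routine opens an existing
     * file and must never create an empty one at the target path. */
    return pNtCreateFile(phFile, Access, &ObjectAttrib, &IoStatusBlock, &Size,
                         FILE_ATTRIBUTE_READONLY, FILE_SHARE_READ, FILE_OPEN,
                         FILE_NON_DIRECTORY_FILE, NULL, 0);
}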
// Forward declaration of SetPrivilege: it is defined after TakeOwnership
// but TakeOwnership (below) calls it.
BOOL SetPrivilege(
    HANDLE hToken,          // access token handle (needs TOKEN_ADJUST_PRIVILEGES)
    LPCTSTR lpszPrivilege,  // name of privilege to enable/disable, e.g. SE_TAKE_OWNERSHIP_NAME
    BOOL bEnablePrivilege   // TRUE to enable, FALSE to disable
    );
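/* Number of ACEs in the DACL built by BuildReadAdminDacl(). An enum (not a
 * const int) so the EXPLICIT_ACCESS array below is a real array, not a VLA. */
enum { TAKEOWN_NUM_ACES = 2 };

/*
 * Build a DACL with two explicit entries: GENERIC_READ for Everyone and
 * GENERIC_ALL for BUILTIN\Administrators.
 *
 * @param pSIDEveryone SID of the Everyone group.
 * @param pSIDAdmin    SID of BUILTIN\Administrators.
 * @param ppACL        Receives the new ACL; the caller releases it with LocalFree().
 * @return ERROR_SUCCESS, or the error code from SetEntriesInAcl.
 */
static DWORD BuildReadAdminDacl(PSID pSIDEveryone, PSID pSIDAdmin, PACL *ppACL)
{
    EXPLICIT_ACCESS ea[TAKEOWN_NUM_ACES];
    ZeroMemory(ea, sizeof ea);

    // Set read access for Everyone.
    ea[0].grfAccessPermissions = GENERIC_READ;
    ea[0].grfAccessMode = SET_ACCESS;
    ea[0].grfInheritance = NO_INHERITANCE;
    ea[0].Trustee.TrusteeForm = TRUSTEE_IS_SID;
    ea[0].Trustee.TrusteeType = TRUSTEE_IS_WELL_KNOWN_GROUP;
    ea[0].Trustee.ptstrName = (LPTSTR)pSIDEveryone;

    // Set full control for Administrators.
    ea[1].grfAccessPermissions = GENERIC_ALL;
    ea[1].grfAccessMode = SET_ACCESS;
    ea[1].grfInheritance = NO_INHERITANCE;
    ea[1].Trustee.TrusteeForm = TRUSTEE_IS_SID;
    ea[1].Trustee.TrusteeType = TRUSTEE_IS_GROUP;
    ea[1].Trustee.ptstrName = (LPTSTR)pSIDAdmin;

    return SetEntriesInAcl(TAKEOWN_NUM_ACES, ea, NULL, ppACL);
}

/*
 * Enable SeTakeOwnershipPrivilege on the current process token, set
 * pSIDAdmin as the owner of lpszOwnFile, then disable the privilege again.
 * The privilege is dropped on every path that managed to enable it, so a
 * failed owner change does not leave the process running with it enabled.
 *
 * @param lpszOwnFile Path of the file whose owner is changed.
 * @param pSIDAdmin   SID that becomes the new owner.
 * @return TRUE only if the owner was changed and the privilege was disabled
 *         again; FALSE otherwise, after printing a diagnostic.
 */
static BOOL SetOwnerWithTakeOwnershipPrivilege(LPTSTR lpszOwnFile, PSID pSIDAdmin)
{
    BOOL bRetval = FALSE;
    HANDLE hToken = NULL;
    DWORD dwRes = ERROR_SUCCESS;

    // Open a handle to the access token for the calling process.
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken)) {
        printf("OpenProcessToken failed: %lu\n", GetLastError());
        return FALSE;
    }

    // Enable the SE_TAKE_OWNERSHIP_NAME privilege.
    if (!SetPrivilege(hToken, SE_TAKE_OWNERSHIP_NAME, TRUE)) {
        printf("You must be logged on as Administrator.\n");
        goto Cleanup;
    }

    // Set the owner in the object's security descriptor.
    dwRes = SetNamedSecurityInfo(
        lpszOwnFile,                 // name of the object
        SE_FILE_OBJECT,              // type of object
        OWNER_SECURITY_INFORMATION,  // change only the object's owner
        pSIDAdmin,                   // SID of Administrator group
        NULL,
        NULL,
        NULL);
    if (dwRes != ERROR_SUCCESS) {
        printf("Could not set owner. Error: %lu\n", dwRes);
    }

    // Disable the SE_TAKE_OWNERSHIP_NAME privilege, whether or not the owner change worked.
    if (!SetPrivilege(hToken, SE_TAKE_OWNERSHIP_NAME, FALSE)) {
        printf("Failed SetPrivilege call unexpectedly.\n");
    } else if (dwRes == ERROR_SUCCESS) {
        bRetval = TRUE;
    }

Cleanup:
    CloseHandle(hToken);
    return bRetval;
}

/*
 * Replace the DACL of lpszOwnFile with "Everyone: read, Administrators: full
 * control". If the first attempt is refused with ERROR_ACCESS_DENIED, take
 * ownership of the file for BUILTIN\Administrators (using
 * SeTakeOwnershipPrivilege) and retry once.
 *
 * The file's previous owner and DACL are not captured anywhere, so this
 * change cannot be reverted by this code.
 *
 * @param lpszOwnFile Path of the file (UNICODE build: wide string).
 * @return TRUE when the DACL was written, FALSE otherwise (diagnostics are
 *         printed to stdout).
 */
BOOL TakeOwnership(LPTSTR lpszOwnFile)
{
    BOOL bRetval = FALSE;
    PSID pSIDAdmin = NULL;
    PSID pSIDEveryone = NULL;
    PACL pACL = NULL;
    SID_IDENTIFIER_AUTHORITY SIDAuthWorld = SECURITY_WORLD_SID_AUTHORITY;
    SID_IDENTIFIER_AUTHORITY SIDAuthNT = SECURITY_NT_AUTHORITY;
    DWORD dwRes;

    if (lpszOwnFile == NULL) {
        return FALSE;
    }

    // Create a SID for the Everyone group.
    if (!AllocateAndInitializeSid(&SIDAuthWorld, 1,
                                  SECURITY_WORLD_RID,
                                  0,
                                  0, 0, 0, 0, 0, 0,
                                  &pSIDEveryone)) {
        printf("AllocateAndInitializeSid (Everyone) error %lu\n", GetLastError());
        goto Cleanup;
    }

    // Create a SID for the BUILTIN\Administrators group.
    if (!AllocateAndInitializeSid(&SIDAuthNT, 2,
                                  SECURITY_BUILTIN_DOMAIN_RID,
                                  DOMAIN_ALIAS_RID_ADMINS,
                                  0, 0, 0, 0, 0, 0,
                                  &pSIDAdmin)) {
        printf("AllocateAndInitializeSid (Admin) error %lu\n", GetLastError());
        goto Cleanup;
    }

    // Specify the DACL to use.
    if (ERROR_SUCCESS != BuildReadAdminDacl(pSIDEveryone, pSIDAdmin, &pACL)) {
        printf("Failed SetEntriesInAcl\n");
        goto Cleanup;
    }

    // Try to modify the object's DACL.
    dwRes = SetNamedSecurityInfo(
        lpszOwnFile,                 // name of the object
        SE_FILE_OBJECT,              // type of object
        DACL_SECURITY_INFORMATION,   // change only the object's DACL
        NULL, NULL,                  // do not change owner or group
        pACL,                        // DACL specified
        NULL);                       // do not change SACL
    if (ERROR_SUCCESS == dwRes) {
        printf("Successfully changed DACL\n");
        bRetval = TRUE;
        // No more processing needed.
        goto Cleanup;
    }
    if (dwRes != ERROR_ACCESS_DENIED) {
        printf("First SetNamedSecurityInfo call failed: %lu\n", dwRes);
        goto Cleanup;
    }

    // Access was denied: become the owner (as Administrators) and retry.
    if (!SetOwnerWithTakeOwnershipPrivilege(lpszOwnFile, pSIDAdmin)) {
        goto Cleanup;
    }

    // Try again to modify the object's DACL, now that we are the owner.
    dwRes = SetNamedSecurityInfo(
        lpszOwnFile,                 // name of the object
        SE_FILE_OBJECT,              // type of object
        DACL_SECURITY_INFORMATION,   // change only the object's DACL
        NULL, NULL,                  // do not change owner or group
        pACL,                        // DACL specified
        NULL);                       // do not change SACL
    if (dwRes == ERROR_SUCCESS) {
        printf("Successfully changed DACL\n");
        bRetval = TRUE;
    } else {
        printf("Second SetNamedSecurityInfo call failed: %lu\n", dwRes);
    }

Cleanup:
    // FreeSid requires a SID from AllocateAndInitializeSid, so keep the guards.
    if (pSIDAdmin) {
        FreeSid(pSIDAdmin);
    }
    if (pSIDEveryone) {
        FreeSid(pSIDEveryone);
    }
    if (pACL) {
        LocalFree(pACL);
    }
    return bRetval;
}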
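/*
 * Enable or disable a single named privilege on an access token.
 *
 * @param hToken           Token opened with at least TOKEN_ADJUST_PRIVILEGES.
 * @param lpszPrivilege    Privilege name, e.g. SE_TAKE_OWNERSHIP_NAME.
 * @param bEnablePrivilege TRUE to enable the privilege, FALSE to disable it.
 * @return TRUE on success. FALSE (with a message on stdout) when an argument
 *         is NULL, the name cannot be resolved, AdjustTokenPrivileges fails,
 *         or the token does not hold the privilege at all.
 */
BOOL SetPrivilege(
    HANDLE hToken,          // access token handle
    LPCTSTR lpszPrivilege,  // name of privilege to enable/disable
    BOOL bEnablePrivilege   // to enable or disable privilege
    )
{
    TOKEN_PRIVILEGES tp = { 0 };
    LUID luid;

    if (hToken == NULL || lpszPrivilege == NULL) {
        return FALSE;
    }

    if (!LookupPrivilegeValue(
            NULL,           // lookup privilege on local system
            lpszPrivilege,  // privilege to lookup
            &luid)) {       // receives LUID of privilege
        printf("LookupPrivilegeValue error: %lu\n", GetLastError());
        return FALSE;
    }

    tp.PrivilegeCount = 1;
    tp.Privileges[0].Luid = luid;
    tp.Privileges[0].Attributes = bEnablePrivilege ? SE_PRIVILEGE_ENABLED : 0;

    // Adjust only this privilege (DisableAllPrivileges == FALSE); no previous state requested.
    if (!AdjustTokenPrivileges(
            hToken,
            FALSE,
            &tp,
            sizeof tp,
            (PTOKEN_PRIVILEGES)NULL,
            (PDWORD)NULL)) {
        printf("AdjustTokenPrivileges error: %lu\n", GetLastError());
        return FALSE;
    }

    // AdjustTokenPrivileges can return TRUE and still adjust nothing: the
    // privilege is absent from the token and last-error is ERROR_NOT_ALL_ASSIGNED.
    if (GetLastError() == ERROR_NOT_ALL_ASSIGNED) {
        printf("The token does not have the specified privilege. \n");
        return FALSE;
    }

    return TRUE;
}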
/* The target file in the three spellings the code below needs:
 *   EXE_FILE   - narrow Win32 path (CreateFileA, SetNamedSecurityInfoA)
 *   EXE_FILEW_ - wide Win32 path (TakeOwnership; requires a UNICODE build)
 *   EXE_FILEW  - wide NT object-manager path with the "\??\" prefix, which
 *                NtCreateFile needs instead of a bare drive-letter path */
#define EXE_FILE "C:\\Program Files\\WindowsApps\\39EA002F.NieRAutomataPC_1.0.38.0_x64__n746a19ndrrjg\\NieRAutomata.exe"
#define EXE_FILEW_ L"C:\\Program Files\\WindowsApps\\39EA002F.NieRAutomataPC_1.0.38.0_x64__n746a19ndrrjg\\NieRAutomata.exe"
#define EXE_FILEW L"\\??\\C:\\Program Files\\WindowsApps\\39EA002F.NieRAutomataPC_1.0.38.0_x64__n746a19ndrrjg\\NieRAutomata.exe"
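/// <summary>
/// Entry point. Rewrites the DACL of the packaged executable named by
/// EXE_FILE (taking ownership first via TakeOwnership), then opens it once
/// with CreateFileA and once with NtCreateFile. Every handle and the ACL are
/// released before returning.
/// Paths involved:
/// C:\Program Files\WindowsApps\39EA002F.NieRAutomataPC_1.0.38.0_x64__n746a19ndrrjg
/// "C:\Program Files\WindowsApps\39EA002F.NieRAutomataPC_1.0.38.0_x64__n746a19ndrrjg\NieRAutomata.exe"
/// </summary>
/// <param name="argc">Argument count; only sanity-checked.</param>
/// <param name="argv">Argument vector; unused.</param>
/// <returns>0 on success; 1 on an impossible argc; 2 when the file cannot be
/// opened; 3 when the process token cannot be opened.</returns>
int main(int argc, char* argv[])
{
    (void)argv;
    if (argc <= 0) {
        return 1;
    }

    int exitCode = 0;
    EXPLICIT_ACCESS eas[2] = { { 0, }, };
    PACL pacl = NULL;
    DWORD rc = ERROR_SUCCESS;
    HANDLE hToken = NULL;
    HANDLE hFile = INVALID_HANDLE_VALUE;
    HANDLE hNtFile = NULL;
    NTSTATUS status = 0;

    // ACE 0: deny GENERIC_ALL to Everyone. ACE 1: grant GENERIC_ALL to the
    // current user. NOTE(review): SetEntriesInAcl places deny ACEs before
    // grant ACEs, and the current user is a member of Everyone, so the deny
    // is expected to win over the grant -- confirm that this is the intent.
    eas[0].grfAccessPermissions = GENERIC_ALL;
    eas[0].grfAccessMode = DENY_ACCESS;
    eas[0].grfInheritance = NO_INHERITANCE;
    eas[0].Trustee.TrusteeForm = TRUSTEE_IS_NAME;
    eas[0].Trustee.TrusteeType = TRUSTEE_IS_WELL_KNOWN_GROUP;
    eas[0].Trustee.ptstrName = TEXT("EVERYONE");

    eas[1].grfAccessPermissions = GENERIC_ALL;
    eas[1].grfAccessMode = GRANT_ACCESS;
    eas[1].grfInheritance = NO_INHERITANCE;
    eas[1].Trustee.TrusteeForm = TRUSTEE_IS_NAME;
    eas[1].Trustee.TrusteeType = TRUSTEE_IS_USER;
    eas[1].Trustee.ptstrName = TEXT("CURRENT_USER");

    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &hToken)) {
        printf("OpenProcessToken error: %lu\n", GetLastError());
        return 3;
    }

    // SeSecurityPrivilege backs ACCESS_SYSTEM_SECURITY in NtOpenProtectedFile,
    // SeTakeOwnershipPrivilege backs TakeOwnership. A failure is reported
    // here; the later calls show its consequence.
    if (!SetPrivilege(hToken, SE_SECURITY_NAME, TRUE)) {
        printf("Could not enable SeSecurityPrivilege\n");
    }
    if (!SetPrivilege(hToken, SE_TAKE_OWNERSHIP_NAME, TRUE)) {
        printf("Could not enable SeTakeOwnershipPrivilege\n");
    }

    // NOTE(review): the file's original owner and DACL are never read back
    // (the GetNamedSecurityInfo call was left out), so nothing in this
    // program can restore them afterwards.
    if (!TakeOwnership(EXE_FILEW_)) {
        printf("TakeOwnership failed\n");
    }

    rc = SetEntriesInAcl(2, eas, NULL, &pacl);
    if (rc != ERROR_SUCCESS) {
        printf("SetEntriesInAcl error: %lu\n", rc);
    } else {
        rc = SetNamedSecurityInfoA(EXE_FILE, SE_FILE_OBJECT, DACL_SECURITY_INFORMATION,
                                   NULL, NULL, pacl, NULL);
        if (rc != ERROR_SUCCESS) {
            printf("SetNamedSecurityInfoA error: %lu\n", rc);
        }
    }

    // OPEN_EXISTING: the executable must already exist; never create it here.
    hFile = CreateFileA(EXE_FILE, GENERIC_READ,
                        FILE_SHARE_DELETE | FILE_SHARE_READ | FILE_SHARE_WRITE, NULL,
                        OPEN_EXISTING, FILE_ATTRIBUTE_READONLY, NULL);
    if (hFile == INVALID_HANDLE_VALUE) {
        printf("CreateFileA error: %lu\n", GetLastError());
        exitCode = 2;
        goto Cleanup;
    }

    // Second open through the native API; judged by its NTSTATUS (success is
    // Status >= 0), not by comparing the handle with INVALID_HANDLE_VALUE.
    status = NtOpenProtectedFile(EXE_FILEW, &hNtFile);
    if (status < 0) {
        printf("NtCreateFile error: 0x%08lX\n", (unsigned long)status);
        exitCode = 2;
        goto Cleanup;
    }

Cleanup:
    if (hNtFile != NULL) {
        CloseHandle(hNtFile);
    }
    if (hFile != INVALID_HANDLE_VALUE) {
        CloseHandle(hFile);
    }
    if (pacl != NULL) {
        LocalFree(pacl);
    }
    CloseHandle(hToken);
    return exitCode;
}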