Martymoose98

NieR:Automata Take Ownership of win store exe [Untested]

Oct 17th, 2021 (edited)
  1. #include <windows.h>
  2. #include <winternl.h>
  3. #include <accctrl.h>
  4. #include <aclapi.h>
  5. #include <stdio.h>
  6. #include <aclapi.h>
  7.  
  8. //#pragma comment(lib, "cmcfg32.lib")
  9.  
/* Prototype of ntdll!NtCreateFile.  The native API is not linked through an
 * import library here; NtOpenProtectedFile resolves it at run time with
 * GetProcAddress so the file can be opened with an NT-native path and an
 * access mask (ACCESS_SYSTEM_SECURITY) that CreateFile does not expose. */
typedef __kernel_entry NTSTATUS (NTAPI *NtCreateFileFn)(
    PHANDLE            FileHandle,
    ACCESS_MASK        DesiredAccess,
    POBJECT_ATTRIBUTES ObjectAttributes,
    PIO_STATUS_BLOCK   IoStatusBlock,
    PLARGE_INTEGER     AllocationSize,
    ULONG              FileAttributes,
    ULONG              ShareAccess,
    ULONG              CreateDisposition,
    ULONG              CreateOptions,
    PVOID              EaBuffer,
    ULONG              EaLength
);

/* Prototype of ntdll!RtlInitUnicodeString.  Per the __drv_aliasesMem
 * annotation the resulting UNICODE_STRING aliases SourceString rather than
 * copying it, so SourceString must stay alive while the string is in use. */
typedef VOID (NTAPI* RtlInitUnicodeStringFn)(
    PUNICODE_STRING         DestinationString,
    __drv_aliasesMem PCWSTR SourceString
);
  28.  
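#ifndef STATUS_INVALID_PARAMETER
#define STATUS_INVALID_PARAMETER   ((NTSTATUS)0xC000000DL)
#endif
#ifndef STATUS_PROCEDURE_NOT_FOUND
#define STATUS_PROCEDURE_NOT_FOUND ((NTSTATUS)0xC000007AL)
#endif

/*
 * Open an EXISTING file through ntdll!NtCreateFile with a deliberately broad
 * access mask: every standard right (READ_CONTROL, WRITE_DAC, WRITE_OWNER,
 * DELETE, SYNCHRONIZE), ACCESS_SYSTEM_SECURITY and FILE_GENERIC_READ.
 *
 * szFilename must be an NT-native path (e.g. L"\\??\\C:\\...") -- Win32
 * paths are not translated here.  ACCESS_SYSTEM_SECURITY is only granted
 * while SeSecurityPrivilege is enabled in the calling token; without it the
 * open fails with STATUS_PRIVILEGE_NOT_HELD (main() enables it beforehand).
 * WRITE_DAC / WRITE_OWNER are only granted if the DACL or ownership permits
 * them, which is why TakeOwnership is run first.
 *
 * The disposition is FILE_OPEN, not FILE_OPEN_IF: the original FILE_OPEN_IF
 * would silently create an empty file if the hard-coded package path were
 * wrong, which is never what "open the protected binary" should do.
 *
 * Returns STATUS_SUCCESS with the new handle in *phFile (the caller owns it
 * and must CloseHandle it), STATUS_INVALID_PARAMETER if phFile or szFilename
 * is NULL, STATUS_PROCEDURE_NOT_FOUND if the ntdll exports cannot be
 * resolved, or the NTSTATUS reported by NtCreateFile.  On failure *phFile is
 * left untouched.
 */
NTSTATUS NtOpenProtectedFile(LPWSTR szFilename, PHANDLE phFile)
{
    const ACCESS_MASK Access = STANDARD_RIGHTS_ALL | ACCESS_SYSTEM_SECURITY | FILE_GENERIC_READ;
    UNICODE_STRING Filename;
    OBJECT_ATTRIBUTES ObjectAttrib;
    IO_STATUS_BLOCK IoStatusBlock;
    HMODULE hNtdll;
    NtCreateFileFn pNtCreateFile;
    RtlInitUnicodeStringFn pRtlInitUnicodeString;

    if (phFile == NULL || szFilename == NULL)
        return STATUS_INVALID_PARAMETER;

    /* Explicit W variant: the wide literal must not depend on UNICODE being defined. */
    hNtdll = GetModuleHandleW(L"ntdll.dll");
    if (hNtdll == NULL)
        return STATUS_PROCEDURE_NOT_FOUND;

    pNtCreateFile = (NtCreateFileFn)GetProcAddress(hNtdll, "NtCreateFile");
    pRtlInitUnicodeString = (RtlInitUnicodeStringFn)GetProcAddress(hNtdll, "RtlInitUnicodeString");
    if (pNtCreateFile == NULL || pRtlInitUnicodeString == NULL)
        return STATUS_PROCEDURE_NOT_FOUND;   /* never call through a NULL export */

    /* Filename aliases szFilename; no copy is made. */
    pRtlInitUnicodeString(&Filename, szFilename);
    InitializeObjectAttributes(&ObjectAttrib, &Filename, OBJ_CASE_INSENSITIVE, NULL, NULL);

    /* AllocationSize and FileAttributes only matter when a file is created;
     * with FILE_OPEN they are ignored, so pass the neutral values. */
    return pNtCreateFile(phFile, Access, &ObjectAttrib, &IoStatusBlock, NULL,
        FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ, FILE_OPEN, FILE_NON_DIRECTORY_FILE,
        NULL, 0);
}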
  55.  
  56.  
  57.  
/* Forward declaration: SetPrivilege (defined further down) enables or
 * disables one named privilege on hToken.  TakeOwnership needs it before the
 * definition appears in this file. */
BOOL SetPrivilege(
    HANDLE hToken,          // access token handle
    LPCTSTR lpszPrivilege,  // name of privilege to enable/disable
    BOOL bEnablePrivilege   // to enable or disable privilege
);
  64.  
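/*
 * Give BUILTIN\Administrators full control of lpszOwnFile and Everyone read
 * access.  The DACL is written directly if the caller already holds
 * WRITE_DAC; on ERROR_ACCESS_DENIED the function enables
 * SeTakeOwnershipPrivilege, makes Administrators the owner (an owner always
 * has implicit READ_CONTROL and WRITE_DAC) and writes the DACL again.
 *
 * Security notes:
 *  - The DACL is built from scratch (SetEntriesInAcl with no existing ACL),
 *    so every ACE currently on the file is discarded.  For a binary under
 *    WindowsApps that presumably includes the package / application-
 *    container ACEs the Store app depends on; whether the app still launches
 *    afterwards is not verified here.  Merge with the existing DACL
 *    (GetNamedSecurityInfo + pass it as OldAcl) if those must survive.
 *  - Taking ownership requires an elevated administrator token.  The
 *    privilege is enabled only around the owner change and is disabled again
 *    on every exit path, including failures.
 *
 * Returns TRUE once the DACL has been applied, FALSE otherwise; diagnostics
 * are printed to stdout.
 */
BOOL TakeOwnership(LPTSTR lpszOwnFile)
{
    enum { NUM_ACES = 2 };          /* true constant: 'const int' would make ea[] a VLA in C */
    BOOL bRetval = FALSE;
    BOOL bPrivEnabled = FALSE;      /* TRUE while we hold SeTakeOwnershipPrivilege enabled */
    HANDLE hToken = NULL;
    PSID pSIDAdmin = NULL;
    PSID pSIDEveryone = NULL;
    PACL pACL = NULL;
    SID_IDENTIFIER_AUTHORITY SIDAuthWorld = SECURITY_WORLD_SID_AUTHORITY;
    SID_IDENTIFIER_AUTHORITY SIDAuthNT = SECURITY_NT_AUTHORITY;
    EXPLICIT_ACCESS ea[NUM_ACES];
    DWORD dwRes;

    if (lpszOwnFile == NULL)
    {
        printf("TakeOwnership: no file name supplied\n");
        return FALSE;
    }

    /* Everyone (S-1-1-0). */
    if (!AllocateAndInitializeSid(&SIDAuthWorld, 1,
        SECURITY_WORLD_RID,
        0, 0, 0, 0, 0, 0, 0,
        &pSIDEveryone))
    {
        printf("AllocateAndInitializeSid (Everyone) error %lu\n", GetLastError());
        goto Cleanup;
    }

    /* BUILTIN\Administrators (S-1-5-32-544). */
    if (!AllocateAndInitializeSid(&SIDAuthNT, 2,
        SECURITY_BUILTIN_DOMAIN_RID,
        DOMAIN_ALIAS_RID_ADMINS,
        0, 0, 0, 0, 0, 0,
        &pSIDAdmin))
    {
        printf("AllocateAndInitializeSid (Admin) error %lu\n", GetLastError());
        goto Cleanup;
    }

    ZeroMemory(ea, sizeof(ea));

    /* ACE 0: Everyone may read. */
    ea[0].grfAccessPermissions = GENERIC_READ;
    ea[0].grfAccessMode = SET_ACCESS;
    ea[0].grfInheritance = NO_INHERITANCE;
    ea[0].Trustee.TrusteeForm = TRUSTEE_IS_SID;
    ea[0].Trustee.TrusteeType = TRUSTEE_IS_WELL_KNOWN_GROUP;
    ea[0].Trustee.ptstrName = (LPTSTR)pSIDEveryone;

    /* ACE 1: Administrators get full control. */
    ea[1].grfAccessPermissions = GENERIC_ALL;
    ea[1].grfAccessMode = SET_ACCESS;
    ea[1].grfInheritance = NO_INHERITANCE;
    ea[1].Trustee.TrusteeForm = TRUSTEE_IS_SID;
    ea[1].Trustee.TrusteeType = TRUSTEE_IS_GROUP;
    ea[1].Trustee.ptstrName = (LPTSTR)pSIDAdmin;

    /* OldAcl == NULL: the resulting DACL holds ONLY these two ACEs. */
    if (ERROR_SUCCESS != SetEntriesInAcl(NUM_ACES, ea, NULL, &pACL))
    {
        printf("Failed SetEntriesInAcl\n");
        goto Cleanup;
    }

    /* First attempt: succeeds if the current DACL already grants us WRITE_DAC. */
    dwRes = SetNamedSecurityInfo(
        lpszOwnFile,                 // name of the object
        SE_FILE_OBJECT,              // type of object
        DACL_SECURITY_INFORMATION,   // change only the object's DACL
        NULL, NULL,                  // do not change owner or group
        pACL,                        // DACL specified
        NULL);                       // do not change SACL

    if (ERROR_SUCCESS == dwRes)
    {
        printf("Successfully changed DACL\n");
        bRetval = TRUE;
        goto Cleanup;
    }
    if (dwRes != ERROR_ACCESS_DENIED)
    {
        printf("First SetNamedSecurityInfo call failed: %lu\n", dwRes);
        goto Cleanup;
    }

    /* Access denied: become the owner, then retry.  TOKEN_ADJUST_PRIVILEGES
     * is all AdjustTokenPrivileges needs when no previous state is requested. */
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken))
    {
        printf("OpenProcessToken failed: %lu\n", GetLastError());
        goto Cleanup;
    }

    if (!SetPrivilege(hToken, SE_TAKE_OWNERSHIP_NAME, TRUE))
    {
        printf("You must be logged on as Administrator.\n");
        goto Cleanup;
    }
    bPrivEnabled = TRUE;

    /* Make Administrators the owner. */
    dwRes = SetNamedSecurityInfo(
        lpszOwnFile,                 // name of the object
        SE_FILE_OBJECT,              // type of object
        OWNER_SECURITY_INFORMATION,  // change only the object's owner
        pSIDAdmin,                   // SID of Administrator group
        NULL,
        NULL,
        NULL);

    if (dwRes != ERROR_SUCCESS)
    {
        printf("Could not set owner. Error: %lu\n", dwRes);
        goto Cleanup;                /* privilege is dropped in Cleanup */
    }

    /* Drop the privilege as soon as it is no longer needed. */
    bPrivEnabled = FALSE;
    if (!SetPrivilege(hToken, SE_TAKE_OWNERSHIP_NAME, FALSE))
    {
        printf("Failed SetPrivilege call unexpectedly.\n");
        goto Cleanup;
    }

    /* Second attempt, now as owner (implicit WRITE_DAC). */
    dwRes = SetNamedSecurityInfo(
        lpszOwnFile,                 // name of the object
        SE_FILE_OBJECT,              // type of object
        DACL_SECURITY_INFORMATION,   // change only the object's DACL
        NULL, NULL,                  // do not change owner or group
        pACL,                        // DACL specified
        NULL);                       // do not change SACL

    if (dwRes == ERROR_SUCCESS)
    {
        printf("Successfully changed DACL\n");
        bRetval = TRUE;
    }
    else
    {
        printf("Second SetNamedSecurityInfo call failed: %lu\n", dwRes);
    }

Cleanup:

    /* Never leave SeTakeOwnershipPrivilege enabled behind us on a failure path. */
    if (bPrivEnabled && !SetPrivilege(hToken, SE_TAKE_OWNERSHIP_NAME, FALSE))
        printf("Failed SetPrivilege call unexpectedly.\n");

    if (pSIDAdmin)
        FreeSid(pSIDAdmin);

    if (pSIDEveryone)
        FreeSid(pSIDEveryone);

    if (pACL)
        LocalFree(pACL);

    if (hToken)
        CloseHandle(hToken);

    return bRetval;
}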
  235.  
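/*
 * Enable or disable one named privilege (e.g. SE_TAKE_OWNERSHIP_NAME) on
 * hToken, which must have been opened with TOKEN_ADJUST_PRIVILEGES.
 *
 * A privilege can only be enabled if the token already holds it; this is
 * why the function checks for ERROR_NOT_ALL_ASSIGNED immediately after
 * AdjustTokenPrivileges, which returns TRUE even when it could not apply the
 * requested change.  Disabling (bEnablePrivilege == FALSE) clears the
 * ENABLED attribute only; the privilege stays in the token.
 *
 * Returns TRUE when the privilege now has the requested state, FALSE on any
 * failure (diagnostics go to stdout).
 */
BOOL SetPrivilege(
    HANDLE hToken,          // access token handle
    LPCTSTR lpszPrivilege,  // name of privilege to enable/disable
    BOOL bEnablePrivilege   // to enable or disable privilege
)
{
    TOKEN_PRIVILEGES tp;
    LUID luid;

    /* Resolve the privilege name on the local system. */
    if (!LookupPrivilegeValue(NULL, lpszPrivilege, &luid))
    {
        printf("LookupPrivilegeValue error: %lu\n", GetLastError());
        return FALSE;
    }

    /* One entry; TOKEN_PRIVILEGES already has room for it. */
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Luid = luid;
    tp.Privileges[0].Attributes = bEnablePrivilege ? SE_PRIVILEGE_ENABLED : 0;

    if (!AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp),
        (PTOKEN_PRIVILEGES)NULL, (PDWORD)NULL))
    {
        printf("AdjustTokenPrivileges error: %lu\n", GetLastError());
        return FALSE;
    }

    /* Must be read right after the call: a TRUE return with this error means
     * the token does not hold the privilege, so nothing was changed. */
    if (GetLastError() == ERROR_NOT_ALL_ASSIGNED)
    {
        printf("The token does not have the specified privilege. \n");
        return FALSE;
    }

    return TRUE;
}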
  286.  
/* Hard-coded target, three spellings of the same path:
 *   EXE_FILE   - narrow Win32 path for the ...A APIs (CreateFileA, SetNamedSecurityInfoA)
 *   EXE_FILEW_ - wide Win32 path for the TCHAR-based TakeOwnership (needs UNICODE builds)
 *   EXE_FILEW  - NT-native path (\??\ prefix) as NtCreateFile expects
 * The package folder name embeds the app version (1.0.38.0) and publisher
 * hash; presumably it changes whenever the Store updates the game, so the
 * path has to be re-checked before use. */
#define EXE_FILE "C:\\Program Files\\WindowsApps\\39EA002F.NieRAutomataPC_1.0.38.0_x64__n746a19ndrrjg\\NieRAutomata.exe"
#define EXE_FILEW_ L"C:\\Program Files\\WindowsApps\\39EA002F.NieRAutomataPC_1.0.38.0_x64__n746a19ndrrjg\\NieRAutomata.exe"
#define EXE_FILEW L"\\??\\C:\\Program Files\\WindowsApps\\39EA002F.NieRAutomataPC_1.0.38.0_x64__n746a19ndrrjg\\NieRAutomata.exe"
  290.  
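/// <summary>
/// Entry point.  Takes ownership of the Store-installed NieR:Automata binary
/// (EXE_FILE under C:\Program Files\WindowsApps\...), replaces its DACL with
/// a single full-control grant to the current user, then opens it once via
/// CreateFileA and once via the native NtCreateFile path to confirm it is
/// readable.
///
/// Must run from an elevated token: SeSecurityPrivilege is needed for the
/// ACCESS_SYSTEM_SECURITY open in NtOpenProtectedFile and
/// SeTakeOwnershipPrivilege for the owner change in TakeOwnership.
///
/// The final DACL contains only the grant to the current user; every ACE
/// previously on the file (including any package ACEs) is discarded, and
/// whether the Store app still launches afterwards is not verified here.
/// The original build also added a DENY/GENERIC_ALL ACE for EVERYONE, but
/// deny ACEs are evaluated first and the caller is itself a member of
/// Everyone, so that ACE would have locked the caller out as well; an
/// explicit DACL holding only the grant already denies every other
/// principal.
/// </summary>
/// <param name="argc">argument count; only sanity-checked</param>
/// <param name="argv">argument vector; unused</param>
/// <returns>0 on success, 1 on a bad argc, 2 if the file could not be
/// opened, 3 if the process token could not be opened, 4 if the DACL could
/// not be built</returns>
int main(int argc, char* argv[])
{
    (void)argv;
    if (argc <= 0)
        return 1;

    EXPLICIT_ACCESS ea = { 0 };
    PACL pacl = NULL;
    DWORD rc = 0;
    HANDLE hToken = NULL;
    HANDLE hFile = INVALID_HANDLE_VALUE;   /* from CreateFileA */
    HANDLE hNtFile = NULL;                 /* from NtOpenProtectedFile */
    NTSTATUS st;
    int exitCode = 0;

    /* Single ACE: full control for the caller.  "CURRENT_USER" is a special
     * trustee name that SetEntriesInAcl resolves to the calling user. */
    ea.grfAccessPermissions = GENERIC_ALL;
    ea.grfAccessMode = GRANT_ACCESS;
    ea.grfInheritance = NO_INHERITANCE;
    ea.Trustee.TrusteeForm = TRUSTEE_IS_NAME;
    ea.Trustee.TrusteeType = TRUSTEE_IS_USER;
    ea.Trustee.ptstrName = TEXT("CURRENT_USER");

    /* Least privilege on the token handle: AdjustTokenPrivileges needs
     * TOKEN_ADJUST_PRIVILEGES (plus TOKEN_QUERY for previous-state queries);
     * TOKEN_ALL_ACCESS was far more than required. */
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
    {
        printf("OpenProcessToken failed: %lu\n", GetLastError());
        return 3;
    }

    /* SeSecurityPrivilege: required for the ACCESS_SYSTEM_SECURITY open below.
     * SeTakeOwnershipPrivilege: TakeOwnership re-enables it itself when it
     * needs it, so this one is best-effort. */
    if (!SetPrivilege(hToken, SE_SECURITY_NAME, TRUE))
        printf("Warning: SeSecurityPrivilege not enabled; the ACCESS_SYSTEM_SECURITY open will fail\n");
    SetPrivilege(hToken, SE_TAKE_OWNERSHIP_NAME, TRUE);

    /* Failure here is reported but not fatal: the DACL write below may still
     * succeed if the caller already had WRITE_DAC. */
    if (!TakeOwnership(EXE_FILEW_))
        printf("TakeOwnership failed; attempting DACL update anyway\n");

    rc = SetEntriesInAcl(1, &ea, NULL, &pacl);
    if (rc != ERROR_SUCCESS)
    {
        printf("SetEntriesInAcl failed: %lu\n", rc);
        exitCode = 4;
        goto Cleanup;
    }

    rc = SetNamedSecurityInfoA(EXE_FILE, SE_FILE_OBJECT, DACL_SECURITY_INFORMATION,
        NULL, NULL, pacl, NULL);
    if (rc != ERROR_SUCCESS)
        printf("SetNamedSecurityInfoA failed: %lu\n", rc);

    /* OPEN_EXISTING: the original OPEN_ALWAYS would silently create an empty
     * file if the hard-coded package path were wrong. */
    hFile = CreateFileA(EXE_FILE, GENERIC_READ,
        FILE_SHARE_DELETE | FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING,
        FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile == INVALID_HANDLE_VALUE)
    {
        printf("CreateFileA error: %lu\n", GetLastError());
        exitCode = 2;
        goto Cleanup;
    }

    /* Second, native open with the broad access mask; kept separate so the
     * CreateFileA handle is not overwritten and leaked. */
    st = NtOpenProtectedFile(EXE_FILEW, &hNtFile);
    if (st < 0)   /* NTSTATUS severity error/warning => negative */
    {
        printf("NtOpenProtectedFile failed: 0x%08lX\n", (unsigned long)st);
        exitCode = 2;
    }

Cleanup:
    if (hNtFile)
        CloseHandle(hNtFile);
    if (hFile != INVALID_HANDLE_VALUE)
        CloseHandle(hFile);
    if (pacl)
        LocalFree(pacl);
    if (hToken)
        CloseHandle(hToken);

    return exitCode;
}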