
Let me try to explain my situation in as much detail as possible. I have 2 processes, process A and process B. Process A runs as administrator and process B does not. Now I want to allow process B to open process A with `PROCESS_VM_READ` so it can read from process A using `ReadProcessMemory`.

I have tried a few things. I decided to look up the token groups and token privileges of process B from process A and then call `AdjustTokenGroups` and `AdjustTokenPrivileges` on itself so it copies the privileges and groups from process B. Unfortunately I was unable to do this (`ERROR_CANT_ENABLE_DENY_ONLY`). I also tried to give process B the same groups and privileges as process A; this, however, resulted in `ERROR_NOT_ALL_ASSIGNED`. When I just copy the token privileges it is still unable to read.

Here is an example of what I tried (in process A):

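```c
#include <windows.h>
#include <stdlib.h>

// Runs in process A: queries the privileges and groups of the target
// process's token and tries to apply them to our own token.
BOOL MatchPrivilege( HANDLE hProcess )
{
    HANDLE ProcessToken = NULL;
    HANDLE OurProcessToken = NULL;
    BOOL Result = FALSE;

    if( OpenProcessToken( hProcess, TOKEN_QUERY, &ProcessToken ) && OpenProcessToken( GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_ADJUST_GROUPS, &OurProcessToken ) )
    {
        // First pass: ask for the buffer size each information class needs.
        DWORD RequiredSizePrivileges = 0;
        GetTokenInformation( ProcessToken, TokenPrivileges, NULL, 0, &RequiredSizePrivileges );

        DWORD RequiredSizeGroups = 0;
        GetTokenInformation( ProcessToken, TokenGroups, NULL, 0, &RequiredSizeGroups );

        if( RequiredSizePrivileges > 0 && RequiredSizeGroups > 0 )
        {
            VOID* ProcessPrivileges = malloc( RequiredSizePrivileges );
            VOID* ProcessGroups = malloc( RequiredSizeGroups );

            DWORD SizePrivileges = 0;
            DWORD SizeGroups = 0;

            // Second pass: read the actual privilege and group lists.
            if( ProcessPrivileges != NULL && ProcessGroups != NULL
                && GetTokenInformation( ProcessToken, TokenPrivileges, ProcessPrivileges, RequiredSizePrivileges, &SizePrivileges )
                && GetTokenInformation( ProcessToken, TokenGroups, ProcessGroups, RequiredSizeGroups, &SizeGroups ) )
            {
                // AdjustTokenPrivileges returns nonzero even when not every
                // privilege was adjusted; GetLastError() then reports
                // ERROR_NOT_ALL_ASSIGNED.
                if( AdjustTokenPrivileges( OurProcessToken, FALSE, ( TOKEN_PRIVILEGES* )ProcessPrivileges, SizePrivileges, NULL, NULL )
                    && AdjustTokenGroups( OurProcessToken, FALSE, ( TOKEN_GROUPS* )ProcessGroups, SizeGroups, NULL, NULL ) )
                {
                    Result = TRUE;
                }
            }

            free( ProcessPrivileges );
            free( ProcessGroups );
        }
    }

    // Close whichever token handles were opened, on every path.
    if( ProcessToken != NULL )
        CloseHandle( ProcessToken );
    if( OurProcessToken != NULL )
        CloseHandle( OurProcessToken );

    return Result;
}
```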

All process B does is call `OpenProcess` with `PROCESS_VM_READ` and then call `ReadProcessMemory` on a valid address of process A. Any help, suggestions and comments are welcome.

Matt Ball
Loran
  • From [msdn](http://msdn.microsoft.com/en-gb/library/windows/desktop/aa375202(v=vs.85).aspx) "The AdjustTokenPrivileges function cannot add new privileges to the access token. It can only enable or disable the token's existing privileges." – Ralara Nov 13 '14 at 16:17
  • What about `SetTokenInformation` on process A based on the information from process B from `GetTokenInformation`? – Loran Nov 13 '14 at 16:27
  • You're going to have the same issue. You can only set information in a token during creation, see the remarks section [here](http://msdn.microsoft.com/en-gb/library/windows/desktop/aa379591(v=vs.85).aspx). – Ralara Nov 13 '14 at 16:37
  • You'll have to launch process B with correct rights to begin with for it to access the memory of process A. – Ralara Nov 13 '14 at 16:37
  • I am asking my users to do that, but some users are not following tutorials or anything I have said, so I thought there might be a way to fix this. But I didn't know it was actually impossible. Do you maybe have another suggestion for how to transfer a small number of bytes (0x200) from one process to the other without using a file? – Loran Nov 13 '14 at 17:37
  • [This answer](http://stackoverflow.com/a/13455578/1295063) here may help you with that. – Ralara Nov 14 '14 at 07:17

0 Answers