
I have knowledge of Java and Python, but any language containing C in its name is so hard to understand and learn. Recently I was trying to create a BSOD in Windows using NtRaiseHardError and after a few (unsuccessful) tries in C++ I turned to C#.

Using code from here I was able to make a program and cause a BSOD. Later I tried to fully understand the code, but I cannot understand what RtlAdjustPrivilege is doing.

I see that it is some kind of privilege changing, but while the program is running I see no administrator password prompts despite the fact that I am using a user account, so I believe that it is not escalating to admin privileges. If someone knows what exactly this function does or how it works, please explain it. This is how it is implemented:

To import it:

[DllImport("ntdll.dll")]
private static extern uint RtlAdjustPrivilege
(
    int Privilege,
    bool bEnablePrivilege,
    bool IsThreadPrivilege,
    out bool PreviousValue
);

And later use it:

RtlAdjustPrivilege(19, true, false, out bool previousValue);
JustHobby

1 Answer

19 is SE_SHUTDOWN_PRIVILEGE - declared in wdm.h.

RtlAdjustPrivilege opens the token of the current process (if IsThreadPrivilege := false) or of the current thread (if IsThreadPrivilege := true), then calls ZwAdjustPrivilegesToken (AdjustTokenPrivileges is a thin shell over this API) and finally closes the opened token.

The ZwAdjustPrivilegesToken (AdjustTokenPrivileges) function enables or disables privileges in the specified access token, but the privilege must already be in the token.

RbMm
  • @JustHobby - yes, correct. It only enables or disables a single privilege. If you want more, better call `AdjustTokenPrivileges` – RbMm Jun 28 '18 at 14:05
  • Thanks for help @RbMm – JustHobby Jun 28 '18 at 14:09
  • @JustHobby of course this API is "undocumented", but it is exported from ntdll.dll in all Windows versions and in my opinion always will be exported. It allows adjusting a single privilege more simply. If we need more, of course `AdjustTokenPrivileges` (or `ZwAdjustPrivilegesToken`) is more efficient here, but calling `RtlAdjustPrivilege` several times is also not too bad. And the function returns `NTSTATUS` - `long` (can assume `int` as well - this is the same), but not `uint` - in the sense that this is a signed result and we compare it for >= 0 (ok) or < 0 (fail) – RbMm Jun 28 '18 at 14:18
  • I know it is "undocumented" but it was simple to call so I used it anyway. I am not very good at Windows programming but I think I will use AdjustTokenPrivileges next time if I can get the same results. Thanks again. – JustHobby Jun 28 '18 at 14:24