Running an interactive application with elevated privileges within a Standard User - c++

I am trying to open an interactive application running under the SYSTEM account within the desktop of a standard user(The interactive application has Administrative Privileges). I know this is generally not possible due to session isolation etc. However, I have witnessed applications which does so.
#pragma comment(lib, "advapi32.lib")
using namespace std;
STARTUPINFO GetStartupInfo()
{
STARTUPINFO startupInfo;
ZeroMemory(&startupInfo, sizeof(startupInfo));
startupInfo.cb = sizeof(startupInfo);
startupInfo.lpDesktop = const_cast<LPWSTR>(_T("Winsta0\\default"));
startupInfo.dwFlags = STARTF_USESHOWWINDOW;
startupInfo.wShowWindow = SW_SHOW;
return startupInfo;
}
HANDLE SetInfoOnToken(HANDLE existingToken)
{
HANDLE duplicateToken;
DWORD TokenSessionId = 1;
DuplicateTokenEx(existingToken, MAXIMUM_ALLOWED, nullptr, SECURITY_IMPERSONATION_LEVEL::SecurityIdentification, TOKEN_TYPE::TokenPrimary, &duplicateToken);
SetTokenInformation(duplicateToken, TOKEN_INFORMATION_CLASS::TokenSessionId, &TokenSessionId, sizeof(TokenSessionId));
return duplicateToken;
}
bool SetTcbPrivilege(HANDLE hToken)
{
TOKEN_PRIVILEGES tp;
LUID luid;
bool success = LookupPrivilegeValue(NULL, _T("SeTcbPrivilege"), &luid);
if (!success) {
wcout << GetLastError();
return false;
}
tp.PrivilegeCount = 1;
tp.Privileges[0].Luid = luid;
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
if (!AdjustTokenPrivileges(&hToken,FALSE,&tp,sizeof(TOKEN_PRIVILEGES),
(PTOKEN_PRIVILEGES)NULL,(PDWORD)NULL))
{
printf("AdjustTokenPrivileges error: %u\n", GetLastError());
return false;
}
if (GetLastError() == ERROR_NOT_ALL_ASSIGNED) return false;
}
int _tmain(int argc, TCHAR *argv[], TCHAR *envp[])
{
wstring processName = _T("notepad.exe");
TCHAR* name = (wchar_t*)processName.c_str();
DWORD sessionId = 0;
STARTUPINFO startupInfo = GetStartupInfo();
PROCESS_INFORMATION processInformation;
HANDLE processHandle = nullptr;
ZeroMemory(&processInformation, sizeof(processInformation));
HANDLE hToken = GetCurrentProcessToken();
SetTcbPrivilege(hToken);
hToken = SetInfoOnToken(hToken);
bool success = false;
success = CreateProcessAsUser(hToken, nullptr, name, nullptr, nullptr, false, 0, nullptr, nullptr, &startupInfo, &processInformation);
if (success)
{
wcout << "Process started.\n";
}
else
{
wcout << "There was a problem starting the process.\n";
wcout << GetLastError();
return 0;
}
CloseHandle(processInformation.hProcess);
CloseHandle(processInformation.hThread);
return 0;
}
This code works perfectly when started normally. But when run under the SYSTEM account, it does not show the notepad window (I am aware it generally shouldn't, but that is the limitation I am trying to overcome and have seen certain apps doing so). There is however a process for notepad listed in the Task Manager.
What am I missing in the code which returns this unexpected behavior ? I am left with less samples of such scenario, so please provide any suggestions on this.
EDIT:
At this point the process does not run an leaves an ERROR_INVALID_HANDLE error. What am I doing incorrect ? Please suggest.

Related

CreateProcessA fails for some programs

Found the below snippet here on SO:
https://stackoverflow.com/a/35658917/9265719.
It executes a command without creating a window. CreateProcessA() returns TRUE for cmd.exe but for any program in C:\Program Files(x86)\Windows Kits\10\Debuggers\x64\ it returns FALSE and GetLastError() returns 2 (ERROR_PATH_NOT_FOUND).
Why is it failing to create a process for programs in this directory?
#include <iostream>
#include <windows.h>
//
// Execute a command and get the results. (Only standard output)
//
std::string ExecCmd(
char cmd[] // [in] command to execute
)
{
std::string strResult;
HANDLE hPipeRead, hPipeWrite;
SECURITY_ATTRIBUTES saAttr = { sizeof(SECURITY_ATTRIBUTES) };
saAttr.bInheritHandle = TRUE; // Pipe handles are inherited by child process.
saAttr.lpSecurityDescriptor = NULL;
// Create a pipe to get results from child's stdout.
if (!CreatePipe(&hPipeRead, &hPipeWrite, &saAttr, 0))
return strResult;
STARTUPINFOA si = { sizeof(STARTUPINFOA) };
si.dwFlags = STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES;
si.hStdOutput = hPipeWrite;
si.hStdError = hPipeWrite;
si.wShowWindow = SW_HIDE; // Prevents cmd window from flashing.
// Requires STARTF_USESHOWWINDOW in dwFlags.
PROCESS_INFORMATION pi = { 0 };
BOOL fSuccess = ::CreateProcessA(NULL, cmd, NULL, NULL, TRUE,
CREATE_NO_WINDOW, NULL, NULL, &si, &pi);
if (!fSuccess)
{
DWORD dw = GetLastError();
CloseHandle(hPipeWrite);
CloseHandle(hPipeRead);
return strResult;
}
bool bProcessEnded = false;
for (; !bProcessEnded;)
{
// Give some timeslice (50 ms), so we won't waste 100% CPU.
bProcessEnded = WaitForSingleObject(pi.hProcess, 50) == WAIT_OBJECT_0;
// Even if process exited - we continue reading, if
// there is some data available over pipe.
for (;;)
{
char buf[1024];
DWORD dwRead = 0;
DWORD dwAvail = 0;
if (!::PeekNamedPipe(hPipeRead, NULL, 0, NULL, &dwAvail, NULL))
break;
if (!dwAvail) // No data available, return
break;
if (!::ReadFile(hPipeRead, buf, min(sizeof(buf) - 1, dwAvail), &dwRead, NULL) || !dwRead)
// Error, the child process might ended
break;
buf[dwRead] = 0;
strResult += buf;
}
} //for
CloseHandle(hPipeWrite);
CloseHandle(hPipeRead);
CloseHandle(pi.hProcess);
CloseHandle(pi.hThread);
return strResult;
} //ExecCmd
int main()
{
//char cmd[1000] = R"("C:\WINDOWS\system32\cmd.exe")";
char cmd[1000] = R"("C:\Program Files(x86)\Windows Kits\10\Debuggers\x64\cdb.exe")";
std::string op = ExecCmd(cmd);
std::cout << op.c_str();
}
You are missing a space in the path, between "Program Files" and "(x86)". Should be:
char cmd[1000] = R"("C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe")";

Execute CMD.EXE with CreateProcessWithLogonW() without a new console

I have to run cmd.exe with CreateProcessWithLogonW() but in the context of my program without creating another console, but MSDN says the CREATE_NEW_CONSOLE flag has been set by default. How can I unset this flag so this API doesn't create a new window for my child process?
The following code shows how this API is used in my program. I don't want the new program to run in a new console, but I could not find a solution for that.
BOOL status = FALSE;
DWORD process_flags = 0 | arg_process_flags;
DWORD logon_flags = 0 | arg_logon_flags;
PTSTR duplicate_command_Line;
PPROCESS_INFORMATION ptr_process_info;
STARTUPINFO startup_info;
RtlZeroMemory(&startup_info, sizeof(STARTUPINFO));
startup_info.cb = sizeof(STARTUPINFO);
if (ptr_process_info = arg_process_infos ? arg_process_infos : (PPROCESS_INFORMATION)LocalAlloc(LPTR, sizeof(PROCESS_INFORMATION)))
{
if (duplicate_command_Line = _wcsdup(arg_command_Line))
{
switch (arg_type)
{
case KULL_M_PROCESS_CREATE_NORMAL:
status = CreateProcess(NULL, duplicate_command_Line, NULL, NULL, FALSE, process_flags, NULL, NULL, &startup_info, ptr_process_info);
break;
case KULL_M_PROCESS_CREATE_USER:
status = CreateProcessAsUser(arg_user_token, NULL, duplicate_command_Line, NULL, NULL, FALSE, process_flags, NULL, NULL, &startup_info, ptr_process_info);
break;
case KULL_M_PROCESS_CREATE_LOGON:
status = CreateProcessWithLogonW(arg_user, arg_domain, arg_password, logon_flags, NULL, duplicate_command_Line, process_flags, NULL, NULL, &startup_info, ptr_process_info);
break;
}
if (status && (arg_auto_close_handle || !arg_process_infos))
{
CloseHandle(ptr_process_info->hThread);
CloseHandle(ptr_process_info->hProcess);
}
if (!arg_process_infos)
LocalFree(ptr_process_info);
free(duplicate_command_Line);
}
}
You could redirected input and output of child process
Here's my test program(remove the error checking).
Parent:
#include <windows.h>
#include <iostream>
#define BUFSIZE 4096
void main()
{
printf("in Parent \n");
HANDLE R_In, R_Out, R_err, W_In, W_Out, W_err;
HANDLE hStdout = GetStdHandle(STD_OUTPUT_HANDLE);
HANDLE hStdin = GetStdHandle(STD_INPUT_HANDLE);
SECURITY_ATTRIBUTES saAttr;
BOOL bSuccess;
saAttr.nLength = sizeof(SECURITY_ATTRIBUTES);
saAttr.bInheritHandle = TRUE;
saAttr.lpSecurityDescriptor = NULL;
CreatePipe(&R_In, &W_In, &saAttr, 0);
CreatePipe(&R_Out, &W_Out, &saAttr, 0);
CreatePipe(&R_err, &W_err, &saAttr, 0);
PROCESS_INFORMATION process_info;
STARTUPINFO startup_info;
RtlZeroMemory(&startup_info, sizeof(STARTUPINFO));
startup_info.cb = sizeof(STARTUPINFO);
startup_info.dwFlags = STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES;
startup_info.wShowWindow = SW_HIDE;
startup_info.hStdInput = R_In;
startup_info.hStdOutput = W_Out;
startup_info.hStdError = W_err;
BOOL ret = CreateProcessWithLogonW(L"username",L"domain",L"password", 0,L"ChildProcess.exe",NULL, CREATE_NO_WINDOW,NULL,NULL,&startup_info,&process_info);
CloseHandle(R_In);
CloseHandle(W_Out);
CloseHandle(W_err);
CHAR chBuf[BUFSIZE];
DWORD dwRead, dwWritten;
bSuccess = ReadFile(hStdin, chBuf, BUFSIZE, &dwRead, NULL);
bSuccess = WriteFile(W_In, chBuf, dwRead, &dwWritten, NULL);
while (1)
{
bSuccess = ReadFile(R_Out, chBuf, BUFSIZE, &dwRead, NULL);
if (bSuccess == 0 & GetLastError() == ERROR_BROKEN_PIPE) // child process exit.
break;
bSuccess = WriteFile(hStdout, chBuf, dwRead, &dwWritten, NULL);
}
WaitForSingleObject(process_info.hProcess, INFINITE);
printf("Parent exit\n");
}
Child:
#include <windows.h>
#include <iostream>
#define BUFSIZE 4096
#pragma warning(disable : 4996)
void main()
{
CHAR chBuf[BUFSIZE];
scanf("%s", chBuf);
printf("in Child %s\n", chBuf);
printf("Child exit\n");
return;
}
Result:
Do you mean you don't want to create a new window?
try startup_info.dwFlags = STARTF_USESHOWWINDOW;startup_info.wShowWindow = SW_HIDE; then it won't create a window.
It's been awhile, but passing DETACHED_PROCESS should work.
If not, you can call CreateProcessWithLogonW passing it a win32 binary that you provide (possibly your own with different options) that in turn will call CreateProcess opening cmd.exe without passing CREATE_NEW_CONSOLE.
Unless you're already admin, creating in the same console is utterly impossible, and if you are admin, it's an arcane technique you're better off not using.

How to execute commands from an attached console

I'm coding a WinAPI GUI program that needs calling ftp and possibly other console programs while getting their console output to act accordingly ie. waiting for ftp to complete execution before reading all its output wouldn't do.
My current approach is calling CreateProcess() to create a cmd.exe process potentially hiding the ugly console window, AttachConsole() to make it my own, GetStdHandle() to get input and output handles, SetConsoleCursorPosition() to the end of the console buffer, and WriteConsole() with commands such as ftp\n or dir\n. Yet this commands are written but not executed. However, I can manually use the same console ( using CreateProcess() with CREATE_NEW_CONSOLE flag ) to type ftp press enter and get it executed.
Previous approaches involved:
Calling ftp directly with CreateProcess() and redirected inputs/outputs.
Couldn't get ftp output until the CreateProcess() process had already ended.
Using system().
Was advised against its usage before getting any output.
My current stripped down code:
// Next two structures might be a bit misleading, they were used for the 1. previous
// approach
PROCESS_INFORMATION piProcInfo;
ZeroMemory( &piProcInfo, sizeof(PROCESS_INFORMATION));
STARTUPINFO siStartInfo;
ZeroMemory( &siStartInfo, sizeof(STARTUPINFO) );
siStartInfo.cb = sizeof(STARTUPINFO);
siStartInfo.hStdError = g_hChildStd_OUT_Wr;
siStartInfo.hStdOutput = g_hChildStd_OUT_Wr;
siStartInfo.hStdInput = g_hChildStd_IN_Rd;
siStartInfo.dwFlags |= STARTF_USESTDHANDLES;
SECURITY_ATTRIBUTES security;
security.nLength = sizeof(SECURITY_ATTRIBUTES);
security.lpSecurityDescriptor = NULL;
security.bInheritHandle = FALSE;
CreateProcess( NULL, "cmd", &security, &security, FALSE, NORMAL_PRIORITY_CLASS |
CREATE_NEW_CONSOLE, NULL, NULL, &siStartInfo, &piProcInfo);
uint32_t pidConsole = piProcInfo.dwProcessId;
while ( ! AttachConsole(pidConsole) ){};
HANDLE myConsoleIn, myConsoleOut;
myConsoleIn = GetStdHandle(STD_INPUT_HANDLE);
myConsoleOut = GetStdHandle(STD_OUTPUT_HANDLE);
Sleep(100);
CONSOLE_SCREEN_BUFFER_INFO myConsoleCursorInformation = {};
GetConsoleScreenBufferInfo(myConsoleOut,&myConsoleCursorInformation);
SetConsoleCursorPosition(myConsoleOut,myConsoleCursorInformation.dwSize);
CHAR myConsoleBuffer[200]="dir\n";
DWORD myConsoleProcessed;
WriteConsole( myConsoleOut, myConsoleBuffer, 4, &myConsoleProcessed, NULL);
How can I get a command written in the console to execute? Is there an alternative to my attempt of ending commands with a trailing \n ie. using WriteConsole() with a dir\n or ftp\n argument.
I thought about sending a keypress to the process in question after typing the desired command. Yet the created console needs not only to manually press the enter key but also having dir, ftp or whatever command to be manually typed.
Please feel free to point out any missing information !
How can I get a command written in the console to execute? Is there an
alternative to my attempt of ending commands with a trailing \n ie.
using WriteConsole() with a dir\n or ftp\n argument.
Try the following code to see if it works:
STARTUPINFO si;
PROCESS_INFORMATION pi;
ZeroMemory(&si, sizeof(si));
si.cb = sizeof(si);
ZeroMemory(&pi, sizeof(pi));
const wchar_t *cmdPath = L"C:\\Windows\\System32\\cmd.exe";
wchar_t *cmdArgs = (wchar_t *)L"C:\\Windows\\System32\\cmd.exe /k dir";
BOOL result = CreateProcess(cmdPath, cmdArgs, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi);
DWORD errCode = GetLastError();
if (!result)
{
std::cout << "Create Process failed: " << GetLastError() << std::endl;
}
/K Run Command and then return to the CMD prompt.
This is useful for testing, to examine variables
Use /C if you want "Run Command and then terminate".
Update: Complete code for communicating with a child process(cmd.exe) using pipes.
HANDLE g_hChildStd_IN_Rd = NULL;
HANDLE g_hChildStd_IN_Wr = NULL;
HANDLE g_hChildStd_OUT_Rd = NULL;
HANDLE g_hChildStd_OUT_Wr = NULL;
#define BUFSIZE 1024
void ErrorExit(LPCTSTR lpszFunction)
{
LPVOID lpMsgBuf;
LPVOID lpDisplayBuf;
DWORD dw = GetLastError();
FormatMessage(
FORMAT_MESSAGE_ALLOCATE_BUFFER |
FORMAT_MESSAGE_FROM_SYSTEM |
FORMAT_MESSAGE_IGNORE_INSERTS,
NULL,
dw,
MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
(LPTSTR)&lpMsgBuf,
0, NULL);
lpDisplayBuf = (LPVOID)LocalAlloc(LMEM_ZEROINIT,
(lstrlen((LPCTSTR)lpMsgBuf) + lstrlen((LPCTSTR)lpszFunction) + 40) * sizeof(TCHAR));
StringCchPrintf((LPTSTR)lpDisplayBuf,
LocalSize(lpDisplayBuf) / sizeof(TCHAR),
TEXT("%s failed with error %d: %s"),
lpszFunction, dw, lpMsgBuf);
MessageBox(NULL, (LPCTSTR)lpDisplayBuf, TEXT("Error"), MB_OK);
LocalFree(lpMsgBuf);
LocalFree(lpDisplayBuf);
ExitProcess(1);
}
void ReadFromPipe(void)
{
DWORD dwRead, dwWritten;
CHAR chBuf[BUFSIZE];
BOOL bSuccess = FALSE;
HANDLE hParentStdOut = GetStdHandle(STD_OUTPUT_HANDLE);
for (;;)
{
DWORD bytesAvail = 0;
if (!PeekNamedPipe(g_hChildStd_OUT_Rd, NULL, 0, NULL, &bytesAvail, NULL)) {
std::cout << "Failed to call PeekNamedPipe" << std::endl;
}
if (bytesAvail) {
DWORD n;
BOOL success = ReadFile(g_hChildStd_OUT_Rd, chBuf, BUFSIZE, &n, NULL);
if (!success || n == 0) {
}
bSuccess = WriteFile(hParentStdOut, chBuf,n, &dwWritten, NULL);
}
else
{
break;
}
}
}
void WriteToPipe(void)
{
DWORD dwWritten;
BOOL bSuccess = FALSE;
CHAR buf[] = "dir\n";
bSuccess = WriteFile(g_hChildStd_IN_Wr, buf, sizeof(buf)-1, &dwWritten, NULL);
}
int main()
{
STARTUPINFO si;
PROCESS_INFORMATION pi;
SECURITY_ATTRIBUTES saAttr;
printf("\n->Start of parent execution.\n");
// Set the bInheritHandle flag so pipe handles are inherited.
saAttr.nLength = sizeof(SECURITY_ATTRIBUTES);
saAttr.bInheritHandle = TRUE;
saAttr.lpSecurityDescriptor = NULL;
// Create a pipe for the child process's STDOUT.
if (!CreatePipe(&g_hChildStd_OUT_Rd, &g_hChildStd_OUT_Wr, &saAttr, 0))
ErrorExit(TEXT("StdoutRd CreatePipe"));
// Ensure the read handle to the pipe for STDOUT is not inherited.
if (!SetHandleInformation(g_hChildStd_OUT_Rd, HANDLE_FLAG_INHERIT, 0))
ErrorExit(TEXT("Stdout SetHandleInformation"));
// Create a pipe for the child process's STDIN.
if (!CreatePipe(&g_hChildStd_IN_Rd, &g_hChildStd_IN_Wr, &saAttr, 0))
ErrorExit(TEXT("Stdin CreatePipe"));
// Ensure the write handle to the pipe for STDIN is not inherited.
if (!SetHandleInformation(g_hChildStd_IN_Wr, HANDLE_FLAG_INHERIT, 0))
ErrorExit(TEXT("Stdin SetHandleInformation"));
ZeroMemory(&si, sizeof(si));
si.cb = sizeof(si);
ZeroMemory(&pi, sizeof(pi));
si.cb = sizeof(STARTUPINFO);
si.hStdError = g_hChildStd_OUT_Wr;
si.hStdOutput = g_hChildStd_OUT_Wr;
si.hStdInput = g_hChildStd_IN_Rd;
si.dwFlags |= STARTF_USESTDHANDLES;
TCHAR cmdPath[] = TEXT("C:\\Windows\\System32\\cmd.exe");
BOOL result = CreateProcess(cmdPath, NULL, NULL, NULL, TRUE, 0, NULL, NULL, &si, &pi);
DWORD errCode = GetLastError();
if (!result)
{
std::cout << "Create Process failed: " << GetLastError() << std::endl;
}
for (;;)
{
ReadFromPipe();
WriteToPipe();
}
}

ReadConsoleInput read only first symbol after press Enter

Excuse me for my English, but I can't solve a problem. Now I am writing Remote Console. It uses QTcpSocket and functions for work with windows console. Almost work perfect, but when I try read from console I need first press Enter and only after this my first letter will read. If I want input second letter I need press Enter again. How can I read every letters that I write?
It's my constructor:
FreeConsole();
dwProcessId = 0 ;
dwErrorId = 0;
std::wstring path = L"cmd.exe";
STARTUPINFO si;
PROCESS_INFORMATION pi;
ZeroMemory(&si, sizeof(si));
ZeroMemory(&pi, sizeof(pi));
si.cb = sizeof(si);
SECURITY_ATTRIBUTES security = {
sizeof(security), NULL, TRUE
};
if(CreateProcess(NULL, (LPWSTR)path.c_str(), NULL, NULL, TRUE, CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi))
{
dwProcessId = pi.dwProcessId;
}
else
{
dwErrorId = GetLastError();
printf("CreateProcess failed (%d).\n", dwErrorId);
return;
}
Sleep(1000);
if(!AttachConsole(pi.dwProcessId))
{
dwErrorId = GetLastError();
printf( "AttachConsole failed (%d).\n", dwErrorId);
return;
}
and here function where i have a problem:
int Console::readInputFromConsole(DataIn& data)
{
data.inputRecords.resize(40);
HANDLE inputHandle = GetStdHandle(STD_INPUT_HANDLE);
DWORD events = 0;
DWORD unread = 0;
DWORD fdwMode = ENABLE_WINDOW_INPUT | ENABLE_MOUSE_INPUT;
//fdwMode |= ENABLE_VIRTUAL_TERMINAL_PROCESSING;
BOOL bMode = SetConsoleMode(inputHandle, fdwMode);
if(!bMode)
{
std::runtime_error("error with mode");
}
Sleep(20);
BOOL statusUnread = TRUE;
statusUnread = GetNumberOfConsoleInputEvents(inputHandle, &unread);
if(!statusUnread)
throw std::runtime_error("GetNumberOfConsoleInputEvents failed.");
data.inputRecords.resize(unread);
BOOL statusRead = TRUE;
statusRead = ReadConsoleInput(inputHandle, &data.inputRecords[0], unread, &events);
if(!statusRead)
throw std::runtime_error("ReadConsoleInput failed.");
GetConsoleScreenBufferInfo(GetStdHandle(STD_OUTPUT_HANDLE), &data.consoleScreenBufferInfo);
return 0;
}
I solved problem. I just created unnecessary process on a client computer. It's very stupid, but in this way I just tried to start process in new window.

Problems with opening a process with DEBUG flags

I'm trying to open a process with my debugger using CreateProcess with the DEBUG_PROCESS and DEBUG_ONLY_THIS_PROCESS flags and the the process is opened, but then when I try to call SymInitialize with the handle I receive, it fails.
This is my code:
#include <windows.h>
#include <stdio.h>
#include <dbghelp.h>
#pragma (lib, "dbghelp.lib");
bool EnablePrivilege(LPCTSTR lpszPrivilegeName, BOOL bEnable)
{
HANDLE hToken;
TOKEN_PRIVILEGES tp;
LUID luid;
bool ret;
if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY | TOKEN_READ, &hToken))
return FALSE;
if (!LookupPrivilegeValue(NULL, lpszPrivilegeName, &luid))
return FALSE;
tp.PrivilegeCount = 1;
tp.Privileges[0].Luid = luid;
tp.Privileges[0].Attributes = bEnable ? SE_PRIVILEGE_ENABLED : 0;
ret = AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL);
CloseHandle(hToken);
return ret;
}
void main()
{
EnablePrivilege(SE_DEBUG_NAME, TRUE);
STARTUPINFOA startInfo;
PROCESS_INFORMATION processInfo;
ZeroMemory( &startInfo, sizeof(startInfo) );
startInfo.cb = sizeof(startInfo);
ZeroMemory( &processInfo, sizeof(processInfo) );
DWORD creationFlags = DEBUG_PROCESS | DEBUG_ONLY_THIS_PROCESS | PROCESS_VM_READ | PROCESS_QUERY_INFORMATION;
const char* comLine = "Some process path and name";
// Start the child process.
if( CreateProcessA( NULL, // No module name (use command line)
(LPSTR)comLine, //argv[1], // Command line
NULL, // Process handle not inheritable
NULL, // Thread handle not inheritable
FALSE, // Set handle inheritance to FALSE
creationFlags, // No creation flags
NULL, // Use parent's environment block
NULL, // Use parent's starting directory
&startInfo, // Pointer to STARTUPINFO structure
&processInfo ) // Pointer to PROCESS_INFORMATION structure
== false )
{
printf("FAIL!");
return;
}
SetLastError(0);
bool ok = SymInitialize(processInfo.hProcess, NULL, true);
int err = GetLastError();
}
If I call CreateProcess with no creation flags, symInitialize succeed.
What am I doing wrong?
Your error is result of calling MAKE_HRESULT macro as
MAKE_HRESULT(ERROR_SEVERITY_ERROR, FACILITY_NULL, ERROR_INVALID_DATA)
So your error code is not trash. Documentaion doesn't say what kind of data might be invalid in this context. I will try to see what exactly is causing the problem.
EDIT:
This code works for me
#include <windows.h>
#include <stdio.h>
#include <dbghelp.h>
#include <WinError.h>
bool EnablePrivilege(LPCTSTR lpszPrivilegeName, BOOL bEnable)
{
HANDLE hToken;
TOKEN_PRIVILEGES tp;
LUID luid;
bool ret;
if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY | TOKEN_READ, &hToken))
return FALSE;
if (!LookupPrivilegeValue(NULL, lpszPrivilegeName, &luid))
return FALSE;
tp.PrivilegeCount = 1;
tp.Privileges[0].Luid = luid;
tp.Privileges[0].Attributes = bEnable ? SE_PRIVILEGE_ENABLED : 0;
ret = AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL);
CloseHandle(hToken);
return ret;
}
void main()
{
EnablePrivilege(SE_DEBUG_NAME, TRUE);
STARTUPINFOA startInfo;
PROCESS_INFORMATION processInfo;
ZeroMemory( &startInfo, sizeof(startInfo) );
startInfo.cb = sizeof(startInfo);
ZeroMemory( &processInfo, sizeof(processInfo) );
DWORD creationFlags = DEBUG_PROCESS | DEBUG_ONLY_THIS_PROCESS | PROCESS_VM_READ | PROCESS_QUERY_INFORMATION;
const char* comLine = "C:\\Windows\\Notepad.exe";
// Start the child process.
if( CreateProcessA( NULL, // No module name (use command line)
(LPSTR)comLine,// argv[1], // Command line
NULL, // Process handle not inheritable
NULL, // Thread handle not inheritable
FALSE, // Set handle inheritance to FALSE
creationFlags, // No creation flags
NULL, // Use parent's environment block
NULL, // Use parent's starting directory
&startInfo, // Pointer to STARTUPINFO structure
&processInfo ) // Pointer to PROCESS_INFORMATION structure
== false )
{
printf("FAIL!");
return;
}
SetLastError(0);
bool ok = SymInitialize(processInfo.hProcess, NULL, true);
HRESULT err = HRESULT_FROM_WIN32(GetLastError());
}
I don't know why it doesn't for you - I am running windows XP, it might be a difference. For me SymInitialize returns true, and GetLastError returns 0x800700cb, which means only that it didn't found evirnment variable pointing it to directory with symbol files.
This might be stupid question, but perhaps you are missing some debugging libraries in your system? Have you tried installing eg. Debugging Tools for
Windows? I would reccomend 'Download Debugging Tools from the Windows SDK' option - read the description. I guess every programming IDE around would install it for you or have you install it before debugging anything, but it's always best to check.
When process is just created with DEBUG_PROCESS flag no symbols are loaded. It is required to wait for some LOAD_DLL_DEBUG_EVENT and then call SymInitialize().