Generating a windows token with SID

Question

0.00/5 (No votes)

See more:

I am working on a project where I have to create a windows token for a given SID. The intention is to generate an elevated token for a standard user. I am aware of an undocumented function "NtCreateToken()" which could do that but I dont get through much workable examples to achieve it.

The following is the code written for that :

typedef NTSTATUS(__stdcall* NtCreateToken)(

PHANDLE TokenHandle,
ACCESS_MASK DesiredAccess,
TokenGeneratorTypes::POBJECT_ATTRIBUTES ObjectAttributes,
TOKEN_TYPE TokenType,
PLUID AuthenticationId,
PLARGE_INTEGER ExpirationTime,
PTOKEN_USER User,
PTOKEN_GROUPS Groups,
TokenGeneratorTypes::PTOKEN_PRIVILEGES Privileges,
PTOKEN_OWNER Owner,
PTOKEN_PRIMARY_GROUP PrimaryGroup,
PTOKEN_DEFAULT_DACL DefaultDacl,
PTOKEN_SOURCE TokenSource
);

LUID GetLuidOfPrivilege(LPCWSTR privilegeName)
{

  PLUID pluid = nullptr;
  LUID luid;
  LookupPrivilegeValue(nullptr, privilegeName, pluid);

  luid.LowPart = pluid->LowPart;
  luid.HighPart = pluid->HighPart;

  return luid;
}


PHANDLE GenerateElevatedToken(LPCWSTR sid)
{
HMODULE hModule = GetModuleHandle(TEXT("ntdll.dll"));
NtCreateToken CreateToken = nullptr;
PSID* psid = nullptr;
TOKEN_PRIMARY_GROUP pgroup;
TOKEN_USER user;
static TOKEN_SOURCE source = { {"User32 "} };
static TOKEN_DEFAULT_DACL tdd;
static TokenGeneratorTypes::_SID Administrators = { SID_REVISION,2,SECURITY_NT_AUTHORITY,{SECURITY_BUILTIN_DOMAIN_RID,DOMAIN_ALIAS_RID_ADMINS} };
static TOKEN_GROUPS groups = { 1,{{&Administrators,SE_GROUP_ENABLED | SE_GROUP_MANDATORY}} };
static SECURITY_QUALITY_OF_SERVICE sqos = {
            sizeof(sqos), SecurityImpersonation, SECURITY_DYNAMIC_TRACKING
};
PHANDLE tokenHandle = nullptr;

static TokenGeneratorTypes::OBJECT_ATTRIBUTES oa = {
    sizeof oa, 0, 0, 0, 0, &sqos
};

HANDLE currentToken;
TOKEN_STATISTICS tstats;
DWORD returnLength;

OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, ¤tToken);

GetTokenInformation(currentToken, TOKEN_INFORMATION_CLASS::TokenStatistics, &tstats, sizeof(tstats), &returnLength);

TokenGeneratorTypes::TOKEN_PRIVILEGES Privileges = {
            25, {
                { {GetLuidOfPrivilege(SE_INCREASE_QUOTA_NAME) }, SE_PRIVILEGE_ENABLED | SE_PRIVILEGE_ENABLED_BY_DEFAULT },
                { { GetLuidOfPrivilege(SE_SECURITY_NAME) }, SE_PRIVILEGE_ENABLED | SE_PRIVILEGE_ENABLED_BY_DEFAULT },
                { { GetLuidOfPrivilege(SE_TAKE_OWNERSHIP_NAME) }, SE_PRIVILEGE_ENABLED | SE_PRIVILEGE_ENABLED_BY_DEFAULT },
                { { GetLuidOfPrivilege(SE_LOAD_DRIVER_NAME) }, SE_PRIVILEGE_ENABLED | SE_PRIVILEGE_ENABLED_BY_DEFAULT },
                { { GetLuidOfPrivilege(SE_SYSTEM_PROFILE_NAME) }, SE_PRIVILEGE_ENABLED | SE_PRIVILEGE_ENABLED_BY_DEFAULT },
                { { GetLuidOfPrivilege(SE_SYSTEMTIME_NAME) }, SE_PRIVILEGE_ENABLED | SE_PRIVILEGE_ENABLED_BY_DEFAULT },
                { { GetLuidOfPrivilege(SE_PROF_SINGLE_PROCESS_NAME) }, SE_PRIVILEGE_ENABLED | SE_PRIVILEGE_ENABLED_BY_DEFAULT },
                { { GetLuidOfPrivilege(SE_INC_BASE_PRIORITY_NAME) }, SE_PRIVILEGE_ENABLED | SE_PRIVILEGE_ENABLED_BY_DEFAULT },
                { { GetLuidOfPrivilege(SE_CREATE_PAGEFILE_NAME) }, SE_PRIVILEGE_ENABLED | SE_PRIVILEGE_ENABLED_BY_DEFAULT },
                { { GetLuidOfPrivilege(SE_BACKUP_NAME) }, SE_PRIVILEGE_ENABLED | SE_PRIVILEGE_ENABLED_BY_DEFAULT },
                { { GetLuidOfPrivilege(SE_RESTORE_NAME) }, SE_PRIVILEGE_ENABLED | SE_PRIVILEGE_ENABLED_BY_DEFAULT },
                { { GetLuidOfPrivilege(SE_SHUTDOWN_NAME) }, SE_PRIVILEGE_ENABLED | SE_PRIVILEGE_ENABLED_BY_DEFAULT },
                { { GetLuidOfPrivilege(SE_DEBUG_NAME) }, SE_PRIVILEGE_ENABLED | SE_PRIVILEGE_ENABLED_BY_DEFAULT },
                { { GetLuidOfPrivilege(SE_SYSTEM_ENVIRONMENT_NAME) }, SE_PRIVILEGE_ENABLED | SE_PRIVILEGE_ENABLED_BY_DEFAULT },
                { { GetLuidOfPrivilege(SE_CHANGE_NOTIFY_NAME) }, SE_PRIVILEGE_ENABLED | SE_PRIVILEGE_ENABLED_BY_DEFAULT },
                { { GetLuidOfPrivilege(SE_REMOTE_SHUTDOWN_NAME) }, SE_PRIVILEGE_ENABLED | SE_PRIVILEGE_ENABLED_BY_DEFAULT },
                { { GetLuidOfPrivilege(SE_UNDOCK_NAME) }, SE_PRIVILEGE_ENABLED | SE_PRIVILEGE_ENABLED_BY_DEFAULT },
                { { GetLuidOfPrivilege(SE_MANAGE_VOLUME_NAME) }, SE_PRIVILEGE_ENABLED | SE_PRIVILEGE_ENABLED_BY_DEFAULT },
                { { GetLuidOfPrivilege(SE_IMPERSONATE_NAME) }, SE_PRIVILEGE_ENABLED | SE_PRIVILEGE_ENABLED_BY_DEFAULT },
                { { GetLuidOfPrivilege(SE_CREATE_GLOBAL_NAME) }, SE_PRIVILEGE_ENABLED | SE_PRIVILEGE_ENABLED_BY_DEFAULT },
                { { GetLuidOfPrivilege(SE_INC_WORKING_SET_NAME) }, SE_PRIVILEGE_ENABLED | SE_PRIVILEGE_ENABLED_BY_DEFAULT },
                { { GetLuidOfPrivilege(SE_TIME_ZONE_NAME) }, SE_PRIVILEGE_ENABLED | SE_PRIVILEGE_ENABLED_BY_DEFAULT },
                { { GetLuidOfPrivilege(SE_CREATE_SYMBOLIC_LINK_NAME) }, SE_PRIVILEGE_ENABLED | SE_PRIVILEGE_ENABLED_BY_DEFAULT },
                { { GetLuidOfPrivilege(SE_DELEGATE_SESSION_USER_IMPERSONATE_NAME) }, SE_PRIVILEGE_ENABLED | SE_PRIVILEGE_ENABLED_BY_DEFAULT },
                { { GetLuidOfPrivilege(SE_TCB_NAME) }, SE_PRIVILEGE_ENABLED | SE_PRIVILEGE_ENABLED_BY_DEFAULT }

            } };

if (hModule != 0)
{
    CreateToken = (NtCreateToken)GetProcAddress(hModule, "NtCreateToken");

    if (CreateToken == 0)
    {
        return nullptr;
    }
}
else
{
    return nullptr;
}

ConvertStringSidToSidW(sid,psid);

pgroup = { psid };
user = { psid };

LUID sessionId = {1,0 };
PLUID psessionId = &sessionId;

CreateToken(tokenHandle, TOKEN_ALL_ACCESS, &oa, TokenPrimary,psessionId, &tstats.ExpirationTime, &user,
    &groups, (TokenGeneratorTypes::PTOKEN_PRIVILEGES) & Privileges, 0, &pgroup, &tdd, &source);

return tokenHandle;
}

The token generated from the above function is used to create a process in session id 1. The following is the code for the same :

wstring processName = _T("notepad.exe"); 
TCHAR* name = (wchar_t*)processName.c_str(); 
PROCESS_INFORMATION processInformation; STARTUPINFO startupInfo = GetStartupInfo(); 
ZeroMemory(&processInformation, sizeof(processInformation)); 
std::wstring sid = "....." //Some Valid SID.
PHANDLE tkn = GenerateElevatedToken(sid.c_str()); 
CreateProcessAsUser(tkn, nullptr, name, nullptr, 
nullptr, false, 0, nullptr, nullptr, &startupInfo,  &processInformation);

The isssue I am facing is that, the process simply starts and exits after a few seconds. I can provide more context (including for TokenGeneratorTypes and GetStartupInfo()) if required. Please point out the error with the above code.

What I have tried:

I have tried executing this program with the SeCreateTokenPrivilege enabled. However, still process simply exits.

Posted 16-Jan-21 18:35pm

JoesephMU

Add a Solution

Comments

Stefan_Lang 17-Jan-21 12:59pm

I've never done anything like this, so I'm not posting a solution.

From a quick search, it looks like you have access to server system functionality, so that is something not many developers will have any experience with. The info I got for SeCreateTokenPrvilege only shows you have the right to create a token - not to create one with elevated rights.

This raises the question, why does it need elevated rights?

I suspect that you're calling functions that return with an error because the rights you have are not sufficient. Either that or there is simply an error in your code.

Either way, why don't you use a debugger to find out what is going wrong?

In any case, you should spend more effort into checking the results and errors of functions you call, specifically system functions that are not guranteed to always do what you want depending on various conditions.

JoesephMU 17-Jan-21 13:51pm

Hi,
I am developing this on Visual Studio, so I assume you are mentioning its in-built debugger. The problem with debuging is that, a) I am executing the process in a VM (but developing in the host) and b) SeCreateTokenPrivilege is available only with lsass.exe. So I have developed a curated program which acquires the token from lsass.exe and then executes the program written above. To acheive this both the parent and child process will need to run in an elevated context. I am not aware how to intercept into these programs simultaneously with a debugger in such a situation (If you could provide pointers on that, It would be helpful).
Secondly, the reason I am creating a token with elevated rights is because my project requires me to create an elevated token for a standard user so that he/she could perform privileged operations (this is kind of similar to what corporate privilege managers do, but not exactly the same).

Stefan_Lang 17-Jan-21 14:25pm

As for debugging, I've developped embedded progams and was able to debug them right from my desktop PC. So I assume that something like that should be possible on a VM too. But I've never done that myself. Also that was 15 years ago, and I wasn't the one who set up the debugger. But I suspect that if it is possible at all, there should be useful info at Microsoft. Otherwise you should consider adding logging functionality to help you find out what your program is doing.

As for the rest, that's entirely outside my experience.

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)