En positionnant une ACL (DACL) à NULL sur un processus, un thread ou un service, tous les droits sont accordés à tout le monde : l'objet n'a alors plus aucun contrôle d'accès…
… ne pas oublier de demander le privilège SE_SECURITY_NAME (« SeSecurityPrivilege ») : il est requis par le droit ACCESS_SYSTEM_SECURITY utilisé à l'ouverture des handles ci-dessous.
Méthode générique positionnant une ACL NULL sur un HANDLE de processus, thread ou service…
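/**
 * Applies the DACL of an empty security descriptor to an already-open
 * process, thread or service handle.
 *
 * Security impact: the surrounding page describes the result as a NULL ACL,
 * meaning the object no longer has any access control and every principal is
 * granted every right on it. Any call site is therefore security-sensitive:
 * it deliberately removes the object's protection and should be reviewed and
 * monitored as such.
 *
 * @param monHandle Pointer to the open handle. For SE_SERVICE it must actually
 *                  point to an SC_HANDLE. A NULL pointer is rejected.
 * @param monType   SE_KERNEL_OBJECT (process/thread handle) or SE_SERVICE.
 *                  Any other value leaves the object untouched.
 * @return true if the security descriptor was applied, false otherwise
 *         (NULL pointer, descriptor creation failure, unsupported type, or
 *         failure of the Set*ObjectSecurity call).
 */
bool nullSdToHandle(PHANDLE monHandle, SE_OBJECT_TYPE monType)
{
    PSECURITY_DESCRIPTOR newSD = NULL;
    ULONG laTaille;
    bool succes = false;

    // The handle is dereferenced below; refuse a NULL pointer instead of crashing.
    if(monHandle == NULL)
        return false;

    // No owner, no group, no access entries, no audit entries, no base descriptor:
    // the resulting descriptor carries no ACL content at all.
    if(BuildSecurityDescriptor(NULL, NULL, 0, NULL, 0, NULL, NULL, &laTaille, &newSD) == ERROR_SUCCESS)
    {
        switch(monType)
        {
        case SE_KERNEL_OBJECT:
            // Only the DACL part of the object's descriptor is replaced.
            succes = SetKernelObjectSecurity(*monHandle, DACL_SECURITY_INFORMATION, newSD) != 0;
            break;
        case SE_SERVICE:
            // The caller passed an SC_HANDLE* disguised as a PHANDLE; undo that cast here.
            succes = SetServiceObjectSecurity(*reinterpret_cast<SC_HANDLE *>(monHandle), DACL_SECURITY_INFORMATION, newSD) != 0;
            break;
        default:
            // Unsupported object type: nothing is modified, succes stays false.
            break;
        }
        // BuildSecurityDescriptor allocated the buffer; release it with LocalFree.
        LocalFree(newSD);
    }
    return succes;
}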
Gestion des processus
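/**
 * Opens the process identified by `pid` and replaces its DACL through
 * nullSdToHandle().
 *
 * Security impact: on success the process object is left without access
 * control (see the page's description of a NULL ACL), so any account can then
 * open it with full rights. Treat this as a deliberate weakening of the
 * target process.
 *
 * @param pid Identifier of the target process.
 * @return true if the process could be opened and its DACL was replaced,
 *         false otherwise.
 */
bool giveProcessByPID(DWORD pid)
{
    bool succes = false;

    // WRITE_DAC is the right needed to change the DACL. ACCESS_SYSTEM_SECURITY
    // is why SeSecurityPrivilege must be enabled in the caller's token first.
    HANDLE processHandle = OpenProcess(WRITE_DAC | ACCESS_SYSTEM_SECURITY, false, pid);
    if(processHandle != NULL)
    {
        // The visible definition of nullSdToHandle declares no default for its
        // second parameter, so the object type is passed explicitly.
        succes = nullSdToHandle(&processHandle, SE_KERNEL_OBJECT);
        CloseHandle(processHandle);
    }
    return succes;
}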
Gestion des threads
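/**
 * Opens the thread identified by `tid` and replaces its DACL through
 * nullSdToHandle().
 *
 * Security impact: on success the thread object is left without access
 * control (see the page's description of a NULL ACL), so any account can then
 * open it with full rights. Treat this as a deliberate weakening of the
 * target thread.
 *
 * @param tid Identifier of the target thread.
 * @return true if the thread could be opened and its DACL was replaced,
 *         false otherwise.
 */
bool giveThreadByTID(DWORD tid)
{
    bool succes = false;

    // WRITE_DAC is the right needed to change the DACL. ACCESS_SYSTEM_SECURITY
    // is why SeSecurityPrivilege must be enabled in the caller's token first.
    HANDLE threadHandle = OpenThread(WRITE_DAC | ACCESS_SYSTEM_SECURITY, false, tid);
    if(threadHandle != NULL)
    {
        // The visible definition of nullSdToHandle declares no default for its
        // second parameter, so the object type is passed explicitly.
        succes = nullSdToHandle(&threadHandle, SE_KERNEL_OBJECT);
        CloseHandle(threadHandle);
    }
    return succes;
}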
Gestion des services
/**
 * Opens the named service on the local service control manager and replaces
 * its DACL through nullSdToHandle().
 *
 * Security impact: on success the service object is left without access
 * control (see the page's description of a NULL ACL), so any account is then
 * granted every right on the service. Treat this as a deliberate weakening of
 * the service's protection.
 *
 * @param serviceName Name of the service, as expected by OpenService.
 * @return true if the service could be opened and its DACL was replaced,
 *         false otherwise.
 */
bool giveServiceByName(LPCTSTR serviceName)
{
    // Local machine, default database.
    SC_HANDLE managerHandle = OpenSCManager(NULL, NULL, SC_MANAGER_CONNECT | SC_MANAGER_ENUMERATE_SERVICE);
    if(managerHandle == NULL)
        return false;

    bool succes = false;

    // WRITE_DAC is the right needed to change the DACL. ACCESS_SYSTEM_SECURITY
    // is why SeSecurityPrivilege must be enabled in the caller's token first.
    SC_HANDLE serviceHandle = OpenService(managerHandle, serviceName, WRITE_DAC | ACCESS_SYSTEM_SECURITY);
    if(serviceHandle != NULL)
    {
        // nullSdToHandle takes a PHANDLE; it casts back to SC_HANDLE* for SE_SERVICE.
        succes = nullSdToHandle(reinterpret_cast<PHANDLE>(&serviceHandle), SE_SERVICE);
        CloseServiceHandle(serviceHandle);
    }

    CloseServiceHandle(managerHandle);
    return succes;
}