
I've got a routine where I process-walk to obtain the HANDLE of each process as I 'walk' down the list (which works fine), but my issue lies when I do:

`HANDLE h = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pe32.th32ProcessID)` where `PROCESS_ALL_ACCESS` is the access token, handle inheritance is set to `FALSE`, and `pe32` is a `PROCESSENTRY32`

GetLastError() returns error code 5, and all the handles that are made are addresses which do not correspond to any appropriate process in Spy++32/64 (I've tried building the application under both platform targets, but as you'd expect, the result is the same).


The code for setting SeDebugPrivilege for the host process which I'm using is:

#include <windows.h>

// Enables (or disables) SeDebugPrivilege in the current process token.
// AdjustTokenPrivileges returns TRUE even when the privilege could not be
// enabled (a non-elevated token does not hold it), so GetLastError() must be
// checked for ERROR_NOT_ALL_ASSIGNED; the token handle is closed on every path.
BOOL EnableDebugPrivilege(BOOL bEnable)
{
    HANDLE hToken = nullptr;
    LUID luid;

    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken)) return FALSE;
    if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid)) { CloseHandle(hToken); return FALSE; }

    TOKEN_PRIVILEGES tokenPriv;
    tokenPriv.PrivilegeCount = 1;
    tokenPriv.Privileges[0].Luid = luid;
    tokenPriv.Privileges[0].Attributes = bEnable ? SE_PRIVILEGE_ENABLED : 0;

    BOOL ok = AdjustTokenPrivileges(hToken, FALSE, &tokenPriv, sizeof(TOKEN_PRIVILEGES), NULL, NULL);
    DWORD err = GetLastError();   // read before CloseHandle, which may overwrite it
    CloseHandle(hToken);

    if (!ok || err == ERROR_NOT_ALL_ASSIGNED) return FALSE;
    return TRUE;
}

Some questions that would be helpful to you:

  1. I'm running Windows 7 x64 Professional.
  2. Yes, devenv.exe is started with "Run as Administrator" privileges, which means that the debugger and the application itself are started under the same affinity.
  3. I have tried toggling UAC or running the application with UAC off altogether. Still error code 5.
  4. I just attempted doing it with PROCESS_QUERY_LIMITED_INFORMATION and I receive error code 6, or ERROR_INVALID_HANDLE. Also attempted with PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, result is error 5 again.
  5. SeDebugPrivilege is enabled, verified with SysInternals' Process Explorer. Additionally, all processes that spawn from devenv/whatever the debugger is called inherit SeDebugPrivilege so...this is weird.

Thank you all very much for your time, I'm reaching wit's end with this issue :S

David S.
  • Possible duplicate of http://stackoverflow.com/questions/169355/vc-2008-openprocess-always-returning-error-5-access-denied – Xearinox Dec 22 '13 at 00:53
  • @Xearinox: I did see that question and applied what the answer(s) said: SeDebugPrivilege. – David S. Dec 22 '13 at 01:02
  • Do you really need PROCESS_ALL_ACCESS rights? – Xearinox Dec 22 '13 at 01:03
  • @Xearinox: I'm writing a DLL injector, so I'd like to be able to inject into any process. – David S. Dec 22 '13 at 01:04
  • Again, do you really need all rights? – Xearinox Dec 22 '13 at 01:09
  • @Xearinox: I just attempted to do `OpenProcess()` with `PROCESS_QUERY_LIMITED_INFORMATION` and `GetLastError()` returns error 6, or `ERROR_INVALID_HANDLE` :( – David S. Dec 22 '13 at 01:26
  • I dont have WIN 7 machine now, so only may guess. Maybe try PROCESS_QUERY_INFORMATION | PROCESS_VM_READ. Maybe EnableDebugPrivilege fails. Maybe you have error in another place. I dont see any error checking. :-) – Xearinox Dec 22 '13 at 01:46
  • @Xearinox: That also gives error 5, but, EnableDebugPrivilege does work - I checked with SysInternals' process explorer. Thank you for your help so far though! :) – David S. Dec 22 '13 at 02:06
  • Error 6 from OpenProcess is not possible because OpenProcess does not have a handle parameter. Check your typing. – Raymond Chen Dec 22 '13 at 02:26
  • @RaymondChen: I'm pretty sure the error is DEC 6, not HEX 6. I'll give it another whirl in a few minutes. – David S. Dec 22 '13 at 03:17
  • [Some processes disallow access via OpenProcess](http://msdn.microsoft.com/en-us/library/windows/desktop/ms684320(v=vs.85).aspx). DLL injection is generally considered a bad idea and it will increase the likelihood that your program will be flagged as potential malware. – Raymond Chen Dec 22 '13 at 03:38
  • @RaymondChen: I read the MSDN page too, and while I understand that I can't get a handle to something like csrss or winlogon, I should be able to inject into other applications. I'm working on a videogame trainer and I want to make my own DLL injector, I am well aware of the ill-effects of doing what I am attempting to do. – David S. Dec 22 '13 at 03:43
  • Oh, so you're interested in one specific process. The way you phrased your question it appeared that you were trying to inject into every process. ("obtain the `HANDLE` of each process".) Use Process Explorer to see what the ACL is on the process. That will tell you why you can't access it. – Raymond Chen Dec 22 '13 at 03:46
  • @RaymondChen: Well, I'm writing a general purpose DLL injector so I made a list of HANDLEs so that whenever the user selects the process from the GUI it could just use the one that's already opened and drop its payload instead of having to iterate through the process list multiple times (e.g I can just look up by HANDLE 'locally'). I don't know if this is a bad way of doing it, but if I don't figure it out in a couple of hours I'm going to write it differently. – David S. Dec 22 '13 at 03:55
  • You are falling into the trap of asking for far more permission than you need. You actually need permission for only one of the processes, so don't ask for permission for all of them. This is like saying, "Everybody please give me your bank account number" even though you really are interested in only your brother's bank account number. – Raymond Chen Dec 22 '13 at 05:04
  • I'm now faced with your problem too. Did you succeed with it? – Han Tran Dec 15 '14 at 02:55
  • @HanTran: I solved this issue by changing something in my linker settings, but I do not remember what so I apologize for this. I remember that the problem went away after I disabled Win Defender and ran the application (the injector in my case) as administrator. – David S. Jan 04 '15 at 19:27
  • @DavidS. Yes, I solved my problem by running as administrator too! Looks like the problem only happens in Windows 7 and up :) – Han Tran Jan 05 '15 at 00:35

1 Answer


Are you sure you are not passing 0 as a process ID value? The system idle process with ID 0 is included in the snapshot under the name [System Process], but you can't open a handle for it, as the documentation for OpenProcess specifically says it'll fail. Well, it says a bit more:

If the specified process is the System Process (0x00000000), the function fails and the last error code is ERROR_INVALID_PARAMETER. If the specified process is the Idle process or one of the CSRSS processes, this function fails and the last error code is ERROR_ACCESS_DENIED because their access restrictions prevent user-level code from opening them.

Well, it's not completely true, as I was able to open a handle to CSRSS (of course, it doesn't actually have the requested rights). But it may fail for some protected processes (audiodg), so you shouldn't do this. Instead, check the name of the process to see if it's the one you want.

user2345215
  • I ended up following @RaymondChen's advice and only opening handles to applications that I need to open handles to. It appears that this is a better approach, thanks! :) – David S. Dec 22 '13 at 15:56
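A worked version of what the thread converges on, added here as an illustration and not code from the question, the answer or the poster's injector: walk the Toolhelp snapshot as the question does, skip the PIDs that OpenProcess is documented never to open (0, the "[System Process]" Idle entry the answer mentions, and 4, System), pick the target by executable name as the answer suggests, and, following Raymond Chen's comments, open only that target and only with the rights the operation needs instead of PROCESS_ALL_ACCESS. The function names (Snapshot, SelectTargets, OpenTarget), the constants kListRights and kInjectRights and the default target notepad.exe are my own choices; the injection mask is the set the CreateRemoteThread documentation requires. The Win32 calls are compiled only under _WIN32 so the selection logic can be built and exercised on any host.

```cpp
// Added example (not code from the question or the answer). Walks the
// Toolhelp snapshot as the poster does, but applies the thread's advice:
// skip PIDs OpenProcess documents as unopenable, pick the target by name,
// and open only that target with only the rights the operation needs.
// Win32 calls are compiled only on Windows; the selection logic is portable.
#include <cstdio>
#include <cstring>
#include <cwctype>
#include <string>
#include <vector>

#ifdef _WIN32
#include <windows.h>
#include <tlhelp32.h>
#else
// Numeric values of the Win32 access-right macros, so the portable part builds elsewhere.
typedef unsigned long DWORD;
#define PROCESS_CREATE_THREAD             0x0002
#define PROCESS_VM_OPERATION              0x0008
#define PROCESS_VM_READ                   0x0010
#define PROCESS_VM_WRITE                  0x0020
#define PROCESS_QUERY_INFORMATION         0x0400
#define PROCESS_QUERY_LIMITED_INFORMATION 0x1000
#endif

struct ProcEntry {
    DWORD pid;
    std::wstring exe;   // szExeFile from PROCESSENTRY32W: base name only, no path
};

// Smallest useful mask: granted even on protected processes, enough to query the image name.
const DWORD kListRights = PROCESS_QUERY_LIMITED_INFORMATION;
// What a CreateRemoteThread/LoadLibrary-style injector needs per the CreateRemoteThread
// documentation; nothing in PROCESS_ALL_ACCESS beyond this is used by such an injector.
const DWORD kInjectRights = PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
                            PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ;

// The snapshot lists these, but OpenProcess never returns a usable handle for them:
// 0 is "[System Process]" (Idle), 4 is "System".
bool IsUnopenablePid(DWORD pid) { return pid == 0 || pid == 4; }

// Image names are case-insensitive on Windows; compare accordingly.
bool ExeNameEquals(const std::wstring& a, const std::wstring& b) {
    if (a.size() != b.size()) return false;
    for (size_t i = 0; i < a.size(); ++i)
        if (std::towlower(a[i]) != std::towlower(b[i])) return false;
    return true;
}

// All PIDs worth opening for an executable name (several instances may be running).
std::vector<DWORD> SelectTargets(const std::vector<ProcEntry>& procs, const std::wstring& exe) {
    std::vector<DWORD> out;
    for (const ProcEntry& p : procs)
        if (!IsUnopenablePid(p.pid) && ExeNameEquals(p.exe, exe)) out.push_back(p.pid);
    return out;
}

#ifdef _WIN32
// Enumerate without opening a single process handle.
std::vector<ProcEntry> Snapshot() {
    std::vector<ProcEntry> out;
    HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (snap == INVALID_HANDLE_VALUE) return out;
    PROCESSENTRY32W pe;
    pe.dwSize = sizeof(pe);
    if (Process32FirstW(snap, &pe)) {
        do { out.push_back({pe.th32ProcessID, pe.szExeFile}); } while (Process32NextW(snap, &pe));
    }
    CloseHandle(snap);
    return out;
}

// Open one target with exactly the requested mask. NULL with ERROR_ACCESS_DENIED (5)
// means the process's DACL or protection level refused that mask; SeDebugPrivilege
// overrides the DACL, not the protection level.
HANDLE OpenTarget(DWORD pid, DWORD rights) {
    HANDLE h = OpenProcess(rights, FALSE, pid);
    if (h == NULL)
        std::fprintf(stderr, "OpenProcess(pid %lu, 0x%lx) failed: error %lu\n", pid, rights, GetLastError());
    return h;
}

int main(int argc, char** argv) {
    const char* name = argc > 1 ? argv[1] : "notepad.exe";   // default target is an example
    std::wstring wanted(name, name + std::strlen(name));      // ASCII names only
    std::vector<DWORD> pids = SelectTargets(Snapshot(), wanted);
    for (DWORD pid : pids) {
        HANDLE h = OpenTarget(pid, kInjectRights);
        if (h) { std::printf("pid %lu: opened with 0x%lx\n", pid, kInjectRights); CloseHandle(h); continue; }
        // Distinguish "that mask was refused" from "cannot be opened at all".
        HANDLE lim = OpenTarget(pid, kListRights);
        if (lim) { std::printf("pid %lu: only limited query granted\n", pid); CloseHandle(lim); }
    }
    return pids.empty() ? 1 : 0;
}
#else
int main() { return 0; }   // nothing to open off Windows; the selection logic is unit-tested
#endif
```

Build with any C++11 compiler; on Windows run `injector_demo.exe notepad.exe` (or another image name) from an elevated prompt with SeDebugPrivilege enabled and compare the two error paths. The point of the second OpenProcess with kListRights is diagnostic: a target that opens with PROCESS_QUERY_LIMITED_INFORMATION but refuses kInjectRights is telling you about its DACL or protection level, not about your privilege code.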