
Unfortunately I have a problem with injecting into svchost. The code looks like this:

#include "Injection.h"
#pragma once 
#include <Windows.h>

/// Default constructor; the class holds no state that needs initialising here.
DLLInjection::DLLInjection() = default;
// Starts a fresh svchost.exe in a suspended state, copies dllPath into it and
// queues LoadLibraryA(dllPath) followed by ExitThread as user-mode APCs on the
// initial thread, so the DLL is loaded as soon as the thread is resumed.
//
// Security note: a process created with CreateProcess from this process runs
// under a copy of the caller's own access token (NULL attributes -> default
// security descriptor). The new svchost.exe, and therefore the injected DLL,
// has exactly the rights of the injector and nothing more; it is not the
// SYSTEM-owned service host of the same name. That is why no elevation is
// observed. The VirtualAllocEx / WriteProcessMemory / QueueUserAPC sequence
// against a suspended child is a pattern endpoint-protection products flag.
//
// None of the API return values are checked, so a failed CreateProcess leaves
// pi zeroed and every later call operates on invalid handles.
void DLLInjection::InjectDLLTosvchost(LPSTR dllPath)
{
        STARTUPINFO si = {};
        PROCESS_INFORMATION pi = {};

        // Narrow-string API names: this translation unit is evidently built
        // without UNICODE (unlike the DLL below, which uses wide strings).
        HMODULE k32 = GetModuleHandle("kernel32.dll");
        CreateProcess(NULL, "svchost.exe", NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &si, &pi);
        // A fixed 260 bytes are allocated and copied regardless of the real
        // length of dllPath; a shorter caller buffer is read past its end.
        HANDLE mem = VirtualAllocEx(pi.hProcess, NULL, 260, MEM_COMMIT | MEM_RESERVE , PAGE_READWRITE);
        WriteProcessMemory(pi.hProcess, mem, dllPath, 260, NULL);
        // The APC runs LoadLibraryA with the remote buffer as its single
        // argument; the second APC ends the thread once the DLL is loaded.
        QueueUserAPC((PAPCFUNC)GetProcAddress(k32, "LoadLibraryA"), pi.hThread, (ULONG_PTR)mem);
        QueueUserAPC((PAPCFUNC)GetProcAddress(k32, "ExitThread"), pi.hThread, 0);
        ResumeThread(pi.hThread);
        CloseHandle(pi.hThread);
        CloseHandle(pi.hProcess);

}
/// Destructor; nothing is owned by this object, so there is nothing to release.
DLLInjection::~DLLInjection() = default;

The DLL which is executed looks pretty much like this:

#pragma once
#define _CRT_SECURE_NO_WARNINGS
#include <stdio.h>
#include "funkcje.h"
#include <iostream>
#include <shellapi.h>
#include <windows.h>
#include <tchar.h>
using namespace std;
// Routine run from the injected DLL: shows a message box, launches certmgr.exe
// to add a certificate to the LocalMachine Root store, then shows a second
// message box and waits for console input.
//
// Security note: adding to the LocalMachine Root store installs a new trusted
// root CA for every user on the machine, which Windows allows only to an
// administrator. Code in a DLL runs with the access token of the process that
// loaded it, so if that process is not elevated, the certmgr.exe it starts is
// not elevated either and the add fails -- exactly the symptom described in
// the question.
void Hello()
{
    // The (LPCWSTR) casts are redundant on wide literals; presumably the DLL is
    // a UNICODE build, given the LPWSTR command line below -- TODO confirm.
    MessageBox(NULL, (LPCWSTR)L"poczatkowy messagebox", (LPCWSTR)L"Tytul messagebox", MB_ICONINFORMATION);
    char bufor[512];
    // Fixed certmgr.exe argument string (a literal, so it fits the buffer).
    sprintf(bufor, " -add -all -c \"c:\\Users\\Damian\\Desktop\\wwwtesthttpdev.crt\" -s -r LocalMachine root");
    wchar_t bufor2[200];
    // Conversion length is taken from bufor (up to 512 chars) but bufor2 holds
    // only 200; fine for this literal, but nothing guards a longer string.
    mbstowcs(bufor2, bufor, strlen(bufor) + 1);
    // CreateProcessW may modify its command-line argument, hence the writable buffer.
    LPWSTR ptr = bufor2;
    STARTUPINFO startInfo = { 0 };

    PROCESS_INFORMATION processInfo = { 0 };

    // certmgr.exe inherits this process's token; the result of the certificate
    // add is not observable here (only whether the process was started).
    BOOL bSucces = CreateProcess((LPWSTR)(L"c:\\Program Files\\Microsoft SDKs\\Windows\\v7.1A\\Bin\\certmgr.exe"), ptr, NULL, NULL, 0, 0, NULL, NULL, &startInfo, &processInfo);

    if (bSucces)
    {
        // cout/cin inside a DLL hosted by a process with no console go nowhere.
        cout << "Process Started" << endl
            << "Process ID:  " << processInfo.dwProcessId << endl;
    }
    else
    {
        cout << "Error to start a process    " << GetLastError() << endl;
    }
    MessageBox(NULL, (LPCWSTR)L"koncowy messagebox", (LPCWSTR)L"Tytul messagebox", MB_ICONINFORMATION);
    // Blocks the host thread waiting for input; the process/thread handles in
    // processInfo are never closed.
    cin.get();

}

and the DLL is loading fine, because I do get the two message boxes (one before executing the CreateProcess call and one after), but the problem is that I do not have the rights to successfully run the certmgr.exe command (it returns the message that certmgr was not successful). If I open the program with administrator rights, everything works fine. But it shouldn't work like that: I am trying to get attached to the svchost process, which should have administrator rights, but despite doing so I still do not have the rights. Can anyone help me by answering the question of how I can make my program pass the administrator rights to the function that is executed from DllMain? Thank you in advance!! The error with certmgr:

I have also tried with OpenProcess:

// Loads dllName into the already-running process processID: allocates a buffer
// there, writes the DLL path into it, runs LoadLibraryA on a remote thread, and
// afterwards starts a second remote thread that calls FreeLibrary.
//
// Security note: OpenProcess with PROCESS_ALL_ACCESS succeeds only if the
// caller's own token is granted full access to the target. A medium-integrity
// (non-elevated) caller cannot open an elevated or SYSTEM-owned process this
// way, and writing into it fails. Opening a process never confers the target's
// rights on the caller; the caller's rights decide whether the open succeeds.
// Returns true only if the write into the target succeeded; every other API
// result is unchecked.
bool Process::InjectDll(char * dllName, unsigned int processID)
{
    HANDLE pHandle = OpenProcess(PROCESS_ALL_ACCESS, false, processID);
    // NOTE(review): OpenProcess reports failure with NULL, not
    // INVALID_HANDLE_VALUE, so this check does not catch a denied open.
    if (pHandle == INVALID_HANDLE_VALUE)
        return false;
    void * address = VirtualAllocEx(pHandle, NULL, strlen(dllName), MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    // This is the call that fails for a non-elevated caller targeting an
    // elevated svchost (see the comment thread on this page); pHandle leaks
    // on this return path.
    if (!WriteProcessMemory(pHandle, address, (LPVOID)dllName, strlen(dllName), NULL))
        return false;
    HMODULE hK32 = GetModuleHandle("Kernel32");
    HANDLE tHandle = CreateRemoteThread(pHandle, NULL, 0,
        (LPTHREAD_START_ROUTINE)GetProcAddress(hK32, "LoadLibraryA"),
        address, 0, NULL);
    WaitForSingleObject(tHandle, INFINITE);
    // The thread exit code is 32 bits, so on a 64-bit target the returned
    // module handle is truncated here.
    DWORD dllAddress;
    GetExitCodeThread(tHandle, &dllAddress);
    CloseHandle(tHandle);
    VirtualFreeEx(pHandle, address, 0, MEM_RELEASE);
    // &dllAddress is an address in *this* process, handed to a thread that
    // runs in the target process, so FreeLibrary does not receive the module
    // handle it expects; pHandle is also never closed.
    tHandle = CreateRemoteThread(pHandle, NULL, 0,
        (LPTHREAD_START_ROUTINE)GetProcAddress(hK32, "FreeLibrary"), (void*
        )&dllAddress, 0, NULL);
    WaitForSingleObject(tHandle, INFINITE);
    CloseHandle(tHandle);
    return true;
}

but it also doesn't work.

  • Elevating user rights in programs is exactly what Windows wants to avoid. What makes you think you should be able to do it? – xyious Oct 30 '17 at 21:06
  • I am trying to get into the process that has the rights, so I expect that the additional code will also have them – Dandeiro1992 Oct 30 '17 at 21:13
  • Please add exact output of `cout << "Error to start a process " << GetLastError() << endl;` – Daniel Trugman Oct 30 '17 at 21:20
  • There is no error output because the process is created. The only thing is that certmgr cannot finish and add the certificate. I've added the picture in the description :) – Dandeiro1992 Oct 30 '17 at 21:38



Using CreateProcess, you are running an additional instance of svchost with the default security descriptor (from MSDN):

If lpProcessAttributes is NULL or lpSecurityDescriptor is NULL, the process gets a default security descriptor

And it seems that these privileges are not sufficient to run certmgr.


Instead, if your injector used OpenProcess and injected into the already elevated svchost, you would be able to run certmgr.

Daniel Trugman
  • So how could I improve it? – Dandeiro1992 Oct 30 '17 at 21:42
  • I have updated the description :) when it comes to the second solution (with openprocess, I have a problem with writing to memory in the line with WriteProcessMemory) – Dandeiro1992 Oct 30 '17 at 22:02
  • @Dandeiro1992, but of course. Your process doesn't have elevated privileges, so it cannot write to the elevated `svchost`. What you are trying to do is called "privilege escalation" (executing an app with administrator privileges from an app that has no such privileges). The OS puts a lot of effort into preventing this kind of attack. If I knew how to achieve that, I would probably have some extra cash right now. You could read about **past exploits** that managed to achieve that, but don't expect this kind of information on SO. – Daniel Trugman Oct 30 '17 at 22:13