3 votes

Using Windows hooks I send messages to my application, which is notified about Windows events by every application on the system.

To marshal the message parameters, I use shared memory. The external process calls DuplicateHandle, but to share the handle with my application instance, it must call OpenProcess with PROCESS_DUP_HANDLE access, which has privilege requirements.

Actually every application is able to send messages using this architecture, even if I need to enable SeDebugPrivilege in the external process. It actually works, except for the 'explorer' process, which doesn't have the SeDebugPrivilege token...

The documentation of AdjustTokenPrivileges states:

The AdjustTokenPrivileges function cannot add new privileges to the access token. It can only enable or disable the token's existing privileges. To determine the token's privileges, call the GetTokenInformation function.

So, the question is... how to add the SeDebugPrivilege token to 'explorer' process, or alternatively, how to allow 'explorer' process to call OpenProcess(PROCESS_DUP_HANDLE, FALSE, pId)?


2 Answers

4 votes

I don't understand why you don't use named shared memory. If your shared memory objects have a name, then these objects can be opened without using DuplicateHandle.

If you do have to use DuplicateHandle and need to be able to use OpenProcess(PROCESS_DUP_HANDLE, FALSE, pId) inside of any process, I think you should not use SeDebugPrivilege. Instead, you should grant PROCESS_DUP_HANDLE permission to everyone for the process with pId. If you create a process you can specify a security descriptor. If the process is already created you can use OpenProcess, GetSecurityInfo (see http://msdn.microsoft.com/en-us/library/aa446654.aspx) and SetSecurityInfo to modify the security descriptor of the process.

To test this approach you can just start Process Explorer (see http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx) with administrative rights, open the Security tab of the selected process (the process with pId) and modify its security descriptor. After that all processes will be able to use OpenProcess(PROCESS_DUP_HANDLE, FALSE, pId) without enabling SeDebugPrivilege.

1 vote

Is this what you're trying to accomplish?

  1. Create a block of shared memory in the "external" process.
  2. Use DuplicateHandle to create a handle to that memory in your application.
  3. Use a window message to send the handle value to your application.
  4. Access the shared memory in your application.

If I've understood correctly, then you don't need to open the handle to your application process at all. Instead, just give the shared memory block a deterministic name, such as SharedMem_XXX where XXX is the PID of the external process. Then, send the PID to your application using a window message. It can then recreate the name and use it to open the shared memory block.
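The named-shared-memory design that both answers recommend, as an added example that is not code from the question or either answer: one Win32 C program with two roles, run as two separate processes. The "producer" role stands in for the external process and creates a file mapping named from its own PID; the "consumer" role stands in for the receiving application, rebuilds the name from the PID and opens the mapping read-only. No OpenProcess, DuplicateHandle or SeDebugPrivilege is needed, because access is decided by the mapping object's own DACL rather than by the process's. The `Local\` prefix, the SDDL string (full control for the creating owner, read-only for the INTERACTIVE group) and the `build_mapping_name` helper are my choices, not anything the answers specify; the question's real design would deliver the PID as the WPARAM of the window message instead of printing it. The other route in the first answer, granting PROCESS_DUP_HANDLE to Everyone on your process, is worth avoiding where you can: that right lets any local process duplicate handles out of yours, including a full-access handle to the process itself, so the named object with a tight DACL is the lower-risk option.

```c
/* named_shared_memory.c  (added example; not from the original Q&A)
 * Build (MSVC):  cl named_shared_memory.c advapi32.lib
 * Build (MinGW): gcc named_shared_memory.c -o named_shared_memory.exe -ladvapi32
 * Run:  named_shared_memory.exe producer          (prints its PID, waits)
 *       named_shared_memory.exe consumer <pid>    (opens Local\SharedMem_<pid>)
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAPPING_SIZE 4096   /* constructed size; any page-sized value works */

/* Portable part: derive the object name from the producer's PID, following the
 * second answer's SharedMem_<PID> scheme. "Local\" pins the object to the
 * caller's session namespace (my choice). Returns the length written, or -1
 * when the buffer is too small. */
int build_mapping_name(unsigned long pid, char *buf, size_t buflen)
{
    int n = snprintf(buf, buflen, "Local\\SharedMem_%lu", pid);
    if (n < 0 || (size_t)n >= buflen) return -1;
    return n;
}

#ifdef _WIN32
#include <windows.h>
#include <sddl.h>

/* DACL for the mapping (assumed policy): GENERIC_ALL for the creating owner
 * (OW = OWNER_RIGHTS), GENERIC_READ for INTERACTIVE users (IU), nothing for
 * anyone else. The receiving application only ever needs to read. */
static const char *MAPPING_SDDL = "D:(A;;GA;;;OW)(A;;GR;;;IU)";

/* External-process side: create the named, ACL-protected mapping and fill it. */
static int producer(void)
{
    char name[64];
    SECURITY_ATTRIBUTES sa = { sizeof(sa), NULL, FALSE };
    unsigned long pid = GetCurrentProcessId();
    HANDLE hMap;
    char *view;

    if (build_mapping_name(pid, name, sizeof name) < 0) return 1;
    if (!ConvertStringSecurityDescriptorToSecurityDescriptorA(
            MAPPING_SDDL, SDDL_REVISION_1, &sa.lpSecurityDescriptor, NULL)) {
        fprintf(stderr, "SDDL conversion failed: %lu\n", GetLastError());
        return 1;
    }
    hMap = CreateFileMappingA(INVALID_HANDLE_VALUE, &sa, PAGE_READWRITE,
                              0, MAPPING_SIZE, name);
    LocalFree(sa.lpSecurityDescriptor);
    if (!hMap) { fprintf(stderr, "CreateFileMapping failed: %lu\n", GetLastError()); return 1; }

    view = (char *)MapViewOfFile(hMap, FILE_MAP_WRITE, 0, 0, MAPPING_SIZE);
    if (!view) { CloseHandle(hMap); return 1; }
    snprintf(view, MAPPING_SIZE, "hello from pid %lu", pid);   /* constructed payload */
    UnmapViewOfFile(view);

    /* In the real design this PID travels as the WPARAM of a window message. */
    printf("mapping %s ready; pass PID %lu to the consumer, Enter to release\n", name, pid);
    getchar();
    CloseHandle(hMap);
    return 0;
}

/* Receiving-application side: rebuild the name and open it with read access only. */
static int consumer(unsigned long pid)
{
    char name[64];
    HANDLE hMap;
    const char *view, *end;

    if (build_mapping_name(pid, name, sizeof name) < 0) return 1;
    hMap = OpenFileMappingA(FILE_MAP_READ, FALSE, name);   /* least privilege, no inheritance */
    if (!hMap) { fprintf(stderr, "OpenFileMapping(%s) failed: %lu\n", name, GetLastError()); return 1; }
    view = (const char *)MapViewOfFile(hMap, FILE_MAP_READ, 0, 0, MAPPING_SIZE);
    if (!view) { CloseHandle(hMap); return 1; }

    /* The content was written by another process: treat it as untrusted and
     * never assume a terminating NUL inside the view. */
    end = (const char *)memchr(view, '\0', MAPPING_SIZE);
    printf("received: %.*s\n", (int)((end ? end : view + MAPPING_SIZE) - view), view);
    UnmapViewOfFile(view);
    CloseHandle(hMap);
    return 0;
}

int main(int argc, char **argv)
{
    if (argc >= 2 && strcmp(argv[1], "producer") == 0) return producer();
    if (argc >= 3 && strcmp(argv[1], "consumer") == 0) return consumer(strtoul(argv[2], NULL, 10));
    fprintf(stderr, "usage: %s producer | consumer <pid>\n", argv[0]);
    return 2;
}
#else
int main(void) { puts("Win32-only demo; build and run it on Windows."); return 0; }
#endif
```

Start the producer first, then the consumer with the printed PID from the same interactive session; a process in another session or under another user gets ERROR_ACCESS_DENIED or ERROR_FILE_NOT_FOUND from OpenFileMappingA, which is the DACL and the `Local\` namespace doing the job that SeDebugPrivilege was being asked to do.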