runas...


Post by ZX80 »

Hello everyone.

How can I launch any process in the Trusted Installer?
Let's take a standard console as an example (as the target). I've seen code on this forum many times to increase/improve the privileges of the current process, to get debugger-level privileges. This runs without error. Good. But what to do next? If I start a console now, the cmd process will not have 'System' specified. Yes, I have admin rights. I also know that this trick can be done using the task scheduler. But maybe someone knows another way? No services or third-party software like psexec, Advanced Run by Nirsoft etc.

Thank you.

Re: runas...

Post by bgeraghty »

Sorry If I Kept You Waiting... This could be a start for you.
https://github.com/bgeraghty/cwc-TI-Bac ... in/main.pb
SolveMyIssue_() - No QuickHelp available.

Re: runas...

Post by ZX80 »

bgeraghty, thank you very much for your response.

It is interesting. As I expected, this is done using the task scheduler (via ps-script). I'll look at this in more detail a bit later.
Attention! PowerShell can take a long time to launch. At least when it starts for the first time.

Anyway, thanks again for sharing this.

Re: runas...

Post by JHPJHP »

Hi ZX80,

See Windows Services & Other Stuff\Other_Stuff\RunExeAsSYSTEM\REaS.pb.

1. Type cmd in the available field; hit the Enter key or press the Run button.
2. Type whoami /all in the Command Prompt window; hit the Enter key.

NB*: Added the option to include the rights associated with Trusted Installer.
Last edited by JHPJHP on Sat Dec 03, 2022 10:16 pm, edited 7 times in total.

Re: runas...

Post by ChrisR »

Until now I was using NSudo

But I will consider using your tool JHPJHP, it worked well :)

Code: Select all

C:\Windows\system32>whoami
autorite nt\système

Re: runas...

Post by fryquez »

To distinguish whether you are running as Admin, System or TrustedInstaller.

Code: Select all

EnableExplicit

Import "advapi32.lib"
  CheckTokenMembership(a, b, c)
EndImport

Procedure GetAdminLevel()
  
  Protected bIsAdmin.l, bIsToken.l  
  Protected pSidAdministrator, pSidSystem, pSidTrustedInstaller
  Protected NtAuthority.SID_IDENTIFIER_AUTHORITY
  NtAuthority\Value[5]=5 ; SECURITY_NT_AUTHORITY
  
  AllocateAndInitializeSid_(@NtAuthority,
                            2,
                            #SECURITY_BUILTIN_DOMAIN_RID,
                            #DOMAIN_ALIAS_RID_ADMINS,
                            0,
                            0,
                            0,
                            0,
                            0,
                            0,
                            @pSidAdministrator)
    
  AllocateAndInitializeSid_(@NtAuthority,
                            1,
                            #SECURITY_LOCAL_SYSTEM_RID,
                            0,
                            0,
                            0,
                            0,
                            0,
                            0,
                            0,
                            @pSidSystem)
  
  
  #SECURITY_SERVICE_ID_RID_COUNT = 6
  #SECURITY_SERVICE_ID_BASE_RID = $50
  
  #SECURITY_TRUSTED_INSTALLER_RID1 = 956008885
  #SECURITY_TRUSTED_INSTALLER_RID2 = 3418522649
  #SECURITY_TRUSTED_INSTALLER_RID3 = 1831038044
  #SECURITY_TRUSTED_INSTALLER_RID4 = 1853292631
  #SECURITY_TRUSTED_INSTALLER_RID5 = 2271478464
  
  AllocateAndInitializeSid_(@NtAuthority,
                            #SECURITY_SERVICE_ID_RID_COUNT,
                            #SECURITY_SERVICE_ID_BASE_RID,
                            #SECURITY_TRUSTED_INSTALLER_RID1,
                            #SECURITY_TRUSTED_INSTALLER_RID2,
                            #SECURITY_TRUSTED_INSTALLER_RID3,
                            #SECURITY_TRUSTED_INSTALLER_RID4,
                            #SECURITY_TRUSTED_INSTALLER_RID5,
                            0,
                            0,
                            @pSidTrustedInstaller)
  
    
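  ; With a #Null token handle, CheckTokenMembership tests the calling thread's effective token
  CheckTokenMembership(#Null, pSidAdministrator, @bIsToken)
  If bIsToken : bIsAdmin = 1 : EndIf
  
  bIsToken = 0
  CheckTokenMembership(#Null, pSidSystem, @bIsToken)
  If bIsToken : bIsAdmin = 2 : EndIf
  
  bIsToken = 0
  CheckTokenMembership(#Null, pSidTrustedInstaller, @bIsToken)
  If bIsToken : bIsAdmin = 3 : EndIf
  
  ; Release the SIDs allocated by AllocateAndInitializeSid
  If pSidAdministrator : FreeSid_(pSidAdministrator) : EndIf
  If pSidSystem : FreeSid_(pSidSystem) : EndIf
  If pSidTrustedInstaller : FreeSid_(pSidTrustedInstaller) : EndIf
  
  ; 0 = none, 1 = Administrators, 2 = SYSTEM, 3 = TrustedInstaller
  ProcedureReturn bIsAdmin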
    
EndProcedure



CompilerIf #PB_Compiler_IsMainFile
  Debug GetAdminLevel()
CompilerEndIf
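
As an added example (not code from any poster in this thread): a Python sketch showing where the five TrustedInstaller RIDs in the snippet above come from, and how the 0 to 3 ranking behaves on constructed tokens. It relies on the per-service SID rule (S-1-5-80 followed by the SHA-1 of the upper-cased UTF-16LE service name); the function names and sample tokens are made up for illustration.

```python
import hashlib
import struct

SID_ADMINS = "S-1-5-32-544"  # SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS
SID_SYSTEM = "S-1-5-18"      # SECURITY_LOCAL_SYSTEM_RID


def service_sid(service_name):
    """Per-service SID: S-1-5-80 plus the SHA-1 of the upper-cased UTF-16LE
    service name, read as five little-endian 32-bit sub-authorities."""
    digest = hashlib.sha1(service_name.upper().encode("utf-16-le")).digest()
    return "S-1-5-80-" + "-".join(str(rid) for rid in struct.unpack("<5I", digest))


SID_TRUSTED_INSTALLER = service_sid("TrustedInstaller")


def sid_to_bytes(sid):
    """Binary SID layout: revision, sub-authority count, 6-byte big-endian
    authority (the page's Value[5]=5), then little-endian sub-authorities."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S":
        raise ValueError("not a string SID: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    rids = [int(p) for p in parts[3:]]
    if len(rids) > 15:
        raise ValueError("a SID holds at most 15 sub-authorities")
    return (struct.pack("BB", revision, len(rids)) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(rids), *rids))


def admin_level(token_sids):
    """Mirror GetAdminLevel(): 0 none, 1 Administrators, 2 SYSTEM,
    3 TrustedInstaller. Only enabled SIDs count, as with CheckTokenMembership."""
    enabled = {sid for sid, is_enabled in token_sids if is_enabled}
    level = 0
    for rank, sid in enumerate((SID_ADMINS, SID_SYSTEM, SID_TRUSTED_INSTALLER), 1):
        if sid in enabled:
            level = rank
    return level


# Constructed sample tokens: (SID, enabled) pairs for the user and its groups.
FILTERED_ADMIN = [("S-1-5-21-1-2-3-1001", True), (SID_ADMINS, False)]  # deny-only
ELEVATED_ADMIN = [("S-1-5-21-1-2-3-1001", True), (SID_ADMINS, True)]
LOCAL_SYSTEM = [(SID_SYSTEM, True), (SID_ADMINS, True)]
TI_TOKEN = LOCAL_SYSTEM + [(SID_TRUSTED_INSTALLER, True)]
```

On a live system, `sc showsid TrustedInstaller` prints the same SID for comparison.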

Re: runas...

Post by AZJIO »


Re: runas...

Post by ChrisR »

fryquez wrote: Fri Nov 25, 2022 6:38 pm To distinguish whether you are running as Admin, System or TrustedInstaller.
Thanks fryquez, good addition :)
It's all good with PB 6.0 C or ASM. Not a concern for me, but just to let you know, with PB 5.73 there is a Polink error: unresolved external symbol 'CheckTokenMembership'
I understood with GetAdminLevel, NSudo gives access to TrustedInstaller in addition to System

Thanks AZJIO for the other code to run the application with system rights, to clean the registry or other needs :)

Re: runas...

Post by ZX80 »

Wow :!:
An old theme revived!

To be honest, I didn't expect to see so many replies here. Thanks everyone.


ChrisR, see if it works for you.

Code: Select all

EnableExplicit

Prototype.i CheckTokenMembership(TokenHandle, pSidToCheck, pIsMember)
Global CheckTokenMembership.CheckTokenMembership

Prototype.i AllocateAndInitializeSid(pIdentifierAuthority, nSubAuthorityCount, dwSubAuthority0, dwSubAuthority1, dwSubAuthority2, dwSubAuthority3, dwSubAuthority4, dwSubAuthority5, dwSubAuthority6, dwSubAuthority7, pSid)
Global AllocateAndInitializeSid.AllocateAndInitializeSid

Prototype.i FreeSid(pSid)
Global FreeSid.FreeSid

Procedure GetAdminLevel()
  Protected dll
  Protected bIsAdmin.l, bIsToken.l
  Protected pSidAdministrator, pSidSystem, pSidTrustedInstaller
  Protected NtAuthority.SID_IDENTIFIER_AUTHORITY
  NtAuthority\Value[5]=5 ; SECURITY_NT_AUTHORITY
  
  dll=OpenLibrary(#PB_Any,"advapi32.dll")
  If dll
    CheckTokenMembership = GetFunction(dll,"CheckTokenMembership")
    If CheckTokenMembership
      AllocateAndInitializeSid = GetFunction(dll, "AllocateAndInitializeSid")
      If AllocateAndInitializeSid
        FreeSid = GetFunction(dll, "FreeSid")
        If FreeSid
          AllocateAndInitializeSid(@NtAuthority,
                                   2,
                                   #SECURITY_BUILTIN_DOMAIN_RID,
                                   #DOMAIN_ALIAS_RID_ADMINS,
                                   0,
                                   0,
                                   0,
                                   0,
                                   0,
                                   0,
                                   @pSidAdministrator)
          
          AllocateAndInitializeSid(@NtAuthority,
                                    1,
                                    #SECURITY_LOCAL_SYSTEM_RID,
                                    0,
                                    0,
                                    0,
                                    0,
                                    0,
                                    0,
                                    0,
                                    @pSidSystem)
          
          #SECURITY_SERVICE_ID_RID_COUNT = 6
          #SECURITY_SERVICE_ID_BASE_RID = $50
          
          #SECURITY_TRUSTED_INSTALLER_RID1 = 956008885
          #SECURITY_TRUSTED_INSTALLER_RID2 = 3418522649
          #SECURITY_TRUSTED_INSTALLER_RID3 = 1831038044
          #SECURITY_TRUSTED_INSTALLER_RID4 = 1853292631
          #SECURITY_TRUSTED_INSTALLER_RID5 = 2271478464
          
          AllocateAndInitializeSid(@NtAuthority,
                                    #SECURITY_SERVICE_ID_RID_COUNT,
                                    #SECURITY_SERVICE_ID_BASE_RID,
                                    #SECURITY_TRUSTED_INSTALLER_RID1,
                                    #SECURITY_TRUSTED_INSTALLER_RID2,
                                    #SECURITY_TRUSTED_INSTALLER_RID3,
                                    #SECURITY_TRUSTED_INSTALLER_RID4,
                                    #SECURITY_TRUSTED_INSTALLER_RID5,
                                    0,
                                    0,
                                    @pSidTrustedInstaller)
          

          CheckTokenMembership(#Null, pSidAdministrator, @bIsToken)
          If bIsToken : bIsAdmin = 1 : EndIf
          
          bIsToken = 0
          CheckTokenMembership(#Null, pSidSystem, @bIsToken)
          If bIsToken : bIsAdmin = 2 : EndIf
          
          bIsToken = 0
          CheckTokenMembership(#Null, pSidTrustedInstaller, @bIsToken)
          If bIsToken : bIsAdmin = 3 : EndIf
          
          FreeSid(pSidAdministrator)
          FreeSid(pSidSystem)
          FreeSid(pSidTrustedInstaller)
        EndIf
      EndIf
    EndIf
    CloseLibrary(dll)
  EndIf

  ProcedureReturn bIsAdmin
    
EndProcedure



CompilerIf #PB_Compiler_IsMainFile
  Debug GetAdminLevel()
CompilerEndIf
AZJIO, thank you.
I have already seen this code.

fryquez, thank you too.
It will be very helpful.

JHPJHP, thank you.
I really appreciate your contribution, but...
I used to be able to look at your work without any problems, including the source code. But for some time now it has been impossible. I'm sorry.

P.S. Sorry, this popup is a bit confusing.
Anyway, thanks for not passing by this topic.

Re: runas...

Post by ChrisR »

ZX80 wrote: Sat Nov 26, 2022 11:38 am ChrisR, see if it works for you.
Yes, it works fine with PB 5.73 and with the prototypes and GetFunction addition.
Advapi32.lib has been updated in PB 6.0 and the import is enough.