I don't know why, but it seems that many developers think an elevated process can only create an elevated child process. So here is how to create a lower-integrity one: (1)
#include <sddl.h>
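void CreateLowProcess()
{
    /*
     * Launch Notepad from the current (possibly elevated) process with a
     * Low integrity label on the child's primary token.
     *
     * Only the TokenIntegrityLevel of a duplicated token is changed: the
     * child still runs as the same user, with the same groups and
     * privileges as the caller's token; Mandatory Integrity Control merely
     * denies it write access to objects of higher integrity. The caller's
     * own token is left untouched.
     *
     * No value is returned; if any of the Win32 calls fails the launch is
     * silently abandoned and every handle acquired so far is released.
     */
    HANDLE hToken = NULL;
    HANDLE hNewToken = NULL;
    // Notepad is used as an example
    WCHAR wszProcessName[MAX_PATH] = L"C:\\Windows\\Notepad.exe";
    // Low integrity SID: 0x1000 = 4096. To use Medium integrity, use 0x2000 = 8192
    WCHAR wszIntegritySid[20] = L"S-1-16-4096";
    PSID pIntegritySid = NULL;
    TOKEN_MANDATORY_LABEL TIL = {0};
    PROCESS_INFORMATION ProcInfo = {0};
    STARTUPINFO StartupInfo = {0};

    // CreateProcessAsUser requires cb to hold the structure size; a zero
    // cb is not valid and was missing from the original listing.
    StartupInfo.cb = sizeof(StartupInfo);

    if (!OpenProcessToken(GetCurrentProcess(), MAXIMUM_ALLOWED, &hToken)) {
        return;
    }

    // Work on a copy: CreateProcessAsUser needs a primary token, and we must
    // not lower the integrity level of the token the current process runs with.
    if (DuplicateTokenEx(hToken, MAXIMUM_ALLOWED, NULL, SecurityImpersonation,
                         TokenPrimary, &hNewToken)) {
        if (ConvertStringSidToSid(wszIntegritySid, &pIntegritySid)) {
            TIL.Label.Attributes = SE_GROUP_INTEGRITY;
            TIL.Label.Sid = pIntegritySid;
            // Set the process integrity level on the duplicate. The size covers
            // the label header plus the variable-length SID it points to.
            if (SetTokenInformation(hNewToken, TokenIntegrityLevel, &TIL,
                                    sizeof(TOKEN_MANDATORY_LABEL) + GetLengthSid(pIntegritySid))) {
                // Create the new process at Low integrity. wszProcessName is a
                // writable array because CreateProcessAsUser may modify
                // lpCommandLine in place.
                BOOL bRet = CreateProcessAsUser(hNewToken, NULL, wszProcessName, NULL, NULL,
                                                FALSE, 0, NULL, NULL, &StartupInfo, &ProcInfo);
                if (bRet) {
                    // We do not wait on the child, so release our references to
                    // its process and thread objects instead of leaking them.
                    CloseHandle(ProcInfo.hThread);
                    CloseHandle(ProcInfo.hProcess);
                }
            }
            LocalFree(pIntegritySid);
        }
        CloseHandle(hNewToken);
    }
    CloseHandle(hToken);
}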
---
The code that duplicates the token can easily be skipped on pre-Vista computers.
References
#1 Understanding and Working in Protected Mode Internet Explorer
http://msdn.microsoft.com/library/en-us/ietechcol/dnwebgen/protectedmode.asp
Monday, 21 May 2007