mars


Thread token !!!

I have a service application that starts under the LocalSystem account.

In another process that communicates with this service over IPC, I would like to assign the service thread token (the thread running under the LocalSystem account) to one of my process's threads in order to execute some restricted Win32 functions.

Suppose I have, in my process, the service process handle and the thread token (with the LocalSystem account). Do you have sample code for this?

  1) Duplicate the service handles into the process space.
  2) Assign this handle to my process thread.
  3) Execute some privileged code.
  4) Restore the initial process thread.
 
ASKER CERTIFIED SOLUTION
NickRepin
mars

ASKER

When I take a look at DuplicateHandle, I need more precision about the source and target handles.

Here is the DuplicateHandle() syntax:

BOOL DuplicateHandle(
  HANDLE hSourceProcessHandle,  // handle to the source process
  HANDLE hSourceHandle,         // handle to duplicate
  HANDLE hTargetProcessHandle,  // handle to process to duplicate to
  LPHANDLE lpTargetHandle,  // pointer to duplicate handle
  DWORD dwDesiredAccess,    // access for duplicate handle
  BOOL bInheritHandle,      // handle inheritance flag
  DWORD dwOptions           // optional actions
);

If I remember well, only HWND handles are available in all processes without duplication. In the DuplicateHandle function, I must pass PROCESS and THREAD TOKEN handles from my service to my client process, but if I use these handles in my client process, they do not represent anything in the context of my client process. So DuplicateHandle() will fail.

It would be easier if you placed the privileged code into the service process to eliminate the need for impersonation.

You have to duplicate only the service thread handle, not the token. You'll get the token via OpenThreadToken().

You can call DuplicateHandle() either in the service process or in the client. I think it's better to do it in the service process.

Here are the steps:

*****Client*********
// Sends a request to the service
// and passes its own process id
// (sendRequest/recvRequest/sendAnswerRequest/getAnswer stand for your IPC):

sendRequest(GetCurrentProcessId());

*****Service********
// Receives the request and
// opens the client process with the right to duplicate handles into it

DWORD dwClientProcessId = recvRequest();

HANDLE hClientProcess = OpenProcess(PROCESS_DUP_HANDLE, FALSE, dwClientProcessId);

// A service thread normally has no impersonation token of its own, so the
// client's OpenThreadToken() would fail with ERROR_NO_TOKEN. Give this thread
// one (the service's own identity) before handing the handle out.

ImpersonateSelf(SecurityImpersonation);

// Duplicates the service thread handle for the client

HANDLE hServiceThread;
DuplicateHandle(GetCurrentProcess(), GetCurrentThread(), hClientProcess,
                &hServiceThread, THREAD_ALL_ACCESS, FALSE, 0);

// hServiceThread is valid in the context of the client process.
// Send hServiceThread back to the client. Keep impersonating until the
// client has opened the token, then call RevertToSelf() here as well.

sendAnswerRequest(hServiceThread);
CloseHandle(hClientProcess);

*******Client************
// Receives the service thread handle

HANDLE hServiceThread = getAnswer();

HANDLE hToken;
OpenThreadToken(hServiceThread, TOKEN_EXECUTE, FALSE, &hToken);

CloseHandle(hServiceThread);

// SetThreadToken takes a PHANDLE; NULL means the calling thread
SetThreadToken(NULL, hToken);

// Privileged code

RevertToSelf();

CloseHandle(hToken);