[VC/Win32] WinXP/7/8/8.1/10修改文件、注册表、进程令牌权限,解除TrustedInstaller权限限制

Win7/8/8.1/10系统注册表和C盘里的文件大多有TrustedInstaller权限限制,我们不能直接修改,必须要修改权限才行,下面是通过编程的方法修改的效果:


完整代码如下:

  1 #include <Windows.h>
  2 #include <AclAPI.h>
  3 #include <stdio.h>
  4 
  5 
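/*
 * Path-based demo: temporarily makes BUILTIN\Administrators the owner of the
 * named object and grants that group GENERIC_ALL, pauses so the object can be
 * edited, then puts the original owner and DACL back.
 *
 * objtype  - object kind understood by Get/SetNamedSecurityInfo
 *            (the demo uses SE_FILE_OBJECT and SE_REGISTRY_KEY).
 * pszPath  - object name in the form the *NamedSecurityInfo APIs expect.
 *
 * Returns TRUE only if every step succeeded, including the rollback and the
 * privilege disable. The calling token must hold SeTakeOwnershipPrivilege and
 * SeRestorePrivilege; otherwise AdjustTokenPrivileges reports
 * ERROR_NOT_ALL_ASSIGNED and the function fails before touching the object.
 *
 * Rollback runs on every exit path once the owner or DACL has been changed, so
 * a failure halfway through does not leave the object owned by Administrators
 * with a widened DACL. A process killed during the pause is NOT covered.
 */
BOOL SetOwnerAndPermissions1(SE_OBJECT_TYPE objtype, TCHAR *pszPath)
{
    BOOL bRet = FALSE;
    BOOL bOk;
    BOOL bPrivTouched = FALSE;   // AdjustTokenPrivileges(enable) returned TRUE
    BOOL bOwnerChanged = FALSE;  // owner now differs from psidOld
    BOOL bDaclChanged = FALSE;   // DACL now differs from paclOld
    DWORD dwRet;
    DWORD dwErr = ERROR_SUCCESS; // first error seen; reported at the end
    HANDLE hToken = NULL;
    PTOKEN_PRIVILEGES ptp;
    BYTE tpbyte[sizeof(TOKEN_PRIVILEGES) + sizeof(LUID_AND_ATTRIBUTES)];
    BYTE bits[SECURITY_MAX_SID_SIZE];
    PSECURITY_DESCRIPTOR psd = NULL;
    EXPLICIT_ACCESS ea;
    PACL paclOld = NULL;
    PACL paclNew = NULL;
    PSID psidOld = NULL;
    PSID psidNew;

    // Open a handle to the access token for the calling process.
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken))
    {
        dwErr = GetLastError();
        goto end;
    }

    // Look up SeTakeOwnershipPrivilege and SeRestorePrivilege.
    ptp = (PTOKEN_PRIVILEGES)tpbyte;
    if (!LookupPrivilegeValue(NULL, SE_TAKE_OWNERSHIP_NAME, &ptp->Privileges[0].Luid) ||
        !LookupPrivilegeValue(NULL, SE_RESTORE_NAME, &ptp->Privileges[1].Luid))
    {
        dwErr = GetLastError();
        goto end;
    }

    // Enable both privileges. The call can return TRUE and still have skipped
    // a privilege the token does not hold, so the last-error value is checked
    // too; a FALSE return is a hard failure and must not fall through.
    ptp->PrivilegeCount = 2;
    ptp->Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    ptp->Privileges[1].Attributes = SE_PRIVILEGE_ENABLED;
    bOk = AdjustTokenPrivileges(hToken, FALSE, ptp, sizeof(tpbyte), NULL, NULL);
    dwRet = GetLastError();
    if (!bOk)
    {
        dwErr = dwRet;
        goto end;
    }
    bPrivTouched = TRUE;
    if (dwRet == ERROR_NOT_ALL_ASSIGNED)
    {
        dwErr = dwRet;
        goto end;
    }

    // Create a SID for the BUILTIN\Administrators group.
    psidNew = (PSID)bits;
    dwRet = sizeof(bits);
    //bOk = CreateWellKnownSid(WinBuiltinUsersSid, NULL, psidNew, &dwRet);// Users group
    if (!CreateWellKnownSid(WinBuiltinAdministratorsSid, NULL, psidNew, &dwRet))
    {
        dwErr = GetLastError();
        goto end;
    }

    // Get the object's original owner and permissions. psidOld and paclOld
    // point into psd, which stays allocated until the cleanup below.
    dwRet = GetNamedSecurityInfo(pszPath, objtype, OWNER_SECURITY_INFORMATION |
        DACL_SECURITY_INFORMATION, &psidOld, NULL, &paclOld, NULL, &psd);
    if (dwRet != ERROR_SUCCESS)
    {
        dwErr = dwRet;
        goto end;
    }

    // Build a DACL that adds full control for Administrators to the old one.
    ea.grfAccessMode = SET_ACCESS;
    ea.grfAccessPermissions = GENERIC_ALL;
    ea.grfInheritance = NO_INHERITANCE;
    ea.Trustee.TrusteeForm = TRUSTEE_IS_SID;
    ea.Trustee.TrusteeType = TRUSTEE_IS_GROUP;
    ea.Trustee.ptstrName = (LPTSTR)psidNew;
    ea.Trustee.MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;
    ea.Trustee.pMultipleTrustee = NULL;
    dwRet = SetEntriesInAcl(1, &ea, paclOld, &paclNew);
    if (dwRet != ERROR_SUCCESS)
    {
        dwErr = dwRet;
        goto end;
    }

    // Set the object's owner first.
    dwRet = SetNamedSecurityInfo(pszPath, objtype, OWNER_SECURITY_INFORMATION,
        psidNew, NULL, NULL, NULL);
    if (dwRet != ERROR_SUCCESS)
    {
        dwErr = dwRet;
        goto end;
    }
    bOwnerChanged = TRUE;

    // Then set the object's permissions.
    dwRet = SetNamedSecurityInfo(pszPath, objtype, DACL_SECURITY_INFORMATION,
        NULL, NULL, paclNew, NULL);
    if (dwRet != ERROR_SUCCESS)
    {
        dwErr = dwRet;
        goto end;
    }
    bDaclChanged = TRUE;

    // Now you can modify the object. Until the rollback below runs, the object
    // is owned by Administrators and writable by every member of that group.
    // NOTE(review): "%ws" assumes a UNICODE build (TCHAR == wchar_t) - confirm.
    // NOTE(review): system("pause") runs a child command interpreter while both
    // privileges are still enabled on this token; fine for a demo, a plain
    // console read would avoid the extra process.
    printf("%ws Success!\n", pszPath);
    system("pause");///////////////////////////////////////////////////////////
    bRet = TRUE;

end:
    // Roll back in reverse order: the DACL while we are still the owner, then
    // the owner. Each step is attempted even if the previous one failed.
    // NOTE(review): compare the restored descriptor with the original (e.g.
    // inheritance/protection flags) when exact fidelity matters - not verified here.
    if (bDaclChanged)
    {
        dwRet = SetNamedSecurityInfo(pszPath, objtype, DACL_SECURITY_INFORMATION,
            NULL, NULL, paclOld, NULL);
        if (dwRet != ERROR_SUCCESS)
        {
            bRet = FALSE;
            if (dwErr == ERROR_SUCCESS)
                dwErr = dwRet;
        }
    }
    if (bOwnerChanged)
    {
        dwRet = SetNamedSecurityInfo(pszPath, objtype, OWNER_SECURITY_INFORMATION,
            psidOld, NULL, NULL, NULL);
        if (dwRet != ERROR_SUCCESS)
        {
            bRet = FALSE;
            if (dwErr == ERROR_SUCCESS)
                dwErr = dwRet;
        }
    }

    // Disable the privileges again, whatever happened above.
    if (bPrivTouched)
    {
        ptp->Privileges[0].Attributes = 0;
        ptp->Privileges[1].Attributes = 0;
        bOk = AdjustTokenPrivileges(hToken, FALSE, ptp, sizeof(tpbyte), NULL, NULL);
        dwRet = GetLastError();
        if (!bOk || dwRet == ERROR_NOT_ALL_ASSIGNED)
        {
            bRet = FALSE;
            if (dwErr == ERROR_SUCCESS)
                dwErr = dwRet;
        }
    }

    if (paclNew)
        LocalFree(paclNew);
    if (psd)
        LocalFree(psd);
    if (hToken)
        CloseHandle(hToken);

    // Report the first error recorded above rather than GetLastError(): the
    // security APIs return their status instead of setting the last error, and
    // the cleanup calls may overwrite it.
    printf("%ws End: %d, %lu\n", pszPath, bRet, dwErr);
    system("pause");

    return bRet;
}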
130 
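// Opens the target object with the requested access mask and stores the handle
// in *phObject (a registry key is stored as its HKEY cast to HANDLE).
// Returns ERROR_SUCCESS, a Win32 error code, or ERROR_INVALID_PARAMETER for an
// object type this demo does not handle.
static DWORD OpenTargetForSecurity(SE_OBJECT_TYPE objtype, HANDLE hProc, HKEY hPreKey,
    TCHAR *pszPath, DWORD dwAccess, HANDLE *phObject)
{
    *phObject = NULL;

    if (objtype == SE_REGISTRY_KEY)
    {
        HKEY hKey = NULL;
        LSTATUS ls = RegOpenKeyEx(hPreKey, pszPath, 0, dwAccess, &hKey);
        if (ls != ERROR_SUCCESS)
            return (DWORD)ls;
        *phObject = (HANDLE)hKey;
        return ERROR_SUCCESS;
    }
    if (objtype == SE_FILE_OBJECT)
    {
        HANDLE hFile = CreateFile(pszPath, dwAccess,
            FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL);
        if (hFile == INVALID_HANDLE_VALUE)
            return GetLastError();
        *phObject = hFile;
        return ERROR_SUCCESS;
    }
    if (objtype == SE_KERNEL_OBJECT)
    {
        // The kernel object secured here is the access token of hProc.
        HANDLE hProcToken = NULL;
        if (!OpenProcessToken(hProc, dwAccess, &hProcToken))
            return GetLastError();
        *phObject = hProcToken;
        return ERROR_SUCCESS;
    }
    return ERROR_INVALID_PARAMETER;
}

// Closes a handle obtained from OpenTargetForSecurity with the matching API.
static void CloseTarget(SE_OBJECT_TYPE objtype, HANDLE hObject)
{
    if (hObject == NULL)
        return;
    if (objtype == SE_REGISTRY_KEY)
        RegCloseKey((HKEY)hObject);
    else
        CloseHandle(hObject);
}

/*
 * Handle-based demo: same sequence as the path-based variant, but the object
 * is opened explicitly and edited through Get/SetSecurityInfo.
 *
 * objtype  - SE_REGISTRY_KEY, SE_FILE_OBJECT or SE_KERNEL_OBJECT; any other
 *            value now fails with ERROR_INVALID_PARAMETER instead of passing
 *            an uninitialized handle to GetSecurityInfo.
 * hProc    - process whose token is the target (SE_KERNEL_OBJECT only).
 * hPreKey  - root key for pszPath (SE_REGISTRY_KEY only).
 * pszPath  - file path or registry subkey; printed with "%ws" even when the
 *            caller passes NULL for a kernel object.
 *
 * Returns TRUE only if every step succeeded, including the rollback and the
 * privilege disable. Rollback runs on every exit path once the owner or DACL
 * has been changed. A process killed during the pause is NOT covered.
 */
BOOL SetOwnerAndPermissions2(SE_OBJECT_TYPE objtype, HANDLE hProc, HKEY hPreKey, TCHAR *pszPath)
{
    BOOL bRet = FALSE;
    BOOL bOk;
    BOOL bPrivTouched = FALSE;   // AdjustTokenPrivileges(enable) returned TRUE
    BOOL bOwnerChanged = FALSE;  // owner now differs from psidOld
    BOOL bDaclChanged = FALSE;   // DACL now differs from paclOld
    DWORD dwRet;
    DWORD dwErr = ERROR_SUCCESS; // first error seen; reported at the end
    HANDLE hToken = NULL;
    PTOKEN_PRIVILEGES ptp;
    BYTE tpbyte[sizeof(TOKEN_PRIVILEGES) + sizeof(LUID_AND_ATTRIBUTES)];
    BYTE bits[SECURITY_MAX_SID_SIZE];
    PSECURITY_DESCRIPTOR psd = NULL;
    EXPLICIT_ACCESS ea;
    PACL paclOld = NULL;
    PACL paclNew = NULL;
    PSID psidOld = NULL;
    PSID psidNew;
    HANDLE hHandle = NULL;
    HANDLE hReopened = NULL;

    // Open a handle to the access token for the calling process.
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken))
    {
        dwErr = GetLastError();
        goto end;
    }

    // Look up SeTakeOwnershipPrivilege and SeRestorePrivilege.
    ptp = (PTOKEN_PRIVILEGES)tpbyte;
    if (!LookupPrivilegeValue(NULL, SE_TAKE_OWNERSHIP_NAME, &ptp->Privileges[0].Luid) ||
        !LookupPrivilegeValue(NULL, SE_RESTORE_NAME, &ptp->Privileges[1].Luid))
    {
        dwErr = GetLastError();
        goto end;
    }

    // Enable both privileges. A TRUE return with ERROR_NOT_ALL_ASSIGNED means
    // the token lacks one of them; a FALSE return is a hard failure and must
    // not fall through.
    ptp->PrivilegeCount = 2;
    ptp->Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    ptp->Privileges[1].Attributes = SE_PRIVILEGE_ENABLED;
    bOk = AdjustTokenPrivileges(hToken, FALSE, ptp, sizeof(tpbyte), NULL, NULL);
    dwRet = GetLastError();
    if (!bOk)
    {
        dwErr = dwRet;
        goto end;
    }
    bPrivTouched = TRUE;
    if (dwRet == ERROR_NOT_ALL_ASSIGNED)
    {
        dwErr = dwRet;
        goto end;
    }

    // Create a SID for the BUILTIN\Administrators group.
    psidNew = (PSID)bits;
    dwRet = sizeof(bits);
    //bOk = CreateWellKnownSid(WinBuiltinUsersSid, NULL, psidNew, &dwRet);// Users group
    if (!CreateWellKnownSid(WinBuiltinAdministratorsSid, NULL, psidNew, &dwRet))
    {
        dwErr = GetLastError();
        goto end;
    }

    // Open the object with READ_CONTROL|WRITE_OWNER access.
    dwRet = OpenTargetForSecurity(objtype, hProc, hPreKey, pszPath,
        READ_CONTROL | WRITE_OWNER, &hHandle);
    if (dwRet != ERROR_SUCCESS)
    {
        dwErr = dwRet;
        goto end;
    }

    // Get the object's original owner and permissions. psidOld and paclOld
    // point into psd, which stays allocated until the cleanup below.
    dwRet = GetSecurityInfo(hHandle, objtype, OWNER_SECURITY_INFORMATION |
        DACL_SECURITY_INFORMATION, &psidOld, NULL, &paclOld, NULL, &psd);
    if (dwRet != ERROR_SUCCESS)
    {
        dwErr = dwRet;
        goto end;
    }

    // Build a DACL that adds full control for Administrators to the old one.
    ea.grfAccessMode = SET_ACCESS;
    ea.grfAccessPermissions = GENERIC_ALL;
    ea.grfInheritance = NO_INHERITANCE;
    ea.Trustee.TrusteeForm = TRUSTEE_IS_SID;
    ea.Trustee.TrusteeType = TRUSTEE_IS_GROUP;
    ea.Trustee.ptstrName = (LPTSTR)psidNew;
    ea.Trustee.MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;
    ea.Trustee.pMultipleTrustee = NULL;
    dwRet = SetEntriesInAcl(1, &ea, paclOld, &paclNew);
    if (dwRet != ERROR_SUCCESS)
    {
        dwErr = dwRet;
        goto end;
    }

    // Set the object's owner first.
    dwRet = SetSecurityInfo(hHandle, objtype, OWNER_SECURITY_INFORMATION,
        psidNew, NULL, NULL, NULL);
    if (dwRet != ERROR_SUCCESS)
    {
        dwErr = dwRet;
        goto end;
    }
    bOwnerChanged = TRUE;

    // As owner we can now ask for WRITE_DAC, so reopen the object. The new
    // handle is opened before the old one is closed: if the reopen fails, the
    // old handle (which has WRITE_OWNER) is still there to restore the owner.
    dwRet = OpenTargetForSecurity(objtype, hProc, hPreKey, pszPath,
        READ_CONTROL | WRITE_OWNER | WRITE_DAC, &hReopened);
    if (dwRet != ERROR_SUCCESS)
    {
        dwErr = dwRet;
        goto end;
    }
    CloseTarget(objtype, hHandle);
    hHandle = hReopened;
    hReopened = NULL;

    // Then set the object's permissions.
    dwRet = SetSecurityInfo(hHandle, objtype, DACL_SECURITY_INFORMATION,
        NULL, NULL, paclNew, NULL);
    if (dwRet != ERROR_SUCCESS)
    {
        dwErr = dwRet;
        goto end;
    }
    bDaclChanged = TRUE;

    // Now you can modify the object. Until the rollback below runs, the object
    // is owned by Administrators and writable by every member of that group.
    // NOTE(review): "%ws" assumes a UNICODE build (TCHAR == wchar_t) - confirm.
    // NOTE(review): system("pause") runs a child command interpreter while both
    // privileges are still enabled on this token; fine for a demo, a plain
    // console read would avoid the extra process.
    printf("%ws Success!\n", pszPath);
    system("pause");///////////////////////////////////////////////////////////
    bRet = TRUE;

end:
    // Roll back in reverse order: the DACL while we are still the owner, then
    // the owner. Each step is attempted even if the previous one failed.
    if (bDaclChanged)
    {
        dwRet = SetSecurityInfo(hHandle, objtype, DACL_SECURITY_INFORMATION,
            NULL, NULL, paclOld, NULL);
        if (dwRet != ERROR_SUCCESS)
        {
            bRet = FALSE;
            if (dwErr == ERROR_SUCCESS)
                dwErr = dwRet;
        }
    }
    if (bOwnerChanged)
    {
        dwRet = SetSecurityInfo(hHandle, objtype, OWNER_SECURITY_INFORMATION,
            psidOld, NULL, NULL, NULL);
        if (dwRet != ERROR_SUCCESS)
        {
            bRet = FALSE;
            if (dwErr == ERROR_SUCCESS)
                dwErr = dwRet;
        }
    }

    // Disable the privileges again, whatever happened above.
    if (bPrivTouched)
    {
        ptp->Privileges[0].Attributes = 0;
        ptp->Privileges[1].Attributes = 0;
        bOk = AdjustTokenPrivileges(hToken, FALSE, ptp, sizeof(tpbyte), NULL, NULL);
        dwRet = GetLastError();
        if (!bOk || dwRet == ERROR_NOT_ALL_ASSIGNED)
        {
            bRet = FALSE;
            if (dwErr == ERROR_SUCCESS)
                dwErr = dwRet;
        }
    }

    CloseTarget(objtype, hReopened);
    CloseTarget(objtype, hHandle);
    if (paclNew)
        LocalFree(paclNew);
    if (psd)
        LocalFree(psd);
    if (hToken)
        CloseHandle(hToken);

    // Report the first error recorded above rather than GetLastError(): the
    // security and registry APIs return their status instead of setting the
    // last error, and the cleanup calls may overwrite it.
    printf("%ws End: %d, %lu\n", pszPath, bRet, dwErr);
    system("pause");

    return bRet;
}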
323 
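// Demo driver: runs the path-based and the handle-based variant against one
// file and one registry key. Each call pauses while the object is writable and
// again after it has reported its result.
// The process exit code is 0 only if every call returned TRUE, so a script
// wrapping this demo can tell when an object may not have been restored.
int main(void)
{
    BOOL bAllOk = TRUE;

    // Path-based variant. For SE_REGISTRY_KEY the name starts with the hive:
    // CLASSES_ROOT, CURRENT_USER, MACHINE or USERS.
    if (!SetOwnerAndPermissions1(SE_FILE_OBJECT, TEXT("C:\\Windows\\winhlp32.exe")))
        bAllOk = FALSE;
    if (!SetOwnerAndPermissions1(SE_REGISTRY_KEY,
        TEXT("MACHINE\\SOFTWARE\\Classes\\CLSID\\{645FF040-5081-101B-9F08-00AA002F954E}")))
        bAllOk = FALSE;

    printf("\n");

    // Handle-based variant: the registry key is given as root key + subkey.
    if (!SetOwnerAndPermissions2(SE_FILE_OBJECT, NULL, NULL, TEXT("C:\\Windows\\winhlp32.exe")))
        bAllOk = FALSE;
    if (!SetOwnerAndPermissions2(SE_REGISTRY_KEY, NULL, HKEY_LOCAL_MACHINE,
        TEXT("SOFTWARE\\Classes\\CLSID\\{645FF040-5081-101B-9F08-00AA002F954E}")))
        bAllOk = FALSE;
    //SetOwnerAndPermissions2(SE_KERNEL_OBJECT, hProc, NULL, NULL);

    return bAllOk ? 0 : 1;
}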

 
