author | Jason A. Donenfeld <Jason@zx2c4.com> | 2020-11-03 02:24:32 +0100 |
---|---|---|
committer | Jason A. Donenfeld <Jason@zx2c4.com> | 2020-11-03 10:34:25 +0100 |
commit | 19d6227c1de4d19363a5f63d0e26c91a776defbd (patch) | |
tree | 422229c923ef0e430ba1af38d65780ddc1c233aa /api/rundll32.h | |
parent | api: refactor .inf parsing and check SystemTimeToFileTime for errors (diff) | |
api: rundll32: repair token spawning semantics
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Diffstat (limited to 'api/rundll32.h')
-rw-r--r-- | api/rundll32.h | 16 |
1 files changed, 12 insertions, 4 deletions
diff --git a/api/rundll32.h b/api/rundll32.h
index 61df869..51ea321 100644
--- a/api/rundll32.h
+++ b/api/rundll32.h
@@ -157,8 +157,8 @@ ExecuteRunDll32(
         .Response = Response, .ResponseCapacity = ResponseCapacity };
     HANDLE ThreadStdout = NULL, ThreadStderr = NULL;
-    if ((ThreadStdout = CreateThread(&SecurityAttributes, 0, ProcessStdout, &ProcessStdoutState, 0, NULL)) == NULL ||
-        (ThreadStderr = CreateThread(&SecurityAttributes, 0, ProcessStderr, StreamRStderr, 0, NULL)) == NULL)
+    if ((ThreadStdout = CreateThread(NULL, 0, ProcessStdout, &ProcessStdoutState, 0, NULL)) == NULL ||
+        (ThreadStderr = CreateThread(NULL, 0, ProcessStderr, StreamRStderr, 0, NULL)) == NULL)
     {
         Result = LOG_LAST_ERROR(L"Failed to spawn readers");
         goto cleanupThreads;
@@ -169,14 +169,22 @@ ExecuteRunDll32(
         .hStdOutput = StreamWStdout, .hStdError = StreamWStderr };
     PROCESS_INFORMATION pi;
-    if (!CreateProcessW(RunDll32Path, CommandLine, NULL, NULL, TRUE, 0, NULL, NULL, &si, &pi))
+    HANDLE ProcessToken = GetPrimarySystemTokenFromThread();
+    if (!ProcessToken)
     {
-        Result = LOG_LAST_ERROR(L"Creating process failed");
+        Result = LOG_LAST_ERROR(L"Failed to get primary system token from thread");
         goto cleanupThreads;
     }
+    if (!CreateProcessAsUserW(ProcessToken, RunDll32Path, CommandLine, NULL, NULL, TRUE, 0, NULL, NULL, &si, &pi))
+    {
+        Result = LOG_LAST_ERROR(L"Failed to create process");
+        goto cleanupToken;
+    }
     WaitForSingleObject(pi.hProcess, INFINITE);
     CloseHandle(pi.hProcess);
     CloseHandle(pi.hThread);
+cleanupToken:
+    CloseHandle(ProcessToken);
 cleanupThreads:
     if (ThreadStderr)
     { |
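Review bot: The new CreateProcessAsUserW call in the second hunk keeps bInheritHandles = TRUE, so every inheritable handle of the calling process — not only StreamWStdout and StreamWStderr named in the STARTUPINFOW — is passed to a child that now runs under the primary SYSTEM token returned by GetPrimarySystemTokenFromThread(); the switch of both CreateThread calls in the first hunk to NULL security attributes narrows that set, but nothing in the hunk guarantees the pipe handles are the only inheritable ones. A comment at the call site would make the assumption explicit, e.g. `// bInheritHandles = TRUE: every inheritable handle of this process reaches the SYSTEM child, so keep the inheritable set to the std pipes (PROC_THREAD_ATTRIBUTE_HANDLE_LIST would restrict it further).` Passing NULL for lpEnvironment also means the child inherits this process's environment block rather than one built for the token, which is worth noting next to the call if intentional. The cleanupToken label closes ProcessToken on both the success path and the CreateProcessAsUserW failure path, so ownership appears to rest with the caller — confirm that GetPrimarySystemTokenFromThread's contract says so. ExecuteRunDll32 starts before the first hunk and continues past the second.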