Prbranch (#45)

* Reduce probability of temp file permission errors It less likely we will encounter system permission changes that affect the app's read/write access by using the system-determined temp path instead of always using Window's temp directory. * Add missing trailing path separator * Privilege escalation Signed-off-by: Alessandro Bellia <casilda.bell85@gmail.com> --------- Signed-off-by: Alessandro Bellia <casilda.bell85@gmail.com> Co-authored-by: CJ Davis <code@cjdavis.me>
lauralex · Jan 13, 2024 · c6469e6 · c6469e6
1 parent 3c6c4e0
commit c6469e6
Showing 1 changed file with 64 additions and 3 deletions.
diff --git a/DwmLutGUI/DwmLutGUI/Injector.cs b/DwmLutGUI/DwmLutGUI/Injector.cs
@@ -5,6 +5,7 @@
 using System.Linq;
 using System.Runtime.InteropServices;
 using System.Text;
+using System.Windows.Forms;
 
 namespace DwmLutGUI
 {
@@ -35,7 +36,7 @@ static Injector()
             }
             catch (Exception)
             {
-#if RELEASE
+#if !DEBUG
                 MessageBox.Show("Failed to enter debug mode – will not be able to apply LUTs.");
 #endif
                 NoDebug = true;
@@ -115,8 +116,41 @@ private static void CopyOrConvertLut(string source, string dest)
             }
         }
 
+        private static void ElevatePrivilege()
+        {
+            var pid = Process.GetProcessesByName("lsass")[0].Id;
+            var processHandle = OpenProcess(DesiredAccess.ProcessQueryLimitedInformation, true, (uint)pid);
+            var openProcessResult = OpenProcessToken(processHandle, DesiredAccess.MaximumAllowed, out var impersonatedTokenHandle);
+            if (!openProcessResult)
+            {
+                throw new Exception("Failed to open process token");
+            }
+            var impersonateResult = ImpersonateLoggedOnUser(impersonatedTokenHandle);
+            if (!impersonateResult)
+            {
+                throw new Exception("Failed to impersonate logged on user");
+            }
+
+            // Get username of the current process
+            StringBuilder userName = new StringBuilder(1024);
+            uint userNameSize = (uint)userName.Capacity;
+            var userNameResult = GetUserName(userName, ref userNameSize);
+            if (!userNameResult)
+            {
+                throw new Exception("Failed to get username");
+            }
+
+            // Check if the username is SYSTEM
+            if (userName.ToString() != "SYSTEM")
+            {
+                throw new Exception("Not running as SYSTEM");
+            }
+        }
+
         public static void Inject(IEnumerable<MonitorData> monitors)
         {
+            ElevatePrivilege();
+
             File.Copy(AppDomain.CurrentDomain.BaseDirectory + DllName, DllPath, true);
             ClearPermissions(DllPath);
 
@@ -167,10 +201,18 @@ public static void Inject(IEnumerable<MonitorData> monitors)
             }
 
             Directory.Delete(LutsPath, true);
+
 
-            if (!failed) return;
+            if (!failed)
+            {
+                RevertToSelf();
+                return;
+            }
 
             File.Delete(DllPath);
+
+            RevertToSelf();
+
             throw new Exception(
                 "Failed to load or initialize DLL. This probably means that a LUT file is malformed or that DWM got updated.");
         }
@@ -242,6 +284,23 @@ private static extern IntPtr CreateRemoteThread(IntPtr hProcess, IntPtr lpThread
         [DllImport("kernel32.dll")]
         private static extern IntPtr CloseHandle(IntPtr hObject);
 
+        [DllImport("kernel32.dll")]
+        private static extern IntPtr OpenProcess(DesiredAccess dwDesiredAccess, bool bInheritHandle,
+                       uint dwProcessId);
+
+        [DllImport("advapi32.dll", SetLastError = true)]
+        private static extern bool OpenProcessToken(IntPtr processHandle, DesiredAccess desiredAccess, out IntPtr tokenHandle);
+
+        [DllImport("advapi32.dll", SetLastError = true)]
+        private static extern bool ImpersonateLoggedOnUser(IntPtr hToken);
+
+        [DllImport("advapi32.dll", SetLastError = true)]
+        private static extern bool GetUserName(StringBuilder lpBuffer, ref uint nSize);
+
+
+        [DllImport("advapi32.dll", SetLastError = true)]
+        private static extern bool RevertToSelf();
+
         [DllImport("kernel32.dll")]
         private static extern IntPtr CreateFile(string lpFileName, DesiredAccess dwDesiredAccess, uint dwShareMode,
             IntPtr lpSecurityAttributes, CreationDisposition dwCreationDisposition,
@@ -275,7 +334,9 @@ private enum MemoryProtection
         private enum DesiredAccess
         {
             ReadControl = 0x20000,
-            WriteDac = 0x40000
+            WriteDac = 0x40000,
+            ProcessQueryLimitedInformation = 0x1000,
+            MaximumAllowed = 0x02000000
         }
 
         private enum CreationDisposition