
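#include <windows.h>
#include <sddl.h>
#include <stdio.h>
#include <tchar.h>

/*
 * Launch szCommandLine as a new process running at Low integrity level.
 *
 * The caller's primary token is duplicated and the duplicate's integrity
 * label is lowered to the well-known Low mandatory level (S-1-16-4096,
 * SECURITY_MANDATORY_LOW_RID) before the process is created from it.
 * Mandatory Integrity Control then denies the child write access to
 * objects labelled Medium or higher (the caller's own files, registry
 * keys, window handles, ...), which is what makes this a least-privilege
 * / sandboxing building block.
 *
 * szCommandLine: command line of the target program.  CreateProcessAsUser
 *                may modify this buffer, so it must be writable (argv[] is).
 *
 * Returns TRUE when the child was created, FALSE otherwise.  On FALSE the
 * Win32 error code of the failing call is available via GetLastError();
 * it is saved before the handle cleanup so CloseHandle/LocalFree cannot
 * overwrite it.  Handles to the child process and thread are closed here;
 * the child keeps running.
 */
BOOL CreateLowProcess(LPTSTR szCommandLine)
{
    BOOL fRet = FALSE;
    DWORD dwLastError = ERROR_SUCCESS;
    HANDLE hToken = NULL;
    HANDLE hNewToken = NULL;
    PSID pIntegritySid = NULL;
    TOKEN_MANDATORY_LABEL TIL = {0};
    PROCESS_INFORMATION ProcInfo = {0};
    STARTUPINFO StartupInfo = {0};

    /* Low integrity SID (SECURITY_MANDATORY_LOW_RID). */
    _TCHAR szIntegritySid[20] = _T("S-1-16-4096");

    /* CreateProcessAsUser requires cb to be initialised; an all-zero
     * STARTUPINFO is not valid input. */
    StartupInfo.cb = sizeof(StartupInfo);

    /* TOKEN_ADJUST_DEFAULT is needed for SetTokenInformation below,
     * TOKEN_ASSIGN_PRIMARY for using the duplicate in CreateProcessAsUser. */
    fRet = OpenProcessToken(GetCurrentProcess(),
                            TOKEN_DUPLICATE | TOKEN_ADJUST_DEFAULT |
                            TOKEN_QUERY | TOKEN_ASSIGN_PRIMARY,
                            &hToken);
    if (!fRet) {
        goto CleanExit;
    }

    /* dwDesiredAccess 0 requests the same access as the source token.
     * A primary token is required to create a process from it. */
    fRet = DuplicateTokenEx(hToken, 0, NULL, SecurityImpersonation,
                            TokenPrimary, &hNewToken);
    if (!fRet) {
        goto CleanExit;
    }

    /* Owned by LocalAlloc; released with LocalFree in CleanExit. */
    fRet = ConvertStringSidToSid(szIntegritySid, &pIntegritySid);
    if (!fRet) {
        goto CleanExit;
    }

    TIL.Label.Attributes = SE_GROUP_INTEGRITY;
    TIL.Label.Sid = pIntegritySid;

    /*
     * Set the process integrity level.  The length must cover the label
     * structure plus the SID it points to.
     */
    fRet = SetTokenInformation(hNewToken, TokenIntegrityLevel, &TIL,
                               sizeof(TOKEN_MANDATORY_LABEL) +
                               GetLengthSid(pIntegritySid));
    if (!fRet) {
        goto CleanExit;
    }

    /*
     * Create the new process at Low integrity.
     */
    fRet = CreateProcessAsUser(hNewToken, NULL, szCommandLine, NULL, NULL,
                               FALSE, CREATE_NEW_CONSOLE, NULL, NULL,
                               &StartupInfo, &ProcInfo);

CleanExit:
    /* Capture the failing call's error before cleanup calls clobber it. */
    if (!fRet) {
        dwLastError = GetLastError();
    }

    if (ProcInfo.hProcess != NULL) {
        CloseHandle(ProcInfo.hProcess);
    }
    if (ProcInfo.hThread != NULL) {
        CloseHandle(ProcInfo.hThread);
    }

    /* LocalFree(NULL) is a no-op, so no guard is needed. */
    LocalFree(pIntegritySid);

    if (hNewToken != NULL) {
        CloseHandle(hNewToken);
    }
    if (hToken != NULL) {
        CloseHandle(hToken);
    }

    if (!fRet) {
        SetLastError(dwLastError);
    }
    return fRet;
}

/*
 * Entry point: argv[1] is the command line to run at Low integrity.
 *
 * Exit status follows the usual convention (0 on success, 1 on failure);
 * CreateLowProcess returns a BOOL, so its value must not be returned
 * directly or a successful launch would exit with status 1.
 */
int _tmain(int argc, _TCHAR *argv[])
{
    if (argc != 2) {
        _tprintf(_T("Usage: %s [command line of the target program]"), argv[0]);
        return 1;
    }

    if (!CreateLowProcess(argv[1])) {
        /* Error code preserved by CreateLowProcess across its cleanup. */
        _ftprintf(stderr, _T("CreateLowProcess failed, error %lu\n"),
                  GetLastError());
        return 1;
    }
    return 0;
}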