Try to create a connection to the CSRSS
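/*
 * CsrpConnectToServer - connect to the CSRSS "ApiPort" of the caller's session.
 *
 * Sequence: read the session id from the PEB, build the per-session object
 * directory path, create a SEC_RESERVE section to back the port views, build
 * a LocalSystem SID and hand all of it to NtSecureConnectPort. The SID is the
 * required server SID, so the connect only succeeds against a server running
 * as LocalSystem (i.e. CSRSS), not against an arbitrary port with that name.
 *
 * pCsrPortHandle: receives the connected port handle on success; not written
 *                 on failure.
 * Returns an NTSTATUS. Failures that happen before any NT call use the
 * NTSTATUS values spelled out next to them; the previous version returned
 * STATUS_SUCCESS (0) when calloc failed, leaving the caller with no handle.
 */
NTSTATUS CsrpConnectToServer(PHANDLE pCsrPortHandle)
{
    WCHAR SessionDir[256] = { 0 };
    ULONG SessionId = 0;
    UNICODE_STRING CsrPortName = { 0 };
    NTSTATUS status = 0;
    LARGE_INTEGER CsrSectionViewSize = { 0 };
    HANDLE CsrSectionHandle = nullptr;
    PORT_VIEW LpcWrite = { 0 };
    REMOTE_PORT_VIEW LpcRead = { 0 };
    SECURITY_QUALITY_OF_SERVICE SecurityQos = { 0 };
    CSR_API_CONNECTINFO ConnectionInfo = { 0 };
    ULONG ConnectionInfoLength = sizeof(CSR_API_CONNECTINFO);
    SID_IDENTIFIER_AUTHORITY NtSidAuthority = { SECURITY_NT_AUTHORITY };
    PSID SystemSid = NULL;
    /* Suffix appended to the session directory; sizeof() includes the NUL,
     * which is what the old magic constant 18 stood for. */
    static const WCHAR ApiPortSuffix[] = L"\\ApiPort";

    if (!pCsrPortHandle) {
        return (NTSTATUS)0xC000000DL; /* STATUS_INVALID_PARAMETER */
    }

    /* Resolve the ntdll exports up front and refuse to continue if any is
     * missing: the original called through whatever GetProcAddress returned. */
    HMODULE ntdll = GetModuleHandleA("ntdll.dll");
    if (!ntdll) {
        return (NTSTATUS)0xC000007AL; /* STATUS_PROCEDURE_NOT_FOUND */
    }
    fpRtlAppendUnicodeToString _RtlAppendUnicodeToString = (fpRtlAppendUnicodeToString)GetProcAddress(ntdll, "RtlAppendUnicodeToString");
    fpNtCreateSection _NtCreateSection = (fpNtCreateSection)GetProcAddress(ntdll, "NtCreateSection");
    fpNtClose _NtClose = (fpNtClose)GetProcAddress(ntdll, "NtClose");
    fpRtlAllocateAndInitializeSid _RtlAllocateAndInitializeSid = (fpRtlAllocateAndInitializeSid)GetProcAddress(ntdll, "RtlAllocateAndInitializeSid");
    fpRtlFreeSid _RtlFreeSid = (fpRtlFreeSid)GetProcAddress(ntdll, "RtlFreeSid");
    fpNtSecureConnectPort _NtSecureConnectPort = (fpNtSecureConnectPort)GetProcAddress(ntdll, "NtSecureConnectPort");
    if (!_RtlAppendUnicodeToString || !_NtCreateSection || !_NtClose ||
        !_RtlAllocateAndInitializeSid || !_RtlFreeSid || !_NtSecureConnectPort) {
        return (NTSTATUS)0xC000007AL; /* STATUS_PROCEDURE_NOT_FOUND */
    }

    /* The PEB is reached through the TEB self-pointer (gs:0x60 on x64, fs:0x30 on x86). */
#if defined(_M_X64) // x64
    PPEB Peb = (PPEB)__readgsqword(0x60);
#else // x86
    PPEB Peb = (PPEB)__readfsdword(0x30);
#endif
    SessionId = Peb->SessionId;

    /* Setup the Object Directory path: session 0 uses the raw path, any other
     * session gets the per-session prefix. Both writes are bounded by the real
     * element count of SessionDir; the previous MAX_PATH bound (260) exceeded
     * the 256-element buffer. */
    if (!SessionId) {
        wcscpy_s(SessionDir, sizeof(SessionDir) / sizeof(SessionDir[0]), WIN_OBJ_DIR);
    } else {
        swprintf_s(SessionDir, sizeof(SessionDir) / sizeof(SessionDir[0]),
                   L"%ws\\%lu%ws", SESSION_DIR, SessionId, WIN_OBJ_DIR);
    }

    /* Port name is "<SessionDir>\ApiPort". MaximumLength is in bytes and is
     * sized exactly for both pieces plus the terminator, so the appends below
     * cannot run out of room. */
    CsrPortName.Length = 0;
    CsrPortName.MaximumLength = (USHORT)(wcslen(SessionDir) * sizeof(WCHAR) + sizeof(ApiPortSuffix));
    // TODO: use -> RtlAllocateHeap(CsrHeap, NtdllBaseTag, CrsPortName.MaximumLength);
    CsrPortName.imgBuffer = (PWCH)calloc(CsrPortName.MaximumLength, 1);
    if (!CsrPortName.imgBuffer) {
        /* Report the failure instead of falling through with status == 0. */
        status = (NTSTATUS)0xC0000017L; /* STATUS_NO_MEMORY */
        goto cleanup;
    }
    _RtlAppendUnicodeToString(&CsrPortName, SessionDir);
    _RtlAppendUnicodeToString(&CsrPortName, ApiPortSuffix);

    /* Create a section for the port memory */
    CsrSectionViewSize.QuadPart = CSR_CSRSS_SECTION_SIZE;
    status = _NtCreateSection(
        &CsrSectionHandle,
        SECTION_ALL_ACCESS,
        NULL,
        &CsrSectionViewSize,
        PAGE_READWRITE,
        SEC_RESERVE,
        NULL);
    if (!NT_SUCCESS(status)) {
        printf("Failure allocating CSR Section, status: 0x%lx\n", (unsigned long)status);
        goto cleanup;
    }

    /* Set up the port view structures to match them with the section. The
     * server fills in the remote view and the base addresses on connect. */
    LpcWrite.Length = sizeof(PORT_VIEW);
    LpcWrite.SectionHandle = CsrSectionHandle;
    LpcWrite.SectionOffset = 0;
    LpcWrite.ViewSize = CsrSectionViewSize.u.LowPart;
    LpcWrite.ViewBase = 0;
    LpcWrite.ViewRemoteBase = 0;
    LpcRead.Length = sizeof(REMOTE_PORT_VIEW);
    LpcRead.ViewSize = 0;
    LpcRead.ViewBase = 0;

    /* Setup the QoS: impersonation level with EffectiveOnly, so the server
     * sees only the groups and privileges currently enabled in our token. */
    SecurityQos.ImpersonationLevel = SecurityImpersonation;
    SecurityQos.ContextTrackingMode = SECURITY_DYNAMIC_TRACKING;
    SecurityQos.EffectiveOnly = TRUE;

    /* Setup the connection info */
    ConnectionInfo.DebugFlags = 0;

    /* Build the LocalSystem SID (S-1-5-18) that the server is required to run as. */
    status = _RtlAllocateAndInitializeSid(
        &NtSidAuthority,
        1,
        SECURITY_LOCAL_SYSTEM_RID,
        0, 0, 0, 0, 0, 0, 0,
        &SystemSid
    );
    if (!NT_SUCCESS(status)) {
        printf("Couldn't allocate SID, status: 0x%lx\n", (unsigned long)status);
        goto cleanup;
    }

    /* Connect to the port. SystemSid is the required server SID: the kernel
     * rejects the connect if the port's server does not run under it. */
    status = _NtSecureConnectPort(
        pCsrPortHandle,
        &CsrPortName,
        &SecurityQos,
        &LpcWrite,
        SystemSid,
        &LpcRead,
        NULL,
        &ConnectionInfo,
        &ConnectionInfoLength
    );
    if (!NT_SUCCESS(status)) {
        printf("Couldn't connect to CSR port, status: 0x%lx\n", (unsigned long)status);
        goto cleanup;
    }
    /* HANDLE is pointer-sized; %p avoids the truncated/UB %x on x64. */
    printf("Got Csr port handle: %p\n", (void *)*pCsrPortHandle);

cleanup:
    /* free(NULL) is a no-op, so no guard is needed. The section handle is
     * released on every path, including success, as in the original sequence. */
    free(CsrPortName.imgBuffer);
    if (CsrSectionHandle) {
        _NtClose(CsrSectionHandle);
    }
    if (SystemSid) {
        _RtlFreeSid(SystemSid);
    }
    return status;
}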