Last active
May 24, 2022 06:28
-
-
Save bitRAKE/d4c7e6d91adc963af8486d0abefc9e65 to your computer and use it in GitHub Desktop.
Checks if the current process in running with elevation ...
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ; kernel32.dll, advapi32.dll, 79 bytes | |
| CheckElevation: | |
| virtual at RBP-.FRAME | |
| rq 4 | |
| .P5 dq ? | |
| .hTok dq ? ; HANDLE | |
| .tLen dd ? | |
| .tInfo TOKEN_ELEVATION | |
| _align 16 | |
| .FRAME := $ - $$ | |
| end virtual | |
| enter .FRAME,0 | |
| GetCurrentProcess | |
| xchg rcx,rax | |
| OpenProcessToken rcx, TOKEN_QUERY, ADDR .hTok | |
| xchg ecx,eax ; BOOL | |
| jrcxz .fail | |
| GetTokenInformation [.hTok], TokenElevation,\ | |
| ADDR .tInfo, sizeof TOKEN_ELEVATION, ADDR .tLen | |
| test eax,eax ; BOOL | |
| jnz .close_handle | |
| ; forward function fail | |
| mov [.tInfo.TokenIsElevated],eax | |
| .close_handle: | |
| CloseHandle [.hTok] | |
| mov ecx,[.tInfo.TokenIsElevated] | |
| .fail: | |
| leave | |
| retn | |
| ; result in ECX, use JRCXZ to respond to boolean value |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment