/enum_process_mitigation.cpp Secret
A simple program for enumerating existing mitigations present within a process.
#include <iostream> | |
#include <Windows.h> | |
#include <tlhelp32.h> | |
#include <processthreadsapi.h> | |
// Enables a single named privilege (e.g. SE_DEBUG_NAME) on hToken; defined after main().
bool SetPrivilege(HANDLE hToken, LPCTSTR lpszPrivilege);
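/**
 * Print which dynamic-code (ACG) and binary-signature mitigation policies are
 * set on one process.
 *
 * @param pid  Process id handed to OpenProcess.
 * @param exe  Image name used as the label on each output line.
 *
 * Only PROCESS_QUERY_INFORMATION is requested, which is what
 * GetProcessMitigationPolicy needs. Any failure is reported on stdout and the
 * process is skipped; the process handle is closed on every path.
 */
void GetProtection(int pid, const char *exe) {
    PROCESS_MITIGATION_DYNAMIC_CODE_POLICY dynamicCodePolicy = {};
    PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY signaturePolicy = {};

    // OpenProcess reports failure with NULL, not INVALID_HANDLE_VALUE.
    HANDLE pHandle = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, (DWORD)pid);
    if (pHandle == NULL) {
        printf("[!] Error opening handle to %d\n", pid);
        return;
    }

    // Mitigation policy for ACG (dynamic code generation).
    if (!GetProcessMitigationPolicy(pHandle, ProcessDynamicCodePolicy,
                                    &dynamicCodePolicy, sizeof(dynamicCodePolicy))) {
        // GetLastError() returns a DWORD, so format it as unsigned long.
        printf("[!] Could not enum PID %d [%lu]\n", pid, GetLastError());
        CloseHandle(pHandle);
        return;
    }

    // Mitigation policy restricting which images may be loaded.
    if (!GetProcessMitigationPolicy(pHandle, ProcessSignaturePolicy,
                                    &signaturePolicy, sizeof(signaturePolicy))) {
        printf("[!] Could not enum PID %d [%lu]\n", pid, GetLastError());
        CloseHandle(pHandle);
        return;
    }

    // Both queries are done; nothing below needs the handle.
    CloseHandle(pHandle);

    if (dynamicCodePolicy.ProhibitDynamicCode) {
        printf("[%s] - ProhibitDynamicCode\n", exe);
    }
    if (dynamicCodePolicy.AllowRemoteDowngrade) {
        printf("[%s] - AllowRemoteDowngrade\n", exe);
    }
    if (dynamicCodePolicy.AllowThreadOptOut) {
        printf("[%s] - AllowThreadOptOut\n", exe);
    }

    if (signaturePolicy.AuditMicrosoftSignedOnly) {
        printf("[%s] - AuditMicrosoftSignedOnly\n", exe);
    }
    if (signaturePolicy.AuditStoreSignedOnly) {
        printf("[%s] - AuditStoreSignedOnly\n", exe);
    }
    if (signaturePolicy.MicrosoftSignedOnly) {
        printf("[%s] - MicrosoftSignedOnly\n", exe);
    }
    if (signaturePolicy.MitigationOptIn) {
        printf("[%s] - MitigationOptIn\n", exe);
    }
    if (signaturePolicy.StoreSignedOnly) {
        printf("[%s] - StoreSignedOnly\n", exe);
    }
}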
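/**
 * Entry point: walk every running process via a Toolhelp snapshot and print
 * the mitigation policies each one has set.
 *
 * @return 0 on success, 1 if the current process token cannot be opened,
 *         2 if the snapshot cannot be created, 3 if the snapshot is empty.
 */
int main()
{
    HANDLE accessToken = NULL;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &accessToken)) {
        printf("[!] Error opening process token\n");
        return 1;
    }

    // Best effort: SeDebugPrivilege lets us open more (system/protected)
    // processes. Without it, those processes just fail in GetProtection, so
    // the result is deliberately not treated as fatal here.
    SetPrivilege(accessToken, SE_DEBUG_NAME);
    CloseHandle(accessToken);

    // Snapshot of the running processes to enumerate.
    HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPALL, 0);
    if (snapshot == INVALID_HANDLE_VALUE) {
        printf("[!] Error: CreateToolhelp32Snapshot\n");
        return 2;
    }

    PROCESSENTRY32 ppe = {};
    ppe.dwSize = sizeof(PROCESSENTRY32);
    // Process32First can fail; iterating on a stale entry would be garbage.
    if (!Process32First(snapshot, &ppe)) {
        printf("[!] Error: Process32First [%lu]\n", GetLastError());
        CloseHandle(snapshot);
        return 3;
    }

    do {
        // Enumerate mitigations for this process.
        GetProtection(ppe.th32ProcessID, ppe.szExeFile);
    } while (Process32Next(snapshot, &ppe));

    CloseHandle(snapshot);
    return 0;
}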
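/**
 * Enable one named privilege on an access token.
 *
 * @param hToken         Token opened with at least TOKEN_ADJUST_PRIVILEGES.
 * @param lpszPrivilege  Privilege name, e.g. SE_DEBUG_NAME.
 * @return true if the privilege is now enabled, false otherwise (the reason
 *         is printed to stdout).
 */
bool SetPrivilege(HANDLE hToken, LPCTSTR lpszPrivilege) {
    LUID luid;
    if (!LookupPrivilegeValue(NULL, lpszPrivilege, &luid)) {
        // GetLastError() is a DWORD; format as unsigned long.
        printf("[!] LookupPrivilegeValue error: %lu\n", GetLastError());
        return false;
    }

    TOKEN_PRIVILEGES tp = {};
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Luid = luid;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

    if (!AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), NULL, NULL)) {
        printf("[!] AdjustTokenPrivileges error: %lu\n", GetLastError());
        return false;
    }

    // AdjustTokenPrivileges returns TRUE even when the token does not hold the
    // privilege at all; that case is only reported via ERROR_NOT_ALL_ASSIGNED.
    if (GetLastError() == ERROR_NOT_ALL_ASSIGNED) {
        printf("[!] AdjustTokenPrivileges error: privilege not held by token\n");
        return false;
    }

    return true;
}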