Process Hacker Discussion Forum

 
User avatar
diversenok
Contributor
Posts: 49
Joined: 26 Jun 2017 17:55
OS: Windows 7 x64
Contact:

Not truly constant columns

10 Jul 2017 14:33

Let's continue our bug-fix marathon ;)

:arrow:  Process Hacker 2.39 & 3.0.782

The main tree view contains several columns that are not updated even by the refresh button. And some of them are not truly constant. If you change the integrity of a process in the Token tab, it won't be updated in the appropriate column of the main window.

Actually, the same thing can happen with the User name column, but in much rarer situations. When Sandboxie forces programs to run sandboxed, it changes the token on the fly, so PH can show incorrect information in that case. It may seem strange, especially without the Sandboxie plugin. Oh, and also: where is this plugin in the nightly builds' plugin system? I just copied SbieSupport.dll from the stable release and it works fine, but I couldn't see it in the list.

 
User avatar
dmex
Admin
Posts: 1698
Joined: 17 Jan 2011 05:43

Re: Not truly constant columns

28 Jul 2017 05:28

diversenok wrote: 10 Jul 2017 14:33
When Sandboxie forces programs to run sandboxed, it changes token on the fly
How do you make Sandboxie use a different process token?
 
User avatar
diversenok
Contributor
Posts: 49
Joined: 26 Jun 2017 17:55
OS: Windows 7 x64
Contact:

Re: Not truly constant columns

05 Aug 2017 19:25

All sandboxed processes use a token with the "NT AUTHORITY\ANONYMOUS LOGON" user, and only because of virtualization do they think it's the token of the current user. The Pro version of Sandboxie can intercept any program execution and force it to run inside the sandbox. However, the standard version provides this mechanism too. If you put an executable file somewhere into "C:\Sandbox\%USER%\%SANDBOX%\" and execute it from an unsandboxed application, Sandboxie will change its token on the fly and put this program to run inside its sandbox.
 
User avatar
diversenok
Contributor
Posts: 49
Joined: 26 Jun 2017 17:55
OS: Windows 7 x64
Contact:

Re: Not truly constant columns

09 Nov 2018 17:15

Oh, I've just found a reliable and easy way to alter the user of a process and to make PH show outdated information in the main process list. Actually, someone could've used it to partially hide highly privileged processes from PH or Process Explorer by making them seem to be running with lower privileges.
Well, at least when you look at them via the main process list. :roll:

The idea is that until the process's token is locked, you can easily assign a new one to it. So, the steps are the following:

1) Create a new suspended process under an ordinary, low-privileged user;
2) Wait until PH queries the information for the token-related columns;
3) Change the token to a highly privileged one, maybe even from another user;
4) Resume the process, which locks the token. PH will continue to show the outdated information. :twisted:

Here is a small program that assigns tokens to experiment with.

Funny situation: the token's user and elevation are not changeable, so it seems reasonable to query them only once. However, the token itself can be changed even without any additional privileges.
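The defensive side of the point above is that a monitoring tool must not cache token-derived attributes (user, integrity level) from the moment it first sees a process, because a suspended process can receive a different primary token before it resumes. The following PowerShell script is an added example, not code from this thread or from Process Hacker: it re-reads the target's token user and integrity level on every poll via GetTokenInformation (TokenUser and TokenIntegrityLevel) and warns when either changes between polls. It assumes Windows PowerShell 5.1 or later and sufficient rights to open the target process's token (an elevated session for processes of other users); the function names, the poll interval and the PID in the usage line are placeholders of this example.

```powershell
# Added example (not from the thread or from Process Hacker).
# Polls a process's token user and integrity level, re-querying the live
# token each time instead of caching the first answer, and reports changes.
# Assumes: Windows PowerShell 5.1+, rights to open the target's token.

Add-Type -Namespace TokenProbe -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint desiredAccess, bool inheritHandle, uint processId);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool OpenProcessToken(IntPtr processHandle, uint desiredAccess, out IntPtr tokenHandle);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool GetTokenInformation(IntPtr tokenHandle, int tokenInformationClass, IntPtr tokenInformation, uint tokenInformationLength, out uint returnLength);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr handle);
'@

# Well-known integrity level RIDs (S-1-16-<rid>), for readable output.
$script:IntegrityNames = @{
    0 = 'Untrusted'; 4096 = 'Low'; 8192 = 'Medium'; 8448 = 'MediumPlus'
    12288 = 'High'; 16384 = 'System'; 20480 = 'Protected'
}

function Get-TokenSid {
    # Reads the SID at the start of a TOKEN_USER (class 1) or
    # TOKEN_MANDATORY_LABEL (class 25) buffer; both begin with SID_AND_ATTRIBUTES.
    param([IntPtr]$Token, [int]$InfoClass)
    $needed = [uint32]0
    [void][TokenProbe.Native]::GetTokenInformation($Token, $InfoClass, [IntPtr]::Zero, 0, [ref]$needed)
    if ($needed -eq 0) {
        throw "GetTokenInformation(class $InfoClass) size query failed, error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    $buf = [Runtime.InteropServices.Marshal]::AllocHGlobal([int]$needed)
    try {
        if (-not [TokenProbe.Native]::GetTokenInformation($Token, $InfoClass, $buf, $needed, [ref]$needed)) {
            throw "GetTokenInformation(class $InfoClass) failed, error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
        }
        $sidPtr = [Runtime.InteropServices.Marshal]::ReadIntPtr($buf)   # SID_AND_ATTRIBUTES.Sid
        New-Object System.Security.Principal.SecurityIdentifier($sidPtr)
    }
    finally { [Runtime.InteropServices.Marshal]::FreeHGlobal($buf) }
}

function Get-ProcessTokenInfo {
    param([Parameter(Mandatory)][int]$ProcessId)
    $PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
    $TOKEN_QUERY = 0x0008
    $proc = [TokenProbe.Native]::OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, $false, [uint32]$ProcessId)
    if ($proc -eq [IntPtr]::Zero) {
        throw "OpenProcess($ProcessId) failed, error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    $token = [IntPtr]::Zero
    try {
        if (-not [TokenProbe.Native]::OpenProcessToken($proc, $TOKEN_QUERY, [ref]$token)) {
            throw "OpenProcessToken($ProcessId) failed, error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
        }
        # Nothing is cached across calls: every poll reads the token the process holds now.
        $userSid  = Get-TokenSid -Token $token -InfoClass 1    # TokenUser
        $labelSid = Get-TokenSid -Token $token -InfoClass 25   # TokenIntegrityLevel
        $rid = [int]($labelSid.Value -split '-')[-1]
        $userName = try { $userSid.Translate([System.Security.Principal.NTAccount]).Value } catch { $userSid.Value }
        [pscustomobject]@{
            ProcessId = $ProcessId
            User      = $userName
            UserSid   = $userSid.Value
            Integrity = if ($script:IntegrityNames.ContainsKey($rid)) { $script:IntegrityNames[$rid] } else { "Unknown($rid)" }
        }
    }
    finally {
        if ($token -ne [IntPtr]::Zero) { [void][TokenProbe.Native]::CloseHandle($token) }
        [void][TokenProbe.Native]::CloseHandle($proc)
    }
}

function Watch-ProcessToken {
    param([Parameter(Mandatory)][int]$ProcessId, [int]$IntervalSeconds = 1, [int]$Polls = 30)
    $previous = Get-ProcessTokenInfo -ProcessId $ProcessId
    $previous | Format-Table -AutoSize | Out-String | Write-Host
    for ($i = 1; $i -lt $Polls; $i++) {
        Start-Sleep -Seconds $IntervalSeconds
        $current = Get-ProcessTokenInfo -ProcessId $ProcessId
        # A changed user SID or integrity level means a cached column would now be stale.
        if ($current.UserSid -ne $previous.UserSid -or $current.Integrity -ne $previous.Integrity) {
            Write-Warning ("PID {0}: token changed from {1} / {2} to {3} / {4}" -f $ProcessId,
                $previous.User, $previous.Integrity, $current.User, $current.Integrity)
        }
        $previous = $current
    }
}

# Usage (placeholder PID): Watch-ProcessToken -ProcessId 1234 -IntervalSeconds 1 -Polls 30
```

The script opens the process with PROCESS_QUERY_LIMITED_INFORMATION and the token with TOKEN_QUERY only, which is the minimum needed to read these two classes; it deliberately opens a fresh token handle per poll rather than holding one, since a handle opened before the token swap would keep describing the old token.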
 
User avatar
dmex
Admin
Posts: 1698
Joined: 17 Jan 2011 05:43

Re: Not truly constant columns

12 Nov 2018 22:01

diversenok wrote: 09 Nov 2018 17:15
partially hide highly privileged processes from PH
It would have been nice to give us a heads-up first before posting it on a public forum
(especially since I'm in the UK right now and not checking the forum, just the GitHub issues) :?
diversenok wrote: 09 Nov 2018 17:15
Here is a small program that assigns tokens to experiment with.
Why does the code call NtGetNextThread? It doesn't seem to be related to the issue.
diversenok wrote: 09 Nov 2018 17:15
the token's user and elevation are not changeable, so it seems to be reasonable to query them only once. However, the token itself can be changed even without any additional privileges.
This is an easy fix and I'll try to push those commits tomorrow (when I have decent reception). Thanks for finding/reporting the issue :thumbup:
 
User avatar
diversenok
Contributor
Posts: 49
Joined: 26 Jun 2017 17:55
OS: Windows 7 x64
Contact:

Re: Not truly constant columns

13 Nov 2018 19:05

dmex wrote: 12 Nov 2018 22:01
It would have been nice to give us a heads-up first before posting it on a public forum
Sorry, I didn't think about it. The main point about hiding a highly privileged process is that you already need to have one under your control. SeAssignPrimaryTokenPrivilege is required to assign something different from your current token, so either you are an admin (and thus can do a lot of more interesting things) or you can alter only unimportant information. But I get it, I should've written to you by e-mail first, sorry.
dmex wrote: 12 Nov 2018 22:01
Why does the code call NtGetNextThread? It doesn't seem to be related to the issue.
NtSetInformationProcess requires both a process handle and its initial thread handle, besides the token itself.
dmex wrote: 12 Nov 2018 22:01
This is an easy fix and I'll try to push those commits tomorrow
Thanks, the fix mostly works; however, the username column is still not updated properly.