Process Hacker and Windows discussion

 
Emile
New User
Posts: 2
Joined: 28 Sep 2017 16:05

OpenProcess Windows 10

28 Sep 2017 16:13

Hello,

I am trying to understand how PH is able to open any process on Windows 10 to get the command line (for example) of processes like smss.exe or csrss.exe.
I tried to use AdjustTokenPrivileges to set the SEDEBUG token on my program, but this only works on Windows 7.
If I try to open the smss.exe process with PROCESS_VM_READ it always says Access denied; I can only use PROCESS_QUERY_LIMITED_INFORMATION.
Can you please explain to me how PH is able to do an OpenProcess on any process (without a kernel driver)?

Regards,
 
dmex
Admin
Posts: 1552
Joined: 17 Jan 2011 05:43
Location: Australia

Re: OpenProcess Windows 10

28 Sep 2017 21:26

I am trying to understand how PH is able to open any process on Windows 10 to get the command line (for example) of processes like smss.exe or csrss.exe.
You open a handle with PROCESS_QUERY_LIMITED_INFORMATION access and use NtQueryInformationProcess with the ProcessCommandLineInformation class. You will get a UNICODE_STRING with the command line for that process.
I tried to use AdjustTokenPrivileges to set SEDEBUG token on my program but this only works on Windows 7.
That's the legacy behavior on Windows 7 (se_debug) since it doesn't have the ProcessCommandLineInformation class. You will need to continue using the legacy behavior on Windows 7 and use the newer behavior on Windows 10.
Can you please explain me how PH is able to do an OpenProcess on any process (without Kernel driver).
It doesn't since there are information classes available to query the information.
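The query dmex describes, as an added example written for this thread (it is not Process Hacker's code and not from the original post). It opens the target with PROCESS_QUERY_LIMITED_INFORMATION only and asks ntdll for ProcessCommandLineInformation through a small P/Invoke wrapper. The class name ProcQuery, the function name Get-ProcessCommandLineNative and the result object layout are my own choices; the constants (0x1000, information class 60, STATUS_INFO_LENGTH_MISMATCH) are the documented Windows values. It assumes Windows 8.1 or later and Windows PowerShell 5.1 or PowerShell 7 on Windows.

```powershell
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;

public static class ProcQuery
{
    // Layout of the UNICODE_STRING header that ProcessCommandLineInformation returns.
    [StructLayout(LayoutKind.Sequential)]
    public struct UNICODE_STRING
    {
        public ushort Length;         // string length in bytes, no terminator
        public ushort MaximumLength;
        public IntPtr Buffer;         // points just past this header, inside the same allocation
    }

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint desiredAccess, bool inheritHandle, uint processId);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr handle);

    // NTSTATUS is 32 bits; declared int so PowerShell's Int32 hex literals compare directly.
    [DllImport("ntdll.dll")]
    public static extern int NtQueryInformationProcess(IntPtr processHandle, int processInformationClass,
        IntPtr processInformation, int processInformationLength, out int returnLength);
}
'@

function Get-ProcessCommandLineNative {
    [CmdletBinding()]
    param([Parameter(Mandatory)][int]$ProcessId)

    $PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
    $ProcessCommandLineInformation     = 60           # PROCESSINFOCLASS member, Windows 8.1 and later
    $STATUS_INFO_LENGTH_MISMATCH       = 0xC0000004   # PowerShell parses this as the Int32 -1073741820
    $M = [System.Runtime.InteropServices.Marshal]

    $result = [pscustomobject]@{ ProcessId = $ProcessId; CommandLine = $null; Error = $null }

    # Only limited query access is requested; PROCESS_VM_READ is not needed for this class.
    $h = [ProcQuery]::OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, $false, [uint32]$ProcessId)
    if ($h -eq [IntPtr]::Zero) {
        $code = $M::GetLastWin32Error()
        $result.Error = "OpenProcess failed with Win32 error $code"
        if ($code -eq 5) { $result.Error += ' (ERROR_ACCESS_DENIED: the process ACL does not grant this access to your token)' }
        return $result
    }

    $buf = [IntPtr]::Zero
    try {
        # Start with a modest buffer and grow it once if ntdll answers STATUS_INFO_LENGTH_MISMATCH,
        # the usual retry pattern for variable-size information classes.
        $size   = 1024
        $needed = 0
        foreach ($attempt in 1, 2) {
            $buf    = $M::AllocHGlobal($size)
            $status = [ProcQuery]::NtQueryInformationProcess($h, $ProcessCommandLineInformation, $buf, $size, [ref]$needed)
            if ($status -ne $STATUS_INFO_LENGTH_MISMATCH) { break }
            $M::FreeHGlobal($buf); $buf = [IntPtr]::Zero
            $size = $needed
        }
        if ($status -ne 0) {
            $result.Error = 'NtQueryInformationProcess returned NTSTATUS 0x{0:X8}' -f $status
            return $result
        }
        # The buffer holds a UNICODE_STRING header followed by the characters it points to.
        $us = $M::PtrToStructure($buf, [type][ProcQuery+UNICODE_STRING])
        $result.CommandLine = $M::PtrToStringUni($us.Buffer, [int]($us.Length / 2))
        return $result
    }
    finally {
        if ($buf -ne [IntPtr]::Zero) { $M::FreeHGlobal($buf) }
        [void][ProcQuery]::CloseHandle($h)
    }
}

# Constructed usage: ordinary processes return their command line; a process whose ACL
# withholds even limited query access (csrss, see the later posts) reports ERROR_ACCESS_DENIED.
Get-Process -Name smss, csrss, explorer -ErrorAction SilentlyContinue |
    ForEach-Object { Get-ProcessCommandLineNative -ProcessId $_.Id } |
    Format-Table -AutoSize
```

The function never reads the target's PEB, which is why PROCESS_VM_READ is not requested: the kernel copies the command line out on the caller's behalf, and the returned UNICODE_STRING's Buffer pointer refers to memory inside the buffer you allocated, not to the other process. On Windows 7 the class does not exist and the call fails, which is the legacy case dmex mentions.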
 
Emile
New User
Posts: 2
Joined: 28 Sep 2017 16:05

Re: OpenProcess Windows 10

29 Sep 2017 10:24

Thanks a lot, I have to get the command line from NtQueryInformationProcess instead of getting the PEB and reading the PEB :)
 
Camey
Member
Posts: 8
Joined: 30 Sep 2017 08:12
OS: Windows 10 64bits
Location: France

Re: OpenProcess Windows 10

08 Oct 2017 08:40

Hi.

I'm interested in that too. If I'm not talking bullshit, you can't open CSRSS on Windows 10; it only works on W7 (for me). Instead of using CSRSS on W10, you have to find a SVCHOST with ALL_ACCESS (like CSRSS on W7).
So I'm trying to code a program that can find the right SVCHOST directly without using Process Hacker's find handle feature. But I have a problem with access rights (that's normal), and when I'm checking all processes on my system, I just can't find any protected process. So I'm investigating how to do it like Process Hacker does.

I don't understand the reply "It doesn't since there are information classes available to query the information". Can you explain it more please? Or explain how to get the "information classes"?
Can you confirm if PH is using SEDEBUG_PRIVILEGE to do it (on W10)? Or are you using a different method (without kernel)?
I don't understand everything for now, so please don't be rude, I'm learning :)

Thank you.
 
dmex
Admin
Posts: 1552
Joined: 17 Jan 2011 05:43
Location: Australia

Re: OpenProcess Windows 10

09 Oct 2017 01:11

Can you confirm if PH are using SEDEBUG_PRIVILEGE to do it (on W10)?
Yes.
I don't understand the reply "It doesn't since there are information classes available to query the information". Can you explain it more please? Or explain how to get the "information classes"?
It depends what you're actually trying to do. Emile was trying to query the command line, and there are information classes for querying that information without OpenProcess access. If you're trying to query something else then it probably has different requirements.
 
Camey
Member
Posts: 8
Joined: 30 Sep 2017 08:12
OS: Windows 10 64bits
Location: France

Re: OpenProcess Windows 10

11 Oct 2017 09:51

Thank you for your reply, now I know it's the way! ;)
 
zer0cat
Member
Posts: 3
Joined: 03 May 2020 17:50
OS: windows 10 64bit
Location: exUSSR

Re: OpenProcess Windows 10

03 May 2020 17:55

Hello
I can't understand.. I run the program with Admin rights, but calling OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION.. ) on csrss returns ERROR_ACCESS_DENIED.
Why? I only use QUERY_LIMITED_INFORMATION, no ALL_ACCESS or other..
Must I have DEBUG PRIVILEGE even for this?

OS is Windows 10.
 
dmex
Admin
Posts: 1552
Joined: 17 Jan 2011 05:43
Location: Australia

Re: OpenProcess Windows 10

05 May 2020 12:02

calling OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION.. ) on csrss returns ERROR_ACCESS_DENIED.
Why? I only use QUERY_LIMITED_INFORMATION, no ALL_ACCESS or other..
Must I have DEBUG PRIVILEGE even for this?

OS is Windows 10.

The ACL for the csrss.exe process doesn't allow query_limited access for anyone except the System user:
https://i.imgur.com/XDKMprh.png

I must have DEBUG PRIVILEGE even for this?

The debug privilege simply bypasses the ACL check, but you can also change the ACL for the process or use a process running as the SYSTEM user.
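To see the ACL dmex is talking about from your own code rather than from a screenshot, here is an added example (mine, not Process Hacker's and not from this thread) that opens a process for READ_CONTROL, copies its security descriptor with GetKernelObjectSecurity, and lists every ACE with a flag for whether it grants PROCESS_QUERY_LIMITED_INFORMATION. The class name ProcSec and the function name Get-ProcessDacl are my own; the -UseDebugPrivilege switch calls the documented .NET method System.Diagnostics.Process.EnterDebugMode, which enables SeDebugPrivilege on the current process and therefore requires an elevated token that holds that privilege. It assumes Windows 10 and Windows PowerShell 5.1 or PowerShell 7 on Windows.

```powershell
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;

public static class ProcSec
{
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint desiredAccess, bool inheritHandle, uint processId);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr handle);

    // Copies the process object's self-relative security descriptor into the caller's buffer.
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool GetKernelObjectSecurity(IntPtr handle, uint securityInformation,
        byte[] securityDescriptor, uint length, out uint lengthNeeded);
}
'@

function Get-ProcessDacl {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][int]$ProcessId,
        # Enables SeDebugPrivilege for this process; needs an elevated token that holds it.
        [switch]$UseDebugPrivilege
    )

    $READ_CONTROL                      = 0x20000
    $PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
    $OWNER_AND_DACL                    = 0x1 -bor 0x4   # OWNER_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION
    $ERROR_INSUFFICIENT_BUFFER         = 122
    $M = [System.Runtime.InteropServices.Marshal]

    if ($UseDebugPrivilege) { [System.Diagnostics.Process]::EnterDebugMode() }

    # Reading the DACL itself needs READ_CONTROL, which the csrss ACL also withholds from
    # administrators; with SeDebugPrivilege enabled the access check is bypassed.
    $h = [ProcSec]::OpenProcess($READ_CONTROL, $false, [uint32]$ProcessId)
    if ($h -eq [IntPtr]::Zero) {
        throw "OpenProcess($ProcessId, READ_CONTROL) failed with Win32 error $($M::GetLastWin32Error()) (5 = ERROR_ACCESS_DENIED)"
    }
    try {
        # First call with an empty buffer to learn the size, then fetch the descriptor.
        $needed = [uint32]0
        $bytes  = New-Object byte[] 0
        if (-not [ProcSec]::GetKernelObjectSecurity($h, $OWNER_AND_DACL, $bytes, 0, [ref]$needed)) {
            if ($M::GetLastWin32Error() -ne $ERROR_INSUFFICIENT_BUFFER) { throw "GetKernelObjectSecurity failed: $($M::GetLastWin32Error())" }
            $bytes = New-Object byte[] $needed
            if (-not [ProcSec]::GetKernelObjectSecurity($h, $OWNER_AND_DACL, $bytes, $needed, [ref]$needed)) {
                throw "GetKernelObjectSecurity failed: $($M::GetLastWin32Error())"
            }
        }
    }
    finally { [void][ProcSec]::CloseHandle($h) }

    # Parse the self-relative descriptor with .NET and list each ACE with the rights it grants.
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($bytes, 0)
    if ($null -eq $sd.DiscretionaryAcl) { Write-Warning "PID $ProcessId has a NULL DACL: everyone gets full access"; return }
    foreach ($ace in $sd.DiscretionaryAcl) {
        $account = $(try { $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value } catch { $ace.SecurityIdentifier.Value })
        [pscustomobject]@{
            ProcessId          = $ProcessId
            Owner              = $sd.Owner.Value
            AceType            = $ace.AceType
            Account            = $account
            AccessMask         = '0x{0:X}' -f $ace.AccessMask
            GrantsQueryLimited = ($ace.AceType -eq 'AccessAllowed') -and (($ace.AccessMask -band $PROCESS_QUERY_LIMITED_INFORMATION) -ne 0)
        }
    }
}

# Constructed usage from an elevated PowerShell: the first call fails with ERROR_ACCESS_DENIED
# because the token's privilege is not enabled, the second lists the ACEs (SYSTEM only on csrss).
$csrss = (Get-Process -Name csrss | Select-Object -First 1).Id
try { Get-ProcessDacl -ProcessId $csrss } catch { Write-Warning $_ }
Get-ProcessDacl -ProcessId $csrss -UseDebugPrivilege | Format-Table -AutoSize
```

The output is the same information the Process Hacker security properties dialog shows: the owner SID and each ACE's account and access mask. Running it from a SYSTEM context (for example a service) succeeds without the switch, which matches dmex's second suggestion; EnterDebugMode only enables a privilege the token already holds, so a non-elevated shell still fails on the first OpenProcess.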
 
zer0cat
Member
Posts: 3
Joined: 03 May 2020 17:50
OS: windows 10 64bit
Location: exUSSR

Re: OpenProcess Windows 10

08 May 2020 13:18

Thank you, but I still don't fully understand.. Why do I have administrator rights (READ permission) in this process? I look through the Process Hacker security properties. Or where should I look? https://imgur.com/a/D624Rd
 
dmex
Admin
Posts: 1552
Joined: 17 Jan 2011 05:43
Location: Australia

Re: OpenProcess Windows 10

08 May 2020 13:47

Your screenshot doesn't work.
 
zer0cat
Member
Posts: 3
Joined: 03 May 2020 17:50
OS: windows 10 64bit
Location: exUSSR

Re: OpenProcess Windows 10

08 May 2020 19:11