Using Windows hooks, I send messages to my application, which is notified about Windows events by every application on the system.

To marshal the message parameters, I use shared memory. The external process calls DuplicateHandle, but to share the handle with my application instance it must call OpenProcess with the PROCESS_DUP_HANDLE access right.

Actually, every application is able to send messages using this architecture, although I need to enable SeDebugPrivilege for the external process. It works, except for the 'explorer' process, which doesn't have the SeDebugPrivilege token...

The documentation of AdjustTokenPrivileges states:

The AdjustTokenPrivileges function cannot add new privileges to the access token. It can only enable or disable the token's existing privileges. To determine the token's privileges, call the GetTokenInformation function.

So, the question is... how to add the SeDebugPrivilege token to the 'explorer' process, or alternatively, how to allow the 'explorer' process to call OpenProcess(PROCESS_DUP_HANDLE, FALSE, pId)?

+1  A: 

Is this what you're trying to accomplish?

  1. Create a block of shared memory in the "external" process.
  2. Use DuplicateHandle to create a handle to that memory in your application
  3. Use a window message to send the handle value to your application
  4. Access the shared memory in your application

If I've understood correctly, then you don't need to open the handle to your application process at all. Instead, just give the shared memory block a deterministic name, such as SharedMem_XXX where XXX is the PID of the external process. Then, send the PID to your application using a window message. It can then recreate the name and use it to open the shared memory block.

Peter Ruderman
Nice solution, but this will work only if I use SendMessage and not if I use PostMessage, since the application could send more than one message before the application processes the messages. I'll try to replace PostMessage with SendMessage and see if system performance is affected. Thank you for being illuminating!
Luca
You're welcome. I don't quite understand what you mean by PostMessage versus SendMessage, but this may have to do with your architecture. If you could provide more details about what you're trying to accomplish, I could probably be more helpful.
Peter Ruderman
Depending on exactly what you're doing, there are other IPC mechanisms that might suit your needs better, such as Window Messages, Named Pipes, or Remote Procedure Calls.
Peter Ruderman
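The scheme from this answer, written out as an added C# example (constructed for this page, not code from the answer's author). It generalizes the single SharedMem_XXX name slightly: the block name carries the sender's PID and a per-sender sequence number, so several posted messages can be in flight before the receiver handles them, which is the PostMessage concern raised in the comments. The class and method names (NamedSharedMemoryIpc, Publish, Consume, BlockName) are assumptions; both sides run in one process here, and the two integers that Publish returns are the values that would travel in the window message (for example as wParam and lParam).

```csharp
using System;
using System.Diagnostics;
using System.IO.MemoryMappedFiles;
using System.Text;
using System.Threading;

// Constructed example: sender ("external" process) and receiver of the named
// shared-memory scheme, shown in one process for demonstration.
public static class NamedSharedMemoryIpc
{
    // Deterministic name built from the sender PID plus a sequence number, so that
    // messages posted back-to-back do not overwrite each other's parameters.
    // "Local\" keeps the object in the caller's session namespace.
    public static string BlockName(int senderPid, int sequence)
    {
        return string.Format("Local\\SharedMem_{0}_{1}", senderPid, sequence);
    }

    private static int _sequence;

    // Sender: create the block, write the marshalled parameters (length-prefixed bytes)
    // and hand back the PID and sequence number to put in the window message.
    // The returned MemoryMappedFile must stay alive until the receiver has opened it.
    public static MemoryMappedFile Publish(string payload, out int senderPid, out int sequence)
    {
        senderPid = Process.GetCurrentProcess().Id;
        sequence = Interlocked.Increment(ref _sequence);
        byte[] bytes = Encoding.UTF8.GetBytes(payload);

        // CreateNew fails if the name already exists: we never reuse a block that
        // some other process created under "our" name.
        MemoryMappedFile mmf = MemoryMappedFile.CreateNew(BlockName(senderPid, sequence),
                                                          sizeof(int) + bytes.Length);
        using (MemoryMappedViewAccessor view = mmf.CreateViewAccessor())
        {
            view.Write(0, bytes.Length);                          // length prefix
            view.WriteArray(sizeof(int), bytes, 0, bytes.Length); // payload
        }
        return mmf;
    }

    // Receiver: rebuild the name from the two values carried in the window message,
    // open the block read-only and read the payload back.
    public static string Consume(int senderPid, int sequence)
    {
        using (MemoryMappedFile mmf = MemoryMappedFile.OpenExisting(BlockName(senderPid, sequence),
                                                                    MemoryMappedFileRights.Read))
        using (MemoryMappedViewAccessor view = mmf.CreateViewAccessor(0, 0, MemoryMappedFileAccess.Read))
        {
            int length = view.ReadInt32(0);
            byte[] bytes = new byte[length];
            view.ReadArray(sizeof(int), bytes, 0, length);
            return Encoding.UTF8.GetString(bytes);
        }
    }

    public static void Main()
    {
        int pid, seq;
        // Constructed sample payload standing in for the hook's marshalled parameters.
        using (MemoryMappedFile block = Publish("hook event: WM_ACTIVATE hwnd=0x1234", out pid, out seq))
        {
            // In the real design 'pid' and 'seq' would now be sent to the receiving
            // window; here the receiver is called directly.
            Console.WriteLine(Consume(pid, seq));
        }
    }
}
```

Because the receiver opens the block by name, neither side needs a handle to the other process, so neither SeDebugPrivilege nor PROCESS_DUP_HANDLE is involved. The sender owns the block's lifetime and must keep it open until the receiver has read it; with PostMessage that means keeping a small table of published blocks and releasing each one after an acknowledgement, rather than disposing it right after posting.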
+2  A: 

I don't understand why you don't use named shared memory. If your shared memory objects have a name, then these objects can be opened without using DuplicateHandle.

If you do have to use DuplicateHandle and need to be able to use OpenProcess(PROCESS_DUP_HANDLE, FALSE, pId) inside of any process, I think you should not use SeDebugPrivilege. Instead, you should grant PROCESS_DUP_HANDLE permission to Everyone for the process with pId. If you create the process, you can specify a security descriptor. If the process is already created, you can use OpenProcess, GetSecurityInfo (see http://msdn.microsoft.com/en-us/library/aa446654.aspx) and SetSecurityInfo to modify the security descriptor of the process.

To test this approach you can just start Process Explorer (see http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx) with administrative rights, open the Security tab of the selected process (the process with pId) and modify its security descriptor. After that, all processes will be able to use OpenProcess(PROCESS_DUP_HANDLE, FALSE, pId) without enabling SeDebugPrivilege.

Oleg
It seems to be exactly what I need! What SID corresponds to PROCESS_DUP_HANDLE? (I'm unable to modify the process SID with ProcEx... :()
Luca
PROCESS_DUP_HANDLE is an access mask that specifies the access rights controlled by the ACE (see http://msdn.microsoft.com/en-us/library/aa374868.aspx). The SID you choose can be the well-known SID of the Everyone group (see http://msdn.microsoft.com/en-us/library/aa379649.aspx). If you are not familiar with Security Descriptors, I recommend you use ConvertStringSidToSid or ConvertStringSecurityDescriptorToSecurityDescriptor where it is possible and use the Security Descriptor Definition Language (SDDL) (see http://msdn.microsoft.com/en-us/library/aa379567.aspx).
Oleg
I found this: http://stackoverflow.com/questions/1909084/is-there-a-way-to-modify-a-process-dacl-in-c (the message destination is a managed process). It works, but I cannot set up the access mask for WellKnownSidType.LogonIdsSid, which 'explorer' belongs to (cannot create a SecurityIdentifier of type LogonIdsSid). Sigh.
Luca
You can use `WellKnownSidType.InteractiveSid` (NT AUTHORITY\INTERACTIVE) or `WellKnownSidType.WorldSid` (Everyone) instead of LogonIdsSid. It will also work.
Oleg
Yes, it works, but... if I run the application as "Administrator", the external application cannot call OpenProcess even if I give all permissions. It is reasonable, since a process with Administrator rights cannot be opened by a process with lower privilege.
Luca
Probably you should examine the security descriptor of the process running under "Administrator" for deny entries (deny ACEs) and remove them in exactly the same way as you add entries.
Oleg
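An added C# example of the approach in this answer and its comments (the DACL grant, the SDDL form mentioned for inspection, and the check for deny entries in the last comment); it is constructed for this page and is neither Oleg's code nor the code from the linked question. Since the message destination is a managed process, it uses the .NET access-control classes rather than calling GetSecurityInfo/SetSecurityInfo directly: a NativeObjectSecurity subclass over ResourceType.KernelObject reads and writes the process DACL. The types ProcessAccessRights, ProcessAccessRule, ProcessSecurity and ProcessDacl are assumed names; the rights values come from the Win32 SDK headers. The receiving application grants PROCESS_DUP_HANDLE on itself to NT AUTHORITY\INTERACTIVE, which covers the logged-on user's processes (explorer included) and is narrower than Everyone.

```csharp
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Security.AccessControl;
using System.Security.Principal;

// Process-specific access rights (values from the Win32 SDK headers); PROCESS_DUP_HANDLE = 0x0040.
[Flags]
public enum ProcessAccessRights
{
    Terminate               = 0x0001,
    VmRead                  = 0x0010,
    DupHandle               = 0x0040,
    QueryInformation        = 0x0400,
    QueryLimitedInformation = 0x1000,
    ReadControl             = 0x00020000,
    WriteDac                = 0x00040000,
    Synchronize             = 0x00100000,
}

public sealed class ProcessAccessRule : AccessRule
{
    public ProcessAccessRule(IdentityReference identity, ProcessAccessRights rights, AccessControlType type)
        : base(identity, (int)rights, false, InheritanceFlags.None, PropagationFlags.None, type) { }

    internal ProcessAccessRule(IdentityReference identity, int accessMask, bool isInherited,
                               InheritanceFlags inheritance, PropagationFlags propagation, AccessControlType type)
        : base(identity, accessMask, isInherited, inheritance, propagation, type) { }

    public ProcessAccessRights Rights { get { return (ProcessAccessRights)AccessMask; } }
}

// Wraps the DACL of a process object so it can be read and modified with the .NET
// access-control classes (GetSecurityInfo/SetSecurityInfo underneath).
public sealed class ProcessSecurity : NativeObjectSecurity
{
    public ProcessSecurity(SafeHandle processHandle)                 // handle needs READ_CONTROL
        : base(false, ResourceType.KernelObject, processHandle, AccessControlSections.Access) { }

    public void AddAccessRule(ProcessAccessRule rule) { base.AddAccessRule(rule); }
    public bool RemoveAccessRule(ProcessAccessRule rule) { return base.RemoveAccessRule(rule); }
    public void Save(SafeHandle processHandle)                       // handle needs WRITE_DAC
    { Persist(processHandle, AccessControlSections.Access); }

    public override Type AccessRightType { get { return typeof(ProcessAccessRights); } }
    public override Type AccessRuleType  { get { return typeof(ProcessAccessRule); } }
    public override Type AuditRuleType   { get { return typeof(AuditRule); } }

    public override AccessRule AccessRuleFactory(IdentityReference identity, int accessMask, bool isInherited,
        InheritanceFlags inheritance, PropagationFlags propagation, AccessControlType type)
    {
        return new ProcessAccessRule(identity, accessMask, isInherited, inheritance, propagation, type);
    }

    public override AuditRule AuditRuleFactory(IdentityReference identity, int accessMask, bool isInherited,
        InheritanceFlags inheritance, PropagationFlags propagation, AuditFlags flags)
    {
        throw new NotSupportedException("SACL handling is outside this example.");
    }
}

public static class ProcessDacl
{
    // Grants 'rights' on the current process to 'identity'; afterwards a process running as
    // that identity can OpenProcess() this process with those rights without SeDebugPrivilege.
    public static void GrantOnSelf(SecurityIdentifier identity, ProcessAccessRights rights)
    {
        using (Process self = Process.GetCurrentProcess())
        {
            ProcessSecurity security = new ProcessSecurity(self.SafeHandle);
            security.AddAccessRule(new ProcessAccessRule(identity, rights, AccessControlType.Allow));
            security.Save(self.SafeHandle);
        }
    }

    // Prints each explicit ACE (Allow/Deny, SID, rights) plus the SDDL form of the DACL,
    // which is how to look for the deny entries mentioned in the last comment.
    public static void Dump(Process process)
    {
        ProcessSecurity security = new ProcessSecurity(process.SafeHandle);
        foreach (ProcessAccessRule rule in security.GetAccessRules(true, false, typeof(SecurityIdentifier)))
            Console.WriteLine("{0,-5} {1,-45} {2}", rule.AccessControlType, rule.IdentityReference.Value, rule.Rights);
        Console.WriteLine("SDDL: " + security.GetSecurityDescriptorSddlForm(AccessControlSections.Access));
    }

    public static void Main()
    {
        // NT AUTHORITY\INTERACTIVE: the logged-on user's processes, explorer included. Narrower
        // than Everyone (WellKnownSidType.WorldSid), the other SID suggested in the comments.
        SecurityIdentifier interactive = new SecurityIdentifier(WellKnownSidType.InteractiveSid, null);
        GrantOnSelf(interactive, ProcessAccessRights.DupHandle);
        using (Process self = Process.GetCurrentProcess()) Dump(self);
    }
}
```

Two points worth keeping in mind when using this. PROCESS_DUP_HANDLE is a strong right: a process holding it can duplicate any handle the target owns, including a full-access handle to the target process itself, so grant it to the narrowest SID that covers the senders and only on the one process that must be reachable. And the elevated case in Luca's comment is normally not a deny ACE at all: Mandatory Integrity Control allows a lower-integrity process only limited rights (such as PROCESS_QUERY_LIMITED_INFORMATION and SYNCHRONIZE) on a higher-integrity process regardless of its DACL, so a receiver running elevated cannot be opened for PROCESS_DUP_HANDLE by a medium-integrity sender however the DACL is edited; running the receiver at the senders' integrity level, or switching to named shared memory as the first answer suggests, avoids that problem.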