hasherezade / pe-sieve

Scans a given process. Recognizes and dumps a variety of potentially malicious implants (replaced/injected PEs, shellcodes, hooks, in-memory patches).
https://hshrzd.wordpress.com/pe-sieve/
BSD 2-Clause "Simplified" License

Update process_privilege.cpp #75

Closed JohnLaTwC closed 3 years ago

JohnLaTwC commented 3 years ago

In calls to AdjustTokenPrivileges, GetLastError is not guaranteed to be set on ERROR_SUCCESS. The function returns a BOOL, so GetLastError() should only be checked if it returns FALSE.

hasherezade commented 3 years ago

Hmm, check the original code that it was based upon - as I mentioned in the comment

it is here

Also, as the documentation says, it IS guaranteed to be set to ERROR_SUCCESS if all the requested privileges are adjusted.

To determine whether the function adjusted all of the specified privileges, call GetLastError, which returns one of the following values when the function succeeds:

Return code              Description
ERROR_SUCCESS            The function adjusted all specified privileges.
ERROR_NOT_ALL_ASSIGNED   The token does not have one or more of the privileges specified in the NewState parameter. The function may succeed with this error value even if no privileges were adjusted. The PreviousState parameter indicates the privileges that were adjusted.

JohnLaTwC commented 3 years ago

I checked the sources and you are right. This API can have a partially succeeded state (where some but not all privileges were adjusted). I see that the code always sets last error even in the ERROR_SUCCESS case to account for this.
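The contract discussed above (a TRUE return from AdjustTokenPrivileges still has to be paired with a GetLastError() check for ERROR_NOT_ALL_ASSIGNED) is easy to get wrong, so here is an added example of the correct check pattern. This is illustrative code written for this page, not pe-sieve's process_privilege.cpp: the function names interpret_adjust_result and enable_privilege, and the PrivilegeResult enum, are assumptions of the example. The decision logic is kept separate from the Win32 call so it compiles and can be exercised off Windows with the stand-in typedefs; on Windows the same logic is driven by the real API.

```cpp
// Added example, not pe-sieve's own code.
// Checking the outcome of AdjustTokenPrivileges correctly: the API returns a
// BOOL, but TRUE does not mean every requested privilege was enabled. Per the
// documentation, on success GetLastError() is ERROR_SUCCESS when all
// privileges were adjusted and ERROR_NOT_ALL_ASSIGNED when the token lacks one
// or more of them. A tool that only checks the BOOL may believe it holds
// SeDebugPrivilege when it does not, so both values must be consulted.
#include <cstdio>

#ifdef _WIN32
#include <windows.h>
#else
// Stand-ins so the decision logic compiles and runs off Windows.
// The numeric values are the real Win32 error codes.
typedef int BOOL;
typedef unsigned long DWORD;
#define TRUE 1
#define FALSE 0
#define ERROR_SUCCESS 0UL
#define ERROR_NOT_ALL_ASSIGNED 1300UL
#endif

enum class PrivilegeResult {
    Failed,            // API returned FALSE; GetLastError() holds the reason
    AllAdjusted,       // TRUE and GetLastError() == ERROR_SUCCESS
    PartiallyAdjusted  // TRUE and GetLastError() == ERROR_NOT_ALL_ASSIGNED
};

// Interpret the (return value, last error) pair exactly as documented.
// Hypothetical helper name; pure logic, so it is unit-testable anywhere.
PrivilegeResult interpret_adjust_result(BOOL api_ret, DWORD last_error)
{
    if (!api_ret) {
        // Hard failure (invalid token, access denied, ...).
        return PrivilegeResult::Failed;
    }
    // Success path: GetLastError() is meaningful here and is the only way to
    // distinguish "all adjusted" from "token lacks some privileges".
    if (last_error == ERROR_NOT_ALL_ASSIGNED) {
        return PrivilegeResult::PartiallyAdjusted;
    }
    return PrivilegeResult::AllAdjusted;
}

#ifdef _WIN32
// Enable one named privilege (e.g. SE_DEBUG_NAME) in the current process
// token. *err receives GetLastError() from the failing or final call.
PrivilegeResult enable_privilege(const wchar_t* name, DWORD* err)
{
    HANDLE token = NULL;
    if (!OpenProcessToken(GetCurrentProcess(),
                          TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &token)) {
        *err = GetLastError();
        return PrivilegeResult::Failed;
    }
    TOKEN_PRIVILEGES tp = {};
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    if (!LookupPrivilegeValueW(NULL, name, &tp.Privileges[0].Luid)) {
        *err = GetLastError();
        CloseHandle(token);
        return PrivilegeResult::Failed;
    }
    BOOL ok = AdjustTokenPrivileges(token, FALSE, &tp, sizeof(tp), NULL, NULL);
    // Read GetLastError() immediately, before any other call can overwrite it.
    DWORD last = GetLastError();
    CloseHandle(token);
    *err = last;
    return interpret_adjust_result(ok, last);
}
#endif

int main()
{
#ifdef _WIN32
    DWORD err = 0;
    PrivilegeResult r = enable_privilege(SE_DEBUG_NAME, &err);
    std::printf("SeDebugPrivilege: result=%d last_error=%lu\n", (int)r, err);
#else
    // Off Windows, drive the logic with constructed (return, error) pairs.
    std::printf("TRUE/ERROR_SUCCESS          -> %d\n",
                (int)interpret_adjust_result(TRUE, ERROR_SUCCESS));
    std::printf("TRUE/ERROR_NOT_ALL_ASSIGNED -> %d\n",
                (int)interpret_adjust_result(TRUE, ERROR_NOT_ALL_ASSIGNED));
    std::printf("FALSE/5                     -> %d\n",
                (int)interpret_adjust_result(FALSE, 5));
#endif
    return 0;
}
```

The point the example makes concrete is the one the thread converges on: the BOOL alone cannot tell a caller whether the token actually gained the privilege, so the value of GetLastError() has to be captured right after the call and compared against ERROR_NOT_ALL_ASSIGNED before the tool proceeds as if it were privileged.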