home *** CD-ROM | disk | FTP | other *** search

---

/ DEFCON 15 / DefCon15.bin / Speakers / Jennings / Extras / incognito / child_process.c

next >

Wrap

C/C++ Source or Header  |  2007-03-12  |  5KB  |  162 lines

---

1. #define _CRT_SECURE_NO_DEPRECATE 1
2. #include <windows.h>
3. #include <stdio.h>
4. #include "handle_arguments.h"
5.  
6. #define BUFSIZE 4096
7.  
8. static HANDLE hChildStdinRd, hChildStdinWr,
9.    hChildStdoutRd, hChildStdoutWr, hStdout;
10.  
11. void CreateChildProcess(HANDLE, char*, PROCESS_INFORMATION*);
12. DWORD WINAPI WriteToPipe(LPVOID);
13. DWORD WINAPI ReadFromPipe(LPVOID);
14.  
15.  
16. void CreateProcessWithPipeComm(HANDLE token, char *command)
17. {
18.     PROCESS_INFORMATION piProcInfo;
19.     SECURITY_ATTRIBUTES saAttr;
20.     DWORD dwThreadId[2];
21.     HANDLE hThread[2];
22.  
23.     // Set the bInheritHandle flag so pipe handles are inherited.
24.     saAttr.nLength = sizeof(SECURITY_ATTRIBUTES);
25.     saAttr.bInheritHandle = TRUE;
26.     saAttr.lpSecurityDescriptor = NULL;
27.  
28.     // Get the handle to the current STDOUT.
29.     hStdout = GetStdHandle(STD_OUTPUT_HANDLE);
30.  
31.     // Create a pipe for the child process's STDOUT.
32.     if (!CreatePipe(&hChildStdoutRd, &hChildStdoutWr, &saAttr, 0))
33.     {
34.         output_string("[-] Stdout pipe creation failed\n");
35.         return;
36.     }
37.  
38.     // Ensure the read handle to the pipe for STDOUT is not inherited.
39.     SetHandleInformation( hChildStdoutRd, HANDLE_FLAG_INHERIT, 0);
40.  
41.     // Create a pipe for the child process's STDIN.
42.     if (!CreatePipe(&hChildStdinRd, &hChildStdinWr, &saAttr, 0))
43.     {
44.         output_string("[-] Stdin pipe creation failed\n");
45.         return;
46.     }
47.  
48.     // Ensure the write handle to the pipe for STDIN is not inherited.
49.     SetHandleInformation( hChildStdinWr, HANDLE_FLAG_INHERIT, 0);
50.  
51.     // Now create the child process.
52.     CreateChildProcess(token, command, &piProcInfo);
53.  
54.       hThread[0] = CreateThread(
55.             NULL,              // default security attributes
56.             0,                 // use default stack size
57.             ReadFromPipe,        // thread function
58.             NULL,             // argument to thread function
59.             0,                 // use default creation flags
60.             &dwThreadId[0]);   // returns the thread identifier
61.  
62.     hThread[1] = CreateThread(
63.             NULL,              // default security attributes
64.             0,                 // use default stack size
65.             WriteToPipe,        // thread function
66.             NULL,             // argument to thread function
67.             0,                 // use default creation flags
68.             &dwThreadId[1]);   // returns the thread identifier
69.  
70.     WaitForSingleObject(piProcInfo.hProcess, INFINITE);
71. }
72.  
73. static void CreateChildProcess(HANDLE token, char *command, PROCESS_INFORMATION *piProcInfo)
74. {
75.     STARTUPINFO siStartInfo;
76.     BOOL bFuncRetn = FALSE;
77.     HWINSTA new_winstation, old_winstation;
78.  
79.     // Set up members of the PROCESS_INFORMATION structure.
80.     ZeroMemory( piProcInfo, sizeof(PROCESS_INFORMATION) );
81.  
82.     // Set up members of the STARTUPINFO structure.
83.     ZeroMemory( &siStartInfo, sizeof(STARTUPINFO) );
84.     siStartInfo.cb = sizeof(STARTUPINFO);
85.     siStartInfo.hStdError = hChildStdoutWr;
86.     siStartInfo.hStdOutput = hChildStdoutWr;
87.     siStartInfo.hStdInput = hChildStdinRd;
88.     siStartInfo.dwFlags |= STARTF_USESTDHANDLES;
89.     siStartInfo.lpDesktop = "incognito\\default";
90.  
91.     // Create new window station and save handle to existing one
92.     old_winstation = GetProcessWindowStation();
93.     new_winstation = CreateWindowStationA(
94.                           "incognito",
95.                           (DWORD)NULL,
96.                           MAXIMUM_ALLOWED,
97.                           NULL
98.                           );
99.     
100.     // Set process to new window station and create new desktop object within it
101.     SetProcessWindowStation(new_winstation);
102.     CreateDesktopA(
103.       "default",
104.       NULL,
105.       NULL,
106.       (DWORD)NULL,
107.       GENERIC_ALL,
108.       NULL
109.     );
110.     SetProcessWindowStation(old_winstation);
111.  
112.     // Create the child process.
113.     bFuncRetn = CreateProcessAsUserA(
114.       token,
115.       NULL,
116.       command,     // command line
117.       NULL,          // process security attributes
118.       NULL,          // primary thread security attributes
119.       TRUE,          // handles are inherited
120.       0,             // creation flags
121.       NULL,          // use parent's environment
122.       NULL,          // use parent's current directory
123.       &siStartInfo,  // STARTUPINFO pointer
124.       piProcInfo);  // receives PROCESS_INFORMATION
125.  
126.     if (bFuncRetn == 0)
127.         output_string("[-] Failed to create new process: %d\n", GetLastError());
128. }
129.  
130. static DWORD WINAPI WriteToPipe(LPVOID p)
131. {
132.     DWORD dwRead, dwWritten;
133.     CHAR chBuf[BUFSIZE];
134.  
135.     for (;;)
136.     {
137.         if (!read_counted_input(chBuf, BUFSIZE, &dwRead)) 
138.             break;
139.         chBuf[dwRead-1] = '\n';
140.         if (! WriteFile(hChildStdinWr, chBuf, dwRead,
141.             &dwWritten, NULL)) 
142.             break;
143.     }
144.        return 0;
145. }
146.  
147. static DWORD WINAPI ReadFromPipe(LPVOID p)
148. {
149.    DWORD dwRead;
150.    CHAR chBuf[BUFSIZE];
151.  
152.    for (;;)
153.    {
154.         if( !ReadFile( hChildStdoutRd, chBuf, BUFSIZE, &dwRead,
155.             NULL) || dwRead == 0) break;
156.         if (!output_counted_string(chBuf, dwRead))
157.             break;
158.    }
159.  
160.    return 0;
161. }
162.