ntdll: Elevate processes if requested in RtlCreateUserProcess().

Signed-off-by: Zebediah Figura <z.figura12@gmail.com>

ntdll: Elevate processes if requested in RtlCreateUserProcess().
3a8ff538 · Zebediah Figura · Vitaly Lipatov · ab0e3162 · 3a8ff538
Commit 3a8ff538 authored Apr 18, 2021 by Zebediah Figura Committed by Vitaly Lipatov Jul 30, 2022
Hide whitespace changes
Inline Side-by-side

Showing with 74 additions and 5 deletions

process.c dlls/ntdll/process.c +74 -5

No files found.
--- a/dlls/ntdll/process.c
+++ b/dlls/ntdll/process.c
@@ -39,6 +39,9 @@
 WINE_DEFAULT_DEBUG_CHANNEL(process);


+/* we don't want to include winuser.h */
+#define CREATEPROCESS_MANIFEST_RESOURCE_ID ((ULONG_PTR)1)
+
 /******************************************************************************
 *  RtlGetCurrentPeb  [NTDLL.@]
 *
@@ -82,6 +85,63 @@ NTSTATUS WINAPI RtlWow64EnableFsRedirectionEx( ULONG disable, ULONG *old_value )
 }


+static BOOL image_needs_elevation( const UNICODE_STRING *path )
+{
+    ACTIVATION_CONTEXT_RUN_LEVEL_INFORMATION run_level;
+    UNICODE_STRING path0;
+    BOOL ret = FALSE;
+    HANDLE handle;
+    ACTCTXW ctx;
+
+    if (RtlDuplicateUnicodeString( 1, path, &path0 ))
+        return FALSE;
+
+    ctx.cbSize = sizeof(ctx);
+    ctx.dwFlags = ACTCTX_FLAG_RESOURCE_NAME_VALID;
+    ctx.lpSource = path0.Buffer;
+    ctx.lpResourceName = (const WCHAR *)CREATEPROCESS_MANIFEST_RESOURCE_ID;
+
+    if (RtlCreateActivationContext( &handle, &ctx ))
+    {
+        RtlFreeUnicodeString( &path0 );
+        return FALSE;
+    }
+
+    if (!RtlQueryInformationActivationContext( 0, handle, NULL, RunlevelInformationInActivationContext,
+                                               &run_level, sizeof(run_level), NULL ))
+    {
+        TRACE( "image requested run level %#x\n", run_level.RunLevel );
+        if (run_level.RunLevel == ACTCTX_RUN_LEVEL_HIGHEST_AVAILABLE
+                || run_level.RunLevel == ACTCTX_RUN_LEVEL_REQUIRE_ADMIN)
+            ret = TRUE;
+    }
+    RtlReleaseActivationContext( handle );
+    RtlFreeUnicodeString( &path0 );
+    return ret;
+}
+
+
+static HANDLE get_elevated_token(void)
+{
+    TOKEN_ELEVATION_TYPE type;
+    TOKEN_LINKED_TOKEN linked;
+    NTSTATUS status;
+
+    if ((status = NtQueryInformationToken( GetCurrentThreadEffectiveToken(),
+                                           TokenElevationType, &type, sizeof(type), NULL )))
+        return NULL;
+
+    if (type == TokenElevationTypeFull) return NULL;
+
+
+    if ((status = NtQueryInformationToken( GetCurrentThreadEffectiveToken(),
+                                           TokenLinkedToken, &linked, sizeof(linked), NULL )))
+        return NULL;
+
+    return linked.LinkedToken;
+}
+
+
 /**********************************************************************
 *           RtlWow64GetCurrentMachine  (NTDLL.@)
 */
@@ -294,8 +354,15 @@ NTSTATUS WINAPI RtlCreateUserProcess( UNICODE_STRING *path, ULONG attributes,
    PS_CREATE_INFO create_info;
    ULONG_PTR buffer[offsetof( PS_ATTRIBUTE_LIST, Attributes[6] ) / sizeof(ULONG_PTR)];
    PS_ATTRIBUTE_LIST *attr = (PS_ATTRIBUTE_LIST *)buffer;
+    HANDLE elevated_token = NULL;
+    NTSTATUS status;
    UINT pos = 0;

+    /* It's not clear whether we should use path or &params->ImagePathName here,
+     * but Roblox Player tries to pass an empty string for the latter. */
+    if (!token && image_needs_elevation( path ))
+        token = elevated_token = get_elevated_token();
+
    RtlNormalizeProcessParams( params );

    attr->Attributes[pos].Attribute    = PS_ATTRIBUTE_IMAGE_NAME;
@@ -342,11 +409,13 @@ NTSTATUS WINAPI RtlCreateUserProcess( UNICODE_STRING *path, ULONG attributes,
    InitializeObjectAttributes( &process_attr, NULL, 0, NULL, process_descr );
    InitializeObjectAttributes( &thread_attr, NULL, 0, NULL, thread_descr );

-    return NtCreateUserProcess( &info->Process, &info->Thread, PROCESS_ALL_ACCESS, THREAD_ALL_ACCESS,
-                                &process_attr, &thread_attr,
-                                inherit ? PROCESS_CREATE_FLAGS_INHERIT_HANDLES : 0,
-                                THREAD_CREATE_FLAGS_CREATE_SUSPENDED, params,
-                                &create_info, attr );
+    status = NtCreateUserProcess( &info->Process, &info->Thread, PROCESS_ALL_ACCESS, THREAD_ALL_ACCESS,
+                                  &process_attr, &thread_attr,
+                                  inherit ? PROCESS_CREATE_FLAGS_INHERIT_HANDLES : 0,
+                                  THREAD_CREATE_FLAGS_CREATE_SUSPENDED, params, &create_info, attr );
+
+    if (elevated_token) NtClose( elevated_token );
+    return status;
 }

 /***********************************************************************