A forum for reverse engineering, OS internals and malware analysis 

Ask your beginner questions here.
 #32718  by zer0cat
 Sat Mar 23, 2019 1:23 pm
Hello
There is a program that runs with SYSTEM privileges.
But it doesn't work with some actions in Windows, such as enumerating network shares, etc.

What can I do?
 #32723  by zer0cat
 Sat Mar 23, 2019 7:17 pm
Yes, I have the source code, but the program is too large to publish the code on the forum.

The program is written in C; it searches for files by mask (and tracks the creation of new ones) and deletes / changes them depending on the task. The problem is that it works from SYSTEM, but at the same time it cannot access the network shares. I see the error ERROR_NO_SUCH_LOGON_SESSION.
 #32725  by Brock
 Sat Mar 23, 2019 9:59 pm
Are you positive that the error isn't correct?

You might try impersonating the logged-on user while you access the network shares. It's kind of a bit hackish but it may work for you.
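Code:
// Needs <windows.h> and <wtsapi32.h>; link with Wtsapi32.lib
HANDLE hToken = NULL;
// Session currently attached to the physical console (0xFFFFFFFF if there is none)
ULONG SessionId = WTSGetActiveConsoleSessionId();

// Get the token of the user logged on to that session (caller must run as LocalSystem)
if (WTSQueryUserToken(SessionId, &hToken))
{
    // Run this thread in the user's security context
    if (ImpersonateLoggedOnUser(hToken))
    {
        // do network share stuff here
        RevertToSelf(); // back to the SYSTEM context
    }
    CloseHandle(hToken);
}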
 #32726  by Vrtule
 Sat Mar 23, 2019 11:35 pm
As far as I know, network drives are local to the user that connects them, meaning they are not (directly) visible to other users. That also implies a network drive, e.g. Q:, can be mapped to place A for user X and to place B for user Y.