I am trying to forcefully release a named Mutex that another process owns in my process. However, when I try to straight up release the mutex like so, I get the error 288 (ERROR_NOT_OWNER). Clearly, I need to take ownership of the Mutex.
I've tried using GetSecurityInfo and SetSecurityInfo but they seem to be not working.
HANDLE hMyToken;
OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &hMyToken);
PTOKEN_OWNER pMe = NULL;
DWORD dwLength = 0;
GetTokenInformation(hMyToken, TokenOwner, pMe, NULL, &dwLength);
pMe = (PTOKEN_OWNER)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, dwLength);
GetTokenInformation(hMyToken, TokenOwner, pMe, dwLength, &dwLength);
I use the code above to get the current PSID for the owner for later.
HANDLE hMutex = OpenMutexA(MUTEX_ALL_ACCESS, FALSE, "mutexnamehere");
PSID psidOwner = NULL;
PSECURITY_DESCRIPTOR psd;
GetSecurityInfo(hMutex, SE_KERNEL_OBJECT, OWNER_SECURITY_INFORMATION, &psidOwner, NULL, NULL, NULL, &psd);
PSECURITY_DESCRIPTOR psda = NULL;
DWORD dwLength = 0, dwLength2 = sizeof(psidOwner), dwGarbage;
MakeAbsoluteSD(psd, psda, &dwLength, NULL, &dwGarbage, NULL, &dwGarbage, psidOwner, &dwLength2, NULL, &dwGarbage);
psda = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, dwLength);
psidOwner = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, dwLength2);
MakeAbsoluteSD(psd, psda, &dwLength, NULL, &dwGarbage, NULL, &dwGarbage, psidOwner, &dwLength2, NULL, &dwGarbage);
etSecurityInfo(hMutex, SE_KERNEL_OBJECT, OWNER_SECURITY_INFORMATION, pMe->Owner, NULL, NULL, NULL);
I've been stuck on this for hours. Can anyone give me an idea on what to do? I've tried:
- Setting privileges for my process's tokens (SE_TAKE_OWNERSHIP_NAME, SE_RESTORE_NAME)
- Setting my process's token's group to SE_GROUP_ENABLED
- Using SetSecurityDescriptorOwner
I cannot open the process that owns the Mutex nor can I inject code into that process or enumerate its handles and forcefully close it.
I'm willing to map the Mutex to memory and work with it there.
Aucun commentaire:
Enregistrer un commentaire