diff --git a/procgov/AccountPrivilegeModule.cs b/procgov/AccountPrivilegeModule.cs
index b5e8bcd..83e12e6 100644
--- a/procgov/AccountPrivilegeModule.cs
+++ b/procgov/AccountPrivilegeModule.cs
@@ -22,7 +22,8 @@ public static bool IsCurrentUserAdministrator()
         return principal.IsInRole(WindowsBuiltInRole.Administrator);
     }
 
-    internal static List EnablePrivileges(uint pid, SafeHandle processHandle, string[] privilegeNames)
+    internal static List EnablePrivileges(uint pid, SafeHandle processHandle,
+        string[] privilegeNames, TraceEventType errorSeverity)
     {
         CheckWin32Result(PInvoke.OpenProcessToken(processHandle, TOKEN_ACCESS_MASK.TOKEN_QUERY | TOKEN_ACCESS_MASK.TOKEN_ADJUST_PRIVILEGES, out var tokenHandle));
 
@@ -45,7 +46,7 @@ internal static List EnablePrivileges(uint pid, SafeHandle pro
                 var result = Marshal.GetLastWin32Error();
                 if (result != (int)WIN32_ERROR.NO_ERROR)
                 {
-                    logger.TraceEvent(TraceEventType.Warning, 0, $"Setting privilege {privilegeName} for process {pid} failed - 0x{result:x} " +
+                    logger.TraceEvent(errorSeverity, 0, $"Setting privilege {privilegeName} for process {pid} failed - 0x{result:x} " +
                         "(probably privilege is not available)");
                 }
                 return new AccountPrivilege(privilegeName, result, previousPrivileges);
@@ -55,7 +56,7 @@ internal static List EnablePrivileges(uint pid, SafeHandle pro
                 var result = Marshal.GetLastWin32Error();
                 if (result != (int)WIN32_ERROR.NO_ERROR)
                 {
-                    logger.TraceEvent(TraceEventType.Warning, 0, $"Setting privilege {privilegeName} for process {pid} failed - 0x{result:x} ");
+                    logger.TraceEvent(errorSeverity, 0, $"Setting privilege {privilegeName} for process {pid} failed - 0x{result:x} ");
                 }
                 return new AccountPrivilege(privilegeName, result, new TOKEN_PRIVILEGES { PrivilegeCount = 0 });
             }
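Review bot: The new `errorSeverity` parameter on `EnablePrivileges` is undocumented, and nothing on the signature tells a caller that the method never fails the call on a privilege that could not be enabled — it only logs and stores the Win32 result in the returned `AccountPrivilege`. Suggest an XML comment on the signature such as `/// <param name="errorSeverity">Trace level used when a privilege cannot be enabled; the failure is not thrown, it is only logged and recorded in the returned entry.</param>`. The body of `EnablePrivileges` continues outside this hunk.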
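Review bot: Raising the trace level to the caller-supplied `errorSeverity` does not change the outcome of a failed `AdjustTokenPrivileges`: the result is still only stored in the returned `AccountPrivilege`, and the `session.Privileges` call sites in ProcessModule in this same commit discard that return value, so a privilege the user explicitly requested can stay disabled on the governed process with nothing but a log line. The text `(probably privilege is not available)` also reads as a guess once it is emitted at `TraceEventType.Error`. Consider having those callers inspect the returned list, or adding a `bool throwOnError` parameter, so a failed request is surfaced to the caller rather than only to the trace; the same applies to the `-55` hunk below. The block enclosing these lines starts outside the hunk.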
@@ -67,7 +68,8 @@ internal static List EnablePrivileges(uint pid, SafeHandle pro
         }
     }
 
-    internal static void RestorePrivileges(uint pid, SafeHandle processHandle, List privileges)
+    internal static void RestorePrivileges(uint pid, SafeHandle processHandle, List privileges,
+        TraceEventType errorSeverity)
     {
         if (PInvoke.OpenProcessToken(processHandle, TOKEN_ACCESS_MASK.TOKEN_ADJUST_PRIVILEGES, out var tokenHandle))
         {
@@ -78,7 +80,7 @@ internal static void RestorePrivileges(uint pid, SafeHandle processHandle, List<
                 if (!PInvoke.AdjustTokenPrivileges(tokenHandle, false, priv.ReplacedPrivilege, 0, null, null))
                 {
                     int winerr = Marshal.GetLastWin32Error();
-                    logger.TraceEvent(TraceEventType.Error, 0,
+                    logger.TraceEvent(errorSeverity, 0,
                         $"Error while reverting the {priv.PrivilegeName} privilege for process {pid}: 0x{winerr:x}");
                 }
             }
@@ -91,7 +93,7 @@ internal static void RestorePrivileges(uint pid, SafeHandle processHandle, List<
         else
         {
             int winerr = Marshal.GetLastWin32Error();
-            logger.TraceEvent(TraceEventType.Error, 0, $"Error while reverting the privileges for process {pid}: 0x{winerr:x}");
+            logger.TraceEvent(errorSeverity, 0, $"Error while reverting the privileges for process {pid}: 0x{winerr:x}");
         }
     }
 
diff --git a/procgov/ProcessModule.cs b/procgov/ProcessModule.cs
index d55157d..cdcf5d5 100644
--- a/procgov/ProcessModule.cs
+++ b/procgov/ProcessModule.cs
@@ -18,7 +18,8 @@ public static Win32Job AssignProcessToJobObject(int pid, SessionSettings session
     {
         var currentProcessId = (uint)Environment.ProcessId;
         using var currentProcessHandle = PInvoke.GetCurrentProcess_SafeHandle();
-        var dbgpriv = AccountPrivilegeModule.EnablePrivileges(currentProcessId, currentProcessHandle, new[] { "SeDebugPrivilege" });
+        var dbgpriv = AccountPrivilegeModule.EnablePrivileges(currentProcessId, currentProcessHandle, new[] { "SeDebugPrivilege" },
+            TraceEventType.Information);
         try
         {
 
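Review bot: Letting the caller choose the severity of a failed revert means the only callers this commit adds (the `finally` blocks in ProcessModule, hunks `-56` and `-198`) log a failed `AdjustTokenPrivileges` at `TraceEventType.Information`, so procgov keeping `SeDebugPrivilege` enabled after the job is set up is recorded at the same level as routine progress messages. A privilege that was meant to be temporary and was not dropped is a privilege-hygiene failure worth at least a Warning whatever the caller asked for; either have those callers pass `TraceEventType.Warning` for the restore, or clamp inside `RestorePrivileges` with `var severity = errorSeverity <= TraceEventType.Warning ? errorSeverity : TraceEventType.Warning;` and use it in both this hunk and the `-91` hunk. Whether the `OpenProcessToken` failure in the `else` branch deserves the same floor is a judgement call, but it currently follows the same downgrade. The body of `RestorePrivileges` continues past this hunk.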
@@ -56,13 +57,13 @@ Win32Job OpenOrCreateJob()
             Debug.Assert(job != null);
             Win32JobModule.SetLimits(job, session, GetSystemOrProcessorGroupAffinity(targetProcessHandle, session));
 
-            AccountPrivilegeModule.EnablePrivileges((uint)pid, targetProcessHandle, session.Privileges);
+            AccountPrivilegeModule.EnablePrivileges((uint)pid, targetProcessHandle, session.Privileges, TraceEventType.Error);
 
             return job;
         }
         finally
         {
-            AccountPrivilegeModule.RestorePrivileges(currentProcessId, currentProcessHandle, dbgpriv);
+            AccountPrivilegeModule.RestorePrivileges(currentProcessId, currentProcessHandle, dbgpriv, TraceEventType.Information);
         }
     }
 
@@ -119,7 +120,7 @@ void AssignProcessToExistingJobObject(int processId, Win32Job job, bool checkIfA
                 logger.TraceEvent(TraceEventType.Verbose, 0, $"Process {processId} already assigned to job '{jobName}'.");
 
                 SetProcessEnvironmentVariables(processId, session.AdditionalEnvironmentVars);
-                AccountPrivilegeModule.EnablePrivileges((uint)processId, processHandle, session.Privileges);
+                AccountPrivilegeModule.EnablePrivileges((uint)processId, processHandle, session.Privileges, TraceEventType.Error);
             }
             else
             {
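Review bot: Every call site in ProcessModule now repeats a bare `TraceEventType.Error` or `TraceEventType.Information` literal (this hunk and the ones at `-18`, `-119`, `-135`, `-166`, `-198`, `-235` and `-287`), which encodes a policy — a privilege that cannot be set on the governed process is an error, a missing `SeDebugPrivilege` on procgov's own token is informational — without naming it anywhere. Two private constants would make the distinction readable and stop the sites from drifting apart: `private const TraceEventType TargetPrivilegeSeverity = TraceEventType.Error;` and `private const TraceEventType OwnPrivilegeSeverity = TraceEventType.Information;`. A default value on `errorSeverity` would be the other option, leaving the common call sites unchanged. The enclosing method starts outside the hunk.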
@@ -135,13 +136,14 @@ void AssignProcessToExistingJobObject(int processId, Win32Job job, bool checkIfA
                 logger.TraceEvent(TraceEventType.Verbose, 0, $"Assigning process {processId} to job '{job.JobName}'");
                 Win32JobModule.AssignProcess(job, processHandle, session.PropagateOnChildProcesses);
 
-                AccountPrivilegeModule.EnablePrivileges((uint)processId, processHandle, session.Privileges);
+                AccountPrivilegeModule.EnablePrivileges((uint)processId, processHandle, session.Privileges, TraceEventType.Error);
             }
         }
 
         var currentProcessId = (uint)Environment.ProcessId;
         using var currentProcessHandle = PInvoke.GetCurrentProcess_SafeHandle();
-        var dbgpriv = AccountPrivilegeModule.EnablePrivileges(currentProcessId, currentProcessHandle, new[] { "SeDebugPrivilege" });
+        var dbgpriv = AccountPrivilegeModule.EnablePrivileges(currentProcessId, currentProcessHandle, new[] { "SeDebugPrivilege" },
+            TraceEventType.Information);
         try
         {
 
@@ -166,7 +168,7 @@ void AssignProcessToExistingJobObject(int processId, Win32Job job, bool checkIfA
                 // we need to update variables and priviles in the 'job process' manually as we
                 // won't be assigning it to the job to which it is already assigned
                 SetProcessEnvironmentVariables(jobProcessId, session.AdditionalEnvironmentVars);
-                AccountPrivilegeModule.EnablePrivileges((uint)jobProcessId, jobProcessHandle, session.Privileges);
+                AccountPrivilegeModule.EnablePrivileges((uint)jobProcessId, jobProcessHandle, session.Privileges, TraceEventType.Error);
 
                 job = new Win32Job(jobHandle, jobName, session.ClockTimeLimitInMilliseconds);
 
@@ -198,7 +200,7 @@ void AssignProcessToExistingJobObject(int processId, Win32Job job, bool checkIfA
             }
             finally
             {
-                AccountPrivilegeModule.RestorePrivileges(currentProcessId, currentProcessHandle, dbgpriv);
+                AccountPrivilegeModule.RestorePrivileges(currentProcessId, currentProcessHandle, dbgpriv, TraceEventType.Information);
             }
         }
 
@@ -235,7 +237,7 @@ public static unsafe Win32Job StartProcessAndAssignToJobObject(
                 session.ClockTimeLimitInMilliseconds);
             Win32JobModule.SetLimits(job, session, GetSystemOrProcessorGroupAffinity(processHandle, session));
 
-            AccountPrivilegeModule.EnablePrivileges(pi.dwProcessId, processHandle, session.Privileges);
+            AccountPrivilegeModule.EnablePrivileges(pi.dwProcessId, processHandle, session.Privileges, TraceEventType.Error);
 
             CheckWin32Result(PInvoke.ResumeThread(pi.hThread));
 
@@ -287,7 +289,7 @@ public static unsafe Win32Job StartProcessUnderDebuggerAndAssignToJobObject(
                 session.ClockTimeLimitInMilliseconds);
             Win32JobModule.SetLimits(job, session, GetSystemOrProcessorGroupAffinity(processHandle, session));
 
-            AccountPrivilegeModule.EnablePrivileges(pi.dwProcessId, processHandle, session.Privileges);
+            AccountPrivilegeModule.EnablePrivileges(pi.dwProcessId, processHandle, session.Privileges, TraceEventType.Error);
 
             // resume process main thread by detaching from the debuggee
             CheckWin32Result(PInvoke.DebugActiveProcessStop(pi.dwProcessId));