in PPLGuardDll/dllexploit.cpp [470:537]
// Builds, in the caller-supplied buffer, a SACL that contains exactly one
// process trust label ACE for trustSid granting TOKEN_READ (with object and
// container inheritance flags). Logs the failing API via LogLastError and
// returns FALSE on any error; on success the buffer holds the finished ACL.
static BOOL BuildTrustLabelSacl(PACL sacl, DWORD saclLength, PSID trustSid)
{
    if (!InitializeAcl(sacl, saclLength, ACL_REVISION))
    {
        LogLastError(L"InitializeAcl");
        return FALSE;
    }

    // RtlAddProcessTrustLabelAce reports NTSTATUS; map it to a Win32 error so
    // the same LogLastError path can report it.
    const DWORD err = RtlNtStatusToDosError(RtlAddProcessTrustLabelAce(
        sacl, ACL_REVISION, OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE,
        trustSid, SYSTEM_PROCESS_TRUST_LABEL_ACE_TYPE, TOKEN_READ));
    if (err != ERROR_SUCCESS)
    {
        SetLastError(err);
        LogLastError(L"RtlAddProcessTrustLabelAce");
        return FALSE;
    }

    return TRUE;
}

// Attaches a process trust label (protection type LITE, level ANTIMALWARE)
// to the primary token of the process referenced by hProcess. The label ACE
// carries TOKEN_READ as its access mask; the intent (per the Windows trust
// label semantics, confirm against the platform docs) is that callers whose
// process trust level is below PPL-AntiMalware can obtain at most TOKEN_READ
// on that token, so they can no longer duplicate or impersonate it.
//
// Parameters:
//   hProcess - handle to the target process; it must satisfy ProcessIsAMPPL,
//              otherwise the function returns FALSE without logging.
// Returns:
//   TRUE when the label was applied; FALSE if the process is not an
//   AntiMalware PPL or if any Win32/Rtl call failed (each failure is logged
//   through LogLastError before returning).
BOOL HardenAntiMalwareServiceToken(HANDLE hProcess)
{
    BOOL ok = FALSE;
    HANDLE token = NULL;
    PSID trustSid = NULL;
    SID_IDENTIFIER_AUTHORITY trustAuthority = SECURITY_PROCESS_TRUST_AUTHORITY;
    byte aclStorage[4096] = { 0 };
    PACL sacl = (PACL)aclStorage;
    DWORD setStatus = ERROR_SUCCESS;

    // Only harden tokens of processes that really run as PPL-AntiMalware.
    if (!ProcessIsAMPPL(hProcess))
    {
        goto cleanup;
    }

    // NOTE(review): TOKEN_ALL_ACCESS is broader than a SACL/trust-label write
    // needs; confirm the minimum access SetSecurityInfo requires for
    // PROCESS_TRUST_LABEL_SECURITY_INFORMATION and narrow this if possible.
    if (!OpenProcessToken(hProcess, TOKEN_ALL_ACCESS, &token))
    {
        LogLastError(L"OpenProcessToken");
        goto cleanup;
    }

    // S-1-19-512-4096 style trust SID: PROTECTION_TYPE_LITE / LEVEL_ANTIMALWARE.
    if (!AllocateAndInitializeSid(&trustAuthority,
                                  SECURITY_PROCESS_TRUST_AUTHORITY_RID_COUNT,
                                  SECURITY_PROCESS_PROTECTION_TYPE_LITE_RID,
                                  SECURITY_PROCESS_PROTECTION_LEVEL_ANTIMALWARE_RID,
                                  0, 0, 0, 0, 0, 0, &trustSid))
    {
        LogLastError(L"AllocateAndInitializeSid");
        goto cleanup;
    }

    if (!BuildTrustLabelSacl(sacl, (DWORD)sizeof aclStorage, trustSid))
    {
        goto cleanup;
    }

    // Only the trust-label part of the token's security descriptor is
    // replaced; owner, group, DACL and the regular SACL are left untouched.
    setStatus = SetSecurityInfo(token, SE_KERNEL_OBJECT,
                                PROCESS_TRUST_LABEL_SECURITY_INFORMATION,
                                NULL, NULL, NULL, sacl);
    if (setStatus != ERROR_SUCCESS)
    {
        SetLastError(setStatus);
        LogLastError(L"SetSecurityInfo");
        goto cleanup;
    }

    ok = TRUE;

cleanup:
    if (token)
    {
        CloseHandle(token);
    }
    if (trustSid)
    {
        LocalFree(trustSid);
    }
    return ok;
}