Do I need to adjust token privileges in order to successfully call CreateRemoteThread?

Tags: windows, winapi

I'm developing a debugging facility for my application to help me diagnose deadlocks. The application runs on my client's machines and so I expect a wide range of operating systems, security policies etc.

The technique I am using is to implement a function in the target application which generates stack traces for all threads, together with other diagnostics information. This is then written to a memory mapped file. I am also creating a utility application that is used to trigger the creation of the diagnostics report, and then read it from the memory mapped file.

Because the target application is expected to be dead, the utility program can't send it a message to trigger the diagnostics collection. Instead I am using CreateRemoteThread so that I can be sure to get a live thread to do the work.

Note that this is different from DLL injection methods which typically use LoadLibrary as the thread proc for CreateRemoteThread. My thread proc is an entry point in the target application. So, I don't need to call WriteProcessMemory.

I've implemented this and in my test environments it works well. According to the documentation of CreateRemoteThread, I need a process handle with the following access rights:

PROCESS_CREATE_THREAD, PROCESS_QUERY_INFORMATION, PROCESS_VM_OPERATION, PROCESS_VM_WRITE, and PROCESS_VM_READ

So, I passed those flags when calling OpenProcess.

Now, at last, to my question: what privileges do I need my token to have in order for the call to OpenProcess to succeed?

In my test environment (Windows 7, UAC enabled, admin user), I have encountered no problems with just a default token. I have seen various sample code that acquires the SE_DEBUG_NAME privilege before calling OpenProcess. My guess is that is needed for WriteProcessMemory when doing DLL injection and that I don't need that privilege. Are there scenarios where I would need to adjust my token's privileges?

I know precisely nothing about Windows security so I would really appreciate wise words from anyone that does!

David Heffernan asked Jan 21 '26 07:01


1 Answer

Ordinarily, if the target process is running in the same context (i.e., as the same user) as the debugger, no privileges are required for either OpenProcess or CreateRemoteThread.

If the target process is running as a different user, or if the process permissions have been modified, you might need to enable SE_DEBUG_NAME before calling OpenProcess. This privilege allows you to open any process, bypassing the security permissions assigned to the process. (This is analogous to the way that the backup/restore privileges allow you to bypass the security permissions on files and directories.)

Some applications modify their own process permissions so that, e.g., the user can't use Task Manager to kill the process. In this case, it's your own code, so that won't be a problem. It is possible in principle for some other software (anti-virus software, for example) to modify the permissions on your process, but I've never heard of it happening, so you probably don't need to worry about enabling SE_DEBUG_NAME.

Harry Johnston answered Jan 26 '26 09:01
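The following is an added example, not code from the question or the answer, showing the utility side of the technique described above end to end: open the target with exactly the access mask the CreateRemoteThread documentation lists, fall back to enabling SeDebugPrivilege only when that first OpenProcess is denied (the different-user or modified-DACL case from the answer), and then start the target's own diagnostics routine on a remote thread. It is C# using P/Invoke; the Win32 signatures and constants are the documented ones. The address of the diagnostics entry point inside the target is assumed to be known to the caller (for instance exported by the target and resolved by the utility), and the process ID and address are assumed to arrive on the command line.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;

static class RemoteTrigger
{
    // Access rights that CreateRemoteThread documents as required on the process handle.
    const uint PROCESS_CREATE_THREAD     = 0x0002;
    const uint PROCESS_VM_OPERATION      = 0x0008;
    const uint PROCESS_VM_READ           = 0x0010;
    const uint PROCESS_VM_WRITE          = 0x0020;
    const uint PROCESS_QUERY_INFORMATION = 0x0400;
    const uint RequiredAccess = PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION
                              | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ;

    const uint TOKEN_ADJUST_PRIVILEGES = 0x0020;
    const uint TOKEN_QUERY             = 0x0008;
    const uint SE_PRIVILEGE_ENABLED    = 0x0002;
    const int  ERROR_ACCESS_DENIED     = 5;
    const int  ERROR_NOT_ALL_ASSIGNED  = 1300;
    const uint WAIT_OBJECT_0           = 0;

    [StructLayout(LayoutKind.Sequential)]
    struct LUID { public uint LowPart; public int HighPart; }

    // TOKEN_PRIVILEGES with exactly one LUID_AND_ATTRIBUTES entry inlined.
    [StructLayout(LayoutKind.Sequential)]
    struct TOKEN_PRIVILEGES { public uint PrivilegeCount; public LUID Luid; public uint Attributes; }

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr process, uint desiredAccess, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LookupPrivilegeValue(string systemName, string name, out LUID luid);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool AdjustTokenPrivileges(IntPtr token, bool disableAll, ref TOKEN_PRIVILEGES newState,
                                             uint bufferLength, IntPtr previousState, IntPtr returnLength);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr OpenProcess(uint desiredAccess, bool inheritHandle, uint processId);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr CreateRemoteThread(IntPtr process, IntPtr threadAttributes, UIntPtr stackSize,
                                            IntPtr startAddress, IntPtr parameter, uint creationFlags, out uint threadId);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern uint WaitForSingleObject(IntPtr handle, uint milliseconds);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // Returns true if SeDebugPrivilege is now enabled in this process's token, false if the token
    // does not hold the privilege at all. AdjustTokenPrivileges returns TRUE even when nothing was
    // enabled; the only signal is GetLastError() == ERROR_NOT_ALL_ASSIGNED, which many samples skip.
    static bool TryEnableDebugPrivilege()
    {
        IntPtr token;
        if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, out token))
            throw new Win32Exception();
        try
        {
            var tp = new TOKEN_PRIVILEGES { PrivilegeCount = 1, Attributes = SE_PRIVILEGE_ENABLED };
            if (!LookupPrivilegeValue(null, "SeDebugPrivilege", out tp.Luid))
                throw new Win32Exception();
            if (!AdjustTokenPrivileges(token, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero))
                throw new Win32Exception();
            return Marshal.GetLastWin32Error() != ERROR_NOT_ALL_ASSIGNED;
        }
        finally { CloseHandle(token); }
    }

    // Opens the target with only the documented rights. Only if that is refused with
    // ERROR_ACCESS_DENIED does it enable SeDebugPrivilege and retry, so a same-user target
    // never needs the privilege and a missing privilege surfaces as the original error.
    static IntPtr OpenTarget(uint pid)
    {
        IntPtr process = OpenProcess(RequiredAccess, false, pid);
        if (process != IntPtr.Zero) return process;
        int firstError = Marshal.GetLastWin32Error();
        if (firstError != ERROR_ACCESS_DENIED || !TryEnableDebugPrivilege())
            throw new Win32Exception(firstError);
        process = OpenProcess(RequiredAccess, false, pid);
        if (process == IntPtr.Zero) throw new Win32Exception();
        return process;
    }

    // Runs the target's own diagnostics routine on a fresh thread and waits for it to finish.
    // entryPoint is the address of that routine inside the target's address space (assumed to be
    // resolved by the caller). Nothing is written into the target, so no WriteProcessMemory call.
    static void TriggerDiagnostics(uint pid, IntPtr entryPoint, uint timeoutMs)
    {
        IntPtr process = OpenTarget(pid);
        try
        {
            uint tid;
            IntPtr thread = CreateRemoteThread(process, IntPtr.Zero, UIntPtr.Zero, entryPoint, IntPtr.Zero, 0, out tid);
            if (thread == IntPtr.Zero) throw new Win32Exception();
            try
            {
                if (WaitForSingleObject(thread, timeoutMs) != WAIT_OBJECT_0)
                    Console.Error.WriteLine("diagnostics thread {0} did not finish within {1} ms", tid, timeoutMs);
            }
            finally { CloseHandle(thread); }
        }
        finally { CloseHandle(process); }
    }

    static int Main(string[] args)
    {
        if (args.Length != 2) { Console.Error.WriteLine("usage: trigger <pid> <entry-point-address-hex>"); return 2; }
        uint pid = uint.Parse(args[0]);
        IntPtr entry = new IntPtr(Convert.ToInt64(args[1], 16));   // assumed: caller already resolved the address
        TriggerDiagnostics(pid, entry, 30000);
        return 0;
    }
}
```

Two checks in this code are the ones worth carrying into real tooling. First, the fallback reports honestly: under UAC a limited administrator's filtered token does not carry SeDebugPrivilege at all, so TryEnableDebugPrivilege returns false and the utility fails with the original access-denied error instead of pretending the privilege was enabled. Second, the utility never requests more than the five documented rights, so when a same-user target is opened (the common case in the answer) no privilege is involved and nothing in the DACL beyond those rights is touched.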