Low-severity bug: SetPrivilege leaks the hToken handle on its error path (when AdjustTokenPrivileges fails after OpenProcessToken has succeeded). There are other copies of this function in the project.
BOOL SetPrivilege(HANDLE hProcess, LPCTSTR lPriv)
{
LUID luid;
TOKEN_PRIVILEGES privs;
HANDLE hToken = NULL;
DWORD dwBufLen = 0;
char buf[1024];
ZeroMemory(&luid, sizeof(luid));
if (!LookupPrivilegeValue(NULL, lPriv, &luid)) return false;
privs.PrivilegeCount = 1;
privs.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
memcpy(&privs.Privileges[0].Luid, &luid, sizeof(privs.Privileges[0].Luid));
! if (!OpenProcessToken(hProcess, TOKEN_ALL_ACCESS, &hToken)) <<< hToken acquired
return false;
if (!AdjustTokenPrivileges(hToken, FALSE, &privs,
sizeof(buf), (PTOKEN_PRIVILEGES)buf, &dwBufLen))
+ CloseHandle(hToken)
return false;
CloseHandle(hProcess);
CloseHandle(hToken);
return true;
}
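Review bot: The added `CloseHandle(hToken)` on the AdjustTokenPrivileges failure branch has no terminating semicolon and sits under a brace-less `if`, so once it is made to compile the following `return false;` is no longer guarded and the function would fail on every call; the branch needs braces or a single release point. Separately, a nonzero return from AdjustTokenPrivileges does not mean the privilege was enabled, because GetLastError() can still be ERROR_NOT_ALL_ASSIGNED, so the function can report success to a caller that then carries on without the privilege. TOKEN_ALL_ACCESS is also broader than this call needs; `TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY` covers it, including the previous-state buffer. `CloseHandle(hProcess)` runs only on the success path, so ownership of the caller's handle looks inconsistent and is worth confirming against the call sites and the other copies of the function.

```cpp
// … unchanged: LookupPrivilegeValue and privs setup …
if (!OpenProcessToken(hProcess, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
    return false;
BOOL adjusted = AdjustTokenPrivileges(hToken, FALSE, &privs,
    sizeof(buf), (PTOKEN_PRIVILEGES)buf, &dwBufLen);
// A nonzero return with ERROR_NOT_ALL_ASSIGNED means the privilege was not enabled.
if (adjusted && GetLastError() == ERROR_NOT_ALL_ASSIGNED)
    adjusted = FALSE;
CloseHandle(hToken); // released on every path after the open
if (!adjusted)
    return false;
// … unchanged: CloseHandle(hProcess); return true; …
```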
Low sev bug: SetPrivilege leaks handle to hToken in error path. There are other copies of this function in the project.
BOOL SetPrivilege(HANDLE hProcess, LPCTSTR lPriv)
{
LUID luid;
TOKEN_PRIVILEGES privs;
HANDLE hToken = NULL;
DWORD dwBufLen = 0;
char buf[1024];
ZeroMemory(&luid, sizeof(luid));
if (!LookupPrivilegeValue(NULL, lPriv, &luid)) return false;
privs.PrivilegeCount = 1;
privs.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
memcpy(&privs.Privileges[0].Luid, &luid, sizeof(privs.Privileges[0].Luid));
! if (!OpenProcessToken(hProcess, TOKEN_ALL_ACCESS, &hToken)) <<< hToken acquired
return false;
if (!AdjustTokenPrivileges(hToken, FALSE, &privs,
sizeof(buf), (PTOKEN_PRIVILEGES)buf, &dwBufLen))
+ CloseHandle(hToken)
return false;
CloseHandle(hProcess);
CloseHandle(hToken);
return true;
}
DetectWindowsCopyOnWriteForAPI/d-dr-registers/Engine.cpp
Line 63 in 7bb1a6f