Determine administrator rights

Started by Vortex, August 17, 2023, 01:00:12 PM


Vortex

Hello,

A small command-line tool to determine whether your user account operates under administrator rights. Note that this first version does not inspect the process token: it infers the answer from whether the process can open a registry key under another account's hive with full access, so the result depends on that key's ACL and on the token the process is currently running with.

IsAdmin64.exe

Success : The user does have administrative privileges.


include     IsAdmin64.inc

.data

; Registry path probed by entry_point, relative to HKEY_USERS.
; NOTE(review): S-1-5-19 is the well-known LOCAL SERVICE SID; the check
; below relies on that key's ACL denying full access to non-administrators.
subkey      db 'S-1-5-19\Environment',0
; Messages printed by entry_point (s1 = failure path, s2 = success path).
s1          db 'Failure : The user does not have administrative privileges.',0
s2          db 'Success : The user does have administrative privileges.',0

.code

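;-----------------------------------------------------------------------
; entry_point  (Win64 ABI, no arguments)
; Heuristic admin check: attempts RegOpenKeyEx on
; HKEY_USERS\S-1-5-19\Environment with KEY_ALL_ACCESS.
;   open succeeds -> prints s2, closes the key, exits with 1
;   open fails    -> prints s1, exits with 0
; NOTE(review): this tests the key's ACL as seen by the *current* token,
; not Administrators group membership.  Every non-zero error code (not
; only ERROR_ACCESS_DENIED - e.g. a missing key) takes the failure path,
; so the check fails closed.  A UAC-filtered (non-elevated) admin token
; is expected to land on the failure path as well - confirm on target.
;-----------------------------------------------------------------------
entry_point PROC PARMAREA=5*QWORD

LOCAL hKey:QWORD
LOCAL string:QWORD
LOCAL retVal:QWORD

    ; Assume success; the failure path overwrites both locals.
    lea     rax,OFFSET [rip+s2]
    mov     string,rax
    mov     retVal,1

    invoke  RegOpenKeyEx,HKEY_USERS,ADDR subkey,0,\
            KEY_ALL_ACCESS,ADDR hKey

    ; RegOpenKeyEx returns a 32-bit LONG: only eax is defined by the
    ; x64 ABI, the upper half of rax is not.  Test the low dword only.
    test    eax,eax
    jz      opened

    lea     rax,OFFSET [rip+s1]
    mov     string,rax
    mov     retVal,0                        ; exit code 0 = not admin
    jmp     report

opened:
    invoke  RegCloseKey,hKey                ; release the handle before exiting
report:
    invoke  StdOut,string

    invoke  ExitProcess,retVal              ; exit code: 1 = admin, 0 = not admin

entry_point ENDP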

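;-----------------------------------------------------------------------
; StdOut(string)  (Win64 ABI; rcx = address of a NUL-terminated string)
; Function from the Masm64 package
; Writes the string to STD_OUTPUT_HANDLE with WriteFile.
; Returns rax = number of bytes written; 0 when WriteFile did not run
; to completion (bwrt is zeroed up front so no stale stack data leaks
; into the return value).
; r14/r15 are callee-saved; the PROC frame ("uses") saves and restores them.
;-----------------------------------------------------------------------
StdOut PROC uses r14 r15 string:QWORD PARMAREA=5*QWORD

LOCAL bwrt:QWORD

    mov     bwrt,0                         ; defined return value even if WriteFile fails

    mov     r14,rcx                        ; r14 = start of text (survives the calls below)
    mov     rax,r14
    sub     rax,1                          ; pre-decrement so the loop can increment first
@@:
    add     rax,1
    cmp     BYTE PTR [rax],0               ; scan forward to the terminating NUL
    jne     @B
    sub     rax,r14                        ; rax = length in bytes, excluding the NUL
    mov     r15,rax                        ; r15 = length (passed as WriteFile's DWORD count)

    invoke  GetStdHandle,STD_OUTPUT_HANDLE
    mov     rcx,rax                        ; hFile
    lea     r9,bwrt                        ; lpNumberOfBytesWritten (must be non-NULL since lpOverlapped is NULL)
    xor     r10,r10                        ; lpOverlapped = NULL
    invoke  WriteFile,rcx,r14,r15,r9,r10

    mov     rax,bwrt                       ; return value is bytes written

    ret

StdOut ENDP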

END entry_point

Vortex

An improved version uploaded at the top.

bitcoin

An interesting method, without manipulating tokens. Thanks Vortex.

Vortex

Hi bitcoin,

Thanks, here is another version based on the API function IsUserAnAdmin :


.
.
.data

; Messages printed by entry_point (s1 = not admin, s2 = admin).
s1          db 'Failure : The user does not have administrative privileges.',0
s2          db 'Success : The user does have administrative privileges.',0
; Message lookup table indexed by the BOOL from IsUserAnAdmin:
; [0] = FALSE -> s1, [1] = TRUE -> s2.
table       dq OFFSET s1,OFFSET s2

.code

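;-----------------------------------------------------------------------
; entry_point  (Win64 ABI, no arguments)
; Calls IsUserAnAdmin, prints table[result] and exits with result.
; Exit code: 1 = admin, 0 = not admin.
; NOTE(review): per the Microsoft remarks quoted on this page,
; IsUserAnAdmin is a wrapper over CheckTokenMembership and calling that
; directly is recommended.  The answer describes the token the process
; is running with; a UAC-filtered (non-elevated) token is expected to
; yield FALSE - confirm for the deployment.
;-----------------------------------------------------------------------
entry_point PROC PARMAREA=4*QWORD

LOCAL retVal:QWORD

    invoke  IsUserAnAdmin

    ; BOOL is a 32-bit value: only eax is defined on return, the upper
    ; half of rax is not.  Normalise to exactly 0/1 before using the
    ; value as a table index and as the exit code, so neither garbage
    ; upper bits nor a non-canonical TRUE can index past the table.
    test    eax,eax
    setnz   al
    movzx   eax,al                          ; rax = 0 or 1 (32-bit write zeroes the upper half)
    mov     retVal,rax

    mov     rdx,OFFSET table
    mov     rcx,QWORD PTR [rdx+8*rax]       ; rcx = s1 for 0, s2 for 1

    invoke  StdOut,rcx

    invoke  ExitProcess,retVal

entry_point ENDP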
.
.


Quote (Remarks, from the IsUserAnAdmin documentation):

This function is a wrapper for CheckTokenMembership. It is recommended to call that function directly to determine Administrator group status rather than calling IsUserAnAdmin.

https://learn.microsoft.com/en-us/windows/win32/api/shlobj_core/nf-shlobj_core-isuseranadmin