Added /SqlConnect

- Added /SqlConnect option to show or replace a connection string in SQL parameters.
- Renamed 'CON' to 'SHOW' in /RecordCrypto as it is more intuitive.
- Compiled/signed binaries for version 1.0.5.0.

Build/WinPriv-hash.txt

@@ -1,30 +1,30 @@
 
 Algorithm       Hash                                                                   Path
 ---------       ----                                                                   ----
-SHA256          B10282FB9C3826BFD4082BFB5F8E18E523EACE36E74D19FD25FE92A5DF93A383       x64\WinPriv.exe
-SHA256          2429179899825FF42232D56F6A3E2B7413BF4630E5E646011FFF068A702FD17B       x64\WinPrivCmd.exe
-SHA256          644E57345623D4B8174C5E5A6C05806C1D5024EBCEB019B45647F0BA77BC81F4       x86\WinPriv.exe
-SHA256          1C4033E11901C10241289E4620A81875C5D071A9E22AC0AABE8AE26CBBA70C36       x86\WinPrivCmd.exe
-SHA256          850471A78CB82D441532AAF0971C42EEC8E2FF806F487AD7C3770555CF5FBA96       WinPriv.zip
+SHA256          44A7B0A3CE0D830BF702D1C8274B20BAD04C652C58C2E7558E2E98BC96D0CC53       x64\WinPriv.exe
+SHA256          766A398164A1362A96914969A9267A331AD6770E006933A2AB51C3071C81B13B       x64\WinPrivCmd.exe
+SHA256          0A6703667FB0466DF53CA2353BA7914193F51E041078CA8FA0B8A4925FC61D17       x86\WinPriv.exe
+SHA256          D2B7F3EF11CF5068C462603E56005D86DDE0385BA8AC55E97A7BD4EFC5FE95B3       x86\WinPrivCmd.exe
+SHA256          7C87EE203659216A3120BEF0D471E0E28056FF3FB06328123A6F39C6446476F1       WinPriv.zip
 
 
 
 Algorithm       Hash                                                                   Path
 ---------       ----                                                                   ----
-SHA1            DEC324669772CF64DDD5DED0D0F76893F1256AF1                               x64\WinPriv.exe
-SHA1            4AFB4286A3084969E9742D7E92EE9EBD7201C0A3                               x64\WinPrivCmd.exe
-SHA1            2E40839DD86A1F618033A7B37C2D2E888063CAB5                               x86\WinPriv.exe
-SHA1            E02A3B6E6B0797C1C6D8A4AB631960BCF791A9F4                               x86\WinPrivCmd.exe
-SHA1            261F99B46AC5C746914EA80AFB6200F565BCCD56                               WinPriv.zip
+SHA1            805E085FA383C1CF884889AF6AB465F2C9A154C9                               x64\WinPriv.exe
+SHA1            E05025496858EF9BEC7B85E22C5A5DC034719EC1                               x64\WinPrivCmd.exe
+SHA1            D4A8AAFCBB9063954CC8E4CF4FBF61F775EE3ABA                               x86\WinPriv.exe
+SHA1            3EAA653961B1395B1183B630DBE40DE8B3574A1F                               x86\WinPrivCmd.exe
+SHA1            788C18EB4EB94676F274923D4C7C61117FAF1B28                               WinPriv.zip
 
 
 
 Algorithm       Hash                                                                   Path
 ---------       ----                                                                   ----
-MD5             84A8709A90DA2906F3315DAC31DFCC69                                       x64\WinPriv.exe
-MD5             9F912DD63219DA286C3B648C91E5A62F                                       x64\WinPrivCmd.exe
-MD5             391CAAB7F5182910643CC6F621526C5A                                       x86\WinPriv.exe
-MD5             D21A994A4BE441B8DB8B6162BDB05DBD                                       x86\WinPrivCmd.exe
-MD5             77634115439E4D06B47B8019091DD792                                       WinPriv.zip
+MD5             F96DB323A1B0DC49080EACCDEC7A8414                                       x64\WinPriv.exe
+MD5             6A1D22075ACDE86330B5AA835FE715D7                                       x64\WinPrivCmd.exe
+MD5             4CF0CA8512108BE1972F34C23131D4E2                                       x86\WinPriv.exe
+MD5             C878914F7C8DF675C242D19AC2B4A53C                                       x86\WinPrivCmd.exe
+MD5             6C18CD4D9DB90222C7423D39862828E7                                       WinPriv.zip
 
 

WinPriv/WinPriv.cpp

@@ -47,6 +47,7 @@ int RunProgram(int iArgc, wchar_t *aArgv[])
 	SetEnvironmentVariable(WINPRIV_EV_BACKUP_RESTORE, L"0");
 	SetEnvironmentVariable(WINPRIV_EV_ADMIN_IMPERSONATE, L"0");
 	SetEnvironmentVariable(WINPRIV_EV_RECORD_CRYPTO, L"");
+	SetEnvironmentVariable(WINPRIV_EV_SQL_CONNECT, L"");
 	SetEnvironmentVariable(WINPRIV_EV_RELAUNCH_MODE, L"0");
 	SetEnvironmentVariable(WINPRIV_EV_PARENT_PID, std::to_wstring(GetCurrentProcessId()).c_str());
 
@@ -294,7 +295,7 @@ int RunProgram(int iArgc, wchar_t *aArgv[])
 			SetEnvironmentVariable(WINPRIV_EV_ADMIN_IMPERSONATE, L"1");
 		}
 
-		// instructs winpriv to override all host name lookups
+		// instructs winpriv to record encrypt/decrypt operations
 		else if (_wcsicmp(sArg.c_str(), L"/RecordCrypto") == 0)
 		{
 			const int iArgsRequired = 1;
@@ -306,9 +307,9 @@ int RunProgram(int iArgc, wchar_t *aArgv[])
 				return __LINE__;
 			}
 
-			// if not 'CON' then ensure the passed directory exists
+			// if not 'SHOW' then ensure the passed directory exists
 			std::wstring sRecordCrypto(aArgv[iArg + 1]);
-			if (_wcsicmp(sRecordCrypto.c_str(), L"CON") != 0)
+			if (_wcsicmp(sRecordCrypto.c_str(), L"SHOW") != 0)
 			{
 				if (CreateDirectory(sRecordCrypto.c_str(), NULL) == FALSE &&
 					ERROR_ALREADY_EXISTS != GetLastError())
@@ -323,6 +324,24 @@ int RunProgram(int iArgc, wchar_t *aArgv[])
 			iArg += iArgsRequired;
 		}
 
+		// instructs winpriv to show or replace sql connection information
+		else if (_wcsicmp(sArg.c_str(), L"/SqlConnect") == 0)
+		{
+			const int iArgsRequired = 1;
+
+			// one additional parameter is required
+			if (iArg + iArgsRequired >= iArgc)
+			{
+				PrintMessage(L"ERROR: Not enough parameters specified for: %s\n", sArg.c_str());
+				return __LINE__;
+			}
+
+			// store the sql connect info in the environment variable to pass to child
+			std::wstring sSqlConnect(aArgv[iArg + 1]);
+			SetEnvironmentVariable(WINPRIV_EV_SQL_CONNECT, sSqlConnect.c_str());
+			iArg += iArgsRequired;
+		}
+
 		// instruct winpriv to display process execution time
 		else if (_wcsicmp(sArg.c_str(), L"/MeasureTime") == 0)
 		{

WinPriv/WinPriv.vcxproj

@@ -34,7 +34,7 @@
     <ProjectGuid>{C9CBD938-2A0F-4D91-81F4-94414751BFBE}</ProjectGuid>
     <Keyword>Win32Proj</Keyword>
     <RootNamespace>WinPriv</RootNamespace>
-    <WindowsTargetPlatformVersion>10.0.17134.0</WindowsTargetPlatformVersion>
+    <WindowsTargetPlatformVersion>10.0.17763.0</WindowsTargetPlatformVersion>
     <ProjectName>WinPriv</ProjectName>
   </PropertyGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />

WinPriv/WinPrivMisc.cpp

@@ -215,10 +215,16 @@ Optional Switches
    This option records the data being inputted to common Windows encryption 
    functions and the data being outputted from common Windows decryption 
    functions. A separate file will be created for each operation in the 
-   specified directory. If 'CON' is specified instead of a directory path, 
+   specified directory. If 'SHOW' is specified instead of a directory path, 
    information is outputted to the console and message boxes, depending of the 
    type of application.
 
+/SqlConnect <String>
+
+   This option replaces the string used in any ODBC string connection with the
+   one specified. Alternatively, 'SHOW' can be specified to display a 
+   connection string without changing it.
+
 /MeasureTime
 
    This option measures the execution time of the target process and displays

WinPrivLibrary/WinPrivLibraryDetours.cpp

@@ -21,6 +21,7 @@
 #include <ws2tcpip.h>
 #include <mstcpip.h>
 #include <wincrypt.h>
+#include <sqlext.h>
 
 #define _NTDEF_
 #include <ntsecapi.h>
@@ -562,7 +563,7 @@ void RecordCryptoData(LPCWSTR sFunction, PUCHAR pData, DWORD iDataLen)
 
 	// decide whether to output to console or file system
 	LPWSTR sCryptoValue = _wgetenv(WINPRIV_EV_RECORD_CRYPTO);
-	if (_wcsicmp(sCryptoValue, L"CON") == 0)
+	if (_wcsicmp(sCryptoValue, L"SHOW") == 0)
 	{
 		if (IsTextUnicode(pData, iDataLen, NULL))
 		{
@@ -661,6 +662,46 @@ NTSTATUS __stdcall DetourRtlDecryptMemory(_Inout_updates_bytes_(MemorySize) PVOI
 	return iResult;
 }
 
+//   __   __           __   __             ___  __  ___ 
+//  /__` /  \ |       /  ` /  \ |\ | |\ | |__  /  `  |  
+//  .__/ \__X |___    \__, \__/ | \| | \| |___ \__,  |  
+//                                                      
+
+decltype(&SQLDriverConnectA) TrueSQLDriverConnectA = SQLDriverConnectA;
+
+SQLRETURN SQL_API DetourSQLDriverConnectA(SQLHDBC hdbc, SQLHWND hwnd, _In_reads_(cbConnStrIn) SQLCHAR *szConnStrIn,
+	SQLSMALLINT cbConnStrIn, _Out_writes_opt_(cbConnStrOutMax) SQLCHAR *szConnStrOut, SQLSMALLINT cbConnStrOutMax,
+	_Out_opt_ SQLSMALLINT *pcbConnStrOut, SQLUSMALLINT fDriverCompletion)
+{
+	// internally, the ansi function is routed through the wide character function
+	// so we do not need to add any handling logic here
+	return TrueSQLDriverConnectA(hdbc, hwnd, szConnStrIn, cbConnStrIn, szConnStrOut,
+		cbConnStrOutMax, pcbConnStrOut, fDriverCompletion);
+}
+
+decltype(&SQLDriverConnectW) TrueSQLDriverConnectW = SQLDriverConnectW;
+
+SQLRETURN SQL_API DetourSQLDriverConnectW(SQLHDBC hdbc, SQLHWND hwnd, _In_reads_(cchConnStrIn) SQLWCHAR* szConnStrIn,
+	SQLSMALLINT cchConnStrIn, _Out_writes_opt_(cchConnStrOutMax) SQLWCHAR* szConnStrOut, SQLSMALLINT cchConnStrOutMax,
+	_Out_opt_ SQLSMALLINT* pcchConnStrOut, SQLUSMALLINT fDriverCompletion)
+{
+	// decide whether to simply show the sql connection string or replace it
+	LPWSTR sSqlConnect = _wgetenv(WINPRIV_EV_SQL_CONNECT);
+	if (_wcsicmp(sSqlConnect, L"SHOW") == 0)
+	{
+		std::wstring sPassedConnection((LPWSTR) szConnStrIn, (cchConnStrIn == SQL_NTS) ? wcslen(szConnStrIn) : cchConnStrIn);
+		PrintMessage(L"SQL Connection String: %s", sPassedConnection.c_str());
+	}
+	else
+	{
+		szConnStrIn = sSqlConnect;
+		cchConnStrIn = SQL_NTS;
+	}
+
+	return TrueSQLDriverConnectW(hdbc, hwnd, szConnStrIn, cchConnStrIn, szConnStrOut,
+		cchConnStrOutMax, pcchConnStrOut, fDriverCompletion);
+}
+
 //   __   ___ ___  __        __   __                           __   ___        ___      ___
 //  |  \ |__   |  /  \ |  | |__) /__`     |\/|  /\  |\ |  /\  / _` |__   |\/| |__  |\ |  |
 //  |__/ |___  |  \__/ \__/ |  \ .__/     |  | /~~\ | \| /~~\ \__> |___  |  | |___ | \|  |
@@ -719,6 +760,12 @@ EXTERN_C VOID WINAPI DllExtraAttach()
 		DetourAttach(&(PVOID&)TrueRtlDecryptMemory, DetourRtlDecryptMemory);
 	}
 
+	if (VariableNotEmpty(WINPRIV_EV_SQL_CONNECT))
+	{
+		DetourAttach(&(PVOID&)TrueSQLDriverConnectA, DetourSQLDriverConnectA);
+		DetourAttach(&(PVOID&)TrueSQLDriverConnectW, DetourSQLDriverConnectW);
+	}
+
 	if (VariableNotEmpty(WINPRIV_EV_PRIVLIST))
 	{
 		// tokenize the string
@@ -787,4 +834,10 @@ EXTERN_C VOID WINAPI DllExtraDetach()
 		DetourDetach(&(PVOID&)TrueRtlEncryptMemory, DetourRtlEncryptMemory);
 		DetourDetach(&(PVOID&)TrueRtlDecryptMemory, DetourRtlDecryptMemory);
 	}
+
+	if (VariableNotEmpty(WINPRIV_EV_SQL_CONNECT))
+	{
+		DetourDetach(&(PVOID&)TrueSQLDriverConnectA, DetourSQLDriverConnectA);
+		DetourDetach(&(PVOID&)TrueSQLDriverConnectW, DetourSQLDriverConnectW);
+	}
 }

WinPrivShared/WinPrivShared.h

@@ -25,6 +25,7 @@ BOOL AlterCurrentUserPrivs(std::vector<std::wstring> vPrivsToGrant, BOOL bAddRig
 #define WINPRIV_EV_HOST_OVERRIDE L"_WINPRIV_EV_HOST_OVERRIDE_"
 #define WINPRIV_EV_ADMIN_IMPERSONATE L"_WINPRIV_EV_ADMIN_IMPERSONATE_"
 #define WINPRIV_EV_RECORD_CRYPTO L"_WINPRIV_EV_RECORD_CRYPTO_"
+#define WINPRIV_EV_SQL_CONNECT L"_WINPRIV_EV_SQL_CONNECT_"
 
 //
 // Miscellaneous Unicode String Helper Functions