I have a program based on WPF in C#, and I want to remove the user's privileges for debugging the application (SeDebugPrivilege) (in Release mode at least). What's the best way to go about this? I've found a couple of ways of doing it in code that requires unsafe calls to unmanaged code. I'd prefer to do this either purely in C# or, even better, via an application manifest or some other means that prevents the user from having the SeDebugPrivilege at all during the execution of my application. Is there any way of declaring a Windows group and revoking the privilege for the whole group? The motivation for this is part of a push to better secure my application by following the principles of least privilege. There are other privileges I'm sure I'd like to remove at some point later, but I'd like to worry about one thing at a time.
Disabling the SeDebugPrivilege in C#
1.9k Views Asked by Alex Marshall At
There are 1 best solutions below
I think you may be misunderstanding the effects of privileges such as SeDebugPrivilege. Whilst you can certainly remove the privilege from the process token using AdjustTokenPrivileges, this does not prevent the application from being debugged, it instead prevents the application itself from performing certain debugging actions. This could however be used to reduce the impact of possible vulnerabilities in your application by preventing it from affecting other processes via means that require the privilege.

Note that by default, a user can debug an application they have started themselves even without SeDebugPrivilege, so even if run as a non-administrative user (which by default will not have the privilege at all) this will not prevent the application from being debugged.

There are of course many examples of applications that attempt to detect whether a debugger is attached and they do so with varying levels of success. At best you will be able to make it harder to debug the application but you won't be able to prevent it entirely if you are running on the user's machine.

You could perhaps periodically check System.Diagnostics.Debugger.IsAttached, and take some action if the value is true, but it would be relatively straightforward to overcome for someone determined to debug the application.