//============================================================
// Loads the PKCS#11 driver and
// tests if the driver loaded correctly
// Returns 0 for ok otherwise error code
//============================================================
int loadAndTestDriver(const char* driver, LIBHANDLE* pLibrary, CK_SLOT_ID* slotids, int slots, CK_ULONG slot)
{
CK_TOKEN_INFO tokinfo;
CK_SLOT_INFO slotinfo;
CK_ULONG idlen, i, ok;
CK_RV rv;
int err = ERR_OK;
// initialize
*pLibrary = NULL;
memset(slotids, 0, sizeof(CK_SLOT_ID) * slots);
// try to load the driver
*pLibrary = initPKCS11Library(driver);
if(!(*pLibrary))
SET_LAST_ERROR_RETURN_CODE(ERR_PKCS_LIB_LOAD);
idlen = slots;
rv = GetSlotIds(slotids, &idlen);
ddocDebug(3, "loadAndTestDriver", "RV: %d slots: %ld", (int)rv, (long)idlen);
if (rv != CKR_OK) {
err = ERR_PKCS_SLOT_LIST;
SET_LAST_ERROR(err);
}
if ((slot < 0) || (slot >= idlen)) {
err = ERR_PKCS_WRONG_SLOT;
SET_LAST_ERROR(err);
}
// it's useful to test DLL load status this way:
ok = 0;
for(i = 0; i < idlen; i++) {
rv = GetSlotInfo(&slotinfo, slotids[i]);
if(slotinfo.flags & CKF_TOKEN_PRESENT) {
ddocDebug(3, "loadAndTestDriver", "Read Token: %ld", (long)i);
rv = GetTokenInfo(&tokinfo, slotids[i]); // if !CKR_OK test
tokinfo.label[31] = 0;
ddocDebug(3, "loadAndTestDriver", "RV: %d Token: %s", (int)rv, tokinfo.label);
if(rv != CKR_OK)
slotids[i] = INVALID_SLOTIID; // set bad slotids to 0
else
ok++; // count the good slots
} else {
slotids[i] = INVALID_SLOTIID; // no tokne in this slot
}
}
// fill other slotid's with invalid slotid
for(i = idlen; i < (CK_ULONG)slots; i++)
slotids[i] = INVALID_SLOTIID;
if(ok < slot) {
err = ERR_PKCS_CARD_READ; // if not enough good slots
SET_LAST_ERROR(err);
}
// in case of error try to unload the module and notify caller
if (err) {
if (*pLibrary)
closePKCS11Library(*pLibrary, 0);
*pLibrary = NULL;
}
return err;
}
void CAuthDlg::FillTokenList()
{
m_TokenList.ResetContent();
CStringArray tokenInfo;
if (!GetTokenInfo(tokenInfo))
return;
for (int i = 0; i < tokenInfo.GetSize(); i++)
m_TokenList.AddString(tokenInfo[i]);
}
unsigned int GetProcessIntegrityLevel(HANDLE hToken)
{
std::vector<unsigned char> tokenIL = GetTokenInfo(hToken, TokenIntegrityLevel);
if (tokenIL.size() > 0)
{
PTOKEN_MANDATORY_LABEL il = reinterpret_cast<PTOKEN_MANDATORY_LABEL>(&tokenIL[0]);
return *GetSidSubAuthority(il->Label.Sid, 0);
}
else
{
return 0xFFFFFFFF;
}
}
String^ GetTokenUsername(HANDLE hToken)
{
std::vector<unsigned char> tokenUsername = GetTokenInfo(hToken, TokenUser);
if (tokenUsername.size() > 0)
{
PTOKEN_USER user = reinterpret_cast<PTOKEN_USER>(&tokenUsername[0]);
std::vector<wchar_t> name(MAX_NAME);
std::vector<wchar_t> domain(MAX_NAME);
DWORD dwNameSize = MAX_NAME;
DWORD dwDomainSize = MAX_NAME;
SID_NAME_USE sidNameUse;
String^ ret = "";
if (LookupAccountSid(nullptr, user->User.Sid, &name[0], &dwNameSize, &domain[0], &dwDomainSize, &sidNameUse))
{
ret = gcnew String(&domain[0]);
ret += "\\";
ret += gcnew String(&name[0]);
}
else
{
LPWSTR lpSid;
if (ConvertSidToStringSidW(user->User.Sid, &lpSid))
{
ret = gcnew String(lpSid);
LocalFree(lpSid);
}
}
return ret;
}
return "";
}
BOOL ReadMyToken(
HANDLE hMyToken)
{
HANDLE Token;
PMYTOKEN pMyToken = (PMYTOKEN)hMyToken;
Token = OpenToken(hMyToken, TOKEN_QUERY);
if (Token == NULL) {
DbgPrint("SECEDIT : Failed to open the token with TOKEN_QUERY access\n");
return(FALSE);
}
if (!GetTokenInfo(Token, TokenStatistics, (PPVOID)&(pMyToken->TokenStats))) {
DbgPrint("SECEDIT : Failed to read token statistics from token\n");
}
if (!GetTokenInfo(Token, TokenGroups, (PPVOID)&(pMyToken->Groups))) {
DbgPrint("SECEDIT : Failed to read group info from token\n");
}
if (!GetTokenInfo(Token, TokenUser, (PPVOID)&(pMyToken->UserId))) {
DbgPrint("SECEDIT : Failed to read userid from token\n");
}
if (!GetTokenInfo(Token, TokenOwner, (PPVOID)&(pMyToken->DefaultOwner))) {
DbgPrint("SECEDIT : Failed to read default owner from token\n");
}
if (!GetTokenInfo(Token, TokenPrimaryGroup, (PPVOID)&(pMyToken->PrimaryGroup))) {
DbgPrint("SECEDIT : Failed to read primary group from token\n");
}
if (!GetTokenInfo(Token, TokenPrivileges, (PPVOID)&(pMyToken->Privileges))) {
DbgPrint("SECEDIT : Failed to read privilege info from token\n");
}
CloseToken(Token);
return(TRUE);
}
//
// Create a primary access token for specified user account
//
HANDLE CreateToken(LPCTSTR szUserName)
{
SID_IDENTIFIER_AUTHORITY nt = SECURITY_NT_AUTHORITY;
SECURITY_QUALITY_OF_SERVICE sqos = { sizeof(sqos), SecurityAnonymous, SECURITY_STATIC_TRACKING, FALSE };
HANDLE hToken;
PSID sid;
TOKEN_USER user;
LUID authid = SYSTEM_LUID;
OBJECT_ATTRIBUTES oa = { sizeof(oa), 0, 0, 0, 0, &sqos };
TOKEN_SOURCE source = {{'*', '*', 'A', 'N', 'O', 'N', '*', '*'}, {0, 0}};
HANDLE hToken2 = 0;
PTOKEN_STATISTICS stats;
PVOID tokarr[5];
int i;
DWORD status;
// Get address of Nt/ZwCreateToken from NTDLL.DLL
ZwCreateToken = (PVOID)GetProcAddress(GetModuleHandle("ntdll.dll"), "ZwCreateToken");
RtlNtStatusToDosError = (PVOID)GetProcAddress(GetModuleHandle("ntdll.dll"), "RtlNtStatusToDosError");
if(ZwCreateToken == 0 || RtlNtStatusToDosError == 0)
return 0;
// Must have SeCreateToken privilege
if(!EnablePrivilege(SE_CREATE_TOKEN_NAME, TRUE)){
DBG("EnablePrivilege failed\n");
}
// Use an existing process token as our basic for a new token
if(!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY | TOKEN_QUERY_SOURCE, &hToken))
return 0;
// Convert username to a SID
if((sid = GetUserSid(szUserName)) == 0)
{
CloseHandle(hToken);
return 0;
}
user.User.Attributes = 0;
user.User.Sid = sid;
if(!AllocateLocallyUniqueId(&source.SourceIdentifier))
{
free(sid);
CloseHandle(hToken);
return 0;
}
if(!GetTokenInfo(hToken, TokenStatistics, &stats))
{
free(sid);
CloseHandle(hToken);
return 0;
}
//
// Undocumented ZwCreateToken service: will not work for us
// under WIN2003, will need to do this from WINLOGON process in future?
//
status = ZwCreateToken(&hToken2, TOKEN_ALL_ACCESS, &oa, TokenPrimary,
(PLUID)&authid,
(PLARGE_INTEGER)&stats->ExpirationTime,
&user,
(PTOKEN_GROUPS) GetTokenInfo(hToken, TokenGroups, &tokarr[0]),
(PTOKEN_PRIVILEGES) GetTokenInfo(hToken, TokenPrivileges, &tokarr[1]),
(PTOKEN_OWNER) GetTokenInfo(hToken, TokenOwner, &tokarr[2]),
(PTOKEN_PRIMARY_GROUP) GetTokenInfo(hToken, TokenPrimaryGroup, &tokarr[3]),
(PTOKEN_DEFAULT_DACL) GetTokenInfo(hToken, TokenDefaultDacl, &tokarr[4]),
&source);
for(i = 0; i < 5; i++)
free(tokarr[i]);
free(stats);
free(sid);
CloseHandle(hToken);
SetLastError(RtlNtStatusToDosError(status));
return hToken2;
}
BOOL GetOnePidFromSession(DWORD& dwPid, DWORD dwSessionId)
{
HANDLE hProcessSnap = NULL;
HANDLE hProcess = NULL;
HANDLE hToken = NULL;
BOOL bRetCode = FALSE;
PROCESSENTRY32 pe32 = {0};
// DWORD dwActiveSessionId = 0;
DWORD dwProcessSessionId = 0;
PVOID pTokenUserBuf = NULL;
DWORD size = 0;
// 得到 active session id 先
//if ( ! GetActiveSessionID(dwActiveSessionId) )
//{
// return FALSE;
//}
hProcessSnap = ::CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (hProcessSnap == INVALID_HANDLE_VALUE)
{
return FALSE;
}
pe32.dwSize = sizeof(PROCESSENTRY32);
if (::Process32First(hProcessSnap, &pe32))
{
do
{
if (hProcess != NULL)
{
::CloseHandle(hProcess);
hProcess = NULL;
}
if (hToken != NULL)
{
::CloseHandle(hToken);
hToken = NULL;
}
// 不是explorer.exe进程就直接 continue
if (0 != _tcsicmp(pe32.szExeFile, _T("explorer.exe")))
continue;
// 找到一个PID, whoes session id is identical with the active session id
if (FALSE == ::ProcessIdToSessionId(pe32.th32ProcessID, &dwProcessSessionId)
|| dwProcessSessionId != dwSessionId )
continue;
// 打开进程并且成功得到了token名柄
if (NULL == (hProcess = ::OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, pe32.th32ProcessID)))
continue;
if (FALSE == ::OpenProcessToken(hProcess, TOKEN_ALL_ACCESS, &hToken))
continue;
pTokenUserBuf = NULL;
size = 0;
// 成功检索到token的信息
if (FALSE == GetTokenInfo(hToken, TokenUser, &pTokenUserBuf, &size))
continue;
// 从token里拿到sid
// 这个进程的用户不是system时才中止
if (!IsSystemUserSid(((PTOKEN_USER)pTokenUserBuf)->User.Sid))
{
dwPid = pe32.th32ProcessID;
bRetCode = TRUE;
FreeTokenInfo(pTokenUserBuf);
pTokenUserBuf = NULL;
break;
}
FreeTokenInfo(pTokenUserBuf);
pTokenUserBuf = NULL;
}while (::Process32Next(hProcessSnap, &pe32));
}
if (hProcess != NULL)
{
::CloseHandle(hProcess);
hProcess = NULL;
}
if (hToken != NULL)
{
::CloseHandle(hToken);
hToken = NULL;
}
if (hProcessSnap != INVALID_HANDLE_VALUE)
{
::CloseHandle(hProcessSnap);
}
return (bRetCode);
}
BOOL
EditDefaultDacl(
HWND hwndOwner,
HANDLE Instance,
HANDLE MyToken
)
{
NTSTATUS Status;
BOOL Success = FALSE;
DWORD EditResult;
HANDLE Token = NULL;
PTOKEN_DEFAULT_DACL DefaultDacl = NULL;
PSECURITY_DESCRIPTOR SecurityDescriptor = NULL;
PTOKEN_OWNER Owner = NULL;
PTOKEN_PRIMARY_GROUP PrimaryGroup = NULL;
WCHAR string[MAX_STRING_LENGTH];
//
// Get the window text so we can use it as the token name
//
GetWindowTextW(((PMYTOKEN)MyToken)->hwnd, string, sizeof(string)/sizeof(*string));
//
// Get a handle to the token
//
Token = OpenToken(MyToken, TOKEN_QUERY);
if (Token == NULL) {
DbgPrint("SECEDIT : Failed to open the token with TOKEN_QUERY access\n");
goto CleanupAndExit;
}
//
// Read the default DACL from the token
//
if (!GetTokenInfo(Token, TokenDefaultDacl, (PPVOID)&DefaultDacl)) {
DbgPrint("SECEDIT : Failed to read default DACL from token\n");
goto CleanupAndExit;
}
//
// Get the owner and group of the token
//
if (!GetTokenInfo(Token, TokenOwner, (PPVOID)&Owner)) {
DbgPrint("SECEDIT : Failed to read owner from token\n");
goto CleanupAndExit;
}
if (!GetTokenInfo(Token, TokenPrimaryGroup, (PPVOID)&PrimaryGroup)) {
DbgPrint("SECEDIT : Failed to read primary group from token\n");
goto CleanupAndExit;
}
//
// Create a security descriptor
//
SecurityDescriptor = Alloc(SECURITY_DESCRIPTOR_MIN_LENGTH);
if (SecurityDescriptor == NULL) {
DbgPrint("SECEDIT : Failed to allocate security descriptor\n");
goto CleanupAndExit;
}
Status = RtlCreateSecurityDescriptor(SecurityDescriptor, SECURITY_DESCRIPTOR_REVISION);
ASSERT(NT_SUCCESS(Status));
//
// Set the DACL on the security descriptor
//
Status = RtlSetDaclSecurityDescriptor(
SecurityDescriptor,
TRUE, // DACL present
DefaultDacl->DefaultDacl,
FALSE // DACL defaulted
);
ASSERT(NT_SUCCESS(Status));
//
// Put the owner and group in the security descriptor to keep the
// ACL editor happy
//
Status = RtlSetOwnerSecurityDescriptor(
SecurityDescriptor,
Owner->Owner,
FALSE // Owner defaulted
);
ASSERT(NT_SUCCESS(Status));
Status = RtlSetGroupSecurityDescriptor(
SecurityDescriptor,
PrimaryGroup->PrimaryGroup,
FALSE // Owner defaulted
);
ASSERT(NT_SUCCESS(Status));
ASSERT(RtlValidSecurityDescriptor(SecurityDescriptor));
//
// Call the ACL editor, it will call our ApplySecurity function
// to store any ACL changes in the token.
//
Success = EditTokenDefaultAcl(
hwndOwner,
Instance,
string,
MyToken,
SecurityDescriptor,
&EditResult
);
if (!Success) {
DbgPrint("SECEDIT: Failed to edit token DACL\n");
}
CleanupAndExit:
if (DefaultDacl != NULL) {
FreeTokenInfo(DefaultDacl);
}
if (SecurityDescriptor != NULL) {
FreeTokenInfo(SecurityDescriptor);
}
if (PrimaryGroup != NULL) {
FreeTokenInfo(PrimaryGroup);
}
if (Owner != NULL) {
FreeTokenInfo(Owner);
}
if (Token != NULL) {
CloseToken(Token);
}
return(Success);
}
