bool DebugToken::Enable()
{
if (enabled || hDebugToken == NULL)
return true;
BOOL rc = OpenThreadToken(GetCurrentThread(), TOKEN_IMPERSONATE, TRUE, &hSavedToken);
if (!rc)
{
hSavedToken = NULL;
if (GetLastError()==ERROR_NO_TOKEN)
rc = ERROR_SUCCESS;
else
return false;
}
rc = SetThreadToken(NULL, hDebugToken);
if (!rc)
{
if (hSavedToken != NULL)
{
CloseHandle(hSavedToken);
hSavedToken = NULL;
}
return false;
}
enabled = true;
return true;
}
NTSTATUS kuhl_m_token_revert(int argc, wchar_t * argv[])
{
if(SetThreadToken(NULL, NULL))
kuhl_m_token_whoami(0, NULL);
else
PRINT_ERROR_AUTO(L"SetThreadToken");
return STATUS_SUCCESS;
}
BOOL CALLBACK kuhl_m_token_list_or_elevate_callback(HANDLE hToken, DWORD ptid, PVOID pvArg)
{
HANDLE hNewToken;
TOKEN_STATISTICS tokenStats;
DWORD szNeeded;
BOOL isUserOK = TRUE;
PKUHL_M_TOKEN_ELEVATE_DATA pData = (PKUHL_M_TOKEN_ELEVATE_DATA) pvArg;
PWSTR name, domainName;
if(ptid != GetCurrentProcessId())
{
if(GetTokenInformation(hToken, TokenStatistics, &tokenStats, sizeof(TOKEN_STATISTICS), &szNeeded))
{
if(pData->pUsername)
{
if(kull_m_token_getNameDomainFromToken(hToken, &name, &domainName, NULL, NULL))
{
isUserOK = (_wcsicmp(name, pData->pUsername) == 0);
LocalFree(name);
LocalFree(domainName);
}
} else if(pData->tokenId)
isUserOK = (pData->tokenId == tokenStats.TokenId.LowPart);
if(isUserOK && DuplicateTokenEx(hToken, TOKEN_QUERY | TOKEN_IMPERSONATE, NULL, (tokenStats.TokenType == TokenPrimary) ? SecurityDelegation : tokenStats.ImpersonationLevel, TokenImpersonation, &hNewToken))
{
if(pData->pSid)
{
isUserOK = FALSE;
if(!CheckTokenMembership(hNewToken, pData->pSid, &isUserOK))
PRINT_ERROR_AUTO(L"CheckTokenMembership");
}
if(isUserOK)
{
kprintf(L"%u\t", ptid);
kuhl_m_token_displayAccount(hToken);
if(pData->elevateIt)
{
if(SetThreadToken(NULL, hNewToken))
{
kprintf(L" -> Impersonated !\n");
kuhl_m_token_whoami(0, NULL);
isUserOK = FALSE;
}
else PRINT_ERROR_AUTO(L"SetThreadToken");
}
}
else isUserOK = TRUE;
CloseHandle(hNewToken);
}
else isUserOK = TRUE;
}
}
return isUserOK;
}
Win32ThreadImpersonator(HANDLE hToken)
{
BOOL ok = SetThreadToken(NULL, hToken);
if (!ok)
{
DWORD dwErr = GetLastError();
RCF_THROW( Exception(
_RcfError_Win32ApiError("SetThreadToken()"),
dwErr) );
}
}
void* __stdcall CsrClientCallServerHook(void* a, void* b, DWORD c, void* d)
{
void* ret = nullptr;
printf("In ClientCall hook %08X\n", c);
if (c == 0x10010005)
{
printf("Set Anonymous Token: %d\n", SetThreadToken(nullptr, GetAnonymousToken()));
}
ret = g_pCsgClientCallServer(a, b, c, d);
RevertToSelf();
return ret;
}
bool DebugToken::Revert()
{
if (!enabled)
return true;
BOOL rc = SetThreadToken(NULL, hSavedToken);
if (!rc)
return false;
if (hSavedToken != NULL)
{
CloseHandle(hSavedToken);
hSavedToken = NULL;
}
enabled = false;
return true;
}
/**
* RevertToPrinterSelf reverts the security context from the current user's context back to the process context.
* As spoolss.dll is used by spoolsv.exe, this is usually the SYSTEM security context.
*
* Unlike the traditional ImpersonateClient and then RevertToSelf approach, we do it the other way round here,
* because spoolss.dll is delay-loaded by spoolsv.exe in the current user's context. Use RevertToPrinterSelf then to
* return to the SYSTEM context for specific tasks.
*/
HANDLE WINAPI
RevertToPrinterSelf(VOID)
{
DWORD dwErrorCode;
HANDLE hReturnValue = NULL;
HANDLE hToken = NULL;
// All spoolss code is usually called after impersonating the client. In this case, we can retrieve our current thread impersonation token using OpenThreadToken.
// But in rare occasions, spoolss code is also called from a higher-privileged thread that doesn't impersonate the client. Then we don't get an impersonation token.
// Anyway, we can't just return nothing in this case, because this is being treated as failure by the caller. So we return the token of the current process.
// This behaviour is verified with Windows!
if (OpenThreadToken(GetCurrentThread(), TOKEN_IMPERSONATE, TRUE, &hToken))
{
// Tell the thread to stop impersonating.
if (!SetThreadToken(NULL, NULL))
{
dwErrorCode = GetLastError();
ERR("SetThreadToken failed with error %lu!\n", dwErrorCode);
goto Cleanup;
}
}
else if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken))
{
dwErrorCode = GetLastError();
ERR("OpenProcessToken failed with error %lu!\n", dwErrorCode);
goto Cleanup;
}
// We were successful, return a token!
dwErrorCode = ERROR_SUCCESS;
hReturnValue = hToken;
// Don't let the cleanup routine close this.
hToken = NULL;
Cleanup:
if (hToken)
CloseHandle(hToken);
SetLastError(dwErrorCode);
return hReturnValue;
}
/**
* @see RevertToPrinterSelf
*/
BOOL WINAPI
ImpersonatePrinterClient(HANDLE hToken)
{
DWORD cbReturned;
DWORD dwErrorCode;
TOKEN_TYPE Type;
// Sanity check
if (!hToken)
{
dwErrorCode = ERROR_INVALID_HANDLE;
goto Cleanup;
}
// Get the type of the supplied token.
if (!GetTokenInformation(hToken, TokenType, &Type, sizeof(TOKEN_TYPE), &cbReturned))
{
dwErrorCode = GetLastError();
ERR("GetTokenInformation failed with error %lu!\n", dwErrorCode);
goto Cleanup;
}
// Check if this is an impersonation token and only set it as the thread token in this case.
// This is not always an impersonation token, see RevertToPrinterSelf.
if (Type == TokenImpersonation)
{
if (!SetThreadToken(NULL, hToken))
{
dwErrorCode = GetLastError();
ERR("SetThreadToken failed with error %lu!\n", dwErrorCode);
goto Cleanup;
}
}
Cleanup:
if (hToken)
CloseHandle(hToken);
SetLastError(dwErrorCode);
return (dwErrorCode == ERROR_SUCCESS);
}
/*++
Routine Name:
CPTManager::GetMergedTicket
Routine Description:
This routine retrieves a merged PrintTicket at the requested scope given the base
and delta PrintTickets as IXMLDOMDocument2 interface pointers
Arguments:
ptScope - The scope at which the merge should take place
pDelta - The delta PrintTicket as an IXMLDOMDocument2 pointer
pBase - The base PrintTicket as an IXMLDOMDocument2 pointer
ppResult - The resulting PrintTicket after the merge has completed
Return Value:
HRESULT
S_OK - On success
E_* - On error
--*/
HRESULT
CPTManager::GetMergedTicket(
_In_ CONST EPrintTicketScope ptScope,
_In_ CONST IXMLDOMDocument2* pDelta,
_In_ IXMLDOMDocument2* pBase,
_Outptr_ IXMLDOMDocument2** ppResult
)
{
ASSERTMSG(pDelta != NULL, "NULL PT reference part passed.\n");
ASSERTMSG(pBase != NULL, "NULL base PT passed.\n");
ASSERTMSG(ppResult != NULL, "NULL out PT passed.\n");
HRESULT hr = S_OK;
if (SUCCEEDED(hr = CHECK_HANDLE(m_hProvider, E_PENDING)) &&
SUCCEEDED(hr = CHECK_POINTER(ppResult, E_POINTER)) &&
SUCCEEDED(hr = CHECK_POINTER(pDelta, E_POINTER)) &&
SUCCEEDED(hr = CHECK_POINTER(pBase, E_POINTER)))
{
*ppResult = NULL;
}
CComPtr<IStream> pResultStream(NULL);
CComPtr<IStream> pBaseStream(NULL);
CComPtr<IStream> pDeltaStream(NULL);
CComPtr<IXMLDOMDocument2> pNewPT(NULL);
//
// Create a new DOM doc based off the result ticket and
// assign to the resultant DOM doc
//
try
{
CComBSTR bstrErrorMessage;
if (SUCCEEDED(hr) &&
SUCCEEDED(hr = CreateStreamOnHGlobal(NULL, TRUE, &pResultStream)) &&
SUCCEEDED(hr = pBase->QueryInterface(IID_IStream, reinterpret_cast<VOID**>(&pBaseStream))) &&
SUCCEEDED(hr = const_cast<IXMLDOMDocument2*>(pDelta)->QueryInterface(IID_IStream, reinterpret_cast<VOID**>(&pDeltaStream))))
{
if (SetThreadToken(NULL, m_hToken))
{
if (SUCCEEDED(hr = PTMergeAndValidatePrintTicket(m_hProvider,
pBaseStream,
pDeltaStream,
ptScope,
pResultStream,
&bstrErrorMessage)))
{
if (SUCCEEDED(hr = SetPTFromStream(pResultStream, &pNewPT)))
{
//
// Assign the outgoing element pointer - detach from CComPtr to release ownership
//
*ppResult = pNewPT.Detach();
}
}
else
{
CStringXDA cstrMessage;
CStringXDA cstrError(bstrErrorMessage);
cstrMessage.Format("PTMergeAndValidatePrintTicket failed with message: %s\n", cstrError);
ERR(cstrMessage.GetBuffer());
}
//
// Always revert back to the default security context
//
if (!SetThreadToken(NULL, NULL))
{
//
// We couldn't revert the security context. The filter pipeline
// manager will clean up the thread when operation is complete,
// when it is determined that the security context was not
// reverted. Since there are no security implications with
// running this filter in an elevated context, we can
// continue to run.
//
}
}
else
{
hr = HRESULT_FROM_WIN32(GetLastError());
//
// If SetThreadToken fails, GetLastError will return an error
//
_Analysis_assume_(FAILED(hr));
}
}
}
catch (CXDException& e)
{
hr = e;
}
ERR_ON_HR(hr);
return hr;
}
/*++
Routine Name:
CPTManager::GetCapabilities
Routine Description:
This routine retrieves a PrintCapabilities document given a PrintTicket
Arguments:
pTicket - Pointer to the PrintTicket as a DOM document
pTicket - Pointer to a DOM document pointer that recieves the PrintCapabilities
Return Value:
HRESULT
S_OK - On success
E_* - On error
--*/
HRESULT
CPTManager::GetCapabilities(
_In_ IXMLDOMDocument2* pTicket,
_Outptr_ IXMLDOMDocument2** ppCapabilities
)
{
HRESULT hr = S_OK;
if (SUCCEEDED(hr = CHECK_POINTER(pTicket, E_POINTER)) &&
SUCCEEDED(hr = CHECK_POINTER(ppCapabilities, E_POINTER)))
{
*ppCapabilities = NULL;
CComBSTR bstrError;
CComPtr<IStream> pPTIn(NULL);
CComPtr<IStream> pPCOut(NULL);
CComPtr<IXMLDOMDocument2> pCapabilitiesDoc(NULL);
//
// Create the PrintCapabilities DOM document, retrieve the IStreams from the
// DOM documents and call the PT api to retrieve the capabilities document
//
if (SUCCEEDED(hr = pCapabilitiesDoc.CoCreateInstance(CLSID_DOMDocument60)) &&
SUCCEEDED(hr = pTicket->QueryInterface(IID_IStream, reinterpret_cast<VOID**>(&pPTIn))) &&
SUCCEEDED(hr = pCapabilitiesDoc->QueryInterface(IID_IStream, reinterpret_cast<VOID**>(&pPCOut))))
{
if (SetThreadToken(NULL, m_hToken))
{
if (SUCCEEDED(hr = PTGetPrintCapabilities(m_hProvider, pPTIn, pPCOut, &bstrError)))
{
LARGE_INTEGER cbMove = {0};
if (SUCCEEDED(hr = pPCOut->Seek(cbMove, STREAM_SEEK_SET, NULL)))
{
*ppCapabilities = pCapabilitiesDoc.Detach();
}
}
else
{
try
{
CStringXDA cstrError(bstrError);
ERR(cstrError.GetBuffer());
}
catch (CXDException&)
{
}
}
//
// Always revert back to the default security context
//
if (!SetThreadToken(NULL, NULL))
{
//
// We couldn't revert the security context. The filter pipeline
// manager will clean up the thread when operation is complete,
// when it is determined that the security context was not
// reverted. Since there are no security implications with
// running this filter in an elevated context, we can
// continue to run.
//
}
}
else
{
hr = HRESULT_FROM_WIN32(GetLastError());
//
// If SetThreadToken fails, GetLastError will return an error
//
_Analysis_assume_(FAILED(hr));
}
}
}
ERR_ON_HR(hr);
return hr;
}
/*++
Routine Name:
CPTManager::Initialise
Routine Description:
This routine Initialises the PrintTicket manager with the default PrintTicket
and the device name.
Arguments:
pDefaultTicketStream - Pointer to the default user PrintTicket as an IStream
bstrPrinterName - The name of the printer
userToken - The user's security token
Return Value:
HRESULT
S_OK - On success
E_* - On error
--*/
HRESULT
CPTManager::Initialise(
_In_ IPrintReadStream* pDefaultTicketStream,
_In_z_ BSTR bstrPrinterName,
_In_ HANDLE userToken
)
{
HRESULT hr = S_OK;
m_hToken = userToken;
//
// If the provider is already open close it
//
CloseProvider();
if (SUCCEEDED(hr = CHECK_POINTER(pDefaultTicketStream, E_POINTER)))
{
if (SysStringLen(bstrPrinterName) <= 0)
{
hr = E_INVALIDARG;
}
}
//
// We need to impersonate the user who submitted the job
// in order to always have sufficient rights to call
// PTOpenProvider.
//
if (SUCCEEDED(hr))
{
if (SetThreadToken(NULL, m_hToken))
{
//
// Open the PT interface and initialise PrintTickets
//
if (SUCCEEDED(hr = PTOpenProvider(bstrPrinterName, 1, &m_hProvider)))
{
CComPtr<IStream> pPTStream(NULL);
pPTStream.Attach(new(std::nothrow) CPrintReadStreamToIStream(pDefaultTicketStream));
if (SUCCEEDED(hr = CHECK_POINTER(pPTStream, E_OUTOFMEMORY)))
{
hr = InitialisePrintTickets(pPTStream);
}
}
//
// Always revert back to the default security context
//
if (!SetThreadToken(NULL, NULL))
{
//
// We couldn't revert the security context. The filter pipeline
// manager will clean up the thread when operation is complete,
// when it is determined that the security context was not
// reverted. Since there are no security implications with
// running this filter in an elevated context, we can
// continue to run.
//
}
}
else
{
hr = HRESULT_FROM_WIN32(GetLastError());
}
}
ERR_ON_HR(hr);
return hr;
}
void MI_CALL MSFT_DSCLocalConfigManager_Invoke_GetConfiguration(
_In_opt_ MSFT_DSCLocalConfigManager_Self* self,
_In_ MI_Context* context,
_In_opt_z_ const MI_Char* nameSpace,
_In_opt_z_ const MI_Char* className,
_In_opt_z_ const MI_Char* methodName,
_In_ const MSFT_DSCLocalConfigManager* instanceName,
_In_opt_ const MSFT_DSCLocalConfigManager_GetConfiguration* in)
{
MI_Result miResult;
MI_Instance *cimErrorDetails = NULL;
MI_InstanceA outInstances = {0};
MI_Value val;
MI_Uint32 bufferIndex = 0;
MSFT_DSCLocalConfigManager_GetConfiguration outputObject;
HANDLE m_clientThreadToken;
MI_UNREFERENCED_PARAMETER(self);
MI_UNREFERENCED_PARAMETER(nameSpace);
MI_UNREFERENCED_PARAMETER(className);
MI_UNREFERENCED_PARAMETER(methodName);
MI_UNREFERENCED_PARAMETER(instanceName);
MI_UNREFERENCED_PARAMETER(in);
if(!in->configurationData.exists)
{
MI_Context_PostResult(context, MI_RESULT_INVALID_PARAMETER);
return;
}
if(!OpenThreadToken(GetCurrentThread(), TOKEN_IMPERSONATE | TOKEN_QUERY | TOKEN_DUPLICATE, TRUE, &m_clientThreadToken))
{
GetCimWin32Error(GetLastError(), &cimErrorDetails, ID_LCMHELPER_THREADIMPERSONATION_FAILED);
MI_PostCimError(context, cimErrorDetails);
MI_Instance_Delete(cimErrorDetails);
return;
}
if (!SetThreadToken(NULL, NULL))
{
GetCimWin32Error(GetLastError(), &cimErrorDetails, ID_LCMHELPER_REVERTSELF_FAILED);
MI_PostCimError(context, cimErrorDetails);
MI_Instance_Delete(cimErrorDetails);
CloseHandle(m_clientThreadToken);
return;
}
miResult = MSFT_DSCLocalConfigManager_GetConfiguration_Construct(&outputObject, context);
if(miResult != MI_RESULT_OK)
{
GetCimMIError(miResult, &cimErrorDetails, ID_LCMHELPER_CONSTRUCTGET_FAILED);
MI_PostCimError(context, cimErrorDetails);
MI_Instance_Delete(cimErrorDetails);
return;
}
GetRealBufferIndex( &(in->configurationData.value), &bufferIndex);
miResult = CallGetConfiguration(in->configurationData.value.data + bufferIndex,
in->configurationData.value.size - bufferIndex, &outInstances,
context, &cimErrorDetails);
if(miResult != MI_RESULT_OK)
{
MI_PostCimError(context, cimErrorDetails);
MI_Instance_Delete(cimErrorDetails);
MSFT_DSCLocalConfigManager_GetConfiguration_Destruct(&outputObject);
SetThreadToken(NULL, m_clientThreadToken);
CloseHandle(m_clientThreadToken);
return;
}
val.instancea.data = outInstances.data;
val.instancea.size = outInstances.size;
miResult = MI_Context_WriteStreamParameter(context, L"configurations", &val, MI_INSTANCEA, 0);
CleanUpInstanceCache(&outInstances);
if(miResult != MI_RESULT_OK)
{
GetCimMIError(miResult, &cimErrorDetails, ID_LCMHELPER_WRITEGET_FAILED);
MI_PostCimError(context, cimErrorDetails);
MI_Instance_Delete(cimErrorDetails);
MSFT_DSCLocalConfigManager_GetConfiguration_Destruct(&outputObject);
SetThreadToken(NULL, m_clientThreadToken);
CloseHandle(m_clientThreadToken);
return;
}
miResult = MSFT_DSCLocalConfigManager_GetConfiguration_Set_MIReturn(&outputObject, 0);
if(miResult != MI_RESULT_OK)
{
GetCimMIError(miResult, &cimErrorDetails, ID_LCMHELPER_SETGET_FAILED);
MI_PostCimError(context, cimErrorDetails);
MI_Instance_Delete(cimErrorDetails);
MSFT_DSCLocalConfigManager_GetConfiguration_Destruct(&outputObject);
SetThreadToken(NULL, m_clientThreadToken);
CloseHandle(m_clientThreadToken);
return;
}
miResult = MSFT_DSCLocalConfigManager_GetConfiguration_Post(&outputObject, context);
MSFT_DSCLocalConfigManager_GetConfiguration_Destruct(&outputObject);
if (!SetThreadToken(NULL, m_clientThreadToken))
{
GetCimWin32Error(GetLastError(), &cimErrorDetails, ID_LCMHELPER_RESUMEIMPERSONATION_FAILED);
MI_PostCimError(context, cimErrorDetails);
MI_Instance_Delete(cimErrorDetails);
CloseHandle(m_clientThreadToken);
return;
}
CloseHandle(m_clientThreadToken);
if(miResult != MI_RESULT_OK)
{
GetCimMIError(miResult, &cimErrorDetails, ID_LCMHELPER_POSTGET_FAILED);
MI_PostCimError(context, cimErrorDetails);
MI_Instance_Delete(cimErrorDetails);
return;
}
MI_Context_PostResult(context, MI_RESULT_OK);
}
~Win32ThreadImpersonator()
{
SetThreadToken(NULL, NULL);
}
void MI_CALL MSFT_DSCLocalConfigManager_Invoke_SendMetaConfiguration(
_In_opt_ MSFT_DSCLocalConfigManager_Self* self,
_In_ MI_Context* context,
_In_opt_z_ const MI_Char* nameSpace,
_In_opt_z_ const MI_Char* className,
_In_opt_z_ const MI_Char* methodName,
_In_ const MSFT_DSCLocalConfigManager* instanceName,
_In_opt_ const MSFT_DSCLocalConfigManager_SendMetaConfiguration* in)
{
MI_Result miResult;
MI_Instance *cimErrorDetails = NULL;
HANDLE m_clientThreadToken;
MI_UNREFERENCED_PARAMETER(self);
MI_UNREFERENCED_PARAMETER(nameSpace);
MI_UNREFERENCED_PARAMETER(className);
MI_UNREFERENCED_PARAMETER(methodName);
MI_UNREFERENCED_PARAMETER(instanceName);
MI_UNREFERENCED_PARAMETER(in);
if(!in->MetaConfiguration.exists)
{
MI_Context_PostResult(context, MI_RESULT_INVALID_PARAMETER);
return;
}
if(!OpenThreadToken(GetCurrentThread(), TOKEN_IMPERSONATE | TOKEN_QUERY | TOKEN_DUPLICATE, TRUE, &m_clientThreadToken))
{
GetCimWin32Error(GetLastError(), &cimErrorDetails, ID_LCMHELPER_THREADIMPERSONATION_FAILED);
MI_PostCimError(context, cimErrorDetails);
MI_Instance_Delete(cimErrorDetails);
return;
}
if (!SetThreadToken(NULL, NULL))
{
GetCimWin32Error(GetLastError(), &cimErrorDetails, ID_LCMHELPER_REVERTSELF_FAILED);
MI_PostCimError(context, cimErrorDetails);
MI_Instance_Delete(cimErrorDetails);
CloseHandle(m_clientThreadToken);
return;
}
miResult = SetMetaConfig(in->MetaConfiguration.value, &cimErrorDetails);
if (!SetThreadToken(NULL, m_clientThreadToken))
{
GetCimWin32Error(GetLastError(), &cimErrorDetails, ID_LCMHELPER_RESUMEIMPERSONATION_FAILED);
MI_PostCimError(context, cimErrorDetails);
MI_Instance_Delete(cimErrorDetails);
CloseHandle(m_clientThreadToken);
return;
}
CloseHandle(m_clientThreadToken);
if(miResult != MI_RESULT_OK)
{
MI_PostCimError(context, cimErrorDetails);
MI_Instance_Delete(cimErrorDetails);
return;
}
MI_Context_PostResult(context, MI_RESULT_OK);
}
void MI_CALL MSFT_DSCLocalConfigManager_Invoke_ApplyConfiguration(
_In_opt_ MSFT_DSCLocalConfigManager_Self* self,
_In_ MI_Context* context,
_In_opt_z_ const MI_Char* nameSpace,
_In_opt_z_ const MI_Char* className,
_In_opt_z_ const MI_Char* methodName,
_In_ const MSFT_DSCLocalConfigManager* instanceName,
_In_opt_ const MSFT_DSCLocalConfigManager_ApplyConfiguration* in)
{
MI_Result miResult;
MI_Instance *cimErrorDetails = NULL;
MSFT_DSCLocalConfigManager_ApplyConfiguration outputObject;
HANDLE m_clientThreadToken;
MI_UNREFERENCED_PARAMETER(self);
MI_UNREFERENCED_PARAMETER(nameSpace);
MI_UNREFERENCED_PARAMETER(className);
MI_UNREFERENCED_PARAMETER(methodName);
MI_UNREFERENCED_PARAMETER(instanceName);
MI_UNREFERENCED_PARAMETER(in);
if(!OpenThreadToken(GetCurrentThread(), TOKEN_IMPERSONATE | TOKEN_QUERY | TOKEN_DUPLICATE, TRUE, &m_clientThreadToken))
{
GetCimWin32Error(GetLastError(), &cimErrorDetails, ID_LCMHELPER_THREADIMPERSONATION_FAILED);
MI_PostCimError(context, cimErrorDetails);
MI_Instance_Delete(cimErrorDetails);
return;
}
if (!SetThreadToken(NULL, NULL))
{
GetCimWin32Error(GetLastError(), &cimErrorDetails, ID_LCMHELPER_REVERTSELF_FAILED);
MI_PostCimError(context, cimErrorDetails);
MI_Instance_Delete(cimErrorDetails);
CloseHandle(m_clientThreadToken);
return;
}
miResult = MSFT_DSCLocalConfigManager_ApplyConfiguration_Construct(&outputObject, context);
if(miResult != MI_RESULT_OK)
{
GetCimMIError(miResult, &cimErrorDetails, ID_LCMHELPER_CONSTRUCTAPPLY_FAILED);
MI_PostCimError(context, cimErrorDetails);
MI_Instance_Delete(cimErrorDetails);
SetThreadToken(NULL, m_clientThreadToken);
CloseHandle(m_clientThreadToken);
return;
}
miResult = CallConsistencyEngine(context, &cimErrorDetails);
if(miResult != MI_RESULT_OK)
{
MI_PostCimError(context, cimErrorDetails);
MI_Instance_Delete(cimErrorDetails);
SetThreadToken(NULL, m_clientThreadToken);
CloseHandle(m_clientThreadToken);
return;
}
miResult = MSFT_DSCLocalConfigManager_ApplyConfiguration_Set_MIReturn(&outputObject, 0);
if(miResult != MI_RESULT_OK)
{
GetCimMIError(miResult, &cimErrorDetails, ID_LCMHELPER_SETAPPLY_FAILED);
MI_PostCimError(context, cimErrorDetails);
MI_Instance_Delete(cimErrorDetails);
SetThreadToken(NULL, m_clientThreadToken);
CloseHandle(m_clientThreadToken);
return;
}
miResult = MSFT_DSCLocalConfigManager_ApplyConfiguration_Post(&outputObject, context);
MSFT_DSCLocalConfigManager_ApplyConfiguration_Destruct(&outputObject);
if (!SetThreadToken(NULL, m_clientThreadToken))
{
GetCimWin32Error(GetLastError(), &cimErrorDetails, ID_LCMHELPER_RESUMEIMPERSONATION_FAILED);
MI_PostCimError(context, cimErrorDetails);
MI_Instance_Delete(cimErrorDetails);
CloseHandle(m_clientThreadToken);
return;
}
CloseHandle(m_clientThreadToken);
if(miResult != MI_RESULT_OK)
{
GetCimMIError(miResult, &cimErrorDetails, ID_LCMHELPER_POSTAPPLY_FAILED);
MI_PostCimError(context, cimErrorDetails);
MI_Instance_Delete(cimErrorDetails);
return;
}
MI_Context_PostResult(context, MI_RESULT_OK);
}
//
// Assert an NT privilege for this thread.
//
BOOL
AssertPrivilege(
IN LPCSTR PrivilegeName
)
{
BOOL b;
HANDLE hThread;
HANDLE hProcess;
TOKEN_PRIVILEGES tokenPrivileges, oldTokenPrivileges;
DWORD oldPrivilegesLength;
b = OpenThreadToken(GetCurrentThread(), TOKEN_ADJUST_PRIVILEGES |
TOKEN_QUERY, TRUE, &hThread);
if (!b) {
if (GetLastError() != ERROR_NO_TOKEN) {
return b;
}
b = OpenProcessToken(GetCurrentProcess(), TOKEN_DUPLICATE, &hProcess);
if (!b) {
return b;
}
b = DuplicateTokenEx(hProcess, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY |
TOKEN_IMPERSONATE, NULL, SecurityImpersonation,
TokenImpersonation, &hThread);
if (!b) {
CloseHandle(hProcess);
return b;
}
b = SetThreadToken(NULL, hThread);
if (!b) {
CloseHandle(hProcess);
CloseHandle(hThread);
return b;
}
CloseHandle(hProcess);
}
ZeroMemory(&tokenPrivileges, sizeof(tokenPrivileges));
b = LookupPrivilegeValue(NULL,PrivilegeName,&tokenPrivileges.Privileges[0].Luid);
if (!b) {
return b;
}
tokenPrivileges.PrivilegeCount = 1;
tokenPrivileges.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
b = AdjustTokenPrivileges(hThread, FALSE, &tokenPrivileges,
sizeof(tokenPrivileges), &oldTokenPrivileges,
&oldPrivilegesLength);
CloseHandle(hThread);
return b;
}
void impersonateToGetData(PCSTR user, PCSTR domain, PCSTR password, PCSTR kdc, PSID *sid, DWORD *rid, PCSTR usingWhat)
{
NTSTATUS status;
DWORD ret, *aRid, *usage;
ANSI_STRING aUser, aKdc, aDomain, aPass, aProg;
UNICODE_STRING uUser, uKdc, uDomain, uPass, uProg;
SAMPR_HANDLE hServerHandle, hDomainHandle;
PSID domainSid;
HANDLE hToken, hNewToken;
PROCESS_INFORMATION processInfos;
STARTUPINFOW startupInfo;
RtlZeroMemory(&startupInfo, sizeof(STARTUPINFOW));
startupInfo.cb = sizeof(STARTUPINFOW);
RtlInitString(&aUser, user);
RtlInitString(&aKdc, kdc);
RtlInitString(&aDomain, domain);
RtlInitString(&aPass, password);
RtlInitString(&aProg, usingWhat ? usingWhat : "winver.exe");
if(NT_SUCCESS(RtlAnsiStringToUnicodeString(&uUser, &aUser, TRUE)))
{
if(NT_SUCCESS(RtlAnsiStringToUnicodeString(&uKdc, &aKdc, TRUE)))
{
if(NT_SUCCESS(RtlAnsiStringToUnicodeString(&uDomain, &aDomain, TRUE)))
{
if(NT_SUCCESS(RtlAnsiStringToUnicodeString(&uPass, &aPass, TRUE)))
{
if(NT_SUCCESS(RtlAnsiStringToUnicodeString(&uProg, &aProg, TRUE)))
{
if(CreateProcessWithLogonW(uUser.Buffer, uDomain.Buffer, uPass.Buffer, LOGON_NETCREDENTIALS_ONLY, uProg.Buffer, NULL, CREATE_SUSPENDED, NULL, NULL, &startupInfo, &processInfos))
{
if(OpenProcessToken(processInfos.hProcess, TOKEN_DUPLICATE, &hToken))
{
if(DuplicateTokenEx(hToken, TOKEN_QUERY | TOKEN_IMPERSONATE, NULL, SecurityDelegation, TokenImpersonation, &hNewToken))
{
if(SetThreadToken(NULL, hNewToken))
{
kprintf("[AUTH] Impersonation\n");
if(!(*sid && *rid))
{
kprintf("[SID/RID] \'%s @ %s\' must be translated to SID/RID\n", user, domain);
status = SamConnect(&uKdc, &hServerHandle, SAM_SERVER_CONNECT | SAM_SERVER_LOOKUP_DOMAIN, FALSE);
if(NT_SUCCESS(status))
{
status = SamLookupDomainInSamServer(hServerHandle, &uDomain, &domainSid);
if(NT_SUCCESS(status))
{
status = SamOpenDomain(hServerHandle, DOMAIN_LIST_ACCOUNTS | DOMAIN_LOOKUP, domainSid, &hDomainHandle);
if(NT_SUCCESS(status))
{
status = SamLookupNamesInDomain(hDomainHandle, 1, &uUser, &aRid, &usage);
if(NT_SUCCESS(status))
*rid = *aRid;
else PRINT_ERROR("SamLookupNamesInDomain %08x\n", status);
}
else PRINT_ERROR("SamOpenDomain %08x\n", status);
ret = GetLengthSid(domainSid);
if(*sid = (PSID) LocalAlloc(LPTR, ret))
{
if(!CopySid(ret, *sid, domainSid))
{
*sid = (PSID) LocalFree(*sid);
PRINT_ERROR_AUTO("CopySid");
}
}
SamFreeMemory(domainSid);
}
else PRINT_ERROR("SamLookupDomainInSamServer %08x\n", status);
SamCloseHandle(hServerHandle);
}
else PRINT_ERROR("SamConnect %08x\n", status);
}
RevertToSelf();
}
else PRINT_ERROR_AUTO("SetThreadToken");
CloseHandle(hNewToken);
}
else PRINT_ERROR_AUTO("DuplicateTokenEx");
CloseHandle(hToken);
}
else PRINT_ERROR_AUTO("OpenProcessToken");
TerminateProcess(processInfos.hProcess, 0);
CloseHandle(processInfos.hProcess);
CloseHandle(processInfos.hThread);
}
else PRINT_ERROR_AUTO("CreateProcessWithLogonW");
RtlFreeUnicodeString(&uProg);
}
RtlFreeUnicodeString(&uPass);
}
RtlFreeUnicodeString(&uDomain);
}
RtlFreeUnicodeString(&uKdc);
}
RtlFreeUnicodeString(&uUser);
}
}
void MI_CALL MSFT_DSCLocalConfigManager_Invoke_SendConfigurationApply(
_In_opt_ MSFT_DSCLocalConfigManager_Self* self,
_In_ MI_Context* context,
_In_opt_z_ const MI_Char* nameSpace,
_In_opt_z_ const MI_Char* className,
_In_opt_z_ const MI_Char* methodName,
_In_ const MSFT_DSCLocalConfigManager* instanceName,
_In_opt_ const MSFT_DSCLocalConfigManager_SendConfigurationApply* in)
{
MI_Result miResult;
MI_Instance *cimErrorDetails = NULL;
MI_Uint32 bufferIndex = 0;
HANDLE m_clientThreadToken;
MI_UNREFERENCED_PARAMETER(self);
MI_UNREFERENCED_PARAMETER(nameSpace);
MI_UNREFERENCED_PARAMETER(className);
MI_UNREFERENCED_PARAMETER(methodName);
MI_UNREFERENCED_PARAMETER(instanceName);
MI_UNREFERENCED_PARAMETER(in);
if(!in->ConfigurationData.exists)
{
MI_Context_PostResult(context, MI_RESULT_INVALID_PARAMETER);
return;
}
if(!OpenThreadToken(GetCurrentThread(), TOKEN_IMPERSONATE | TOKEN_QUERY | TOKEN_DUPLICATE, TRUE, &m_clientThreadToken))
{
GetCimWin32Error(GetLastError(), &cimErrorDetails, ID_LCMHELPER_THREADIMPERSONATION_FAILED);
MI_PostCimError(context, cimErrorDetails);
MI_Instance_Delete(cimErrorDetails);
return;
}
if (!SetThreadToken(NULL, NULL))
{
GetCimWin32Error(GetLastError(), &cimErrorDetails, ID_LCMHELPER_REVERTSELF_FAILED);
MI_PostCimError(context, cimErrorDetails);
MI_Instance_Delete(cimErrorDetails);
CloseHandle(m_clientThreadToken);
return;
}
GetRealBufferIndex( &(in->ConfigurationData.value), &bufferIndex);
miResult = CallSetConfiguration(in->ConfigurationData.value.data + bufferIndex,
in->ConfigurationData.value.size - bufferIndex, LCM_SETFLAGS_DEFAULT, context, &cimErrorDetails);
if (!SetThreadToken(NULL, m_clientThreadToken))
{
GetCimWin32Error(GetLastError(), &cimErrorDetails, ID_LCMHELPER_RESUMEIMPERSONATION_FAILED);
MI_PostCimError(context, cimErrorDetails);
MI_Instance_Delete(cimErrorDetails);
CloseHandle(m_clientThreadToken);
return;
}
CloseHandle(m_clientThreadToken);
if(miResult != MI_RESULT_OK)
{
MI_PostCimError(context, cimErrorDetails);
MI_Instance_Delete(cimErrorDetails);
return;
}
MI_Context_PostResult(context, MI_RESULT_OK);
}