VOID TestPrivateNamespace()
{
HANDLE hBoundaryDescriptor = NULL;
BOOL cond = FALSE;
SECURITY_ATTRIBUTES sa;
BYTE localAdminSID[SECURITY_MAX_SID_SIZE];
PSID pLocalAdminSID = &localAdminSID;
DWORD cbSID = sizeof(localAdminSID);
CHAR text[1000];
do {
RtlSecureZeroMemory(&localAdminSID, sizeof(localAdminSID));
hBoundaryDescriptor = CreateBoundaryDescriptor(TEXT("TestBoundaryDescriptor"), 0);
if (hBoundaryDescriptor == NULL) {
break;
}
if (!CreateWellKnownSid(WinBuiltinAdministratorsSid, NULL, pLocalAdminSID, &cbSID)) {
break;
}
if (!AddSIDToBoundaryDescriptor(&hBoundaryDescriptor, pLocalAdminSID)) {
break;
}
RtlSecureZeroMemory(&sa, sizeof(sa));
sa.nLength = sizeof(sa);
sa.bInheritHandle = FALSE;
if (!ConvertStringSecurityDescriptorToSecurityDescriptor(TEXT("D:(A;;GA;;;BA)"),
SDDL_REVISION_1, &sa.lpSecurityDescriptor, NULL)) {
break;
}
g_hNamespace = CreatePrivateNamespace(&sa, hBoundaryDescriptor, TEXT("Mynamespace2"));
LocalFree(sa.lpSecurityDescriptor);
if (g_hNamespace == NULL) {
ultostr_a(GetLastError(), text);
OutputDebugStringA(text);
break;
}
g_hMutex = CreateMutex(NULL, FALSE, TEXT("Mynamespace2\\TestMutex"));
} while (cond);
}
void CheckInstances()
{
/* Create a SID corresponding to the Local Administrator group */
BYTE localAdminSID[SECURITY_MAX_SID_SIZE];
PSID pLocalAdminSID = &localAdminSID;
DWORD cbSID = sizeof(localAdminSID);
BOOL CreateWellKnownSidResult;
BOOL AddSIDToBoundaryResult;
BOOL ConvertStringResult;
DWORD dwLastError;
/* Create the boundary descriptor
* A new boundary descriptor must have at least one security identifier (SID).
* To add a SID to a boundary descriptor, use the AddSIDToBoundaryDescriptor function.
*/
g_hBoundary = CreateBoundaryDescriptor(g_szBoundary, 0);
/* The CreateWellKnownSid function creates a SID for predefined aliases.
* The first parameter WellKnownSidType is WELL_KNOWN_SID_TYPE enumeration.
* The WELL_KNOWN_SID_TYPE enumeration is a list of commonly used security identifiers (SIDs).
* Programs can pass these values to the CreateWellKnownSid function
* to create a SID from this list.
* Examples of possible values:
* WinBuiltinDomainSid = 25,
* WinBuiltinAdministratorsSid = 26,
* WinBuiltinUsersSid = 27,
* WinBuiltinGuestsSid = 28,
* WinBuiltinPowerUsersSid = 29
* We choose only administrators SID
* DomainSid [in, optional] - A pointer to a SID
* that identifies the domain to use when creating the SID.
* Pass NULL to use the local computer.
* cbSid [in, out]
* A pointer to a DWORD that contains the number of bytes available at pSid.
* The CreateWellKnownSid function stores the number of bytes actually used at this location.
*/
CreateWellKnownSidResult =
CreateWellKnownSid(
WinBuiltinAdministratorsSid,
NULL,
&cbSID,
NULL);
/* If we cannot create SID, we show a message on the interface. */
if (CreateWellKnownSidResult == FALSE)
{
AddText(
TEXT("AddSIDToBoundaryDescriptor failed: %u\r\n"),
GetLastError());
return;
}
/* Associate the Local Admin SID to the boundary descriptor
* --> only applications running under an administrator user
* will be able to access the kernel objects in the same namespace
* The following function
* adds a security identifier (SID) to the specified boundary descriptor.
* The first parameter HANDLE *BoundaryDescriptor is a handle to the boundary descriptor.
* RequiredSid [in] a pointer to a SID structure.
*/
AddSIDToBoundaryResult =
AddSIDToBoundaryDescriptor(
&g_hBoundary,
pLocalAdminSID);
/* If we cannot add the SID to the boundary descriptor,
* we show a message on the interface. */
if (CreateWellKnownSidResult == FALSE)
{
AddText(
TEXT("AddSIDToBoundaryDescriptor failed: %u\r\n"),
GetLastError());
return;
}
/* Create the namespace for Local Administrators only */
SECURITY_ATTRIBUTES sa;
sa.nLength = sizeof(sa);
sa.bInheritHandle = FALSE;
/* The ConvertStringSecurityDescriptorToSecurityDescriptor function converts
* a string-format security descriptor into a valid, functional security descriptor.
* This function retrieves a security descriptor that the
* ConvertSecurityDescriptorToStringSecurityDescriptor function converted to string format.
* Parameters:
* LPCTSTR StringSecurityDescriptor - A pointer to a null-terminated string containing
* the string-format security descriptor to convert.
*
* The Security Descriptor String Format is a text format for storing
* or transporting information in a security descriptor. The format is a null-terminated string
* with tokens to indicate each of the four main components of a security descriptor:
* owner (O:), primary group (G:), DACL (D:), and SACL (S:).
*
* We use this pattern string
* D:dacl_flags(string_ace1)(string_ace2)... (string_acen)
* dacl_flags - Security descriptor control flags that apply to the DACL.
* The dacl_flags string can be a concatenation of zero or more of the following strings.
*
* DWORD StringSDRevision - Specifies the revision level of the StringSecurityDescriptor string.
* Currently this value must be SDDL_REVISION_1.
* SecurityDescriptor[out] - A pointer to a variable that receives a pointer to the converted security descriptor.
*
*/
ConvertStringResult =
ConvertStringSecurityDescriptorToSecurityDescriptor(
TEXT("D:(A;;GA;;;BA)"),
SDDL_REVISION_1,
&sa.lpSecurityDescriptor,
NULL);
/* If we cannot convert string sequrity descriptor,
* we show a message on the interface. */
if (ConvertStringResult == FALSE)
{
AddText(
TEXT("Security Descriptor creation failed: %u\r\n"),
GetLastError());
return;
}
/* Creates a private namespace.
*
* lpPrivateNamespaceAttributes [in, optional] -
* A pointer to a SECURITY_ATTRIBUTES structure
* that specifies the security attributes of the namespace object.
*
* lpBoundaryDescriptor [in] -
* A descriptor that defines how the namespace is to be isolated.
* The caller must be within this boundary.
* The CreateBoundaryDescriptor function creates a boundary descriptor.
*
* lpAliasPrefix [in] -
* The prefix for the namespace. To create an object in this namespace,
* specify the object name as prefix\objectname.
* The system supports multiple private namespaces with the same name,
* as long as they define different boundaries.
*
* Return value
* If the function succeeds, it returns a handle to the new namespace.
* If the function fails, the return value is NULL.
* To get extended error information, call GetLastError.
*/
g_hNamespace =
CreatePrivateNamespace(
&sa,
g_hBoundary,
g_szNamespace);
/* The memory for sa.lpSecurityDescriptor has been allocated by Convert...
* windows function. It up to us to free the memory.
* Don't forget to release memory for the security descriptor.
*/
LocalFree(sa.lpSecurityDescriptor);
/* Check the private namespace creation result */
dwLastError = GetLastError();
/* If the function has returned null. That means that some error
* has happened. In this case we need to investigate a GetLastError()
*/
if (g_hNamespace == NULL)
{
/* Nothing to do if access is denied
* --> this code must run under a Local Administrator account
*/
if (dwLastError == ERROR_ACCESS_DENIED)
{
AddText(TEXT("Access denied when creating the namespace.\r\n"));
AddText(TEXT(" You must be running as Administrator.\r\n\r\n"));
return;
}
else
{
/* If another instance has already created the namespace,
we need to open it instead. */
if (dwLastError == ERROR_ALREADY_EXISTS)
{
AddText(TEXT("CreatePrivateNamespace failed: %u\r\n"), dwLastError);
/* Try to open existed private namespace
* pBoundaryDescriptor [in] - A descriptor that defines how
* the namespace is to be isolated. The CreateBoundaryDescriptor function
* creates a boundary descriptor.
*/
g_hNamespace = OpenPrivateNamespace(g_hBoundary, g_szNamespace);
/* If the function returns null, that means that some error has happened */
if (g_hNamespace == NULL)
{
AddText(
TEXT(" and OpenPrivateNamespace failed: %u\r\n"),
dwLastError);
return;
}
else
{
g_bNamespaceOpened = TRUE;
AddText(TEXT(" but OpenPrivateNamespace succeeded\r\n\r\n"));
}
}
}
}
/* Try to create the mutex object with a name
* based on the private namespace
*/
TCHAR szMutexName[64];
StringCchPrintf(
szMutexName,
_countof(szMutexName),
TEXT("%s\\%s"),
g_szNamespace,
TEXT("Singleton"));
/* Try to create mutex */
g_hSingleton = CreateMutex(NULL, FALSE, szMutexName);
if (GetLastError() == ERROR_ALREADY_EXISTS)
{
/* There is already an instance of this Singleton object */
AddText(TEXT("Another instance of Singleton is running:\r\n"));
AddText(TEXT("--> Impossible to access application features.\r\n"));
}
else
{
/* First time the Singleton object is created */
AddText(TEXT("First instance of Singleton:\r\n"));
AddText(TEXT("--> Access application features now.\r\n"));
}
}
void CreateNamespaceForUser(LPCWSTR account_name)
{
BYTE sid_bytes[MAX_SID_SIZE];
WCHAR domain[256];
SID_NAME_USE name_use;
DWORD sid_size = MAX_SID_SIZE;
DWORD domain_size = _countof(domain);
if (!LookupAccountName(nullptr, account_name, (PSID)sid_bytes, &sid_size, domain, &domain_size, &name_use))
{
printf("[ERROR] getting SId for account %ls: %d\n", account_name, GetLastError());
return;
}
LPWSTR sid_str;
ConvertSidToStringSid((PSID)sid_bytes, &sid_str);
std::wstring boundary_name = L"IEUser_";
boundary_name += sid_str;
boundary_name += L"_MicrosoftEdge";
BoundaryDescriptor boundry;
if (!boundry.Initialize(boundary_name.c_str()))
{
printf("[ERROR] initializing boundary descriptor: %d\n", GetLastError());
return;
}
PSECURITY_DESCRIPTOR psd;
ULONG sd_size = 0;
std::wstring sddl = L"D:(A;OICI;GA;;;WD)(A;OICI;GA;;;AC)(A;OICI;GA;;;WD)(A;OICI;GA;;;S-1-0-0)";
sddl += L"(A;OICI;GA;;;" + GetCurrentUserSid() + L")";
sddl += L"(A;OICI;GA;;;" + GetCurrentLogonSid() + L")";
sddl += L"S:(ML;OICI;NW;;;S-1-16-0)";
if (!ConvertStringSecurityDescriptorToSecurityDescriptor(sddl.c_str(), SDDL_REVISION_1, &psd, &sd_size))
{
printf("[ERROR] converting SDDL: %d\n", GetLastError());
return;
}
std::unique_ptr<void, LocalFreeDeleter> sd_buf(psd);
SECURITY_ATTRIBUTES secattr = {};
secattr.nLength = sizeof(secattr);
secattr.lpSecurityDescriptor = psd;
private_namespace ns(CreatePrivateNamespace(&secattr, boundry.boundry_desc(), boundary_name.c_str()));
if (!ns)
{
printf("[ERROR] creating private namespace - %ls: %d\n", boundary_name.c_str(), GetLastError());
return;
}
printf("[SUCCESS] Created Namespace %ls, start Edge as other user\n", boundary_name.c_str());
std::wstring section_name = boundary_name + L"\\!PrivacIE!SharedMem!Settings";
while (true)
{
HANDLE hMapping = OpenFileMapping(FILE_MAP_READ | FILE_MAP_WRITE, FALSE, section_name.c_str());
if (hMapping)
{
printf("[SUCCESS] Opened other user's !PrivacIE!SharedMem!Settings section for write access\n");
return;
}
Sleep(1000);
}
}
void CheckInstances() {
// Create the boundary descriptor, the descriptor is not a kernel object.
// It is a pointer to a user-mode structure containing the definition of the boundary.
g_hBoundary = CreateBoundaryDescriptor(g_szBoundary, 0);
// Create a SID corresponding to the Local Administrator group
BYTE localAdminSID[SECURITY_MAX_SID_SIZE];
PSID pLocalAdminSID = &localAdminSID;
DWORD cbSID = sizeof(localAdminSID);
if (!CreateWellKnownSid(
WinBuiltinAdministratorsSid, NULL, pLocalAdminSID, &cbSID)
) {
AddText(TEXT("AddSIDToBoundaryDescriptor failed: %u\r\n"),
GetLastError());
return;
}
// Associate the Local Admin SID to the boundary descriptor
// --> only applications running under an administrator user
// will be able to access the kernel objects in the same namespace
if (!AddSIDToBoundaryDescriptor(&g_hBoundary, pLocalAdminSID)) {
AddText(TEXT("AddSIDToBoundaryDescriptor failed: %u\r\n"),
GetLastError());
return;
}
// Create the namespace for Local Administrators only
SECURITY_ATTRIBUTES sa;
sa.nLength = sizeof(sa);
sa.bInheritHandle = FALSE;
if (!ConvertStringSecurityDescriptorToSecurityDescriptor(
TEXT("D:(A;;GA;;;BA)"),
SDDL_REVISION_1, &sa.lpSecurityDescriptor, NULL)) {
AddText(TEXT("Security Descriptor creation failed: %u\r\n"), GetLastError());
return;
}
g_hNamespace =
CreatePrivateNamespace(&sa, g_hBoundary, g_szNamespace);
// Don't forget to release memory for the security descriptor
LocalFree(sa.lpSecurityDescriptor);
// Check the private namespace creation result
DWORD dwLastError = GetLastError();
if (g_hNamespace == NULL) {
// Nothing to do if access is denied
// --> this code must run under a Local Administrator account
if (dwLastError == ERROR_ACCESS_DENIED) {
AddText(TEXT("Access denied when creating the namespace.\r\n"));
AddText(TEXT(" You must be running as Administrator.\r\n\r\n"));
return;
} else {
if (dwLastError == ERROR_ALREADY_EXISTS) {
// If another instance has already created the namespace,
// we need to open it instead.
AddText(TEXT("CreatePrivateNamespace failed: %u\r\n"), dwLastError);
g_hNamespace = OpenPrivateNamespace(g_hBoundary, g_szNamespace);
if (g_hNamespace == NULL) {
AddText(TEXT(" and OpenPrivateNamespace failed: %u\r\n"),
dwLastError);
return;
} else {
g_bNamespaceOpened = TRUE;
AddText(TEXT(" but OpenPrivateNamespace succeeded\r\n\r\n"));
}
} else {
AddText(TEXT("Unexpected error occured: %u\r\n\r\n"),
dwLastError);
return;
}
}
}
// Try to create the mutex object with a name
// based on the private namespace
TCHAR szMutexName[64];
StringCchPrintf(szMutexName, _countof(szMutexName), TEXT("%s\\%s"),
g_szNamespace, TEXT("Singleton"));
g_hSingleton = CreateMutex(NULL, FALSE, szMutexName);
if (GetLastError() == ERROR_ALREADY_EXISTS) {
// There is already an instance of this Singleton object
AddText(TEXT("Another instance of Singleton is running:\r\n"));
AddText(TEXT("--> Impossible to access application features.\r\n"));
} else {
// First time the Singleton object is created
AddText(TEXT("First instance of Singleton:\r\n"));
AddText(TEXT("--> Access application features now.\r\n"));
}
}
