コード例 #1
0
ファイル: ncbi_os_mswin.cpp プロジェクト: DmitrySigaev/ncbi
static HANDLE s_GetThreadToken(DWORD access)
{
    HANDLE token;
    if ( !OpenThreadToken(GetCurrentThread(), access, FALSE, &token) ) {
        DWORD res = GetLastError();
        if ( res == ERROR_NO_TOKEN ) {
            if ( !ImpersonateSelf(SecurityImpersonation) ) {
                // Failed to obtain a token for the current thread and user
                CNcbiError::SetFromWindowsError();
                return INVALID_HANDLE_VALUE;
            }
            if ( !OpenThreadToken(GetCurrentThread(), access, FALSE, &token) ) {
                // Failed to open the current threads token with the required access rights
                CNcbiError::SetFromWindowsError();
                token = INVALID_HANDLE_VALUE;
            }
            RevertToSelf();
        } else {
            // Failed to open the current threads token with the required access rights
            CNcbiError::SetWindowsError(res);
            return NULL;
        }
    }
    return token;
}
コード例 #2
0
ファイル: security.c プロジェクト: jazinga/psutil
int UnsetSeDebug()
{
    HANDLE hToken;
    if(! OpenThreadToken(GetCurrentThread(),
                        TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,
                        FALSE,
                        &hToken)
                        ){
        if(GetLastError() == ERROR_NO_TOKEN){
            if(! ImpersonateSelf(SecurityImpersonation)){
                //Log2File("Error setting impersonation! [UnsetSeDebug()]", L_DEBUG);
                return 0;
            }

            if(!OpenThreadToken(GetCurrentThread(),
                                TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,
                                FALSE,
                                &hToken)
                                ){
                //Log2File("Error Opening Thread Token! [UnsetSeDebug()]", L_DEBUG);
                return 0;
            }
        }
    }

    //now disable SeDebug
    if(!SetPrivilege(hToken, SE_DEBUG_NAME, FALSE)){
        //Log2File("Error unsetting SeDebug Privilege [SetPrivilege()]", L_WARN);
        return 0;
    }

    CloseHandle(hToken);
    return 1;
}
void CWE252_Unchecked_Return_Value__w32ImpersonateSelf_05_bad()
{
    if(staticTrue)
    {
        /* FLAW: Do not check if ImpersonateSelf() fails */
        ImpersonateSelf(SecurityImpersonation);
    }
}
/* good1() reverses the blocks on the goto statement */
static void good1()
{
    goto sink;
sink:
    /* FIX: check for the correct return value */
    if (!ImpersonateSelf(SecurityImpersonation))
    {
        exit(1);
    }
}
void CWE253_Incorrect_Check_of_Function_Return_Value__w32_ImpersonateSelf_18_bad()
{
    goto sink;
sink:
    /* FLAW: ImpersonateSelf() could fail and would return 0 (false), but we are checking to see
     * if the return value is greater than zero (true) */
    if (ImpersonateSelf(SecurityImpersonation) > 0)
    {
        exit(1);
    }
}
/* good2() reverses the bodies in the if statement */
static void good2()
{
    if(staticTrue)
    {
        /* FIX: Check to see if ImpersonateSelf() fails */
        if (!ImpersonateSelf(SecurityImpersonation))
        {
            exit(1);
        }
    }
}
/* good2() reverses the bodies in the if statement */
static void good2()
{
    if(globalFive==5)
    {
        /* FIX: check for the correct return value */
        if (!ImpersonateSelf(SecurityImpersonation))
        {
            exit(1);
        }
    }
}
/* good2() reverses the bodies in the if statement */
static void good2()
{
    if(STATIC_CONST_FIVE==5)
    {
        /* FIX: check for the correct return value */
        if (!ImpersonateSelf(SecurityImpersonation))
        {
            exit(1);
        }
    }
}
コード例 #9
0
ファイル: injector.cpp プロジェクト: jujinesy/apihook
/**
* @brief	adjust privilege
* @param	
* @see		
* @remarks http://support.microsoft.com/kb/131065/EN-US/
* @code		
* @endcode	
* @return	
*/
bool set_privilege(_In_z_ const wchar_t* privilege, _In_ bool enable)
{
	HANDLE token = INVALID_HANDLE_VALUE;
	if (TRUE != OpenThreadToken(GetCurrentThread(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, FALSE, &token) )
	{
		if (ERROR_NO_TOKEN == GetLastError() )
		{
			if ( ImpersonateSelf(SecurityImpersonation)	!= TRUE ) { return FALSE; }

			if (TRUE != OpenThreadToken(GetCurrentThread(),TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,FALSE,&token) )
			{
				return FALSE;
			}
		}
		else
		{			
			return FALSE;
		}
	}

	TOKEN_PRIVILEGES tp = { 0 };		
	LUID luid = {0};
	DWORD cb = sizeof(TOKEN_PRIVILEGES);
	
	bool ret = false;
	do 
	{
		if(!LookupPrivilegeValueW( NULL, privilege, &luid )) { break; }

		tp.PrivilegeCount = 1;
		tp.Privileges[0].Luid = luid;
		if(enable) 
		{ 
			tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
		} 
		else 
		{
			tp.Privileges[0].Attributes = 0;
		}
	
		AdjustTokenPrivileges( token, FALSE, &tp, cb, NULL, NULL );
		if (GetLastError() != ERROR_SUCCESS) { break; }

		ret = true;
	} while (false);
	
	CloseHandle(token);
	return ret;
}
コード例 #10
0
ファイル: access.cpp プロジェクト: KagamiChan/Aegisub
/*
This function is still a proof of concept, it's probably rife with bugs, below
is a short (and incomplete) todo
 * "Basic" checks (Read/Write/File/Dir) checks for FAT32 filesystems which
   requires detecting the filesystem being used.
*/
void Check(fs::path const& file, acs::Type type) {
	DWORD file_attr = GetFileAttributes(file.c_str());
	if ((file_attr & INVALID_FILE_ATTRIBUTES) == INVALID_FILE_ATTRIBUTES) {
		switch (GetLastError()) {
			case ERROR_FILE_NOT_FOUND:
			case ERROR_PATH_NOT_FOUND:
				throw fs::FileNotFound(file);
			case ERROR_ACCESS_DENIED:
				throw fs::ReadDenied(file);
			default:
				throw fs::FileSystemUnknownError(str(boost::format("Unexpected error when getting attributes for \"%s\": %s") % file % util::ErrorString(GetLastError())));
		}
	}

	switch (type) {
		case FileRead:
		case FileWrite:
			if ((file_attr & FILE_ATTRIBUTE_DIRECTORY) == FILE_ATTRIBUTE_DIRECTORY)
				throw fs::NotAFile(file);
			break;
		case DirRead:
		case DirWrite:
			if ((file_attr & FILE_ATTRIBUTE_DIRECTORY) != FILE_ATTRIBUTE_DIRECTORY)
				throw fs::NotADirectory(file);
			break;
	}

	SECURITY_INFORMATION info = OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION;
	DWORD len = 0;
	GetFileSecurity(file.c_str(), info, nullptr, 0, &len);
	if (GetLastError() != ERROR_INSUFFICIENT_BUFFER)
		LOG_W("acs/check") << "GetFileSecurity: fatal: " << util::ErrorString(GetLastError());

	std::vector<uint8_t> sd_buff(len);
	SECURITY_DESCRIPTOR *sd = (SECURITY_DESCRIPTOR *)&sd_buff[0];

	if (!GetFileSecurity(file.c_str(), info, sd, len, &len))
		LOG_W("acs/check") << "GetFileSecurity failed: " << util::ErrorString(GetLastError());

	ImpersonateSelf(SecurityImpersonation);
	HANDLE client_token;
	if (!OpenThreadToken(GetCurrentThread(), TOKEN_ALL_ACCESS, TRUE, &client_token))
		LOG_W("acs/check") << "OpenThreadToken failed: " << util::ErrorString(GetLastError());

	if (!check_permission(true, sd, client_token))
		throw fs::ReadDenied(file);
	if ((type == DirWrite || type == FileWrite) && !check_permission(false, sd, client_token))
		throw fs::WriteDenied(file);
}
/* good1() uses if(staticFalse) instead of if(staticTrue) */
static void good1()
{
    if(staticFalse)
    {
        /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
        printLine("Benign, fixed string");
    }
    else
    {
        /* FIX: Check to see if ImpersonateSelf() fails */
        if (!ImpersonateSelf(SecurityImpersonation))
        {
            exit(1);
        }
    }
}
/* good1() uses if(STATIC_CONST_FIVE!=5) instead of if(STATIC_CONST_FIVE==5) */
static void good1()
{
    if(STATIC_CONST_FIVE!=5)
    {
        /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
        printLine("Benign, fixed string");
    }
    else
    {
        /* FIX: check for the correct return value */
        if (!ImpersonateSelf(SecurityImpersonation))
        {
            exit(1);
        }
    }
}
コード例 #13
0
ファイル: jattach_windows.c プロジェクト: apangin/jattach
// If the process is owned by another user, request SeDebugPrivilege to open it.
// Debug privileges are typically granted to Administrators.
static int enable_debug_privileges() {
    HANDLE hToken;
    if (!OpenThreadToken(GetCurrentThread(), TOKEN_ADJUST_PRIVILEGES, FALSE, &hToken)) {
        if (!ImpersonateSelf(SecurityImpersonation) ||
            !OpenThreadToken(GetCurrentThread(), TOKEN_ADJUST_PRIVILEGES, FALSE, &hToken)) {
            return 0;
        }
    }

    LUID luid;
    if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid)) {
        return 0;
    }

    TOKEN_PRIVILEGES tp;
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Luid = luid;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

    BOOL success = AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL);
    CloseHandle(hToken);
    return success ? 1 : 0;
}
コード例 #14
0
ファイル: security.c プロジェクト: jazinga/psutil
int SetSeDebug()
{
    HANDLE hToken;
    if(! OpenThreadToken(GetCurrentThread(),
                         TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,
                         FALSE,
                         &hToken)
                         ){
        if (GetLastError() == ERROR_NO_TOKEN){
            if (!ImpersonateSelf(SecurityImpersonation)){
                CloseHandle(hToken);
                return 0;
            }
            if (!OpenThreadToken(GetCurrentThread(),
                                 TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,
                                 FALSE,
                                 &hToken)
                                 ){
                RevertToSelf();
                CloseHandle(hToken);
                return 0;
            }
        }
    }

    // enable SeDebugPrivilege (open any process)
    if (! SetPrivilege(hToken, SE_DEBUG_NAME, TRUE)){
        RevertToSelf();
        CloseHandle(hToken);
        return 0;
    }

    RevertToSelf();
    CloseHandle(hToken);
    return 1;
}
コード例 #15
0
bool set_privilege(_In_z_ const wchar_t* privilege, _In_ bool enable)
{
	if (IsWindowsXPOrGreater())
	{
		HANDLE hToken;
		if (TRUE != OpenThreadToken(GetCurrentThread(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, FALSE, &hToken))
		{
			if (GetLastError() == ERROR_NO_TOKEN)
			{
				if (ImpersonateSelf(SecurityImpersonation) != TRUE)
				{
					printf("ImpersonateSelf( ) failed. gle=0x%08x", GetLastError());
					return false;
				}

				if (TRUE != OpenThreadToken(GetCurrentThread(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, FALSE, &hToken))
				{
					printf("OpenThreadToken() failed. gle=0x%08x", GetLastError());
					return false;
				}
			}
			else
			{
				printf("OpenThread() failed. gle=0x%08x", GetLastError());
				return false;
			}
		}

		TOKEN_PRIVILEGES tp = { 0 };
		LUID luid = { 0 };
		DWORD cb = sizeof(TOKEN_PRIVILEGES);
		if (!LookupPrivilegeValue(NULL, privilege, &luid))
		{
			printf("LookupPrivilegeValue() failed. gle=0x%08x", GetLastError());
			CloseHandle(hToken);
			return false;
		}
		tp.PrivilegeCount = 1;
		tp.Privileges[0].Luid = luid;
		if (enable)
		{
			tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
		}
		else
		{
			tp.Privileges[0].Attributes = 0;
		}

		if (FALSE == AdjustTokenPrivileges(hToken, FALSE, &tp, cb, NULL, NULL))
		{
			DWORD gle = GetLastError();
			if (gle != ERROR_SUCCESS)
			{
				printf("AdjustTokenPrivileges() failed. gle=0x%08x", GetLastError());
				CloseHandle(hToken);
				return false;
			}
		}

		CloseHandle(hToken);
	}

	return true;
}
コード例 #16
0
ファイル: winfile.c プロジェクト: LitleWaffle/sampleDirectory
/*
** Wrapper around the access() system call.  This code was copied from Tcl
** 8.6 and then modified.
*/
int win32_access(const char *zFilename, int flags){
  int rc = 0;
  PSECURITY_DESCRIPTOR pSd = NULL;
  unsigned long size;
  PSID pSid = NULL;
  BOOL sidDefaulted;
  BOOL impersonated = FALSE;
  SID_IDENTIFIER_AUTHORITY unmapped = {{0, 0, 0, 0, 0, 22}};
  GENERIC_MAPPING genMap;
  HANDLE hToken = NULL;
  DWORD desiredAccess = 0, grantedAccess = 0;
  BOOL accessYesNo = FALSE;
  PRIVILEGE_SET privSet;
  DWORD privSetSize = sizeof(PRIVILEGE_SET);
  wchar_t *zMbcs = fossil_utf8_to_filename(zFilename);
  DWORD attr = GetFileAttributesW(zMbcs);

  if( attr==INVALID_FILE_ATTRIBUTES ){
    /*
     * File might not exist.
     */

    if( GetLastError()!=ERROR_SHARING_VIOLATION ){
      rc = -1; goto done;
    }
  }

  if( flags==F_OK ){
    /*
     * File exists, nothing else to check.
     */

    goto done;
  }

  if( (flags & W_OK)
      && (attr & FILE_ATTRIBUTE_READONLY)
      && !(attr & FILE_ATTRIBUTE_DIRECTORY) ){
    /*
     * The attributes say the file is not writable.  If the file is a
     * regular file (i.e., not a directory), then the file is not
     * writable, full stop.  For directories, the read-only bit is
     * (mostly) ignored by Windows, so we can't ascertain anything about
     * directory access from the attrib data.
     */

    rc = -1; goto done;
  }

  /*
   * It looks as if the permissions are ok, but if we are on NT, 2000 or XP,
   * we have a more complex permissions structure so we try to check that.
   * The code below is remarkably complex for such a simple thing as finding
   * what permissions the OS has set for a file.
   */

  /*
   * First find out how big the buffer needs to be.
   */

  size = 0;
  GetFileSecurityW(zMbcs,
      OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION |
      DACL_SECURITY_INFORMATION | LABEL_SECURITY_INFORMATION,
      0, 0, &size);

  /*
   * Should have failed with ERROR_INSUFFICIENT_BUFFER
   */

  if( GetLastError()!=ERROR_INSUFFICIENT_BUFFER ){
    /*
     * Most likely case is ERROR_ACCESS_DENIED, which we will convert to
     * EACCES - just what we want!
     */

    rc = -1; goto done;
  }

  /*
   * Now size contains the size of buffer needed.
   */

  pSd = (PSECURITY_DESCRIPTOR)HeapAlloc(GetProcessHeap(), 0, size);

  if( pSd==NULL ){
    rc = -1; goto done;
  }

  /*
   * Call GetFileSecurity() for real.
   */

  if( !GetFileSecurityW(zMbcs,
          OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION |
          DACL_SECURITY_INFORMATION | LABEL_SECURITY_INFORMATION,
          pSd, size, &size) ){
    /*
     * Error getting owner SD
     */

    rc = -1; goto done;
  }

  /*
   * As of Samba 3.0.23 (10-Jul-2006), unmapped users and groups are
   * assigned to SID domains S-1-22-1 and S-1-22-2, where "22" is the
   * top-level authority.  If the file owner and group is unmapped then
   * the ACL access check below will only test against world access,
   * which is likely to be more restrictive than the actual access
   * restrictions.  Since the ACL tests are more likely wrong than
   * right, skip them.  Moreover, the unix owner access permissions are
   * usually mapped to the Windows attributes, so if the user is the
   * file owner then the attrib checks above are correct (as far as they
   * go).
   */

  if( !GetSecurityDescriptorOwner(pSd, &pSid, &sidDefaulted) ||
      memcmp(GetSidIdentifierAuthority(pSid), &unmapped,
             sizeof(SID_IDENTIFIER_AUTHORITY))==0 ){
    goto done; /* Attrib tests say access allowed. */
  }

  /*
   * Perform security impersonation of the user and open the resulting
   * thread token.
   */

  if( !ImpersonateSelf(SecurityImpersonation) ){
    /*
     * Unable to perform security impersonation.
     */

    rc = -1; goto done;
  }
  impersonated = TRUE;

  if( !OpenThreadToken(GetCurrentThread(),
      TOKEN_DUPLICATE | TOKEN_QUERY, FALSE, &hToken) ){
    /*
     * Unable to get current thread's token.
     */

    rc = -1; goto done;
  }

  /*
   * Setup desiredAccess according to the access priveleges we are
   * checking.
   */

  if( flags & R_OK ){
    desiredAccess |= FILE_GENERIC_READ;
  }
  if( flags & W_OK){
    desiredAccess |= FILE_GENERIC_WRITE;
  }

  memset(&genMap, 0, sizeof(GENERIC_MAPPING));
  genMap.GenericRead = FILE_GENERIC_READ;
  genMap.GenericWrite = FILE_GENERIC_WRITE;
  genMap.GenericExecute = FILE_GENERIC_EXECUTE;
  genMap.GenericAll = FILE_ALL_ACCESS;

  /*
   * Perform access check using the token.
   */

  if( !AccessCheck(pSd, hToken, desiredAccess, &genMap, &privSet,
                   &privSetSize, &grantedAccess, &accessYesNo) ){
    /*
     * Unable to perform access check.
     */

    rc = -1; goto done;
  }
  if( !accessYesNo ) rc = -1;

done:

  if( hToken != NULL ){
    CloseHandle(hToken);
  }
  if( impersonated ){
    RevertToSelf();
    impersonated = FALSE;
  }
  if( pSd!=NULL ){
    HeapFree(GetProcessHeap(), 0, pSd);
  }
  fossil_filename_free(zMbcs);
  return rc;
}
コード例 #17
0
/*
 * Attempts to enable the SE_DEBUG_NAME privilege and open the given process.
 */
static HANDLE
doPrivilegedOpenProcess(DWORD dwDesiredAccess, BOOL bInheritHandle, DWORD dwProcessId) {
    HANDLE hToken;
    HANDLE hProcess = NULL;
    LUID luid;
    TOKEN_PRIVILEGES tp, tpPrevious;
    DWORD retLength, error;

    /*
     * Get the access token
     */
    if (!OpenThreadToken(GetCurrentThread(),
                         TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY,
                         FALSE,
                         &hToken)) {
        if (GetLastError() != ERROR_NO_TOKEN) {
            return (HANDLE)NULL;
        }

        /*
         * No access token for the thread so impersonate the security context
         * of the process.
         */
        if (!ImpersonateSelf(SecurityImpersonation)) {
            return (HANDLE)NULL;
        }
        if (!OpenThreadToken(GetCurrentThread(),
                             TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY,
                             FALSE,
                             &hToken)) {
            return (HANDLE)NULL;
        }
    }

    /*
     * Get LUID for the privilege
     */
    if(!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid)) {
        error = GetLastError();
        CloseHandle(hToken);
        SetLastError(error);
        return (HANDLE)NULL;
    }

    /*
     * Enable the privilege
     */
    ZeroMemory(&tp, sizeof(tp));
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    tp.Privileges[0].Luid = luid;

    error = 0;
    if (AdjustTokenPrivileges(hToken,
                              FALSE,
                              &tp,
                              sizeof(TOKEN_PRIVILEGES),
                              &tpPrevious,
                              &retLength)) {
        /*
         * If we enabled the privilege then attempt to open the
         * process.
         */
        if (GetLastError() == ERROR_SUCCESS) {
            hProcess = OpenProcess(dwDesiredAccess, bInheritHandle, dwProcessId);
            if (hProcess == NULL) {
                error = GetLastError();
            }
        } else {
            error = ERROR_ACCESS_DENIED;
        }

        /*
         * Revert to the previous privileges
         */
        AdjustTokenPrivileges(hToken,
                              FALSE,
                              &tpPrevious,
                              retLength,
                              NULL,
                              NULL);
    } else {
        error = GetLastError();
    }


    /*
     * Close token and restore error
     */
    CloseHandle(hToken);
    SetLastError(error);

    return hProcess;
}
コード例 #18
0
bool bearlib::terminateProcess(unsigned int PID)
{
	 //取得除錯權限
	 HANDLE hProcess;
	 HANDLE hToken;

	 if(!OpenThreadToken(GetCurrentThread(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, FALSE, &hToken))
	 {
	 if (GetLastError() == ERROR_NO_TOKEN)
	 {
	 if (!ImpersonateSelf(SecurityImpersonation))
	 {
	 return false;
	 }


	 if(!OpenThreadToken(GetCurrentThread(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, FALSE, &hToken))
	 {
	 return false;
	 }
	 }
	 else
	 {
	 return false;
	 }
	 }

	 //開啟SeDebugPrivilege
	 TOKEN_PRIVILEGES tp = { 0 }; 

	 LUID luid; 
	 DWORD cb = sizeof(TOKEN_PRIVILEGES); 
	 if(!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid))
	 {
	 CloseHandle(hToken);
	 return false;
	 }

	 tp.PrivilegeCount = 1; 
	 tp.Privileges[0].Luid = luid; 
	 tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; 

	 AdjustTokenPrivileges(hToken, FALSE, &tp, cb, NULL, NULL); 
	 if (GetLastError() != ERROR_SUCCESS) 
	 {
	 //無法取得SeDebugPrivilege
	 CloseHandle(hToken);
	 return false;
	 }

	 //開啟程序
	 if((hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, PID)) == NULL)
	 {
	 //無法開啟程序 ... 程序不存在?!
	 CloseHandle(hToken);
	 return false;
	 }

	 if(!TerminateProcess(hProcess, 0xffffffff))
	 {
	 //無法關閉程序?!(遇到那1%了)
	 CloseHandle(hToken);
	 CloseHandle(hProcess);
	 return false;
	 }

	 CloseHandle(hToken);
	 CloseHandle(hProcess);

	 //成功
 return true;
}
コード例 #19
0
MI_Result ScheduleRestart(
    _Outptr_result_maybenull_ MI_Instance **cimErrorDetails)
{
    MI_Uint32 dwError = ERROR_SUCCESS;
    HANDLE hToken;
    MI_Boolean bRevertToSelf = MI_FALSE;
    Intlstr intlstr = Intlstr_Null;
    MI_Result result = MI_RESULT_OK;

    if (cimErrorDetails == NULL)
    {
        return MI_RESULT_INVALID_PARAMETER;
    }
    *cimErrorDetails = NULL;    // Explicitly set *cimErrorDetails to NULL as _Outptr_ requires setting this at least once.

    DSC_EventWriteMessageScheduleReboot();

    GetResourceString(ID_LCMHELPER_SHUTDOWN_MESSAGE, &intlstr);
    if (!OpenThreadToken(GetCurrentThread(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY | TOKEN_DUPLICATE, TRUE, &hToken))
    {
        if (GetLastError() == ERROR_NO_TOKEN)
        {
            SetLastError(ERROR_SUCCESS);
            if (!ImpersonateSelf(SecurityImpersonation))
            {
                return GetCimWin32Error(GetLastError(), cimErrorDetails, ID_LCMHELPER_THREADIMPERSONATION_FAILED);
            }

            if (!OpenThreadToken(GetCurrentThread(), TOKEN_IMPERSONATE | TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY | TOKEN_DUPLICATE, TRUE, &hToken))
            {
                RevertToSelf();
                return GetCimWin32Error(GetLastError(), cimErrorDetails, ID_LCMHELPER_THREADIMPERSONATION_FAILED);
            }

            bRevertToSelf = MI_TRUE;
        }
        else
        {
            return GetCimWin32Error(GetLastError(), cimErrorDetails, ID_LCMHELPER_THREADIMPERSONATION_FAILED);
        }
    }

    result = EnableShutdownPrivilege(hToken, cimErrorDetails);
    if (result != MI_RESULT_OK)
    {
        if (bRevertToSelf)
        {
            RevertToSelf();
        }
        return result;
    }

#ifdef _PREFAST_
#pragma prefast (push)
#pragma prefast (disable: 28159) //This is needed to reconfigure windows server to finish configuring the system by DSC.
#endif /* _PREFAST_ */

    dwError = InitiateSystemShutdownEx(NULL,
                                       (MI_Char*)intlstr.str,
                                       DSC_REBOOT_GRACEPERIOD,
                                       TRUE,
                                       TRUE,
                                       SHTDN_REASON_MAJOR_APPLICATION | SHTDN_REASON_MINOR_MAINTENANCE | SHTDN_REASON_FLAG_PLANNED);

#ifdef _PREFAST_
#pragma prefast (pop)
#endif /* _PREFAST_ */

    if (bRevertToSelf)
    {
        RevertToSelf();
    }

    if (intlstr.str )
    {
        Intlstr_Free(intlstr);
    }

    if (!dwError)
    {
        return GetCimWin32Error(GetLastError(), cimErrorDetails, ID_LCMHELPER_SHUTDOWN_FAILED);
    }

    return MI_RESULT_OK;
}
コード例 #20
0
ファイル: utility.c プロジェクト: Nevermore2015/ndas4windows
BOOL
IsUserAdmin(
    VOID
    )

/*++

Routine Description:

    This routine returns TRUE if the caller's process is a
    member of the Administrators local group.

    Caller is NOT expected to be impersonating anyone and IS
    expected to be able to open their own process and process
    token.

Arguments:

    None.

Return Value:

    TRUE - Caller has Administrators local group.

    FALSE - Caller does not have Administrators local group.

--*/

{
    HANDLE Token;
    BOOL b = FALSE;
    SID_IDENTIFIER_AUTHORITY NtAuthority = SECURITY_NT_AUTHORITY;
    PSID AdministratorsGroup = NULL;

    ImpersonateSelf( SecurityImpersonation );
    
    //
    // Open the process token.
    //
    
    if (OpenThreadToken( GetCurrentThread(), TOKEN_QUERY, FALSE, &Token)) {
        try {

            //
            //  Get SID for Administrators group
            //

            b = AllocateAndInitializeSid(
                    &NtAuthority,
                    2,
                    SECURITY_BUILTIN_DOMAIN_RID,
                    DOMAIN_ALIAS_RID_ADMINS,
                    0, 0, 0, 0, 0, 0,
                    &AdministratorsGroup
                    );
            if (!b) {
                leave;
            }

            //
            //  Check to see if that group is currently enabled.  Failure
            //  means that we aren't administrator
            //

            if (!CheckTokenMembership( Token, AdministratorsGroup, &b )) {
                printf("Failure - %d\n", GetLastError( ));
                b = FALSE;
            }

        } finally {
            CloseHandle(Token);
        }

    }
    
    RevertToSelf( );
    return(b);
}
コード例 #21
0
int APIENTRY _tWinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPTSTR lpCmdLine, int nCmdShow)
{
	UNREFERENCED_PARAMETER(hPrevInstance);
	//UNREFERENCED_PARAMETER(lpCmdLine);

	char **	Command	= 0;
	CommandLineToArg(GetCommandLine(), &Command);
	if( strcmp("Updater", Command[1]) )
	{
		MessageBox(0, "Please start game from Launcher", "Start Error", ERROR);
		ExitProcess(0);
	}

	STARTUPINFO si;
	PROCESS_INFORMATION pi;
	ZeroMemory(&si, sizeof(si));
    si.cb = sizeof(si);
    ZeroMemory(&pi, sizeof(pi));

	HANDLE hToken;

	VMBEGIN

	if(!OpenThreadToken(GetCurrentThread(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, FALSE, &hToken))
    {
        if (GetLastError() == ERROR_NO_TOKEN)
        {
            if (!ImpersonateSelf(SecurityImpersonation))
			{
				MessageBox(NULL, "Code: 101", "Starter error", NULL);
				return 0;
			}

            if(!OpenThreadToken(GetCurrentThread(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, FALSE, &hToken)){
				MessageBox(NULL, "Code: 102", "Starter error", NULL);
				return 0;
            }
         }
        else
            return 0;
     }

	VMEND

	if( !SetPrivilege(hToken, SE_DEBUG_NAME, TRUE) )
    {
		MessageBox(NULL, "Code: 103", "Starter error", NULL);
        CloseHandle(hToken);
        return 0;
    }

	char szCmd[128];
	//DWORD dwTICK = ;
	//DWORD XOR = (DWORD)time(NULL);
	//dwTICK ^= XOR;
	sprintf(szCmd, "main.exe -test -k%d", GetTickCount());

    if( !CreateProcess( NULL,   // No module name (use command line)
        szCmd,        // Command line
        NULL,           // Process handle not inheritable
        NULL,           // Thread handle not inheritable
        FALSE,          // Set handle inheritance to FALSE
        NORMAL_PRIORITY_CLASS | CREATE_SUSPENDED,              // No creation flags
        NULL,           // Use parent's environment block
        NULL,           // Use parent's starting directory 
        &si,            // Pointer to STARTUPINFO structure
        &pi )           // Pointer to PROCESS_INFORMATION structure
    ) 
    {
		MessageBox(NULL, "Code: 104", "Starter error", NULL);
        return 0;
    }

	try
	{
		HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS,FALSE,pi.dwProcessId);

		if( !hProcess )
		{
			MessageBox(NULL, "Code: 105", "Starter error", NULL);
			return 0;
		}

		HANDLE hMainThread = OpenThread(THREAD_ALL_ACCESS,FALSE,pi.dwThreadId);

		if( !hMainThread )
		{
			MessageBox(NULL, "Code: 106", "Starter error", NULL);
			return 0;
		}

		VMBEGIN

		DWORD lOfs;
		BYTE jmp[2] = {0xEB,0xFE};
		BYTE original[2] = {0x60,0x9C};

		ReadProcessMemory(hProcess,(LPVOID)MAIN_EIP,original,2,&lOfs);
		WriteProcessMemory(hProcess,(LPVOID)MAIN_EIP,jmp,2,&lOfs);
		ResumeThread(hMainThread);

		CONTEXT context;

		for(int i = 0; i < 50 && context.Eip != MAIN_EIP; i++)	{
			Sleep(100);
			// read the thread context
			context.ContextFlags = CONTEXT_CONTROL;
			GetThreadContext( hMainThread, &context );
		}

		if( context.Eip != MAIN_EIP )
		{
			MessageBox(NULL, "Code: 107", "Starter error", NULL);
			return 0;
		}

		

		HANDLE hThread;
		char szLibPath[_MAX_PATH] = { "zClient.dll" };
		void* pLibRemote;
		HMODULE hKernel32 = ::GetModuleHandle("Kernel32");

		pLibRemote = ::VirtualAllocEx( hProcess, NULL, sizeof(szLibPath),MEM_COMMIT, PAGE_READWRITE );::WriteProcessMemory( hProcess, pLibRemote, (void*)szLibPath,sizeof(szLibPath), NULL );
		hThread = ::CreateRemoteThread( hProcess, NULL, 0,(LPTHREAD_START_ROUTINE) ::GetProcAddress( hKernel32,"LoadLibraryA" ),pLibRemote, 0, NULL );
		::WaitForSingleObject( hThread, INFINITE );

		SuspendThread(hMainThread);
		WriteProcessMemory(hProcess,(LPVOID)MAIN_EIP,original,2,&lOfs);
		ResumeThread(hMainThread);

		CloseHandle(hProcess);
		CloseHandle(hMainThread);

		VMEND
	}
	catch( ... )
	{
	}
	return true;
}
コード例 #22
0
ファイル: extra.c プロジェクト: csilles/cxxr
int winAccessW(const wchar_t *path, int mode)
{
    DWORD attr = GetFileAttributesW(path);

    if(attr == 0xffffffff) return -1;
    if(mode == F_OK) return 0;

    if(mode & X_OK)
	if(!(attr & FILE_ATTRIBUTE_DIRECTORY)) { /* Directory, so OK */
	    /* Look at extension for executables */
	    wchar_t *p = wcsrchr(path, '.');
	    if(p == NULL ||
	       !((wcsicmp(p, L".exe") == 0) || (wcsicmp(p, L".com") == 0) ||
		 (wcsicmp(p, L".bat") == 0) || (wcsicmp(p, L".cmd") == 0)) )
		return -1;
	}
    {
	/* Now look for file security info */
	SECURITY_DESCRIPTOR *sdPtr = NULL;
	DWORD size = 0;
	GENERIC_MAPPING genMap;
	HANDLE hToken = NULL;
	DWORD desiredAccess = 0;
	DWORD grantedAccess = 0;
	BOOL accessYesNo = FALSE;
	PRIVILEGE_SET privSet;
	DWORD privSetSize = sizeof(PRIVILEGE_SET);
	int error;

	/* get size */
	GetFileSecurityW(path,
			 OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION
			 | DACL_SECURITY_INFORMATION, 0, 0, &size);
	error = GetLastError();
	if (error != ERROR_INSUFFICIENT_BUFFER) return -1;
	sdPtr = (SECURITY_DESCRIPTOR *) alloca(size);
	if(!GetFileSecurityW(path,
			     OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION
			     | DACL_SECURITY_INFORMATION, sdPtr, size, &size))
	    return -1;
	/*
	 * Perform security impersonation of the user and open the
	 * resulting thread token.
	 */
	if(!ImpersonateSelf(SecurityImpersonation)) return -1;
	if(!OpenThreadToken(GetCurrentThread (),
			    TOKEN_DUPLICATE | TOKEN_QUERY, FALSE,
			    &hToken)) return -1;
	if (mode & R_OK) desiredAccess |= FILE_GENERIC_READ;
	if (mode & W_OK) desiredAccess |= FILE_GENERIC_WRITE;
	if (mode & X_OK) desiredAccess |= FILE_GENERIC_EXECUTE;

	memset(&genMap, 0x0, sizeof (GENERIC_MAPPING));
	genMap.GenericRead = FILE_GENERIC_READ;
	genMap.GenericWrite = FILE_GENERIC_WRITE;
	genMap.GenericExecute = FILE_GENERIC_EXECUTE;
	genMap.GenericAll = FILE_ALL_ACCESS;
	if(!AccessCheck(sdPtr, hToken, desiredAccess, &genMap, &privSet,
			&privSetSize, &grantedAccess, &accessYesNo)) {
	    CloseHandle(hToken);
	    return -1;
	}
	CloseHandle(hToken);
	if (!accessYesNo) return -1;

	if ((mode & W_OK)
	    && !(attr & FILE_ATTRIBUTE_DIRECTORY)
	    && (attr & FILE_ATTRIBUTE_READONLY)) return -1;
    }
    return 0;
}
コード例 #23
0
ファイル: globalHooker.cpp プロジェクト: SummersReign/SoftTH
// Write hook
static bool writeHook(GHOOK *h) {
	if(h->active)
		return true; // Already hooked
	//dbg("Hooking %s/%s", h->dll, h->name);

	memset(h->stub, 0x90, STUBLEN+JMPDATALEN); // Fill stub function with NOP

	// Load library & get proc address
	HINSTANCE hLib = GetModuleHandle(h->dll);
	if(!hLib) {
		dbg("Module not loaded");
		return false;
	}

	//h->funcOrig = (ULONG_PTR*) GetProcAddress((HMODULE) hLib, h->name);
  h->funcOrig = (ULONG_PTR) GetProcAddress((HMODULE) hLib, h->name);
	if(!h->funcOrig) {
		dbg("Export not found in DLL!");
		return false;
	}

	// Walk instructions from beginning of function to find stub data size & stub jmp pos
	BYTE *sJmp = instructionCount((BYTE*) h->funcOrig, 5);
	DWORD slen = (DWORD) (sJmp - (BYTE*)h->funcOrig);// Stub length (without jmp)  
	h->stublen = slen;

	// Open handle to current process
	HANDLE hSelf = NULL; 
	hSelf = OpenProcess(PROCESS_VM_WRITE|PROCESS_VM_OPERATION, FALSE, GetCurrentProcessId());
	if(!hSelf) {
		// Openprocess failed, attempt debug access
		HANDLE hToken;
		if(!OpenThreadToken(GetCurrentThread(), TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY, FALSE, &hToken)) {
			ImpersonateSelf(SecurityImpersonation);
			OpenThreadToken(GetCurrentThread(), TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY, FALSE, &hToken);
		}
		if(!SetPrivilege(hToken, SE_DEBUG_NAME, TRUE)) {
			// Debug access failed, propably non-admin user
		 	dbg("writeHook: SetPrivilege failed - Check user permissions");
			return false; // This isn't going to work
		} else {
			// Hey, it worked! Try again...
			hSelf = OpenProcess(PROCESS_VM_WRITE|PROCESS_VM_OPERATION, FALSE, GetCurrentProcessId());
			if(!hSelf) {
				dbg("OpenProcess failed");
				return false;
			}
		}
	}

	// Create stub code, copy data from function start & append jmp
	memcpy(h->stub, (void*)h->funcOrig, slen);
	writeJmpOpcode(hSelf, h->stub+slen, (void*) (h->funcOrig+slen));

	if(h->stub[0] == 0xE9) { // 0xE9 = jmp instruction
		// JMP at beginning of previous hook code, must change the offset or it will jump to wrong location
		// New correct position is: jump address + original function pointer - stub function pointer
		ULONG_PTR *jp = (ULONG_PTR*) (h->stub+1);
    ULONG_PTR newjp = *jp + ((BYTE*)h->funcOrig - (BYTE*)h->stub);
		dbg("Existing hook detected at %s/%s, redirecting JMP (0x%08X -> 0x%08X)", h->dll, h->name, *jp, newjp);

		*jp = newjp;
	}

	// Mark stub code executable
	DWORD oldprot = NULL;
	VirtualProtectEx(hSelf, h->stub, STUBLEN+JMPDATALEN, PAGE_EXECUTE_READWRITE, &oldprot);

	// Write jmp to beginning of original function
	writeJmpOpcode(hSelf, (void*)h->funcOrig, (void*) h->funcOver);

	CloseHandle(hSelf);
	//FreeLibrary(hLib);

  dbg("Hooked %s/%s", h->dll, h->name);

	h->active = true;
	return true;
}
コード例 #24
0
//**********************************************************************
//
// FUNCTION:  IsAdmin - This function checks the token of the
//            calling thread to see if the caller belongs to
//            the Administrators group.
//
// PARAMETERS:   none
//
// RETURN VALUE: TRUE if the caller is an administrator on the local
//            machine.  Otherwise, FALSE.
//
//**********************************************************************
BOOL IsAdmin(void)
{
    HANDLE hToken;
    DWORD  dwStatus;
    DWORD  dwAccessMask;
    DWORD  dwAccessDesired;
    DWORD  dwACLSize;
    DWORD  dwStructureSize = sizeof(PRIVILEGE_SET);
    PACL   pACL            = NULL;
    PSID   psidAdmin       = NULL;
    BOOL   bReturn         = FALSE;

    PRIVILEGE_SET   ps;
    GENERIC_MAPPING GenericMapping;

    PSECURITY_DESCRIPTOR     psdAdmin           = NULL;
    SID_IDENTIFIER_AUTHORITY SystemSidAuthority = SECURITY_NT_AUTHORITY;

    __try {

        // AccessCheck() requires an impersonation token.
        ImpersonateSelf(SecurityImpersonation);

        if (!OpenThreadToken(GetCurrentThread(), TOKEN_QUERY, FALSE, &hToken))
        {
            if (GetLastError() != ERROR_NO_TOKEN) __leave;

            // If the thread does not have an access token, we'll
            // examine the access token associated with the process.
            if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken)) __leave;
        }

        if (!AllocateAndInitializeSid(&SystemSidAuthority, 2,
                                      SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS,
                                      0, 0, 0, 0, 0, 0, &psidAdmin))
            __leave;

        psdAdmin = LocalAlloc(LPTR, SECURITY_DESCRIPTOR_MIN_LENGTH);
        if (psdAdmin == NULL) __leave;

        if (!InitializeSecurityDescriptor(psdAdmin, SECURITY_DESCRIPTOR_REVISION)) __leave;

        // Compute size needed for the ACL.
        dwACLSize = sizeof(ACL) + sizeof(ACCESS_ALLOWED_ACE) + GetLengthSid(psidAdmin) - sizeof(DWORD);

        // Allocate memory for ACL.
        pACL = (PACL)LocalAlloc(LPTR, dwACLSize);
        if (pACL == NULL) __leave;

        // Initialize the new ACL.
        if (!InitializeAcl(pACL, dwACLSize, ACL_REVISION2)) __leave;

        dwAccessMask = ACCESS_READ | ACCESS_WRITE;

        // Add the access-allowed ACE to the DACL.
        if (!AddAccessAllowedAce(pACL, ACL_REVISION2, dwAccessMask, psidAdmin)) __leave;

        // Set the DACL to the SD.
        if (!SetSecurityDescriptorDacl(psdAdmin, TRUE, pACL, FALSE)) __leave;

        // AccessCheck is sensitive about what is in the SD; set
        // the group and owner.
        SetSecurityDescriptorGroup(psdAdmin, psidAdmin, FALSE);
        SetSecurityDescriptorOwner(psdAdmin, psidAdmin, FALSE);

        if (!IsValidSecurityDescriptor(psdAdmin)) __leave;

        dwAccessDesired = ACCESS_READ;

        //
        // Initialize GenericMapping structure even though you
        // do not use generic rights.
        //
        GenericMapping.GenericRead    = ACCESS_READ;
        GenericMapping.GenericWrite   = ACCESS_WRITE;
        GenericMapping.GenericExecute = 0;
        GenericMapping.GenericAll     = ACCESS_READ | ACCESS_WRITE;

        if (!AccessCheck(psdAdmin, hToken, dwAccessDesired,
                         &GenericMapping, &ps, &dwStructureSize, &dwStatus,
                         &bReturn))
        {
            printf("AccessCheck() failed with error %lu\n", GetLastError());
            __leave;
        }

        RevertToSelf();

    }
    __finally
    {
        // Clean up.
        if (pACL) LocalFree(pACL);
        if (psdAdmin) LocalFree(psdAdmin);
        if (psidAdmin) FreeSid(psidAdmin);
    }

    return bReturn;
}