BOOLEAN
SepServerTestIdentification(
BOOLEAN StaticTest,
BOOLEAN EffectiveOnly
)
{
BOOLEAN CompletionStatus = TRUE;
//////////////////////////////////////////////////////////////////////////
// //
// Identification Use Test //
// //
//////////////////////////////////////////////////////////////////////////
DbgPrint("Se: Identification Use ... ");
SepServerWaitForNextConnect();
SepServerGetNextMessage();
SepServerImpersonateClient();
Status = NtOpenThreadToken(
SepServerThread,
TOKEN_ALL_ACCESS,
TRUE,
&ClientToken
); SEASSERT_SUCCESS(Status);
SepServerRevertToSelf();
Status = NtQueryInformationToken(
ClientToken,
TokenStatistics,
&ClientTokenStatistics,
(ULONG)sizeof(TOKEN_STATISTICS),
&IgnoreLength
); SEASSERT_SUCCESS(Status);
if ( (ClientTokenStatistics.TokenType == TokenImpersonation) &&
(ClientTokenStatistics.ImpersonationLevel == SecurityIdentification)
) {
DbgPrint(" Succeeded\n");
} else {
DbgPrint("* ! FAILED (srvr) ! *\n");
CompletionStatus = FALSE;
}
SepServerCompleteMessage();
SepServerDropConnection();
//
// Appease the compiler Gods..
//
if (StaticTest) {;}
if (EffectiveOnly) {;}
return CompletionStatus;
}
static NTSTATUS NTAPI PhpOpenThreadTokenObject(
_Out_ PHANDLE Handle,
_In_ ACCESS_MASK DesiredAccess,
_In_opt_ PVOID Context
)
{
return NtOpenThreadToken(
(HANDLE)Context,
DesiredAccess,
TRUE,
Handle
);
}
/*
* @implemented
*/
BOOL WINAPI
OpenThreadToken(HANDLE ThreadHandle,
DWORD DesiredAccess,
BOOL OpenAsSelf,
PHANDLE TokenHandle)
{
NTSTATUS Status;
Status = NtOpenThreadToken(ThreadHandle,
DesiredAccess,
OpenAsSelf,
TokenHandle);
if (!NT_SUCCESS(Status))
{
SetLastError(RtlNtStatusToDosError(Status));
return FALSE;
}
return TRUE;
}
BOOL IsPrivileged(
PPRIVILEGE_SET ppSet)
{
HANDLE hToken;
NTSTATUS Status;
BOOLEAN bResult = FALSE;
UNICODE_STRING strSubSystem;
/*
* Impersonate the client
*/
if (!CsrImpersonateClient(NULL))
return FALSE;
/*
* Open the client's token
*/
RtlInitUnicodeString(&strSubSystem, L"USER32");
if (NT_SUCCESS(Status = NtOpenThreadToken(NtCurrentThread(), TOKEN_QUERY,
(BOOLEAN)TRUE, &hToken))) {
/*
* Perform the check
*/
Status = NtPrivilegeCheck(hToken, ppSet, &bResult);
NtPrivilegeObjectAuditAlarm(&strSubSystem, NULL, hToken,
0, ppSet, bResult);
NtClose(hToken);
if (!bResult) {
SetLastError(ERROR_ACCESS_DENIED);
}
}
CsrRevertToSelf();
if (!NT_SUCCESS(Status))
SetLastError(RtlNtStatusToDosError(Status));
/*
* Return result of privilege check
*/
return (BOOL)(bResult && NT_SUCCESS(Status));
}
/*++
* @name CsrGetProcessLuid
* @implemented NT4
*
* The CsrGetProcessLuid routine gets the LUID of the given process.
*
* @param hProcess
* Optional handle to the process whose LUID should be returned.
*
* @param Luid
* Pointer to a LUID Pointer which will receive the CSR Process' LUID.
*
* @return STATUS_SUCCESS in case of success, STATUS_UNSUCCESSFUL otherwise.
*
* @remarks If hProcess is not supplied, then the current thread's token will
* be used. If that too is missing, then the current process' token
* will be used.
*
*--*/
NTSTATUS
NTAPI
CsrGetProcessLuid(IN HANDLE hProcess OPTIONAL,
OUT PLUID Luid)
{
HANDLE hToken = NULL;
NTSTATUS Status;
ULONG Length;
PTOKEN_STATISTICS TokenStats;
/* Check if we have a handle to a CSR Process */
if (!hProcess)
{
/* We don't, so try opening the Thread's Token */
Status = NtOpenThreadToken(NtCurrentThread(),
TOKEN_QUERY,
FALSE,
&hToken);
/* Check for success */
if (!NT_SUCCESS(Status))
{
/* If we got some other failure, then return and quit */
if (Status != STATUS_NO_TOKEN) return Status;
/* We don't have a Thread Token, use a Process Token */
hProcess = NtCurrentProcess();
hToken = NULL;
}
}
/* Check if we have a token by now */
if (!hToken)
{
/* No token yet, so open the Process Token */
Status = NtOpenProcessToken(hProcess,
TOKEN_QUERY,
&hToken);
if (!NT_SUCCESS(Status))
{
/* Still no token, return the error */
return Status;
}
}
/* Now get the size we'll need for the Token Information */
Status = NtQueryInformationToken(hToken,
TokenStatistics,
NULL,
0,
&Length);
/* Allocate memory for the Token Info */
if (!(TokenStats = RtlAllocateHeap(CsrHeap, 0, Length)))
{
/* Fail and close the token */
NtClose(hToken);
return STATUS_NO_MEMORY;
}
/* Now query the information */
Status = NtQueryInformationToken(hToken,
TokenStatistics,
TokenStats,
Length,
&Length);
/* Close the handle */
NtClose(hToken);
/* Check for success */
if (NT_SUCCESS(Status))
{
/* Return the LUID */
*Luid = TokenStats->AuthenticationId;
}
/* Free the query information */
RtlFreeHeap(CsrHeap, 0, TokenStats);
/* Return the Status */
return Status;
}
VOID PhpInitializeThreadMenu(
_In_ PPH_EMENU Menu,
_In_ HANDLE ProcessId,
_In_ PPH_THREAD_ITEM *Threads,
_In_ ULONG NumberOfThreads
)
{
PPH_EMENU_ITEM item;
if (NumberOfThreads == 0)
{
PhSetFlagsAllEMenuItems(Menu, PH_EMENU_DISABLED, PH_EMENU_DISABLED);
}
else if (NumberOfThreads == 1)
{
// All menu items are enabled by default.
}
else
{
ULONG menuItemsMultiEnabled[] =
{
ID_THREAD_TERMINATE,
ID_THREAD_SUSPEND,
ID_THREAD_RESUME,
ID_THREAD_COPY
};
ULONG i;
PhSetFlagsAllEMenuItems(Menu, PH_EMENU_DISABLED, PH_EMENU_DISABLED);
// These menu items are capable of manipulating
// multiple threads.
for (i = 0; i < sizeof(menuItemsMultiEnabled) / sizeof(ULONG); i++)
{
PhEnableEMenuItem(Menu, menuItemsMultiEnabled[i], TRUE);
}
}
// Remove irrelevant menu items.
if (WindowsVersion < WINDOWS_VISTA)
{
// Remove I/O priority.
if (item = PhFindEMenuItem(Menu, 0, L"I/O Priority", 0))
PhDestroyEMenuItem(item);
// Remove page priority.
if (item = PhFindEMenuItem(Menu, 0, L"Page Priority", 0))
PhDestroyEMenuItem(item);
}
PhEnableEMenuItem(Menu, ID_THREAD_TOKEN, FALSE);
// Priority
if (NumberOfThreads == 1)
{
HANDLE threadHandle;
ULONG threadPriority = THREAD_PRIORITY_ERROR_RETURN;
IO_PRIORITY_HINT ioPriority = -1;
ULONG pagePriority = -1;
ULONG id = 0;
if (NT_SUCCESS(PhOpenThread(
&threadHandle,
ThreadQueryAccess,
Threads[0]->ThreadId
)))
{
THREAD_BASIC_INFORMATION basicInfo;
if (NT_SUCCESS(PhGetThreadBasicInformation(threadHandle, &basicInfo)))
{
threadPriority = basicInfo.BasePriority;
}
if (WindowsVersion >= WINDOWS_VISTA)
{
PhGetThreadIoPriority(threadHandle, &ioPriority);
PhGetThreadPagePriority(threadHandle, &pagePriority);
}
// Token
{
HANDLE tokenHandle;
if (NT_SUCCESS(NtOpenThreadToken(
threadHandle,
TOKEN_QUERY,
TRUE,
&tokenHandle
)))
{
PhEnableEMenuItem(Menu, ID_THREAD_TOKEN, TRUE);
NtClose(tokenHandle);
}
}
NtClose(threadHandle);
}
switch (threadPriority)
{
case THREAD_PRIORITY_TIME_CRITICAL + 1:
case THREAD_PRIORITY_TIME_CRITICAL:
id = ID_PRIORITY_TIMECRITICAL;
break;
case THREAD_PRIORITY_HIGHEST:
id = ID_PRIORITY_HIGHEST;
break;
case THREAD_PRIORITY_ABOVE_NORMAL:
id = ID_PRIORITY_ABOVENORMAL;
break;
case THREAD_PRIORITY_NORMAL:
id = ID_PRIORITY_NORMAL;
break;
case THREAD_PRIORITY_BELOW_NORMAL:
id = ID_PRIORITY_BELOWNORMAL;
break;
case THREAD_PRIORITY_LOWEST:
id = ID_PRIORITY_LOWEST;
break;
case THREAD_PRIORITY_IDLE:
case THREAD_PRIORITY_IDLE - 1:
id = ID_PRIORITY_IDLE;
break;
}
if (id != 0)
{
PhSetFlagsEMenuItem(Menu, id,
PH_EMENU_CHECKED | PH_EMENU_RADIOCHECK,
PH_EMENU_CHECKED | PH_EMENU_RADIOCHECK);
}
if (ioPriority != -1)
{
id = 0;
switch (ioPriority)
{
case IoPriorityVeryLow:
id = ID_IOPRIORITY_VERYLOW;
break;
case IoPriorityLow:
id = ID_IOPRIORITY_LOW;
break;
case IoPriorityNormal:
id = ID_IOPRIORITY_NORMAL;
break;
case IoPriorityHigh:
id = ID_IOPRIORITY_HIGH;
break;
}
if (id != 0)
{
PhSetFlagsEMenuItem(Menu, id,
PH_EMENU_CHECKED | PH_EMENU_RADIOCHECK,
PH_EMENU_CHECKED | PH_EMENU_RADIOCHECK);
}
}
if (pagePriority != -1)
{
id = 0;
switch (pagePriority)
{
case MEMORY_PRIORITY_VERY_LOW:
id = ID_PAGEPRIORITY_VERYLOW;
break;
case MEMORY_PRIORITY_LOW:
id = ID_PAGEPRIORITY_LOW;
break;
case MEMORY_PRIORITY_MEDIUM:
id = ID_PAGEPRIORITY_MEDIUM;
break;
case MEMORY_PRIORITY_BELOW_NORMAL:
id = ID_PAGEPRIORITY_BELOWNORMAL;
break;
case MEMORY_PRIORITY_NORMAL:
id = ID_PAGEPRIORITY_NORMAL;
break;
}
if (id != 0)
{
PhSetFlagsEMenuItem(Menu, id,
PH_EMENU_CHECKED | PH_EMENU_RADIOCHECK,
PH_EMENU_CHECKED | PH_EMENU_RADIOCHECK);
}
}
}
}
/*
* @implemented
*/
BOOL WINAPI
CheckTokenMembership(IN HANDLE ExistingTokenHandle,
IN PSID SidToCheck,
OUT PBOOL IsMember)
{
PISECURITY_DESCRIPTOR SecurityDescriptor = NULL;
ACCESS_MASK GrantedAccess;
struct
{
PRIVILEGE_SET PrivilegeSet;
LUID_AND_ATTRIBUTES Privileges[4];
} PrivBuffer;
ULONG PrivBufferSize = sizeof(PrivBuffer);
GENERIC_MAPPING GenericMapping =
{
STANDARD_RIGHTS_READ,
STANDARD_RIGHTS_WRITE,
STANDARD_RIGHTS_EXECUTE,
STANDARD_RIGHTS_ALL
};
PACL Dacl;
ULONG SidLen;
HANDLE hToken = NULL;
NTSTATUS Status, AccessStatus;
/* doesn't return gracefully if IsMember is NULL! */
*IsMember = FALSE;
SidLen = RtlLengthSid(SidToCheck);
if (ExistingTokenHandle == NULL)
{
Status = NtOpenThreadToken(NtCurrentThread(),
TOKEN_QUERY,
FALSE,
&hToken);
if (Status == STATUS_NO_TOKEN)
{
/* we're not impersonating, open the primary token */
Status = NtOpenProcessToken(NtCurrentProcess(),
TOKEN_QUERY | TOKEN_DUPLICATE,
&hToken);
if (NT_SUCCESS(Status))
{
HANDLE hNewToken = FALSE;
BOOL DupRet;
/* duplicate the primary token to create an impersonation token */
DupRet = DuplicateTokenEx(hToken,
TOKEN_QUERY | TOKEN_IMPERSONATE,
NULL,
SecurityImpersonation,
TokenImpersonation,
&hNewToken);
NtClose(hToken);
if (!DupRet)
{
WARN("Failed to duplicate the primary token!\n");
return FALSE;
}
hToken = hNewToken;
}
}
if (!NT_SUCCESS(Status))
{
goto Cleanup;
}
}
else
{
hToken = ExistingTokenHandle;
}
/* create a security descriptor */
SecurityDescriptor = RtlAllocateHeap(RtlGetProcessHeap(),
0,
sizeof(SECURITY_DESCRIPTOR) +
sizeof(ACL) + SidLen +
sizeof(ACCESS_ALLOWED_ACE));
if (SecurityDescriptor == NULL)
{
Status = STATUS_INSUFFICIENT_RESOURCES;
goto Cleanup;
}
Status = RtlCreateSecurityDescriptor(SecurityDescriptor,
SECURITY_DESCRIPTOR_REVISION);
if (!NT_SUCCESS(Status))
{
goto Cleanup;
}
/* set the owner and group */
Status = RtlSetOwnerSecurityDescriptor(SecurityDescriptor,
SidToCheck,
FALSE);
if (!NT_SUCCESS(Status))
{
goto Cleanup;
}
Status = RtlSetGroupSecurityDescriptor(SecurityDescriptor,
SidToCheck,
FALSE);
if (!NT_SUCCESS(Status))
{
goto Cleanup;
}
/* create the DACL */
Dacl = (PACL)(SecurityDescriptor + 1);
Status = RtlCreateAcl(Dacl,
sizeof(ACL) + SidLen + sizeof(ACCESS_ALLOWED_ACE),
ACL_REVISION);
if (!NT_SUCCESS(Status))
{
goto Cleanup;
}
Status = RtlAddAccessAllowedAce(Dacl,
ACL_REVISION,
0x1,
SidToCheck);
if (!NT_SUCCESS(Status))
{
goto Cleanup;
}
/* assign the DACL to the security descriptor */
Status = RtlSetDaclSecurityDescriptor(SecurityDescriptor,
TRUE,
Dacl,
FALSE);
if (!NT_SUCCESS(Status))
{
goto Cleanup;
}
/* it's time to perform the access check. Just use _some_ desired access right
(same as for the ACE) and see if we're getting it granted. This indicates
our SID is a member of the token. We however can't use a generic access
right as those aren't mapped and return an error (STATUS_GENERIC_NOT_MAPPED). */
Status = NtAccessCheck(SecurityDescriptor,
hToken,
0x1,
&GenericMapping,
&PrivBuffer.PrivilegeSet,
&PrivBufferSize,
&GrantedAccess,
&AccessStatus);
if (NT_SUCCESS(Status) && NT_SUCCESS(AccessStatus) && (GrantedAccess == 0x1))
{
*IsMember = TRUE;
}
Cleanup:
if (hToken != NULL && hToken != ExistingTokenHandle)
{
NtClose(hToken);
}
if (SecurityDescriptor != NULL)
{
RtlFreeHeap(RtlGetProcessHeap(),
0,
SecurityDescriptor);
}
if (!NT_SUCCESS(Status))
{
SetLastError(RtlNtStatusToDosError(Status));
return FALSE;
}
return TRUE;
}
/******************************************************************************
* OpenThreadToken [ADVAPI32.@]
*
* PARAMS
* thread []
* desiredaccess []
* openasself []
* thandle []
*/
BOOL WINAPI
OpenThreadToken( HANDLE ThreadHandle, DWORD DesiredAccess,
BOOL OpenAsSelf, HANDLE *TokenHandle)
{
CallWin32ToNt (NtOpenThreadToken(ThreadHandle, DesiredAccess, OpenAsSelf, TokenHandle));
}
BOOLEAN
SepServerTestAnonymous(
BOOLEAN StaticTest,
BOOLEAN EffectiveOnly
)
{
BOOLEAN CompletionStatus = TRUE;
//////////////////////////////////////////////////////////////////////////
// //
// Anonymous Use Test //
// //
//////////////////////////////////////////////////////////////////////////
if (!StaticTest) {
//
// No action for dynamic test
//
return TRUE;
}
DbgPrint("Se: Anonymous Use ... ");
SepServerWaitForNextConnect();
SepServerGetNextMessage();
SepServerImpersonateClient();
Status = NtOpenThreadToken(
SepServerThread,
TOKEN_ALL_ACCESS,
TRUE,
&ClientToken
);
SepServerRevertToSelf();
if (Status == STATUS_CANT_OPEN_ANONYMOUS) {
DbgPrint(" Succeeded\n");
} else {
DbgPrint("* ! FAILED (srvr) ! *\n");
DbgPrint("Status is: 0x%lx \n", Status );
CompletionStatus = FALSE;
}
SepServerCompleteMessage();
SepServerDropConnection();
//
// Appease the compiler Gods..
//
if (EffectiveOnly) {;}
return CompletionStatus;
}
HANDLE
WINAPI
BaseGetNamedObjectDirectory(VOID)
{
OBJECT_ATTRIBUTES ObjectAttributes;
NTSTATUS Status;
HANDLE DirHandle, BnoHandle, Token, NewToken;
if (BaseNamedObjectDirectory) return BaseNamedObjectDirectory;
if (NtCurrentTeb()->IsImpersonating)
{
Status = NtOpenThreadToken(NtCurrentThread(),
TOKEN_IMPERSONATE,
TRUE,
&Token);
if (!NT_SUCCESS(Status)) return BaseNamedObjectDirectory;
NewToken = NULL;
Status = NtSetInformationThread(NtCurrentThread(),
ThreadImpersonationToken,
&NewToken,
sizeof(HANDLE));
if (!NT_SUCCESS (Status))
{
NtClose(Token);
return BaseNamedObjectDirectory;
}
}
else
{
Token = NULL;
}
RtlAcquirePebLock();
if (BaseNamedObjectDirectory) goto Quickie;
InitializeObjectAttributes(&ObjectAttributes,
&BaseStaticServerData->NamedObjectDirectory,
OBJ_CASE_INSENSITIVE,
NULL,
NULL);
Status = NtOpenDirectoryObject(&BnoHandle,
DIRECTORY_QUERY |
DIRECTORY_TRAVERSE |
DIRECTORY_CREATE_OBJECT |
DIRECTORY_CREATE_SUBDIRECTORY,
&ObjectAttributes);
if (!NT_SUCCESS(Status))
{
Status = NtOpenDirectoryObject(&DirHandle,
DIRECTORY_TRAVERSE,
&ObjectAttributes);
if (NT_SUCCESS(Status))
{
InitializeObjectAttributes(&ObjectAttributes,
(PUNICODE_STRING)&Restricted,
OBJ_CASE_INSENSITIVE,
DirHandle,
NULL);
Status = NtOpenDirectoryObject(&BnoHandle,
DIRECTORY_QUERY |
DIRECTORY_TRAVERSE |
DIRECTORY_CREATE_OBJECT |
DIRECTORY_CREATE_SUBDIRECTORY,
&ObjectAttributes);
NtClose(DirHandle);
}
}
if (NT_SUCCESS(Status)) BaseNamedObjectDirectory = BnoHandle;
Quickie:
RtlReleasePebLock();
if (Token)
{
NtSetInformationThread(NtCurrentThread(),
ThreadImpersonationToken,
&Token,
sizeof(Token));
NtClose(Token);
}
return BaseNamedObjectDirectory;
}
