int UnsetSeDebug() { HANDLE hToken; if(! OpenThreadToken(GetCurrentThread(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, FALSE, &hToken) ){ if(GetLastError() == ERROR_NO_TOKEN){ if(! ImpersonateSelf(SecurityImpersonation)){ //Log2File("Error setting impersonation! [UnsetSeDebug()]", L_DEBUG); return 0; } if(!OpenThreadToken(GetCurrentThread(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, FALSE, &hToken) ){ //Log2File("Error Opening Thread Token! [UnsetSeDebug()]", L_DEBUG); return 0; } } } //now disable SeDebug if(!SetPrivilege(hToken, SE_DEBUG_NAME, FALSE)){ //Log2File("Error unsetting SeDebug Privilege [SetPrivilege()]", L_WARN); return 0; } CloseHandle(hToken); return 1; }
static HANDLE s_GetThreadToken(DWORD access) { HANDLE token; if ( !OpenThreadToken(GetCurrentThread(), access, FALSE, &token) ) { DWORD res = GetLastError(); if ( res == ERROR_NO_TOKEN ) { if ( !ImpersonateSelf(SecurityImpersonation) ) { // Failed to obtain a token for the current thread and user CNcbiError::SetFromWindowsError(); return INVALID_HANDLE_VALUE; } if ( !OpenThreadToken(GetCurrentThread(), access, FALSE, &token) ) { // Failed to open the current threads token with the required access rights CNcbiError::SetFromWindowsError(); token = INVALID_HANDLE_VALUE; } RevertToSelf(); } else { // Failed to open the current threads token with the required access rights CNcbiError::SetWindowsError(res); return NULL; } } return token; }
/** * @brief adjust privilege * @param * @see * @remarks http://support.microsoft.com/kb/131065/EN-US/ * @code * @endcode * @return */ bool set_privilege(_In_z_ const wchar_t* privilege, _In_ bool enable) { HANDLE token = INVALID_HANDLE_VALUE; if (TRUE != OpenThreadToken(GetCurrentThread(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, FALSE, &token) ) { if (ERROR_NO_TOKEN == GetLastError() ) { if ( ImpersonateSelf(SecurityImpersonation) != TRUE ) { return FALSE; } if (TRUE != OpenThreadToken(GetCurrentThread(),TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,FALSE,&token) ) { return FALSE; } } else { return FALSE; } } TOKEN_PRIVILEGES tp = { 0 }; LUID luid = {0}; DWORD cb = sizeof(TOKEN_PRIVILEGES); bool ret = false; do { if(!LookupPrivilegeValueW( NULL, privilege, &luid )) { break; } tp.PrivilegeCount = 1; tp.Privileges[0].Luid = luid; if(enable) { tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; } else { tp.Privileges[0].Attributes = 0; } AdjustTokenPrivileges( token, FALSE, &tp, cb, NULL, NULL ); if (GetLastError() != ERROR_SUCCESS) { break; } ret = true; } while (false); CloseHandle(token); return ret; }
/// <summary> /// Grant current process arbitrary privilege /// </summary> /// <param name="name">Privilege name</param> /// <returns>Status</returns> NTSTATUS Process::GrantPriviledge( const std::basic_string<TCHAR>& name ) { TOKEN_PRIVILEGES Priv, PrivOld; DWORD cbPriv = sizeof(PrivOld); HANDLE hToken; if (!OpenThreadToken( GetCurrentThread(), TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES, FALSE, &hToken )) { if (GetLastError() != ERROR_NO_TOKEN) return LastNtStatus(); if (!OpenProcessToken( GetCurrentProcess(), TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES, &hToken )) return LastNtStatus(); } Priv.PrivilegeCount = 1; Priv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; LookupPrivilegeValue( NULL, name.c_str(), &Priv.Privileges[0].Luid ); if (!AdjustTokenPrivileges( hToken, FALSE, &Priv, sizeof(Priv), &PrivOld, &cbPriv )) { CloseHandle( hToken ); return LastNtStatus(); } if (GetLastError() == ERROR_NOT_ALL_ASSIGNED) { CloseHandle( hToken ); return LastNtStatus(); } return STATUS_SUCCESS; }
L00401608( _unknown_ __ecx, // r2 _unknown_ __edx // r3 ) { _unknown_ _v256; // _cfa_ffffff00 _unknown_ __ebp; // r6 _unknown_ _t2; // _t2 _unknown_ _t5; // _t5 _unknown_ _t6; // _t6 _unknown_ _t7; // _t7 _unknown_ _t10; // _t10 _unknown_ _t11; // _t11 _unknown_ _t12; // _t12 _unknown_ _t14; // _t14 _unknown_ _t15; // _t15 _unknown_ _t20; // _t20 _unknown_ _t21; // _t21 _unknown_ _t22; // _t22 _push(_t21); _t22 = __esp; __esp = __esp - 784; IsWindow(1706949468); OpenThreadToken(0, &_v256 & 0, 0, _t3); ResumeThread(6); __esp = _t22; _pop(__ebp); return; }
/* * sys_getuid * ---------- * * Gets the user information of the user the server is executing as */ DWORD request_sys_config_getuid(Remote *remote, Packet *packet) { Packet *response = packet_create_response(packet); DWORD res = ERROR_SUCCESS; #ifdef _WIN32 CHAR username[512], username_only[512], domainname_only[512]; LPVOID TokenUserInfo[4096]; HANDLE token; DWORD user_length = sizeof(username_only), domain_length = sizeof(domainname_only); DWORD size = sizeof(username), sid_type = 0, returned_tokinfo_length; memset(username, 0, sizeof(username)); memset(username_only, 0, sizeof(username_only)); memset(domainname_only, 0, sizeof(domainname_only)); do { if (!OpenThreadToken(GetCurrentThread(), TOKEN_QUERY, FALSE, &token)) { OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &token); } if (!GetTokenInformation(token, TokenUser, TokenUserInfo, 4096, &returned_tokinfo_length)) { res = GetLastError(); break; } if (!LookupAccountSidA(NULL, ((TOKEN_USER*)TokenUserInfo)->User.Sid, username_only, &user_length, domainname_only, &domain_length, (PSID_NAME_USE)&sid_type)) { res = GetLastError(); break; } // Make full name in DOMAIN\USERNAME format _snprintf(username, 512, "%s\\%s", domainname_only, username_only); username[511] = '\0'; packet_add_tlv_string(response, TLV_TYPE_USER_NAME, username); } while (0); #else CHAR info[512]; uid_t ru, eu, su; gid_t rg, eg, sg; ru = eu = su = rg = eg = sg = 31337; getresuid(&ru, &eu, &su); getresgid(&rg, &eg, &sg); snprintf(info, sizeof(info)-1, "uid=%d, gid=%d, euid=%d, egid=%d, suid=%d, sgid=%d", ru, rg, eu, eg, su, sg); packet_add_tlv_string(response, TLV_TYPE_USER_NAME, info); #endif // Transmit the response packet_transmit_response(res, remote, response); return res; }
HANDLE GetAnonymousToken() { ImpersonateAnonymousToken(GetCurrentThread()); HANDLE hToken; OpenThreadToken(GetCurrentThread(), TOKEN_ALL_ACCESS, TRUE, &hToken); RevertToSelf(); PSECURITY_DESCRIPTOR pSD; ULONG sd_length; if (!ConvertStringSecurityDescriptorToSecurityDescriptor(L"D:(A;;GA;;;WD)(A;;GA;;;AN)", SDDL_REVISION_1, &pSD, &sd_length)) { printf("Error converting SDDL: %d\n", GetLastError()); exit(1); } TOKEN_DEFAULT_DACL dacl; BOOL bPresent; BOOL bDefaulted; PACL pDACL; GetSecurityDescriptorDacl(pSD, &bPresent, &pDACL, &bDefaulted); dacl.DefaultDacl = pDACL; if (!SetTokenInformation(hToken, TokenDefaultDacl, &dacl, sizeof(dacl))) { printf("Error setting default DACL: %d\n", GetLastError()); exit(1); } return hToken; }
bool DebugToken::Enable() { if (enabled || hDebugToken == NULL) return true; BOOL rc = OpenThreadToken(GetCurrentThread(), TOKEN_IMPERSONATE, TRUE, &hSavedToken); if (!rc) { hSavedToken = NULL; if (GetLastError()==ERROR_NO_TOKEN) rc = ERROR_SUCCESS; else return false; } rc = SetThreadToken(NULL, hDebugToken); if (!rc) { if (hSavedToken != NULL) { CloseHandle(hSavedToken); hSavedToken = NULL; } return false; } enabled = true; return true; }
BOOL ImpersonateAndCheckAccess(PCtxtHandle phContext, PSECURITY_DESCRIPTOR psdSD, PDWORD pdwAccessGranted) { HANDLE hToken = NULL; // AccessCheck() variables DWORD dwAccessDesired = MAXIMUM_ALLOWED; PRIVILEGE_SET PrivilegeSet; DWORD dwPrivSetSize = sizeof(PRIVILEGE_SET); BOOL fAccessGranted = FALSE; GENERIC_MAPPING GenericMapping = { vncGenericRead, vncGenericWrite, vncGenericExecute, vncGenericAll }; // This only does something if we want to use generic access // rights, like GENERIC_ALL, in our call to AccessCheck(). MapGenericMask(&dwAccessDesired, &GenericMapping); // AccessCheck() requires an impersonation token. if ((fn._ImpersonateSecurityContext(phContext) == SEC_E_OK) && OpenThreadToken(GetCurrentThread(), TOKEN_QUERY, TRUE, &hToken) && AccessCheck(psdSD, hToken, dwAccessDesired, &GenericMapping, &PrivilegeSet, &dwPrivSetSize, pdwAccessGranted, &fAccessGranted)) { // Restrict access to relevant rights only fAccessGranted = AreAnyAccessesGranted(*pdwAccessGranted, ViewOnly | Interact); } // End impersonation fn._RevertSecurityContext(phContext); // Close handles if (hToken) CloseHandle(hToken); return fAccessGranted; }
//***************************************************************************** //* Function Name: DumpToken //* Description: //***************************************************************************** STDMETHODIMP CTestObject::DumpToken (void) { (void) _tprintf (_T("CTestObject::DumpToken\n")); DumpClientBlanket (); HRESULT l_hr = CoImpersonateClient (); if (SUCCEEDED (l_hr)) { HANDLE l_hToken = NULL; if (OpenThreadToken (GetCurrentThread (), TOKEN_QUERY | TOKEN_QUERY_SOURCE, TRUE, &l_hToken)) { ::DumpToken (l_hToken, TRUE); (void)CloseHandle (l_hToken); l_hToken = NULL; } else { DWORD l_dwLastError = GetLastError (); (void) _ftprintf (stderr, _T("OpenThreadToken() failed with %ld\n"), l_dwLastError); } } else { (void) _ftprintf (stderr, _T("CoImpersonateClient() failed with 0x%08lX\n"), l_hr); } return S_OK; }
static int can_create_global_maps(void) { BOOL ok, has_priv; LUID priv_id; PRIVILEGE_SET privs; HANDLE hToken; ok = OpenThreadToken(GetCurrentThread(), TOKEN_QUERY, TRUE, &hToken); if (!ok && GetLastError() == ERROR_NO_TOKEN) { /* no thread-specific access token, so try to get process access token */ ok = OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken); } if (ok) { ok = LookupPrivilegeValue(NULL, SE_CREATE_GLOBAL_NAME, &priv_id); } if (ok) { privs.PrivilegeCount = 1; privs.Control = PRIVILEGE_SET_ALL_NECESSARY; privs.Privilege[0].Luid = priv_id; privs.Privilege[0].Attributes = SE_PRIVILEGE_ENABLED; ok = PrivilegeCheck(hToken, &privs, &has_priv); } if (ok && !has_priv) { return 0; } else { return 1; } }
/* * @brief Get the token information for the current thread/process. * @param pTokenUser Buffer to receive the token data. * @param dwBufferSize Size of the buffer that will receive the token data. * @returns Indication of success or failure. */ DWORD get_user_token(LPVOID pTokenUser, DWORD dwBufferSize) { DWORD dwResult = 0; DWORD dwReturnedLength = 0; HANDLE hToken; do { if (!OpenThreadToken(GetCurrentThread(), TOKEN_QUERY, FALSE, &hToken)) { if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken)) { BREAK_ON_ERROR("[TOKEN] Failed to get a valid token for thread/process."); } } if (!GetTokenInformation(hToken, TokenUser, pTokenUser, dwBufferSize, &dwReturnedLength)) { BREAK_ON_ERROR("[TOKEN] Failed to get token information for thread/process."); } dwResult = ERROR_SUCCESS; } while (0); return dwResult; }
static DWORD _impersonateLevel() { DWORD result = RPC_C_IMP_LEVEL_ANONYMOUS; HANDLE thr = NULL; BOOL status = OpenThreadToken(GetCurrentThread(), TOKEN_QUERY, TRUE, &thr); if (status) { SECURITY_IMPERSONATION_LEVEL level = SecurityAnonymous; DWORD ret = 0; status = GetTokenInformation(thr, TokenImpersonationLevel, &level, sizeof(SECURITY_IMPERSONATION_LEVEL), &ret); CloseHandle(thr); if (status == FALSE) { result = RPC_C_IMP_LEVEL_ANONYMOUS; } else { switch (level) { case SecurityAnonymous: result = RPC_C_IMP_LEVEL_ANONYMOUS; break; case SecurityIdentification: result = RPC_C_IMP_LEVEL_IDENTIFY; break; case SecurityImpersonation: result = RPC_C_IMP_LEVEL_IMPERSONATE; break; case SecurityDelegation: result = RPC_C_IMP_LEVEL_DELEGATE; break; default: result = RPC_C_IMP_LEVEL_ANONYMOUS; break; } } } else { ULONG error = GetLastError(); if (error == ERROR_NO_IMPERSONATION_TOKEN || error == ERROR_NO_TOKEN) result = RPC_C_IMP_LEVEL_DELEGATE; else if (error == ERROR_CANT_OPEN_ANONYMOUS) result = RPC_C_IMP_LEVEL_ANONYMOUS; else result = RPC_C_IMP_LEVEL_ANONYMOUS; } return result; }
BOOL uac::Am_I_In_Admin_Group(BOOL bCheckAdminMode /*= FALSE*/) { BOOL fAdmin; HANDLE hThread; TOKEN_GROUPS *ptg = NULL; DWORD cbTokenGroups; DWORD dwGroup; PSID psidAdmin; SID_IDENTIFIER_AUTHORITY SystemSidAuthority = SECURITY_NT_AUTHORITY; if (!OpenThreadToken(GetCurrentThread(), TOKEN_QUERY, FALSE, &hThread)) { if (GetLastError() == ERROR_NO_TOKEN) { if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hThread)) return (FALSE); } else return (FALSE); } if (GetTokenInformation(hThread, TokenGroups, NULL, 0, &cbTokenGroups)) return (FALSE); if (GetLastError() != ERROR_INSUFFICIENT_BUFFER) return (FALSE); if (!(ptg = (TOKEN_GROUPS*)_alloca(cbTokenGroups))) return (FALSE); if (!GetTokenInformation(hThread, TokenGroups, ptg, cbTokenGroups, &cbTokenGroups)) return (FALSE); if (!AllocateAndInitializeSid(&SystemSidAuthority, 2, SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS, 0, 0, 0, 0, 0, 0, &psidAdmin)) return (FALSE); fAdmin = FALSE; for (dwGroup = 0; dwGroup < ptg->GroupCount; dwGroup++) { if (EqualSid(ptg->Groups[dwGroup].Sid, psidAdmin)) { if (bCheckAdminMode) { if ((ptg->Groups[dwGroup].Attributes) & SE_GROUP_ENABLED) { fAdmin = TRUE; } } else { fAdmin = TRUE; } break; } } FreeSid(psidAdmin); return (fAdmin); }
CxDlgAccountPassword::CxDlgAccountPassword(CWnd* pParent /*=NULL*/) : CDialog(CxDlgAccountPassword::IDD, pParent) { HANDLE hProcess, hAccessToken; DWORD dwInfoBufferSize, dwDomainSize =1024; TCHAR tchszUser [1024]; TCHAR tchszDomain [1024]; DWORD dwUserNameLen = sizeof(tchszUser); TCHAR InfoBuffer[1000]; PTOKEN_USER pTokenUser = (PTOKEN_USER)InfoBuffer; SID_NAME_USE snu; // // Get the domain name that this user is logged on to. This could // also be the local machine name. CString strAccount = _T(""); hProcess = GetCurrentThread(); if (!OpenThreadToken (hProcess,TOKEN_QUERY, TRUE, &hAccessToken)) { if(GetLastError() == ERROR_NO_TOKEN) { // attempt to open the process token, since no thread token // exists BOOL bOk = OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hAccessToken); } } if (GetTokenInformation(hAccessToken, TokenUser, InfoBuffer, 1000, &dwInfoBufferSize)) { tchszDomain[0] = _T('\0'); if (LookupAccountSid(NULL, pTokenUser->User.Sid, tchszUser, &dwUserNameLen, tchszDomain, &dwDomainSize, &snu)) { if (tchszDomain[0]) { // // Use the account name of form "DomainName\UserName" if (B_ACCOUNT_CURRENT_USER) strAccount.Format (_T("%s\\%s"), tchszDomain, tchszUser); else strAccount.Format (_T("%s\\%s"), tchszDomain, _T("ingres")); } else { strAccount = B_ACCOUNT_CURRENT_USER? tchszUser: _T("ingres"); } } } //{{AFX_DATA_INIT(CxDlgAccountPassword) m_strAccount = _T(""); m_strPassword = _T(""); m_strConfirmPassword = _T(""); //}}AFX_DATA_INIT m_strAccount = strAccount; }
static int get_token(connection_context *c) { int res = 0; int wres; HANDLE token; if (c->runas) { credentials crd; if (!prepare_credentials(c->runas, &crd)) { hprintf(c->pipe, "error Incorrect runas credentials\n"); goto finish; } wres = LogonUser(crd.user, crd.domain, crd.password, LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, &c->token); if (!wres) { hprintf(c->pipe, "error Cannot LogonUser(%s,%s,%s) %d\n", crd.user, crd.domain, crd.password, GetLastError()); goto finish; } res = 1; goto finish; } else if (c->system) { if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &token)) { hprintf(c->pipe, "error Cannot OpenProcessToken %d\n", GetLastError()); goto finish; } } else { if (!ImpersonateNamedPipeClient(c->pipe->h)) { hprintf(c->pipe, "error Cannot ImpersonateNamedPipeClient %d\n", GetLastError()); goto finish; } if (!OpenThreadToken(GetCurrentThread(), TOKEN_ALL_ACCESS, FALSE, &token)) { hprintf(c->pipe, "error Cannot OpenThreadToken %d\n", GetLastError()); goto finishRevertToSelf; } } if (!DuplicateTokenEx(token, MAXIMUM_ALLOWED, 0, c->implevel, TokenPrimary, &c->token)) { hprintf(c->pipe, "error Cannot Duplicate Token %d\n", GetLastError()); goto finishCloseToken; } res = 1; finishCloseToken: CloseHandle(token); finishRevertToSelf: if (!c->system) { if (!RevertToSelf()) { hprintf(c->pipe, "error Cannot RevertToSelf %d\n", GetLastError()); res = 0; } } finish: return res; }
// If the process is owned by another user, request SeDebugPrivilege to open it. // Debug privileges are typically granted to Administrators. static int enable_debug_privileges() { HANDLE hToken; if (!OpenThreadToken(GetCurrentThread(), TOKEN_ADJUST_PRIVILEGES, FALSE, &hToken)) { if (!ImpersonateSelf(SecurityImpersonation) || !OpenThreadToken(GetCurrentThread(), TOKEN_ADJUST_PRIVILEGES, FALSE, &hToken)) { return 0; } } LUID luid; if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid)) { return 0; } TOKEN_PRIVILEGES tp; tp.PrivilegeCount = 1; tp.Privileges[0].Luid = luid; tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; BOOL success = AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL); CloseHandle(hToken); return success ? 1 : 0; }
static void SetTokenObjectIntegrityLevel(DWORD dwIntegrityLevel) { SID_IDENTIFIER_AUTHORITY Sia = SECURITY_MANDATORY_LABEL_AUTHORITY; SECURITY_DESCRIPTOR sd; HANDLE hToken; DWORD dwLength; PACL pAcl; PSID pSid; // Do nothing on OSes where mandatory ACEs are not supported if(pfnAddMandatoryAce == NULL) return; // Initialize blank security descriptor if(!InitializeSecurityDescriptor(&sd, SECURITY_DESCRIPTOR_REVISION)) return; // Allocate mandatory label SID if(!AllocateAndInitializeSid(&Sia, 1, dwIntegrityLevel, 0, 0, 0, 0, 0, 0, 0, &pSid)) return; // Open current token if(!OpenThreadToken(GetCurrentThread(), WRITE_OWNER, TRUE, &hToken)) { if(GetLastError() == ERROR_NO_TOKEN) OpenProcessToken(GetCurrentProcess(), WRITE_OWNER, &hToken); } // If succeeded, set the integrity level if(hToken != NULL) { // Create ACL dwLength = sizeof(ACL) + sizeof(SYSTEM_MANDATORY_LABEL_ACE) - sizeof(DWORD) + GetLengthSid(pSid); pAcl = (PACL)HeapAlloc(g_hHeap, 0, dwLength); if(pAcl != NULL) { if(InitializeAcl(pAcl, dwLength, ACL_REVISION)) { if(pfnAddMandatoryAce(pAcl, ACL_REVISION, 0, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP, pSid)) { NtSetSecurityObject(hToken, LABEL_SECURITY_INFORMATION, &sd); } } HeapFree(g_hHeap, 0, pAcl); } } FreeSid(pSid); }
QString DiagnosticsDialog::getUserRights() const { SID_IDENTIFIER_AUTHORITY NtAuthority = SECURITY_NT_AUTHORITY; PSID AdministratorsGroup = NULL; HANDLE hToken = NULL; DWORD dwIndex, dwLength = 0; PTOKEN_GROUPS pGroup = NULL; QString rights = tr( "User" ); if ( !OpenThreadToken( GetCurrentThread(), TOKEN_QUERY, TRUE, &hToken ) ) { if ( GetLastError() != ERROR_NO_TOKEN ) return tr( "Unknown - error %1" ).arg( GetLastError() ); if ( !OpenProcessToken( GetCurrentProcess(), TOKEN_QUERY, &hToken ) ) return tr( "Unknown - error %1" ).arg( GetLastError() ); } if ( !GetTokenInformation( hToken, TokenGroups, NULL, dwLength, &dwLength ) ) { if( GetLastError() != ERROR_INSUFFICIENT_BUFFER ) return tr( "Unknown - error %1" ).arg( GetLastError() ); } pGroup = (PTOKEN_GROUPS)GlobalAlloc( GPTR, dwLength ); if ( !GetTokenInformation( hToken, TokenGroups, pGroup, dwLength, &dwLength ) ) { if ( pGroup ) GlobalFree( pGroup ); return tr( "Unknown - error %1" ).arg( GetLastError() );; } if( AllocateAndInitializeSid( &NtAuthority, 2, SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS, 0, 0, 0, 0, 0, 0, &AdministratorsGroup ) ) { for ( dwIndex = 0; dwIndex < pGroup->GroupCount; dwIndex++ ) { if ( EqualSid( AdministratorsGroup, pGroup->Groups[dwIndex].Sid ) ) { rights = tr( "Administrator" ); break; } } } if ( AdministratorsGroup ) FreeSid( AdministratorsGroup ); if ( pGroup ) GlobalFree( pGroup ); return rights; }
/* This function is still a proof of concept, it's probably rife with bugs, below is a short (and incomplete) todo * "Basic" checks (Read/Write/File/Dir) checks for FAT32 filesystems which requires detecting the filesystem being used. */ void Check(fs::path const& file, acs::Type type) { DWORD file_attr = GetFileAttributes(file.c_str()); if ((file_attr & INVALID_FILE_ATTRIBUTES) == INVALID_FILE_ATTRIBUTES) { switch (GetLastError()) { case ERROR_FILE_NOT_FOUND: case ERROR_PATH_NOT_FOUND: throw fs::FileNotFound(file); case ERROR_ACCESS_DENIED: throw fs::ReadDenied(file); default: throw fs::FileSystemUnknownError(str(boost::format("Unexpected error when getting attributes for \"%s\": %s") % file % util::ErrorString(GetLastError()))); } } switch (type) { case FileRead: case FileWrite: if ((file_attr & FILE_ATTRIBUTE_DIRECTORY) == FILE_ATTRIBUTE_DIRECTORY) throw fs::NotAFile(file); break; case DirRead: case DirWrite: if ((file_attr & FILE_ATTRIBUTE_DIRECTORY) != FILE_ATTRIBUTE_DIRECTORY) throw fs::NotADirectory(file); break; } SECURITY_INFORMATION info = OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION; DWORD len = 0; GetFileSecurity(file.c_str(), info, nullptr, 0, &len); if (GetLastError() != ERROR_INSUFFICIENT_BUFFER) LOG_W("acs/check") << "GetFileSecurity: fatal: " << util::ErrorString(GetLastError()); std::vector<uint8_t> sd_buff(len); SECURITY_DESCRIPTOR *sd = (SECURITY_DESCRIPTOR *)&sd_buff[0]; if (!GetFileSecurity(file.c_str(), info, sd, len, &len)) LOG_W("acs/check") << "GetFileSecurity failed: " << util::ErrorString(GetLastError()); ImpersonateSelf(SecurityImpersonation); HANDLE client_token; if (!OpenThreadToken(GetCurrentThread(), TOKEN_ALL_ACCESS, TRUE, &client_token)) LOG_W("acs/check") << "OpenThreadToken failed: " << util::ErrorString(GetLastError()); if (!check_permission(true, sd, client_token)) throw fs::ReadDenied(file); if ((type == DirWrite || type == FileWrite) && !check_permission(false, sd, client_token)) throw fs::WriteDenied(file); }
int SetSeDebug() { HANDLE hToken; if(! OpenThreadToken(GetCurrentThread(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, FALSE, &hToken) ){ if (GetLastError() == ERROR_NO_TOKEN){ if (!ImpersonateSelf(SecurityImpersonation)){ CloseHandle(hToken); return 0; } if (!OpenThreadToken(GetCurrentThread(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, FALSE, &hToken) ){ RevertToSelf(); CloseHandle(hToken); return 0; } } } // enable SeDebugPrivilege (open any process) if (! SetPrivilege(hToken, SE_DEBUG_NAME, TRUE)){ RevertToSelf(); CloseHandle(hToken); return 0; } RevertToSelf(); CloseHandle(hToken); return 1; }
/* * SftListThreadPriv * * Purpose: * * Test unit for thread elevation check. * */ VOID SftListThreadPriv( VOID ) { DWORD dwLen; bool bRes; HANDLE hToken; BYTE *Buffer; TOKEN_PRIVILEGES *pPrivs; WCHAR text[MAX_PATH]; if (!OpenThreadToken(NtCurrentThread(), TOKEN_QUERY, FALSE, &hToken)) return; dwLen = 0; bRes = GetTokenInformation( hToken, TokenPrivileges, NULL, 0, &dwLen ); Buffer = LocalAlloc(LPTR, dwLen); if (Buffer) { bRes = GetTokenInformation( hToken, TokenPrivileges, Buffer, dwLen, &dwLen ); pPrivs = (TOKEN_PRIVILEGES*)Buffer; for (DWORD i = 0; i < pPrivs->PrivilegeCount; i++) { if (pPrivs->Privileges[i].Attributes & SE_PRIVILEGE_ENABLED) { text[0] = 0; ultostr(pPrivs->Privileges[i].Luid.LowPart, text); _strcat(text, TEXT("\r\n")); OutputDebugString(text); } } LocalFree(Buffer); } CloseHandle(hToken); }
static BOOL AuthzpInitUnderImpersonation(IN OUT PAUTHZ_RESMAN ResMan) { HANDLE hToken; BOOL Ret; Ret = OpenThreadToken(GetCurrentThread(), TOKEN_QUERY, TRUE, &hToken); if (Ret) { Ret = AuthzpQueryToken(ResMan, hToken); CloseHandle(hToken); } return Ret; }
HANDLE CServer::GetToken() { HANDLE hHandle = GetCurrentThread(); HANDLE hToken = INVALID_HANDLE_VALUE; BOOL bRet = OpenThreadToken ( hHandle, TOKEN_READ, TRUE, &hToken ); if(bRet==FALSE) { hHandle = GetCurrentProcess(); bRet=OpenProcessToken(hHandle, TOKEN_READ, &hToken ); } return hToken; }
/** * RevertToPrinterSelf reverts the security context from the current user's context back to the process context. * As spoolss.dll is used by spoolsv.exe, this is usually the SYSTEM security context. * * Unlike the traditional ImpersonateClient and then RevertToSelf approach, we do it the other way round here, * because spoolss.dll is delay-loaded by spoolsv.exe in the current user's context. Use RevertToPrinterSelf then to * return to the SYSTEM context for specific tasks. */ HANDLE WINAPI RevertToPrinterSelf(VOID) { DWORD dwErrorCode; HANDLE hReturnValue = NULL; HANDLE hToken = NULL; // All spoolss code is usually called after impersonating the client. In this case, we can retrieve our current thread impersonation token using OpenThreadToken. // But in rare occasions, spoolss code is also called from a higher-privileged thread that doesn't impersonate the client. Then we don't get an impersonation token. // Anyway, we can't just return nothing in this case, because this is being treated as failure by the caller. So we return the token of the current process. // This behaviour is verified with Windows! if (OpenThreadToken(GetCurrentThread(), TOKEN_IMPERSONATE, TRUE, &hToken)) { // Tell the thread to stop impersonating. if (!SetThreadToken(NULL, NULL)) { dwErrorCode = GetLastError(); ERR("SetThreadToken failed with error %lu!\n", dwErrorCode); goto Cleanup; } } else if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken)) { dwErrorCode = GetLastError(); ERR("OpenProcessToken failed with error %lu!\n", dwErrorCode); goto Cleanup; } // We were successful, return a token! dwErrorCode = ERROR_SUCCESS; hReturnValue = hToken; // Don't let the cleanup routine close this. hToken = NULL; Cleanup: if (hToken) CloseHandle(hToken); SetLastError(dwErrorCode); return hReturnValue; }
HRESULT COpcSecurity::GetThreadSids(PSID* ppUserSid, PSID* ppGroupSid, BOOL bOpenAsSelf) { BOOL bRes; HRESULT hr; HANDLE hToken = NULL; if (ppUserSid) *ppUserSid = NULL; if (ppGroupSid) *ppGroupSid = NULL; bRes = OpenThreadToken(GetCurrentThread(), TOKEN_QUERY, bOpenAsSelf, &hToken); if (!bRes) { // Couldn't open thread token hr = HRESULT_FROM_WIN32(GetLastError()); return hr; } hr = GetTokenSids(hToken, ppUserSid, ppGroupSid); CloseHandle(hToken); return hr; }
gpointer ves_icall_System_Security_Principal_WindowsIdentity_GetCurrentToken (void) { gpointer token = NULL; #ifdef HOST_WIN32 /* Note: This isn't a copy of the Token - we must not close it!!! * http://www.develop.com/kbrown/book/html/whatis_windowsprincipal.html */ /* thread may be impersonating somebody */ if (OpenThreadToken (GetCurrentThread (), MAXIMUM_ALLOWED, 1, &token) == 0) { /* if not take the process identity */ OpenProcessToken (GetCurrentProcess (), MAXIMUM_ALLOWED, &token); } #else token = GINT_TO_POINTER (geteuid ()); #endif return token; }
NTSTATUS kuhl_m_token_whoami(int argc, wchar_t * argv[]) { HANDLE hToken; kprintf(L" * Process Token : "); if(OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken)) { kuhl_m_token_displayAccount(hToken); CloseHandle(hToken); } else PRINT_ERROR_AUTO(L"OpenProcessToken"); kprintf(L" * Thread Token : "); if(OpenThreadToken(GetCurrentThread(), TOKEN_QUERY, TRUE, &hToken)) { kuhl_m_token_displayAccount(hToken); CloseHandle(hToken); } else if(GetLastError() == ERROR_NO_TOKEN) kprintf(L"no token\n"); else PRINT_ERROR_AUTO(L"OpenThreadToken"); return STATUS_SUCCESS; }
//----------------------------------------------------------------------------- // Name: getImpersonationToken() // Desc: The method acts as a potential workaround for the fact that the // current thread may not have a token assigned to it, and if not, the // process token is received. //----------------------------------------------------------------------------- bool KG3DCritDumper::getImpersonationToken( HANDLE* phToken ) { *phToken = NULL; if( !OpenThreadToken( GetCurrentThread(), TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES, TRUE, phToken) ) { if( GetLastError() == ERROR_NO_TOKEN ) { // No impersonation token for the current thread is available. // Let's go for the process token instead. if( !OpenProcessToken( GetCurrentProcess(), TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES, phToken) ) return false; } else return false; } return true; }
/* setting up/initalizing the connection details */ static int set_connection_details(sspi_auth_ctx* ctx) { SECURITY_STATUS ss; if (ctx->scr->username == NULL) { ctx->scr->username = get_username_from_context(ctx->r->connection->pool, sspiModuleInfo.functable, &ctx->scr->server_context); } if (ctx->scr->username == NULL) return HTTP_INTERNAL_SERVER_ERROR; else construct_username(ctx); if (ctx->r->user == NULL) { ctx->r->user = ctx->scr->username; ctx->r->ap_auth_type = ctx->scr->package; } if (ctx->scr->usertoken == NULL) { if ((ss = sspiModuleInfo.functable->ImpersonateSecurityContext(&ctx->scr->server_context)) != SEC_E_OK) { return HTTP_INTERNAL_SERVER_ERROR; } if (!OpenThreadToken(GetCurrentThread(), TOKEN_QUERY_SOURCE | TOKEN_READ, TRUE, &ctx->scr->usertoken)) { sspiModuleInfo.functable->RevertSecurityContext(&ctx->scr->server_context); return HTTP_INTERNAL_SERVER_ERROR; } if ((ss = sspiModuleInfo.functable->RevertSecurityContext(&ctx->scr->server_context)) != SEC_E_OK) { return HTTP_INTERNAL_SERVER_ERROR; } } return OK; }