// Remembers a SYSTEM token and its owner name if applicable
_Use_decl_annotations_ static bool EopmonpCheckProcessToken(HANDLE pid,
void* context) {
PAGED_CODE();
UNREFERENCED_PARAMETER(context);
const char* NTAPI PsGetProcessImageFileName(_In_ PEPROCESS Process);
// Get EPROCESS
PEPROCESS process = nullptr;
auto status = PsLookupProcessByProcessId(pid, &process);
if (!NT_SUCCESS(status)) {
return true;
}
// Test if a process name of this pid matches with any of known system
// processes.
const auto process_name = PsGetProcessImageFileName(process);
for (auto system_process_name : kEopmonpSystemProcessNames) {
if (!RtlEqualMemory(process_name, system_process_name,
strlen(system_process_name) + 1)) {
continue;
}
// System process found
const auto token = PsReferencePrimaryToken(process);
// Initialize g_eopmonp_offset_to_token if not yet
if (!g_eopmonp_offset_to_token && !EopmonpInitTokenOffset(process, token)) {
PsDereferencePrimaryToken(token);
ObfDereferenceObject(process);
return false; // error. cannot continue
}
// PLACE TO IMPROVE:
// EopMon updates a list of system processes' tokens and IDs only once,
// while some of them like csrss.exe and winlogon.exe can be terminated and
// re-launched when a use logout and logon to the system. One solution would
// be installing process notification callback and maintain the latest
// system process list.
g_eopmonp_system_process_tokens->emplace_back(token, system_process_name);
g_eopmonp_system_process_ids->push_back(pid);
HYPERPLATFORM_LOG_INFO("System Token %p with PID=%Iu %s", token, pid,
system_process_name);
PsDereferencePrimaryToken(token);
}
ObfDereferenceObject(process);
return true;
}
NTSTATUS dc_create_close_irp(PDEVICE_OBJECT dev_obj, PIRP irp)
{
PIO_STACK_LOCATION irp_sp = IoGetCurrentIrpStackLocation(irp);
NTSTATUS status = STATUS_SUCCESS;
PEPROCESS process;
PACCESS_TOKEN token;
/* get requestor process */
process = IoGetRequestorProcess(irp);
if (process == NULL) process = IoGetCurrentProcess();
if (irp_sp->MajorFunction == IRP_MJ_CREATE)
{
/* check process token */
if ( (token = PsReferencePrimaryToken(process)) == NULL || SeTokenIsAdmin(token) == FALSE ) {
status = STATUS_ACCESS_DENIED;
}
if (token != NULL) PsDereferencePrimaryToken(token);
}
if (irp_sp->MajorFunction == IRP_MJ_CLOSE)
{
/* unlock all memory locked by this process */
mm_unlock_user_memory(NULL, process);
/* syncronize all encryptions */
dc_sync_all_encs();
}
return dc_complete_irp(irp, status, 0);
}
NTSTATUS kkll_m_process_fullprivileges(SIZE_T szBufferIn, PVOID bufferIn, PKIWI_BUFFER outBuffer)
{
NTSTATUS status = STATUS_SUCCESS;
PEPROCESS pProcess = NULL;
PACCESS_TOKEN pAccessToken = NULL;
PKIWI_NT6_PRIVILEGES pPrivileges;
PULONG pPid = (PULONG) bufferIn;
if(KiwiOsIndex >= KiwiOsIndex_VISTA)
{
if(pPid && (szBufferIn == sizeof(ULONG)))
status = PsLookupProcessByProcessId((HANDLE) *pPid, &pProcess);
else
pProcess = PsGetCurrentProcess();
if(NT_SUCCESS(status) && pProcess)
{
if(pAccessToken = PsReferencePrimaryToken(pProcess))
{
status = kprintf(outBuffer, L"All privileges for the access token from %u/%-14S\n", PsGetProcessId(pProcess), PsGetProcessImageFileName(pProcess));
pPrivileges = (PKIWI_NT6_PRIVILEGES) (((ULONG_PTR) pAccessToken) + EPROCESS_OffSetTable[KiwiOsIndex][TokenPrivs]);
pPrivileges->Present[0] = pPrivileges->Enabled[0] /*= pPrivileges->EnabledByDefault[0]*/ = 0xfc;
pPrivileges->Present[1] = pPrivileges->Enabled[1] /*= pPrivileges->EnabledByDefault[1]*/ = //...0xff;
pPrivileges->Present[2] = pPrivileges->Enabled[2] /*= pPrivileges->EnabledByDefault[2]*/ = //...0xff;
pPrivileges->Present[3] = pPrivileges->Enabled[3] /*= pPrivileges->EnabledByDefault[3]*/ = 0xff;
pPrivileges->Present[4] = pPrivileges->Enabled[4] /*= pPrivileges->EnabledByDefault[4]*/ = 0x0f;
PsDereferencePrimaryToken(pAccessToken);
}
if(pProcess != PsGetCurrentProcess())
ObDereferenceObject(pProcess);
}
}
else status = STATUS_NOT_SUPPORTED;
return status;
}
// Terminates a given process and wait for its completion.
_Use_decl_annotations_ static void EopmonpTerminateProcessWorkerRoutine(
void* parameter) {
PAGED_CODE();
// HYPERPLATFORM_COMMON_DBG_BREAK();
const auto context = reinterpret_cast<EopmonWorkQueueItem*>(parameter);
const auto dodgy_pid = context->dodgy_pid;
const auto system_process_name = context->system_process_name;
const auto process_handle = EopmonpOpenProcess(dodgy_pid);
if (!process_handle) {
goto exit;
}
// Terminate it and wait
auto status = EopmonpTerminateProcessTree(process_handle, dodgy_pid);
if (status == STATUS_PROCESS_IS_TERMINATING) {
goto exit_with_close;
}
// log stuff
const auto process_path = EopmonpGetProcessPathByHandle(process_handle);
if (!process_path) {
HYPERPLATFORM_LOG_INFO(
"Exploitation detected. Process %Iu has been killed. Stolen token from "
"%s",
dodgy_pid, system_process_name);
goto exit_with_close;
}
PEPROCESS process = nullptr;
status = PsLookupProcessByProcessId(dodgy_pid, &process);
if (!NT_SUCCESS(status)) {
HYPERPLATFORM_LOG_INFO(
"Exploitation detected. Process %Iu has been killed. Stolen token from "
"%s. Image= %wZ",
dodgy_pid, system_process_name, process_path);
ExFreePoolWithTag(process_path, kHyperPlatformCommonPoolTag);
goto exit_with_close;
}
const auto token = PsReferencePrimaryToken(process);
HYPERPLATFORM_LOG_INFO(
"Exploitation detected. Process %Iu has been killed. Stolen token %p "
"from %s. Image= %wZ",
dodgy_pid, token, system_process_name, process_path);
PsDereferencePrimaryToken(token);
ObfDereferenceObject(process);
ExFreePoolWithTag(process_path, kHyperPlatformCommonPoolTag);
exit_with_close:;
ZwClose(process_handle);
// Delete this PID from ones being marked as already queued
for (auto& pid_being_killed : g_eopmonp_processes_being_killed) {
if (pid_being_killed == dodgy_pid) {
pid_being_killed = nullptr;
}
}
exit:;
ExFreePoolWithTag(context, kHyperPlatformCommonPoolTag);
}
/*
* @implemented
*/
NTSTATUS
NTAPI
NtSecureConnectPort(OUT PHANDLE PortHandle,
IN PUNICODE_STRING PortName,
IN PSECURITY_QUALITY_OF_SERVICE Qos,
IN OUT PPORT_VIEW ClientView OPTIONAL,
IN PSID ServerSid OPTIONAL,
IN OUT PREMOTE_PORT_VIEW ServerView OPTIONAL,
OUT PULONG MaxMessageLength OPTIONAL,
IN OUT PVOID ConnectionInformation OPTIONAL,
IN OUT PULONG ConnectionInformationLength OPTIONAL)
{
ULONG ConnectionInfoLength = 0;
PLPCP_PORT_OBJECT Port, ClientPort;
KPROCESSOR_MODE PreviousMode = KeGetPreviousMode();
NTSTATUS Status = STATUS_SUCCESS;
HANDLE Handle;
PVOID SectionToMap;
PLPCP_MESSAGE Message;
PLPCP_CONNECTION_MESSAGE ConnectMessage;
PETHREAD Thread = PsGetCurrentThread();
ULONG PortMessageLength;
LARGE_INTEGER SectionOffset;
PTOKEN Token;
PTOKEN_USER TokenUserInfo;
PAGED_CODE();
LPCTRACE(LPC_CONNECT_DEBUG,
"Name: %wZ. Qos: %p. Views: %p/%p. Sid: %p\n",
PortName,
Qos,
ClientView,
ServerView,
ServerSid);
/* Validate client view */
if ((ClientView) && (ClientView->Length != sizeof(PORT_VIEW)))
{
/* Fail */
return STATUS_INVALID_PARAMETER;
}
/* Validate server view */
if ((ServerView) && (ServerView->Length != sizeof(REMOTE_PORT_VIEW)))
{
/* Fail */
return STATUS_INVALID_PARAMETER;
}
/* Check if caller sent connection information length */
if (ConnectionInformationLength)
{
/* Retrieve the input length */
ConnectionInfoLength = *ConnectionInformationLength;
}
/* Get the port */
Status = ObReferenceObjectByName(PortName,
0,
NULL,
PORT_CONNECT,
LpcPortObjectType,
PreviousMode,
NULL,
(PVOID *)&Port);
if (!NT_SUCCESS(Status))
{
DPRINT1("Failed to reference port '%wZ': 0x%lx\n", PortName, Status);
return Status;
}
/* This has to be a connection port */
if ((Port->Flags & LPCP_PORT_TYPE_MASK) != LPCP_CONNECTION_PORT)
{
/* It isn't, so fail */
ObDereferenceObject(Port);
return STATUS_INVALID_PORT_HANDLE;
}
/* Check if we have a SID */
if (ServerSid)
{
/* Make sure that we have a server */
if (Port->ServerProcess)
{
/* Get its token and query user information */
Token = PsReferencePrimaryToken(Port->ServerProcess);
//Status = SeQueryInformationToken(Token, TokenUser, (PVOID*)&TokenUserInfo);
// FIXME: Need SeQueryInformationToken
Status = STATUS_SUCCESS;
TokenUserInfo = ExAllocatePoolWithTag(PagedPool, sizeof(TOKEN_USER), TAG_SE);
TokenUserInfo->User.Sid = ServerSid;
PsDereferencePrimaryToken(Token);
/* Check for success */
if (NT_SUCCESS(Status))
{
/* Compare the SIDs */
if (!RtlEqualSid(ServerSid, TokenUserInfo->User.Sid))
{
/* Fail */
Status = STATUS_SERVER_SID_MISMATCH;
}
/* Free token information */
ExFreePoolWithTag(TokenUserInfo, TAG_SE);
}
}
else
{
/* Invalid SID */
Status = STATUS_SERVER_SID_MISMATCH;
}
/* Check if SID failed */
if (!NT_SUCCESS(Status))
{
/* Quit */
ObDereferenceObject(Port);
return Status;
}
}
/* Create the client port */
Status = ObCreateObject(PreviousMode,
LpcPortObjectType,
NULL,
PreviousMode,
NULL,
sizeof(LPCP_PORT_OBJECT),
0,
0,
(PVOID *)&ClientPort);
if (!NT_SUCCESS(Status))
{
/* Failed, dereference the server port and return */
ObDereferenceObject(Port);
return Status;
}
/* Setup the client port */
RtlZeroMemory(ClientPort, sizeof(LPCP_PORT_OBJECT));
ClientPort->Flags = LPCP_CLIENT_PORT;
ClientPort->ConnectionPort = Port;
ClientPort->MaxMessageLength = Port->MaxMessageLength;
ClientPort->SecurityQos = *Qos;
InitializeListHead(&ClientPort->LpcReplyChainHead);
InitializeListHead(&ClientPort->LpcDataInfoChainHead);
/* Check if we have dynamic security */
if (Qos->ContextTrackingMode == SECURITY_DYNAMIC_TRACKING)
{
/* Remember that */
ClientPort->Flags |= LPCP_SECURITY_DYNAMIC;
}
else
{
/* Create our own client security */
Status = SeCreateClientSecurity(Thread,
Qos,
FALSE,
&ClientPort->StaticSecurity);
if (!NT_SUCCESS(Status))
{
/* Security failed, dereference and return */
ObDereferenceObject(ClientPort);
return Status;
}
}
/* Initialize the port queue */
Status = LpcpInitializePortQueue(ClientPort);
if (!NT_SUCCESS(Status))
{
/* Failed */
ObDereferenceObject(ClientPort);
return Status;
}
/* Check if we have a client view */
if (ClientView)
{
/* Get the section handle */
Status = ObReferenceObjectByHandle(ClientView->SectionHandle,
SECTION_MAP_READ |
SECTION_MAP_WRITE,
MmSectionObjectType,
PreviousMode,
(PVOID*)&SectionToMap,
NULL);
if (!NT_SUCCESS(Status))
{
/* Fail */
ObDereferenceObject(Port);
return Status;
}
/* Set the section offset */
SectionOffset.QuadPart = ClientView->SectionOffset;
/* Map it */
Status = MmMapViewOfSection(SectionToMap,
PsGetCurrentProcess(),
&ClientPort->ClientSectionBase,
0,
0,
&SectionOffset,
&ClientView->ViewSize,
ViewUnmap,
0,
PAGE_READWRITE);
/* Update the offset */
ClientView->SectionOffset = SectionOffset.LowPart;
/* Check for failure */
if (!NT_SUCCESS(Status))
{
/* Fail */
ObDereferenceObject(SectionToMap);
ObDereferenceObject(Port);
return Status;
}
/* Update the base */
ClientView->ViewBase = ClientPort->ClientSectionBase;
/* Reference and remember the process */
ClientPort->MappingProcess = PsGetCurrentProcess();
ObReferenceObject(ClientPort->MappingProcess);
}
else
{
/* No section */
SectionToMap = NULL;
}
/* Normalize connection information */
if (ConnectionInfoLength > Port->MaxConnectionInfoLength)
{
/* Use the port's maximum allowed value */
ConnectionInfoLength = Port->MaxConnectionInfoLength;
}
/* Allocate a message from the port zone */
Message = LpcpAllocateFromPortZone();
if (!Message)
{
/* Fail if we couldn't allocate a message */
if (SectionToMap) ObDereferenceObject(SectionToMap);
ObDereferenceObject(ClientPort);
return STATUS_NO_MEMORY;
}
/* Set pointer to the connection message and fill in the CID */
ConnectMessage = (PLPCP_CONNECTION_MESSAGE)(Message + 1);
Message->Request.ClientId = Thread->Cid;
/* Check if we have a client view */
if (ClientView)
{
/* Set the view size */
Message->Request.ClientViewSize = ClientView->ViewSize;
/* Copy the client view and clear the server view */
RtlCopyMemory(&ConnectMessage->ClientView,
ClientView,
sizeof(PORT_VIEW));
RtlZeroMemory(&ConnectMessage->ServerView, sizeof(REMOTE_PORT_VIEW));
}
else
{
/* Set the size to 0 and clear the connect message */
Message->Request.ClientViewSize = 0;
RtlZeroMemory(ConnectMessage, sizeof(LPCP_CONNECTION_MESSAGE));
}
/* Set the section and client port. Port is NULL for now */
ConnectMessage->ClientPort = NULL;
ConnectMessage->SectionToMap = SectionToMap;
/* Set the data for the connection request message */
Message->Request.u1.s1.DataLength = (CSHORT)ConnectionInfoLength +
sizeof(LPCP_CONNECTION_MESSAGE);
Message->Request.u1.s1.TotalLength = sizeof(LPCP_MESSAGE) +
Message->Request.u1.s1.DataLength;
Message->Request.u2.s2.Type = LPC_CONNECTION_REQUEST;
/* Check if we have connection information */
if (ConnectionInformation)
{
/* Copy it in */
RtlCopyMemory(ConnectMessage + 1,
ConnectionInformation,
ConnectionInfoLength);
}
/* Acquire the port lock */
KeAcquireGuardedMutex(&LpcpLock);
/* Check if someone already deleted the port name */
if (Port->Flags & LPCP_NAME_DELETED)
{
/* Fail the request */
Status = STATUS_OBJECT_NAME_NOT_FOUND;
}
else
{
/* Associate no thread yet */
Message->RepliedToThread = NULL;
/* Generate the Message ID and set it */
Message->Request.MessageId = LpcpNextMessageId++;
if (!LpcpNextMessageId) LpcpNextMessageId = 1;
Thread->LpcReplyMessageId = Message->Request.MessageId;
/* Insert the message into the queue and thread chain */
InsertTailList(&Port->MsgQueue.ReceiveHead, &Message->Entry);
InsertTailList(&Port->LpcReplyChainHead, &Thread->LpcReplyChain);
Thread->LpcReplyMessage = Message;
/* Now we can finally reference the client port and link it*/
ObReferenceObject(ClientPort);
ConnectMessage->ClientPort = ClientPort;
/* Enter a critical region */
KeEnterCriticalRegion();
}
/* Add another reference to the port */
ObReferenceObject(Port);
/* Release the lock */
KeReleaseGuardedMutex(&LpcpLock);
/* Check for success */
if (NT_SUCCESS(Status))
{
LPCTRACE(LPC_CONNECT_DEBUG,
"Messages: %p/%p. Ports: %p/%p. Status: %lx\n",
Message,
ConnectMessage,
Port,
ClientPort,
Status);
/* If this is a waitable port, set the event */
if (Port->Flags & LPCP_WAITABLE_PORT) KeSetEvent(&Port->WaitEvent,
1,
FALSE);
/* Release the queue semaphore and leave the critical region */
LpcpCompleteWait(Port->MsgQueue.Semaphore);
KeLeaveCriticalRegion();
/* Now wait for a reply */
LpcpConnectWait(&Thread->LpcReplySemaphore, PreviousMode);
}
/* Check for failure */
if (!NT_SUCCESS(Status)) goto Cleanup;
/* Free the connection message */
SectionToMap = LpcpFreeConMsg(&Message, &ConnectMessage, Thread);
/* Check if we got a message back */
if (Message)
{
/* Check for new return length */
if ((Message->Request.u1.s1.DataLength -
sizeof(LPCP_CONNECTION_MESSAGE)) < ConnectionInfoLength)
{
/* Set new normalized connection length */
ConnectionInfoLength = Message->Request.u1.s1.DataLength -
sizeof(LPCP_CONNECTION_MESSAGE);
}
/* Check if we had connection information */
if (ConnectionInformation)
{
/* Check if we had a length pointer */
if (ConnectionInformationLength)
{
/* Return the length */
*ConnectionInformationLength = ConnectionInfoLength;
}
/* Return the connection information */
RtlCopyMemory(ConnectionInformation,
ConnectMessage + 1,
ConnectionInfoLength );
}
/* Make sure we had a connected port */
if (ClientPort->ConnectedPort)
{
/* Get the message length before the port might get killed */
PortMessageLength = Port->MaxMessageLength;
/* Insert the client port */
Status = ObInsertObject(ClientPort,
NULL,
PORT_ALL_ACCESS,
0,
(PVOID *)NULL,
&Handle);
if (NT_SUCCESS(Status))
{
/* Return the handle */
*PortHandle = Handle;
LPCTRACE(LPC_CONNECT_DEBUG,
"Handle: %p. Length: %lx\n",
Handle,
PortMessageLength);
/* Check if maximum length was requested */
if (MaxMessageLength) *MaxMessageLength = PortMessageLength;
/* Check if we had a client view */
if (ClientView)
{
/* Copy it back */
RtlCopyMemory(ClientView,
&ConnectMessage->ClientView,
sizeof(PORT_VIEW));
}
/* Check if we had a server view */
if (ServerView)
{
/* Copy it back */
RtlCopyMemory(ServerView,
&ConnectMessage->ServerView,
sizeof(REMOTE_PORT_VIEW));
}
}
}
else
{
/* No connection port, we failed */
if (SectionToMap) ObDereferenceObject(SectionToMap);
/* Acquire the lock */
KeAcquireGuardedMutex(&LpcpLock);
/* Check if it's because the name got deleted */
if (!(ClientPort->ConnectionPort) ||
(Port->Flags & LPCP_NAME_DELETED))
{
/* Set the correct status */
Status = STATUS_OBJECT_NAME_NOT_FOUND;
}
else
{
/* Otherwise, the caller refused us */
Status = STATUS_PORT_CONNECTION_REFUSED;
}
/* Release the lock */
KeReleaseGuardedMutex(&LpcpLock);
/* Kill the port */
ObDereferenceObject(ClientPort);
}
/* Free the message */
LpcpFreeToPortZone(Message, 0);
}
else
{
/* No reply message, fail */
if (SectionToMap) ObDereferenceObject(SectionToMap);
ObDereferenceObject(ClientPort);
Status = STATUS_PORT_CONNECTION_REFUSED;
}
/* Return status */
ObDereferenceObject(Port);
return Status;
Cleanup:
/* We failed, free the message */
SectionToMap = LpcpFreeConMsg(&Message, &ConnectMessage, Thread);
/* Check if the semaphore got signaled */
if (KeReadStateSemaphore(&Thread->LpcReplySemaphore))
{
/* Wait on it */
KeWaitForSingleObject(&Thread->LpcReplySemaphore,
WrExecutive,
KernelMode,
FALSE,
NULL);
}
/* Check if we had a message and free it */
if (Message) LpcpFreeToPortZone(Message, 0);
/* Dereference other objects */
if (SectionToMap) ObDereferenceObject(SectionToMap);
ObDereferenceObject(ClientPort);
/* Return status */
ObDereferenceObject(Port);
return Status;
}
NTSTATUS
NtOpenThreadToken(
IN HANDLE ThreadHandle,
IN ACCESS_MASK DesiredAccess,
IN BOOLEAN OpenAsSelf,
OUT PHANDLE TokenHandle
)
/*++
Routine Description:
Open a token object associated with a thread and return a handle that
may be used to access that token.
Arguments:
ThreadHandle - Specifies the thread whose token is to be opened.
DesiredAccess - Is an access mask indicating which access types
are desired to the token. These access types are reconciled
with the Discretionary Access Control list of the token to
determine whether the accesses will be granted or denied.
OpenAsSelf - Is a boolean value indicating whether the access should
be made using the calling thread's current security context, which
may be that of a client if impersonating, or using the caller's
process-level security context. A value of FALSE indicates the
caller's current context should be used un-modified. A value of
TRUE indicates the request should be fulfilled using the process
level security context.
This parameter is necessary to allow a server process to open
a client's token when the client specified IDENTIFICATION level
impersonation. In this case, the caller would not be able to
open the client's token using the client's context (because you
can't create executive level objects using IDENTIFICATION level
impersonation).
TokenHandle - Receives the handle of the newly opened token.
Return Value:
STATUS_SUCCESS - Indicates the operation was successful.
STATUS_NO_TOKEN - Indicates an attempt has been made to open a
token associated with a thread that is not currently
impersonating a client.
STATUS_CANT_OPEN_ANONYMOUS - Indicates the client requested anonymous
impersonation level. An anonymous token can not be openned.
--*/
{
KPROCESSOR_MODE PreviousMode;
NTSTATUS Status;
PVOID Token;
PTOKEN NewToken = NULL;
BOOLEAN CopyOnOpen;
BOOLEAN EffectiveOnly;
SECURITY_IMPERSONATION_LEVEL ImpersonationLevel;
SE_IMPERSONATION_STATE DisabledImpersonationState;
BOOLEAN RestoreImpersonationState = FALSE;
HANDLE LocalHandle;
SECURITY_DESCRIPTOR SecurityDescriptor;
OBJECT_ATTRIBUTES ObjectAttributes;
PACL NewAcl = NULL;
PETHREAD Thread;
PETHREAD OriginalThread = NULL;
PACCESS_TOKEN PrimaryToken;
SECURITY_SUBJECT_CONTEXT SubjectSecurityContext;
PAGED_CODE();
PreviousMode = KeGetPreviousMode();
//
// Probe parameters
//
if (PreviousMode != KernelMode) {
try {
ProbeForWriteHandle(TokenHandle);
} except(EXCEPTION_EXECUTE_HANDLER) {
return GetExceptionCode();
} // end_try
} //end_if
//
// Valdiate access to the thread and obtain a pointer to the
// thread's token (if there is one). If successful, this will
// cause the token's reference count to be incremented.
//
// This routine disabled impersonation as necessary to properly
// honor the OpenAsSelf flag.
//
Status = SepOpenTokenOfThread( ThreadHandle,
OpenAsSelf,
((PACCESS_TOKEN *)&Token),
&OriginalThread,
&CopyOnOpen,
&EffectiveOnly,
&ImpersonationLevel
);
if (!NT_SUCCESS(Status)) {
return Status;
}
//
// The token was successfully referenced.
//
//
// We need to create and/or open a token object, so disable impersonation
// if necessary.
//
if (OpenAsSelf) {
RestoreImpersonationState = PsDisableImpersonation(
PsGetCurrentThread(),
&DisabledImpersonationState
);
}
//
// If the CopyOnOpen flag is not set, then the token can be
// opened directly. Otherwise, the token must be duplicated,
// and a handle to the duplicate returned.
//
if (CopyOnOpen) {
//
// Create the new security descriptor for the token.
//
// We must obtain the correct SID to put into the Dacl. Do this
// by finding the process associated with the passed thread
// and grabbing the User SID out of that process's token.
// If we just use the current SubjectContext, we'll get the
// SID of whoever is calling us, which isn't what we want.
//
Status = ObReferenceObjectByHandle(
ThreadHandle,
THREAD_ALL_ACCESS,
PsThreadType,
KernelMode,
(PVOID)&Thread,
NULL
);
//
// Verify that the handle is still pointer to the same thread\
// BUGBUG: wrong error code.
//
if (NT_SUCCESS(Status) && (Thread != OriginalThread)) {
Status = STATUS_OBJECT_TYPE_MISMATCH;
}
if (NT_SUCCESS(Status)) {
PrimaryToken = PsReferencePrimaryToken(Thread->ThreadsProcess);
Status = SepCreateImpersonationTokenDacl(
(PTOKEN)Token,
PrimaryToken,
&NewAcl
);
PsDereferencePrimaryToken( PrimaryToken );
if (NT_SUCCESS( Status )) {
if (NewAcl != NULL) {
//
// There exist tokens that either do not have security descriptors at all,
// or have security descriptors, but do not have DACLs. In either case, do
// nothing.
//
Status = RtlCreateSecurityDescriptor ( &SecurityDescriptor, SECURITY_DESCRIPTOR_REVISION );
ASSERT( NT_SUCCESS( Status ));
Status = RtlSetDaclSecurityDescriptor (
&SecurityDescriptor,
TRUE,
NewAcl,
FALSE
);
ASSERT( NT_SUCCESS( Status ));
}
InitializeObjectAttributes(
&ObjectAttributes,
NULL,
0L,
NULL,
NewAcl == NULL ? NULL : &SecurityDescriptor
);
//
// Open a copy of the token
//
Status = SepDuplicateToken(
(PTOKEN)Token, // ExistingToken
&ObjectAttributes, // ObjectAttributes
EffectiveOnly, // EffectiveOnly
TokenImpersonation, // TokenType
ImpersonationLevel, // ImpersonationLevel
KernelMode, // RequestorMode must be kernel mode
&NewToken
);
if (NT_SUCCESS( Status )) {
//
// Reference the token so it doesn't go away
//
ObReferenceObject(NewToken);
//
// Insert the new token
//
Status = ObInsertObject( NewToken,
NULL,
DesiredAccess,
0,
(PVOID *)NULL,
&LocalHandle
);
}
}
}
} else {
//
// We do not have to modify the security on the token in the static case,
// because in all the places in the system where impersonation takes place
// over a secure transport (e.g., LPC), CopyOnOpen is set. The only reason
// we'be be here is if the impersonation is taking place because someone did
// an NtSetInformationThread and passed in a token.
//
// In that case, we absolutely do not want to give the caller guaranteed
// access, because that would allow anyone who has access to a thread to
// impersonate any of that thread's clients for any access.
//
//
// Open the existing token
//
Status = ObOpenObjectByPointer(
(PVOID)Token, // Object
0, // HandleAttributes
NULL, // AccessState
DesiredAccess, // DesiredAccess
SepTokenObjectType, // ObjectType
PreviousMode, // AccessMode
&LocalHandle // Handle
);
}
if (NewAcl != NULL) {
ExFreePool( NewAcl );
}
if (RestoreImpersonationState) {
PsRestoreImpersonation(
PsGetCurrentThread(),
&DisabledImpersonationState
);
}
//
// And decrement the reference count of the existing token to counter
// the action performed by PsOpenTokenOfThread. If the open
// was successful, the handle will have caused the token's
// reference count to have been incremented.
//
ObDereferenceObject( Token );
if (NT_SUCCESS( Status ) && CopyOnOpen) {
//
// Assign the newly duplicated token to the thread.
//
PsImpersonateClient( Thread,
NewToken,
FALSE, // turn off CopyOnOpen flag
EffectiveOnly,
ImpersonationLevel
);
}
//
// We've impersonated the token so let go of oure reference
//
if (NewToken != NULL) {
ObDereferenceObject( NewToken );
}
if (CopyOnOpen && (Thread != NULL)) {
ObDereferenceObject( Thread );
}
if (OriginalThread != NULL) {
ObDereferenceObject(OriginalThread);
}
//
// Return the new handle
//
if (NT_SUCCESS(Status)) {
try { *TokenHandle = LocalHandle; }
except(EXCEPTION_EXECUTE_HANDLER) { return GetExceptionCode(); }
}
return Status;
}
