ReactOS 0.4.15-dev-5893-g1bb4167
NtFilterToken.c
Go to the documentation of this file.
1/*
2 * PROJECT: ReactOS API tests
3 * LICENSE: GPL-2.0-or-later (https://spdx.org/licenses/GPL-2.0-or-later)
4 * PURPOSE: Tests for the NtFilterToken API
5 * COPYRIGHT: Copyright 2021 George Bișoc <george.bisoc@reactos.org>
6 */
7
8#include "precomp.h"
9
10static
13{
16
19 &Token);
20 if (!Success)
21 {
22 skip("GetTokenProcess() has failed to get the process' token (error code: %lu)!\n", GetLastError());
23 return NULL;
24 }
25
26 return Token;
27}
28
30{
32 HANDLE FilteredToken, Token;
34 LUID PrivLuid;
35 ULONG Size;
36 PTOKEN_STATISTICS TokenStats;
37
38 /* We don't give a token */
40 0,
41 NULL,
42 NULL,
43 NULL,
44 &FilteredToken);
46
47 /* Get the token from process now */
49
50 /* We don't give any privileges to delete */
52 0,
53 NULL,
54 NULL,
55 NULL,
56 &FilteredToken);
58
59 /* Query the total size to hold the statistics */
62 {
63 skip("Failed to query the total size for token statistics structure! (Status -> 0x%lx)\n", Status);
64 return;
65 }
66
67 /* Total size queried, time to allocate our buffer based on that size */
68 TokenStats = RtlAllocateHeap(RtlGetProcessHeap(), 0, Size);
69 if (TokenStats == NULL)
70 {
71 skip("Failed to allocate our token statistics buffer!\n");
72 return;
73 }
74
75 /* Time to query our token statistics, prior disabling token's privileges */
77 if (!NT_SUCCESS(Status))
78 {
79 skip("Failed to query the token statistics! (Status -> 0x%lx)\n", Status);
80 return;
81 }
82
83 trace("Number of privileges before token filtering -- %lu\n\n", TokenStats->PrivilegeCount);
84
85 /* Disable the privileges and make the token a safer inert one */
88 NULL,
89 NULL,
90 NULL,
91 &FilteredToken);
93
94 /* We've disabled privileges, query the stats again */
95 Status = NtQueryInformationToken(FilteredToken, TokenStatistics, TokenStats, Size, &Size);
96 if (!NT_SUCCESS(Status))
97 {
98 skip("Failed to query the token statistics! (Status -> 0x%lx)\n", Status);
99 return;
100 }
101
102 trace("Number of privileges after token filtering (privileges disabled with DISABLE_MAX_PRIVILEGE) -- %lu\n\n", TokenStats->PrivilegeCount);
103
104 /* Close the filtered token and do another test */
105 CloseHandle(FilteredToken);
106
107 /* Fill in a privilege to delete */
108 Priv.PrivilegeCount = 1;
109
111 Priv.Privileges[0].Luid = PrivLuid;
112 Priv.Privileges[0].Attributes = 0;
113
114 /* Delete the privileges */
116 0,
117 NULL,
118 &Priv,
119 NULL,
120 &FilteredToken);
122
123 /* We've deleted a privilege, query the stats again */
124 Status = NtQueryInformationToken(FilteredToken, TokenStatistics, TokenStats, Size, &Size);
125 if (!NT_SUCCESS(Status))
126 {
127 skip("Failed to query the token statistics! (Status -> 0x%lx)\n", Status);
128 return;
129 }
130
131 trace("Number of privileges after token filtering (manually deleted privilege) -- %lu\n\n", TokenStats->PrivilegeCount);
132
133 /* We're done */
134 RtlFreeHeap(RtlGetProcessHeap(), 0, TokenStats);
136 CloseHandle(FilteredToken);
137}
static HANDLE GetTokenProcess(VOID)
Definition: NtFilterToken.c:12
#define ok_hex(expression, result)
Definition: atltest.h:94
#define trace
Definition: atltest.h:70
#define skip(...)
Definition: atltest.h:64
#define START_TEST(x)
Definition: atltest.h:75
LONG NTSTATUS
Definition: precomp.h:26
PVOID NTAPI RtlAllocateHeap(IN PVOID HeapHandle, IN ULONG Flags, IN SIZE_T Size)
Definition: heap.c:588
BOOLEAN NTAPI RtlFreeHeap(IN PVOID HeapHandle, IN ULONG Flags, IN PVOID HeapBase)
Definition: heap.c:606
#define NULL
Definition: types.h:112
#define NT_SUCCESS(StatCode)
Definition: apphelp.c:32
BOOL WINAPI OpenProcessToken(HANDLE ProcessHandle, DWORD DesiredAccess, PHANDLE TokenHandle)
Definition: security.c:296
#define CloseHandle
Definition: compat.h:739
#define GetCurrentProcess()
Definition: compat.h:759
@ Success
Definition: eventcreate.c:712
unsigned int BOOL
Definition: ntddk_ex.h:94
Status
Definition: gdiplustypes.h:25
#define ConvertPrivLongToLuid(PrivilegeVal, ConvertedPrivLuid)
Definition: precomp.h:44
#define SE_BACKUP_PRIVILEGE
Definition: security.c:671
#define DISABLE_MAX_PRIVILEGE
Definition: setypes.h:114
#define SANDBOX_INERT
Definition: setypes.h:115
#define STATUS_INVALID_HANDLE
Definition: ntstatus.h:245
#define STATUS_SUCCESS
Definition: shellext.h:65
#define STATUS_BUFFER_TOO_SMALL
Definition: shellext.h:69
$ULONG PrivilegeCount
Definition: setypes.h:1019
LUID_AND_ATTRIBUTES Privileges[ANYSIZE_ARRAY]
Definition: setypes.h:1020
$ULONG PrivilegeCount
Definition: setypes.h:1090
_Must_inspect_result_ __kernel_entry NTSTATUS NTAPI NtQueryInformationToken(_In_ HANDLE TokenHandle, _In_ TOKEN_INFORMATION_CLASS TokenInformationClass, _Out_writes_bytes_to_opt_(TokenInformationLength, *ReturnLength) PVOID TokenInformation, _In_ ULONG TokenInformationLength, _Out_ PULONG ReturnLength)
Queries a specific type of information in regard of an access token based upon the information class....
Definition: tokencls.c:473
NTSTATUS NTAPI NtFilterToken(_In_ HANDLE ExistingTokenHandle, _In_ ULONG Flags, _In_opt_ PTOKEN_GROUPS SidsToDisable, _In_opt_ PTOKEN_PRIVILEGES PrivilegesToDelete, _In_opt_ PTOKEN_GROUPS RestrictedSids, _Out_ PHANDLE NewTokenHandle)
Creates an access token in a restricted form from the original existing token, that is,...
Definition: tokenlif.c:2071
uint32_t ULONG
Definition: typedefs.h:59
_Must_inspect_result_ _In_ WDFDEVICE _In_ PWDF_DEVICE_PROPERTY_DATA _In_ DEVPROPTYPE _In_ ULONG Size
Definition: wdfdevice.h:4533
DWORD WINAPI GetLastError(void)
Definition: except.c:1040
#define TOKEN_DUPLICATE
Definition: setypes.h:922
#define TOKEN_QUERY
Definition: setypes.h:924
@ TokenStatistics
Definition: setypes.h:971