ReactOS  0.4.15-dev-4871-g4471ee4
NtFilterToken.c
Go to the documentation of this file.
1 /*
2  * PROJECT: ReactOS API tests
3  * LICENSE: GPL-2.0-or-later (https://spdx.org/licenses/GPL-2.0-or-later)
4  * PURPOSE: Tests for the NtFilterToken API
5  * COPYRIGHT: Copyright 2021 George BiČ™oc <george.bisoc@reactos.org>
6  */
7 
8 #include "precomp.h"
9 
10 static
11 HANDLE
13 {
14  BOOL Success;
15  HANDLE Token;
16 
19  &Token);
20  if (!Success)
21  {
22  skip("GetTokenProcess() has failed to get the process' token (error code: %lu)!\n", GetLastError());
23  return NULL;
24  }
25 
26  return Token;
27 }
28 
30 {
32  HANDLE FilteredToken, Token;
33  TOKEN_PRIVILEGES Priv;
34  LUID PrivLuid;
35  ULONG Size;
36  PTOKEN_STATISTICS TokenStats;
37 
38  /* We don't give a token */
40  0,
41  NULL,
42  NULL,
43  NULL,
44  &FilteredToken);
46 
47  /* Get the token from process now */
49 
50  /* We don't give any privileges to delete */
52  0,
53  NULL,
54  NULL,
55  NULL,
56  &FilteredToken);
58 
59  /* Query the total size to hold the statistics */
62  {
63  skip("Failed to query the total size for token statistics structure! (Status -> 0x%lx)\n", Status);
64  return;
65  }
66 
67  /* Total size queried, time to allocate our buffer based on that size */
68  TokenStats = RtlAllocateHeap(RtlGetProcessHeap(), 0, Size);
69  if (TokenStats == NULL)
70  {
71  skip("Failed to allocate our token statistics buffer!\n");
72  return;
73  }
74 
75  /* Time to query our token statistics, prior disabling token's privileges */
77  if (!NT_SUCCESS(Status))
78  {
79  skip("Failed to query the token statistics! (Status -> 0x%lx)\n", Status);
80  return;
81  }
82 
83  trace("Number of privileges before token filtering -- %lu\n\n", TokenStats->PrivilegeCount);
84 
85  /* Disable the privileges and make the token a safer inert one */
88  NULL,
89  NULL,
90  NULL,
91  &FilteredToken);
93 
94  /* We've disabled privileges, query the stats again */
95  Status = NtQueryInformationToken(FilteredToken, TokenStatistics, TokenStats, Size, &Size);
96  if (!NT_SUCCESS(Status))
97  {
98  skip("Failed to query the token statistics! (Status -> 0x%lx)\n", Status);
99  return;
100  }
101 
102  trace("Number of privileges after token filtering (privileges disabled with DISABLE_MAX_PRIVILEGE) -- %lu\n\n", TokenStats->PrivilegeCount);
103 
104  /* Close the filtered token and do another test */
105  CloseHandle(FilteredToken);
106 
107  /* Fill in a privilege to delete */
108  Priv.PrivilegeCount = 1;
109 
111  Priv.Privileges[0].Luid = PrivLuid;
112  Priv.Privileges[0].Attributes = 0;
113 
114  /* Delete the privileges */
116  0,
117  NULL,
118  &Priv,
119  NULL,
120  &FilteredToken);
122 
123  /* We've deleted a privilege, query the stats again */
124  Status = NtQueryInformationToken(FilteredToken, TokenStatistics, TokenStats, Size, &Size);
125  if (!NT_SUCCESS(Status))
126  {
127  skip("Failed to query the token statistics! (Status -> 0x%lx)\n", Status);
128  return;
129  }
130 
131  trace("Number of privileges after token filtering (manually deleted privilege) -- %lu\n\n", TokenStats->PrivilegeCount);
132 
133  /* We're done */
134  RtlFreeHeap(RtlGetProcessHeap(), 0, TokenStats);
136  CloseHandle(FilteredToken);
137 }
START_TEST(NtFilterToken)
Definition: NtFilterToken.c:29
#define CloseHandle
Definition: compat.h:598
LONG NTSTATUS
Definition: precomp.h:26
BOOLEAN NTAPI RtlFreeHeap(IN PVOID HeapHandle, IN ULONG Flags, IN PVOID HeapBase)
Definition: heap.c:606
_IRQL_requires_same_ _In_ PLSA_STRING _In_ SECURITY_LOGON_TYPE _In_ ULONG _In_ ULONG _In_opt_ PTOKEN_GROUPS _In_ PTOKEN_SOURCE _Out_ PVOID _Out_ PULONG _Inout_ PLUID _Out_ PHANDLE Token
NTSTATUS NTAPI NtFilterToken(_In_ HANDLE ExistingTokenHandle, _In_ ULONG Flags, _In_opt_ PTOKEN_GROUPS SidsToDisable, _In_opt_ PTOKEN_PRIVILEGES PrivilegesToDelete, _In_opt_ PTOKEN_GROUPS RestrictedSids, _Out_ PHANDLE NewTokenHandle)
Creates an access token in a restricted form from the original existing token, that is,...
Definition: tokenlif.c:2071
$ULONG PrivilegeCount
Definition: setypes.h:1019
IN PVOID IN PVOID IN USHORT IN USHORT Size
Definition: pci.h:361
DWORD WINAPI GetLastError(VOID)
Definition: except.c:1040
#define ok_hex(expression, result)
Definition: atltest.h:94
#define STATUS_INVALID_HANDLE
Definition: ntstatus.h:245
#define STATUS_BUFFER_TOO_SMALL
Definition: shellext.h:69
unsigned int BOOL
Definition: ntddk_ex.h:94
PVOID NTAPI RtlAllocateHeap(IN PVOID HeapHandle, IN ULONG Flags, IN SIZE_T Size)
Definition: heap.c:588
Status
Definition: gdiplustypes.h:24
_Must_inspect_result_ __kernel_entry NTSTATUS NTAPI NtQueryInformationToken(_In_ HANDLE TokenHandle, _In_ TOKEN_INFORMATION_CLASS TokenInformationClass, _Out_writes_bytes_to_opt_(TokenInformationLength, *ReturnLength) PVOID TokenInformation, _In_ ULONG TokenInformationLength, _Out_ PULONG ReturnLength)
Queries a specific type of information in regard of an access token based upon the information class....
Definition: tokencls.c:473
#define trace
Definition: atltest.h:70
#define TOKEN_QUERY
Definition: setypes.h:924
#define NT_SUCCESS(StatCode)
Definition: apphelp.c:32
#define TOKEN_DUPLICATE
Definition: setypes.h:922
#define GetCurrentProcess()
Definition: compat.h:618
static HANDLE GetTokenProcess(VOID)
Definition: NtFilterToken.c:12
$ULONG PrivilegeCount
Definition: setypes.h:1090
#define NULL
Definition: types.h:112
BOOL WINAPI OpenProcessToken(HANDLE ProcessHandle, DWORD DesiredAccess, PHANDLE TokenHandle)
Definition: security.c:296
#define DISABLE_MAX_PRIVILEGE
Definition: setypes.h:114
LUID_AND_ATTRIBUTES Privileges[ANYSIZE_ARRAY]
Definition: setypes.h:1020
#define skip(...)
Definition: atltest.h:64
unsigned int ULONG
Definition: retypes.h:1
#define SE_BACKUP_PRIVILEGE
Definition: security.c:671
#define ConvertPrivLongToLuid(PrivilegeVal, ConvertedPrivLuid)
Definition: precomp.h:44
#define SANDBOX_INERT
Definition: setypes.h:115
#define STATUS_SUCCESS
Definition: shellext.h:65