ReactOS 0.4.15-dev-8109-gd7be748
NtFilterToken.c
Go to the documentation of this file.
1/*
2 * PROJECT: ReactOS API tests
3 * LICENSE: GPL-2.0-or-later (https://spdx.org/licenses/GPL-2.0-or-later)
4 * PURPOSE: Tests for the NtFilterToken API
5 * COPYRIGHT: Copyright 2021 George Bișoc <george.bisoc@reactos.org>
6 */
7
8#include "precomp.h"
9
10static
13{
16
19 &Token);
20 if (!Success)
21 {
22 skip("GetTokenProcess() has failed to get the process' token (error code: %lu)!\n", GetLastError());
23 return NULL;
24 }
25
26 return Token;
27}
28
30{
32 HANDLE FilteredToken, Token;
34 ULONG Size;
35 PTOKEN_STATISTICS TokenStats;
36
37 /* We don't give a token */
39 0,
40 NULL,
41 NULL,
42 NULL,
43 &FilteredToken);
45
46 /* Get the token from process now */
48
49 /* We don't give any privileges to delete */
51 0,
52 NULL,
53 NULL,
54 NULL,
55 &FilteredToken);
57
58 /* Query the total size to hold the statistics */
61 {
62 skip("Failed to query the total size for token statistics structure! (Status -> 0x%lx)\n", Status);
63 return;
64 }
65
66 /* Total size queried, time to allocate our buffer based on that size */
67 TokenStats = RtlAllocateHeap(RtlGetProcessHeap(), 0, Size);
68 if (TokenStats == NULL)
69 {
70 skip("Failed to allocate our token statistics buffer!\n");
71 return;
72 }
73
74 /* Time to query our token statistics, prior disabling token's privileges */
76 if (!NT_SUCCESS(Status))
77 {
78 skip("Failed to query the token statistics! (Status -> 0x%lx)\n", Status);
79 return;
80 }
81
82 trace("Number of privileges before token filtering -- %lu\n\n", TokenStats->PrivilegeCount);
83
84 /* Disable the privileges and make the token a safer inert one */
87 NULL,
88 NULL,
89 NULL,
90 &FilteredToken);
92
93 /* We've disabled privileges, query the stats again */
94 Status = NtQueryInformationToken(FilteredToken, TokenStatistics, TokenStats, Size, &Size);
95 if (!NT_SUCCESS(Status))
96 {
97 skip("Failed to query the token statistics! (Status -> 0x%lx)\n", Status);
98 return;
99 }
100
101 trace("Number of privileges after token filtering (privileges disabled with DISABLE_MAX_PRIVILEGE) -- %lu\n\n", TokenStats->PrivilegeCount);
102
103 /* Close the filtered token and do another test */
104 CloseHandle(FilteredToken);
105
106 /* Fill in a privilege to delete */
107 Priv.PrivilegeCount = 1;
108
110 Priv.Privileges[0].Attributes = 0;
111
112 /* Delete the privileges */
114 0,
115 NULL,
116 &Priv,
117 NULL,
118 &FilteredToken);
120
121 /* We've deleted a privilege, query the stats again */
122 Status = NtQueryInformationToken(FilteredToken, TokenStatistics, TokenStats, Size, &Size);
123 if (!NT_SUCCESS(Status))
124 {
125 skip("Failed to query the token statistics! (Status -> 0x%lx)\n", Status);
126 return;
127 }
128
129 trace("Number of privileges after token filtering (manually deleted privilege) -- %lu\n\n", TokenStats->PrivilegeCount);
130
131 /* We're done */
132 RtlFreeHeap(RtlGetProcessHeap(), 0, TokenStats);
134 CloseHandle(FilteredToken);
135}
static HANDLE GetTokenProcess(VOID)
Definition: NtFilterToken.c:12
#define ok_hex(expression, result)
Definition: atltest.h:94
#define trace
Definition: atltest.h:70
#define skip(...)
Definition: atltest.h:64
#define START_TEST(x)
Definition: atltest.h:75
LONG NTSTATUS
Definition: precomp.h:26
PVOID NTAPI RtlAllocateHeap(IN PVOID HeapHandle, IN ULONG Flags, IN SIZE_T Size)
Definition: heap.c:590
BOOLEAN NTAPI RtlFreeHeap(IN PVOID HeapHandle, IN ULONG Flags, IN PVOID HeapBase)
Definition: heap.c:608
#define NULL
Definition: types.h:112
#define NT_SUCCESS(StatCode)
Definition: apphelp.c:32
BOOL WINAPI OpenProcessToken(HANDLE ProcessHandle, DWORD DesiredAccess, PHANDLE TokenHandle)
Definition: security.c:294
#define CloseHandle
Definition: compat.h:739
#define GetCurrentProcess()
Definition: compat.h:759
@ Success
Definition: eventcreate.c:712
unsigned int BOOL
Definition: ntddk_ex.h:94
Status
Definition: gdiplustypes.h:25
#define SE_BACKUP_PRIVILEGE
Definition: security.c:671
#define DISABLE_MAX_PRIVILEGE
Definition: setypes.h:114
#define SANDBOX_INERT
Definition: setypes.h:115
#define STATUS_INVALID_HANDLE
Definition: ntstatus.h:245
#define STATUS_SUCCESS
Definition: shellext.h:65
#define STATUS_BUFFER_TOO_SMALL
Definition: shellext.h:69
$ULONG PrivilegeCount
Definition: setypes.h:1023
LUID_AND_ATTRIBUTES Privileges[ANYSIZE_ARRAY]
Definition: setypes.h:1024
$ULONG PrivilegeCount
Definition: setypes.h:1094
_Must_inspect_result_ __kernel_entry NTSTATUS NTAPI NtQueryInformationToken(_In_ HANDLE TokenHandle, _In_ TOKEN_INFORMATION_CLASS TokenInformationClass, _Out_writes_bytes_to_opt_(TokenInformationLength, *ReturnLength) PVOID TokenInformation, _In_ ULONG TokenInformationLength, _Out_ PULONG ReturnLength)
Queries a specific type of information in regard of an access token based upon the information class....
Definition: tokencls.c:473
NTSTATUS NTAPI NtFilterToken(_In_ HANDLE ExistingTokenHandle, _In_ ULONG Flags, _In_opt_ PTOKEN_GROUPS SidsToDisable, _In_opt_ PTOKEN_PRIVILEGES PrivilegesToDelete, _In_opt_ PTOKEN_GROUPS RestrictedSids, _Out_ PHANDLE NewTokenHandle)
Creates an access token in a restricted form from the original existing token, that is,...
Definition: tokenlif.c:2075
uint32_t ULONG
Definition: typedefs.h:59
_Must_inspect_result_ _In_ WDFDEVICE _In_ PWDF_DEVICE_PROPERTY_DATA _In_ DEVPROPTYPE _In_ ULONG Size
Definition: wdfdevice.h:4533
DWORD WINAPI GetLastError(void)
Definition: except.c:1042
FORCEINLINE LUID NTAPI_INLINE RtlConvertUlongToLuid(_In_ ULONG Val)
Definition: rtlfuncs.h:3541
#define TOKEN_DUPLICATE
Definition: setypes.h:926
#define TOKEN_QUERY
Definition: setypes.h:928
@ TokenStatistics
Definition: setypes.h:975