#include <windows.h>
#include <stdlib.h>
#include <ndk/ntndk.h>
#include <ddk/ntddk.h>
#include <stdio.h>

Include dependency graph for tokentest.c:

Classes
struct	_SID_2

Typedefs
typedef struct _SID_2	SID_2

Functions
void	PrintSid (SID_AND_ATTRIBUTES pSid, TOKEN_OWNER pOwner, TOKEN_PRIMARY_GROUP *pPrimary)

void	DisplayTokenSids (TOKEN_USER pUser, TOKEN_GROUPS pGroups, TOKEN_OWNER pOwner, TOKEN_PRIMARY_GROUP pPrimary)

void	DisplayTokenPrivileges (TOKEN_PRIVILEGES *pPriv)

void	DisplayDacl (PACL pAcl)

PVOID	GetFromToken (HANDLE hToken, TOKEN_INFORMATION_CLASS tic)

void	DisplayToken (HANDLE hTokenSource)

BOOL	EnablePrivilege (LPWSTR wszName)

NTSTATUS	CreateInitialSystemToken (HANDLE *phSystemToken)

int	main (int argc, char *argv[])

Variables
LUID_AND_ATTRIBUTES	InitialPrivilegeSet []

Macro Definition Documentation

◆ _UNICODE

#define _UNICODE

Definition at line 2 of file tokentest.c.

◆ ANONYMOUSUNIONS

#define ANONYMOUSUNIONS

Definition at line 4 of file tokentest.c.

◆ INCLUDE_THE_DDK_HEADERS

#define INCLUDE_THE_DDK_HEADERS

Definition at line 12 of file tokentest.c.

◆ INITIAL_PRIV_DISABLED

#define INITIAL_PRIV_DISABLED 0

Definition at line 118 of file tokentest.c.

◆ INITIAL_PRIV_ENABLED

#define INITIAL_PRIV_ENABLED SE_PRIVILEGE_ENABLED_BY_DEFAULT|SE_PRIVILEGE_ENABLED

Definition at line 117 of file tokentest.c.

◆ NTOS_MODE_USER

#define NTOS_MODE_USER

Definition at line 8 of file tokentest.c.

◆ ROS_ACE

#define ROS_ACE ACE

Definition at line 16 of file tokentest.c.

◆ ROS_ACE_HEADER

#define ROS_ACE_HEADER ACE_HEADER

Definition at line 15 of file tokentest.c.

◆ UNICODE

#define UNICODE

Definition at line 1 of file tokentest.c.

Typedef Documentation

◆ SID_2

typedef struct _SID_2 SID_2

Function Documentation

◆ CreateInitialSystemToken()

NTSTATUS CreateInitialSystemToken ( HANDLE * phSystemToken )

Definition at line 342 of file tokentest.c.

{
    static SID   sidSystem            = { 1, 1, {SECURITY_NT_AUTHORITY}, {SECURITY_LOCAL_SYSTEM_RID} };
    static SID   sidEveryone          = { 1, 1, {SECURITY_WORLD_SID_AUTHORITY}, {SECURITY_WORLD_RID} };
    static SID   sidAuthenticatedUser = { 1, 1, {SECURITY_NT_AUTHORITY}, {SECURITY_AUTHENTICATED_USER_RID} };
    static SID_2 sidAdministrators    = { 1, 2, {SECURITY_NT_AUTHORITY}, {SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS} };
    static const int nGroupCount = 3;
 
    NTSTATUS status;
    ULONG uSize;
    DWORD i;
 
    TOKEN_USER          tkUser;
    TOKEN_OWNER         tkDefaultOwner;
    TOKEN_PRIMARY_GROUP tkPrimaryGroup;
 
    TOKEN_GROUPS*       ptkGroups = 0;
    TOKEN_PRIVILEGES*   ptkPrivileges = 0;
    TOKEN_DEFAULT_DACL  tkDefaultDacl = { 0 };
 
    LARGE_INTEGER tkExpiration;
 
    LUID authId = SYSTEM_LUID;
 
    TOKEN_SOURCE source =
    {
        { '*', '*', 'A', 'N', 'O', 'N', '*', '*' },
        {0, 0}
    };
 
    SECURITY_QUALITY_OF_SERVICE sqos =
    {
        sizeof(sqos),
        SecurityAnonymous,
        SECURITY_STATIC_TRACKING,
        FALSE
    };
 
    OBJECT_ATTRIBUTES oa =
    {
        sizeof(oa),
        0,
        0,
        0,
        0,
        &sqos
    };
 
    tkExpiration.QuadPart = -1;
    status = ZwAllocateLocallyUniqueId(&source.SourceIdentifier);
    if ( status != 0 )
        return status;
 
    tkUser.User.Sid = &sidSystem;
    tkUser.User.Attributes = 0;
 
    // Under WinXP (the only MS OS I've tested) ZwCreateToken()
    // squawks if we use sidAdministrators here -- though running
    // a progrem under AT and using the DisplayToken() function
    // shows that the system token does default ownership to
    // Administrator.
 
    // For now, default ownership to system, since that works
    tkDefaultOwner.Owner = &sidSystem;
    tkPrimaryGroup.PrimaryGroup = &sidSystem;
 
    uSize = sizeof(TOKEN_GROUPS) - sizeof(ptkGroups->Groups);
    uSize += sizeof(SID_AND_ATTRIBUTES) * nGroupCount;
 
    ptkGroups = (TOKEN_GROUPS*) malloc(uSize);
    ptkGroups->GroupCount = nGroupCount;
 
    ptkGroups->Groups[0].Sid = (SID*) &sidAdministrators;
    ptkGroups->Groups[0].Attributes = SE_GROUP_ENABLED;
 
    ptkGroups->Groups[1].Sid = &sidEveryone;
    ptkGroups->Groups[1].Attributes = SE_GROUP_ENABLED|SE_GROUP_ENABLED_BY_DEFAULT|SE_GROUP_MANDATORY;
 
    ptkGroups->Groups[2].Sid = &sidAuthenticatedUser;
    ptkGroups->Groups[2].Attributes = SE_GROUP_ENABLED|SE_GROUP_ENABLED_BY_DEFAULT|SE_GROUP_MANDATORY;
 
    uSize = sizeof(TOKEN_PRIVILEGES) - sizeof(ptkPrivileges->Privileges);
    uSize += sizeof(LUID_AND_ATTRIBUTES) * sizeof(InitialPrivilegeSet) / sizeof(InitialPrivilegeSet[0]);
    ptkPrivileges = (TOKEN_PRIVILEGES*) malloc(uSize);
    ptkPrivileges->PrivilegeCount = sizeof(InitialPrivilegeSet) / sizeof(InitialPrivilegeSet[0]);
    for (i = 0; i < ptkPrivileges->PrivilegeCount; i++)
    {
        ptkPrivileges->Privileges[i].Luid.HighPart = InitialPrivilegeSet[i].Luid.HighPart;
        ptkPrivileges->Privileges[i].Luid.LowPart = InitialPrivilegeSet[i].Luid.LowPart;
        ptkPrivileges->Privileges[i].Attributes = InitialPrivilegeSet[i].Attributes;
    }
 
    // Calculate the length needed for the ACL
    uSize = sizeof(ACL);
    uSize += sizeof(ACE) + sizeof(sidSystem);
    uSize += sizeof(ACE) + sizeof(sidAdministrators);
    uSize = (uSize & (~3)) + 8;
    tkDefaultDacl.DefaultDacl = (PACL) malloc(uSize);
 
    status = RtlCreateAcl(tkDefaultDacl.DefaultDacl, uSize, ACL_REVISION);
    if ( ! NT_SUCCESS(status) )
        printf("RtlCreateAcl() failed: 0x%08x\n", status);
 
    status = RtlAddAccessAllowedAce(tkDefaultDacl.DefaultDacl, ACL_REVISION, GENERIC_ALL, &sidSystem);
    if ( ! NT_SUCCESS(status) )
        printf("RtlAddAccessAllowedAce() failed: 0x%08x\n", status);
 
    status = RtlAddAccessAllowedAce(tkDefaultDacl.DefaultDacl, ACL_REVISION, GENERIC_READ|GENERIC_EXECUTE|READ_CONTROL, (PSID) &sidAdministrators);
    if ( ! NT_SUCCESS(status) )
        printf("RtlAddAccessAllowedAce() failed: 0x%08x\n", status);
 
    printf("Parameters being passed into ZwCreateToken:\n\n");
    DisplayTokenSids(&tkUser, ptkGroups, &tkDefaultOwner, &tkPrimaryGroup);
    DisplayDacl(tkDefaultDacl.DefaultDacl);
 
    printf("Calling ZwCreateToken()...\n");
    status = ZwCreateToken(phSystemToken,
                           TOKEN_ALL_ACCESS,
                           &oa,
                           TokenPrimary,
                           &authId,
                           &tkExpiration,
                           &tkUser,
                           ptkGroups,
                           ptkPrivileges,
                           &tkDefaultOwner,
                           &tkPrimaryGroup,
                           &tkDefaultDacl,
                           &source);
 
    // Cleanup
    free(ptkGroups);
    free(ptkPrivileges);
    free(tkDefaultDacl.DefaultDacl);
 
    return status;
}

Referenced by main().

◆ DisplayDacl()

void DisplayDacl ( PACL pAcl )

Definition at line 231 of file tokentest.c.

{
    DWORD i;
    NTSTATUS status;
 
    if ( ! pAcl )
    {
        printf("\nNo Default Dacl.\n");
        return;
    }
 
    printf("\nDacl:\n");
    for (i = 0; i < pAcl->AceCount; i++)
    {
        UNICODE_STRING scSid;
        ROS_ACE* pAce;
        LPWSTR wszType = 0;
        PSID pSid;
 
        status = RtlGetAce(pAcl, i, (ROS_ACE**) &pAce);
        if ( ! NT_SUCCESS(status) )
        {
            printf("RtlGetAce(): status = 0x%08x\n", status);
            break;
        }
 
        pSid = (PSID) (pAce + 1);
        if ( pAce->Header.AceType == ACCESS_ALLOWED_ACE_TYPE )
            wszType = L"allow";
        if ( pAce->Header.AceType == ACCESS_DENIED_ACE_TYPE )
            wszType = L"deny ";
 
        status = RtlConvertSidToUnicodeString(&scSid, pSid, TRUE);
        if ( ! NT_SUCCESS(status) )
        {
            printf("RtlConvertSidToUnicodeString(): status = 0x%08x\n", status);
            break;
        }
 
        printf("%d.) %S %wZ 0x%08x\n", i, wszType, &scSid, pAce->AccessMask);
        LocalFree(scSid.Buffer);
    }
}

Referenced by CreateInitialSystemToken(), and DisplayToken().

◆ DisplayToken()

void DisplayToken ( HANDLE hTokenSource )

Definition at line 300 of file tokentest.c.

{
    TOKEN_USER*          pTokenUser         = (PTOKEN_USER)          GetFromToken(hTokenSource, TokenUser);
    TOKEN_GROUPS*        pTokenGroups       = (PTOKEN_GROUPS)        GetFromToken(hTokenSource, TokenGroups);
    TOKEN_OWNER*         pTokenOwner        = (PTOKEN_OWNER)         GetFromToken(hTokenSource, TokenOwner);
    TOKEN_PRIMARY_GROUP* pTokenPrimaryGroup = (PTOKEN_PRIMARY_GROUP) GetFromToken(hTokenSource, TokenPrimaryGroup);
    TOKEN_PRIVILEGES*    pTokenPrivileges   = (PTOKEN_PRIVILEGES)    GetFromToken(hTokenSource, TokenPrivileges);
    TOKEN_DEFAULT_DACL*  pTokenDefaultDacl  = (PTOKEN_DEFAULT_DACL)  GetFromToken(hTokenSource, TokenDefaultDacl);
 
    DisplayTokenSids(pTokenUser, pTokenGroups, pTokenOwner, pTokenPrimaryGroup);
    // DisplayTokenPrivileges(pTokenPrivileges);
    DisplayDacl(pTokenDefaultDacl->DefaultDacl);
 
    free(pTokenUser);
    free(pTokenGroups);
    free(pTokenOwner);
    free(pTokenPrimaryGroup);
    free(pTokenPrivileges);
    free(pTokenDefaultDacl);
}

Referenced by main().

◆ DisplayTokenPrivileges()

void DisplayTokenPrivileges ( TOKEN_PRIVILEGES * pPriv )

Definition at line 205 of file tokentest.c.

{
    WCHAR buffer[256];
    DWORD i;
 
    printf("\nprivileges:\n");
    for (i = 0; i < pPriv->PrivilegeCount; i++)
    {
        DWORD cbName = sizeof(buffer) / sizeof(buffer[0]);
        LookupPrivilegeName(0, &pPriv->Privileges[i].Luid, buffer, &cbName);
 
        printf("%S{0x%08x, 0x%08x} [", buffer, pPriv->Privileges[i].Luid.HighPart, pPriv->Privileges[i].Luid.LowPart);
 
        if ( pPriv->Privileges[i].Attributes & SE_PRIVILEGE_ENABLED )
            printf("enabled,");
        if ( pPriv->Privileges[i].Attributes & SE_PRIVILEGE_ENABLED_BY_DEFAULT )
            printf("default,");
        if ( pPriv->Privileges[i].Attributes & SE_PRIVILEGE_USED_FOR_ACCESS )
            printf("used");
 
        printf("]\n");
    }
}

◆ DisplayTokenSids()

void DisplayTokenSids	(	TOKEN_USER *	pUser,
		TOKEN_GROUPS *	pGroups,
		TOKEN_OWNER *	pOwner,
		TOKEN_PRIMARY_GROUP *	pPrimary
	)

Definition at line 189 of file tokentest.c.

{
    DWORD i;
 
    printf("\nSids:\n");
    PrintSid(&pUser->User, pOwner, pPrimary);
    printf("\nGroups:\n");
    for (i = 0; i < pGroups->GroupCount; i++)
        PrintSid(&pGroups->Groups[i], pOwner, pPrimary);
}

Referenced by CreateInitialSystemToken(), and DisplayToken().

◆ EnablePrivilege()

BOOL EnablePrivilege ( LPWSTR wszName )

Definition at line 323 of file tokentest.c.

{
    HANDLE hToken;
    TOKEN_PRIVILEGES priv = {1, {{{0, 0}, SE_PRIVILEGE_ENABLED}}};
    BOOL bResult;
 
    LookupPrivilegeValue(0, wszName, &priv.Privileges[0].Luid);
 
    OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken);
 
    AdjustTokenPrivileges(hToken, FALSE, &priv, sizeof priv, 0, 0);
    bResult = GetLastError() == ERROR_SUCCESS;
 
    CloseHandle(hToken);
    return bResult;
}

Referenced by main().

◆ GetFromToken()

PVOID GetFromToken	(	HANDLE	hToken,
		TOKEN_INFORMATION_CLASS	tic
	)

Definition at line 277 of file tokentest.c.

{
    BOOL bResult;
    DWORD n;
    PBYTE p = 0;
 
    bResult = GetTokenInformation(hToken, tic, 0, 0, &n);
    if ( ! bResult && GetLastError() != ERROR_INSUFFICIENT_BUFFER)
        return 0;
 
    p = (PBYTE) malloc(n);
    if ( ! GetTokenInformation(hToken, tic, p, n, &n) )
    {
        printf("GetFromToken() failed for TOKEN_INFORMATION_CLASS(%d): %d\n", tic, GetLastError());
        free(p);
        return 0;
    }
 
    return p;
}

Referenced by DisplayToken().

◆ main()

int main	(	int argc	,
		char *	argv[]
	)

Definition at line 482 of file tokentest.c.

{
    NTSTATUS Status;
    HANDLE hSystemToken;
    CHAR buffer[512];
    HANDLE hOurToken;
 
        printf("Current process Token:\n");
 
        Status=ZwOpenProcessToken(GetCurrentProcess(), TOKEN_QUERY|TOKEN_QUERY_SOURCE, &hOurToken);
    if ( NT_SUCCESS(Status) )
    {
      DisplayToken(hOurToken);
      CloseHandle(hOurToken);
    }
    else
    {
      printf("ZwOpenProcessToken() failed: 0x%08x\n", Status);
    }
 
//#define ENABLE_PRIVILEGE
#ifdef ENABLE_PRIVILEGE
    EnablePrivilege(SE_CREATE_TOKEN_NAME);
#endif
 
    // Now do the other one
    Status = CreateInitialSystemToken(&hSystemToken);
    if ( NT_SUCCESS(Status) )
    {
        printf("System Token: 0x%08x\n", hSystemToken);
        DisplayToken(hSystemToken);
        CloseHandle(hSystemToken);
    }
    else
    {
        printf("CreateInitialSystemToken() return: 0x%08x\n", Status);
    }
 
    printf("press return");
    gets(buffer);
 
    return 0;
}

◆ PrintSid()

void PrintSid	(	SID_AND_ATTRIBUTES *	pSid,
		TOKEN_OWNER *	pOwner,
		TOKEN_PRIMARY_GROUP *	pPrimary
	)

Definition at line 155 of file tokentest.c.

{
    UNICODE_STRING scSid;
 
    RtlConvertSidToUnicodeString(&scSid, pSid->Sid, TRUE);
    printf("%wZ [", &scSid);
    LocalFree(scSid.Buffer);
 
    if ( EqualSid(pSid->Sid, pOwner->Owner) )
        printf("owner,");
 
    if ( EqualSid(pSid->Sid, pPrimary->PrimaryGroup) )
        printf("primary,");
 
    if ( pSid->Attributes & SE_GROUP_ENABLED )
    {
        if ( pSid->Attributes & SE_GROUP_ENABLED_BY_DEFAULT )
            printf("enabled-default,");
        else
            printf("enabled,");
    }
 
    if ( pSid->Attributes & SE_GROUP_LOGON_ID )
        printf("logon,");
 
 
    if ( pSid->Attributes & SE_GROUP_MANDATORY )
        printf("mandatory,");
 
    printf("]\n");
}

Referenced by DisplayTokenSids().

Variable Documentation

◆ InitialPrivilegeSet

LUID_AND_ATTRIBUTES InitialPrivilegeSet[]

Initial value:

=
{
    { { 0x00000007, 0x00000000 }, INITIAL_PRIV_ENABLED  },  
    { { 0x00000002, 0x00000000 }, INITIAL_PRIV_DISABLED },  
    { { 0x00000009, 0x00000000 }, INITIAL_PRIV_DISABLED },  
    { { 0x0000000f, 0x00000000 }, INITIAL_PRIV_ENABLED  },  
    { { 0x00000004, 0x00000000 }, INITIAL_PRIV_ENABLED  },  
    { { 0x00000003, 0x00000000 }, INITIAL_PRIV_DISABLED },  
    { { 0x00000005, 0x00000000 }, INITIAL_PRIV_DISABLED },  
    { { 0x0000000e, 0x00000000 }, INITIAL_PRIV_ENABLED  },  
    { { 0x00000010, 0x00000000 }, INITIAL_PRIV_ENABLED  },  
    { { 0x00000014, 0x00000000 }, INITIAL_PRIV_ENABLED  },  
    { { 0x00000015, 0x00000000 }, INITIAL_PRIV_ENABLED  },  
    { { 0x00000008, 0x00000000 }, INITIAL_PRIV_DISABLED },  
    { { 0x00000016, 0x00000000 }, INITIAL_PRIV_DISABLED },  
    { { 0x00000017, 0x00000000 }, INITIAL_PRIV_ENABLED  },  
    { { 0x00000011, 0x00000000 }, INITIAL_PRIV_DISABLED },  
    { { 0x00000012, 0x00000000 }, INITIAL_PRIV_DISABLED },  
    { { 0x00000013, 0x00000000 }, INITIAL_PRIV_DISABLED },  
    { { 0x0000000a, 0x00000000 }, INITIAL_PRIV_DISABLED },  
    { { 0x0000000d, 0x00000000 }, INITIAL_PRIV_ENABLED  },  
    { { 0x0000000c, 0x00000000 }, INITIAL_PRIV_DISABLED },  
    { { 0x00000019, 0x00000000 }, INITIAL_PRIV_DISABLED },  
    { { 0x0000001c, 0x00000000 }, INITIAL_PRIV_DISABLED },  
}

Definition at line 119 of file tokentest.c.

Referenced by CreateInitialSystemToken().

Macros
#define	UNICODE

#define	_UNICODE

#define	ANONYMOUSUNIONS

#define	NTOS_MODE_USER

#define	INCLUDE_THE_DDK_HEADERS

#define	ROS_ACE_HEADER ACE_HEADER

#define	ROS_ACE ACE

#define	INITIAL_PRIV_ENABLED SE_PRIVILEGE_ENABLED_BY_DEFAULT\|SE_PRIVILEGE_ENABLED

#define	INITIAL_PRIV_DISABLED 0

Classes

Macros

Typedefs

Functions

Variables

Macro Definition Documentation

◆ _UNICODE

◆ ANONYMOUSUNIONS

◆ INCLUDE_THE_DDK_HEADERS

◆ INITIAL_PRIV_DISABLED

◆ INITIAL_PRIV_ENABLED

◆ NTOS_MODE_USER

◆ ROS_ACE

◆ ROS_ACE_HEADER

◆ UNICODE

Typedef Documentation

◆ SID_2

Function Documentation

◆ CreateInitialSystemToken()

◆ DisplayDacl()

◆ DisplayToken()

◆ DisplayTokenPrivileges()

◆ DisplayTokenSids()

◆ EnablePrivilege()

◆ GetFromToken()

◆ main()

◆ PrintSid()

Variable Documentation

◆ InitialPrivilegeSet