ReactOS  0.4.13-dev-39-g8b6696f
security.c File Reference
#include <ntoskrnl.h>
#include <debug.h>
Include dependency graph for security.c:

Go to the source code of this file.

Macros

#define NDEBUG
 

Functions

VOID NTAPI SeAssignPrimaryToken (IN PEPROCESS Process, IN PTOKEN Token)
 
VOID NTAPI PspDeleteProcessSecurity (IN PEPROCESS Process)
 
VOID NTAPI PspDeleteThreadSecurity (IN PETHREAD Thread)
 
NTSTATUS NTAPI PspInitializeProcessSecurity (IN PEPROCESS Process, IN PEPROCESS Parent OPTIONAL)
 
NTSTATUS NTAPI PspWriteTebImpersonationInfo (IN PETHREAD Thread, IN PETHREAD CurrentThread)
 
NTSTATUS NTAPI PspAssignPrimaryToken (IN PEPROCESS Process, IN HANDLE Token, IN PACCESS_TOKEN AccessToken OPTIONAL)
 
NTSTATUS NTAPI PspSetPrimaryToken (IN PEPROCESS Process, IN HANDLE TokenHandle OPTIONAL, IN PACCESS_TOKEN Token OPTIONAL)
 
NTSTATUS NTAPI NtOpenProcessToken (IN HANDLE ProcessHandle, IN ACCESS_MASK DesiredAccess, OUT PHANDLE TokenHandle)
 
NTSTATUS NTAPI NtOpenProcessTokenEx (IN HANDLE ProcessHandle, IN ACCESS_MASK DesiredAccess, IN ULONG HandleAttributes, OUT PHANDLE TokenHandle)
 
PACCESS_TOKEN NTAPI PsReferencePrimaryToken (PEPROCESS Process)
 
NTSTATUS NTAPI PsOpenTokenOfProcess (IN HANDLE ProcessHandle, OUT PACCESS_TOKEN *Token)
 
NTSTATUS NTAPI PsAssignImpersonationToken (IN PETHREAD Thread, IN HANDLE TokenHandle)
 
VOID NTAPI PsRevertToSelf (VOID)
 
VOID NTAPI PsRevertThreadToSelf (IN PETHREAD Thread)
 
NTSTATUS NTAPI PsImpersonateClient (IN PETHREAD Thread, IN PACCESS_TOKEN Token, IN BOOLEAN CopyOnOpen, IN BOOLEAN EffectiveOnly, IN SECURITY_IMPERSONATION_LEVEL ImpersonationLevel)
 
PACCESS_TOKEN NTAPI PsReferenceEffectiveToken (IN PETHREAD Thread, OUT IN PTOKEN_TYPE TokenType, OUT PBOOLEAN EffectiveOnly, OUT PSECURITY_IMPERSONATION_LEVEL ImpersonationLevel)
 
PACCESS_TOKEN NTAPI PsReferenceImpersonationToken (IN PETHREAD Thread, OUT PBOOLEAN CopyOnOpen, OUT PBOOLEAN EffectiveOnly, OUT PSECURITY_IMPERSONATION_LEVEL ImpersonationLevel)
 
VOID NTAPI PsDereferenceImpersonationToken (IN PACCESS_TOKEN ImpersonationToken)
 
VOID NTAPI PsDereferencePrimaryToken (IN PACCESS_TOKEN PrimaryToken)
 
BOOLEAN NTAPI PsDisableImpersonation (IN PETHREAD Thread, OUT PSE_IMPERSONATION_STATE ImpersonationState)
 
VOID NTAPI PsRestoreImpersonation (IN PETHREAD Thread, IN PSE_IMPERSONATION_STATE ImpersonationState)
 
NTSTATUS NTAPI NtImpersonateThread (IN HANDLE ThreadHandle, IN HANDLE ThreadToImpersonateHandle, IN PSECURITY_QUALITY_OF_SERVICE SecurityQualityOfService)
 

Variables

PTOKEN PspBootAccessToken
 

Macro Definition Documentation

◆ NDEBUG

#define NDEBUG

Definition at line 14 of file security.c.

Function Documentation

◆ NtImpersonateThread()

NTSTATUS NTAPI NtImpersonateThread ( IN HANDLE  ThreadHandle,
IN HANDLE  ThreadToImpersonateHandle,
IN PSECURITY_QUALITY_OF_SERVICE  SecurityQualityOfService 
)

Definition at line 939 of file security.c.

942 {
943  SECURITY_QUALITY_OF_SERVICE SafeServiceQoS;
946  PETHREAD ThreadToImpersonate;
949  PAGED_CODE();
951  "Threads: %p %p\n", ThreadHandle, ThreadToImpersonateHandle);
952 
953  /* Check if call came from user mode */
954  if (PreviousMode != KernelMode)
955  {
956  /* Enter SEH for probing */
957  _SEH2_TRY
958  {
959  /* Probe QoS */
960  ProbeForRead(SecurityQualityOfService,
962  sizeof(ULONG));
963 
964  /* Capture it */
965  SafeServiceQoS = *SecurityQualityOfService;
966  SecurityQualityOfService = &SafeServiceQoS;
967  }
969  {
970  /* Return the exception code */
972  }
973  _SEH2_END;
974  }
975 
976  /* Reference the thread */
977  Status = ObReferenceObjectByHandle(ThreadHandle,
979  PsThreadType,
980  PreviousMode,
981  (PVOID*)&Thread,
982  NULL);
983  if (NT_SUCCESS(Status))
984  {
985  /* Reference the impersonating thead */
986  Status = ObReferenceObjectByHandle(ThreadToImpersonateHandle,
988  PsThreadType,
989  PreviousMode,
990  (PVOID*)&ThreadToImpersonate,
991  NULL);
992  if (NT_SUCCESS(Status))
993  {
994  /* Create a client security context */
995  Status = SeCreateClientSecurity(ThreadToImpersonate,
996  SecurityQualityOfService,
997  0,
998  &ClientContext);
999  if (NT_SUCCESS(Status))
1000  {
1001  /* Do the impersonation */
1003  if (ClientContext.ClientToken)
1004  {
1005  /* Dereference the client token if we had one */
1006  ObDereferenceObject(ClientContext.ClientToken);
1007  }
1008  }
1009 
1010  /* Dereference the thread to impersonate */
1011  ObDereferenceObject(ThreadToImpersonate);
1012  }
1013 
1014  /* Dereference the main thread */
1016  }
1017 
1018  /* Return status */
1019  return Status;
1020 }
#define THREAD_IMPERSONATE
Definition: pstypes.h:143
LONG NTSTATUS
Definition: precomp.h:26
KPROCESSOR_MODE NTAPI ExGetPreviousMode(VOID)
Definition: sysinfo.c:2966
VOID NTAPI ObDereferenceObject(IN PVOID Object)
Definition: obref.c:375
#define PAGED_CODE()
Definition: video.h:57
_SEH2_TRY
Definition: create.c:4250
NTSTATUS NTAPI ObReferenceObjectByHandle(IN HANDLE Handle, IN ACCESS_MASK DesiredAccess, IN POBJECT_TYPE ObjectType, IN KPROCESSOR_MODE AccessMode, OUT PVOID *Object, OUT POBJECT_HANDLE_INFORMATION HandleInformation OPTIONAL)
Definition: obref.c:496
#define EXCEPTION_EXECUTE_HANDLER
Definition: excpt.h:85
smooth NULL
Definition: ftsmooth.c:416
NTKERNELAPI NTSTATUS NTAPI SeCreateClientSecurity(IN PETHREAD Thread, IN PSECURITY_QUALITY_OF_SERVICE QualityOfService, IN BOOLEAN RemoteClient, OUT PSECURITY_CLIENT_CONTEXT ClientContext)
Definition: access.c:506
_In_ KPROCESSOR_MODE PreviousMode
Definition: sefuncs.h:103
#define _SEH2_YIELD(STMT_)
Definition: pseh2_64.h:8
#define NT_SUCCESS(StatCode)
Definition: apphelp.c:32
_In_ PVOID ClientContext
Definition: netioddk.h:55
_In_opt_ PFILE_OBJECT _In_opt_ PETHREAD Thread
Definition: fltkernel.h:2653
#define PS_SECURITY_DEBUG
Definition: ps.h:19
CCHAR KPROCESSOR_MODE
Definition: ketypes.h:7
POBJECT_TYPE PsThreadType
Definition: thread.c:20
VOID NTAPI ProbeForRead(IN CONST VOID *Address, IN SIZE_T Length, IN ULONG Alignment)
Definition: exintrin.c:102
Status
Definition: gdiplustypes.h:24
_SEH2_END
Definition: create.c:4424
NTKERNELAPI VOID NTAPI SeImpersonateClient(IN PSECURITY_CLIENT_CONTEXT ClientContext, IN PETHREAD ServerThread OPTIONAL)
Definition: access.c:623
unsigned int ULONG
Definition: retypes.h:1
#define THREAD_DIRECT_IMPERSONATION
Definition: pstypes.h:144
#define PSTRACE(x, fmt,...)
Definition: ps.h:57
#define _SEH2_EXCEPT(...)
Definition: pseh2_64.h:6
#define _SEH2_GetExceptionCode()
Definition: pseh2_64.h:12

Referenced by CsrImpersonateClient().

◆ NtOpenProcessToken()

NTSTATUS NTAPI NtOpenProcessToken ( IN HANDLE  ProcessHandle,
IN ACCESS_MASK  DesiredAccess,
OUT PHANDLE  TokenHandle 
)

Definition at line 342 of file security.c.

345 {
346  /* Call the newer API */
349  0,
350  TokenHandle);
351 }
NTSTATUS NTAPI NtOpenProcessTokenEx(IN HANDLE ProcessHandle, IN ACCESS_MASK DesiredAccess, IN ULONG HandleAttributes, OUT PHANDLE TokenHandle)
Definition: security.c:358
_In_ ACCESS_MASK _In_ ULONG _Out_ PHANDLE TokenHandle
Definition: psfuncs.h:715
_In_ PIO_STACK_LOCATION _Inout_ PFILE_OBJECT _Inout_ PVCB _Outptr_result_maybenull_ PDCB _In_ PDCB _In_ PDIRENT _In_ ULONG _In_ ULONG _In_ PUNICODE_STRING _In_ PACCESS_MASK DesiredAccess
Definition: create.c:4157
_In_ HANDLE ProcessHandle
Definition: mmfuncs.h:403

Referenced by CheckTokenMembership(), CsrGetProcessLuid(), CsrSetProcessSecurity(), OpenProcessToken(), RtlCreateUserSecurityObject(), RtlDefaultNpAcl(), SmpAcquirePrivilege(), START_TEST(), and test8().

◆ NtOpenProcessTokenEx()

NTSTATUS NTAPI NtOpenProcessTokenEx ( IN HANDLE  ProcessHandle,
IN ACCESS_MASK  DesiredAccess,
IN ULONG  HandleAttributes,
OUT PHANDLE  TokenHandle 
)

Definition at line 358 of file security.c.

362 {
364  HANDLE hToken;
367  PAGED_CODE();
369  "Process: %p DesiredAccess: %lx\n", ProcessHandle, DesiredAccess);
370 
371  /* Check if caller was user-mode */
372  if (PreviousMode != KernelMode)
373  {
374  /* Enter SEH for probing */
375  _SEH2_TRY
376  {
377  /* Probe the token handle */
379  }
381  {
382  /* Return the exception code */
384  }
385  _SEH2_END;
386  }
387 
388  /* Validate object attributes */
390 
391  /* Open the process token */
393  if (NT_SUCCESS(Status))
394  {
395  /* Reference it by handle and dereference the pointer */
398  NULL,
401  PreviousMode,
402  &hToken);
404 
405  /* Make sure we got a handle */
406  if (NT_SUCCESS(Status))
407  {
408  /* Enter SEH for write */
409  _SEH2_TRY
410  {
411  /* Return the handle */
412  *TokenHandle = hToken;
413  }
415  {
416  /* Get exception code */
418  }
419  _SEH2_END;
420  }
421  }
422 
423  /* Return status */
424  return Status;
425 }
_In_ HANDLE _In_opt_ HANDLE _Out_opt_ PHANDLE _In_ ACCESS_MASK _In_ ULONG HandleAttributes
Definition: obfuncs.h:429
LONG NTSTATUS
Definition: precomp.h:26
_IRQL_requires_same_ _In_ PLSA_STRING _In_ SECURITY_LOGON_TYPE _In_ ULONG _In_ ULONG _In_opt_ PTOKEN_GROUPS _In_ PTOKEN_SOURCE _Out_ PVOID _Out_ PULONG _Inout_ PLUID _Out_ PHANDLE Token
KPROCESSOR_MODE NTAPI ExGetPreviousMode(VOID)
Definition: sysinfo.c:2966
VOID NTAPI ObDereferenceObject(IN PVOID Object)
Definition: obref.c:375
NTSTATUS NTAPI ObOpenObjectByPointer(IN PVOID Object, IN ULONG HandleAttributes, IN PACCESS_STATE PassedAccessState, IN ACCESS_MASK DesiredAccess, IN POBJECT_TYPE ObjectType, IN KPROCESSOR_MODE AccessMode, OUT PHANDLE Handle)
Definition: obhandle.c:2739
#define PAGED_CODE()
Definition: video.h:57
_SEH2_TRY
Definition: create.c:4250
NTSTATUS NTAPI PsOpenTokenOfProcess(IN HANDLE ProcessHandle, OUT PACCESS_TOKEN *Token)
Definition: security.c:463
#define EXCEPTION_EXECUTE_HANDLER
Definition: excpt.h:85
smooth NULL
Definition: ftsmooth.c:416
POBJECT_TYPE SeTokenObjectType
Definition: token.c:34
_In_ ACCESS_MASK _In_ ULONG _Out_ PHANDLE TokenHandle
Definition: psfuncs.h:715
_In_ KPROCESSOR_MODE PreviousMode
Definition: sefuncs.h:103
#define _SEH2_YIELD(STMT_)
Definition: pseh2_64.h:8
#define NT_SUCCESS(StatCode)
Definition: apphelp.c:32
#define ProbeForWriteHandle(Ptr)
Definition: probe.h:43
#define PS_SECURITY_DEBUG
Definition: ps.h:19
CCHAR KPROCESSOR_MODE
Definition: ketypes.h:7
Status
Definition: gdiplustypes.h:24
FORCEINLINE ULONG ObpValidateAttributes(IN ULONG Attributes, IN KPROCESSOR_MODE PreviousMode)
Definition: ob_x.h:22
_SEH2_END
Definition: create.c:4424
_In_ PIO_STACK_LOCATION _Inout_ PFILE_OBJECT _Inout_ PVCB _Outptr_result_maybenull_ PDCB _In_ PDCB _In_ PDIRENT _In_ ULONG _In_ ULONG _In_ PUNICODE_STRING _In_ PACCESS_MASK DesiredAccess
Definition: create.c:4157
#define PSTRACE(x, fmt,...)
Definition: ps.h:57
#define _SEH2_EXCEPT(...)
Definition: pseh2_64.h:6
#define _SEH2_GetExceptionCode()
Definition: pseh2_64.h:12
_In_ HANDLE ProcessHandle
Definition: mmfuncs.h:403

Referenced by NtOpenProcessToken(), and START_TEST().

◆ PsAssignImpersonationToken()

NTSTATUS NTAPI PsAssignImpersonationToken ( IN PETHREAD  Thread,
IN HANDLE  TokenHandle 
)

Definition at line 494 of file security.c.

496 {
500  PAGED_CODE();
501  PSTRACE(PS_SECURITY_DEBUG, "Thread: %p Token: %p\n", Thread, TokenHandle);
502 
503  /* Check if we were given a handle */
504  if (!TokenHandle)
505  {
506  /* Undo impersonation */
508  return STATUS_SUCCESS;
509  }
510 
511  /* Get the token object */
516  (PVOID*)&Token,
517  NULL);
518  if (!NT_SUCCESS(Status)) return(Status);
519 
520  /* Make sure it's an impersonation token */
522  {
523  /* Fail */
525  return STATUS_BAD_TOKEN_TYPE;
526  }
527 
528  /* Get the impersonation level */
530 
531  /* Call the impersonation API */
533  Token,
534  FALSE,
535  FALSE,
537 
538  /* Dereference the token and return status */
540  return Status;
541 }
NTSTATUS NTAPI PsImpersonateClient(IN PETHREAD Thread, IN PACCESS_TOKEN Token, IN BOOLEAN CopyOnOpen, IN BOOLEAN EffectiveOnly, IN SECURITY_IMPERSONATION_LEVEL ImpersonationLevel)
Definition: security.c:602
VOID NTAPI PsRevertThreadToSelf(IN PETHREAD Thread)
Definition: security.c:560
#define KeGetPreviousMode()
Definition: ketypes.h:1081
LONG NTSTATUS
Definition: precomp.h:26
_IRQL_requires_same_ _In_ PLSA_STRING _In_ SECURITY_LOGON_TYPE _In_ ULONG _In_ ULONG _In_opt_ PTOKEN_GROUPS _In_ PTOKEN_SOURCE _Out_ PVOID _Out_ PULONG _Inout_ PLUID _Out_ PHANDLE Token
VOID NTAPI ObDereferenceObject(IN PVOID Object)
Definition: obref.c:375
#define TOKEN_IMPERSONATE
Definition: setypes.h:873
#define PAGED_CODE()
Definition: video.h:57
NTSTATUS NTAPI ObReferenceObjectByHandle(IN HANDLE Handle, IN ACCESS_MASK DesiredAccess, IN POBJECT_TYPE ObjectType, IN KPROCESSOR_MODE AccessMode, OUT PVOID *Object, OUT POBJECT_HANDLE_INFORMATION HandleInformation OPTIONAL)
Definition: obref.c:496
enum _SECURITY_IMPERSONATION_LEVEL SECURITY_IMPERSONATION_LEVEL
#define STATUS_BAD_TOKEN_TYPE
Definition: ntstatus.h:390
smooth NULL
Definition: ftsmooth.c:416
POBJECT_TYPE SeTokenObjectType
Definition: token.c:34
_In_ ACCESS_MASK _In_ ULONG _Out_ PHANDLE TokenHandle
Definition: psfuncs.h:715
SECURITY_IMPERSONATION_LEVEL NTAPI SeTokenImpersonationLevel(IN PACCESS_TOKEN Token)
Definition: token.c:1768
NTKERNELAPI TOKEN_TYPE NTAPI SeTokenType(IN PACCESS_TOKEN Token)
Definition: token.c:1780
#define NT_SUCCESS(StatCode)
Definition: apphelp.c:32
_Out_ PBOOLEAN _Out_ PBOOLEAN _Out_ PSECURITY_IMPERSONATION_LEVEL ImpersonationLevel
Definition: psfuncs.h:154
_In_opt_ PFILE_OBJECT _In_opt_ PETHREAD Thread
Definition: fltkernel.h:2653
#define PS_SECURITY_DEBUG
Definition: ps.h:19
Status
Definition: gdiplustypes.h:24
#define PSTRACE(x, fmt,...)
Definition: ps.h:57
return STATUS_SUCCESS
Definition: btrfs.c:2725

Referenced by NtSetInformationThread().

◆ PsDereferenceImpersonationToken()

VOID NTAPI PsDereferenceImpersonationToken ( IN PACCESS_TOKEN  ImpersonationToken)

Definition at line 813 of file security.c.

814 {
815  PAGED_CODE();
816 
817  /* If we got a token, dereference it */
818  if (ImpersonationToken) ObDereferenceObject(ImpersonationToken);
819 }
VOID NTAPI ObDereferenceObject(IN PVOID Object)
Definition: obref.c:375
#define PAGED_CODE()
Definition: video.h:57

Referenced by NtCloseObjectAuditAlarm(), NtOpenThreadTokenEx(), PsImpersonateClient(), and SeReleaseSubjectContext().

◆ PsDereferencePrimaryToken()

VOID NTAPI PsDereferencePrimaryToken ( IN PACCESS_TOKEN  PrimaryToken)

Definition at line 827 of file security.c.

828 {
829  PAGED_CODE();
830 
831  /* Dereference the token*/
832  ObDereferenceObject(PrimaryToken);
833 }
VOID NTAPI ObDereferenceObject(IN PVOID Object)
Definition: obref.c:375
#define PAGED_CODE()
Definition: video.h:57

Referenced by KsecGetKeyData(), NtCloseObjectAuditAlarm(), NtSecureConnectPort(), and SeExchangePrimaryToken().

◆ PsDisableImpersonation()

BOOLEAN NTAPI PsDisableImpersonation ( IN PETHREAD  Thread,
OUT PSE_IMPERSONATION_STATE  ImpersonationState 
)

Definition at line 840 of file security.c.

842 {
843  PPS_IMPERSONATION_INFORMATION Impersonation = NULL;
844  LONG OldFlags;
845  PAGED_CODE();
847  "Thread: %p State: %p\n", Thread, ImpersonationState);
848 
849  /* Check if we don't have impersonation */
851  {
852  /* Lock thread security */
854 
855  /* Disable impersonation */
856  OldFlags = PspClearCrossThreadFlag(Thread,
858 
859  /* Make sure nobody disabled it behind our back */
860  if (OldFlags & CT_ACTIVE_IMPERSONATION_INFO_BIT)
861  {
862  /* Copy the old state */
863  Impersonation = Thread->ImpersonationInfo;
864  ImpersonationState->Token = Impersonation->Token;
865  ImpersonationState->CopyOnOpen = Impersonation->CopyOnOpen;
867  ImpersonationState->Level = Impersonation->ImpersonationLevel;
868  }
869 
870  /* Unlock thread security */
872 
873  /* If we had impersonation info, return true */
874  if (Impersonation) return TRUE;
875  }
876 
877  /* Clear everything */
882  return FALSE;
883 }
#define TRUE
Definition: types.h:120
SECURITY_IMPERSONATION_LEVEL ImpersonationLevel
Definition: pstypes.h:1003
FORCEINLINE VOID PspUnlockThreadSecurityExclusive(IN PETHREAD Thread)
Definition: ps_x.h:188
_Inout_ PSE_IMPERSONATION_STATE ImpersonationState
Definition: psfuncs.h:189
#define PspClearCrossThreadFlag(Thread, Flag)
Definition: ps_x.h:27
#define PAGED_CODE()
Definition: video.h:57
PPS_IMPERSONATION_INFORMATION ImpersonationInfo
Definition: pstypes.h:1074
long LONG
Definition: pedump.c:60
smooth NULL
Definition: ftsmooth.c:416
_In_opt_ PFILE_OBJECT _In_opt_ PETHREAD Thread
Definition: fltkernel.h:2653
#define PS_SECURITY_DEBUG
Definition: ps.h:19
ULONG ActiveImpersonationInfo
Definition: pstypes.h:1112
#define CT_ACTIVE_IMPERSONATION_INFO_BIT
Definition: pstypes.h:225
#define PSTRACE(x, fmt,...)
Definition: ps.h:57
FORCEINLINE VOID PspLockThreadSecurityExclusive(IN PETHREAD Thread)
Definition: ps_x.h:177
PACCESS_TOKEN Token
Definition: setypes.h:116
SECURITY_IMPERSONATION_LEVEL Level
Definition: setypes.h:119

Referenced by NtOpenThreadTokenEx().

◆ PsImpersonateClient()

NTSTATUS NTAPI PsImpersonateClient ( IN PETHREAD  Thread,
IN PACCESS_TOKEN  Token,
IN BOOLEAN  CopyOnOpen,
IN BOOLEAN  EffectiveOnly,
IN SECURITY_IMPERSONATION_LEVEL  ImpersonationLevel 
)

Definition at line 602 of file security.c.

607 {
608  PPS_IMPERSONATION_INFORMATION Impersonation, OldData;
609  PTOKEN OldToken = NULL;
610  PAGED_CODE();
611  PSTRACE(PS_SECURITY_DEBUG, "Thread: %p, Token: %p\n", Thread, Token);
612 
613  /* Check if we don't have a token */
614  if (!Token)
615  {
616  /* Make sure we're impersonating */
618  {
619  /* We seem to be, lock the thread */
621 
622  /* Make sure we're still impersonating */
624  {
625  /* Disable impersonation */
628 
629  /* Get the token */
630  OldToken = Thread->ImpersonationInfo->Token;
631  }
632 
633  /* Unlock the process and write TEB information */
636  }
637  }
638  else
639  {
640  /* Check if we have impersonation info */
641  Impersonation = Thread->ImpersonationInfo;
642  if (!Impersonation)
643  {
644  /* We need to allocate a new one */
645  Impersonation = ExAllocatePoolWithTag(PagedPool,
646  sizeof(*Impersonation),
648  if (!Impersonation) return STATUS_INSUFFICIENT_RESOURCES;
649 
650  /* Update the pointer */
652  ImpersonationInfo,
653  Impersonation,
654  NULL);
655  if (OldData)
656  {
657  /* Someone beat us to it, free our copy */
658  ExFreePoolWithTag(Impersonation, TAG_PS_IMPERSONATION);
659  Impersonation = OldData;
660  }
661  }
662 
663  /* Check if this is a job, which we don't support yet */
664  if (Thread->ThreadsProcess->Job) ASSERT(FALSE);
665 
666  /* Lock thread security */
668 
669  /* Check if we're impersonating */
671  {
672  /* Get the token */
673  OldToken = Impersonation->Token;
674  }
675  else
676  {
677  /* Otherwise, enable impersonation */
679  }
680 
681  /* Now fill it out */
682  Impersonation->ImpersonationLevel = ImpersonationLevel;
683  Impersonation->CopyOnOpen = CopyOnOpen;
684  Impersonation->EffectiveOnly = EffectiveOnly;
685  Impersonation->Token = Token;
687 
688  /* Unlock the thread */
690 
691  /* Write impersonation info to the TEB */
693  }
694 
695  /* Dereference the token and return success */
696  if (OldToken) PsDereferenceImpersonationToken(OldToken);
697  return STATUS_SUCCESS;
698 }
#define STATUS_INSUFFICIENT_RESOURCES
Definition: udferr_usr.h:158
SECURITY_IMPERSONATION_LEVEL ImpersonationLevel
Definition: pstypes.h:1003
FORCEINLINE VOID PspUnlockThreadSecurityExclusive(IN PETHREAD Thread)
Definition: ps_x.h:188
#define PsGetCurrentThread()
Definition: env_spec_w32.h:81
#define PspClearCrossThreadFlag(Thread, Flag)
Definition: ps_x.h:27
_IRQL_requires_same_ _In_ PLSA_STRING _In_ SECURITY_LOGON_TYPE _In_ ULONG _In_ ULONG _In_opt_ PTOKEN_GROUPS _In_ PTOKEN_SOURCE _Out_ PVOID _Out_ PULONG _Inout_ PLUID _Out_ PHANDLE Token
_Out_ PBOOLEAN CopyOnOpen
Definition: psfuncs.h:154
#define PAGED_CODE()
Definition: video.h:57
PPS_IMPERSONATION_INFORMATION ImpersonationInfo
Definition: pstypes.h:1074
#define InterlockedCompareExchangePointer
Definition: interlocked.h:129
smooth NULL
Definition: ftsmooth.c:416
_Out_ PBOOLEAN _Out_ PBOOLEAN _Out_ PSECURITY_IMPERSONATION_LEVEL ImpersonationLevel
Definition: psfuncs.h:154
_In_opt_ PFILE_OBJECT _In_opt_ PETHREAD Thread
Definition: fltkernel.h:2653
#define PS_SECURITY_DEBUG
Definition: ps.h:19
ULONG ActiveImpersonationInfo
Definition: pstypes.h:1112
ASSERT((InvokeOnSuccess||InvokeOnError||InvokeOnCancel) ?(CompletionRoutine !=NULL) :TRUE)
#define ExAllocatePoolWithTag(hernya, size, tag)
Definition: env_spec_w32.h:350
#define PspSetCrossThreadFlag(Thread, Flag)
Definition: ps_x.h:25
#define CT_ACTIVE_IMPERSONATION_INFO_BIT
Definition: pstypes.h:225
#define ObReferenceObject
Definition: obfuncs.h:204
#define PSTRACE(x, fmt,...)
Definition: ps.h:57
FORCEINLINE VOID PspLockThreadSecurityExclusive(IN PETHREAD Thread)
Definition: ps_x.h:177
#define ExFreePoolWithTag(_P, _T)
Definition: module.h:1099
_In_ ACCESS_MASK _In_opt_ POBJECT_ATTRIBUTES _In_ BOOLEAN EffectiveOnly
Definition: sefuncs.h:417
#define TAG_PS_IMPERSONATION
Definition: tag.h:157
return STATUS_SUCCESS
Definition: btrfs.c:2725
NTSTATUS NTAPI PspWriteTebImpersonationInfo(IN PETHREAD Thread, IN PETHREAD CurrentThread)
Definition: security.c:114
VOID NTAPI PsDereferenceImpersonationToken(IN PACCESS_TOKEN ImpersonationToken)
Definition: security.c:813

Referenced by NtOpenThreadTokenEx(), PsAssignImpersonationToken(), and SeImpersonateClientEx().

◆ PsOpenTokenOfProcess()

NTSTATUS NTAPI PsOpenTokenOfProcess ( IN HANDLE  ProcessHandle,
OUT PACCESS_TOKEN Token 
)

Definition at line 463 of file security.c.

465 {
468  PAGED_CODE();
469  PSTRACE(PS_SECURITY_DEBUG, "Process: %p\n", ProcessHandle);
470 
471  /* Get the Token */
476  (PVOID*)&Process,
477  NULL);
478  if (NT_SUCCESS(Status))
479  {
480  /* Reference the token and dereference the process */
483  }
484 
485  /* Return */
486  return Status;
487 }
#define PROCESS_QUERY_INFORMATION
Definition: pstypes.h:158
LONG NTSTATUS
Definition: precomp.h:26
_IRQL_requires_same_ _In_ PLSA_STRING _In_ SECURITY_LOGON_TYPE _In_ ULONG _In_ ULONG _In_opt_ PTOKEN_GROUPS _In_ PTOKEN_SOURCE _Out_ PVOID _Out_ PULONG _Inout_ PLUID _Out_ PHANDLE Token
KPROCESSOR_MODE NTAPI ExGetPreviousMode(VOID)
Definition: sysinfo.c:2966
VOID NTAPI ObDereferenceObject(IN PVOID Object)
Definition: obref.c:375
#define PAGED_CODE()
Definition: video.h:57
NTSTATUS NTAPI ObReferenceObjectByHandle(IN HANDLE Handle, IN ACCESS_MASK DesiredAccess, IN POBJECT_TYPE ObjectType, IN KPROCESSOR_MODE AccessMode, OUT PVOID *Object, OUT POBJECT_HANDLE_INFORMATION HandleInformation OPTIONAL)
Definition: obref.c:496
smooth NULL
Definition: ftsmooth.c:416
#define NT_SUCCESS(StatCode)
Definition: apphelp.c:32
#define PS_SECURITY_DEBUG
Definition: ps.h:19
PACCESS_TOKEN NTAPI PsReferencePrimaryToken(PEPROCESS Process)
Definition: security.c:432
Status
Definition: gdiplustypes.h:24
_Must_inspect_result_ _In_ PLARGE_INTEGER _In_ PLARGE_INTEGER _In_ ULONG _In_ PFILE_OBJECT _In_ PVOID Process
Definition: fsrtlfuncs.h:219
#define PSTRACE(x, fmt,...)
Definition: ps.h:57
_In_ HANDLE ProcessHandle
Definition: mmfuncs.h:403
POBJECT_TYPE PsProcessType
Definition: process.c:20

Referenced by NtOpenProcessTokenEx().

◆ PspAssignPrimaryToken()

NTSTATUS NTAPI PspAssignPrimaryToken ( IN PEPROCESS  Process,
IN HANDLE  Token,
IN PACCESS_TOKEN AccessToken  OPTIONAL 
)

Definition at line 178 of file security.c.

181 {
182  PACCESS_TOKEN NewToken = AccessToken, OldToken;
184  PAGED_CODE();
185  PSTRACE(PS_SECURITY_DEBUG, "Process: %p Token: %p\n", Process, Token);
186 
187  /* Check if we don't have a pointer */
188  if (!AccessToken)
189  {
190  /* Reference it from the handle */
195  &NewToken,
196  NULL);
197  if (!NT_SUCCESS(Status)) return Status;
198  }
199 
200  /* Exchange tokens */
201  Status = SeExchangePrimaryToken(Process, NewToken, &OldToken);
202 
203  /* Acquire and release the lock */
206 
207  /* Dereference Tokens and Return */
208  if (NT_SUCCESS(Status)) ObDereferenceObject(OldToken);
209  if (!AccessToken) ObDereferenceObject(NewToken);
210  return Status;
211 }
FORCEINLINE VOID PspLockProcessSecurityExclusive(IN PEPROCESS Process)
Definition: ps_x.h:133
LONG NTSTATUS
Definition: precomp.h:26
_IRQL_requires_same_ _In_ PLSA_STRING _In_ SECURITY_LOGON_TYPE _In_ ULONG _In_ ULONG _In_opt_ PTOKEN_GROUPS _In_ PTOKEN_SOURCE _Out_ PVOID _Out_ PULONG _Inout_ PLUID _Out_ PHANDLE Token
#define TOKEN_ASSIGN_PRIMARY
Definition: setypes.h:871
KPROCESSOR_MODE NTAPI ExGetPreviousMode(VOID)
Definition: sysinfo.c:2966
VOID NTAPI ObDereferenceObject(IN PVOID Object)
Definition: obref.c:375
NTSTATUS NTAPI SeExchangePrimaryToken(_In_ PEPROCESS Process, _In_ PACCESS_TOKEN NewAccessToken, _Out_ PACCESS_TOKEN *OldAccessToken)
Definition: token.c:234
#define PAGED_CODE()
Definition: video.h:57
NTSTATUS NTAPI ObReferenceObjectByHandle(IN HANDLE Handle, IN ACCESS_MASK DesiredAccess, IN POBJECT_TYPE ObjectType, IN KPROCESSOR_MODE AccessMode, OUT PVOID *Object, OUT POBJECT_HANDLE_INFORMATION HandleInformation OPTIONAL)
Definition: obref.c:496
smooth NULL
Definition: ftsmooth.c:416
POBJECT_TYPE SeTokenObjectType
Definition: token.c:34
#define NT_SUCCESS(StatCode)
Definition: apphelp.c:32
#define PS_SECURITY_DEBUG
Definition: ps.h:19
Status
Definition: gdiplustypes.h:24
_Must_inspect_result_ _In_ PLARGE_INTEGER _In_ PLARGE_INTEGER _In_ ULONG _In_ PFILE_OBJECT _In_ PVOID Process
Definition: fsrtlfuncs.h:219
FORCEINLINE VOID PspUnlockProcessSecurityExclusive(IN PEPROCESS Process)
Definition: ps_x.h:144
#define PSTRACE(x, fmt,...)
Definition: ps.h:57

Referenced by PspSetPrimaryToken().

◆ PspDeleteProcessSecurity()

VOID NTAPI PspDeleteProcessSecurity ( IN PEPROCESS  Process)

Definition at line 30 of file security.c.

31 {
32  PAGED_CODE();
33  PSTRACE(PS_SECURITY_DEBUG, "Process: %p\n", Process);
34 
35  /* Check if we have a token */
36  if (Process->Token.Object)
37  {
38  /* Deassign it */
40  Process->Token.Object = NULL;
41  }
42 }
VOID NTAPI SeDeassignPrimaryToken(struct _EPROCESS *Process)
#define PAGED_CODE()
Definition: video.h:57
smooth NULL
Definition: ftsmooth.c:416
#define PS_SECURITY_DEBUG
Definition: ps.h:19
_Must_inspect_result_ _In_ PLARGE_INTEGER _In_ PLARGE_INTEGER _In_ ULONG _In_ PFILE_OBJECT _In_ PVOID Process
Definition: fsrtlfuncs.h:219
#define PSTRACE(x, fmt,...)
Definition: ps.h:57

Referenced by PspDeleteProcess().

◆ PspDeleteThreadSecurity()

VOID NTAPI PspDeleteThreadSecurity ( IN PETHREAD  Thread)

Definition at line 46 of file security.c.

47 {
49  PAGED_CODE();
50  PSTRACE(PS_SECURITY_DEBUG, "Thread: %p\n", Thread);
51 
52  /* Check if we have active impersonation info */
54  {
55  /* Dereference its token */
56  ObDereferenceObject(ImpersonationInfo->Token);
57  }
58 
59  /* Check if we have impersonation info */
60  if (ImpersonationInfo)
61  {
62  /* Free it */
63  ExFreePool(ImpersonationInfo);
66  }
67 }
#define PspClearCrossThreadFlag(Thread, Flag)
Definition: ps_x.h:27
VOID NTAPI ObDereferenceObject(IN PVOID Object)
Definition: obref.c:375
#define PAGED_CODE()
Definition: video.h:57
PPS_IMPERSONATION_INFORMATION ImpersonationInfo
Definition: pstypes.h:1074
smooth NULL
Definition: ftsmooth.c:416
_In_opt_ PFILE_OBJECT _In_opt_ PETHREAD Thread
Definition: fltkernel.h:2653
#define PS_SECURITY_DEBUG
Definition: ps.h:19
ULONG ActiveImpersonationInfo
Definition: pstypes.h:1112
#define CT_ACTIVE_IMPERSONATION_INFO_BIT
Definition: pstypes.h:225
#define PSTRACE(x, fmt,...)
Definition: ps.h:57
#define ExFreePool(addr)
Definition: env_spec_w32.h:352

Referenced by PspDeleteThread().

◆ PspInitializeProcessSecurity()

NTSTATUS NTAPI PspInitializeProcessSecurity ( IN PEPROCESS  Process,
IN PEPROCESS Parent  OPTIONAL 
)

Definition at line 71 of file security.c.

73 {
75  PTOKEN NewToken, ParentToken;
76  PAGED_CODE();
77  PSTRACE(PS_SECURITY_DEBUG, "Process: %p\n", Process);
78 
79  /* If we have a parent, then duplicate the Token */
80  if (Parent)
81  {
82  /* Get the Parent Token */
83  ParentToken = PsReferencePrimaryToken(Parent);
84 
85  /* Duplicate it */
86  Status = SeSubProcessToken(ParentToken,
87  &NewToken,
88  TRUE,
90 
91  /* Dereference the Parent */
92  ObFastDereferenceObject(&Parent->Token, ParentToken);
93 
94  /* Set the new Token */
95  if (NT_SUCCESS(Status))
96  {
97  /* Initailize the fast reference */
98  ObInitializeFastReference(&Process->Token, NewToken);
99  }
100  }
101  else
102  {
103  /* No parent, assign the Boot Token */
106  }
107 
108  /* Return to caller */
109  return Status;
110 }
#define TRUE
Definition: types.h:120
PTOKEN PspBootAccessToken
Definition: security.c:17
LONG NTSTATUS
Definition: precomp.h:26
ACPI_PHYSICAL_ADDRESS ACPI_SIZE BOOLEAN Warn BOOLEAN Physical UINT32 ACPI_TABLE_HEADER *OutTableHeader ACPI_TABLE_HEADER **OutTable ACPI_HANDLE UINT32 ACPI_WALK_CALLBACK ACPI_WALK_CALLBACK void void **ReturnValue UINT32 ACPI_BUFFER *RetPathPtr ACPI_OBJECT_HANDLER void *Data ACPI_OBJECT_HANDLER void **Data ACPI_STRING ACPI_OBJECT_LIST ACPI_BUFFER *ReturnObjectBuffer ACPI_DEVICE_INFO **ReturnBuffer ACPI_HANDLE Parent
Definition: acpixf.h:716
#define PAGED_CODE()
Definition: video.h:57
smooth NULL
Definition: ftsmooth.c:416
#define NT_SUCCESS(StatCode)
Definition: apphelp.c:32
VOID FASTCALL ObInitializeFastReference(IN PEX_FAST_REF FastRef, IN PVOID Object)
Definition: obref.c:109
#define PS_SECURITY_DEBUG
Definition: ps.h:19
PACCESS_TOKEN NTAPI PsReferencePrimaryToken(PEPROCESS Process)
Definition: security.c:432
Status
Definition: gdiplustypes.h:24
NTSTATUS NTAPI SeSubProcessToken(IN PTOKEN Parent, OUT PTOKEN *Token, IN BOOLEAN InUse, IN ULONG SessionId)
Definition: token.c:672
VOID FASTCALL ObFastDereferenceObject(IN PEX_FAST_REF FastRef, IN PVOID Object)
Definition: obref.c:169
_Must_inspect_result_ _In_ PLARGE_INTEGER _In_ PLARGE_INTEGER _In_ ULONG _In_ PFILE_OBJECT _In_ PVOID Process
Definition: fsrtlfuncs.h:219
VOID NTAPI SeAssignPrimaryToken(IN PEPROCESS Process, IN PTOKEN Token)
Definition: token.c:862
ULONG NTAPI MmGetSessionId(IN PEPROCESS Process)
Definition: session.c:180
#define PSTRACE(x, fmt,...)
Definition: ps.h:57
return STATUS_SUCCESS
Definition: btrfs.c:2725

Referenced by PspCreateProcess().

◆ PspSetPrimaryToken()

NTSTATUS NTAPI PspSetPrimaryToken ( IN PEPROCESS  Process,
IN HANDLE TokenHandle  OPTIONAL,
IN PACCESS_TOKEN Token  OPTIONAL 
)

Definition at line 215 of file security.c.

218 {
220  BOOLEAN IsChildOrSibling;
221  PACCESS_TOKEN NewToken = Token;
223  BOOLEAN Result, SdAllocated;
226 
227  PSTRACE(PS_SECURITY_DEBUG, "Process: %p Token: %p\n", Process, Token);
228 
229  /* Reference the token by handle if we don't already have a token object */
230  if (!Token)
231  {
235  PreviousMode,
236  (PVOID*)&NewToken,
237  NULL);
238  if (!NT_SUCCESS(Status)) return Status;
239  }
240 
241  /*
242  * Check whether this token is a child or sibling of the current process token.
243  * NOTE: On Windows Vista+ both of these checks (together with extra steps)
244  * are now performed by a new SeIsTokenAssignableToProcess() helper.
245  */
246  Status = SeIsTokenChild(NewToken, &IsChildOrSibling);
247  if (!NT_SUCCESS(Status))
248  {
249  /* Failed, dereference */
250  if (!Token) ObDereferenceObject(NewToken);
251  return Status;
252  }
253  if (!IsChildOrSibling)
254  {
255  Status = SeIsTokenSibling(NewToken, &IsChildOrSibling);
256  if (!NT_SUCCESS(Status))
257  {
258  /* Failed, dereference */
259  if (!Token) ObDereferenceObject(NewToken);
260  return Status;
261  }
262  }
263 
264  /* Check if this was an independent token */
265  if (!IsChildOrSibling)
266  {
267  /* Make sure we have the privilege to assign a new one */
269  PreviousMode))
270  {
271  /* Failed, dereference */
272  if (!Token) ObDereferenceObject(NewToken);
274  }
275  }
276 
277  /* Assign the token */
279  if (NT_SUCCESS(Status))
280  {
281  /*
282  * We need to completely reverify if the process still has access to
283  * itself under this new token.
284  */
287  &SdAllocated);
288  if (NT_SUCCESS(Status))
289  {
290  /* Setup the security context */
291  SubjectContext.ProcessAuditId = Process;
293  SubjectContext.ClientToken = NULL;
294 
295  /* Do the access check */
298  FALSE,
300  0,
301  NULL,
303  PreviousMode,
304  &Process->GrantedAccess,
305  &AccessStatus);
306 
307  /* Dereference the token and let go the SD */
309  SubjectContext.PrimaryToken);
311 
312  /* Remove access if it failed */
313  if (!Result) Process->GrantedAccess = 0;
314 
315  /* Setup granted access */
316  Process->GrantedAccess |= (PROCESS_VM_OPERATION |
327  }
328  }
329 
330  /* Dereference the token */
331  if (!Token) ObDereferenceObject(NewToken);
332  return Status;
333 }
#define MAXIMUM_ALLOWED
Definition: nt_native.h:83
BOOLEAN NTAPI SeAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor, IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext, IN BOOLEAN SubjectContextLocked, IN ACCESS_MASK DesiredAccess, IN ACCESS_MASK PreviouslyGrantedAccess, OUT PPRIVILEGE_SET *Privileges, IN PGENERIC_MAPPING GenericMapping, IN KPROCESSOR_MODE AccessMode, OUT PACCESS_MASK GrantedAccess, OUT PNTSTATUS AccessStatus)
Definition: accesschk.c:340
#define STATUS_PRIVILEGE_NOT_HELD
Definition: DriverTester.h:9
_Inout_ PLIST_ENTRY _In_ PVOID _In_ PSTRING _In_ BOOLEAN _In_ BOOLEAN _In_ ULONG _In_ PFLT_CALLBACK_DATA _In_opt_ PCHECK_FOR_TRAVERSE_ACCESS _In_opt_ PSECURITY_SUBJECT_CONTEXT SubjectContext
Definition: fltkernel.h:2239
NTSTATUS NTAPI SeIsTokenSibling(IN PTOKEN Token, OUT PBOOLEAN IsSibling)
Definition: token.c:749
#define PROCESS_QUERY_INFORMATION
Definition: pstypes.h:158
_In_ PSECURITY_SUBJECT_CONTEXT _In_ BOOLEAN _In_ ACCESS_MASK _In_ ACCESS_MASK _Outptr_opt_ PPRIVILEGE_SET _In_ PGENERIC_MAPPING _In_ KPROCESSOR_MODE _Out_ PACCESS_MASK _Out_ PNTSTATUS AccessStatus
Definition: sefuncs.h:13
_In_ USHORT _In_ ULONG _In_ PSOCKADDR _In_ PSOCKADDR _Reserved_ ULONG _In_opt_ PVOID _In_opt_ const WSK_CLIENT_CONNECTION_DISPATCH _In_opt_ PEPROCESS _In_opt_ PETHREAD _In_opt_ PSECURITY_DESCRIPTOR SecurityDescriptor
Definition: wsk.h:182
NTSTATUS NTAPI SeIsTokenChild(IN PTOKEN Token, OUT PBOOLEAN IsChild)
Definition: token.c:716
LONG NTSTATUS
Definition: precomp.h:26
_IRQL_requires_same_ _In_ PLSA_STRING _In_ SECURITY_LOGON_TYPE _In_ ULONG _In_ ULONG _In_opt_ PTOKEN_GROUPS _In_ PTOKEN_SOURCE _Out_ PVOID _Out_ PULONG _Inout_ PLUID _Out_ PHANDLE Token
#define TOKEN_ASSIGN_PRIMARY
Definition: setypes.h:871
BOOLEAN NTAPI SeSinglePrivilegeCheck(IN LUID PrivilegeValue, IN KPROCESSOR_MODE PreviousMode)
Definition: priv.c:524
KPROCESSOR_MODE NTAPI ExGetPreviousMode(VOID)
Definition: sysinfo.c:2966
VOID NTAPI ObDereferenceObject(IN PVOID Object)
Definition: obref.c:375
const LUID SeAssignPrimaryTokenPrivilege
Definition: priv.c:24
#define PROCESS_CREATE_THREAD
Definition: pstypes.h:150
NTSTATUS NTAPI ObReferenceObjectByHandle(IN HANDLE Handle, IN ACCESS_MASK DesiredAccess, IN POBJECT_TYPE ObjectType, IN KPROCESSOR_MODE AccessMode, OUT PVOID *Object, OUT POBJECT_HANDLE_INFORMATION HandleInformation OPTIONAL)
Definition: obref.c:496
#define PROCESS_DUP_HANDLE
VOID NTAPI ObReleaseObjectSecurity(IN PSECURITY_DESCRIPTOR SecurityDescriptor, IN BOOLEAN MemoryAllocated)
Definition: obsecure.c:709
unsigned char BOOLEAN
smooth NULL
Definition: ftsmooth.c:416
POBJECT_TYPE SeTokenObjectType
Definition: token.c:34
_At_(*)(_In_ PWSK_CLIENT Client, _In_opt_ PUNICODE_STRING NodeName, _In_opt_ PUNICODE_STRING ServiceName, _In_opt_ ULONG NameSpace, _In_opt_ GUID *Provider, _In_opt_ PADDRINFOEXW Hints, _Outptr_ PADDRINFOEXW *Result, _In_opt_ PEPROCESS OwningProcess, _In_opt_ PETHREAD OwningThread, _Inout_ PIRP Irp Result)(Mem)) NTSTATUS(WSKAPI *PFN_WSK_GET_ADDRESS_INFO
Definition: wsk.h:426
_In_ ACCESS_MASK _In_ ULONG _Out_ PHANDLE TokenHandle
Definition: psfuncs.h:715
#define PROCESS_SET_QUOTA
Definition: pstypes.h:156
NTSTATUS NTAPI ObGetObjectSecurity(IN PVOID Object, OUT PSECURITY_DESCRIPTOR *SecurityDescriptor, OUT PBOOLEAN MemoryAllocated)
Definition: obsecure.c:611
_In_ KPROCESSOR_MODE PreviousMode
Definition: sefuncs.h:103
#define PROCESS_VM_WRITE
Definition: pstypes.h:154
#define NT_SUCCESS(StatCode)
Definition: apphelp.c:32
#define PS_SECURITY_DEBUG
Definition: ps.h:19
#define PROCESS_CREATE_PROCESS
Definition: pstypes.h:155
CCHAR KPROCESSOR_MODE
Definition: ketypes.h:7
NTSTATUS NTAPI PspAssignPrimaryToken(IN PEPROCESS Process, IN HANDLE Token, IN PACCESS_TOKEN AccessToken OPTIONAL)
Definition: security.c:178
PACCESS_TOKEN NTAPI PsReferencePrimaryToken(PEPROCESS Process)
Definition: security.c:432
OBJECT_TYPE_INITIALIZER TypeInfo
Definition: obtypes.h:390
Status
Definition: gdiplustypes.h:24
GENERIC_MAPPING GenericMapping
Definition: obtypes.h:358
#define STANDARD_RIGHTS_ALL
Definition: nt_native.h:69
#define PROCESS_TERMINATE
Definition: pstypes.h:149
#define PROCESS_VM_READ
Definition: pstypes.h:153
VOID FASTCALL ObFastDereferenceObject(IN PEX_FAST_REF FastRef, IN PVOID Object)
Definition: obref.c:169
_Must_inspect_result_ _In_ PLARGE_INTEGER _In_ PLARGE_INTEGER _In_ ULONG _In_ PFILE_OBJECT _In_ PVOID Process
Definition: fsrtlfuncs.h:219
#define PROCESS_VM_OPERATION
Definition: pstypes.h:152
#define PROCESS_SET_INFORMATION
Definition: pstypes.h:157
#define PSTRACE(x, fmt,...)
Definition: ps.h:57
POBJECT_TYPE PsProcessType
Definition: process.c:20

Referenced by NtSetInformationProcess().

◆ PspWriteTebImpersonationInfo()

NTSTATUS NTAPI PspWriteTebImpersonationInfo ( IN PETHREAD  Thread,
IN PETHREAD  CurrentThread 
)

Definition at line 114 of file security.c.

116 {
118  PTEB Teb;
120  BOOLEAN IsImpersonating;
122  PAGED_CODE();
123  PSTRACE(PS_SECURITY_DEBUG, "Thread: %p\n", Thread);
124 
125  /* Sanity check */
126  ASSERT(CurrentThread == PsGetCurrentThread());
127 
128  /* Get process and TEB */
129  Process = Thread->ThreadsProcess;
130  Teb = Thread->Tcb.Teb;
131  if (Teb)
132  {
133  /* Check if we're not in the right process */
134  if (Thread->Tcb.ApcState.Process != &Process->Pcb)
135  {
136  /* Attach to the process */
138  Attached = TRUE;
139  }
140 
141  /* Check if we're in a different thread or acquire rundown */
142  if ((Thread == CurrentThread) ||
144  {
145  /* Check if the thread is impersonating */
146  IsImpersonating = (BOOLEAN)Thread->ActiveImpersonationInfo;
147  if (IsImpersonating)
148  {
149  /* Set TEB data */
150  Teb->ImpersonationLocale = -1;
151  Teb->IsImpersonating = 1;
152  }
153  else
154  {
155  /* Set TEB data */
156  Teb->ImpersonationLocale = 0;
157  Teb->IsImpersonating = 0;
158  }
159  }
160 
161  /* Check if we're in a different thread */
162  if (Thread != CurrentThread)
163  {
164  /* Release protection */
166  }
167 
168  /* Detach */
170  }
171 
172  /* Return to caller */
173  return STATUS_SUCCESS;
174 }
#define TRUE
Definition: types.h:120
KAPC_STATE
Definition: ketypes.h:1273
#define PsGetCurrentThread()
Definition: env_spec_w32.h:81
NTKERNELAPI VOID FASTCALL ExReleaseRundownProtection(_Inout_ PEX_RUNDOWN_REF RunRef)
ULONG ImpersonationLocale
Definition: winternl.h:432
EX_RUNDOWN_REF RundownProtect
Definition: pstypes.h:1090
KTHREAD Tcb
Definition: pstypes.h:1034
#define ExAcquireRundownProtection
Definition: ex.h:130
#define PAGED_CODE()
Definition: video.h:57
static BOOL Attached
Definition: vidbios.c:3905
VOID NTAPI KeStackAttachProcess(IN PKPROCESS Process, OUT PRKAPC_STATE ApcState)
Definition: procobj.c:701
KAPC_STATE ApcState
Definition: ketypes.h:1668
unsigned char BOOLEAN
static BOOLEAN
Definition: security.c:109
if(!(yy_init))
Definition: macro.lex.yy.c:714
_In_opt_ PFILE_OBJECT _In_opt_ PETHREAD Thread
Definition: fltkernel.h:2653
#define PS_SECURITY_DEBUG
Definition: ps.h:19
ULONG ActiveImpersonationInfo
Definition: pstypes.h:1112
ASSERT((InvokeOnSuccess||InvokeOnError||InvokeOnCancel) ?(CompletionRoutine !=NULL) :TRUE)
ULONG IsImpersonating
Definition: winternl.h:433
Definition: compat.h:484
VOID NTAPI KeUnstackDetachProcess(IN PRKAPC_STATE ApcState)
Definition: procobj.c:753
_Out_ PKAPC_STATE ApcState
Definition: mm.h:1484
PVOID Teb
Definition: ketypes.h:1697
_Must_inspect_result_ _In_ PLARGE_INTEGER _In_ PLARGE_INTEGER _In_ ULONG _In_ PFILE_OBJECT _In_ PVOID Process
Definition: fsrtlfuncs.h:219
#define PSTRACE(x, fmt,...)
Definition: ps.h:57
return STATUS_SUCCESS
Definition: btrfs.c:2725

Referenced by PsImpersonateClient(), and PsRevertThreadToSelf().

◆ PsReferenceEffectiveToken()

PACCESS_TOKEN NTAPI PsReferenceEffectiveToken ( IN PETHREAD  Thread,
OUT IN PTOKEN_TYPE  TokenType,
OUT PBOOLEAN  EffectiveOnly,
OUT PSECURITY_IMPERSONATION_LEVEL  ImpersonationLevel 
)

Definition at line 705 of file security.c.

709 {
712 
713  PAGED_CODE();
714 
716  "Thread: %p, TokenType: %p\n", Thread, TokenType);
717 
718  /* Check if we don't have impersonation info */
719  Process = Thread->ThreadsProcess;
721  {
722  /* Lock the Process */
724 
725  /* Make sure impersonation is still active */
727  {
728  /* Get the token */
731 
732  /* Return data to caller */
736 
737  /* Unlock the Process */
739  return Token;
740  }
741 
742  /* Unlock the Process */
744  }
745 
746  /* Fast Reference the Token */
748 
749  /* Check if we got the Token or if we got locked */
750  if (!Token)
751  {
752  /* Lock the Process */
754 
755  /* Do a Locked Fast Reference */
757 
758  /* Unlock the Process */
760  }
761 
762  /* Return the token */
764  *EffectiveOnly = FALSE;
765  // NOTE: ImpersonationLevel is left untouched on purpose!
766  return Token;
767 }
SECURITY_IMPERSONATION_LEVEL ImpersonationLevel
Definition: pstypes.h:1003
_IRQL_requires_same_ _In_ PLSA_STRING _In_ SECURITY_LOGON_TYPE _In_ ULONG _In_ ULONG _In_opt_ PTOKEN_GROUPS _In_ PTOKEN_SOURCE _Out_ PVOID _Out_ PULONG _Inout_ PLUID _Out_ PHANDLE Token
PVOID FASTCALL ObFastReferenceObject(IN PEX_FAST_REF FastRef)
Definition: obref.c:134
#define PAGED_CODE()
Definition: video.h:57
PPS_IMPERSONATION_INFORMATION ImpersonationInfo
Definition: pstypes.h:1074
FORCEINLINE VOID PspUnlockProcessSecurityShared(IN PEPROCESS Process)
Definition: ps_x.h:122
smooth NULL
Definition: ftsmooth.c:416
_Out_ PBOOLEAN _Out_ PBOOLEAN _Out_ PSECURITY_IMPERSONATION_LEVEL ImpersonationLevel
Definition: psfuncs.h:154
_In_opt_ PFILE_OBJECT _In_opt_ PETHREAD Thread
Definition: fltkernel.h:2653
#define PS_SECURITY_DEBUG
Definition: ps.h:19
ULONG ActiveImpersonationInfo
Definition: pstypes.h:1112
FORCEINLINE VOID PspLockProcessSecurityShared(IN PEPROCESS Process)
Definition: ps_x.h:111
_Must_inspect_result_ _In_ PLARGE_INTEGER _In_ PLARGE_INTEGER _In_ ULONG _In_ PFILE_OBJECT _In_ PVOID Process
Definition: fsrtlfuncs.h:219
#define ObReferenceObject
Definition: obfuncs.h:204
PVOID FASTCALL ObFastReferenceObjectLocked(IN PEX_FAST_REF FastRef)
Definition: obref.c:121
#define PSTRACE(x, fmt,...)
Definition: ps.h:57
_In_ ACCESS_MASK _In_opt_ POBJECT_ATTRIBUTES _In_ BOOLEAN EffectiveOnly
Definition: sefuncs.h:417
_In_ ACCESS_MASK _In_opt_ POBJECT_ATTRIBUTES _In_ BOOLEAN _In_ TOKEN_TYPE TokenType
Definition: sefuncs.h:417

Referenced by SeCreateClientSecurity().

◆ PsReferenceImpersonationToken()

PACCESS_TOKEN NTAPI PsReferenceImpersonationToken ( IN PETHREAD  Thread,
OUT PBOOLEAN  CopyOnOpen,
OUT PBOOLEAN  EffectiveOnly,
OUT PSECURITY_IMPERSONATION_LEVEL  ImpersonationLevel 
)

Definition at line 774 of file security.c.

778 {
779  PTOKEN Token = NULL;
780  PAGED_CODE();
781  PSTRACE(PS_SECURITY_DEBUG, "Thread: %p\n", Thread);
782 
783  /* If we don't have impersonation info, just quit */
784  if (!Thread->ActiveImpersonationInfo) return NULL;
785 
786  /* Lock the thread */
788 
789  /* Make sure we still have active impersonation */
791  {
792  /* Return data from caller */
797 
798  /* Set the token */
800  }
801 
802  /* Unlock thread and return impersonation token */
804  return Token;
805 }
SECURITY_IMPERSONATION_LEVEL ImpersonationLevel
Definition: pstypes.h:1003
FORCEINLINE VOID PspLockThreadSecurityShared(IN PETHREAD Thread)
Definition: ps_x.h:155
_IRQL_requires_same_ _In_ PLSA_STRING _In_ SECURITY_LOGON_TYPE _In_ ULONG _In_ ULONG _In_opt_ PTOKEN_GROUPS _In_ PTOKEN_SOURCE _Out_ PVOID _Out_ PULONG _Inout_ PLUID _Out_ PHANDLE Token
_Out_ PBOOLEAN CopyOnOpen
Definition: psfuncs.h:154
#define PAGED_CODE()
Definition: video.h:57
PPS_IMPERSONATION_INFORMATION ImpersonationInfo
Definition: pstypes.h:1074
smooth NULL
Definition: ftsmooth.c:416
_Out_ PBOOLEAN _Out_ PBOOLEAN _Out_ PSECURITY_IMPERSONATION_LEVEL ImpersonationLevel
Definition: psfuncs.h:154
_In_opt_ PFILE_OBJECT _In_opt_ PETHREAD Thread
Definition: fltkernel.h:2653
#define PS_SECURITY_DEBUG
Definition: ps.h:19
ULONG ActiveImpersonationInfo
Definition: pstypes.h:1112
FORCEINLINE VOID PspUnlockThreadSecurityShared(IN PETHREAD Thread)
Definition: ps_x.h:166
#define ObReferenceObject
Definition: obfuncs.h:204
#define PSTRACE(x, fmt,...)
Definition: ps.h:57
_In_ ACCESS_MASK _In_opt_ POBJECT_ATTRIBUTES _In_ BOOLEAN EffectiveOnly
Definition: sefuncs.h:417

Referenced by GetProcessLuid(), NtCloseObjectAuditAlarm(), NtOpenThreadTokenEx(), and SeCaptureSubjectContextEx().

◆ PsReferencePrimaryToken()

PACCESS_TOKEN NTAPI PsReferencePrimaryToken ( PEPROCESS  Process)

Definition at line 432 of file security.c.

433 {
435  PAGED_CODE();
436  PSTRACE(PS_SECURITY_DEBUG, "Process: %p\n", Process);
437 
438  /* Fast Reference the Token */
440 
441  /* Check if we got the Token or if we got locked */
442  if (!Token)
443  {
444  /* Lock the Process */
446 
447  /* Do a Locked Fast Reference */
449 
450  /* Unlock the Process */
452  }
453 
454  /* Return the Token */
455  return Token;
456 }
_IRQL_requires_same_ _In_ PLSA_STRING _In_ SECURITY_LOGON_TYPE _In_ ULONG _In_ ULONG _In_opt_ PTOKEN_GROUPS _In_ PTOKEN_SOURCE _Out_ PVOID _Out_ PULONG _Inout_ PLUID _Out_ PHANDLE Token
PVOID FASTCALL ObFastReferenceObject(IN PEX_FAST_REF FastRef)
Definition: obref.c:134
#define PAGED_CODE()
Definition: video.h:57
FORCEINLINE VOID PspUnlockProcessSecurityShared(IN PEPROCESS Process)
Definition: ps_x.h:122
#define PS_SECURITY_DEBUG
Definition: ps.h:19
FORCEINLINE VOID PspLockProcessSecurityShared(IN PEPROCESS Process)
Definition: ps_x.h:111
_Must_inspect_result_ _In_ PLARGE_INTEGER _In_ PLARGE_INTEGER _In_ ULONG _In_ PFILE_OBJECT _In_ PVOID Process
Definition: fsrtlfuncs.h:219
PVOID FASTCALL ObFastReferenceObjectLocked(IN PEX_FAST_REF FastRef)
Definition: obref.c:121
#define PSTRACE(x, fmt,...)
Definition: ps.h:57

Referenced by GetProcessLuid(), KsecGetKeyData(), NtCloseObjectAuditAlarm(), NtOpenThreadTokenEx(), NtSecureConnectPort(), PsOpenTokenOfProcess(), PspCreateProcess(), PspCreateThread(), PspExitThread(), PspInitializeProcessSecurity(), PspSetPrimaryToken(), SeCaptureSubjectContextEx(), SeExchangePrimaryToken(), SeIsTokenChild(), and SeIsTokenSibling().

◆ PsRestoreImpersonation()

VOID NTAPI PsRestoreImpersonation ( IN PETHREAD  Thread,
IN PSE_IMPERSONATION_STATE  ImpersonationState 
)

Definition at line 890 of file security.c.

892 {
893  PTOKEN Token = NULL;
894  PPS_IMPERSONATION_INFORMATION Impersonation;
895  PAGED_CODE();
897  "Thread: %p State: %p\n", Thread, ImpersonationState);
898 
899  /* Lock thread security */
901 
902  /* Get the impersonation info */
903  Impersonation = Thread->ImpersonationInfo;
904 
905  /* Check if we're impersonating */
907  {
908  /* Get the token */
909  Token = Impersonation->Token;
910  }
911 
912  /* Check if we have an impersonation state */
913  if (ImpersonationState)
914  {
915  /* Fill out the impersonation info */
916  Impersonation->ImpersonationLevel = ImpersonationState->Level;
917  Impersonation->CopyOnOpen = ImpersonationState->CopyOnOpen;
919  Impersonation->Token = ImpersonationState->Token;
920 
921  /* Enable impersonation */
923  }
924  else
925  {
926  /* Disable impersonation */
928  }
929 
930  /* Unlock the thread */
932 
933  /* Dereference the token */
935 }
SECURITY_IMPERSONATION_LEVEL ImpersonationLevel
Definition: pstypes.h:1003
FORCEINLINE VOID PspUnlockThreadSecurityExclusive(IN PETHREAD Thread)
Definition: ps_x.h:188
_Inout_ PSE_IMPERSONATION_STATE ImpersonationState
Definition: psfuncs.h:189
#define PspClearCrossThreadFlag(Thread, Flag)
Definition: ps_x.h:27
_IRQL_requires_same_ _In_ PLSA_STRING _In_ SECURITY_LOGON_TYPE _In_ ULONG _In_ ULONG _In_opt_ PTOKEN_GROUPS _In_ PTOKEN_SOURCE _Out_ PVOID _Out_ PULONG _Inout_ PLUID _Out_ PHANDLE Token
VOID NTAPI ObDereferenceObject(IN PVOID Object)
Definition: obref.c:375
#define PAGED_CODE()
Definition: video.h:57
PPS_IMPERSONATION_INFORMATION ImpersonationInfo
Definition: pstypes.h:1074
smooth NULL
Definition: ftsmooth.c:416
_In_opt_ PFILE_OBJECT _In_opt_ PETHREAD Thread
Definition: fltkernel.h:2653
#define PS_SECURITY_DEBUG
Definition: ps.h:19
ULONG ActiveImpersonationInfo
Definition: pstypes.h:1112
#define PspSetCrossThreadFlag(Thread, Flag)
Definition: ps_x.h:25
#define CT_ACTIVE_IMPERSONATION_INFO_BIT
Definition: pstypes.h:225
#define PSTRACE(x, fmt,...)
Definition: ps.h:57
FORCEINLINE VOID PspLockThreadSecurityExclusive(IN PETHREAD Thread)
Definition: ps_x.h:177
PACCESS_TOKEN Token
Definition: setypes.h:116
SECURITY_IMPERSONATION_LEVEL Level
Definition: setypes.h:119

Referenced by NtOpenThreadTokenEx().

◆ PsRevertThreadToSelf()

VOID NTAPI PsRevertThreadToSelf ( IN PETHREAD  Thread)

Definition at line 560 of file security.c.

561 {
562  PTOKEN Token = NULL;
563  PAGED_CODE();
564  PSTRACE(PS_SECURITY_DEBUG, "Thread: %p\n", Thread);
565 
566  /* Make sure we had impersonation information */
568  {
569  /* Lock the thread security */
571 
572  /* Make sure it's still active */
574  {
575  /* Disable impersonation */
577 
578  /* Get the token */
580  }
581 
582  /* Release thread security */
584 
585  /* Check if we had a token */
586  if (Token)
587  {
588  /* Dereference the impersonation token */
590 
591  /* Write impersonation info to the TEB */
593  }
594  }
595 }
FORCEINLINE VOID PspUnlockThreadSecurityExclusive(IN PETHREAD Thread)
Definition: ps_x.h:188
#define PsGetCurrentThread()
Definition: env_spec_w32.h:81
#define PspClearCrossThreadFlag(Thread, Flag)
Definition: ps_x.h:27
_IRQL_requires_same_ _In_ PLSA_STRING _In_ SECURITY_LOGON_TYPE _In_ ULONG _In_ ULONG _In_opt_ PTOKEN_GROUPS _In_ PTOKEN_SOURCE _Out_ PVOID _Out_ PULONG _Inout_ PLUID _Out_ PHANDLE Token
VOID NTAPI ObDereferenceObject(IN PVOID Object)
Definition: obref.c:375
#define PAGED_CODE()
Definition: video.h:57
PPS_IMPERSONATION_INFORMATION ImpersonationInfo
Definition: pstypes.h:1074
smooth NULL
Definition: ftsmooth.c:416
_In_opt_ PFILE_OBJECT _In_opt_ PETHREAD Thread
Definition: fltkernel.h:2653
#define PS_SECURITY_DEBUG
Definition: ps.h:19
ULONG ActiveImpersonationInfo
Definition: pstypes.h:1112
#define CT_ACTIVE_IMPERSONATION_INFO_BIT
Definition: pstypes.h:225
#define PSTRACE(x, fmt,...)
Definition: ps.h:57
FORCEINLINE VOID PspLockThreadSecurityExclusive(IN PETHREAD Thread)
Definition: ps_x.h:177
NTSTATUS NTAPI PspWriteTebImpersonationInfo(IN PETHREAD Thread, IN PETHREAD CurrentThread)
Definition: security.c:114

Referenced by PsAssignImpersonationToken(), and PsRevertToSelf().

◆ PsRevertToSelf()

VOID NTAPI PsRevertToSelf ( VOID  )

Definition at line 548 of file security.c.

549 {
550  /* Call the per-thread API */
551  PAGED_CODE();
553 }
#define PsGetCurrentThread()
Definition: env_spec_w32.h:81
VOID NTAPI PsRevertThreadToSelf(IN PETHREAD Thread)
Definition: security.c:560
#define PAGED_CODE()
Definition: video.h:57

Referenced by CmpCmdHiveOpen(), and VfdIoCtlThread().

◆ SeAssignPrimaryToken()

VOID NTAPI SeAssignPrimaryToken ( IN PEPROCESS  Process,
IN PTOKEN  Token 
)

Definition at line 862 of file token.c.

864 {
865  PAGED_CODE();
866 
867  /* Sanity checks */
868  ASSERT(Token->TokenType == TokenPrimary);
869  ASSERT(!Token->TokenInUse);
870 
871  /* Clean any previous token */
872  if (Process->Token.Object) SeDeassignPrimaryToken(Process);
873 
874  /* Set the new token */
876  Token->TokenInUse = TRUE;
878 }
#define TRUE
Definition: types.h:120
_IRQL_requires_same_ _In_ PLSA_STRING _In_ SECURITY_LOGON_TYPE _In_ ULONG _In_ ULONG _In_opt_ PTOKEN_GROUPS _In_ PTOKEN_SOURCE _Out_ PVOID _Out_ PULONG _Inout_ PLUID _Out_ PHANDLE Token
#define PAGED_CODE()
Definition: video.h:57
VOID FASTCALL ObInitializeFastReference(IN PEX_FAST_REF FastRef, IN PVOID Object)
Definition: obref.c:109
ASSERT((InvokeOnSuccess||InvokeOnError||InvokeOnCancel) ?(CompletionRoutine !=NULL) :TRUE)
VOID NTAPI SeDeassignPrimaryToken(PEPROCESS Process)
Definition: token.c:313
_Must_inspect_result_ _In_ PLARGE_INTEGER _In_ PLARGE_INTEGER _In_ ULONG _In_ PFILE_OBJECT _In_ PVOID Process
Definition: fsrtlfuncs.h:219
#define ObReferenceObject
Definition: obfuncs.h:204

Referenced by PspInitializeProcessSecurity().

Variable Documentation

◆ PspBootAccessToken

PTOKEN PspBootAccessToken

Definition at line 17 of file security.c.

Referenced by PspInitializeProcessSecurity(), and PspInitPhase0().