ReactOS  0.4.14-dev-606-g14ebc0b
security.c File Reference
#include <ntoskrnl.h>
#include <debug.h>


Macros

#define NDEBUG
 

Functions

VOID NTAPI SeAssignPrimaryToken (IN PEPROCESS Process, IN PTOKEN Token)
 
VOID NTAPI PspDeleteProcessSecurity (IN PEPROCESS Process)
 
VOID NTAPI PspDeleteThreadSecurity (IN PETHREAD Thread)
 
NTSTATUS NTAPI PspInitializeProcessSecurity (IN PEPROCESS Process, IN PEPROCESS Parent OPTIONAL)
 
NTSTATUS NTAPI PspWriteTebImpersonationInfo (IN PETHREAD Thread, IN PETHREAD CurrentThread)
 
NTSTATUS NTAPI PspAssignPrimaryToken (IN PEPROCESS Process, IN HANDLE Token, IN PACCESS_TOKEN AccessToken OPTIONAL)
 
NTSTATUS NTAPI PspSetPrimaryToken (IN PEPROCESS Process, IN HANDLE TokenHandle OPTIONAL, IN PACCESS_TOKEN Token OPTIONAL)
 
NTSTATUS NTAPI NtOpenProcessToken (IN HANDLE ProcessHandle, IN ACCESS_MASK DesiredAccess, OUT PHANDLE TokenHandle)
 
NTSTATUS NTAPI NtOpenProcessTokenEx (IN HANDLE ProcessHandle, IN ACCESS_MASK DesiredAccess, IN ULONG HandleAttributes, OUT PHANDLE TokenHandle)
 
PACCESS_TOKEN NTAPI PsReferencePrimaryToken (PEPROCESS Process)
 
NTSTATUS NTAPI PsOpenTokenOfProcess (IN HANDLE ProcessHandle, OUT PACCESS_TOKEN *Token)
 
NTSTATUS NTAPI PsAssignImpersonationToken (IN PETHREAD Thread, IN HANDLE TokenHandle)
 
VOID NTAPI PsRevertToSelf (VOID)
 
VOID NTAPI PsRevertThreadToSelf (IN PETHREAD Thread)
 
NTSTATUS NTAPI PsImpersonateClient (IN PETHREAD Thread, IN PACCESS_TOKEN Token, IN BOOLEAN CopyOnOpen, IN BOOLEAN EffectiveOnly, IN SECURITY_IMPERSONATION_LEVEL ImpersonationLevel)
 
PACCESS_TOKEN NTAPI PsReferenceEffectiveToken (IN PETHREAD Thread, OUT IN PTOKEN_TYPE TokenType, OUT PBOOLEAN EffectiveOnly, OUT PSECURITY_IMPERSONATION_LEVEL ImpersonationLevel)
 
PACCESS_TOKEN NTAPI PsReferenceImpersonationToken (IN PETHREAD Thread, OUT PBOOLEAN CopyOnOpen, OUT PBOOLEAN EffectiveOnly, OUT PSECURITY_IMPERSONATION_LEVEL ImpersonationLevel)
 
VOID NTAPI PsDereferenceImpersonationToken (IN PACCESS_TOKEN ImpersonationToken)
 
VOID NTAPI PsDereferencePrimaryToken (IN PACCESS_TOKEN PrimaryToken)
 
BOOLEAN NTAPI PsDisableImpersonation (IN PETHREAD Thread, OUT PSE_IMPERSONATION_STATE ImpersonationState)
 
VOID NTAPI PsRestoreImpersonation (IN PETHREAD Thread, IN PSE_IMPERSONATION_STATE ImpersonationState)
 
NTSTATUS NTAPI NtImpersonateThread (IN HANDLE ThreadHandle, IN HANDLE ThreadToImpersonateHandle, IN PSECURITY_QUALITY_OF_SERVICE SecurityQualityOfService)
 

Variables

PTOKEN PspBootAccessToken
 

Macro Definition Documentation

◆ NDEBUG

#define NDEBUG

Definition at line 14 of file security.c.

Function Documentation

◆ NtImpersonateThread()

NTSTATUS NTAPI NtImpersonateThread ( IN HANDLE  ThreadHandle,
IN HANDLE  ThreadToImpersonateHandle,
IN PSECURITY_QUALITY_OF_SERVICE  SecurityQualityOfService 
)

Definition at line 947 of file security.c.

/*
 * NtImpersonateThread: make the thread behind ThreadHandle impersonate the
 * security context of the thread behind ThreadToImpersonateHandle, using the
 * caller-supplied SECURITY_QUALITY_OF_SERVICE. Returns the NTSTATUS of the
 * first step that fails, otherwise the status of the client-security creation.
 *
 * NOTE(review): this rendered listing drops several source lines (the gutter
 * numbers jump at 952-953, 955-956, 958, 969, 976, 979, 986, 995, 1010 and
 * 1023). Among the missing lines are the declarations of Thread, ClientContext,
 * Status and PreviousMode, the PSTRACE opener, the exception filter and the
 * yielding return, the DesiredAccess argument of both handle references, the
 * call that performs the impersonation, and the dereference of Thread.
 * The comments below describe only what is visible here.
 */
950 {
951  SECURITY_QUALITY_OF_SERVICE SafeServiceQoS;
954  PETHREAD ThreadToImpersonate;
957  PAGED_CODE();
959  "Threads: %p %p\n", ThreadHandle, ThreadToImpersonateHandle);
960 
961  /* Check if call came from user mode: only user-mode pointers are probed */
962  if (PreviousMode != KernelMode)
963  {
964  /* Enter SEH for probing */
965  _SEH2_TRY
966  {
967  /* Probe QoS for read with ULONG alignment (the length argument is on
968  the dropped line 969 — presumably sizeof(*SecurityQualityOfService)) */
968  ProbeForRead(SecurityQualityOfService,
970  sizeof(ULONG));
971 
972  /* Capture it: the user structure is copied once into a kernel-stack
972  copy and the parameter is redirected to that copy, so every later
972  read (SeCreateClientSecurity below) sees the same values even if
972  user mode changes the original buffer concurrently */
973  SafeServiceQoS = *SecurityQualityOfService;
974  SecurityQualityOfService = &SafeServiceQoS;
975  }
977  {
978  /* Return the exception code (the yield itself is on dropped line 979) */
980  }
981  _SEH2_END;
982  }
983 
984  /* Reference the thread; the access mask requested is on dropped line 986 */
985  Status = ObReferenceObjectByHandle(ThreadHandle,
987  PsThreadType,
988  PreviousMode,
989  (PVOID*)&Thread,
990  NULL);
991  if (NT_SUCCESS(Status))
992  {
993  /* Reference the thread to be impersonated; its access mask is on dropped line 995 */
994  Status = ObReferenceObjectByHandle(ThreadToImpersonateHandle,
996  PsThreadType,
997  PreviousMode,
998  (PVOID*)&ThreadToImpersonate,
999  NULL);
1000  if (NT_SUCCESS(Status))
1001  {
1002  /* Create a client security context from the target thread and the
1002  (captured) QoS; RemoteClient is passed as 0 */
1003  Status = SeCreateClientSecurity(ThreadToImpersonate,
1004  SecurityQualityOfService,
1005  0,
1006  &ClientContext);
1007  if (NT_SUCCESS(Status))
1008  {
1009  /* Do the impersonation (the call is on dropped line 1010) */
1011  if (ClientContext.ClientToken)
1012  {
1013  /* Dereference the client token if we had one — the context's token
1013  reference is not needed once the impersonation has been applied */
1014  ObDereferenceObject(ClientContext.ClientToken);
1015  }
1016  }
1017 
1018  /* Dereference the thread to impersonate */
1019  ObDereferenceObject(ThreadToImpersonate);
1020  }
1021 
1022  /* Dereference the main thread (the call is on dropped line 1023) */
1024  }
1025 
1026  /* Return status */
1027  return Status;
1028 }

Referenced by CsrImpersonateClient().

◆ NtOpenProcessToken()

NTSTATUS NTAPI NtOpenProcessToken ( IN HANDLE  ProcessHandle,
IN ACCESS_MASK  DesiredAccess,
OUT PHANDLE  TokenHandle 
)

Definition at line 350 of file security.c.

/*
 * NtOpenProcessToken: legacy entry point. Forwards to NtOpenProcessTokenEx
 * with HandleAttributes fixed to 0; the first two arguments and the return
 * statement are on the dropped lines 355-356 of this rendered listing.
 */
353 {
354  /* Call the newer API (the return and first arguments are on dropped lines) */
357  0,
358  TokenHandle);
359 }

Referenced by CheckTokenMembership(), CsrGetProcessLuid(), CsrSetProcessSecurity(), GetCallerLuid(), LsapIsTrustedClient(), OpenProcessToken(), RtlCreateUserSecurityObject(), RtlDefaultNpAcl(), SmpAcquirePrivilege(), START_TEST(), and test8().

◆ NtOpenProcessTokenEx()

NTSTATUS NTAPI NtOpenProcessTokenEx ( IN HANDLE  ProcessHandle,
IN ACCESS_MASK  DesiredAccess,
IN ULONG  HandleAttributes,
OUT PHANDLE  TokenHandle 
)

Definition at line 366 of file security.c.

/*
 * NtOpenProcessTokenEx: open a handle to the primary token of the process
 * behind ProcessHandle and return it through TokenHandle. Returns the status
 * of the first failing step (probe, token lookup, handle creation, or the
 * final write into the caller's buffer).
 *
 * NOTE(review): the rendered listing drops lines 371, 373-374, 376, 386,
 * 388, 391, 397, 400, 404-405, 407-409, 411, 422 and 425. These include the
 * declarations of Token, PreviousMode and Status, the PSTRACE opener, the
 * probe of TokenHandle, both exception filters, the HandleAttributes
 * validation, the call that obtains the token, the call that opens the
 * handle and the dereference of the token pointer. Comments below describe
 * only what is visible.
 */
370 {
372  HANDLE hToken;
375  PAGED_CODE();
377  "Process: %p DesiredAccess: %lx\n", ProcessHandle, DesiredAccess);
378 
379  /* Check if caller was user-mode: only then is the output pointer probed */
380  if (PreviousMode != KernelMode)
381  {
382  /* Enter SEH for probing */
383  _SEH2_TRY
384  {
385  /* Probe the token handle for write (call on dropped line 386) — done
385  before any object is opened, so a bad pointer fails with nothing to undo */
387  }
389  {
390  /* Return the exception code (yield on dropped line 391) */
392  }
393  _SEH2_END;
394  }
395 
396  /* Validate object attributes (dropped line 397) */
398 
399  /* Open the process token (dropped line 400) */
401  if (NT_SUCCESS(Status))
402  {
403  /* Reference it by handle and dereference the pointer: the handle-open call
403  and its first arguments are on dropped lines 404-409; the pointer
403  dereference is on dropped line 411 */
406  NULL,
409  PreviousMode,
410  &hToken);
412 
413  /* Make sure we got a handle */
414  if (NT_SUCCESS(Status))
415  {
416  /* Enter SEH for write: the caller's buffer may have been unmapped since the probe */
417  _SEH2_TRY
418  {
419  /* Return the handle */
420  *TokenHandle = hToken;
421  }
423  {
424  /* Get exception code. NOTE(review): on this path hToken has already
424  been inserted into the caller's handle table and nothing in the
424  visible lines closes it, so the caller receives a failure status
424  while the handle remains open — confirm this is intended */
426  }
427  _SEH2_END;
428  }
429  }
430 
431  /* Return status */
432  return Status;
433 }

Referenced by NtOpenProcessToken(), and START_TEST().

◆ PsAssignImpersonationToken()

NTSTATUS NTAPI PsAssignImpersonationToken ( IN PETHREAD  Thread,
IN HANDLE  TokenHandle 
)

Definition at line 502 of file security.c.

/*
 * PsAssignImpersonationToken: assign the token behind TokenHandle as the
 * impersonation token of Thread, or revert the thread to itself when
 * TokenHandle is NULL. Returns STATUS_SUCCESS on the revert path, the
 * handle-reference status on lookup failure, STATUS_BAD_TOKEN_TYPE for a
 * token that is not an impersonation token, else the status of the
 * impersonation call.
 *
 * NOTE(review): the rendered listing drops lines 505-507, 515, 520-523, 529,
 * 532, 537, 540, 544 and 547: the local declarations, the revert call, the
 * handle reference (including the access mask requested on the token), the
 * token-type comparison, both dereferences of the token, the impersonation
 * level query and the opener of the impersonation call. Comments below
 * describe only what is visible.
 */
504 {
508  PAGED_CODE();
509  PSTRACE(PS_SECURITY_DEBUG, "Thread: %p Token: %p\n", Thread, TokenHandle);
510 
511  /* Check if we were given a handle */
512  if (!TokenHandle)
513  {
514  /* Undo impersonation (call on dropped line 515) and report success */
516  return STATUS_SUCCESS;
517  }
518 
519  /* Get the token object: the handle reference and the access mask it asks
519  for are on dropped lines 520-523 */
524  (PVOID*)&Token,
525  NULL);
526  if (!NT_SUCCESS(Status)) return(Status);
527 
528  /* Make sure it's an impersonation token (comparison on dropped line 529):
528  a primary token must not be installed as a thread impersonation token */
530  {
531  /* Fail: drop the reference taken above (dropped line 532) */
533  return STATUS_BAD_TOKEN_TYPE;
534  }
535 
536  /* Get the impersonation level from the token itself (dropped line 537) */
538 
539  /* Call the impersonation API with CopyOnOpen = FALSE and EffectiveOnly = FALSE;
539  the level is passed on dropped line 544 */
541  Token,
542  FALSE,
543  FALSE,
545 
546  /* Dereference the token and return status: the impersonation call is
546  presumed to take its own reference to the token — verify */
548  return Status;
549 }

Referenced by NtSetInformationThread().

◆ PsDereferenceImpersonationToken()

VOID NTAPI PsDereferenceImpersonationToken ( IN PACCESS_TOKEN  ImpersonationToken)

Definition at line 821 of file security.c.

/*
 * PsDereferenceImpersonationToken: drop one reference on an impersonation
 * token. NULL is accepted and ignored, so callers may pass the result of a
 * lookup that found no token.
 */
822 {
823  PAGED_CODE();
824 
825  /* If we got a token, dereference it */
826  if (ImpersonationToken) ObDereferenceObject(ImpersonationToken);
827 }

Referenced by NtCloseObjectAuditAlarm(), NtOpenThreadTokenEx(), PsImpersonateClient(), and SeReleaseSubjectContext().

◆ PsDereferencePrimaryToken()

VOID NTAPI PsDereferencePrimaryToken ( IN PACCESS_TOKEN  PrimaryToken)

Definition at line 835 of file security.c.

/*
 * PsDereferencePrimaryToken: drop one reference on a primary token.
 * Unlike PsDereferenceImpersonationToken there is no NULL check here, so
 * PrimaryToken must be a valid object pointer.
 */
836 {
837  PAGED_CODE();
838 
839  /* Dereference the token (unconditionally) */
840  ObDereferenceObject(PrimaryToken);
841 }

Referenced by KsecGetKeyData(), NtCloseObjectAuditAlarm(), NtSecureConnectPort(), and SeExchangePrimaryToken().

◆ PsDisableImpersonation()

BOOLEAN NTAPI PsDisableImpersonation ( IN PETHREAD  Thread,
OUT PSE_IMPERSONATION_STATE  ImpersonationState 
)

Definition at line 848 of file security.c.

/*
 * PsDisableImpersonation: turn off impersonation on Thread and save what was
 * active into *ImpersonationState so it can be restored later. Returns TRUE
 * when impersonation was active and its state was captured, FALSE otherwise
 * (in which case the state is cleared).
 *
 * NOTE(review): the rendered listing drops lines 854, 858, 861, 865, 874,
 * 879 and 886-889: the PSTRACE opener, the unlocked test of the thread's
 * active-impersonation flag, the lock and unlock calls, the flag argument of
 * the clear call, the EffectiveOnly copy and the statements that clear the
 * state on the FALSE path. Comments below describe only what is visible.
 */
850 {
851  PPS_IMPERSONATION_INFORMATION Impersonation = NULL;
852  LONG OldFlags;
853  PAGED_CODE();
855  "Thread: %p State: %p\n", Thread, ImpersonationState);
856 
857  /* Check if we don't have impersonation (test on dropped line 858) */
859  {
860  /* Lock thread security (call on dropped line 861) */
862 
863  /* Disable impersonation: atomically clear the flag and keep the previous
864  flag word, so the decision below is based on what we actually cleared */
864  OldFlags = PspClearCrossThreadFlag(Thread,
866 
867  /* Make sure nobody disabled it behind our back: only the caller that
867  observed the bit set in OldFlags owns the saved state */
868  if (OldFlags & CT_ACTIVE_IMPERSONATION_INFO_BIT)
869  {
870  /* Copy the old state. NOTE(review): the token pointer is copied without
870  a new reference being taken in the visible lines, so the reference held
870  by the thread's impersonation info presumably moves to the caller's
870  state block — verify against PsRestoreImpersonation */
871  Impersonation = Thread->ImpersonationInfo;
872  ImpersonationState->Token = Impersonation->Token;
873  ImpersonationState->CopyOnOpen = Impersonation->CopyOnOpen;
875  ImpersonationState->Level = Impersonation->ImpersonationLevel;
876  }
877 
878  /* Unlock thread security (call on dropped line 879) */
880 
881  /* If we had impersonation info, return true */
882  if (Impersonation) return TRUE;
883  }
884 
885  /* Clear everything (assignments on dropped lines 886-889) */
890  return FALSE;
891 }

Referenced by NtOpenThreadTokenEx().

◆ PsImpersonateClient()

NTSTATUS NTAPI PsImpersonateClient ( IN PETHREAD  Thread,
IN PACCESS_TOKEN  Token,
IN BOOLEAN  CopyOnOpen,
IN BOOLEAN  EffectiveOnly,
IN SECURITY_IMPERSONATION_LEVEL  ImpersonationLevel 
)

Definition at line 610 of file security.c.

/*
 * PsImpersonateClient: install Token as the impersonation token of Thread
 * with the given CopyOnOpen / EffectiveOnly / ImpersonationLevel, or revert
 * the thread to itself when Token is NULL. Returns STATUS_SUCCESS, or
 * STATUS_INSUFFICIENT_RESOURCES when the per-thread impersonation block
 * cannot be allocated. Any previously installed token is dereferenced on the
 * way out.
 *
 * NOTE(review): the rendered listing drops lines 625, 628, 631, 634-635,
 * 642-643, 655, 659, 675, 678, 686, 694, 697 and 700: the tests of the
 * thread's active-impersonation flag, the lock/unlock calls, the flag
 * clear/set calls, the pool tag, the interlocked exchange that publishes the
 * new info block, the reference taken on Token and the TEB write calls.
 * Comments below describe only what is visible.
 */
615 {
616  PPS_IMPERSONATION_INFORMATION Impersonation, OldData;
617  PTOKEN OldToken = NULL;
618  PAGED_CODE();
619  PSTRACE(PS_SECURITY_DEBUG, "Thread: %p, Token: %p\n", Thread, Token);
620 
621  /* Check if we don't have a token: NULL means "stop impersonating" */
622  if (!Token)
623  {
624  /* Make sure we're impersonating (unlocked test on dropped line 625) */
626  {
627  /* We seem to be, lock the thread (dropped line 628) */
629 
630  /* Make sure we're still impersonating (re-test under the lock, dropped line 631) */
632  {
633  /* Disable impersonation (flag clear on dropped lines 634-635) */
636 
637  /* Get the token so it can be dereferenced once the lock is released */
638  OldToken = Thread->ImpersonationInfo->Token;
639  }
640 
641  /* Unlock the thread and write TEB information (dropped lines 642-643) */
644  }
645  }
646  else
647  {
648  /* Check if we have impersonation info */
649  Impersonation = Thread->ImpersonationInfo;
650  if (!Impersonation)
651  {
652  /* We need to allocate a new one (pool tag on dropped line 655) */
653  Impersonation = ExAllocatePoolWithTag(PagedPool,
654  sizeof(*Impersonation),
656  if (!Impersonation) return STATUS_INSUFFICIENT_RESOURCES;
657 
658  /* Update the pointer: publish our block only if the field is still NULL
658  (interlocked compare-exchange on dropped line 659) */
660  ImpersonationInfo,
661  Impersonation,
662  NULL);
663  if (OldData)
664  {
665  /* Someone beat us to it, free our copy and use the published block */
666  ExFreePoolWithTag(Impersonation, TAG_PS_IMPERSONATION);
667  Impersonation = OldData;
668  }
669  }
670 
671  /* Check if this is a job, which we don't support yet.
671  NOTE(review): ASSERT is presumably compiled out in non-debug builds, in
671  which case a thread of a job-assigned process falls through and the token
671  is installed without any job-related restriction — confirm */
672  if (Thread->ThreadsProcess->Job) ASSERT(FALSE);
673 
674  /* Lock thread security (dropped line 675) */
676 
677  /* Check if we're impersonating (test on dropped line 678) */
679  {
680  /* Get the token currently installed so it can be released below */
681  OldToken = Impersonation->Token;
682  }
683  else
684  {
685  /* Otherwise, enable impersonation (flag set on dropped line 686) */
687  }
688 
689  /* Now fill it out: the caller's parameters become the thread's state;
689  the reference that keeps Token alive is presumably taken on dropped
689  line 694 — verify */
690  Impersonation->ImpersonationLevel = ImpersonationLevel;
691  Impersonation->CopyOnOpen = CopyOnOpen;
692  Impersonation->EffectiveOnly = EffectiveOnly;
693  Impersonation->Token = Token;
695 
696  /* Unlock the thread (dropped line 697) */
698 
699  /* Write impersonation info to the TEB (dropped line 700) */
701  }
702 
703  /* Dereference the old token (outside the lock) and return success */
704  if (OldToken) PsDereferenceImpersonationToken(OldToken);
705  return STATUS_SUCCESS;
706 }

Referenced by NtOpenThreadTokenEx(), PsAssignImpersonationToken(), and SeImpersonateClientEx().

◆ PsOpenTokenOfProcess()

NTSTATUS NTAPI PsOpenTokenOfProcess ( IN HANDLE  ProcessHandle,
OUT PACCESS_TOKEN Token 
)

Definition at line 471 of file security.c.

/*
 * PsOpenTokenOfProcess: resolve ProcessHandle to a process object and return
 * a referenced pointer to its primary token through *Token. Returns the
 * status of the handle reference; *Token is written only on success.
 *
 * NOTE(review): the rendered listing drops lines 474-475, 480-483 and
 * 489-490: the local declarations, the handle reference (including the
 * access mask requested on the process), the token reference and the process
 * dereference. Comments below describe only what is visible.
 */
473 {
476  PAGED_CODE();
477  PSTRACE(PS_SECURITY_DEBUG, "Process: %p\n", ProcessHandle);
478 
479  /* Get the Token: reference the process by handle first (dropped lines 480-483) */
484  (PVOID*)&Process,
485  NULL);
486  if (NT_SUCCESS(Status))
487  {
488  /* Reference the token and dereference the process (dropped lines 489-490);
488  the caller owns the token reference returned in *Token and is expected
488  to release it — presumably with PsDereferencePrimaryToken, verify */
491  }
492 
493  /* Return */
494  return Status;
495 }

Referenced by NtOpenProcessTokenEx().

◆ PspAssignPrimaryToken()

NTSTATUS NTAPI PspAssignPrimaryToken ( IN PEPROCESS  Process,
IN HANDLE  Token,
IN PACCESS_TOKEN AccessToken  OPTIONAL 
)

Definition at line 178 of file security.c.

/*
 * PspAssignPrimaryToken: exchange the primary token of Process for the token
 * given either as an object pointer (AccessToken) or, when that is NULL, as a
 * handle (Token). Returns the handle-reference status on lookup failure,
 * otherwise the status of the exchange.
 *
 * NOTE(review): the rendered listing drops lines 183, 191-194 and 204-205:
 * the Status declaration, the handle reference (including the access mask
 * requested on the token handle) and the lock/unlock pair. Comments below
 * describe only what is visible.
 */
181 {
182  PACCESS_TOKEN NewToken = AccessToken, OldToken;
184  PAGED_CODE();
185  PSTRACE(PS_SECURITY_DEBUG, "Process: %p Token: %p\n", Process, Token);
186 
187  /* Check if we don't have a pointer */
188  if (!AccessToken)
189  {
190  /* Reference it from the handle (call and access mask on dropped lines 191-194) */
195  &NewToken,
196  NULL);
197  if (!NT_SUCCESS(Status)) return Status;
198  }
199 
200  /* Exchange tokens: OldToken receives the previous primary token */
201  Status = SeExchangePrimaryToken(Process, NewToken, &OldToken);
202 
203  /* Acquire and release the lock (dropped lines 204-205) — presumably so
203  that nobody is still inside a locked section that read the old token;
203  verify */
206 
207  /* Dereference Tokens and Return: OldToken is only valid when the exchange
207  succeeded; the handle-derived reference on NewToken is ours to drop only
207  when the caller did not pass an object pointer */
208  if (NT_SUCCESS(Status)) ObDereferenceObject(OldToken);
209  if (!AccessToken) ObDereferenceObject(NewToken);
210  return Status;
211 }

Referenced by PspSetPrimaryToken().

◆ PspDeleteProcessSecurity()

VOID NTAPI PspDeleteProcessSecurity ( IN PEPROCESS  Process)

Definition at line 30 of file security.c.

/*
 * PspDeleteProcessSecurity: release the primary token of a process that is
 * being deleted. No-op when the process has no token object.
 *
 * NOTE(review): the rendered listing drops line 39 (the deassign call).
 */
31 {
32  PAGED_CODE();
33  PSTRACE(PS_SECURITY_DEBUG, "Process: %p\n", Process);
34 
35  /* Check if we have a token (the object pointer of the fast reference) */
36  if (Process->Token.Object)
37  {
38  /* Deassign it (call on dropped line 39) and clear the pointer so a
38  later pass cannot release it twice */
40  Process->Token.Object = NULL;
41  }
42 }

Referenced by PspDeleteProcess().

◆ PspDeleteThreadSecurity()

VOID NTAPI PspDeleteThreadSecurity ( IN PETHREAD  Thread)

Definition at line 46 of file security.c.

/*
 * PspDeleteThreadSecurity: release the impersonation state of a thread that
 * is being deleted — the token reference if impersonation was active, and
 * the impersonation info block if one was ever allocated.
 *
 * NOTE(review): the rendered listing drops lines 48, 53 and 64-65: the
 * ImpersonationInfo local's initialisation, the active-impersonation test and
 * the flag clear / pointer reset after the free.
 */
47 {
49  PAGED_CODE();
50  PSTRACE(PS_SECURITY_DEBUG, "Thread: %p\n", Thread);
51 
52  /* Check if we have active impersonation info (test on dropped line 53) */
54  {
55  /* Dereference its token: only an active impersonation holds a reference */
56  ObDereferenceObject(ImpersonationInfo->Token);
57  }
58 
59  /* Check if we have impersonation info (allocated lazily, kept after revert) */
60  if (ImpersonationInfo)
61  {
62  /* Free it. NOTE(review): this is an untagged ExFreePool while the block is
62  allocated with ExAllocatePoolWithTag / freed with ExFreePoolWithTag in
62  PsImpersonateClient; consider ExFreePoolWithTag here for consistency */
63  ExFreePool(ImpersonationInfo);
66  }
67 }

Referenced by PspDeleteThread().

◆ PspInitializeProcessSecurity()

NTSTATUS NTAPI PspInitializeProcessSecurity ( IN PEPROCESS  Process,
IN PEPROCESS Parent  OPTIONAL 
)

Definition at line 71 of file security.c.

/*
 * PspInitializeProcessSecurity: give a new process its primary token. With a
 * parent, the token is derived from the parent's primary token; without one,
 * the boot token is assigned. Returns the status of the token derivation
 * when a parent is given, otherwise the initial value of Status (its
 * declaration is on dropped line 74 — presumably STATUS_SUCCESS, verify).
 *
 * NOTE(review): the rendered listing also drops line 89 (the session id
 * argument of the derivation call) and lines 104-105 (the boot-token
 * assignment). Comments below describe only what is visible.
 */
73 {
75  PTOKEN NewToken, ParentToken;
76  PAGED_CODE();
77  PSTRACE(PS_SECURITY_DEBUG, "Process: %p\n", Process);
78 
79  /* If we have a parent, then duplicate the Token */
80  if (Parent)
81  {
82  /* Get the Parent Token (returns a referenced pointer) */
83  ParentToken = PsReferencePrimaryToken(Parent);
84 
85  /* Duplicate it: InUse = TRUE; the session id is on dropped line 89 */
86  Status = SeSubProcessToken(ParentToken,
87  &NewToken,
88  TRUE,
90 
91  /* Dereference the Parent token via the fast-reference it came from */
92  ObFastDereferenceObject(&Parent->Token, ParentToken);
93 
94  /* Set the new Token */
95  if (NT_SUCCESS(Status))
96  {
97  /* Initialize the fast reference with the freshly derived token */
98  ObInitializeFastReference(&Process->Token, NewToken);
99  }
100  }
101  else
102  {
103  /* No parent, assign the Boot Token (dropped lines 104-105) */
106  }
107 
108  /* Return to caller */
109  return Status;
110 }

Referenced by PspCreateProcess().

◆ PspSetPrimaryToken()

NTSTATUS NTAPI PspSetPrimaryToken ( IN PEPROCESS  Process,
IN HANDLE TokenHandle  OPTIONAL,
IN PACCESS_TOKEN Token  OPTIONAL 
)

Definition at line 215 of file security.c.

/*
 * PspSetPrimaryToken: replace the primary token of Process with Token, or
 * with the token behind TokenHandle when Token is NULL. A token that is
 * neither a child nor a sibling of the current process token may only be
 * assigned by a caller holding the assign-primary-token privilege. After the
 * assignment the process's own GrantedAccess is recomputed against the new
 * token. Returns the status of the first failing step.
 *
 * NOTE(review): the rendered listing drops lines 219, 222, 224-225, 232-234,
 * 268, 273, 278, 285-286, 292, 296-297, 299, 302, 308, 310, 317-326 and 335:
 * the local declarations, the handle reference and its access mask, the
 * privilege check and its failure return, the assignment call, the security
 * descriptor fetch and release, the subject context's primary token, the
 * access-check opener and its DesiredAccess / generic mapping, the list of
 * baseline rights and the device-map dereference. Comments below describe
 * only what is visible.
 */
218 {
220  BOOLEAN IsChildOrSibling;
221  PACCESS_TOKEN NewToken = Token;
223  BOOLEAN Result, SdAllocated;
226 
227  PSTRACE(PS_SECURITY_DEBUG, "Process: %p Token: %p\n", Process, Token);
228 
229  /* Reference the token by handle if we don't already have a token object
229  (the call and the access mask it requests are on dropped lines 232-234) */
230  if (!Token)
231  {
235  PreviousMode,
236  (PVOID*)&NewToken,
237  NULL);
238  if (!NT_SUCCESS(Status)) return Status;
239  }
240 
241  /*
242  * Check whether this token is a child or sibling of the current process token.
243  * NOTE: On Windows Vista+ both of these checks (together with extra steps)
244  * are now performed by a new SeIsTokenAssignableToProcess() helper.
245  */
246  Status = SeIsTokenChild(NewToken, &IsChildOrSibling);
247  if (!NT_SUCCESS(Status))
248  {
249  /* Failed, dereference the reference we took ourselves */
250  if (!Token) ObDereferenceObject(NewToken);
251  return Status;
252  }
253  if (!IsChildOrSibling)
254  {
255  Status = SeIsTokenSibling(NewToken, &IsChildOrSibling);
256  if (!NT_SUCCESS(Status))
257  {
258  /* Failed, dereference */
259  if (!Token) ObDereferenceObject(NewToken);
260  return Status;
261  }
262  }
263 
264  /* Check if this was an independent token */
265  if (!IsChildOrSibling)
266  {
267  /* Make sure we have the privilege to assign a new one (privilege check on
267  dropped line 268, evaluated against PreviousMode; the failure return is
267  on dropped line 273) */
269  PreviousMode))
270  {
271  /* Failed, dereference */
272  if (!Token) ObDereferenceObject(NewToken);
274  }
275  }
276 
277  /* Assign the token (call on dropped line 278) */
279  if (NT_SUCCESS(Status))
280  {
281  /*
282  * We need to completely reverify if the process still has access to
283  * itself under this new token. NOTE(review): if fetching the security
284  * descriptor (dropped lines 285-286) fails, that failure is what is
284  * returned even though the token has already been assigned above —
284  * confirm that callers expect this.
284  */
287  &SdAllocated);
288  if (NT_SUCCESS(Status))
289  {
290  /* Setup the security context (primary token on dropped line 292) */
291  SubjectContext.ProcessAuditId = Process;
293  SubjectContext.ClientToken = NULL;
294 
295  /* Do the access check (opener, DesiredAccess and generic mapping on
295  dropped lines 296-302); GrantedAccess is written straight into the
295  process object */
298  FALSE,
300  0,
301  NULL,
303  PreviousMode,
304  &Process->GrantedAccess,
305  &AccessStatus);
306 
307  /* Dereference the token and let go of the SD (dropped lines 308 and 310) */
309  SubjectContext.PrimaryToken);
311 
312  /* Remove access if it failed: the BOOLEAN result decides, not AccessStatus */
313  if (!Result) Process->GrantedAccess = 0;
314 
315  /* Setup granted access: a baseline set of rights (list on dropped lines
315  317-326) is OR'd in regardless of whether the check above passed */
316  Process->GrantedAccess |= (PROCESS_VM_OPERATION |
327  }
328 
329  /*
330  * In case LUID device maps are enabled, we may not be using
331  * system device map for this process, but a logon LUID based
332  * device map. Because we change primary token, this usage is
333  * no longer valid, so dereference the process device map (dropped line 335)
334  */
336  }
337 
338  /* Dereference the token if the reference was taken from the handle above */
339  if (!Token) ObDereferenceObject(NewToken);
340  return Status;
341 }

Referenced by NtSetInformationProcess().

◆ PspWriteTebImpersonationInfo()

NTSTATUS NTAPI PspWriteTebImpersonationInfo ( IN PETHREAD  Thread,
IN PETHREAD  CurrentThread 
)

Definition at line 114 of file security.c.

/*
 * PspWriteTebImpersonationInfo
 *
 * Mirrors the thread's current impersonation status into its TEB so that
 * user-mode code can observe it: Teb->IsImpersonating and
 * Teb->ImpersonationLocale are written from Thread->ActiveImpersonationInfo.
 * Always returns STATUS_SUCCESS; a thread with no TEB, or a foreign thread
 * whose rundown protection cannot be taken, is skipped silently.
 *
 * Thread        - thread whose TEB is updated.
 * CurrentThread - must be PsGetCurrentThread() (asserted below); decides
 *                 whether the target is a foreign thread needing rundown
 *                 protection.
 *
 * NOTE: the TEB lives in the owning process's user-mode address space (which
 * is why the code attaches to that process below). These fields are advisory
 * for user mode only and are not a trust input for any kernel-side decision.
 *
 * NOTE: this rendered listing omits the hyperlinked source lines (the
 * declarations of Process/ApcState/Attached and the attach, rundown and
 * detach calls); consult the source file for the full body.
 */
116 {
118  PTEB Teb;
120  BOOLEAN IsImpersonating;
122  PAGED_CODE();
123  PSTRACE(PS_SECURITY_DEBUG, "Thread: %p\n", Thread);
124 
125  /* Sanity check */
126  ASSERT(CurrentThread == PsGetCurrentThread());
127 
128  /* Get process and TEB */
129  Process = Thread->ThreadsProcess;
130  Teb = Thread->Tcb.Teb;
131  if (Teb)
132  {
133  /* Check if we're not in the right process */
134  if (Thread->Tcb.ApcState.Process != &Process->Pcb)
135  {
136  /* Attach to the process: the TEB must be written from within the
137  * owner's address space */
138  Attached = TRUE;
139  }
140 
141  /* Check if we're in a different thread or acquire rundown.
142  * For a foreign thread, rundown protection keeps the thread (and its
143  * TEB) from being torn down while we write.
144  * NOTE(review): the release below runs whenever Thread != CurrentThread;
145  * confirm it is not reached when the acquire in the omitted line fails. */
142  if ((Thread == CurrentThread) ||
144  {
145  /* Check if the thread is impersonating */
146  IsImpersonating = (BOOLEAN)Thread->ActiveImpersonationInfo;
147  if (IsImpersonating)
148  {
149  /* Set TEB data */
150  Teb->ImpersonationLocale = -1;
151  Teb->IsImpersonating = 1;
152  }
153  else
154  {
155  /* Set TEB data */
156  Teb->ImpersonationLocale = 0;
157  Teb->IsImpersonating = 0;
158  }
159  }
160 
161  /* Check if we're in a different thread */
162  if (Thread != CurrentThread)
163  {
164  /* Release protection */
166  }
167 
168  /* Detach (only meaningful if we attached above) */
170  }
171 
172  /* Return to caller */
173  return STATUS_SUCCESS;
174 }

Referenced by PsImpersonateClient(), and PsRevertThreadToSelf().

◆ PsReferenceEffectiveToken()

PACCESS_TOKEN NTAPI PsReferenceEffectiveToken ( IN PETHREAD  Thread,
OUT IN PTOKEN_TYPE  TokenType,
OUT PBOOLEAN  EffectiveOnly,
OUT PSECURITY_IMPERSONATION_LEVEL  ImpersonationLevel 
)

Definition at line 713 of file security.c.

/*
 * PsReferenceEffectiveToken
 *
 * Returns a referenced pointer to the token that is effective for Thread:
 * the impersonation token while impersonation is active, otherwise the
 * primary token of the owning process. The caller owns the returned
 * reference and must release it with the dereference routine matching
 * *TokenType.
 *
 * Thread             - thread whose effective token is wanted.
 * TokenType          - receives the type of the token returned.
 * EffectiveOnly      - receives the token's EffectiveOnly flag; FALSE for
 *                      the primary token.
 * ImpersonationLevel - written only on the impersonation path; deliberately
 *                      left untouched when the primary token is returned, so
 *                      callers must consult *TokenType before reading it.
 *
 * NOTE: this rendered listing omits the hyperlinked source lines (the
 * declarations, the token reference, the out-parameter stores and the
 * lock/unlock calls).
 */
717 {
720 
721  PAGED_CODE();
722 
724  "Thread: %p, TokenType: %p\n", Thread, TokenType);
725 
726  /* Check if we don't have impersonation info */
727  Process = Thread->ThreadsProcess;
729  {
730  /* Lock the Process.
731  * NOTE(review): the impersonation fields are read here under the
732  * process security lock, whereas PsReferenceImpersonationToken and
733  * PsRestoreImpersonation take the thread security lock; confirm the
734  * two paths actually serialize against each other. */
732 
733  /* Make sure impersonation is still active (re-checked under the lock) */
735  {
736  /* Get the token */
739 
740  /* Return data to caller */
744 
745  /* Unlock the Process */
747  return Token;
748  }
749 
750  /* Unlock the Process */
752  }
753 
754  /* Fast Reference the Token */
756 
757  /* Check if we got the Token or if we got locked: a NULL here means the
758  * fast reference could not be taken, not that the process has no token */
758  if (!Token)
759  {
760  /* Lock the Process */
762 
763  /* Do a Locked Fast Reference */
765 
766  /* Unlock the Process */
768  }
769 
770  /* Return the token */
772  *EffectiveOnly = FALSE;
773  // NOTE: ImpersonationLevel is left untouched on purpose!
774  return Token;
775 }

Referenced by SeCreateClientSecurity().

◆ PsReferenceImpersonationToken()

PACCESS_TOKEN NTAPI PsReferenceImpersonationToken ( IN PETHREAD  Thread,
OUT PBOOLEAN  CopyOnOpen,
OUT PBOOLEAN  EffectiveOnly,
OUT PSECURITY_IMPERSONATION_LEVEL  ImpersonationLevel 
)

Definition at line 782 of file security.c.

/*
 * PsReferenceImpersonationToken
 *
 * Returns a referenced pointer to the thread's impersonation token, or NULL
 * if the thread is not impersonating. The caller owns the reference and
 * releases it with PsDereferenceImpersonationToken.
 *
 * Thread             - thread to query.
 * CopyOnOpen,
 * EffectiveOnly,
 * ImpersonationLevel - filled from the thread's impersonation info ONLY when
 *                      a token is returned; they are left unwritten on the
 *                      NULL path, so callers must test the return value
 *                      before reading them.
 *
 * NOTE: this rendered listing omits the hyperlinked source lines (the
 * lock/unlock calls, the out-parameter stores and the token reference).
 */
786 {
787  PTOKEN Token = NULL;
788  PAGED_CODE();
789  PSTRACE(PS_SECURITY_DEBUG, "Thread: %p\n", Thread);
790 
791  /* If we don't have impersonation info, just quit
792  * (unlocked fast path; the authoritative check is repeated under the lock) */
792  if (!Thread->ActiveImpersonationInfo) return NULL;
793 
794  /* Lock the thread */
796 
797  /* Make sure we still have active impersonation */
799  {
800  /* Return data from caller */
805 
806  /* Set the token (takes the reference the caller will release) */
808  }
809 
810  /* Unlock thread and return impersonation token */
812  return Token;
813 }

Referenced by GetProcessLuid(), NtCloseObjectAuditAlarm(), NtOpenThreadTokenEx(), ObpReferenceDeviceMap(), and SeCaptureSubjectContextEx().

◆ PsReferencePrimaryToken()

PACCESS_TOKEN NTAPI PsReferencePrimaryToken ( PEPROCESS  Process)

Definition at line 440 of file security.c.

/*
 * PsReferencePrimaryToken
 *
 * Returns a referenced pointer to Process's primary token. A fast reference
 * is attempted first; if that cannot be taken, a reference is acquired under
 * the process security lock instead. The caller owns the returned reference
 * and releases it with the matching primary-token dereference routine.
 *
 * Process - process whose primary token is wanted.
 *
 * NOTE: this rendered listing omits the hyperlinked source lines (the Token
 * declaration, the two reference calls and the lock/unlock calls).
 */
441 {
443  PAGED_CODE();
444  PSTRACE(PS_SECURITY_DEBUG, "Process: %p\n", Process);
445 
446  /* Fast Reference the Token */
448 
449  /* Check if we got the Token or if we got locked: NULL means the fast
450  * reference was unavailable, not that the process has no token */
450  if (!Token)
451  {
452  /* Lock the Process */
454 
455  /* Do a Locked Fast Reference */
457 
458  /* Unlock the Process */
460  }
461 
462  /* Return the Token */
463  return Token;
464 }

Referenced by GetProcessLuid(), KsecGetKeyData(), NtCloseObjectAuditAlarm(), NtOpenThreadTokenEx(), NtSecureConnectPort(), ObpSetCurrentProcessDeviceMap(), PsOpenTokenOfProcess(), PspCreateProcess(), PspCreateThread(), PspExitThread(), PspInitializeProcessSecurity(), PspSetPrimaryToken(), SeCaptureSubjectContextEx(), SeExchangePrimaryToken(), SeIsTokenChild(), and SeIsTokenSibling().

◆ PsRestoreImpersonation()

VOID NTAPI PsRestoreImpersonation ( IN PETHREAD  Thread,
IN PSE_IMPERSONATION_STATE  ImpersonationState 
)

Definition at line 898 of file security.c.

/*
 * PsRestoreImpersonation
 *
 * Restores a previously captured impersonation state on Thread. With a
 * non-NULL ImpersonationState the saved level, CopyOnOpen, EffectiveOnly and
 * token are written back and impersonation is re-enabled; with NULL,
 * impersonation is disabled. Any token that was active before the restore
 * is dereferenced after the thread lock is dropped.
 *
 * Thread             - thread whose impersonation state is restored.
 * ImpersonationState - saved state to restore, or NULL to revert to self.
 *
 * NOTE(review): Thread->ImpersonationInfo is dereferenced unconditionally on
 * the restore path; this assumes the call is paired with an earlier disable
 * that allocated the impersonation block (the only visible caller is
 * NtOpenThreadTokenEx) - confirm no caller reaches here with a NULL block.
 *
 * NOTE: this rendered listing omits the hyperlinked source lines (the lock
 * and unlock calls, the EffectiveOnly store, the cross-thread flag updates
 * and the final dereference).
 */
900 {
901  PTOKEN Token = NULL;
902  PPS_IMPERSONATION_INFORMATION Impersonation;
903  PAGED_CODE();
905  "Thread: %p State: %p\n", Thread, ImpersonationState);
906 
907  /* Lock thread security (exclusive: we are about to modify it) */
909 
910  /* Get the impersonation info */
911  Impersonation = Thread->ImpersonationInfo;
912 
913  /* Check if we're impersonating */
915  {
916  /* Get the token, so the old reference can be released after unlock */
917  Token = Impersonation->Token;
918  }
919 
920  /* Check if we have an impersonation state */
921  if (ImpersonationState)
922  {
923  /* Fill out the impersonation info */
924  Impersonation->ImpersonationLevel = ImpersonationState->Level;
925  Impersonation->CopyOnOpen = ImpersonationState->CopyOnOpen;
927  Impersonation->Token = ImpersonationState->Token;
928 
929  /* Enable impersonation */
931  }
932  else
933  {
934  /* Disable impersonation */
936  }
937 
938  /* Unlock the thread */
940 
941  /* Dereference the token that was active before the restore, if any */
943 }

Referenced by NtOpenThreadTokenEx().

◆ PsRevertThreadToSelf()

VOID NTAPI PsRevertThreadToSelf ( IN PETHREAD  Thread)

Definition at line 568 of file security.c.

/*
 * PsRevertThreadToSelf
 *
 * Ends impersonation on Thread: clears the active-impersonation flag under
 * the thread security lock, drops the impersonation token's reference, and
 * refreshes the impersonation status mirrored in the thread's TEB. A thread
 * that is not impersonating is left untouched.
 *
 * Thread - thread to revert to its primary security context.
 *
 * NOTE: this rendered listing omits the hyperlinked source lines (the
 * flag test, lock/unlock calls, the token capture, the dereference and the
 * PspWriteTebImpersonationInfo call).
 */
569 {
570  PTOKEN Token = NULL;
571  PAGED_CODE();
572  PSTRACE(PS_SECURITY_DEBUG, "Thread: %p\n", Thread);
573 
574  /* Make sure we had impersonation information
575  * (unlocked fast path; re-checked under the lock below) */
576  {
577  /* Lock the thread security */
579 
580  /* Make sure it's still active */
582  {
583  /* Disable impersonation */
585 
586  /* Get the token; the reference is released after the lock is dropped */
588  }
589 
590  /* Release thread security */
592 
593  /* Check if we had a token */
594  if (Token)
595  {
596  /* Dereference the impersonation token */
598 
599  /* Write impersonation info to the TEB */
601  }
602  }
603 }

Referenced by PsAssignImpersonationToken(), and PsRevertToSelf().

◆ PsRevertToSelf()

VOID NTAPI PsRevertToSelf ( VOID  )

Definition at line 556 of file security.c.

/*
 * PsRevertToSelf
 *
 * Convenience wrapper: reverts the calling thread to its primary security
 * context by delegating to PsRevertThreadToSelf for the current thread
 * (the delegating call is one of the hyperlinked lines this rendered
 * listing omits).
 */
557 {
558  /* Call the per-thread API */
559  PAGED_CODE();
561 }

Referenced by CmpCmdHiveOpen(), and VfdIoCtlThread().

◆ SeAssignPrimaryToken()

VOID NTAPI SeAssignPrimaryToken ( IN PEPROCESS  Process,
IN PTOKEN  Token 
)

Definition at line 862 of file token.c.

/*
 * SeAssignPrimaryToken
 *
 * Installs Token as the primary token of Process, deassigning any token
 * the process already holds, and marks the token as in use.
 *
 * Process - process receiving the token.
 * Token   - must be a primary token that is not yet assigned to any
 *           process.
 *
 * NOTE: the two ASSERTs below are the only checks of those preconditions
 * and are typically compiled out of release builds; callers are
 * responsible for guaranteeing them, since a non-primary or already-in-use
 * token installed here is not rejected at runtime.
 *
 * NOTE: this rendered listing omits the hyperlinked source lines (the
 * fast-reference initialization and the reference taken on Token).
 */
864 {
865  PAGED_CODE();
866 
867  /* Sanity checks (debug-only) */
868  ASSERT(Token->TokenType == TokenPrimary);
869  ASSERT(!Token->TokenInUse);
870 
871  /* Clean any previous token */
872  if (Process->Token.Object) SeDeassignPrimaryToken(Process);
873 
874  /* Set the new token and mark it as bound to a process */
876  Token->TokenInUse = TRUE;
878 }

Referenced by PspInitializeProcessSecurity().

Variable Documentation

◆ PspBootAccessToken

PTOKEN PspBootAccessToken

Definition at line 17 of file security.c.

Referenced by PspInitializeProcessSecurity(), and PspInitPhase0().