ReactOS 0.4.15-dev-7918-g2a2556c
Macros | Functions | Variables
security.c File Reference
#include <ntoskrnl.h>
#include <debug.h>
Include dependency graph for security.c:

Go to the source code of this file.

Macros

#define NDEBUG
 

Functions

VOID NTAPI SeAssignPrimaryToken (IN PEPROCESS Process, IN PTOKEN Token)
 
VOID NTAPI PspDeleteProcessSecurity (IN PEPROCESS Process)
 
VOID NTAPI PspDeleteThreadSecurity (IN PETHREAD Thread)
 
NTSTATUS NTAPI PspInitializeProcessSecurity (IN PEPROCESS Process, IN PEPROCESS Parent OPTIONAL)
 
NTSTATUS NTAPI PspWriteTebImpersonationInfo (IN PETHREAD Thread, IN PETHREAD CurrentThread)
 
NTSTATUS NTAPI PspAssignPrimaryToken (IN PEPROCESS Process, IN HANDLE Token, IN PACCESS_TOKEN AccessToken OPTIONAL)
 
NTSTATUS NTAPI PspSetPrimaryToken (IN PEPROCESS Process, IN HANDLE TokenHandle OPTIONAL, IN PACCESS_TOKEN Token OPTIONAL)
 
NTSTATUS NTAPI NtOpenProcessToken (IN HANDLE ProcessHandle, IN ACCESS_MASK DesiredAccess, OUT PHANDLE TokenHandle)
 
NTSTATUS NTAPI NtOpenProcessTokenEx (IN HANDLE ProcessHandle, IN ACCESS_MASK DesiredAccess, IN ULONG HandleAttributes, OUT PHANDLE TokenHandle)
 
PACCESS_TOKEN NTAPI PsReferencePrimaryToken (PEPROCESS Process)
 
NTSTATUS NTAPI PsOpenTokenOfProcess (IN HANDLE ProcessHandle, OUT PACCESS_TOKEN *Token)
 
NTSTATUS NTAPI PsAssignImpersonationToken (IN PETHREAD Thread, IN HANDLE TokenHandle)
 
VOID NTAPI PsRevertToSelf (VOID)
 
VOID NTAPI PsRevertThreadToSelf (IN PETHREAD Thread)
 
NTSTATUS NTAPI PsImpersonateClient (IN PETHREAD Thread, IN PACCESS_TOKEN Token, IN BOOLEAN CopyOnOpen, IN BOOLEAN EffectiveOnly, IN SECURITY_IMPERSONATION_LEVEL ImpersonationLevel)
 
PACCESS_TOKEN NTAPI PsReferenceEffectiveToken (IN PETHREAD Thread, OUT IN PTOKEN_TYPE TokenType, OUT PBOOLEAN EffectiveOnly, OUT PSECURITY_IMPERSONATION_LEVEL ImpersonationLevel)
 
PACCESS_TOKEN NTAPI PsReferenceImpersonationToken (IN PETHREAD Thread, OUT PBOOLEAN CopyOnOpen, OUT PBOOLEAN EffectiveOnly, OUT PSECURITY_IMPERSONATION_LEVEL ImpersonationLevel)
 
VOID NTAPI PsDereferenceImpersonationToken (IN PACCESS_TOKEN ImpersonationToken)
 
VOID NTAPI PsDereferencePrimaryToken (IN PACCESS_TOKEN PrimaryToken)
 
BOOLEAN NTAPI PsDisableImpersonation (IN PETHREAD Thread, OUT PSE_IMPERSONATION_STATE ImpersonationState)
 
VOID NTAPI PsRestoreImpersonation (IN PETHREAD Thread, IN PSE_IMPERSONATION_STATE ImpersonationState)
 
NTSTATUS NTAPI NtImpersonateThread (IN HANDLE ThreadHandle, IN HANDLE ThreadToImpersonateHandle, IN PSECURITY_QUALITY_OF_SERVICE SecurityQualityOfService)
 

Variables

PTOKEN PspBootAccessToken
 

Macro Definition Documentation

◆ NDEBUG

#define NDEBUG

Definition at line 14 of file security.c.

Function Documentation

◆ NtImpersonateThread()

NTSTATUS NTAPI NtImpersonateThread ( IN HANDLE  ThreadHandle,
IN HANDLE  ThreadToImpersonateHandle,
IN PSECURITY_QUALITY_OF_SERVICE  SecurityQualityOfService 
)

Definition at line 1036 of file security.c.

1039{
1040 SECURITY_QUALITY_OF_SERVICE SafeServiceQoS;
1041 SECURITY_CLIENT_CONTEXT ClientContext;
1042 PETHREAD Thread;
1043 PETHREAD ThreadToImpersonate;
1044 KPROCESSOR_MODE PreviousMode = ExGetPreviousMode();
1045 NTSTATUS Status;
1046 PAGED_CODE();
1047 PSTRACE(PS_SECURITY_DEBUG,
1048 "Threads: %p %p\n", ThreadHandle, ThreadToImpersonateHandle);
1049
1050 /* Check if call came from user mode */
1051 if (PreviousMode != KernelMode)
1052 {
1053 /* Enter SEH for probing */
1054 _SEH2_TRY
1055 {
1056 /* Probe QoS */
1057 ProbeForRead(SecurityQualityOfService,
1058 sizeof(SECURITY_QUALITY_OF_SERVICE),
1059 sizeof(ULONG));
1060
1061 /* Capture it */
1062 SafeServiceQoS = *SecurityQualityOfService;
1063 SecurityQualityOfService = &SafeServiceQoS;
1064 }
1065 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
1066 {
1067 /* Return the exception code */
1068 _SEH2_YIELD(return _SEH2_GetExceptionCode());
1069 }
1070 _SEH2_END;
1071 }
1072
1073 /* Reference the thread */
1074 Status = ObReferenceObjectByHandle(ThreadHandle,
1075 THREAD_DIRECT_IMPERSONATION,
1076 PsThreadType,
1077 PreviousMode,
1078 (PVOID*)&Thread,
1079 NULL);
1080 if (NT_SUCCESS(Status))
1081 {
1082 /* Reference the impersonating thead */
1083 Status = ObReferenceObjectByHandle(ThreadToImpersonateHandle,
1084 THREAD_IMPERSONATE,
1085 PsThreadType,
1086 PreviousMode,
1087 (PVOID*)&ThreadToImpersonate,
1088 NULL);
1089 if (NT_SUCCESS(Status))
1090 {
1091 /* Create a client security context */
1092 Status = SeCreateClientSecurity(ThreadToImpersonate,
1093 SecurityQualityOfService,
1094 0,
1095 &ClientContext);
1096 if (NT_SUCCESS(Status))
1097 {
1098 /* Do the impersonation */
1099 SeImpersonateClient(&ClientContext, Thread);
1100 if (ClientContext.ClientToken)
1101 {
1102 /* Dereference the client token if we had one */
1103 ObDereferenceObject(ClientContext.ClientToken);
1104 }
1105 }
1106
1107 /* Dereference the thread to impersonate */
1108 ObDereferenceObject(ThreadToImpersonate);
1109 }
1110
1111 /* Dereference the main thread */
1112 ObDereferenceObject(Thread);
1113 }
1114
1115 /* Return status */
1116 return Status;
1117}
PAGED_CODE
#define PAGED_CODE()
Definition: Bus_PDO_EvalMethod.c:87
NTSTATUS
LONG NTSTATUS
Definition: precomp.h:26
NULL
#define NULL
Definition: types.h:112
NT_SUCCESS
#define NT_SUCCESS(StatCode)
Definition: apphelp.c:32
ExGetPreviousMode
#define ExGetPreviousMode
Definition: ex.h:140
ProbeForRead
VOID NTAPI ProbeForRead(IN CONST VOID *Address, IN SIZE_T Length, IN ULONG Alignment)
Definition: exintrin.c:102
_SEH2_END
#define _SEH2_END
Definition: filesup.c:22
_SEH2_TRY
#define _SEH2_TRY
Definition: filesup.c:19
Thread
_In_opt_ PFILE_OBJECT _In_opt_ PETHREAD Thread
Definition: fltkernel.h:2653
Status
Status
Definition: gdiplustypes.h:25
EXCEPTION_EXECUTE_HANDLER
#define EXCEPTION_EXECUTE_HANDLER
Definition: excpt.h:85
THREAD_IMPERSONATE
#define THREAD_IMPERSONATE
Definition: pstypes.h:151
THREAD_DIRECT_IMPERSONATION
#define THREAD_DIRECT_IMPERSONATION
Definition: pstypes.h:152
SeImpersonateClient
NTKERNELAPI VOID NTAPI SeImpersonateClient(IN PSECURITY_CLIENT_CONTEXT ClientContext, IN PETHREAD ServerThread OPTIONAL)
SeCreateClientSecurity
NTKERNELAPI NTSTATUS NTAPI SeCreateClientSecurity(IN PETHREAD Thread, IN PSECURITY_QUALITY_OF_SERVICE QualityOfService, IN BOOLEAN RemoteClient, OUT PSECURITY_CLIENT_CONTEXT ClientContext)
KernelMode
#define KernelMode
Definition: asm.h:34
ClientContext
_In_ PVOID ClientContext
Definition: netioddk.h:55
PsThreadType
POBJECT_TYPE PsThreadType
Definition: thread.c:20
ObReferenceObjectByHandle
NTSTATUS NTAPI ObReferenceObjectByHandle(IN HANDLE Handle, IN ACCESS_MASK DesiredAccess, IN POBJECT_TYPE ObjectType, IN KPROCESSOR_MODE AccessMode, OUT PVOID *Object, OUT POBJECT_HANDLE_INFORMATION HandleInformation OPTIONAL)
Definition: obref.c:494
PSTRACE
#define PSTRACE(x, fmt,...)
Definition: ps.h:57
PS_SECURITY_DEBUG
#define PS_SECURITY_DEBUG
Definition: ps.h:19
_SEH2_GetExceptionCode
#define _SEH2_GetExceptionCode()
Definition: pseh2_64.h:159
_SEH2_EXCEPT
#define _SEH2_EXCEPT(...)
Definition: pseh2_64.h:34
_SEH2_YIELD
#define _SEH2_YIELD(__stmt)
Definition: pseh2_64.h:162
_ETHREAD
Definition: pstypes.h:1102
_SECURITY_CLIENT_CONTEXT
Definition: imports.h:289
_SECURITY_QUALITY_OF_SERVICE
Definition: lsa.idl:63
ULONG
uint32_t ULONG
Definition: typedefs.h:59
KPROCESSOR_MODE
CCHAR KPROCESSOR_MODE
Definition: ketypes.h:7
ObDereferenceObject
#define ObDereferenceObject
Definition: obfuncs.h:203
PreviousMode
_In_ KPROCESSOR_MODE PreviousMode
Definition: sefuncs.h:103

Referenced by CsrImpersonateClient().

◆ NtOpenProcessToken()

NTSTATUS NTAPI NtOpenProcessToken ( IN HANDLE  ProcessHandle,
IN ACCESS_MASK  DesiredAccess,
OUT PHANDLE  TokenHandle 
)

Definition at line 350 of file security.c.

353{
354 /* Call the newer API */
355 return NtOpenProcessTokenEx(ProcessHandle,
356 DesiredAccess,
357 0,
358 TokenHandle);
359}
ProcessHandle
_In_ HANDLE ProcessHandle
Definition: mmfuncs.h:403
TokenHandle
_In_ ACCESS_MASK _In_ ULONG _Out_ PHANDLE TokenHandle
Definition: psfuncs.h:726
NtOpenProcessTokenEx
NTSTATUS NTAPI NtOpenProcessTokenEx(IN HANDLE ProcessHandle, IN ACCESS_MASK DesiredAccess, IN ULONG HandleAttributes, OUT PHANDLE TokenHandle)
Definition: security.c:366
DesiredAccess
_Must_inspect_result_ _In_ WDFDEVICE _In_ ULONG _In_ ACCESS_MASK DesiredAccess
Definition: wdfdevice.h:2658

Referenced by CheckTokenMembership(), CsrGetProcessLuid(), CsrSetProcessSecurity(), GetCallerLuid(), GetToken(), GetTokenProcess(), LsapIsTrustedClient(), OpenProcessToken(), RtlCreateUserSecurityObject(), RtlDefaultNpAcl(), SmpAcquirePrivilege(), START_TEST(), and test8().

◆ NtOpenProcessTokenEx()

NTSTATUS NTAPI NtOpenProcessTokenEx ( IN HANDLE  ProcessHandle,
IN ACCESS_MASK  DesiredAccess,
IN ULONG  HandleAttributes,
OUT PHANDLE  TokenHandle 
)

Definition at line 366 of file security.c.

370{
371 PACCESS_TOKEN Token;
372 HANDLE hToken;
373 KPROCESSOR_MODE PreviousMode = ExGetPreviousMode();
374 NTSTATUS Status;
375 PAGED_CODE();
376 PSTRACE(PS_SECURITY_DEBUG,
377 "Process: %p DesiredAccess: %lx\n", ProcessHandle, DesiredAccess);
378
379 /* Check if caller was user-mode */
380 if (PreviousMode != KernelMode)
381 {
382 /* Enter SEH for probing */
383 _SEH2_TRY
384 {
385 /* Probe the token handle */
386 ProbeForWriteHandle(TokenHandle);
387 }
388 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
389 {
390 /* Return the exception code */
391 _SEH2_YIELD(return _SEH2_GetExceptionCode());
392 }
393 _SEH2_END;
394 }
395
396 /* Validate object attributes */
397 HandleAttributes = ObpValidateAttributes(HandleAttributes, PreviousMode);
398
399 /* Open the process token */
400 Status = PsOpenTokenOfProcess(ProcessHandle, &Token);
401 if (NT_SUCCESS(Status))
402 {
403 /* Reference it by handle and dereference the pointer */
404 Status = ObOpenObjectByPointer(Token,
405 HandleAttributes,
406 NULL,
407 DesiredAccess,
408 SeTokenObjectType,
409 PreviousMode,
410 &hToken);
411 ObDereferenceObject(Token);
412
413 /* Make sure we got a handle */
414 if (NT_SUCCESS(Status))
415 {
416 /* Enter SEH for write */
417 _SEH2_TRY
418 {
419 /* Return the handle */
420 *TokenHandle = hToken;
421 }
422 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
423 {
424 /* Get exception code */
425 Status = _SEH2_GetExceptionCode();
426 }
427 _SEH2_END;
428 }
429 }
430
431 /* Return status */
432 return Status;
433}
HandleAttributes
_In_ HANDLE _In_opt_ HANDLE _Out_opt_ PHANDLE _In_ ACCESS_MASK _In_ ULONG HandleAttributes
Definition: obfuncs.h:433
PsOpenTokenOfProcess
NTSTATUS NTAPI PsOpenTokenOfProcess(IN HANDLE ProcessHandle, OUT PACCESS_TOKEN *Token)
Definition: security.c:471
SeTokenObjectType
POBJECT_TYPE SeTokenObjectType
Definition: token.c:17
ObpValidateAttributes
FORCEINLINE ULONG ObpValidateAttributes(IN ULONG Attributes, IN KPROCESSOR_MODE PreviousMode)
Definition: ob_x.h:22
ObOpenObjectByPointer
NTSTATUS NTAPI ObOpenObjectByPointer(IN PVOID Object, IN ULONG HandleAttributes, IN PACCESS_STATE PassedAccessState, IN ACCESS_MASK DesiredAccess, IN POBJECT_TYPE ObjectType, IN KPROCESSOR_MODE AccessMode, OUT PHANDLE Handle)
Definition: obhandle.c:2742
ProbeForWriteHandle
#define ProbeForWriteHandle(Ptr)
Definition: probe.h:43

Referenced by NtOpenProcessToken(), and START_TEST().

◆ PsAssignImpersonationToken()

NTSTATUS NTAPI PsAssignImpersonationToken ( IN PETHREAD  Thread,
IN HANDLE  TokenHandle 
)

Definition at line 502 of file security.c.

504{
505 PACCESS_TOKEN Token;
506 SECURITY_IMPERSONATION_LEVEL ImpersonationLevel;
507 NTSTATUS Status;
508 PAGED_CODE();
509 PSTRACE(PS_SECURITY_DEBUG, "Thread: %p Token: %p\n", Thread, TokenHandle);
510
511 /* Check if we were given a handle */
512 if (!TokenHandle)
513 {
514 /* Undo impersonation */
515 PsRevertThreadToSelf(Thread);
516 return STATUS_SUCCESS;
517 }
518
519 /* Get the token object */
520 Status = ObReferenceObjectByHandle(TokenHandle,
521 TOKEN_IMPERSONATE,
522 SeTokenObjectType,
523 KeGetPreviousMode(),
524 (PVOID*)&Token,
525 NULL);
526 if (!NT_SUCCESS(Status)) return(Status);
527
528 /* Make sure it's an impersonation token */
529 if (SeTokenType(Token) != TokenImpersonation)
530 {
531 /* Fail */
532 ObDereferenceObject(Token);
533 return STATUS_BAD_TOKEN_TYPE;
534 }
535
536 /* Get the impersonation level */
537 ImpersonationLevel = SeTokenImpersonationLevel(Token);
538
539 /* Call the impersonation API */
540 Status = PsImpersonateClient(Thread,
541 Token,
542 FALSE,
543 FALSE,
544 ImpersonationLevel);
545
546 /* Dereference the token and return status */
547 ObDereferenceObject(Token);
548 return Status;
549}
FALSE
#define FALSE
Definition: types.h:117
SECURITY_IMPERSONATION_LEVEL
enum _SECURITY_IMPERSONATION_LEVEL SECURITY_IMPERSONATION_LEVEL
TokenImpersonation
@ TokenImpersonation
Definition: imports.h:274
SeTokenType
NTKERNELAPI TOKEN_TYPE NTAPI SeTokenType(IN PACCESS_TOKEN Token)
KeGetPreviousMode
#define KeGetPreviousMode()
Definition: ketypes.h:1115
PsRevertThreadToSelf
VOID NTAPI PsRevertThreadToSelf(IN PETHREAD Thread)
Definition: security.c:568
PsImpersonateClient
NTSTATUS NTAPI PsImpersonateClient(IN PETHREAD Thread, IN PACCESS_TOKEN Token, IN BOOLEAN CopyOnOpen, IN BOOLEAN EffectiveOnly, IN SECURITY_IMPERSONATION_LEVEL ImpersonationLevel)
Definition: security.c:610
SeTokenImpersonationLevel
SECURITY_IMPERSONATION_LEVEL NTAPI SeTokenImpersonationLevel(_In_ PACCESS_TOKEN Token)
Gathers the security impersonation level of an access token.
Definition: token.c:2059
STATUS_BAD_TOKEN_TYPE
#define STATUS_BAD_TOKEN_TYPE
Definition: ntstatus.h:404
STATUS_SUCCESS
#define STATUS_SUCCESS
Definition: shellext.h:65
ImpersonationLevel
_Out_ PBOOLEAN _Out_ PBOOLEAN _Out_ PSECURITY_IMPERSONATION_LEVEL ImpersonationLevel
Definition: psfuncs.h:156
TOKEN_IMPERSONATE
#define TOKEN_IMPERSONATE
Definition: setypes.h:927

Referenced by NtSetInformationThread().

◆ PsDereferenceImpersonationToken()

VOID NTAPI PsDereferenceImpersonationToken ( IN PACCESS_TOKEN  ImpersonationToken)

Definition at line 910 of file security.c.

911{
912 PAGED_CODE();
913
914 /* If we got a token, dereference it */
915 if (ImpersonationToken) ObDereferenceObject(ImpersonationToken);
916}

◆ PsDereferencePrimaryToken()

VOID NTAPI PsDereferencePrimaryToken ( IN PACCESS_TOKEN  PrimaryToken)

Definition at line 924 of file security.c.

925{
926 PAGED_CODE();
927
928 /* Dereference the token*/
929 ObDereferenceObject(PrimaryToken);
930}

◆ PsDisableImpersonation()

BOOLEAN NTAPI PsDisableImpersonation ( IN PETHREAD  Thread,
OUT PSE_IMPERSONATION_STATE  ImpersonationState 
)

Definition at line 937 of file security.c.

939{
940 PPS_IMPERSONATION_INFORMATION Impersonation = NULL;
941 LONG OldFlags;
942 PAGED_CODE();
943 PSTRACE(PS_SECURITY_DEBUG,
944 "Thread: %p State: %p\n", Thread, ImpersonationState);
945
946 /* Check if we don't have impersonation */
947 if (Thread->ActiveImpersonationInfo)
948 {
949 /* Lock thread security */
950 PspLockThreadSecurityExclusive(Thread);
951
952 /* Disable impersonation */
953 OldFlags = PspClearCrossThreadFlag(Thread,
954 CT_ACTIVE_IMPERSONATION_INFO_BIT);
955
956 /* Make sure nobody disabled it behind our back */
957 if (OldFlags & CT_ACTIVE_IMPERSONATION_INFO_BIT)
958 {
959 /* Copy the old state */
960 Impersonation = Thread->ImpersonationInfo;
961 ImpersonationState->Token = Impersonation->Token;
962 ImpersonationState->CopyOnOpen = Impersonation->CopyOnOpen;
963 ImpersonationState->EffectiveOnly = Impersonation->EffectiveOnly;
964 ImpersonationState->Level = Impersonation->ImpersonationLevel;
965 }
966
967 /* Unlock thread security */
968 PspUnlockThreadSecurityExclusive(Thread);
969
970 /* If we had impersonation info, return true */
971 if (Impersonation) return TRUE;
972 }
973
974 /* Clear everything */
975 ImpersonationState->Token = NULL;
976 ImpersonationState->CopyOnOpen = FALSE;
977 ImpersonationState->EffectiveOnly = FALSE;
978 ImpersonationState->Level = SecurityAnonymous;
979 return FALSE;
980}
TRUE
#define TRUE
Definition: types.h:120
OldFlags
SHORT OldFlags
Definition: fxioqueue.cpp:1325
CT_ACTIVE_IMPERSONATION_INFO_BIT
#define CT_ACTIVE_IMPERSONATION_INFO_BIT
Definition: pstypes.h:241
SecurityAnonymous
@ SecurityAnonymous
Definition: lsa.idl:55
LONG
long LONG
Definition: pedump.c:60
PspLockThreadSecurityExclusive
FORCEINLINE VOID PspLockThreadSecurityExclusive(IN PETHREAD Thread)
Definition: ps_x.h:177
PspUnlockThreadSecurityExclusive
FORCEINLINE VOID PspUnlockThreadSecurityExclusive(IN PETHREAD Thread)
Definition: ps_x.h:188
PspClearCrossThreadFlag
#define PspClearCrossThreadFlag(Thread, Flag)
Definition: ps_x.h:27
_ETHREAD::ImpersonationInfo
PPS_IMPERSONATION_INFORMATION ImpersonationInfo
Definition: pstypes.h:1143
_ETHREAD::ActiveImpersonationInfo
ULONG ActiveImpersonationInfo
Definition: pstypes.h:1181
_PS_IMPERSONATION_INFORMATION
Definition: pstypes.h:1068
_PS_IMPERSONATION_INFORMATION::Token
PACCESS_TOKEN Token
Definition: pstypes.h:1069
_PS_IMPERSONATION_INFORMATION::ImpersonationLevel
SECURITY_IMPERSONATION_LEVEL ImpersonationLevel
Definition: pstypes.h:1072
_PS_IMPERSONATION_INFORMATION::EffectiveOnly
BOOLEAN EffectiveOnly
Definition: pstypes.h:1071
_PS_IMPERSONATION_INFORMATION::CopyOnOpen
BOOLEAN CopyOnOpen
Definition: pstypes.h:1070
_SE_IMPERSONATION_STATE::Token
PACCESS_TOKEN Token
Definition: setypes.h:116
_SE_IMPERSONATION_STATE::EffectiveOnly
BOOLEAN EffectiveOnly
Definition: setypes.h:118
_SE_IMPERSONATION_STATE::CopyOnOpen
BOOLEAN CopyOnOpen
Definition: setypes.h:117
_SE_IMPERSONATION_STATE::Level
SECURITY_IMPERSONATION_LEVEL Level
Definition: setypes.h:119
ImpersonationState
_Inout_ PSE_IMPERSONATION_STATE ImpersonationState
Definition: psfuncs.h:189

Referenced by NtOpenThreadTokenEx().

◆ PsImpersonateClient()

NTSTATUS NTAPI PsImpersonateClient ( IN PETHREAD  Thread,
IN PACCESS_TOKEN  Token,
IN BOOLEAN  CopyOnOpen,
IN BOOLEAN  EffectiveOnly,
IN SECURITY_IMPERSONATION_LEVEL  ImpersonationLevel 
)

Definition at line 610 of file security.c.

615{
616 PPS_IMPERSONATION_INFORMATION Impersonation, OldData;
617 PTOKEN OldToken = NULL, ProcessToken = NULL;
618 BOOLEAN CopiedToken = FALSE;
619 PACCESS_TOKEN NewToken, ImpersonationToken;
620 PEJOB Job;
621 NTSTATUS Status;
622
623 PAGED_CODE();
624 PSTRACE(PS_SECURITY_DEBUG, "Thread: %p, Token: %p\n", Thread, Token);
625
626 /* Check if we don't have a token */
627 if (!Token)
628 {
629 /* Make sure we're impersonating */
630 if (Thread->ActiveImpersonationInfo)
631 {
632 /* We seem to be, lock the thread */
633 PspLockThreadSecurityExclusive(Thread);
634
635 /* Make sure we're still impersonating */
636 if (Thread->ActiveImpersonationInfo)
637 {
638 /* Disable impersonation */
639 PspClearCrossThreadFlag(Thread,
640 CT_ACTIVE_IMPERSONATION_INFO_BIT);
641
642 /* Get the token */
643 OldToken = Thread->ImpersonationInfo->Token;
644 }
645
646 /* Unlock the process and write TEB information */
647 PspUnlockThreadSecurityExclusive(Thread);
648 PspWriteTebImpersonationInfo(Thread, PsGetCurrentThread());
649 }
650 }
651 else
652 {
653 /* Check if we have impersonation info */
654 Impersonation = Thread->ImpersonationInfo;
655 if (!Impersonation)
656 {
657 /* We need to allocate a new one */
658 Impersonation = ExAllocatePoolWithTag(PagedPool,
659 sizeof(*Impersonation),
660 TAG_PS_IMPERSONATION);
661 if (!Impersonation) return STATUS_INSUFFICIENT_RESOURCES;
662
663 /* Update the pointer */
664 OldData = InterlockedCompareExchangePointer((PVOID*)&Thread->
665 ImpersonationInfo,
666 Impersonation,
667 NULL);
668 if (OldData)
669 {
670 /* Someone beat us to it, free our copy */
671 ExFreePoolWithTag(Impersonation, TAG_PS_IMPERSONATION);
672 Impersonation = OldData;
673 }
674 }
675
676 /*
677 * Assign the token we get from the caller first. The reason
678 * we have to do that is because we're unsure if we can impersonate
679 * in the first place. In the scenario where we cannot then the
680 * last resort is to make a copy of the token and assign that newly
681 * token to the impersonation information.
682 */
683 ImpersonationToken = Token;
684
685 /* Obtain a token from the process */
686 ProcessToken = PsReferencePrimaryToken(Thread->ThreadsProcess);
687 if (!ProcessToken)
688 {
689 /* We can't continue this way without having the process' token... */
690 return STATUS_UNSUCCESSFUL;
691 }
692
693 /* Make sure we can impersonate */
694 if (!SeTokenCanImpersonate(ProcessToken,
695 Token,
696 ImpersonationLevel))
697 {
698 /* We can't, make a copy of the token instead */
699 Status = SeCopyClientToken(Token,
700 SecurityIdentification,
701 KernelMode,
702 &NewToken);
703 if (!NT_SUCCESS(Status))
704 {
705 /* We can't even make a copy of the token? Then bail out... */
706 ObFastDereferenceObject(&Thread->ThreadsProcess->Token, ProcessToken);
707 return Status;
708 }
709
710 /*
711 * Since we cannot impersonate, assign the newly copied token.
712 * SeCopyClientToken already holds a reference to the copied token,
713 * let the code path below know that it must not reference it twice.
714 */
715 CopiedToken = TRUE;
716 ImpersonationLevel = SecurityIdentification;
717 ImpersonationToken = NewToken;
718 }
719
720 /* We no longer need the process' token */
721 ObFastDereferenceObject(&Thread->ThreadsProcess->Token, ProcessToken);
722
723 /* Check if this is a job */
724 Job = Thread->ThreadsProcess->Job;
725 if (Job != NULL)
726 {
727 /* No admin allowed in this job */
728 if ((Job->SecurityLimitFlags & JOB_OBJECT_SECURITY_NO_ADMIN) &&
729 SeTokenIsAdmin(ImpersonationToken))
730 {
731 if (CopiedToken)
732 {
733 ObDereferenceObject(ImpersonationToken);
734 }
735
736 return STATUS_ACCESS_DENIED;
737 }
738
739 /* No restricted tokens allowed in this job */
740 if ((Job->SecurityLimitFlags & JOB_OBJECT_SECURITY_RESTRICTED_TOKEN) &&
741 SeTokenIsRestricted(ImpersonationToken))
742 {
743 if (CopiedToken)
744 {
745 ObDereferenceObject(ImpersonationToken);
746 }
747
748 return STATUS_ACCESS_DENIED;
749 }
750
751 /* We don't support job filters yet */
752 if (Job->Filter != NULL)
753 {
754 ASSERT(Job->Filter == NULL);
755 }
756 }
757
758 /* Lock thread security */
759 PspLockThreadSecurityExclusive(Thread);
760
761 /* Check if we're impersonating */
762 if (Thread->ActiveImpersonationInfo)
763 {
764 /* Get the token */
765 OldToken = Impersonation->Token;
766 }
767 else
768 {
769 /* Otherwise, enable impersonation */
770 PspSetCrossThreadFlag(Thread, CT_ACTIVE_IMPERSONATION_INFO_BIT);
771 }
772
773 /* Now fill it out */
774 Impersonation->ImpersonationLevel = ImpersonationLevel;
775 Impersonation->CopyOnOpen = CopyOnOpen;
776 Impersonation->EffectiveOnly = EffectiveOnly;
777 Impersonation->Token = ImpersonationToken;
778
779 /* Do not reference the token again if we copied it */
780 if (!CopiedToken)
781 {
782 ObReferenceObject(ImpersonationToken);
783 }
784
785 /* Unlock the thread */
786 PspUnlockThreadSecurityExclusive(Thread);
787
788 /* Write impersonation info to the TEB */
789 PspWriteTebImpersonationInfo(Thread, PsGetCurrentThread());
790 }
791
792 /* Dereference the token and return success */
793 if (OldToken) PsDereferenceImpersonationToken(OldToken);
794 return STATUS_SUCCESS;
795}
BOOLEAN
unsigned char BOOLEAN
Definition: ProcessorBind.h:185
ExAllocatePoolWithTag
#define ExAllocatePoolWithTag(hernya, size, tag)
Definition: env_spec_w32.h:350
PsGetCurrentThread
#define PsGetCurrentThread()
Definition: env_spec_w32.h:81
PagedPool
#define PagedPool
Definition: env_spec_w32.h:308
JOB_OBJECT_SECURITY_RESTRICTED_TOKEN
#define JOB_OBJECT_SECURITY_RESTRICTED_TOKEN
Definition: pstypes.h:231
JOB_OBJECT_SECURITY_NO_ADMIN
#define JOB_OBJECT_SECURITY_NO_ADMIN
Definition: pstypes.h:230
InterlockedCompareExchangePointer
#define InterlockedCompareExchangePointer
Definition: interlocked.h:129
SecurityIdentification
@ SecurityIdentification
Definition: lsa.idl:56
ASSERT
#define ASSERT(a)
Definition: mode.c:44
ExFreePoolWithTag
#define ExFreePoolWithTag(_P, _T)
Definition: module.h:1109
PsDereferenceImpersonationToken
#define PsDereferenceImpersonationToken(T)
Definition: imports.h:298
EffectiveOnly
_In_ ACCESS_MASK _In_opt_ POBJECT_ATTRIBUTES _In_ BOOLEAN EffectiveOnly
Definition: sefuncs.h:410
SeTokenCanImpersonate
BOOLEAN NTAPI SeTokenCanImpersonate(_In_ PTOKEN ProcessToken, _In_ PTOKEN TokenToImpersonate, _In_ SECURITY_IMPERSONATION_LEVEL ImpersonationLevel)
Determines whether the server is allowed to impersonate on behalf of a client or not....
Definition: token.c:2207
SeCopyClientToken
NTSTATUS NTAPI SeCopyClientToken(_In_ PACCESS_TOKEN Token, _In_ SECURITY_IMPERSONATION_LEVEL Level, _In_ KPROCESSOR_MODE PreviousMode, _Out_ PACCESS_TOKEN *NewToken)
Copies an existing access token (technically duplicating a new one).
Definition: token.c:1542
PspWriteTebImpersonationInfo
NTSTATUS NTAPI PspWriteTebImpersonationInfo(IN PETHREAD Thread, IN PETHREAD CurrentThread)
Definition: security.c:114
PsReferencePrimaryToken
PACCESS_TOKEN NTAPI PsReferencePrimaryToken(PEPROCESS Process)
Definition: security.c:440
SeTokenIsAdmin
BOOLEAN NTAPI SeTokenIsAdmin(_In_ PACCESS_TOKEN Token)
Determines if a token is either an admin token or not. Such condition is checked based upon TOKEN_HAS...
Definition: token.c:2103
SeTokenIsRestricted
BOOLEAN NTAPI SeTokenIsRestricted(_In_ PACCESS_TOKEN Token)
Determines if a token is restricted or not, based upon the token flags.
Definition: token.c:2126
ObFastDereferenceObject
VOID FASTCALL ObFastDereferenceObject(IN PEX_FAST_REF FastRef, IN PVOID Object)
Definition: obref.c:167
PspSetCrossThreadFlag
#define PspSetCrossThreadFlag(Thread, Flag)
Definition: ps_x.h:25
_EJOB
Definition: pstypes.h:1478
_EJOB::SecurityLimitFlags
ULONG SecurityLimitFlags
Definition: pstypes.h:1500
_EJOB::Filter
PPS_JOB_TOKEN_FILTER Filter
Definition: pstypes.h:1502
_TOKEN
Definition: setypes.h:216
TAG_PS_IMPERSONATION
#define TAG_PS_IMPERSONATION
Definition: tag.h:133
STATUS_ACCESS_DENIED
#define STATUS_ACCESS_DENIED
Definition: udferr_usr.h:145
STATUS_UNSUCCESSFUL
#define STATUS_UNSUCCESSFUL
Definition: udferr_usr.h:132
STATUS_INSUFFICIENT_RESOURCES
#define STATUS_INSUFFICIENT_RESOURCES
Definition: udferr_usr.h:158
ObReferenceObject
#define ObReferenceObject
Definition: obfuncs.h:204
CopyOnOpen
_Out_ PBOOLEAN CopyOnOpen
Definition: psfuncs.h:154

Referenced by PsAssignImpersonationToken(), SeImpersonateClientEx(), SepImpersonateAnonymousToken(), and SepOpenThreadToken().

◆ PsOpenTokenOfProcess()

NTSTATUS NTAPI PsOpenTokenOfProcess ( IN HANDLE  ProcessHandle,
OUT PACCESS_TOKEN Token 
)

Definition at line 471 of file security.c.

473{
474 PEPROCESS Process;
475 NTSTATUS Status;
476 PAGED_CODE();
477 PSTRACE(PS_SECURITY_DEBUG, "Process: %p\n", ProcessHandle);
478
479 /* Get the Token */
480 Status = ObReferenceObjectByHandle(ProcessHandle,
481 PROCESS_QUERY_INFORMATION,
482 PsProcessType,
483 ExGetPreviousMode(),
484 (PVOID*)&Process,
485 NULL);
486 if (NT_SUCCESS(Status))
487 {
488 /* Reference the token and dereference the process */
489 *Token = PsReferencePrimaryToken(Process);
490 ObDereferenceObject(Process);
491 }
492
493 /* Return */
494 return Status;
495}
Process
_Must_inspect_result_ _In_ PLARGE_INTEGER _In_ PLARGE_INTEGER _In_ ULONG _In_ PFILE_OBJECT _In_ PVOID Process
Definition: fsrtlfuncs.h:223
PROCESS_QUERY_INFORMATION
#define PROCESS_QUERY_INFORMATION
Definition: pstypes.h:166
PsProcessType
POBJECT_TYPE PsProcessType
Definition: process.c:20
_EPROCESS
Definition: pstypes.h:1261

Referenced by NtOpenProcessTokenEx().

◆ PspAssignPrimaryToken()

NTSTATUS NTAPI PspAssignPrimaryToken ( IN PEPROCESS  Process,
IN HANDLE  Token,
IN PACCESS_TOKEN AccessToken  OPTIONAL 
)

Definition at line 178 of file security.c.

181{
182 PACCESS_TOKEN NewToken = AccessToken, OldToken;
183 NTSTATUS Status;
184 PAGED_CODE();
185 PSTRACE(PS_SECURITY_DEBUG, "Process: %p Token: %p\n", Process, Token);
186
187 /* Check if we don't have a pointer */
188 if (!AccessToken)
189 {
190 /* Reference it from the handle */
191 Status = ObReferenceObjectByHandle(Token,
192 TOKEN_ASSIGN_PRIMARY,
193 SeTokenObjectType,
194 ExGetPreviousMode(),
195 &NewToken,
196 NULL);
197 if (!NT_SUCCESS(Status)) return Status;
198 }
199
200 /* Exchange tokens */
201 Status = SeExchangePrimaryToken(Process, NewToken, &OldToken);
202
203 /* Acquire and release the lock */
204 PspLockProcessSecurityExclusive(Process);
205 PspUnlockProcessSecurityExclusive(Process);
206
207 /* Dereference Tokens and Return */
208 if (NT_SUCCESS(Status)) ObDereferenceObject(OldToken);
209 if (!AccessToken) ObDereferenceObject(NewToken);
210 return Status;
211}
SeExchangePrimaryToken
NTSTATUS NTAPI SeExchangePrimaryToken(_In_ PEPROCESS Process, _In_ PACCESS_TOKEN NewAccessToken, _Out_ PACCESS_TOKEN *OldAccessToken)
Replaces the old access token of a process (pointed by the EPROCESS kernel structure) with a new acce...
Definition: token.c:846
PspUnlockProcessSecurityExclusive
FORCEINLINE VOID PspUnlockProcessSecurityExclusive(IN PEPROCESS Process)
Definition: ps_x.h:144
PspLockProcessSecurityExclusive
FORCEINLINE VOID PspLockProcessSecurityExclusive(IN PEPROCESS Process)
Definition: ps_x.h:133
TOKEN_ASSIGN_PRIMARY
#define TOKEN_ASSIGN_PRIMARY
Definition: setypes.h:925

Referenced by PspSetPrimaryToken().

◆ PspDeleteProcessSecurity()

VOID NTAPI PspDeleteProcessSecurity ( IN PEPROCESS  Process)

Definition at line 30 of file security.c.

31{
32 PAGED_CODE();
33 PSTRACE(PS_SECURITY_DEBUG, "Process: %p\n", Process);
34
35 /* Check if we have a token */
36 if (Process->Token.Object)
37 {
38 /* Deassign it */
39 SeDeassignPrimaryToken(Process);
40 Process->Token.Object = NULL;
41 }
42}
SeDeassignPrimaryToken
VOID NTAPI SeDeassignPrimaryToken(_Inout_ PEPROCESS Process)
Removes the primary token of a process.
Definition: token.c:936

Referenced by PspDeleteProcess().

◆ PspDeleteThreadSecurity()

VOID NTAPI PspDeleteThreadSecurity ( IN PETHREAD  Thread)

Definition at line 46 of file security.c.

47{
48 PPS_IMPERSONATION_INFORMATION ImpersonationInfo = Thread->ImpersonationInfo;
49 PAGED_CODE();
50 PSTRACE(PS_SECURITY_DEBUG, "Thread: %p\n", Thread);
51
52 /* Check if we have active impersonation info */
53 if (Thread->ActiveImpersonationInfo)
54 {
55 /* Dereference its token */
56 ObDereferenceObject(ImpersonationInfo->Token);
57 }
58
59 /* Check if we have impersonation info */
60 if (ImpersonationInfo)
61 {
62 /* Free it */
63 ExFreePool(ImpersonationInfo);
64 PspClearCrossThreadFlag(Thread, CT_ACTIVE_IMPERSONATION_INFO_BIT);
65 Thread->ImpersonationInfo = NULL;
66 }
67}
ExFreePool
#define ExFreePool(addr)
Definition: env_spec_w32.h:352

Referenced by PspDeleteThread().

◆ PspInitializeProcessSecurity()

NTSTATUS NTAPI PspInitializeProcessSecurity ( IN PEPROCESS  Process,
IN PEPROCESS Parent  OPTIONAL 
)

Definition at line 71 of file security.c.

73{
74 NTSTATUS Status = STATUS_SUCCESS;
75 PTOKEN NewToken, ParentToken;
76 PAGED_CODE();
77 PSTRACE(PS_SECURITY_DEBUG, "Process: %p\n", Process);
78
79 /* If we have a parent, then duplicate the Token */
80 if (Parent)
81 {
82 /* Get the Parent Token */
83 ParentToken = PsReferencePrimaryToken(Parent);
84
85 /* Duplicate it */
86 Status = SeSubProcessToken(ParentToken,
87 &NewToken,
88 TRUE,
89 MmGetSessionId(Process));
90
91 /* Dereference the Parent */
92 ObFastDereferenceObject(&Parent->Token, ParentToken);
93
94 /* Set the new Token */
95 if (NT_SUCCESS(Status))
96 {
97 /* Initailize the fast reference */
98 ObInitializeFastReference(&Process->Token, NewToken);
99 }
100 }
101 else
102 {
103 /* No parent, assign the Boot Token */
104 ObInitializeFastReference(&Process->Token, NULL);
105 SeAssignPrimaryToken(Process, PspBootAccessToken);
106 }
107
108 /* Return to caller */
109 return Status;
110}
Parent
ACPI_PHYSICAL_ADDRESS ACPI_SIZE BOOLEAN Warn UINT32 *TableIdx UINT32 ACPI_TABLE_HEADER *OutTableHeader ACPI_TABLE_HEADER **OutTable ACPI_HANDLE UINT32 ACPI_WALK_CALLBACK ACPI_WALK_CALLBACK void void **ReturnValue UINT32 ACPI_BUFFER *RetPathPtr ACPI_OBJECT_HANDLER void *Data ACPI_OBJECT_HANDLER void **Data ACPI_STRING ACPI_OBJECT_LIST ACPI_BUFFER *ReturnObjectBuffer ACPI_DEVICE_INFO **ReturnBuffer ACPI_HANDLE Parent
Definition: acpixf.h:732
MmGetSessionId
ULONG NTAPI MmGetSessionId(IN PEPROCESS Process)
Definition: session.c:179
SeSubProcessToken
NTSTATUS NTAPI SeSubProcessToken(_In_ PTOKEN Parent, _Out_ PTOKEN *Token, _In_ BOOLEAN InUse, _In_ ULONG SessionId)
Subtracts a token in exchange of duplicating a new one.
Definition: token.c:1373
SeAssignPrimaryToken
VOID NTAPI SeAssignPrimaryToken(IN PEPROCESS Process, IN PTOKEN Token)
PspBootAccessToken
PTOKEN PspBootAccessToken
Definition: security.c:17
ObInitializeFastReference
VOID FASTCALL ObInitializeFastReference(IN PEX_FAST_REF FastRef, IN PVOID Object)
Definition: obref.c:107

Referenced by PspCreateProcess().

◆ PspSetPrimaryToken()

NTSTATUS NTAPI PspSetPrimaryToken ( IN PEPROCESS  Process,
IN HANDLE TokenHandle  OPTIONAL,
IN PACCESS_TOKEN Token  OPTIONAL 
)

Definition at line 215 of file security.c.

218{
219 KPROCESSOR_MODE PreviousMode = ExGetPreviousMode();
220 BOOLEAN IsChildOrSibling;
221 PACCESS_TOKEN NewToken = Token;
222 NTSTATUS Status, AccessStatus;
223 BOOLEAN Result, SdAllocated;
224 PSECURITY_DESCRIPTOR SecurityDescriptor = NULL;
225 SECURITY_SUBJECT_CONTEXT SubjectContext;
226
227 PSTRACE(PS_SECURITY_DEBUG, "Process: %p Token: %p\n", Process, Token);
228
229 /* Reference the token by handle if we don't already have a token object */
230 if (!Token)
231 {
232 Status = ObReferenceObjectByHandle(TokenHandle,
233 TOKEN_ASSIGN_PRIMARY,
234 SeTokenObjectType,
235 PreviousMode,
236 (PVOID*)&NewToken,
237 NULL);
238 if (!NT_SUCCESS(Status)) return Status;
239 }
240
241 /*
242 * Check whether this token is a child or sibling of the current process token.
243 * NOTE: On Windows Vista+ both of these checks (together with extra steps)
244 * are now performed by a new SeIsTokenAssignableToProcess() helper.
245 */
246 Status = SeIsTokenChild(NewToken, &IsChildOrSibling);
247 if (!NT_SUCCESS(Status))
248 {
249 /* Failed, dereference */
250 if (!Token) ObDereferenceObject(NewToken);
251 return Status;
252 }
253 if (!IsChildOrSibling)
254 {
255 Status = SeIsTokenSibling(NewToken, &IsChildOrSibling);
256 if (!NT_SUCCESS(Status))
257 {
258 /* Failed, dereference */
259 if (!Token) ObDereferenceObject(NewToken);
260 return Status;
261 }
262 }
263
264 /* Check if this was an independent token */
265 if (!IsChildOrSibling)
266 {
267 /* Make sure we have the privilege to assign a new one */
268 if (!SeSinglePrivilegeCheck(SeAssignPrimaryTokenPrivilege,
269 PreviousMode))
270 {
271 /* Failed, dereference */
272 if (!Token) ObDereferenceObject(NewToken);
273 return STATUS_PRIVILEGE_NOT_HELD;
274 }
275 }
276
277 /* Assign the token */
278 Status = PspAssignPrimaryToken(Process, NULL, NewToken);
279 if (NT_SUCCESS(Status))
280 {
281 /*
282 * We need to completely reverify if the process still has access to
283 * itself under this new token.
284 */
285 Status = ObGetObjectSecurity(Process,
286 &SecurityDescriptor,
287 &SdAllocated);
288 if (NT_SUCCESS(Status))
289 {
290 /* Setup the security context */
291 SubjectContext.ProcessAuditId = Process;
292 SubjectContext.PrimaryToken = PsReferencePrimaryToken(Process);
293 SubjectContext.ClientToken = NULL;
294
295 /* Do the access check */
296 Result = SeAccessCheck(SecurityDescriptor,
297 &SubjectContext,
298 FALSE,
299 MAXIMUM_ALLOWED,
300 0,
301 NULL,
302 &PsProcessType->TypeInfo.GenericMapping,
303 PreviousMode,
304 &Process->GrantedAccess,
305 &AccessStatus);
306
307 /* Dereference the token and let go the SD */
308 ObFastDereferenceObject(&Process->Token,
309 SubjectContext.PrimaryToken);
310 ObReleaseObjectSecurity(SecurityDescriptor, SdAllocated);
311
312 /* Remove access if it failed */
313 if (!Result) Process->GrantedAccess = 0;
314
315 /* Setup granted access */
316 Process->GrantedAccess |= (PROCESS_VM_OPERATION |
317 PROCESS_VM_READ |
318 PROCESS_VM_WRITE |
319 PROCESS_QUERY_INFORMATION |
320 PROCESS_TERMINATE |
321 PROCESS_CREATE_THREAD |
322 PROCESS_DUP_HANDLE |
323 PROCESS_CREATE_PROCESS |
324 PROCESS_SET_INFORMATION |
325 STANDARD_RIGHTS_ALL |
326 PROCESS_SET_QUOTA);
327 }
328
329 /*
330 * In case LUID device maps are enable, we may not be using
331 * system device map for this process, but a logon LUID based
332 * device map. Because we change primary token, this usage is
333 * no longer valid, so dereference the process device map
334 */
335 if (ObIsLUIDDeviceMapsEnabled()) ObDereferenceDeviceMap(Process);
336 }
337
338 /* Dereference the token */
339 if (!Token) ObDereferenceObject(NewToken);
340 return Status;
341}
STATUS_PRIVILEGE_NOT_HELD
#define STATUS_PRIVILEGE_NOT_HELD
Definition: DriverTester.h:9
SeAccessCheck
BOOLEAN NTAPI SeAccessCheck(_In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext, _In_ BOOLEAN SubjectContextLocked, _In_ ACCESS_MASK DesiredAccess, _In_ ACCESS_MASK PreviouslyGrantedAccess, _Out_ PPRIVILEGE_SET *Privileges, _In_ PGENERIC_MAPPING GenericMapping, _In_ KPROCESSOR_MODE AccessMode, _Out_ PACCESS_MASK GrantedAccess, _Out_ PNTSTATUS AccessStatus)
Determines whether security access rights can be given to an object depending on the security descrip...
Definition: accesschk.c:1994
SubjectContext
_Inout_ PLIST_ENTRY _In_ PVOID _In_ PSTRING _In_ BOOLEAN _In_ BOOLEAN _In_ ULONG _In_ PFLT_CALLBACK_DATA _In_opt_ PCHECK_FOR_TRAVERSE_ACCESS _In_opt_ PSECURITY_SUBJECT_CONTEXT SubjectContext
Definition: fltkernel.h:2246
PROCESS_TERMINATE
#define PROCESS_TERMINATE
Definition: pstypes.h:157
PROCESS_VM_READ
#define PROCESS_VM_READ
Definition: pstypes.h:161
PROCESS_VM_WRITE
#define PROCESS_VM_WRITE
Definition: pstypes.h:162
PROCESS_CREATE_THREAD
#define PROCESS_CREATE_THREAD
Definition: pstypes.h:158
PROCESS_VM_OPERATION
#define PROCESS_VM_OPERATION
Definition: pstypes.h:160
PROCESS_SET_INFORMATION
#define PROCESS_SET_INFORMATION
Definition: pstypes.h:165
PROCESS_CREATE_PROCESS
#define PROCESS_CREATE_PROCESS
Definition: pstypes.h:163
PROCESS_SET_QUOTA
#define PROCESS_SET_QUOTA
Definition: pstypes.h:164
PROCESS_DUP_HANDLE
#define PROCESS_DUP_HANDLE
STANDARD_RIGHTS_ALL
#define STANDARD_RIGHTS_ALL
Definition: nt_native.h:69
MAXIMUM_ALLOWED
#define MAXIMUM_ALLOWED
Definition: nt_native.h:83
SeAssignPrimaryTokenPrivilege
const LUID SeAssignPrimaryTokenPrivilege
Definition: priv.c:22
SeIsTokenSibling
NTSTATUS NTAPI SeIsTokenSibling(_In_ PTOKEN Token, _Out_ PBOOLEAN IsSibling)
Checks if the token is a sibling of the other token of the current process that the calling thread is...
Definition: token.c:1482
SeIsTokenChild
NTSTATUS NTAPI SeIsTokenChild(_In_ PTOKEN Token, _Out_ PBOOLEAN IsChild)
Checks if the token is a child of the other token of the current process that the calling thread is i...
Definition: token.c:1433
PspAssignPrimaryToken
NTSTATUS NTAPI PspAssignPrimaryToken(IN PEPROCESS Process, IN HANDLE Token, IN PACCESS_TOKEN AccessToken OPTIONAL)
Definition: security.c:178
SeSinglePrivilegeCheck
BOOLEAN NTAPI SeSinglePrivilegeCheck(_In_ LUID PrivilegeValue, _In_ KPROCESSOR_MODE PreviousMode)
Checks if a single privilege is present in the context of the calling thread.
Definition: priv.c:744
ObDereferenceDeviceMap
VOID NTAPI ObDereferenceDeviceMap(IN PEPROCESS Process)
Definition: devicemap.c:456
ObIsLUIDDeviceMapsEnabled
ULONG NTAPI ObIsLUIDDeviceMapsEnabled(VOID)
Definition: devicemap.c:662
ObGetObjectSecurity
NTSTATUS NTAPI ObGetObjectSecurity(IN PVOID Object, OUT PSECURITY_DESCRIPTOR *SecurityDescriptor, OUT PBOOLEAN MemoryAllocated)
Definition: obsecure.c:611
ObReleaseObjectSecurity
VOID NTAPI ObReleaseObjectSecurity(IN PSECURITY_DESCRIPTOR SecurityDescriptor, IN BOOLEAN MemoryAllocated)
Definition: obsecure.c:709
_OBJECT_TYPE_INITIALIZER::GenericMapping
GENERIC_MAPPING GenericMapping
Definition: obtypes.h:358
_OBJECT_TYPE::TypeInfo
OBJECT_TYPE_INITIALIZER TypeInfo
Definition: obtypes.h:390
_SECURITY_DESCRIPTOR
Definition: ms-dtyp.idl:301
_SECURITY_SUBJECT_CONTEXT
Definition: setypes.h:217
SecurityDescriptor
_In_ USHORT _In_ ULONG _In_ PSOCKADDR _In_ PSOCKADDR _Reserved_ ULONG _In_opt_ PVOID _In_opt_ const WSK_CLIENT_CONNECTION_DISPATCH _In_opt_ PEPROCESS _In_opt_ PETHREAD _In_opt_ PSECURITY_DESCRIPTOR SecurityDescriptor
Definition: wsk.h:191
Result
_At_(*)(_In_ PWSK_CLIENT Client, _In_opt_ PUNICODE_STRING NodeName, _In_opt_ PUNICODE_STRING ServiceName, _In_opt_ ULONG NameSpace, _In_opt_ GUID *Provider, _In_opt_ PADDRINFOEXW Hints, _Outptr_ PADDRINFOEXW *Result, _In_opt_ PEPROCESS OwningProcess, _In_opt_ PETHREAD OwningThread, _Inout_ PIRP Irp Result)(Mem)) NTSTATUS(WSKAPI *PFN_WSK_GET_ADDRESS_INFO
Definition: wsk.h:409
AccessStatus
_In_ PSECURITY_SUBJECT_CONTEXT _In_ BOOLEAN _In_ ACCESS_MASK _In_ ACCESS_MASK _Outptr_opt_ PPRIVILEGE_SET _In_ PGENERIC_MAPPING _In_ KPROCESSOR_MODE _Out_ PACCESS_MASK _Out_ PNTSTATUS AccessStatus
Definition: sefuncs.h:21

Referenced by NtSetInformationProcess().

◆ PspWriteTebImpersonationInfo()

NTSTATUS NTAPI PspWriteTebImpersonationInfo ( IN PETHREAD  Thread,
IN PETHREAD  CurrentThread 
)

Definition at line 114 of file security.c.

116{
117 PEPROCESS Process;
118 PTEB Teb;
119 BOOLEAN Attached = FALSE;
120 BOOLEAN IsImpersonating;
121 KAPC_STATE ApcState;
122 PAGED_CODE();
123 PSTRACE(PS_SECURITY_DEBUG, "Thread: %p\n", Thread);
124
125 /* Sanity check */
126 ASSERT(CurrentThread == PsGetCurrentThread());
127
128 /* Get process and TEB */
129 Process = Thread->ThreadsProcess;
130 Teb = Thread->Tcb.Teb;
131 if (Teb)
132 {
133 /* Check if we're not in the right process */
134 if (Thread->Tcb.ApcState.Process != &Process->Pcb)
135 {
136 /* Attach to the process */
137 KeStackAttachProcess(&Process->Pcb, &ApcState);
138 Attached = TRUE;
139 }
140
141 /* Check if we're in a different thread or acquire rundown */
142 if ((Thread == CurrentThread) ||
143 (ExAcquireRundownProtection(&Thread->RundownProtect)))
144 {
145 /* Check if the thread is impersonating */
146 IsImpersonating = (BOOLEAN)Thread->ActiveImpersonationInfo;
147 if (IsImpersonating)
148 {
149 /* Set TEB data */
150 Teb->ImpersonationLocale = -1;
151 Teb->IsImpersonating = 1;
152 }
153 else
154 {
155 /* Set TEB data */
156 Teb->ImpersonationLocale = 0;
157 Teb->IsImpersonating = 0;
158 }
159 }
160
161 /* Check if we're in a different thread */
162 if (Thread != CurrentThread)
163 {
164 /* Release protection */
165 ExReleaseRundownProtection(&Thread->RundownProtect);
166 }
167
168 /* Detach */
169 if (Attached) KeUnstackDetachProcess(&ApcState);
170 }
171
172 /* Return to caller */
173 return STATUS_SUCCESS;
174}
ExReleaseRundownProtection
#define ExReleaseRundownProtection
Definition: ex.h:136
ExAcquireRundownProtection
#define ExAcquireRundownProtection
Definition: ex.h:135
if
if(dx< 0)
Definition: linetemp.h:194
ApcState
_Out_ PKAPC_STATE ApcState
Definition: mm.h:1765
BOOLEAN
#define BOOLEAN
Definition: pedump.c:73
KeStackAttachProcess
VOID NTAPI KeStackAttachProcess(IN PKPROCESS Process, OUT PRKAPC_STATE ApcState)
Definition: procobj.c:704
KeUnstackDetachProcess
VOID NTAPI KeUnstackDetachProcess(IN PRKAPC_STATE ApcState)
Definition: procobj.c:756
_ETHREAD::Tcb
KTHREAD Tcb
Definition: pstypes.h:1103
_ETHREAD::RundownProtect
EX_RUNDOWN_REF RundownProtect
Definition: pstypes.h:1159
_KTHREAD::Teb
PVOID Teb
Definition: ketypes.h:1807
_KTHREAD::ApcState
KAPC_STATE ApcState
Definition: ketypes.h:1778
_TEB
Definition: compat.h:836
_TEB::IsImpersonating
ULONG IsImpersonating
Definition: winternl.h:433
_TEB::ImpersonationLocale
ULONG ImpersonationLocale
Definition: winternl.h:432
Attached
static BOOL Attached
Definition: vidbios.c:3905
KAPC_STATE
KAPC_STATE
Definition: ketypes.h:1409

Referenced by PsImpersonateClient(), and PsRevertThreadToSelf().

◆ PsReferenceEffectiveToken()

PACCESS_TOKEN NTAPI PsReferenceEffectiveToken ( IN PETHREAD  Thread,
OUT IN PTOKEN_TYPE  TokenType,
OUT PBOOLEAN  EffectiveOnly,
OUT PSECURITY_IMPERSONATION_LEVEL  ImpersonationLevel 
)

Definition at line 802 of file security.c.

806{
807 PEPROCESS Process;
808 PACCESS_TOKEN Token = NULL;
809
810 PAGED_CODE();
811
812 PSTRACE(PS_SECURITY_DEBUG,
813 "Thread: %p, TokenType: %p\n", Thread, TokenType);
814
815 /* Check if we don't have impersonation info */
816 Process = Thread->ThreadsProcess;
817 if (Thread->ActiveImpersonationInfo)
818 {
819 /* Lock the Process */
820 PspLockProcessSecurityShared(Process);
821
822 /* Make sure impersonation is still active */
823 if (Thread->ActiveImpersonationInfo)
824 {
825 /* Get the token */
826 Token = Thread->ImpersonationInfo->Token;
827 ObReferenceObject(Token);
828
829 /* Return data to caller */
830 *TokenType = TokenImpersonation;
831 *EffectiveOnly = Thread->ImpersonationInfo->EffectiveOnly;
832 *ImpersonationLevel = Thread->ImpersonationInfo->ImpersonationLevel;
833
834 /* Unlock the Process */
835 PspUnlockProcessSecurityShared(Process);
836 return Token;
837 }
838
839 /* Unlock the Process */
840 PspUnlockProcessSecurityShared(Process);
841 }
842
843 /* Fast Reference the Token */
844 Token = ObFastReferenceObject(&Process->Token);
845
846 /* Check if we got the Token or if we got locked */
847 if (!Token)
848 {
849 /* Lock the Process */
850 PspLockProcessSecurityShared(Process);
851
852 /* Do a Locked Fast Reference */
853 Token = ObFastReferenceObjectLocked(&Process->Token);
854
855 /* Unlock the Process */
856 PspUnlockProcessSecurityShared(Process);
857 }
858
859 /* Return the token */
860 *TokenType = TokenPrimary;
861 *EffectiveOnly = FALSE;
862 // NOTE: ImpersonationLevel is left untouched on purpose!
863 return Token;
864}
TokenPrimary
@ TokenPrimary
Definition: imports.h:273
TokenType
_In_ ACCESS_MASK _In_opt_ POBJECT_ATTRIBUTES _In_ BOOLEAN _In_ TOKEN_TYPE TokenType
Definition: sefuncs.h:411
ObFastReferenceObject
PVOID FASTCALL ObFastReferenceObject(IN PEX_FAST_REF FastRef)
Definition: obref.c:132
ObFastReferenceObjectLocked
PVOID FASTCALL ObFastReferenceObjectLocked(IN PEX_FAST_REF FastRef)
Definition: obref.c:119
PspUnlockProcessSecurityShared
FORCEINLINE VOID PspUnlockProcessSecurityShared(IN PEPROCESS Process)
Definition: ps_x.h:122
PspLockProcessSecurityShared
FORCEINLINE VOID PspLockProcessSecurityShared(IN PEPROCESS Process)
Definition: ps_x.h:111

Referenced by SeCreateClientSecurity().

◆ PsReferenceImpersonationToken()

PACCESS_TOKEN NTAPI PsReferenceImpersonationToken ( IN PETHREAD  Thread,
OUT PBOOLEAN  CopyOnOpen,
OUT PBOOLEAN  EffectiveOnly,
OUT PSECURITY_IMPERSONATION_LEVEL  ImpersonationLevel 
)

Definition at line 871 of file security.c.

875{
876 PTOKEN Token = NULL;
877 PAGED_CODE();
878 PSTRACE(PS_SECURITY_DEBUG, "Thread: %p\n", Thread);
879
880 /* If we don't have impersonation info, just quit */
881 if (!Thread->ActiveImpersonationInfo) return NULL;
882
883 /* Lock the thread */
884 PspLockThreadSecurityShared(Thread);
885
886 /* Make sure we still have active impersonation */
887 if (Thread->ActiveImpersonationInfo)
888 {
889 /* Return data from caller */
890 ObReferenceObject(Thread->ImpersonationInfo->Token);
891 *ImpersonationLevel = Thread->ImpersonationInfo->ImpersonationLevel;
892 *CopyOnOpen = Thread->ImpersonationInfo->CopyOnOpen;
893 *EffectiveOnly = Thread->ImpersonationInfo->EffectiveOnly;
894
895 /* Set the token */
896 Token = Thread->ImpersonationInfo->Token;
897 }
898
899 /* Unlock thread and return impersonation token */
900 PspUnlockThreadSecurityShared(Thread);
901 return Token;
902}
PspUnlockThreadSecurityShared
FORCEINLINE VOID PspUnlockThreadSecurityShared(IN PETHREAD Thread)
Definition: ps_x.h:166
PspLockThreadSecurityShared
FORCEINLINE VOID PspLockThreadSecurityShared(IN PETHREAD Thread)
Definition: ps_x.h:155

Referenced by GetProcessLuid(), NtCloseObjectAuditAlarm(), NtOpenThreadTokenEx(), ObpReferenceDeviceMap(), and SeCaptureSubjectContextEx().

◆ PsReferencePrimaryToken()

PACCESS_TOKEN NTAPI PsReferencePrimaryToken ( PEPROCESS  Process)

Definition at line 440 of file security.c.

441{
442 PACCESS_TOKEN Token;
443 PAGED_CODE();
444 PSTRACE(PS_SECURITY_DEBUG, "Process: %p\n", Process);
445
446 /* Fast Reference the Token */
447 Token = ObFastReferenceObject(&Process->Token);
448
449 /* Check if we got the Token or if we got locked */
450 if (!Token)
451 {
452 /* Lock the Process */
453 PspLockProcessSecurityShared(Process);
454
455 /* Do a Locked Fast Reference */
456 Token = ObFastReferenceObjectLocked(&Process->Token);
457
458 /* Unlock the Process */
459 PspUnlockProcessSecurityShared(Process);
460 }
461
462 /* Return the Token */
463 return Token;
464}

Referenced by GetProcessLuid(), KsecGetKeyData(), NtCloseObjectAuditAlarm(), NtSecureConnectPort(), ObpSetCurrentProcessDeviceMap(), PsImpersonateClient(), PsOpenTokenOfProcess(), PspCreateProcess(), PspCreateThread(), PspExitThread(), PspInitializeProcessSecurity(), PspSetPrimaryToken(), SeCaptureSubjectContextEx(), SeExchangePrimaryToken(), SeIsTokenChild(), SeIsTokenSibling(), SepImpersonateAnonymousToken(), and SepOpenThreadToken().

◆ PsRestoreImpersonation()

VOID NTAPI PsRestoreImpersonation ( IN PETHREAD  Thread,
IN PSE_IMPERSONATION_STATE  ImpersonationState 
)

Definition at line 987 of file security.c.

989{
990 PTOKEN Token = NULL;
991 PPS_IMPERSONATION_INFORMATION Impersonation;
992 PAGED_CODE();
993 PSTRACE(PS_SECURITY_DEBUG,
994 "Thread: %p State: %p\n", Thread, ImpersonationState);
995
996 /* Lock thread security */
997 PspLockThreadSecurityExclusive(Thread);
998
999 /* Get the impersonation info */
1000 Impersonation = Thread->ImpersonationInfo;
1001
1002 /* Check if we're impersonating */
1003 if (Thread->ActiveImpersonationInfo)
1004 {
1005 /* Get the token */
1006 Token = Impersonation->Token;
1007 }
1008
1009 /* Check if we have an impersonation state */
1010 if (ImpersonationState)
1011 {
1012 /* Fill out the impersonation info */
1013 Impersonation->ImpersonationLevel = ImpersonationState->Level;
1014 Impersonation->CopyOnOpen = ImpersonationState->CopyOnOpen;
1015 Impersonation->EffectiveOnly = ImpersonationState->EffectiveOnly;
1016 Impersonation->Token = ImpersonationState->Token;
1017
1018 /* Enable impersonation */
1019 PspSetCrossThreadFlag(Thread, CT_ACTIVE_IMPERSONATION_INFO_BIT);
1020 }
1021 else
1022 {
1023 /* Disable impersonation */
1024 PspClearCrossThreadFlag(Thread, CT_ACTIVE_IMPERSONATION_INFO_BIT);
1025 }
1026
1027 /* Unlock the thread */
1028 PspUnlockThreadSecurityExclusive(Thread);
1029
1030 /* Dereference the token */
1031 if (Token) ObDereferenceObject(Token);
1032}

Referenced by NtOpenThreadTokenEx().

◆ PsRevertThreadToSelf()

VOID NTAPI PsRevertThreadToSelf ( IN PETHREAD  Thread)

Definition at line 568 of file security.c.

569{
570 PTOKEN Token = NULL;
571 PAGED_CODE();
572 PSTRACE(PS_SECURITY_DEBUG, "Thread: %p\n", Thread);
573
574 /* Make sure we had impersonation information */
575 if (Thread->ActiveImpersonationInfo)
576 {
577 /* Lock the thread security */
578 PspLockThreadSecurityExclusive(Thread);
579
580 /* Make sure it's still active */
581 if (Thread->ActiveImpersonationInfo)
582 {
583 /* Disable impersonation */
584 PspClearCrossThreadFlag(Thread, CT_ACTIVE_IMPERSONATION_INFO_BIT);
585
586 /* Get the token */
587 Token = Thread->ImpersonationInfo->Token;
588 }
589
590 /* Release thread security */
591 PspUnlockThreadSecurityExclusive(Thread);
592
593 /* Check if we had a token */
594 if (Token)
595 {
596 /* Dereference the impersonation token */
597 ObDereferenceObject(Token);
598
599 /* Write impersonation info to the TEB */
600 PspWriteTebImpersonationInfo(Thread, PsGetCurrentThread());
601 }
602 }
603}

Referenced by PsAssignImpersonationToken(), and PsRevertToSelf().

◆ PsRevertToSelf()

VOID NTAPI PsRevertToSelf ( VOID  )

Definition at line 556 of file security.c.

557{
558 /* Call the per-thread API */
559 PAGED_CODE();
560 PsRevertThreadToSelf(PsGetCurrentThread());
561}

Referenced by CmpCmdHiveOpen(), and VfdIoCtlThread().

◆ SeAssignPrimaryToken()

VOID NTAPI SeAssignPrimaryToken ( IN PEPROCESS  Process,
IN PTOKEN  Token 
)

Referenced by PspInitializeProcessSecurity().

Variable Documentation

◆ PspBootAccessToken

PTOKEN PspBootAccessToken

Definition at line 17 of file security.c.

Referenced by PspInitializeProcessSecurity(), and PspInitPhase0().