security.c File Reference
#include <ntoskrnl.h>
#include <debug.h>


Macros

#define NDEBUG
 

Functions

VOID NTAPI SeAssignPrimaryToken (IN PEPROCESS Process, IN PTOKEN Token)
 
VOID NTAPI PspDeleteProcessSecurity (IN PEPROCESS Process)
 
VOID NTAPI PspDeleteThreadSecurity (IN PETHREAD Thread)
 
NTSTATUS NTAPI PspInitializeProcessSecurity (IN PEPROCESS Process, IN PEPROCESS Parent OPTIONAL)
 
NTSTATUS NTAPI PspWriteTebImpersonationInfo (IN PETHREAD Thread, IN PETHREAD CurrentThread)
 
NTSTATUS NTAPI PspAssignPrimaryToken (IN PEPROCESS Process, IN HANDLE Token, IN PACCESS_TOKEN AccessToken OPTIONAL)
 
NTSTATUS NTAPI PspSetPrimaryToken (IN PEPROCESS Process, IN HANDLE TokenHandle OPTIONAL, IN PACCESS_TOKEN Token OPTIONAL)
 
NTSTATUS NTAPI NtOpenProcessToken (IN HANDLE ProcessHandle, IN ACCESS_MASK DesiredAccess, OUT PHANDLE TokenHandle)
 
NTSTATUS NTAPI NtOpenProcessTokenEx (IN HANDLE ProcessHandle, IN ACCESS_MASK DesiredAccess, IN ULONG HandleAttributes, OUT PHANDLE TokenHandle)
 
PACCESS_TOKEN NTAPI PsReferencePrimaryToken (PEPROCESS Process)
 
NTSTATUS NTAPI PsOpenTokenOfProcess (IN HANDLE ProcessHandle, OUT PACCESS_TOKEN *Token)
 
NTSTATUS NTAPI PsAssignImpersonationToken (IN PETHREAD Thread, IN HANDLE TokenHandle)
 
VOID NTAPI PsRevertToSelf (VOID)
 
VOID NTAPI PsRevertThreadToSelf (IN PETHREAD Thread)
 
NTSTATUS NTAPI PsImpersonateClient (IN PETHREAD Thread, IN PACCESS_TOKEN Token, IN BOOLEAN CopyOnOpen, IN BOOLEAN EffectiveOnly, IN SECURITY_IMPERSONATION_LEVEL ImpersonationLevel)
 
PACCESS_TOKEN NTAPI PsReferenceEffectiveToken (IN PETHREAD Thread, OUT IN PTOKEN_TYPE TokenType, OUT PBOOLEAN EffectiveOnly, OUT PSECURITY_IMPERSONATION_LEVEL ImpersonationLevel)
 
PACCESS_TOKEN NTAPI PsReferenceImpersonationToken (IN PETHREAD Thread, OUT PBOOLEAN CopyOnOpen, OUT PBOOLEAN EffectiveOnly, OUT PSECURITY_IMPERSONATION_LEVEL ImpersonationLevel)
 
VOID NTAPI PsDereferenceImpersonationToken (IN PACCESS_TOKEN ImpersonationToken)
 
VOID NTAPI PsDereferencePrimaryToken (IN PACCESS_TOKEN PrimaryToken)
 
BOOLEAN NTAPI PsDisableImpersonation (IN PETHREAD Thread, OUT PSE_IMPERSONATION_STATE ImpersonationState)
 
VOID NTAPI PsRestoreImpersonation (IN PETHREAD Thread, IN PSE_IMPERSONATION_STATE ImpersonationState)
 
NTSTATUS NTAPI NtImpersonateThread (IN HANDLE ThreadHandle, IN HANDLE ThreadToImpersonateHandle, IN PSECURITY_QUALITY_OF_SERVICE SecurityQualityOfService)
 

Variables

PTOKEN PspBootAccessToken
 

Macro Definition Documentation

◆ NDEBUG

#define NDEBUG

Definition at line 14 of file security.c.

Function Documentation

◆ NtImpersonateThread()

NTSTATUS NTAPI NtImpersonateThread ( IN HANDLE  ThreadHandle,
IN HANDLE  ThreadToImpersonateHandle,
IN PSECURITY_QUALITY_OF_SERVICE  SecurityQualityOfService 
)

Definition at line 973 of file security.c.

/*
 * NtImpersonateThread: system-service entry point that makes the thread named by
 * ThreadHandle impersonate the security context of ThreadToImpersonateHandle.
 *
 * Returns the NTSTATUS of the first failing step (user-buffer probe, object
 * reference, or SeCreateClientSecurity); otherwise the Status left by the last step.
 *
 * NOTE(review): this rendered listing drops several source lines (978-979, 981-982,
 * 984, 995, 1002, 1005, 1012, 1021, 1036, 1049), among them the local declarations,
 * the DesiredAccess masks of both ObReferenceObjectByHandle calls and the call that
 * performs the actual impersonation. Read security.c itself before relying on them.
 */
976 {
977  SECURITY_QUALITY_OF_SERVICE SafeServiceQoS;
980  PETHREAD ThreadToImpersonate;
983  PAGED_CODE();
985  "Threads: %p %p\n", ThreadHandle, ThreadToImpersonateHandle);
986 
987  /* Check if call came from user mode; kernel callers are trusted and their pointer is used as-is */
988  if (PreviousMode != KernelMode)
989  {
990  /* Enter SEH for probing */
991  _SEH2_TRY
992  {
993  /* Probe QoS (the length argument, line 995, is not shown; alignment is sizeof(ULONG)) */
994  ProbeForRead(SecurityQualityOfService,
996  sizeof(ULONG));
997 
998  /* Capture it: copy the user structure once and re-point the parameter at the kernel copy, so nothing below re-reads user memory after validation */
999  SafeServiceQoS = *SecurityQualityOfService;
1000  SecurityQualityOfService = &SafeServiceQoS;
1001  }
1003  {
1004  /* Return the exception code (the yield statement, line 1005, is not shown) */
1006  }
1007  _SEH2_END;
1008  }
1009 
1010  /* Reference the thread (its DesiredAccess argument, line 1012, is not shown; presumably a THREAD_* impersonation right — confirm) */
1011  Status = ObReferenceObjectByHandle(ThreadHandle,
1013  PsThreadType,
1014  PreviousMode,
1015  (PVOID*)&Thread,
1016  NULL);
1017  if (NT_SUCCESS(Status))
1018  {
1019  /* Reference the thread to impersonate (its DesiredAccess argument, line 1021, is not shown) */
1020  Status = ObReferenceObjectByHandle(ThreadToImpersonateHandle,
1022  PsThreadType,
1023  PreviousMode,
1024  (PVOID*)&ThreadToImpersonate,
1025  NULL);
1026  if (NT_SUCCESS(Status))
1027  {
1028  /* Create a client security context from the target thread, using the captured QoS; RemoteClient = 0 */
1029  Status = SeCreateClientSecurity(ThreadToImpersonate,
1030  SecurityQualityOfService,
1031  0,
1032  &ClientContext);
1033  if (NT_SUCCESS(Status))
1034  {
1035  /* Do the impersonation (the call itself, line 1036, is not shown in this rendering) */
1037  if (ClientContext.ClientToken)
1038  {
1039  /* Dereference the client token if we had one; the context's reference is not needed once impersonation is set up */
1040  ObDereferenceObject(ClientContext.ClientToken);
1041  }
1042  }
1043 
1044  /* Dereference the thread to impersonate */
1045  ObDereferenceObject(ThreadToImpersonate);
1046  }
1047 
1048  /* Dereference the main thread (the ObDereferenceObject call, line 1049, is not shown) */
1050  }
1051 
1052  /* Return status */
1053  return Status;
1054 }

Referenced by CsrImpersonateClient().

◆ NtOpenProcessToken()

NTSTATUS NTAPI NtOpenProcessToken ( IN HANDLE  ProcessHandle,
IN ACCESS_MASK  DesiredAccess,
OUT PHANDLE  TokenHandle 
)

Definition at line 350 of file security.c.

/*
 * NtOpenProcessToken: legacy entry point kept for callers that predate the Ex
 * variant. The start of the forwarding call (lines 355-356) is not shown in this
 * rendering; from the remaining arguments (0 for HandleAttributes, then
 * TokenHandle) it presumably forwards ProcessHandle and DesiredAccess to
 * NtOpenProcessTokenEx unchanged. Returns whatever that call returns.
 */
353 {
354  /* Call the newer API with no extra handle attributes (lines 355-356 not shown) */
357  0,
358  TokenHandle);
359 }

Referenced by CheckTokenMembership(), CsrGetProcessLuid(), CsrSetProcessSecurity(), GetCallerLuid(), LsapIsTrustedClient(), OpenProcessToken(), RtlCreateUserSecurityObject(), RtlDefaultNpAcl(), SmpAcquirePrivilege(), START_TEST(), and test8().

◆ NtOpenProcessTokenEx()

NTSTATUS NTAPI NtOpenProcessTokenEx ( IN HANDLE  ProcessHandle,
IN ACCESS_MASK  DesiredAccess,
IN ULONG  HandleAttributes,
OUT PHANDLE  TokenHandle 
)

Definition at line 366 of file security.c.

/*
 * NtOpenProcessTokenEx: opens a handle to the primary token of the process named
 * by ProcessHandle with DesiredAccess and HandleAttributes, returning it through
 * TokenHandle.
 *
 * Returns STATUS_SUCCESS with *TokenHandle written, the exception code when the
 * probe or the final user-mode write faults, or the status of the failing step.
 *
 * NOTE(review): lines 371, 373-374, 376, 386, 388, 391, 397, 400, 404-405,
 * 407-408, 411, 422 and 425 are not shown in this rendering (declarations, the
 * probe, the attribute validation, the token open and the first half of the
 * open-by-pointer call). Confirm against security.c.
 */
370 {
372  HANDLE hToken;
375  PAGED_CODE();
377  "Process: %p DesiredAccess: %lx\n", ProcessHandle, DesiredAccess);
378 
379  /* Check if caller was user-mode */
380  if (PreviousMode != KernelMode)
381  {
382  /* Enter SEH for probing */
383  _SEH2_TRY
384  {
385  /* Probe the token handle for write (the probe call, line 386, is not shown) */
387  }
389  {
390  /* Return the exception code */
392  }
393  _SEH2_END;
394  }
395 
396  /* Validate object attributes (line 397 not shown; presumably sanitizes HandleAttributes according to PreviousMode — confirm) */
398 
399  /* Open the process token, i.e. obtain a referenced token object (the call on line 400 is not shown) */
401  if (NT_SUCCESS(Status))
402  {
403  /* Reference it by handle and dereference the pointer: the open takes PreviousMode (line 409), so DesiredAccess is presumably checked as the caller rather than as kernel — confirm */
406  NULL,
409  PreviousMode,
410  &hToken);
412 
413  /* Make sure we got a handle */
414  if (NT_SUCCESS(Status))
415  {
416  /* Enter SEH for write: the user pointer was only probed, not copied, so the store can still fault */
417  _SEH2_TRY
418  {
419  /* Return the handle */
420  *TokenHandle = hToken;
421  }
423  {
424  /* Get exception code. NOTE(review): lines 422 and 425 are not shown; if they only capture the code, hToken stays open in the caller's handle table on this path — confirm */
426  }
427  _SEH2_END;
428  }
429  }
430 
431  /* Return status */
432  return Status;
433 }

Referenced by NtOpenProcessToken(), and START_TEST().

◆ PsAssignImpersonationToken()

NTSTATUS NTAPI PsAssignImpersonationToken ( IN PETHREAD  Thread,
IN HANDLE  TokenHandle 
)

Definition at line 502 of file security.c.

/*
 * PsAssignImpersonationToken: makes Thread impersonate the token named by
 * TokenHandle, or reverts it to its primary context when TokenHandle is NULL.
 *
 * Returns STATUS_SUCCESS, STATUS_BAD_TOKEN_TYPE when the referenced token is not
 * an impersonation token, or the failure status of the handle reference or of
 * PsImpersonateClient.
 *
 * NOTE(review): lines 505-507, 515, 520-523, 529, 532, 537, 540, 544 and 547 are
 * not shown in this rendering; they hold the declarations, the revert call, the
 * access mask used to reference the token, the token-type test, the level query
 * and the dereferences. Confirm against security.c.
 */
504 {
508  PAGED_CODE();
509  PSTRACE(PS_SECURITY_DEBUG, "Thread: %p Token: %p\n", Thread, TokenHandle);
510 
511  /* Check if we were given a handle; NULL means "stop impersonating" */
512  if (!TokenHandle)
513  {
514  /* Undo impersonation (the revert call, line 515, is not shown) and report success */
516  return STATUS_SUCCESS;
517  }
518 
519  /* Get the token object (the handle reference call, lines 520-523, is not shown) */
524  (PVOID*)&Token,
525  NULL);
526  if (!NT_SUCCESS(Status)) return(Status);
527 
528  /* Make sure it's an impersonation token: a primary token must never be installed as an impersonation token (the test, line 529, is not shown) */
530  {
531  /* Fail: release the reference taken above (line 532, not shown) before returning */
533  return STATUS_BAD_TOKEN_TYPE;
534  }
535 
536  /* Get the impersonation level from the token itself rather than from the caller (line 537 not shown) */
538 
539  /* Call the impersonation API with CopyOnOpen = FALSE and EffectiveOnly = FALSE (first and last lines of the call, 540 and 544, not shown) */
541  Token,
542  FALSE,
543  FALSE,
545 
546  /* Dereference the token and return status; the callee presumably keeps its own reference — confirm against PsImpersonateClient (line 547 not shown) */
548  return Status;
549 }

Referenced by NtSetInformationThread().

◆ PsDereferenceImpersonationToken()

VOID NTAPI PsDereferenceImpersonationToken ( IN PACCESS_TOKEN  ImpersonationToken)

Definition at line 847 of file security.c.

/*
 * PsDereferenceImpersonationToken: releases a reference held on an impersonation
 * token. A NULL ImpersonationToken is accepted and ignored, unlike
 * PsDereferencePrimaryToken, which dereferences unconditionally.
 */
848 {
849  PAGED_CODE();
850 
851  /* If we got a token, dereference it */
852  if (ImpersonationToken) ObDereferenceObject(ImpersonationToken);
853 }

Referenced by NtCloseObjectAuditAlarm(), NtOpenThreadTokenEx(), PsImpersonateClient(), and SeReleaseSubjectContext().

◆ PsDereferencePrimaryToken()

VOID NTAPI PsDereferencePrimaryToken ( IN PACCESS_TOKEN  PrimaryToken)

Definition at line 861 of file security.c.

/*
 * PsDereferencePrimaryToken: releases a reference held on a primary token.
 * PrimaryToken must be a valid referenced object: there is no NULL guard here,
 * unlike PsDereferenceImpersonationToken.
 */
862 {
863  PAGED_CODE();
864 
865  /* Dereference the token (no NULL check; the caller guarantees a live reference) */
866  ObDereferenceObject(PrimaryToken);
867 }

Referenced by KsecGetKeyData(), NtCloseObjectAuditAlarm(), NtSecureConnectPort(), and SeExchangePrimaryToken().

◆ PsDisableImpersonation()

BOOLEAN NTAPI PsDisableImpersonation ( IN PETHREAD  Thread,
OUT PSE_IMPERSONATION_STATE  ImpersonationState 
)

Definition at line 874 of file security.c.

/*
 * PsDisableImpersonation: temporarily turns impersonation off on Thread, saving
 * the token, CopyOnOpen, EffectiveOnly and Level into ImpersonationState so that
 * PsRestoreImpersonation can put it back later.
 *
 * Returns TRUE when impersonation was active and its state was captured; FALSE
 * otherwise, in which case the state block is cleared (lines 912-915, not shown).
 *
 * NOTE(review): lines 880, 884, 887, 891, 900, 905 and 912-915 are not shown in
 * this rendering (the trace macro, the initial active-impersonation test, the
 * lock/unlock calls, the flag argument, the EffectiveOnly copy and the clear).
 */
876 {
877  PPS_IMPERSONATION_INFORMATION Impersonation = NULL;
878  LONG OldFlags;
879  PAGED_CODE();
881  "Thread: %p State: %p\n", Thread, ImpersonationState);
882 
883  /* Check if we don't have impersonation (the test on line 884 is not shown) */
885  {
886  /* Lock thread security (line 887 not shown) */
888 
889  /* Disable impersonation by clearing the cross-thread flag; OldFlags receives the previous flag word (flag argument on line 891 not shown) */
890  OldFlags = PspClearCrossThreadFlag(Thread,
892 
893  /* Make sure nobody disabled it behind our back: only the caller that actually flipped the bit owns the saved state */
894  if (OldFlags & CT_ACTIVE_IMPERSONATION_INFO_BIT)
895  {
896  /* Copy the old state (Impersonation stays NULL otherwise, which drives the return value below) */
897  Impersonation = Thread->ImpersonationInfo;
898  ImpersonationState->Token = Impersonation->Token; /* pointer copied, no extra reference taken — presumably the thread's reference is handed to the state; confirm */
899  ImpersonationState->CopyOnOpen = Impersonation->CopyOnOpen;
901  ImpersonationState->Level = Impersonation->ImpersonationLevel;
902  }
903 
904  /* Unlock thread security (line 905 not shown) */
906 
907  /* If we had impersonation info, return true */
908  if (Impersonation) return TRUE;
909  }
910 
911  /* Clear everything in the caller's state block (lines 912-915 not shown) and report that nothing was disabled */
916  return FALSE;
917 }

Referenced by NtOpenThreadTokenEx().

◆ PsImpersonateClient()

NTSTATUS NTAPI PsImpersonateClient ( IN PETHREAD  Thread,
IN PACCESS_TOKEN  Token,
IN BOOLEAN  CopyOnOpen,
IN BOOLEAN  EffectiveOnly,
IN SECURITY_IMPERSONATION_LEVEL  ImpersonationLevel 
)

Definition at line 610 of file security.c.

/*
 * PsImpersonateClient: installs Token as the impersonation token of Thread with
 * the given CopyOnOpen, EffectiveOnly and ImpersonationLevel, or, when Token is
 * NULL, stops impersonation and releases the previous token.
 *
 * Returns STATUS_SUCCESS; STATUS_INSUFFICIENT_RESOURCES when the per-thread
 * impersonation block cannot be allocated; STATUS_ACCESS_DENIED when the
 * process's job forbids the token (no-admin / no-restricted-token limits).
 *
 * NOTE(review): lines 627, 630, 633, 636-637, 644-645, 657, 661, 680-681,
 * 687-688, 701, 704, 712, 720, 723 and 726 are not shown in this rendering; they
 * hold the active-impersonation tests, the lock/unlock calls, the pool tag, the
 * compare-exchange target, the job-limit conditions, the token reference and
 * the TEB updates. Confirm against security.c.
 */
615 {
616  PPS_IMPERSONATION_INFORMATION Impersonation, OldData;
617  PTOKEN OldToken = NULL;
618  PEJOB Job;
619 
620  PAGED_CODE();
621  PSTRACE(PS_SECURITY_DEBUG, "Thread: %p, Token: %p\n", Thread, Token);
622 
623  /* Check if we don't have a token: NULL means "revert to self" */
624  if (!Token)
625  {
626  /* Make sure we're impersonating (test on line 627 not shown) */
628  {
629  /* We seem to be, lock the thread (line 630 not shown) */
631 
632  /* Make sure we're still impersonating: re-checked under the lock (line 633 not shown) */
634  {
635  /* Disable impersonation (flag clear on lines 636-637 not shown) */
638 
639  /* Get the token so it can be released after the lock is dropped */
640  OldToken = Thread->ImpersonationInfo->Token;
641  }
642 
643  /* Unlock the process and write TEB information (lines 644-645 not shown) */
646  }
647  }
648  else
649  {
650  /* Check if we have impersonation info */
651  Impersonation = Thread->ImpersonationInfo;
652  if (!Impersonation)
653  {
654  /* We need to allocate a new one (pool tag argument on line 657 not shown) */
655  Impersonation = ExAllocatePoolWithTag(PagedPool,
656  sizeof(*Impersonation),
658  if (!Impersonation) return STATUS_INSUFFICIENT_RESOURCES;
659 
660  /* Update the pointer with a compare-exchange so two racing callers cannot both install a block (first line of the call, 661, not shown) */
662  ImpersonationInfo,
663  Impersonation,
664  NULL);
665  if (OldData)
666  {
667  /* Someone beat us to it, free our copy and use theirs */
668  ExFreePoolWithTag(Impersonation, TAG_PS_IMPERSONATION);
669  Impersonation = OldData;
670  }
671  }
672 
673  /* FIXME: If the process token can't impersonate, we need to make a copy instead */
674 
675  /* Check if this is a job: job security limits are enforced before the token is installed */
676  Job = Thread->ThreadsProcess->Job;
677  if (Job != NULL)
678  {
679  /* No admin allowed in this job (condition on lines 680-681 not shown) */
682  {
683  return STATUS_ACCESS_DENIED;
684  }
685 
686  /* No restricted tokens allowed in this job (condition on lines 687-688 not shown) */
689  {
690  return STATUS_ACCESS_DENIED;
691  }
692 
693  /* We don't support job filters yet. NOTE(review): this only ASSERTs, so on a free build a job token filter is silently ignored rather than enforced */
694  if (Job->Filter != NULL)
695  {
696  ASSERT(Job->Filter == NULL);
697  }
698  }
699 
700  /* Lock thread security (line 701 not shown) */
702 
703  /* Check if we're impersonating (test on line 704 not shown) */
705  {
706  /* Get the token: the previous one is released once the lock is dropped */
707  OldToken = Impersonation->Token;
708  }
709  else
710  {
711  /* Otherwise, enable impersonation (flag set on line 712 not shown) */
713  }
714 
715  /* Now fill it out (the reference on Token, line 720, is not shown — confirm one is taken here) */
716  Impersonation->ImpersonationLevel = ImpersonationLevel;
717  Impersonation->CopyOnOpen = CopyOnOpen;
718  Impersonation->EffectiveOnly = EffectiveOnly;
719  Impersonation->Token = Token;
721 
722  /* Unlock the thread (line 723 not shown) */
724 
725  /* Write impersonation info to the TEB (line 726 not shown) */
727  }
728 
729  /* Dereference the previous token, if any, and return success */
730  if (OldToken) PsDereferenceImpersonationToken(OldToken);
731  return STATUS_SUCCESS;
732 }

Referenced by NtOpenThreadTokenEx(), PsAssignImpersonationToken(), and SeImpersonateClientEx().

◆ PsOpenTokenOfProcess()

NTSTATUS NTAPI PsOpenTokenOfProcess ( IN HANDLE  ProcessHandle,
OUT PACCESS_TOKEN Token 
)

Definition at line 471 of file security.c.

/*
 * PsOpenTokenOfProcess: references the primary token of the process named by
 * ProcessHandle and returns it through *Token. The caller presumably owns the
 * returned reference — confirm against the dereference in NtOpenProcessTokenEx.
 *
 * Returns the status of the handle reference; *Token is only written on success.
 *
 * NOTE(review): lines 474-475, 480-483 and 489-490 are not shown here (the
 * declarations, the ObReferenceObjectByHandle call with its access mask, and
 * the token reference / process dereference).
 */
473 {
476  PAGED_CODE();
477  PSTRACE(PS_SECURITY_DEBUG, "Process: %p\n", ProcessHandle);
478 
479  /* Get the Token: first turn the handle into a referenced process object (call on lines 480-483 not shown) */
484  (PVOID*)&Process,
485  NULL);
486  if (NT_SUCCESS(Status))
487  {
488  /* Reference the token and dereference the process (lines 489-490 not shown) */
491  }
492 
493  /* Return */
494  return Status;
495 }

Referenced by NtOpenProcessTokenEx().

◆ PspAssignPrimaryToken()

NTSTATUS NTAPI PspAssignPrimaryToken ( IN PEPROCESS  Process,
IN HANDLE  Token,
IN PACCESS_TOKEN AccessToken  OPTIONAL 
)

Definition at line 178 of file security.c.

/*
 * PspAssignPrimaryToken: replaces the primary token of Process. The token comes
 * either from AccessToken (already referenced by the caller) or, when
 * AccessToken is NULL, from the handle Token.
 *
 * Returns the status of the handle reference or of SeExchangePrimaryToken.
 * Ownership: the displaced token is dereferenced only when the exchange
 * succeeded; the reference taken from the handle is dropped here in all cases,
 * while a caller-supplied AccessToken is left to the caller.
 *
 * NOTE(review): lines 183, 191-194 and 204-205 are not shown (the Status
 * declaration, the ObReferenceObjectByHandle call with its access mask, and
 * the lock/unlock pair).
 */
181 {
182  PACCESS_TOKEN NewToken = AccessToken, OldToken;
184  PAGED_CODE();
185  PSTRACE(PS_SECURITY_DEBUG, "Process: %p Token: %p\n", Process, Token);
186 
187  /* Check if we don't have a pointer */
188  if (!AccessToken)
189  {
190  /* Reference it from the handle (the call on lines 191-194 is not shown) */
195  &NewToken,
196  NULL);
197  if (!NT_SUCCESS(Status)) return Status;
198  }
199 
200  /* Exchange tokens */
201  Status = SeExchangePrimaryToken(Process, NewToken, &OldToken);
202 
203  /* Acquire and release the lock (lines 204-205 not shown) */
206 
207  /* Dereference Tokens and Return: OldToken is only valid when the exchange succeeded */
208  if (NT_SUCCESS(Status)) ObDereferenceObject(OldToken);
209  if (!AccessToken) ObDereferenceObject(NewToken);
210  return Status;
211 }

Referenced by PspSetPrimaryToken().

◆ PspDeleteProcessSecurity()

VOID NTAPI PspDeleteProcessSecurity ( IN PEPROCESS  Process)

Definition at line 30 of file security.c.

/*
 * PspDeleteProcessSecurity: process-teardown hook that releases the primary
 * token if one is still assigned (the deassign call, line 39, is not shown in
 * this rendering).
 */
31 {
32  PAGED_CODE();
33  PSTRACE(PS_SECURITY_DEBUG, "Process: %p\n", Process);
34 
35  /* Check if we have a token */
36  if (Process->Token.Object)
37  {
38  /* Deassign it (line 39 not shown) and clear the pointer so a repeated call is a no-op */
40  Process->Token.Object = NULL;
41  }
42 }

Referenced by PspDeleteProcess().

◆ PspDeleteThreadSecurity()

VOID NTAPI PspDeleteThreadSecurity ( IN PETHREAD  Thread)

Definition at line 46 of file security.c.

/*
 * PspDeleteThreadSecurity: thread-teardown hook that drops the impersonation
 * token (only while impersonation is active) and frees the per-thread
 * impersonation block.
 *
 * NOTE(review): lines 48, 53 and 64-65 are not shown — the ImpersonationInfo
 * local (presumably loaded from Thread->ImpersonationInfo), the
 * active-impersonation test, and what follows the free (presumably the flag
 * clear and the NULL-ing of the thread's pointer). Confirm against security.c.
 */
47 {
49  PAGED_CODE();
50  PSTRACE(PS_SECURITY_DEBUG, "Thread: %p\n", Thread);
51 
52  /* Check if we have active impersonation info (test on line 53 not shown) */
54  {
55  /* Dereference its token; the block presumably holds a reference only while impersonation is active — confirm */
56  ObDereferenceObject(ImpersonationInfo->Token);
57  }
58 
59  /* Check if we have impersonation info */
60  if (ImpersonationInfo)
61  {
62  /* Free it (lines 64-65, after the free, are not shown) */
63  ExFreePool(ImpersonationInfo);
66  }
67 }

Referenced by PspDeleteThread().

◆ PspInitializeProcessSecurity()

NTSTATUS NTAPI PspInitializeProcessSecurity ( IN PEPROCESS  Process,
IN PEPROCESS Parent  OPTIONAL 
)

Definition at line 71 of file security.c.

/*
 * PspInitializeProcessSecurity: gives a new process its primary token. With a
 * Parent, the parent's primary token is duplicated via SeSubProcessToken;
 * without one, the boot token is assigned (lines 104-105, not shown).
 *
 * Returns the status of SeSubProcessToken in the parent case; the initial
 * value of Status (line 74, not shown) presumably covers the no-parent path.
 * When the duplication fails, Process->Token is left untouched by this function.
 *
 * NOTE(review): lines 74, 89 and 104-105 are not shown in this rendering.
 */
73 {
75  PTOKEN NewToken, ParentToken;
76  PAGED_CODE();
77  PSTRACE(PS_SECURITY_DEBUG, "Process: %p\n", Process);
78 
79  /* If we have a parent, then duplicate the Token */
80  if (Parent)
81  {
82  /* Get the Parent Token */
83  ParentToken = PsReferencePrimaryToken(Parent);
84 
85  /* Duplicate it as an in-use child token (the last argument, line 89, is not shown) */
86  Status = SeSubProcessToken(ParentToken,
87  &NewToken,
88  TRUE,
90 
91  /* Dereference the Parent's token through the fast reference it was taken from */
92  ObFastDereferenceObject(&Parent->Token, ParentToken);
93 
94  /* Set the new Token */
95  if (NT_SUCCESS(Status))
96  {
97  /* Initialize the fast reference */
98  ObInitializeFastReference(&Process->Token, NewToken);
99  }
100  }
101  else
102  {
103  /* No parent, assign the Boot Token (lines 104-105 not shown) */
106  }
107 
108  /* Return to caller */
109  return Status;
110 }

Referenced by PspCreateProcess().

◆ PspSetPrimaryToken()

NTSTATUS NTAPI PspSetPrimaryToken ( IN PEPROCESS  Process,
IN HANDLE TokenHandle  OPTIONAL,
IN PACCESS_TOKEN Token  OPTIONAL 
)

Definition at line 215 of file security.c.

/*
 * PspSetPrimaryToken
 *
 * Replaces the primary token of Process, either with the token object
 * passed in Token or, when Token is NULL, with the object behind
 * TokenHandle. In the latter case the handle is referenced at
 * PreviousMode (the ObReferenceObjectByHandle call starts on lines this
 * listing does not show, so the access mask and object type it requests
 * must be confirmed in the full source).
 *
 * Policy enforced here, in order:
 *   1. The new token must be a child or sibling of the caller's current
 *      primary token (SeIsTokenChild / SeIsTokenSibling). An unrelated
 *      token goes through a privilege check whose call and failure
 *      return are on lines not shown here.
 *   2. After the assignment the process's access to itself is
 *      re-evaluated with SeAccessCheck against its own security
 *      descriptor, because Process->GrantedAccess was computed under the
 *      old token.
 *   3. The per-process device map is released when LUID device maps are
 *      in use (condition on a line not shown), as it was derived from
 *      the previous logon session.
 *
 * Returns an NTSTATUS. When Token is NULL the reference taken on the
 * handle is released on every exit path.
 */
218 {
220  BOOLEAN IsChildOrSibling;
221  PACCESS_TOKEN NewToken = Token;
223  BOOLEAN Result, SdAllocated;
226 
227  PSTRACE(PS_SECURITY_DEBUG, "Process: %p Token: %p\n", Process, Token);
228 
229  /* Reference the token by handle if we don't already have a token object */
230  if (!Token)
231  {
 /* Handle is validated in the caller's mode, so a user-mode caller cannot
  * smuggle a kernel handle through here. */
235  PreviousMode,
236  (PVOID*)&NewToken,
237  NULL);
238  if (!NT_SUCCESS(Status)) return Status;
239  }
240 
241  /*
242  * Check whether this token is a child or sibling of the current process token.
243  * NOTE: On Windows Vista+ both of these checks (together with extra steps)
244  * are now performed by a new SeIsTokenAssignableToProcess() helper.
245  */
246  Status = SeIsTokenChild(NewToken, &IsChildOrSibling);
247  if (!NT_SUCCESS(Status))
248  {
249  /* Failed, dereference */
250  if (!Token) ObDereferenceObject(NewToken);
251  return Status;
252  }
253  if (!IsChildOrSibling)
254  {
255  Status = SeIsTokenSibling(NewToken, &IsChildOrSibling);
256  if (!NT_SUCCESS(Status))
257  {
258  /* Failed, dereference */
259  if (!Token) ObDereferenceObject(NewToken);
260  return Status;
261  }
262  }
263 
264  /* Check if this was an independent token */
265  if (!IsChildOrSibling)
266  {
267  /* Make sure we have the privilege to assign a new one */
 /* The privilege check (line 268, not shown) is evaluated against
  * PreviousMode, so kernel-mode callers are not subject to it. */
269  PreviousMode))
270  {
271  /* Failed, dereference */
272  if (!Token) ObDereferenceObject(NewToken);
 /* Line 273 (not shown) presumably returns the failure status. */
274  }
275  }
276 
277  /* Assign the token */
 /* NOTE(review): the assignment itself is on line 278 (not shown). From
  * here on, a failure of the security-descriptor lookup below is returned
  * to the caller although the token has already been swapped — confirm
  * that callers tolerate that. */
279  if (NT_SUCCESS(Status))
280  {
281  /*
282  * We need to completely reverify if the process still has access to
283  * itself under this new token.
284  */
287  &SdAllocated);
288  if (NT_SUCCESS(Status))
289  {
290  /* Setup the security context */
291  SubjectContext.ProcessAuditId = Process;
 /* PrimaryToken is filled on line 292 (not shown); ClientToken is NULL so
  * the check is done against the new primary token only. */
293  SubjectContext.ClientToken = NULL;
294 
295  /* Do the access check */
298  FALSE,
300  0,
301  NULL,
303  PreviousMode,
304  &Process->GrantedAccess,
305  &AccessStatus);
306 
307  /* Dereference the token and let go the SD */
309  SubjectContext.PrimaryToken);
311 
312  /* Remove access if it failed */
 /* Result is the BOOLEAN returned by SeAccessCheck; AccessStatus is not
  * inspected here. */
313  if (!Result) Process->GrantedAccess = 0;
314 
315  /* Setup granted access */
 /* These rights are ORed in after the access check, so they are held
  * regardless of its outcome (the rest of the mask is on lines not
  * shown). */
316  Process->GrantedAccess |= (PROCESS_VM_OPERATION |
327  }
328 
329  /*
330  * In case LUID device maps are enabled, we may not be using the
331  * system device map for this process, but a logon LUID based
332  * device map. Because we changed the primary token, this usage is
333  * no longer valid, so dereference the process device map.
334  */
336  }
337 
338  /* Dereference the token */
339  if (!Token) ObDereferenceObject(NewToken);
340  return Status;
341 }

Referenced by NtSetInformationProcess().

◆ PspWriteTebImpersonationInfo()

NTSTATUS NTAPI PspWriteTebImpersonationInfo ( IN PETHREAD  Thread,
IN PETHREAD  CurrentThread 
)

Definition at line 114 of file security.c.

/*
 * PspWriteTebImpersonationInfo
 *
 * Mirrors Thread's impersonation state into the user-mode TEB fields
 * ImpersonationLocale and IsImpersonating, so that user mode can tell
 * whether the thread is impersonating. CurrentThread must be the calling
 * thread (asserted below; the assert is active in checked builds only).
 *
 * The TEB lives in the target process's address space, so the routine
 * attaches to that process when the caller is not already in it. For a
 * thread other than the caller, the condition on line 142/143 also takes
 * rundown protection (judging by the release below; line 143 is not
 * shown) so the thread cannot be torn down during the write.
 *
 * Always returns STATUS_SUCCESS, even when the TEB write was skipped.
 */
116 {
118  PTEB Teb;
120  BOOLEAN IsImpersonating;
122  PAGED_CODE();
123  PSTRACE(PS_SECURITY_DEBUG, "Thread: %p\n", Thread);
124 
125  /* Sanity check */
126  ASSERT(CurrentThread == PsGetCurrentThread());
127 
128  /* Get process and TEB */
129  Process = Thread->ThreadsProcess;
130  Teb = Thread->Tcb.Teb;
131  if (Teb)
132  {
133  /* Check if we're not in the right process */
134  if (Thread->Tcb.ApcState.Process != &Process->Pcb)
135  {
136  /* Attach to the process */
 /* Attach call on line 137 (not shown); Attached presumably drives the
  * detach at line 169. */
138  Attached = TRUE;
139  }
140 
141  /* Check if we're in a different thread or acquire rundown */
 /* NOTE(review): the second operand (line 143) is not shown. If it is
  * ExAcquireRundownProtection on Thread->RundownProtect, the release at
  * line 165 below runs even when that acquire failed — confirm against
  * the full source. */
142  if ((Thread == CurrentThread) ||
144  {
145  /* Check if the thread is impersonating */
146  IsImpersonating = (BOOLEAN)Thread->ActiveImpersonationInfo;
147  if (IsImpersonating)
148  {
149  /* Set TEB data */
 /* NOTE(review): these are writes to user-mode memory; no SEH wraps them
  * on the visible lines — confirm the TEB is guaranteed mapped here. */
150  Teb->ImpersonationLocale = -1;
151  Teb->IsImpersonating = 1;
152  }
153  else
154  {
155  /* Set TEB data */
156  Teb->ImpersonationLocale = 0;
157  Teb->IsImpersonating = 0;
158  }
159  }
160 
161  /* Check if we're in a different thread */
162  if (Thread != CurrentThread)
163  {
164  /* Release protection */
166  }
167 
168  /* Detach */
170  }
171 
172  /* Return to caller */
173  return STATUS_SUCCESS;
174 }

Referenced by PsImpersonateClient(), and PsRevertThreadToSelf().

◆ PsReferenceEffectiveToken()

PACCESS_TOKEN NTAPI PsReferenceEffectiveToken ( IN PETHREAD  Thread,
OUT IN PTOKEN_TYPE  TokenType,
OUT PBOOLEAN  EffectiveOnly,
OUT PSECURITY_IMPERSONATION_LEVEL  ImpersonationLevel 
)

Definition at line 739 of file security.c.

/*
 * PsReferenceEffectiveToken
 *
 * Returns a referenced pointer to the token that currently governs
 * Thread's security: its impersonation token while impersonation is
 * active, otherwise its process's primary token.
 *
 * On the impersonation path the out parameters are filled from the
 * thread's impersonation info (lines 767-769, not shown). On the
 * primary-token path *EffectiveOnly is set to FALSE and
 * *ImpersonationLevel is deliberately left untouched; *TokenType is
 * presumably set on line 797 (not shown).
 *
 * The impersonation state is (per the comments) checked once without
 * the lock and again under the shared process security lock, because
 * impersonation can be reverted concurrently. The two paths take their
 * reference by different mechanisms (plain reference vs. fast
 * reference), so the caller has to release it in the way that matches
 * *TokenType — confirm against the callers.
 */
743 {
746 
747  PAGED_CODE();
748 
750  "Thread: %p, TokenType: %p\n", Thread, TokenType);
751 
752  /* Check if we don't have impersonation info */
753  Process = Thread->ThreadsProcess;
755  {
756  /* Lock the Process */
758 
759  /* Make sure impersonation is still active */
 /* Re-checked under the lock: the unlocked test above is only a fast
  * path. */
761  {
762  /* Get the token */
765 
766  /* Return data to caller */
770 
771  /* Unlock the Process */
773  return Token;
774  }
775 
776  /* Unlock the Process */
778  }
779 
780  /* Fast Reference the Token */
782 
783  /* Check if we got the Token or if we got locked */
784  if (!Token)
785  {
786  /* Lock the Process */
788 
789  /* Do a Locked Fast Reference */
791 
792  /* Unlock the Process */
794  }
795 
796  /* Return the token */
798  *EffectiveOnly = FALSE;
799  // NOTE: ImpersonationLevel is left untouched on purpose!
800  return Token;
801 }

Referenced by SeCreateClientSecurity().

◆ PsReferenceImpersonationToken()

PACCESS_TOKEN NTAPI PsReferenceImpersonationToken ( IN PETHREAD  Thread,
OUT PBOOLEAN  CopyOnOpen,
OUT PBOOLEAN  EffectiveOnly,
OUT PSECURITY_IMPERSONATION_LEVEL  ImpersonationLevel 
)

Definition at line 808 of file security.c.

/*
 * PsReferenceImpersonationToken
 *
 * Returns a referenced pointer to Thread's impersonation token, or NULL
 * when the thread is not impersonating. CopyOnOpen, EffectiveOnly and
 * ImpersonationLevel are written only on the success path (lines
 * 827-830, not shown), under the shared thread security lock; callers
 * must test the return value for NULL before reading them.
 *
 * ActiveImpersonationInfo is tested twice: once unlocked as a fast exit,
 * then again under the lock (line 824, not shown), since impersonation
 * may be reverted concurrently.
 */
812 {
813  PTOKEN Token = NULL;
814  PAGED_CODE();
815  PSTRACE(PS_SECURITY_DEBUG, "Thread: %p\n", Thread);
816 
817  /* If we don't have impersonation info, just quit */
818  if (!Thread->ActiveImpersonationInfo) return NULL;
819 
820  /* Lock the thread */
822 
823  /* Make sure we still have active impersonation */
825  {
826  /* Return data to caller */
831 
832  /* Set the token */
 /* Reference taken on line 833 (not shown); Token stays NULL otherwise. */
834  }
835 
836  /* Unlock thread and return impersonation token */
838  return Token;
839 }

Referenced by GetProcessLuid(), NtCloseObjectAuditAlarm(), NtOpenThreadTokenEx(), ObpReferenceDeviceMap(), and SeCaptureSubjectContextEx().

◆ PsReferencePrimaryToken()

PACCESS_TOKEN NTAPI PsReferencePrimaryToken ( PEPROCESS  Process)

Definition at line 440 of file security.c.

/*
 * PsReferencePrimaryToken
 *
 * Takes a reference on Process's primary token and returns it. The
 * lock-free fast reference is tried first (line 447, not shown); when it
 * yields NULL ("got locked", per the comment) the routine falls back to
 * the locked variant under the shared process security lock. The caller
 * owns the returned reference; the matching release routine is not part
 * of this listing.
 */
441 {
443  PAGED_CODE();
444  PSTRACE(PS_SECURITY_DEBUG, "Process: %p\n", Process);
445 
446  /* Fast Reference the Token */
448 
449  /* Check if we got the Token or if we got locked */
450  if (!Token)
451  {
452  /* Lock the Process */
454 
455  /* Do a Locked Fast Reference */
457 
458  /* Unlock the Process */
460  }
461 
462  /* Return the Token */
463  return Token;
464 }

Referenced by GetProcessLuid(), KsecGetKeyData(), NtCloseObjectAuditAlarm(), NtOpenThreadTokenEx(), NtSecureConnectPort(), ObpSetCurrentProcessDeviceMap(), PsOpenTokenOfProcess(), PspCreateProcess(), PspCreateThread(), PspExitThread(), PspInitializeProcessSecurity(), PspSetPrimaryToken(), SeCaptureSubjectContextEx(), SeExchangePrimaryToken(), SeIsTokenChild(), and SeIsTokenSibling().

◆ PsRestoreImpersonation()

VOID NTAPI PsRestoreImpersonation ( IN PETHREAD  Thread,
IN PSE_IMPERSONATION_STATE  ImpersonationState 
)

Definition at line 924 of file security.c.

/*
 * PsRestoreImpersonation
 *
 * Restores the impersonation state previously saved in ImpersonationState
 * (level, CopyOnOpen, EffectiveOnly, token) and re-enables impersonation,
 * or disables impersonation when ImpersonationState is NULL. Per the
 * comments, the update runs under the exclusive thread security lock and
 * the token that was active before is dereferenced only after the lock
 * has been released (line 968, not shown).
 *
 * NOTE(review): Impersonation (Thread->ImpersonationInfo) is written
 * through without a NULL check on the restore path; this relies on the
 * caller having obtained ImpersonationState from a prior save on the same
 * thread — confirm.
 */
926 {
927  PTOKEN Token = NULL;
928  PPS_IMPERSONATION_INFORMATION Impersonation;
929  PAGED_CODE();
931  "Thread: %p State: %p\n", Thread, ImpersonationState);
932 
933  /* Lock thread security */
935 
936  /* Get the impersonation info */
937  Impersonation = Thread->ImpersonationInfo;
938 
939  /* Check if we're impersonating */
941  {
942  /* Get the token */
 /* Remembered so the reference can be dropped after unlocking. */
943  Token = Impersonation->Token;
944  }
945 
946  /* Check if we have an impersonation state */
947  if (ImpersonationState)
948  {
949  /* Fill out the impersonation info */
950  Impersonation->ImpersonationLevel = ImpersonationState->Level;
951  Impersonation->CopyOnOpen = ImpersonationState->CopyOnOpen;
953  Impersonation->Token = ImpersonationState->Token;
954 
955  /* Enable impersonation */
957  }
958  else
959  {
960  /* Disable impersonation */
962  }
963 
964  /* Unlock the thread */
966 
967  /* Dereference the token */
969 }

Referenced by NtOpenThreadTokenEx().

◆ PsRevertThreadToSelf()

VOID NTAPI PsRevertThreadToSelf ( IN PETHREAD  Thread)

Definition at line 568 of file security.c.

/*
 * PsRevertThreadToSelf
 *
 * Ends impersonation on Thread. Per the comments: under the exclusive
 * thread security lock the active-impersonation flag is cleared and the
 * impersonation token is taken out; after the lock is released the token
 * is dereferenced and the thread's TEB impersonation fields are
 * refreshed (PspWriteTebImpersonationInfo, line 600, not shown). A
 * thread that is not impersonating is left untouched. The flag is
 * checked again under the lock because impersonation may already have
 * been reverted by the time the lock is held.
 */
569 {
570  PTOKEN Token = NULL;
571  PAGED_CODE();
572  PSTRACE(PS_SECURITY_DEBUG, "Thread: %p\n", Thread);
573 
574  /* Make sure we had impersonation information */
576  {
577  /* Lock the thread security */
579 
580  /* Make sure it's still active */
582  {
583  /* Disable impersonation */
585 
586  /* Get the token */
 /* Token set on line 587 (not shown); stays NULL if impersonation was
  * already gone. */
588  }
589 
590  /* Release thread security */
592 
593  /* Check if we had a token */
594  if (Token)
595  {
596  /* Dereference the impersonation token */
598 
599  /* Write impersonation info to the TEB */
601  }
602  }
603 }

Referenced by PsAssignImpersonationToken(), and PsRevertToSelf().

◆ PsRevertToSelf()

VOID NTAPI PsRevertToSelf ( VOID  )

Definition at line 556 of file security.c.

/*
 * PsRevertToSelf
 *
 * Exported wrapper that reverts the calling thread to its own security
 * context. The call on line 560 (not shown) is, per the comment below,
 * the per-thread routine applied to the current thread.
 */
557 {
558  /* Call the per-thread API */
559  PAGED_CODE();
561 }

Referenced by CmpCmdHiveOpen(), and VfdIoCtlThread().

◆ SeAssignPrimaryToken()

VOID NTAPI SeAssignPrimaryToken ( IN PEPROCESS  Process,
IN PTOKEN  Token 
)

Definition at line 862 of file token.c.

/*
 * SeAssignPrimaryToken
 *
 * Installs Token as the primary token of Process, deassigning any token
 * the process currently holds. The preconditions — Token is a primary
 * token and is not already in use by another process — are enforced only
 * by ASSERT, i.e. in checked builds; free builds rely on the caller to
 * guarantee them. After this call Token is marked in use; the reference
 * the process keeps on it is taken on lines not shown in this listing.
 */
864 {
865  PAGED_CODE();
866 
867  /* Sanity checks (checked builds only) */
868  ASSERT(Token->TokenType == TokenPrimary);
869  ASSERT(!Token->TokenInUse);
870 
871  /* Clean any previous token */
872  if (Process->Token.Object) SeDeassignPrimaryToken(Process);
873 
874  /* Set the new token */
876  Token->TokenInUse = TRUE;
878 }

Referenced by PspInitializeProcessSecurity().

Variable Documentation

◆ PspBootAccessToken

PTOKEN PspBootAccessToken

Definition at line 17 of file security.c.

Referenced by PspInitializeProcessSecurity(), and PspInitPhase0().