ReactOS  0.4.15-dev-2979-gfd8baca
security.c
Go to the documentation of this file.
1 /*
2  * PROJECT: ReactOS Kernel
3  * LICENSE: GPL - See COPYING in the top level directory
4  * FILE: ntoskrnl/ps/security.c
5  * PURPOSE: Process Manager: Process/Thread Security
6  * PROGRAMMERS: Alex Ionescu (alex.ionescu@reactos.org)
7  * Eric Kohl
8  * Thomas Weidenmueller (w3seek@reactos.org)
9  */
10 
11 /* INCLUDES ******************************************************************/
12 
13 #include <ntoskrnl.h>
14 #define NDEBUG
15 #include <debug.h>
16 
18 
19 VOID
20 NTAPI
24 );
25 
26 /* PRIVATE FUNCTIONS *********************************************************/
27 
28 VOID
29 NTAPI
31 {
32  PAGED_CODE();
33  PSTRACE(PS_SECURITY_DEBUG, "Process: %p\n", Process);
34 
35  /* Check if we have a token */
36  if (Process->Token.Object)
37  {
38  /* Deassign it */
40  Process->Token.Object = NULL;
41  }
42 }
43 
44 VOID
45 NTAPI
47 {
49  PAGED_CODE();
50  PSTRACE(PS_SECURITY_DEBUG, "Thread: %p\n", Thread);
51 
52  /* Check if we have active impersonation info */
54  {
55  /* Dereference its token */
56  ObDereferenceObject(ImpersonationInfo->Token);
57  }
58 
59  /* Check if we have impersonation info */
60  if (ImpersonationInfo)
61  {
62  /* Free it */
63  ExFreePool(ImpersonationInfo);
66  }
67 }
68 
70 NTAPI
73 {
75  PTOKEN NewToken, ParentToken;
76  PAGED_CODE();
77  PSTRACE(PS_SECURITY_DEBUG, "Process: %p\n", Process);
78 
79  /* If we have a parent, then duplicate the Token */
80  if (Parent)
81  {
82  /* Get the Parent Token */
83  ParentToken = PsReferencePrimaryToken(Parent);
84 
85  /* Duplicate it */
86  Status = SeSubProcessToken(ParentToken,
87  &NewToken,
88  TRUE,
90 
91  /* Dereference the Parent */
92  ObFastDereferenceObject(&Parent->Token, ParentToken);
93 
94  /* Set the new Token */
95  if (NT_SUCCESS(Status))
96  {
97  /* Initailize the fast reference */
98  ObInitializeFastReference(&Process->Token, NewToken);
99  }
100  }
101  else
102  {
103  /* No parent, assign the Boot Token */
106  }
107 
108  /* Return to caller */
109  return Status;
110 }
111 
112 NTSTATUS
113 NTAPI
115  IN PETHREAD CurrentThread)
116 {
118  PTEB Teb;
120  BOOLEAN IsImpersonating;
122  PAGED_CODE();
123  PSTRACE(PS_SECURITY_DEBUG, "Thread: %p\n", Thread);
124 
125  /* Sanity check */
126  ASSERT(CurrentThread == PsGetCurrentThread());
127 
128  /* Get process and TEB */
129  Process = Thread->ThreadsProcess;
130  Teb = Thread->Tcb.Teb;
131  if (Teb)
132  {
133  /* Check if we're not in the right process */
134  if (Thread->Tcb.ApcState.Process != &Process->Pcb)
135  {
136  /* Attach to the process */
138  Attached = TRUE;
139  }
140 
141  /* Check if we're in a different thread or acquire rundown */
142  if ((Thread == CurrentThread) ||
144  {
145  /* Check if the thread is impersonating */
146  IsImpersonating = (BOOLEAN)Thread->ActiveImpersonationInfo;
147  if (IsImpersonating)
148  {
149  /* Set TEB data */
150  Teb->ImpersonationLocale = -1;
151  Teb->IsImpersonating = 1;
152  }
153  else
154  {
155  /* Set TEB data */
156  Teb->ImpersonationLocale = 0;
157  Teb->IsImpersonating = 0;
158  }
159  }
160 
161  /* Check if we're in a different thread */
162  if (Thread != CurrentThread)
163  {
164  /* Release protection */
166  }
167 
168  /* Detach */
170  }
171 
172  /* Return to caller */
173  return STATUS_SUCCESS;
174 }
175 
176 NTSTATUS
177 NTAPI
179  IN HANDLE Token,
180  IN PACCESS_TOKEN AccessToken OPTIONAL)
181 {
182  PACCESS_TOKEN NewToken = AccessToken, OldToken;
184  PAGED_CODE();
185  PSTRACE(PS_SECURITY_DEBUG, "Process: %p Token: %p\n", Process, Token);
186 
187  /* Check if we don't have a pointer */
188  if (!AccessToken)
189  {
190  /* Reference it from the handle */
195  &NewToken,
196  NULL);
197  if (!NT_SUCCESS(Status)) return Status;
198  }
199 
200  /* Exchange tokens */
201  Status = SeExchangePrimaryToken(Process, NewToken, &OldToken);
202 
203  /* Acquire and release the lock */
206 
207  /* Dereference Tokens and Return */
208  if (NT_SUCCESS(Status)) ObDereferenceObject(OldToken);
209  if (!AccessToken) ObDereferenceObject(NewToken);
210  return Status;
211 }
212 
213 NTSTATUS
214 NTAPI
218 {
220  BOOLEAN IsChildOrSibling;
221  PACCESS_TOKEN NewToken = Token;
223  BOOLEAN Result, SdAllocated;
226 
227  PSTRACE(PS_SECURITY_DEBUG, "Process: %p Token: %p\n", Process, Token);
228 
229  /* Reference the token by handle if we don't already have a token object */
230  if (!Token)
231  {
235  PreviousMode,
236  (PVOID*)&NewToken,
237  NULL);
238  if (!NT_SUCCESS(Status)) return Status;
239  }
240 
241  /*
242  * Check whether this token is a child or sibling of the current process token.
243  * NOTE: On Windows Vista+ both of these checks (together with extra steps)
244  * are now performed by a new SeIsTokenAssignableToProcess() helper.
245  */
246  Status = SeIsTokenChild(NewToken, &IsChildOrSibling);
247  if (!NT_SUCCESS(Status))
248  {
249  /* Failed, dereference */
250  if (!Token) ObDereferenceObject(NewToken);
251  return Status;
252  }
253  if (!IsChildOrSibling)
254  {
255  Status = SeIsTokenSibling(NewToken, &IsChildOrSibling);
256  if (!NT_SUCCESS(Status))
257  {
258  /* Failed, dereference */
259  if (!Token) ObDereferenceObject(NewToken);
260  return Status;
261  }
262  }
263 
264  /* Check if this was an independent token */
265  if (!IsChildOrSibling)
266  {
267  /* Make sure we have the privilege to assign a new one */
269  PreviousMode))
270  {
271  /* Failed, dereference */
272  if (!Token) ObDereferenceObject(NewToken);
274  }
275  }
276 
277  /* Assign the token */
279  if (NT_SUCCESS(Status))
280  {
281  /*
282  * We need to completely reverify if the process still has access to
283  * itself under this new token.
284  */
287  &SdAllocated);
288  if (NT_SUCCESS(Status))
289  {
290  /* Setup the security context */
291  SubjectContext.ProcessAuditId = Process;
293  SubjectContext.ClientToken = NULL;
294 
295  /* Do the access check */
298  FALSE,
300  0,
301  NULL,
303  PreviousMode,
304  &Process->GrantedAccess,
305  &AccessStatus);
306 
307  /* Dereference the token and let go the SD */
309  SubjectContext.PrimaryToken);
311 
312  /* Remove access if it failed */
313  if (!Result) Process->GrantedAccess = 0;
314 
315  /* Setup granted access */
316  Process->GrantedAccess |= (PROCESS_VM_OPERATION |
327  }
328 
329  /*
330  * In case LUID device maps are enable, we may not be using
331  * system device map for this process, but a logon LUID based
332  * device map. Because we change primary token, this usage is
333  * no longer valid, so dereference the process device map
334  */
336  }
337 
338  /* Dereference the token */
339  if (!Token) ObDereferenceObject(NewToken);
340  return Status;
341 }
342 
343 /* FUNCTIONS *****************************************************************/
344 
345 /*
346  * @implemented
347  */
348 NTSTATUS
349 NTAPI
353 {
354  /* Call the newer API */
357  0,
358  TokenHandle);
359 }
360 
361 /*
362  * @implemented
363  */
364 NTSTATUS
365 NTAPI
370 {
372  HANDLE hToken;
375  PAGED_CODE();
377  "Process: %p DesiredAccess: %lx\n", ProcessHandle, DesiredAccess);
378 
379  /* Check if caller was user-mode */
380  if (PreviousMode != KernelMode)
381  {
382  /* Enter SEH for probing */
383  _SEH2_TRY
384  {
385  /* Probe the token handle */
387  }
389  {
390  /* Return the exception code */
392  }
393  _SEH2_END;
394  }
395 
396  /* Validate object attributes */
398 
399  /* Open the process token */
401  if (NT_SUCCESS(Status))
402  {
403  /* Reference it by handle and dereference the pointer */
406  NULL,
409  PreviousMode,
410  &hToken);
412 
413  /* Make sure we got a handle */
414  if (NT_SUCCESS(Status))
415  {
416  /* Enter SEH for write */
417  _SEH2_TRY
418  {
419  /* Return the handle */
420  *TokenHandle = hToken;
421  }
423  {
424  /* Get exception code */
426  }
427  _SEH2_END;
428  }
429  }
430 
431  /* Return status */
432  return Status;
433 }
434 
435 /*
436  * @implemented
437  */
439 NTAPI
441 {
443  PAGED_CODE();
444  PSTRACE(PS_SECURITY_DEBUG, "Process: %p\n", Process);
445 
446  /* Fast Reference the Token */
448 
449  /* Check if we got the Token or if we got locked */
450  if (!Token)
451  {
452  /* Lock the Process */
454 
455  /* Do a Locked Fast Reference */
457 
458  /* Unlock the Process */
460  }
461 
462  /* Return the Token */
463  return Token;
464 }
465 
466 /*
467  * @implemented
468  */
469 NTSTATUS
470 NTAPI
473 {
476  PAGED_CODE();
477  PSTRACE(PS_SECURITY_DEBUG, "Process: %p\n", ProcessHandle);
478 
479  /* Get the Token */
484  (PVOID*)&Process,
485  NULL);
486  if (NT_SUCCESS(Status))
487  {
488  /* Reference the token and dereference the process */
491  }
492 
493  /* Return */
494  return Status;
495 }
496 
497 /*
498  * @implemented
499  */
500 NTSTATUS
501 NTAPI
504 {
508  PAGED_CODE();
509  PSTRACE(PS_SECURITY_DEBUG, "Thread: %p Token: %p\n", Thread, TokenHandle);
510 
511  /* Check if we were given a handle */
512  if (!TokenHandle)
513  {
514  /* Undo impersonation */
516  return STATUS_SUCCESS;
517  }
518 
519  /* Get the token object */
524  (PVOID*)&Token,
525  NULL);
526  if (!NT_SUCCESS(Status)) return(Status);
527 
528  /* Make sure it's an impersonation token */
530  {
531  /* Fail */
533  return STATUS_BAD_TOKEN_TYPE;
534  }
535 
536  /* Get the impersonation level */
538 
539  /* Call the impersonation API */
541  Token,
542  FALSE,
543  FALSE,
545 
546  /* Dereference the token and return status */
548  return Status;
549 }
550 
551 /*
552  * @implemented
553  */
554 VOID
555 NTAPI
557 {
558  /* Call the per-thread API */
559  PAGED_CODE();
561 }
562 
563 /*
564  * @implemented
565  */
566 VOID
567 NTAPI
569 {
570  PTOKEN Token = NULL;
571  PAGED_CODE();
572  PSTRACE(PS_SECURITY_DEBUG, "Thread: %p\n", Thread);
573 
574  /* Make sure we had impersonation information */
576  {
577  /* Lock the thread security */
579 
580  /* Make sure it's still active */
582  {
583  /* Disable impersonation */
585 
586  /* Get the token */
588  }
589 
590  /* Release thread security */
592 
593  /* Check if we had a token */
594  if (Token)
595  {
596  /* Dereference the impersonation token */
598 
599  /* Write impersonation info to the TEB */
601  }
602  }
603 }
604 
605 /*
606  * @implemented
607  */
608 NTSTATUS
609 NTAPI
615 {
616  PPS_IMPERSONATION_INFORMATION Impersonation, OldData;
617  PTOKEN OldToken = NULL, ProcessToken = NULL;
618  PACCESS_TOKEN NewToken, ImpersonationToken;
619  PEJOB Job;
621 
622  PAGED_CODE();
623  PSTRACE(PS_SECURITY_DEBUG, "Thread: %p, Token: %p\n", Thread, Token);
624 
625  /* Check if we don't have a token */
626  if (!Token)
627  {
628  /* Make sure we're impersonating */
630  {
631  /* We seem to be, lock the thread */
633 
634  /* Make sure we're still impersonating */
636  {
637  /* Disable impersonation */
640 
641  /* Get the token */
642  OldToken = Thread->ImpersonationInfo->Token;
643  }
644 
645  /* Unlock the process and write TEB information */
648  }
649  }
650  else
651  {
652  /* Check if we have impersonation info */
653  Impersonation = Thread->ImpersonationInfo;
654  if (!Impersonation)
655  {
656  /* We need to allocate a new one */
657  Impersonation = ExAllocatePoolWithTag(PagedPool,
658  sizeof(*Impersonation),
660  if (!Impersonation) return STATUS_INSUFFICIENT_RESOURCES;
661 
662  /* Update the pointer */
664  ImpersonationInfo,
665  Impersonation,
666  NULL);
667  if (OldData)
668  {
669  /* Someone beat us to it, free our copy */
670  ExFreePoolWithTag(Impersonation, TAG_PS_IMPERSONATION);
671  Impersonation = OldData;
672  }
673  }
674 
675  /*
676  * Assign the token we get from the caller first. The reason
677  * we have to do that is because we're unsure if we can impersonate
678  * in the first place. In the scenario where we cannot then the
679  * last resort is to make a copy of the token and assign that newly
680  * token to the impersonation information.
681  */
682  ImpersonationToken = Token;
683 
684  /* Obtain a token from the process */
685  ProcessToken = PsReferencePrimaryToken(Thread->ThreadsProcess);
686  if (!ProcessToken)
687  {
688  /* We can't continue this way without having the process' token... */
689  return STATUS_UNSUCCESSFUL;
690  }
691 
692  /* Make sure we can impersonate */
693  if (!SeTokenCanImpersonate(ProcessToken,
694  Token,
696  {
697  /* We can't, make a copy of the token instead */
700  KernelMode,
701  &NewToken);
702  if (!NT_SUCCESS(Status))
703  {
704  /* We can't even make a copy of the token? Then bail out... */
705  ObFastDereferenceObject(&Thread->ThreadsProcess->Token, ProcessToken);
706  return Status;
707  }
708 
709  /* Since we cannot impersonate, assign the newly copied token */
710  ImpersonationToken = NewToken;
711  }
712 
713  /* We no longer need the process' token */
714  ObFastDereferenceObject(&Thread->ThreadsProcess->Token, ProcessToken);
715 
716  /* Check if this is a job */
717  Job = Thread->ThreadsProcess->Job;
718  if (Job != NULL)
719  {
720  /* No admin allowed in this job */
722  SeTokenIsAdmin(ImpersonationToken))
723  {
724  return STATUS_ACCESS_DENIED;
725  }
726 
727  /* No restricted tokens allowed in this job */
729  SeTokenIsRestricted(ImpersonationToken))
730  {
731  return STATUS_ACCESS_DENIED;
732  }
733 
734  /* We don't support job filters yet */
735  if (Job->Filter != NULL)
736  {
737  ASSERT(Job->Filter == NULL);
738  }
739  }
740 
741  /* Lock thread security */
743 
744  /* Check if we're impersonating */
746  {
747  /* Get the token */
748  OldToken = Impersonation->Token;
749  }
750  else
751  {
752  /* Otherwise, enable impersonation */
754  }
755 
756  /* Now fill it out */
757  Impersonation->ImpersonationLevel = ImpersonationLevel;
758  Impersonation->CopyOnOpen = CopyOnOpen;
759  Impersonation->EffectiveOnly = EffectiveOnly;
760  Impersonation->Token = ImpersonationToken;
761  ObReferenceObject(ImpersonationToken);
762 
763  /* Unlock the thread */
765 
766  /* Write impersonation info to the TEB */
768  }
769 
770  /* Dereference the token and return success */
771  if (OldToken) PsDereferenceImpersonationToken(OldToken);
772  return STATUS_SUCCESS;
773 }
774 
775 /*
776  * @implemented
777  */
779 NTAPI
784 {
787 
788  PAGED_CODE();
789 
791  "Thread: %p, TokenType: %p\n", Thread, TokenType);
792 
793  /* Check if we don't have impersonation info */
794  Process = Thread->ThreadsProcess;
796  {
797  /* Lock the Process */
799 
800  /* Make sure impersonation is still active */
802  {
803  /* Get the token */
806 
807  /* Return data to caller */
811 
812  /* Unlock the Process */
814  return Token;
815  }
816 
817  /* Unlock the Process */
819  }
820 
821  /* Fast Reference the Token */
823 
824  /* Check if we got the Token or if we got locked */
825  if (!Token)
826  {
827  /* Lock the Process */
829 
830  /* Do a Locked Fast Reference */
832 
833  /* Unlock the Process */
835  }
836 
837  /* Return the token */
839  *EffectiveOnly = FALSE;
840  // NOTE: ImpersonationLevel is left untouched on purpose!
841  return Token;
842 }
843 
844 /*
845  * @implemented
846  */
848 NTAPI
853 {
854  PTOKEN Token = NULL;
855  PAGED_CODE();
856  PSTRACE(PS_SECURITY_DEBUG, "Thread: %p\n", Thread);
857 
858  /* If we don't have impersonation info, just quit */
859  if (!Thread->ActiveImpersonationInfo) return NULL;
860 
861  /* Lock the thread */
863 
864  /* Make sure we still have active impersonation */
866  {
867  /* Return data from caller */
872 
873  /* Set the token */
875  }
876 
877  /* Unlock thread and return impersonation token */
879  return Token;
880 }
881 
882 #undef PsDereferenceImpersonationToken
883 /*
884  * @implemented
885  */
886 VOID
887 NTAPI
889 {
890  PAGED_CODE();
891 
892  /* If we got a token, dereference it */
893  if (ImpersonationToken) ObDereferenceObject(ImpersonationToken);
894 }
895 
896 #undef PsDereferencePrimaryToken
897 /*
898  * @implemented
899  */
900 VOID
901 NTAPI
903 {
904  PAGED_CODE();
905 
906  /* Dereference the token*/
907  ObDereferenceObject(PrimaryToken);
908 }
909 
910 /*
911  * @implemented
912  */
913 BOOLEAN
914 NTAPI
917 {
918  PPS_IMPERSONATION_INFORMATION Impersonation = NULL;
919  LONG OldFlags;
920  PAGED_CODE();
922  "Thread: %p State: %p\n", Thread, ImpersonationState);
923 
924  /* Check if we don't have impersonation */
926  {
927  /* Lock thread security */
929 
930  /* Disable impersonation */
933 
934  /* Make sure nobody disabled it behind our back */
936  {
937  /* Copy the old state */
938  Impersonation = Thread->ImpersonationInfo;
939  ImpersonationState->Token = Impersonation->Token;
940  ImpersonationState->CopyOnOpen = Impersonation->CopyOnOpen;
942  ImpersonationState->Level = Impersonation->ImpersonationLevel;
943  }
944 
945  /* Unlock thread security */
947 
948  /* If we had impersonation info, return true */
949  if (Impersonation) return TRUE;
950  }
951 
952  /* Clear everything */
957  return FALSE;
958 }
959 
960 /*
961  * @implemented
962  */
963 VOID
964 NTAPI
967 {
968  PTOKEN Token = NULL;
969  PPS_IMPERSONATION_INFORMATION Impersonation;
970  PAGED_CODE();
972  "Thread: %p State: %p\n", Thread, ImpersonationState);
973 
974  /* Lock thread security */
976 
977  /* Get the impersonation info */
978  Impersonation = Thread->ImpersonationInfo;
979 
980  /* Check if we're impersonating */
982  {
983  /* Get the token */
984  Token = Impersonation->Token;
985  }
986 
987  /* Check if we have an impersonation state */
988  if (ImpersonationState)
989  {
990  /* Fill out the impersonation info */
991  Impersonation->ImpersonationLevel = ImpersonationState->Level;
992  Impersonation->CopyOnOpen = ImpersonationState->CopyOnOpen;
994  Impersonation->Token = ImpersonationState->Token;
995 
996  /* Enable impersonation */
998  }
999  else
1000  {
1001  /* Disable impersonation */
1003  }
1004 
1005  /* Unlock the thread */
1007 
1008  /* Dereference the token */
1010 }
1011 
1012 NTSTATUS
1013 NTAPI
1015  IN HANDLE ThreadToImpersonateHandle,
1016  IN PSECURITY_QUALITY_OF_SERVICE SecurityQualityOfService)
1017 {
1018  SECURITY_QUALITY_OF_SERVICE SafeServiceQoS;
1020  PETHREAD Thread;
1021  PETHREAD ThreadToImpersonate;
1023  NTSTATUS Status;
1024  PAGED_CODE();
1026  "Threads: %p %p\n", ThreadHandle, ThreadToImpersonateHandle);
1027 
1028  /* Check if call came from user mode */
1029  if (PreviousMode != KernelMode)
1030  {
1031  /* Enter SEH for probing */
1032  _SEH2_TRY
1033  {
1034  /* Probe QoS */
1035  ProbeForRead(SecurityQualityOfService,
1037  sizeof(ULONG));
1038 
1039  /* Capture it */
1040  SafeServiceQoS = *SecurityQualityOfService;
1041  SecurityQualityOfService = &SafeServiceQoS;
1042  }
1044  {
1045  /* Return the exception code */
1047  }
1048  _SEH2_END;
1049  }
1050 
1051  /* Reference the thread */
1052  Status = ObReferenceObjectByHandle(ThreadHandle,
1054  PsThreadType,
1055  PreviousMode,
1056  (PVOID*)&Thread,
1057  NULL);
1058  if (NT_SUCCESS(Status))
1059  {
1060  /* Reference the impersonating thead */
1061  Status = ObReferenceObjectByHandle(ThreadToImpersonateHandle,
1063  PsThreadType,
1064  PreviousMode,
1065  (PVOID*)&ThreadToImpersonate,
1066  NULL);
1067  if (NT_SUCCESS(Status))
1068  {
1069  /* Create a client security context */
1070  Status = SeCreateClientSecurity(ThreadToImpersonate,
1071  SecurityQualityOfService,
1072  0,
1073  &ClientContext);
1074  if (NT_SUCCESS(Status))
1075  {
1076  /* Do the impersonation */
1078  if (ClientContext.ClientToken)
1079  {
1080  /* Dereference the client token if we had one */
1081  ObDereferenceObject(ClientContext.ClientToken);
1082  }
1083  }
1084 
1085  /* Dereference the thread to impersonate */
1086  ObDereferenceObject(ThreadToImpersonate);
1087  }
1088 
1089  /* Dereference the main thread */
1091  }
1092 
1093  /* Return status */
1094  return Status;
1095 }
1096 /* EOF */
NTSTATUS NTAPI NtImpersonateThread(IN HANDLE ThreadHandle, IN HANDLE ThreadToImpersonateHandle, IN PSECURITY_QUALITY_OF_SERVICE SecurityQualityOfService)
Definition: security.c:1014
enum _SECURITY_IMPERSONATION_LEVEL * PSECURITY_IMPERSONATION_LEVEL
#define MAXIMUM_ALLOWED
Definition: nt_native.h:83
BOOLEAN NTAPI SeAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor, IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext, IN BOOLEAN SubjectContextLocked, IN ACCESS_MASK DesiredAccess, IN ACCESS_MASK PreviouslyGrantedAccess, OUT PPRIVILEGE_SET *Privileges, IN PGENERIC_MAPPING GenericMapping, IN KPROCESSOR_MODE AccessMode, OUT PACCESS_MASK GrantedAccess, OUT PNTSTATUS AccessStatus)
Definition: accesschk.c:340
NTSTATUS NTAPI PsImpersonateClient(IN PETHREAD Thread, IN PACCESS_TOKEN Token, IN BOOLEAN CopyOnOpen, IN BOOLEAN EffectiveOnly, IN SECURITY_IMPERSONATION_LEVEL ImpersonationLevel)
Definition: security.c:610
_In_ HANDLE _In_opt_ HANDLE _Out_opt_ PHANDLE _In_ ACCESS_MASK _In_ ULONG HandleAttributes
Definition: obfuncs.h:429
NTSTATUS NTAPI SeCopyClientToken(IN PACCESS_TOKEN Token, IN SECURITY_IMPERSONATION_LEVEL Level, IN KPROCESSOR_MODE PreviousMode, OUT PACCESS_TOKEN *NewToken)
Definition: token.c:1136
#define IN
Definition: typedefs.h:39
#define STATUS_PRIVILEGE_NOT_HELD
Definition: DriverTester.h:9
_Inout_ PLIST_ENTRY _In_ PVOID _In_ PSTRING _In_ BOOLEAN _In_ BOOLEAN _In_ ULONG _In_ PFLT_CALLBACK_DATA _In_opt_ PCHECK_FOR_TRAVERSE_ACCESS _In_opt_ PSECURITY_SUBJECT_CONTEXT SubjectContext
Definition: fltkernel.h:2238
_Must_inspect_result_ _In_ WDFDEVICE _In_ ULONG _In_ ACCESS_MASK DesiredAccess
Definition: wdfdevice.h:2654
NTSTATUS NTAPI PspSetPrimaryToken(IN PEPROCESS Process, IN HANDLE TokenHandle OPTIONAL, IN PACCESS_TOKEN Token OPTIONAL)
Definition: security.c:215
KAPC_STATE
Definition: ketypes.h:1280
#define STATUS_INSUFFICIENT_RESOURCES
Definition: udferr_usr.h:158
NTSTATUS NTAPI SeIsTokenSibling(IN PTOKEN Token, OUT PBOOLEAN IsSibling)
Definition: token.c:1097
SECURITY_IMPERSONATION_LEVEL ImpersonationLevel
Definition: pstypes.h:1072
FORCEINLINE VOID PspUnlockThreadSecurityExclusive(IN PETHREAD Thread)
Definition: ps_x.h:188
_Inout_ PSE_IMPERSONATION_STATE ImpersonationState
Definition: psfuncs.h:189
FORCEINLINE VOID PspLockThreadSecurityShared(IN PETHREAD Thread)
Definition: ps_x.h:155
NTSTATUS NTAPI NtOpenProcessTokenEx(IN HANDLE ProcessHandle, IN ACCESS_MASK DesiredAccess, IN ULONG HandleAttributes, OUT PHANDLE TokenHandle)
Definition: security.c:366
#define PsGetCurrentThread()
Definition: env_spec_w32.h:81
#define PspClearCrossThreadFlag(Thread, Flag)
Definition: ps_x.h:27
#define PROCESS_QUERY_INFORMATION
Definition: pstypes.h:166
#define THREAD_IMPERSONATE
Definition: pstypes.h:151
FORCEINLINE VOID PspLockProcessSecurityExclusive(IN PEPROCESS Process)
Definition: ps_x.h:133
PTOKEN PspBootAccessToken
Definition: security.c:17
_In_ PSECURITY_SUBJECT_CONTEXT _In_ BOOLEAN _In_ ACCESS_MASK _In_ ACCESS_MASK _Outptr_opt_ PPRIVILEGE_SET _In_ PGENERIC_MAPPING _In_ KPROCESSOR_MODE _Out_ PACCESS_MASK _Out_ PNTSTATUS AccessStatus
Definition: sefuncs.h:13
NTKERNELAPI VOID FASTCALL ExReleaseRundownProtection(_Inout_ PEX_RUNDOWN_REF RunRef)
#define TRUE
Definition: types.h:120
_In_ USHORT _In_ ULONG _In_ PSOCKADDR _In_ PSOCKADDR _Reserved_ ULONG _In_opt_ PVOID _In_opt_ const WSK_CLIENT_CONNECTION_DISPATCH _In_opt_ PEPROCESS _In_opt_ PETHREAD _In_opt_ PSECURITY_DESCRIPTOR SecurityDescriptor
Definition: wsk.h:182
NTSTATUS NTAPI SeIsTokenChild(IN PTOKEN Token, OUT PBOOLEAN IsChild)
Definition: token.c:1064
VOID NTAPI PsRevertThreadToSelf(IN PETHREAD Thread)
Definition: security.c:568
enum _TOKEN_TYPE * PTOKEN_TYPE
NTSTATUS NTAPI PspInitializeProcessSecurity(IN PEPROCESS Process, IN PEPROCESS Parent OPTIONAL)
Definition: security.c:71
VOID NTAPI SeDeassignPrimaryToken(struct _EPROCESS *Process)
#define JOB_OBJECT_SECURITY_RESTRICTED_TOKEN
Definition: pstypes.h:231
#define KeGetPreviousMode()
Definition: ketypes.h:1107
LONG NTSTATUS
Definition: precomp.h:26
ULONG ImpersonationLocale
Definition: winternl.h:432
EX_RUNDOWN_REF RundownProtect
Definition: pstypes.h:1159
_IRQL_requires_same_ _In_ PLSA_STRING _In_ SECURITY_LOGON_TYPE _In_ ULONG _In_ ULONG _In_opt_ PTOKEN_GROUPS _In_ PTOKEN_SOURCE _Out_ PVOID _Out_ PULONG _Inout_ PLUID _Out_ PHANDLE Token
KTHREAD Tcb
Definition: pstypes.h:1103
#define ExAcquireRundownProtection
Definition: ex.h:133
PVOID FASTCALL ObFastReferenceObject(IN PEX_FAST_REF FastRef)
Definition: obref.c:132
_Out_ PBOOLEAN CopyOnOpen
Definition: psfuncs.h:154
#define TOKEN_ASSIGN_PRIMARY
Definition: setypes.h:875
BOOLEAN NTAPI SeSinglePrivilegeCheck(IN LUID PrivilegeValue, IN KPROCESSOR_MODE PreviousMode)
Definition: priv.c:520
KPROCESSOR_MODE NTAPI ExGetPreviousMode(VOID)
Definition: sysinfo.c:3070
const LUID SeAssignPrimaryTokenPrivilege
Definition: priv.c:20
#define TOKEN_IMPERSONATE
Definition: setypes.h:877
NTSTATUS NTAPI NtOpenProcessToken(IN HANDLE ProcessHandle, IN ACCESS_MASK DesiredAccess, OUT PHANDLE TokenHandle)
Definition: security.c:350
ACPI_PHYSICAL_ADDRESS ACPI_SIZE BOOLEAN Warn BOOLEAN Physical UINT32 ACPI_TABLE_HEADER *OutTableHeader ACPI_TABLE_HEADER **OutTable ACPI_HANDLE UINT32 ACPI_WALK_CALLBACK ACPI_WALK_CALLBACK void void **ReturnValue UINT32 ACPI_BUFFER *RetPathPtr ACPI_OBJECT_HANDLER void *Data ACPI_OBJECT_HANDLER void **Data ACPI_STRING ACPI_OBJECT_LIST ACPI_BUFFER *ReturnObjectBuffer ACPI_DEVICE_INFO **ReturnBuffer ACPI_HANDLE Parent
Definition: acpixf.h:728
NTSTATUS NTAPI SeExchangePrimaryToken(_In_ PEPROCESS Process, _In_ PACCESS_TOKEN NewAccessToken, _Out_ PACCESS_TOKEN *OldAccessToken)
Definition: token.c:577
if(dx==0 &&dy==0)
Definition: linetemp.h:174
NTSTATUS NTAPI ObOpenObjectByPointer(IN PVOID Object, IN ULONG HandleAttributes, IN PACCESS_STATE PassedAccessState, IN ACCESS_MASK DesiredAccess, IN POBJECT_TYPE ObjectType, IN KPROCESSOR_MODE AccessMode, OUT PHANDLE Handle)
Definition: obhandle.c:2738
#define JOB_OBJECT_SECURITY_NO_ADMIN
Definition: pstypes.h:230
BOOLEAN NTAPI SeTokenIsRestricted(IN PACCESS_TOKEN Token)
Definition: token.c:2242
#define PROCESS_CREATE_THREAD
Definition: pstypes.h:158
_SEH2_TRY
Definition: create.c:4226
NTSTATUS NTAPI ObReferenceObjectByHandle(IN HANDLE Handle, IN ACCESS_MASK DesiredAccess, IN POBJECT_TYPE ObjectType, IN KPROCESSOR_MODE AccessMode, OUT PVOID *Object, OUT POBJECT_HANDLE_INFORMATION HandleInformation OPTIONAL)
Definition: obref.c:494
static BOOL Attached
Definition: vidbios.c:3905
NTSTATUS(* NTAPI)(IN PFILE_FULL_EA_INFORMATION EaBuffer, IN ULONG EaLength, OUT PULONG ErrorOffset)
Definition: IoEaTest.cpp:117
#define FALSE
Definition: types.h:117
PPS_IMPERSONATION_INFORMATION ImpersonationInfo
Definition: pstypes.h:1143
VOID NTAPI KeStackAttachProcess(IN PKPROCESS Process, OUT PRKAPC_STATE ApcState)
Definition: procobj.c:704
long LONG
Definition: pedump.c:60
KAPC_STATE ApcState
Definition: ketypes.h:1710
enum _SECURITY_IMPERSONATION_LEVEL SECURITY_IMPERSONATION_LEVEL
#define PROCESS_DUP_HANDLE
NTSTATUS NTAPI PsOpenTokenOfProcess(IN HANDLE ProcessHandle, OUT PACCESS_TOKEN *Token)
Definition: security.c:471
#define InterlockedCompareExchangePointer
Definition: interlocked.h:129
FORCEINLINE VOID PspUnlockProcessSecurityShared(IN PEPROCESS Process)
Definition: ps_x.h:122
VOID NTAPI ObReleaseObjectSecurity(IN PSECURITY_DESCRIPTOR SecurityDescriptor, IN BOOLEAN MemoryAllocated)
Definition: obsecure.c:709
VOID NTAPI PsRestoreImpersonation(IN PETHREAD Thread, IN PSE_IMPERSONATION_STATE ImpersonationState)
Definition: security.c:965
unsigned char BOOLEAN
#define STATUS_BAD_TOKEN_TYPE
Definition: ntstatus.h:404
POBJECT_TYPE SeTokenObjectType
Definition: token.c:19
_At_(*)(_In_ PWSK_CLIENT Client, _In_opt_ PUNICODE_STRING NodeName, _In_opt_ PUNICODE_STRING ServiceName, _In_opt_ ULONG NameSpace, _In_opt_ GUID *Provider, _In_opt_ PADDRINFOEXW Hints, _Outptr_ PADDRINFOEXW *Result, _In_opt_ PEPROCESS OwningProcess, _In_opt_ PETHREAD OwningThread, _Inout_ PIRP Irp Result)(Mem)) NTSTATUS(WSKAPI *PFN_WSK_GET_ADDRESS_INFO
Definition: wsk.h:426
_In_ ACCESS_MASK _In_ ULONG _Out_ PHANDLE TokenHandle
Definition: psfuncs.h:715
NTKERNELAPI NTSTATUS NTAPI SeCreateClientSecurity(IN PETHREAD Thread, IN PSECURITY_QUALITY_OF_SERVICE QualityOfService, IN BOOLEAN RemoteClient, OUT PSECURITY_CLIENT_CONTEXT ClientContext)
Definition: access.c:506
static BOOLEAN
Definition: security.c:109
SECURITY_IMPERSONATION_LEVEL NTAPI SeTokenImpersonationLevel(IN PACCESS_TOKEN Token)
Definition: token.c:2203
#define PROCESS_SET_QUOTA
Definition: pstypes.h:164
NTSTATUS NTAPI ObGetObjectSecurity(IN PVOID Object, OUT PSECURITY_DESCRIPTOR *SecurityDescriptor, OUT PBOOLEAN MemoryAllocated)
Definition: obsecure.c:611
BOOLEAN NTAPI PsDisableImpersonation(IN PETHREAD Thread, OUT PSE_IMPERSONATION_STATE ImpersonationState)
Definition: security.c:915
NTKERNELAPI TOKEN_TYPE NTAPI SeTokenType(IN PACCESS_TOKEN Token)
Definition: token.c:2215
Status
Definition: gdiplustypes.h:24
_In_ KPROCESSOR_MODE PreviousMode
Definition: sefuncs.h:103
#define PROCESS_VM_WRITE
Definition: pstypes.h:162
#define ASSERT(a)
Definition: mode.c:44
#define NT_SUCCESS(StatCode)
Definition: apphelp.c:32
#define EXCEPTION_EXECUTE_HANDLER
Definition: excpt.h:85
_In_ PVOID ClientContext
Definition: netioddk.h:55
_Out_ PBOOLEAN _Out_ PBOOLEAN _Out_ PSECURITY_IMPERSONATION_LEVEL ImpersonationLevel
Definition: psfuncs.h:154
#define ObDereferenceObject
Definition: obfuncs.h:203
#define ProbeForWriteHandle(Ptr)
Definition: probe.h:43
_In_opt_ PFILE_OBJECT _In_opt_ PETHREAD Thread
Definition: fltkernel.h:2652
#define STATUS_ACCESS_DENIED
Definition: udferr_usr.h:145
VOID FASTCALL ObInitializeFastReference(IN PEX_FAST_REF FastRef, IN PVOID Object)
Definition: obref.c:107
#define PS_SECURITY_DEBUG
Definition: ps.h:19
#define PROCESS_CREATE_PROCESS
Definition: pstypes.h:163
CCHAR KPROCESSOR_MODE
Definition: ketypes.h:7
ULONG ActiveImpersonationInfo
Definition: pstypes.h:1181
#define STATUS_UNSUCCESSFUL
Definition: udferr_usr.h:132
#define ExAllocatePoolWithTag(hernya, size, tag)
Definition: env_spec_w32.h:350
NTSTATUS NTAPI PspAssignPrimaryToken(IN PEPROCESS Process, IN HANDLE Token, IN PACCESS_TOKEN AccessToken OPTIONAL)
Definition: security.c:178
char * PBOOLEAN
Definition: retypes.h:11
POBJECT_TYPE PsThreadType
Definition: thread.c:20
VOID NTAPI ProbeForRead(IN CONST VOID *Address, IN SIZE_T Length, IN ULONG Alignment)
Definition: exintrin.c:102
#define PspSetCrossThreadFlag(Thread, Flag)
Definition: ps_x.h:25
PVOID *typedef PHANDLE
Definition: ntsecpkg.h:454
PPS_JOB_TOKEN_FILTER Filter
Definition: pstypes.h:1502
NTSTATUS NTAPI PsAssignImpersonationToken(IN PETHREAD Thread, IN HANDLE TokenHandle)
Definition: security.c:502
ULONG SecurityLimitFlags
Definition: pstypes.h:1500
ULONG IsImpersonating
Definition: winternl.h:433
FORCEINLINE VOID PspUnlockThreadSecurityShared(IN PETHREAD Thread)
Definition: ps_x.h:166
PACCESS_TOKEN NTAPI PsReferencePrimaryToken(PEPROCESS Process)
Definition: security.c:440
OBJECT_TYPE_INITIALIZER TypeInfo
Definition: obtypes.h:390
VOID NTAPI ObDereferenceDeviceMap(IN PEPROCESS Process)
Definition: devicemap.c:456
PACCESS_TOKEN NTAPI PsReferenceImpersonationToken(IN PETHREAD Thread, OUT PBOOLEAN CopyOnOpen, OUT PBOOLEAN EffectiveOnly, OUT PSECURITY_IMPERSONATION_LEVEL ImpersonationLevel)
Definition: security.c:849
FORCEINLINE ULONG ObpValidateAttributes(IN ULONG Attributes, IN KPROCESSOR_MODE PreviousMode)
Definition: ob_x.h:22
NTSTATUS NTAPI SeSubProcessToken(IN PTOKEN Parent, OUT PTOKEN *Token, IN BOOLEAN InUse, IN ULONG SessionId)
Definition: token.c:1020
SHORT OldFlags
Definition: fxioqueue.cpp:1325
Definition: compat.h:694
_SEH2_END
Definition: create.c:4400
NTKERNELAPI VOID NTAPI SeImpersonateClient(IN PSECURITY_CLIENT_CONTEXT ClientContext, IN PETHREAD ServerThread OPTIONAL)
Definition: access.c:623
GENERIC_MAPPING GenericMapping
Definition: obtypes.h:358
#define STANDARD_RIGHTS_ALL
Definition: nt_native.h:69
#define PROCESS_TERMINATE
Definition: pstypes.h:157
VOID NTAPI KeUnstackDetachProcess(IN PRKAPC_STATE ApcState)
Definition: procobj.c:756
BOOLEAN NTAPI SeTokenCanImpersonate(_In_ PTOKEN ProcessToken, _In_ PTOKEN TokenToImpersonate, _In_ SECURITY_IMPERSONATION_LEVEL ImpersonationLevel)
Ensures that client impersonation can occur by checking if the token we're going to assign as the imp...
Definition: token.c:2286
_Out_ PKAPC_STATE ApcState
Definition: mm.h:1679
BOOLEAN NTAPI SeTokenIsAdmin(IN PACCESS_TOKEN Token)
Definition: token.c:2228
#define NULL
Definition: types.h:112
PVOID Teb
Definition: ketypes.h:1739
VOID NTAPI PsDereferencePrimaryToken(IN PACCESS_TOKEN PrimaryToken)
Definition: security.c:902
VOID NTAPI PspDeleteProcessSecurity(IN PEPROCESS Process)
Definition: security.c:30
FORCEINLINE VOID PspLockProcessSecurityShared(IN PEPROCESS Process)
Definition: ps_x.h:111
#define PROCESS_VM_READ
Definition: pstypes.h:161
#define CT_ACTIVE_IMPERSONATION_INFO_BIT
Definition: pstypes.h:241
VOID FASTCALL ObFastDereferenceObject(IN PEX_FAST_REF FastRef, IN PVOID Object)
Definition: obref.c:167
_Must_inspect_result_ _In_ PLARGE_INTEGER _In_ PLARGE_INTEGER _In_ ULONG _In_ PFILE_OBJECT _In_ PVOID Process
Definition: fsrtlfuncs.h:219
#define OUT
Definition: typedefs.h:40
#define ObReferenceObject
Definition: obfuncs.h:204
unsigned int ULONG
Definition: retypes.h:1
VOID NTAPI SeAssignPrimaryToken(IN PEPROCESS Process, IN PTOKEN Token)
Definition: token.c:1212
PVOID FASTCALL ObFastReferenceObjectLocked(IN PEX_FAST_REF FastRef)
Definition: obref.c:119
ULONG NTAPI MmGetSessionId(IN PEPROCESS Process)
Definition: session.c:179
#define PROCESS_VM_OPERATION
Definition: pstypes.h:160
FORCEINLINE VOID PspUnlockProcessSecurityExclusive(IN PEPROCESS Process)
Definition: ps_x.h:144
#define PROCESS_SET_INFORMATION
Definition: pstypes.h:165
#define THREAD_DIRECT_IMPERSONATION
Definition: pstypes.h:152
#define PSTRACE(x, fmt,...)
Definition: ps.h:57
#define _SEH2_EXCEPT(...)
Definition: pseh2_64.h:40
#define STATUS_SUCCESS
Definition: shellext.h:65
FORCEINLINE VOID PspLockThreadSecurityExclusive(IN PETHREAD Thread)
Definition: ps_x.h:177
#define ExFreePoolWithTag(_P, _T)
Definition: module.h:1099
#define _SEH2_GetExceptionCode()
Definition: pseh2_64.h:165
#define _SEH2_YIELD(__stmt)
Definition: pseh2_64.h:168
PACCESS_TOKEN NTAPI PsReferenceEffectiveToken(IN PETHREAD Thread, OUT IN PTOKEN_TYPE TokenType, OUT PBOOLEAN EffectiveOnly, OUT PSECURITY_IMPERSONATION_LEVEL ImpersonationLevel)
Definition: security.c:780
_In_ ACCESS_MASK _In_opt_ POBJECT_ATTRIBUTES _In_ BOOLEAN EffectiveOnly
Definition: sefuncs.h:417
#define TAG_PS_IMPERSONATION
Definition: tag.h:157
_In_ HANDLE ProcessHandle
Definition: mmfuncs.h:403
NTSTATUS NTAPI PspWriteTebImpersonationInfo(IN PETHREAD Thread, IN PETHREAD CurrentThread)
Definition: security.c:114
ULONG NTAPI ObIsLUIDDeviceMapsEnabled(VOID)
Definition: devicemap.c:662
PACCESS_TOKEN Token
Definition: setypes.h:116
POBJECT_TYPE PsProcessType
Definition: process.c:20
VOID NTAPI PspDeleteThreadSecurity(IN PETHREAD Thread)
Definition: security.c:46
ULONG ACCESS_MASK
Definition: nt_native.h:40
VOID NTAPI PsRevertToSelf(VOID)
Definition: security.c:556
SECURITY_IMPERSONATION_LEVEL Level
Definition: setypes.h:119
#define ExFreePool(addr)
Definition: env_spec_w32.h:352
_In_ ACCESS_MASK _In_opt_ POBJECT_ATTRIBUTES _In_ BOOLEAN _In_ TOKEN_TYPE TokenType
Definition: sefuncs.h:417
#define PAGED_CODE()
PULONG MinorVersion OPTIONAL
Definition: CrossNt.h:68
VOID NTAPI PsDereferenceImpersonationToken(IN PACCESS_TOKEN ImpersonationToken)
Definition: security.c:888