ReactOS  0.4.13-dev-101-g0ca4b50
security.c
Go to the documentation of this file.
1 /*
2  * PROJECT: ReactOS Kernel
3  * LICENSE: GPL - See COPYING in the top level directory
4  * FILE: ntoskrnl/ps/security.c
5  * PURPOSE: Process Manager: Process/Thread Security
6  * PROGRAMMERS: Alex Ionescu (alex.ionescu@reactos.org)
7  * Eric Kohl
8  * Thomas Weidenmueller (w3seek@reactos.org)
9  */
10 
11 /* INCLUDES ******************************************************************/
12 
13 #include <ntoskrnl.h>
14 #define NDEBUG
15 #include <debug.h>
16 
17 PTOKEN PspBootAccessToken;
18 
19 VOID
20 NTAPI
21 SeAssignPrimaryToken(
22  IN PEPROCESS Process,
23  IN PTOKEN Token
24 );
25 
26 /* PRIVATE FUNCTIONS *********************************************************/
27 
28 VOID
29 NTAPI
30 PspDeleteProcessSecurity(IN PEPROCESS Process)
31 {
32  PAGED_CODE();
33  PSTRACE(PS_SECURITY_DEBUG, "Process: %p\n", Process);
34 
35  /* Check if we have a token */
36  if (Process->Token.Object)
37  {
38  /* Deassign it */
39  SeDeassignPrimaryToken(Process);
40  Process->Token.Object = NULL;
41  }
42 }
43 
44 VOID
45 NTAPI
46 PspDeleteThreadSecurity(IN PETHREAD Thread)
47 {
48  PPS_IMPERSONATION_INFORMATION ImpersonationInfo = Thread->ImpersonationInfo;
49  PAGED_CODE();
50  PSTRACE(PS_SECURITY_DEBUG, "Thread: %p\n", Thread);
51 
52  /* Check if we have active impersonation info */
53  if (Thread->ActiveImpersonationInfo)
54  {
55  /* Dereference its token */
56  ObDereferenceObject(ImpersonationInfo->Token);
57  }
58 
59  /* Check if we have impersonation info */
60  if (ImpersonationInfo)
61  {
62  /* Free it */
63  ExFreePool(ImpersonationInfo);
64  PspClearCrossThreadFlag(Thread, CT_ACTIVE_IMPERSONATION_INFO_BIT);
65  Thread->ImpersonationInfo = NULL;
66  }
67 }
68 
69 NTSTATUS
70 NTAPI
71 PspInitializeProcessSecurity(IN PEPROCESS Process,
72  IN PEPROCESS Parent OPTIONAL)
73 {
74  NTSTATUS Status = STATUS_SUCCESS;
75  PTOKEN NewToken, ParentToken;
76  PAGED_CODE();
77  PSTRACE(PS_SECURITY_DEBUG, "Process: %p\n", Process);
78 
79  /* If we have a parent, then duplicate the Token */
80  if (Parent)
81  {
82  /* Get the Parent Token */
83  ParentToken = PsReferencePrimaryToken(Parent);
84 
85  /* Duplicate it */
86  Status = SeSubProcessToken(ParentToken,
87  &NewToken,
88  TRUE,
89  MmGetSessionId(Process));
90 
91  /* Dereference the Parent */
92  ObFastDereferenceObject(&Parent->Token, ParentToken);
93 
94  /* Set the new Token */
95  if (NT_SUCCESS(Status))
96  {
97  /* Initailize the fast reference */
98  ObInitializeFastReference(&Process->Token, NewToken);
99  }
100  }
101  else
102  {
103  /* No parent, assign the Boot Token */
104  ObInitializeFastReference(&Process->Token, NULL);
105  SeAssignPrimaryToken(Process, PspBootAccessToken);
106  }
107 
108  /* Return to caller */
109  return Status;
110 }
111 
112 NTSTATUS
113 NTAPI
114 PspWriteTebImpersonationInfo(IN PETHREAD Thread,
115  IN PETHREAD CurrentThread)
116 {
117  PEPROCESS Process;
118  PTEB Teb;
119  BOOLEAN Attached = FALSE;
120  BOOLEAN IsImpersonating;
121  KAPC_STATE ApcState;
122  PAGED_CODE();
123  PSTRACE(PS_SECURITY_DEBUG, "Thread: %p\n", Thread);
124 
125  /* Sanity check */
126  ASSERT(CurrentThread == PsGetCurrentThread());
127 
128  /* Get process and TEB */
129  Process = Thread->ThreadsProcess;
130  Teb = Thread->Tcb.Teb;
131  if (Teb)
132  {
133  /* Check if we're not in the right process */
134  if (Thread->Tcb.ApcState.Process != &Process->Pcb)
135  {
136  /* Attach to the process */
137  KeStackAttachProcess(&Process->Pcb, &ApcState);
138  Attached = TRUE;
139  }
140 
141  /* Check if we're in a different thread or acquire rundown */
142  if ((Thread == CurrentThread) ||
143  (ExAcquireRundownProtection(&Thread->RundownProtect)))
144  {
145  /* Check if the thread is impersonating */
146  IsImpersonating = (BOOLEAN)Thread->ActiveImpersonationInfo;
147  if (IsImpersonating)
148  {
149  /* Set TEB data */
150  Teb->ImpersonationLocale = -1;
151  Teb->IsImpersonating = 1;
152  }
153  else
154  {
155  /* Set TEB data */
156  Teb->ImpersonationLocale = 0;
157  Teb->IsImpersonating = 0;
158  }
159  }
160 
161  /* Check if we're in a different thread */
162  if (Thread != CurrentThread)
163  {
164  /* Release protection */
165  ExReleaseRundownProtection(&Thread->RundownProtect);
166  }
167 
168  /* Detach */
169  if (Attached) KeUnstackDetachProcess(&ApcState);
170  }
171 
172  /* Return to caller */
173  return STATUS_SUCCESS;
174 }
175 
176 NTSTATUS
177 NTAPI
178 PspAssignPrimaryToken(IN PEPROCESS Process,
179  IN HANDLE Token,
180  IN PACCESS_TOKEN AccessToken OPTIONAL)
181 {
182  PACCESS_TOKEN NewToken = AccessToken, OldToken;
183  NTSTATUS Status;
184  PAGED_CODE();
185  PSTRACE(PS_SECURITY_DEBUG, "Process: %p Token: %p\n", Process, Token);
186 
187  /* Check if we don't have a pointer */
188  if (!AccessToken)
189  {
190  /* Reference it from the handle */
191  Status = ObReferenceObjectByHandle(Token,
192  TOKEN_ASSIGN_PRIMARY,
193  SeTokenObjectType,
194  ExGetPreviousMode(),
195  &NewToken,
196  NULL);
197  if (!NT_SUCCESS(Status)) return Status;
198  }
199 
200  /* Exchange tokens */
201  Status = SeExchangePrimaryToken(Process, NewToken, &OldToken);
202 
203  /* Acquire and release the lock */
204  PspLockProcessSecurityExclusive(Process);
205  PspUnlockProcessSecurityExclusive(Process);
206 
207  /* Dereference Tokens and Return */
208  if (NT_SUCCESS(Status)) ObDereferenceObject(OldToken);
209  if (!AccessToken) ObDereferenceObject(NewToken);
210  return Status;
211 }
212 
213 NTSTATUS
214 NTAPI
215 PspSetPrimaryToken(IN PEPROCESS Process,
216  IN HANDLE TokenHandle OPTIONAL,
217  IN PACCESS_TOKEN Token OPTIONAL)
218 {
219  KPROCESSOR_MODE PreviousMode = ExGetPreviousMode();
220  BOOLEAN IsChildOrSibling;
221  PACCESS_TOKEN NewToken = Token;
222  NTSTATUS Status, AccessStatus;
223  BOOLEAN Result, SdAllocated;
224  PSECURITY_DESCRIPTOR SecurityDescriptor = NULL;
225  SECURITY_SUBJECT_CONTEXT SubjectContext;
226 
227  PSTRACE(PS_SECURITY_DEBUG, "Process: %p Token: %p\n", Process, Token);
228 
229  /* Reference the token by handle if we don't already have a token object */
230  if (!Token)
231  {
232  Status = ObReferenceObjectByHandle(TokenHandle,
233  TOKEN_ASSIGN_PRIMARY,
234  SeTokenObjectType,
235  PreviousMode,
236  (PVOID*)&NewToken,
237  NULL);
238  if (!NT_SUCCESS(Status)) return Status;
239  }
240 
241  /*
242  * Check whether this token is a child or sibling of the current process token.
243  * NOTE: On Windows Vista+ both of these checks (together with extra steps)
244  * are now performed by a new SeIsTokenAssignableToProcess() helper.
245  */
246  Status = SeIsTokenChild(NewToken, &IsChildOrSibling);
247  if (!NT_SUCCESS(Status))
248  {
249  /* Failed, dereference */
250  if (!Token) ObDereferenceObject(NewToken);
251  return Status;
252  }
253  if (!IsChildOrSibling)
254  {
255  Status = SeIsTokenSibling(NewToken, &IsChildOrSibling);
256  if (!NT_SUCCESS(Status))
257  {
258  /* Failed, dereference */
259  if (!Token) ObDereferenceObject(NewToken);
260  return Status;
261  }
262  }
263 
264  /* Check if this was an independent token */
265  if (!IsChildOrSibling)
266  {
267  /* Make sure we have the privilege to assign a new one */
268  if (!SeSinglePrivilegeCheck(SeAssignPrimaryTokenPrivilege,
269  PreviousMode))
270  {
271  /* Failed, dereference */
272  if (!Token) ObDereferenceObject(NewToken);
273  return STATUS_PRIVILEGE_NOT_HELD;
274  }
275  }
276 
277  /* Assign the token */
278  Status = PspAssignPrimaryToken(Process, NULL, NewToken);
279  if (NT_SUCCESS(Status))
280  {
281  /*
282  * We need to completely reverify if the process still has access to
283  * itself under this new token.
284  */
285  Status = ObGetObjectSecurity(Process,
286  &SecurityDescriptor,
287  &SdAllocated);
288  if (NT_SUCCESS(Status))
289  {
290  /* Setup the security context */
291  SubjectContext.ProcessAuditId = Process;
292  SubjectContext.PrimaryToken = PsReferencePrimaryToken(Process);
293  SubjectContext.ClientToken = NULL;
294 
295  /* Do the access check */
296  Result = SeAccessCheck(SecurityDescriptor,
297  &SubjectContext,
298  FALSE,
299  MAXIMUM_ALLOWED,
300  0,
301  NULL,
302  &PsProcessType->TypeInfo.GenericMapping,
303  PreviousMode,
304  &Process->GrantedAccess,
305  &AccessStatus);
306 
307  /* Dereference the token and let go the SD */
308  ObFastDereferenceObject(&Process->Token,
309  SubjectContext.PrimaryToken);
310  ObReleaseObjectSecurity(SecurityDescriptor, SdAllocated);
311 
312  /* Remove access if it failed */
313  if (!Result) Process->GrantedAccess = 0;
314 
315  /* Setup granted access */
316  Process->GrantedAccess |= (PROCESS_VM_OPERATION |
317  PROCESS_VM_READ |
318  PROCESS_VM_WRITE |
319  PROCESS_QUERY_INFORMATION |
320  PROCESS_TERMINATE |
321  PROCESS_CREATE_THREAD |
322  PROCESS_DUP_HANDLE |
323  PROCESS_CREATE_PROCESS |
324  PROCESS_SET_INFORMATION |
325  STANDARD_RIGHTS_ALL |
326  PROCESS_SET_QUOTA);
327  }
328  }
329 
330  /* Dereference the token */
331  if (!Token) ObDereferenceObject(NewToken);
332  return Status;
333 }
334 
335 /* FUNCTIONS *****************************************************************/
336 
337 /*
338  * @implemented
339  */
340 NTSTATUS
341 NTAPI
342 NtOpenProcessToken(IN HANDLE ProcessHandle,
343  IN ACCESS_MASK DesiredAccess,
344  OUT PHANDLE TokenHandle)
345 {
346  /* Call the newer API */
347  return NtOpenProcessTokenEx(ProcessHandle,
348  DesiredAccess,
349  0,
350  TokenHandle);
351 }
352 
353 /*
354  * @implemented
355  */
356 NTSTATUS
357 NTAPI
358 NtOpenProcessTokenEx(IN HANDLE ProcessHandle,
359  IN ACCESS_MASK DesiredAccess,
360  IN ULONG HandleAttributes,
361  OUT PHANDLE TokenHandle)
362 {
363  PACCESS_TOKEN Token;
364  HANDLE hToken;
365  KPROCESSOR_MODE PreviousMode = ExGetPreviousMode();
366  NTSTATUS Status;
367  PAGED_CODE();
368  PSTRACE(PS_SECURITY_DEBUG,
369  "Process: %p DesiredAccess: %lx\n", ProcessHandle, DesiredAccess);
370 
371  /* Check if caller was user-mode */
372  if (PreviousMode != KernelMode)
373  {
374  /* Enter SEH for probing */
375  _SEH2_TRY
376  {
377  /* Probe the token handle */
378  ProbeForWriteHandle(TokenHandle);
379  }
380  _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
381  {
382  /* Return the exception code */
383  _SEH2_YIELD(return _SEH2_GetExceptionCode());
384  }
385  _SEH2_END;
386  }
387 
388  /* Validate object attributes */
389  HandleAttributes = ObpValidateAttributes(HandleAttributes, PreviousMode);
390 
391  /* Open the process token */
392  Status = PsOpenTokenOfProcess(ProcessHandle, &Token);
393  if (NT_SUCCESS(Status))
394  {
395  /* Reference it by handle and dereference the pointer */
396  Status = ObOpenObjectByPointer(Token,
397  HandleAttributes,
398  NULL,
399  DesiredAccess,
400  SeTokenObjectType,
401  PreviousMode,
402  &hToken);
403  ObDereferenceObject(Token);
404 
405  /* Make sure we got a handle */
406  if (NT_SUCCESS(Status))
407  {
408  /* Enter SEH for write */
409  _SEH2_TRY
410  {
411  /* Return the handle */
412  *TokenHandle = hToken;
413  }
414  _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
415  {
416  /* Get exception code */
417  Status = _SEH2_GetExceptionCode();
418  }
419  _SEH2_END;
420  }
421  }
422 
423  /* Return status */
424  return Status;
425 }
426 
427 /*
428  * @implemented
429  */
430 PACCESS_TOKEN
431 NTAPI
432 PsReferencePrimaryToken(PEPROCESS Process)
433 {
434  PACCESS_TOKEN Token;
435  PAGED_CODE();
436  PSTRACE(PS_SECURITY_DEBUG, "Process: %p\n", Process);
437 
438  /* Fast Reference the Token */
439  Token = ObFastReferenceObject(&Process->Token);
440 
441  /* Check if we got the Token or if we got locked */
442  if (!Token)
443  {
444  /* Lock the Process */
445  PspLockProcessSecurityShared(Process);
446 
447  /* Do a Locked Fast Reference */
448  Token = ObFastReferenceObjectLocked(&Process->Token);
449 
450  /* Unlock the Process */
451  PspUnlockProcessSecurityShared(Process);
452  }
453 
454  /* Return the Token */
455  return Token;
456 }
457 
458 /*
459  * @implemented
460  */
461 NTSTATUS
462 NTAPI
463 PsOpenTokenOfProcess(IN HANDLE ProcessHandle,
464  OUT PACCESS_TOKEN* Token)
465 {
466  PEPROCESS Process;
467  NTSTATUS Status;
468  PAGED_CODE();
469  PSTRACE(PS_SECURITY_DEBUG, "Process: %p\n", ProcessHandle);
470 
471  /* Get the Token */
472  Status = ObReferenceObjectByHandle(ProcessHandle,
473  PROCESS_QUERY_INFORMATION,
474  PsProcessType,
475  ExGetPreviousMode(),
476  (PVOID*)&Process,
477  NULL);
478  if (NT_SUCCESS(Status))
479  {
480  /* Reference the token and dereference the process */
481  *Token = PsReferencePrimaryToken(Process);
482  ObDereferenceObject(Process);
483  }
484 
485  /* Return */
486  return Status;
487 }
488 
489 /*
490  * @implemented
491  */
492 NTSTATUS
493 NTAPI
494 PsAssignImpersonationToken(IN PETHREAD Thread,
495  IN HANDLE TokenHandle)
496 {
497  PACCESS_TOKEN Token;
498  SECURITY_IMPERSONATION_LEVEL ImpersonationLevel;
499  NTSTATUS Status;
500  PAGED_CODE();
501  PSTRACE(PS_SECURITY_DEBUG, "Thread: %p Token: %p\n", Thread, TokenHandle);
502 
503  /* Check if we were given a handle */
504  if (!TokenHandle)
505  {
506  /* Undo impersonation */
507  PsRevertThreadToSelf(Thread);
508  return STATUS_SUCCESS;
509  }
510 
511  /* Get the token object */
512  Status = ObReferenceObjectByHandle(TokenHandle,
513  TOKEN_IMPERSONATE,
514  SeTokenObjectType,
515  KeGetPreviousMode(),
516  (PVOID*)&Token,
517  NULL);
518  if (!NT_SUCCESS(Status)) return(Status);
519 
520  /* Make sure it's an impersonation token */
521  if (SeTokenType(Token) != TokenImpersonation)
522  {
523  /* Fail */
524  ObDereferenceObject(Token);
525  return STATUS_BAD_TOKEN_TYPE;
526  }
527 
528  /* Get the impersonation level */
529  ImpersonationLevel = SeTokenImpersonationLevel(Token);
530 
531  /* Call the impersonation API */
532  Status = PsImpersonateClient(Thread,
533  Token,
534  FALSE,
535  FALSE,
536  ImpersonationLevel);
537 
538  /* Dereference the token and return status */
539  ObDereferenceObject(Token);
540  return Status;
541 }
542 
543 /*
544  * @implemented
545  */
546 VOID
547 NTAPI
548 PsRevertToSelf(VOID)
549 {
550  /* Call the per-thread API */
551  PAGED_CODE();
552  PsRevertThreadToSelf(PsGetCurrentThread());
553 }
554 
555 /*
556  * @implemented
557  */
558 VOID
559 NTAPI
560 PsRevertThreadToSelf(IN PETHREAD Thread)
561 {
562  PTOKEN Token = NULL;
563  PAGED_CODE();
564  PSTRACE(PS_SECURITY_DEBUG, "Thread: %p\n", Thread);
565 
566  /* Make sure we had impersonation information */
567  if (Thread->ActiveImpersonationInfo)
568  {
569  /* Lock the thread security */
570  PspLockThreadSecurityExclusive(Thread);
571 
572  /* Make sure it's still active */
573  if (Thread->ActiveImpersonationInfo)
574  {
575  /* Disable impersonation */
576  PspClearCrossThreadFlag(Thread, CT_ACTIVE_IMPERSONATION_INFO_BIT);
577 
578  /* Get the token */
579  Token = Thread->ImpersonationInfo->Token;
580  }
581 
582  /* Release thread security */
583  PspUnlockThreadSecurityExclusive(Thread);
584 
585  /* Check if we had a token */
586  if (Token)
587  {
588  /* Dereference the impersonation token */
589  ObDereferenceObject(Token);
590 
591  /* Write impersonation info to the TEB */
592  PspWriteTebImpersonationInfo(Thread, PsGetCurrentThread());
593  }
594  }
595 }
596 
597 /*
598  * @implemented
599  */
600 NTSTATUS
601 NTAPI
602 PsImpersonateClient(IN PETHREAD Thread,
603  IN PACCESS_TOKEN Token,
604  IN BOOLEAN CopyOnOpen,
605  IN BOOLEAN EffectiveOnly,
606  IN SECURITY_IMPERSONATION_LEVEL ImpersonationLevel)
607 {
608  PPS_IMPERSONATION_INFORMATION Impersonation, OldData;
609  PTOKEN OldToken = NULL;
610  PAGED_CODE();
611  PSTRACE(PS_SECURITY_DEBUG, "Thread: %p, Token: %p\n", Thread, Token);
612 
613  /* Check if we don't have a token */
614  if (!Token)
615  {
616  /* Make sure we're impersonating */
617  if (Thread->ActiveImpersonationInfo)
618  {
619  /* We seem to be, lock the thread */
620  PspLockThreadSecurityExclusive(Thread);
621 
622  /* Make sure we're still impersonating */
623  if (Thread->ActiveImpersonationInfo)
624  {
625  /* Disable impersonation */
626  PspClearCrossThreadFlag(Thread,
627  CT_ACTIVE_IMPERSONATION_INFO_BIT);
628 
629  /* Get the token */
630  OldToken = Thread->ImpersonationInfo->Token;
631  }
632 
633  /* Unlock the process and write TEB information */
634  PspUnlockThreadSecurityExclusive(Thread);
635  PspWriteTebImpersonationInfo(Thread, PsGetCurrentThread());
636  }
637  }
638  else
639  {
640  /* Check if we have impersonation info */
641  Impersonation = Thread->ImpersonationInfo;
642  if (!Impersonation)
643  {
644  /* We need to allocate a new one */
645  Impersonation = ExAllocatePoolWithTag(PagedPool,
646  sizeof(*Impersonation),
647  TAG_PS_IMPERSONATION);
648  if (!Impersonation) return STATUS_INSUFFICIENT_RESOURCES;
649 
650  /* Update the pointer */
651  OldData = InterlockedCompareExchangePointer((PVOID*)&Thread->
652  ImpersonationInfo,
653  Impersonation,
654  NULL);
655  if (OldData)
656  {
657  /* Someone beat us to it, free our copy */
658  ExFreePoolWithTag(Impersonation, TAG_PS_IMPERSONATION);
659  Impersonation = OldData;
660  }
661  }
662 
663  /* Check if this is a job, which we don't support yet */
664  if (Thread->ThreadsProcess->Job) ASSERT(FALSE);
665 
666  /* Lock thread security */
667  PspLockThreadSecurityExclusive(Thread);
668 
669  /* Check if we're impersonating */
670  if (Thread->ActiveImpersonationInfo)
671  {
672  /* Get the token */
673  OldToken = Impersonation->Token;
674  }
675  else
676  {
677  /* Otherwise, enable impersonation */
678  PspSetCrossThreadFlag(Thread, CT_ACTIVE_IMPERSONATION_INFO_BIT);
679  }
680 
681  /* Now fill it out */
682  Impersonation->ImpersonationLevel = ImpersonationLevel;
683  Impersonation->CopyOnOpen = CopyOnOpen;
684  Impersonation->EffectiveOnly = EffectiveOnly;
685  Impersonation->Token = Token;
686  ObReferenceObject(Token);
687 
688  /* Unlock the thread */
689  PspUnlockThreadSecurityExclusive(Thread);
690 
691  /* Write impersonation info to the TEB */
692  PspWriteTebImpersonationInfo(Thread, PsGetCurrentThread());
693  }
694 
695  /* Dereference the token and return success */
696  if (OldToken) PsDereferenceImpersonationToken(OldToken);
697  return STATUS_SUCCESS;
698 }
699 
700 /*
701  * @implemented
702  */
703 PACCESS_TOKEN
704 NTAPI
705 PsReferenceEffectiveToken(IN PETHREAD Thread,
706  OUT IN PTOKEN_TYPE TokenType,
707  OUT PBOOLEAN EffectiveOnly,
708  OUT PSECURITY_IMPERSONATION_LEVEL ImpersonationLevel)
709 {
710  PEPROCESS Process;
711  PACCESS_TOKEN Token = NULL;
712 
713  PAGED_CODE();
714 
715  PSTRACE(PS_SECURITY_DEBUG,
716  "Thread: %p, TokenType: %p\n", Thread, TokenType);
717 
718  /* Check if we don't have impersonation info */
719  Process = Thread->ThreadsProcess;
720  if (Thread->ActiveImpersonationInfo)
721  {
722  /* Lock the Process */
723  PspLockProcessSecurityShared(Process);
724 
725  /* Make sure impersonation is still active */
726  if (Thread->ActiveImpersonationInfo)
727  {
728  /* Get the token */
729  Token = Thread->ImpersonationInfo->Token;
730  ObReferenceObject(Token);
731 
732  /* Return data to caller */
733  *TokenType = TokenImpersonation;
734  *EffectiveOnly = Thread->ImpersonationInfo->EffectiveOnly;
735  *ImpersonationLevel = Thread->ImpersonationInfo->ImpersonationLevel;
736 
737  /* Unlock the Process */
738  PspUnlockProcessSecurityShared(Process);
739  return Token;
740  }
741 
742  /* Unlock the Process */
743  PspUnlockProcessSecurityShared(Process);
744  }
745 
746  /* Fast Reference the Token */
747  Token = ObFastReferenceObject(&Process->Token);
748 
749  /* Check if we got the Token or if we got locked */
750  if (!Token)
751  {
752  /* Lock the Process */
753  PspLockProcessSecurityShared(Process);
754 
755  /* Do a Locked Fast Reference */
756  Token = ObFastReferenceObjectLocked(&Process->Token);
757 
758  /* Unlock the Process */
759  PspUnlockProcessSecurityShared(Process);
760  }
761 
762  /* Return the token */
763  *TokenType = TokenPrimary;
764  *EffectiveOnly = FALSE;
765  // NOTE: ImpersonationLevel is left untouched on purpose!
766  return Token;
767 }
768 
769 /*
770  * @implemented
771  */
772 PACCESS_TOKEN
773 NTAPI
774 PsReferenceImpersonationToken(IN PETHREAD Thread,
775  OUT PBOOLEAN CopyOnOpen,
776  OUT PBOOLEAN EffectiveOnly,
777  OUT PSECURITY_IMPERSONATION_LEVEL ImpersonationLevel)
778 {
779  PTOKEN Token = NULL;
780  PAGED_CODE();
781  PSTRACE(PS_SECURITY_DEBUG, "Thread: %p\n", Thread);
782 
783  /* If we don't have impersonation info, just quit */
784  if (!Thread->ActiveImpersonationInfo) return NULL;
785 
786  /* Lock the thread */
787  PspLockThreadSecurityShared(Thread);
788 
789  /* Make sure we still have active impersonation */
790  if (Thread->ActiveImpersonationInfo)
791  {
792  /* Return data from caller */
793  ObReferenceObject(Thread->ImpersonationInfo->Token);
794  *ImpersonationLevel = Thread->ImpersonationInfo->ImpersonationLevel;
795  *CopyOnOpen = Thread->ImpersonationInfo->CopyOnOpen;
796  *EffectiveOnly = Thread->ImpersonationInfo->EffectiveOnly;
797 
798  /* Set the token */
799  Token = Thread->ImpersonationInfo->Token;
800  }
801 
802  /* Unlock thread and return impersonation token */
803  PspUnlockThreadSecurityShared(Thread);
804  return Token;
805 }
806 
807 #undef PsDereferenceImpersonationToken
808 /*
809  * @implemented
810  */
811 VOID
812 NTAPI
813 PsDereferenceImpersonationToken(IN PACCESS_TOKEN ImpersonationToken)
814 {
815  PAGED_CODE();
816 
817  /* If we got a token, dereference it */
818  if (ImpersonationToken) ObDereferenceObject(ImpersonationToken);
819 }
820 
821 #undef PsDereferencePrimaryToken
822 /*
823  * @implemented
824  */
825 VOID
826 NTAPI
827 PsDereferencePrimaryToken(IN PACCESS_TOKEN PrimaryToken)
828 {
829  PAGED_CODE();
830 
831  /* Dereference the token*/
832  ObDereferenceObject(PrimaryToken);
833 }
834 
835 /*
836  * @implemented
837  */
838 BOOLEAN
839 NTAPI
840 PsDisableImpersonation(IN PETHREAD Thread,
841  OUT PSE_IMPERSONATION_STATE ImpersonationState)
842 {
843  PPS_IMPERSONATION_INFORMATION Impersonation = NULL;
844  LONG OldFlags;
845  PAGED_CODE();
846  PSTRACE(PS_SECURITY_DEBUG,
847  "Thread: %p State: %p\n", Thread, ImpersonationState);
848 
849  /* Check if we don't have impersonation */
850  if (Thread->ActiveImpersonationInfo)
851  {
852  /* Lock thread security */
853  PspLockThreadSecurityExclusive(Thread);
854 
855  /* Disable impersonation */
856  OldFlags = PspClearCrossThreadFlag(Thread,
857  CT_ACTIVE_IMPERSONATION_INFO_BIT);
858 
859  /* Make sure nobody disabled it behind our back */
860  if (OldFlags & CT_ACTIVE_IMPERSONATION_INFO_BIT)
861  {
862  /* Copy the old state */
863  Impersonation = Thread->ImpersonationInfo;
864  ImpersonationState->Token = Impersonation->Token;
865  ImpersonationState->CopyOnOpen = Impersonation->CopyOnOpen;
866  ImpersonationState->EffectiveOnly = Impersonation->EffectiveOnly;
867  ImpersonationState->Level = Impersonation->ImpersonationLevel;
868  }
869 
870  /* Unlock thread security */
871  PspUnlockThreadSecurityExclusive(Thread);
872 
873  /* If we had impersonation info, return true */
874  if (Impersonation) return TRUE;
875  }
876 
877  /* Clear everything */
878  ImpersonationState->Token = NULL;
879  ImpersonationState->CopyOnOpen = FALSE;
880  ImpersonationState->EffectiveOnly = FALSE;
881  ImpersonationState->Level = SecurityAnonymous;
882  return FALSE;
883 }
884 
885 /*
886  * @implemented
887  */
888 VOID
889 NTAPI
890 PsRestoreImpersonation(IN PETHREAD Thread,
891  IN PSE_IMPERSONATION_STATE ImpersonationState)
892 {
893  PTOKEN Token = NULL;
894  PPS_IMPERSONATION_INFORMATION Impersonation;
895  PAGED_CODE();
896  PSTRACE(PS_SECURITY_DEBUG,
897  "Thread: %p State: %p\n", Thread, ImpersonationState);
898 
899  /* Lock thread security */
900  PspLockThreadSecurityExclusive(Thread);
901 
902  /* Get the impersonation info */
903  Impersonation = Thread->ImpersonationInfo;
904 
905  /* Check if we're impersonating */
906  if (Thread->ActiveImpersonationInfo)
907  {
908  /* Get the token */
909  Token = Impersonation->Token;
910  }
911 
912  /* Check if we have an impersonation state */
913  if (ImpersonationState)
914  {
915  /* Fill out the impersonation info */
916  Impersonation->ImpersonationLevel = ImpersonationState->Level;
917  Impersonation->CopyOnOpen = ImpersonationState->CopyOnOpen;
918  Impersonation->EffectiveOnly = ImpersonationState->EffectiveOnly;
919  Impersonation->Token = ImpersonationState->Token;
920 
921  /* Enable impersonation */
922  PspSetCrossThreadFlag(Thread, CT_ACTIVE_IMPERSONATION_INFO_BIT);
923  }
924  else
925  {
926  /* Disable impersonation */
927  PspClearCrossThreadFlag(Thread, CT_ACTIVE_IMPERSONATION_INFO_BIT);
928  }
929 
930  /* Unlock the thread */
931  PspUnlockThreadSecurityExclusive(Thread);
932 
933  /* Dereference the token */
934  if (Token) ObDereferenceObject(Token);
935 }
936 
937 NTSTATUS
938 NTAPI
939 NtImpersonateThread(IN HANDLE ThreadHandle,
940  IN HANDLE ThreadToImpersonateHandle,
941  IN PSECURITY_QUALITY_OF_SERVICE SecurityQualityOfService)
942 {
943  SECURITY_QUALITY_OF_SERVICE SafeServiceQoS;
944  SECURITY_CLIENT_CONTEXT ClientContext;
945  PETHREAD Thread;
946  PETHREAD ThreadToImpersonate;
947  KPROCESSOR_MODE PreviousMode = ExGetPreviousMode();
948  NTSTATUS Status;
949  PAGED_CODE();
950  PSTRACE(PS_SECURITY_DEBUG,
951  "Threads: %p %p\n", ThreadHandle, ThreadToImpersonateHandle);
952 
953  /* Check if call came from user mode */
954  if (PreviousMode != KernelMode)
955  {
956  /* Enter SEH for probing */
957  _SEH2_TRY
958  {
959  /* Probe QoS */
960  ProbeForRead(SecurityQualityOfService,
961  sizeof(SECURITY_QUALITY_OF_SERVICE),
962  sizeof(ULONG));
963 
964  /* Capture it */
965  SafeServiceQoS = *SecurityQualityOfService;
966  SecurityQualityOfService = &SafeServiceQoS;
967  }
968  _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
969  {
970  /* Return the exception code */
971  _SEH2_YIELD(return _SEH2_GetExceptionCode());
972  }
973  _SEH2_END;
974  }
975 
976  /* Reference the thread */
977  Status = ObReferenceObjectByHandle(ThreadHandle,
978  THREAD_DIRECT_IMPERSONATION,
979  PsThreadType,
980  PreviousMode,
981  (PVOID*)&Thread,
982  NULL);
983  if (NT_SUCCESS(Status))
984  {
985  /* Reference the impersonating thead */
986  Status = ObReferenceObjectByHandle(ThreadToImpersonateHandle,
987  THREAD_IMPERSONATE,
988  PsThreadType,
989  PreviousMode,
990  (PVOID*)&ThreadToImpersonate,
991  NULL);
992  if (NT_SUCCESS(Status))
993  {
994  /* Create a client security context */
995  Status = SeCreateClientSecurity(ThreadToImpersonate,
996  SecurityQualityOfService,
997  0,
998  &ClientContext);
999  if (NT_SUCCESS(Status))
1000  {
1001  /* Do the impersonation */
1002  SeImpersonateClient(&ClientContext, Thread);
1003  if (ClientContext.ClientToken)
1004  {
1005  /* Dereference the client token if we had one */
1006  ObDereferenceObject(ClientContext.ClientToken);
1007  }
1008  }
1009 
1010  /* Dereference the thread to impersonate */
1011  ObDereferenceObject(ThreadToImpersonate);
1012  }
1013 
1014  /* Dereference the main thread */
1015  ObDereferenceObject(Thread);
1016  }
1017 
1018  /* Return status */
1019  return Status;
1020 }
1021 /* EOF */
_SECURITY_DESCRIPTOR
Definition: ms-dtyp.idl:301
NtImpersonateThread
NTSTATUS NTAPI NtImpersonateThread(IN HANDLE ThreadHandle, IN HANDLE ThreadToImpersonateHandle, IN PSECURITY_QUALITY_OF_SERVICE SecurityQualityOfService)
Definition: security.c:939
PSECURITY_IMPERSONATION_LEVEL
enum _SECURITY_IMPERSONATION_LEVEL * PSECURITY_IMPERSONATION_LEVEL
MAXIMUM_ALLOWED
#define MAXIMUM_ALLOWED
Definition: nt_native.h:83
SeAccessCheck
BOOLEAN NTAPI SeAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor, IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext, IN BOOLEAN SubjectContextLocked, IN ACCESS_MASK DesiredAccess, IN ACCESS_MASK PreviouslyGrantedAccess, OUT PPRIVILEGE_SET *Privileges, IN PGENERIC_MAPPING GenericMapping, IN KPROCESSOR_MODE AccessMode, OUT PACCESS_MASK GrantedAccess, OUT PNTSTATUS AccessStatus)
Definition: accesschk.c:340
PsImpersonateClient
NTSTATUS NTAPI PsImpersonateClient(IN PETHREAD Thread, IN PACCESS_TOKEN Token, IN BOOLEAN CopyOnOpen, IN BOOLEAN EffectiveOnly, IN SECURITY_IMPERSONATION_LEVEL ImpersonationLevel)
Definition: security.c:602
HandleAttributes
_In_ HANDLE _In_opt_ HANDLE _Out_opt_ PHANDLE _In_ ACCESS_MASK _In_ ULONG HandleAttributes
Definition: obfuncs.h:429
IN
#define IN
Definition: typedefs.h:38
STATUS_PRIVILEGE_NOT_HELD
#define STATUS_PRIVILEGE_NOT_HELD
Definition: DriverTester.h:9
SubjectContext
_Inout_ PLIST_ENTRY _In_ PVOID _In_ PSTRING _In_ BOOLEAN _In_ BOOLEAN _In_ ULONG _In_ PFLT_CALLBACK_DATA _In_opt_ PCHECK_FOR_TRAVERSE_ACCESS _In_opt_ PSECURITY_SUBJECT_CONTEXT SubjectContext
Definition: fltkernel.h:2239
_PS_IMPERSONATION_INFORMATION::Token
PACCESS_TOKEN Token
Definition: pstypes.h:1000
PspSetPrimaryToken
NTSTATUS NTAPI PspSetPrimaryToken(IN PEPROCESS Process, IN HANDLE TokenHandle OPTIONAL, IN PACCESS_TOKEN Token OPTIONAL)
Definition: security.c:215
TRUE
#define TRUE
Definition: types.h:120
KAPC_STATE
KAPC_STATE
Definition: ketypes.h:1273
STATUS_INSUFFICIENT_RESOURCES
#define STATUS_INSUFFICIENT_RESOURCES
Definition: udferr_usr.h:158
SeIsTokenSibling
NTSTATUS NTAPI SeIsTokenSibling(IN PTOKEN Token, OUT PBOOLEAN IsSibling)
Definition: token.c:749
_PS_IMPERSONATION_INFORMATION::ImpersonationLevel
SECURITY_IMPERSONATION_LEVEL ImpersonationLevel
Definition: pstypes.h:1003
PspUnlockThreadSecurityExclusive
FORCEINLINE VOID PspUnlockThreadSecurityExclusive(IN PETHREAD Thread)
Definition: ps_x.h:188
ImpersonationState
_Inout_ PSE_IMPERSONATION_STATE ImpersonationState
Definition: psfuncs.h:189
_SE_IMPERSONATION_STATE::EffectiveOnly
BOOLEAN EffectiveOnly
Definition: setypes.h:118
PspLockThreadSecurityShared
FORCEINLINE VOID PspLockThreadSecurityShared(IN PETHREAD Thread)
Definition: ps_x.h:155
_PS_IMPERSONATION_INFORMATION::CopyOnOpen
BOOLEAN CopyOnOpen
Definition: pstypes.h:1001
NtOpenProcessTokenEx
NTSTATUS NTAPI NtOpenProcessTokenEx(IN HANDLE ProcessHandle, IN ACCESS_MASK DesiredAccess, IN ULONG HandleAttributes, OUT PHANDLE TokenHandle)
Definition: security.c:358
PsGetCurrentThread
#define PsGetCurrentThread()
Definition: env_spec_w32.h:81
PspClearCrossThreadFlag
#define PspClearCrossThreadFlag(Thread, Flag)
Definition: ps_x.h:27
PROCESS_QUERY_INFORMATION
#define PROCESS_QUERY_INFORMATION
Definition: pstypes.h:158
THREAD_IMPERSONATE
#define THREAD_IMPERSONATE
Definition: pstypes.h:143
PspLockProcessSecurityExclusive
FORCEINLINE VOID PspLockProcessSecurityExclusive(IN PEPROCESS Process)
Definition: ps_x.h:133
PspBootAccessToken
PTOKEN PspBootAccessToken
Definition: security.c:17
AccessStatus
_In_ PSECURITY_SUBJECT_CONTEXT _In_ BOOLEAN _In_ ACCESS_MASK _In_ ACCESS_MASK _Outptr_opt_ PPRIVILEGE_SET _In_ PGENERIC_MAPPING _In_ KPROCESSOR_MODE _Out_ PACCESS_MASK _Out_ PNTSTATUS AccessStatus
Definition: sefuncs.h:13
ExReleaseRundownProtection
NTKERNELAPI VOID FASTCALL ExReleaseRundownProtection(_Inout_ PEX_RUNDOWN_REF RunRef)
SecurityDescriptor
_In_ USHORT _In_ ULONG _In_ PSOCKADDR _In_ PSOCKADDR _Reserved_ ULONG _In_opt_ PVOID _In_opt_ const WSK_CLIENT_CONNECTION_DISPATCH _In_opt_ PEPROCESS _In_opt_ PETHREAD _In_opt_ PSECURITY_DESCRIPTOR SecurityDescriptor
Definition: wsk.h:182
SeIsTokenChild
NTSTATUS NTAPI SeIsTokenChild(IN PTOKEN Token, OUT PBOOLEAN IsChild)
Definition: token.c:716
PsRevertThreadToSelf
VOID NTAPI PsRevertThreadToSelf(IN PETHREAD Thread)
Definition: security.c:560
PTOKEN_TYPE
enum _TOKEN_TYPE * PTOKEN_TYPE
PspInitializeProcessSecurity
NTSTATUS NTAPI PspInitializeProcessSecurity(IN PEPROCESS Process, IN PEPROCESS Parent OPTIONAL)
Definition: security.c:71
SeDeassignPrimaryToken
VOID NTAPI SeDeassignPrimaryToken(struct _EPROCESS *Process)
KeGetPreviousMode
#define KeGetPreviousMode()
Definition: ketypes.h:1081
NTSTATUS
LONG NTSTATUS
Definition: precomp.h:26
_TEB::ImpersonationLocale
ULONG ImpersonationLocale
Definition: winternl.h:432
_ETHREAD::RundownProtect
EX_RUNDOWN_REF RundownProtect
Definition: pstypes.h:1090
Token
_IRQL_requires_same_ _In_ PLSA_STRING _In_ SECURITY_LOGON_TYPE _In_ ULONG _In_ ULONG _In_opt_ PTOKEN_GROUPS _In_ PTOKEN_SOURCE _Out_ PVOID _Out_ PULONG _Inout_ PLUID _Out_ PHANDLE Token
Definition: ntifs.template.h:711
_ETHREAD::Tcb
KTHREAD Tcb
Definition: pstypes.h:1034
ExAcquireRundownProtection
#define ExAcquireRundownProtection
Definition: ex.h:130
ObFastReferenceObject
PVOID FASTCALL ObFastReferenceObject(IN PEX_FAST_REF FastRef)
Definition: obref.c:134
CopyOnOpen
_Out_ PBOOLEAN CopyOnOpen
Definition: psfuncs.h:154
TOKEN_ASSIGN_PRIMARY
#define TOKEN_ASSIGN_PRIMARY
Definition: setypes.h:871
SeSinglePrivilegeCheck
BOOLEAN NTAPI SeSinglePrivilegeCheck(IN LUID PrivilegeValue, IN KPROCESSOR_MODE PreviousMode)
Definition: priv.c:524
_PS_IMPERSONATION_INFORMATION::EffectiveOnly
BOOLEAN EffectiveOnly
Definition: pstypes.h:1002
ExGetPreviousMode
KPROCESSOR_MODE NTAPI ExGetPreviousMode(VOID)
Definition: sysinfo.c:2966
_EPROCESS
Definition: pstypes.h:1191
ObDereferenceObject
VOID NTAPI ObDereferenceObject(IN PVOID Object)
Definition: obref.c:375
SeAssignPrimaryTokenPrivilege
const LUID SeAssignPrimaryTokenPrivilege
Definition: priv.c:24
TOKEN_IMPERSONATE
#define TOKEN_IMPERSONATE
Definition: setypes.h:873
NtOpenProcessToken
NTSTATUS NTAPI NtOpenProcessToken(IN HANDLE ProcessHandle, IN ACCESS_MASK DesiredAccess, OUT PHANDLE TokenHandle)
Definition: security.c:342
Parent
ACPI_PHYSICAL_ADDRESS ACPI_SIZE BOOLEAN Warn BOOLEAN Physical UINT32 ACPI_TABLE_HEADER *OutTableHeader ACPI_TABLE_HEADER **OutTable ACPI_HANDLE UINT32 ACPI_WALK_CALLBACK ACPI_WALK_CALLBACK void void **ReturnValue UINT32 ACPI_BUFFER *RetPathPtr ACPI_OBJECT_HANDLER void *Data ACPI_OBJECT_HANDLER void **Data ACPI_STRING ACPI_OBJECT_LIST ACPI_BUFFER *ReturnObjectBuffer ACPI_DEVICE_INFO **ReturnBuffer ACPI_HANDLE Parent
Definition: acpixf.h:716
SeExchangePrimaryToken
NTSTATUS NTAPI SeExchangePrimaryToken(_In_ PEPROCESS Process, _In_ PACCESS_TOKEN NewAccessToken, _Out_ PACCESS_TOKEN *OldAccessToken)
Definition: token.c:234
ObOpenObjectByPointer
NTSTATUS NTAPI ObOpenObjectByPointer(IN PVOID Object, IN ULONG HandleAttributes, IN PACCESS_STATE PassedAccessState, IN ACCESS_MASK DesiredAccess, IN POBJECT_TYPE ObjectType, IN KPROCESSOR_MODE AccessMode, OUT PHANDLE Handle)
Definition: obhandle.c:2739
PAGED_CODE
#define PAGED_CODE()
Definition: video.h:57
PROCESS_CREATE_THREAD
#define PROCESS_CREATE_THREAD
Definition: pstypes.h:150
_SEH2_TRY
_SEH2_TRY
Definition: create.c:4250
ObReferenceObjectByHandle
NTSTATUS NTAPI ObReferenceObjectByHandle(IN HANDLE Handle, IN ACCESS_MASK DesiredAccess, IN POBJECT_TYPE ObjectType, IN KPROCESSOR_MODE AccessMode, OUT PVOID *Object, OUT POBJECT_HANDLE_INFORMATION HandleInformation OPTIONAL)
Definition: obref.c:496
Attached
static BOOL Attached
Definition: vidbios.c:3905
NTAPI
NTSTATUS(* NTAPI)(IN PFILE_FULL_EA_INFORMATION EaBuffer, IN ULONG EaLength, OUT PULONG ErrorOffset)
Definition: IoEaTest.cpp:117
_ETHREAD::ImpersonationInfo
PPS_IMPERSONATION_INFORMATION ImpersonationInfo
Definition: pstypes.h:1074
KeStackAttachProcess
VOID NTAPI KeStackAttachProcess(IN PKPROCESS Process, OUT PRKAPC_STATE ApcState)
Definition: procobj.c:701
LONG
long LONG
Definition: pedump.c:60
_SECURITY_CLIENT_CONTEXT
Definition: imports.h:289
_KTHREAD::ApcState
KAPC_STATE ApcState
Definition: ketypes.h:1668
SECURITY_IMPERSONATION_LEVEL
enum _SECURITY_IMPERSONATION_LEVEL SECURITY_IMPERSONATION_LEVEL
PROCESS_DUP_HANDLE
#define PROCESS_DUP_HANDLE
PsOpenTokenOfProcess
NTSTATUS NTAPI PsOpenTokenOfProcess(IN HANDLE ProcessHandle, OUT PACCESS_TOKEN *Token)
Definition: security.c:463
InterlockedCompareExchangePointer
#define InterlockedCompareExchangePointer
Definition: interlocked.h:129
PspUnlockProcessSecurityShared
FORCEINLINE VOID PspUnlockProcessSecurityShared(IN PEPROCESS Process)
Definition: ps_x.h:122
EXCEPTION_EXECUTE_HANDLER
#define EXCEPTION_EXECUTE_HANDLER
Definition: excpt.h:85
ObReleaseObjectSecurity
VOID NTAPI ObReleaseObjectSecurity(IN PSECURITY_DESCRIPTOR SecurityDescriptor, IN BOOLEAN MemoryAllocated)
Definition: obsecure.c:709
PsRestoreImpersonation
VOID NTAPI PsRestoreImpersonation(IN PETHREAD Thread, IN PSE_IMPERSONATION_STATE ImpersonationState)
Definition: security.c:890
BOOLEAN
unsigned char BOOLEAN
Definition: ProcessorBind.h:185
STATUS_BAD_TOKEN_TYPE
#define STATUS_BAD_TOKEN_TYPE
Definition: ntstatus.h:390
NULL
smooth NULL
Definition: ftsmooth.c:416
SeTokenObjectType
POBJECT_TYPE SeTokenObjectType
Definition: token.c:34
Result
_At_(*)(_In_ PWSK_CLIENT Client, _In_opt_ PUNICODE_STRING NodeName, _In_opt_ PUNICODE_STRING ServiceName, _In_opt_ ULONG NameSpace, _In_opt_ GUID *Provider, _In_opt_ PADDRINFOEXW Hints, _Outptr_ PADDRINFOEXW *Result, _In_opt_ PEPROCESS OwningProcess, _In_opt_ PETHREAD OwningThread, _Inout_ PIRP Irp Result)(Mem)) NTSTATUS(WSKAPI *PFN_WSK_GET_ADDRESS_INFO
Definition: wsk.h:426
TokenHandle
_In_ ACCESS_MASK _In_ ULONG _Out_ PHANDLE TokenHandle
Definition: psfuncs.h:715
_ETHREAD
Definition: pstypes.h:1032
SeCreateClientSecurity
NTKERNELAPI NTSTATUS NTAPI SeCreateClientSecurity(IN PETHREAD Thread, IN PSECURITY_QUALITY_OF_SERVICE QualityOfService, IN BOOLEAN RemoteClient, OUT PSECURITY_CLIENT_CONTEXT ClientContext)
Definition: access.c:506
BOOLEAN
static BOOLEAN
Definition: security.c:109
SeTokenImpersonationLevel
SECURITY_IMPERSONATION_LEVEL NTAPI SeTokenImpersonationLevel(IN PACCESS_TOKEN Token)
Definition: token.c:1768
PROCESS_SET_QUOTA
#define PROCESS_SET_QUOTA
Definition: pstypes.h:156
ObGetObjectSecurity
NTSTATUS NTAPI ObGetObjectSecurity(IN PVOID Object, OUT PSECURITY_DESCRIPTOR *SecurityDescriptor, OUT PBOOLEAN MemoryAllocated)
Definition: obsecure.c:611
PsDisableImpersonation
BOOLEAN NTAPI PsDisableImpersonation(IN PETHREAD Thread, OUT PSE_IMPERSONATION_STATE ImpersonationState)
Definition: security.c:840
SeTokenType
NTKERNELAPI TOKEN_TYPE NTAPI SeTokenType(IN PACCESS_TOKEN Token)
Definition: token.c:1780
PreviousMode
_In_ KPROCESSOR_MODE PreviousMode
Definition: sefuncs.h:103
PROCESS_VM_WRITE
#define PROCESS_VM_WRITE
Definition: pstypes.h:154
_SEH2_YIELD
#define _SEH2_YIELD(STMT_)
Definition: pseh2_64.h:8
if
if(!(yy_init))
Definition: macro.lex.yy.c:714
NT_SUCCESS
#define NT_SUCCESS(StatCode)
Definition: apphelp.c:32
ClientContext
_In_ PVOID ClientContext
Definition: netioddk.h:55
ImpersonationLevel
_Out_ PBOOLEAN _Out_ PBOOLEAN _Out_ PSECURITY_IMPERSONATION_LEVEL ImpersonationLevel
Definition: psfuncs.h:154
ProbeForWriteHandle
#define ProbeForWriteHandle(Ptr)
Definition: probe.h:43
Thread
_In_opt_ PFILE_OBJECT _In_opt_ PETHREAD Thread
Definition: fltkernel.h:2653
_SECURITY_QUALITY_OF_SERVICE
Definition: lsa.idl:63
ObInitializeFastReference
VOID FASTCALL ObInitializeFastReference(IN PEX_FAST_REF FastRef, IN PVOID Object)
Definition: obref.c:109
PS_SECURITY_DEBUG
#define PS_SECURITY_DEBUG
Definition: ps.h:19
PROCESS_CREATE_PROCESS
#define PROCESS_CREATE_PROCESS
Definition: pstypes.h:155
KPROCESSOR_MODE
CCHAR KPROCESSOR_MODE
Definition: ketypes.h:7
_ETHREAD::ActiveImpersonationInfo
ULONG ActiveImpersonationInfo
Definition: pstypes.h:1112
ASSERT
ASSERT((InvokeOnSuccess||InvokeOnError||InvokeOnCancel) ?(CompletionRoutine !=NULL) :TRUE)
ExAllocatePoolWithTag
#define ExAllocatePoolWithTag(hernya, size, tag)
Definition: env_spec_w32.h:350
_SE_IMPERSONATION_STATE::CopyOnOpen
BOOLEAN CopyOnOpen
Definition: setypes.h:117
PspAssignPrimaryToken
NTSTATUS NTAPI PspAssignPrimaryToken(IN PEPROCESS Process, IN HANDLE Token, IN PACCESS_TOKEN AccessToken OPTIONAL)
Definition: security.c:178
PBOOLEAN
char * PBOOLEAN
Definition: retypes.h:11
PsThreadType
POBJECT_TYPE PsThreadType
Definition: thread.c:20
ProbeForRead
VOID NTAPI ProbeForRead(IN CONST VOID *Address, IN SIZE_T Length, IN ULONG Alignment)
Definition: exintrin.c:102
PspSetCrossThreadFlag
#define PspSetCrossThreadFlag(Thread, Flag)
Definition: ps_x.h:25
PHANDLE
PVOID *typedef PHANDLE
Definition: ntsecpkg.h:414
PsAssignImpersonationToken
NTSTATUS NTAPI PsAssignImpersonationToken(IN PETHREAD Thread, IN HANDLE TokenHandle)
Definition: security.c:494
_TEB::IsImpersonating
ULONG IsImpersonating
Definition: winternl.h:433
PspUnlockThreadSecurityShared
FORCEINLINE VOID PspUnlockThreadSecurityShared(IN PETHREAD Thread)
Definition: ps_x.h:166
PsReferencePrimaryToken
PACCESS_TOKEN NTAPI PsReferencePrimaryToken(PEPROCESS Process)
Definition: security.c:432
_OBJECT_TYPE::TypeInfo
OBJECT_TYPE_INITIALIZER TypeInfo
Definition: obtypes.h:390
_SE_IMPERSONATION_STATE
Definition: setypes.h:115
Status
Status
Definition: gdiplustypes.h:24
PsReferenceImpersonationToken
PACCESS_TOKEN NTAPI PsReferenceImpersonationToken(IN PETHREAD Thread, OUT PBOOLEAN CopyOnOpen, OUT PBOOLEAN EffectiveOnly, OUT PSECURITY_IMPERSONATION_LEVEL ImpersonationLevel)
Definition: security.c:774
ObpValidateAttributes
FORCEINLINE ULONG ObpValidateAttributes(IN ULONG Attributes, IN KPROCESSOR_MODE PreviousMode)
Definition: ob_x.h:22
SeSubProcessToken
NTSTATUS NTAPI SeSubProcessToken(IN PTOKEN Parent, OUT PTOKEN *Token, IN BOOLEAN InUse, IN ULONG SessionId)
Definition: token.c:672
_TEB
Definition: compat.h:484
_SEH2_END
_SEH2_END
Definition: create.c:4424
SeImpersonateClient
NTKERNELAPI VOID NTAPI SeImpersonateClient(IN PSECURITY_CLIENT_CONTEXT ClientContext, IN PETHREAD ServerThread OPTIONAL)
Definition: access.c:623
_OBJECT_TYPE_INITIALIZER::GenericMapping
GENERIC_MAPPING GenericMapping
Definition: obtypes.h:358
STANDARD_RIGHTS_ALL
#define STANDARD_RIGHTS_ALL
Definition: nt_native.h:69
PROCESS_TERMINATE
#define PROCESS_TERMINATE
Definition: pstypes.h:149
KeUnstackDetachProcess
VOID NTAPI KeUnstackDetachProcess(IN PRKAPC_STATE ApcState)
Definition: procobj.c:753
DesiredAccess
_In_ PIO_STACK_LOCATION _Inout_ PFILE_OBJECT _Inout_ PVCB _Outptr_result_maybenull_ PDCB _In_ PDCB _In_ PDIRENT _In_ ULONG _In_ ULONG _In_ PUNICODE_STRING _In_ PACCESS_MASK DesiredAccess
Definition: create.c:4157
ApcState
_Out_ PKAPC_STATE ApcState
Definition: mm.h:1484
_SECURITY_SUBJECT_CONTEXT
Definition: setypes.h:189
_KTHREAD::Teb
PVOID Teb
Definition: ketypes.h:1697
PsDereferencePrimaryToken
VOID NTAPI PsDereferencePrimaryToken(IN PACCESS_TOKEN PrimaryToken)
Definition: security.c:827
PspDeleteProcessSecurity
VOID NTAPI PspDeleteProcessSecurity(IN PEPROCESS Process)
Definition: security.c:30
PspLockProcessSecurityShared
FORCEINLINE VOID PspLockProcessSecurityShared(IN PEPROCESS Process)
Definition: ps_x.h:111
PROCESS_VM_READ
#define PROCESS_VM_READ
Definition: pstypes.h:153
CT_ACTIVE_IMPERSONATION_INFO_BIT
#define CT_ACTIVE_IMPERSONATION_INFO_BIT
Definition: pstypes.h:225
ObFastDereferenceObject
VOID FASTCALL ObFastDereferenceObject(IN PEX_FAST_REF FastRef, IN PVOID Object)
Definition: obref.c:169
Process
_Must_inspect_result_ _In_ PLARGE_INTEGER _In_ PLARGE_INTEGER _In_ ULONG _In_ PFILE_OBJECT _In_ PVOID Process
Definition: fsrtlfuncs.h:219
OUT
#define OUT
Definition: typedefs.h:39
ObReferenceObject
#define ObReferenceObject
Definition: obfuncs.h:204
ULONG
unsigned int ULONG
Definition: retypes.h:1
SeAssignPrimaryToken
VOID NTAPI SeAssignPrimaryToken(IN PEPROCESS Process, IN PTOKEN Token)
Definition: token.c:862
ObFastReferenceObjectLocked
PVOID FASTCALL ObFastReferenceObjectLocked(IN PEX_FAST_REF FastRef)
Definition: obref.c:121
MmGetSessionId
ULONG NTAPI MmGetSessionId(IN PEPROCESS Process)
Definition: session.c:180
PROCESS_VM_OPERATION
#define PROCESS_VM_OPERATION
Definition: pstypes.h:152
PspUnlockProcessSecurityExclusive
FORCEINLINE VOID PspUnlockProcessSecurityExclusive(IN PEPROCESS Process)
Definition: ps_x.h:144
PROCESS_SET_INFORMATION
#define PROCESS_SET_INFORMATION
Definition: pstypes.h:157
THREAD_DIRECT_IMPERSONATION
#define THREAD_DIRECT_IMPERSONATION
Definition: pstypes.h:144
PSTRACE
#define PSTRACE(x, fmt,...)
Definition: ps.h:57
_SEH2_EXCEPT
#define _SEH2_EXCEPT(...)
Definition: pseh2_64.h:6
PspLockThreadSecurityExclusive
FORCEINLINE VOID PspLockThreadSecurityExclusive(IN PETHREAD Thread)
Definition: ps_x.h:177
ExFreePoolWithTag
#define ExFreePoolWithTag(_P, _T)
Definition: module.h:1099
_SEH2_GetExceptionCode
#define _SEH2_GetExceptionCode()
Definition: pseh2_64.h:12
PsReferenceEffectiveToken
PACCESS_TOKEN NTAPI PsReferenceEffectiveToken(IN PETHREAD Thread, OUT IN PTOKEN_TYPE TokenType, OUT PBOOLEAN EffectiveOnly, OUT PSECURITY_IMPERSONATION_LEVEL ImpersonationLevel)
Definition: security.c:705
EffectiveOnly
_In_ ACCESS_MASK _In_opt_ POBJECT_ATTRIBUTES _In_ BOOLEAN EffectiveOnly
Definition: sefuncs.h:417
TAG_PS_IMPERSONATION
#define TAG_PS_IMPERSONATION
Definition: tag.h:157
ProcessHandle
_In_ HANDLE ProcessHandle
Definition: mmfuncs.h:403
STATUS_SUCCESS
return STATUS_SUCCESS
Definition: btrfs.c:2725
_TOKEN
Definition: setypes.h:151
PspWriteTebImpersonationInfo
NTSTATUS NTAPI PspWriteTebImpersonationInfo(IN PETHREAD Thread, IN PETHREAD CurrentThread)
Definition: security.c:114
_SE_IMPERSONATION_STATE::Token
PACCESS_TOKEN Token
Definition: setypes.h:116
PsProcessType
POBJECT_TYPE PsProcessType
Definition: process.c:20
PspDeleteThreadSecurity
VOID NTAPI PspDeleteThreadSecurity(IN PETHREAD Thread)
Definition: security.c:46
ACCESS_MASK
ULONG ACCESS_MASK
Definition: nt_native.h:40
PsRevertToSelf
VOID NTAPI PsRevertToSelf(VOID)
Definition: security.c:548
_SE_IMPERSONATION_STATE::Level
SECURITY_IMPERSONATION_LEVEL Level
Definition: setypes.h:119
ExFreePool
#define ExFreePool(addr)
Definition: env_spec_w32.h:352
TokenType
_In_ ACCESS_MASK _In_opt_ POBJECT_ATTRIBUTES _In_ BOOLEAN _In_ TOKEN_TYPE TokenType
Definition: sefuncs.h:417
OPTIONAL
PULONG MinorVersion OPTIONAL
Definition: CrossNt.h:68
_PS_IMPERSONATION_INFORMATION
Definition: pstypes.h:998
PsDereferenceImpersonationToken
VOID NTAPI PsDereferenceImpersonationToken(IN PACCESS_TOKEN ImpersonationToken)
Definition: security.c:813