|
|
/*************************************************************************
** execsvr.c** Remote CreateProcess server to allow programs to be started on a given* Session. Needed for OLE2 support.** NOTE: Maybe this should be converted to RPC in the future when we* have more time so that it can be a more general facility.** copyright notice: Microsoft, 1997** Author:***************************************************************************/
#define UNICODE 1
#include "precomp.h"
#pragma hdrstop
#include <execsrv.h>
#include <wincrypt.h>
HANDLE ExecThreadHandle = NULL;HANDLE ExecServerPipe = NULL;
static HANDLE ghUserToken = NULL;extern CRITICAL_SECTION GlobalsLock;
DWORDExecServerThread( LPVOID lpThreadParameter );
BOOLEANProcessExecRequest( HANDLE hPipe, PCHAR pBuf, DWORD AmountRead );
HANDLEImpersonateUser( HANDLE UserToken, HANDLE ThreadHandle );
BOOLStopImpersonating( HANDLE ThreadHandle );
HANDLE CreateExecSrvPipe( LPCTSTR lpPipeName );
/*****************************************************************************
* * CtxExecServerLogon * * Notify the Exec Server service that a user has logged on * * ENTRY: * Param1 (input/output) * Comments * * EXIT: * STATUS_SUCCESS - no error * ****************************************************************************/
VOIDCtxExecServerLogon( HANDLE hToken ){
EnterCriticalSection( &GlobalsLock );
//
// Store information about the current user
// so we can create processes under their account
// as needed.
//
ghUserToken = hToken;
LeaveCriticalSection( &GlobalsLock );}
/*****************************************************************************
* * CtxExecServerLogoff * * Notify the Exec Server service that a user has logged off * * ENTRY: * Param1 (input/output) * Comments * * EXIT: * STATUS_SUCCESS - no error * ****************************************************************************/
VOIDCtxExecServerLogoff(){
EnterCriticalSection( &GlobalsLock );
//
// Release information stored about the current logged
// on user.
//
ghUserToken = NULL;
LeaveCriticalSection( &GlobalsLock );}
//-----------------------------------------------------
// Helper functions copied from SALEM
// (nt\termsrv\remdsk\server\sessmgr\helper.cpp)
//-----------------------------------------------------
DWORDGenerateRandomBytes( IN DWORD dwSize, IN OUT LPBYTE pbBuffer )/*++
Description:
Generate fill buffer with random bytes.
Parameters:
dwSize : Size of buffer pbBuffer point to. pbBuffer : Pointer to buffer to hold the random bytes.
Returns:
TRUE/FALSE
--*/{ HCRYPTPROV hProv = (HCRYPTPROV)NULL; DWORD dwStatus = ERROR_SUCCESS;
//
// Create a Crypto Provider to generate random number
//
if( !CryptAcquireContext( &hProv, NULL, NULL, PROV_RSA_FULL, CRYPT_VERIFYCONTEXT ) ) { dwStatus = GetLastError(); goto CLEANUPANDEXIT; }
if( !CryptGenRandom(hProv, dwSize, pbBuffer) ) { dwStatus = GetLastError(); }
CLEANUPANDEXIT:
if( (HCRYPTPROV)NULL != hProv ) { CryptReleaseContext( hProv, 0 ); }
return dwStatus;}
DWORDGenerateRandomString( IN DWORD dwSizeRandomSeed, IN OUT LPTSTR* pszRandomString )/*++
--*/{ PBYTE lpBuffer = NULL; DWORD dwStatus = ERROR_SUCCESS; BOOL bSuccess; DWORD cbConvertString = 0;
if( 0 == dwSizeRandomSeed || NULL == pszRandomString ) { dwStatus = ERROR_INVALID_PARAMETER; ASSERT(FALSE); goto CLEANUPANDEXIT; }
*pszRandomString = NULL;
lpBuffer = (PBYTE)LocalAlloc( LPTR, dwSizeRandomSeed ); if( NULL == lpBuffer ) { dwStatus = GetLastError(); goto CLEANUPANDEXIT; }
dwStatus = GenerateRandomBytes( dwSizeRandomSeed, lpBuffer );
if( ERROR_SUCCESS != dwStatus ) { goto CLEANUPANDEXIT; }
// Convert to string
// cbConvertString will include the NULL character
bSuccess = CryptBinaryToString( lpBuffer, dwSizeRandomSeed, CRYPT_STRING_BASE64, NULL, &cbConvertString ); if( FALSE == bSuccess ) { dwStatus = GetLastError(); goto CLEANUPANDEXIT; }
*pszRandomString = (LPTSTR)LocalAlloc( LPTR, cbConvertString*sizeof(TCHAR) ); if( NULL == *pszRandomString ) { dwStatus = GetLastError(); goto CLEANUPANDEXIT; }
bSuccess = CryptBinaryToString( lpBuffer, dwSizeRandomSeed, CRYPT_STRING_BASE64, *pszRandomString, &cbConvertString ); if( FALSE == bSuccess ) { dwStatus = GetLastError(); } else { if( (*pszRandomString)[cbConvertString - 1] == '\n' && (*pszRandomString)[cbConvertString - 2] == '\r' ) { (*pszRandomString)[cbConvertString - 2] = 0; } }
CLEANUPANDEXIT:
if( ERROR_SUCCESS != dwStatus ) { if( NULL != *pszRandomString ) { LocalFree(*pszRandomString); *pszRandomString = NULL; } }
if( NULL != lpBuffer ) { LocalFree(lpBuffer); }
return dwStatus;}
/*****************************************************************************
* * StartExecServerThread * * Start the remote exec server thread. * * ENTRY: * Param1 (input/output) * Comments * * EXIT: * STATUS_SUCCESS - no error * ****************************************************************************/
BOOLEANStartExecServerThread(){ DWORD ThreadId; BOOL Result; WCHAR szPipeName[EXECSRVPIPENAMELEN]; SECURITY_ATTRIBUTES SecurityAttributes; PSECURITY_ATTRIBUTES pSecurityAttributes = NULL; PSECURITY_DESCRIPTOR lpSecurityDescriptor = NULL; LPTSTR pszRandomString = NULL; ULONG RandomLen; DWORD dwStatus = ERROR_SUCCESS;
#if DBG
OutputDebugString (TEXT("EXECSERVERSYSTEM: Starting ExecServerThread\n"));#endif
RandomLen = sizeof(szPipeName)/sizeof(WCHAR) - 30;
dwStatus = GenerateRandomString( RandomLen, &pszRandomString ); if( ERROR_SUCCESS != dwStatus ) { return FALSE; }
// the string generated is always greater than what we ask
pszRandomString[RandomLen] = L'\0';
_snwprintf(&szPipeName[0], EXECSRVPIPENAMELEN, L"\\\\.\\Pipe\\TerminalServer\\%ws\\%d", pszRandomString, NtCurrentPeb()->SessionId); szPipeName[EXECSRVPIPENAMELEN-1] = L'\0';
ExecServerPipe = CreateExecSrvPipe( &szPipeName[0] ); if( ExecServerPipe == (HANDLE)-1 ) { OutputDebugString (TEXT("EXECSRV: Could not get pipe for ExecSrvr\n")); return( FALSE ); }
WinStationSetInformation( SERVERNAME_CURRENT, NtCurrentPeb()->SessionId, WinStationExecSrvSystemPipe, &szPipeName[0], sizeof(szPipeName) ); ExecThreadHandle = CreateThread( NULL, // Use default ACL
0, // Same stack size
ExecServerThread, // Start address
(LPVOID)ExecServerPipe, // Parameter
0, // Creation flags
&ThreadId // Get the id back here
);
if( ExecThreadHandle == NULL ) { OutputDebugString (TEXT("WLEXECSERVER: Could not create server thread Error\n")); return(FALSE); }
return(TRUE);}
/*****************************************************************************
* * ExecServerThread * * Thread that listens on the named pipe for remote exec service * requests and executes them. Passes the results back to the caller. * * ENTRY: * lpThreadParameter (input) * Handle to exec server pipe * * EXIT: * STATUS_SUCCESS - no error * ****************************************************************************/
DWORDExecServerThread( LPVOID lpThreadParameter ){ BOOL Result; DWORD AmountRead; CHAR *pBuf; HANDLE hPipe = (HANDLE)lpThreadParameter;
pBuf = LocalAlloc(LMEM_FIXED, EXECSRV_BUFFER_SIZE );
if (pBuf == NULL) { OutputDebugString (TEXT("WLEXECSERVER: ExecServerThread : nomemory \n")); return(STATUS_NO_MEMORY); }
while( 1 ) {
// read the pipe for a request (pipe is in message mode)
Result = ConnectNamedPipe( hPipe, NULL ); if( !Result ) { OutputDebugString (TEXT("WLEXECSERVER: ConnectNamePipe failed\n")); LocalFree( pBuf ); return(FALSE); }
// read the request from the pipe
Result = ReadFile( hPipe, pBuf, EXECSRV_BUFFER_SIZE, &AmountRead, NULL );
if( Result ) { ProcessExecRequest( hPipe, pBuf, AmountRead ); } else { OutputDebugString (TEXT("WLEXECSERVER: Error reading pipe after connect\n")); // Could handle the to big error, but this means mismatched client
}
// wait until the client reads out the reply
Result = FlushFileBuffers( hPipe );#if DBG
if( Result == 0 ) { OutputDebugString (TEXT("EXECSRV: FlushFileBuffers failed! \n")); }#endif
// disconnect the name pipe
Result = DisconnectNamedPipe( hPipe );#if DBG
if( Result == 0 ) { OutputDebugString (TEXT("EXECSRV: Disconnect Named Pipe failed! Error \n")); }#endif
}}
/*****************************************************************************
* * ProcessExecRequest * * Do the work of processing a remote exec request * * ENTRY: * hPipe (input) * Pipe handle for reply * * pBuf (input) * Request buffer * * AmountRead (input) * Amount in request buffer * * EXIT: * STATUS_SUCCESS - no error * ****************************************************************************/
BOOLEANProcessExecRequest( HANDLE hPipe, PCHAR pBuf, DWORD AmountRead ){ DWORD AmountWrote; BOOL Result; HANDLE ImpersonationHandle = NULL; SECURITY_ATTRIBUTES saProcess; EXECSRV_REPLY Rep; HANDLE LocalProc = NULL; HANDLE RemoteProc = NULL; HANDLE LocalhProcess = NULL; HANDLE LocalhThread = NULL; PEXECSRV_REQUEST p = (PEXECSRV_REQUEST)pBuf; LPVOID lpEnvironment = NULL; HANDLE hUserToken=NULL; BOOL bEnvBlockCreatedLocally = FALSE;
#if DBG
KdPrint(("WLEXECSERVER: AmountRead = %d, pBuf->Size= %d \n", AmountRead, p->Size ));#endif
RtlZeroMemory(&Rep,sizeof(EXECSRV_REPLY));
if( AmountRead < sizeof(EXECSRV_REQUEST) ) { // drop the request
OutputDebugString (TEXT("WLEXECSERVER: BAD EXECSRV Request size (WinLogon)\n")); return(FALSE); }
// normalize the pointers
if( p->lpszImageName ) { p->lpszImageName = (PWCHAR)(((ULONG_PTR)p->lpszImageName) + pBuf); if( ( (PCHAR)p->lpszImageName > (PCHAR)(pBuf+AmountRead)) || ((PCHAR)p->lpszImageName < (PCHAR)(pBuf + sizeof(EXECSRV_REQUEST))) ) { OutputDebugString (TEXT("WLEXECSERVER: Invalid image name pointer\n")); // drop the request
return(FALSE); } }
if( p->lpszCommandLine ) { p->lpszCommandLine = (PWCHAR)(((ULONG_PTR)p->lpszCommandLine) + pBuf); if( ((PCHAR)p->lpszCommandLine > (PCHAR)(pBuf+AmountRead)) || ((PCHAR)p->lpszCommandLine < (PCHAR)(pBuf + sizeof(EXECSRV_REQUEST)))) { OutputDebugString (TEXT("WLEXECSERVER: Invalid command line pointer\n")); // drop the request
return(FALSE); } }
if( p->lpszCurDir ) { p->lpszCurDir = (PWCHAR)(((ULONG_PTR)p->lpszCurDir) + pBuf); if( ((PCHAR)p->lpszCurDir > (PCHAR)(pBuf+AmountRead)) || ((PCHAR)p->lpszCurDir < (PCHAR)(pBuf + sizeof(EXECSRV_REQUEST))) ) { OutputDebugString (TEXT("WLEXECSERVER: Invalid CurDir pointer\n")); // drop the request
return(FALSE); } }
if( p->StartInfo.lpDesktop ) { p->StartInfo.lpDesktop = (PWCHAR)(((ULONG_PTR)p->StartInfo.lpDesktop) + pBuf); if( ((PCHAR)p->StartInfo.lpDesktop > (PCHAR)(pBuf+AmountRead)) || ((PCHAR)p->StartInfo.lpDesktop < (PCHAR)(pBuf + sizeof(EXECSRV_REQUEST))) ) { OutputDebugString (TEXT("WLEXECSERVER: Invalid StartInfo.lpDesktop pointer\n")); // drop the request
return(FALSE); } }
if( p->StartInfo.lpTitle ) { p->StartInfo.lpTitle = (PWCHAR)(((ULONG_PTR)p->StartInfo.lpTitle) + pBuf); if( ((PCHAR)p->StartInfo.lpTitle > (PCHAR)(pBuf+AmountRead)) || ((PCHAR)p->StartInfo.lpTitle < (PCHAR)(pBuf + sizeof(EXECSRV_REQUEST))) ) { OutputDebugString (TEXT("WLEXECSERVER: Invalid StartInfo.lpTitle pointer\n")); // drop the request
return(FALSE); } }
if (p->lpvEnvironment ) { p->lpvEnvironment = (PWCHAR)(((ULONG_PTR)p->lpvEnvironment) + pBuf); if( ((PCHAR)p->lpvEnvironment > (PCHAR)(pBuf+AmountRead)) || ((PCHAR)p->lpvEnvironment < (PCHAR)(pBuf + sizeof(EXECSRV_REQUEST))) ) { OutputDebugString (TEXT("WLEXECSERVER: Invalid env pointer\n")); // drop the request
return(FALSE); } }
// We do not know what the reserved is, so make sure it is NULL
p->StartInfo.lpReserved = NULL;
//if( p->lpszImageName )
//OutputDebugString (TEXT("WLEXECSERVER: Got request ImageName :%ws:\n", p->lpszImageName));
//if( p->lpszCommandLine )
//OutputDebugString (TEXT("WLEXECSERVER: Got request command line :%ws:\n", p->lpszCommandLine));
//OutputDebugString (TEXT("WLEXECSERVER: CreateFlags 0x%x\n",p->fdwCreate));
//OutputDebugString (TEXT("System Flag 0x%x\n",p->System));
//
// Can only service user security level requests when a user is logged on.
//
if( !p->System ) {
EnterCriticalSection( &GlobalsLock );
if (ghUserToken == NULL) {#if DBG
OutputDebugString (TEXT("WLEXECSERVER: No USER Logged On for USER CreateProcess Request!\n"));#endif
LeaveCriticalSection( &GlobalsLock ); return( FALSE ); }
//
// We need to open the remote process in order to duplicate the user token.
// But for that, we need to impersonate the named pipe client.
//
if ( ImpersonateNamedPipeClient( hPipe ) == 0 ) { LeaveCriticalSection( &GlobalsLock ); return( FALSE ); }
//
// Get the handle to remote process
//
RemoteProc = OpenProcess( PROCESS_DUP_HANDLE|PROCESS_QUERY_INFORMATION, FALSE, // no inherit
p->RequestingProcessId );
if( RemoteProc == NULL ) { OutputDebugString (TEXT("WLEXECSERVER: Could not get handle to remote process \n")); //
// on retail builds we can not duplicate a handle into
// service controller process
//
// The handles are not used by SCM right now, we must
// have another way to pass handles if this function
// is used by other services.
//
ASSERT( FALSE ); // Should not happen in WinLogon
RevertToSelf(); // Imperonation of named pipe client had succeeded.
LeaveCriticalSection( &GlobalsLock ); goto ReturnError; }
if ( !RevertToSelf() ) { ASSERT( FALSE ); // This RevertToSelf should not fail.
LeaveCriticalSection( &GlobalsLock ); return( FALSE ); }
//
// Get the handle to current process
//
LocalProc = OpenProcess( PROCESS_DUP_HANDLE|PROCESS_QUERY_INFORMATION, FALSE, // no inherit
GetCurrentProcessId() );
if( LocalProc == NULL ) { OutputDebugString (TEXT("WLEXECSERVER: Could not get handle to local process\n")); LeaveCriticalSection( &GlobalsLock ); goto ReturnError; }
// decide if we are creating the new process for the currntly logged in user, or a
// new user
if (p->hToken) { //
// we are dealing with a new user, for which we have a token comming from
// services.exe (for SecLogon)
//
Result = DuplicateHandle( RemoteProc, // Source of the handle (us)
p->hToken, // Source handle
LocalProc, // Target of the handle
&hUserToken, // Target handle
0, // ignored since DUPLICATE_SAME_ACCESS is set
FALSE, // no inherit on the handle
DUPLICATE_SAME_ACCESS );
if( !Result ) { OutputDebugString (TEXT("WLEXECSERVER: Error duping process handle to target process\n")); LeaveCriticalSection( &GlobalsLock ); goto ReturnError; }
} else { hUserToken=ghUserToken; // currently logged in user
}
lpEnvironment = p->lpvEnvironment ;
//
// Create Environment Block if we have none
//
if ( !lpEnvironment ) { if (!CreateEnvironmentBlock (&lpEnvironment, hUserToken, FALSE)) { KdPrint(("WLEXECSERVER: CreateEnvironmentBlock() Failed\n")); } else { bEnvBlockCreatedLocally = TRUE; } }
//
// If we are to run the process under USER security, impersonate
// the user.
//
// This will also access check the users access to the exe image as well.
//
ImpersonationHandle = ImpersonateUser(hUserToken, NULL ); if (ImpersonationHandle == NULL) { OutputDebugString (TEXT("WLEXECSERVER: failed to impersonate user\n")); LeaveCriticalSection( &GlobalsLock ); goto ReturnError; }
LeaveCriticalSection( &GlobalsLock );
// this environment block is UNICODE
p->fdwCreate |= CREATE_UNICODE_ENVIRONMENT;
Result = CreateProcessAsUserW( hUserToken, p->lpszImageName, p->lpszCommandLine, NULL, // &saProcess,
NULL, // &p->saThread
p->fInheritHandles, p->fdwCreate, lpEnvironment, p->lpszCurDir, &p->StartInfo, &Rep.ProcInfo );
if ( bEnvBlockCreatedLocally ) { DestroyEnvironmentBlock (lpEnvironment); } } else { // If creating system, force separate WOW
p->fdwCreate |= CREATE_SEPARATE_WOW_VDM;
// CreateProcessAsUser() does not take a NULL token for SYSTEM
Result = CreateProcessW( p->lpszImageName, p->lpszCommandLine, NULL, // &saProcess,
NULL, // &p->saThread
p->fInheritHandles, p->fdwCreate, NULL, //p->lpvEnvironment
p->lpszCurDir, &p->StartInfo, &Rep.ProcInfo ); }
if( !Result ){ if( ImpersonationHandle ) { StopImpersonating(ImpersonationHandle); } //
// Rep.Result = FALSE;
// Rep.LastError = GetLastError();
// Result = WriteFile( hPipe, &Rep, sizeof(Rep), &AmountWrote, NULL );
// OutputDebugString (TEXT("WLEXECSERVER: Error in CreateProcess\n"));
// return(FALSE);
goto ReturnError; }
// Stop impersonating the process
if( ImpersonationHandle ) { StopImpersonating(ImpersonationHandle); }
if (!Result) { OutputDebugString (TEXT("ExecServer: failed to resume new process thread\n")); CloseHandle(Rep.ProcInfo.hProcess); CloseHandle(Rep.ProcInfo.hThread); goto ReturnError; }
//
// do any tricky handle DUP stuff
//
LocalhProcess = Rep.ProcInfo.hProcess; LocalhThread = Rep.ProcInfo.hThread;
Result = DuplicateHandle( LocalProc, // Source of the handle (us)
Rep.ProcInfo.hProcess, // Source handle
RemoteProc, // Target of the handle
&Rep.ProcInfo.hProcess, // Target handle
0, // ignored since DUPLICATE_SAME_ACCESS is set
FALSE, // no inherit on the handle
DUPLICATE_SAME_ACCESS );
if( !Result ) { OutputDebugString (TEXT("WLEXECSERVER: Error duping process handle to target process\n")); }
//
// If the program got launched into the shared WOW virtual machine,
// then the hThread will be NULL.
//
if( Rep.ProcInfo.hThread != NULL ) { Result = DuplicateHandle( LocalProc, // Source of the handle (us)
Rep.ProcInfo.hThread, // Source handle
RemoteProc, // Target of the handle
&Rep.ProcInfo.hThread, // Target handle
0, // ignored since DUPLICATE_SAME_ACCESS is set
FALSE, // no inherit on the handle
DUPLICATE_SAME_ACCESS );
if( !Result ) { //OutputDebugString (TEXT("WLEXECSERVER: Error %d duping thread handle to target process, Handle 0x%x, ThreadId 0x%x\n",GetLastError(),Rep.ProcInfo.hThread,Rep.ProcInfo.dwThreadId));
} }
//OutputDebugString (TEXT("WLXEXECSERVER: Success for %d type exec\n",p->System));
//
// build the reply packet with the handle valid in the context
// of the requesting process
//
Rep.Result = TRUE; Rep.LastError = 0; Result = WriteFile( hPipe, &Rep, sizeof(Rep), &AmountWrote, NULL );
if( !Result ) { OutputDebugString (TEXT("WLEXECSERVER: Error sending reply \n")); }
//
// close our versions of the handles. The requestors references
// are now the main ones
//
if( LocalProc != NULL ) CloseHandle( LocalProc );
if( RemoteProc != NULL ) CloseHandle( RemoteProc );
if( LocalhProcess != NULL ) CloseHandle( LocalhProcess );
if( LocalhThread != NULL ) CloseHandle( LocalhThread );
if (hUserToken && (hUserToken != ghUserToken)) { CloseHandle( hUserToken ); } return (BOOLEAN)Result;
ReturnError: Rep.Result = FALSE; Rep.LastError = GetLastError();
//OutputDebugString (TEXT("WLXEXECSERVER: Error %d for %d type exec\n",Rep.LastError,p->System));
Result = WriteFile( hPipe, &Rep, sizeof(Rep), &AmountWrote, NULL );
if( LocalProc != NULL ) CloseHandle( LocalProc );
if( RemoteProc != NULL ) CloseHandle( RemoteProc );
if( LocalhProcess != NULL ) CloseHandle( LocalhProcess );
if( LocalhThread != NULL ) CloseHandle( LocalhThread );
if (hUserToken && (hUserToken != ghUserToken) ) { CloseHandle( hUserToken ); } return (BOOLEAN)Result;}
/***************************************************************************\
* FUNCTION: ImpersonateUser** PURPOSE: Impersonates the user by setting the users token* on the specified thread. If no thread is specified the token* is set on the current thread.** RETURNS: Handle to be used on call to StopImpersonating() or NULL on failure* If a non-null thread handle was passed in, the handle returned will* be the one passed in. (See note)** NOTES: Take care when passing in a thread handle and then calling* StopImpersonating() with the handle returned by this routine.* StopImpersonating() will close any thread handle passed to it -* even yours !**\***************************************************************************/
HANDLEImpersonateUser( HANDLE UserToken, HANDLE ThreadHandle ){ NTSTATUS Status, IgnoreStatus; SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService; OBJECT_ATTRIBUTES ObjectAttributes; HANDLE ImpersonationToken; BOOL ThreadHandleOpened = FALSE;
if (ThreadHandle == NULL) {
//
// Get a handle to the current thread.
// Once we have this handle, we can set the user's impersonation
// token into the thread and remove it later even though we ARE
// the user for the removal operation. This is because the handle
// contains the access rights - the access is not re-evaluated
// at token removal time.
//
Status = NtDuplicateObject( NtCurrentProcess(), // Source process
NtCurrentThread(), // Source handle
NtCurrentProcess(), // Target process
&ThreadHandle, // Target handle
THREAD_SET_THREAD_TOKEN,// Access
0L, // Attributes
DUPLICATE_SAME_ATTRIBUTES ); if (!NT_SUCCESS(Status)) { KdPrint(("ImpersonateUser : Failed to duplicate thread handle, status = 0x%lx", Status)); return(NULL); }
ThreadHandleOpened = TRUE; }
//
// If the usertoken is NULL, there's nothing to do
//
if (UserToken != NULL) {
//
// UserToken is a primary token - create an impersonation token version
// of it so we can set it on our thread
//
InitializeObjectAttributes( &ObjectAttributes, NULL, 0L, NULL, //UserProcessData->NewThreadTokenSD);
NULL);
SecurityQualityOfService.Length = sizeof(SECURITY_QUALITY_OF_SERVICE); SecurityQualityOfService.ImpersonationLevel = SecurityImpersonation; SecurityQualityOfService.ContextTrackingMode = SECURITY_DYNAMIC_TRACKING; SecurityQualityOfService.EffectiveOnly = FALSE;
ObjectAttributes.SecurityQualityOfService = &SecurityQualityOfService;
Status = NtDuplicateToken( UserToken, TOKEN_IMPERSONATE | TOKEN_READ, &ObjectAttributes, FALSE, TokenImpersonation, &ImpersonationToken ); if (!NT_SUCCESS(Status)) {
KdPrint(("Failed to duplicate users token to create" " impersonation thread, status = 0x%lx\n", Status));
if (ThreadHandleOpened) { IgnoreStatus = NtClose(ThreadHandle); ASSERT(NT_SUCCESS(IgnoreStatus)); }
return(NULL); }
//
// Set the impersonation token on this thread so we 'are' the user
//
Status = NtSetInformationThread( ThreadHandle, ThreadImpersonationToken, (PVOID)&ImpersonationToken, sizeof(ImpersonationToken) ); //
// We're finished with our handle to the impersonation token
//
IgnoreStatus = NtClose(ImpersonationToken); ASSERT(NT_SUCCESS(IgnoreStatus));
//
// Check we set the token on our thread ok
//
if (!NT_SUCCESS(Status)) {
KdPrint(( "Failed to set user impersonation token on winlogon thread, status = 0x%lx", Status));
if (ThreadHandleOpened) { IgnoreStatus = NtClose(ThreadHandle); ASSERT(NT_SUCCESS(IgnoreStatus)); }
return(NULL); }
}
return(ThreadHandle);
}
/***************************************************************************\
* FUNCTION: StopImpersonating** PURPOSE: Stops impersonating the client by removing the token on the* current thread.** PARAMETERS: ThreadHandle - handle returned by ImpersonateUser() call.** RETURNS: TRUE on success, FALSE on failure** NOTES: If a thread handle was passed in to ImpersonateUser() then the* handle returned was one and the same. If this is passed to* StopImpersonating() the handle will be closed. Take care !** HISTORY:** 04-21-92 Davidc Created.*\***************************************************************************/
BOOLStopImpersonating( HANDLE ThreadHandle ){ NTSTATUS Status, IgnoreStatus; HANDLE ImpersonationToken;
//
// Remove the user's token from our thread so we are 'ourself' again
//
ImpersonationToken = NULL;
Status = NtSetInformationThread( ThreadHandle, ThreadImpersonationToken, (PVOID)&ImpersonationToken, sizeof(ImpersonationToken) ); //
// We're finished with the thread handle
//
IgnoreStatus = NtClose(ThreadHandle); ASSERT(NT_SUCCESS(IgnoreStatus));
if (!NT_SUCCESS(Status)) { KdPrint(("Failed to remove user impersonation token from winlogon thread, status = 0x%lx", Status)); }
return(NT_SUCCESS(Status));}
//---------------------------------------------------------------------------------------
//
// CreateExecSrvPipe
// Creates exec server named pipe with appropriate DACL. It allows access only to local
// system, local service and network service.
// It return handle to the newly created pipe. If the operation fails, it returns
// INVALID_HANDLE_VALUE.
//
//---------------------------------------------------------------------------------------
HANDLE CreateExecSrvPipe( LPCTSTR lpPipeName ){ HANDLE hPipe = INVALID_HANDLE_VALUE; NTSTATUS Status; SECURITY_ATTRIBUTES SecAttr; PSID pSystemSid = NULL; PSID pLocalServiceSid = NULL; PSID pNetworkServiceSid = NULL; PSECURITY_DESCRIPTOR pSd = NULL; PACL pDacl; ULONG AclLength; SID_IDENTIFIER_AUTHORITY SystemAuth = SECURITY_NT_AUTHORITY;
// Allocate and Initialize the "System" Sid.
Status = RtlAllocateAndInitializeSid( &SystemAuth, 1, SECURITY_LOCAL_SYSTEM_RID, 0, 0, 0, 0, 0, 0, 0, &pSystemSid ); if (!NT_SUCCESS(Status)) { goto CreatePipeErr; }
// Allocate and Initialize the "Local Service" Sid.
Status = RtlAllocateAndInitializeSid( &SystemAuth, 1, SECURITY_LOCAL_SERVICE_RID, 0, 0, 0, 0, 0, 0, 0, &pLocalServiceSid ); if (!NT_SUCCESS(Status)) { goto CreatePipeErr; }
// Allocate and Initialize the "Network Service" Sid.
Status = RtlAllocateAndInitializeSid( &SystemAuth, 1, SECURITY_NETWORK_SERVICE_RID, 0, 0, 0, 0, 0, 0, 0, &pNetworkServiceSid ); if (!NT_SUCCESS(Status)) { goto CreatePipeErr; }
// Allocate space for the security descriptor.
AclLength = (ULONG)sizeof(ACL) + 3 * sizeof(ACCESS_ALLOWED_ACE) + RtlLengthSid( pSystemSid ) + RtlLengthSid( pLocalServiceSid ) + RtlLengthSid( pNetworkServiceSid ) - 3 * sizeof( ULONG );
pSd = (PSECURITY_DESCRIPTOR) LocalAlloc( LPTR, SECURITY_DESCRIPTOR_MIN_LENGTH + AclLength ); if (pSd == NULL) { goto CreatePipeErr; }
pDacl = (PACL) ((BYTE*)(pSd) + SECURITY_DESCRIPTOR_MIN_LENGTH);
// Set up a new ACL with no ACE.
Status = RtlCreateAcl( pDacl, AclLength, ACL_REVISION2 ); if ( !NT_SUCCESS(Status) ) { goto CreatePipeErr; }
// System access
Status = RtlAddAccessAllowedAce( pDacl, ACL_REVISION2, GENERIC_READ | GENERIC_WRITE, pSystemSid ); if (!NT_SUCCESS(Status)) { goto CreatePipeErr; }
// Local Service access
Status = RtlAddAccessAllowedAce( pDacl, ACL_REVISION2, GENERIC_READ | GENERIC_WRITE, pLocalServiceSid ); if (!NT_SUCCESS(Status)) { goto CreatePipeErr; }
// Network Service access
Status = RtlAddAccessAllowedAce( pDacl, ACL_REVISION2, GENERIC_READ | GENERIC_WRITE, pNetworkServiceSid ); if (!NT_SUCCESS(Status)) { goto CreatePipeErr; }
// Now initialize security descriptors that export this protection
Status = RtlCreateSecurityDescriptor(pSd, SECURITY_DESCRIPTOR_REVISION1); if (!NT_SUCCESS(Status)) { goto CreatePipeErr; }
Status = RtlSetDaclSecurityDescriptor(pSd, TRUE, pDacl, FALSE); if (!NT_SUCCESS(Status)) { goto CreatePipeErr; }
// Fill the Security Attributes
ZeroMemory(&SecAttr, sizeof(SecAttr)); SecAttr.nLength = sizeof(SECURITY_ATTRIBUTES); SecAttr.lpSecurityDescriptor = pSd; SecAttr.bInheritHandle = FALSE;
hPipe = CreateNamedPipeW( lpPipeName, PIPE_ACCESS_DUPLEX, PIPE_WAIT | PIPE_READMODE_MESSAGE | PIPE_TYPE_MESSAGE, PIPE_UNLIMITED_INSTANCES, EXECSRV_BUFFER_SIZE, EXECSRV_BUFFER_SIZE, 0, &SecAttr );
// It's very unlikely, but still make sure that pipe with this name does not exist.
if (GetLastError() == ERROR_ALREADY_EXISTS) { NtClose( hPipe ); hPipe = INVALID_HANDLE_VALUE; }
CreatePipeErr:
// Free the SIDs
if ( pSystemSid ) { RtlFreeSid( pSystemSid ); }
if ( pLocalServiceSid ) { RtlFreeSid( pLocalServiceSid ); }
if ( pNetworkServiceSid ) { RtlFreeSid( pNetworkServiceSid ); }
if (pSd) { LocalFree(pSd); }
return hPipe;}
|
