|
|
/**MOD+**********************************************************************//* Module: reglic.cpp *//* *//* Purpose: Creates and sets appropriate ACLs on MSLicensing registry key *//* This is done during DllRegisterServer which should be called *//* by an Admin so the user should have rights to complete this *//* We do this during control registration as it is the only valid*//* place to do it during the control setup...e.g web CAB setup *//* and Iexpress setups can't handle this by themselves *//* *//* This code was shamelessly stolen from the client ACME setup *//* Copyright(C) Microsoft Corporation 1998-2000 *//* *//****************************************************************************/
#ifndef OS_WINCE
#include <adcg.h>
#include <cryptkey.h>
#include "reglic.h"
#define MSLICENSING_STORE_KEY _T("SOFTWARE\\Microsoft\\MSLicensing\\Store")
typedef DWORD (*PSETENTRIESINACL)( ULONG cCountOfExplicitEntries, // number of entries
PEXPLICIT_ACCESS pListOfExplicitEntries, // buffer
PACL OldAcl, // original ACL
PACL *NewAcl // new ACL
);
//Note, only a user with sufficient privileges will
//be able to complete this operation (same as the DllRegisterServer)
//We don't do anything on failure
BOOL SetupMSLicensingKey(){ OSVERSIONINFOA OsVer; memset(&OsVer, 0x0, sizeof(OSVERSIONINFOA)); OsVer.dwOSVersionInfoSize = sizeof(OSVERSIONINFOA); GetVersionExA(&OsVer);
if (VER_PLATFORM_WIN32_NT == OsVer.dwPlatformId) //It should be Windows NT
{ if(CreateRegAddAcl()) { // generate and write the HWID
if (CreateAndWriteHWID()) { return TRUE; } else { OutputDebugString(_T("FAILED to add Terminal Services MSLicensing HWID")); } } else { OutputDebugString(_T("FAILED to add Terminal Services MSLicensing key")); } } return FALSE;}
BOOLAddACLToObjectSecurityDescriptor( HANDLE hObject, SE_OBJECT_TYPE ObjectType ){ SID_IDENTIFIER_AUTHORITY NtAuthority = SECURITY_NT_AUTHORITY; SID_IDENTIFIER_AUTHORITY CreatorAuthority = SECURITY_CREATOR_SID_AUTHORITY; PSID pAdminSid = NULL; PSID pSystemSid = NULL; PSID pPowerUsersSid = NULL; PSID pCreatorSid = NULL; PSID pUsersSid = NULL; PACL pNewDACL = NULL;
DWORD dwError; BOOL bSuccess = TRUE;
DWORD i;
PALLOCATEANDINITIALIZESID_FN pAllocateAndInitializeSid = NULL; PSETENTRIESINACL pSetEntriesInAcl = NULL; HMODULE pAdvApi32 = NULL; PFREESID_FN pFreeSid = NULL;
PSETSECURITYINFO_FN pSetSecurityInfo;
pAdvApi32 = LoadLibrary(ADVAPI_32_DLL); if (!pAdvApi32) { return(FALSE); }
pAllocateAndInitializeSid = (PALLOCATEANDINITIALIZESID_FN) GetProcAddress(pAdvApi32, ALLOCATE_AND_INITITIALIZE_SID); if (pAllocateAndInitializeSid == NULL) { goto ErrorCleanup; }
#ifdef UNICODE
pSetEntriesInAcl = reinterpret_cast<PSETENTRIESINACL>(GetProcAddress( pAdvApi32, "SetEntriesInAclW" ));#else
pSetEntriesInAcl = reinterpret_cast<PSETENTRIESINACL>(GetProcAddress( pAdvApi32, "SetEntriesInAclA" ));#endif
if (!pSetEntriesInAcl) { FreeLibrary( pAdvApi32 ); return(FALSE); }
EXPLICIT_ACCESS ExplicitAccess[5]; //
// Create SIDs - Admins and System
//
bSuccess = pAllocateAndInitializeSid( &NtAuthority, 2, SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS, 0, 0, 0, 0, 0, 0, &pAdminSid);
bSuccess = bSuccess && pAllocateAndInitializeSid( &NtAuthority, 1, SECURITY_LOCAL_SYSTEM_RID, 0, 0, 0, 0, 0, 0, 0, &pSystemSid);
bSuccess = bSuccess && pAllocateAndInitializeSid( &NtAuthority, 2, SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_POWER_USERS, 0, 0, 0, 0, 0, 0, &pPowerUsersSid);
bSuccess = bSuccess && pAllocateAndInitializeSid( &CreatorAuthority, 1, SECURITY_CREATOR_OWNER_RID, 0, 0, 0, 0, 0, 0, 0, &pCreatorSid);
bSuccess = bSuccess && pAllocateAndInitializeSid(&NtAuthority, 2, SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_USERS, 0, 0, 0, 0, 0, 0, &pUsersSid);
if (bSuccess) {
//
// Initialize Access structures describing the ACEs we want:
// System Full Control
// Admins Full Control
//
// We'll take advantage of the fact that the unlocked private keys is
// the same as the device parameters key and they are a superset of the
// locked private keys.
//
// When we create the DACL for the private key we'll specify a subset of
// the ExplicitAccess array.
//
for (i = 0; i < 5; i++) { ExplicitAccess[i].grfAccessMode = SET_ACCESS; ExplicitAccess[i].grfInheritance = SUB_CONTAINERS_AND_OBJECTS_INHERIT; ExplicitAccess[i].Trustee.pMultipleTrustee = NULL; ExplicitAccess[i].Trustee.MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE; ExplicitAccess[i].Trustee.TrusteeForm = TRUSTEE_IS_SID; ExplicitAccess[i].Trustee.TrusteeType = TRUSTEE_IS_GROUP; } ExplicitAccess[0].grfAccessPermissions = KEY_ALL_ACCESS; ExplicitAccess[0].Trustee.ptstrName = (LPTSTR)pAdminSid;
ExplicitAccess[1].grfAccessPermissions = KEY_ALL_ACCESS; ExplicitAccess[1].Trustee.ptstrName = (LPTSTR)pSystemSid;
ExplicitAccess[2].grfAccessPermissions = KEY_ALL_ACCESS; ExplicitAccess[2].Trustee.ptstrName = (LPTSTR)pCreatorSid;
ExplicitAccess[3].grfAccessPermissions = GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE | DELETE; ExplicitAccess[3].Trustee.ptstrName = (LPTSTR)pPowerUsersSid;
ExplicitAccess[4].grfAccessPermissions = GENERIC_READ; ExplicitAccess[4].Trustee.ptstrName = (LPTSTR)pUsersSid;
dwError = (DWORD)pSetEntriesInAcl( 5, ExplicitAccess, NULL, &pNewDACL ); pSetSecurityInfo = (PSETSECURITYINFO_FN)GetProcAddress(pAdvApi32,SET_SECURITY_INFO); if (pSetSecurityInfo == NULL) { OutputDebugString(_T("AddSidToObjectsSecurityDescriptor: Can't get proc SetSecurityInfo")); goto ErrorCleanup; }
dwError = pSetSecurityInfo( hObject, ObjectType, DACL_SECURITY_INFORMATION | PROTECTED_DACL_SECURITY_INFORMATION, NULL, NULL, pNewDACL, NULL ); }ErrorCleanup:
pFreeSid = (PFREESID_FN) GetProcAddress(pAdvApi32, FREE_SID);
if(pFreeSid) { if(pAdminSid) pFreeSid(pAdminSid); if(pSystemSid) pFreeSid(pSystemSid); if(pPowerUsersSid) pFreeSid(pPowerUsersSid); if(pCreatorSid) pFreeSid(pCreatorSid); if(pUsersSid) pFreeSid(pUsersSid); } if(pNewDACL) LocalFree(pNewDACL);
if(pAdvApi32) FreeLibrary( pAdvApi32 );
return bSuccess;}
BOOLAddACLToStoreObjectSecurityDescriptor( HANDLE hObject, SE_OBJECT_TYPE ObjectType ){ SID_IDENTIFIER_AUTHORITY NtAuthority = SECURITY_NT_AUTHORITY; SID_IDENTIFIER_AUTHORITY CreatorAuthority = SECURITY_CREATOR_SID_AUTHORITY; PSID pAdminSid = NULL; PSID pSystemSid = NULL; PSID pPowerUsersSid = NULL; PSID pCreatorSid = NULL; PSID pUsersSid = NULL; PACL pNewDACL = NULL;
DWORD dwError; BOOL bSuccess = TRUE;
DWORD i;
PALLOCATEANDINITIALIZESID_FN pAllocateAndInitializeSid = NULL; PSETENTRIESINACL pSetEntriesInAcl = NULL; HMODULE pAdvApi32 = NULL; PFREESID_FN pFreeSid = NULL; PSETSECURITYINFO_FN pSetSecurityInfo; EXPLICIT_ACCESS ExplicitAccess[6];
pAdvApi32 = LoadLibrary(ADVAPI_32_DLL); if (!pAdvApi32) { return(FALSE); }
pAllocateAndInitializeSid = (PALLOCATEANDINITIALIZESID_FN) GetProcAddress(pAdvApi32, ALLOCATE_AND_INITITIALIZE_SID); if (pAllocateAndInitializeSid == NULL) { goto ErrorCleanup; }
#ifdef UNICODE
pSetEntriesInAcl = reinterpret_cast<PSETENTRIESINACL>(GetProcAddress( pAdvApi32, "SetEntriesInAclW" ));#else
pSetEntriesInAcl = reinterpret_cast<PSETENTRIESINACL>(GetProcAddress( pAdvApi32, "SetEntriesInAclA" ));#endif
if (!pSetEntriesInAcl) { FreeLibrary( pAdvApi32 ); return(FALSE); } //
// Create SIDs - Admins and System
//
bSuccess = pAllocateAndInitializeSid( &NtAuthority, 2, SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS, 0, 0, 0, 0, 0, 0, &pAdminSid);
bSuccess = bSuccess && pAllocateAndInitializeSid( &NtAuthority, 1, SECURITY_LOCAL_SYSTEM_RID, 0, 0, 0, 0, 0, 0, 0, &pSystemSid);
bSuccess = bSuccess && pAllocateAndInitializeSid( &NtAuthority, 2, SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_POWER_USERS, 0, 0, 0, 0, 0, 0, &pPowerUsersSid);
bSuccess = bSuccess && pAllocateAndInitializeSid( &CreatorAuthority, 1, SECURITY_CREATOR_OWNER_RID, 0, 0, 0, 0, 0, 0, 0, &pCreatorSid);
bSuccess = bSuccess && pAllocateAndInitializeSid(&NtAuthority, 2, SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_USERS, 0, 0, 0, 0, 0, 0, &pUsersSid);
if (bSuccess) {
//
// Initialize Access structures describing the ACEs we want:
// System Full Control
// Admins Full Control
//
// We'll take advantage of the fact that the unlocked private keys is
// the same as the device parameters key and they are a superset of the
// locked private keys.
//
// When we create the DACL for the private key we'll specify a subset of
// the ExplicitAccess array.
//
for (i = 0; i < 6; i++) { ExplicitAccess[i].grfAccessMode = SET_ACCESS; ExplicitAccess[i].Trustee.pMultipleTrustee = NULL; ExplicitAccess[i].Trustee.MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE; ExplicitAccess[i].Trustee.TrusteeForm = TRUSTEE_IS_SID; ExplicitAccess[i].Trustee.TrusteeType = TRUSTEE_IS_GROUP; } ExplicitAccess[0].grfAccessPermissions = KEY_ALL_ACCESS; ExplicitAccess[0].grfInheritance = SUB_CONTAINERS_AND_OBJECTS_INHERIT; ExplicitAccess[0].Trustee.ptstrName = (LPTSTR)pAdminSid;
ExplicitAccess[1].grfAccessPermissions = KEY_ALL_ACCESS; ExplicitAccess[1].grfInheritance = SUB_CONTAINERS_AND_OBJECTS_INHERIT; ExplicitAccess[1].Trustee.ptstrName = (LPTSTR)pSystemSid;
ExplicitAccess[2].grfAccessPermissions = KEY_ALL_ACCESS; ExplicitAccess[2].grfInheritance = SUB_CONTAINERS_AND_OBJECTS_INHERIT; ExplicitAccess[2].Trustee.ptstrName = (LPTSTR)pCreatorSid;
ExplicitAccess[3].grfAccessPermissions = GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE | DELETE; ExplicitAccess[3].grfInheritance = SUB_CONTAINERS_AND_OBJECTS_INHERIT; ExplicitAccess[3].Trustee.ptstrName = (LPTSTR)pPowerUsersSid;
ExplicitAccess[4].grfAccessPermissions = GENERIC_READ | GENERIC_WRITE| KEY_CREATE_SUB_KEY |KEY_SET_VALUE; ExplicitAccess[4].grfInheritance = SUB_CONTAINERS_AND_OBJECTS_INHERIT; ExplicitAccess[4].Trustee.ptstrName = (LPTSTR)pUsersSid;
ExplicitAccess[5].grfAccessPermissions = DELETE; ExplicitAccess[5].grfInheritance = INHERIT_ONLY_ACE | SUB_CONTAINERS_AND_OBJECTS_INHERIT; ExplicitAccess[5].Trustee.ptstrName = (LPTSTR)pUsersSid;
dwError = (DWORD)pSetEntriesInAcl( 6, ExplicitAccess, NULL, &pNewDACL ); pSetSecurityInfo = (PSETSECURITYINFO_FN)GetProcAddress(pAdvApi32,SET_SECURITY_INFO); if (pSetSecurityInfo == NULL) { OutputDebugString(_T("AddSidToObjectsSecurityDescriptor: Can't get proc SetSecurityInfo")); goto ErrorCleanup; }
dwError = pSetSecurityInfo( hObject, ObjectType, DACL_SECURITY_INFORMATION | PROTECTED_DACL_SECURITY_INFORMATION, NULL, NULL, pNewDACL, NULL ); }ErrorCleanup:
pFreeSid = (PFREESID_FN) GetProcAddress(pAdvApi32, FREE_SID);
if(pFreeSid) { if(pAdminSid) pFreeSid(pAdminSid); if(pSystemSid) pFreeSid(pSystemSid); if(pPowerUsersSid) pFreeSid(pPowerUsersSid); if(pCreatorSid) pFreeSid(pCreatorSid); if(pUsersSid) pFreeSid(pUsersSid); } if(pNewDACL) LocalFree(pNewDACL);
if(pAdvApi32) FreeLibrary( pAdvApi32 );
return bSuccess;}
BOOLRestoreACLOnKey( HANDLE hObject, SE_OBJECT_TYPE ObjectType ){ SID_IDENTIFIER_AUTHORITY NtAuthority = SECURITY_NT_AUTHORITY; SID_IDENTIFIER_AUTHORITY CreatorAuthority = SECURITY_CREATOR_SID_AUTHORITY; PSID pAdminSid = NULL; PSID pSystemSid = NULL; PSID pPowerUsersSid = NULL; PSID pCreatorSid = NULL; PSID pUsersSid = NULL; PACL pNewDACL = NULL;
DWORD dwError; BOOL bSuccess = TRUE;
DWORD i;
PALLOCATEANDINITIALIZESID_FN pAllocateAndInitializeSid = NULL; PSETENTRIESINACL pSetEntriesInAcl = NULL; HMODULE pAdvApi32 = NULL; PFREESID_FN pFreeSid = NULL;
PSETSECURITYINFO_FN pSetSecurityInfo;
pAdvApi32 = LoadLibrary(ADVAPI_32_DLL); if (!pAdvApi32) { return(FALSE); }
pAllocateAndInitializeSid = (PALLOCATEANDINITIALIZESID_FN) GetProcAddress(pAdvApi32, ALLOCATE_AND_INITITIALIZE_SID); if (pAllocateAndInitializeSid == NULL) { goto ErrorCleanup; }
#ifdef UNICODE
pSetEntriesInAcl = reinterpret_cast<PSETENTRIESINACL>(GetProcAddress( pAdvApi32, "SetEntriesInAclW" ));#else
pSetEntriesInAcl = reinterpret_cast<PSETENTRIESINACL>(GetProcAddress( pAdvApi32, "SetEntriesInAclA" ));#endif
if (!pSetEntriesInAcl) { FreeLibrary( pAdvApi32 ); return(FALSE); }
EXPLICIT_ACCESS ExplicitAccess[5]; //
// Create SIDs - Admins and System
//
bSuccess = pAllocateAndInitializeSid( &NtAuthority, 2, SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS, 0, 0, 0, 0, 0, 0, &pAdminSid);
bSuccess = bSuccess && pAllocateAndInitializeSid( &NtAuthority, 1, SECURITY_LOCAL_SYSTEM_RID, 0, 0, 0, 0, 0, 0, 0, &pSystemSid);
bSuccess = bSuccess && pAllocateAndInitializeSid( &NtAuthority, 2, SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_POWER_USERS, 0, 0, 0, 0, 0, 0, &pPowerUsersSid);
bSuccess = bSuccess && pAllocateAndInitializeSid( &CreatorAuthority, 1, SECURITY_CREATOR_OWNER_RID, 0, 0, 0, 0, 0, 0, 0, &pCreatorSid);
bSuccess = bSuccess && pAllocateAndInitializeSid(&NtAuthority, 2, SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_USERS, 0, 0, 0, 0, 0, 0, &pUsersSid);
if (bSuccess) {
//
// Initialize Access structures describing the ACEs we want:
// System Full Control
// Admins Full Control
//
// We'll take advantage of the fact that the unlocked private keys is
// the same as the device parameters key and they are a superset of the
// locked private keys.
//
// When we create the DACL for the private key we'll specify a subset of
// the ExplicitAccess array.
//
for (i = 0; i < 5; i++) { ExplicitAccess[i].grfAccessMode = SET_ACCESS; ExplicitAccess[i].grfInheritance = SUB_CONTAINERS_AND_OBJECTS_INHERIT; ExplicitAccess[i].Trustee.pMultipleTrustee = NULL; ExplicitAccess[i].Trustee.MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE; ExplicitAccess[i].Trustee.TrusteeForm = TRUSTEE_IS_SID; ExplicitAccess[i].Trustee.TrusteeType = TRUSTEE_IS_GROUP; } ExplicitAccess[0].grfAccessPermissions = KEY_ALL_ACCESS; ExplicitAccess[0].Trustee.ptstrName = (LPTSTR)pAdminSid;
ExplicitAccess[1].grfAccessPermissions = KEY_ALL_ACCESS; ExplicitAccess[1].Trustee.ptstrName = (LPTSTR)pSystemSid;
ExplicitAccess[2].grfAccessPermissions = KEY_ALL_ACCESS; ExplicitAccess[2].Trustee.ptstrName = (LPTSTR)pCreatorSid;
ExplicitAccess[3].grfAccessPermissions = KEY_ALL_ACCESS; ExplicitAccess[3].Trustee.ptstrName = (LPTSTR)pPowerUsersSid;
ExplicitAccess[4].grfAccessPermissions = KEY_ALL_ACCESS; ExplicitAccess[4].Trustee.ptstrName = (LPTSTR)pUsersSid;
dwError = (DWORD)pSetEntriesInAcl( 5, ExplicitAccess, NULL, &pNewDACL ); pSetSecurityInfo = (PSETSECURITYINFO_FN)GetProcAddress(pAdvApi32,SET_SECURITY_INFO); if (pSetSecurityInfo == NULL) { OutputDebugString(_T("AddSidToObjectsSecurityDescriptor: Can't get proc SetSecurityInfo")); goto ErrorCleanup; }
dwError = pSetSecurityInfo( hObject, ObjectType, DACL_SECURITY_INFORMATION | PROTECTED_DACL_SECURITY_INFORMATION, NULL, NULL, pNewDACL, NULL ); }ErrorCleanup:
pFreeSid = (PFREESID_FN) GetProcAddress(pAdvApi32, FREE_SID);
if(pFreeSid) { if(pAdminSid) pFreeSid(pAdminSid); if(pSystemSid) pFreeSid(pSystemSid); if(pPowerUsersSid) pFreeSid(pPowerUsersSid); if(pCreatorSid) pFreeSid(pCreatorSid); if(pUsersSid) pFreeSid(pUsersSid); } if(pNewDACL) LocalFree(pNewDACL);
if(pAdvApi32) FreeLibrary( pAdvApi32 );
return bSuccess;}
//
// Create and ACL HKLM\Software\Microsoft\MSLicensing\Store
//
// 1) Set the ACL on MSLicensing, so that Users can only read (inherited).
// 2) Create the Store subkey, and set an ACL so that Users can
// read (inherited), write (inherited), create subkeys, enumerate subkeys,
// and delete subkeys, but not do anything else.
//
BOOL CreateRegAddAcl(VOID){ BOOL fRet = FALSE; DWORD dwDisposition, dwError = NO_ERROR; HKEY hKey = NULL, hKeyStore = NULL;
dwError = RegCreateKeyEx( HKEY_LOCAL_MACHINE, MSLICENSING_REG_KEY, 0, NULL, REG_OPTION_NON_VOLATILE, KEY_ALL_ACCESS, NULL, &hKey, &dwDisposition );
if (dwError != ERROR_SUCCESS) { return FALSE; }
fRet = AddACLToObjectSecurityDescriptor( hKey, SE_REGISTRY_KEY );
if (!fRet) { goto cleanup; }
dwError = RegCreateKeyEx( hKey, MSLICENSING_STORE_SUBKEY, 0, NULL, REG_OPTION_NON_VOLATILE, KEY_ALL_ACCESS, NULL, &hKeyStore, &dwDisposition );
if (dwError != ERROR_SUCCESS) { fRet = FALSE; goto cleanup; }
fRet = AddACLToStoreObjectSecurityDescriptor( hKeyStore, SE_REGISTRY_KEY );
cleanup: if (NULL != hKey) { RegCloseKey( hKey ); }
if (NULL != hKeyStore) { RegCloseKey( hKeyStore ); }
return fRet;}
//
// Restore ACL on HKLM\Software\Microsoft\MSLicensing, HardwareID and Store
// and subkeys if they exist on uninstall.
// Grant Users Full control. This is to make it operational with downlevel clients.
//
void RestoreRegAcl(VOID){ DWORD dwDisposition, dwError = NO_ERROR; HKEY hKey = NULL;
dwError = RegCreateKeyEx( HKEY_LOCAL_MACHINE, MSLICENSING_REG_KEY, 0, NULL, REG_OPTION_NON_VOLATILE, KEY_ALL_ACCESS, NULL, &hKey, &dwDisposition );
if (dwError == ERROR_SUCCESS) { RestoreACLOnKey( hKey, SE_REGISTRY_KEY );
if (NULL != hKey) { RegCloseKey( hKey ); hKey = NULL; } }
// Write HWID to registry
dwError = RegOpenKeyEx( HKEY_LOCAL_MACHINE, MSLICENSING_HWID_KEY, 0, KEY_ALL_ACCESS, &hKey );
if (dwError == ERROR_SUCCESS) { RestoreACLOnKey( hKey, SE_REGISTRY_KEY );
if (NULL != hKey) { RegCloseKey( hKey ); hKey = NULL; } }
dwError = RegOpenKeyEx( HKEY_LOCAL_MACHINE, MSLICENSING_STORE_KEY, 0, KEY_ALL_ACCESS, &hKey );
if (dwError == ERROR_SUCCESS) { RestoreACLOnKey( hKey, SE_REGISTRY_KEY );
if (NULL != hKey) { RegCloseKey( hKey ); hKey = NULL; } }
return;}
//
// Note: this uses low-level ACL APIs because the higher level APIs
// don't exist or have bugs on NT4
//
BOOLAddSidToObjectsSecurityDescriptor( HANDLE hObject, SE_OBJECT_TYPE ObjectType, PSID pSid, DWORD dwNewAccess, ACCESS_MODE AccessMode, DWORD dwInheritance, BOOL fKeepExistingAcl ){ BOOL fReturn = FALSE; DWORD dwRet; PACL pOldDacl = NULL, pNewDacl = NULL; PSECURITY_DESCRIPTOR pSecDesc = NULL; HMODULE hModAdvapiDll = NULL; PGETSECURITYINFO_FN pGetSecurityInfo; PSETSECURITYINFO_FN pSetSecurityInfo; PADDACE_FN pAddAce; PGETLENGTHSID_FN pGetLengthSid; PCOPYSID_FN pCopySid; WORD cbAcl; PACCESS_ALLOWED_ACE pAceAllow = NULL; PACCESS_DENIED_ACE pAceDeny = NULL; PISVALIDSID_FN pIsValidSid; WORD cbAce; DWORD cbSid; PSID pSidLocation;
//
// pSid cannot be NULL.
//
if (pSid == NULL) { SetLastError(ERROR_INVALID_PARAMETER); OutputDebugString(_T("AddSidToObjectsSecurityDescriptor: NULL pSid")); return(FALSE); }
if ((AccessMode != GRANT_ACCESS) && (AccessMode != DENY_ACCESS)){ SetLastError(ERROR_INVALID_PARAMETER); OutputDebugString(_T("AddSidToObjectsSecurityDescriptor: only Grant Aces and Deny Access supported")); return(FALSE); }
if (!fKeepExistingAcl) { SetLastError(ERROR_INVALID_PARAMETER); OutputDebugString(_T("AddSidToObjectsSecurityDescriptor: only fKeepExistingAcl supported")); return(FALSE); }
hModAdvapiDll = LoadLibrary(ADVAPI_32_DLL);
if (hModAdvapiDll == NULL) { OutputDebugString(_T("AddSidToObjectsSecurityDescriptor: can't load Advapi32.dll")); return(FALSE); }
pIsValidSid = (PISVALIDSID_FN)GetProcAddress(hModAdvapiDll, IS_VALID_SID); if (pIsValidSid == NULL) { OutputDebugString(_T("AddSidToObjectsSecurityDescriptor: Can't get proc IsValidSid")); goto ErrorCleanup; }
if (!pIsValidSid(pSid)) { SetLastError(ERROR_INVALID_PARAMETER); OutputDebugString(_T("AddSidToObjectsSecurityDescriptor: bad pSid")); goto ErrorCleanup; }
if (fKeepExistingAcl) { //
// Get the objects security descriptor and current DACL.
//
pGetSecurityInfo = (PGETSECURITYINFO_FN)GetProcAddress(hModAdvapiDll, GET_SECURITY_INFO); if (pGetSecurityInfo == NULL) { OutputDebugString(_T("AddSidToObjectsSecurityDescriptor: Can't get proc GetSecurityInfo")); goto ErrorCleanup; }
dwRet = pGetSecurityInfo( hObject, ObjectType, DACL_SECURITY_INFORMATION, NULL, NULL, &pOldDacl, NULL, &pSecDesc );
if (dwRet != ERROR_SUCCESS) { OutputDebugString(_T("AddSidToObjectsSecurityDescriptor: GetSecurityInfo failed")); goto ErrorCleanup; } }
//
// Merge the new ACE into the existing DACL.
//
//
// Calculate size of new ACL, and create it
//
pGetLengthSid = (PGETLENGTHSID_FN)GetProcAddress(hModAdvapiDll,GET_LENGTH_SID); if (pGetLengthSid == NULL) { OutputDebugString(_T("AddSidToObjectsSecurityDescriptor: Can't get proc GetLengthSid")); goto ErrorCleanup; }
cbSid = pGetLengthSid(pSid);
cbAcl = (WORD) (pOldDacl->AclSize + cbSid - sizeof(DWORD));
if (AccessMode == GRANT_ACCESS) { cbAcl += (WORD) sizeof(ACCESS_ALLOWED_ACE); } else { cbAcl += (WORD) sizeof(ACCESS_DENIED_ACE); }
pNewDacl = (PACL) LocalAlloc(LPTR, cbAcl);
if (NULL == pNewDacl) { OutputDebugString(_T("AddSidToObjectsSecurityDescriptor: Can't allocate ACL")); goto ErrorCleanup; }
CopyMemory(pNewDacl,pOldDacl,pOldDacl->AclSize);
pNewDacl->AclSize = cbAcl;
//
// Create New Ace to be added
//
if (AccessMode == GRANT_ACCESS) { cbAce = (WORD) (sizeof(ACCESS_ALLOWED_ACE) + cbSid - sizeof(DWORD));
pAceAllow = (PACCESS_ALLOWED_ACE) LocalAlloc(LPTR,cbAce);
if (NULL == pAceAllow) { OutputDebugString(_T("AddSidToObjectsSecurityDescriptor: Can't allocate Ace")); goto ErrorCleanup; }
pAceAllow->Header.AceFlags = (BYTE) dwInheritance; pAceAllow->Header.AceSize = cbAce; pAceAllow->Header.AceType = ACCESS_ALLOWED_ACE_TYPE; pAceAllow->Mask = dwNewAccess;
pSidLocation = (PSID)(&pAceAllow->SidStart); } else { cbAce = (WORD) (sizeof(ACCESS_DENIED_ACE) + cbSid - sizeof(DWORD));
pAceDeny = (PACCESS_DENIED_ACE) LocalAlloc(LPTR,cbAce);
if (NULL == pAceDeny) { OutputDebugString(_T("AddSidToObjectsSecurityDescriptor: Can't allocate Ace")); goto ErrorCleanup; }
pAceDeny->Header.AceFlags = (BYTE) dwInheritance; pAceDeny->Header.AceSize = cbAce; pAceDeny->Header.AceType = ACCESS_DENIED_ACE_TYPE; pAceDeny->Mask = dwNewAccess;
pSidLocation = (PSID)(&pAceDeny->SidStart); }
pCopySid = (PCOPYSID_FN)GetProcAddress(hModAdvapiDll,COPY_SID); if (pCopySid == NULL) { OutputDebugString(_T("AddSidToObjectsSecurityDescriptor: Can't get proc CopySid")); goto ErrorCleanup; }
if (!pCopySid(cbSid, pSidLocation, pSid)) { OutputDebugString(_T("AddSidToObjectsSecurityDescriptor: CopySid failed")); goto ErrorCleanup; }
pAddAce = (PADDACE_FN)GetProcAddress(hModAdvapiDll,ADD_ACE); if (pAddAce == NULL) { OutputDebugString(_T("AddSidToObjectsSecurityDescriptor: Can't get proc AddAce")); goto ErrorCleanup; }
if (!pAddAce(pNewDacl, ACL_REVISION, (AccessMode == GRANT_ACCESS) ? MAXDWORD : 0, ((AccessMode == GRANT_ACCESS) ? (PVOID)pAceAllow : (PVOID)pAceDeny), cbAce)) { OutputDebugString(_T("AddSidToObjectsSecurityDescriptor: AddAce failed")); goto ErrorCleanup; }
//
// Set the new security for the object.
//
pSetSecurityInfo = (PSETSECURITYINFO_FN)GetProcAddress(hModAdvapiDll,SET_SECURITY_INFO); if (pSetSecurityInfo == NULL) { OutputDebugString(_T("AddSidToObjectsSecurityDescriptor: Can't get proc SetSecurityInfo")); goto ErrorCleanup; }
dwRet = pSetSecurityInfo( hObject, ObjectType, DACL_SECURITY_INFORMATION, NULL, NULL, pNewDacl, NULL );
if (dwRet != ERROR_SUCCESS) { OutputDebugString(_T("AddSidToObjectsSecurityDescriptor: SetSecurityInfo failed")); goto ErrorCleanup; }
fReturn = TRUE;
ErrorCleanup: if (hModAdvapiDll != NULL) { FreeLibrary(hModAdvapiDll); }
if (pNewDacl != NULL) { LocalFree(pNewDacl); }
if (pSecDesc != NULL) { LocalFree(pSecDesc); }
if (pAceAllow != NULL) { LocalFree(pAceAllow); }
if (pAceDeny != NULL) { LocalFree(pAceDeny); }
return(fReturn);}
BOOLDeleteAceFromObjectsSecurityDescriptor( HANDLE hObject, SE_OBJECT_TYPE ObjectType, PSID pSid, DWORD dwAccess, ACCESS_MODE AccessMode, DWORD dwInheritance ){ BOOL fReturn = FALSE; DWORD dwRet; PACL pDacl = NULL; PSECURITY_DESCRIPTOR pSecDesc = NULL; HMODULE hModAdvapiDll = NULL; PGETSECURITYINFO_FN pGetSecurityInfo; PSETSECURITYINFO_FN pSetSecurityInfo; PGETACLINFORMATION_FN pGetAclInformation; PDELETEACE_FN pDeleteAce; PGETACE_FN pGetAce; PACCESS_ALLOWED_ACE pAce = NULL; PISVALIDSID_FN pIsValidSid; PEQUALSID_FN pEqualSid; DWORD cAce; ACL_SIZE_INFORMATION aclSizeInfo; PACE_HEADER aceHeader; PACCESS_ALLOWED_ACE aceAllowed;
//
// pSid cannot be NULL.
//
if (pSid == NULL) { SetLastError(ERROR_INVALID_PARAMETER); OutputDebugString(_T("DeleteAceFromObjectsSecurityDescriptor: NULL pSid")); return(FALSE); }
//
// We only support GRANT_ACCESS Aces
if (AccessMode != GRANT_ACCESS) { SetLastError(ERROR_INVALID_PARAMETER); OutputDebugString(_T("DeleteAceFromObjectsSecurityDescriptor: only Grant Aces allowed")); return(FALSE); }
//
// Load all the functions we'll need
//
hModAdvapiDll = LoadLibrary(ADVAPI_32_DLL);
if (hModAdvapiDll == NULL) { OutputDebugString(_T("DeleteAceFromObjectsSecurityDescriptor: can't load Advapi32.dll")); return(FALSE); }
pIsValidSid = (PISVALIDSID_FN)GetProcAddress(hModAdvapiDll, IS_VALID_SID); if (pIsValidSid == NULL) { OutputDebugString(_T("DeleteAceFromObjectsSecurityDescriptor: Can't get proc IsValidSid")); goto ErrorCleanup; }
pEqualSid = (PEQUALSID_FN)GetProcAddress(hModAdvapiDll, EQUAL_SID); if (pEqualSid == NULL) { OutputDebugString(_T("DeleteAceFromObjectsSecurityDescriptor: Can't get proc EqualSid")); goto ErrorCleanup; }
pDeleteAce = (PDELETEACE_FN)GetProcAddress(hModAdvapiDll,DELETE_ACE); if (pDeleteAce == NULL) { OutputDebugString(_T("DeleteSidToObjectsSecurityDescriptor: Can't get proc DeleteAce")); goto ErrorCleanup; }
pGetAce = (PGETACE_FN)GetProcAddress(hModAdvapiDll,GET_ACE); if (pGetAce == NULL) { OutputDebugString(_T("DeleteSidToObjectsSecurityDescriptor: Can't get proc GetAce")); goto ErrorCleanup; }
pGetSecurityInfo = (PGETSECURITYINFO_FN)GetProcAddress(hModAdvapiDll, GET_SECURITY_INFO); if (pGetSecurityInfo == NULL) { OutputDebugString(_T("DeleteAceFromObjectsSecurityDescriptor: Can't get proc GetSecurityInfo")); goto ErrorCleanup; }
pGetAclInformation = (PGETACLINFORMATION_FN)GetProcAddress(hModAdvapiDll, GET_ACL_INFORMATION); if (pGetAclInformation == NULL) { OutputDebugString(_T("DeleteAceFromObjectsSecurityDescriptor: Can't get proc GetAclInformation")); goto ErrorCleanup; }
pSetSecurityInfo = (PSETSECURITYINFO_FN)GetProcAddress(hModAdvapiDll,SET_SECURITY_INFO); if (pSetSecurityInfo == NULL) { OutputDebugString(_T("DeleteAceFromObjectsSecurityDescriptor: Can't get proc SetSecurityInfo")); goto ErrorCleanup; }
//
// Make sure Sid passed in is valid
//
if (!pIsValidSid(pSid)) { SetLastError(ERROR_INVALID_PARAMETER); OutputDebugString(_T("DeleteAceFromObjectsSecurityDescriptor: bad pSid")); goto ErrorCleanup; }
//
// Get the object's security descriptor and current DACL.
//
dwRet = pGetSecurityInfo( hObject, ObjectType, DACL_SECURITY_INFORMATION, NULL, NULL, &pDacl, NULL, &pSecDesc );
if (dwRet != ERROR_SUCCESS) { OutputDebugString(_T("DeleteAceFromObjectsSecurityDescriptor: GetSecurityInfo failed")); goto ErrorCleanup; }
//
// Find the ACE to be deleted
//
if (!pGetAclInformation(pDacl, (LPVOID) &aclSizeInfo, (DWORD) sizeof(ACL_SIZE_INFORMATION), AclSizeInformation)) { OutputDebugString(_T("DeleteAceFromObjectsSecurityDescriptor: GetAclInformation failed")); goto ErrorCleanup; }
for (cAce = 0; cAce < aclSizeInfo.AceCount; cAce++) { if (!pGetAce(pDacl, cAce, (LPVOID *) &aceHeader)) { continue; }
if (aceHeader->AceType != ACCESS_ALLOWED_ACE_TYPE) { continue; }
aceAllowed = (PACCESS_ALLOWED_ACE)aceHeader;
if ((aceAllowed->Header.AceFlags & INHERITED_ACE) != (dwInheritance & INHERITED_ACE)) { continue; }
if ((aceAllowed->Header.AceFlags & CONTAINER_INHERIT_ACE) != (dwInheritance & CONTAINER_INHERIT_ACE)) { continue; }
if ((aceAllowed->Header.AceFlags & OBJECT_INHERIT_ACE) != (dwInheritance & OBJECT_INHERIT_ACE)) { continue; }
if (aceAllowed->Mask != dwAccess) { continue; }
if (0 == pEqualSid((PSID)&(aceAllowed->SidStart), pSid)) { continue; }
break; }
if (cAce != aclSizeInfo.AceCount) { //
// found one
//
if (!pDeleteAce(pDacl,cAce)) { OutputDebugString(_T("DeleteAceFromObjectsSecurityDescriptor: DeleteAce failed")); goto ErrorCleanup; }
//
// Set the new security for the object.
//
dwRet = pSetSecurityInfo( hObject, ObjectType, DACL_SECURITY_INFORMATION, NULL, NULL, pDacl, NULL );
if (dwRet != ERROR_SUCCESS) { OutputDebugString(_T("DeleteAceFromObjectsSecurityDescriptor: SetSecurityInfo failed")); goto ErrorCleanup; }
}
fReturn = TRUE;
ErrorCleanup: if (hModAdvapiDll != NULL) { FreeLibrary(hModAdvapiDll); }
if (pSecDesc != NULL) { LocalFree(pSecDesc); }
return(fReturn);}
BOOLAddUsersGroupToObjectsSecurityDescriptor( HANDLE hObject, SE_OBJECT_TYPE ObjectType, ACCESS_MASK AccessMask, ACCESS_MODE AccessMode, DWORD Inheritance, BOOL fKeepExistingAcl ){ BOOL fReturn = FALSE; DWORD dwRet = ERROR_SUCCESS; PSID pSid = NULL; SID_IDENTIFIER_AUTHORITY SepNtAuthority = SECURITY_NT_AUTHORITY; HMODULE hModAdvapiDll = NULL; PALLOCATEANDINITIALIZESID_FN pAllocateAndInitializeSid; PFREESID_FN pFreeSid;
//
// Create the SID
//
hModAdvapiDll = LoadLibrary(ADVAPI_32_DLL);
if (hModAdvapiDll == NULL) { return(FALSE); }
pAllocateAndInitializeSid = (PALLOCATEANDINITIALIZESID_FN) GetProcAddress(hModAdvapiDll, ALLOCATE_AND_INITITIALIZE_SID); if (pAllocateAndInitializeSid == NULL) { goto ErrorCleanup; }
if (!pAllocateAndInitializeSid( &SepNtAuthority, 2, SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_USERS, 0, 0, 0, 0, 0, 0, &pSid )) { dwRet = GetLastError(); OutputDebugString(_T("Failed to AllocateAndInitializeSid()")); goto ErrorCleanup; }
if (!AddSidToObjectsSecurityDescriptor( hObject, ObjectType, pSid, AccessMask, AccessMode, Inheritance, fKeepExistingAcl )) { dwRet = GetLastError(); OutputDebugString(_T("Failed to AddSidToObjectsSecurityDescriptor()")); goto ErrorCleanup; }
fReturn = TRUE;
ErrorCleanup:
if ((hModAdvapiDll != NULL) && (pSid != NULL)) {
pFreeSid = (PFREESID_FN) GetProcAddress(hModAdvapiDll, FREE_SID);
if (pFreeSid != NULL) { pFreeSid(pSid); } }
if (hModAdvapiDll != NULL) { FreeLibrary(hModAdvapiDll); }
SetLastError(dwRet);
return(fReturn);}
BOOLAddTSUsersGroupToObjectsSecurityDescriptor( HANDLE hObject, SE_OBJECT_TYPE ObjectType, ACCESS_MASK AccessMask, ACCESS_MODE AccessMode, DWORD Inheritance, BOOL fKeepExistingAcl ){ BOOL fReturn = FALSE; DWORD dwRet = ERROR_SUCCESS; PSID pSid = NULL; SID_IDENTIFIER_AUTHORITY SepNtAuthority = SECURITY_NT_AUTHORITY; HMODULE hModAdvapiDll = NULL; PALLOCATEANDINITIALIZESID_FN pAllocateAndInitializeSid; PFREESID_FN pFreeSid;
//
// Create the SID
//
hModAdvapiDll = LoadLibrary(ADVAPI_32_DLL);
if (hModAdvapiDll == NULL) { return(FALSE); }
pAllocateAndInitializeSid = (PALLOCATEANDINITIALIZESID_FN) GetProcAddress(hModAdvapiDll, ALLOCATE_AND_INITITIALIZE_SID); if (pAllocateAndInitializeSid == NULL) { goto ErrorCleanup; }
if (!pAllocateAndInitializeSid( &SepNtAuthority, 1, SECURITY_TERMINAL_SERVER_RID, 0, 0, 0, 0, 0, 0, 0, &pSid )) { dwRet = GetLastError(); OutputDebugString(_T("Failed to AllocateAndInitializeSid()")); goto ErrorCleanup; }
if (!AddSidToObjectsSecurityDescriptor( hObject, ObjectType, pSid, AccessMask, AccessMode, Inheritance, fKeepExistingAcl )) { dwRet = GetLastError(); OutputDebugString(_T("Failed to AddSidToObjectsSecurityDescriptor()")); goto ErrorCleanup; }
fReturn = TRUE;
ErrorCleanup:
if ((hModAdvapiDll != NULL) && (pSid != NULL)) {
pFreeSid = (PFREESID_FN) GetProcAddress(hModAdvapiDll, FREE_SID);
if (pFreeSid != NULL) { pFreeSid(pSid); } }
if (hModAdvapiDll != NULL) { FreeLibrary(hModAdvapiDll); }
SetLastError(dwRet);
return(fReturn);}
BOOLDeleteUsersGroupAceFromObjectsSecurityDescriptor( HANDLE hObject, SE_OBJECT_TYPE ObjectType, ACCESS_MASK AccessMask, ACCESS_MODE AccessMode, DWORD Inheritance ){ BOOL fReturn = FALSE; DWORD dwRet = ERROR_SUCCESS; PSID pSid = NULL; SID_IDENTIFIER_AUTHORITY SepNtAuthority = SECURITY_NT_AUTHORITY; HMODULE hModAdvapiDll = NULL; PALLOCATEANDINITIALIZESID_FN pAllocateAndInitializeSid; PFREESID_FN pFreeSid;
//
// Create the SID
//
hModAdvapiDll = LoadLibrary(ADVAPI_32_DLL);
if (hModAdvapiDll == NULL) { return(FALSE); }
pAllocateAndInitializeSid = (PALLOCATEANDINITIALIZESID_FN) GetProcAddress(hModAdvapiDll, ALLOCATE_AND_INITITIALIZE_SID); if (pAllocateAndInitializeSid == NULL) { goto ErrorCleanup; }
if (!pAllocateAndInitializeSid( &SepNtAuthority, 2, SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_USERS, 0, 0, 0, 0, 0, 0, &pSid )) { dwRet = GetLastError(); OutputDebugString(_T("Failed to AllocateAndInitializeSid()")); goto ErrorCleanup; }
if (!DeleteAceFromObjectsSecurityDescriptor( hObject, ObjectType, pSid, AccessMask, AccessMode, Inheritance )) { dwRet = GetLastError(); OutputDebugString(_T("Failed to DeleteAceFromObjectsSecurityDescriptor()")); goto ErrorCleanup; }
fReturn = TRUE;
ErrorCleanup:
if ((hModAdvapiDll != NULL) && (pSid != NULL)) {
pFreeSid = (PFREESID_FN) GetProcAddress(hModAdvapiDll, FREE_SID);
if (pFreeSid != NULL) { pFreeSid(pSid); } }
if (hModAdvapiDll != NULL) { FreeLibrary(hModAdvapiDll); }
SetLastError(dwRet);
return(fReturn);}
BOOLCreateAndWriteHWID(VOID){ BOOL fRet = FALSE; DWORD dwDisposition, dwError = NO_ERROR; HKEY hKey = NULL; HWID hwid;
// Write HWID to registry
dwError = RegCreateKeyEx( HKEY_LOCAL_MACHINE, MSLICENSING_HWID_KEY, 0, NULL, REG_OPTION_NON_VOLATILE, KEY_ALL_ACCESS, NULL, &hKey, &dwDisposition );
if (dwError != ERROR_SUCCESS) { goto cleanup; }
if (dwDisposition == REG_CREATED_NEW_KEY) { // generate HWID
if (LICENSE_STATUS_OK == GenerateClientHWID(&hwid)) {
dwError = RegSetValueEx(hKey, MSLICENSING_HWID_VALUE, 0, REG_BINARY, (LPBYTE)&hwid, sizeof(HWID)); if (dwError != ERROR_SUCCESS) { goto cleanup; } }
fRet = TRUE; } else { fRet = TRUE; }
cleanup: if (NULL != hKey) { RegCloseKey( hKey ); }
return fRet;}
#endif //OS_WINCE
|
