/******************************************************************************\ * This is a part of the Microsoft Source Code Samples. * Copyright 1995 - 1997 Microsoft Corporation. * All rights reserved. * This source code is only intended as a supplement to * Microsoft Development Tools and/or WinHelp documentation. * See these sources for detailed information regarding the * Microsoft samples programs. \******************************************************************************/ /*++ Copyright (c) 1997 Microsoft Corporation Module Name: SrvUtil.c Abstract: The server component of Remote. It spawns a child process and redirects the stdin/stdout/stderr of child to itself. Waits for connections from clients - passing the output of child process to client and the input from clients to child process. Author: Rajivendra Nath 2-Jan-1992 Dave Hart 30 May 1997 split from Server.c Environment: Console App. User mode. Revision History: --*/ #include #include "Remote.h" #include "Server.h" #include #define DEFAULT_SECURITY_DESCRIPTOR L"D:(A;;FA;;;BA)(A;;FA;;;CO)(A;;0x1301bf;;;WD)" #define REGISTRY_PATH L"Software\\Microsoft\\Remote" #define REGISTRY_VALUE L"DefaultSecurity" #define COMMANDFORMAT "%c%-20s [%-12s %s]\n%08x%c" #define CMDSTRING(OutBuff,OutSize,InpBuff,Client,szTime,ForceShow) \ { \ char *pch; \ \ for (pch = InpBuff; \ *pch; \ pch++) { \ \ if (ENDMARK == *pch || \ BEGINMARK == *pch) { \ \ *pch = '`'; \ } \ } \ \ OutSize = \ sprintf( \ (OutBuff), \ COMMANDFORMAT, \ BEGINMARK, \ (InpBuff), \ (Client)->Name, \ (szTime), \ (ForceShow) ? 0 : (Client)->dwID, \ ENDMARK \ ); \ } /*************************************************************/ // GetFormattedTime -- returns pointer to formatted time // // returns pointer to static buffer, only the main thread // should use this. // PCHAR GetFormattedTime( BOOL bDateToo ) { static char szTime[64]; int cch = 0; if (bDateToo) { cch = GetDateFormat( LOCALE_USER_DEFAULT, 0, NULL, // current date "ddd", // short day of week szTime, sizeof szTime ); // cch includes null terminator, change it to // a space to separate from time. szTime[ cch - 1 ] = ' '; } // // Get time and format to characters // GetTimeFormat( LOCALE_USER_DEFAULT, TIME_NOSECONDS, NULL, // use current time NULL, // use default format szTime + cch, (sizeof szTime) - cch ); return szTime; } /*************************************************************/ BOOL FilterCommand( REMOTE_CLIENT *cl, char *buff, int dread ) { char tmpchar; DWORD tmp; int len, i; DWORD ThreadID; char inp_buff[2048]; char ch[3]; if (dread==0) return(FALSE); buff[dread]=0; if (buff[0]==COMMANDCHAR) { switch(buff[1]) { case 'k': case 'K': if (INVALID_HANDLE_VALUE != hWriteChildStdIn) { printf("Remote: killing child softly, @K again to be more convincing.\n"); CancelIo( hWriteChildStdIn ); CloseHandle( hWriteChildStdIn ); hWriteChildStdIn = INVALID_HANDLE_VALUE; GenerateConsoleCtrlEvent(CTRL_CLOSE_EVENT, 0); SleepEx(200, TRUE); cPendingCtrlCEvents++; GenerateConsoleCtrlEvent(CTRL_C_EVENT, 0); SleepEx(20, TRUE); GenerateConsoleCtrlEvent(CTRL_BREAK_EVENT, 0); } else { printf("Remote: Resorting to TerminateProcess.\n"); TerminateProcess(ChldProc, ERROR_PROCESS_ABORTED); } break; case 's': case 'S': CloseHandle( (HANDLE) _beginthreadex( NULL, // security 0, // default stack size SendStatus, (void *) cl->PipeWriteH, 0, // not suspended &ThreadID )); break; case 'p': case 'P': { char *msg; msg = HeapAlloc(hHeap, HEAP_ZERO_MEMORY, 4096 ); if ( ! msg) { break; } sprintf(msg,"From %s %s [%s]\n\n%s\n",cl->Name,cl->UserName,GetFormattedTime(TRUE),&buff[2]); if (WriteFileSynch(hWriteTempFile,msg,strlen(msg),&tmp,dwWriteFilePointer,&olMainThread)) { dwWriteFilePointer += tmp; StartServerToClientFlow(); } CloseHandle( (HANDLE) CreateThread( // no CRT for ShowPopup NULL, // security 0, // default stack size ShowPopup, (void *) msg, 0, // not suspended &ThreadID )); break; } case 'm': case 'M': buff[dread-2]=0; CMDSTRING(inp_buff,len,buff,cl,GetFormattedTime(TRUE),TRUE); if (WriteFileSynch(hWriteTempFile,inp_buff,len,&tmp,dwWriteFilePointer,&olMainThread)) { dwWriteFilePointer += tmp; StartServerToClientFlow(); } break; case '@': buff[dread-2]=0; CMDSTRING(inp_buff,len,&buff[1],cl,GetFormattedTime(FALSE),FALSE); if (WriteFileSynch(hWriteTempFile,inp_buff,len,&tmp,dwWriteFilePointer,&olMainThread)) { dwWriteFilePointer += tmp; StartServerToClientFlow(); } // // Remove the first @ sign // MoveMemory(buff,&buff[1],dread-1); buff[dread-1]=' '; return(FALSE); //Send it it to the chile process default : ZeroMemory(inp_buff, sizeof(inp_buff)); strncpy(inp_buff, "** Unknown Command **\n", sizeof(inp_buff)-1); if (WriteFileSynch(hWriteTempFile,inp_buff,strlen(inp_buff),&tmp,dwWriteFilePointer,&olMainThread)) { dwWriteFilePointer += tmp; // we do this below // StartServerToClientFlow(); } case 'h': case 'H': _snprintf(inp_buff,sizeof(inp_buff), "%cM: To Send Message\n",COMMANDCHAR); if (WriteFileSynch(hWriteTempFile,inp_buff,strlen(inp_buff),&tmp,dwWriteFilePointer,&olMainThread)) { dwWriteFilePointer += tmp; } _snprintf(inp_buff,sizeof(inp_buff), "%cP: To Generate popup\n",COMMANDCHAR); if (WriteFileSynch(hWriteTempFile,inp_buff,strlen(inp_buff),&tmp,dwWriteFilePointer,&olMainThread)) { dwWriteFilePointer += tmp; } _snprintf(inp_buff,sizeof(inp_buff), "%cK: To kill the server\n",COMMANDCHAR); if (WriteFileSynch(hWriteTempFile,inp_buff,strlen(inp_buff),&tmp,dwWriteFilePointer,&olMainThread)) { dwWriteFilePointer += tmp; } _snprintf(inp_buff,sizeof(inp_buff), "%cQ: To Quit client\n",COMMANDCHAR); if (WriteFileSynch(hWriteTempFile,inp_buff,strlen(inp_buff),&tmp,dwWriteFilePointer,&olMainThread)) { dwWriteFilePointer += tmp; } _snprintf(inp_buff,sizeof(inp_buff), "%cH: This Help\n",COMMANDCHAR); if (WriteFileSynch(hWriteTempFile,inp_buff,strlen(inp_buff),&tmp,dwWriteFilePointer,&olMainThread)) { dwWriteFilePointer += tmp; } StartServerToClientFlow(); break; } return(TRUE); } if ((buff[0]<26)) { BOOL ret=FALSE; _snprintf(ch, sizeof(ch), "^%c", buff[0] + 'A' - 1); if (buff[0]==CTRLC) { // show this even to this client CMDSTRING(inp_buff,len,ch,cl,GetFormattedTime(FALSE),TRUE); cPendingCtrlCEvents++; GenerateConsoleCtrlEvent(CTRL_C_EVENT, 0); ret = TRUE; // Already sent to child } else { CMDSTRING(inp_buff,len,ch,cl,GetFormattedTime(FALSE),FALSE); } if (WriteFileSynch(hWriteTempFile,inp_buff,len,&tmp,dwWriteFilePointer,&olMainThread)) { dwWriteFilePointer += tmp; StartServerToClientFlow(); } return(ret); //FALSE:send it to child StdIn } // options here are CRLF(\r\n) or just LF(\n) if (buff[dread-2] == 13) { i = 2; // 13 is CR } else { i = 1; } tmpchar=buff[dread-i]; buff[dread-i]=0; CMDSTRING(inp_buff,len,buff,cl,GetFormattedTime(FALSE),FALSE); buff[dread-i]=tmpchar; if (WriteFileSynch(hWriteTempFile,inp_buff,len,&tmp,dwWriteFilePointer,&olMainThread)) { dwWriteFilePointer += tmp; StartServerToClientFlow(); } return(FALSE); } /*************************************************************/ HANDLE ForkChildProcess( // Creates a new process char *cmd, // Redirects its stdin,stdout PHANDLE inH, // and stderr - returns the PHANDLE outH // corresponding pipe ends. ) { SECURITY_ATTRIBUTES lsa; STARTUPINFO si; PROCESS_INFORMATION pi; HANDLE ChildIn; HANDLE ChildOut, ChildOutDup; HANDLE hWriteChild; HANDLE hReadChild; BOOL Success; BOOL // pipeex.c APIENTRY MyCreatePipeEx( OUT LPHANDLE lpReadPipe, OUT LPHANDLE lpWritePipe, IN LPSECURITY_ATTRIBUTES lpPipeAttributes, IN DWORD nSize, DWORD dwReadMode, DWORD dwWriteMode ); lsa.nLength=sizeof(SECURITY_ATTRIBUTES); lsa.lpSecurityDescriptor=NULL; lsa.bInheritHandle=TRUE; // // Create Parent_Write to ChildStdIn Pipe. Then // duplicate the parent copy to a noninheritable // handle and close the inheritable one so that // the child won't be holding open a handle to // the server end of its stdin pipe when we try // to nuke that pipe to close the child. // Success = MyCreatePipeEx( &ChildIn, &hWriteChild, &lsa, 0, 0, FILE_FLAG_OVERLAPPED) && DuplicateHandle( GetCurrentProcess(), hWriteChild, GetCurrentProcess(), inH, 0, // ignored b/c SAME_ACCESS FALSE, // not inheritable DUPLICATE_SAME_ACCESS | DUPLICATE_CLOSE_SOURCE ); if (!Success) { ErrorExit("Could Not Create Parent-->Child Pipe"); } // //Create ChildStdOut/stderr to Parent_Read pipe // Success = MyCreatePipeEx( &hReadChild, &ChildOut, &lsa, 0, FILE_FLAG_OVERLAPPED, 0) && DuplicateHandle( GetCurrentProcess(), hReadChild, GetCurrentProcess(), outH, 0, // ignored b/c SAME_ACCESS FALSE, // not inheritable DUPLICATE_SAME_ACCESS | DUPLICATE_CLOSE_SOURCE ) && DuplicateHandle( GetCurrentProcess(), ChildOut, GetCurrentProcess(), &ChildOutDup, 0, // ignored b/c SAME_ACCESS TRUE, // inheritable DUPLICATE_SAME_ACCESS ); if (!Success) { ErrorExit("Could Not Create Child-->Parent Pipe"); } ZeroMemory(&si, sizeof(si)); si.cb = sizeof(STARTUPINFO); si.dwFlags = STARTF_USESTDHANDLES; si.hStdInput = ChildIn; si.hStdOutput = ChildOut; si.hStdError = ChildOutDup; si.wShowWindow = SW_SHOW; // // Create Child Process // if ( ! CreateProcess( NULL, cmd, NULL, NULL, TRUE, GetPriorityClass( GetCurrentProcess() ), NULL, NULL, &si, &pi)) { if (GetLastError()==2) { printf("Executable %s not found\n",cmd); } else { printf("CreateProcess(%s) failed, error %d.\n", cmd, GetLastError()); } ErrorExit("Could Not Create Child Process"); } // // Close unneccesary Handles // CloseHandle(ChildIn); CloseHandle(ChildOut); CloseHandle(ChildOutDup); CloseHandle(pi.hThread); pidChild = pi.dwProcessId; return(pi.hProcess); } // // SendStatus runs as its own thread, with C runtime available. // DWORD WINAPI SendStatus( LPVOID lpSendStatusParm ) { HANDLE hClientPipe = (HANDLE) lpSendStatusParm; char *pch; DWORD tmp; PREMOTE_CLIENT pClient; OVERLAPPED ol; char buff[2048]; char szSep[] = " ------------------------------\n"; // // Since we're in our own thread we need our own // overlapped structure for our client pipe writes. // ZeroMemory(&ol, sizeof(ol)); ol.hEvent = CreateEvent( NULL, // security TRUE, // auto-reset FALSE, // initially nonsignaled NULL // unnamed ); // // Dump the closing client list // pch = buff; EnterCriticalSection(&csClosingClientList); for (pClient = (PREMOTE_CLIENT) ClosingClientListHead.Flink; pClient != (PREMOTE_CLIENT) &ClosingClientListHead; pClient = (PREMOTE_CLIENT) pClient->Links.Flink ) { if (pch + 60 > buff + sizeof(buff)) { break; } pch += sprintf(pch, "%d: %s %s (Disconnected)\n", pClient->dwID, pClient->Name, pClient->UserName); } LeaveCriticalSection(&csClosingClientList); WriteFileSynch(hClientPipe, buff, (DWORD)(pch - buff), &tmp, 0, &ol); WriteFileSynch(hClientPipe, szSep, sizeof(szSep) - 1, &tmp, 0, &ol); // // Dump the normal client list // pch = buff; EnterCriticalSection(&csClientList); for (pClient = (PREMOTE_CLIENT) ClientListHead.Flink; pClient != (PREMOTE_CLIENT) &ClientListHead; pClient = (PREMOTE_CLIENT) pClient->Links.Flink ) { if (pch + 60 > buff + sizeof(buff)) { break; } pch += sprintf(pch, "%d: %s %s\n", pClient->dwID, pClient->Name, pClient->UserName); } LeaveCriticalSection(&csClientList); WriteFileSynch(hClientPipe, buff, (DWORD)(pch - buff), &tmp, 0, &ol); WriteFileSynch(hClientPipe, szSep, sizeof(szSep) - 1, &tmp, 0, &ol); // // Dump the handshaking client list // pch = buff; EnterCriticalSection(&csHandshakingList); for (pClient = (PREMOTE_CLIENT) HandshakingListHead.Flink; pClient != (PREMOTE_CLIENT) &HandshakingListHead; pClient = (PREMOTE_CLIENT) pClient->Links.Flink ) { if (pch + 60 > buff + sizeof(buff)) { break; } pch += sprintf(pch, "%d: %s %s (Connecting)\n", pClient->dwID, pClient->Name, pClient->UserName); } LeaveCriticalSection(&csHandshakingList); WriteFileSynch(hClientPipe, buff, (DWORD)(pch - buff), &tmp, 0, &ol); WriteFileSynch(hClientPipe, szSep, sizeof(szSep) - 1, &tmp, 0, &ol); // // Dump summary information. // pch = buff; pch += sprintf(pch, "REMOTE /C %s \"%s\"\n", HostName, PipeName); pch += sprintf(pch, "Command: %s\n", ChildCmd); pch += sprintf(pch, "Windows NT %d.%d build %d \n", OsVersionInfo.dwMajorVersion, OsVersionInfo.dwMinorVersion, OsVersionInfo.dwBuildNumber); WriteFileSynch(hClientPipe, buff, (DWORD)(pch - buff), &tmp, 0, &ol); WriteFileSynch(hClientPipe, szSep, sizeof(szSep) - 1, &tmp, 0, &ol); CloseHandle(ol.hEvent); return 0; } /*************************************************************/ DWORD // NO CRT for ShowPopup WINAPI ShowPopup( void *vpArg ) { char *msg = (char *) vpArg; MessageBox(GetActiveWindow(),msg,"** REMOTE.EXE **",MB_OK|MB_SETFOREGROUND); HeapFree(hHeap, 0, msg); return(0); } /*************************************************************/ // // SrvCtrlHand is the console event handler for the server side // of remote. If our stdin is a console handle, we've disabled // generation of ^C events by the console code. Therefore // any we see are either generated by us for the benefit of // our child processes sharing the console, or generated by // some other process. We want to ignore the ones we generate // (since we're already done with everything that needs to be // done at that point), and also ignore ^C's generated by // other processes since we don't need to do anything with those. // For example if someone runs: // // remote /s "remote /s cmd inner" outer // // Then local keyboard ^C's will be read by the outer remote.exe // from its stdin handle, then it will generate a CTRL_C_EVENT that // all processes in the console will see, including both remote.exe's // and the child cmd.exe. So the handler needs do nothing but indicate // the event was handled by returning TRUE so the default handler // won't kill us. For ^BREAK we want to specifically kill our child // process so that cmd.exe and others that ignore ^BREAK will go away. // Of course this won't kill our grandchildren and so on. Oh well. // // For all other events we return FALSE and let the default handler // have it. // BOOL WINAPI SrvCtrlHand( DWORD event ) { BOOL bRet = FALSE; DWORD cb; DWORD dwTempFileOffset; OVERLAPPED ol; char szTime[64]; char szCmd[128]; if (event == CTRL_BREAK_EVENT) { TerminateProcess(ChldProc, 3); bRet = TRUE; } else if (event == CTRL_C_EVENT) { if ( ! cPendingCtrlCEvents ) { // // This came from the local keyboard or // was generated by another process in // this console. Echo it as a local // command. We have use GetTimeFormat // here not our GetFormattedTime since // the latter is for the use of the // main thread only. // GetTimeFormat( LOCALE_USER_DEFAULT, TIME_NOSECONDS, NULL, // use current time NULL, // use default format szTime, sizeof(szTime) ); CMDSTRING(szCmd, cb, "^C", pLocalClient, szTime, TRUE); ZeroMemory(&ol, sizeof(ol)); ol.hEvent = CreateEvent( NULL, // security TRUE, // auto-reset FALSE, // initially nonsignaled NULL // unnamed ); // // Practically all writes to the tempfile are happening on // the primary server thread. We're on a Ctrl-C thread. // We can't start the server to client I/O going after // writing because we're on the wrong thread, so we // punt. To fix this we need an event we can signal // that causes the main thread to call StartServerToClientFlow. // dwTempFileOffset = dwWriteFilePointer; dwWriteFilePointer += cb; WriteFileSynch(hWriteTempFile, szCmd, cb, &cb, dwTempFileOffset, &ol); // wrong thread // StartServerToClientFlow(); CloseHandle(ol.hEvent); } else { // // We generated this event in response to a ^C received from // a client, it's already been displayed to all clients. // cPendingCtrlCEvents--; } bRet = TRUE; } return bRet; } /*************************************************************/ typedef BOOL (STRINGSDTOSDW)( LPWSTR String, DWORD Version, PSECURITY_DESCRIPTOR * pSD, PULONG SDSize ); typedef STRINGSDTOSDW * PSTRINGSDTOSDW ; typedef BOOL (SDTOSTRINGSDW)( PSECURITY_DESCRIPTOR SD, DWORD StringVersion, SECURITY_INFORMATION SecInfo, LPWSTR * StringDescriptor, PULONG Size ); typedef SDTOSTRINGSDW * PSDTOSTRINGSDW ; BOOL SddlToSecurityDescriptor( LPWSTR String, DWORD Version, PSECURITY_DESCRIPTOR * pSD, PULONG SDSize ) { HMODULE hModule ; PSTRINGSDTOSDW pStringSecurityDescriptorToSecurityDescriptor ; BOOL Success = FALSE ; PSECURITY_DESCRIPTOR sd ; hModule = GetModuleHandle( "advapi32.dll" ); if ( hModule ) { pStringSecurityDescriptorToSecurityDescriptor = (PSTRINGSDTOSDW) GetProcAddress( hModule, "ConvertStringSecurityDescriptorToSecurityDescriptorW" ); if ( pStringSecurityDescriptorToSecurityDescriptor ) { Success = pStringSecurityDescriptorToSecurityDescriptor( String, Version, pSD, SDSize); return Success ; } } sd = LocalAlloc( LMEM_FIXED, sizeof( SECURITY_DESCRIPTOR ) ); if ( sd ) { InitializeSecurityDescriptor( sd, SECURITY_DESCRIPTOR_REVISION ); SetSecurityDescriptorDacl( sd, TRUE, NULL, FALSE ); *pSD = sd ; if ( SDSize ) { *SDSize = sizeof( SECURITY_DESCRIPTOR ); } return TRUE ; } return FALSE ; } /*************************************************************/ BOOL SDtoStringSD( PSECURITY_DESCRIPTOR pSD, DWORD Version, SECURITY_INFORMATION SecInfo, LPWSTR * StringSD, PULONG StringSize ) { HMODULE hModule ; PSDTOSTRINGSDW pSDtoStringSD ; BOOL Success = FALSE ; hModule = GetModuleHandle( "advapi32.dll" ); if ( hModule ) { pSDtoStringSD = (PSDTOSTRINGSDW) GetProcAddress( hModule, "ConvertSecurityDescriptorToStringSecurityDescriptorW" ); if ( pSDtoStringSD ) { Success = pSDtoStringSD(pSD, Version, SecInfo, StringSD, StringSize ); FreeLibrary( hModule ); return Success ; } } return FALSE ; } /*************************************************************/ PSECURITY_DESCRIPTOR FormatSecurityDescriptor( CHAR * * DenyNames, DWORD DenyCount, CHAR * * Names, DWORD Count) { PSECURITY_DESCRIPTOR Sd; PACL Acl; DWORD i; PSID Sids; DWORD SidLength ; CHAR ReferencedDomain[ MAX_PATH ]; UCHAR SidBuffer[ 8 * sizeof(DWORD) + 8 ]; DWORD DomainLen ; SID_NAME_USE Use; DWORD SdLen; SdLen = sizeof(SECURITY_DESCRIPTOR) + DenyCount * (sizeof( ACCESS_DENIED_ACE ) ) + DenyCount * GetSidLengthRequired( 8 ) + Count * (sizeof( ACCESS_ALLOWED_ACE ) ) + sizeof(ACL) + (Count * GetSidLengthRequired( 8 ) ); Sd = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, SdLen ); if ( !Sd ) { ErrorExit("Could not allocate SD"); } InitializeSecurityDescriptor( Sd, SECURITY_DESCRIPTOR_REVISION ); Acl = (PACL)( (PUCHAR) Sd + sizeof( SECURITY_DESCRIPTOR) ); InitializeAcl( Acl, SdLen - sizeof( SECURITY_DESCRIPTOR) , ACL_REVISION ); Sids = SidBuffer; for (i = 0 ; i < DenyCount ; i ++ ) { SidLength = sizeof( SidBuffer ); DomainLen = MAX_PATH ; if (! LookupAccountName(NULL, DenyNames[ i ], Sids, &SidLength, ReferencedDomain, &DomainLen, &Use ) ) { _snprintf( ReferencedDomain, MAX_PATH, "Unable to find account %s", DenyNames[ i ]); ErrorExit( ReferencedDomain ); } // // Got the sid. Now, add it as an access denied ace: // AddAccessDeniedAce( Acl, ACL_REVISION, FILE_GENERIC_READ | FILE_GENERIC_WRITE | FILE_CREATE_PIPE_INSTANCE, Sids ); } for (i = 0 ; i < Count ; i ++ ) { SidLength = sizeof( SidBuffer ); DomainLen = MAX_PATH ; if (! LookupAccountName(NULL, Names[ i ], Sids, &SidLength, ReferencedDomain, &DomainLen, &Use ) ) { _snprintf( ReferencedDomain, MAX_PATH, "Unable to find account %s", Names[ i ]); ErrorExit( ReferencedDomain ); } // // Got the sid. Now, add it as an access allowed ace: // AddAccessAllowedAce(Acl, ACL_REVISION, FILE_GENERIC_READ | FILE_GENERIC_WRITE | FILE_CREATE_PIPE_INSTANCE, Sids ); } // // Now the ACL should be complete, so set it into the SD and return: // SetSecurityDescriptorDacl( Sd, TRUE, Acl, FALSE ); return Sd ; } /*************************************************************/ VOID CloseClient( REMOTE_CLIENT *pClient ) { DWORD tmp; char Buf[200]; #if DBG if (pClient->ServerFlags & ~SFLG_VALID) { printf("pClient %p looks nasty in CloseClient.\n", pClient); ErrorExit("REMOTE_CLIENT structure corrupt."); } #endif // // If we're still active (on the normal client list) // start tearing things down and move to the closing // list. // if (pClient->ServerFlags & SFLG_CLOSING) { return; } if (pClient->ServerFlags & SFLG_HANDSHAKING) { MoveClientToNormalList(pClient); } MoveClientToClosingList(pClient); pClient->ServerFlags |= SFLG_CLOSING; if (pClient->PipeWriteH != INVALID_HANDLE_VALUE) { TRACE(CONNECT, ("Disconnecting %d PipeWriteH (%p).\n", pClient->dwID, pClient->PipeWriteH)); CancelIo(pClient->PipeWriteH); DisconnectNamedPipe(pClient->PipeWriteH); CloseHandle(pClient->PipeWriteH); } if (pClient->PipeReadH != INVALID_HANDLE_VALUE && pClient->PipeReadH != pClient->PipeWriteH) { TRACE(CONNECT, ("Disconnecting %d PipeReadH (%p).\n", pClient->dwID, pClient->PipeReadH)); CancelIo(pClient->PipeReadH); DisconnectNamedPipe(pClient->PipeReadH); CloseHandle(pClient->PipeReadH); } if (pClient->rSaveFile != INVALID_HANDLE_VALUE) { CancelIo(pClient->rSaveFile); CloseHandle(pClient->rSaveFile); } pClient->rSaveFile = pClient->PipeWriteH = pClient->PipeReadH = INVALID_HANDLE_VALUE; if ( ! bShuttingDownServer ) { ZeroMemory(Buf, sizeof(Buf)); _snprintf(Buf, sizeof(Buf)-1, "\n**Remote: Disconnected from %s %s [%s]\n", pClient->Name, pClient->UserName, GetFormattedTime(TRUE)); if (WriteFileSynch(hWriteTempFile,Buf,strlen(Buf),&tmp,dwWriteFilePointer,&olMainThread)) { dwWriteFilePointer += tmp; StartServerToClientFlow(); } } return; } BOOL FASTCALL HandleSessionError( PREMOTE_CLIENT pClient, DWORD dwError ) { if (pClient->ServerFlags & SFLG_CLOSING) { return TRUE; } if (dwError) { if (ERROR_BROKEN_PIPE == dwError || ERROR_OPERATION_ABORTED == dwError || ERROR_NO_DATA == dwError ) { CloseClient(pClient); return TRUE; } SetLastError(dwError); ErrorExit("Unhandled session error."); } return FALSE; } VOID FASTCALL CleanupTempFiles( PSZ pszTempDir ) { HANDLE hSearch; WIN32_FIND_DATA FindData; char szPath[MAX_PATH + 1] = {0}; char szFile[MAX_PATH + 1]; // // pszTempDir, from GetTempPath, has a trailing backslash. // _snprintf(szPath, sizeof(szPath)-1, "%sREM*.tmp", pszTempDir); hSearch = FindFirstFile(szPath, &FindData); if (INVALID_HANDLE_VALUE != hSearch) { do { ZeroMemory(szFile, sizeof(szFile)); _snprintf(szFile, sizeof(szFile)-1, "%s%s", pszTempDir, FindData.cFileName); DeleteFile(szFile); } while (FindNextFile(hSearch, &FindData)); FindClose(hSearch); } } VOID SaveDacl( PSECURITY_DESCRIPTOR psd ) { HKEY hKey ; int err ; DWORD disp ; LPWSTR StringSD ; DWORD StringLen; err = RegCreateKeyExW( HKEY_LOCAL_MACHINE, REGISTRY_PATH, 0, NULL, REG_OPTION_NON_VOLATILE, KEY_WRITE, NULL, &hKey, &disp ); if ( err == 0 ) { if ( SDtoStringSD(sdPublic, 1, DACL_SECURITY_INFORMATION, &StringSD, &StringLen ) ) { err = RegSetValueExW( hKey, REGISTRY_VALUE, 0, REG_SZ, (LPBYTE) StringSD, StringLen * sizeof(WCHAR) ); } RegCloseKey( hKey ); } } #pragma prefast(push) #pragma prefast(disable: 248) // NULL dacl is by design here, really VOID FASTCALL SetupSecurityDescriptors( VOID ) { int i; int err ; HKEY hKey ; PWSTR TextSD ; DWORD Type ; DWORD Size ; PSID Everyone ; PACL pDacl ; SID_IDENTIFIER_AUTHORITY World = SECURITY_WORLD_SID_AUTHORITY ; PSECURITY_DESCRIPTOR psd ; pDacl = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, 12 + sizeof( ACCESS_ALLOWED_ACE ) + sizeof( ACL )); psd = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, sizeof( SECURITY_DESCRIPTOR )); // // initialize the struct // saLocalNamedObjects.nLength = sizeof( SECURITY_ATTRIBUTES ); if ( (pDacl != NULL) && (psd != NULL ) ) { if ( AllocateAndInitializeSid(&World, 1, SECURITY_WORLD_RID, 0, 0, 0, 0, 0, 0, 0, &Everyone) ) { InitializeAcl(pDacl, 12 + sizeof( ACCESS_ALLOWED_ACE ) + sizeof( ACL ), ACL_REVISION); AddAccessAllowedAce(pDacl, ACL_REVISION, EVENT_ALL_ACCESS | MUTEX_ALL_ACCESS | SYNCHRONIZE, Everyone ); InitializeSecurityDescriptor(psd, SECURITY_DESCRIPTOR_REVISION ); SetSecurityDescriptorDacl( psd, TRUE, pDacl, FALSE ); saLocalNamedObjects.bInheritHandle = FALSE ; saLocalNamedObjects.lpSecurityDescriptor = psd ; HeapFree(GetProcessHeap(), 0, Everyone ); } } // // Initialize the wide-open security descriptor. // if ( !SddlToSecurityDescriptor(DEFAULT_SECURITY_DESCRIPTOR, 1, &sdPublic, NULL ) ) { sdPublic = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, sizeof( SECURITY_DESCRIPTOR ) ); if ( sdPublic ) { InitializeSecurityDescriptor( sdPublic, SECURITY_DESCRIPTOR_REVISION ); SetSecurityDescriptorDacl( sdPublic, TRUE, NULL, FALSE ); } } saPublic.nLength = sizeof(saPublic); saPublic.lpSecurityDescriptor = sdPublic; // // if /u was specified once or more, build the security descriptor to // enforce it. // saPipe.nLength = sizeof(saPipe); if ( DaclNameCount || DaclDenyNameCount ) { saPipe.lpSecurityDescriptor = FormatSecurityDescriptor( DaclDenyNames, DaclDenyNameCount, DaclNames, DaclNameCount ); if ( SaveDaclToRegistry ) { SaveDacl( saPipe.lpSecurityDescriptor ); } if (DaclNameCount) { fputs( "\nProtected Server! Only the following users or groups can connect:\n", stdout ); for (i = 0 ; i < (int) DaclNameCount ; i++) { printf( " %s\n", DaclNames[i] ); } } if (DaclDenyNameCount) { fputs("The following users or groups explicitly cannot connect:\n", stdout ); for (i = 0 ; i < (int) DaclDenyNameCount ; i++) { printf(" %s\n", DaclDenyNames[i] ); } } } else { saPipe.lpSecurityDescriptor = sdPublic; err = RegOpenKeyExW( HKEY_LOCAL_MACHINE, REGISTRY_PATH, 0, KEY_READ, &hKey ); if ( err == 0 ) { err = RegQueryValueExW( hKey, REGISTRY_VALUE, 0, &Type, NULL, &Size ); if ( err != ERROR_FILE_NOT_FOUND ) { TextSD = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, Size ); if ( TextSD ) { err = RegQueryValueExW( hKey, REGISTRY_VALUE, 0, &Type, (LPBYTE) TextSD, &Size ); if ( err == 0 ) { SddlToSecurityDescriptor( TextSD, 1, &saPipe.lpSecurityDescriptor, NULL ); } } } RegCloseKey( hKey ); } } } #pragma prefast(pop)