Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 
 
 

575 lines
16 KiB

/****************************************************************************
PROGRAM: TOKEN.C
PURPOSE: Contains routines that manipulate tokens
****************************************************************************/
#include "SECEDIT.h"
HANDLE AllocMyToken(VOID);
BOOL ReadMyToken(HANDLE);
BOOL WriteMyToken(HWND, HANDLE);
BOOL FreeMyToken(HANDLE);
HANDLE OpenToken(HANDLE, ACCESS_MASK);
BOOL CloseToken(HANDLE);
PVOID AllocTokenInfo(HANDLE, TOKEN_INFORMATION_CLASS);
BOOL GetTokenInfo(HANDLE, TOKEN_INFORMATION_CLASS, PPVOID);
BOOL SetTokenInfo(HANDLE, TOKEN_INFORMATION_CLASS, PVOID);
BOOL FreeTokenInfo(PVOID);
/****************************************************************************
FUNCTION: OpenMyToken
PURPOSE: Opens the token of the process of the specified window.
RETURNS : Handle to mytoken on success, or NULL on failure.
****************************************************************************/
HANDLE OpenMyToken(
HWND hwnd)
{
DWORD ThreadId;
DWORD ProcessId;
PMYTOKEN pMyToken;
HANDLE hMyToken;
ThreadId = GetWindowThreadProcessId(hwnd, &ProcessId);
DbgPrint("Process Id = %ld, ThreadId = %ld\n", ProcessId, ThreadId);
if (ThreadId == 0) {
DbgPrint("SECEDIT: GetWindowThreadProcessId failed\n");
return(NULL);
}
//
// Build a MYTOKEN structure.
hMyToken = AllocMyToken();
if (hMyToken == NULL) {
return(NULL);
}
pMyToken = (PMYTOKEN)hMyToken;
pMyToken->ProcessId = ProcessId;
pMyToken->ThreadId = ThreadId;
if (!ReadMyToken(hMyToken)) {
DbgPrint("SECEDIT : Failed to read token info\n");
Free(pMyToken);
return(NULL);
}
return(hMyToken);
}
/****************************************************************************
FUNCTION: ReadMyToken
PURPOSE: Reads the token info and stores in mytoken structure
RETURNS : TRUE on success, FALSE on failure
****************************************************************************/
BOOL ReadMyToken(
HANDLE hMyToken)
{
HANDLE Token;
PMYTOKEN pMyToken = (PMYTOKEN)hMyToken;
Token = OpenToken(hMyToken, TOKEN_QUERY);
if (Token == NULL) {
DbgPrint("SECEDIT : Failed to open the token with TOKEN_QUERY access\n");
return(FALSE);
}
if (!GetTokenInfo(Token, TokenStatistics, (PPVOID)&(pMyToken->TokenStats))) {
DbgPrint("SECEDIT : Failed to read token statistics from token\n");
}
if (!GetTokenInfo(Token, TokenGroups, (PPVOID)&(pMyToken->Groups))) {
DbgPrint("SECEDIT : Failed to read group info from token\n");
}
if (!GetTokenInfo(Token, TokenUser, (PPVOID)&(pMyToken->UserId))) {
DbgPrint("SECEDIT : Failed to read userid from token\n");
}
if (!GetTokenInfo(Token, TokenOwner, (PPVOID)&(pMyToken->DefaultOwner))) {
DbgPrint("SECEDIT : Failed to read default owner from token\n");
}
if (!GetTokenInfo(Token, TokenPrimaryGroup, (PPVOID)&(pMyToken->PrimaryGroup))) {
DbgPrint("SECEDIT : Failed to read primary group from token\n");
}
if (!GetTokenInfo(Token, TokenPrivileges, (PPVOID)&(pMyToken->Privileges))) {
DbgPrint("SECEDIT : Failed to read privilege info from token\n");
}
CloseToken(Token);
return(TRUE);
}
/****************************************************************************
FUNCTION: CloseMyToken
PURPOSE: Closes the specified mytoken handle
If fSaveChanges = TRUE, the token information is saved,
otherwise it is discarded.
RETURNS : TRUE on success, FALSE on failure.
****************************************************************************/
BOOL CloseMyToken(
HWND hDlg,
HANDLE hMyToken,
BOOL fSaveChanges)
{
if (fSaveChanges) {
WriteMyToken(hDlg, hMyToken);
}
return FreeMyToken(hMyToken);
}
/****************************************************************************
FUNCTION: AllocMyToken
PURPOSE: Allocates space for mytoken structure.
RETURNS : HANDLE to mytoken or NULL on failure.
****************************************************************************/
HANDLE AllocMyToken(VOID)
{
PMYTOKEN pMyToken;
pMyToken = (PMYTOKEN)Alloc(sizeof(MYTOKEN));
return((HANDLE)pMyToken);
}
/****************************************************************************
FUNCTION: FreeMyToken
PURPOSE: Frees the memory allocated to mytoken structure.
RETURNS : TRUE on success, FALSE on failure.
****************************************************************************/
BOOL FreeMyToken(
HANDLE hMyToken)
{
PMYTOKEN pMyToken = (PMYTOKEN)hMyToken;
if (pMyToken->TokenStats != NULL) {
FreeTokenInfo((PVOID)(pMyToken->TokenStats));
}
if (pMyToken->UserId != NULL) {
FreeTokenInfo((PVOID)(pMyToken->UserId));
}
if (pMyToken->PrimaryGroup != NULL) {
FreeTokenInfo((PVOID)(pMyToken->PrimaryGroup));
}
if (pMyToken->DefaultOwner != NULL) {
FreeTokenInfo((PVOID)(pMyToken->DefaultOwner));
}
if (pMyToken->Groups != NULL) {
FreeTokenInfo((PVOID)(pMyToken->Groups));
}
if (pMyToken->Privileges != NULL) {
FreeTokenInfo((PVOID)(pMyToken->Privileges));
}
Free((PVOID)pMyToken);
return(TRUE);
}
/****************************************************************************
FUNCTION: WriteMyToken
PURPOSE: Writes the token information out to the token
RETURNS : TRUE on success, FALSE on failure.
****************************************************************************/
BOOL WriteMyToken(
HWND hDlg,
HANDLE hMyToken)
{
PMYTOKEN pMyToken = (PMYTOKEN)hMyToken;
HANDLE Token;
//
// Save default owner and primary group
//
Token = OpenToken(hMyToken, TOKEN_ADJUST_DEFAULT);
if (Token == NULL) {
DbgPrint("SECEDIT: Failed to open token with TOKEN_ADJUST_DEFAULT access\n");
MessageBox(hDlg, "Failed to open token with access required\nUnable to change default owner or primary group", NULL, MB_ICONSTOP | MB_APPLMODAL | MB_OK);
} else {
// Set default owner
//
if ((pMyToken->DefaultOwner != NULL) &&
(!SetTokenInfo(Token, TokenOwner, (PVOID)(pMyToken->DefaultOwner)))) {
MessageBox(hDlg, "Failed to set default owner", NULL, MB_ICONSTOP | MB_APPLMODAL | MB_OK);
}
// Set primary group
//
if ((pMyToken->PrimaryGroup != NULL) &&
(!SetTokenInfo(Token, TokenPrimaryGroup, (PVOID)(pMyToken->PrimaryGroup)))) {
MessageBox(hDlg, "Failed to set primary group", NULL, MB_ICONSTOP | MB_APPLMODAL | MB_OK);
}
CloseToken(Token);
}
//
// Save group info
//
Token = OpenToken(hMyToken, TOKEN_ADJUST_GROUPS);
if (Token == NULL) {
DbgPrint("SECEDIT: Failed to open token with TOKEN_ADJUST_GROUPS access\n");
MessageBox(hDlg, "Failed to open token with access required\nUnable to change group settings", NULL, MB_ICONSTOP | MB_APPLMODAL | MB_OK);
} else {
if ((pMyToken->Groups != NULL) &&
(!SetTokenInfo(Token, TokenGroups, (PVOID)(pMyToken->Groups)))) {
MessageBox(hDlg, "Failed to change group settings", NULL, MB_ICONSTOP | MB_APPLMODAL | MB_OK);
}
CloseToken(Token);
}
//
// Change privileges
//
Token = OpenToken(hMyToken, TOKEN_ADJUST_PRIVILEGES);
if (Token == NULL) {
DbgPrint("SECEDIT: Failed to open token with TOKEN_ADJUST_PRIVILEGES access\n");
MessageBox(hDlg, "Failed to open token with access required\nUnable to change privilege settings", NULL, MB_ICONSTOP | MB_APPLMODAL | MB_OK);
} else {
if ((pMyToken->Privileges != NULL) &&
(!SetTokenInfo(Token, TokenPrivileges, (PVOID)(pMyToken->Privileges)))) {
MessageBox(hDlg, "Failed to change privilege settings", NULL, MB_ICONSTOP | MB_APPLMODAL | MB_OK);
}
CloseToken(Token);
}
return(TRUE);
}
/****************************************************************************
FUNCTION: OpenToken
PURPOSE: Opens the token with the specified access
RETURNS : Handle to token on success, or NULL on failure.
****************************************************************************/
HANDLE OpenToken(
HANDLE hMyToken,
ACCESS_MASK DesiredAccess)
{
NTSTATUS Status;
HANDLE Token;
HANDLE Process;
PMYTOKEN pMyToken = (PMYTOKEN)hMyToken;
DWORD ThreadId = pMyToken->ThreadId;
DWORD ProcessId = pMyToken->ProcessId;
Process = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, ProcessId);
if (Process == NULL) {
DbgPrint("SECEDIT: OpenProcess failed, last error = %ld\n", GetLastError());
return(NULL);
}
Status = NtOpenProcessToken(
Process,
DesiredAccess,
&Token
);
CloseHandle(Process);
if (!NT_SUCCESS(Status)) {
DbgPrint("SECEDIT: Failed to open token with access = 0x%x, status = 0x%lx\n", DesiredAccess, Status);
return(NULL);
}
return(Token);
}
/****************************************************************************
FUNCTION: CloseToken
PURPOSE: Closes the specified token handle
RETURNS : TRUE on success, FALSE on failure.
****************************************************************************/
BOOL CloseToken(
HANDLE Token)
{
NTSTATUS Status;
Status = NtClose(Token);
return(TRUE);
}
/****************************************************************************
FUNCTION: AllocTokenInfo
PURPOSE: Allocates memory to hold the parameter that
NTQueryInformationToken will return.
Memory should be freed later using FreeTokenInfo
RETURNS : Pointer to allocated memory or NULL on failure
****************************************************************************/
PVOID AllocTokenInfo(
HANDLE Token,
TOKEN_INFORMATION_CLASS TokenInformationClass)
{
NTSTATUS Status;
ULONG InfoLength;
Status = NtQueryInformationToken(
Token, // Handle
TokenInformationClass, // TokenInformationClass
NULL, // TokenInformation
0, // TokenInformationLength
&InfoLength // ReturnLength
);
if (Status != STATUS_BUFFER_TOO_SMALL) {
#ifdef NTBUILD
DbgPrint("SECEDIT: NtQueryInformationToken did NOT return buffer_too_small, status = 0x%lx\n", Status);
#endif
return(NULL);
}
return Alloc(InfoLength);
}
/****************************************************************************
FUNCTION: FreeTokenInfo
PURPOSE: Frees the memory previously allocated with AllocTokenInfo
RETURNS : TRUE on success, otherwise FALSE
****************************************************************************/
BOOL FreeTokenInfo(
PVOID Buffer)
{
return(Free(Buffer));
}
/****************************************************************************
FUNCTION: GetTokenInfo
PURPOSE: Allocates a buffer and reads the specified data
out of the token and into it.
RETURNS : TRUE on success otherwise FALSE.
****************************************************************************/
BOOL GetTokenInfo(
HANDLE Token,
TOKEN_INFORMATION_CLASS TokenInformationClass,
PPVOID pBuffer)
{
NTSTATUS Status;
ULONG BufferSize;
ULONG InfoLength;
PVOID Buffer;
*pBuffer = NULL; // Prepare for failure
Buffer = AllocTokenInfo(Token, TokenInformationClass);
if (Buffer == NULL) {
return(FALSE);
}
BufferSize = (ULONG)GetAllocSize(Buffer);
Status = NtQueryInformationToken(
Token, // Handle
TokenInformationClass, // TokenInformationClass
Buffer, // TokenInformation
BufferSize, // TokenInformationLength
&InfoLength // ReturnLength
);
if (!NT_SUCCESS(Status)) {
#ifdef NTBUILD
DbgPrint("SECEDIT: NtQueryInformationToken failed, status = 0x%lx\n", Status);
#endif
FreeTokenInfo(Buffer);
return(FALSE);
}
if (InfoLength > BufferSize) {
#ifdef NTBUILD
DbgPrint("SECEDIT: NtQueryInformationToken failed, DataSize > BufferSize");
#endif
FreeTokenInfo(Buffer);
return(FALSE);
}
*pBuffer = Buffer;
return(TRUE);
}
/****************************************************************************
FUNCTION: SetTokenInfo
PURPOSE: Sets the specified information in the given token.
RETURNS : TRUE on success otherwise FALSE.
****************************************************************************/
BOOL SetTokenInfo(
HANDLE Token,
TOKEN_INFORMATION_CLASS TokenInformationClass,
PVOID Buffer)
{
NTSTATUS Status;
ULONG BufferSize;
BufferSize = (ULONG)GetAllocSize(Buffer);
switch (TokenInformationClass) {
case TokenOwner:
case TokenPrimaryGroup:
case TokenDefaultDacl:
Status = NtSetInformationToken(
Token, // Handle
TokenInformationClass, // TokenInformationClass
Buffer, // TokenInformation
BufferSize // TokenInformationLength
);
if (!NT_SUCCESS(Status)) {
DbgPrint("SECEDIT: NtSetInformationToken failed, info class = 0x%x, status = 0x%lx\n",
TokenInformationClass, Status);
return(FALSE);
}
break;
case TokenGroups:
Status = NtAdjustGroupsToken(
Token, // Handle
FALSE, // Reset to default
(PTOKEN_GROUPS)Buffer, // New State
BufferSize, // Buffer Length
NULL, // Previous State
NULL // Return Length
);
if (!NT_SUCCESS(Status)) {
DbgPrint("SECEDIT: NtAdjustGroupsToken failed, status = 0x%lx\n", Status);
return(FALSE);
}
break;
case TokenPrivileges:
Status = NtAdjustPrivilegesToken(
Token, // Handle
FALSE, // Disable all privileges
(PTOKEN_PRIVILEGES)Buffer, // New State
BufferSize, // Buffer Length
NULL, // Previous State
NULL // Return Length
);
if (!NT_SUCCESS(Status)) {
DbgPrint("SECEDIT: NtAdjustPrivilegesToken failed, status = 0x%lx\n", Status);
return(FALSE);
}
break;
default:
// Unrecognised information type
DbgPrint("SECEDIT: SetTokenInfo passed unrecognised infoclass, class = 0x%x\n", TokenInformationClass);
return(FALSE);
}
return(TRUE);
}