You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
575 lines
16 KiB
575 lines
16 KiB
/****************************************************************************
|
|
|
|
PROGRAM: TOKEN.C
|
|
|
|
PURPOSE: Contains routines that manipulate tokens
|
|
|
|
****************************************************************************/
|
|
|
|
#include "SECEDIT.h"
|
|
|
|
HANDLE AllocMyToken(VOID);
|
|
BOOL ReadMyToken(HANDLE);
|
|
BOOL WriteMyToken(HWND, HANDLE);
|
|
BOOL FreeMyToken(HANDLE);
|
|
HANDLE OpenToken(HANDLE, ACCESS_MASK);
|
|
BOOL CloseToken(HANDLE);
|
|
PVOID AllocTokenInfo(HANDLE, TOKEN_INFORMATION_CLASS);
|
|
BOOL GetTokenInfo(HANDLE, TOKEN_INFORMATION_CLASS, PPVOID);
|
|
BOOL SetTokenInfo(HANDLE, TOKEN_INFORMATION_CLASS, PVOID);
|
|
BOOL FreeTokenInfo(PVOID);
|
|
|
|
|
|
/****************************************************************************
|
|
|
|
FUNCTION: OpenMyToken
|
|
|
|
PURPOSE: Opens the token of the process of the specified window.
|
|
|
|
RETURNS : Handle to mytoken on success, or NULL on failure.
|
|
|
|
****************************************************************************/
|
|
|
|
HANDLE OpenMyToken(
|
|
HWND hwnd)
|
|
{
|
|
DWORD ThreadId;
|
|
DWORD ProcessId;
|
|
PMYTOKEN pMyToken;
|
|
HANDLE hMyToken;
|
|
|
|
ThreadId = GetWindowThreadProcessId(hwnd, &ProcessId);
|
|
|
|
DbgPrint("Process Id = %ld, ThreadId = %ld\n", ProcessId, ThreadId);
|
|
|
|
if (ThreadId == 0) {
|
|
DbgPrint("SECEDIT: GetWindowThreadProcessId failed\n");
|
|
return(NULL);
|
|
}
|
|
|
|
//
|
|
// Build a MYTOKEN structure.
|
|
|
|
hMyToken = AllocMyToken();
|
|
if (hMyToken == NULL) {
|
|
return(NULL);
|
|
}
|
|
|
|
pMyToken = (PMYTOKEN)hMyToken;
|
|
|
|
pMyToken->ProcessId = ProcessId;
|
|
pMyToken->ThreadId = ThreadId;
|
|
|
|
if (!ReadMyToken(hMyToken)) {
|
|
DbgPrint("SECEDIT : Failed to read token info\n");
|
|
Free(pMyToken);
|
|
return(NULL);
|
|
}
|
|
|
|
return(hMyToken);
|
|
}
|
|
|
|
|
|
/****************************************************************************
|
|
|
|
FUNCTION: ReadMyToken
|
|
|
|
PURPOSE: Reads the token info and stores in mytoken structure
|
|
|
|
RETURNS : TRUE on success, FALSE on failure
|
|
|
|
****************************************************************************/
|
|
|
|
BOOL ReadMyToken(
|
|
HANDLE hMyToken)
|
|
{
|
|
HANDLE Token;
|
|
PMYTOKEN pMyToken = (PMYTOKEN)hMyToken;
|
|
|
|
Token = OpenToken(hMyToken, TOKEN_QUERY);
|
|
|
|
if (Token == NULL) {
|
|
DbgPrint("SECEDIT : Failed to open the token with TOKEN_QUERY access\n");
|
|
return(FALSE);
|
|
}
|
|
|
|
if (!GetTokenInfo(Token, TokenStatistics, (PPVOID)&(pMyToken->TokenStats))) {
|
|
DbgPrint("SECEDIT : Failed to read token statistics from token\n");
|
|
}
|
|
|
|
if (!GetTokenInfo(Token, TokenGroups, (PPVOID)&(pMyToken->Groups))) {
|
|
DbgPrint("SECEDIT : Failed to read group info from token\n");
|
|
}
|
|
|
|
if (!GetTokenInfo(Token, TokenUser, (PPVOID)&(pMyToken->UserId))) {
|
|
DbgPrint("SECEDIT : Failed to read userid from token\n");
|
|
}
|
|
|
|
if (!GetTokenInfo(Token, TokenOwner, (PPVOID)&(pMyToken->DefaultOwner))) {
|
|
DbgPrint("SECEDIT : Failed to read default owner from token\n");
|
|
}
|
|
|
|
if (!GetTokenInfo(Token, TokenPrimaryGroup, (PPVOID)&(pMyToken->PrimaryGroup))) {
|
|
DbgPrint("SECEDIT : Failed to read primary group from token\n");
|
|
}
|
|
|
|
if (!GetTokenInfo(Token, TokenPrivileges, (PPVOID)&(pMyToken->Privileges))) {
|
|
DbgPrint("SECEDIT : Failed to read privilege info from token\n");
|
|
}
|
|
|
|
CloseToken(Token);
|
|
|
|
return(TRUE);
|
|
}
|
|
|
|
|
|
/****************************************************************************
|
|
|
|
FUNCTION: CloseMyToken
|
|
|
|
PURPOSE: Closes the specified mytoken handle
|
|
If fSaveChanges = TRUE, the token information is saved,
|
|
otherwise it is discarded.
|
|
|
|
RETURNS : TRUE on success, FALSE on failure.
|
|
|
|
****************************************************************************/
|
|
|
|
BOOL CloseMyToken(
|
|
HWND hDlg,
|
|
HANDLE hMyToken,
|
|
BOOL fSaveChanges)
|
|
{
|
|
if (fSaveChanges) {
|
|
WriteMyToken(hDlg, hMyToken);
|
|
}
|
|
|
|
return FreeMyToken(hMyToken);
|
|
}
|
|
|
|
/****************************************************************************
|
|
|
|
FUNCTION: AllocMyToken
|
|
|
|
PURPOSE: Allocates space for mytoken structure.
|
|
|
|
RETURNS : HANDLE to mytoken or NULL on failure.
|
|
|
|
****************************************************************************/
|
|
|
|
HANDLE AllocMyToken(VOID)
|
|
{
|
|
PMYTOKEN pMyToken;
|
|
|
|
pMyToken = (PMYTOKEN)Alloc(sizeof(MYTOKEN));
|
|
|
|
return((HANDLE)pMyToken);
|
|
}
|
|
|
|
|
|
/****************************************************************************
|
|
|
|
FUNCTION: FreeMyToken
|
|
|
|
PURPOSE: Frees the memory allocated to mytoken structure.
|
|
|
|
RETURNS : TRUE on success, FALSE on failure.
|
|
|
|
****************************************************************************/
|
|
|
|
BOOL FreeMyToken(
|
|
HANDLE hMyToken)
|
|
{
|
|
PMYTOKEN pMyToken = (PMYTOKEN)hMyToken;
|
|
|
|
if (pMyToken->TokenStats != NULL) {
|
|
FreeTokenInfo((PVOID)(pMyToken->TokenStats));
|
|
}
|
|
|
|
if (pMyToken->UserId != NULL) {
|
|
FreeTokenInfo((PVOID)(pMyToken->UserId));
|
|
}
|
|
|
|
if (pMyToken->PrimaryGroup != NULL) {
|
|
FreeTokenInfo((PVOID)(pMyToken->PrimaryGroup));
|
|
}
|
|
|
|
if (pMyToken->DefaultOwner != NULL) {
|
|
FreeTokenInfo((PVOID)(pMyToken->DefaultOwner));
|
|
}
|
|
|
|
if (pMyToken->Groups != NULL) {
|
|
FreeTokenInfo((PVOID)(pMyToken->Groups));
|
|
}
|
|
|
|
if (pMyToken->Privileges != NULL) {
|
|
FreeTokenInfo((PVOID)(pMyToken->Privileges));
|
|
}
|
|
|
|
Free((PVOID)pMyToken);
|
|
|
|
return(TRUE);
|
|
}
|
|
|
|
|
|
/****************************************************************************
|
|
|
|
FUNCTION: WriteMyToken
|
|
|
|
PURPOSE: Writes the token information out to the token
|
|
|
|
RETURNS : TRUE on success, FALSE on failure.
|
|
|
|
****************************************************************************/
|
|
|
|
BOOL WriteMyToken(
|
|
HWND hDlg,
|
|
HANDLE hMyToken)
|
|
{
|
|
PMYTOKEN pMyToken = (PMYTOKEN)hMyToken;
|
|
HANDLE Token;
|
|
|
|
//
|
|
// Save default owner and primary group
|
|
//
|
|
|
|
Token = OpenToken(hMyToken, TOKEN_ADJUST_DEFAULT);
|
|
|
|
if (Token == NULL) {
|
|
|
|
DbgPrint("SECEDIT: Failed to open token with TOKEN_ADJUST_DEFAULT access\n");
|
|
MessageBox(hDlg, "Failed to open token with access required\nUnable to change default owner or primary group", NULL, MB_ICONSTOP | MB_APPLMODAL | MB_OK);
|
|
|
|
} else {
|
|
|
|
// Set default owner
|
|
//
|
|
if ((pMyToken->DefaultOwner != NULL) &&
|
|
(!SetTokenInfo(Token, TokenOwner, (PVOID)(pMyToken->DefaultOwner)))) {
|
|
MessageBox(hDlg, "Failed to set default owner", NULL, MB_ICONSTOP | MB_APPLMODAL | MB_OK);
|
|
}
|
|
|
|
// Set primary group
|
|
//
|
|
if ((pMyToken->PrimaryGroup != NULL) &&
|
|
(!SetTokenInfo(Token, TokenPrimaryGroup, (PVOID)(pMyToken->PrimaryGroup)))) {
|
|
MessageBox(hDlg, "Failed to set primary group", NULL, MB_ICONSTOP | MB_APPLMODAL | MB_OK);
|
|
}
|
|
|
|
CloseToken(Token);
|
|
}
|
|
|
|
//
|
|
// Save group info
|
|
//
|
|
|
|
Token = OpenToken(hMyToken, TOKEN_ADJUST_GROUPS);
|
|
|
|
if (Token == NULL) {
|
|
|
|
DbgPrint("SECEDIT: Failed to open token with TOKEN_ADJUST_GROUPS access\n");
|
|
MessageBox(hDlg, "Failed to open token with access required\nUnable to change group settings", NULL, MB_ICONSTOP | MB_APPLMODAL | MB_OK);
|
|
|
|
} else {
|
|
|
|
if ((pMyToken->Groups != NULL) &&
|
|
(!SetTokenInfo(Token, TokenGroups, (PVOID)(pMyToken->Groups)))) {
|
|
MessageBox(hDlg, "Failed to change group settings", NULL, MB_ICONSTOP | MB_APPLMODAL | MB_OK);
|
|
}
|
|
|
|
CloseToken(Token);
|
|
}
|
|
|
|
|
|
//
|
|
// Change privileges
|
|
//
|
|
|
|
Token = OpenToken(hMyToken, TOKEN_ADJUST_PRIVILEGES);
|
|
|
|
if (Token == NULL) {
|
|
|
|
DbgPrint("SECEDIT: Failed to open token with TOKEN_ADJUST_PRIVILEGES access\n");
|
|
MessageBox(hDlg, "Failed to open token with access required\nUnable to change privilege settings", NULL, MB_ICONSTOP | MB_APPLMODAL | MB_OK);
|
|
|
|
} else {
|
|
|
|
if ((pMyToken->Privileges != NULL) &&
|
|
(!SetTokenInfo(Token, TokenPrivileges, (PVOID)(pMyToken->Privileges)))) {
|
|
MessageBox(hDlg, "Failed to change privilege settings", NULL, MB_ICONSTOP | MB_APPLMODAL | MB_OK);
|
|
}
|
|
|
|
CloseToken(Token);
|
|
}
|
|
|
|
return(TRUE);
|
|
}
|
|
|
|
|
|
/****************************************************************************
|
|
|
|
FUNCTION: OpenToken
|
|
|
|
PURPOSE: Opens the token with the specified access
|
|
|
|
RETURNS : Handle to token on success, or NULL on failure.
|
|
|
|
****************************************************************************/
|
|
|
|
HANDLE OpenToken(
|
|
HANDLE hMyToken,
|
|
ACCESS_MASK DesiredAccess)
|
|
{
|
|
NTSTATUS Status;
|
|
HANDLE Token;
|
|
HANDLE Process;
|
|
PMYTOKEN pMyToken = (PMYTOKEN)hMyToken;
|
|
DWORD ThreadId = pMyToken->ThreadId;
|
|
DWORD ProcessId = pMyToken->ProcessId;
|
|
|
|
Process = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, ProcessId);
|
|
if (Process == NULL) {
|
|
DbgPrint("SECEDIT: OpenProcess failed, last error = %ld\n", GetLastError());
|
|
return(NULL);
|
|
}
|
|
|
|
Status = NtOpenProcessToken(
|
|
Process,
|
|
DesiredAccess,
|
|
&Token
|
|
);
|
|
|
|
CloseHandle(Process);
|
|
|
|
if (!NT_SUCCESS(Status)) {
|
|
DbgPrint("SECEDIT: Failed to open token with access = 0x%x, status = 0x%lx\n", DesiredAccess, Status);
|
|
return(NULL);
|
|
}
|
|
|
|
return(Token);
|
|
}
|
|
|
|
|
|
/****************************************************************************
|
|
|
|
FUNCTION: CloseToken
|
|
|
|
PURPOSE: Closes the specified token handle
|
|
|
|
RETURNS : TRUE on success, FALSE on failure.
|
|
|
|
****************************************************************************/
|
|
|
|
BOOL CloseToken(
|
|
HANDLE Token)
|
|
{
|
|
NTSTATUS Status;
|
|
|
|
Status = NtClose(Token);
|
|
|
|
return(TRUE);
|
|
}
|
|
|
|
|
|
/****************************************************************************
|
|
|
|
FUNCTION: AllocTokenInfo
|
|
|
|
PURPOSE: Allocates memory to hold the parameter that
|
|
NTQueryInformationToken will return.
|
|
Memory should be freed later using FreeTokenInfo
|
|
|
|
RETURNS : Pointer to allocated memory or NULL on failure
|
|
|
|
****************************************************************************/
|
|
|
|
PVOID AllocTokenInfo(
|
|
HANDLE Token,
|
|
TOKEN_INFORMATION_CLASS TokenInformationClass)
|
|
{
|
|
NTSTATUS Status;
|
|
ULONG InfoLength;
|
|
|
|
Status = NtQueryInformationToken(
|
|
Token, // Handle
|
|
TokenInformationClass, // TokenInformationClass
|
|
NULL, // TokenInformation
|
|
0, // TokenInformationLength
|
|
&InfoLength // ReturnLength
|
|
);
|
|
|
|
if (Status != STATUS_BUFFER_TOO_SMALL) {
|
|
#ifdef NTBUILD
|
|
DbgPrint("SECEDIT: NtQueryInformationToken did NOT return buffer_too_small, status = 0x%lx\n", Status);
|
|
#endif
|
|
return(NULL);
|
|
}
|
|
|
|
return Alloc(InfoLength);
|
|
}
|
|
|
|
|
|
/****************************************************************************
|
|
|
|
FUNCTION: FreeTokenInfo
|
|
|
|
PURPOSE: Frees the memory previously allocated with AllocTokenInfo
|
|
|
|
RETURNS : TRUE on success, otherwise FALSE
|
|
|
|
****************************************************************************/
|
|
|
|
BOOL FreeTokenInfo(
|
|
PVOID Buffer)
|
|
{
|
|
return(Free(Buffer));
|
|
}
|
|
|
|
|
|
/****************************************************************************
|
|
|
|
FUNCTION: GetTokenInfo
|
|
|
|
PURPOSE: Allocates a buffer and reads the specified data
|
|
out of the token and into it.
|
|
|
|
RETURNS : TRUE on success otherwise FALSE.
|
|
|
|
****************************************************************************/
|
|
|
|
BOOL GetTokenInfo(
|
|
HANDLE Token,
|
|
TOKEN_INFORMATION_CLASS TokenInformationClass,
|
|
PPVOID pBuffer)
|
|
{
|
|
NTSTATUS Status;
|
|
ULONG BufferSize;
|
|
ULONG InfoLength;
|
|
PVOID Buffer;
|
|
|
|
*pBuffer = NULL; // Prepare for failure
|
|
|
|
Buffer = AllocTokenInfo(Token, TokenInformationClass);
|
|
if (Buffer == NULL) {
|
|
return(FALSE);
|
|
}
|
|
|
|
BufferSize = (ULONG)GetAllocSize(Buffer);
|
|
|
|
Status = NtQueryInformationToken(
|
|
Token, // Handle
|
|
TokenInformationClass, // TokenInformationClass
|
|
Buffer, // TokenInformation
|
|
BufferSize, // TokenInformationLength
|
|
&InfoLength // ReturnLength
|
|
);
|
|
|
|
if (!NT_SUCCESS(Status)) {
|
|
#ifdef NTBUILD
|
|
DbgPrint("SECEDIT: NtQueryInformationToken failed, status = 0x%lx\n", Status);
|
|
#endif
|
|
FreeTokenInfo(Buffer);
|
|
return(FALSE);
|
|
}
|
|
|
|
if (InfoLength > BufferSize) {
|
|
#ifdef NTBUILD
|
|
DbgPrint("SECEDIT: NtQueryInformationToken failed, DataSize > BufferSize");
|
|
#endif
|
|
FreeTokenInfo(Buffer);
|
|
return(FALSE);
|
|
}
|
|
|
|
*pBuffer = Buffer;
|
|
|
|
return(TRUE);
|
|
}
|
|
|
|
|
|
/****************************************************************************
|
|
|
|
FUNCTION: SetTokenInfo
|
|
|
|
PURPOSE: Sets the specified information in the given token.
|
|
|
|
RETURNS : TRUE on success otherwise FALSE.
|
|
|
|
****************************************************************************/
|
|
|
|
BOOL SetTokenInfo(
|
|
HANDLE Token,
|
|
TOKEN_INFORMATION_CLASS TokenInformationClass,
|
|
PVOID Buffer)
|
|
{
|
|
NTSTATUS Status;
|
|
ULONG BufferSize;
|
|
|
|
BufferSize = (ULONG)GetAllocSize(Buffer);
|
|
|
|
switch (TokenInformationClass) {
|
|
|
|
case TokenOwner:
|
|
case TokenPrimaryGroup:
|
|
case TokenDefaultDacl:
|
|
|
|
Status = NtSetInformationToken(
|
|
Token, // Handle
|
|
TokenInformationClass, // TokenInformationClass
|
|
Buffer, // TokenInformation
|
|
BufferSize // TokenInformationLength
|
|
);
|
|
|
|
if (!NT_SUCCESS(Status)) {
|
|
DbgPrint("SECEDIT: NtSetInformationToken failed, info class = 0x%x, status = 0x%lx\n",
|
|
TokenInformationClass, Status);
|
|
return(FALSE);
|
|
}
|
|
break;
|
|
|
|
|
|
case TokenGroups:
|
|
|
|
Status = NtAdjustGroupsToken(
|
|
Token, // Handle
|
|
FALSE, // Reset to default
|
|
(PTOKEN_GROUPS)Buffer, // New State
|
|
BufferSize, // Buffer Length
|
|
NULL, // Previous State
|
|
NULL // Return Length
|
|
);
|
|
|
|
if (!NT_SUCCESS(Status)) {
|
|
DbgPrint("SECEDIT: NtAdjustGroupsToken failed, status = 0x%lx\n", Status);
|
|
return(FALSE);
|
|
}
|
|
break;
|
|
|
|
|
|
case TokenPrivileges:
|
|
|
|
Status = NtAdjustPrivilegesToken(
|
|
Token, // Handle
|
|
FALSE, // Disable all privileges
|
|
(PTOKEN_PRIVILEGES)Buffer, // New State
|
|
BufferSize, // Buffer Length
|
|
NULL, // Previous State
|
|
NULL // Return Length
|
|
);
|
|
|
|
if (!NT_SUCCESS(Status)) {
|
|
DbgPrint("SECEDIT: NtAdjustPrivilegesToken failed, status = 0x%lx\n", Status);
|
|
return(FALSE);
|
|
}
|
|
break;
|
|
|
|
|
|
default:
|
|
|
|
// Unrecognised information type
|
|
DbgPrint("SECEDIT: SetTokenInfo passed unrecognised infoclass, class = 0x%x\n", TokenInformationClass);
|
|
|
|
return(FALSE);
|
|
}
|
|
|
|
return(TRUE);
|
|
}
|