Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 
 
 

480 lines
9.9 KiB

/*++
Copyright(c) 1995 Microsoft Corporation
MODULE NAME
impersn.c
ABSTRACT
Impersonation routines for the automatic connection service.
AUTHOR
Anthony Discolo (adiscolo) 04-Aug-1995
REVISION HISTORY
mquinton 8/2/96 - stole this code to use in remotesp
--*/
#define UNICODE
#include <nt.h>
#include <ntrtl.h>
#include <nturtl.h>
//#include <stdlib.h>
#include <windows.h>
#include <stdio.h>
//#include <npapi.h>
#include "utils.h"
#include "imperson.h"
// some constant stuff for registry
#define SHELL_REGKEY L"\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon"
#define SHELL_REGVAL L"shell"
#define DEFAULT_SHELL L"explorer.exe"
// for remotesp dbgout
#if DBG
#define DBGOUT(arg) DbgPrt arg
VOID
DbgPrt(
IN DWORD dwDbgLevel,
IN PUCHAR DbgMessage,
IN ...
);
#else
#define DBGOUT(arg)
#endif
//
// The static information we
// need to impersonate the currently
// logged-in user.
//
HANDLE ghTokenImpersonation = NULL;
//
// Security attributes and descriptor
// necessary for creating shareable handles.
//
SECURITY_ATTRIBUTES SecurityAttributeG;
SECURITY_DESCRIPTOR SecurityDescriptorG;
PSYSTEM_PROCESS_INFORMATION
GetSystemProcessInfo()
/*++
DESCRIPTION
Return a block containing information about all processes
currently running in the system.
ARGUMENTS
None.
RETURN VALUE
A pointer to the system process information or NULL if it could
not be allocated or retrieved.
--*/
{
NTSTATUS status;
PUCHAR pLargeBuffer;
ULONG ulcbLargeBuffer = 64 * 1024;
//
// Get the process list.
//
for (;;) {
pLargeBuffer = VirtualAlloc(
NULL,
ulcbLargeBuffer, MEM_COMMIT, PAGE_READWRITE);
if (pLargeBuffer == NULL) {
LOG((TL_ERROR,
"GetSystemProcessInfo: VirtualAlloc failed (status=0x%x)",
status));
return NULL;
}
status = NtQuerySystemInformation(
SystemProcessInformation,
pLargeBuffer,
ulcbLargeBuffer,
NULL);
if (status == STATUS_SUCCESS) break;
if (status == STATUS_INFO_LENGTH_MISMATCH) {
VirtualFree(pLargeBuffer, 0, MEM_RELEASE);
ulcbLargeBuffer += 8192;
LOG((TL_INFO,
"GetSystemProcesInfo: enlarging buffer to %d",
ulcbLargeBuffer));
}
}
return (PSYSTEM_PROCESS_INFORMATION)pLargeBuffer;
} // GetSystemProcessInfo
PSYSTEM_PROCESS_INFORMATION
FindProcessByName(
IN PSYSTEM_PROCESS_INFORMATION pProcessInfo,
IN LPTSTR lpExeName
)
/*++
DESCRIPTION
Given a pointer returned by GetSystemProcessInfo(), find
a process by name.
ARGUMENTS
pProcessInfo: a pointer returned by GetSystemProcessInfo().
lpExeName: a pointer to a Unicode string containing the
process to be found.
RETURN VALUE
A pointer to the process information for the supplied
process or NULL if it could not be found.
--*/
{
PUCHAR pLargeBuffer = (PUCHAR)pProcessInfo;
ULONG ulTotalOffset = 0;
//
// Look in the process list for lpExeName.
//
for (;;)
{
if (pProcessInfo->ImageName.Buffer != NULL) {
//DBGOUT((
// 3,
// "FindProcessByName: process: %S (%d)",
// pProcessInfo->ImageName.Buffer,
// pProcessInfo->UniqueProcessId
// ));
if (!_wcsicmp(pProcessInfo->ImageName.Buffer, lpExeName))
{
return pProcessInfo;
}
}
//
// Increment offset to next process information block.
//
if (!pProcessInfo->NextEntryOffset)
{
break;
}
ulTotalOffset += pProcessInfo->NextEntryOffset;
pProcessInfo = (PSYSTEM_PROCESS_INFORMATION)&pLargeBuffer[ulTotalOffset];
}
return NULL;
} // FindProcessByName
VOID
FreeSystemProcessInfo(
IN PSYSTEM_PROCESS_INFORMATION pProcessInfo
)
/*++
DESCRIPTION
Free a buffer returned by GetSystemProcessInfo().
ARGUMENTS
pProcessInfo: the pointer returned by GetSystemProcessInfo().
RETURN VALUE
None.
--*/
{
VirtualFree((PUCHAR)pProcessInfo, 0, MEM_RELEASE);
} // FreeSystemProcessInfo
BOOLEAN
SetProcessImpersonationToken(
HANDLE hProcess
)
{
NTSTATUS status;
BOOL fDuplicated = FALSE;
HANDLE hThread, hToken;
static lCookie = 0;
//
// Open the impersonation token for the
// process we want to impersonate.
//
// Note: we use InterlockedExchange as an inexpensive mutex
//
while (InterlockedExchange (&lCookie, 1) != 0)
{
Sleep (50);
}
if (ghTokenImpersonation == NULL)
{
if (!OpenProcessToken(
hProcess,
TOKEN_ALL_ACCESS,
&hToken))
{
InterlockedExchange (&lCookie, 0);
LOG((
TL_ERROR,
"SetProcessImpersonationToken: OpenProcessToken " \
"failed, err=%d",
GetLastError()
));
return FALSE;
}
//
// Duplicate the impersonation token.
//
fDuplicated = DuplicateToken(
hToken,
TokenImpersonation,
&ghTokenImpersonation);
if (!fDuplicated)
{
InterlockedExchange (&lCookie, 0);
LOG((
TL_ERROR,
"SetProcessImpersonationToken: NtSetInformationThread " \
"failed, err=%d",
GetLastError()
));
return FALSE;
}
}
InterlockedExchange (&lCookie, 0);
//
// Set the impersonation token on the current
// thread. We are now running in the same
// security context as the supplied process.
//
hThread = NtCurrentThread();
status = NtSetInformationThread(
hThread,
ThreadImpersonationToken,
(PVOID)&ghTokenImpersonation,
sizeof (ghTokenImpersonation));
if (status != STATUS_SUCCESS)
{
LOG((TL_ERROR,
"SetProcessImpersonationToken: NtSetInformationThread failed (error=%d)",
GetLastError()));
}
if (fDuplicated)
{
CloseHandle(hToken);
CloseHandle(hThread);
}
return (status == STATUS_SUCCESS);
} // SetProcessImpersonationToken
VOID
ClearImpersonationToken()
{
//
// Clear the impersonation token on the current
// thread. We are now running in LocalSystem
// security context.
//
if (!SetThreadToken(NULL, NULL))
{
LOG((TL_ERROR,
"ClearImpersonationToken: SetThreadToken failed (error=%d)",
GetLastError()));
}
} // ClearImpersonationToken
BOOLEAN
GetCurrentlyLoggedOnUser(
HANDLE *phProcess
)
{
BOOLEAN fSuccess = FALSE;
HKEY hkey;
DWORD dwType;
DWORD dwDisp;
WCHAR szShell[512];
PSYSTEM_PROCESS_INFORMATION pSystemInfo, pProcessInfo;
PWCHAR psz;
DWORD dwSize = sizeof (szShell);
NTSTATUS status;
HANDLE hProcess = NULL;
//
// Get the shell process name. We will look for this
// to find out who the currently logged-on user is.
// Create a unicode string that describes this name.
//
wcscpy (szShell, DEFAULT_SHELL);
if (RegCreateKeyEx(
HKEY_LOCAL_MACHINE,
SHELL_REGKEY,
0,
NULL,
REG_OPTION_NON_VOLATILE,
KEY_ALL_ACCESS,
NULL,
&hkey,
&dwDisp) == ERROR_SUCCESS)
{
if (RegQueryValueEx(
hkey,
SHELL_REGVAL,
NULL,
&dwType,
(PBYTE)&szShell,
&dwSize) == ERROR_SUCCESS)
{
//
// Remove parameters from command line.
//
psz = szShell;
while (*psz != L' ' && *psz != L'\0')
psz++;
*psz = L'\0';
}
RegCloseKey(hkey);
}
LOG((TL_INFO,
"ImpersonateCurrentlyLoggedInUser: shell is %S",
&szShell));
//
// Get the process list.
//
pSystemInfo = GetSystemProcessInfo();
//
// See if szShell is running.
//
pProcessInfo = pSystemInfo ?
FindProcessByName(pSystemInfo, (LPTSTR)&szShell) : NULL;
if (pProcessInfo != NULL)
{
HANDLE hToken;
//
// Open the process.
//
hProcess = OpenProcess(
PROCESS_ALL_ACCESS,
FALSE,
(DWORD) ((ULONG_PTR) pProcessInfo->UniqueProcessId)
);
if (hProcess == NULL)
{
LOG((TL_ERROR,
"ImpersonateCurrentlyLoggedInUser: OpenProcess(x%x) failed (dwErr=%d)",
pProcessInfo->UniqueProcessId,
GetLastError()));
}
fSuccess = (hProcess != NULL);
}
//
// Free resources.
//
if (pSystemInfo)
{
FreeSystemProcessInfo(pSystemInfo);
}
//
// Return process handle.
//
*phProcess = hProcess;
return fSuccess;
} // GetCurrentlyLoggedOnUser
VOID
RevertImpersonation()
/*++
DESCRIPTION
Close all open handles associated with the
logged-in user who has just logged out.
ARGUMENTS
None.
RETURN VALUE
None.
--*/
{
CloseHandle (ghTokenImpersonation);
ghTokenImpersonation = NULL;
} // RevertImpersonation