/*++ Copyright (c) 1989 Microsoft Corporation Module Name: token.c Abstract: This module implements the initialization, open, duplicate and other services of the executive token object. Author: Jim Kelly (JimK) 5-April-1990 Environment: Kernel mode only. Revision History: v15: robertre updated ACL_REVISION --*/ #include "pch.h" #pragma hdrstop BOOLEAN SepComparePrivilegeAndAttributeArrays( IN PLUID_AND_ATTRIBUTES PrivilegeArray1, IN ULONG Count1, IN PLUID_AND_ATTRIBUTES PrivilegeArray2, IN ULONG Count2 ); BOOLEAN SepCompareSidAndAttributeArrays( IN PSID_AND_ATTRIBUTES SidArray1, IN ULONG Count1, IN PSID_AND_ATTRIBUTES SidArray2, IN ULONG Count2 ); #ifdef ALLOC_PRAGMA #pragma alloc_text(PAGE,SeTokenType) #pragma alloc_text(PAGE,SeTokenIsAdmin) #pragma alloc_text(PAGE,SeTokenIsRestricted) #pragma alloc_text(PAGE,SeTokenImpersonationLevel) #pragma alloc_text(PAGE,SeAssignPrimaryToken) #pragma alloc_text(PAGE,SeDeassignPrimaryToken) #pragma alloc_text(PAGE,SeExchangePrimaryToken) #pragma alloc_text(PAGE,SeGetTokenControlInformation) #pragma alloc_text(INIT,SeMakeSystemToken) #pragma alloc_text(INIT,SeMakeAnonymousToken) #pragma alloc_text(INIT,SeMakeAnonymousLogonToken) #pragma alloc_text(PAGE,SeSubProcessToken) #pragma alloc_text(INIT,SepTokenInitialization) #pragma alloc_text(PAGE,NtCreateToken) #pragma alloc_text(PAGE,SepTokenDeleteMethod) #pragma alloc_text(PAGE,SepCreateToken) #pragma alloc_text(PAGE,SepIdAssignableAsOwner) #pragma alloc_text(PAGE,SeIsChildToken) #pragma alloc_text(PAGE,SeIsChildTokenByPointer) #pragma alloc_text(PAGE,NtImpersonateAnonymousToken) #pragma alloc_text(PAGE,NtCompareTokens) #pragma alloc_text(PAGE,SepComparePrivilegeAndAttributeArrays) #pragma alloc_text(PAGE,SepCompareSidAndAttributeArrays) #pragma alloc_text(PAGE,SeAddSaclToProcess) #endif //////////////////////////////////////////////////////////////////////// // // // Global Variables // // // //////////////////////////////////////////////////////////////////////// // // Generic mapping of access types // #ifdef ALLOC_DATA_PRAGMA #pragma data_seg("PAGEDATA") #pragma const_seg("INITCONST") #endif const GENERIC_MAPPING SepTokenMapping = { TOKEN_READ, TOKEN_WRITE, TOKEN_EXECUTE, TOKEN_ALL_ACCESS }; // // Address of token object type descriptor. // POBJECT_TYPE SeTokenObjectType = NULL; // // Used to track whether or not a system token has been created or not. // #if DBG BOOLEAN SystemTokenCreated = FALSE; #endif //DBG // // Used to control the active token diagnostic support provided // #ifdef TOKEN_DIAGNOSTICS_ENABLED ULONG TokenGlobalFlag = 0; #endif // TOKEN_DIAGNOSTICS_ENABLED //////////////////////////////////////////////////////////////////////// // // // Token Object Routines & Methods // // // //////////////////////////////////////////////////////////////////////// TOKEN_TYPE SeTokenType( IN PACCESS_TOKEN Token ) /*++ Routine Description: This function returns the type of an instance of a token (TokenPrimary, or TokenImpersonation). Arguments: Token - Points to the token whose type is to be returned. Return Value: The token's type. --*/ { PAGED_CODE(); return (((PTOKEN)Token)->TokenType); } NTKERNELAPI BOOLEAN SeTokenIsAdmin( IN PACCESS_TOKEN Token ) /*++ Routine Description: Returns if the token is a member of the local admin group. Arguments: Token - Points to the token. Return Value: TRUE - Token contains the local admin group FALSE - no admin. --*/ { PAGED_CODE(); return ((((PTOKEN)Token)->TokenFlags & TOKEN_HAS_ADMIN_GROUP) != 0 ); } NTKERNELAPI BOOLEAN SeTokenIsRestricted( IN PACCESS_TOKEN Token ) /*++ Routine Description: Returns if the token is a restricted token. Arguments: Token - Points to the token. Return Value: TRUE - Token contains restricted sids FALSE - no admin. --*/ { PAGED_CODE(); return ((((PTOKEN)Token)->TokenFlags & TOKEN_IS_RESTRICTED) != 0 ); } SECURITY_IMPERSONATION_LEVEL SeTokenImpersonationLevel( IN PACCESS_TOKEN Token ) /*++ Routine Description: This function returns the impersonation level of a token. The token is assumed to be a TokenImpersonation type token. Arguments: Token - Points to the token whose impersonation level is to be returned. Return Value: The token's impersonation level. --*/ { PAGED_CODE(); return ((PTOKEN)Token)->ImpersonationLevel; } BOOLEAN SepCheckTokenForCoreSystemSids( IN PACCESS_TOKEN Token ) /*++ Routine Description: Perform an access-check against SepImportantProcessSd to determine if the passed token has at least one of the sids present in the ACEs of SepImportantProcessSd. Arguments: Token - a token Return Value: TRUE if Token has at least one of the required SIDs, FALSE otherwise Notes: --*/ { ACCESS_MASK GrantedAccess = 0; NTSTATUS AccessStatus = STATUS_ACCESS_DENIED; PAGED_CODE(); (void) SepAccessCheck( SepImportantProcessSd, NULL, Token, NULL, SEP_QUERY_MEMBERSHIP, NULL, 0, &GenericMappingForMembershipCheck, 0, KernelMode, &GrantedAccess, NULL, &AccessStatus, 0, NULL, NULL ); return AccessStatus == STATUS_SUCCESS; } VOID SeAddSaclToProcess( IN PEPROCESS Process, IN PACCESS_TOKEN Token, IN PVOID Reserved ) /*++ Routine Description: If 'Token' has at least one of the sids present in the ACEs of SepImportantProcessSd, add a SACL to the security descriptor of 'Process' as defined by SepProcessAuditSd. Arguments: Process - process to add SACL to Token - token to examine Return Value: None Notes: --*/ { NTSTATUS Status; SECURITY_INFORMATION SecurityInformationSacl = SACL_SECURITY_INFORMATION; POBJECT_HEADER ObjectHeader; PAGED_CODE(); // quickly return if this feature is disabled // (indicated by SeProcessAuditSd == NULL) // if ( SepProcessAuditSd == NULL ) { return; } // // if the token does not have core system sids then return // without adding SACL. // (see comment on SepImportantProcessSd in seglobal.c for more info) // if (!SepCheckTokenForCoreSystemSids( Token )) { return; } ObjectHeader = OBJECT_TO_OBJECT_HEADER( Process ); // // add SACL to existing security descriptor on 'Process' // Status = ObSetSecurityDescriptorInfo( Process, &SecurityInformationSacl, SepProcessAuditSd, &ObjectHeader->SecurityDescriptor, NonPagedPool, &ObjectHeader->Type->TypeInfo.GenericMapping ); if (!NT_SUCCESS( Status )) { // // STATUS_NO_SECURITY_ON_OBJECT should be returned only once during // boot when the initial system process is created. // if ( Status != STATUS_NO_SECURITY_ON_OBJECT ) { ASSERT( L"SeAddSaclToProcess: ObSetSecurityDescriptorInfo failed" && FALSE ); // // this will bugcheck if SepCrashOnAuditFail is TRUE // SepAuditFailed(); } } } VOID SeAssignPrimaryToken( IN PEPROCESS Process, IN PACCESS_TOKEN Token ) /*++ Routine Description: This function establishes a primary token for a process. Arguments: Token - Points to the new primary token. Return Value: None. --*/ { NTSTATUS Status; PTOKEN NewToken = (PTOKEN)Token; PAGED_CODE(); ASSERT(NewToken->TokenType == TokenPrimary); ASSERT( !NewToken->TokenInUse ); // // audit the assignment of a primary token, if requested // if (SeDetailedAuditing) { SepAuditAssignPrimaryToken( Process, Token ); } // // If the token being assigned to the child process has // any one of the following SIDs, then the process // is considered to be a system process: // -- SeLocalSystemSid // -- SeLocalServiceSid // -- SeNetworkServiceSid // // For such a process, add SACL to its security descriptor // if that option is enabled. If the option is disabled, // this function returns very quickly. // //SeAddSaclToProcess( Process, Token, NULL ); // // Dereference the old token if there is one. // // Processes typically already have a token that must be // dereferenced. There are two cases where this may not // be the situation. First, during phase 0 system initialization, // the initial system process starts out without a token. Second, // if an error occurs during process creation, we may be cleaning // up a process that hasn't yet had a primary token assigned. // if (!ExFastRefObjectNull (Process->Token)) { SeDeassignPrimaryToken( Process ); } ObReferenceObject(NewToken); NewToken->TokenInUse = TRUE; ObInitializeFastReference (&Process->Token, Token); return; } VOID SeDeassignPrimaryToken( IN PEPROCESS Process ) /*++ Routine Description: This function causes a process reference to a token to be dropped. Arguments: Process - Points to the process whose primary token is no longer needed. This is probably only the case at process deletion or when a primary token is being replaced. Return Value: None. --*/ { PTOKEN OldToken = (PTOKEN) ObFastReplaceObject (&Process->Token, NULL); PAGED_CODE(); ASSERT(OldToken->TokenType == TokenPrimary); ASSERT(OldToken->TokenInUse); OldToken->TokenInUse = FALSE; ObDereferenceObject( OldToken ); return; } NTSTATUS SeExchangePrimaryToken( IN PEPROCESS Process, IN PACCESS_TOKEN NewAccessToken, OUT PACCESS_TOKEN *OldAccessToken ) /*++ Routine Description: This function is used to perform the portions of changing a primary token that reference the internals of token structures. The new token is checked to make sure it is not already in use. The !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!! WARNING WARNING WARNING !!!!!!!! !!!!!!!! !!!!!!!! !!!!!!!! THIS ROUTINE MUST BE CALLED WITH THE GOBAL !!!!!!!! !!!!!!!! PROCESS SECURITY FIELDS LOCK HELD !!!!!!!! !!!!!!!! !!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Arguments: Process - Points to the process whose primary token is being exchanged. NewAccessToken - Points to the process's new primary token. OldAccessToken - Receives a pointer to the process's current token. The caller is responsible for dereferencing this token when it is no longer needed. This can't be done while the process security locks are held. Return Value: STATUS_SUCCESS - Everything has been updated. STATUS_TOKEN_ALREADY_IN_USE - A primary token can only be used by a single process. That is, each process must have its own primary token. The token passed to be assigned as the primary token is already in use as a primary token. STATUS_BAD_TOKEN_TYPE - The new token is not a primary token. --*/ { NTSTATUS Status; PTOKEN OldToken = (PTOKEN)ExFastRefGetObject (Process->Token); PTOKEN NewToken = (PTOKEN)NewAccessToken; PAGED_CODE(); // // We need to access the security fields of both tokens. // Access to these fields is guarded by the global Process Security // fields lock. // ASSERT(OldToken->TokenType == TokenPrimary); ASSERT(OldToken->TokenInUse); // // Make sure the new token is a primary token... // if ( NewToken->TokenType != TokenPrimary ) { return(STATUS_BAD_TOKEN_TYPE); } // // and that it is not already in use... // if (NewToken->TokenInUse) { return(STATUS_TOKEN_ALREADY_IN_USE); } // // Ensure SessionId consistent for hydra // NewToken->SessionId = OldToken->SessionId ; // // audit the assignment of a primary token, if requested // if (SeDetailedAuditing) { SepAuditAssignPrimaryToken( Process, NewToken ); } // // If the token being assigned to this process has // any one of the following SIDs, then the process // is considered to be a system process: // -- SeLocalSystemSid // -- SeLocalServiceSid // -- SeNetworkServiceSid // // For such a process, add SACL to its security descriptor // if that option is enabled. If the option is disabled, // this function returns very quickly. // //SeAddSaclToProcess( Process, NewToken, NULL ); // // Switch the tokens // NewToken->TokenInUse = TRUE; ObReferenceObject(NewToken); ObFastReplaceObject (&Process->Token, NewAccessToken); // // Mark the token as "NOT USED" // OldToken->TokenInUse = FALSE; // // Return the pointer to the old token. The caller // is responsible for dereferencing it if they don't need it. // (*OldAccessToken) = OldToken; return (STATUS_SUCCESS); } VOID SeGetTokenControlInformation ( IN PACCESS_TOKEN Token, OUT PTOKEN_CONTROL TokenControl ) /*++ Routine Description: This routine is provided for communication session layers, or any other executive component that needs to keep track of whether a caller's security context has changed between calls. Communication session layers will need to check this, for some security quality of service modes, to determine whether or not a server's security context needs to be updated to reflect changes in the client's security context. This routine will also be useful to communications subsystems that need to retrieve client' authentication information from the local security authority in order to perform a remote authentication. Parameters: Token - Points to the token whose information is to be retrieved. TokenControl - Points to the buffer to receive the token control information. Return Value: None. --*/ { PAGED_CODE(); // // acquire exclusive access to the token // SepAcquireTokenReadLock( (PTOKEN)Token ); // // Grab the data and run // TokenControl->TokenId = ((TOKEN *)Token)->TokenId; TokenControl->AuthenticationId = ((TOKEN *)Token)->AuthenticationId; TokenControl->ModifiedId = ((TOKEN *)Token)->ModifiedId; TokenControl->TokenSource = ((TOKEN *)Token)->TokenSource; SepReleaseTokenReadLock( (PTOKEN)Token ); return; } PACCESS_TOKEN SeMakeSystemToken () /*++ Routine Description: This routine is provided for use by executive components DURING SYSTEM INITIALIZATION ONLY. It creates a token for use by system components. A system token has the following characteristics: - It has LOCAL_SYSTEM as its user ID - It has the following groups with the corresponding attributes: ADMINS_ALIAS EnabledByDefault | Enabled | Owner WORLD EnabledByDefault | Enabled | Mandatory ADMINISTRATORS (alias) Owner (disabled) AUTHENTICATED_USER EnabledByDefault | Enabled | Mandatory - It has LOCAL_SYSTEM as its primary group. - It has the privileges shown in comments below. - It has protection that provides TOKEN_ALL_ACCESS to the LOCAL_SYSTEM ID. - It has a default ACL that grants GENERIC_ALL access to LOCAL_SYSTEM and GENERIC_EXECUTE to WORLD. Parameters: None. Return Value: Pointer to a system token. --*/ { NTSTATUS Status; PVOID Token; SID_AND_ATTRIBUTES UserId; TOKEN_PRIMARY_GROUP PrimaryGroup; PSID_AND_ATTRIBUTES GroupIds; ULONG GroupIdsLength; LUID_AND_ATTRIBUTES Privileges[30]; PACL TokenAcl; PSID Owner; ULONG NormalGroupAttributes; ULONG OwnerGroupAttributes; ULONG Length; OBJECT_ATTRIBUTES TokenObjectAttributes; PSECURITY_DESCRIPTOR TokenSecurityDescriptor; ULONG BufferLength; PVOID Buffer; ULONG_PTR GroupIdsBuffer[128 * sizeof(ULONG) / sizeof(ULONG_PTR)]; TIME_FIELDS TimeFields; LARGE_INTEGER NoExpiration; PAGED_CODE(); // // Make sure only one system token gets created. // #if DBG ASSERT( !SystemTokenCreated ); SystemTokenCreated = TRUE; #endif //DBG // // Set up expiration times // TimeFields.Year = 3000; TimeFields.Month = 1; TimeFields.Day = 1; TimeFields.Hour = 1; TimeFields.Minute = 1; TimeFields.Second = 1; TimeFields.Milliseconds = 1; TimeFields.Weekday = 1; RtlTimeFieldsToTime( &TimeFields, &NoExpiration ); // // // // The amount of memory used in the following is gross overkill, but // // it is freed up immediately after creating the token. // // // // GroupIds = (PSID_AND_ATTRIBUTES)ExAllocatePool( NonPagedPool, 512 ); GroupIds = (PSID_AND_ATTRIBUTES)GroupIdsBuffer; // // Set up the attributes to be assigned to groups // NormalGroupAttributes = (SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED ); OwnerGroupAttributes = (SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED | SE_GROUP_OWNER ); // // Set up the user ID // UserId.Sid = SeLocalSystemSid; UserId.Attributes = 0; // // Set up the groups // GroupIds->Sid = SeAliasAdminsSid; (GroupIds+1)->Sid = SeWorldSid; (GroupIds+2)->Sid = SeAuthenticatedUsersSid; GroupIds->Attributes = OwnerGroupAttributes; (GroupIds+1)->Attributes = NormalGroupAttributes; (GroupIds+2)->Attributes = NormalGroupAttributes; GroupIdsLength = (ULONG)LongAlignSize(SeLengthSid(GroupIds->Sid)) + (ULONG)LongAlignSize(SeLengthSid((GroupIds+1)->Sid)) + (ULONG)LongAlignSize(SeLengthSid((GroupIds+2)->Sid)) + sizeof(SID_AND_ATTRIBUTES); ASSERT( GroupIdsLength <= 128 * sizeof(ULONG) ); // // Privileges // // // The privileges in the system token are as follows: // // Privilege Name Attributes // -------------- ---------- // // SeTcbPrivilege enabled/enabled by default // SeCreateTokenPrivilege DISabled/NOT enabled by default // SeTakeOwnershipPrivilege DISabled/NOT enabled by default // SeCreatePagefilePrivilege enabled/enabled by default // SeLockMemoryPrivilege enabled/enabled by default // SeAssignPrimaryTokenPrivilege DISabled/NOT enabled by default // SeIncreaseQuotaPrivilege DISabled/NOT enabled by default // SeIncreaseBasePriorityPrivilege enabled/enabled by default // SeCreatePermanentPrivilege enabled/enabled by default // SeDebugPrivilege enabled/enabled by default // SeAuditPrivilege enabled/enabled by default // SeSecurityPrivilege DISabled/NOT enabled by default // SeSystemEnvironmentPrivilege DISabled/NOT enabled by default // SeChangeNotifyPrivilege enabled/enabled by default // SeBackupPrivilege DISabled/NOT enabled by default // SeRestorePrivilege DISabled/NOT enabled by default // SeShutdownPrivilege DISabled/NOT enabled by default // SeLoadDriverPrivilege DISabled/NOT enabled by default // SeProfileSingleProcessPrivilege enabled/enabled by default // SeSystemtimePrivilege DISabled/NOT enabled by default // SeUndockPrivilege DISabled/NOT enabled by default // // The following privileges are not present, and should never be present in // the local system token: // // SeRemoteShutdownPrivilege no one can come in as local system // SeSyncAgentPrivilege only users specified by the admin can // be sync agents // SeEnableDelegationPrivilege only users specified by the admin can // enable delegation on accounts. // Privileges[0].Luid = SeTcbPrivilege; Privileges[0].Attributes = (SE_PRIVILEGE_ENABLED_BY_DEFAULT | // Enabled by default SE_PRIVILEGE_ENABLED); // Enabled Privileges[1].Luid = SeCreateTokenPrivilege; Privileges[1].Attributes = 0; // Only the LSA should enable this. Privileges[2].Luid = SeTakeOwnershipPrivilege; Privileges[2].Attributes = 0; Privileges[3].Luid = SeCreatePagefilePrivilege; Privileges[3].Attributes = (SE_PRIVILEGE_ENABLED_BY_DEFAULT | // Enabled by default SE_PRIVILEGE_ENABLED); // Enabled Privileges[4].Luid = SeLockMemoryPrivilege; Privileges[4].Attributes = (SE_PRIVILEGE_ENABLED_BY_DEFAULT | // Enabled by default SE_PRIVILEGE_ENABLED); // Enabled Privileges[5].Luid = SeAssignPrimaryTokenPrivilege; Privileges[5].Attributes = 0; // disabled, not enabled by default Privileges[6].Luid = SeIncreaseQuotaPrivilege; Privileges[6].Attributes = 0; // disabled, not enabled by default Privileges[7].Luid = SeIncreaseBasePriorityPrivilege; Privileges[7].Attributes = (SE_PRIVILEGE_ENABLED_BY_DEFAULT | // Enabled by default SE_PRIVILEGE_ENABLED); // Enabled Privileges[8].Luid = SeCreatePermanentPrivilege; Privileges[8].Attributes = (SE_PRIVILEGE_ENABLED_BY_DEFAULT | // Enabled by default SE_PRIVILEGE_ENABLED); // Enabled Privileges[9].Luid = SeDebugPrivilege; Privileges[9].Attributes = (SE_PRIVILEGE_ENABLED_BY_DEFAULT | // Enabled by default SE_PRIVILEGE_ENABLED); // Enabled Privileges[10].Luid = SeAuditPrivilege; Privileges[10].Attributes = (SE_PRIVILEGE_ENABLED_BY_DEFAULT | // Enabled by default SE_PRIVILEGE_ENABLED); // Enabled Privileges[11].Luid = SeSecurityPrivilege; Privileges[11].Attributes = 0; // disabled, not enabled by default Privileges[12].Luid = SeSystemEnvironmentPrivilege; Privileges[12].Attributes = 0; // disabled, not enabled by default Privileges[13].Luid = SeChangeNotifyPrivilege; Privileges[13].Attributes = (SE_PRIVILEGE_ENABLED_BY_DEFAULT | // Enabled by default SE_PRIVILEGE_ENABLED); // Enabled Privileges[14].Luid = SeBackupPrivilege; Privileges[14].Attributes = 0; // disabled, not enabled by default Privileges[15].Luid = SeRestorePrivilege; Privileges[15].Attributes = 0; // disabled, not enabled by default Privileges[16].Luid = SeShutdownPrivilege; Privileges[16].Attributes = 0; // disabled, not enabled by default Privileges[17].Luid = SeLoadDriverPrivilege; Privileges[17].Attributes = 0; // disabled, not enabled by default Privileges[18].Luid = SeProfileSingleProcessPrivilege; Privileges[18].Attributes = (SE_PRIVILEGE_ENABLED_BY_DEFAULT | // Enabled by default SE_PRIVILEGE_ENABLED); // Enabled Privileges[19].Luid = SeSystemtimePrivilege; Privileges[19].Attributes = 0; // disabled, not enabled by default Privileges[20].Luid = SeUndockPrivilege ; Privileges[20].Attributes = 0 ; // disabled, not enabled by default Privileges[21].Luid = SeManageVolumePrivilege ; Privileges[21].Attributes = 0 ; // disabled, not enabled by default //BEFORE ADDING ANOTHER PRIVILEGE ^^ HERE ^^ CHECK THE ARRAY BOUND //ALSO INCREMENT THE PRIVILEGE COUNT IN THE SepCreateToken() call // // Establish the primary group and default owner // PrimaryGroup.PrimaryGroup = SeLocalSystemSid; // Primary group Owner = SeAliasAdminsSid; // Default owner // // Set up an ACL to protect token as well ... // give system full reign of terror. This includes user-mode components // running as part of the system. // Length = (ULONG)sizeof(ACL) + ((ULONG)sizeof(ACCESS_ALLOWED_ACE) - sizeof(ULONG)) + SeLengthSid( SeLocalSystemSid ) ; TokenAcl = (PACL)ExAllocatePoolWithTag(PagedPool, Length, 'cAeS'); if ( TokenAcl == NULL ) { return NULL ; } Status = RtlCreateAcl( TokenAcl, Length, ACL_REVISION2); ASSERT( NT_SUCCESS(Status) ); Status = RtlAddAccessAllowedAce ( TokenAcl, ACL_REVISION2, TOKEN_ALL_ACCESS, SeLocalSystemSid ); ASSERT( NT_SUCCESS(Status) ); TokenSecurityDescriptor = (PSECURITY_DESCRIPTOR)ExAllocatePoolWithTag( PagedPool, sizeof(SECURITY_DESCRIPTOR), 'dSeS' ); if ( TokenSecurityDescriptor == NULL ) { ExFreePool( TokenAcl ); return NULL ; } Status = RtlCreateSecurityDescriptor( TokenSecurityDescriptor, SECURITY_DESCRIPTOR_REVISION ); ASSERT( NT_SUCCESS(Status) ); Status = RtlSetDaclSecurityDescriptor ( TokenSecurityDescriptor, TRUE, TokenAcl, FALSE ); ASSERT( NT_SUCCESS(Status) ); Status = RtlSetOwnerSecurityDescriptor ( TokenSecurityDescriptor, SeAliasAdminsSid, FALSE // Owner defaulted ); ASSERT( NT_SUCCESS(Status) ); Status = RtlSetGroupSecurityDescriptor ( TokenSecurityDescriptor, SeAliasAdminsSid, FALSE // Group defaulted ); ASSERT( NT_SUCCESS(Status) ); // // Create the system token // #ifdef TOKEN_DEBUG //////////////////////////////////////////////////////////////////////////// // // Debug DbgPrint("\n Creating system token...\n"); // Debug // //////////////////////////////////////////////////////////////////////////// #endif //TOKEN_DEBUG InitializeObjectAttributes( &TokenObjectAttributes, NULL, 0, NULL, TokenSecurityDescriptor ); ASSERT(SeSystemDefaultDacl != NULL); Status = SepCreateToken( (PHANDLE)&Token, KernelMode, 0, // No handle created for system token &TokenObjectAttributes, TokenPrimary, (SECURITY_IMPERSONATION_LEVEL)0, (PLUID)&SeSystemAuthenticationId, &NoExpiration, &UserId, 3, // GroupCount GroupIds, GroupIdsLength, 22, // privileges Privileges, Owner, PrimaryGroup.PrimaryGroup, SeSystemDefaultDacl, (PTOKEN_SOURCE)&SeSystemTokenSource, TRUE, // System token NULL, NULL ); ASSERT(NT_SUCCESS(Status)); // // We can free the old one now. // ExFreePool( TokenAcl ); ExFreePool( TokenSecurityDescriptor ); return (PACCESS_TOKEN)Token; } PACCESS_TOKEN SeMakeAnonymousLogonTokenNoEveryone ( VOID ) /*++ Routine Description: This routine is provided for use by executive components DURING SYSTEM INITIALIZATION ONLY. It creates a token for use by system components. A system token has the following characteristics: - It has ANONYMOUS_LOGON as its user ID - It has no privileges - It has protection that provides TOKEN_ALL_ACCESS to the WORLD ID. - It has a default ACL that grants GENERIC_ALL access to WORLD. Parameters: None. Return Value: Pointer to a system token. --*/ { NTSTATUS Status; PVOID Token; SID_AND_ATTRIBUTES UserId; TOKEN_PRIMARY_GROUP PrimaryGroup; PACL TokenAcl; PSID Owner; ULONG Length; OBJECT_ATTRIBUTES TokenObjectAttributes; PSECURITY_DESCRIPTOR TokenSecurityDescriptor; TIME_FIELDS TimeFields; LARGE_INTEGER NoExpiration; PAGED_CODE(); // // Set up expiration times // TimeFields.Year = 3000; TimeFields.Month = 1; TimeFields.Day = 1; TimeFields.Hour = 1; TimeFields.Minute = 1; TimeFields.Second = 1; TimeFields.Milliseconds = 1; TimeFields.Weekday = 1; RtlTimeFieldsToTime( &TimeFields, &NoExpiration ); // // Set up the user ID // UserId.Sid = SeAnonymousLogonSid; UserId.Attributes = 0; // // Establish the primary group and default owner // PrimaryGroup.PrimaryGroup = SeAnonymousLogonSid; // Primary group // // Set up an ACL to protect token as well ... // Let everyone read/write. However, the token is dup'ed before we given // anyone a handle to it. // Length = (ULONG)sizeof(ACL) + (ULONG)sizeof(ACCESS_ALLOWED_ACE) + SeLengthSid( SeWorldSid ) + (ULONG)sizeof(ACCESS_ALLOWED_ACE) + SeLengthSid( SeAnonymousLogonSid ); ASSERT( Length < 200 ); TokenAcl = (PACL)ExAllocatePoolWithTag(PagedPool, 200, 'cAeS'); if ( !TokenAcl ) { return NULL ; } Status = RtlCreateAcl( TokenAcl, Length, ACL_REVISION2); ASSERT( NT_SUCCESS(Status) ); Status = RtlAddAccessAllowedAce ( TokenAcl, ACL_REVISION2, TOKEN_ALL_ACCESS, SeWorldSid ); ASSERT( NT_SUCCESS(Status) ); Status = RtlAddAccessAllowedAce ( TokenAcl, ACL_REVISION2, TOKEN_ALL_ACCESS, SeAnonymousLogonSid ); ASSERT( NT_SUCCESS(Status) ); TokenSecurityDescriptor = (PSECURITY_DESCRIPTOR)ExAllocatePoolWithTag( PagedPool, SECURITY_DESCRIPTOR_MIN_LENGTH, 'dSeS' ); if ( !TokenSecurityDescriptor ) { ExFreePool( TokenAcl ); return NULL ; } Status = RtlCreateSecurityDescriptor( TokenSecurityDescriptor, SECURITY_DESCRIPTOR_REVISION ); ASSERT( NT_SUCCESS(Status) ); Status = RtlSetDaclSecurityDescriptor ( TokenSecurityDescriptor, TRUE, TokenAcl, FALSE ); ASSERT( NT_SUCCESS(Status) ); Status = RtlSetOwnerSecurityDescriptor ( TokenSecurityDescriptor, SeWorldSid, FALSE // Owner defaulted ); ASSERT( NT_SUCCESS(Status) ); Status = RtlSetGroupSecurityDescriptor ( TokenSecurityDescriptor, SeWorldSid, FALSE // Group defaulted ); ASSERT( NT_SUCCESS(Status) ); // // Create the system token // #ifdef TOKEN_DEBUG //////////////////////////////////////////////////////////////////////////// // // Debug DbgPrint("\n Creating system token...\n"); // Debug // //////////////////////////////////////////////////////////////////////////// #endif //TOKEN_DEBUG InitializeObjectAttributes( &TokenObjectAttributes, NULL, 0, NULL, TokenSecurityDescriptor ); Status = SepCreateToken( (PHANDLE)&Token, KernelMode, 0, // No handle created for system token &TokenObjectAttributes, TokenPrimary, (SECURITY_IMPERSONATION_LEVEL)0, (PLUID)&SeAnonymousAuthenticationId, &NoExpiration, &UserId, 0, // GroupCount NULL, // Group IDs 0, // Group byte count 0, // no privileges NULL, // no Privileges, NULL, PrimaryGroup.PrimaryGroup, TokenAcl, (PTOKEN_SOURCE)&SeSystemTokenSource, TRUE, // System token NULL, NULL ); ASSERT(NT_SUCCESS(Status)); // // We can free the old one now. // ExFreePool( TokenAcl ); ExFreePool( TokenSecurityDescriptor ); return (PACCESS_TOKEN)Token; } PACCESS_TOKEN SeMakeAnonymousLogonToken ( VOID ) /*++ Routine Description: This routine is provided for use by executive components DURING SYSTEM INITIALIZATION ONLY. It creates a token for use by system components. A system token has the following characteristics: - It has ANONYMOUS_LOGON as its user ID - It has the following groups with the corresponding attributes: WORLD EnabledByDefault | Enabled | Mandatory - It has WORLD as its primary group. - It has no privileges - It has protection that provides TOKEN_ALL_ACCESS to the WORLD ID. - It has a default ACL that grants GENERIC_ALL access to WORLD. Parameters: None. Return Value: Pointer to a system token. --*/ { NTSTATUS Status; PVOID Token; SID_AND_ATTRIBUTES UserId; PSID_AND_ATTRIBUTES GroupIds; TOKEN_PRIMARY_GROUP PrimaryGroup; ULONG GroupIdsLength; PACL TokenAcl; PSID Owner; ULONG NormalGroupAttributes; ULONG Length; OBJECT_ATTRIBUTES TokenObjectAttributes; PSECURITY_DESCRIPTOR TokenSecurityDescriptor; ULONG_PTR GroupIdsBuffer[128 * sizeof(ULONG) / sizeof(ULONG_PTR)]; TIME_FIELDS TimeFields; LARGE_INTEGER NoExpiration; PAGED_CODE(); // // Set up expiration times // TimeFields.Year = 3000; TimeFields.Month = 1; TimeFields.Day = 1; TimeFields.Hour = 1; TimeFields.Minute = 1; TimeFields.Second = 1; TimeFields.Milliseconds = 1; TimeFields.Weekday = 1; RtlTimeFieldsToTime( &TimeFields, &NoExpiration ); GroupIds = (PSID_AND_ATTRIBUTES)GroupIdsBuffer; // // Set up the attributes to be assigned to groups // NormalGroupAttributes = (SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED ); // // Set up the user ID // UserId.Sid = SeAnonymousLogonSid; UserId.Attributes = 0; // // Set up the groups // GroupIds->Sid = SeWorldSid; GroupIds->Attributes = NormalGroupAttributes; GroupIdsLength = (ULONG)LongAlignSize(SeLengthSid(GroupIds->Sid)) + sizeof(SID_AND_ATTRIBUTES); ASSERT( GroupIdsLength <= 128 * sizeof(ULONG) ); // // Establish the primary group and default owner // PrimaryGroup.PrimaryGroup = SeAnonymousLogonSid; // Primary group // // Set up an ACL to protect token as well ... // give system full reign of terror. This includes user-mode components // running as part of the system. // Let everyone read/write. However, the token is dup'ed before we given // anyone a handle to it. // Length = (ULONG)sizeof(ACL) + (ULONG)sizeof(ACCESS_ALLOWED_ACE) + SeLengthSid( SeWorldSid ) + (ULONG)sizeof(ACCESS_ALLOWED_ACE) + SeLengthSid( SeAnonymousLogonSid ); ASSERT( Length < 200 ); TokenAcl = (PACL)ExAllocatePoolWithTag(PagedPool, 200, 'cAeS'); if ( !TokenAcl ) { return NULL ; } Status = RtlCreateAcl( TokenAcl, Length, ACL_REVISION2); ASSERT( NT_SUCCESS(Status) ); Status = RtlAddAccessAllowedAce ( TokenAcl, ACL_REVISION2, TOKEN_ALL_ACCESS, SeWorldSid ); ASSERT( NT_SUCCESS(Status) ); Status = RtlAddAccessAllowedAce ( TokenAcl, ACL_REVISION2, TOKEN_ALL_ACCESS, SeAnonymousLogonSid ); ASSERT( NT_SUCCESS(Status) ); TokenSecurityDescriptor = (PSECURITY_DESCRIPTOR)ExAllocatePoolWithTag( PagedPool, SECURITY_DESCRIPTOR_MIN_LENGTH, 'dSeS' ); if ( !TokenSecurityDescriptor ) { ExFreePool( TokenAcl ); return NULL ; } Status = RtlCreateSecurityDescriptor( TokenSecurityDescriptor, SECURITY_DESCRIPTOR_REVISION ); ASSERT( NT_SUCCESS(Status) ); Status = RtlSetDaclSecurityDescriptor ( TokenSecurityDescriptor, TRUE, TokenAcl, FALSE ); ASSERT( NT_SUCCESS(Status) ); Status = RtlSetOwnerSecurityDescriptor ( TokenSecurityDescriptor, SeWorldSid, FALSE // Owner defaulted ); ASSERT( NT_SUCCESS(Status) ); Status = RtlSetGroupSecurityDescriptor ( TokenSecurityDescriptor, SeWorldSid, FALSE // Group defaulted ); ASSERT( NT_SUCCESS(Status) ); // // Create the system token // #ifdef TOKEN_DEBUG //////////////////////////////////////////////////////////////////////////// // // Debug DbgPrint("\n Creating system token...\n"); // Debug // //////////////////////////////////////////////////////////////////////////// #endif //TOKEN_DEBUG InitializeObjectAttributes( &TokenObjectAttributes, NULL, 0, NULL, TokenSecurityDescriptor ); Status = SepCreateToken( (PHANDLE)&Token, KernelMode, 0, // No handle created for system token &TokenObjectAttributes, TokenPrimary, (SECURITY_IMPERSONATION_LEVEL)0, (PLUID)&SeAnonymousAuthenticationId, &NoExpiration, &UserId, 1, // GroupCount GroupIds, GroupIdsLength, 0, // no privileges NULL, // no Privileges, 0, // no privileges PrimaryGroup.PrimaryGroup, TokenAcl, (PTOKEN_SOURCE)&SeSystemTokenSource, TRUE, // System token NULL, NULL ); ASSERT(NT_SUCCESS(Status)); // // We can free the old one now. // ExFreePool( TokenAcl ); ExFreePool( TokenSecurityDescriptor ); return (PACCESS_TOKEN)Token; } NTSTATUS SeSubProcessToken ( IN PACCESS_TOKEN ParentToken, OUT PACCESS_TOKEN *ChildToken, IN BOOLEAN MarkAsActive ) /*++ Routine Description: This routine makes a token for a sub-process that is a duplicate of the parent process's token. Parameters: ParentToken - Pointer to the parent token ChildToken - Receives a pointer to the child process's token. MarkAsActive - Mark the token as active Return Value: STATUS_SUCCESS - Indicates the sub-process's token has been created successfully. Other status values may be returned from memory allocation or object creation services used and typically indicate insufficient resources or quota on the requestor's part. --*/ { PTOKEN NewToken; OBJECT_ATTRIBUTES PrimaryTokenAttributes; NTSTATUS Status; NTSTATUS IgnoreStatus; PAGED_CODE(); InitializeObjectAttributes( &PrimaryTokenAttributes, NULL, 0, NULL, NULL ); #ifdef TOKEN_DEBUG DbgPrint("\nCreating sub-process token...\n"); DbgPrint("Parent token address = 0x%lx\n", ParentProcess->Token); #endif //TOKEN_DEBUG Status = SepDuplicateToken( ParentToken, // ExistingToken &PrimaryTokenAttributes, // ObjectAttributes FALSE, // EffectiveOnly TokenPrimary, // TokenType (SECURITY_IMPERSONATION_LEVEL)0, // ImpersonationLevel KernelMode, // RequestorMode &NewToken // NewToken ); if (NT_SUCCESS(Status)) { // // Insert the new token object, up its ref count but don't create a handle. // Status = ObInsertObject( NewToken, NULL, 0, 0, NULL, NULL); if (NT_SUCCESS(Status)) { NewToken->TokenInUse = MarkAsActive; *ChildToken = NewToken; } else { // // ObInsertObject dereferences the passed object if it // fails, so we don't have to do any cleanup on NewToken // here. // } } return Status; } BOOLEAN SepTokenInitialization ( VOID ) /*++ Routine Description: This function creates the token object type descriptor at system initialization and stores the address of the object type descriptor in global storage. It also created token related global variables. Furthermore, some number of pseudo tokens are created during system initialization. These tokens are tracked down and replaced with real tokens. Arguments: None. Return Value: A value of TRUE is returned if the object type descriptor is successfully initialized. Otherwise a value of FALSE is returned. --*/ { OBJECT_TYPE_INITIALIZER ObjectTypeInitializer; NTSTATUS Status; UNICODE_STRING TypeName; PAGED_CODE(); // // Initialize string descriptor. // RtlInitUnicodeString(&TypeName, L"Token"); #if 0 BUG, BUG Need to get system default ACL to protect token object #endif // // Create object type descriptor. // RtlZeroMemory(&ObjectTypeInitializer,sizeof(ObjectTypeInitializer)); ObjectTypeInitializer.Length = sizeof(ObjectTypeInitializer); ObjectTypeInitializer.InvalidAttributes = OBJ_OPENLINK; ObjectTypeInitializer.GenericMapping = SepTokenMapping; ObjectTypeInitializer.SecurityRequired = TRUE; ObjectTypeInitializer.UseDefaultObject = TRUE; ObjectTypeInitializer.PoolType = PagedPool; ObjectTypeInitializer.ValidAccessMask = TOKEN_ALL_ACCESS; ObjectTypeInitializer.DeleteProcedure = SepTokenDeleteMethod; Status = ObCreateObjectType(&TypeName, &ObjectTypeInitializer, (PSECURITY_DESCRIPTOR)NULL, // BUG, BUG assign real protection &SeTokenObjectType ); #if 0 BUG, BUG Now track down all pseudo tokens used during system initialization BUG, BUG and replace them with real ones. #endif // // If the object type descriptor was successfully created, then // return a value of TRUE. Otherwise return a value of FALSE. // return (BOOLEAN)NT_SUCCESS(Status); } ////////////////////////////////////////////////////////////////////////// // // // Temporary, for Debug only // // // ////////////////////////////////////////////////////////////////////////// #ifdef TOKEN_DEBUG VOID SepDumpToken( IN PTOKEN T ) { ULONG Index; // // Dump a token // DbgPrint("\n"); DbgPrint(" address: 0x%lx \n", ((ULONG)T) ); DbgPrint(" TokenId: (0x%lx, 0x%lx) \n", T->TokenId.HighPart, T->TokenId.LowPart ); if ( (T->AuthenticationId.Data[0] == SeSystemAuthenticationId.Data[0]) && (T->AuthenticationId.Data[1] == SeSystemAuthenticationId.Data[1]) && (T->AuthenticationId.Data[2] == SeSystemAuthenticationId.Data[2]) && (T->AuthenticationId.Data[3] == SeSystemAuthenticationId.Data[3]) ) { DbgPrint(" AuthenticationId: SeSystemAuthenticationId \n"); } else { DbgPrint(" AuthenticationId: (0x%lx, 0x%lx, 0x%lx, 0x%lx) \n", T->AuthenticationId.Data[0], T->AuthenticationId.Data[1], T->AuthenticationId.Data[2], T->AuthenticationId.Data[3] ); } DbgPrint(" ExpirationTime: 0x%lx, 0x%lx \n", T->ExpirationTime.HighPart, T->ExpirationTime.LowPart ); if (T->TokenType == TokenPrimary) { DbgPrint(" TokenType: Primary \n"); } else { if (T->TokenType == TokenImpersonation) { DbgPrint(" TokenType: Impersonation \n"); } else { DbgPrint(" TokenType: (Unknown type, value = 0x%lx) \n", ((ULONG)T-TokenType) ); } } DbgPrint(" ImpersonationLevel: 0x%lx \n", ((ULONG)T->ImpersonationLevel) ); DbgPrint(" TokenSource: (not yet provided) \n"); DbgPrint(" DynamicCharged: 0x%lx \n", T->DynamicCharged); DbgPrint(" UserAndGroupCount: 0x%lx \n", T->UserAndGroupCount); DbgPrint(" PrivilegeCount: 0x%lx \n", T->PrivilegeCount); DbgPrint(" VariableLength: 0x%lx \n", T->VariableLength); DbgPrint(" ModifiedId: (0x%lx, 0x%lx) \n", T->ModifiedId.HighPart, T->ModifiedId.LowPart ); DbgPrint(" DynamicAvailable: 0x%lx \n", T->DynamicAvailable); DbgPrint(" DefaultOwnerIndex: 0x%lx \n", T->DefaultOwnerIndex); DbgPrint(" Address of DynamicPart: 0x%lx \n", (* (PULONG)((PVOID)(&(T->DynamicPart)))) ); DbgPrint(" Address of Default DACL: 0x%lx \n", (* (PULONG)((PVOID)(&(T->DefaultDacl)))) ); DbgPrint(" Address Of Variable Part: 0x%lx \n", &(T->VariablePart) ); DbgPrint("\n"); DbgPrint(" PrimaryGroup:\n"); DbgPrint(" Address: 0x%lx \n", (* (PULONG)((PVOID)(&(T->PrimaryGroup)))) ); DbgPrint(" Length: 0x%lx \n", SeLengthSid((T->PrimaryGroup)) ); DbgPrint("\n"); DbgPrint(" UserAndGroups: 0x%lx \n", (* (PULONG)((PVOID)(&(T->UserAndGroups)))) ); DbgPrint(" User ID - \n"); DbgPrint(" Address: 0x%lx \n", (* (PULONG)((PVOID)(&(T->UserAndGroups[0].Sid)))) ); DbgPrint(" Attributes: 0x%lx \n", (T->UserAndGroups[0].Attributes) ); DbgPrint(" Length: 0x%lx \n", SeLengthSid((T->UserAndGroups[0].Sid)) ); Index = 1; while (Index < T->UserAndGroupCount) { DbgPrint(" Group 0x%lx - \n", Index ); DbgPrint(" Address: 0x%lx \n", (* (PULONG)((PVOID)(&(T->UserAndGroups[Index].Sid)))) ); DbgPrint(" Attributes: 0x%lx \n", (T->UserAndGroups[Index].Attributes) ); DbgPrint(" Length: 0x%lx \n", SeLengthSid((T->UserAndGroups[Index].Sid)) ); Index += 1; } Index = 0; while (Index < T->RestrictedSidCount) { DbgPrint(" Sid 0x%lx - \n", Index ); DbgPrint(" Address: 0x%lx \n", (* (PULONG)((PVOID)(&(T->RestrictedSids[Index].Sid)))) ); DbgPrint(" Attributes: 0x%lx \n", (T->RestrictedSids[Index].Attributes) ); DbgPrint(" Length: 0x%lx \n", SeLengthSid((T->RestrictedSids[Index].Sid)) ); Index += 1; } DbgPrint("\n"); DbgPrint(" Privileges: 0x%lx\n", (* (PULONG)((PVOID)(&(T->Privileges)))) ); Index = 0; while (Index < T->PrivilegeCount) { DbgPrint(" Privilege 0x%lx - \n", Index ); DbgPrint(" Address: 0x%lx \n", (&(T->Privileges[Index])) ); DbgPrint(" LUID: (0x%lx, 0x%lx) \n", T->Privileges[Index].Luid.HighPart, T->Privileges[Index].Luid.LowPart ); DbgPrint(" Attributes: 0x%lx \n", T->Privileges[Index].Attributes ); Index += 1; } return; } #endif //TOKEN_DEBUG NTSTATUS NtCreateToken( OUT PHANDLE TokenHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, IN TOKEN_TYPE TokenType, IN PLUID AuthenticationId, IN PLARGE_INTEGER ExpirationTime, IN PTOKEN_USER User, IN PTOKEN_GROUPS Groups, IN PTOKEN_PRIVILEGES Privileges, IN PTOKEN_OWNER Owner OPTIONAL, IN PTOKEN_PRIMARY_GROUP PrimaryGroup, IN PTOKEN_DEFAULT_DACL DefaultDacl OPTIONAL, IN PTOKEN_SOURCE TokenSource ) /*++ Routine Description: Create a token object and return a handle opened for access to that token. This API requires SeCreateTokenPrivilege privilege. Arguments: TokenHandle - Receives the handle of the newly created token. DesiredAccess - Is an access mask indicating which access types the handle is to provide to the new object. ObjectAttributes - Points to the standard object attributes data structure. Refer to the NT Object Management Specification for a description of this data structure. If the token type is TokenImpersonation, then this parameter must specify the impersonation level of the token. TokenType - Type of token to be created. Privilege is required to create any type of token. AuthenticationId - Points to a LUID (or LUID) providing a unique identifier associated with the authentication. This is used within security only, for audit purposes. ExpirationTime - Time at which the token becomes invalid. If this value is specified as zero, then the token has no expiration time. User - Is the user SID to place in the token. Groups - Are the group SIDs to place in the token. Privileges - Are the privileges to place in the token. Owner - (Optionally) identifies an identifier that is to be used as the default owner for the token. If not provided, the user ID is made the default owner. PrimaryGroup - Identifies which of the group IDs is to be the primary group of the token. DefaultDacl - (optionally) establishes an ACL to be used as the default discretionary access protection for the token. TokenSource - Identifies the token source name string and identifier to be assigned to the token. Return Value: STATUS_SUCCESS - Indicates the operation was successful. STATUS_INVALID_OWNER - Indicates the ID provided to be assigned as the default owner of the token does not have an attribute indicating it may be assigned as an owner. STATUS_INVALID_PRIMARY_GROUP - Indicates the group ID provided via the PrimaryGroup parameter was not among those assigned to the token in the Groups parameter. STATUS_BAD_IMPERSONATION_LEVEL - Indicates no impersonation level was provided when attempting to create a token of type TokenImpersonation. --*/ { KPROCESSOR_MODE PreviousMode; NTSTATUS Status; ULONG Ignore; HANDLE LocalHandle = NULL; BOOLEAN SecurityQosPresent = FALSE; SECURITY_ADVANCED_QUALITY_OF_SERVICE CapturedSecurityQos; LUID CapturedAuthenticationId; LARGE_INTEGER CapturedExpirationTime; PSID_AND_ATTRIBUTES CapturedUser = NULL; ULONG CapturedUserLength = 0; ULONG CapturedGroupCount = 0; PSID_AND_ATTRIBUTES CapturedGroups = NULL; ULONG CapturedGroupsLength = 0; ULONG CapturedPrivilegeCount = 0; PLUID_AND_ATTRIBUTES CapturedPrivileges = NULL; ULONG CapturedPrivilegesLength = 0; PSID CapturedOwner = NULL; PSID CapturedPrimaryGroup = NULL; PACL CapturedDefaultDacl = NULL; TOKEN_SOURCE CapturedTokenSource; PVOID CapturedAddress; PAGED_CODE(); PreviousMode = KeGetPreviousMode(); if (PreviousMode != KernelMode) { // // Probe everything necessary for input to the capture subroutines. // try { ProbeForWriteHandle(TokenHandle); ProbeForReadSmallStructure( ExpirationTime, sizeof(LARGE_INTEGER), sizeof(ULONG) ); ProbeForReadSmallStructure( Groups, sizeof(TOKEN_GROUPS), sizeof(ULONG) ); ProbeForReadSmallStructure( Privileges, sizeof(TOKEN_PRIVILEGES), sizeof(ULONG) ); ProbeForReadSmallStructure( TokenSource, sizeof(TOKEN_SOURCE), sizeof(ULONG) ); if ( ARGUMENT_PRESENT(Owner) ) { ProbeForReadSmallStructure( Owner, sizeof(TOKEN_OWNER), sizeof(ULONG) ); } ProbeForReadSmallStructure( PrimaryGroup, sizeof(TOKEN_PRIMARY_GROUP), sizeof(ULONG) ); if ( ARGUMENT_PRESENT(DefaultDacl) ) { ProbeForReadSmallStructure( DefaultDacl, sizeof(TOKEN_DEFAULT_DACL), sizeof(ULONG) ); } ProbeForReadSmallStructure( AuthenticationId, sizeof(LUID), sizeof(ULONG) ); } except(EXCEPTION_EXECUTE_HANDLER) { return GetExceptionCode(); } // end_try } //end_if // // Capture the security quality of service. // This capture routine necessarily does some probing of its own. // Status = SeCaptureSecurityQos( ObjectAttributes, PreviousMode, &SecurityQosPresent, &CapturedSecurityQos ); if (!NT_SUCCESS(Status)) { return Status; } if (TokenType == TokenImpersonation) { if (!SecurityQosPresent) { return STATUS_BAD_IMPERSONATION_LEVEL; } // endif } // endif // // Capture the rest of the arguments. // These arguments have already been probed. // try { Status = STATUS_SUCCESS; // // Capture and validate AuthenticationID // RtlCopyLuid( &CapturedAuthenticationId, AuthenticationId ); // // Capture ExpirationTime // CapturedExpirationTime = (*ExpirationTime); // // Capture User // if (NT_SUCCESS(Status)) { Status = SeCaptureSidAndAttributesArray( &(User->User), 1, PreviousMode, NULL, 0, PagedPool, TRUE, &CapturedUser, &CapturedUserLength ); } // // Capture Groups // if (NT_SUCCESS(Status)) { CapturedGroupCount = Groups->GroupCount; Status = SeCaptureSidAndAttributesArray( (Groups->Groups), CapturedGroupCount, PreviousMode, NULL, 0, PagedPool, TRUE, &CapturedGroups, &CapturedGroupsLength ); } // // Capture Privileges // if (NT_SUCCESS(Status)) { CapturedPrivilegeCount = Privileges->PrivilegeCount; Status = SeCaptureLuidAndAttributesArray( (Privileges->Privileges), CapturedPrivilegeCount, PreviousMode, NULL, 0, PagedPool, TRUE, &CapturedPrivileges, &CapturedPrivilegesLength ); } // // Capture Owner // if ( ARGUMENT_PRESENT(Owner) && NT_SUCCESS(Status)) { CapturedAddress = Owner->Owner; Status = SeCaptureSid( (PSID)CapturedAddress, PreviousMode, NULL, 0, PagedPool, TRUE, &CapturedOwner ); } // // Capture PrimaryGroup // if (NT_SUCCESS(Status)) { CapturedAddress = PrimaryGroup->PrimaryGroup; Status = SeCaptureSid( (PSID)CapturedAddress, PreviousMode, NULL, 0, PagedPool, TRUE, &CapturedPrimaryGroup ); } // // Capture DefaultDacl // if ( ARGUMENT_PRESENT(DefaultDacl) && NT_SUCCESS(Status) ) { CapturedAddress = DefaultDacl->DefaultDacl; if (CapturedAddress != NULL) { Status = SeCaptureAcl( (PACL)CapturedAddress, PreviousMode, NULL, 0, NonPagedPool, TRUE, &CapturedDefaultDacl, &Ignore ); } } // // Capture TokenSource // CapturedTokenSource = (*TokenSource); } except(EXCEPTION_EXECUTE_HANDLER) { if (CapturedUser != NULL) { SeReleaseSidAndAttributesArray( CapturedUser, PreviousMode, TRUE ); } if (CapturedGroups != NULL) { SeReleaseSidAndAttributesArray( CapturedGroups, PreviousMode, TRUE ); } if (CapturedPrivileges != NULL) { SeReleaseLuidAndAttributesArray( CapturedPrivileges, PreviousMode, TRUE ); } if (CapturedOwner != NULL) { SeReleaseSid( CapturedOwner, PreviousMode, TRUE); } if (CapturedPrimaryGroup != NULL) { SeReleaseSid( CapturedPrimaryGroup, PreviousMode, TRUE); } if (CapturedDefaultDacl != NULL) { SeReleaseAcl( CapturedDefaultDacl, PreviousMode, TRUE); } if (SecurityQosPresent == TRUE) { SeFreeCapturedSecurityQos( &CapturedSecurityQos ); } return GetExceptionCode(); } // end_try{} // // Create the token // if (NT_SUCCESS(Status)) { Status = SepCreateToken( &LocalHandle, PreviousMode, DesiredAccess, ObjectAttributes, TokenType, CapturedSecurityQos.ImpersonationLevel, &CapturedAuthenticationId, &CapturedExpirationTime, CapturedUser, CapturedGroupCount, CapturedGroups, CapturedGroupsLength, CapturedPrivilegeCount, CapturedPrivileges, CapturedOwner, CapturedPrimaryGroup, CapturedDefaultDacl, &CapturedTokenSource, FALSE, // Not a system token SecurityQosPresent ? CapturedSecurityQos.ProxyData : NULL, SecurityQosPresent ? CapturedSecurityQos.AuditData : NULL ); } // // Clean up the temporary capture buffers // if (CapturedUser != NULL) { SeReleaseSidAndAttributesArray( CapturedUser, PreviousMode, TRUE); } if (CapturedGroups != NULL) { SeReleaseSidAndAttributesArray( CapturedGroups, PreviousMode, TRUE); } if (CapturedPrivileges != NULL) { SeReleaseLuidAndAttributesArray( CapturedPrivileges, PreviousMode, TRUE); } if (CapturedOwner != NULL) { SeReleaseSid( CapturedOwner, PreviousMode, TRUE); } if (CapturedPrimaryGroup != NULL) { SeReleaseSid( CapturedPrimaryGroup, PreviousMode, TRUE); } if (CapturedDefaultDacl != NULL) { SeReleaseAcl( CapturedDefaultDacl, PreviousMode, TRUE); } if (SecurityQosPresent == TRUE) { SeFreeCapturedSecurityQos( &CapturedSecurityQos ); } // // Return the handle to this new token // if (NT_SUCCESS(Status)) { try { *TokenHandle = LocalHandle; } except(EXCEPTION_EXECUTE_HANDLER) { return GetExceptionCode(); } } return Status; } //////////////////////////////////////////////////////////////////////// // // // Token Private Routines // // // //////////////////////////////////////////////////////////////////////// VOID SepTokenDeleteMethod ( IN PVOID Token ) /*++ Routine Description: This function is the token object type-specific delete method. It is needed to ensure that all memory allocated for the token gets deallocated. Arguments: Token - Points to the token object being deleted. Return Value: None. --*/ { PAGED_CODE(); #if DBG || TOKEN_LEAK_MONITOR SepRemoveTokenLogonSession( Token ); #endif // // De-reference the logon session referenced by this token object // if ((((TOKEN *)Token)->TokenFlags & TOKEN_SESSION_NOT_REFERENCED ) == 0 ) { SepDeReferenceLogonSession( &(((TOKEN *)Token)->AuthenticationId) ); } // // If the token has an associated Dynamic part, deallocate it. // if (ARGUMENT_PRESENT( ((TOKEN *)Token)->DynamicPart)) { ExFreePool( ((TOKEN *)Token)->DynamicPart ); } // // Free the Proxy and Global audit structures if present. // if (ARGUMENT_PRESENT(((TOKEN *) Token)->ProxyData)) { SepFreeProxyData( ((TOKEN *)Token)->ProxyData ); } if (ARGUMENT_PRESENT(((TOKEN *)Token)->AuditData )) { ExFreePool( (((TOKEN *)Token)->AuditData) ); } if (ARGUMENT_PRESENT(((TOKEN *)Token)->TokenLock )) { ExDeleteResourceLite(((TOKEN *)Token)->TokenLock ); ExFreePool(((TOKEN *)Token)->TokenLock ); } return; } NTSTATUS SepCreateToken( OUT PHANDLE TokenHandle, IN KPROCESSOR_MODE RequestorMode, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, IN TOKEN_TYPE TokenType, IN SECURITY_IMPERSONATION_LEVEL ImpersonationLevel OPTIONAL, IN PLUID AuthenticationId, IN PLARGE_INTEGER ExpirationTime, IN PSID_AND_ATTRIBUTES User, IN ULONG GroupCount, IN PSID_AND_ATTRIBUTES Groups, IN ULONG GroupsLength, IN ULONG PrivilegeCount, IN PLUID_AND_ATTRIBUTES Privileges, IN PSID Owner OPTIONAL, IN PSID PrimaryGroup, IN PACL DefaultDacl OPTIONAL, IN PTOKEN_SOURCE TokenSource, IN BOOLEAN SystemToken, IN PSECURITY_TOKEN_PROXY_DATA ProxyData OPTIONAL, IN PSECURITY_TOKEN_AUDIT_DATA AuditData OPTIONAL ) /*++ Routine Description: Create a token object and return a handle opened for access to that token. This API implements the bulk of the work needed for NtCreateToken. All parameters except DesiredAccess and ObjectAttributes are assumed to have been probed and captured. The output parameter (TokenHandle) is expected to be returned to a safe address, rather than to a user mode address that may cause an exception. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! NOTE: This routine is also used to create the initial system token. In that case, the SystemToken parameter is TRUE and no handle is established to the token. Instead, a pointer to the token is returned via the TokenHandle parameter. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Arguments: TokenHandle - Receives the handle of the newly created token. If the SystemToken parameter is specified is true, then this parameter receives a pointer to the token instead of a handle to the token. RequestorMode - The mode of the caller on whose behalf the token is being created. DesiredAccess - Is an access mask indicating which access types the handle is to provide to the new object. ObjectAttributes - Points to the standard object attributes data structure. Refer to the NT Object Management Specification for a description of this data structure. TokenType - Type of token to be created. Privilege is required to create any type of token. ImpersonationLevel - If the token type is TokenImpersonation, then this parameter is used to specify the impersonation level of the token. AuthenticationId - Points to a LUID (or LUID) providing a unique identifier associated with the authentication. This is used within security only, for audit purposes. ExpirationTime - Time at which the token becomes invalid. If this value is specified as zero, then the token has no expiration time. User - Is the user SID to place in the token. GroupCount - Indicates the number of groups in the 'Groups' parameter. This value may be zero, in which case the 'Groups' parameter is ignored. Groups - Are the group SIDs, and their corresponding attributes, to place in the token. GroupsLength - Indicates the length, in bytes, of the array of groups to place in the token. PrivilegeCount - Indicates the number of privileges in the 'Privileges' parameter. This value may be zero, in which case the 'Privileges' parameter is ignored. Privileges - Are the privilege LUIDs, and their corresponding attributes, to place in the token. PrivilegesLength - Indicates the length, in bytes, of the array of privileges to place in the token. Owner - (Optionally) identifies an identifier that is to be used as the default owner for the token. If not provided, the user ID is made the default owner. PrimaryGroup - Identifies which of the group IDs is to be the primary group of the token. DefaultDacl - (optionally) establishes an ACL to be used as the default discretionary access protection for the token. TokenSource - Identifies the token source name string and identifier to be assigned to the token. Return Value: STATUS_SUCCESS - Indicates the operation was successful. STATUS_INVALID_OWNER - Indicates the ID provided to be assigned as the default owner of the token does not have an attribute indicating it may be assigned as an owner. STATUS_INVALID_PRIMARY_GROUP - Indicates the group ID provided via the PrimaryGroup parameter was not among those assigned to the token in the Groups parameter. STATUS_INVALID_PARAMETER - Indicates that a required parameter, such as User or PrimaryGroup, was not provided with a legitimate value. --*/ { PTOKEN Token; NTSTATUS Status; ULONG PagedPoolSize; ULONG PrimaryGroupLength; ULONG TokenBodyLength; ULONG VariableLength; ULONG DefaultOwnerIndex = 0; PUCHAR Where; ULONG ComputedPrivLength; PSID NextSidFree; ULONG DynamicLength; ULONG DynamicLengthUsed; ULONG SubAuthorityCount; ULONG GroupIndex; ULONG PrivilegeIndex; BOOLEAN OwnerFound; UCHAR TokenFlags = 0; ACCESS_STATE AccessState; AUX_ACCESS_DATA AuxData; LUID NewModifiedId; PERESOURCE TokenLock; #if DBG || TOKEN_LEAK_MONITOR ULONG Frames; #endif PAGED_CODE(); ASSERT( sizeof(SECURITY_IMPERSONATION_LEVEL) <= sizeof(ULONG) ); // // Make sure the Enabled and Enabled-by-default bits are set on every // mandatory group. // // Also, check to see if the local administrators alias is present. // if so, turn on the flag so that we can do restrictions later // for (GroupIndex=0; GroupIndex < GroupCount; GroupIndex++) { if (Groups[GroupIndex].Attributes & SE_GROUP_MANDATORY) { Groups[GroupIndex].Attributes |= (SE_GROUP_ENABLED | SE_GROUP_ENABLED_BY_DEFAULT); } if ( RtlEqualSid( SeAliasAdminsSid, Groups[GroupIndex].Sid ) ) { TokenFlags |= TOKEN_HAS_ADMIN_GROUP ; } } // // Check to see if the token being created is going to be granted // SeChangeNotifyPrivilege. If so, set a flag in the TokenFlags field // so we can find this out quickly. // for (PrivilegeIndex = 0; PrivilegeIndex < PrivilegeCount; PrivilegeIndex++) { if (((RtlEqualLuid(&Privileges[PrivilegeIndex].Luid,&SeChangeNotifyPrivilege)) && (Privileges[PrivilegeIndex].Attributes & SE_PRIVILEGE_ENABLED))) { TokenFlags |= TOKEN_HAS_TRAVERSE_PRIVILEGE; break; } } // // Get a ModifiedId to use // ExAllocateLocallyUniqueId( &NewModifiedId ); // // Validate the owner ID, if provided and establish the default // owner index. // if (!ARGUMENT_PRESENT(Owner)) { DefaultOwnerIndex = 0; } else { if ( RtlEqualSid( Owner, User->Sid ) ) { DefaultOwnerIndex = 0; } else { GroupIndex = 0; OwnerFound = FALSE; while ((GroupIndex < GroupCount) && (!OwnerFound)) { if ( RtlEqualSid( Owner, (Groups[GroupIndex].Sid) ) ) { // // Found a match - make sure it is assignable as owner. // if ( SepArrayGroupAttributes( Groups, GroupIndex ) & SE_GROUP_OWNER ) { DefaultOwnerIndex = GroupIndex + 1; OwnerFound = TRUE; } else { return STATUS_INVALID_OWNER; } // endif Owner attribute set } // endif owner = group GroupIndex += 1; } // endwhile if (!OwnerFound) { return STATUS_INVALID_OWNER; } // endif !OwnerFound } // endif owner = user } // endif owner specified // // Increment the reference count for this logon session // (fail if there is no corresponding logon session.) // Status = SepReferenceLogonSession( AuthenticationId ); if ( !NT_SUCCESS(Status) ) { return Status; } TokenLock = (PERESOURCE)ExAllocatePoolWithTag( NonPagedPool, sizeof( ERESOURCE ), 'dTeS' ); if (TokenLock == NULL) { SepDeReferenceLogonSession( AuthenticationId ); return( STATUS_INSUFFICIENT_RESOURCES ); } // // Calculate the length needed for the variable portion of the token // This includes the User ID, Group IDs, and Privileges // // // Align the privilege chunk by pointer alignment so that the SIDs will // be correctly aligned. Align the Groups Length so that the SID_AND_ATTR // array (which is // ComputedPrivLength = PrivilegeCount * sizeof( LUID_AND_ATTRIBUTES ) ; ComputedPrivLength = ALIGN_UP( ComputedPrivLength, PVOID ); GroupsLength = ALIGN_UP( GroupsLength, PVOID ); VariableLength = GroupsLength + ComputedPrivLength + ALIGN_UP( (GroupCount * sizeof( SID_AND_ATTRIBUTES )), PVOID ) ; SubAuthorityCount = ((SID *)(User->Sid))->SubAuthorityCount; VariableLength += sizeof(SID_AND_ATTRIBUTES) + (ULONG)LongAlignSize(RtlLengthRequiredSid( SubAuthorityCount )); // // Calculate the length needed for the dynamic portion of the token // This includes the default Dacl and the primary group. // SubAuthorityCount = ((SID *)PrimaryGroup)->SubAuthorityCount; DynamicLengthUsed = (ULONG)LongAlignSize(RtlLengthRequiredSid( SubAuthorityCount )); if (ARGUMENT_PRESENT(DefaultDacl)) { DynamicLengthUsed += (ULONG)LongAlignSize(DefaultDacl->AclSize); } DynamicLength = DynamicLengthUsed; // // Now create the token body // TokenBodyLength = FIELD_OFFSET(TOKEN, VariablePart) + VariableLength; if (DynamicLength < TOKEN_DEFAULT_DYNAMIC_CHARGE) { PagedPoolSize = TokenBodyLength + TOKEN_DEFAULT_DYNAMIC_CHARGE; } else { PagedPoolSize = TokenBodyLength + DynamicLength; } Status = ObCreateObject( RequestorMode, // ProbeMode SeTokenObjectType, // ObjectType ObjectAttributes, // ObjectAttributes UserMode, // OwnershipMode NULL, // ParseContext TokenBodyLength, // ObjectBodySize PagedPoolSize, // PagedPoolCharge 0, // NonPagedPoolCharge (PVOID *)&Token // Return pointer to object ); if (!NT_SUCCESS(Status)) { ExFreePool( TokenLock ); SepDeReferenceLogonSession( AuthenticationId ); return Status; } // // After this point, we rely on token deletion to clean up the referenced // logon session if the creation fails. // // // Main Body initialization // Token->TokenLock = TokenLock; ExInitializeResourceLite( Token->TokenLock ); ExAllocateLocallyUniqueId( &(Token->TokenId) ); Token->ParentTokenId = RtlConvertLongToLuid(0); Token->AuthenticationId = (*AuthenticationId); Token->TokenInUse = FALSE; Token->ModifiedId = NewModifiedId; Token->ExpirationTime = (*ExpirationTime); Token->TokenType = TokenType; Token->ImpersonationLevel = ImpersonationLevel; Token->TokenSource = (*TokenSource); Token->TokenFlags = TokenFlags; Token->SessionId = 0; Token->DynamicCharged = PagedPoolSize - TokenBodyLength; Token->DynamicAvailable = 0; Token->DefaultOwnerIndex = DefaultOwnerIndex; Token->DefaultDacl = NULL; Token->VariableLength = VariableLength; #if DBG || TOKEN_LEAK_MONITOR Token->ProcessCid = PsGetCurrentThread()->Cid.UniqueProcess; Token->ThreadCid = PsGetCurrentThread()->Cid.UniqueThread; Token->CreateMethod = 0xC; // Create RtlCopyMemory( Token->ImageFileName, PsGetCurrentProcess()->ImageFileName, min(sizeof(Token->ImageFileName), sizeof(PsGetCurrentProcess()->ImageFileName)) ); Frames = RtlWalkFrameChain( (PVOID)Token->CreateTrace, TRACE_SIZE, 0 ); if (KeGetCurrentIrql() < DISPATCH_LEVEL) { RtlWalkFrameChain( (PVOID)&Token->CreateTrace[Frames], TRACE_SIZE - Frames, 1 ); } SepAddTokenLogonSession(Token); #endif // Ensure SepTokenDeleteMethod knows the buffers aren't allocated yet. Token->ProxyData = NULL; Token->AuditData = NULL; Token->DynamicPart = NULL; if (ARGUMENT_PRESENT( ProxyData )) { Status = SepCopyProxyData( &Token->ProxyData, ProxyData ); if (!NT_SUCCESS(Status)) { ObDereferenceObject( Token ); return( STATUS_NO_MEMORY ); } } else { Token->ProxyData = NULL; } if (ARGUMENT_PRESENT( AuditData )) { Token->AuditData = ExAllocatePool( PagedPool, sizeof( SECURITY_TOKEN_AUDIT_DATA )); if (Token->AuditData == NULL) { ObDereferenceObject( Token ); return( STATUS_NO_MEMORY ); } *(Token->AuditData) = *AuditData; } else { Token->AuditData = NULL; } // // Variable part initialization // Data is in the following order: // // Privileges array // User (SID_AND_ATTRIBUTES) // Groups (SID_AND_ATTRIBUTES) // Restricted Sids (SID_AND_ATTRIBUTES) // SIDs // Where = (PUCHAR) & Token->VariablePart ; Token->Privileges = (PLUID_AND_ATTRIBUTES) Where ; Token->PrivilegeCount = PrivilegeCount ; RtlCopyMemory( Where, Privileges, PrivilegeCount * sizeof(LUID_AND_ATTRIBUTES) ); ASSERT( ComputedPrivLength >= PrivilegeCount * sizeof( LUID_AND_ATTRIBUTES ) ); Where += ComputedPrivLength ; VariableLength -= ComputedPrivLength ; ASSERT( (((ULONG_PTR) Where ) & (sizeof(PVOID) - 1)) == 0 ); // // Now, copy the sid and attributes arrays. // NextSidFree = (PSID) (Where + (sizeof( SID_AND_ATTRIBUTES ) * (GroupCount + 1) ) ); Token->UserAndGroups = (PSID_AND_ATTRIBUTES) Where ; Token->UserAndGroupCount = GroupCount + 1 ; ASSERT(VariableLength >= ((GroupCount + 1) * (ULONG)sizeof(SID_AND_ATTRIBUTES))); VariableLength -= ((GroupCount + 1) * (ULONG)sizeof(SID_AND_ATTRIBUTES)); Status = RtlCopySidAndAttributesArray( 1, User, VariableLength, (PSID_AND_ATTRIBUTES)Where, NextSidFree, &NextSidFree, &VariableLength ); Where += sizeof( SID_AND_ATTRIBUTES ); ASSERT( (((ULONG_PTR) Where ) & (sizeof(PVOID) - 1)) == 0 ); Status = RtlCopySidAndAttributesArray( GroupCount, Groups, VariableLength, (PSID_AND_ATTRIBUTES)Where, NextSidFree, &NextSidFree, &VariableLength ); ASSERT(NT_SUCCESS(Status)); Token->RestrictedSids = NULL; Token->RestrictedSidCount = 0; // // Dynamic part initialization // Data is in the following order: // // PrimaryGroup (SID) // Default Discreationary Acl (ACL) // Token->DynamicPart = (PULONG)ExAllocatePoolWithTag( PagedPool, DynamicLength, 'dTeS' ); // // The attempt to allocate the DynamicPart of the token may have // failed. Dereference the created object and exit with an error. // if (Token->DynamicPart == NULL) { ObDereferenceObject( Token ); return( STATUS_NO_MEMORY ); } Where = (PUCHAR) Token->DynamicPart; Token->PrimaryGroup = (PSID) Where; PrimaryGroupLength = RtlLengthRequiredSid( ((SID *)PrimaryGroup)->SubAuthorityCount ); RtlCopySid( PrimaryGroupLength, (PSID)Where, PrimaryGroup ); Where += (ULONG)LongAlignSize(PrimaryGroupLength); if (ARGUMENT_PRESENT(DefaultDacl)) { Token->DefaultDacl = (PACL)Where; RtlCopyMemory( (PVOID)Where, (PVOID)DefaultDacl, DefaultDacl->AclSize ); } #ifdef TOKEN_DEBUG //////////////////////////////////////////////////////////////////////////// // // Debug SepDumpToken( Token ); // Debug // //////////////////////////////////////////////////////////////////////////// #endif //TOKEN_DEBUG // // Insert the token unless it is a system token. // if (!SystemToken) { Status = SeCreateAccessState( &AccessState, &AuxData, DesiredAccess, &SeTokenObjectType->TypeInfo.GenericMapping ); if ( NT_SUCCESS(Status) ) { BOOLEAN PrivilegeHeld; PrivilegeHeld = SeSinglePrivilegeCheck( SeCreateTokenPrivilege, KeGetPreviousMode() ); if (PrivilegeHeld) { Status = ObInsertObject( Token, &AccessState, 0, 0, (PVOID *)NULL, TokenHandle ); } else { Status = STATUS_PRIVILEGE_NOT_HELD; ObDereferenceObject( Token ); } SeDeleteAccessState( &AccessState ); } else { ObDereferenceObject( Token ); } } else { ASSERT( NT_SUCCESS( Status ) ); // // Insert the token unless this is phase0 initialization. The system token is inserted later. // if (!ExFastRefObjectNull (PsGetCurrentProcess()->Token)) { Status = ObInsertObject( Token, NULL, 0, 0, NULL, NULL ); } if (NT_SUCCESS (Status)) { // // Return pointer instead of handle. // (*TokenHandle) = (HANDLE)Token; } else { (*TokenHandle) = NULL; } } return Status; } BOOLEAN SepIdAssignableAsOwner( IN PTOKEN Token, IN ULONG Index ) /*++ Routine Description: This routine returns a boolean value indicating whether the user or group ID in the specified token with the specified index is assignable as the owner of an object. If the index is 0, which is always the USER ID, then the ID is assignable as owner. Otherwise, the ID is that of a group, and it must have the "Owner" attribute set to be assignable. Arguments: Token - Pointer to a locked Token to use. Index - Index into the Token's UserAndGroupsArray. This value is assumed to be valid. Return Value: TRUE - Indicates the index corresponds to an ID that may be assigned as the owner of objects. FALSE - Indicates the index does not correspond to an ID that may be assigned as the owner of objects. --*/ { PAGED_CODE(); if (Index == 0) { return TRUE; } else { return (BOOLEAN) ( (SepTokenGroupAttributes(Token,Index) & SE_GROUP_OWNER) != 0 ); } } NTSTATUS SeIsChildToken( IN HANDLE Token, OUT PBOOLEAN IsChild ) /*++ Routine Description: This routine returns TRUE if the supplied token is a child of the caller's process token. This is done by comparing the ParentTokenId field of the supplied token to the TokenId field of the token from the current subject context. Arguments: Token - Token to check for childhood IsChild - Contains results of comparison. TRUE - The supplied token is a child of the caller's token FALSE- The supplied token is not a child of the caller's token Returns: Status codes from any NT services called. --*/ { PTOKEN CallerToken; PTOKEN SuppliedToken; LUID CallerTokenId; LUID SuppliedParentTokenId; NTSTATUS Status = STATUS_SUCCESS; PEPROCESS Process; *IsChild = FALSE; // // Capture the caller's token and get the token id // Process = PsGetCurrentProcess(); CallerToken = (PTOKEN) PsReferencePrimaryToken(Process); SepAcquireTokenReadLock( CallerToken ); CallerTokenId = CallerToken->TokenId; SepReleaseTokenReadLock( CallerToken ); PsDereferencePrimaryTokenEx(Process, CallerToken); // // Reference the supplied token and get the parent token id. // Status = ObReferenceObjectByHandle( Token, // Handle 0, // DesiredAccess SeTokenObjectType, // ObjectType KeGetPreviousMode(), // AccessMode (PVOID *)&SuppliedToken, // Object NULL // GrantedAccess ); if (NT_SUCCESS(Status)) { SepAcquireTokenReadLock( SuppliedToken ); SuppliedParentTokenId = SuppliedToken->ParentTokenId; SepReleaseTokenReadLock( SuppliedToken ); ObDereferenceObject(SuppliedToken); // // Check to see if the supplied token's parent ID is the ID // of the caller. // if (RtlEqualLuid( &SuppliedParentTokenId, &CallerTokenId )) { *IsChild = TRUE; } } return(Status); } NTSTATUS SeIsChildTokenByPointer( IN PACCESS_TOKEN Token, OUT PBOOLEAN IsChild ) /*++ Routine Description: This routine returns TRUE if the supplied token is a child of the caller's token. This is done by comparing the ParentTokenId field of the supplied token to the TokenId field of the token from the current subject context. Arguments: Token - Token to check for childhood IsChild - Contains results of comparison. TRUE - The supplied token is a child of the caller's token FALSE- The supplied token is not a child of the caller's token Returns: Status codes from any NT services called. --*/ { SECURITY_SUBJECT_CONTEXT SubjectSecurityContext; PTOKEN CallerToken; PTOKEN SuppliedToken; LUID CallerTokenId; LUID SuppliedParentTokenId; NTSTATUS Status = STATUS_SUCCESS; PEPROCESS Process; *IsChild = FALSE; // // Capture the caller's token and get the token id // Process = PsGetCurrentProcess(); CallerToken = (PTOKEN) PsReferencePrimaryToken(Process); SepAcquireTokenReadLock( CallerToken ); CallerTokenId = CallerToken->TokenId; SepReleaseTokenReadLock( CallerToken ); PsDereferencePrimaryTokenEx(Process, CallerToken); SuppliedToken = (PTOKEN) Token ; SepAcquireTokenReadLock( SuppliedToken ); SuppliedParentTokenId = SuppliedToken->ParentTokenId; SepReleaseTokenReadLock( SuppliedToken ); // // Check to see if the supplied token's parent ID is the ID // of the caller. // if (RtlEqualLuid( &SuppliedParentTokenId, &CallerTokenId )) { *IsChild = TRUE; } return(Status); } NTSTATUS NtImpersonateAnonymousToken( IN HANDLE ThreadHandle ) /*++ Routine Description: Impersonates the system's anonymous logon token on this thread. Arguments: ThreadHandle - Handle to the thread to do the impersonation. Return Value: STATUS_SUCCESS - Indicates the operation was successful. STATUS_INVALID_HANDLE - the thread handle is invalid. STATUS_ACCESS_DENIED - The thread handle is not open for impersonation access. --*/ { PETHREAD CallerThread = NULL; NTSTATUS Status = STATUS_SUCCESS; PACCESS_TOKEN Token = NULL; PEPROCESS Process; HANDLE hAnonymousToken = NULL; ULONG RegValue; #define EVERYONE_INCLUDES_ANONYMOUS 1 // // Reference the caller's thread to make sure we can impersonate // Status = ObReferenceObjectByHandle( ThreadHandle, THREAD_IMPERSONATE, PsThreadType, KeGetPreviousMode(), (PVOID *)&CallerThread, NULL ); if (!NT_SUCCESS(Status)) { return Status; } // // Check the AnonymousIncludesEveryone reg key setting. // Status = SepRegQueryDwordValue( L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Lsa", L"EveryoneIncludesAnonymous", &RegValue ); if ( NT_SUCCESS( Status ) && ( RegValue == EVERYONE_INCLUDES_ANONYMOUS )) { hAnonymousToken = SeAnonymousLogonToken; } else { hAnonymousToken = SeAnonymousLogonTokenNoEveryone; }; // // Reference the impersonation token to make sure we are allowed to // impersonate it. // Status = ObReferenceObjectByPointer( hAnonymousToken, TOKEN_IMPERSONATE, SeTokenObjectType, KeGetPreviousMode() ); if (!NT_SUCCESS(Status)) { goto Cleanup; } ObDereferenceObject(hAnonymousToken); Process = PsGetCurrentProcess(); Token = PsReferencePrimaryToken(Process); // // Do not allow anonymous impersonation if the primary token is restricted. // if (SeTokenIsRestricted(Token)) { PsDereferencePrimaryToken(Token); Status = STATUS_ACCESS_DENIED; goto Cleanup; } PsDereferencePrimaryTokenEx(Process, Token); // // Do the impersonation. We want copy on open so the caller can't // actually modify this system's copy of this token. // Status = PsImpersonateClient( CallerThread, hAnonymousToken, TRUE, // copy on open FALSE, // no effective only SecurityImpersonation ); Cleanup: if (CallerThread != NULL) { ObDereferenceObject(CallerThread); } return(Status); } #define SepEqualSidAndAttribute(a, b) \ ((RtlEqualSid((a).Sid, (b).Sid)) && \ ((((a).Attributes ^ (b).Attributes) & \ (SE_GROUP_ENABLED | SE_GROUP_USE_FOR_DENY_ONLY)) == 0) \ ) #define SepEqualLuidAndAttribute(a, b) \ ((RtlEqualLuid(&(a).Luid, &(b).Luid)) && \ ((((a).Attributes ^ (b).Attributes) & SE_PRIVILEGE_ENABLED) == 0) \ ) BOOLEAN SepComparePrivilegeAndAttributeArrays( IN PLUID_AND_ATTRIBUTES PrivilegeArray1, IN ULONG Count1, IN PLUID_AND_ATTRIBUTES PrivilegeArray2, IN ULONG Count2 ) /*++ Routine Description: This routine decides whether the given two privilege arrays are equivalent from AccessCheck perspective. Arguments: PrivilegeArray1 - Privilege and attribute array from the first token. Count1 - Number of elements from the first array. PrivilegeArray2 - Privilege and attribute array from the second token. Count2 - Number of elements from the second array. Return Value: TRUE - if the two arrays are equivalent FALSE - otherwise --*/ { ULONG i = 0; ULONG j = 0; ULONG k = 0; // // If the number of privileges are not equal return FALSE. // if ( Count1 != Count2 ) { return FALSE; } // // In most cases when the privilege arrays are the same, the elements will // be ordered in the same manner. Walk the two arrays till we get a mismatch // or exhaust the number of entries in the array. // for ( k = 0; k < Count1; k++ ) { if ( !SepEqualLuidAndAttribute(PrivilegeArray1[k], PrivilegeArray2[k]) ) { break; } } // // If the arrays are identical return TRUE. // if ( k == Count1 ) { return TRUE; } // // Check if all the elements in the first array are present in the second. // for ( i = k; i < Count1; i++ ) { for ( j = k; j < Count2; j++ ) { if ( SepEqualLuidAndAttribute(PrivilegeArray1[i], PrivilegeArray2[j]) ) { break; } } // // The second array does not contain ith element from the first. // if ( j == Count2 ) { return FALSE; } } // // Check if all the elements in the second array are present in the first. // for ( i = k; i < Count2; i++ ) { for ( j = k; j < Count1; j++ ) { if ( SepEqualLuidAndAttribute(PrivilegeArray2[i], PrivilegeArray1[j]) ) { break; } } // // The first array does not contain ith element from the second. // if ( j == Count1 ) { return FALSE; } } // // If we are here, one array is a permutation of the other. Return TRUE. // return TRUE; } BOOLEAN SepCompareSidAndAttributeArrays( IN PSID_AND_ATTRIBUTES SidArray1, IN ULONG Count1, IN PSID_AND_ATTRIBUTES SidArray2, IN ULONG Count2 ) /*++ Routine Description: This routine decides whether the given two sid and attribute arrays are equivalentfrom AccessCheck perspective. Arguments: SidArray1 - Sid and attribute array from the first token. Count1 - Number of elements from the first array. SidArray2 - Sid and attribute array from the second token. Count2 - Number of elements from the second array. Return Value: TRUE - if the two arrays are equivalent FALSE - otherwise --*/ { ULONG i = 0; ULONG j = 0; ULONG k = 0; // // If the number of groups sids are not equal return FALSE. // if ( Count1 != Count2 ) { return FALSE; } // // In most cases when the sid arrays are the same, the elements will // be ordered in the same manner. Walk the two arrays till we get a mismatch // or exhaust the number of entries in the array. // for ( k = 0; k < Count1; k++ ) { if ( !SepEqualSidAndAttribute(SidArray1[k], SidArray2[k]) ) { break; } } // // If the arrays are identical return TRUE. // if ( k == Count1 ) { return TRUE; } // // Check if all the elements in the first array are present in the second. // for ( i = k; i < Count1; i++ ) { for ( j = k; j < Count2; j++ ) { if ( SepEqualSidAndAttribute(SidArray1[i], SidArray2[j]) ) { break; } } // // The second array does not contain ith element from the first. // if ( j == Count2 ) { return FALSE; } } // // Check if all the elements in the second array are present in the first. // for ( i = k; i < Count2; i++ ) { for ( j = k; j < Count1; j++ ) { if ( SepEqualSidAndAttribute(SidArray2[i], SidArray1[j]) ) { break; } } // // The first array does not contain ith element from the second. // if ( j == Count1 ) { return FALSE; } } // // If we are here, one array is a permutation of the other. Return TRUE. // return TRUE; } NTSTATUS NtCompareTokens( IN HANDLE FirstTokenHandle, IN HANDLE SecondTokenHandle, OUT PBOOLEAN Equal ) /*++ Routine Description: This routine decides whether the given two tokens are equivalent from AccessCheck perspective. Two tokens are considered equal if all of the below are true. 1. Every sid present in one token is the present in the other and vice-versa. The access check attributes (SE_GROUP_ENABLED and SE_GROUP_USE_FOR_DENY_ONLY) for these sids should match too. 2. Either none or both the tokens are restricted. 3. If both tokens are restricted then 1 should hold true for RestrictedSids. 4. Every privilege present in the one token should be present in the other and vice-versa. Arguments: FirstTokenHandle - Handle to the first token. The caller must have TOKEN_QUERY access to the token. SecondTokenHandle - Handle to the second token. The caller must have TOKEN_QUERY access to the token. Equal - To return whether the two tokens are equivalent from AccessCheck viewpoint. Return Value: STATUS_SUCCESS - Indicates the operation was successful. --*/ { PTOKEN TokenOne = NULL; PTOKEN TokenTwo = NULL; BOOLEAN RetVal = FALSE; NTSTATUS Status = STATUS_SUCCESS; KPROCESSOR_MODE PreviousMode; PAGED_CODE(); PreviousMode = KeGetPreviousMode(); if (PreviousMode != KernelMode) { try { ProbeForWriteBoolean(Equal); } except(EXCEPTION_EXECUTE_HANDLER) { return GetExceptionCode(); } // end_try } //end_if // // If its the same handle, return TRUE. // if ( FirstTokenHandle == SecondTokenHandle ) { RetVal = TRUE; goto Cleanup; } // // Reference the first token handle with TOKEN_QUERY access so that it does // not go away. // Status = ObReferenceObjectByHandle( FirstTokenHandle, // Handle TOKEN_QUERY, // DesiredAccess SeTokenObjectType, // ObjectType PreviousMode, // AccessMode (PVOID *)&TokenOne, // Object NULL // GrantedAccess ); if (!NT_SUCCESS(Status)) { TokenOne = NULL; goto Cleanup; } // // Reference the second token handle with TOKEN_QUERY access so that it does // not go away. // Status = ObReferenceObjectByHandle( SecondTokenHandle, // Handle TOKEN_QUERY, // DesiredAccess SeTokenObjectType, // ObjectType PreviousMode, // AccessMode (PVOID *)&TokenTwo, // Object NULL // GrantedAccess ); if (!NT_SUCCESS(Status)) { TokenTwo = NULL; goto Cleanup; } // // Acquire read lock on the first token. // SepAcquireTokenReadLock( TokenOne ); // // Acquire read lock on the second token. // SepAcquireTokenReadLock( TokenTwo ); // // Compare the user sid as well as its relevant attributes. // if ( !SepEqualSidAndAttribute(TokenOne->UserAndGroups[0], TokenTwo->UserAndGroups[0]) ) { goto Cleanup1; } // // Continue if both tokens are unrestricted OR // if both tokens are restricted and Restricted arrays are equal. // Else return UNEQUAL. // if ( SeTokenIsRestricted( (PACCESS_TOKEN) TokenOne )) { if ( !SeTokenIsRestricted( (PACCESS_TOKEN) TokenTwo )) { goto Cleanup1; } RetVal = SepCompareSidAndAttributeArrays( TokenOne->RestrictedSids, TokenOne->RestrictedSidCount, TokenTwo->RestrictedSids, TokenTwo->RestrictedSidCount ); if (!RetVal) { goto Cleanup1; } } else { if ( SeTokenIsRestricted( (PACCESS_TOKEN) TokenTwo )) { goto Cleanup1; } } // // Compare the sid arrays. // RetVal = SepCompareSidAndAttributeArrays( TokenOne->UserAndGroups+1, TokenOne->UserAndGroupCount-1, TokenTwo->UserAndGroups+1, TokenTwo->UserAndGroupCount-1 ); if (!RetVal) { goto Cleanup1; } // // Compare the privilege arrays. // RetVal = SepComparePrivilegeAndAttributeArrays( TokenOne->Privileges, TokenOne->PrivilegeCount, TokenTwo->Privileges, TokenTwo->PrivilegeCount ); Cleanup1: SepReleaseTokenReadLock( TokenOne ); SepReleaseTokenReadLock( TokenTwo ); Cleanup: if ( TokenOne != NULL) { ObDereferenceObject( TokenOne ); } if ( TokenTwo != NULL) { ObDereferenceObject( TokenTwo ); } try { *Equal = RetVal; } except(EXCEPTION_EXECUTE_HANDLER) { Status = GetExceptionCode(); } return Status; }