static bool StartedInCage()
{
IntPtr security_descriptor = IntPtr.Zero;
IntPtr entries_pointer = IntPtr.Zero;
bool desktop_access_right_status = false;
try
{
var desktop = NativeMethods.GetThreadDesktop(NativeMethods.GetCurrentThreadId());
if (desktop == IntPtr.Zero)
{
throw new NativeCallException("Failed to retrieve desktop handle.");
}
IntPtr owner_sid = IntPtr.Zero;
IntPtr group_sid = IntPtr.Zero;
IntPtr dacl;
IntPtr sacl = IntPtr.Zero;
if (NativeMethods.GetSecurityInfo(
desktop,
NativeMethods.SE_OBJECT_TYPE.SE_WINDOW_OBJECT,
NativeMethods.SECURITY_INFORMATION.DACL_SECURITY_INFORMATION,
out owner_sid,
out group_sid,
out dacl,
out sacl,
out security_descriptor) != 0)
{
throw new NativeCallException("Failed to retrieve security info.");
}
ulong entry_count = 0;
if (NativeMethods.GetExplicitEntriesFromAclW(dacl, ref entry_count, out entries_pointer) != 0)
{
throw new NativeCallException("Failed to retrieve acl entries.");
}
if (entry_count == 3)
{
bool system_sid_correct_access = false;
bool admin_sid_correct_access = false;
bool shark_sid_correct_access = false;
IntPtr shark_entry = entries_pointer;
IntPtr admin_entry = IntPtr.Add(shark_entry, Marshal.SizeOf(typeof(NativeMethods.EXPLICIT_ACCESS)));
IntPtr system_entry = IntPtr.Add(admin_entry, Marshal.SizeOf(typeof(NativeMethods.EXPLICIT_ACCESS)));
NativeMethods.EXPLICIT_ACCESS ea_shark = (NativeMethods.EXPLICIT_ACCESS)Marshal.PtrToStructure(shark_entry, typeof(NativeMethods.EXPLICIT_ACCESS));
NativeMethods.EXPLICIT_ACCESS ea_admin = (NativeMethods.EXPLICIT_ACCESS)Marshal.PtrToStructure(admin_entry, typeof(NativeMethods.EXPLICIT_ACCESS));
NativeMethods.EXPLICIT_ACCESS ea_system = (NativeMethods.EXPLICIT_ACCESS)Marshal.PtrToStructure(system_entry, typeof(NativeMethods.EXPLICIT_ACCESS));
const int GRANT_ACCESS = 1;
const int NO_INHERITANCE = 0;
if (ea_shark.Trustee.TrusteeForm == NativeMethods.TRUSTEE_FORM.TRUSTEE_IS_SID)
{
const NativeMethods.DESKTOP_ACCESS_RIGHTS desired_shark_permissions = NativeMethods.DESKTOP_ACCESS_RIGHTS.DESKTOP_READOBJECTS
| NativeMethods.DESKTOP_ACCESS_RIGHTS.DESKTOP_CREATEWINDOW
| NativeMethods.DESKTOP_ACCESS_RIGHTS.DESKTOP_CREATEMENU
| NativeMethods.DESKTOP_ACCESS_RIGHTS.DESKTOP_HOOKCONTROL
| NativeMethods.DESKTOP_ACCESS_RIGHTS.DESKTOP_JOURNALRECORD
| NativeMethods.DESKTOP_ACCESS_RIGHTS.DESKTOP_JOURNALPLAYBACK
| NativeMethods.DESKTOP_ACCESS_RIGHTS.DESKTOP_ENUMERATE
| NativeMethods.DESKTOP_ACCESS_RIGHTS.DESKTOP_WRITEOBJECTS;
if ((ea_shark.grfAccessPermissions & (uint)desired_shark_permissions) == (uint)desired_shark_permissions &&
(ea_shark.grfAccessPermissions & (~((uint)desired_shark_permissions))) == 0 &&
ea_shark.grfAccessMode == GRANT_ACCESS &&
ea_shark.grfInheritance == NO_INHERITANCE)
{
shark_sid_correct_access = true;
}
}
if (ea_admin.Trustee.TrusteeForm == NativeMethods.TRUSTEE_FORM.TRUSTEE_IS_SID)
{
const int nt_security_authority = 5;
const int security_builtin_domain_rid = 32;
const int domain_alias_rid_admins = 544;
var nt_authority = new NativeMethods.SidIdentifierAuthority();
nt_authority.Value = new byte[] { 0, 0, 0, 0, 0, nt_security_authority };
IntPtr admin_sid = IntPtr.Zero;
if (!NativeMethods.AllocateAndInitializeSid(
ref nt_authority,
2,
security_builtin_domain_rid,
domain_alias_rid_admins,
0,
0,
0,
0,
0,
0,
out admin_sid))
{
throw new NativeCallException("Failed to allocate or initialize admin security identifier.");
}
if (ea_admin.Trustee.ptstrName == IntPtr.Zero)
{
throw new NativeCallException("Failed to retrieve admin sid.");
}
else if (NativeMethods.EqualSid(ea_admin.Trustee.ptstrName, admin_sid))
{
NativeMethods.DESKTOP_ACCESS_RIGHTS desired_admin_permissions = NativeMethods.DESKTOP_ACCESS_RIGHTS.DELETE
| NativeMethods.DESKTOP_ACCESS_RIGHTS.DESKTOP_ENUMERATE
| NativeMethods.DESKTOP_ACCESS_RIGHTS.READ_CONTROL
| NativeMethods.DESKTOP_ACCESS_RIGHTS.WRITE_DAC
| NativeMethods.DESKTOP_ACCESS_RIGHTS.WRITE_OWNER;
if ((ea_admin.grfAccessPermissions & (uint)desired_admin_permissions) == (uint)desired_admin_permissions &&
(ea_admin.grfAccessPermissions & (~((uint)desired_admin_permissions))) == 0 &&
ea_admin.grfAccessMode == GRANT_ACCESS &&
ea_admin.grfInheritance == NO_INHERITANCE)
{
admin_sid_correct_access = true;
}
}
if (admin_sid != IntPtr.Zero)
{
NativeMethods.FreeSid(admin_sid);
}
}
if (ea_system.Trustee.TrusteeForm == NativeMethods.TRUSTEE_FORM.TRUSTEE_IS_SID)
{
const int nt_security_authority = 5;
const int security_local_system_rid = 18;
var nt_authority = new NativeMethods.SidIdentifierAuthority();
nt_authority.Value = new byte[] { 0, 0, 0, 0, 0, nt_security_authority };
IntPtr system_sid = IntPtr.Zero;
if (!NativeMethods.AllocateAndInitializeSid(ref nt_authority,
1,
security_local_system_rid,
0,
0,
0,
0,
0,
0,
0,
out system_sid))
{
throw new NativeCallException("Failed to allocate or initialize system security identifier.");
}
if (ea_system.Trustee.ptstrName == IntPtr.Zero)
{
throw new NativeCallException("Failed to retrieve system sid.");
}
else if (NativeMethods.EqualSid(ea_system.Trustee.ptstrName, system_sid))
{
const NativeMethods.DESKTOP_ACCESS_RIGHTS desired_system_permissions = NativeMethods.DESKTOP_ACCESS_RIGHTS.DELETE
| NativeMethods.DESKTOP_ACCESS_RIGHTS.DESKTOP_READOBJECTS
| NativeMethods.DESKTOP_ACCESS_RIGHTS.DESKTOP_CREATEWINDOW
| NativeMethods.DESKTOP_ACCESS_RIGHTS.DESKTOP_CREATEMENU
| NativeMethods.DESKTOP_ACCESS_RIGHTS.DESKTOP_HOOKCONTROL
| NativeMethods.DESKTOP_ACCESS_RIGHTS.DESKTOP_JOURNALRECORD
| NativeMethods.DESKTOP_ACCESS_RIGHTS.DESKTOP_JOURNALPLAYBACK
| NativeMethods.DESKTOP_ACCESS_RIGHTS.DESKTOP_ENUMERATE
| NativeMethods.DESKTOP_ACCESS_RIGHTS.DESKTOP_WRITEOBJECTS
| NativeMethods.DESKTOP_ACCESS_RIGHTS.DESKTOP_SWITCHDESKTOP
| NativeMethods.DESKTOP_ACCESS_RIGHTS.READ_CONTROL
| NativeMethods.DESKTOP_ACCESS_RIGHTS.WRITE_DAC
| NativeMethods.DESKTOP_ACCESS_RIGHTS.WRITE_OWNER;
if ((ea_system.grfAccessPermissions & (uint)desired_system_permissions) == (uint)desired_system_permissions &&
(ea_system.grfAccessPermissions & (~((uint)desired_system_permissions))) == 0 &&
ea_system.grfAccessMode == GRANT_ACCESS &&
ea_system.grfInheritance == NO_INHERITANCE)
{
system_sid_correct_access = true;
}
}
if (system_sid != IntPtr.Zero)
{
NativeMethods.FreeSid(system_sid);
}
}
if (system_sid_correct_access && admin_sid_correct_access && shark_sid_correct_access)
{
desktop_access_right_status = true;
}
}
}
catch (Exception e)
{
MessageBox.Show("Could not determine on which desktop the process is running: " + e.ToString());
Environment.Exit(1);
}
finally
{
NativeMethods.LocalFree(entries_pointer);
NativeMethods.LocalFree(security_descriptor);
}
return(desktop_access_right_status);
}
public bool AddDirectorySecurity(
string fileOrFolder,
string userAccount,
FileSystemRights requestedRights,
AccessControlType controlType,
InheritanceFlags inheritFlag = InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
PropagationFlags propFlag = PropagationFlags.None,
bool forcePermissions = false)
{
try
{
if (File.Exists(fileOrFolder))
{
var fInfo = new FileInfo(fileOrFolder);
var fSecurity = fInfo.GetAccessControl();
fSecurity.SetAccessRuleProtection(false, true);
fSecurity.AddAccessRule(new FileSystemAccessRule(userAccount, requestedRights, controlType));
fInfo.SetAccessControl(fSecurity);
}
else if (Directory.Exists(fileOrFolder))
{
var dInfo = new DirectoryInfo(fileOrFolder);
var dSecurity = dInfo.GetAccessControl();
//dSecurity.SetAccessRuleProtection(false, true); // This option appears to flip the enable/disable inheritance option.
dSecurity.AddAccessRule(new FileSystemAccessRule(userAccount, requestedRights, inheritFlag, propFlag, controlType));
dInfo.SetAccessControl(dSecurity);
}
else
{
_logger.Log($"Specified file or folder [{fileOrFolder}] does not exist.", Logger.MsgType.ERROR);
return(false);
}
return(true);
}
catch (Exception e)
{
// Force permissions? (e.g. take ownership and try again)
if (forcePermissions)
{
if (!NativeMethods.OpenProcessToken(
Process.GetCurrentProcess().Handle,
NativeMethods.TOKEN_ALL_ACCESS,
out IntPtr hToken))
{
_logger.Log("Unable to open specified process token [OpenProcessToken=" +
Marshal.GetLastWin32Error().ToString() + "].");
return(false);
}
if (!new WindowsHelper(_logger).EnablePrivilege(hToken, NativeMethods.SE_TAKE_OWNERSHIP_NAME))
{
_logger.Log("Failed to enable privilege [SeTakeOwnershipPrivilege].", Logger.MsgType.ERROR);
Marshal.FreeHGlobal(hToken);
return(false);
}
// Administrators group trustee control information.
NativeMethods.EXPLICIT_ACCESS adminGroupAccess = new NativeMethods.EXPLICIT_ACCESS();
NativeMethods.BuildExplicitAccessWithName(
ref adminGroupAccess,
"Administrators",
NativeMethods.ACCESS_MASK.GENERIC_ALL,
NativeMethods.ACCESS_MODE.SET_ACCESS,
NativeMethods.NO_INHERITANCE);
IntPtr acl = IntPtr.Zero;
NativeMethods.SetEntriesInAcl(1, ref adminGroupAccess, IntPtr.Zero, ref acl);
// Allocate SID -- BUILTIN\Administrators.
NativeMethods.SID_IDENTIFIER_AUTHORITY sidNTAuthority = NativeMethods.SECURITY_NT_AUTHORITY;
IntPtr sidAdministrators = IntPtr.Zero;
NativeMethods.AllocateAndInitializeSid(ref sidNTAuthority,
2,
NativeMethods.SECURITY_BUILTIN_DOMAIN_RID,
NativeMethods.DOMAIN_ALIAS_RID_ADMINS,
0, 0, 0, 0, 0, 0,
ref sidAdministrators);
// Set the owner in the object's security descriptor.
NativeMethods.SetNamedSecurityInfo(
fileOrFolder,
NativeMethods.SE_OBJECT_TYPE.SE_FILE_OBJECT,
NativeMethods.SECURITY_INFORMATION.OWNER_SECURITY_INFORMATION,
sidAdministrators,
IntPtr.Zero,
IntPtr.Zero,
IntPtr.Zero);
/*// Modify the object's DACL.
* NativeMethods.SetNamedSecurityInfo(
* fileOrFolder,
* NativeMethods.SE_OBJECT_TYPE.SE_FILE_OBJECT,
* NativeMethods.SECURITY_INFORMATION.DACL_SECURITY_INFORMATION,
* IntPtr.Zero,
* IntPtr.Zero,
* acl,
* IntPtr.Zero);*/
NativeMethods.FreeSid(sidAdministrators);
NativeMethods.LocalFree(acl);
return(AddDirectorySecurity(fileOrFolder, userAccount, requestedRights, controlType, inheritFlag, propFlag, false));
}
else
{
_logger.Log(e, "Failed to add filesystem permissions to [" + fileOrFolder + "].");
return(false);
}
}
}
