Exemple #1
        /// <summary>
        /// Runs an access check of a token against a security descriptor and reports the access that was granted.
        /// </summary>
        /// <param name="sd">The security descriptor to check against. Must not be null.</param>
        /// <param name="token">The access token to check. Must not be null. The check is made with a duplicate of this token.</param>
        /// <param name="access_rights">The set of access rights to check for.</param>
        /// <param name="generic_mapping">The type specific generic mapping (get from corresponding NtType entry).</param>
        /// <returns>The granted access mask as an unsigned integer, or 0 when the check did not report success.</returns>
        /// <exception cref="ArgumentNullException">Thrown if <paramref name="sd"/> or <paramref name="token"/> is null.</exception>
        /// <exception cref="NtException">Thrown if an error occurred in the access check.</exception>
        /// <remarks>
        /// A result of 0 is returned both when the check reports a non-success status and when it
        /// succeeds with an empty mask, so a caller cannot learn the reason for a denial from this method.
        /// </remarks>
        public static uint GetAllowedAccess(SecurityDescriptor sd, NtToken token, GenericAccessRights access_rights, GenericMapping generic_mapping)
        {
            if (sd == null)
            {
                throw new ArgumentNullException("sd");
            }

            if (token == null)
            {
                throw new ArgumentNullException("token");
            }

            // The check is made against an identification-level duplicate, not the caller's own token object.
            // All three resources are released in reverse order when the block exits, including on exceptions.
            using (var descriptor_buffer = sd.ToSafeBuffer())
            using (NtToken check_token = token.DuplicateToken(SecurityImpersonationLevel.Identification))
            using (var privilege_buffer = new SafePrivilegeSetBuffer())
            {
                int privilege_buffer_length = privilege_buffer.Length;
                uint granted;
                NtStatus check_status;

                // Two statuses come back: the returned one is turned into an exception here,
                // while check_status is inspected below before the granted mask is trusted.
                NtSystemCalls.NtAccessCheck(descriptor_buffer, check_token.Handle, (uint)access_rights,
                                            ref generic_mapping, privilege_buffer, ref privilege_buffer_length,
                                            out granted, out check_status).ToNtException();

                // Never hand back the out value unless the check itself reported success.
                return check_status.IsSuccess() ? granted : 0U;
            }
        }
 /// <summary>
 /// Declaration of the externally implemented NtAccessCheck routine.
 /// </summary>
 /// <remarks>
 /// Two statuses come back: the return value and <paramref name="AccessStatus"/>. A caller should
 /// check both before using <paramref name="GrantedAccess"/>. Presumably the return value reports
 /// whether the call could be carried out and AccessStatus reports the verdict of the check itself;
 /// confirm against the native documentation.
 /// </remarks>
 /// <param name="SecurityDescriptor">Buffer holding the security descriptor to check against.</param>
 /// <param name="ClientToken">Handle of the token the check is made for.</param>
 /// <param name="DesiredAccess">The access mask being asked for.</param>
 /// <param name="GenericMapping">The generic mapping, passed by reference.</param>
 /// <param name="RequiredPrivilegesBuffer">Privilege set buffer supplied by the caller.</param>
 /// <param name="BufferLength">Passed by reference; presumably the size of <paramref name="RequiredPrivilegesBuffer"/> on input (TODO confirm).</param>
 /// <param name="GrantedAccess">Receives the granted access mask.</param>
 /// <param name="AccessStatus">Receives a status separate from the return value.</param>
 /// <returns>The status returned by the external routine.</returns>
 public static extern NtStatus NtAccessCheck(
     SafeBuffer SecurityDescriptor,
     SafeKernelObjectHandle ClientToken,
     AccessMask DesiredAccess,
     ref GenericMapping GenericMapping,
     SafePrivilegeSetBuffer RequiredPrivilegesBuffer,
     ref int BufferLength,
     out AccessMask GrantedAccess,
     out NtStatus AccessStatus);
        /// <summary>
        /// Builds a privilege check result from a privilege set buffer.
        /// </summary>
        /// <param name="privileges">The privilege set buffer to read the entries from.</param>
        /// <param name="all_privileges_held">The value stored in <c>AllPrivilegesHeld</c>.</param>
        internal PrivilegeCheckResult(SafePrivilegeSetBuffer privileges, bool all_privileges_held)
        {
            // The entry count comes from the buffer's own header; it sizes the array read below.
            // NOTE(review): nothing here bounds PrivilegeCount against the buffer size, so this relies
            // on ReadArray rejecting an out-of-range read - confirm.
            var header = privileges.Result;
            LuidAndAttributes[] entries = new LuidAndAttributes[header.PrivilegeCount];
            privileges.Data.ReadArray(0, entries, 0, entries.Length);

            // Copy into managed objects and expose them through a read-only wrapper.
            var converted = entries.Select(entry => new TokenPrivilege(entry.Luid, entry.Attributes)).ToList();
            Privileges = converted.AsReadOnly();

            AllPrivilegesHeld = all_privileges_held;
        }
 /// <summary>
 /// Declaration of the externally implemented NtAccessCheckByType routine.
 /// </summary>
 /// <remarks>
 /// Two statuses come back: the return value and <paramref name="AccessStatus"/>. A caller should
 /// check both before using <paramref name="GrantedAccess"/>. Presumably the return value reports
 /// whether the call could be carried out and AccessStatus reports the verdict of the check itself;
 /// confirm against the native documentation.
 /// </remarks>
 /// <param name="SecurityDescriptor">Buffer holding the security descriptor to check against.</param>
 /// <param name="PrincipalSelfSid">Handle to a SID; presumably the one substituted for the SELF SID (TODO confirm).</param>
 /// <param name="ClientToken">Handle of the token the check is made for.</param>
 /// <param name="DesiredAccess">The access mask being asked for.</param>
 /// <param name="ObjectTypeList">Array of object type entries, marshalled as input only.</param>
 /// <param name="ObjectTypeListLength">Presumably the number of entries in <paramref name="ObjectTypeList"/> (TODO confirm).</param>
 /// <param name="GenericMapping">The generic mapping, passed by reference.</param>
 /// <param name="RequiredPrivilegesBuffer">Privilege set buffer supplied by the caller.</param>
 /// <param name="BufferLength">Passed by reference; presumably the size of <paramref name="RequiredPrivilegesBuffer"/> on input (TODO confirm).</param>
 /// <param name="GrantedAccess">Receives the granted access mask.</param>
 /// <param name="AccessStatus">Receives a status separate from the return value.</param>
 /// <returns>The status returned by the external routine.</returns>
 public static extern NtStatus NtAccessCheckByType(
     SafeBuffer SecurityDescriptor,
     SafeHandle PrincipalSelfSid,
     SafeKernelObjectHandle ClientToken,
     AccessMask DesiredAccess,
     [In] ObjectTypeList[] ObjectTypeList,
     int ObjectTypeListLength,
     ref GenericMapping GenericMapping,
     SafePrivilegeSetBuffer RequiredPrivilegesBuffer,
     ref int BufferLength,
     out AccessMask GrantedAccess,
     out NtStatus AccessStatus);
Exemple #5
        /// <summary>
        /// Runs an access check of a token against a security descriptor and reports the access that was granted.
        /// </summary>
        /// <param name="sd">The security descriptor to check against. Must not be null.</param>
        /// <param name="token">The access token to check. Must not be null. The check is made with the token returned by DuplicateForAccessCheck.</param>
        /// <param name="access_rights">The set of access rights to check for. An empty mask returns immediately without a check.</param>
        /// <param name="principal">An optional principal SID used to replace the SELF SID in a security descriptor. May be null.</param>
        /// <param name="generic_mapping">The type specific generic mapping (get from corresponding NtType entry).</param>
        /// <returns>The granted access mask, or <c>AccessMask.Empty</c> when nothing was asked for or the check did not report success.</returns>
        /// <exception cref="ArgumentNullException">Thrown if <paramref name="sd"/> or <paramref name="token"/> is null.</exception>
        /// <exception cref="NtException">Thrown if an error occurred in the access check.</exception>
        /// <remarks>
        /// An empty result is returned for an empty request, for a non-success check status and for a
        /// check that succeeds with an empty mask, so a caller cannot learn the reason for a denial
        /// from this method.
        /// </remarks>
        public static AccessMask GetAllowedAccess(SecurityDescriptor sd, NtToken token,
                                                  AccessMask access_rights, Sid principal, GenericMapping generic_mapping)
        {
            if (sd == null)
            {
                throw new ArgumentNullException("sd");
            }

            if (token == null)
            {
                throw new ArgumentNullException("token");
            }

            // Nothing requested means nothing granted; no buffers or token duplicate are created.
            if (access_rights.IsEmpty)
            {
                return AccessMask.Empty;
            }

            // Every resource below is released in reverse order when its block exits, including on exceptions.
            using (SafeBuffer descriptor_buffer = sd.ToSafeBuffer())
            using (NtToken check_token = DuplicateForAccessCheck(token))
            using (var privilege_buffer = new SafePrivilegeSetBuffer())
            {
                int privilege_buffer_length = privilege_buffer.Length;

                // A null principal is passed down as the null SID handle rather than as a null reference.
                using (var self_sid = principal != null ? principal.ToSafeBuffer() : SafeSidBufferHandle.Null)
                {
                    // Two statuses come back: the returned one is turned into an exception here,
                    // while check_status is inspected below before the granted mask is trusted.
                    NtSystemCalls.NtAccessCheckByType(descriptor_buffer, self_sid, check_token.Handle, access_rights,
                                                      SafeHGlobalBuffer.Null, 0, ref generic_mapping, privilege_buffer,
                                                      ref privilege_buffer_length, out AccessMask granted, out NtStatus check_status).ToNtException();

                    // Never hand back the out value unless the check itself reported success.
                    return check_status.IsSuccess() ? granted : AccessMask.Empty;
                }
            }
        }
 /// <summary>
 /// Declaration of the externally implemented NtPrivilegeCheck routine.
 /// </summary>
 /// <param name="ClientToken">Handle of the token the check is made for.</param>
 /// <param name="RequiredPrivileges">Privilege set buffer naming the privileges to check.</param>
 /// <param name="Result">
 /// Receives the boolean outcome, marshalled as a single byte (UnmanagedType.U1).
 /// Presumably true when the required privileges are held (TODO confirm).
 /// </param>
 /// <returns>The status returned by the external routine; check it before relying on <paramref name="Result"/>.</returns>
 public static extern NtStatus NtPrivilegeCheck(
     SafeKernelObjectHandle ClientToken,
     SafePrivilegeSetBuffer RequiredPrivileges,
     [MarshalAs(UnmanagedType.U1)] out bool Result);
Exemple #7
 /// <summary>
 /// Captures the outcome of an access check: its status, the granted mask and any privileges reported.
 /// </summary>
 /// <param name="status">The status stored in <c>Status</c>.</param>
 /// <param name="granted_access">The mask stored in <c>GrantedAccess</c>.</param>
 /// <param name="privilege_set">The privilege set buffer to read privileges from. May be null.</param>
 internal AccessCheckResult(NtStatus status, AccessMask granted_access, SafePrivilegeSetBuffer privilege_set)
 {
     Status        = status;
     GrantedAccess = granted_access;

     // A missing buffer, or a null privilege list, becomes an empty array so that
     // PrivilegesRequired is never null for callers that enumerate it.
     var reported = privilege_set?.GetPrivileges();
     PrivilegesRequired = reported ?? new TokenPrivilege[0];
 }