コード例 #1
0
        private void SetServicePermissions(string name)
        {
            SecurityIdentifier si       = new SecurityIdentifier(SystemAccountIdentifier);
            SecurityIdentifier everyone = new SecurityIdentifier(EveryoneIdentifier);

            RawSecurityDescriptor securityDescriptor = null;

            if (!Security.GetServiceSecurity(name, out securityDescriptor))
            {
                m_logger.Warn($"Unable to get proper service permissions for {name} because of Win32 error {Marshal.GetLastWin32Error()}");
            }
            else
            {
                while (securityDescriptor.DiscretionaryAcl.Count > 0)
                {
                    securityDescriptor.DiscretionaryAcl.RemoveAce(0);
                }

                ServiceAccessFlags systemFlags = ServiceAccessFlags.WriteOwner | ServiceAccessFlags.WriteDac | ServiceAccessFlags.ReadControl |
                                                 ServiceAccessFlags.Delete | ServiceAccessFlags.UserDefinedControl | ServiceAccessFlags.Interrogate | ServiceAccessFlags.PauseContinue |
                                                 ServiceAccessFlags.Stop | ServiceAccessFlags.Start | ServiceAccessFlags.EnumerateDependents | ServiceAccessFlags.QueryStatus |
                                                 ServiceAccessFlags.QueryConfig;

                ServiceAccessFlags everyoneFlags = ServiceAccessFlags.QueryConfig | ServiceAccessFlags.QueryStatus | ServiceAccessFlags.EnumerateDependents |
                                                   ServiceAccessFlags.Start | ServiceAccessFlags.Stop | ServiceAccessFlags.PauseContinue | ServiceAccessFlags.Interrogate | ServiceAccessFlags.UserDefinedControl;

                securityDescriptor.DiscretionaryAcl.InsertAce(0, new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, (int)systemFlags, si, false, null));
                securityDescriptor.DiscretionaryAcl.InsertAce(1, new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, (int)everyoneFlags, everyone, false, null));

                if (!Security.SetServiceSecurity(name, securityDescriptor))
                {
                    m_logger.Warn($"Unable to set proper service permissions for {name} because of Win32 error {Marshal.GetLastWin32Error()}");
                }
            }
        }
コード例 #2
0
        // Token: 0x06000737 RID: 1847 RVA: 0x0001ACB0 File Offset: 0x00018EB0
        internal void DoNativeServiceTask(string serviceName, ServiceAccessFlags serviceAccessFlags, ManageServiceBase.NativeServiceTaskDelegate task)
        {
            IntPtr intPtr  = IntPtr.Zero;
            IntPtr intPtr2 = IntPtr.Zero;

            try
            {
                intPtr = NativeMethods.OpenSCManager(null, null, ServiceControlManagerAccessFlags.AllAccess);
                if (IntPtr.Zero == intPtr)
                {
                    base.WriteError(TaskWin32Exception.FromErrorCodeAndVerbose(Marshal.GetLastWin32Error(), Strings.ErrorCannotOpenServiceControllerManager), ErrorCategory.ReadError, null);
                }
                intPtr2 = NativeMethods.OpenService(intPtr, serviceName, serviceAccessFlags);
                if (IntPtr.Zero == intPtr2)
                {
                    base.WriteError(TaskWin32Exception.FromErrorCodeAndVerbose(Marshal.GetLastWin32Error(), Strings.ErrorCannotOpenService(serviceName)), ErrorCategory.ReadError, null);
                }
                task(intPtr2);
            }
            finally
            {
                if (IntPtr.Zero != intPtr2 && !NativeMethods.CloseServiceHandle(intPtr2))
                {
                    this.WriteError(TaskWin32Exception.FromErrorCodeAndVerbose(Marshal.GetLastWin32Error(), Strings.ErrorCloseServiceHandle), ErrorCategory.InvalidOperation, null, false);
                }
                if (IntPtr.Zero != intPtr && !NativeMethods.CloseServiceHandle(intPtr))
                {
                    this.WriteError(TaskWin32Exception.FromErrorCodeAndVerbose(Marshal.GetLastWin32Error(), Strings.ErrorCloseServiceHandle), ErrorCategory.InvalidOperation, null, false);
                }
            }
        }
コード例 #3
0
        protected void LockdownServiceAccess()
        {
            TaskLogger.Trace("Modifying service ACL to remove Network Logon ACE.", new object[0]);
            ServiceAccessFlags serviceAccessFlags = ServiceAccessFlags.ReadControl | ServiceAccessFlags.WriteDac;

            base.DoNativeServiceTask(this.Name, serviceAccessFlags, delegate(IntPtr service)
            {
                string name    = this.Name;
                IntPtr intPtr  = IntPtr.Zero;
                IntPtr intPtr2 = IntPtr.Zero;
                try
                {
                    int num = 65536;
                    intPtr  = Marshal.AllocHGlobal(num);
                    int num2;
                    if (!NativeMethods.QueryServiceObjectSecurity(service, SecurityInfos.DiscretionaryAcl, intPtr, num, out num2))
                    {
                        base.WriteError(TaskWin32Exception.FromErrorCodeAndVerbose(Marshal.GetLastWin32Error(), Strings.ErrorQueryServiceObjectSecurity(name)), ErrorCategory.InvalidOperation, null);
                    }
                    byte[] array = new byte[num2];
                    Marshal.Copy(intPtr, array, 0, num2);
                    RawSecurityDescriptor rawSecurityDescriptor       = new RawSecurityDescriptor(array, 0);
                    CommonSecurityDescriptor commonSecurityDescriptor = new CommonSecurityDescriptor(false, false, rawSecurityDescriptor);
                    CommonAce commonAce      = null;
                    SecurityIdentifier right = new SecurityIdentifier("S-1-5-11");
                    for (int i = 0; i < commonSecurityDescriptor.DiscretionaryAcl.Count; i++)
                    {
                        CommonAce commonAce2 = (CommonAce)commonSecurityDescriptor.DiscretionaryAcl[i];
                        if (commonAce2.SecurityIdentifier == right)
                        {
                            commonAce = commonAce2;
                            break;
                        }
                    }
                    if (commonAce == null)
                    {
                        TaskLogger.Trace("Service ACL was not modified as Network Logon SID is not found.", new object[0]);
                    }
                    else
                    {
                        commonSecurityDescriptor.DiscretionaryAcl.RemoveAccess(AccessControlType.Allow, commonAce.SecurityIdentifier, commonAce.AccessMask, commonAce.InheritanceFlags, commonAce.PropagationFlags);
                        int binaryLength = commonSecurityDescriptor.BinaryLength;
                        byte[] array2    = new byte[binaryLength];
                        commonSecurityDescriptor.GetBinaryForm(array2, 0);
                        intPtr2 = Marshal.AllocHGlobal(binaryLength);
                        Marshal.Copy(array2, 0, intPtr2, binaryLength);
                        if (!NativeMethods.SetServiceObjectSecurity(service, SecurityInfos.DiscretionaryAcl, intPtr2))
                        {
                            base.WriteError(TaskWin32Exception.FromErrorCodeAndVerbose(Marshal.GetLastWin32Error(), Strings.ErrorSetServiceObjectSecurity(name)), ErrorCategory.InvalidOperation, null);
                        }
                        TaskLogger.Trace("Service ACL modified - Network Logon ACE removed.", new object[0]);
                    }
                }
                finally
                {
                    if (IntPtr.Zero != intPtr)
                    {
                        Marshal.FreeHGlobal(intPtr);
                    }
                    if (IntPtr.Zero != intPtr2)
                    {
                        Marshal.FreeHGlobal(intPtr2);
                    }
                }
            });
        }
コード例 #4
0
 public static extern IntPtr OpenService(IntPtr serviceControllerManager, string serviceName, ServiceAccessFlags desiredAccess);