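/// <summary>
/// Replaces the DACL of the service <paramref name="name"/> with exactly two access-allowed ACEs:
/// one for the account behind <c>SystemAccountIdentifier</c> and one for the account behind
/// <c>EveryoneIdentifier</c>. Every pre-existing ACE is discarded first. Failures to read or
/// write the descriptor are logged as warnings and otherwise ignored (best effort).
/// </summary>
/// <param name="name">Name of the service whose security descriptor is rewritten.</param>
private void SetServicePermissions(string name)
{
    SecurityIdentifier systemSid = new SecurityIdentifier(SystemAccountIdentifier);
    SecurityIdentifier everyoneSid = new SecurityIdentifier(EveryoneIdentifier);

    RawSecurityDescriptor securityDescriptor = null;
    if (!Security.GetServiceSecurity(name, out securityDescriptor))
    {
        // NOTE(review): the error code is only meaningful if the P/Invoke behind GetServiceSecurity
        // declares SetLastError = true — confirm against the wrapper.
        m_logger.Warn($"Unable to get proper service permissions for {name} because of Win32 error {Marshal.GetLastWin32Error()}");
        return;
    }

    // A descriptor can come back with no DACL at all (which Windows treats as "everyone full access").
    // The original code dereferenced DiscretionaryAcl unconditionally; start from an empty ACL instead
    // and mark it present so the explicit grants below are the only ones that apply.
    RawAcl dacl = securityDescriptor.DiscretionaryAcl;
    if (dacl == null)
    {
        dacl = new RawAcl(GenericAcl.AclRevision, 2);
        securityDescriptor.DiscretionaryAcl = dacl;
        securityDescriptor.SetFlags(securityDescriptor.ControlFlags | ControlFlags.DiscretionaryAclPresent);
    }
    else
    {
        while (dacl.Count > 0)
        {
            dacl.RemoveAce(0);
        }
    }

    ServiceAccessFlags systemFlags =
        ServiceAccessFlags.WriteOwner
        | ServiceAccessFlags.WriteDac
        | ServiceAccessFlags.ReadControl
        | ServiceAccessFlags.Delete
        | ServiceAccessFlags.UserDefinedControl
        | ServiceAccessFlags.Interrogate
        | ServiceAccessFlags.PauseContinue
        | ServiceAccessFlags.Stop
        | ServiceAccessFlags.Start
        | ServiceAccessFlags.EnumerateDependents
        | ServiceAccessFlags.QueryStatus
        | ServiceAccessFlags.QueryConfig;

    // NOTE(review): this mask gives the EveryoneIdentifier principal Start/Stop/PauseContinue/UserDefinedControl,
    // i.e. any principal covered by that SID can stop or restart the service. Confirm that is intended
    // rather than a query-only mask.
    ServiceAccessFlags everyoneFlags =
        ServiceAccessFlags.QueryConfig
        | ServiceAccessFlags.QueryStatus
        | ServiceAccessFlags.EnumerateDependents
        | ServiceAccessFlags.Start
        | ServiceAccessFlags.Stop
        | ServiceAccessFlags.PauseContinue
        | ServiceAccessFlags.Interrogate
        | ServiceAccessFlags.UserDefinedControl;

    // Order matters for the ACL layout: the system ACE goes first, the everyone ACE second.
    dacl.InsertAce(0, new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, (int)systemFlags, systemSid, false, null));
    dacl.InsertAce(1, new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, (int)everyoneFlags, everyoneSid, false, null));

    if (!Security.SetServiceSecurity(name, securityDescriptor))
    {
        m_logger.Warn($"Unable to set proper service permissions for {name} because of Win32 error {Marshal.GetLastWin32Error()}");
    }
}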
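// Token: 0x06000737 RID: 1847 RVA: 0x0001ACB0 File Offset: 0x00018EB0
/// <summary>
/// Opens the service control manager and then the service <paramref name="serviceName"/> with
/// <paramref name="serviceAccessFlags"/>, hands the service handle to <paramref name="task"/>, and
/// closes both handles afterwards. A failed open is reported through <c>WriteError</c> and the task
/// is not invoked, so it never receives a zero handle.
/// </summary>
/// <param name="serviceName">Name of the service to open.</param>
/// <param name="serviceAccessFlags">Access rights requested on the service handle.</param>
/// <param name="task">Callback that receives the open service handle; the handle is closed when it returns.</param>
internal void DoNativeServiceTask(string serviceName, ServiceAccessFlags serviceAccessFlags, ManageServiceBase.NativeServiceTaskDelegate task)
{
    IntPtr scmHandle = IntPtr.Zero;
    IntPtr serviceHandle = IntPtr.Zero;
    try
    {
        // NOTE(review): the SCM handle is only used to open one service, which needs SC_MANAGER_CONNECT.
        // AllAccess requests far more and fails for callers without full SCM rights — confirm whether
        // the enum exposes a connect-level right and prefer it.
        scmHandle = NativeMethods.OpenSCManager(null, null, ServiceControlManagerAccessFlags.AllAccess);
        if (IntPtr.Zero == scmHandle)
        {
            base.WriteError(TaskWin32Exception.FromErrorCodeAndVerbose(Marshal.GetLastWin32Error(), Strings.ErrorCannotOpenServiceControllerManager), ErrorCategory.ReadError, null);
            // WriteError presumably terminates the task; if it does not, the original fell through and
            // eventually invoked task(IntPtr.Zero). The return keeps the finally block running either way.
            return;
        }

        serviceHandle = NativeMethods.OpenService(scmHandle, serviceName, serviceAccessFlags);
        if (IntPtr.Zero == serviceHandle)
        {
            base.WriteError(TaskWin32Exception.FromErrorCodeAndVerbose(Marshal.GetLastWin32Error(), Strings.ErrorCannotOpenService(serviceName)), ErrorCategory.ReadError, null);
            return;
        }

        task(serviceHandle);
    }
    finally
    {
        // Close in reverse order of acquisition; a close failure is reported as a non-terminating error.
        CloseServiceHandleOrReport(serviceHandle);
        CloseServiceHandleOrReport(scmHandle);
    }
}

/// <summary>
/// Closes <paramref name="handle"/> when it is non-zero and reports a non-terminating error
/// if <c>CloseServiceHandle</c> fails.
/// </summary>
/// <param name="handle">Service or SCM handle; <see cref="IntPtr.Zero"/> is ignored.</param>
private void CloseServiceHandleOrReport(IntPtr handle)
{
    if (IntPtr.Zero == handle)
    {
        return;
    }

    if (!NativeMethods.CloseServiceHandle(handle))
    {
        this.WriteError(TaskWin32Exception.FromErrorCodeAndVerbose(Marshal.GetLastWin32Error(), Strings.ErrorCloseServiceHandle), ErrorCategory.InvalidOperation, null, false);
    }
}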
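/// <summary>
/// Removes the first access-allowed ACE for the well-known SID <c>S-1-5-11</c> from the DACL of the
/// service <c>this.Name</c>. The descriptor is read with <c>QueryServiceObjectSecurity</c>, edited
/// in managed form and written back with <c>SetServiceObjectSecurity</c>. Errors are reported through
/// <c>WriteError</c>; the service is left untouched when the SID is not present.
/// </summary>
/// <remarks>
/// NOTE(review): S-1-5-11 is the well-known "Authenticated Users" SID, while the trace messages refer
/// to the "Network Logon" group, which is a different well-known SID. Confirm which group the lockdown
/// is meant to target before relying on the log text. Only the first matching ACE is removed, as in
/// the original; further ACEs for the same SID (if any) stay in place.
/// </remarks>
protected void LockdownServiceAccess()
{
    TaskLogger.Trace("Modifying service ACL to remove Network Logon ACE.", new object[0]);
    // ReadControl is needed to query the DACL, WriteDac to write it back.
    ServiceAccessFlags serviceAccessFlags = ServiceAccessFlags.ReadControl | ServiceAccessFlags.WriteDac;
    base.DoNativeServiceTask(this.Name, serviceAccessFlags, delegate(IntPtr service)
    {
        const int ErrorInsufficientBuffer = 122; // ERROR_INSUFFICIENT_BUFFER
        string name = this.Name;
        IntPtr queryBuffer = IntPtr.Zero;
        IntPtr writeBuffer = IntPtr.Zero;
        try
        {
            // First attempt with a fixed 64 KiB buffer; if the descriptor is larger, retry once with the
            // size the API reports. The original copied bytesNeeded bytes out of the 64 KiB buffer even
            // after a failed query, i.e. it read past the allocation for larger descriptors.
            int bufferSize = 65536;
            queryBuffer = Marshal.AllocHGlobal(bufferSize);
            int bytesNeeded;
            bool queried = NativeMethods.QueryServiceObjectSecurity(service, SecurityInfos.DiscretionaryAcl, queryBuffer, bufferSize, out bytesNeeded);
            int lastError = Marshal.GetLastWin32Error(); // capture before any other call can disturb it
            if (!queried && lastError == ErrorInsufficientBuffer && bytesNeeded > bufferSize)
            {
                Marshal.FreeHGlobal(queryBuffer);
                queryBuffer = IntPtr.Zero;
                bufferSize = bytesNeeded;
                queryBuffer = Marshal.AllocHGlobal(bufferSize);
                queried = NativeMethods.QueryServiceObjectSecurity(service, SecurityInfos.DiscretionaryAcl, queryBuffer, bufferSize, out bytesNeeded);
                lastError = Marshal.GetLastWin32Error();
            }

            if (!queried || bytesNeeded > bufferSize)
            {
                base.WriteError(TaskWin32Exception.FromErrorCodeAndVerbose(lastError, Strings.ErrorQueryServiceObjectSecurity(name)), ErrorCategory.InvalidOperation, null);
                // WriteError presumably terminates; the return stops the copy below if it does not.
                return;
            }

            byte[] descriptorBytes = new byte[bytesNeeded];
            Marshal.Copy(queryBuffer, descriptorBytes, 0, bytesNeeded);
            RawSecurityDescriptor rawSecurityDescriptor = new RawSecurityDescriptor(descriptorBytes, 0);
            CommonSecurityDescriptor securityDescriptor = new CommonSecurityDescriptor(false, false, rawSecurityDescriptor);

            // Look for the first access-allowed ACE for the target SID. The search is restricted to
            // AccessAllowed because the removal below is RemoveAccess(AccessControlType.Allow, ...);
            // a deny ACE for the same SID would otherwise be "found" and then not removed.
            SecurityIdentifier targetSid = new SecurityIdentifier("S-1-5-11");
            CommonAce targetAce = null;
            foreach (GenericAce ace in securityDescriptor.DiscretionaryAcl)
            {
                // Service DACLs are expected to hold CommonAce entries only; anything else is skipped
                // instead of being cast blindly (the original threw InvalidCastException).
                CommonAce commonAce = ace as CommonAce;
                if (commonAce != null && commonAce.AceQualifier == AceQualifier.AccessAllowed && commonAce.SecurityIdentifier == targetSid)
                {
                    targetAce = commonAce;
                    break;
                }
            }

            if (targetAce == null)
            {
                TaskLogger.Trace("Service ACL was not modified as Network Logon SID is not found.", new object[0]);
                return;
            }

            securityDescriptor.DiscretionaryAcl.RemoveAccess(AccessControlType.Allow, targetAce.SecurityIdentifier, targetAce.AccessMask, targetAce.InheritanceFlags, targetAce.PropagationFlags);

            int binaryLength = securityDescriptor.BinaryLength;
            byte[] newDescriptorBytes = new byte[binaryLength];
            securityDescriptor.GetBinaryForm(newDescriptorBytes, 0);
            writeBuffer = Marshal.AllocHGlobal(binaryLength);
            Marshal.Copy(newDescriptorBytes, 0, writeBuffer, binaryLength);
            if (!NativeMethods.SetServiceObjectSecurity(service, SecurityInfos.DiscretionaryAcl, writeBuffer))
            {
                base.WriteError(TaskWin32Exception.FromErrorCodeAndVerbose(Marshal.GetLastWin32Error(), Strings.ErrorSetServiceObjectSecurity(name)), ErrorCategory.InvalidOperation, null);
                // Do not log success when the write failed.
                return;
            }

            TaskLogger.Trace("Service ACL modified - Network Logon ACE removed.", new object[0]);
        }
        finally
        {
            if (IntPtr.Zero != queryBuffer)
            {
                Marshal.FreeHGlobal(queryBuffer);
            }
            if (IntPtr.Zero != writeBuffer)
            {
                Marshal.FreeHGlobal(writeBuffer);
            }
        }
    });
}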
/// <summary>
/// P/Invoke entry for the Win32 <c>OpenService</c> function: opens the service <paramref name="serviceName"/>
/// through an SCM handle and returns a service handle, or <see cref="IntPtr.Zero"/> on failure.
/// The caller owns the returned handle and must release it with <c>CloseServiceHandle</c>.
/// </summary>
/// <param name="serviceControllerManager">Handle obtained from <c>OpenSCManager</c>.</param>
/// <param name="serviceName">Name of the service to open.</param>
/// <param name="desiredAccess">Access rights requested on the service handle.</param>
/// <returns>The service handle, or <see cref="IntPtr.Zero"/> when the call fails.</returns>
// NOTE(review): the [DllImport] attribute for this declaration is not shown here. Callers read
// Marshal.GetLastWin32Error() right after a zero return, so the attribute needs SetLastError = true
// for that value to be meaningful — confirm.
public static extern IntPtr OpenService(IntPtr serviceControllerManager, string serviceName, ServiceAccessFlags desiredAccess);