/// <summary>
/// Do an access check between a security descriptor and a token to determine the allowed access.
/// </summary>
/// <param name="sd">The security descriptor</param>
/// <param name="token">The access token.</param>
/// <param name="access_rights">The set of access rights to check against</param>
/// <param name="generic_mapping">The type specific generic mapping (get from corresponding NtType entry).</param>
/// <returns>The allowed access mask as a unsigned integer.</returns>
/// <exception cref="NtException">Thrown if an error occurred in the access check.</exception>
public static uint GetAllowedAccess(SecurityDescriptor sd, NtToken token, GenericAccessRights access_rights, GenericMapping generic_mapping)
{
if (sd == null)
{
throw new ArgumentNullException("sd");
}
if (token == null)
{
throw new ArgumentNullException("token");
}
using (var sd_buffer = sd.ToSafeBuffer())
{
using (NtToken imp_token = token.DuplicateToken(SecurityImpersonationLevel.Identification))
{
uint granted_access;
NtStatus result_status;
using (var privs = new SafePrivilegeSetBuffer())
{
int buffer_length = privs.Length;
NtSystemCalls.NtAccessCheck(sd_buffer, imp_token.Handle, (uint)access_rights,
ref generic_mapping, privs, ref buffer_length, out granted_access, out result_status).ToNtException();
if (result_status.IsSuccess())
{
return(granted_access);
}
return(0);
}
}
}
}
/// <summary>
/// Set the object's security descriptor
/// </summary>
/// <param name="security_desc">The security descriptor to set.</param>
/// <param name="security_information">What parts of the security descriptor to set</param>
/// <param name="throw_on_error">True to throw on error.</param>
/// <returns>The NT status code.</returns>
public NtStatus SetSecurityDescriptor(SecurityDescriptor security_desc, SecurityInformation security_information, bool throw_on_error)
{
using (var buffer = security_desc.ToSafeBuffer(true))
{
return(NtSecurity.SetSecurityDescriptor(Handle, buffer, security_information, throw_on_error));
}
}
/// <summary>
/// Constructor
/// </summary>
/// <param name="object_name">The object name, can be null.</param>
/// <param name="attributes">The object attribute flags.</param>
/// <param name="root">An optional root handle, can be SafeKernelObjectHandle.Null. Will duplicate the handle.</param>
/// <param name="sqos">An optional security quality of service.</param>
/// <param name="security_descriptor">An optional security descriptor.</param>
public ObjectAttributes(string object_name, AttributeFlags attributes, SafeKernelObjectHandle root,
SecurityQualityOfService sqos, SecurityDescriptor security_descriptor)
{
Length = Marshal.SizeOf(this);
if (object_name != null)
{
ObjectName = new UnicodeString(object_name).ToBuffer();
}
else
{
ObjectName = SafeHGlobalBuffer.Null;
}
Attributes = attributes;
if (sqos != null)
{
SecurityQualityOfService = sqos.ToBuffer();
}
else
{
SecurityQualityOfService = SafeHGlobalBuffer.Null;
}
RootDirectory = !root.IsInvalid ? NtObject.DuplicateHandle(root) : SafeKernelObjectHandle.Null;
if (security_descriptor != null)
{
SecurityDescriptor = security_descriptor.ToSafeBuffer();
}
else
{
SecurityDescriptor = SafeHGlobalBuffer.Null;
}
}
private ObjectAttributes(SafeBuffer object_name, AttributeFlags attributes, SafeKernelObjectHandle root,
SecurityQualityOfService sqos, SecurityDescriptor security_descriptor)
{
try {
if (root == null)
{
throw new ArgumentNullException(nameof(root), "Use SafeKernelObjectHandle.Null for a null handle");
}
Length = Marshal.SizeOf(this);
ObjectName = object_name;
Attributes = attributes;
if (sqos != null)
{
SecurityQualityOfService = sqos.ToBuffer();
}
else
{
SecurityQualityOfService = SafeHGlobalBuffer.Null;
}
RootDirectory = !root.IsInvalid ? NtObject.DuplicateHandle(root) : SafeKernelObjectHandle.Null;
if (security_descriptor != null)
{
SecurityDescriptor = security_descriptor.ToSafeBuffer();
}
else
{
SecurityDescriptor = SafeHGlobalBuffer.Null;
}
} catch {
Dispose();
throw;
}
}
internal static SafeBuffer AddSecurityDescriptor(this DisposableList list, SecurityDescriptor sd)
{
if (sd == null)
{
return(SafeHGlobalBuffer.Null);
}
return(list.AddResource(sd.ToSafeBuffer()));
}
/// <summary>
/// Constructor
/// </summary>
/// <param name="base_object">Base object for security descriptor</param>
/// <param name="token">Token for determining user rights</param>
/// <param name="is_directory">True if a directory security descriptor</param>
public SecurityDescriptor(NtObject base_object, NtToken token, bool is_directory) : this()
{
if ((base_object == null) && (token == null))
{
throw new ArgumentNullException();
}
SecurityDescriptor parent_sd = null;
if (base_object != null)
{
parent_sd = base_object.SecurityDescriptor;
}
SecurityDescriptor creator_sd = null;
if (token != null)
{
creator_sd = new SecurityDescriptor
{
Owner = new SecurityDescriptorSid(token.Owner, false),
Group = new SecurityDescriptorSid(token.PrimaryGroup, false),
Dacl = token.DefaultDacl
};
}
NtType type = base_object.NtType;
SafeBuffer parent_sd_buffer = SafeHGlobalBuffer.Null;
SafeBuffer creator_sd_buffer = SafeHGlobalBuffer.Null;
SafeSecurityObjectBuffer security_obj = null;
try
{
if (parent_sd != null)
{
parent_sd_buffer = parent_sd.ToSafeBuffer();
}
if (creator_sd != null)
{
creator_sd_buffer = creator_sd.ToSafeBuffer();
}
GenericMapping mapping = type.GenericMapping;
NtRtl.RtlNewSecurityObject(parent_sd_buffer, creator_sd_buffer, out security_obj, is_directory,
token != null ? token.Handle : SafeKernelObjectHandle.Null, ref mapping).ToNtException();
ParseSecurityDescriptor(security_obj);
}
finally
{
parent_sd_buffer?.Close();
creator_sd_buffer?.Close();
security_obj?.Close();
}
}
/// <summary>
/// Do an access check between a security descriptor and a token to determine the allowed access.
/// </summary>
/// <param name="sd">The security descriptor</param>
/// <param name="token">The access token.</param>
/// <param name="access_rights">The set of access rights to check against</param>
/// <param name="principal">An optional principal SID used to replace the SELF SID in a security descriptor.</param>
/// <param name="generic_mapping">The type specific generic mapping (get from corresponding NtType entry).</param>
/// <returns>The allowed access mask as a unsigned integer.</returns>
/// <exception cref="NtException">Thrown if an error occurred in the access check.</exception>
public static AccessMask GetAllowedAccess(SecurityDescriptor sd, NtToken token,
AccessMask access_rights, Sid principal, GenericMapping generic_mapping)
{
if (sd == null)
{
throw new ArgumentNullException("sd");
}
if (token == null)
{
throw new ArgumentNullException("token");
}
if (access_rights.IsEmpty)
{
return(AccessMask.Empty);
}
using (SafeBuffer sd_buffer = sd.ToSafeBuffer())
{
using (NtToken imp_token = DuplicateForAccessCheck(token))
{
using (var privs = new SafePrivilegeSetBuffer())
{
int buffer_length = privs.Length;
using (var self_sid = principal != null ? principal.ToSafeBuffer() : SafeSidBufferHandle.Null)
{
NtSystemCalls.NtAccessCheckByType(sd_buffer, self_sid, imp_token.Handle, access_rights,
SafeHGlobalBuffer.Null, 0, ref generic_mapping, privs,
ref buffer_length, out AccessMask granted_access, out NtStatus result_status).ToNtException();
if (result_status.IsSuccess())
{
return(granted_access);
}
return(AccessMask.Empty);
}
}
}
}
}
/// <summary>
/// Create a new WNF state name.
/// </summary>
/// <param name="name_lifetime">The lifetime of the name.</param>
/// <param name="data_scope">The scope of the data.</param>
/// <param name="persist_data">Whether to persist data.</param>
/// <param name="type_id">Optional type ID.</param>
/// <param name="maximum_state_size">Maximum state size.</param>
/// <param name="security_descriptor">Mandatory security descriptor.</param>
/// <param name="throw_on_error">True to throw on error.</param>
/// <returns>The created object.</returns>
public static NtResult <NtWnf> Create(
WnfStateNameLifetime name_lifetime,
WnfDataScope data_scope,
bool persist_data,
WnfTypeId type_id,
int maximum_state_size,
SecurityDescriptor security_descriptor,
bool throw_on_error)
{
if (security_descriptor == null)
{
throw new ArgumentNullException("Must specify a security descriptor");
}
using (var sd_buffer = security_descriptor.ToSafeBuffer()) {
return(NtSystemCalls.NtCreateWnfStateName(out ulong state_name, name_lifetime,
data_scope, persist_data, type_id, maximum_state_size, sd_buffer)
.CreateResult(throw_on_error, () => new NtWnf(state_name)
{
_security_descriptor = security_descriptor
}));
}
}
/// <summary>
/// Constructor
/// </summary>
/// <param name="object_name">The object name, can be null.</param>
/// <param name="attributes">The object attribute flags.</param>
/// <param name="root">An optional root handle, can be SafeKernelObjectHandle.Null. Will duplicate the handle.</param>
/// <param name="sqos">An optional security quality of service.</param>
/// <param name="security_descriptor">An optional security descriptor.</param>
public ObjectAttributes(string object_name, AttributeFlags attributes, SafeKernelObjectHandle root,
SecurityQualityOfService sqos, SecurityDescriptor security_descriptor)
{
Length = Marshal.SizeOf(this);
if (object_name != null)
{
ObjectName = new UnicodeString(object_name).ToBuffer();
}
else
{
ObjectName = SafeHGlobalBuffer.Null;
}
Attributes = attributes;
if (sqos != null)
{
SecurityQualityOfService = sqos.ToBuffer();
}
else
{
SecurityQualityOfService = SafeHGlobalBuffer.Null;
}
RootDirectory = !root.IsInvalid ? NtObject.DuplicateHandle(root) : SafeKernelObjectHandle.Null;
if (security_descriptor != null)
{
SecurityDescriptor = security_descriptor.ToSafeBuffer();
}
else
{
SecurityDescriptor = SafeHGlobalBuffer.Null;
}
}