Exemplo n.º 1
0
            /// <summary>Extracts the user account SID associated with a security token.</summary>
            /// <param name="hToken">The security token handle.</param>
            /// <returns>A <see cref="SafePSID"/> instance of the user account SID associated with a security token.</returns>
            public static SafePSID FromToken(HTOKEN hToken)
            {
                var hTok = new SafeHTOKEN((IntPtr)hToken, false);

                using var pUserToken = hTok.GetInfo(TOKEN_INFORMATION_CLASS.TokenUser);
                return(new SafePSID(pUserToken.ToStructure <TOKEN_USER>().User.Sid));
            }
Exemplo n.º 2
0
        /****************************************************************************++
         *
         * Description :
         *
         * This function creates a well known sid using User domain. CreateWellKnownSid requires
         * domain sid to be provided to generate such sids. This function first gets the domain sid
         * out of the user information in the token and then generate a well known sid.
         *
         * Arguments:
         *
         * hToken - [supplies] The token for which sid has to be generated
         * sidType - [supplies] The type of well known sid
         * pSid - [receives] The newly create sid
         * pdwSidSize - [Supplies/Receives] The size of the memory allocated for ppSid
         *
         * Returns:
         *
         * Errors returned by GetTokenInformation
         * Errors returned by CreateWellKnownSid
         * E_OUTOFMEMORY In case there is not enough memory
         * Errors returned by GetWindowsAccountDomainSid
         * --***************************************************************************/
        static SafePSID CreateWellKnownSidForAccount(HTOKEN hToken, WELL_KNOWN_SID_TYPE sidType)
        {
            var hTok = new SafeHTOKEN((IntPtr)hToken, false);

            using var pUserToken = hTok.GetInfo(TOKEN_INFORMATION_CLASS.TokenUser);

            //
            // Now get the domain sid from the TokenUser
            //
            Win32Error.ThrowLastErrorIfFalse(GetWindowsAccountDomainSid(pUserToken.ToStructure <TOKEN_USER>().User.Sid, out var pDomainSid));

            return(SafePSID.CreateWellKnown(sidType, pDomainSid));
        }
Exemplo n.º 3
0
 public static IEnumerable <LUID_AND_ATTRIBUTES> GetPrivileges(this SafeHTOKEN hObj) =>
 hObj.GetInfo <PTOKEN_PRIVILEGES>(TOKEN_INFORMATION_CLASS.TokenPrivileges).Privileges;
Exemplo n.º 4
0
 /// <summary>Extracts the user account SID associated with a security token.</summary>
 /// <param name="hToken">The security token handle.</param>
 /// <returns>A <see cref="SafePSID"/> instance of the user account SID associated with a security token.</returns>
 public static SafePSID FromToken(HTOKEN hToken)
 {
     using var hTok = new SafeHTOKEN((IntPtr)hToken, false);
     return(hTok.GetInfo <TOKEN_USER>(TOKEN_INFORMATION_CLASS.TokenUser).User.Sid);
 }
Exemplo n.º 5
0
        /****************************************************************************++
         *
         * Routine Description:
         *
         * Verifies whether specified well-known SID is in the current user token
         *
         * Arguments:
         *
         * sid - one of the WELL_KNOWN_SID_TYPE consts
         * hToken - Optional the token for which we want to test membership
         * pfMember - [Receives] TRUE if specified sid is a member of the user token, false otherwise
         *
         * Notes:
         *
         * -
         *
         * Return Value:
         *
         * Errors returned by CreateWellKnownSid
         * Errors returned by CheckTokenMembership
         * --*****************************************************************************/
        static HRESULT IsMemberOf(WELL_KNOWN_SID_TYPE sid, HTOKEN hToken, out bool pfMember)
        {
            pfMember = false;

            try
            {
                var hTok = new SafeHTOKEN((IntPtr)hToken, false);
                using var pUserToken = hTok.GetInfo(TOKEN_INFORMATION_CLASS.TokenUser);

                SafePSID pSID = null;
                try
                {
                    //
                    // create SID for the authenticated users
                    //
                    pSID = SafePSID.CreateWellKnown(sid);
                }
                catch
                {
                    //
                    // In case of invalid-arg we might need to provide the domain, so create well known sid for domain
                    //
                    pSID = CreateWellKnownSidForAccount(hToken, sid);
                }

                //
                // check whether token has this sid
                //
                if (!CheckTokenMembership(hToken, pSID, out pfMember))
                {
                    var hr = Win32Error.GetLastError().ToHRESULT();

                    // just to be on the safe side (as we don't know that CheckTokenMembership
                    // does not modify fAuthenticated in case of error)
                    pfMember = false;
                    if (hr == HRESULT.E_ACCESSDENIED && hToken.IsNull)
                    {
                        // unable to query the thread token. Open as self and try again
                        using var ttok = SafeHTOKEN.FromThread(GetCurrentThread(), TokenAccess.TOKEN_QUERY);
                        {
                            if (CheckTokenMembership(ttok, pSID, out pfMember))
                            {
                                return(HRESULT.S_OK);
                            }
                            else
                            {
                                // stick with the original error code, but ensure that fMember is correct
                                pfMember = false;
                            }
                        }
                    }
                }

                return(HRESULT.S_OK);
            }
            catch (Exception ex)
            {
                var hr = HRESULT.FromException(ex);
                if (hr == (HRESULT)Win32Error.ERROR_NON_ACCOUNT_SID)
                {
                    return(HRESULT.S_OK);
                }
                return(hr);
            }
        }