Пример #1
 /// <summary>
 /// P/Invoke declaration for the Win32 <c>SetUserObjectSecurity</c> function, which applies the requested
 /// components of a security descriptor to a user object such as a window station or desktop.
 /// </summary>
 /// <param name="hObj">Handle to the user object whose security information is being replaced.</param>
 /// <param name="pSIRequested">Selects which components of the descriptor are applied (for example the DACL).</param>
 /// <param name="pSID">Security descriptor that carries the new security information.</param>
 /// <returns><c>true</c> if the call succeeded; <c>false</c> otherwise.</returns>
 // NOTE(review): the native prototype takes PSECURITY_INFORMATION (a pointer), and the matching
 // GetUserObjectSecurity declaration passes this argument with `ref`; here it is passed by value.
 // Confirm the marshalling, and confirm how Winnt._SECURITY_DESCRIPTOR (class or struct) is marshalled.
 // NOTE(review): the [DllImport] attribute is not part of this excerpt; SetLastError = true is needed
 // if callers read the Win32 error code after a failure.
 public static extern bool SetUserObjectSecurity(IntPtr hObj, Winnt.SECURITY_INFORMATION pSIRequested, Winnt._SECURITY_DESCRIPTOR pSID);
Пример #2
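        /// <summary>
        /// Rewrites the DACL of the calling process's window station so that the user SID read from
        /// <paramref name="hToken"/> holds <c>WINSTA_ALL_ACCESS | READ_CONTROL</c> on it.
        /// </summary>
        /// <remarks>
        /// Steps: read the current DACL with <c>GetUserObjectSecurity</c>, merge one explicit entry into it
        /// with <c>SetEntriesInAclW</c>, wrap the result in a fresh security descriptor and apply it with
        /// <c>SetUserObjectSecurity</c>. Every failure is reported through <c>Misc.GetWin32Error</c> and the
        /// method returns without throwing, so callers cannot tell success from failure.
        /// Security-relevant side effect: the entry is never removed here, so the window station keeps the
        /// widened DACL after this method returns. Anything auditing window-station permissions will see
        /// the extra full-access entry for that SID.
        /// </remarks>
        /// <param name="hToken">Token handle whose user SID becomes the trustee of the new entry.</param>
        internal void UpdateSecurityDacl(IntPtr hToken)
        {
            TokenInformation tokenInformation = new TokenInformation(hToken);

            // Presumably fills tokenInformation.tokenUser, which is read below; any result of this call is ignored.
            // NOTE(review): if GetTokenUser can fail, the SID used for the trustee may be invalid - confirm.
            tokenInformation.GetTokenUser();

            #region Windows Station
            // The handle returned by GetProcessWindowStation is not owned by the caller and must not be closed.
            IntPtr hWindowStation = user32.GetProcessWindowStation();
            if (IntPtr.Zero == hWindowStation)
            {
                Misc.GetWin32Error("GetProcessWindowStation");
                return;
            }

            Winnt.SECURITY_INFORMATION pSIRequested = Winnt.SECURITY_INFORMATION.DACL_SECURITY_INFORMATION;
            uint nLength = 0;

            // Sizing call: with a null buffer the call is expected to fail and report the required size in nLength.
            user32.GetUserObjectSecurity(hWindowStation, ref pSIRequested, IntPtr.Zero, nLength, ref nLength);
            if (0 == nLength)
            {
                // No size was reported, so there is nothing to allocate or read.
                Misc.GetWin32Error("GetUserObjectSecurity");
                return;
            }

            IntPtr pSID = Marshal.AllocHGlobal((int)nLength);
            try
            {
                if (!user32.GetUserObjectSecurity(hWindowStation, ref pSIRequested, pSID, nLength, ref nLength))
                {
                    Misc.GetWin32Error("GetUserObjectSecurity");
                    return;
                }

                bool       bDaclPresent   = false;
                Winnt._ACL oldACL         = new Winnt._ACL();
                bool       bDaclDefaulted = false;
                if (!advapi32.GetSecurityDescriptorDacl(pSID, ref bDaclPresent, ref oldACL, ref bDaclDefaulted))
                {
                    Misc.GetWin32Error("GetSecurityDescriptorDacl");
                    return;
                }

                if (!bDaclPresent)
                {
                    Console.WriteLine("[-] DACL not present, attempt a different method");
                    return;
                }

                // Trustee identified by SID: the user of the supplied token.
                Accctrl.TRUSTEE_W trustee = new Accctrl.TRUSTEE_W()
                {
                    pMultipleTrustee         = IntPtr.Zero,
                    MultipleTrusteeOperation = Accctrl.MULTIPLE_TRUSTEE_OPERATION.NO_MULTIPLE_TRUSTEE,
                    TrusteeForm = Accctrl.TRUSTEE_FORM.TRUSTEE_IS_SID,
                    TrusteeType = Accctrl.TRUSTEE_TYPE.TRUSTEE_IS_USER,
                    ptstrName   = tokenInformation.tokenUser.User.Sid
                };

                // One non-inherited entry giving that trustee full window-station access.
                Accctrl._EXPLICIT_ACCESS_W explicitAccess = new Accctrl._EXPLICIT_ACCESS_W()
                {
                    grfAccessMode        = Accctrl._ACCESS_MODE.SET_ACCESS,
                    grfAccessPermissions = Winuser.WindowStationSecurity.WINSTA_ALL_ACCESS | Winuser.WindowStationSecurity.READ_CONTROL,
                    grfInheritance       = Accctrl.Inheritance.NO_INHERITANCE,
                    Trustee = trustee
                };

                // NOTE(review): native SetEntriesInAclW reports failure through its return value and hands
                // back a newly allocated ACL that the caller releases with LocalFree. Whether
                // Misc.GetWin32Error reports retVal, and whether the struct-typed declaration exposes a
                // pointer to release, is not visible here - confirm against the P/Invoke declarations.
                Winnt._ACL newACL = new Winnt._ACL();
                uint       retVal = advapi32.SetEntriesInAclW(1, ref explicitAccess, oldACL, ref newACL);
                if (0 != retVal)
                {
                    Misc.GetWin32Error("SetEntriesInAclW");
                    return;
                }

                // Second argument 1 is the security descriptor revision passed to InitializeSecurityDescriptor.
                Winnt._SECURITY_DESCRIPTOR securityDescriptor = new Winnt._SECURITY_DESCRIPTOR();
                if (!advapi32.InitializeSecurityDescriptor(securityDescriptor, 1))
                {
                    Misc.GetWin32Error("InitializeSecurityDescriptor");
                    return;
                }

                if (!advapi32.SetSecurityDescriptorDacl(ref securityDescriptor, true, ref newACL, false))
                {
                    Misc.GetWin32Error("SetSecurityDescriptorDacl");
                    return;
                }

                // pSIRequested is still DACL_SECURITY_INFORMATION, so only the DACL is replaced.
                if (!user32.SetUserObjectSecurity(hWindowStation, pSIRequested, securityDescriptor))
                {
                    Misc.GetWin32Error("SetUserObjectSecurity");
                    return;
                }
            }
            finally
            {
                // The descriptor buffer was leaked on every path before; release it once all reads
                // that may point into it (the old DACL) are finished.
                Marshal.FreeHGlobal(pSID);
            }
            #endregion
        }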
Пример #3
 /// <summary>
 /// P/Invoke declaration for the Win32 <c>GetUserObjectSecurity</c> function, which copies the requested
 /// security information of a user object (window station, desktop) into a caller-supplied buffer.
 /// </summary>
 /// <param name="hObj">Handle to the user object being queried.</param>
 /// <param name="pSIRequested">Selects which security information is returned (for example the DACL).</param>
 /// <param name="pSID">Buffer that receives the security descriptor; may be <see cref="IntPtr.Zero"/> for a sizing call.</param>
 /// <param name="nLength">Size of the buffer at <paramref name="pSID"/>, in bytes.</param>
 /// <param name="lpnLengthNeeded">Receives the number of bytes required to hold the descriptor.</param>
 /// <returns><c>true</c> if the descriptor was written; <c>false</c> otherwise, including when the buffer is too small.</returns>
 // Usual calling pattern: call once with a zero-length buffer to learn the required size, allocate,
 // call again, and free the buffer when the descriptor is no longer needed.
 // NOTE(review): the [DllImport] attribute is not part of this excerpt; SetLastError = true is needed
 // if callers read the Win32 error code after a failure.
 public static extern bool GetUserObjectSecurity(IntPtr hObj, ref Winnt.SECURITY_INFORMATION pSIRequested, IntPtr pSID, uint nLength, ref uint lpnLengthNeeded);