/// <summary>
        /// Convert an enumerable access rights to a string
        /// </summary>
        /// <param name="granted_access">The granted access mask.</param>
        /// <param name="generic_mapping">Generic mapping for object type.</param>
        /// <param name="enum_type">Enum type to convert to string.</param>
        /// <param name="map_to_generic">True to try and convert to generic rights where possible.</param>
        /// <returns>The string format of the access rights</returns>
        public static string GrantedAccessAsString(AccessMask granted_access, GenericMapping generic_mapping, Type enum_type, bool map_to_generic)
        {
            if (granted_access == 0)
            {
                return("None");
            }

            AccessMask mapped_access = generic_mapping.MapMask(granted_access);

            if (map_to_generic)
            {
                mapped_access = generic_mapping.UnmapMask(mapped_access);
            }
            else if (generic_mapping.HasAll(granted_access))
            {
                return("Full Access");
            }

            return(AccessRightsToString(enum_type, mapped_access));
        }
 /// <summary>
 /// Checks if an access mask represents a execute permission on this type
 /// </summary>
 /// <param name="access_mask">The access mask to check</param>
 /// <returns>True if it has execute permissions</returns>
 public bool HasExecutePermission(AccessMask access_mask)
 {
     return(GenericMapping.HasExecute(access_mask));
 }
 /// <summary>
 /// Checks if an access mask represents a read permission on this type
 /// </summary>
 /// <param name="access_mask">The access mask to check</param>
 /// <returns>True if it has read permissions</returns>
 public bool HasReadPermission(AccessMask access_mask)
 {
     return(GenericMapping.HasRead(access_mask));
 }
Пример #4
0
 /// <summary>
 /// Do an access check between a security descriptor and a token to determine the maximum allowed access.
 /// </summary>
 /// <param name="sd">The security descriptor</param>
 /// <param name="token">The access token.</param>
 /// <param name="principal">An optional principal SID used to replace the SELF SID in a security descriptor.</param>
 /// <param name="generic_mapping">The type specific generic mapping (get from corresponding NtType entry).</param>
 /// <returns>The maximum allowed access mask as a unsigned integer.</returns>
 /// <exception cref="NtException">Thrown if an error occurred in the access check.</exception>
 public static AccessMask GetMaximumAccess(SecurityDescriptor sd, NtToken token, Sid principal, GenericMapping generic_mapping)
 {
     return(GetAllowedAccess(sd, token, GenericAccessRights.MaximumAllowed, principal, generic_mapping));
 }
Пример #5
0
 /// <summary>
 /// Do an access check between a security descriptor and a token to determine the allowed access.
 /// </summary>
 /// <param name="sd">The security descriptor</param>
 /// <param name="token">The access token.</param>
 /// <param name="access_rights">The set of access rights to check against</param>
 /// <param name="generic_mapping">The type specific generic mapping (get from corresponding NtType entry).</param>
 /// <returns>The allowed access mask as a unsigned integer.</returns>
 /// <exception cref="NtException">Thrown if an error occurred in the access check.</exception>
 public static AccessMask GetAllowedAccess(SecurityDescriptor sd, NtToken token,
                                           AccessMask access_rights, GenericMapping generic_mapping)
 {
     return(GetAllowedAccess
                (sd, token, access_rights, null, generic_mapping));
 }
 /// <summary>
 /// Checks if a access mask represents a full permission on this type
 /// </summary>
 /// <param name="access_mask">The access mask to check</param>
 /// <returns>True if it has full permissions</returns>
 public bool HasFullPermission(uint access_mask)
 {
     access_mask = GenericMapping.MapMask(access_mask);
     return((access_mask & GenericMapping.GenericAll) == GenericMapping.GenericAll);
 }
 public static extern void RtlMapGenericMask(ref AccessMask AccessMask, ref GenericMapping mapping);
 /// <summary>
 /// Checks if an access mask is valid for access of this object type.
 /// </summary>
 /// <param name="access_mask">The access mask to check</param>
 /// <returns>True if it valid access</returns>
 public bool IsValidAccess(AccessMask access_mask)
 {
     return((GenericMapping.MapMask(access_mask) & ~ValidAccess).IsEmpty);
 }
Пример #9
0
        /// <summary>
        /// Constructor
        /// </summary>
        /// <param name="base_object">Base object for security descriptor</param>
        /// <param name="token">Token for determining user rights</param>
        /// <param name="is_directory">True if a directory security descriptor</param>
        public SecurityDescriptor(NtObject base_object, NtToken token, bool is_directory) : this()
        {
            if ((base_object == null) && (token == null))
            {
                throw new ArgumentNullException();
            }

            SecurityDescriptor parent_sd = null;

            if (base_object != null)
            {
                parent_sd = base_object.SecurityDescriptor;
            }

            SecurityDescriptor creator_sd = null;

            if (token != null)
            {
                creator_sd       = new SecurityDescriptor();
                creator_sd.Owner = new SecurityDescriptorSid(token.Owner, false);
                creator_sd.Group = new SecurityDescriptorSid(token.PrimaryGroup, false);
                creator_sd.Dacl  = token.DefaultDalc;
            }

            NtType type = NtType.GetTypeByName(base_object.NtTypeName);

            SafeBuffer parent_sd_buffer           = SafeHGlobalBuffer.Null;
            SafeBuffer creator_sd_buffer          = SafeHGlobalBuffer.Null;
            SafeSecurityObjectHandle security_obj = null;

            try
            {
                if (parent_sd != null)
                {
                    parent_sd_buffer = parent_sd.ToSafeBuffer();
                }
                if (creator_sd != null)
                {
                    creator_sd_buffer = creator_sd.ToSafeBuffer();
                }

                GenericMapping mapping = type.GenericMapping;
                NtRtl.RtlNewSecurityObject(parent_sd_buffer, creator_sd_buffer, out security_obj, is_directory,
                                           token != null ? token.Handle : SafeKernelObjectHandle.Null, ref mapping).ToNtException();
                ParseSecurityDescriptor(security_obj);
            }
            finally
            {
                if (parent_sd_buffer != null)
                {
                    parent_sd_buffer.Close();
                }
                if (creator_sd_buffer != null)
                {
                    creator_sd_buffer.Close();
                }
                if (security_obj != null)
                {
                    security_obj.Close();
                }
            }
        }
Пример #10
0
 /// <summary>
 /// Do an access check between a security descriptor and a token to determine the maximum allowed access.
 /// </summary>
 /// <param name="sd">The security descriptor</param>
 /// <param name="token">The access token.</param>
 /// <param name="generic_mapping">The type specific generic mapping (get from corresponding NtType entry).</param>
 /// <returns>The maximum allowed access mask as a unsigned integer.</returns>
 /// <exception cref="NtException">Thrown if an error occurred in the access check.</exception>
 public static uint GetMaximumAccess(SecurityDescriptor sd, NtToken token, GenericMapping generic_mapping)
 {
     return(GetAllowedAccess(sd, token, GenericAccessRights.MaximumAllowed, generic_mapping));
 }
Пример #11
0
        /// <summary>
        /// Do an access check between a security descriptor and a token to determine the allowed access.
        /// </summary>
        /// <param name="sd">The security descriptor</param>
        /// <param name="token">The access token.</param>
        /// <param name="access_rights">The set of access rights to check against</param>
        /// <param name="generic_mapping">The type specific generic mapping (get from corresponding NtType entry).</param>
        /// <returns>The allowed access mask as a unsigned integer.</returns>
        /// <exception cref="NtException">Thrown if an error occurred in the access check.</exception>
        public static uint GetAllowedAccess(SecurityDescriptor sd, NtToken token, GenericAccessRights access_rights, GenericMapping generic_mapping)
        {
            if (sd == null)
            {
                throw new ArgumentNullException("sd");
            }

            if (token == null)
            {
                throw new ArgumentNullException("token");
            }

            using (var sd_buffer = sd.ToSafeBuffer())
            {
                using (NtToken imp_token = token.DuplicateToken(SecurityImpersonationLevel.Identification))
                {
                    uint     granted_access;
                    NtStatus result_status;
                    using (var privs = new SafePrivilegeSetBuffer())
                    {
                        int buffer_length = privs.Length;

                        NtSystemCalls.NtAccessCheck(sd_buffer, imp_token.Handle, (uint)access_rights,
                                                    ref generic_mapping, privs, ref buffer_length, out granted_access, out result_status).ToNtException();
                        if (result_status.IsSuccess())
                        {
                            return(granted_access);
                        }
                        return(0);
                    }
                }
            }
        }
Пример #12
0
 /// <summary>
 /// Map generic access rights to specific access rights for this type
 /// </summary>
 /// <param name="access_mask">The access mask to map</param>
 /// <returns>The mapped access mask</returns>
 public AccessMask MapGenericRights(AccessMask access_mask)
 {
     return GenericMapping.MapMask(access_mask);
 }
 /// <summary>
 /// Map generic access rights to specific access rights for this type
 /// </summary>
 /// <param name="access_mask">The access mask to map</param>
 /// <returns>The mapped access mask</returns>
 public uint MapGenericRights(uint access_mask)
 {
     return(GenericMapping.MapMask(access_mask));
 }
 /// <summary>
 /// Checks if an access mask represents a full permission on this type
 /// </summary>
 /// <param name="access_mask">The access mask to check</param>
 /// <returns>True if it has full permissions</returns>
 public bool HasFullPermission(AccessMask access_mask)
 {
     return(GenericMapping.HasAll(access_mask));
 }
Пример #15
0
 /// <summary>
 /// Get the maximum access mask for the type's default mandatory access policy.
 /// </summary>
 /// <returns>The allowed access mask for the type with the default policy.</returns>
 public AccessMask GetDefaultMandatoryAccess()
 {
     return(GenericMapping.GetAllowedMandatoryAccess(_type_factory.DefaultMandatoryPolicy));
 }
 /// <summary>
 /// Unmap specific access rights to generic access rights for this type
 /// </summary>
 /// <param name="access_mask">The access mask to unmap</param>
 /// <returns>The unmapped access mask</returns>
 public AccessMask UnmapGenericRights(AccessMask access_mask)
 {
     return(GenericMapping.UnmapMask(access_mask));
 }
Пример #17
0
 /// <summary>
 /// Get a fake type object. This can be used in access checking for operations which need an NtType object
 /// but there's no real NT object.
 /// </summary>
 /// <param name="name">The name of the fake type. Informational only.</param>
 /// <param name="generic_mapping">The GENERIC_MAPPING for security checking.</param>
 /// <param name="access_rights_type">The access rights enumeration type.</param>
 /// <param name="container_access_rights_type">The access rights enumeration type of the object is a container.</param>
 /// <returns>The fake NT type object.</returns>
 public static NtType GetFakeType(string name, GenericMapping generic_mapping, Type access_rights_type, Type container_access_rights_type)
 {
     return(new NtType(name, generic_mapping, access_rights_type, container_access_rights_type, MandatoryLabelPolicy.NoWriteUp));
 }
 /// <summary>
 /// Get a fake type object. This can be used in access checking for operations which need an NtType object
 /// but there's no real NT object.
 /// </summary>
 /// <param name="name">The name of the fake type. Informational only.</param>
 /// <param name="generic_mapping">The GENERIC_MAPPING for security checking.</param>
 /// <param name="access_rights_type">The access rights enumeration type.</param>
 /// <returns></returns>
 public static NtType GetFakeType(string name, GenericMapping generic_mapping, Type access_rights_type)
 {
     return(new NtType(name, generic_mapping, access_rights_type));
 }
Пример #19
0
        /// <summary>
        /// Do an access check between a security descriptor and a token to determine the allowed access.
        /// </summary>
        /// <param name="sd">The security descriptor</param>
        /// <param name="token">The access token.</param>
        /// <param name="access_rights">The set of access rights to check against</param>
        /// <param name="principal">An optional principal SID used to replace the SELF SID in a security descriptor.</param>
        /// <param name="generic_mapping">The type specific generic mapping (get from corresponding NtType entry).</param>
        /// <returns>The allowed access mask as a unsigned integer.</returns>
        /// <exception cref="NtException">Thrown if an error occurred in the access check.</exception>
        public static AccessMask GetAllowedAccess(SecurityDescriptor sd, NtToken token,
                                                  AccessMask access_rights, Sid principal, GenericMapping generic_mapping)
        {
            if (sd == null)
            {
                throw new ArgumentNullException("sd");
            }

            if (token == null)
            {
                throw new ArgumentNullException("token");
            }

            if (access_rights.IsEmpty)
            {
                return(AccessMask.Empty);
            }

            using (SafeBuffer sd_buffer = sd.ToSafeBuffer())
            {
                using (NtToken imp_token = DuplicateForAccessCheck(token))
                {
                    using (var privs = new SafePrivilegeSetBuffer())
                    {
                        int buffer_length = privs.Length;

                        using (var self_sid = principal != null ? principal.ToSafeBuffer() : SafeSidBufferHandle.Null)
                        {
                            NtSystemCalls.NtAccessCheckByType(sd_buffer, self_sid, imp_token.Handle, access_rights,
                                                              SafeHGlobalBuffer.Null, 0, ref generic_mapping, privs,
                                                              ref buffer_length, out AccessMask granted_access, out NtStatus result_status).ToNtException();
                            if (result_status.IsSuccess())
                            {
                                return(granted_access);
                            }
                            return(AccessMask.Empty);
                        }
                    }
                }
            }
        }
 public static extern NtStatus RtlNewSecurityObject(SafeBuffer ParentDescriptor,
                                                    SafeBuffer CreatorDescriptor,
                                                    out SafeSecurityObjectBuffer NewDescriptor,
                                                    bool IsDirectoryObject,
                                                    SafeKernelObjectHandle Token,
                                                    ref GenericMapping GenericMapping);
 /// <summary>
 /// Checks if a access mask represents a execute permission on this type
 /// </summary>
 /// <param name="access_mask">The access mask to check</param>
 /// <returns>True if it has execute permissions</returns>
 public bool HasExecutePermission(uint access_mask)
 {
     access_mask = GenericMapping.MapMask(access_mask);
     return((access_mask & GenericMapping.GenericExecute & ~GenericMapping.GenericRead) != 0);
 }