/// <summary>
/// Runs an access check for a token against a security descriptor and reports the access that is granted.
/// </summary>
/// <param name="sd">The security descriptor to check against.</param>
/// <param name="token">The access token. An identification-level duplicate of it is passed to the check.</param>
/// <param name="access_rights">The set of access rights to check for.</param>
/// <param name="generic_mapping">The type specific generic mapping (get from the corresponding NtType entry).</param>
/// <returns>The granted access mask as an unsigned integer, or 0 when the check's result status is not a success.</returns>
/// <exception cref="ArgumentNullException">Thrown if <paramref name="sd"/> or <paramref name="token"/> is null.</exception>
/// <exception cref="NtException">Thrown if an error occurred in the access check.</exception>
public static uint GetAllowedAccess(SecurityDescriptor sd, NtToken token,
    GenericAccessRights access_rights, GenericMapping generic_mapping)
{
    if (sd == null)
    {
        throw new ArgumentNullException("sd");
    }

    if (token == null)
    {
        throw new ArgumentNullException("token");
    }

    // Disposal order matches the nesting: privilege set, then the duplicated token, then the descriptor buffer.
    using (var descriptor = sd.ToSafeBuffer())
    using (NtToken check_token = token.DuplicateToken(SecurityImpersonationLevel.Identification))
    using (var privilege_set = new SafePrivilegeSetBuffer())
    {
        int privilege_set_length = privilege_set.Length;
        uint granted;
        NtStatus check_status;

        // The call's own status goes through ToNtException(); the verdict of the
        // check comes back separately in check_status.
        NtSystemCalls.NtAccessCheck(descriptor, check_token.Handle, (uint)access_rights,
            ref generic_mapping, privilege_set, ref privilege_set_length,
            out granted, out check_status).ToNtException();

        if (!check_status.IsSuccess())
        {
            // A failed check is reported as "no access", not as an exception.
            return 0;
        }

        return granted;
    }
}
/// <summary>
/// Applies a security descriptor to this object.
/// </summary>
/// <param name="security_desc">The security descriptor to set. It is dereferenced without a null check.</param>
/// <param name="security_information">Selects which parts of the security descriptor are set.</param>
/// <param name="throw_on_error">True to throw on error.</param>
/// <returns>The NT status code.</returns>
public NtStatus SetSecurityDescriptor(SecurityDescriptor security_desc,
    SecurityInformation security_information, bool throw_on_error)
{
    NtStatus status;

    using (var sd_buffer = security_desc.ToSafeBuffer(true))
    {
        // The buffer is only needed for the duration of the call and is released right after it.
        status = NtSecurity.SetSecurityDescriptor(Handle, sd_buffer, security_information, throw_on_error);
    }

    return status;
}
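/// <summary>
/// Constructor
/// </summary>
/// <param name="object_name">The object name, can be null.</param>
/// <param name="attributes">The object attribute flags.</param>
/// <param name="root">An optional root handle, can be SafeKernelObjectHandle.Null. Will duplicate the handle.</param>
/// <param name="sqos">An optional security quality of service.</param>
/// <param name="security_descriptor">An optional security descriptor.</param>
/// <exception cref="ArgumentNullException">Thrown if <paramref name="root"/> is a null reference.</exception>
public ObjectAttributes(string object_name, AttributeFlags attributes, SafeKernelObjectHandle root,
    SecurityQualityOfService sqos, SecurityDescriptor security_descriptor)
{
    // root is dereferenced further down. Reject a null reference here, before any
    // buffer has been allocated, instead of failing half-way through construction
    // with a NullReferenceException.
    if (root == null)
    {
        throw new ArgumentNullException(nameof(root), "Use SafeKernelObjectHandle.Null for a null handle");
    }

    Length = Marshal.SizeOf(this);

    if (object_name != null)
    {
        ObjectName = new UnicodeString(object_name).ToBuffer();
    }
    else
    {
        ObjectName = SafeHGlobalBuffer.Null;
    }

    Attributes = attributes;

    if (sqos != null)
    {
        SecurityQualityOfService = sqos.ToBuffer();
    }
    else
    {
        SecurityQualityOfService = SafeHGlobalBuffer.Null;
    }

    // An invalid root means "no root directory"; a valid one is duplicated so this
    // instance holds its own handle rather than the caller's.
    RootDirectory = !root.IsInvalid ? NtObject.DuplicateHandle(root) : SafeKernelObjectHandle.Null;

    if (security_descriptor != null)
    {
        SecurityDescriptor = security_descriptor.ToSafeBuffer();
    }
    else
    {
        SecurityDescriptor = SafeHGlobalBuffer.Null;
    }
}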
/// <summary>
/// Builds the object attributes from an already allocated name buffer.
/// If any step fails the instance is disposed before the exception is rethrown.
/// </summary>
/// <param name="object_name">The buffer holding the object name; it is stored as-is.</param>
/// <param name="attributes">The object attribute flags.</param>
/// <param name="root">The root handle; must not be a null reference. A valid handle is duplicated.</param>
/// <param name="sqos">An optional security quality of service.</param>
/// <param name="security_descriptor">An optional security descriptor.</param>
private ObjectAttributes(SafeBuffer object_name, AttributeFlags attributes, SafeKernelObjectHandle root,
    SecurityQualityOfService sqos, SecurityDescriptor security_descriptor)
{
    try
    {
        if (root == null)
        {
            throw new ArgumentNullException(nameof(root), "Use SafeKernelObjectHandle.Null for a null handle");
        }

        Length = Marshal.SizeOf(this);
        ObjectName = object_name;
        Attributes = attributes;

        if (sqos == null)
        {
            SecurityQualityOfService = SafeHGlobalBuffer.Null;
        }
        else
        {
            SecurityQualityOfService = sqos.ToBuffer();
        }

        if (root.IsInvalid)
        {
            RootDirectory = SafeKernelObjectHandle.Null;
        }
        else
        {
            // Hold a private duplicate instead of the caller's handle.
            RootDirectory = NtObject.DuplicateHandle(root);
        }

        if (security_descriptor == null)
        {
            SecurityDescriptor = SafeHGlobalBuffer.Null;
        }
        else
        {
            SecurityDescriptor = security_descriptor.ToSafeBuffer();
        }
    }
    catch
    {
        // Dispose whatever was set up before the failure, then let the original exception propagate.
        Dispose();
        throw;
    }
}
/// <summary>
/// Converts a security descriptor to a buffer and registers that buffer with a disposable list.
/// </summary>
/// <param name="list">The list the new buffer is added to through AddResource.</param>
/// <param name="sd">The security descriptor, can be null.</param>
/// <returns>The buffer added to the list, or SafeHGlobalBuffer.Null when <paramref name="sd"/> is null.</returns>
internal static SafeBuffer AddSecurityDescriptor(this DisposableList list, SecurityDescriptor sd)
{
    if (sd != null)
    {
        return list.AddResource(sd.ToSafeBuffer());
    }

    // Nothing is added to the list for a null descriptor.
    return SafeHGlobalBuffer.Null;
}
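/// <summary>
/// Constructor. Builds a new security descriptor with RtlNewSecurityObject from the base object's
/// security descriptor and, when a token is given, a creator descriptor made from the token's
/// owner, primary group and default DACL.
/// </summary>
/// <param name="base_object">Base object for security descriptor. Required: its NtType supplies the generic mapping.</param>
/// <param name="token">Token for determining user rights, can be null.</param>
/// <param name="is_directory">True if a directory security descriptor</param>
/// <exception cref="ArgumentNullException">Thrown if <paramref name="base_object"/> is null.</exception>
/// <exception cref="NtException">Thrown if the new security object could not be created.</exception>
public SecurityDescriptor(NtObject base_object, NtToken token, bool is_directory)
    : this()
{
    // The generic mapping is read from base_object.NtType below, so a null base object
    // can never work, with or without a token. Fail with a clear argument error instead
    // of a NullReferenceException further down.
    if (base_object == null)
    {
        throw new ArgumentNullException(nameof(base_object),
            "A base object is required to obtain the generic mapping");
    }

    SecurityDescriptor parent_sd = base_object.SecurityDescriptor;

    SecurityDescriptor creator_sd = null;
    if (token != null)
    {
        creator_sd = new SecurityDescriptor
        {
            Owner = new SecurityDescriptorSid(token.Owner, false),
            Group = new SecurityDescriptorSid(token.PrimaryGroup, false),
            Dacl = token.DefaultDacl
        };
    }

    NtType type = base_object.NtType;

    SafeBuffer parent_sd_buffer = SafeHGlobalBuffer.Null;
    SafeBuffer creator_sd_buffer = SafeHGlobalBuffer.Null;
    SafeSecurityObjectBuffer security_obj = null;
    try
    {
        if (parent_sd != null)
        {
            parent_sd_buffer = parent_sd.ToSafeBuffer();
        }

        if (creator_sd != null)
        {
            creator_sd_buffer = creator_sd.ToSafeBuffer();
        }

        GenericMapping mapping = type.GenericMapping;
        NtRtl.RtlNewSecurityObject(parent_sd_buffer, creator_sd_buffer, out security_obj, is_directory,
            token != null ? token.Handle : SafeKernelObjectHandle.Null, ref mapping).ToNtException();
        ParseSecurityDescriptor(security_obj);
    }
    finally
    {
        // Release every buffer on both the success and the failure path.
        parent_sd_buffer?.Close();
        creator_sd_buffer?.Close();
        security_obj?.Close();
    }
}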
/// <summary>
/// Runs an access check for a token against a security descriptor and reports the access that is granted.
/// </summary>
/// <param name="sd">The security descriptor to check against.</param>
/// <param name="token">The access token. A duplicate made by DuplicateForAccessCheck is passed to the check.</param>
/// <param name="access_rights">The set of access rights to check for.</param>
/// <param name="principal">An optional principal SID used to replace the SELF SID in a security descriptor.</param>
/// <param name="generic_mapping">The type specific generic mapping (get from the corresponding NtType entry).</param>
/// <returns>
/// The granted access mask. AccessMask.Empty is returned both when <paramref name="access_rights"/> is empty
/// and when the check's result status is not a success.
/// </returns>
/// <exception cref="ArgumentNullException">Thrown if <paramref name="sd"/> or <paramref name="token"/> is null.</exception>
/// <exception cref="NtException">Thrown if an error occurred in the access check.</exception>
public static AccessMask GetAllowedAccess(SecurityDescriptor sd, NtToken token,
    AccessMask access_rights, Sid principal, GenericMapping generic_mapping)
{
    if (sd == null)
    {
        throw new ArgumentNullException(nameof(sd));
    }

    if (token == null)
    {
        throw new ArgumentNullException(nameof(token));
    }

    // Nothing requested: answer without duplicating the token or making the call.
    if (access_rights.IsEmpty)
    {
        return AccessMask.Empty;
    }

    using (SafeBuffer descriptor = sd.ToSafeBuffer())
    using (NtToken check_token = DuplicateForAccessCheck(token))
    using (var privilege_set = new SafePrivilegeSetBuffer())
    {
        int privilege_set_length = privilege_set.Length;

        using (var self_sid = principal != null ? principal.ToSafeBuffer() : SafeSidBufferHandle.Null)
        {
            // The call's own status goes through ToNtException(); the verdict of the
            // check comes back separately in check_status.
            NtSystemCalls.NtAccessCheckByType(descriptor, self_sid, check_token.Handle, access_rights,
                SafeHGlobalBuffer.Null, 0, ref generic_mapping, privilege_set, ref privilege_set_length,
                out AccessMask granted, out NtStatus check_status).ToNtException();

            if (!check_status.IsSuccess())
            {
                // A failed check is reported as "no access", not as an exception.
                return AccessMask.Empty;
            }

            return granted;
        }
    }
}
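/// <summary>
/// Create a new WNF state name.
/// </summary>
/// <param name="name_lifetime">The lifetime of the name.</param>
/// <param name="data_scope">The scope of the data.</param>
/// <param name="persist_data">Whether to persist data.</param>
/// <param name="type_id">Optional type ID.</param>
/// <param name="maximum_state_size">Maximum state size.</param>
/// <param name="security_descriptor">Mandatory security descriptor.</param>
/// <param name="throw_on_error">True to throw on error.</param>
/// <returns>The created object.</returns>
/// <exception cref="ArgumentNullException">
/// Thrown if <paramref name="security_descriptor"/> is null, regardless of <paramref name="throw_on_error"/>.
/// </exception>
public static NtResult<NtWnf> Create(
    WnfStateNameLifetime name_lifetime,
    WnfDataScope data_scope,
    bool persist_data,
    WnfTypeId type_id,
    int maximum_state_size,
    SecurityDescriptor security_descriptor,
    bool throw_on_error)
{
    if (security_descriptor == null)
    {
        // The single-string ArgumentNullException constructor takes the parameter name,
        // so the message has to go in the second argument to be reported as a message.
        throw new ArgumentNullException(nameof(security_descriptor), "Must specify a security descriptor");
    }

    using (var sd_buffer = security_descriptor.ToSafeBuffer())
    {
        // The created NtWnf keeps a reference to the descriptor it was created with.
        return NtSystemCalls.NtCreateWnfStateName(out ulong state_name, name_lifetime,
            data_scope, persist_data, type_id, maximum_state_size, sd_buffer)
            .CreateResult(throw_on_error, () => new NtWnf(state_name) { _security_descriptor = security_descriptor });
    }
}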