1 // Windows/SecurityUtils.h
2 
3 #ifndef ZIP7_INC_WINDOWS_SECURITY_UTILS_H
4 #define ZIP7_INC_WINDOWS_SECURITY_UTILS_H
5 
6 #include <NTSecAPI.h>
7 
8 #include "Defs.h"
9 
// Non-_UNICODE builds: the LSA entry points used below are not called
// directly. They are looked up by name at run time through the function
// pointer types declared here.
// NOTE(review): presumably this keeps the ANSI build loadable on systems whose
// advapi32.dll lacks these exports - confirm.
#ifndef _UNICODE

extern "C" {
typedef NTSTATUS (NTAPI *Func_LsaOpenPolicy)(PLSA_UNICODE_STRING SystemName,
    PLSA_OBJECT_ATTRIBUTES ObjectAttributes, ACCESS_MASK DesiredAccess, PLSA_HANDLE PolicyHandle);
typedef NTSTATUS (NTAPI *Func_LsaClose)(LSA_HANDLE ObjectHandle);
typedef NTSTATUS (NTAPI *Func_LsaAddAccountRights)(LSA_HANDLE PolicyHandle,
    PSID AccountSid, PLSA_UNICODE_STRING UserRights, ULONG CountOfRights );
// Status returned when the module handle or the export cannot be obtained
// (0xC0000002 is the NTSTATUS value of STATUS_NOT_IMPLEMENTED).
#define MY_STATUS_NOT_IMPLEMENTED  ((NTSTATUS)0xC0000002L)
}

// POLICY_FUNC_CALL(fff, str) expands to several statements, not an expression:
//  - it reads the enclosing object's `hModule` member;
//  - it RETURNS MY_STATUS_NOT_IMPLEMENTED from the enclosing function when
//    hModule is NULL or the export named `str` is not found;
//  - it declares a local `const NTSTATUS res` initialised by calling the
//    resolved pointer; the call's parenthesised argument list must follow the
//    macro invocation directly.
// Because of the hidden `return` and the `res` declaration it can be used only
// once per scope, inside a function returning NTSTATUS.
// Z7_GET_PROC_ADDRESS is defined outside this file (not visible here).
#define POLICY_FUNC_CALL(fff, str)  \
  if (hModule == NULL) return MY_STATUS_NOT_IMPLEMENTED; \
  const Func_ ## fff v = Z7_GET_PROC_ADDRESS(Func_ ## fff, hModule, str); \
  if (!v) return MY_STATUS_NOT_IMPLEMENTED; \
  const NTSTATUS res = v

#else

// _UNICODE builds: same usage pattern, but the LSA function is called
// directly and `res` receives its NTSTATUS.
#define POLICY_FUNC_CALL(fff, str)  \
  const NTSTATUS res = ::fff

#endif
33 
34 
35 namespace NWindows {
36 namespace NSecurity {
37 
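// Owning wrapper around a Windows access-token HANDLE.
// The handle is obtained with OpenProcessToken() and released by Close() or
// by the destructor.
class CAccessToken
{
  HANDLE _handle;

  // Non-copyable: declared private and intentionally left undefined.
  // The object owns _handle, so an implicit copy would make two destructors
  // call ::CloseHandle() on the same value; the second call could close an
  // unrelated handle that has since been given the same number.
  CAccessToken(const CAccessToken &);
  CAccessToken &operator=(const CAccessToken &);
public:
  CAccessToken(): _handle(NULL) {}
  ~CAccessToken() { Close(); }

  // Closes the token handle if one is held.
  // Returns true when nothing was open or ::CloseHandle() succeeded.
  // On failure the stored handle value is kept and false is returned.
  bool Close()
  {
    if (_handle == NULL)
      return true;
    bool res = BOOLToBool(::CloseHandle(_handle));
    if (res)
      _handle = NULL;
    return res;
  }

  // Releases any token already held, then opens the token of processHandle
  // with the requested access mask. Returns the result of
  // ::OpenProcessToken(). The result of Close() is not checked here.
  // Request only the TOKEN_* access rights the following calls need.
  bool OpenProcessToken(HANDLE processHandle, DWORD desiredAccess)
  {
    Close();
    return BOOLToBool(::OpenProcessToken(processHandle, desiredAccess, &_handle));
  }

  /*
  bool OpenThreadToken(HANDLE threadHandle, DWORD desiredAccess, bool openAsSelf)
  {
    Close();
    return BOOLToBool(::OpenThreadToken(threadHandle, desiredAccess, BoolToBOOL(openAsSelf), &_handle));
  }
  */

  // Thin wrapper over ::AdjustTokenPrivileges() on the held token.
  // A true result means only that the call itself succeeded: the API also
  // reports success when some or all of the requested privileges are not held
  // by the token. A caller that relies on a privilege being enabled must
  // check GetLastError() for ERROR_NOT_ALL_ASSIGNED immediately after the call.
  bool AdjustPrivileges(bool disableAllPrivileges, PTOKEN_PRIVILEGES newState,
      DWORD bufferLength, PTOKEN_PRIVILEGES previousState, PDWORD returnLength)
    { return BOOLToBool(::AdjustTokenPrivileges(_handle, BoolToBOOL(disableAllPrivileges),
      newState, bufferLength, previousState, returnLength)); }

  // Same call without retrieving the previous privilege state.
  // The ERROR_NOT_ALL_ASSIGNED caveat above applies.
  bool AdjustPrivileges(bool disableAllPrivileges, PTOKEN_PRIVILEGES newState)
    { return AdjustPrivileges(disableAllPrivileges, newState, 0, NULL, NULL); }

  // Applies newState without disabling all privileges.
  // The ERROR_NOT_ALL_ASSIGNED caveat above applies.
  bool AdjustPrivileges(PTOKEN_PRIVILEGES newState)
    { return AdjustPrivileges(false, newState); }

};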
80 
81 
82 
83 
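// Owning wrapper around an LSA policy handle (LSA_HANDLE).
// The handle is opened with Open() and released by Close() or by the
// destructor. The other members forward to the matching Lsa* function with
// the held handle and return its NTSTATUS unchanged.
struct CPolicy
{
private:
  // Non-copyable: declared private and intentionally left undefined.
  // The object owns _handle, so an implicit copy would lead to LsaClose()
  // being called twice on the same policy handle.
  CPolicy(const CPolicy &);
  CPolicy &operator=(const CPolicy &);
protected:
  LSA_HANDLE _handle;
  #ifndef _UNICODE
  // advapi32.dll module handle used by POLICY_FUNC_CALL to resolve exports.
  HMODULE hModule;
  #endif
public:
  // Exposes the raw handle; ownership stays with this object.
  operator LSA_HANDLE() const { return _handle; }
  CPolicy(): _handle(NULL)
  {
    #ifndef _UNICODE
    // GetModuleHandle only looks up a module that is already loaded in the
    // process. It does not load the DLL and does not add a reference.
    // hModule stays NULL if advapi32.dll is not loaded.
    hModule = GetModuleHandle(TEXT("advapi32.dll"));
    #endif
  }
  ~CPolicy() { Close(); }

  // Closes any handle already held, then opens a policy handle with
  // LsaOpenPolicy and returns its NTSTATUS. In non-_UNICODE builds
  // POLICY_FUNC_CALL returns MY_STATUS_NOT_IMPLEMENTED instead when the
  // module handle or the export is unavailable.
  // Request only the POLICY_* access rights the following calls need.
  NTSTATUS Open(PLSA_UNICODE_STRING systemName, PLSA_OBJECT_ATTRIBUTES objectAttributes,
      ACCESS_MASK desiredAccess)
  {
    Close();
    POLICY_FUNC_CALL (LsaOpenPolicy, "LsaOpenPolicy")
      (systemName, objectAttributes, desiredAccess, &_handle);
    return res;
  }

  // Releases the policy handle. Returns 0 when no handle is held; otherwise
  // the NTSTATUS of LsaClose. _handle is reset to NULL after the LsaClose
  // call whatever its status, so the call is never repeated on that handle.
  NTSTATUS Close()
  {
    if (_handle == NULL)
      return 0;
    POLICY_FUNC_CALL (LsaClose, "LsaClose")
      (_handle);
    _handle = NULL;
    return res;
  }

  // Forwards to LsaEnumerateAccountsWithUserRight. The cast adapts the typed
  // pointer to the void ** parameter. The returned buffer is allocated by LSA
  // and must be released by the caller with LsaFreeMemory.
  // Unlike Open/Close/AddAccountRights, this call is made directly in every
  // build and does not go through POLICY_FUNC_CALL.
  NTSTATUS EnumerateAccountsWithUserRight(PLSA_UNICODE_STRING userRights,
      PLSA_ENUMERATION_INFORMATION *enumerationBuffer, PULONG countReturned)
    { return LsaEnumerateAccountsWithUserRight(_handle, userRights, (void **)enumerationBuffer, countReturned); }

  // Forwards to LsaEnumerateAccountRights. The returned userRights array is
  // allocated by LSA; the caller releases it with LsaFreeMemory.
  NTSTATUS EnumerateAccountRights(PSID sid, PLSA_UNICODE_STRING* userRights, PULONG countOfRights)
    { return ::LsaEnumerateAccountRights(_handle, sid, userRights, countOfRights); }

  // Forwards to LsaLookupSids. Both output buffers are allocated by LSA; the
  // caller releases them with LsaFreeMemory.
  NTSTATUS LookupSids(ULONG count, PSID* sids,
      PLSA_REFERENCED_DOMAIN_LIST* referencedDomains, PLSA_TRANSLATED_NAME* names)
    { return LsaLookupSids(_handle, count, sids, referencedDomains, names); }

  // Grants countOfRights user rights (an array starting at userRights) to
  // accountSid through LsaAddAccountRights and returns its NTSTATUS.
  // This changes local security policy persistently, so callers should check
  // the returned status and grant only the rights that are required.
  NTSTATUS AddAccountRights(PSID accountSid, PLSA_UNICODE_STRING userRights, ULONG countOfRights)
  {
    POLICY_FUNC_CALL (LsaAddAccountRights, "LsaAddAccountRights")
      (_handle, accountSid, userRights, countOfRights);
    return res;
  }
  // Convenience overload: grants the single right pointed to by userRights.
  NTSTATUS AddAccountRights(PSID accountSid, PLSA_UNICODE_STRING userRights)
    { return AddAccountRights(accountSid, userRights, 1); }

  // Forwards to LsaRemoveAccountRights. allRights is converted to the BOOLEAN
  // the API expects.
  NTSTATUS RemoveAccountRights(PSID accountSid, bool allRights, PLSA_UNICODE_STRING userRights, ULONG countOfRights)
    { return LsaRemoveAccountRights(_handle, accountSid, (BOOLEAN)(allRights ? TRUE : FALSE), userRights, countOfRights); }
};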
143 
// Declared here, defined in another translation unit (body not visible).
// NOTE(review): judging by the name, this presumably grants the "lock pages in
// memory" user right to an account via CPolicy - confirm against the
// implementation, and confirm what a false return means for callers.
bool AddLockMemoryPrivilege();
145 
146 }}
147 
148 #endif
149