1613 lines
46 KiB
C
1613 lines
46 KiB
C
|
/*++
|
|||
|
|
|||
|
Copyright (c) 1989 Microsoft Corporation
|
|||
|
|
|||
|
Module Name:
|
|||
|
|
|||
|
Tokenqry.c
|
|||
|
|
|||
|
Abstract:
|
|||
|
|
|||
|
This module implements the QUERY function for the executive
|
|||
|
token object.
|
|||
|
|
|||
|
Author:
|
|||
|
|
|||
|
Jim Kelly (JimK) 15-June-1990
|
|||
|
|
|||
|
|
|||
|
Revision History:
|
|||
|
|
|||
|
--*/
|
|||
|
|
|||
|
#include "sep.h"
|
|||
|
#include "seopaque.h"
|
|||
|
#include "tokenp.h"
|
|||
|
|
|||
|
#ifdef ALLOC_PRAGMA
|
|||
|
#pragma alloc_text(PAGE,NtQueryInformationToken)
|
|||
|
#pragma alloc_text(PAGE,SeQueryAuthenticationIdToken)
|
|||
|
#pragma alloc_text(PAGE,SeQueryInformationToken)
|
|||
|
#endif
|
|||
|
|
|||
|
|
|||
|
NTSTATUS
|
|||
|
NtQueryInformationToken (
|
|||
|
IN HANDLE TokenHandle,
|
|||
|
IN TOKEN_INFORMATION_CLASS TokenInformationClass,
|
|||
|
OUT PVOID TokenInformation,
|
|||
|
IN ULONG TokenInformationLength,
|
|||
|
OUT PULONG ReturnLength
|
|||
|
)
|
|||
|
|
|||
|
/*++
|
|||
|
|
|||
|
|
|||
|
Routine Description:
|
|||
|
|
|||
|
Retrieve information about a specified token.
|
|||
|
|
|||
|
Arguments:
|
|||
|
|
|||
|
TokenHandle - Provides a handle to the token to operate on.
|
|||
|
|
|||
|
TokenInformationClass - The token information class about which
|
|||
|
to retrieve information.
|
|||
|
|
|||
|
TokenInformation - The buffer to receive the requested class of
|
|||
|
information. The buffer must be aligned on at least a
|
|||
|
longword boundary. The actual structures returned are
|
|||
|
dependent upon the information class requested, as defined in
|
|||
|
the TokenInformationClass parameter description.
|
|||
|
|
|||
|
TokenInformation Format By Information Class:
|
|||
|
|
|||
|
TokenUser => TOKEN_USER data structure. TOKEN_QUERY
|
|||
|
access is needed to retrieve this information about a
|
|||
|
token.
|
|||
|
|
|||
|
TokenGroups => TOKEN_GROUPS data structure. TOKEN_QUERY
|
|||
|
access is needed to retrieve this information about a
|
|||
|
token.
|
|||
|
|
|||
|
TokenPrivileges => TOKEN_PRIVILEGES data structure.
|
|||
|
TOKEN_QUERY access is needed to retrieve this information
|
|||
|
about a token.
|
|||
|
|
|||
|
TokenOwner => TOKEN_OWNER data structure. TOKEN_QUERY
|
|||
|
access is needed to retrieve this information about a
|
|||
|
token.
|
|||
|
|
|||
|
TokenPrimaryGroup => TOKEN_PRIMARY_GROUP data structure.
|
|||
|
TOKEN_QUERY access is needed to retrieve this information
|
|||
|
about a token.
|
|||
|
|
|||
|
TokenDefaultDacl => TOKEN_DEFAULT_DACL data structure.
|
|||
|
TOKEN_QUERY access is needed to retrieve this information
|
|||
|
about a token.
|
|||
|
|
|||
|
TokenSource => TOKEN_SOURCE data structure.
|
|||
|
TOKEN_QUERY_SOURCE access is needed to retrieve this
|
|||
|
information about a token.
|
|||
|
|
|||
|
TokenType => TOKEN_TYPE data structure.
|
|||
|
TOKEN_QUERY access is needed to retrieve this information
|
|||
|
about a token.
|
|||
|
|
|||
|
TokenStatistics => TOKEN_STATISTICS data structure.
|
|||
|
TOKEN_QUERY access is needed to retrieve this
|
|||
|
information about a token.
|
|||
|
|
|||
|
TokenInformationLength - Indicates the length, in bytes, of the
|
|||
|
TokenInformation buffer.
|
|||
|
|
|||
|
ReturnLength - This OUT parameter receives the actual length of
|
|||
|
the requested information. If this value is larger than that
|
|||
|
provided by the TokenInformationLength parameter, then the
|
|||
|
buffer provided to receive the requested information is not
|
|||
|
large enough to hold that data and no data is returned.
|
|||
|
|
|||
|
If the queried class is TokenDefaultDacl and there is no
|
|||
|
default Dacl established for the token, then the return
|
|||
|
length will be returned as zero, and no data will be returned.
|
|||
|
|
|||
|
Return Value:
|
|||
|
|
|||
|
STATUS_SUCCESS - Indicates the operation was successful.
|
|||
|
|
|||
|
STATUS_BUFFER_TOO_SMALL - if the requested information did not
|
|||
|
fit in the provided output buffer. In this case, the
|
|||
|
ReturnLength OUT parameter contains the number of bytes
|
|||
|
actually needed to store the requested information.
|
|||
|
|
|||
|
--*/
|
|||
|
{
|
|||
|
|
|||
|
KPROCESSOR_MODE PreviousMode;
|
|||
|
NTSTATUS Status;
|
|||
|
|
|||
|
PTOKEN Token;
|
|||
|
|
|||
|
ULONG RequiredLength;
|
|||
|
ULONG Index;
|
|||
|
|
|||
|
PTOKEN_TYPE LocalType;
|
|||
|
PTOKEN_USER LocalUser;
|
|||
|
PTOKEN_GROUPS LocalGroups;
|
|||
|
PTOKEN_PRIVILEGES LocalPrivileges;
|
|||
|
PTOKEN_OWNER LocalOwner;
|
|||
|
PTOKEN_PRIMARY_GROUP LocalPrimaryGroup;
|
|||
|
PTOKEN_DEFAULT_DACL LocalDefaultDacl;
|
|||
|
PTOKEN_SOURCE LocalSource;
|
|||
|
PSECURITY_IMPERSONATION_LEVEL LocalImpersonationLevel;
|
|||
|
PTOKEN_STATISTICS LocalStatistics;
|
|||
|
|
|||
|
PSID PSid;
|
|||
|
PACL PAcl;
|
|||
|
|
|||
|
PVOID Ignore;
|
|||
|
|
|||
|
PAGED_CODE();
|
|||
|
|
|||
|
//
|
|||
|
// Get previous processor mode and probe output argument if necessary.
|
|||
|
//
|
|||
|
|
|||
|
PreviousMode = KeGetPreviousMode();
|
|||
|
if (PreviousMode != KernelMode) {
|
|||
|
try {
|
|||
|
|
|||
|
ProbeForWrite(
|
|||
|
TokenInformation,
|
|||
|
TokenInformationLength,
|
|||
|
sizeof(ULONG)
|
|||
|
);
|
|||
|
|
|||
|
ProbeForWriteUlong(ReturnLength);
|
|||
|
|
|||
|
} except(EXCEPTION_EXECUTE_HANDLER) {
|
|||
|
return GetExceptionCode();
|
|||
|
}
|
|||
|
}
|
|||
|
|
|||
|
//
|
|||
|
// Case on information class.
|
|||
|
//
|
|||
|
|
|||
|
switch ( TokenInformationClass ) {
|
|||
|
|
|||
|
case TokenUser:
|
|||
|
|
|||
|
LocalUser = (PTOKEN_USER)TokenInformation;
|
|||
|
|
|||
|
Status = ObReferenceObjectByHandle(
|
|||
|
TokenHandle, // Handle
|
|||
|
TOKEN_QUERY, // DesiredAccess
|
|||
|
SepTokenObjectType, // ObjectType
|
|||
|
PreviousMode, // AccessMode
|
|||
|
(PVOID *)&Token, // Object
|
|||
|
NULL // GrantedAccess
|
|||
|
);
|
|||
|
|
|||
|
if ( !NT_SUCCESS(Status) ) {
|
|||
|
return Status;
|
|||
|
}
|
|||
|
|
|||
|
//
|
|||
|
// Gain exclusive access to the token.
|
|||
|
//
|
|||
|
|
|||
|
SepAcquireTokenReadLock( Token );
|
|||
|
|
|||
|
|
|||
|
|
|||
|
//
|
|||
|
// Return the length required now in case not enough buffer
|
|||
|
// was provided by the caller and we have to return an error.
|
|||
|
//
|
|||
|
|
|||
|
RequiredLength = SeLengthSid( Token->UserAndGroups[0].Sid) +
|
|||
|
(ULONG)sizeof( TOKEN_USER );
|
|||
|
|
|||
|
try {
|
|||
|
|
|||
|
*ReturnLength = RequiredLength;
|
|||
|
|
|||
|
} except(EXCEPTION_EXECUTE_HANDLER) {
|
|||
|
|
|||
|
SepReleaseTokenReadLock( Token );
|
|||
|
ObDereferenceObject( Token );
|
|||
|
return GetExceptionCode();
|
|||
|
}
|
|||
|
|
|||
|
if ( TokenInformationLength < RequiredLength ) {
|
|||
|
|
|||
|
SepReleaseTokenReadLock( Token );
|
|||
|
ObDereferenceObject( Token );
|
|||
|
return STATUS_BUFFER_TOO_SMALL;
|
|||
|
|
|||
|
}
|
|||
|
|
|||
|
//
|
|||
|
// Return the user SID
|
|||
|
//
|
|||
|
|
|||
|
try {
|
|||
|
|
|||
|
//
|
|||
|
// Put SID immediately following TOKEN_USER data structure
|
|||
|
//
|
|||
|
PSid = (PSID)( (ULONG)LocalUser + (ULONG)sizeof(TOKEN_USER) );
|
|||
|
|
|||
|
RtlCopySidAndAttributesArray(
|
|||
|
1,
|
|||
|
Token->UserAndGroups,
|
|||
|
RequiredLength,
|
|||
|
&(LocalUser->User),
|
|||
|
PSid,
|
|||
|
((PSID *)&Ignore),
|
|||
|
((PULONG)&Ignore)
|
|||
|
);
|
|||
|
|
|||
|
} except(EXCEPTION_EXECUTE_HANDLER) {
|
|||
|
|
|||
|
SepReleaseTokenReadLock( Token );
|
|||
|
ObDereferenceObject( Token );
|
|||
|
return GetExceptionCode();
|
|||
|
}
|
|||
|
|
|||
|
|
|||
|
SepReleaseTokenReadLock( Token );
|
|||
|
ObDereferenceObject( Token );
|
|||
|
return STATUS_SUCCESS;
|
|||
|
|
|||
|
case TokenGroups:
|
|||
|
|
|||
|
LocalGroups = (PTOKEN_GROUPS)TokenInformation;
|
|||
|
|
|||
|
Status = ObReferenceObjectByHandle(
|
|||
|
TokenHandle, // Handle
|
|||
|
TOKEN_QUERY, // DesiredAccess
|
|||
|
SepTokenObjectType, // ObjectType
|
|||
|
PreviousMode, // AccessMode
|
|||
|
(PVOID *)&Token, // Object
|
|||
|
NULL // GrantedAccess
|
|||
|
);
|
|||
|
|
|||
|
if ( !NT_SUCCESS(Status) ) {
|
|||
|
return Status;
|
|||
|
}
|
|||
|
|
|||
|
//
|
|||
|
// Gain exclusive access to the token.
|
|||
|
//
|
|||
|
|
|||
|
SepAcquireTokenReadLock( Token );
|
|||
|
|
|||
|
//
|
|||
|
// Figure out how much space is needed to return the group SIDs.
|
|||
|
// That's the size of TOKEN_GROUPS (without any array entries)
|
|||
|
// plus the size of an SID_AND_ATTRIBUTES times the number of groups.
|
|||
|
// The number of groups is Token->UserAndGroups-1 (since the count
|
|||
|
// includes the user ID). Then the lengths of each individual group
|
|||
|
// must be added.
|
|||
|
//
|
|||
|
|
|||
|
RequiredLength = (ULONG)sizeof(TOKEN_GROUPS) +
|
|||
|
((Token->UserAndGroupCount - ANYSIZE_ARRAY - 1) *
|
|||
|
((ULONG)sizeof(SID_AND_ATTRIBUTES)) );
|
|||
|
|
|||
|
Index = 1;
|
|||
|
while (Index < Token->UserAndGroupCount) {
|
|||
|
|
|||
|
RequiredLength += SeLengthSid( Token->UserAndGroups[Index].Sid );
|
|||
|
|
|||
|
Index += 1;
|
|||
|
|
|||
|
} // endwhile
|
|||
|
|
|||
|
//
|
|||
|
// Return the length required now in case not enough buffer
|
|||
|
// was provided by the caller and we have to return an error.
|
|||
|
//
|
|||
|
|
|||
|
try {
|
|||
|
|
|||
|
*ReturnLength = RequiredLength;
|
|||
|
|
|||
|
} except(EXCEPTION_EXECUTE_HANDLER) {
|
|||
|
|
|||
|
SepReleaseTokenReadLock( Token );
|
|||
|
ObDereferenceObject( Token );
|
|||
|
return GetExceptionCode();
|
|||
|
}
|
|||
|
|
|||
|
if ( TokenInformationLength < RequiredLength ) {
|
|||
|
|
|||
|
SepReleaseTokenReadLock( Token );
|
|||
|
ObDereferenceObject( Token );
|
|||
|
return STATUS_BUFFER_TOO_SMALL;
|
|||
|
|
|||
|
}
|
|||
|
|
|||
|
//
|
|||
|
// Now copy the groups.
|
|||
|
//
|
|||
|
|
|||
|
try {
|
|||
|
|
|||
|
LocalGroups->GroupCount = Token->UserAndGroupCount - 1;
|
|||
|
|
|||
|
PSid = (PSID)( (ULONG)LocalGroups +
|
|||
|
(ULONG)sizeof(TOKEN_GROUPS) +
|
|||
|
( (Token->UserAndGroupCount - ANYSIZE_ARRAY - 1) *
|
|||
|
(ULONG)sizeof(SID_AND_ATTRIBUTES) )
|
|||
|
);
|
|||
|
|
|||
|
RtlCopySidAndAttributesArray(
|
|||
|
(ULONG)(Token->UserAndGroupCount - 1),
|
|||
|
&(Token->UserAndGroups[1]),
|
|||
|
RequiredLength,
|
|||
|
LocalGroups->Groups,
|
|||
|
PSid,
|
|||
|
((PSID *)&Ignore),
|
|||
|
((PULONG)&Ignore)
|
|||
|
);
|
|||
|
|
|||
|
} except(EXCEPTION_EXECUTE_HANDLER) {
|
|||
|
|
|||
|
SepReleaseTokenReadLock( Token );
|
|||
|
ObDereferenceObject( Token );
|
|||
|
return GetExceptionCode();
|
|||
|
}
|
|||
|
|
|||
|
|
|||
|
SepReleaseTokenReadLock( Token );
|
|||
|
ObDereferenceObject( Token );
|
|||
|
return STATUS_SUCCESS;
|
|||
|
|
|||
|
case TokenPrivileges:
|
|||
|
|
|||
|
LocalPrivileges = (PTOKEN_PRIVILEGES)TokenInformation;
|
|||
|
|
|||
|
Status = ObReferenceObjectByHandle(
|
|||
|
TokenHandle, // Handle
|
|||
|
TOKEN_QUERY, // DesiredAccess
|
|||
|
SepTokenObjectType, // ObjectType
|
|||
|
PreviousMode, // AccessMode
|
|||
|
(PVOID *)&Token, // Object
|
|||
|
NULL // GrantedAccess
|
|||
|
);
|
|||
|
|
|||
|
if ( !NT_SUCCESS(Status) ) {
|
|||
|
return Status;
|
|||
|
}
|
|||
|
|
|||
|
//
|
|||
|
// Gain exclusive access to the token to prevent changes
|
|||
|
// from occuring to the privileges.
|
|||
|
//
|
|||
|
|
|||
|
SepAcquireTokenReadLock( Token );
|
|||
|
|
|||
|
|
|||
|
//
|
|||
|
// Return the length required now in case not enough buffer
|
|||
|
// was provided by the caller and we have to return an error.
|
|||
|
//
|
|||
|
|
|||
|
RequiredLength = (ULONG)sizeof(TOKEN_PRIVILEGES) +
|
|||
|
((Token->PrivilegeCount - ANYSIZE_ARRAY) *
|
|||
|
((ULONG)sizeof(LUID_AND_ATTRIBUTES)) );
|
|||
|
|
|||
|
|
|||
|
try {
|
|||
|
|
|||
|
*ReturnLength = RequiredLength;
|
|||
|
|
|||
|
} except(EXCEPTION_EXECUTE_HANDLER) {
|
|||
|
|
|||
|
SepReleaseTokenReadLock( Token );
|
|||
|
ObDereferenceObject( Token );
|
|||
|
return GetExceptionCode();
|
|||
|
}
|
|||
|
|
|||
|
if ( TokenInformationLength < RequiredLength ) {
|
|||
|
|
|||
|
SepReleaseTokenReadLock( Token );
|
|||
|
ObDereferenceObject( Token );
|
|||
|
return STATUS_BUFFER_TOO_SMALL;
|
|||
|
|
|||
|
}
|
|||
|
|
|||
|
//
|
|||
|
// Return the token privileges.
|
|||
|
//
|
|||
|
|
|||
|
try {
|
|||
|
|
|||
|
LocalPrivileges->PrivilegeCount = Token->PrivilegeCount;
|
|||
|
|
|||
|
RtlCopyLuidAndAttributesArray(
|
|||
|
Token->PrivilegeCount,
|
|||
|
Token->Privileges,
|
|||
|
LocalPrivileges->Privileges
|
|||
|
);
|
|||
|
|
|||
|
} except(EXCEPTION_EXECUTE_HANDLER) {
|
|||
|
|
|||
|
SepReleaseTokenReadLock( Token );
|
|||
|
ObDereferenceObject( Token );
|
|||
|
return GetExceptionCode();
|
|||
|
}
|
|||
|
|
|||
|
|
|||
|
SepReleaseTokenReadLock( Token );
|
|||
|
ObDereferenceObject( Token );
|
|||
|
return STATUS_SUCCESS;
|
|||
|
|
|||
|
case TokenOwner:
|
|||
|
|
|||
|
LocalOwner = (PTOKEN_OWNER)TokenInformation;
|
|||
|
|
|||
|
Status = ObReferenceObjectByHandle(
|
|||
|
TokenHandle, // Handle
|
|||
|
TOKEN_QUERY, // DesiredAccess
|
|||
|
SepTokenObjectType, // ObjectType
|
|||
|
PreviousMode, // AccessMode
|
|||
|
(PVOID *)&Token, // Object
|
|||
|
NULL // GrantedAccess
|
|||
|
);
|
|||
|
|
|||
|
if ( !NT_SUCCESS(Status) ) {
|
|||
|
return Status;
|
|||
|
}
|
|||
|
|
|||
|
//
|
|||
|
// Gain exclusive access to the token to prevent changes
|
|||
|
// from occuring to the owner.
|
|||
|
//
|
|||
|
|
|||
|
SepAcquireTokenReadLock( Token );
|
|||
|
|
|||
|
//
|
|||
|
// Return the length required now in case not enough buffer
|
|||
|
// was provided by the caller and we have to return an error.
|
|||
|
//
|
|||
|
|
|||
|
PSid = Token->UserAndGroups[Token->DefaultOwnerIndex].Sid;
|
|||
|
RequiredLength = (ULONG)sizeof(TOKEN_OWNER) +
|
|||
|
SeLengthSid( PSid );
|
|||
|
|
|||
|
try {
|
|||
|
|
|||
|
*ReturnLength = RequiredLength;
|
|||
|
|
|||
|
} except(EXCEPTION_EXECUTE_HANDLER) {
|
|||
|
|
|||
|
SepReleaseTokenReadLock( Token );
|
|||
|
ObDereferenceObject( Token );
|
|||
|
return GetExceptionCode();
|
|||
|
}
|
|||
|
|
|||
|
if ( TokenInformationLength < RequiredLength ) {
|
|||
|
|
|||
|
SepReleaseTokenReadLock( Token );
|
|||
|
ObDereferenceObject( Token );
|
|||
|
return STATUS_BUFFER_TOO_SMALL;
|
|||
|
|
|||
|
}
|
|||
|
|
|||
|
//
|
|||
|
// Return the owner SID
|
|||
|
//
|
|||
|
|
|||
|
PSid = (PSID)((ULONG)LocalOwner +
|
|||
|
(ULONG)sizeof(TOKEN_OWNER));
|
|||
|
|
|||
|
try {
|
|||
|
|
|||
|
LocalOwner->Owner = PSid;
|
|||
|
|
|||
|
Status = RtlCopySid(
|
|||
|
(RequiredLength - (ULONG)sizeof(TOKEN_OWNER)),
|
|||
|
PSid,
|
|||
|
Token->UserAndGroups[Token->DefaultOwnerIndex].Sid
|
|||
|
);
|
|||
|
|
|||
|
ASSERT( NT_SUCCESS(Status) );
|
|||
|
|
|||
|
} except(EXCEPTION_EXECUTE_HANDLER) {
|
|||
|
|
|||
|
SepReleaseTokenReadLock( Token );
|
|||
|
ObDereferenceObject( Token );
|
|||
|
return GetExceptionCode();
|
|||
|
}
|
|||
|
|
|||
|
|
|||
|
SepReleaseTokenReadLock( Token );
|
|||
|
ObDereferenceObject( Token );
|
|||
|
return STATUS_SUCCESS;
|
|||
|
|
|||
|
case TokenPrimaryGroup:
|
|||
|
|
|||
|
LocalPrimaryGroup = (PTOKEN_PRIMARY_GROUP)TokenInformation;
|
|||
|
|
|||
|
Status = ObReferenceObjectByHandle(
|
|||
|
TokenHandle, // Handle
|
|||
|
TOKEN_QUERY, // DesiredAccess
|
|||
|
SepTokenObjectType, // ObjectType
|
|||
|
PreviousMode, // AccessMode
|
|||
|
(PVOID *)&Token, // Object
|
|||
|
NULL // GrantedAccess
|
|||
|
);
|
|||
|
|
|||
|
if ( !NT_SUCCESS(Status) ) {
|
|||
|
return Status;
|
|||
|
}
|
|||
|
|
|||
|
//
|
|||
|
// Gain exclusive access to the token to prevent changes
|
|||
|
// from occuring to the owner.
|
|||
|
//
|
|||
|
|
|||
|
SepAcquireTokenReadLock( Token );
|
|||
|
|
|||
|
//
|
|||
|
// Return the length required now in case not enough buffer
|
|||
|
// was provided by the caller and we have to return an error.
|
|||
|
//
|
|||
|
|
|||
|
RequiredLength = (ULONG)sizeof(TOKEN_PRIMARY_GROUP) +
|
|||
|
SeLengthSid( Token->PrimaryGroup );
|
|||
|
|
|||
|
try {
|
|||
|
|
|||
|
*ReturnLength = RequiredLength;
|
|||
|
|
|||
|
} except(EXCEPTION_EXECUTE_HANDLER) {
|
|||
|
|
|||
|
SepReleaseTokenReadLock( Token );
|
|||
|
ObDereferenceObject( Token );
|
|||
|
return GetExceptionCode();
|
|||
|
}
|
|||
|
|
|||
|
if ( TokenInformationLength < RequiredLength ) {
|
|||
|
|
|||
|
SepReleaseTokenReadLock( Token );
|
|||
|
ObDereferenceObject( Token );
|
|||
|
return STATUS_BUFFER_TOO_SMALL;
|
|||
|
|
|||
|
}
|
|||
|
|
|||
|
//
|
|||
|
// Return the primary group SID
|
|||
|
//
|
|||
|
|
|||
|
PSid = (PSID)((ULONG)LocalPrimaryGroup +
|
|||
|
(ULONG)sizeof(TOKEN_PRIMARY_GROUP));
|
|||
|
|
|||
|
try {
|
|||
|
|
|||
|
LocalPrimaryGroup->PrimaryGroup = PSid;
|
|||
|
|
|||
|
Status = RtlCopySid( (RequiredLength - (ULONG)sizeof(TOKEN_PRIMARY_GROUP)),
|
|||
|
PSid,
|
|||
|
Token->PrimaryGroup
|
|||
|
);
|
|||
|
|
|||
|
ASSERT( NT_SUCCESS(Status) );
|
|||
|
|
|||
|
} except(EXCEPTION_EXECUTE_HANDLER) {
|
|||
|
|
|||
|
SepReleaseTokenReadLock( Token );
|
|||
|
ObDereferenceObject( Token );
|
|||
|
return GetExceptionCode();
|
|||
|
}
|
|||
|
|
|||
|
|
|||
|
SepReleaseTokenReadLock( Token );
|
|||
|
ObDereferenceObject( Token );
|
|||
|
return STATUS_SUCCESS;
|
|||
|
|
|||
|
case TokenDefaultDacl:
|
|||
|
|
|||
|
LocalDefaultDacl = (PTOKEN_DEFAULT_DACL)TokenInformation;
|
|||
|
|
|||
|
Status = ObReferenceObjectByHandle(
|
|||
|
TokenHandle, // Handle
|
|||
|
TOKEN_QUERY, // DesiredAccess
|
|||
|
SepTokenObjectType, // ObjectType
|
|||
|
PreviousMode, // AccessMode
|
|||
|
(PVOID *)&Token, // Object
|
|||
|
NULL // GrantedAccess
|
|||
|
);
|
|||
|
|
|||
|
if ( !NT_SUCCESS(Status) ) {
|
|||
|
return Status;
|
|||
|
}
|
|||
|
|
|||
|
//
|
|||
|
// Gain exclusive access to the token to prevent changes
|
|||
|
// from occuring to the owner.
|
|||
|
//
|
|||
|
|
|||
|
SepAcquireTokenReadLock( Token );
|
|||
|
|
|||
|
|
|||
|
//
|
|||
|
// Return the length required now in case not enough buffer
|
|||
|
// was provided by the caller and we have to return an error.
|
|||
|
//
|
|||
|
|
|||
|
RequiredLength = (ULONG)sizeof(TOKEN_DEFAULT_DACL);
|
|||
|
|
|||
|
if (ARGUMENT_PRESENT(Token->DefaultDacl)) {
|
|||
|
|
|||
|
RequiredLength += Token->DefaultDacl->AclSize;
|
|||
|
|
|||
|
}
|
|||
|
|
|||
|
try {
|
|||
|
|
|||
|
*ReturnLength = RequiredLength;
|
|||
|
|
|||
|
} except(EXCEPTION_EXECUTE_HANDLER) {
|
|||
|
|
|||
|
SepReleaseTokenReadLock( Token );
|
|||
|
ObDereferenceObject( Token );
|
|||
|
return GetExceptionCode();
|
|||
|
}
|
|||
|
|
|||
|
if ( TokenInformationLength < RequiredLength ) {
|
|||
|
|
|||
|
SepReleaseTokenReadLock( Token );
|
|||
|
ObDereferenceObject( Token );
|
|||
|
return STATUS_BUFFER_TOO_SMALL;
|
|||
|
|
|||
|
}
|
|||
|
|
|||
|
//
|
|||
|
// Return the default Dacl
|
|||
|
//
|
|||
|
|
|||
|
PAcl = (PACL)((ULONG)LocalDefaultDacl +
|
|||
|
(ULONG)sizeof(TOKEN_DEFAULT_DACL));
|
|||
|
|
|||
|
try {
|
|||
|
|
|||
|
if (ARGUMENT_PRESENT(Token->DefaultDacl)) {
|
|||
|
|
|||
|
LocalDefaultDacl->DefaultDacl = PAcl;
|
|||
|
|
|||
|
RtlMoveMemory( (PVOID)PAcl,
|
|||
|
(PVOID)Token->DefaultDacl,
|
|||
|
Token->DefaultDacl->AclSize
|
|||
|
);
|
|||
|
} else {
|
|||
|
|
|||
|
LocalDefaultDacl->DefaultDacl = NULL;
|
|||
|
|
|||
|
}
|
|||
|
|
|||
|
} except(EXCEPTION_EXECUTE_HANDLER) {
|
|||
|
|
|||
|
SepReleaseTokenReadLock( Token );
|
|||
|
ObDereferenceObject( Token );
|
|||
|
return GetExceptionCode();
|
|||
|
}
|
|||
|
|
|||
|
|
|||
|
SepReleaseTokenReadLock( Token );
|
|||
|
ObDereferenceObject( Token );
|
|||
|
return STATUS_SUCCESS;
|
|||
|
|
|||
|
|
|||
|
|
|||
|
case TokenSource:
|
|||
|
|
|||
|
LocalSource = (PTOKEN_SOURCE)TokenInformation;
|
|||
|
|
|||
|
Status = ObReferenceObjectByHandle(
|
|||
|
TokenHandle, // Handle
|
|||
|
TOKEN_QUERY_SOURCE, // DesiredAccess
|
|||
|
SepTokenObjectType, // ObjectType
|
|||
|
PreviousMode, // AccessMode
|
|||
|
(PVOID *)&Token, // Object
|
|||
|
NULL // GrantedAccess
|
|||
|
);
|
|||
|
|
|||
|
if ( !NT_SUCCESS(Status) ) {
|
|||
|
return Status;
|
|||
|
}
|
|||
|
|
|||
|
//
|
|||
|
// The type of a token can not be changed, so
|
|||
|
// exclusive access to the token is not necessary.
|
|||
|
//
|
|||
|
|
|||
|
//
|
|||
|
// Return the length required now in case not enough buffer
|
|||
|
// was provided by the caller and we have to return an error.
|
|||
|
//
|
|||
|
|
|||
|
RequiredLength = (ULONG) sizeof(TOKEN_SOURCE);
|
|||
|
|
|||
|
try {
|
|||
|
|
|||
|
*ReturnLength = RequiredLength;
|
|||
|
|
|||
|
} except(EXCEPTION_EXECUTE_HANDLER) {
|
|||
|
|
|||
|
ObDereferenceObject( Token );
|
|||
|
return GetExceptionCode();
|
|||
|
}
|
|||
|
|
|||
|
if ( TokenInformationLength < RequiredLength ) {
|
|||
|
|
|||
|
ObDereferenceObject( Token );
|
|||
|
return STATUS_BUFFER_TOO_SMALL;
|
|||
|
|
|||
|
}
|
|||
|
|
|||
|
|
|||
|
//
|
|||
|
// Return the token source
|
|||
|
//
|
|||
|
|
|||
|
try {
|
|||
|
|
|||
|
(*LocalSource) = Token->TokenSource;
|
|||
|
|
|||
|
} except(EXCEPTION_EXECUTE_HANDLER) {
|
|||
|
|
|||
|
ObDereferenceObject( Token );
|
|||
|
return GetExceptionCode();
|
|||
|
}
|
|||
|
|
|||
|
|
|||
|
ObDereferenceObject( Token );
|
|||
|
return STATUS_SUCCESS;
|
|||
|
|
|||
|
case TokenType:
|
|||
|
|
|||
|
LocalType = (PTOKEN_TYPE)TokenInformation;
|
|||
|
|
|||
|
Status = ObReferenceObjectByHandle(
|
|||
|
TokenHandle, // Handle
|
|||
|
TOKEN_QUERY, // DesiredAccess
|
|||
|
SepTokenObjectType, // ObjectType
|
|||
|
PreviousMode, // AccessMode
|
|||
|
(PVOID *)&Token, // Object
|
|||
|
NULL // GrantedAccess
|
|||
|
);
|
|||
|
|
|||
|
if ( !NT_SUCCESS(Status) ) {
|
|||
|
return Status;
|
|||
|
}
|
|||
|
|
|||
|
//
|
|||
|
// The type of a token can not be changed, so
|
|||
|
// exclusive access to the token is not necessary.
|
|||
|
//
|
|||
|
|
|||
|
//
|
|||
|
// Return the length required now in case not enough buffer
|
|||
|
// was provided by the caller and we have to return an error.
|
|||
|
//
|
|||
|
|
|||
|
RequiredLength = (ULONG) sizeof(TOKEN_TYPE);
|
|||
|
|
|||
|
try {
|
|||
|
|
|||
|
*ReturnLength = RequiredLength;
|
|||
|
|
|||
|
} except(EXCEPTION_EXECUTE_HANDLER) {
|
|||
|
|
|||
|
ObDereferenceObject( Token );
|
|||
|
return GetExceptionCode();
|
|||
|
}
|
|||
|
|
|||
|
if ( TokenInformationLength < RequiredLength ) {
|
|||
|
|
|||
|
ObDereferenceObject( Token );
|
|||
|
return STATUS_BUFFER_TOO_SMALL;
|
|||
|
|
|||
|
}
|
|||
|
|
|||
|
|
|||
|
//
|
|||
|
// Return the token type
|
|||
|
//
|
|||
|
|
|||
|
try {
|
|||
|
|
|||
|
(*LocalType) = Token->TokenType;
|
|||
|
|
|||
|
} except(EXCEPTION_EXECUTE_HANDLER) {
|
|||
|
|
|||
|
ObDereferenceObject( Token );
|
|||
|
return GetExceptionCode();
|
|||
|
}
|
|||
|
|
|||
|
|
|||
|
ObDereferenceObject( Token );
|
|||
|
return STATUS_SUCCESS;
|
|||
|
|
|||
|
|
|||
|
case TokenImpersonationLevel:
|
|||
|
|
|||
|
LocalImpersonationLevel = (PSECURITY_IMPERSONATION_LEVEL)TokenInformation;
|
|||
|
|
|||
|
Status = ObReferenceObjectByHandle(
|
|||
|
TokenHandle, // Handle
|
|||
|
TOKEN_QUERY, // DesiredAccess
|
|||
|
SepTokenObjectType, // ObjectType
|
|||
|
PreviousMode, // AccessMode
|
|||
|
(PVOID *)&Token, // Object
|
|||
|
NULL // GrantedAccess
|
|||
|
);
|
|||
|
|
|||
|
if ( !NT_SUCCESS(Status) ) {
|
|||
|
return Status;
|
|||
|
}
|
|||
|
|
|||
|
//
|
|||
|
// The impersonation level of a token can not be changed, so
|
|||
|
// exclusive access to the token is not necessary.
|
|||
|
//
|
|||
|
|
|||
|
//
|
|||
|
// Make sure the token is an appropriate type to be retrieving
|
|||
|
// the impersonation level from.
|
|||
|
//
|
|||
|
|
|||
|
if (Token->TokenType != TokenImpersonation) {
|
|||
|
|
|||
|
ObDereferenceObject( Token );
|
|||
|
return STATUS_INVALID_INFO_CLASS;
|
|||
|
|
|||
|
}
|
|||
|
|
|||
|
//
|
|||
|
// Return the length required now in case not enough buffer
|
|||
|
// was provided by the caller and we have to return an error.
|
|||
|
//
|
|||
|
|
|||
|
RequiredLength = (ULONG) sizeof(SECURITY_IMPERSONATION_LEVEL);
|
|||
|
|
|||
|
try {
|
|||
|
|
|||
|
*ReturnLength = RequiredLength;
|
|||
|
|
|||
|
} except(EXCEPTION_EXECUTE_HANDLER) {
|
|||
|
|
|||
|
ObDereferenceObject( Token );
|
|||
|
return GetExceptionCode();
|
|||
|
}
|
|||
|
|
|||
|
if ( TokenInformationLength < RequiredLength ) {
|
|||
|
|
|||
|
ObDereferenceObject( Token );
|
|||
|
return STATUS_BUFFER_TOO_SMALL;
|
|||
|
|
|||
|
}
|
|||
|
|
|||
|
|
|||
|
//
|
|||
|
// Return the impersonation level
|
|||
|
//
|
|||
|
|
|||
|
try {
|
|||
|
|
|||
|
(*LocalImpersonationLevel) = Token->ImpersonationLevel;
|
|||
|
|
|||
|
} except(EXCEPTION_EXECUTE_HANDLER) {
|
|||
|
|
|||
|
ObDereferenceObject( Token );
|
|||
|
return GetExceptionCode();
|
|||
|
}
|
|||
|
|
|||
|
|
|||
|
ObDereferenceObject( Token );
|
|||
|
return STATUS_SUCCESS;
|
|||
|
|
|||
|
|
|||
|
case TokenStatistics:
|
|||
|
|
|||
|
LocalStatistics = (PTOKEN_STATISTICS)TokenInformation;
|
|||
|
|
|||
|
Status = ObReferenceObjectByHandle(
|
|||
|
TokenHandle, // Handle
|
|||
|
TOKEN_QUERY, // DesiredAccess
|
|||
|
SepTokenObjectType, // ObjectType
|
|||
|
PreviousMode, // AccessMode
|
|||
|
(PVOID *)&Token, // Object
|
|||
|
NULL // GrantedAccess
|
|||
|
);
|
|||
|
|
|||
|
if ( !NT_SUCCESS(Status) ) {
|
|||
|
return Status;
|
|||
|
}
|
|||
|
|
|||
|
//
|
|||
|
// Gain exclusive access to the token.
|
|||
|
//
|
|||
|
|
|||
|
SepAcquireTokenReadLock( Token );
|
|||
|
|
|||
|
|
|||
|
|
|||
|
//
|
|||
|
// Return the length required now in case not enough buffer
|
|||
|
// was provided by the caller and we have to return an error.
|
|||
|
//
|
|||
|
|
|||
|
RequiredLength = (ULONG)sizeof( TOKEN_STATISTICS );
|
|||
|
|
|||
|
try {
|
|||
|
|
|||
|
*ReturnLength = RequiredLength;
|
|||
|
|
|||
|
} except(EXCEPTION_EXECUTE_HANDLER) {
|
|||
|
|
|||
|
SepReleaseTokenReadLock( Token );
|
|||
|
ObDereferenceObject( Token );
|
|||
|
return GetExceptionCode();
|
|||
|
}
|
|||
|
|
|||
|
if ( TokenInformationLength < RequiredLength ) {
|
|||
|
|
|||
|
SepReleaseTokenReadLock( Token );
|
|||
|
ObDereferenceObject( Token );
|
|||
|
return STATUS_BUFFER_TOO_SMALL;
|
|||
|
|
|||
|
}
|
|||
|
|
|||
|
//
|
|||
|
// Return the statistics
|
|||
|
//
|
|||
|
|
|||
|
try {
|
|||
|
|
|||
|
LocalStatistics->TokenId = Token->TokenId;
|
|||
|
LocalStatistics->AuthenticationId = Token->AuthenticationId;
|
|||
|
LocalStatistics->ExpirationTime = Token->ExpirationTime;
|
|||
|
LocalStatistics->TokenType = Token->TokenType;
|
|||
|
LocalStatistics->ImpersonationLevel = Token->ImpersonationLevel;
|
|||
|
LocalStatistics->DynamicCharged = Token->DynamicCharged;
|
|||
|
LocalStatistics->DynamicAvailable = Token->DynamicAvailable;
|
|||
|
LocalStatistics->GroupCount = Token->UserAndGroupCount-1;
|
|||
|
LocalStatistics->PrivilegeCount = Token->PrivilegeCount;
|
|||
|
LocalStatistics->ModifiedId = Token->ModifiedId;
|
|||
|
|
|||
|
} except(EXCEPTION_EXECUTE_HANDLER) {
|
|||
|
|
|||
|
SepReleaseTokenReadLock( Token );
|
|||
|
ObDereferenceObject( Token );
|
|||
|
return GetExceptionCode();
|
|||
|
}
|
|||
|
|
|||
|
|
|||
|
SepReleaseTokenReadLock( Token );
|
|||
|
ObDereferenceObject( Token );
|
|||
|
return STATUS_SUCCESS;
|
|||
|
|
|||
|
default:
|
|||
|
|
|||
|
return STATUS_INVALID_INFO_CLASS;
|
|||
|
}
|
|||
|
}
|
|||
|
|
|||
|
|
|||
|
NTSTATUS
|
|||
|
SeQueryAuthenticationIdToken(
|
|||
|
IN PACCESS_TOKEN Token,
|
|||
|
OUT PLUID AuthenticationId
|
|||
|
)
|
|||
|
|
|||
|
/*++
|
|||
|
|
|||
|
|
|||
|
Routine Description:
|
|||
|
|
|||
|
Retrieve authentication ID out of the token.
|
|||
|
|
|||
|
Arguments:
|
|||
|
|
|||
|
Token - Referenced pointer to a token.
|
|||
|
|
|||
|
AutenticationId - Receives the token's authentication ID.
|
|||
|
|
|||
|
Return Value:
|
|||
|
|
|||
|
STATUS_SUCCESS - Indicates the operation was successful.
|
|||
|
|
|||
|
This is the only expected status.
|
|||
|
|
|||
|
--*/
|
|||
|
{
|
|||
|
PAGED_CODE();
|
|||
|
|
|||
|
SepAcquireTokenReadLock( ((PTOKEN)Token) );
|
|||
|
(*AuthenticationId) = ((PTOKEN)Token)->AuthenticationId;
|
|||
|
SepReleaseTokenReadLock( ((PTOKEN)Token) );
|
|||
|
return(STATUS_SUCCESS);
|
|||
|
}
|
|||
|
|
|||
|
|
|||
|
|
|||
|
NTSTATUS
|
|||
|
SeQueryInformationToken (
|
|||
|
IN PACCESS_TOKEN AccessToken,
|
|||
|
IN TOKEN_INFORMATION_CLASS TokenInformationClass,
|
|||
|
OUT PVOID *TokenInformation
|
|||
|
)
|
|||
|
|
|||
|
/*++
|
|||
|
|
|||
|
|
|||
|
Routine Description:
|
|||
|
|
|||
|
Retrieve information about a specified token.
|
|||
|
|
|||
|
Arguments:
|
|||
|
|
|||
|
TokenHandle - Provides a handle to the token to operate on.
|
|||
|
|
|||
|
TokenInformationClass - The token information class about which
|
|||
|
to retrieve information.
|
|||
|
|
|||
|
TokenInformation - Receives a pointer to the requested information.
|
|||
|
The actual structures returned are dependent upon the information
|
|||
|
class requested, as defined in the TokenInformationClass parameter
|
|||
|
description.
|
|||
|
|
|||
|
TokenInformation Format By Information Class:
|
|||
|
|
|||
|
TokenUser => TOKEN_USER data structure. TOKEN_QUERY
|
|||
|
access is needed to retrieve this information about a
|
|||
|
token.
|
|||
|
|
|||
|
TokenGroups => TOKEN_GROUPS data structure. TOKEN_QUERY
|
|||
|
access is needed to retrieve this information about a
|
|||
|
token.
|
|||
|
|
|||
|
TokenPrivileges => TOKEN_PRIVILEGES data structure.
|
|||
|
TOKEN_QUERY access is needed to retrieve this information
|
|||
|
about a token.
|
|||
|
|
|||
|
TokenOwner => TOKEN_OWNER data structure. TOKEN_QUERY
|
|||
|
access is needed to retrieve this information about a
|
|||
|
token.
|
|||
|
|
|||
|
TokenPrimaryGroup => TOKEN_PRIMARY_GROUP data structure.
|
|||
|
TOKEN_QUERY access is needed to retrieve this information
|
|||
|
about a token.
|
|||
|
|
|||
|
TokenDefaultDacl => TOKEN_DEFAULT_DACL data structure.
|
|||
|
TOKEN_QUERY access is needed to retrieve this information
|
|||
|
about a token.
|
|||
|
|
|||
|
TokenSource => TOKEN_SOURCE data structure.
|
|||
|
TOKEN_QUERY_SOURCE access is needed to retrieve this
|
|||
|
information about a token.
|
|||
|
|
|||
|
TokenType => TOKEN_TYPE data structure.
|
|||
|
TOKEN_QUERY access is needed to retrieve this information
|
|||
|
about a token.
|
|||
|
|
|||
|
TokenStatistics => TOKEN_STATISTICS data structure.
|
|||
|
TOKEN_QUERY access is needed to retrieve this
|
|||
|
information about a token.
|
|||
|
|
|||
|
Return Value:
|
|||
|
|
|||
|
STATUS_SUCCESS - Indicates the operation was successful.
|
|||
|
|
|||
|
--*/
|
|||
|
{
|
|||
|
|
|||
|
NTSTATUS Status;
|
|||
|
|
|||
|
ULONG RequiredLength;
|
|||
|
ULONG Index;
|
|||
|
|
|||
|
PSID PSid;
|
|||
|
PACL PAcl;
|
|||
|
|
|||
|
PVOID Ignore;
|
|||
|
PTOKEN Token = (PTOKEN)AccessToken;
|
|||
|
|
|||
|
PAGED_CODE();
|
|||
|
|
|||
|
//
|
|||
|
// Case on information class.
|
|||
|
//
|
|||
|
|
|||
|
switch ( TokenInformationClass ) {
|
|||
|
|
|||
|
case TokenUser:
|
|||
|
{
|
|||
|
PTOKEN_USER LocalUser;
|
|||
|
|
|||
|
LocalUser = (PTOKEN_USER)(*TokenInformation);
|
|||
|
|
|||
|
//
|
|||
|
// Gain exclusive access to the token.
|
|||
|
//
|
|||
|
|
|||
|
SepAcquireTokenReadLock( Token );
|
|||
|
|
|||
|
//
|
|||
|
// Return the length required now in case not enough buffer
|
|||
|
// was provided by the caller and we have to return an error.
|
|||
|
//
|
|||
|
|
|||
|
RequiredLength = SeLengthSid( Token->UserAndGroups[0].Sid) +
|
|||
|
(ULONG)sizeof( TOKEN_USER );
|
|||
|
|
|||
|
LocalUser = ExAllocatePool( PagedPool, RequiredLength );
|
|||
|
|
|||
|
if (LocalUser == NULL) {
|
|||
|
SepReleaseTokenReadLock( Token );
|
|||
|
return( STATUS_INSUFFICIENT_RESOURCES );
|
|||
|
}
|
|||
|
|
|||
|
//
|
|||
|
// Return the user SID
|
|||
|
//
|
|||
|
// Put SID immediately following TOKEN_USER data structure
|
|||
|
//
|
|||
|
|
|||
|
PSid = (PSID)( (ULONG)LocalUser + (ULONG)sizeof(TOKEN_USER) );
|
|||
|
|
|||
|
RtlCopySidAndAttributesArray(
|
|||
|
1,
|
|||
|
Token->UserAndGroups,
|
|||
|
RequiredLength,
|
|||
|
&(LocalUser->User),
|
|||
|
PSid,
|
|||
|
((PSID *)&Ignore),
|
|||
|
((PULONG)&Ignore)
|
|||
|
);
|
|||
|
|
|||
|
SepReleaseTokenReadLock( Token );
|
|||
|
return STATUS_SUCCESS;
|
|||
|
}
|
|||
|
|
|||
|
|
|||
|
case TokenGroups:
|
|||
|
{
|
|||
|
PTOKEN_GROUPS LocalGroups;
|
|||
|
|
|||
|
LocalGroups = (PTOKEN_GROUPS)(*TokenInformation);
|
|||
|
|
|||
|
//
|
|||
|
// Gain exclusive access to the token.
|
|||
|
//
|
|||
|
|
|||
|
SepAcquireTokenReadLock( Token );
|
|||
|
|
|||
|
//
|
|||
|
// Figure out how much space is needed to return the group SIDs.
|
|||
|
// That's the size of TOKEN_GROUPS (without any array entries)
|
|||
|
// plus the size of an SID_AND_ATTRIBUTES times the number of groups.
|
|||
|
// The number of groups is Token->UserAndGroups-1 (since the count
|
|||
|
// includes the user ID). Then the lengths of each individual group
|
|||
|
// must be added.
|
|||
|
//
|
|||
|
|
|||
|
RequiredLength = (ULONG)sizeof(TOKEN_GROUPS) +
|
|||
|
((Token->UserAndGroupCount - ANYSIZE_ARRAY - 1) *
|
|||
|
((ULONG)sizeof(SID_AND_ATTRIBUTES)) );
|
|||
|
|
|||
|
Index = 1;
|
|||
|
while (Index < Token->UserAndGroupCount) {
|
|||
|
|
|||
|
RequiredLength += SeLengthSid( Token->UserAndGroups[Index].Sid );
|
|||
|
|
|||
|
Index += 1;
|
|||
|
|
|||
|
} // endwhile
|
|||
|
|
|||
|
LocalGroups = ExAllocatePool( PagedPool, RequiredLength );
|
|||
|
|
|||
|
if (LocalGroups == NULL) {
|
|||
|
SepReleaseTokenReadLock( Token );
|
|||
|
return( STATUS_INSUFFICIENT_RESOURCES );
|
|||
|
}
|
|||
|
|
|||
|
//
|
|||
|
// Now copy the groups.
|
|||
|
//
|
|||
|
|
|||
|
LocalGroups->GroupCount = Token->UserAndGroupCount - 1;
|
|||
|
|
|||
|
PSid = (PSID)( (ULONG)LocalGroups +
|
|||
|
(ULONG)sizeof(TOKEN_GROUPS) +
|
|||
|
( (Token->UserAndGroupCount - ANYSIZE_ARRAY - 1) *
|
|||
|
(ULONG)sizeof(SID_AND_ATTRIBUTES) )
|
|||
|
);
|
|||
|
|
|||
|
RtlCopySidAndAttributesArray(
|
|||
|
(ULONG)(Token->UserAndGroupCount - 1),
|
|||
|
&(Token->UserAndGroups[1]),
|
|||
|
RequiredLength,
|
|||
|
LocalGroups->Groups,
|
|||
|
PSid,
|
|||
|
((PSID *)&Ignore),
|
|||
|
((PULONG)&Ignore)
|
|||
|
);
|
|||
|
|
|||
|
SepReleaseTokenReadLock( Token );
|
|||
|
return STATUS_SUCCESS;
|
|||
|
}
|
|||
|
|
|||
|
|
|||
|
case TokenPrivileges:
|
|||
|
{
|
|||
|
PTOKEN_PRIVILEGES LocalPrivileges;
|
|||
|
|
|||
|
LocalPrivileges = (PTOKEN_PRIVILEGES)(*TokenInformation);
|
|||
|
|
|||
|
//
|
|||
|
// Gain exclusive access to the token to prevent changes
|
|||
|
// from occuring to the privileges.
|
|||
|
//
|
|||
|
|
|||
|
SepAcquireTokenReadLock( Token );
|
|||
|
|
|||
|
//
|
|||
|
// Return the length required now in case not enough buffer
|
|||
|
// was provided by the caller and we have to return an error.
|
|||
|
//
|
|||
|
|
|||
|
RequiredLength = (ULONG)sizeof(TOKEN_PRIVILEGES) +
|
|||
|
((Token->PrivilegeCount - ANYSIZE_ARRAY) *
|
|||
|
((ULONG)sizeof(LUID_AND_ATTRIBUTES)) );
|
|||
|
|
|||
|
LocalPrivileges = ExAllocatePool( PagedPool, RequiredLength );
|
|||
|
|
|||
|
if (LocalPrivileges == NULL) {
|
|||
|
SepReleaseTokenReadLock( Token );
|
|||
|
return( STATUS_INSUFFICIENT_RESOURCES );
|
|||
|
}
|
|||
|
|
|||
|
//
|
|||
|
// Return the token privileges.
|
|||
|
//
|
|||
|
|
|||
|
LocalPrivileges->PrivilegeCount = Token->PrivilegeCount;
|
|||
|
|
|||
|
RtlCopyLuidAndAttributesArray(
|
|||
|
Token->PrivilegeCount,
|
|||
|
Token->Privileges,
|
|||
|
LocalPrivileges->Privileges
|
|||
|
);
|
|||
|
|
|||
|
SepReleaseTokenReadLock( Token );
|
|||
|
return STATUS_SUCCESS;
|
|||
|
}
|
|||
|
|
|||
|
|
|||
|
case TokenOwner:
|
|||
|
{
|
|||
|
PTOKEN_OWNER LocalOwner;
|
|||
|
|
|||
|
LocalOwner = (PTOKEN_OWNER)(*TokenInformation);
|
|||
|
|
|||
|
//
|
|||
|
// Gain exclusive access to the token to prevent changes
|
|||
|
// from occuring to the owner.
|
|||
|
//
|
|||
|
|
|||
|
SepAcquireTokenReadLock( Token );
|
|||
|
|
|||
|
//
|
|||
|
// Return the length required now in case not enough buffer
|
|||
|
// was provided by the caller and we have to return an error.
|
|||
|
//
|
|||
|
|
|||
|
PSid = Token->UserAndGroups[Token->DefaultOwnerIndex].Sid;
|
|||
|
RequiredLength = (ULONG)sizeof(TOKEN_OWNER) +
|
|||
|
SeLengthSid( PSid );
|
|||
|
|
|||
|
LocalOwner = ExAllocatePool( PagedPool, RequiredLength );
|
|||
|
|
|||
|
if (LocalOwner == NULL) {
|
|||
|
SepReleaseTokenReadLock( Token );
|
|||
|
return( STATUS_INSUFFICIENT_RESOURCES );
|
|||
|
}
|
|||
|
|
|||
|
//
|
|||
|
// Return the owner SID
|
|||
|
//
|
|||
|
|
|||
|
PSid = (PSID)((ULONG)LocalOwner +
|
|||
|
(ULONG)sizeof(TOKEN_OWNER));
|
|||
|
|
|||
|
LocalOwner->Owner = PSid;
|
|||
|
|
|||
|
Status = RtlCopySid(
|
|||
|
(RequiredLength - (ULONG)sizeof(TOKEN_OWNER)),
|
|||
|
PSid,
|
|||
|
Token->UserAndGroups[Token->DefaultOwnerIndex].Sid
|
|||
|
);
|
|||
|
|
|||
|
ASSERT( NT_SUCCESS(Status) );
|
|||
|
|
|||
|
SepReleaseTokenReadLock( Token );
|
|||
|
return STATUS_SUCCESS;
|
|||
|
}
|
|||
|
|
|||
|
|
|||
|
case TokenPrimaryGroup:
|
|||
|
{
|
|||
|
PTOKEN_PRIMARY_GROUP LocalPrimaryGroup;
|
|||
|
|
|||
|
LocalPrimaryGroup = (PTOKEN_PRIMARY_GROUP)(*TokenInformation);
|
|||
|
|
|||
|
//
|
|||
|
// Gain exclusive access to the token to prevent changes
|
|||
|
// from occuring to the owner.
|
|||
|
//
|
|||
|
|
|||
|
SepAcquireTokenReadLock( Token );
|
|||
|
|
|||
|
//
|
|||
|
// Return the length required now in case not enough buffer
|
|||
|
// was provided by the caller and we have to return an error.
|
|||
|
//
|
|||
|
|
|||
|
RequiredLength = (ULONG)sizeof(TOKEN_PRIMARY_GROUP) +
|
|||
|
SeLengthSid( Token->PrimaryGroup );
|
|||
|
|
|||
|
LocalPrimaryGroup = ExAllocatePool( PagedPool, RequiredLength );
|
|||
|
|
|||
|
if (LocalPrimaryGroup == NULL) {
|
|||
|
SepReleaseTokenReadLock( Token );
|
|||
|
return( STATUS_INSUFFICIENT_RESOURCES );
|
|||
|
}
|
|||
|
|
|||
|
//
|
|||
|
// Return the primary group SID
|
|||
|
//
|
|||
|
|
|||
|
PSid = (PSID)((ULONG)LocalPrimaryGroup +
|
|||
|
(ULONG)sizeof(TOKEN_PRIMARY_GROUP));
|
|||
|
|
|||
|
LocalPrimaryGroup->PrimaryGroup = PSid;
|
|||
|
|
|||
|
Status = RtlCopySid( (RequiredLength - (ULONG)sizeof(TOKEN_PRIMARY_GROUP)),
|
|||
|
PSid,
|
|||
|
Token->PrimaryGroup
|
|||
|
);
|
|||
|
|
|||
|
ASSERT( NT_SUCCESS(Status) );
|
|||
|
|
|||
|
SepReleaseTokenReadLock( Token );
|
|||
|
return STATUS_SUCCESS;
|
|||
|
}
|
|||
|
|
|||
|
|
|||
|
case TokenDefaultDacl:
|
|||
|
{
|
|||
|
PTOKEN_DEFAULT_DACL LocalDefaultDacl;
|
|||
|
|
|||
|
LocalDefaultDacl = (PTOKEN_DEFAULT_DACL)(*TokenInformation);
|
|||
|
|
|||
|
//
|
|||
|
// Gain exclusive access to the token to prevent changes
|
|||
|
// from occuring to the owner.
|
|||
|
//
|
|||
|
|
|||
|
SepAcquireTokenReadLock( Token );
|
|||
|
|
|||
|
//
|
|||
|
// Return the length required now in case not enough buffer
|
|||
|
// was provided by the caller and we have to return an error.
|
|||
|
//
|
|||
|
|
|||
|
RequiredLength = (ULONG)sizeof(TOKEN_DEFAULT_DACL);
|
|||
|
|
|||
|
if (ARGUMENT_PRESENT(Token->DefaultDacl)) {
|
|||
|
|
|||
|
RequiredLength += Token->DefaultDacl->AclSize;
|
|||
|
}
|
|||
|
|
|||
|
LocalDefaultDacl = ExAllocatePool( PagedPool, RequiredLength );
|
|||
|
|
|||
|
if (LocalDefaultDacl == NULL) {
|
|||
|
SepReleaseTokenReadLock( Token );
|
|||
|
return( STATUS_INSUFFICIENT_RESOURCES );
|
|||
|
}
|
|||
|
|
|||
|
//
|
|||
|
// Return the default Dacl
|
|||
|
//
|
|||
|
|
|||
|
PAcl = (PACL)((ULONG)LocalDefaultDacl +
|
|||
|
(ULONG)sizeof(TOKEN_DEFAULT_DACL));
|
|||
|
|
|||
|
if (ARGUMENT_PRESENT(Token->DefaultDacl)) {
|
|||
|
|
|||
|
LocalDefaultDacl->DefaultDacl = PAcl;
|
|||
|
|
|||
|
RtlMoveMemory( (PVOID)PAcl,
|
|||
|
(PVOID)Token->DefaultDacl,
|
|||
|
Token->DefaultDacl->AclSize
|
|||
|
);
|
|||
|
} else {
|
|||
|
|
|||
|
LocalDefaultDacl->DefaultDacl = NULL;
|
|||
|
}
|
|||
|
|
|||
|
SepReleaseTokenReadLock( Token );
|
|||
|
return STATUS_SUCCESS;
|
|||
|
}
|
|||
|
|
|||
|
|
|||
|
case TokenSource:
|
|||
|
{
|
|||
|
PTOKEN_SOURCE LocalSource;
|
|||
|
|
|||
|
LocalSource = (PTOKEN_SOURCE)(*TokenInformation);
|
|||
|
|
|||
|
//
|
|||
|
// The type of a token can not be changed, so
|
|||
|
// exclusive access to the token is not necessary.
|
|||
|
//
|
|||
|
|
|||
|
//
|
|||
|
// Return the length required now in case not enough buffer
|
|||
|
// was provided by the caller and we have to return an error.
|
|||
|
//
|
|||
|
|
|||
|
RequiredLength = (ULONG) sizeof(TOKEN_SOURCE);
|
|||
|
|
|||
|
LocalSource = ExAllocatePool( PagedPool, RequiredLength );
|
|||
|
|
|||
|
if (LocalSource == NULL) {
|
|||
|
return( STATUS_INSUFFICIENT_RESOURCES );
|
|||
|
}
|
|||
|
|
|||
|
//
|
|||
|
// Return the token source
|
|||
|
//
|
|||
|
|
|||
|
(*LocalSource) = Token->TokenSource;
|
|||
|
|
|||
|
return STATUS_SUCCESS;
|
|||
|
}
|
|||
|
|
|||
|
|
|||
|
case TokenType:
|
|||
|
{
|
|||
|
PTOKEN_TYPE LocalType;
|
|||
|
|
|||
|
LocalType = (PTOKEN_TYPE)(*TokenInformation);
|
|||
|
|
|||
|
//
|
|||
|
// The type of a token can not be changed, so
|
|||
|
// exclusive access to the token is not necessary.
|
|||
|
//
|
|||
|
|
|||
|
//
|
|||
|
// Return the length required now in case not enough buffer
|
|||
|
// was provided by the caller and we have to return an error.
|
|||
|
//
|
|||
|
|
|||
|
RequiredLength = (ULONG) sizeof(TOKEN_TYPE);
|
|||
|
|
|||
|
LocalType = ExAllocatePool( PagedPool, RequiredLength );
|
|||
|
|
|||
|
if (LocalType == NULL) {
|
|||
|
return( STATUS_INSUFFICIENT_RESOURCES );
|
|||
|
}
|
|||
|
|
|||
|
//
|
|||
|
// Return the token type
|
|||
|
//
|
|||
|
|
|||
|
(*LocalType) = Token->TokenType;
|
|||
|
|
|||
|
return STATUS_SUCCESS;
|
|||
|
}
|
|||
|
|
|||
|
|
|||
|
case TokenImpersonationLevel:
|
|||
|
{
|
|||
|
PSECURITY_IMPERSONATION_LEVEL LocalImpersonationLevel;
|
|||
|
|
|||
|
LocalImpersonationLevel = (PSECURITY_IMPERSONATION_LEVEL)(*TokenInformation);
|
|||
|
|
|||
|
//
|
|||
|
// The impersonation level of a token can not be changed, so
|
|||
|
// exclusive access to the token is not necessary.
|
|||
|
//
|
|||
|
|
|||
|
//
|
|||
|
// Make sure the token is an appropriate type to be retrieving
|
|||
|
// the impersonation level from.
|
|||
|
//
|
|||
|
|
|||
|
if (Token->TokenType != TokenImpersonation) {
|
|||
|
|
|||
|
return STATUS_INVALID_INFO_CLASS;
|
|||
|
}
|
|||
|
|
|||
|
//
|
|||
|
// Return the length required now in case not enough buffer
|
|||
|
// was provided by the caller and we have to return an error.
|
|||
|
//
|
|||
|
|
|||
|
RequiredLength = (ULONG) sizeof(SECURITY_IMPERSONATION_LEVEL);
|
|||
|
|
|||
|
LocalImpersonationLevel = ExAllocatePool( PagedPool, RequiredLength );
|
|||
|
|
|||
|
if (LocalImpersonationLevel == NULL) {
|
|||
|
return( STATUS_INSUFFICIENT_RESOURCES );
|
|||
|
}
|
|||
|
|
|||
|
//
|
|||
|
// Return the impersonation level
|
|||
|
//
|
|||
|
|
|||
|
(*LocalImpersonationLevel) = Token->ImpersonationLevel;
|
|||
|
|
|||
|
return STATUS_SUCCESS;
|
|||
|
}
|
|||
|
|
|||
|
|
|||
|
case TokenStatistics:
|
|||
|
{
|
|||
|
PTOKEN_STATISTICS LocalStatistics;
|
|||
|
|
|||
|
LocalStatistics = (PTOKEN_STATISTICS)(*TokenInformation);
|
|||
|
|
|||
|
//
|
|||
|
// Gain exclusive access to the token.
|
|||
|
//
|
|||
|
|
|||
|
SepAcquireTokenReadLock( Token );
|
|||
|
|
|||
|
//
|
|||
|
// Return the length required now in case not enough buffer
|
|||
|
// was provided by the caller and we have to return an error.
|
|||
|
//
|
|||
|
|
|||
|
RequiredLength = (ULONG)sizeof( TOKEN_STATISTICS );
|
|||
|
|
|||
|
LocalStatistics = ExAllocatePool( PagedPool, RequiredLength );
|
|||
|
|
|||
|
if (LocalStatistics == NULL) {
|
|||
|
SepReleaseTokenReadLock( Token );
|
|||
|
return( STATUS_INSUFFICIENT_RESOURCES );
|
|||
|
}
|
|||
|
|
|||
|
//
|
|||
|
// Return the statistics
|
|||
|
//
|
|||
|
|
|||
|
LocalStatistics->TokenId = Token->TokenId;
|
|||
|
LocalStatistics->AuthenticationId = Token->AuthenticationId;
|
|||
|
LocalStatistics->ExpirationTime = Token->ExpirationTime;
|
|||
|
LocalStatistics->TokenType = Token->TokenType;
|
|||
|
LocalStatistics->ImpersonationLevel = Token->ImpersonationLevel;
|
|||
|
LocalStatistics->DynamicCharged = Token->DynamicCharged;
|
|||
|
LocalStatistics->DynamicAvailable = Token->DynamicAvailable;
|
|||
|
LocalStatistics->GroupCount = Token->UserAndGroupCount-1;
|
|||
|
LocalStatistics->PrivilegeCount = Token->PrivilegeCount;
|
|||
|
LocalStatistics->ModifiedId = Token->ModifiedId;
|
|||
|
|
|||
|
SepReleaseTokenReadLock( Token );
|
|||
|
return STATUS_SUCCESS;
|
|||
|
}
|
|||
|
|
|||
|
default:
|
|||
|
|
|||
|
return STATUS_INVALID_INFO_CLASS;
|
|||
|
}
|
|||
|
}
|