2020-09-30 16:53:55 +02:00

891 lines
27 KiB
C++

//+----------------------------------------------------------------------------
//
// Job Scheduler Service
//
// Microsoft Windows
// Copyright (C) Microsoft Corporation, 1992 - 1996.
//
// File: getuser.cxx
//
// Contents: Get the identity of the logged in user.
//
// History: 19-Jun-96 EricB created
//
// Notes: This is for NT only since Win95 doesn't have security.
//
//-----------------------------------------------------------------------------
//
// Some NT header definitions conflict with some of the standard windows
// definitions. Thus, the project precompiled header can't be used.
//
extern "C" {
#include <nt.h> // NT definitions
#include <ntrtl.h> // NT runtime library definitions
#include <nturtl.h>
#include <ntlsa.h> // BUGBUG 254102
}
#include <windows.h>
#define SECURITY_WIN32 // needed by security.h
#include <security.h> // GetUserNameEx
#include <winbase.h> // SecureZeroMemory
#include <StrSafe.h>
#include <lmcons.h> // BUGBUG 254102
#include <defines.hxx> // BUGBUG 254102
#include <..\..\..\smdebug\smdebug.h>
#include <debug.hxx>
#include "globals.hxx"
#include <Wtsapi32.h>
const int SCH_BIGBUF_LEN = 256;
//
// Registry key/value for default shell.
//
#define SHELL_REGKEY L"Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon"
#define SHELL_REGVAL L"Shell"
#define DEFAULT_SHELL L"explorer.exe"
// This function is actually declared in proto.hxx. But including proto.hxx
// brings in alot of things we don't need. Just define it here to the includes
// simple.
//
HANDLE ImpersonateUser(HANDLE hUserToken, HANDLE hImpersonationToken);
// so's this one - here's to hoping that type-safe linkage works well...
HANDLE ImpersonateLoggedInUser(void);
BOOL StopImpersonating(HANDLE ThreadHandle, BOOL fCloseHandle);
// toggle to allow conditional compilation of fix for RAID 720688
// "old" method found user token for shell process (usually explorer.exe)
// "new" method uses Terminal Server functions
#define FIND_USER_WITH_TS
//+----------------------------------------------------------------------------
//
// Function: LogonSessionDataCleanup
//
// Synopsis: Close all open handles and free memory.
//
// Notes: **** Important ****
//
// No need to enter gcsLogonSessionInfoCritSection prior to
// calling this function since it is entered here.
//
//-----------------------------------------------------------------------------
void
LogonSessionDataCleanup(void)
{
EnterCriticalSection(gUserLogonInfo.CritSection);
if (gUserLogonInfo.ImpersonationThread != NULL)
{
CloseHandle(gUserLogonInfo.ImpersonationThread);
gUserLogonInfo.ImpersonationThread = NULL;
}
if (gUserLogonInfo.DomainUserName != NULL)
{
delete gUserLogonInfo.DomainUserName;
gUserLogonInfo.DomainUserName= NULL;
}
if (gUserLogonInfo.ShellToken)
{
CloseHandle(gUserLogonInfo.ShellToken);
gUserLogonInfo.ShellToken = NULL;
}
SecureZeroMemory(gUserLogonInfo.Sid, sizeof(gUserLogonInfo.Sid));
LeaveCriticalSection(gUserLogonInfo.CritSection);
}
//+----------------------------------------------------------------------------
//
// Function: ImpersonateUser
//
// Synopsis: Impersonate the user associated with the token.
//
// Arguments: [hUserToken] - Handle to the token to be impersonated.
// [ThreadHandle] - Handle to the thread that is to impersonate
// hUserToken. If this is NULL, the function opens a handle
// to the current thread.
//
// Returns: Handle to the thread that is impersonating hUserToken.
//
// Notes: BUGBUG : This code was taken from RAS. It is quite different
// than that in winlogon
// (windows\gina\winlogon\secutil.c).
//
//-----------------------------------------------------------------------------
HANDLE
ImpersonateUser(HANDLE hUserToken, HANDLE ThreadHandle)
{
NTSTATUS Status;
SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService;
OBJECT_ATTRIBUTES ObjectAttributes;
HANDLE ImpersonationToken;
BOOL ThreadHandleOpened = FALSE;
if (ThreadHandle == NULL)
{
//
// Get a handle to the current thread.
// Once we have this handle, we can set the user's impersonation
// token into the thread and remove it later even though we ARE
// the user for the removal operation. This is because the handle
// contains the access rights - the access is not re-evaluated
// at token removal time.
//
Status = NtDuplicateObject( NtCurrentProcess(), // Source process
NtCurrentThread(), // Source handle
NtCurrentProcess(), // Target process
&ThreadHandle, // Target handle
THREAD_SET_THREAD_TOKEN,// Access
0L, // Attributes
DUPLICATE_SAME_ATTRIBUTES);
if (!NT_SUCCESS(Status))
{
ERR_OUT("ImpersonateUser: NtDuplicateObject", Status);
return(NULL);
}
ThreadHandleOpened = TRUE;
}
//
// If the usertoken is NULL, there's nothing to do
//
if (hUserToken != NULL)
{
//
// hUserToken is a primary token - create an impersonation token
// version of it so we can set it on our thread
//
InitializeObjectAttributes(&ObjectAttributes,
NULL,
0L,
NULL,
// UserProcessData->NewThreadTokenSD);
NULL);
SecurityQualityOfService.Length = sizeof(SECURITY_QUALITY_OF_SERVICE);
SecurityQualityOfService.ImpersonationLevel = SecurityImpersonation;
SecurityQualityOfService.ContextTrackingMode =
SECURITY_DYNAMIC_TRACKING;
SecurityQualityOfService.EffectiveOnly = FALSE;
ObjectAttributes.SecurityQualityOfService = &SecurityQualityOfService;
Status = NtDuplicateToken(hUserToken,
TOKEN_IMPERSONATE | TOKEN_READ,
&ObjectAttributes,
FALSE,
TokenImpersonation,
&ImpersonationToken);
if (!NT_SUCCESS(Status))
{
ERR_OUT("ImpersonateUser: NtDuplicateToken", Status);
if (ThreadHandleOpened)
{
NtClose(ThreadHandle);
}
return(NULL);
}
//
// Set the impersonation token on this thread so we 'are' the user
//
Status = NtSetInformationThread(ThreadHandle,
ThreadImpersonationToken,
(PVOID)&ImpersonationToken,
sizeof(ImpersonationToken));
//
// We're finished with our handle to the impersonation token
//
NtClose(ImpersonationToken);
//
// Check we set the token on our thread ok
//
if (!NT_SUCCESS(Status))
{
ERR_OUT("ImpersonateUser: NTSetInformationThread", Status);
if (ThreadHandleOpened)
{
NtClose(ThreadHandle);
}
return(NULL);
}
}
return(ThreadHandle);
}
//+----------------------------------------------------------------------------
//
// Function: GetLoggedOnUser
//
// Synopsis: Called when a user logs in.
//
// Returns: None. Sets the global gUserLogonInfo.
//
// Notes: **** Important ****
//
// Caller must have entered the gcsLogonSessionInfoCritSection
// critical section for the duration of this call and continue
// to remain in this critical section for the lifetime use of
// the returned string.
//
// DO NOT attempt to dealloc the returned string! It is a
// pointer to global memory.
//
//-----------------------------------------------------------------------------
void
GetLoggedOnUser(void)
{
LPWSTR pwszLoggedOnUser;
DWORD cchName = 0;
DWORD dwErr = ERROR_SUCCESS;
if (gUserLogonInfo.DomainUserName != NULL)
{
//
// Already done.
//
return;
}
//
// Impersonate the logged in user.
//
if (ImpersonateLoggedInUser())
{
//
// Get the size of the user name string.
//
if (!GetUserNameEx(NameSamCompatible, NULL, &cchName))
{
dwErr = GetLastError();
if (dwErr != ERROR_MORE_DATA || cchName == 0)
{
StopImpersonating(gUserLogonInfo.ImpersonationThread, TRUE);
ERR_OUT("GetLoggedOnUser: GetUserName", dwErr);
return;
}
}
cchName++; // contrary to docs, cchName excludes the null
//
// Allocate the user name string buffer and get the user name.
//
pwszLoggedOnUser = new WCHAR[cchName * 2];
if (pwszLoggedOnUser != NULL)
{
if (!GetUserNameEx(NameSamCompatible, pwszLoggedOnUser, &cchName))
{
dwErr = GetLastError();
ERR_OUT("GetLoggedOnUser: GetUserName", dwErr);
delete pwszLoggedOnUser;
}
else
{
schDebugOut((DEB_ITRACE, "GetLoggedOnUser: got '%S'\n",
pwszLoggedOnUser));
cchName++; // contrary to docs, cchName excludes the null
//
// This name is in the format "domain\\user".
// Make a copy of the domain name right after it, so
// we end up with a single buffer in the format
// "domain\\user\0domain". Set up pointers into this
// buffer for all 3 parts of the name:
// domain
// user
// domain\user
//
gUserLogonInfo.DomainUserName = pwszLoggedOnUser;
WCHAR *pSlash = wcschr(pwszLoggedOnUser, L'\\');
schAssert(pSlash != NULL);
gUserLogonInfo.UserName = pSlash + 1;
DWORD cchDomain = (DWORD) (pSlash - pwszLoggedOnUser);
gUserLogonInfo.DomainName = pwszLoggedOnUser + cchName;
wcsncpy(gUserLogonInfo.DomainName, pwszLoggedOnUser, cchDomain);
gUserLogonInfo.DomainName[cchDomain] = L'\0';
schDebugOut((DEB_ITRACE, "GetLoggedOnUser: domain '%S', user '%S'\n",
gUserLogonInfo.DomainName, gUserLogonInfo.UserName));
}
}
else
{
ERR_OUT("GetLoggedOnUser", ERROR_OUTOFMEMORY);
}
//
// BUGBUG 254102 - Cache the logged-on user's SID, since
// LookupAccountName doesn't do it when offline.
// Remove this code when bug 254102 is fixed.
//
#define USER_TOKEN_STACK_BUFFER_SIZE \
(sizeof(TOKEN_USER) + sizeof(SID_AND_ATTRIBUTES) + MAX_SID_SIZE)
BYTE rgbTokenInformation[USER_TOKEN_STACK_BUFFER_SIZE];
TOKEN_USER * pTokenUser = (TOKEN_USER *)rgbTokenInformation;
DWORD cbReturnLength;
if (!GetTokenInformation(gUserLogonInfo.ShellToken,
TokenUser,
pTokenUser,
USER_TOKEN_STACK_BUFFER_SIZE,
&cbReturnLength))
{
schAssert(GetLastError() != ERROR_INSUFFICIENT_BUFFER);
CHECK_HRESULT(HRESULT_FROM_WIN32(GetLastError()));
SecureZeroMemory(gUserLogonInfo.Sid, sizeof(gUserLogonInfo.Sid));
}
else if (!CopySid(sizeof(gUserLogonInfo.Sid),
gUserLogonInfo.Sid,
pTokenUser->User.Sid))
{
schAssert(!"CopySid failed");
CHECK_HRESULT(HRESULT_FROM_WIN32(GetLastError()));
SecureZeroMemory(gUserLogonInfo.Sid, sizeof(gUserLogonInfo.Sid));
}
StopImpersonating(gUserLogonInfo.ImpersonationThread, FALSE);
}
}
//+----------------------------------------------------------------------------
//
// Function: StopImpersonating
//
// Synopsis: Stop impersonating.
//
// Notes: This code was taken from winlogon. Specifically:
// windows\gina\winlogon\secutil.c.
//
//-----------------------------------------------------------------------------
BOOL
StopImpersonating(HANDLE ThreadHandle, BOOL fCloseHandle)
{
NTSTATUS Status, IgnoreStatus;
HANDLE ImpersonationToken;
//
// Remove the user's token from our thread so we are 'ourself' again
//
ImpersonationToken = NULL;
Status = NtSetInformationThread(ThreadHandle,
ThreadImpersonationToken,
(PVOID)&ImpersonationToken,
sizeof(ImpersonationToken));
//
// We're finished with the thread handle
//
if (fCloseHandle)
{
IgnoreStatus = NtClose(ThreadHandle);
schAssert(NT_SUCCESS(IgnoreStatus));
}
if (!NT_SUCCESS(Status))
{
schDebugOut((DEB_ERROR,
"Failed to remove user impersonation token from SA service, " \
"status = 0x%lx", Status));
}
return(NT_SUCCESS(Status));
}
#ifdef FIND_USER_WITH_TS
//+----------------------------------------------------------------------------
//
// Function: ImpersonateLoggedInUser
//
// Synopsis: Impersonate the shell user.
//
// Returns: Handle to thread that's impersonating user
//
// Notes: **** Important ****
//
// Caller must have entered the gcsLogonSessionInfoCritSection
// critical section for the duration of this call.
//
// GLOBALS: sets gUserLogonInfo.ShellToken and gUserLogonInfo.ImpersonationThread
//
//-----------------------------------------------------------------------------
HANDLE
ImpersonateLoggedInUser(void)
{
if (gUserLogonInfo.ShellToken)
{
CloseHandle(gUserLogonInfo.ShellToken);
gUserLogonInfo.ShellToken = NULL;
}
DWORD sessionID;
sessionID = WTSGetActiveConsoleSessionId();
if (sessionID == 0xFFFFFFFF)
return NULL;
if (!WTSQueryUserToken(sessionID, &gUserLogonInfo.ShellToken))
return NULL;
if (gUserLogonInfo.ImpersonationThread)
CloseHandle(gUserLogonInfo.ImpersonationThread);
return (gUserLogonInfo.ImpersonationThread = ImpersonateUser(
gUserLogonInfo.ShellToken,
gUserLogonInfo.ImpersonationThread));
}
#else // #ifdef FIND_USER_WITH_TS
HANDLE GetShellProcessHandle(void);
PSYSTEM_PROCESS_INFORMATION GetSystemProcessInfo(void);
PSYSTEM_PROCESS_INFORMATION FindProcessByName(PSYSTEM_PROCESS_INFORMATION,
LPWSTR);
VOID FreeSystemProcessInfo(PSYSTEM_PROCESS_INFORMATION pProcessInfo);
//+----------------------------------------------------------------------------
//
// Function: GetShellProcessHandle
//
// Synopsis: Initialize & return the shell handle of the current logged
// on user, gUserLogonInfo.ShellHandle.
//
// Returns: ERROR_SUCCESS or an error code.
//
// Notes: **** Important ****
//
// Caller must have entered gUserLogonInfo.CriticalSection
// for the duration of this call and continue to remain in
// in it for the lifetime use of the returned handle.
//
// DO NOT close the returned handle. It is a global handle.
//
//-----------------------------------------------------------------------------
HANDLE
GetShellProcessHandle(void)
{
PSYSTEM_PROCESS_INFORMATION pSystemInfo, pProcessInfo;
WCHAR wszShellName[MAX_PATH + 1];
WCHAR * pwszShellName = wszShellName;
WCHAR * pwsz;
HKEY hReg = NULL;
HANDLE hProcess = NULL;
DWORD dwErr = ERROR_SUCCESS;
DWORD dwType;
DWORD dwSize;
//
// Get the shell process name. We will look for this
// to find out who the currently logged-on user is.
//
if (gUserLogonInfo.ShellHandle != NULL)
{
//
// Check if the handle is valid.
//
if (WaitForSingleObject(gUserLogonInfo.ShellHandle,
0) == WAIT_TIMEOUT)
{
//
// Still valid.
//
return(gUserLogonInfo.ShellHandle);
}
//
// Re-acquire handle.
//
CloseHandle(gUserLogonInfo.ShellHandle);
gUserLogonInfo.ShellHandle = NULL;
}
StringCchCopy(pwszShellName, MAX_PATH + 1, DEFAULT_SHELL);
if ((dwErr = RegOpenKeyEx(HKEY_LOCAL_MACHINE,
SHELL_REGKEY,
0,
KEY_READ,
&hReg)) == ERROR_SUCCESS)
{
dwSize = sizeof(wszShellName);
dwErr = RegQueryValueEx(hReg,
SHELL_REGVAL,
NULL,
&dwType,
(PBYTE)pwszShellName,
&dwSize);
RegCloseKey(hReg);
}
if (dwErr != ERROR_SUCCESS)
{
ERR_OUT("GetShellProcessHandle: RegQueryValueEx", dwErr);
return(NULL);
}
//
// Remove parameters from command line.
//
pwsz = pwszShellName;
while (*pwsz != L' ' && *pwsz != L'\0')
{
pwsz++;
}
*pwsz = L'\0';
//
// Get the process list.
//
pSystemInfo = GetSystemProcessInfo();
if (pSystemInfo == NULL)
{
return(NULL);
}
//
// See if wszShell is running.
//
pProcessInfo = FindProcessByName(pSystemInfo, pwszShellName);
if (pProcessInfo != NULL)
{
//
// Open the process.
//
hProcess = OpenProcess(PROCESS_ALL_ACCESS,
FALSE,
HandleToUlong(pProcessInfo->UniqueProcessId));
#if DBG == 1
if (hProcess == NULL)
{
ERR_OUT("GetShellProcessHandle: OpenProcess", GetLastError());
}
#endif
}
//
// Free resources.
//
FreeSystemProcessInfo(pSystemInfo);
//
// Return process handle.
//
return(gUserLogonInfo.ShellHandle = hProcess);
}
//+----------------------------------------------------------------------------
//
// Function: GetShellProcessToken
//
// Synopsis:
//
// Returns: ERROR_SUCCESS or an error code.
//
// Notes: **** Important ****
//
// Caller must have entered the gcsLogonSessionInfoCritSection
// critical section for the duration of this call and continue
// to remain in this critical section for the lifetime use of
// the returned handle.
//
// DO NOT close the returned handle. It is a global handle.
//
//-----------------------------------------------------------------------------
HANDLE
GetShellProcessToken(void)
{
HANDLE hProcess = GetShellProcessHandle();
if (hProcess == NULL)
{
return(NULL);
}
HANDLE hToken = gUserLogonInfo.ShellToken;
if (gUserLogonInfo.ShellToken == NULL)
{
if (OpenProcessToken(hProcess,
TOKEN_QUERY | TOKEN_DUPLICATE | TOKEN_ASSIGN_PRIMARY,
&hToken))
{
return(gUserLogonInfo.ShellToken = hToken);
}
else
{
ERR_OUT("GetShellProcessToken: OpenProcessToken", GetLastError());
return(NULL);
}
}
return gUserLogonInfo.ShellToken;
}
//+----------------------------------------------------------------------------
//
// Function: GetSystemProcessInfo
//
// Synopsis: Return a block containing information about all processes
// currently running in the system.
//
// Returns: A pointer to the system process information or NULL if it could
// not be allocated or retrieved.
//
//-----------------------------------------------------------------------------
PSYSTEM_PROCESS_INFORMATION
GetSystemProcessInfo(void)
{
#define SYSTEM_PROCESS_BUFFER_INCREMENT 4096
NTSTATUS Status = 0;
PUCHAR pBuffer;
DWORD cbBufferSize;
//
// Get the process list.
//
cbBufferSize = SYSTEM_PROCESS_BUFFER_INCREMENT;
pBuffer = (PUCHAR)LocalAlloc(LMEM_FIXED, cbBufferSize);
if (pBuffer == NULL)
{
ERR_OUT("GetSystemProcessInfo: LocalAlloc", GetLastError());
return(NULL);
}
for (;;)
{
Status = NtQuerySystemInformation(SystemProcessInformation,
pBuffer,
cbBufferSize,
NULL);
if (Status == STATUS_SUCCESS)
{
break;
}
else if (Status == STATUS_INFO_LENGTH_MISMATCH)
{
cbBufferSize += SYSTEM_PROCESS_BUFFER_INCREMENT;
PUCHAR pTempBuffer = (PUCHAR)LocalReAlloc(pBuffer, cbBufferSize, LMEM_MOVEABLE);
if (pTempBuffer == NULL)
{
LocalFree(pBuffer); // original handle is still valid; use it to free the memory
ERR_OUT("GetSystemProcessInfo: LocalReAlloc", GetLastError());
return(NULL);
}
pBuffer = pTempBuffer; // LocalReAlloc succeeded, so use the new handle now
}
else
{
break;
}
}
if (Status != STATUS_SUCCESS && pBuffer != NULL)
{
LocalFree(pBuffer);
pBuffer = NULL;
}
return (PSYSTEM_PROCESS_INFORMATION)pBuffer;
}
//+----------------------------------------------------------------------------
//
// Function: FindProcessByName
//
// Synopsis: Given a pointer returned by GetSystemProcessInfo(), find
// a process by name.
// Hydra modification: Only processes on the physical console
// session are included.
//
// Arguments: [pProcessInfo] - a pointer returned by GetSystemProcessInfo().
// [lpExeName] - a pointer to a Unicode string containing the
// process to be found.
//
// Returns: A pointer to the process information for the supplied
// process or NULL if it could not be found.
//
//-----------------------------------------------------------------------------
PSYSTEM_PROCESS_INFORMATION
FindProcessByName(PSYSTEM_PROCESS_INFORMATION pProcessInfo, LPWSTR lpExeName)
{
PUCHAR pLargeBuffer = (PUCHAR)pProcessInfo;
ULONG ulTotalOffset = 0;
//
// Look in the process list for lpExeName.
//
for (;;)
{
if (pProcessInfo->ImageName.Buffer != NULL)
{
schDebugOut((DEB_USER3, "FindProcessByName: process: %S (%d)\n",
pProcessInfo->ImageName.Buffer,
pProcessInfo->UniqueProcessId));
if (!_wcsicmp(pProcessInfo->ImageName.Buffer, lpExeName))
{
//
// Pick this process only if it's
// running on the physical console session
//
DWORD dwSessionId;
if (! ProcessIdToSessionId(
HandleToUlong(pProcessInfo->UniqueProcessId),
&dwSessionId))
{
schDebugOut((DEB_ERROR, "ProcessIdToSessionId FAILED, %lu\n",
GetLastError));
}
else if (dwSessionId == 0)
{
return pProcessInfo;
}
}
}
//
// Increment offset to next process information block.
//
if (!pProcessInfo->NextEntryOffset)
{
break;
}
ulTotalOffset += pProcessInfo->NextEntryOffset;
pProcessInfo = (PSYSTEM_PROCESS_INFORMATION)&pLargeBuffer[ulTotalOffset];
}
schDebugOut((DEB_ITRACE, "FindProcessByName: process %ws not found\n", lpExeName));
return NULL;
}
//+----------------------------------------------------------------------------
//
// Function: FreeSystemProcessInfo
//
// Synopsis: Free a buffer returned by GetSystemProcessInfo().
//
// Arguments: [pProcessInfo] - a pointer returned by GetSystemProcessInfo().
//
//-----------------------------------------------------------------------------
VOID
FreeSystemProcessInfo(PSYSTEM_PROCESS_INFORMATION pProcessInfo)
{
LocalFree(pProcessInfo);
}
//+----------------------------------------------------------------------------
//
// Function: ImpersonateLoggedInUser
//
// Synopsis: Impersonate the shell user.
//
// Returns:
//
// Notes: **** Important ****
//
// Caller must have entered the gcsLogonSessionInfoCritSection
// critical section for the duration of this call.
//
//-----------------------------------------------------------------------------
HANDLE
ImpersonateLoggedInUser(void)
{
BOOL fDuplicateToken;
//
// Open the impersonation token for the
// process we want to impersonate.
//
if (gUserLogonInfo.ImpersonationThread == NULL)
{
if (gUserLogonInfo.ShellHandle == NULL)
{
if (GetShellProcessHandle() == NULL)
{
return(NULL);
}
}
if (gUserLogonInfo.ShellToken == NULL)
{
if (GetShellProcessToken() == NULL)
{
return(NULL);
}
}
}
return(gUserLogonInfo.ImpersonationThread = ImpersonateUser(
gUserLogonInfo.ShellToken,
gUserLogonInfo.ImpersonationThread));
}
#endif // FIND_USER_WITH_TS