// Windows/SecurityUtils.h
//
// Thin C++ wrappers over Win32 access-token and LSA policy handles.
// Both wrapper types own a raw handle and release it in their destructor.

#ifndef ZIP7_INC_WINDOWS_SECURITY_UTILS_H
#define ZIP7_INC_WINDOWS_SECURITY_UTILS_H

#include <NTSecAPI.h>

#include "Defs.h"

#ifndef _UNICODE

// Non-Unicode build: the three LSA entry points below are not called through
// the import table. POLICY_FUNC_CALL resolves them by name at run time from
// the module handle stored in CPolicy::hModule.
extern "C" {
typedef NTSTATUS (NTAPI *Func_LsaOpenPolicy)(PLSA_UNICODE_STRING SystemName,
    PLSA_OBJECT_ATTRIBUTES ObjectAttributes, ACCESS_MASK DesiredAccess, PLSA_HANDLE PolicyHandle);
typedef NTSTATUS (NTAPI *Func_LsaClose)(LSA_HANDLE ObjectHandle);
typedef NTSTATUS (NTAPI *Func_LsaAddAccountRights)(LSA_HANDLE PolicyHandle,
    PSID AccountSid, PLSA_UNICODE_STRING UserRights, ULONG CountOfRights );
// Same numeric value as STATUS_NOT_IMPLEMENTED; returned when the entry point
// cannot be resolved.
#define MY_STATUS_NOT_IMPLEMENTED ((NTSTATUS)0xC0000002L)
}

// Defined outside this header; presumably silences the function-pointer cast
// warning raised by Z7_GET_PROC_ADDRESS -- confirm against its definition.
Z7_DIAGNOSTIC_IGNORE_CAST_FUNCTION

// POLICY_FUNC_CALL(fff, str) -- non-Unicode variant.
// Expands to several statements inside a CPolicy member that returns NTSTATUS:
//   1. returns MY_STATUS_NOT_IMPLEMENTED from the enclosing function when
//      hModule is NULL;
//   2. looks up export `str` as a Func_<fff> pointer and returns
//      MY_STATUS_NOT_IMPLEMENTED when the lookup yields null;
//   3. begins `const NTSTATUS res = v`, so the parenthesised argument list the
//      caller writes right after the macro completes the call.
// Because it is not a single statement and can return early, it must not be
// used as the body of an unbraced if/else, and any state the caller updates
// after the macro is skipped on the early-return paths.
#define POLICY_FUNC_CALL(fff, str) \
  if (hModule == NULL) return MY_STATUS_NOT_IMPLEMENTED; \
  const Func_ ## fff v = Z7_GET_PROC_ADDRESS(Func_ ## fff, hModule, str); \
  if (!v) return MY_STATUS_NOT_IMPLEMENTED; \
  const NTSTATUS res = v

#else

// POLICY_FUNC_CALL(fff, str) -- Unicode variant.
// Begins `const NTSTATUS res = ::fff`; the argument list that follows the
// macro completes a direct call. `str` is not used here.
#define POLICY_FUNC_CALL(fff, str) \
  const NTSTATUS res = ::fff

#endif


namespace NWindows {
namespace NSecurity {

// Owns a Win32 access-token HANDLE and closes it on destruction.
//
// NOTE(review): no copy constructor or copy assignment is declared, so the
// compiler-generated ones copy _handle verbatim. Two copies would each call
// CloseHandle on the same value; the second close can hit a handle the process
// has since reused for another object. Keep instances as non-copied locals or
// members.
class CAccessToken
{
  HANDLE _handle;  // NULL means "no token open"
public:
  CAccessToken(): _handle(NULL) {}
  // The result of Close() is discarded here.
  ~CAccessToken() { Close(); }

  // Closes the token handle if one is held.
  // Returns true when nothing was open or CloseHandle succeeded. On failure
  // the stored handle is kept unchanged and false is returned.
  bool Close()
  {
    if (_handle == NULL)
      return true;
    bool res = BOOLToBool(::CloseHandle(_handle));
    if (res)
      _handle = NULL;
    return res;
  }

  // Opens the access token of processHandle with desiredAccess and stores it.
  // Any previously held token is closed first; the result of that Close() is
  // not checked. Returns the converted result of ::OpenProcessToken.
  // Request only the access rights the caller needs (for AdjustPrivileges the
  // Win32 API requires TOKEN_ADJUST_PRIVILEGES).
  bool OpenProcessToken(HANDLE processHandle, DWORD desiredAccess)
  {
    Close();
    return BOOLToBool(::OpenProcessToken(processHandle, desiredAccess, &_handle));
  }

  // Disabled code. As written it would not compile: the API name is
  // misspelled (OpenTreadToken) and anOpenAsSelf is not the parameter name.
  /*
  bool OpenThreadToken(HANDLE threadHandle, DWORD desiredAccess, bool openAsSelf)
  {
    Close();
    return BOOLToBool(::OpenTreadToken(threadHandle, desiredAccess, BoolToBOOL(anOpenAsSelf), &_handle));
  }
  */

  // Forwards all arguments to ::AdjustTokenPrivileges on the held token.
  // _handle is passed as-is; there is no check that a token is open.
  //
  // A true return does not prove the requested privileges are now enabled:
  // AdjustTokenPrivileges reports success even when it could not assign every
  // privilege, and signals that case only through GetLastError() ==
  // ERROR_NOT_ALL_ASSIGNED. Callers that depend on the privilege must check
  // GetLastError() == ERROR_SUCCESS immediately after a true return.
  bool AdjustPrivileges(bool disableAllPrivileges, PTOKEN_PRIVILEGES newState,
      DWORD bufferLength, PTOKEN_PRIVILEGES previousState, PDWORD returnLength)
    { return BOOLToBool(::AdjustTokenPrivileges(_handle, BoolToBOOL(disableAllPrivileges),
      newState, bufferLength, previousState, returnLength)); }

  // Same as above without capturing the previous state (buffer length 0 and
  // NULL output pointers), so the prior privilege state is not available for a
  // later restore.
  bool AdjustPrivileges(bool disableAllPrivileges, PTOKEN_PRIVILEGES newState)
    { return AdjustPrivileges(disableAllPrivileges, newState, 0, NULL, NULL); }

  // Applies newState with disableAllPrivileges = false.
  bool AdjustPrivileges(PTOKEN_PRIVILEGES newState)
    { return AdjustPrivileges(false, newState); }

};




// Owns an LSA policy handle and closes it on destruction.
//
// NOTE(review): as with CAccessToken, no copy operations are declared; a
// compiler-generated copy would lead to LsaClose being called twice on the
// same handle.
struct CPolicy
{
protected:
  LSA_HANDLE _handle;  // NULL means "no policy object open"
  #ifndef _UNICODE
  HMODULE hModule;     // advapi32.dll module handle, or NULL if it was not found
  #endif
public:
  // Exposes the raw handle; ownership stays with this object.
  operator LSA_HANDLE() const { return _handle; }

  CPolicy(): _handle(NULL)
  {
    #ifndef _UNICODE
    // GetModuleHandle does not load the DLL and does not add a reference; it
    // only returns a handle when advapi32.dll is already mapped into the
    // process. A NULL result makes every POLICY_FUNC_CALL user return
    // MY_STATUS_NOT_IMPLEMENTED.
    hModule = GetModuleHandle(TEXT("advapi32.dll"));
    #endif
  }

  // The NTSTATUS from Close() is discarded here.
  ~CPolicy() { Close(); }

  // Opens a policy object via LsaOpenPolicy and stores the handle.
  // Any handle already held is closed first; that status is not checked.
  // Returns the NTSTATUS of LsaOpenPolicy, or MY_STATUS_NOT_IMPLEMENTED in the
  // non-Unicode build when the entry point cannot be resolved.
  // desiredAccess should be limited to the policy rights the following calls
  // actually need.
  NTSTATUS Open(PLSA_UNICODE_STRING systemName, PLSA_OBJECT_ATTRIBUTES objectAttributes,
      ACCESS_MASK desiredAccess)
  {
    Close();
    POLICY_FUNC_CALL (LsaOpenPolicy, "LsaOpenPolicy")
      (systemName, objectAttributes, desiredAccess, &_handle);
    return res;
  }

  // Closes the policy handle if one is held.
  // Returns 0 when nothing was open. Otherwise returns the LsaClose status and
  // resets _handle to NULL whatever that status is. In the non-Unicode build,
  // an early return from POLICY_FUNC_CALL leaves _handle unchanged.
  NTSTATUS Close()
  {
    if (_handle == NULL)
      return 0;
    POLICY_FUNC_CALL (LsaClose, "LsaClose")
      (_handle);
    _handle = NULL;
    return res;
  }

  // Direct call to LsaEnumerateAccountsWithUserRight on the held handle. This
  // wrapper calls the API by name in both builds, not through
  // POLICY_FUNC_CALL. The buffer returned through enumerationBuffer is
  // allocated by LSA and is not freed here; the caller releases it with
  // LsaFreeMemory.
  NTSTATUS EnumerateAccountsWithUserRight(PLSA_UNICODE_STRING userRights,
      PLSA_ENUMERATION_INFORMATION *enumerationBuffer, PULONG countReturned)
    { return LsaEnumerateAccountsWithUserRight(_handle, userRights, (void **)enumerationBuffer, countReturned); }

  // Direct call to ::LsaEnumerateAccountRights for the account `sid`.
  // The array returned through userRights is allocated by LSA and is not freed
  // here; the caller releases it with LsaFreeMemory.
  NTSTATUS EnumerateAccountRights(PSID sid, PLSA_UNICODE_STRING* userRights, PULONG countOfRights)
    { return ::LsaEnumerateAccountRights(_handle, sid, userRights, countOfRights); }

  // Direct call to LsaLookupSids for `count` SIDs. Both output buffers are
  // allocated by LSA and are not freed here; the caller releases them with
  // LsaFreeMemory.
  NTSTATUS LookupSids(ULONG count, PSID* sids,
      PLSA_REFERENCED_DOMAIN_LIST* referencedDomains, PLSA_TRANSLATED_NAME* names)
    { return LsaLookupSids(_handle, count, sids, referencedDomains, names); }

  // Grants `countOfRights` user rights from `userRights` to `accountSid` via
  // LsaAddAccountRights. This changes the machine's security policy and the
  // change outlives the process, so call sites are worth auditing and logging.
  // Returns MY_STATUS_NOT_IMPLEMENTED in the non-Unicode build when the entry
  // point cannot be resolved.
  NTSTATUS AddAccountRights(PSID accountSid, PLSA_UNICODE_STRING userRights, ULONG countOfRights)
  {
    POLICY_FUNC_CALL (LsaAddAccountRights, "LsaAddAccountRights")
      (_handle, accountSid, userRights, countOfRights);
    return res;
  }

  // Grants exactly one right (countOfRights = 1).
  NTSTATUS AddAccountRights(PSID accountSid, PLSA_UNICODE_STRING userRights)
    { return AddAccountRights(accountSid, userRights, 1); }

  // Direct call to LsaRemoveAccountRights; allRights is converted to a
  // BOOLEAN TRUE/FALSE. Per the API documentation, TRUE removes every right of
  // the account and ignores userRights -- verify at call sites that this is
  // intended.
  NTSTATUS RemoveAccountRights(PSID accountSid, bool allRights, PLSA_UNICODE_STRING userRights, ULONG countOfRights)
    { return LsaRemoveAccountRights(_handle, accountSid, (BOOLEAN)(allRights ? TRUE : FALSE), userRights, countOfRights); }
};

// Declared here and defined elsewhere. Presumably grants the lock-memory
// privilege to the current account -- confirm against the definition.
bool AddLockMemoryPrivilege();

}}

#endif