无法使用 SetKernelObjectSecurity 将 ACE 添加到内核对象的 SACl
Unable to add ACE to SACl of Kernel Object using SetKernelObjectSecurity
编辑 1
这里我使用的文件句柄是system32目录下的一个DLL文件
我也尝试了以下操作:
- 使用
LABEL_SECURITY_INFORMATION 代替 SACL_SECURITY_INFORMATION
- 我尝试使用
hr = SetSecurityInfo(hFile, SE_KERNEL_OBJECT, LABEL_SECURITY_INFORMATION, NULL, NULL, NULL, pNewSACL); 来设置 SACl 而不是 SetSecurityDescriptorSacl 和 SetKernelObjectSecurity
原创
我正在尝试将 Audit ACE 添加到内核安全对象并删除所有现有的 ACE。因此,我能够通过参考文档和互联网上的其他帖子得出以下代码。最后,我能够 运行 SetKernelObjectSecurity 没有错误,但是当我再次尝试验证是否添加了 ACE 时,我看到 ACE 计数为 0。截至目前,我被困在这一点上。如果有人可以帮助我如何正确更改内核对象 SACl 中的 ACE,那就太好了。
谢谢。
这里是代码的简要概述:
- 可以看到有5个Section
- 第 1 部分:创建句柄
- 第 2 部分:获取内核对象安全性和 pOldSacl
- 第 3 部分:从旧 SACL 创建新 SACL
- 第 4 节:将 newSACL 添加到内核对象安全性
- 第 5 节:验证 SACL 是否已更新
- 除此之外还有 5 个
// NOTE 标签显示不同点的 A 计数值
代码如下:
void setAceAudit()
{
DWORD dwRes = 0;
PACL pOldSACL = NULL, pNewSACL = NULL;
PSECURITY_DESCRIPTOR pSS = NULL;
EXPLICIT_ACCESS ea;
HANDLE hFile = NULL;
// SECTION 1: Create handle
hFile = CreateFile2(filePath,
FILE_GENERIC_EXECUTE | FILE_GENERIC_READ | FILE_GENERIC_WRITE | READ_CONTROL | WRITE_OWNER | ACCESS_SYSTEM_SECURITY,
FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
OPEN_EXISTING,
nullptr);
if (hFile == INVALID_HANDLE_VALUE && GetLastError() == ERROR_ACCESS_DENIED)
{
// A directory will fail without FILE_FLAG_BACKUP_SEMANTICS.
CREATEFILE2_EXTENDED_PARAMETERS extendedParams = {
sizeof(CREATEFILE2_EXTENDED_PARAMETERS),
FILE_ATTRIBUTE_NORMAL,
FILE_FLAG_BACKUP_SEMANTICS,
0,
nullptr,
nullptr
};
hFile = CreateFile2(filePath,
FILE_GENERIC_EXECUTE | FILE_GENERIC_READ | FILE_GENERIC_WRITE | READ_CONTROL | WRITE_OWNER | ACCESS_SYSTEM_SECURITY,
FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
OPEN_EXISTING,
&extendedParams);
}
// SECTION 1: End
// SECTION 2: Get Kernel object security and pOldSacl
DWORD dwSize = 0;
HRESULT hr = S_OK;
if (!GetKernelObjectSecurity(hFile, LABEL_SECURITY_INFORMATION, pSS, dwSize, &dwSize))
{
DWORD dwError = GetLastError();
if (ERROR_INSUFFICIENT_BUFFER != dwError)
{
hr = HRESULT_FROM_WIN32(dwError);
}
else if (NULL == (pSS = (PSECURITY_DESCRIPTOR)LocalAlloc(LPTR, dwSize)))
{
hr = E_OUTOFMEMORY;
}
else if (!GetKernelObjectSecurity(hFile, LABEL_SECURITY_INFORMATION, pSS, dwSize, &dwSize))
{
hr = HRESULT_FROM_WIN32(GetLastError());
}
}
else
{
hr = E_UNEXPECTED;
}
VERIFY_ARE_EQUAL(hr, S_OK);
BOOL bSaclPresent = FALSE;
BOOL bSaclDefaulted = FALSE;
if (!GetSecurityDescriptorSacl(pSS, &bSaclPresent, &pOldSACL, &bSaclDefaulted))
{
hr = HRESULT_FROM_WIN32(GetLastError());
}
// SECTION 2: End
// SECTION 3: Create newSACL from oldSACL
ZeroMemory(&ea, sizeof(EXPLICIT_ACCESS));
ea.grfAccessPermissions = 0X11000000;
ea.grfAccessMode = SET_AUDIT_SUCCESS;
ea.grfInheritance = NO_PROPAGATE_INHERIT_ACE;
ea.Trustee.TrusteeForm = TRUSTEE_IS_NAME;
ea.Trustee.ptstrName = L"Administrator";
dwRes = SetEntriesInAcl(1, &ea, pOldSACL, &pNewSACL);
if (ERROR_SUCCESS != dwRes) {
LOG_OUTPUT(L"SetEntriesInAcl Error %lu %ld\n", dwRes, GetLastError());
return dwRes;
}
for (int ii = pNewSACL->AceCount - 1; ii >= 0; ii--)
{
PSYSTEM_MANDATORY_LABEL_ACE pAce = NULL; // Only access pAce->Header until checking AceType
if (!GetAce(pNewSACL, ii, (LPVOID*)&pAce))
{
VERIFY_ARE_EQUAL((DWORD)0, GetLastError());
}
DeleteAce(pNewSACL, ii);
}
PSID pIntegritySid = NULL;
BOOL fRet;
if (true)
{
fRet = ConvertStringSidToSidW(SDDL_ML_HIGH, &pIntegritySid);
}
else
{
fRet = ConvertStringSidToSidW(SDDL_ML_MEDIUM, &pIntegritySid);
}
VERIFY_IS_TRUE(fRet);
fRet = AddAuditAccessAce(pNewSACL, ACL_REVISION_DS, OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE, pIntegritySid, FALSE, FALSE);
VERIFY_IS_TRUE(fRet);
DWORD absSize = 0;
DWORD daclSize = 0;
DWORD saclSize = 0;
DWORD ownerSize = 0;
DWORD primGroupSize = 0;
fRet = MakeAbsoluteSD(pSS, NULL, &absSize, NULL, &daclSize, NULL, &saclSize, NULL, &ownerSize, NULL, &primGroupSize);
PSECURITY_DESCRIPTOR pSD = LocalAlloc(0, absSize);
fRet = MakeAbsoluteSD(pSS,
pSD, &absSize,
/*pSD->Dacl =*/ (PACL)LocalAlloc(0, daclSize), &daclSize,
/*pSD->Sacl =*/ (PACL)LocalAlloc(0, saclSize), &saclSize,
/*pSD->Owner =*/ (PSID)LocalAlloc(0, ownerSize), &ownerSize,
/*pSD->Group =*/ (PSID)LocalAlloc(0, primGroupSize), &primGroupSize);
// NOTE 1: Verified that ACE count is 1 in pNewSACL before inserting it
// SECTION 3: End
// SECTION 4: Add newSACL to kernel object security
if (!SetSecurityDescriptorSacl(pSD, TRUE, pNewSACL, FALSE))
{
DWORD dwError = GetLastError();
hr = HRESULT_FROM_WIN32(dwError);
}
// NOTE 2: Verified that new SACL in pSD has ACE count as 1 by using GetSecurityDescriptorSacl
if (!SetKernelObjectSecurity(hFile, SACL_SECURITY_INFORMATION, pSD))
{
// NOTE 3: Call flow doesn't go here so SetKernelObjectSecurity is success.
DWORD dwError = GetLastError();
hr = HRESULT_FROM_WIN32(dwError);
}
// SECTION 4: End
// SECTION 5: Validate if SACL is updated
// NOTE 4: Following code is to validate that ACE count is changed by using GetKernelObjectSecurity and GetSecurityDescriptorSacl but as in (NOTE 5) it is found to be 0
dwSize = 0;
PSECURITY_DESCRIPTOR pSD1 = NULL;
if (!GetKernelObjectSecurity(hFile, LABEL_SECURITY_INFORMATION, pSD1, dwSize, &dwSize))
{
DWORD dwError = GetLastError();
if (ERROR_INSUFFICIENT_BUFFER != dwError)
{
hr = HRESULT_FROM_WIN32(dwError);
}
else if (NULL == (pSD1 = (PSECURITY_DESCRIPTOR)LocalAlloc(LPTR, dwSize)))
{
hr = E_OUTOFMEMORY;
}
else if (!GetKernelObjectSecurity(hFile, LABEL_SECURITY_INFORMATION, pSD1, dwSize, &dwSize))
{
hr = HRESULT_FROM_WIN32(GetLastError());
}
}
else
{
// Should never get here, as dwSize was initialized to 0,
// so the call to GetKernelObjectSecurity should fail.
// Adding this to avoid Prefast/Prefix complaining that
// potential use of NULL pSD below.
hr = E_UNEXPECTED;
}
VERIFY_ARE_EQUAL(hr, S_OK);
PACL pSacl = NULL;
bSaclPresent = FALSE;
bSaclDefaulted = FALSE;
if (!GetSecurityDescriptorSacl(pSD1, &bSaclPresent, &pSacl, &bSaclDefaulted))
{
hr = HRESULT_FROM_WIN32(GetLastError());
}
VERIFY_ARE_EQUAL(hr, S_OK);
VERIFY_ARE_NOT_EQUAL(pSacl, (PACL)NULL);
VERIFY_ARE_EQUAL(bSaclPresent, (BOOL)true);
VERIFY_ARE_NOT_EQUAL(pSacl->AceCount, (WORD)0); // NOTE 5: ACE Count is 0
// SECTION 5: End
CloseHandle(hFile);
}
将 LABEL_SECURITY_INFORMATION 替换为 SACL_SECURITY_INFORMATION。
编辑 1
这里我使用的文件句柄是system32目录下的一个DLL文件
我也尝试了以下操作:
- 使用
LABEL_SECURITY_INFORMATION代替SACL_SECURITY_INFORMATION - 我尝试使用
hr = SetSecurityInfo(hFile, SE_KERNEL_OBJECT, LABEL_SECURITY_INFORMATION, NULL, NULL, NULL, pNewSACL);来设置 SACl 而不是SetSecurityDescriptorSacl和SetKernelObjectSecurity
原创
我正在尝试将 Audit ACE 添加到内核安全对象并删除所有现有的 ACE。因此,我能够通过参考文档和互联网上的其他帖子得出以下代码。最后,我能够 运行 SetKernelObjectSecurity 没有错误,但是当我再次尝试验证是否添加了 ACE 时,我看到 ACE 计数为 0。截至目前,我被困在这一点上。如果有人可以帮助我如何正确更改内核对象 SACl 中的 ACE,那就太好了。
谢谢。
这里是代码的简要概述:
- 可以看到有5个Section
- 第 1 部分:创建句柄
- 第 2 部分:获取内核对象安全性和 pOldSacl
- 第 3 部分:从旧 SACL 创建新 SACL
- 第 4 节:将 newSACL 添加到内核对象安全性
- 第 5 节:验证 SACL 是否已更新
- 除此之外还有 5 个
// NOTE标签显示不同点的 A 计数值
代码如下:
void setAceAudit()
{
DWORD dwRes = 0;
PACL pOldSACL = NULL, pNewSACL = NULL;
PSECURITY_DESCRIPTOR pSS = NULL;
EXPLICIT_ACCESS ea;
HANDLE hFile = NULL;
// SECTION 1: Create handle
hFile = CreateFile2(filePath,
FILE_GENERIC_EXECUTE | FILE_GENERIC_READ | FILE_GENERIC_WRITE | READ_CONTROL | WRITE_OWNER | ACCESS_SYSTEM_SECURITY,
FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
OPEN_EXISTING,
nullptr);
if (hFile == INVALID_HANDLE_VALUE && GetLastError() == ERROR_ACCESS_DENIED)
{
// A directory will fail without FILE_FLAG_BACKUP_SEMANTICS.
CREATEFILE2_EXTENDED_PARAMETERS extendedParams = {
sizeof(CREATEFILE2_EXTENDED_PARAMETERS),
FILE_ATTRIBUTE_NORMAL,
FILE_FLAG_BACKUP_SEMANTICS,
0,
nullptr,
nullptr
};
hFile = CreateFile2(filePath,
FILE_GENERIC_EXECUTE | FILE_GENERIC_READ | FILE_GENERIC_WRITE | READ_CONTROL | WRITE_OWNER | ACCESS_SYSTEM_SECURITY,
FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
OPEN_EXISTING,
&extendedParams);
}
// SECTION 1: End
// SECTION 2: Get Kernel object security and pOldSacl
DWORD dwSize = 0;
HRESULT hr = S_OK;
if (!GetKernelObjectSecurity(hFile, LABEL_SECURITY_INFORMATION, pSS, dwSize, &dwSize))
{
DWORD dwError = GetLastError();
if (ERROR_INSUFFICIENT_BUFFER != dwError)
{
hr = HRESULT_FROM_WIN32(dwError);
}
else if (NULL == (pSS = (PSECURITY_DESCRIPTOR)LocalAlloc(LPTR, dwSize)))
{
hr = E_OUTOFMEMORY;
}
else if (!GetKernelObjectSecurity(hFile, LABEL_SECURITY_INFORMATION, pSS, dwSize, &dwSize))
{
hr = HRESULT_FROM_WIN32(GetLastError());
}
}
else
{
hr = E_UNEXPECTED;
}
VERIFY_ARE_EQUAL(hr, S_OK);
BOOL bSaclPresent = FALSE;
BOOL bSaclDefaulted = FALSE;
if (!GetSecurityDescriptorSacl(pSS, &bSaclPresent, &pOldSACL, &bSaclDefaulted))
{
hr = HRESULT_FROM_WIN32(GetLastError());
}
// SECTION 2: End
// SECTION 3: Create newSACL from oldSACL
ZeroMemory(&ea, sizeof(EXPLICIT_ACCESS));
ea.grfAccessPermissions = 0X11000000;
ea.grfAccessMode = SET_AUDIT_SUCCESS;
ea.grfInheritance = NO_PROPAGATE_INHERIT_ACE;
ea.Trustee.TrusteeForm = TRUSTEE_IS_NAME;
ea.Trustee.ptstrName = L"Administrator";
dwRes = SetEntriesInAcl(1, &ea, pOldSACL, &pNewSACL);
if (ERROR_SUCCESS != dwRes) {
LOG_OUTPUT(L"SetEntriesInAcl Error %lu %ld\n", dwRes, GetLastError());
return dwRes;
}
for (int ii = pNewSACL->AceCount - 1; ii >= 0; ii--)
{
PSYSTEM_MANDATORY_LABEL_ACE pAce = NULL; // Only access pAce->Header until checking AceType
if (!GetAce(pNewSACL, ii, (LPVOID*)&pAce))
{
VERIFY_ARE_EQUAL((DWORD)0, GetLastError());
}
DeleteAce(pNewSACL, ii);
}
PSID pIntegritySid = NULL;
BOOL fRet;
if (true)
{
fRet = ConvertStringSidToSidW(SDDL_ML_HIGH, &pIntegritySid);
}
else
{
fRet = ConvertStringSidToSidW(SDDL_ML_MEDIUM, &pIntegritySid);
}
VERIFY_IS_TRUE(fRet);
fRet = AddAuditAccessAce(pNewSACL, ACL_REVISION_DS, OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE, pIntegritySid, FALSE, FALSE);
VERIFY_IS_TRUE(fRet);
DWORD absSize = 0;
DWORD daclSize = 0;
DWORD saclSize = 0;
DWORD ownerSize = 0;
DWORD primGroupSize = 0;
fRet = MakeAbsoluteSD(pSS, NULL, &absSize, NULL, &daclSize, NULL, &saclSize, NULL, &ownerSize, NULL, &primGroupSize);
PSECURITY_DESCRIPTOR pSD = LocalAlloc(0, absSize);
fRet = MakeAbsoluteSD(pSS,
pSD, &absSize,
/*pSD->Dacl =*/ (PACL)LocalAlloc(0, daclSize), &daclSize,
/*pSD->Sacl =*/ (PACL)LocalAlloc(0, saclSize), &saclSize,
/*pSD->Owner =*/ (PSID)LocalAlloc(0, ownerSize), &ownerSize,
/*pSD->Group =*/ (PSID)LocalAlloc(0, primGroupSize), &primGroupSize);
// NOTE 1: Verified that ACE count is 1 in pNewSACL before inserting it
// SECTION 3: End
// SECTION 4: Add newSACL to kernel object security
if (!SetSecurityDescriptorSacl(pSD, TRUE, pNewSACL, FALSE))
{
DWORD dwError = GetLastError();
hr = HRESULT_FROM_WIN32(dwError);
}
// NOTE 2: Verified that new SACL in pSD has ACE count as 1 by using GetSecurityDescriptorSacl
if (!SetKernelObjectSecurity(hFile, SACL_SECURITY_INFORMATION, pSD))
{
// NOTE 3: Call flow doesn't go here so SetKernelObjectSecurity is success.
DWORD dwError = GetLastError();
hr = HRESULT_FROM_WIN32(dwError);
}
// SECTION 4: End
// SECTION 5: Validate if SACL is updated
// NOTE 4: Following code is to validate that ACE count is changed by using GetKernelObjectSecurity and GetSecurityDescriptorSacl but as in (NOTE 5) it is found to be 0
dwSize = 0;
PSECURITY_DESCRIPTOR pSD1 = NULL;
if (!GetKernelObjectSecurity(hFile, LABEL_SECURITY_INFORMATION, pSD1, dwSize, &dwSize))
{
DWORD dwError = GetLastError();
if (ERROR_INSUFFICIENT_BUFFER != dwError)
{
hr = HRESULT_FROM_WIN32(dwError);
}
else if (NULL == (pSD1 = (PSECURITY_DESCRIPTOR)LocalAlloc(LPTR, dwSize)))
{
hr = E_OUTOFMEMORY;
}
else if (!GetKernelObjectSecurity(hFile, LABEL_SECURITY_INFORMATION, pSD1, dwSize, &dwSize))
{
hr = HRESULT_FROM_WIN32(GetLastError());
}
}
else
{
// Should never get here, as dwSize was initialized to 0,
// so the call to GetKernelObjectSecurity should fail.
// Adding this to avoid Prefast/Prefix complaining that
// potential use of NULL pSD below.
hr = E_UNEXPECTED;
}
VERIFY_ARE_EQUAL(hr, S_OK);
PACL pSacl = NULL;
bSaclPresent = FALSE;
bSaclDefaulted = FALSE;
if (!GetSecurityDescriptorSacl(pSD1, &bSaclPresent, &pSacl, &bSaclDefaulted))
{
hr = HRESULT_FROM_WIN32(GetLastError());
}
VERIFY_ARE_EQUAL(hr, S_OK);
VERIFY_ARE_NOT_EQUAL(pSacl, (PACL)NULL);
VERIFY_ARE_EQUAL(bSaclPresent, (BOOL)true);
VERIFY_ARE_NOT_EQUAL(pSacl->AceCount, (WORD)0); // NOTE 5: ACE Count is 0
// SECTION 5: End
CloseHandle(hFile);
}
将 LABEL_SECURITY_INFORMATION 替换为 SACL_SECURITY_INFORMATION。