Grant minimal access rights to the user associated with the process token.

rockihack 2017-02-26 22:59:21 +01:00
parent 153dc620c8
commit 6d69f0b547


@ -248,8 +248,7 @@ void setupSearchPaths()
// //
// Prevent memory dumps without admin privileges. // Prevent memory dumps without admin privileges.
// MiniDumpWriteDump function requires // MiniDumpWriteDump function requires PROCESS_QUERY_INFORMATION and PROCESS_VM_READ
// PROCESS_QUERY_INFORMATION and PROCESS_VM_READ
// see: https://msdn.microsoft.com/en-us/library/windows/desktop/ms680360%28v=vs.85%29.aspx // see: https://msdn.microsoft.com/en-us/library/windows/desktop/ms680360%28v=vs.85%29.aspx
// //
bool createWindowsDACL() bool createWindowsDACL()
@ -257,48 +256,62 @@ bool createWindowsDACL()
bool bSuccess = false; bool bSuccess = false;
#ifdef Q_OS_WIN #ifdef Q_OS_WIN
// Process token and user
HANDLE hToken = nullptr;
PTOKEN_USER pTokenUser = nullptr;
DWORD cbBufferSize = 0;
// Access control list // Access control list
PACL pACL = nullptr; PACL pACL = nullptr;
DWORD cbACL = 0; DWORD cbACL = 0;
// Security identifiers // Open the access token associated with the calling process
PSID pSIDAdmin = nullptr; if (!OpenProcessToken(
PSID pSIDSystem = nullptr; GetCurrentProcess(),
SID_IDENTIFIER_AUTHORITY SIDAuthNT = SECURITY_NT_AUTHORITY; TOKEN_QUERY,
&hToken
// Create a SID for the BUILTIN\Administrators group
if (!AllocateAndInitializeSid(
&SIDAuthNT,
2,
SECURITY_BUILTIN_DOMAIN_RID,
DOMAIN_ALIAS_RID_ADMINS,
0, 0, 0, 0, 0, 0,
&pSIDAdmin
)) { )) {
goto Cleanup; goto Cleanup;
} }
// Create a SID for the System group // Retrieve the token information in a TOKEN_USER structure
if (!AllocateAndInitializeSid( GetTokenInformation(
&SIDAuthNT, hToken,
1, TokenUser, // request for a TOKEN_USER structure
SECURITY_LOCAL_SYSTEM_RID, nullptr,
0, 0, 0, 0, 0, 0, 0, 0,
&pSIDSystem &cbBufferSize
);
pTokenUser = static_cast<PTOKEN_USER>(HeapAlloc(GetProcessHeap(), 0, cbBufferSize));
if (pTokenUser == nullptr) {
goto Cleanup;
}
if (!GetTokenInformation(
hToken,
TokenUser,
pTokenUser,
cbBufferSize,
&cbBufferSize
)) { )) {
goto Cleanup; goto Cleanup;
} }
if (!IsValidSid(pTokenUser->User.Sid)) {
goto Cleanup;
}
// Calculate the amount of memory that must be allocated for the DACL
cbACL = sizeof(ACL) cbACL = sizeof(ACL)
+ sizeof(ACCESS_ALLOWED_ACE) + GetLengthSid(pSIDAdmin) + sizeof(ACCESS_ALLOWED_ACE) + GetLengthSid(pTokenUser->User.Sid);
+ sizeof(ACCESS_ALLOWED_ACE) + GetLengthSid(pSIDSystem);
// Create and initialize an ACL
pACL = static_cast<PACL>(HeapAlloc(GetProcessHeap(), 0, cbACL)); pACL = static_cast<PACL>(HeapAlloc(GetProcessHeap(), 0, cbACL));
if (pACL == nullptr) { if (pACL == nullptr) {
goto Cleanup; goto Cleanup;
} }
// Initialize access control list
if (!InitializeAcl(pACL, cbACL, ACL_REVISION)) { if (!InitializeAcl(pACL, cbACL, ACL_REVISION)) {
goto Cleanup; goto Cleanup;
} }
@ -307,21 +320,13 @@ bool createWindowsDACL()
if (!AddAccessAllowedAce( if (!AddAccessAllowedAce(
pACL, pACL,
ACL_REVISION, ACL_REVISION,
SYNCHRONIZE | PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_TERMINATE, // protected process SYNCHRONIZE | PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_TERMINATE, // same as protected process
pSIDAdmin pTokenUser->User.Sid // pointer to the trustee's SID
)) {
goto Cleanup;
}
if (!AddAccessAllowedAce(
pACL,
ACL_REVISION,
PROCESS_ALL_ACCESS,
pSIDSystem
)) { )) {
goto Cleanup; goto Cleanup;
} }
// Update discretionary access control list // Set discretionary access control list
bSuccess = ERROR_SUCCESS == SetSecurityInfo( bSuccess = ERROR_SUCCESS == SetSecurityInfo(
GetCurrentProcess(), // object handle GetCurrentProcess(), // object handle
SE_KERNEL_OBJECT, // type of object SE_KERNEL_OBJECT, // type of object
@ -333,15 +338,15 @@ bool createWindowsDACL()
Cleanup: Cleanup:
if (pSIDAdmin != nullptr) {
FreeSid(pSIDAdmin);
}
if (pSIDSystem != nullptr) {
FreeSid(pSIDSystem);
}
if (pACL != nullptr) { if (pACL != nullptr) {
HeapFree(GetProcessHeap(), 0, pACL); HeapFree(GetProcessHeap(), 0, pACL);
} }
if (pTokenUser != nullptr) {
HeapFree(GetProcessHeap(), 0, pTokenUser);
}
if (hToken != nullptr) {
CloseHandle(hToken);
}
#endif #endif
return bSuccess; return bSuccess;