|
阅读:12230回复:1
关于创建安全描述符的代码
ULONG aclSize = 0;
PACL pAcl = NULL; //////////////////////////////////////////////////////////////////////////////////////////////////////////// //计算ACL的大小 aclSize = sizeof(ACL); aclSize += RtlLengthSid(SeExports->SeLocalSystemSid); aclSize += RtlLengthSid(SeExports->SeAliasAdminsSid); aclSize += RtlLengthSid(SeExports->SeWorldSid); aclSize += 3 * FIELD_OFFSET(ACCESS_ALLOWED_ACE, SidStart); //////////////////////////////////////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////////////////////////////////////// //为ACL分配内存 pAcl = (PACL)ExAllocatePool(PagedPool, aclSize); if (pAcl == NULL) return STATUS_INSUFFICIENT_RESOURCES; //////////////////////////////////////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////////////////////////////////////// //创建ACL RtlCreateAcl(pAcl, aclSize, ACL_REVISION); //////////////////////////////////////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////////////////////////////////////// //往ACL中添加ACE RtlAddAccessAllowedAce(pAcl,ACL_REVISION,GENERIC_READ|GENERIC_WRITE|DELETE, SeExports->SeLocalSystemSid); RtlAddAccessAllowedAce(pAcl,ACL_REVISION, GENERIC_READ|GENERIC_WRITE|DELETE, SeExports->SeAliasAdminsSid); RtlAddAccessAllowedAce(pAcl,ACL_REVISION, GENERIC_READ|GENERIC_WRITE,SeExports->SeWorldSid); //////////////////////////////////////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////////////////////////////////////// //创建并设置安全描述符 SECURITY_DESCRIPTOR pSD; RtlCreateSecurityDescriptor(&pSD, SECURITY_DESCRIPTOR_REVISION); RtlSetDaclSecurityDescriptor(&pSD, TRUE, pAcl, FALSE); //////////////////////////////////////////////////////////////////////////////////////////////////////////// |
|
|
沙发#
发布于:2008-12-30 17:08
Windows Driver Kit: Installable File System Drivers
SeExports The SeExports structure is a large external static SE_EXPORTS structure that defines a number of well-known security constants for privilege values and security identifiers. typedef struct _SE_EXPORTS { LUID SeCreateTokenPrivilege; LUID SeAssignPrimaryTokenPrivilege; LUID SeLockMemoryPrivilege; LUID SeIncreaseQuotaPrivilege; LUID SeUnsolicitedInputPrivilege; LUID SeTcbPrivilege; LUID SeSecurityPrivilege; LUID SeTakeOwnershipPrivilege; LUID SeLoadDriverPrivilege; LUID SeCreatePagefilePrivilege; LUID SeIncreaseBasePriorityPrivilege; LUID SeSystemProfilePrivilege; LUID SeSystemtimePrivilege; LUID SeProfileSingleProcessPrivilege; LUID SeCreatePermanentPrivilege; LUID SeBackupPrivilege; LUID SeRestorePrivilege; LUID SeShutdownPrivilege; LUID SeDebugPrivilege; LUID SeAuditPrivilege; LUID SeSystemEnvironmentPrivilege; LUID SeChangeNotifyPrivilege; LUID SeRemoteShutdownPrivilege; PSID SeNullSid; PSID SeWorldSid; PSID SeLocalSid; PSID SeCreatorOwnerSid; PSID SeCreatorGroupSid; PSID SeNtAuthoritySid; PSID SeDialupSid; PSID SeNetworkSid; PSID SeBatchSid; PSID SeInteractiveSid; PSID SeLocalSystemSid; PSID SeAliasAdminsSid; PSID SeAliasUsersSid; PSID SeAliasGuestsSid; PSID SeAliasPowerUsersSid; PSID SeAliasAccountOpsSid; PSID SeAliasSystemOpsSid; PSID SeAliasPrintOpsSid; PSID SeAliasBackupOpsSid; PSID SeAuthenticatedUsersSid; PSID SeRestrictedSid; PSID SeAnonymousLogonSid; LUID SeUndockPrivilege; LUID SeSyncAgentPrivilege; LUID SeEnableDelegationPrivilege; PSID SeLocalServiceSid; PSID SeNetworkServiceSid; LUID SeManageVolumePrivilege; LUID SeImpersonatePrivilege; LUID SeCreateGlobalPrivilege;} SE_EXPORTS, *PSE_EXPORTS;extern NTKERNELAPI PSE_EXPORTS SeExports;Members SeCreateTokenPrivilege The privilege that is required to create a primary access token. User-mode applications represent this privilege as the following user-right string: “Create a token object”. SeAssignPrimaryTokenPrivilege The privilege that is required to assign the primary token of a process. The privilege allows a parent process to replace the access token that is associated with a child process. User-mode applications represent this privilege as the following user-right string: “Replace a process-level token”. SeLockMemoryPrivilege The privilege that is required to lock physical pages in memory. This privilege allows a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on a disk. User-mode applications represent this privilege as the following user-right string: “Required to lock physical pages in memory”. SeIncreaseQuotaPrivilege The privilege that is required to increase the quota assigned to a process. The privilege allows a process that has access to a second process to increase the processor quota assigned to the second process. This privilege is useful for system tuning, but it can be abused. User-mode applications represent this privilege as the following user-right string: “Adjust memory quotas for a process”. SeUnsolicitedInputPrivilege The privilege that is required to read unsolicited input from a terminal device. This privilege is obsolete and unused. It has no effect on the system. SeTcbPrivilege The privilege that identifies its holder as part of the trusted computer base. Typically, only low-level authentication services require this privilege. Some trusted protected subsystems are granted this privilege. User-mode applications represent this privilege as the following user-right string: “Act as part of the operating system”. SeSecurityPrivilege The privilege that is required to perform a number of security-related functions, such as controlling and viewing audit messages. This privilege identifies its holder as a security operator. This privilege allows a user to specify object access auditing options for individual resources, including files, Active Directory objects, and Registry keys. A user who has this privilege can also view and clear the security log from Event Viewer. User-mode applications represent this privilege as the following user-right string: “Manage auditing and security log”. SeTakeOwnershipPrivilege The privilege that is required to take ownership of an object without being granted discretionary access. This privilege allows the user to take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads. This privilege allows the owner value to be set only to those values that the holder might legitimately assign as the owner of an object. User-mode applications represent this privilege as the following user-right string: “Take ownership of files or other objects”. SeLoadDriverPrivilege The privilege that is required to load or unload a device driver. This privilege allows a user to install and remove drivers for Plug and Play devices. This privilege is not required if a signed driver for the new hardware already exists in the Driver.cab file on the computer. User-mode applications represent this privilege as the following user-right string: “Load and unload device drivers”. SeCreatePagefilePrivilege The privilege that is required to create and change the size of a paging file. User-mode applications represent this privilege as the following user-right string: “Create a pagefile”. SeIncreaseBasePriorityPrivilege The privilege that is required to increase the base priority of a process. This privilege allows a user to increase the base priority class of a process. Increasing relative priority within a priority class is not a privileged operation and does not need this privilege. User-mode applications represent this privilege as the following user-right string: “Increase scheduling priority”. SeSystemProfilePrivilege The privilege that is required to gather profiling information for the entire system. The privilege allows a user to sample the performance of system processes. User-mode applications represent this privilege as the following user-right string: “Profile system performance”. SeSystemtimePrivilege The privilege that is required to modify the system time. This privilege allows the user to adjust the time on the computer's internal clock. This privilege is not required to change the time zone or other display characteristics of the system time. User-mode applications represent this privilege as the following user-right string: “Change the system time”. SeProfileSingleProcessPrivilege The privilege that is required to gather profiling information for a single process. The privilege allows a user to sample the performance of an application process. User-mode applications represent this privilege as the following user-right string: “Profile single process”. SeCreatePermanentPrivilege The privilege that is required to create a permanent object. This privilege allows a process to create a directory object in the object manager. This privilege is useful to kernel-mode components that extend the object namespace. Components that are running in kernel mode have this privilege inherently. User-mode applications represent this privilege as the following user-right string: “Create permanent shared objects”. SeBackupPrivilege The privilege that is required to perform backup operations. This privilege allows the user to circumvent file and directory permissions to back up the system. This privilege causes the system to grant all read access control to any file, regardless of the access control list (ACL) specified for the file. Any access request other than read is still evaluated with the ACL. This privilege is required by the user-mode RegSaveKey and RegSaveKeyEx routines. The following access rights are granted if this privilege is held: READ_CONTROL ACCESS_SYSTEM_SECURITY FILE_GENERIC_READ FILE_TRAVERSE User-mode applications represent this privilege as the following user-right string: “Back up files and directories”. SeRestorePrivilege The privilege that is required to perform restore operations. This privilege allows a user to circumvent file and directory permissions when restoring backed-up files and directories and to set any valid security principal as the owner of an object. This privilege causes the system to grant all write access control to any file, regardless of the ACL specified for the file. Any access request other than write is still evaluated with the ACL. Additionally, this privilege enables you to set any valid user or group SID as the owner of a file. This privilege is required by the user-mode RegLoadKey and RegUnLoadKey routines that add or remove a hive from the registry. The following access rights are granted if this privilege is held: WRITE_DAC WRITE_OWNER ACCESS_SYSTEM_SECURITY FILE_GENERIC_WRITE FILE_ADD_FILE FILE_ADD_SUBDIRECTORY DELETE User-mode applications represent this privilege as the following user-right string: “Restore files and directories”. SeShutdownPrivilege The privilege that is required to shut down a local system. User-mode applications represent this privilege as the following user-right string: “Shut down the system”. SeDebugPrivilege The privilege that is required to debug and adjust the memory of a process owned by another account. This privilege allows the user to attach a debugger to any process. This privilege provides access to sensitive and critical operating system components. User-mode applications represent this privilege as the following user-right string: “Debug programs”. SeAuditPrivilege The privilege that is required to generate audit-log entries in the security log. The security log can be used to trace unauthorized system access. This privilege should be given to secure servers. User-mode applications represent this privilege as the following user-right string: “Generate security audits”. SeSystemEnvironmentPrivilege The privilege required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information. User-mode applications represent this privilege as the following user-right string: “Modify firmware environment values”. SeChangeNotifyPrivilege The privilege that is required to receive notifications of changes to files or directories. This privilege allows the user to pass through folders to which the user otherwise has no access while navigating an object path in the NTFS file system or in the registry. This privilege does not allow the user to list the contents of a folder; it allows the user only to traverse its directories. This privilege causes the system to skip all traversal access checks. It is enabled by default for all users. User-mode applications represent this privilege as the following user-right string: “Bypass traverse checking”. SeRemoteShutdownPrivilege The privilege that is required to shut down a system by using a network request. This privilege allows a user to shut down a computer from a remote location on the network. User-mode applications represent this privilege as the following user-right string: “Force shutdown from a remote system”. SeNullSid The null SID. SeWorldSid The SID that matches everyone. SeLocalSid The local SID. SeCreatorOwnerSid The SID that matches the owner or creator of an object. This SID is used in inheritable access control entries (ACEs). SeCreatorGroupSid The SID that matches the creator group of an object. This SID is used in inheritable ACEs. SeNtAuthoritySid The SID for the Microsoft Windows NT authority. SeDialupSid The SID for a dial-up account. SeNetworkSid The SID for a network account. This SID is added to the process of a token when it logs on across a network. The corresponding logon type is LOGON32_LOGON_NETWORK. SeBatchSid The SID for a batch process. This SID is added to the process of a token when it logs on as a batch job. The corresponding logon type is LOGON32_LOGON_BATCH. SeInteractiveSid The SID for an interactive account. This SID is added to the process of a token when it logs on interactively. The corresponding logon type is LOGON32_LOGON_INTERACTIVE. SeLocalSystemSid The SID that matches the LocalSystem account, a predefined local account used by the Service Control Manager. This account is not recognized by the security subsystem. It has extensive privileges on the local computer and acts as the computer on the network. Its token includes the Windows NT AUTHORITY\SYSTEM and BUILTIN\Administrators SIDs; these accounts have access to most system objects. The name of the account in all locales is ".\LocalSystem". The name, "LocalSystem" or "ComputerName\LocalSystem" can also be used. This account does not have a password. A service that runs in the context of the LocalSystem account inherits the security context of the Service Control Manager. The account is not associated with any logged-on user account. The LocalSystem account has the following privileges: SE_ASSIGNPRIMARYTOKEN_NAME SE_AUDIT_NAME SE_BACKUP_NAME SE_CHANGE_NOTIFY_NAME SE_CREATE_PAGEFILE_NAME SE_CREATE_PERMANENT_NAME SE_CREATE_TOKEN_NAME SE_DEBUG_NAME SE_INC_BASE_PRIORITY_NAME SE_INCREASE_QUOTA_NAME SE_LOAD_DRIVER_NAME SE_LOCK_MEMORY_NAME SE_PROF_SINGLE_PROCESS_NAME SE_RESTORE_NAME SE_SECURITY_NAME SE_SHUTDOWN_NAME SE_SYSTEM_ENVIRONMENT_NAME SE_SYSTEM_PROFILE_NAME SE_SYSTEMTIME_NAME SE_TAKE_OWNERSHIP_NAME SE_TCB_NAME SE_UNDOCK_NAME Most services do not need such a high privilege level. If your service does not need these privileges, and it is not an interactive service, consider using the LocalService account or the NetworkService account. SeAliasAdminsSid The SID that matches the administrator account. SeAliasUsersSid The SID that matches built-in user accounts. SeAliasGuestsSid The SID that matches the guest account. SeAliasPowerUsersSid The SID that matches the power users group. SeAliasAccountOpsSid The SID that matches the account operators account. SeAliasSystemOpsSid The SID that matches the system operators group. SeAliasPrintOpsSid The SID that matches the print operators group. SeAliasBackupOpsSid The SID that matches the backup operators group. SeAuthenticatedUsersSid The SID that matches any authenticated user. SeRestrictedSid The SID for restricted code. SeAnonymousLogonSid The SID for the anonymous account. SeUndockPrivilege The privilege that is required to remove a computer from a docking station. This privilege allows the user of a portable computer to undock the computer by clicking Start, and then clicking Eject PC. SeSyncAgentPrivilege The privilege that is required to synchronize directory service data. This privilege allows a process to read all objects and properties in the directory, regardless of the protection that is set on the objects and properties. This privilege is required in order to use Lightweight Directory Access Protocol (LDAP) directory synchronization (Dirsync) services. This privilege is required for a domain controller to use the LDAP directory synchronization services. SeEnableDelegationPrivilege The privilege that is required to enable computer and user accounts to be trusted for delegation. SeLocalServiceSid The SID that matches the LocalService account, a predefined local account. The LocalService account has minimum privileges on the local computer and presents anonymous credentials on the network. The name of the account in all locales is "NT AUTHORITY\LocalService". This account does not have a password. The LocalService account has its own subkey under the HKEY_USERS registry key. Therefore, the HKEY_CURRENT_USER registry key is associated with the LocalService account. The LocalService account has the following privileges: SE_AUDIT_NAME SE_CHANGE_NOTIFY_NAME SE_UNDOCK_NAME Any privileges assigned to users and authenticated users The LocalService account is available on the Microsoft Windows XP and later operating systems. SeNetworkServiceSid The SID that matches the NetworkService account, a predefined local account. The NetworkService account has minimum privileges on the local computer and acts as the computer on the network. The name of the account in all locales is "NT AUTHORITY\NetworkService". This account does not have a password. A service that runs in the context of the NetworkService account presents the computer's credentials to remote servers. By default, the remote token contains SIDs for the Everyone and Authenticated Users groups. The NetworkService account has its own subkey under the HKEY_USERS registry key. Therefore, the HKEY_CURRENT_USER registry key is associated with the NetworkService account. The NetworkService account has the following privileges: SE_AUDIT_NAME SE_CHANGE_NOTIFY_NAME SE_UNDOCK_NAME Any privileges assigned to users and authenticated users The NetworkService account is available on Windows XP and later. SeManageVolumePrivilege The privilege that is required to allow a non-administrative or remote user to manage volumes or disks. The operating system checks for this privilege in a user's access token when a process running in the user's security context calls the user mode SetFileValidData routine. SeImpersonatePrivilege The privilege that is required to impersonate a user. This privilege is available on Windows 2000 with Service Pack 4 (SP4) and later. User-mode applications represent this privilege as the following user-right string: “Impersonate a client after authentication”. SeCreateGlobalPrivilege The privilege that is required for a user account to create global objects in a Terminal Services session. Note that users can still create session-specific objects without being assigned this user right. By default, this privilege is assigned to members of the Administrators group, the System account, and services that are started by the Service Control Manager. This privilege is available on Windows 2000 with Service Pack 4 and later. User-mode applications represent this privilege as the following user-right string: “Create Global Objects”. Comments SeExports is a large external static SE_EXPORTS structure exported by Ntoskrnl.exe. Requirements Headers: Declared in ntifs.h. Include ntifs.h. See Also LUID, SID APIScan Requirements Header: ntifs.h Function: SeExports |
|