How to adjust the Ace of device object

gz1x — Wed, 10 Feb 2010 08:28:03 +0000

直接扔关键代码，不想写太多的说明，本来这些代码也只是副产品，眼尖的应该能看出来这些代码的来处和去处。

===============

PACCESS_ALLOWED_ACE
GetAceFromAcl(
    IN PACL Dacl,
    IN ULONG AceIndex
    )
/*++

Routine Description:

Arguments:

Return Value:

--*/

{
    USHORT i = 0;
    PACCESS_ALLOWED_ACE Ace = NULL;

    if (Dacl && AceIndex < Dacl->AceCount)
    {
        for (Ace = FirstAce(Dacl); i < AceIndex; Ace = NextAce(Ace))
        {
            if (Ace >= (PACCESS_ALLOWED_ACE)((PUCHAR)Dacl + Dacl->AclSize))
            {
                break;
            }

            ++ i;   
        }

        if (i == AceIndex)
        {
            return Ace;
        }
    }

    return NULL;
}

BOOLEAN
NmCheckDaclForGroupSid(
    IN PACL Dacl
    )
/*++

Routine Description:

Arguments:

Return Value:

--*/

{ 
    USHORT i = 0;
    USHORT gSidOffset, cSidOffset;
    BOOLEAN result = FALSE;
    PACCESS_ALLOWED_ACE pACE = NULL;
    SIZE_T retLong;

    if (g_GroupAce->Header.AceSize >= (USHORT)(sizeof(ACCESS_ALLOWED_ACE)))
    {
        gSidOffset = g_GroupAce->Header.AceSize -
              (USHORT)(sizeof(ACCESS_ALLOWED_ACE));  

        if (Dacl->AceCount)
        {
            do
            {
                pACE = GetAceFromAcl(Dacl, i);

                if (pACE)
                {
                    cSidOffset = pACE->Header.AceSize -
                          (USHORT)(sizeof(ACCESS_ALLOWED_ACE));

                    if (gSidOffset == cSidOffset)
                    {
                        retLong = RtlCompareMemory(
                            &(pACE->SidStart),
                            &(g_GroupAce->SidStart),
                            cSidOffset
                            );

                        result = (cSidOffset == retLong);

                        if (result == TRUE)
                        {
                            return result;
                        }
                    }
                 }

                 ++ i;

            } while (i < Dacl->AceCount);
        }
    }

    return result;
}

BOOLEAN
AddAceToAcl(
    IN PACL NewAcl,
    IN PACCESS_ALLOWED_ACE toAddAce
    )
/*++

Routine Description:

Arguments:

Return Value:

--*/

{ 
    USHORT i = 0;
    PACCESS_ALLOWED_ACE Ace = FirstAce(NewAcl);

    if (NewAcl && toAddAce)
    {
        if (NewAcl->AceCount)
        {
            for (NOTHING; i < NewAcl->AceCount; Ace = NextAce(Ace))
            {
                if (Ace >= (PACCESS_ALLOWED_ACE)((PUCHAR)NewAcl + NewAcl->AclSize))
                {
                    break;
                }

                ++ i;
            }
         }

         if ((PACCESS_ALLOWED_ACE)((PUCHAR)Ace + toAddAce->Header.AceSize) >
                        (PACCESS_ALLOWED_ACE)((PUCHAR)NewAcl + NewAcl->AclSize))
         {
             return FALSE;
         }
         else
         {
             NdisMoveMemory(
                 Ace,
                 toAddAce,
                 toAddAce->Header.AceSize
                 );

             NewAcl->AceCount = i + 1;
         }
    }

    return TRUE;
}

NDIS_STATUS
NmModifyDacl(
    IN PACL oldDacl,
    OUT PACL* NewDacl
    )
/*++

Routine Description:

Arguments:

Return Value:

--*/

{
    NDIS_STATUS result = NDIS_STATUS_SUCCESS;
    USHORT tSize;
    PACL tmpDacl = NULL;
    USHORT i = 0;
    PACCESS_DENIED_ACE pdACE = NULL;
    PACCESS_ALLOWED_ACE paACE = NULL;

    if (oldDacl)
    {
        tSize = oldDacl->AclSize + g_GroupAce->Header.AceSize;

        tmpDacl = (PACL)ExAllocatePoolWithTag(
            NonPagedPool,
            tSize,
            'dnTF'
            );
        if (tmpDacl)
        {
            tmpDacl->AclRevision = oldDacl->AclRevision;   
            tmpDacl->Sbz1 = oldDacl->Sbz1;
            tmpDacl->AceCount = 0;
            tmpDacl->AclSize = tSize;   
            tmpDacl->Sbz2 = oldDacl->Sbz2;

            if (oldDacl->AceCount)
            {
                do
                {
                    pdACE = (PACCESS_DENIED_ACE)GetAceFromAcl(
                        oldDacl,
                        i
                        );
                    if (pdACE->Header.AceType != ACCESS_DENIED_ACE_TYPE)
                    {
                        break;
                    }

                    AddAceToAcl(tmpDacl, (PACCESS_ALLOWED_ACE)pdACE);

                    ++ i;

                } while (i < oldDacl->AceCount);    
             }

             AddAceToAcl(tmpDacl, g_GroupAce);

             while(i < oldDacl->AceCount)
             {
                 paACE = GetAceFromAcl(oldDacl, i);

                 AddAceToAcl(tmpDacl, (PACCESS_ALLOWED_ACE)paACE);

                 ++ i;
             }

             *NewDacl= tmpDacl;
        }
    }   

    return result;
}

NDIS_STATUS
NmAddGroupAccessAce(
    IN PDEVICE_OBJECT DeviceObject
    )
/*++

Routine Description:

Arguments:

Return Value:

--*/

{
    NDIS_STATUS Status = NDIS_STATUS_SUCCESS;
    PSECURITY_DESCRIPTOR SecurityDescriptor = NULL;
    PSECURITY_DESCRIPTOR NewSecurityDescriptor = NULL;

    ULONG csize = sizeof(SECURITY_DESCRIPTOR);
    PACL NewDdcl = NULL;
    HANDLE Handle = NULL;
    BOOLEAN DaclPresent, DaclDefaulted;
    PACL Dacl = NULL;

    if (DeviceObject && g_GroupAce)
    {
        Status = ObOpenObjectByPointer(
            DeviceObject,
            OBJ_KERNEL_HANDLE,
            NULL,
            WRITE_DAC,
            0,
            0,
            &Handle
            );
        if (Status == NDIS_STATUS_SUCCESS)
        {
            SecurityDescriptor = DeviceObject->SecurityDescriptor;

            Status = RtlGetDaclSecurityDescriptor(
                SecurityDescriptor,
                &DaclPresent,
                &Dacl,
                &DaclDefaulted
                );
            if (Status == NDIS_STATUS_SUCCESS)
            {
                ASSERT(DaclPresent);
                ASSERT(Dacl != NULL);

                if (NmCheckDaclForGroupSid(Dacl) != TRUE)
                {
                    csize = RtlLengthSecurityDescriptor(SecurityDescriptor);

                    NewSecurityDescriptor = ExAllocatePoolWithTag(
                        NonPagedPool,
                        g_GroupAce->Header.AceSize + csize,
                        'dnTF'
                        );
                    if (NewSecurityDescriptor)
                    {
                        RtlCreateSecurityDescriptor(
                            NewSecurityDescriptor,
                            SECURITY_DESCRIPTOR_REVISION
                            );

                        Status = NmModifyDacl(
                            Dacl,
                            &NewDdcl
                            );
                        if (Status == NDIS_STATUS_SUCCESS)
                        {
                            Status = RtlSetDaclSecurityDescriptor(
                                NewSecurityDescriptor,
                                TRUE,
                                NewDdcl,
                                FALSE
                                );
                            if (Status == NDIS_STATUS_SUCCESS)
                            {
                                Status = ZwSetSecurityObject(
                                    Handle,
                                    DACL_SECURITY_INFORMATION,
                                    NewSecurityDescriptor
                                    );
                            }
                        }
                    }
                }
            }
        }

        if (Handle)
        {
            ZwClose(Handle);
        }

        if (NewSecurityDescriptor)
        {
            ExFreePoolWithTag(NewSecurityDescriptor, 'dnTF');
        }

        if (NewDdcl)
        {
            ExFreePoolWithTag(NewDdcl, 'dnTF');
        }
    }

    return Status;
}

===============

在RegisterDevice之后加上即可，对于g_GroupAce，这个查询注册表或者自己获取，这些都是因时而异。
我这里是需要从注册表读过来的，然后加上去的：

===============

PACCESS_ALLOWED_ACE g_GroupAce = NULL;

//...省略...

       InitializeObjectAttributes(
           &ObjectAttributes,
           RegistryPath,
           OBJ_CASE_INSENSITIVE,
           NULL,
           NULL
           );

       Status = ZwOpenKey(
           &hHandle,
           KEY_READ,
           &ObjectAttributes
           );
       if (Status == STATUS_SUCCESS)
       {
           RtlInitUnicodeString(&DestinationString, L"GroupSid");

           Status = ZwQueryValueKey(
               hHandle,
               &DestinationString,
               KeyValueFullInformation,
               0,
               0,
               &ResultLength
               );
           if (Status == STATUS_BUFFER_OVERFLOW ||
               Status == STATUS_BUFFER_TOO_SMALL)
           {
               pBuffer = (PKEY_VALUE_FULL_INFORMATION)ExAllocatePoolWithTag(
                   NonPagedPool,
                   ResultLength,
                   'dnTF'
                   );  
               if (pBuffer)
               {
                   Status = ZwQueryValueKey(
                       hHandle,
                       &DestinationString,
                       KeyValueFullInformation,
                       pBuffer,
                       ResultLength,
                       &ResultLength
                       );
                   if (Status == STATUS_SUCCESS)
                   {
                         g_GroupAce = (PACCESS_ALLOWED_ACE)ExAllocatePoolWithTag(
                              NonPagedPool,
                              pBuffer->DataLength + sizeof(ACCESS_ALLOWED_ACE),
                              'gamn'
                              );
                         if (g_GroupAce)
                         {
                              NdisZeroMemory(
                                  g_GroupAce,
                                  pBuffer->DataLength + sizeof(ACCESS_ALLOWED_ACE)
                                  );

                              g_GroupAce->Header.AceType = ACCESS_ALLOWED_ACE_TYPE;
                              g_GroupAce->Header.AceFlags = 0;
                              g_GroupAce->Header.AceSize =
                                   (USHORT)(pBuffer->DataLength +
                                   sizeof(ACCESS_ALLOWED_ACE));

                              g_GroupAce->Mask = SYNCHRONIZE |
                                   READ_CONTROL | FILE_READ_ATTRIBUTES |
                                   FILE_READ_DATA | FILE_READ_EA;

                              NdisMoveMemory(
                                  (PVOID)&(g_GroupAce->SidStart),
                                  (PVOID)((PUCHAR)pBuffer + pBuffer->DataOffset),
                                  pBuffer->DataLength
                                  );

//...省略...

===============

PS: 排版很麻烦，我改了半天。下篇把这个工程的真正精华部分放上来大家探讨。

Comments

2010年10月11日, Lewis writes: 你丫的，没下文了！

Copyright © 2008
This feed is for personal, non-commercial use only.
The use of this feed on other websites breaches copyright. If this content is not in your news reader, it makes the page you are viewing an infringement of the copyright. (Digital Fingerprint:
8e761b2ea8edc3ca311452b020051837)

随机日志

2010年05月12日 -- RdpDr.sys Bug Check 0X7E{0xC0000005}
2008年10月22日 -- 绕过主动防御的代码注入方法一点思考
2009年04月30日 -- Native Application之键盘处理
2009年12月27日 -- Symbian_S60_3rd_Application_Cracking_With_IDA_Remote_Debugger_Tutorial
2010年05月7日 -- IoRegisterDriverReinitialization 和IoRegisterBootDriverReinitialization
2009年04月26日 -- SoftRCE再次回归上线
2011年03月21日 -- QQplayer Memory Corruption Vulnerability
2010年01月12日 -- MS07-014调试手记
2010年04月21日 -- WinMount mou文件格式溢出漏洞分析
2009年05月15日 -- ActiveX 控件组件的Fuzz和利用

SoftRCE.net » GroupSid

How to adjust the Ace of device object

Comments

Related posts:

随机日志