aboutsummaryrefslogtreecommitdiffstatshomepage
path: root/src/token.hpp
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--src/token.hpp152
1 files changed, 9 insertions, 143 deletions
diff --git a/src/token.hpp b/src/token.hpp
index 042cd2b..509a15c 100644
--- a/src/token.hpp
+++ b/src/token.hpp
@@ -5,17 +5,12 @@
#pragma once
-#include "error.hpp"
#include "handle.hpp"
-#include "os.hpp"
#include "sid.hpp"
#include <Windows.h>
#include <string>
-#include <unordered_map>
-#include <utility>
-#include <vector>
namespace token
{
@@ -29,153 +24,24 @@ namespace token
constexpr DWORD default_permissions = permissions::query();
// Current thread's primary impersonation token.
- Handle dumb() { return Handle{NULL}; }
+ inline Handle dumb() { return Handle{NULL}; }
Handle open_for_process(
const Handle& process,
- DWORD permissions = default_permissions)
- {
- HANDLE raw;
-
- if (!OpenProcessToken(process, permissions, &raw))
- error::raise("OpenProcessToken");
-
- return Handle{raw};
- }
+ DWORD permissions = default_permissions);
Handle open_for_current_process(
- DWORD permissions = default_permissions)
- {
- return open_for_process(Handle{GetCurrentProcess()}, permissions);
- }
-
- bool get_linked(Handle& token)
- {
- if (!os::is_vista_or_later())
- return false;
-
- auto type = TokenElevationTypeDefault;
- DWORD cb = 0;
-
- if (!GetTokenInformation(token, TokenElevationType, &type, sizeof(type), &cb))
- error::raise("GetTokenInformation");
-
- if (type != TokenElevationTypeLimited)
- return false;
-
- HANDLE raw;
-
- if (!GetTokenInformation(token, TokenLinkedToken, &raw, sizeof(raw), &cb))
- error::raise("GetTokenInformation");
-
- token = Handle{raw};
- return true;
- }
-
- Handle get_for_identification(const Handle& token)
- {
- HANDLE raw;
+ DWORD permissions = default_permissions);
- if (!DuplicateToken(token, SecurityIdentification, &raw))
- error::raise("DuplicateToken");
+ bool get_linked(Handle& token);
- return Handle{raw};
- }
+ Handle get_for_identification(const Handle& token);
- //
- // FUNCTION: query_integrity_level()
- //
- // RETURN VALUE: Returns the integrity level of the current process. It is
- // usually one of these values:
- //
- // SECURITY_MANDATORY_UNTRUSTED_RID (SID: S-1-16-0x0)
- // Means untrusted level. It is used by processes started by the
- // Anonymous group. Blocks most write access.
- //
- // SECURITY_MANDATORY_LOW_RID (SID: S-1-16-0x1000)
- // Means low integrity level. It is used by Protected Mode Internet
- // Explorer. Blocks write acess to most objects (such as files and
- // registry keys) on the system.
- //
- // SECURITY_MANDATORY_MEDIUM_RID (SID: S-1-16-0x2000)
- // Means medium integrity level. It is used by normal applications
- // being launched while UAC is enabled.
- //
- // SECURITY_MANDATORY_HIGH_RID (SID: S-1-16-0x3000)
- // Means high integrity level. It is used by administrative applications
- // launched through elevation when UAC is enabled, or normal
- // applications if UAC is disabled and the user is an administrator.
- //
- // SECURITY_MANDATORY_SYSTEM_RID (SID: S-1-16-0x4000)
- // Means system integrity level. It is used by services and other
- // system-level applications (such as Wininit, Winlogon, Smss, etc.)
- //
- DWORD query_integrity_level(const Handle& token)
- {
- DWORD cb = 0;
-
- if (!GetTokenInformation(token, TokenIntegrityLevel, NULL, 0, &cb))
- {
- switch (GetLastError())
- {
- case ERROR_INSUFFICIENT_BUFFER:
- break;
- default:
- error::raise("GetTokenInformation");
- }
- }
-
- std::vector<unsigned char> buf(cb);
- const auto token_level = reinterpret_cast<TOKEN_MANDATORY_LABEL*>(buf.data());
-
- if (!GetTokenInformation(token, TokenIntegrityLevel, token_level, cb, &cb))
- error::raise("GetTokenInformation");
-
- // Integrity Level SIDs are in the form of S-1-16-0xXXXX. (e.g.
- // S-1-16-0x1000 stands for low integrity level SID). There is one and
- // only one subauthority.
- return *GetSidSubAuthority(token_level->Label.Sid, 0);
- }
-
- std::wstring integrity_level_to_string(DWORD level)
- {
- static const std::unordered_map<DWORD, const wchar_t*> names =
- {
- {SECURITY_MANDATORY_UNTRUSTED_RID, L"Untrusted"},
- {SECURITY_MANDATORY_LOW_RID, L"Low"},
- {SECURITY_MANDATORY_MEDIUM_RID, L"Medium"},
- {SECURITY_MANDATORY_HIGH_RID, L"High"},
- {SECURITY_MANDATORY_SYSTEM_RID, L"System"},
- };
+ DWORD query_integrity_level(const Handle& token);
- static constexpr auto unknown_name = L"Unknown";
+ std::wstring integrity_level_to_string(DWORD);
- const auto it = names.find(level);
+ bool check_belongs(const Handle& token, const SidBuffer& sid);
- if (it == names.cend())
- return unknown_name;
-
- return it->second;
- }
-
- bool check_belongs(const Handle& token, const SidBuffer& sid)
- {
- BOOL b = FALSE;
-
- if (!CheckTokenMembership(token, const_cast<unsigned char*>(sid.data()), &b))
- error::raise("CheckTokenMembership");
-
- return b != FALSE;
- }
-
- bool query_elevation(const Handle& token)
- {
- TOKEN_ELEVATION elevation;
- DWORD cb = 0;
-
- if (!GetTokenInformation(token, TokenElevation, &elevation, sizeof(elevation), &cb))
- error::raise("GetTokenInformation");
-
- return elevation.TokenIsElevated != 0;
- }
+ bool query_elevation(const Handle& token);
}