superg

Help with GetKernelObjectSecurity and SetKernelObjectSecurity functions


#1 ·  Posted (edited)

Hi,

I've been working with Permissions.au3 posted by FredAI. One of the limitations of the include however is that no GetKernelObjectSecurity and SetKernelObjectSecurity functions are provided.

I'd like to write a script where I can manage the discretionary access control list (DACL) of a process. According to http://www.tenouk.com/ModuleI3.html the aforementioned functions are used to manage process object type security.

As you can see by this code, I'm able to look up user/group SIDs and process PIDs and handles. The SID is necessary for creating a security descriptor string. The final script will need to be able to convert a security descriptor string to a security descriptor (when setting process permissions) and convert security descriptors to strings (when getting process permissions). It seems _ConvertSecurityDescriptorToStringSecurityDescriptor and _ConvertStringSecurityDescriptorToSecurityDescriptor in Permissions.au3 could be used for that.

#include <WinAPI.au3>
#include <Security.au3> ; _Security__LookupAccountName is defined in Security.au3, not WinAPI.au3

Global $Account = _Security__LookupAccountName("Everyone")
If IsArray($Account) Then
    _DisplayAccount(@ComputerName & "\Everyone", $Account)
EndIf
Global $DomainName = _DomainComputerBelongs()
If @ComputerName <> $DomainName Then
    ;ConsoleWrite("ComputerName: [" & @ComputerName & "]" & @LF)
    ;ConsoleWrite("Domain: [" & $DomainName & "]" & @LF)
    $Account = _Security__LookupAccountName($DomainName & "\Domain Users")
    If IsArray($Account) Then
        _DisplayAccount($DomainName & "\Domain Users", $Account)
    EndIf
EndIf
; Note: WinGetHandle returns a window handle (HWND), not a process handle.
; GetKernelObjectSecurity/SetKernelObjectSecurity need a process handle from OpenProcess.
Local $handle = WinGetHandle("[CLASS:PROCEXPL]")
Local $pid = WinGetProcess("[CLASS:PROCEXPL]")
ConsoleWrite('Handle: ' & $handle & @CRLF)
ConsoleWrite('PID: ' & $pid & @CRLF)

; Prints the array returned by _Security__LookupAccountName and passes it back to the caller.
Func _DisplayAccount($user = "", $account = "")
    If IsArray($account) Then
        Local $i
        ConsoleWrite("[" & $user & "]" & @LF)
        For $i = 0 To 2
            ConsoleWrite($i & ": [" & $account[$i] & "]" & @LF)
        Next
        Return $account
    EndIf
    ;Success:    Array with the following format:
    ;    $aAcct[0] - SID String
    ;    $aAcct[1] - Domain name
    ;    $aAcct[2] - SID type, which can be one of the following values:
    ;    1 - Indicates a user SID
    ;    2 - Indicates a group SID
    ;    3 - Indicates a domain SID
    ;    4 - Indicates an alias SID
    ;    5 - Indicates a SID for a well-known group
    ;    6 - Indicates a SID for a deleted account
    ;    7 - Indicates an invalid SID
    ;    8 - Indicates an unknown SID type
    ;    9 - Indicates a SID for a computer
    ;Failure:    Set @error
EndFunc   ;==>_DisplayAccount

; Returns the domain (or workgroup) name of $strComputer via WMI; '' and @error if WMI is unavailable.
Func _DomainComputerBelongs($strComputer = "localhost")
    Local $Domain = ''
    Local $wbemFlagReturnImmediately = 0x10
    Local $wbemFlagForwardOnly = 0x20

    Local $objWMIService = ObjGet("winmgmts:\\" & $strComputer & "\root\CIMV2")
    If Not IsObj($objWMIService) Then Return SetError(1, 0, '')
    Local $colItems = $objWMIService.ExecQuery("SELECT * FROM Win32_ComputerSystem", "WQL", _
            $wbemFlagReturnImmediately + $wbemFlagForwardOnly)
    If IsObj($colItems) Then
        For $objItem In $colItems
            $Domain = $objItem.Domain
        Next
    EndIf
    Return $Domain
EndFunc   ;==>_DomainComputerBelongs

Here is my attempt at creating the necessary function for use with Permissions.au3:

; $handle must be a process handle opened with at least READ_CONTROL (OpenProcess), not an HWND.
; Returns a DllStruct holding the self-relative security descriptor; DllStructGetPtr() of it is the PSECURITY_DESCRIPTOR.
Func _GetKernelObjectSecurity($handle)
    Local $SECURITY_INFORMATION = BitOR($DACL_SECURITY_INFORMATION, $OWNER_SECURITY_INFORMATION)
    If $ResourcesState = 0 Then _InitiatePermissionResources()
    ; First call with a NULL buffer only queries the size: it fails with ERROR_INSUFFICIENT_BUFFER
    ; and writes the required length to lpnLengthNeeded ($aRet[5]). The function name must have no trailing space.
    Local $aRet = DllCall($h__Advapi32Dll, "bool", "GetKernelObjectSecurity", _
                "handle", $handle, _
                "dword", $SECURITY_INFORMATION, _
                "ptr", 0, _
                "dword", 0, _
                "dword*", 0)
    If @error Or $aRet[5] = 0 Then Return SetError(1, 0, 0)
    ; Second call with a buffer of that size receives the descriptor
    Local $tSD = DllStructCreate("byte[" & $aRet[5] & "]")
    $aRet = DllCall($h__Advapi32Dll, "bool", "GetKernelObjectSecurity", _
                "handle", $handle, _
                "dword", $SECURITY_INFORMATION, _
                "struct*", $tSD, _
                "dword", $aRet[5], _
                "dword*", 0)
    If @error Or Not $aRet[0] Then Return SetError(2, 0, 0)
    Return $tSD
EndFunc ;==>_GetKernelObjectSecurity

I haven't been able to get this to work however.

I'm also unclear if GetSecurityInfo and SetSecurityInfo would also work for managing process security. Here is my attempt to incorporate those...

; Wrapper for GetSecurityInfo. For a process handle, $ObjectType is SE_KERNEL_OBJECT (6).
; Each $pp* argument is either 0 (not wanted) or the address of a pointer-sized variable
; (e.g. DllStructGetPtr of a "ptr" struct) that receives the result. The descriptor returned
; through $ppSecurityDescriptor is allocated by the API and must be released with LocalFree.
; Returns the DllCall array; $aRet[0] is the Win32 status (0 = ERROR_SUCCESS).
Func _GetSecurityInfo($handle, $ObjectType, $SecurityInfo, $ppsidOwner, $ppsidGroup, $ppDacl, $ppSacl, $ppSecurityDescriptor)
    Local $call = DllCall($h__Advapi32Dll, "dword", "GetSecurityInfo", _
            "handle", $handle, _
            "int", $ObjectType, _
            "dword", $SecurityInfo, _
            "ptr", $ppsidOwner, _
            "ptr", $ppsidGroup, _
            "ptr", $ppDacl, _
            "ptr", $ppSacl, _
            "ptr", $ppSecurityDescriptor)
    If @error Then Return SetError(@error, 0, 0)
    Return $call
EndFunc   ;==>_GetSecurityInfo

; Wrapper for SetSecurityInfo. Only the parts selected by $SecurityInfo are applied; the other
; pointers may be 0. Returns the Win32 status (0 = ERROR_SUCCESS); sets @error if the call itself fails.
Func _SetSecurityInfo($handle, $ObjectType, $SecurityInfo, $psidOwner, $psidGroup, $pDacl, $pSacl)
    Local $call = DllCall($h__Advapi32Dll, "dword", "SetSecurityInfo", _
            "handle", $handle, _
            "int", $ObjectType, _
            "dword", $SecurityInfo, _
            "ptr", $psidOwner, _
            "ptr", $psidGroup, _
            "ptr", $pDacl, _
            "ptr", $pSacl)
    If @error Then Return SetError(@error, 0, -1)
    Return $call[0]
EndFunc   ;==>_SetSecurityInfo

At any rate, does anyone here have the expertise to help me create a working sample? The first obtaining the DACL of a given process and displaying it on the console as a string, the second actually setting a different DACL on that process using a security descriptor written as a string?

Thanks in advance!!

Edited by superg
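An added, stand-alone AutoIt example (not from the post above and not part of Permissions.au3) that does both halves of what is asked on the script's own process: it reads the owner and DACL via the two-call GetKernelObjectSecurity pattern, converts the descriptor to SDDL, then parses that SDDL back and writes its DACL with SetKernelObjectSecurity (a harmless round trip). It assumes AutoIt 3.3.x DllCall types (handle, struct*, ptr*) and that the caller has READ_CONTROL/WRITE_DAC on the target process, which is the normal case for one's own process.

```autoit
; Constants declared here so the script needs no include files
Global Const $READ_CONTROL = 0x00020000, $WRITE_DAC = 0x00040000
Global Const $OWNER_SECURITY_INFORMATION = 0x1, $DACL_SECURITY_INFORMATION = 0x4
Global Const $SDDL_REVISION_1 = 1
Global $hAdvapi32 = DllOpen("advapi32.dll")
; Read this script's own process, then write the very same DACL back (round trip, nothing changes)
Local $sSDDL = _ProcessSecurityToSDDL(@AutoItPID)
ConsoleWrite("Owner + DACL as SDDL: " & $sSDDL & @CRLF)
ConsoleWrite("Re-applied via SetKernelObjectSecurity: " & _ProcessSetDaclFromSDDL(@AutoItPID, $sSDDL) & @CRLF)
DllClose($hAdvapi32)
; Returns the owner and DACL of process $iPid as an SDDL string ("" and @error on failure)
Func _ProcessSecurityToSDDL($iPid)
    Local $aProc = DllCall("kernel32.dll", "handle", "OpenProcess", "dword", $READ_CONTROL, "bool", False, "dword", $iPid)
    If @error Or Not $aProc[0] Then Return SetError(1, 0, "")
    Local $hProc = $aProc[0], $sOut = ""
    Local $iInfo = BitOR($OWNER_SECURITY_INFORMATION, $DACL_SECURITY_INFORMATION)
    ; 1st call with a NULL buffer fails with ERROR_INSUFFICIENT_BUFFER but reports the size needed in $aRet[5]
    Local $aRet = DllCall($hAdvapi32, "bool", "GetKernelObjectSecurity", "handle", $hProc, "dword", $iInfo, "ptr", 0, "dword", 0, "dword*", 0)
    If Not @error And $aRet[5] > 0 Then
        ; 2nd call fills a buffer of that size with a self-relative security descriptor
        Local $tSD = DllStructCreate("byte[" & $aRet[5] & "]")
        $aRet = DllCall($hAdvapi32, "bool", "GetKernelObjectSecurity", "handle", $hProc, "dword", $iInfo, "struct*", $tSD, "dword", $aRet[5], "dword*", 0)
        If Not @error And $aRet[0] Then
            ; Descriptor -> SDDL; the string is LocalAlloc'd by the API (pointer in $aStr[4]) and must be freed
            Local $aStr = DllCall($hAdvapi32, "bool", "ConvertSecurityDescriptorToStringSecurityDescriptorW", "struct*", $tSD, "dword", $SDDL_REVISION_1, "dword", $iInfo, "ptr*", 0, "dword*", 0)
            If Not @error And $aStr[0] Then
                $sOut = DllStructGetData(DllStructCreate("wchar[" & $aStr[5] & "]", $aStr[4]), 1)
                DllCall("kernel32.dll", "ptr", "LocalFree", "ptr", $aStr[4])
            EndIf
        EndIf
    EndIf
    DllCall("kernel32.dll", "bool", "CloseHandle", "handle", $hProc)
    If $sOut = "" Then Return SetError(2, 0, "")
    Return $sOut
EndFunc   ;==>_ProcessSecurityToSDDL
; Parses an SDDL string and applies only its DACL to process $iPid; returns True on success
Func _ProcessSetDaclFromSDDL($iPid, $sSDDL)
    Local $aProc = DllCall("kernel32.dll", "handle", "OpenProcess", "dword", $WRITE_DAC, "bool", False, "dword", $iPid)
    If @error Or Not $aProc[0] Then Return SetError(1, 0, False)
    Local $hProc = $aProc[0], $bOk = False
    ; SDDL -> self-relative descriptor, LocalAlloc'd by the API (pointer in $aSD[3])
    Local $aSD = DllCall($hAdvapi32, "bool", "ConvertStringSecurityDescriptorToSecurityDescriptorW", "wstr", $sSDDL, "dword", $SDDL_REVISION_1, "ptr*", 0, "dword*", 0)
    If Not @error And $aSD[0] Then
        Local $aRet = DllCall($hAdvapi32, "bool", "SetKernelObjectSecurity", "handle", $hProc, "dword", $DACL_SECURITY_INFORMATION, "ptr", $aSD[3])
        $bOk = (Not @error And $aRet[0] <> 0)
        DllCall("kernel32.dll", "ptr", "LocalFree", "ptr", $aSD[3])
    EndIf
    DllCall("kernel32.dll", "bool", "CloseHandle", "handle", $hProc)
    Return $bOk
EndFunc   ;==>_ProcessSetDaclFromSDDL
```

To target another process, pass its PID instead of @AutoItPID; the SDDL printed can be inspected with the usual ACE syntax (e.g. "D:(A;;0x1fffff;;;BA)") before any different string is applied.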
