Help with GetKernelObjectSecurity and SetKernelObjectSecurity functions

I have been working with Permissions.au3 posted by FredAI. One of the limitations of the include however is no GetKernelObjectSecurity and SetKernelObjectSecurity functions are provided.

I'd like to write a script where I can manage the discretionary access control list (DACL) of a process. According to http://www.tenouk.com/ModuleI3.html the aforementioned functions are used to manage process object type security.

As you can see by this code, I'm able to look up user/group SIDs and process PIDs and handles. The SID is necessary for creating a Security Descriptor string. The final script will need to be able to convert a security descriptor string to a security descriptor (when setting process permissions) and convert security descriptors to strings (when getting process permissions). It seems _ConvertSecurityDescriptorToStringSecurityDescriptor and _ConvertStringSecurityDescriptorToSecurityDescriptor in Permissions.au3 could be used for that.

#include <Security.au3>   ; supplies _Security__LookupAccountName (standard AutoIt UDF)

$Account = _Security__LookupAccountName("Everyone")
If IsArray($Account) Then
    _DisplayAccount(@ComputerName & "\Everyone", $Account)
EndIf
$DomainName = _DomainComputerBelongs()
If @ComputerName <> $DomainName Then
    ;ConsoleWrite("ComputerName: [" & @ComputerName & "]" & @LF)
    ;ConsoleWrite("Domain: [" & $DomainName & "]" & @LF)
    $Account = _Security__LookupAccountName($DomainName & "\Domain Users")
    If IsArray($Account) Then
        _DisplayAccount($DomainName & "\Domain Users", $Account)
    EndIf
EndIf
Local $handle = WinGetHandle("[CLASS:PROCEXPL]")
Local $pid = WinGetProcess("[CLASS:PROCEXPL]")
ConsoleWrite('Handle: ' & $handle & @CRLF)
ConsoleWrite('PID: ' & $pid & @CRLF)

; Prints the array returned by _Security__LookupAccountName and passes it back to the caller.
;Success:    Array with the following format:
;    $aAcct[0] - SID String
;    $aAcct[1] - Domain name
;    $aAcct[2] - SID type, which can be one of the following values:
;    1 - Indicates a user SID
;    2 - Indicates a group SID
;    3 - Indicates a domain SID
;    4 - Indicates an alias SID
;    5 - Indicates a SID for a well-known group
;    6 - Indicates a SID for a deleted account
;    7 - Indicates an invalid SID
;    8 - Indicates an unknown SID type
;    9 - Indicates a SID for a computer
;Failure:    Set @error
Func _DisplayAccount($user = "", $account = "")
    If IsArray($account) Then
        Local $i
        ConsoleWrite("[" & $user & "]" & @LF)
        For $i = 0 To 2
            ConsoleWrite($i & ": [" & $account[$i] & "]" & @LF)
        Next
        Return $account
    EndIf
    Return SetError(1, 0, 0)
EndFunc   ;==>_DisplayAccount

; Reads Win32_ComputerSystem.Domain through WMI; returns '' and sets @error if WMI is unavailable.
Func _DomainComputerBelongs($strComputer = "localhost")
    Local $Domain = ''
    Local $wbemFlagReturnImmediately = 0x10
    Local $wbemFlagForwardOnly = 0x20
    Local $objWMIService = ObjGet("winmgmts:\\" & $strComputer & "\root\CIMV2")
    If Not IsObj($objWMIService) Then Return SetError(1, 0, '')
    Local $colItems = $objWMIService.ExecQuery("SELECT * FROM Win32_ComputerSystem", "WQL", _
                                                $wbemFlagReturnImmediately + $wbemFlagForwardOnly)
    If IsObj($colItems) Then
        For $objItem In $colItems
            $Domain = $objItem.Domain
        Next
    EndIf
    Return $Domain
EndFunc   ;==>_DomainComputerBelongs

Here is my attempt at creating the necessary function for use with Permissions.au3:

; Reads the security descriptor of a kernel object; $handle needs READ_CONTROL access (plus
; ACCESS_SYSTEM_SECURITY for the SACL). Called twice: NULL buffer to get the size, then a real buffer.
Func _GetKernelObjectSecurity($handle, $iSecInfo = 0x4)   ; 0x4 = DACL_SECURITY_INFORMATION
    If $ResourcesState = 0 Then _InitiatePermissionResources()
    Local $aRet = DllCall($h__Advapi32Dll, "bool", "GetKernelObjectSecurity", _
                "handle", $handle, _
                "dword", $iSecInfo, _
                "ptr", 0, _
                "dword", 0, _
                "dword*", 0)
    If @error Then Return SetError(@error, 0, 0)
    If $aRet[5] = 0 Then Return SetError(1, 0, 0)   ; size query failed
    Local $tSD = DllStructCreate("byte[" & $aRet[5] & "]")
    $aRet = DllCall($h__Advapi32Dll, "bool", "GetKernelObjectSecurity", _
                "handle", $handle, _
                "dword", $iSecInfo, _
                "struct*", $tSD, _
                "dword", $aRet[5], _
                "dword*", 0)
    If @error Then Return SetError(@error, 0, 0)
    If $aRet[0] = 0 Then Return SetError(2, 0, 0)
    Return $tSD   ; pass DllStructGetPtr($tSD) to the string-conversion function
EndFunc ;==>_GetKernelObjectSecurity

I haven't been able to get this to work however.

I'm also unclear if GetSecurityInfo and SetSecurityInfo would also work for managing process security. Here is my attempt to incorporate those...

; Wrapper for GetSecurityInfo (advapi32). For a process handle $ObjectType is SE_KERNEL_OBJECT (6).
; The last five API parameters are out-parameters, so they are passed as "ptr*" and read back from
; the returned array: [4] owner SID, [5] group SID, [6] DACL, [7] SACL, [8] security descriptor.
; The descriptor in [8] must be released with LocalFree when no longer needed.
Func _GetSecurityInfo($handle, $ObjectType, $SecurityInfo)
        Local $call = DllCall($h__Advapi32Dll, "dword", "GetSecurityInfo", _
                        "handle", $handle, _
                        "int", $ObjectType, _
                        "dword", $SecurityInfo, _
                        "ptr*", 0, _
                        "ptr*", 0, _
                        "ptr*", 0, _
                        "ptr*", 0, _
                        "ptr*", 0)
        If @error Then Return SetError(@error, 0, 0)
        If $call[0] <> 0 Then Return SetError(1, $call[0], 0)   ; [0] is the Win32 error code
        Return $call
EndFunc   ;==>_GetSecurityInfo

; Wrapper for SetSecurityInfo; $SecurityInfo selects which parts (owner, group, DACL, SACL) to
; write and the matching pointer arguments must be valid. Returns True on success.
Func _SetSecurityInfo($handle, $ObjectType, $SecurityInfo, $psidOwner, $psidGroup, $pDacl, $pSacl)
        Local $call = DllCall($h__Advapi32Dll, "dword", "SetSecurityInfo", _
                        "handle", $handle, _
                        "int", $ObjectType, _
                        "dword", $SecurityInfo, _
                        "ptr", $psidOwner, _
                        "ptr", $psidGroup, _
                        "ptr", $pDacl, _
                        "ptr", $pSacl)
        If @error Then Return SetError(@error, 0, False)
        If $call[0] <> 0 Then Return SetError(1, $call[0], False)
        Return True
EndFunc   ;==>_SetSecurityInfo

At any rate, does anyone here have the expertise to help me create a working sample? The first obtaining the DACL of a given process and displaying it on the console as a string, the second actually setting a different DACL on that process using a security descriptor written as a string?

Thanks in advance!!

Edited by superg
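Added example, not from the post above or from Permissions.au3: a Python decoder for the SDDL string that _ConvertSecurityDescriptorToStringSecurityDescriptor returns. It covers the review side of the request (reading a process DACL as a string and understanding what each ACE grants) before a new descriptor is written back with the Set functions. The SDDL grammar and the PROCESS_* and standard-rights values are the documented Win32 constants; SAMPLE_SDDL is constructed for the demo, the well-known SID table is deliberately partial, and find_risky_aces applies an assumed review rule (write-like rights granted to a broad principal) rather than anything the API defines.

```python
"""SDDL DACL decoder for process security descriptors (added example).

Parses the string form that ConvertSecurityDescriptorToStringSecurityDescriptor
returns and names the PROCESS_* bits in each ACE.  Constants are the documented
winnt.h / sddl.h values; SAMPLE_SDDL at the bottom is constructed for the demo.
"""
import re
from dataclasses import dataclass

# Access-mask bits in display order: process-specific rights (winnt.h PROCESS_*),
# then the standard and generic rights every securable object shares.
ACCESS_BITS = {
    0x0001: "PROCESS_TERMINATE",          0x0002: "PROCESS_CREATE_THREAD",
    0x0004: "PROCESS_SET_SESSIONID",      0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",            0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",         0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA",          0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION",  0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION", 0x2000: "PROCESS_SET_LIMITED_INFORMATION",
    0x00010000: "DELETE",      0x00020000: "READ_CONTROL", 0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER", 0x00100000: "SYNCHRONIZE",
    0x10000000: "GENERIC_ALL", 0x20000000: "GENERIC_EXECUTE",
    0x40000000: "GENERIC_WRITE", 0x80000000: "GENERIC_READ",
}
# Two-letter SDDL rights tokens that may appear instead of a hex mask
SDDL_RIGHT_TOKENS = {"GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
                     "RC": 0x00020000, "SD": 0x00010000, "WD": 0x00040000, "WO": 0x00080000}
# Partial table of well-known SID abbreviations (sddl.h); unknown SIDs are kept verbatim
WELL_KNOWN_SIDS = {"BA": "BUILTIN\\Administrators", "BU": "BUILTIN\\Users",
                   "SY": "NT AUTHORITY\\SYSTEM", "WD": "Everyone",
                   "AU": "Authenticated Users", "IU": "Interactive", "AN": "Anonymous"}
ACE_TYPES = {"A": "ACCESS_ALLOWED", "D": "ACCESS_DENIED", "AU": "SYSTEM_AUDIT"}
# Assumed review rule: rights that let the holder alter the process (inject, tamper, re-ACL)
WRITE_LIKE = (0x0002 | 0x0008 | 0x0020 | 0x0040 | 0x0080 | 0x0800
              | 0x00040000 | 0x00080000 | 0x10000000 | 0x40000000)
BROAD_TRUSTEES = {"WD", "AU", "BU", "IU", "AN"}


@dataclass
class Ace:
    ace_type: str      # decoded type, e.g. ACCESS_ALLOWED
    flags: list        # inheritance/audit flags as two-letter SDDL tokens
    mask: int          # raw access mask
    trustee: str       # SID or abbreviation exactly as written in the string
    trustee_name: str  # friendly name when the abbreviation is known


def parse_rights(text):
    """'0x1fffff' -> 0x1fffff; 'GRGX' -> GENERIC_READ | GENERIC_EXECUTE."""
    if text.lower().startswith("0x"):
        return int(text, 16)
    if len(text) % 2:
        raise ValueError("malformed rights field: %r" % text)
    mask = 0
    for i in range(0, len(text), 2):
        mask |= SDDL_RIGHT_TOKENS[text[i:i + 2]]   # KeyError on an unknown token
    return mask


def parse_dacl(sddl):
    """Return (dacl_flags, [Ace, ...]) from the D: section of an SDDL string."""
    sections = {}
    for part in re.split(r"(?=[OGDS]:)", sddl):   # split in front of O: G: D: S:
        if part:
            key, _, value = part.partition(":")
            sections[key] = value
    body = sections.get("D", "")
    dacl_flags = body[:body.find("(")] if "(" in body else body   # e.g. "P", "AI"
    aces = []
    for fields in re.findall(r"\(([^)]*)\)", body):
        parts = fields.split(";")
        if len(parts) < 6:
            raise ValueError("malformed ACE: (%s)" % fields)
        ace_type, flags, rights, _obj_guid, _inherit_guid, sid = parts[:6]
        aces.append(Ace(ace_type=ACE_TYPES.get(ace_type, ace_type),
                        flags=[flags[i:i + 2] for i in range(0, len(flags), 2)],
                        mask=parse_rights(rights), trustee=sid,
                        trustee_name=WELL_KNOWN_SIDS.get(sid, sid)))
    return dacl_flags, aces


def decode_mask(mask):
    """Name every known bit in a process access mask; leftover bits are shown as hex."""
    names, remaining = [], mask
    for bit, name in ACCESS_BITS.items():
        if mask & bit:
            names.append(name)
            remaining &= ~bit
    if remaining:
        names.append("0x%X" % remaining)
    return names


def find_risky_aces(aces):
    """Allowed ACEs that hand write-like process rights to a broad principal."""
    return [(ace.trustee_name, decode_mask(ace.mask & WRITE_LIKE))
            for ace in aces
            if ace.ace_type == "ACCESS_ALLOWED" and ace.trustee in BROAD_TRUSTEES
            and ace.mask & WRITE_LIKE]


# Constructed sample: the usual SYSTEM / Administrators / owning-user full-access ACEs,
# plus one weak ACE that grants Everyone full access to the process.
SAMPLE_SDDL = ("O:BAG:SYD:(A;;0x1fffff;;;SY)(A;;0x1fffff;;;BA)"
               "(A;;0x1fffff;;;S-1-5-21-1000-2000-3000-1001)(A;;0x1fffff;;;WD)")

if __name__ == "__main__":
    flags, aces = parse_dacl(SAMPLE_SDDL)
    print("DACL flags:", flags or "(none)")
    for ace in aces:
        print("%-14s %-40s %s" % (ace.ace_type, ace.trustee_name, ", ".join(decode_mask(ace.mask))))
    for name, rights in find_risky_aces(aces):
        print("REVIEW: %s holds %s" % (name, ", ".join(rights)))
```

Note that 0x1fffff (PROCESS_ALL_ACCESS) sets bits 0x4000 and 0x8000 that have no PROCESS_* name, so decode_mask reports them as a hex remainder rather than silently dropping them; the same mechanism surfaces any right the table does not know.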