Diffstat (limited to 'token.c')
-rw-r--r--token.c250
1 files changed, 250 insertions, 0 deletions
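diff --git a/token.c b/token.c
new file mode 100644
index 0000000..2f7e45b
--- /dev/null
+++ b/token.c
@@ -0,0 +1,250 @@
+/*
+ * Copyright (c) 2004 Security Architects Corporation. All rights reserved.
+ *
+ * Module Name:
+ *
+ * token.c
+ *
+ * Abstract:
+ *
+ * This module implements various token hooking routines.
+ * Token objects encapsulate the privileges and access rights of an agent
+ * (a thread or process).
+ *
+ * Author:
+ *
+ * Eugene Tsyrklevich 25-Mar-2004
+ *
+ * Revision History:
+ *
+ * None.
+ */
+
+
+#include "token.h"
+
+
+#ifdef ALLOC_PRAGMA
+#pragma alloc_text (INIT, InitTokenHooks)
+#endif
+
+
+fpZwAdjustPrivilegesToken OriginalNtAdjustPrivilegesToken = NULL;
+fpZwSetInformationToken OriginalNtSetInformationToken = NULL;
+
+
+
+/*
+ * HookedNtAdjustPrivilegesToken()
+ *
+ * Description:
+ * This function mediates the NtAdjustPrivilegesToken() system service and XXX.
+ *
+ * NOTE: ZwAdjustPrivilegesToken adjusts the attributes of the privileges in a token. [NAR]
+ *
+ * Parameters:
+ * Those of NtAdjustPrivilegesToken().
+ *
+ * Returns:
+ * STATUS_ACCESS_DENIED if the call does not pass the security policy check.
+ * Otherwise, NTSTATUS returned by NtAdjustPrivilegesToken().
+ */
+
+NTSTATUS
+NTAPI
+HookedNtAdjustPrivilegesToken
+(
+ IN HANDLE TokenHandle,
+ IN BOOLEAN DisableAllPrivileges,
+ IN PTOKEN_PRIVILEGES NewState,
+ IN ULONG BufferLength,
+ OUT PTOKEN_PRIVILEGES PreviousState OPTIONAL,
+ OUT PULONG ReturnLength
+)
+{
+ PCHAR FunctionName = "HookedNtAdjustPrivilegesToken";
+ PCHAR TOKENNAME = NULL; /* allow the use of POLICY_CHECK_OPTYPE_NAME() macro */
+ ULONG i;
+
+
+ HOOK_ROUTINE_ENTER();
+
+/*
+ if (LearningMode == FALSE && IsTokenModificationAllowed() == FALSE)
+ {
+ LOG(LOG_SS_TOKEN, LOG_PRIORITY_DEBUG, ("%d (%S) HookedNtAdjustPrivilegesToken: disallowing token modification\n", (ULONG) PsGetCurrentProcessId(), GetCurrentProcessName()));
+
+ LogAlert(ALERT_SS_TOKEN, OP_MODIFY, ALERT_RULE_NONE, ACTION_DENY, ALERT_PRIORITY_MEDIUM, NULL, 0, NULL);
+
+ HOOK_ROUTINE_EXIT( STATUS_ACCESS_DENIED );
+ }
+*/
+ if (LearningMode == FALSE)
+ {
+ POLICY_CHECK_OPTYPE_NAME(TOKEN, OP_TOKEN_MODIFY);
+ }
+
+
+ if (KeGetPreviousMode() != KernelMode && DisableAllPrivileges == FALSE && ARGUMENT_PRESENT(NewState))
+ {
+ BOOLEAN CaughtException;
+
+ __try
+ {
+ // Probe to make sure the first ULONG (PrivilegeCount) is accessible
+ ProbeForRead(NewState, sizeof(ULONG), sizeof(ULONG));
+
+ // Now probe the entire structure
+ ProbeForRead(NewState, sizeof(TOKEN_PRIVILEGES) +
+ (NewState->PrivilegeCount - ANYSIZE_ARRAY) * sizeof(LUID_AND_ATTRIBUTES),
+ sizeof(ULONG));
+ }
+
+ __except(EXCEPTION_EXECUTE_HANDLER)
+ {
+ NTSTATUS status = GetExceptionCode();
+
+ LOG(LOG_SS_TOKEN, LOG_PRIORITY_DEBUG, ("HookedNtAdjustPrivilegesToken(): caught an exception. status = 0x%x\n", status));
+
+ CaughtException = TRUE;
+ }
+
+
+ LOG(LOG_SS_TOKEN, LOG_PRIORITY_VERBOSE, ("%d HookedNtAdjustPrivilegesToken: %S\n", (ULONG) PsGetCurrentProcessId(), GetCurrentProcessName()));
+
+
+ //XXX replace with PID lookup
+/*
+ if (CaughtException == FALSE &&
+ wcsstr(GetCurrentProcessName(), L"svchost.exe") == 0 &&
+ wcsstr(GetCurrentProcessName(), L"services.exe") == 0)
+ {
+ LOG(LOG_SS_TOKEN, LOG_PRIORITY_DEBUG, ("%d HookedNtAdjustPrivilegesToken\n", (ULONG) PsGetCurrentProcessId()));
+
+ for (i = 0; i < NewState->PrivilegeCount; i++)
+ {
+ if (NewState->Privileges[i].Luid.LowPart == SE_AUDIT_PRIVILEGE && NewState->Privileges[i].Luid.HighPart == 0)
+ ;
+ else
+ KdPrint(("priv %d: %x %x %x\n", i, NewState->Privileges[i].Attributes, NewState->Privileges[i].Luid.LowPart, NewState->Privileges[i].Luid.HighPart));
+ }
+ }
+*/
+ }
+
+
+ ASSERT(OriginalNtAdjustPrivilegesToken);
+
+ rc = OriginalNtAdjustPrivilegesToken(TokenHandle, DisableAllPrivileges, NewState, BufferLength,
+ PreviousState, ReturnLength);
+
+
+ if (LearningMode == TRUE)
+ {
+ AddRule(RULE_TOKEN, NULL, OP_TOKEN_MODIFY);
+ }
+
+ HOOK_ROUTINE_EXIT(rc);
+}
+
+
+
+/*
+ * HookedNtSetInformationToken()
+ *
+ * Description:
+ * This function mediates the NtSetInformationToken() system service and XXX.
+ *
+ * NOTE: ZwSetInformationToken sets information affecting a token object. [NAR]
+ *
+ * Parameters:
+ * Those of NtSetInformationToken().
+ *
+ * Returns:
+ * STATUS_ACCESS_DENIED if the call does not pass the security policy check.
+ * Otherwise, NTSTATUS returned by NtSetInformationToken().
+ */
+
+NTSTATUS
+NTAPI
+HookedNtSetInformationToken
+(
+ IN HANDLE TokenHandle,
+ IN TOKEN_INFORMATION_CLASS TokenInformationClass,
+ IN PVOID TokenInformation,
+ IN ULONG TokenInformationLength
+)
+{
+ PCHAR FunctionName = "HookedNtSetInformationToken";
+ PCHAR TOKENNAME = NULL; /* allow the use of POLICY_CHECK_OPTYPE_NAME() macro */
+
+
+ HOOK_ROUTINE_ENTER();
+
+
+ LOG(LOG_SS_TOKEN, LOG_PRIORITY_VERBOSE, ("%d HookedNtSetInformationToken %S %x %x %x\n", (ULONG) PsGetCurrentProcessId(), GetCurrentProcessName(), TokenInformationClass, TokenInformation, TokenInformationLength));
+
+/*
+ if (LearningMode == FALSE && IsTokenModificationAllowed() == FALSE)
+ {
+ LOG(LOG_SS_TOKEN, LOG_PRIORITY_DEBUG, ("%d (%S) HookedNtSetInformationToken: disallowing token modification\n", (ULONG) PsGetCurrentProcessId(), GetCurrentProcessName()));
+
+ LogAlert(ALERT_SS_TOKEN, OP_MODIFY, ALERT_RULE_NONE, ACTION_DENY, ALERT_PRIORITY_MEDIUM, NULL, 0, NULL);
+
+ HOOK_ROUTINE_EXIT( STATUS_ACCESS_DENIED );
+ }
+*/
+ if (LearningMode == FALSE)
+ {
+ POLICY_CHECK_OPTYPE_NAME(TOKEN, OP_TOKEN_MODIFY);
+ }
+
+
+ ASSERT(OriginalNtSetInformationToken);
+
+ rc = OriginalNtSetInformationToken(TokenHandle, TokenInformationClass, TokenInformation, TokenInformationLength);
+
+
+ if (LearningMode == TRUE)
+ {
+ AddRule(RULE_TOKEN, NULL, OP_TOKEN_MODIFY);
+ }
+
+ HOOK_ROUTINE_EXIT(rc);
+}
+
+
+
+/*
+ * InitTokenHooks()
+ *
+ * Description:
+ * Initializes all the mediated token object operation pointers. The "OriginalFunction" pointers
+ * are initialized by InstallSyscallsHooks() that must be called prior to this function.
+ *
+ * NOTE: Called once during driver initialization (DriverEntry()).
+ *
+ * Parameters:
+ * None.
+ *
+ * Returns:
+ * TRUE to indicate success, FALSE if failed.
+ */
+
+BOOLEAN
+InitTokenHooks()
+{
+ if ( (OriginalNtAdjustPrivilegesToken = (fpZwAdjustPrivilegesToken) ZwCalls[ZW_ADJUST_TOKEN_INDEX].OriginalFunction) == NULL)
+ {
+ LOG(LOG_SS_TOKEN, LOG_PRIORITY_DEBUG, ("InitTokenHooks: OriginalNtAdjustPrivilegesToken is NULL\n"));
+ return FALSE;
+ }
+
+ if ( (OriginalNtSetInformationToken = (fpZwSetInformationToken) ZwCalls[ZW_SET_INFO_TOKEN_INDEX].OriginalFunction) == NULL)
+ {
+ LOG(LOG_SS_TOKEN, LOG_PRIORITY_DEBUG, ("InitTokenHooks: OriginalNtSetInformationToken is NULL\n"));
+ return FALSE;
+ }
+
+ return TRUE;
+}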
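Review bot: The second ProbeForRead in HookedNtAdjustPrivilegesToken (the `sizeof(TOKEN_PRIVILEGES) + (NewState->PrivilegeCount - ANYSIZE_ARRAY) * sizeof(LUID_AND_ATTRIBUTES)` length) multiplies a count fetched from user memory with no overflow check, so a very large PrivilegeCount can wrap the length to a small value and pass the probe, and the commented-out loop below it re-reads `NewState->PrivilegeCount` (a second fetch of user memory) and indexes beyond whatever was probed. Today this is latent, because the probed data is never consumed and the original service is called unchanged whether or not the probe threw, but `BOOLEAN CaughtException;` is also never set to FALSE on the success path, so the moment that loop is re-enabled it reads an uninitialised local. I would initialise the flag, fetch the count once into a local, reject a zero or overflowing count before the second probe, and make any later iteration use the local copy rather than re-reading the user buffer; whether raising STATUS_INVALID_PARAMETER here (versus just skipping the inspection) is the intended policy is for the author to confirm. Both HookedNtAdjustPrivilegesToken and its enclosing file start and end inside this hunk.
```c
 BOOLEAN CaughtException = FALSE;
 ULONG PrivilegeCount = 0;

 __try
 {
 // Probe to make sure the first ULONG (PrivilegeCount) is accessible
 ProbeForRead(NewState, sizeof(ULONG), sizeof(ULONG));

 // Fetch the user-controlled count exactly once; every later use must go through this copy
 PrivilegeCount = NewState->PrivilegeCount;

 // Reject a count that would underflow (0) or wrap the probe length on multiplication
 if (PrivilegeCount == 0 ||
 PrivilegeCount > (MAXULONG - sizeof(TOKEN_PRIVILEGES)) / sizeof(LUID_AND_ATTRIBUTES))
 {
 ExRaiseStatus(STATUS_INVALID_PARAMETER);
 }

 // Now probe the entire structure using the captured count
 ProbeForRead(NewState, sizeof(TOKEN_PRIVILEGES) +
 (PrivilegeCount - ANYSIZE_ARRAY) * sizeof(LUID_AND_ATTRIBUTES),
 sizeof(ULONG));
 }
 /* … unchanged: __except handler, verbose LOG, commented-out per-privilege dump (loop bound should become PrivilegeCount) … */
```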