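// Windows/SecurityUtils.h

#ifndef __WINDOWS_SECURITY_UTILS_H
#define __WINDOWS_SECURITY_UTILS_H

#include <NTSecAPI.h>

#include "Defs.h"

namespace NWindows {
namespace NSecurity {

// Owning wrapper for an access-token HANDLE.
// The destructor closes the token. Copying is disabled (declared, never
// defined) because two owners would CloseHandle() the same token twice.
class CAccessToken
{
  HANDLE _handle;

  // Not implemented: an owning handle must not be copied.
  CAccessToken(const CAccessToken &);
  CAccessToken &operator=(const CAccessToken &);

public:
  CAccessToken(): _handle(NULL) {}
  ~CAccessToken() { Close(); }

  // Closes the token if one is held.
  // Returns true when nothing was open or CloseHandle() succeeded.
  // On failure the handle is kept so the caller may look at GetLastError().
  bool Close()
  {
    if (_handle == NULL)
      return true;
    bool res = BOOLToBool(::CloseHandle(_handle));
    if (res)
      _handle = NULL;
    return res;
  }

  // Opens the token of processHandle with desiredAccess, releasing any
  // token held before. Returns the BOOL result of ::OpenProcessToken.
  bool OpenProcessToken(HANDLE processHandle, DWORD desiredAccess)
  {
    Close();
    return BOOLToBool(::OpenProcessToken(processHandle, desiredAccess, &_handle));
  }

  /*
  bool OpenThreadToken(HANDLE threadHandle, DWORD desiredAccess, bool openAsSelf)
  {
    Close();
    return BOOLToBool(::OpenThreadToken(threadHandle, desiredAccess,
        BoolToBOOL(openAsSelf), &_handle));
  }
  */

  // Thin wrapper over ::AdjustTokenPrivileges.
  // NOTE: the API returns TRUE even when not every requested privilege was
  // assigned (GetLastError() is then ERROR_NOT_ALL_ASSIGNED), and this
  // wrapper forwards that result unchanged. A caller that depends on a
  // privilege actually being enabled must check GetLastError() after a
  // true return.
  bool AdjustPrivileges(bool disableAllPrivileges, PTOKEN_PRIVILEGES newState,
      DWORD bufferLength, PTOKEN_PRIVILEGES previousState, PDWORD returnLength)
  {
    return BOOLToBool(::AdjustTokenPrivileges(_handle, BoolToBOOL(disableAllPrivileges),
        newState, bufferLength, previousState, returnLength));
  }

  // Same as above without retrieving the previous state.
  bool AdjustPrivileges(bool disableAllPrivileges, PTOKEN_PRIVILEGES newState)
  {
    return AdjustPrivileges(disableAllPrivileges, newState, 0, NULL, NULL);
  }

  // Applies newState without disabling the other privileges.
  bool AdjustPrivileges(PTOKEN_PRIVILEGES newState)
  {
    return AdjustPrivileges(false, newState);
  }
};

#ifndef _UNICODE
// In non-Unicode builds the LSA entry points are resolved at run time
// from the already loaded Advapi32 (see CPolicy), so they are reached
// through these function-pointer types instead of direct calls.
typedef NTSTATUS (NTAPI *LsaOpenPolicyP)(
    PLSA_UNICODE_STRING SystemName,
    PLSA_OBJECT_ATTRIBUTES ObjectAttributes,
    ACCESS_MASK DesiredAccess,
    PLSA_HANDLE PolicyHandle);

typedef NTSTATUS (NTAPI *LsaCloseP)(LSA_HANDLE ObjectHandle);

typedef NTSTATUS (NTAPI *LsaAddAccountRightsP)(
    LSA_HANDLE PolicyHandle,
    PSID AccountSid,
    PLSA_UNICODE_STRING UserRights,
    ULONG CountOfRights);

// Returned when an LSA entry point cannot be resolved.
// Same numeric value as STATUS_NOT_IMPLEMENTED in ntstatus.h.
#define MY_STATUS_NOT_IMPLEMENTED ((NTSTATUS)0xC0000002L)
#endif

// Owning wrapper for an LSA policy handle.
// The destructor closes the handle; copying is disabled for the same
// double-close reason as CAccessToken.
struct CPolicy
{
protected:
  LSA_HANDLE _handle;
  #ifndef _UNICODE
  // Module handle of Advapi32 used to resolve the Lsa* entry points.
  // NULL when the module is not loaded; every dynamic call then fails
  // with MY_STATUS_NOT_IMPLEMENTED.
  HMODULE hModule;
  #endif

private:
  // Not implemented: an owning handle must not be copied.
  CPolicy(const CPolicy &);
  CPolicy &operator=(const CPolicy &);

public:
  operator LSA_HANDLE() const { return _handle; }

  CPolicy(): _handle(NULL)
  {
    #ifndef _UNICODE
    // GetModuleHandle (not LoadLibrary): only the instance already mapped
    // into the process is used, no DLL search is performed.
    hModule = GetModuleHandle(TEXT("Advapi32.dll"));
    #endif
  }

  ~CPolicy() { Close(); }

  // Opens the policy object, closing any handle held before.
  // Returns the NTSTATUS of LsaOpenPolicy, or MY_STATUS_NOT_IMPLEMENTED
  // in non-Unicode builds when the entry point is unavailable.
  NTSTATUS Open(PLSA_UNICODE_STRING systemName, PLSA_OBJECT_ATTRIBUTES objectAttributes,
      ACCESS_MASK desiredAccess)
  {
    #ifndef _UNICODE
    if (hModule == NULL)
      return MY_STATUS_NOT_IMPLEMENTED;
    LsaOpenPolicyP lsaOpenPolicy = (LsaOpenPolicyP)GetProcAddress(hModule, "LsaOpenPolicy");
    if (lsaOpenPolicy == NULL)
      return MY_STATUS_NOT_IMPLEMENTED;
    #endif

    Close();
    return
      #ifdef _UNICODE
      ::LsaOpenPolicy
      #else
      lsaOpenPolicy
      #endif
      (systemName, objectAttributes, desiredAccess, &_handle);
  }

  // Closes the policy handle if one is held. Returns 0 when nothing was
  // open, otherwise the NTSTATUS of LsaClose. The handle is reset to NULL
  // after the call regardless of its status.
  NTSTATUS Close()
  {
    if (_handle == NULL)
      return 0;

    #ifndef _UNICODE
    if (hModule == NULL)
      return MY_STATUS_NOT_IMPLEMENTED;
    LsaCloseP lsaClose = (LsaCloseP)GetProcAddress(hModule, "LsaClose");
    if (lsaClose == NULL)
      return MY_STATUS_NOT_IMPLEMENTED;
    #endif

    NTSTATUS res =
      #ifdef _UNICODE
      ::LsaClose
      #else
      lsaClose
      #endif
      (_handle);
    _handle = NULL;
    return res;
  }

  // The buffer is cast to void ** because the SDK prototype takes PVOID *.
  // The result must be released by the caller with LsaFreeMemory.
  NTSTATUS EnumerateAccountsWithUserRight(PLSA_UNICODE_STRING userRights,
      PLSA_ENUMERATION_INFORMATION *enumerationBuffer, PULONG countReturned)
  {
    return ::LsaEnumerateAccountsWithUserRight(_handle, userRights,
        (void **)enumerationBuffer, countReturned);
  }

  NTSTATUS EnumerateAccountRights(PSID sid, PLSA_UNICODE_STRING *userRights,
      PULONG countOfRights)
  {
    return ::LsaEnumerateAccountRights(_handle, sid, userRights, countOfRights);
  }

  NTSTATUS LookupSids(ULONG count, PSID *sids,
      PLSA_REFERENCED_DOMAIN_LIST *referencedDomains, PLSA_TRANSLATED_NAME *names)
  {
    return ::LsaLookupSids(_handle, count, sids, referencedDomains, names);
  }

  // Grants countOfRights user rights to accountSid. Returns the NTSTATUS of
  // LsaAddAccountRights, or MY_STATUS_NOT_IMPLEMENTED in non-Unicode builds
  // when the entry point is unavailable.
  NTSTATUS AddAccountRights(PSID accountSid, PLSA_UNICODE_STRING userRights,
      ULONG countOfRights)
  {
    #ifndef _UNICODE
    if (hModule == NULL)
      return MY_STATUS_NOT_IMPLEMENTED;
    LsaAddAccountRightsP lsaAddAccountRights =
        (LsaAddAccountRightsP)GetProcAddress(hModule, "LsaAddAccountRights");
    if (lsaAddAccountRights == NULL)
      return MY_STATUS_NOT_IMPLEMENTED;
    #endif

    return
      #ifdef _UNICODE
      ::LsaAddAccountRights
      #else
      lsaAddAccountRights
      #endif
      (_handle, accountSid, userRights, countOfRights);
  }

  // Grants a single user right.
  NTSTATUS AddAccountRights(PSID accountSid, PLSA_UNICODE_STRING userRights)
  {
    return AddAccountRights(accountSid, userRights, 1);
  }

  // Removes the listed rights from accountSid, or all of them when
  // allRights is set (userRights is then ignored by the API).
  NTSTATUS RemoveAccountRights(PSID accountSid, bool allRights,
      PLSA_UNICODE_STRING userRights, ULONG countOfRights)
  {
    return ::LsaRemoveAccountRights(_handle, accountSid,
        (BOOLEAN)(allRights ? TRUE : FALSE), userRights, countOfRights);
  }
};

// Enables SeLockMemoryPrivilege on the current process token.
// Defined in SecurityUtils.cpp.
bool AddLockMemoryPrivilege();

}}

#endif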