Still study, this program is longer, from MSDN, I have made a little modification, and add your own understanding in the comment, so please note the comments in the code:
#include
Bool Fresult; Bool Fapisuccess; security_information secinfo = dacl_security_information; // The following two functions are new API functions, only in Windows 2000 or later operating system support. / / This will be turned from the Advapi32.dll file. If you use the VC 6.0 compiler, and you want to // use the static links of these two functions. Please add: / D_WIN32_WINNT = 0x0500 // compile parameters for your compilation. And make sure your SDK's header file and lib file are the latest. SetSecurityDescriptorControlFnPtr _SetSecurityDescriptorControl = NULL; AddAccessAllowedAceExFnPtr _AddAccessAllowedAceEx = NULL; __try {// // STEP 1: // acquired in this step, the SID LookupAccountName function is called twice, first extraction is required memory // user name Size, then, perform memory allocation. The second call is the account information of the user. // LookupAccountName can also obtain information from domain users or user groups. (Please see MSDN) // FAPISUCCESS = LookupAccountName (Null, Lpszaccountname, Pusersid, & Cbusersid, szdomain, & clomain, "snuType); // The above call API will fail, the cause of failure is insufficient. And pass the required memory size. // The following is an error in processing non-memory.
if (fAPISuccess) __leave; else if (! GetLastError () = ERROR_INSUFFICIENT_BUFFER) {_tprintf (TEXT ( ". LookupAccountName () failed Error% d / n"), GetLastError ()); __leave;} pUserSID = myheapalloc (cbUserSID); If (! puSERSID) {_tprintf ("HeapAlloc () Failed. Error% D / N"), getLastError ()); __leave;} szdomain = (tchar *) MyHeapalloc (CBDomain * Sizeof (tchar)); if ( ! szDomain) {_tprintf (TEXT ( ". HeapAlloc () failed Error% d / n"), GetLastError ()); __leave;} fAPISuccess = LookupAccountName (NULL, lpszAccountName, pUserSID, & cbUserSID, szDomain, & cbDomain, & snuType); if (! FAPISUCCESS) {_tprintf ("LookuPaccountName () Failed. Error% D / N"), getLastError ()); __leave;} // // STEP 2: A File (Directory) Related Security Descriptor SD / / Use the getFileSecurity function to get a copy of a file SD, and the same, this function is also // is called twice, and the first time the memory length is taken to take the SD. Note that SD has two formats: self-correlation // (self-relative) and complete (Absolute), getFileSecurity can only be "self-/ related", while SetFileSecurity needs to be complete. That's why there is a new SD, / / instead of being modified directly on the SD returned by GetFileSecurity. Because "autocorrelation" information // is incomplete. FAPISUCCESS = GetFileSecurity (LPSZFileName, SECINFO, PFILESD, 0, & CBFilesd); // The above call API will fail, the cause of failure is insufficient memory. And pass the required memory size. // The following is an error in processing non-memory.
if (fAPISuccess) __leave; else if (! GetLastError () = ERROR_INSUFFICIENT_BUFFER) {_tprintf (TEXT ( ". GetFileSecurity () failed Error% d / n"), GetLastError ()); __leave;} pFileSD = myheapalloc (cbFileSD); IF (! pfilesd) {_tprintf ("HeapAlloc () failed. Error% D / N"), getLastError ()); __leave;} fapisuccess = getFileSecurity (LpszFileName, SECINFO, PFILESD, CBFILESD, & CBFilesd; if (! FAPISUCCESS) {_tprintf ("getFileSecurity () failed. Error% D / N"), getLastError ()); __leave;} // // Step 3: Initialize a new SD // if (! InitializeSecurityDescriptor (& newsd, Security_descriptor_revision) {_tprintf ("INITIALIZESECURITYDESCRIPTOR () Failed.") TEXT ("Error% D / N"), getLastError ()); __LEAVE;} // // STEP 4: Take DACL from the SD returned from getFileSecurity // if (! GetSecurityDescriptORDACL (pfilesd, & fdaclpresent, & PACL, & fdacldefault) {_tprintf ("GetSecurityDescriptOracl () Failed. Error% D / N"), getLastError ()); __LEAVE;} // // Step 5: Take DACL Memory Size // getAclinformation Provides DACL memory size. Only passing the parameters for Structure // acl_size_information, you need DACL information, just for //, it is convenient for us to traverse the ACE. Aclinfo.Acecount = 0; // AssuMe Null Dacl. Aclinfo.aclbytesfree = 0; aclinfo.aclbytesinuse = sizeof (ACL); if (PACL == Null) fdaclpresent = false; // If DACL is not empty, take information .
(Most cases "self-associated" DACL is empty) IF (fdaclpresent) {if (! GetAclinformation) {_tprintf (text ("getAclinformation () failed. Error% d / N "), getLastError ()); __LEAVE;}} // // Step 6: Calculating the new ACL's size // calculated formula is: the original DACL Size plus the Size of an ACE you need to add, With // and plus a SID-related SID, final minus two bytes to obtain precise size. cbNewACL = AclInfo.AclBytesInUse sizeof (ACCESS_ALLOWED_ACE) GetLengthSid (pUserSID) - sizeof (DWORD); // // STEP 7: allocate memory for the new ACL // pNewACL = (PACL) myheapalloc (cbNewACL); if (pNewACL! ) {_TPrintf ("HeapAlloc () failed. Error% D / N"), getLastError ()); __leave;} // // Step 8: Initialization new ACL structure // if (! InitializeAcl (pnewacl, cbenewacl , Acl_revision2)) {_tprintf ("INITIALIZEACL () Failed. Error% D / N"), getLastError ()); __leave;} (The program is not finished, please see the next article) // // step 9 If the file (directory) DACL has data, copying ACE to new DACL // // The following code hypothesis first checks the specified file (directory) DACL existing, if any, // then copy all ACE to new In the DACL structure, we can see that its traversal is completed by the Acecount member in // acl_size_information structure.
In this cycle, copy according to the order of the default ACE (the order in the ACE is critical in the ACL), in the copy // biscuit, copy the ACE to inherited first (we know the ACE will Inherited in the upper list) // newAcEindex = 0; if (fdaclpresent && aclinfo.cecount) {for (currentAcEIndex = 0; currentAcEIndex
// if (! Addace (PNewaCl, ACL_REVISION, MAXDWORD, PTEMPACE) -> ACESIZE)) {_tprintf (text ("addace () failed. Error% D / N"), getLastError ()); __leave;} newaceindex ;}} <- Previous Next->
(All rights reserved, please indicate the source and author information when reproduced)