An ACL (Access Control List) consists of an ACL header followed by zero or more ACEs (Access Control Entries).
ACLs are used on Windows NT / 2000 / XP / 2003; they have been supported by every NT-kernel system since Windows NT 3.1. An ACL specifies which security principals may access an object; the object can be an instance of any securable class, including a process.
1 Overview
Each ACE names a trustee and a set of permissions. A valid security descriptor can carry two ACLs: the DACL (discretionary ACL) and the SACL (system ACL).
Under Windows NT, when a process is opened with OpenProcess, the system checks the requested access against the DACL of the target process. If the process has no DACL (a NULL DACL), every access is granted; if the DACL is present but empty (zero ACEs), every access is denied.
The exact handling differs between operating system versions, and an empty DACL does not guarantee that every access is refused: the owner of an object is always implicitly granted READ_CONTROL and WRITE_DAC, so the owner can rewrite the DACL, and a caller that enables SeDebugPrivilege (held by Administrators by default) bypasses the DACL check in OpenProcess entirely.
The SACL lets the system administrator record accesses to a securable object; each ACE in the SACL describes an access that is to be audited.
The DACL is evaluated as follows: the ACEs are examined in order; an ACE whose trustee SID is not in the caller's token is skipped; an access-allowed ACE removes its rights from the set still being requested; an access-denied ACE that covers any right still being requested ends the check with a denial; the check succeeds as soon as nothing remains to be granted, and fails if the end of the list is reached first.
2 DACL and CreateProcess
2.1 SECURITY_ATTRIBUTES
The SECURITY_ATTRIBUTES structure specifies the security settings applied to a process when it is created.
typedef struct _SECURITY_ATTRIBUTES
{
    DWORD  nLength;               // sizeof(SECURITY_ATTRIBUTES)
    LPVOID lpSecurityDescriptor;  // NULL means the default security for the object
    BOOL   bInheritHandle;        // whether child processes inherit the returned handle
} SECURITY_ATTRIBUTES, *PSECURITY_ATTRIBUTES;
lpSecurityDescriptor points to a SECURITY_DESCRIPTOR structure.
2.2 SECURITY_DESCRIPTOR
The SECURITY_DESCRIPTOR structure must not be modified directly; it is only manipulated through API functions. It holds a revision level, a control word, the owner SID, the primary group SID, a DACL and a SACL.
The main API functions are:
(1) InitializeSecurityDescriptor
Initializes a SECURITY_DESCRIPTOR: the revision is set to SECURITY_DESCRIPTOR_REVISION, and the owner, group, DACL and SACL are all NULL. A descriptor left in this state has no DACL, which grants everyone full access, so a DACL must be set before the descriptor is used.
(2) SetSecurityDescriptorDacl
Sets the DACL in the SECURITY_DESCRIPTOR; it receives a pointer to an ACL structure together with the bDaclPresent and bDaclDefaulted flags.
(3) SetSecurityDescriptorGroup
Sets the primary group information in the SECURITY_DESCRIPTOR; any existing primary group information is overwritten.
(4) SetSecurityDescriptorOwner
Sets the owner (Owner) information in the SECURITY_DESCRIPTOR, overwriting any existing owner.
(5) SetSecurityDescriptorRMControl
Sets the 8-bit resource manager control value in the SECURITY_DESCRIPTOR's Control field; a resource manager that uses this byte reads it back with GetSecurityDescriptorRMControl.
(6) SetSecurityDescriptorSacl
Sets the SACL in the SECURITY_DESCRIPTOR; it receives a pointer to an ACL structure. These six functions cover all the modifications that need to be made to a SECURITY_DESCRIPTOR.
2.3 CreateProcess
Function declaration:
BOOL CreateProcess(
    LPCTSTR               lpApplicationName,    // name of the executable module
    LPTSTR                lpCommandLine,        // command line string
    LPSECURITY_ATTRIBUTES lpProcessAttributes,  // SD for the new process
    LPSECURITY_ATTRIBUTES lpThreadAttributes,   // SD for the primary thread
    BOOL                  bInheritHandles,      // handle inheritance option
    DWORD                 dwCreationFlags,      // creation flags
    LPVOID                lpEnvironment,        // new environment block
    LPCTSTR               lpCurrentDirectory,   // current directory name
    LPSTARTUPINFO         lpStartupInfo,        // startup information
    LPPROCESS_INFORMATION lpProcessInformation  // process information
);
Partial parameter description:
lpCommandLine: pointer to the command line of the new process, a string terminated by a null character ('\0' in C). When lpApplicationName is NULL, the first token of this string is taken as the path and file name of the executable, so a path containing spaces must be enclosed in quotes; otherwise the system tries the successive space-delimited prefixes of the path;
lpProcessAttributes, lpThreadAttributes: pointers to the security settings for the new process and for its primary thread. On NT-kernel systems each points to a SECURITY_ATTRIBUTES structure, which, as described above, carries the security descriptor;
dwCreationFlags: a DWORD that selects the creation mode and priority class of the new process; most of the flag values can be combined.
3 ACL
3.1 ACL header definition
typedef struct _ACL {
    BYTE AclRevision;
    BYTE Sbz1;
    WORD AclSize;
    WORD AceCount;
    WORD Sbz2;
} ACL, *PACL;
Parameter description:
AclRevision: the revision level, normally ACL_REVISION; under the NT kernel, when the ACL contains object-specific ACEs, it must be ACL_REVISION_DS;
Sbz1, Sbz2: padding ("should be zero");
AceCount: the number of ACEs the ACL contains;
AclSize: the total size in bytes of the ACL header plus all of its ACEs.
Structure layout (bit numbers 31 down to 0):
   3 3 2 2 2 2 2 2 2 2 2 2 1 1 1 1 1 1 1 1 1 1
   1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0
  +-------------------------------+---------------+---------------+
  |            AclSize            |     Sbz1      |  AclRevision  |
  +-------------------------------+---------------+---------------+
  |             Sbz2              |           AceCount            |
  +-------------------------------+-------------------------------+
An ACL consists of the ACL header (the ACL structure above) followed by a variable number of ACEs. The ACEs are numbered 0 to n-1, where n is the number of ACEs in the ACL, i.e. n = AceCount. When editing an ACL, an application addresses an individual ACE by its index (for example with GetAce).
As mentioned earlier, there are two kinds of ACL: the DACL and the SACL.
The DACL is maintained by the object's owner and by any process that holds WRITE_DAC access to the object, much as the owner or administrator of a file decides who may read that file.
An object also has a system-level security setting, the SACL. The SACL is maintained by the system administrator and specifies which accesses to the object are recorded, so that the administrator can audit them.
3.2 ACE types for a DACL
An ACE is a single entry in an ACL. The ACE types defined for a DACL are:
ACCESS_ALLOWED_ACE
Allows the specified user or group the listed access to an object;
ACCESS_ALLOWED_OBJECT_ACE
Allows the specified user or group access to a particular object type or property; used for directory service objects on Windows 2000 / XP. When an ACL contains an ACE of this type, AclRevision must be set to ACL_REVISION_DS;
ACCESS_DENIED_ACE
Denies the specified user or group the listed access to an object;
ACCESS_DENIED_OBJECT_ACE
Denies the specified user or group access to a particular object type or property; used for directory service objects on Windows 2000 / XP. When an ACL contains an ACE of this type, AclRevision must be set to ACL_REVISION_DS.
To describe an ACE further, its data structure is given below.
typedef struct _ACE_HEADER {
    BYTE AceType;
    BYTE AceFlags;
    WORD AceSize;
} ACE_HEADER;
typedef ACE_HEADER *PACE_HEADER;
Parameter description:
AceType: the ACE type;
AceFlags: the ACE's control flags (inheritance and audit flags), which may be a combination of several flags;
AceSize: the length of the ACE in bytes.
Every ACE begins with an ACE_HEADER, and AceSize holds the full length of the ACE (header, access mask and SID) in bytes; the next ACE starts AceSize bytes after the current one.
3.3 How to apply an ACL
This section describes how to add ACCESS_DENIED_ACE entries to a DACL in order to protect a process from access.
3.3.1 The AddAccessDeniedAce function
BOOL AddAccessDeniedAce(
    PACL  pAcl,           // access control list
    DWORD dwAceRevision,  // ACL revision level
    DWORD AccessMask,     // access mask
    PSID  pSid            // security identifier
);
Partial parameter description:
dwAceRevision: if the ACL contains an ACCESS_ALLOWED_OBJECT_ACE or ACCESS_DENIED_OBJECT_ACE, set ACL_REVISION_DS; otherwise set ACL_REVISION;
AccessMask: the access type mask, a combination of one or more access rights that this ACE denies;
pSid: the trustee's SID. This parameter points to a SID structure identifying who is to be denied access: a user, a group or a logon session.
Note the order of ACEs: AddAccessDeniedAce appends the new ACE at the end of the ACL, so an ACCESS_DENIED_ACE must be added before any ACCESS_ALLOWED_ACE that grants the same rights; otherwise the access check is satisfied by the earlier allow and the deny never takes effect. This is very important and a common beginner mistake. If an ACL contains only ACCESS_DENIED_ACE entries, their relative order does not matter.
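The evaluation order described in section 1 and the ordering rule above, as an added example that is not part of the original article: a portable C model of the DACL walk, with no Windows headers. The ACEs, the SIDs and the caller's token are constructed for the demonstration (the Administrator account SID S-1-5-21-1000-1000-1000-500 is a placeholder), and the access-right values are those of the Windows SDK. It shows the no-DACL and empty-DACL cases, the owner's implicit READ_CONTROL / WRITE_DAC, and the same pair of ACEs in the correct and the wrong order.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Access rights used below (values as in the Windows SDK headers). */
#define PROCESS_TERMINATE         0x0001u
#define PROCESS_SET_INFORMATION   0x0200u
#define PROCESS_QUERY_INFORMATION 0x0400u
#define READ_CONTROL              0x00020000u
#define WRITE_DAC                 0x00040000u

enum { ACE_ALLOW = 0, ACE_DENY = 1 };   /* ACCESS_ALLOWED_ACE_TYPE, ACCESS_DENIED_ACE_TYPE */

typedef struct { int type; uint32_t mask; const char *sid; } Ace;   /* simplified ACE */
typedef struct { const Ace *aces; int count; } Dacl;                /* count 0 = empty DACL */
typedef struct { const char **sids; int count; } Token;             /* caller's user + group SIDs */

static int token_has(const Token *t, const char *sid)
{
    for (int i = 0; i < t->count; i++)
        if (strcmp(t->sids[i], sid) == 0) return 1;
    return 0;
}

/* 1 if every bit of `desired` is granted, 0 otherwise. `dacl == NULL` models an
   object that has no DACL at all, which is distinct from an empty one. */
static int access_check(const Dacl *dacl, const char *owner, const Token *tok, uint32_t desired)
{
    if (dacl == NULL) return 1;                       /* no DACL: all access is granted */
    uint32_t remaining = desired;
    if (owner != NULL && token_has(tok, owner))       /* owner is implicitly allowed these */
        remaining &= ~(READ_CONTROL | WRITE_DAC);
    for (int i = 0; i < dacl->count && remaining != 0; i++) {
        const Ace *a = &dacl->aces[i];
        if (!token_has(tok, a->sid)) continue;        /* ACE is for another trustee */
        if (a->type == ACE_ALLOW)
            remaining &= ~a->mask;                    /* allows accumulate until nothing is left */
        else if (a->mask & remaining)
            return 0;                                 /* deny hits a still-wanted right: stop */
    }
    return remaining == 0;                            /* empty DACL: nothing was granted */
}

/* Constructed caller: a member of Administrators; every token also contains Everyone. */
static const char *g_admin_sids[] = { "S-1-5-21-1000-1000-1000-500", "S-1-5-32-544", "S-1-1-0" };
static const Token g_admin = { g_admin_sids, 3 };

/* Correct order: the deny for Everyone precedes the allow for Administrators. */
static const Ace g_ordered[] = {
    { ACE_DENY,  PROCESS_TERMINATE | PROCESS_SET_INFORMATION,   "S-1-1-0" },
    { ACE_ALLOW, PROCESS_TERMINATE | PROCESS_QUERY_INFORMATION, "S-1-5-32-544" },
};
/* Same ACEs, allow first: the request is satisfied before the deny is ever examined. */
static const Ace g_misordered[] = {
    { ACE_ALLOW, PROCESS_TERMINATE | PROCESS_QUERY_INFORMATION, "S-1-5-32-544" },
    { ACE_DENY,  PROCESS_TERMINATE | PROCESS_SET_INFORMATION,   "S-1-1-0" },
};
static const Dacl g_empty = { NULL, 0 };
static const Dacl g_dacl_ordered = { g_ordered, 2 };
static const Dacl g_dacl_misordered = { g_misordered, 2 };

static int demo_no_dacl(void)             { return access_check(NULL, NULL, &g_admin, PROCESS_TERMINATE); }                   /* 1 */
static int demo_empty_dacl(void)          { return access_check(&g_empty, NULL, &g_admin, PROCESS_QUERY_INFORMATION); }       /* 0 */
static int demo_ordered_terminate(void)   { return access_check(&g_dacl_ordered, NULL, &g_admin, PROCESS_TERMINATE); }        /* 0 */
static int demo_ordered_query(void)       { return access_check(&g_dacl_ordered, NULL, &g_admin, PROCESS_QUERY_INFORMATION); }/* 1 */
static int demo_misordered_terminate(void){ return access_check(&g_dacl_misordered, NULL, &g_admin, PROCESS_TERMINATE); }     /* 1 */
static int demo_owner_write_dac(void)     { return access_check(&g_empty, "S-1-5-21-1000-1000-1000-500", &g_admin, WRITE_DAC); }  /* 1 */
static int demo_nonowner_write_dac(void)  { return access_check(&g_empty, "S-1-5-21-1000-1000-1000-1001", &g_admin, WRITE_DAC); } /* 0 */

int main(void)
{
    printf("no DACL, TERMINATE:               %d\n", demo_no_dacl());
    printf("empty DACL, QUERY:                %d\n", demo_empty_dacl());
    printf("deny-then-allow, TERMINATE:       %d\n", demo_ordered_terminate());
    printf("deny-then-allow, QUERY:           %d\n", demo_ordered_query());
    printf("allow-then-deny, TERMINATE:       %d\n", demo_misordered_terminate());
    printf("empty DACL, owner, WRITE_DAC:     %d\n", demo_owner_write_dac());
    printf("empty DACL, non-owner, WRITE_DAC: %d\n", demo_nonowner_write_dac());
    return 0;
}
```

The misordered case is the mistake the paragraph above warns about: the allow for Administrators satisfies the PROCESS_TERMINATE request, so the walk ends before the Everyone deny is reached. SetEntriesInAcl avoids this by placing deny entries first; AddAccessDeniedAce does not reorder anything, so the caller must.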
3.3.2 ACCESS_MASK and SID
typedef DWORD ACCESS_MASK;
This type holds a combination of one or more access rights.
SID (Security Identifier)
A SID is a variable-length structure that uniquely identifies a user or group: a revision byte, a sub-authority count, a 48-bit identifier authority and up to 15 32-bit sub-authorities, written in text form as, for example, S-1-5-32-544 for the built-in Administrators group. It must not be edited directly; SIDs are created, examined and released through the system API (AllocateAndInitializeSid, LookupAccountName, FreeSid and similar).
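Building an ACL in memory, as an added example that is not part of the original article: it re-declares the ACL, ACE_HEADER and SID layouts from sections 3.1, 3.2 and 3.3.2 locally (assumption: a little-endian host, as every Windows platform is), parses the textual SID form into its binary layout, appends ACEs the way AddAccessDeniedAce / AddAccessAllowedAce do, and walks them by AceSize the way GetAce does. It runs without Windows headers; the two SIDs are the well-known Everyone and Administrators groups, and the DACL is constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Local re-declarations of the Windows layouts from sections 3.1, 3.2 and 3.3.2.
   Every field is naturally aligned, so these structs have no padding and match
   the in-memory byte layout on a little-endian host (assumption). */
#define ACL_REVISION              2
#define ACCESS_ALLOWED_ACE_TYPE   0
#define ACCESS_DENIED_ACE_TYPE    1
#define SID_MAX_SUB_AUTHORITIES   15
#define PROCESS_TERMINATE         0x0001u
#define PROCESS_QUERY_INFORMATION 0x0400u

typedef struct { uint8_t AclRevision, Sbz1; uint16_t AclSize, AceCount, Sbz2; } ACL;  /* 8 bytes */
typedef struct { uint8_t AceType, AceFlags; uint16_t AceSize; } ACE_HEADER;          /* 4 bytes */
typedef struct {                                                                      /* 8 + 4*n bytes */
    uint8_t  Revision, SubAuthorityCount, IdentifierAuthority[6];
    uint32_t SubAuthority[SID_MAX_SUB_AUTHORITIES];
} SID;

/* Parse "S-1-<authority>-<sub>-<sub>..." into a SID. Returns the SID's length in
   bytes (what GetLengthSid would report), or 0 if the text is not a valid SID. */
static size_t sid_from_string(const char *s, SID *out)
{
    unsigned rev; unsigned long long auth; int n;
    memset(out, 0, sizeof *out);
    if (sscanf(s, "S-%u-%llu%n", &rev, &auth, &n) != 2 || rev != 1 || (auth >> 48) != 0)
        return 0;
    s += n;
    out->Revision = (uint8_t)rev;
    for (int i = 0; i < 6; i++)                   /* 48-bit identifier authority, big-endian */
        out->IdentifierAuthority[i] = (uint8_t)(auth >> (8 * (5 - i)));
    while (*s == '-') {
        unsigned long v;
        if (out->SubAuthorityCount == SID_MAX_SUB_AUTHORITIES || sscanf(s, "-%lu%n", &v, &n) != 1)
            return 0;
        out->SubAuthority[out->SubAuthorityCount++] = (uint32_t)v;
        s += n;
    }
    return *s == '\0' ? 8 + 4u * out->SubAuthorityCount : 0;
}

/* Append an ACCESS_ALLOWED_ACE / ACCESS_DENIED_ACE (header + mask + SID) after the
   last ACE and update AclSize / AceCount, as AddAccessAllowedAce / AddAccessDeniedAce do.
   Returns 0 if the ACE does not fit in the `cap` bytes available. */
static int acl_add_ace(ACL *acl, size_t cap, uint8_t type, uint32_t mask, const SID *sid)
{
    size_t sidlen = 8 + 4u * sid->SubAuthorityCount;
    uint16_t acesize = (uint16_t)(sizeof(ACE_HEADER) + sizeof mask + sidlen);
    ACE_HEADER h = { type, 0, acesize };
    uint8_t *p = (uint8_t *)acl + acl->AclSize;
    if ((size_t)acl->AclSize + acesize > cap) return 0;
    memcpy(p, &h, sizeof h);                      /* memcpy: ACE offsets need not be aligned */
    memcpy(p + sizeof h, &mask, sizeof mask);
    memcpy(p + sizeof h + sizeof mask, sid, sidlen);
    acl->AclSize = (uint16_t)(acl->AclSize + acesize);
    acl->AceCount++;
    return 1;
}

/* Locate ACE number `index` by stepping AceSize from the header, as GetAce does.
   Returns its byte offset from the start of the ACL, or 0 if absent or malformed. */
static size_t acl_ace_offset(const ACL *acl, unsigned index)
{
    size_t off = sizeof(ACL);
    for (unsigned k = 0; off + sizeof(ACE_HEADER) <= acl->AclSize; k++) {
        ACE_HEADER h;
        memcpy(&h, (const uint8_t *)acl + off, sizeof h);
        if (h.AceSize < sizeof(ACE_HEADER) || off + h.AceSize > acl->AclSize) return 0;
        if (k == index) return off;
        off += h.AceSize;
    }
    return 0;
}

/* Constructed demo DACL: deny Everyone PROCESS_TERMINATE first, then allow
   Administrators (S-1-5-32-544) PROCESS_QUERY_INFORMATION. */
static union { ACL hdr; uint8_t bytes[128]; } g_dacl;

static unsigned demo_build_dacl(void)
{
    SID everyone, admins;
    memset(&g_dacl, 0, sizeof g_dacl);
    g_dacl.hdr.AclRevision = ACL_REVISION;        /* no object ACEs, so not ACL_REVISION_DS */
    g_dacl.hdr.AclSize = sizeof(ACL);             /* header only, so far */
    if (!sid_from_string("S-1-1-0", &everyone) || !sid_from_string("S-1-5-32-544", &admins)) return 0;
    if (!acl_add_ace(&g_dacl.hdr, sizeof g_dacl, ACCESS_DENIED_ACE_TYPE, PROCESS_TERMINATE, &everyone)) return 0;
    if (!acl_add_ace(&g_dacl.hdr, sizeof g_dacl, ACCESS_ALLOWED_ACE_TYPE, PROCESS_QUERY_INFORMATION, &admins)) return 0;
    return g_dacl.hdr.AclSize;                    /* 8 + (8 + 12) + (8 + 16) = 52 */
}

static unsigned demo_ace_count(void) { return g_dacl.hdr.AceCount; }
/* AceType of ACE `index` in the demo DACL, or 255 if there is no such ACE. */
static unsigned demo_ace_type(unsigned index)
{
    size_t off = acl_ace_offset(&g_dacl.hdr, index);
    return off ? g_dacl.bytes[off] : 255;
}
static size_t demo_sid_len(const char *text) { SID t; return sid_from_string(text, &t); }

int main(void)
{
    printf("AclSize=%u AceCount=%u ace0.type=%u ace1.type=%u\n",
           demo_build_dacl(), demo_ace_count(), demo_ace_type(0), demo_ace_type(1));
    return 0;
}
```

Note what the sizes show: the Everyone ACE is 20 bytes and the Administrators ACE 24 bytes, the difference being the extra sub-authority in the SID, so AceSize must be read to find the next entry rather than assuming a fixed stride.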
Some time ago a reader complained to me: he had created a shared-memory object on his machine and then tried to access it from the browser side of a B/S application, but the access always failed, with an error saying he had no permission.
Indeed: the plug-in of a B/S program runs inside the browser under the Guest account, which of course has no permission to open a shared-memory kernel object created by another account. If, however, you set the DACL when you create the kernel object, any account you choose can be allowed to access it. Quite magical, isn't it?
Below I demonstrate the technique with a program that, on Windows 2000, starts a Notepad process that ordinary callers cannot kill. Keep the limits of the technique in mind: the DACL is only consulted by the access check in OpenProcess, so a caller that enables SeDebugPrivilege (held by Administrators by default) can still open and terminate the process, and the owner can always rewrite the DACL because READ_CONTROL and WRITE_DAC are implicitly granted to the owner.
#include <windows.h>
#include <aclapi.h>
#include <stdio.h>

// Builds a DACL that denies PROCESS_TERMINATE and PROCESS_SET_INFORMATION to
// Everyone, Administrators and the Administrator account, puts it into a
// security descriptor, and starts Notepad with that descriptor.
// (Compiled without UNICODE, so CreateProcess takes narrow strings.)
void Test(void)
{
    PSID pEveryoneSID  = NULL;              // SID of the Everyone group
    PSID pAdminSID     = NULL;              // SID of the built-in Administrators group
    PSID pAdminUserSID = NULL;              // SID meant for the Administrator account (see note)
    EXPLICIT_ACCESS ea[3];                  // the three ACEs
    PACL pProcessACL   = NULL;              // process DACL
    PSECURITY_DESCRIPTOR pSD = NULL;        // process SD
    SECURITY_ATTRIBUTES saProcess;          // process SA
    PROCESS_INFORMATION ProcessInfo;
    STARTUPINFO StartupInfo;
    SID_IDENTIFIER_AUTHORITY SIDAuthWorld = SECURITY_WORLD_SID_AUTHORITY;
    SID_IDENTIFIER_AUTHORITY SIDAuthNT    = SECURITY_NT_AUTHORITY;
    DWORD dwRet;
    DWORD dwErr;

    printf("This program will create a Notepad process!\n");

    // Create the SIDs
    // S-1-1-0 (Everyone): one sub-authority
    if (!AllocateAndInitializeSid(&SIDAuthWorld, 1, SECURITY_WORLD_RID,
                                  0, 0, 0, 0, 0, 0, 0, &pEveryoneSID))
    {
        printf("AllocateAndInitializeSid failed! EveryoneSID\n");
        goto Err;
    }
    // S-1-5-32-544 (0x220, built-in Administrators): two sub-authorities
    if (!AllocateAndInitializeSid(&SIDAuthNT, 2, SECURITY_BUILTIN_DOMAIN_RID,
                                  DOMAIN_ALIAS_RID_ADMINS, 0, 0, 0, 0, 0, 0, &pAdminSID))
    {
        printf("AllocateAndInitializeSid failed! AdminSID\n");
        goto Err;
    }
    // S-1-5-32-500 (0x1F4). Note: no account has this SID. DOMAIN_USER_RID_ADMIN is
    // relative to the machine/domain SID, so the Administrator account is
    // S-1-5-21-<machine>-500; this ACE therefore matches nobody. A real program
    // would obtain the account's SID with LookupAccountName instead.
    if (!AllocateAndInitializeSid(&SIDAuthNT, 2, SECURITY_BUILTIN_DOMAIN_RID,
                                  DOMAIN_USER_RID_ADMIN, 0, 0, 0, 0, 0, 0, &pAdminUserSID))
    {
        printf("AllocateAndInitializeSid failed! AdminUserSID\n");
        goto Err;
    }

    // Fill in the ACEs. SetEntriesInAcl places deny entries before allow entries,
    // so the ordering rule of section 3.3.1 is handled for us here.
    ZeroMemory(ea, sizeof(ea));
    // S-1-1-0: deny terminating the process and changing its parameters
    ea[0].grfAccessPermissions = PROCESS_TERMINATE | PROCESS_SET_INFORMATION;
    ea[0].grfAccessMode = DENY_ACCESS;
    ea[0].grfInheritance = NO_INHERITANCE;
    ea[0].Trustee.TrusteeForm = TRUSTEE_IS_SID;
    ea[0].Trustee.TrusteeType = TRUSTEE_IS_WELL_KNOWN_GROUP;
    ea[0].Trustee.ptstrName = (LPTSTR)pEveryoneSID;

    // S-1-5-32-544: the same denial for the Administrators group
    ea[1].grfAccessPermissions = PROCESS_TERMINATE | PROCESS_SET_INFORMATION;
    ea[1].grfAccessMode = DENY_ACCESS;
    ea[1].grfInheritance = NO_INHERITANCE;
    ea[1].Trustee.TrusteeForm = TRUSTEE_IS_SID;
    ea[1].Trustee.TrusteeType = TRUSTEE_IS_GROUP;
    ea[1].Trustee.ptstrName = (LPTSTR)pAdminSID;

    // S-1-5-32-500: the same denial for the Administrator account
    ea[2].grfAccessPermissions = PROCESS_TERMINATE | PROCESS_SET_INFORMATION;
    ea[2].grfAccessMode = DENY_ACCESS;
    ea[2].grfInheritance = NO_INHERITANCE;
    ea[2].Trustee.TrusteeForm = TRUSTEE_IS_SID;
    ea[2].Trustee.TrusteeType = TRUSTEE_IS_USER;
    ea[2].Trustee.ptstrName = (LPTSTR)pAdminUserSID;

    // Create and populate the ACL
    dwRet = SetEntriesInAcl(3, ea, NULL, &pProcessACL);
    if (dwRet != ERROR_SUCCESS)
    {
        printf("SetEntriesInAcl failed! code=%lu\n", dwRet);
        goto Cleanup;
    }

    // Create and initialize the SD
    pSD = (PSECURITY_DESCRIPTOR)LocalAlloc(LPTR, SECURITY_DESCRIPTOR_MIN_LENGTH);
    if (pSD == NULL)
    {
        printf("LocalAlloc failed!\n");
        goto Err;
    }
    if (!InitializeSecurityDescriptor(pSD, SECURITY_DESCRIPTOR_REVISION))
    {
        printf("InitializeSecurityDescriptor failed!\n");
        goto Err;
    }
    // Put the ACL into the SD
    if (!SetSecurityDescriptorDacl(pSD,
                                   TRUE,            // bDaclPresent
                                   pProcessACL,
                                   FALSE))          // not a default DACL
    {
        printf("SetSecurityDescriptorDacl failed!\n");
        goto Err;
    }

    // Set the SA
    saProcess.nLength = sizeof(SECURITY_ATTRIBUTES);
    saProcess.lpSecurityDescriptor = pSD;
    saProcess.bInheritHandle = FALSE;

    // Create the process and wait for it to exit normally
    ZeroMemory(&StartupInfo, sizeof(StartupInfo));
    StartupInfo.cb = sizeof(StartupInfo);
    if (CreateProcess("C:\\winnt\\notepad.exe", NULL,
                      &saProcess, NULL, FALSE, 0, NULL,
                      NULL, &StartupInfo, &ProcessInfo))
    {
        WaitForSingleObject(ProcessInfo.hProcess, INFINITE);
        CloseHandle(ProcessInfo.hThread);
        CloseHandle(ProcessInfo.hProcess);
        printf("Success!\n");
    }
    else
    {
        printf("CreateProcess failed!\n");
        goto Err;
    }

    // Clean up
Cleanup:
    printf("Exiting...\n");
    if (pEveryoneSID != NULL)  FreeSid(pEveryoneSID);
    if (pAdminSID != NULL)     FreeSid(pAdminSID);
    if (pAdminUserSID != NULL) FreeSid(pAdminUserSID);
    if (pProcessACL != NULL)   LocalFree(pProcessACL);
    if (pSD != NULL)           LocalFree(pSD);
    return;

    // Error handling
Err:
    // The original listing breaks off after "dwErr ="; reporting GetLastError()
    // and then releasing the resources is the assumed intent.
    dwErr = GetLastError();
    printf("Error code = %lu\n", dwErr);
    goto Cleanup;
}