windows内核访问控制机制

本文深入探讨Windows内核的访问控制机制,包括权限检查、访问控制列表(ACL)、安全描述符(Security Descriptor)和安全标识符(SID)。内容涵盖进程权限、令牌、ACL的结构与作用,以及在打开文件、创建句柄时的权限验证过程。

          主要看了下面两部分:

    1.进程对系统执行特权操作时需要持有相应的特权(Privilege),因此进程带有一个特权集来表示它拥有的权限;内核在执行这些特权操作时会检查进程是否有权执行。

     2.进程对每个内核对象的操作权限各不相同:内核对象带有一个访问控制列表(ACL),用来标识某个用户启动的进程对该对象拥有怎样的访问权。进程对对象执行操作时,内核会检查相应的权限是否匹配。


一、SID:用来表示系统中唯一的用户或组

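/*
 * SID: identifies a single user or group uniquely within the system
 * (Windows SDK layout as reproduced on this page). The textual form is
 * S-<Revision>-<IdentifierAuthority>-<SubAuthority>..., e.g. S-1-5-18 in the
 * !token output further down.
 *
 * NOTE(review): the two trailing annotations in the original were bare text
 * outside comment syntax, so the listing did not parse as C; they are now
 * comments. Code that parses a SID from an untrusted buffer must check
 * SubAuthorityCount against the buffer length before indexing
 * SubAuthority[] (RtlValidSid performs this kind of validation).
 */
typedef struct _SID {
   UCHAR Revision;                               /* SID revision (the "1" in S-1-...) */
   UCHAR SubAuthorityCount;                      /* number of valid entries in SubAuthority[] */
   SID_IDENTIFIER_AUTHORITY IdentifierAuthority; /* 6 bytes identifying the issuing authority */
#ifdef MIDL_PASS
   [size_is(SubAuthorityCount)] ULONG SubAuthority[*];
#else // MIDL_PASS
   ULONG SubAuthority[ANYSIZE_ARRAY];            /* RID array; a RID is the relative id assigned to a member of a domain (per the original author the administrator is generally 500) */
#endif // MIDL_PASS
} SID, *PISID;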

IdentifierAuthority可以是:
/*
 * Initializers for SID.IdentifierAuthority (6 bytes). As written here the
 * authority number sits in the last byte and is what appears in the textual
 * SID: {0,0,0,0,0,1} is the "1" in S-1-1-0 shown in the !token dump below.
 */
#define SECURITY_NULL_SID_AUTHORITY         {0,0,0,0,0,0}
#define SECURITY_WORLD_SID_AUTHORITY        {0,0,0,0,0,1}
#define SECURITY_LOCAL_SID_AUTHORITY        {0,0,0,0,0,2}
#define SECURITY_CREATOR_SID_AUTHORITY      {0,0,0,0,0,3}
#define SECURITY_NON_UNIQUE_AUTHORITY       {0,0,0,0,0,4}
#define SECURITY_RESOURCE_MANAGER_AUTHORITY {0,0,0,0,0,9}

SubAuthority可以是:
/*
 * Relative identifiers (RIDs) used as SubAuthority[] entries. A RID is only
 * meaningful together with its IdentifierAuthority: the value 0 below names a
 * different principal under the NULL, WORLD and LOCAL authorities (world
 * authority + SECURITY_WORLD_RID presumably yields the S-1-1-0 seen below).
 * Never compare SIDs by RID alone.
 */
#define SECURITY_NULL_RID                 (0x00000000L)
#define SECURITY_WORLD_RID                (0x00000000L)
#define SECURITY_LOCAL_RID                (0x00000000L)

/* RIDs under SECURITY_CREATOR_SID_AUTHORITY. */
#define SECURITY_CREATOR_OWNER_RID        (0x00000000L)
#define SECURITY_CREATOR_GROUP_RID        (0x00000001L)

#define SECURITY_CREATOR_OWNER_SERVER_RID (0x00000002L)
#define SECURITY_CREATOR_GROUP_SERVER_RID (0x00000003L)

二、令牌:进程的token,在eprocess中标明一个进程的权限

/*
 * Kernel TOKEN object as reproduced on this page. The EPROCESS refers to one
 * of these (see the Token line in the !process output below); it carries the
 * security context a process runs with: user and group SIDs, restricted SIDs,
 * the privilege set and a default DACL. The Ro/Wr/Mod and byte-size marks are
 * the original header's annotations (pointer sizes of 4 bytes suggest a
 * 32-bit build) and are kept as-is.
 */
typedef struct _TOKEN {

    TOKEN_SOURCE TokenSource;                           // Ro: 16-Bytes   identifies what created the token

    LUID TokenId;                                       // Ro: 8-Bytes    token id
    LUID AuthenticationId;                              // Ro: 8-Bytes    assigned by lsass at LsaLogonUser time
    LUID ParentTokenId;                                 // Ro: 8-Bytes
    LARGE_INTEGER ExpirationTime;                       // Ro: 8-Bytes
    PERESOURCE TokenLock;                               // Ro:

    SEP_AUDIT_POLICY AuditPolicy;                       // RW: 8 bytes

    LUID ModifiedId;                                    // Wr: 8-Bytes    refreshed whenever the token's characteristics are modified

    ULONG SessionId;                                    // Wr: 4-bytes
    ULONG UserAndGroupCount;                            // Ro: 4-Bytes    number of entries in UserAndGroups
    ULONG RestrictedSidCount;                           // Ro: 4-Bytes    number of entries in RestrictedSids
    ULONG PrivilegeCount;                               // Ro: 4-Bytes    number of entries in Privileges
    ULONG VariableLength;                               // Ro: 4-Bytes
    ULONG DynamicCharged;                               // Ro: 4-Bytes

    ULONG DynamicAvailable;                             // Wr: 4-Bytes (Mod)
    ULONG DefaultOwnerIndex;                            // Wr: 4-Bytes (Mod)
    PSID_AND_ATTRIBUTES UserAndGroups;                  // Wr: 4-Bytes (Mod)   SID array; UserAndGroupCount gives its length
    PSID_AND_ATTRIBUTES RestrictedSids;                 // Ro: 4-Bytes         SID array
    PSID PrimaryGroup;                                  // Wr: 4-Bytes (Mod)
    PLUID_AND_ATTRIBUTES Privileges;                    // Wr: 4-Bytes (Mod)   LUID array: the privileges the process currently holds, e.g. SeLoadDriverPrivilege
    PULONG DynamicPart;                                 // Wr: 4-Bytes (Mod)
    PACL DefaultDacl;                                   // Wr: 4-Bytes (Mod)   access control list, discussed further below

TOKEN_TYPE TokenType;                               // Ro: 1-Byte   TokenType has two values and is normally TokenPrimary. TokenImpersonation means an RPC-server application is impersonating the client's token to carry out a request on its behalf.
/*
typedef enum _SECURITY_IMPERSONATION_LEVEL {
    SecurityAnonymous,
    SecurityIdentification,   // server may obtain the client's identity
    SecurityImpersonation,    // server may obtain the client's identity and impersonate it at local-user level
    SecurityDelegation        // server may obtain the client's identity and impersonate it at remote-user level

} SECURITY_IMPERSONATION_LEVEL, * PSECURITY_IMPERSONATION_LEVEL;
Impersonation is actually a per-thread property, recorded in ethread->ImpersonationInfo; it is not followed further here.
*/
    SECURITY_IMPERSONATION_LEVEL ImpersonationLevel;    // Ro: 1-Byte   impersonation level (see the enum above)

    UCHAR TokenFlags;                                   // Rw: 4-Bytes   NOTE(review): original size annotation does not match UCHAR; kept as written
    BOOLEAN TokenInUse;                                 // Wr: 1-Byte

    PSECURITY_TOKEN_PROXY_DATA ProxyData;               // Ro: 4-Bytes
    PSECURITY_TOKEN_AUDIT_DATA AuditData;               // Ro: 4-Bytes

    PSEP_LOGON_SESSION_REFERENCES LogonSession;         // Rw: Ptr

    LUID OriginatingLogonSession ;                      // Rw: 8 bytes (set by LSA)

    ULONG VariablePart;                                 // Wr: 4-Bytes (Mod)

} TOKEN, * PTOKEN;

查看System进程的令牌

kd> !process 4 1
Searching for Process with Cid == 4
Cid handle table at e1001c68 with 50 entries in use

PROCESS 8179b7a8  SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    DirBase: 0fc01000  ObjectTable: e1003e38  HandleCount: 137.
    Image: System
    VadRoot 817c11b0 Vads 2 Clone 0 Private 2. Modified 863. Locked 0.
    DeviceMap e10007b8
    Token                             e1000aa8
kd> !token e1000aa8
_TOKEN e1000aa8
TS Session ID: 0
User: S-1-5-18
User Groups: 
 00 S-1-5-32-544
    Attributes - Default Enabled Owner 
 01 S-1-1-0						//包含所有用户的组
    Attributes - Mandatory Default Enabled 
 02 S-1-5-11
    Attributes - Mandatory Default Enabled 
Primary Group: S-1-5-18
Privs: 
 00 0x000000007 SeTcbPrivilege                    Attributes - Enabled Default 
 01 0x000000002 SeCreateTokenPrivilege            Attributes - 
 02 0x000000009 SeTakeOwnershipPrivilege          Attributes - 
 03 0x00000000f SeCreatePagefilePrivilege         Attributes - Enabled Default 
 04 0x000000004 SeLockMemoryPrivilege             Attributes - Enabled Default 
 05 0x000000003 SeAssignPrimaryTokenPrivilege     Attributes - 
 06 0x000000005 SeIncreaseQuotaPrivilege          Attributes - 
 07 0x00000000e SeIncreaseBasePriorityPrivilege   Attributes - Enabled Default 
 08 0x000000010 SeCreatePermanentPrivilege        Attributes - Enabled Default 
 09 0x000000014 SeDebugPrivilege                  Attributes - Enabled Default 
 10 0x000000015 SeAuditPrivilege                  Attributes - Enabled Default 
 11 0x000000008 SeSecurityPrivilege    