Windows access checks


Access checks
The Windows security model requires that a thread specify up front, at the time that it opens an object, what types of actions it wants to perform on the object. The object manager calls the SRM to perform access checks based on a thread's desired access. If the access is granted, a handle is assigned to the thread's process with which the thread (or other threads in the process) can perform further operations on the object.

One event that causes the object manager to perform security access validation is when a thread opens an existing object using a name. When an object is opened by name, the object manager performs a lookup of the specified object in the object manager namespace. If the object isn't located in a secondary namespace, such as the configuration manager's registry namespace or a file system driver's file system namespace, the object manager calls the internal function ObpCreateHandle once it locates the object. As its name implies, ObpCreateHandle creates an entry in the process handle table that becomes associated with the object. ObpCreateHandle first calls ObpGrantAccess to see if the thread has permission to access the object. If so, ObpCreateHandle calls the executive function ExCreateHandle to create the entry in the process handle table. ObpGrantAccess calls ObCheckObjectAccess to initiate the security access check.

ObpGrantAccess passes to ObCheckObjectAccess the security credentials of the thread opening the object, the types of access to the object that the thread is requesting (read, write, delete, and so forth, including object-specific operations), and a pointer to the object. ObCheckObjectAccess first locks the object's security descriptor and the security context of the thread. The object security lock prevents another thread in the system from changing the object's security while the access check is in progress. The lock on the thread's security context prevents another thread (from that process or a different process) from altering the security identity of the thread while security validation is in progress. ObCheckObjectAccess then calls the object's security method to obtain the security settings of the object. (See Chapter 8 in Part 2 for a description of object methods.) The call to the security method might invoke a function in a different executive component. However, many executive objects rely on the system's default security management support.


When an executive component defining an object doesn't want to override the SRM's default security policy, it marks the object type as having default security. Whenever the SRM calls an object's security method, it first checks to see whether the object has default security. An object with default security stores its security information in its header, and its security method is SeDefaultObjectMethod. An object that doesn't rely on default security must manage its own security information and supply a specific security method. Objects that rely on default security include mutexes, events, and semaphores. A file object is an example of an object that overrides default security. The I/O manager, which defines the file object type, has the file system driver on which a file resides manage (or choose not to implement) the security for its files. Thus, when the system queries the security on a file object that represents a file on an NTFS volume, the I/O manager file object security method retrieves the file's security using the NTFS file system driver. Note, however, that ObCheckObjectAccess isn't executed when files are opened because they reside in secondary namespaces. The system invokes a file object's security method only when a thread explicitly queries or sets the security on a file (with the Windows SetFileSecurity or GetFileSecurity functions, for example).

After obtaining an object's security information, ObCheckObjectAccess invokes the SRM function SeAccessCheck. SeAccessCheck is one of the functions at the heart of the Windows security model. Among the input parameters SeAccessCheck accepts are the object's security information, the security identity of the thread as captured by ObCheckObjectAccess, and the access that the thread is requesting. SeAccessCheck returns true or false, depending on whether the thread is granted the access it requested to the object.


Here is an example: Suppose a thread wants to know when a specific process exits (or terminates in some way). It needs to get a handle to the target process by calling the OpenProcess API, passing in two important arguments: the unique process ID (let's assume it's known or has been obtained in some way) and an access mask indicating the operations that the thread wants to perform using the returned handle. Lazy developers may just pass PROCESS_ALL_ACCESS for the access mask, specifying they want all possible access rights for the process. One of the following two results would occur:

If the calling thread can be granted all the permissions, it would get back a valid handle and then could call WaitForSingleObject to wait for the process to exit. However, another thread in the process, perhaps with fewer privileges, can use the same handle to do other operations with the process, such as terminate it prematurely with TerminateProcess, because the handle allows all possible operations on the process.

The call can fail if the calling thread does not have sufficient privileges to be granted all possible access and the result is an invalid handle, meaning no access to the process. This is unfortunate, because the thread just needed to ask for the SYNCHRONIZE access mask. That has a much better chance of succeeding than asking for PROCESS_ALL_ACCESS.

The simple conclusion here is that a thread should request the exact access it requires—no more, no less.

Another event that causes the object manager to execute access validation is when a process references an object using an existing handle. Such references often occur indirectly, as when a process calls on a Windows API to manipulate an object and passes an object handle. For example, a thread opening a file can request read permission to the file. If the thread has permission to access the object in this way, as dictated by its security context and the security settings of the file, the object manager creates a handle—representing the file—in the handle table of the thread's process. The types of accesses the threads in the process are granted through the handle are stored with the handle by the object manager.


Subsequently, the thread could attempt to write to the file using the WriteFile Windows function, passing the file's handle as a parameter. The system service NtWriteFile, which WriteFile calls via Ntdll.dll, uses the object manager function ObReferenceObjectByHandle (documented in the WDK) to obtain a pointer to the file object from the handle. ObReferenceObjectByHandle accepts the access that the caller wants from the object as a parameter. After finding the handle entry in the process handle table, ObReferenceObjectByHandle compares the access being requested with the access granted at the time the file was opened. In this example, ObReferenceObjectByHandle will indicate that the write operation should fail because the caller didn't obtain write access when the file was opened.
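The OpenProcess example above and this WriteFile example exercise the same two checks, modelled here in portable C as an added example (not code from Windows Internals or from Windows itself): a stand-in for SeAccessCheck that answers yes or no from thread identity, desired access and object security; a handle that records the mask granted at open time; and a stand-in for ObReferenceObjectByHandle that compares a later request against that recorded mask rather than against the object's security. The object layout, the SIDs 1001 and 4242 and the object names are constructed for the example; the access-right constants are the Win32 SDK values.

```c
#include <stdbool.h>
#include <stdint.h>

/* Win32 SDK access-right values; PROCESS_ALL_ACCESS is the Vista-and-later definition. */
#define SYNCHRONIZE                       0x00100000u
#define PROCESS_QUERY_LIMITED_INFORMATION 0x00001000u
#define PROCESS_ALL_ACCESS                0x001FFFFFu
#define FILE_READ_DATA                    0x00000001u
#define FILE_WRITE_DATA                   0x00000002u

/* Constructed model: an object's security settings reduce to one SID and the access mask it is allowed;
 * a handle-table entry keeps the access that was granted when the object was opened. */
typedef struct { const char *name; uint32_t allowed_sid; uint32_t allowed; } object_t;
typedef struct { const object_t *obj; uint32_t granted; } handle_t;

/* Stand-in for SeAccessCheck: (thread identity, desired access, object security) -> yes or no.
 * The decision is all-or-nothing: every requested bit must be allowed, or the whole request fails. */
static bool se_access_check(const object_t *obj, uint32_t caller_sid, uint32_t desired) {
    uint32_t allowed = (caller_sid == obj->allowed_sid) ? obj->allowed : 0;
    return (desired & ~allowed) == 0;
}
/* Stand-in for ObpCreateHandle: a handle exists only if the check passed, and it stores exactly 'desired'. */
static bool open_object(const object_t *obj, uint32_t caller_sid, uint32_t desired, handle_t *out) {
    if (!se_access_check(obj, caller_sid, desired)) return false; /* caller is left with an invalid handle */
    out->obj = obj;
    out->granted = desired;
    return true;
}
/* Stand-in for ObReferenceObjectByHandle: compare the operation with the mask granted at open time,
 * not with the object's security descriptor. */
static bool reference_by_handle(const handle_t *h, uint32_t needed) {
    return (needed & ~h->granted) == 0;
}

/* Constructed objects: SID 1001 may only synchronize with and query the target process,
 * but may both read and write the log file. */
static const object_t target_process = { "target.exe", 1001, SYNCHRONIZE | PROCESS_QUERY_LIMITED_INFORMATION };
static const object_t log_file = { "app.log", 1001, FILE_READ_DATA | FILE_WRITE_DATA };

/* OpenProcess scenario: does SID 1001 get a handle when it asks for 'desired'? */
static bool try_open_process(uint32_t desired) {
    handle_t h;
    return open_object(&target_process, 1001, desired, &h);
}
/* WriteFile scenario: open the file for read only, then ask for write access through that same handle. */
static bool write_through_read_handle(void) {
    handle_t h;
    if (!open_object(&log_file, 1001, FILE_READ_DATA, &h)) return false;
    return reference_by_handle(&h, FILE_WRITE_DATA); /* false: write access was never granted */
}
```

Asking for PROCESS_ALL_ACCESS fails outright while asking for SYNCHRONIZE succeeds, and the read-only handle is refused for the write regardless of what the file's security would have allowed.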


The Windows security functions also enable Windows applications to define their own private objects and to call on the services of the SRM (through the AuthZ user-mode APIs, described later) to enforce the Windows security model on those objects. Many kernel-mode functions that the object manager and other executive components use to protect their own objects are exported as Windows user-mode APIs. The user-mode equivalent of SeAccessCheck is the AuthZ API AccessCheck. Windows applications can therefore leverage the flexibility of the security model and transparently integrate with the authentication and administrative interfaces that are present in Windows.


The essence of the SRM's security model is an equation that takes three inputs: the security identity of a thread, the access that the thread wants to an object, and the security settings of the object. The output is either yes or no and indicates whether the security model grants the thread the access it desires. The following sections describe the inputs in more detail and then document the model's access-validation algorithm.

   EXPERIM


 
