MSDN DCOM Architecture安全示例代码的DELPHI版本

MSDN DCOM Architecture安全示例代码的DELPHI版本

     windows安全代码基本上是c/c++代码，对于DELPHI程序员而言，学习windows安全，必须要有c/c++语言基础，这是无法回避的过程（许多windows核心技术文档都是c/c++语法，delphi程序员要想在windows原生代码上有所提高，必须学会基本的c/c++语言，其实很希望有一位高手能够在windwos系统核心编程方面写些DELPHI方面的技术文档，此一方面我本人仍不能忘记李维先生对，正是他地COM系统丛书缩短了DELPHI程序员与windows核心技术的距离）。

近期重读MSDN中间关于DCOM安全的文档，看到了其中“DCOM Architecture Sample: Enumerating a security descriptor”的示例代码，感觉其中涉及到DACL的获取、ACE项目的枚举和被受权实体的 获得，比较有代表性，而且其中有许多指针的操作和类型转换，是将c/c++代码转换成DELPHI的好示例，因此下面将两个版本的同贴于下，有兴趣者可以对比代码之间的不同。

program pOleSec; {$APPTYPE CONSOLE} uses windows, SysUtils, ActiveX, uSecurity in 'uSecurity.pas'; const _MAX_PATH=2048; var hKeyOLE:HKEY; dwSDSize:DWORD; pSD:PSECURITY_DESCRIPTOR; bHasDacl,bDefaulted:BOOL; pDacl:PACL; pACE:PACE_HEADER; i,n:integer; szUser:array [0.._MAX_PATH] of char; szDomain:array [0.._MAX_PATH] of char; dwUserSize:DWORD; dwDomainSize:DWORD; use:SID_NAME_USE; begin { TODO -oUser -cConsole Main : Insert code here } RegOpenKeyEx(HKEY_LOCAL_MACHINE,'SOFTWARE/Microsoft/Ole', 0, KEY_READ, hKeyOLE); RegQueryValueEx(hKeyOLE, 'DefaultLaunchPermission', nil,nil,nil, @dwSDSize); psd:=CoTaskMemAlloc(dwSDSize); RegQueryValueEx(hKeyOLE, 'DefaultLaunchPermission', nil,nil, pSD, @dwSDSize); RegCloseKey(hKeyOLE); GetSecurityDescriptorDacl(pSD, bHasDacl, pDACL, bDefaulted); if (pDACL<>nil) then begin // Enumerate the ACEs in the DACL. n:=pDacl^.AceCount; for i:=0 to n-1 do begin // Retrieve ACE i. GetAce(pDACL^, i, pointer(pAce)); // Test for AceType. Case pace.AceType of ACCESS_ALLOWED_ACE_TYPE, ACCESS_DENIED_ACE_TYPE: begin // Find the account name given the SID in the ACE. dwUserSize:=sizeof(szUser); dwDomainSize:=sizeof(szDomain); LookupAccountSid( nil, @PACCESS_ALLOWED_ACE(pAce)^.SidStart, // ACCESS_DENIED_ACE is polymorphic. szUser, dwUserSize, szDomain, dwDomainSize, use); if (pAce^.AceType =ACCESS_ALLOWED_ACE_TYPE) then write('Allow') else write('Deny'); writeln(format(' access to principal %s/%s',[szDomain, szUser])); end; SYSTEM_AUDIT_ACE_TYPE: writeln('Audit ACE''s not allowed in DACL!' ); else writeln('Unknown ACE type in DACL'); end;//case end;//for end;//if CoTaskMemFree(pSD); end. ======================================== unit uSecurity; interface uses windows, SysUtils, ActiveX; const ACCESS_ALLOWED_ACE_TYPE=$0; ACCESS_DENIED_ACE_TYPE=$1; SYSTEM_AUDIT_ACE_TYPE=$2; type {typedef struct _ACE_HEADER { // acehdr BYTE AceType; BYTE AceFlags; WORD AceSize; ACE_HEADER;} _ACE_HEADER=RECORD AceType:Byte; AceFlags:Byte; AceSize:Word; end; PACE_HEADER=^ACE_HEADER; ACE_HEADER=_ACE_HEADER; { typedef struct _ACCESS_ALLOWED_ACE { // aaace ACE_HEADER Header; ACCESS_MASK Mask; DWORD SidStart; // ACCESS_ALLOWED_ACE;} _ACCESS_ALLOWED_ACE=RECORD Header:ACE_HEADER; Mask:ACCESS_MASK; SidStart:DWORD; end; PACCESS_ALLOWED_ACE=^ACCESS_ALLOWED_ACE; ACCESS_ALLOWED_ACE=_ACCESS_ALLOWED_ACE; implementation end.

DCOM Architecture Sample: Enumerating a security descriptor The following sample program illustrates how the security descriptor for default access permissions can be read from the registry and how the security principals in the DACL can be enumerated: #include "windows.h" #include "stdio.h" main() { // Open registry key. HKEY hKeyOLE=NULL; RegOpenKeyEx(HKEY_LOCAL_MACHINE, "SOFTWARE//Microsoft//Ole", 0, KEY_READ, &hKeyOLE); // Read security descriptor length. DWORD dwSDSize=0; RegQueryValueEx(hKeyOLE, "DefaultAccessPermission", NULL, NULL, NULL, &dwSDSize); // Read security descriptor data. SECURITY_DESCRIPTOR* pSD = (SECURITY_DESCRIPTOR*) CoTaskMemAlloc(dwSDSize); RegQueryValueEx(hKeyOLE, "DefaultAccessPermission", NULL, NULL, (LPBYTE) pSD, &dwSDSize); RegCloseKey(hKeyOLE); // Get the DACL. BOOL bHasDacl, bDefaulted; ACL* pDACL=NULL; GetSecurityDescriptorDacl(pSD, &bHasDacl, &pDACL, &bDefaulted); if (pDACL) { // Enumerate the ACEs in the DACL. ACE_HEADER* pAce=NULL; for (int i=0; i<pDACL->AceCount; i++) { // Retrieve ACE i. GetAce(pDACL, i, (void**) &pAce); // Test for AceType. switch (pAce->AceType) { case ACCESS_ALLOWED_ACE_TYPE: case ACCESS_DENIED_ACE_TYPE: { // Find the account name given the SID in the ACE. TCHAR szUser[_MAX_PATH]; TCHAR szDomain[_MAX_PATH]; DWORD dwUserSize=sizeof(szUser); DWORD dwDomainSize=sizeof(szDomain); SID_NAME_USE use; LookupAccountSid( NULL, &(((ACCESS_ALLOWED_ACE*)pAce)->SidStart), // ACCESS_DENIED_ACE is polymorphic. szUser, &dwUserSize, szDomain, &dwDomainSize, &use); // Print the principal information. if (pAce->AceType==ACCESS_ALLOWED_ACE_TYPE) printf("Allow"); else printf("Deny"); printf(" access to principal %s//%s/n", szDomain, szUser); break; } // Only allow and deny ACEs are allowed in DACLs! case SYSTEM_AUDIT_ACE_TYPE: printf("Audit ACE's not allowed in DACL!/n"); break; case SYSTEM_ALARM_ACE_TYPE: printf("Alarm ACE's not allowed in DACL!/n"); break; default: printf("Unknown ACE type in DACL/n"); break; } } } CoTaskMemFree(pSD); // Free the security descriptor. return 0; }

代码中ACE_HEADER等结构和常量DELPHI源代码中没有定义，相关结构定义在uSecurity单元中。建议看这段代码时将delphi和c/c++函数说明放在一起对比一下，这里有意思的是LookupAccountSid的对比，其中即可以看到指针转换的运用，也可以看到对ACE结构的具体操作，很有代表性

Delphi中的声明：
Function LookupAccountSid(
  lpSystemName: PChar;
  Sid: PSID;
  Name: PChar;
  var cbName: DWORD;
  ReferencedDomainName: PChar;
  var cbReferencedDomainName: DWORD;
  var peUse: SID_NAME_USE): BOOL; stdcall;

C/C++中的声明：
 BOOL LookupAccountSid(
    LPCTSTR lpSystemName, // address of string for system name
    PSID Sid, // address of security identifier
    LPTSTR Name, // address of string for account name
    LPDWORD cbName, // address of size account string
    LPTSTR ReferencedDomainName, // address of string for referenced domain
    LPDWORD cbReferencedDomainName, // address of size domain string
    PSID_NAME_USE peUse // address of structure for SID type
   );
DELPHI的调用如下：
LookupAccountSid( nil, 
                                @PACCESS_ALLOWED_ACE(pAce)^.SidStart, 
                               szUser,
                               dwUserSize,
                               szDomain,
                               dwDomainSize,
                                use);
C/C++的调用如下：
LookupAccountSid( NULL,
                              &(((ACCESS_ALLOWED_ACE*)pAce)->SidStart), 
                               szUser,
                              &dwUserSize,
                              szDomain,
                             &dwDomainSize,
                             &use);

 

  代码中pAce原是ACE_HEADER结构，被转换成ACCESS_ALLOWED_ACE结构，并取得了其成员SidStart变量的地址。在这段代码中运用了ACCESS_ALLOWED_ACE结构起始成员是ACE_HEADER这一事实，巧妙得取得DACL中每个ACE包含的SID。  这段代码中是对注册表中存储的安全信息进行访问，你可以将其换成其他任何windows可执行对象如进程、线程、段、互斥量等等。

   上述DELPHI代码可以编译成控制台应用，在控制台下执行后，将可获得本地计算机中默认具有启动COM服务的用户实体名(帐户名)。