windows Access Token 、ACL、ACE学习笔记

最新推荐文章于 2024-08-06 23:55:56 发布
最新推荐文章于 2024-08-06 23:55:56 发布
阅读量7.6k 收藏 9
点赞数 2
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/xbgprogrammer/article/details/16818973
版权

今日看了看关于windows本身安全机制的一些文章,所以将自己掌握到的一些东西供大家探讨一下。

 

1. Access Token

  windows访问令牌记录着某用户的SID、组ID、Session、及权限等信息,要获取这些信息,可以通过GetTokenInformation API获得。以下是一些代码样例

#define GETATTRI(desc, attri, check) \
if (attri & check)\
{\
	if (desc!=_T(""))\
	{\
		desc += _T(" | ");\
	}\
	desc+=_T(#check);\
}

#define MAKESIDDESC(type) {type, _T(#type)}

struct SIDNameDesc 
{
	SID_NAME_USE type;
	TCHAR* desc;
};

SIDNameDesc gvSidUseType[]=
{
	MAKESIDDESC(SidTypeUser),
	MAKESIDDESC(SidTypeGroup),
	MAKESIDDESC(SidTypeDomain),
	MAKESIDDESC(SidTypeAlias),
	MAKESIDDESC(SidTypeWellKnownGroup),
	MAKESIDDESC(SidTypeDeletedAccount),
	MAKESIDDESC(SidTypeInvalid),
	MAKESIDDESC(SidTypeUnknown),
	MAKESIDDESC(SidTypeComputer),
	MAKESIDDESC(SidTypeLabel),
};

TCHAR* GetSidNameUseDescription(SID_NAME_USE type)
{
	TCHAR* pDesc=NULL;
	int count = sizeof(gvSidUseType) / sizeof(SIDNameDesc);
	for (int i=0;i<count;i++)
	{
		if (gvSidUseType[i].type==type)
		{
			pDesc=gvSidUseType[i].desc;
			break;
		}
	}
	return pDesc;
}

CString GetAttribute(DWORD attribute)
{
	CString strAttri;
	GETATTRI(strAttri,attribute,SE_GROUP_ENABLED);
	GETATTRI(strAttri,attribute,SE_GROUP_ENABLED_BY_DEFAULT);
	GETATTRI(strAttri,attribute,SE_GROUP_LOGON_ID);
	GETATTRI(strAttri,attribute,SE_GROUP_MANDATORY);
	GETATTRI(strAttri,attribute,SE_GROUP_OWNER);
	GETATTRI(strAttri,attribute,SE_GROUP_RESOURCE);
	GETATTRI(strAttri,attribute,SE_GROUP_USE_FOR_DENY_ONLY);

	return strAttri;
}

void dump(PSID pSid)
{
	USES_CONVERSION;

	LPTSTR strSid;
	ConvertSidToStringSid(pSid,&strSid);
	cout<<"SID : "<<T2A(strSid)<<endl;

	TCHAR name[MAX_PATH];
	TCHAR domainName[MAX_PATH];
	DWORD dwNamelen=MAX_PATH;
	DWORD dwDomainNamelen=MAX_PATH;
	SID_NAME_USE nameUse;
	if(!LookupAccountSid(NULL,pSid,name,&dwNamelen,domainName,&dwDomainNamelen,&nameUse))
	{
		cout<<"LookupAccountSid failed with "<<GetLastError()<<endl;
		return;
	}

	StrCat(domainName,_T("\\"));
	StrCat(domainName, name);
	cout<<"Account : "<<T2A(domainName)<<endl;
	cout<<"  Type  : "<<T2A(GetSidNameUseDescription(nameUse))<<endl;
}

void dump(DWORD attribute)
{
	USES_CONVERSION;
	CString strAttri = GetAttribute(attribute);
	cout<<"Attribute : "<<T2A(strAttri)<<endl;
}

void GetTokenUser(HANDLE hToken)
{
	DWORD dwReturnedLen=0;
	GetTokenInformation(hToken, TokenUser, NULL, NULL, &dwReturnedLen);
	if (GetLastError()!=ERROR_INSUFFICIENT_BUFFER)
	{
		cout<<"GetTokenInformation failed with "<<GetLastError()<<endl;
	}

	LPVOID p=LocalAlloc(LPTR, dwReturnedLen);
	if (p==NULL)
	{
		cout<<"LocalAlloc failed with "<<GetLastError()<<endl;
	}

	if(!GetTokenInformation(hToken, TokenUser, p, dwReturnedLen, &dwReturnedLen))
	{
		if (GetLastError()!=ERROR_SUCCESS)
		{
			cout<<"GetTokenInformation failed with "<<GetLastError()<<endl;
		}
	}

	TOKEN_USER* pUser = (TOKEN_USER*)p;
	dump(pUser->User.Sid);
	dump(pUser->User.Attributes);
}


void GetTokenGroup(HANDLE hToken)
{
	DWORD dwReturnedLen=0;
	GetTokenInformation(hToken, TokenGroups, NULL, NULL, &dwReturnedLen);
	if (GetLastError()!=ERROR_INSUFFICIENT_BUFFER)
	{
		cout<<"GetTokenInformation failed with "<<GetLastError()<<endl;
	}

	LPVOID p=LocalAlloc(LPTR, dwReturnedLen);
	if (p==NULL)
	{
		cout<<"LocalAlloc failed with "<<GetLastError()<<endl;
	}

	if(!GetTokenInformation(hToken, TokenGroups, p, dwReturnedLen, &dwReturnedLen))
	{
		if (GetLastError()!=ERROR_SUCCESS)
		{
			cout<<"GetTokenInformation failed with "<<GetLastError()<<endl;
		}
	}

	TOKEN_GROUPS* pGroup = (TOKEN_GROUPS*)p;
	
	for (int i=0;i<pGroup->GroupCount;i++)
	{
		dump(pGroup->Groups[i].Sid);
		dump(pGroup->Groups[i].Attributes);
		cout<<endl;
	}
}

void dump(LUID_AND_ATTRIBUTES privilege)
{
	USES_CONVERSION;
	TCHAR buffer[MAX_PATH];
	DWORD dwLength=MAX_PATH;
	if(!LookupPrivilegeName(NULL,&privilege.Luid,buffer,&dwLength))
	{
		cout<<"LookupPrivilegeName failed with "<<GetLastError()<<endl;
		return;
	}

	CString strAttribute;
	GETATTRI(strAttribute,privilege.Attributes,SE_PRIVILEGE_ENABLED);
	GETATTRI(strAttribute,privilege.Attributes,SE_PRIVILEGE_ENABLED_BY_DEFAULT);
	GETATTRI(strAttribute,privilege.Attributes,SE_PRIVILEGE_REMOVED);
	GETATTRI(strAttribute,privilege.Attributes,SE_PRIVILEGE_USED_FOR_ACCESS);

	CString strDump = buffer;
	strDump += _T(" : ");
	strDump += strAttribute;
	cout<<T2A(strDump)<<endl;
}

void GetPrivileges(HANDLE hToken)
{
	DWORD dwReturnedLen=0;
	GetTokenInformation(hToken, TokenPrivileges, NULL, NULL, &dwReturnedLen);
	if (GetLastError()!=ERROR_INSUFFICIENT_BUFFER)
	{
		cout<<"GetTokenInformation failed with "<<GetLastError()<<endl;
	}

	LPVOID p=LocalAlloc(LPTR, dwReturnedLen);
	if (p==NULL)
	{
		cout<<"LocalAlloc failed with "<<GetLastError()<<endl;
	}

	if(!GetTokenInformation(hToken, TokenPrivileges, p, dwReturnedLen, &dwReturnedLen))
	{
		if (GetLastError()!=ERROR_SUCCESS)
		{
			cout<<"GetTokenInformation failed with "<<GetLastError()<<endl;
		}
	}

	TOKEN_PRIVILEGES* pPrivileges = (TOKEN_PRIVILEGES*)p;

	for (int i=0;i<pPrivileges->PrivilegeCount;i++)
	{
		dump(pPrivileges->Privileges[i]);
	}
}

void GetOwnerInfo(HANDLE hToken)
{
	DWORD dwReturnedLen=0;
	GetTokenInformation(hToken, TokenOwner, NULL, NULL, &dwReturnedLen);
	if (GetLastError()!=ERROR_INSUFFICIENT_BUFFER)
	{
		cout<<"GetTokenInformation failed with "<<GetLastError()<<endl;
	}

	LPVOID p=LocalAlloc(LPTR, dwReturnedLen);
	if (p==NULL)
	{
		cout<<"LocalAlloc failed with "<<GetLastError()<<endl;
	}

	if(!GetTokenInformation(hToken, TokenOwner, p, dwReturnedLen, &dwReturnedLen))
	{
		if (GetLastError()!=ERROR_SUCCESS)
		{
			cout<<"GetTokenInformation failed with "<<GetLastError()<<endl;
		}
	}

	TOKEN_OWNER* pOwner = (TOKEN_OWNER*)p;

	dump(pOwner->Owner);
}


void GetPrimaryGroup(HANDLE hToken)
{
	DWORD dwReturnedLen=0;
	GetTokenInformation(hToken, TokenPrimaryGroup, NULL, NULL, &dwReturnedLen);
	if (GetLastError()!=ERROR_INSUFFICIENT_BUFFER)
	{
		cout<<"GetTokenInformation failed with "<<GetLastError()<<endl;
	}

	LPVOID p=LocalAlloc(LPTR, dwReturnedLen);
	if (p==NULL)
	{
		cout<<"LocalAlloc failed with "<<GetLastError()<<endl;
	}

	if(!GetTokenInformation(hToken, TokenPrimaryGroup, p, dwReturnedLen, &dwReturnedLen))
	{
		if (GetLastError()!=ERROR_SUCCESS)
		{
			cout<<"GetTokenInformation failed with "<<GetLastError()<<endl;
		}
	}

	TOKEN_PRIMARY_GROUP* pPrimaryGroup = (TOKEN_PRIMARY_GROUP*)p;

	dump(pPrimaryGroup->PrimaryGroup);
}

void Print(LPCSTR desc, LUID luid)
{
	LARGE_INTEGER* pli = (LARGE_INTEGER*)&luid;
	cout<<desc<<" : "<<pli->QuadPart<<endl;
}

void dump(TOKEN_STATISTICS* pStatistics)
{
	Print("TokenID", pStatistics->TokenId);
	Print("AuthenticationId", pStatistics->AuthenticationId);
	if (pStatistics->TokenType == TokenPrimary)
	{
		cout<<"Primary Token"<<endl;
	}
	else
	{
		cout<<"Impersonation Token"<<endl;
	}

}

void GetTokenStatistics(HANDLE hToken)
{
	DWORD dwReturnedLen=0;
	GetTokenInformation(hToken, TokenStatistics, NULL, NULL, &dwReturnedLen);
	if (GetLastError()!=ERROR_INSUFFICIENT_BUFFER)
	{
		cout<<"GetTokenInformation failed with "<<GetLastError()<<endl;
	}

	LPVOID p=LocalAlloc(LPTR, dwReturnedLen);
	if (p==NULL)
	{
		cout<<"LocalAlloc failed with "<<GetLastError()<<endl;
	}

	if(!GetTokenInformation(hToken, TokenStatistics, p, dwReturnedLen, &dwReturnedLen))
	{
		if (GetLastError()!=ERROR_SUCCESS)
		{
			cout<<"GetTokenInformation failed with "<<GetLastError()<<endl;
		}
	}

	TOKEN_STATISTICS* pTokenStatistics = (TOKEN_STATISTICS*)p;

	dump(pTokenStatistics);
}

void GetTokenSource(HANDLE hToken)
{
	DWORD dwReturnedLen=0;
	GetTokenInformation(hToken, TokenSource, NULL, NULL, &dwReturnedLen);
	if (GetLastError()!=ERROR_INSUFFICIENT_BUFFER)
	{
		cout<<"GetTokenInformation failed with "<<GetLastError()<<endl;
	}

	LPVOID p=LocalAlloc(LPTR, dwReturnedLen);
	if (p==NULL)
	{
		cout<<"LocalAlloc failed with "<<GetLastError()<<endl;
	}

	if(!GetTokenInformation(hToken, TokenSource, p, dwReturnedLen, &dwReturnedLen))
	{
		if (GetLastError()!=ERROR_SUCCESS)
		{
			cout<<"GetTokenInformation failed with "<<GetLastError()<<endl;
		}
	}

	TOKEN_SOURCE* pSource = (TOKEN_SOURCE*)p;

	cout<<"Source Name : "<<pSource->SourceName<<endl;
	Print("Source ID   : ", pSource->SourceIdentifier);
}

void GetTokenSessionID(HANDLE hToken)
{
	DWORD dwReturnedLen=0;
	DWORD sessionID;
	if(!GetTokenInformation(hToken, TokenSessionId, &sessionID, sizeof(DWORD), &dwReturnedLen))
	{
		cout<<"GetTokenInformation failed with "<<GetLastError()<<endl;
	}

	cout<<"Session ID : "<<sessionID<<endl;
}


大家知道在Win7上管理员登录后会关联两个Access Token,一个是有管理员权限的Access Token,另外一个是被限制权限的Access Token,其中Restricted Access Token中Administrators组的属性为SE_GROUP_USE_FOR_DENY_ONLY,说明系统在访问检查时,只会检查给这个组应用了拒绝访问的那些ACE项,而允许访问的ACE项被忽略。而CheckTokenMembership在判断一个Token是否属于某个组时,这个组必须存在并且组属性包含SE_GROUP_ENABLED,才会认为这个Token属于这个组。所以一个权限未提升的进程的令牌是不会认为属于Administrators组的。

2. 安全描述符

安全描述符是windows安全对象管理的一种数据结构,用来描述允许什么用户使用某种权限访问它,拒绝什么用户使用某种权限访问它。(另外还有一些审计操作,不讨论了)。获取ACE信息,见一些代码

void ParseAce(PACE_HEADER pAceHdr);

#define GETATTRI(mask, check) \
if (mask & check)\
{\
	cout<<#check<<endl;\
}

#define MAKESIDDESC(type) {type, _T(#type)}

struct SIDNameDesc 
{
	SID_NAME_USE type;
	TCHAR* desc;
};

SIDNameDesc gvSidUseType[]=
{
	MAKESIDDESC(SidTypeUser),
	MAKESIDDESC(SidTypeGroup),
	MAKESIDDESC(SidTypeDomain),
	MAKESIDDESC(SidTypeAlias),
	MAKESIDDESC(SidTypeWellKnownGroup),
	MAKESIDDESC(SidTypeDeletedAccount),
	MAKESIDDESC(SidTypeInvalid),
	MAKESIDDESC(SidTypeUnknown),
	MAKESIDDESC(SidTypeComputer),
	MAKESIDDESC(SidTypeLabel),
};

TCHAR* GetSidNameUseDescription(SID_NAME_USE type)
{
	TCHAR* pDesc=NULL;
	int count = sizeof(gvSidUseType) / sizeof(SIDNameDesc);
	for (int i=0;i<count;i++)
	{
		if (gvSidUseType[i].type==type)
		{
			pDesc=gvSidUseType[i].desc;
			break;
		}
	}
	return pDesc;
}

void dump(PSID pSid)
{
	USES_CONVERSION;

	LPTSTR strSid;
	ConvertSidToStringSid(pSid,&strSid);
	cout<<"SID : "<<T2A(strSid)<<endl;

	TCHAR name[MAX_PATH];
	TCHAR domainName[MAX_PATH];
	DWORD dwNamelen=MAX_PATH;
	DWORD dwDomainNamelen=MAX_PATH;
	SID_NAME_USE nameUse;
	if(!LookupAccountSid(NULL,pSid,name,&dwNamelen,domainName,&dwDomainNamelen,&nameUse))
	{
		cout<<"LookupAccountSid failed with "<<GetLastError()<<endl;
		return;
	}

	StrCat(domainName,_T("\\"));
	StrCat(domainName, name);
	cout<<"Account : "<<T2A(domainName)<<endl;
	cout<<"  Type  : "<<T2A(GetSidNameUseDescription(nameUse))<<endl;
}

void dumpAccessMask(ACCESS_MASK mask)
{
	GETATTRI(mask, DELETE);
	GETATTRI(mask, READ_CONTROL);
	GETATTRI(mask, WRITE_DAC);
	GETATTRI(mask, WRITE_OWNER);
	GETATTRI(mask, SYNCHRONIZE);
}


#define MAKESDCDESC(sdc) {sdc, _T(#sdc)}

struct SdcDesc 
{
	DWORD sdc;
	TCHAR* desc;
};

SdcDesc gvSdcDesc[]=
{
	MAKESDCDESC(SE_DACL_AUTO_INHERIT_REQ),
	MAKESDCDESC(SE_DACL_AUTO_INHERITED),
	MAKESDCDESC(SE_DACL_DEFAULTED),
	MAKESDCDESC(SE_DACL_PRESENT),
	MAKESDCDESC(SE_DACL_PROTECTED),
	MAKESDCDESC(SE_GROUP_DEFAULTED),

	MAKESDCDESC(SE_OWNER_DEFAULTED),
	MAKESDCDESC(SE_RM_CONTROL_VALID),
	MAKESDCDESC(SE_SACL_AUTO_INHERIT_REQ),
	MAKESDCDESC(SE_SACL_AUTO_INHERITED),

	MAKESDCDESC(SE_SACL_DEFAULTED),
	MAKESDCDESC(SE_SACL_PRESENT),
	MAKESDCDESC(SE_SACL_PROTECTED),
	MAKESDCDESC(SE_SELF_RELATIVE)
};

void dumpSdc(SECURITY_DESCRIPTOR_CONTROL controlBit)
{
	USES_CONVERSION;

	CString strDesc;
	int count = sizeof(gvSdcDesc)/sizeof(SdcDesc);

	for (int i=0;i<count;i++)
	{
		if (controlBit & gvSdcDesc[i].sdc)
		{
			if (strDesc!=_T(""))
			{
				strDesc += _T(" | ");
			}
			strDesc+=gvSdcDesc[i].desc;
		}
	}

	cout<<"Security Description Control"<<endl;
	cout<<T2A(strDesc)<<endl;
}


int _tmain(int argc, _TCHAR* argv[])
{
	TCHAR* file = _T("F:\\bixy\\topdesk.ini");
	PSID pSidOwner;
	PSID pSidGroup;
	PACL pDacl;
	PSECURITY_DESCRIPTOR pSD;
	DWORD dwRet = GetNamedSecurityInfo(file,SE_FILE_OBJECT,DACL_SECURITY_INFORMATION|OWNER_SECURITY_INFORMATION|GROUP_SECURITY_INFORMATION,
		&pSidOwner,&pSidGroup,&pDacl,NULL,&pSD);
	if (dwRet==ERROR_SUCCESS)
	{
		cout<<"-------------------Owner--------------------"<<endl;
		dump(pSidOwner);
		cout<<endl;
		cout<<"-------------------Group--------------------"<<endl;
		dump(pSidGroup);
	}
	else
	{
		cout<<"GetNamedSecurityInfo failed with "<<dwRet<<endl;
		return 0;
	}

	SECURITY_DESCRIPTOR_CONTROL controlBit;
	DWORD dwRevision;
	if(!GetSecurityDescriptorControl(pSD,&controlBit,&dwRevision))
	{
		cout<<"GetSecurityDescriptorControl failed with "<<GetLastError()<<endl;
		return 0;
	}

	dumpSdc(controlBit);

	ULONG countofExplicitEntries;
	PEXPLICIT_ACCESS pExplicitAcess;
	dwRet = GetExplicitEntriesFromAcl(pDacl,&countofExplicitEntries,&pExplicitAcess);
	if (dwRet==ERROR_SUCCESS)
	{
		for (int i=0;i<countofExplicitEntries;i++)
		{
			cout<<endl<<"----------------------------------------"<<endl;
			cout<<"Explicit Access "<<i+1<<endl;
			cout<<"Access Mask:"<<endl;
			dumpAccessMask(pExplicitAcess[i].grfAccessPermissions);
			cout<<endl;

			cout<<"Access Mode"<<endl;
			switch(pExplicitAcess[i].grfAccessMode)
			{
			case NOT_USED_ACCESS:
				cout<<"NOT_USED_ACCESS"<<endl;
				break;

			case GRANT_ACCESS:
				cout<<"GRANT_ACCESS"<<endl;
				break;

			case SET_ACCESS:
				cout<<"SET_ACCESS"<<endl;
				break;

			case DENY_ACCESS:
				cout<<"DENY_ACCESS"<<endl;
				break;

			case REVOKE_ACCESS:
				cout<<"REVOKE_ACCESS"<<endl;
				break;

			case SET_AUDIT_SUCCESS:
				cout<<"SET_AUDIT_SUCCESS"<<endl;
				break;

			case SET_AUDIT_FAILURE:
				cout<<"SET_AUDIT_FAILURE"<<endl;
				break;
			}

			if (pExplicitAcess[i].Trustee.TrusteeForm==TRUSTEE_IS_SID)
			{
				dump((PSID)pExplicitAcess[i].Trustee.ptstrName);
			}

			cout<<endl<<"--------------------------------"<<endl<<endl;
		}
	}
	else
	{
		cout<<"GetExplicitEntriesFromAcl failed with "<<GetLastError()<<endl;
	}

	TRUSTEE Trustee;
	ZeroMemory(&Trustee,sizeof(TRUSTEE));
	Trustee.pMultipleTrustee=NULL;
	Trustee.MultipleTrusteeOperation=NO_MULTIPLE_TRUSTEE;
	Trustee.TrusteeForm=TRUSTEE_IS_SID;
	Trustee.TrusteeType=TRUSTEE_IS_USER;
	Trustee.ptstrName=(LPTSTR)pSidOwner;

	ACCESS_MASK mask=0;
	dwRet = GetEffectiveRightsFromAcl(pDacl,&Trustee,&mask);
	if (dwRet==ERROR_SUCCESS)
	{
		cout<<endl;
		cout<<"Access Mask:"<<endl;
		dumpAccessMask(mask);
	}
	else
	{
		cout<<"GetEffectiveRightsFromAcl failed with "<<GetLastError()<<endl;
	}

	cout<<endl<<"--------------------------------"<<endl<<endl;
	ACL_SIZE_INFORMATION asi;
	if(!GetAclInformation(pDacl,&asi,sizeof(ACL_SIZE_INFORMATION),AclSizeInformation))
	{
		cout<<"GetAclInformation failed with "<<GetLastError()<<endl;
	}

	for (int i=0;i<asi.AceCount;i++)
	{
		LPVOID pAce;
		if (!GetAce(pDacl,i,&pAce))
		{
			cout<<"GetAce failed with "<<GetLastError()<<endl;
			break;
		}

		PACE_HEADER pAceHeader = (PACE_HEADER)pAce;
		ParseAce(pAceHeader);
	}

	//LocalFree(pDacl);
	cout<<endl;
	return 0;
}

void dumpAceFlags(BYTE flag)
{
	CString strDesc;
	GETATTRI(flag,CONTAINER_INHERIT_ACE);
	GETATTRI(flag,FAILED_ACCESS_ACE_FLAG);
	GETATTRI(flag,INHERIT_ONLY_ACE);
	GETATTRI(flag,INHERITED_ACE);
	GETATTRI(flag,NO_PROPAGATE_INHERIT_ACE);
	GETATTRI(flag,OBJECT_INHERIT_ACE);
	GETATTRI(flag,SUCCESSFUL_ACCESS_ACE_FLAG);
}

void ParseAce(PACCESS_ALLOWED_ACE pAllowedAce)
{
	dumpAccessMask(pAllowedAce->Mask);
	dump((PSID)&pAllowedAce->SidStart);
}

void ParseAce(PACCESS_DENIED_ACE pAllowedAce)
{
	dumpAccessMask(pAllowedAce->Mask);
	dump((PSID)&pAllowedAce->SidStart);
}

void ParseAce(PSYSTEM_ALARM_OBJECT_ACE pAllowedAce)
{

}

void ParseAce(PSYSTEM_ALARM_ACE pAllowedAce)
{

}


void ParseAce(PSYSTEM_ALARM_CALLBACK_ACE pAllowedAce)
{

}

void ParseAce(PSYSTEM_ALARM_CALLBACK_OBJECT_ACE pAllowedAce)
{

}

void ParseAce(PSYSTEM_AUDIT_ACE pAllowedAce)
{

}

void ParseAce(PSYSTEM_MANDATORY_LABEL_ACE pAllowedAce)
{

}


void ParseAce(PACE_HEADER pAceHdr)
{
	cout<<"-------------------------------------"<<endl;
	cout<<"-------------------------------------"<<endl;
	cout<<"-------------------------------------"<<endl;
	dumpAceFlags(pAceHdr->AceFlags);
	cout<<endl;
	if (pAceHdr->AceType == ACCESS_ALLOWED_ACE_TYPE)
	{
		cout<<"ACCESS_ALLOWED_ACE_TYPE"<<endl;
		ParseAce((PACCESS_ALLOWED_ACE)pAceHdr);
	}
	else if (pAceHdr->AceType == ACCESS_DENIED_ACE_TYPE)
	{
		cout<<"ACCESS_DENIED_ACE_TYPE"<<endl;
		ParseAce((PACCESS_DENIED_ACE)pAceHdr);
	}
	else if(pAceHdr->AceType == SYSTEM_ALARM_OBJECT_ACE_TYPE)
	{
		cout<<"SYSTEM_ALARM_OBJECT_ACE_TYPE"<<endl;
		ParseAce((PSYSTEM_ALARM_OBJECT_ACE)pAceHdr);
	}
	else if (pAceHdr->AceType == SYSTEM_ALARM_ACE_TYPE)
	{
		cout<<"SYSTEM_ALARM_ACE_TYPE"<<endl;
		ParseAce((PSYSTEM_ALARM_ACE)pAceHdr);
	}
	else if (pAceHdr->AceType == SYSTEM_ALARM_CALLBACK_ACE_TYPE)
	{
		cout<<"SYSTEM_ALARM_CALLBACK_ACE_TYPE"<<endl;
		ParseAce((PSYSTEM_ALARM_CALLBACK_ACE)pAceHdr);
	}
	else if (pAceHdr->AceType == SYSTEM_ALARM_CALLBACK_OBJECT_ACE_TYPE)
	{
		cout<<"SYSTEM_ALARM_CALLBACK_OBJECT_ACE_TYPE"<<endl;
		ParseAce((PSYSTEM_ALARM_CALLBACK_OBJECT_ACE)pAceHdr);
	}
	else if (pAceHdr->AceType == SYSTEM_AUDIT_ACE_TYPE)
	{
		cout<<"SYSTEM_AUDIT_ACE_TYPE"<<endl;
		ParseAce((PSYSTEM_ALARM_ACE)pAceHdr);
	}
	else if (pAceHdr->AceType == SYSTEM_MANDATORY_LABEL_ACE_TYPE)
	{
		cout<<"SYSTEM_MANDATORY_LABEL_ACE_TYPE"<<endl;
		ParseAce((PSYSTEM_MANDATORY_LABEL_ACE)pAceHdr);
	}
	cout<<endl;
}


3. 为新建对象使用安全描述符(或更改描述符)

#define MAKESDCDESC(sdc) {sdc, _T(#sdc)}

struct SdcDesc 
{
	DWORD sdc;
	TCHAR* desc;
};

SdcDesc gvSdcDesc[]=
{
	MAKESDCDESC(SE_DACL_AUTO_INHERIT_REQ),
	MAKESDCDESC(SE_DACL_AUTO_INHERITED),
	MAKESDCDESC(SE_DACL_DEFAULTED),
	MAKESDCDESC(SE_DACL_PRESENT),
	MAKESDCDESC(SE_DACL_PROTECTED),
	MAKESDCDESC(SE_GROUP_DEFAULTED),

	MAKESDCDESC(SE_OWNER_DEFAULTED),
	MAKESDCDESC(SE_RM_CONTROL_VALID),
	MAKESDCDESC(SE_SACL_AUTO_INHERIT_REQ),
	MAKESDCDESC(SE_SACL_AUTO_INHERITED),

	MAKESDCDESC(SE_SACL_DEFAULTED),
	MAKESDCDESC(SE_SACL_PRESENT),
	MAKESDCDESC(SE_SACL_PROTECTED),
	MAKESDCDESC(SE_SELF_RELATIVE)
};

void dumpSdc(SECURITY_DESCRIPTOR_CONTROL controlBit)
{
	USES_CONVERSION;

	CString strDesc;
	int count = sizeof(gvSdcDesc)/sizeof(SdcDesc);

	for (int i=0;i<count;i++)
	{
		if (controlBit & gvSdcDesc[i].sdc)
		{
			if (strDesc!=_T(""))
			{
				strDesc += _T(" | ");
			}
			strDesc+=gvSdcDesc[i].desc;
		}
	}

	cout<<"Security Description Control"<<endl;
	cout<<T2A(strDesc)<<endl;
}

void CreateDACL()
{
	TCHAR* filename = _T("F:\\bixy\\topdesk.ini");


	SECURITY_DESCRIPTOR sd;
	PACL pAcl;
	InitializeSecurityDescriptor(&sd, SECURITY_DESCRIPTOR_REVISION);


	EXPLICIT_ACCESS explicitAccess;
	ZeroMemory(&explicitAccess,sizeof(EXPLICIT_ACCESS));
	BuildExplicitAccessWithName(&explicitAccess, _T("Everyone"), GENERIC_READ|GENERIC_WRITE, GRANT_ACCESS, NO_INHERITANCE);
	
	DWORD dwRet = SetEntriesInAcl(1, &explicitAccess, NULL, &pAcl);
	if (ERROR_SUCCESS != dwRet) 
	{
		cout<<"SetEntriesInAcl failed with "<<GetLastError()<<endl;
		return;
	}

	EXPLICIT_ACCESS explicitAccess2;
	ZeroMemory(&explicitAccess2,sizeof(EXPLICIT_ACCESS));
	BuildExplicitAccessWithName(&explicitAccess2, _T("Administrators"), GENERIC_READ|GENERIC_WRITE, DENY_ACCESS, CONTAINER_INHERIT_ACE);

	dwRet = SetEntriesInAcl(1, &explicitAccess2, pAcl, &pAcl);
	if (ERROR_SUCCESS != dwRet) 
	{
		cout<<"SetEntriesInAcl failed with "<<GetLastError()<<endl;
		return;
	}

	//PSID Sid;
	//DWORD SidSize;
	//SidSize = SECURITY_MAX_SID_SIZE;
	 Allocate enough memory for the largest possible SID.
	//if(!(Sid = LocalAlloc(LMEM_FIXED, SidSize)))
	//{    
	//	cout<<"LocalAlloc failed with "<<GetLastError()<<endl;
	//	return;
	//}

	//if(!CreateWellKnownSid(WinBuiltinAdministratorsSid ,NULL,Sid,&SidSize))
	//{
	//	cout<<"CreateWellKnownSid failed with "<<GetLastError()<<endl;
	//	return;
	//}

	//if(!AddAccessDeniedAce(pAcl,ACL_REVISION,GENERIC_READ|GENERIC_WRITE,Sid))
	//{
	//	cout<<"AddAccessDeniedAce failed with "<<GetLastError()<<endl;
	//	return;
	//}

	SetSecurityDescriptorDacl(&sd, TRUE, pAcl, FALSE);


	SECURITY_DESCRIPTOR_CONTROL controlBit;
	DWORD dwRevision;
	if(!GetSecurityDescriptorControl(&sd,&controlBit,&dwRevision))
	{
		cout<<"GetSecurityDescriptorControl failed with "<<GetLastError()<<endl;
		return;
	}

	dumpSdc(controlBit);

	SECURITY_ATTRIBUTES sa;
	sa.nLength=sizeof(SECURITY_ATTRIBUTES);
	sa.bInheritHandle=FALSE;
	sa.lpSecurityDescriptor=&sd;


	HANDLE hFile = CreateFile(filename,GENERIC_READ|GENERIC_WRITE, NULL, &sa, CREATE_ALWAYS, NULL,NULL);
	CloseHandle(hFile);
}


 ps:判断当前用户是否域登录,可以先查询用户所属的组,再用LookupAccountSid查询组Sid的SID_NAME_USE

 

xbgprogrammer
关注
xxl-job报错:xxl-job registry fail:The access token is wrong
雾林小妖的博客
12-26 5843
springboot整合xxl-job分布式任务调度框架报错:xxl-job registry fail The access token is wrong
Windows Access Token
purvispanwu的博客
12-04 680
Windows Token
Windows 中的 ACL,DACL,SACLACE
顺其自然~专栏
01-29 1194
DACL(Discretionary Access Control List,自由决定的访问控制列表),主要用于设置。- SACL(System Access Control List,SACL,系统访问控制列表),用于。- SD 有助于控制对对象的访问,它包含所有者的信息、要审核的内容以及以何种方式授予访问权限。(Access Control Entries)构成。- 它包含了真正的用于设置安全权限的 ACL。配置对安全对象的访问的审计(生成日志)。- 每个 ACL 由多个。
windows@修改目录或文件的所有者权限@访问控制列表ACL@共享文件夹访问权限
最新发布
xuchaoxin1375的博客
08-06 1071
windows个人用户对文件夹或文件做访问控制权限设置的情况比较少,但有时确实需要一类是不当得使用管理员权限做某些更改或者授权给某些软件运行了一些修改文件夹或文件的命令导致用户访问发生异常另一方面则是用户主动利用访问控制权限保护数据不被未授权的行为造成影响,比如共享文件夹为特定用户设置特定的权限,那么就要配合NTFS访问控制权限设置,授权不同用户不同的访问权限。
Consul之ACL加上token-yellowcong
01-15 2502
这个是Consul 1.4.2 ,这个主要有5步骤,1. 创建acl.json 在配置文件夹中(-config-dir=/etc/consul),2.启动服务,启动的时候,需要指定启动目录以及数据目录。3.创建初始化密钥,这个密钥是根密钥,其他的token都是基于这个给弄出来的。4.配置agent的acl策略,然后创建token。 5.添加token到consul启动的配置文件中。6.设置匿名用...
测试real application security 的ACLACE
wgz7747147820的博客
02-17 221
测试ACLACE 在创建ACLACE的过程中,基本上所有的东西都没有进行verify,比如 19:57:35 SQL> declare ace_list xs$ace_list; st_date timestamp with time zone; en_date timestamp with time zone; begin st_date :=systimestamp; en_date :=to_timestamp_tz('2021-12-31 00:00:00 -08:20','yy
GitLab: 使用用户名/密码创建Access Token的暂定方法
热门推荐
知行合一 止于至善
07-20 1万+
GitLab升级到后续的版本之后,由于Session API已经不再支持,通过用户名/密码方式获取Access Token的方式需要换一种方式,这篇文章介绍一下一种通过使用cookie获取的方式。
HDFS block access token认证机制
走在前往架构师的路上
12-28 1957
文章目录前言Block access tokenHDFS block access token的原理 前言 在存储系统中,数据的安全性无疑是十分重要的。在我们常见的文件系统中,最常使用的方式是通过文件目录的权限来做数据访问的控制。在HDFS这样分布式存储系统中,其内部实现同样沿用了这样的方式来做数据访问的控制。但是在HDFS拥有如此海量数据规模的系统中,我们只做文件权限的检查是足够安全的吗?鉴于HDFS的架构设计,权限检查是发生在NameNode端的,这时倘若一个恶意用户绕过了文件权限检查,然后直接访问实
token 微信access 过期_微信公众号开发之解决Access Token过期的问题
weixin_42515063的博客
01-30 2492
因为access_token,在以后的高级功能里面会经常用到,所以这里不得不这里对前面所讲解的access_token改造一下。另外需要说明的是access_token是变化的,有自己的周期,官方解释为:"有效期为7200秒",这就要求我们把获得的access_token存入一个物理文件或者Application中,请求到过期后修改这些内容,需要用的时候读出来.有些人可能想到了,如果过期我就在获得...
GitLab: 使用用户名/密码创建Access Token的示例脚本
知行合一 止于至善
07-23 5417
这篇文章总结一下上篇文章的内容,整理了一个示例用的脚本,只需要传入admin用户名、密码和gitlab的url即可创建指定名称的apitoken
ACL&ACE的三条原则!
技术点滴
09-02 4966
第一:NTFS Permission are Cumulative 即多个组被赋予的不同的权限是可以累加的。第二:File Override Folder Permission 即文件的权限占先于目录的权限。文件的权限先起作用,文件夹的权限后起作用。即底层的权限优先。第三:Deny Override Other Permission 即拒绝访问权限优先。
关于:Windows 中的 ACL,DACL,SACLACE
老陈醋的博客
02-11 2547
关于:Windows 中的 ACL,DACL,SACLACE
Windows认证基础知识
hello
02-21 1147
域管理员是在整个域控中管理权限最高的,为了防止域管理员的令牌被恶意窃取,必须禁止域管理员异机登录。如果因一些特殊情况域管理员登录了其他机器,应及时将令牌清除,以防止令牌被窃取。
再聊Windows的访问控制(Access Control)(三)
stevenjoo67的博客
04-16 731
ACE继承
EXPLICIT_ACCESS
hyczwl的专栏
10-03 2223
EXPLICIT_ACCESS EXPLICIT_ACCESS结构为一个指定的受托人定义访问控制信息. 访问控制函数,例如SetEntriesInAcl和GetExplicitEntriesFromAcl, 使用这种结构来描述在一个访问控制列表(ACL)的访问控制条目(ACE)的信息。 typedef struct _EXPLICIT_ACCESS {   DWORD grfAccess
Consul ACL集群配置说明以及ACL Token的用法
weixin_34124939的博客
06-05 1451
在上一篇文章里面,我们讲了如何搭建带有Acl控制的Consul集群。 这一篇文章主要讲述一下上一篇文章那一大串配置文件的含义。 1.配置说明 #1.1 勘误 上一篇文章关于机器规划方面,consul client agent的端口写的有误。这里再贴一下正确的机器规划。 1.2 我们先来看一下consul server agent的配置。 上一节中,提供了三个配置文件,consul-server1...
学习笔记-ACL
人饭子的博客
11-05 428
ACL 什么是 ACL windows 系统中的 ACL(Access Control List),用来表示组与用户权限的列表。比如文件、注册表的权限都包括 ACL,它用来表示哪些组与用户具有操作权限,其实主要是一组规则,定义哪些组与用户等对特定 AD 对象具有哪些权限。 ACL Access Control List,用来表示用户(组)权限的列表,包括 DACL 和 SACLACE Ac...
win7文件扩展名关联打开方式时崩溃(RtlQueryInformationAcl+0x9)的调试
u010607621的博客
07-13 1606
故障现象 win7x64,装了蓝山办公,再卸载之,就出现了文件扩展名关联打开方式时会崩溃。 dmp分析 捕获进程崩溃dmp,可知崩溃的进程为rundll32.exe,崩溃时的栈如下: 00000000`000eec00 000007fe`fce9b35a : 00000000`000706e4 00000000`00310ea8 00000000`00000111 00000000`00000000 : ntdll!RtlQueryInformationAcl+0x9 00000000`000eec30
C#实现微信access_token获取与签名验证
在C#编程中,获取微信access_token是一个关键任务,特别是在处理微信文章的二次转发时,确保标题和图片信息不会丢失。access_token是微信开放平台提供的一个临时密钥,用于与微信服务器进行安全通信,验证应用的身份...
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值