c – SECURITY_ATTRIBUTES结构和CreateNamedPipe()

2023年2月17日 232次阅读

我的方案如下：使用CreateNamedPipe()创建命名管道对象的进程具有管理员权限,但客户端进程与CreateFile()“连接”它不具有管理员权限.将NULL作为最后一个参数传递给CreateNamedPipe()似乎默认为admin-only访问权限.

作为一个黑客,我已尝试在管道相关代码的持续时间内执行服务器端ImpersonateLoggedOnUser()/ RevertToSelf()方法,但它失败了.在我看来,这里最好的事情是实际设置一个适当的SECURITY_ATTRIBUTES结构到CreateNamedPipe()的最后一个参数,但我无法弄清楚如何做到这一点.

MSDN example有一个关于注册表键操作的示例,但我缺乏适应我的目的的专业知识.

这就是我尝试过的：

if (!AllocateAndInitializeSid(&SIDAuthWorld, 1,
    SECURITY_WORLD_RID,
    0, 0, 0, 0, 0, 0, 0,
    &pEveryoneSID))
{
    _tprintf(_T("AllocateAndInitializeSid Error %u\n"), GetLastError());
    ret_val = 0;
    goto Cleanup;
}

// Initialize an EXPLICIT_ACCESS structure for an ACE.
// The ACE will allow Everyone read access to the key.
ZeroMemory(&ea, 2 * sizeof(EXPLICIT_ACCESS));
ea[0].grfAccessPermissions = STANDARD_RIGHTS_ALL;
ea[0].grfAccessMode = SET_ACCESS;
ea[0].grfInheritance = NO_INHERITANCE;
ea[0].Trustee.TrusteeForm = TRUSTEE_IS_SID;
ea[0].Trustee.TrusteeType = TRUSTEE_IS_WELL_KNOWN_GROUP;
ea[0].Trustee.ptstrName = (LPTSTR)pEveryoneSID;

// there's another ACE for administrators in between, but is of no relevance here

dwRes = SetEntriesInAcl(2, ea, NULL, &pACL);

// Initialize a security descriptor.  
pSD = (PSECURITY_DESCRIPTOR)LocalAlloc(LPTR,
    SECURITY_DESCRIPTOR_MIN_LENGTH);
if (NULL == pSD)
{
    _tprintf(_T("LocalAlloc Error %u\n"), GetLastError());
    ret_val = 0;
    goto Cleanup;
}

if (!InitializeSecurityDescriptor(pSD,
    SECURITY_DESCRIPTOR_REVISION))
{
    _tprintf(_T("InitializeSecurityDescriptor Error %u\n"),
        GetLastError());
    ret_val = 0;
    goto Cleanup;
}

// Add the ACL to the security descriptor. 
if (!SetSecurityDescriptorDacl(pSD,
    TRUE,     // bDaclPresent flag   
    pACL,
    FALSE))   // not a default DACL 
{
    _tprintf(_T("SetSecurityDescriptorDacl Error %u\n"),
        GetLastError());
    ret_val = 0;
    goto Cleanup;
}

    // Initialize a security attributes structure.
*sa = new SECURITY_ATTRIBUTES;

(*sa)->nLength = sizeof(SECURITY_ATTRIBUTES);
(*sa)->lpSecurityDescriptor = pSD;
(*sa)->bInheritHandle = FALSE;

结果是客户端在CreateFile()上获得错误0x5(访问被拒绝).这有什么不对？

最佳答案您可以将描述符的DACL设置为NULL,以允许任何人访问管道：

pSD = (PSECURITY_DESCRIPTOR) LocalAlloc(LPTR, SECURITY_DESCRIPTOR_MIN_LENGTH);
if (!pSD)
{
    ...
}

if (!InitializeSecurityDescriptor(pSD, SECURITY_DESCRIPTOR_REVISION))
{
    ...
}

if (!SetSecurityDescriptorDacl(pSD, TRUE, NULL, FALSE))
{
    ...
}

SECURITY_ATTRIBUTES sa;
sa.nLength = sizeof(sa);
sa.lpSecurityDescriptor = pSD;
sa.bInheritHandle = FALSE;

... = CreateNamedPipe(..., &sa);