Updated access checking to return privileges and check status.

Author: tyranid

NtApiDotNet/AccessCheckResult.cs

@@ -0,0 +1,44 @@
+//  Copyright 2020 Google Inc. All Rights Reserved.
+//
+//  Licensed under the Apache License, Version 2.0 (the "License");
+//  you may not use this file except in compliance with the License.
+//  You may obtain a copy of the License at
+//
+//  http://www.apache.org/licenses/LICENSE-2.0
+//
+//  Unless required by applicable law or agreed to in writing, software
+//  distributed under the License is distributed on an "AS IS" BASIS,
+//  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+//  See the License for the specific language governing permissions and
+//  limitations under the License.
+
+using System.Collections.Generic;
+
+namespace NtApiDotNet
+{
+    /// <summary>
+    /// Result of an access check.
+    /// </summary>
+    public class AccessCheckResult
+    {
+        /// <summary>
+        /// The NT status code from the access check.
+        /// </summary>
+        public NtStatus Status { get; }
+        /// <summary>
+        /// The granted access from the check.
+        /// </summary>
+        public AccessMask GrantedAccess { get; }
+        /// <summary>
+        /// The required privileges for this access.
+        /// </summary>
+        public IEnumerable<TokenPrivilege> PrivilegesRequired { get; }
+
+        internal AccessCheckResult(NtStatus status, AccessMask granted_access, SafePrivilegeSetBuffer privilege_set)
+        {
+            Status = status;
+            GrantedAccess = granted_access;
+            PrivilegesRequired = privilege_set?.GetPrivileges() ?? new TokenPrivilege[0];
+        }
+    }
+}

NtApiDotNet/NtApiDotNet.csproj

@@ -46,6 +46,7 @@
     <Reference Include="System.XML" />
   </ItemGroup>
   <ItemGroup>
+    <Compile Include="AccessCheckResult.cs" />
     <Compile Include="AccessMask.cs" />
     <Compile Include="AccessMaskEntry.cs" />
     <Compile Include="Ace.cs" />

NtApiDotNet/NtObjectWithDuplicate.cs

@@ -194,11 +194,6 @@ internal O ShallowClone()
             return ShallowClone(new SafeKernelObjectHandle(Handle.DangerousGetHandle(), false), false);
         }
 
-        private A UIntToAccess(GenericAccessRights access)
-        {
-            return (A)Enum.ToObject(typeof(A), (uint)access);
-        }
-
         /// <summary>
         /// Get granted access for handle.
         /// </summary>

NtApiDotNet/NtSecurity.cs

@@ -494,26 +494,27 @@ public static Sid SidFromSddl(string sddl)
             return SidFromSddl(sddl, true).Result;
         }
 
-        private static NtToken DuplicateForAccessCheck(NtToken token)
+        private static NtResult<NtToken> DuplicateForAccessCheck(NtToken token, bool throw_on_error)
         {
             if (token.IsPseudoToken)
             {
                 // This is a pseudo token, pass along as no need to duplicate.
-                return token;
+                return token.CreateResult();
             }
 
             if (token.TokenType == TokenType.Primary)
             {
-                return token.DuplicateToken(TokenType.Impersonation, SecurityImpersonationLevel.Identification, TokenAccessRights.Query);
+                return token.DuplicateToken(TokenType.Impersonation, 
+                    SecurityImpersonationLevel.Identification, TokenAccessRights.Query, throw_on_error);
             }
             else if (!token.IsAccessGranted(TokenAccessRights.Query))
             {
-                return token.Duplicate(TokenAccessRights.Query);
+                return token.Duplicate(TokenAccessRights.Query, throw_on_error);
             }
             else
             {
                 // If we've got query access rights already just create a shallow clone.
-                return token.ShallowClone();
+                return token.ShallowClone().CreateResult();
             }
         }
 
@@ -525,10 +526,12 @@ private static NtToken DuplicateForAccessCheck(NtToken token)
         /// <param name="access_rights">The set of access rights to check against</param>
         /// <param name="principal">An optional principal SID used to replace the SELF SID in a security descriptor.</param>
         /// <param name="generic_mapping">The type specific generic mapping (get from corresponding NtType entry).</param>
-        /// <returns>The allowed access mask as a unsigned integer.</returns>
+        /// <param name="throw_on_error">True to throw on error.</param>
+        /// <returns>The result of the access check.</returns>
         /// <exception cref="NtException">Thrown if an error occurred in the access check.</exception>
-        public static AccessMask GetAllowedAccess(SecurityDescriptor sd, NtToken token,
-            AccessMask access_rights, Sid principal, GenericMapping generic_mapping)
+        public static NtResult<AccessCheckResult> AccessCheck(SecurityDescriptor sd, NtToken token,
+            AccessMask access_rights, Sid principal, GenericMapping generic_mapping,
+            bool throw_on_error)
         {
             if (sd == null)
             {
@@ -542,33 +545,71 @@ public static AccessMask GetAllowedAccess(SecurityDescriptor sd, NtToken token,
 
             if (access_rights.IsEmpty)
             {
-                return AccessMask.Empty;
+                return new AccessCheckResult(NtStatus.STATUS_ACCESS_DENIED, 0, null).CreateResult();
             }
 
-            using (SafeBuffer sd_buffer = sd.ToSafeBuffer())
+            using (var list = new DisposableList())
             {
-                using (NtToken imp_token = DuplicateForAccessCheck(token))
+                var sd_buffer = list.AddResource(sd.ToSafeBuffer());
+                var imp_token = list.AddResource(DuplicateForAccessCheck(token, throw_on_error));
+                if (!imp_token.IsSuccess)
                 {
-                    using (var privs = new SafePrivilegeSetBuffer())
-                    {
-                        int buffer_length = privs.Length;
+                    return imp_token.Cast<AccessCheckResult>();
+                }
+                var self_sid = list.AddResource(principal?.ToSafeBuffer() ?? SafeSidBufferHandle.Null);
+                var privs = list.AddResource(new SafePrivilegeSetBuffer());
+                int repeat_count = 1;
 
-                        using (var self_sid = principal != null ? principal.ToSafeBuffer() : SafeSidBufferHandle.Null)
-                        {
-                            NtSystemCalls.NtAccessCheckByType(sd_buffer, self_sid, imp_token.Handle, access_rights,
-                                SafeHGlobalBuffer.Null, 0, ref generic_mapping, privs,
-                                ref buffer_length, out AccessMask granted_access, out NtStatus result_status).ToNtException();
-                            if (result_status.IsSuccess())
-                            {
-                                return granted_access;
-                            }
-                            return AccessMask.Empty;
-                        }
+                while (true)
+                {
+                    int buffer_length = privs.Length;
+                    NtStatus status = NtSystemCalls.NtAccessCheckByType(sd_buffer, self_sid, imp_token.Result.Handle, access_rights,
+                        SafeHGlobalBuffer.Null, 0, ref generic_mapping, privs,
+                        ref buffer_length, out AccessMask granted_access, out NtStatus result_status);
+                    if (repeat_count == 0 || status != NtStatus.STATUS_BUFFER_TOO_SMALL)
+                    {
+                        return status.CreateResult(throw_on_error, () 
+                            => new AccessCheckResult(result_status, granted_access, privs));
                     }
+
+                    repeat_count--;
+                    privs = list.AddResource(new SafePrivilegeSetBuffer(buffer_length));
                 }
             }
         }
 
+        /// <summary>
+        /// Do an access check between a security descriptor and a token to determine the allowed access.
+        /// </summary>
+        /// <param name="sd">The security descriptor</param>
+        /// <param name="token">The access token.</param>
+        /// <param name="access_rights">The set of access rights to check against</param>
+        /// <param name="principal">An optional principal SID used to replace the SELF SID in a security descriptor.</param>
+        /// <param name="generic_mapping">The type specific generic mapping (get from corresponding NtType entry).</param>
+        /// <returns>The result of the access check.</returns>
+        /// <exception cref="NtException">Thrown if an error occurred in the access check.</exception>
+        public static AccessCheckResult AccessCheck(SecurityDescriptor sd, NtToken token,
+            AccessMask access_rights, Sid principal, GenericMapping generic_mapping)
+        {
+            return AccessCheck(sd, token, access_rights, principal, generic_mapping, true).Result;
+        }
+
+        /// <summary>
+        /// Do an access check between a security descriptor and a token to determine the allowed access.
+        /// </summary>
+        /// <param name="sd">The security descriptor</param>
+        /// <param name="token">The access token.</param>
+        /// <param name="access_rights">The set of access rights to check against</param>
+        /// <param name="principal">An optional principal SID used to replace the SELF SID in a security descriptor.</param>
+        /// <param name="generic_mapping">The type specific generic mapping (get from corresponding NtType entry).</param>
+        /// <returns>The allowed access mask as a unsigned integer.</returns>
+        /// <exception cref="NtException">Thrown if an error occurred in the access check.</exception>
+        public static AccessMask GetAllowedAccess(SecurityDescriptor sd, NtToken token,
+            AccessMask access_rights, Sid principal, GenericMapping generic_mapping)
+        {
+            return AccessCheck(sd, token, access_rights, principal, generic_mapping, true).Result.GrantedAccess;
+        }
+
         /// <summary>
         /// Do an access check between a security descriptor and a token to determine the allowed access.
         /// </summary>

NtApiDotNet/NtSecurityNative.cs

@@ -15,6 +15,7 @@
 using System;
 using System.Collections.Generic;
 using System.IO;
+using System.Linq;
 using System.Runtime.InteropServices;
 
 namespace NtApiDotNet
@@ -254,11 +255,18 @@ internal CachedSigningLevelEaBufferV3(int version2, int flags, SigningLevel sign
         }
     }
 
+    [Flags]
+    public enum PrivilegeSetControlFlags
+    {
+        None = 0,
+        AllNecessary = 1,
+    }
+
     [StructLayout(LayoutKind.Sequential), DataStart("Privilege")]
     public struct PrivilegeSet
     {
         public int PrivilegeCount;
-        public int Control;
+        public PrivilegeSetControlFlags Control;
         public LuidAndAttributes Privilege;
     }
 
@@ -297,15 +305,51 @@ public enum SigningLevel
 
     public class SafePrivilegeSetBuffer : SafeStructureInOutBuffer<PrivilegeSet>
     {
-        public SafePrivilegeSetBuffer(int count)
-            : base(new PrivilegeSet(),
-                  count * Marshal.SizeOf(typeof(LuidAndAttributes)),
+        private SafePrivilegeSetBuffer(bool owns_handle) 
+            : base(IntPtr.Zero, 0, owns_handle)
+        {
+        }
+
+        private SafePrivilegeSetBuffer(PrivilegeSet privilege_set, int count)
+            : base(privilege_set, count * Marshal.SizeOf(typeof(LuidAndAttributes)),
                   true)
         {
         }
 
-        public SafePrivilegeSetBuffer() : this(1)
+        private SafePrivilegeSetBuffer(IEnumerable<TokenPrivilege> privileges,
+            PrivilegeSetControlFlags control, int count) : this(new PrivilegeSet() { Control = control, PrivilegeCount = count },
+                count)
+        {
+            if (count <= 0)
+            {
+                throw new ArgumentException("Privilege count must be greater than 0", nameof(count));
+            }
+            var luids = privileges.Select(p => new LuidAndAttributes() { Luid = p.Luid, Attributes = p.Attributes }).ToArray();
+            Data.WriteArray(0, luids, 0, luids.Length);
+        }
+
+        public SafePrivilegeSetBuffer(int total_size) 
+            : base(total_size, false)
+        {
+        }
+
+        public SafePrivilegeSetBuffer(IEnumerable<TokenPrivilege> privileges, 
+            PrivilegeSetControlFlags control) : this(privileges, control, privileges.Count())
+        {
+        }
+
+        public SafePrivilegeSetBuffer() : this(new PrivilegeSet(), 1)
+        {
+        }
+
+        public static new SafePrivilegeSetBuffer Null => new SafePrivilegeSetBuffer(false);
+
+        public IEnumerable<TokenPrivilege> GetPrivileges()
         {
+            var result = Result;
+            LuidAndAttributes[] luids = new LuidAndAttributes[result.PrivilegeCount];
+            Data.ReadArray(0, luids, 0, luids.Length);
+            return luids.Select(l => new TokenPrivilege(l.Luid, l.Attributes)).ToArray();
         }
     }
 

NtApiDotNet/NtTokenNative.cs

@@ -366,7 +366,7 @@ public long ToInt64()
     public struct LuidAndAttributes
     {
         public Luid Luid;
-        public uint Attributes;
+        public PrivilegeAttributes Attributes;
     }
 
     [StructLayout(LayoutKind.Sequential), DataStart("Privileges")]
@@ -674,7 +674,7 @@ public void AddPrivilege(Luid luid, PrivilegeAttributes attributes)
             LuidAndAttributes priv = new LuidAndAttributes
             {
                 Luid = luid,
-                Attributes = (uint)attributes
+                Attributes = attributes
             };
             _privs.Add(priv);
         }
@@ -697,7 +697,7 @@ public void AddPrivilege(TokenPrivilege privilege)
 
         public void AddPrivilegeRange(IEnumerable<TokenPrivilege> privileges)
         {
-            _privs.AddRange(privileges.Select(p => new LuidAndAttributes() { Luid = p.Luid, Attributes = (uint)p.Attributes }));
+            _privs.AddRange(privileges.Select(p => new LuidAndAttributes() { Luid = p.Luid, Attributes = p.Attributes }));
         }
 
         public SafeTokenPrivilegesBuffer ToBuffer()