Reworked AccessCheckResult.

Author: tyranid

NtApiDotNet/AccessCheckResult.cs

@@ -18,10 +18,9 @@
 namespace NtApiDotNet
 {
     /// <summary>
-    /// Result of an access check with specific access types. This is an extension with
-    /// generic granted access masks.
+    /// Result of an access check with specific access types.
     /// </summary>
-    /// <typeparam name="T">The access rights type.</typeparam>
+    /// <typeparam name="T">The access rights type, must be derived from an Enum.</typeparam>
     public class AccessCheckResult<T> where T : Enum
     {
         /// <summary>
@@ -49,13 +48,17 @@ public class AccessCheckResult<T> where T : Enum
         /// </summary>
         public T SpecificGenericGrantedAccess { get; }
         /// <summary>
+        /// Object type associated with the access.
+        /// </summary>
+        public Guid ObjectType { get; }
+        /// <summary>
         /// Get access check result as a specific access.
         /// </summary>
         /// <returns>The specific access results.</returns>
         public AccessCheckResult<U> ToSpecificAccess<U>() where U : Enum
         {
             return new AccessCheckResult<U>(Status, GrantedAccess, GenericGrantedAccess, PrivilegesRequired, 
-                GrantedAccess.ToSpecificAccess<U>(), GenericGrantedAccess.ToSpecificAccess<U>());
+                GrantedAccess.ToSpecificAccess<U>(), GenericGrantedAccess.ToSpecificAccess<U>(), ObjectType);
         }
         /// <summary>
         /// Get access check result as a specific access.
@@ -65,17 +68,20 @@ public AccessCheckResult<Enum> ToSpecificAccess(Type specific_access_type)
         {
             return new AccessCheckResult<Enum>(Status, GrantedAccess, GenericGrantedAccess, PrivilegesRequired,
                 GrantedAccess.ToSpecificAccess(specific_access_type),
-                GenericGrantedAccess.ToSpecificAccess(specific_access_type));
+                GenericGrantedAccess.ToSpecificAccess(specific_access_type), 
+                ObjectType);
         }
 
         internal AccessCheckResult(NtStatus status,
             AccessMask granted_access,
             AccessMask generic_granted_access,
-            IEnumerable<TokenPrivilege> privilege_required) 
+            IEnumerable<TokenPrivilege> privilege_required,
+            Guid object_type) 
             : this(status, granted_access, 
                   generic_granted_access, privilege_required,
                   granted_access.ToSpecificAccess<T>(),
-                  generic_granted_access.ToSpecificAccess<T>())
+                  generic_granted_access.ToSpecificAccess<T>(),
+                  object_type)
         {
         }
 
@@ -84,14 +90,16 @@ internal AccessCheckResult(NtStatus status,
             AccessMask generic_granted_access,
             IEnumerable<TokenPrivilege> privilege_required,
             T specific_granted_access,
-            T specific_generic_granted_access)
+            T specific_generic_granted_access,
+            Guid object_type)
         {
             Status = status;
             GrantedAccess = granted_access;
             GenericGrantedAccess = generic_granted_access;
             PrivilegesRequired = privilege_required;
             SpecificGrantedAccess = specific_granted_access;
             SpecificGenericGrantedAccess = specific_generic_granted_access;
+            ObjectType = object_type;
         }
     }
 
@@ -103,22 +111,25 @@ public class AccessCheckResult : AccessCheckResult<GenericAccessRights>
         internal AccessCheckResult(NtStatus status,
             AccessMask granted_access,
             SafePrivilegeSetBuffer privilege_set,
-            GenericMapping generic_mapping)
+            GenericMapping generic_mapping,
+            Guid object_type)
             : this(status, granted_access,
                   generic_mapping.UnmapMask(granted_access),
-                  privilege_set?.GetPrivileges() ?? new TokenPrivilege[0])
+                  privilege_set?.GetPrivileges() ?? new TokenPrivilege[0],
+                  object_type)
         {
         }
 
         internal AccessCheckResult(
             NtStatus status,
             AccessMask granted_access,
             AccessMask generic_granted_access,
-            IEnumerable<TokenPrivilege> privilege_required)
+            IEnumerable<TokenPrivilege> privilege_required,
+            Guid object_type)
             : base(status, granted_access, generic_granted_access, privilege_required,
-                  granted_access.ToGenericAccess(), generic_granted_access.ToGenericAccess())
+                  granted_access.ToGenericAccess(), generic_granted_access.ToGenericAccess(),
+                  object_type)
         {
         }
     }
-
 }

NtApiDotNet/NtObjectUtils.cs

@@ -12,14 +12,14 @@
 //  See the License for the specific language governing permissions and
 //  limitations under the License.
 
+using NtApiDotNet.Win32;
 using System;
-using System.IO;
 using System.Collections.Generic;
-using System.Runtime.InteropServices;
+using System.IO;
 using System.Linq;
-using NtApiDotNet.Win32;
-using System.Threading.Tasks;
 using System.Reflection;
+using System.Runtime.InteropServices;
+using System.Threading.Tasks;
 
 namespace NtApiDotNet
 {

NtApiDotNet/NtSecurity.cs

@@ -391,7 +391,8 @@ public static NtResult<AccessCheckResult> AccessCheck(SecurityDescriptor sd, NtT
 
             if (desired_access.IsEmpty)
             {
-                return new AccessCheckResult(NtStatus.STATUS_ACCESS_DENIED, 0, null, generic_mapping).CreateResult();
+                return new AccessCheckResult(NtStatus.STATUS_ACCESS_DENIED, 0, null, 
+                    generic_mapping, object_types.GetDefaultObjectType()).CreateResult();
             }
 
             using (var list = new DisposableList())
@@ -416,7 +417,8 @@ public static NtResult<AccessCheckResult> AccessCheck(SecurityDescriptor sd, NtT
                     if (repeat_count == 0 || status != NtStatus.STATUS_BUFFER_TOO_SMALL)
                     {
                         return status.CreateResult(throw_on_error, () 
-                            => new AccessCheckResult(result_status, granted_access, privs, generic_mapping));
+                            => new AccessCheckResult(result_status, granted_access, 
+                            privs, generic_mapping, object_types.GetDefaultObjectType()));
                     }
 
                     repeat_count--;
@@ -425,6 +427,23 @@ public static NtResult<AccessCheckResult> AccessCheck(SecurityDescriptor sd, NtT
             }
         }
 
+        /// <summary>
+        /// Do an access check between a security descriptor and a token to determine the allowed access.
+        /// </summary>
+        /// <param name="sd">The security descriptor</param>
+        /// <param name="token">The access token.</param>
+        /// <param name="desired_access">The set of access rights to check against</param>
+        /// <param name="principal">An optional principal SID used to replace the SELF SID in a security descriptor.</param>
+        /// <param name="generic_mapping">The type specific generic mapping (get from corresponding NtType entry).</param>
+        /// <param name="object_types">List of object types to check against.</param>
+        /// <returns>The result of the access check.</returns>
+        /// <exception cref="NtException">Thrown if an error occurred in the access check.</exception>
+        public static AccessCheckResult AccessCheck(SecurityDescriptor sd, NtToken token,
+            AccessMask desired_access, Sid principal, GenericMapping generic_mapping, IEnumerable<ObjectTypeEntry> object_types)
+        {
+            return AccessCheck(sd, token, desired_access, principal, generic_mapping, object_types, true).Result;
+        }
+
         /// <summary>
         /// Do an access check between a security descriptor and a token to determine the allowed access.
         /// </summary>
@@ -445,6 +464,24 @@ public static NtResult<AccessCheckResult<T>> AccessCheck<T>(SecurityDescriptor s
                 generic_mapping, object_types, throw_on_error).Map(r => r.ToSpecificAccess<T>());
         }
 
+        /// <summary>
+        /// Do an access check between a security descriptor and a token to determine the allowed access.
+        /// </summary>
+        /// <param name="sd">The security descriptor</param>
+        /// <param name="token">The access token.</param>
+        /// <param name="desired_access">The set of access rights to check against</param>
+        /// <param name="principal">An optional principal SID used to replace the SELF SID in a security descriptor.</param>
+        /// <param name="generic_mapping">The type specific generic mapping (get from corresponding NtType entry).</param>
+        /// <param name="object_types">List of object types to check against.</param>
+        /// <returns>The result of the access check.</returns>
+        /// <exception cref="NtException">Thrown if an error occurred in the access check.</exception>
+        public static AccessCheckResult<T> AccessCheck<T>(SecurityDescriptor sd, NtToken token,
+            T desired_access, Sid principal, GenericMapping generic_mapping, IEnumerable<ObjectTypeEntry> object_types) 
+                where T : Enum
+        {
+            return AccessCheck(sd, token, desired_access, principal, generic_mapping, object_types, true).Result;
+        }
+
         /// <summary>
         /// Do an access check between a security descriptor and a token to determine the allowed access.
         /// </summary>
@@ -1372,6 +1409,13 @@ private static void GetCapabilitySids(string capability_name, out Sid capability
             }
         }
 
+        private static Guid GetDefaultObjectType(this IEnumerable<ObjectTypeEntry> object_types)
+        {
+            if (object_types == null)
+                return Guid.Empty;
+            return object_types.Select(e => e.ObjectType).FirstOrDefault();
+        }
+
         #endregion
     }
 }

NtApiDotNet/NtSecurityNative.cs

@@ -555,6 +555,21 @@ public class ObjectTypeEntry
         public int Level { get; set; }
         public Guid ObjectType { get; set; }
 
+        public ObjectTypeEntry()
+        {
+        }
+
+        public ObjectTypeEntry(Guid object_type, int level)
+        {
+            ObjectType = object_type;
+            Level = level;
+        }
+
+        public ObjectTypeEntry(Guid object_type) 
+            : this(object_type, 0)
+        {
+        }
+
         internal ObjectTypeList ToStruct(DisposableList resources)
         {
             return new ObjectTypeList()

NtObjectManager/NtSecurityCmdlets.cs

@@ -675,6 +675,12 @@ public class GetNtGrantedAccessCmdlet : Cmdlet
         [Parameter]
         public SwitchParameter PassResult { get; set; }
 
+        /// <summary>
+        /// <para type="description">Specify object types for access check..</para>
+        /// </summary>
+        [Parameter]
+        public ObjectTypeEntry[] ObjectType { get; set; }
+
         /// <summary>
         /// Constructor.
         /// </summary>
@@ -739,7 +745,7 @@ protected override void ProcessRecord()
                 if (type == null)
                     throw new ArgumentException("Must specify a type.");
                 var result = NtSecurity.AccessCheck(GetSecurityDescriptor(), 
-                    token, AccessMask, Principal, type.GenericMapping).ToSpecificAccess(type.AccessRightsType);
+                    token, AccessMask, Principal, type.GenericMapping, ObjectType).ToSpecificAccess(type.AccessRightsType);
                 if (PassResult)
                 {
                     WriteObject(result);