Made AccessCheckResult more generic and added object list.

Author: James Forshaw

NtApiDotNet/AccessCheckResult.cs

@@ -12,33 +12,113 @@
 //  See the License for the specific language governing permissions and
 //  limitations under the License.
 
+using System;
 using System.Collections.Generic;
 
 namespace NtApiDotNet
 {
     /// <summary>
-    /// Result of an access check.
+    /// Result of an access check with specific access types. This is an extension with
+    /// generic granted access masks.
     /// </summary>
-    public class AccessCheckResult
+    /// <typeparam name="T">The access rights type.</typeparam>
+    public class AccessCheckResult<T> where T : Enum
     {
         /// <summary>
         /// The NT status code from the access check.
         /// </summary>
         public NtStatus Status { get; }
         /// <summary>
-        /// The granted access from the check.
+        /// The granted access mask from the check.
         /// </summary>
         public AccessMask GrantedAccess { get; }
         /// <summary>
+        /// The granted access mapped to generic access mask.
+        /// </summary>
+        public AccessMask GenericGrantedAccess { get; }
+        /// <summary>
         /// The required privileges for this access.
         /// </summary>
         public IEnumerable<TokenPrivilege> PrivilegesRequired { get; }
+        /// <summary>
+        /// The specific granted access mask from the check.
+        /// </summary>
+        public T SpecificGrantedAccess { get; }
+        /// <summary>
+        /// The specific granted access mapped to generic access mask.
+        /// </summary>
+        public T SpecificGenericGrantedAccess { get; }
+        /// <summary>
+        /// Get access check result as a specific access.
+        /// </summary>
+        /// <returns>The specific access results.</returns>
+        public AccessCheckResult<U> ToSpecificAccess<U>() where U : Enum
+        {
+            return new AccessCheckResult<U>(Status, GrantedAccess, GenericGrantedAccess, PrivilegesRequired, 
+                GrantedAccess.ToSpecificAccess<U>(), GenericGrantedAccess.ToSpecificAccess<U>());
+        }
+        /// <summary>
+        /// Get access check result as a specific access.
+        /// </summary>
+        /// <returns>The specific access.</returns>
+        public AccessCheckResult<Enum> ToSpecificAccess(Type specific_access_type)
+        {
+            return new AccessCheckResult<Enum>(Status, GrantedAccess, GenericGrantedAccess, PrivilegesRequired,
+                GrantedAccess.ToSpecificAccess(specific_access_type),
+                GenericGrantedAccess.ToSpecificAccess(specific_access_type));
+        }
 
-        internal AccessCheckResult(NtStatus status, AccessMask granted_access, SafePrivilegeSetBuffer privilege_set)
+        internal AccessCheckResult(NtStatus status,
+            AccessMask granted_access,
+            AccessMask generic_granted_access,
+            IEnumerable<TokenPrivilege> privilege_required) 
+            : this(status, granted_access, 
+                  generic_granted_access, privilege_required,
+                  granted_access.ToSpecificAccess<T>(),
+                  generic_granted_access.ToSpecificAccess<T>())
+        {
+        }
+
+        internal AccessCheckResult(NtStatus status,
+            AccessMask granted_access,
+            AccessMask generic_granted_access,
+            IEnumerable<TokenPrivilege> privilege_required,
+            T specific_granted_access,
+            T specific_generic_granted_access)
         {
             Status = status;
             GrantedAccess = granted_access;
-            PrivilegesRequired = privilege_set?.GetPrivileges() ?? new TokenPrivilege[0];
+            GenericGrantedAccess = generic_granted_access;
+            PrivilegesRequired = privilege_required;
+            SpecificGrantedAccess = specific_granted_access;
+            SpecificGenericGrantedAccess = specific_generic_granted_access;
         }
     }
+
+    /// <summary>
+    /// Result of an access check.
+    /// </summary>
+    public class AccessCheckResult : AccessCheckResult<GenericAccessRights>
+    {
+        internal AccessCheckResult(NtStatus status,
+            AccessMask granted_access,
+            SafePrivilegeSetBuffer privilege_set,
+            GenericMapping generic_mapping)
+            : this(status, granted_access,
+                  generic_mapping.UnmapMask(granted_access),
+                  privilege_set?.GetPrivileges() ?? new TokenPrivilege[0])
+        {
+        }
+
+        internal AccessCheckResult(
+            NtStatus status,
+            AccessMask granted_access,
+            AccessMask generic_granted_access,
+            IEnumerable<TokenPrivilege> privilege_required)
+            : base(status, granted_access, generic_granted_access, privilege_required,
+                  granted_access.ToGenericAccess(), generic_granted_access.ToGenericAccess())
+        {
+        }
+    }
+
 }

NtApiDotNet/AccessMask.cs

@@ -97,11 +97,11 @@ public A ToSpecificAccess<A>() where A : Enum
         /// </summary>
         /// <param name="enum_type">The type of enumeration to convert to.</param>
         /// <returns>The converted value.</returns>
-        public object ToSpecificAccess(Type enum_type)
+        public Enum ToSpecificAccess(Type enum_type)
         {
             if (!enum_type.IsEnum)
                 throw new ArgumentException("Type must be an Enum", "enum_type");
-            return Enum.ToObject(enum_type, Access);
+            return (Enum)Enum.ToObject(enum_type, Access);
         }
 
         /// <summary>

NtApiDotNet/NtSecurity.cs

@@ -391,7 +391,7 @@ public static NtResult<AccessCheckResult> AccessCheck(SecurityDescriptor sd, NtT
 
             if (desired_access.IsEmpty)
             {
-                return new AccessCheckResult(NtStatus.STATUS_ACCESS_DENIED, 0, null).CreateResult();
+                return new AccessCheckResult(NtStatus.STATUS_ACCESS_DENIED, 0, null, generic_mapping).CreateResult();
             }
 
             using (var list = new DisposableList())
@@ -404,19 +404,19 @@ public static NtResult<AccessCheckResult> AccessCheck(SecurityDescriptor sd, NtT
                 }
                 var self_sid = list.AddResource(principal?.ToSafeBuffer() ?? SafeSidBufferHandle.Null);
                 var privs = list.AddResource(new SafePrivilegeSetBuffer());
-                var object_type_list = list.AddResource(ConvertObjectTypes(object_types));
+                var object_type_list = ConvertObjectTypes(object_types, list);
                 int repeat_count = 1;
 
                 while (true)
                 {
                     int buffer_length = privs.Length;
                     NtStatus status = NtSystemCalls.NtAccessCheckByType(sd_buffer, self_sid, imp_token.Result.Handle, desired_access,
-                        object_type_list, 0, ref generic_mapping, privs,
+                        object_type_list, object_type_list?.Length ?? 0, ref generic_mapping, privs,
                         ref buffer_length, out AccessMask granted_access, out NtStatus result_status);
                     if (repeat_count == 0 || status != NtStatus.STATUS_BUFFER_TOO_SMALL)
                     {
                         return status.CreateResult(throw_on_error, () 
-                            => new AccessCheckResult(result_status, granted_access, privs));
+                            => new AccessCheckResult(result_status, granted_access, privs, generic_mapping));
                     }
 
                     repeat_count--;
@@ -425,6 +425,26 @@ public static NtResult<AccessCheckResult> AccessCheck(SecurityDescriptor sd, NtT
             }
         }
 
+        /// <summary>
+        /// Do an access check between a security descriptor and a token to determine the allowed access.
+        /// </summary>
+        /// <param name="sd">The security descriptor</param>
+        /// <param name="token">The access token.</param>
+        /// <param name="desired_access">The set of access rights to check against</param>
+        /// <param name="principal">An optional principal SID used to replace the SELF SID in a security descriptor.</param>
+        /// <param name="generic_mapping">The type specific generic mapping (get from corresponding NtType entry).</param>
+        /// <param name="object_types">List of object types to check against.</param>
+        /// <param name="throw_on_error">True to throw on error.</param>
+        /// <returns>The result of the access check.</returns>
+        /// <exception cref="NtException">Thrown if an error occurred in the access check.</exception>
+        public static NtResult<AccessCheckResult<T>> AccessCheck<T>(SecurityDescriptor sd, NtToken token,
+            T desired_access, Sid principal, GenericMapping generic_mapping, IEnumerable<ObjectTypeEntry> object_types,
+            bool throw_on_error) where T : Enum
+        {
+            return AccessCheck(sd, token, (AccessMask)desired_access, principal, 
+                generic_mapping, object_types, throw_on_error).Map(r => r.ToSpecificAccess<T>());
+        }
+
         /// <summary>
         /// Do an access check between a security descriptor and a token to determine the allowed access.
         /// </summary>
@@ -443,6 +463,24 @@ public static NtResult<AccessCheckResult> AccessCheck(SecurityDescriptor sd, NtT
             return AccessCheck(sd, token, desired_access, principal, generic_mapping, null, throw_on_error);
         }
 
+        /// <summary>
+        /// Do an access check between a security descriptor and a token to determine the allowed access.
+        /// </summary>
+        /// <param name="sd">The security descriptor</param>
+        /// <param name="token">The access token.</param>
+        /// <param name="desired_access">The set of access rights to check against</param>
+        /// <param name="principal">An optional principal SID used to replace the SELF SID in a security descriptor.</param>
+        /// <param name="generic_mapping">The type specific generic mapping (get from corresponding NtType entry).</param>
+        /// <param name="throw_on_error">True to throw on error.</param>
+        /// <returns>The result of the access check.</returns>
+        /// <exception cref="NtException">Thrown if an error occurred in the access check.</exception>
+        public static NtResult<AccessCheckResult<T>> AccessCheck<T>(SecurityDescriptor sd, NtToken token,
+            T desired_access, Sid principal, GenericMapping generic_mapping,
+            bool throw_on_error) where T : Enum
+        {
+            return AccessCheck(sd, token, desired_access, principal, generic_mapping, null, throw_on_error);
+        }
+
         /// <summary>
         /// Do an access check between a security descriptor and a token to determine the allowed access.
         /// </summary>
@@ -459,6 +497,22 @@ public static AccessCheckResult AccessCheck(SecurityDescriptor sd, NtToken token
             return AccessCheck(sd, token, desired_access, principal, generic_mapping, true).Result;
         }
 
+        /// <summary>
+        /// Do an access check between a security descriptor and a token to determine the allowed access.
+        /// </summary>
+        /// <param name="sd">The security descriptor</param>
+        /// <param name="token">The access token.</param>
+        /// <param name="desired_access">The set of access rights to check against</param>
+        /// <param name="principal">An optional principal SID used to replace the SELF SID in a security descriptor.</param>
+        /// <param name="generic_mapping">The type specific generic mapping (get from corresponding NtType entry).</param>
+        /// <returns>The result of the access check.</returns>
+        /// <exception cref="NtException">Thrown if an error occurred in the access check.</exception>
+        public static AccessCheckResult<T> AccessCheck<T>(SecurityDescriptor sd, NtToken token,
+            T desired_access, Sid principal, GenericMapping generic_mapping) where T : Enum
+        {
+            return AccessCheck(sd, token, desired_access, principal, generic_mapping, true).Result;
+        }
+
         /// <summary>
         /// Do an access check between a security descriptor and a token to determine the allowed access.
         /// </summary>
@@ -1232,26 +1286,12 @@ private static NtResult<NtToken> DuplicateForAccessCheck(NtToken token, bool thr
             }
         }
 
-        private static SafeArrayBuffer<ObjectTypeList> ConvertObjectTypes(IEnumerable<ObjectTypeEntry> object_types)
+        private static ObjectTypeList[] ConvertObjectTypes(IEnumerable<ObjectTypeEntry> object_types, DisposableList list)
         {
             if (object_types == null || !object_types.Any())
-                return SafeArrayBuffer<ObjectTypeList>.Null;
+                return null;
 
-            var guids = object_types.Select(o => o.ObjectType).ToArray();
-            var ret = new SafeArrayBuffer<ObjectTypeList>(new ObjectTypeList[guids.Length], guids.Length * 16);
-            try
-            {
-                IntPtr ptr = ret.Data.DangerousGetHandle();
-                var arr = object_types.Select((t, i) => new ObjectTypeList() { Level = (short)t.Level, ObjectType = ptr + (i * 16) }).ToArray();
-                ret.WriteArray(0, arr, 0, arr.Length);
-                ret.Data.WriteArray(0, guids, 0, guids.Length);
-                return ret;
-            }
-            catch
-            {
-                ret?.Dispose();
-                throw;
-            }
+            return object_types.Select(o => o.ToStruct(list)).ToArray();
         }
 
         private static CachedSigningLevelEaBuffer ReadCachedSigningLevelVersion1(BinaryReader reader)

NtApiDotNet/NtSecurityNative.cs

@@ -554,6 +554,15 @@ public class ObjectTypeEntry
     {
         public int Level { get; set; }
         public Guid ObjectType { get; set; }
+
+        internal ObjectTypeList ToStruct(DisposableList resources)
+        {
+            return new ObjectTypeList()
+            {
+                Level = (short)Level,
+                ObjectType = resources.AddResource(new SafeStructureInOutBuffer<Guid>(ObjectType)).DangerousGetHandle()
+            };
+        }
     }
 
     public static partial class NtRtl
@@ -752,7 +761,7 @@ public static extern NtStatus NtAccessCheckByType(
             SafeHandle PrincipalSelfSid,
             SafeKernelObjectHandle ClientToken,
             AccessMask DesiredAccess,
-            SafeBuffer ObjectTypeList,
+            [In] ObjectTypeList[] ObjectTypeList,
             int ObjectTypeListLength,
             ref GenericMapping GenericMapping,
             SafePrivilegeSetBuffer RequiredPrivilegesBuffer,

NtObjectManager/NtDirectoryEntry.cs

@@ -13,6 +13,7 @@
 //  limitations under the License.
 
 using NtApiDotNet;
+using System;
 
 namespace NtObjectManager
 {
@@ -24,7 +25,7 @@ public class NtDirectoryEntry
         private NtDirectory _base_directory;
         private SecurityDescriptor _sd;
         private string _symlink_target;
-        private object _maximum_granted_access;
+        private Enum _maximum_granted_access;
         private bool _data_populated;
 
         private void PopulateData()
@@ -49,8 +50,7 @@ private void PopulateData()
                                 _sd = obj.SecurityDescriptor;
                             }
 
-                            NtSymbolicLink link = obj as NtSymbolicLink;
-                            if (link != null && link.IsAccessGranted(SymbolicLinkAccessRights.Query))
+                            if (obj is NtSymbolicLink link && link.IsAccessGranted(SymbolicLinkAccessRights.Query))
                             {
                                 _symlink_target = link.Target;
                             }
@@ -117,7 +117,7 @@ public string SymbolicLinkTarget
         /// <summary>
         /// The maximum granted access to the entry. Can be set to 0 if the caller doesn't have permission to open the actual object.
         /// </summary>
-        public object MaximumGrantedAccess
+        public Enum MaximumGrantedAccess
         {
             get
             {