// Windows/SecurityUtils.h
#ifndef __WINDOWS_SECURITY_UTILS_H
#define __WINDOWS_SECURITY_UTILS_H
#include <NTSecAPI.h>
#include "Defs.h"
namespace NWindows {
namespace NSecurity {
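// RAII owner of a process access-token HANDLE.
// The handle is obtained with ::OpenProcessToken and released in the
// destructor via Close(); the class is a thin wrapper around
// ::AdjustTokenPrivileges for that token.
class CAccessToken
{
  HANDLE _handle;

  // Non-copyable: the object owns a kernel handle that the destructor
  // closes, so a copy would make two objects close the same handle
  // (double CloseHandle; the second close can hit a reused handle value).
  // Declared but not defined (C++98 idiom) so an accidental copy fails to
  // compile/link instead of silently corrupting handle ownership.
  CAccessToken(const CAccessToken &);
  CAccessToken &operator=(const CAccessToken &);

public:
  CAccessToken(): _handle(NULL) {}
  ~CAccessToken() { Close(); }

  // Closes the held token handle, if any.
  // Returns true when there was nothing to close or ::CloseHandle
  // succeeded. On failure the handle value is kept (not cleared) so the
  // error is not masked; a later Close() will attempt it again.
  bool Close()
  {
    if (_handle == NULL)
      return true;
    bool res = BOOLToBool(::CloseHandle(_handle));
    if (res)
      _handle = NULL;
    return res;
  }

  // Opens the access token of processHandle with desiredAccess
  // (e.g. TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY) and takes ownership of it.
  // Any token held before is closed first; that Close() result is ignored.
  // Returns the ::OpenProcessToken result; GetLastError() holds the reason
  // on failure.
  bool OpenProcessToken(HANDLE processHandle, DWORD desiredAccess)
  {
    Close();
    return BOOLToBool(::OpenProcessToken(processHandle, desiredAccess, &_handle));
  }

  /*
  // Disabled: thread-token variant, not used in this file.
  bool OpenThreadToken(HANDLE threadHandle, DWORD desiredAccess, bool openAsSelf)
  {
    Close();
    return BOOLToBool(::OpenThreadToken(threadHandle, desiredAccess, BoolToBOOL(openAsSelf), &_handle));
  }
  */

  // Thin wrapper over ::AdjustTokenPrivileges on the held token.
  // NOTE (Win32 API contract, not enforced here): a true return only means
  // the call itself succeeded. When some privilege in newState is not held
  // by the token the API still returns TRUE and sets
  // GetLastError() == ERROR_NOT_ALL_ASSIGNED; callers that need the
  // privilege must check GetLastError() after a true return.
  // previousState/returnLength/bufferLength are passed straight through.
  bool AdjustPrivileges(bool disableAllPrivileges, PTOKEN_PRIVILEGES newState,
      DWORD bufferLength, PTOKEN_PRIVILEGES previousState, PDWORD returnLength)
  {
    return BOOLToBool(::AdjustTokenPrivileges(_handle, BoolToBOOL(disableAllPrivileges),
        newState, bufferLength, previousState, returnLength));
  }

  // Same as above without recording the previous state (bufferLength 0,
  // previousState NULL), so the change cannot be rolled back through
  // this object. The ERROR_NOT_ALL_ASSIGNED caveat applies.
  bool AdjustPrivileges(bool disableAllPrivileges, PTOKEN_PRIVILEGES newState)
  {
    return AdjustPrivileges(disableAllPrivileges, newState, 0, NULL, NULL);
  }

  // Applies newState without disabling the other privileges
  // (disableAllPrivileges == false). The ERROR_NOT_ALL_ASSIGNED caveat applies.
  bool AdjustPrivileges(PTOKEN_PRIVILEGES newState)
  {
    return AdjustPrivileges(false, newState);
  }
};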
#ifndef _UNICODE
// Non-UNICODE (ANSI) builds resolve these three LSA entry points at run time
// through GetProcAddress instead of linking them statically (see CPolicy).
// The pointer types mirror the NTSecAPI.h prototypes.
typedef NTSTATUS (NTAPI *LsaOpenPolicyP)(PLSA_UNICODE_STRING SystemName,
PLSA_OBJECT_ATTRIBUTES ObjectAttributes, ACCESS_MASK DesiredAccess, PLSA_HANDLE PolicyHandle);
typedef NTSTATUS (NTAPI *LsaCloseP)(LSA_HANDLE ObjectHandle);
typedef NTSTATUS (NTAPI *LsaAddAccountRightsP)(LSA_HANDLE PolicyHandle,
PSID AccountSid, PLSA_UNICODE_STRING UserRights, ULONG CountOfRights );
// Status returned by CPolicy when an entry point cannot be resolved.
// Numerically equal to STATUS_NOT_IMPLEMENTED; defined locally, presumably
// because ntstatus.h is not included here (TODO confirm).
#define MY_STATUS_NOT_IMPLEMENTED ((NTSTATUS)0xC0000002L)
#endif
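// RAII owner of an LSA policy handle (LSA_HANDLE) opened with LsaOpenPolicy
// and released with LsaClose in the destructor. The member functions are thin
// wrappers around the LSA account-rights API and return the raw NTSTATUS.
//
// In non-UNICODE builds Open/Close/AddAccountRights are resolved at run time
// from the already-loaded Advapi32.dll (GetModuleHandle, not LoadLibrary: no
// DLL search-path lookup and no new reference is taken); if the module or an
// entry point cannot be found they return MY_STATUS_NOT_IMPLEMENTED. The
// remaining wrappers are bound statically in every build.
struct CPolicy
{
protected:
  LSA_HANDLE _handle;
  #ifndef _UNICODE
  HMODULE hModule;
  #endif

public:
  // Implicit conversion so the object can be passed where a raw LSA_HANDLE
  // is expected. Ownership stays with this object: callers must not LsaClose
  // the returned value.
  operator LSA_HANDLE() const { return _handle; }

  CPolicy(): _handle(NULL)
  {
    #ifndef _UNICODE
    // GetModuleHandle does not load the DLL; if advapi32 is not mapped in
    // the process hModule stays NULL and the dynamic wrappers report
    // MY_STATUS_NOT_IMPLEMENTED.
    hModule = GetModuleHandle(TEXT("Advapi32.dll"));
    #endif
  }

  ~CPolicy() { Close(); }

  // Opens a policy handle with desiredAccess (e.g. POLICY_LOOKUP_NAMES |
  // POLICY_CREATE_ACCOUNT for AddAccountRights) and takes ownership of it.
  // A previously held handle is closed first; that Close() status is ignored.
  // Returns the LsaOpenPolicy status (or MY_STATUS_NOT_IMPLEMENTED when the
  // entry point is unavailable in a non-UNICODE build).
  NTSTATUS Open(PLSA_UNICODE_STRING systemName, PLSA_OBJECT_ATTRIBUTES objectAttributes,
      ACCESS_MASK desiredAccess)
  {
    #ifndef _UNICODE
    if (hModule == NULL)
      return MY_STATUS_NOT_IMPLEMENTED;
    LsaOpenPolicyP lsaOpenPolicy = (LsaOpenPolicyP)GetProcAddress(hModule, "LsaOpenPolicy");
    if (lsaOpenPolicy == NULL)
      return MY_STATUS_NOT_IMPLEMENTED;
    #endif
    Close();
    return
      #ifdef _UNICODE
      ::LsaOpenPolicy
      #else
      lsaOpenPolicy
      #endif
      (systemName, objectAttributes, desiredAccess, &_handle);
  }

  // Releases the policy handle, if any. Returns 0 (STATUS_SUCCESS) when
  // nothing was held. The handle field is cleared even when LsaClose fails,
  // so a failed close is reported once and never retried.
  NTSTATUS Close()
  {
    if (_handle == NULL)
      return 0;
    #ifndef _UNICODE
    if (hModule == NULL)
      return MY_STATUS_NOT_IMPLEMENTED;
    LsaCloseP lsaClose = (LsaCloseP)GetProcAddress(hModule, "LsaClose");
    if (lsaClose == NULL)
      return MY_STATUS_NOT_IMPLEMENTED;
    #endif
    NTSTATUS res =
      #ifdef _UNICODE
      ::LsaClose
      #else
      lsaClose
      #endif
      (_handle);
    _handle = NULL;
    return res;
  }

  // Statically bound wrappers. The LSA API allocates the output buffers
  // (*enumerationBuffer, *userRights, *referencedDomains, *names); this
  // class does not track them, so the caller is responsible for releasing
  // them with LsaFreeMemory on success.
  NTSTATUS EnumerateAccountsWithUserRight(PLSA_UNICODE_STRING userRights,
      PLSA_ENUMERATION_INFORMATION *enumerationBuffer, PULONG countReturned)
  {
    // The API's out parameter is PVOID*, hence the cast.
    return LsaEnumerateAccountsWithUserRight(_handle, userRights, (void **)enumerationBuffer, countReturned);
  }

  NTSTATUS EnumerateAccountRights(PSID sid, PLSA_UNICODE_STRING* userRights, PULONG countOfRights)
  {
    return ::LsaEnumerateAccountRights(_handle, sid, userRights, countOfRights);
  }

  NTSTATUS LookupSids(ULONG count, PSID* sids,
      PLSA_REFERENCED_DOMAIN_LIST* referencedDomains, PLSA_TRANSLATED_NAME* names)
  {
    return LsaLookupSids(_handle, count, sids, referencedDomains, names);
  }

  // Grants countOfRights privileges/logon rights from userRights to
  // accountSid. This is a persistent, security-sensitive change to the local
  // security policy (it survives the process); callers should pass the
  // minimal set of rights. Resolved dynamically in non-UNICODE builds.
  NTSTATUS AddAccountRights(PSID accountSid, PLSA_UNICODE_STRING userRights, ULONG countOfRights)
  {
    #ifndef _UNICODE
    if (hModule == NULL)
      return MY_STATUS_NOT_IMPLEMENTED;
    LsaAddAccountRightsP lsaAddAccountRights = (LsaAddAccountRightsP)GetProcAddress(hModule, "LsaAddAccountRights");
    if (lsaAddAccountRights == NULL)
      return MY_STATUS_NOT_IMPLEMENTED;
    #endif
    return
      #ifdef _UNICODE
      ::LsaAddAccountRights
      #else
      lsaAddAccountRights
      #endif
      (_handle, accountSid, userRights, countOfRights);
  }

  // Single-right convenience overload (countOfRights == 1).
  NTSTATUS AddAccountRights(PSID accountSid, PLSA_UNICODE_STRING userRights)
  {
    return AddAccountRights(accountSid, userRights, 1);
  }

  // Revokes rights from accountSid; with allRights == true the LSA API
  // ignores userRights/countOfRights and removes every right (and the
  // account's policy entry). Statically bound in every build.
  NTSTATUS RemoveAccountRights(PSID accountSid, bool allRights, PLSA_UNICODE_STRING userRights, ULONG countOfRights)
  {
    return LsaRemoveAccountRights(_handle, accountSid, (BOOLEAN)(allRights ? TRUE : FALSE), userRights, countOfRights);
  }

private:
  // Non-copyable: the object owns an LSA handle that the destructor releases,
  // so a copy would LsaClose the same handle twice. Declared but not defined
  // (C++98 idiom) so an accidental copy fails to compile/link.
  CPolicy(const CPolicy &);
  CPolicy &operator=(const CPolicy &);
};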
bool AddLockMemoryPrivilege();
}}
#endif