244 lines
4.8 KiB
C
244 lines
4.8 KiB
C
|
#include "precomp.h"
|
||
|
|
#pragma hdrstop
|
||
|
|
|
||
|
|
|
||
|
|
BOOL
|
||
|
|
IsUserAdmin(
|
||
|
|
VOID
|
||
|
|
)
|
||
|
|
|
||
|
|
/*++
|
||
|
|
|
||
|
|
Routine Description:
|
||
|
|
|
||
|
|
This routine returns TRUE if the caller's process is a
|
||
|
|
member of the Administrators local group.
|
||
|
|
|
||
|
|
Caller is NOT expected to be impersonating anyone and IS
|
||
|
|
expected to be able to open their own process and process
|
||
|
|
token.
|
||
|
|
|
||
|
|
Arguments:
|
||
|
|
|
||
|
|
None.
|
||
|
|
|
||
|
|
Return Value:
|
||
|
|
|
||
|
|
TRUE - Caller has Administrators local group.
|
||
|
|
|
||
|
|
FALSE - Caller does not have Administrators local group.
|
||
|
|
|
||
|
|
--*/
|
||
|
|
|
||
|
|
{
|
||
|
|
HANDLE Token;
|
||
|
|
DWORD BytesRequired;
|
||
|
|
PTOKEN_GROUPS Groups;
|
||
|
|
BOOL b;
|
||
|
|
DWORD i;
|
||
|
|
SID_IDENTIFIER_AUTHORITY NtAuthority = SECURITY_NT_AUTHORITY;
|
||
|
|
PSID AdministratorsGroup;
|
||
|
|
|
||
|
|
//
|
||
|
|
// On non-NT platforms the user is administrator.
|
||
|
|
//
|
||
|
|
if(!ISNT()) {
|
||
|
|
return(TRUE);
|
||
|
|
}
|
||
|
|
|
||
|
|
//
|
||
|
|
// Open the process token.
|
||
|
|
//
|
||
|
|
if(!OpenProcessToken(GetCurrentProcess(),TOKEN_QUERY,&Token)) {
|
||
|
|
return(FALSE);
|
||
|
|
}
|
||
|
|
|
||
|
|
b = FALSE;
|
||
|
|
Groups = NULL;
|
||
|
|
|
||
|
|
//
|
||
|
|
// Get group information.
|
||
|
|
//
|
||
|
|
if(!GetTokenInformation(Token,TokenGroups,NULL,0,&BytesRequired)
|
||
|
|
&& (GetLastError() == ERROR_INSUFFICIENT_BUFFER)
|
||
|
|
&& (Groups = (PTOKEN_GROUPS)LocalAlloc(LPTR,BytesRequired))
|
||
|
|
&& GetTokenInformation(Token,TokenGroups,Groups,BytesRequired,&BytesRequired)) {
|
||
|
|
|
||
|
|
b = AllocateAndInitializeSid(
|
||
|
|
&NtAuthority,
|
||
|
|
2,
|
||
|
|
SECURITY_BUILTIN_DOMAIN_RID,
|
||
|
|
DOMAIN_ALIAS_RID_ADMINS,
|
||
|
|
0, 0, 0, 0, 0, 0,
|
||
|
|
&AdministratorsGroup
|
||
|
|
);
|
||
|
|
|
||
|
|
if(b) {
|
||
|
|
|
||
|
|
//
|
||
|
|
// See if the user has the administrator group.
|
||
|
|
//
|
||
|
|
b = FALSE;
|
||
|
|
for(i=0; i<Groups->GroupCount; i++) {
|
||
|
|
if(EqualSid(Groups->Groups[i].Sid,AdministratorsGroup)) {
|
||
|
|
b = TRUE;
|
||
|
|
break;
|
||
|
|
}
|
||
|
|
}
|
||
|
|
|
||
|
|
FreeSid(AdministratorsGroup);
|
||
|
|
}
|
||
|
|
}
|
||
|
|
|
||
|
|
//
|
||
|
|
// Clean up and return.
|
||
|
|
//
|
||
|
|
|
||
|
|
if(Groups) {
|
||
|
|
LocalFree((HLOCAL)Groups);
|
||
|
|
}
|
||
|
|
|
||
|
|
CloseHandle(Token);
|
||
|
|
|
||
|
|
return(b);
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
BOOL
|
||
|
|
DoesUserHavePrivilege(
|
||
|
|
PTSTR PrivilegeName
|
||
|
|
)
|
||
|
|
|
||
|
|
/*++
|
||
|
|
|
||
|
|
Routine Description:
|
||
|
|
|
||
|
|
This routine returns TRUE if the caller's process has
|
||
|
|
the specified privilege. The privilege does not have
|
||
|
|
to be currently enabled. This routine is used to indicate
|
||
|
|
whether the caller has the potential to enable the privilege.
|
||
|
|
|
||
|
|
Caller is NOT expected to be impersonating anyone and IS
|
||
|
|
expected to be able to open their own process and process
|
||
|
|
token.
|
||
|
|
|
||
|
|
Arguments:
|
||
|
|
|
||
|
|
Privilege - the name form of privilege ID (such as
|
||
|
|
SE_SECURITY_NAME).
|
||
|
|
|
||
|
|
Return Value:
|
||
|
|
|
||
|
|
TRUE - Caller has the specified privilege.
|
||
|
|
|
||
|
|
FALSE - Caller does not have the specified privilege.
|
||
|
|
|
||
|
|
--*/
|
||
|
|
|
||
|
|
{
|
||
|
|
HANDLE Token;
|
||
|
|
ULONG BytesRequired;
|
||
|
|
PTOKEN_PRIVILEGES Privileges;
|
||
|
|
BOOL b;
|
||
|
|
DWORD i;
|
||
|
|
LUID Luid;
|
||
|
|
|
||
|
|
//
|
||
|
|
// On non-NT platforms the user has all privileges
|
||
|
|
//
|
||
|
|
if(!ISNT()) {
|
||
|
|
return(TRUE);
|
||
|
|
}
|
||
|
|
|
||
|
|
//
|
||
|
|
// Open the process token.
|
||
|
|
//
|
||
|
|
if(!OpenProcessToken(GetCurrentProcess(),TOKEN_QUERY,&Token)) {
|
||
|
|
return(FALSE);
|
||
|
|
}
|
||
|
|
|
||
|
|
b = FALSE;
|
||
|
|
Privileges = NULL;
|
||
|
|
|
||
|
|
//
|
||
|
|
// Get privilege information.
|
||
|
|
//
|
||
|
|
if(!GetTokenInformation(Token,TokenPrivileges,NULL,0,&BytesRequired)
|
||
|
|
&& (GetLastError() == ERROR_INSUFFICIENT_BUFFER)
|
||
|
|
&& (Privileges = (PTOKEN_PRIVILEGES)LocalAlloc(LPTR,BytesRequired))
|
||
|
|
&& GetTokenInformation(Token,TokenPrivileges,Privileges,BytesRequired,&BytesRequired)
|
||
|
|
&& LookupPrivilegeValue(NULL,PrivilegeName,&Luid)) {
|
||
|
|
|
||
|
|
//
|
||
|
|
// See if we have the requested privilege
|
||
|
|
//
|
||
|
|
for(i=0; i<Privileges->PrivilegeCount; i++) {
|
||
|
|
|
||
|
|
if(!memcmp(&Luid,&Privileges->Privileges[i].Luid,sizeof(LUID))) {
|
||
|
|
|
||
|
|
b = TRUE;
|
||
|
|
break;
|
||
|
|
}
|
||
|
|
}
|
||
|
|
}
|
||
|
|
|
||
|
|
//
|
||
|
|
// Clean up and return.
|
||
|
|
//
|
||
|
|
|
||
|
|
if(Privileges) {
|
||
|
|
LocalFree((HLOCAL)Privileges);
|
||
|
|
}
|
||
|
|
|
||
|
|
CloseHandle(Token);
|
||
|
|
|
||
|
|
return(b);
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
BOOL
|
||
|
|
EnablePrivilege(
|
||
|
|
IN PTSTR PrivilegeName,
|
||
|
|
IN BOOL Enable
|
||
|
|
)
|
||
|
|
{
|
||
|
|
HANDLE Token;
|
||
|
|
BOOL b;
|
||
|
|
TOKEN_PRIVILEGES NewPrivileges;
|
||
|
|
LUID Luid;
|
||
|
|
|
||
|
|
//
|
||
|
|
// On non-NT platforms the user already has all privileges
|
||
|
|
//
|
||
|
|
if(!ISNT()) {
|
||
|
|
return(TRUE);
|
||
|
|
}
|
||
|
|
|
||
|
|
if(!OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES,&Token)) {
|
||
|
|
return(FALSE);
|
||
|
|
}
|
||
|
|
|
||
|
|
if(!LookupPrivilegeValue(NULL,PrivilegeName,&Luid)) {
|
||
|
|
CloseHandle(Token);
|
||
|
|
return(FALSE);
|
||
|
|
}
|
||
|
|
|
||
|
|
NewPrivileges.PrivilegeCount = 1;
|
||
|
|
NewPrivileges.Privileges[0].Luid = Luid;
|
||
|
|
NewPrivileges.Privileges[0].Attributes = Enable ? SE_PRIVILEGE_ENABLED : 0;
|
||
|
|
|
||
|
|
b = AdjustTokenPrivileges(
|
||
|
|
Token,
|
||
|
|
FALSE,
|
||
|
|
&NewPrivileges,
|
||
|
|
0,
|
||
|
|
NULL,
|
||
|
|
NULL
|
||
|
|
);
|
||
|
|
|
||
|
|
CloseHandle(Token);
|
||
|
|
|
||
|
|
return(b);
|
||
|
|
}
|