1689 lines
43 KiB
C++
1689 lines
43 KiB
C++
// SessionResolver.cpp : Implementation of CSessionResolver
|
|
#include "stdafx.h"
|
|
#include "SAFSessionResolver.h"
|
|
#include "SessionResolver.h"
|
|
#include <sddl.h>
|
|
#include <userenv.h>
|
|
#include <winerror.h>
|
|
#include <wtsapi32.h>
|
|
#include <winsta.h>
|
|
#include <wchar.h>
|
|
#include <stdarg.h>
|
|
#include <io.h>
|
|
#include <fcntl.h>
|
|
#include <stdio.h>
|
|
#include <sys/types.h>
|
|
#include <sys/stat.h>
|
|
#define ANSI
|
|
#include <stdarg.h>
|
|
#include <psapi.h>
|
|
|
|
//
|
|
// HCAPI stuff
|
|
//
|
|
#include <ProjectConstants.h>
|
|
#include <MPC_utils.h>
|
|
#include <rderror.h>
|
|
|
|
#define BUF_SZ 200
|
|
|
|
typedef struct _WTS_USER_SESSION_INFO {
|
|
DWORD dwIndex; // Index into full table of these
|
|
DWORD dwSessionId; // WTS Session ID
|
|
HANDLE hUserToken; // Access token for user
|
|
HANDLE hEvent; // filled in by launchex, yank on this to say "yes"
|
|
HANDLE hProcess; // filled in by CreateProcessAsUser
|
|
HANDLE hThread; // so's this
|
|
DWORD dwProcessId; // and this
|
|
DWORD dwThreadId; // and this
|
|
} WTS_USER_SESSION_INFO, *PWTS_USER_SESSION_INFO;
|
|
|
|
// stolen from internal/ds/inc
|
|
|
|
#define RtlGenRandom SystemFunction036
|
|
|
|
extern "C" {
|
|
BOOL WINAPI
|
|
RtlGenRandom(
|
|
OUT PVOID RandomBuffer,
|
|
IN ULONG RandomBufferLength
|
|
);
|
|
}
|
|
|
|
/*
|
|
* Forward declarations
|
|
*/
|
|
void SetEventLog(bool yes, WCHAR *pUser, WCHAR *pDomain);
|
|
HANDLE OurCreateEvent(WCHAR *lpNameBfr, int iBufCnt, PSECURITY_DESCRIPTOR pSD);
|
|
PSID GetRealSID( BSTR pTextSID);
|
|
DWORD getUserName(PSID pUserSID, WCHAR **lpName, WCHAR **lpDomain);
|
|
HANDLE launchEx(PSID pUserSID, WTS_USER_SESSION_INFO *UserInfo, WCHAR *ConnectParms, WCHAR *HelpUrl, WCHAR *lpName, WCHAR *lpDomain, WCHAR *expertHelpBlob, WCHAR *userHelpBlob, SECURITY_ATTRIBUTES *sa);
|
|
DWORD GetUserSessions(PSID pUserSID, PWTS_USER_SESSION_INFO *pUserTbl, DWORD *pEntryCnt, WCHAR *lpName, WCHAR *lpDomain);
|
|
PSECURITY_DESCRIPTOR CreateSd(PSID pUserSID);
|
|
BOOL SecurityCheck(PSID pUserSID);
|
|
DWORD localKill(WTS_USER_SESSION_INFO *SessInfo, LPTHREAD_START_ROUTINE killThrd, LPSECURITY_ATTRIBUTES lpSA);
|
|
LPTHREAD_START_ROUTINE getKillProc(void);
|
|
BOOL ListFind(PSPLASHLIST pSplash, PSID user);
|
|
BOOL ListInsert(PSPLASHLIST pSplash, PSID user);
|
|
BOOL ListDelete(PSPLASHLIST pSplash, PSID user);
|
|
BOOL GetPropertyValueFromBlob(BSTR bstrHelpBlob, WCHAR * pName, WCHAR** ppValue);
|
|
|
|
/************ things that should remain as defines ****************/
|
|
// Some environment variables used to communicate with scripts
|
|
#define ENV_USER L"USERNAME"
|
|
#define ENV_DOMAIN L"USERDOMAIN"
|
|
#define ENV_EVENT L"PCHEVENTNAME"
|
|
#define ENV_INDEX L"PCHSESSIONENUM"
|
|
#define ENV_PARMS L"PCHCONNECTPARMS"
|
|
#define EVENT_PREFIX L"Alex:PCH"
|
|
|
|
#define MODULE_NAME L"safrslv"
|
|
|
|
// I can't imagine a user having more logins than this on one server, but...
|
|
#define MAX_SESSIONS 30 // used to be 256
|
|
|
|
/************ our debug spew stuff ******************/
|
|
void DbgSpew(int DbgClass, BSTR lpFormat, va_list ap);
|
|
void TrivialSpew(BSTR lpFormat, ...);
|
|
void InterestingSpew(BSTR lpFormat, ...);
|
|
void ImportantSpew(BSTR lpFormat, ...);
|
|
void HeinousESpew(BSTR lpFormat, ...);
|
|
void HeinousISpew(BSTR lpFormat, ...);
|
|
|
|
#define DBG_MSG_TRIVIAL 0x001
|
|
#define DBG_MSG_INTERESTING 0x002
|
|
#define DBG_MSG_IMPORTANT 0x003
|
|
#define DBG_MSG_HEINOUS 0x004
|
|
#define DBG_MSG_DEST_DBG 0x010
|
|
#define DBG_MSG_DEST_FILE 0x020
|
|
#define DBG_MSG_DEST_EVENT 0x040
|
|
#define DBG_MSG_CLASS_ERROR 0x100
|
|
#define DBG_MSG_CLASS_SECURE 0x200
|
|
|
|
#define TRIVIAL_MSG(msg) TrivialSpew msg
|
|
#define INTERESTING_MSG(msg) InterestingSpew msg
|
|
#define IMPORTANT_MSG(msg) ImportantSpew msg
|
|
#define HEINOUS_E_MSG(msg) HeinousESpew msg
|
|
#define HEINOUS_I_MSG(msg) HeinousISpew msg
|
|
|
|
/* Strings for some error spewage. I waste the space since these friendly strings
|
|
* do make it into the Event Logs...
|
|
*/
|
|
WCHAR *lpszConnectState[] = {
|
|
L"State_Active",
|
|
L"State_Connected",
|
|
L"State_ConnectQuery",
|
|
L"State_Shadow",
|
|
L"State_Disconnected",
|
|
L"State_Idle",
|
|
L"State_Listen",
|
|
L"State_Reset",
|
|
L"State_Down",
|
|
L"State_Init"
|
|
};
|
|
|
|
/*
|
|
* This global flag controls the amount of spew that we
|
|
* produce. Legit values are as follows:
|
|
* 1 = Trivial msgs displayed
|
|
* 2 = Interesting msgs displayed
|
|
* 3 = Important msgs displayed
|
|
* 4 = only the most Heinous msgs displayed
|
|
* The ctor actually sets this to 3 by default, but it can
|
|
* be overridden by setting:
|
|
* HKLM, Software/Microsoft/SAFSessionResolver, DebugSpew, DWORD
|
|
*/
|
|
int gDbgFlag = 0x1;
|
|
int iDbgFileHandle = 0;
|
|
long lSessionTag;
|
|
|
|
/////////////////////////////////////////////////////////////////////////////
|
|
// CSessionResolver Methods
|
|
/*************************************************************
|
|
*
|
|
* NewResolveTSRDPSessionID(ConnectParms, userSID, *sessionID)
|
|
* Returns the WTS SessionID for the one enabled and
|
|
* ready to accept Remote Control.
|
|
*
|
|
* RETURN CODES:
|
|
* WTS_Session_ID Connection accepted by user
|
|
* RC_REFUSED Connection refused by user
|
|
* RC_TIMEOUT User never responded
|
|
* NONE_ACTIVE Found no active WTS sessions
|
|
* API_FAILURE Something bad happened
|
|
*
|
|
*************************************************************/
|
|
STDMETHODIMP
|
|
CSessionResolver::ResolveUserSessionID(
|
|
/*[in]*/BSTR connectParms,
|
|
/*[in]*/BSTR userSID,
|
|
/*[in]*/ BSTR expertHelpBlob,
|
|
/*[in]*/ BSTR userHelpBlob,
|
|
/*[out, retval]*/long *sessionID,
|
|
/*[in*/ DWORD dwPID,
|
|
/*[out]*/ULONG_PTR *hHelpCtr
|
|
,/*[out, retval]*/int *userResponse
|
|
)
|
|
{
|
|
INTERESTING_MSG((L"CSessionResolver::ResolveUserSessionID"));
|
|
|
|
DWORD result;
|
|
HANDLE hRdsAddin = NULL;
|
|
PSID pRealSID = NULL;
|
|
WCHAR *pUsername=NULL, *pDomainname=NULL;
|
|
PWTS_USER_SESSION_INFO pUserSessionInfo=NULL;
|
|
PSECURITY_DESCRIPTOR pSD=NULL;
|
|
HRESULT ret_code;
|
|
int i;
|
|
int TsIndex=-1;
|
|
DWORD dwUserSessionCnt, dwSessionCnt;
|
|
HANDLE pHandles[(MAX_SESSIONS*2)+1];
|
|
DWORD dwhIndex = 0;
|
|
SECURITY_ATTRIBUTES sa;
|
|
BOOL bAlreadyHelped, bRemoval=FALSE;
|
|
WCHAR *pExpertId=NULL, *pUserId=NULL;
|
|
|
|
/* param validation */
|
|
if (!connectParms || !userSID || !sessionID || !hHelpCtr
|
|
|| !userResponse
|
|
)
|
|
{
|
|
IMPORTANT_MSG((L"Invalid params ConnectParms=0x%x, UserSID=0x%x, SessionID=0x%x", connectParms, userSID, sessionID));
|
|
ret_code = E_INVALIDARG;
|
|
goto done;
|
|
}
|
|
|
|
// set a default ret code
|
|
*userResponse = SAFERROR_INTERNALERROR;
|
|
|
|
if (dwPID)
|
|
hRdsAddin = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPID);
|
|
|
|
if (hRdsAddin)
|
|
{
|
|
DWORD dwRes;
|
|
WCHAR *szAddin = L"rdsaddin.exe";
|
|
WCHAR szTmp[32];
|
|
|
|
dwRes = GetModuleBaseNameW(hRdsAddin, NULL, szTmp, ARRAYSIZE(szTmp));
|
|
if (!dwRes || StrCmpI(szAddin, szTmp))
|
|
{
|
|
IMPORTANT_MSG((L"ERROR: the process handle for rdsaddin.exe has been recycled"));
|
|
CloseHandle(hRdsAddin);
|
|
hRdsAddin = 0;
|
|
}
|
|
}
|
|
|
|
if (!hRdsAddin)
|
|
{
|
|
// If we don't have a process handle, it is because
|
|
// the expert has already cancelled
|
|
ret_code = E_ACCESSDENIED;
|
|
*userResponse = SAFERROR_CANTFORMLINKTOUSERSESSION;
|
|
goto done;
|
|
}
|
|
|
|
pRealSID = GetRealSID(userSID);
|
|
if (!pRealSID)
|
|
{
|
|
IMPORTANT_MSG((L"GetRealSID failed"));
|
|
|
|
ret_code = E_ACCESSDENIED;
|
|
*userResponse = SAFERROR_INVALIDPARAMETERSTRING;
|
|
goto done;
|
|
}
|
|
|
|
EnterCriticalSection(&m_CritSec);
|
|
bAlreadyHelped = ListFind(m_pSplash, pRealSID);
|
|
ListInsert(m_pSplash, pRealSID);
|
|
// mark the SID for removal
|
|
bRemoval=TRUE;
|
|
LeaveCriticalSection(&m_CritSec);
|
|
|
|
if (bAlreadyHelped)
|
|
{
|
|
INTERESTING_MSG((L"Helpee already has a ticket on the screen"));
|
|
*sessionID = 0;
|
|
*userResponse = SAFERROR_HELPEECONSIDERINGHELP;
|
|
ret_code = E_ACCESSDENIED;
|
|
goto done;
|
|
}
|
|
|
|
/* check password: skip is UNSOLICITED=1 */
|
|
if (!GetPropertyValueFromBlob(userHelpBlob, L"UNSOLICITED", &pUserId) ||
|
|
!pUserId || *pUserId != L'1')
|
|
{
|
|
// Need to check password.
|
|
if (pUserId)
|
|
{
|
|
LocalFree(pUserId);
|
|
pUserId = NULL;
|
|
}
|
|
if (GetPropertyValueFromBlob(userHelpBlob, L"PASS", &pUserId))
|
|
{
|
|
if (!GetPropertyValueFromBlob(expertHelpBlob, L"PASS", &pExpertId) || wcscmp(pExpertId, pUserId) != 0)
|
|
{
|
|
IMPORTANT_MSG((L"Passwords don't match"));
|
|
|
|
ret_code = E_ACCESSDENIED;
|
|
*userResponse = SAFERROR_INVALIDPASSWORD;
|
|
goto done;
|
|
}
|
|
}
|
|
}
|
|
|
|
/* get the user's account strings */
|
|
if (!getUserName(pRealSID, &pUsername, &pDomainname))
|
|
{
|
|
DWORD error = GetLastError();
|
|
HEINOUS_E_MSG((L"getUserName() failed, err=0x%x", error));
|
|
ret_code = E_ACCESSDENIED;
|
|
*userResponse = SAFERROR_INVALIDPARAMETERSTRING;
|
|
goto done;
|
|
}
|
|
|
|
/*
|
|
* Get a list of all the active sessions on this WTS Server
|
|
* For a specific user
|
|
*/
|
|
// keeps the compiler happy
|
|
dwSessionCnt = 0;
|
|
result = GetUserSessions(pRealSID,
|
|
&pUserSessionInfo,
|
|
&dwUserSessionCnt,
|
|
pUsername, pDomainname);
|
|
|
|
if (!result )
|
|
{
|
|
IMPORTANT_MSG((L"GetUserSessions failed %08x", GetLastError()));
|
|
ret_code = E_FAIL;
|
|
goto done;
|
|
}
|
|
|
|
/* If no sessions are found, then exit! */
|
|
if (dwUserSessionCnt == 0)
|
|
{
|
|
INTERESTING_MSG((L"no sessions found"));
|
|
*sessionID = 0;
|
|
*userResponse = SAFERROR_HELPEENOTFOUND;
|
|
ret_code = E_ACCESSDENIED;
|
|
goto done;
|
|
}
|
|
/* make certain we don't overflow our handle buffers */
|
|
else if (dwUserSessionCnt > MAX_SESSIONS)
|
|
{
|
|
HEINOUS_I_MSG((L"Found %d active sessions for %ws/%ws, limitting to %d", dwUserSessionCnt, pDomainname, pUsername, MAX_SESSIONS));
|
|
|
|
int i = MAX_SESSIONS;
|
|
|
|
// free the extra WTS tokens
|
|
while (i < dwSessionCnt)
|
|
{
|
|
if (pUserSessionInfo[i].hUserToken)
|
|
CloseHandle(pUserSessionInfo[i].hUserToken);
|
|
i++;
|
|
}
|
|
dwUserSessionCnt = MAX_SESSIONS;
|
|
}
|
|
|
|
pSD = CreateSd(pRealSID);
|
|
if (!pSD)
|
|
{
|
|
IMPORTANT_MSG((L"CreateSd failed err=%08x", GetLastError()));
|
|
ret_code = E_ACCESSDENIED;
|
|
goto done;
|
|
}
|
|
|
|
sa.nLength = sizeof(sa);
|
|
sa.lpSecurityDescriptor = pSD;
|
|
sa.bInheritHandle = FALSE;
|
|
|
|
memset(&pHandles[0], 0, sizeof(pHandles));
|
|
pHandles[0] = hRdsAddin;
|
|
|
|
lSessionTag = InterlockedIncrement(&m_lSessionTag);
|
|
/*
|
|
* Start up the HelpCtr in all the various TS sessions
|
|
*/
|
|
for(i=0; i<(int)dwUserSessionCnt; i++)
|
|
{
|
|
TRIVIAL_MSG((L"calling launchEx[%d] for session %d", i, pUserSessionInfo[i].dwSessionId));
|
|
|
|
pUserSessionInfo[i].hProcess = launchEx(pRealSID,
|
|
&pUserSessionInfo[i],
|
|
connectParms, m_bstrResolveURL,
|
|
pUsername, pDomainname
|
|
,expertHelpBlob,userHelpBlob, &sa);
|
|
pHandles[i+1] = pUserSessionInfo[i].hProcess;
|
|
pHandles[i+1+dwUserSessionCnt] = pUserSessionInfo[i].hEvent;
|
|
}
|
|
|
|
/*
|
|
* Then wait for somebody to click on a "Yes", or a "No"
|
|
*/
|
|
|
|
// We use CoWaitForMultipleHandles otherwise, rdsaddin and sessmg
|
|
// deadlock since sessmgr is apartment threaded
|
|
TRIVIAL_MSG((L"Waiting. m_iWaitDuration: %ld seconds", m_iWaitDuration/1000));
|
|
|
|
ret_code = CoWaitForMultipleHandles (
|
|
COWAIT_ALERTABLE,
|
|
m_iWaitDuration,
|
|
(dwUserSessionCnt*2)+1,
|
|
pHandles,
|
|
&dwhIndex
|
|
);
|
|
if (S_OK == ret_code)
|
|
{
|
|
if (dwhIndex > dwUserSessionCnt)
|
|
{
|
|
/* somebody said "yes" */
|
|
|
|
TsIndex = dwhIndex-dwUserSessionCnt-1;
|
|
TRIVIAL_MSG((L"User responded YES for session 0x%x", TsIndex));
|
|
|
|
ret_code = S_OK;
|
|
*userResponse = SAFERROR_NOERROR;
|
|
// mark the SID for non-removal
|
|
bRemoval=FALSE;
|
|
|
|
//
|
|
// This code must not return a failure from here onwards. If it does, we must
|
|
// remove the SID from the list
|
|
//
|
|
if (hRdsAddin)
|
|
{
|
|
*hHelpCtr = NULL; // start with NULL
|
|
|
|
DuplicateHandle(GetCurrentProcess(), pUserSessionInfo[TsIndex].hProcess,
|
|
hRdsAddin, (HANDLE *)hHelpCtr, SYNCHRONIZE, FALSE, 0);
|
|
}
|
|
SetEventLog(TRUE, pUsername, pDomainname);
|
|
}
|
|
else if (dwhIndex == 0)
|
|
{
|
|
// we got here because the expert bailed out, or we lost the connection
|
|
INTERESTING_MSG((L"Expert killed RdsAddin"));
|
|
TsIndex = -1;
|
|
ret_code = E_ACCESSDENIED;
|
|
*userResponse = SAFERROR_CANTFORMLINKTOUSERSESSION;
|
|
}
|
|
else
|
|
{
|
|
/*
|
|
* We get here because the novice "killed" a HelpCtr session
|
|
* or else the novice just said "NO"
|
|
*/
|
|
INTERESTING_MSG((L"User killed session or clicked NO for session 0x%x", dwhIndex-1));
|
|
/* this keeps us from trying to kill something the user has already closed */
|
|
TsIndex = dwhIndex-1;
|
|
ret_code = E_ACCESSDENIED;
|
|
*userResponse = SAFERROR_HELPEESAIDNO;
|
|
SetEventLog(FALSE, pUsername, pDomainname);
|
|
}
|
|
}
|
|
else if (RPC_S_CALLPENDING == ret_code)
|
|
{
|
|
TRIVIAL_MSG((L"User response timed out after %d seconds", m_iWaitDuration/1000));
|
|
|
|
TsIndex = -1;
|
|
ret_code = E_PENDING;
|
|
*userResponse = SAFERROR_HELPEENEVERRESPONDED;
|
|
}
|
|
else
|
|
{
|
|
IMPORTANT_MSG((L"WaitForObject failed %08x err=%08x", result, GetLastError()));
|
|
TsIndex = -1;
|
|
ret_code = E_FAIL;
|
|
}
|
|
|
|
/*
|
|
* Then close all the windows (except the one in TsIndex)
|
|
*/
|
|
for(i=0; i<(int)dwUserSessionCnt; i++)
|
|
{
|
|
LPTHREAD_START_ROUTINE lpKill = getKillProc();
|
|
|
|
if (pUserSessionInfo[i].dwIndex != TsIndex &&
|
|
pUserSessionInfo[i].hProcess)
|
|
{
|
|
/* This has to be done for each instance, since we call into the process
|
|
* to kill itself. If we did not get "lpKill" for each seperate occurance
|
|
* of HelpCtr, then Very Bad Things could happen...
|
|
*/
|
|
TRIVIAL_MSG((L"Killing HelpCtr in process %d", pUserSessionInfo[i].hProcess));
|
|
localKill(&pUserSessionInfo[i], lpKill, &sa);
|
|
}
|
|
}
|
|
|
|
if (ret_code == S_OK)
|
|
*sessionID = (long) pUserSessionInfo[TsIndex].dwSessionId;
|
|
done:
|
|
if (bRemoval)
|
|
{
|
|
// remove the SID from the list
|
|
EnterCriticalSection(&m_CritSec);
|
|
ListDelete(m_pSplash, pRealSID);
|
|
LeaveCriticalSection(&m_CritSec);
|
|
}
|
|
|
|
if (hRdsAddin)
|
|
CloseHandle(hRdsAddin);
|
|
|
|
if (pRealSID)
|
|
LocalFree(pRealSID);
|
|
|
|
if (pUserSessionInfo)
|
|
{
|
|
|
|
/* close all the handles */
|
|
for(i=0; i<(int)dwUserSessionCnt; i++)
|
|
{
|
|
if (pUserSessionInfo[i].hProcess)
|
|
CloseHandle(pUserSessionInfo[i].hProcess);
|
|
|
|
if (pUserSessionInfo[i].hUserToken)
|
|
CloseHandle(pUserSessionInfo[i].hUserToken);
|
|
|
|
if (pUserSessionInfo[i].hEvent)
|
|
CloseHandle(pUserSessionInfo[i].hEvent);
|
|
}
|
|
|
|
LocalFree(pUserSessionInfo);
|
|
}
|
|
|
|
if (pUsername)
|
|
LocalFree(pUsername);
|
|
|
|
if (pDomainname)
|
|
LocalFree(pDomainname);
|
|
|
|
if (pSD)
|
|
LocalFree(pSD);
|
|
|
|
if (pUserId) LocalFree(pUserId);
|
|
if (pExpertId) LocalFree(pExpertId);
|
|
|
|
INTERESTING_MSG((L"CSessionResolver::ResolveUserSessionID returns %x\n", ret_code ));
|
|
return ret_code;
|
|
}
|
|
|
|
/*************************************************************
|
|
*
|
|
* OnDisconnect([in] BSTR connectParms, [in] BSTR userSID, [in] long sessionID)
|
|
* Notifies us when an RA session ends
|
|
*
|
|
* NOTES:
|
|
* This is called so we can maintain the state of our user prompts
|
|
*
|
|
* WARNING: ACHTUNG: ATTENZIONE:
|
|
* This method must do a minimal amount of work before returning
|
|
* and must NEVER do anything that would cause COM to pump
|
|
* messages. To do so would screw Salem immensely.a
|
|
*
|
|
* RETURN CODES:
|
|
* NONE_ACTIVE Found no active WTS sessions
|
|
* API_FAILURE Something bad happened
|
|
*
|
|
*************************************************************/
|
|
|
|
STDMETHODIMP
|
|
CSessionResolver::OnDisconnect(
|
|
/*[in]*/BSTR connectParms,
|
|
/*[in]*/BSTR userSID,
|
|
/*[in]*/long sessionID
|
|
)
|
|
{
|
|
PSID pRealSID;
|
|
WCHAR *pUsername=NULL, *pDomainname=NULL;
|
|
|
|
if (!connectParms || !userSID)
|
|
{
|
|
HEINOUS_I_MSG((L"Invalid params in OnDisconnect- ConnectParms=0x%x, UserSID=0x%x", connectParms, userSID));
|
|
return E_INVALIDARG;
|
|
}
|
|
|
|
|
|
INTERESTING_MSG((L"CSessionResolver::OnDisconnect-(%ws)", userSID));
|
|
|
|
pRealSID = GetRealSID(userSID);
|
|
if (pRealSID)
|
|
{
|
|
EnterCriticalSection(&m_CritSec);
|
|
ListDelete(m_pSplash, pRealSID);
|
|
LeaveCriticalSection(&m_CritSec);
|
|
|
|
/* get the user's account strings */
|
|
if (!getUserName(pRealSID, &pUsername, &pDomainname))
|
|
{
|
|
pUsername = L"unknown user";
|
|
pDomainname = L"unknown domain";
|
|
}
|
|
|
|
|
|
/* write out an NT Event */
|
|
HANDLE hEvent = RegisterEventSource(NULL, MODULE_NAME);
|
|
LPCWSTR ArgsArray[2]={pUsername, pDomainname};
|
|
|
|
if (hEvent)
|
|
{
|
|
ReportEvent(hEvent, EVENTLOG_AUDIT_SUCCESS,
|
|
0,
|
|
SESSRSLR_ONDISCON,
|
|
NULL,
|
|
2,
|
|
0,
|
|
ArgsArray,
|
|
NULL);
|
|
|
|
DeregisterEventSource(hEvent);
|
|
}
|
|
}
|
|
|
|
if (pUsername)
|
|
LocalFree(pUsername);
|
|
if (pDomainname)
|
|
LocalFree(pDomainname);
|
|
|
|
|
|
INTERESTING_MSG((L"CSessionResolver::OnDisconnect; leaving"));
|
|
return S_OK;
|
|
}
|
|
|
|
/*************************************************************
|
|
*
|
|
* SetEventLog(bool yes, WCHAR *pUser, WCHAR *pDomain)
|
|
*
|
|
*************************************************************/
|
|
|
|
void SetEventLog(bool yes, WCHAR *pUser, WCHAR *pDomain)
|
|
{
|
|
/* write out an NT Event */
|
|
HANDLE hEvent = RegisterEventSource(NULL, MODULE_NAME);
|
|
LPCWSTR ArgsArray[2]={pUser, pDomain};
|
|
|
|
if (hEvent)
|
|
{
|
|
ReportEvent(hEvent, yes ? EVENTLOG_AUDIT_SUCCESS : EVENTLOG_AUDIT_FAILURE,
|
|
0,
|
|
yes ? SESSRSLR_RESOLVEYES : SESSRSLR_RESOLVENO,
|
|
NULL,
|
|
2,
|
|
0,
|
|
ArgsArray,
|
|
NULL);
|
|
|
|
DeregisterEventSource(hEvent);
|
|
}
|
|
}
|
|
|
|
/*************************************************************
|
|
*
|
|
* GetRealSID([in] BSTR pTextSID)
|
|
* Converts a string-based SID into a REAL usable SID
|
|
*
|
|
* NOTES:
|
|
* This is a stub into "ConvertStringSidToSid".
|
|
*
|
|
* RETURN CODES:
|
|
* NULL Failed for some reason
|
|
* PSID Pointer to a real SID. Must be
|
|
* freed with "LocalFree"
|
|
*
|
|
*************************************************************/
|
|
PSID GetRealSID( BSTR pTextSID)
|
|
{
|
|
PSID pRetSID = NULL;
|
|
|
|
if (!ConvertStringSidToSidW(pTextSID, &pRetSID))
|
|
IMPORTANT_MSG((L"ConvertStringSidToSidW(%ws) failed %08x\n", pTextSID, GetLastError()));
|
|
|
|
return pRetSID;
|
|
}
|
|
|
|
/*************************************************************
|
|
*
|
|
* launchEx(PSID, WTS_USER_SESSION_INFO, char * ConnectParms, char * EventName)
|
|
*
|
|
*
|
|
* RETURN CODES:
|
|
* 0 Failed to start process
|
|
* <> HANDLE to started process
|
|
*
|
|
*************************************************************/
|
|
|
|
HANDLE launchEx(PSID pUserSID, WTS_USER_SESSION_INFO *UserInfo,
|
|
WCHAR *ConnectParms, WCHAR *HelpPageURL,
|
|
WCHAR *pUsername, WCHAR *pDomainname,
|
|
WCHAR *expertHelpBlob, WCHAR *userHelpBlob,
|
|
SECURITY_ATTRIBUTES *sa
|
|
)
|
|
{
|
|
BOOL result = FALSE;
|
|
HANDLE retval = 0;
|
|
STARTUPINFOW StartUp;
|
|
PROCESS_INFORMATION p_i;
|
|
WCHAR buf1[BUF_SZ], buf2[BUF_SZ], *lpUtf8ConnectParms=NULL;
|
|
static WCHAR *szEnvUser = ENV_USER;
|
|
static WCHAR *szEnvDomain = ENV_DOMAIN;
|
|
static WCHAR *szEnvEvent = ENV_EVENT;
|
|
static WCHAR *szEnvIndex = ENV_INDEX;
|
|
static WCHAR *szEnvParms = ENV_PARMS;
|
|
static WCHAR *szEnvExpertBlob = L"PCHEXPERTBLOB";
|
|
static WCHAR *szEnvUserBlob = L"PCHUSERBLOB";
|
|
#ifndef _PERF_OPTIMIZATIONS
|
|
WCHAR *pCmdLine = NULL;
|
|
WCHAR *pFormatString = L"\"%ws?%ws\"";
|
|
#endif
|
|
VOID *pEnvBlock = NULL;
|
|
DWORD dwUsername=0, dwDomainname=0, dwStrSz;
|
|
MPC::wstring strExe( HC_ROOT_HELPSVC_BINARIES L"\\HelpCtr.exe" );
|
|
MPC::SubstituteEnvVariables( strExe );
|
|
|
|
#ifndef _PERF_OPTIMIZATIONS
|
|
dwStrSz = wcslen(HelpPageURL) + wcslen(ConnectParms) + wcslen(pFormatString) + 3;
|
|
pCmdLine = (WCHAR *)LocalAlloc(LMEM_FIXED, dwStrSz * sizeof(WCHAR));
|
|
|
|
if (!pCmdLine)
|
|
{
|
|
IMPORTANT_MSG((L"LocalAlloc failed in resolver:launchex, err=0x%x", GetLastError()));
|
|
goto done;
|
|
}
|
|
|
|
wsprintf(pCmdLine, pFormatString, HelpPageURL, ConnectParms);
|
|
|
|
strExe += L" -Mode \"hcp://CN=Microsoft Corporation,L=Redmond,S=Washington,C=US/Remote Assistance/RAHelpeeAcceptLayout.xml\" -url ";
|
|
strExe += pCmdLine;
|
|
#else
|
|
strExe += L" -Mode \"hcp://system/Remote Assistance/RAHelpeeAcceptLayout.xml\" -url ";
|
|
strExe += HelpPageURL;
|
|
#endif
|
|
|
|
/*
|
|
* Here, we must start up a Help Center script in a WTS Session
|
|
* It gets a bit sticky, though as we do not have access to the
|
|
* user's desktop (any desktop), and this must appear on only
|
|
* one particular desktop. I am relying on the WTS-User-Token
|
|
* to get the desktop for me.
|
|
*
|
|
* The main component is our call to CreateProcessAsUser.
|
|
* Before we call that we must:
|
|
* Set up Environment as follows:
|
|
* PATH=%SystemPath%
|
|
* WINDIR=SystemRoot%
|
|
* USERNAME=(from WTS)
|
|
* USERDOMAIN=
|
|
* PCHEVENTNAME=EventName
|
|
* PCHSESSIONENUM=UserInfo->dwIndex
|
|
* PCHCONNECTPARMS=ConnectParms
|
|
*/
|
|
TRIVIAL_MSG((L"Launch %ws", (LPWSTR)strExe.c_str()));
|
|
|
|
/* Step on the ENVIRONMENT */
|
|
WCHAR lpNameBfr[256];
|
|
|
|
wnsprintfW(lpNameBfr, ARRAYSIZE(lpNameBfr), L"Global\\%ws%lx_%02d", EVENT_PREFIX, lSessionTag, UserInfo->dwIndex);
|
|
|
|
UserInfo->hEvent = CreateEvent(sa, TRUE, FALSE, lpNameBfr);
|
|
if (!UserInfo->hEvent || ERROR_ALREADY_EXISTS == GetLastError())
|
|
{
|
|
/*
|
|
* If we failed to create this event, it is most likely because one is already
|
|
* in name-space, perhaps an event, or else a mutex... In any case, we will
|
|
* try again, with a more random name. If that fails, then we must bail out.
|
|
*/
|
|
long lRand;
|
|
|
|
if (UserInfo->hEvent)
|
|
CloseHandle(UserInfo->hEvent);
|
|
|
|
RtlGenRandom(&lRand, sizeof(lRand));
|
|
wnsprintfW(lpNameBfr, ARRAYSIZE(lpNameBfr), L"Global\\%lx%lx%lx_%02d",
|
|
lRand, lSessionTag, UserInfo->dwIndex);
|
|
UserInfo->hEvent = CreateEvent(sa, TRUE, FALSE, lpNameBfr);
|
|
|
|
if (!UserInfo->hEvent || ERROR_ALREADY_EXISTS == GetLastError())
|
|
{
|
|
if (UserInfo->hEvent)
|
|
CloseHandle(UserInfo->hEvent);
|
|
UserInfo->hEvent = 0;
|
|
HEINOUS_E_MSG((L"The named event \"%s\" was in use- potential security issue, so Remote Assistance will be denied.", lpNameBfr));
|
|
goto done;
|
|
}
|
|
}
|
|
|
|
SetEnvironmentVariable(szEnvEvent, lpNameBfr);
|
|
|
|
wsprintf(buf1, L"%d", UserInfo->dwIndex);
|
|
SetEnvironmentVariable(szEnvIndex, buf1);
|
|
SetEnvironmentVariable(szEnvParms, ConnectParms);
|
|
SetEnvironmentVariable(szEnvUser, pUsername );
|
|
SetEnvironmentVariable(szEnvDomain, pDomainname );
|
|
SetEnvironmentVariable(szEnvExpertBlob, expertHelpBlob);
|
|
SetEnvironmentVariable(szEnvUserBlob, userHelpBlob);
|
|
|
|
if (!CreateEnvironmentBlock(&pEnvBlock, UserInfo->hUserToken, TRUE))
|
|
{
|
|
IMPORTANT_MSG((L"CreateEnvironmentBlock failed in resolver:launchex, err=0x%x", GetLastError()));
|
|
goto done;
|
|
}
|
|
|
|
// initialize our structs
|
|
ZeroMemory(&p_i, sizeof(p_i));
|
|
ZeroMemory(&StartUp, sizeof(StartUp));
|
|
StartUp.cb = sizeof(StartUp);
|
|
StartUp.dwFlags = STARTF_USESHOWWINDOW;
|
|
StartUp.wShowWindow = SW_SHOWNORMAL;
|
|
|
|
result = CreateProcessAsUserW(UserInfo->hUserToken,
|
|
NULL, (LPWSTR)strExe.c_str(),
|
|
NULL, NULL, FALSE,
|
|
NORMAL_PRIORITY_CLASS + CREATE_UNICODE_ENVIRONMENT ,
|
|
pEnvBlock, // Environment block (must use the CREATE_UNICODE_ENVIRONMENT flag)
|
|
NULL, &StartUp, &p_i);
|
|
|
|
if (result)
|
|
{
|
|
// keep a leak from happening, as we never need the hThread...
|
|
CloseHandle(p_i.hThread);
|
|
UserInfo->hProcess = p_i.hProcess;
|
|
UserInfo->hThread = 0;
|
|
UserInfo->dwProcessId = p_i.dwProcessId;
|
|
UserInfo->dwThreadId = p_i.dwThreadId;
|
|
|
|
retval = p_i.hProcess;
|
|
|
|
TRIVIAL_MSG((L"CreateProcessAsUserW started up [%ws]", (LPWSTR)strExe.c_str()));
|
|
}
|
|
else
|
|
{
|
|
IMPORTANT_MSG((L"CreateProcessAsUserW failed, err=0x%x command line=[%ws]", GetLastError(), (LPWSTR)strExe.c_str()));
|
|
result=0;
|
|
}
|
|
done:
|
|
if (!result)
|
|
{
|
|
UserInfo->hProcess = 0;
|
|
UserInfo->hThread = 0;
|
|
UserInfo->dwProcessId = 0;
|
|
UserInfo->dwThreadId = 0;
|
|
}
|
|
|
|
// restore any memory we borrowed
|
|
#ifndef _PERF_OPTIMIZATIONS
|
|
if (pCmdLine) LocalFree(pCmdLine);
|
|
#endif
|
|
|
|
if (pEnvBlock) DestroyEnvironmentBlock(pEnvBlock);
|
|
|
|
return retval;
|
|
}
|
|
|
|
/*************************************************************
|
|
*
|
|
* CreateSids([in] BSTR pTextSID)
|
|
* Create 3 Security IDs
|
|
*
|
|
* NOTES:
|
|
* Caller must free memory allocated to SIDs on success.
|
|
*
|
|
* RETURN CODES: TRUE if successfull, FALSE if not.
|
|
*
|
|
*************************************************************/
|
|
|
|
BOOL
|
|
CreateSids(
|
|
PSID *BuiltInAdministrators,
|
|
PSID *PowerUsers,
|
|
PSID *AuthenticatedUsers
|
|
)
|
|
{
|
|
//
|
|
// An SID is built from an Identifier Authority and a set of Relative IDs
|
|
// (RIDs). The Authority of interest to us SECURITY_NT_AUTHORITY.
|
|
//
|
|
|
|
SID_IDENTIFIER_AUTHORITY NtAuthority = SECURITY_NT_AUTHORITY;
|
|
|
|
//
|
|
// Each RID represents a sub-unit of the authority. Two of the SIDs we
|
|
// want to build, Local Administrators, and Power Users, are in the "built
|
|
// in" domain. The other SID, for Authenticated users, is based directly
|
|
// off of the authority.
|
|
//
|
|
// For examples of other useful SIDs consult the list in
|
|
// \nt\public\sdk\inc\ntseapi.h.
|
|
//
|
|
|
|
if (!AllocateAndInitializeSid(&NtAuthority,
|
|
2, // 2 sub-authorities
|
|
SECURITY_BUILTIN_DOMAIN_RID,
|
|
DOMAIN_ALIAS_RID_ADMINS,
|
|
0,0,0,0,0,0,
|
|
BuiltInAdministrators))
|
|
{
|
|
// error
|
|
HEINOUS_E_MSG((L"Could not allocate security credentials for admins."));
|
|
}
|
|
else if (!AllocateAndInitializeSid(&NtAuthority,
|
|
2, // 2 sub-authorities
|
|
SECURITY_BUILTIN_DOMAIN_RID,
|
|
DOMAIN_ALIAS_RID_POWER_USERS,
|
|
0,0,0,0,0,0,
|
|
PowerUsers))
|
|
{
|
|
// error
|
|
|
|
HEINOUS_E_MSG((L"Could not allocate security credentials for power users."));
|
|
FreeSid(BuiltInAdministrators);
|
|
BuiltInAdministrators = NULL;
|
|
|
|
}
|
|
else if (!AllocateAndInitializeSid(&NtAuthority,
|
|
1, // 1 sub-authority
|
|
SECURITY_AUTHENTICATED_USER_RID,
|
|
0,0,0,0,0,0,0,
|
|
AuthenticatedUsers))
|
|
{
|
|
// error
|
|
HEINOUS_E_MSG((L"Could not allocate security credentials for users."));
|
|
|
|
FreeSid(BuiltInAdministrators);
|
|
BuiltInAdministrators = NULL;
|
|
|
|
FreeSid(PowerUsers);
|
|
PowerUsers = NULL;
|
|
|
|
} else {
|
|
return TRUE;
|
|
}
|
|
|
|
return FALSE;
|
|
}
|
|
|
|
|
|
/*************************************************************
|
|
*
|
|
* CreateSd(void)
|
|
* Creates a SECURITY_DESCRIPTOR with specific DACLs.
|
|
*
|
|
* NOTES:
|
|
* Caller must free the returned buffer if not NULL.
|
|
*
|
|
* RETURN CODES:
|
|
* NULL Failed for some reason
|
|
* PSECURITY_DESCRIPTOR Pointer to a SECURITY_DESCRIPTOR.
|
|
* Must be freed with "LocalFree"
|
|
*
|
|
*************************************************************/
|
|
PSECURITY_DESCRIPTOR CreateSd(PSID pUserSID)
|
|
{
|
|
PSID AuthenticatedUsers;
|
|
PSID BuiltInAdministrators;
|
|
PSID PowerUsers;
|
|
PSECURITY_DESCRIPTOR Sd = NULL;
|
|
ULONG AclSize;
|
|
ACL *Acl;
|
|
|
|
|
|
if (!CreateSids(&BuiltInAdministrators,
|
|
&PowerUsers,
|
|
&AuthenticatedUsers))
|
|
{
|
|
// error
|
|
IMPORTANT_MSG((L"CreateSids failed"));
|
|
|
|
return NULL;
|
|
}
|
|
|
|
//
|
|
// Calculate the size of and allocate a buffer for the DACL, we need
|
|
// this value independently of the total alloc size for ACL init.
|
|
//
|
|
|
|
//
|
|
// "- sizeof (ULONG)" represents the SidStart field of the
|
|
// ACCESS_ALLOWED_ACE. Since we're adding the entire length of the
|
|
// SID, this field is counted twice.
|
|
//
|
|
|
|
AclSize = sizeof (ACL) +
|
|
(4 * (sizeof (ACCESS_ALLOWED_ACE) - sizeof (ULONG))) +
|
|
GetLengthSid(AuthenticatedUsers) +
|
|
GetLengthSid(BuiltInAdministrators) +
|
|
GetLengthSid(PowerUsers) +
|
|
GetLengthSid(pUserSID);
|
|
|
|
Sd = LocalAlloc(LMEM_FIXED + LMEM_ZEROINIT,
|
|
SECURITY_DESCRIPTOR_MIN_LENGTH + AclSize);
|
|
|
|
if (!Sd)
|
|
{
|
|
IMPORTANT_MSG((L"Cound not allocate 0x%x bytes for Security Descriptor", SECURITY_DESCRIPTOR_MIN_LENGTH + AclSize));
|
|
goto error;
|
|
}
|
|
|
|
Acl = (ACL *)((BYTE *)Sd + SECURITY_DESCRIPTOR_MIN_LENGTH);
|
|
|
|
if (!InitializeAcl(Acl,
|
|
AclSize,
|
|
ACL_REVISION))
|
|
{
|
|
// error
|
|
IMPORTANT_MSG((L"Cound not initialize ACL err=0x%x", GetLastError()));
|
|
goto error;
|
|
}
|
|
TRIVIAL_MSG((L"initialized Successfully"));
|
|
|
|
|
|
if (!AddAccessAllowedAce(Acl,
|
|
ACL_REVISION,
|
|
STANDARD_RIGHTS_ALL | GENERIC_WRITE,
|
|
pUserSID))
|
|
{
|
|
// Failed to build the ACE granted to OWNER
|
|
// (STANDARD_RIGHTS_ALL) access.
|
|
IMPORTANT_MSG((L"Cound not add owner rights to ACL err=0x%x", GetLastError()));
|
|
goto error;
|
|
}
|
|
|
|
|
|
if (!AddAccessAllowedAce(Acl,
|
|
ACL_REVISION,
|
|
GENERIC_READ,
|
|
AuthenticatedUsers))
|
|
{
|
|
// Failed to build the ACE granting "Authenticated users"
|
|
// (SYNCHRONIZE | GENERIC_READ) access.
|
|
IMPORTANT_MSG((L"Cound not add user rights to ACL err=0x%x", GetLastError()));
|
|
goto error;
|
|
}
|
|
|
|
if (!AddAccessAllowedAce(Acl,
|
|
ACL_REVISION,
|
|
GENERIC_READ | GENERIC_WRITE,
|
|
PowerUsers))
|
|
{
|
|
// Failed to build the ACE granting "Power users"
|
|
// (SYNCHRONIZE | GENERIC_READ | GENERIC_WRITE) access.
|
|
IMPORTANT_MSG((L"Cound not add power user rights to ACL err=0x%x", GetLastError()));
|
|
goto error;
|
|
}
|
|
|
|
if (!AddAccessAllowedAce(Acl,
|
|
ACL_REVISION,
|
|
STANDARD_RIGHTS_ALL,
|
|
BuiltInAdministrators))
|
|
{
|
|
// Failed to build the ACE granting "Built-in Administrators"
|
|
// STANDARD_RIGHTS_ALL access.
|
|
IMPORTANT_MSG((L"Cound not add admin rights to ACL err=0x%x", GetLastError()));
|
|
goto error;
|
|
}
|
|
|
|
|
|
if (!InitializeSecurityDescriptor(Sd,SECURITY_DESCRIPTOR_REVISION))
|
|
{
|
|
// error
|
|
IMPORTANT_MSG((L"Cound not initialize SD err=0x%x", GetLastError()));
|
|
goto error;
|
|
}
|
|
|
|
if (!SetSecurityDescriptorDacl(Sd,
|
|
TRUE,
|
|
Acl,
|
|
FALSE))
|
|
{
|
|
// error
|
|
IMPORTANT_MSG((L"SetSecurityDescriptorDacl failed err=0x%x", GetLastError()));
|
|
goto error;
|
|
}
|
|
|
|
FreeSid(AuthenticatedUsers);
|
|
FreeSid(BuiltInAdministrators);
|
|
FreeSid(PowerUsers);
|
|
|
|
// TRIVIAL_MSG((L"CreateSd succeeded."));
|
|
|
|
return Sd;
|
|
|
|
error:
|
|
/* A jump of last resort */
|
|
if (Sd)
|
|
LocalFree(Sd);
|
|
|
|
// error
|
|
if (AuthenticatedUsers)
|
|
FreeSid(AuthenticatedUsers);
|
|
if (BuiltInAdministrators)
|
|
FreeSid(BuiltInAdministrators);
|
|
if (PowerUsers)
|
|
FreeSid(PowerUsers);
|
|
return NULL;
|
|
}
|
|
|
|
/*************************************************************
|
|
*
|
|
* GetUserSessions(PSID, PWTS_USER_SESSION_INFOW , *DWORD)
|
|
* Returns a table of all the active WTS Sessions for this
|
|
* user, on this server.
|
|
*
|
|
* RETURN CODES:
|
|
*
|
|
* NOTES:
|
|
* Should log NT Events for failures
|
|
*
|
|
*************************************************************/
|
|
DWORD GetUserSessions(PSID pUserSID, PWTS_USER_SESSION_INFO *pUserTbl, DWORD *pEntryCnt, WCHAR *pUsername, WCHAR *pDomainname)
|
|
{
|
|
int i,ii=0;
|
|
DWORD retval=0,
|
|
dwSessions=0,
|
|
dwValidSessions,
|
|
dwOwnedSessions;
|
|
PWTS_SESSION_INFO pSessionInfo=NULL;
|
|
DWORD dwRetSize = 0;
|
|
WINSTATIONINFORMATION WSInfo;
|
|
|
|
/* param validation */
|
|
if (!pUserSID || !pUserTbl || !pEntryCnt)
|
|
{
|
|
IMPORTANT_MSG((L"GetUserSessions parameter violation"));
|
|
|
|
return 0;
|
|
}
|
|
|
|
/* Start with WTSEnumerateSessions,
|
|
* narrow it down to only active sessions,
|
|
* then filter further against the logonID
|
|
* then use WinStationQueryInformation to get the logged on users token
|
|
*/
|
|
if (!WTSEnumerateSessions(WTS_CURRENT_SERVER_HANDLE, 0, 1, &pSessionInfo, &dwSessions) ||
|
|
!pSessionInfo || !dwSessions)
|
|
{
|
|
/* if we can't do this, then we must give up */
|
|
IMPORTANT_MSG((L"GetUserSessions parameter violation"));
|
|
return 0;
|
|
}
|
|
|
|
/*
|
|
* Narrow down to only active sessions -
|
|
* a quick test
|
|
*/
|
|
for (i=0,dwValidSessions=0;i<(int)dwSessions;i++)
|
|
{
|
|
if (pSessionInfo[i].State == WTSActive)
|
|
dwValidSessions++;
|
|
}
|
|
|
|
/* bail out early if none found */
|
|
if (dwValidSessions == 0)
|
|
{
|
|
/* free the memory we asked for */
|
|
WTSFreeMemory(pSessionInfo);
|
|
|
|
INTERESTING_MSG((L"No active sessions found"));
|
|
return 0;
|
|
}
|
|
|
|
INTERESTING_MSG((L"%d sessions found", dwValidSessions));
|
|
|
|
/*
|
|
* Now see who owns each session. Only one problem- session details kept
|
|
* by WTS have no concept of SIDs- just a user name & domain. Oh well,
|
|
* it is a safe assumption that the two are just as reliable forms of
|
|
* identification. One little caveat- the names can be stored using
|
|
* different case variants. Example: "TomFr" and "tomfr" are equivalent,
|
|
* according to NT domain rules, so I have to use a case-insensitive
|
|
* check here.
|
|
*
|
|
* So, now that I know there is at least one possible WTS Session here,
|
|
* I will compare these IDs to determine if we want to notify this particular
|
|
* session.
|
|
*/
|
|
|
|
/* now look at all the active sessions and compare domain & user names */
|
|
for (i=0,dwOwnedSessions=0;i<(int)dwSessions;i++)
|
|
{
|
|
if (pSessionInfo[i].State == WTSActive)
|
|
{
|
|
DWORD CurSessionId = pSessionInfo[i].SessionId;
|
|
|
|
memset( &WSInfo, 0, sizeof(WSInfo) );
|
|
|
|
if (!WinStationQueryInformationW(
|
|
SERVERNAME_CURRENT,
|
|
CurSessionId,
|
|
WinStationInformation,
|
|
&WSInfo,
|
|
sizeof(WSInfo),
|
|
&dwRetSize
|
|
))
|
|
{
|
|
IMPORTANT_MSG((L"WinStationQueryInformation failed err=0x%x", GetLastError()));
|
|
|
|
break;
|
|
}
|
|
|
|
if (StrCmpI(WSInfo.Domain, pDomainname))
|
|
continue;
|
|
|
|
if (StrCmpI(WSInfo.UserName, pUsername))
|
|
continue;
|
|
|
|
/*
|
|
* If we got this far, then we know we want this session
|
|
*/
|
|
dwOwnedSessions++;
|
|
|
|
// mark this as a "session of interest"
|
|
pSessionInfo[i].State = (WTS_CONNECTSTATE_CLASS)0x45;
|
|
}
|
|
}
|
|
|
|
/* did we find any sessions? */
|
|
if (dwOwnedSessions == 0)
|
|
{
|
|
TRIVIAL_MSG((L"No matching sessions found"));
|
|
goto none_found;
|
|
}
|
|
|
|
/* Get some memory for our session tables */
|
|
*pUserTbl = (PWTS_USER_SESSION_INFO)LocalAlloc(LMEM_FIXED, dwOwnedSessions * sizeof(WTS_USER_SESSION_INFO));
|
|
|
|
if (!*pUserTbl)
|
|
{
|
|
HEINOUS_E_MSG((L"Could not allocate memory for %d sessions, err=0x%x", dwOwnedSessions, GetLastError()));
|
|
goto none_found;
|
|
}
|
|
|
|
*pEntryCnt = dwOwnedSessions;
|
|
|
|
for (i=0,ii=0;i<(int)dwSessions; i++)
|
|
{
|
|
/*
|
|
* If this is one of our "sessions of interest", get the session ID
|
|
* and User Token.
|
|
*/
|
|
if (pSessionInfo[i].State == (WTS_CONNECTSTATE_CLASS)0x45)
|
|
{
|
|
WINSTATIONUSERTOKEN WsUserToken;
|
|
ULONG ulRet;
|
|
PWTS_USER_SESSION_INFO lpi = &((*pUserTbl)[ii]);
|
|
|
|
WsUserToken.ProcessId = LongToHandle(GetCurrentProcessId());
|
|
WsUserToken.ThreadId = LongToHandle(GetCurrentThreadId());
|
|
|
|
lpi->dwIndex = (DWORD)ii;
|
|
lpi->dwSessionId = pSessionInfo[i].SessionId;
|
|
|
|
if (!WinStationQueryInformationW(WTS_CURRENT_SERVER_HANDLE, pSessionInfo[i].SessionId,
|
|
WinStationUserToken, &WsUserToken, sizeof(WsUserToken), &ulRet))
|
|
{
|
|
goto none_found;
|
|
}
|
|
|
|
lpi->hUserToken = WsUserToken.UserToken;
|
|
ii++;
|
|
}
|
|
}
|
|
|
|
/* Yahoo! we finally built our table. Now we can leave after cleaning up */
|
|
WTSFreeMemory(pSessionInfo);
|
|
|
|
IMPORTANT_MSG((L"GetUserSessions exiting: %d sessions found", *pEntryCnt));
|
|
|
|
return 1;
|
|
|
|
none_found:
|
|
/* free the memory we asked for */
|
|
if (pSessionInfo) WTSFreeMemory(pSessionInfo);
|
|
|
|
// we found no entries
|
|
*pEntryCnt =0;
|
|
*pUserTbl = NULL;
|
|
IMPORTANT_MSG((L"GetUserSessions exiting: no sessions found"));
|
|
return 1;
|
|
}
|
|
|
|
LPTHREAD_START_ROUTINE getKillProc(void)
|
|
{
|
|
LPTHREAD_START_ROUTINE lpKill = NULL;
|
|
|
|
HMODULE hKernel = LoadLibrary(L"kernel32");
|
|
if (hKernel)
|
|
{
|
|
lpKill = (LPTHREAD_START_ROUTINE)GetProcAddress(hKernel, "ExitProcess");
|
|
FreeLibrary(hKernel);
|
|
}
|
|
|
|
return lpKill;
|
|
}
|
|
|
|
/*************************************************************
|
|
*
|
|
* localKill(WTS_USER_SESSION_INFO *SessInfo, LPTHREAD_START_ROUTINE lpKill)
|
|
* kills the process for us.
|
|
*
|
|
*************************************************************/
|
|
DWORD localKill(WTS_USER_SESSION_INFO *SessInfo, LPTHREAD_START_ROUTINE lpKill, LPSECURITY_ATTRIBUTES lpSA)
|
|
{
|
|
TRIVIAL_MSG((L"Entered localKill(0x%x, 0x%x)", SessInfo, lpKill));
|
|
|
|
if (lpKill)
|
|
{
|
|
HANDLE hKillThrd= CreateRemoteThread(
|
|
SessInfo->hProcess,
|
|
lpSA,
|
|
NULL,
|
|
lpKill,
|
|
0,
|
|
0,
|
|
NULL);
|
|
if (hKillThrd)
|
|
{
|
|
CloseHandle(hKillThrd);
|
|
return 1;
|
|
}
|
|
IMPORTANT_MSG((L"CreateRemoteThread failed. Err: %08x", GetLastError()));
|
|
// the fall-through is by design...
|
|
}
|
|
|
|
if(!TerminateProcess( SessInfo->hProcess, 0 ))
|
|
{
|
|
IMPORTANT_MSG((L"TerminateProcess failed. Err: %08x", GetLastError()));
|
|
}
|
|
|
|
return 0;
|
|
}
|
|
|
|
/*************************************************************
|
|
*
|
|
* getUserName()
|
|
* get the user's name & domain.
|
|
*
|
|
*************************************************************/
|
|
DWORD getUserName(PSID pUserSID, WCHAR **pUsername, WCHAR **pDomainname)
|
|
{
|
|
if (!pUsername || !pDomainname || !pUserSID)
|
|
return 0;
|
|
|
|
DWORD dwUsername=0, dwDomainname=0;
|
|
SID_NAME_USE eUse;
|
|
|
|
TRIVIAL_MSG((L"Entered getUserName"));
|
|
|
|
*pUsername=NULL, *pDomainname=NULL;
|
|
|
|
/* get the size of the buffers we will need */
|
|
if (!LookupAccountSid(NULL, pUserSID, NULL, &dwUsername, NULL, &dwDomainname, &eUse) &&
|
|
(!dwUsername || !dwDomainname))
|
|
{
|
|
IMPORTANT_MSG((L"LookupAccountSid(nulls) failed err=0x%x", GetLastError()));
|
|
return 0;
|
|
}
|
|
|
|
/* now get enough memory for our name & domain strings */
|
|
*pUsername = (WCHAR *)LocalAlloc(LMEM_FIXED, (dwUsername+16) * sizeof(WCHAR));
|
|
*pDomainname = (WCHAR *)LocalAlloc(LMEM_FIXED, (dwDomainname+16) * sizeof(WCHAR));
|
|
|
|
if (!*pUsername || !*pDomainname ||
|
|
!LookupAccountSid(NULL, pUserSID, *pUsername, &dwUsername, *pDomainname, &dwDomainname, &eUse))
|
|
{
|
|
/* if we get here, it is very bad!! */
|
|
DWORD error = GetLastError();
|
|
if (!*pUsername || !*pDomainname)
|
|
IMPORTANT_MSG((L"LocalAlloc failed err=0x%x", error));
|
|
else
|
|
IMPORTANT_MSG((L"LookupAccountSid(ptrs) failed err=0x%x", error));
|
|
|
|
return 0;
|
|
}
|
|
|
|
TRIVIAL_MSG((L"Requested user=[%ws] dom=[%ws]", *pUsername, *pDomainname));
|
|
return 1;
|
|
}
|
|
|
|
/*************************************************************
|
|
*
|
|
* ListFind(PSPLASHLIST pSplash, PSID user)
|
|
* returns TRUE if SID is found in our "splash table"
|
|
*
|
|
*************************************************************/
|
|
BOOL ListFind(PSPLASHLIST pSplash, PSID user)
|
|
{
|
|
PSPLASHLIST lpSplash;
|
|
|
|
if (!pSplash)
|
|
{
|
|
IMPORTANT_MSG((L"ListFind: no splash table memory"));
|
|
return FALSE;
|
|
}
|
|
|
|
if (!user)
|
|
{
|
|
IMPORTANT_MSG((L"Fatal error: no SID pointer"));
|
|
return FALSE;
|
|
}
|
|
|
|
lpSplash = pSplash;
|
|
|
|
while (lpSplash)
|
|
{
|
|
if (lpSplash->refcount &&
|
|
EqualSid(user, &lpSplash->Sid))
|
|
{
|
|
return TRUE;
|
|
}
|
|
lpSplash = (PSPLASHLIST) lpSplash->next;
|
|
}
|
|
|
|
return FALSE;
|
|
}
|
|
|
|
/*************************************************************
|
|
*
|
|
* ListInsert(PSPLASHLIST pSplash, int iSplashCnt, PSID user)
|
|
* inserts SID in our "splash table"
|
|
*
|
|
* NOTES:
|
|
* if already there, we increment the refcount for SID
|
|
*
|
|
*************************************************************/
|
|
BOOL ListInsert(PSPLASHLIST pSplash, PSID user)
|
|
{
|
|
PSPLASHLIST lpSplash;
|
|
|
|
if (!pSplash)
|
|
{
|
|
IMPORTANT_MSG((L"Fatal error: no splash table memory"));
|
|
return FALSE;
|
|
}
|
|
|
|
if (!user)
|
|
{
|
|
IMPORTANT_MSG((L"Fatal error: no SID pointer"));
|
|
return FALSE;
|
|
}
|
|
|
|
if (!IsValidSid(user))
|
|
{
|
|
IMPORTANT_MSG((L"Fatal error: bad SID"));
|
|
return FALSE;
|
|
}
|
|
|
|
// first, look for one already in the list
|
|
lpSplash = pSplash;
|
|
|
|
while (lpSplash)
|
|
{
|
|
if (lpSplash->refcount && EqualSid(user, &lpSplash->Sid))
|
|
{
|
|
TRIVIAL_MSG((L"Recycling SID in ListInsert"));
|
|
lpSplash->refcount++;
|
|
return TRUE;
|
|
}
|
|
lpSplash = (PSPLASHLIST) lpSplash->next;
|
|
}
|
|
|
|
|
|
// since we did not find one, let's add a new one
|
|
lpSplash = pSplash;
|
|
|
|
while (lpSplash->next)
|
|
lpSplash = (PSPLASHLIST) lpSplash->next;
|
|
|
|
int iSidSz = GetLengthSid(user);
|
|
|
|
lpSplash->next = LocalAlloc(LMEM_FIXED, sizeof(SPLASHLIST) + iSidSz - sizeof(SID));
|
|
|
|
if (lpSplash->next)
|
|
{
|
|
lpSplash = (PSPLASHLIST) lpSplash->next;
|
|
|
|
CopySid(iSidSz, &lpSplash->Sid, user);
|
|
lpSplash->refcount=1;
|
|
lpSplash->next = NULL;
|
|
return TRUE;
|
|
}
|
|
else
|
|
{
|
|
IMPORTANT_MSG((L"Fatal error: no memory available to extend splash tables"));
|
|
}
|
|
|
|
|
|
return FALSE;
|
|
}
|
|
|
|
/*************************************************************
|
|
*
|
|
* ListDelete(PSPLASHLIST pSplash, PSID user)
|
|
* deletes SID from our "splash table"
|
|
*
|
|
* NOTES:
|
|
* if there, we decrement the refcount for SID
|
|
* when refcount hits zero, SID is removed
|
|
*
|
|
*************************************************************/
|
|
BOOL ListDelete(PSPLASHLIST pSplash, PSID user)
|
|
{
|
|
PSPLASHLIST lpSplash, lpLast;
|
|
|
|
if (!pSplash)
|
|
{
|
|
IMPORTANT_MSG((L"Fatal error: no splash table memory"));
|
|
return FALSE;
|
|
}
|
|
|
|
if (!user)
|
|
{
|
|
IMPORTANT_MSG((L"Fatal error: no SID pointer"));
|
|
return FALSE;
|
|
}
|
|
|
|
lpSplash = lpLast = pSplash;
|
|
|
|
while (lpSplash)
|
|
{
|
|
if (lpSplash->refcount &&
|
|
EqualSid(user, &lpSplash->Sid))
|
|
{
|
|
lpSplash->refcount--;
|
|
TRIVIAL_MSG((L"found SID in ListDelete"));
|
|
|
|
if (!lpSplash->refcount)
|
|
{
|
|
// blow away the SID data
|
|
TRIVIAL_MSG((L"deleting SID entry"));
|
|
lpLast->next = lpSplash->next;
|
|
LocalFree(lpSplash);
|
|
}
|
|
return TRUE;
|
|
}
|
|
lpLast = lpSplash;
|
|
lpSplash = (PSPLASHLIST) lpSplash->next;
|
|
}
|
|
|
|
IMPORTANT_MSG((L"Fatal error: attempted to delete non-existant SID from splash table memory"));
|
|
return FALSE;
|
|
}
|
|
|
|
|
|
/*************************************************************
|
|
*
|
|
* DbgSpew(DbgClass, char *, ...)
|
|
* Sends debug information.
|
|
*
|
|
*************************************************************/
|
|
void DbgSpew(int DbgClass, BSTR lpFormat, va_list ap)
|
|
{
|
|
WCHAR szMessage[2400];
|
|
|
|
|
|
vswprintf(szMessage, lpFormat, ap);
|
|
wcscat(szMessage, L"\r\n");
|
|
|
|
if ((DbgClass & 0x0F) >= (gDbgFlag & 0x0F))
|
|
{
|
|
// should this be sent to the debugger?
|
|
if (DbgClass & DBG_MSG_DEST_DBG)
|
|
OutputDebugStringW(szMessage);
|
|
|
|
// should this go to our log file?
|
|
if (iDbgFileHandle)
|
|
_write(iDbgFileHandle, szMessage, (2*lstrlen(szMessage)));
|
|
}
|
|
|
|
// should this msg go to the Event Logs?
|
|
if (DbgClass & DBG_MSG_DEST_EVENT)
|
|
{
|
|
WORD wType;
|
|
DWORD dwEvent;
|
|
|
|
if (DbgClass & DBG_MSG_CLASS_SECURE)
|
|
{
|
|
if (DbgClass & DBG_MSG_CLASS_ERROR)
|
|
{
|
|
wType = EVENTLOG_AUDIT_FAILURE;
|
|
dwEvent = SESSRSLR_E_SECURE;
|
|
}
|
|
else
|
|
{
|
|
wType = EVENTLOG_AUDIT_SUCCESS;
|
|
dwEvent = SESSRSLR_I_SECURE;
|
|
}
|
|
}
|
|
else
|
|
{
|
|
if (DbgClass & DBG_MSG_CLASS_ERROR)
|
|
{
|
|
wType = EVENTLOG_ERROR_TYPE;
|
|
dwEvent = SESSRSLR_E_GENERAL;
|
|
}
|
|
else
|
|
{
|
|
wType = EVENTLOG_INFORMATION_TYPE;
|
|
dwEvent = SESSRSLR_I_GENERAL;
|
|
}
|
|
}
|
|
|
|
/* write out an NT Event */
|
|
HANDLE hEvent = RegisterEventSource(NULL, MODULE_NAME);
|
|
LPCWSTR ArgsArray[1]={szMessage};
|
|
|
|
if (hEvent)
|
|
{
|
|
ReportEvent(hEvent, wType,
|
|
0,
|
|
dwEvent,
|
|
NULL,
|
|
1,
|
|
0,
|
|
ArgsArray,
|
|
NULL);
|
|
|
|
DeregisterEventSource(hEvent);
|
|
}
|
|
}
|
|
}
|
|
|
|
void TrivialSpew(BSTR lpFormat, ...)
|
|
{
|
|
va_list vd;
|
|
va_start(vd, lpFormat);
|
|
DbgSpew(DBG_MSG_TRIVIAL+DBG_MSG_DEST_DBG, lpFormat, vd);
|
|
va_end(vd);
|
|
}
|
|
|
|
void InterestingSpew(BSTR lpFormat, ...)
|
|
{
|
|
va_list ap;
|
|
va_start(ap, lpFormat);
|
|
DbgSpew(DBG_MSG_INTERESTING+DBG_MSG_DEST_DBG, lpFormat, ap);
|
|
va_end(ap);
|
|
}
|
|
|
|
void ImportantSpew(BSTR lpFormat, ...)
|
|
{
|
|
va_list ap;
|
|
va_start(ap, lpFormat);
|
|
DbgSpew(DBG_MSG_IMPORTANT+DBG_MSG_DEST_DBG+DBG_MSG_DEST_FILE, lpFormat, ap);
|
|
va_end(ap);
|
|
}
|
|
|
|
void HeinousESpew(BSTR lpFormat, ...)
|
|
{
|
|
va_list ap;
|
|
va_start(ap, lpFormat);
|
|
DbgSpew(DBG_MSG_HEINOUS+DBG_MSG_DEST_DBG+DBG_MSG_DEST_FILE+DBG_MSG_DEST_EVENT+DBG_MSG_CLASS_ERROR, lpFormat, ap);
|
|
va_end(ap);
|
|
}
|
|
|
|
void HeinousISpew(BSTR lpFormat, ...)
|
|
{
|
|
va_list ap;
|
|
va_start(ap, lpFormat);
|
|
DbgSpew(DBG_MSG_HEINOUS+DBG_MSG_DEST_DBG+DBG_MSG_DEST_FILE+DBG_MSG_DEST_EVENT, lpFormat, ap);
|
|
va_end(ap);
|
|
}
|
|
|
|
// Blob format: propertylength;propertyName=value.
|
|
BOOL GetPropertyValueFromBlob(BSTR bstrHelpBlob, WCHAR * pName, WCHAR** ppValue)
|
|
{
|
|
WCHAR *p1, *p2, *pEnd;
|
|
BOOL bRet = FALSE;
|
|
LONG lTotal =0;
|
|
size_t lProp = 0;
|
|
size_t iNameLen;
|
|
|
|
if (!bstrHelpBlob || *bstrHelpBlob==L'\0' || !pName || *pName ==L'\0'|| !ppValue)
|
|
return FALSE;
|
|
|
|
iNameLen = wcslen(pName);
|
|
|
|
pEnd = bstrHelpBlob + wcslen(bstrHelpBlob);
|
|
p1 = p2 = bstrHelpBlob;
|
|
|
|
while (1)
|
|
{
|
|
// get property length
|
|
while (*p2 != L';' && *p2 != L'\0' && iswdigit(*p2) ) p2++;
|
|
if (*p2 != L';')
|
|
goto done;
|
|
|
|
*p2 = L'\0'; // set it to get length
|
|
lProp = _wtol(p1);
|
|
*p2 = L';'; // revert it back.
|
|
|
|
// get property string
|
|
p1 = ++p2;
|
|
|
|
while (*p2 != L'=' && *p2 != L'\0' && p2 < p1+lProp) p2++;
|
|
if (*p2 != L'=')
|
|
goto done;
|
|
|
|
if (wcsncmp(p1, pName, iNameLen) == 0)
|
|
{
|
|
if (lProp == iNameLen+1) // A=B= case (no value)
|
|
goto done;
|
|
|
|
*ppValue = (WCHAR*)LocalAlloc(LMEM_FIXED, sizeof(WCHAR) * (lProp-iNameLen));
|
|
if (*ppValue == NULL)
|
|
goto done;
|
|
|
|
wcsncpy(*ppValue, p2+1, lProp-iNameLen-1);
|
|
(*ppValue)[lProp-iNameLen-1]=L'\0';
|
|
bRet = TRUE;
|
|
break;
|
|
}
|
|
|
|
// check next property
|
|
p2 = p1 = p1 + lProp;
|
|
if (p2 > pEnd)
|
|
break;
|
|
}
|
|
|
|
done:
|
|
return bRet;
|
|
}
|