psopen.c File Reference

#include "psp.h"

Go to the source code of this file.

Functions
NTSTATUS	NtOpenProcess (OUT PHANDLE ProcessHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, IN PCLIENT_ID ClientId OPTIONAL)
NTSTATUS	NtOpenThread (OUT PHANDLE ThreadHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, IN PCLIENT_ID ClientId OPTIONAL)

---

Function Documentation

NTSTATUS NtOpenProcess (  OUT PHANDLE  ProcessHandle, IN ACCESS_MASK  DesiredAccess, IN POBJECT_ATTRIBUTES  ObjectAttributes, IN PCLIENT_ID ClientId  OPTIONAL )

Definition at line 30 of file psopen.c. References EXCEPTION_EXECUTE_HANDLER, FALSE, _OBJECT_TYPE_INITIALIZER::GenericMapping, Handle, KernelMode, KPROCESSOR_MODE, NT_SUCCESS, NTSTATUS(), NULL, ObDereferenceObject, ObjectAttributes, ObOpenObjectByName(), ObOpenObjectByPointer(), PAGED_CODE, _ACCESS_STATE::PreviouslyGrantedAccess, ProbeForRead, ProbeForWriteHandle, PsLookupProcessByProcessId(), PsLookupProcessThreadByCid(), PsProcessType, _ACCESS_STATE::RemainingDesiredAccess, SeCreateAccessState(), SeDebugPrivilege, SeDeleteAccessState(), SeSinglePrivilegeCheck(), Status, TRUE, and _OBJECT_TYPE::TypeInfo. Referenced by OpenAppropriateToken(), and RtlpChangeQueryDebugBufferTarget(). : This function opens a handle to a process object with the specified desired access. The object is located either by name, or by locating a thread whose Client ID matches the specified Client ID and then opening that thread's process. Arguments: ProcessHandle - Supplies a pointer to a variable that will receive the process object handle. DesiredAccess - Supplies the desired types of access for the process object. ObjectAttributes - Supplies a pointer to an object attributes structure. If the ObjectName field is specified, then ClientId must not be specified. ClientId - Supplies a pointer to a ClientId that if supplied specifies the thread whose process is to be opened. If this argument is specified, then ObjectName field of the ObjectAttributes structure must not be specified. Return Value: TBS --*/ { HANDLE Handle; KPROCESSOR_MODE PreviousMode; NTSTATUS Status; PEPROCESS Process; PETHREAD Thread; CLIENT_ID CapturedCid; BOOLEAN ObjectNamePresent; BOOLEAN ClientIdPresent; ACCESS_STATE AccessState; AUX_ACCESS_DATA AuxData; ULONG Attributes; PAGED_CODE(); // // Make sure that only one of either ClientId or ObjectName is // present. // PreviousMode = KeGetPreviousMode(); if (PreviousMode != KernelMode) { // // Since we need to look at the ObjectName field, probe // ObjectAttributes and capture object name present indicator. // try { ProbeForWriteHandle(ProcessHandle); ProbeForRead(ObjectAttributes, sizeof(OBJECT_ATTRIBUTES), sizeof(ULONG)); ObjectNamePresent = (BOOLEAN)ARGUMENT_PRESENT(ObjectAttributes->ObjectName); Attributes = ObjectAttributes->Attributes; if (ARGUMENT_PRESENT(ClientId)) { ProbeForRead(ClientId, sizeof(CLIENT_ID), sizeof(ULONG)); CapturedCid = *ClientId; ClientIdPresent = TRUE; } else { ClientIdPresent = FALSE; } } except(EXCEPTION_EXECUTE_HANDLER) { return GetExceptionCode(); } } else { ObjectNamePresent = (BOOLEAN)ARGUMENT_PRESENT(ObjectAttributes->ObjectName); Attributes = ObjectAttributes->Attributes; if (ARGUMENT_PRESENT(ClientId)) { CapturedCid = *ClientId; ClientIdPresent = TRUE; } else { ClientIdPresent = FALSE; } } if ( ObjectNamePresent && ClientIdPresent ) { return STATUS_INVALID_PARAMETER_MIX; } // // Create an AccessState here, because the caller may have // DebugPrivilege, which requires us to make special adjustments // to his desired access mask. We do this by modifying the // internal fields in the AccessState to achieve the effect // we desire. // Status = SeCreateAccessState( &AccessState, &AuxData, DesiredAccess, &PsProcessType->TypeInfo.GenericMapping ); if ( !NT_SUCCESS(Status) ) { return Status; } // // Check here to see if the caller has SeDebugPrivilege. If // he does, we will allow him any access he wants to the process. // We do this by clearing the DesiredAccess in the AccessState // and recording what we want him to have in the PreviouslyGrantedAccess // field. // // Note that this routine performs auditing as appropriate. // if (SeSinglePrivilegeCheck( SeDebugPrivilege, PreviousMode )) { if ( AccessState.RemainingDesiredAccess & MAXIMUM_ALLOWED ) { AccessState.PreviouslyGrantedAccess |= PROCESS_ALL_ACCESS; } else { AccessState.PreviouslyGrantedAccess |= ( AccessState.RemainingDesiredAccess ); } AccessState.RemainingDesiredAccess = 0; } if ( ObjectNamePresent ) { // // Open handle to the process object with the specified desired access, // set process handle value, and return service completion status. // Status = ObOpenObjectByName( ObjectAttributes, PsProcessType, PreviousMode, &AccessState, 0, NULL, &Handle ); SeDeleteAccessState( &AccessState ); if ( NT_SUCCESS(Status) ) { try { *ProcessHandle = Handle; } except(EXCEPTION_EXECUTE_HANDLER) { return Status; } } return Status; } if ( ClientIdPresent ) { Thread = NULL; if (CapturedCid.UniqueThread) { Status = PsLookupProcessThreadByCid( &CapturedCid, &Process, &Thread ); if ( !NT_SUCCESS(Status) ) { SeDeleteAccessState( &AccessState ); return Status; } } else { Status = PsLookupProcessByProcessId( CapturedCid.UniqueProcess, &Process ); if ( !NT_SUCCESS(Status) ) { SeDeleteAccessState( &AccessState ); return Status; } } // // OpenObjectByAddress // Status = ObOpenObjectByPointer( Process, Attributes, &AccessState, 0, PsProcessType, PreviousMode, &Handle ); SeDeleteAccessState( &AccessState ); if ( Thread ) { ObDereferenceObject(Thread); } ObDereferenceObject(Process); if ( NT_SUCCESS(Status) ) { try { *ProcessHandle = Handle; } except(EXCEPTION_EXECUTE_HANDLER) { return Status; } } return Status; } return STATUS_INVALID_PARAMETER_MIX; }

NTSTATUS NtOpenThread (  OUT PHANDLE  ThreadHandle, IN ACCESS_MASK  DesiredAccess, IN POBJECT_ATTRIBUTES  ObjectAttributes, IN PCLIENT_ID ClientId  OPTIONAL )

Definition at line 280 of file psopen.c. References EXCEPTION_EXECUTE_HANDLER, FALSE, _OBJECT_TYPE_INITIALIZER::GenericMapping, Handle, KernelMode, KPROCESSOR_MODE, NT_SUCCESS, NTSTATUS(), NULL, ObDereferenceObject, ObjectAttributes, ObOpenObjectByName(), ObOpenObjectByPointer(), PAGED_CODE, _ACCESS_STATE::PreviouslyGrantedAccess, ProbeForRead, ProbeForWriteHandle, PsLookupProcessThreadByCid(), PsLookupThreadByThreadId(), PsProcessType, PsThreadType, _ACCESS_STATE::RemainingDesiredAccess, SeCreateAccessState(), SeDebugPrivilege, SeDeleteAccessState(), SeSinglePrivilegeCheck(), Status, ThreadHandle, TRUE, and _OBJECT_TYPE::TypeInfo. Referenced by SepServerInitialize(). 00289 : 00290 00291 This function opens a handle to a thread object with the specified 00292 desired access. 00293 00294 The object is located either by name, or by locating a thread whose 00295 Client ID matches the specified Client ID. 00296 00297 Arguments: 00298 00299 ThreadHandle - Supplies a pointer to a variable that will receive 00300 the thread object handle. 00301 00302 DesiredAccess - Supplies the desired types of access for the Thread 00303 object. 00304 00305 ObjectAttributes - Supplies a pointer to an object attributes structure. 00306 If the ObjectName field is specified, then ClientId must not be 00307 specified. 00308 00309 ClientId - Supplies a pointer to a ClientId that if supplied 00310 specifies the thread whose thread is to be opened. If this 00311 argument is specified, then ObjectName field of the ObjectAttributes 00312 structure must not be specified. 00313 00314 Return Value: 00315 00316 TBS 00317 00318 --*/ 00319 00320 { 00321 00322 HANDLE Handle; 00323 KPROCESSOR_MODE PreviousMode; 00324 NTSTATUS Status; 00325 PETHREAD Thread; 00326 CLIENT_ID CapturedCid; 00327 BOOLEAN ObjectNamePresent; 00328 BOOLEAN ClientIdPresent; 00329 ACCESS_STATE AccessState; 00330 AUX_ACCESS_DATA AuxData; 00331 ULONG HandleAttributes; 00332 00333 PAGED_CODE(); 00334 00335 // 00336 // Make sure that only one of either ClientId or ObjectName is 00337 // present. 00338 // 00339 00340 PreviousMode = KeGetPreviousMode(); 00341 if (PreviousMode != KernelMode) { 00342 00343 // 00344 // Since we need to look at the ObjectName field, probe 00345 // ObjectAttributes and capture object name present indicator. 00346 // 00347 00348 try { 00349 00350 ProbeForWriteHandle(ThreadHandle); 00351 00352 ProbeForRead(ObjectAttributes, 00353 sizeof(OBJECT_ATTRIBUTES), 00354 sizeof(ULONG)); 00355 ObjectNamePresent = (BOOLEAN)ARGUMENT_PRESENT(ObjectAttributes->ObjectName); 00356 HandleAttributes = ObjectAttributes->Attributes; 00357 00358 if (ARGUMENT_PRESENT(ClientId)) { 00359 ProbeForRead(ClientId, sizeof(CLIENT_ID), sizeof(ULONG)); 00360 CapturedCid = *ClientId; 00361 ClientIdPresent = TRUE; 00362 } 00363 else { 00364 ClientIdPresent = FALSE; 00365 } 00366 } 00367 except(EXCEPTION_EXECUTE_HANDLER) { 00368 return GetExceptionCode(); 00369 } 00370 } 00371 else { 00372 ObjectNamePresent = (BOOLEAN) ARGUMENT_PRESENT(ObjectAttributes->ObjectName); 00373 HandleAttributes = ObjectAttributes->Attributes; 00374 if (ARGUMENT_PRESENT(ClientId)) { 00375 CapturedCid = *ClientId; 00376 ClientIdPresent = TRUE; 00377 } 00378 else { 00379 ClientIdPresent = FALSE; 00380 } 00381 } 00382 00383 if ( ObjectNamePresent && ClientIdPresent ) { 00384 return STATUS_INVALID_PARAMETER_MIX; 00385 } 00386 00387 Status = SeCreateAccessState( 00388 &AccessState, 00389 &AuxData, 00390 DesiredAccess, 00391 &PsProcessType->TypeInfo.GenericMapping 00392 ); 00393 00394 if ( !NT_SUCCESS(Status) ) { 00395 00396 return Status; 00397 } 00398 00399 // 00400 // Check here to see if the caller has SeDebugPrivilege. If 00401 // he does, we will allow him any access he wants to the process. 00402 // We do this by clearing the DesiredAccess in the AccessState 00403 // and recording what we want him to have in the PreviouslyGrantedAccess 00404 // field. 00405 00406 if (SeSinglePrivilegeCheck( SeDebugPrivilege, PreviousMode )) { 00407 00408 if ( AccessState.RemainingDesiredAccess & MAXIMUM_ALLOWED ) { 00409 AccessState.PreviouslyGrantedAccess |= THREAD_ALL_ACCESS; 00410 00411 } else { 00412 00413 AccessState.PreviouslyGrantedAccess |= ( AccessState.RemainingDesiredAccess ); 00414 } 00415 00416 AccessState.RemainingDesiredAccess = 0; 00417 00418 } 00419 00420 if ( ObjectNamePresent ) { 00421 00422 // 00423 // Open handle to the Thread object with the specified desired access, 00424 // set Thread handle value, and return service completion status. 00425 // 00426 00427 Status = ObOpenObjectByName( 00428 ObjectAttributes, 00429 PsThreadType, 00430 PreviousMode, 00431 &AccessState, 00432 0, 00433 NULL, 00434 &Handle 00435 ); 00436 00437 SeDeleteAccessState( &AccessState ); 00438 00439 if ( NT_SUCCESS(Status) ) { 00440 try { 00441 *ThreadHandle = Handle; 00442 } 00443 except(EXCEPTION_EXECUTE_HANDLER) { 00444 return Status; 00445 } 00446 } 00447 return Status; 00448 } 00449 00450 if ( ClientIdPresent ) { 00451 00452 if ( CapturedCid.UniqueProcess ) { 00453 Status = PsLookupProcessThreadByCid( 00454 &CapturedCid, 00455 NULL, 00456 &Thread 00457 ); 00458 00459 if ( !NT_SUCCESS(Status) ) { 00460 SeDeleteAccessState( &AccessState ); 00461 return Status; 00462 } 00463 } 00464 else { 00465 Status = PsLookupThreadByThreadId( 00466 CapturedCid.UniqueThread, 00467 &Thread 00468 ); 00469 00470 if ( !NT_SUCCESS(Status) ) { 00471 SeDeleteAccessState( &AccessState ); 00472 return Status; 00473 } 00474 00475 } 00476 00477 Status = ObOpenObjectByPointer( 00478 Thread, 00479 HandleAttributes, 00480 &AccessState, 00481 0, 00482 PsThreadType, 00483 PreviousMode, 00484 &Handle 00485 ); 00486 00487 SeDeleteAccessState( &AccessState ); 00488 ObDereferenceObject(Thread); 00489 00490 if ( NT_SUCCESS(Status) ) { 00491 00492 try { 00493 *ThreadHandle = Handle; 00494 } 00495 except(EXCEPTION_EXECUTE_HANDLER) { 00496 return Status; 00497 } 00498 } 00499 00500 return Status; 00501 00502 } 00503 00504 return STATUS_INVALID_PARAMETER_MIX; 00505 } }

---