Windows NT (access token), . , NT (SID), , , , ( , , ). ( , , , ), NT (SRM Security Reference Monitor) ( ) .
ORPC- , COM RPC- ( , ), , ( , STA). , . , , , , . , , ; , . Windows NT . , . , . , COM ORPC- , . , , .
, , ORPC- . API- CoGetCallContext. IServerSecurity:
// Per-call security context of the server side of an ORPC call. Obtained via
// CoGetCallContext(IID_IServerSecurity, ...) from inside the method being called.
[local, object, uuid(0000013E-0000-0000-C000-000000000046)]
interface IServerSecurity : IUnknown
{
    // get caller's security settings for the current call
    HRESULT QueryBlanket(
        [out] DWORD *pAuthnSvc,       // authentication pkg
        [out] DWORD *pAuthzSvc,       // authorization pkg
        [out] OLECHAR **pServerName,  // server principal
        [out] DWORD *pAuthnLevel,     // authentication level
        [out] DWORD *pImpLevel,       // impersonation level
        [out] void **pPrivs,          // client principal
        [out] DWORD *pCaps            // EOAC flags
    );
    // start running with credentials of caller (switches the calling thread's token)
    HRESULT ImpersonateClient(void);
    // stop running with credentials of caller (back to the process-level token)
    HRESULT RevertToSelf(void);
    // test for impersonation: is this thread currently running as the caller?
    BOOL IsImpersonating(void);
}
QueryBlanket. . ImpersonateClient , , . IServerSecurity::ImpersonateClient, , . RevertToSelf , . , COM . , IServerSecurity::IsImpersonating , : . QueryBlanket, IServerSecurity , CoGetCallContext :
// Shorthand for ImpersonateClient / RevertToSelf on the IServerSecurity of the
// current call, without fetching that interface via CoGetCallContext first.
HRESULT CoImpersonateClient(void);
HRESULT CoRevertToSelf(void);
, IServerSecurity, CoGetCallContext , IServerSecurity.
:
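// Reads the current value from file1 under the server's own token (so any
// caller may read it), then writes the new value to file2 while impersonating
// the caller, so that only callers who can themselves write file2 may change it.
//
// dwNew:  value written to C:\file2.bin
// pdwOld: receives the DWORD read from C:\file1.bin
// Returns S_OK, an HRESULT wrapping the Win32 error, or the COM failure code.
STDMETHODIMP MyClass::ReadWrite(DWORD dwNew, DWORD *pdwOld)
{
    if (pdwOld == 0)
        return E_POINTER;

    // execute using server's token to let anyone read the value
    ULONG cb = 0;
    HANDLE hfile = CreateFile("C:\\file1.bin", GENERIC_READ, 0, 0,
                              OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0);
    if (hfile == INVALID_HANDLE_VALUE)
        return MAKE_HRESULT(SEVERITY_ERROR, FACILITY_WIN32, GetLastError());
    // capture the error before CloseHandle can overwrite it
    BOOL bRead = ReadFile(hfile, pdwOld, sizeof(DWORD), &cb, 0);
    DWORD dwReadErr = GetLastError();
    CloseHandle(hfile);
    if (!bRead)
        return MAKE_HRESULT(SEVERITY_ERROR, FACILITY_WIN32, dwReadErr);
    if (cb != sizeof(DWORD))
        return E_FAIL;   // short read: *pdwOld is not a complete value

    // get call context object
    IServerSecurity *pss = 0;
    HRESULT hr = CoGetCallContext(IID_IServerSecurity, (void**)&pss);
    if (FAILED(hr))
        return hr;

    // set thread token to use caller's credentials. This must be a real check,
    // not an assert: an assert compiles out in release builds, and continuing
    // after a failed ImpersonateClient would perform the write below under the
    // server's own (possibly more privileged) token instead of the caller's.
    hr = pss->ImpersonateClient();
    if (FAILED(hr)) {
        pss->Release();
        return hr;
    }

    // execute using client's token to let only users that can
    // write to the file change the value
    hfile = CreateFile("C:\\file2.bin", GENERIC_READ | GENERIC_WRITE, 0, 0,
                       OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0);
    if (hfile == INVALID_HANDLE_VALUE)
        hr = MAKE_HRESULT(SEVERITY_ERROR, FACILITY_WIN32, GetLastError());
    else {
        if (!WriteFile(hfile, &dwNew, sizeof(DWORD), &cb, 0))
            hr = MAKE_HRESULT(SEVERITY_ERROR, FACILITY_WIN32, GetLastError());
        CloseHandle(hfile);
    }

    // restore thread to use process-level token (on every path that impersonated)
    pss->RevertToSelf();
    // release call context
    pss->Release();
    return hr;
}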
, CreateFile , . / , CreateFile , .
, IServerSecurity::ImpersonateClient , , , . , (RPC_C_IMP_LEVEL_ANONYMOUS, RPC_C_IMP_LEVEL_IDENTIFY, RPC_C_IMP_LEVEL_IMPERSONATE RPC_C_IMP_LEVEL_DELEGATE). COM , CoInitializeSecurity; IClientSecurity::SetBlanket. IServerSecurity::ImpersonateClient, , , . , RPC_C_IMP_LEVEL_IDENTIFY, . , , API- Win32 OpenThreadToken GetTokenInformation ( , ID , ) (impersonation token). , RPC_C_IMP_LEVEL_DELEGATE, , . , COM- . , NTLM RPC_C_IMP_LEVEL_DELEGATE, Windows NT 4.0 .
, . , , . SCM , , RunAs AppID. AppID RunAs, , . " " , SCM , . " " ("As Activator"), , . " " . - , " ", COM , , REGCLS_MULTIPLEUSE CoRegisterClassObject. . - , , RPC_C_IMP_LEVEL_IMPERSONATE, , 1.
. , RunAs AppID:
[HKCR\AppID\{27EE6A4D-DF65-11d0-8C5F-0080C73925BA}] RunAs="DomainX\UserY"
, SCM (login token) . . - , (LSA Local Security Authority). - , " " ("Logon as a batch job"). RunAs DCOMCNFG.EXE 2.
(spoofing, ) CoRegisterClassObject , AppID . AppID RunAs, COM , , . RunAs AppID , CoRegisterClassObject HRESULT CO_E_WRONG_SERVER_IDENTITY. COM , .
, AppID RunAs, SCM window- (window station)3. , , , , (clipboard). , , (naive) COM , 4. , (logged on) . window- (desktop) API- COM, . , , , , , (hardware messages) . , , / , API- Win32 MessageBox MB_SERVICE_NOTIFICATION, , - , .
, Win32 API window- . , window- , , . , , window- , COM RunAs "Interactive User" (" "):
[HKCR\AppID\{27EE6A4D-DF65-11d0-8C5F-0080C73925BA}] RunAs="Interactive User"
COM window- , . COM . , . , . - , , - , E_ACCESSDENIED. , , , , . , , , . 5.
window- NT. , LocalService SCM NT Service Control Manager CreateProcess CreateProcessAsUser. NT COM , , NT. COM RunAs, , CoRegisterClassObject. LocalService , NT. SYSTEM, window- , window- , NT SYSTEM ( , NT). NT , NT Service Control Manager NT window- , .
COM NT , NT SYSTEM. , . , , (trusted computing base) , . , SYSTEM , , COM. SYSTEM , . , NT Win32, COM, .
1 , , , RPC_C_IMP_LEVEL_IMPERSONATE , CoInitializeSecurity, , COAUTHINFO.
2 . DCOMPERM SDK Win32, (Mike Nelson).
3 AppID RunAs ( " "), SCM window- ( window- , ). , , .
4 . , SCM RunAs, window- . Windows NT 4.0 14 . , 14 ( ) RunAs . Q171890 Microsoft (Microsoft Knowledge Base) , .
5 , RPC_E_WRONG_SERVER_IDENTITY .