How to work with DACL? #1031

vitkuz573 · 2023-09-06T14:13:19Z

vitkuz573
Sep 6, 2023

This is my first time working with DACL and I need the process to be able to be terminated only by an administrator. Other users should not be able to terminate the process. Is this possible? As I understand it, I need to compose SDDL correctly

It doesn't work like that.

using System.ComponentModel;
using RemoteMaster.Client.Abstractions;
using RemoteMaster.Client.Core.Abstractions;
using RemoteMaster.Client.Core.Extensions;
using RemoteMaster.Client.Services;
using Windows.Win32.Foundation;
using Windows.Win32.Security.Authorization;
using static Windows.Win32.PInvoke;

internal class Program
{
    private static void Main(string[] args)
    {
        var builder = WebApplication.CreateBuilder(args).ConfigureCoreUrls();

        builder.Services.AddCoreServices();
        builder.Services.AddSingleton<IScreenCapturerService, BitBltCapturer>();
        builder.Services.AddSingleton<ICursorRenderService, CursorRenderService>();
        builder.Services.AddSingleton<IInputService, InputService>();
        builder.Services.AddSingleton<IPowerService, PowerService>();

        var app = builder.Build();

        app.MapCoreHubs();

        app.Run();

        ProtectCurrentProcess();
    }

    private static unsafe void ProtectCurrentProcess()
    {
        const uint DACL_SECURITY_INFORMATION = 0x00000004;
        const uint SDDL_REVISION_1 = 1;

        using var currentProcess = GetCurrentProcess_SafeHandle();

        if (!ConvertStringSecurityDescriptorToSecurityDescriptor("D:P(A;;GA;;;BA)(D;;GA;;;WD)", SDDL_REVISION_1, out var sd, null))
        {
            throw new Win32Exception();
        }

        if (!GetSecurityDescriptorDacl(sd, out var daclPresent, out var pDacl, out var defaultDacl) || !daclPresent)
        {
            throw new Win32Exception();
        }

        var result = SetSecurityInfo(currentProcess, SE_OBJECT_TYPE.SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, default, default, *pDacl, null);

        if (result != WIN32_ERROR.ERROR_SUCCESS)
        {
            throw new Win32Exception((int)result);
        }
    }
}

I don't exclude that I may not have drafted the SDDL correctly or applied it correctly at all

vitkuz573 · 2023-09-07T04:18:46Z

vitkuz573
Sep 7, 2023
Author

I started doing this

using System.ComponentModel;
using RemoteMaster.Client.Abstractions;
using RemoteMaster.Client.Core.Abstractions;
using RemoteMaster.Client.Core.Extensions;
using RemoteMaster.Client.Services;
using Windows.Win32.Foundation;
using Windows.Win32.Security;
using Windows.Win32.Security.Authorization;
using static Windows.Win32.PInvoke;

internal class Program
{
    private static void Main(string[] args)
    {
        var builder = WebApplication.CreateBuilder(args).ConfigureCoreUrls();

        builder.Services.AddCoreServices();
        builder.Services.AddSingleton<IScreenCapturerService, BitBltCapturer>();
        builder.Services.AddSingleton<ICursorRenderService, CursorRenderService>();
        builder.Services.AddSingleton<IInputService, InputService>();
        builder.Services.AddSingleton<IPowerService, PowerService>();

        var app = builder.Build();

        app.MapCoreHubs();

        ProtectCurrentProcess();

        app.Run();
    }

    private static unsafe void ProtectCurrentProcess()
    {
        using var currentProcess = GetCurrentProcess_SafeHandle();

        if (!ConvertStringSecurityDescriptorToSecurityDescriptor("D:P(A;;GA;;;BA)(D;;GA;;;WD)", SDDL_REVISION_1, out var sd, null))
        {
            throw new Win32Exception();
        }

        if (!GetSecurityDescriptorDacl(sd, out var daclPresent, out var pDacl, out var defaultDacl) || !daclPresent)
        {
            throw new Win32Exception();
        }

        var result = SetSecurityInfo(currentProcess, SE_OBJECT_TYPE.SE_KERNEL_OBJECT, (uint)OBJECT_SECURITY_INFORMATION.DACL_SECURITY_INFORMATION, default, default, *pDacl, null);

        if (result != WIN32_ERROR.ERROR_SUCCESS)
        {
            throw new Win32Exception((int)result);
        }
    }
}

But now at startup it says the following:

Unhandled exception. System.ComponentModel.Win32Exception (1336): The access control list (ACL) structure is invalid.
at Program.ProtectCurrentProcess() in C:\Users\vitaly\source\repos\RemoteMaster\RemoteMaster.Client.Windows\Program.cs:line 54
at Program.Main(String[] args) in C:\Users\vitaly\source\repos\RemoteMaster\RemoteMaster.Client.Windows\Program.cs:line 31

0 replies

AArnott · 2023-09-07T15:26:06Z

AArnott
Sep 7, 2023
Maintainer

I don't know the answer, but I expect a user-mode process cannot make itself require elevation to close, as that would be a security risk since it could flood memory with processes the user couldn't close. It would also theoretically block the user logging out.
But if your process has elevated privileges already, then it seems there might be a way to accomplish this.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

How to work with DACL? #1031

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 2 comments

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

Select a reply

How to work with DACL? #1031

vitkuz573 Sep 6, 2023

Replies: 2 comments

vitkuz573 Sep 7, 2023 Author

AArnott Sep 7, 2023 Maintainer

vitkuz573
Sep 6, 2023

vitkuz573
Sep 7, 2023
Author

AArnott
Sep 7, 2023
Maintainer