From ed0ced76f9dcc6991f44d2866f24a1226a099ed5 Mon Sep 17 00:00:00 2001
From: momo5502
Date: Sun, 22 Dec 2024 21:47:43 +0100
Subject: [PATCH] Progress on tokens
---
 src/windows-emulator/handles.hpp | 3 ++
 src/windows-emulator/syscalls.cpp | 64 ++++++++++++++++++++---
 src/windows-emulator/windows_emulator.cpp | 4 ++
 3 files changed, 63 insertions(+), 8 deletions(-)
diff --git a/src/windows-emulator/handles.hpp b/src/windows-emulator/handles.hpp
index 50123adb..08ed0831 100644
--- a/src/windows-emulator/handles.hpp
+++ b/src/windows-emulator/handles.hpp
@@ -16,6 +16,7 @@ struct handle_types
 thread,
 registry,
 mutant,
+ token,
 };
 };
@@ -353,6 +354,8 @@ constexpr auto CONSOLE_HANDLE = make_pseudo_handle(0x1, handle_types::file);
 constexpr auto STDOUT_HANDLE = make_pseudo_handle(0x2, handle_types::file);
 constexpr auto STDIN_HANDLE = make_pseudo_handle(0x3, handle_types::file);
+constexpr auto DUMMY_IMPERSONATION_TOKEN = make_pseudo_handle(0x1, handle_types::token);
+
 constexpr auto CURRENT_PROCESS = make_handle(~0ULL);
 constexpr auto CURRENT_THREAD = make_handle(~1ULL);
diff --git a/src/windows-emulator/syscalls.cpp b/src/windows-emulator/syscalls.cpp
index b1f7c8c7..a16663b5 100644
--- a/src/windows-emulator/syscalls.cpp
+++ b/src/windows-emulator/syscalls.cpp
@@ -325,6 +325,19 @@ namespace
 return STATUS_SUCCESS;
 }
+ if (info_class == ThreadImpersonationToken)
+ {
+ if (thread_information_length != sizeof(handle))
+ {
+ return STATUS_BUFFER_OVERFLOW;
+ }
+
+ const emulator_object info{c.emu, thread_information};
+ info.write(DUMMY_IMPERSONATION_TOKEN);
+
+ return STATUS_SUCCESS;
+ }
+
 if (info_class == ThreadZeroTlsCell)
 {
 if (thread_information_length != sizeof(ULONG))
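Review bot: `DUMMY_IMPERSONATION_TOKEN` is declared without saying what it stands for, and its name alone does not tell a reader that it is the value handed back by the ThreadImpersonationToken query in syscalls.cpp rather than a handle with real token state behind it. A one-line comment above the declaration would do: `// Placeholder handle returned for ThreadImpersonationToken queries; no real token state is attached to it`. The pseudo-handle value 0x1 is also used by CONSOLE_HANDLE under handle_types::file, which is only unambiguous if make_pseudo_handle folds the type into the handle — that looks to be the case from the two-argument form, but it is worth stating in the same comment.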
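Review bot: The ThreadImpersonationToken branch hands out DUMMY_IMPERSONATION_TOKEN unconditionally, whereas a thread that is not impersonating gets STATUS_NO_TOKEN from the real kernel; every emulated thread therefore looks like it is impersonating, and code that probes the thread token first and only falls back to the process token on failure takes the opposite branch from what it would on a real system. Unless impersonation state is tracked elsewhere in the emulator, returning `STATUS_NO_TOKEN` here (or gating the dummy token on per-thread state) would be more faithful; at minimum the branch should carry `// Always reports an impersonation token; no impersonation state is tracked yet`. The length check returns STATUS_BUFFER_OVERFLOW, while the native implementation reports a size mismatch as STATUS_INFO_LENGTH_MISMATCH — align it unless the neighbouring handlers (ThreadZeroTlsCell's return is outside the hunk) deliberately use the overflow status. The template argument of `emulator_object` appears to have been stripped in this rendering, and the enclosing function starts and ends outside the hunk.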
@@ -2029,21 +2042,22 @@ namespace
 if (token_handle != CURRENT_PROCESS_TOKEN
 && token_handle != CURRENT_THREAD_TOKEN
 && token_handle != CURRENT_THREAD_EFFECTIVE_TOKEN
+ && token_handle != DUMMY_IMPERSONATION_TOKEN
 )
 {
 return STATUS_NOT_SUPPORTED;
 }
+ const uint8_t sid[] =
+ {
+ 0x01, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x05, 0x15, 0x00, 0x00, 0x00, 0x84, 0x94,
+ 0xD4, 0x04, 0x4B, 0x68, 0x42, 0x34, 0x23,
+ 0xBE, 0x69, 0x4E, 0xE9, 0x03, 0x00, 0x00,
+ };
+
 if (token_information_class == TokenUser)
 {
- const uint8_t sid[] =
- {
- 0x01, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x05, 0x15, 0x00, 0x00, 0x00, 0x84, 0x94,
- 0xD4, 0x04, 0x4B, 0x68, 0x42, 0x34, 0x23,
- 0xBE, 0x69, 0x4E, 0xE9, 0x03, 0x00, 0x00,
- };
-
 constexpr auto required_size = sizeof(sid) + 0x10;
 return_length.write(required_size);
@@ -2061,6 +2075,21 @@ namespace
 return STATUS_SUCCESS;
 }
+ if (token_information_class == TokenType)
+ {
+ constexpr auto required_size = sizeof(TOKEN_TYPE);
+ return_length.write(required_size);
+
+ if (required_size > token_information_length)
+ {
+ return STATUS_BUFFER_TOO_SMALL;
+ }
+
+ emulator_object{c.emu, token_information}.write(
+ token_handle == DUMMY_IMPERSONATION_TOKEN ? TokenImpersonation : TokenPrimary);
+ return STATUS_SUCCESS;
+ }
+
 if (token_information_class == TokenSessionId)
 {
 constexpr auto required_size = sizeof(ULONG);
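Review bot: The hoisted `sid` is now visible to every token-information class below it, but its name no longer says what it is: the bytes decode to revision 1, five subauthorities, NT authority — S-1-5-21-…-1001, a user-account SID — which is right for TokenUser and not for every class that might reach for a "sid". Renaming it `user_sid` and putting `// S-1-5-21-…-1001: fixed user-account SID reported for every supported token handle` above the array would make any later reuse self-checking. The enclosing function starts before this hunk and continues after it.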
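Review bot: TokenType now reports TokenImpersonation for DUMMY_IMPERSONATION_TOKEN, and a caller that sees TokenImpersonation commonly queries TokenImpersonationLevel next; this hunk does not add that class, and since the rest of the function is outside the hunk I cannot tell whether it is handled, so it is worth confirming before a target trips over STATUS_NOT_SUPPORTED (or whatever the fall-through returns) on the follow-up call. A short comment on the write, `// Only the dummy thread token is an impersonation token; everything else is the primary token`, would document the choice.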
@@ -2151,6 +2180,25 @@ namespace
 return STATUS_SUCCESS;
 }
+ if (token_information_class == TokenIntegrityLevel)
+ {
+ constexpr auto required_size = sizeof(sid) + sizeof(TOKEN_MANDATORY_LABEL);
+ return_length.write(required_size);
+
+ if (required_size > token_information_length)
+ {
+ return STATUS_BUFFER_TOO_SMALL;
+ }
+
+ TOKEN_MANDATORY_LABEL label{};
+ label.Label.Attributes = 0;
+ label.Label.Sid = reinterpret_cast(token_information + sizeof(TOKEN_MANDATORY_LABEL));
+
+ emulator_object{c.emu, token_information}.write(label);
+ c.emu.write_memory(token_information + sizeof(TOKEN_MANDATORY_LABEL), sid, sizeof(sid));
+ return STATUS_SUCCESS;
+ }
+
 if (token_information_class == TokenBnoIsolation)
 {
 constexpr auto required_size = sizeof(TOKEN_BNO_ISOLATION_INFORMATION);
diff --git a/src/windows-emulator/windows_emulator.cpp b/src/windows-emulator/windows_emulator.cpp
index 524d38f7..b420c102 100644
--- a/src/windows-emulator/windows_emulator.cpp
+++ b/src/windows-emulator/windows_emulator.cpp
@@ -263,6 +263,10 @@ namespace
 peb.HeapDeCommitFreeBlockThreshold = 0x0000000000001000;
 peb.NumberOfHeaps = 0x00000000;
 peb.MaximumNumberOfHeaps = 0x00000010;
+
+ peb.OSPlatformId = 2;
+ peb.OSMajorVersion = 0x0000000a;
+ peb.OSBuildNumber = 0x00006c51;
 });
 }
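Review bot: TokenIntegrityLevel writes the user SID (the hoisted `sid`, S-1-5-21-…-1001) as the mandatory label, but an integrity label is a SID under the mandatory-label authority (S-1-16-<rid>) and consumers read the integrity RID from its last subauthority; here they read 1001, which is below SECURITY_MANDATORY_LOW_RID (0x1000), so the emulated process would classify itself as untrusted integrity and may take a different code path than it does on a real medium-integrity desktop. A separate label SID is needed, and `required_size` and the final write_memory must size from it rather than from `sid`; the rewritten lines below use S-1-16-8192 (medium), a constructed sample value. Real labels also usually carry SE_GROUP_INTEGRITY | SE_GROUP_INTEGRITY_ENABLED in `Label.Attributes` rather than 0 — worth confirming against what the targets being emulated check. The `reinterpret_cast` target type appears stripped in this rendering, and the enclosing function starts and ends outside the hunk.
```cpp
if (token_information_class == TokenIntegrityLevel)
{
    // Mandatory-label SID S-1-16-8192 (medium integrity); constructed sample, not taken from this patch.
    const uint8_t integrity_sid[] =
    {
        0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10,
        0x00, 0x20, 0x00, 0x00,
    };

    constexpr auto required_size = sizeof(integrity_sid) + sizeof(TOKEN_MANDATORY_LABEL);
    return_length.write(required_size);

    // … unchanged: buffer-size check, label construction, label write …

    c.emu.write_memory(token_information + sizeof(TOKEN_MANDATORY_LABEL), integrity_sid, sizeof(integrity_sid));
    return STATUS_SUCCESS;
}
```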
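Review bot: The three new PEB fields are set from bare magic numbers: `peb.OSPlatformId = 2` is VER_PLATFORM_WIN32_NT and 0x6c51 is build 27729, and a reader has to know both to judge whether the values are intended. Use the named constant if the project's headers provide it, `peb.OSPlatformId = VER_PLATFORM_WIN32_NT;`, and annotate the build, `peb.OSBuildNumber = 0x00006c51; // 27729`. OSMinorVersion is left at whatever the struct held before — presumably zero, which is right for a 10.0 kernel, but setting it explicitly next to the others avoids depending on that. Version-probing code also compares the PEB against KUSER_SHARED_DATA and RtlGetVersion; if the emulator populates those elsewhere, they should report the same build so that version checks see one consistent system.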