impersonate.hpp

Go to the documentation of this file.

//    OpenVPN -- An application to securely tunnel IP networks
//               over a single port, with support for SSL/TLS-based
//               session authentication and key exchange,
//               packet encryption, packet authentication, and
//               packet compression.
//
//    Copyright (C) 2012- OpenVPN Inc.
//
//    SPDX-License-Identifier: MPL-2.0 OR AGPL-3.0-only WITH openvpn3-openssl-exception
//
 
#pragma once
 
#include <windows.h>
#include <lmcons.h>
#include <wtsapi32.h>
 
#include <openvpn/win/winerr.hpp>
 
namespace openvpn::Win {
 
class Impersonate
{
  public:
    explicit Impersonate(bool as_local_system)
        : local_system_(is_local_system_())
    {
        if (as_local_system)
        {
            if (local_system_)
                OPENVPN_LOG("ImpersonateAsSystem: running under SYSTEM account, no need to impersonate");
            else
                impersonate_as_local_system();
        }
        else
        {
            if (local_system_)
                impersonate_as_user();
            else
                OPENVPN_LOG("ImpersonateAsUser: running under user account, no need to impersonate");
        }
    }
 
    ~Impersonate()
    {
        if (impersonated)
        {
            if (!RevertToSelf())
            {
                const Win::LastError err;
                OPENVPN_LOG("Impersonate: RevertToSelf() failed: " << err.message());
            }
        }
    }
 
    bool is_local_system() const
    {
        return local_system_;
    }
 
  private:
    void impersonate_as_local_system()
    {
        HANDLE thread_token, process_snapshot, winlogon_process, winlogon_token, duplicated_token;
        PROCESSENTRY32 entry = {};
        entry.dwSize = sizeof(PROCESSENTRY32);
        BOOL ret;
        DWORD pid = 0;
        TOKEN_PRIVILEGES privileges = {};
        privileges.PrivilegeCount = 1;
        privileges.Privileges->Attributes = SE_PRIVILEGE_ENABLED;
 
        if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &privileges.Privileges[0].Luid))
            return;
 
        if (!ImpersonateSelf(SecurityImpersonation))
            return;
 
        impersonated = true;
 
        if (!OpenThreadToken(GetCurrentThread(), TOKEN_ADJUST_PRIVILEGES, FALSE, &thread_token))
            return;
        if (!AdjustTokenPrivileges(thread_token, FALSE, &privileges, sizeof(privileges), NULL, NULL))
        {
            CloseHandle(thread_token);
            return;
        }
        CloseHandle(thread_token);
 
        process_snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
        if (process_snapshot == INVALID_HANDLE_VALUE)
            return;
 
        for (ret = Process32First(process_snapshot, &entry); ret; ret = Process32Next(process_snapshot, &entry))
        {
            if (!_stricmp(entry.szExeFile, "winlogon.exe"))
            {
                pid = entry.th32ProcessID;
                break;
            }
        }
        CloseHandle(process_snapshot);
        if (!pid)
            return;
 
        winlogon_process = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, pid);
        if (!winlogon_process)
            return;
 
        if (!OpenProcessToken(winlogon_process, TOKEN_IMPERSONATE | TOKEN_DUPLICATE, &winlogon_token))
        {
            CloseHandle(winlogon_process);
            return;
        }
        CloseHandle(winlogon_process);
 
        if (!DuplicateToken(winlogon_token, SecurityImpersonation, &duplicated_token))
        {
            CloseHandle(winlogon_token);
            return;
        }
        CloseHandle(winlogon_token);
 
        if (!SetThreadToken(NULL, duplicated_token))
        {
            CloseHandle(duplicated_token);
            return;
        }
        CloseHandle(duplicated_token);
    }
 
    void impersonate_as_user()
    {
        DWORD sessId = WTSGetActiveConsoleSessionId();
        if (sessId == 0xFFFFFFFF)
        {
            const Win::LastError err;
            OPENVPN_LOG("ImpersonateAsUser: WTSGetActiveConsoleSessionId() failed: " << err.message());
            return;
        }
 
        HANDLE hToken;
        if (!WTSQueryUserToken(sessId, &hToken))
        {
            const Win::LastError err;
            OPENVPN_LOG("ImpersonateAsUser: WTSQueryUserToken() failed: " << err.message());
            return;
        }
 
        if (!ImpersonateLoggedOnUser(hToken))
        {
            CloseHandle(hToken);
 
            const Win::LastError err;
            OPENVPN_LOG("ImpersonateAsUser: ImpersonateLoggedOnUser() failed: " << err.message());
            return;
        }
 
        CloseHandle(hToken);
 
        impersonated = true;
 
        char uname[UNLEN + 1];
        DWORD len = UNLEN + 1;
        GetUserNameA(uname, &len);
        OPENVPN_LOG("ImpersonateAsUser: impersonated as " << uname);
    }
 
    // https://stackoverflow.com/a/4024388/227024
    BOOL is_local_system_() const
    {
        HANDLE hToken;
        UCHAR bTokenUser[sizeof(TOKEN_USER) + 8 + 4 * SID_MAX_SUB_AUTHORITIES];
        PTOKEN_USER pTokenUser = (PTOKEN_USER)bTokenUser;
        ULONG cbTokenUser;
        SID_IDENTIFIER_AUTHORITY siaNT = SECURITY_NT_AUTHORITY;
        PSID pSystemSid;
        BOOL bSystem;
 
        // open process token
        if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken))
            return FALSE;
 
        // retrieve user SID
        if (!GetTokenInformation(hToken, TokenUser, pTokenUser, sizeof(bTokenUser), &cbTokenUser))
        {
            CloseHandle(hToken);
            return FALSE;
        }
 
        CloseHandle(hToken);
 
        // allocate LocalSystem well-known SID
        if (!AllocateAndInitializeSid(&siaNT, 1, SECURITY_LOCAL_SYSTEM_RID, 0, 0, 0, 0, 0, 0, 0, &pSystemSid))
            return FALSE;
 
        // compare the user SID from the token with the LocalSystem SID
        bSystem = EqualSid(pTokenUser->User.Sid, pSystemSid);
 
        FreeSid(pSystemSid);
 
        return bSystem;
    }
 
    bool local_system_ = false;
    bool impersonated = false;
};
} // namespace openvpn::Win