[NTOS:SE] Add token debug code

Implement initial token debug code. For now debug information that is being tracked are: process image file name, process and thread client IDs and token creation method. More specific debug code can be added later only if needed. As for the token creation method, this follows the same principle as on Windows where the creation method is defined by a value denoting the first letter of the said method of creation. That is, 0xC is for token creation, 0xD is for token duplication and 0xF is for token filtering. The debug field names are taken from Windows PDB symbols for WinDBG debug extension support purposes. The names must not be changed!
2024-06-01 02:01:57 +00:00 · 2022-04-18 10:39:33 +02:00 · 2022-04-18 10:39:33 +02:00 · 11d9c88c35
parent 5df5ef2bdf
commit 11d9c88c35
3 changed files with 67 additions and 1 deletions
--- a/ntoskrnl/include/internal/se.h
+++ b/ntoskrnl/include/internal/se.h
@ -34,6 +34,10 @@ typedef struct _TOKEN_AUDIT_POLICY_INFORMATION
    } Policies[1];
 } TOKEN_AUDIT_POLICY_INFORMATION, *PTOKEN_AUDIT_POLICY_INFORMATION;

+#define TOKEN_CREATE_METHOD    0xCUL
+#define TOKEN_DUPLICATE_METHOD 0xDUL
+#define TOKEN_FILTER_METHOD    0xFUL
+
 FORCEINLINE
 PSID
 SepGetGroupFromDescriptor(
--- a/ntoskrnl/se/token.c
+++ b/ntoskrnl/se/token.c
@ -1086,6 +1086,17 @@ SepDuplicateToken(
        goto Quit;
    }

+    /* Fill in token debug information */
+#if DBG
+    RtlCopyMemory(AccessToken->ImageFileName,
+                  PsGetCurrentProcess()->ImageFileName,
+                  min(sizeof(AccessToken->ImageFileName), sizeof(PsGetCurrentProcess()->ImageFileName)));
+
+    AccessToken->ProcessCid = PsGetCurrentProcessId();
+    AccessToken->ThreadCid = PsGetCurrentThreadId();
+    AccessToken->CreateMethod = TOKEN_DUPLICATE_METHOD;
+#endif
+
    /* Assign the data that reside in the TOKEN's variable information area */
    AccessToken->VariableLength = VariableLength;
    EndMem = (PVOID)&AccessToken->VariablePart;
@ -1844,6 +1855,32 @@ SepCreateToken(
        goto Quit;
    }

+    /* Fill in token debug information */
+#if DBG
+    /*
+     * We must determine ourselves that the current
+     * process is not the initial CPU one. The initial
+     * process is not a "real" process, that is, the
+     * Process Manager has not yet been initialized and
+     * as a matter of fact we are creating a token before
+     * any process gets created by Ps. If it turns out
+     * that the current process is the initial CPU process
+     * where token creation execution takes place, don't
+     * do anything.
+     */
+    if (PsGetCurrentProcess() != &KiInitialProcess)
+    {
+        RtlCopyMemory(AccessToken->ImageFileName,
+                      PsGetCurrentProcess()->ImageFileName,
+                      min(sizeof(AccessToken->ImageFileName), sizeof(PsGetCurrentProcess()->ImageFileName)));
+
+        AccessToken->ProcessCid = PsGetCurrentProcessId();
+        AccessToken->ThreadCid = PsGetCurrentThreadId();
+    }
+
+    AccessToken->CreateMethod = TOKEN_CREATE_METHOD;
+#endif
+
    /* Assign the data that reside in the TOKEN's variable information area */
    AccessToken->VariableLength = VariableLength;
    EndMem = (PVOID)&AccessToken->VariablePart;
@ -2181,6 +2218,17 @@ SepPerformTokenFiltering(
        goto Quit;
    }

+    /* Fill in token debug information */
+#if DBG
+    RtlCopyMemory(AccessToken->ImageFileName,
+                  PsGetCurrentProcess()->ImageFileName,
+                  min(sizeof(AccessToken->ImageFileName), sizeof(PsGetCurrentProcess()->ImageFileName)));
+
+    AccessToken->ProcessCid = PsGetCurrentProcessId();
+    AccessToken->ThreadCid = PsGetCurrentThreadId();
+    AccessToken->CreateMethod = TOKEN_FILTER_METHOD;
+#endif
+
    /* Assign the data that reside in the token's variable information area */
    AccessToken->VariableLength = VariableLength;
    EndMem = (PVOID)&AccessToken->VariablePart;
--- a/sdk/include/ndk/setypes.h
+++ b/sdk/include/ndk/setypes.h
@ -204,6 +204,14 @@ typedef struct _SECURITY_TOKEN_PROXY_DATA
 //
 // Token and auxiliary data
 //
+// ===================!!!IMPORTANT NOTE!!!=====================
+// ImageFileName, ProcessCid, ThreadCid and CreateMethod field
+// names are taken from Windows Server 2003 SP2 checked build
+// WinDBG debug extensions command purposes (such as !logonsession
+// command respectively). As such names are hardcoded, we have
+// to be compatible with them. THESE FIELD NAMES MUST NOT BE
+// CHANGED!!!
+// ============================================================
 typedef struct _TOKEN
 {
    TOKEN_SOURCE TokenSource;                         /* 0x00 */
@ -236,7 +244,13 @@ typedef struct _TOKEN
    PSECURITY_TOKEN_AUDIT_DATA AuditData;             /* 0x94 */
    PSEP_LOGON_SESSION_REFERENCES LogonSession;       /* 0x98 */
    LUID OriginatingLogonSession;                     /* 0x9C */
-    ULONG VariablePart;                               /* 0xA4 */
+#if DBG
+    UCHAR ImageFileName[16];                          /* 0xA4 */
+    HANDLE ProcessCid;                                /* 0xB4 */
+    HANDLE ThreadCid;                                 /* 0xB8 */
+    ULONG CreateMethod;                               /* 0xBC */
+#endif
+    ULONG VariablePart;                               /* 0xC0 */
 } TOKEN, *PTOKEN;

 typedef struct _AUX_ACCESS_DATA