[NTOS:SE] Minor refactor on NtOpenThreadTokenEx

- Remove a redundant call of ObReferenceObjectByHandle. Not only it didn't make much sense (we reference the object from thread handle and the new thread object referencing the same handle!), specifying a request access of THREAD_ALL_ACCESS for the thread object is kind of suspicious and all of these access rights are unwanted. - Add some failure checks involving the CopyOnOpen code paths - Add some DPRINT1 debug prints (concerning the CopyOnOpen code paths as usual)
2025-04-04 20:50:41 +00:00 · 2021-06-18 18:38:12 +02:00 · 2021-06-18 18:38:12 +02:00 · 5912c11650
commit 5912c11650
parent 5ee09256de
1 changed files with 48 additions and 29 deletions
--- a/ntoskrnl/se/token.c
+++ b/ntoskrnl/se/token.c
@ -4233,7 +4233,7 @@ NtOpenThreadTokenEx(IN HANDLE ThreadHandle,
                    IN ULONG HandleAttributes,
                    OUT PHANDLE TokenHandle)
 {
-    PETHREAD Thread, NewThread;
+    PETHREAD Thread;
    HANDLE hToken;
    PTOKEN Token, NewToken = NULL, PrimaryToken;
    BOOLEAN CopyOnOpen, EffectiveOnly;
@ -4307,40 +4307,53 @@ NtOpenThreadTokenEx(IN HANDLE ThreadHandle,

    if (CopyOnOpen)
    {
-        Status = ObReferenceObjectByHandle(ThreadHandle, THREAD_ALL_ACCESS,
-                                           PsThreadType, KernelMode,
-                                           (PVOID*)&NewThread, NULL);
+        PrimaryToken = PsReferencePrimaryToken(Thread->ThreadsProcess);
+
+        Status = SepCreateImpersonationTokenDacl(Token, PrimaryToken, &Dacl);
+
+        ObFastDereferenceObject(&Thread->ThreadsProcess->Token, PrimaryToken);
+
        if (NT_SUCCESS(Status))
        {
-            PrimaryToken = PsReferencePrimaryToken(NewThread->ThreadsProcess);
-
-            Status = SepCreateImpersonationTokenDacl(Token, PrimaryToken, &Dacl);
-
-            ObFastDereferenceObject(&NewThread->ThreadsProcess->Token, PrimaryToken);
-
-            if (NT_SUCCESS(Status))
+            if (Dacl)
            {
-                if (Dacl)
+                Status = RtlCreateSecurityDescriptor(&SecurityDescriptor,
+                                                     SECURITY_DESCRIPTOR_REVISION);
+                if (!NT_SUCCESS(Status))
                {
-                    RtlCreateSecurityDescriptor(&SecurityDescriptor,
-                                                SECURITY_DESCRIPTOR_REVISION);
-                    RtlSetDaclSecurityDescriptor(&SecurityDescriptor, TRUE, Dacl,
-                                                 FALSE);
+                    DPRINT1("NtOpenThreadTokenEx(): Failed to create a security descriptor (Status 0x%lx)\n", Status);
                }

-                InitializeObjectAttributes(&ObjectAttributes, NULL, HandleAttributes,
-                                           NULL, Dacl ? &SecurityDescriptor : NULL);
-
-                Status = SepDuplicateToken(Token, &ObjectAttributes, EffectiveOnly,
-                                           TokenImpersonation, ImpersonationLevel,
-                                           KernelMode, &NewToken);
-                if (NT_SUCCESS(Status))
+                Status = RtlSetDaclSecurityDescriptor(&SecurityDescriptor, TRUE, Dacl,
+                                                      FALSE);
+                if (!NT_SUCCESS(Status))
                {
-                    ObReferenceObject(NewToken);
-                    Status = ObInsertObject(NewToken, NULL, DesiredAccess, 0, NULL,
-                                            &hToken);
+                    DPRINT1("NtOpenThreadTokenEx(): Failed to set a DACL to the security descriptor (Status 0x%lx)\n", Status);
                }
            }
+
+            InitializeObjectAttributes(&ObjectAttributes, NULL, HandleAttributes,
+                                       NULL, Dacl ? &SecurityDescriptor : NULL);
+
+            Status = SepDuplicateToken(Token, &ObjectAttributes, EffectiveOnly,
+                                       TokenImpersonation, ImpersonationLevel,
+                                       KernelMode, &NewToken);
+            if (!NT_SUCCESS(Status))
+            {
+                DPRINT1("NtOpenThreadTokenEx(): Failed to duplicate the token (Status 0x%lx)\n");
+            }
+
+            ObReferenceObject(NewToken);
+            Status = ObInsertObject(NewToken, NULL, DesiredAccess, 0, NULL,
+                                    &hToken);
+            if (!NT_SUCCESS(Status))
+            {
+                DPRINT1("NtOpenThreadTokenEx(): Failed to insert the token object (Status 0x%lx)\n", Status);
+            }
+        }
+        else
+        {
+            DPRINT1("NtOpenThreadTokenEx(): Failed to impersonate token from DACL (Status 0x%lx)\n", Status);
        }
    }
    else
@ -4348,6 +4361,10 @@ NtOpenThreadTokenEx(IN HANDLE ThreadHandle,
        Status = ObOpenObjectByPointer(Token, HandleAttributes,
                                       NULL, DesiredAccess, SeTokenObjectType,
                                       PreviousMode, &hToken);
+        if (!NT_SUCCESS(Status))
+        {
+            DPRINT1("NtOpenThreadTokenEx(): Failed to open the object (Status 0x%lx)\n", Status);
+        }
    }

    if (Dacl) ExFreePoolWithTag(Dacl, TAG_ACL);
@ -4361,13 +4378,15 @@ NtOpenThreadTokenEx(IN HANDLE ThreadHandle,

    if (NT_SUCCESS(Status) && CopyOnOpen)
    {
-        PsImpersonateClient(Thread, NewToken, FALSE, EffectiveOnly, ImpersonationLevel);
+        Status = PsImpersonateClient(Thread, NewToken, FALSE, EffectiveOnly, ImpersonationLevel);
+        if (!NT_SUCCESS(Status))
+        {
+            DPRINT1("NtOpenThreadTokenEx(): Failed to impersonate the client (Status 0x%lx)\n");
+        }
    }

    if (NewToken) ObDereferenceObject(NewToken);

-    if (CopyOnOpen && NewThread) ObDereferenceObject(NewThread);
-
    ObDereferenceObject(Thread);

    if (NT_SUCCESS(Status))