[NTOS:SE] Set up an ACL and SD for the anonymous logon

2024-12-28 10:04:49 +00:00 · 2021-03-13 14:33:15 +01:00 · 2021-03-13 14:33:15 +01:00 · b28530d4ac
commit b28530d4ac
parent d5c72a2e09
3 changed files with 42 additions and 0 deletions
--- a/ntoskrnl/include/internal/se.h
+++ b/ntoskrnl/include/internal/se.h
@ -187,6 +187,7 @@ extern PACL SePublicDefaultUnrestrictedDacl;
 extern PACL SePublicOpenDacl;
 extern PACL SePublicOpenUnrestrictedDacl;
 extern PACL SeUnrestrictedDacl;
+extern PACL SeSystemAnonymousLogonDacl;

 /* SDs */
 extern PSECURITY_DESCRIPTOR SePublicDefaultSd;
@ -195,6 +196,7 @@ extern PSECURITY_DESCRIPTOR SePublicOpenSd;
 extern PSECURITY_DESCRIPTOR SePublicOpenUnrestrictedSd;
 extern PSECURITY_DESCRIPTOR SeSystemDefaultSd;
 extern PSECURITY_DESCRIPTOR SeUnrestrictedSd;
+extern PSECURITY_DESCRIPTOR SeSystemAnonymousLogonSd;


 #define SepAcquireTokenLockExclusive(Token)                                    \
--- a/ntoskrnl/se/acl.c
+++ b/ntoskrnl/se/acl.c
@ -21,6 +21,7 @@ PACL SePublicDefaultUnrestrictedDacl = NULL;
 PACL SePublicOpenDacl = NULL;
 PACL SePublicOpenUnrestrictedDacl = NULL;
 PACL SeUnrestrictedDacl = NULL;
+PACL SeSystemAnonymousLogonDacl = NULL;

 /* FUNCTIONS ******************************************************************/

@ -217,6 +218,31 @@ SepInitDACLs(VOID)
                           GENERIC_READ | GENERIC_EXECUTE,
                           SeRestrictedCodeSid);

+    /* create SystemAnonymousLogonDacl */
+    AclLength = sizeof(ACL) +
+                (sizeof(ACE) + RtlLengthSid(SeWorldSid)) +
+                (sizeof(ACE) + RtlLengthSid(SeAnonymousLogonSid));
+
+    SeSystemAnonymousLogonDacl = ExAllocatePoolWithTag(PagedPool,
+                                                       AclLength,
+                                                       TAG_ACL);
+    if (SeSystemAnonymousLogonDacl == NULL)
+        return FALSE;
+
+    RtlCreateAcl(SeSystemAnonymousLogonDacl,
+                 AclLength,
+                 ACL_REVISION);
+
+    RtlAddAccessAllowedAce(SeSystemAnonymousLogonDacl,
+                           ACL_REVISION,
+                           GENERIC_ALL,
+                           SeWorldSid);
+
+    RtlAddAccessAllowedAce(SeSystemAnonymousLogonDacl,
+                           ACL_REVISION,
+                           GENERIC_ALL,
+                           SeAnonymousLogonSid);
+
    return TRUE;
 }

--- a/ntoskrnl/se/sd.c
+++ b/ntoskrnl/se/sd.c
@ -21,6 +21,7 @@ PSECURITY_DESCRIPTOR SePublicOpenSd = NULL;
 PSECURITY_DESCRIPTOR SePublicOpenUnrestrictedSd = NULL;
 PSECURITY_DESCRIPTOR SeSystemDefaultSd = NULL;
 PSECURITY_DESCRIPTOR SeUnrestrictedSd = NULL;
+PSECURITY_DESCRIPTOR SeSystemAnonymousLogonSd = NULL;

 /* PRIVATE FUNCTIONS **********************************************************/

@ -107,6 +108,19 @@ SepInitSDs(VOID)
                                 SeUnrestrictedDacl,
                                 FALSE);

+    /* Create SystemAnonymousLogonSd */
+    SeSystemAnonymousLogonSd = ExAllocatePoolWithTag(PagedPool,
+                                                     sizeof(SECURITY_DESCRIPTOR), TAG_SD);
+    if (SeSystemAnonymousLogonSd == NULL)
+        return FALSE;
+
+    RtlCreateSecurityDescriptor(SeSystemAnonymousLogonSd,
+                                SECURITY_DESCRIPTOR_REVISION);
+    RtlSetDaclSecurityDescriptor(SeSystemAnonymousLogonSd,
+                                 TRUE,
+                                 SeSystemAnonymousLogonDacl,
+                                 FALSE);
+
    return TRUE;
 }