Unable to add ACE to SACl of Kernel Object using SetKernelObjectSecurity

  acl, security, windows

I am trying to add Audit ACE to a kernel security object and remove all existing ACE. So I was able to come up with the following code by referring to documentation and other posts on the internet. Finally, I am able to run SetKernelObjectSecurity without error but when I again try to validate if the ACE is added then I see ACE Count to be 0. As of right now, I am stuck at this point. It will be great if someone can help me with how to properly change ACE in Kernel Object SACl.

Thank you.

Here is a brief overview of the code:

  • You can see that there are 5 Sections
  • SECTION 1: Create handle
  • SECTION 2: Get Kernel object security and pOldSacl
  • SECTION 3: Create newSACL from oldSACL
  • SECTION 4: Add newSACL to kernel object security
  • SECTION 5: Validate if SACL is updated
  • Aside from this there are 5 // NOTE tags which shows value of ace count at various points

Code is as follows:

void setAceAudit()
{
    DWORD dwRes = 0;
    PACL pOldSACL = NULL, pNewSACL = NULL;
    PSECURITY_DESCRIPTOR pSS = NULL;
    EXPLICIT_ACCESS ea;

    HANDLE  hFile = NULL;

// SECTION 1: Create handle

    hFile = CreateFile2(filePath,
        FILE_GENERIC_EXECUTE | FILE_GENERIC_READ | FILE_GENERIC_WRITE | READ_CONTROL | WRITE_OWNER | ACCESS_SYSTEM_SECURITY,
        FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
        OPEN_EXISTING,
        nullptr);

    if (hFile == INVALID_HANDLE_VALUE && GetLastError() == ERROR_ACCESS_DENIED)
    {
        // A directory will fail without FILE_FLAG_BACKUP_SEMANTICS.
        CREATEFILE2_EXTENDED_PARAMETERS extendedParams = {
            sizeof(CREATEFILE2_EXTENDED_PARAMETERS),
            FILE_ATTRIBUTE_NORMAL,
            FILE_FLAG_BACKUP_SEMANTICS,
            0,
            nullptr,
            nullptr
        };
        hFile = CreateFile2(filePath,
            FILE_GENERIC_EXECUTE | FILE_GENERIC_READ | FILE_GENERIC_WRITE | READ_CONTROL | WRITE_OWNER | ACCESS_SYSTEM_SECURITY,
            FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
            OPEN_EXISTING,
            &extendedParams);
    }

// SECTION 1: End
// SECTION 2: Get Kernel object security and pOldSacl

    DWORD                dwSize = 0;
    HRESULT hr = S_OK;
    if (!GetKernelObjectSecurity(hFile, LABEL_SECURITY_INFORMATION, pSS, dwSize, &dwSize))
    {
        DWORD dwError = GetLastError();

        if (ERROR_INSUFFICIENT_BUFFER != dwError)
        {
            hr = HRESULT_FROM_WIN32(dwError);
        }
        else if (NULL == (pSS = (PSECURITY_DESCRIPTOR)LocalAlloc(LPTR, dwSize)))
        {
            hr = E_OUTOFMEMORY;
        }
        else if (!GetKernelObjectSecurity(hFile, LABEL_SECURITY_INFORMATION, pSS, dwSize, &dwSize))
        {
            hr = HRESULT_FROM_WIN32(GetLastError());
        }
    }
    else
    {
        hr = E_UNEXPECTED;
    }

    VERIFY_ARE_EQUAL(hr, S_OK);

    
    BOOL bSaclPresent = FALSE;
    BOOL bSaclDefaulted = FALSE;

    if (!GetSecurityDescriptorSacl(pSS, &bSaclPresent, &pOldSACL, &bSaclDefaulted))
    {
        hr = HRESULT_FROM_WIN32(GetLastError());
    }

// SECTION 2: End
// SECTION 3: Create newSACL from oldSACL

    ZeroMemory(&ea, sizeof(EXPLICIT_ACCESS));
    ea.grfAccessPermissions = 0X11000000;
    ea.grfAccessMode = SET_AUDIT_SUCCESS;
    ea.grfInheritance = NO_PROPAGATE_INHERIT_ACE;
    ea.Trustee.TrusteeForm = TRUSTEE_IS_NAME;
    ea.Trustee.ptstrName = L"Administrator";

    dwRes = SetEntriesInAcl(1, &ea, pOldSACL, &pNewSACL);
    if (ERROR_SUCCESS != dwRes) {
        LOG_OUTPUT(L"SetEntriesInAcl Error %lu %ldn", dwRes, GetLastError());
        return dwRes;
    }

    for (int ii = pNewSACL->AceCount - 1; ii >= 0; ii--)
    {
        PSYSTEM_MANDATORY_LABEL_ACE pAce = NULL; // Only access pAce->Header until checking AceType

        if (!GetAce(pNewSACL, ii, (LPVOID*)&pAce))
        {
            VERIFY_ARE_EQUAL((DWORD)0, GetLastError());
        }
        DeleteAce(pNewSACL, ii);
    }

    PSID    pIntegritySid = NULL;

    BOOL    fRet;

    if (true)
    {
        fRet = ConvertStringSidToSidW(SDDL_ML_HIGH, &pIntegritySid);
    }
    else
    {
        fRet = ConvertStringSidToSidW(SDDL_ML_MEDIUM, &pIntegritySid);
    }

    VERIFY_IS_TRUE(fRet);

    fRet = AddAuditAccessAce(pNewSACL, ACL_REVISION_DS, OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE, pIntegritySid, FALSE, FALSE);

    VERIFY_IS_TRUE(fRet);

    DWORD absSize = 0;
    DWORD daclSize = 0;
    DWORD saclSize = 0;
    DWORD ownerSize = 0;
    DWORD primGroupSize = 0;
    fRet = MakeAbsoluteSD(pSS, NULL, &absSize, NULL, &daclSize, NULL, &saclSize, NULL, &ownerSize, NULL, &primGroupSize);

    PSECURITY_DESCRIPTOR pSD = LocalAlloc(0, absSize);
    fRet = MakeAbsoluteSD(pSS,
        pSD, &absSize,
        /*pSD->Dacl =*/ (PACL)LocalAlloc(0, daclSize), &daclSize,
        /*pSD->Sacl =*/ (PACL)LocalAlloc(0, saclSize), &saclSize,
        /*pSD->Owner =*/ (PSID)LocalAlloc(0, ownerSize), &ownerSize,
        /*pSD->Group =*/ (PSID)LocalAlloc(0, primGroupSize), &primGroupSize);

// NOTE 1: Verified that ACE count is 1 in pNewSACL before inserting it
// SECTION 3: End
// SECTION 4: Add newSACL to kernel object security

    if (!SetSecurityDescriptorSacl(pSD, TRUE, pNewSACL, FALSE))
    {
        DWORD dwError = GetLastError();
        hr = HRESULT_FROM_WIN32(dwError);
    }

// NOTE 2: Verified that new SACL in pSD has ACE count as 1 by using GetSecurityDescriptorSacl

    if (!SetKernelObjectSecurity(hFile, SACL_SECURITY_INFORMATION, pSD))
    {
        // NOTE 3: Call flow doesn't go here so SetKernelObjectSecurity is success.
        DWORD dwError = GetLastError();
        hr = HRESULT_FROM_WIN32(dwError);
    }

// SECTION 4: End
// SECTION 5: Validate if SACL is updated

// NOTE 4: Following code is to validate that ACE count is changed by using GetKernelObjectSecurity and GetSecurityDescriptorSacl but as in (NOTE 5) it is found to be 0

    dwSize = 0;
    PSECURITY_DESCRIPTOR pSD1 = NULL;

    if (!GetKernelObjectSecurity(hFile, LABEL_SECURITY_INFORMATION, pSD1, dwSize, &dwSize))
    {
        DWORD dwError = GetLastError();

        if (ERROR_INSUFFICIENT_BUFFER != dwError)
        {
            hr = HRESULT_FROM_WIN32(dwError);
        }
        else if (NULL == (pSD1 = (PSECURITY_DESCRIPTOR)LocalAlloc(LPTR, dwSize)))
        {
            hr = E_OUTOFMEMORY;
        }
        else if (!GetKernelObjectSecurity(hFile, LABEL_SECURITY_INFORMATION, pSD1, dwSize, &dwSize))
        {
            hr = HRESULT_FROM_WIN32(GetLastError());
        }
    }
    else
    {
        // Should never get here, as dwSize was initialized to 0,
        // so the call to GetKernelObjectSecurity should fail.
        // Adding this to avoid Prefast/Prefix complaining that
        // potential use of NULL pSD below.
        hr = E_UNEXPECTED;
    }

    VERIFY_ARE_EQUAL(hr, S_OK);

    PACL pSacl = NULL;
    bSaclPresent = FALSE;
    bSaclDefaulted = FALSE;

    if (!GetSecurityDescriptorSacl(pSD1, &bSaclPresent, &pSacl, &bSaclDefaulted))
    {
        hr = HRESULT_FROM_WIN32(GetLastError());
    }

    VERIFY_ARE_EQUAL(hr, S_OK);
    VERIFY_ARE_NOT_EQUAL(pSacl, (PACL)NULL);
    VERIFY_ARE_EQUAL(bSaclPresent, (BOOL)true);
    VERIFY_ARE_NOT_EQUAL(pSacl->AceCount, (WORD)0); // NOTE 5: ACE Count is 0

// SECTION 5: End

    CloseHandle(hFile);

}

Source: Windows Questions

LEAVE A COMMENT