
分类: WINDOWS

2009-04-22 10:30:06

记录一下,免得下次又要翻遍整个盘找代码。
如何把一个文件夹设置为所有用户都可以写入?下面是网上广为流传的一段代码:

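// Builds a security descriptor from a fixed SDDL string and stores it in
// pSA->lpSecurityDescriptor.
//
// DACL described by the SDDL string:
//   (D;OICI;GA;;;BG)      built-in guests are denied all access
//   (D;OICI;GA;;;AN)      anonymous logon is denied all access
//   (A;OICI;GRGWGX;;;AU)  authenticated users get read/write/execute
//   (A;OICI;GA;;;BA)      administrators get full control
// Modify these values as needed to generate the proper DACL for your
// application.
//
// Parameters:
//   pSA - structure to fill. Only lpSecurityDescriptor is written here;
//         nLength and bInheritHandle are left exactly as the caller set them,
//         so the caller has to initialise them before using the structure.
//
// Returns TRUE on success. Returns FALSE when pSA is NULL or when the
// conversion fails; in the latter case the error code is written to the
// debugger output.
//
// Ownership: the descriptor returned by
// ConvertStringSecurityDescriptorToSecurityDescriptor is allocated by the
// system, and the caller must release it with LocalFree when it is no longer
// needed.
BOOL CreateMyDACL(SECURITY_ATTRIBUTES * pSA)
{
    // The literal is read-only, so it is held through a pointer to const.
    const TCHAR * szSD = TEXT("D:")      // Discretionary ACL
        TEXT("(D;OICI;GA;;;BG)")         // Deny access to built-in guests
        TEXT("(D;OICI;GA;;;AN)")         // Deny access to anonymous logon
        TEXT("(A;OICI;GRGWGX;;;AU)")     // Allow read/write/execute to authenticated users
        TEXT("(A;OICI;GA;;;BA)");        // Allow full control to administrators

    if (NULL == pSA)
        return FALSE;

    if (ConvertStringSecurityDescriptorToSecurityDescriptor(
            szSD,
            SDDL_REVISION_1,
            &(pSA->lpSecurityDescriptor),
            NULL))
    {
        return TRUE;
    }

    // Read the error code first, before any other call can overwrite it.
    const DWORD dwErr = GetLastError();

    // TEXT() keeps the format string usable in both ANSI and Unicode builds,
    // and %lu matches DWORD (unsigned long).
    CString message;
    message.Format(TEXT("security des create err %lu"), dwErr);
    OutputDebugString(message);
    return FALSE;
}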

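上面这段代码在Windows XP、2003上可以正常工作,但是在Windows 2000上却出错了。
下面这段代码可以在Windows 2000、XP上正常工作(NT4行不行我就不知道了)。注意两段代码设置的权限并不相同:下面这段只有一条ACE,把GENERIC_ALL授予Everyone(其中包含修改DACL和取得所有权的权限),也没有上面那段对Guests和匿名登录的拒绝项。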

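// Builds a SECURITY_ATTRIBUTES whose DACL holds a single inheritable ACE
// granting GENERIC_ALL to the Everyone group, using only the explicit
// SID/ACL APIs (no SDDL string conversion).
//
// The object owns every allocation behind the descriptor. The
// SECURITY_ATTRIBUTES filled in by GetSecurityAddt only points at that
// memory, so it must not be used after this object has been destroyed.
class SecurityAttr
{
    PSID pEveryoneSID ;         // well-known Everyone SID, released with FreeSid
    PSID pAdminSID ;            // BUILTIN\Administrators SID; allocated, but no ACE refers to it at present
    PACL pACL ;                 // DACL built by SetEntriesInAcl, released with LocalFree
    PSECURITY_DESCRIPTOR pSD ;  // descriptor from LocalAlloc; non-NULL only after a fully successful build
    HKEY hkSub ;                // never opened by this class; closed in the destructor if it is ever set

    // The class owns raw handles, so a copy would release them twice.
    // Declared private and left undefined to forbid copying.
    SecurityAttr(const SecurityAttr &);
    SecurityAttr & operator=(const SecurityAttr &);

    // Frees the SIDs, the ACL and the descriptor, and resets the pointers.
    void ReleaseDescriptor()
    {
        if (pEveryoneSID)
            FreeSid(pEveryoneSID);
        if (pAdminSID)
            FreeSid(pAdminSID);
        if (pACL)
            LocalFree(pACL);
        if (pSD)
            LocalFree(pSD);
        pEveryoneSID = NULL;
        pAdminSID    = NULL;
        pACL         = NULL;
        pSD          = NULL;
    }

    // Reports a failed API call, drops any partially built state and returns FALSE.
    BOOL Fail(const char *api, DWORD err)
    {
        printf( "%s Error %lu\n", api, err );
        ReleaseDescriptor();
        return FALSE;
    }

    // Points sa at the descriptor owned by this object.
    void Fill(SECURITY_ATTRIBUTES &sa) const
    {
        sa.nLength = sizeof (SECURITY_ATTRIBUTES);
        sa.lpSecurityDescriptor = pSD;
        sa.bInheritHandle = FALSE;
    }

public :
    SecurityAttr()
        : pEveryoneSID(NULL), pAdminSID(NULL), pACL(NULL), pSD(NULL), hkSub(NULL)
    {
    }

    ~SecurityAttr()
    {
        ReleaseDescriptor();
        if (hkSub)
            RegCloseKey(hkSub);
    }

    // Builds the descriptor (once) and fills sa with it.
    //
    // Returns TRUE on success. On failure the failing API name and its error
    // code are printed, everything allocated so far is released, and FALSE is
    // returned with sa left untouched.
    //
    // A repeated call after a success reuses the descriptor already built
    // instead of allocating a second set of SIDs/ACL and leaking the first.
    BOOL GetSecurityAddt(SECURITY_ATTRIBUTES &sa)
    {
        if (pSD != NULL)
        {
            Fill(sa);
            return TRUE;
        }

        // Top-level authorities for the two well-known SIDs.
        SID_IDENTIFIER_AUTHORITY SIDAuthWorld = SECURITY_WORLD_SID_AUTHORITY;
        SID_IDENTIFIER_AUTHORITY SIDAuthNT = SECURITY_NT_AUTHORITY;

        // Well-known SID for the Everyone group. A SID from
        // AllocateAndInitializeSid must be freed with FreeSid.
        if (!AllocateAndInitializeSid(&SIDAuthWorld, 1,
                SECURITY_WORLD_RID,
                0, 0, 0, 0, 0, 0, 0,
                &pEveryoneSID))
        {
            return Fail("AllocateAndInitializeSid", GetLastError());
        }

        // The single ACE: Everyone gets GENERIC_ALL, inherited by
        // sub-containers and objects.
        // NOTE(review): GENERIC_ALL is more than read/write. It also lets any
        // user delete the object, rewrite its DACL and take ownership. If the
        // goal is only a folder that every user can write to, a narrower mask
        // such as GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE (the GRGWGX
        // rights used in CreateMyDACL) is enough. The mask is left as the
        // author wrote it.
        EXPLICIT_ACCESS ea[1];
        ZeroMemory(&ea, sizeof(ea));
        ea[0].grfAccessPermissions = GENERIC_ALL;
        ea[0].grfAccessMode = SET_ACCESS;
        ea[0].grfInheritance = SUB_CONTAINERS_AND_OBJECTS_INHERIT | CONTAINER_INHERIT_ACE;
        ea[0].Trustee.TrusteeForm = TRUSTEE_IS_SID;
        ea[0].Trustee.TrusteeType = TRUSTEE_IS_WELL_KNOWN_GROUP;
        ea[0].Trustee.ptstrName = (LPTSTR) pEveryoneSID;

        // SID for the BUILTIN\Administrators group. No ACE uses it (the
        // administrators entry was disabled by the author); the allocation is
        // kept so the function fails in the same situations as before.
        if (!AllocateAndInitializeSid(&SIDAuthNT, 2,
                SECURITY_BUILTIN_DOMAIN_RID,
                DOMAIN_ALIAS_RID_ADMINS,
                0, 0, 0, 0, 0, 0,
                &pAdminSID))
        {
            return Fail("AllocateAndInitializeSid", GetLastError());
        }

        // Create a new ACL holding the one ACE. SetEntriesInAcl reports its
        // error through the return value, not through GetLastError.
        const DWORD dwRes = SetEntriesInAcl(1, ea, NULL, &pACL);
        if (ERROR_SUCCESS != dwRes)
        {
            return Fail("SetEntriesInAcl", dwRes);
        }

        // Allocate and initialise the security descriptor.
        pSD = (PSECURITY_DESCRIPTOR) LocalAlloc(LPTR, SECURITY_DESCRIPTOR_MIN_LENGTH);
        if (pSD == NULL)
        {
            return Fail("LocalAlloc", GetLastError());
        }
        if (!InitializeSecurityDescriptor(pSD, SECURITY_DESCRIPTOR_REVISION))
        {
            return Fail("InitializeSecurityDescriptor", GetLastError());
        }

        // Attach the ACL as the descriptor's DACL.
        if (!SetSecurityDescriptorDacl(pSD,
                TRUE,     // fDaclPresent flag
                pACL,
                FALSE))   // not a default DACL
        {
            return Fail("SetSecurityDescriptorDacl", GetLastError());
        }

        // Hand the finished descriptor to the caller's structure.
        Fill(sa);
        return TRUE;
    }
};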
