Skip to content
This repository

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
branch: master
Fetching contributors…

Octocat-spinner-32-eaf2f5

Cannot retrieve contributors at this time

file 97 lines (75 sloc) 3.692 kb
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96
using System;
using System.Collections.Generic;
using System.Linq;
using System.Runtime.InteropServices;
using NJasmine;
using NUnit.Framework;
using PShochu.PInvoke;
using PShochu.PInvoke.NetWrappers;

namespace PShochu.Tests
{
[Explicit]
    public class verify_privileges : GivenWhenThenFixture
    {
        public override void Specify()
        {
            given("the current user's access token", delegate
            {

                //var currentUserToken = arrange(() => AccessToken.GetCurrentAccessToken());
                var currentUserToken = arrange(() => AccessToken.LogonUser("user", "password"));
                var duplicatedToken = arrange(() => AccessToken.DuplicateTokenAsPrimaryToken(currentUserToken));

                it("should have SE_SHUTDOWN_NAME", delegate
                {
                    var exectedPrivilege = AdvApi32PInvoke.SE_SHUTDOWN_NAME;

                    expect(() => CheckPrivilege(exectedPrivilege, duplicatedToken));
                });

                it("should not have privilege SE_ASSIGNPRIMARYTOKEN_NAME", delegate
                {
                    var exectedPrivilege = AdvApi32PInvoke.SE_ASSIGNPRIMARYTOKEN_NAME;

                    expect(() => !CheckPrivilege(exectedPrivilege, duplicatedToken));
                });

                it("should not have privilege SE_TCB_NAME", delegate
                {
                    var exectedPrivilege = AdvApi32PInvoke.SE_TCB_NAME;

                    expect(() => !CheckPrivilege(exectedPrivilege, duplicatedToken));
                });
            });

            given("the local system account", delegate
            {
                SafeHandle localSystemToken = null; // TODO

                it("should privilege SE_TCB_NAME", delegate
                {
                    var exectedPrivilege = AdvApi32PInvoke.SE_TCB_NAME;

                    expect(() => CheckPrivilege(exectedPrivilege, localSystemToken));
                });
            });

            given("we'd like CreateProcessWithTokenW to work", delegate
            {
                it("should have privilege SE_ASSIGNPRIMARYTOKEN_NAME");
                it("should have privilege SE_INCREASE_QUOTA_NAME");
                it("should have privilege SE_TCB_NAME");
            });
        }

        private bool CheckPrivilege(string exectedPrivilege, SafeHandle currentUserToken)
        {
            AdvApi32PInvoke.LUID luid = default(AdvApi32PInvoke.LUID);

            expect(() => get_privilege_identifier(exectedPrivilege, out luid));

            AdvApi32PInvoke.PRIVILEGE_SET privilegeSet = new AdvApi32PInvoke.PRIVILEGE_SET();
            privilegeSet.PrivilegeCount = 1;
            privilegeSet.Control = AdvApi32PInvoke.PRIVILEGE_SET.PRIVILEGE_SET_ALL_NECESSARY;
            privilegeSet.Privilege = new AdvApi32PInvoke.LUID_AND_ATTRIBUTES[1];
            privilegeSet.Privilege[0].Luid = luid;
            privilegeSet.Privilege[0].Attributes = AdvApi32PInvoke.LUID_AND_ATTRIBUTES.SE_PRIVILEGE_REMOVED;

            bool privilegeCheckResult;

            bool executionResult = AdvApi32PInvoke.PrivilegeCheck(currentUserToken.DangerousGetHandle(),
                ref privilegeSet, out privilegeCheckResult);

            expect(() => executionResult);

            return privilegeCheckResult;
        }

        private bool get_privilege_identifier(string expectedPrivilege, out AdvApi32PInvoke.LUID luid)
        {
            string systemName = null;

            return AdvApi32PInvoke.LookupPrivilegeValue(systemName, expectedPrivilege, out luid);
        }
    }
}
Something went wrong with that request. Please try again.