Change ebpfsvc to LocalService (#272)

* ebpfsvc should be localservice

* cr comments, change sidtype to restricted

* pr comments
saxena-anurag 2021-06-14 15:38:42 -07:00 коммит произвёл GitHub
Родитель 3a73482d66
Коммит 6fde4777e5
4 изменённых файлов: 78 добавлений и 43 удалений


@ -69,7 +69,7 @@ On the defender machine, do the following:
9. Do `sc start EbpfCore` 9. Do `sc start EbpfCore`
10. Do `sc create NetEbpfExt type=kernel start=boot binpath=%windir%\system32\drivers\netebpfext.sys` 10. Do `sc create NetEbpfExt type=kernel start=boot binpath=%windir%\system32\drivers\netebpfext.sys`
11. Do `sc start NetEbpfExt` 11. Do `sc start NetEbpfExt`
12. Do `sc create ebpfsvc start= auto binpath=%windir%\system32\ebpfsvc.exe type=own` 12. Do `%windir%\system32\ebpfsvc.exe install`
13. Do `sc start ebpfsvc` 13. Do `sc start ebpfsvc`
14. Do `netsh add helper %windir%\system32\ebpfnetsh.dll` 14. Do `netsh add helper %windir%\system32\ebpfnetsh.dll`
15. Install [clang](https://github.com/llvm/llvm-project/releases/download/llvmorg-11.0.0/LLVM-11.0.0-win64.exe) 15. Install [clang](https://github.com/llvm/llvm-project/releases/download/llvmorg-11.0.0/LLVM-11.0.0-win64.exe)


@ -27,6 +27,13 @@ Environment:
static DEVICE_OBJECT* _ebpf_driver_device_object; static DEVICE_OBJECT* _ebpf_driver_device_object;
static BOOLEAN _ebpf_driver_unloading_flag = FALSE; static BOOLEAN _ebpf_driver_unloading_flag = FALSE;
// SID for ebpfsvc (generated using command "sc.exe showsid ebpfsvc"):
// S-1-5-80-3453964624-2861012444-1105579853-3193141192-1897355174
//
// SDDL_DEVOBJ_SYS_ALL_ADM_ALL + SID for ebpfsvc.
#define EBPF_EXECUTION_CONTEXT_DEVICE_SDDL \
L"D:P(A;;GA;;;S-1-5-80-3453964624-2861012444-1105579853-3193141192-1897355174)(A;;GA;;;BA)(A;;GA;;;SY)"
#ifndef CTL_CODE #ifndef CTL_CODE
#define CTL_CODE(DeviceType, Function, Method, Access) \ #define CTL_CODE(DeviceType, Function, Method, Access) \
(((DeviceType) << 16) | ((Access) << 14) | ((Function) << 2) | (Method)) (((DeviceType) << 16) | ((Access) << 14) | ((Function) << 2) | (Method))
@ -132,6 +139,8 @@ _ebpf_driver_initialize_objects(
WDF_DRIVER_CONFIG_INIT(&driver_configuration, WDF_NO_EVENT_CALLBACK); WDF_DRIVER_CONFIG_INIT(&driver_configuration, WDF_NO_EVENT_CALLBACK);
DECLARE_CONST_UNICODE_STRING(security_descriptor, EBPF_EXECUTION_CONTEXT_DEVICE_SDDL);
driver_configuration.DriverInitFlags |= WdfDriverInitNonPnpDriver; driver_configuration.DriverInitFlags |= WdfDriverInitNonPnpDriver;
driver_configuration.EvtDriverUnload = _ebpf_driver_unload; driver_configuration.EvtDriverUnload = _ebpf_driver_unload;
@ -143,7 +152,7 @@ _ebpf_driver_initialize_objects(
device_initialize = WdfControlDeviceInitAllocate( device_initialize = WdfControlDeviceInitAllocate(
*driver, *driver,
&SDDL_DEVOBJ_SYS_ALL_ADM_ALL // only kernel/system and administrators. &security_descriptor // only kernel/system, administrators, and ebpfsvc.
); );
if (!device_initialize) { if (!device_initialize) {
status = STATUS_INSUFFICIENT_RESOURCES; status = STATUS_INSUFFICIENT_RESOURCES;
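Review bot: The SDDL behind the new EBPF_EXECUTION_CONTEXT_DEVICE_SDDL macro hard-codes a service SID that is derived from the service name, so renaming ebpfsvc would silently lock the service out of the device; the comment above it should record that, e.g. `// NOTE: service SIDs are derived from the service name; regenerate with "sc.exe showsid ebpfsvc" if the service is renamed.` Since the service now runs as a restricted LocalService, GA for that SID is presumably broader than the device needs for open plus the IOCTLs it issues; consider whether GR/GW would suffice, or document why full access is required. _ebpf_driver_initialize_objects starts and continues outside the hunk.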


@ -22,7 +22,7 @@ service_init(DWORD argc, PTSTR* argv);
void WINAPI void WINAPI
service_main(DWORD argc, PTSTR* argv); service_main(DWORD argc, PTSTR* argv);
void int
service_install(); service_install();
int __cdecl wmain(ULONG argc, PWSTR* argv) int __cdecl wmain(ULONG argc, PWSTR* argv)
@ -34,9 +34,8 @@ int __cdecl wmain(ULONG argc, PWSTR* argv)
// Otherwise, the service is probably being started by the SCM. // Otherwise, the service is probably being started by the SCM.
if (argc > 1) { if (argc > 1) {
if (wcscmp(argv[1], L"install") == 0) { if (_wcsicmp(argv[1], L"install") == 0) {
service_install(); return service_install();
return -1;
} }
} }
@ -54,15 +53,18 @@ int __cdecl wmain(ULONG argc, PWSTR* argv)
* @brief Installs a service in the SCM database. * @brief Installs a service in the SCM database.
* *
*/ */
void int
service_install() service_install()
{ {
SC_HANDLE scmanager; SC_HANDLE scmanager = nullptr;
SC_HANDLE service; SC_HANDLE service = nullptr;
TCHAR path[MAX_PATH]; TCHAR path[MAX_PATH];
SERVICE_SID_INFO sid_information = {0};
int result = ERROR_SUCCESS;
if (!GetModuleFileName(nullptr, path, MAX_PATH)) { if (!GetModuleFileName(nullptr, path, MAX_PATH)) {
return; result = GetLastError();
goto Exit;
} }
// Get a handle to the SCM database. // Get a handle to the SCM database.
@ -73,33 +75,48 @@ service_install()
SC_MANAGER_ALL_ACCESS); // full access rights SC_MANAGER_ALL_ACCESS); // full access rights
if (nullptr == scmanager) { if (nullptr == scmanager) {
return; result = GetLastError();
goto Exit;
} }
// Create the service // Create the service as LocalService.
service = CreateService( service = CreateService(
scmanager, // SCM database scmanager, // SCM database
SERVICE_NAME, // name of service SERVICE_NAME, // name of service
SERVICE_NAME, // service name to display SERVICE_NAME, // service name to display
SERVICE_ALL_ACCESS, // desired access SERVICE_ALL_ACCESS, // desired access
SERVICE_WIN32_OWN_PROCESS, // service type SERVICE_WIN32_OWN_PROCESS, // service type
SERVICE_DEMAND_START, // start type SERVICE_DEMAND_START, // start type
SERVICE_ERROR_NORMAL, // error control type SERVICE_ERROR_NORMAL, // error control type
path, // path to service's binary path, // path to service's binary
nullptr, // no load ordering group nullptr, // no load ordering group
nullptr, // no tag identifier nullptr, // no tag identifier
nullptr, // no dependencies nullptr, // no dependencies
nullptr, // LocalSystem account L"NT AUTHORITY\\LocalService", // LocalService account
nullptr); // no password nullptr); // no password
if (service == nullptr) { if (service == nullptr) {
CloseServiceHandle(scmanager); result = GetLastError();
return; goto Exit;
} }
CloseServiceHandle(service); // Set service SID type to restricted.
CloseServiceHandle(scmanager); sid_information.dwServiceSidType = SERVICE_SID_TYPE_RESTRICTED;
if (!ChangeServiceConfig2(service, SERVICE_CONFIG_SERVICE_SID_INFO, &sid_information)) {
result = GetLastError();
goto Exit;
}
Exit:
if (service != nullptr) {
CloseServiceHandle(service);
}
if (scmanager != nullptr) {
CloseServiceHandle(scmanager);
}
return result;
} }
/** /**
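Review bot: When ChangeServiceConfig2 fails after CreateService succeeded (the new block under the `// Set service SID type to restricted.` comment), service_install returns an error but leaves the service registered without the restricted SID type, so a retry fails with ERROR_SERVICE_EXISTS and the half-configured service stays behind; add `DeleteService(service);` before the `goto Exit;` on that path (the same gap exists in service_install_helper::initialize). The `GetModuleFileName` check only catches a zero return, while a truncated path returns MAX_PATH with ERROR_INSUFFICIENT_BUFFER, so use `DWORD length = GetModuleFileName(nullptr, path, MAX_PATH);` and `if (length == 0 || length >= MAX_PATH)`. The path is also handed to CreateService unquoted; quoting it protects the installer if the binary is ever placed under a directory containing spaces.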


@ -12,6 +12,7 @@ service_install_helper::initialize()
{ {
int error; int error;
int retry_count = 0; int retry_count = 0;
SERVICE_SID_INFO sid_information = {0};
if (initialized) { if (initialized) {
return ERROR_SUCCESS; return ERROR_SUCCESS;
@ -35,21 +36,21 @@ QueryService:
return error; return error;
} }
// Install the service // Install the service as LocalService.
service_handle = CreateService( service_handle = CreateService(
scm_handle, // SCM database scm_handle, // SCM database
service_name.c_str(), // name of service service_name.c_str(), // name of service
service_name.c_str(), // service name to display service_name.c_str(), // service name to display
SERVICE_ALL_ACCESS, // desired access SERVICE_ALL_ACCESS, // desired access
service_type, // service type service_type, // service type
SERVICE_AUTO_START, // start type SERVICE_AUTO_START, // start type
SERVICE_ERROR_NORMAL, // error control type SERVICE_ERROR_NORMAL, // error control type
file_path, // path to service's binary file_path, // path to service's binary
nullptr, // no load ordering group nullptr, // no load ordering group
nullptr, // no tag identifier nullptr, // no tag identifier
nullptr, // no dependencies nullptr, // no dependencies
nullptr, // LocalSystem account L"NT AUTHORITY\\LocalService", // LocalService account
nullptr); // no password nullptr); // no password
if (service_handle == nullptr) { if (service_handle == nullptr) {
error = GetLastError(); error = GetLastError();
@ -61,6 +62,14 @@ QueryService:
printf("CreateService for %ws failed, 0x%x.\n", service_name.c_str(), error); printf("CreateService for %ws failed, 0x%x.\n", service_name.c_str(), error);
return error; return error;
} }
// Set service SID type to restricted.
sid_information.dwServiceSidType = SERVICE_SID_TYPE_RESTRICTED;
if (!ChangeServiceConfig2(service_handle, SERVICE_CONFIG_SERVICE_SID_INFO, &sid_information)) {
error = GetLastError();
printf("ChangeServiceConfig2 for %ws failed, 0x%x.\n", service_name.c_str(), error);
return error;
}
} else { } else {
already_installed = true; already_installed = true;
printf("Service %ws already installed.\n", service_name.c_str()); printf("Service %ws already installed.\n", service_name.c_str());