Change ebpfsvc to LocalService (#272)
* ebpfsvc should be LocalService * CR comments, change SID type to restricted * PR comments
Родитель
3a73482d66
Коммит
6fde4777e5
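--- a/<path-not-on-page:setup-doc>
+++ b/<path-not-on-page:setup-doc>
@@ -69,7 +69,7 @@ On the defender machine, do the following:
 9. Do `sc start EbpfCore`
 10. Do `sc create NetEbpfExt type=kernel start=boot binpath=%windir%\system32\drivers\netebpfext.sys`
 11. Do `sc start NetEbpfExt`
-12. Do `sc create ebpfsvc start= auto binpath=%windir%\system32\ebpfsvc.exe type=own`
+12. Do `%windir%\system32\ebpfsvc.exe install`
 13. Do `sc start ebpfsvc`
 14. Do `netsh add helper %windir%\system32\ebpfnetsh.dll`
 15. Install [clang](https://github.com/llvm/llvm-project/releases/download/llvmorg-11.0.0/LLVM-11.0.0-win64.exe)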
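--- a/<path-not-on-page:driver-source>
+++ b/<path-not-on-page:driver-source>
@@ -27,6 +27,13 @@ Environment:
 static DEVICE_OBJECT* _ebpf_driver_device_object;
 static BOOLEAN _ebpf_driver_unloading_flag = FALSE;
 
+// SID for ebpfsvc (generated using command "sc.exe showsid ebpfsvc"):
+// S-1-5-80-3453964624-2861012444-1105579853-3193141192-1897355174
+//
+// SDDL_DEVOBJ_SYS_ALL_ADM_ALL + SID for ebpfsvc.
+#define EBPF_EXECUTION_CONTEXT_DEVICE_SDDL \
+L"D:P(A;;GA;;;S-1-5-80-3453964624-2861012444-1105579853-3193141192-1897355174)(A;;GA;;;BA)(A;;GA;;;SY)"
+
 #ifndef CTL_CODE
 #define CTL_CODE(DeviceType, Function, Method, Access) \
 (((DeviceType) << 16) | ((Access) << 14) | ((Function) << 2) | (Method))
@@ -132,6 +139,8 @@ _ebpf_driver_initialize_objects(
 
 WDF_DRIVER_CONFIG_INIT(&driver_configuration, WDF_NO_EVENT_CALLBACK);
 
+DECLARE_CONST_UNICODE_STRING(security_descriptor, EBPF_EXECUTION_CONTEXT_DEVICE_SDDL);
+
 driver_configuration.DriverInitFlags |= WdfDriverInitNonPnpDriver;
 driver_configuration.EvtDriverUnload = _ebpf_driver_unload;
 
@@ -143,7 +152,7 @@ _ebpf_driver_initialize_objects(
 
 device_initialize = WdfControlDeviceInitAllocate(
 *driver,
-&SDDL_DEVOBJ_SYS_ALL_ADM_ALL // only kernel/system and administrators.
+&security_descriptor // only kernel/system, administrators, and ebpfsvc.
 );
 if (!device_initialize) {
 status = STATUS_INSUFFICIENT_RESOURCES;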
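Review bot: The new EBPF_EXECUTION_CONTEXT_DEVICE_SDDL in the first hunk hard-codes the ebpfsvc service SID as a literal, and a service SID is a deterministic function of the service name, so renaming the service or installing it under another SERVICE_NAME silently leaves the device DACL granting access to a SID no process holds, with no build-time signal. The comment above the macro should state that coupling, e.g. `// NOTE: a service SID is derived from the service name; if ebpfsvc is ever renamed this literal must be regenerated (sc.exe showsid <new name>) or the device will refuse the service.` A more robust alternative is to build the SID at runtime from the service name with RtlCreateServiceSid and compose the descriptor from it, which removes the literal altogether. The third hunk's comment `// only kernel/system, administrators, and ebpfsvc.` matches this DACL; _ebpf_driver_initialize_objects continues outside the hunks.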
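--- a/<path-not-on-page:service-main>
+++ b/<path-not-on-page:service-main>
@@ -22,7 +22,7 @@ service_init(DWORD argc, PTSTR* argv);
 
 void WINAPI
 service_main(DWORD argc, PTSTR* argv);
-void
+int
 service_install();
 
 int __cdecl wmain(ULONG argc, PWSTR* argv)
@@ -34,9 +34,8 @@ int __cdecl wmain(ULONG argc, PWSTR* argv)
 // Otherwise, the service is probably being started by the SCM.
 
 if (argc > 1) {
-if (wcscmp(argv[1], L"install") == 0) {
-service_install();
-return -1;
+if (_wcsicmp(argv[1], L"install") == 0) {
+return service_install();
 }
 }
 
@@ -54,15 +53,18 @@ int __cdecl wmain(ULONG argc, PWSTR* argv)
 * @brief Installs a service in the SCM database.
 *
 */
-void
+int
 service_install()
 {
-SC_HANDLE scmanager;
-SC_HANDLE service;
+SC_HANDLE scmanager = nullptr;
+SC_HANDLE service = nullptr;
 TCHAR path[MAX_PATH];
+SERVICE_SID_INFO sid_information = {0};
+int result = ERROR_SUCCESS;
 
 if (!GetModuleFileName(nullptr, path, MAX_PATH)) {
-return;
+result = GetLastError();
+goto Exit;
 }
 
 // Get a handle to the SCM database.
@@ -73,33 +75,48 @@ service_install()
 SC_MANAGER_ALL_ACCESS); // full access rights
 
 if (nullptr == scmanager) {
-return;
+result = GetLastError();
+goto Exit;
 }
 
-// Create the service
+// Create the service as LocalService.
 
 service = CreateService(
 scmanager, // SCM database
 SERVICE_NAME, // name of service
 SERVICE_NAME, // service name to display
 SERVICE_ALL_ACCESS, // desired access
 SERVICE_WIN32_OWN_PROCESS, // service type
 SERVICE_DEMAND_START, // start type
 SERVICE_ERROR_NORMAL, // error control type
 path, // path to service's binary
 nullptr, // no load ordering group
 nullptr, // no tag identifier
 nullptr, // no dependencies
-nullptr, // LocalSystem account
+L"NT AUTHORITY\\LocalService", // LocalService account
 nullptr); // no password
 
 if (service == nullptr) {
-CloseServiceHandle(scmanager);
-return;
+result = GetLastError();
+goto Exit;
 }
 
-CloseServiceHandle(service);
-CloseServiceHandle(scmanager);
+// Set service SID type to restricted.
+sid_information.dwServiceSidType = SERVICE_SID_TYPE_RESTRICTED;
+if (!ChangeServiceConfig2(service, SERVICE_CONFIG_SERVICE_SID_INFO, &sid_information)) {
+result = GetLastError();
+goto Exit;
+}
+
+Exit:
+if (service != nullptr) {
+CloseServiceHandle(service);
+}
+if (scmanager != nullptr) {
+CloseServiceHandle(scmanager);
+}
+
+return result;
 }
 
 /**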
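Review bot: In service_install (last hunk) a failed ChangeServiceConfig2 jumps to Exit with the service already registered, so the SCM is left holding an ebpfsvc entry that runs as LocalService but without the restricted SID type, and a rerun of `install` would then presumably fail in CreateService because the name already exists. Roll the creation back on that path: `result = GetLastError();` `(void)DeleteService(service); // do not leave a half-configured service registered` `goto Exit;`. Separately, the setup doc in this commit replaces `sc create ebpfsvc start= auto ...` with `ebpfsvc.exe install`, yet service_install still passes SERVICE_DEMAND_START (the helper in the next file uses SERVICE_AUTO_START), so following the new instructions no longer yields a service that starts at boot; one of the two should change. The SC_MANAGER_ALL_ACCESS / SERVICE_ALL_ACCESS requests are also wider than the SC_MANAGER_CREATE_SERVICE and SERVICE_CHANGE_CONFIG rights this path actually uses.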
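--- a/<path-not-on-page:service-helper>
+++ b/<path-not-on-page:service-helper>
@@ -12,6 +12,7 @@ service_install_helper::initialize()
 {
 int error;
 int retry_count = 0;
+SERVICE_SID_INFO sid_information = {0};
 
 if (initialized) {
 return ERROR_SUCCESS;
@@ -35,21 +36,21 @@ QueryService:
 return error;
 }
 
-// Install the service
+// Install the service as LocalService.
 service_handle = CreateService(
 scm_handle, // SCM database
 service_name.c_str(), // name of service
 service_name.c_str(), // service name to display
 SERVICE_ALL_ACCESS, // desired access
 service_type, // service type
 SERVICE_AUTO_START, // start type
 SERVICE_ERROR_NORMAL, // error control type
 file_path, // path to service's binary
 nullptr, // no load ordering group
 nullptr, // no tag identifier
 nullptr, // no dependencies
-nullptr, // LocalSystem account
+L"NT AUTHORITY\\LocalService", // LocalService account
 nullptr); // no password
 
 if (service_handle == nullptr) {
 error = GetLastError();
@@ -61,6 +62,14 @@ QueryService:
 printf("CreateService for %ws failed, 0x%x.\n", service_name.c_str(), error);
 return error;
 }
+
+// Set service SID type to restricted.
+sid_information.dwServiceSidType = SERVICE_SID_TYPE_RESTRICTED;
+if (!ChangeServiceConfig2(service_handle, SERVICE_CONFIG_SERVICE_SID_INFO, &sid_information)) {
+error = GetLastError();
+printf("ChangeServiceConfig2 for %ws failed, 0x%x.\n", service_name.c_str(), error);
+return error;
+}
 } else {
 already_installed = true;
 printf("Service %ws already installed.\n", service_name.c_str());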
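Review bot: The ChangeServiceConfig2 failure path added in the last hunk returns with the service that CreateService just registered still present and not marked restricted, and, unless service_handle is a member released by a later cleanup that these hunks do not show, with that handle still open; initialize() starts before the first hunk and ends after the last. As for service_install in the previous file, undo the registration before returning: `error = GetLastError();` `printf(...);` `(void)DeleteService(service_handle);` and only then `return error;`. A smaller point of style: `SERVICE_SID_INFO sid_information = {0};` is declared at the top of initialize() in the first hunk but is used only in the third, after the CreateService call; declaring it next to the ChangeServiceConfig2 call keeps the two together.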