Change ebpfsvc to LocalService (#272)
* ebpfsvc should be localservice * cr comments, change sidtype to restricted * pr comments
This commit is contained in:
Родитель
3a73482d66
Коммит
6fde4777e5
|
@ -69,7 +69,7 @@ On the defender machine, do the following:
|
|||
9. Do `sc start EbpfCore`
|
||||
10. Do `sc create NetEbpfExt type=kernel start=boot binpath=%windir%\system32\drivers\netebpfext.sys`
|
||||
11. Do `sc start NetEbpfExt`
|
||||
12. Do `sc create ebpfsvc start= auto binpath=%windir%\system32\ebpfsvc.exe type=own`
|
||||
12. Do `%windir%\system32\ebpfsvc.exe install`
|
||||
13. Do `sc start ebpfsvc`
|
||||
14. Do `netsh add helper %windir%\system32\ebpfnetsh.dll`
|
||||
15. Install [clang](https://github.com/llvm/llvm-project/releases/download/llvmorg-11.0.0/LLVM-11.0.0-win64.exe)
|
||||
|
|
|
@ -27,6 +27,13 @@ Environment:
|
|||
static DEVICE_OBJECT* _ebpf_driver_device_object;
|
||||
static BOOLEAN _ebpf_driver_unloading_flag = FALSE;
|
||||
|
||||
// SID for ebpfsvc (generated using command "sc.exe showsid ebpfsvc"):
|
||||
// S-1-5-80-3453964624-2861012444-1105579853-3193141192-1897355174
|
||||
//
|
||||
// SDDL_DEVOBJ_SYS_ALL_ADM_ALL + SID for ebpfsvc.
|
||||
#define EBPF_EXECUTION_CONTEXT_DEVICE_SDDL \
|
||||
L"D:P(A;;GA;;;S-1-5-80-3453964624-2861012444-1105579853-3193141192-1897355174)(A;;GA;;;BA)(A;;GA;;;SY)"
|
||||
|
||||
#ifndef CTL_CODE
|
||||
#define CTL_CODE(DeviceType, Function, Method, Access) \
|
||||
(((DeviceType) << 16) | ((Access) << 14) | ((Function) << 2) | (Method))
|
||||
|
@ -132,6 +139,8 @@ _ebpf_driver_initialize_objects(
|
|||
|
||||
WDF_DRIVER_CONFIG_INIT(&driver_configuration, WDF_NO_EVENT_CALLBACK);
|
||||
|
||||
DECLARE_CONST_UNICODE_STRING(security_descriptor, EBPF_EXECUTION_CONTEXT_DEVICE_SDDL);
|
||||
|
||||
driver_configuration.DriverInitFlags |= WdfDriverInitNonPnpDriver;
|
||||
driver_configuration.EvtDriverUnload = _ebpf_driver_unload;
|
||||
|
||||
|
@ -143,7 +152,7 @@ _ebpf_driver_initialize_objects(
|
|||
|
||||
device_initialize = WdfControlDeviceInitAllocate(
|
||||
*driver,
|
||||
&SDDL_DEVOBJ_SYS_ALL_ADM_ALL // only kernel/system and administrators.
|
||||
&security_descriptor // only kernel/system, administrators, and ebpfsvc.
|
||||
);
|
||||
if (!device_initialize) {
|
||||
status = STATUS_INSUFFICIENT_RESOURCES;
|
||||
|
|
|
@ -22,7 +22,7 @@ service_init(DWORD argc, PTSTR* argv);
|
|||
|
||||
void WINAPI
|
||||
service_main(DWORD argc, PTSTR* argv);
|
||||
void
|
||||
int
|
||||
service_install();
|
||||
|
||||
int __cdecl wmain(ULONG argc, PWSTR* argv)
|
||||
|
@ -34,9 +34,8 @@ int __cdecl wmain(ULONG argc, PWSTR* argv)
|
|||
// Otherwise, the service is probably being started by the SCM.
|
||||
|
||||
if (argc > 1) {
|
||||
if (wcscmp(argv[1], L"install") == 0) {
|
||||
service_install();
|
||||
return -1;
|
||||
if (_wcsicmp(argv[1], L"install") == 0) {
|
||||
return service_install();
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -54,15 +53,18 @@ int __cdecl wmain(ULONG argc, PWSTR* argv)
|
|||
* @brief Installs a service in the SCM database.
|
||||
*
|
||||
*/
|
||||
void
|
||||
int
|
||||
service_install()
|
||||
{
|
||||
SC_HANDLE scmanager;
|
||||
SC_HANDLE service;
|
||||
SC_HANDLE scmanager = nullptr;
|
||||
SC_HANDLE service = nullptr;
|
||||
TCHAR path[MAX_PATH];
|
||||
SERVICE_SID_INFO sid_information = {0};
|
||||
int result = ERROR_SUCCESS;
|
||||
|
||||
if (!GetModuleFileName(nullptr, path, MAX_PATH)) {
|
||||
return;
|
||||
result = GetLastError();
|
||||
goto Exit;
|
||||
}
|
||||
|
||||
// Get a handle to the SCM database.
|
||||
|
@ -73,10 +75,11 @@ service_install()
|
|||
SC_MANAGER_ALL_ACCESS); // full access rights
|
||||
|
||||
if (nullptr == scmanager) {
|
||||
return;
|
||||
result = GetLastError();
|
||||
goto Exit;
|
||||
}
|
||||
|
||||
// Create the service
|
||||
// Create the service as LocalService.
|
||||
|
||||
service = CreateService(
|
||||
scmanager, // SCM database
|
||||
|
@ -90,18 +93,32 @@ service_install()
|
|||
nullptr, // no load ordering group
|
||||
nullptr, // no tag identifier
|
||||
nullptr, // no dependencies
|
||||
nullptr, // LocalSystem account
|
||||
L"NT AUTHORITY\\LocalService", // LocalService account
|
||||
nullptr); // no password
|
||||
|
||||
if (service == nullptr) {
|
||||
CloseServiceHandle(scmanager);
|
||||
return;
|
||||
result = GetLastError();
|
||||
goto Exit;
|
||||
}
|
||||
|
||||
// Set service SID type to restricted.
|
||||
sid_information.dwServiceSidType = SERVICE_SID_TYPE_RESTRICTED;
|
||||
if (!ChangeServiceConfig2(service, SERVICE_CONFIG_SERVICE_SID_INFO, &sid_information)) {
|
||||
result = GetLastError();
|
||||
goto Exit;
|
||||
}
|
||||
|
||||
Exit:
|
||||
if (service != nullptr) {
|
||||
CloseServiceHandle(service);
|
||||
}
|
||||
if (scmanager != nullptr) {
|
||||
CloseServiceHandle(scmanager);
|
||||
}
|
||||
|
||||
return result;
|
||||
}
|
||||
|
||||
/**
|
||||
* @brief Entry point for the service.
|
||||
*
|
||||
|
|
|
@ -12,6 +12,7 @@ service_install_helper::initialize()
|
|||
{
|
||||
int error;
|
||||
int retry_count = 0;
|
||||
SERVICE_SID_INFO sid_information = {0};
|
||||
|
||||
if (initialized) {
|
||||
return ERROR_SUCCESS;
|
||||
|
@ -35,7 +36,7 @@ QueryService:
|
|||
return error;
|
||||
}
|
||||
|
||||
// Install the service
|
||||
// Install the service as LocalService.
|
||||
service_handle = CreateService(
|
||||
scm_handle, // SCM database
|
||||
service_name.c_str(), // name of service
|
||||
|
@ -48,7 +49,7 @@ QueryService:
|
|||
nullptr, // no load ordering group
|
||||
nullptr, // no tag identifier
|
||||
nullptr, // no dependencies
|
||||
nullptr, // LocalSystem account
|
||||
L"NT AUTHORITY\\LocalService", // LocalService account
|
||||
nullptr); // no password
|
||||
|
||||
if (service_handle == nullptr) {
|
||||
|
@ -61,6 +62,14 @@ QueryService:
|
|||
printf("CreateService for %ws failed, 0x%x.\n", service_name.c_str(), error);
|
||||
return error;
|
||||
}
|
||||
|
||||
// Set service SID type to restricted.
|
||||
sid_information.dwServiceSidType = SERVICE_SID_TYPE_RESTRICTED;
|
||||
if (!ChangeServiceConfig2(service_handle, SERVICE_CONFIG_SERVICE_SID_INFO, &sid_information)) {
|
||||
error = GetLastError();
|
||||
printf("ChangeServiceConfig2 for %ws failed, 0x%x.\n", service_name.c_str(), error);
|
||||
return error;
|
||||
}
|
||||
} else {
|
||||
already_installed = true;
|
||||
printf("Service %ws already installed.\n", service_name.c_str());
|
||||
|
|
Загрузка…
Ссылка в новой задаче