Windows Kernel Security API Reference
Introduction to Kernel Security
The Windows kernel provides a robust security model to protect system resources, enforce access control, and maintain system integrity. Understanding and utilizing the Kernel Security APIs is crucial for developing secure and reliable Windows applications and drivers.
This section details the core components and functions used to manage security at the kernel level, including access tokens, privileges, security descriptors, and auditing mechanisms.
API Overview
The primary APIs for kernel security are exposed through the Windows API and can be accessed from user-mode and kernel-mode code. Key concepts include:
- Security Identifiers (SIDs): Unique identifiers for security principals (users, groups, computers).
- Access Control Lists (ACLs): Lists of Access Control Entries (ACEs) that grant or deny specific permissions to SIDs.
- Security Descriptors: Objects that contain ACLs, owner SIDs, group SIDs, and other security information for securable objects.
- Access Tokens: Objects that represent a user's security context, containing SIDs, privileges, and impersonation levels.
Access Tokens
Access tokens are central to the Windows security model. They are created when a user logs in and are associated with processes and threads. A token contains the security attributes of a user account, including SIDs, privileges, and a logon session identifier.
Key Functions:
`CreateProcessAsUser`
BOOL CreateProcessAsUser(
HANDLE hToken,
LPCTSTR lpApplicationName,
LPTSTR lpCommandLine,
LPSECURITY_ATTRIBUTES lpProcessAttributes,
LPSECURITY_ATTRIBUTES lpThreadAttributes,
BOOL bInheritHandles,
DWORD dwCreationFlags,
LPVOID lpEnvironment,
LPCTSTR lpCurrentDirectory,
LPSTARTUPINFO lpStartupInfo,
LPPROCESS_INFORMATION lpProcessInformation
);
Creates a new process and its primary thread. The new process runs under the security context specified by the access token of the calling process or a token provided.
hToken: Handle to the access token for the user account under which to create the process.
Other parameters define process creation details.
TRUE if the function succeeds, FALSE otherwise.
`OpenProcessToken`
BOOL OpenProcessToken(
HANDLE ProcessHandle,
DWORD DesiredAccess,
PHANDLE TokenHandle
);
Opens the access token associated with a process.
ProcessHandle: Handle to the process whose access token is opened.
DesiredAccess: Mask of access rights that are requested for the token.
TokenHandle: Pointer to a variable that receives the handle to the newly opened access token.
TRUE if the function succeeds, FALSE otherwise.
Privileges
Privileges are special rights granted to accounts, allowing them to perform system-related operations, such as shutting down the system or debugging programs. Privileges are typically enabled or disabled within an access token.
Key Functions:
`AdjustTokenPrivileges`
BOOL AdjustTokenPrivileges(
HANDLE TokenHandle,
BOOL DisableAllPrivileges,
PTOKEN_PRIVILEGES NewState,
DWORD BufferLength,
PTOKEN_PRIVILEGES PreviousState,
PDWORD ReturnLength
);
Enables or disables the privileges in a specified access token. Tokens have a default state for privileges, but applications can dynamically adjust them.
TokenHandle: Handle to the access token to be modified.
DisableAllPrivileges: If TRUE, all privileges in the token are disabled.
NewState: Pointer to a TOKEN_PRIVILEGES structure that specifies the privileges to be added or modified.
BufferLength: Size, in bytes, of the buffer pointed to by PreviousState.
PreviousState: Pointer to a buffer that receives a TOKEN_PRIVILEGES structure containing the previous state of the privileges.
ReturnLength: Pointer to a variable that receives the required size, in bytes, of the buffer pointed to by PreviousState.
TRUE if the function succeeds, FALSE otherwise.
Security Descriptors
Security descriptors define the security properties of an object. They include the owner SID, the primary group SID, an optional system ACL (SACL), and an optional discretionary ACL (DACL).
Key Structures:
`SECURITY_DESCRIPTOR`
typedef struct _SECURITY_DESCRIPTOR {
DWORD Revision;
DWORD Size;
BOOL OwnerDefaulted;
PSID Owner;
BOOL GroupDefaulted;
PSID Group;
PACL Sacl;
PACL Dacl;
} SECURITY_DESCRIPTOR, *PSECURITY_DESCRIPTOR;
Structure that contains the security information associated with a securable object.
Key Functions:
`SetKernelObjectSecurity`
BOOL SetKernelObjectSecurity(
HANDLE Handle,
SECURITY_INFORMATION SecurityInformation,
PSECURITY_DESCRIPTOR SecurityDescriptor
);
Sets the security descriptor for a kernel object, such as a process, thread, or event.
Handle: Handle to the kernel object whose security descriptor is being set.
SecurityInformation: Bitmask that indicates the security information being set.
SecurityDescriptor: Pointer to a SECURITY_DESCRIPTOR structure containing the new security information.
TRUE if the function succeeds, FALSE otherwise.
System Access Control List (SACL)
The SACL specifies the types of access attempts that generate audit- சேவை messages. It is used for system auditing purposes.
Key Functions:
`SetSecurityInfo`
DWORD SetSecurityInfo(
HANDLE Handle,
SE_OBJECT_TYPE ObjectType,
SECURITY_INFORMATION SecurityInfo,
PSID psidOwner,
PSID psidGroup,
PACL pDacl,
PACL pSacl
);
Modifies the security of a securable object. This function can be used to set the SACL.
Handle: Handle to the object.
ObjectType: Type of the object.
SecurityInfo: Flags indicating which parts of the security descriptor to set, including LABEL_SECURITY_INFORMATION for SACL.
psidOwner: Pointer to the owner SID.
psidGroup: Pointer to the primary group SID.
pDacl: Pointer to the DACL.
pSacl: Pointer to the SACL.
Zero if successful, or a Win32 error code otherwise.
Audit Policy
Audit policy determines which security events are logged. This can be configured system-wide or for specific users. Kernel-level auditing is often managed through the SACL and system event logging.
Key Concepts:
Auditing is controlled by the SACL in a security descriptor and by system-wide audit policies set via Group Policy or local security policy.
Authentication
Windows uses various authentication protocols to verify user identities. The kernel plays a role in establishing and managing logon sessions and trust relationships.
While many authentication APIs are user-mode (e.g., SSPI), the kernel handles the secure storage and management of credentials and session information.
Secure Process Creation
When creating processes, developers can specify security attributes to control their access rights and inheritance. Using appropriate security settings for processes is vital for preventing privilege escalation and unauthorized access.
Key Functions:
`CreateProcess`
BOOL CreateProcess(
LPCTSTR lpApplicationName,
LPTSTR lpCommandLine,
LPSECURITY_ATTRIBUTES lpProcessAttributes,
LPSECURITY_ATTRIBUTES lpThreadAttributes,
BOOL bInheritHandles,
DWORD dwCreationFlags,
LPVOID lpEnvironment,
LPCTSTR lpCurrentDirectory,
LPSTARTUPINFO lpStartupInfo,
LPPROCESS_INFORMATION lpProcessInformation
);
Creates a new process and its primary thread. The lpProcessAttributes and lpThreadAttributes parameters allow specifying security settings for the new process and thread.
lpProcessAttributes: Pointer to a SECURITY_ATTRIBUTES structure that specifies the security attributes for the process.
lpThreadAttributes: Pointer to a SECURITY_ATTRIBUTES structure that specifies the security attributes for the primary thread of the process.
TRUE if the function succeeds, FALSE otherwise.
Resource Protection
Kernel objects, such as files, registry keys, processes, and threads, can be protected using security descriptors. By assigning appropriate DACLs, access to these resources can be controlled granularly.
The principle of least privilege should always be applied when setting permissions on securable objects.