Some code correctness issues in PPLDump
These are hygiene issues. Some of these are low priority and edge cases.
I initially spotted these in the port of the code here:
EspressoCake/PPLDump_BOF#1
and decided to file the bugs upstream here too.
Edge case leak if allocation fails
BOOL TokenCompareSids(PSID pSidA, PSID pSidB)
{
BOOL bReturnValue = FALSE;
LPWSTR pwszSidA = NULL;
LPWSTR pwszSidB = NULL;
if (ConvertSidToStringSid(pSidA, &pwszSidA) && ConvertSidToStringSid(pSidB, &pwszSidB))
{
bReturnValue = _wcsicmp(pwszSidA, pwszSidB) == 0;
LocalFree(pwszSidA);
LocalFree(pwszSidB);
}
else
! it's possible only one of the calls to ConvertSidToStringSid failed and this branch will leak the Sid for the success case
PrintLastError(L"ConvertSidToStringSid");
return bReturnValue;
}
See:
|
if (ConvertSidToStringSid(pSidA, &pwszSidA) && ConvertSidToStringSid(pSidB, &pwszSidB)) |
There is another case here:
if (TokenGetSid(hTokenDup, &pSidTmp) && TokenGetUsername(hTokenDup, &pwszUsername))
|
if (TokenGetSid(hTokenDup, &pSidTmp) && TokenGetUsername(hTokenDup, &pwszUsername)) |
Consider calling ADVAPI32!IsTokenRestricted instead of rolling your own function here:
BOOL TokenIsNotRestricted(HANDLE hToken, PBOOL pbIsNotRestricted) {
...
|
BOOL TokenIsNotRestricted(HANDLE hToken, PBOOL pbIsNotRestricted) |
Fail to check if memory was successfully allocated for guid
Check for failed allocation from MiscGenerateGuidString
MiscGenerateGuidString(&pwszGuid);
|
MiscGenerateGuidString(&pwszGuid); |
Leak of hCurrentToken
token in DumpProcess()
if (bCurrentUserIsSystem)
{
if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY | TOKEN_DUPLICATE | TOKEN_ADJUST_PRIVILEGES, &hCurrentToken))
{
PrintLastError(L"OpenProcessToken");
goto end;
}
}
else
{
if (!OpenThreadToken(GetCurrentThread(), TOKEN_QUERY | TOKEN_DUPLICATE | TOKEN_ADJUST_PRIVILEGES, FALSE, &hCurrentToken))
{
PrintLastError(L"OpenThreadToken");
goto end;
}
}
PrintDebug(L"Enable privilege %ws\n", SE_ASSIGNPRIMARYTOKEN_NAME);
if (!TokenCheckPrivilege(hCurrentToken, SE_ASSIGNPRIMARYTOKEN_NAME, TRUE))
goto end;
PrintDebug(L"Create a primary token\n");
if (!DuplicateTokenEx(hCurrentToken, MAXIMUM_ALLOWED, NULL, SecurityAnonymous, TokenPrimary, &hNewProcessToken))
{
PrintLastError(L"DuplicateTokenEx");
goto end;
}
! No call to CloseHandle on hCurrentToken
|
if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY | TOKEN_DUPLICATE | TOKEN_ADJUST_PRIVILEGES, &hCurrentToken)) |
Handle of hTransaction
leaked in WritePayloadDllTransacted
No call to CloseHandle
for hTransaction
status = NtCreateTransaction(&hTransaction, TRANSACTION_ALL_ACCESS, &oa, NULL, NULL, 0, 0, 0, NULL, NULL);
|
BOOL WritePayloadDllTransacted(_Out_ PHANDLE pdhFile) |
FindFileForTransaction
leaks memory for pSidTarget
Need a call to LocalFree
at function exit for pSidTarget
PSID pSidTarget = NULL;
ConvertStringSidToSid(L"S-1-5-18", &pSidTarget);
|
ConvertStringSidToSid(L"S-1-5-18", &pSidTarget); |