For the purpose of understanding the DACL check, the AccessCheck function will go
through something like the process pictured in Figure 16-7 and described in the steps
that follow.
Check Explicit Deny ACEs
The first step of the DACL check is to compare the
desiredAccess mask passed in against the security descriptor's DACL, looking for any
ACEs that apply to the process's token explicitly denying access. If any single bit of the
desired access is denied, the access check returns "access denied." Anytime you're testing
access, be sure to request only the minimum access rights that you really need. We'll
show an example later of type.exe and notepad.exe returning "access denied" because
they open files requesting Generic Read, which is overkill. You can read files without
some of the access included in Generic Read.
Gray Hat Hacking: The Ethical Hacker's Handbook
Chapter 16: Exploiting Windows Access Control Model for Local Elevation of Privilege
Check Inherited Deny ACEs
If no ACE explicitly denies access, the
AccessCheck function next looks to the inherited ACEs. If any desiredAccess bit is explicitly
denied, AccessCheck will return "access denied." However, an inherited ACE that
denies access can be overridden with a grant ACE.
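The two deny checks above, and the advice to request only the rights you need, can be seen in a small model. This is an added example, not code from the book: a simplified Python model of the DACL walk that sorts ACEs into Windows' canonical order (explicit before inherited, deny before allow within each group) and, going slightly beyond the two steps above, also processes grant ACEs. The access-mask values are from winnt.h; the account names and both DACLs are constructed, and owner rights, privileges and integrity levels are ignored.

```python
from dataclasses import dataclass

# File access-mask bits as defined in winnt.h
FILE_READ_DATA       = 0x00000001
FILE_READ_EA         = 0x00000008
FILE_READ_ATTRIBUTES = 0x00000080
READ_CONTROL         = 0x00020000
SYNCHRONIZE          = 0x00100000
FILE_GENERIC_READ = (READ_CONTROL | FILE_READ_DATA | FILE_READ_ATTRIBUTES
                     | FILE_READ_EA | SYNCHRONIZE)

@dataclass(frozen=True)
class Ace:
    allow: bool              # True = grant ACE, False = deny ACE
    sid: str                 # constructed account/group name standing in for a SID
    mask: int                # access bits this ACE grants or denies
    inherited: bool = False

def canonical(dacl):
    """Order: explicit deny, explicit allow, inherited deny, inherited allow."""
    return sorted(dacl, key=lambda ace: (ace.inherited, ace.allow))

def access_check(dacl, token_sids, desired):
    """Return True only if every desired bit is granted before any is denied."""
    remaining = desired
    for ace in canonical(dacl):
        if ace.sid not in token_sids:
            continue                      # ACE does not apply to this token
        if not ace.allow and ace.mask & remaining:
            return False                  # one denied bit fails the whole request
        if ace.allow:
            remaining &= ~ace.mask        # these bits are now granted
    return remaining == 0

TOKEN = {"alice", "Users"}                # constructed token membership

# Constructed DACL 1: one explicit deny on a single bit inside Generic Read.
DENY_EA_DACL = [
    Ace(False, "Users", FILE_READ_EA),
    Ace(True,  "Users", FILE_GENERIC_READ),
]
# Constructed DACL 2: inherited deny overridden by an explicit grant.
OVERRIDE_DACL = [
    Ace(False, "Users", FILE_READ_DATA, inherited=True),
    Ace(True,  "alice", FILE_READ_DATA),
]

if __name__ == "__main__":
    print(access_check(DENY_EA_DACL, TOKEN, FILE_GENERIC_READ))  # whole mask
    print(access_check(DENY_EA_DACL, TOKEN, FILE_READ_DATA))     # minimum right
    print(access_check(OVERRIDE_DACL, TOKEN, FILE_READ_DATA))    # grant wins
```

With the first DACL, a request for the full Generic Read mask fails on the single denied bit, while a request for FILE_READ_DATA alone succeeds.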