CreateMutex Fails After Impersonation

Here's the code in which I try to impersonate a user and then create a mutex. The mutex is not created; I get the error ERROR_ACCESS_DENIED.

#include <windows.h>

void Impersonate()
{
    DWORD logonType = LOGON32_LOGON_INTERACTIVE;
    DWORD logonProvider = LOGON32_PROVIDER_DEFAULT;
    HANDLE userToken = NULL;
    HANDLE hMutex = NULL;
    DWORD err;

    LPCSTR user = "zoom"; // the user I created myself on my machine.
    // It has Administrator privileges, and my account,
    // from which I start the app, is Admin too
    LPCSTR password = "zoom";
    LPCSTR domain = ".";

    if (!LogonUserA(user, domain, password, logonType, logonProvider, &userToken))
        return; // the logon itself failed; GetLastError() says why

    // just to make sure that mutexes are created fine before impersonation
    hMutex = CreateMutexA( NULL, FALSE, "mutex_good" );
    if (hMutex != NULL)
        CloseHandle(hMutex); // release the test mutex instead of leaking the handle

    if (ImpersonateLoggedOnUser(userToken))
    {
        hMutex = CreateMutexA( NULL, FALSE, "mutex_797" ); // I can set any
                                                           // random name, no difference
        if( hMutex == NULL )
        {
            err = GetLastError();
            // here err is ERROR_ACCESS_DENIED
        }
        else
        {
            CloseHandle(hMutex);
        }

        RevertToSelf(); // drop the impersonation before returning
    }

    CloseHandle(userToken);
}

I found several similar topics, but they all discussed creating a mutex with the same name from two different user contexts, i.e. the mutex "MUTEX_1" was already created before the impersonation, and the impersonating user then tried to call CreateMutex with the same name but did not succeed due to lack of privileges.

This is not the case here, because I am sure that before this code runs there is no mutex with the same name (or any mutex at all).

I think I should pass something nonzero to CreateMutex, but what exactly?


Look at the NT object namespace with WinObj.

Named "objects" (the object "types" are Event, Mutant (i.e. mutex), Section, Device, ...) are created inside directories of the NT namespace. This works much like a file system (NTFS, say): an object is created in a directory, and the directory has its own security.

An analogy with files (simplified):

I (John) create the file "mutex_good" in %USERPROFILE%\Documents. It succeeds, naturally.

Then (while impersonating) zoom creates "mutex_797" in %USERPROFILE%\Documents (%USERPROFILE% still expands to c:\Users\John, the user who started the process).

zoom fails. Why? Because c:\Users\John is accessible to John, Administrators and SYSTEM, and not to zoom.

Now back to NT. CreateMutexA( NULL, FALSE, "mutex_797" ); - where exactly is "mutex_797" created?

For a process outside an appcontainer: in session 0 it is \BaseNamedObjects, in session <N> it is \Sessions\<N>\BaseNamedObjects, N = 1,2..

So CreateMutexA( NULL, FALSE, "mutex_797" ); creates

\Sessions\<N>\BaseNamedObjects\mutex_797

In \Sessions\<N>\BaseNamedObjects there are SymbolicLinks (like junctions in NTFS):

Global -> \BaseNamedObjects
Local  -> \Sessions\<N>\BaseNamedObjects
Session -> \Sessions\BNOLINKS

So CreateMutexA( NULL, FALSE, "Global\\mutex_797" ); creates

\BaseNamedObjects\mutex_797

When an object is created in a directory, an AccessCheck is performed against that directory.

The directory access rights are:

//
// Object Manager Directory Specific Access Rights.
//

#define DIRECTORY_QUERY                 (0x0001)
#define DIRECTORY_TRAVERSE              (0x0002)
#define DIRECTORY_CREATE_OBJECT         (0x0004)
#define DIRECTORY_CREATE_SUBDIRECTORY   (0x0008)

The DesiredAccess required on the DirectoryObject is

DIRECTORY_CREATE_OBJECT (to create an object in it) (and DIRECTORY_CREATE_SUBDIRECTORY to create a subdirectory)

So zoom has no access to \Sessions\<N>\BaseNamedObjects - let's look at its Security Descriptor:

Type Flags AccessMask Sid Name
0 00 000F000F S-1-5-90-0-1 DWM-1
0 00 000F000F S-1-5-18 SYSTEM
0 0B 10000000 S-1-5-18 SYSTEM
0 0B 10000000 S-1-3-0 CREATOR OWNER
0 00 000F000F S-1-5-21-4026734978-3280735129-2412320105-1001 John
0 0B 10000000 S-1-5-5-0-294807 LogonSessionId_0_294807
0 00 0002000F S-1-5-5-0-294807 LogonSessionId_0_294807
0 00 0002000F S-1-5-32-544 Administrators
0 02 00000003 S-1-1-0 Everyone
0 00 00000002 S-1-5-12 RESTRICTED
17 00 00000001 S-1-16-4096 Low Mandatory Level

Who has DIRECTORY_CREATE_OBJECT (4)? DWM-1, SYSTEM, Administrators, the logon session (LogonSessionId_0_294807), the interactive user (John) - and that is all. zoom is not among them.

Everyone (3) - DIRECTORY_QUERY|DIRECTORY_TRAVERSE - is enough for Name lookup and Query, but not for Name creation.

So what to do? Use \BaseNamedObjects (the global directory) or \BaseNamedObjects\Restricted - their security descriptors:

\BaseNamedObjects

Type Flags AccessMask Sid Name
0 00 0002000F S-1-1-0 Everyone
0 00 00000002 S-1-5-12 RESTRICTED
0 00 000F000F S-1-5-90-0-0 
0 00 000F000F S-1-5-18 SYSTEM
17 00 00000001 S-1-16-4096 Low Mandatory Level

\BaseNamedObjects\Restricted

Type Flags AccessMask Sid Name
0 00 0002000F S-1-1-0 Everyone
0 00 0002000F S-1-5-12 RESTRICTED
0 00 000F000F S-1-5-90-0-0 
0 00 000F000F S-1-5-18 SYSTEM
17 00 00000001 S-1-16-4096 Low Mandatory Level

Everyone has 2000F - this includes DIRECTORY_CREATE_OBJECT. Is zoom a member of Everyone? Of course, so

CreateMutexA(0, 0, "Global\\mutex_797");

succeeds in \BaseNamedObjects (the global namespace). But note what the Windows documentation on kernel object namespaces says:

"The creation of a file-mapping object in the global namespace, by using CreateFileMapping, from a session other than session zero is a privileged operation. Because of this, an application running in an arbitrary Remote Desktop Session Host (RD Session Host) server session must have SeCreateGlobalPrivilege enabled in order to create a file-mapping object in the global namespace successfully. The privilege check is limited to the creation of file-mapping objects, and does not apply to opening existing ones. For example, if an application running in another session successfully creates a file-mapping object in the global namespace, the application can use OpenFileMapping to access the object regardless of whether SeCreateGlobalPrivilege is enabled."

For a Mutex or, say, an Event, SeCreateGlobalPrivilege is not required.

Now, why does zoom, who is an Administrator, have no access to \Sessions\<N>\BaseNamedObjects? Because with LOGON32_LOGON_INTERACTIVE and UAC enabled, zoom gets a filtered token. In it the Administrators group (S-1-5-32-544) is marked SE_GROUP_USE_FOR_DENY_ONLY - it matches deny ACEs only, never allow ACEs. And zoom's LogonSessionId_0_XXX SID is that of a different logon session - hence ERROR_ACCESS_DENIED.

@Harry Johnston - with LOGON32_LOGON_BATCH instead of LOGON32_LOGON_INTERACTIVE the token is not filtered - the Administrators group has SE_GROUP_ENABLED - and the Administrators ACE grants access.

- or use the Global\ prefix - \BaseNamedObjects, where Everyone has access.

As for passing NULL to CreateMutex - no, that is not the cause.

- SECURITY_ATTRIBUTES describe the object being created, not where it is created. The check for creating it is done against the Directory - DIRECTORY_CREATE_OBJECT; SECURITY_ATTRIBUTES have no effect on it.

For illustration, the NT Namespace: [image: NT Namespace]

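As an added illustration (not part of the answer above, and no Win32 calls), the two rules the answer relies on, written in portable C: which object-manager directory a CreateMutex name resolves to (one level of the Global\/Local\/Session\ links), and a simplified allow-ACE check for DIRECTORY_CREATE_OBJECT over rows taken from the dumps above. The SID used for zoom in the test is a constructed placeholder; deny ACEs, deny-only groups and the label ACE are deliberately not evaluated.

```c
#include <stdio.h>
#include <string.h>

#define DIRECTORY_CREATE_OBJECT 0x0004
/* Path CreateMutex resolves `name` to for a non-AppContainer process in
 * `session`, following one level of the Global\/Local\/Session\ links. */
int resolve_bno_path(const char *name, unsigned session, char *out, size_t cap)
{
    int n;
    if (strncmp(name, "Global\\", 7) == 0)
        n = snprintf(out, cap, "\\BaseNamedObjects\\%s", name + 7);
    else if (strncmp(name, "Session\\", 8) == 0)   /* Session\<M>\name */
        n = snprintf(out, cap, "\\Sessions\\BNOLINKS\\%s", name + 8);
    else {
        const char *rest = strncmp(name, "Local\\", 6) == 0 ? name + 6 : name;
        if (session == 0)
            n = snprintf(out, cap, "\\BaseNamedObjects\\%s", rest);
        else
            n = snprintf(out, cap, "\\Sessions\\%u\\BaseNamedObjects\\%s",
                         session, rest);
    }
    return n > 0 && (size_t)n < cap;
}

/* One row of the answer's ACL dump: ACE type, access mask, SID. */
typedef struct { int type; unsigned mask; const char *sid; } Ace;

/* Rows copied from the dumps in the answer (a subset); type 0 = allow ACE. */
static const Ace SESSION_BNO[] = {
    {0, 0x000F000F, "S-1-5-21-4026734978-3280735129-2412320105-1001"}, /* John */
    {0, 0x0002000F, "S-1-5-32-544"},                                   /* Administrators */
    {0, 0x00000003, "S-1-1-0"},                                        /* Everyone */
};
static const Ace GLOBAL_BNO[] = {
    {0, 0x0002000F, "S-1-1-0"},                                        /* Everyone */
};

/* Simplified check: does an allow ACE for a SID present in the token carry
 * DIRECTORY_CREATE_OBJECT? Deny ACEs and the label ACE (type 17) are skipped;
 * a deny-only group (filtered Administrators) must be left out of `sids`. */
int token_can_create(const Ace *acl, size_t n, const char **sids, size_t nsids)
{
    for (size_t i = 0; i < n; i++) {
        if (acl[i].type != 0 || !(acl[i].mask & DIRECTORY_CREATE_OBJECT)) continue;
        for (size_t j = 0; j < nsids; j++)
            if (strcmp(acl[i].sid, sids[j]) == 0) return 1;
    }
    return 0;
}
```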

Source: https://habr.com/ru/post/1665167/

