- // SeCaptureLuidAndAttributesArray(NewState->Privileges,
- // PrivilegeCount,
- // PreviousMode,
- // NULL,
- // 0,
- // NonPagedPool,
- // 1,
- // &Privileges,
- // &Length);
-
- Status = ObReferenceObjectByHandle (TokenHandle,
- TOKEN_ADJUST_PRIVILEGES | (PreviousState != NULL ? TOKEN_QUERY : 0),
- SepTokenObjectType,
- PreviousMode,
- (PVOID*)&Token,
- NULL);
+ if (PreviousMode != KernelMode)
+ {
+ _SEH2_TRY
+ {
+ /* Probe NewState */
+ if (DisableAllPrivileges == FALSE)
+ {
+ ProbeForRead(NewState,
+ sizeof(TOKEN_PRIVILEGES),
+ sizeof(ULONG));
+
+ CapturedCount = NewState->PrivilegeCount;
+ NewStateSize = (ULONG)sizeof(TOKEN_PRIVILEGES) +
+ ((CapturedCount - ANYSIZE_ARRAY) * (ULONG)sizeof(LUID_AND_ATTRIBUTES));
+
+ ProbeForRead(NewState,
+ NewStateSize,
+ sizeof(ULONG));
+ }
+
+ /* Probe PreviousState and ReturnLength */
+ if (PreviousState != NULL)
+ {
+ ProbeForWrite(PreviousState,
+ BufferLength,
+ sizeof(ULONG));
+
+ ProbeForWrite(ReturnLength,
+ sizeof(ULONG),
+ sizeof(ULONG));
+ }
+ }
+ _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
+ {
+ /* Return the exception code */
+ _SEH2_YIELD(return _SEH2_GetExceptionCode());
+ }
+ _SEH2_END;
+ }
+ else
+ {
+ if (DisableAllPrivileges == FALSE)
+ CapturedCount = NewState->PrivilegeCount;
+ }
+
+ if (DisableAllPrivileges == FALSE)
+ {
+ _SEH2_TRY
+ {
+ /* Capture the new state array of privileges */
+ Status = SeCaptureLuidAndAttributesArray(NewState->Privileges,
+ CapturedCount,
+ PreviousMode,
+ NULL,
+ 0,
+ PagedPool,
+ TRUE,
+ &CapturedPrivileges,
+ &CapturedLength);
+ }
+ _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
+ {
+ /* Return the exception code */
+ _SEH2_YIELD(return _SEH2_GetExceptionCode());
+ }
+ _SEH2_END;
+
+ if (!NT_SUCCESS(Status))
+ return Status;
+ }
+
+ /* Reference the token */
+ Status = ObReferenceObjectByHandle(TokenHandle,
+ TOKEN_ADJUST_PRIVILEGES | (PreviousState != NULL ? TOKEN_QUERY : 0),
+ SepTokenObjectType,
+ PreviousMode,
+ (PVOID*)&Token,
+ NULL);