elevate: move service/token into proper module

3 files changed, 89 insertions, 3 deletions

diff --git a/elevate/membership.go b/elevate/membership.go
new file mode 100644
index 00000000..baa4d71b
--- /dev/null
+++ b/elevate/membership.go
@@ -0,0 +1,28 @@
+/* SPDX-License-Identifier: MIT
+ *
+ * Copyright (C) 2019 WireGuard LLC. All Rights Reserved.
+ */
+
+package elevate
+
+import (
+	"runtime"
+
+	"golang.org/x/sys/windows"
+)
+
+func TokenIsMemberOfBuiltInAdministrator(token windows.Token) bool {
+	gs, err := token.GetTokenGroups()
+	if err != nil {
+		return false
+	}
+	isAdmin := false
+	for _, g := range gs.AllGroups() {
+		if (g.Attributes&windows.SE_GROUP_USE_FOR_DENY_ONLY != 0 || g.Attributes&windows.SE_GROUP_ENABLED != 0) && g.Sid.IsWellKnown(windows.WinBuiltinAdministratorsSid) {
+			isAdmin = true
+			break
+		}
+	}
+	runtime.KeepAlive(gs)
+	return isAdmin
+}
diff --git a/elevate/privileges.go b/elevate/privileges.go
new file mode 100644
index 00000000..a02d8a5d
--- /dev/null
+++ b/elevate/privileges.go
@@ -0,0 +1,60 @@
+/* SPDX-License-Identifier: MIT
+ *
+ * Copyright (C) 2019 WireGuard LLC. All Rights Reserved.
+ */
+
+package elevate
+
+import (
+	"errors"
+	"runtime"
+	"unsafe"
+
+	"golang.org/x/sys/windows"
+)
+
+func DropAllPrivileges(retainDriverLoading bool) error {
+	processHandle, err := windows.GetCurrentProcess()
+	if err != nil {
+		return err
+	}
+	var luid windows.LUID
+	if retainDriverLoading {
+		err = windows.LookupPrivilegeValue(nil, windows.StringToUTF16Ptr("SeLoadDriverPrivilege"), &luid)
+		if err != nil {
+			return err
+		}
+	}
+	var processToken windows.Token
+	err = windows.OpenProcessToken(processHandle, windows.TOKEN_READ|windows.TOKEN_WRITE, &processToken)
+	if err != nil {
+		return err
+	}
+	defer processToken.Close()
+
+	var bufferSizeRequired uint32
+	windows.GetTokenInformation(processToken, windows.TokenPrivileges, nil, 0, &bufferSizeRequired)
+	if bufferSizeRequired == 0 || bufferSizeRequired < uint32(unsafe.Sizeof(windows.Tokenprivileges{}.PrivilegeCount)) {
+		return errors.New("GetTokenInformation failed to provide a buffer size")
+	}
+	buffer := make([]byte, bufferSizeRequired)
+	var bytesWritten uint32
+	err = windows.GetTokenInformation(processToken, windows.TokenPrivileges, &buffer[0], uint32(len(buffer)), &bytesWritten)
+	if err != nil {
+		return err
+	}
+	if bytesWritten != bufferSizeRequired {
+		return errors.New("GetTokenInformation returned incomplete data")
+	}
+	tokenPrivileges := (*windows.Tokenprivileges)(unsafe.Pointer(&buffer[0]))
+	for i := uint32(0); i < tokenPrivileges.PrivilegeCount; i++ {
+		item := (*windows.LUIDAndAttributes)(unsafe.Pointer(uintptr(unsafe.Pointer(&tokenPrivileges.Privileges[0])) + unsafe.Sizeof(tokenPrivileges.Privileges[0])*uintptr(i)))
+		if retainDriverLoading && item.Luid == luid {
+			continue
+		}
+		item.Attributes = windows.SE_PRIVILEGE_REMOVED
+	}
+	err = windows.AdjustTokenPrivileges(processToken, false, tokenPrivileges, 0, nil, nil)
+	runtime.KeepAlive(buffer)
+	return err
+}
diff --git a/elevate/shellexecute.go b/elevate/shellexecute.go
index 6e71e576..00f2d915 100644
--- a/elevate/shellexecute.go
+++ b/elevate/shellexecute.go
@@ -13,8 +13,6 @@ import (
 
 	"golang.org/x/sys/windows"
 	"golang.org/x/sys/windows/registry"
-
-	"golang.zx2c4.com/wireguard/windows/services"
 )
 
 const (
@@ -79,7 +77,7 @@ func ShellExecute(program string, arguments string, directory string, show int32
 		err = windows.ERROR_SUCCESS
 		return
 	}
-	if !services.TokenIsMemberOfBuiltInAdministrator(processToken) {
+	if !TokenIsMemberOfBuiltInAdministrator(processToken) {
 		err = windows.ERROR_ACCESS_DENIED
 		return
 	}