22 #define SEP_LOGON_SESSION_TAG 'sLeS' 23 #define SEP_LOGON_NOTIFICATION_TAG 'nLeS' 67 #define POLICY_AUDIT_EVENT_TYPE_COUNT 9 // (AuditCategoryAccountLogon - AuditCategorySystem + 1) 95 } KeyValueInformation;
116 &KeyValueInformation.Partial,
117 sizeof(KeyValueInformation),
124 if ((KeyValueInformation.Partial.Type !=
ValueType) ||
125 (KeyValueInformation.Partial.DataLength !=
DataLength))
199 DPRINT1(
"Security: Rm Create Command Port failed 0x%lx\n",
Status);
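/* Listing line 213: diagnostic for a failed LSA init event creation.
 * Uses the same "0x%lx" conversion as the sibling failure messages in this
 * listing. The original "%xl" was a %x conversion followed by a literal 'l',
 * so the logged status did not match the other messages. */
DPRINT1("Security: LSA init event creation failed.0x%lx\n", Status);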
227 DPRINT1(
"Security: Rm Server Thread creation failed 0x%lx\n",
Status);
260 if ((ListBounds.MaxLength < ListBounds.MinLength) ||
261 (ListBounds.MinLength < 16) ||
262 (ListBounds.MaxLength - ListBounds.MinLength < 16))
264 DPRINT1(
"ListBounds are invalid: %u, %u\n",
265 ListBounds.MinLength, ListBounds.MaxLength);
313 DPRINT(
"SepRmCreateLogonSession(%08lx:%08lx)\n",
320 if (NewSession ==
NULL)
326 NewSession->
LogonId = *LogonLuid;
328 NewSession->
Flags = 0;
337 CurrentSession !=
NULL;
338 CurrentSession = CurrentSession->
Next)
371 DPRINT(
"SepRmDeleteLogonSession(%08lx:%08lx)\n",
388 DPRINT(
"SepRmReferenceLogonSession(%08lx:%08lx)\n",
396 CurrentSession !=
NULL;
397 CurrentSession = CurrentSession->
Next)
439 if (LogonLuid ==
NULL)
459 L"\\Sessions\\0\\DosDevices\\%08x-%08x",
485 DirectoryInfo =
NULL;
491 LinksSize = LinksCount *
sizeof(
HANDLE);
503 if (LinksBuffer ==
NULL)
515 if (DirectoryInfo !=
NULL)
558 if (DirectoryInfo !=
NULL)
568 if (DirectoryInfo ==
NULL)
588 if (CurrentLinks >= LinksCount)
591 for (
i = 0;
i < CurrentLinks; ++
i)
600 LinksSize = LinksCount *
sizeof(
HANDLE);
603 goto AllocateLinksAgain;
608 &DirectoryInfo->
Name,
624 LinksBuffer[CurrentLinks] = LinkHandle;
637 for (
i = 0;
i < CurrentLinks; ++
i)
645 if (DirectoryInfo !=
NULL)
671 DPRINT(
"SepRmDereferenceLogonSession(%08lx:%08lx)\n",
679 CurrentSession !=
NULL;
680 CurrentSession = CurrentSession->
Next)
697 if (DeviceMap !=
NULL)
731 SectionHandle =
NULL;
741 DPRINT1(
"Security Rm Init: Waiting for LSA Init Event failed 0x%lx\n",
Status);
750 Message.Header.u1.s1.DataLength = 0;
756 DPRINT1(
"Security Rm Init: Listen to Command Port failed 0x%lx\n",
Status);
761 RemotePortView.
Length =
sizeof(RemotePortView);
772 DPRINT1(
"Security Rm Init: Accept Connect to Command Port failed 0x%lx\n",
Status);
780 DPRINT1(
"Security Rm Init: Complete Connect to Command Port failed 0x%lx\n",
Status);
786 Status = ZwCreateSection(&SectionHandle,
795 DPRINT1(
"Security Rm Init: Create Memory Section for LSA port failed: %X\n",
Status);
800 PortView.
Length =
sizeof(PortView);
808 SecurityQos.
Length =
sizeof(SecurityQos);
825 DPRINT1(
"Security Rm Init: Connect to LSA Port failed 0x%lx\n",
Status);
835 DPRINT(
"SepRmCommandServerThreadInit: done\n");
841 if (PortHandle !=
NULL)
850 if (SectionHandle !=
NULL)
871 DPRINT1(
"Security: Terminating Rm Command Server Thread\n");
920 DPRINT1(
"SepRmCommandServerThread: unexpected message type: 0x%lx\n",
945 DPRINT1(
"SepRmDispatchRequest: invalid API number: 0x%lx\n",
992 CurrentSession !=
NULL;
993 CurrentSession = CurrentSession->
Next)
1003 if (CurrentSession ==
NULL)
1034 L"\\Sessions\\0\\DosDevices\\%08x-%08x",
1189 Current = Current->
Next)
1198 if (Current ==
NULL)
1205 if (Previous ==
NULL)
IN PUNICODE_STRING IN POBJECT_ATTRIBUTES ObjectAttributes
IN CINT OUT PVOID IN ULONG OUT PULONG ReturnLength
NTSYSAPI NTSTATUS NTAPI ZwListenPort(_In_ HANDLE PortHandle, _In_ PPORT_MESSAGE ConnectionRequest)
#define THREAD_ALL_ACCESS
struct _SEP_LOGON_SESSION_TERMINATED_NOTIFICATION SEP_LOGON_SESSION_TERMINATED_NOTIFICATION
#define STATUS_INSUFFICIENT_RESOURCES
BOOLEAN NTAPI SeRmInitPhase0(VOID)
BOOLEAN SepAdtAuditingEnabled
NTSTATUS NTAPI SeMarkLogonSessionForTerminationNotification(IN PLUID LogonId)
#define STATUS_NO_MORE_ENTRIES
_Must_inspect_result_ _In_ PFILE_OBJECT _In_ ULONG _In_ BOOLEAN _In_ ULONG _In_opt_ PULONG _In_ BOOLEAN RestartScan
#define OBJ_CASE_INSENSITIVE
_Must_inspect_result_ _Out_ PNDIS_STATUS _In_ NDIS_HANDLE _In_ ULONG _Out_ PNDIS_STRING _Out_ PNDIS_HANDLE KeyHandle
VOID FASTCALL KeAcquireGuardedMutex(IN PKGUARDED_MUTEX GuardedMutex)
NTSTATUS NTAPI SepRegQueryHelper(PCWSTR KeyName, PCWSTR ValueName, ULONG ValueType, ULONG DataLength, PVOID ValueData)
NTSYSAPI NTSTATUS NTAPI ZwCompleteConnectPort(_In_ HANDLE PortHandle)
#define STATUS_NO_SUCH_LOGON_SESSION
#define STATUS_INVALID_PARAMETER
NTSYSAPI NTSTATUS NTAPI ZwClose(_In_ HANDLE Handle)
VOID FASTCALL ObfDereferenceDeviceMap(IN PDEVICE_MAP DeviceMap)
NTSTATUS NTAPI SeGetLogonIdDeviceMap(IN PLUID LogonId, OUT PDEVICE_MAP *DeviceMap)
NTSYSAPI NTSTATUS NTAPI ZwAcceptConnectPort(_Out_ PHANDLE PortHandle, _In_opt_ PVOID PortContext, _In_ PPORT_MESSAGE ConnectionRequest, _In_ BOOLEAN AcceptConnection, _In_opt_ PPORT_VIEW ServerView, _In_opt_ PREMOTE_PORT_VIEW ClientView)
ULONG SepAdtMinListLength
static HANDLE DirectoryHandle
NTSYSAPI NTSTATUS NTAPI ZwOpenDirectoryObject(_Out_ PHANDLE FileHandle, _In_ ACCESS_MASK DesiredAccess, _In_ POBJECT_ATTRIBUTES ObjectAttributes)
static NTSTATUS SepRmCreateLogonSession(PLUID LogonLuid)
NTSTATUS SepRmReferenceLogonSession(PLUID LogonLuid)
PVOID SepCommandPortViewRemoteBase
_Must_inspect_result_ _In_ WDFKEY _In_ PCUNICODE_STRING _In_ ULONG _Out_opt_ PULONG _Out_opt_ PULONG ValueType
#define OBJ_KERNEL_HANDLE
#define SYMBOLIC_LINK_ALL_ACCESS
#define STATUS_BUFFER_TOO_SMALL
SECURITY_CONTEXT_TRACKING_MODE ContextTrackingMode
BOOLEAN FASTCALL ObReferenceObjectSafe(IN PVOID Object)
struct _SEP_LOGON_SESSION_TERMINATED_NOTIFICATION * PSEP_LOGON_SESSION_TERMINATED_NOTIFICATION
PVOID SepCommandPortViewBase
_Must_inspect_result_ _In_ PFLT_GET_OPERATION_STATUS_CALLBACK CallbackRoutine
#define SECTION_ALL_ACCESS
return STATUS_NOT_IMPLEMENTED
VOID NTAPI SepRmCommandServerThread(PVOID StartContext)
ULONG SepAdtMaxListLength
#define TAG_SE_DIR_BUFFER
ULONG_PTR SepCommandPortViewBaseOffset
static HANDLE SepRmCommandMessagePort
NTSTATUS(* NTAPI)(IN PFILE_FULL_EA_INFORMATION EaBuffer, IN ULONG EaLength, OUT PULONG ErrorOffset)
PEPROCESS PsInitialSystemProcess
VOID NTAPI KeStackAttachProcess(IN PKPROCESS Process, OUT PRKAPC_STATE ApcState)
#define RtlEqualLuid(Luid1, Luid2)
NTSTATUS NTAPI ObSetDirectoryDeviceMap(OUT PDEVICE_MAP *DeviceMap, IN HANDLE DirectoryHandle)
PSE_LOGON_SESSION_TERMINATED_ROUTINE CallbackRoutine
#define PsGetCurrentProcess
NTSYSAPI NTSTATUS NTAPI ZwCreateDirectoryObject(_Out_ PHANDLE DirectoryHandle, _In_ ACCESS_MASK DesiredAccess, _In_ POBJECT_ATTRIBUTES ObjectAttributes)
UCHAR SeAuditingState[POLICY_AUDIT_EVENT_TYPE_COUNT]
int _snwprintf(wchar_t *buffer, size_t count, const wchar_t *format,...)
#define STATUS_LOGON_SESSION_EXISTS
_At_(*)(_In_ PWSK_CLIENT Client, _In_opt_ PUNICODE_STRING NodeName, _In_opt_ PUNICODE_STRING ServiceName, _In_opt_ ULONG NameSpace, _In_opt_ GUID *Provider, _In_opt_ PADDRINFOEXW Hints, _Outptr_ PADDRINFOEXW *Result, _In_opt_ PEPROCESS OwningProcess, _In_opt_ PETHREAD OwningThread, _Inout_ PIRP Irp Result)(Mem)) NTSTATUS(WSKAPI *PFN_WSK_GET_ADDRESS_INFO
static NTSTATUS SepRmSetAuditEvent(PSEP_RM_API_MESSAGE Message)
_In_ ULONG _In_opt_ WDFREQUEST _In_opt_ PVOID _In_ size_t _In_ PVOID _In_ size_t _Out_ size_t * DataLength
BOOL WINAPI ReplyMessage(_In_ LRESULT)
_Must_inspect_result_ _In_ WDFDEVICE _In_ PCUNICODE_STRING KeyName
#define POLICY_AUDIT_EVENT_TYPE_COUNT
BOOLEAN NTAPI SepRmCommandServerThreadInit(VOID)
NTSYSAPI NTSTATUS NTAPI ZwConnectPort(_Out_ PHANDLE PortHandle, _In_ PUNICODE_STRING PortName, _In_ PSECURITY_QUALITY_OF_SERVICE SecurityQos, _In_opt_ PPORT_VIEW ClientView, _In_opt_ PREMOTE_PORT_VIEW ServerView, _In_opt_ PULONG MaxMessageLength, _In_opt_ PVOID ConnectionInformation, _In_opt_ PULONG ConnectionInformationLength)
#define STATUS_OBJECT_TYPE_MISMATCH
#define SEP_LOGON_NOTIFICATION_TAG
#define NT_SUCCESS(StatCode)
NTSYSAPI NTSTATUS NTAPI ZwCreateSymbolicLinkObject(_Out_ PHANDLE SymbolicLinkHandle, _In_ ACCESS_MASK DesiredAccess, _In_ POBJECT_ATTRIBUTES ObjectAttributes, _In_ PUNICODE_STRING Name)
NTSTATUS(NTAPI * PSE_LOGON_SESSION_TERMINATED_ROUTINE)(IN PLUID LogonId)
#define ObDereferenceObject
LUID SeAnonymousAuthenticationId
_In_ GUID _In_ PVOID ValueData
struct _SEP_LOGON_SESSION_REFERENCES * Next
LUID SeSystemAuthenticationId
#define TAG_SE_HANDLES_TAB
#define ExAllocatePoolWithTag(hernya, size, tag)
_Must_inspect_result_ _In_ WDFKEY _In_ PCUNICODE_STRING ValueName
NTSTATUS NTAPI ObCloseHandle(IN HANDLE Handle, IN KPROCESSOR_MODE AccessMode)
#define SECURITY_DYNAMIC_TRACKING
PSEP_LOGON_SESSION_TERMINATED_NOTIFICATION SepLogonNotifications
NTSTATUS SepCleanupLUIDDeviceMapDirectory(PLUID LogonLuid)
NTSYSAPI NTSTATUS NTAPI ZwReplyWaitReceivePort(_In_ HANDLE PortHandle, _Out_opt_ PVOID *PortContext, _In_opt_ PPORT_MESSAGE ReplyMessage, _Out_ PPORT_MESSAGE ReceiveMessage)
static const WCHAR Cleanup[]
_In_ PWDFDEVICE_INIT _In_ PFN_WDF_DEVICE_SHUTDOWN_NOTIFICATION Notification
struct _SEP_LOGON_SESSION_REFERENCES SEP_LOGON_SESSION_REFERENCES
static NTSTATUS SepRmDeleteLogonSession(PLUID LogonLuid)
_Check_return_ _CRTIMP int __cdecl wcscmp(_In_z_ const wchar_t *_Str1, _In_z_ const wchar_t *_Str2)
static VOID SepAdtInitializeBounds(VOID)
VOID FASTCALL KeInitializeGuardedMutex(OUT PKGUARDED_MUTEX GuardedMutex)
#define SEP_LOGON_SESSION_TAG
VOID NTAPI KeUnstackDetachProcess(IN PRKAPC_STATE ApcState)
#define InitializeListHead(ListHead)
#define DIRECTORY_ALL_ACCESS
struct _SEP_LOGON_SESSION_TERMINATED_NOTIFICATION * Next
#define PORT_MAXIMUM_MESSAGE_LENGTH
PSEP_LOGON_SESSION_REFERENCES SepLogonSessions
NTSTATUS NTAPI PsCreateSystemThread(OUT PHANDLE ThreadHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, IN HANDLE ProcessHandle, IN PCLIENT_ID ClientId, IN PKSTART_ROUTINE StartRoutine, IN PVOID StartContext)
_Out_ PKAPC_STATE ApcState
SECURITY_IMPERSONATION_LEVEL ImpersonationLevel
_IRQL_requires_same_ _In_ PLSA_STRING _In_ SECURITY_LOGON_TYPE _In_ ULONG _In_ ULONG _In_opt_ PTOKEN_GROUPS _In_ PTOKEN_SOURCE _Out_ PVOID _Out_ PULONG _Inout_ PLUID LogonId
VOID FASTCALL KeReleaseGuardedMutex(IN OUT PKGUARDED_MUTEX GuardedMutex)
struct tagContext Context
BOOLEAN NTAPI SeRmInitPhase1(VOID)
NTSYSAPI VOID NTAPI RtlInitUnicodeString(PUNICODE_STRING DestinationString, PCWSTR SourceString)
#define InitializeObjectAttributes(p, n, a, r, s)
NTSTATUS NTAPI SeUnregisterLogonSessionTerminatedRoutine(IN PSE_LOGON_SESSION_TERMINATED_ROUTINE CallbackRoutine)
#define RtlCopyMemory(Destination, Source, Length)
NTSYSAPI NTSTATUS NTAPI ZwCreatePort(_Out_ PHANDLE PortHandle, _In_ POBJECT_ATTRIBUTES ObjectAttributes, _In_ ULONG MaxConnectionInfoLength, _In_ ULONG MaxMessageLength, _In_ ULONG MaxPoolUsage)
_Must_inspect_result_ _In_ WDFDEVICE _In_ DEVICE_REGISTRY_PROPERTY _In_ ULONG _Out_ PULONG ResultLength
#define ExFreePoolWithTag(_P, _T)
NTSTATUS NTAPI SeRegisterLogonSessionTerminatedRoutine(IN PSE_LOGON_SESSION_TERMINATED_ROUTINE CallbackRoutine)
NTSTATUS SepRmDereferenceLogonSession(PLUID LogonLuid)
NTSYSAPI NTSTATUS NTAPI ZwMakeTemporaryObject(_In_ HANDLE Handle)
NTSYSAPI NTSTATUS NTAPI ZwOpenSymbolicLinkObject(_Out_ PHANDLE SymbolicLinkHandle, _In_ ACCESS_MASK DesiredAccess, _In_ POBJECT_ATTRIBUTES ObjectAttributes)
struct _SEP_LOGON_SESSION_REFERENCES * PSEP_LOGON_SESSION_REFERENCES
IN PUNICODE_STRING PortName
KGUARDED_MUTEX SepRmDbLock