ReactOS  0.4.13-dev-99-g7e18b6d
audit.c File Reference
#include <ntoskrnl.h>
#include <debug.h>


Macros

#define NDEBUG
 
#define SEP_PRIVILEGE_SET_MAX_COUNT   60
 

Functions

BOOLEAN NTAPI SeDetailedAuditingWithToken (IN PTOKEN Token)
 
VOID NTAPI SeAuditProcessCreate (IN PEPROCESS Process)
 
VOID NTAPI SeAuditProcessExit (IN PEPROCESS Process)
 
NTSTATUS NTAPI SeInitializeProcessAuditName (IN PFILE_OBJECT FileObject, IN BOOLEAN DoAudit, OUT POBJECT_NAME_INFORMATION *AuditInfo)
 
NTSTATUS NTAPI SeLocateProcessImageName (IN PEPROCESS Process, OUT PUNICODE_STRING *ProcessImageName)
 
VOID NTAPI SepAdtCloseObjectAuditAlarm (PUNICODE_STRING SubsystemName, PVOID HandleId, PSID Sid)
 
VOID NTAPI SepAdtPrivilegedServiceAuditAlarm (PSECURITY_SUBJECT_CONTEXT SubjectContext, _In_opt_ PUNICODE_STRING SubsystemName, _In_opt_ PUNICODE_STRING ServiceName, _In_ PTOKEN Token, _In_ PTOKEN PrimaryToken, _In_ PPRIVILEGE_SET Privileges, _In_ BOOLEAN AccessGranted)
 
VOID NTAPI SePrivilegedServiceAuditAlarm (_In_opt_ PUNICODE_STRING ServiceName, _In_ PSECURITY_SUBJECT_CONTEXT SubjectContext, _In_ PPRIVILEGE_SET PrivilegeSet, _In_ BOOLEAN AccessGranted)
 
static NTSTATUS SeCaptureObjectTypeList (_In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList, _In_ ULONG ObjectTypeListLength, _In_ KPROCESSOR_MODE PreviousMode, _Out_ POBJECT_TYPE_LIST *CapturedObjectTypeList)
 
static VOID SeReleaseObjectTypeList (_In_ _Post_invalid_ POBJECT_TYPE_LIST CapturedObjectTypeList, _In_ KPROCESSOR_MODE PreviousMode)
 
static _Must_inspect_result_ NTSTATUS SepAccessCheckAndAuditAlarmWorker (_In_ PUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ PSECURITY_SUBJECT_CONTEXT SubjectContext, _In_ PUNICODE_STRING ObjectTypeName, _In_ PUNICODE_STRING ObjectName, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_opt_ PSID PrincipalSelfSid, _In_ ACCESS_MASK DesiredAccess, _In_ AUDIT_EVENT_TYPE AuditType, _In_ BOOLEAN HaveAuditPrivilege, _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList, _In_ ULONG ObjectTypeListLength, _In_ PGENERIC_MAPPING GenericMapping, _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccessList, _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatusList, _Out_ PBOOLEAN GenerateOnClose, _In_ BOOLEAN UseResultList)
 
_Must_inspect_result_ NTSTATUS NTAPI SepAccessCheckAndAuditAlarm (_In_ PUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ PHANDLE ClientTokenHandle, _In_ PUNICODE_STRING ObjectTypeName, _In_ PUNICODE_STRING ObjectName, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_opt_ PSID PrincipalSelfSid, _In_ ACCESS_MASK DesiredAccess, _In_ AUDIT_EVENT_TYPE AuditType, _In_ ULONG Flags, _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList, _In_ ULONG ObjectTypeListLength, _In_ PGENERIC_MAPPING GenericMapping, _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccessList, _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatusList, _Out_ PBOOLEAN GenerateOnClose, _In_ BOOLEAN UseResultList)
 
VOID NTAPI SeAuditHardLinkCreation (IN PUNICODE_STRING FileName, IN PUNICODE_STRING LinkName, IN BOOLEAN bSuccess)
 
BOOLEAN NTAPI SeAuditingFileEvents (IN BOOLEAN AccessGranted, IN PSECURITY_DESCRIPTOR SecurityDescriptor)
 
BOOLEAN NTAPI SeAuditingFileEventsWithContext (IN BOOLEAN AccessGranted, IN PSECURITY_DESCRIPTOR SecurityDescriptor, IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext OPTIONAL)
 
BOOLEAN NTAPI SeAuditingHardLinkEvents (IN BOOLEAN AccessGranted, IN PSECURITY_DESCRIPTOR SecurityDescriptor)
 
BOOLEAN NTAPI SeAuditingHardLinkEventsWithContext (IN BOOLEAN AccessGranted, IN PSECURITY_DESCRIPTOR SecurityDescriptor, IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext OPTIONAL)
 
BOOLEAN NTAPI SeAuditingFileOrGlobalEvents (IN BOOLEAN AccessGranted, IN PSECURITY_DESCRIPTOR SecurityDescriptor, IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext)
 
VOID NTAPI SeCloseObjectAuditAlarm (IN PVOID Object, IN HANDLE Handle, IN BOOLEAN PerformAction)
 
VOID NTAPI SeDeleteObjectAuditAlarm (IN PVOID Object, IN HANDLE Handle)
 
VOID NTAPI SeOpenObjectAuditAlarm (IN PUNICODE_STRING ObjectTypeName, IN PVOID Object OPTIONAL, IN PUNICODE_STRING AbsoluteObjectName OPTIONAL, IN PSECURITY_DESCRIPTOR SecurityDescriptor, IN PACCESS_STATE AccessState, IN BOOLEAN ObjectCreated, IN BOOLEAN AccessGranted, IN KPROCESSOR_MODE AccessMode, OUT PBOOLEAN GenerateOnClose)
 
VOID NTAPI SeOpenObjectForDeleteAuditAlarm (IN PUNICODE_STRING ObjectTypeName, IN PVOID Object OPTIONAL, IN PUNICODE_STRING AbsoluteObjectName OPTIONAL, IN PSECURITY_DESCRIPTOR SecurityDescriptor, IN PACCESS_STATE AccessState, IN BOOLEAN ObjectCreated, IN BOOLEAN AccessGranted, IN KPROCESSOR_MODE AccessMode, OUT PBOOLEAN GenerateOnClose)
 
VOID NTAPI SePrivilegeObjectAuditAlarm (IN HANDLE Handle, IN PSECURITY_SUBJECT_CONTEXT SubjectContext, IN ACCESS_MASK DesiredAccess, IN PPRIVILEGE_SET Privileges, IN BOOLEAN AccessGranted, IN KPROCESSOR_MODE CurrentMode)
 
NTSTATUS NTAPI NtCloseObjectAuditAlarm (PUNICODE_STRING SubsystemName, PVOID HandleId, BOOLEAN GenerateOnClose)
 
NTSTATUS NTAPI NtDeleteObjectAuditAlarm (IN PUNICODE_STRING SubsystemName, IN PVOID HandleId, IN BOOLEAN GenerateOnClose)
 
VOID NTAPI SepOpenObjectAuditAlarm (_In_ PSECURITY_SUBJECT_CONTEXT SubjectContext, _In_ PUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ PUNICODE_STRING ObjectTypeName, _In_ PUNICODE_STRING ObjectName, _In_opt_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ PTOKEN ClientToken, _In_ ACCESS_MASK DesiredAccess, _In_ ACCESS_MASK GrantedAccess, _In_opt_ PPRIVILEGE_SET Privileges, _In_ BOOLEAN ObjectCreation, _In_ BOOLEAN AccessGranted, _Out_ PBOOLEAN GenerateOnClose)
 
__kernel_entry NTSTATUS NTAPI NtOpenObjectAuditAlarm (_In_ PUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ PUNICODE_STRING ObjectTypeName, _In_ PUNICODE_STRING ObjectName, _In_opt_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ HANDLE ClientTokenHandle, _In_ ACCESS_MASK DesiredAccess, _In_ ACCESS_MASK GrantedAccess, _In_opt_ PPRIVILEGE_SET PrivilegeSet, _In_ BOOLEAN ObjectCreation, _In_ BOOLEAN AccessGranted, _Out_ PBOOLEAN GenerateOnClose)
 
__kernel_entry NTSTATUS NTAPI NtPrivilegedServiceAuditAlarm (_In_opt_ PUNICODE_STRING SubsystemName, _In_opt_ PUNICODE_STRING ServiceName, _In_ HANDLE ClientTokenHandle, _In_ PPRIVILEGE_SET Privileges, _In_ BOOLEAN AccessGranted)
 
NTSTATUS NTAPI NtPrivilegeObjectAuditAlarm (IN PUNICODE_STRING SubsystemName, IN PVOID HandleId, IN HANDLE ClientToken, IN ULONG DesiredAccess, IN PPRIVILEGE_SET Privileges, IN BOOLEAN AccessGranted)
 
_Must_inspect_result_ __kernel_entry NTSTATUS NTAPI NtAccessCheckAndAuditAlarm (_In_ PUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ PUNICODE_STRING ObjectTypeName, _In_ PUNICODE_STRING ObjectName, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ ACCESS_MASK DesiredAccess, _In_ PGENERIC_MAPPING GenericMapping, _In_ BOOLEAN ObjectCreation, _Out_ PACCESS_MASK GrantedAccess, _Out_ PNTSTATUS AccessStatus, _Out_ PBOOLEAN GenerateOnClose)
 
_Must_inspect_result_ __kernel_entry NTSTATUS NTAPI NtAccessCheckByTypeAndAuditAlarm (_In_ PUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ PUNICODE_STRING ObjectTypeName, _In_ PUNICODE_STRING ObjectName, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_opt_ PSID PrincipalSelfSid, _In_ ACCESS_MASK DesiredAccess, _In_ AUDIT_EVENT_TYPE AuditType, _In_ ULONG Flags, _In_reads_opt_(ObjectTypeLength) POBJECT_TYPE_LIST ObjectTypeList, _In_ ULONG ObjectTypeLength, _In_ PGENERIC_MAPPING GenericMapping, _In_ BOOLEAN ObjectCreation, _Out_ PACCESS_MASK GrantedAccess, _Out_ PNTSTATUS AccessStatus, _Out_ PBOOLEAN GenerateOnClose)
 
_Must_inspect_result_ __kernel_entry NTSTATUS NTAPI NtAccessCheckByTypeResultListAndAuditAlarm (_In_ PUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ PUNICODE_STRING ObjectTypeName, _In_ PUNICODE_STRING ObjectName, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_opt_ PSID PrincipalSelfSid, _In_ ACCESS_MASK DesiredAccess, _In_ AUDIT_EVENT_TYPE AuditType, _In_ ULONG Flags, _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList, _In_ ULONG ObjectTypeListLength, _In_ PGENERIC_MAPPING GenericMapping, _In_ BOOLEAN ObjectCreation, _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccessList, _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatusList, _Out_ PBOOLEAN GenerateOnClose)
 
_Must_inspect_result_ __kernel_entry NTSTATUS NTAPI NtAccessCheckByTypeResultListAndAuditAlarmByHandle (_In_ PUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ HANDLE ClientToken, _In_ PUNICODE_STRING ObjectTypeName, _In_ PUNICODE_STRING ObjectName, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_opt_ PSID PrincipalSelfSid, _In_ ACCESS_MASK DesiredAccess, _In_ AUDIT_EVENT_TYPE AuditType, _In_ ULONG Flags, _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList, _In_ ULONG ObjectTypeListLength, _In_ PGENERIC_MAPPING GenericMapping, _In_ BOOLEAN ObjectCreation, _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccessList, _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatusList, _Out_ PBOOLEAN GenerateOnClose)
 

Variables

UNICODE_STRING SeSubsystemName = RTL_CONSTANT_STRING(L"Security")
 

Macro Definition Documentation

◆ NDEBUG

#define NDEBUG

Definition at line 14 of file audit.c.

◆ SEP_PRIVILEGE_SET_MAX_COUNT

#define SEP_PRIVILEGE_SET_MAX_COUNT   60

Definition at line 17 of file audit.c.

Function Documentation

◆ NtAccessCheckAndAuditAlarm()

_Must_inspect_result_ __kernel_entry NTSTATUS NTAPI NtAccessCheckAndAuditAlarm ( _In_ PUNICODE_STRING  SubsystemName,
_In_opt_ PVOID  HandleId,
_In_ PUNICODE_STRING  ObjectTypeName,
_In_ PUNICODE_STRING  ObjectName,
_In_ PSECURITY_DESCRIPTOR  SecurityDescriptor,
_In_ ACCESS_MASK  DesiredAccess,
_In_ PGENERIC_MAPPING  GenericMapping,
_In_ BOOLEAN  ObjectCreation,
_Out_ PACCESS_MASK  GrantedAccess,
_Out_ PNTSTATUS  AccessStatus,
_Out_ PBOOLEAN  GenerateOnClose 
)

Definition at line 1406 of file audit.c.

/*
 * NtAccessCheckAndAuditAlarm - system-service entry for the plain
 * access-check-and-audit call. It only forwards to the shared worker
 * SepAccessCheckAndAuditAlarm (audit.c:371). Counting the visible
 * arguments against the worker's prototype: ClientTokenHandle and
 * PrincipalSelfSid are NULL, Flags is 0, no object type list is given
 * (NULL, 0) and UseResultList is FALSE, so the worker fills a single
 * GrantedAccess/AccessStatus pair rather than per-type result lists.
 * ObjectCreation has no counterpart in the worker and is not forwarded
 * (and, unlike the ByHandle variant, is not marked UNREFERENCED_PARAMETER).
 * No probing or privilege check happens here; presumably the worker does
 * it - confirm there. This rendering drops the argument lines 1423, 1425,
 * 1428, 1432 and 1435, so the call below is not the complete list.
 */
1418 {
1419  /* Call the internal function */
1420  return SepAccessCheckAndAuditAlarm(SubsystemName,
1421  HandleId,
1422  NULL, /* ClientTokenHandle */
1424  ObjectName,
1426  NULL, /* PrincipalSelfSid */
1427  DesiredAccess,
1429  0, /* Flags */
1430  NULL, /* ObjectTypeList */
1431  0, /* ObjectTypeListLength */
1433  GrantedAccess,
1434  AccessStatus,
1436  FALSE); /* UseResultList */
1437 }

Referenced by AccessCheckAndAuditAlarmA(), and AccessCheckAndAuditAlarmW().

◆ NtAccessCheckByTypeAndAuditAlarm()

_Must_inspect_result_ __kernel_entry NTSTATUS NTAPI NtAccessCheckByTypeAndAuditAlarm ( _In_ PUNICODE_STRING  SubsystemName,
_In_opt_ PVOID  HandleId,
_In_ PUNICODE_STRING  ObjectTypeName,
_In_ PUNICODE_STRING  ObjectName,
_In_ PSECURITY_DESCRIPTOR  SecurityDescriptor,
_In_opt_ PSID  PrincipalSelfSid,
_In_ ACCESS_MASK  DesiredAccess,
_In_ AUDIT_EVENT_TYPE  AuditType,
_In_ ULONG  Flags,
_In_reads_opt_(ObjectTypeLength) POBJECT_TYPE_LIST  ObjectTypeList,
_In_ ULONG  ObjectTypeLength,
_In_ PGENERIC_MAPPING  GenericMapping,
_In_ BOOLEAN  ObjectCreation,
_Out_ PACCESS_MASK  GrantedAccess,
_Out_ PNTSTATUS  AccessStatus,
_Out_ PBOOLEAN  GenerateOnClose 
)

Definition at line 1443 of file audit.c.

/*
 * NtAccessCheckByTypeAndAuditAlarm - system-service entry for the
 * object-type-list form of the access-check-and-audit call. It forwards
 * to SepAccessCheckAndAuditAlarm with ClientTokenHandle == NULL and
 * UseResultList == FALSE, so a single GrantedAccess/AccessStatus pair is
 * produced even though an object type list is supplied. Flags,
 * ObjectTypeList and ObjectTypeLength are user-supplied and are passed
 * through untouched here; capturing and bounding the list is presumably
 * the worker's job (SeCaptureObjectTypeList exists in this file) - confirm.
 * ObjectCreation is not forwarded (the worker has no such parameter) and
 * is not marked UNREFERENCED_PARAMETER as the ByHandle variant does.
 * This rendering drops the argument lines 1465, 1467, 1474 and 1477.
 */
1460 {
1461  /* Call the internal function */
1462  return SepAccessCheckAndAuditAlarm(SubsystemName,
1463  HandleId,
1464  NULL, /* ClientTokenHandle */
1466  ObjectName,
1468  PrincipalSelfSid,
1469  DesiredAccess,
1470  AuditType,
1471  Flags,
1472  ObjectTypeList,
1473  ObjectTypeLength,
1475  GrantedAccess,
1476  AccessStatus,
1478  FALSE); /* UseResultList */
1479 }

◆ NtAccessCheckByTypeResultListAndAuditAlarm()

_Must_inspect_result_ __kernel_entry NTSTATUS NTAPI NtAccessCheckByTypeResultListAndAuditAlarm ( _In_ PUNICODE_STRING  SubsystemName,
_In_opt_ PVOID  HandleId,
_In_ PUNICODE_STRING  ObjectTypeName,
_In_ PUNICODE_STRING  ObjectName,
_In_ PSECURITY_DESCRIPTOR  SecurityDescriptor,
_In_opt_ PSID  PrincipalSelfSid,
_In_ ACCESS_MASK  DesiredAccess,
_In_ AUDIT_EVENT_TYPE  AuditType,
_In_ ULONG  Flags,
_In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST  ObjectTypeList,
_In_ ULONG  ObjectTypeListLength,
_In_ PGENERIC_MAPPING  GenericMapping,
_In_ BOOLEAN  ObjectCreation,
_Out_writes_(ObjectTypeListLength) PACCESS_MASK  GrantedAccessList,
_Out_writes_(ObjectTypeListLength) PNTSTATUS  AccessStatusList,
_Out_ PBOOLEAN  GenerateOnClose 
)

Definition at line 1485 of file audit.c.

/*
 * NtAccessCheckByTypeResultListAndAuditAlarm - result-list form of the
 * access-check-and-audit service. Forwards to SepAccessCheckAndAuditAlarm
 * with ClientTokenHandle == NULL and UseResultList == TRUE, so the worker
 * writes one entry per object type into GrantedAccessList and
 * AccessStatusList. Both output arrays are user buffers whose length is
 * the user-supplied ObjectTypeListLength (_Out_writes_ annotations on the
 * prototype); probing them against that count is presumably done in the
 * worker - confirm. ObjectCreation is not forwarded and not marked
 * UNREFERENCED_PARAMETER. This rendering drops the argument lines 1507,
 * 1509, 1516 and 1519.
 */
1502 {
1503  /* Call the internal function */
1504  return SepAccessCheckAndAuditAlarm(SubsystemName,
1505  HandleId,
1506  NULL, /* ClientTokenHandle */
1508  ObjectName,
1510  PrincipalSelfSid,
1511  DesiredAccess,
1512  AuditType,
1513  Flags,
1514  ObjectTypeList,
1515  ObjectTypeListLength,
1517  GrantedAccessList,
1518  AccessStatusList,
1520  TRUE); /* UseResultList */
1521 }

◆ NtAccessCheckByTypeResultListAndAuditAlarmByHandle()

_Must_inspect_result_ __kernel_entry NTSTATUS NTAPI NtAccessCheckByTypeResultListAndAuditAlarmByHandle ( _In_ PUNICODE_STRING  SubsystemName,
_In_opt_ PVOID  HandleId,
_In_ HANDLE  ClientToken,
_In_ PUNICODE_STRING  ObjectTypeName,
_In_ PUNICODE_STRING  ObjectName,
_In_ PSECURITY_DESCRIPTOR  SecurityDescriptor,
_In_opt_ PSID  PrincipalSelfSid,
_In_ ACCESS_MASK  DesiredAccess,
_In_ AUDIT_EVENT_TYPE  AuditType,
_In_ ULONG  Flags,
_In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST  ObjectTypeList,
_In_ ULONG  ObjectTypeListLength,
_In_ PGENERIC_MAPPING  GenericMapping,
_In_ BOOLEAN  ObjectCreation,
_Out_writes_(ObjectTypeListLength) PACCESS_MASK  GrantedAccessList,
_Out_writes_(ObjectTypeListLength) PNTSTATUS  AccessStatusList,
_Out_ PBOOLEAN  GenerateOnClose 
)

Definition at line 1527 of file audit.c.

/*
 * NtAccessCheckByTypeResultListAndAuditAlarmByHandle - like the
 * result-list service above, but the caller names the token to check via
 * a handle instead of the thread's own token. ClientToken is a HANDLE
 * passed by value, so &ClientToken is the address of this function's own
 * parameter (kernel stack), not a user-mode pointer: the worker receives a
 * PHANDLE it can read without probing, but it still has to reference the
 * handle itself. UseResultList is TRUE. ObjectCreation is explicitly
 * marked unused. This rendering drops the argument lines 1552, 1554,
 * 1561 and 1564.
 */
1545 {
1546  UNREFERENCED_PARAMETER(ObjectCreation);
1547 
1548  /* Call the internal function */
1549  return SepAccessCheckAndAuditAlarm(SubsystemName,
1550  HandleId,
1551  &ClientToken, /* ClientTokenHandle: address of the by-value parameter */
1553  ObjectName,
1555  PrincipalSelfSid,
1556  DesiredAccess,
1557  AuditType,
1558  Flags,
1559  ObjectTypeList,
1560  ObjectTypeListLength,
1562  GrantedAccessList,
1563  AccessStatusList,
1565  TRUE); /* UseResultList */
1566 }

◆ NtCloseObjectAuditAlarm()

NTSTATUS NTAPI NtCloseObjectAuditAlarm ( PUNICODE_STRING  SubsystemName,
PVOID  HandleId,
BOOLEAN  GenerateOnClose 
)

Definition at line 859 of file audit.c.

/*
 * NtCloseObjectAuditAlarm - user-mode entry through which a protected
 * subsystem reports the close of a handle for auditing. Visible flow:
 * return STATUS_SUCCESS at once if the caller did not request an audit
 * (GenerateOnClose == FALSE); capture the subject context; require the
 * audit privilege (the if-line 890 is dropped from this rendering);
 * capture SubsystemName from user memory; pick the effective token - the
 * impersonation token when the current thread is impersonating, else the
 * primary token (assignment line 921 dropped) - and hand its user SID to
 * SepAdtCloseObjectAuditAlarm; release everything in reverse order.
 * Returns Status. The declaration of Status (864), the PreviousMode
 * lookup (876-877), the failure/success Status assignments (893, 945)
 * and the token dereference calls (937, 942) are among the dropped lines
 * and must be read from the full source. Note that this function captures
 * with PreviousMode whereas NtOpenObjectAuditAlarm hard-codes UserMode.
 */
863 {
865  UNICODE_STRING CapturedSubsystemName;
867  BOOLEAN UseImpersonationToken;
868  PETHREAD CurrentThread;
872  PTOKEN Token;
873  PAGED_CODE();
874 
875  /* Get the previous mode (only user mode is supported!) */
878 
879  /* Do we even need to do anything? */
880  if (!GenerateOnClose)
881  {
882  /* Nothing to do, return success */
      /* This exits before the subject context or any string has been
       * captured, so a plain return (not goto Cleanup) leaks nothing. */
883  return STATUS_SUCCESS;
884  }
885 
886  /* Capture the security subject context */
888 
889  /* Check for audit privilege */
891  {
892  DPRINT1("Caller does not have SeAuditPrivilege\n");
      /* Status is assigned on the dropped line 893. Only the subject
       * context is outstanding at this point, which is what Cleanup
       * releases. */
894  goto Cleanup;
895  }
896 
897  /* Probe and capture the subsystem name */
898  Status = ProbeAndCaptureUnicodeString(&CapturedSubsystemName,
899  PreviousMode,
900  SubsystemName);
901  if (!NT_SUCCESS(Status))
902  {
903  DPRINT1("Failed to capture subsystem name!\n");
      /* Presumably a failed capture leaves nothing to release, since
       * Cleanup does not touch CapturedSubsystemName - confirm in probe.h */
904  goto Cleanup;
905  }
906 
907  /* Get the current thread and check if it's impersonating */
908  CurrentThread = PsGetCurrentThread();
909  if (PsIsThreadImpersonating(CurrentThread))
910  {
911  /* Get the impersonation token */
      /* The fourth (ImpersonationLevel) argument is on the dropped line 915 */
912  Token = PsReferenceImpersonationToken(CurrentThread,
913  &CopyOnOpen,
914  &EffectiveOnly,
916  UseImpersonationToken = TRUE;
917  }
918  else
919  {
920  /* Get the primary token */
      /* Token assignment (921) is dropped from this rendering */
922  UseImpersonationToken = FALSE;
923  }
924 
925  /* Call the internal function */
      /* NOTE(review): Token is dereferenced without a NULL check; this
       * relies on the two reference calls above never returning NULL for
       * the current thread - confirm that holds for the impersonation case. */
926  SepAdtCloseObjectAuditAlarm(&CapturedSubsystemName,
927  HandleId,
928  Token->UserAndGroups->Sid);
929 
930  /* Release the captured subsystem name */
931  ReleaseCapturedUnicodeString(&CapturedSubsystemName, PreviousMode);
932 
933  /* Check what token we used */
      /* The matching dereference calls are on the dropped lines 937 and 942 */
934  if (UseImpersonationToken)
935  {
936  /* Release impersonation token */
938  }
939  else
940  {
941  /* Release primary token */
943  }
944 
      /* Success-path Status assignment is on the dropped line 945 */
946 
947 Cleanup:
948 
949  /* Release the security subject context */
      /* The release call itself (950) is dropped from this rendering */
951 
952  return Status;
953 }

Referenced by ObjectCloseAuditAlarmA(), and ObjectCloseAuditAlarmW().

◆ NtDeleteObjectAuditAlarm()

NTSTATUS NTAPI NtDeleteObjectAuditAlarm ( IN PUNICODE_STRING  SubsystemName,
IN PVOID  HandleId,
IN BOOLEAN  GenerateOnClose 
)

Definition at line 957 of file audit.c.

/*
 * NtDeleteObjectAuditAlarm - stub. Always returns STATUS_NOT_IMPLEMENTED
 * (the dropped line 961 is presumably the UNIMPLEMENTED trace macro).
 * No parameter is probed, captured or used and no audit record is
 * generated; callers such as ObjectDeleteAuditAlarmA/W see the failure
 * status, so object-delete audits requested through this service are
 * not recorded on this build.
 */
960 {
962  return STATUS_NOT_IMPLEMENTED;
963 }

Referenced by ObjectDeleteAuditAlarmA(), and ObjectDeleteAuditAlarmW().

◆ NtOpenObjectAuditAlarm()

__kernel_entry NTSTATUS NTAPI NtOpenObjectAuditAlarm ( _In_ PUNICODE_STRING  SubsystemName,
_In_opt_ PVOID  HandleId,
_In_ PUNICODE_STRING  ObjectTypeName,
_In_ PUNICODE_STRING  ObjectName,
_In_opt_ PSECURITY_DESCRIPTOR  SecurityDescriptor,
_In_ HANDLE  ClientTokenHandle,
_In_ ACCESS_MASK  DesiredAccess,
_In_ ACCESS_MASK  GrantedAccess,
_In_opt_ PPRIVILEGE_SET  PrivilegeSet,
_In_ BOOLEAN  ObjectCreation,
_In_ BOOLEAN  AccessGranted,
_Out_ PBOOLEAN  GenerateOnClose 
)

Definition at line 1001 of file audit.c.

/*
 * NtOpenObjectAuditAlarm - user-mode entry through which a protected
 * subsystem reports an object open for auditing. Visible flow: reference
 * the caller-supplied token handle for TOKEN_QUERY against UserMode;
 * capture the subject context; reject impersonation tokens below
 * SecurityIdentification; require the audit privilege (if-line 1064 is
 * dropped from this rendering); bail out on a NULL SecurityDescriptor;
 * capture the descriptor (call line 1080 dropped, presumably
 * SeCaptureSecurityDescriptor given the matching release at Cleanup);
 * under SEH, probe and copy the optional PRIVILEGE_SET and HandleId and
 * probe GenerateOnClose for write; capture the three UNICODE_STRINGs;
 * call SepOpenObjectAuditAlarm (call line 1175 dropped, arguments
 * visible); write the resulting GenerateOnClose back under SEH. Every
 * capture pointer is reset to NULL up front so that Cleanup can release
 * each one conditionally. All capture/release calls hard-code UserMode
 * (compare NtCloseObjectAuditAlarm, which uses PreviousMode). Most Status
 * assignments (1059, 1067, 1075, 1103, 1120, 1138, 1189, 1198) are on
 * dropped lines; the DPRINT1 that follows each one prints Status, so
 * they are presumably the usual NTSTATUS codes - read the full source.
 */
1014 {
1015  PTOKEN ClientToken;
1016  PSECURITY_DESCRIPTOR CapturedSecurityDescriptor;
1017  UNICODE_STRING CapturedSubsystemName, CapturedObjectTypeName, CapturedObjectName;
1018  ULONG PrivilegeCount, PrivilegeSetSize;
      /* volatile: assigned inside the _SEH2_TRY block and read again at
       * Cleanup after an exception may have unwound that block, so it must
       * not be cached in a register across the handler (presumed intent) */
1019  volatile PPRIVILEGE_SET CapturedPrivilegeSet;
1020  BOOLEAN LocalGenerateOnClose;
      /* NOTE(review): CapturedHandleId is not reset in the "Start clean"
       * block below and is only assigned when HandleId != NULL (see the
       * probe block), yet it is always passed to the worker. Unless a
       * dropped line sets it, the HandleId == NULL path forwards an
       * indeterminate value; `CapturedHandleId = NULL;` next to the other
       * resets would close that. */
1021  PVOID CapturedHandleId;
1023  NTSTATUS Status;
1024  PAGED_CODE();
1025 
1026  /* Only user mode is supported! */
      /* The corresponding check/assert is on the dropped line 1027 */
1028 
1029  /* Start clean */
      /* Cleanup tests each of these for NULL, so every early exit after
       * this point can safely jump there. */
1030  ClientToken = NULL;
1031  CapturedSecurityDescriptor = NULL;
1032  CapturedPrivilegeSet = NULL;
1033  CapturedSubsystemName.Buffer = NULL;
1034  CapturedObjectTypeName.Buffer = NULL;
1035  CapturedObjectName.Buffer = NULL;
1036 
1037  /* Reference the client token */
      /* Handle is validated for TOKEN_QUERY from UserMode; the object type
       * argument is on the dropped line 1040 */
1038  Status = ObReferenceObjectByHandle(ClientTokenHandle,
1039  TOKEN_QUERY,
1041  UserMode,
1042  (PVOID*)&ClientToken,
1043  NULL);
1044  if (!NT_SUCCESS(Status))
1045  {
1046  DPRINT1("Failed to reference token handle %p: %lx\n",
1047  ClientTokenHandle, Status);
      /* Plain return is correct here: nothing has been captured yet and
       * the reference failed, so Cleanup's ObDereferenceObject must be
       * skipped. */
1048  return Status;
1049  }
1050 
1051  /* Capture the security subject context */
      /* The capture call (1052) is dropped from this rendering */
1053 
1054  /* Validate the token's impersonation level */
      /* Anonymous-level impersonation tokens carry no usable identity for
       * the audit record, so they are refused (Status set on dropped 1059) */
1055  if ((ClientToken->TokenType == TokenImpersonation) &&
1056  (ClientToken->ImpersonationLevel < SecurityIdentification))
1057  {
1058  DPRINT1("Invalid impersonation level (%u)\n", ClientToken->ImpersonationLevel);
1060  goto Cleanup;
1061  }
1062 
1063  /* Check for audit privilege */
      /* The if-line (1064) is dropped; the privilege is checked on the
       * calling subject, not on ClientToken (Status set on dropped 1067) */
1065  {
1066  DPRINT1("Caller does not have SeAuditPrivilege\n");
1068  goto Cleanup;
1069  }
1070 
1071  /* Check for NULL SecurityDescriptor */
1072  if (SecurityDescriptor == NULL)
1073  {
1074  /* Nothing to do */
      /* Status for this path is assigned on the dropped line 1075; note
       * that *GenerateOnClose is not written on this path */
1076  goto Cleanup;
1077  }
1078 
1079  /* Capture the security descriptor */
      /* Call line 1080 is dropped; the visible arguments are the mode,
       * pool type, a FALSE flag and the output pointer */
1081  UserMode,
1082  PagedPool,
1083  FALSE,
1084  &CapturedSecurityDescriptor);
1085  if (!NT_SUCCESS(Status))
1086  {
1087  DPRINT1("Failed to capture security descriptor!\n");
1088  goto Cleanup;
1089  }
1090 
      /* Everything that touches raw user pointers is done inside SEH */
1091  _SEH2_TRY
1092  {
1093  /* Check if we have a privilege set */
1094  if (PrivilegeSet != NULL)
1095  {
1096  /* Probe the basic privilege set structure */
      /* Two-step probe: fixed header first, then the full variable-length
       * structure once the count is known */
1097  ProbeForRead(PrivilegeSet, sizeof(PRIVILEGE_SET), sizeof(ULONG));
1098 
1099  /* Validate privilege count */
      /* Single read of the user-controlled count; the cap keeps
       * PrivilegeSetSize small and the FIELD_OFFSET below from overflowing */
1100  PrivilegeCount = PrivilegeSet->PrivilegeCount;
1101  if (PrivilegeCount > SEP_PRIVILEGE_SET_MAX_COUNT)
1102  {
      /* Status set on the dropped line 1103 */
1104  _SEH2_YIELD(goto Cleanup);
1105  }
1106 
1107  /* Calculate the size of the PrivilegeSet structure */
1108  PrivilegeSetSize = FIELD_OFFSET(PRIVILEGE_SET, Privilege[PrivilegeCount]);
1109 
1110  /* Probe the whole structure */
1111  ProbeForRead(PrivilegeSet, PrivilegeSetSize, sizeof(ULONG));
1112 
1113  /* Allocate a temp buffer */
      /* Pool tag is on the dropped line 1116 (TAG_PRIVILEGE_SET, per the
       * matching ExFreePoolWithTag at Cleanup) */
1114  CapturedPrivilegeSet = ExAllocatePoolWithTag(PagedPool,
1115  PrivilegeSetSize,
1117  if (CapturedPrivilegeSet == NULL)
1118  {
1119  DPRINT1("Failed to allocate %u bytes\n", PrivilegeSetSize);
      /* Status set on the dropped line 1120 */
1121  _SEH2_YIELD(goto Cleanup);
1122  }
1123 
1124  /* Copy the privileges */
      /* NOTE(review): the copy is bounded by PrivilegeSetSize, but the
       * PrivilegeCount field inside the copy is read from user memory a
       * second time here. If the caller changed PrivilegeSet->PrivilegeCount
       * between line 1100 and this copy, the captured set claims more
       * entries than were allocated and any consumer that trusts
       * CapturedPrivilegeSet->PrivilegeCount would read past the buffer.
       * Pinning it after the copy, `CapturedPrivilegeSet->PrivilegeCount =
       * PrivilegeCount;`, removes the double fetch. */
1125  RtlCopyMemory(CapturedPrivilegeSet, PrivilegeSet, PrivilegeSetSize);
1126  }
1127 
      /* HandleId is a user pointer to a PVOID; only the pointed-to value
       * is kept. No else-branch: see the CapturedHandleId note above. */
1128  if (HandleId != NULL)
1129  {
1130  ProbeForRead(HandleId, sizeof(PVOID), sizeof(PVOID));
1131  CapturedHandleId = *(PVOID*)HandleId;
1132  }
1133 
      /* Probing the output pointer up front means a bad GenerateOnClose
       * fails before any audit is generated */
1134  ProbeForWrite(GenerateOnClose, sizeof(BOOLEAN), sizeof(BOOLEAN));
1135  }
      /* The _SEH2_EXCEPT filter (1136) and the Status assignment (1138)
       * are dropped from this rendering */
1137  {
1139  DPRINT1("Exception while probing parameters: 0x%lx\n", Status);
1140  _SEH2_YIELD(goto Cleanup);
1141  }
1142  _SEH2_END;
1143 
      /* The three strings are captured by the probe.h helper, which does
       * its own probing and copies the buffer out of user memory */
1144  /* Probe and capture the subsystem name */
1145  Status = ProbeAndCaptureUnicodeString(&CapturedSubsystemName,
1146  UserMode,
1147  SubsystemName);
1148  if (!NT_SUCCESS(Status))
1149  {
1150  DPRINT1("Failed to capture subsystem name!\n");
1151  goto Cleanup;
1152  }
1153 
1154  /* Probe and capture the object type name */
1155  Status = ProbeAndCaptureUnicodeString(&CapturedObjectTypeName,
1156  UserMode,
1157  ObjectTypeName);
1158  if (!NT_SUCCESS(Status))
1159  {
1160  DPRINT1("Failed to capture object type name!\n");
1161  goto Cleanup;
1162  }
1163 
1164  /* Probe and capture the object name */
1165  Status = ProbeAndCaptureUnicodeString(&CapturedObjectName,
1166  UserMode,
1167  ObjectName);
1168  if (!NT_SUCCESS(Status))
1169  {
1170  DPRINT1("Failed to capture object name!\n");
1171  goto Cleanup;
1172  }
1173 
1174  /* Call the internal function */
      /* The call line (1175, SepOpenObjectAuditAlarm with the subject
       * context as first argument) is dropped; only captured copies are
       * passed, never the raw user pointers */
1176  &CapturedSubsystemName,
1177  CapturedHandleId,
1178  &CapturedObjectTypeName,
1179  &CapturedObjectName,
1180  CapturedSecurityDescriptor,
1181  ClientToken,
1182  DesiredAccess,
1183  GrantedAccess,
1184  CapturedPrivilegeSet,
1185  ObjectCreation,
1186  AccessGranted,
1187  &LocalGenerateOnClose);
1188 
      /* Success-path Status assignment is on the dropped line 1189 */
1190 
1191  /* Enter SEH to copy the data back to user mode */
1192  _SEH2_TRY
1193  {
1194  *GenerateOnClose = LocalGenerateOnClose;
1195  }
      /* Filter (1196) and Status assignment (1198) are dropped. The worker
       * call above has already run, so whatever 1198 assigns is what the
       * caller sees for an audit that was nevertheless processed. */
1197  {
1199  DPRINT1("Exception while copying back data: 0x%lx\n", Status);
1200  }
1201  _SEH2_END;
1202 
1203 Cleanup:
1204 
      /* Release in reverse order of acquisition; each pointer was reset
       * to NULL at the top so partial failures are handled uniformly */
1205  if (CapturedObjectName.Buffer != NULL)
1206  ReleaseCapturedUnicodeString(&CapturedObjectName, UserMode);
1207 
1208  if (CapturedObjectTypeName.Buffer != NULL)
1209  ReleaseCapturedUnicodeString(&CapturedObjectTypeName, UserMode);
1210 
1211  if (CapturedSubsystemName.Buffer != NULL)
1212  ReleaseCapturedUnicodeString(&CapturedSubsystemName, UserMode);
1213 
1214  if (CapturedSecurityDescriptor != NULL)
1215  SeReleaseSecurityDescriptor(CapturedSecurityDescriptor, UserMode, FALSE);
1216 
1217  if (CapturedPrivilegeSet != NULL)
1218  ExFreePoolWithTag(CapturedPrivilegeSet, TAG_PRIVILEGE_SET);
1219 
1220  /* Release the security subject context */
      /* The release call (1221) is dropped from this rendering */
1222 
      /* ClientToken is non-NULL on every path that reaches this label,
       * because a failed reference returned directly above */
1223  ObDereferenceObject(ClientToken);
1224 
1225  return Status;
1226 }

Referenced by ObjectOpenAuditAlarmA(), and ObjectOpenAuditAlarmW().

◆ NtPrivilegedServiceAuditAlarm()

__kernel_entry NTSTATUS NTAPI NtPrivilegedServiceAuditAlarm ( _In_opt_ PUNICODE_STRING  SubsystemName,
_In_opt_ PUNICODE_STRING  ServiceName,
_In_ HANDLE  ClientTokenHandle,
_In_ PPRIVILEGE_SET  Privileges,
_In_ BOOLEAN  AccessGranted 
)

Definition at line 1232 of file audit.c.

/*
 * NtPrivilegedServiceAuditAlarm - system service through which a user-mode
 * protected server (the PrivilegedServiceAuditAlarmA/W wrappers listed under
 * "Referenced by") asks the kernel to record a privileged-service audit on
 * behalf of a client token.
 *
 * Arguments: SubsystemName / ServiceName are optional user-mode strings,
 * ClientTokenHandle is a handle in the caller's table, Privileges is a
 * user-mode PRIVILEGE_SET, AccessGranted says whether the service was
 * performed. Returns STATUS_SUCCESS or the status of the first failing step.
 *
 * Trust boundary: every pointer is user-supplied and is probed/captured
 * before use, and the caller must hold SeAuditPrivilege. Several lines of
 * this listing (1239, 1245, 1250-1251, 1259, 1275, 1279, 1282, 1285, 1326,
 * 1339, 1343, 1350, 1352, 1359, 1367, 1381) were dropped by the renderer;
 * remarks about them below are marked "elided" and are inferences, not facts
 * shown on this page.
 */
1238 {
1240  PTOKEN ClientToken;
      /* volatile because it is assigned inside the SEH-protected region and
         read again at Cleanup after a possible unwind out of that region. */
1241  volatile PPRIVILEGE_SET CapturedPrivileges = NULL;
1242  UNICODE_STRING CapturedSubsystemName;
1243  UNICODE_STRING CapturedServiceName;
1244  ULONG PrivilegeCount, PrivilegesSize;
1246  NTSTATUS Status;
1247  PAGED_CODE();
1248 
1249  /* Get the previous mode (only user mode is supported!) */
      /* Lines 1250-1251 are elided; PreviousMode is used by every probe and
         release below, so it must be the caller's mode, never a constant. */
1252 
      /* NULL Buffer is the "nothing captured" marker tested by the release
         calls at Cleanup, so the label is safe from any later exit. */
1253  CapturedSubsystemName.Buffer = NULL;
1254  CapturedServiceName.Buffer = NULL;
1255 
1256  /* Reference the client token */
      /* Resolved at PreviousMode with TOKEN_QUERY: a user handle without
         that right, or of the wrong object type (line 1259, elided,
         presumably SeTokenObjectType), is rejected by the object manager. */
1257  Status = ObReferenceObjectByHandle(ClientTokenHandle,
1258  TOKEN_QUERY,
1260  PreviousMode,
1261  (PVOID*)&ClientToken,
1262  NULL);
1263  if (!NT_SUCCESS(Status))
1264  {
1265  DPRINT1("Failed to reference client token: 0x%lx\n", Status);
      /* Nothing else is held yet, so bypassing Cleanup is correct here. */
1266  return Status;
1267  }
1268 
1269  /* Validate the token's impersonation level */
      /* An impersonation token below SecurityIdentification is refused
         (line 1275, elided, presumably STATUS_BAD_IMPERSONATION_LEVEL);
         primary tokens pass unconditionally. The subject context has not
         been captured yet, so dereference-and-return is the full cleanup. */
1270  if ((ClientToken->TokenType == TokenImpersonation) &&
1271  (ClientToken->ImpersonationLevel < SecurityIdentification))
1272  {
1273  DPRINT1("Invalid impersonation level (%u)\n", ClientToken->ImpersonationLevel);
1274  ObDereferenceObject(ClientToken);
1276  }
1277 
1278  /* Capture the security subject context */
      /* Line 1279 is elided; SubjectContext.PrimaryToken is consumed on
         line 1363 and released on line 1381 (also elided), so from here on
         every failure must go through Cleanup rather than return. */
1280 
1281  /* Check for audit privilege */
      /* Privilege gate (line 1282, elided) runs before any user buffer
         other than the handle is probed, so an unprivileged caller cannot
         drive the capture paths below. Line 1285 (elided) presumably sets
         STATUS_PRIVILEGE_NOT_HELD. */
1283  {
1284  DPRINT1("Caller does not have SeAuditPrivilege\n");
1286  goto Cleanup;
1287  }
1288 
1289  /* Do we have a subsystem name? */
      /* Both names are optional. They are copied into kernel memory here so
         the audit path never touches the user buffers again (no double
         fetch on the strings). */
1290  if (SubsystemName != NULL)
1291  {
1292  /* Probe and capture the subsystem name */
1293  Status = ProbeAndCaptureUnicodeString(&CapturedSubsystemName,
1294  PreviousMode,
1295  SubsystemName);
1296  if (!NT_SUCCESS(Status))
1297  {
1298  DPRINT1("Failed to capture subsystem name!\n");
1299  goto Cleanup;
1300  }
1301  }
1302 
1303  /* Do we have a service name? */
1304  if (ServiceName != NULL)
1305  {
1306  /* Probe and capture the service name */
1307  Status = ProbeAndCaptureUnicodeString(&CapturedServiceName,
1308  PreviousMode,
1309  ServiceName);
1310  if (!NT_SUCCESS(Status))
1311  {
1312  DPRINT1("Failed to capture service name!\n");
1313  goto Cleanup;
1314  }
1315  }
1316 
      /* PRIVILEGE_SET is variable-length, so it is captured in two steps:
         probe the fixed header, read and bound the count, then probe and
         copy the whole structure. */
1317  _SEH2_TRY
1318  {
1319  /* Probe the basic privilege set structure */
1320  ProbeForRead(Privileges, sizeof(PRIVILEGE_SET), sizeof(ULONG));
1321 
1322  /* Validate privilege count */
      /* SEP_PRIVILEGE_SET_MAX_COUNT (60) bounds the allocation and keeps the
         FIELD_OFFSET below from wrapping. Line 1326 (elided) presumably
         sets STATUS_INVALID_PARAMETER. */
1323  PrivilegeCount = Privileges->PrivilegeCount;
1324  if (PrivilegeCount > SEP_PRIVILEGE_SET_MAX_COUNT)
1325  {
1327  _SEH2_YIELD(goto Cleanup);
1328  }
1329 
1330  /* Calculate the size of the Privileges structure */
1331  PrivilegesSize = FIELD_OFFSET(PRIVILEGE_SET, Privilege[PrivilegeCount]);
1332 
1333  /* Probe the whole structure */
1334  ProbeForRead(Privileges, PrivilegesSize, sizeof(ULONG));
1335 
1336  /* Allocate a temp buffer */
      /* Line 1339 (elided) presumably passes TAG_PRIVILEGE_SET, matching the
         free at Cleanup; line 1343 presumably STATUS_INSUFFICIENT_RESOURCES. */
1337  CapturedPrivileges = ExAllocatePoolWithTag(PagedPool,
1338  PrivilegesSize,
1340  if (CapturedPrivileges == NULL)
1341  {
1342  DPRINT1("Failed to allocate %u bytes\n", PrivilegesSize);
1344  _SEH2_YIELD(goto Cleanup);
1345  }
1346 
1347  /* Copy the privileges */
      /* NOTE(review): double fetch. PrivilegeCount was read from user
         memory on line 1323 and sized the buffer; this copy re-reads
         Privileges->PrivilegeCount from the same user page, which another
         thread can raise in between, so the captured set may claim more
         entries than PrivilegesSize holds. Whether the worker walks that
         count is not visible on this page, but the one-line fix after the
         copy is correct regardless:
             CapturedPrivileges->PrivilegeCount = PrivilegeCount;  */
1348  RtlCopyMemory(CapturedPrivileges, Privileges, PrivilegesSize);
1349  }
1351  {
      /* A fault while probing or copying becomes the call's status (line
         1352, elided); whatever was allocated is freed at Cleanup. */
1353  DPRINT1("Got exception 0x%lx\n", Status);
1354  _SEH2_YIELD(goto Cleanup);
1355  }
1356  _SEH2_END;
1357 
1358  /* Call the internal function */
      /* Only captured copies reach the worker (line 1359, elided); a name
         the caller did not supply is passed as NULL. The record is
         attributed to the caller's own primary token plus the client token. */
1360  SubsystemName ? &CapturedSubsystemName : NULL,
1361  ServiceName ? &CapturedServiceName : NULL,
1362  ClientToken,
1363  SubjectContext.PrimaryToken,
1364  CapturedPrivileges,
1365  AccessGranted);
1366 
      /* Line 1367 (elided) presumably sets Status = STATUS_SUCCESS; the
         worker has no return value, so there is no per-record failure. */
1368 
1369 Cleanup:
1370  /* Cleanup resources */
      /* Each release is guarded by its own "was it captured" marker, so the
         label is valid from every goto above. Subject context is released
         on line 1381 (elided). */
1371  if (CapturedSubsystemName.Buffer != NULL)
1372  ReleaseCapturedUnicodeString(&CapturedSubsystemName, PreviousMode);
1373 
1374  if (CapturedServiceName.Buffer != NULL)
1375  ReleaseCapturedUnicodeString(&CapturedServiceName, PreviousMode);
1376 
1377  if (CapturedPrivileges != NULL)
1378  ExFreePoolWithTag(CapturedPrivileges, TAG_PRIVILEGE_SET);
1379 
1380  /* Release the security subject context */
1382 
1383  ObDereferenceObject(ClientToken);
1384 
1385  return Status;
1386 }

Referenced by PrivilegedServiceAuditAlarmA(), and PrivilegedServiceAuditAlarmW().

◆ NtPrivilegeObjectAuditAlarm()

NTSTATUS NTAPI NtPrivilegeObjectAuditAlarm ( IN PUNICODE_STRING  SubsystemName,
IN PVOID  HandleId,
IN HANDLE  ClientToken,
IN ULONG  DesiredAccess,
IN PPRIVILEGE_SET  Privileges,
IN BOOLEAN  AccessGranted 
)

Definition at line 1390 of file audit.c.

/*
 * NtPrivilegeObjectAuditAlarm - stub. Takes user-mode arguments of the same
 * kinds as NtPrivilegedServiceAuditAlarm (a name, a token handle, a
 * PRIVILEGE_SET) but reads none of them and reports STATUS_NOT_IMPLEMENTED
 * to the ObjectPrivilegeAuditAlarmA/W wrappers that call it.
 *
 * NOTE(review): because nothing is dereferenced, the absent probes and the
 * absent SeAuditPrivilege gate are harmless today; any implementation must
 * add the reference-token / impersonation-level / SeCheckAuditPrivilege
 * sequence that NtPrivilegedServiceAuditAlarm performs before touching
 * SubsystemName or Privileges.
 */
1396 {
1397  UNIMPLEMENTED;
1398  return STATUS_NOT_IMPLEMENTED;
1399 }

Referenced by ObjectPrivilegeAuditAlarmA(), and ObjectPrivilegeAuditAlarmW().

◆ SeAuditHardLinkCreation()

VOID NTAPI SeAuditHardLinkCreation ( IN PUNICODE_STRING  FileName,
IN PUNICODE_STRING  LinkName,
IN BOOLEAN  bSuccess 
)

Definition at line 706 of file audit.c.

/*
 * SeAuditHardLinkCreation - stub; the single body line (710, elided here)
 * is presumably the UNIMPLEMENTED trace. FileName, LinkName and bSuccess are
 * never read, so no hard-link creation audit record is produced in this
 * build.
 */
709 {
711 }

◆ SeAuditingFileEvents()

BOOLEAN NTAPI SeAuditingFileEvents ( IN BOOLEAN  AccessGranted,
IN PSECURITY_DESCRIPTOR  SecurityDescriptor 
)

Definition at line 718 of file audit.c.

/*
 * SeAuditingFileEvents - should answer "does this file access need an audit
 * record?". Stub: line 721 (elided) is presumably the UNIMPLEMENTED trace
 * and the answer is always FALSE, with AccessGranted and SecurityDescriptor
 * ignored. Consequence: a SACL on a file cannot trigger an audit through
 * this entry point, so file-access auditing is effectively off until it is
 * implemented.
 */
720 {
722  return FALSE;
723 }

◆ SeAuditingFileEventsWithContext()

BOOLEAN NTAPI SeAuditingFileEventsWithContext ( IN BOOLEAN  AccessGranted,
IN PSECURITY_DESCRIPTOR  SecurityDescriptor,
IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext  OPTIONAL 
)

Definition at line 730 of file audit.c.

/*
 * SeAuditingFileEventsWithContext - variant of SeAuditingFileEvents that
 * also receives an optional subject context. Stub: line 734 (elided) is
 * presumably the UNIMPLEMENTED trace; all three arguments are ignored and
 * FALSE is returned unconditionally, so callers never emit a file audit.
 */
733 {
735  return FALSE;
736 }

◆ SeAuditingFileOrGlobalEvents()

BOOLEAN NTAPI SeAuditingFileOrGlobalEvents ( IN BOOLEAN  AccessGranted,
IN PSECURITY_DESCRIPTOR  SecurityDescriptor,
IN PSECURITY_SUBJECT_CONTEXT  SubjectSecurityContext 
)

Definition at line 768 of file audit.c.

/*
 * SeAuditingFileOrGlobalEvents - should report whether either the file's
 * SACL or the global audit policy requires a record for this access. Stub:
 * line 772 (elided) is presumably the UNIMPLEMENTED trace; the answer is
 * always FALSE and no argument is examined, so neither per-object nor
 * global policy can produce a file audit through this path.
 */
771 {
773  return FALSE;
774 }

◆ SeAuditingHardLinkEvents()

BOOLEAN NTAPI SeAuditingHardLinkEvents ( IN BOOLEAN  AccessGranted,
IN PSECURITY_DESCRIPTOR  SecurityDescriptor 
)

Definition at line 743 of file audit.c.

/*
 * SeAuditingHardLinkEvents - hard-link counterpart of SeAuditingFileEvents.
 * Stub: line 746 (elided) is presumably the UNIMPLEMENTED trace; FALSE is
 * returned regardless of AccessGranted or the SecurityDescriptor's SACL, so
 * hard-link operations are never audited in this build.
 */
745 {
747  return FALSE;
748 }

◆ SeAuditingHardLinkEventsWithContext()

BOOLEAN NTAPI SeAuditingHardLinkEventsWithContext ( IN BOOLEAN  AccessGranted,
IN PSECURITY_DESCRIPTOR  SecurityDescriptor,
IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext  OPTIONAL 
)

Definition at line 755 of file audit.c.

/*
 * SeAuditingHardLinkEventsWithContext - SeAuditingHardLinkEvents with an
 * optional subject context. Stub: line 759 (elided) is presumably the
 * UNIMPLEMENTED trace; all arguments are ignored and FALSE is returned
 * unconditionally.
 */
758 {
760  return FALSE;
761 }

◆ SeAuditProcessCreate()

VOID NTAPI SeAuditProcessCreate ( IN PEPROCESS  Process)

Definition at line 33 of file audit.c.

/*
 * SeAuditProcessCreate - placeholder called from PspCreateProcess. Nothing
 * is recorded, so process-creation audit events do not exist in this build;
 * the Process argument is not inspected.
 */
34 {
35  /* FIXME */
36 }

Referenced by PspCreateProcess().

◆ SeAuditProcessExit()

VOID NTAPI SeAuditProcessExit ( IN PEPROCESS  Process)

Definition at line 40 of file audit.c.

/*
 * SeAuditProcessExit - placeholder called from PspExitThread. Nothing is
 * recorded, so process-exit audit events do not exist in this build; the
 * Process argument is not inspected.
 */
41 {
42  /* FIXME */
43 }

Referenced by PspExitThread().

◆ SeCaptureObjectTypeList()

static NTSTATUS SeCaptureObjectTypeList ( _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST  ObjectTypeList,
_In_ ULONG  ObjectTypeListLength,
_In_ KPROCESSOR_MODE  PreviousMode,
_Out_ POBJECT_TYPE_LIST CapturedObjectTypeList 
)
static

Definition at line 262 of file audit.c.

/*
 * SeCaptureObjectTypeList - copy a user-mode OBJECT_TYPE_LIST array into a
 * fresh PagedPool buffer (TAG_SEPA) so the access-check worker never reads
 * user memory after validation. Called from SepAccessCheckAndAuditAlarm.
 *
 * On success *CapturedObjectTypeList is the copy (NULL for a zero-length
 * list) and the caller frees it; on failure it is NULL or, on the
 * kernel-mode path, left untouched. Lines 283, 290, 297, 305 and 309 are
 * elided in this listing.
 */
267 {
268  SIZE_T Size;
269 
      /* Kernel callers are refused without writing the output, so callers
         must initialise *CapturedObjectTypeList themselves (the visible
         caller does so at its line 418). */
270  if (PreviousMode == KernelMode)
271  {
272  return STATUS_NOT_IMPLEMENTED;
273  }
274 
      /* An empty list is legal and yields a NULL copy. */
275  if (ObjectTypeListLength == 0)
276  {
277  *CapturedObjectTypeList = NULL;
278  return STATUS_SUCCESS;
279  }
280 
      /* Non-zero length without a list pointer (line 283, elided, presumably
         STATUS_INVALID_PARAMETER). */
281  if (ObjectTypeList == NULL)
282  {
284  }
285 
286  /* Calculate the list size and check for integer overflow */
      /* NOTE(review): Size == 0 catches only a product that wraps exactly to
         zero. On a 32-bit build SIZE_T is as wide as ULONG, so a large
         ObjectTypeListLength can wrap to a small non-zero Size; the
         allocation and copy below then agree with each other, but the caller
         still treats the buffer as ObjectTypeListLength entries. Of the
         visible caller's two paths only the UseResultList one bounds the
         length (0x1000). Test the operand instead:
             if (ObjectTypeListLength > ((SIZE_T)-1) / sizeof(OBJECT_TYPE_LIST))
                 return STATUS_INVALID_PARAMETER;
         (A 64-bit build cannot overflow here: ULONG is 32-bit, SIZE_T 64.) */
287  Size = ObjectTypeListLength * sizeof(OBJECT_TYPE_LIST);
288  if (Size == 0)
289  {
291  }
292 
293  /* Allocate a new list */
      /* Line 297 (elided) presumably returns STATUS_INSUFFICIENT_RESOURCES. */
294  *CapturedObjectTypeList = ExAllocatePoolWithTag(PagedPool, Size, TAG_SEPA);
295  if (*CapturedObjectTypeList == NULL)
296  {
298  }
299 
      /* Probe and copy inside SEH. Entries are copied verbatim and are not
         validated here; if OBJECT_TYPE_LIST carries pointers (the Win32
         definition has an ObjectType GUID pointer), they still point into
         user memory after this copy - TODO confirm the worker probes them
         before dereferencing. */
300  _SEH2_TRY
301  {
302  ProbeForRead(ObjectTypeList, Size, sizeof(ULONG));
303  RtlCopyMemory(*CapturedObjectTypeList, ObjectTypeList, Size);
304  }
306  {
      /* Fault path: free, clear the output, and (line 309, elided) leave
         with the exception code. That yield is load-bearing - without it
         execution would reach line 313 and report success with a NULL list. */
307  ExFreePoolWithTag(*CapturedObjectTypeList, TAG_SEPA);
308  *CapturedObjectTypeList = NULL;
310  }
311  _SEH2_END;
312 
313  return STATUS_SUCCESS;
314 }

Referenced by SepAccessCheckAndAuditAlarm().

◆ SeCloseObjectAuditAlarm()

VOID NTAPI SeCloseObjectAuditAlarm ( IN PVOID  Object,
IN HANDLE  Handle,
IN BOOLEAN  PerformAction 
)

Definition at line 781 of file audit.c.

/*
 * SeCloseObjectAuditAlarm - stub (line 785, elided, presumably the
 * UNIMPLEMENTED trace). Object, Handle and PerformAction are ignored, so a
 * handle close never produces the "generate on close" audit that
 * SeOpenObjectAuditAlarm's GenerateOnClose output is meant to request.
 */
784 {
786 }

◆ SeDeleteObjectAuditAlarm()

VOID NTAPI SeDeleteObjectAuditAlarm ( IN PVOID  Object,
IN HANDLE  Handle 
)

Definition at line 792 of file audit.c.

/*
 * SeDeleteObjectAuditAlarm - stub (line 795, elided, presumably the
 * UNIMPLEMENTED trace). Object and Handle are ignored, so object deletion
 * is never audited in this build.
 */
794 {
796 }

◆ SeDetailedAuditingWithToken()

BOOLEAN NTAPI SeDetailedAuditingWithToken ( IN PTOKEN  Token)

Definition at line 25 of file audit.c.

/*
 * SeDetailedAuditingWithToken - should say whether detailed (per-process)
 * auditing applies to Token. Placeholder: the token is not inspected and the
 * answer is always FALSE, so ObInitProcess, PspCreateProcess and
 * PspExitThread (the listed callers) always take their no-auditing path.
 */
26 {
27  /* FIXME */
28  return FALSE;
29 }

Referenced by ObInitProcess(), PspCreateProcess(), and PspExitThread().

◆ SeInitializeProcessAuditName()

NTSTATUS NTAPI SeInitializeProcessAuditName ( IN PFILE_OBJECT  FileObject,
IN BOOLEAN  DoAudit,
OUT POBJECT_NAME_INFORMATION AuditInfo 
)

Definition at line 47 of file audit.c.

/*
 * SeInitializeProcessAuditName - build the NonPagedPool (TAG_SEPA)
 * OBJECT_NAME_INFORMATION that holds FileObject's full name, for use as a
 * process's audit / image name. The block is returned through *AuditInfo and
 * is owned by the caller (SeLocateProcessImageName frees a losing copy with
 * ExFreePool). DoAudit is accepted but currently ignored.
 *
 * Returns the status of the last name query, or STATUS_NO_MEMORY when no
 * buffer ends up allocated. Lines 54, 66, 71-72, 77, 82, 84, 98 and 106 are
 * elided in this listing.
 */
50 {
51  OBJECT_NAME_INFORMATION LocalNameInfo;
52  POBJECT_NAME_INFORMATION ObjectNameInfo = NULL;
      /* Overwritten by the first query; the meaning of 8 is not visible here. */
53  ULONG ReturnLength = 8;
55 
56  PAGED_CODE();
57  ASSERT(AuditInfo);
58 
59  /* Check if we should do auditing */
60  if (DoAudit)
61  {
62  /* FIXME: TODO */
63  }
64 
65  /* Now query the name */
      /* First query (line 66, elided) goes into a bare header with no room
         for characters: for a named object it can only report the required
         size, which is what the allocation below uses. */
67  &LocalNameInfo,
68  sizeof(LocalNameInfo),
69  &ReturnLength);
      /* Retry only when the query asked for more space (lines 71-72,
         elided, presumably the other "buffer too small" statuses) AND the
         required size is larger than the bare header. */
70  if (((Status == STATUS_BUFFER_OVERFLOW) ||
73  (ReturnLength != sizeof(LocalNameInfo)))
74  {
75  /* Allocate required size */
      /* Size argument (line 77, elided) is presumably ReturnLength. */
76  ObjectNameInfo = ExAllocatePoolWithTag(NonPagedPool,
78  TAG_SEPA);
79  if (ObjectNameInfo)
80  {
81  /* Query the name again */
      /* Second query (lines 82 and 84 elided). If the object is renamed to
         a longer name between the two queries this one fails as well and
         the fallback below is taken. */
83  ObjectNameInfo,
85  &ReturnLength);
86  }
87  }
88 
89  /* Check if we got here due to failure */
      /* Fallback when the second query failed or reported an empty name.
         ASSERT(FALSE) only fires on checked builds; a free build continues
         and hands back a zeroed, empty name (line 106, elided, presumably
         STATUS_SUCCESS) - a failed name lookup is thus reported as success
         with an empty string, and consumers cannot tell the two apart. */
90  if ((ObjectNameInfo) &&
91  (!(NT_SUCCESS(Status)) || (ReturnLength == sizeof(LocalNameInfo))))
92  {
93  /* First, free any buffer we might've allocated */
94  ASSERT(FALSE);
      /* The guard is redundant: ObjectNameInfo is non-NULL on line 90. */
95  if (ObjectNameInfo) ExFreePool(ObjectNameInfo);
96 
97  /* Now allocate a temporary one */
      /* Line 98 (elided) must set ReturnLength = sizeof(OBJECT_NAME_INFORMATION)
         for the RtlZeroMemory below to stay inside the new block. */
99  ObjectNameInfo = ExAllocatePoolWithTag(NonPagedPool,
100  sizeof(OBJECT_NAME_INFORMATION),
101  TAG_SEPA);
102  if (ObjectNameInfo)
103  {
104  /* Clear it */
      /* NOTE(review): the length here is whatever ReturnLength holds at
         this point, not the size just allocated. If line 98 does not reset
         it, a stale (larger) value from the failed query zeroes past the
         block. Passing the allocated size removes the dependence:
             RtlZeroMemory(ObjectNameInfo, sizeof(OBJECT_NAME_INFORMATION)); */
105  RtlZeroMemory(ObjectNameInfo, ReturnLength);
107  }
108  }
109 
110  /* Check if memory allocation failed */
      /* Also reached, with no allocation attempted, when the first query
         reported ReturnLength == sizeof(LocalNameInfo) (e.g. an unnamed
         object): the caller then sees STATUS_NO_MEMORY rather than a
         name-related error. */
111  if (!ObjectNameInfo) Status = STATUS_NO_MEMORY;
112 
113  /* Return the audit name */
      /* NULL on failure; callers must check Status before using it. */
114  *AuditInfo = ObjectNameInfo;
115 
116  /* Return status */
117  return Status;
118 }

Referenced by MmInitializeProcessAddressSpace(), and SeLocateProcessImageName().

◆ SeLocateProcessImageName()

NTSTATUS NTAPI SeLocateProcessImageName ( IN PEPROCESS  Process,
OUT PUNICODE_STRING ProcessImageName 
)

Definition at line 122 of file audit.c.

/*
 * SeLocateProcessImageName - return a private copy of Process's image file
 * path as one PagedPool (TAG_SEPA) block: a UNICODE_STRING header
 * immediately followed by its characters, with Buffer pointing just past the
 * header. The caller owns the block and frees it with ExFreePool.
 * NtQueryInformationProcess and a system-information query call it, so the
 * result can end up in user mode - hence a copy rather than a pointer into
 * the EPROCESS-cached name.
 *
 * *ProcessImageName is NULL on every failure path. Lines 126-128, 140, 144,
 * 148, 159, 167 and 174 are elided in this listing.
 */
124 {
125  POBJECT_NAME_INFORMATION AuditName;
129 
130  PAGED_CODE();
131 
132  /* Assume failure */
133  *ProcessImageName = NULL;
134 
135  /* Check if we have audit info */
      /* The name is cached in the EPROCESS on first use and never refreshed
         here, so it reflects the image path as of that first query. */
136  AuditName = Process->SeAuditProcessCreationInfo.ImageFileName;
137  if (!AuditName)
138  {
139  /* Get the file object */
      /* Line 140 (elided) obtains the process's image file object; nothing
         is held yet, so a direct return is a complete cleanup. */
141  if (!NT_SUCCESS(Status)) return Status;
142 
143  /* Initialize the audit structure */
      /* Line 144 (elided) builds AuditName, presumably via
         SeInitializeProcessAuditName on that file object. */
145  if (NT_SUCCESS(Status))
146  {
147  /* Set it */
      /* Published with a compare-exchange against NULL (line 148, elided) so
         concurrent first callers race safely: exactly one copy is installed
         and every loser frees its own. */
149  SeAuditProcessCreationInfo.ImageFileName,
150  AuditName,
151  NULL))
152  {
153  /* Someone beat us to it, deallocate our copy */
154  ExFreePool(AuditName);
155  }
156  }
157 
158  /* Dereference the file object */
      /* Line 159 (elided) drops the file-object reference before the status
         check, so the failure return below does not leak it. */
160  if (!NT_SUCCESS(Status)) return Status;
161  }
162 
163  /* Get audit info again, now we have it for sure */
      /* Re-read the cached pointer: on the losing side of the race it is the
         winner's block, not the one freed above. As far as this file shows
         the field is only ever set from NULL, never cleared. */
164  AuditName = Process->SeAuditProcessCreationInfo.ImageFileName;
165 
166  /* Allocate the output string */
      /* Header plus the full character buffer (MaximumLength, so any
         terminator is kept). Line 167 is elided. */
168  AuditName->Name.MaximumLength +
169  sizeof(UNICODE_STRING),
170  TAG_SEPA);
171  if (!ImageName) return STATUS_NO_MEMORY;
172 
173  /* Make a copy of it */
      /* One copy (line 174, elided) starting at the UNICODE_STRING inside the
         OBJECT_NAME_INFORMATION covers both header and characters. This
         assumes the characters sit directly after that header in the block
         SeInitializeProcessAuditName built - TODO confirm against
         ObQueryNameString's layout; with any other layout this reads past
         the header into unrelated memory. */
175  &AuditName->Name,
176  AuditName->Name.MaximumLength + sizeof(UNICODE_STRING));
177 
178  /* Fix up the buffer */
      /* The copied Buffer still points into the cached block; rebase it to
         the characters that follow the copied header. */
179  ImageName->Buffer = (PWSTR)(ImageName + 1);
180 
181  /* Return it */
182  *ProcessImageName = ImageName;
183 
184  /* Return status */
185  return Status;
186 }

Referenced by NtQueryInformationProcess(), and QSI_DEF().

◆ SeOpenObjectAuditAlarm()

VOID NTAPI SeOpenObjectAuditAlarm ( IN PUNICODE_STRING  ObjectTypeName,
IN PVOID Object  OPTIONAL,
IN PUNICODE_STRING AbsoluteObjectName  OPTIONAL,
IN PSECURITY_DESCRIPTOR  SecurityDescriptor,
IN PACCESS_STATE  AccessState,
IN BOOLEAN  ObjectCreated,
IN BOOLEAN  AccessGranted,
IN KPROCESSOR_MODE  AccessMode,
OUT PBOOLEAN  GenerateOnClose 
)

Definition at line 803 of file audit.c.

/*
 * SeOpenObjectAuditAlarm - hook that the object manager and I/O paths call
 * (IopParseDevice, ObCheckObjectAccess, the named-pipe create paths) after an
 * access check, to emit an object-open audit and report whether the later
 * close must be audited too.
 *
 * Current behaviour: kernel-mode opens return at once; user-mode opens fall
 * through to a commented-out UNIMPLEMENTED and also do nothing. No record is
 * produced on either path.
 *
 * NOTE(review): GenerateOnClose is an output parameter and neither path
 * writes it, so a caller that reads it afterwards sees whatever its local
 * held before the call (unless every caller pre-initialises it, which is not
 * visible here). Since no audit is generated, FALSE is the correct value;
 * writing it before the mode test closes the gap on both paths:
 *     *GenerateOnClose = FALSE;
 */
812 {
813  PAGED_CODE();
814 
815  /* Audits aren't done on kernel-mode access */
816  if (AccessMode == KernelMode) return;
817 
818  /* Otherwise, unimplemented! */
819  //UNIMPLEMENTED;
820  return;
821 }

Referenced by IopParseDevice(), NpCreateClientEnd(), NpCreateExistingNamedPipe(), and ObCheckObjectAccess().

◆ SeOpenObjectForDeleteAuditAlarm()

VOID NTAPI SeOpenObjectForDeleteAuditAlarm ( IN PUNICODE_STRING  ObjectTypeName,
IN PVOID Object  OPTIONAL,
IN PUNICODE_STRING AbsoluteObjectName  OPTIONAL,
IN PSECURITY_DESCRIPTOR  SecurityDescriptor,
IN PACCESS_STATE  AccessState,
IN BOOLEAN  ObjectCreated,
IN BOOLEAN  AccessGranted,
IN KPROCESSOR_MODE  AccessMode,
OUT PBOOLEAN  GenerateOnClose 
)

Definition at line 827 of file audit.c.

/*
 * SeOpenObjectForDeleteAuditAlarm - delete-access counterpart of
 * SeOpenObjectAuditAlarm. Stub: line 837 (elided) is presumably the
 * UNIMPLEMENTED trace; every argument, including the GenerateOnClose output,
 * is left untouched, so callers must not rely on *GenerateOnClose having
 * been set by this call.
 */
836 {
838 }

◆ SepAccessCheckAndAuditAlarm()

_Must_inspect_result_ NTSTATUS NTAPI SepAccessCheckAndAuditAlarm ( _In_ PUNICODE_STRING  SubsystemName,
_In_opt_ PVOID  HandleId,
_In_ PHANDLE  ClientTokenHandle,
_In_ PUNICODE_STRING  ObjectTypeName,
_In_ PUNICODE_STRING  ObjectName,
_In_ PSECURITY_DESCRIPTOR  SecurityDescriptor,
_In_opt_ PSID  PrincipalSelfSid,
_In_ ACCESS_MASK  DesiredAccess,
_In_ AUDIT_EVENT_TYPE  AuditType,
_In_ ULONG  Flags,
_In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST  ObjectTypeList,
_In_ ULONG  ObjectTypeListLength,
_In_ PGENERIC_MAPPING  GenericMapping,
_Out_writes_(ObjectTypeListLength) PACCESS_MASK  GrantedAccessList,
_Out_writes_(ObjectTypeListLength) PNTSTATUS  AccessStatusList,
_Out_ PBOOLEAN  GenerateOnClose,
_In_ BOOLEAN  UseResultList 
)

Definition at line 371 of file audit.c.

389 {
391  ULONG ResultListLength;
392  GENERIC_MAPPING LocalGenericMapping;
393  PTOKEN SubjectContextToken, ClientToken;
394  BOOLEAN AllocatedResultLists;
395  BOOLEAN HaveAuditPrivilege;
396  PSECURITY_DESCRIPTOR CapturedSecurityDescriptor;
397  UNICODE_STRING CapturedSubsystemName, CapturedObjectTypeName, CapturedObjectName;
398  ACCESS_MASK GrantedAccess, *SafeGrantedAccessList;
399  NTSTATUS AccessStatus, *SafeAccessStatusList;
400  PSID CapturedPrincipalSelfSid;
401  POBJECT_TYPE_LIST CapturedObjectTypeList;
402  ULONG i;
403  BOOLEAN LocalGenerateOnClose;
405  PAGED_CODE();
406 
407  /* Only user mode is supported! */
409 
410  /* Start clean */
411  AllocatedResultLists = FALSE;
412  ClientToken = NULL;
413  CapturedSecurityDescriptor = NULL;
414  CapturedSubsystemName.Buffer = NULL;
415  CapturedObjectTypeName.Buffer = NULL;
416  CapturedObjectName.Buffer = NULL;
417  CapturedPrincipalSelfSid = NULL;
418  CapturedObjectTypeList = NULL;
419 
420  /* Validate AuditType */
421  if ((AuditType != AuditEventObjectAccess) &&
422  (AuditType != AuditEventDirectoryServiceAccess))
423  {
424  DPRINT1("Invalid audit type: %u\n", AuditType);
426  }
427 
428  /* Capture the security subject context */
430 
431  /* Did the caller pass a token handle? */
432  if (ClientTokenHandle == NULL)
433  {
434  /* Check if we have a token in the subject context */
435  if (SubjectContext.ClientToken == NULL)
436  {
438  DPRINT1("No token\n");
439  goto Cleanup;
440  }
441 
442  /* Check if we have a valid impersonation level */
443  if (SubjectContext.ImpersonationLevel < SecurityIdentification)
444  {
446  DPRINT1("Invalid impersonation level 0x%lx\n",
447  SubjectContext.ImpersonationLevel);
448  goto Cleanup;
449  }
450  }
451 
452  /* Are we using a result list? */
453  if (UseResultList)
454  {
455  /* The list length equals the object type list length */
456  ResultListLength = ObjectTypeListLength;
457  if ((ResultListLength == 0) || (ResultListLength > 0x1000))
458  {
460  DPRINT1("Invalid ResultListLength: 0x%lx\n", ResultListLength);
461  goto Cleanup;
462  }
463 
464  /* Allocate a safe buffer from paged pool */
465  SafeGrantedAccessList = ExAllocatePoolWithTag(PagedPool,
466  2 * ResultListLength * sizeof(ULONG),
467  TAG_SEPA);
468  if (SafeGrantedAccessList == NULL)
469  {
471  DPRINT1("Failed to allocate access lists\n");
472  goto Cleanup;
473  }
474 
475  SafeAccessStatusList = (PNTSTATUS)&SafeGrantedAccessList[ResultListLength];
476  AllocatedResultLists = TRUE;
477  }
478  else
479  {
480  /* List length is 1 */
481  ResultListLength = 1;
482  SafeGrantedAccessList = &GrantedAccess;
483  SafeAccessStatusList = &AccessStatus;
484  }
485 
486  _SEH2_TRY
487  {
488  /* Probe output buffers */
489  ProbeForWrite(AccessStatusList,
490  ResultListLength * sizeof(*AccessStatusList),
491  sizeof(*AccessStatusList));
492  ProbeForWrite(GrantedAccessList,
493  ResultListLength * sizeof(*GrantedAccessList),
494  sizeof(*GrantedAccessList));
495 
496  /* Probe generic mapping and make a local copy */
497  ProbeForRead(GenericMapping, sizeof(*GenericMapping), sizeof(ULONG));
498  LocalGenericMapping = * GenericMapping;
499  }
501  {
503  DPRINT1("Exception while probing parameters: 0x%lx\n", Status);
504  _SEH2_YIELD(goto Cleanup);
505  }
506  _SEH2_END;
507 
508  /* Do we have a client token? */
509  if (ClientTokenHandle != NULL)
510  {
511  /* Reference the client token */
512  Status = ObReferenceObjectByHandle(*ClientTokenHandle,
513  TOKEN_QUERY,
515  UserMode,
516  (PVOID*)&ClientToken,
517  NULL);
518  if (!NT_SUCCESS(Status))
519  {
520  DPRINT1("Failed to reference token handle %p: %lx\n",
521  *ClientTokenHandle, Status);
522  goto Cleanup;
523  }
524 
525  SubjectContextToken = SubjectContext.ClientToken;
526  SubjectContext.ClientToken = ClientToken;
527  }
528 
529  /* Check for audit privilege */
530  HaveAuditPrivilege = SeCheckAuditPrivilege(&SubjectContext, UserMode);
531  if (!HaveAuditPrivilege && !(Flags & AUDIT_ALLOW_NO_PRIVILEGE))
532  {
533  DPRINT1("Caller does not have SeAuditPrivilege\n");
535  goto Cleanup;
536  }
537 
538  /* Generic access must already be mapped to non-generic access types! */
540  {
541  DPRINT1("Generic access rights requested: 0x%lx\n", DesiredAccess);
543  goto Cleanup;
544  }
545 
546  /* Capture the security descriptor */
548  UserMode,
549  PagedPool,
550  FALSE,
551  &CapturedSecurityDescriptor);
552  if (!NT_SUCCESS(Status))
553  {
554  DPRINT1("Failed to capture security descriptor!\n");
555  goto Cleanup;
556  }
557 
558  /* Validate the Security descriptor */
559  if ((SepGetOwnerFromDescriptor(CapturedSecurityDescriptor) == NULL) ||
560  (SepGetGroupFromDescriptor(CapturedSecurityDescriptor) == NULL))
561  {
563  DPRINT1("Invalid security descriptor\n");
564  goto Cleanup;
565  }
566 
567  /* Probe and capture the subsystem name */
568  Status = ProbeAndCaptureUnicodeString(&CapturedSubsystemName,
569  UserMode,
570  SubsystemName);
571  if (!NT_SUCCESS(Status))
572  {
573  DPRINT1("Failed to capture subsystem name!\n");
574  goto Cleanup;
575  }
576 
577  /* Probe and capture the object type name */
578  Status = ProbeAndCaptureUnicodeString(&CapturedObjectTypeName,
579  UserMode,
581  if (!NT_SUCCESS(Status))
582  {
583  DPRINT1("Failed to capture object type name!\n");
584  goto Cleanup;
585  }
586 
587  /* Probe and capture the object name */
588  Status = ProbeAndCaptureUnicodeString(&CapturedObjectName,
589  UserMode,
590  ObjectName);
591  if (!NT_SUCCESS(Status))
592  {
593  DPRINT1("Failed to capture object name!\n");
594  goto Cleanup;
595  }
596 
597  /* Check if we have a PrincipalSelfSid */
598  if (PrincipalSelfSid != NULL)
599  {
600  /* Capture it */
601  Status = SepCaptureSid(PrincipalSelfSid,
602  UserMode,
603  PagedPool,
604  FALSE,
605  &CapturedPrincipalSelfSid);
606  if (!NT_SUCCESS(Status))
607  {
608  DPRINT1("Failed to capture PrincipalSelfSid!\n");
609  goto Cleanup;
610  }
611  }
612 
613  /* Capture the object type list */
614  Status = SeCaptureObjectTypeList(ObjectTypeList,
615  ObjectTypeListLength,
616  UserMode,
617  &CapturedObjectTypeList);
618  if (!NT_SUCCESS(Status))
619  {
620  DPRINT1("Failed to capture object type list!\n");
621  goto Cleanup;
622  }
623 
624  /* Call the worker routine with the captured buffers */
625  SepAccessCheckAndAuditAlarmWorker(&CapturedSubsystemName,
626  HandleId,
628  &CapturedObjectTypeName,
629  &CapturedObjectName,
630  CapturedSecurityDescriptor,
631  CapturedPrincipalSelfSid,
633  AuditType,
634  HaveAuditPrivilege,
635  CapturedObjectTypeList,
636  ObjectTypeListLength,
637  &LocalGenericMapping,
638  SafeGrantedAccessList,
639  SafeAccessStatusList,
640  &LocalGenerateOnClose,
641  UseResultList);
642 
643  /* Enter SEH to copy the data back to user mode */
644  _SEH2_TRY
645  {
646  /* Loop all result entries (only 1 when no list was requested) */
647  ASSERT(UseResultList || (ResultListLength == 1));
648  for (i = 0; i < ResultListLength; i++)
649  {
650  AccessStatusList[i] = SafeAccessStatusList[i];
651  GrantedAccessList[i] = SafeGrantedAccessList[i];
652  }
653 
654  *GenerateOnClose = LocalGenerateOnClose;
655  }
657  {
659  DPRINT1("Exception while copying back data: 0x%lx\n", Status);
660  }
661  _SEH2_END;
662 
663 Cleanup:
664 
665  if (CapturedObjectTypeList != NULL)
666  SeReleaseObjectTypeList(CapturedObjectTypeList, UserMode);
667 
668  if (CapturedPrincipalSelfSid != NULL)
669  SepReleaseSid(CapturedPrincipalSelfSid, UserMode, FALSE);
670 
671  if (CapturedObjectName.Buffer != NULL)
672  ReleaseCapturedUnicodeString(&CapturedObjectName, UserMode);
673 
674  if (CapturedObjectTypeName.Buffer != NULL)
675  ReleaseCapturedUnicodeString(&CapturedObjectTypeName, UserMode);
676 
677  if (CapturedSubsystemName.Buffer != NULL)
678  ReleaseCapturedUnicodeString(&CapturedSubsystemName, UserMode);
679 
680  if (CapturedSecurityDescriptor != NULL)
681  SeReleaseSecurityDescriptor(CapturedSecurityDescriptor, UserMode, FALSE);
682 
683  if (ClientToken != NULL)
684  {
685  ObDereferenceObject(ClientToken);
686  SubjectContext.ClientToken = SubjectContextToken;
687  }
688 
689  if (AllocatedResultLists)
690  ExFreePoolWithTag(SafeGrantedAccessList, TAG_SEPA);
691 
692  /* Release the security subject context */
694 
695  return Status;
696 }

Referenced by NtAccessCheckAndAuditAlarm(), NtAccessCheckByTypeAndAuditAlarm(), NtAccessCheckByTypeResultListAndAuditAlarm(), and NtAccessCheckByTypeResultListAndAuditAlarmByHandle().

◆ SepAccessCheckAndAuditAlarmWorker()

static _Must_inspect_result_ NTSTATUS SepAccessCheckAndAuditAlarmWorker ( _In_ PUNICODE_STRING  SubsystemName,
_In_opt_ PVOID  HandleId,
_In_ PSECURITY_SUBJECT_CONTEXT  SubjectContext,
_In_ PUNICODE_STRING  ObjectTypeName,
_In_ PUNICODE_STRING  ObjectName,
_In_ PSECURITY_DESCRIPTOR  SecurityDescriptor,
_In_opt_ PSID  PrincipalSelfSid,
_In_ ACCESS_MASK  DesiredAccess,
_In_ AUDIT_EVENT_TYPE  AuditType,
_In_ BOOLEAN  HaveAuditPrivilege,
_In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST  ObjectTypeList,
_In_ ULONG  ObjectTypeListLength,
_In_ PGENERIC_MAPPING  GenericMapping,
_Out_writes_(ObjectTypeListLength) PACCESS_MASK  GrantedAccessList,
_Out_writes_(ObjectTypeListLength) PNTSTATUS  AccessStatusList,
_Out_ PBOOLEAN  GenerateOnClose,
_In_ BOOLEAN  UseResultList 
)
static

FIXME: we should do some real work here... No access check is actually performed: the captured security descriptor, PrincipalSelfSid, object type list and generic mapping that SepAccessCheckAndAuditAlarm hands in are never consulted by this routine.

HACK: we just pretend all access is granted! Every GrantedAccessList entry is set to DesiredAccess and every AccessStatusList entry to STATUS_SUCCESS (the loop at lines 357–361), so a user-mode caller of NtAccessCheck*AndAuditAlarm that passes the SeAuditPrivilege / AUDIT_ALLOW_NO_PRIVILEGE gate is told the access is allowed regardless of the object's DACL, and nothing in the visible body emits an audit record. Callers must not rely on this routine for enforcement or auditing until it is implemented.

Definition at line 329 of file audit.c.

347 {
348  ULONG ResultListLength, i;
349 
350  /* Get the length of the result list */
351  ResultListLength = UseResultList ? ObjectTypeListLength : 1;
352 
355 
357  for (i = 0; i < ResultListLength; i++)
358  {
359  GrantedAccessList[i] = DesiredAccess;
360  AccessStatusList[i] = STATUS_SUCCESS;
361  }
362 
364 
365  return STATUS_SUCCESS;
366 }

Referenced by SepAccessCheckAndAuditAlarm().

◆ SepAdtCloseObjectAuditAlarm()

VOID NTAPI SepAdtCloseObjectAuditAlarm ( PUNICODE_STRING  SubsystemName,
PVOID  HandleId,
PSID  Sid 
)

Definition at line 190 of file audit.c.

194 {
196 }

Referenced by NtCloseObjectAuditAlarm().

◆ SepAdtPrivilegedServiceAuditAlarm()

VOID NTAPI SepAdtPrivilegedServiceAuditAlarm ( PSECURITY_SUBJECT_CONTEXT  SubjectContext,
_In_opt_ PUNICODE_STRING  SubsystemName,
_In_opt_ PUNICODE_STRING  ServiceName,
_In_ PTOKEN  Token,
_In_ PTOKEN  PrimaryToken,
_In_ PPRIVILEGE_SET  Privileges,
_In_ BOOLEAN  AccessGranted 
)

Definition at line 200 of file audit.c.

208 {
209  DPRINT("SepAdtPrivilegedServiceAuditAlarm is unimplemented\n");
210 }

Referenced by NtPrivilegedServiceAuditAlarm(), and SePrivilegedServiceAuditAlarm().

◆ SepOpenObjectAuditAlarm()

VOID NTAPI SepOpenObjectAuditAlarm ( _In_ PSECURITY_SUBJECT_CONTEXT  SubjectContext,
_In_ PUNICODE_STRING  SubsystemName,
_In_opt_ PVOID  HandleId,
_In_ PUNICODE_STRING  ObjectTypeName,
_In_ PUNICODE_STRING  ObjectName,
_In_opt_ PSECURITY_DESCRIPTOR  SecurityDescriptor,
_In_ PTOKEN  ClientToken,
_In_ ACCESS_MASK  DesiredAccess,
_In_ ACCESS_MASK  GrantedAccess,
_In_opt_ PPRIVILEGE_SET  Privileges,
_In_ BOOLEAN  ObjectCreation,
_In_ BOOLEAN  AccessGranted,
_Out_ PBOOLEAN  GenerateOnClose 
)

Definition at line 967 of file audit.c.

981 {
983  DBG_UNREFERENCED_PARAMETER(SubsystemName);
984  DBG_UNREFERENCED_PARAMETER(HandleId);
988  DBG_UNREFERENCED_PARAMETER(ClientToken);
992  DBG_UNREFERENCED_PARAMETER(ObjectCreation);
996 }

Referenced by NtOpenObjectAuditAlarm().

◆ SePrivilegedServiceAuditAlarm()

VOID NTAPI SePrivilegedServiceAuditAlarm ( _In_opt_ PUNICODE_STRING  ServiceName,
_In_ PSECURITY_SUBJECT_CONTEXT  SubjectContext,
_In_ PPRIVILEGE_SET  PrivilegeSet,
_In_ BOOLEAN  AccessGranted 
)

Definition at line 214 of file audit.c.

219 {
220  PTOKEN EffectiveToken;
221  PSID UserSid;
222  PAGED_CODE();
223 
224  /* Get the effective token */
225  if (SubjectContext->ClientToken != NULL)
226  EffectiveToken = SubjectContext->ClientToken;
227  else
228  EffectiveToken = SubjectContext->PrimaryToken;
229 
230  /* Get the user SID */
231  UserSid = EffectiveToken->UserAndGroups->Sid;
232 
233  /* Check if this is the local system SID */
234  if (RtlEqualSid(UserSid, SeLocalSystemSid))
235  {
236  /* Nothing to do */
237  return;
238  }
239 
240  /* Check if this is the network service or local service SID */
241  if (RtlEqualSid(UserSid, SeExports->SeNetworkServiceSid) ||
243  {
244  // FIXME: should continue for a certain set of privileges
245  return;
246  }
247 
248  /* Call the worker function */
251  ServiceName,
252  SubjectContext->ClientToken,
253  SubjectContext->PrimaryToken,
254  PrivilegeSet,
255  AccessGranted);
256 
257 }

Referenced by SeCheckAuditPrivilege(), and SeSinglePrivilegeCheck().

◆ SePrivilegeObjectAuditAlarm()

VOID NTAPI SePrivilegeObjectAuditAlarm ( IN HANDLE  Handle,
IN PSECURITY_SUBJECT_CONTEXT  SubjectContext,
IN ACCESS_MASK  DesiredAccess,
IN PPRIVILEGE_SET  Privileges,
IN BOOLEAN  AccessGranted,
IN KPROCESSOR_MODE  CurrentMode 
)

Definition at line 845 of file audit.c.

851 {
853 }

Referenced by HasPrivilege(), ObpCreateHandle(), and SeCheckPrivilegedObject().

◆ SeReleaseObjectTypeList()

static VOID SeReleaseObjectTypeList ( _In_ _Post_invalid_ POBJECT_TYPE_LIST  CapturedObjectTypeList,
_In_ KPROCESSOR_MODE  PreviousMode 
)
static

Definition at line 318 of file audit.c.

321 {
322  if ((PreviousMode != KernelMode) && (CapturedObjectTypeList != NULL))
323  ExFreePoolWithTag(CapturedObjectTypeList, TAG_SEPA);
324 }

Referenced by SepAccessCheckAndAuditAlarm().

Variable Documentation

◆ SeSubsystemName

UNICODE_STRING SeSubsystemName = RTL_CONSTANT_STRING(L"Security")

Definition at line 19 of file audit.c.

Referenced by SePrivilegedServiceAuditAlarm().