ReactOS 0.4.15-dev-5669-g09dde2c
audit.c File Reference
#include <ntoskrnl.h>
#include <debug.h>

Macros

#define NDEBUG
 
#define SEP_PRIVILEGE_SET_MAX_COUNT   60
 

Functions

BOOLEAN NTAPI SeDetailedAuditingWithToken (_In_ PTOKEN Token)
 Performs detailed security auditing with an access token.
 
VOID NTAPI SeAuditProcessCreate (_In_ PEPROCESS Process)
 Performs security auditing against a process that is about to be created.
 
VOID NTAPI SeAuditProcessExit (_In_ PEPROCESS Process)
 Performs security auditing against a process that is about to be terminated.
 
NTSTATUS NTAPI SeInitializeProcessAuditName (_In_ PFILE_OBJECT FileObject, _In_ BOOLEAN DoAudit, _Out_ POBJECT_NAME_INFORMATION *AuditInfo)
 Initializes a process audit name and returns it to the caller.
 
NTSTATUS NTAPI SeLocateProcessImageName (_In_ PEPROCESS Process, _Out_ PUNICODE_STRING *ProcessImageName)
 Finds the process image name of a specific process.
 
VOID NTAPI SepAdtCloseObjectAuditAlarm (_In_ PUNICODE_STRING SubsystemName, _In_ PVOID HandleId, _In_ PSID Sid)
 Closes an audit alarm event of an object.
 
VOID NTAPI SepAdtPrivilegedServiceAuditAlarm (_In_ PSECURITY_SUBJECT_CONTEXT SubjectContext, _In_opt_ PUNICODE_STRING SubsystemName, _In_opt_ PUNICODE_STRING ServiceName, _In_ PTOKEN Token, _In_ PTOKEN PrimaryToken, _In_ PPRIVILEGE_SET Privileges, _In_ BOOLEAN AccessGranted)
 Performs an audit alarm for a privileged service request. This is a worker function.
 
VOID NTAPI SePrivilegedServiceAuditAlarm (_In_opt_ PUNICODE_STRING ServiceName, _In_ PSECURITY_SUBJECT_CONTEXT SubjectContext, _In_ PPRIVILEGE_SET PrivilegeSet, _In_ BOOLEAN AccessGranted)
 Performs an audit alarm for a privileged service request.
 
static _Must_inspect_result_ NTSTATUS SepAccessCheckAndAuditAlarmWorker (_In_ PUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ PSECURITY_SUBJECT_CONTEXT SubjectContext, _In_ PUNICODE_STRING ObjectTypeName, _In_ PUNICODE_STRING ObjectName, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_opt_ PSID PrincipalSelfSid, _In_ ACCESS_MASK DesiredAccess, _In_ AUDIT_EVENT_TYPE AuditType, _In_ BOOLEAN HaveAuditPrivilege, _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList, _In_ ULONG ObjectTypeListLength, _In_ PGENERIC_MAPPING GenericMapping, _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccessList, _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatusList, _Out_ PBOOLEAN GenerateOnClose, _In_ BOOLEAN UseResultList)
 Worker function that implements the core of access-check auditing in the kernel.
 
_Must_inspect_result_ NTSTATUS NTAPI SepAccessCheckAndAuditAlarm (_In_ PUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ PHANDLE ClientTokenHandle, _In_ PUNICODE_STRING ObjectTypeName, _In_ PUNICODE_STRING ObjectName, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_opt_ PSID PrincipalSelfSid, _In_ ACCESS_MASK DesiredAccess, _In_ AUDIT_EVENT_TYPE AuditType, _In_ ULONG Flags, _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList, _In_ ULONG ObjectTypeListLength, _In_ PGENERIC_MAPPING GenericMapping, _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccessList, _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatusList, _Out_ PBOOLEAN GenerateOnClose, _In_ BOOLEAN UseResultList)
 Performs security auditing and determines whether the specified object can be granted the requested access.
 
VOID NTAPI SeAuditHardLinkCreation (_In_ PUNICODE_STRING FileName, _In_ PUNICODE_STRING LinkName, _In_ BOOLEAN bSuccess)
 Performs an audit against a hard link creation.
 
BOOLEAN NTAPI SeAuditingFileEvents (_In_ BOOLEAN AccessGranted, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor)
 Determines whether auditing against file events is being done or not.
 
BOOLEAN NTAPI SeAuditingFileEventsWithContext (_In_ BOOLEAN AccessGranted, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_opt_ PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext)
 Determines whether auditing against file events with subject context is being done or not.
 
BOOLEAN NTAPI SeAuditingHardLinkEvents (_In_ BOOLEAN AccessGranted, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor)
 Determines whether auditing against hard-link events is being done or not.
 
BOOLEAN NTAPI SeAuditingHardLinkEventsWithContext (_In_ BOOLEAN AccessGranted, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_opt_ PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext)
 Determines whether auditing against hard-link events with subject context is being done or not.
 
BOOLEAN NTAPI SeAuditingFileOrGlobalEvents (_In_ BOOLEAN AccessGranted, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext)
 Determines whether auditing against files or global events with subject context is being done or not.
 
VOID NTAPI SeCloseObjectAuditAlarm (_In_ PVOID Object, _In_ HANDLE Handle, _In_ BOOLEAN PerformAction)
 Closes an alarm audit of an object.
 
VOID NTAPI SeDeleteObjectAuditAlarm (_In_ PVOID Object, _In_ HANDLE Handle)
 Deletes an alarm audit of an object.
 
VOID NTAPI SeOpenObjectAuditAlarm (_In_ PUNICODE_STRING ObjectTypeName, _In_opt_ PVOID Object, _In_opt_ PUNICODE_STRING AbsoluteObjectName, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ PACCESS_STATE AccessState, _In_ BOOLEAN ObjectCreated, _In_ BOOLEAN AccessGranted, _In_ KPROCESSOR_MODE AccessMode, _Out_ PBOOLEAN GenerateOnClose)
 Creates an audit with alarm notification of an object that is being opened.
 
VOID NTAPI SeOpenObjectForDeleteAuditAlarm (_In_ PUNICODE_STRING ObjectTypeName, _In_opt_ PVOID Object, _In_opt_ PUNICODE_STRING AbsoluteObjectName, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ PACCESS_STATE AccessState, _In_ BOOLEAN ObjectCreated, _In_ BOOLEAN AccessGranted, _In_ KPROCESSOR_MODE AccessMode, _Out_ PBOOLEAN GenerateOnClose)
 Creates an audit with alarm notification of an object that is being opened for deletion.
 
VOID NTAPI SePrivilegeObjectAuditAlarm (_In_ HANDLE Handle, _In_ PSECURITY_SUBJECT_CONTEXT SubjectContext, _In_ ACCESS_MASK DesiredAccess, _In_ PPRIVILEGE_SET Privileges, _In_ BOOLEAN AccessGranted, _In_ KPROCESSOR_MODE CurrentMode)
 Raises an audit with alarm notification message when an object tries to acquire this privilege.
 
NTSTATUS NTAPI NtCloseObjectAuditAlarm (_In_ PUNICODE_STRING SubsystemName, _In_ PVOID HandleId, _In_ BOOLEAN GenerateOnClose)
 Raises an alarm audit message when an object is about to be closed.
 
NTSTATUS NTAPI NtDeleteObjectAuditAlarm (_In_ PUNICODE_STRING SubsystemName, _In_ PVOID HandleId, _In_ BOOLEAN GenerateOnClose)
 Raises an alarm audit message when an object is about to be deleted.
 
VOID NTAPI SepOpenObjectAuditAlarm (_In_ PSECURITY_SUBJECT_CONTEXT SubjectContext, _In_ PUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ PUNICODE_STRING ObjectTypeName, _In_ PUNICODE_STRING ObjectName, _In_opt_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ PTOKEN ClientToken, _In_ ACCESS_MASK DesiredAccess, _In_ ACCESS_MASK GrantedAccess, _In_opt_ PPRIVILEGE_SET Privileges, _In_ BOOLEAN ObjectCreation, _In_ BOOLEAN AccessGranted, _Out_ PBOOLEAN GenerateOnClose)
 Raises an alarm audit message when an object is about to be opened.
 
__kernel_entry NTSTATUS NTAPI NtOpenObjectAuditAlarm (_In_ PUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ PUNICODE_STRING ObjectTypeName, _In_ PUNICODE_STRING ObjectName, _In_opt_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ HANDLE ClientTokenHandle, _In_ ACCESS_MASK DesiredAccess, _In_ ACCESS_MASK GrantedAccess, _In_opt_ PPRIVILEGE_SET PrivilegeSet, _In_ BOOLEAN ObjectCreation, _In_ BOOLEAN AccessGranted, _Out_ PBOOLEAN GenerateOnClose)
 Raises an alarm audit message when an object is about to be opened.
 
__kernel_entry NTSTATUS NTAPI NtPrivilegedServiceAuditAlarm (_In_opt_ PUNICODE_STRING SubsystemName, _In_opt_ PUNICODE_STRING ServiceName, _In_ HANDLE ClientTokenHandle, _In_ PPRIVILEGE_SET Privileges, _In_ BOOLEAN AccessGranted)
 Raises an alarm audit message when a caller attempts to request a privileged service call.
 
NTSTATUS NTAPI NtPrivilegeObjectAuditAlarm (_In_ PUNICODE_STRING SubsystemName, _In_ PVOID HandleId, _In_ HANDLE ClientToken, _In_ ULONG DesiredAccess, _In_ PPRIVILEGE_SET Privileges, _In_ BOOLEAN AccessGranted)
 Raises an alarm audit message when a caller attempts to access a privileged object.
 
_Must_inspect_result_ __kernel_entry NTSTATUS NTAPI NtAccessCheckAndAuditAlarm (_In_ PUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ PUNICODE_STRING ObjectTypeName, _In_ PUNICODE_STRING ObjectName, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ ACCESS_MASK DesiredAccess, _In_ PGENERIC_MAPPING GenericMapping, _In_ BOOLEAN ObjectCreation, _Out_ PACCESS_MASK GrantedAccess, _Out_ PNTSTATUS AccessStatus, _Out_ PBOOLEAN GenerateOnClose)
 Raises an alarm audit message when a caller attempts to access an object and determines whether the access can be granted.
 
_Must_inspect_result_ __kernel_entry NTSTATUS NTAPI NtAccessCheckByTypeAndAuditAlarm (_In_ PUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ PUNICODE_STRING ObjectTypeName, _In_ PUNICODE_STRING ObjectName, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_opt_ PSID PrincipalSelfSid, _In_ ACCESS_MASK DesiredAccess, _In_ AUDIT_EVENT_TYPE AuditType, _In_ ULONG Flags, _In_reads_opt_(ObjectTypeLength) POBJECT_TYPE_LIST ObjectTypeList, _In_ ULONG ObjectTypeLength, _In_ PGENERIC_MAPPING GenericMapping, _In_ BOOLEAN ObjectCreation, _Out_ PACCESS_MASK GrantedAccess, _Out_ PNTSTATUS AccessStatus, _Out_ PBOOLEAN GenerateOnClose)
 Raises an alarm audit message when a caller attempts to access an object and determines whether the access can be granted by object type.
 
_Must_inspect_result_ __kernel_entry NTSTATUS NTAPI NtAccessCheckByTypeResultListAndAuditAlarm (_In_ PUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ PUNICODE_STRING ObjectTypeName, _In_ PUNICODE_STRING ObjectName, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_opt_ PSID PrincipalSelfSid, _In_ ACCESS_MASK DesiredAccess, _In_ AUDIT_EVENT_TYPE AuditType, _In_ ULONG Flags, _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList, _In_ ULONG ObjectTypeListLength, _In_ PGENERIC_MAPPING GenericMapping, _In_ BOOLEAN ObjectCreation, _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccessList, _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatusList, _Out_ PBOOLEAN GenerateOnClose)
 Raises an alarm audit message when a caller attempts to access an object and determines whether the access can be granted, returning a result for each entry of the given object type list.
 
_Must_inspect_result_ __kernel_entry NTSTATUS NTAPI NtAccessCheckByTypeResultListAndAuditAlarmByHandle (_In_ PUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ HANDLE ClientToken, _In_ PUNICODE_STRING ObjectTypeName, _In_ PUNICODE_STRING ObjectName, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_opt_ PSID PrincipalSelfSid, _In_ ACCESS_MASK DesiredAccess, _In_ AUDIT_EVENT_TYPE AuditType, _In_ ULONG Flags, _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList, _In_ ULONG ObjectTypeListLength, _In_ PGENERIC_MAPPING GenericMapping, _In_ BOOLEAN ObjectCreation, _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccessList, _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatusList, _Out_ PBOOLEAN GenerateOnClose)
 Raises an alarm audit message when a caller attempts to access an object and determines whether the access can be granted, returning a result for each entry of the given object type list and using the supplied token handle.
 

Variables

UNICODE_STRING SeSubsystemName = RTL_CONSTANT_STRING(L"Security")
 

Macro Definition Documentation

◆ NDEBUG

#define NDEBUG

Definition at line 12 of file audit.c.

◆ SEP_PRIVILEGE_SET_MAX_COUNT

#define SEP_PRIVILEGE_SET_MAX_COUNT   60

Definition at line 15 of file audit.c.

Function Documentation

◆ NtAccessCheckAndAuditAlarm()

_Must_inspect_result_ __kernel_entry NTSTATUS NTAPI NtAccessCheckAndAuditAlarm ( _In_ PUNICODE_STRING  SubsystemName,
_In_opt_ PVOID  HandleId,
_In_ PUNICODE_STRING  ObjectTypeName,
_In_ PUNICODE_STRING  ObjectName,
_In_ PSECURITY_DESCRIPTOR  SecurityDescriptor,
_In_ ACCESS_MASK  DesiredAccess,
_In_ PGENERIC_MAPPING  GenericMapping,
_In_ BOOLEAN  ObjectCreation,
_Out_ PACCESS_MASK  GrantedAccess,
_Out_ PNTSTATUS  AccessStatus,
_Out_ PBOOLEAN  GenerateOnClose 
)

Raises an alarm audit message when a caller attempts to access an object and determines whether the access can be granted.

Parameters
[in]  SubsystemName  A Unicode string that points to a name of the subsystem.
[in]  HandleId  A handle to an ID that is used as identification instance for auditing.
[in]  ObjectTypeName  The name of the object type.
[in]  ObjectName  The object name.
[in]  SecurityDescriptor  A security descriptor.
[in]  DesiredAccess  The desired access rights mask requested by the caller.
[in]  GenericMapping  The generic mapping of access mask rights.
[in]  ObjectCreation  Set this to TRUE if the object has just been created.
[out]  GrantedAccess  Returns the granted access rights.
[out]  AccessStatus  Returns an NTSTATUS status code indicating whether access can be granted or not.
[out]  GenerateOnClose  Returns TRUE if the function has generated a list of granted access rights and status codes on termination, FALSE otherwise.
Returns
See SepAccessCheckAndAuditAlarm.

Definition at line 2125 of file audit.c.

{
    /* Call the internal function. No client token handle and no principal-self
       SID are supplied, the event type is the plain object-access audit, and no
       object type list is used, so the single GrantedAccess/AccessStatus pair
       is passed as a one-element result list. */
    return SepAccessCheckAndAuditAlarm(SubsystemName,
                                       HandleId,
                                       NULL,                   /* ClientTokenHandle */
                                       ObjectTypeName,
                                       ObjectName,
                                       SecurityDescriptor,
                                       NULL,                   /* PrincipalSelfSid */
                                       DesiredAccess,
                                       AuditEventObjectAccess, /* AuditType */
                                       0,                      /* Flags */
                                       NULL,                   /* ObjectTypeList */
                                       0,                      /* ObjectTypeListLength */
                                       GenericMapping,
                                       GrantedAccess,
                                       AccessStatus,
                                       GenerateOnClose,
                                       FALSE);                 /* UseResultList */
}

Referenced by AccessCheckAndAuditAlarmA(), and AccessCheckAndAuditAlarmW().

◆ NtAccessCheckByTypeAndAuditAlarm()

_Must_inspect_result_ __kernel_entry NTSTATUS NTAPI NtAccessCheckByTypeAndAuditAlarm ( _In_ PUNICODE_STRING  SubsystemName,
_In_opt_ PVOID  HandleId,
_In_ PUNICODE_STRING  ObjectTypeName,
_In_ PUNICODE_STRING  ObjectName,
_In_ PSECURITY_DESCRIPTOR  SecurityDescriptor,
_In_opt_ PSID  PrincipalSelfSid,
_In_ ACCESS_MASK  DesiredAccess,
_In_ AUDIT_EVENT_TYPE  AuditType,
_In_ ULONG  Flags,
_In_reads_opt_(ObjectTypeLength) POBJECT_TYPE_LIST  ObjectTypeList,
_In_ ULONG  ObjectTypeLength,
_In_ PGENERIC_MAPPING  GenericMapping,
_In_ BOOLEAN  ObjectCreation,
_Out_ PACCESS_MASK  GrantedAccess,
_Out_ PNTSTATUS  AccessStatus,
_Out_ PBOOLEAN  GenerateOnClose 
)

Raises an alarm audit message when a caller attempts to access an object and determines whether the access can be granted by object type.

Parameters
[in]  SubsystemName  A Unicode string that points to a name of the subsystem.
[in]  HandleId  A handle to an ID that is used as identification instance for auditing.
[in]  ObjectTypeName  The name of the object type.
[in]  ObjectName  The object name.
[in]  SecurityDescriptor  A security descriptor.
[in]  PrincipalSelfSid  A principal self user SID.
[in]  DesiredAccess  The desired access rights mask requested by the caller.
[in]  AuditType  Type of audit to start, influencing how the audit should be done.
[in]  Flags  Flag bitmask, used to check if auditing can be done without privileges.
[in]  ObjectTypeList  A list of object types.
[in]  ObjectTypeLength  The length of the list.
[in]  GenericMapping  The generic mapping of access mask rights.
[in]  ObjectCreation  Set this to TRUE if the object has just been created.
[out]  GrantedAccess  Returns the granted access rights.
[out]  AccessStatus  Returns an NTSTATUS status code indicating whether access can be granted or not.
[out]  GenerateOnClose  Returns TRUE if the function has generated a list of granted access rights and status codes on termination, FALSE otherwise.
Returns
See SepAccessCheckAndAuditAlarm.

Definition at line 2222 of file audit.c.

{
    /* Call the internal function. The caller's own subject context is used
       (no client token handle); the single GrantedAccess/AccessStatus pair is
       passed as a one-element result list. */
    return SepAccessCheckAndAuditAlarm(SubsystemName,
                                       HandleId,
                                       NULL,                   /* ClientTokenHandle */
                                       ObjectTypeName,
                                       ObjectName,
                                       SecurityDescriptor,
                                       PrincipalSelfSid,
                                       DesiredAccess,
                                       AuditType,
                                       Flags,
                                       ObjectTypeList,
                                       ObjectTypeLength,
                                       GenericMapping,
                                       GrantedAccess,
                                       AccessStatus,
                                       GenerateOnClose,
                                       FALSE);                 /* UseResultList */
}

◆ NtAccessCheckByTypeResultListAndAuditAlarm()

_Must_inspect_result_ __kernel_entry NTSTATUS NTAPI NtAccessCheckByTypeResultListAndAuditAlarm ( _In_ PUNICODE_STRING  SubsystemName,
_In_opt_ PVOID  HandleId,
_In_ PUNICODE_STRING  ObjectTypeName,
_In_ PUNICODE_STRING  ObjectName,
_In_ PSECURITY_DESCRIPTOR  SecurityDescriptor,
_In_opt_ PSID  PrincipalSelfSid,
_In_ ACCESS_MASK  DesiredAccess,
_In_ AUDIT_EVENT_TYPE  AuditType,
_In_ ULONG  Flags,
_In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST  ObjectTypeList,
_In_ ULONG  ObjectTypeListLength,
_In_ PGENERIC_MAPPING  GenericMapping,
_In_ BOOLEAN  ObjectCreation,
_Out_writes_(ObjectTypeListLength) PACCESS_MASK  GrantedAccessList,
_Out_writes_(ObjectTypeListLength) PNTSTATUS  AccessStatusList,
_Out_ PBOOLEAN  GenerateOnClose 
)

Raises an alarm audit message when a caller attempts to access an object and determines whether the access can be granted, returning a result for each entry of the given object type list.

Parameters
[in]  SubsystemName  A Unicode string that points to a name of the subsystem.
[in]  HandleId  A handle to an ID that is used as identification instance for auditing.
[in]  ObjectTypeName  The name of the object type.
[in]  ObjectName  The object name.
[in]  SecurityDescriptor  A security descriptor.
[in]  PrincipalSelfSid  A principal self user SID.
[in]  DesiredAccess  The desired access rights mask requested by the caller.
[in]  AuditType  Type of audit to start, influencing how the audit should be done.
[in]  Flags  Flag bitmask, used to check if auditing can be done without privileges.
[in]  ObjectTypeList  A list of object types.
[in]  ObjectTypeListLength  The length of the list.
[in]  GenericMapping  The generic mapping of access mask rights.
[in]  ObjectCreation  Set this to TRUE if the object has just been created.
[out]  GrantedAccessList  Returns the granted access rights, one entry per object type.
[out]  AccessStatusList  Returns an NTSTATUS status code per object type indicating whether access can be granted or not.
[out]  GenerateOnClose  Returns TRUE if the function has generated a list of granted access rights and status codes on termination, FALSE otherwise.
Returns
See SepAccessCheckAndAuditAlarm.

Definition at line 2324 of file audit.c.

{
    /* Call the internal function. The caller's own subject context is used
       (no client token handle) and a per-type result list is requested. */
    return SepAccessCheckAndAuditAlarm(SubsystemName,
                                       HandleId,
                                       NULL,                   /* ClientTokenHandle */
                                       ObjectTypeName,
                                       ObjectName,
                                       SecurityDescriptor,
                                       PrincipalSelfSid,
                                       DesiredAccess,
                                       AuditType,
                                       Flags,
                                       ObjectTypeList,
                                       ObjectTypeListLength,
                                       GenericMapping,
                                       GrantedAccessList,
                                       AccessStatusList,
                                       GenerateOnClose,
                                       TRUE);                  /* UseResultList */
}

◆ NtAccessCheckByTypeResultListAndAuditAlarmByHandle()

_Must_inspect_result_ __kernel_entry NTSTATUS NTAPI NtAccessCheckByTypeResultListAndAuditAlarmByHandle ( _In_ PUNICODE_STRING  SubsystemName,
_In_opt_ PVOID  HandleId,
_In_ HANDLE  ClientToken,
_In_ PUNICODE_STRING  ObjectTypeName,
_In_ PUNICODE_STRING  ObjectName,
_In_ PSECURITY_DESCRIPTOR  SecurityDescriptor,
_In_opt_ PSID  PrincipalSelfSid,
_In_ ACCESS_MASK  DesiredAccess,
_In_ AUDIT_EVENT_TYPE  AuditType,
_In_ ULONG  Flags,
_In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST  ObjectTypeList,
_In_ ULONG  ObjectTypeListLength,
_In_ PGENERIC_MAPPING  GenericMapping,
_In_ BOOLEAN  ObjectCreation,
_Out_writes_(ObjectTypeListLength) PACCESS_MASK  GrantedAccessList,
_Out_writes_(ObjectTypeListLength) PNTSTATUS  AccessStatusList,
_Out_ PBOOLEAN  GenerateOnClose 
)

Raises an alarm audit message when a caller attempts to access an object and determines whether the access can be granted, returning a result for each entry of the given object type list and using the supplied token handle.

Parameters
[in]  SubsystemName  A Unicode string that points to a name of the subsystem.
[in]  HandleId  A handle to an ID that is used as identification instance for auditing.
[in]  ClientToken  A handle to a client access token.
[in]  ObjectTypeName  The name of the object type.
[in]  ObjectName  The object name.
[in]  SecurityDescriptor  A security descriptor.
[in]  PrincipalSelfSid  A principal self user SID.
[in]  DesiredAccess  The desired access rights mask requested by the caller.
[in]  AuditType  Type of audit to start, influencing how the audit should be done.
[in]  Flags  Flag bitmask, used to check if auditing can be done without privileges.
[in]  ObjectTypeList  A list of object types.
[in]  ObjectTypeListLength  The length of the list.
[in]  GenericMapping  The generic mapping of access mask rights.
[in]  ObjectCreation  Set this to TRUE if the object has just been created.
[out]  GrantedAccessList  Returns the granted access rights, one entry per object type.
[out]  AccessStatusList  Returns an NTSTATUS status code per object type indicating whether access can be granted or not.
[out]  GenerateOnClose  Returns TRUE if the function has generated a list of granted access rights and status codes on termination, FALSE otherwise.
Returns
See SepAccessCheckAndAuditAlarm.

Definition at line 2430 of file audit.c.

{
    UNREFERENCED_PARAMETER(ObjectCreation);

    /* Call the internal function, passing the address of the caller-supplied
       token handle so the worker references that token instead of the
       caller's own subject context; a per-type result list is requested. */
    return SepAccessCheckAndAuditAlarm(SubsystemName,
                                       HandleId,
                                       &ClientToken,
                                       ObjectTypeName,
                                       ObjectName,
                                       SecurityDescriptor,
                                       PrincipalSelfSid,
                                       DesiredAccess,
                                       AuditType,
                                       Flags,
                                       ObjectTypeList,
                                       ObjectTypeListLength,
                                       GenericMapping,
                                       GrantedAccessList,
                                       AccessStatusList,
                                       GenerateOnClose,
                                       TRUE);                  /* UseResultList */
}

◆ NtCloseObjectAuditAlarm()

NTSTATUS NTAPI NtCloseObjectAuditAlarm ( _In_ PUNICODE_STRING  SubsystemName,
_In_ PVOID  HandleId,
_In_ BOOLEAN  GenerateOnClose 
)

Raises an alarm audit message when an object is about to be closed.

Parameters
[in]  SubsystemName  A Unicode string that points to the name of the subsystem.
[in]  HandleId  A handle of an ID used as identification instance for auditing.
[in]  GenerateOnClose  A boolean value previously produced by the "open" equivalent of this function. If the caller explicitly sets this to FALSE, the function assumes that the object is not opened.
Returns
Returns STATUS_SUCCESS if all the operations have completed successfully. STATUS_PRIVILEGE_NOT_HELD is returned if the security subject context does not hold the audit privilege needed to begin auditing in the first place.

Definition at line 1358 of file audit.c.

{
    SECURITY_SUBJECT_CONTEXT SubjectContext;
    UNICODE_STRING CapturedSubsystemName;
    KPROCESSOR_MODE PreviousMode;
    BOOLEAN UseImpersonationToken;
    PETHREAD CurrentThread;
    BOOLEAN CopyOnOpen, EffectiveOnly;
    SECURITY_IMPERSONATION_LEVEL ImpersonationLevel;
    NTSTATUS Status;
    PTOKEN Token;
    PAGED_CODE();

    /* Get the previous mode (only user mode is supported!) */
    PreviousMode = ExGetPreviousMode();
    ASSERT(PreviousMode != KernelMode);

    /* Do we even need to do anything? */
    if (!GenerateOnClose)
    {
        /* Nothing to do, return success */
        return STATUS_SUCCESS;
    }

    /* Capture the security subject context */
    SeCaptureSubjectContext(&SubjectContext);

    /* Check for audit privilege */
    if (!SeCheckAuditPrivilege(&SubjectContext, PreviousMode))
    {
        DPRINT1("Caller does not have SeAuditPrivilege\n");
        Status = STATUS_PRIVILEGE_NOT_HELD;
        goto Cleanup;
    }

    /* Probe and capture the subsystem name */
    Status = ProbeAndCaptureUnicodeString(&CapturedSubsystemName,
                                          PreviousMode,
                                          SubsystemName);
    if (!NT_SUCCESS(Status))
    {
        DPRINT1("Failed to capture subsystem name!\n");
        goto Cleanup;
    }

    /* Get the current thread and check if it's impersonating */
    CurrentThread = PsGetCurrentThread();
    if (PsIsThreadImpersonating(CurrentThread))
    {
        /* Get the impersonation token */
        Token = PsReferenceImpersonationToken(CurrentThread,
                                              &CopyOnOpen,
                                              &EffectiveOnly,
                                              &ImpersonationLevel);
        UseImpersonationToken = TRUE;
    }
    else
    {
        /* Get the primary token */
        Token = PsReferencePrimaryToken(PsGetCurrentProcess());
        UseImpersonationToken = FALSE;
    }

    /* Call the internal function with the SID of the token's user */
    SepAdtCloseObjectAuditAlarm(&CapturedSubsystemName,
                                HandleId,
                                Token->UserAndGroups->Sid);

    /* Release the captured subsystem name */
    ReleaseCapturedUnicodeString(&CapturedSubsystemName, PreviousMode);

    /* Check what token we used */
    if (UseImpersonationToken)
    {
        /* Release impersonation token */
        PsDereferenceImpersonationToken(Token);
    }
    else
    {
        /* Release primary token */
        PsDereferencePrimaryToken(Token);
    }

    Status = STATUS_SUCCESS;

Cleanup:

    /* Release the security subject context */
    SeReleaseSubjectContext(&SubjectContext);

    return Status;
}

Referenced by ObjectCloseAuditAlarmA(), and ObjectCloseAuditAlarmW().

◆ NtDeleteObjectAuditAlarm()

NTSTATUS NTAPI NtDeleteObjectAuditAlarm ( _In_ PUNICODE_STRING  SubsystemName,
_In_ PVOID  HandleId,
_In_ BOOLEAN  GenerateOnClose 
)

Raises an alarm audit message when an object is about to be deleted.

Unimplemented.

Parameters
[in]  SubsystemName  A Unicode string that points to the name of the subsystem.
[in]  HandleId  A handle of an ID used as identification instance for auditing.
[in]  GenerateOnClose  A boolean value previously produced by the "open" equivalent of this function. If the caller explicitly sets this to FALSE, the function assumes that the object is not opened.
Returns
To be added...

Definition at line 1475 of file audit.c.

{
    /* Not implemented yet: the parameters are ignored and the call always fails */
    UNIMPLEMENTED;
    return STATUS_NOT_IMPLEMENTED;
}

Referenced by ObjectDeleteAuditAlarmA(), and ObjectDeleteAuditAlarmW().

◆ NtOpenObjectAuditAlarm()

__kernel_entry NTSTATUS NTAPI NtOpenObjectAuditAlarm ( _In_ PUNICODE_STRING  SubsystemName,
_In_opt_ PVOID  HandleId,
_In_ PUNICODE_STRING  ObjectTypeName,
_In_ PUNICODE_STRING  ObjectName,
_In_opt_ PSECURITY_DESCRIPTOR  SecurityDescriptor,
_In_ HANDLE  ClientTokenHandle,
_In_ ACCESS_MASK  DesiredAccess,
_In_ ACCESS_MASK  GrantedAccess,
_In_opt_ PPRIVILEGE_SET  PrivilegeSet,
_In_ BOOLEAN  ObjectCreation,
_In_ BOOLEAN  AccessGranted,
_Out_ PBOOLEAN  GenerateOnClose 
)

Raises an alarm audit message when an object is about to be opened.

Parameters
[in]  SubsystemName  A Unicode string that points to a name of the subsystem.
[in]  HandleId  A handle to an ID used as identification instance for auditing.
[in]  ObjectTypeName  A Unicode string that points to an object type name.
[in]  ObjectName  The name of the object.
[in]  SecurityDescriptor  A security descriptor.
[in]  ClientTokenHandle  A handle to a client access token.
[in]  DesiredAccess  The desired access rights mask requested by the caller.
[in]  GrantedAccess  The granted access mask rights.
[in]  PrivilegeSet  If specified, the function will use this set of privileges to audit.
[in]  ObjectCreation  Set this to TRUE if the object has just been created.
[in]  AccessGranted  Set this to TRUE if the access attempt was deemed as granted.
[out]  GenerateOnClose  A boolean flag returned to the caller once the audit generation procedure finishes.
Returns
Returns STATUS_SUCCESS if all the operations have completed successfully. STATUS_PRIVILEGE_NOT_HELD is returned if the given subject context does not hold the audit privilege required to begin auditing in the first place. STATUS_BAD_IMPERSONATION_LEVEL is returned if the impersonation level of the client token is below the level that allows impersonation. STATUS_INVALID_PARAMETER is returned if the caller has submitted a bogus privilege set whose count exceeds the maximum number of privileges the kernel accepts. A failure NTSTATUS code is returned otherwise.

Definition at line 1622 of file audit.c.

{
    PTOKEN ClientToken;
    PSECURITY_DESCRIPTOR CapturedSecurityDescriptor;
    UNICODE_STRING CapturedSubsystemName, CapturedObjectTypeName, CapturedObjectName;
    ULONG PrivilegeCount, PrivilegeSetSize;
    volatile PPRIVILEGE_SET CapturedPrivilegeSet;
    BOOLEAN LocalGenerateOnClose;
    PVOID CapturedHandleId;
    SECURITY_SUBJECT_CONTEXT SubjectContext;
    NTSTATUS Status;
    PAGED_CODE();

    /* Only user mode is supported! */
    ASSERT(ExGetPreviousMode() != KernelMode);

    /* Start clean */
    ClientToken = NULL;
    CapturedSecurityDescriptor = NULL;
    CapturedPrivilegeSet = NULL;
    CapturedSubsystemName.Buffer = NULL;
    CapturedObjectTypeName.Buffer = NULL;
    CapturedObjectName.Buffer = NULL;
    CapturedHandleId = NULL;

    /* Reference the client token */
    Status = ObReferenceObjectByHandle(ClientTokenHandle,
                                       TOKEN_QUERY,
                                       SeTokenObjectType,
                                       UserMode,
                                       (PVOID*)&ClientToken,
                                       NULL);
    if (!NT_SUCCESS(Status))
    {
        DPRINT1("Failed to reference token handle %p: %lx\n",
                ClientTokenHandle, Status);
        return Status;
    }

    /* Capture the security subject context */
    SeCaptureSubjectContext(&SubjectContext);

    /* Validate the token's impersonation level */
    if ((ClientToken->TokenType == TokenImpersonation) &&
        (ClientToken->ImpersonationLevel < SecurityIdentification))
    {
        DPRINT1("Invalid impersonation level (%u)\n", ClientToken->ImpersonationLevel);
        Status = STATUS_BAD_IMPERSONATION_LEVEL;
        goto Cleanup;
    }

    /* Check for audit privilege */
    if (!SeCheckAuditPrivilege(&SubjectContext, UserMode))
    {
        DPRINT1("Caller does not have SeAuditPrivilege\n");
        Status = STATUS_PRIVILEGE_NOT_HELD;
        goto Cleanup;
    }

    /* Check for NULL SecurityDescriptor */
    if (SecurityDescriptor == NULL)
    {
        /* Nothing to do */
        Status = STATUS_SUCCESS;
        goto Cleanup;
    }

    /* Capture the security descriptor */
    Status = SeCaptureSecurityDescriptor(SecurityDescriptor,
                                         UserMode,
                                         PagedPool,
                                         FALSE,
                                         &CapturedSecurityDescriptor);
    if (!NT_SUCCESS(Status))
    {
        DPRINT1("Failed to capture security descriptor!\n");
        goto Cleanup;
    }

    _SEH2_TRY
    {
        /* Check if we have a privilege set */
        if (PrivilegeSet != NULL)
        {
            /* Probe the basic privilege set structure */
            ProbeForRead(PrivilegeSet, sizeof(PRIVILEGE_SET), sizeof(ULONG));

            /* Validate privilege count */
            PrivilegeCount = PrivilegeSet->PrivilegeCount;
            if (PrivilegeCount > SEP_PRIVILEGE_SET_MAX_COUNT)
            {
                Status = STATUS_INVALID_PARAMETER;
                _SEH2_YIELD(goto Cleanup);
            }

            /* Calculate the size of the PrivilegeSet structure */
            PrivilegeSetSize = FIELD_OFFSET(PRIVILEGE_SET, Privilege[PrivilegeCount]);

            /* Probe the whole structure */
            ProbeForRead(PrivilegeSet, PrivilegeSetSize, sizeof(ULONG));

            /* Allocate a temp buffer */
            CapturedPrivilegeSet = ExAllocatePoolWithTag(PagedPool,
                                                         PrivilegeSetSize,
                                                         TAG_PRIVILEGE_SET);
            if (CapturedPrivilegeSet == NULL)
            {
                DPRINT1("Failed to allocate %u bytes\n", PrivilegeSetSize);
                Status = STATUS_INSUFFICIENT_RESOURCES;
                _SEH2_YIELD(goto Cleanup);
            }

            /* Copy the privileges */
            RtlCopyMemory(CapturedPrivilegeSet, PrivilegeSet, PrivilegeSetSize);
        }

        if (HandleId != NULL)
        {
            ProbeForRead(HandleId, sizeof(PVOID), sizeof(PVOID));
            CapturedHandleId = *(PVOID*)HandleId;
        }

        ProbeForWrite(GenerateOnClose, sizeof(BOOLEAN), sizeof(BOOLEAN));
    }
    _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
    {
        Status = _SEH2_GetExceptionCode();
        DPRINT1("Exception while probing parameters: 0x%lx\n", Status);
        _SEH2_YIELD(goto Cleanup);
    }
    _SEH2_END;

    /* Probe and capture the subsystem name */
    Status = ProbeAndCaptureUnicodeString(&CapturedSubsystemName,
                                          UserMode,
                                          SubsystemName);
    if (!NT_SUCCESS(Status))
    {
        DPRINT1("Failed to capture subsystem name!\n");
        goto Cleanup;
    }

    /* Probe and capture the object type name */
    Status = ProbeAndCaptureUnicodeString(&CapturedObjectTypeName,
                                          UserMode,
                                          ObjectTypeName);
    if (!NT_SUCCESS(Status))
    {
        DPRINT1("Failed to capture object type name!\n");
        goto Cleanup;
    }

    /* Probe and capture the object name */
    Status = ProbeAndCaptureUnicodeString(&CapturedObjectName,
                                          UserMode,
                                          ObjectName);
    if (!NT_SUCCESS(Status))
    {
        DPRINT1("Failed to capture object name!\n");
        goto Cleanup;
    }

    /* Call the internal function */
    SepOpenObjectAuditAlarm(&SubjectContext,
                            &CapturedSubsystemName,
                            CapturedHandleId,
                            &CapturedObjectTypeName,
                            &CapturedObjectName,
                            CapturedSecurityDescriptor,
                            ClientToken,
                            DesiredAccess,
                            GrantedAccess,
                            CapturedPrivilegeSet,
                            ObjectCreation,
                            AccessGranted,
                            &LocalGenerateOnClose);

    Status = STATUS_SUCCESS;

    /* Enter SEH to copy the data back to user mode */
    _SEH2_TRY
    {
        *GenerateOnClose = LocalGenerateOnClose;
    }
    _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
    {
        Status = _SEH2_GetExceptionCode();
        DPRINT1("Exception while copying back data: 0x%lx\n", Status);
    }
    _SEH2_END;

Cleanup:

    if (CapturedObjectName.Buffer != NULL)
        ReleaseCapturedUnicodeString(&CapturedObjectName, UserMode);

    if (CapturedObjectTypeName.Buffer != NULL)
        ReleaseCapturedUnicodeString(&CapturedObjectTypeName, UserMode);

    if (CapturedSubsystemName.Buffer != NULL)
        ReleaseCapturedUnicodeString(&CapturedSubsystemName, UserMode);

    if (CapturedSecurityDescriptor != NULL)
        SeReleaseSecurityDescriptor(CapturedSecurityDescriptor, UserMode, FALSE);

    if (CapturedPrivilegeSet != NULL)
        ExFreePoolWithTag(CapturedPrivilegeSet, TAG_PRIVILEGE_SET);

    /* Release the security subject context */
    SeReleaseSubjectContext(&SubjectContext);

    ObDereferenceObject(ClientToken);

    return Status;
}

Referenced by ObjectOpenAuditAlarmA(), and ObjectOpenAuditAlarmW().

◆ NtPrivilegedServiceAuditAlarm()

__kernel_entry NTSTATUS NTAPI NtPrivilegedServiceAuditAlarm ( _In_opt_ PUNICODE_STRING  SubsystemName,
_In_opt_ PUNICODE_STRING  ServiceName,
_In_ HANDLE  ClientTokenHandle,
_In_ PPRIVILEGE_SET  Privileges,
_In_ BOOLEAN  AccessGranted 
)

Raises an alarm audit message when a caller attempts to request a privileged service call.

Parameters
[in] SubsystemName: A Unicode string that points to the name of the subsystem.
[in] ServiceName: A Unicode string that points to the name of the privileged service.
[in] ClientTokenHandle: A handle to a client access token.
[in] Privileges: An array set of privileges.
[in] AccessGranted: Set this to TRUE if the access attempt was deemed as granted.
Returns
Returns STATUS_SUCCESS if all the operations have been completed successfully. STATUS_PRIVILEGE_NOT_HELD is returned if the given subject context does not hold the required audit privilege to begin auditing in the first place. STATUS_BAD_IMPERSONATION_LEVEL is returned if the security impersonation level of the client token is below the impersonation level that allows impersonation. STATUS_INVALID_PARAMETER is returned if the caller has submitted a bogus set of privileges, that is, the array exceeds the maximum count of privileges that the kernel can accept. A failure NTSTATUS code is returned otherwise.

Definition at line 1883 of file audit.c.

{
    SECURITY_SUBJECT_CONTEXT SubjectContext;
    PTOKEN ClientToken;
    volatile PPRIVILEGE_SET CapturedPrivileges = NULL;
    UNICODE_STRING CapturedSubsystemName;
    UNICODE_STRING CapturedServiceName;
    ULONG PrivilegeCount, PrivilegesSize;
    KPROCESSOR_MODE PreviousMode;
    NTSTATUS Status;
    PAGED_CODE();

    /* Get the previous mode (only user mode is supported!) */
    PreviousMode = ExGetPreviousMode();
    ASSERT(PreviousMode != KernelMode);

    CapturedSubsystemName.Buffer = NULL;
    CapturedServiceName.Buffer = NULL;

    /* Reference the client token */
    Status = ObReferenceObjectByHandle(ClientTokenHandle,
                                       TOKEN_QUERY,
                                       SeTokenObjectType,
                                       PreviousMode,
                                       (PVOID*)&ClientToken,
                                       NULL);
    if (!NT_SUCCESS(Status))
    {
        DPRINT1("Failed to reference client token: 0x%lx\n", Status);
        return Status;
    }

    /* Validate the token's impersonation level */
    if ((ClientToken->TokenType == TokenImpersonation) &&
        (ClientToken->ImpersonationLevel < SecurityIdentification))
    {
        DPRINT1("Invalid impersonation level (%u)\n", ClientToken->ImpersonationLevel);
        ObDereferenceObject(ClientToken);
        return STATUS_BAD_IMPERSONATION_LEVEL;
    }

    /* Capture the security subject context */
    SeCaptureSubjectContext(&SubjectContext);

    /* Check for audit privilege */
    if (!SeCheckAuditPrivilege(&SubjectContext, PreviousMode))
    {
        DPRINT1("Caller does not have SeAuditPrivilege\n");
        Status = STATUS_PRIVILEGE_NOT_HELD;
        goto Cleanup;
    }

    /* Do we have a subsystem name? */
    if (SubsystemName != NULL)
    {
        /* Probe and capture the subsystem name */
        Status = ProbeAndCaptureUnicodeString(&CapturedSubsystemName,
                                              PreviousMode,
                                              SubsystemName);
        if (!NT_SUCCESS(Status))
        {
            DPRINT1("Failed to capture subsystem name!\n");
            goto Cleanup;
        }
    }

    /* Do we have a service name? */
    if (ServiceName != NULL)
    {
        /* Probe and capture the service name */
        Status = ProbeAndCaptureUnicodeString(&CapturedServiceName,
                                              PreviousMode,
                                              ServiceName);
        if (!NT_SUCCESS(Status))
        {
            DPRINT1("Failed to capture service name!\n");
            goto Cleanup;
        }
    }

    _SEH2_TRY
    {
        /* Probe the basic privilege set structure */
        ProbeForRead(Privileges, sizeof(PRIVILEGE_SET), sizeof(ULONG));

        /* Validate privilege count */
        PrivilegeCount = Privileges->PrivilegeCount;
        if (PrivilegeCount > SEP_PRIVILEGE_SET_MAX_COUNT)
        {
            Status = STATUS_INVALID_PARAMETER;
            _SEH2_YIELD(goto Cleanup);
        }

        /* Calculate the size of the Privileges structure */
        PrivilegesSize = FIELD_OFFSET(PRIVILEGE_SET, Privilege[PrivilegeCount]);

        /* Probe the whole structure */
        ProbeForRead(Privileges, PrivilegesSize, sizeof(ULONG));

        /* Allocate a temp buffer */
        CapturedPrivileges = ExAllocatePoolWithTag(PagedPool,
                                                   PrivilegesSize,
                                                   TAG_PRIVILEGE_SET);
        if (CapturedPrivileges == NULL)
        {
            DPRINT1("Failed to allocate %u bytes\n", PrivilegesSize);
            Status = STATUS_INSUFFICIENT_RESOURCES;
            _SEH2_YIELD(goto Cleanup);
        }

        /* Copy the privileges */
        RtlCopyMemory(CapturedPrivileges, Privileges, PrivilegesSize);
    }
    _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
    {
        Status = _SEH2_GetExceptionCode();
        DPRINT1("Got exception 0x%lx\n", Status);
        _SEH2_YIELD(goto Cleanup);
    }
    _SEH2_END;

    /* Call the internal function */
    SepAdtPrivilegedServiceAuditAlarm(&SubjectContext,
                                      SubsystemName ? &CapturedSubsystemName : NULL,
                                      ServiceName ? &CapturedServiceName : NULL,
                                      ClientToken,
                                      SubjectContext.PrimaryToken,
                                      CapturedPrivileges,
                                      AccessGranted);

    Status = STATUS_SUCCESS;

Cleanup:
    /* Cleanup resources */
    if (CapturedSubsystemName.Buffer != NULL)
        ReleaseCapturedUnicodeString(&CapturedSubsystemName, PreviousMode);

    if (CapturedServiceName.Buffer != NULL)
        ReleaseCapturedUnicodeString(&CapturedServiceName, PreviousMode);

    if (CapturedPrivileges != NULL)
        ExFreePoolWithTag(CapturedPrivileges, TAG_PRIVILEGE_SET);

    /* Release the security subject context */
    SeReleaseSubjectContext(&SubjectContext);

    ObDereferenceObject(ClientToken);

    return Status;
}

Referenced by PrivilegedServiceAuditAlarmA(), and PrivilegedServiceAuditAlarmW().
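Added example, not ReactOS code: the capture steps that both NtOpenObjectAuditAlarm and NtPrivilegedServiceAuditAlarm run on a caller-supplied PRIVILEGE_SET (probe the header, fetch the count once, bound it by SEP_PRIVILEGE_SET_MAX_COUNT, size the structure from that local count, probe the full extent, copy into kernel-owned memory), modelled in user-mode C so the checks can be exercised on constructed buffers. USER_RANGE, ProbeOk, CaptureFromConstructedBuffer, the globals they fill and the re-pinning of PrivilegeCount after the copy are assumptions of this example, not part of the listings above.

```c
/* Added example (not audit.c): user-mode model of the PRIVILEGE_SET capture. */
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define SEP_PRIVILEGE_SET_MAX_COUNT 60   /* same bound as audit.c */

typedef uint32_t ULONG;
typedef int32_t  NTSTATUS;
typedef struct { ULONG LowPart; int32_t HighPart; } LUID;
typedef struct { LUID Luid; ULONG Attributes; } LUID_AND_ATTRIBUTES;
typedef struct {
    ULONG PrivilegeCount;
    ULONG Control;
    LUID_AND_ATTRIBUTES Privilege[];  /* NT declares Privilege[1]; same layout */
} PRIVILEGE_SET;

#define STATUS_SUCCESS                ((NTSTATUS)0x00000000)
#define STATUS_ACCESS_VIOLATION       ((NTSTATUS)0xC0000005)
#define STATUS_INVALID_PARAMETER      ((NTSTATUS)0xC000000D)
#define STATUS_INSUFFICIENT_RESOURCES ((NTSTATUS)0xC000009A)

/* Constructed stand-in for the user address range that ProbeForRead checks. */
typedef struct { const uint8_t *Base; size_t Length; } USER_RANGE;

/* Models ProbeForRead: aligned address and [Addr, Addr+Len) inside the range.
 * The kernel raises an exception on failure; this model returns 0 instead. */
static int ProbeOk(const USER_RANGE *Range, const void *Addr, size_t Len, size_t Align)
{
    uintptr_t a = (uintptr_t)Addr, b = (uintptr_t)Range->Base;
    if (a % Align != 0 || a < b) return 0;
    size_t off = a - b;
    return off <= Range->Length && Len <= Range->Length - off;
}

/* The capture sequence from audit.c. Everything after this runs on the kernel
 * copy, never on the user buffer, which the caller could rewrite concurrently. */
NTSTATUS SepCapturePrivilegeSet(const USER_RANGE *User, const PRIVILEGE_SET *UserSet,
                                PRIVILEGE_SET **Captured)
{
    *Captured = NULL;
    if (!ProbeOk(User, UserSet, sizeof(PRIVILEGE_SET), sizeof(ULONG)))
        return STATUS_ACCESS_VIOLATION;

    ULONG PrivilegeCount = UserSet->PrivilegeCount;          /* single fetch */
    if (PrivilegeCount > SEP_PRIVILEGE_SET_MAX_COUNT)
        return STATUS_INVALID_PARAMETER;                     /* bogus set */

    /* FIELD_OFFSET(PRIVILEGE_SET, Privilege[PrivilegeCount]) */
    size_t Size = offsetof(PRIVILEGE_SET, Privilege)
                + (size_t)PrivilegeCount * sizeof(LUID_AND_ATTRIBUTES);
    if (!ProbeOk(User, UserSet, Size, sizeof(ULONG)))
        return STATUS_ACCESS_VIOLATION;

    PRIVILEGE_SET *Copy = malloc(Size);                      /* ExAllocatePoolWithTag */
    if (Copy == NULL) return STATUS_INSUFFICIENT_RESOURCES;
    memcpy(Copy, UserSet, Size);                             /* RtlCopyMemory */

    /* Hardening this model adds beyond the listing: pin the count to the value
     * the copy was sized for, so a rewrite of the user header between the check
     * and the copy cannot make the kernel copy claim more entries than exist. */
    Copy->PrivilegeCount = PrivilegeCount;
    *Captured = Copy;
    return STATUS_SUCCESS;
}

/* Results of the last constructed capture, for inspection by callers. */
ULONG CapturedCountSeen, LastLowPartSeen;

/* Constructed driver: a "user" buffer of BufferBytes bytes whose header claims
 * ClaimedCount privileges; entry i carries LUID LowPart i+1. */
NTSTATUS CaptureFromConstructedBuffer(ULONG ClaimedCount, size_t BufferBytes)
{
    static ULONG Storage[256];                 /* 1024 bytes, 4-byte aligned */
    PRIVILEGE_SET *Set = (PRIVILEGE_SET *)Storage;
    const ULONG Capacity = (ULONG)((sizeof(Storage) - offsetof(PRIVILEGE_SET, Privilege))
                                   / sizeof(LUID_AND_ATTRIBUTES));
    memset(Storage, 0, sizeof(Storage));
    Set->PrivilegeCount = ClaimedCount;
    for (ULONG i = 0; i < ClaimedCount && i < Capacity; i++)
        Set->Privilege[i].Luid.LowPart = i + 1;
    if (BufferBytes > sizeof(Storage)) BufferBytes = sizeof(Storage);
    USER_RANGE User = { (const uint8_t *)Storage, BufferBytes };

    CapturedCountSeen = 0; LastLowPartSeen = 0;
    PRIVILEGE_SET *Copy;
    NTSTATUS Status = SepCapturePrivilegeSet(&User, Set, &Copy);
    if (Status == STATUS_SUCCESS) {
        CapturedCountSeen = Copy->PrivilegeCount;
        if (Copy->PrivilegeCount)
            LastLowPartSeen = Copy->Privilege[Copy->PrivilegeCount - 1].Luid.LowPart;
        free(Copy);
    }
    return Status;
}

int main(void)
{
    assert(CaptureFromConstructedBuffer(2, 64) == STATUS_SUCCESS && CapturedCountSeen == 2);
    assert(CaptureFromConstructedBuffer(61, 1024) == STATUS_INVALID_PARAMETER);
    assert(CaptureFromConstructedBuffer(10, 32) == STATUS_ACCESS_VIOLATION);
    return 0;
}
```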

◆ NtPrivilegeObjectAuditAlarm()

NTSTATUS NTAPI NtPrivilegeObjectAuditAlarm ( _In_ PUNICODE_STRING  SubsystemName,
_In_ PVOID  HandleId,
_In_ HANDLE  ClientToken,
_In_ ULONG  DesiredAccess,
_In_ PPRIVILEGE_SET  Privileges,
_In_ BOOLEAN  AccessGranted 
)

Raises an alarm audit message when a caller attempts to access a privileged object.

Parameters
[in] SubsystemName: A Unicode string that points to the name of the subsystem.
[in] HandleId: A handle to an ID that is used as an identification instance for auditing.
[in] ClientToken: A handle to a client access token.
[in] DesiredAccess: The desired access rights mask requested by the caller.
[in] Privileges: An array set of privileges.
[in] AccessGranted: Set this to TRUE if the access attempt was deemed as granted.
Returns
To be added...

Definition at line 2066 of file audit.c.

{
    UNIMPLEMENTED;
    return STATUS_NOT_IMPLEMENTED;
}

Referenced by ObjectPrivilegeAuditAlarmA(), and ObjectPrivilegeAuditAlarmW().

◆ SeAuditHardLinkCreation()

VOID NTAPI SeAuditHardLinkCreation ( _In_ PUNICODE_STRING  FileName,
_In_ PUNICODE_STRING  LinkName,
_In_ BOOLEAN  bSuccess 
)

Performs an audit against a hard link creation.

@unimplemented

Parameters
[in] FileName: A Unicode string that points to the name of the file.
[in] LinkName: A Unicode string that points to a link.
[out] bSuccess: If TRUE, the function has successfully audited the hard link and security access can be granted, FALSE otherwise.
Returns
Nothing.

Definition at line 967 of file audit.c.

{
    UNIMPLEMENTED;
}

◆ SeAuditingFileEvents()

BOOLEAN NTAPI SeAuditingFileEvents ( _In_ BOOLEAN  AccessGranted,
_In_ PSECURITY_DESCRIPTOR  SecurityDescriptor 
)

Determines whether auditing against file events is being done or not.

@unimplemented

Parameters
[in] AccessGranted: If set to TRUE, the access attempt is deemed as successful; otherwise set it to FALSE.
[in] SecurityDescriptor: A security descriptor.
Returns
Returns TRUE if auditing is being currently done, FALSE otherwise.

Definition at line 993 of file audit.c.

{
    UNIMPLEMENTED;
    return FALSE;
}

◆ SeAuditingFileEventsWithContext()

BOOLEAN NTAPI SeAuditingFileEventsWithContext ( _In_ BOOLEAN  AccessGranted,
_In_ PSECURITY_DESCRIPTOR  SecurityDescriptor,
_In_opt_ PSECURITY_SUBJECT_CONTEXT  SubjectSecurityContext 
)

Determines whether auditing against file events with subject context is being done or not.

@unimplemented

Parameters
[in] AccessGranted: If set to TRUE, the access attempt is deemed as successful; otherwise set it to FALSE.
[in] SecurityDescriptor: A security descriptor.
[in] SubjectSecurityContext: If specified, the function will check if security auditing is currently being done with this context.
Returns
Returns TRUE if auditing is being currently done, FALSE otherwise.

Definition at line 1023 of file audit.c.

{
    UNIMPLEMENTED_ONCE;
    return FALSE;
}

◆ SeAuditingFileOrGlobalEvents()

BOOLEAN NTAPI SeAuditingFileOrGlobalEvents ( _In_ BOOLEAN  AccessGranted,
_In_ PSECURITY_DESCRIPTOR  SecurityDescriptor,
_In_ PSECURITY_SUBJECT_CONTEXT  SubjectSecurityContext 
)

Determines whether auditing against files or global events with subject context is being done or not.

@unimplemented

Parameters
[in] AccessGranted: If set to TRUE, the access attempt is deemed as successful; otherwise set it to FALSE.
[in] SecurityDescriptor: A security descriptor.
[in] SubjectSecurityContext: If specified, the function will check if security auditing is currently being done with this context.
Returns
Returns TRUE if auditing is being currently done, FALSE otherwise.

Definition at line 1111 of file audit.c.

{
    UNIMPLEMENTED;
    return FALSE;
}

◆ SeAuditingHardLinkEvents()

BOOLEAN NTAPI SeAuditingHardLinkEvents ( _In_ BOOLEAN  AccessGranted,
_In_ PSECURITY_DESCRIPTOR  SecurityDescriptor 
)

Determines whether auditing against hard links events is being done or not.

@unimplemented

Parameters
[in] AccessGranted: If set to TRUE, the access attempt is deemed as successful; otherwise set it to FALSE.
[in] SecurityDescriptor: A security descriptor.
Returns
Returns TRUE if auditing is being currently done, FALSE otherwise.

Definition at line 1050 of file audit.c.

{
    UNIMPLEMENTED;
    return FALSE;
}

◆ SeAuditingHardLinkEventsWithContext()

BOOLEAN NTAPI SeAuditingHardLinkEventsWithContext ( _In_ BOOLEAN  AccessGranted,
_In_ PSECURITY_DESCRIPTOR  SecurityDescriptor,
_In_opt_ PSECURITY_SUBJECT_CONTEXT  SubjectSecurityContext 
)

Determines whether auditing against hard links events with subject context is being done or not.

@unimplemented

Parameters
[in] AccessGranted: If set to TRUE, the access attempt is deemed as successful; otherwise set it to FALSE.
[in] SecurityDescriptor: A security descriptor.
[in] SubjectSecurityContext: If specified, the function will check if security auditing is currently being done with this context.
Returns
Returns TRUE if auditing is being currently done, FALSE otherwise.

Definition at line 1080 of file audit.c.

{
    UNIMPLEMENTED;
    return FALSE;
}

◆ SeAuditProcessCreate()

VOID NTAPI SeAuditProcessCreate ( _In_ PEPROCESS  Process)

Performs security auditing against a process that is about to be created.

@unimplemented

Parameters
[in] Process: An object that points to a process which is in the process of creation.
Returns
Nothing.

Definition at line 56 of file audit.c.

{
    /* FIXME */
}

Referenced by PspCreateProcess().

◆ SeAuditProcessExit()

VOID NTAPI SeAuditProcessExit ( _In_ PEPROCESS  Process)

Performs security auditing against a process that is about to be terminated.

@unimplemented

Parameters
[in] Process: An object that points to a process which is in the process of termination.
Returns
Nothing.

Definition at line 77 of file audit.c.

{
    /* FIXME */
}

Referenced by PspExitThread().

◆ SeCloseObjectAuditAlarm()

VOID NTAPI SeCloseObjectAuditAlarm ( _In_ PVOID  Object,
_In_ HANDLE  Handle,
_In_ BOOLEAN  PerformAction 
)

Closes an alarm audit of an object.

@unimplemented

Parameters
[in] Object: An arbitrary pointer that points to the object.
[in] Handle: A handle of the said object.
[in] PerformAction: Set this to TRUE to perform any auxiliary action, otherwise set to FALSE.
Returns
Nothing.

Definition at line 1140 of file audit.c.

{
    UNIMPLEMENTED;
}

◆ SeDeleteObjectAuditAlarm()

VOID NTAPI SeDeleteObjectAuditAlarm ( _In_ PVOID  Object,
_In_ HANDLE  Handle 
)

Deletes an alarm audit of an object.

@unimplemented

Parameters
[in] Object: An arbitrary pointer that points to the object.
[in] Handle: A handle of the said object.
Returns
Nothing.

Definition at line 1163 of file audit.c.

{
    UNIMPLEMENTED;
}

◆ SeDetailedAuditingWithToken()

BOOLEAN NTAPI SeDetailedAuditingWithToken ( _In_ PTOKEN  Token)

Performs detailed security auditing with an access token.

@unimplemented

Parameters
[in] Token: A valid token object.
Returns
To be added...

Definition at line 34 of file audit.c.

{
    /* FIXME */
    return FALSE;
}

Referenced by ObInitProcess(), PspCreateProcess(), and PspExitThread().

◆ SeInitializeProcessAuditName()

NTSTATUS NTAPI SeInitializeProcessAuditName ( _In_ PFILE_OBJECT  FileObject,
_In_ BOOLEAN  DoAudit,
_Out_ POBJECT_NAME_INFORMATION AuditInfo 
)

Initializes a process audit name and returns it to the caller.

Parameters
[in] FileObject: File object that points to a name to be queried.
[in] DoAudit: If set to TRUE, the function will perform various security auditing onto the audit name.
[out] AuditInfo: The returned audit info data.
Returns
Returns STATUS_SUCCESS if process audit name initialization has completed successfully. STATUS_NO_MEMORY is returned if pool allocation for object name info has failed. A failure NTSTATUS code is returned otherwise.

Definition at line 105 of file audit.c.

{
    OBJECT_NAME_INFORMATION LocalNameInfo;
    POBJECT_NAME_INFORMATION ObjectNameInfo = NULL;
    ULONG ReturnLength;
    NTSTATUS Status;

    PAGED_CODE();
    ASSERT(AuditInfo);

    /* Check if we should do auditing */
    if (DoAudit)
    {
        /* FIXME: TODO */
    }

    /* Now query the name */
    Status = ObQueryNameString(FileObject,
                               &LocalNameInfo,
                               sizeof(LocalNameInfo),
                               &ReturnLength);
    if (((Status == STATUS_BUFFER_OVERFLOW) ||
         (Status == STATUS_BUFFER_TOO_SMALL) ||
         (Status == STATUS_INFO_LENGTH_MISMATCH)) &&
        (ReturnLength != sizeof(LocalNameInfo)))
    {
        /* Allocate required size */
        ObjectNameInfo = ExAllocatePoolWithTag(NonPagedPool,
                                               ReturnLength,
                                               TAG_SEPA);
        if (ObjectNameInfo)
        {
            /* Query the name again */
            Status = ObQueryNameString(FileObject,
                                       ObjectNameInfo,
                                       ReturnLength,
                                       &ReturnLength);
        }
    }

    /* Check if we got here due to failure */
    if ((ObjectNameInfo) &&
        (!(NT_SUCCESS(Status)) || (ReturnLength == sizeof(LocalNameInfo))))
    {
        /* First, free any buffer we might've allocated */
        ASSERT(FALSE);
        if (ObjectNameInfo) ExFreePool(ObjectNameInfo);

        /* Now allocate a temporary one */
        ReturnLength = sizeof(OBJECT_NAME_INFORMATION);
        ObjectNameInfo = ExAllocatePoolWithTag(NonPagedPool,
                                               sizeof(OBJECT_NAME_INFORMATION),
                                               TAG_SEPA);
        if (ObjectNameInfo)
        {
            /* Clear it */
            RtlZeroMemory(ObjectNameInfo, ReturnLength);
            Status = STATUS_SUCCESS;
        }
    }

    /* Check if memory allocation failed */
    if (!ObjectNameInfo) Status = STATUS_NO_MEMORY;

    /* Return the audit name */
    *AuditInfo = ObjectNameInfo;

    /* Return status */
    return Status;
}

Referenced by MmInitializeProcessAddressSpace(), and SeLocateProcessImageName().

◆ SeLocateProcessImageName()

NTSTATUS NTAPI SeLocateProcessImageName ( _In_ PEPROCESS  Process,
_Out_ PUNICODE_STRING ProcessImageName 
)

Finds the process image name of a specific process.

Parameters
[in] Process: Process object submitted by the caller, whose image name is to be located.
[out] ProcessImageName: An output Unicode string structure with the located process image name.
Returns
Returns STATUS_SUCCESS if process image name has been located successfully. STATUS_NO_MEMORY is returned if pool allocation for the image name has failed. A failure NTSTATUS code is returned otherwise.

Definition at line 199 of file audit.c.

{
    POBJECT_NAME_INFORMATION AuditName;
    PUNICODE_STRING ImageName;
    PFILE_OBJECT FileObject;
    NTSTATUS Status = STATUS_SUCCESS;

    PAGED_CODE();

    /* Assume failure */
    *ProcessImageName = NULL;

    /* Check if we have audit info */
    AuditName = Process->SeAuditProcessCreationInfo.ImageFileName;
    if (!AuditName)
    {
        /* Get the file object */
        Status = PsReferenceProcessFilePointer(Process, &FileObject);
        if (!NT_SUCCESS(Status)) return Status;

        /* Initialize the audit structure */
        Status = SeInitializeProcessAuditName(FileObject, FALSE, &AuditName);
        if (NT_SUCCESS(Status))
        {
            /* Set it */
            if (InterlockedCompareExchangePointer((PVOID*)&Process->
                                                  SeAuditProcessCreationInfo.ImageFileName,
                                                  AuditName,
                                                  NULL))
            {
                /* Someone beat us to it, deallocate our copy */
                ExFreePool(AuditName);
            }
        }

        /* Dereference the file object */
        ObDereferenceObject(FileObject);
        if (!NT_SUCCESS(Status)) return Status;
    }

    /* Get audit info again, now we have it for sure */
    AuditName = Process->SeAuditProcessCreationInfo.ImageFileName;

    /* Allocate the output string */
    ImageName = ExAllocatePoolWithTag(PagedPool,
                                      AuditName->Name.MaximumLength +
                                      sizeof(UNICODE_STRING),
                                      TAG_SEPA);
    if (!ImageName) return STATUS_NO_MEMORY;

    /* Make a copy of it */
    RtlCopyMemory(ImageName,
                  &AuditName->Name,
                  AuditName->Name.MaximumLength + sizeof(UNICODE_STRING));

    /* Fix up the buffer */
    ImageName->Buffer = (PWSTR)(ImageName + 1);

    /* Return it */
    *ProcessImageName = ImageName;

    /* Return status */
    return Status;
}

Referenced by NtQueryInformationProcess(), and QSI_DEF().

◆ SeOpenObjectAuditAlarm()

VOID NTAPI SeOpenObjectAuditAlarm ( _In_ PUNICODE_STRING  ObjectTypeName,
_In_opt_ PVOID  Object,
_In_opt_ PUNICODE_STRING  AbsoluteObjectName,
_In_ PSECURITY_DESCRIPTOR  SecurityDescriptor,
_In_ PACCESS_STATE  AccessState,
_In_ BOOLEAN  ObjectCreated,
_In_ BOOLEAN  AccessGranted,
_In_ KPROCESSOR_MODE  AccessMode,
_Out_ PBOOLEAN  GenerateOnClose 
)

Creates an audit with alarm notification of an object that is being opened.

@unimplemented

Parameters
[in] ObjectTypeName: A Unicode string that points to the object type name.
[in] Object: If specified, the function will use this parameter to directly open the object.
[in] AbsoluteObjectName: If specified, the function will use this parameter to directly open the object through its absolute name.
[in] SecurityDescriptor: A security descriptor.
[in] AccessState: An access state rights mask when opening the object.
[in] ObjectCreated: Set this to TRUE if the object has been fully created, FALSE otherwise.
[in] AccessGranted: Set this to TRUE if access was deemed as granted.
[in] AccessMode: Processor level access mode.
[out] GenerateOnClose: A boolean flag returned to the caller once the audit generation procedure finishes.
Returns
Nothing.

Definition at line 1213 of file audit.c.

{
    PAGED_CODE();

    /* Audits aren't done on kernel-mode access */
    if (AccessMode == KernelMode) return;

    /* Otherwise, unimplemented! */
    //UNIMPLEMENTED;
    return;
}

Referenced by IopParseDevice(), NpCreateClientEnd(), NpCreateExistingNamedPipe(), and ObCheckObjectAccess().

◆ SeOpenObjectForDeleteAuditAlarm()

VOID NTAPI SeOpenObjectForDeleteAuditAlarm ( _In_ PUNICODE_STRING  ObjectTypeName,
_In_opt_ PVOID  Object,
_In_opt_ PUNICODE_STRING  AbsoluteObjectName,
_In_ PSECURITY_DESCRIPTOR  SecurityDescriptor,
_In_ PACCESS_STATE  AccessState,
_In_ BOOLEAN  ObjectCreated,
_In_ BOOLEAN  AccessGranted,
_In_ KPROCESSOR_MODE  AccessMode,
_Out_ PBOOLEAN  GenerateOnClose 
)

Creates an audit with alarm notification of an object that is being opened for deletion.

@unimplemented

Parameters
[in] ObjectTypeName: A Unicode string that points to the object type name.
[in] Object: If specified, the function will use this parameter to directly open the object.
[in] AbsoluteObjectName: If specified, the function will use this parameter to directly open the object through its absolute name.
[in] SecurityDescriptor: A security descriptor.
[in] AccessState: An access state rights mask when opening the object.
[in] ObjectCreated: Set this to TRUE if the object has been fully created, FALSE otherwise.
[in] AccessGranted: Set this to TRUE if access was deemed as granted.
[in] AccessMode: Processor level access mode.
[out] GenerateOnClose: A boolean flag returned to the caller once the audit generation procedure finishes.
Returns
Nothing.

Definition at line 1276 of file audit.c.

{
    UNIMPLEMENTED;
}

◆ SepAccessCheckAndAuditAlarm()

_Must_inspect_result_ NTSTATUS NTAPI SepAccessCheckAndAuditAlarm ( _In_ PUNICODE_STRING  SubsystemName,
_In_opt_ PVOID  HandleId,
_In_ PHANDLE  ClientTokenHandle,
_In_ PUNICODE_STRING  ObjectTypeName,
_In_ PUNICODE_STRING  ObjectName,
_In_ PSECURITY_DESCRIPTOR  SecurityDescriptor,
_In_opt_ PSID  PrincipalSelfSid,
_In_ ACCESS_MASK  DesiredAccess,
_In_ AUDIT_EVENT_TYPE  AuditType,
_In_ ULONG  Flags,
_In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST  ObjectTypeList,
_In_ ULONG  ObjectTypeListLength,
_In_ PGENERIC_MAPPING  GenericMapping,
_Out_writes_(ObjectTypeListLength) PACCESS_MASK  GrantedAccessList,
_Out_writes_(ObjectTypeListLength) PNTSTATUS  AccessStatusList,
_Out_ PBOOLEAN  GenerateOnClose,
_In_ BOOLEAN  UseResultList 
)

Performs security auditing to determine whether the specified object can be granted security access or not.

Parameters
[in] SubsystemName: A Unicode string that represents the name of the subsystem that actuates the auditing process.
[in] HandleId: A handle to an ID used to identify the object where auditing is to be done.
[in] SubjectContext: Security subject context.
[in] ObjectTypeName: A Unicode string that represents the name of an object type.
[in] ObjectName: The name of the object.
[in] SecurityDescriptor: A security descriptor with internal security information details for the audit.
[in] PrincipalSelfSid: A principal self user SID.
[in] DesiredAccess: The desired access rights mask requested by the caller.
[in] AuditType: Type of audit to start. This parameter influences how an audit should be done.
[in] Flags: Flag bitmask parameter.
[in] HaveAuditPrivilege: If set to TRUE, the security subject context has the audit privilege and is thus allowed to perform the audit.
[in] ObjectTypeList: A list of object types.
[in] ObjectTypeListLength: The length of the list.
[in] GenericMapping: The generic mapping table of access rights used while performing the auditing sequence.
[out] GrantedAccessList: This parameter is used to return to the caller a list of the actual granted access rights masks for the audited object.
[out] AccessStatusList: This parameter is used to return to the caller a list of status return codes. The function may actually return a single NTSTATUS code if the calling thread sets the UseResultList parameter to FALSE.
[out] GenerateOnClose: Returns TRUE if the function has generated a list of granted access rights and status codes on termination, FALSE otherwise.
[in] UseResultList: If set to TRUE, the caller wants the function to return only a single NTSTATUS code.
Returns
Returns STATUS_SUCCESS if the function has completed the whole internal auditing procedure with success. STATUS_INVALID_PARAMETER is returned if one of the parameters does not satisfy the general requirements of the function. STATUS_INSUFFICIENT_RESOURCES is returned if pool memory allocation has failed. STATUS_PRIVILEGE_NOT_HELD is returned if the current security subject context does not have the required audit privilege to actually perform auditing in the first place. STATUS_INVALID_SECURITY_DESCR is returned if the security descriptor provided by the caller is not valid, that is, the descriptor doesn't belong to the main user (owner) and current group. STATUS_GENERIC_NOT_MAPPED is returned if the access rights masks aren't actually mapped. A failure NTSTATUS code is returned otherwise.

Definition at line 614 of file audit.c.

/* Body of SepAccessCheckAndAuditAlarm (the parameter list is given above).
   Lines marked "reconstructed" were dropped by the page extraction and are
   restored from the surrounding context and the symbols this page references. */
{
    SECURITY_SUBJECT_CONTEXT SubjectContext;
    ULONG ResultListLength;
    GENERIC_MAPPING LocalGenericMapping;
    PTOKEN SubjectContextToken, ClientToken;
    BOOLEAN AllocatedResultLists;
    BOOLEAN HaveAuditPrivilege;
    PSECURITY_DESCRIPTOR CapturedSecurityDescriptor;
    UNICODE_STRING CapturedSubsystemName, CapturedObjectTypeName, CapturedObjectName;
    ACCESS_MASK GrantedAccess, *SafeGrantedAccessList;
    NTSTATUS AccessStatus, *SafeAccessStatusList;
    PSID CapturedPrincipalSelfSid;
    POBJECT_TYPE_LIST CapturedObjectTypeList;
    ULONG i;
    BOOLEAN LocalGenerateOnClose;
    NTSTATUS Status;
    PAGED_CODE();

    /* Only user mode is supported! */
    ASSERT(ExGetPreviousMode() != KernelMode); /* reconstructed */

    /* Start clean */
    AllocatedResultLists = FALSE;
    ClientToken = NULL;
    CapturedSecurityDescriptor = NULL;
    CapturedSubsystemName.Buffer = NULL;
    CapturedObjectTypeName.Buffer = NULL;
    CapturedObjectName.Buffer = NULL;
    CapturedPrincipalSelfSid = NULL;
    CapturedObjectTypeList = NULL;

    /* Validate AuditType */
    if ((AuditType != AuditEventObjectAccess) &&
        (AuditType != AuditEventDirectoryServiceAccess))
    {
        DPRINT1("Invalid audit type: %u\n", AuditType);
        return STATUS_INVALID_PARAMETER;
    }

    /* Capture the security subject context */
    SeCaptureSubjectContext(&SubjectContext);

    /* Did the caller pass a token handle? */
    if (ClientTokenHandle == NULL)
    {
        /* Check if we have a token in the subject context */
        if (SubjectContext.ClientToken == NULL)
        {
            Status = STATUS_NO_IMPERSONATION_TOKEN;
            DPRINT1("No token\n");
            goto Cleanup;
        }

        /* Check if we have a valid impersonation level */
        if (SubjectContext.ImpersonationLevel < SecurityIdentification)
        {
            Status = STATUS_BAD_IMPERSONATION_LEVEL; /* reconstructed: the status code is not shown on this page */
            DPRINT1("Invalid impersonation level 0x%lx\n",
                    SubjectContext.ImpersonationLevel);
            goto Cleanup;
        }
    }

    /* Are we using a result list? */
    if (UseResultList)
    {
        /* The list length equals the object type list length */
        ResultListLength = ObjectTypeListLength;
        if ((ResultListLength == 0) || (ResultListLength > 0x1000))
        {
            Status = STATUS_INVALID_PARAMETER;
            DPRINT1("Invalid ResultListLength: 0x%lx\n", ResultListLength);
            goto Cleanup;
        }

        /* Allocate a safe buffer from paged pool; the bounded length above
           keeps this size computation from overflowing */
        SafeGrantedAccessList = ExAllocatePoolWithTag(PagedPool,
                                                      2 * ResultListLength * sizeof(ULONG),
                                                      TAG_SEPA);
        if (SafeGrantedAccessList == NULL)
        {
            Status = STATUS_INSUFFICIENT_RESOURCES;
            DPRINT1("Failed to allocate access lists\n");
            goto Cleanup;
        }

        /* The status list is the second half of the same allocation */
        SafeAccessStatusList = (PNTSTATUS)&SafeGrantedAccessList[ResultListLength];
        AllocatedResultLists = TRUE;
    }
    else
    {
        /* List length is 1 */
        ResultListLength = 1;
        SafeGrantedAccessList = &GrantedAccess;
        SafeAccessStatusList = &AccessStatus;
    }

    _SEH2_TRY
    {
        /* Probe output buffers */
        ProbeForWrite(AccessStatusList,
                      ResultListLength * sizeof(*AccessStatusList),
                      sizeof(*AccessStatusList));
        ProbeForWrite(GrantedAccessList,
                      ResultListLength * sizeof(*GrantedAccessList),
                      sizeof(*GrantedAccessList));

        /* Probe generic mapping and make a local copy */
        ProbeForRead(GenericMapping, sizeof(*GenericMapping), sizeof(ULONG)); /* reconstructed */
        LocalGenericMapping = *GenericMapping;
    }
    _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
    {
        Status = _SEH2_GetExceptionCode();
        DPRINT1("Exception while probing parameters: 0x%lx\n", Status);
        _SEH2_YIELD(goto Cleanup);
    }
    _SEH2_END;

    /* Do we have a client token? */
    if (ClientTokenHandle != NULL)
    {
        /* Reference the client token */
        Status = ObReferenceObjectByHandle(*ClientTokenHandle,
                                           TOKEN_QUERY,       /* reconstructed */
                                           SeTokenObjectType, /* reconstructed */
                                           UserMode,
                                           (PVOID*)&ClientToken,
                                           NULL);
        if (!NT_SUCCESS(Status))
        {
            DPRINT1("Failed to reference token handle %p: %lx\n",
                    *ClientTokenHandle, Status);
            goto Cleanup;
        }

        /* Swap the caller's token into the subject context; restored in Cleanup */
        SubjectContextToken = SubjectContext.ClientToken;
        SubjectContext.ClientToken = ClientToken;
    }

    /* Check for audit privilege */
    HaveAuditPrivilege = SeCheckAuditPrivilege(&SubjectContext, UserMode);
    if (!HaveAuditPrivilege && !(Flags & AUDIT_ALLOW_NO_PRIVILEGE))
    {
        DPRINT1("Caller does not have SeAuditPrivilege\n");
        Status = STATUS_PRIVILEGE_NOT_HELD;
        goto Cleanup;
    }

    /* Generic access must already be mapped to non-generic access types! */
    if (DesiredAccess & (GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE | GENERIC_ALL))
    {
        DPRINT1("Generic access rights requested: 0x%lx\n", DesiredAccess);
        Status = STATUS_GENERIC_NOT_MAPPED;
        goto Cleanup;
    }

    /* Capture the security descriptor */
    Status = SeCaptureSecurityDescriptor(SecurityDescriptor,
                                         UserMode,
                                         PagedPool,
                                         FALSE,
                                         &CapturedSecurityDescriptor);
    if (!NT_SUCCESS(Status))
    {
        DPRINT1("Failed to capture security descriptor!\n");
        goto Cleanup;
    }

    /* Validate the Security descriptor */
    if ((SepGetOwnerFromDescriptor(CapturedSecurityDescriptor) == NULL) ||
        (SepGetGroupFromDescriptor(CapturedSecurityDescriptor) == NULL))
    {
        Status = STATUS_INVALID_SECURITY_DESCR;
        DPRINT1("Invalid security descriptor\n");
        goto Cleanup;
    }

    /* Probe and capture the subsystem name */
    Status = ProbeAndCaptureUnicodeString(&CapturedSubsystemName,
                                          UserMode,
                                          SubsystemName);
    if (!NT_SUCCESS(Status))
    {
        DPRINT1("Failed to capture subsystem name!\n");
        goto Cleanup;
    }

    /* Probe and capture the object type name */
    Status = ProbeAndCaptureUnicodeString(&CapturedObjectTypeName,
                                          UserMode,
                                          ObjectTypeName);
    if (!NT_SUCCESS(Status))
    {
        DPRINT1("Failed to capture object type name!\n");
        goto Cleanup;
    }

    /* Probe and capture the object name */
    Status = ProbeAndCaptureUnicodeString(&CapturedObjectName,
                                          UserMode,
                                          ObjectName);
    if (!NT_SUCCESS(Status))
    {
        DPRINT1("Failed to capture object name!\n");
        goto Cleanup;
    }

    /* Check if we have a PrincipalSelfSid */
    if (PrincipalSelfSid != NULL)
    {
        /* Capture it */
        Status = SepCaptureSid(PrincipalSelfSid,
                               UserMode,
                               PagedPool,
                               FALSE,
                               &CapturedPrincipalSelfSid);
        if (!NT_SUCCESS(Status))
        {
            DPRINT1("Failed to capture PrincipalSelfSid!\n");
            goto Cleanup;
        }
    }

    /* Capture the object type list */
    Status = SeCaptureObjectTypeList(ObjectTypeList,
                                     ObjectTypeListLength,
                                     UserMode,
                                     &CapturedObjectTypeList);
    if (!NT_SUCCESS(Status))
    {
        DPRINT1("Failed to capture object type list!\n");
        goto Cleanup;
    }

    /* Call the worker routine with the captured buffers */
    Status = SepAccessCheckAndAuditAlarmWorker(&CapturedSubsystemName,
                                               HandleId,
                                               &SubjectContext,
                                               &CapturedObjectTypeName,
                                               &CapturedObjectName,
                                               CapturedSecurityDescriptor,
                                               CapturedPrincipalSelfSid,
                                               DesiredAccess,
                                               AuditType,
                                               HaveAuditPrivilege,
                                               CapturedObjectTypeList,
                                               ObjectTypeListLength,
                                               &LocalGenericMapping,
                                               SafeGrantedAccessList,
                                               SafeAccessStatusList,
                                               &LocalGenerateOnClose,
                                               UseResultList);
    if (!NT_SUCCESS(Status))
        goto Cleanup;

    /* Enter SEH to copy the data back to user mode */
    _SEH2_TRY
    {
        /* Loop all result entries (only 1 when no list was requested) */
        ASSERT(UseResultList || (ResultListLength == 1));
        for (i = 0; i < ResultListLength; i++)
        {
            AccessStatusList[i] = SafeAccessStatusList[i];
            GrantedAccessList[i] = SafeGrantedAccessList[i];
        }

        *GenerateOnClose = LocalGenerateOnClose;
    }
    _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
    {
        Status = _SEH2_GetExceptionCode();
        DPRINT1("Exception while copying back data: 0x%lx\n", Status);
    }
    _SEH2_END;

Cleanup:

    if (CapturedObjectTypeList != NULL)
        SeReleaseObjectTypeList(CapturedObjectTypeList, UserMode);

    if (CapturedPrincipalSelfSid != NULL)
        SepReleaseSid(CapturedPrincipalSelfSid, UserMode, FALSE);

    if (CapturedObjectName.Buffer != NULL)
        ReleaseCapturedUnicodeString(&CapturedObjectName, UserMode);

    if (CapturedObjectTypeName.Buffer != NULL)
        ReleaseCapturedUnicodeString(&CapturedObjectTypeName, UserMode);

    if (CapturedSubsystemName.Buffer != NULL)
        ReleaseCapturedUnicodeString(&CapturedSubsystemName, UserMode);

    if (CapturedSecurityDescriptor != NULL)
        SeReleaseSecurityDescriptor(CapturedSecurityDescriptor, UserMode, FALSE);

    if (ClientToken != NULL)
    {
        ObDereferenceObject(ClientToken);
        SubjectContext.ClientToken = SubjectContextToken;
    }

    if (AllocatedResultLists)
        ExFreePoolWithTag(SafeGrantedAccessList, TAG_SEPA);

    /* Release the security subject context */
    SeReleaseSubjectContext(&SubjectContext);

    return Status;
}
#define GENERIC_READ
Definition: compat.h:135
ULONG ACCESS_MASK
Definition: nt_native.h:40
#define GENERIC_ALL
Definition: nt_native.h:92
#define GENERIC_WRITE
Definition: nt_native.h:90
#define GENERIC_EXECUTE
Definition: nt_native.h:91
VOID NTAPI SepReleaseSid(_In_ PSID CapturedSid, _In_ KPROCESSOR_MODE AccessMode, _In_ BOOLEAN CaptureIfKernel)
Releases a captured SID.
Definition: sid.c:400
NTSTATUS NTAPI SepCaptureSid(_In_ PSID InputSid, _In_ KPROCESSOR_MODE AccessMode, _In_ POOL_TYPE PoolType, _In_ BOOLEAN CaptureIfKernel, _Out_ PSID *CapturedSid)
Captures a SID.
Definition: sid.c:314
FORCEINLINE PSID SepGetOwnerFromDescriptor(_Inout_ PVOID _Descriptor)
Definition: se.h:99
FORCEINLINE PSID SepGetGroupFromDescriptor(_Inout_ PVOID _Descriptor)
Definition: se.h:79
NTSTATUS SeCaptureObjectTypeList(_In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList, _In_ ULONG ObjectTypeListLength, _In_ KPROCESSOR_MODE PreviousMode, _Out_ POBJECT_TYPE_LIST *CapturedObjectTypeList)
Captures a list of object types.
Definition: objtype.c:39
VOID SeReleaseObjectTypeList(_In_ _Post_invalid_ POBJECT_TYPE_LIST CapturedObjectTypeList, _In_ KPROCESSOR_MODE PreviousMode)
Releases a buffer list of object types.
Definition: objtype.c:107
static _Must_inspect_result_ NTSTATUS SepAccessCheckAndAuditAlarmWorker(_In_ PUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ PSECURITY_SUBJECT_CONTEXT SubjectContext, _In_ PUNICODE_STRING ObjectTypeName, _In_ PUNICODE_STRING ObjectName, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_opt_ PSID PrincipalSelfSid, _In_ ACCESS_MASK DesiredAccess, _In_ AUDIT_EVENT_TYPE AuditType, _In_ BOOLEAN HaveAuditPrivilege, _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList, _In_ ULONG ObjectTypeListLength, _In_ PGENERIC_MAPPING GenericMapping, _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccessList, _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatusList, _Out_ PBOOLEAN GenerateOnClose, _In_ BOOLEAN UseResultList)
Worker function that serves as the main heart and brain of the whole concept and implementation of au...
Definition: audit.c:489
#define STATUS_NO_IMPERSONATION_TOKEN
Definition: ntstatus.h:328
#define STATUS_INVALID_SECURITY_DESCR
Definition: ntstatus.h:357
#define STATUS_GENERIC_NOT_MAPPED
Definition: ntstatus.h:466
#define AUDIT_ALLOW_NO_PRIVILEGE
Definition: setypes.h:868
@ AuditEventDirectoryServiceAccess
Definition: setypes.h:865

Referenced by NtAccessCheckAndAuditAlarm(), NtAccessCheckByTypeAndAuditAlarm(), NtAccessCheckByTypeResultListAndAuditAlarm(), and NtAccessCheckByTypeResultListAndAuditAlarmByHandle().
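The validation and result-list handling of SepAccessCheckAndAuditAlarm, modelled in user-mode C as an added example (this is not ReactOS code). It assumes placeholder encodings for the NTSTATUS values the documentation names, a placeholder flag bit standing in for AUDIT_ALLOW_NO_PRIVILEGE, and a worker stub that, like the worker on this page, grants every request; the generic access bits are the real NT values. The point it shows is the defensive shape of the kernel routine: the caller-supplied list length is bounded before it feeds a size computation, both result lists live in one private block that the caller never sees until the worker has finished, and only then are results copied out.

```c
/* Added example, not ReactOS code: a user-mode model of the checks
 * SepAccessCheckAndAuditAlarm applies and of how it sizes, fills and
 * copies back its result lists. */
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

typedef uint32_t ACCESS_MASK;
typedef int32_t NTSTATUS;
/* The kernel carves both lists out of one block of ULONGs, so the two
 * element types must be the same size. */
_Static_assert(sizeof(ACCESS_MASK) == sizeof(NTSTATUS), "lists share one block");

/* Real generic-access bits from the NT headers. */
#define GENERIC_READ    0x80000000u
#define GENERIC_WRITE   0x40000000u
#define GENERIC_EXECUTE 0x20000000u
#define GENERIC_ALL     0x10000000u
#define GENERIC_RIGHTS  (GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE | GENERIC_ALL)

/* AUDIT_EVENT_TYPE values the kernel function accepts. */
enum { AuditEventObjectAccess = 0, AuditEventDirectoryServiceAccess = 1 };

/* Status codes named in the documentation; these encodings are placeholders. */
enum {
    STATUS_SUCCESS                = 0,
    STATUS_INVALID_PARAMETER      = -1,
    STATUS_INSUFFICIENT_RESOURCES = -2,
    STATUS_PRIVILEGE_NOT_HELD     = -3,
    STATUS_GENERIC_NOT_MAPPED     = -4
};

#define MAX_RESULT_LIST_LENGTH  0x1000u /* same bound the kernel enforces */
#define ALLOW_NO_PRIVILEGE_FLAG 1u      /* placeholder for AUDIT_ALLOW_NO_PRIVILEGE */

typedef struct {
    ACCESS_MASK desired_access;
    unsigned    audit_type;
    unsigned    flags;
    bool        have_audit_privilege;
    bool        use_result_list;
    uint32_t    object_type_list_length;
} audit_request;

/* Up-front validation in the order the kernel applies it: audit type,
 * result-list bound, audit privilege, then unmapped generic bits. */
NTSTATUS validate_audit_request(const audit_request *req)
{
    if (req->audit_type != AuditEventObjectAccess &&
        req->audit_type != AuditEventDirectoryServiceAccess)
        return STATUS_INVALID_PARAMETER;
    if (req->use_result_list &&
        (req->object_type_list_length == 0 ||
         req->object_type_list_length > MAX_RESULT_LIST_LENGTH))
        return STATUS_INVALID_PARAMETER;
    if (!req->have_audit_privilege && !(req->flags & ALLOW_NO_PRIVILEGE_FLAG))
        return STATUS_PRIVILEGE_NOT_HELD;
    if (req->desired_access & GENERIC_RIGHTS)
        return STATUS_GENERIC_NOT_MAPPED;
    return STATUS_SUCCESS;
}

/* Stand-in for SepAccessCheckAndAuditAlarmWorker, which on this page still
 * grants every request with STATUS_SUCCESS (assumption: no close audit). */
static void worker_stub(ACCESS_MASK desired, uint32_t n, ACCESS_MASK *granted,
                        NTSTATUS *status, bool *generate_on_close)
{
    for (uint32_t i = 0; i < n; i++) {
        granted[i] = desired;
        status[i] = STATUS_SUCCESS;
    }
    *generate_on_close = false;
}

/* Validate, run the worker on private scratch lists, then copy the results
 * to the caller's arrays (the kernel performs that copy under SEH). */
NTSTATUS access_check_and_audit(const audit_request *req, ACCESS_MASK *granted_out,
                                NTSTATUS *status_out, bool *generate_on_close)
{
    NTSTATUS st = validate_audit_request(req);
    if (st != STATUS_SUCCESS)
        return st;

    /* n is bounded above, so the size multiply below cannot overflow. */
    uint32_t n = req->use_result_list ? req->object_type_list_length : 1;
    ACCESS_MASK *safe_granted = calloc(2 * (size_t)n, sizeof(ACCESS_MASK));
    if (safe_granted == NULL)
        return STATUS_INSUFFICIENT_RESOURCES;
    NTSTATUS *safe_status = (NTSTATUS *)&safe_granted[n]; /* second half of the block */

    bool local_generate_on_close;
    worker_stub(req->desired_access, n, safe_granted, safe_status, &local_generate_on_close);

    for (uint32_t i = 0; i < n; i++) {
        granted_out[i] = safe_granted[i];
        status_out[i] = safe_status[i];
    }
    *generate_on_close = local_generate_on_close;
    free(safe_granted);
    return STATUS_SUCCESS;
}

int main(void)
{
    audit_request req = { .desired_access = 0x1, .audit_type = AuditEventObjectAccess,
                          .have_audit_privilege = true, .use_result_list = true,
                          .object_type_list_length = 3 };
    ACCESS_MASK granted[3];
    NTSTATUS status[3];
    bool on_close;
    return access_check_and_audit(&req, granted, status, &on_close) == STATUS_SUCCESS ? 0 : 1;
}
```

The order of the checks matters in the real routine as well: the cheap rejections (bad audit type, oversized list, missing privilege, unmapped generic bits) all happen before any user buffer is captured, so a malformed request never reaches the pool allocation or the worker.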

◆ SepAccessCheckAndAuditAlarmWorker()

static _Must_inspect_result_ NTSTATUS SepAccessCheckAndAuditAlarmWorker ( _In_ PUNICODE_STRING  SubsystemName,
_In_opt_ PVOID  HandleId,
_In_ PSECURITY_SUBJECT_CONTEXT  SubjectContext,
_In_ PUNICODE_STRING  ObjectTypeName,
_In_ PUNICODE_STRING  ObjectName,
_In_ PSECURITY_DESCRIPTOR  SecurityDescriptor,
_In_opt_ PSID  PrincipalSelfSid,
_In_ ACCESS_MASK  DesiredAccess,
_In_ AUDIT_EVENT_TYPE  AuditType,
_In_ BOOLEAN  HaveAuditPrivilege,
_In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST  ObjectTypeList,
_In_ ULONG  ObjectTypeListLength,
_In_ PGENERIC_MAPPING  GenericMapping,
_Out_writes_(ObjectTypeListLength) PACCESS_MASK  GrantedAccessList,
_Out_writes_(ObjectTypeListLength) PNTSTATUS  AccessStatusList,
_Out_ PBOOLEAN  GenerateOnClose,
_In_ BOOLEAN  UseResultList 
)
static

Worker function that forms the core of the kernel's auditing implementation.

@unimplemented

Parameters
[in] SubsystemName: A Unicode string naming the subsystem that initiates the auditing process.
[in] HandleId: A handle ID identifying the object on which auditing is done.
[in] SubjectContext: Security subject context.
[in] ObjectTypeName: A Unicode string naming the object type.
[in] ObjectName: The name of the object.
[in] SecurityDescriptor: A security descriptor carrying the security information used for the audit.
[in] PrincipalSelfSid: A principal self SID.
[in] DesiredAccess: The access rights mask requested by the caller.
[in] AuditType: Type of audit to start. This parameter determines how the audit is done.
[in] HaveAuditPrivilege: If TRUE, the security subject context holds the audit privilege and is therefore allowed to perform the audit.
[in] ObjectTypeList: A list of object types.
[in] ObjectTypeListLength: The number of entries in the list.
[in] GenericMapping: The generic mapping table of access rights used during the auditing sequence.
[out] GrantedAccessList: Receives the list of access rights masks actually granted on the audited object.
[out] AccessStatusList: Receives the list of status codes. A single NTSTATUS code is returned instead when the caller sets UseResultList to FALSE.
[out] GenerateOnClose: Returns TRUE if the function has generated a list of granted access rights and status codes on termination, FALSE otherwise.
[in] UseResultList: If TRUE, one granted access mask and one status code are returned per entry of the object type list; if FALSE, a single mask and status code are returned.
Returns
Returns STATUS_SUCCESS if the function has completed the whole internal auditing procedure successfully.

FIXME: we should do some real work here...

HACK: we just pretend all access is granted!

Definition at line 489 of file audit.c.

{
    ULONG ResultListLength, i;

    /* Get the length of the result list */
    ResultListLength = UseResultList ? ObjectTypeListLength : 1;

    /// FIXME: we should do some real work here...
    UNIMPLEMENTED; /* reconstructed: this line was dropped by the page extraction */

    /// HACK: we just pretend all access is granted!
    for (i = 0; i < ResultListLength; i++)
    {
        GrantedAccessList[i] = DesiredAccess;
        AccessStatusList[i] = STATUS_SUCCESS;
    }

    *GenerateOnClose = FALSE; /* reconstructed: the stub requests no close audit */

    return STATUS_SUCCESS;
}

Referenced by SepAccessCheckAndAuditAlarm().

◆ SepAdtCloseObjectAuditAlarm()

VOID NTAPI SepAdtCloseObjectAuditAlarm ( _In_ PUNICODE_STRING  SubsystemName,
_In_ PVOID  HandleId,
_In_ PSID  Sid 
)

Closes an audit alarm event of an object.

Parameters
[in] SubsystemName: A Unicode string naming the subsystem in which the audit alarm event is to be closed.
[in] HandleId: A handle ID identifying the object whose audit alarm is to be closed.
[in] Sid: The SID of the user who attempted to close the audit alarm.
Returns
Nothing.

Definition at line 287 of file audit.c.

{
    UNIMPLEMENTED; /* reconstructed: the body line was dropped by the page extraction */
}

Referenced by NtCloseObjectAuditAlarm().

◆ SepAdtPrivilegedServiceAuditAlarm()

VOID NTAPI SepAdtPrivilegedServiceAuditAlarm ( _In_ PSECURITY_SUBJECT_CONTEXT  SubjectContext,
_In_opt_ PUNICODE_STRING  SubsystemName,
_In_opt_ PUNICODE_STRING  ServiceName,
_In_ PTOKEN  Token,
_In_ PTOKEN  PrimaryToken,
_In_ PPRIVILEGE_SET  Privileges,
_In_ BOOLEAN  AccessGranted 
)

Performs an audit alarm for a privileged service request. This is a worker function.

Parameters
[in] SubjectContext: The security subject context used for the auditing process.
[in] SubsystemName: A Unicode string naming the subsystem that initiated the audit alarm for the privileged service.
[in] ServiceName: A Unicode string naming the privileged service request being audited.
[in] Token: An access token.
[in] PrimaryToken: A primary access token.
[in] Privileges: The set of privileges checked against the privileged service request.
[in] AccessGranted: TRUE if the privileged service request was granted, FALSE otherwise.
Returns
Nothing.

Definition at line 332 of file audit.c.

{
    DPRINT("SepAdtPrivilegedServiceAuditAlarm is unimplemented\n");
}

Referenced by NtPrivilegedServiceAuditAlarm(), and SePrivilegedServiceAuditAlarm().

◆ SepOpenObjectAuditAlarm()

VOID NTAPI SepOpenObjectAuditAlarm ( _In_ PSECURITY_SUBJECT_CONTEXT  SubjectContext,
_In_ PUNICODE_STRING  SubsystemName,
_In_opt_ PVOID  HandleId,
_In_ PUNICODE_STRING  ObjectTypeName,
_In_ PUNICODE_STRING  ObjectName,
_In_opt_ PSECURITY_DESCRIPTOR  SecurityDescriptor,
_In_ PTOKEN  ClientToken,
_In_ ACCESS_MASK  DesiredAccess,
_In_ ACCESS_MASK  GrantedAccess,
_In_opt_ PPRIVILEGE_SET  Privileges,
_In_ BOOLEAN  ObjectCreation,
_In_ BOOLEAN  AccessGranted,
_Out_ PBOOLEAN  GenerateOnClose 
)

Raises an audit alarm message when an object is about to be opened.

@unimplemented

Parameters
[in] SubjectContext: The security subject context for auditing.
[in] SubsystemName: A Unicode string naming the subsystem.
[in] HandleId: A handle ID identifying the instance being audited.
[in] ObjectTypeName: A Unicode string naming the object type.
[in] ObjectName: The name of the object.
[in] SecurityDescriptor: A security descriptor.
[in] ClientToken: The client access token, representing the client being impersonated.
[in] DesiredAccess: The access rights mask requested by the caller.
[in] GrantedAccess: The access rights mask that was granted.
[in] Privileges: If specified, the set of privileges the audit is based on.
[in] ObjectCreation: TRUE if the object has just been created.
[in] AccessGranted: TRUE if the access attempt was granted.
[out] GenerateOnClose: A boolean flag returned to the caller once the audit generation procedure finishes.
Returns
Nothing.

Definition at line 1535 of file audit.c.

Referenced by NtOpenObjectAuditAlarm().

◆ SePrivilegedServiceAuditAlarm()

VOID NTAPI SePrivilegedServiceAuditAlarm ( _In_opt_ PUNICODE_STRING  ServiceName,
_In_ PSECURITY_SUBJECT_CONTEXT  SubjectContext,
_In_ PPRIVILEGE_SET  PrivilegeSet,
_In_ BOOLEAN  AccessGranted 
)

Performs an audit alarm for a privileged service request.

Parameters
[in] ServiceName: A Unicode string naming the privileged service request being audited.
[in] SubjectContext: The security subject context used for the auditing process.
[in] PrivilegeSet: The set of privileges checked against the privileged service request.
[in] AccessGranted: TRUE if the privileged service request was granted, FALSE otherwise.
Returns
Nothing.

Definition at line 369 of file audit.c.

{
    PTOKEN EffectiveToken;
    PSID UserSid;
    PAGED_CODE();

    /* Get the effective token */
    if (SubjectContext->ClientToken != NULL)
        EffectiveToken = SubjectContext->ClientToken;
    else
        EffectiveToken = SubjectContext->PrimaryToken;

    /* Get the user SID */
    UserSid = EffectiveToken->UserAndGroups->Sid;

    /* Check if this is the local system SID */
    if (RtlEqualSid(UserSid, SeLocalSystemSid))
    {
        /* Nothing to do */
        return;
    }

    /* Check if this is the network service or local service SID */
    if (RtlEqualSid(UserSid, SeExports->SeNetworkServiceSid) ||
        RtlEqualSid(UserSid, SeExports->SeLocalServiceSid))
    {
        // FIXME: should continue for a certain set of privileges
        return;
    }

    /* Call the worker function */
    SepAdtPrivilegedServiceAuditAlarm(SubjectContext,
                                      &SeSubsystemName,
                                      ServiceName,
                                      SubjectContext->ClientToken,
                                      SubjectContext->PrimaryToken,
                                      PrivilegeSet,
                                      AccessGranted);
}
NTSYSAPI BOOLEAN NTAPI RtlEqualSid(_In_ PSID Sid1, _In_ PSID Sid2)
PSID SeLocalSystemSid
Definition: sid.c:38
UNICODE_STRING SeSubsystemName
Definition: audit.c:17
PSE_EXPORTS SeExports
Definition: semgr.c:21
PSID SeNetworkServiceSid
Definition: setypes.h:1240
PSID SeLocalServiceSid
Definition: setypes.h:1239
PSID_AND_ATTRIBUTES UserAndGroups
Definition: setypes.h:233

Referenced by SeCheckAuditPrivilege(), and SeSinglePrivilegeCheck().

◆ SePrivilegeObjectAuditAlarm()

VOID NTAPI SePrivilegeObjectAuditAlarm ( _In_ HANDLE  Handle,
_In_ PSECURITY_SUBJECT_CONTEXT  SubjectContext,
_In_ ACCESS_MASK  DesiredAccess,
_In_ PPRIVILEGE_SET  Privileges,
_In_ BOOLEAN  AccessGranted,
_In_ KPROCESSOR_MODE  CurrentMode 
)

Raises an audit with an alarm notification message when an object attempts to use this privilege.

@unimplemented

Parameters
[in] Handle: A handle to an object.
[in] SubjectContext: The security subject context for auditing.
[in] DesiredAccess: The access rights mask requested by the caller.
[in] Privileges: The set of privileges being audited.
[in] AccessGranted: TRUE if the subject held the required privileges and access was granted, FALSE otherwise.
[in] CurrentMode: The processor access mode of the caller.
Returns
Nothing.

Definition at line 1321 of file audit.c.

{
    UNIMPLEMENTED; /* reconstructed: the body line was dropped by the page extraction */
}

Referenced by HasPrivilege(), ObpCreateHandle(), and SeCheckPrivilegedObject().

Variable Documentation

◆ SeSubsystemName

UNICODE_STRING SeSubsystemName = RTL_CONSTANT_STRING(L"Security")

Definition at line 17 of file audit.c.

Referenced by SePrivilegedServiceAuditAlarm().