ReactOS  0.4.15-dev-4874-g57c84dd
audit.c File Reference
#include <ntoskrnl.h>
#include <debug.h>

Macros

#define NDEBUG
 
#define SEP_PRIVILEGE_SET_MAX_COUNT   60
 

Functions

BOOLEAN NTAPI SeDetailedAuditingWithToken (_In_ PTOKEN Token)
 Performs detailed security auditing with an access token.
 
VOID NTAPI SeAuditProcessCreate (_In_ PEPROCESS Process)
 Performs security auditing of a process that is about to be created.
 
VOID NTAPI SeAuditProcessExit (_In_ PEPROCESS Process)
 Performs security auditing of a process that is about to be terminated.
 
NTSTATUS NTAPI SeInitializeProcessAuditName (_In_ PFILE_OBJECT FileObject, _In_ BOOLEAN DoAudit, _Out_ POBJECT_NAME_INFORMATION *AuditInfo)
 Initializes a process audit name and returns it to the caller.
 
NTSTATUS NTAPI SeLocateProcessImageName (_In_ PEPROCESS Process, _Out_ PUNICODE_STRING *ProcessImageName)
 Finds the process image name of a specific process.
 
VOID NTAPI SepAdtCloseObjectAuditAlarm (_In_ PUNICODE_STRING SubsystemName, _In_ PVOID HandleId, _In_ PSID Sid)
 Closes an audit alarm event of an object.
 
VOID NTAPI SepAdtPrivilegedServiceAuditAlarm (_In_ PSECURITY_SUBJECT_CONTEXT SubjectContext, _In_opt_ PUNICODE_STRING SubsystemName, _In_opt_ PUNICODE_STRING ServiceName, _In_ PTOKEN Token, _In_ PTOKEN PrimaryToken, _In_ PPRIVILEGE_SET Privileges, _In_ BOOLEAN AccessGranted)
 Performs an audit alarm for a privileged service request. This is a worker function.
 
VOID NTAPI SePrivilegedServiceAuditAlarm (_In_opt_ PUNICODE_STRING ServiceName, _In_ PSECURITY_SUBJECT_CONTEXT SubjectContext, _In_ PPRIVILEGE_SET PrivilegeSet, _In_ BOOLEAN AccessGranted)
 Performs an audit alarm for a privileged service request.
 
static _Must_inspect_result_ NTSTATUS SepAccessCheckAndAuditAlarmWorker (_In_ PUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ PSECURITY_SUBJECT_CONTEXT SubjectContext, _In_ PUNICODE_STRING ObjectTypeName, _In_ PUNICODE_STRING ObjectName, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_opt_ PSID PrincipalSelfSid, _In_ ACCESS_MASK DesiredAccess, _In_ AUDIT_EVENT_TYPE AuditType, _In_ BOOLEAN HaveAuditPrivilege, _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList, _In_ ULONG ObjectTypeListLength, _In_ PGENERIC_MAPPING GenericMapping, _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccessList, _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatusList, _Out_ PBOOLEAN GenerateOnClose, _In_ BOOLEAN UseResultList)
 Worker function at the core of the kernel's access check and audit implementation.
 
_Must_inspect_result_ NTSTATUS NTAPI SepAccessCheckAndAuditAlarm (_In_ PUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ PHANDLE ClientTokenHandle, _In_ PUNICODE_STRING ObjectTypeName, _In_ PUNICODE_STRING ObjectName, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_opt_ PSID PrincipalSelfSid, _In_ ACCESS_MASK DesiredAccess, _In_ AUDIT_EVENT_TYPE AuditType, _In_ ULONG Flags, _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList, _In_ ULONG ObjectTypeListLength, _In_ PGENERIC_MAPPING GenericMapping, _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccessList, _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatusList, _Out_ PBOOLEAN GenerateOnClose, _In_ BOOLEAN UseResultList)
 Performs an access check on the object and audits whether access is granted or denied.
 
VOID NTAPI SeAuditHardLinkCreation (_In_ PUNICODE_STRING FileName, _In_ PUNICODE_STRING LinkName, _In_ BOOLEAN bSuccess)
 Performs an audit of a hard link creation.
 
BOOLEAN NTAPI SeAuditingFileEvents (_In_ BOOLEAN AccessGranted, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor)
 Determines whether file events are being audited.
 
BOOLEAN NTAPI SeAuditingFileEventsWithContext (_In_ BOOLEAN AccessGranted, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_opt_ PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext)
 Determines whether file events are being audited, taking the subject context into account.
 
BOOLEAN NTAPI SeAuditingHardLinkEvents (_In_ BOOLEAN AccessGranted, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor)
 Determines whether hard link events are being audited.
 
BOOLEAN NTAPI SeAuditingHardLinkEventsWithContext (_In_ BOOLEAN AccessGranted, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_opt_ PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext)
 Determines whether hard link events are being audited, taking the subject context into account.
 
BOOLEAN NTAPI SeAuditingFileOrGlobalEvents (_In_ BOOLEAN AccessGranted, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext)
 Determines whether file or global events are being audited, taking the subject context into account.
 
VOID NTAPI SeCloseObjectAuditAlarm (_In_ PVOID Object, _In_ HANDLE Handle, _In_ BOOLEAN PerformAction)
 Closes an alarm audit of an object.
 
VOID NTAPI SeDeleteObjectAuditAlarm (_In_ PVOID Object, _In_ HANDLE Handle)
 Deletes an alarm audit of an object.
 
VOID NTAPI SeOpenObjectAuditAlarm (_In_ PUNICODE_STRING ObjectTypeName, _In_opt_ PVOID Object, _In_opt_ PUNICODE_STRING AbsoluteObjectName, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ PACCESS_STATE AccessState, _In_ BOOLEAN ObjectCreated, _In_ BOOLEAN AccessGranted, _In_ KPROCESSOR_MODE AccessMode, _Out_ PBOOLEAN GenerateOnClose)
 Creates an audit with alarm notification for an object that is being opened.
 
VOID NTAPI SeOpenObjectForDeleteAuditAlarm (_In_ PUNICODE_STRING ObjectTypeName, _In_opt_ PVOID Object, _In_opt_ PUNICODE_STRING AbsoluteObjectName, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ PACCESS_STATE AccessState, _In_ BOOLEAN ObjectCreated, _In_ BOOLEAN AccessGranted, _In_ KPROCESSOR_MODE AccessMode, _Out_ PBOOLEAN GenerateOnClose)
 Creates an audit with alarm notification for an object that is being opened for deletion.
 
VOID NTAPI SePrivilegeObjectAuditAlarm (_In_ HANDLE Handle, _In_ PSECURITY_SUBJECT_CONTEXT SubjectContext, _In_ ACCESS_MASK DesiredAccess, _In_ PPRIVILEGE_SET Privileges, _In_ BOOLEAN AccessGranted, _In_ KPROCESSOR_MODE CurrentMode)
 Raises an audit with alarm notification message when a privilege is used to access an object.
 
NTSTATUS NTAPI NtCloseObjectAuditAlarm (_In_ PUNICODE_STRING SubsystemName, _In_ PVOID HandleId, _In_ BOOLEAN GenerateOnClose)
 Raises an alarm audit message when an object is about to be closed.
 
NTSTATUS NTAPI NtDeleteObjectAuditAlarm (_In_ PUNICODE_STRING SubsystemName, _In_ PVOID HandleId, _In_ BOOLEAN GenerateOnClose)
 Raises an alarm audit message when an object is about to be deleted.
 
VOID NTAPI SepOpenObjectAuditAlarm (_In_ PSECURITY_SUBJECT_CONTEXT SubjectContext, _In_ PUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ PUNICODE_STRING ObjectTypeName, _In_ PUNICODE_STRING ObjectName, _In_opt_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ PTOKEN ClientToken, _In_ ACCESS_MASK DesiredAccess, _In_ ACCESS_MASK GrantedAccess, _In_opt_ PPRIVILEGE_SET Privileges, _In_ BOOLEAN ObjectCreation, _In_ BOOLEAN AccessGranted, _Out_ PBOOLEAN GenerateOnClose)
 Raises an alarm audit message when an object is about to be opened.
 
__kernel_entry NTSTATUS NTAPI NtOpenObjectAuditAlarm (_In_ PUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ PUNICODE_STRING ObjectTypeName, _In_ PUNICODE_STRING ObjectName, _In_opt_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ HANDLE ClientTokenHandle, _In_ ACCESS_MASK DesiredAccess, _In_ ACCESS_MASK GrantedAccess, _In_opt_ PPRIVILEGE_SET PrivilegeSet, _In_ BOOLEAN ObjectCreation, _In_ BOOLEAN AccessGranted, _Out_ PBOOLEAN GenerateOnClose)
 Raises an alarm audit message when an object is about to be opened.
 
__kernel_entry NTSTATUS NTAPI NtPrivilegedServiceAuditAlarm (_In_opt_ PUNICODE_STRING SubsystemName, _In_opt_ PUNICODE_STRING ServiceName, _In_ HANDLE ClientTokenHandle, _In_ PPRIVILEGE_SET Privileges, _In_ BOOLEAN AccessGranted)
 Raises an alarm audit message when a caller attempts to request a privileged service call.
 
NTSTATUS NTAPI NtPrivilegeObjectAuditAlarm (_In_ PUNICODE_STRING SubsystemName, _In_ PVOID HandleId, _In_ HANDLE ClientToken, _In_ ULONG DesiredAccess, _In_ PPRIVILEGE_SET Privileges, _In_ BOOLEAN AccessGranted)
 Raises an alarm audit message when a caller attempts to access a privileged object.
 
_Must_inspect_result_ __kernel_entry NTSTATUS NTAPI NtAccessCheckAndAuditAlarm (_In_ PUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ PUNICODE_STRING ObjectTypeName, _In_ PUNICODE_STRING ObjectName, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ ACCESS_MASK DesiredAccess, _In_ PGENERIC_MAPPING GenericMapping, _In_ BOOLEAN ObjectCreation, _Out_ PACCESS_MASK GrantedAccess, _Out_ PNTSTATUS AccessStatus, _Out_ PBOOLEAN GenerateOnClose)
 Raises an alarm audit message when a caller attempts to access an object and determines whether the access can be granted.
 
_Must_inspect_result_ __kernel_entry NTSTATUS NTAPI NtAccessCheckByTypeAndAuditAlarm (_In_ PUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ PUNICODE_STRING ObjectTypeName, _In_ PUNICODE_STRING ObjectName, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_opt_ PSID PrincipalSelfSid, _In_ ACCESS_MASK DesiredAccess, _In_ AUDIT_EVENT_TYPE AuditType, _In_ ULONG Flags, _In_reads_opt_(ObjectTypeLength) POBJECT_TYPE_LIST ObjectTypeList, _In_ ULONG ObjectTypeLength, _In_ PGENERIC_MAPPING GenericMapping, _In_ BOOLEAN ObjectCreation, _Out_ PACCESS_MASK GrantedAccess, _Out_ PNTSTATUS AccessStatus, _Out_ PBOOLEAN GenerateOnClose)
 Raises an alarm audit message when a caller attempts to access an object and determines, per object type, whether the access can be granted.
 
_Must_inspect_result_ __kernel_entry NTSTATUS NTAPI NtAccessCheckByTypeResultListAndAuditAlarm (_In_ PUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ PUNICODE_STRING ObjectTypeName, _In_ PUNICODE_STRING ObjectName, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_opt_ PSID PrincipalSelfSid, _In_ ACCESS_MASK DesiredAccess, _In_ AUDIT_EVENT_TYPE AuditType, _In_ ULONG Flags, _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList, _In_ ULONG ObjectTypeListLength, _In_ PGENERIC_MAPPING GenericMapping, _In_ BOOLEAN ObjectCreation, _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccessList, _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatusList, _Out_ PBOOLEAN GenerateOnClose)
 Raises an alarm audit message when a caller attempts to access an object and determines whether the access can be granted, returning a result list per object type.
 
_Must_inspect_result_ __kernel_entry NTSTATUS NTAPI NtAccessCheckByTypeResultListAndAuditAlarmByHandle (_In_ PUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ HANDLE ClientToken, _In_ PUNICODE_STRING ObjectTypeName, _In_ PUNICODE_STRING ObjectName, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_opt_ PSID PrincipalSelfSid, _In_ ACCESS_MASK DesiredAccess, _In_ AUDIT_EVENT_TYPE AuditType, _In_ ULONG Flags, _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList, _In_ ULONG ObjectTypeListLength, _In_ PGENERIC_MAPPING GenericMapping, _In_ BOOLEAN ObjectCreation, _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccessList, _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatusList, _Out_ PBOOLEAN GenerateOnClose)
 Raises an alarm audit message when a caller attempts to access an object and determines whether the access can be granted, returning a result list per object type and using an explicit client token handle.
 

Variables

UNICODE_STRING SeSubsystemName = RTL_CONSTANT_STRING(L"Security")
 

Macro Definition Documentation

◆ NDEBUG

#define NDEBUG

Definition at line 12 of file audit.c.

◆ SEP_PRIVILEGE_SET_MAX_COUNT

#define SEP_PRIVILEGE_SET_MAX_COUNT   60

Definition at line 15 of file audit.c.

Function Documentation

◆ NtAccessCheckAndAuditAlarm()

_Must_inspect_result_ __kernel_entry NTSTATUS NTAPI NtAccessCheckAndAuditAlarm ( _In_ PUNICODE_STRING  SubsystemName,
_In_opt_ PVOID  HandleId,
_In_ PUNICODE_STRING  ObjectTypeName,
_In_ PUNICODE_STRING  ObjectName,
_In_ PSECURITY_DESCRIPTOR  SecurityDescriptor,
_In_ ACCESS_MASK  DesiredAccess,
_In_ PGENERIC_MAPPING  GenericMapping,
_In_ BOOLEAN  ObjectCreation,
_Out_ PACCESS_MASK  GrantedAccess,
_Out_ PNTSTATUS  AccessStatus,
_Out_ PBOOLEAN  GenerateOnClose 
)

Raises an alarm audit message when a caller attempts to access an object and determines whether the access can be granted.

Parameters
[in] SubsystemName: A Unicode string that points to the name of the subsystem.
[in] HandleId: A handle to an ID that is used as an identification instance for auditing.
[in] ObjectTypeName: The name of the object type.
[in] ObjectName: The object name.
[in] SecurityDescriptor: A security descriptor.
[in] DesiredAccess: The access rights mask requested by the caller.
[in] GenericMapping: The generic mapping of access mask rights.
[in] ObjectCreation: Set this to TRUE if the object has just been created.
[out] GrantedAccess: Returns the granted access rights.
[out] AccessStatus: Returns an NTSTATUS code indicating whether access is granted or not.
[out] GenerateOnClose: Returns TRUE if the function has generated a list of granted access rights and status codes on termination, FALSE otherwise.
Returns
See SepAccessCheckAndAuditAlarm.

Definition at line 2125 of file audit.c.

{
    /* Call the internal function */
    return SepAccessCheckAndAuditAlarm(SubsystemName,
                                       HandleId,
                                       NULL,
                                       ObjectTypeName,
                                       ObjectName,
                                       SecurityDescriptor,
                                       NULL,
                                       DesiredAccess,
                                       AuditEventObjectAccess,
                                       0,
                                       NULL,
                                       0,
                                       GenericMapping,
                                       GrantedAccess,
                                       AccessStatus,
                                       GenerateOnClose,
                                       FALSE);
}

Referenced by AccessCheckAndAuditAlarmA(), and AccessCheckAndAuditAlarmW().

◆ NtAccessCheckByTypeAndAuditAlarm()

_Must_inspect_result_ __kernel_entry NTSTATUS NTAPI NtAccessCheckByTypeAndAuditAlarm ( _In_ PUNICODE_STRING  SubsystemName,
_In_opt_ PVOID  HandleId,
_In_ PUNICODE_STRING  ObjectTypeName,
_In_ PUNICODE_STRING  ObjectName,
_In_ PSECURITY_DESCRIPTOR  SecurityDescriptor,
_In_opt_ PSID  PrincipalSelfSid,
_In_ ACCESS_MASK  DesiredAccess,
_In_ AUDIT_EVENT_TYPE  AuditType,
_In_ ULONG  Flags,
_In_reads_opt_(ObjectTypeLength) POBJECT_TYPE_LIST  ObjectTypeList,
_In_ ULONG  ObjectTypeLength,
_In_ PGENERIC_MAPPING  GenericMapping,
_In_ BOOLEAN  ObjectCreation,
_Out_ PACCESS_MASK  GrantedAccess,
_Out_ PNTSTATUS  AccessStatus,
_Out_ PBOOLEAN  GenerateOnClose 
)

Raises an alarm audit message when a caller attempts to access an object and determines, per object type, whether the access can be granted.

Parameters
[in] SubsystemName: A Unicode string that points to the name of the subsystem.
[in] HandleId: A handle to an ID that is used as an identification instance for auditing.
[in] ObjectTypeName: The name of the object type.
[in] ObjectName: The object name.
[in] SecurityDescriptor: A security descriptor.
[in] PrincipalSelfSid: A principal self user SID.
[in] DesiredAccess: The access rights mask requested by the caller.
[in] AuditType: Type of audit to start, influencing how the audit should be done.
[in] Flags: Flag bitmask, used to check if auditing can be done without privileges.
[in] ObjectTypeList: A list of object types.
[in] ObjectTypeLength: The number of entries in the list.
[in] GenericMapping: The generic mapping of access mask rights.
[in] ObjectCreation: Set this to TRUE if the object has just been created.
[out] GrantedAccess: Returns the granted access rights.
[out] AccessStatus: Returns an NTSTATUS code indicating whether access is granted or not.
[out] GenerateOnClose: Returns TRUE if the function has generated a list of granted access rights and status codes on termination, FALSE otherwise.
Returns
See SepAccessCheckAndAuditAlarm.

Definition at line 2222 of file audit.c.

{
    /* Call the internal function */
    return SepAccessCheckAndAuditAlarm(SubsystemName,
                                       HandleId,
                                       NULL,
                                       ObjectTypeName,
                                       ObjectName,
                                       SecurityDescriptor,
                                       PrincipalSelfSid,
                                       DesiredAccess,
                                       AuditType,
                                       Flags,
                                       ObjectTypeList,
                                       ObjectTypeLength,
                                       GenericMapping,
                                       GrantedAccess,
                                       AccessStatus,
                                       GenerateOnClose,
                                       FALSE);
}

◆ NtAccessCheckByTypeResultListAndAuditAlarm()

_Must_inspect_result_ __kernel_entry NTSTATUS NTAPI NtAccessCheckByTypeResultListAndAuditAlarm ( _In_ PUNICODE_STRING  SubsystemName,
_In_opt_ PVOID  HandleId,
_In_ PUNICODE_STRING  ObjectTypeName,
_In_ PUNICODE_STRING  ObjectName,
_In_ PSECURITY_DESCRIPTOR  SecurityDescriptor,
_In_opt_ PSID  PrincipalSelfSid,
_In_ ACCESS_MASK  DesiredAccess,
_In_ AUDIT_EVENT_TYPE  AuditType,
_In_ ULONG  Flags,
_In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST  ObjectTypeList,
_In_ ULONG  ObjectTypeListLength,
_In_ PGENERIC_MAPPING  GenericMapping,
_In_ BOOLEAN  ObjectCreation,
_Out_writes_(ObjectTypeListLength) PACCESS_MASK  GrantedAccessList,
_Out_writes_(ObjectTypeListLength) PNTSTATUS  AccessStatusList,
_Out_ PBOOLEAN  GenerateOnClose 
)

Raises an alarm audit message when a caller attempts to access an object and determines whether the access can be granted, returning a result list per object type.

Parameters
[in] SubsystemName: A Unicode string that points to the name of the subsystem.
[in] HandleId: A handle to an ID that is used as an identification instance for auditing.
[in] ObjectTypeName: The name of the object type.
[in] ObjectName: The object name.
[in] SecurityDescriptor: A security descriptor.
[in] PrincipalSelfSid: A principal self user SID.
[in] DesiredAccess: The access rights mask requested by the caller.
[in] AuditType: Type of audit to start, influencing how the audit should be done.
[in] Flags: Flag bitmask, used to check if auditing can be done without privileges.
[in] ObjectTypeList: A list of object types.
[in] ObjectTypeListLength: The number of entries in the list.
[in] GenericMapping: The generic mapping of access mask rights.
[in] ObjectCreation: Set this to TRUE if the object has just been created.
[out] GrantedAccessList: Returns the granted access rights, one entry per object type.
[out] AccessStatusList: Returns an NTSTATUS code per object type indicating whether access is granted or not.
[out] GenerateOnClose: Returns TRUE if the function has generated a list of granted access rights and status codes on termination, FALSE otherwise.
Returns
See SepAccessCheckAndAuditAlarm.

Definition at line 2324 of file audit.c.

{
    /* Call the internal function */
    return SepAccessCheckAndAuditAlarm(SubsystemName,
                                       HandleId,
                                       NULL,
                                       ObjectTypeName,
                                       ObjectName,
                                       SecurityDescriptor,
                                       PrincipalSelfSid,
                                       DesiredAccess,
                                       AuditType,
                                       Flags,
                                       ObjectTypeList,
                                       ObjectTypeListLength,
                                       GenericMapping,
                                       GrantedAccessList,
                                       AccessStatusList,
                                       GenerateOnClose,
                                       TRUE);
}

◆ NtAccessCheckByTypeResultListAndAuditAlarmByHandle()

_Must_inspect_result_ __kernel_entry NTSTATUS NTAPI NtAccessCheckByTypeResultListAndAuditAlarmByHandle ( _In_ PUNICODE_STRING  SubsystemName,
_In_opt_ PVOID  HandleId,
_In_ HANDLE  ClientToken,
_In_ PUNICODE_STRING  ObjectTypeName,
_In_ PUNICODE_STRING  ObjectName,
_In_ PSECURITY_DESCRIPTOR  SecurityDescriptor,
_In_opt_ PSID  PrincipalSelfSid,
_In_ ACCESS_MASK  DesiredAccess,
_In_ AUDIT_EVENT_TYPE  AuditType,
_In_ ULONG  Flags,
_In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST  ObjectTypeList,
_In_ ULONG  ObjectTypeListLength,
_In_ PGENERIC_MAPPING  GenericMapping,
_In_ BOOLEAN  ObjectCreation,
_Out_writes_(ObjectTypeListLength) PACCESS_MASK  GrantedAccessList,
_Out_writes_(ObjectTypeListLength) PNTSTATUS  AccessStatusList,
_Out_ PBOOLEAN  GenerateOnClose 
)

Raises an alarm audit message when a caller attempts to access an object and determines whether the access can be granted, returning a result list per object type and using an explicit client token handle.

Parameters
[in] SubsystemName: A Unicode string that points to the name of the subsystem.
[in] HandleId: A handle to an ID that is used as an identification instance for auditing.
[in] ClientToken: A handle to a client access token.
[in] ObjectTypeName: The name of the object type.
[in] ObjectName: The object name.
[in] SecurityDescriptor: A security descriptor.
[in] PrincipalSelfSid: A principal self user SID.
[in] DesiredAccess: The access rights mask requested by the caller.
[in] AuditType: Type of audit to start, influencing how the audit should be done.
[in] Flags: Flag bitmask, used to check if auditing can be done without privileges.
[in] ObjectTypeList: A list of object types.
[in] ObjectTypeListLength: The number of entries in the list.
[in] GenericMapping: The generic mapping of access mask rights.
[in] ObjectCreation: Set this to TRUE if the object has just been created.
[out] GrantedAccessList: Returns the granted access rights, one entry per object type.
[out] AccessStatusList: Returns an NTSTATUS code per object type indicating whether access is granted or not.
[out] GenerateOnClose: Returns TRUE if the function has generated a list of granted access rights and status codes on termination, FALSE otherwise.
Returns
See SepAccessCheckAndAuditAlarm.

Definition at line 2430 of file audit.c.

{
    UNREFERENCED_PARAMETER(ObjectCreation);

    /* Call the internal function */
    return SepAccessCheckAndAuditAlarm(SubsystemName,
                                       HandleId,
                                       &ClientToken,
                                       ObjectTypeName,
                                       ObjectName,
                                       SecurityDescriptor,
                                       PrincipalSelfSid,
                                       DesiredAccess,
                                       AuditType,
                                       Flags,
                                       ObjectTypeList,
                                       ObjectTypeListLength,
                                       GenericMapping,
                                       GrantedAccessList,
                                       AccessStatusList,
                                       GenerateOnClose,
                                       TRUE);
}

◆ NtCloseObjectAuditAlarm()

NTSTATUS NTAPI NtCloseObjectAuditAlarm ( _In_ PUNICODE_STRING  SubsystemName,
_In_ PVOID  HandleId,
_In_ BOOLEAN  GenerateOnClose 
)

Raises an alarm audit message when an object is about to be closed.

Parameters
[in] SubsystemName: A Unicode string that points to the name of the subsystem.
[in] HandleId: A handle to an ID that is used as an identification instance for auditing.
[in] GenerateOnClose: A boolean value previously returned by the "open" equivalent of this function. If the caller explicitly sets this to FALSE, the function assumes that the object is not opened and returns without auditing.
Returns
Returns STATUS_SUCCESS if all the operations have completed successfully. STATUS_PRIVILEGE_NOT_HELD is returned if the security subject context does not hold the audit privilege required to perform auditing in the first place.

Definition at line 1358 of file audit.c.

{
    KPROCESSOR_MODE PreviousMode;
    UNICODE_STRING CapturedSubsystemName;
    SECURITY_SUBJECT_CONTEXT SubjectContext;
    BOOLEAN UseImpersonationToken;
    PETHREAD CurrentThread;
    BOOLEAN CopyOnOpen, EffectiveOnly;
    SECURITY_IMPERSONATION_LEVEL ImpersonationLevel;
    NTSTATUS Status;
    PTOKEN Token;
    PAGED_CODE();

    /* Get the previous mode (only user mode is supported!) */
    PreviousMode = ExGetPreviousMode();
    ASSERT(PreviousMode != KernelMode);

    /* Do we even need to do anything? */
    if (!GenerateOnClose)
    {
        /* Nothing to do, return success */
        return STATUS_SUCCESS;
    }

    /* Capture the security subject context */
    SeCaptureSubjectContext(&SubjectContext);

    /* Check for audit privilege */
    if (!SeCheckAuditPrivilege(&SubjectContext, PreviousMode))
    {
        DPRINT1("Caller does not have SeAuditPrivilege\n");
        Status = STATUS_PRIVILEGE_NOT_HELD;
        goto Cleanup;
    }

    /* Probe and capture the subsystem name */
    Status = ProbeAndCaptureUnicodeString(&CapturedSubsystemName,
                                          PreviousMode,
                                          SubsystemName);
    if (!NT_SUCCESS(Status))
    {
        DPRINT1("Failed to capture subsystem name!\n");
        goto Cleanup;
    }

    /* Get the current thread and check if it's impersonating */
    CurrentThread = PsGetCurrentThread();
    if (PsIsThreadImpersonating(CurrentThread))
    {
        /* Get the impersonation token */
        Token = PsReferenceImpersonationToken(CurrentThread,
                                              &CopyOnOpen,
                                              &EffectiveOnly,
                                              &ImpersonationLevel);
        UseImpersonationToken = TRUE;
    }
    else
    {
        /* Get the primary token */
        Token = PsReferencePrimaryToken(PsGetCurrentProcess());
        UseImpersonationToken = FALSE;
    }

    /* Call the internal function */
    SepAdtCloseObjectAuditAlarm(&CapturedSubsystemName,
                                HandleId,
                                Token->UserAndGroups->Sid);

    /* Release the captured subsystem name */
    ReleaseCapturedUnicodeString(&CapturedSubsystemName, PreviousMode);

    /* Check what token we used */
    if (UseImpersonationToken)
    {
        /* Release impersonation token */
        PsDereferenceImpersonationToken(Token);
    }
    else
    {
        /* Release primary token */
        PsDereferencePrimaryToken(Token);
    }

    Status = STATUS_SUCCESS;

Cleanup:

    /* Release the security subject context */
    SeReleaseSubjectContext(&SubjectContext);

    return Status;
}

Referenced by ObjectCloseAuditAlarmA(), and ObjectCloseAuditAlarmW().

◆ NtDeleteObjectAuditAlarm()

NTSTATUS NTAPI NtDeleteObjectAuditAlarm(
    _In_ PUNICODE_STRING SubsystemName,
    _In_ PVOID HandleId,
    _In_ BOOLEAN GenerateOnClose)

Raises an alarm audit message when an object is about to be deleted.

@unimplemented

Parameters
[in] SubsystemName: A Unicode string that points to the name of the subsystem.
[in] HandleId: A handle to an ID used as an identification instance for auditing.
[in] GenerateOnClose: A boolean value previously produced by the "open" equivalent of this function. If the caller explicitly sets this to FALSE, the function assumes that the object is not open.
Returns
To be added...

Definition at line 1475 of file audit.c.

{
    UNIMPLEMENTED;
    return STATUS_NOT_IMPLEMENTED;
}

Referenced by ObjectDeleteAuditAlarmA(), and ObjectDeleteAuditAlarmW().

◆ NtOpenObjectAuditAlarm()

__kernel_entry NTSTATUS NTAPI NtOpenObjectAuditAlarm(
    _In_ PUNICODE_STRING SubsystemName,
    _In_opt_ PVOID HandleId,
    _In_ PUNICODE_STRING ObjectTypeName,
    _In_ PUNICODE_STRING ObjectName,
    _In_opt_ PSECURITY_DESCRIPTOR SecurityDescriptor,
    _In_ HANDLE ClientTokenHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ ACCESS_MASK GrantedAccess,
    _In_opt_ PPRIVILEGE_SET PrivilegeSet,
    _In_ BOOLEAN ObjectCreation,
    _In_ BOOLEAN AccessGranted,
    _Out_ PBOOLEAN GenerateOnClose)

Raises an alarm audit message when an object is about to be opened.

Parameters
[in] SubsystemName: A Unicode string that points to the name of the subsystem.
[in] HandleId: A handle to an ID used as an identification instance for auditing.
[in] ObjectTypeName: A Unicode string that points to an object type name.
[in] ObjectName: The name of the object.
[in] SecurityDescriptor: A security descriptor.
[in] ClientTokenHandle: A handle to a client access token.
[in] DesiredAccess: The desired access rights mask requested by the caller.
[in] GrantedAccess: The granted access rights mask.
[in] PrivilegeSet: If specified, the function will use this set of privileges to audit.
[in] ObjectCreation: Set this to TRUE if the object has just been created.
[in] AccessGranted: Set this to TRUE if the access attempt was deemed as granted.
[out] GenerateOnClose: A boolean flag returned to the caller once the audit generation procedure finishes.
Returns
Returns STATUS_SUCCESS if all the operations have been completed successfully. STATUS_PRIVILEGE_NOT_HELD is returned if the given subject context does not hold the audit privilege required to begin auditing in the first place. STATUS_BAD_IMPERSONATION_LEVEL is returned if the security impersonation level of the client token is below the level that allows impersonation. STATUS_INVALID_PARAMETER is returned if the caller has submitted a bogus privilege set whose entry count exceeds the maximum the kernel accepts. A failure NTSTATUS code is returned otherwise.

Definition at line 1622 of file audit.c.

{
    PTOKEN ClientToken;
    PSECURITY_DESCRIPTOR CapturedSecurityDescriptor;
    UNICODE_STRING CapturedSubsystemName, CapturedObjectTypeName, CapturedObjectName;
    ULONG PrivilegeCount, PrivilegeSetSize;
    volatile PPRIVILEGE_SET CapturedPrivilegeSet;
    BOOLEAN LocalGenerateOnClose;
    PVOID CapturedHandleId;
    SECURITY_SUBJECT_CONTEXT SubjectContext;
    NTSTATUS Status;
    PAGED_CODE();

    /* Only user mode is supported! */
    ASSERT(ExGetPreviousMode() != KernelMode);

    /* Start clean */
    ClientToken = NULL;
    CapturedSecurityDescriptor = NULL;
    CapturedPrivilegeSet = NULL;
    CapturedSubsystemName.Buffer = NULL;
    CapturedObjectTypeName.Buffer = NULL;
    CapturedObjectName.Buffer = NULL;
    CapturedHandleId = NULL; /* HandleId is optional; never hand an uninitialized value on */

    /* Reference the client token */
    Status = ObReferenceObjectByHandle(ClientTokenHandle,
                                       TOKEN_QUERY,
                                       SeTokenObjectType,
                                       UserMode,
                                       (PVOID*)&ClientToken,
                                       NULL);
    if (!NT_SUCCESS(Status))
    {
        DPRINT1("Failed to reference token handle %p: %lx\n",
                ClientTokenHandle, Status);
        return Status;
    }

    /* Capture the security subject context */
    SeCaptureSubjectContext(&SubjectContext);

    /* Validate the token's impersonation level */
    if ((ClientToken->TokenType == TokenImpersonation) &&
        (ClientToken->ImpersonationLevel < SecurityIdentification))
    {
        DPRINT1("Invalid impersonation level (%u)\n", ClientToken->ImpersonationLevel);
        Status = STATUS_BAD_IMPERSONATION_LEVEL;
        goto Cleanup;
    }

    /* Check for audit privilege */
    if (!SeCheckAuditPrivilege(&SubjectContext, UserMode))
    {
        DPRINT1("Caller does not have SeAuditPrivilege\n");
        Status = STATUS_PRIVILEGE_NOT_HELD;
        goto Cleanup;
    }

    /* Check for NULL SecurityDescriptor */
    if (SecurityDescriptor == NULL)
    {
        /* Nothing to do */
        Status = STATUS_SUCCESS;
        goto Cleanup;
    }

    /* Capture the security descriptor */
    Status = SeCaptureSecurityDescriptor(SecurityDescriptor,
                                         UserMode,
                                         PagedPool,
                                         FALSE,
                                         &CapturedSecurityDescriptor);
    if (!NT_SUCCESS(Status))
    {
        DPRINT1("Failed to capture security descriptor!\n");
        goto Cleanup;
    }

    _SEH2_TRY
    {
        /* Check if we have a privilege set */
        if (PrivilegeSet != NULL)
        {
            /* Probe the basic privilege set structure */
            ProbeForRead(PrivilegeSet, sizeof(PRIVILEGE_SET), sizeof(ULONG));

            /* Validate privilege count */
            PrivilegeCount = PrivilegeSet->PrivilegeCount;
            if (PrivilegeCount > SEP_PRIVILEGE_SET_MAX_COUNT)
            {
                Status = STATUS_INVALID_PARAMETER;
                _SEH2_YIELD(goto Cleanup);
            }

            /* Calculate the size of the PrivilegeSet structure */
            PrivilegeSetSize = FIELD_OFFSET(PRIVILEGE_SET, Privilege[PrivilegeCount]);

            /* Probe the whole structure */
            ProbeForRead(PrivilegeSet, PrivilegeSetSize, sizeof(ULONG));

            /* Allocate a temp buffer */
            CapturedPrivilegeSet = ExAllocatePoolWithTag(PagedPool,
                                                         PrivilegeSetSize,
                                                         TAG_PRIVILEGE_SET);
            if (CapturedPrivilegeSet == NULL)
            {
                DPRINT1("Failed to allocate %u bytes\n", PrivilegeSetSize);
                Status = STATUS_INSUFFICIENT_RESOURCES;
                _SEH2_YIELD(goto Cleanup);
            }

            /* Copy the privileges */
            RtlCopyMemory(CapturedPrivilegeSet, PrivilegeSet, PrivilegeSetSize);
        }

        if (HandleId != NULL)
        {
            ProbeForRead(HandleId, sizeof(PVOID), sizeof(PVOID));
            CapturedHandleId = *(PVOID*)HandleId;
        }

        ProbeForWrite(GenerateOnClose, sizeof(BOOLEAN), sizeof(BOOLEAN));
    }
    _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
    {
        Status = _SEH2_GetExceptionCode();
        DPRINT1("Exception while probing parameters: 0x%lx\n", Status);
        _SEH2_YIELD(goto Cleanup);
    }
    _SEH2_END;

    /* Probe and capture the subsystem name */
    Status = ProbeAndCaptureUnicodeString(&CapturedSubsystemName,
                                          UserMode,
                                          SubsystemName);
    if (!NT_SUCCESS(Status))
    {
        DPRINT1("Failed to capture subsystem name!\n");
        goto Cleanup;
    }

    /* Probe and capture the object type name */
    Status = ProbeAndCaptureUnicodeString(&CapturedObjectTypeName,
                                          UserMode,
                                          ObjectTypeName);
    if (!NT_SUCCESS(Status))
    {
        DPRINT1("Failed to capture object type name!\n");
        goto Cleanup;
    }

    /* Probe and capture the object name */
    Status = ProbeAndCaptureUnicodeString(&CapturedObjectName,
                                          UserMode,
                                          ObjectName);
    if (!NT_SUCCESS(Status))
    {
        DPRINT1("Failed to capture object name!\n");
        goto Cleanup;
    }

    /* Call the internal function */
    SepOpenObjectAuditAlarm(&SubjectContext,
                            &CapturedSubsystemName,
                            CapturedHandleId,
                            &CapturedObjectTypeName,
                            &CapturedObjectName,
                            CapturedSecurityDescriptor,
                            ClientToken,
                            DesiredAccess,
                            GrantedAccess,
                            CapturedPrivilegeSet,
                            ObjectCreation,
                            AccessGranted,
                            &LocalGenerateOnClose);

    Status = STATUS_SUCCESS;

    /* Enter SEH to copy the data back to user mode */
    _SEH2_TRY
    {
        *GenerateOnClose = LocalGenerateOnClose;
    }
    _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
    {
        Status = _SEH2_GetExceptionCode();
        DPRINT1("Exception while copying back data: 0x%lx\n", Status);
    }
    _SEH2_END;

Cleanup:

    if (CapturedObjectName.Buffer != NULL)
        ReleaseCapturedUnicodeString(&CapturedObjectName, UserMode);

    if (CapturedObjectTypeName.Buffer != NULL)
        ReleaseCapturedUnicodeString(&CapturedObjectTypeName, UserMode);

    if (CapturedSubsystemName.Buffer != NULL)
        ReleaseCapturedUnicodeString(&CapturedSubsystemName, UserMode);

    if (CapturedSecurityDescriptor != NULL)
        SeReleaseSecurityDescriptor(CapturedSecurityDescriptor, UserMode, FALSE);

    if (CapturedPrivilegeSet != NULL)
        ExFreePoolWithTag(CapturedPrivilegeSet, TAG_PRIVILEGE_SET);

    /* Release the security subject context */
    SeReleaseSubjectContext(&SubjectContext);

    ObDereferenceObject(ClientToken);

    return Status;
}

Referenced by ObjectOpenAuditAlarmA(), and ObjectOpenAuditAlarmW().

◆ NtPrivilegedServiceAuditAlarm()

__kernel_entry NTSTATUS NTAPI NtPrivilegedServiceAuditAlarm(
    _In_opt_ PUNICODE_STRING SubsystemName,
    _In_opt_ PUNICODE_STRING ServiceName,
    _In_ HANDLE ClientTokenHandle,
    _In_ PPRIVILEGE_SET Privileges,
    _In_ BOOLEAN AccessGranted)

Raises an alarm audit message when a caller attempts to request a privileged service call.

Parameters
[in] SubsystemName: A Unicode string that points to the name of the subsystem.
[in] ServiceName: A Unicode string that points to the name of the privileged service.
[in] ClientTokenHandle: A handle to a client access token.
[in] Privileges: An array set of privileges.
[in] AccessGranted: Set this to TRUE if the access attempt was deemed as granted.
Returns
Returns STATUS_SUCCESS if all the operations have been completed successfully. STATUS_PRIVILEGE_NOT_HELD is returned if the given subject context does not hold the audit privilege required to begin auditing in the first place. STATUS_BAD_IMPERSONATION_LEVEL is returned if the security impersonation level of the client token is below the level that allows impersonation. STATUS_INVALID_PARAMETER is returned if the caller has submitted a bogus privilege set whose entry count exceeds the maximum the kernel accepts. A failure NTSTATUS code is returned otherwise.

Definition at line 1883 of file audit.c.

{
    SECURITY_SUBJECT_CONTEXT SubjectContext;
    PTOKEN ClientToken;
    volatile PPRIVILEGE_SET CapturedPrivileges = NULL;
    UNICODE_STRING CapturedSubsystemName;
    UNICODE_STRING CapturedServiceName;
    ULONG PrivilegeCount, PrivilegesSize;
    KPROCESSOR_MODE PreviousMode;
    NTSTATUS Status;
    PAGED_CODE();

    /* Get the previous mode (only user mode is supported!) */
    PreviousMode = ExGetPreviousMode();
    ASSERT(PreviousMode != KernelMode);

    CapturedSubsystemName.Buffer = NULL;
    CapturedServiceName.Buffer = NULL;

    /* Reference the client token */
    Status = ObReferenceObjectByHandle(ClientTokenHandle,
                                       TOKEN_QUERY,
                                       SeTokenObjectType,
                                       PreviousMode,
                                       (PVOID*)&ClientToken,
                                       NULL);
    if (!NT_SUCCESS(Status))
    {
        DPRINT1("Failed to reference client token: 0x%lx\n", Status);
        return Status;
    }

    /* Validate the token's impersonation level */
    if ((ClientToken->TokenType == TokenImpersonation) &&
        (ClientToken->ImpersonationLevel < SecurityIdentification))
    {
        DPRINT1("Invalid impersonation level (%u)\n", ClientToken->ImpersonationLevel);
        ObDereferenceObject(ClientToken);
        return STATUS_BAD_IMPERSONATION_LEVEL;
    }

    /* Capture the security subject context */
    SeCaptureSubjectContext(&SubjectContext);

    /* Check for audit privilege */
    if (!SeCheckAuditPrivilege(&SubjectContext, PreviousMode))
    {
        DPRINT1("Caller does not have SeAuditPrivilege\n");
        Status = STATUS_PRIVILEGE_NOT_HELD;
        goto Cleanup;
    }

    /* Do we have a subsystem name? */
    if (SubsystemName != NULL)
    {
        /* Probe and capture the subsystem name */
        Status = ProbeAndCaptureUnicodeString(&CapturedSubsystemName,
                                              PreviousMode,
                                              SubsystemName);
        if (!NT_SUCCESS(Status))
        {
            DPRINT1("Failed to capture subsystem name!\n");
            goto Cleanup;
        }
    }

    /* Do we have a service name? */
    if (ServiceName != NULL)
    {
        /* Probe and capture the service name */
        Status = ProbeAndCaptureUnicodeString(&CapturedServiceName,
                                              PreviousMode,
                                              ServiceName);
        if (!NT_SUCCESS(Status))
        {
            DPRINT1("Failed to capture service name!\n");
            goto Cleanup;
        }
    }

    _SEH2_TRY
    {
        /* Probe the basic privilege set structure */
        ProbeForRead(Privileges, sizeof(PRIVILEGE_SET), sizeof(ULONG));

        /* Validate privilege count */
        PrivilegeCount = Privileges->PrivilegeCount;
        if (PrivilegeCount > SEP_PRIVILEGE_SET_MAX_COUNT)
        {
            Status = STATUS_INVALID_PARAMETER;
            _SEH2_YIELD(goto Cleanup);
        }

        /* Calculate the size of the Privileges structure */
        PrivilegesSize = FIELD_OFFSET(PRIVILEGE_SET, Privilege[PrivilegeCount]);

        /* Probe the whole structure */
        ProbeForRead(Privileges, PrivilegesSize, sizeof(ULONG));

        /* Allocate a temp buffer */
        CapturedPrivileges = ExAllocatePoolWithTag(PagedPool,
                                                   PrivilegesSize,
                                                   TAG_PRIVILEGE_SET);
        if (CapturedPrivileges == NULL)
        {
            DPRINT1("Failed to allocate %u bytes\n", PrivilegesSize);
            Status = STATUS_INSUFFICIENT_RESOURCES;
            _SEH2_YIELD(goto Cleanup);
        }

        /* Copy the privileges */
        RtlCopyMemory(CapturedPrivileges, Privileges, PrivilegesSize);
    }
    _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
    {
        Status = _SEH2_GetExceptionCode();
        DPRINT1("Got exception 0x%lx\n", Status);
        _SEH2_YIELD(goto Cleanup);
    }
    _SEH2_END;

    /* Call the internal function */
    SepAdtPrivilegedServiceAuditAlarm(&SubjectContext,
                                      SubsystemName ? &CapturedSubsystemName : NULL,
                                      ServiceName ? &CapturedServiceName : NULL,
                                      ClientToken,
                                      SubjectContext.PrimaryToken,
                                      CapturedPrivileges,
                                      AccessGranted);

    Status = STATUS_SUCCESS;

Cleanup:
    /* Cleanup resources */
    if (CapturedSubsystemName.Buffer != NULL)
        ReleaseCapturedUnicodeString(&CapturedSubsystemName, PreviousMode);

    if (CapturedServiceName.Buffer != NULL)
        ReleaseCapturedUnicodeString(&CapturedServiceName, PreviousMode);

    if (CapturedPrivileges != NULL)
        ExFreePoolWithTag(CapturedPrivileges, TAG_PRIVILEGE_SET);

    /* Release the security subject context */
    SeReleaseSubjectContext(&SubjectContext);

    ObDereferenceObject(ClientToken);

    return Status;
}
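The privilege-set capture that NtOpenObjectAuditAlarm and NtPrivilegedServiceAuditAlarm both perform (probe the fixed header, bound PrivilegeCount by SEP_PRIVILEGE_SET_MAX_COUNT before it enters any size arithmetic, size the set with FIELD_OFFSET, probe the whole range, then copy it into a private buffer), written out as an added user-mode C example that is not ReactOS code. ProbeForRead and pool allocation are replaced by an explicit readable-length check and malloc, the structure layouts mirror the NT headers, the sample LUIDs and the helper names are constructed for this example, and the final step of pinning the copy's count to the validated value is this example's addition rather than something the kernel functions above do.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define SEP_PRIVILEGE_SET_MAX_COUNT 60          /* same cap as audit.c */
#define STATUS_SUCCESS                ((int32_t)0x00000000)
#define STATUS_INVALID_PARAMETER      ((int32_t)0xC000000D)
#define STATUS_INSUFFICIENT_RESOURCES ((int32_t)0xC000009A)

/* NT field layout. NT declares Privilege[1], so its sizeof(PRIVILEGE_SET) is the
 * 20 bytes PRIVILEGE_SET_FIXED_SIZE reproduces; a flexible array keeps indexing legal. */
typedef struct { uint32_t LowPart; int32_t HighPart; } LUID;
typedef struct { LUID Luid; uint32_t Attributes; } LUID_AND_ATTRIBUTES;
typedef struct {
    uint32_t PrivilegeCount;
    uint32_t Control;
    LUID_AND_ATTRIBUTES Privilege[];
} PRIVILEGE_SET;
#define PRIVILEGE_SET_FIXED_SIZE (offsetof(PRIVILEGE_SET, Privilege) + sizeof(LUID_AND_ATTRIBUTES))

/* FIELD_OFFSET(PRIVILEGE_SET, Privilege[count]); only safe once count is bounded. */
size_t privilege_set_size(uint32_t count)
{
    return offsetof(PRIVILEGE_SET, Privilege) + (size_t)count * sizeof(LUID_AND_ATTRIBUTES);
}

/* Capture an untrusted PRIVILEGE_SET into a private copy, in the order audit.c uses.
 * user_len is how many bytes the caller's buffer really covers and stands in for
 * ProbeForRead, which raises on an unreadable range. The copy must be free()d. */
int32_t capture_privilege_set(const void *user_buf, size_t user_len, PRIVILEGE_SET **captured)
{
    uint32_t count;
    size_t size;
    *captured = NULL;
    /* 1. Probe the fixed header only: ProbeForRead(p, sizeof(PRIVILEGE_SET), ..). */
    if (user_buf == NULL || user_len < PRIVILEGE_SET_FIXED_SIZE)
        return STATUS_INVALID_PARAMETER;
    /* 2. Fetch PrivilegeCount once and bound it before it feeds any size arithmetic. */
    memcpy(&count, user_buf, sizeof(count));
    if (count > SEP_PRIVILEGE_SET_MAX_COUNT)
        return STATUS_INVALID_PARAMETER;
    /* 3./4. Size the whole structure and probe that range: ProbeForRead(p, size, ..). */
    size = privilege_set_size(count);
    if (user_len < size)
        return STATUS_INVALID_PARAMETER;
    /* 5. Private copy (ExAllocatePoolWithTag + RtlCopyMemory in the kernel). */
    *captured = malloc(size);
    if (*captured == NULL)
        return STATUS_INSUFFICIENT_RESOURCES;
    memcpy(*captured, user_buf, size);
    /* 6. Pin the copy's count to the validated value: the header and the allocation
     *    stay consistent whatever the caller wrote into the user buffer meanwhile. */
    (*captured)->PrivilegeCount = count;
    return STATUS_SUCCESS;
}

/* Constructed sample: a set claiming `count` entries with made-up LUID low parts
 * 7, 8, 9, ... Returns bytes written, or 0 if buf is too small. */
size_t build_sample_set(uint8_t *buf, size_t buf_len, uint32_t count)
{
    size_t size = privilege_set_size(count);
    size_t need = size > PRIVILEGE_SET_FIXED_SIZE ? size : PRIVILEGE_SET_FIXED_SIZE;
    PRIVILEGE_SET *set = (PRIVILEGE_SET *)buf;
    uint32_t i;
    if (buf_len < need)
        return 0;
    memset(buf, 0, need);
    set->PrivilegeCount = count;
    for (i = 0; i < count; i++) {
        set->Privilege[i].Luid.LowPart = 7 + i;
        set->Privilege[i].Attributes = 2;       /* SE_PRIVILEGE_ENABLED */
    }
    return need;
}

/* Drive the capture path over constructed inputs: 0 if every check behaves as
 * expected, otherwise the number of the failing check. */
int run_capture_checks(void)
{
    static uint32_t raw[256];                   /* 1 KiB, 4-byte aligned */
    uint8_t *buf = (uint8_t *)raw;
    PRIVILEGE_SET *cap = NULL;
    size_t n;
    /* A two-entry set is captured intact. */
    n = build_sample_set(buf, sizeof raw, 2);
    if (capture_privilege_set(buf, n, &cap) != STATUS_SUCCESS) return 1;
    if (cap->PrivilegeCount != 2 || cap->Privilege[1].Luid.LowPart != 8) return 2;
    free(cap);
    /* A count above the cap is refused before anything is allocated or copied. */
    n = build_sample_set(buf, sizeof raw, SEP_PRIVILEGE_SET_MAX_COUNT + 1);
    if (capture_privilege_set(buf, n, &cap) != STATUS_INVALID_PARAMETER || cap) return 3;
    /* A header promising more entries than the readable range holds is refused. */
    n = build_sample_set(buf, sizeof raw, 5);
    if (capture_privilege_set(buf, PRIVILEGE_SET_FIXED_SIZE, &cap) != STATUS_INVALID_PARAMETER) return 4;
    /* Exactly 60 entries is the largest set that gets through. */
    n = build_sample_set(buf, sizeof raw, SEP_PRIVILEGE_SET_MAX_COUNT);
    if (capture_privilege_set(buf, n, &cap) != STATUS_SUCCESS || cap->PrivilegeCount != 60) return 5;
    free(cap);
    return 0;
}
```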

Referenced by PrivilegedServiceAuditAlarmA(), and PrivilegedServiceAuditAlarmW().

◆ NtPrivilegeObjectAuditAlarm()

NTSTATUS NTAPI NtPrivilegeObjectAuditAlarm(
    _In_ PUNICODE_STRING SubsystemName,
    _In_ PVOID HandleId,
    _In_ HANDLE ClientToken,
    _In_ ULONG DesiredAccess,
    _In_ PPRIVILEGE_SET Privileges,
    _In_ BOOLEAN AccessGranted)

Raises an alarm audit message when a caller attempts to access a privileged object.

Parameters
[in] SubsystemName: A Unicode string that points to the name of the subsystem.
[in] HandleId: A handle to an ID that is used as an identification instance for auditing.
[in] ClientToken: A handle to a client access token.
[in] DesiredAccess: The desired access rights mask requested by the caller.
[in] Privileges: An array set of privileges.
[in] AccessGranted: Set this to TRUE if the access attempt was deemed as granted.
Returns
To be added...

Definition at line 2066 of file audit.c.

{
    UNIMPLEMENTED;
    return STATUS_NOT_IMPLEMENTED;
}

Referenced by ObjectPrivilegeAuditAlarmA(), and ObjectPrivilegeAuditAlarmW().

◆ SeAuditHardLinkCreation()

VOID NTAPI SeAuditHardLinkCreation(
    _In_ PUNICODE_STRING FileName,
    _In_ PUNICODE_STRING LinkName,
    _In_ BOOLEAN bSuccess)

Performs an audit against a hard link creation.

@unimplemented

Parameters
[in] FileName: A Unicode string that points to the name of the file.
[in] LinkName: A Unicode string that points to the link.
[in] bSuccess: If TRUE, the hard link has been audited successfully and security access can be granted, FALSE otherwise.
Returns
Nothing.

Definition at line 967 of file audit.c.

{
    UNIMPLEMENTED;
}

◆ SeAuditingFileEvents()

BOOLEAN NTAPI SeAuditingFileEvents(
    _In_ BOOLEAN AccessGranted,
    _In_ PSECURITY_DESCRIPTOR SecurityDescriptor)

Determines whether auditing against file events is being done or not.

@unimplemented

Parameters
[in] AccessGranted: Set to TRUE if the access attempt was successful, FALSE otherwise.
[in] SecurityDescriptor: A security descriptor.
Returns
Returns TRUE if auditing is being currently done, FALSE otherwise.

Definition at line 993 of file audit.c.

{
    UNIMPLEMENTED;
    return FALSE;
}

◆ SeAuditingFileEventsWithContext()

BOOLEAN NTAPI SeAuditingFileEventsWithContext(
    _In_ BOOLEAN AccessGranted,
    _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
    _In_opt_ PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext)

Determines whether auditing against file events with subject context is being done or not.

@unimplemented

Parameters
[in] AccessGranted: Set to TRUE if the access attempt was successful, FALSE otherwise.
[in] SecurityDescriptor: A security descriptor.
[in] SubjectSecurityContext: If specified, the function checks whether security auditing is currently being done with this context.
Returns
Returns TRUE if auditing is being currently done, FALSE otherwise.

Definition at line 1023 of file audit.c.

{
    UNIMPLEMENTED_ONCE;
    return FALSE;
}

◆ SeAuditingFileOrGlobalEvents()

BOOLEAN NTAPI SeAuditingFileOrGlobalEvents(
    _In_ BOOLEAN AccessGranted,
    _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
    _In_ PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext)

Determines whether auditing against files or global events with subject context is being done or not.

@unimplemented

Parameters
[in] AccessGranted: Set to TRUE if the access attempt was successful, FALSE otherwise.
[in] SecurityDescriptor: A security descriptor.
[in] SubjectSecurityContext: If specified, the function checks whether security auditing is currently being done with this context.
Returns
Returns TRUE if auditing is being currently done, FALSE otherwise.

Definition at line 1111 of file audit.c.

{
    UNIMPLEMENTED;
    return FALSE;
}

◆ SeAuditingHardLinkEvents()

BOOLEAN NTAPI SeAuditingHardLinkEvents(
    _In_ BOOLEAN AccessGranted,
    _In_ PSECURITY_DESCRIPTOR SecurityDescriptor)

Determines whether auditing against hard links events is being done or not.

@unimplemented

Parameters
[in] AccessGranted: Set to TRUE if the access attempt was successful, FALSE otherwise.
[in] SecurityDescriptor: A security descriptor.
Returns
Returns TRUE if auditing is being currently done, FALSE otherwise.

Definition at line 1050 of file audit.c.

{
    UNIMPLEMENTED;
    return FALSE;
}

◆ SeAuditingHardLinkEventsWithContext()

BOOLEAN NTAPI SeAuditingHardLinkEventsWithContext(
    _In_ BOOLEAN AccessGranted,
    _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
    _In_opt_ PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext
)

Determines whether auditing of hard link events is being done for the given subject context.

@unimplemented

Parameters
[in] AccessGranted: If set to TRUE, the access attempt is deemed successful; otherwise set it to FALSE.
[in] SecurityDescriptor: A security descriptor.
[in] SubjectSecurityContext: If specified, the function checks whether security auditing is currently being done with this context.
Returns
Returns TRUE if auditing is currently being done, FALSE otherwise.

Definition at line 1080 of file audit.c.

{
    UNIMPLEMENTED;
    return FALSE;
}

◆ SeAuditProcessCreate()

VOID NTAPI SeAuditProcessCreate(_In_ PEPROCESS Process)

Performs security auditing on a process that is about to be created.

@unimplemented

Parameters
[in] Process: An object that points to a process which is in the course of creation.
Returns
Nothing.

Definition at line 56 of file audit.c.

{
    /* FIXME */
}

Referenced by PspCreateProcess().

◆ SeAuditProcessExit()

VOID NTAPI SeAuditProcessExit(_In_ PEPROCESS Process)

Performs security auditing on a process that is about to be terminated.

@unimplemented

Parameters
[in] Process: An object that points to a process which is in the course of termination.
Returns
Nothing.

Definition at line 77 of file audit.c.

{
    /* FIXME */
}

Referenced by PspExitThread().

◆ SeCloseObjectAuditAlarm()

VOID NTAPI SeCloseObjectAuditAlarm(
    _In_ PVOID Object,
    _In_ HANDLE Handle,
    _In_ BOOLEAN PerformAction
)

Closes an audit alarm of an object.

@unimplemented

Parameters
[in] Object: An arbitrary pointer that points to the object.
[in] Handle: A handle of the said object.
[in] PerformAction: Set this to TRUE to perform any auxiliary action, otherwise set it to FALSE.
Returns
Nothing.

Definition at line 1140 of file audit.c.

{
    UNIMPLEMENTED;
}

◆ SeDeleteObjectAuditAlarm()

VOID NTAPI SeDeleteObjectAuditAlarm(
    _In_ PVOID Object,
    _In_ HANDLE Handle
)

Deletes an audit alarm of an object.

@unimplemented

Parameters
[in] Object: An arbitrary pointer that points to the object.
[in] Handle: A handle of the said object.
Returns
Nothing.

Definition at line 1163 of file audit.c.

{
    UNIMPLEMENTED;
}

◆ SeDetailedAuditingWithToken()

BOOLEAN NTAPI SeDetailedAuditingWithToken(_In_ PTOKEN Token)

Performs detailed security auditing with an access token.

@unimplemented

Parameters
[in] Token: A valid token object.
Returns
To be added...

Definition at line 34 of file audit.c.

{
    /* FIXME */
    return FALSE;
}

Referenced by ObInitProcess(), PspCreateProcess(), and PspExitThread().

◆ SeInitializeProcessAuditName()

NTSTATUS NTAPI SeInitializeProcessAuditName(
    _In_ PFILE_OBJECT FileObject,
    _In_ BOOLEAN DoAudit,
    _Out_ POBJECT_NAME_INFORMATION *AuditInfo
)

Initializes a process audit name and returns it to the caller.

Parameters
[in] FileObject: File object that points to a name to be queried.
[in] DoAudit: If set to TRUE, the function will perform various security auditing on the audit name.
[out] AuditInfo: The returned audit info data.
Returns
Returns STATUS_SUCCESS if process audit name initialization has completed successfully. STATUS_NO_MEMORY is returned if pool allocation for the object name info has failed. A failure NTSTATUS code is returned otherwise.

Definition at line 105 of file audit.c.

{
    OBJECT_NAME_INFORMATION LocalNameInfo;
    POBJECT_NAME_INFORMATION ObjectNameInfo = NULL;
    ULONG ReturnLength = 8;
    NTSTATUS Status;

    PAGED_CODE();
    ASSERT(AuditInfo);

    /* Check if we should do auditing */
    if (DoAudit)
    {
        /* FIXME: TODO */
    }

    /* Now query the name */
    Status = ObQueryNameString(FileObject,
                               &LocalNameInfo,
                               sizeof(LocalNameInfo),
                               &ReturnLength);
    if (((Status == STATUS_BUFFER_OVERFLOW) ||
         (Status == STATUS_BUFFER_TOO_SMALL) ||
         (Status == STATUS_INFO_LENGTH_MISMATCH)) &&
        (ReturnLength != sizeof(LocalNameInfo)))
    {
        /* Allocate required size */
        ObjectNameInfo = ExAllocatePoolWithTag(NonPagedPool,
                                               ReturnLength,
                                               TAG_SEPA);
        if (ObjectNameInfo)
        {
            /* Query the name again */
            Status = ObQueryNameString(FileObject,
                                       ObjectNameInfo,
                                       ReturnLength,
                                       &ReturnLength);
        }
    }

    /* Check if we got here due to failure */
    if ((ObjectNameInfo) &&
        (!(NT_SUCCESS(Status)) || (ReturnLength == sizeof(LocalNameInfo))))
    {
        /* First, free any buffer we might've allocated */
        ASSERT(FALSE);
        if (ObjectNameInfo) ExFreePool(ObjectNameInfo);

        /* Now allocate a temporary one */
        ReturnLength = sizeof(OBJECT_NAME_INFORMATION);
        ObjectNameInfo = ExAllocatePoolWithTag(NonPagedPool,
                                               sizeof(OBJECT_NAME_INFORMATION),
                                               TAG_SEPA);
        if (ObjectNameInfo)
        {
            /* Clear it */
            RtlZeroMemory(ObjectNameInfo, ReturnLength);
            Status = STATUS_SUCCESS;
        }
    }

    /* Check if memory allocation failed */
    if (!ObjectNameInfo) Status = STATUS_NO_MEMORY;

    /* Return the audit name */
    *AuditInfo = ObjectNameInfo;

    /* Return status */
    return Status;
}

Referenced by MmInitializeProcessAddressSpace(), and SeLocateProcessImageName().

◆ SeLocateProcessImageName()

NTSTATUS NTAPI SeLocateProcessImageName(
    _In_ PEPROCESS Process,
    _Out_ PUNICODE_STRING *ProcessImageName
)

Finds the process image name of a specific process.

Parameters
[in] Process: Process object submitted by the caller, whose image name is to be located.
[out] ProcessImageName: An output Unicode string structure with the located process image name.
Returns
Returns STATUS_SUCCESS if the process image name has been located successfully. STATUS_NO_MEMORY is returned if pool allocation for the image name has failed. A failure NTSTATUS code is returned otherwise.

Definition at line 199 of file audit.c.

{
    POBJECT_NAME_INFORMATION AuditName;
    PUNICODE_STRING ImageName;
    PFILE_OBJECT FileObject;
    NTSTATUS Status = STATUS_SUCCESS;

    PAGED_CODE();

    /* Assume failure */
    *ProcessImageName = NULL;

    /* Check if we have audit info */
    AuditName = Process->SeAuditProcessCreationInfo.ImageFileName;
    if (!AuditName)
    {
        /* Get the file object */
        Status = PsReferenceProcessFilePointer(Process, &FileObject);
        if (!NT_SUCCESS(Status)) return Status;

        /* Initialize the audit structure */
        Status = SeInitializeProcessAuditName(FileObject, TRUE, &AuditName);
        if (NT_SUCCESS(Status))
        {
            /* Set it */
            if (InterlockedCompareExchangePointer((PVOID*)&Process->
                                                  SeAuditProcessCreationInfo.ImageFileName,
                                                  AuditName,
                                                  NULL))
            {
                /* Someone beat us to it, deallocate our copy */
                ExFreePool(AuditName);
            }
        }

        /* Dereference the file object */
        ObDereferenceObject(FileObject);
        if (!NT_SUCCESS(Status)) return Status;
    }

    /* Get audit info again, now we have it for sure */
    AuditName = Process->SeAuditProcessCreationInfo.ImageFileName;

    /* Allocate the output string */
    ImageName = ExAllocatePoolWithTag(PagedPool,
                                      AuditName->Name.MaximumLength +
                                      sizeof(UNICODE_STRING),
                                      TAG_SEPA);
    if (!ImageName) return STATUS_NO_MEMORY;

    /* Make a copy of it */
    RtlCopyMemory(ImageName,
                  &AuditName->Name,
                  AuditName->Name.MaximumLength + sizeof(UNICODE_STRING));

    /* Fix up the buffer */
    ImageName->Buffer = (PWSTR)(ImageName + 1);

    /* Return it */
    *ProcessImageName = ImageName;

    /* Return status */
    return Status;
}

Referenced by NtQueryInformationProcess(), and QSI_DEF().

◆ SeOpenObjectAuditAlarm()

VOID NTAPI SeOpenObjectAuditAlarm(
    _In_ PUNICODE_STRING ObjectTypeName,
    _In_opt_ PVOID Object,
    _In_opt_ PUNICODE_STRING AbsoluteObjectName,
    _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
    _In_ PACCESS_STATE AccessState,
    _In_ BOOLEAN ObjectCreated,
    _In_ BOOLEAN AccessGranted,
    _In_ KPROCESSOR_MODE AccessMode,
    _Out_ PBOOLEAN GenerateOnClose
)

Creates an audit with alarm notification of an object that is being opened.

@unimplemented

Parameters
[in] ObjectTypeName: A Unicode string that points to the object type name.
[in] Object: If specified, the function will use this parameter to directly open the object.
[in] AbsoluteObjectName: If specified, the function will use this parameter to directly open the object through its absolute name.
[in] SecurityDescriptor: A security descriptor.
[in] AccessState: An access state right mask when opening the object.
[in] ObjectCreated: Set this to TRUE if the object has been fully created, FALSE otherwise.
[in] AccessGranted: Set this to TRUE if access was deemed granted.
[in] AccessMode: Processor level access mode.
[out] GenerateOnClose: A boolean flag returned to the caller once the audit generation procedure finishes.
Returns
Nothing.

Definition at line 1213 of file audit.c.

{
    PAGED_CODE();

    /* Audits aren't done on kernel-mode access */
    if (AccessMode == KernelMode) return;

    /* Otherwise, unimplemented! */
    //UNIMPLEMENTED;
    return;
}

Referenced by IopParseDevice(), NpCreateClientEnd(), NpCreateExistingNamedPipe(), and ObCheckObjectAccess().

◆ SeOpenObjectForDeleteAuditAlarm()

VOID NTAPI SeOpenObjectForDeleteAuditAlarm(
    _In_ PUNICODE_STRING ObjectTypeName,
    _In_opt_ PVOID Object,
    _In_opt_ PUNICODE_STRING AbsoluteObjectName,
    _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
    _In_ PACCESS_STATE AccessState,
    _In_ BOOLEAN ObjectCreated,
    _In_ BOOLEAN AccessGranted,
    _In_ KPROCESSOR_MODE AccessMode,
    _Out_ PBOOLEAN GenerateOnClose
)

Creates an audit with alarm notification of an object that is being opened for deletion.

@unimplemented

Parameters
[in] ObjectTypeName: A Unicode string that points to the object type name.
[in] Object: If specified, the function will use this parameter to directly open the object.
[in] AbsoluteObjectName: If specified, the function will use this parameter to directly open the object through its absolute name.
[in] SecurityDescriptor: A security descriptor.
[in] AccessState: An access state right mask when opening the object.
[in] ObjectCreated: Set this to TRUE if the object has been fully created, FALSE otherwise.
[in] AccessGranted: Set this to TRUE if access was deemed granted.
[in] AccessMode: Processor level access mode.
[out] GenerateOnClose: A boolean flag returned to the caller once the audit generation procedure finishes.
Returns
Nothing.

Definition at line 1276 of file audit.c.

{
    UNIMPLEMENTED;
}

◆ SepAccessCheckAndAuditAlarm()

_Must_inspect_result_ NTSTATUS NTAPI SepAccessCheckAndAuditAlarm(
    _In_ PUNICODE_STRING SubsystemName,
    _In_opt_ PVOID HandleId,
    _In_ PHANDLE ClientTokenHandle,
    _In_ PUNICODE_STRING ObjectTypeName,
    _In_ PUNICODE_STRING ObjectName,
    _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
    _In_opt_ PSID PrincipalSelfSid,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ AUDIT_EVENT_TYPE AuditType,
    _In_ ULONG Flags,
    _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList,
    _In_ ULONG ObjectTypeListLength,
    _In_ PGENERIC_MAPPING GenericMapping,
    _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccessList,
    _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatusList,
    _Out_ PBOOLEAN GenerateOnClose,
    _In_ BOOLEAN UseResultList
)

Performs security auditing on whether or not the specified object can be granted the requested access.

Parameters
[in] SubsystemName: A Unicode string that represents the name of the subsystem that actuates the auditing process.
[in] HandleId: A handle to an ID used to identify an object where auditing is to be done.
[in] SubjectContext: Security subject context.
[in] ObjectTypeName: A Unicode string that represents the name of an object type.
[in] ObjectName: The name of the object.
[in] SecurityDescriptor: A security descriptor with internal security information details for the audit.
[in] PrincipalSelfSid: A principal self user SID.
[in] DesiredAccess: The desired access rights mask requested by the caller.
[in] AuditType: Type of audit to start. This parameter influences how the audit is done.
[in] Flags: Flag bitmask parameter.
[in] HaveAuditPrivilege: If set to TRUE, the security subject context has the audit privilege and is thus allowed to perform the audit.
[in] ObjectTypeList: A list of object types.
[in] ObjectTypeListLength: The length of the list.
[in] GenericMapping: The generic mapping table of access rights used while performing the auditing sequence.
[out] GrantedAccessList: Used to return to the caller a list of the actual granted access rights masks that the audited object has.
[out] AccessStatusList: Used to return to the caller a list of status return codes. The function may return a single NTSTATUS code if the calling thread sets the UseResultList parameter to FALSE.
[out] GenerateOnClose: Returns TRUE if the function has generated a list of granted access rights and status codes on termination, FALSE otherwise.
[in] UseResultList: If set to TRUE, the caller wants the function to return only a single NTSTATUS code.
Returns
Returns STATUS_SUCCESS if the function has completed the whole internal auditing procedure with success. STATUS_INVALID_PARAMETER is returned if one of the parameters does not satisfy the general requirements of the function. STATUS_INSUFFICIENT_RESOURCES is returned if pool memory allocation has failed. STATUS_PRIVILEGE_NOT_HELD is returned if the current security subject context does not have the required audit privilege to perform auditing in the first place. STATUS_INVALID_SECURITY_DESCR is returned if the security descriptor provided by the caller is not valid, that is, the descriptor carries no owner or primary group SID. STATUS_GENERIC_NOT_MAPPED is returned if the access rights mask still contains unmapped generic rights. A failure NTSTATUS code is returned otherwise.

Definition at line 614 of file audit.c.

{
    NTSTATUS Status;
    ULONG ResultListLength;
    GENERIC_MAPPING LocalGenericMapping;
    PTOKEN SubjectContextToken, ClientToken;
    BOOLEAN AllocatedResultLists;
    BOOLEAN HaveAuditPrivilege;
    PSECURITY_DESCRIPTOR CapturedSecurityDescriptor;
    UNICODE_STRING CapturedSubsystemName, CapturedObjectTypeName, CapturedObjectName;
    ACCESS_MASK GrantedAccess, *SafeGrantedAccessList;
    NTSTATUS AccessStatus, *SafeAccessStatusList;
    PSID CapturedPrincipalSelfSid;
    POBJECT_TYPE_LIST CapturedObjectTypeList;
    ULONG i;
    BOOLEAN LocalGenerateOnClose;
    SECURITY_SUBJECT_CONTEXT SubjectContext;
    PAGED_CODE();

    /* Only user mode is supported! */
    ASSERT(ExGetPreviousMode() == UserMode);

    /* Start clean */
    AllocatedResultLists = FALSE;
    ClientToken = NULL;
    CapturedSecurityDescriptor = NULL;
    CapturedSubsystemName.Buffer = NULL;
    CapturedObjectTypeName.Buffer = NULL;
    CapturedObjectName.Buffer = NULL;
    CapturedPrincipalSelfSid = NULL;
    CapturedObjectTypeList = NULL;

    /* Validate AuditType */
    if ((AuditType != AuditEventObjectAccess) &&
        (AuditType != AuditEventDirectoryServiceAccess))
    {
        DPRINT1("Invalid audit type: %u\n", AuditType);
        return STATUS_INVALID_PARAMETER;
    }

    /* Capture the security subject context */
    SeCaptureSubjectContext(&SubjectContext);

    /* Did the caller pass a token handle? */
    if (ClientTokenHandle == NULL)
    {
        /* Check if we have a token in the subject context */
        if (SubjectContext.ClientToken == NULL)
        {
            Status = STATUS_NO_IMPERSONATION_TOKEN;
            DPRINT1("No token\n");
            goto Cleanup;
        }

        /* Check if we have a valid impersonation level */
        if (SubjectContext.ImpersonationLevel < SecurityIdentification)
        {
            Status = STATUS_BAD_IMPERSONATION_LEVEL;
            DPRINT1("Invalid impersonation level 0x%lx\n",
                    SubjectContext.ImpersonationLevel);
            goto Cleanup;
        }
    }

    /* Are we using a result list? */
    if (UseResultList)
    {
        /* The list length equals the object type list length */
        ResultListLength = ObjectTypeListLength;
        if ((ResultListLength == 0) || (ResultListLength > 0x1000))
        {
            Status = STATUS_INVALID_PARAMETER;
            DPRINT1("Invalid ResultListLength: 0x%lx\n", ResultListLength);
            goto Cleanup;
        }

        /* Allocate a safe buffer from paged pool */
        SafeGrantedAccessList = ExAllocatePoolWithTag(PagedPool,
                                                      2 * ResultListLength * sizeof(ULONG),
                                                      TAG_SEPA);
        if (SafeGrantedAccessList == NULL)
        {
            Status = STATUS_INSUFFICIENT_RESOURCES;
            DPRINT1("Failed to allocate access lists\n");
            goto Cleanup;
        }

        SafeAccessStatusList = (PNTSTATUS)&SafeGrantedAccessList[ResultListLength];
        AllocatedResultLists = TRUE;
    }
    else
    {
        /* List length is 1 */
        ResultListLength = 1;
        SafeGrantedAccessList = &GrantedAccess;
        SafeAccessStatusList = &AccessStatus;
    }

    _SEH2_TRY
    {
        /* Probe output buffers */
        ProbeForWrite(AccessStatusList,
                      ResultListLength * sizeof(*AccessStatusList),
                      sizeof(*AccessStatusList));
        ProbeForWrite(GrantedAccessList,
                      ResultListLength * sizeof(*GrantedAccessList),
                      sizeof(*GrantedAccessList));

        /* Probe generic mapping and make a local copy */
        ProbeForRead(GenericMapping, sizeof(*GenericMapping), sizeof(ULONG));
        LocalGenericMapping = * GenericMapping;
    }
    _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
    {
        Status = _SEH2_GetExceptionCode();
        DPRINT1("Exception while probing parameters: 0x%lx\n", Status);
        _SEH2_YIELD(goto Cleanup);
    }
    _SEH2_END;

    /* Do we have a client token? */
    if (ClientTokenHandle != NULL)
    {
        /* Reference the client token */
        Status = ObReferenceObjectByHandle(*ClientTokenHandle,
                                           TOKEN_QUERY,
                                           SeTokenObjectType,
                                           UserMode,
                                           (PVOID*)&ClientToken,
                                           NULL);
        if (!NT_SUCCESS(Status))
        {
            DPRINT1("Failed to reference token handle %p: %lx\n",
                    *ClientTokenHandle, Status);
            goto Cleanup;
        }

        SubjectContextToken = SubjectContext.ClientToken;
        SubjectContext.ClientToken = ClientToken;
    }

    /* Check for audit privilege */
    HaveAuditPrivilege = SeCheckAuditPrivilege(&SubjectContext, UserMode);
    if (!HaveAuditPrivilege && !(Flags & AUDIT_ALLOW_NO_PRIVILEGE))
    {
        DPRINT1("Caller does not have SeAuditPrivilege\n");
        Status = STATUS_PRIVILEGE_NOT_HELD;
        goto Cleanup;
    }

    /* Generic access must already be mapped to non-generic access types! */
    if (DesiredAccess & (GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE | GENERIC_ALL))
    {
        DPRINT1("Generic access rights requested: 0x%lx\n", DesiredAccess);
        Status = STATUS_GENERIC_NOT_MAPPED;
        goto Cleanup;
    }

    /* Capture the security descriptor */
    Status = SeCaptureSecurityDescriptor(SecurityDescriptor,
                                         UserMode,
                                         PagedPool,
                                         FALSE,
                                         &CapturedSecurityDescriptor);
    if (!NT_SUCCESS(Status))
    {
        DPRINT1("Failed to capture security descriptor!\n");
        goto Cleanup;
    }

    /* Validate the Security descriptor */
    if ((SepGetOwnerFromDescriptor(CapturedSecurityDescriptor) == NULL) ||
        (SepGetGroupFromDescriptor(CapturedSecurityDescriptor) == NULL))
    {
        Status = STATUS_INVALID_SECURITY_DESCR;
        DPRINT1("Invalid security descriptor\n");
        goto Cleanup;
    }

    /* Probe and capture the subsystem name */
    Status = ProbeAndCaptureUnicodeString(&CapturedSubsystemName,
                                          UserMode,
                                          SubsystemName);
    if (!NT_SUCCESS(Status))
    {
        DPRINT1("Failed to capture subsystem name!\n");
        goto Cleanup;
    }

    /* Probe and capture the object type name */
    Status = ProbeAndCaptureUnicodeString(&CapturedObjectTypeName,
                                          UserMode,
                                          ObjectTypeName);
    if (!NT_SUCCESS(Status))
    {
        DPRINT1("Failed to capture object type name!\n");
        goto Cleanup;
    }

    /* Probe and capture the object name */
    Status = ProbeAndCaptureUnicodeString(&CapturedObjectName,
                                          UserMode,
                                          ObjectName);
    if (!NT_SUCCESS(Status))
    {
        DPRINT1("Failed to capture object name!\n");
        goto Cleanup;
    }

    /* Check if we have a PrincipalSelfSid */
    if (PrincipalSelfSid != NULL)
    {
        /* Capture it */
        Status = SepCaptureSid(PrincipalSelfSid,
                               UserMode,
                               PagedPool,
                               FALSE,
                               &CapturedPrincipalSelfSid);
        if (!NT_SUCCESS(Status))
        {
            DPRINT1("Failed to capture PrincipalSelfSid!\n");
            goto Cleanup;
        }
    }

    /* Capture the object type list */
    Status = SeCaptureObjectTypeList(ObjectTypeList,
                                     ObjectTypeListLength,
                                     UserMode,
                                     &CapturedObjectTypeList);
    if (!NT_SUCCESS(Status))
    {
        DPRINT1("Failed to capture object type list!\n");
        goto Cleanup;
    }

    /* Call the worker routine with the captured buffers */
    Status = SepAccessCheckAndAuditAlarmWorker(&CapturedSubsystemName,
                                               HandleId,
                                               &SubjectContext,
                                               &CapturedObjectTypeName,
                                               &CapturedObjectName,
                                               CapturedSecurityDescriptor,
                                               CapturedPrincipalSelfSid,
                                               DesiredAccess,
                                               AuditType,
                                               HaveAuditPrivilege,
                                               CapturedObjectTypeList,
                                               ObjectTypeListLength,
                                               &LocalGenericMapping,
                                               SafeGrantedAccessList,
                                               SafeAccessStatusList,
                                               &LocalGenerateOnClose,
                                               UseResultList);
    if (!NT_SUCCESS(Status))
        goto Cleanup;

    /* Enter SEH to copy the data back to user mode */
    _SEH2_TRY
    {
        /* Loop all result entries (only 1 when no list was requested) */
        ASSERT(UseResultList || (ResultListLength == 1));
        for (i = 0; i < ResultListLength; i++)
        {
            AccessStatusList[i] = SafeAccessStatusList[i];
            GrantedAccessList[i] = SafeGrantedAccessList[i];
        }

        *GenerateOnClose = LocalGenerateOnClose;
    }
    _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
    {
        Status = _SEH2_GetExceptionCode();
        DPRINT1("Exception while copying back data: 0x%lx\n", Status);
    }
    _SEH2_END;

Cleanup:

    if (CapturedObjectTypeList != NULL)
        SeReleaseObjectTypeList(CapturedObjectTypeList, UserMode);

    if (CapturedPrincipalSelfSid != NULL)
        SepReleaseSid(CapturedPrincipalSelfSid, UserMode, FALSE);

    if (CapturedObjectName.Buffer != NULL)
        ReleaseCapturedUnicodeString(&CapturedObjectName, UserMode);

    if (CapturedObjectTypeName.Buffer != NULL)
        ReleaseCapturedUnicodeString(&CapturedObjectTypeName, UserMode);

    if (CapturedSubsystemName.Buffer != NULL)
        ReleaseCapturedUnicodeString(&CapturedSubsystemName, UserMode);

    if (CapturedSecurityDescriptor != NULL)
        SeReleaseSecurityDescriptor(CapturedSecurityDescriptor, UserMode, FALSE);

    if (ClientToken != NULL)
    {
        ObDereferenceObject(ClientToken);
        SubjectContext.ClientToken = SubjectContextToken;
    }

    if (AllocatedResultLists)
        ExFreePoolWithTag(SafeGrantedAccessList, TAG_SEPA);

    /* Release the security subject context */
    SeReleaseSubjectContext(&SubjectContext);

    return Status;
}
Definition: module.h:1099
NTSTATUS SeCaptureObjectTypeList(_In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList, _In_ ULONG ObjectTypeListLength, _In_ KPROCESSOR_MODE PreviousMode, _Out_ POBJECT_TYPE_LIST *CapturedObjectTypeList)
Captures a list of object types.
Definition: objtype.c:39
ULONG ACCESS_MASK
Definition: nt_native.h:40
#define PAGED_CODE()

Referenced by NtAccessCheckAndAuditAlarm(), NtAccessCheckByTypeAndAuditAlarm(), NtAccessCheckByTypeResultListAndAuditAlarm(), and NtAccessCheckByTypeResultListAndAuditAlarmByHandle().

◆ SepAccessCheckAndAuditAlarmWorker()

static _Must_inspect_result_ NTSTATUS SepAccessCheckAndAuditAlarmWorker ( _In_ PUNICODE_STRING  SubsystemName,
_In_opt_ PVOID  HandleId,
_In_ PSECURITY_SUBJECT_CONTEXT  SubjectContext,
_In_ PUNICODE_STRING  ObjectTypeName,
_In_ PUNICODE_STRING  ObjectName,
_In_ PSECURITY_DESCRIPTOR  SecurityDescriptor,
_In_opt_ PSID  PrincipalSelfSid,
_In_ ACCESS_MASK  DesiredAccess,
_In_ AUDIT_EVENT_TYPE  AuditType,
_In_ BOOLEAN  HaveAuditPrivilege,
_In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST  ObjectTypeList,
_In_ ULONG  ObjectTypeListLength,
_In_ PGENERIC_MAPPING  GenericMapping,
_Out_writes_(ObjectTypeListLength) PACCESS_MASK  GrantedAccessList,
_Out_writes_(ObjectTypeListLength) PNTSTATUS  AccessStatusList,
_Out_ PBOOLEAN  GenerateOnClose,
_In_ BOOLEAN  UseResultList 
)
static

Worker function that forms the core of the kernel's auditing implementation.

@unimplemented

Parameters
[in] SubsystemName: A Unicode string naming the subsystem that initiates the audit.
[in] HandleId: A handle ID identifying the object on which the audit is performed.
[in] SubjectContext: The security subject context.
[in] ObjectTypeName: A Unicode string naming the object type.
[in] ObjectName: The name of the object.
[in] SecurityDescriptor: The security descriptor whose security information is used for the audit.
[in] PrincipalSelfSid: The principal self SID.
[in] DesiredAccess: The access rights mask requested by the caller.
[in] AuditType: The type of audit to perform; it determines how the audit is carried out.
[in] HaveAuditPrivilege: If TRUE, the security subject context holds the audit privilege and is therefore allowed to perform the audit.
[in] ObjectTypeList: A list of object types.
[in] ObjectTypeListLength: The number of entries in the object type list.
[in] GenericMapping: The generic mapping table of access rights used during the audit.
[out] GrantedAccessList: Receives the list of access rights masks actually granted on the audited object.
[out] AccessStatusList: Receives the list of status codes. Only a single NTSTATUS entry is returned when the caller sets UseResultList to FALSE.
[out] GenerateOnClose: Receives TRUE if the function generated the lists of granted access rights and status codes before returning, FALSE otherwise.
[in] UseResultList: If TRUE, the result lists receive one entry per object type; if FALSE, they receive a single entry (see AccessStatusList).
Returns
Returns STATUS_SUCCESS if the whole internal auditing procedure completed successfully.

FIXME: we should do some real work here...

HACK: we just pretend all access is granted!

Definition at line 489 of file audit.c.

{
    ULONG ResultListLength, i;

    /* Get the length of the result list */
    ResultListLength = UseResultList ? ObjectTypeListLength : 1;

    /// FIXME: we should do some real work here...
    UNIMPLEMENTED;

    /// HACK: we just pretend all access is granted!
    for (i = 0; i < ResultListLength; i++)
    {
        GrantedAccessList[i] = DesiredAccess;
        AccessStatusList[i] = STATUS_SUCCESS;
    }

    *GenerateOnClose = FALSE;

    return STATUS_SUCCESS;
}
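To make the HACK above concrete, here is an added example (not ReactOS code) that models the worker in user-mode C: AuditWorker, FileScenario, DESCRIPTOR_VERDICT and SCENARIO_RESULT are constructed names, MapGenericMask follows the RtlMapGenericMask rule, and the FILE_GENERIC_* mask values are the standard NT constants. With UseStub set it reproduces the stub (DesiredAccess echoed back as granted, GenerateOnClose always FALSE); without it, it applies a constructed descriptor verdict so the two outcomes can be compared for the same request.

```c
#include <stdint.h>
#include <stdio.h>
typedef uint32_t ACCESS_MASK, ULONG; typedef int32_t NTSTATUS; typedef int BOOLEAN;
enum { FALSE = 0, TRUE = 1 };
#define STATUS_SUCCESS       ((NTSTATUS)0x00000000)
#define STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022)
#define GENERIC_READ    0x80000000u
#define GENERIC_WRITE   0x40000000u
#define GENERIC_EXECUTE 0x20000000u
#define GENERIC_ALL     0x10000000u
typedef struct { ACCESS_MASK GenericRead, GenericWrite, GenericExecute, GenericAll; } GENERIC_MAPPING;
/* Constructed stand-in for a SECURITY_DESCRIPTOR evaluation: the specific rights the DACL
 * allows this subject, and whether the SACL asks for an audit record when the handle closes. */
typedef struct { ACCESS_MASK AllowedRights; BOOLEAN AuditOnClose; } DESCRIPTOR_VERDICT;
typedef struct { ULONG Count; ACCESS_MASK Granted; NTSTATUS Status; BOOLEAN GenerateOnClose; } SCENARIO_RESULT;
/* Same rule as RtlMapGenericMask: expand generic bits through the mapping, then drop them. */
static ACCESS_MASK MapGenericMask(ACCESS_MASK Mask, const GENERIC_MAPPING *Map)
{
    if (Mask & GENERIC_READ)    Mask |= Map->GenericRead;
    if (Mask & GENERIC_WRITE)   Mask |= Map->GenericWrite;
    if (Mask & GENERIC_EXECUTE) Mask |= Map->GenericExecute;
    if (Mask & GENERIC_ALL)     Mask |= Map->GenericAll;
    return Mask & ~(GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE | GENERIC_ALL);
}
/* Fills the result lists as the page's worker does (one entry when UseResultList is FALSE, one per
 * object type otherwise) and returns the count. UseStub reproduces the HACK: DesiredAccess echoed back. */
static ULONG AuditWorker(BOOLEAN UseStub, ACCESS_MASK DesiredAccess, const GENERIC_MAPPING *Map,
                         const DESCRIPTOR_VERDICT *Verdict, ULONG ObjectTypeListLength, BOOLEAN UseResultList,
                         ACCESS_MASK *GrantedAccessList, NTSTATUS *AccessStatusList, BOOLEAN *GenerateOnClose)
{
    ULONG ResultListLength = UseResultList ? ObjectTypeListLength : 1, i;
    ACCESS_MASK Granted = DesiredAccess; NTSTATUS Status = STATUS_SUCCESS;  /* the stub's answer */
    *GenerateOnClose = FALSE;                                                /* stub never asks for a close audit */
    if (!UseStub) {
        ACCESS_MASK Wanted = MapGenericMask(DesiredAccess, Map);
        if (Wanted & ~Verdict->AllowedRights) { Granted = 0; Status = STATUS_ACCESS_DENIED; }
        else Granted = Wanted;
        *GenerateOnClose = Verdict->AuditOnClose;
    }
    for (i = 0; i < ResultListLength; i++) { GrantedAccessList[i] = Granted; AccessStatusList[i] = Status; }
    return ResultListLength;
}
/* Constructed file scenario: the DACL allows only FILE_GENERIC_READ (0x120089), the SACL wants a
 * close audit, and three object types are checked. Reports the last entry written. */
static SCENARIO_RESULT FileScenario(BOOLEAN UseStub, ACCESS_MASK Desired, BOOLEAN UseResultList)
{
    const GENERIC_MAPPING FileMapping = { 0x120089u, 0x120116u, 0x1200A0u, 0x1F01FFu };
    const DESCRIPTOR_VERDICT Verdict = { 0x120089u, TRUE };
    ACCESS_MASK Granted[3]; NTSTATUS Status[3]; SCENARIO_RESULT r;
    r.Count = AuditWorker(UseStub, Desired, &FileMapping, &Verdict, 3, UseResultList,
                          Granted, Status, &r.GenerateOnClose);
    r.Granted = Granted[r.Count - 1]; r.Status = Status[r.Count - 1];
    return r;
}
int main(void)
{
    SCENARIO_RESULT s = FileScenario(TRUE, GENERIC_ALL, TRUE), c = FileScenario(FALSE, GENERIC_ALL, TRUE);
    printf("stub: granted 0x%08X close-audit %d | checked: granted 0x%08X status 0x%08X close-audit %d\n",
           s.Granted, s.GenerateOnClose, c.Granted, (unsigned)c.Status, c.GenerateOnClose);
    return 0;
}
```

For a GENERIC_ALL request the stub reports GENERIC_ALL granted with GenerateOnClose FALSE, while the checked path reports STATUS_ACCESS_DENIED and GenerateOnClose TRUE; the same request with UseResultList FALSE yields a single entry.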

Referenced by SepAccessCheckAndAuditAlarm().

◆ SepAdtCloseObjectAuditAlarm()

VOID NTAPI SepAdtCloseObjectAuditAlarm ( _In_ PUNICODE_STRING  SubsystemName,
_In_ PVOID  HandleId,
_In_ PSID  Sid 
)

Closes an audit alarm event of an object.

Parameters
[in] SubsystemName: A Unicode string naming the subsystem in which the audit alarm event is to be closed.
[in] HandleId: A handle ID identifying the object whose audit alarm is to be closed.
[in] Sid: The SID of the user who attempted to close the audit alarm.
Returns
Nothing.

Definition at line 287 of file audit.c.

{
    UNIMPLEMENTED;
}

Referenced by NtCloseObjectAuditAlarm().

◆ SepAdtPrivilegedServiceAuditAlarm()

VOID NTAPI SepAdtPrivilegedServiceAuditAlarm ( _In_ PSECURITY_SUBJECT_CONTEXT  SubjectContext,
_In_opt_ PUNICODE_STRING  SubsystemName,
_In_opt_ PUNICODE_STRING  ServiceName,
_In_ PTOKEN  Token,
_In_ PTOKEN  PrimaryToken,
_In_ PPRIVILEGE_SET  Privileges,
_In_ BOOLEAN  AccessGranted 
)

Performs an audit alarm for a privileged service request. This is a worker function.

Parameters
[in] SubjectContext: The security subject context used for the audit.
[in] SubsystemName: A Unicode string naming the subsystem that initiated the privileged service audit alarm.
[in] ServiceName: A Unicode string naming the privileged service request being audited.
[in] Token: An access token.
[in] PrimaryToken: A primary access token.
[in] Privileges: The set of privileges checked to determine whether the privileged service actually holds all privileges required for access.
[in] AccessGranted: The outcome being audited: TRUE if access was granted, FALSE otherwise.
Returns
Nothing.

Definition at line 332 of file audit.c.

{
    DPRINT("SepAdtPrivilegedServiceAuditAlarm is unimplemented\n");
}

Referenced by NtPrivilegedServiceAuditAlarm(), and SePrivilegedServiceAuditAlarm().

◆ SepOpenObjectAuditAlarm()

VOID NTAPI SepOpenObjectAuditAlarm ( _In_ PSECURITY_SUBJECT_CONTEXT  SubjectContext,
_In_ PUNICODE_STRING  SubsystemName,
_In_opt_ PVOID  HandleId,
_In_ PUNICODE_STRING  ObjectTypeName,
_In_ PUNICODE_STRING  ObjectName,
_In_opt_ PSECURITY_DESCRIPTOR  SecurityDescriptor,
_In_ PTOKEN  ClientToken,
_In_ ACCESS_MASK  DesiredAccess,
_In_ ACCESS_MASK  GrantedAccess,
_In_opt_ PPRIVILEGE_SET  Privileges,
_In_ BOOLEAN  ObjectCreation,
_In_ BOOLEAN  AccessGranted,
_Out_ PBOOLEAN  GenerateOnClose 
)

Raises an audit alarm message when an object is about to be opened.

@unimplemented

Parameters
[in] SubjectContext: The security subject context for the audit.
[in] SubsystemName: A Unicode string naming the subsystem.
[in] HandleId: A handle ID identifying the instance being audited.
[in] ObjectTypeName: A Unicode string naming the object type.
[in] ObjectName: The name of the object.
[in] SecurityDescriptor: A security descriptor.
[in] ClientToken: A client access token representing the client being impersonated.
[in] DesiredAccess: The access rights mask requested by the caller.
[in] GrantedAccess: The access rights mask that was granted.
[in] Privileges: If specified, the set of privileges the audit is based on.
[in] ObjectCreation: Set to TRUE if the object has just been created.
[in] AccessGranted: Set to TRUE if the access attempt was granted.
[out] GenerateOnClose: A boolean flag returned to the caller once audit generation finishes.
Returns
Nothing.

Definition at line 1535 of file audit.c.

{
    DBG_UNREFERENCED_PARAMETER(SubjectContext);
    DBG_UNREFERENCED_PARAMETER(SubsystemName);
    DBG_UNREFERENCED_PARAMETER(HandleId);
    DBG_UNREFERENCED_PARAMETER(ObjectTypeName);
    DBG_UNREFERENCED_PARAMETER(ObjectName);
    DBG_UNREFERENCED_PARAMETER(SecurityDescriptor);
    DBG_UNREFERENCED_PARAMETER(ClientToken);
    DBG_UNREFERENCED_PARAMETER(DesiredAccess);
    DBG_UNREFERENCED_PARAMETER(GrantedAccess);
    DBG_UNREFERENCED_PARAMETER(Privileges);
    DBG_UNREFERENCED_PARAMETER(ObjectCreation);
    DBG_UNREFERENCED_PARAMETER(AccessGranted);
    UNIMPLEMENTED;
    *GenerateOnClose = FALSE;
}

Referenced by NtOpenObjectAuditAlarm().

◆ SePrivilegedServiceAuditAlarm()

VOID NTAPI SePrivilegedServiceAuditAlarm ( _In_opt_ PUNICODE_STRING  ServiceName,
_In_ PSECURITY_SUBJECT_CONTEXT  SubjectContext,
_In_ PPRIVILEGE_SET  PrivilegeSet,
_In_ BOOLEAN  AccessGranted 
)

Performs an audit alarm for a privileged service request.

Parameters
[in] ServiceName: A Unicode string naming the privileged service request being audited.
[in] SubjectContext: The security subject context used for the audit.
[in] PrivilegeSet: The set of privileges checked to determine whether the privileged service actually holds all privileges required for access.
[in] AccessGranted: The outcome being audited: TRUE if access was granted, FALSE otherwise.
Returns
Nothing.

Definition at line 369 of file audit.c.

{
    PTOKEN EffectiveToken;
    PSID UserSid;
    PAGED_CODE();

    /* Get the effective token */
    if (SubjectContext->ClientToken != NULL)
        EffectiveToken = SubjectContext->ClientToken;
    else
        EffectiveToken = SubjectContext->PrimaryToken;

    /* Get the user SID */
    UserSid = EffectiveToken->UserAndGroups->Sid;

    /* Check if this is the local system SID */
    if (RtlEqualSid(UserSid, SeLocalSystemSid))
    {
        /* Nothing to do */
        return;
    }

    /* Check if this is the network service or local service SID */
    if (RtlEqualSid(UserSid, SeExports->SeNetworkServiceSid) ||
        RtlEqualSid(UserSid, SeExports->SeLocalServiceSid))
    {
        // FIXME: should continue for a certain set of privileges
        return;
    }

    /* Call the worker function */
    SepAdtPrivilegedServiceAuditAlarm(SubjectContext,
                                      &SeSubsystemName,
                                      ServiceName,
                                      SubjectContext->ClientToken,
                                      SubjectContext->PrimaryToken,
                                      PrivilegeSet,
                                      AccessGranted);
}

Referenced by SeCheckAuditPrivilege(), and SeSinglePrivilegeCheck().

◆ SePrivilegeObjectAuditAlarm()

VOID NTAPI SePrivilegeObjectAuditAlarm ( _In_ HANDLE  Handle,
_In_ PSECURITY_SUBJECT_CONTEXT  SubjectContext,
_In_ ACCESS_MASK  DesiredAccess,
_In_ PPRIVILEGE_SET  Privileges,
_In_ BOOLEAN  AccessGranted,
_In_ KPROCESSOR_MODE  CurrentMode 
)

Raises an audit with an alarm notification message when an object tries to acquire this privilege.

@unimplemented

Parameters
[in] Handle: A handle to an object.
[in] SubjectContext: The security subject context for the audit.
[in] DesiredAccess: The access rights mask requested by the caller.
[in] Privileges: The set of privileges being audited.
[in] AccessGranted: The outcome being audited: TRUE if the object held the required privileges and access was granted, FALSE otherwise.
[in] CurrentMode: The processor access mode.
Returns
Nothing.

Definition at line 1321 of file audit.c.

{
    UNIMPLEMENTED;
}

Referenced by HasPrivilege(), ObpCreateHandle(), and SeCheckPrivilegedObject().

Variable Documentation

◆ SeSubsystemName

UNICODE_STRING SeSubsystemName = RTL_CONSTANT_STRING(L"Security")

Definition at line 17 of file audit.c.

Referenced by SePrivilegedServiceAuditAlarm().