ReactOS  0.4.15-dev-3165-gdf6fff7
audit.c File Reference
#include <ntoskrnl.h>
#include <debug.h>
Include dependency graph for audit.c:

Go to the source code of this file.

Macros

#define NDEBUG
 
#define SEP_PRIVILEGE_SET_MAX_COUNT   60
 

Functions

BOOLEAN NTAPI SeDetailedAuditingWithToken (_In_ PTOKEN Token)
 Peforms a detailed security auditing with an access token. More...
 
VOID NTAPI SeAuditProcessCreate (_In_ PEPROCESS Process)
 Peforms a security auditing against a process that is about to be created. More...
 
VOID NTAPI SeAuditProcessExit (_In_ PEPROCESS Process)
 Peforms a security auditing against a process that is about to be terminated. More...
 
NTSTATUS NTAPI SeInitializeProcessAuditName (_In_ PFILE_OBJECT FileObject, _In_ BOOLEAN DoAudit, _Out_ POBJECT_NAME_INFORMATION *AuditInfo)
 Initializes a process audit name and returns it to the caller. More...
 
NTSTATUS NTAPI SeLocateProcessImageName (_In_ PEPROCESS Process, _Out_ PUNICODE_STRING *ProcessImageName)
 Finds the process image name of a specific process. More...
 
VOID NTAPI SepAdtCloseObjectAuditAlarm (_In_ PUNICODE_STRING SubsystemName, _In_ PVOID HandleId, _In_ PSID Sid)
 Closes an audit alarm event of an object. More...
 
VOID NTAPI SepAdtPrivilegedServiceAuditAlarm (_In_ PSECURITY_SUBJECT_CONTEXT SubjectContext, _In_opt_ PUNICODE_STRING SubsystemName, _In_opt_ PUNICODE_STRING ServiceName, _In_ PTOKEN Token, _In_ PTOKEN PrimaryToken, _In_ PPRIVILEGE_SET Privileges, _In_ BOOLEAN AccessGranted)
 Performs an audit alarm to a privileged service request. This is a worker function. More...
 
VOID NTAPI SePrivilegedServiceAuditAlarm (_In_opt_ PUNICODE_STRING ServiceName, _In_ PSECURITY_SUBJECT_CONTEXT SubjectContext, _In_ PPRIVILEGE_SET PrivilegeSet, _In_ BOOLEAN AccessGranted)
 Performs an audit alarm to a privileged service request. More...
 
static NTSTATUS SeCaptureObjectTypeList (_In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList, _In_ ULONG ObjectTypeListLength, _In_ KPROCESSOR_MODE PreviousMode, _Out_ POBJECT_TYPE_LIST *CapturedObjectTypeList)
 Captures a list of object types. More...
 
static VOID SeReleaseObjectTypeList (_In_ _Post_invalid_ POBJECT_TYPE_LIST CapturedObjectTypeList, _In_ KPROCESSOR_MODE PreviousMode)
 Releases a buffer list of object types. More...
 
static _Must_inspect_result_ NTSTATUS SepAccessCheckAndAuditAlarmWorker (_In_ PUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ PSECURITY_SUBJECT_CONTEXT SubjectContext, _In_ PUNICODE_STRING ObjectTypeName, _In_ PUNICODE_STRING ObjectName, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_opt_ PSID PrincipalSelfSid, _In_ ACCESS_MASK DesiredAccess, _In_ AUDIT_EVENT_TYPE AuditType, _In_ BOOLEAN HaveAuditPrivilege, _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList, _In_ ULONG ObjectTypeListLength, _In_ PGENERIC_MAPPING GenericMapping, _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccessList, _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatusList, _Out_ PBOOLEAN GenerateOnClose, _In_ BOOLEAN UseResultList)
 Worker function that serves as the main heart and brain of the whole concept and implementation of auditing in the kernel. More...
 
_Must_inspect_result_ NTSTATUS NTAPI SepAccessCheckAndAuditAlarm (_In_ PUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ PHANDLE ClientTokenHandle, _In_ PUNICODE_STRING ObjectTypeName, _In_ PUNICODE_STRING ObjectName, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_opt_ PSID PrincipalSelfSid, _In_ ACCESS_MASK DesiredAccess, _In_ AUDIT_EVENT_TYPE AuditType, _In_ ULONG Flags, _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList, _In_ ULONG ObjectTypeListLength, _In_ PGENERIC_MAPPING GenericMapping, _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccessList, _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatusList, _Out_ PBOOLEAN GenerateOnClose, _In_ BOOLEAN UseResultList)
 Performs security auditing, if the specific object can be granted security access or not. More...
 
VOID NTAPI SeAuditHardLinkCreation (_In_ PUNICODE_STRING FileName, _In_ PUNICODE_STRING LinkName, _In_ BOOLEAN bSuccess)
 Performs an audit against a hard link creation. More...
 
BOOLEAN NTAPI SeAuditingFileEvents (_In_ BOOLEAN AccessGranted, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor)
 Determines whether auditing against file events is being done or not. More...
 
BOOLEAN NTAPI SeAuditingFileEventsWithContext (_In_ BOOLEAN AccessGranted, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_opt_ PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext)
 Determines whether auditing against file events with subject context is being done or not. More...
 
BOOLEAN NTAPI SeAuditingHardLinkEvents (_In_ BOOLEAN AccessGranted, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor)
 Determines whether auditing against hard links events is being done or not. More...
 
BOOLEAN NTAPI SeAuditingHardLinkEventsWithContext (_In_ BOOLEAN AccessGranted, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_opt_ PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext)
 Determines whether auditing against hard links events with subject context is being done or not. More...
 
BOOLEAN NTAPI SeAuditingFileOrGlobalEvents (_In_ BOOLEAN AccessGranted, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext)
 Determines whether auditing against files or global events with subject context is being done or not. More...
 
VOID NTAPI SeCloseObjectAuditAlarm (_In_ PVOID Object, _In_ HANDLE Handle, _In_ BOOLEAN PerformAction)
 Closes an alarm audit of an object. More...
 
VOID NTAPI SeDeleteObjectAuditAlarm (_In_ PVOID Object, _In_ HANDLE Handle)
 Deletes an alarm audit of an object. More...
 
VOID NTAPI SeOpenObjectAuditAlarm (_In_ PUNICODE_STRING ObjectTypeName, _In_opt_ PVOID Object, _In_opt_ PUNICODE_STRING AbsoluteObjectName, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ PACCESS_STATE AccessState, _In_ BOOLEAN ObjectCreated, _In_ BOOLEAN AccessGranted, _In_ KPROCESSOR_MODE AccessMode, _Out_ PBOOLEAN GenerateOnClose)
 Creates an audit with alarm notification of an object that is being opened. More...
 
VOID NTAPI SeOpenObjectForDeleteAuditAlarm (_In_ PUNICODE_STRING ObjectTypeName, _In_opt_ PVOID Object, _In_opt_ PUNICODE_STRING AbsoluteObjectName, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ PACCESS_STATE AccessState, _In_ BOOLEAN ObjectCreated, _In_ BOOLEAN AccessGranted, _In_ KPROCESSOR_MODE AccessMode, _Out_ PBOOLEAN GenerateOnClose)
 Creates an audit with alarm notification of an object that is being opened for deletion. More...
 
VOID NTAPI SePrivilegeObjectAuditAlarm (_In_ HANDLE Handle, _In_ PSECURITY_SUBJECT_CONTEXT SubjectContext, _In_ ACCESS_MASK DesiredAccess, _In_ PPRIVILEGE_SET Privileges, _In_ BOOLEAN AccessGranted, _In_ KPROCESSOR_MODE CurrentMode)
 Raises an audit with alarm notification message when an object tries to acquire this privilege. More...
 
NTSTATUS NTAPI NtCloseObjectAuditAlarm (_In_ PUNICODE_STRING SubsystemName, _In_ PVOID HandleId, _In_ BOOLEAN GenerateOnClose)
 Raises an alarm audit message when an object is about to be closed. More...
 
NTSTATUS NTAPI NtDeleteObjectAuditAlarm (_In_ PUNICODE_STRING SubsystemName, _In_ PVOID HandleId, _In_ BOOLEAN GenerateOnClose)
 Raises an alarm audit message when an object is about to be deleted. More...
 
VOID NTAPI SepOpenObjectAuditAlarm (_In_ PSECURITY_SUBJECT_CONTEXT SubjectContext, _In_ PUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ PUNICODE_STRING ObjectTypeName, _In_ PUNICODE_STRING ObjectName, _In_opt_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ PTOKEN ClientToken, _In_ ACCESS_MASK DesiredAccess, _In_ ACCESS_MASK GrantedAccess, _In_opt_ PPRIVILEGE_SET Privileges, _In_ BOOLEAN ObjectCreation, _In_ BOOLEAN AccessGranted, _Out_ PBOOLEAN GenerateOnClose)
 Raises an alarm audit message when an object is about to be opened. More...
 
__kernel_entry NTSTATUS NTAPI NtOpenObjectAuditAlarm (_In_ PUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ PUNICODE_STRING ObjectTypeName, _In_ PUNICODE_STRING ObjectName, _In_opt_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ HANDLE ClientTokenHandle, _In_ ACCESS_MASK DesiredAccess, _In_ ACCESS_MASK GrantedAccess, _In_opt_ PPRIVILEGE_SET PrivilegeSet, _In_ BOOLEAN ObjectCreation, _In_ BOOLEAN AccessGranted, _Out_ PBOOLEAN GenerateOnClose)
 Raises an alarm audit message when an object is about to be opened. More...
 
__kernel_entry NTSTATUS NTAPI NtPrivilegedServiceAuditAlarm (_In_opt_ PUNICODE_STRING SubsystemName, _In_opt_ PUNICODE_STRING ServiceName, _In_ HANDLE ClientTokenHandle, _In_ PPRIVILEGE_SET Privileges, _In_ BOOLEAN AccessGranted)
 Raises an alarm audit message when a caller attempts to request a privileged service call. More...
 
NTSTATUS NTAPI NtPrivilegeObjectAuditAlarm (_In_ PUNICODE_STRING SubsystemName, _In_ PVOID HandleId, _In_ HANDLE ClientToken, _In_ ULONG DesiredAccess, _In_ PPRIVILEGE_SET Privileges, _In_ BOOLEAN AccessGranted)
 Raises an alarm audit message when a caller attempts to access a privileged object. More...
 
_Must_inspect_result_ __kernel_entry NTSTATUS NTAPI NtAccessCheckAndAuditAlarm (_In_ PUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ PUNICODE_STRING ObjectTypeName, _In_ PUNICODE_STRING ObjectName, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ ACCESS_MASK DesiredAccess, _In_ PGENERIC_MAPPING GenericMapping, _In_ BOOLEAN ObjectCreation, _Out_ PACCESS_MASK GrantedAccess, _Out_ PNTSTATUS AccessStatus, _Out_ PBOOLEAN GenerateOnClose)
 Raises an alarm audit message when a caller attempts to access an object and determine if the access can be made. More...
 
_Must_inspect_result_ __kernel_entry NTSTATUS NTAPI NtAccessCheckByTypeAndAuditAlarm (_In_ PUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ PUNICODE_STRING ObjectTypeName, _In_ PUNICODE_STRING ObjectName, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_opt_ PSID PrincipalSelfSid, _In_ ACCESS_MASK DesiredAccess, _In_ AUDIT_EVENT_TYPE AuditType, _In_ ULONG Flags, _In_reads_opt_(ObjectTypeLength) POBJECT_TYPE_LIST ObjectTypeList, _In_ ULONG ObjectTypeLength, _In_ PGENERIC_MAPPING GenericMapping, _In_ BOOLEAN ObjectCreation, _Out_ PACCESS_MASK GrantedAccess, _Out_ PNTSTATUS AccessStatus, _Out_ PBOOLEAN GenerateOnClose)
 Raises an alarm audit message when a caller attempts to access an object and determine if the access can be made by type. More...
 
_Must_inspect_result_ __kernel_entry NTSTATUS NTAPI NtAccessCheckByTypeResultListAndAuditAlarm (_In_ PUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ PUNICODE_STRING ObjectTypeName, _In_ PUNICODE_STRING ObjectName, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_opt_ PSID PrincipalSelfSid, _In_ ACCESS_MASK DesiredAccess, _In_ AUDIT_EVENT_TYPE AuditType, _In_ ULONG Flags, _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList, _In_ ULONG ObjectTypeListLength, _In_ PGENERIC_MAPPING GenericMapping, _In_ BOOLEAN ObjectCreation, _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccessList, _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatusList, _Out_ PBOOLEAN GenerateOnClose)
 Raises an alarm audit message when a caller attempts to access an object and determine if the access can be made by given type result. More...
 
_Must_inspect_result_ __kernel_entry NTSTATUS NTAPI NtAccessCheckByTypeResultListAndAuditAlarmByHandle (_In_ PUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ HANDLE ClientToken, _In_ PUNICODE_STRING ObjectTypeName, _In_ PUNICODE_STRING ObjectName, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_opt_ PSID PrincipalSelfSid, _In_ ACCESS_MASK DesiredAccess, _In_ AUDIT_EVENT_TYPE AuditType, _In_ ULONG Flags, _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList, _In_ ULONG ObjectTypeListLength, _In_ PGENERIC_MAPPING GenericMapping, _In_ BOOLEAN ObjectCreation, _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccessList, _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatusList, _Out_ PBOOLEAN GenerateOnClose)
 Raises an alarm audit message when a caller attempts to access an object and determine if the access can be made by given type result and a token handle. More...
 

Variables

UNICODE_STRING SeSubsystemName = RTL_CONSTANT_STRING(L"Security")
 

Macro Definition Documentation

◆ NDEBUG

#define NDEBUG

Definition at line 12 of file audit.c.

◆ SEP_PRIVILEGE_SET_MAX_COUNT

#define SEP_PRIVILEGE_SET_MAX_COUNT   60

Definition at line 15 of file audit.c.

Function Documentation

◆ NtAccessCheckAndAuditAlarm()

_Must_inspect_result_ __kernel_entry NTSTATUS NTAPI NtAccessCheckAndAuditAlarm ( _In_ PUNICODE_STRING  SubsystemName,
_In_opt_ PVOID  HandleId,
_In_ PUNICODE_STRING  ObjectTypeName,
_In_ PUNICODE_STRING  ObjectName,
_In_ PSECURITY_DESCRIPTOR  SecurityDescriptor,
_In_ ACCESS_MASK  DesiredAccess,
_In_ PGENERIC_MAPPING  GenericMapping,
_In_ BOOLEAN  ObjectCreation,
_Out_ PACCESS_MASK  GrantedAccess,
_Out_ PNTSTATUS  AccessStatus,
_Out_ PBOOLEAN  GenerateOnClose 
)

Raises an alarm audit message when a caller attempts to access an object and determine if the access can be made.

Parameters
[in]SubsystemNameA Unicode string that points to a name of the subsystem.
[in]HandleIdA handle to an ID that is used as identification instance for auditing.
[in]ObjectTypeNameThe name of the object type.
[in]ObjectNameThe object name.
[in]SecurityDescriptorA security descriptor.
[in]DesiredAccessThe desired access rights masks requested by the caller.
[in]GenericMappingThe generic mapping of access mask rights.
[in]ObjectCreationSet this to TRUE if the object has just been created.
[out]GrantedAccessReturns the granted access rights.
[out]AccessStatusReturns a NTSTATUS status code indicating whether access check can be granted or not.
[out]GenerateOnCloseReturns TRUE if the function has generated a list of granted access rights and status codes on termination, FALSE otherwise.
Returns
See SepAccessCheckAndAuditAlarm.

Definition at line 2226 of file audit.c.

2238 {
2239  /* Call the internal function */
2240  return SepAccessCheckAndAuditAlarm(SubsystemName,
2241  HandleId,
2242  NULL,
2244  ObjectName,
2246  NULL,
2247  DesiredAccess,
2249  0,
2250  NULL,
2251  0,
2253  GrantedAccess,
2254  AccessStatus,
2256  FALSE);
2257 }
static POBJECTS_AND_NAME_A SE_OBJECT_TYPE LPSTR ObjectTypeName
Definition: security.c:77
_Must_inspect_result_ _In_ WDFDEVICE _In_ ULONG _In_ ACCESS_MASK DesiredAccess
Definition: wdfdevice.h:2654
_In_ PSECURITY_SUBJECT_CONTEXT _In_ BOOLEAN _In_ ACCESS_MASK _In_ ACCESS_MASK _Outptr_opt_ PPRIVILEGE_SET _In_ PGENERIC_MAPPING _In_ KPROCESSOR_MODE _Out_ PACCESS_MASK _Out_ PNTSTATUS AccessStatus
Definition: sefuncs.h:13
_In_ USHORT _In_ ULONG _In_ PSOCKADDR _In_ PSOCKADDR _Reserved_ ULONG _In_opt_ PVOID _In_opt_ const WSK_CLIENT_CONNECTION_DISPATCH _In_opt_ PEPROCESS _In_opt_ PETHREAD _In_opt_ PSECURITY_DESCRIPTOR SecurityDescriptor
Definition: wsk.h:182
_In_ PVOID _Out_opt_ PULONG_PTR _Outptr_opt_ PCUNICODE_STRING * ObjectName
Definition: cmfuncs.h:62
#define FALSE
Definition: types.h:117
_In_opt_ PVOID _In_opt_ PUNICODE_STRING _In_ PSECURITY_DESCRIPTOR _In_ PACCESS_STATE _In_ BOOLEAN _In_ BOOLEAN _In_ KPROCESSOR_MODE _In_opt_ GUID _Out_ PBOOLEAN GenerateOnClose
Definition: sefuncs.h:414
static GENERIC_MAPPING GenericMapping
Definition: SeInheritance.c:11
#define NULL
Definition: types.h:112
_In_ PSECURITY_SUBJECT_CONTEXT _In_ BOOLEAN _In_ ACCESS_MASK _In_ ACCESS_MASK _Outptr_opt_ PPRIVILEGE_SET _In_ PGENERIC_MAPPING _In_ KPROCESSOR_MODE _Out_ PACCESS_MASK GrantedAccess
Definition: sefuncs.h:13
_Must_inspect_result_ NTSTATUS NTAPI SepAccessCheckAndAuditAlarm(_In_ PUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ PHANDLE ClientTokenHandle, _In_ PUNICODE_STRING ObjectTypeName, _In_ PUNICODE_STRING ObjectName, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_opt_ PSID PrincipalSelfSid, _In_ ACCESS_MASK DesiredAccess, _In_ AUDIT_EVENT_TYPE AuditType, _In_ ULONG Flags, _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList, _In_ ULONG ObjectTypeListLength, _In_ PGENERIC_MAPPING GenericMapping, _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccessList, _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatusList, _Out_ PBOOLEAN GenerateOnClose, _In_ BOOLEAN UseResultList)
Performs security auditing, if the specific object can be granted security access or not.
Definition: audit.c:715

Referenced by AccessCheckAndAuditAlarmA(), and AccessCheckAndAuditAlarmW().

◆ NtAccessCheckByTypeAndAuditAlarm()

_Must_inspect_result_ __kernel_entry NTSTATUS NTAPI NtAccessCheckByTypeAndAuditAlarm ( _In_ PUNICODE_STRING  SubsystemName,
_In_opt_ PVOID  HandleId,
_In_ PUNICODE_STRING  ObjectTypeName,
_In_ PUNICODE_STRING  ObjectName,
_In_ PSECURITY_DESCRIPTOR  SecurityDescriptor,
_In_opt_ PSID  PrincipalSelfSid,
_In_ ACCESS_MASK  DesiredAccess,
_In_ AUDIT_EVENT_TYPE  AuditType,
_In_ ULONG  Flags,
_In_reads_opt_(ObjectTypeLength) POBJECT_TYPE_LIST  ObjectTypeList,
_In_ ULONG  ObjectTypeLength,
_In_ PGENERIC_MAPPING  GenericMapping,
_In_ BOOLEAN  ObjectCreation,
_Out_ PACCESS_MASK  GrantedAccess,
_Out_ PNTSTATUS  AccessStatus,
_Out_ PBOOLEAN  GenerateOnClose 
)

Raises an alarm audit message when a caller attempts to access an object and determine if the access can be made by type.

Parameters
[in]SubsystemNameA Unicode string that points to a name of the subsystem.
[in]HandleIdA handle to an ID that is used as identification instance for auditing.
[in]ObjectTypeNameThe name of the object type.
[in]ObjectNameThe object name.
[in]SecurityDescriptorA security descriptor.
[in]PrincipalSelfSidA principal self user SID.
[in]DesiredAccessThe desired access rights masks requested by the caller.
[in]AuditTypeType of audit to start, influencing how the audit should be done.
[in]FlagsFlag bitmask, used to check if auditing can be done without privileges.
[in]ObjectTypeListA list of object types.
[in]ObjectTypeLengthThe length size of the list.
[in]GenericMappingThe generic mapping of access mask rights.
[in]ObjectCreationSet this to TRUE if the object has just been created.
[out]GrantedAccessReturns the granted access rights.
[out]AccessStatusReturns a NTSTATUS status code indicating whether access check can be granted or not.
[out]GenerateOnCloseReturns TRUE if the function has generated a list of granted access rights and status codes on termination, FALSE otherwise.
Returns
See SepAccessCheckAndAuditAlarm.

Definition at line 2323 of file audit.c.

2340 {
2341  /* Call the internal function */
2342  return SepAccessCheckAndAuditAlarm(SubsystemName,
2343  HandleId,
2344  NULL,
2346  ObjectName,
2348  PrincipalSelfSid,
2349  DesiredAccess,
2350  AuditType,
2351  Flags,
2352  ObjectTypeList,
2353  ObjectTypeLength,
2355  GrantedAccess,
2356  AccessStatus,
2358  FALSE);
2359 }
static POBJECTS_AND_NAME_A SE_OBJECT_TYPE LPSTR ObjectTypeName
Definition: security.c:77
_Must_inspect_result_ _In_ WDFDEVICE _In_ ULONG _In_ ACCESS_MASK DesiredAccess
Definition: wdfdevice.h:2654
_In_ PSECURITY_SUBJECT_CONTEXT _In_ BOOLEAN _In_ ACCESS_MASK _In_ ACCESS_MASK _Outptr_opt_ PPRIVILEGE_SET _In_ PGENERIC_MAPPING _In_ KPROCESSOR_MODE _Out_ PACCESS_MASK _Out_ PNTSTATUS AccessStatus
Definition: sefuncs.h:13
_In_ USHORT _In_ ULONG _In_ PSOCKADDR _In_ PSOCKADDR _Reserved_ ULONG _In_opt_ PVOID _In_opt_ const WSK_CLIENT_CONNECTION_DISPATCH _In_opt_ PEPROCESS _In_opt_ PETHREAD _In_opt_ PSECURITY_DESCRIPTOR SecurityDescriptor
Definition: wsk.h:182
_In_ PVOID _Out_opt_ PULONG_PTR _Outptr_opt_ PCUNICODE_STRING * ObjectName
Definition: cmfuncs.h:62
#define FALSE
Definition: types.h:117
_Must_inspect_result_ _In_ ULONG Flags
Definition: wsk.h:170
_In_opt_ PVOID _In_opt_ PUNICODE_STRING _In_ PSECURITY_DESCRIPTOR _In_ PACCESS_STATE _In_ BOOLEAN _In_ BOOLEAN _In_ KPROCESSOR_MODE _In_opt_ GUID _Out_ PBOOLEAN GenerateOnClose
Definition: sefuncs.h:414
static GENERIC_MAPPING GenericMapping
Definition: SeInheritance.c:11
#define NULL
Definition: types.h:112
_In_ PSECURITY_SUBJECT_CONTEXT _In_ BOOLEAN _In_ ACCESS_MASK _In_ ACCESS_MASK _Outptr_opt_ PPRIVILEGE_SET _In_ PGENERIC_MAPPING _In_ KPROCESSOR_MODE _Out_ PACCESS_MASK GrantedAccess
Definition: sefuncs.h:13
_Must_inspect_result_ NTSTATUS NTAPI SepAccessCheckAndAuditAlarm(_In_ PUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ PHANDLE ClientTokenHandle, _In_ PUNICODE_STRING ObjectTypeName, _In_ PUNICODE_STRING ObjectName, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_opt_ PSID PrincipalSelfSid, _In_ ACCESS_MASK DesiredAccess, _In_ AUDIT_EVENT_TYPE AuditType, _In_ ULONG Flags, _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList, _In_ ULONG ObjectTypeListLength, _In_ PGENERIC_MAPPING GenericMapping, _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccessList, _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatusList, _Out_ PBOOLEAN GenerateOnClose, _In_ BOOLEAN UseResultList)
Performs security auditing, if the specific object can be granted security access or not.
Definition: audit.c:715

◆ NtAccessCheckByTypeResultListAndAuditAlarm()

_Must_inspect_result_ __kernel_entry NTSTATUS NTAPI NtAccessCheckByTypeResultListAndAuditAlarm ( _In_ PUNICODE_STRING  SubsystemName,
_In_opt_ PVOID  HandleId,
_In_ PUNICODE_STRING  ObjectTypeName,
_In_ PUNICODE_STRING  ObjectName,
_In_ PSECURITY_DESCRIPTOR  SecurityDescriptor,
_In_opt_ PSID  PrincipalSelfSid,
_In_ ACCESS_MASK  DesiredAccess,
_In_ AUDIT_EVENT_TYPE  AuditType,
_In_ ULONG  Flags,
_In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST  ObjectTypeList,
_In_ ULONG  ObjectTypeListLength,
_In_ PGENERIC_MAPPING  GenericMapping,
_In_ BOOLEAN  ObjectCreation,
_Out_writes_(ObjectTypeListLength) PACCESS_MASK  GrantedAccessList,
_Out_writes_(ObjectTypeListLength) PNTSTATUS  AccessStatusList,
_Out_ PBOOLEAN  GenerateOnClose 
)

Raises an alarm audit message when a caller attempts to access an object and determine if the access can be made by given type result.

Parameters
[in]SubsystemNameA Unicode string that points to a name of the subsystem.
[in]HandleIdA handle to an ID that is used as identification instance for auditing.
[in]ObjectTypeNameThe name of the object type.
[in]ObjectNameThe object name.
[in]SecurityDescriptorA security descriptor.
[in]PrincipalSelfSidA principal self user SID.
[in]DesiredAccessThe desired access rights masks requested by the caller.
[in]AuditTypeType of audit to start, influencing how the audit should be done.
[in]FlagsFlag bitmask, used to check if auditing can be done without privileges.
[in]ObjectTypeListA list of object types.
[in]ObjectTypeLengthThe length size of the list.
[in]GenericMappingThe generic mapping of access mask rights.
[in]ObjectCreationSet this to TRUE if the object has just been created.
[out]GrantedAccessListReturns the granted access rights.
[out]AccessStatusListReturns a NTSTATUS status code indicating whether access check can be granted or not.
[out]GenerateOnCloseReturns TRUE if the function has generated a list of granted access rights and status codes on termination, FALSE otherwise.
Returns
See SepAccessCheckAndAuditAlarm.

Definition at line 2425 of file audit.c.

2442 {
2443  /* Call the internal function */
2444  return SepAccessCheckAndAuditAlarm(SubsystemName,
2445  HandleId,
2446  NULL,
2448  ObjectName,
2450  PrincipalSelfSid,
2451  DesiredAccess,
2452  AuditType,
2453  Flags,
2454  ObjectTypeList,
2455  ObjectTypeListLength,
2457  GrantedAccessList,
2458  AccessStatusList,
2460  TRUE);
2461 }
static POBJECTS_AND_NAME_A SE_OBJECT_TYPE LPSTR ObjectTypeName
Definition: security.c:77
_Must_inspect_result_ _In_ WDFDEVICE _In_ ULONG _In_ ACCESS_MASK DesiredAccess
Definition: wdfdevice.h:2654
#define TRUE
Definition: types.h:120
_In_ USHORT _In_ ULONG _In_ PSOCKADDR _In_ PSOCKADDR _Reserved_ ULONG _In_opt_ PVOID _In_opt_ const WSK_CLIENT_CONNECTION_DISPATCH _In_opt_ PEPROCESS _In_opt_ PETHREAD _In_opt_ PSECURITY_DESCRIPTOR SecurityDescriptor
Definition: wsk.h:182
_In_ PVOID _Out_opt_ PULONG_PTR _Outptr_opt_ PCUNICODE_STRING * ObjectName
Definition: cmfuncs.h:62
_Must_inspect_result_ _In_ ULONG Flags
Definition: wsk.h:170
_In_opt_ PVOID _In_opt_ PUNICODE_STRING _In_ PSECURITY_DESCRIPTOR _In_ PACCESS_STATE _In_ BOOLEAN _In_ BOOLEAN _In_ KPROCESSOR_MODE _In_opt_ GUID _Out_ PBOOLEAN GenerateOnClose
Definition: sefuncs.h:414
static GENERIC_MAPPING GenericMapping
Definition: SeInheritance.c:11
#define NULL
Definition: types.h:112
_Must_inspect_result_ NTSTATUS NTAPI SepAccessCheckAndAuditAlarm(_In_ PUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ PHANDLE ClientTokenHandle, _In_ PUNICODE_STRING ObjectTypeName, _In_ PUNICODE_STRING ObjectName, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_opt_ PSID PrincipalSelfSid, _In_ ACCESS_MASK DesiredAccess, _In_ AUDIT_EVENT_TYPE AuditType, _In_ ULONG Flags, _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList, _In_ ULONG ObjectTypeListLength, _In_ PGENERIC_MAPPING GenericMapping, _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccessList, _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatusList, _Out_ PBOOLEAN GenerateOnClose, _In_ BOOLEAN UseResultList)
Performs security auditing, if the specific object can be granted security access or not.
Definition: audit.c:715

◆ NtAccessCheckByTypeResultListAndAuditAlarmByHandle()

_Must_inspect_result_ __kernel_entry NTSTATUS NTAPI NtAccessCheckByTypeResultListAndAuditAlarmByHandle ( _In_ PUNICODE_STRING  SubsystemName,
_In_opt_ PVOID  HandleId,
_In_ HANDLE  ClientToken,
_In_ PUNICODE_STRING  ObjectTypeName,
_In_ PUNICODE_STRING  ObjectName,
_In_ PSECURITY_DESCRIPTOR  SecurityDescriptor,
_In_opt_ PSID  PrincipalSelfSid,
_In_ ACCESS_MASK  DesiredAccess,
_In_ AUDIT_EVENT_TYPE  AuditType,
_In_ ULONG  Flags,
_In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST  ObjectTypeList,
_In_ ULONG  ObjectTypeListLength,
_In_ PGENERIC_MAPPING  GenericMapping,
_In_ BOOLEAN  ObjectCreation,
_Out_writes_(ObjectTypeListLength) PACCESS_MASK  GrantedAccessList,
_Out_writes_(ObjectTypeListLength) PNTSTATUS  AccessStatusList,
_Out_ PBOOLEAN  GenerateOnClose 
)

Raises an alarm audit message when a caller attempts to access an object and determine if the access can be made by given type result and a token handle.

Parameters
[in]SubsystemNameA Unicode string that points to a name of the subsystem.
[in]HandleIdA handle to an ID that is used as identification instance for auditing.
[in]ClientTokenA handle to a client access token.
[in]ObjectTypeNameThe name of the object type.
[in]ObjectNameThe object name.
[in]SecurityDescriptorA security descriptor.
[in]PrincipalSelfSidA principal self user SID.
[in]DesiredAccessThe desired access rights masks requested by the caller.
[in]AuditTypeType of audit to start, influencing how the audit should be done.
[in]FlagsFlag bitmask, used to check if auditing can be done without privileges.
[in]ObjectTypeListA list of object types.
[in]ObjectTypeLengthThe length size of the list.
[in]GenericMappingThe generic mapping of access mask rights.
[in]ObjectCreationSet this to TRUE if the object has just been created.
[out]GrantedAccessListReturns the granted access rights.
[out]AccessStatusListReturns a NTSTATUS status code indicating whether access check can be granted or not.
[out]GenerateOnCloseReturns TRUE if the function has generated a list of granted access rights and status codes on termination, FALSE otherwise.
Returns
See SepAccessCheckAndAuditAlarm.

Definition at line 2531 of file audit.c.

2549 {
2550  UNREFERENCED_PARAMETER(ObjectCreation);
2551 
2552  /* Call the internal function */
2553  return SepAccessCheckAndAuditAlarm(SubsystemName,
2554  HandleId,
2555  &ClientToken,
2557  ObjectName,
2559  PrincipalSelfSid,
2560  DesiredAccess,
2561  AuditType,
2562  Flags,
2563  ObjectTypeList,
2564  ObjectTypeListLength,
2566  GrantedAccessList,
2567  AccessStatusList,
2569  TRUE);
2570 }
static POBJECTS_AND_NAME_A SE_OBJECT_TYPE LPSTR ObjectTypeName
Definition: security.c:77
_Must_inspect_result_ _In_ WDFDEVICE _In_ ULONG _In_ ACCESS_MASK DesiredAccess
Definition: wdfdevice.h:2654
#define TRUE
Definition: types.h:120
#define UNREFERENCED_PARAMETER(P)
Definition: ntbasedef.h:317
_In_ USHORT _In_ ULONG _In_ PSOCKADDR _In_ PSOCKADDR _Reserved_ ULONG _In_opt_ PVOID _In_opt_ const WSK_CLIENT_CONNECTION_DISPATCH _In_opt_ PEPROCESS _In_opt_ PETHREAD _In_opt_ PSECURITY_DESCRIPTOR SecurityDescriptor
Definition: wsk.h:182
_In_ PVOID _Out_opt_ PULONG_PTR _Outptr_opt_ PCUNICODE_STRING * ObjectName
Definition: cmfuncs.h:62
_Must_inspect_result_ _In_ ULONG Flags
Definition: wsk.h:170
_In_opt_ PVOID _In_opt_ PUNICODE_STRING _In_ PSECURITY_DESCRIPTOR _In_ PACCESS_STATE _In_ BOOLEAN _In_ BOOLEAN _In_ KPROCESSOR_MODE _In_opt_ GUID _Out_ PBOOLEAN GenerateOnClose
Definition: sefuncs.h:414
static GENERIC_MAPPING GenericMapping
Definition: SeInheritance.c:11
_Must_inspect_result_ NTSTATUS NTAPI SepAccessCheckAndAuditAlarm(_In_ PUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ PHANDLE ClientTokenHandle, _In_ PUNICODE_STRING ObjectTypeName, _In_ PUNICODE_STRING ObjectName, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_opt_ PSID PrincipalSelfSid, _In_ ACCESS_MASK DesiredAccess, _In_ AUDIT_EVENT_TYPE AuditType, _In_ ULONG Flags, _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList, _In_ ULONG ObjectTypeListLength, _In_ PGENERIC_MAPPING GenericMapping, _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccessList, _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatusList, _Out_ PBOOLEAN GenerateOnClose, _In_ BOOLEAN UseResultList)
Performs security auditing, if the specific object can be granted security access or not.
Definition: audit.c:715

◆ NtCloseObjectAuditAlarm()

NTSTATUS NTAPI NtCloseObjectAuditAlarm ( _In_ PUNICODE_STRING  SubsystemName,
_In_ PVOID  HandleId,
_In_ BOOLEAN  GenerateOnClose 
)

Raises an alarm audit message when an object is about to be closed.

Parameters
[in]SubsystemNameA Unicode string that points to the name of the subsystem.
[in]HandleIdA handle of an ID used for identification instance for auditing.
[in]GenerateOnCloseA boolean value previously created by the "open" equivalent of this function. If the caller explicitly sets this to FALSE, the function assumes that the object is not opened.
Returns
Returns STATUS_SUCCESS if all the operations have completed successfully. STATUS_PRIVILEGE_NOT_HELD is returned if the security subject context does not have the audit privilege to actually begin auditing procedures in the first place.

Definition at line 1459 of file audit.c.

1463 {
1465  UNICODE_STRING CapturedSubsystemName;
1467  BOOLEAN UseImpersonationToken;
1468  PETHREAD CurrentThread;
1471  NTSTATUS Status;
1472  PTOKEN Token;
1473  PAGED_CODE();
1474 
1475  /* Get the previous mode (only user mode is supported!) */
1478 
1479  /* Do we even need to do anything? */
1480  if (!GenerateOnClose)
1481  {
1482  /* Nothing to do, return success */
1483  return STATUS_SUCCESS;
1484  }
1485 
1486  /* Capture the security subject context */
1488 
1489  /* Check for audit privilege */
1491  {
1492  DPRINT1("Caller does not have SeAuditPrivilege\n");
1494  goto Cleanup;
1495  }
1496 
1497  /* Probe and capture the subsystem name */
1498  Status = ProbeAndCaptureUnicodeString(&CapturedSubsystemName,
1499  PreviousMode,
1500  SubsystemName);
1501  if (!NT_SUCCESS(Status))
1502  {
1503  DPRINT1("Failed to capture subsystem name!\n");
1504  goto Cleanup;
1505  }
1506 
1507  /* Get the current thread and check if it's impersonating */
1508  CurrentThread = PsGetCurrentThread();
1509  if (PsIsThreadImpersonating(CurrentThread))
1510  {
1511  /* Get the impersonation token */
1512  Token = PsReferenceImpersonationToken(CurrentThread,
1513  &CopyOnOpen,
1514  &EffectiveOnly,
1516  UseImpersonationToken = TRUE;
1517  }
1518  else
1519  {
1520  /* Get the primary token */
1522  UseImpersonationToken = FALSE;
1523  }
1524 
1525  /* Call the internal function */
1526  SepAdtCloseObjectAuditAlarm(&CapturedSubsystemName,
1527  HandleId,
1528  Token->UserAndGroups->Sid);
1529 
1530  /* Release the captured subsystem name */
1531  ReleaseCapturedUnicodeString(&CapturedSubsystemName, PreviousMode);
1532 
1533  /* Check what token we used */
1534  if (UseImpersonationToken)
1535  {
1536  /* Release impersonation token */
1538  }
1539  else
1540  {
1541  /* Release primary token */
1543  }
1544 
1546 
1547 Cleanup:
1548 
1549  /* Release the security subject context */
1551 
1552  return Status;
1553 }
static __inline NTSTATUS ProbeAndCaptureUnicodeString(OUT PUNICODE_STRING Dest, IN KPROCESSOR_MODE CurrentMode, IN const UNICODE_STRING *UnsafeSrc)
Definition: probe.h:142
#define STATUS_PRIVILEGE_NOT_HELD
Definition: DriverTester.h:9
_Inout_ PLIST_ENTRY _In_ PVOID _In_ PSTRING _In_ BOOLEAN _In_ BOOLEAN _In_ ULONG _In_ PFLT_CALLBACK_DATA _In_opt_ PCHECK_FOR_TRAVERSE_ACCESS _In_opt_ PSECURITY_SUBJECT_CONTEXT SubjectContext
Definition: fltkernel.h:2238
#define PsGetCurrentThread()
Definition: env_spec_w32.h:81
#define TRUE
Definition: types.h:120
LONG NTSTATUS
Definition: precomp.h:26
_IRQL_requires_same_ _In_ PLSA_STRING _In_ SECURITY_LOGON_TYPE _In_ ULONG _In_ ULONG _In_opt_ PTOKEN_GROUPS _In_ PTOKEN_SOURCE _Out_ PVOID _Out_ PULONG _Inout_ PLUID _Out_ PHANDLE Token
_Out_ PBOOLEAN CopyOnOpen
Definition: psfuncs.h:154
KPROCESSOR_MODE NTAPI ExGetPreviousMode(VOID)
Definition: sysinfo.c:3070
VOID NTAPI SepAdtCloseObjectAuditAlarm(_In_ PUNICODE_STRING SubsystemName, _In_ PVOID HandleId, _In_ PSID Sid)
Closes an audit alarm event of an object.
Definition: audit.c:287
#define FALSE
Definition: types.h:117
enum _SECURITY_IMPERSONATION_LEVEL SECURITY_IMPERSONATION_LEVEL
#define PsGetCurrentProcess
Definition: psfuncs.h:17
unsigned char BOOLEAN
BOOLEAN NTAPI PsIsThreadImpersonating(IN PETHREAD Thread)
Definition: thread.c:888
Status
Definition: gdiplustypes.h:24
static __inline VOID ReleaseCapturedUnicodeString(IN PUNICODE_STRING CapturedString, IN KPROCESSOR_MODE CurrentMode)
Definition: probe.h:239
_In_ KPROCESSOR_MODE PreviousMode
Definition: sefuncs.h:103
#define ASSERT(a)
Definition: mode.c:44
#define NT_SUCCESS(StatCode)
Definition: apphelp.c:32
VOID NTAPI SeCaptureSubjectContext(_Out_ PSECURITY_SUBJECT_CONTEXT SubjectContext)
Captures the security subject context of the calling thread and calling process.
Definition: access.c:434
_Out_ PBOOLEAN _Out_ PBOOLEAN _Out_ PSECURITY_IMPERSONATION_LEVEL ImpersonationLevel
Definition: psfuncs.h:154
_In_opt_ PVOID _In_opt_ PUNICODE_STRING _In_ PSECURITY_DESCRIPTOR _In_ PACCESS_STATE _In_ BOOLEAN _In_ BOOLEAN _In_ KPROCESSOR_MODE _In_opt_ GUID _Out_ PBOOLEAN GenerateOnClose
Definition: sefuncs.h:414
CCHAR KPROCESSOR_MODE
Definition: ketypes.h:7
PACCESS_TOKEN NTAPI PsReferencePrimaryToken(PEPROCESS Process)
Definition: security.c:440
static const WCHAR Cleanup[]
Definition: register.c:80
PACCESS_TOKEN NTAPI PsReferenceImpersonationToken(IN PETHREAD Thread, OUT PBOOLEAN CopyOnOpen, OUT PBOOLEAN EffectiveOnly, OUT PSECURITY_IMPERSONATION_LEVEL ImpersonationLevel)
Definition: security.c:849
BOOLEAN NTAPI SeCheckAuditPrivilege(_In_ PSECURITY_SUBJECT_CONTEXT SubjectContext, _In_ KPROCESSOR_MODE PreviousMode)
Checks a single privilege and performs an audit against a privileged service based on a security subj...
Definition: priv.c:358
VOID NTAPI SeReleaseSubjectContext(_In_ PSECURITY_SUBJECT_CONTEXT SubjectContext)
Releases both the primary and client tokens of a security subject context.
Definition: access.c:520
VOID NTAPI PsDereferencePrimaryToken(IN PACCESS_TOKEN PrimaryToken)
Definition: security.c:902
#define DPRINT1
Definition: precomp.h:8
#define STATUS_SUCCESS
Definition: shellext.h:65
_In_ ACCESS_MASK _In_opt_ POBJECT_ATTRIBUTES _In_ BOOLEAN EffectiveOnly
Definition: sefuncs.h:388
#define PAGED_CODE()
VOID NTAPI PsDereferenceImpersonationToken(IN PACCESS_TOKEN ImpersonationToken)
Definition: security.c:888

Referenced by ObjectCloseAuditAlarmA(), and ObjectCloseAuditAlarmW().

◆ NtDeleteObjectAuditAlarm()

NTSTATUS NTAPI NtDeleteObjectAuditAlarm ( _In_ PUNICODE_STRING  SubsystemName,
_In_ PVOID  HandleId,
_In_ BOOLEAN  GenerateOnClose 
)

Raises an alarm audit message when an object is about to be deleted.

@unimplemented

Parameters
[in]SubsystemNameA Unicode string that points to the name of the subsystem.
[in]HandleIdA handle of an ID used for identification instance for auditing.
[in]GenerateOnCloseA boolean value previously created by the "open" equivalent of this function. If the caller explicitly sets this to FALSE, the function assumes that the object is not opened.
Returns
To be added...

Definition at line 1576 of file audit.c.

1580 {
1581  UNIMPLEMENTED;
1582  return STATUS_NOT_IMPLEMENTED;
1583 }
return STATUS_NOT_IMPLEMENTED
#define UNIMPLEMENTED
Definition: debug.h:115

Referenced by ObjectDeleteAuditAlarmA(), and ObjectDeleteAuditAlarmW().

◆ NtOpenObjectAuditAlarm()

__kernel_entry NTSTATUS NTAPI NtOpenObjectAuditAlarm ( _In_ PUNICODE_STRING  SubsystemName,
_In_opt_ PVOID  HandleId,
_In_ PUNICODE_STRING  ObjectTypeName,
_In_ PUNICODE_STRING  ObjectName,
_In_opt_ PSECURITY_DESCRIPTOR  SecurityDescriptor,
_In_ HANDLE  ClientTokenHandle,
_In_ ACCESS_MASK  DesiredAccess,
_In_ ACCESS_MASK  GrantedAccess,
_In_opt_ PPRIVILEGE_SET  PrivilegeSet,
_In_ BOOLEAN  ObjectCreation,
_In_ BOOLEAN  AccessGranted,
_Out_ PBOOLEAN  GenerateOnClose 
)

Raises an alarm audit message when an object is about to be opened.

Parameters
[in]SubsystemNameA Unicode string that points to a name of the subsystem.
[in]HandleIdA handle to an ID used for identification instance for auditing.
[in]ObjectTypeNameA Unicode string that points to an object type name.
[in]ObjectNameThe name of the object.
[in]SecurityDescriptorA security descriptor.
[in]ClientTokenHandleA handle to a client access token.
[in]DesiredAccessThe desired access rights masks requested by the caller.
[in]GrantedAccessThe granted access mask rights.
[in]PrivilegeSetIf specified, the function will use this set of privileges to audit.
[in]ObjectCreationSet this to TRUE if the object has just been created.
[in]AccessGrantedSet this to TRUE if the access attempt was deemed as granted.
[out]GenerateOnCloseA boolean flag returned to the caller once audit generation procedure finishes.
Returns
Returns STATUS_SUCCESS if all the operations have been completed successfully. STATUS_PRIVILEGE_NOT_HELD is returned if the given subject context does not hold the required audit privilege to actually begin auditing in the first place. STATUS_BAD_IMPERSONATION_LEVEL is returned if the security impersonation level of the client token is not on par with the impersonation level that alllows impersonation. STATUS_INVALID_PARAMETER is returned if the caller has submitted a bogus set of privileges as such array set exceeds the maximum count of privileges that the kernel can accept. A failure NTSTATUS code is returned otherwise.

Definition at line 1723 of file audit.c.

1736 {
1737  PTOKEN ClientToken;
1738  PSECURITY_DESCRIPTOR CapturedSecurityDescriptor;
1739  UNICODE_STRING CapturedSubsystemName, CapturedObjectTypeName, CapturedObjectName;
1740  ULONG PrivilegeCount, PrivilegeSetSize;
1741  volatile PPRIVILEGE_SET CapturedPrivilegeSet;
1742  BOOLEAN LocalGenerateOnClose;
1743  PVOID CapturedHandleId;
1745  NTSTATUS Status;
1746  PAGED_CODE();
1747 
1748  /* Only user mode is supported! */
1750 
1751  /* Start clean */
1752  ClientToken = NULL;
1753  CapturedSecurityDescriptor = NULL;
1754  CapturedPrivilegeSet = NULL;
1755  CapturedSubsystemName.Buffer = NULL;
1756  CapturedObjectTypeName.Buffer = NULL;
1757  CapturedObjectName.Buffer = NULL;
1758 
1759  /* Reference the client token */
1760  Status = ObReferenceObjectByHandle(ClientTokenHandle,
1761  TOKEN_QUERY,
1763  UserMode,
1764  (PVOID*)&ClientToken,
1765  NULL);
1766  if (!NT_SUCCESS(Status))
1767  {
1768  DPRINT1("Failed to reference token handle %p: %lx\n",
1769  ClientTokenHandle, Status);
1770  return Status;
1771  }
1772 
1773  /* Capture the security subject context */
1775 
1776  /* Validate the token's impersonation level */
1777  if ((ClientToken->TokenType == TokenImpersonation) &&
1778  (ClientToken->ImpersonationLevel < SecurityIdentification))
1779  {
1780  DPRINT1("Invalid impersonation level (%u)\n", ClientToken->ImpersonationLevel);
1782  goto Cleanup;
1783  }
1784 
1785  /* Check for audit privilege */
1787  {
1788  DPRINT1("Caller does not have SeAuditPrivilege\n");
1790  goto Cleanup;
1791  }
1792 
1793  /* Check for NULL SecurityDescriptor */
1794  if (SecurityDescriptor == NULL)
1795  {
1796  /* Nothing to do */
1798  goto Cleanup;
1799  }
1800 
1801  /* Capture the security descriptor */
1803  UserMode,
1804  PagedPool,
1805  FALSE,
1806  &CapturedSecurityDescriptor);
1807  if (!NT_SUCCESS(Status))
1808  {
1809  DPRINT1("Failed to capture security descriptor!\n");
1810  goto Cleanup;
1811  }
1812 
1813  _SEH2_TRY
1814  {
1815  /* Check if we have a privilege set */
1816  if (PrivilegeSet != NULL)
1817  {
1818  /* Probe the basic privilege set structure */
1819  ProbeForRead(PrivilegeSet, sizeof(PRIVILEGE_SET), sizeof(ULONG));
1820 
1821  /* Validate privilege count */
1822  PrivilegeCount = PrivilegeSet->PrivilegeCount;
1823  if (PrivilegeCount > SEP_PRIVILEGE_SET_MAX_COUNT)
1824  {
1826  _SEH2_YIELD(goto Cleanup);
1827  }
1828 
1829  /* Calculate the size of the PrivilegeSet structure */
1830  PrivilegeSetSize = FIELD_OFFSET(PRIVILEGE_SET, Privilege[PrivilegeCount]);
1831 
1832  /* Probe the whole structure */
1833  ProbeForRead(PrivilegeSet, PrivilegeSetSize, sizeof(ULONG));
1834 
1835  /* Allocate a temp buffer */
1836  CapturedPrivilegeSet = ExAllocatePoolWithTag(PagedPool,
1837  PrivilegeSetSize,
1839  if (CapturedPrivilegeSet == NULL)
1840  {
1841  DPRINT1("Failed to allocate %u bytes\n", PrivilegeSetSize);
1843  _SEH2_YIELD(goto Cleanup);
1844  }
1845 
1846  /* Copy the privileges */
1847  RtlCopyMemory(CapturedPrivilegeSet, PrivilegeSet, PrivilegeSetSize);
1848  }
1849 
1850  if (HandleId != NULL)
1851  {
1852  ProbeForRead(HandleId, sizeof(PVOID), sizeof(PVOID));
1853  CapturedHandleId = *(PVOID*)HandleId;
1854  }
1855 
1856  ProbeForWrite(GenerateOnClose, sizeof(BOOLEAN), sizeof(BOOLEAN));
1857  }
1859  {
1861  DPRINT1("Exception while probing parameters: 0x%lx\n", Status);
1862  _SEH2_YIELD(goto Cleanup);
1863  }
1864  _SEH2_END;
1865 
1866  /* Probe and capture the subsystem name */
1867  Status = ProbeAndCaptureUnicodeString(&CapturedSubsystemName,
1868  UserMode,
1869  SubsystemName);
1870  if (!NT_SUCCESS(Status))
1871  {
1872  DPRINT1("Failed to capture subsystem name!\n");
1873  goto Cleanup;
1874  }
1875 
1876  /* Probe and capture the object type name */
1877  Status = ProbeAndCaptureUnicodeString(&CapturedObjectTypeName,
1878  UserMode,
1879  ObjectTypeName);
1880  if (!NT_SUCCESS(Status))
1881  {
1882  DPRINT1("Failed to capture object type name!\n");
1883  goto Cleanup;
1884  }
1885 
1886  /* Probe and capture the object name */
1887  Status = ProbeAndCaptureUnicodeString(&CapturedObjectName,
1888  UserMode,
1889  ObjectName);
1890  if (!NT_SUCCESS(Status))
1891  {
1892  DPRINT1("Failed to capture object name!\n");
1893  goto Cleanup;
1894  }
1895 
1896  /* Call the internal function */
1898  &CapturedSubsystemName,
1899  CapturedHandleId,
1900  &CapturedObjectTypeName,
1901  &CapturedObjectName,
1902  CapturedSecurityDescriptor,
1903  ClientToken,
1904  DesiredAccess,
1905  GrantedAccess,
1906  CapturedPrivilegeSet,
1907  ObjectCreation,
1908  AccessGranted,
1909  &LocalGenerateOnClose);
1910 
1912 
1913  /* Enter SEH to copy the data back to user mode */
1914  _SEH2_TRY
1915  {
1916  *GenerateOnClose = LocalGenerateOnClose;
1917  }
1919  {
1921  DPRINT1("Exception while copying back data: 0x%lx\n", Status);
1922  }
1923  _SEH2_END;
1924 
1925 Cleanup:
1926 
1927  if (CapturedObjectName.Buffer != NULL)
1928  ReleaseCapturedUnicodeString(&CapturedObjectName, UserMode);
1929 
1930  if (CapturedObjectTypeName.Buffer != NULL)
1931  ReleaseCapturedUnicodeString(&CapturedObjectTypeName, UserMode);
1932 
1933  if (CapturedSubsystemName.Buffer != NULL)
1934  ReleaseCapturedUnicodeString(&CapturedSubsystemName, UserMode);
1935 
1936  if (CapturedSecurityDescriptor != NULL)
1937  SeReleaseSecurityDescriptor(CapturedSecurityDescriptor, UserMode, FALSE);
1938 
1939  if (CapturedPrivilegeSet != NULL)
1940  ExFreePoolWithTag(CapturedPrivilegeSet, TAG_PRIVILEGE_SET);
1941 
1942  /* Release the security subject context */
1944 
1945  ObDereferenceObject(ClientToken);
1946 
1947  return Status;
1948 }
static __inline NTSTATUS ProbeAndCaptureUnicodeString(OUT PUNICODE_STRING Dest, IN KPROCESSOR_MODE CurrentMode, IN const UNICODE_STRING *UnsafeSrc)
Definition: probe.h:142
static POBJECTS_AND_NAME_A SE_OBJECT_TYPE LPSTR ObjectTypeName
Definition: security.c:77
TOKEN_TYPE TokenType
Definition: setypes.h:221
#define STATUS_PRIVILEGE_NOT_HELD
Definition: DriverTester.h:9
_Inout_ PLIST_ENTRY _In_ PVOID _In_ PSTRING _In_ BOOLEAN _In_ BOOLEAN _In_ ULONG _In_ PFLT_CALLBACK_DATA _In_opt_ PCHECK_FOR_TRAVERSE_ACCESS _In_opt_ PSECURITY_SUBJECT_CONTEXT SubjectContext
Definition: fltkernel.h:2238
_Must_inspect_result_ _In_ WDFDEVICE _In_ ULONG _In_ ACCESS_MASK DesiredAccess
Definition: wdfdevice.h:2654
#define STATUS_BAD_IMPERSONATION_LEVEL
Definition: ntstatus.h:401
#define STATUS_INSUFFICIENT_RESOURCES
Definition: udferr_usr.h:158
_In_ USHORT _In_ ULONG _In_ PSOCKADDR _In_ PSOCKADDR _Reserved_ ULONG _In_opt_ PVOID _In_opt_ const WSK_CLIENT_CONNECTION_DISPATCH _In_opt_ PEPROCESS _In_opt_ PETHREAD _In_opt_ PSECURITY_DESCRIPTOR SecurityDescriptor
Definition: wsk.h:182
#define STATUS_INVALID_PARAMETER
Definition: udferr_usr.h:135
LONG NTSTATUS
Definition: precomp.h:26
KPROCESSOR_MODE NTAPI ExGetPreviousMode(VOID)
Definition: sysinfo.c:3070
_In_ PVOID _Out_opt_ PULONG_PTR _Outptr_opt_ PCUNICODE_STRING * ObjectName
Definition: cmfuncs.h:62
#define SEP_PRIVILEGE_SET_MAX_COUNT
Definition: audit.c:15
VOID NTAPI ProbeForWrite(IN PVOID Address, IN SIZE_T Length, IN ULONG Alignment)
Definition: exintrin.c:143
_SEH2_TRY
Definition: create.c:4226
NTSTATUS NTAPI ObReferenceObjectByHandle(IN HANDLE Handle, IN ACCESS_MASK DesiredAccess, IN POBJECT_TYPE ObjectType, IN KPROCESSOR_MODE AccessMode, OUT PVOID *Object, OUT POBJECT_HANDLE_INFORMATION HandleInformation OPTIONAL)
Definition: obref.c:494
#define FALSE
Definition: types.h:117
unsigned char BOOLEAN
POBJECT_TYPE SeTokenObjectType
Definition: token.c:19
Status
Definition: gdiplustypes.h:24
static __inline VOID ReleaseCapturedUnicodeString(IN PUNICODE_STRING CapturedString, IN KPROCESSOR_MODE CurrentMode)
Definition: probe.h:239
#define TOKEN_QUERY
Definition: setypes.h:893
#define ASSERT(a)
Definition: mode.c:44
#define NT_SUCCESS(StatCode)
Definition: apphelp.c:32
#define EXCEPTION_EXECUTE_HANDLER
Definition: excpt.h:85
VOID NTAPI SeCaptureSubjectContext(_Out_ PSECURITY_SUBJECT_CONTEXT SubjectContext)
Captures the security subject context of the calling thread and calling process.
Definition: access.c:434
NTSTATUS NTAPI SeCaptureSecurityDescriptor(_In_ PSECURITY_DESCRIPTOR _OriginalSecurityDescriptor, _In_ KPROCESSOR_MODE CurrentMode, _In_ POOL_TYPE PoolType, _In_ BOOLEAN CaptureIfKernel, _Out_ PSECURITY_DESCRIPTOR *CapturedSecurityDescriptor)
Captures a security descriptor.
Definition: sd.c:362
#define ObDereferenceObject
Definition: obfuncs.h:203
_In_opt_ PVOID _In_opt_ PUNICODE_STRING _In_ PSECURITY_DESCRIPTOR _In_ PACCESS_STATE _In_ BOOLEAN _In_ BOOLEAN _In_ KPROCESSOR_MODE _In_opt_ GUID _Out_ PBOOLEAN GenerateOnClose
Definition: sefuncs.h:414
BOOL Privilege(LPTSTR pszPrivilege, BOOL bEnable)
Definition: user_lib.cpp:531
#define ExAllocatePoolWithTag(hernya, size, tag)
Definition: env_spec_w32.h:350
VOID NTAPI ProbeForRead(IN CONST VOID *Address, IN SIZE_T Length, IN ULONG Alignment)
Definition: exintrin.c:102
NTSTATUS NTAPI SeReleaseSecurityDescriptor(_In_ PSECURITY_DESCRIPTOR CapturedSecurityDescriptor, _In_ KPROCESSOR_MODE CurrentMode, _In_ BOOLEAN CaptureIfKernelMode)
Releases a captured security descriptor buffer.
Definition: sd.c:736
static const WCHAR Cleanup[]
Definition: register.c:80
_SEH2_END
Definition: create.c:4400
_In_opt_ PVOID _In_opt_ PUNICODE_STRING _In_ PSECURITY_DESCRIPTOR _In_ PACCESS_STATE _In_ BOOLEAN _In_ BOOLEAN AccessGranted
Definition: sefuncs.h:414
#define FIELD_OFFSET(t, f)
Definition: typedefs.h:255
#define NULL
Definition: types.h:112
BOOLEAN NTAPI SeCheckAuditPrivilege(_In_ PSECURITY_SUBJECT_CONTEXT SubjectContext, _In_ KPROCESSOR_MODE PreviousMode)
Checks a single privilege and performs an audit against a privileged service based on a security subj...
Definition: priv.c:358
VOID NTAPI SeReleaseSubjectContext(_In_ PSECURITY_SUBJECT_CONTEXT SubjectContext)
Releases both the primary and client tokens of a security subject context.
Definition: access.c:520
#define DPRINT1
Definition: precomp.h:8
SECURITY_IMPERSONATION_LEVEL ImpersonationLevel
Definition: setypes.h:222
unsigned int ULONG
Definition: retypes.h:1
#define RtlCopyMemory(Destination, Source, Length)
Definition: typedefs.h:263
#define _SEH2_EXCEPT(...)
Definition: pseh2_64.h:40
#define TAG_PRIVILEGE_SET
Definition: tag.h:180
#define STATUS_SUCCESS
Definition: shellext.h:65
#define _SEH2_GetExceptionCode()
Definition: pseh2_64.h:165
#define _SEH2_YIELD(__stmt)
Definition: pseh2_64.h:168
_In_ PSECURITY_SUBJECT_CONTEXT _In_ BOOLEAN _In_ ACCESS_MASK _In_ ACCESS_MASK _Outptr_opt_ PPRIVILEGE_SET _In_ PGENERIC_MAPPING _In_ KPROCESSOR_MODE _Out_ PACCESS_MASK GrantedAccess
Definition: sefuncs.h:13
#define ExFreePoolWithTag(_P, _T)
Definition: module.h:1099
VOID NTAPI SepOpenObjectAuditAlarm(_In_ PSECURITY_SUBJECT_CONTEXT SubjectContext, _In_ PUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ PUNICODE_STRING ObjectTypeName, _In_ PUNICODE_STRING ObjectName, _In_opt_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ PTOKEN ClientToken, _In_ ACCESS_MASK DesiredAccess, _In_ ACCESS_MASK GrantedAccess, _In_opt_ PPRIVILEGE_SET Privileges, _In_ BOOLEAN ObjectCreation, _In_ BOOLEAN AccessGranted, _Out_ PBOOLEAN GenerateOnClose)
Raises an alarm audit message when an object is about to be opened.
Definition: audit.c:1636
#define PAGED_CODE()

Referenced by ObjectOpenAuditAlarmA(), and ObjectOpenAuditAlarmW().

◆ NtPrivilegedServiceAuditAlarm()

__kernel_entry NTSTATUS NTAPI NtPrivilegedServiceAuditAlarm ( _In_opt_ PUNICODE_STRING  SubsystemName,
_In_opt_ PUNICODE_STRING  ServiceName,
_In_ HANDLE  ClientTokenHandle,
_In_ PPRIVILEGE_SET  Privileges,
_In_ BOOLEAN  AccessGranted 
)

Raises an alarm audit message when a caller attempts to request a privileged service call.

Parameters
[in]SubsystemNameA Unicode string that points to a name of the subsystem.
[in]ServiceNameA Unicode string that points to a name of the privileged service.
[in]ClientTokenHandleA handle to a client access token.
[in]PrivilegesAn array set of privileges.
[in]AccessGrantedSet this to TRUE if the access attempt was deemed as granted.
Returns
Returns STATUS_SUCCESS if all the operations have been completed successfully. STATUS_PRIVILEGE_NOT_HELD is returned if the given subject context does not hold the required audit privilege to actually begin auditing in the first place. STATUS_BAD_IMPERSONATION_LEVEL is returned if the security impersonation level of the client token is not on par with the impersonation level that alllows impersonation. STATUS_INVALID_PARAMETER is returned if the caller has submitted a bogus set of privileges as such array set exceeds the maximum count of privileges that the kernel can accept. A failure NTSTATUS code is returned otherwise.

Definition at line 1984 of file audit.c.

1990 {
1992  PTOKEN ClientToken;
1993  volatile PPRIVILEGE_SET CapturedPrivileges = NULL;
1994  UNICODE_STRING CapturedSubsystemName;
1995  UNICODE_STRING CapturedServiceName;
1996  ULONG PrivilegeCount, PrivilegesSize;
1998  NTSTATUS Status;
1999  PAGED_CODE();
2000 
2001  /* Get the previous mode (only user mode is supported!) */
2004 
2005  CapturedSubsystemName.Buffer = NULL;
2006  CapturedServiceName.Buffer = NULL;
2007 
2008  /* Reference the client token */
2009  Status = ObReferenceObjectByHandle(ClientTokenHandle,
2010  TOKEN_QUERY,
2012  PreviousMode,
2013  (PVOID*)&ClientToken,
2014  NULL);
2015  if (!NT_SUCCESS(Status))
2016  {
2017  DPRINT1("Failed to reference client token: 0x%lx\n", Status);
2018  return Status;
2019  }
2020 
2021  /* Validate the token's impersonation level */
2022  if ((ClientToken->TokenType == TokenImpersonation) &&
2023  (ClientToken->ImpersonationLevel < SecurityIdentification))
2024  {
2025  DPRINT1("Invalid impersonation level (%u)\n", ClientToken->ImpersonationLevel);
2026  ObDereferenceObject(ClientToken);
2028  }
2029 
2030  /* Capture the security subject context */
2032 
2033  /* Check for audit privilege */
2035  {
2036  DPRINT1("Caller does not have SeAuditPrivilege\n");
2038  goto Cleanup;
2039  }
2040 
2041  /* Do we have a subsystem name? */
2042  if (SubsystemName != NULL)
2043  {
2044  /* Probe and capture the subsystem name */
2045  Status = ProbeAndCaptureUnicodeString(&CapturedSubsystemName,
2046  PreviousMode,
2047  SubsystemName);
2048  if (!NT_SUCCESS(Status))
2049  {
2050  DPRINT1("Failed to capture subsystem name!\n");
2051  goto Cleanup;
2052  }
2053  }
2054 
2055  /* Do we have a service name? */
2056  if (ServiceName != NULL)
2057  {
2058  /* Probe and capture the service name */
2059  Status = ProbeAndCaptureUnicodeString(&CapturedServiceName,
2060  PreviousMode,
2061  ServiceName);
2062  if (!NT_SUCCESS(Status))
2063  {
2064  DPRINT1("Failed to capture service name!\n");
2065  goto Cleanup;
2066  }
2067  }
2068 
2069  _SEH2_TRY
2070  {
2071  /* Probe the basic privilege set structure */
2072  ProbeForRead(Privileges, sizeof(PRIVILEGE_SET), sizeof(ULONG));
2073 
2074  /* Validate privilege count */
2075  PrivilegeCount = Privileges->PrivilegeCount;
2076  if (PrivilegeCount > SEP_PRIVILEGE_SET_MAX_COUNT)
2077  {
2079  _SEH2_YIELD(goto Cleanup);
2080  }
2081 
2082  /* Calculate the size of the Privileges structure */
2083  PrivilegesSize = FIELD_OFFSET(PRIVILEGE_SET, Privilege[PrivilegeCount]);
2084 
2085  /* Probe the whole structure */
2086  ProbeForRead(Privileges, PrivilegesSize, sizeof(ULONG));
2087 
2088  /* Allocate a temp buffer */
2089  CapturedPrivileges = ExAllocatePoolWithTag(PagedPool,
2090  PrivilegesSize,
2092  if (CapturedPrivileges == NULL)
2093  {
2094  DPRINT1("Failed to allocate %u bytes\n", PrivilegesSize);
2096  _SEH2_YIELD(goto Cleanup);
2097  }
2098 
2099  /* Copy the privileges */
2100  RtlCopyMemory(CapturedPrivileges, Privileges, PrivilegesSize);
2101  }
2103  {
2105  DPRINT1("Got exception 0x%lx\n", Status);
2106  _SEH2_YIELD(goto Cleanup);
2107  }
2108  _SEH2_END;
2109 
2110  /* Call the internal function */
2112  SubsystemName ? &CapturedSubsystemName : NULL,
2113  ServiceName ? &CapturedServiceName : NULL,
2114  ClientToken,
2115  SubjectContext.PrimaryToken,
2116  CapturedPrivileges,
2117  AccessGranted);
2118 
2120 
2121 Cleanup:
2122  /* Cleanup resources */
2123  if (CapturedSubsystemName.Buffer != NULL)
2124  ReleaseCapturedUnicodeString(&CapturedSubsystemName, PreviousMode);
2125 
2126  if (CapturedServiceName.Buffer != NULL)
2127  ReleaseCapturedUnicodeString(&CapturedServiceName, PreviousMode);
2128 
2129  if (CapturedPrivileges != NULL)
2130  ExFreePoolWithTag(CapturedPrivileges, TAG_PRIVILEGE_SET);
2131 
2132  /* Release the security subject context */
2134 
2135  ObDereferenceObject(ClientToken);
2136 
2137  return Status;
2138 }
static __inline NTSTATUS ProbeAndCaptureUnicodeString(OUT PUNICODE_STRING Dest, IN KPROCESSOR_MODE CurrentMode, IN const UNICODE_STRING *UnsafeSrc)
Definition: probe.h:142
TOKEN_TYPE TokenType
Definition: setypes.h:221
#define STATUS_PRIVILEGE_NOT_HELD
Definition: DriverTester.h:9
_Inout_ PLIST_ENTRY _In_ PVOID _In_ PSTRING _In_ BOOLEAN _In_ BOOLEAN _In_ ULONG _In_ PFLT_CALLBACK_DATA _In_opt_ PCHECK_FOR_TRAVERSE_ACCESS _In_opt_ PSECURITY_SUBJECT_CONTEXT SubjectContext
Definition: fltkernel.h:2238
#define STATUS_BAD_IMPERSONATION_LEVEL
Definition: ntstatus.h:401
#define STATUS_INSUFFICIENT_RESOURCES
Definition: udferr_usr.h:158
#define STATUS_INVALID_PARAMETER
Definition: udferr_usr.h:135
LONG NTSTATUS
Definition: precomp.h:26
VOID NTAPI SepAdtPrivilegedServiceAuditAlarm(_In_ PSECURITY_SUBJECT_CONTEXT SubjectContext, _In_opt_ PUNICODE_STRING SubsystemName, _In_opt_ PUNICODE_STRING ServiceName, _In_ PTOKEN Token, _In_ PTOKEN PrimaryToken, _In_ PPRIVILEGE_SET Privileges, _In_ BOOLEAN AccessGranted)
Performs an audit alarm to a privileged service request. This is a worker function.
Definition: audit.c:332
KPROCESSOR_MODE NTAPI ExGetPreviousMode(VOID)
Definition: sysinfo.c:3070
#define SEP_PRIVILEGE_SET_MAX_COUNT
Definition: audit.c:15
_SEH2_TRY
Definition: create.c:4226
NTSTATUS NTAPI ObReferenceObjectByHandle(IN HANDLE Handle, IN ACCESS_MASK DesiredAccess, IN POBJECT_TYPE ObjectType, IN KPROCESSOR_MODE AccessMode, OUT PVOID *Object, OUT POBJECT_HANDLE_INFORMATION HandleInformation OPTIONAL)
Definition: obref.c:494
POBJECT_TYPE SeTokenObjectType
Definition: token.c:19
Status
Definition: gdiplustypes.h:24
static __inline VOID ReleaseCapturedUnicodeString(IN PUNICODE_STRING CapturedString, IN KPROCESSOR_MODE CurrentMode)
Definition: probe.h:239
_In_ KPROCESSOR_MODE PreviousMode
Definition: sefuncs.h:103
LPTSTR ServiceName
Definition: ServiceMain.c:15
#define TOKEN_QUERY
Definition: setypes.h:893
#define ASSERT(a)
Definition: mode.c:44
#define NT_SUCCESS(StatCode)
Definition: apphelp.c:32
#define EXCEPTION_EXECUTE_HANDLER
Definition: excpt.h:85
VOID NTAPI SeCaptureSubjectContext(_Out_ PSECURITY_SUBJECT_CONTEXT SubjectContext)
Captures the security subject context of the calling thread and calling process.
Definition: access.c:434
#define ObDereferenceObject
Definition: obfuncs.h:203
BOOL Privilege(LPTSTR pszPrivilege, BOOL bEnable)
Definition: user_lib.cpp:531
CCHAR KPROCESSOR_MODE
Definition: ketypes.h:7
_In_ PSECURITY_SUBJECT_CONTEXT _In_ BOOLEAN _In_ ACCESS_MASK _In_ ACCESS_MASK _Outptr_opt_ PPRIVILEGE_SET * Privileges
Definition: sefuncs.h:13
#define ExAllocatePoolWithTag(hernya, size, tag)
Definition: env_spec_w32.h:350
VOID NTAPI ProbeForRead(IN CONST VOID *Address, IN SIZE_T Length, IN ULONG Alignment)
Definition: exintrin.c:102
static const WCHAR Cleanup[]
Definition: register.c:80
_SEH2_END
Definition: create.c:4400
_In_opt_ PVOID _In_opt_ PUNICODE_STRING _In_ PSECURITY_DESCRIPTOR _In_ PACCESS_STATE _In_ BOOLEAN _In_ BOOLEAN AccessGranted
Definition: sefuncs.h:414
#define FIELD_OFFSET(t, f)
Definition: typedefs.h:255
#define NULL
Definition: types.h:112
BOOLEAN NTAPI SeCheckAuditPrivilege(_In_ PSECURITY_SUBJECT_CONTEXT SubjectContext, _In_ KPROCESSOR_MODE PreviousMode)
Checks a single privilege and performs an audit against a privileged service based on a security subj...
Definition: priv.c:358
VOID NTAPI SeReleaseSubjectContext(_In_ PSECURITY_SUBJECT_CONTEXT SubjectContext)
Releases both the primary and client tokens of a security subject context.
Definition: access.c:520
#define DPRINT1
Definition: precomp.h:8
SECURITY_IMPERSONATION_LEVEL ImpersonationLevel
Definition: setypes.h:222
unsigned int ULONG
Definition: retypes.h:1
#define RtlCopyMemory(Destination, Source, Length)
Definition: typedefs.h:263
#define _SEH2_EXCEPT(...)
Definition: pseh2_64.h:40
#define TAG_PRIVILEGE_SET
Definition: tag.h:180
#define STATUS_SUCCESS
Definition: shellext.h:65
#define _SEH2_GetExceptionCode()
Definition: pseh2_64.h:165
#define _SEH2_YIELD(__stmt)
Definition: pseh2_64.h:168
#define ExFreePoolWithTag(_P, _T)
Definition: module.h:1099
#define PAGED_CODE()

Referenced by PrivilegedServiceAuditAlarmA(), and PrivilegedServiceAuditAlarmW().

◆ NtPrivilegeObjectAuditAlarm()

NTSTATUS NTAPI NtPrivilegeObjectAuditAlarm ( _In_ PUNICODE_STRING  SubsystemName,
_In_ PVOID  HandleId,
_In_ HANDLE  ClientToken,
_In_ ULONG  DesiredAccess,
_In_ PPRIVILEGE_SET  Privileges,
_In_ BOOLEAN  AccessGranted 
)

Raises an alarm audit message when a caller attempts to access a privileged object.

Parameters
[in]SubsystemNameA Unicode string that points to a name of the subsystem.
[in]HandleIdA handle to an ID that is used as identification instance for auditing.
[in]ClientTokenA handle to a client access token.
[in]DesiredAccessA handle to a client access token.
[in]PrivilegesAn array set of privileges.
[in]AccessGrantedSet this to TRUE if the access attempt was deemed as granted.
Returns
To be added...

Definition at line 2167 of file audit.c.

2174 {
2175  UNIMPLEMENTED;
2176  return STATUS_NOT_IMPLEMENTED;
2177 }
return STATUS_NOT_IMPLEMENTED
#define UNIMPLEMENTED
Definition: debug.h:115

Referenced by ObjectPrivilegeAuditAlarmA(), and ObjectPrivilegeAuditAlarmW().

◆ SeAuditHardLinkCreation()

VOID NTAPI SeAuditHardLinkCreation ( _In_ PUNICODE_STRING  FileName,
_In_ PUNICODE_STRING  LinkName,
_In_ BOOLEAN  bSuccess 
)

Performs an audit against a hard link creation.

@unimplemented

Parameters
[in]FileNameA Unicode string that points to the name of the file.
[in]LinkNameA Unicode string that points to a link.
[out]bSuccessIf TRUE, the function has successfully audited the hard link and security access can be granted, FALSE otherwise.
Returns
Nothing.

Definition at line 1068 of file audit.c.

1072 {
1073  UNIMPLEMENTED;
1074 }
#define UNIMPLEMENTED
Definition: debug.h:115

◆ SeAuditingFileEvents()

BOOLEAN NTAPI SeAuditingFileEvents ( _In_ BOOLEAN  AccessGranted,
_In_ PSECURITY_DESCRIPTOR  SecurityDescriptor 
)

Determines whether auditing against file events is being done or not.

@unimplemented

Parameters
[in]AccessGrantedIf set to TRUE, the access attempt is deemed as successful otherwise set it to FALSE.
[in]SecurityDescriptorA security descriptor.
Returns
Returns TRUE if auditing is being currently done, FALSE otherwise.

Definition at line 1094 of file audit.c.

1097 {
1098  UNIMPLEMENTED;
1099  return FALSE;
1100 }
#define FALSE
Definition: types.h:117
#define UNIMPLEMENTED
Definition: debug.h:115

◆ SeAuditingFileEventsWithContext()

BOOLEAN NTAPI SeAuditingFileEventsWithContext ( _In_ BOOLEAN  AccessGranted,
_In_ PSECURITY_DESCRIPTOR  SecurityDescriptor,
_In_opt_ PSECURITY_SUBJECT_CONTEXT  SubjectSecurityContext 
)

Determines whether auditing against file events with subject context is being done or not.

@unimplemented

Parameters
[in]AccessGrantedIf set to TRUE, the access attempt is deemed as successful otherwise set it to FALSE.
[in]SecurityDescriptorA security descriptor.
[in]SubjectSecurityContextIf specified, the function will check if security auditing is currently being done with this context.
Returns
Returns TRUE if auditing is being currently done, FALSE otherwise.

Definition at line 1124 of file audit.c.

1128 {
1130  return FALSE;
1131 }
#define FALSE
Definition: types.h:117
#define UNIMPLEMENTED_ONCE
Definition: typedefs.h:30

◆ SeAuditingFileOrGlobalEvents()

BOOLEAN NTAPI SeAuditingFileOrGlobalEvents ( _In_ BOOLEAN  AccessGranted,
_In_ PSECURITY_DESCRIPTOR  SecurityDescriptor,
_In_ PSECURITY_SUBJECT_CONTEXT  SubjectSecurityContext 
)

Determines whether auditing against files or global events with subject context is being done or not.

@unimplemented

Parameters
[in]AccessGrantedIf set to TRUE, the access attempt is deemed as successful otherwise set it to FALSE.
[in]SecurityDescriptorA security descriptor.
[in]SubjectSecurityContextIf specified, the function will check if security auditing is currently being done with this context.
Returns
Returns TRUE if auditing is being currently done, FALSE otherwise.

Definition at line 1212 of file audit.c.

1216 {
1217  UNIMPLEMENTED;
1218  return FALSE;
1219 }
#define FALSE
Definition: types.h:117
#define UNIMPLEMENTED
Definition: debug.h:115

◆ SeAuditingHardLinkEvents()

BOOLEAN NTAPI SeAuditingHardLinkEvents ( _In_ BOOLEAN  AccessGranted,
_In_ PSECURITY_DESCRIPTOR  SecurityDescriptor 
)

Determines whether auditing against hard links events is being done or not.

@unimplemented

Parameters
[in]AccessGrantedIf set to TRUE, the access attempt is deemed as successful otherwise set it to FALSE.
[in]SecurityDescriptorA security descriptor.
Returns
Returns TRUE if auditing is being currently done, FALSE otherwise.

Definition at line 1151 of file audit.c.

1154 {
1155  UNIMPLEMENTED;
1156  return FALSE;
1157 }
#define FALSE
Definition: types.h:117
#define UNIMPLEMENTED
Definition: debug.h:115

◆ SeAuditingHardLinkEventsWithContext()

BOOLEAN NTAPI SeAuditingHardLinkEventsWithContext ( _In_ BOOLEAN  AccessGranted,
_In_ PSECURITY_DESCRIPTOR  SecurityDescriptor,
_In_opt_ PSECURITY_SUBJECT_CONTEXT  SubjectSecurityContext 
)

Determines whether auditing against hard links events with subject context is being done or not.

@unimplemented

Parameters
[in]AccessGrantedIf set to TRUE, the access attempt is deemed as successful otherwise set it to FALSE.
[in]SecurityDescriptorA security descriptor.
[in]SubjectSecurityContextIf specified, the function will check if security auditing is currently being done with this context.
Returns
Returns TRUE if auditing is being currently done, FALSE otherwise.

Definition at line 1181 of file audit.c.

1185 {
1186  UNIMPLEMENTED;
1187  return FALSE;
1188 }
#define FALSE
Definition: types.h:117
#define UNIMPLEMENTED
Definition: debug.h:115

◆ SeAuditProcessCreate()

VOID NTAPI SeAuditProcessCreate ( _In_ PEPROCESS  Process)

Peforms a security auditing against a process that is about to be created.

@unimplemented

Parameters
[in]ProcessAn object that points to a process which is in process of creation.
Returns
Nothing.

Definition at line 56 of file audit.c.

58 {
59  /* FIXME */
60 }

Referenced by PspCreateProcess().

◆ SeAuditProcessExit()

VOID NTAPI SeAuditProcessExit ( _In_ PEPROCESS  Process)

Peforms a security auditing against a process that is about to be terminated.

@unimplemented

Parameters
[in]ProcessAn object that points to a process which is in process of termination.
Returns
Nothing.

Definition at line 77 of file audit.c.

79 {
80  /* FIXME */
81 }

Referenced by PspExitThread().

◆ SeCaptureObjectTypeList()

static NTSTATUS SeCaptureObjectTypeList ( _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST  ObjectTypeList,
_In_ ULONG  ObjectTypeListLength,
_In_ KPROCESSOR_MODE  PreviousMode,
_Out_ POBJECT_TYPE_LIST CapturedObjectTypeList 
)
static

Captures a list of object types.

Parameters
[in]ObjectTypeListAn existing list of object types.
[in]ObjectTypeListLengthThe length size of the list.
[in]PreviousModeProcessor access level mode.
[out]CapturedObjectTypeListThe captured list of object types.
Returns
Returns STATUS_SUCCESS if the list of object types has been captured successfully. STATUS_INVALID_PARAMETER is returned if the caller hasn't supplied a buffer list of object types. STATUS_INSUFFICIENT_RESOURCES is returned if pool memory allocation for the captured list has failed.

Definition at line 438 of file audit.c.

443 {
444  SIZE_T Size;
445 
446  if (PreviousMode == KernelMode)
447  {
448  return STATUS_NOT_IMPLEMENTED;
449  }
450 
451  if (ObjectTypeListLength == 0)
452  {
453  *CapturedObjectTypeList = NULL;
454  return STATUS_SUCCESS;
455  }
456 
457  if (ObjectTypeList == NULL)
458  {
460  }
461 
462  /* Calculate the list size and check for integer overflow */
463  Size = ObjectTypeListLength * sizeof(OBJECT_TYPE_LIST);
464  if (Size == 0)
465  {
467  }
468 
469  /* Allocate a new list */
470  *CapturedObjectTypeList = ExAllocatePoolWithTag(PagedPool, Size, TAG_SEPA);
471  if (*CapturedObjectTypeList == NULL)
472  {
474  }
475 
476  _SEH2_TRY
477  {
478  ProbeForRead(ObjectTypeList, Size, sizeof(ULONG));
479  RtlCopyMemory(*CapturedObjectTypeList, ObjectTypeList, Size);
480  }
482  {
483  ExFreePoolWithTag(*CapturedObjectTypeList, TAG_SEPA);
484  *CapturedObjectTypeList = NULL;
486  }
487  _SEH2_END;
488 
489  return STATUS_SUCCESS;
490 }
#define STATUS_INSUFFICIENT_RESOURCES
Definition: udferr_usr.h:158
struct _OBJECT_TYPE_LIST OBJECT_TYPE_LIST
#define STATUS_INVALID_PARAMETER
Definition: udferr_usr.h:135
IN PVOID IN PVOID IN USHORT IN USHORT Size
Definition: pci.h:361
_SEH2_TRY
Definition: create.c:4226
return STATUS_NOT_IMPLEMENTED
_In_ KPROCESSOR_MODE PreviousMode
Definition: sefuncs.h:103
#define EXCEPTION_EXECUTE_HANDLER
Definition: excpt.h:85
#define ExAllocatePoolWithTag(hernya, size, tag)
Definition: env_spec_w32.h:350
VOID NTAPI ProbeForRead(IN CONST VOID *Address, IN SIZE_T Length, IN ULONG Alignment)
Definition: exintrin.c:102
ULONG_PTR SIZE_T
Definition: typedefs.h:80
_SEH2_END
Definition: create.c:4400
#define NULL
Definition: types.h:112
unsigned int ULONG
Definition: retypes.h:1
#define RtlCopyMemory(Destination, Source, Length)
Definition: typedefs.h:263
#define _SEH2_EXCEPT(...)
Definition: pseh2_64.h:40
#define TAG_SEPA
Definition: tag.h:179
#define STATUS_SUCCESS
Definition: shellext.h:65
#define _SEH2_GetExceptionCode()
Definition: pseh2_64.h:165
#define _SEH2_YIELD(__stmt)
Definition: pseh2_64.h:168
#define ExFreePoolWithTag(_P, _T)
Definition: module.h:1099

Referenced by SepAccessCheckAndAuditAlarm().

◆ SeCloseObjectAuditAlarm()

VOID NTAPI SeCloseObjectAuditAlarm ( _In_ PVOID  Object,
_In_ HANDLE  Handle,
_In_ BOOLEAN  PerformAction 
)

Closes an alarm audit of an object.

@unimplemented

Parameters
[in]ObjectAn arbitrary pointer data that points to the object.
[in]HandleA handle of the said object.
[in]PerformActionSet this to TRUE to perform any auxiliary action, otherwise set to FALSE.
Returns
Nothing.

Definition at line 1241 of file audit.c.

1245 {
1246  UNIMPLEMENTED;
1247 }
#define UNIMPLEMENTED
Definition: debug.h:115

◆ SeDeleteObjectAuditAlarm()

VOID NTAPI SeDeleteObjectAuditAlarm ( _In_ PVOID  Object,
_In_ HANDLE  Handle 
)

Deletes an alarm audit of an object.

@unimplemented

Parameters
[in]ObjectAn arbitrary pointer data that points to the object.
[in]HandleA handle of the said object.
Returns
Nothing.

Definition at line 1264 of file audit.c.

1267 {
1268  UNIMPLEMENTED;
1269 }
#define UNIMPLEMENTED
Definition: debug.h:115

◆ SeDetailedAuditingWithToken()

BOOLEAN NTAPI SeDetailedAuditingWithToken ( _In_ PTOKEN  Token)

Peforms a detailed security auditing with an access token.

@unimplemented

Parameters
[in]TokenA valid token object.
Returns
To be added...

Definition at line 34 of file audit.c.

36 {
37  /* FIXME */
38  return FALSE;
39 }
#define FALSE
Definition: types.h:117

Referenced by ObInitProcess(), PspCreateProcess(), and PspExitThread().

◆ SeInitializeProcessAuditName()

NTSTATUS NTAPI SeInitializeProcessAuditName ( _In_ PFILE_OBJECT  FileObject,
_In_ BOOLEAN  DoAudit,
_Out_ POBJECT_NAME_INFORMATION AuditInfo 
)

Initializes a process audit name and returns it to the caller.

Parameters
[in]FileObjectFile object that points to a name to be queried.
[in]DoAuditIf set to TRUE, the function will perform various security auditing onto the audit name.
[out]AuditInfoThe returned audit info data.
Returns
Returns STATUS_SUCCESS if process audit name initialization has completed successfully. STATUS_NO_MEMORY is returned if pool allocation for object name info has failed. A failure NTSTATUS code is returned otherwise.

Definition at line 105 of file audit.c.

109 {
110  OBJECT_NAME_INFORMATION LocalNameInfo;
111  POBJECT_NAME_INFORMATION ObjectNameInfo = NULL;
112  ULONG ReturnLength = 8;
114 
115  PAGED_CODE();
116  ASSERT(AuditInfo);
117 
118  /* Check if we should do auditing */
119  if (DoAudit)
120  {
121  /* FIXME: TODO */
122  }
123 
124  /* Now query the name */
126  &LocalNameInfo,
127  sizeof(LocalNameInfo),
128  &ReturnLength);
129  if (((Status == STATUS_BUFFER_OVERFLOW) ||
132  (ReturnLength != sizeof(LocalNameInfo)))
133  {
134  /* Allocate required size */
135  ObjectNameInfo = ExAllocatePoolWithTag(NonPagedPool,
136  ReturnLength,
137  TAG_SEPA);
138  if (ObjectNameInfo)
139  {
140  /* Query the name again */
142  ObjectNameInfo,
143  ReturnLength,
144  &ReturnLength);
145  }
146  }
147 
148  /* Check if we got here due to failure */
149  if ((ObjectNameInfo) &&
150  (!(NT_SUCCESS(Status)) || (ReturnLength == sizeof(LocalNameInfo))))
151  {
152  /* First, free any buffer we might've allocated */
153  ASSERT(FALSE);
154  if (ObjectNameInfo) ExFreePool(ObjectNameInfo);
155 
156  /* Now allocate a temporary one */
158  ObjectNameInfo = ExAllocatePoolWithTag(NonPagedPool,
159  sizeof(OBJECT_NAME_INFORMATION),
160  TAG_SEPA);
161  if (ObjectNameInfo)
162  {
163  /* Clear it */
164  RtlZeroMemory(ObjectNameInfo, ReturnLength);
166  }
167  }
168 
169  /* Check if memory allocation failed */
170  if (!ObjectNameInfo) Status = STATUS_NO_MEMORY;
171 
172  /* Return the audit name */
173  *AuditInfo = ObjectNameInfo;
174 
175  /* Return status */
176  return Status;
177 }
IN CINT OUT PVOID IN ULONG OUT PULONG ReturnLength
Definition: dumpinfo.c:39
#define STATUS_INFO_LENGTH_MISMATCH
Definition: udferr_usr.h:133
LONG NTSTATUS
Definition: precomp.h:26
NTSTATUS NTAPI ObQueryNameString(IN PVOID Object, OUT POBJECT_NAME_INFORMATION ObjectNameInfo, IN ULONG Length, OUT PULONG ReturnLength)
Definition: obname.c:1209
#define STATUS_BUFFER_TOO_SMALL
Definition: shellext.h:69
#define FALSE
Definition: types.h:117
struct _OBJECT_NAME_INFORMATION OBJECT_NAME_INFORMATION
_In_ WDFREQUEST _In_ WDFFILEOBJECT FileObject
Definition: wdfdevice.h:547
Status
Definition: gdiplustypes.h:24
#define ASSERT(a)
Definition: mode.c:44
#define NT_SUCCESS(StatCode)
Definition: apphelp.c:32
#define ExAllocatePoolWithTag(hernya, size, tag)
Definition: env_spec_w32.h:350
#define STATUS_BUFFER_OVERFLOW
Definition: shellext.h:66
#define STATUS_NO_MEMORY
Definition: ntstatus.h:260
#define NULL
Definition: types.h:112
unsigned int ULONG
Definition: retypes.h:1
#define RtlZeroMemory(Destination, Length)
Definition: typedefs.h:262
#define TAG_SEPA
Definition: tag.h:179
#define STATUS_SUCCESS
Definition: shellext.h:65
#define ExFreePool(addr)
Definition: env_spec_w32.h:352
#define PAGED_CODE()

Referenced by MmInitializeProcessAddressSpace(), and SeLocateProcessImageName().

◆ SeLocateProcessImageName()

NTSTATUS NTAPI SeLocateProcessImageName ( _In_ PEPROCESS  Process,
_Out_ PUNICODE_STRING ProcessImageName 
)

Finds the process image name of a specific process.

Parameters
[in]ProcessProcess object submitted by the caller, where the image name is to be located.
[out]ProcessImageNameAn output Unicode string structure with the located process image name.
Returns
Returns STATUS_SUCCESS if process image name has been located successfully. STATUS_NO_MEMORY is returned if pool allocation for the image name has failed. A failure NTSTATUS code is returned otherwise.

Definition at line 199 of file audit.c.

202 {
203  POBJECT_NAME_INFORMATION AuditName;
207 
208  PAGED_CODE();
209 
210  /* Assume failure */
211  *ProcessImageName = NULL;
212 
213  /* Check if we have audit info */
214  AuditName = Process->SeAuditProcessCreationInfo.ImageFileName;
215  if (!AuditName)
216  {
217  /* Get the file object */
219  if (!NT_SUCCESS(Status)) return Status;
220 
221  /* Initialize the audit structure */
223  if (NT_SUCCESS(Status))
224  {
225  /* Set it */
227  SeAuditProcessCreationInfo.ImageFileName,
228  AuditName,
229  NULL))
230  {
231  /* Someone beat us to it, deallocate our copy */
232  ExFreePool(AuditName);
233  }
234  }
235 
236  /* Dereference the file object */
238  if (!NT_SUCCESS(Status)) return Status;
239  }
240 
241  /* Get audit info again, now we have it for sure */
242  AuditName = Process->SeAuditProcessCreationInfo.ImageFileName;
243 
244  /* Allocate the output string */
246  AuditName->Name.MaximumLength +
247  sizeof(UNICODE_STRING),
248  TAG_SEPA);
249  if (!ImageName) return STATUS_NO_MEMORY;
250 
251  /* Make a copy of it */
253  &AuditName->Name,
254  AuditName->Name.MaximumLength + sizeof(UNICODE_STRING));
255 
256  /* Fix up the buffer */
257  ImageName->Buffer = (PWSTR)(ImageName + 1);
258 
259  /* Return it */
260  *ProcessImageName = ImageName;
261 
262  /* Return status */
263  return Status;
264 }
USHORT MaximumLength
Definition: env_spec_w32.h:370
#define TRUE
Definition: types.h:120
uint16_t * PWSTR
Definition: typedefs.h:56
LONG NTSTATUS
Definition: precomp.h:26
UNICODE_STRING Name
Definition: nt_native.h:1270
#define InterlockedCompareExchangePointer
Definition: interlocked.h:129
_In_ WDFREQUEST _In_ WDFFILEOBJECT FileObject
Definition: wdfdevice.h:547
Status
Definition: gdiplustypes.h:24
#define NT_SUCCESS(StatCode)
Definition: apphelp.c:32
#define ObDereferenceObject
Definition: obfuncs.h:203
* PFILE_OBJECT
Definition: iotypes.h:1998
#define ExAllocatePoolWithTag(hernya, size, tag)
Definition: env_spec_w32.h:350
static const char * ImageName
Definition: image.c:34
#define STATUS_NO_MEMORY
Definition: ntstatus.h:260
#define NULL
Definition: types.h:112
_Must_inspect_result_ _In_ PLARGE_INTEGER _In_ PLARGE_INTEGER _In_ ULONG _In_ PFILE_OBJECT _In_ PVOID Process
Definition: fsrtlfuncs.h:219
NTSTATUS NTAPI SeInitializeProcessAuditName(_In_ PFILE_OBJECT FileObject, _In_ BOOLEAN DoAudit, _Out_ POBJECT_NAME_INFORMATION *AuditInfo)
Initializes a process audit name and returns it to the caller.
Definition: audit.c:105
#define RtlCopyMemory(Destination, Source, Length)
Definition: typedefs.h:263
#define TAG_SEPA
Definition: tag.h:179
#define STATUS_SUCCESS
Definition: shellext.h:65
#define ExFreePool(addr)
Definition: env_spec_w32.h:352
NTSTATUS NTAPI PsReferenceProcessFilePointer(IN PEPROCESS Process, OUT PFILE_OBJECT *FileObject)
Definition: query.c:24
#define PAGED_CODE()

Referenced by NtQueryInformationProcess(), and QSI_DEF().

◆ SeOpenObjectAuditAlarm()

VOID NTAPI SeOpenObjectAuditAlarm ( _In_ PUNICODE_STRING  ObjectTypeName,
_In_opt_ PVOID  Object,
_In_opt_ PUNICODE_STRING  AbsoluteObjectName,
_In_ PSECURITY_DESCRIPTOR  SecurityDescriptor,
_In_ PACCESS_STATE  AccessState,
_In_ BOOLEAN  ObjectCreated,
_In_ BOOLEAN  AccessGranted,
_In_ KPROCESSOR_MODE  AccessMode,
_Out_ PBOOLEAN  GenerateOnClose 
)

Creates an audit with alarm notification of an object that is being opened.

@unimplemented

Parameters
[in]ObjectTypeNameA Unicode string that points to the object type name.
[in]ObjectIf specified, the function will use this parameter to directly open the object.
[in]AbsoluteObjectNameIf specified, the function will use this parameter to directly open the object through the absolute name of the object.
[in]SecurityDescriptorA security descriptor.
[in]AccessStateAn access state right mask when opening the object.
[in]ObjectCreatedSet this to TRUE if the object has been fully created, FALSE otherwise.
[in]AccessGrantedSet this to TRUE if access was deemed as granted.
[in]AccessModeProcessor level access mode.
[out]GenerateOnCloseA boolean flag returned to the caller once audit generation procedure finishes.
Returns
Nothing.

Definition at line 1314 of file audit.c.

1324 {
1325  PAGED_CODE();
1326 
1327  /* Audits aren't done on kernel-mode access */
1328  if (AccessMode == KernelMode) return;
1329 
1330  /* Otherwise, unimplemented! */
1331  //UNIMPLEMENTED;
1332  return;
1333 }
_In_ PEPROCESS _In_ KPROCESSOR_MODE AccessMode
Definition: mmfuncs.h:395
#define PAGED_CODE()

Referenced by IopParseDevice(), NpCreateClientEnd(), NpCreateExistingNamedPipe(), and ObCheckObjectAccess().

◆ SeOpenObjectForDeleteAuditAlarm()

VOID NTAPI SeOpenObjectForDeleteAuditAlarm ( _In_ PUNICODE_STRING  ObjectTypeName,
_In_opt_ PVOID  Object,
_In_opt_ PUNICODE_STRING  AbsoluteObjectName,
_In_ PSECURITY_DESCRIPTOR  SecurityDescriptor,
_In_ PACCESS_STATE  AccessState,
_In_ BOOLEAN  ObjectCreated,
_In_ BOOLEAN  AccessGranted,
_In_ KPROCESSOR_MODE  AccessMode,
_Out_ PBOOLEAN  GenerateOnClose 
)

Creates an audit with alarm notification of an object that is being opened for deletion.

@unimplemented

Parameters
[in]ObjectTypeNameA Unicode string that points to the object type name.
[in]ObjectIf specified, the function will use this parameter to directly open the object.
[in]AbsoluteObjectNameIf specified, the function will use this parameter to directly open the object through the absolute name of the object.
[in]SecurityDescriptorA security descriptor.
[in]AccessStateAn access state right mask when opening the object.
[in]ObjectCreatedSet this to TRUE if the object has been fully created, FALSE otherwise.
[in]AccessGrantedSet this to TRUE if access was deemed as granted.
[in]AccessModeProcessor level access mode.
[out]GenerateOnCloseA boolean flag returned to the caller once audit generation procedure finishes.
Returns
Nothing.

Definition at line 1377 of file audit.c.

1387 {
1388  UNIMPLEMENTED;
1389 }
#define UNIMPLEMENTED
Definition: debug.h:115

◆ SepAccessCheckAndAuditAlarm()

_Must_inspect_result_ NTSTATUS NTAPI SepAccessCheckAndAuditAlarm ( _In_ PUNICODE_STRING  SubsystemName,
_In_opt_ PVOID  HandleId,
_In_ PHANDLE  ClientTokenHandle,
_In_ PUNICODE_STRING  ObjectTypeName,
_In_ PUNICODE_STRING  ObjectName,
_In_ PSECURITY_DESCRIPTOR  SecurityDescriptor,
_In_opt_ PSID  PrincipalSelfSid,
_In_ ACCESS_MASK  DesiredAccess,
_In_ AUDIT_EVENT_TYPE  AuditType,
_In_ ULONG  Flags,
_In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST  ObjectTypeList,
_In_ ULONG  ObjectTypeListLength,
_In_ PGENERIC_MAPPING  GenericMapping,
_Out_writes_(ObjectTypeListLength) PACCESS_MASK  GrantedAccessList,
_Out_writes_(ObjectTypeListLength) PNTSTATUS  AccessStatusList,
_Out_ PBOOLEAN  GenerateOnClose,
_In_ BOOLEAN  UseResultList 
)

Performs security auditing, if the specific object can be granted security access or not.

Parameters
[in]SubsystemNameA Unicode string that represents the name of a subsystem that actuates the auditing process.
[in]HandleIdA handle to an ID used to identify an object where auditing is to be done.
[in]SubjectContextSecurity subject context.
[in]ObjectTypeNameA Unicode string that represents the name of an object type.
[in]ObjectNameThe name of the object.
[in]SecurityDescriptorA security descriptor with internal security information details for audit.
[in]PrincipalSelfSidA principal self user SID.
[in]DesiredAccessThe desired access rights masks requested by the caller.
[in]AuditTypeType of audit to start. This parameter influences how an audit should be done.
[in]FlagsFlag bitmask parameter.
[in]HaveAuditPrivilegeIf set to TRUE, the security subject context has the audit privilege thus it is allowed the ability to perform the audit.
[in]ObjectTypeListA list of object types.
[in]ObjectTypeListLengthThe length size of the list.
[in]GenericMappingThe generic mapping table of access rights used whilst performing auditing sequence procedure.
[out]GrantedAccessListThis parameter is used to return to the caller a list of actual granted access rights masks that the audited object has.
[out]AccessStatusListThis parameter is used to return to the caller a list of status return codes. The function may actually return a single NTSTATUS code if the calling thread sets UseResultList parameter to FALSE.
[out]GenerateOnCloseReturns TRUE if the function has generated a list of granted access rights and status codes on termination, FALSE otherwise.
[in]UseResultListIf set to TRUE, the caller wants that the function should only return a single NTSTATUS code.
Returns
Returns STATUS_SUCCESS if the function has completed the whole internal auditing procedure mechanism with success. STATUS_INVALID_PARAMETER is returned if one of the parameters do not satisfy the general requirements by the function. STATUS_INSUFFICIENT_RESOURCES is returned if pool memory allocation has failed. STATUS_PRIVILEGE_NOT_HELD is returned if the current security subject context does not have the required audit privilege to actually perform auditing in the first place. STATUS_INVALID_SECURITY_DESCR is returned if the security descriptor provided by the caller is not valid, that is, such descriptor doesn't belong to the main user (owner) and current group. STATUS_GENERIC_NOT_MAPPED is returned if the access rights masks aren't actually mapped. A failure NTSTATUS code is returned otherwise.

Definition at line 715 of file audit.c.

733 {
735  ULONG ResultListLength;
736  GENERIC_MAPPING LocalGenericMapping;
737  PTOKEN SubjectContextToken, ClientToken;
738  BOOLEAN AllocatedResultLists;
739  BOOLEAN HaveAuditPrivilege;
740  PSECURITY_DESCRIPTOR CapturedSecurityDescriptor;
741  UNICODE_STRING CapturedSubsystemName, CapturedObjectTypeName, CapturedObjectName;
742  ACCESS_MASK GrantedAccess, *SafeGrantedAccessList;
743  NTSTATUS AccessStatus, *SafeAccessStatusList;
744  PSID CapturedPrincipalSelfSid;
745  POBJECT_TYPE_LIST CapturedObjectTypeList;
746  ULONG i;
747  BOOLEAN LocalGenerateOnClose;
749  PAGED_CODE();
750 
751  /* Only user mode is supported! */
753 
754  /* Start clean */
755  AllocatedResultLists = FALSE;
756  ClientToken = NULL;
757  CapturedSecurityDescriptor = NULL;
758  CapturedSubsystemName.Buffer = NULL;
759  CapturedObjectTypeName.Buffer = NULL;
760  CapturedObjectName.Buffer = NULL;
761  CapturedPrincipalSelfSid = NULL;
762  CapturedObjectTypeList = NULL;
763 
764  /* Validate AuditType */
765  if ((AuditType != AuditEventObjectAccess) &&
766  (AuditType != AuditEventDirectoryServiceAccess))
767  {
768  DPRINT1("Invalid audit type: %u\n", AuditType);
770  }
771 
772  /* Capture the security subject context */
774 
775  /* Did the caller pass a token handle? */
776  if (ClientTokenHandle == NULL)
777  {
778  /* Check if we have a token in the subject context */
779  if (SubjectContext.ClientToken == NULL)
780  {
782  DPRINT1("No token\n");
783  goto Cleanup;
784  }
785 
786  /* Check if we have a valid impersonation level */
787  if (SubjectContext.ImpersonationLevel < SecurityIdentification)
788  {
790  DPRINT1("Invalid impersonation level 0x%lx\n",
791  SubjectContext.ImpersonationLevel);
792  goto Cleanup;
793  }
794  }
795 
796  /* Are we using a result list? */
797  if (UseResultList)
798  {
799  /* The list length equals the object type list length */
800  ResultListLength = ObjectTypeListLength;
801  if ((ResultListLength == 0) || (ResultListLength > 0x1000))
802  {
804  DPRINT1("Invalid ResultListLength: 0x%lx\n", ResultListLength);
805  goto Cleanup;
806  }
807 
808  /* Allocate a safe buffer from paged pool */
809  SafeGrantedAccessList = ExAllocatePoolWithTag(PagedPool,
810  2 * ResultListLength * sizeof(ULONG),
811  TAG_SEPA);
812  if (SafeGrantedAccessList == NULL)
813  {
815  DPRINT1("Failed to allocate access lists\n");
816  goto Cleanup;
817  }
818 
819  SafeAccessStatusList = (PNTSTATUS)&SafeGrantedAccessList[ResultListLength];
820  AllocatedResultLists = TRUE;
821  }
822  else
823  {
824  /* List length is 1 */
825  ResultListLength = 1;
826  SafeGrantedAccessList = &GrantedAccess;
827  SafeAccessStatusList = &AccessStatus;
828  }
829 
830  _SEH2_TRY
831  {
832  /* Probe output buffers */
833  ProbeForWrite(AccessStatusList,
834  ResultListLength * sizeof(*AccessStatusList),
835  sizeof(*AccessStatusList));
836  ProbeForWrite(GrantedAccessList,
837  ResultListLength * sizeof(*GrantedAccessList),
838  sizeof(*GrantedAccessList));
839 
840  /* Probe generic mapping and make a local copy */
841  ProbeForRead(GenericMapping, sizeof(*GenericMapping), sizeof(ULONG));
842  LocalGenericMapping = * GenericMapping;
843  }
845  {
847  DPRINT1("Exception while probing parameters: 0x%lx\n", Status);
848  _SEH2_YIELD(goto Cleanup);
849  }
850  _SEH2_END;
851 
852  /* Do we have a client token? */
853  if (ClientTokenHandle != NULL)
854  {
855  /* Reference the client token */
856  Status = ObReferenceObjectByHandle(*ClientTokenHandle,
857  TOKEN_QUERY,
859  UserMode,
860  (PVOID*)&ClientToken,
861  NULL);
862  if (!NT_SUCCESS(Status))
863  {
864  DPRINT1("Failed to reference token handle %p: %lx\n",
865  *ClientTokenHandle, Status);
866  goto Cleanup;
867  }
868 
869  SubjectContextToken = SubjectContext.ClientToken;
870  SubjectContext.ClientToken = ClientToken;
871  }
872 
873  /* Check for audit privilege */
874  HaveAuditPrivilege = SeCheckAuditPrivilege(&SubjectContext, UserMode);
875  if (!HaveAuditPrivilege && !(Flags & AUDIT_ALLOW_NO_PRIVILEGE))
876  {
877  DPRINT1("Caller does not have SeAuditPrivilege\n");
879  goto Cleanup;
880  }
881 
882  /* Generic access must already be mapped to non-generic access types! */
884  {
885  DPRINT1("Generic access rights requested: 0x%lx\n", DesiredAccess);
887  goto Cleanup;
888  }
889 
890  /* Capture the security descriptor */
892  UserMode,
893  PagedPool,
894  FALSE,
895  &CapturedSecurityDescriptor);
896  if (!NT_SUCCESS(Status))
897  {
898  DPRINT1("Failed to capture security descriptor!\n");
899  goto Cleanup;
900  }
901 
902  /* Validate the Security descriptor */
903  if ((SepGetOwnerFromDescriptor(CapturedSecurityDescriptor) == NULL) ||
904  (SepGetGroupFromDescriptor(CapturedSecurityDescriptor) == NULL))
905  {
907  DPRINT1("Invalid security descriptor\n");
908  goto Cleanup;
909  }
910 
911  /* Probe and capture the subsystem name */
912  Status = ProbeAndCaptureUnicodeString(&CapturedSubsystemName,
913  UserMode,
914  SubsystemName);
915  if (!NT_SUCCESS(Status))
916  {
917  DPRINT1("Failed to capture subsystem name!\n");
918  goto Cleanup;
919  }
920 
921  /* Probe and capture the object type name */
922  Status = ProbeAndCaptureUnicodeString(&CapturedObjectTypeName,
923  UserMode,
925  if (!NT_SUCCESS(Status))
926  {
927  DPRINT1("Failed to capture object type name!\n");
928  goto Cleanup;
929  }
930 
931  /* Probe and capture the object name */
932  Status = ProbeAndCaptureUnicodeString(&CapturedObjectName,
933  UserMode,
934  ObjectName);
935  if (!NT_SUCCESS(Status))
936  {
937  DPRINT1("Failed to capture object name!\n");
938  goto Cleanup;
939  }
940 
941  /* Check if we have a PrincipalSelfSid */
942  if (PrincipalSelfSid != NULL)
943  {
944  /* Capture it */
945  Status = SepCaptureSid(PrincipalSelfSid,
946  UserMode,
947  PagedPool,
948  FALSE,
949  &CapturedPrincipalSelfSid);
950  if (!NT_SUCCESS(Status))
951  {
952  DPRINT1("Failed to capture PrincipalSelfSid!\n");
953  goto Cleanup;
954  }
955  }
956 
957  /* Capture the object type list */
958  Status = SeCaptureObjectTypeList(ObjectTypeList,
959  ObjectTypeListLength,
960  UserMode,
961  &CapturedObjectTypeList);
962  if (!NT_SUCCESS(Status))
963  {
964  DPRINT1("Failed to capture object type list!\n");
965  goto Cleanup;
966  }
967 
968  /* Call the worker routine with the captured buffers */
969  Status = SepAccessCheckAndAuditAlarmWorker(&CapturedSubsystemName,
970  HandleId,
972  &CapturedObjectTypeName,
973  &CapturedObjectName,
974  CapturedSecurityDescriptor,
975  CapturedPrincipalSelfSid,
977  AuditType,
978  HaveAuditPrivilege,
979  CapturedObjectTypeList,
980  ObjectTypeListLength,
981  &LocalGenericMapping,
982  SafeGrantedAccessList,
983  SafeAccessStatusList,
984  &LocalGenerateOnClose,
985  UseResultList);
986  if (!NT_SUCCESS(Status))
987  goto Cleanup;
988 
989  /* Enter SEH to copy the data back to user mode */
990  _SEH2_TRY
991  {
992  /* Loop all result entries (only 1 when no list was requested) */
993  ASSERT(UseResultList || (ResultListLength == 1));
994  for (i = 0; i < ResultListLength; i++)
995  {
996  AccessStatusList[i] = SafeAccessStatusList[i];
997  GrantedAccessList[i] = SafeGrantedAccessList[i];
998  }
999 
1000  *GenerateOnClose = LocalGenerateOnClose;
1001  }
1003  {
1005  DPRINT1("Exception while copying back data: 0x%lx\n", Status);
1006  }
1007  _SEH2_END;
1008 
1009 Cleanup:
1010 
1011  if (CapturedObjectTypeList != NULL)
1012  SeReleaseObjectTypeList(CapturedObjectTypeList, UserMode);
1013 
1014  if (CapturedPrincipalSelfSid != NULL)
1015  SepReleaseSid(CapturedPrincipalSelfSid, UserMode, FALSE);
1016 
1017  if (CapturedObjectName.Buffer != NULL)
1018  ReleaseCapturedUnicodeString(&CapturedObjectName, UserMode);
1019 
1020  if (CapturedObjectTypeName.Buffer != NULL)
1021  ReleaseCapturedUnicodeString(&CapturedObjectTypeName, UserMode);
1022 
1023  if (CapturedSubsystemName.Buffer != NULL)
1024  ReleaseCapturedUnicodeString(&CapturedSubsystemName, UserMode);
1025 
1026  if (CapturedSecurityDescriptor != NULL)
1027  SeReleaseSecurityDescriptor(CapturedSecurityDescriptor, UserMode, FALSE);
1028 
1029  if (ClientToken != NULL)
1030  {
1031  ObDereferenceObject(ClientToken);
1032  SubjectContext.ClientToken = SubjectContextToken;
1033  }
1034 
1035  if (AllocatedResultLists)
1036  ExFreePoolWithTag(SafeGrantedAccessList, TAG_SEPA);
1037 
1038  /* Release the security subject context */
1040 
1041  return Status;
1042 }
static __inline NTSTATUS ProbeAndCaptureUnicodeString(OUT PUNICODE_STRING Dest, IN KPROCESSOR_MODE CurrentMode, IN const UNICODE_STRING *UnsafeSrc)
Definition: probe.h:142
static POBJECTS_AND_NAME_A SE_OBJECT_TYPE LPSTR ObjectTypeName
Definition: security.c:77
* PNTSTATUS
Definition: strlen.c:14
#define STATUS_PRIVILEGE_NOT_HELD
Definition: DriverTester.h:9
_Inout_ PLIST_ENTRY _In_ PVOID _In_ PSTRING _In_ BOOLEAN _In_ BOOLEAN _In_ ULONG _In_ PFLT_CALLBACK_DATA _In_opt_ PCHECK_FOR_TRAVERSE_ACCESS _In_opt_ PSECURITY_SUBJECT_CONTEXT SubjectContext
Definition: fltkernel.h:2238
_Must_inspect_result_ _In_ WDFDEVICE _In_ ULONG _In_ ACCESS_MASK DesiredAccess
Definition: wdfdevice.h:2654
#define GENERIC_ALL
Definition: nt_native.h:92
#define STATUS_INVALID_SECURITY_DESCR
Definition: ntstatus.h:357
#define STATUS_BAD_IMPERSONATION_LEVEL
Definition: ntstatus.h:401
#define STATUS_INSUFFICIENT_RESOURCES
Definition: udferr_usr.h:158
static VOID SeReleaseObjectTypeList(_In_ _Post_invalid_ POBJECT_TYPE_LIST CapturedObjectTypeList, _In_ KPROCESSOR_MODE PreviousMode)
Releases a buffer list of object types.
Definition: audit.c:507
_In_ PSECURITY_SUBJECT_CONTEXT _In_ BOOLEAN _In_ ACCESS_MASK _In_ ACCESS_MASK _Outptr_opt_ PPRIVILEGE_SET _In_ PGENERIC_MAPPING _In_ KPROCESSOR_MODE _Out_ PACCESS_MASK _Out_ PNTSTATUS AccessStatus
Definition: sefuncs.h:13
#define TRUE
Definition: types.h:120
_In_ USHORT _In_ ULONG _In_ PSOCKADDR _In_ PSOCKADDR _Reserved_ ULONG _In_opt_ PVOID _In_opt_ const WSK_CLIENT_CONNECTION_DISPATCH _In_opt_ PEPROCESS _In_opt_ PETHREAD _In_opt_ PSECURITY_DESCRIPTOR SecurityDescriptor
Definition: wsk.h:182
#define STATUS_INVALID_PARAMETER
Definition: udferr_usr.h:135
NTSTATUS NTAPI SepCaptureSid(_In_ PSID InputSid, _In_ KPROCESSOR_MODE AccessMode, _In_ POOL_TYPE PoolType, _In_ BOOLEAN CaptureIfKernel, _Out_ PSID *CapturedSid)
Captures a SID.
Definition: sid.c:306
LONG NTSTATUS
Definition: precomp.h:26
KPROCESSOR_MODE NTAPI ExGetPreviousMode(VOID)
Definition: sysinfo.c:3070
FORCEINLINE PSID SepGetGroupFromDescriptor(_Inout_ PVOID _Descriptor)
Definition: se.h:39
static NTSTATUS SeCaptureObjectTypeList(_In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList, _In_ ULONG ObjectTypeListLength, _In_ KPROCESSOR_MODE PreviousMode, _Out_ POBJECT_TYPE_LIST *CapturedObjectTypeList)
Captures a list of object types.
Definition: audit.c:438
FORCEINLINE PSID SepGetOwnerFromDescriptor(_Inout_ PVOID _Descriptor)
Definition: se.h:59
_In_ PVOID _Out_opt_ PULONG_PTR _Outptr_opt_ PCUNICODE_STRING * ObjectName
Definition: cmfuncs.h:62
VOID NTAPI ProbeForWrite(IN PVOID Address, IN SIZE_T Length, IN ULONG Alignment)
Definition: exintrin.c:143
VOID NTAPI SepReleaseSid(_In_ PSID CapturedSid, _In_ KPROCESSOR_MODE AccessMode, _In_ BOOLEAN CaptureIfKernel)
Releases a captured SID.
Definition: sid.c:392
_SEH2_TRY
Definition: create.c:4226
NTSTATUS NTAPI ObReferenceObjectByHandle(IN HANDLE Handle, IN ACCESS_MASK DesiredAccess, IN POBJECT_TYPE ObjectType, IN KPROCESSOR_MODE AccessMode, OUT PVOID *Object, OUT POBJECT_HANDLE_INFORMATION HandleInformation OPTIONAL)
Definition: obref.c:494
#define FALSE
Definition: types.h:117
#define GENERIC_WRITE
Definition: nt_native.h:90
#define STATUS_GENERIC_NOT_MAPPED
Definition: ntstatus.h:466
unsigned char BOOLEAN
POBJECT_TYPE SeTokenObjectType
Definition: token.c:19
#define STATUS_NO_IMPERSONATION_TOKEN
Definition: ntstatus.h:328
Status
Definition: gdiplustypes.h:24
static __inline VOID ReleaseCapturedUnicodeString(IN PUNICODE_STRING CapturedString, IN KPROCESSOR_MODE CurrentMode)
Definition: probe.h:239
_Must_inspect_result_ _In_ ULONG Flags
Definition: wsk.h:170
#define TOKEN_QUERY
Definition: setypes.h:893
#define ASSERT(a)
Definition: mode.c:44
#define NT_SUCCESS(StatCode)
Definition: apphelp.c:32
#define EXCEPTION_EXECUTE_HANDLER
Definition: excpt.h:85
VOID NTAPI SeCaptureSubjectContext(_Out_ PSECURITY_SUBJECT_CONTEXT SubjectContext)
Captures the security subject context of the calling thread and calling process.
Definition: access.c:434
NTSTATUS NTAPI SeCaptureSecurityDescriptor(_In_ PSECURITY_DESCRIPTOR _OriginalSecurityDescriptor, _In_ KPROCESSOR_MODE CurrentMode, _In_ POOL_TYPE PoolType, _In_ BOOLEAN CaptureIfKernel, _Out_ PSECURITY_DESCRIPTOR *CapturedSecurityDescriptor)
Captures a security descriptor.
Definition: sd.c:362
#define ObDereferenceObject
Definition: obfuncs.h:203
_In_opt_ PVOID _In_opt_ PUNICODE_STRING _In_ PSECURITY_DESCRIPTOR _In_ PACCESS_STATE _In_ BOOLEAN _In_ BOOLEAN _In_ KPROCESSOR_MODE _In_opt_ GUID _Out_ PBOOLEAN GenerateOnClose
Definition: sefuncs.h:414
#define ExAllocatePoolWithTag(hernya, size, tag)
Definition: env_spec_w32.h:350
VOID NTAPI ProbeForRead(IN CONST VOID *Address, IN SIZE_T Length, IN ULONG Alignment)
Definition: exintrin.c:102
#define GENERIC_READ
Definition: compat.h:135
NTSTATUS NTAPI SeReleaseSecurityDescriptor(_In_ PSECURITY_DESCRIPTOR CapturedSecurityDescriptor, _In_ KPROCESSOR_MODE CurrentMode, _In_ BOOLEAN CaptureIfKernelMode)
Releases a captured security descriptor buffer.
Definition: sd.c:736
static const WCHAR Cleanup[]
Definition: register.c:80
static GENERIC_MAPPING GenericMapping
Definition: SeInheritance.c:11
_SEH2_END
Definition: create.c:4400
GLsizei GLenum const GLvoid GLsizei GLenum GLbyte GLbyte GLbyte GLdouble GLdouble GLdouble GLfloat GLfloat GLfloat GLint GLint GLint GLshort GLshort GLshort GLubyte GLubyte GLubyte GLuint GLuint GLuint GLushort GLushort GLushort GLbyte GLbyte GLbyte GLbyte GLdouble GLdouble GLdouble GLdouble GLfloat GLfloat GLfloat GLfloat GLint GLint GLint GLint GLshort GLshort GLshort GLshort GLubyte GLubyte GLubyte GLubyte GLuint GLuint GLuint GLuint GLushort GLushort GLushort GLushort GLboolean const GLdouble const GLfloat const GLint const GLshort const GLbyte const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLdouble const GLfloat const GLfloat const GLint const GLint const GLshort const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort GLenum GLenum GLenum GLfloat GLenum GLint GLenum GLenum GLenum GLfloat GLenum GLenum GLint GLenum GLfloat GLenum GLint GLint GLushort GLenum GLenum GLfloat GLenum GLenum GLint GLfloat const GLubyte GLenum GLenum GLenum const GLfloat GLenum GLenum const GLint GLenum GLint GLint GLsizei GLsizei GLint GLenum GLenum const GLvoid GLenum GLenum const GLfloat GLenum GLenum const GLint GLenum GLenum const GLdouble GLenum GLenum const GLfloat GLenum GLenum const GLint GLsizei GLuint GLfloat GLuint GLbitfield GLfloat GLint GLuint GLboolean GLenum GLfloat GLenum GLbitfield GLenum GLfloat GLfloat GLint GLint const GLfloat GLenum GLfloat GLfloat GLint GLint GLfloat GLfloat GLint GLint const GLfloat GLint GLfloat GLfloat GLint GLfloat GLfloat GLint GLfloat GLfloat const GLdouble const GLfloat const GLdouble const GLfloat GLint i
Definition: glfuncs.h:248
#define NULL
Definition: types.h:112
BOOLEAN NTAPI SeCheckAuditPrivilege(_In_ PSECURITY_SUBJECT_CONTEXT SubjectContext, _In_ KPROCESSOR_MODE PreviousMode)
Checks a single privilege and performs an audit against a privileged service based on a security subj...
Definition: priv.c:358
VOID NTAPI SeReleaseSubjectContext(_In_ PSECURITY_SUBJECT_CONTEXT SubjectContext)
Releases both the primary and client tokens of a security subject context.
Definition: access.c:520
#define DPRINT1
Definition: precomp.h:8
#define AUDIT_ALLOW_NO_PRIVILEGE
Definition: setypes.h:837
unsigned int ULONG
Definition: retypes.h:1
#define _SEH2_EXCEPT(...)
Definition: pseh2_64.h:40
static _Must_inspect_result_ NTSTATUS SepAccessCheckAndAuditAlarmWorker(_In_ PUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ PSECURITY_SUBJECT_CONTEXT SubjectContext, _In_ PUNICODE_STRING ObjectTypeName, _In_ PUNICODE_STRING ObjectName, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_opt_ PSID PrincipalSelfSid, _In_ ACCESS_MASK DesiredAccess, _In_ AUDIT_EVENT_TYPE AuditType, _In_ BOOLEAN HaveAuditPrivilege, _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList, _In_ ULONG ObjectTypeListLength, _In_ PGENERIC_MAPPING GenericMapping, _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccessList, _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatusList, _Out_ PBOOLEAN GenerateOnClose, _In_ BOOLEAN UseResultList)
Worker function that serves as the main heart and brain of the whole concept and implementation of au...
Definition: audit.c:590
#define TAG_SEPA
Definition: tag.h:179
#define _SEH2_GetExceptionCode()
Definition: pseh2_64.h:165
#define _SEH2_YIELD(__stmt)
Definition: pseh2_64.h:168
_In_ PSECURITY_SUBJECT_CONTEXT _In_ BOOLEAN _In_ ACCESS_MASK _In_ ACCESS_MASK _Outptr_opt_ PPRIVILEGE_SET _In_ PGENERIC_MAPPING _In_ KPROCESSOR_MODE _Out_ PACCESS_MASK GrantedAccess
Definition: sefuncs.h:13
#define GENERIC_EXECUTE
Definition: nt_native.h:91
#define ExFreePoolWithTag(_P, _T)
Definition: module.h:1099
ULONG ACCESS_MASK
Definition: nt_native.h:40
#define PAGED_CODE()

Referenced by NtAccessCheckAndAuditAlarm(), NtAccessCheckByTypeAndAuditAlarm(), NtAccessCheckByTypeResultListAndAuditAlarm(), and NtAccessCheckByTypeResultListAndAuditAlarmByHandle().

◆ SepAccessCheckAndAuditAlarmWorker()

static _Must_inspect_result_ NTSTATUS SepAccessCheckAndAuditAlarmWorker ( _In_ PUNICODE_STRING  SubsystemName,
_In_opt_ PVOID  HandleId,
_In_ PSECURITY_SUBJECT_CONTEXT  SubjectContext,
_In_ PUNICODE_STRING  ObjectTypeName,
_In_ PUNICODE_STRING  ObjectName,
_In_ PSECURITY_DESCRIPTOR  SecurityDescriptor,
_In_opt_ PSID  PrincipalSelfSid,
_In_ ACCESS_MASK  DesiredAccess,
_In_ AUDIT_EVENT_TYPE  AuditType,
_In_ BOOLEAN  HaveAuditPrivilege,
_In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST  ObjectTypeList,
_In_ ULONG  ObjectTypeListLength,
_In_ PGENERIC_MAPPING  GenericMapping,
_Out_writes_(ObjectTypeListLength) PACCESS_MASK  GrantedAccessList,
_Out_writes_(ObjectTypeListLength) PNTSTATUS  AccessStatusList,
_Out_ PBOOLEAN  GenerateOnClose,
_In_ BOOLEAN  UseResultList 
)
static

Worker function that serves as the main heart and brain of the whole concept and implementation of auditing in the kernel.

@unimplemented

Parameters
[in]SubsystemNameA Unicode string that represents the name of a subsystem that actuates the auditing process.
[in]HandleIdA handle to an ID used to identify an object where auditing is to be done.
[in]SubjectContextSecurity subject context.
[in]ObjectTypeNameA Unicode string that represents the name of an object type.
[in]ObjectNameThe name of the object.
[in]SecurityDescriptorA security descriptor with internal security information details for audit.
[in]PrincipalSelfSidA principal self user SID.
[in]DesiredAccessThe desired access rights masks requested by the caller.
[in]AuditTypeType of audit to start. This parameter influences how an audit should be done.
[in]HaveAuditPrivilegeIf set to TRUE, the security subject context has the audit privilege thus it is allowed the ability to perform the audit.
[in]ObjectTypeListA list of object types.
[in]ObjectTypeListLengthThe length size of the list.
[in]GenericMappingThe generic mapping table of access rights used whilst performing auditing sequence procedure.
[out]GrantedAccessListThis parameter is used to return to the caller a list of actual granted access rights masks that the audited object has.
[out]AccessStatusListThis parameter is used to return to the caller a list of status return codes. The function may actually return a single NTSTATUS code if the calling thread sets UseResultList parameter to FALSE.
[out]GenerateOnCloseReturns TRUE if the function has generated a list of granted access rights and status codes on termination, FALSE otherwise.
[in]UseResultListIf set to TRUE, the caller wants that the function should only return a single NTSTATUS code.
Returns
Returns STATUS_SUCCESS if the function has completed the whole internal auditing procedure mechanism with success.

FIXME: we should do some real work here...

HACK: we just pretend all access is granted!

Definition at line 590 of file audit.c.

608 {
609  ULONG ResultListLength, i;
610 
611  /* Get the length of the result list */
612  ResultListLength = UseResultList ? ObjectTypeListLength : 1;
613 
616 
618  for (i = 0; i < ResultListLength; i++)
619  {
620  GrantedAccessList[i] = DesiredAccess;
621  AccessStatusList[i] = STATUS_SUCCESS;
622  }
623 
625 
626  return STATUS_SUCCESS;
627 }
_Must_inspect_result_ _In_ WDFDEVICE _In_ ULONG _In_ ACCESS_MASK DesiredAccess
Definition: wdfdevice.h:2654
#define FALSE
Definition: types.h:117
_In_opt_ PVOID _In_opt_ PUNICODE_STRING _In_ PSECURITY_DESCRIPTOR _In_ PACCESS_STATE _In_ BOOLEAN _In_ BOOLEAN _In_ KPROCESSOR_MODE _In_opt_ GUID _Out_ PBOOLEAN GenerateOnClose
Definition: sefuncs.h:414
GLsizei GLenum const GLvoid GLsizei GLenum GLbyte GLbyte GLbyte GLdouble GLdouble GLdouble GLfloat GLfloat GLfloat GLint GLint GLint GLshort GLshort GLshort GLubyte GLubyte GLubyte GLuint GLuint GLuint GLushort GLushort GLushort GLbyte GLbyte GLbyte GLbyte GLdouble GLdouble GLdouble GLdouble GLfloat GLfloat GLfloat GLfloat GLint GLint GLint GLint GLshort GLshort GLshort GLshort GLubyte GLubyte GLubyte GLubyte GLuint GLuint GLuint GLuint GLushort GLushort GLushort GLushort GLboolean const GLdouble const GLfloat const GLint const GLshort const GLbyte const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLdouble const GLfloat const GLfloat const GLint const GLint const GLshort const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort GLenum GLenum GLenum GLfloat GLenum GLint GLenum GLenum GLenum GLfloat GLenum GLenum GLint GLenum GLfloat GLenum GLint GLint GLushort GLenum GLenum GLfloat GLenum GLenum GLint GLfloat const GLubyte GLenum GLenum GLenum const GLfloat GLenum GLenum const GLint GLenum GLint GLint GLsizei GLsizei GLint GLenum GLenum const GLvoid GLenum GLenum const GLfloat GLenum GLenum const GLint GLenum GLenum const GLdouble GLenum GLenum const GLfloat GLenum GLenum const GLint GLsizei GLuint GLfloat GLuint GLbitfield GLfloat GLint GLuint GLboolean GLenum GLfloat GLenum GLbitfield GLenum GLfloat GLfloat GLint GLint const GLfloat GLenum GLfloat GLfloat GLint GLint GLfloat GLfloat GLint GLint const GLfloat GLint GLfloat GLfloat GLint GLfloat GLfloat GLint GLfloat GLfloat const GLdouble const GLfloat const GLdouble const GLfloat GLint i
Definition: glfuncs.h:248
unsigned int ULONG
Definition: retypes.h:1
#define UNIMPLEMENTED
Definition: debug.h:115
#define STATUS_SUCCESS
Definition: shellext.h:65

Referenced by SepAccessCheckAndAuditAlarm().

◆ SepAdtCloseObjectAuditAlarm()

VOID NTAPI SepAdtCloseObjectAuditAlarm ( _In_ PUNICODE_STRING  SubsystemName,
_In_ PVOID  HandleId,
_In_ PSID  Sid 
)

Closes an audit alarm event of an object.

Parameters
[in]SubsystemNameA Unicode string pointing to the name of the subsystem where auditing alarm event has to be closed.
[in]HandleIdA handle to an ID where such ID represents the identification of the object where audit alarm is to be closed.
[in]SidA SID that represents the user who attempted to close the audit alarm.
Returns
Nothing.

Definition at line 287 of file audit.c.

291 {
293 }
#define UNIMPLEMENTED
Definition: debug.h:115

Referenced by NtCloseObjectAuditAlarm().

◆ SepAdtPrivilegedServiceAuditAlarm()

VOID NTAPI SepAdtPrivilegedServiceAuditAlarm ( _In_ PSECURITY_SUBJECT_CONTEXT  SubjectContext,
_In_opt_ PUNICODE_STRING  SubsystemName,
_In_opt_ PUNICODE_STRING  ServiceName,
_In_ PTOKEN  Token,
_In_ PTOKEN  PrimaryToken,
_In_ PPRIVILEGE_SET  Privileges,
_In_ BOOLEAN  AccessGranted 
)

Performs an audit alarm to a privileged service request. This is a worker function.

Parameters
[in]SubjectContextA security subject context used for the auditing process.
[in]SubsystemNameA Unicode string that represents the name of a subsystem that actuated the procedure of alarm auditing of a privileged service.
[in]ServiceNameA Unicode string that represents the name of a privileged service request for auditing.
[in]TokenAn access token.
[in]PrimaryTokenA primary access token.
[in]PrivilegesAn array set of privileges used to check if the privileged service does actually have all the required set of privileges for security access.
[in]AccessGrantedWhen auditing is done, the function will return TRUE to the caller if access is granted, FALSE otherwise.
Returns
Nothing.

Definition at line 332 of file audit.c.

340 {
341  DPRINT("SepAdtPrivilegedServiceAuditAlarm is unimplemented\n");
342 }
#define DPRINT
Definition: sndvol32.h:71

Referenced by NtPrivilegedServiceAuditAlarm(), and SePrivilegedServiceAuditAlarm().

◆ SepOpenObjectAuditAlarm()

VOID NTAPI SepOpenObjectAuditAlarm ( _In_ PSECURITY_SUBJECT_CONTEXT  SubjectContext,
_In_ PUNICODE_STRING  SubsystemName,
_In_opt_ PVOID  HandleId,
_In_ PUNICODE_STRING  ObjectTypeName,
_In_ PUNICODE_STRING  ObjectName,
_In_opt_ PSECURITY_DESCRIPTOR  SecurityDescriptor,
_In_ PTOKEN  ClientToken,
_In_ ACCESS_MASK  DesiredAccess,
_In_ ACCESS_MASK  GrantedAccess,
_In_opt_ PPRIVILEGE_SET  Privileges,
_In_ BOOLEAN  ObjectCreation,
_In_ BOOLEAN  AccessGranted,
_Out_ PBOOLEAN  GenerateOnClose 
)

Raises an alarm audit message when an object is about to be opened.

@unimplemented

Parameters
[in]SubjectContextA security subject context for auditing.
[in]SubsystemNameA Unicode string that points to a name of the subsystem.
[in]HandleIdA handle to an ID used for identification instance for auditing.
[in]ObjectTypeNameA Unicode string that points to an object type name.
[in]ObjectNameThe name of the object.
[in]SecurityDescriptorA security descriptor.
[in]ClientTokenA client access token, representing the client we want to impersonate.
[in]DesiredAccessThe desired access rights masks requested by the caller.
[in]GrantedAccessThe granted access mask rights.
[in]PrivilegesIf specified, the function will use this set of privileges to audit.
[in]ObjectCreationSet this to TRUE if the object has just been created.
[in]AccessGrantedSet this to TRUE if the access attempt was deemed as granted.
[out]GenerateOnCloseA boolean flag returned to the caller once audit generation procedure finishes.
Returns
Nothing.

Definition at line 1636 of file audit.c.

1650 {
1652  DBG_UNREFERENCED_PARAMETER(SubsystemName);
1653  DBG_UNREFERENCED_PARAMETER(HandleId);
1657  DBG_UNREFERENCED_PARAMETER(ClientToken);
1661  DBG_UNREFERENCED_PARAMETER(ObjectCreation);
1663  UNIMPLEMENTED;
1665 }
static POBJECTS_AND_NAME_A SE_OBJECT_TYPE LPSTR ObjectTypeName
Definition: security.c:77
_Inout_ PLIST_ENTRY _In_ PVOID _In_ PSTRING _In_ BOOLEAN _In_ BOOLEAN _In_ ULONG _In_ PFLT_CALLBACK_DATA _In_opt_ PCHECK_FOR_TRAVERSE_ACCESS _In_opt_ PSECURITY_SUBJECT_CONTEXT SubjectContext
Definition: fltkernel.h:2238
_Must_inspect_result_ _In_ WDFDEVICE _In_ ULONG _In_ ACCESS_MASK DesiredAccess
Definition: wdfdevice.h:2654
_In_ USHORT _In_ ULONG _In_ PSOCKADDR _In_ PSOCKADDR _Reserved_ ULONG _In_opt_ PVOID _In_opt_ const WSK_CLIENT_CONNECTION_DISPATCH _In_opt_ PEPROCESS _In_opt_ PETHREAD _In_opt_ PSECURITY_DESCRIPTOR SecurityDescriptor
Definition: wsk.h:182
#define DBG_UNREFERENCED_PARAMETER(P)
Definition: ntbasedef.h:318
_In_ PVOID _Out_opt_ PULONG_PTR _Outptr_opt_ PCUNICODE_STRING * ObjectName
Definition: cmfuncs.h:62
#define FALSE
Definition: types.h:117
_In_opt_ PVOID _In_opt_ PUNICODE_STRING _In_ PSECURITY_DESCRIPTOR _In_ PACCESS_STATE _In_ BOOLEAN _In_ BOOLEAN _In_ KPROCESSOR_MODE _In_opt_ GUID _Out_ PBOOLEAN GenerateOnClose
Definition: sefuncs.h:414
_In_ PSECURITY_SUBJECT_CONTEXT _In_ BOOLEAN _In_ ACCESS_MASK _In_ ACCESS_MASK _Outptr_opt_ PPRIVILEGE_SET * Privileges
Definition: sefuncs.h:13
_In_opt_ PVOID _In_opt_ PUNICODE_STRING _In_ PSECURITY_DESCRIPTOR _In_ PACCESS_STATE _In_ BOOLEAN _In_ BOOLEAN AccessGranted
Definition: sefuncs.h:414
#define UNIMPLEMENTED
Definition: debug.h:115
_In_ PSECURITY_SUBJECT_CONTEXT _In_ BOOLEAN _In_ ACCESS_MASK _In_ ACCESS_MASK _Outptr_opt_ PPRIVILEGE_SET _In_ PGENERIC_MAPPING _In_ KPROCESSOR_MODE _Out_ PACCESS_MASK GrantedAccess
Definition: sefuncs.h:13

Referenced by NtOpenObjectAuditAlarm().

◆ SePrivilegedServiceAuditAlarm()

VOID NTAPI SePrivilegedServiceAuditAlarm ( _In_opt_ PUNICODE_STRING  ServiceName,
_In_ PSECURITY_SUBJECT_CONTEXT  SubjectContext,
_In_ PPRIVILEGE_SET  PrivilegeSet,
_In_ BOOLEAN  AccessGranted 
)

Performs an audit alarm to a privileged service request.

Parameters
[in]ServiceNameA Unicode string that represents the name of a privileged service request for auditing.
[in]SubjectContextA security subject context used for the auditing process.
[in]PrivilegeSetAn array set of privileges used to check if the privileged service does actually have all the required set of privileges for security access.
[in]AccessGrantedWhen auditing is done, the function will return TRUE to the caller if access is granted, FALSE otherwise.
Returns
Nothing.

Definition at line 369 of file audit.c.

374 {
375  PTOKEN EffectiveToken;
376  PSID UserSid;
377  PAGED_CODE();
378 
379  /* Get the effective token */
380  if (SubjectContext->ClientToken != NULL)
381  EffectiveToken = SubjectContext->ClientToken;
382  else
383  EffectiveToken = SubjectContext->PrimaryToken;
384 
385  /* Get the user SID */
386  UserSid = EffectiveToken->UserAndGroups->Sid;
387 
388  /* Check if this is the local system SID */
389  if (RtlEqualSid(UserSid, SeLocalSystemSid))
390  {
391  /* Nothing to do */
392  return;
393  }
394 
395  /* Check if this is the network service or local service SID */
396  if (RtlEqualSid(UserSid, SeExports->SeNetworkServiceSid) ||
398  {
399  // FIXME: should continue for a certain set of privileges
400  return;
401  }
402 
403  /* Call the worker function */
406  ServiceName,
407  SubjectContext->ClientToken,
408  SubjectContext->PrimaryToken,
409  PrivilegeSet,
410  AccessGranted);
411 
412 }
_Inout_ PLIST_ENTRY _In_ PVOID _In_ PSTRING _In_ BOOLEAN _In_ BOOLEAN _In_ ULONG _In_ PFLT_CALLBACK_DATA _In_opt_ PCHECK_FOR_TRAVERSE_ACCESS _In_opt_ PSECURITY_SUBJECT_CONTEXT SubjectContext
Definition: fltkernel.h:2238
VOID NTAPI SepAdtPrivilegedServiceAuditAlarm(_In_ PSECURITY_SUBJECT_CONTEXT SubjectContext, _In_opt_ PUNICODE_STRING SubsystemName, _In_opt_ PUNICODE_STRING ServiceName, _In_ PTOKEN Token, _In_ PTOKEN PrimaryToken, _In_ PPRIVILEGE_SET Privileges, _In_ BOOLEAN AccessGranted)
Performs an audit alarm to a privileged service request. This is a worker function.
Definition: audit.c:332
PSE_EXPORTS SeExports
Definition: semgr.c:21
PSID SeNetworkServiceSid
Definition: setypes.h:1209
LPTSTR ServiceName
Definition: ServiceMain.c:15
PSID SeLocalServiceSid
Definition: setypes.h:1208
_In_opt_ PVOID _In_opt_ PUNICODE_STRING _In_ PSECURITY_DESCRIPTOR _In_ PACCESS_STATE _In_ BOOLEAN _In_ BOOLEAN AccessGranted
Definition: sefuncs.h:414
UNICODE_STRING SeSubsystemName
Definition: audit.c:17
#define NULL
Definition: types.h:112
PSID SeLocalSystemSid
Definition: sid.c:36
PSID_AND_ATTRIBUTES UserAndGroups
Definition: setypes.h:215
NTSYSAPI BOOLEAN NTAPI RtlEqualSid(_In_ PSID Sid1, _In_ PSID Sid2)
#define PAGED_CODE()

Referenced by SeCheckAuditPrivilege(), and SeSinglePrivilegeCheck().

◆ SePrivilegeObjectAuditAlarm()

VOID NTAPI SePrivilegeObjectAuditAlarm ( _In_ HANDLE  Handle,
_In_ PSECURITY_SUBJECT_CONTEXT  SubjectContext,
_In_ ACCESS_MASK  DesiredAccess,
_In_ PPRIVILEGE_SET  Privileges,
_In_ BOOLEAN  AccessGranted,
_In_ KPROCESSOR_MODE  CurrentMode 
)

Raises an audit with alarm notification message when an object tries to acquire this privilege.

@unimplemented

Parameters
[in]HandleA handle to an object.
[in]SubjectContextThe security subject context for auditing.
[in]DesiredAccessThe desired right access masks requested by the caller.
[in]PrivilegesAn array set of privileges for auditing.
[out]AccessGrantedWhen the auditing procedure routine ends, it returns TRUE to the caller if the object has the required privileges for access, FALSE otherwise.
[in]CurrentModeProcessor level access mode.
Returns
Nothing.

Definition at line 1422 of file audit.c.

1429 {
1430  UNIMPLEMENTED;
1431 }
#define UNIMPLEMENTED
Definition: debug.h:115

Referenced by HasPrivilege(), ObpCreateHandle(), and SeCheckPrivilegedObject().

◆ SeReleaseObjectTypeList()

static VOID SeReleaseObjectTypeList ( _In_ _Post_invalid_ POBJECT_TYPE_LIST  CapturedObjectTypeList,
_In_ KPROCESSOR_MODE  PreviousMode 
)
static

Releases a buffer list of object types.

Parameters
[in]CapturedObjectTypeListA list of object types to free.
[in]PreviousModeProcessor access level mode.
Returns
Nothing.

Definition at line 507 of file audit.c.

510 {
511  if ((PreviousMode != KernelMode) && (CapturedObjectTypeList != NULL))
512  ExFreePoolWithTag(CapturedObjectTypeList, TAG_SEPA);
513 }
_In_ KPROCESSOR_MODE PreviousMode
Definition: sefuncs.h:103
#define NULL
Definition: types.h:112
#define TAG_SEPA
Definition: tag.h:179
#define ExFreePoolWithTag(_P, _T)
Definition: module.h:1099

Referenced by SepAccessCheckAndAuditAlarm().

Variable Documentation

◆ SeSubsystemName

UNICODE_STRING SeSubsystemName = RTL_CONSTANT_STRING(L"Security")

Definition at line 17 of file audit.c.

Referenced by SePrivilegedServiceAuditAlarm().