1 /*
2  * COPYRIGHT: See COPYING in the top level directory
3  * PROJECT: ReactOS kernel
4  * FILE: ntoskrnl/se/audit.c
5  * PURPOSE: Audit functions
6  *
7  * PROGRAMMERS: Eric Kohl
8  * Timo Kreuzer (timo.kreuzer@reactos.org)
9  */
10 
11 /* INCLUDES *******************************************************************/
12 
13 #include <ntoskrnl.h>
14 #define NDEBUG
15 #include <debug.h>
16 
17 #define SEP_PRIVILEGE_SET_MAX_COUNT 60
18 
20 
21 /* PRIVATE FUNCTIONS***********************************************************/
22 
23 BOOLEAN
24 NTAPI
26 {
27  /* FIXME */
28  return FALSE;
29 }
30 
31 VOID
32 NTAPI
34 {
35  /* FIXME */
36 }
37 
38 VOID
39 NTAPI
41 {
42  /* FIXME */
43 }
44 
46 NTAPI
48  IN BOOLEAN DoAudit,
49  OUT POBJECT_NAME_INFORMATION *AuditInfo)
50 {
51  OBJECT_NAME_INFORMATION LocalNameInfo;
52  POBJECT_NAME_INFORMATION ObjectNameInfo = NULL;
53  ULONG ReturnLength = 8;
55 
56  PAGED_CODE();
57  ASSERT(AuditInfo);
58 
59  /* Check if we should do auditing */
60  if (DoAudit)
61  {
62  /* FIXME: TODO */
63  }
64 
65  /* Now query the name */
67  &LocalNameInfo,
68  sizeof(LocalNameInfo),
69  &ReturnLength);
70  if (((Status == STATUS_BUFFER_OVERFLOW) ||
73  (ReturnLength != sizeof(LocalNameInfo)))
74  {
75  /* Allocate required size */
76  ObjectNameInfo = ExAllocatePoolWithTag(NonPagedPool,
78  TAG_SEPA);
79  if (ObjectNameInfo)
80  {
81  /* Query the name again */
83  ObjectNameInfo,
85  &ReturnLength);
86  }
87  }
88 
89  /* Check if we got here due to failure */
90  if ((ObjectNameInfo) &&
91  (!(NT_SUCCESS(Status)) || (ReturnLength == sizeof(LocalNameInfo))))
92  {
93  /* First, free any buffer we might've allocated */
94  ASSERT(FALSE);
95  if (ObjectNameInfo) ExFreePool(ObjectNameInfo);
96 
97  /* Now allocate a temporary one */
99  ObjectNameInfo = ExAllocatePoolWithTag(NonPagedPool,
100  sizeof(OBJECT_NAME_INFORMATION),
101  TAG_SEPA);
102  if (ObjectNameInfo)
103  {
104  /* Clear it */
105  RtlZeroMemory(ObjectNameInfo, ReturnLength);
107  }
108  }
109 
110  /* Check if memory allocation failed */
111  if (!ObjectNameInfo) Status = STATUS_NO_MEMORY;
112 
113  /* Return the audit name */
114  *AuditInfo = ObjectNameInfo;
115 
116  /* Return status */
117  return Status;
118 }
119 
120 NTSTATUS
121 NTAPI
123  OUT PUNICODE_STRING *ProcessImageName)
124 {
125  POBJECT_NAME_INFORMATION AuditName;
129 
130  PAGED_CODE();
131 
132  /* Assume failure */
133  *ProcessImageName = NULL;
134 
135  /* Check if we have audit info */
136  AuditName = Process->SeAuditProcessCreationInfo.ImageFileName;
137  if (!AuditName)
138  {
139  /* Get the file object */
141  if (!NT_SUCCESS(Status)) return Status;
142 
143  /* Initialize the audit structure */
145  if (NT_SUCCESS(Status))
146  {
147  /* Set it */
149  SeAuditProcessCreationInfo.ImageFileName,
150  AuditName,
151  NULL))
152  {
153  /* Someone beat us to it, deallocate our copy */
154  ExFreePool(AuditName);
155  }
156  }
157 
158  /* Dereference the file object */
160  if (!NT_SUCCESS(Status)) return Status;
161  }
162 
163  /* Get audit info again, now we have it for sure */
164  AuditName = Process->SeAuditProcessCreationInfo.ImageFileName;
165 
166  /* Allocate the output string */
168  AuditName->Name.MaximumLength +
169  sizeof(UNICODE_STRING),
170  TAG_SEPA);
171  if (!ImageName) return STATUS_NO_MEMORY;
172 
173  /* Make a copy of it */
175  &AuditName->Name,
176  AuditName->Name.MaximumLength + sizeof(UNICODE_STRING));
177 
178  /* Fix up the buffer */
179  ImageName->Buffer = (PWSTR)(ImageName + 1);
180 
181  /* Return it */
182  *ProcessImageName = ImageName;
183 
184  /* Return status */
185  return Status;
186 }
187 
188 VOID
189 NTAPI
191  PUNICODE_STRING SubsystemName,
192  PVOID HandleId,
193  PSID Sid)
194 {
196 }
197 
198 VOID
199 NTAPI
202  _In_opt_ PUNICODE_STRING SubsystemName,
204  _In_ PTOKEN Token,
205  _In_ PTOKEN PrimaryToken,
208 {
209  DPRINT("SepAdtPrivilegedServiceAuditAlarm is unimplemented\n");
210 }
211 
/*
 * SePrivilegedServiceAuditAlarm
 *
 * Kernel-side entry for auditing the use of a privilege by a service.
 * The identity being audited is the subject's client (impersonation) token
 * when one is present, otherwise its primary token. Actions by the LOCAL
 * SYSTEM account are never audited here; the service accounts are currently
 * skipped as well (see the FIXME below), after which the request is handed
 * to the Adt worker, which at this revision is still a stub that only
 * prints a debug message.
 */
212 VOID
213 NTAPI
217  _In_ PPRIVILEGE_SET PrivilegeSet,
219 {
220  PTOKEN EffectiveToken;
221  PSID UserSid;
222  PAGED_CODE();
223 
224  /* Get the effective token */
 /* A client token, when set, is the identity the subject is acting as. */
225  if (SubjectContext->ClientToken != NULL)
226  EffectiveToken = SubjectContext->ClientToken;
227  else
228  EffectiveToken = SubjectContext->PrimaryToken;
229 
230  /* Get the user SID */
 /* UserAndGroups[0] is the user entry of the token's SID array. */
231  UserSid = EffectiveToken->UserAndGroups->Sid;
232 
233  /* Check if this is the local system SID */
234  if (RtlEqualSid(UserSid, SeLocalSystemSid))
235  {
236  /* Nothing to do */
237  return;
238  }
239 
240  /* Check if this is the network service or local service SID */
241  if (RtlEqualSid(UserSid, SeExports->SeNetworkServiceSid) ||
243  {
244  // FIXME: should continue for a certain set of privileges
 /* Until the FIXME above is addressed, privilege use by the service
  * accounts produces no audit trail at all; keep that in mind when
  * reading audit logs generated by this build. */
245  return;
246  }
247 
248  /* Call the worker function */
 /* Presumably SepAdtPrivilegedServiceAuditAlarm (the argument list matches
  * its parameters); both tokens are passed so the worker can report the
  * impersonating and the primary identity separately. */
251  ServiceName,
252  SubjectContext->ClientToken,
253  SubjectContext->PrimaryToken,
254  PrivilegeSet,
255  AccessGranted);
256 
257 }
258 
259 
/*
 * SeCaptureObjectTypeList
 *
 * Copies a user-mode OBJECT_TYPE_LIST of ObjectTypeListLength entries into a
 * fresh paged-pool buffer so that nothing downstream reads the caller's
 * memory again. On success *CapturedObjectTypeList owns the copy (NULL when
 * ObjectTypeListLength is 0) and must be returned through
 * SeReleaseObjectTypeList with the same PreviousMode. Kernel-mode callers
 * are rejected with STATUS_NOT_IMPLEMENTED. The guard bodies for a NULL
 * list with a non-zero length, a zero computed size and an allocation
 * failure each end the call early (confirm the status each one returns);
 * a fault while reading the user buffer frees the copy and resets the
 * out-pointer to NULL before the exception status is returned.
 */
260 static
261 NTSTATUS
263  _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList,
264  _In_ ULONG ObjectTypeListLength,
266  _Out_ POBJECT_TYPE_LIST *CapturedObjectTypeList)
267 {
268  SIZE_T Size;
269 
 /* No capture is ever made for kernel callers, which is why the release
  * routine also skips the free for KernelMode. */
270  if (PreviousMode == KernelMode)
271  {
272  return STATUS_NOT_IMPLEMENTED;
273  }
274 
275  if (ObjectTypeListLength == 0)
276  {
277  *CapturedObjectTypeList = NULL;
278  return STATUS_SUCCESS;
279  }
280 
281  if (ObjectTypeList == NULL)
282  {
284  }
285 
286  /* Calculate the list size and check for integer overflow */
 /* NOTE(review): "Size == 0" only detects a product that wrapped to exactly
  * zero. ObjectTypeListLength is a ULONG; on a target where SIZE_T is also
  * 32 bits a large count can wrap to a small non-zero Size. Allocation,
  * probe and copy below all use that same Size, so they stay consistent
  * with each other, but ObjectTypeListLength (still the caller's value) is
  * forwarded to the worker describing far more entries than were captured.
  * An overflow-checked multiply (ntintsafe's RtlSIZETMult) or an explicit
  * upper bound on the count would make the comment above true. */
287  Size = ObjectTypeListLength * sizeof(OBJECT_TYPE_LIST);
288  if (Size == 0)
289  {
291  }
292 
293  /* Allocate a new list */
294  *CapturedObjectTypeList = ExAllocatePoolWithTag(PagedPool, Size, TAG_SEPA);
295  if (*CapturedObjectTypeList == NULL)
296  {
298  }
299 
 /* Probe and copy under SEH. The user buffer is read exactly once into the
  * kernel copy, so later consumers cannot be raced by the caller rewriting
  * entries. Entries are copied verbatim: the GUID pointer an OBJECT_TYPE_LIST
  * entry carries still refers to user memory and must be probed by whoever
  * dereferences it. */
300  _SEH2_TRY
301  {
302  ProbeForRead(ObjectTypeList, Size, sizeof(ULONG));
303  RtlCopyMemory(*CapturedObjectTypeList, ObjectTypeList, Size);
304  }
306  {
 /* Undo the allocation so the caller's cleanup sees a NULL pointer. */
307  ExFreePoolWithTag(*CapturedObjectTypeList, TAG_SEPA);
308  *CapturedObjectTypeList = NULL;
310  }
311  _SEH2_END;
312 
313  return STATUS_SUCCESS;
314 }
315 
/*
 * SeReleaseObjectTypeList
 *
 * Counterpart of SeCaptureObjectTypeList: frees the paged-pool copy, but
 * only when one was actually made, i.e. for a user-mode PreviousMode and a
 * non-NULL pointer. The capture never allocates for KernelMode, so the mode
 * test here is what keeps the pair symmetric; the same PreviousMode that was
 * passed to the capture must be passed here.
 */
316 static
317 VOID
319  _In_ _Post_invalid_ POBJECT_TYPE_LIST CapturedObjectTypeList,
321 {
322  if ((PreviousMode != KernelMode) && (CapturedObjectTypeList != NULL))
323  ExFreePoolWithTag(CapturedObjectTypeList, TAG_SEPA);
324 }
325 
/*
 * SepAccessCheckAndAuditAlarmWorker
 *
 * Placeholder for the real access check and audit generation. As written,
 * the only work is the loop below: every result slot receives DesiredAccess
 * and STATUS_SUCCESS, i.e. access is unconditionally reported as granted.
 * The security descriptor, the principal-self SID, the audit type, the
 * HaveAuditPrivilege flag, the captured object type list and the generic
 * mapping are all accepted but not consulted here. Callers (ultimately the
 * user-mode side of the NtAccessCheck*AndAuditAlarm system calls) must not
 * treat these results as an authoritative access decision until this is
 * implemented. Always returns STATUS_SUCCESS.
 */
327 static
328 NTSTATUS
330  _In_ PUNICODE_STRING SubsystemName,
331  _In_opt_ PVOID HandleId,
336  _In_opt_ PSID PrincipalSelfSid,
338  _In_ AUDIT_EVENT_TYPE AuditType,
339  _In_ BOOLEAN HaveAuditPrivilege,
340  _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList,
341  _In_ ULONG ObjectTypeListLength,
343  _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccessList,
344  _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatusList,
346  _In_ BOOLEAN UseResultList)
347 {
348  ULONG ResultListLength, i;
349 
350  /* Get the length of the result list */
 /* Must match what the caller allocated: ObjectTypeListLength slots when a
  * result list was requested, otherwise a single slot. */
351  ResultListLength = UseResultList ? ObjectTypeListLength : 1;
352 
355 
 /* Stub behaviour: grant everything that was asked for. */
357  for (i = 0; i < ResultListLength; i++)
358  {
359  GrantedAccessList[i] = DesiredAccess;
360  AccessStatusList[i] = STATUS_SUCCESS;
361  }
362 
364 
365  return STATUS_SUCCESS;
366 }
367 
/*
 * SepAccessCheckAndAuditAlarm
 *
 * Common back end of the four NtAccessCheck*AndAuditAlarm system calls.
 * Every input that comes from user mode is validated and copied into kernel
 * memory before it is used (names, security descriptor, principal-self SID,
 * object type list, generic mapping); the results are first produced in
 * kernel-side buffers and only copied back to the caller, under SEH, at the
 * very end.
 *
 * Rules enforced here, in this order: AuditType must be an object-access or
 * directory-service-access event; without an explicit token handle the
 * caller must be impersonating at SecurityIdentification or above; a result
 * list must hold 1..0x1000 entries; the caller needs SeAuditPrivilege unless
 * AUDIT_ALLOW_NO_PRIVILEGE is set in Flags; DesiredAccess must already be
 * mapped (no generic rights); the descriptor must carry an owner and a group.
 *
 * ClientTokenHandle, when not NULL, points at a kernel copy of the handle
 * value (the ByHandle wrapper passes the address of its own parameter), so
 * it is dereferenced without probing; the handle value itself is resolved
 * with ObReferenceObjectByHandle in UserMode and temporarily installed as
 * the subject's client token for the privilege check.
 *
 * Returns the status of the first failing step, otherwise the status of the
 * copy-back. The worker's own status is not propagated (see the note at the
 * call site).
 */
369 NTSTATUS
370 NTAPI
372  _In_ PUNICODE_STRING SubsystemName,
373  _In_opt_ PVOID HandleId,
374  _In_ PHANDLE ClientTokenHandle,
378  _In_opt_ PSID PrincipalSelfSid,
380  _In_ AUDIT_EVENT_TYPE AuditType,
381  _In_ ULONG Flags,
382  _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList,
383  _In_ ULONG ObjectTypeListLength,
385  _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccessList,
386  _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatusList,
388  _In_ BOOLEAN UseResultList)
389 {
391  ULONG ResultListLength;
392  GENERIC_MAPPING LocalGenericMapping;
393  PTOKEN SubjectContextToken, ClientToken;
394  BOOLEAN AllocatedResultLists;
395  BOOLEAN HaveAuditPrivilege;
396  PSECURITY_DESCRIPTOR CapturedSecurityDescriptor;
397  UNICODE_STRING CapturedSubsystemName, CapturedObjectTypeName, CapturedObjectName;
 /* GrantedAccess / AccessStatus back the single-result case so no pool
  * allocation is needed when UseResultList is FALSE. */
398  ACCESS_MASK GrantedAccess, *SafeGrantedAccessList;
399  NTSTATUS AccessStatus, *SafeAccessStatusList;
400  PSID CapturedPrincipalSelfSid;
401  POBJECT_TYPE_LIST CapturedObjectTypeList;
402  ULONG i;
403  BOOLEAN LocalGenerateOnClose;
405  PAGED_CODE();
406 
407  /* Only user mode is supported! */
409 
410  /* Start clean */
 /* Every captured pointer is NULL-initialized so that any "goto Cleanup"
  * below can release unconditionally. */
411  AllocatedResultLists = FALSE;
412  ClientToken = NULL;
413  CapturedSecurityDescriptor = NULL;
414  CapturedSubsystemName.Buffer = NULL;
415  CapturedObjectTypeName.Buffer = NULL;
416  CapturedObjectName.Buffer = NULL;
417  CapturedPrincipalSelfSid = NULL;
418  CapturedObjectTypeList = NULL;
419 
420  /* Validate AuditType */
421  if ((AuditType != AuditEventObjectAccess) &&
422  (AuditType != AuditEventDirectoryServiceAccess))
423  {
424  DPRINT1("Invalid audit type: %u\n", AuditType);
426  }
427 
428  /* Capture the security subject context */
430 
431  /* Did the caller pass a token handle? */
432  if (ClientTokenHandle == NULL)
433  {
434  /* Check if we have a token in the subject context */
 /* Without an explicit token the caller must be impersonating someone;
  * an anonymous or plain primary-token caller is refused. */
435  if (SubjectContext.ClientToken == NULL)
436  {
438  DPRINT1("No token\n");
439  goto Cleanup;
440  }
441 
442  /* Check if we have a valid impersonation level */
 /* SecurityAnonymous tokens carry no usable identity for an access
  * check, so only Identification and above are accepted. */
443  if (SubjectContext.ImpersonationLevel < SecurityIdentification)
444  {
446  DPRINT1("Invalid impersonation level 0x%lx\n",
447  SubjectContext.ImpersonationLevel);
448  goto Cleanup;
449  }
450  }
451 
452  /* Are we using a result list? */
 /* The 0x1000 cap below is only applied when a result list is requested.
  * In the single-result case ObjectTypeListLength is still forwarded,
  * unbounded, to SeCaptureObjectTypeList, whose pool allocation is then the
  * only limit on it. */
453  if (UseResultList)
454  {
455  /* The list length equals the object type list length */
456  ResultListLength = ObjectTypeListLength;
457  if ((ResultListLength == 0) || (ResultListLength > 0x1000))
458  {
460  DPRINT1("Invalid ResultListLength: 0x%lx\n", ResultListLength);
461  goto Cleanup;
462  }
463 
464  /* Allocate a safe buffer from paged pool */
 /* One allocation for both lists; bounded by the cap above. */
465  SafeGrantedAccessList = ExAllocatePoolWithTag(PagedPool,
466  2 * ResultListLength * sizeof(ULONG),
467  TAG_SEPA);
468  if (SafeGrantedAccessList == NULL)
469  {
471  DPRINT1("Failed to allocate access lists\n");
472  goto Cleanup;
473  }
474 
 /* The NTSTATUS list starts right after ResultListLength ACCESS_MASKs.
  * This carve-up (and the sizeof(ULONG)-based size above) relies on
  * sizeof(ACCESS_MASK) == sizeof(NTSTATUS) == sizeof(ULONG). */
475  SafeAccessStatusList = (PNTSTATUS)&SafeGrantedAccessList[ResultListLength];
476  AllocatedResultLists = TRUE;
477  }
478  else
479  {
480  /* List length is 1 */
481  ResultListLength = 1;
482  SafeGrantedAccessList = &GrantedAccess;
483  SafeAccessStatusList = &AccessStatus;
484  }
485 
 /* Probe the caller's buffers up front so a bad pointer fails before any
  * object is referenced or captured. GenericMapping is copied once; the
  * worker only ever sees the kernel copy. */
486  _SEH2_TRY
487  {
488  /* Probe output buffers */
489  ProbeForWrite(AccessStatusList,
490  ResultListLength * sizeof(*AccessStatusList),
491  sizeof(*AccessStatusList));
492  ProbeForWrite(GrantedAccessList,
493  ResultListLength * sizeof(*GrantedAccessList),
494  sizeof(*GrantedAccessList));
495 
496  /* Probe generic mapping and make a local copy */
497  ProbeForRead(GenericMapping, sizeof(*GenericMapping), sizeof(ULONG));
498  LocalGenericMapping = * GenericMapping;
499  }
501  {
503  DPRINT1("Exception while probing parameters: 0x%lx\n", Status);
504  _SEH2_YIELD(goto Cleanup);
505  }
506  _SEH2_END;
507 
508  /* Do we have a client token? */
509  if (ClientTokenHandle != NULL)
510  {
511  /* Reference the client token */
 /* *ClientTokenHandle is a kernel-stack copy made by the wrapper, hence no
  * probe; the handle value is checked against the caller's handle table
  * with UserMode access mode and TOKEN_QUERY. */
512  Status = ObReferenceObjectByHandle(*ClientTokenHandle,
513  TOKEN_QUERY,
515  UserMode,
516  (PVOID*)&ClientToken,
517  NULL);
518  if (!NT_SUCCESS(Status))
519  {
520  DPRINT1("Failed to reference token handle %p: %lx\n",
521  *ClientTokenHandle, Status);
522  goto Cleanup;
523  }
524 
 /* Temporarily make the referenced token the subject's client token so
  * SeCheckAuditPrivilege below evaluates the caller-supplied token. The
  * original pointer is restored in Cleanup before the context is released. */
525  SubjectContextToken = SubjectContext.ClientToken;
526  SubjectContext.ClientToken = ClientToken;
527  }
528 
529  /* Check for audit privilege */
 /* AUDIT_ALLOW_NO_PRIVILEGE lets an unprivileged caller proceed; the result
  * of the check is still forwarded to the worker in HaveAuditPrivilege. */
530  HaveAuditPrivilege = SeCheckAuditPrivilege(&SubjectContext, UserMode);
531  if (!HaveAuditPrivilege && !(Flags & AUDIT_ALLOW_NO_PRIVILEGE))
532  {
533  DPRINT1("Caller does not have SeAuditPrivilege\n");
535  goto Cleanup;
536  }
537 
538  /* Generic access must already be mapped to non-generic access types! */
540  {
541  DPRINT1("Generic access rights requested: 0x%lx\n", DesiredAccess);
543  goto Cleanup;
544  }
545 
546  /* Capture the security descriptor */
 /* Self-relative kernel copy; the user-mode descriptor is never touched
  * again after this. */
548  UserMode,
549  PagedPool,
550  FALSE,
551  &CapturedSecurityDescriptor);
552  if (!NT_SUCCESS(Status))
553  {
554  DPRINT1("Failed to capture security descriptor!\n");
555  goto Cleanup;
556  }
557 
558  /* Validate the Security descriptor */
 /* Owner and group are mandatory for an access check / audit record. */
559  if ((SepGetOwnerFromDescriptor(CapturedSecurityDescriptor) == NULL) ||
560  (SepGetGroupFromDescriptor(CapturedSecurityDescriptor) == NULL))
561  {
563  DPRINT1("Invalid security descriptor\n");
564  goto Cleanup;
565  }
566 
567  /* Probe and capture the subsystem name */
568  Status = ProbeAndCaptureUnicodeString(&CapturedSubsystemName,
569  UserMode,
570  SubsystemName);
571  if (!NT_SUCCESS(Status))
572  {
573  DPRINT1("Failed to capture subsystem name!\n");
574  goto Cleanup;
575  }
576 
577  /* Probe and capture the object type name */
578  Status = ProbeAndCaptureUnicodeString(&CapturedObjectTypeName,
579  UserMode,
581  if (!NT_SUCCESS(Status))
582  {
583  DPRINT1("Failed to capture object type name!\n");
584  goto Cleanup;
585  }
586 
587  /* Probe and capture the object name */
588  Status = ProbeAndCaptureUnicodeString(&CapturedObjectName,
589  UserMode,
590  ObjectName);
591  if (!NT_SUCCESS(Status))
592  {
593  DPRINT1("Failed to capture object name!\n");
594  goto Cleanup;
595  }
596 
597  /* Check if we have a PrincipalSelfSid */
598  if (PrincipalSelfSid != NULL)
599  {
600  /* Capture it */
601  Status = SepCaptureSid(PrincipalSelfSid,
602  UserMode,
603  PagedPool,
604  FALSE,
605  &CapturedPrincipalSelfSid);
606  if (!NT_SUCCESS(Status))
607  {
608  DPRINT1("Failed to capture PrincipalSelfSid!\n");
609  goto Cleanup;
610  }
611  }
612 
613  /* Capture the object type list */
614  Status = SeCaptureObjectTypeList(ObjectTypeList,
615  ObjectTypeListLength,
616  UserMode,
617  &CapturedObjectTypeList);
618  if (!NT_SUCCESS(Status))
619  {
620  DPRINT1("Failed to capture object type list!\n");
621  goto Cleanup;
622  }
623 
624  /* Call the worker routine with the captured buffers */
 /* NOTE(review): the worker returns an NTSTATUS that is discarded here.
  * Status still holds STATUS_SUCCESS from SeCaptureObjectTypeList, so once
  * the worker does real work a failure in it would be reported to the caller
  * as success; `Status = SepAccessCheckAndAuditAlarmWorker(...)` plus a
  * NT_SUCCESS check would close that. */
625  SepAccessCheckAndAuditAlarmWorker(&CapturedSubsystemName,
626  HandleId,
628  &CapturedObjectTypeName,
629  &CapturedObjectName,
630  CapturedSecurityDescriptor,
631  CapturedPrincipalSelfSid,
633  AuditType,
634  HaveAuditPrivilege,
635  CapturedObjectTypeList,
636  ObjectTypeListLength,
637  &LocalGenericMapping,
638  SafeGrantedAccessList,
639  SafeAccessStatusList,
640  &LocalGenerateOnClose,
641  UseResultList);
642 
643  /* Enter SEH to copy the data back to user mode */
 /* A fault part-way leaves the user buffers partially written; Status then
  * carries the exception code (see the DPRINT), so the caller sees a
  * failure rather than a half-filled result. */
644  _SEH2_TRY
645  {
646  /* Loop all result entries (only 1 when no list was requested) */
647  ASSERT(UseResultList || (ResultListLength == 1));
648  for (i = 0; i < ResultListLength; i++)
649  {
650  AccessStatusList[i] = SafeAccessStatusList[i];
651  GrantedAccessList[i] = SafeGrantedAccessList[i];
652  }
653 
654  *GenerateOnClose = LocalGenerateOnClose;
655  }
657  {
659  DPRINT1("Exception while copying back data: 0x%lx\n", Status);
660  }
661  _SEH2_END;
662 
 /* Release in reverse order of acquisition. Every pointer tested below was
  * NULL-initialized in "Start clean", so reaching this label from any of
  * the early exits is safe. */
663 Cleanup:
664 
665  if (CapturedObjectTypeList != NULL)
666  SeReleaseObjectTypeList(CapturedObjectTypeList, UserMode);
667 
668  if (CapturedPrincipalSelfSid != NULL)
669  SepReleaseSid(CapturedPrincipalSelfSid, UserMode, FALSE);
670 
671  if (CapturedObjectName.Buffer != NULL)
672  ReleaseCapturedUnicodeString(&CapturedObjectName, UserMode);
673 
674  if (CapturedObjectTypeName.Buffer != NULL)
675  ReleaseCapturedUnicodeString(&CapturedObjectTypeName, UserMode);
676 
677  if (CapturedSubsystemName.Buffer != NULL)
678  ReleaseCapturedUnicodeString(&CapturedSubsystemName, UserMode);
679 
680  if (CapturedSecurityDescriptor != NULL)
681  SeReleaseSecurityDescriptor(CapturedSecurityDescriptor, UserMode, FALSE);
682 
 /* Undo the client-token swap before the subject context is released, so
  * the release sees the token it originally captured. */
683  if (ClientToken != NULL)
684  {
685  ObDereferenceObject(ClientToken);
686  SubjectContext.ClientToken = SubjectContextToken;
687  }
688 
689  if (AllocatedResultLists)
690  ExFreePoolWithTag(SafeGrantedAccessList, TAG_SEPA);
691 
692  /* Release the security subject context */
694 
695  return Status;
696 }
697 
698 
699 /* PUBLIC FUNCTIONS ***********************************************************/
700 
701 /*
702  * @unimplemented
703  */
704 VOID
705 NTAPI
707  IN PUNICODE_STRING LinkName,
709 {
711 }
712 
713 /*
714  * @unimplemented
715  */
716 BOOLEAN
717 NTAPI
720 {
722  return FALSE;
723 }
724 
725 /*
726  * @unimplemented
727  */
728 BOOLEAN
729 NTAPI
733 {
735  return FALSE;
736 }
737 
738 /*
739  * @unimplemented
740  */
741 BOOLEAN
742 NTAPI
745 {
747  return FALSE;
748 }
749 
750 /*
751  * @unimplemented
752  */
753 BOOLEAN
754 NTAPI
758 {
760  return FALSE;
761 }
762 
763 /*
764  * @unimplemented
765  */
766 BOOLEAN
767 NTAPI
771 {
773  return FALSE;
774 }
775 
776 /*
777  * @unimplemented
778  */
779 VOID
780 NTAPI
782  IN HANDLE Handle,
783  IN BOOLEAN PerformAction)
784 {
786 }
787 
788 /*
789  * @unimplemented
790  */
791 VOID NTAPI
793  IN HANDLE Handle)
794 {
796 }
797 
798 /*
799  * @unimplemented
800  */
801 VOID
802 NTAPI
812 {
813  PAGED_CODE();
814 
815  /* Audits aren't done on kernel-mode access */
816  if (AccessMode == KernelMode) return;
817 
818  /* Otherwise, unimplemented! */
819  //UNIMPLEMENTED;
820  return;
821 }
822 
823 /*
824  * @unimplemented
825  */
826 VOID NTAPI
836 {
838 }
839 
840 /*
841  * @unimplemented
842  */
843 VOID
844 NTAPI
850  IN KPROCESSOR_MODE CurrentMode)
851 {
853 }
854 
855 /* SYSTEM CALLS ***************************************************************/
856 
/*
 * NtCloseObjectAuditAlarm
 *
 * User-mode entry point for the close-object audit. When GenerateOnClose is
 * FALSE the call returns STATUS_SUCCESS immediately, before anything has
 * been captured or referenced, so that path has nothing to release.
 * Otherwise the caller must hold SeAuditPrivilege (per the check below),
 * SubsystemName is captured from user memory, and the audit is raised on
 * behalf of the current thread's effective identity: its impersonation token
 * when the thread is impersonating, else its primary token. HandleId is an
 * opaque value that is forwarded here, never dereferenced. The Adt routine
 * this hands off to is still a stub at this revision, so no record is
 * actually written yet.
 */
857 NTSTATUS
858 NTAPI
860  PUNICODE_STRING SubsystemName,
861  PVOID HandleId,
863 {
865  UNICODE_STRING CapturedSubsystemName;
867  BOOLEAN UseImpersonationToken;
868  PETHREAD CurrentThread;
872  PTOKEN Token;
873  PAGED_CODE();
874 
875  /* Get the previous mode (only user mode is supported!) */
878 
879  /* Do we even need to do anything? */
 /* Early out before the subject context is captured: nothing to clean up. */
880  if (!GenerateOnClose)
881  {
882  /* Nothing to do, return success */
883  return STATUS_SUCCESS;
884  }
885 
886  /* Capture the security subject context */
888 
889  /* Check for audit privilege */
891  {
892  DPRINT1("Caller does not have SeAuditPrivilege\n");
894  goto Cleanup;
895  }
896 
897  /* Probe and capture the subsystem name */
898  Status = ProbeAndCaptureUnicodeString(&CapturedSubsystemName,
899  PreviousMode,
900  SubsystemName);
901  if (!NT_SUCCESS(Status))
902  {
903  DPRINT1("Failed to capture subsystem name!\n");
904  goto Cleanup;
905  }
906 
907  /* Get the current thread and check if it's impersonating */
 /* The thread's own impersonation state cannot change underneath it, so
  * the check and the reference below are not racy. */
908  CurrentThread = PsGetCurrentThread();
909  if (PsIsThreadImpersonating(CurrentThread))
910  {
911  /* Get the impersonation token */
912  Token = PsReferenceImpersonationToken(CurrentThread,
913  &CopyOnOpen,
914  &EffectiveOnly,
916  UseImpersonationToken = TRUE;
917  }
918  else
919  {
920  /* Get the primary token */
922  UseImpersonationToken = FALSE;
923  }
924 
925  /* Call the internal function */
 /* The SID audited is the user entry of whichever token was picked above. */
926  SepAdtCloseObjectAuditAlarm(&CapturedSubsystemName,
927  HandleId,
928  Token->UserAndGroups->Sid);
929 
930  /* Release the captured subsystem name */
931  ReleaseCapturedUnicodeString(&CapturedSubsystemName, PreviousMode);
932 
933  /* Check what token we used */
 /* Drop the reference taken in the matching branch above. */
934  if (UseImpersonationToken)
935  {
936  /* Release impersonation token */
938  }
939  else
940  {
941  /* Release primary token */
943  }
944 
946 
947 Cleanup:
948 
949  /* Release the security subject context */
951 
952  return Status;
953 }
954 
955 
958  IN PVOID HandleId,
960 {
962  return STATUS_NOT_IMPLEMENTED;
963 }
964 
965 VOID
966 NTAPI
969  _In_ PUNICODE_STRING SubsystemName,
970  _In_opt_ PVOID HandleId,
974  _In_ PTOKEN ClientToken,
978  _In_ BOOLEAN ObjectCreation,
981 {
983  DBG_UNREFERENCED_PARAMETER(SubsystemName);
984  DBG_UNREFERENCED_PARAMETER(HandleId);
988  DBG_UNREFERENCED_PARAMETER(ClientToken);
992  DBG_UNREFERENCED_PARAMETER(ObjectCreation);
996 }
997 
/*
 * NtOpenObjectAuditAlarm
 *
 * User-mode entry point for the open-object audit. Order of operations:
 * reference the caller-supplied token handle (TOKEN_QUERY, UserMode),
 * capture the subject context, reject impersonation tokens below
 * SecurityIdentification, require SeAuditPrivilege (per the check below),
 * then bring every user-mode input (security descriptor, privilege set,
 * HandleId, the three names) into kernel memory before the internal routine
 * runs. A NULL SecurityDescriptor ends the call early. GenerateOnClose is
 * written back under SEH at the end. The routine invoked at the bottom is
 * presumably the SepOpenObjectAuditAlarm stub above, so no audit record is
 * produced yet; the validation is what this syscall currently provides.
 */
999 NTSTATUS
1000 NTAPI
1002  _In_ PUNICODE_STRING SubsystemName,
1003  _In_opt_ PVOID HandleId,
1007  _In_ HANDLE ClientTokenHandle,
1010  _In_opt_ PPRIVILEGE_SET PrivilegeSet,
1011  _In_ BOOLEAN ObjectCreation,
1014 {
1015  PTOKEN ClientToken;
1016  PSECURITY_DESCRIPTOR CapturedSecurityDescriptor;
1017  UNICODE_STRING CapturedSubsystemName, CapturedObjectTypeName, CapturedObjectName;
1018  ULONG PrivilegeCount, PrivilegeSetSize;
 /* volatile: assigned inside _SEH2_TRY and read in Cleanup after a possible
  * exception, so it must not be cached in a register across the handler. */
1019  volatile PPRIVILEGE_SET CapturedPrivilegeSet;
1020  BOOLEAN LocalGenerateOnClose;
 /* NOTE(review): CapturedHandleId is only assigned inside the SEH block when
  * HandleId != NULL, yet it is passed to the internal call below on every
  * path, so for a NULL HandleId the callee receives an uninitialized stack
  * value. Initializing it in the "Start clean" section
  * (`CapturedHandleId = NULL;`) would close that gap. */
1021  PVOID CapturedHandleId;
1023  NTSTATUS Status;
1024  PAGED_CODE();
1025 
1026  /* Only user mode is supported! */
1028 
1029  /* Start clean */
 /* NULL-initialize everything Cleanup tests so early exits are safe. */
1030  ClientToken = NULL;
1031  CapturedSecurityDescriptor = NULL;
1032  CapturedPrivilegeSet = NULL;
1033  CapturedSubsystemName.Buffer = NULL;
1034  CapturedObjectTypeName.Buffer = NULL;
1035  CapturedObjectName.Buffer = NULL;
1036 
1037  /* Reference the client token */
 /* Fails before the subject context is captured, hence the plain return. */
1038  Status = ObReferenceObjectByHandle(ClientTokenHandle,
1039  TOKEN_QUERY,
1041  UserMode,
1042  (PVOID*)&ClientToken,
1043  NULL);
1044  if (!NT_SUCCESS(Status))
1045  {
1046  DPRINT1("Failed to reference token handle %p: %lx\n",
1047  ClientTokenHandle, Status);
1048  return Status;
1049  }
1050 
1051  /* Capture the security subject context */
1053 
1054  /* Validate the token's impersonation level */
 /* Anonymous-level impersonation tokens carry no usable identity. */
1055  if ((ClientToken->TokenType == TokenImpersonation) &&
1056  (ClientToken->ImpersonationLevel < SecurityIdentification))
1057  {
1058  DPRINT1("Invalid impersonation level (%u)\n", ClientToken->ImpersonationLevel);
1060  goto Cleanup;
1061  }
1062 
1063  /* Check for audit privilege */
1065  {
1066  DPRINT1("Caller does not have SeAuditPrivilege\n");
1068  goto Cleanup;
1069  }
1070 
1071  /* Check for NULL SecurityDescriptor */
 /* Note that on this path GenerateOnClose is never probed or written. */
1072  if (SecurityDescriptor == NULL)
1073  {
1074  /* Nothing to do */
1076  goto Cleanup;
1077  }
1078 
1079  /* Capture the security descriptor */
1081  UserMode,
1082  PagedPool,
1083  FALSE,
1084  &CapturedSecurityDescriptor);
1085  if (!NT_SUCCESS(Status))
1086  {
1087  DPRINT1("Failed to capture security descriptor!\n");
1088  goto Cleanup;
1089  }
1090 
1091  _SEH2_TRY
1092  {
1093  /* Check if we have a privilege set */
1094  if (PrivilegeSet != NULL)
1095  {
1096  /* Probe the basic privilege set structure */
1097  ProbeForRead(PrivilegeSet, sizeof(PRIVILEGE_SET), sizeof(ULONG));
1098 
1099  /* Validate privilege count */
 /* PrivilegeCount is fetched from user memory exactly once; every later
  * size (FIELD_OFFSET, re-probe, allocation, copy) derives from this
  * local, so the caller cannot change it between the bound check and the
  * copy. SEP_PRIVILEGE_SET_MAX_COUNT keeps the computed size small and
  * free of overflow. */
1100  PrivilegeCount = PrivilegeSet->PrivilegeCount;
1101  if (PrivilegeCount > SEP_PRIVILEGE_SET_MAX_COUNT)
1102  {
1104  _SEH2_YIELD(goto Cleanup);
1105  }
1106 
1107  /* Calculate the size of the PrivilegeSet structure */
1108  PrivilegeSetSize = FIELD_OFFSET(PRIVILEGE_SET, Privilege[PrivilegeCount]);
1109 
1110  /* Probe the whole structure */
1111  ProbeForRead(PrivilegeSet, PrivilegeSetSize, sizeof(ULONG));
1112 
1113  /* Allocate a temp buffer */
1114  CapturedPrivilegeSet = ExAllocatePoolWithTag(PagedPool,
1115  PrivilegeSetSize,
1117  if (CapturedPrivilegeSet == NULL)
1118  {
1119  DPRINT1("Failed to allocate %u bytes\n", PrivilegeSetSize);
1121  _SEH2_YIELD(goto Cleanup);
1122  }
1123 
1124  /* Copy the privileges */
1125  RtlCopyMemory(CapturedPrivilegeSet, PrivilegeSet, PrivilegeSetSize);
1126  }
1127 
 /* Unlike the other audit syscalls in this file, HandleId is a pointer to
  * the handle value here and is dereferenced after probing. */
1128  if (HandleId != NULL)
1129  {
1130  ProbeForRead(HandleId, sizeof(PVOID), sizeof(PVOID));
1131  CapturedHandleId = *(PVOID*)HandleId;
1132  }
1133 
 /* Probe the output pointer now so a bad GenerateOnClose fails before the
  * names are captured; the actual write below is under SEH anyway. */
1134  ProbeForWrite(GenerateOnClose, sizeof(BOOLEAN), sizeof(BOOLEAN));
1135  }
1137  {
1139  DPRINT1("Exception while probing parameters: 0x%lx\n", Status);
1140  _SEH2_YIELD(goto Cleanup);
1141  }
1142  _SEH2_END;
1143 
1144  /* Probe and capture the subsystem name */
1145  Status = ProbeAndCaptureUnicodeString(&CapturedSubsystemName,
1146  UserMode,
1147  SubsystemName);
1148  if (!NT_SUCCESS(Status))
1149  {
1150  DPRINT1("Failed to capture subsystem name!\n");
1151  goto Cleanup;
1152  }
1153 
1154  /* Probe and capture the object type name */
1155  Status = ProbeAndCaptureUnicodeString(&CapturedObjectTypeName,
1156  UserMode,
1157  ObjectTypeName);
1158  if (!NT_SUCCESS(Status))
1159  {
1160  DPRINT1("Failed to capture object type name!\n");
1161  goto Cleanup;
1162  }
1163 
1164  /* Probe and capture the object name */
1165  Status = ProbeAndCaptureUnicodeString(&CapturedObjectName,
1166  UserMode,
1167  ObjectName);
1168  if (!NT_SUCCESS(Status))
1169  {
1170  DPRINT1("Failed to capture object name!\n");
1171  goto Cleanup;
1172  }
1173 
1174  /* Call the internal function */
 /* Only kernel copies are passed from here on. LocalGenerateOnClose is
  * whatever the callee stores; if the (still stubbed) callee does not write
  * it, the copy-back below would publish an uninitialized stack byte —
  * confirm the callee initializes it. */
1176  &CapturedSubsystemName,
1177  CapturedHandleId,
1178  &CapturedObjectTypeName,
1179  &CapturedObjectName,
1180  CapturedSecurityDescriptor,
1181  ClientToken,
1182  DesiredAccess,
1183  GrantedAccess,
1184  CapturedPrivilegeSet,
1185  ObjectCreation,
1186  AccessGranted,
1187  &LocalGenerateOnClose);
1188 
1190 
1191  /* Enter SEH to copy the data back to user mode */
1192  _SEH2_TRY
1193  {
1194  *GenerateOnClose = LocalGenerateOnClose;
1195  }
1197  {
1199  DPRINT1("Exception while copying back data: 0x%lx\n", Status);
1200  }
1201  _SEH2_END;
1202 
 /* Release in reverse order; all pointers tested were NULL-initialized. */
1203 Cleanup:
1204 
1205  if (CapturedObjectName.Buffer != NULL)
1206  ReleaseCapturedUnicodeString(&CapturedObjectName, UserMode);
1207 
1208  if (CapturedObjectTypeName.Buffer != NULL)
1209  ReleaseCapturedUnicodeString(&CapturedObjectTypeName, UserMode);
1210 
1211  if (CapturedSubsystemName.Buffer != NULL)
1212  ReleaseCapturedUnicodeString(&CapturedSubsystemName, UserMode);
1213 
1214  if (CapturedSecurityDescriptor != NULL)
1215  SeReleaseSecurityDescriptor(CapturedSecurityDescriptor, UserMode, FALSE);
1216 
1217  if (CapturedPrivilegeSet != NULL)
1218  ExFreePoolWithTag(CapturedPrivilegeSet, TAG_PRIVILEGE_SET);
1219 
1220  /* Release the security subject context */
1222 
 /* ClientToken is always valid here: the only exit that precedes the
  * reference succeeding returns directly. */
1223  ObDereferenceObject(ClientToken);
1224 
1225  return Status;
1226 }
1227 
1228 
/*
 * NtPrivilegedServiceAuditAlarm
 *
 * User-mode entry point for auditing privilege use by a service. The
 * caller-supplied token handle is referenced first (TOKEN_QUERY); an
 * impersonation token below SecurityIdentification is rejected before the
 * subject context is captured, which is why that exit dereferences the token
 * and returns directly instead of jumping to Cleanup. The caller must hold
 * SeAuditPrivilege (per the check below). SubsystemName and ServiceName are
 * optional and captured only when given; Privileges is mandatory and is
 * validated against SEP_PRIVILEGE_SET_MAX_COUNT and copied to pool under
 * SEH. The worker called at the bottom (presumably
 * SepAdtPrivilegedServiceAuditAlarm, whose parameter list matches) is still
 * a stub at this revision, so the validation is the effective behaviour.
 */
1230 NTSTATUS
1231 NTAPI
1233  _In_opt_ PUNICODE_STRING SubsystemName,
1235  _In_ HANDLE ClientTokenHandle,
1238 {
1240  PTOKEN ClientToken;
 /* volatile: assigned inside _SEH2_TRY and read in Cleanup after a possible
  * exception, so it must not be cached in a register across the handler. */
1241  volatile PPRIVILEGE_SET CapturedPrivileges = NULL;
1242  UNICODE_STRING CapturedSubsystemName;
1243  UNICODE_STRING CapturedServiceName;
1244  ULONG PrivilegeCount, PrivilegesSize;
1246  NTSTATUS Status;
1247  PAGED_CODE();
1248 
1249  /* Get the previous mode (only user mode is supported!) */
1252 
 /* Cleanup tests these buffers, so they must be NULL before any goto. */
1253  CapturedSubsystemName.Buffer = NULL;
1254  CapturedServiceName.Buffer = NULL;
1255 
1256  /* Reference the client token */
1257  Status = ObReferenceObjectByHandle(ClientTokenHandle,
1258  TOKEN_QUERY,
1260  PreviousMode,
1261  (PVOID*)&ClientToken,
1262  NULL);
1263  if (!NT_SUCCESS(Status))
1264  {
1265  DPRINT1("Failed to reference client token: 0x%lx\n", Status);
1266  return Status;
1267  }
1268 
1269  /* Validate the token's impersonation level */
 /* Nothing but the token reference is held at this point, so the direct
  * return after ObDereferenceObject is complete. */
1270  if ((ClientToken->TokenType == TokenImpersonation) &&
1271  (ClientToken->ImpersonationLevel < SecurityIdentification))
1272  {
1273  DPRINT1("Invalid impersonation level (%u)\n", ClientToken->ImpersonationLevel);
1274  ObDereferenceObject(ClientToken);
1276  }
1277 
1278  /* Capture the security subject context */
1280 
1281  /* Check for audit privilege */
1283  {
1284  DPRINT1("Caller does not have SeAuditPrivilege\n");
1286  goto Cleanup;
1287  }
1288 
1289  /* Do we have a subsystem name? */
1290  if (SubsystemName != NULL)
1291  {
1292  /* Probe and capture the subsystem name */
1293  Status = ProbeAndCaptureUnicodeString(&CapturedSubsystemName,
1294  PreviousMode,
1295  SubsystemName);
1296  if (!NT_SUCCESS(Status))
1297  {
1298  DPRINT1("Failed to capture subsystem name!\n");
1299  goto Cleanup;
1300  }
1301  }
1302 
1303  /* Do we have a service name? */
1304  if (ServiceName != NULL)
1305  {
1306  /* Probe and capture the service name */
1307  Status = ProbeAndCaptureUnicodeString(&CapturedServiceName,
1308  PreviousMode,
1309  ServiceName);
1310  if (!NT_SUCCESS(Status))
1311  {
1312  DPRINT1("Failed to capture service name!\n");
1313  goto Cleanup;
1314  }
1315  }
1316 
1317  _SEH2_TRY
1318  {
1319  /* Probe the basic privilege set structure */
 /* Privileges is not NULL-checked: a NULL pointer would fault on the read
  * below, inside this SEH block, and surface as the exception status. */
1320  ProbeForRead(Privileges, sizeof(PRIVILEGE_SET), sizeof(ULONG));
1321 
1322  /* Validate privilege count */
 /* Single fetch of the count; every later size derives from this local so
  * the caller cannot change it between the bound check and the copy.
  * SEP_PRIVILEGE_SET_MAX_COUNT keeps the size small and overflow-free. */
1323  PrivilegeCount = Privileges->PrivilegeCount;
1324  if (PrivilegeCount > SEP_PRIVILEGE_SET_MAX_COUNT)
1325  {
1327  _SEH2_YIELD(goto Cleanup);
1328  }
1329 
1330  /* Calculate the size of the Privileges structure */
1331  PrivilegesSize = FIELD_OFFSET(PRIVILEGE_SET, Privilege[PrivilegeCount]);
1332 
1333  /* Probe the whole structure */
1334  ProbeForRead(Privileges, PrivilegesSize, sizeof(ULONG));
1335 
1336  /* Allocate a temp buffer */
1337  CapturedPrivileges = ExAllocatePoolWithTag(PagedPool,
1338  PrivilegesSize,
1340  if (CapturedPrivileges == NULL)
1341  {
1342  DPRINT1("Failed to allocate %u bytes\n", PrivilegesSize);
1344  _SEH2_YIELD(goto Cleanup);
1345  }
1346 
1347  /* Copy the privileges */
1348  RtlCopyMemory(CapturedPrivileges, Privileges, PrivilegesSize);
1349  }
1351  {
1353  DPRINT1("Got exception 0x%lx\n", Status);
1354  _SEH2_YIELD(goto Cleanup);
1355  }
1356  _SEH2_END;
1357 
1358  /* Call the internal function */
 /* The user pointers are used only as NULL tests here; the worker receives
  * the kernel copies (or NULL for a name that was not supplied). */
1360  SubsystemName ? &CapturedSubsystemName : NULL,
1361  ServiceName ? &CapturedServiceName : NULL,
1362  ClientToken,
1363  SubjectContext.PrimaryToken,
1364  CapturedPrivileges,
1365  AccessGranted);
1366 
1368 
1369 Cleanup:
1370  /* Cleanup resources */
1371  if (CapturedSubsystemName.Buffer != NULL)
1372  ReleaseCapturedUnicodeString(&CapturedSubsystemName, PreviousMode);
1373 
1374  if (CapturedServiceName.Buffer != NULL)
1375  ReleaseCapturedUnicodeString(&CapturedServiceName, PreviousMode);
1376 
1377  if (CapturedPrivileges != NULL)
1378  ExFreePoolWithTag(CapturedPrivileges, TAG_PRIVILEGE_SET);
1379 
1380  /* Release the security subject context */
1382 
 /* Always valid here: the two exits that precede a successful reference
  * (or follow the impersonation-level failure) return directly. */
1383  ObDereferenceObject(ClientToken);
1384 
1385  return Status;
1386 }
1387 
1388 
1391  IN PVOID HandleId,
1392  IN HANDLE ClientToken,
1396 {
1397  UNIMPLEMENTED;
1398  return STATUS_NOT_IMPLEMENTED;
1399 }
1400 
1401 
/*
 * NtAccessCheckAndAuditAlarm
 *
 * Single-object form of the access-check-and-audit syscall. Passes no token
 * handle (so the caller's own impersonation token is used and must be at
 * least SecurityIdentification), no PrincipalSelfSid, no Flags and no object
 * type list, and asks for a single result (UseResultList = FALSE), so
 * exactly one GrantedAccess / AccessStatus pair is written back.
 * ObjectCreation is accepted for API compatibility only; the internal
 * routine has no such parameter (the ByHandle variant below marks it with
 * UNREFERENCED_PARAMETER, which would be consistent here too).
 */
1404 NTSTATUS
1405 NTAPI
1407  _In_ PUNICODE_STRING SubsystemName,
1408  _In_opt_ PVOID HandleId,
1414  _In_ BOOLEAN ObjectCreation,
1418 {
1419  /* Call the internal function */
1420  return SepAccessCheckAndAuditAlarm(SubsystemName,
1421  HandleId,
1422  NULL,
1424  ObjectName,
1426  NULL,
1427  DesiredAccess,
1429  0,
1430  NULL,
1431  0,
1433  GrantedAccess,
1434  AccessStatus,
1436  FALSE);
1437 }
1438 
/*
 * NtAccessCheckByTypeAndAuditAlarm
 *
 * Object-type-aware variant that still returns a single result
 * (UseResultList = FALSE). Forwards AuditType, Flags, PrincipalSelfSid and
 * the object type list to the internal routine with no token handle, so the
 * caller's impersonation token is used. ObjectTypeLength is passed through
 * unbounded here: the internal routine's 0x1000 cap applies to result lists
 * only, so in this form the capture routine's allocation is the only limit.
 * ObjectCreation is accepted for API compatibility and not forwarded.
 */
1441 NTSTATUS
1442 NTAPI
1444  _In_ PUNICODE_STRING SubsystemName,
1445  _In_opt_ PVOID HandleId,
1449  _In_opt_ PSID PrincipalSelfSid,
1451  _In_ AUDIT_EVENT_TYPE AuditType,
1452  _In_ ULONG Flags,
1453  _In_reads_opt_(ObjectTypeLength) POBJECT_TYPE_LIST ObjectTypeList,
1454  _In_ ULONG ObjectTypeLength,
1456  _In_ BOOLEAN ObjectCreation,
1460 {
1461  /* Call the internal function */
1462  return SepAccessCheckAndAuditAlarm(SubsystemName,
1463  HandleId,
1464  NULL,
1466  ObjectName,
1468  PrincipalSelfSid,
1469  DesiredAccess,
1470  AuditType,
1471  Flags,
1472  ObjectTypeList,
1473  ObjectTypeLength,
1475  GrantedAccess,
1476  AccessStatus,
1478  FALSE);
1479 }
1480 
/*
 * NtAccessCheckByTypeResultListAndAuditAlarm
 *
 * Result-list variant (UseResultList = TRUE): one GrantedAccessList /
 * AccessStatusList entry per object type list entry. The internal routine
 * requires 1 <= ObjectTypeListLength <= 0x1000 in this form and probes both
 * output arrays for that many entries before doing anything else. No token
 * handle is passed, so the caller's impersonation token is used.
 * ObjectCreation is accepted for API compatibility and not forwarded.
 */
1483 NTSTATUS
1484 NTAPI
1486  _In_ PUNICODE_STRING SubsystemName,
1487  _In_opt_ PVOID HandleId,
1491  _In_opt_ PSID PrincipalSelfSid,
1493  _In_ AUDIT_EVENT_TYPE AuditType,
1494  _In_ ULONG Flags,
1495  _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList,
1496  _In_ ULONG ObjectTypeListLength,
1498  _In_ BOOLEAN ObjectCreation,
1499  _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccessList,
1500  _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatusList,
1502 {
1503  /* Call the internal function */
1504  return SepAccessCheckAndAuditAlarm(SubsystemName,
1505  HandleId,
1506  NULL,
1508  ObjectName,
1510  PrincipalSelfSid,
1511  DesiredAccess,
1512  AuditType,
1513  Flags,
1514  ObjectTypeList,
1515  ObjectTypeListLength,
1517  GrantedAccessList,
1518  AccessStatusList,
1520  TRUE);
1521 }
1522 
/*
 * NtAccessCheckByTypeResultListAndAuditAlarmByHandle
 *
 * Same as the result-list variant above, but the check is made against an
 * explicit token. &ClientToken is the address of this function's by-value
 * HANDLE parameter, i.e. a kernel-stack location, which is why the internal
 * routine dereferences it without probing; the handle value it holds is
 * then resolved against the caller's handle table in UserMode and installed
 * as the subject's client token for the privilege check. ObjectCreation is
 * accepted for API compatibility only and is explicitly marked unreferenced.
 */
1525 NTSTATUS
1526 NTAPI
1528  _In_ PUNICODE_STRING SubsystemName,
1529  _In_opt_ PVOID HandleId,
1530  _In_ HANDLE ClientToken,
1534  _In_opt_ PSID PrincipalSelfSid,
1536  _In_ AUDIT_EVENT_TYPE AuditType,
1537  _In_ ULONG Flags,
1538  _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList,
1539  _In_ ULONG ObjectTypeListLength,
1541  _In_ BOOLEAN ObjectCreation,
1542  _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccessList,
1543  _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatusList,
1545 {
1546  UNREFERENCED_PARAMETER(ObjectCreation);
1547 
1548  /* Call the internal function */
 /* Kernel address of the handle value, not a user pointer. */
1549  return SepAccessCheckAndAuditAlarm(SubsystemName,
1550  HandleId,
1551  &ClientToken,
1553  ObjectName,
1555  PrincipalSelfSid,
1556  DesiredAccess,
1557  AuditType,
1558  Flags,
1559  ObjectTypeList,
1560  ObjectTypeListLength,
1562  GrantedAccessList,
1563  AccessStatusList,
1565  TRUE);
1566 }
1567 
1568 /* EOF */