15#define SEP_PRIVILEGE_SET_MAX_COUNT 60
127 sizeof(LocalNameInfo),
149 if ((ObjectNameInfo) &&
154 if (ObjectNameInfo)
ExFreePool(ObjectNameInfo);
173 *AuditInfo = ObjectNameInfo;
211 *ProcessImageName =
NULL;
214 AuditName =
Process->SeAuditProcessCreationInfo.ImageFileName;
227 SeAuditProcessCreationInfo.ImageFileName,
242 AuditName =
Process->SeAuditProcessCreationInfo.ImageFileName;
341 DPRINT(
"SepAdtPrivilegedServiceAuditAlarm is unimplemented\n");
508 ULONG ResultListLength,
i;
511 ResultListLength = UseResultList ? ObjectTypeListLength : 1;
517 for (
i = 0;
i < ResultListLength;
i++)
634 ULONG ResultListLength;
636 PTOKEN SubjectContextToken, ClientToken;
640 UNICODE_STRING CapturedSubsystemName, CapturedObjectTypeName, CapturedObjectName;
643 PSID CapturedPrincipalSelfSid;
654 AllocatedResultLists =
FALSE;
656 CapturedSecurityDescriptor =
NULL;
660 CapturedPrincipalSelfSid =
NULL;
661 CapturedObjectTypeList =
NULL;
667 DPRINT1(
"Invalid audit type: %u\n", AuditType);
675 if (ClientTokenHandle ==
NULL)
689 DPRINT1(
"Invalid impersonation level 0x%lx\n",
699 ResultListLength = ObjectTypeListLength;
700 if ((ResultListLength == 0) || (ResultListLength > 0x1000))
703 DPRINT1(
"Invalid ResultListLength: 0x%lx\n", ResultListLength);
709 2 * ResultListLength *
sizeof(
ULONG),
711 if (SafeGrantedAccessList ==
NULL)
714 DPRINT1(
"Failed to allocate access lists\n");
718 SafeAccessStatusList = (
PNTSTATUS)&SafeGrantedAccessList[ResultListLength];
719 AllocatedResultLists =
TRUE;
724 ResultListLength = 1;
733 ResultListLength *
sizeof(*AccessStatusList),
734 sizeof(*AccessStatusList));
736 ResultListLength *
sizeof(*GrantedAccessList),
737 sizeof(*GrantedAccessList));
746 DPRINT1(
"Exception while probing parameters: 0x%lx\n",
Status);
752 if (ClientTokenHandle !=
NULL)
759 (
PVOID*)&ClientToken,
763 DPRINT1(
"Failed to reference token handle %p: %lx\n",
764 *ClientTokenHandle,
Status);
776 DPRINT1(
"Caller does not have SeAuditPrivilege\n");
794 &CapturedSecurityDescriptor);
797 DPRINT1(
"Failed to capture security descriptor!\n");
806 DPRINT1(
"Invalid security descriptor\n");
816 DPRINT1(
"Failed to capture subsystem name!\n");
826 DPRINT1(
"Failed to capture object type name!\n");
836 DPRINT1(
"Failed to capture object name!\n");
841 if (PrincipalSelfSid !=
NULL)
848 &CapturedPrincipalSelfSid);
851 DPRINT1(
"Failed to capture PrincipalSelfSid!\n");
858 ObjectTypeListLength,
860 &CapturedObjectTypeList);
863 DPRINT1(
"Failed to capture object type list!\n");
871 &CapturedObjectTypeName,
873 CapturedSecurityDescriptor,
874 CapturedPrincipalSelfSid,
878 CapturedObjectTypeList,
879 ObjectTypeListLength,
880 &LocalGenericMapping,
881 SafeGrantedAccessList,
882 SafeAccessStatusList,
883 &LocalGenerateOnClose,
892 ASSERT(UseResultList || (ResultListLength == 1));
893 for (
i = 0;
i < ResultListLength;
i++)
895 AccessStatusList[
i] = SafeAccessStatusList[
i];
896 GrantedAccessList[
i] = SafeGrantedAccessList[
i];
904 DPRINT1(
"Exception while copying back data: 0x%lx\n",
Status);
910 if (CapturedObjectTypeList !=
NULL)
913 if (CapturedPrincipalSelfSid !=
NULL)
925 if (CapturedSecurityDescriptor !=
NULL)
928 if (ClientToken !=
NULL)
934 if (AllocatedResultLists)
1366 BOOLEAN UseImpersonationToken;
1391 DPRINT1(
"Caller does not have SeAuditPrivilege\n");
1402 DPRINT1(
"Failed to capture subsystem name!\n");
1415 UseImpersonationToken =
TRUE;
1421 UseImpersonationToken =
FALSE;
1427 Token->UserAndGroups->Sid);
1433 if (UseImpersonationToken)
1638 UNICODE_STRING CapturedSubsystemName, CapturedObjectTypeName, CapturedObjectName;
1639 ULONG PrivilegeCount, PrivilegeSetSize;
1642 PVOID CapturedHandleId;
1652 CapturedSecurityDescriptor =
NULL;
1653 CapturedPrivilegeSet =
NULL;
1663 (
PVOID*)&ClientToken,
1667 DPRINT1(
"Failed to reference token handle %p: %lx\n",
1668 ClientTokenHandle,
Status);
1687 DPRINT1(
"Caller does not have SeAuditPrivilege\n");
1705 &CapturedSecurityDescriptor);
1708 DPRINT1(
"Failed to capture security descriptor!\n");
1715 if (PrivilegeSet !=
NULL)
1721 PrivilegeCount = PrivilegeSet->PrivilegeCount;
1738 if (CapturedPrivilegeSet ==
NULL)
1740 DPRINT1(
"Failed to allocate %u bytes\n", PrivilegeSetSize);
1746 RtlCopyMemory(CapturedPrivilegeSet, PrivilegeSet, PrivilegeSetSize);
1749 if (HandleId !=
NULL)
1752 CapturedHandleId = *(
PVOID*)HandleId;
1760 DPRINT1(
"Exception while probing parameters: 0x%lx\n",
Status);
1771 DPRINT1(
"Failed to capture subsystem name!\n");
1781 DPRINT1(
"Failed to capture object type name!\n");
1791 DPRINT1(
"Failed to capture object name!\n");
1797 &CapturedSubsystemName,
1799 &CapturedObjectTypeName,
1800 &CapturedObjectName,
1801 CapturedSecurityDescriptor,
1805 CapturedPrivilegeSet,
1808 &LocalGenerateOnClose);
1820 DPRINT1(
"Exception while copying back data: 0x%lx\n",
Status);
1835 if (CapturedSecurityDescriptor !=
NULL)
1838 if (CapturedPrivilegeSet !=
NULL)
1895 ULONG PrivilegeCount, PrivilegesSize;
1912 (
PVOID*)&ClientToken,
1916 DPRINT1(
"Failed to reference client token: 0x%lx\n",
Status);
1935 DPRINT1(
"Caller does not have SeAuditPrivilege\n");
1941 if (SubsystemName !=
NULL)
1949 DPRINT1(
"Failed to capture subsystem name!\n");
1963 DPRINT1(
"Failed to capture service name!\n");
1991 if (CapturedPrivileges ==
NULL)
1993 DPRINT1(
"Failed to allocate %u bytes\n", PrivilegesSize);
2011 SubsystemName ? &CapturedSubsystemName :
NULL,
2028 if (CapturedPrivileges !=
NULL)
2354 ObjectTypeListLength,
2463 ObjectTypeListLength,
#define STATUS_PRIVILEGE_NOT_HELD
static GENERIC_MAPPING GenericMapping
static WCHAR ServiceName[]
#define NT_SUCCESS(StatCode)
static const WCHAR Cleanup[]
IN CINT OUT PVOID IN ULONG OUT PULONG ReturnLength
#define ExAllocatePoolWithTag(hernya, size, tag)
#define PsGetCurrentThread()
#define ExGetPreviousMode
VOID NTAPI ProbeForRead(IN CONST VOID *Address, IN SIZE_T Length, IN ULONG Alignment)
VOID NTAPI ProbeForWrite(IN PVOID Address, IN SIZE_T Length, IN ULONG Alignment)
_Inout_ PLIST_ENTRY _In_ PVOID _In_ PSTRING _In_ BOOLEAN _In_ BOOLEAN _In_ ULONG _In_ PFLT_CALLBACK_DATA _In_opt_ PCHECK_FOR_TRAVERSE_ACCESS _In_opt_ PSECURITY_SUBJECT_CONTEXT SubjectContext
_Must_inspect_result_ _In_ PLARGE_INTEGER _In_ PLARGE_INTEGER _In_ ULONG _In_ PFILE_OBJECT _In_ PVOID Process
GLsizei GLenum const GLvoid GLsizei GLenum GLbyte GLbyte GLbyte GLdouble GLdouble GLdouble GLfloat GLfloat GLfloat GLint GLint GLint GLshort GLshort GLshort GLubyte GLubyte GLubyte GLuint GLuint GLuint GLushort GLushort GLushort GLbyte GLbyte GLbyte GLbyte GLdouble GLdouble GLdouble GLdouble GLfloat GLfloat GLfloat GLfloat GLint GLint GLint GLint GLshort GLshort GLshort GLshort GLubyte GLubyte GLubyte GLubyte GLuint GLuint GLuint GLuint GLushort GLushort GLushort GLushort GLboolean const GLdouble const GLfloat const GLint const GLshort const GLbyte const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLdouble const GLfloat const GLfloat const GLint const GLint const GLshort const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort GLenum GLenum GLenum GLfloat GLenum GLint GLenum GLenum GLenum GLfloat GLenum GLenum GLint GLenum GLfloat GLenum GLint GLint GLushort GLenum GLenum GLfloat GLenum GLenum GLint GLfloat const GLubyte GLenum GLenum GLenum const GLfloat GLenum GLenum const GLint GLenum GLint GLint GLsizei GLsizei GLint GLenum GLenum const GLvoid GLenum GLenum const GLfloat GLenum GLenum const GLint GLenum GLenum const GLdouble GLenum GLenum const GLfloat GLenum GLenum const GLint GLsizei GLuint GLfloat GLuint GLbitfield GLfloat GLint GLuint GLboolean GLenum GLfloat GLenum GLbitfield GLenum GLfloat GLfloat GLint GLint const GLfloat GLenum GLfloat GLfloat GLint GLint GLfloat GLfloat GLint GLint const GLfloat GLint GLfloat GLfloat GLint GLfloat GLfloat GLint GLfloat GLfloat const GLdouble const GLfloat const GLdouble const GLfloat GLint i
#define EXCEPTION_EXECUTE_HANDLER
#define InterlockedCompareExchangePointer
enum _SECURITY_IMPERSONATION_LEVEL SECURITY_IMPERSONATION_LEVEL
#define ExFreePoolWithTag(_P, _T)
#define PsDereferencePrimaryToken(T)
#define PsDereferenceImpersonationToken(T)
static POBJECTS_AND_NAME_A SE_OBJECT_TYPE LPSTR ObjectTypeName
static const char * ImageName
#define _Out_writes_(size)
#define _Must_inspect_result_
#define _In_reads_opt_(size)
_In_ ULONG _In_ ACCESS_MASK _In_ PSID Sid
NTSYSAPI BOOLEAN NTAPI RtlEqualSid(_In_ PSID Sid1, _In_ PSID Sid2)
_In_ ACCESS_MASK _In_opt_ POBJECT_ATTRIBUTES _In_ BOOLEAN EffectiveOnly
ACCESS_MASK * PACCESS_MASK
struct _OBJECT_NAME_INFORMATION OBJECT_NAME_INFORMATION
#define DBG_UNREFERENCED_PARAMETER(P)
#define UNREFERENCED_PARAMETER(P)
VOID NTAPI SepReleaseSid(_In_ PSID CapturedSid, _In_ KPROCESSOR_MODE AccessMode, _In_ BOOLEAN CaptureIfKernel)
Releases a captured SID.
NTSTATUS NTAPI SepCaptureSid(_In_ PSID InputSid, _In_ KPROCESSOR_MODE AccessMode, _In_ POOL_TYPE PoolType, _In_ BOOLEAN CaptureIfKernel, _Out_ PSID *CapturedSid)
Captures a SID.
VOID SeReleaseObjectTypeList(_In_ _Post_invalid_ POBJECT_TYPE_LIST_INTERNAL CapturedObjectTypeList, _In_ KPROCESSOR_MODE PreviousMode)
Releases a buffer list of object types.
NTSTATUS SeCaptureObjectTypeList(_In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList, _In_ ULONG ObjectTypeListLength, _In_ KPROCESSOR_MODE PreviousMode, _Out_ POBJECT_TYPE_LIST_INTERNAL *CapturedObjectTypeList)
Captures a list of object types and converts it to an internal form for use by the kernel....
FORCEINLINE PSID SepGetOwnerFromDescriptor(_Inout_ PSECURITY_DESCRIPTOR _Descriptor)
BOOLEAN NTAPI SeCheckAuditPrivilege(_In_ PSECURITY_SUBJECT_CONTEXT SubjectContext, _In_ KPROCESSOR_MODE PreviousMode)
Checks a single privilege and performs an audit against a privileged service based on a security subj...
FORCEINLINE PSID SepGetGroupFromDescriptor(_Inout_ PSECURITY_DESCRIPTOR _Descriptor)
PACCESS_TOKEN NTAPI PsReferencePrimaryToken(PEPROCESS Process)
PACCESS_TOKEN NTAPI PsReferenceImpersonationToken(IN PETHREAD Thread, OUT PBOOLEAN CopyOnOpen, OUT PBOOLEAN EffectiveOnly, OUT PSECURITY_IMPERSONATION_LEVEL ImpersonationLevel)
BOOLEAN NTAPI PsIsThreadImpersonating(IN PETHREAD Thread)
#define SEP_PRIVILEGE_SET_MAX_COUNT
VOID NTAPI SepOpenObjectAuditAlarm(_In_ PSECURITY_SUBJECT_CONTEXT SubjectContext, _In_ PUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ PUNICODE_STRING ObjectTypeName, _In_ PUNICODE_STRING ObjectName, _In_opt_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ PTOKEN ClientToken, _In_ ACCESS_MASK DesiredAccess, _In_ ACCESS_MASK GrantedAccess, _In_opt_ PPRIVILEGE_SET Privileges, _In_ BOOLEAN ObjectCreation, _In_ BOOLEAN AccessGranted, _Out_ PBOOLEAN GenerateOnClose)
Raises an alarm audit message when an object is about to be opened.
BOOLEAN NTAPI SeAuditingFileOrGlobalEvents(_In_ BOOLEAN AccessGranted, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext)
Determines whether auditing against files or global events with subject context is being done or not.
_Must_inspect_result_ __kernel_entry NTSTATUS NTAPI NtAccessCheckByTypeResultListAndAuditAlarmByHandle(_In_ PUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ HANDLE ClientToken, _In_ PUNICODE_STRING ObjectTypeName, _In_ PUNICODE_STRING ObjectName, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_opt_ PSID PrincipalSelfSid, _In_ ACCESS_MASK DesiredAccess, _In_ AUDIT_EVENT_TYPE AuditType, _In_ ULONG Flags, _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList, _In_ ULONG ObjectTypeListLength, _In_ PGENERIC_MAPPING GenericMapping, _In_ BOOLEAN ObjectCreation, _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccessList, _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatusList, _Out_ PBOOLEAN GenerateOnClose)
Raises an alarm audit message when a caller attempts to access an object and determine if the access ...
VOID NTAPI SepAdtCloseObjectAuditAlarm(_In_ PUNICODE_STRING SubsystemName, _In_ PVOID HandleId, _In_ PSID Sid)
Closes an audit alarm event of an object.
UNICODE_STRING SeSubsystemName
static _Must_inspect_result_ NTSTATUS SepAccessCheckAndAuditAlarmWorker(_In_ PUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ PSECURITY_SUBJECT_CONTEXT SubjectContext, _In_ PUNICODE_STRING ObjectTypeName, _In_ PUNICODE_STRING ObjectName, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_opt_ PSID PrincipalSelfSid, _In_ ACCESS_MASK DesiredAccess, _In_ AUDIT_EVENT_TYPE AuditType, _In_ BOOLEAN HaveAuditPrivilege, _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST_INTERNAL ObjectTypeList, _In_ ULONG ObjectTypeListLength, _In_ PGENERIC_MAPPING GenericMapping, _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccessList, _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatusList, _Out_ PBOOLEAN GenerateOnClose, _In_ BOOLEAN UseResultList)
Worker function that serves as the main heart and brain of the whole concept and implementation of au...
VOID NTAPI SeAuditProcessExit(_In_ PEPROCESS Process)
Peforms a security auditing against a process that is about to be terminated.
VOID NTAPI SePrivilegedServiceAuditAlarm(_In_opt_ PUNICODE_STRING ServiceName, _In_ PSECURITY_SUBJECT_CONTEXT SubjectContext, _In_ PPRIVILEGE_SET PrivilegeSet, _In_ BOOLEAN AccessGranted)
Performs an audit alarm to a privileged service request.
BOOLEAN NTAPI SeAuditingFileEvents(_In_ BOOLEAN AccessGranted, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor)
Determines whether auditing against file events is being done or not.
BOOLEAN NTAPI SeAuditingHardLinkEvents(_In_ BOOLEAN AccessGranted, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor)
Determines whether auditing against hard links events is being done or not.
VOID NTAPI SeAuditHardLinkCreation(_In_ PUNICODE_STRING FileName, _In_ PUNICODE_STRING LinkName, _In_ BOOLEAN bSuccess)
Performs an audit against a hard link creation.
VOID NTAPI SeDeleteObjectAuditAlarm(_In_ PVOID Object, _In_ HANDLE Handle)
Deletes an alarm audit of an object.
VOID NTAPI SePrivilegeObjectAuditAlarm(_In_ HANDLE Handle, _In_ PSECURITY_SUBJECT_CONTEXT SubjectContext, _In_ ACCESS_MASK DesiredAccess, _In_ PPRIVILEGE_SET Privileges, _In_ BOOLEAN AccessGranted, _In_ KPROCESSOR_MODE CurrentMode)
Raises an audit with alarm notification message when an object tries to acquire this privilege.
NTSTATUS NTAPI NtDeleteObjectAuditAlarm(_In_ PUNICODE_STRING SubsystemName, _In_ PVOID HandleId, _In_ BOOLEAN GenerateOnClose)
Raises an alarm audit message when an object is about to be deleted.
_Must_inspect_result_ __kernel_entry NTSTATUS NTAPI NtAccessCheckByTypeAndAuditAlarm(_In_ PUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ PUNICODE_STRING ObjectTypeName, _In_ PUNICODE_STRING ObjectName, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_opt_ PSID PrincipalSelfSid, _In_ ACCESS_MASK DesiredAccess, _In_ AUDIT_EVENT_TYPE AuditType, _In_ ULONG Flags, _In_reads_opt_(ObjectTypeLength) POBJECT_TYPE_LIST ObjectTypeList, _In_ ULONG ObjectTypeLength, _In_ PGENERIC_MAPPING GenericMapping, _In_ BOOLEAN ObjectCreation, _Out_ PACCESS_MASK GrantedAccess, _Out_ PNTSTATUS AccessStatus, _Out_ PBOOLEAN GenerateOnClose)
Raises an alarm audit message when a caller attempts to access an object and determine if the access ...
BOOLEAN NTAPI SeAuditingFileEventsWithContext(_In_ BOOLEAN AccessGranted, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_opt_ PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext)
Determines whether auditing against file events with subject context is being done or not.
BOOLEAN NTAPI SeAuditingHardLinkEventsWithContext(_In_ BOOLEAN AccessGranted, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_opt_ PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext)
Determines whether auditing against hard links events with subject context is being done or not.
VOID NTAPI SeOpenObjectAuditAlarm(_In_ PUNICODE_STRING ObjectTypeName, _In_opt_ PVOID Object, _In_opt_ PUNICODE_STRING AbsoluteObjectName, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ PACCESS_STATE AccessState, _In_ BOOLEAN ObjectCreated, _In_ BOOLEAN AccessGranted, _In_ KPROCESSOR_MODE AccessMode, _Out_ PBOOLEAN GenerateOnClose)
Creates an audit with alarm notification of an object that is being opened.
NTSTATUS NTAPI SeLocateProcessImageName(_In_ PEPROCESS Process, _Out_ PUNICODE_STRING *ProcessImageName)
Finds the process image name of a specific process.
__kernel_entry NTSTATUS NTAPI NtPrivilegedServiceAuditAlarm(_In_opt_ PUNICODE_STRING SubsystemName, _In_opt_ PUNICODE_STRING ServiceName, _In_ HANDLE ClientTokenHandle, _In_ PPRIVILEGE_SET Privileges, _In_ BOOLEAN AccessGranted)
Raises an alarm audit message when a caller attempts to request a privileged service call.
VOID NTAPI SepAdtPrivilegedServiceAuditAlarm(_In_ PSECURITY_SUBJECT_CONTEXT SubjectContext, _In_opt_ PUNICODE_STRING SubsystemName, _In_opt_ PUNICODE_STRING ServiceName, _In_ PTOKEN Token, _In_ PTOKEN PrimaryToken, _In_ PPRIVILEGE_SET Privileges, _In_ BOOLEAN AccessGranted)
Performs an audit alarm to a privileged service request. This is a worker function.
VOID NTAPI SeOpenObjectForDeleteAuditAlarm(_In_ PUNICODE_STRING ObjectTypeName, _In_opt_ PVOID Object, _In_opt_ PUNICODE_STRING AbsoluteObjectName, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ PACCESS_STATE AccessState, _In_ BOOLEAN ObjectCreated, _In_ BOOLEAN AccessGranted, _In_ KPROCESSOR_MODE AccessMode, _Out_ PBOOLEAN GenerateOnClose)
Creates an audit with alarm notification of an object that is being opened for deletion.
_Must_inspect_result_ __kernel_entry NTSTATUS NTAPI NtAccessCheckByTypeResultListAndAuditAlarm(_In_ PUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ PUNICODE_STRING ObjectTypeName, _In_ PUNICODE_STRING ObjectName, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_opt_ PSID PrincipalSelfSid, _In_ ACCESS_MASK DesiredAccess, _In_ AUDIT_EVENT_TYPE AuditType, _In_ ULONG Flags, _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList, _In_ ULONG ObjectTypeListLength, _In_ PGENERIC_MAPPING GenericMapping, _In_ BOOLEAN ObjectCreation, _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccessList, _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatusList, _Out_ PBOOLEAN GenerateOnClose)
Raises an alarm audit message when a caller attempts to access an object and determine if the access ...
__kernel_entry NTSTATUS NTAPI NtOpenObjectAuditAlarm(_In_ PUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ PUNICODE_STRING ObjectTypeName, _In_ PUNICODE_STRING ObjectName, _In_opt_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ HANDLE ClientTokenHandle, _In_ ACCESS_MASK DesiredAccess, _In_ ACCESS_MASK GrantedAccess, _In_opt_ PPRIVILEGE_SET PrivilegeSet, _In_ BOOLEAN ObjectCreation, _In_ BOOLEAN AccessGranted, _Out_ PBOOLEAN GenerateOnClose)
Raises an alarm audit message when an object is about to be opened.
BOOLEAN NTAPI SeDetailedAuditingWithToken(_In_ PTOKEN Token)
Peforms a detailed security auditing with an access token.
VOID NTAPI SeCloseObjectAuditAlarm(_In_ PVOID Object, _In_ HANDLE Handle, _In_ BOOLEAN PerformAction)
Closes an alarm audit of an object.
NTSTATUS NTAPI NtPrivilegeObjectAuditAlarm(_In_ PUNICODE_STRING SubsystemName, _In_ PVOID HandleId, _In_ HANDLE ClientToken, _In_ ULONG DesiredAccess, _In_ PPRIVILEGE_SET Privileges, _In_ BOOLEAN AccessGranted)
Raises an alarm audit message when a caller attempts to access a privileged object.
NTSTATUS NTAPI NtCloseObjectAuditAlarm(_In_ PUNICODE_STRING SubsystemName, _In_ PVOID HandleId, _In_ BOOLEAN GenerateOnClose)
Raises an alarm audit message when an object is about to be closed.
_Must_inspect_result_ NTSTATUS NTAPI SepAccessCheckAndAuditAlarm(_In_ PUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ PHANDLE ClientTokenHandle, _In_ PUNICODE_STRING ObjectTypeName, _In_ PUNICODE_STRING ObjectName, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_opt_ PSID PrincipalSelfSid, _In_ ACCESS_MASK DesiredAccess, _In_ AUDIT_EVENT_TYPE AuditType, _In_ ULONG Flags, _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList, _In_ ULONG ObjectTypeListLength, _In_ PGENERIC_MAPPING GenericMapping, _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccessList, _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatusList, _Out_ PBOOLEAN GenerateOnClose, _In_ BOOLEAN UseResultList)
Performs security auditing, if the specific object can be granted security access or not.
VOID NTAPI SeAuditProcessCreate(_In_ PEPROCESS Process)
Peforms a security auditing against a process that is about to be created.
NTSTATUS NTAPI SeInitializeProcessAuditName(_In_ PFILE_OBJECT FileObject, _In_ BOOLEAN DoAudit, _Out_ POBJECT_NAME_INFORMATION *AuditInfo)
Initializes a process audit name and returns it to the caller.
_Must_inspect_result_ __kernel_entry NTSTATUS NTAPI NtAccessCheckAndAuditAlarm(_In_ PUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ PUNICODE_STRING ObjectTypeName, _In_ PUNICODE_STRING ObjectName, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ ACCESS_MASK DesiredAccess, _In_ PGENERIC_MAPPING GenericMapping, _In_ BOOLEAN ObjectCreation, _Out_ PACCESS_MASK GrantedAccess, _Out_ PNTSTATUS AccessStatus, _Out_ PBOOLEAN GenerateOnClose)
Raises an alarm audit message when a caller attempts to access an object and determine if the access ...
NTSTATUS NTAPI SeCaptureSecurityDescriptor(_In_ PSECURITY_DESCRIPTOR _OriginalSecurityDescriptor, _In_ KPROCESSOR_MODE CurrentMode, _In_ POOL_TYPE PoolType, _In_ BOOLEAN CaptureIfKernel, _Out_ PSECURITY_DESCRIPTOR *CapturedSecurityDescriptor)
Captures a security descriptor.
NTSTATUS NTAPI SeReleaseSecurityDescriptor(_In_ PSECURITY_DESCRIPTOR CapturedSecurityDescriptor, _In_ KPROCESSOR_MODE CurrentMode, _In_ BOOLEAN CaptureIfKernelMode)
Releases a captured security descriptor buffer.
POBJECT_TYPE SeTokenObjectType
#define STATUS_NO_IMPERSONATION_TOKEN
#define STATUS_INVALID_SECURITY_DESCR
#define STATUS_NOT_IMPLEMENTED
#define STATUS_GENERIC_NOT_MAPPED
#define STATUS_BAD_IMPERSONATION_LEVEL
NTSTATUS NTAPI ObQueryNameString(IN PVOID Object, OUT POBJECT_NAME_INFORMATION ObjectNameInfo, IN ULONG Length, OUT PULONG ReturnLength)
NTSTATUS NTAPI ObReferenceObjectByHandle(IN HANDLE Handle, IN ACCESS_MASK DesiredAccess, IN POBJECT_TYPE ObjectType, IN KPROCESSOR_MODE AccessMode, OUT PVOID *Object, OUT POBJECT_HANDLE_INFORMATION HandleInformation OPTIONAL)
NTSTATUS NTAPI PsReferenceProcessFilePointer(IN PEPROCESS Process, OUT PFILE_OBJECT *FileObject)
#define _SEH2_GetExceptionCode()
#define _SEH2_EXCEPT(...)
#define _SEH2_YIELD(__stmt)
static __inline NTSTATUS ProbeAndCaptureUnicodeString(OUT PUNICODE_STRING Dest, IN KPROCESSOR_MODE CurrentMode, IN const UNICODE_STRING *UnsafeSrc)
static __inline VOID ReleaseCapturedUnicodeString(IN PUNICODE_STRING CapturedString, IN KPROCESSOR_MODE CurrentMode)
#define STATUS_BUFFER_TOO_SMALL
#define STATUS_BUFFER_OVERFLOW
SECURITY_IMPERSONATION_LEVEL ImpersonationLevel
PSID_AND_ATTRIBUTES UserAndGroups
VOID NTAPI SeReleaseSubjectContext(_In_ PSECURITY_SUBJECT_CONTEXT SubjectContext)
Releases both the primary and client tokens of a security subject context.
VOID NTAPI SeCaptureSubjectContext(_Out_ PSECURITY_SUBJECT_CONTEXT SubjectContext)
Captures the security subject context of the calling thread and calling process.
#define TAG_PRIVILEGE_SET
#define RTL_CONSTANT_STRING(s)
#define UNIMPLEMENTED_ONCE
#define FIELD_OFFSET(t, f)
#define RtlCopyMemory(Destination, Source, Length)
#define RtlZeroMemory(Destination, Length)
#define STATUS_INVALID_PARAMETER
#define STATUS_INFO_LENGTH_MISMATCH
#define STATUS_INSUFFICIENT_RESOURCES
BOOL Privilege(LPTSTR pszPrivilege, BOOL bEnable)
_Must_inspect_result_ _In_ WDFCOLLECTION _In_ WDFOBJECT Object
_Must_inspect_result_ _In_ WDFDEVICE _In_ ULONG _In_ ACCESS_MASK DesiredAccess
_In_ WDFREQUEST _In_ WDFFILEOBJECT FileObject
_In_ USHORT _In_ ULONG _In_ PSOCKADDR _In_ PSOCKADDR _Reserved_ ULONG _In_opt_ PVOID _In_opt_ const WSK_CLIENT_CONNECTION_DISPATCH _In_opt_ PEPROCESS _In_opt_ PETHREAD _In_opt_ PSECURITY_DESCRIPTOR SecurityDescriptor
_Must_inspect_result_ _In_ ULONG Flags
_In_ PVOID _Out_opt_ PULONG_PTR _Outptr_opt_ PCUNICODE_STRING * ObjectName
_In_ PEPROCESS _In_ KPROCESSOR_MODE AccessMode
#define ObDereferenceObject
_Out_ PBOOLEAN CopyOnOpen
#define PsGetCurrentProcess
_Out_ PBOOLEAN _Out_ PBOOLEAN _Out_ PSECURITY_IMPERSONATION_LEVEL ImpersonationLevel
_In_opt_ PVOID _In_opt_ PUNICODE_STRING AbsoluteObjectName
_In_ PSECURITY_SUBJECT_CONTEXT _In_ BOOLEAN _In_ ACCESS_MASK _In_ ACCESS_MASK _Outptr_opt_ PPRIVILEGE_SET * Privileges
_In_opt_ PVOID _In_opt_ PUNICODE_STRING _In_ PSECURITY_DESCRIPTOR _In_ PACCESS_STATE _In_ BOOLEAN _In_ BOOLEAN _In_ KPROCESSOR_MODE _In_opt_ GUID _Out_ PBOOLEAN GenerateOnClose
_In_opt_ PVOID _In_opt_ PUNICODE_STRING _In_ PSECURITY_DESCRIPTOR _In_ PACCESS_STATE _In_ BOOLEAN ObjectCreated
_In_opt_ PVOID _In_opt_ PUNICODE_STRING _In_ PSECURITY_DESCRIPTOR _In_ PACCESS_STATE _In_ BOOLEAN _In_ BOOLEAN AccessGranted
_In_ PSECURITY_SUBJECT_CONTEXT _In_ BOOLEAN _In_ ACCESS_MASK _In_ ACCESS_MASK _Outptr_opt_ PPRIVILEGE_SET _In_ PGENERIC_MAPPING _In_ KPROCESSOR_MODE _Out_ PACCESS_MASK _Out_ PNTSTATUS AccessStatus
_In_ KPROCESSOR_MODE PreviousMode
_In_opt_ PVOID _In_opt_ PUNICODE_STRING _In_ PSECURITY_DESCRIPTOR _In_ PACCESS_STATE AccessState
_In_ PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext
_In_ PSECURITY_SUBJECT_CONTEXT _In_ BOOLEAN _In_ ACCESS_MASK _In_ ACCESS_MASK _Outptr_opt_ PPRIVILEGE_SET _In_ PGENERIC_MAPPING _In_ KPROCESSOR_MODE _Out_ PACCESS_MASK GrantedAccess
#define AUDIT_ALLOW_NO_PRIVILEGE
@ AuditEventDirectoryServiceAccess
enum _AUDIT_EVENT_TYPE AUDIT_EVENT_TYPE
1.9.6