ReactOS 0.4.15-dev-7788-g1ad9096
audit.c
Go to the documentation of this file.
1/*
2 * PROJECT: ReactOS Kernel
3 * LICENSE: GPL-2.0-or-later (https://spdx.org/licenses/GPL-2.0-or-later)
4 * PURPOSE: Security auditing functions
5 * COPYRIGHT: Copyright Eric Kohl
6 * Copyright Timo Kreuzer <timo.kreuzer@reactos.org>
7 */
8
9/* INCLUDES *******************************************************************/
10
11#include <ntoskrnl.h>
12#define NDEBUG
13#include <debug.h>
14
15#define SEP_PRIVILEGE_SET_MAX_COUNT 60
16
18
19/* PRIVATE FUNCTIONS ***********************************************************/
20
36{
37 /* FIXME */
38 return FALSE;
39}
40
54VOID
58{
59 /* FIXME */
60}
61
75VOID
79{
80 /* FIXME */
81}
82
104NTAPI
107 _In_ BOOLEAN DoAudit,
109{
110 OBJECT_NAME_INFORMATION LocalNameInfo;
111 POBJECT_NAME_INFORMATION ObjectNameInfo = NULL;
114
115 PAGED_CODE();
116 ASSERT(AuditInfo);
117
118 /* Check if we should do auditing */
119 if (DoAudit)
120 {
121 /* FIXME: TODO */
122 }
123
124 /* Now query the name */
126 &LocalNameInfo,
127 sizeof(LocalNameInfo),
128 &ReturnLength);
129 if (((Status == STATUS_BUFFER_OVERFLOW) ||
132 (ReturnLength != sizeof(LocalNameInfo)))
133 {
134 /* Allocate required size */
135 ObjectNameInfo = ExAllocatePoolWithTag(NonPagedPool,
137 TAG_SEPA);
138 if (ObjectNameInfo)
139 {
140 /* Query the name again */
142 ObjectNameInfo,
144 &ReturnLength);
145 }
146 }
147
148 /* Check if we got here due to failure */
149 if ((ObjectNameInfo) &&
150 (!(NT_SUCCESS(Status)) || (ReturnLength == sizeof(LocalNameInfo))))
151 {
152 /* First, free any buffer we might've allocated */
153 ASSERT(FALSE);
154 if (ObjectNameInfo) ExFreePool(ObjectNameInfo);
155
156 /* Now allocate a temporary one */
158 ObjectNameInfo = ExAllocatePoolWithTag(NonPagedPool,
160 TAG_SEPA);
161 if (ObjectNameInfo)
162 {
163 /* Clear it */
164 RtlZeroMemory(ObjectNameInfo, ReturnLength);
166 }
167 }
168
169 /* Check if memory allocation failed */
170 if (!ObjectNameInfo) Status = STATUS_NO_MEMORY;
171
172 /* Return the audit name */
173 *AuditInfo = ObjectNameInfo;
174
175 /* Return status */
176 return Status;
177}
178
198NTAPI
201 _Out_ PUNICODE_STRING *ProcessImageName)
202{
203 POBJECT_NAME_INFORMATION AuditName;
207
208 PAGED_CODE();
209
210 /* Assume failure */
211 *ProcessImageName = NULL;
212
213 /* Check if we have audit info */
214 AuditName = Process->SeAuditProcessCreationInfo.ImageFileName;
215 if (!AuditName)
216 {
217 /* Get the file object */
219 if (!NT_SUCCESS(Status)) return Status;
220
221 /* Initialize the audit structure */
223 if (NT_SUCCESS(Status))
224 {
225 /* Set it */
227 SeAuditProcessCreationInfo.ImageFileName,
228 AuditName,
229 NULL))
230 {
231 /* Someone beat us to it, deallocate our copy */
232 ExFreePool(AuditName);
233 }
234 }
235
236 /* Dereference the file object */
238 if (!NT_SUCCESS(Status)) return Status;
239 }
240
241 /* Get audit info again, now we have it for sure */
242 AuditName = Process->SeAuditProcessCreationInfo.ImageFileName;
243
244 /* Allocate the output string */
246 AuditName->Name.MaximumLength +
247 sizeof(UNICODE_STRING),
248 TAG_SEPA);
249 if (!ImageName) return STATUS_NO_MEMORY;
250
251 /* Make a copy of it */
253 &AuditName->Name,
254 AuditName->Name.MaximumLength + sizeof(UNICODE_STRING));
255
256 /* Fix up the buffer */
257 ImageName->Buffer = (PWSTR)(ImageName + 1);
258
259 /* Return it */
260 *ProcessImageName = ImageName;
261
262 /* Return status */
263 return Status;
264}
265
285VOID
286NTAPI
288 _In_ PUNICODE_STRING SubsystemName,
289 _In_ PVOID HandleId,
290 _In_ PSID Sid)
291{
293}
294
330VOID
331NTAPI
334 _In_opt_ PUNICODE_STRING SubsystemName,
337 _In_ PTOKEN PrimaryToken,
340{
341 DPRINT("SepAdtPrivilegedServiceAuditAlarm is unimplemented\n");
342}
343
367VOID
368NTAPI
372 _In_ PPRIVILEGE_SET PrivilegeSet,
374{
375 PTOKEN EffectiveToken;
376 PSID UserSid;
377 PAGED_CODE();
378
379 /* Get the effective token */
380 if (SubjectContext->ClientToken != NULL)
381 EffectiveToken = SubjectContext->ClientToken;
382 else
383 EffectiveToken = SubjectContext->PrimaryToken;
384
385 /* Get the user SID */
386 UserSid = EffectiveToken->UserAndGroups->Sid;
387
388 /* Check if this is the local system SID */
389 if (RtlEqualSid(UserSid, SeLocalSystemSid))
390 {
391 /* Nothing to do */
392 return;
393 }
394
395 /* Check if this is the network service or local service SID */
398 {
399 // FIXME: should continue for a certain set of privileges
400 return;
401 }
402
403 /* Call the worker function */
407 SubjectContext->ClientToken,
408 SubjectContext->PrimaryToken,
409 PrivilegeSet,
411
412}
413
487static
490 _In_ PUNICODE_STRING SubsystemName,
491 _In_opt_ PVOID HandleId,
496 _In_opt_ PSID PrincipalSelfSid,
498 _In_ AUDIT_EVENT_TYPE AuditType,
499 _In_ BOOLEAN HaveAuditPrivilege,
500 _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST_INTERNAL ObjectTypeList,
501 _In_ ULONG ObjectTypeListLength,
503 _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccessList,
504 _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatusList,
506 _In_ BOOLEAN UseResultList)
507{
508 ULONG ResultListLength, i;
509
510 /* Get the length of the result list */
511 ResultListLength = UseResultList ? ObjectTypeListLength : 1;
512
515
517 for (i = 0; i < ResultListLength; i++)
518 {
519 GrantedAccessList[i] = DesiredAccess;
520 AccessStatusList[i] = STATUS_SUCCESS;
521 }
522
524
525 return STATUS_SUCCESS;
526}
527
613NTAPI
615 _In_ PUNICODE_STRING SubsystemName,
616 _In_opt_ PVOID HandleId,
617 _In_ PHANDLE ClientTokenHandle,
621 _In_opt_ PSID PrincipalSelfSid,
623 _In_ AUDIT_EVENT_TYPE AuditType,
625 _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList,
626 _In_ ULONG ObjectTypeListLength,
628 _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccessList,
629 _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatusList,
631 _In_ BOOLEAN UseResultList)
632{
634 ULONG ResultListLength;
635 GENERIC_MAPPING LocalGenericMapping;
636 PTOKEN SubjectContextToken, ClientToken;
637 BOOLEAN AllocatedResultLists;
638 BOOLEAN HaveAuditPrivilege;
639 PSECURITY_DESCRIPTOR CapturedSecurityDescriptor;
640 UNICODE_STRING CapturedSubsystemName, CapturedObjectTypeName, CapturedObjectName;
641 ACCESS_MASK GrantedAccess, *SafeGrantedAccessList;
642 NTSTATUS AccessStatus, *SafeAccessStatusList;
643 PSID CapturedPrincipalSelfSid;
644 POBJECT_TYPE_LIST_INTERNAL CapturedObjectTypeList;
645 ULONG i;
646 BOOLEAN LocalGenerateOnClose;
648 PAGED_CODE();
649
650 /* Only user mode is supported! */
652
653 /* Start clean */
654 AllocatedResultLists = FALSE;
655 ClientToken = NULL;
656 CapturedSecurityDescriptor = NULL;
657 CapturedSubsystemName.Buffer = NULL;
658 CapturedObjectTypeName.Buffer = NULL;
659 CapturedObjectName.Buffer = NULL;
660 CapturedPrincipalSelfSid = NULL;
661 CapturedObjectTypeList = NULL;
662
663 /* Validate AuditType */
664 if ((AuditType != AuditEventObjectAccess) &&
666 {
667 DPRINT1("Invalid audit type: %u\n", AuditType);
669 }
670
671 /* Capture the security subject context */
673
674 /* Did the caller pass a token handle? */
675 if (ClientTokenHandle == NULL)
676 {
677 /* Check if we have a token in the subject context */
678 if (SubjectContext.ClientToken == NULL)
679 {
681 DPRINT1("No token\n");
682 goto Cleanup;
683 }
684
685 /* Check if we have a valid impersonation level */
686 if (SubjectContext.ImpersonationLevel < SecurityIdentification)
687 {
689 DPRINT1("Invalid impersonation level 0x%lx\n",
690 SubjectContext.ImpersonationLevel);
691 goto Cleanup;
692 }
693 }
694
695 /* Are we using a result list? */
696 if (UseResultList)
697 {
698 /* The list length equals the object type list length */
699 ResultListLength = ObjectTypeListLength;
700 if ((ResultListLength == 0) || (ResultListLength > 0x1000))
701 {
703 DPRINT1("Invalid ResultListLength: 0x%lx\n", ResultListLength);
704 goto Cleanup;
705 }
706
707 /* Allocate a safe buffer from paged pool */
708 SafeGrantedAccessList = ExAllocatePoolWithTag(PagedPool,
709 2 * ResultListLength * sizeof(ULONG),
710 TAG_SEPA);
711 if (SafeGrantedAccessList == NULL)
712 {
714 DPRINT1("Failed to allocate access lists\n");
715 goto Cleanup;
716 }
717
718 SafeAccessStatusList = (PNTSTATUS)&SafeGrantedAccessList[ResultListLength];
719 AllocatedResultLists = TRUE;
720 }
721 else
722 {
723 /* List length is 1 */
724 ResultListLength = 1;
725 SafeGrantedAccessList = &GrantedAccess;
726 SafeAccessStatusList = &AccessStatus;
727 }
728
730 {
731 /* Probe output buffers */
732 ProbeForWrite(AccessStatusList,
733 ResultListLength * sizeof(*AccessStatusList),
734 sizeof(*AccessStatusList));
735 ProbeForWrite(GrantedAccessList,
736 ResultListLength * sizeof(*GrantedAccessList),
737 sizeof(*GrantedAccessList));
738
739 /* Probe generic mapping and make a local copy */
741 LocalGenericMapping = * GenericMapping;
742 }
744 {
746 DPRINT1("Exception while probing parameters: 0x%lx\n", Status);
747 _SEH2_YIELD(goto Cleanup);
748 }
749 _SEH2_END;
750
751 /* Do we have a client token? */
752 if (ClientTokenHandle != NULL)
753 {
754 /* Reference the client token */
755 Status = ObReferenceObjectByHandle(*ClientTokenHandle,
758 UserMode,
759 (PVOID*)&ClientToken,
760 NULL);
761 if (!NT_SUCCESS(Status))
762 {
763 DPRINT1("Failed to reference token handle %p: %lx\n",
764 *ClientTokenHandle, Status);
765 goto Cleanup;
766 }
767
768 SubjectContextToken = SubjectContext.ClientToken;
769 SubjectContext.ClientToken = ClientToken;
770 }
771
772 /* Check for audit privilege */
773 HaveAuditPrivilege = SeCheckAuditPrivilege(&SubjectContext, UserMode);
774 if (!HaveAuditPrivilege && !(Flags & AUDIT_ALLOW_NO_PRIVILEGE))
775 {
776 DPRINT1("Caller does not have SeAuditPrivilege\n");
778 goto Cleanup;
779 }
780
781 /* Generic access must already be mapped to non-generic access types! */
783 {
784 DPRINT1("Generic access rights requested: 0x%lx\n", DesiredAccess);
786 goto Cleanup;
787 }
788
789 /* Capture the security descriptor */
791 UserMode,
792 PagedPool,
793 FALSE,
794 &CapturedSecurityDescriptor);
795 if (!NT_SUCCESS(Status))
796 {
797 DPRINT1("Failed to capture security descriptor!\n");
798 goto Cleanup;
799 }
800
801 /* Validate the Security descriptor */
802 if ((SepGetOwnerFromDescriptor(CapturedSecurityDescriptor) == NULL) ||
803 (SepGetGroupFromDescriptor(CapturedSecurityDescriptor) == NULL))
804 {
806 DPRINT1("Invalid security descriptor\n");
807 goto Cleanup;
808 }
809
810 /* Probe and capture the subsystem name */
811 Status = ProbeAndCaptureUnicodeString(&CapturedSubsystemName,
812 UserMode,
813 SubsystemName);
814 if (!NT_SUCCESS(Status))
815 {
816 DPRINT1("Failed to capture subsystem name!\n");
817 goto Cleanup;
818 }
819
820 /* Probe and capture the object type name */
821 Status = ProbeAndCaptureUnicodeString(&CapturedObjectTypeName,
822 UserMode,
824 if (!NT_SUCCESS(Status))
825 {
826 DPRINT1("Failed to capture object type name!\n");
827 goto Cleanup;
828 }
829
830 /* Probe and capture the object name */
831 Status = ProbeAndCaptureUnicodeString(&CapturedObjectName,
832 UserMode,
833 ObjectName);
834 if (!NT_SUCCESS(Status))
835 {
836 DPRINT1("Failed to capture object name!\n");
837 goto Cleanup;
838 }
839
840 /* Check if we have a PrincipalSelfSid */
841 if (PrincipalSelfSid != NULL)
842 {
843 /* Capture it */
844 Status = SepCaptureSid(PrincipalSelfSid,
845 UserMode,
846 PagedPool,
847 FALSE,
848 &CapturedPrincipalSelfSid);
849 if (!NT_SUCCESS(Status))
850 {
851 DPRINT1("Failed to capture PrincipalSelfSid!\n");
852 goto Cleanup;
853 }
854 }
855
856 /* Capture the object type list */
857 Status = SeCaptureObjectTypeList(ObjectTypeList,
858 ObjectTypeListLength,
859 UserMode,
860 &CapturedObjectTypeList);
861 if (!NT_SUCCESS(Status))
862 {
863 DPRINT1("Failed to capture object type list!\n");
864 goto Cleanup;
865 }
866
867 /* Call the worker routine with the captured buffers */
868 Status = SepAccessCheckAndAuditAlarmWorker(&CapturedSubsystemName,
869 HandleId,
871 &CapturedObjectTypeName,
872 &CapturedObjectName,
873 CapturedSecurityDescriptor,
874 CapturedPrincipalSelfSid,
876 AuditType,
877 HaveAuditPrivilege,
878 CapturedObjectTypeList,
879 ObjectTypeListLength,
880 &LocalGenericMapping,
881 SafeGrantedAccessList,
882 SafeAccessStatusList,
883 &LocalGenerateOnClose,
884 UseResultList);
885 if (!NT_SUCCESS(Status))
886 goto Cleanup;
887
888 /* Enter SEH to copy the data back to user mode */
890 {
891 /* Loop all result entries (only 1 when no list was requested) */
892 ASSERT(UseResultList || (ResultListLength == 1));
893 for (i = 0; i < ResultListLength; i++)
894 {
895 AccessStatusList[i] = SafeAccessStatusList[i];
896 GrantedAccessList[i] = SafeGrantedAccessList[i];
897 }
898
899 *GenerateOnClose = LocalGenerateOnClose;
900 }
902 {
904 DPRINT1("Exception while copying back data: 0x%lx\n", Status);
905 }
906 _SEH2_END;
907
908Cleanup:
909
910 if (CapturedObjectTypeList != NULL)
911 SeReleaseObjectTypeList(CapturedObjectTypeList, UserMode);
912
913 if (CapturedPrincipalSelfSid != NULL)
914 SepReleaseSid(CapturedPrincipalSelfSid, UserMode, FALSE);
915
916 if (CapturedObjectName.Buffer != NULL)
917 ReleaseCapturedUnicodeString(&CapturedObjectName, UserMode);
918
919 if (CapturedObjectTypeName.Buffer != NULL)
920 ReleaseCapturedUnicodeString(&CapturedObjectTypeName, UserMode);
921
922 if (CapturedSubsystemName.Buffer != NULL)
923 ReleaseCapturedUnicodeString(&CapturedSubsystemName, UserMode);
924
925 if (CapturedSecurityDescriptor != NULL)
926 SeReleaseSecurityDescriptor(CapturedSecurityDescriptor, UserMode, FALSE);
927
928 if (ClientToken != NULL)
929 {
930 ObDereferenceObject(ClientToken);
931 SubjectContext.ClientToken = SubjectContextToken;
932 }
933
934 if (AllocatedResultLists)
935 ExFreePoolWithTag(SafeGrantedAccessList, TAG_SEPA);
936
937 /* Release the security subject context */
939
940 return Status;
941}
942
943
944/* PUBLIC FUNCTIONS ***********************************************************/
945
965VOID
966NTAPI
969 _In_ PUNICODE_STRING LinkName,
971{
973}
974
992NTAPI
996{
998 return FALSE;
999}
1000
1021BOOLEAN
1022NTAPI
1027{
1029 return FALSE;
1030}
1031
1048BOOLEAN
1049NTAPI
1053{
1055 return FALSE;
1056}
1057
1078BOOLEAN
1079NTAPI
1084{
1086 return FALSE;
1087}
1088
1109BOOLEAN
1110NTAPI
1115{
1117 return FALSE;
1118}
1119
1138VOID
1139NTAPI
1143 _In_ BOOLEAN PerformAction)
1144{
1146}
1147
1162VOID NTAPI
1166{
1168}
1169
1211VOID
1212NTAPI
1223{
1224 PAGED_CODE();
1225
1226 /* Audits aren't done on kernel-mode access */
1227 if (AccessMode == KernelMode) return;
1228
1229 /* Otherwise, unimplemented! */
1230 //UNIMPLEMENTED;
1231 return;
1232}
1233
1275VOID NTAPI
1286{
1288}
1289
1319VOID
1320NTAPI
1327 _In_ KPROCESSOR_MODE CurrentMode)
1328{
1330}
1331
1332/* SYSTEM CALLS ***************************************************************/
1333
1357NTAPI
1359 _In_ PUNICODE_STRING SubsystemName,
1360 _In_ PVOID HandleId,
1362{
1364 UNICODE_STRING CapturedSubsystemName;
1366 BOOLEAN UseImpersonationToken;
1367 PETHREAD CurrentThread;
1371 PTOKEN Token;
1372 PAGED_CODE();
1373
1374 /* Get the previous mode (only user mode is supported!) */
1377
1378 /* Do we even need to do anything? */
1379 if (!GenerateOnClose)
1380 {
1381 /* Nothing to do, return success */
1382 return STATUS_SUCCESS;
1383 }
1384
1385 /* Capture the security subject context */
1387
1388 /* Check for audit privilege */
1390 {
1391 DPRINT1("Caller does not have SeAuditPrivilege\n");
1393 goto Cleanup;
1394 }
1395
1396 /* Probe and capture the subsystem name */
1397 Status = ProbeAndCaptureUnicodeString(&CapturedSubsystemName,
1399 SubsystemName);
1400 if (!NT_SUCCESS(Status))
1401 {
1402 DPRINT1("Failed to capture subsystem name!\n");
1403 goto Cleanup;
1404 }
1405
1406 /* Get the current thread and check if it's impersonating */
1407 CurrentThread = PsGetCurrentThread();
1408 if (PsIsThreadImpersonating(CurrentThread))
1409 {
1410 /* Get the impersonation token */
1411 Token = PsReferenceImpersonationToken(CurrentThread,
1412 &CopyOnOpen,
1415 UseImpersonationToken = TRUE;
1416 }
1417 else
1418 {
1419 /* Get the primary token */
1421 UseImpersonationToken = FALSE;
1422 }
1423
1424 /* Call the internal function */
1425 SepAdtCloseObjectAuditAlarm(&CapturedSubsystemName,
1426 HandleId,
1427 Token->UserAndGroups->Sid);
1428
1429 /* Release the captured subsystem name */
1430 ReleaseCapturedUnicodeString(&CapturedSubsystemName, PreviousMode);
1431
1432 /* Check what token we used */
1433 if (UseImpersonationToken)
1434 {
1435 /* Release impersonation token */
1437 }
1438 else
1439 {
1440 /* Release primary token */
1442 }
1443
1445
1446Cleanup:
1447
1448 /* Release the security subject context */
1450
1451 return Status;
1452}
1453
1476 _In_ PUNICODE_STRING SubsystemName,
1477 _In_ PVOID HandleId,
1479{
1482}
1483
1533VOID
1534NTAPI
1537 _In_ PUNICODE_STRING SubsystemName,
1538 _In_opt_ PVOID HandleId,
1542 _In_ PTOKEN ClientToken,
1546 _In_ BOOLEAN ObjectCreation,
1549{
1551 DBG_UNREFERENCED_PARAMETER(SubsystemName);
1556 DBG_UNREFERENCED_PARAMETER(ClientToken);
1560 DBG_UNREFERENCED_PARAMETER(ObjectCreation);
1564}
1565
1621NTAPI
1623 _In_ PUNICODE_STRING SubsystemName,
1624 _In_opt_ PVOID HandleId,
1628 _In_ HANDLE ClientTokenHandle,
1631 _In_opt_ PPRIVILEGE_SET PrivilegeSet,
1632 _In_ BOOLEAN ObjectCreation,
1635{
1636 PTOKEN ClientToken;
1637 PSECURITY_DESCRIPTOR CapturedSecurityDescriptor;
1638 UNICODE_STRING CapturedSubsystemName, CapturedObjectTypeName, CapturedObjectName;
1639 ULONG PrivilegeCount, PrivilegeSetSize;
1640 volatile PPRIVILEGE_SET CapturedPrivilegeSet;
1641 BOOLEAN LocalGenerateOnClose;
1642 PVOID CapturedHandleId;
1645 PAGED_CODE();
1646
1647 /* Only user mode is supported! */
1649
1650 /* Start clean */
1651 ClientToken = NULL;
1652 CapturedSecurityDescriptor = NULL;
1653 CapturedPrivilegeSet = NULL;
1654 CapturedSubsystemName.Buffer = NULL;
1655 CapturedObjectTypeName.Buffer = NULL;
1656 CapturedObjectName.Buffer = NULL;
1657
1658 /* Reference the client token */
1659 Status = ObReferenceObjectByHandle(ClientTokenHandle,
1662 UserMode,
1663 (PVOID*)&ClientToken,
1664 NULL);
1665 if (!NT_SUCCESS(Status))
1666 {
1667 DPRINT1("Failed to reference token handle %p: %lx\n",
1668 ClientTokenHandle, Status);
1669 return Status;
1670 }
1671
1672 /* Capture the security subject context */
1674
1675 /* Validate the token's impersonation level */
1676 if ((ClientToken->TokenType == TokenImpersonation) &&
1678 {
1679 DPRINT1("Invalid impersonation level (%u)\n", ClientToken->ImpersonationLevel);
1681 goto Cleanup;
1682 }
1683
1684 /* Check for audit privilege */
1686 {
1687 DPRINT1("Caller does not have SeAuditPrivilege\n");
1689 goto Cleanup;
1690 }
1691
1692 /* Check for NULL SecurityDescriptor */
1693 if (SecurityDescriptor == NULL)
1694 {
1695 /* Nothing to do */
1697 goto Cleanup;
1698 }
1699
1700 /* Capture the security descriptor */
1702 UserMode,
1703 PagedPool,
1704 FALSE,
1705 &CapturedSecurityDescriptor);
1706 if (!NT_SUCCESS(Status))
1707 {
1708 DPRINT1("Failed to capture security descriptor!\n");
1709 goto Cleanup;
1710 }
1711
1712 _SEH2_TRY
1713 {
1714 /* Check if we have a privilege set */
1715 if (PrivilegeSet != NULL)
1716 {
1717 /* Probe the basic privilege set structure */
1718 ProbeForRead(PrivilegeSet, sizeof(PRIVILEGE_SET), sizeof(ULONG));
1719
1720 /* Validate privilege count */
1721 PrivilegeCount = PrivilegeSet->PrivilegeCount;
1722 if (PrivilegeCount > SEP_PRIVILEGE_SET_MAX_COUNT)
1723 {
1725 _SEH2_YIELD(goto Cleanup);
1726 }
1727
1728 /* Calculate the size of the PrivilegeSet structure */
1729 PrivilegeSetSize = FIELD_OFFSET(PRIVILEGE_SET, Privilege[PrivilegeCount]);
1730
1731 /* Probe the whole structure */
1732 ProbeForRead(PrivilegeSet, PrivilegeSetSize, sizeof(ULONG));
1733
1734 /* Allocate a temp buffer */
1735 CapturedPrivilegeSet = ExAllocatePoolWithTag(PagedPool,
1736 PrivilegeSetSize,
1738 if (CapturedPrivilegeSet == NULL)
1739 {
1740 DPRINT1("Failed to allocate %u bytes\n", PrivilegeSetSize);
1742 _SEH2_YIELD(goto Cleanup);
1743 }
1744
1745 /* Copy the privileges */
1746 RtlCopyMemory(CapturedPrivilegeSet, PrivilegeSet, PrivilegeSetSize);
1747 }
1748
1749 if (HandleId != NULL)
1750 {
1751 ProbeForRead(HandleId, sizeof(PVOID), sizeof(PVOID));
1752 CapturedHandleId = *(PVOID*)HandleId;
1753 }
1754
1755 ProbeForWrite(GenerateOnClose, sizeof(BOOLEAN), sizeof(BOOLEAN));
1756 }
1758 {
1760 DPRINT1("Exception while probing parameters: 0x%lx\n", Status);
1761 _SEH2_YIELD(goto Cleanup);
1762 }
1763 _SEH2_END;
1764
1765 /* Probe and capture the subsystem name */
1766 Status = ProbeAndCaptureUnicodeString(&CapturedSubsystemName,
1767 UserMode,
1768 SubsystemName);
1769 if (!NT_SUCCESS(Status))
1770 {
1771 DPRINT1("Failed to capture subsystem name!\n");
1772 goto Cleanup;
1773 }
1774
1775 /* Probe and capture the object type name */
1776 Status = ProbeAndCaptureUnicodeString(&CapturedObjectTypeName,
1777 UserMode,
1779 if (!NT_SUCCESS(Status))
1780 {
1781 DPRINT1("Failed to capture object type name!\n");
1782 goto Cleanup;
1783 }
1784
1785 /* Probe and capture the object name */
1786 Status = ProbeAndCaptureUnicodeString(&CapturedObjectName,
1787 UserMode,
1788 ObjectName);
1789 if (!NT_SUCCESS(Status))
1790 {
1791 DPRINT1("Failed to capture object name!\n");
1792 goto Cleanup;
1793 }
1794
1795 /* Call the internal function */
1797 &CapturedSubsystemName,
1798 CapturedHandleId,
1799 &CapturedObjectTypeName,
1800 &CapturedObjectName,
1801 CapturedSecurityDescriptor,
1802 ClientToken,
1805 CapturedPrivilegeSet,
1806 ObjectCreation,
1808 &LocalGenerateOnClose);
1809
1811
1812 /* Enter SEH to copy the data back to user mode */
1813 _SEH2_TRY
1814 {
1815 *GenerateOnClose = LocalGenerateOnClose;
1816 }
1818 {
1820 DPRINT1("Exception while copying back data: 0x%lx\n", Status);
1821 }
1822 _SEH2_END;
1823
1824Cleanup:
1825
1826 if (CapturedObjectName.Buffer != NULL)
1827 ReleaseCapturedUnicodeString(&CapturedObjectName, UserMode);
1828
1829 if (CapturedObjectTypeName.Buffer != NULL)
1830 ReleaseCapturedUnicodeString(&CapturedObjectTypeName, UserMode);
1831
1832 if (CapturedSubsystemName.Buffer != NULL)
1833 ReleaseCapturedUnicodeString(&CapturedSubsystemName, UserMode);
1834
1835 if (CapturedSecurityDescriptor != NULL)
1836 SeReleaseSecurityDescriptor(CapturedSecurityDescriptor, UserMode, FALSE);
1837
1838 if (CapturedPrivilegeSet != NULL)
1839 ExFreePoolWithTag(CapturedPrivilegeSet, TAG_PRIVILEGE_SET);
1840
1841 /* Release the security subject context */
1843
1844 ObDereferenceObject(ClientToken);
1845
1846 return Status;
1847}
1848
1882NTAPI
1884 _In_opt_ PUNICODE_STRING SubsystemName,
1886 _In_ HANDLE ClientTokenHandle,
1889{
1891 PTOKEN ClientToken;
1892 volatile PPRIVILEGE_SET CapturedPrivileges = NULL;
1893 UNICODE_STRING CapturedSubsystemName;
1894 UNICODE_STRING CapturedServiceName;
1895 ULONG PrivilegeCount, PrivilegesSize;
1898 PAGED_CODE();
1899
1900 /* Get the previous mode (only user mode is supported!) */
1903
1904 CapturedSubsystemName.Buffer = NULL;
1905 CapturedServiceName.Buffer = NULL;
1906
1907 /* Reference the client token */
1908 Status = ObReferenceObjectByHandle(ClientTokenHandle,
1912 (PVOID*)&ClientToken,
1913 NULL);
1914 if (!NT_SUCCESS(Status))
1915 {
1916 DPRINT1("Failed to reference client token: 0x%lx\n", Status);
1917 return Status;
1918 }
1919
1920 /* Validate the token's impersonation level */
1921 if ((ClientToken->TokenType == TokenImpersonation) &&
1923 {
1924 DPRINT1("Invalid impersonation level (%u)\n", ClientToken->ImpersonationLevel);
1925 ObDereferenceObject(ClientToken);
1927 }
1928
1929 /* Capture the security subject context */
1931
1932 /* Check for audit privilege */
1934 {
1935 DPRINT1("Caller does not have SeAuditPrivilege\n");
1937 goto Cleanup;
1938 }
1939
1940 /* Do we have a subsystem name? */
1941 if (SubsystemName != NULL)
1942 {
1943 /* Probe and capture the subsystem name */
1944 Status = ProbeAndCaptureUnicodeString(&CapturedSubsystemName,
1946 SubsystemName);
1947 if (!NT_SUCCESS(Status))
1948 {
1949 DPRINT1("Failed to capture subsystem name!\n");
1950 goto Cleanup;
1951 }
1952 }
1953
1954 /* Do we have a service name? */
1955 if (ServiceName != NULL)
1956 {
1957 /* Probe and capture the service name */
1958 Status = ProbeAndCaptureUnicodeString(&CapturedServiceName,
1960 ServiceName);
1961 if (!NT_SUCCESS(Status))
1962 {
1963 DPRINT1("Failed to capture service name!\n");
1964 goto Cleanup;
1965 }
1966 }
1967
1968 _SEH2_TRY
1969 {
1970 /* Probe the basic privilege set structure */
1971 ProbeForRead(Privileges, sizeof(PRIVILEGE_SET), sizeof(ULONG));
1972
1973 /* Validate privilege count */
1974 PrivilegeCount = Privileges->PrivilegeCount;
1975 if (PrivilegeCount > SEP_PRIVILEGE_SET_MAX_COUNT)
1976 {
1978 _SEH2_YIELD(goto Cleanup);
1979 }
1980
1981 /* Calculate the size of the Privileges structure */
1982 PrivilegesSize = FIELD_OFFSET(PRIVILEGE_SET, Privilege[PrivilegeCount]);
1983
1984 /* Probe the whole structure */
1985 ProbeForRead(Privileges, PrivilegesSize, sizeof(ULONG));
1986
1987 /* Allocate a temp buffer */
1988 CapturedPrivileges = ExAllocatePoolWithTag(PagedPool,
1989 PrivilegesSize,
1991 if (CapturedPrivileges == NULL)
1992 {
1993 DPRINT1("Failed to allocate %u bytes\n", PrivilegesSize);
1995 _SEH2_YIELD(goto Cleanup);
1996 }
1997
1998 /* Copy the privileges */
1999 RtlCopyMemory(CapturedPrivileges, Privileges, PrivilegesSize);
2000 }
2002 {
2004 DPRINT1("Got exception 0x%lx\n", Status);
2005 _SEH2_YIELD(goto Cleanup);
2006 }
2007 _SEH2_END;
2008
2009 /* Call the internal function */
2011 SubsystemName ? &CapturedSubsystemName : NULL,
2012 ServiceName ? &CapturedServiceName : NULL,
2013 ClientToken,
2014 SubjectContext.PrimaryToken,
2015 CapturedPrivileges,
2017
2019
2020Cleanup:
2021 /* Cleanup resources */
2022 if (CapturedSubsystemName.Buffer != NULL)
2023 ReleaseCapturedUnicodeString(&CapturedSubsystemName, PreviousMode);
2024
2025 if (CapturedServiceName.Buffer != NULL)
2026 ReleaseCapturedUnicodeString(&CapturedServiceName, PreviousMode);
2027
2028 if (CapturedPrivileges != NULL)
2029 ExFreePoolWithTag(CapturedPrivileges, TAG_PRIVILEGE_SET);
2030
2031 /* Release the security subject context */
2033
2034 ObDereferenceObject(ClientToken);
2035
2036 return Status;
2037}
2038
2067 _In_ PUNICODE_STRING SubsystemName,
2068 _In_ PVOID HandleId,
2069 _In_ HANDLE ClientToken,
2073{
2076}
2077
2124NTAPI
2126 _In_ PUNICODE_STRING SubsystemName,
2127 _In_opt_ PVOID HandleId,
2133 _In_ BOOLEAN ObjectCreation,
2137{
2138 /* Call the internal function */
2139 return SepAccessCheckAndAuditAlarm(SubsystemName,
2140 HandleId,
2141 NULL,
2143 ObjectName,
2145 NULL,
2148 0,
2149 NULL,
2150 0,
2155 FALSE);
2156}
2157
2221NTAPI
2223 _In_ PUNICODE_STRING SubsystemName,
2224 _In_opt_ PVOID HandleId,
2228 _In_opt_ PSID PrincipalSelfSid,
2230 _In_ AUDIT_EVENT_TYPE AuditType,
2232 _In_reads_opt_(ObjectTypeLength) POBJECT_TYPE_LIST ObjectTypeList,
2233 _In_ ULONG ObjectTypeLength,
2235 _In_ BOOLEAN ObjectCreation,
2239{
2240 /* Call the internal function */
2241 return SepAccessCheckAndAuditAlarm(SubsystemName,
2242 HandleId,
2243 NULL,
2245 ObjectName,
2247 PrincipalSelfSid,
2249 AuditType,
2250 Flags,
2251 ObjectTypeList,
2252 ObjectTypeLength,
2257 FALSE);
2258}
2259
2323NTAPI
2325 _In_ PUNICODE_STRING SubsystemName,
2326 _In_opt_ PVOID HandleId,
2330 _In_opt_ PSID PrincipalSelfSid,
2332 _In_ AUDIT_EVENT_TYPE AuditType,
2334 _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList,
2335 _In_ ULONG ObjectTypeListLength,
2337 _In_ BOOLEAN ObjectCreation,
2338 _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccessList,
2339 _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatusList,
2341{
2342 /* Call the internal function */
2343 return SepAccessCheckAndAuditAlarm(SubsystemName,
2344 HandleId,
2345 NULL,
2347 ObjectName,
2349 PrincipalSelfSid,
2351 AuditType,
2352 Flags,
2353 ObjectTypeList,
2354 ObjectTypeListLength,
2356 GrantedAccessList,
2357 AccessStatusList,
2359 TRUE);
2360}
2361
2429NTAPI
2431 _In_ PUNICODE_STRING SubsystemName,
2432 _In_opt_ PVOID HandleId,
2433 _In_ HANDLE ClientToken,
2437 _In_opt_ PSID PrincipalSelfSid,
2439 _In_ AUDIT_EVENT_TYPE AuditType,
2441 _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList,
2442 _In_ ULONG ObjectTypeListLength,
2444 _In_ BOOLEAN ObjectCreation,
2445 _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccessList,
2446 _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatusList,
2448{
2449 UNREFERENCED_PARAMETER(ObjectCreation);
2450
2451 /* Call the internal function */
2452 return SepAccessCheckAndAuditAlarm(SubsystemName,
2453 HandleId,
2454 &ClientToken,
2456 ObjectName,
2458 PrincipalSelfSid,
2460 AuditType,
2461 Flags,
2462 ObjectTypeList,
2463 ObjectTypeListLength,
2465 GrantedAccessList,
2466 AccessStatusList,
2468 TRUE);
2469}
2470
2471/* EOF */
#define PAGED_CODE()
#define STATUS_PRIVILEGE_NOT_HELD
Definition: DriverTester.h:9
unsigned char BOOLEAN
static GENERIC_MAPPING GenericMapping
Definition: SeInheritance.c:11
LONG NTSTATUS
Definition: precomp.h:26
#define DPRINT1
Definition: precomp.h:8
static WCHAR ServiceName[]
Definition: browser.c:19
#define UNIMPLEMENTED
Definition: debug.h:115
#define NULL
Definition: types.h:112
#define TRUE
Definition: types.h:120
#define FALSE
Definition: types.h:117
#define NT_SUCCESS(StatCode)
Definition: apphelp.c:32
#define GENERIC_READ
Definition: compat.h:135
static const WCHAR Cleanup[]
Definition: register.c:80
static BOOLEAN bSuccess
Definition: drive.cpp:433
IN CINT OUT PVOID IN ULONG OUT PULONG ReturnLength
Definition: dumpinfo.c:43
#define ExAllocatePoolWithTag(hernya, size, tag)
Definition: env_spec_w32.h:350
#define PsGetCurrentThread()
Definition: env_spec_w32.h:81
#define ExFreePool(addr)
Definition: env_spec_w32.h:352
#define NonPagedPool
Definition: env_spec_w32.h:307
#define PagedPool
Definition: env_spec_w32.h:308
#define ExGetPreviousMode
Definition: ex.h:140
VOID NTAPI ProbeForRead(IN CONST VOID *Address, IN SIZE_T Length, IN ULONG Alignment)
Definition: exintrin.c:102
VOID NTAPI ProbeForWrite(IN PVOID Address, IN SIZE_T Length, IN ULONG Alignment)
Definition: exintrin.c:143
#define _SEH2_END
Definition: filesup.c:22
#define _SEH2_TRY
Definition: filesup.c:19
_Inout_ PLIST_ENTRY _In_ PVOID _In_ PSTRING _In_ BOOLEAN _In_ BOOLEAN _In_ ULONG _In_ PFLT_CALLBACK_DATA _In_opt_ PCHECK_FOR_TRAVERSE_ACCESS _In_opt_ PSECURITY_SUBJECT_CONTEXT SubjectContext
Definition: fltkernel.h:2246
_Must_inspect_result_ _In_ PLARGE_INTEGER _In_ PLARGE_INTEGER _In_ ULONG _In_ PFILE_OBJECT _In_ PVOID Process
Definition: fsrtlfuncs.h:223
ULONG Handle
Definition: gdb_input.c:15
Status
Definition: gdiplustypes.h:25
GLsizei GLenum const GLvoid GLsizei GLenum GLbyte GLbyte GLbyte GLdouble GLdouble GLdouble GLfloat GLfloat GLfloat GLint GLint GLint GLshort GLshort GLshort GLubyte GLubyte GLubyte GLuint GLuint GLuint GLushort GLushort GLushort GLbyte GLbyte GLbyte GLbyte GLdouble GLdouble GLdouble GLdouble GLfloat GLfloat GLfloat GLfloat GLint GLint GLint GLint GLshort GLshort GLshort GLshort GLubyte GLubyte GLubyte GLubyte GLuint GLuint GLuint GLuint GLushort GLushort GLushort GLushort GLboolean const GLdouble const GLfloat const GLint const GLshort const GLbyte const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLdouble const GLfloat const GLfloat const GLint const GLint const GLshort const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort GLenum GLenum GLenum GLfloat GLenum GLint GLenum GLenum GLenum GLfloat GLenum GLenum GLint GLenum GLfloat GLenum GLint GLint GLushort GLenum GLenum GLfloat GLenum GLenum GLint GLfloat const GLubyte GLenum GLenum GLenum const GLfloat GLenum GLenum const GLint GLenum GLint GLint GLsizei GLsizei GLint GLenum GLenum const GLvoid GLenum GLenum const GLfloat GLenum GLenum const GLint GLenum GLenum const GLdouble GLenum GLenum const GLfloat GLenum GLenum const GLint GLsizei GLuint GLfloat GLuint GLbitfield GLfloat GLint GLuint GLboolean GLenum GLfloat GLenum GLbitfield GLenum GLfloat GLfloat GLint GLint const GLfloat GLenum GLfloat GLfloat GLint GLint GLfloat GLfloat GLint GLint const GLfloat GLint GLfloat GLfloat GLint GLfloat GLfloat GLint GLfloat GLfloat const GLdouble const GLfloat const GLdouble const GLfloat GLint i
Definition: glfuncs.h:248
#define EXCEPTION_EXECUTE_HANDLER
Definition: excpt.h:85
#define InterlockedCompareExchangePointer
Definition: interlocked.h:129
enum _SECURITY_IMPERSONATION_LEVEL SECURITY_IMPERSONATION_LEVEL
@ SecurityIdentification
Definition: lsa.idl:56
#define ASSERT(a)
Definition: mode.c:44
#define ExFreePoolWithTag(_P, _T)
Definition: module.h:1109
@ TokenImpersonation
Definition: imports.h:274
#define PsDereferencePrimaryToken(T)
Definition: imports.h:301
#define PsDereferenceImpersonationToken(T)
Definition: imports.h:298
* PNTSTATUS
Definition: strlen.c:14
static POBJECTS_AND_NAME_A SE_OBJECT_TYPE LPSTR ObjectTypeName
Definition: security.c:79
static const char * ImageName
Definition: image.c:34
#define _Out_writes_(size)
Definition: ms_sal.h:348
#define _Must_inspect_result_
Definition: ms_sal.h:558
#define _Out_
Definition: ms_sal.h:345
#define _In_reads_opt_(size)
Definition: ms_sal.h:320
#define _In_
Definition: ms_sal.h:308
#define _In_opt_
Definition: ms_sal.h:309
#define KernelMode
Definition: asm.h:34
#define UserMode
Definition: asm.h:35
_In_ ULONG _In_ ACCESS_MASK _In_ PSID Sid
Definition: rtlfuncs.h:1133
NTSYSAPI BOOLEAN NTAPI RtlEqualSid(_In_ PSID Sid1, _In_ PSID Sid2)
_In_ ACCESS_MASK _In_opt_ POBJECT_ATTRIBUTES _In_ BOOLEAN EffectiveOnly
Definition: sefuncs.h:410
ULONG ACCESS_MASK
Definition: nt_native.h:40
ACCESS_MASK * PACCESS_MASK
Definition: nt_native.h:41
struct _OBJECT_NAME_INFORMATION OBJECT_NAME_INFORMATION
#define GENERIC_ALL
Definition: nt_native.h:92
#define GENERIC_WRITE
Definition: nt_native.h:90
#define GENERIC_EXECUTE
Definition: nt_native.h:91
#define DBG_UNREFERENCED_PARAMETER(P)
Definition: ntbasedef.h:318
#define UNREFERENCED_PARAMETER(P)
Definition: ntbasedef.h:317
PSID SeLocalSystemSid
Definition: sid.c:38
VOID NTAPI SepReleaseSid(_In_ PSID CapturedSid, _In_ KPROCESSOR_MODE AccessMode, _In_ BOOLEAN CaptureIfKernel)
Releases a captured SID.
Definition: sid.c:400
NTSTATUS NTAPI SepCaptureSid(_In_ PSID InputSid, _In_ KPROCESSOR_MODE AccessMode, _In_ POOL_TYPE PoolType, _In_ BOOLEAN CaptureIfKernel, _Out_ PSID *CapturedSid)
Captures a SID.
Definition: sid.c:314
VOID SeReleaseObjectTypeList(_In_ _Post_invalid_ POBJECT_TYPE_LIST_INTERNAL CapturedObjectTypeList, _In_ KPROCESSOR_MODE PreviousMode)
Releases a buffer list of object types.
Definition: objtype.c:378
NTSTATUS SeCaptureObjectTypeList(_In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList, _In_ ULONG ObjectTypeListLength, _In_ KPROCESSOR_MODE PreviousMode, _Out_ POBJECT_TYPE_LIST_INTERNAL *CapturedObjectTypeList)
Captures a list of object types and converts it to an internal form for use by the kernel....
Definition: objtype.c:282
FORCEINLINE PSID SepGetOwnerFromDescriptor(_Inout_ PSECURITY_DESCRIPTOR _Descriptor)
Definition: se.h:109
BOOLEAN NTAPI SeCheckAuditPrivilege(_In_ PSECURITY_SUBJECT_CONTEXT SubjectContext, _In_ KPROCESSOR_MODE PreviousMode)
Checks a single privilege and performs an audit against a privileged service based on a security subj...
Definition: priv.c:360
FORCEINLINE PSID SepGetGroupFromDescriptor(_Inout_ PSECURITY_DESCRIPTOR _Descriptor)
Definition: se.h:89
PACCESS_TOKEN NTAPI PsReferencePrimaryToken(PEPROCESS Process)
Definition: security.c:440
PACCESS_TOKEN NTAPI PsReferenceImpersonationToken(IN PETHREAD Thread, OUT PBOOLEAN CopyOnOpen, OUT PBOOLEAN EffectiveOnly, OUT PSECURITY_IMPERSONATION_LEVEL ImpersonationLevel)
Definition: security.c:871
BOOLEAN NTAPI PsIsThreadImpersonating(IN PETHREAD Thread)
Definition: thread.c:888
#define SEP_PRIVILEGE_SET_MAX_COUNT
Definition: audit.c:15
VOID NTAPI SepOpenObjectAuditAlarm(_In_ PSECURITY_SUBJECT_CONTEXT SubjectContext, _In_ PUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ PUNICODE_STRING ObjectTypeName, _In_ PUNICODE_STRING ObjectName, _In_opt_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ PTOKEN ClientToken, _In_ ACCESS_MASK DesiredAccess, _In_ ACCESS_MASK GrantedAccess, _In_opt_ PPRIVILEGE_SET Privileges, _In_ BOOLEAN ObjectCreation, _In_ BOOLEAN AccessGranted, _Out_ PBOOLEAN GenerateOnClose)
Raises an alarm audit message when an object is about to be opened.
Definition: audit.c:1535
BOOLEAN NTAPI SeAuditingFileOrGlobalEvents(_In_ BOOLEAN AccessGranted, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext)
Determines whether auditing against files or global events with subject context is being done or not.
Definition: audit.c:1111
_Must_inspect_result_ __kernel_entry NTSTATUS NTAPI NtAccessCheckByTypeResultListAndAuditAlarmByHandle(_In_ PUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ HANDLE ClientToken, _In_ PUNICODE_STRING ObjectTypeName, _In_ PUNICODE_STRING ObjectName, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_opt_ PSID PrincipalSelfSid, _In_ ACCESS_MASK DesiredAccess, _In_ AUDIT_EVENT_TYPE AuditType, _In_ ULONG Flags, _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList, _In_ ULONG ObjectTypeListLength, _In_ PGENERIC_MAPPING GenericMapping, _In_ BOOLEAN ObjectCreation, _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccessList, _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatusList, _Out_ PBOOLEAN GenerateOnClose)
Raises an alarm audit message when a caller attempts to access an object and determine if the access ...
Definition: audit.c:2430
VOID NTAPI SepAdtCloseObjectAuditAlarm(_In_ PUNICODE_STRING SubsystemName, _In_ PVOID HandleId, _In_ PSID Sid)
Closes an audit alarm event of an object.
Definition: audit.c:287
UNICODE_STRING SeSubsystemName
Definition: audit.c:17
static _Must_inspect_result_ NTSTATUS SepAccessCheckAndAuditAlarmWorker(_In_ PUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ PSECURITY_SUBJECT_CONTEXT SubjectContext, _In_ PUNICODE_STRING ObjectTypeName, _In_ PUNICODE_STRING ObjectName, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_opt_ PSID PrincipalSelfSid, _In_ ACCESS_MASK DesiredAccess, _In_ AUDIT_EVENT_TYPE AuditType, _In_ BOOLEAN HaveAuditPrivilege, _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST_INTERNAL ObjectTypeList, _In_ ULONG ObjectTypeListLength, _In_ PGENERIC_MAPPING GenericMapping, _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccessList, _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatusList, _Out_ PBOOLEAN GenerateOnClose, _In_ BOOLEAN UseResultList)
Worker function that serves as the main heart and brain of the whole concept and implementation of au...
Definition: audit.c:489
VOID NTAPI SeAuditProcessExit(_In_ PEPROCESS Process)
Peforms a security auditing against a process that is about to be terminated.
Definition: audit.c:77
VOID NTAPI SePrivilegedServiceAuditAlarm(_In_opt_ PUNICODE_STRING ServiceName, _In_ PSECURITY_SUBJECT_CONTEXT SubjectContext, _In_ PPRIVILEGE_SET PrivilegeSet, _In_ BOOLEAN AccessGranted)
Performs an audit alarm to a privileged service request.
Definition: audit.c:369
BOOLEAN NTAPI SeAuditingFileEvents(_In_ BOOLEAN AccessGranted, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor)
Determines whether auditing against file events is being done or not.
Definition: audit.c:993
BOOLEAN NTAPI SeAuditingHardLinkEvents(_In_ BOOLEAN AccessGranted, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor)
Determines whether auditing against hard links events is being done or not.
Definition: audit.c:1050
VOID NTAPI SeAuditHardLinkCreation(_In_ PUNICODE_STRING FileName, _In_ PUNICODE_STRING LinkName, _In_ BOOLEAN bSuccess)
Performs an audit against a hard link creation.
Definition: audit.c:967
VOID NTAPI SeDeleteObjectAuditAlarm(_In_ PVOID Object, _In_ HANDLE Handle)
Deletes an alarm audit of an object.
Definition: audit.c:1163
VOID NTAPI SePrivilegeObjectAuditAlarm(_In_ HANDLE Handle, _In_ PSECURITY_SUBJECT_CONTEXT SubjectContext, _In_ ACCESS_MASK DesiredAccess, _In_ PPRIVILEGE_SET Privileges, _In_ BOOLEAN AccessGranted, _In_ KPROCESSOR_MODE CurrentMode)
Raises an audit with alarm notification message when an object tries to acquire this privilege.
Definition: audit.c:1321
NTSTATUS NTAPI NtDeleteObjectAuditAlarm(_In_ PUNICODE_STRING SubsystemName, _In_ PVOID HandleId, _In_ BOOLEAN GenerateOnClose)
Raises an alarm audit message when an object is about to be deleted.
Definition: audit.c:1475
_Must_inspect_result_ __kernel_entry NTSTATUS NTAPI NtAccessCheckByTypeAndAuditAlarm(_In_ PUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ PUNICODE_STRING ObjectTypeName, _In_ PUNICODE_STRING ObjectName, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_opt_ PSID PrincipalSelfSid, _In_ ACCESS_MASK DesiredAccess, _In_ AUDIT_EVENT_TYPE AuditType, _In_ ULONG Flags, _In_reads_opt_(ObjectTypeLength) POBJECT_TYPE_LIST ObjectTypeList, _In_ ULONG ObjectTypeLength, _In_ PGENERIC_MAPPING GenericMapping, _In_ BOOLEAN ObjectCreation, _Out_ PACCESS_MASK GrantedAccess, _Out_ PNTSTATUS AccessStatus, _Out_ PBOOLEAN GenerateOnClose)
Raises an alarm audit message when a caller attempts to access an object and determine if the access ...
Definition: audit.c:2222
BOOLEAN NTAPI SeAuditingFileEventsWithContext(_In_ BOOLEAN AccessGranted, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_opt_ PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext)
Determines whether auditing against file events with subject context is being done or not.
Definition: audit.c:1023
BOOLEAN NTAPI SeAuditingHardLinkEventsWithContext(_In_ BOOLEAN AccessGranted, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_opt_ PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext)
Determines whether auditing against hard links events with subject context is being done or not.
Definition: audit.c:1080
VOID NTAPI SeOpenObjectAuditAlarm(_In_ PUNICODE_STRING ObjectTypeName, _In_opt_ PVOID Object, _In_opt_ PUNICODE_STRING AbsoluteObjectName, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ PACCESS_STATE AccessState, _In_ BOOLEAN ObjectCreated, _In_ BOOLEAN AccessGranted, _In_ KPROCESSOR_MODE AccessMode, _Out_ PBOOLEAN GenerateOnClose)
Creates an audit with alarm notification of an object that is being opened.
Definition: audit.c:1213
NTSTATUS NTAPI SeLocateProcessImageName(_In_ PEPROCESS Process, _Out_ PUNICODE_STRING *ProcessImageName)
Finds the process image name of a specific process.
Definition: audit.c:199
__kernel_entry NTSTATUS NTAPI NtPrivilegedServiceAuditAlarm(_In_opt_ PUNICODE_STRING SubsystemName, _In_opt_ PUNICODE_STRING ServiceName, _In_ HANDLE ClientTokenHandle, _In_ PPRIVILEGE_SET Privileges, _In_ BOOLEAN AccessGranted)
Raises an alarm audit message when a caller attempts to request a privileged service call.
Definition: audit.c:1883
VOID NTAPI SepAdtPrivilegedServiceAuditAlarm(_In_ PSECURITY_SUBJECT_CONTEXT SubjectContext, _In_opt_ PUNICODE_STRING SubsystemName, _In_opt_ PUNICODE_STRING ServiceName, _In_ PTOKEN Token, _In_ PTOKEN PrimaryToken, _In_ PPRIVILEGE_SET Privileges, _In_ BOOLEAN AccessGranted)
Performs an audit alarm to a privileged service request. This is a worker function.
Definition: audit.c:332
VOID NTAPI SeOpenObjectForDeleteAuditAlarm(_In_ PUNICODE_STRING ObjectTypeName, _In_opt_ PVOID Object, _In_opt_ PUNICODE_STRING AbsoluteObjectName, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ PACCESS_STATE AccessState, _In_ BOOLEAN ObjectCreated, _In_ BOOLEAN AccessGranted, _In_ KPROCESSOR_MODE AccessMode, _Out_ PBOOLEAN GenerateOnClose)
Creates an audit with alarm notification of an object that is being opened for deletion.
Definition: audit.c:1276
_Must_inspect_result_ __kernel_entry NTSTATUS NTAPI NtAccessCheckByTypeResultListAndAuditAlarm(_In_ PUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ PUNICODE_STRING ObjectTypeName, _In_ PUNICODE_STRING ObjectName, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_opt_ PSID PrincipalSelfSid, _In_ ACCESS_MASK DesiredAccess, _In_ AUDIT_EVENT_TYPE AuditType, _In_ ULONG Flags, _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList, _In_ ULONG ObjectTypeListLength, _In_ PGENERIC_MAPPING GenericMapping, _In_ BOOLEAN ObjectCreation, _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccessList, _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatusList, _Out_ PBOOLEAN GenerateOnClose)
Raises an alarm audit message when a caller attempts to access an object and determine if the access ...
Definition: audit.c:2324
__kernel_entry NTSTATUS NTAPI NtOpenObjectAuditAlarm(_In_ PUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ PUNICODE_STRING ObjectTypeName, _In_ PUNICODE_STRING ObjectName, _In_opt_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ HANDLE ClientTokenHandle, _In_ ACCESS_MASK DesiredAccess, _In_ ACCESS_MASK GrantedAccess, _In_opt_ PPRIVILEGE_SET PrivilegeSet, _In_ BOOLEAN ObjectCreation, _In_ BOOLEAN AccessGranted, _Out_ PBOOLEAN GenerateOnClose)
Raises an alarm audit message when an object is about to be opened.
Definition: audit.c:1622
BOOLEAN NTAPI SeDetailedAuditingWithToken(_In_ PTOKEN Token)
Peforms a detailed security auditing with an access token.
Definition: audit.c:34
VOID NTAPI SeCloseObjectAuditAlarm(_In_ PVOID Object, _In_ HANDLE Handle, _In_ BOOLEAN PerformAction)
Closes an alarm audit of an object.
Definition: audit.c:1140
NTSTATUS NTAPI NtPrivilegeObjectAuditAlarm(_In_ PUNICODE_STRING SubsystemName, _In_ PVOID HandleId, _In_ HANDLE ClientToken, _In_ ULONG DesiredAccess, _In_ PPRIVILEGE_SET Privileges, _In_ BOOLEAN AccessGranted)
Raises an alarm audit message when a caller attempts to access a privileged object.
Definition: audit.c:2066
NTSTATUS NTAPI NtCloseObjectAuditAlarm(_In_ PUNICODE_STRING SubsystemName, _In_ PVOID HandleId, _In_ BOOLEAN GenerateOnClose)
Raises an alarm audit message when an object is about to be closed.
Definition: audit.c:1358
_Must_inspect_result_ NTSTATUS NTAPI SepAccessCheckAndAuditAlarm(_In_ PUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ PHANDLE ClientTokenHandle, _In_ PUNICODE_STRING ObjectTypeName, _In_ PUNICODE_STRING ObjectName, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_opt_ PSID PrincipalSelfSid, _In_ ACCESS_MASK DesiredAccess, _In_ AUDIT_EVENT_TYPE AuditType, _In_ ULONG Flags, _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList, _In_ ULONG ObjectTypeListLength, _In_ PGENERIC_MAPPING GenericMapping, _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccessList, _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatusList, _Out_ PBOOLEAN GenerateOnClose, _In_ BOOLEAN UseResultList)
Performs security auditing, if the specific object can be granted security access or not.
Definition: audit.c:614
VOID NTAPI SeAuditProcessCreate(_In_ PEPROCESS Process)
Peforms a security auditing against a process that is about to be created.
Definition: audit.c:56
NTSTATUS NTAPI SeInitializeProcessAuditName(_In_ PFILE_OBJECT FileObject, _In_ BOOLEAN DoAudit, _Out_ POBJECT_NAME_INFORMATION *AuditInfo)
Initializes a process audit name and returns it to the caller.
Definition: audit.c:105
_Must_inspect_result_ __kernel_entry NTSTATUS NTAPI NtAccessCheckAndAuditAlarm(_In_ PUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ PUNICODE_STRING ObjectTypeName, _In_ PUNICODE_STRING ObjectName, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ ACCESS_MASK DesiredAccess, _In_ PGENERIC_MAPPING GenericMapping, _In_ BOOLEAN ObjectCreation, _Out_ PACCESS_MASK GrantedAccess, _Out_ PNTSTATUS AccessStatus, _Out_ PBOOLEAN GenerateOnClose)
Raises an alarm audit message when a caller attempts to access an object and determine if the access ...
Definition: audit.c:2125
NTSTATUS NTAPI SeCaptureSecurityDescriptor(_In_ PSECURITY_DESCRIPTOR _OriginalSecurityDescriptor, _In_ KPROCESSOR_MODE CurrentMode, _In_ POOL_TYPE PoolType, _In_ BOOLEAN CaptureIfKernel, _Out_ PSECURITY_DESCRIPTOR *CapturedSecurityDescriptor)
Captures a security descriptor.
Definition: sd.c:386
NTSTATUS NTAPI SeReleaseSecurityDescriptor(_In_ PSECURITY_DESCRIPTOR CapturedSecurityDescriptor, _In_ KPROCESSOR_MODE CurrentMode, _In_ BOOLEAN CaptureIfKernelMode)
Releases a captured security descriptor buffer.
Definition: sd.c:760
POBJECT_TYPE SeTokenObjectType
Definition: token.c:17
PVOID *typedef PHANDLE
Definition: ntsecpkg.h:455
#define STATUS_NO_IMPERSONATION_TOKEN
Definition: ntstatus.h:328
#define STATUS_NO_MEMORY
Definition: ntstatus.h:260
#define STATUS_INVALID_SECURITY_DESCR
Definition: ntstatus.h:357
#define STATUS_NOT_IMPLEMENTED
Definition: ntstatus.h:239
#define STATUS_GENERIC_NOT_MAPPED
Definition: ntstatus.h:466
#define STATUS_BAD_IMPERSONATION_LEVEL
Definition: ntstatus.h:401
#define L(x)
Definition: ntvdm.h:50
NTSTATUS NTAPI ObQueryNameString(IN PVOID Object, OUT POBJECT_NAME_INFORMATION ObjectNameInfo, IN ULONG Length, OUT PULONG ReturnLength)
Definition: obname.c:1207
NTSTATUS NTAPI ObReferenceObjectByHandle(IN HANDLE Handle, IN ACCESS_MASK DesiredAccess, IN POBJECT_TYPE ObjectType, IN KPROCESSOR_MODE AccessMode, OUT PVOID *Object, OUT POBJECT_HANDLE_INFORMATION HandleInformation OPTIONAL)
Definition: obref.c:494
NTSTATUS NTAPI PsReferenceProcessFilePointer(IN PEPROCESS Process, OUT PFILE_OBJECT *FileObject)
Definition: query.c:24
#define _SEH2_GetExceptionCode()
Definition: pseh2_64.h:159
#define _SEH2_EXCEPT(...)
Definition: pseh2_64.h:34
#define _SEH2_YIELD(__stmt)
Definition: pseh2_64.h:162
static __inline NTSTATUS ProbeAndCaptureUnicodeString(OUT PUNICODE_STRING Dest, IN KPROCESSOR_MODE CurrentMode, IN const UNICODE_STRING *UnsafeSrc)
Definition: probe.h:142
static __inline VOID ReleaseCapturedUnicodeString(IN PUNICODE_STRING CapturedString, IN KPROCESSOR_MODE CurrentMode)
Definition: probe.h:239
PSE_EXPORTS SeExports
Definition: semgr.c:21
#define STATUS_SUCCESS
Definition: shellext.h:65
#define STATUS_BUFFER_TOO_SMALL
Definition: shellext.h:69
#define STATUS_BUFFER_OVERFLOW
Definition: shellext.h:66
#define DPRINT
Definition: sndvol32.h:71
#define __kernel_entry
Definition: specstrings.h:355
UNICODE_STRING Name
Definition: nt_native.h:1270
PSID SeNetworkServiceSid
Definition: setypes.h:1244
PSID SeLocalServiceSid
Definition: setypes.h:1243
SECURITY_IMPERSONATION_LEVEL ImpersonationLevel
Definition: setypes.h:240
PSID_AND_ATTRIBUTES UserAndGroups
Definition: setypes.h:233
TOKEN_TYPE TokenType
Definition: setypes.h:239
USHORT MaximumLength
Definition: env_spec_w32.h:370
VOID NTAPI SeReleaseSubjectContext(_In_ PSECURITY_SUBJECT_CONTEXT SubjectContext)
Releases both the primary and client tokens of a security subject context.
Definition: subject.c:171
VOID NTAPI SeCaptureSubjectContext(_Out_ PSECURITY_SUBJECT_CONTEXT SubjectContext)
Captures the security subject context of the calling thread and calling process.
Definition: subject.c:85
#define TAG_SEPA
Definition: tag.h:156
#define TAG_PRIVILEGE_SET
Definition: tag.h:157
#define RTL_CONSTANT_STRING(s)
Definition: tunneltest.c:14
uint16_t * PWSTR
Definition: typedefs.h:56
#define UNIMPLEMENTED_ONCE
Definition: typedefs.h:30
#define FIELD_OFFSET(t, f)
Definition: typedefs.h:255
unsigned char * PBOOLEAN
Definition: typedefs.h:53
#define NTAPI
Definition: typedefs.h:36
#define RtlCopyMemory(Destination, Source, Length)
Definition: typedefs.h:263
#define RtlZeroMemory(Destination, Length)
Definition: typedefs.h:262
uint32_t ULONG
Definition: typedefs.h:59
#define STATUS_INVALID_PARAMETER
Definition: udferr_usr.h:135
#define STATUS_INFO_LENGTH_MISMATCH
Definition: udferr_usr.h:133
#define STATUS_INSUFFICIENT_RESOURCES
Definition: udferr_usr.h:158
BOOL Privilege(LPTSTR pszPrivilege, BOOL bEnable)
Definition: user_lib.cpp:531
_Must_inspect_result_ _In_ WDFCOLLECTION _In_ WDFOBJECT Object
_Must_inspect_result_ _In_ WDFDEVICE _In_ ULONG _In_ ACCESS_MASK DesiredAccess
Definition: wdfdevice.h:2658
_In_ WDFREQUEST _In_ WDFFILEOBJECT FileObject
Definition: wdfdevice.h:550
_In_ USHORT _In_ ULONG _In_ PSOCKADDR _In_ PSOCKADDR _Reserved_ ULONG _In_opt_ PVOID _In_opt_ const WSK_CLIENT_CONNECTION_DISPATCH _In_opt_ PEPROCESS _In_opt_ PETHREAD _In_opt_ PSECURITY_DESCRIPTOR SecurityDescriptor
Definition: wsk.h:191
_Must_inspect_result_ _In_ ULONG Flags
Definition: wsk.h:170
_In_ PVOID _Out_opt_ PULONG_PTR _Outptr_opt_ PCUNICODE_STRING * ObjectName
Definition: cmfuncs.h:64
* PFILE_OBJECT
Definition: iotypes.h:1998
CCHAR KPROCESSOR_MODE
Definition: ketypes.h:7
_In_ PEPROCESS _In_ KPROCESSOR_MODE AccessMode
Definition: mmfuncs.h:396
#define ObDereferenceObject
Definition: obfuncs.h:203
_Out_ PBOOLEAN CopyOnOpen
Definition: psfuncs.h:154
#define PsGetCurrentProcess
Definition: psfuncs.h:17
_Out_ PBOOLEAN _Out_ PBOOLEAN _Out_ PSECURITY_IMPERSONATION_LEVEL ImpersonationLevel
Definition: psfuncs.h:156
_In_opt_ PVOID _In_opt_ PUNICODE_STRING AbsoluteObjectName
Definition: sefuncs.h:415
_In_ PSECURITY_SUBJECT_CONTEXT _In_ BOOLEAN _In_ ACCESS_MASK _In_ ACCESS_MASK _Outptr_opt_ PPRIVILEGE_SET * Privileges
Definition: sefuncs.h:17
_In_opt_ PVOID _In_opt_ PUNICODE_STRING _In_ PSECURITY_DESCRIPTOR _In_ PACCESS_STATE _In_ BOOLEAN _In_ BOOLEAN _In_ KPROCESSOR_MODE _In_opt_ GUID _Out_ PBOOLEAN GenerateOnClose
Definition: sefuncs.h:422
_In_opt_ PVOID _In_opt_ PUNICODE_STRING _In_ PSECURITY_DESCRIPTOR _In_ PACCESS_STATE _In_ BOOLEAN ObjectCreated
Definition: sefuncs.h:418
_In_opt_ PVOID _In_opt_ PUNICODE_STRING _In_ PSECURITY_DESCRIPTOR _In_ PACCESS_STATE _In_ BOOLEAN _In_ BOOLEAN AccessGranted
Definition: sefuncs.h:419
_In_ PSECURITY_SUBJECT_CONTEXT _In_ BOOLEAN _In_ ACCESS_MASK _In_ ACCESS_MASK _Outptr_opt_ PPRIVILEGE_SET _In_ PGENERIC_MAPPING _In_ KPROCESSOR_MODE _Out_ PACCESS_MASK _Out_ PNTSTATUS AccessStatus
Definition: sefuncs.h:21
_In_ KPROCESSOR_MODE PreviousMode
Definition: sefuncs.h:103
_In_opt_ PVOID _In_opt_ PUNICODE_STRING _In_ PSECURITY_DESCRIPTOR _In_ PACCESS_STATE AccessState
Definition: sefuncs.h:417
_In_ PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext
Definition: sefuncs.h:13
_In_ PSECURITY_SUBJECT_CONTEXT _In_ BOOLEAN _In_ ACCESS_MASK _In_ ACCESS_MASK _Outptr_opt_ PPRIVILEGE_SET _In_ PGENERIC_MAPPING _In_ KPROCESSOR_MODE _Out_ PACCESS_MASK GrantedAccess
Definition: sefuncs.h:20
#define AUDIT_ALLOW_NO_PRIVILEGE
Definition: setypes.h:872
#define TOKEN_QUERY
Definition: setypes.h:928
@ AuditEventDirectoryServiceAccess
Definition: setypes.h:869
@ AuditEventObjectAccess
Definition: setypes.h:868
enum _AUDIT_EVENT_TYPE AUDIT_EVENT_TYPE