ReactOS  0.4.15-dev-3173-g40ee59d
audit.c
Go to the documentation of this file.
1 /*
2  * PROJECT: ReactOS Kernel
3  * LICENSE: GPL-2.0-or-later (https://spdx.org/licenses/GPL-2.0-or-later)
4  * PURPOSE: Security auditing functions
5  * COPYRIGHT: Copyright Eric Kohl
6  * Copyright Timo Kreuzer <timo.kreuzer@reactos.org>
7  */
8 
9 /* INCLUDES *******************************************************************/
10 
11 #include <ntoskrnl.h>
12 #define NDEBUG
13 #include <debug.h>
14 
15 #define SEP_PRIVILEGE_SET_MAX_COUNT 60
16 
18 
19 /* PRIVATE FUNCTIONS***********************************************************/
20 
32 BOOLEAN
33 NTAPI
36 {
37  /* FIXME */
38  return FALSE;
39 }
40 
54 VOID
55 NTAPI
58 {
59  /* FIXME */
60 }
61 
75 VOID
76 NTAPI
79 {
80  /* FIXME */
81 }
82 
103 NTSTATUS
104 NTAPI
107  _In_ BOOLEAN DoAudit,
108  _Out_ POBJECT_NAME_INFORMATION *AuditInfo)
109 {
110  OBJECT_NAME_INFORMATION LocalNameInfo;
111  POBJECT_NAME_INFORMATION ObjectNameInfo = NULL;
112  ULONG ReturnLength = 8;
114 
115  PAGED_CODE();
116  ASSERT(AuditInfo);
117 
118  /* Check if we should do auditing */
119  if (DoAudit)
120  {
121  /* FIXME: TODO */
122  }
123 
124  /* Now query the name */
126  &LocalNameInfo,
127  sizeof(LocalNameInfo),
128  &ReturnLength);
129  if (((Status == STATUS_BUFFER_OVERFLOW) ||
132  (ReturnLength != sizeof(LocalNameInfo)))
133  {
134  /* Allocate required size */
135  ObjectNameInfo = ExAllocatePoolWithTag(NonPagedPool,
136  ReturnLength,
137  TAG_SEPA);
138  if (ObjectNameInfo)
139  {
140  /* Query the name again */
142  ObjectNameInfo,
143  ReturnLength,
144  &ReturnLength);
145  }
146  }
147 
148  /* Check if we got here due to failure */
149  if ((ObjectNameInfo) &&
150  (!(NT_SUCCESS(Status)) || (ReturnLength == sizeof(LocalNameInfo))))
151  {
152  /* First, free any buffer we might've allocated */
153  ASSERT(FALSE);
154  if (ObjectNameInfo) ExFreePool(ObjectNameInfo);
155 
156  /* Now allocate a temporary one */
158  ObjectNameInfo = ExAllocatePoolWithTag(NonPagedPool,
159  sizeof(OBJECT_NAME_INFORMATION),
160  TAG_SEPA);
161  if (ObjectNameInfo)
162  {
163  /* Clear it */
164  RtlZeroMemory(ObjectNameInfo, ReturnLength);
166  }
167  }
168 
169  /* Check if memory allocation failed */
170  if (!ObjectNameInfo) Status = STATUS_NO_MEMORY;
171 
172  /* Return the audit name */
173  *AuditInfo = ObjectNameInfo;
174 
175  /* Return status */
176  return Status;
177 }
178 
197 NTSTATUS
198 NTAPI
201  _Out_ PUNICODE_STRING *ProcessImageName)
202 {
203  POBJECT_NAME_INFORMATION AuditName;
207 
208  PAGED_CODE();
209 
210  /* Assume failure */
211  *ProcessImageName = NULL;
212 
213  /* Check if we have audit info */
214  AuditName = Process->SeAuditProcessCreationInfo.ImageFileName;
215  if (!AuditName)
216  {
217  /* Get the file object */
219  if (!NT_SUCCESS(Status)) return Status;
220 
221  /* Initialize the audit structure */
223  if (NT_SUCCESS(Status))
224  {
225  /* Set it */
227  SeAuditProcessCreationInfo.ImageFileName,
228  AuditName,
229  NULL))
230  {
231  /* Someone beat us to it, deallocate our copy */
232  ExFreePool(AuditName);
233  }
234  }
235 
236  /* Dereference the file object */
238  if (!NT_SUCCESS(Status)) return Status;
239  }
240 
241  /* Get audit info again, now we have it for sure */
242  AuditName = Process->SeAuditProcessCreationInfo.ImageFileName;
243 
244  /* Allocate the output string */
246  AuditName->Name.MaximumLength +
247  sizeof(UNICODE_STRING),
248  TAG_SEPA);
249  if (!ImageName) return STATUS_NO_MEMORY;
250 
251  /* Make a copy of it */
253  &AuditName->Name,
254  AuditName->Name.MaximumLength + sizeof(UNICODE_STRING));
255 
256  /* Fix up the buffer */
257  ImageName->Buffer = (PWSTR)(ImageName + 1);
258 
259  /* Return it */
260  *ProcessImageName = ImageName;
261 
262  /* Return status */
263  return Status;
264 }
265 
285 VOID
286 NTAPI
288  _In_ PUNICODE_STRING SubsystemName,
289  _In_ PVOID HandleId,
290  _In_ PSID Sid)
291 {
293 }
294 
330 VOID
331 NTAPI
334  _In_opt_ PUNICODE_STRING SubsystemName,
336  _In_ PTOKEN Token,
337  _In_ PTOKEN PrimaryToken,
340 {
341  DPRINT("SepAdtPrivilegedServiceAuditAlarm is unimplemented\n");
342 }
343 
367 VOID
368 NTAPI
372  _In_ PPRIVILEGE_SET PrivilegeSet,
374 {
375  PTOKEN EffectiveToken;
376  PSID UserSid;
377  PAGED_CODE();
378 
379  /* Get the effective token */
380  if (SubjectContext->ClientToken != NULL)
381  EffectiveToken = SubjectContext->ClientToken;
382  else
383  EffectiveToken = SubjectContext->PrimaryToken;
384 
385  /* Get the user SID */
386  UserSid = EffectiveToken->UserAndGroups->Sid;
387 
388  /* Check if this is the local system SID */
389  if (RtlEqualSid(UserSid, SeLocalSystemSid))
390  {
391  /* Nothing to do */
392  return;
393  }
394 
395  /* Check if this is the network service or local service SID */
396  if (RtlEqualSid(UserSid, SeExports->SeNetworkServiceSid) ||
398  {
399  // FIXME: should continue for a certain set of privileges
400  return;
401  }
402 
403  /* Call the worker function */
406  ServiceName,
407  SubjectContext->ClientToken,
408  SubjectContext->PrimaryToken,
409  PrivilegeSet,
410  AccessGranted);
411 
412 }
413 
436 static
437 NTSTATUS
439  _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList,
440  _In_ ULONG ObjectTypeListLength,
442  _Out_ POBJECT_TYPE_LIST *CapturedObjectTypeList)
443 {
444  SIZE_T Size;
445 
446  if (PreviousMode == KernelMode)
447  {
448  return STATUS_NOT_IMPLEMENTED;
449  }
450 
451  if (ObjectTypeListLength == 0)
452  {
453  *CapturedObjectTypeList = NULL;
454  return STATUS_SUCCESS;
455  }
456 
457  if (ObjectTypeList == NULL)
458  {
460  }
461 
462  /* Calculate the list size and check for integer overflow */
463  Size = ObjectTypeListLength * sizeof(OBJECT_TYPE_LIST);
464  if (Size == 0)
465  {
467  }
468 
469  /* Allocate a new list */
470  *CapturedObjectTypeList = ExAllocatePoolWithTag(PagedPool, Size, TAG_SEPA);
471  if (*CapturedObjectTypeList == NULL)
472  {
474  }
475 
476  _SEH2_TRY
477  {
478  ProbeForRead(ObjectTypeList, Size, sizeof(ULONG));
479  RtlCopyMemory(*CapturedObjectTypeList, ObjectTypeList, Size);
480  }
482  {
483  ExFreePoolWithTag(*CapturedObjectTypeList, TAG_SEPA);
484  *CapturedObjectTypeList = NULL;
486  }
487  _SEH2_END;
488 
489  return STATUS_SUCCESS;
490 }
491 
505 static
506 VOID
508  _In_ _Post_invalid_ POBJECT_TYPE_LIST CapturedObjectTypeList,
510 {
511  if ((PreviousMode != KernelMode) && (CapturedObjectTypeList != NULL))
512  ExFreePoolWithTag(CapturedObjectTypeList, TAG_SEPA);
513 }
514 
588 static
589 NTSTATUS
591  _In_ PUNICODE_STRING SubsystemName,
592  _In_opt_ PVOID HandleId,
597  _In_opt_ PSID PrincipalSelfSid,
599  _In_ AUDIT_EVENT_TYPE AuditType,
600  _In_ BOOLEAN HaveAuditPrivilege,
601  _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList,
602  _In_ ULONG ObjectTypeListLength,
604  _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccessList,
605  _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatusList,
607  _In_ BOOLEAN UseResultList)
608 {
609  ULONG ResultListLength, i;
610 
611  /* Get the length of the result list */
612  ResultListLength = UseResultList ? ObjectTypeListLength : 1;
613 
616 
618  for (i = 0; i < ResultListLength; i++)
619  {
620  GrantedAccessList[i] = DesiredAccess;
621  AccessStatusList[i] = STATUS_SUCCESS;
622  }
623 
625 
626  return STATUS_SUCCESS;
627 }
628 
713 NTSTATUS
714 NTAPI
716  _In_ PUNICODE_STRING SubsystemName,
717  _In_opt_ PVOID HandleId,
718  _In_ PHANDLE ClientTokenHandle,
722  _In_opt_ PSID PrincipalSelfSid,
724  _In_ AUDIT_EVENT_TYPE AuditType,
725  _In_ ULONG Flags,
726  _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList,
727  _In_ ULONG ObjectTypeListLength,
729  _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccessList,
730  _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatusList,
732  _In_ BOOLEAN UseResultList)
733 {
735  ULONG ResultListLength;
736  GENERIC_MAPPING LocalGenericMapping;
737  PTOKEN SubjectContextToken, ClientToken;
738  BOOLEAN AllocatedResultLists;
739  BOOLEAN HaveAuditPrivilege;
740  PSECURITY_DESCRIPTOR CapturedSecurityDescriptor;
741  UNICODE_STRING CapturedSubsystemName, CapturedObjectTypeName, CapturedObjectName;
742  ACCESS_MASK GrantedAccess, *SafeGrantedAccessList;
743  NTSTATUS AccessStatus, *SafeAccessStatusList;
744  PSID CapturedPrincipalSelfSid;
745  POBJECT_TYPE_LIST CapturedObjectTypeList;
746  ULONG i;
747  BOOLEAN LocalGenerateOnClose;
749  PAGED_CODE();
750 
751  /* Only user mode is supported! */
753 
754  /* Start clean */
755  AllocatedResultLists = FALSE;
756  ClientToken = NULL;
757  CapturedSecurityDescriptor = NULL;
758  CapturedSubsystemName.Buffer = NULL;
759  CapturedObjectTypeName.Buffer = NULL;
760  CapturedObjectName.Buffer = NULL;
761  CapturedPrincipalSelfSid = NULL;
762  CapturedObjectTypeList = NULL;
763 
764  /* Validate AuditType */
765  if ((AuditType != AuditEventObjectAccess) &&
766  (AuditType != AuditEventDirectoryServiceAccess))
767  {
768  DPRINT1("Invalid audit type: %u\n", AuditType);
770  }
771 
772  /* Capture the security subject context */
774 
775  /* Did the caller pass a token handle? */
776  if (ClientTokenHandle == NULL)
777  {
778  /* Check if we have a token in the subject context */
779  if (SubjectContext.ClientToken == NULL)
780  {
782  DPRINT1("No token\n");
783  goto Cleanup;
784  }
785 
786  /* Check if we have a valid impersonation level */
787  if (SubjectContext.ImpersonationLevel < SecurityIdentification)
788  {
790  DPRINT1("Invalid impersonation level 0x%lx\n",
791  SubjectContext.ImpersonationLevel);
792  goto Cleanup;
793  }
794  }
795 
796  /* Are we using a result list? */
797  if (UseResultList)
798  {
799  /* The list length equals the object type list length */
800  ResultListLength = ObjectTypeListLength;
801  if ((ResultListLength == 0) || (ResultListLength > 0x1000))
802  {
804  DPRINT1("Invalid ResultListLength: 0x%lx\n", ResultListLength);
805  goto Cleanup;
806  }
807 
808  /* Allocate a safe buffer from paged pool */
809  SafeGrantedAccessList = ExAllocatePoolWithTag(PagedPool,
810  2 * ResultListLength * sizeof(ULONG),
811  TAG_SEPA);
812  if (SafeGrantedAccessList == NULL)
813  {
815  DPRINT1("Failed to allocate access lists\n");
816  goto Cleanup;
817  }
818 
819  SafeAccessStatusList = (PNTSTATUS)&SafeGrantedAccessList[ResultListLength];
820  AllocatedResultLists = TRUE;
821  }
822  else
823  {
824  /* List length is 1 */
825  ResultListLength = 1;
826  SafeGrantedAccessList = &GrantedAccess;
827  SafeAccessStatusList = &AccessStatus;
828  }
829 
830  _SEH2_TRY
831  {
832  /* Probe output buffers */
833  ProbeForWrite(AccessStatusList,
834  ResultListLength * sizeof(*AccessStatusList),
835  sizeof(*AccessStatusList));
836  ProbeForWrite(GrantedAccessList,
837  ResultListLength * sizeof(*GrantedAccessList),
838  sizeof(*GrantedAccessList));
839 
840  /* Probe generic mapping and make a local copy */
841  ProbeForRead(GenericMapping, sizeof(*GenericMapping), sizeof(ULONG));
842  LocalGenericMapping = * GenericMapping;
843  }
845  {
847  DPRINT1("Exception while probing parameters: 0x%lx\n", Status);
848  _SEH2_YIELD(goto Cleanup);
849  }
850  _SEH2_END;
851 
852  /* Do we have a client token? */
853  if (ClientTokenHandle != NULL)
854  {
855  /* Reference the client token */
856  Status = ObReferenceObjectByHandle(*ClientTokenHandle,
857  TOKEN_QUERY,
859  UserMode,
860  (PVOID*)&ClientToken,
861  NULL);
862  if (!NT_SUCCESS(Status))
863  {
864  DPRINT1("Failed to reference token handle %p: %lx\n",
865  *ClientTokenHandle, Status);
866  goto Cleanup;
867  }
868 
869  SubjectContextToken = SubjectContext.ClientToken;
870  SubjectContext.ClientToken = ClientToken;
871  }
872 
873  /* Check for audit privilege */
874  HaveAuditPrivilege = SeCheckAuditPrivilege(&SubjectContext, UserMode);
875  if (!HaveAuditPrivilege && !(Flags & AUDIT_ALLOW_NO_PRIVILEGE))
876  {
877  DPRINT1("Caller does not have SeAuditPrivilege\n");
879  goto Cleanup;
880  }
881 
882  /* Generic access must already be mapped to non-generic access types! */
884  {
885  DPRINT1("Generic access rights requested: 0x%lx\n", DesiredAccess);
887  goto Cleanup;
888  }
889 
890  /* Capture the security descriptor */
892  UserMode,
893  PagedPool,
894  FALSE,
895  &CapturedSecurityDescriptor);
896  if (!NT_SUCCESS(Status))
897  {
898  DPRINT1("Failed to capture security descriptor!\n");
899  goto Cleanup;
900  }
901 
902  /* Validate the Security descriptor */
903  if ((SepGetOwnerFromDescriptor(CapturedSecurityDescriptor) == NULL) ||
904  (SepGetGroupFromDescriptor(CapturedSecurityDescriptor) == NULL))
905  {
907  DPRINT1("Invalid security descriptor\n");
908  goto Cleanup;
909  }
910 
911  /* Probe and capture the subsystem name */
912  Status = ProbeAndCaptureUnicodeString(&CapturedSubsystemName,
913  UserMode,
914  SubsystemName);
915  if (!NT_SUCCESS(Status))
916  {
917  DPRINT1("Failed to capture subsystem name!\n");
918  goto Cleanup;
919  }
920 
921  /* Probe and capture the object type name */
922  Status = ProbeAndCaptureUnicodeString(&CapturedObjectTypeName,
923  UserMode,
925  if (!NT_SUCCESS(Status))
926  {
927  DPRINT1("Failed to capture object type name!\n");
928  goto Cleanup;
929  }
930 
931  /* Probe and capture the object name */
932  Status = ProbeAndCaptureUnicodeString(&CapturedObjectName,
933  UserMode,
934  ObjectName);
935  if (!NT_SUCCESS(Status))
936  {
937  DPRINT1("Failed to capture object name!\n");
938  goto Cleanup;
939  }
940 
941  /* Check if we have a PrincipalSelfSid */
942  if (PrincipalSelfSid != NULL)
943  {
944  /* Capture it */
945  Status = SepCaptureSid(PrincipalSelfSid,
946  UserMode,
947  PagedPool,
948  FALSE,
949  &CapturedPrincipalSelfSid);
950  if (!NT_SUCCESS(Status))
951  {
952  DPRINT1("Failed to capture PrincipalSelfSid!\n");
953  goto Cleanup;
954  }
955  }
956 
957  /* Capture the object type list */
958  Status = SeCaptureObjectTypeList(ObjectTypeList,
959  ObjectTypeListLength,
960  UserMode,
961  &CapturedObjectTypeList);
962  if (!NT_SUCCESS(Status))
963  {
964  DPRINT1("Failed to capture object type list!\n");
965  goto Cleanup;
966  }
967 
968  /* Call the worker routine with the captured buffers */
969  Status = SepAccessCheckAndAuditAlarmWorker(&CapturedSubsystemName,
970  HandleId,
972  &CapturedObjectTypeName,
973  &CapturedObjectName,
974  CapturedSecurityDescriptor,
975  CapturedPrincipalSelfSid,
977  AuditType,
978  HaveAuditPrivilege,
979  CapturedObjectTypeList,
980  ObjectTypeListLength,
981  &LocalGenericMapping,
982  SafeGrantedAccessList,
983  SafeAccessStatusList,
984  &LocalGenerateOnClose,
985  UseResultList);
986  if (!NT_SUCCESS(Status))
987  goto Cleanup;
988 
989  /* Enter SEH to copy the data back to user mode */
990  _SEH2_TRY
991  {
992  /* Loop all result entries (only 1 when no list was requested) */
993  ASSERT(UseResultList || (ResultListLength == 1));
994  for (i = 0; i < ResultListLength; i++)
995  {
996  AccessStatusList[i] = SafeAccessStatusList[i];
997  GrantedAccessList[i] = SafeGrantedAccessList[i];
998  }
999 
1000  *GenerateOnClose = LocalGenerateOnClose;
1001  }
1003  {
1005  DPRINT1("Exception while copying back data: 0x%lx\n", Status);
1006  }
1007  _SEH2_END;
1008 
1009 Cleanup:
1010 
1011  if (CapturedObjectTypeList != NULL)
1012  SeReleaseObjectTypeList(CapturedObjectTypeList, UserMode);
1013 
1014  if (CapturedPrincipalSelfSid != NULL)
1015  SepReleaseSid(CapturedPrincipalSelfSid, UserMode, FALSE);
1016 
1017  if (CapturedObjectName.Buffer != NULL)
1018  ReleaseCapturedUnicodeString(&CapturedObjectName, UserMode);
1019 
1020  if (CapturedObjectTypeName.Buffer != NULL)
1021  ReleaseCapturedUnicodeString(&CapturedObjectTypeName, UserMode);
1022 
1023  if (CapturedSubsystemName.Buffer != NULL)
1024  ReleaseCapturedUnicodeString(&CapturedSubsystemName, UserMode);
1025 
1026  if (CapturedSecurityDescriptor != NULL)
1027  SeReleaseSecurityDescriptor(CapturedSecurityDescriptor, UserMode, FALSE);
1028 
1029  if (ClientToken != NULL)
1030  {
1031  ObDereferenceObject(ClientToken);
1032  SubjectContext.ClientToken = SubjectContextToken;
1033  }
1034 
1035  if (AllocatedResultLists)
1036  ExFreePoolWithTag(SafeGrantedAccessList, TAG_SEPA);
1037 
1038  /* Release the security subject context */
1040 
1041  return Status;
1042 }
1043 
1044 
1045 /* PUBLIC FUNCTIONS ***********************************************************/
1046 
1066 VOID
1067 NTAPI
1070  _In_ PUNICODE_STRING LinkName,
1072 {
1073  UNIMPLEMENTED;
1074 }
1075 
1092 BOOLEAN
1093 NTAPI
1097 {
1098  UNIMPLEMENTED;
1099  return FALSE;
1100 }
1101 
1122 BOOLEAN
1123 NTAPI
1128 {
1130  return FALSE;
1131 }
1132 
1149 BOOLEAN
1150 NTAPI
1154 {
1155  UNIMPLEMENTED;
1156  return FALSE;
1157 }
1158 
1179 BOOLEAN
1180 NTAPI
1185 {
1186  UNIMPLEMENTED;
1187  return FALSE;
1188 }
1189 
1210 BOOLEAN
1211 NTAPI
1216 {
1217  UNIMPLEMENTED;
1218  return FALSE;
1219 }
1220 
1239 VOID
1240 NTAPI
1242  _In_ PVOID Object,
1243  _In_ HANDLE Handle,
1244  _In_ BOOLEAN PerformAction)
1245 {
1246  UNIMPLEMENTED;
1247 }
1248 
1263 VOID NTAPI
1265  _In_ PVOID Object,
1266  _In_ HANDLE Handle)
1267 {
1268  UNIMPLEMENTED;
1269 }
1270 
1312 VOID
1313 NTAPI
1324 {
1325  PAGED_CODE();
1326 
1327  /* Audits aren't done on kernel-mode access */
1328  if (AccessMode == KernelMode) return;
1329 
1330  /* Otherwise, unimplemented! */
1331  //UNIMPLEMENTED;
1332  return;
1333 }
1334 
1376 VOID NTAPI
1387 {
1388  UNIMPLEMENTED;
1389 }
1390 
1420 VOID
1421 NTAPI
1423  _In_ HANDLE Handle,
1428  _In_ KPROCESSOR_MODE CurrentMode)
1429 {
1430  UNIMPLEMENTED;
1431 }
1432 
1433 /* SYSTEM CALLS ***************************************************************/
1434 
1457 NTSTATUS
1458 NTAPI
1460  _In_ PUNICODE_STRING SubsystemName,
1461  _In_ PVOID HandleId,
1463 {
1465  UNICODE_STRING CapturedSubsystemName;
1467  BOOLEAN UseImpersonationToken;
1468  PETHREAD CurrentThread;
1471  NTSTATUS Status;
1472  PTOKEN Token;
1473  PAGED_CODE();
1474 
1475  /* Get the previous mode (only user mode is supported!) */
1478 
1479  /* Do we even need to do anything? */
1480  if (!GenerateOnClose)
1481  {
1482  /* Nothing to do, return success */
1483  return STATUS_SUCCESS;
1484  }
1485 
1486  /* Capture the security subject context */
1488 
1489  /* Check for audit privilege */
1491  {
1492  DPRINT1("Caller does not have SeAuditPrivilege\n");
1494  goto Cleanup;
1495  }
1496 
1497  /* Probe and capture the subsystem name */
1498  Status = ProbeAndCaptureUnicodeString(&CapturedSubsystemName,
1499  PreviousMode,
1500  SubsystemName);
1501  if (!NT_SUCCESS(Status))
1502  {
1503  DPRINT1("Failed to capture subsystem name!\n");
1504  goto Cleanup;
1505  }
1506 
1507  /* Get the current thread and check if it's impersonating */
1508  CurrentThread = PsGetCurrentThread();
1509  if (PsIsThreadImpersonating(CurrentThread))
1510  {
1511  /* Get the impersonation token */
1512  Token = PsReferenceImpersonationToken(CurrentThread,
1513  &CopyOnOpen,
1514  &EffectiveOnly,
1516  UseImpersonationToken = TRUE;
1517  }
1518  else
1519  {
1520  /* Get the primary token */
1522  UseImpersonationToken = FALSE;
1523  }
1524 
1525  /* Call the internal function */
1526  SepAdtCloseObjectAuditAlarm(&CapturedSubsystemName,
1527  HandleId,
1528  Token->UserAndGroups->Sid);
1529 
1530  /* Release the captured subsystem name */
1531  ReleaseCapturedUnicodeString(&CapturedSubsystemName, PreviousMode);
1532 
1533  /* Check what token we used */
1534  if (UseImpersonationToken)
1535  {
1536  /* Release impersonation token */
1538  }
1539  else
1540  {
1541  /* Release primary token */
1543  }
1544 
1546 
1547 Cleanup:
1548 
1549  /* Release the security subject context */
1551 
1552  return Status;
1553 }
1554 
1577  _In_ PUNICODE_STRING SubsystemName,
1578  _In_ PVOID HandleId,
1580 {
1581  UNIMPLEMENTED;
1582  return STATUS_NOT_IMPLEMENTED;
1583 }
1584 
1634 VOID
1635 NTAPI
1638  _In_ PUNICODE_STRING SubsystemName,
1639  _In_opt_ PVOID HandleId,
1643  _In_ PTOKEN ClientToken,
1647  _In_ BOOLEAN ObjectCreation,
1650 {
1652  DBG_UNREFERENCED_PARAMETER(SubsystemName);
1653  DBG_UNREFERENCED_PARAMETER(HandleId);
1657  DBG_UNREFERENCED_PARAMETER(ClientToken);
1661  DBG_UNREFERENCED_PARAMETER(ObjectCreation);
1663  UNIMPLEMENTED;
1665 }
1666 
1721 NTSTATUS
1722 NTAPI
1724  _In_ PUNICODE_STRING SubsystemName,
1725  _In_opt_ PVOID HandleId,
1729  _In_ HANDLE ClientTokenHandle,
1732  _In_opt_ PPRIVILEGE_SET PrivilegeSet,
1733  _In_ BOOLEAN ObjectCreation,
1736 {
1737  PTOKEN ClientToken;
1738  PSECURITY_DESCRIPTOR CapturedSecurityDescriptor;
1739  UNICODE_STRING CapturedSubsystemName, CapturedObjectTypeName, CapturedObjectName;
1740  ULONG PrivilegeCount, PrivilegeSetSize;
1741  volatile PPRIVILEGE_SET CapturedPrivilegeSet;
1742  BOOLEAN LocalGenerateOnClose;
1743  PVOID CapturedHandleId;
1745  NTSTATUS Status;
1746  PAGED_CODE();
1747 
1748  /* Only user mode is supported! */
1750 
1751  /* Start clean */
1752  ClientToken = NULL;
1753  CapturedSecurityDescriptor = NULL;
1754  CapturedPrivilegeSet = NULL;
1755  CapturedSubsystemName.Buffer = NULL;
1756  CapturedObjectTypeName.Buffer = NULL;
1757  CapturedObjectName.Buffer = NULL;
1758 
1759  /* Reference the client token */
1760  Status = ObReferenceObjectByHandle(ClientTokenHandle,
1761  TOKEN_QUERY,
1763  UserMode,
1764  (PVOID*)&ClientToken,
1765  NULL);
1766  if (!NT_SUCCESS(Status))
1767  {
1768  DPRINT1("Failed to reference token handle %p: %lx\n",
1769  ClientTokenHandle, Status);
1770  return Status;
1771  }
1772 
1773  /* Capture the security subject context */
1775 
1776  /* Validate the token's impersonation level */
1777  if ((ClientToken->TokenType == TokenImpersonation) &&
1778  (ClientToken->ImpersonationLevel < SecurityIdentification))
1779  {
1780  DPRINT1("Invalid impersonation level (%u)\n", ClientToken->ImpersonationLevel);
1782  goto Cleanup;
1783  }
1784 
1785  /* Check for audit privilege */
1787  {
1788  DPRINT1("Caller does not have SeAuditPrivilege\n");
1790  goto Cleanup;
1791  }
1792 
1793  /* Check for NULL SecurityDescriptor */
1794  if (SecurityDescriptor == NULL)
1795  {
1796  /* Nothing to do */
1798  goto Cleanup;
1799  }
1800 
1801  /* Capture the security descriptor */
1803  UserMode,
1804  PagedPool,
1805  FALSE,
1806  &CapturedSecurityDescriptor);
1807  if (!NT_SUCCESS(Status))
1808  {
1809  DPRINT1("Failed to capture security descriptor!\n");
1810  goto Cleanup;
1811  }
1812 
1813  _SEH2_TRY
1814  {
1815  /* Check if we have a privilege set */
1816  if (PrivilegeSet != NULL)
1817  {
1818  /* Probe the basic privilege set structure */
1819  ProbeForRead(PrivilegeSet, sizeof(PRIVILEGE_SET), sizeof(ULONG));
1820 
1821  /* Validate privilege count */
1822  PrivilegeCount = PrivilegeSet->PrivilegeCount;
1823  if (PrivilegeCount > SEP_PRIVILEGE_SET_MAX_COUNT)
1824  {
1826  _SEH2_YIELD(goto Cleanup);
1827  }
1828 
1829  /* Calculate the size of the PrivilegeSet structure */
1830  PrivilegeSetSize = FIELD_OFFSET(PRIVILEGE_SET, Privilege[PrivilegeCount]);
1831 
1832  /* Probe the whole structure */
1833  ProbeForRead(PrivilegeSet, PrivilegeSetSize, sizeof(ULONG));
1834 
1835  /* Allocate a temp buffer */
1836  CapturedPrivilegeSet = ExAllocatePoolWithTag(PagedPool,
1837  PrivilegeSetSize,
1839  if (CapturedPrivilegeSet == NULL)
1840  {
1841  DPRINT1("Failed to allocate %u bytes\n", PrivilegeSetSize);
1843  _SEH2_YIELD(goto Cleanup);
1844  }
1845 
1846  /* Copy the privileges */
1847  RtlCopyMemory(CapturedPrivilegeSet, PrivilegeSet, PrivilegeSetSize);
1848  }
1849 
1850  if (HandleId != NULL)
1851  {
1852  ProbeForRead(HandleId, sizeof(PVOID), sizeof(PVOID));
1853  CapturedHandleId = *(PVOID*)HandleId;
1854  }
1855 
1856  ProbeForWrite(GenerateOnClose, sizeof(BOOLEAN), sizeof(BOOLEAN));
1857  }
1859  {
1861  DPRINT1("Exception while probing parameters: 0x%lx\n", Status);
1862  _SEH2_YIELD(goto Cleanup);
1863  }
1864  _SEH2_END;
1865 
1866  /* Probe and capture the subsystem name */
1867  Status = ProbeAndCaptureUnicodeString(&CapturedSubsystemName,
1868  UserMode,
1869  SubsystemName);
1870  if (!NT_SUCCESS(Status))
1871  {
1872  DPRINT1("Failed to capture subsystem name!\n");
1873  goto Cleanup;
1874  }
1875 
1876  /* Probe and capture the object type name */
1877  Status = ProbeAndCaptureUnicodeString(&CapturedObjectTypeName,
1878  UserMode,
1879  ObjectTypeName);
1880  if (!NT_SUCCESS(Status))
1881  {
1882  DPRINT1("Failed to capture object type name!\n");
1883  goto Cleanup;
1884  }
1885 
1886  /* Probe and capture the object name */
1887  Status = ProbeAndCaptureUnicodeString(&CapturedObjectName,
1888  UserMode,
1889  ObjectName);
1890  if (!NT_SUCCESS(Status))
1891  {
1892  DPRINT1("Failed to capture object name!\n");
1893  goto Cleanup;
1894  }
1895 
1896  /* Call the internal function */
1898  &CapturedSubsystemName,
1899  CapturedHandleId,
1900  &CapturedObjectTypeName,
1901  &CapturedObjectName,
1902  CapturedSecurityDescriptor,
1903  ClientToken,
1904  DesiredAccess,
1905  GrantedAccess,
1906  CapturedPrivilegeSet,
1907  ObjectCreation,
1908  AccessGranted,
1909  &LocalGenerateOnClose);
1910 
1912 
1913  /* Enter SEH to copy the data back to user mode */
1914  _SEH2_TRY
1915  {
1916  *GenerateOnClose = LocalGenerateOnClose;
1917  }
1919  {
1921  DPRINT1("Exception while copying back data: 0x%lx\n", Status);
1922  }
1923  _SEH2_END;
1924 
1925 Cleanup:
1926 
1927  if (CapturedObjectName.Buffer != NULL)
1928  ReleaseCapturedUnicodeString(&CapturedObjectName, UserMode);
1929 
1930  if (CapturedObjectTypeName.Buffer != NULL)
1931  ReleaseCapturedUnicodeString(&CapturedObjectTypeName, UserMode);
1932 
1933  if (CapturedSubsystemName.Buffer != NULL)
1934  ReleaseCapturedUnicodeString(&CapturedSubsystemName, UserMode);
1935 
1936  if (CapturedSecurityDescriptor != NULL)
1937  SeReleaseSecurityDescriptor(CapturedSecurityDescriptor, UserMode, FALSE);
1938 
1939  if (CapturedPrivilegeSet != NULL)
1940  ExFreePoolWithTag(CapturedPrivilegeSet, TAG_PRIVILEGE_SET);
1941 
1942  /* Release the security subject context */
1944 
1945  ObDereferenceObject(ClientToken);
1946 
1947  return Status;
1948 }
1949 
1982 NTSTATUS
1983 NTAPI
1985  _In_opt_ PUNICODE_STRING SubsystemName,
1987  _In_ HANDLE ClientTokenHandle,
1990 {
1992  PTOKEN ClientToken;
1993  volatile PPRIVILEGE_SET CapturedPrivileges = NULL;
1994  UNICODE_STRING CapturedSubsystemName;
1995  UNICODE_STRING CapturedServiceName;
1996  ULONG PrivilegeCount, PrivilegesSize;
1998  NTSTATUS Status;
1999  PAGED_CODE();
2000 
2001  /* Get the previous mode (only user mode is supported!) */
2004 
2005  CapturedSubsystemName.Buffer = NULL;
2006  CapturedServiceName.Buffer = NULL;
2007 
2008  /* Reference the client token */
2009  Status = ObReferenceObjectByHandle(ClientTokenHandle,
2010  TOKEN_QUERY,
2012  PreviousMode,
2013  (PVOID*)&ClientToken,
2014  NULL);
2015  if (!NT_SUCCESS(Status))
2016  {
2017  DPRINT1("Failed to reference client token: 0x%lx\n", Status);
2018  return Status;
2019  }
2020 
2021  /* Validate the token's impersonation level */
2022  if ((ClientToken->TokenType == TokenImpersonation) &&
2023  (ClientToken->ImpersonationLevel < SecurityIdentification))
2024  {
2025  DPRINT1("Invalid impersonation level (%u)\n", ClientToken->ImpersonationLevel);
2026  ObDereferenceObject(ClientToken);
2028  }
2029 
2030  /* Capture the security subject context */
2032 
2033  /* Check for audit privilege */
2035  {
2036  DPRINT1("Caller does not have SeAuditPrivilege\n");
2038  goto Cleanup;
2039  }
2040 
2041  /* Do we have a subsystem name? */
2042  if (SubsystemName != NULL)
2043  {
2044  /* Probe and capture the subsystem name */
2045  Status = ProbeAndCaptureUnicodeString(&CapturedSubsystemName,
2046  PreviousMode,
2047  SubsystemName);
2048  if (!NT_SUCCESS(Status))
2049  {
2050  DPRINT1("Failed to capture subsystem name!\n");
2051  goto Cleanup;
2052  }
2053  }
2054 
2055  /* Do we have a service name? */
2056  if (ServiceName != NULL)
2057  {
2058  /* Probe and capture the service name */
2059  Status = ProbeAndCaptureUnicodeString(&CapturedServiceName,
2060  PreviousMode,
2061  ServiceName);
2062  if (!NT_SUCCESS(Status))
2063  {
2064  DPRINT1("Failed to capture service name!\n");
2065  goto Cleanup;
2066  }
2067  }
2068 
2069  _SEH2_TRY
2070  {
2071  /* Probe the basic privilege set structure */
2072  ProbeForRead(Privileges, sizeof(PRIVILEGE_SET), sizeof(ULONG));
2073 
2074  /* Validate privilege count */
2075  PrivilegeCount = Privileges->PrivilegeCount;
2076  if (PrivilegeCount > SEP_PRIVILEGE_SET_MAX_COUNT)
2077  {
2079  _SEH2_YIELD(goto Cleanup);
2080  }
2081 
2082  /* Calculate the size of the Privileges structure */
2083  PrivilegesSize = FIELD_OFFSET(PRIVILEGE_SET, Privilege[PrivilegeCount]);
2084 
2085  /* Probe the whole structure */
2086  ProbeForRead(Privileges, PrivilegesSize, sizeof(ULONG));
2087 
2088  /* Allocate a temp buffer */
2089  CapturedPrivileges = ExAllocatePoolWithTag(PagedPool,
2090  PrivilegesSize,
2092  if (CapturedPrivileges == NULL)
2093  {
2094  DPRINT1("Failed to allocate %u bytes\n", PrivilegesSize);
2096  _SEH2_YIELD(goto Cleanup);
2097  }
2098 
2099  /* Copy the privileges */
2100  RtlCopyMemory(CapturedPrivileges, Privileges, PrivilegesSize);
2101  }
2103  {
2105  DPRINT1("Got exception 0x%lx\n", Status);
2106  _SEH2_YIELD(goto Cleanup);
2107  }
2108  _SEH2_END;
2109 
2110  /* Call the internal function */
2112  SubsystemName ? &CapturedSubsystemName : NULL,
2113  ServiceName ? &CapturedServiceName : NULL,
2114  ClientToken,
2115  SubjectContext.PrimaryToken,
2116  CapturedPrivileges,
2117  AccessGranted);
2118 
2120 
2121 Cleanup:
2122  /* Cleanup resources */
2123  if (CapturedSubsystemName.Buffer != NULL)
2124  ReleaseCapturedUnicodeString(&CapturedSubsystemName, PreviousMode);
2125 
2126  if (CapturedServiceName.Buffer != NULL)
2127  ReleaseCapturedUnicodeString(&CapturedServiceName, PreviousMode);
2128 
2129  if (CapturedPrivileges != NULL)
2130  ExFreePoolWithTag(CapturedPrivileges, TAG_PRIVILEGE_SET);
2131 
2132  /* Release the security subject context */
2134 
2135  ObDereferenceObject(ClientToken);
2136 
2137  return Status;
2138 }
2139 
2168  _In_ PUNICODE_STRING SubsystemName,
2169  _In_ PVOID HandleId,
2170  _In_ HANDLE ClientToken,
2174 {
2175  UNIMPLEMENTED;
2176  return STATUS_NOT_IMPLEMENTED;
2177 }
2178 
2224 NTSTATUS
2225 NTAPI
2227  _In_ PUNICODE_STRING SubsystemName,
2228  _In_opt_ PVOID HandleId,
2234  _In_ BOOLEAN ObjectCreation,
2238 {
2239  /* Call the internal function */
2240  return SepAccessCheckAndAuditAlarm(SubsystemName,
2241  HandleId,
2242  NULL,
2244  ObjectName,
2246  NULL,
2247  DesiredAccess,
2249  0,
2250  NULL,
2251  0,
2253  GrantedAccess,
2254  AccessStatus,
2256  FALSE);
2257 }
2258 
2321 NTSTATUS
2322 NTAPI
2324  _In_ PUNICODE_STRING SubsystemName,
2325  _In_opt_ PVOID HandleId,
2329  _In_opt_ PSID PrincipalSelfSid,
2331  _In_ AUDIT_EVENT_TYPE AuditType,
2332  _In_ ULONG Flags,
2333  _In_reads_opt_(ObjectTypeLength) POBJECT_TYPE_LIST ObjectTypeList,
2334  _In_ ULONG ObjectTypeLength,
2336  _In_ BOOLEAN ObjectCreation,
2340 {
2341  /* Call the internal function */
2342  return SepAccessCheckAndAuditAlarm(SubsystemName,
2343  HandleId,
2344  NULL,
2346  ObjectName,
2348  PrincipalSelfSid,
2349  DesiredAccess,
2350  AuditType,
2351  Flags,
2352  ObjectTypeList,
2353  ObjectTypeLength,
2355  GrantedAccess,
2356  AccessStatus,
2358  FALSE);
2359 }
2360 
2423 NTSTATUS
2424 NTAPI
2426  _In_ PUNICODE_STRING SubsystemName,
2427  _In_opt_ PVOID HandleId,
2431  _In_opt_ PSID PrincipalSelfSid,
2433  _In_ AUDIT_EVENT_TYPE AuditType,
2434  _In_ ULONG Flags,
2435  _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList,
2436  _In_ ULONG ObjectTypeListLength,
2438  _In_ BOOLEAN ObjectCreation,
2439  _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccessList,
2440  _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatusList,
2442 {
2443  /* Call the internal function */
2444  return SepAccessCheckAndAuditAlarm(SubsystemName,
2445  HandleId,
2446  NULL,
2448  ObjectName,
2450  PrincipalSelfSid,
2451  DesiredAccess,
2452  AuditType,
2453  Flags,
2454  ObjectTypeList,
2455  ObjectTypeListLength,
2457  GrantedAccessList,
2458  AccessStatusList,
2460  TRUE);
2461 }
2462 
2529 NTSTATUS
2530 NTAPI
2532  _In_ PUNICODE_STRING SubsystemName,
2533  _In_opt_ PVOID HandleId,
2534  _In_ HANDLE ClientToken,
2538  _In_opt_ PSID PrincipalSelfSid,
2540  _In_ AUDIT_EVENT_TYPE AuditType,
2541  _In_ ULONG Flags,
2542  _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList,
2543  _In_ ULONG ObjectTypeListLength,
2545  _In_ BOOLEAN ObjectCreation,
2546  _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccessList,
2547  _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatusList,
2549 {
2550  UNREFERENCED_PARAMETER(ObjectCreation);
2551 
2552  /* Call the internal function */
2553  return SepAccessCheckAndAuditAlarm(SubsystemName,
2554  HandleId,
2555  &ClientToken,
2557  ObjectName,
2559  PrincipalSelfSid,
2560  DesiredAccess,
2561  AuditType,
2562  Flags,
2563  ObjectTypeList,
2564  ObjectTypeListLength,
2566  GrantedAccessList,
2567  AccessStatusList,
2569  TRUE);
2570 }
2571 
2572 /* EOF */
static __inline NTSTATUS ProbeAndCaptureUnicodeString(OUT PUNICODE_STRING Dest, IN KPROCESSOR_MODE CurrentMode, IN const UNICODE_STRING *UnsafeSrc)
Definition: probe.h:142
static POBJECTS_AND_NAME_A SE_OBJECT_TYPE LPSTR ObjectTypeName
Definition: security.c:77
* PNTSTATUS
Definition: strlen.c:14
IN CINT OUT PVOID IN ULONG OUT PULONG ReturnLength
Definition: dumpinfo.c:39
NTSTATUS NTAPI SeLocateProcessImageName(_In_ PEPROCESS Process, _Out_ PUNICODE_STRING *ProcessImageName)
Finds the process image name of a specific process.
Definition: audit.c:199
_Must_inspect_result_ __kernel_entry NTSTATUS NTAPI NtAccessCheckByTypeResultListAndAuditAlarm(_In_ PUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ PUNICODE_STRING ObjectTypeName, _In_ PUNICODE_STRING ObjectName, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_opt_ PSID PrincipalSelfSid, _In_ ACCESS_MASK DesiredAccess, _In_ AUDIT_EVENT_TYPE AuditType, _In_ ULONG Flags, _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList, _In_ ULONG ObjectTypeListLength, _In_ PGENERIC_MAPPING GenericMapping, _In_ BOOLEAN ObjectCreation, _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccessList, _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatusList, _Out_ PBOOLEAN GenerateOnClose)
Raises an alarm audit message when a caller attempts to access an object and determine if the access ...
Definition: audit.c:2425
#define STATUS_PRIVILEGE_NOT_HELD
Definition: DriverTester.h:9
_Inout_ PLIST_ENTRY _In_ PVOID _In_ PSTRING _In_ BOOLEAN _In_ BOOLEAN _In_ ULONG _In_ PFLT_CALLBACK_DATA _In_opt_ PCHECK_FOR_TRAVERSE_ACCESS _In_opt_ PSECURITY_SUBJECT_CONTEXT SubjectContext
Definition: fltkernel.h:2238
_Must_inspect_result_ _In_ WDFDEVICE _In_ ULONG _In_ ACCESS_MASK DesiredAccess
Definition: wdfdevice.h:2654
#define GENERIC_ALL
Definition: nt_native.h:92
#define STATUS_INVALID_SECURITY_DESCR
Definition: ntstatus.h:357
#define STATUS_BAD_IMPERSONATION_LEVEL
Definition: ntstatus.h:401
#define STATUS_INSUFFICIENT_RESOURCES
Definition: udferr_usr.h:158
struct _OBJECT_TYPE_LIST OBJECT_TYPE_LIST
#define _In_opt_
Definition: ms_sal.h:309
#define STATUS_INFO_LENGTH_MISMATCH
Definition: udferr_usr.h:133
static VOID SeReleaseObjectTypeList(_In_ _Post_invalid_ POBJECT_TYPE_LIST CapturedObjectTypeList, _In_ KPROCESSOR_MODE PreviousMode)
Releases a buffer list of object types.
Definition: audit.c:507
#define PsGetCurrentThread()
Definition: env_spec_w32.h:81
USHORT MaximumLength
Definition: env_spec_w32.h:370
BOOLEAN NTAPI SeAuditingHardLinkEvents(_In_ BOOLEAN AccessGranted, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor)
Determines whether auditing against hard links events is being done or not.
Definition: audit.c:1151
#define _Out_
Definition: ms_sal.h:345
_In_ PSECURITY_SUBJECT_CONTEXT _In_ BOOLEAN _In_ ACCESS_MASK _In_ ACCESS_MASK _Outptr_opt_ PPRIVILEGE_SET _In_ PGENERIC_MAPPING _In_ KPROCESSOR_MODE _Out_ PACCESS_MASK _Out_ PNTSTATUS AccessStatus
Definition: sefuncs.h:13
#define TRUE
Definition: types.h:120
#define UNREFERENCED_PARAMETER(P)
Definition: ntbasedef.h:317
_In_ USHORT _In_ ULONG _In_ PSOCKADDR _In_ PSOCKADDR _Reserved_ ULONG _In_opt_ PVOID _In_opt_ const WSK_CLIENT_CONNECTION_DISPATCH _In_opt_ PEPROCESS _In_opt_ PETHREAD _In_opt_ PSECURITY_DESCRIPTOR SecurityDescriptor
Definition: wsk.h:182
#define STATUS_INVALID_PARAMETER
Definition: udferr_usr.h:135
#define DBG_UNREFERENCED_PARAMETER(P)
Definition: ntbasedef.h:318
uint16_t * PWSTR
Definition: typedefs.h:56
NTSTATUS NTAPI SepCaptureSid(_In_ PSID InputSid, _In_ KPROCESSOR_MODE AccessMode, _In_ POOL_TYPE PoolType, _In_ BOOLEAN CaptureIfKernel, _Out_ PSID *CapturedSid)
Captures a SID.
Definition: sid.c:306
_In_opt_ PVOID _In_opt_ PUNICODE_STRING _In_ PSECURITY_DESCRIPTOR _In_ PACCESS_STATE _In_ BOOLEAN ObjectCreated
Definition: sefuncs.h:414
LONG NTSTATUS
Definition: precomp.h:26
_IRQL_requires_same_ _In_ PLSA_STRING _In_ SECURITY_LOGON_TYPE _In_ ULONG _In_ ULONG _In_opt_ PTOKEN_GROUPS _In_ PTOKEN_SOURCE _Out_ PVOID _Out_ PULONG _Inout_ PLUID _Out_ PHANDLE Token
VOID NTAPI SepAdtPrivilegedServiceAuditAlarm(_In_ PSECURITY_SUBJECT_CONTEXT SubjectContext, _In_opt_ PUNICODE_STRING SubsystemName, _In_opt_ PUNICODE_STRING ServiceName, _In_ PTOKEN Token, _In_ PTOKEN PrimaryToken, _In_ PPRIVILEGE_SET Privileges, _In_ BOOLEAN AccessGranted)
Performs an audit alarm to a privileged service request. This is a worker function.
Definition: audit.c:332
_Out_ PBOOLEAN CopyOnOpen
Definition: psfuncs.h:154
IN PVOID IN PVOID IN USHORT IN USHORT Size
Definition: pci.h:361
NTSTATUS NTAPI ObQueryNameString(IN PVOID Object, OUT POBJECT_NAME_INFORMATION ObjectNameInfo, IN ULONG Length, OUT PULONG ReturnLength)
Definition: obname.c:1209
BOOLEAN NTAPI SeDetailedAuditingWithToken(_In_ PTOKEN Token)
Peforms a detailed security auditing with an access token.
Definition: audit.c:34
KPROCESSOR_MODE NTAPI ExGetPreviousMode(VOID)
Definition: sysinfo.c:3070
FORCEINLINE PSID SepGetGroupFromDescriptor(_Inout_ PVOID _Descriptor)
Definition: se.h:39
static NTSTATUS SeCaptureObjectTypeList(_In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList, _In_ ULONG ObjectTypeListLength, _In_ KPROCESSOR_MODE PreviousMode, _Out_ POBJECT_TYPE_LIST *CapturedObjectTypeList)
Captures a list of object types.
Definition: audit.c:438
BOOLEAN NTAPI SeAuditingFileEvents(_In_ BOOLEAN AccessGranted, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor)
Determines whether auditing against file events is being done or not.
Definition: audit.c:1094
FORCEINLINE PSID SepGetOwnerFromDescriptor(_Inout_ PVOID _Descriptor)
Definition: se.h:59
UNICODE_STRING Name
Definition: nt_native.h:1270
_In_ PVOID _Out_opt_ PULONG_PTR _Outptr_opt_ PCUNICODE_STRING * ObjectName
Definition: cmfuncs.h:62
#define SEP_PRIVILEGE_SET_MAX_COUNT
Definition: audit.c:15
_Must_inspect_result_ __kernel_entry NTSTATUS NTAPI NtAccessCheckByTypeAndAuditAlarm(_In_ PUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ PUNICODE_STRING ObjectTypeName, _In_ PUNICODE_STRING ObjectName, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_opt_ PSID PrincipalSelfSid, _In_ ACCESS_MASK DesiredAccess, _In_ AUDIT_EVENT_TYPE AuditType, _In_ ULONG Flags, _In_reads_opt_(ObjectTypeLength) POBJECT_TYPE_LIST ObjectTypeList, _In_ ULONG ObjectTypeLength, _In_ PGENERIC_MAPPING GenericMapping, _In_ BOOLEAN ObjectCreation, _Out_ PACCESS_MASK GrantedAccess, _Out_ PNTSTATUS AccessStatus, _Out_ PBOOLEAN GenerateOnClose)
Raises an alarm audit message when a caller attempts to access an object and determine if the access ...
Definition: audit.c:2323
NTSTATUS NTAPI NtPrivilegeObjectAuditAlarm(_In_ PUNICODE_STRING SubsystemName, _In_ PVOID HandleId, _In_ HANDLE ClientToken, _In_ ULONG DesiredAccess, _In_ PPRIVILEGE_SET Privileges, _In_ BOOLEAN AccessGranted)
Raises an alarm audit message when a caller attempts to access a privileged object.
Definition: audit.c:2167
#define _In_reads_opt_(size)
Definition: ms_sal.h:320
static BOOLEAN bSuccess
Definition: drive.cpp:432
VOID NTAPI ProbeForWrite(IN PVOID Address, IN SIZE_T Length, IN ULONG Alignment)
Definition: exintrin.c:143
VOID NTAPI SepReleaseSid(_In_ PSID CapturedSid, _In_ KPROCESSOR_MODE AccessMode, _In_ BOOLEAN CaptureIfKernel)
Releases a captured SID.
Definition: sid.c:392
#define STATUS_BUFFER_TOO_SMALL
Definition: shellext.h:69
_SEH2_TRY
Definition: create.c:4226
VOID NTAPI SepAdtCloseObjectAuditAlarm(_In_ PUNICODE_STRING SubsystemName, _In_ PVOID HandleId, _In_ PSID Sid)
Closes an audit alarm event of an object.
Definition: audit.c:287
return STATUS_NOT_IMPLEMENTED
NTSTATUS NTAPI ObReferenceObjectByHandle(IN HANDLE Handle, IN ACCESS_MASK DesiredAccess, IN POBJECT_TYPE ObjectType, IN KPROCESSOR_MODE AccessMode, OUT PVOID *Object, OUT POBJECT_HANDLE_INFORMATION HandleInformation OPTIONAL)
Definition: obref.c:494
enum _AUDIT_EVENT_TYPE AUDIT_EVENT_TYPE
NTSTATUS(* NTAPI)(IN PFILE_FULL_EA_INFORMATION EaBuffer, IN ULONG EaLength, OUT PULONG ErrorOffset)
Definition: IoEaTest.cpp:117
#define FALSE
Definition: types.h:117
PSE_EXPORTS SeExports
Definition: semgr.c:21
enum _SECURITY_IMPERSONATION_LEVEL SECURITY_IMPERSONATION_LEVEL
#define GENERIC_WRITE
Definition: nt_native.h:90
_In_ PEPROCESS _In_ KPROCESSOR_MODE AccessMode
Definition: mmfuncs.h:395
#define InterlockedCompareExchangePointer
Definition: interlocked.h:129
#define STATUS_GENERIC_NOT_MAPPED
Definition: ntstatus.h:466
#define PsGetCurrentProcess
Definition: psfuncs.h:17
unsigned char BOOLEAN
struct _OBJECT_NAME_INFORMATION OBJECT_NAME_INFORMATION
PSID SeNetworkServiceSid
Definition: setypes.h:1209
POBJECT_TYPE SeTokenObjectType
Definition: token.c:19
BOOLEAN NTAPI PsIsThreadImpersonating(IN PETHREAD Thread)
Definition: thread.c:888
#define _In_
Definition: ms_sal.h:308
_In_ ULONG _In_ ACCESS_MASK _In_ PSID Sid
Definition: rtlfuncs.h:1103
#define STATUS_NO_IMPERSONATION_TOKEN
Definition: ntstatus.h:328
_In_ WDFREQUEST _In_ WDFFILEOBJECT FileObject
Definition: wdfdevice.h:547
VOID NTAPI SeOpenObjectAuditAlarm(_In_ PUNICODE_STRING ObjectTypeName, _In_opt_ PVOID Object, _In_opt_ PUNICODE_STRING AbsoluteObjectName, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ PACCESS_STATE AccessState, _In_ BOOLEAN ObjectCreated, _In_ BOOLEAN AccessGranted, _In_ KPROCESSOR_MODE AccessMode, _Out_ PBOOLEAN GenerateOnClose)
Creates an audit with alarm notification of an object that is being opened.
Definition: audit.c:1314
_Must_inspect_result_ __kernel_entry NTSTATUS NTAPI NtAccessCheckAndAuditAlarm(_In_ PUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ PUNICODE_STRING ObjectTypeName, _In_ PUNICODE_STRING ObjectName, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ ACCESS_MASK DesiredAccess, _In_ PGENERIC_MAPPING GenericMapping, _In_ BOOLEAN ObjectCreation, _Out_ PACCESS_MASK GrantedAccess, _Out_ PNTSTATUS AccessStatus, _Out_ PBOOLEAN GenerateOnClose)
Raises an alarm audit message when a caller attempts to access an object and determine if the access ...
Definition: audit.c:2226
Status
Definition: gdiplustypes.h:24
static __inline VOID ReleaseCapturedUnicodeString(IN PUNICODE_STRING CapturedString, IN KPROCESSOR_MODE CurrentMode)
Definition: probe.h:239
__kernel_entry NTSTATUS NTAPI NtPrivilegedServiceAuditAlarm(_In_opt_ PUNICODE_STRING SubsystemName, _In_opt_ PUNICODE_STRING ServiceName, _In_ HANDLE ClientTokenHandle, _In_ PPRIVILEGE_SET Privileges, _In_ BOOLEAN AccessGranted)
Raises an alarm audit message when a caller attempts to request a privileged service call.
Definition: audit.c:1984
_In_ KPROCESSOR_MODE PreviousMode
Definition: sefuncs.h:103
_Must_inspect_result_ _In_ ULONG Flags
Definition: wsk.h:170
LPTSTR ServiceName
Definition: ServiceMain.c:15
#define TOKEN_QUERY
Definition: setypes.h:893
#define __kernel_entry
Definition: specstrings.h:355
#define ASSERT(a)
Definition: mode.c:44
#define NT_SUCCESS(StatCode)
Definition: apphelp.c:32
VOID NTAPI SeDeleteObjectAuditAlarm(_In_ PVOID Object, _In_ HANDLE Handle)
Deletes an alarm audit of an object.
Definition: audit.c:1264
#define EXCEPTION_EXECUTE_HANDLER
Definition: excpt.h:85
VOID NTAPI SeCaptureSubjectContext(_Out_ PSECURITY_SUBJECT_CONTEXT SubjectContext)
Captures the security subject context of the calling thread and calling process.
Definition: access.c:434
NTSTATUS NTAPI SeCaptureSecurityDescriptor(_In_ PSECURITY_DESCRIPTOR _OriginalSecurityDescriptor, _In_ KPROCESSOR_MODE CurrentMode, _In_ POOL_TYPE PoolType, _In_ BOOLEAN CaptureIfKernel, _Out_ PSECURITY_DESCRIPTOR *CapturedSecurityDescriptor)
Captures a security descriptor.
Definition: sd.c:362
_Out_ PBOOLEAN _Out_ PBOOLEAN _Out_ PSECURITY_IMPERSONATION_LEVEL ImpersonationLevel
Definition: psfuncs.h:154
#define ObDereferenceObject
Definition: obfuncs.h:203
_In_opt_ PVOID _In_opt_ PUNICODE_STRING _In_ PSECURITY_DESCRIPTOR _In_ PACCESS_STATE _In_ BOOLEAN _In_ BOOLEAN _In_ KPROCESSOR_MODE _In_opt_ GUID _Out_ PBOOLEAN GenerateOnClose
Definition: sefuncs.h:414
BOOL Privilege(LPTSTR pszPrivilege, BOOL bEnable)
Definition: user_lib.cpp:531
CCHAR KPROCESSOR_MODE
Definition: ketypes.h:7
* PFILE_OBJECT
Definition: iotypes.h:1998
_In_ PSECURITY_SUBJECT_CONTEXT _In_ BOOLEAN _In_ ACCESS_MASK _In_ ACCESS_MASK _Outptr_opt_ PPRIVILEGE_SET * Privileges
Definition: sefuncs.h:13
_In_opt_ PVOID _In_opt_ PUNICODE_STRING AbsoluteObjectName
Definition: sefuncs.h:414
_In_opt_ PVOID _In_opt_ PUNICODE_STRING _In_ PSECURITY_DESCRIPTOR _In_ PACCESS_STATE AccessState
Definition: sefuncs.h:414
#define ExAllocatePoolWithTag(hernya, size, tag)
Definition: env_spec_w32.h:350
static const char * ImageName
Definition: image.c:34
char * PBOOLEAN
Definition: retypes.h:11
VOID NTAPI ProbeForRead(IN CONST VOID *Address, IN SIZE_T Length, IN ULONG Alignment)
Definition: exintrin.c:102
static const WCHAR L[]
Definition: oid.c:1250
NTSTATUS NTAPI NtDeleteObjectAuditAlarm(_In_ PUNICODE_STRING SubsystemName, _In_ PVOID HandleId, _In_ BOOLEAN GenerateOnClose)
Raises an alarm audit message when an object is about to be deleted.
Definition: audit.c:1576
PSID SeLocalServiceSid
Definition: setypes.h:1208
BOOLEAN NTAPI SeAuditingFileOrGlobalEvents(_In_ BOOLEAN AccessGranted, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext)
Determines whether auditing against files or global events with subject context is being done or not.
Definition: audit.c:1212
PVOID *typedef PHANDLE
Definition: ntsecpkg.h:454
BOOLEAN NTAPI SeAuditingFileEventsWithContext(_In_ BOOLEAN AccessGranted, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_opt_ PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext)
Determines whether auditing against file events with subject context is being done or not.
Definition: audit.c:1124
VOID NTAPI SePrivilegeObjectAuditAlarm(_In_ HANDLE Handle, _In_ PSECURITY_SUBJECT_CONTEXT SubjectContext, _In_ ACCESS_MASK DesiredAccess, _In_ PPRIVILEGE_SET Privileges, _In_ BOOLEAN AccessGranted, _In_ KPROCESSOR_MODE CurrentMode)
Raises an audit with alarm notification message when an object tries to acquire this privilege.
Definition: audit.c:1422
#define GENERIC_READ
Definition: compat.h:135
NTSTATUS NTAPI SeReleaseSecurityDescriptor(_In_ PSECURITY_DESCRIPTOR CapturedSecurityDescriptor, _In_ KPROCESSOR_MODE CurrentMode, _In_ BOOLEAN CaptureIfKernelMode)
Releases a captured security descriptor buffer.
Definition: sd.c:736
PACCESS_TOKEN NTAPI PsReferencePrimaryToken(PEPROCESS Process)
Definition: security.c:440
static const WCHAR Cleanup[]
Definition: register.c:80
#define _Must_inspect_result_
Definition: ms_sal.h:558
#define _Post_invalid_
Definition: ms_sal.h:695
VOID NTAPI SeOpenObjectForDeleteAuditAlarm(_In_ PUNICODE_STRING ObjectTypeName, _In_opt_ PVOID Object, _In_opt_ PUNICODE_STRING AbsoluteObjectName, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ PACCESS_STATE AccessState, _In_ BOOLEAN ObjectCreated, _In_ BOOLEAN AccessGranted, _In_ KPROCESSOR_MODE AccessMode, _Out_ PBOOLEAN GenerateOnClose)
Creates an audit with alarm notification of an object that is being opened for deletion.
Definition: audit.c:1377
_Must_inspect_result_ _In_ WDFCOLLECTION _In_ WDFOBJECT Object
__kernel_entry NTSTATUS NTAPI NtOpenObjectAuditAlarm(_In_ PUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ PUNICODE_STRING ObjectTypeName, _In_ PUNICODE_STRING ObjectName, _In_opt_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ HANDLE ClientTokenHandle, _In_ ACCESS_MASK DesiredAccess, _In_ ACCESS_MASK GrantedAccess, _In_opt_ PPRIVILEGE_SET PrivilegeSet, _In_ BOOLEAN ObjectCreation, _In_ BOOLEAN AccessGranted, _Out_ PBOOLEAN GenerateOnClose)
Raises an alarm audit message when an object is about to be opened.
Definition: audit.c:1723
PACCESS_TOKEN NTAPI PsReferenceImpersonationToken(IN PETHREAD Thread, OUT PBOOLEAN CopyOnOpen, OUT PBOOLEAN EffectiveOnly, OUT PSECURITY_IMPERSONATION_LEVEL ImpersonationLevel)
Definition: security.c:849
ULONG_PTR SIZE_T
Definition: typedefs.h:80
static GENERIC_MAPPING GenericMapping
Definition: SeInheritance.c:11
_SEH2_END
Definition: create.c:4400
#define STATUS_BUFFER_OVERFLOW
Definition: shellext.h:66
GLsizei GLenum const GLvoid GLsizei GLenum GLbyte GLbyte GLbyte GLdouble GLdouble GLdouble GLfloat GLfloat GLfloat GLint GLint GLint GLshort GLshort GLshort GLubyte GLubyte GLubyte GLuint GLuint GLuint GLushort GLushort GLushort GLbyte GLbyte GLbyte GLbyte GLdouble GLdouble GLdouble GLdouble GLfloat GLfloat GLfloat GLfloat GLint GLint GLint GLint GLshort GLshort GLshort GLshort GLubyte GLubyte GLubyte GLubyte GLuint GLuint GLuint GLuint GLushort GLushort GLushort GLushort GLboolean const GLdouble const GLfloat const GLint const GLshort const GLbyte const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLdouble const GLfloat const GLfloat const GLint const GLint const GLshort const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort GLenum GLenum GLenum GLfloat GLenum GLint GLenum GLenum GLenum GLfloat GLenum GLenum GLint GLenum GLfloat GLenum GLint GLint GLushort GLenum GLenum GLfloat GLenum GLenum GLint GLfloat const GLubyte GLenum GLenum GLenum const GLfloat GLenum GLenum const GLint GLenum GLint GLint GLsizei GLsizei GLint GLenum GLenum const GLvoid GLenum GLenum const GLfloat GLenum GLenum const GLint GLenum GLenum const GLdouble GLenum GLenum const GLfloat GLenum GLenum const GLint GLsizei GLuint GLfloat GLuint GLbitfield GLfloat GLint GLuint GLboolean GLenum GLfloat GLenum GLbitfield GLenum GLfloat GLfloat GLint GLint const GLfloat GLenum GLfloat GLfloat GLint GLint GLfloat GLfloat GLint GLint const GLfloat GLint GLfloat GLfloat GLint GLfloat GLfloat GLint GLfloat GLfloat const GLdouble const GLfloat const GLdouble const GLfloat GLint i
Definition: glfuncs.h:248
VOID NTAPI SeCloseObjectAuditAlarm(_In_ PVOID Object, _In_ HANDLE Handle, _In_ BOOLEAN PerformAction)
Closes an alarm audit of an object.
Definition: audit.c:1241
BOOLEAN NTAPI SeAuditingHardLinkEventsWithContext(_In_ BOOLEAN AccessGranted, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_opt_ PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext)
Determines whether auditing against hard links events with subject context is being done or not.
Definition: audit.c:1181
_In_opt_ PVOID _In_opt_ PUNICODE_STRING _In_ PSECURITY_DESCRIPTOR _In_ PACCESS_STATE _In_ BOOLEAN _In_ BOOLEAN AccessGranted
Definition: sefuncs.h:414
#define STATUS_NO_MEMORY
Definition: ntstatus.h:260
UNICODE_STRING SeSubsystemName
Definition: audit.c:17
#define FIELD_OFFSET(t, f)
Definition: typedefs.h:255
#define NULL
Definition: types.h:112
BOOLEAN NTAPI SeCheckAuditPrivilege(_In_ PSECURITY_SUBJECT_CONTEXT SubjectContext, _In_ KPROCESSOR_MODE PreviousMode)
Checks a single privilege and performs an audit against a privileged service based on a security subj...
Definition: priv.c:358
VOID NTAPI SeReleaseSubjectContext(_In_ PSECURITY_SUBJECT_CONTEXT SubjectContext)
Releases both the primary and client tokens of a security subject context.
Definition: access.c:520
VOID NTAPI PsDereferencePrimaryToken(IN PACCESS_TOKEN PrimaryToken)
Definition: security.c:902
#define DPRINT1
Definition: precomp.h:8
_Must_inspect_result_ __kernel_entry NTSTATUS NTAPI NtAccessCheckByTypeResultListAndAuditAlarmByHandle(_In_ PUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ HANDLE ClientToken, _In_ PUNICODE_STRING ObjectTypeName, _In_ PUNICODE_STRING ObjectName, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_opt_ PSID PrincipalSelfSid, _In_ ACCESS_MASK DesiredAccess, _In_ AUDIT_EVENT_TYPE AuditType, _In_ ULONG Flags, _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList, _In_ ULONG ObjectTypeListLength, _In_ PGENERIC_MAPPING GenericMapping, _In_ BOOLEAN ObjectCreation, _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccessList, _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatusList, _Out_ PBOOLEAN GenerateOnClose)
Raises an alarm audit message when a caller attempts to access an object and determine if the access ...
Definition: audit.c:2531
#define AUDIT_ALLOW_NO_PRIVILEGE
Definition: setypes.h:837
PSID SeLocalSystemSid
Definition: sid.c:36
VOID NTAPI SePrivilegedServiceAuditAlarm(_In_opt_ PUNICODE_STRING ServiceName, _In_ PSECURITY_SUBJECT_CONTEXT SubjectContext, _In_ PPRIVILEGE_SET PrivilegeSet, _In_ BOOLEAN AccessGranted)
Performs an audit alarm to a privileged service request.
Definition: audit.c:369
_Must_inspect_result_ _In_ PLARGE_INTEGER _In_ PLARGE_INTEGER _In_ ULONG _In_ PFILE_OBJECT _In_ PVOID Process
Definition: fsrtlfuncs.h:219
_In_ HANDLE Handle
Definition: extypes.h:390
NTSTATUS NTAPI SeInitializeProcessAuditName(_In_ PFILE_OBJECT FileObject, _In_ BOOLEAN DoAudit, _Out_ POBJECT_NAME_INFORMATION *AuditInfo)
Initializes a process audit name and returns it to the caller.
Definition: audit.c:105
VOID NTAPI SeAuditProcessCreate(_In_ PEPROCESS Process)
Peforms a security auditing against a process that is about to be created.
Definition: audit.c:56
unsigned int ULONG
Definition: retypes.h:1
ACCESS_MASK * PACCESS_MASK
Definition: nt_native.h:41
#define UNIMPLEMENTED
Definition: debug.h:115
#define RtlZeroMemory(Destination, Length)
Definition: typedefs.h:262
PSID_AND_ATTRIBUTES UserAndGroups
Definition: setypes.h:215
#define RtlCopyMemory(Destination, Source, Length)
Definition: typedefs.h:263
#define _SEH2_EXCEPT(...)
Definition: pseh2_64.h:40
static _Must_inspect_result_ NTSTATUS SepAccessCheckAndAuditAlarmWorker(_In_ PUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ PSECURITY_SUBJECT_CONTEXT SubjectContext, _In_ PUNICODE_STRING ObjectTypeName, _In_ PUNICODE_STRING ObjectName, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_opt_ PSID PrincipalSelfSid, _In_ ACCESS_MASK DesiredAccess, _In_ AUDIT_EVENT_TYPE AuditType, _In_ BOOLEAN HaveAuditPrivilege, _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList, _In_ ULONG ObjectTypeListLength, _In_ PGENERIC_MAPPING GenericMapping, _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccessList, _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatusList, _Out_ PBOOLEAN GenerateOnClose, _In_ BOOLEAN UseResultList)
Worker function that serves as the main heart and brain of the whole concept and implementation of au...
Definition: audit.c:590
#define TAG_SEPA
Definition: tag.h:179
#define TAG_PRIVILEGE_SET
Definition: tag.h:180
#define STATUS_SUCCESS
Definition: shellext.h:65
VOID NTAPI SeAuditProcessExit(_In_ PEPROCESS Process)
Peforms a security auditing against a process that is about to be terminated.
Definition: audit.c:77
#define _SEH2_GetExceptionCode()
Definition: pseh2_64.h:165
#define _SEH2_YIELD(__stmt)
Definition: pseh2_64.h:168
#define DPRINT
Definition: sndvol32.h:71
_In_ ACCESS_MASK _In_opt_ POBJECT_ATTRIBUTES _In_ BOOLEAN EffectiveOnly
Definition: sefuncs.h:388
#define UNIMPLEMENTED_ONCE
Definition: typedefs.h:30
_In_ PSECURITY_SUBJECT_CONTEXT _In_ BOOLEAN _In_ ACCESS_MASK _In_ ACCESS_MASK _Outptr_opt_ PPRIVILEGE_SET _In_ PGENERIC_MAPPING _In_ KPROCESSOR_MODE _Out_ PACCESS_MASK GrantedAccess
Definition: sefuncs.h:13
#define GENERIC_EXECUTE
Definition: nt_native.h:91
#define ExFreePoolWithTag(_P, _T)
Definition: module.h:1099
ULONG ACCESS_MASK
Definition: nt_native.h:40
VOID NTAPI SeAuditHardLinkCreation(_In_ PUNICODE_STRING FileName, _In_ PUNICODE_STRING LinkName, _In_ BOOLEAN bSuccess)
Performs an audit against a hard link creation.
Definition: audit.c:1068
NTSTATUS NTAPI NtCloseObjectAuditAlarm(_In_ PUNICODE_STRING SubsystemName, _In_ PVOID HandleId, _In_ BOOLEAN GenerateOnClose)
Raises an alarm audit message when an object is about to be closed.
Definition: audit.c:1459
_Must_inspect_result_ NTSTATUS NTAPI SepAccessCheckAndAuditAlarm(_In_ PUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ PHANDLE ClientTokenHandle, _In_ PUNICODE_STRING ObjectTypeName, _In_ PUNICODE_STRING ObjectName, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_opt_ PSID PrincipalSelfSid, _In_ ACCESS_MASK DesiredAccess, _In_ AUDIT_EVENT_TYPE AuditType, _In_ ULONG Flags, _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList, _In_ ULONG ObjectTypeListLength, _In_ PGENERIC_MAPPING GenericMapping, _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccessList, _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatusList, _Out_ PBOOLEAN GenerateOnClose, _In_ BOOLEAN UseResultList)
Performs security auditing, if the specific object can be granted security access or not.
Definition: audit.c:715
#define ExFreePool(addr)
Definition: env_spec_w32.h:352
NTSYSAPI BOOLEAN NTAPI RtlEqualSid(_In_ PSID Sid1, _In_ PSID Sid2)
NTSTATUS NTAPI PsReferenceProcessFilePointer(IN PEPROCESS Process, OUT PFILE_OBJECT *FileObject)
Definition: query.c:24
VOID NTAPI SepOpenObjectAuditAlarm(_In_ PSECURITY_SUBJECT_CONTEXT SubjectContext, _In_ PUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ PUNICODE_STRING ObjectTypeName, _In_ PUNICODE_STRING ObjectName, _In_opt_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ PTOKEN ClientToken, _In_ ACCESS_MASK DesiredAccess, _In_ ACCESS_MASK GrantedAccess, _In_opt_ PPRIVILEGE_SET Privileges, _In_ BOOLEAN ObjectCreation, _In_ BOOLEAN AccessGranted, _Out_ PBOOLEAN GenerateOnClose)
Raises an alarm audit message when an object is about to be opened.
Definition: audit.c:1636
#define PAGED_CODE()
_In_ PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext
Definition: sefuncs.h:13
#define RTL_CONSTANT_STRING(s)
Definition: tunneltest.c:14
#define _Out_writes_(size)
Definition: ms_sal.h:348
VOID NTAPI PsDereferenceImpersonationToken(IN PACCESS_TOKEN ImpersonationToken)
Definition: security.c:888