1 /*
2  * PROJECT: ReactOS Kernel
3  * LICENSE: GPL-2.0-or-later (https://spdx.org/licenses/GPL-2.0-or-later)
4  * PURPOSE: Security auditing functions
5  * COPYRIGHT: Copyright Eric Kohl
6  * Copyright Timo Kreuzer <timo.kreuzer@reactos.org>
7  */
8 
9 /* INCLUDES *******************************************************************/
10 
11 #include <ntoskrnl.h>
12 #define NDEBUG
13 #include <debug.h>
14 
/* Largest PrivilegeCount accepted from a user-mode PRIVILEGE_SET.  The count
 * is compared against this bound before FIELD_OFFSET(PRIVILEGE_SET,
 * Privilege[count]) is used to size the probe, the pool allocation and the
 * copy, so a caller-controlled count cannot drive those sizes arbitrarily. */
15 #define SEP_PRIVILEGE_SET_MAX_COUNT 60
16 
18 
19 /* PRIVATE FUNCTIONS ***********************************************************/
20 
 /* Stub (declarator and parameter lines absent from this listing): marked
  * FIXME and unconditionally reports FALSE. */
32 BOOLEAN
33 NTAPI
36 {
37  /* FIXME */
38  return FALSE;
39 }
40 
 /* Stub (declarator and parameter lines absent from this listing): FIXME,
  * no effect. */
54 VOID
55 NTAPI
58 {
59  /* FIXME */
60 }
61 
 /* Stub (declarator and parameter lines absent from this listing): FIXME,
  * no effect. */
75 VOID
76 NTAPI
79 {
80  /* FIXME */
81 }
82 
 /* Builds the OBJECT_NAME_INFORMATION that later audit records use for a
  * process image (by its parameter list this is the exported
  * SeInitializeProcessAuditName).  The declarator and the two name-query
  * call lines (original lines 105-106, 125 and 141) did not survive this
  * listing.
  *   DoAudit   - currently a no-op (FIXME branch below).
  *   AuditInfo - receives a NonPagedPool / TAG_SEPA allocation owned by the
  *               caller, or NULL when no buffer could be allocated.
  * Returns the status of the last query, or STATUS_NO_MEMORY when no
  * buffer could be allocated. */
103 NTSTATUS
104 NTAPI
107  _In_ BOOLEAN DoAudit,
108  _Out_ POBJECT_NAME_INFORMATION *AuditInfo)
109 {
110  OBJECT_NAME_INFORMATION LocalNameInfo;
111  POBJECT_NAME_INFORMATION ObjectNameInfo = NULL;
112  ULONG ReturnLength = 8;
114 
115  PAGED_CODE();
116  ASSERT(AuditInfo);
117 
118  /* Check if we should do auditing */
119  if (DoAudit)
120  {
121  /* FIXME: TODO */
122  }
123 
124  /* Now query the name */
 /* First pass goes into the stack header only; when the name does not fit,
  * the ReturnLength it reports sizes the real allocation below. */
126  &LocalNameInfo,
127  sizeof(LocalNameInfo),
128  &ReturnLength);
129  if (((Status == STATUS_BUFFER_OVERFLOW) ||
132  (ReturnLength != sizeof(LocalNameInfo)))
133  {
134  /* Allocate required size */
135  ObjectNameInfo = ExAllocatePoolWithTag(NonPagedPool,
136  ReturnLength,
137  TAG_SEPA);
138  if (ObjectNameInfo)
139  {
140  /* Query the name again */
142  ObjectNameInfo,
143  ReturnLength,
144  &ReturnLength);
145  }
146  }
147 
148  /* Check if we got here due to failure */
149  if ((ObjectNameInfo) &&
150  (!(NT_SUCCESS(Status)) || (ReturnLength == sizeof(LocalNameInfo))))
151  {
152  /* First, free any buffer we might've allocated */
 /* Not expected to happen: the ASSERT flags it on checked builds, free
  * builds fall back to an empty name record. */
153  ASSERT(FALSE);
154  if (ObjectNameInfo) ExFreePool(ObjectNameInfo);
155 
156  /* Now allocate a temporary one */
 /* NOTE(review): original line 157 is absent here.  The RtlZeroMemory
  * below uses ReturnLength while this buffer is only
  * sizeof(OBJECT_NAME_INFORMATION) bytes; confirm line 157 resets
  * ReturnLength to that size, otherwise a failed retry that reported a
  * larger length would zero past the allocation. */
158  ObjectNameInfo = ExAllocatePoolWithTag(NonPagedPool,
159  sizeof(OBJECT_NAME_INFORMATION),
160  TAG_SEPA);
161  if (ObjectNameInfo)
162  {
163  /* Clear it */
164  RtlZeroMemory(ObjectNameInfo, ReturnLength);
166  }
167  }
168 
169  /* Check if memory allocation failed */
170  if (!ObjectNameInfo) Status = STATUS_NO_MEMORY;
171 
172  /* Return the audit name */
173  *AuditInfo = ObjectNameInfo;
174 
175  /* Return status */
176  return Status;
177 }
178 
 /* SeLocateProcessImageName: returns a caller-owned copy of the process
  * image name, lazily populating Process->SeAuditProcessCreationInfo.
  * ImageFileName on first use.  The declarator, the Process parameter, the
  * ImageName / FileObject / Status declarations and the file-object,
  * compare-exchange, dereference, allocation and copy call lines (original
  * 199-200, 204-206, 218, 222, 226, 237, 245, 252) are absent from this
  * listing.
  *   ProcessImageName - receives a single TAG_SEPA allocation holding the
  *                      UNICODE_STRING immediately followed by its
  *                      characters; the caller frees it as one block.
  *                      Set to NULL on every failure path.
  * Returns STATUS_NO_MEMORY when the copy cannot be allocated, otherwise
  * Status.  NOTE(review): Status is only assigned inside the
  * `if (!AuditName)` block; the absent declaration on line 206 must
  * initialise it (e.g. STATUS_SUCCESS) for the already-cached path to
  * return a defined value — confirm. */
197 NTSTATUS
198 NTAPI
201  _Out_ PUNICODE_STRING *ProcessImageName)
202 {
203  POBJECT_NAME_INFORMATION AuditName;
207 
208  PAGED_CODE();
209 
210  /* Assume failure */
211  *ProcessImageName = NULL;
212 
213  /* Check if we have audit info */
214  AuditName = Process->SeAuditProcessCreationInfo.ImageFileName;
215  if (!AuditName)
216  {
217  /* Get the file object */
219  if (!NT_SUCCESS(Status)) return Status;
220 
221  /* Initialize the audit structure */
223  if (NT_SUCCESS(Status))
224  {
225  /* Set it */
 /* Only one concurrent initialiser may install its AuditName; the loser
  * frees its copy (the operation on the absent line 226 takes the field,
  * the new value and NULL as the expected old value). */
227  SeAuditProcessCreationInfo.ImageFileName,
228  AuditName,
229  NULL))
230  {
231  /* Someone beat us to it, deallocate our copy */
232  ExFreePool(AuditName);
233  }
234  }
235 
236  /* Dereference the file object */
238  if (!NT_SUCCESS(Status)) return Status;
239  }
240 
241  /* Get audit info again, now we have it for sure */
242  AuditName = Process->SeAuditProcessCreationInfo.ImageFileName;
243 
244  /* Allocate the output string */
 /* Header plus MaximumLength bytes of characters in one block. */
246  AuditName->Name.MaximumLength +
247  sizeof(UNICODE_STRING),
248  TAG_SEPA);
249  if (!ImageName) return STATUS_NO_MEMORY;
250 
251  /* Make a copy of it */
 /* Copies header and characters in one go, which assumes the cached name
  * stores its characters directly behind AuditName->Name; the Buffer
  * fix-up below relies on the same layout — confirm against the routine
  * that produces the cached OBJECT_NAME_INFORMATION. */
253  &AuditName->Name,
254  AuditName->Name.MaximumLength + sizeof(UNICODE_STRING));
255 
256  /* Fix up the buffer */
257  ImageName->Buffer = (PWSTR)(ImageName + 1);
258 
259  /* Return it */
260  *ProcessImageName = ImageName;
261 
262  /* Return status */
263  return Status;
264 }
265 
 /* Internal close-object audit worker; by its parameter list this is the
  * SepAdtCloseObjectAuditAlarm that the close-object system call below
  * invokes with the captured subsystem name, the handle id and the
  * client's user SID.  The declarator and the single body line (original
  * 287, 292) are absent from this listing. */
285 VOID
286 NTAPI
288  _In_ PUNICODE_STRING SubsystemName,
289  _In_ PVOID HandleId,
290  _In_ PSID Sid)
291 {
293 }
294 
 /* SepAdtPrivilegedServiceAuditAlarm (named by its own DPRINT): intended to
  * emit the privileged-service audit record for the given client/primary
  * token pair.  Currently only traces that it is unimplemented, so no audit
  * event is recorded.  The declarator and the ServiceName / PrivilegeSet /
  * AccessGranted parameter lines (original 332-333, 335, 338-339) are
  * absent from this listing. */
330 VOID
331 NTAPI
334  _In_opt_ PUNICODE_STRING SubsystemName,
336  _In_ PTOKEN Token,
337  _In_ PTOKEN PrimaryToken,
340 {
341  DPRINT("SepAdtPrivilegedServiceAuditAlarm is unimplemented\n");
342 }
343 
 /* Kernel-side privileged-service audit entry (by its parameter list the
  * exported SePrivilegedServiceAuditAlarm): decides whether the caller's
  * effective identity should be audited at all and then hands the event to
  * SepAdtPrivilegedServiceAuditAlarm.  The declarator, the ServiceName /
  * SubjectContext / AccessGranted parameter lines and the worker call's
  * first lines (original 369-371, 373, 404-405) are absent from this
  * listing. */
367 VOID
368 NTAPI
372  _In_ PPRIVILEGE_SET PrivilegeSet,
374 {
375  PTOKEN EffectiveToken;
376  PSID UserSid;
377  PAGED_CODE();
378 
379  /* Get the effective token */
 /* The client (impersonation) token takes precedence over the primary one. */
380  if (SubjectContext->ClientToken != NULL)
381  EffectiveToken = SubjectContext->ClientToken;
382  else
383  EffectiveToken = SubjectContext->PrimaryToken;
384 
385  /* Get the user SID */
 /* First entry of the token's UserAndGroups array. */
386  UserSid = EffectiveToken->UserAndGroups->Sid;
387 
388  /* Check if this is the local system SID */
 /* Audit exemptions: SYSTEM is never audited here, and the two service
  * accounts are currently skipped wholesale (see the FIXME) although only a
  * subset of privileges should be exempt for them.  Original line 397, the
  * second service-SID comparison, is absent. */
389  if (RtlEqualSid(UserSid, SeLocalSystemSid))
390  {
391  /* Nothing to do */
392  return;
393  }
394 
395  /* Check if this is the network service or local service SID */
396  if (RtlEqualSid(UserSid, SeExports->SeNetworkServiceSid) ||
398  {
399  // FIXME: should continue for a certain set of privileges
400  return;
401  }
402 
403  /* Call the worker function */
406  ServiceName,
407  SubjectContext->ClientToken,
408  SubjectContext->PrimaryToken,
409  PrivilegeSet,
410  AccessGranted);
411 
412 }
413 
 /* SepAccessCheckAndAuditAlarmWorker: file-local worker behind
  * SepAccessCheckAndAuditAlarm, operating only on the captured kernel copies
  * its caller prepared.  NOTE(review): as listed it performs neither an
  * access check nor an audit — every result entry is granted the full
  * DesiredAccess with STATUS_SUCCESS and the security descriptor, token and
  * object type list are never consulted.  The declarator, several
  * parameter lines and a few body lines (original 489, 492-495, 497, 502,
  * 505, 513-514, 516, 523; content not shown) are absent from this listing,
  * so the GenerateOnClose store, if any, is among the missing lines.
  *   UseResultList - TRUE: fill ObjectTypeListLength entries; FALSE: one. */
487 static
488 NTSTATUS
490  _In_ PUNICODE_STRING SubsystemName,
491  _In_opt_ PVOID HandleId,
496  _In_opt_ PSID PrincipalSelfSid,
498  _In_ AUDIT_EVENT_TYPE AuditType,
499  _In_ BOOLEAN HaveAuditPrivilege,
500  _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList,
501  _In_ ULONG ObjectTypeListLength,
503  _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccessList,
504  _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatusList,
506  _In_ BOOLEAN UseResultList)
507 {
508  ULONG ResultListLength, i;
509 
510  /* Get the length of the result list */
511  ResultListLength = UseResultList ? ObjectTypeListLength : 1;
512 
515 
 /* Both lists are kernel staging buffers sized by the caller for
  * ResultListLength entries. */
517  for (i = 0; i < ResultListLength; i++)
518  {
519  GrantedAccessList[i] = DesiredAccess;
520  AccessStatusList[i] = STATUS_SUCCESS;
521  }
522 
524 
525  return STATUS_SUCCESS;
526 }
527 
 /* SepAccessCheckAndAuditAlarm: common implementation behind the
  * NtAccessCheck*AndAuditAlarm system calls below.  Every user-mode
  * argument is probed or captured into a kernel copy before
  * SepAccessCheckAndAuditAlarmWorker runs; results are staged in kernel
  * memory and copied back, under SEH, only after the worker succeeded, so
  * no user output buffer is written on a failure path.  The declarator,
  * several parameter lines, the Status declaration, the previous-mode
  * assertion, the subject-context capture/release, the SEH except clauses
  * and most Status assignments are absent from this listing (e.g. original
  * 614, 618-620, 622, 627, 630, 633, 647, 651, 668, 672, 680, 688, 702,
  * 713, 743-745, 757, 777, 782, 785, 790, 805, 823, 870, 875, 901-903,
  * 938).
  *   ClientTokenHandle - NULL: the audit is attributed to SubjectContext's
  *                       own client token.  Otherwise it must point to
  *                       kernel memory (the by-handle wrapper passes the
  *                       address of its own parameter): it is dereferenced
  *                       outside SEH, the handle is referenced with
  *                       TOKEN_QUERY from UserMode and the token is
  *                       temporarily installed as SubjectContext.ClientToken.
  *   Flags             - AUDIT_ALLOW_NO_PRIVILEGE lets a caller without
  *                       SeAuditPrivilege proceed.
  *   UseResultList     - TRUE: one result entry per ObjectTypeList entry
  *                       (1..0x1000 entries); FALSE: a single entry.
  * Returns an NTSTATUS. */
612 NTSTATUS
613 NTAPI
615  _In_ PUNICODE_STRING SubsystemName,
616  _In_opt_ PVOID HandleId,
617  _In_ PHANDLE ClientTokenHandle,
621  _In_opt_ PSID PrincipalSelfSid,
623  _In_ AUDIT_EVENT_TYPE AuditType,
624  _In_ ULONG Flags,
625  _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList,
626  _In_ ULONG ObjectTypeListLength,
628  _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccessList,
629  _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatusList,
631  _In_ BOOLEAN UseResultList)
632 {
634  ULONG ResultListLength;
635  GENERIC_MAPPING LocalGenericMapping;
636  PTOKEN SubjectContextToken, ClientToken;
637  BOOLEAN AllocatedResultLists;
638  BOOLEAN HaveAuditPrivilege;
639  PSECURITY_DESCRIPTOR CapturedSecurityDescriptor;
640  UNICODE_STRING CapturedSubsystemName, CapturedObjectTypeName, CapturedObjectName;
641  ACCESS_MASK GrantedAccess, *SafeGrantedAccessList;
642  NTSTATUS AccessStatus, *SafeAccessStatusList;
643  PSID CapturedPrincipalSelfSid;
644  POBJECT_TYPE_LIST CapturedObjectTypeList;
645  ULONG i;
646  BOOLEAN LocalGenerateOnClose;
648  PAGED_CODE();
649 
650  /* Only user mode is supported! */
652 
653  /* Start clean */
 /* Cleanup keys off these being NULL/FALSE, so every capture target is
  * reset before the first goto Cleanup. */
654  AllocatedResultLists = FALSE;
655  ClientToken = NULL;
656  CapturedSecurityDescriptor = NULL;
657  CapturedSubsystemName.Buffer = NULL;
658  CapturedObjectTypeName.Buffer = NULL;
659  CapturedObjectName.Buffer = NULL;
660  CapturedPrincipalSelfSid = NULL;
661  CapturedObjectTypeList = NULL;
662 
663  /* Validate AuditType */
 /* Rejected before the subject context is captured (return on absent line
  * 668), so no cleanup is needed here. */
664  if ((AuditType != AuditEventObjectAccess) &&
665  (AuditType != AuditEventDirectoryServiceAccess))
666  {
667  DPRINT1("Invalid audit type: %u\n", AuditType);
669  }
670 
671  /* Capture the security subject context */
673 
674  /* Did the caller pass a token handle? */
675  if (ClientTokenHandle == NULL)
676  {
677  /* Check if we have a token in the subject context */
 /* Without an explicit handle the caller must be impersonating at
  * identification level or above, otherwise there is no identity to
  * attribute the audit to (Status assignments on absent lines 680, 688). */
678  if (SubjectContext.ClientToken == NULL)
679  {
681  DPRINT1("No token\n");
682  goto Cleanup;
683  }
684 
685  /* Check if we have a valid impersonation level */
686  if (SubjectContext.ImpersonationLevel < SecurityIdentification)
687  {
689  DPRINT1("Invalid impersonation level 0x%lx\n",
690  SubjectContext.ImpersonationLevel);
691  goto Cleanup;
692  }
693  }
694 
695  /* Are we using a result list? */
696  if (UseResultList)
697  {
698  /* The list length equals the object type list length */
 /* The 0x1000 upper bound also keeps the 2 * ResultListLength *
  * sizeof(ULONG) allocation size below from overflowing. */
699  ResultListLength = ObjectTypeListLength;
700  if ((ResultListLength == 0) || (ResultListLength > 0x1000))
701  {
703  DPRINT1("Invalid ResultListLength: 0x%lx\n", ResultListLength);
704  goto Cleanup;
705  }
706 
707  /* Allocate a safe buffer from paged pool */
708  SafeGrantedAccessList = ExAllocatePoolWithTag(PagedPool,
709  2 * ResultListLength * sizeof(ULONG),
710  TAG_SEPA);
711  if (SafeGrantedAccessList == NULL)
712  {
714  DPRINT1("Failed to allocate access lists\n");
715  goto Cleanup;
716  }
717 
 /* Both staging lists share one allocation; the second half is used as
  * the NTSTATUS list, which relies on sizeof(NTSTATUS) ==
  * sizeof(ACCESS_MASK) == sizeof(ULONG). */
718  SafeAccessStatusList = (PNTSTATUS)&SafeGrantedAccessList[ResultListLength];
719  AllocatedResultLists = TRUE;
720  }
721  else
722  {
723  /* List length is 1 */
724  ResultListLength = 1;
725  SafeGrantedAccessList = &GrantedAccess;
726  SafeAccessStatusList = &AccessStatus;
727  }
728 
 /* Probe the user buffers once and snapshot the generic mapping so the
  * worker only ever reads kernel copies (LocalGenericMapping). */
729  _SEH2_TRY
730  {
731  /* Probe output buffers */
732  ProbeForWrite(AccessStatusList,
733  ResultListLength * sizeof(*AccessStatusList),
734  sizeof(*AccessStatusList));
735  ProbeForWrite(GrantedAccessList,
736  ResultListLength * sizeof(*GrantedAccessList),
737  sizeof(*GrantedAccessList));
738 
739  /* Probe generic mapping and make a local copy */
740  ProbeForRead(GenericMapping, sizeof(*GenericMapping), sizeof(ULONG));
741  LocalGenericMapping = * GenericMapping;
742  }
744  {
746  DPRINT1("Exception while probing parameters: 0x%lx\n", Status);
747  _SEH2_YIELD(goto Cleanup);
748  }
749  _SEH2_END;
750 
751  /* Do we have a client token? */
752  if (ClientTokenHandle != NULL)
753  {
754  /* Reference the client token */
 /* *ClientTokenHandle is read outside SEH: the pointer must be kernel
  * memory (see the wrapper that passes &ClientToken).  The handle itself
  * is resolved against the user-mode handle table with TOKEN_QUERY. */
755  Status = ObReferenceObjectByHandle(*ClientTokenHandle,
756  TOKEN_QUERY,
758  UserMode,
759  (PVOID*)&ClientToken,
760  NULL);
761  if (!NT_SUCCESS(Status))
762  {
763  DPRINT1("Failed to reference token handle %p: %lx\n",
764  *ClientTokenHandle, Status);
765  goto Cleanup;
766  }
767 
 /* Swap the referenced token in; the original is restored at Cleanup.
  * SubjectContextToken is only meaningful while ClientToken != NULL. */
768  SubjectContextToken = SubjectContext.ClientToken;
769  SubjectContext.ClientToken = ClientToken;
770  }
771 
772  /* Check for audit privilege */
 /* NOTE(review): this check runs after the swap above.  If
  * SeCheckAuditPrivilege consults SubjectContext.ClientToken, a caller that
  * passes a token handle is judged on the supplied token's privileges
  * rather than its own; confirm that is intended, or move the check before
  * the swap so both paths evaluate the caller. */
773  HaveAuditPrivilege = SeCheckAuditPrivilege(&SubjectContext, UserMode);
774  if (!HaveAuditPrivilege && !(Flags & AUDIT_ALLOW_NO_PRIVILEGE))
775  {
776  DPRINT1("Caller does not have SeAuditPrivilege\n");
778  goto Cleanup;
779  }
780 
781  /* Generic access must already be mapped to non-generic access types! */
 /* Condition on absent line 782; the DPRINT shows generic bits in
  * DesiredAccess are rejected. */
783  {
784  DPRINT1("Generic access rights requested: 0x%lx\n", DesiredAccess);
786  goto Cleanup;
787  }
788 
789  /* Capture the security descriptor */
 /* Capture call on absent line 790 copies the descriptor out of user
  * memory before it is validated, so the validated copy cannot change. */
791  UserMode,
792  PagedPool,
793  FALSE,
794  &CapturedSecurityDescriptor);
795  if (!NT_SUCCESS(Status))
796  {
797  DPRINT1("Failed to capture security descriptor!\n");
798  goto Cleanup;
799  }
800 
801  /* Validate the Security descriptor */
 /* Owner and group are required; a descriptor lacking either is rejected
  * (Status on absent line 805). */
802  if ((SepGetOwnerFromDescriptor(CapturedSecurityDescriptor) == NULL) ||
803  (SepGetGroupFromDescriptor(CapturedSecurityDescriptor) == NULL))
804  {
806  DPRINT1("Invalid security descriptor\n");
807  goto Cleanup;
808  }
809 
810  /* Probe and capture the subsystem name */
811  Status = ProbeAndCaptureUnicodeString(&CapturedSubsystemName,
812  UserMode,
813  SubsystemName);
814  if (!NT_SUCCESS(Status))
815  {
816  DPRINT1("Failed to capture subsystem name!\n");
817  goto Cleanup;
818  }
819 
820  /* Probe and capture the object type name */
 /* Source argument (ObjectTypeName) is on absent line 823. */
821  Status = ProbeAndCaptureUnicodeString(&CapturedObjectTypeName,
822  UserMode,
824  if (!NT_SUCCESS(Status))
825  {
826  DPRINT1("Failed to capture object type name!\n");
827  goto Cleanup;
828  }
829 
830  /* Probe and capture the object name */
831  Status = ProbeAndCaptureUnicodeString(&CapturedObjectName,
832  UserMode,
833  ObjectName);
834  if (!NT_SUCCESS(Status))
835  {
836  DPRINT1("Failed to capture object name!\n");
837  goto Cleanup;
838  }
839 
840  /* Check if we have a PrincipalSelfSid */
841  if (PrincipalSelfSid != NULL)
842  {
843  /* Capture it */
844  Status = SepCaptureSid(PrincipalSelfSid,
845  UserMode,
846  PagedPool,
847  FALSE,
848  &CapturedPrincipalSelfSid);
849  if (!NT_SUCCESS(Status))
850  {
851  DPRINT1("Failed to capture PrincipalSelfSid!\n");
852  goto Cleanup;
853  }
854  }
855 
856  /* Capture the object type list */
857  Status = SeCaptureObjectTypeList(ObjectTypeList,
858  ObjectTypeListLength,
859  UserMode,
860  &CapturedObjectTypeList);
861  if (!NT_SUCCESS(Status))
862  {
863  DPRINT1("Failed to capture object type list!\n");
864  goto Cleanup;
865  }
866 
867  /* Call the worker routine with the captured buffers */
 /* From here on only kernel copies are passed; the worker writes its
  * results into the Safe* staging lists, never into user memory. */
868  Status = SepAccessCheckAndAuditAlarmWorker(&CapturedSubsystemName,
869  HandleId,
871  &CapturedObjectTypeName,
872  &CapturedObjectName,
873  CapturedSecurityDescriptor,
874  CapturedPrincipalSelfSid,
876  AuditType,
877  HaveAuditPrivilege,
878  CapturedObjectTypeList,
879  ObjectTypeListLength,
880  &LocalGenericMapping,
881  SafeGrantedAccessList,
882  SafeAccessStatusList,
883  &LocalGenerateOnClose,
884  UseResultList);
885  if (!NT_SUCCESS(Status))
886  goto Cleanup;
887 
888  /* Enter SEH to copy the data back to user mode */
 /* The only writes to user memory.  GenerateOnClose was not probed in the
  * first SEH block, so a bad pointer surfaces here (handler on absent
  * lines 901-903 sets Status). */
889  _SEH2_TRY
890  {
891  /* Loop all result entries (only 1 when no list was requested) */
892  ASSERT(UseResultList || (ResultListLength == 1));
893  for (i = 0; i < ResultListLength; i++)
894  {
895  AccessStatusList[i] = SafeAccessStatusList[i];
896  GrantedAccessList[i] = SafeGrantedAccessList[i];
897  }
898 
899  *GenerateOnClose = LocalGenerateOnClose;
900  }
902  {
904  DPRINT1("Exception while copying back data: 0x%lx\n", Status);
905  }
906  _SEH2_END;
907 
908 Cleanup:
909 
 /* Release in reverse order of capture; each release is guarded by the
  * value that the corresponding capture set. */
910  if (CapturedObjectTypeList != NULL)
911  SeReleaseObjectTypeList(CapturedObjectTypeList, UserMode);
912 
913  if (CapturedPrincipalSelfSid != NULL)
914  SepReleaseSid(CapturedPrincipalSelfSid, UserMode, FALSE);
915 
916  if (CapturedObjectName.Buffer != NULL)
917  ReleaseCapturedUnicodeString(&CapturedObjectName, UserMode);
918 
919  if (CapturedObjectTypeName.Buffer != NULL)
920  ReleaseCapturedUnicodeString(&CapturedObjectTypeName, UserMode);
921 
922  if (CapturedSubsystemName.Buffer != NULL)
923  ReleaseCapturedUnicodeString(&CapturedSubsystemName, UserMode);
924 
925  if (CapturedSecurityDescriptor != NULL)
926  SeReleaseSecurityDescriptor(CapturedSecurityDescriptor, UserMode, FALSE);
927 
 /* Put the caller's own client token back before the context is released
  * (release call on absent line 938). */
928  if (ClientToken != NULL)
929  {
930  ObDereferenceObject(ClientToken);
931  SubjectContext.ClientToken = SubjectContextToken;
932  }
933 
934  if (AllocatedResultLists)
935  ExFreePoolWithTag(SafeGrantedAccessList, TAG_SEPA);
936 
937  /* Release the security subject context */
939 
940  return Status;
941 }
942 
943 
944 /* PUBLIC FUNCTIONS ***********************************************************/
945 
 /* Stub taking a link name (declarator, further parameters and the body
  * line on original 967-968, 970, 972 are absent): no audit is generated. */
965 VOID
966 NTAPI
969  _In_ PUNICODE_STRING LinkName,
971 {
973 }
974 
 /* Stub (declarator, parameters and original line 997 absent): always
  * reports FALSE. */
991 BOOLEAN
992 NTAPI
996 {
998  return FALSE;
999 }
1000 
 /* Stub (declarator, parameters and original line 1028 absent): always
  * reports FALSE. */
1021 BOOLEAN
1022 NTAPI
1027 {
1029  return FALSE;
1030 }
1031 
 /* Stub (declarator and parameters absent): traces UNIMPLEMENTED and
  * reports FALSE. */
1048 BOOLEAN
1049 NTAPI
1053 {
1054  UNIMPLEMENTED;
1055  return FALSE;
1056 }
1057 
 /* Stub (declarator and parameters absent): traces UNIMPLEMENTED and
  * reports FALSE. */
1078 BOOLEAN
1079 NTAPI
1084 {
1085  UNIMPLEMENTED;
1086  return FALSE;
1087 }
1088 
 /* Stub (declarator and parameters absent): traces UNIMPLEMENTED and
  * reports FALSE. */
1109 BOOLEAN
1110 NTAPI
1115 {
1116  UNIMPLEMENTED;
1117  return FALSE;
1118 }
1119 
 /* Stub for an object/handle close audit (declarator on original line 1140
  * absent): traces UNIMPLEMENTED; PerformAction is not acted on. */
1138 VOID
1139 NTAPI
1141  _In_ PVOID Object,
1142  _In_ HANDLE Handle,
1143  _In_ BOOLEAN PerformAction)
1144 {
1145  UNIMPLEMENTED;
1146 }
1147 
 /* Stub for an object/handle delete audit (declarator on original line
  * 1163 absent): traces UNIMPLEMENTED. */
1162 VOID NTAPI
1164  _In_ PVOID Object,
1165  _In_ HANDLE Handle)
1166 {
1167  UNIMPLEMENTED;
1168 }
1169 
 /* Open-object audit entry point (declarator and all parameter lines,
  * original 1213-1222, are absent; AccessMode is one of them).  Kernel-mode
  * callers are skipped by design.  NOTE(review): for user-mode callers the
  * UNIMPLEMENTED trace is commented out, so the audit is dropped without
  * any diagnostic; consider a once-only trace so missing audit coverage
  * stays visible on checked builds. */
1211 VOID
1212 NTAPI
1223 {
1224  PAGED_CODE();
1225 
1226  /* Audits aren't done on kernel-mode access */
1227  if (AccessMode == KernelMode) return;
1228 
1229  /* Otherwise, unimplemented! */
1230  //UNIMPLEMENTED;
1231  return;
1232 }
1233 
 /* Stub (declarator and all parameter lines, original 1276-1285, absent):
  * traces UNIMPLEMENTED. */
1275 VOID NTAPI
1286 {
1287  UNIMPLEMENTED;
1288 }
1289 
 /* Stub taking a handle and the caller's processor mode (declarator and
  * parameter lines 1321, 1323-1326 absent): traces UNIMPLEMENTED. */
1319 VOID
1320 NTAPI
1322  _In_ HANDLE Handle,
1327  _In_ KPROCESSOR_MODE CurrentMode)
1328 {
1329  UNIMPLEMENTED;
1330 }
1331 
1332 /* SYSTEM CALLS ***************************************************************/
1333 
 /* System call (by its parameter list NtCloseObjectAuditAlarm): records the
  * close of an audited handle on behalf of the subsystem that opened it.
  * The declarator, the GenerateOnClose parameter, the PreviousMode /
  * CopyOnOpen / EffectiveOnly / ImpersonationLevel declarations, the
  * previous-mode assertion, the subject-context capture/release, the
  * privilege check, the token reference/release calls and the final Status
  * assignment are absent from this listing (original 1358, 1361, 1363,
  * 1365, 1368-1369, 1375-1376, 1386, 1389, 1392, 1414, 1420, 1436, 1441,
  * 1444, 1449).
  * Returns STATUS_SUCCESS when GenerateOnClose is FALSE, otherwise the
  * privilege-check / capture status. */
1356 NTSTATUS
1357 NTAPI
1359  _In_ PUNICODE_STRING SubsystemName,
1360  _In_ PVOID HandleId,
1362 {
1364  UNICODE_STRING CapturedSubsystemName;
1366  BOOLEAN UseImpersonationToken;
1367  PETHREAD CurrentThread;
1370  NTSTATUS Status;
1371  PTOKEN Token;
1372  PAGED_CODE();
1373 
1374  /* Get the previous mode (only user mode is supported!) */
1377 
1378  /* Do we even need to do anything? */
 /* Early exit before the subject context is captured, so nothing to
  * release. */
1379  if (!GenerateOnClose)
1380  {
1381  /* Nothing to do, return success */
1382  return STATUS_SUCCESS;
1383  }
1384 
1385  /* Capture the security subject context */
1387 
1388  /* Check for audit privilege */
 /* Condition on absent line 1389; the DPRINT shows SeAuditPrivilege is
  * required. */
1390  {
1391  DPRINT1("Caller does not have SeAuditPrivilege\n");
1393  goto Cleanup;
1394  }
1395 
1396  /* Probe and capture the subsystem name */
1397  Status = ProbeAndCaptureUnicodeString(&CapturedSubsystemName,
1398  PreviousMode,
1399  SubsystemName);
1400  if (!NT_SUCCESS(Status))
1401  {
1402  DPRINT1("Failed to capture subsystem name!\n");
1403  goto Cleanup;
1404  }
1405 
1406  /* Get the current thread and check if it's impersonating */
 /* The SID recorded for the close comes from the thread's impersonation
  * token when impersonating, else from the primary token (reference on
  * absent line 1420).  NOTE(review): the matching releases (absent lines
  * 1436, 1441) must pair with whichever branch took the reference. */
1407  CurrentThread = PsGetCurrentThread();
1408  if (PsIsThreadImpersonating(CurrentThread))
1409  {
1410  /* Get the impersonation token */
1411  Token = PsReferenceImpersonationToken(CurrentThread,
1412  &CopyOnOpen,
1413  &EffectiveOnly,
1415  UseImpersonationToken = TRUE;
1416  }
1417  else
1418  {
1419  /* Get the primary token */
1421  UseImpersonationToken = FALSE;
1422  }
1423 
1424  /* Call the internal function */
 /* User SID is the first UserAndGroups entry of the referenced token. */
1425  SepAdtCloseObjectAuditAlarm(&CapturedSubsystemName,
1426  HandleId,
1427  Token->UserAndGroups->Sid);
1428 
1429  /* Release the captured subsystem name */
1430  ReleaseCapturedUnicodeString(&CapturedSubsystemName, PreviousMode);
1431 
1432  /* Check what token we used */
1433  if (UseImpersonationToken)
1434  {
1435  /* Release impersonation token */
1437  }
1438  else
1439  {
1440  /* Release primary token */
1442  }
1443 
1445 
1446 Cleanup:
1447 
1448  /* Release the security subject context */
1450 
1451  return Status;
1452 }
1453 
 /* Stub system call (by its parameter list NtDeleteObjectAuditAlarm; the
  * return type, declarator and GenerateOnClose parameter lines are absent):
  * traces UNIMPLEMENTED and fails with STATUS_NOT_IMPLEMENTED, so callers
  * get an explicit error rather than a silently dropped audit. */
1476  _In_ PUNICODE_STRING SubsystemName,
1477  _In_ PVOID HandleId,
1479 {
1480  UNIMPLEMENTED;
1481  return STATUS_NOT_IMPLEMENTED;
1482 }
1483 
 /* Internal open-object audit routine reached from the system call below
  * with already-captured arguments.  Unimplemented: the parameters are
  * explicitly marked unreferenced for checked builds and only a trace is
  * emitted.  The declarator, most parameter lines and the remaining
  * DBG_UNREFERENCED_PARAMETER lines are absent from this listing. */
1533 VOID
1534 NTAPI
1537  _In_ PUNICODE_STRING SubsystemName,
1538  _In_opt_ PVOID HandleId,
1542  _In_ PTOKEN ClientToken,
1546  _In_ BOOLEAN ObjectCreation,
1549 {
1551  DBG_UNREFERENCED_PARAMETER(SubsystemName);
1552  DBG_UNREFERENCED_PARAMETER(HandleId);
1556  DBG_UNREFERENCED_PARAMETER(ClientToken);
1560  DBG_UNREFERENCED_PARAMETER(ObjectCreation);
1562  UNIMPLEMENTED;
1564 }
1565 
 /* System call (by its parameter list NtOpenObjectAuditAlarm): open-object
  * audit on behalf of a subsystem.  References the client token, captures
  * the security descriptor, optional privilege set, handle id and the three
  * names into kernel copies, then calls the internal (currently stub)
  * routine above and stores GenerateOnClose back under SEH.  The
  * declarator, several parameter lines, the previous-mode assertion, the
  * subject-context capture/release, the privilege check, the SEH except
  * clauses and most Status assignments are absent from this listing
  * (e.g. original 1622, 1625-1627, 1629-1630, 1633-1634, 1643, 1648,
  * 1661, 1673, 1680, 1685, 1688, 1696, 1701, 1724, 1737, 1741, 1757-1759,
  * 1796, 1810, 1817-1819, 1842).
  * Returns the reference / privilege / capture status. */
1620 NTSTATUS
1621 NTAPI
1623  _In_ PUNICODE_STRING SubsystemName,
1624  _In_opt_ PVOID HandleId,
1628  _In_ HANDLE ClientTokenHandle,
1631  _In_opt_ PPRIVILEGE_SET PrivilegeSet,
1632  _In_ BOOLEAN ObjectCreation,
1635 {
1636  PTOKEN ClientToken;
1637  PSECURITY_DESCRIPTOR CapturedSecurityDescriptor;
1638  UNICODE_STRING CapturedSubsystemName, CapturedObjectTypeName, CapturedObjectName;
1639  ULONG PrivilegeCount, PrivilegeSetSize;
 /* volatile: assigned inside _SEH2_TRY and read at Cleanup after a
  * possible unwind. */
1640  volatile PPRIVILEGE_SET CapturedPrivilegeSet;
1641  BOOLEAN LocalGenerateOnClose;
 /* NOTE(review): no initializer, and only assigned below when HandleId is
  * non-NULL; see the note at that point. */
1642  PVOID CapturedHandleId;
1644  NTSTATUS Status;
1645  PAGED_CODE();
1646 
1647  /* Only user mode is supported! */
1649 
1650  /* Start clean */
1651  ClientToken = NULL;
1652  CapturedSecurityDescriptor = NULL;
1653  CapturedPrivilegeSet = NULL;
1654  CapturedSubsystemName.Buffer = NULL;
1655  CapturedObjectTypeName.Buffer = NULL;
1656  CapturedObjectName.Buffer = NULL;
1657 
1658  /* Reference the client token */
 /* Handle is resolved against the user-mode handle table with TOKEN_QUERY.
  * A failure returns directly: nothing has been captured yet and Cleanup
  * would dereference a NULL ClientToken. */
1659  Status = ObReferenceObjectByHandle(ClientTokenHandle,
1660  TOKEN_QUERY,
1662  UserMode,
1663  (PVOID*)&ClientToken,
1664  NULL);
1665  if (!NT_SUCCESS(Status))
1666  {
1667  DPRINT1("Failed to reference token handle %p: %lx\n",
1668  ClientTokenHandle, Status);
1669  return Status;
1670  }
1671 
1672  /* Capture the security subject context */
1674 
1675  /* Validate the token's impersonation level */
 /* Anonymous-level impersonation tokens carry no attributable identity
  * and are rejected (Status on absent line 1680). */
1676  if ((ClientToken->TokenType == TokenImpersonation) &&
1677  (ClientToken->ImpersonationLevel < SecurityIdentification))
1678  {
1679  DPRINT1("Invalid impersonation level (%u)\n", ClientToken->ImpersonationLevel);
1681  goto Cleanup;
1682  }
1683 
1684  /* Check for audit privilege */
 /* Condition on absent line 1685; the DPRINT shows SeAuditPrivilege is
  * required. */
1686  {
1687  DPRINT1("Caller does not have SeAuditPrivilege\n");
1689  goto Cleanup;
1690  }
1691 
1692  /* Check for NULL SecurityDescriptor */
 /* NOTE(review): this path leaves via Cleanup (status on absent line 1696)
  * without ever storing *GenerateOnClose, so the caller's output variable
  * is untouched; either document that or set it explicitly here. */
1693  if (SecurityDescriptor == NULL)
1694  {
1695  /* Nothing to do */
1697  goto Cleanup;
1698  }
1699 
1700  /* Capture the security descriptor */
1702  UserMode,
1703  PagedPool,
1704  FALSE,
1705  &CapturedSecurityDescriptor);
1706  if (!NT_SUCCESS(Status))
1707  {
1708  DPRINT1("Failed to capture security descriptor!\n");
1709  goto Cleanup;
1710  }
1711 
1712  _SEH2_TRY
1713  {
1714  /* Check if we have a privilege set */
1715  if (PrivilegeSet != NULL)
1716  {
1717  /* Probe the basic privilege set structure */
1718  ProbeForRead(PrivilegeSet, sizeof(PRIVILEGE_SET), sizeof(ULONG));
1719 
1720  /* Validate privilege count */
 /* PrivilegeCount is read from user memory once and bounded by
  * SEP_PRIVILEGE_SET_MAX_COUNT before it sizes the probe, allocation and
  * copy below (Status on absent line 1724). */
1721  PrivilegeCount = PrivilegeSet->PrivilegeCount;
1722  if (PrivilegeCount > SEP_PRIVILEGE_SET_MAX_COUNT)
1723  {
1725  _SEH2_YIELD(goto Cleanup);
1726  }
1727 
1728  /* Calculate the size of the PrivilegeSet structure */
1729  PrivilegeSetSize = FIELD_OFFSET(PRIVILEGE_SET, Privilege[PrivilegeCount]);
1730 
1731  /* Probe the whole structure */
1732  ProbeForRead(PrivilegeSet, PrivilegeSetSize, sizeof(ULONG));
1733 
1734  /* Allocate a temp buffer */
1735  CapturedPrivilegeSet = ExAllocatePoolWithTag(PagedPool,
1736  PrivilegeSetSize,
1738  if (CapturedPrivilegeSet == NULL)
1739  {
1740  DPRINT1("Failed to allocate %u bytes\n", PrivilegeSetSize);
1742  _SEH2_YIELD(goto Cleanup);
1743  }
1744 
1745  /* Copy the privileges */
 /* NOTE(review): the copy re-reads the header from user memory, so
  * CapturedPrivilegeSet->PrivilegeCount can differ from the PrivilegeCount
  * the buffer was sized for if user mode changed it in between.  Pin it
  * after the copy — `CapturedPrivilegeSet->PrivilegeCount = PrivilegeCount;`
  * — so consumers cannot walk past PrivilegeSetSize. */
1746  RtlCopyMemory(CapturedPrivilegeSet, PrivilegeSet, PrivilegeSetSize);
1747  }
1748 
 /* NOTE(review): when HandleId is NULL, CapturedHandleId is passed to the
  * internal call below without ever being assigned (line 1643 is absent
  * and "Start clean" does not cover it); initialise it to NULL at "Start
  * clean" unless an absent line already does. */
1749  if (HandleId != NULL)
1750  {
1751  ProbeForRead(HandleId, sizeof(PVOID), sizeof(PVOID));
1752  CapturedHandleId = *(PVOID*)HandleId;
1753  }
1754 
 /* Probed up front; written at the end, again under SEH. */
1755  ProbeForWrite(GenerateOnClose, sizeof(BOOLEAN), sizeof(BOOLEAN));
1756  }
1758  {
1760  DPRINT1("Exception while probing parameters: 0x%lx\n", Status);
1761  _SEH2_YIELD(goto Cleanup);
1762  }
1763  _SEH2_END;
1764 
1765  /* Probe and capture the subsystem name */
1766  Status = ProbeAndCaptureUnicodeString(&CapturedSubsystemName,
1767  UserMode,
1768  SubsystemName);
1769  if (!NT_SUCCESS(Status))
1770  {
1771  DPRINT1("Failed to capture subsystem name!\n");
1772  goto Cleanup;
1773  }
1774 
1775  /* Probe and capture the object type name */
1776  Status = ProbeAndCaptureUnicodeString(&CapturedObjectTypeName,
1777  UserMode,
1778  ObjectTypeName);
1779  if (!NT_SUCCESS(Status))
1780  {
1781  DPRINT1("Failed to capture object type name!\n");
1782  goto Cleanup;
1783  }
1784 
1785  /* Probe and capture the object name */
1786  Status = ProbeAndCaptureUnicodeString(&CapturedObjectName,
1787  UserMode,
1788  ObjectName);
1789  if (!NT_SUCCESS(Status))
1790  {
1791  DPRINT1("Failed to capture object name!\n");
1792  goto Cleanup;
1793  }
1794 
1795  /* Call the internal function */
 /* Only kernel copies are handed down (callee name on absent line 1796). */
1797  &CapturedSubsystemName,
1798  CapturedHandleId,
1799  &CapturedObjectTypeName,
1800  &CapturedObjectName,
1801  CapturedSecurityDescriptor,
1802  ClientToken,
1803  DesiredAccess,
1804  GrantedAccess,
1805  CapturedPrivilegeSet,
1806  ObjectCreation,
1807  AccessGranted,
1808  &LocalGenerateOnClose);
1809 
1811 
1812  /* Enter SEH to copy the data back to user mode */
 /* Sole write to user memory; an exception here is caught and reported
  * through Status (handler on absent lines 1817-1819). */
1813  _SEH2_TRY
1814  {
1815  *GenerateOnClose = LocalGenerateOnClose;
1816  }
1818  {
1820  DPRINT1("Exception while copying back data: 0x%lx\n", Status);
1821  }
1822  _SEH2_END;
1823 
1824 Cleanup:
1825 
1826  if (CapturedObjectName.Buffer != NULL)
1827  ReleaseCapturedUnicodeString(&CapturedObjectName, UserMode);
1828 
1829  if (CapturedObjectTypeName.Buffer != NULL)
1830  ReleaseCapturedUnicodeString(&CapturedObjectTypeName, UserMode);
1831 
1832  if (CapturedSubsystemName.Buffer != NULL)
1833  ReleaseCapturedUnicodeString(&CapturedSubsystemName, UserMode);
1834 
1835  if (CapturedSecurityDescriptor != NULL)
1836  SeReleaseSecurityDescriptor(CapturedSecurityDescriptor, UserMode, FALSE);
1837 
1838  if (CapturedPrivilegeSet != NULL)
1839  ExFreePoolWithTag(CapturedPrivilegeSet, TAG_PRIVILEGE_SET);
1840 
1841  /* Release the security subject context */
1843 
 /* ClientToken is non-NULL on every path that reaches Cleanup: a failed
  * reference returned early above. */
1844  ObDereferenceObject(ClientToken);
1845 
1846  return Status;
1847 }
1848 
 /* System call (by its parameter list NtPrivilegedServiceAuditAlarm):
  * privileged-service audit on behalf of a subsystem.  References the
  * client token, captures the optional subsystem and service names and the
  * privilege set into kernel copies, then calls the internal routine with
  * the client token and the subject context's primary token.  The
  * declarator, the ServiceName / Privileges / AccessGranted parameter
  * lines, the SubjectContext and PreviousMode declarations, the
  * previous-mode assertion, the subject-context capture/release, the
  * privilege check, the bad-impersonation return, the SEH except clauses
  * and most Status assignments are absent from this listing (e.g. original
  * 1883, 1885, 1887-1888, 1890, 1896, 1901-1902, 1910, 1926, 1930,
  * 1933, 1936, 1977, 1990, 1994, 2001-2003, 2010, 2018, 2032).
  * Returns the reference / privilege / capture status. */
1881 NTSTATUS
1882 NTAPI
1884  _In_opt_ PUNICODE_STRING SubsystemName,
1886  _In_ HANDLE ClientTokenHandle,
1889 {
1891  PTOKEN ClientToken;
 /* volatile: assigned inside _SEH2_TRY and read at Cleanup after a
  * possible unwind. */
1892  volatile PPRIVILEGE_SET CapturedPrivileges = NULL;
1893  UNICODE_STRING CapturedSubsystemName;
1894  UNICODE_STRING CapturedServiceName;
1895  ULONG PrivilegeCount, PrivilegesSize;
1897  NTSTATUS Status;
1898  PAGED_CODE();
1899 
1900  /* Get the previous mode (only user mode is supported!) */
1903 
1904  CapturedSubsystemName.Buffer = NULL;
1905  CapturedServiceName.Buffer = NULL;
1906 
1907  /* Reference the client token */
 /* Handle is resolved with TOKEN_QUERY against the caller's mode; failure
  * returns directly since nothing has been captured yet. */
1908  Status = ObReferenceObjectByHandle(ClientTokenHandle,
1909  TOKEN_QUERY,
1911  PreviousMode,
1912  (PVOID*)&ClientToken,
1913  NULL);
1914  if (!NT_SUCCESS(Status))
1915  {
1916  DPRINT1("Failed to reference client token: 0x%lx\n", Status);
1917  return Status;
1918  }
1919 
1920  /* Validate the token's impersonation level */
 /* Rejected before the subject context exists, so the token is released
  * here and the function returns directly (absent line 1926) instead of
  * going through Cleanup, which would release it a second time. */
1921  if ((ClientToken->TokenType == TokenImpersonation) &&
1922  (ClientToken->ImpersonationLevel < SecurityIdentification))
1923  {
1924  DPRINT1("Invalid impersonation level (%u)\n", ClientToken->ImpersonationLevel);
1925  ObDereferenceObject(ClientToken);
1927  }
1928 
1929  /* Capture the security subject context */
1931 
1932  /* Check for audit privilege */
 /* Condition on absent line 1933; the DPRINT shows SeAuditPrivilege is
  * required. */
1934  {
1935  DPRINT1("Caller does not have SeAuditPrivilege\n");
1937  goto Cleanup;
1938  }
1939 
1940  /* Do we have a subsystem name? */
 /* Both names are optional: only a captured name is released at Cleanup
  * and the internal call passes NULL for an absent one. */
1941  if (SubsystemName != NULL)
1942  {
1943  /* Probe and capture the subsystem name */
1944  Status = ProbeAndCaptureUnicodeString(&CapturedSubsystemName,
1945  PreviousMode,
1946  SubsystemName);
1947  if (!NT_SUCCESS(Status))
1948  {
1949  DPRINT1("Failed to capture subsystem name!\n");
1950  goto Cleanup;
1951  }
1952  }
1953 
1954  /* Do we have a service name? */
1955  if (ServiceName != NULL)
1956  {
1957  /* Probe and capture the service name */
1958  Status = ProbeAndCaptureUnicodeString(&CapturedServiceName,
1959  PreviousMode,
1960  ServiceName);
1961  if (!NT_SUCCESS(Status))
1962  {
1963  DPRINT1("Failed to capture service name!\n");
1964  goto Cleanup;
1965  }
1966  }
1967 
1968  _SEH2_TRY
1969  {
1970  /* Probe the basic privilege set structure */
1971  ProbeForRead(Privileges, sizeof(PRIVILEGE_SET), sizeof(ULONG));
1972 
1973  /* Validate privilege count */
 /* PrivilegeCount is read from user memory once and bounded by
  * SEP_PRIVILEGE_SET_MAX_COUNT before it sizes the probe, allocation and
  * copy below (Status on absent line 1977). */
1974  PrivilegeCount = Privileges->PrivilegeCount;
1975  if (PrivilegeCount > SEP_PRIVILEGE_SET_MAX_COUNT)
1976  {
1978  _SEH2_YIELD(goto Cleanup);
1979  }
1980 
1981  /* Calculate the size of the Privileges structure */
1982  PrivilegesSize = FIELD_OFFSET(PRIVILEGE_SET, Privilege[PrivilegeCount]);
1983 
1984  /* Probe the whole structure */
1985  ProbeForRead(Privileges, PrivilegesSize, sizeof(ULONG));
1986 
1987  /* Allocate a temp buffer */
1988  CapturedPrivileges = ExAllocatePoolWithTag(PagedPool,
1989  PrivilegesSize,
1991  if (CapturedPrivileges == NULL)
1992  {
1993  DPRINT1("Failed to allocate %u bytes\n", PrivilegesSize);
1995  _SEH2_YIELD(goto Cleanup);
1996  }
1997 
1998  /* Copy the privileges */
 /* NOTE(review): the copy re-reads the header from user memory, so
  * CapturedPrivileges->PrivilegeCount can differ from the PrivilegeCount
  * the buffer was sized for if user mode changed it in between.  Pin it
  * after the copy — `CapturedPrivileges->PrivilegeCount = PrivilegeCount;`
  * — so consumers cannot walk past PrivilegesSize. */
1999  RtlCopyMemory(CapturedPrivileges, Privileges, PrivilegesSize);
2000  }
2002  {
2004  DPRINT1("Got exception 0x%lx\n", Status);
2005  _SEH2_YIELD(goto Cleanup);
2006  }
2007  _SEH2_END;
2008 
2009  /* Call the internal function */
 /* Callee name on absent line 2010; SubjectContext (declaration absent,
  * line 1896) was captured on absent line 1930. */
2011  SubsystemName ? &CapturedSubsystemName : NULL,
2012  ServiceName ? &CapturedServiceName : NULL,
2013  ClientToken,
2014  SubjectContext.PrimaryToken,
2015  CapturedPrivileges,
2016  AccessGranted);
2017 
2019 
2020 Cleanup:
2021  /* Cleanup resources */
2022  if (CapturedSubsystemName.Buffer != NULL)
2023  ReleaseCapturedUnicodeString(&CapturedSubsystemName, PreviousMode);
2024 
2025  if (CapturedServiceName.Buffer != NULL)
2026  ReleaseCapturedUnicodeString(&CapturedServiceName, PreviousMode);
2027 
2028  if (CapturedPrivileges != NULL)
2029  ExFreePoolWithTag(CapturedPrivileges, TAG_PRIVILEGE_SET);
2030 
2031  /* Release the security subject context */
2033 
 /* ClientToken is non-NULL on every path that reaches Cleanup. */
2034  ObDereferenceObject(ClientToken);
2035 
2036  return Status;
2037 }
2038 
 /* Stub system call (by its parameter list NtPrivilegeObjectAuditAlarm; the
  * return type, declarator and the DesiredAccess / Privileges /
  * AccessGranted parameter lines are absent): traces UNIMPLEMENTED and
  * fails with STATUS_NOT_IMPLEMENTED.  The token handle is never
  * referenced or validated here. */
2067  _In_ PUNICODE_STRING SubsystemName,
2068  _In_ PVOID HandleId,
2069  _In_ HANDLE ClientToken,
2073 {
2074  UNIMPLEMENTED;
2075  return STATUS_NOT_IMPLEMENTED;
2076 }
2077 
 /* System call wrapper (by its parameter list NtAccessCheckAndAuditAlarm):
  * single-result access check and audit attributed to the caller's own
  * impersonation token (NULL token handle pointer).  Fixed arguments: no
  * principal-self SID, no object type list, Flags 0, UseResultList FALSE,
  * so GrantedAccess and AccessStatus each receive exactly one entry.  All
  * probing, capturing and validation happens in SepAccessCheckAndAuditAlarm.
  * The declarator and several parameter / argument lines (original 2125,
  * 2128-2132, 2134-2136, 2142, 2144, 2147, 2151, 2154) are absent from this
  * listing. */
2123 NTSTATUS
2124 NTAPI
2126  _In_ PUNICODE_STRING SubsystemName,
2127  _In_opt_ PVOID HandleId,
2133  _In_ BOOLEAN ObjectCreation,
2137 {
2138  /* Call the internal function */
2139  return SepAccessCheckAndAuditAlarm(SubsystemName,
2140  HandleId,
 /* ClientTokenHandle: NULL selects the subject context's client token */
2141  NULL,
2143  ObjectName,
2145  NULL,
2146  DesiredAccess,
2148  0,
2149  NULL,
2150  0,
2152  GrantedAccess,
2153  AccessStatus,
2155  FALSE);
2156 }
2157 
 /* System call wrapper (by its parameter list
  * NtAccessCheckByTypeAndAuditAlarm): object-type-aware access check and
  * audit attributed to the caller's own impersonation token (NULL token
  * handle pointer).  The object type list is forwarded but UseResultList is
  * FALSE, so GrantedAccess and AccessStatus each receive one entry.  All
  * probing, capturing and validation happens in SepAccessCheckAndAuditAlarm.
  * The declarator and several parameter / argument lines (original 2222,
  * 2225-2227, 2229, 2234, 2236-2238, 2244, 2246, 2253, 2256) are absent
  * from this listing. */
2220 NTSTATUS
2221 NTAPI
2223  _In_ PUNICODE_STRING SubsystemName,
2224  _In_opt_ PVOID HandleId,
2228  _In_opt_ PSID PrincipalSelfSid,
2230  _In_ AUDIT_EVENT_TYPE AuditType,
2231  _In_ ULONG Flags,
2232  _In_reads_opt_(ObjectTypeLength) POBJECT_TYPE_LIST ObjectTypeList,
2233  _In_ ULONG ObjectTypeLength,
2235  _In_ BOOLEAN ObjectCreation,
2239 {
2240  /* Call the internal function */
2241  return SepAccessCheckAndAuditAlarm(SubsystemName,
2242  HandleId,
 /* ClientTokenHandle: NULL selects the subject context's client token */
2243  NULL,
2245  ObjectName,
2247  PrincipalSelfSid,
2248  DesiredAccess,
2249  AuditType,
2250  Flags,
2251  ObjectTypeList,
2252  ObjectTypeLength,
2254  GrantedAccess,
2255  AccessStatus,
2257  FALSE);
2258 }
2259 
 /* NtAccessCheckByTypeResultListAndAuditAlarm: result-list variant
  * attributed to the caller's own impersonation token (NULL token handle
  * pointer).  UseResultList is TRUE, so GrantedAccessList and
  * AccessStatusList must each hold ObjectTypeListLength entries; the
  * callee bounds that length to 1..0x1000 and probes both buffers.  All
  * probing, capturing and validation happens in SepAccessCheckAndAuditAlarm.
  * The declarator and several parameter / argument lines (original 2324,
  * 2327-2329, 2331, 2336, 2340, 2346, 2348, 2355, 2358) are absent from
  * this listing. */
2322 NTSTATUS
2323 NTAPI
2325  _In_ PUNICODE_STRING SubsystemName,
2326  _In_opt_ PVOID HandleId,
2330  _In_opt_ PSID PrincipalSelfSid,
2332  _In_ AUDIT_EVENT_TYPE AuditType,
2333  _In_ ULONG Flags,
2334  _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList,
2335  _In_ ULONG ObjectTypeListLength,
2337  _In_ BOOLEAN ObjectCreation,
2338  _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccessList,
2339  _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatusList,
2341 {
2342  /* Call the internal function */
2343  return SepAccessCheckAndAuditAlarm(SubsystemName,
2344  HandleId,
 /* ClientTokenHandle: NULL selects the subject context's client token */
2345  NULL,
2347  ObjectName,
2349  PrincipalSelfSid,
2350  DesiredAccess,
2351  AuditType,
2352  Flags,
2353  ObjectTypeList,
2354  ObjectTypeListLength,
2356  GrantedAccessList,
2357  AccessStatusList,
2359  TRUE);
2360 }
2361 
 /* System call wrapper (by its parameter list
  * NtAccessCheckByTypeResultListAndAuditAlarmByHandle): result-list variant
  * attributed to an explicit client token handle.  The address of the
  * by-value ClientToken parameter is passed, so the callee dereferences a
  * kernel-stack pointer rather than user memory before resolving the handle
  * with TOKEN_QUERY.  UseResultList is TRUE, so both output lists must hold
  * ObjectTypeListLength entries.  ObjectCreation is accepted but unused.
  * All probing, capturing and validation happens in
  * SepAccessCheckAndAuditAlarm.  The declarator and several parameter /
  * argument lines (original 2430, 2434-2436, 2438, 2443, 2447, 2455, 2457,
  * 2464, 2467) are absent from this listing. */
2428 NTSTATUS
2429 NTAPI
2431  _In_ PUNICODE_STRING SubsystemName,
2432  _In_opt_ PVOID HandleId,
2433  _In_ HANDLE ClientToken,
2437  _In_opt_ PSID PrincipalSelfSid,
2439  _In_ AUDIT_EVENT_TYPE AuditType,
2440  _In_ ULONG Flags,
2441  _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList,
2442  _In_ ULONG ObjectTypeListLength,
2444  _In_ BOOLEAN ObjectCreation,
2445  _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccessList,
2446  _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatusList,
2448 {
2449  UNREFERENCED_PARAMETER(ObjectCreation);
2450 
2451  /* Call the internal function */
2452  return SepAccessCheckAndAuditAlarm(SubsystemName,
2453  HandleId,
 /* Pointer to our own stack copy of the handle, not to user memory */
2454  &ClientToken,
2456  ObjectName,
2458  PrincipalSelfSid,
2459  DesiredAccess,
2460  AuditType,
2461  Flags,
2462  ObjectTypeList,
2463  ObjectTypeListLength,
2465  GrantedAccessList,
2466  AccessStatusList,
2468  TRUE);
2469 }
2470 
2471 /* EOF */
Definition: env_spec_w32.h:81
VOID SeReleaseObjectTypeList(_In_ _Post_invalid_ POBJECT_TYPE_LIST CapturedObjectTypeList, _In_ KPROCESSOR_MODE PreviousMode)
Releases a buffer list of object types.
Definition: objtype.c:107
USHORT MaximumLength
Definition: env_spec_w32.h:370
BOOLEAN NTAPI SeAuditingHardLinkEvents(_In_ BOOLEAN AccessGranted, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor)
Determines whether auditing against hard links events is being done or not.
Definition: audit.c:1050
#define _Out_
Definition: ms_sal.h:345
_In_ PSECURITY_SUBJECT_CONTEXT _In_ BOOLEAN _In_ ACCESS_MASK _In_ ACCESS_MASK _Outptr_opt_ PPRIVILEGE_SET _In_ PGENERIC_MAPPING _In_ KPROCESSOR_MODE _Out_ PACCESS_MASK _Out_ PNTSTATUS AccessStatus
Definition: sefuncs.h:13
#define TRUE
Definition: types.h:120
#define UNREFERENCED_PARAMETER(P)
Definition: ntbasedef.h:317
_In_ USHORT _In_ ULONG _In_ PSOCKADDR _In_ PSOCKADDR _Reserved_ ULONG _In_opt_ PVOID _In_opt_ const WSK_CLIENT_CONNECTION_DISPATCH _In_opt_ PEPROCESS _In_opt_ PETHREAD _In_opt_ PSECURITY_DESCRIPTOR SecurityDescriptor
Definition: wsk.h:182
#define STATUS_INVALID_PARAMETER
Definition: udferr_usr.h:135
#define DBG_UNREFERENCED_PARAMETER(P)
Definition: ntbasedef.h:318
uint16_t * PWSTR
Definition: typedefs.h:56
NTSTATUS NTAPI SepCaptureSid(_In_ PSID InputSid, _In_ KPROCESSOR_MODE AccessMode, _In_ POOL_TYPE PoolType, _In_ BOOLEAN CaptureIfKernel, _Out_ PSID *CapturedSid)
Captures a SID.
Definition: sid.c:314
_In_opt_ PVOID _In_opt_ PUNICODE_STRING _In_ PSECURITY_DESCRIPTOR _In_ PACCESS_STATE _In_ BOOLEAN ObjectCreated
Definition: sefuncs.h:414
LONG NTSTATUS
Definition: precomp.h:26
_IRQL_requires_same_ _In_ PLSA_STRING _In_ SECURITY_LOGON_TYPE _In_ ULONG _In_ ULONG _In_opt_ PTOKEN_GROUPS _In_ PTOKEN_SOURCE _Out_ PVOID _Out_ PULONG _Inout_ PLUID _Out_ PHANDLE Token
VOID NTAPI SepAdtPrivilegedServiceAuditAlarm(_In_ PSECURITY_SUBJECT_CONTEXT SubjectContext, _In_opt_ PUNICODE_STRING SubsystemName, _In_opt_ PUNICODE_STRING ServiceName, _In_ PTOKEN Token, _In_ PTOKEN PrimaryToken, _In_ PPRIVILEGE_SET Privileges, _In_ BOOLEAN AccessGranted)
Performs an audit alarm to a privileged service request. This is a worker function.
Definition: audit.c:332
_Out_ PBOOLEAN CopyOnOpen
Definition: psfuncs.h:154
NTSTATUS NTAPI ObQueryNameString(IN PVOID Object, OUT POBJECT_NAME_INFORMATION ObjectNameInfo, IN ULONG Length, OUT PULONG ReturnLength)
Definition: obname.c:1207
BOOLEAN NTAPI SeDetailedAuditingWithToken(_In_ PTOKEN Token)
Peforms a detailed security auditing with an access token.
Definition: audit.c:34
KPROCESSOR_MODE NTAPI ExGetPreviousMode(VOID)
Definition: sysinfo.c:3063
FORCEINLINE PSID SepGetGroupFromDescriptor(_Inout_ PVOID _Descriptor)
Definition: se.h:79
BOOLEAN NTAPI SeAuditingFileEvents(_In_ BOOLEAN AccessGranted, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor)
Determines whether auditing against file events is being done or not.
Definition: audit.c:993
FORCEINLINE PSID SepGetOwnerFromDescriptor(_Inout_ PVOID _Descriptor)
Definition: se.h:99
UNICODE_STRING Name
Definition: nt_native.h:1270
_In_ PVOID _Out_opt_ PULONG_PTR _Outptr_opt_ PCUNICODE_STRING * ObjectName
Definition: cmfuncs.h:62
#define SEP_PRIVILEGE_SET_MAX_COUNT
Definition: audit.c:15
_Must_inspect_result_ __kernel_entry NTSTATUS NTAPI NtAccessCheckByTypeAndAuditAlarm(_In_ PUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ PUNICODE_STRING ObjectTypeName, _In_ PUNICODE_STRING ObjectName, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_opt_ PSID PrincipalSelfSid, _In_ ACCESS_MASK DesiredAccess, _In_ AUDIT_EVENT_TYPE AuditType, _In_ ULONG Flags, _In_reads_opt_(ObjectTypeLength) POBJECT_TYPE_LIST ObjectTypeList, _In_ ULONG ObjectTypeLength, _In_ PGENERIC_MAPPING GenericMapping, _In_ BOOLEAN ObjectCreation, _Out_ PACCESS_MASK GrantedAccess, _Out_ PNTSTATUS AccessStatus, _Out_ PBOOLEAN GenerateOnClose)
Raises an alarm audit message when a caller attempts to access an object and determine if the access ...
Definition: audit.c:2222
NTSTATUS NTAPI NtPrivilegeObjectAuditAlarm(_In_ PUNICODE_STRING SubsystemName, _In_ PVOID HandleId, _In_ HANDLE ClientToken, _In_ ULONG DesiredAccess, _In_ PPRIVILEGE_SET Privileges, _In_ BOOLEAN AccessGranted)
Raises an alarm audit message when a caller attempts to access a privileged object.
Definition: audit.c:2066
#define _In_reads_opt_(size)
Definition: ms_sal.h:320
static BOOLEAN bSuccess
Definition: drive.cpp:430
VOID NTAPI ProbeForWrite(IN PVOID Address, IN SIZE_T Length, IN ULONG Alignment)
Definition: exintrin.c:143
VOID NTAPI SepReleaseSid(_In_ PSID CapturedSid, _In_ KPROCESSOR_MODE AccessMode, _In_ BOOLEAN CaptureIfKernel)
Releases a captured SID.
Definition: sid.c:400
#define STATUS_BUFFER_TOO_SMALL
Definition: shellext.h:69
_SEH2_TRY
Definition: create.c:4226
VOID NTAPI SepAdtCloseObjectAuditAlarm(_In_ PUNICODE_STRING SubsystemName, _In_ PVOID HandleId, _In_ PSID Sid)
Closes an audit alarm event of an object.
Definition: audit.c:287
return STATUS_NOT_IMPLEMENTED
#define L(x)
Definition: ntvdm.h:50
NTSTATUS NTAPI ObReferenceObjectByHandle(IN HANDLE Handle, IN ACCESS_MASK DesiredAccess, IN POBJECT_TYPE ObjectType, IN KPROCESSOR_MODE AccessMode, OUT PVOID *Object, OUT POBJECT_HANDLE_INFORMATION HandleInformation OPTIONAL)
Definition: obref.c:494
enum _AUDIT_EVENT_TYPE AUDIT_EVENT_TYPE
NTSTATUS(* NTAPI)(IN PFILE_FULL_EA_INFORMATION EaBuffer, IN ULONG EaLength, OUT PULONG ErrorOffset)
Definition: IoEaTest.cpp:117
#define FALSE
Definition: types.h:117
PSE_EXPORTS SeExports
Definition: semgr.c:21
enum _SECURITY_IMPERSONATION_LEVEL SECURITY_IMPERSONATION_LEVEL
#define GENERIC_WRITE
Definition: nt_native.h:90
_In_ PEPROCESS _In_ KPROCESSOR_MODE AccessMode
Definition: mmfuncs.h:395
#define InterlockedCompareExchangePointer
Definition: interlocked.h:129
#define STATUS_GENERIC_NOT_MAPPED
Definition: ntstatus.h:466
#define PsGetCurrentProcess
Definition: psfuncs.h:17
unsigned char BOOLEAN
struct _OBJECT_NAME_INFORMATION OBJECT_NAME_INFORMATION
PSID SeNetworkServiceSid
Definition: setypes.h:1240
POBJECT_TYPE SeTokenObjectType
Definition: token.c:17
BOOLEAN NTAPI PsIsThreadImpersonating(IN PETHREAD Thread)
Definition: thread.c:888
#define _In_
Definition: ms_sal.h:308
_In_ ULONG _In_ ACCESS_MASK _In_ PSID Sid
Definition: rtlfuncs.h:1103
#define STATUS_NO_IMPERSONATION_TOKEN
Definition: ntstatus.h:328
_In_ WDFREQUEST _In_ WDFFILEOBJECT FileObject
Definition: wdfdevice.h:547
VOID NTAPI SeOpenObjectAuditAlarm(_In_ PUNICODE_STRING ObjectTypeName, _In_opt_ PVOID Object, _In_opt_ PUNICODE_STRING AbsoluteObjectName, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ PACCESS_STATE AccessState, _In_ BOOLEAN ObjectCreated, _In_ BOOLEAN AccessGranted, _In_ KPROCESSOR_MODE AccessMode, _Out_ PBOOLEAN GenerateOnClose)
Creates an audit with alarm notification of an object that is being opened.
Definition: audit.c:1213
_Must_inspect_result_ __kernel_entry NTSTATUS NTAPI NtAccessCheckAndAuditAlarm(_In_ PUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ PUNICODE_STRING ObjectTypeName, _In_ PUNICODE_STRING ObjectName, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ ACCESS_MASK DesiredAccess, _In_ PGENERIC_MAPPING GenericMapping, _In_ BOOLEAN ObjectCreation, _Out_ PACCESS_MASK GrantedAccess, _Out_ PNTSTATUS AccessStatus, _Out_ PBOOLEAN GenerateOnClose)
Raises an alarm audit message when a caller attempts to access an object and determine if the access ...
Definition: audit.c:2125
Status
Definition: gdiplustypes.h:24
static __inline VOID ReleaseCapturedUnicodeString(IN PUNICODE_STRING CapturedString, IN KPROCESSOR_MODE CurrentMode)
Definition: probe.h:239
__kernel_entry NTSTATUS NTAPI NtPrivilegedServiceAuditAlarm(_In_opt_ PUNICODE_STRING SubsystemName, _In_opt_ PUNICODE_STRING ServiceName, _In_ HANDLE ClientTokenHandle, _In_ PPRIVILEGE_SET Privileges, _In_ BOOLEAN AccessGranted)
Raises an alarm audit message when a caller attempts to request a privileged service call.
Definition: audit.c:1883
_In_ KPROCESSOR_MODE PreviousMode
Definition: sefuncs.h:103
_Must_inspect_result_ _In_ ULONG Flags
Definition: wsk.h:170
LPTSTR ServiceName
Definition: ServiceMain.c:15
#define TOKEN_QUERY
Definition: setypes.h:924
#define __kernel_entry
Definition: specstrings.h:355
#define ASSERT(a)
Definition: mode.c:44
#define NT_SUCCESS(StatCode)
Definition: apphelp.c:32
VOID NTAPI SeDeleteObjectAuditAlarm(_In_ PVOID Object, _In_ HANDLE Handle)
Deletes an alarm audit of an object.
Definition: audit.c:1163
#define EXCEPTION_EXECUTE_HANDLER
Definition: excpt.h:85
NTSTATUS NTAPI SeCaptureSecurityDescriptor(_In_ PSECURITY_DESCRIPTOR _OriginalSecurityDescriptor, _In_ KPROCESSOR_MODE CurrentMode, _In_ POOL_TYPE PoolType, _In_ BOOLEAN CaptureIfKernel, _Out_ PSECURITY_DESCRIPTOR *CapturedSecurityDescriptor)
Captures a security descriptor.
Definition: sd.c:386
_Out_ PBOOLEAN _Out_ PBOOLEAN _Out_ PSECURITY_IMPERSONATION_LEVEL ImpersonationLevel
Definition: psfuncs.h:154
#define ObDereferenceObject
Definition: obfuncs.h:203
_In_opt_ PVOID _In_opt_ PUNICODE_STRING _In_ PSECURITY_DESCRIPTOR _In_ PACCESS_STATE _In_ BOOLEAN _In_ BOOLEAN _In_ KPROCESSOR_MODE _In_opt_ GUID _Out_ PBOOLEAN GenerateOnClose
Definition: sefuncs.h:414
BOOL Privilege(LPTSTR pszPrivilege, BOOL bEnable)
Definition: user_lib.cpp:531
CCHAR KPROCESSOR_MODE
Definition: ketypes.h:7
* PFILE_OBJECT
Definition: iotypes.h:1998
_In_ PSECURITY_SUBJECT_CONTEXT _In_ BOOLEAN _In_ ACCESS_MASK _In_ ACCESS_MASK _Outptr_opt_ PPRIVILEGE_SET * Privileges
Definition: sefuncs.h:13
_In_opt_ PVOID _In_opt_ PUNICODE_STRING AbsoluteObjectName
Definition: sefuncs.h:414
_In_opt_ PVOID _In_opt_ PUNICODE_STRING _In_ PSECURITY_DESCRIPTOR _In_ PACCESS_STATE AccessState
Definition: sefuncs.h:414
#define ExAllocatePoolWithTag(hernya, size, tag)
Definition: env_spec_w32.h:350
static const char * ImageName
Definition: image.c:34
char * PBOOLEAN
Definition: retypes.h:11
VOID NTAPI ProbeForRead(IN CONST VOID *Address, IN SIZE_T Length, IN ULONG Alignment)
Definition: exintrin.c:102
NTSTATUS NTAPI NtDeleteObjectAuditAlarm(_In_ PUNICODE_STRING SubsystemName, _In_ PVOID HandleId, _In_ BOOLEAN GenerateOnClose)
Raises an alarm audit message when an object is about to be deleted.
Definition: audit.c:1475
PSID SeLocalServiceSid
Definition: setypes.h:1239
BOOLEAN NTAPI SeAuditingFileOrGlobalEvents(_In_ BOOLEAN AccessGranted, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext)
Determines whether auditing against files or global events with subject context is being done or not.
Definition: audit.c:1111
PVOID *typedef PHANDLE
Definition: ntsecpkg.h:454
BOOLEAN NTAPI SeAuditingFileEventsWithContext(_In_ BOOLEAN AccessGranted, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_opt_ PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext)
Determines whether auditing against file events with subject context is being done or not.
Definition: audit.c:1023
VOID NTAPI SePrivilegeObjectAuditAlarm(_In_ HANDLE Handle, _In_ PSECURITY_SUBJECT_CONTEXT SubjectContext, _In_ ACCESS_MASK DesiredAccess, _In_ PPRIVILEGE_SET Privileges, _In_ BOOLEAN AccessGranted, _In_ KPROCESSOR_MODE CurrentMode)
Raises an audit with alarm notification message when an object tries to acquire this privilege.
Definition: audit.c:1321
#define GENERIC_READ
Definition: compat.h:135
NTSTATUS NTAPI SeReleaseSecurityDescriptor(_In_ PSECURITY_DESCRIPTOR CapturedSecurityDescriptor, _In_ KPROCESSOR_MODE CurrentMode, _In_ BOOLEAN CaptureIfKernelMode)
Releases a captured security descriptor buffer.
Definition: sd.c:760
PACCESS_TOKEN NTAPI PsReferencePrimaryToken(PEPROCESS Process)
Definition: security.c:440
static const WCHAR Cleanup[]
Definition: register.c:80
#define _Must_inspect_result_
Definition: ms_sal.h:558
VOID NTAPI SeOpenObjectForDeleteAuditAlarm(_In_ PUNICODE_STRING ObjectTypeName, _In_opt_ PVOID Object, _In_opt_ PUNICODE_STRING AbsoluteObjectName, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ PACCESS_STATE AccessState, _In_ BOOLEAN ObjectCreated, _In_ BOOLEAN AccessGranted, _In_ KPROCESSOR_MODE AccessMode, _Out_ PBOOLEAN GenerateOnClose)
Creates an audit with alarm notification of an object that is being opened for deletion.
Definition: audit.c:1276
_Must_inspect_result_ _In_ WDFCOLLECTION _In_ WDFOBJECT Object
__kernel_entry NTSTATUS NTAPI NtOpenObjectAuditAlarm(_In_ PUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ PUNICODE_STRING ObjectTypeName, _In_ PUNICODE_STRING ObjectName, _In_opt_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ HANDLE ClientTokenHandle, _In_ ACCESS_MASK DesiredAccess, _In_ ACCESS_MASK GrantedAccess, _In_opt_ PPRIVILEGE_SET PrivilegeSet, _In_ BOOLEAN ObjectCreation, _In_ BOOLEAN AccessGranted, _Out_ PBOOLEAN GenerateOnClose)
Raises an alarm audit message when an object is about to be opened.
Definition: audit.c:1622
PACCESS_TOKEN NTAPI PsReferenceImpersonationToken(IN PETHREAD Thread, OUT PBOOLEAN CopyOnOpen, OUT PBOOLEAN EffectiveOnly, OUT PSECURITY_IMPERSONATION_LEVEL ImpersonationLevel)
Definition: security.c:849
static GENERIC_MAPPING GenericMapping
Definition: SeInheritance.c:11
_SEH2_END
Definition: create.c:4400
VOID NTAPI SeCaptureSubjectContext(_Out_ PSECURITY_SUBJECT_CONTEXT SubjectContext)
Captures the security subject context of the calling thread and calling process.
Definition: subject.c:85
#define STATUS_BUFFER_OVERFLOW
Definition: shellext.h:66
GLsizei GLenum const GLvoid GLsizei GLenum GLbyte GLbyte GLbyte GLdouble GLdouble GLdouble GLfloat GLfloat GLfloat GLint GLint GLint GLshort GLshort GLshort GLubyte GLubyte GLubyte GLuint GLuint GLuint GLushort GLushort GLushort GLbyte GLbyte GLbyte GLbyte GLdouble GLdouble GLdouble GLdouble GLfloat GLfloat GLfloat GLfloat GLint GLint GLint GLint GLshort GLshort GLshort GLshort GLubyte GLubyte GLubyte GLubyte GLuint GLuint GLuint GLuint GLushort GLushort GLushort GLushort GLboolean const GLdouble const GLfloat const GLint const GLshort const GLbyte const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLdouble const GLfloat const GLfloat const GLint const GLint const GLshort const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort GLenum GLenum GLenum GLfloat GLenum GLint GLenum GLenum GLenum GLfloat GLenum GLenum GLint GLenum GLfloat GLenum GLint GLint GLushort GLenum GLenum GLfloat GLenum GLenum GLint GLfloat const GLubyte GLenum GLenum GLenum const GLfloat GLenum GLenum const GLint GLenum GLint GLint GLsizei GLsizei GLint GLenum GLenum const GLvoid GLenum GLenum const GLfloat GLenum GLenum const GLint GLenum GLenum const GLdouble GLenum GLenum const GLfloat GLenum GLenum const GLint GLsizei GLuint GLfloat GLuint GLbitfield GLfloat GLint GLuint GLboolean GLenum GLfloat GLenum GLbitfield GLenum GLfloat GLfloat GLint GLint const GLfloat GLenum GLfloat GLfloat GLint GLint GLfloat GLfloat GLint GLint const GLfloat GLint GLfloat GLfloat GLint 
GLfloat GLfloat GLint GLfloat GLfloat const GLdouble const GLfloat const GLdouble const GLfloat GLint i
Definition: glfuncs.h:248
VOID NTAPI SeCloseObjectAuditAlarm(_In_ PVOID Object, _In_ HANDLE Handle, _In_ BOOLEAN PerformAction)
Closes an alarm audit of an object.
Definition: audit.c:1140
BOOLEAN NTAPI SeAuditingHardLinkEventsWithContext(_In_ BOOLEAN AccessGranted, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_opt_ PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext)
Determines whether auditing against hard links events with subject context is being done or not.
Definition: audit.c:1080
_In_opt_ PVOID _In_opt_ PUNICODE_STRING _In_ PSECURITY_DESCRIPTOR _In_ PACCESS_STATE _In_ BOOLEAN _In_ BOOLEAN AccessGranted
Definition: sefuncs.h:414
#define STATUS_NO_MEMORY
Definition: ntstatus.h:260
UNICODE_STRING SeSubsystemName
Definition: audit.c:17
#define FIELD_OFFSET(t, f)
Definition: typedefs.h:255
#define NULL
Definition: types.h:112
BOOLEAN NTAPI SeCheckAuditPrivilege(_In_ PSECURITY_SUBJECT_CONTEXT SubjectContext, _In_ KPROCESSOR_MODE PreviousMode)
Checks a single privilege and performs an audit against a privileged service based on a security subj...
Definition: priv.c:360
VOID NTAPI PsDereferencePrimaryToken(IN PACCESS_TOKEN PrimaryToken)
Definition: security.c:902
#define DPRINT1
Definition: precomp.h:8
_Must_inspect_result_ __kernel_entry NTSTATUS NTAPI NtAccessCheckByTypeResultListAndAuditAlarmByHandle(_In_ PUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ HANDLE ClientToken, _In_ PUNICODE_STRING ObjectTypeName, _In_ PUNICODE_STRING ObjectName, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_opt_ PSID PrincipalSelfSid, _In_ ACCESS_MASK DesiredAccess, _In_ AUDIT_EVENT_TYPE AuditType, _In_ ULONG Flags, _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList, _In_ ULONG ObjectTypeListLength, _In_ PGENERIC_MAPPING GenericMapping, _In_ BOOLEAN ObjectCreation, _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccessList, _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatusList, _Out_ PBOOLEAN GenerateOnClose)
Raises an alarm audit message when a caller attempts to access an object and determine if the access ...
Definition: audit.c:2430
#define AUDIT_ALLOW_NO_PRIVILEGE
Definition: setypes.h:868
PSID SeLocalSystemSid
Definition: sid.c:38
VOID NTAPI SePrivilegedServiceAuditAlarm(_In_opt_ PUNICODE_STRING ServiceName, _In_ PSECURITY_SUBJECT_CONTEXT SubjectContext, _In_ PPRIVILEGE_SET PrivilegeSet, _In_ BOOLEAN AccessGranted)
Performs an audit alarm to a privileged service request.
Definition: audit.c:369
_Must_inspect_result_ _In_ PLARGE_INTEGER _In_ PLARGE_INTEGER _In_ ULONG _In_ PFILE_OBJECT _In_ PVOID Process
Definition: fsrtlfuncs.h:219
_In_ HANDLE Handle
Definition: extypes.h:390
NTSTATUS NTAPI SeInitializeProcessAuditName(_In_ PFILE_OBJECT FileObject, _In_ BOOLEAN DoAudit, _Out_ POBJECT_NAME_INFORMATION *AuditInfo)
Initializes a process audit name and returns it to the caller.
Definition: audit.c:105
VOID NTAPI SeAuditProcessCreate(_In_ PEPROCESS Process)
Peforms a security auditing against a process that is about to be created.
Definition: audit.c:56
unsigned int ULONG
Definition: retypes.h:1
ACCESS_MASK * PACCESS_MASK
Definition: nt_native.h:41
#define UNIMPLEMENTED
Definition: debug.h:115
#define RtlZeroMemory(Destination, Length)
Definition: typedefs.h:262
PSID_AND_ATTRIBUTES UserAndGroups
Definition: setypes.h:233
#define RtlCopyMemory(Destination, Source, Length)
Definition: typedefs.h:263
VOID NTAPI SeReleaseSubjectContext(_In_ PSECURITY_SUBJECT_CONTEXT SubjectContext)
Releases both the primary and client tokens of a security subject context.
Definition: subject.c:171
#define _SEH2_EXCEPT(...)
Definition: pseh2_64.h:40
static _Must_inspect_result_ NTSTATUS SepAccessCheckAndAuditAlarmWorker(_In_ PUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ PSECURITY_SUBJECT_CONTEXT SubjectContext, _In_ PUNICODE_STRING ObjectTypeName, _In_ PUNICODE_STRING ObjectName, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_opt_ PSID PrincipalSelfSid, _In_ ACCESS_MASK DesiredAccess, _In_ AUDIT_EVENT_TYPE AuditType, _In_ BOOLEAN HaveAuditPrivilege, _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList, _In_ ULONG ObjectTypeListLength, _In_ PGENERIC_MAPPING GenericMapping, _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccessList, _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatusList, _Out_ PBOOLEAN GenerateOnClose, _In_ BOOLEAN UseResultList)
Worker function that serves as the main heart and brain of the whole concept and implementation of au...
Definition: audit.c:489
#define TAG_SEPA
Definition: tag.h:153
#define TAG_PRIVILEGE_SET
Definition: tag.h:154
#define STATUS_SUCCESS
Definition: shellext.h:65
VOID NTAPI SeAuditProcessExit(_In_ PEPROCESS Process)
Peforms a security auditing against a process that is about to be terminated.
Definition: audit.c:77
#define _SEH2_GetExceptionCode()
Definition: pseh2_64.h:165
#define _SEH2_YIELD(__stmt)
Definition: pseh2_64.h:168
#define DPRINT
Definition: sndvol32.h:71
_In_ ACCESS_MASK _In_opt_ POBJECT_ATTRIBUTES _In_ BOOLEAN EffectiveOnly
Definition: sefuncs.h:401
#define UNIMPLEMENTED_ONCE
Definition: typedefs.h:30
_In_ PSECURITY_SUBJECT_CONTEXT _In_ BOOLEAN _In_ ACCESS_MASK _In_ ACCESS_MASK _Outptr_opt_ PPRIVILEGE_SET _In_ PGENERIC_MAPPING _In_ KPROCESSOR_MODE _Out_ PACCESS_MASK GrantedAccess
Definition: sefuncs.h:13
#define GENERIC_EXECUTE
Definition: nt_native.h:91
#define ExFreePoolWithTag(_P, _T)
Definition: module.h:1099
NTSTATUS SeCaptureObjectTypeList(_In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList, _In_ ULONG ObjectTypeListLength, _In_ KPROCESSOR_MODE PreviousMode, _Out_ POBJECT_TYPE_LIST *CapturedObjectTypeList)
Captures a list of object types.
Definition: objtype.c:39
ULONG ACCESS_MASK
Definition: nt_native.h:40
VOID NTAPI SeAuditHardLinkCreation(_In_ PUNICODE_STRING FileName, _In_ PUNICODE_STRING LinkName, _In_ BOOLEAN bSuccess)
Performs an audit against a hard link creation.
Definition: audit.c:967
NTSTATUS NTAPI NtCloseObjectAuditAlarm(_In_ PUNICODE_STRING SubsystemName, _In_ PVOID HandleId, _In_ BOOLEAN GenerateOnClose)
Raises an alarm audit message when an object is about to be closed.
Definition: audit.c:1358
_Must_inspect_result_ NTSTATUS NTAPI SepAccessCheckAndAuditAlarm(_In_ PUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ PHANDLE ClientTokenHandle, _In_ PUNICODE_STRING ObjectTypeName, _In_ PUNICODE_STRING ObjectName, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_opt_ PSID PrincipalSelfSid, _In_ ACCESS_MASK DesiredAccess, _In_ AUDIT_EVENT_TYPE AuditType, _In_ ULONG Flags, _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList, _In_ ULONG ObjectTypeListLength, _In_ PGENERIC_MAPPING GenericMapping, _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccessList, _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatusList, _Out_ PBOOLEAN GenerateOnClose, _In_ BOOLEAN UseResultList)
Performs security auditing, if the specific object can be granted security access or not.
Definition: audit.c:614
#define ExFreePool(addr)
Definition: env_spec_w32.h:352
NTSYSAPI BOOLEAN NTAPI RtlEqualSid(_In_ PSID Sid1, _In_ PSID Sid2)
NTSTATUS NTAPI PsReferenceProcessFilePointer(IN PEPROCESS Process, OUT PFILE_OBJECT *FileObject)
Definition: query.c:24
VOID NTAPI SepOpenObjectAuditAlarm(_In_ PSECURITY_SUBJECT_CONTEXT SubjectContext, _In_ PUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ PUNICODE_STRING ObjectTypeName, _In_ PUNICODE_STRING ObjectName, _In_opt_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ PTOKEN ClientToken, _In_ ACCESS_MASK DesiredAccess, _In_ ACCESS_MASK GrantedAccess, _In_opt_ PPRIVILEGE_SET Privileges, _In_ BOOLEAN ObjectCreation, _In_ BOOLEAN AccessGranted, _Out_ PBOOLEAN GenerateOnClose)
Raises an alarm audit message when an object is about to be opened.
Definition: audit.c:1535
#define PAGED_CODE()
_In_ PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext
Definition: sefuncs.h:13
#define RTL_CONSTANT_STRING(s)
Definition: tunneltest.c:14
#define _Out_writes_(size)
Definition: ms_sal.h:348
VOID NTAPI PsDereferenceImpersonationToken(IN PACCESS_TOKEN ImpersonationToken)
Definition: security.c:888