ReactOS 0.4.16-dev-1475-g410db43
audit.c
Go to the documentation of this file.
1/*
2 * PROJECT: ReactOS Kernel
3 * LICENSE: GPL-2.0-or-later (https://spdx.org/licenses/GPL-2.0-or-later)
4 * PURPOSE: Security auditing functions
5 * COPYRIGHT: Copyright Eric Kohl
6 * Copyright Timo Kreuzer <timo.kreuzer@reactos.org>
7 */
8
9/* INCLUDES *******************************************************************/
10
11#include <ntoskrnl.h>
12#define NDEBUG
13#include <debug.h>
14
15#define SEP_PRIVILEGE_SET_MAX_COUNT 60
16
17UNICODE_STRING SeSubsystemName = RTL_CONSTANT_STRING(L"Security");
18
19/* PRIVATE FUNCTIONS ***********************************************************/
20
32BOOLEAN
33NTAPI
34SeDetailedAuditingWithToken(
35 _In_ PTOKEN Token)
36{
37 /* FIXME */
38 return FALSE;
39}
40
54VOID
55NTAPI
56SeAuditProcessCreate(
57 _In_ PEPROCESS Process)
58{
59 /* FIXME */
60}
61
75VOID
76NTAPI
77SeAuditProcessExit(
78 _In_ PEPROCESS Process)
79{
80 /* FIXME */
81}
82
103NTSTATUS
104NTAPI
105SeInitializeProcessAuditName(
106 _In_ PFILE_OBJECT FileObject,
107 _In_ BOOLEAN DoAudit,
108 _Out_ POBJECT_NAME_INFORMATION *AuditInfo)
109{
110 OBJECT_NAME_INFORMATION LocalNameInfo;
111 POBJECT_NAME_INFORMATION ObjectNameInfo = NULL;
112 ULONG ReturnLength = 8;
113 NTSTATUS Status;
114
115 PAGED_CODE();
116 ASSERT(AuditInfo);
117
118 /* Check if we should do auditing */
119 if (DoAudit)
120 {
121 /* FIXME: TODO */
122 }
123
124 /* Now query the name */
125 Status = ObQueryNameString(FileObject,
126 &LocalNameInfo,
127 sizeof(LocalNameInfo),
128 &ReturnLength);
129 if (((Status == STATUS_BUFFER_OVERFLOW) ||
130 (Status == STATUS_BUFFER_TOO_SMALL) ||
131 (Status == STATUS_INFO_LENGTH_MISMATCH)) &&
132 (ReturnLength != sizeof(LocalNameInfo)))
133 {
134 /* Allocate required size */
135 ObjectNameInfo = ExAllocatePoolWithTag(NonPagedPool,
136 ReturnLength,
137 TAG_SEPA);
138 if (ObjectNameInfo)
139 {
140 /* Query the name again */
141 Status = ObQueryNameString(FileObject,
142 ObjectNameInfo,
143 ReturnLength,
144 &ReturnLength);
145 }
146 }
147
148 /* Check if we got here due to failure */
149 if ((ObjectNameInfo) &&
150 (!(NT_SUCCESS(Status)) || (ReturnLength == sizeof(LocalNameInfo))))
151 {
152 /* First, free any buffer we might've allocated */
153 ASSERT(FALSE);
154 if (ObjectNameInfo) ExFreePool(ObjectNameInfo);
155
156 /* Now allocate a temporary one */
157 ReturnLength = sizeof(OBJECT_NAME_INFORMATION);
158 ObjectNameInfo = ExAllocatePoolWithTag(NonPagedPool,
159 sizeof(OBJECT_NAME_INFORMATION),
160 TAG_SEPA);
161 if (ObjectNameInfo)
162 {
163 /* Clear it */
164 RtlZeroMemory(ObjectNameInfo, ReturnLength);
165 Status = STATUS_SUCCESS;
166 }
167 }
168
169 /* Check if memory allocation failed */
170 if (!ObjectNameInfo) Status = STATUS_NO_MEMORY;
171
172 /* Return the audit name */
173 *AuditInfo = ObjectNameInfo;
174
175 /* Return status */
176 return Status;
177}
178
197NTSTATUS
198NTAPI
199SeLocateProcessImageName(
200 _In_ PEPROCESS Process,
201 _Out_ PUNICODE_STRING *ProcessImageName)
202{
203 POBJECT_NAME_INFORMATION AuditName;
204 PUNICODE_STRING ImageName;
205 PFILE_OBJECT FileObject;
206 NTSTATUS Status = STATUS_SUCCESS;
207
208 PAGED_CODE();
209
210 /* Assume failure */
211 *ProcessImageName = NULL;
212
213 /* Check if we have audit info */
214 AuditName = Process->SeAuditProcessCreationInfo.ImageFileName;
215 if (!AuditName)
216 {
217 /* Get the file object */
218 Status = PsReferenceProcessFilePointer(Process, &FileObject);
219 if (!NT_SUCCESS(Status)) return Status;
220
221 /* Initialize the audit structure */
222 Status = SeInitializeProcessAuditName(FileObject, TRUE, &AuditName);
223 if (NT_SUCCESS(Status))
224 {
225 /* Set it */
226 if (InterlockedCompareExchangePointer((PVOID*)&Process->
227 SeAuditProcessCreationInfo.ImageFileName,
228 AuditName,
229 NULL))
230 {
231 /* Someone beat us to it, deallocate our copy */
232 ExFreePool(AuditName);
233 }
234 }
235
236 /* Dereference the file object */
237 ObDereferenceObject(FileObject);
238 if (!NT_SUCCESS(Status)) return Status;
239 }
240
241 /* Get audit info again, now we have it for sure */
242 AuditName = Process->SeAuditProcessCreationInfo.ImageFileName;
243
244 /* Allocate the output string */
245 ImageName = ExAllocatePoolWithTag(NonPagedPool,
246 AuditName->Name.MaximumLength +
247 sizeof(UNICODE_STRING),
248 TAG_SEPA);
249 if (!ImageName) return STATUS_NO_MEMORY;
250
251 /* Make a copy of it */
252 RtlCopyMemory(ImageName,
253 &AuditName->Name,
254 AuditName->Name.MaximumLength + sizeof(UNICODE_STRING));
255
256 /* Fix up the buffer */
257 ImageName->Buffer = (PWSTR)(ImageName + 1);
258
259 /* Return it */
260 *ProcessImageName = ImageName;
261
262 /* Return status */
263 return Status;
264}
265
285VOID
286NTAPI
287SepAdtCloseObjectAuditAlarm(
288 _In_ PUNICODE_STRING SubsystemName,
289 _In_ PVOID HandleId,
290 _In_ PSID Sid)
291{
292 UNIMPLEMENTED;
293}
294
330VOID
331NTAPI
332SepAdtPrivilegedServiceAuditAlarm(
333 _In_ PSECURITY_SUBJECT_CONTEXT SubjectContext,
334 _In_opt_ PUNICODE_STRING SubsystemName,
335 _In_opt_ PUNICODE_STRING ServiceName,
336 _In_ PTOKEN Token,
337 _In_ PTOKEN PrimaryToken,
338 _In_ PPRIVILEGE_SET Privileges,
339 _In_ BOOLEAN AccessGranted)
340{
341 DPRINT("SepAdtPrivilegedServiceAuditAlarm is unimplemented\n");
342}
343
367VOID
368NTAPI
369SePrivilegedServiceAuditAlarm(
370 _In_opt_ PUNICODE_STRING ServiceName,
371 _In_ PSECURITY_SUBJECT_CONTEXT SubjectContext,
372 _In_ PPRIVILEGE_SET PrivilegeSet,
373 _In_ BOOLEAN AccessGranted)
374{
375 PTOKEN EffectiveToken;
376 PSID UserSid;
377 PAGED_CODE();
378
379 /* Get the effective token */
380 if (SubjectContext->ClientToken != NULL)
381 EffectiveToken = SubjectContext->ClientToken;
382 else
383 EffectiveToken = SubjectContext->PrimaryToken;
384
385 /* Get the user SID */
386 UserSid = EffectiveToken->UserAndGroups->Sid;
387
388 /* Check if this is the local system SID */
389 if (RtlEqualSid(UserSid, SeLocalSystemSid))
390 {
391 /* Nothing to do */
392 return;
393 }
394
395 /* Check if this is the network service or local service SID */
396 if (RtlEqualSid(UserSid, SeExports->SeNetworkServiceSid) ||
397 RtlEqualSid(UserSid, SeExports->SeLocalServiceSid))
398 {
399 // FIXME: should continue for a certain set of privileges
400 return;
401 }
402
403 /* Call the worker function */
404 SepAdtPrivilegedServiceAuditAlarm(SubjectContext,
405 &SeSubsystemName,
406 ServiceName,
407 SubjectContext->ClientToken,
408 SubjectContext->PrimaryToken,
409 PrivilegeSet,
410 AccessGranted);
411
412}
413
486_Must_inspect_result_
487static
488NTSTATUS
489SepAccessCheckAndAuditAlarmWorker(
490 _In_ PUNICODE_STRING SubsystemName,
491 _In_opt_ PVOID HandleId,
492 _In_ PSECURITY_SUBJECT_CONTEXT SubjectContext,
493 _In_ PUNICODE_STRING ObjectTypeName,
494 _In_ PUNICODE_STRING ObjectName,
495 _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
496 _In_opt_ PSID PrincipalSelfSid,
497 _In_ ACCESS_MASK DesiredAccess,
498 _In_ AUDIT_EVENT_TYPE AuditType,
499 _In_ BOOLEAN HaveAuditPrivilege,
500 _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST_INTERNAL ObjectTypeList,
501 _In_ ULONG ObjectTypeListLength,
502 _In_ PGENERIC_MAPPING GenericMapping,
503 _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccessList,
504 _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatusList,
505 _Out_ PBOOLEAN GenerateOnClose,
506 _In_ BOOLEAN UseResultList)
507{
508 ULONG ResultListLength, i;
509
510 /* Get the length of the result list */
511 ResultListLength = UseResultList ? ObjectTypeListLength : 1;
512
514 UNIMPLEMENTED;
515
517 for (i = 0; i < ResultListLength; i++)
518 {
519 GrantedAccessList[i] = DesiredAccess;
520 AccessStatusList[i] = STATUS_SUCCESS;
521 }
522
523 *GenerateOnClose = FALSE;
524
525 return STATUS_SUCCESS;
526}
527
611_Must_inspect_result_
612NTSTATUS
613NTAPI
614SepAccessCheckAndAuditAlarm(
615 _In_ PUNICODE_STRING SubsystemName,
616 _In_opt_ PVOID HandleId,
617 _In_ PHANDLE ClientTokenHandle,
618 _In_ PUNICODE_STRING ObjectTypeName,
619 _In_ PUNICODE_STRING ObjectName,
620 _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
621 _In_opt_ PSID PrincipalSelfSid,
622 _In_ ACCESS_MASK DesiredAccess,
623 _In_ AUDIT_EVENT_TYPE AuditType,
624 _In_ ULONG Flags,
625 _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList,
626 _In_ ULONG ObjectTypeListLength,
627 _In_ PGENERIC_MAPPING GenericMapping,
628 _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccessList,
629 _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatusList,
630 _Out_ PBOOLEAN GenerateOnClose,
631 _In_ BOOLEAN UseResultList)
632{
633 SECURITY_SUBJECT_CONTEXT SubjectContext;
634 ULONG ResultListLength;
635 GENERIC_MAPPING LocalGenericMapping;
636 PTOKEN SubjectContextToken, ClientToken;
637 BOOLEAN AllocatedResultLists;
638 BOOLEAN HaveAuditPrivilege;
639 PSECURITY_DESCRIPTOR CapturedSecurityDescriptor;
640 UNICODE_STRING CapturedSubsystemName, CapturedObjectTypeName, CapturedObjectName;
641 ACCESS_MASK GrantedAccess, *SafeGrantedAccessList;
642 NTSTATUS AccessStatus, *SafeAccessStatusList;
643 PSID CapturedPrincipalSelfSid;
644 POBJECT_TYPE_LIST_INTERNAL CapturedObjectTypeList;
645 ULONG i;
646 BOOLEAN LocalGenerateOnClose;
647 NTSTATUS Status;
648 PAGED_CODE();
649
650 /* Only user mode is supported! */
651 ASSERT(ExGetPreviousMode() != KernelMode);
652
653 /* Start clean */
654 AllocatedResultLists = FALSE;
655 ClientToken = NULL;
656 CapturedSecurityDescriptor = NULL;
657 CapturedSubsystemName.Buffer = NULL;
658 CapturedObjectTypeName.Buffer = NULL;
659 CapturedObjectName.Buffer = NULL;
660 CapturedPrincipalSelfSid = NULL;
661 CapturedObjectTypeList = NULL;
662
663 /* Validate AuditType */
664 if ((AuditType != AuditEventObjectAccess) &&
665 (AuditType != AuditEventDirectoryServiceAccess))
666 {
667 DPRINT1("Invalid audit type: %u\n", AuditType);
668 return STATUS_INVALID_PARAMETER;
669 }
670
671 /* Capture the security subject context */
672 SeCaptureSubjectContext(&SubjectContext);
673
674 /* Did the caller pass a token handle? */
675 if (ClientTokenHandle == NULL)
676 {
677 /* Check if we have a token in the subject context */
678 if (SubjectContext.ClientToken == NULL)
679 {
680 Status = STATUS_NO_IMPERSONATION_TOKEN;
681 DPRINT1("No token\n");
682 goto Cleanup;
683 }
684
685 /* Check if we have a valid impersonation level */
686 if (SubjectContext.ImpersonationLevel < SecurityIdentification)
687 {
688 Status = STATUS_BAD_IMPERSONATION_LEVEL;
689 DPRINT1("Invalid impersonation level 0x%lx\n",
690 SubjectContext.ImpersonationLevel);
691 goto Cleanup;
692 }
693 }
694
695 /* Are we using a result list? */
696 if (UseResultList)
697 {
698 /* The list length equals the object type list length */
699 ResultListLength = ObjectTypeListLength;
700 if ((ResultListLength == 0) || (ResultListLength > 0x1000))
701 {
702 Status = STATUS_INVALID_PARAMETER;
703 DPRINT1("Invalid ResultListLength: 0x%lx\n", ResultListLength);
704 goto Cleanup;
705 }
706
707 /* Allocate a safe buffer from paged pool */
708 SafeGrantedAccessList = ExAllocatePoolWithTag(PagedPool,
709 2 * ResultListLength * sizeof(ULONG),
710 TAG_SEPA);
711 if (SafeGrantedAccessList == NULL)
712 {
713 Status = STATUS_INSUFFICIENT_RESOURCES;
714 DPRINT1("Failed to allocate access lists\n");
715 goto Cleanup;
716 }
717
718 SafeAccessStatusList = (PNTSTATUS)&SafeGrantedAccessList[ResultListLength];
719 AllocatedResultLists = TRUE;
720 }
721 else
722 {
723 /* List length is 1 */
724 ResultListLength = 1;
725 SafeGrantedAccessList = &GrantedAccess;
726 SafeAccessStatusList = &AccessStatus;
727 }
728
729 _SEH2_TRY
730 {
731 /* Probe output buffers */
732 ProbeForWrite(AccessStatusList,
733 ResultListLength * sizeof(*AccessStatusList),
734 sizeof(*AccessStatusList));
735 ProbeForWrite(GrantedAccessList,
736 ResultListLength * sizeof(*GrantedAccessList),
737 sizeof(*GrantedAccessList));
738
739 /* Probe generic mapping and make a local copy */
740 ProbeForRead(GenericMapping, sizeof(*GenericMapping), sizeof(ULONG));
741 LocalGenericMapping = * GenericMapping;
742 }
743 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
744 {
745 Status = _SEH2_GetExceptionCode();
746 DPRINT1("Exception while probing parameters: 0x%lx\n", Status);
747 _SEH2_YIELD(goto Cleanup);
748 }
749 _SEH2_END;
750
751 /* Do we have a client token? */
752 if (ClientTokenHandle != NULL)
753 {
754 /* Reference the client token */
755 Status = ObReferenceObjectByHandle(*ClientTokenHandle,
756 TOKEN_QUERY,
757 SeTokenObjectType,
758 UserMode,
759 (PVOID*)&ClientToken,
760 NULL);
761 if (!NT_SUCCESS(Status))
762 {
763 DPRINT1("Failed to reference token handle %p: %lx\n",
764 *ClientTokenHandle, Status);
765 goto Cleanup;
766 }
767
768 SubjectContextToken = SubjectContext.ClientToken;
769 SubjectContext.ClientToken = ClientToken;
770 }
771
772 /* Check for audit privilege */
773 HaveAuditPrivilege = SeCheckAuditPrivilege(&SubjectContext, UserMode);
774 if (!HaveAuditPrivilege && !(Flags & AUDIT_ALLOW_NO_PRIVILEGE))
775 {
776 DPRINT1("Caller does not have SeAuditPrivilege\n");
777 Status = STATUS_PRIVILEGE_NOT_HELD;
778 goto Cleanup;
779 }
780
781 /* Generic access must already be mapped to non-generic access types! */
782 if (DesiredAccess & (GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE | GENERIC_ALL))
783 {
784 DPRINT1("Generic access rights requested: 0x%lx\n", DesiredAccess);
785 Status = STATUS_GENERIC_NOT_MAPPED;
786 goto Cleanup;
787 }
788
789 /* Capture the security descriptor */
790 Status = SeCaptureSecurityDescriptor(SecurityDescriptor,
791 UserMode,
792 PagedPool,
793 FALSE,
794 &CapturedSecurityDescriptor);
795 if (!NT_SUCCESS(Status))
796 {
797 DPRINT1("Failed to capture security descriptor!\n");
798 goto Cleanup;
799 }
800
801 /* Validate the Security descriptor */
802 if ((SepGetOwnerFromDescriptor(CapturedSecurityDescriptor) == NULL) ||
803 (SepGetGroupFromDescriptor(CapturedSecurityDescriptor) == NULL))
804 {
805 Status = STATUS_INVALID_SECURITY_DESCR;
806 DPRINT1("Invalid security descriptor\n");
807 goto Cleanup;
808 }
809
810 /* Probe and capture the subsystem name */
811 Status = ProbeAndCaptureUnicodeString(&CapturedSubsystemName,
812 UserMode,
813 SubsystemName);
814 if (!NT_SUCCESS(Status))
815 {
816 DPRINT1("Failed to capture subsystem name!\n");
817 goto Cleanup;
818 }
819
820 /* Probe and capture the object type name */
821 Status = ProbeAndCaptureUnicodeString(&CapturedObjectTypeName,
822 UserMode,
823 ObjectTypeName);
824 if (!NT_SUCCESS(Status))
825 {
826 DPRINT1("Failed to capture object type name!\n");
827 goto Cleanup;
828 }
829
830 /* Probe and capture the object name */
831 Status = ProbeAndCaptureUnicodeString(&CapturedObjectName,
832 UserMode,
833 ObjectName);
834 if (!NT_SUCCESS(Status))
835 {
836 DPRINT1("Failed to capture object name!\n");
837 goto Cleanup;
838 }
839
840 /* Check if we have a PrincipalSelfSid */
841 if (PrincipalSelfSid != NULL)
842 {
843 /* Capture it */
844 Status = SepCaptureSid(PrincipalSelfSid,
845 UserMode,
846 PagedPool,
847 FALSE,
848 &CapturedPrincipalSelfSid);
849 if (!NT_SUCCESS(Status))
850 {
851 DPRINT1("Failed to capture PrincipalSelfSid!\n");
852 goto Cleanup;
853 }
854 }
855
856 /* Capture the object type list */
857 Status = SeCaptureObjectTypeList(ObjectTypeList,
858 ObjectTypeListLength,
859 UserMode,
860 &CapturedObjectTypeList);
861 if (!NT_SUCCESS(Status))
862 {
863 DPRINT1("Failed to capture object type list!\n");
864 goto Cleanup;
865 }
866
867 /* Call the worker routine with the captured buffers */
868 Status = SepAccessCheckAndAuditAlarmWorker(&CapturedSubsystemName,
869 HandleId,
870 &SubjectContext,
871 &CapturedObjectTypeName,
872 &CapturedObjectName,
873 CapturedSecurityDescriptor,
874 CapturedPrincipalSelfSid,
875 DesiredAccess,
876 AuditType,
877 HaveAuditPrivilege,
878 CapturedObjectTypeList,
879 ObjectTypeListLength,
880 &LocalGenericMapping,
881 SafeGrantedAccessList,
882 SafeAccessStatusList,
883 &LocalGenerateOnClose,
884 UseResultList);
885 if (!NT_SUCCESS(Status))
886 goto Cleanup;
887
888 /* Enter SEH to copy the data back to user mode */
889 _SEH2_TRY
890 {
891 /* Loop all result entries (only 1 when no list was requested) */
892 ASSERT(UseResultList || (ResultListLength == 1));
893 for (i = 0; i < ResultListLength; i++)
894 {
895 AccessStatusList[i] = SafeAccessStatusList[i];
896 GrantedAccessList[i] = SafeGrantedAccessList[i];
897 }
898
899 *GenerateOnClose = LocalGenerateOnClose;
900 }
901 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
902 {
903 Status = _SEH2_GetExceptionCode();
904 DPRINT1("Exception while copying back data: 0x%lx\n", Status);
905 }
906 _SEH2_END;
907
908Cleanup:
909
910 if (CapturedObjectTypeList != NULL)
911 SeReleaseObjectTypeList(CapturedObjectTypeList, UserMode);
912
913 if (CapturedPrincipalSelfSid != NULL)
914 SepReleaseSid(CapturedPrincipalSelfSid, UserMode, FALSE);
915
916 if (CapturedObjectName.Buffer != NULL)
917 ReleaseCapturedUnicodeString(&CapturedObjectName, UserMode);
918
919 if (CapturedObjectTypeName.Buffer != NULL)
920 ReleaseCapturedUnicodeString(&CapturedObjectTypeName, UserMode);
921
922 if (CapturedSubsystemName.Buffer != NULL)
923 ReleaseCapturedUnicodeString(&CapturedSubsystemName, UserMode);
924
925 if (CapturedSecurityDescriptor != NULL)
926 SeReleaseSecurityDescriptor(CapturedSecurityDescriptor, UserMode, FALSE);
927
928 if (ClientToken != NULL)
929 {
930 ObDereferenceObject(ClientToken);
931 SubjectContext.ClientToken = SubjectContextToken;
932 }
933
934 if (AllocatedResultLists)
935 ExFreePoolWithTag(SafeGrantedAccessList, TAG_SEPA);
936
937 /* Release the security subject context */
938 SeReleaseSubjectContext(&SubjectContext);
939
940 return Status;
941}
942
943
944/* PUBLIC FUNCTIONS ***********************************************************/
945
965VOID
966NTAPI
967SeAuditHardLinkCreation(
968 _In_ PUNICODE_STRING FileName,
969 _In_ PUNICODE_STRING LinkName,
970 _In_ BOOLEAN bSuccess)
971{
972 UNIMPLEMENTED;
973}
974
991BOOLEAN
992NTAPI
993SeAuditingFileEvents(
994 _In_ BOOLEAN AccessGranted,
995 _In_ PSECURITY_DESCRIPTOR SecurityDescriptor)
996{
997 UNIMPLEMENTED;
998 return FALSE;
999}
1000
1021BOOLEAN
1022NTAPI
1023SeAuditingFileEventsWithContext(
1024 _In_ BOOLEAN AccessGranted,
1025 _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
1026 _In_opt_ PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext)
1027{
1028 UNIMPLEMENTED_ONCE;
1029 return FALSE;
1030}
1031
1048BOOLEAN
1049NTAPI
1050SeAuditingHardLinkEvents(
1051 _In_ BOOLEAN AccessGranted,
1052 _In_ PSECURITY_DESCRIPTOR SecurityDescriptor)
1053{
1054 UNIMPLEMENTED;
1055 return FALSE;
1056}
1057
1078BOOLEAN
1079NTAPI
1080SeAuditingHardLinkEventsWithContext(
1081 _In_ BOOLEAN AccessGranted,
1082 _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
1083 _In_opt_ PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext)
1084{
1085 UNIMPLEMENTED;
1086 return FALSE;
1087}
1088
1109BOOLEAN
1110NTAPI
1111SeAuditingFileOrGlobalEvents(
1112 _In_ BOOLEAN AccessGranted,
1113 _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
1114 _In_ PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext)
1115{
1116 UNIMPLEMENTED;
1117 return FALSE;
1118}
1119
1138VOID
1139NTAPI
1140SeCloseObjectAuditAlarm(
1141 _In_ PVOID Object,
1142 _In_ HANDLE Handle,
1143 _In_ BOOLEAN PerformAction)
1144{
1145 UNIMPLEMENTED;
1146}
1147
1162VOID NTAPI
1163SeDeleteObjectAuditAlarm(
1164 _In_ PVOID Object,
1165 _In_ HANDLE Handle)
1166{
1167 UNIMPLEMENTED;
1168}
1169
1211VOID
1212NTAPI
1213SeOpenObjectAuditAlarm(
1214 _In_ PUNICODE_STRING ObjectTypeName,
1215 _In_opt_ PVOID Object,
1216 _In_opt_ PUNICODE_STRING AbsoluteObjectName,
1217 _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
1218 _In_ PACCESS_STATE AccessState,
1219 _In_ BOOLEAN ObjectCreated,
1220 _In_ BOOLEAN AccessGranted,
1221 _In_ KPROCESSOR_MODE AccessMode,
1222 _Out_ PBOOLEAN GenerateOnClose)
1223{
1224 PAGED_CODE();
1225
1226 /* Audits aren't done on kernel-mode access */
1227 if (AccessMode == KernelMode) return;
1228
1229 /* Otherwise, unimplemented! */
1230 //UNIMPLEMENTED;
1231 return;
1232}
1233
1275VOID NTAPI
1276SeOpenObjectForDeleteAuditAlarm(
1277 _In_ PUNICODE_STRING ObjectTypeName,
1278 _In_opt_ PVOID Object,
1279 _In_opt_ PUNICODE_STRING AbsoluteObjectName,
1280 _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
1281 _In_ PACCESS_STATE AccessState,
1282 _In_ BOOLEAN ObjectCreated,
1283 _In_ BOOLEAN AccessGranted,
1284 _In_ KPROCESSOR_MODE AccessMode,
1285 _Out_ PBOOLEAN GenerateOnClose)
1286{
1287 UNIMPLEMENTED;
1288}
1289
1319VOID
1320NTAPI
1321SePrivilegeObjectAuditAlarm(
1322 _In_ HANDLE Handle,
1323 _In_ PSECURITY_SUBJECT_CONTEXT SubjectContext,
1324 _In_ ACCESS_MASK DesiredAccess,
1325 _In_ PPRIVILEGE_SET Privileges,
1326 _In_ BOOLEAN AccessGranted,
1327 _In_ KPROCESSOR_MODE CurrentMode)
1328{
1329 UNIMPLEMENTED;
1330}
1331
1332/* SYSTEM CALLS ***************************************************************/
1333
1356NTSTATUS
1357NTAPI
1358NtCloseObjectAuditAlarm(
1359 _In_ PUNICODE_STRING SubsystemName,
1360 _In_ PVOID HandleId,
1361 _In_ BOOLEAN GenerateOnClose)
1362{
1363 SECURITY_SUBJECT_CONTEXT SubjectContext;
1364 UNICODE_STRING CapturedSubsystemName;
1365 KPROCESSOR_MODE PreviousMode;
1366 BOOLEAN UseImpersonationToken;
1367 PETHREAD CurrentThread;
1368 BOOLEAN CopyOnOpen, EffectiveOnly;
1369 SECURITY_IMPERSONATION_LEVEL ImpersonationLevel;
1370 NTSTATUS Status;
1371 PTOKEN Token;
1372 PAGED_CODE();
1373
1374 /* Get the previous mode (only user mode is supported!) */
1375 PreviousMode = ExGetPreviousMode();
1376 ASSERT(PreviousMode != KernelMode);
1377
1378 /* Do we even need to do anything? */
1379 if (!GenerateOnClose)
1380 {
1381 /* Nothing to do, return success */
1382 return STATUS_SUCCESS;
1383 }
1384
1385 /* Capture the security subject context */
1386 SeCaptureSubjectContext(&SubjectContext);
1387
1388 /* Check for audit privilege */
1389 if (!SeCheckAuditPrivilege(&SubjectContext, PreviousMode))
1390 {
1391 DPRINT1("Caller does not have SeAuditPrivilege\n");
1392 Status = STATUS_PRIVILEGE_NOT_HELD;
1393 goto Cleanup;
1394 }
1395
1396 /* Probe and capture the subsystem name */
1397 Status = ProbeAndCaptureUnicodeString(&CapturedSubsystemName,
1398 PreviousMode,
1399 SubsystemName);
1400 if (!NT_SUCCESS(Status))
1401 {
1402 DPRINT1("Failed to capture subsystem name!\n");
1403 goto Cleanup;
1404 }
1405
1406 /* Get the current thread and check if it's impersonating */
1407 CurrentThread = PsGetCurrentThread();
1408 if (PsIsThreadImpersonating(CurrentThread))
1409 {
1410 /* Get the impersonation token */
1411 Token = PsReferenceImpersonationToken(CurrentThread,
1412 &CopyOnOpen,
1413 &EffectiveOnly,
1414 &ImpersonationLevel);
1415 UseImpersonationToken = TRUE;
1416 }
1417 else
1418 {
1419 /* Get the primary token */
1420 Token = PsReferencePrimaryToken(PsGetCurrentProcess());
1421 UseImpersonationToken = FALSE;
1422 }
1423
1424 /* Call the internal function */
1425 SepAdtCloseObjectAuditAlarm(&CapturedSubsystemName,
1426 HandleId,
1427 Token->UserAndGroups->Sid);
1428
1429 /* Release the captured subsystem name */
1430 ReleaseCapturedUnicodeString(&CapturedSubsystemName, PreviousMode);
1431
1432 /* Check what token we used */
1433 if (UseImpersonationToken)
1434 {
1435 /* Release impersonation token */
1436 PsDereferenceImpersonationToken(Token);
1437 }
1438 else
1439 {
1440 /* Release primary token */
1441 PsDereferencePrimaryToken(Token);
1442 }
1443
1444 Status = STATUS_SUCCESS;
1445
1446Cleanup:
1447
1448 /* Release the security subject context */
1449 SeReleaseSubjectContext(&SubjectContext);
1450
1451 return Status;
1452}
1453
1474NTSTATUS NTAPI
1475NtDeleteObjectAuditAlarm(
1476 _In_ PUNICODE_STRING SubsystemName,
1477 _In_ PVOID HandleId,
1478 _In_ BOOLEAN GenerateOnClose)
1479{
1480 UNIMPLEMENTED;
1481 return STATUS_NOT_IMPLEMENTED;
1482}
1483
1533VOID
1534NTAPI
1535SepOpenObjectAuditAlarm(
1536 _In_ PSECURITY_SUBJECT_CONTEXT SubjectContext,
1537 _In_ PUNICODE_STRING SubsystemName,
1538 _In_opt_ PVOID HandleId,
1539 _In_ PUNICODE_STRING ObjectTypeName,
1540 _In_ PUNICODE_STRING ObjectName,
1541 _In_opt_ PSECURITY_DESCRIPTOR SecurityDescriptor,
1542 _In_ PTOKEN ClientToken,
1543 _In_ ACCESS_MASK DesiredAccess,
1544 _In_ ACCESS_MASK GrantedAccess,
1545 _In_opt_ PPRIVILEGE_SET Privileges,
1546 _In_ BOOLEAN ObjectCreation,
1547 _In_ BOOLEAN AccessGranted,
1548 _Out_ PBOOLEAN GenerateOnClose)
1549{
1550 DBG_UNREFERENCED_PARAMETER(SubjectContext);
1551 DBG_UNREFERENCED_PARAMETER(SubsystemName);
1552 DBG_UNREFERENCED_PARAMETER(HandleId);
1553 DBG_UNREFERENCED_PARAMETER(ObjectTypeName);
1554 DBG_UNREFERENCED_PARAMETER(ObjectName);
1555 DBG_UNREFERENCED_PARAMETER(SecurityDescriptor);
1556 DBG_UNREFERENCED_PARAMETER(ClientToken);
1557 DBG_UNREFERENCED_PARAMETER(DesiredAccess);
1558 DBG_UNREFERENCED_PARAMETER(GrantedAccess);
1559 DBG_UNREFERENCED_PARAMETER(Privileges);
1560 DBG_UNREFERENCED_PARAMETER(ObjectCreation);
1561 DBG_UNREFERENCED_PARAMETER(AccessGranted);
1562 UNIMPLEMENTED;
1563 *GenerateOnClose = FALSE;
1564}
1565
1619__kernel_entry
1620NTSTATUS
1621NTAPI
1622NtOpenObjectAuditAlarm(
1623 _In_ PUNICODE_STRING SubsystemName,
1624 _In_opt_ PVOID HandleId,
1625 _In_ PUNICODE_STRING ObjectTypeName,
1626 _In_ PUNICODE_STRING ObjectName,
1627 _In_opt_ PSECURITY_DESCRIPTOR SecurityDescriptor,
1628 _In_ HANDLE ClientTokenHandle,
1629 _In_ ACCESS_MASK DesiredAccess,
1630 _In_ ACCESS_MASK GrantedAccess,
1631 _In_opt_ PPRIVILEGE_SET PrivilegeSet,
1632 _In_ BOOLEAN ObjectCreation,
1633 _In_ BOOLEAN AccessGranted,
1634 _Out_ PBOOLEAN GenerateOnClose)
1635{
1636 PTOKEN ClientToken;
1637 PSECURITY_DESCRIPTOR CapturedSecurityDescriptor;
1638 UNICODE_STRING CapturedSubsystemName, CapturedObjectTypeName, CapturedObjectName;
1639 ULONG PrivilegeCount, PrivilegeSetSize;
1640 volatile PPRIVILEGE_SET CapturedPrivilegeSet;
1641 BOOLEAN LocalGenerateOnClose;
1642 PVOID CapturedHandleId;
1643 SECURITY_SUBJECT_CONTEXT SubjectContext;
1644 NTSTATUS Status;
1645 PAGED_CODE();
1646
1647 /* Only user mode is supported! */
1648 ASSERT(ExGetPreviousMode() != KernelMode);
1649
1650 /* Start clean */
1651 ClientToken = NULL;
1652 CapturedSecurityDescriptor = NULL;
1653 CapturedPrivilegeSet = NULL;
1654 CapturedSubsystemName.Buffer = NULL;
1655 CapturedObjectTypeName.Buffer = NULL;
1656 CapturedObjectName.Buffer = NULL;
1657
1658 /* Reference the client token */
1659 Status = ObReferenceObjectByHandle(ClientTokenHandle,
1660 TOKEN_QUERY,
1661 SeTokenObjectType,
1662 UserMode,
1663 (PVOID*)&ClientToken,
1664 NULL);
1665 if (!NT_SUCCESS(Status))
1666 {
1667 DPRINT1("Failed to reference token handle %p: %lx\n",
1668 ClientTokenHandle, Status);
1669 return Status;
1670 }
1671
1672 /* Capture the security subject context */
1673 SeCaptureSubjectContext(&SubjectContext);
1674
1675 /* Validate the token's impersonation level */
1676 if ((ClientToken->TokenType == TokenImpersonation) &&
1677 (ClientToken->ImpersonationLevel < SecurityIdentification))
1678 {
1679 DPRINT1("Invalid impersonation level (%u)\n", ClientToken->ImpersonationLevel);
1680 Status = STATUS_BAD_IMPERSONATION_LEVEL;
1681 goto Cleanup;
1682 }
1683
1684 /* Check for audit privilege */
1685 if (!SeCheckAuditPrivilege(&SubjectContext, UserMode))
1686 {
1687 DPRINT1("Caller does not have SeAuditPrivilege\n");
1688 Status = STATUS_PRIVILEGE_NOT_HELD;
1689 goto Cleanup;
1690 }
1691
1692 /* Check for NULL SecurityDescriptor */
1693 if (SecurityDescriptor == NULL)
1694 {
1695 /* Nothing to do */
1696 Status = STATUS_SUCCESS;
1697 goto Cleanup;
1698 }
1699
1700 /* Capture the security descriptor */
1701 Status = SeCaptureSecurityDescriptor(SecurityDescriptor,
1702 UserMode,
1703 PagedPool,
1704 FALSE,
1705 &CapturedSecurityDescriptor);
1706 if (!NT_SUCCESS(Status))
1707 {
1708 DPRINT1("Failed to capture security descriptor!\n");
1709 goto Cleanup;
1710 }
1711
1712 _SEH2_TRY
1713 {
1714 /* Check if we have a privilege set */
1715 if (PrivilegeSet != NULL)
1716 {
1717 /* Probe the basic privilege set structure */
1718 ProbeForRead(PrivilegeSet, sizeof(PRIVILEGE_SET), sizeof(ULONG));
1719
1720 /* Validate privilege count */
1721 PrivilegeCount = PrivilegeSet->PrivilegeCount;
1722 if (PrivilegeCount > SEP_PRIVILEGE_SET_MAX_COUNT)
1723 {
1724 Status = STATUS_INVALID_PARAMETER;
1725 _SEH2_YIELD(goto Cleanup);
1726 }
1727
1728 /* Calculate the size of the PrivilegeSet structure */
1729 PrivilegeSetSize = FIELD_OFFSET(PRIVILEGE_SET, Privilege[PrivilegeCount]);
1730
1731 /* Probe the whole structure */
1732 ProbeForRead(PrivilegeSet, PrivilegeSetSize, sizeof(ULONG));
1733
1734 /* Allocate a temp buffer */
1735 CapturedPrivilegeSet = ExAllocatePoolWithTag(PagedPool,
1736 PrivilegeSetSize,
1737 TAG_PRIVILEGE_SET);
1738 if (CapturedPrivilegeSet == NULL)
1739 {
1740 DPRINT1("Failed to allocate %u bytes\n", PrivilegeSetSize);
1741 Status = STATUS_INSUFFICIENT_RESOURCES;
1742 _SEH2_YIELD(goto Cleanup);
1743 }
1744
1745 /* Copy the privileges */
1746 RtlCopyMemory(CapturedPrivilegeSet, PrivilegeSet, PrivilegeSetSize);
1747 }
1748
1749 if (HandleId != NULL)
1750 {
1751 ProbeForRead(HandleId, sizeof(PVOID), sizeof(PVOID));
1752 CapturedHandleId = *(PVOID*)HandleId;
1753 }
1754
1755 ProbeForWrite(GenerateOnClose, sizeof(BOOLEAN), sizeof(BOOLEAN));
1756 }
1757 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
1758 {
1759 Status = _SEH2_GetExceptionCode();
1760 DPRINT1("Exception while probing parameters: 0x%lx\n", Status);
1761 _SEH2_YIELD(goto Cleanup);
1762 }
1763 _SEH2_END;
1764
1765 /* Probe and capture the subsystem name */
1766 Status = ProbeAndCaptureUnicodeString(&CapturedSubsystemName,
1767 UserMode,
1768 SubsystemName);
1769 if (!NT_SUCCESS(Status))
1770 {
1771 DPRINT1("Failed to capture subsystem name!\n");
1772 goto Cleanup;
1773 }
1774
1775 /* Probe and capture the object type name */
1776 Status = ProbeAndCaptureUnicodeString(&CapturedObjectTypeName,
1777 UserMode,
1778 ObjectTypeName);
1779 if (!NT_SUCCESS(Status))
1780 {
1781 DPRINT1("Failed to capture object type name!\n");
1782 goto Cleanup;
1783 }
1784
1785 /* Probe and capture the object name */
1786 Status = ProbeAndCaptureUnicodeString(&CapturedObjectName,
1787 UserMode,
1788 ObjectName);
1789 if (!NT_SUCCESS(Status))
1790 {
1791 DPRINT1("Failed to capture object name!\n");
1792 goto Cleanup;
1793 }
1794
1795 /* Call the internal function */
1796 SepOpenObjectAuditAlarm(&SubjectContext,
1797 &CapturedSubsystemName,
1798 CapturedHandleId,
1799 &CapturedObjectTypeName,
1800 &CapturedObjectName,
1801 CapturedSecurityDescriptor,
1802 ClientToken,
1803 DesiredAccess,
1804 GrantedAccess,
1805 CapturedPrivilegeSet,
1806 ObjectCreation,
1807 AccessGranted,
1808 &LocalGenerateOnClose);
1809
1810 Status = STATUS_SUCCESS;
1811
1812 /* Enter SEH to copy the data back to user mode */
1813 _SEH2_TRY
1814 {
1815 *GenerateOnClose = LocalGenerateOnClose;
1816 }
1817 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
1818 {
1819 Status = _SEH2_GetExceptionCode();
1820 DPRINT1("Exception while copying back data: 0x%lx\n", Status);
1821 }
1822 _SEH2_END;
1823
1824Cleanup:
1825
1826 if (CapturedObjectName.Buffer != NULL)
1827 ReleaseCapturedUnicodeString(&CapturedObjectName, UserMode);
1828
1829 if (CapturedObjectTypeName.Buffer != NULL)
1830 ReleaseCapturedUnicodeString(&CapturedObjectTypeName, UserMode);
1831
1832 if (CapturedSubsystemName.Buffer != NULL)
1833 ReleaseCapturedUnicodeString(&CapturedSubsystemName, UserMode);
1834
1835 if (CapturedSecurityDescriptor != NULL)
1836 SeReleaseSecurityDescriptor(CapturedSecurityDescriptor, UserMode, FALSE);
1837
1838 if (CapturedPrivilegeSet != NULL)
1839 ExFreePoolWithTag(CapturedPrivilegeSet, TAG_PRIVILEGE_SET);
1840
1841 /* Release the security subject context */
1842 SeReleaseSubjectContext(&SubjectContext);
1843
1844 ObDereferenceObject(ClientToken);
1845
1846 return Status;
1847}
1848
1880__kernel_entry
1881NTSTATUS
1882NTAPI
1883NtPrivilegedServiceAuditAlarm(
1884 _In_opt_ PUNICODE_STRING SubsystemName,
1885 _In_opt_ PUNICODE_STRING ServiceName,
1886 _In_ HANDLE ClientTokenHandle,
1887 _In_ PPRIVILEGE_SET Privileges,
1888 _In_ BOOLEAN AccessGranted)
1889{
1890 KPROCESSOR_MODE PreviousMode;
1891 PTOKEN ClientToken;
1892 volatile PPRIVILEGE_SET CapturedPrivileges = NULL;
1893 UNICODE_STRING CapturedSubsystemName;
1894 UNICODE_STRING CapturedServiceName;
1895 ULONG PrivilegeCount, PrivilegesSize;
1896 SECURITY_SUBJECT_CONTEXT SubjectContext;
1897 NTSTATUS Status;
1898 PAGED_CODE();
1899
1900 /* Get the previous mode (only user mode is supported!) */
1901 PreviousMode = ExGetPreviousMode();
1902 ASSERT(PreviousMode != KernelMode);
1903
1904 CapturedSubsystemName.Buffer = NULL;
1905 CapturedServiceName.Buffer = NULL;
1906
1907 /* Reference the client token */
1908 Status = ObReferenceObjectByHandle(ClientTokenHandle,
1909 TOKEN_QUERY,
1910 SeTokenObjectType,
1911 PreviousMode,
1912 (PVOID*)&ClientToken,
1913 NULL);
1914 if (!NT_SUCCESS(Status))
1915 {
1916 DPRINT1("Failed to reference client token: 0x%lx\n", Status);
1917 return Status;
1918 }
1919
1920 /* Validate the token's impersonation level */
1921 if ((ClientToken->TokenType == TokenImpersonation) &&
1922 (ClientToken->ImpersonationLevel < SecurityIdentification))
1923 {
1924 DPRINT1("Invalid impersonation level (%u)\n", ClientToken->ImpersonationLevel);
1925 ObDereferenceObject(ClientToken);
1926 return STATUS_BAD_IMPERSONATION_LEVEL;
1927 }
1928
1929 /* Capture the security subject context */
1930 SeCaptureSubjectContext(&SubjectContext);
1931
1932 /* Check for audit privilege */
1933 if (!SeCheckAuditPrivilege(&SubjectContext, PreviousMode))
1934 {
1935 DPRINT1("Caller does not have SeAuditPrivilege\n");
1936 Status = STATUS_PRIVILEGE_NOT_HELD;
1937 goto Cleanup;
1938 }
1939
1940 /* Do we have a subsystem name? */
1941 if (SubsystemName != NULL)
1942 {
1943 /* Probe and capture the subsystem name */
1944 Status = ProbeAndCaptureUnicodeString(&CapturedSubsystemName,
1945 PreviousMode,
1946 SubsystemName);
1947 if (!NT_SUCCESS(Status))
1948 {
1949 DPRINT1("Failed to capture subsystem name!\n");
1950 goto Cleanup;
1951 }
1952 }
1953
1954 /* Do we have a service name? */
1955 if (ServiceName != NULL)
1956 {
1957 /* Probe and capture the service name */
1958 Status = ProbeAndCaptureUnicodeString(&CapturedServiceName,
1959 PreviousMode,
1960 ServiceName);
1961 if (!NT_SUCCESS(Status))
1962 {
1963 DPRINT1("Failed to capture service name!\n");
1964 goto Cleanup;
1965 }
1966 }
1967
1968 _SEH2_TRY
1969 {
1970 /* Probe the basic privilege set structure */
1971 ProbeForRead(Privileges, sizeof(PRIVILEGE_SET), sizeof(ULONG));
1972
1973 /* Validate privilege count */
1974 PrivilegeCount = Privileges->PrivilegeCount;
1975 if (PrivilegeCount > SEP_PRIVILEGE_SET_MAX_COUNT)
1976 {
1977 Status = STATUS_INVALID_PARAMETER;
1978 _SEH2_YIELD(goto Cleanup);
1979 }
1980
1981 /* Calculate the size of the Privileges structure */
1982 PrivilegesSize = FIELD_OFFSET(PRIVILEGE_SET, Privilege[PrivilegeCount]);
1983
1984 /* Probe the whole structure */
1985 ProbeForRead(Privileges, PrivilegesSize, sizeof(ULONG));
1986
1987 /* Allocate a temp buffer */
1988 CapturedPrivileges = ExAllocatePoolWithTag(PagedPool,
1989 PrivilegesSize,
1990 TAG_PRIVILEGE_SET);
1991 if (CapturedPrivileges == NULL)
1992 {
1993 DPRINT1("Failed to allocate %u bytes\n", PrivilegesSize);
1994 Status = STATUS_INSUFFICIENT_RESOURCES;
1995 _SEH2_YIELD(goto Cleanup);
1996 }
1997
1998 /* Copy the privileges */
1999 RtlCopyMemory(CapturedPrivileges, Privileges, PrivilegesSize);
2000 }
2001 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
2002 {
2003 Status = _SEH2_GetExceptionCode();
2004 DPRINT1("Got exception 0x%lx\n", Status);
2005 _SEH2_YIELD(goto Cleanup);
2006 }
2007 _SEH2_END;
2008
2009 /* Call the internal function */
2010 SepAdtPrivilegedServiceAuditAlarm(&SubjectContext,
2011 SubsystemName ? &CapturedSubsystemName : NULL,
2012 ServiceName ? &CapturedServiceName : NULL,
2013 ClientToken,
2014 SubjectContext.PrimaryToken,
2015 CapturedPrivileges,
2016 AccessGranted);
2017
2018 Status = STATUS_SUCCESS;
2019
2020Cleanup:
2021 /* Cleanup resources */
2022 if (CapturedSubsystemName.Buffer != NULL)
2023 ReleaseCapturedUnicodeString(&CapturedSubsystemName, PreviousMode);
2024
2025 if (CapturedServiceName.Buffer != NULL)
2026 ReleaseCapturedUnicodeString(&CapturedServiceName, PreviousMode);
2027
2028 if (CapturedPrivileges != NULL)
2029 ExFreePoolWithTag(CapturedPrivileges, TAG_PRIVILEGE_SET);
2030
2031 /* Release the security subject context */
2032 SeReleaseSubjectContext(&SubjectContext);
2033
2034 ObDereferenceObject(ClientToken);
2035
2036 return Status;
2037}
2038
2065NTSTATUS NTAPI
2066NtPrivilegeObjectAuditAlarm(
2067 _In_ PUNICODE_STRING SubsystemName,
2068 _In_ PVOID HandleId,
2069 _In_ HANDLE ClientToken,
2070 _In_ ULONG DesiredAccess,
2071 _In_ PPRIVILEGE_SET Privileges,
2072 _In_ BOOLEAN AccessGranted)
2073{
2074 UNIMPLEMENTED;
2075 return STATUS_NOT_IMPLEMENTED;
2076}
2077
2121_Must_inspect_result_
2122__kernel_entry
2123NTSTATUS
2124NTAPI
2125NtAccessCheckAndAuditAlarm(
2126 _In_ PUNICODE_STRING SubsystemName,
2127 _In_opt_ PVOID HandleId,
2128 _In_ PUNICODE_STRING ObjectTypeName,
2129 _In_ PUNICODE_STRING ObjectName,
2130 _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
2131 _In_ ACCESS_MASK DesiredAccess,
2132 _In_ PGENERIC_MAPPING GenericMapping,
2133 _In_ BOOLEAN ObjectCreation,
2134 _Out_ PACCESS_MASK GrantedAccess,
2135 _Out_ PNTSTATUS AccessStatus,
2136 _Out_ PBOOLEAN GenerateOnClose)
2137{
2138 /* Call the internal function */
2139 return SepAccessCheckAndAuditAlarm(SubsystemName,
2140 HandleId,
2141 NULL,
2142 ObjectTypeName,
2143 ObjectName,
2144 SecurityDescriptor,
2145 NULL,
2146 DesiredAccess,
2147 AuditEventObjectAccess,
2148 0,
2149 NULL,
2150 0,
2151 GenericMapping,
2152 GrantedAccess,
2153 AccessStatus,
2154 GenerateOnClose,
2155 FALSE);
2156}
2157
2218_Must_inspect_result_
2219__kernel_entry
2220NTSTATUS
2221NTAPI
2222NtAccessCheckByTypeAndAuditAlarm(
2223 _In_ PUNICODE_STRING SubsystemName,
2224 _In_opt_ PVOID HandleId,
2225 _In_ PUNICODE_STRING ObjectTypeName,
2226 _In_ PUNICODE_STRING ObjectName,
2227 _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
2228 _In_opt_ PSID PrincipalSelfSid,
2229 _In_ ACCESS_MASK DesiredAccess,
2230 _In_ AUDIT_EVENT_TYPE AuditType,
2231 _In_ ULONG Flags,
2232 _In_reads_opt_(ObjectTypeLength) POBJECT_TYPE_LIST ObjectTypeList,
2233 _In_ ULONG ObjectTypeLength,
2234 _In_ PGENERIC_MAPPING GenericMapping,
2235 _In_ BOOLEAN ObjectCreation,
2236 _Out_ PACCESS_MASK GrantedAccess,
2237 _Out_ PNTSTATUS AccessStatus,
2238 _Out_ PBOOLEAN GenerateOnClose)
2239{
2240 /* Call the internal function */
2241 return SepAccessCheckAndAuditAlarm(SubsystemName,
2242 HandleId,
2243 NULL,
2244 ObjectTypeName,
2245 ObjectName,
2246 SecurityDescriptor,
2247 PrincipalSelfSid,
2248 DesiredAccess,
2249 AuditType,
2250 Flags,
2251 ObjectTypeList,
2252 ObjectTypeLength,
2253 GenericMapping,
2254 GrantedAccess,
2255 AccessStatus,
2256 GenerateOnClose,
2257 FALSE);
2258}
2259
2320_Must_inspect_result_
2321__kernel_entry
2322NTSTATUS
2323NTAPI
2324NtAccessCheckByTypeResultListAndAuditAlarm(
2325 _In_ PUNICODE_STRING SubsystemName,
2326 _In_opt_ PVOID HandleId,
2327 _In_ PUNICODE_STRING ObjectTypeName,
2328 _In_ PUNICODE_STRING ObjectName,
2329 _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
2330 _In_opt_ PSID PrincipalSelfSid,
2331 _In_ ACCESS_MASK DesiredAccess,
2332 _In_ AUDIT_EVENT_TYPE AuditType,
2333 _In_ ULONG Flags,
2334 _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList,
2335 _In_ ULONG ObjectTypeListLength,
2336 _In_ PGENERIC_MAPPING GenericMapping,
2337 _In_ BOOLEAN ObjectCreation,
2338 _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccessList,
2339 _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatusList,
2340 _Out_ PBOOLEAN GenerateOnClose)
2341{
2342 /* Call the internal function */
2343 return SepAccessCheckAndAuditAlarm(SubsystemName,
2344 HandleId,
2345 NULL,
2346 ObjectTypeName,
2347 ObjectName,
2348 SecurityDescriptor,
2349 PrincipalSelfSid,
2350 DesiredAccess,
2351 AuditType,
2352 Flags,
2353 ObjectTypeList,
2354 ObjectTypeListLength,
2355 GenericMapping,
2356 GrantedAccessList,
2357 AccessStatusList,
2358 GenerateOnClose,
2359 TRUE);
2360}
2361
2426_Must_inspect_result_
2427__kernel_entry
2428NTSTATUS
2429NTAPI
2430NtAccessCheckByTypeResultListAndAuditAlarmByHandle(
2431 _In_ PUNICODE_STRING SubsystemName,
2432 _In_opt_ PVOID HandleId,
2433 _In_ HANDLE ClientToken,
2434 _In_ PUNICODE_STRING ObjectTypeName,
2435 _In_ PUNICODE_STRING ObjectName,
2436 _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
2437 _In_opt_ PSID PrincipalSelfSid,
2438 _In_ ACCESS_MASK DesiredAccess,
2439 _In_ AUDIT_EVENT_TYPE AuditType,
2440 _In_ ULONG Flags,
2441 _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList,
2442 _In_ ULONG ObjectTypeListLength,
2443 _In_ PGENERIC_MAPPING GenericMapping,
2444 _In_ BOOLEAN ObjectCreation,
2445 _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccessList,
2446 _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatusList,
2447 _Out_ PBOOLEAN GenerateOnClose)
2448{
2449 UNREFERENCED_PARAMETER(ObjectCreation);
2450
2451 /* Call the internal function */
2452 return SepAccessCheckAndAuditAlarm(SubsystemName,
2453 HandleId,
2454 &ClientToken,
2455 ObjectTypeName,
2456 ObjectName,
2457 SecurityDescriptor,
2458 PrincipalSelfSid,
2459 DesiredAccess,
2460 AuditType,
2461 Flags,
2462 ObjectTypeList,
2463 ObjectTypeListLength,
2464 GenericMapping,
2465 GrantedAccessList,
2466 AccessStatusList,
2467 GenerateOnClose,
2468 TRUE);
2469}
2470
2471/* EOF */
PAGED_CODE
#define PAGED_CODE()
Definition: Bus_PDO_EvalMethod.c:87
STATUS_PRIVILEGE_NOT_HELD
#define STATUS_PRIVILEGE_NOT_HELD
Definition: DriverTester.h:9
ReturnLength
_In_ PVOID _In_ ULONG _Out_ PVOID _In_ ULONG _Inout_ PULONG ReturnLength
Definition: KdSystemDebugControl.c:34
PreviousMode
_In_ PVOID _In_ ULONG _Out_ PVOID _In_ ULONG _Inout_ PULONG _In_ KPROCESSOR_MODE PreviousMode
Definition: KdSystemDebugControl.c:35
BOOLEAN
unsigned char BOOLEAN
Definition: ProcessorBind.h:185
GenericMapping
static GENERIC_MAPPING GenericMapping
Definition: SeInheritance.c:11
NTSTATUS
LONG NTSTATUS
Definition: precomp.h:26
DPRINT1
#define DPRINT1
Definition: precomp.h:8
ServiceName
static WCHAR ServiceName[]
Definition: browser.c:19
UNIMPLEMENTED
#define UNIMPLEMENTED
Definition: ntoskrnl.c:15
STATUS_NO_MEMORY
#define STATUS_NO_MEMORY
Definition: d3dkmdt.h:51
STATUS_NOT_IMPLEMENTED
#define STATUS_NOT_IMPLEMENTED
Definition: d3dkmdt.h:42
NULL
#define NULL
Definition: types.h:112
TRUE
#define TRUE
Definition: types.h:120
FALSE
#define FALSE
Definition: types.h:117
NT_SUCCESS
#define NT_SUCCESS(StatCode)
Definition: apphelp.c:33
GENERIC_READ
#define GENERIC_READ
Definition: compat.h:135
Cleanup
static const WCHAR Cleanup[]
Definition: register.c:80
L
#define L(x)
Definition: resources.c:13
ExAllocatePoolWithTag
#define ExAllocatePoolWithTag(hernya, size, tag)
Definition: env_spec_w32.h:350
PsGetCurrentThread
#define PsGetCurrentThread()
Definition: env_spec_w32.h:81
ExFreePool
#define ExFreePool(addr)
Definition: env_spec_w32.h:352
NonPagedPool
#define NonPagedPool
Definition: env_spec_w32.h:307
PagedPool
#define PagedPool
Definition: env_spec_w32.h:308
ExGetPreviousMode
#define ExGetPreviousMode
Definition: ex.h:143
ProbeForRead
VOID NTAPI ProbeForRead(IN CONST VOID *Address, IN SIZE_T Length, IN ULONG Alignment)
Definition: exintrin.c:102
ProbeForWrite
VOID NTAPI ProbeForWrite(IN PVOID Address, IN SIZE_T Length, IN ULONG Alignment)
Definition: exintrin.c:143
SubjectContext
_Inout_ PLIST_ENTRY _In_ PVOID _In_ PSTRING _In_ BOOLEAN _In_ BOOLEAN _In_ ULONG _In_ PFLT_CALLBACK_DATA _In_opt_ PCHECK_FOR_TRAVERSE_ACCESS _In_opt_ PSECURITY_SUBJECT_CONTEXT SubjectContext
Definition: fltkernel.h:2246
Process
_Must_inspect_result_ _In_ PLARGE_INTEGER _In_ PLARGE_INTEGER _In_ ULONG _In_ PFILE_OBJECT _In_ PVOID Process
Definition: fsrtlfuncs.h:223
Handle
ULONG Handle
Definition: gdb_input.c:15
Status
Status
Definition: gdiplustypes.h:25
i
GLsizei GLenum const GLvoid GLsizei GLenum GLbyte GLbyte GLbyte GLdouble GLdouble GLdouble GLfloat GLfloat GLfloat GLint GLint GLint GLshort GLshort GLshort GLubyte GLubyte GLubyte GLuint GLuint GLuint GLushort GLushort GLushort GLbyte GLbyte GLbyte GLbyte GLdouble GLdouble GLdouble GLdouble GLfloat GLfloat GLfloat GLfloat GLint GLint GLint GLint GLshort GLshort GLshort GLshort GLubyte GLubyte GLubyte GLubyte GLuint GLuint GLuint GLuint GLushort GLushort GLushort GLushort GLboolean const GLdouble const GLfloat const GLint const GLshort const GLbyte const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLdouble const GLfloat const GLfloat const GLint const GLint const GLshort const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort GLenum GLenum GLenum GLfloat GLenum GLint GLenum GLenum GLenum GLfloat GLenum GLenum GLint GLenum GLfloat GLenum GLint GLint GLushort GLenum GLenum GLfloat GLenum GLenum GLint GLfloat const GLubyte GLenum GLenum GLenum const GLfloat GLenum GLenum const GLint GLenum GLint GLint GLsizei GLsizei GLint GLenum GLenum const GLvoid GLenum GLenum const GLfloat GLenum GLenum const GLint GLenum GLenum const GLdouble GLenum GLenum const GLfloat GLenum GLenum const GLint GLsizei GLuint GLfloat GLuint GLbitfield GLfloat GLint GLuint GLboolean GLenum GLfloat GLenum GLbitfield GLenum GLfloat GLfloat GLint GLint const GLfloat GLenum GLfloat GLfloat GLint GLint GLfloat GLfloat GLint GLint const GLfloat GLint GLfloat GLfloat GLint GLfloat GLfloat GLint GLfloat GLfloat const GLdouble const GLfloat const GLdouble const GLfloat GLint i
Definition: glfuncs.h:248
EXCEPTION_EXECUTE_HANDLER
#define EXCEPTION_EXECUTE_HANDLER
Definition: excpt.h:90
InterlockedCompareExchangePointer
#define InterlockedCompareExchangePointer
Definition: interlocked.h:144
SECURITY_IMPERSONATION_LEVEL
enum _SECURITY_IMPERSONATION_LEVEL SECURITY_IMPERSONATION_LEVEL
SecurityIdentification
@ SecurityIdentification
Definition: lsa.idl:56
ASSERT
#define ASSERT(a)
Definition: mode.c:44
ExFreePoolWithTag
#define ExFreePoolWithTag(_P, _T)
Definition: module.h:1109
TokenImpersonation
@ TokenImpersonation
Definition: imports.h:274
PsDereferencePrimaryToken
#define PsDereferencePrimaryToken(T)
Definition: imports.h:301
PsDereferenceImpersonationToken
#define PsDereferenceImpersonationToken(T)
Definition: imports.h:298
PNTSTATUS
* PNTSTATUS
Definition: strlen.c:14
ObjectTypeName
static POBJECTS_AND_NAME_A SE_OBJECT_TYPE LPSTR ObjectTypeName
Definition: security.c:79
ImageName
static const char * ImageName
Definition: image.c:34
KernelMode
#define KernelMode
Definition: asm.h:38
UserMode
#define UserMode
Definition: asm.h:39
Sid
_In_ ULONG _In_ ACCESS_MASK _In_ PSID Sid
Definition: rtlfuncs.h:1157
RtlEqualSid
NTSYSAPI BOOLEAN NTAPI RtlEqualSid(_In_ PSID Sid1, _In_ PSID Sid2)
EffectiveOnly
_In_ ACCESS_MASK _In_opt_ POBJECT_ATTRIBUTES _In_ BOOLEAN EffectiveOnly
Definition: sefuncs.h:410
_Must_inspect_result_
#define _Must_inspect_result_
Definition: no_sal2.h:62
_Out_writes_
#define _Out_writes_(s)
Definition: no_sal2.h:176
_Out_
#define _Out_
Definition: no_sal2.h:160
_In_reads_opt_
#define _In_reads_opt_(s)
Definition: no_sal2.h:222
_In_
#define _In_
Definition: no_sal2.h:158
_In_opt_
#define _In_opt_
Definition: no_sal2.h:212
ACCESS_MASK
ULONG ACCESS_MASK
Definition: nt_native.h:40
PACCESS_MASK
ACCESS_MASK * PACCESS_MASK
Definition: nt_native.h:41
OBJECT_NAME_INFORMATION
struct _OBJECT_NAME_INFORMATION OBJECT_NAME_INFORMATION
GENERIC_ALL
#define GENERIC_ALL
Definition: nt_native.h:92
GENERIC_WRITE
#define GENERIC_WRITE
Definition: nt_native.h:90
GENERIC_EXECUTE
#define GENERIC_EXECUTE
Definition: nt_native.h:91
DBG_UNREFERENCED_PARAMETER
#define DBG_UNREFERENCED_PARAMETER(P)
Definition: ntbasedef.h:330
UNREFERENCED_PARAMETER
#define UNREFERENCED_PARAMETER(P)
Definition: ntbasedef.h:329
SeLocalSystemSid
PSID SeLocalSystemSid
Definition: sid.c:38
SepReleaseSid
VOID NTAPI SepReleaseSid(_In_ PSID CapturedSid, _In_ KPROCESSOR_MODE AccessMode, _In_ BOOLEAN CaptureIfKernel)
Releases a captured SID.
Definition: sid.c:400
SepCaptureSid
NTSTATUS NTAPI SepCaptureSid(_In_ PSID InputSid, _In_ KPROCESSOR_MODE AccessMode, _In_ POOL_TYPE PoolType, _In_ BOOLEAN CaptureIfKernel, _Out_ PSID *CapturedSid)
Captures a SID.
Definition: sid.c:314
SeReleaseObjectTypeList
VOID SeReleaseObjectTypeList(_In_ _Post_invalid_ POBJECT_TYPE_LIST_INTERNAL CapturedObjectTypeList, _In_ KPROCESSOR_MODE PreviousMode)
Releases a buffer list of object types.
Definition: objtype.c:378
SeCaptureObjectTypeList
NTSTATUS SeCaptureObjectTypeList(_In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList, _In_ ULONG ObjectTypeListLength, _In_ KPROCESSOR_MODE PreviousMode, _Out_ POBJECT_TYPE_LIST_INTERNAL *CapturedObjectTypeList)
Captures a list of object types and converts it to an internal form for use by the kernel....
Definition: objtype.c:282
SepGetOwnerFromDescriptor
FORCEINLINE PSID SepGetOwnerFromDescriptor(_Inout_ PSECURITY_DESCRIPTOR _Descriptor)
Definition: se.h:109
SeCheckAuditPrivilege
BOOLEAN NTAPI SeCheckAuditPrivilege(_In_ PSECURITY_SUBJECT_CONTEXT SubjectContext, _In_ KPROCESSOR_MODE PreviousMode)
Checks a single privilege and performs an audit against a privileged service based on a security subj...
Definition: priv.c:360
SepGetGroupFromDescriptor
FORCEINLINE PSID SepGetGroupFromDescriptor(_Inout_ PSECURITY_DESCRIPTOR _Descriptor)
Definition: se.h:89
PsReferencePrimaryToken
PACCESS_TOKEN NTAPI PsReferencePrimaryToken(PEPROCESS Process)
Definition: security.c:440
PsReferenceImpersonationToken
PACCESS_TOKEN NTAPI PsReferenceImpersonationToken(IN PETHREAD Thread, OUT PBOOLEAN CopyOnOpen, OUT PBOOLEAN EffectiveOnly, OUT PSECURITY_IMPERSONATION_LEVEL ImpersonationLevel)
Definition: security.c:871
PsIsThreadImpersonating
BOOLEAN NTAPI PsIsThreadImpersonating(IN PETHREAD Thread)
Definition: thread.c:888
SEP_PRIVILEGE_SET_MAX_COUNT
#define SEP_PRIVILEGE_SET_MAX_COUNT
Definition: audit.c:15
SepOpenObjectAuditAlarm
VOID NTAPI SepOpenObjectAuditAlarm(_In_ PSECURITY_SUBJECT_CONTEXT SubjectContext, _In_ PUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ PUNICODE_STRING ObjectTypeName, _In_ PUNICODE_STRING ObjectName, _In_opt_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ PTOKEN ClientToken, _In_ ACCESS_MASK DesiredAccess, _In_ ACCESS_MASK GrantedAccess, _In_opt_ PPRIVILEGE_SET Privileges, _In_ BOOLEAN ObjectCreation, _In_ BOOLEAN AccessGranted, _Out_ PBOOLEAN GenerateOnClose)
Raises an alarm audit message when an object is about to be opened.
Definition: audit.c:1535
SeAuditingFileOrGlobalEvents
BOOLEAN NTAPI SeAuditingFileOrGlobalEvents(_In_ BOOLEAN AccessGranted, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext)
Determines whether auditing against files or global events with subject context is being done or not.
Definition: audit.c:1111
NtAccessCheckByTypeResultListAndAuditAlarmByHandle
_Must_inspect_result_ __kernel_entry NTSTATUS NTAPI NtAccessCheckByTypeResultListAndAuditAlarmByHandle(_In_ PUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ HANDLE ClientToken, _In_ PUNICODE_STRING ObjectTypeName, _In_ PUNICODE_STRING ObjectName, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_opt_ PSID PrincipalSelfSid, _In_ ACCESS_MASK DesiredAccess, _In_ AUDIT_EVENT_TYPE AuditType, _In_ ULONG Flags, _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList, _In_ ULONG ObjectTypeListLength, _In_ PGENERIC_MAPPING GenericMapping, _In_ BOOLEAN ObjectCreation, _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccessList, _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatusList, _Out_ PBOOLEAN GenerateOnClose)
Raises an alarm audit message when a caller attempts to access an object and determine if the access ...
Definition: audit.c:2430
SepAdtCloseObjectAuditAlarm
VOID NTAPI SepAdtCloseObjectAuditAlarm(_In_ PUNICODE_STRING SubsystemName, _In_ PVOID HandleId, _In_ PSID Sid)
Closes an audit alarm event of an object.
Definition: audit.c:287
SeSubsystemName
UNICODE_STRING SeSubsystemName
Definition: audit.c:17
SepAccessCheckAndAuditAlarmWorker
static _Must_inspect_result_ NTSTATUS SepAccessCheckAndAuditAlarmWorker(_In_ PUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ PSECURITY_SUBJECT_CONTEXT SubjectContext, _In_ PUNICODE_STRING ObjectTypeName, _In_ PUNICODE_STRING ObjectName, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_opt_ PSID PrincipalSelfSid, _In_ ACCESS_MASK DesiredAccess, _In_ AUDIT_EVENT_TYPE AuditType, _In_ BOOLEAN HaveAuditPrivilege, _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST_INTERNAL ObjectTypeList, _In_ ULONG ObjectTypeListLength, _In_ PGENERIC_MAPPING GenericMapping, _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccessList, _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatusList, _Out_ PBOOLEAN GenerateOnClose, _In_ BOOLEAN UseResultList)
Worker function that serves as the main heart and brain of the whole concept and implementation of au...
Definition: audit.c:489
SeAuditProcessExit
VOID NTAPI SeAuditProcessExit(_In_ PEPROCESS Process)
Peforms a security auditing against a process that is about to be terminated.
Definition: audit.c:77
SePrivilegedServiceAuditAlarm
VOID NTAPI SePrivilegedServiceAuditAlarm(_In_opt_ PUNICODE_STRING ServiceName, _In_ PSECURITY_SUBJECT_CONTEXT SubjectContext, _In_ PPRIVILEGE_SET PrivilegeSet, _In_ BOOLEAN AccessGranted)
Performs an audit alarm to a privileged service request.
Definition: audit.c:369
SeAuditingFileEvents
BOOLEAN NTAPI SeAuditingFileEvents(_In_ BOOLEAN AccessGranted, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor)
Determines whether auditing against file events is being done or not.
Definition: audit.c:993
SeAuditingHardLinkEvents
BOOLEAN NTAPI SeAuditingHardLinkEvents(_In_ BOOLEAN AccessGranted, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor)
Determines whether auditing against hard links events is being done or not.
Definition: audit.c:1050
SeAuditHardLinkCreation
VOID NTAPI SeAuditHardLinkCreation(_In_ PUNICODE_STRING FileName, _In_ PUNICODE_STRING LinkName, _In_ BOOLEAN bSuccess)
Performs an audit against a hard link creation.
Definition: audit.c:967
SeDeleteObjectAuditAlarm
VOID NTAPI SeDeleteObjectAuditAlarm(_In_ PVOID Object, _In_ HANDLE Handle)
Deletes an alarm audit of an object.
Definition: audit.c:1163
SePrivilegeObjectAuditAlarm
VOID NTAPI SePrivilegeObjectAuditAlarm(_In_ HANDLE Handle, _In_ PSECURITY_SUBJECT_CONTEXT SubjectContext, _In_ ACCESS_MASK DesiredAccess, _In_ PPRIVILEGE_SET Privileges, _In_ BOOLEAN AccessGranted, _In_ KPROCESSOR_MODE CurrentMode)
Raises an audit with alarm notification message when an object tries to acquire this privilege.
Definition: audit.c:1321
NtDeleteObjectAuditAlarm
NTSTATUS NTAPI NtDeleteObjectAuditAlarm(_In_ PUNICODE_STRING SubsystemName, _In_ PVOID HandleId, _In_ BOOLEAN GenerateOnClose)
Raises an alarm audit message when an object is about to be deleted.
Definition: audit.c:1475
NtAccessCheckByTypeAndAuditAlarm
_Must_inspect_result_ __kernel_entry NTSTATUS NTAPI NtAccessCheckByTypeAndAuditAlarm(_In_ PUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ PUNICODE_STRING ObjectTypeName, _In_ PUNICODE_STRING ObjectName, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_opt_ PSID PrincipalSelfSid, _In_ ACCESS_MASK DesiredAccess, _In_ AUDIT_EVENT_TYPE AuditType, _In_ ULONG Flags, _In_reads_opt_(ObjectTypeLength) POBJECT_TYPE_LIST ObjectTypeList, _In_ ULONG ObjectTypeLength, _In_ PGENERIC_MAPPING GenericMapping, _In_ BOOLEAN ObjectCreation, _Out_ PACCESS_MASK GrantedAccess, _Out_ PNTSTATUS AccessStatus, _Out_ PBOOLEAN GenerateOnClose)
Raises an alarm audit message when a caller attempts to access an object and determine if the access ...
Definition: audit.c:2222
SeAuditingFileEventsWithContext
BOOLEAN NTAPI SeAuditingFileEventsWithContext(_In_ BOOLEAN AccessGranted, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_opt_ PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext)
Determines whether auditing against file events with subject context is being done or not.
Definition: audit.c:1023
SeAuditingHardLinkEventsWithContext
BOOLEAN NTAPI SeAuditingHardLinkEventsWithContext(_In_ BOOLEAN AccessGranted, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_opt_ PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext)
Determines whether auditing against hard links events with subject context is being done or not.
Definition: audit.c:1080
SeOpenObjectAuditAlarm
VOID NTAPI SeOpenObjectAuditAlarm(_In_ PUNICODE_STRING ObjectTypeName, _In_opt_ PVOID Object, _In_opt_ PUNICODE_STRING AbsoluteObjectName, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ PACCESS_STATE AccessState, _In_ BOOLEAN ObjectCreated, _In_ BOOLEAN AccessGranted, _In_ KPROCESSOR_MODE AccessMode, _Out_ PBOOLEAN GenerateOnClose)
Creates an audit with alarm notification of an object that is being opened.
Definition: audit.c:1213
SeLocateProcessImageName
NTSTATUS NTAPI SeLocateProcessImageName(_In_ PEPROCESS Process, _Out_ PUNICODE_STRING *ProcessImageName)
Finds the process image name of a specific process.
Definition: audit.c:199
NtPrivilegedServiceAuditAlarm
__kernel_entry NTSTATUS NTAPI NtPrivilegedServiceAuditAlarm(_In_opt_ PUNICODE_STRING SubsystemName, _In_opt_ PUNICODE_STRING ServiceName, _In_ HANDLE ClientTokenHandle, _In_ PPRIVILEGE_SET Privileges, _In_ BOOLEAN AccessGranted)
Raises an alarm audit message when a caller attempts to request a privileged service call.
Definition: audit.c:1883
SepAdtPrivilegedServiceAuditAlarm
VOID NTAPI SepAdtPrivilegedServiceAuditAlarm(_In_ PSECURITY_SUBJECT_CONTEXT SubjectContext, _In_opt_ PUNICODE_STRING SubsystemName, _In_opt_ PUNICODE_STRING ServiceName, _In_ PTOKEN Token, _In_ PTOKEN PrimaryToken, _In_ PPRIVILEGE_SET Privileges, _In_ BOOLEAN AccessGranted)
Performs an audit alarm to a privileged service request. This is a worker function.
Definition: audit.c:332
SeOpenObjectForDeleteAuditAlarm
VOID NTAPI SeOpenObjectForDeleteAuditAlarm(_In_ PUNICODE_STRING ObjectTypeName, _In_opt_ PVOID Object, _In_opt_ PUNICODE_STRING AbsoluteObjectName, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ PACCESS_STATE AccessState, _In_ BOOLEAN ObjectCreated, _In_ BOOLEAN AccessGranted, _In_ KPROCESSOR_MODE AccessMode, _Out_ PBOOLEAN GenerateOnClose)
Creates an audit with alarm notification of an object that is being opened for deletion.
Definition: audit.c:1276
NtAccessCheckByTypeResultListAndAuditAlarm
_Must_inspect_result_ __kernel_entry NTSTATUS NTAPI NtAccessCheckByTypeResultListAndAuditAlarm(_In_ PUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ PUNICODE_STRING ObjectTypeName, _In_ PUNICODE_STRING ObjectName, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_opt_ PSID PrincipalSelfSid, _In_ ACCESS_MASK DesiredAccess, _In_ AUDIT_EVENT_TYPE AuditType, _In_ ULONG Flags, _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList, _In_ ULONG ObjectTypeListLength, _In_ PGENERIC_MAPPING GenericMapping, _In_ BOOLEAN ObjectCreation, _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccessList, _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatusList, _Out_ PBOOLEAN GenerateOnClose)
Raises an alarm audit message when a caller attempts to access an object and determine if the access ...
Definition: audit.c:2324
NtOpenObjectAuditAlarm
__kernel_entry NTSTATUS NTAPI NtOpenObjectAuditAlarm(_In_ PUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ PUNICODE_STRING ObjectTypeName, _In_ PUNICODE_STRING ObjectName, _In_opt_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ HANDLE ClientTokenHandle, _In_ ACCESS_MASK DesiredAccess, _In_ ACCESS_MASK GrantedAccess, _In_opt_ PPRIVILEGE_SET PrivilegeSet, _In_ BOOLEAN ObjectCreation, _In_ BOOLEAN AccessGranted, _Out_ PBOOLEAN GenerateOnClose)
Raises an alarm audit message when an object is about to be opened.
Definition: audit.c:1622
SeDetailedAuditingWithToken
BOOLEAN NTAPI SeDetailedAuditingWithToken(_In_ PTOKEN Token)
Peforms a detailed security auditing with an access token.
Definition: audit.c:34
SeCloseObjectAuditAlarm
VOID NTAPI SeCloseObjectAuditAlarm(_In_ PVOID Object, _In_ HANDLE Handle, _In_ BOOLEAN PerformAction)
Closes an alarm audit of an object.
Definition: audit.c:1140
NtPrivilegeObjectAuditAlarm
NTSTATUS NTAPI NtPrivilegeObjectAuditAlarm(_In_ PUNICODE_STRING SubsystemName, _In_ PVOID HandleId, _In_ HANDLE ClientToken, _In_ ULONG DesiredAccess, _In_ PPRIVILEGE_SET Privileges, _In_ BOOLEAN AccessGranted)
Raises an alarm audit message when a caller attempts to access a privileged object.
Definition: audit.c:2066
NtCloseObjectAuditAlarm
NTSTATUS NTAPI NtCloseObjectAuditAlarm(_In_ PUNICODE_STRING SubsystemName, _In_ PVOID HandleId, _In_ BOOLEAN GenerateOnClose)
Raises an alarm audit message when an object is about to be closed.
Definition: audit.c:1358
SepAccessCheckAndAuditAlarm
_Must_inspect_result_ NTSTATUS NTAPI SepAccessCheckAndAuditAlarm(_In_ PUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ PHANDLE ClientTokenHandle, _In_ PUNICODE_STRING ObjectTypeName, _In_ PUNICODE_STRING ObjectName, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_opt_ PSID PrincipalSelfSid, _In_ ACCESS_MASK DesiredAccess, _In_ AUDIT_EVENT_TYPE AuditType, _In_ ULONG Flags, _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList, _In_ ULONG ObjectTypeListLength, _In_ PGENERIC_MAPPING GenericMapping, _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccessList, _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatusList, _Out_ PBOOLEAN GenerateOnClose, _In_ BOOLEAN UseResultList)
Performs security auditing, if the specific object can be granted security access or not.
Definition: audit.c:614
SeAuditProcessCreate
VOID NTAPI SeAuditProcessCreate(_In_ PEPROCESS Process)
Peforms a security auditing against a process that is about to be created.
Definition: audit.c:56
SeInitializeProcessAuditName
NTSTATUS NTAPI SeInitializeProcessAuditName(_In_ PFILE_OBJECT FileObject, _In_ BOOLEAN DoAudit, _Out_ POBJECT_NAME_INFORMATION *AuditInfo)
Initializes a process audit name and returns it to the caller.
Definition: audit.c:105
NtAccessCheckAndAuditAlarm
_Must_inspect_result_ __kernel_entry NTSTATUS NTAPI NtAccessCheckAndAuditAlarm(_In_ PUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ PUNICODE_STRING ObjectTypeName, _In_ PUNICODE_STRING ObjectName, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ ACCESS_MASK DesiredAccess, _In_ PGENERIC_MAPPING GenericMapping, _In_ BOOLEAN ObjectCreation, _Out_ PACCESS_MASK GrantedAccess, _Out_ PNTSTATUS AccessStatus, _Out_ PBOOLEAN GenerateOnClose)
Raises an alarm audit message when a caller attempts to access an object and determine if the access ...
Definition: audit.c:2125
SeCaptureSecurityDescriptor
NTSTATUS NTAPI SeCaptureSecurityDescriptor(_In_ PSECURITY_DESCRIPTOR _OriginalSecurityDescriptor, _In_ KPROCESSOR_MODE CurrentMode, _In_ POOL_TYPE PoolType, _In_ BOOLEAN CaptureIfKernel, _Out_ PSECURITY_DESCRIPTOR *CapturedSecurityDescriptor)
Captures a security descriptor.
Definition: sd.c:386
SeReleaseSecurityDescriptor
NTSTATUS NTAPI SeReleaseSecurityDescriptor(_In_ PSECURITY_DESCRIPTOR CapturedSecurityDescriptor, _In_ KPROCESSOR_MODE CurrentMode, _In_ BOOLEAN CaptureIfKernelMode)
Releases a captured security descriptor buffer.
Definition: sd.c:760
SeTokenObjectType
POBJECT_TYPE SeTokenObjectType
Definition: token.c:17
PHANDLE
PVOID *typedef PHANDLE
Definition: ntsecpkg.h:455
STATUS_NO_IMPERSONATION_TOKEN
#define STATUS_NO_IMPERSONATION_TOKEN
Definition: ntstatus.h:328
STATUS_INVALID_SECURITY_DESCR
#define STATUS_INVALID_SECURITY_DESCR
Definition: ntstatus.h:357
STATUS_GENERIC_NOT_MAPPED
#define STATUS_GENERIC_NOT_MAPPED
Definition: ntstatus.h:466
STATUS_BAD_IMPERSONATION_LEVEL
#define STATUS_BAD_IMPERSONATION_LEVEL
Definition: ntstatus.h:401
ObQueryNameString
NTSTATUS NTAPI ObQueryNameString(IN PVOID Object, OUT POBJECT_NAME_INFORMATION ObjectNameInfo, IN ULONG Length, OUT PULONG ReturnLength)
Definition: obname.c:1207
ObReferenceObjectByHandle
NTSTATUS NTAPI ObReferenceObjectByHandle(IN HANDLE Handle, IN ACCESS_MASK DesiredAccess, IN POBJECT_TYPE ObjectType, IN KPROCESSOR_MODE AccessMode, OUT PVOID *Object, OUT POBJECT_HANDLE_INFORMATION HandleInformation OPTIONAL)
Definition: obref.c:494
PsReferenceProcessFilePointer
NTSTATUS NTAPI PsReferenceProcessFilePointer(IN PEPROCESS Process, OUT PFILE_OBJECT *FileObject)
Definition: query.c:24
_SEH2_GetExceptionCode
#define _SEH2_GetExceptionCode()
Definition: pseh2_64.h:181
_SEH2_EXCEPT
#define _SEH2_EXCEPT(...)
Definition: pseh2_64.h:82
_SEH2_END
#define _SEH2_END
Definition: pseh2_64.h:171
_SEH2_TRY
#define _SEH2_TRY
Definition: pseh2_64.h:71
_SEH2_YIELD
#define _SEH2_YIELD(__stmt)
Definition: pseh2_64.h:184
ProbeAndCaptureUnicodeString
static __inline NTSTATUS ProbeAndCaptureUnicodeString(OUT PUNICODE_STRING Dest, IN KPROCESSOR_MODE CurrentMode, IN const UNICODE_STRING *UnsafeSrc)
Definition: probe.h:142
ReleaseCapturedUnicodeString
static __inline VOID ReleaseCapturedUnicodeString(IN PUNICODE_STRING CapturedString, IN KPROCESSOR_MODE CurrentMode)
Definition: probe.h:239
SeExports
PSE_EXPORTS SeExports
Definition: semgr.c:21
STATUS_SUCCESS
#define STATUS_SUCCESS
Definition: shellext.h:65
STATUS_BUFFER_TOO_SMALL
#define STATUS_BUFFER_TOO_SMALL
Definition: shellext.h:69
STATUS_BUFFER_OVERFLOW
#define STATUS_BUFFER_OVERFLOW
Definition: shellext.h:66
DPRINT
#define DPRINT
Definition: sndvol32.h:73
__kernel_entry
#define __kernel_entry
Definition: specstrings.h:355
_ACCESS_STATE
Definition: setypes.h:224
_EPROCESS
Definition: pstypes.h:1262
_ETHREAD
Definition: pstypes.h:1103
_FileName
Definition: filecomp.c:348
_GENERIC_MAPPING
Definition: nt_native.h:564
_OBJECT_NAME_INFORMATION
Definition: nt_native.h:1269
_OBJECT_NAME_INFORMATION::Name
UNICODE_STRING Name
Definition: nt_native.h:1270
_OBJECT_TYPE_LIST_INTERNAL
Definition: se.h:52
_OBJECT_TYPE_LIST
Definition: setypes.h:868
_PRIVILEGE_SET
Definition: setypes.h:85
_SECURITY_DESCRIPTOR
Definition: ms-dtyp.idl:301
_SECURITY_SUBJECT_CONTEXT
Definition: setypes.h:217
_SE_EXPORTS::SeNetworkServiceSid
PSID SeNetworkServiceSid
Definition: setypes.h:1256
_SE_EXPORTS::SeLocalServiceSid
PSID SeLocalServiceSid
Definition: setypes.h:1255
_SID_AND_ATTRIBUTES::Sid
PSID Sid
Definition: setypes.h:506
_SID
Definition: ms-dtyp.idl:198
_TOKEN
Definition: setypes.h:216
_TOKEN::ImpersonationLevel
SECURITY_IMPERSONATION_LEVEL ImpersonationLevel
Definition: setypes.h:240
_TOKEN::UserAndGroups
PSID_AND_ATTRIBUTES UserAndGroups
Definition: setypes.h:233
_TOKEN::TokenType
TOKEN_TYPE TokenType
Definition: setypes.h:239
_UNICODE_STRING
Definition: env_spec_w32.h:368
_UNICODE_STRING::MaximumLength
USHORT MaximumLength
Definition: env_spec_w32.h:370
_UNICODE_STRING::Buffer
PWSTR Buffer
Definition: env_spec_w32.h:371
SeReleaseSubjectContext
VOID NTAPI SeReleaseSubjectContext(_In_ PSECURITY_SUBJECT_CONTEXT SubjectContext)
Releases both the primary and client tokens of a security subject context.
Definition: subject.c:171
SeCaptureSubjectContext
VOID NTAPI SeCaptureSubjectContext(_Out_ PSECURITY_SUBJECT_CONTEXT SubjectContext)
Captures the security subject context of the calling thread and calling process.
Definition: subject.c:85
TAG_SEPA
#define TAG_SEPA
Definition: tag.h:155
TAG_PRIVILEGE_SET
#define TAG_PRIVILEGE_SET
Definition: tag.h:156
RTL_CONSTANT_STRING
#define RTL_CONSTANT_STRING(s)
Definition: tunneltest.c:14
PWSTR
uint16_t * PWSTR
Definition: typedefs.h:56
UNIMPLEMENTED_ONCE
#define UNIMPLEMENTED_ONCE
Definition: typedefs.h:30
FIELD_OFFSET
#define FIELD_OFFSET(t, f)
Definition: typedefs.h:255
PBOOLEAN
unsigned char * PBOOLEAN
Definition: typedefs.h:53
NTAPI
#define NTAPI
Definition: typedefs.h:36
RtlCopyMemory
#define RtlCopyMemory(Destination, Source, Length)
Definition: typedefs.h:263
RtlZeroMemory
#define RtlZeroMemory(Destination, Length)
Definition: typedefs.h:262
ULONG
uint32_t ULONG
Definition: typedefs.h:59
STATUS_INVALID_PARAMETER
#define STATUS_INVALID_PARAMETER
Definition: udferr_usr.h:135
STATUS_INFO_LENGTH_MISMATCH
#define STATUS_INFO_LENGTH_MISMATCH
Definition: udferr_usr.h:133
STATUS_INSUFFICIENT_RESOURCES
#define STATUS_INSUFFICIENT_RESOURCES
Definition: udferr_usr.h:158
Privilege
BOOL Privilege(LPTSTR pszPrivilege, BOOL bEnable)
Definition: user_lib.cpp:531
Object
_Must_inspect_result_ _In_ WDFCOLLECTION _In_ WDFOBJECT Object
Definition: wdfcollection.h:123
DesiredAccess
_Must_inspect_result_ _In_ WDFDEVICE _In_ ULONG _In_ ACCESS_MASK DesiredAccess
Definition: wdfdevice.h:2658
FileObject
_In_ WDFREQUEST _In_ WDFFILEOBJECT FileObject
Definition: wdfdevice.h:550
SecurityDescriptor
_In_ USHORT _In_ ULONG _In_ PSOCKADDR _In_ PSOCKADDR _Reserved_ ULONG _In_opt_ PVOID _In_opt_ const WSK_CLIENT_CONNECTION_DISPATCH _In_opt_ PEPROCESS _In_opt_ PETHREAD _In_opt_ PSECURITY_DESCRIPTOR SecurityDescriptor
Definition: wsk.h:191
Flags
_Must_inspect_result_ _In_ ULONG Flags
Definition: wsk.h:170
ObjectName
_In_ PVOID _Out_opt_ PULONG_PTR _Outptr_opt_ PCUNICODE_STRING * ObjectName
Definition: cmfuncs.h:64
PFILE_OBJECT
* PFILE_OBJECT
Definition: iotypes.h:1998
KPROCESSOR_MODE
CCHAR KPROCESSOR_MODE
Definition: ketypes.h:7
AccessMode
_In_ PEPROCESS _In_ KPROCESSOR_MODE AccessMode
Definition: mmfuncs.h:396
ObDereferenceObject
#define ObDereferenceObject
Definition: obfuncs.h:203
CopyOnOpen
_Out_ PBOOLEAN CopyOnOpen
Definition: psfuncs.h:154
PsGetCurrentProcess
#define PsGetCurrentProcess
Definition: psfuncs.h:17
ImpersonationLevel
_Out_ PBOOLEAN _Out_ PBOOLEAN _Out_ PSECURITY_IMPERSONATION_LEVEL ImpersonationLevel
Definition: psfuncs.h:156
AbsoluteObjectName
_In_opt_ PVOID _In_opt_ PUNICODE_STRING AbsoluteObjectName
Definition: sefuncs.h:415
Privileges
_In_ PSECURITY_SUBJECT_CONTEXT _In_ BOOLEAN _In_ ACCESS_MASK _In_ ACCESS_MASK _Outptr_opt_ PPRIVILEGE_SET * Privileges
Definition: sefuncs.h:17
GenerateOnClose
_In_opt_ PVOID _In_opt_ PUNICODE_STRING _In_ PSECURITY_DESCRIPTOR _In_ PACCESS_STATE _In_ BOOLEAN _In_ BOOLEAN _In_ KPROCESSOR_MODE _In_opt_ GUID _Out_ PBOOLEAN GenerateOnClose
Definition: sefuncs.h:422
ObjectCreated
_In_opt_ PVOID _In_opt_ PUNICODE_STRING _In_ PSECURITY_DESCRIPTOR _In_ PACCESS_STATE _In_ BOOLEAN ObjectCreated
Definition: sefuncs.h:418
AccessGranted
_In_opt_ PVOID _In_opt_ PUNICODE_STRING _In_ PSECURITY_DESCRIPTOR _In_ PACCESS_STATE _In_ BOOLEAN _In_ BOOLEAN AccessGranted
Definition: sefuncs.h:419
AccessStatus
_In_ PSECURITY_SUBJECT_CONTEXT _In_ BOOLEAN _In_ ACCESS_MASK _In_ ACCESS_MASK _Outptr_opt_ PPRIVILEGE_SET _In_ PGENERIC_MAPPING _In_ KPROCESSOR_MODE _Out_ PACCESS_MASK _Out_ PNTSTATUS AccessStatus
Definition: sefuncs.h:21
AccessState
_In_opt_ PVOID _In_opt_ PUNICODE_STRING _In_ PSECURITY_DESCRIPTOR _In_ PACCESS_STATE AccessState
Definition: sefuncs.h:417
SubjectSecurityContext
_In_ PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext
Definition: sefuncs.h:13
GrantedAccess
_In_ PSECURITY_SUBJECT_CONTEXT _In_ BOOLEAN _In_ ACCESS_MASK _In_ ACCESS_MASK _Outptr_opt_ PPRIVILEGE_SET _In_ PGENERIC_MAPPING _In_ KPROCESSOR_MODE _Out_ PACCESS_MASK GrantedAccess
Definition: sefuncs.h:20
AUDIT_ALLOW_NO_PRIVILEGE
#define AUDIT_ALLOW_NO_PRIVILEGE
Definition: setypes.h:884
TOKEN_QUERY
#define TOKEN_QUERY
Definition: setypes.h:940
AuditEventDirectoryServiceAccess
@ AuditEventDirectoryServiceAccess
Definition: setypes.h:881
AuditEventObjectAccess
@ AuditEventObjectAccess
Definition: setypes.h:880
AUDIT_EVENT_TYPE
enum _AUDIT_EVENT_TYPE AUDIT_EVENT_TYPE