15 #define SEP_PRIVILEGE_SET_MAX_COUNT 60 127 sizeof(LocalNameInfo),
149 if ((ObjectNameInfo) &&
154 if (ObjectNameInfo)
ExFreePool(ObjectNameInfo);
173 *AuditInfo = ObjectNameInfo;
211 *ProcessImageName =
NULL;
214 AuditName =
Process->SeAuditProcessCreationInfo.ImageFileName;
227 SeAuditProcessCreationInfo.ImageFileName,
242 AuditName =
Process->SeAuditProcessCreationInfo.ImageFileName;
341 DPRINT(
"SepAdtPrivilegedServiceAuditAlarm is unimplemented\n");
508 ULONG ResultListLength,
i;
511 ResultListLength = UseResultList ? ObjectTypeListLength : 1;
517 for (
i = 0;
i < ResultListLength;
i++)
634 ULONG ResultListLength;
636 PTOKEN SubjectContextToken, ClientToken;
640 UNICODE_STRING CapturedSubsystemName, CapturedObjectTypeName, CapturedObjectName;
643 PSID CapturedPrincipalSelfSid;
654 AllocatedResultLists =
FALSE;
656 CapturedSecurityDescriptor =
NULL;
660 CapturedPrincipalSelfSid =
NULL;
661 CapturedObjectTypeList =
NULL;
667 DPRINT1(
"Invalid audit type: %u\n", AuditType);
675 if (ClientTokenHandle ==
NULL)
689 DPRINT1(
"Invalid impersonation level 0x%lx\n",
699 ResultListLength = ObjectTypeListLength;
700 if ((ResultListLength == 0) || (ResultListLength > 0x1000))
703 DPRINT1(
"Invalid ResultListLength: 0x%lx\n", ResultListLength);
709 2 * ResultListLength *
sizeof(
ULONG),
711 if (SafeGrantedAccessList ==
NULL)
714 DPRINT1(
"Failed to allocate access lists\n");
718 SafeAccessStatusList = (
PNTSTATUS)&SafeGrantedAccessList[ResultListLength];
719 AllocatedResultLists =
TRUE;
724 ResultListLength = 1;
733 ResultListLength *
sizeof(*AccessStatusList),
734 sizeof(*AccessStatusList));
736 ResultListLength *
sizeof(*GrantedAccessList),
737 sizeof(*GrantedAccessList));
746 DPRINT1(
"Exception while probing parameters: 0x%lx\n",
Status);
752 if (ClientTokenHandle !=
NULL)
759 (
PVOID*)&ClientToken,
763 DPRINT1(
"Failed to reference token handle %p: %lx\n",
764 *ClientTokenHandle,
Status);
776 DPRINT1(
"Caller does not have SeAuditPrivilege\n");
794 &CapturedSecurityDescriptor);
797 DPRINT1(
"Failed to capture security descriptor!\n");
806 DPRINT1(
"Invalid security descriptor\n");
816 DPRINT1(
"Failed to capture subsystem name!\n");
826 DPRINT1(
"Failed to capture object type name!\n");
836 DPRINT1(
"Failed to capture object name!\n");
841 if (PrincipalSelfSid !=
NULL)
848 &CapturedPrincipalSelfSid);
851 DPRINT1(
"Failed to capture PrincipalSelfSid!\n");
858 ObjectTypeListLength,
860 &CapturedObjectTypeList);
863 DPRINT1(
"Failed to capture object type list!\n");
871 &CapturedObjectTypeName,
873 CapturedSecurityDescriptor,
874 CapturedPrincipalSelfSid,
878 CapturedObjectTypeList,
879 ObjectTypeListLength,
880 &LocalGenericMapping,
881 SafeGrantedAccessList,
882 SafeAccessStatusList,
883 &LocalGenerateOnClose,
892 ASSERT(UseResultList || (ResultListLength == 1));
893 for (
i = 0;
i < ResultListLength;
i++)
895 AccessStatusList[
i] = SafeAccessStatusList[
i];
896 GrantedAccessList[
i] = SafeGrantedAccessList[
i];
904 DPRINT1(
"Exception while copying back data: 0x%lx\n",
Status);
910 if (CapturedObjectTypeList !=
NULL)
913 if (CapturedPrincipalSelfSid !=
NULL)
925 if (CapturedSecurityDescriptor !=
NULL)
928 if (ClientToken !=
NULL)
934 if (AllocatedResultLists)
1366 BOOLEAN UseImpersonationToken;
1391 DPRINT1(
"Caller does not have SeAuditPrivilege\n");
1402 DPRINT1(
"Failed to capture subsystem name!\n");
1415 UseImpersonationToken =
TRUE;
1421 UseImpersonationToken =
FALSE;
1427 Token->UserAndGroups->Sid);
1433 if (UseImpersonationToken)
1638 UNICODE_STRING CapturedSubsystemName, CapturedObjectTypeName, CapturedObjectName;
1639 ULONG PrivilegeCount, PrivilegeSetSize;
1642 PVOID CapturedHandleId;
1652 CapturedSecurityDescriptor =
NULL;
1653 CapturedPrivilegeSet =
NULL;
1663 (
PVOID*)&ClientToken,
1667 DPRINT1(
"Failed to reference token handle %p: %lx\n",
1668 ClientTokenHandle,
Status);
1679 DPRINT1(
"Invalid impersonation level (%u)\n", ClientToken->ImpersonationLevel);
1687 DPRINT1(
"Caller does not have SeAuditPrivilege\n");
1705 &CapturedSecurityDescriptor);
1708 DPRINT1(
"Failed to capture security descriptor!\n");
1715 if (PrivilegeSet !=
NULL)
1721 PrivilegeCount = PrivilegeSet->PrivilegeCount;
1738 if (CapturedPrivilegeSet ==
NULL)
1740 DPRINT1(
"Failed to allocate %u bytes\n", PrivilegeSetSize);
1746 RtlCopyMemory(CapturedPrivilegeSet, PrivilegeSet, PrivilegeSetSize);
1749 if (HandleId !=
NULL)
1752 CapturedHandleId = *(
PVOID*)HandleId;
1760 DPRINT1(
"Exception while probing parameters: 0x%lx\n",
Status);
1771 DPRINT1(
"Failed to capture subsystem name!\n");
1781 DPRINT1(
"Failed to capture object type name!\n");
1791 DPRINT1(
"Failed to capture object name!\n");
1797 &CapturedSubsystemName,
1799 &CapturedObjectTypeName,
1800 &CapturedObjectName,
1801 CapturedSecurityDescriptor,
1805 CapturedPrivilegeSet,
1808 &LocalGenerateOnClose);
1820 DPRINT1(
"Exception while copying back data: 0x%lx\n",
Status);
1835 if (CapturedSecurityDescriptor !=
NULL)
1838 if (CapturedPrivilegeSet !=
NULL)
1895 ULONG PrivilegeCount, PrivilegesSize;
1912 (
PVOID*)&ClientToken,
1916 DPRINT1(
"Failed to reference client token: 0x%lx\n",
Status);
1924 DPRINT1(
"Invalid impersonation level (%u)\n", ClientToken->ImpersonationLevel);
1935 DPRINT1(
"Caller does not have SeAuditPrivilege\n");
1941 if (SubsystemName !=
NULL)
1949 DPRINT1(
"Failed to capture subsystem name!\n");
1963 DPRINT1(
"Failed to capture service name!\n");
1991 if (CapturedPrivileges ==
NULL)
1993 DPRINT1(
"Failed to allocate %u bytes\n", PrivilegesSize);
2011 SubsystemName ? &CapturedSubsystemName :
NULL,
2028 if (CapturedPrivileges !=
NULL)
2354 ObjectTypeListLength,
2463 ObjectTypeListLength,
static __inline NTSTATUS ProbeAndCaptureUnicodeString(OUT PUNICODE_STRING Dest, IN KPROCESSOR_MODE CurrentMode, IN const UNICODE_STRING *UnsafeSrc)
static POBJECTS_AND_NAME_A SE_OBJECT_TYPE LPSTR ObjectTypeName
IN CINT OUT PVOID IN ULONG OUT PULONG ReturnLength
NTSTATUS NTAPI SeLocateProcessImageName(_In_ PEPROCESS Process, _Out_ PUNICODE_STRING *ProcessImageName)
Finds the process image name of a specific process.
_Must_inspect_result_ __kernel_entry NTSTATUS NTAPI NtAccessCheckByTypeResultListAndAuditAlarm(_In_ PUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ PUNICODE_STRING ObjectTypeName, _In_ PUNICODE_STRING ObjectName, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_opt_ PSID PrincipalSelfSid, _In_ ACCESS_MASK DesiredAccess, _In_ AUDIT_EVENT_TYPE AuditType, _In_ ULONG Flags, _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList, _In_ ULONG ObjectTypeListLength, _In_ PGENERIC_MAPPING GenericMapping, _In_ BOOLEAN ObjectCreation, _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccessList, _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatusList, _Out_ PBOOLEAN GenerateOnClose)
Raises an alarm audit message when a caller attempts to access an object and determine if the access ...
#define STATUS_PRIVILEGE_NOT_HELD
_Inout_ PLIST_ENTRY _In_ PVOID _In_ PSTRING _In_ BOOLEAN _In_ BOOLEAN _In_ ULONG _In_ PFLT_CALLBACK_DATA _In_opt_ PCHECK_FOR_TRAVERSE_ACCESS _In_opt_ PSECURITY_SUBJECT_CONTEXT SubjectContext
_Must_inspect_result_ _In_ WDFDEVICE _In_ ULONG _In_ ACCESS_MASK DesiredAccess
#define STATUS_INVALID_SECURITY_DESCR
#define STATUS_BAD_IMPERSONATION_LEVEL
#define STATUS_INSUFFICIENT_RESOURCES
#define STATUS_INFO_LENGTH_MISMATCH
#define PsGetCurrentThread()
VOID SeReleaseObjectTypeList(_In_ _Post_invalid_ POBJECT_TYPE_LIST CapturedObjectTypeList, _In_ KPROCESSOR_MODE PreviousMode)
Releases a buffer list of object types.
BOOLEAN NTAPI SeAuditingHardLinkEvents(_In_ BOOLEAN AccessGranted, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor)
Determines whether auditing against hard links events is being done or not.
_In_ PSECURITY_SUBJECT_CONTEXT _In_ BOOLEAN _In_ ACCESS_MASK _In_ ACCESS_MASK _Outptr_opt_ PPRIVILEGE_SET _In_ PGENERIC_MAPPING _In_ KPROCESSOR_MODE _Out_ PACCESS_MASK _Out_ PNTSTATUS AccessStatus
#define UNREFERENCED_PARAMETER(P)
_In_ USHORT _In_ ULONG _In_ PSOCKADDR _In_ PSOCKADDR _Reserved_ ULONG _In_opt_ PVOID _In_opt_ const WSK_CLIENT_CONNECTION_DISPATCH _In_opt_ PEPROCESS _In_opt_ PETHREAD _In_opt_ PSECURITY_DESCRIPTOR SecurityDescriptor
#define STATUS_INVALID_PARAMETER
#define DBG_UNREFERENCED_PARAMETER(P)
NTSTATUS NTAPI SepCaptureSid(_In_ PSID InputSid, _In_ KPROCESSOR_MODE AccessMode, _In_ POOL_TYPE PoolType, _In_ BOOLEAN CaptureIfKernel, _Out_ PSID *CapturedSid)
Captures a SID.
_In_opt_ PVOID _In_opt_ PUNICODE_STRING _In_ PSECURITY_DESCRIPTOR _In_ PACCESS_STATE _In_ BOOLEAN ObjectCreated
_IRQL_requires_same_ _In_ PLSA_STRING _In_ SECURITY_LOGON_TYPE _In_ ULONG _In_ ULONG _In_opt_ PTOKEN_GROUPS _In_ PTOKEN_SOURCE _Out_ PVOID _Out_ PULONG _Inout_ PLUID _Out_ PHANDLE Token
VOID NTAPI SepAdtPrivilegedServiceAuditAlarm(_In_ PSECURITY_SUBJECT_CONTEXT SubjectContext, _In_opt_ PUNICODE_STRING SubsystemName, _In_opt_ PUNICODE_STRING ServiceName, _In_ PTOKEN Token, _In_ PTOKEN PrimaryToken, _In_ PPRIVILEGE_SET Privileges, _In_ BOOLEAN AccessGranted)
Performs an audit alarm to a privileged service request. This is a worker function.
_Out_ PBOOLEAN CopyOnOpen
NTSTATUS NTAPI ObQueryNameString(IN PVOID Object, OUT POBJECT_NAME_INFORMATION ObjectNameInfo, IN ULONG Length, OUT PULONG ReturnLength)
BOOLEAN NTAPI SeDetailedAuditingWithToken(_In_ PTOKEN Token)
Peforms a detailed security auditing with an access token.
KPROCESSOR_MODE NTAPI ExGetPreviousMode(VOID)
FORCEINLINE PSID SepGetGroupFromDescriptor(_Inout_ PVOID _Descriptor)
BOOLEAN NTAPI SeAuditingFileEvents(_In_ BOOLEAN AccessGranted, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor)
Determines whether auditing against file events is being done or not.
FORCEINLINE PSID SepGetOwnerFromDescriptor(_Inout_ PVOID _Descriptor)
_In_ PVOID _Out_opt_ PULONG_PTR _Outptr_opt_ PCUNICODE_STRING * ObjectName
#define SEP_PRIVILEGE_SET_MAX_COUNT
_Must_inspect_result_ __kernel_entry NTSTATUS NTAPI NtAccessCheckByTypeAndAuditAlarm(_In_ PUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ PUNICODE_STRING ObjectTypeName, _In_ PUNICODE_STRING ObjectName, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_opt_ PSID PrincipalSelfSid, _In_ ACCESS_MASK DesiredAccess, _In_ AUDIT_EVENT_TYPE AuditType, _In_ ULONG Flags, _In_reads_opt_(ObjectTypeLength) POBJECT_TYPE_LIST ObjectTypeList, _In_ ULONG ObjectTypeLength, _In_ PGENERIC_MAPPING GenericMapping, _In_ BOOLEAN ObjectCreation, _Out_ PACCESS_MASK GrantedAccess, _Out_ PNTSTATUS AccessStatus, _Out_ PBOOLEAN GenerateOnClose)
Raises an alarm audit message when a caller attempts to access an object and determine if the access ...
NTSTATUS NTAPI NtPrivilegeObjectAuditAlarm(_In_ PUNICODE_STRING SubsystemName, _In_ PVOID HandleId, _In_ HANDLE ClientToken, _In_ ULONG DesiredAccess, _In_ PPRIVILEGE_SET Privileges, _In_ BOOLEAN AccessGranted)
Raises an alarm audit message when a caller attempts to access a privileged object.
#define _In_reads_opt_(size)
VOID NTAPI ProbeForWrite(IN PVOID Address, IN SIZE_T Length, IN ULONG Alignment)
VOID NTAPI SepReleaseSid(_In_ PSID CapturedSid, _In_ KPROCESSOR_MODE AccessMode, _In_ BOOLEAN CaptureIfKernel)
Releases a captured SID.
#define STATUS_BUFFER_TOO_SMALL
VOID NTAPI SepAdtCloseObjectAuditAlarm(_In_ PUNICODE_STRING SubsystemName, _In_ PVOID HandleId, _In_ PSID Sid)
Closes an audit alarm event of an object.
return STATUS_NOT_IMPLEMENTED
NTSTATUS NTAPI ObReferenceObjectByHandle(IN HANDLE Handle, IN ACCESS_MASK DesiredAccess, IN POBJECT_TYPE ObjectType, IN KPROCESSOR_MODE AccessMode, OUT PVOID *Object, OUT POBJECT_HANDLE_INFORMATION HandleInformation OPTIONAL)
enum _AUDIT_EVENT_TYPE AUDIT_EVENT_TYPE
NTSTATUS(* NTAPI)(IN PFILE_FULL_EA_INFORMATION EaBuffer, IN ULONG EaLength, OUT PULONG ErrorOffset)
enum _SECURITY_IMPERSONATION_LEVEL SECURITY_IMPERSONATION_LEVEL
_In_ PEPROCESS _In_ KPROCESSOR_MODE AccessMode
#define InterlockedCompareExchangePointer
#define STATUS_GENERIC_NOT_MAPPED
#define PsGetCurrentProcess
struct _OBJECT_NAME_INFORMATION OBJECT_NAME_INFORMATION
POBJECT_TYPE SeTokenObjectType
BOOLEAN NTAPI PsIsThreadImpersonating(IN PETHREAD Thread)
_In_ ULONG _In_ ACCESS_MASK _In_ PSID Sid
#define STATUS_NO_IMPERSONATION_TOKEN
_In_ WDFREQUEST _In_ WDFFILEOBJECT FileObject
VOID NTAPI SeOpenObjectAuditAlarm(_In_ PUNICODE_STRING ObjectTypeName, _In_opt_ PVOID Object, _In_opt_ PUNICODE_STRING AbsoluteObjectName, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ PACCESS_STATE AccessState, _In_ BOOLEAN ObjectCreated, _In_ BOOLEAN AccessGranted, _In_ KPROCESSOR_MODE AccessMode, _Out_ PBOOLEAN GenerateOnClose)
Creates an audit with alarm notification of an object that is being opened.
_Must_inspect_result_ __kernel_entry NTSTATUS NTAPI NtAccessCheckAndAuditAlarm(_In_ PUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ PUNICODE_STRING ObjectTypeName, _In_ PUNICODE_STRING ObjectName, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ ACCESS_MASK DesiredAccess, _In_ PGENERIC_MAPPING GenericMapping, _In_ BOOLEAN ObjectCreation, _Out_ PACCESS_MASK GrantedAccess, _Out_ PNTSTATUS AccessStatus, _Out_ PBOOLEAN GenerateOnClose)
Raises an alarm audit message when a caller attempts to access an object and determine if the access ...
static __inline VOID ReleaseCapturedUnicodeString(IN PUNICODE_STRING CapturedString, IN KPROCESSOR_MODE CurrentMode)
__kernel_entry NTSTATUS NTAPI NtPrivilegedServiceAuditAlarm(_In_opt_ PUNICODE_STRING SubsystemName, _In_opt_ PUNICODE_STRING ServiceName, _In_ HANDLE ClientTokenHandle, _In_ PPRIVILEGE_SET Privileges, _In_ BOOLEAN AccessGranted)
Raises an alarm audit message when a caller attempts to request a privileged service call.
_In_ KPROCESSOR_MODE PreviousMode
_Must_inspect_result_ _In_ ULONG Flags
#define NT_SUCCESS(StatCode)
VOID NTAPI SeDeleteObjectAuditAlarm(_In_ PVOID Object, _In_ HANDLE Handle)
Deletes an alarm audit of an object.
#define EXCEPTION_EXECUTE_HANDLER
NTSTATUS NTAPI SeCaptureSecurityDescriptor(_In_ PSECURITY_DESCRIPTOR _OriginalSecurityDescriptor, _In_ KPROCESSOR_MODE CurrentMode, _In_ POOL_TYPE PoolType, _In_ BOOLEAN CaptureIfKernel, _Out_ PSECURITY_DESCRIPTOR *CapturedSecurityDescriptor)
Captures a security descriptor.
_Out_ PBOOLEAN _Out_ PBOOLEAN _Out_ PSECURITY_IMPERSONATION_LEVEL ImpersonationLevel
#define ObDereferenceObject
_In_opt_ PVOID _In_opt_ PUNICODE_STRING _In_ PSECURITY_DESCRIPTOR _In_ PACCESS_STATE _In_ BOOLEAN _In_ BOOLEAN _In_ KPROCESSOR_MODE _In_opt_ GUID _Out_ PBOOLEAN GenerateOnClose
BOOL Privilege(LPTSTR pszPrivilege, BOOL bEnable)
_In_ PSECURITY_SUBJECT_CONTEXT _In_ BOOLEAN _In_ ACCESS_MASK _In_ ACCESS_MASK _Outptr_opt_ PPRIVILEGE_SET * Privileges
_In_opt_ PVOID _In_opt_ PUNICODE_STRING AbsoluteObjectName
_In_opt_ PVOID _In_opt_ PUNICODE_STRING _In_ PSECURITY_DESCRIPTOR _In_ PACCESS_STATE AccessState
#define ExAllocatePoolWithTag(hernya, size, tag)
static const char * ImageName
VOID NTAPI ProbeForRead(IN CONST VOID *Address, IN SIZE_T Length, IN ULONG Alignment)
NTSTATUS NTAPI NtDeleteObjectAuditAlarm(_In_ PUNICODE_STRING SubsystemName, _In_ PVOID HandleId, _In_ BOOLEAN GenerateOnClose)
Raises an alarm audit message when an object is about to be deleted.
BOOLEAN NTAPI SeAuditingFileOrGlobalEvents(_In_ BOOLEAN AccessGranted, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext)
Determines whether auditing against files or global events with subject context is being done or not.
BOOLEAN NTAPI SeAuditingFileEventsWithContext(_In_ BOOLEAN AccessGranted, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_opt_ PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext)
Determines whether auditing against file events with subject context is being done or not.
VOID NTAPI SePrivilegeObjectAuditAlarm(_In_ HANDLE Handle, _In_ PSECURITY_SUBJECT_CONTEXT SubjectContext, _In_ ACCESS_MASK DesiredAccess, _In_ PPRIVILEGE_SET Privileges, _In_ BOOLEAN AccessGranted, _In_ KPROCESSOR_MODE CurrentMode)
Raises an audit with alarm notification message when an object tries to acquire this privilege.
NTSTATUS NTAPI SeReleaseSecurityDescriptor(_In_ PSECURITY_DESCRIPTOR CapturedSecurityDescriptor, _In_ KPROCESSOR_MODE CurrentMode, _In_ BOOLEAN CaptureIfKernelMode)
Releases a captured security descriptor buffer.
PACCESS_TOKEN NTAPI PsReferencePrimaryToken(PEPROCESS Process)
static const WCHAR Cleanup[]
#define _Must_inspect_result_
VOID NTAPI SeOpenObjectForDeleteAuditAlarm(_In_ PUNICODE_STRING ObjectTypeName, _In_opt_ PVOID Object, _In_opt_ PUNICODE_STRING AbsoluteObjectName, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ PACCESS_STATE AccessState, _In_ BOOLEAN ObjectCreated, _In_ BOOLEAN AccessGranted, _In_ KPROCESSOR_MODE AccessMode, _Out_ PBOOLEAN GenerateOnClose)
Creates an audit with alarm notification of an object that is being opened for deletion.
_Must_inspect_result_ _In_ WDFCOLLECTION _In_ WDFOBJECT Object
__kernel_entry NTSTATUS NTAPI NtOpenObjectAuditAlarm(_In_ PUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ PUNICODE_STRING ObjectTypeName, _In_ PUNICODE_STRING ObjectName, _In_opt_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ HANDLE ClientTokenHandle, _In_ ACCESS_MASK DesiredAccess, _In_ ACCESS_MASK GrantedAccess, _In_opt_ PPRIVILEGE_SET PrivilegeSet, _In_ BOOLEAN ObjectCreation, _In_ BOOLEAN AccessGranted, _Out_ PBOOLEAN GenerateOnClose)
Raises an alarm audit message when an object is about to be opened.
PACCESS_TOKEN NTAPI PsReferenceImpersonationToken(IN PETHREAD Thread, OUT PBOOLEAN CopyOnOpen, OUT PBOOLEAN EffectiveOnly, OUT PSECURITY_IMPERSONATION_LEVEL ImpersonationLevel)
static GENERIC_MAPPING GenericMapping
VOID NTAPI SeCaptureSubjectContext(_Out_ PSECURITY_SUBJECT_CONTEXT SubjectContext)
Captures the security subject context of the calling thread and calling process.
#define STATUS_BUFFER_OVERFLOW
GLsizei GLenum const GLvoid GLsizei GLenum GLbyte GLbyte GLbyte GLdouble GLdouble GLdouble GLfloat GLfloat GLfloat GLint GLint GLint GLshort GLshort GLshort GLubyte GLubyte GLubyte GLuint GLuint GLuint GLushort GLushort GLushort GLbyte GLbyte GLbyte GLbyte GLdouble GLdouble GLdouble GLdouble GLfloat GLfloat GLfloat GLfloat GLint GLint GLint GLint GLshort GLshort GLshort GLshort GLubyte GLubyte GLubyte GLubyte GLuint GLuint GLuint GLuint GLushort GLushort GLushort GLushort GLboolean const GLdouble const GLfloat const GLint const GLshort const GLbyte const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLdouble const GLfloat const GLfloat const GLint const GLint const GLshort const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort GLenum GLenum GLenum GLfloat GLenum GLint GLenum GLenum GLenum GLfloat GLenum GLenum GLint GLenum GLfloat GLenum GLint GLint GLushort GLenum GLenum GLfloat GLenum GLenum GLint GLfloat const GLubyte GLenum GLenum GLenum const GLfloat GLenum GLenum const GLint GLenum GLint GLint GLsizei GLsizei GLint GLenum GLenum const GLvoid GLenum GLenum const GLfloat GLenum GLenum const GLint GLenum GLenum const GLdouble GLenum GLenum const GLfloat GLenum GLenum const GLint GLsizei GLuint GLfloat GLuint GLbitfield GLfloat GLint GLuint GLboolean GLenum GLfloat GLenum GLbitfield GLenum GLfloat GLfloat GLint GLint const GLfloat GLenum GLfloat GLfloat GLint GLint GLfloat GLfloat GLint GLint const GLfloat GLint GLfloat GLfloat GLint GLfloat GLfloat GLint GLfloat GLfloat const GLdouble const GLfloat const GLdouble const GLfloat GLint i
VOID NTAPI SeCloseObjectAuditAlarm(_In_ PVOID Object, _In_ HANDLE Handle, _In_ BOOLEAN PerformAction)
Closes an alarm audit of an object.
BOOLEAN NTAPI SeAuditingHardLinkEventsWithContext(_In_ BOOLEAN AccessGranted, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_opt_ PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext)
Determines whether auditing against hard links events with subject context is being done or not.
_In_opt_ PVOID _In_opt_ PUNICODE_STRING _In_ PSECURITY_DESCRIPTOR _In_ PACCESS_STATE _In_ BOOLEAN _In_ BOOLEAN AccessGranted
UNICODE_STRING SeSubsystemName
#define FIELD_OFFSET(t, f)
BOOLEAN NTAPI SeCheckAuditPrivilege(_In_ PSECURITY_SUBJECT_CONTEXT SubjectContext, _In_ KPROCESSOR_MODE PreviousMode)
Checks a single privilege and performs an audit against a privileged service based on a security subj...
VOID NTAPI PsDereferencePrimaryToken(IN PACCESS_TOKEN PrimaryToken)
_Must_inspect_result_ __kernel_entry NTSTATUS NTAPI NtAccessCheckByTypeResultListAndAuditAlarmByHandle(_In_ PUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ HANDLE ClientToken, _In_ PUNICODE_STRING ObjectTypeName, _In_ PUNICODE_STRING ObjectName, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_opt_ PSID PrincipalSelfSid, _In_ ACCESS_MASK DesiredAccess, _In_ AUDIT_EVENT_TYPE AuditType, _In_ ULONG Flags, _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList, _In_ ULONG ObjectTypeListLength, _In_ PGENERIC_MAPPING GenericMapping, _In_ BOOLEAN ObjectCreation, _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccessList, _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatusList, _Out_ PBOOLEAN GenerateOnClose)
Raises an alarm audit message when a caller attempts to access an object and determine if the access ...
#define AUDIT_ALLOW_NO_PRIVILEGE
VOID NTAPI SePrivilegedServiceAuditAlarm(_In_opt_ PUNICODE_STRING ServiceName, _In_ PSECURITY_SUBJECT_CONTEXT SubjectContext, _In_ PPRIVILEGE_SET PrivilegeSet, _In_ BOOLEAN AccessGranted)
Performs an audit alarm to a privileged service request.
_Must_inspect_result_ _In_ PLARGE_INTEGER _In_ PLARGE_INTEGER _In_ ULONG _In_ PFILE_OBJECT _In_ PVOID Process
NTSTATUS NTAPI SeInitializeProcessAuditName(_In_ PFILE_OBJECT FileObject, _In_ BOOLEAN DoAudit, _Out_ POBJECT_NAME_INFORMATION *AuditInfo)
Initializes a process audit name and returns it to the caller.
VOID NTAPI SeAuditProcessCreate(_In_ PEPROCESS Process)
Peforms a security auditing against a process that is about to be created.
ACCESS_MASK * PACCESS_MASK
#define RtlZeroMemory(Destination, Length)
PSID_AND_ATTRIBUTES UserAndGroups
#define RtlCopyMemory(Destination, Source, Length)
VOID NTAPI SeReleaseSubjectContext(_In_ PSECURITY_SUBJECT_CONTEXT SubjectContext)
Releases both the primary and client tokens of a security subject context.
#define _SEH2_EXCEPT(...)
static _Must_inspect_result_ NTSTATUS SepAccessCheckAndAuditAlarmWorker(_In_ PUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ PSECURITY_SUBJECT_CONTEXT SubjectContext, _In_ PUNICODE_STRING ObjectTypeName, _In_ PUNICODE_STRING ObjectName, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_opt_ PSID PrincipalSelfSid, _In_ ACCESS_MASK DesiredAccess, _In_ AUDIT_EVENT_TYPE AuditType, _In_ BOOLEAN HaveAuditPrivilege, _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList, _In_ ULONG ObjectTypeListLength, _In_ PGENERIC_MAPPING GenericMapping, _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccessList, _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatusList, _Out_ PBOOLEAN GenerateOnClose, _In_ BOOLEAN UseResultList)
Worker function that serves as the main heart and brain of the whole concept and implementation of au...
#define TAG_PRIVILEGE_SET
VOID NTAPI SeAuditProcessExit(_In_ PEPROCESS Process)
Peforms a security auditing against a process that is about to be terminated.
#define _SEH2_GetExceptionCode()
#define _SEH2_YIELD(__stmt)
_In_ ACCESS_MASK _In_opt_ POBJECT_ATTRIBUTES _In_ BOOLEAN EffectiveOnly
#define UNIMPLEMENTED_ONCE
_In_ PSECURITY_SUBJECT_CONTEXT _In_ BOOLEAN _In_ ACCESS_MASK _In_ ACCESS_MASK _Outptr_opt_ PPRIVILEGE_SET _In_ PGENERIC_MAPPING _In_ KPROCESSOR_MODE _Out_ PACCESS_MASK GrantedAccess
#define ExFreePoolWithTag(_P, _T)
NTSTATUS SeCaptureObjectTypeList(_In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList, _In_ ULONG ObjectTypeListLength, _In_ KPROCESSOR_MODE PreviousMode, _Out_ POBJECT_TYPE_LIST *CapturedObjectTypeList)
Captures a list of object types.
VOID NTAPI SeAuditHardLinkCreation(_In_ PUNICODE_STRING FileName, _In_ PUNICODE_STRING LinkName, _In_ BOOLEAN bSuccess)
Performs an audit against a hard link creation.
NTSTATUS NTAPI NtCloseObjectAuditAlarm(_In_ PUNICODE_STRING SubsystemName, _In_ PVOID HandleId, _In_ BOOLEAN GenerateOnClose)
Raises an alarm audit message when an object is about to be closed.
_Must_inspect_result_ NTSTATUS NTAPI SepAccessCheckAndAuditAlarm(_In_ PUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ PHANDLE ClientTokenHandle, _In_ PUNICODE_STRING ObjectTypeName, _In_ PUNICODE_STRING ObjectName, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_opt_ PSID PrincipalSelfSid, _In_ ACCESS_MASK DesiredAccess, _In_ AUDIT_EVENT_TYPE AuditType, _In_ ULONG Flags, _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList, _In_ ULONG ObjectTypeListLength, _In_ PGENERIC_MAPPING GenericMapping, _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccessList, _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatusList, _Out_ PBOOLEAN GenerateOnClose, _In_ BOOLEAN UseResultList)
Performs security auditing, if the specific object can be granted security access or not.
NTSYSAPI BOOLEAN NTAPI RtlEqualSid(_In_ PSID Sid1, _In_ PSID Sid2)
NTSTATUS NTAPI PsReferenceProcessFilePointer(IN PEPROCESS Process, OUT PFILE_OBJECT *FileObject)
VOID NTAPI SepOpenObjectAuditAlarm(_In_ PSECURITY_SUBJECT_CONTEXT SubjectContext, _In_ PUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ PUNICODE_STRING ObjectTypeName, _In_ PUNICODE_STRING ObjectName, _In_opt_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ PTOKEN ClientToken, _In_ ACCESS_MASK DesiredAccess, _In_ ACCESS_MASK GrantedAccess, _In_opt_ PPRIVILEGE_SET Privileges, _In_ BOOLEAN ObjectCreation, _In_ BOOLEAN AccessGranted, _Out_ PBOOLEAN GenerateOnClose)
Raises an alarm audit message when an object is about to be opened.
_In_ PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext
#define RTL_CONSTANT_STRING(s)
#define _Out_writes_(size)
VOID NTAPI PsDereferenceImpersonationToken(IN PACCESS_TOKEN ImpersonationToken)
1.8.15