15 #define SEP_PRIVILEGE_SET_MAX_COUNT 60 127 sizeof(LocalNameInfo),
149 if ((ObjectNameInfo) &&
154 if (ObjectNameInfo)
ExFreePool(ObjectNameInfo);
173 *AuditInfo = ObjectNameInfo;
211 *ProcessImageName =
NULL;
214 AuditName =
Process->SeAuditProcessCreationInfo.ImageFileName;
227 SeAuditProcessCreationInfo.ImageFileName,
242 AuditName =
Process->SeAuditProcessCreationInfo.ImageFileName;
341 DPRINT(
"SepAdtPrivilegedServiceAuditAlarm is unimplemented\n");
451 if (ObjectTypeListLength == 0)
453 *CapturedObjectTypeList =
NULL;
457 if (ObjectTypeList ==
NULL)
471 if (*CapturedObjectTypeList ==
NULL)
484 *CapturedObjectTypeList =
NULL;
609 ULONG ResultListLength,
i;
612 ResultListLength = UseResultList ? ObjectTypeListLength : 1;
618 for (
i = 0;
i < ResultListLength;
i++)
735 ULONG ResultListLength;
737 PTOKEN SubjectContextToken, ClientToken;
741 UNICODE_STRING CapturedSubsystemName, CapturedObjectTypeName, CapturedObjectName;
744 PSID CapturedPrincipalSelfSid;
755 AllocatedResultLists =
FALSE;
757 CapturedSecurityDescriptor =
NULL;
761 CapturedPrincipalSelfSid =
NULL;
762 CapturedObjectTypeList =
NULL;
768 DPRINT1(
"Invalid audit type: %u\n", AuditType);
776 if (ClientTokenHandle ==
NULL)
790 DPRINT1(
"Invalid impersonation level 0x%lx\n",
800 ResultListLength = ObjectTypeListLength;
801 if ((ResultListLength == 0) || (ResultListLength > 0x1000))
804 DPRINT1(
"Invalid ResultListLength: 0x%lx\n", ResultListLength);
810 2 * ResultListLength *
sizeof(
ULONG),
812 if (SafeGrantedAccessList ==
NULL)
815 DPRINT1(
"Failed to allocate access lists\n");
819 SafeAccessStatusList = (
PNTSTATUS)&SafeGrantedAccessList[ResultListLength];
820 AllocatedResultLists =
TRUE;
825 ResultListLength = 1;
834 ResultListLength *
sizeof(*AccessStatusList),
835 sizeof(*AccessStatusList));
837 ResultListLength *
sizeof(*GrantedAccessList),
838 sizeof(*GrantedAccessList));
847 DPRINT1(
"Exception while probing parameters: 0x%lx\n",
Status);
853 if (ClientTokenHandle !=
NULL)
860 (
PVOID*)&ClientToken,
864 DPRINT1(
"Failed to reference token handle %p: %lx\n",
865 *ClientTokenHandle,
Status);
877 DPRINT1(
"Caller does not have SeAuditPrivilege\n");
895 &CapturedSecurityDescriptor);
898 DPRINT1(
"Failed to capture security descriptor!\n");
907 DPRINT1(
"Invalid security descriptor\n");
917 DPRINT1(
"Failed to capture subsystem name!\n");
927 DPRINT1(
"Failed to capture object type name!\n");
937 DPRINT1(
"Failed to capture object name!\n");
942 if (PrincipalSelfSid !=
NULL)
949 &CapturedPrincipalSelfSid);
952 DPRINT1(
"Failed to capture PrincipalSelfSid!\n");
959 ObjectTypeListLength,
961 &CapturedObjectTypeList);
964 DPRINT1(
"Failed to capture object type list!\n");
972 &CapturedObjectTypeName,
974 CapturedSecurityDescriptor,
975 CapturedPrincipalSelfSid,
979 CapturedObjectTypeList,
980 ObjectTypeListLength,
981 &LocalGenericMapping,
982 SafeGrantedAccessList,
983 SafeAccessStatusList,
984 &LocalGenerateOnClose,
993 ASSERT(UseResultList || (ResultListLength == 1));
994 for (
i = 0;
i < ResultListLength;
i++)
996 AccessStatusList[
i] = SafeAccessStatusList[
i];
997 GrantedAccessList[
i] = SafeGrantedAccessList[
i];
1005 DPRINT1(
"Exception while copying back data: 0x%lx\n",
Status);
1011 if (CapturedObjectTypeList !=
NULL)
1014 if (CapturedPrincipalSelfSid !=
NULL)
1026 if (CapturedSecurityDescriptor !=
NULL)
1029 if (ClientToken !=
NULL)
1035 if (AllocatedResultLists)
1467 BOOLEAN UseImpersonationToken;
1492 DPRINT1(
"Caller does not have SeAuditPrivilege\n");
1503 DPRINT1(
"Failed to capture subsystem name!\n");
1516 UseImpersonationToken =
TRUE;
1522 UseImpersonationToken =
FALSE;
1528 Token->UserAndGroups->Sid);
1534 if (UseImpersonationToken)
1739 UNICODE_STRING CapturedSubsystemName, CapturedObjectTypeName, CapturedObjectName;
1740 ULONG PrivilegeCount, PrivilegeSetSize;
1743 PVOID CapturedHandleId;
1753 CapturedSecurityDescriptor =
NULL;
1754 CapturedPrivilegeSet =
NULL;
1764 (
PVOID*)&ClientToken,
1768 DPRINT1(
"Failed to reference token handle %p: %lx\n",
1769 ClientTokenHandle,
Status);
1780 DPRINT1(
"Invalid impersonation level (%u)\n", ClientToken->ImpersonationLevel);
1788 DPRINT1(
"Caller does not have SeAuditPrivilege\n");
1806 &CapturedSecurityDescriptor);
1809 DPRINT1(
"Failed to capture security descriptor!\n");
1816 if (PrivilegeSet !=
NULL)
1822 PrivilegeCount = PrivilegeSet->PrivilegeCount;
1839 if (CapturedPrivilegeSet ==
NULL)
1841 DPRINT1(
"Failed to allocate %u bytes\n", PrivilegeSetSize);
1847 RtlCopyMemory(CapturedPrivilegeSet, PrivilegeSet, PrivilegeSetSize);
1850 if (HandleId !=
NULL)
1853 CapturedHandleId = *(
PVOID*)HandleId;
1861 DPRINT1(
"Exception while probing parameters: 0x%lx\n",
Status);
1872 DPRINT1(
"Failed to capture subsystem name!\n");
1882 DPRINT1(
"Failed to capture object type name!\n");
1892 DPRINT1(
"Failed to capture object name!\n");
1898 &CapturedSubsystemName,
1900 &CapturedObjectTypeName,
1901 &CapturedObjectName,
1902 CapturedSecurityDescriptor,
1906 CapturedPrivilegeSet,
1909 &LocalGenerateOnClose);
1921 DPRINT1(
"Exception while copying back data: 0x%lx\n",
Status);
1936 if (CapturedSecurityDescriptor !=
NULL)
1939 if (CapturedPrivilegeSet !=
NULL)
1996 ULONG PrivilegeCount, PrivilegesSize;
2013 (
PVOID*)&ClientToken,
2017 DPRINT1(
"Failed to reference client token: 0x%lx\n",
Status);
2025 DPRINT1(
"Invalid impersonation level (%u)\n", ClientToken->ImpersonationLevel);
2036 DPRINT1(
"Caller does not have SeAuditPrivilege\n");
2042 if (SubsystemName !=
NULL)
2050 DPRINT1(
"Failed to capture subsystem name!\n");
2064 DPRINT1(
"Failed to capture service name!\n");
2092 if (CapturedPrivileges ==
NULL)
2094 DPRINT1(
"Failed to allocate %u bytes\n", PrivilegesSize);
2112 SubsystemName ? &CapturedSubsystemName :
NULL,
2129 if (CapturedPrivileges !=
NULL)
2455 ObjectTypeListLength,
2564 ObjectTypeListLength,
static __inline NTSTATUS ProbeAndCaptureUnicodeString(OUT PUNICODE_STRING Dest, IN KPROCESSOR_MODE CurrentMode, IN const UNICODE_STRING *UnsafeSrc)
static POBJECTS_AND_NAME_A SE_OBJECT_TYPE LPSTR ObjectTypeName
IN CINT OUT PVOID IN ULONG OUT PULONG ReturnLength
NTSTATUS NTAPI SeLocateProcessImageName(_In_ PEPROCESS Process, _Out_ PUNICODE_STRING *ProcessImageName)
Finds the process image name of a specific process.
_Must_inspect_result_ __kernel_entry NTSTATUS NTAPI NtAccessCheckByTypeResultListAndAuditAlarm(_In_ PUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ PUNICODE_STRING ObjectTypeName, _In_ PUNICODE_STRING ObjectName, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_opt_ PSID PrincipalSelfSid, _In_ ACCESS_MASK DesiredAccess, _In_ AUDIT_EVENT_TYPE AuditType, _In_ ULONG Flags, _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList, _In_ ULONG ObjectTypeListLength, _In_ PGENERIC_MAPPING GenericMapping, _In_ BOOLEAN ObjectCreation, _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccessList, _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatusList, _Out_ PBOOLEAN GenerateOnClose)
Raises an alarm audit message when a caller attempts to access an object and determine if the access ...
#define STATUS_PRIVILEGE_NOT_HELD
_Inout_ PLIST_ENTRY _In_ PVOID _In_ PSTRING _In_ BOOLEAN _In_ BOOLEAN _In_ ULONG _In_ PFLT_CALLBACK_DATA _In_opt_ PCHECK_FOR_TRAVERSE_ACCESS _In_opt_ PSECURITY_SUBJECT_CONTEXT SubjectContext
_Must_inspect_result_ _In_ WDFDEVICE _In_ ULONG _In_ ACCESS_MASK DesiredAccess
#define STATUS_INVALID_SECURITY_DESCR
#define STATUS_BAD_IMPERSONATION_LEVEL
#define STATUS_INSUFFICIENT_RESOURCES
struct _OBJECT_TYPE_LIST OBJECT_TYPE_LIST
#define STATUS_INFO_LENGTH_MISMATCH
static VOID SeReleaseObjectTypeList(_In_ _Post_invalid_ POBJECT_TYPE_LIST CapturedObjectTypeList, _In_ KPROCESSOR_MODE PreviousMode)
Releases a buffer list of object types.
#define PsGetCurrentThread()
BOOLEAN NTAPI SeAuditingHardLinkEvents(_In_ BOOLEAN AccessGranted, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor)
Determines whether auditing against hard links events is being done or not.
_In_ PSECURITY_SUBJECT_CONTEXT _In_ BOOLEAN _In_ ACCESS_MASK _In_ ACCESS_MASK _Outptr_opt_ PPRIVILEGE_SET _In_ PGENERIC_MAPPING _In_ KPROCESSOR_MODE _Out_ PACCESS_MASK _Out_ PNTSTATUS AccessStatus
#define UNREFERENCED_PARAMETER(P)
_In_ USHORT _In_ ULONG _In_ PSOCKADDR _In_ PSOCKADDR _Reserved_ ULONG _In_opt_ PVOID _In_opt_ const WSK_CLIENT_CONNECTION_DISPATCH _In_opt_ PEPROCESS _In_opt_ PETHREAD _In_opt_ PSECURITY_DESCRIPTOR SecurityDescriptor
#define STATUS_INVALID_PARAMETER
#define DBG_UNREFERENCED_PARAMETER(P)
NTSTATUS NTAPI SepCaptureSid(_In_ PSID InputSid, _In_ KPROCESSOR_MODE AccessMode, _In_ POOL_TYPE PoolType, _In_ BOOLEAN CaptureIfKernel, _Out_ PSID *CapturedSid)
Captures a SID.
_In_opt_ PVOID _In_opt_ PUNICODE_STRING _In_ PSECURITY_DESCRIPTOR _In_ PACCESS_STATE _In_ BOOLEAN ObjectCreated
_IRQL_requires_same_ _In_ PLSA_STRING _In_ SECURITY_LOGON_TYPE _In_ ULONG _In_ ULONG _In_opt_ PTOKEN_GROUPS _In_ PTOKEN_SOURCE _Out_ PVOID _Out_ PULONG _Inout_ PLUID _Out_ PHANDLE Token
VOID NTAPI SepAdtPrivilegedServiceAuditAlarm(_In_ PSECURITY_SUBJECT_CONTEXT SubjectContext, _In_opt_ PUNICODE_STRING SubsystemName, _In_opt_ PUNICODE_STRING ServiceName, _In_ PTOKEN Token, _In_ PTOKEN PrimaryToken, _In_ PPRIVILEGE_SET Privileges, _In_ BOOLEAN AccessGranted)
Performs an audit alarm to a privileged service request. This is a worker function.
_Out_ PBOOLEAN CopyOnOpen
IN PVOID IN PVOID IN USHORT IN USHORT Size
NTSTATUS NTAPI ObQueryNameString(IN PVOID Object, OUT POBJECT_NAME_INFORMATION ObjectNameInfo, IN ULONG Length, OUT PULONG ReturnLength)
BOOLEAN NTAPI SeDetailedAuditingWithToken(_In_ PTOKEN Token)
Peforms a detailed security auditing with an access token.
KPROCESSOR_MODE NTAPI ExGetPreviousMode(VOID)
FORCEINLINE PSID SepGetGroupFromDescriptor(_Inout_ PVOID _Descriptor)
static NTSTATUS SeCaptureObjectTypeList(_In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList, _In_ ULONG ObjectTypeListLength, _In_ KPROCESSOR_MODE PreviousMode, _Out_ POBJECT_TYPE_LIST *CapturedObjectTypeList)
Captures a list of object types.
BOOLEAN NTAPI SeAuditingFileEvents(_In_ BOOLEAN AccessGranted, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor)
Determines whether auditing against file events is being done or not.
FORCEINLINE PSID SepGetOwnerFromDescriptor(_Inout_ PVOID _Descriptor)
_In_ PVOID _Out_opt_ PULONG_PTR _Outptr_opt_ PCUNICODE_STRING * ObjectName
#define SEP_PRIVILEGE_SET_MAX_COUNT
_Must_inspect_result_ __kernel_entry NTSTATUS NTAPI NtAccessCheckByTypeAndAuditAlarm(_In_ PUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ PUNICODE_STRING ObjectTypeName, _In_ PUNICODE_STRING ObjectName, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_opt_ PSID PrincipalSelfSid, _In_ ACCESS_MASK DesiredAccess, _In_ AUDIT_EVENT_TYPE AuditType, _In_ ULONG Flags, _In_reads_opt_(ObjectTypeLength) POBJECT_TYPE_LIST ObjectTypeList, _In_ ULONG ObjectTypeLength, _In_ PGENERIC_MAPPING GenericMapping, _In_ BOOLEAN ObjectCreation, _Out_ PACCESS_MASK GrantedAccess, _Out_ PNTSTATUS AccessStatus, _Out_ PBOOLEAN GenerateOnClose)
Raises an alarm audit message when a caller attempts to access an object and determine if the access ...
NTSTATUS NTAPI NtPrivilegeObjectAuditAlarm(_In_ PUNICODE_STRING SubsystemName, _In_ PVOID HandleId, _In_ HANDLE ClientToken, _In_ ULONG DesiredAccess, _In_ PPRIVILEGE_SET Privileges, _In_ BOOLEAN AccessGranted)
Raises an alarm audit message when a caller attempts to access a privileged object.
#define _In_reads_opt_(size)
VOID NTAPI ProbeForWrite(IN PVOID Address, IN SIZE_T Length, IN ULONG Alignment)
VOID NTAPI SepReleaseSid(_In_ PSID CapturedSid, _In_ KPROCESSOR_MODE AccessMode, _In_ BOOLEAN CaptureIfKernel)
Releases a captured SID.
#define STATUS_BUFFER_TOO_SMALL
VOID NTAPI SepAdtCloseObjectAuditAlarm(_In_ PUNICODE_STRING SubsystemName, _In_ PVOID HandleId, _In_ PSID Sid)
Closes an audit alarm event of an object.
return STATUS_NOT_IMPLEMENTED
NTSTATUS NTAPI ObReferenceObjectByHandle(IN HANDLE Handle, IN ACCESS_MASK DesiredAccess, IN POBJECT_TYPE ObjectType, IN KPROCESSOR_MODE AccessMode, OUT PVOID *Object, OUT POBJECT_HANDLE_INFORMATION HandleInformation OPTIONAL)
enum _AUDIT_EVENT_TYPE AUDIT_EVENT_TYPE
NTSTATUS(* NTAPI)(IN PFILE_FULL_EA_INFORMATION EaBuffer, IN ULONG EaLength, OUT PULONG ErrorOffset)
enum _SECURITY_IMPERSONATION_LEVEL SECURITY_IMPERSONATION_LEVEL
_In_ PEPROCESS _In_ KPROCESSOR_MODE AccessMode
#define InterlockedCompareExchangePointer
#define STATUS_GENERIC_NOT_MAPPED
#define PsGetCurrentProcess
struct _OBJECT_NAME_INFORMATION OBJECT_NAME_INFORMATION
POBJECT_TYPE SeTokenObjectType
BOOLEAN NTAPI PsIsThreadImpersonating(IN PETHREAD Thread)
_In_ ULONG _In_ ACCESS_MASK _In_ PSID Sid
#define STATUS_NO_IMPERSONATION_TOKEN
_In_ WDFREQUEST _In_ WDFFILEOBJECT FileObject
VOID NTAPI SeOpenObjectAuditAlarm(_In_ PUNICODE_STRING ObjectTypeName, _In_opt_ PVOID Object, _In_opt_ PUNICODE_STRING AbsoluteObjectName, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ PACCESS_STATE AccessState, _In_ BOOLEAN ObjectCreated, _In_ BOOLEAN AccessGranted, _In_ KPROCESSOR_MODE AccessMode, _Out_ PBOOLEAN GenerateOnClose)
Creates an audit with alarm notification of an object that is being opened.
_Must_inspect_result_ __kernel_entry NTSTATUS NTAPI NtAccessCheckAndAuditAlarm(_In_ PUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ PUNICODE_STRING ObjectTypeName, _In_ PUNICODE_STRING ObjectName, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ ACCESS_MASK DesiredAccess, _In_ PGENERIC_MAPPING GenericMapping, _In_ BOOLEAN ObjectCreation, _Out_ PACCESS_MASK GrantedAccess, _Out_ PNTSTATUS AccessStatus, _Out_ PBOOLEAN GenerateOnClose)
Raises an alarm audit message when a caller attempts to access an object and determine if the access ...
static __inline VOID ReleaseCapturedUnicodeString(IN PUNICODE_STRING CapturedString, IN KPROCESSOR_MODE CurrentMode)
__kernel_entry NTSTATUS NTAPI NtPrivilegedServiceAuditAlarm(_In_opt_ PUNICODE_STRING SubsystemName, _In_opt_ PUNICODE_STRING ServiceName, _In_ HANDLE ClientTokenHandle, _In_ PPRIVILEGE_SET Privileges, _In_ BOOLEAN AccessGranted)
Raises an alarm audit message when a caller attempts to request a privileged service call.
_In_ KPROCESSOR_MODE PreviousMode
_Must_inspect_result_ _In_ ULONG Flags
#define NT_SUCCESS(StatCode)
VOID NTAPI SeDeleteObjectAuditAlarm(_In_ PVOID Object, _In_ HANDLE Handle)
Deletes an alarm audit of an object.
#define EXCEPTION_EXECUTE_HANDLER
VOID NTAPI SeCaptureSubjectContext(_Out_ PSECURITY_SUBJECT_CONTEXT SubjectContext)
Captures the security subject context of the calling thread and calling process.
NTSTATUS NTAPI SeCaptureSecurityDescriptor(_In_ PSECURITY_DESCRIPTOR _OriginalSecurityDescriptor, _In_ KPROCESSOR_MODE CurrentMode, _In_ POOL_TYPE PoolType, _In_ BOOLEAN CaptureIfKernel, _Out_ PSECURITY_DESCRIPTOR *CapturedSecurityDescriptor)
Captures a security descriptor.
_Out_ PBOOLEAN _Out_ PBOOLEAN _Out_ PSECURITY_IMPERSONATION_LEVEL ImpersonationLevel
#define ObDereferenceObject
_In_opt_ PVOID _In_opt_ PUNICODE_STRING _In_ PSECURITY_DESCRIPTOR _In_ PACCESS_STATE _In_ BOOLEAN _In_ BOOLEAN _In_ KPROCESSOR_MODE _In_opt_ GUID _Out_ PBOOLEAN GenerateOnClose
BOOL Privilege(LPTSTR pszPrivilege, BOOL bEnable)
_In_ PSECURITY_SUBJECT_CONTEXT _In_ BOOLEAN _In_ ACCESS_MASK _In_ ACCESS_MASK _Outptr_opt_ PPRIVILEGE_SET * Privileges
_In_opt_ PVOID _In_opt_ PUNICODE_STRING AbsoluteObjectName
_In_opt_ PVOID _In_opt_ PUNICODE_STRING _In_ PSECURITY_DESCRIPTOR _In_ PACCESS_STATE AccessState
#define ExAllocatePoolWithTag(hernya, size, tag)
static const char * ImageName
VOID NTAPI ProbeForRead(IN CONST VOID *Address, IN SIZE_T Length, IN ULONG Alignment)
NTSTATUS NTAPI NtDeleteObjectAuditAlarm(_In_ PUNICODE_STRING SubsystemName, _In_ PVOID HandleId, _In_ BOOLEAN GenerateOnClose)
Raises an alarm audit message when an object is about to be deleted.
BOOLEAN NTAPI SeAuditingFileOrGlobalEvents(_In_ BOOLEAN AccessGranted, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext)
Determines whether auditing against files or global events with subject context is being done or not.
BOOLEAN NTAPI SeAuditingFileEventsWithContext(_In_ BOOLEAN AccessGranted, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_opt_ PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext)
Determines whether auditing against file events with subject context is being done or not.
VOID NTAPI SePrivilegeObjectAuditAlarm(_In_ HANDLE Handle, _In_ PSECURITY_SUBJECT_CONTEXT SubjectContext, _In_ ACCESS_MASK DesiredAccess, _In_ PPRIVILEGE_SET Privileges, _In_ BOOLEAN AccessGranted, _In_ KPROCESSOR_MODE CurrentMode)
Raises an audit with alarm notification message when an object tries to acquire this privilege.
NTSTATUS NTAPI SeReleaseSecurityDescriptor(_In_ PSECURITY_DESCRIPTOR CapturedSecurityDescriptor, _In_ KPROCESSOR_MODE CurrentMode, _In_ BOOLEAN CaptureIfKernelMode)
Releases a captured security descriptor buffer.
PACCESS_TOKEN NTAPI PsReferencePrimaryToken(PEPROCESS Process)
static const WCHAR Cleanup[]
#define _Must_inspect_result_
VOID NTAPI SeOpenObjectForDeleteAuditAlarm(_In_ PUNICODE_STRING ObjectTypeName, _In_opt_ PVOID Object, _In_opt_ PUNICODE_STRING AbsoluteObjectName, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ PACCESS_STATE AccessState, _In_ BOOLEAN ObjectCreated, _In_ BOOLEAN AccessGranted, _In_ KPROCESSOR_MODE AccessMode, _Out_ PBOOLEAN GenerateOnClose)
Creates an audit with alarm notification of an object that is being opened for deletion.
_Must_inspect_result_ _In_ WDFCOLLECTION _In_ WDFOBJECT Object
__kernel_entry NTSTATUS NTAPI NtOpenObjectAuditAlarm(_In_ PUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ PUNICODE_STRING ObjectTypeName, _In_ PUNICODE_STRING ObjectName, _In_opt_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ HANDLE ClientTokenHandle, _In_ ACCESS_MASK DesiredAccess, _In_ ACCESS_MASK GrantedAccess, _In_opt_ PPRIVILEGE_SET PrivilegeSet, _In_ BOOLEAN ObjectCreation, _In_ BOOLEAN AccessGranted, _Out_ PBOOLEAN GenerateOnClose)
Raises an alarm audit message when an object is about to be opened.
PACCESS_TOKEN NTAPI PsReferenceImpersonationToken(IN PETHREAD Thread, OUT PBOOLEAN CopyOnOpen, OUT PBOOLEAN EffectiveOnly, OUT PSECURITY_IMPERSONATION_LEVEL ImpersonationLevel)
static GENERIC_MAPPING GenericMapping
#define STATUS_BUFFER_OVERFLOW
GLsizei GLenum const GLvoid GLsizei GLenum GLbyte GLbyte GLbyte GLdouble GLdouble GLdouble GLfloat GLfloat GLfloat GLint GLint GLint GLshort GLshort GLshort GLubyte GLubyte GLubyte GLuint GLuint GLuint GLushort GLushort GLushort GLbyte GLbyte GLbyte GLbyte GLdouble GLdouble GLdouble GLdouble GLfloat GLfloat GLfloat GLfloat GLint GLint GLint GLint GLshort GLshort GLshort GLshort GLubyte GLubyte GLubyte GLubyte GLuint GLuint GLuint GLuint GLushort GLushort GLushort GLushort GLboolean const GLdouble const GLfloat const GLint const GLshort const GLbyte const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLdouble const GLfloat const GLfloat const GLint const GLint const GLshort const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort GLenum GLenum GLenum GLfloat GLenum GLint GLenum GLenum GLenum GLfloat GLenum GLenum GLint GLenum GLfloat GLenum GLint GLint GLushort GLenum GLenum GLfloat GLenum GLenum GLint GLfloat const GLubyte GLenum GLenum GLenum const GLfloat GLenum GLenum const GLint GLenum GLint GLint GLsizei GLsizei GLint GLenum GLenum const GLvoid GLenum GLenum const GLfloat GLenum GLenum const GLint GLenum GLenum const GLdouble GLenum GLenum const GLfloat GLenum GLenum const GLint GLsizei GLuint GLfloat GLuint GLbitfield GLfloat GLint GLuint GLboolean GLenum GLfloat GLenum GLbitfield GLenum GLfloat GLfloat GLint GLint const GLfloat GLenum GLfloat GLfloat GLint GLint GLfloat GLfloat GLint GLint const GLfloat GLint GLfloat GLfloat GLint GLfloat GLfloat GLint GLfloat GLfloat const GLdouble const GLfloat const GLdouble const GLfloat GLint i
VOID NTAPI SeCloseObjectAuditAlarm(_In_ PVOID Object, _In_ HANDLE Handle, _In_ BOOLEAN PerformAction)
Closes an alarm audit of an object.
BOOLEAN NTAPI SeAuditingHardLinkEventsWithContext(_In_ BOOLEAN AccessGranted, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_opt_ PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext)
Determines whether auditing against hard links events with subject context is being done or not.
_In_opt_ PVOID _In_opt_ PUNICODE_STRING _In_ PSECURITY_DESCRIPTOR _In_ PACCESS_STATE _In_ BOOLEAN _In_ BOOLEAN AccessGranted
UNICODE_STRING SeSubsystemName
#define FIELD_OFFSET(t, f)
BOOLEAN NTAPI SeCheckAuditPrivilege(_In_ PSECURITY_SUBJECT_CONTEXT SubjectContext, _In_ KPROCESSOR_MODE PreviousMode)
Checks a single privilege and performs an audit against a privileged service based on a security subj...
VOID NTAPI SeReleaseSubjectContext(_In_ PSECURITY_SUBJECT_CONTEXT SubjectContext)
Releases both the primary and client tokens of a security subject context.
VOID NTAPI PsDereferencePrimaryToken(IN PACCESS_TOKEN PrimaryToken)
_Must_inspect_result_ __kernel_entry NTSTATUS NTAPI NtAccessCheckByTypeResultListAndAuditAlarmByHandle(_In_ PUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ HANDLE ClientToken, _In_ PUNICODE_STRING ObjectTypeName, _In_ PUNICODE_STRING ObjectName, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_opt_ PSID PrincipalSelfSid, _In_ ACCESS_MASK DesiredAccess, _In_ AUDIT_EVENT_TYPE AuditType, _In_ ULONG Flags, _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList, _In_ ULONG ObjectTypeListLength, _In_ PGENERIC_MAPPING GenericMapping, _In_ BOOLEAN ObjectCreation, _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccessList, _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatusList, _Out_ PBOOLEAN GenerateOnClose)
Raises an alarm audit message when a caller attempts to access an object and determine if the access ...
#define AUDIT_ALLOW_NO_PRIVILEGE
VOID NTAPI SePrivilegedServiceAuditAlarm(_In_opt_ PUNICODE_STRING ServiceName, _In_ PSECURITY_SUBJECT_CONTEXT SubjectContext, _In_ PPRIVILEGE_SET PrivilegeSet, _In_ BOOLEAN AccessGranted)
Performs an audit alarm to a privileged service request.
_Must_inspect_result_ _In_ PLARGE_INTEGER _In_ PLARGE_INTEGER _In_ ULONG _In_ PFILE_OBJECT _In_ PVOID Process
NTSTATUS NTAPI SeInitializeProcessAuditName(_In_ PFILE_OBJECT FileObject, _In_ BOOLEAN DoAudit, _Out_ POBJECT_NAME_INFORMATION *AuditInfo)
Initializes a process audit name and returns it to the caller.
VOID NTAPI SeAuditProcessCreate(_In_ PEPROCESS Process)
Peforms a security auditing against a process that is about to be created.
ACCESS_MASK * PACCESS_MASK
#define RtlZeroMemory(Destination, Length)
PSID_AND_ATTRIBUTES UserAndGroups
#define RtlCopyMemory(Destination, Source, Length)
#define _SEH2_EXCEPT(...)
static _Must_inspect_result_ NTSTATUS SepAccessCheckAndAuditAlarmWorker(_In_ PUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ PSECURITY_SUBJECT_CONTEXT SubjectContext, _In_ PUNICODE_STRING ObjectTypeName, _In_ PUNICODE_STRING ObjectName, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_opt_ PSID PrincipalSelfSid, _In_ ACCESS_MASK DesiredAccess, _In_ AUDIT_EVENT_TYPE AuditType, _In_ BOOLEAN HaveAuditPrivilege, _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList, _In_ ULONG ObjectTypeListLength, _In_ PGENERIC_MAPPING GenericMapping, _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccessList, _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatusList, _Out_ PBOOLEAN GenerateOnClose, _In_ BOOLEAN UseResultList)
Worker function that serves as the main heart and brain of the whole concept and implementation of au...
#define TAG_PRIVILEGE_SET
VOID NTAPI SeAuditProcessExit(_In_ PEPROCESS Process)
Peforms a security auditing against a process that is about to be terminated.
#define _SEH2_GetExceptionCode()
#define _SEH2_YIELD(__stmt)
_In_ ACCESS_MASK _In_opt_ POBJECT_ATTRIBUTES _In_ BOOLEAN EffectiveOnly
#define UNIMPLEMENTED_ONCE
_In_ PSECURITY_SUBJECT_CONTEXT _In_ BOOLEAN _In_ ACCESS_MASK _In_ ACCESS_MASK _Outptr_opt_ PPRIVILEGE_SET _In_ PGENERIC_MAPPING _In_ KPROCESSOR_MODE _Out_ PACCESS_MASK GrantedAccess
#define ExFreePoolWithTag(_P, _T)
VOID NTAPI SeAuditHardLinkCreation(_In_ PUNICODE_STRING FileName, _In_ PUNICODE_STRING LinkName, _In_ BOOLEAN bSuccess)
Performs an audit against a hard link creation.
NTSTATUS NTAPI NtCloseObjectAuditAlarm(_In_ PUNICODE_STRING SubsystemName, _In_ PVOID HandleId, _In_ BOOLEAN GenerateOnClose)
Raises an alarm audit message when an object is about to be closed.
_Must_inspect_result_ NTSTATUS NTAPI SepAccessCheckAndAuditAlarm(_In_ PUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ PHANDLE ClientTokenHandle, _In_ PUNICODE_STRING ObjectTypeName, _In_ PUNICODE_STRING ObjectName, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_opt_ PSID PrincipalSelfSid, _In_ ACCESS_MASK DesiredAccess, _In_ AUDIT_EVENT_TYPE AuditType, _In_ ULONG Flags, _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList, _In_ ULONG ObjectTypeListLength, _In_ PGENERIC_MAPPING GenericMapping, _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccessList, _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatusList, _Out_ PBOOLEAN GenerateOnClose, _In_ BOOLEAN UseResultList)
Performs security auditing, if the specific object can be granted security access or not.
NTSYSAPI BOOLEAN NTAPI RtlEqualSid(_In_ PSID Sid1, _In_ PSID Sid2)
NTSTATUS NTAPI PsReferenceProcessFilePointer(IN PEPROCESS Process, OUT PFILE_OBJECT *FileObject)
VOID NTAPI SepOpenObjectAuditAlarm(_In_ PSECURITY_SUBJECT_CONTEXT SubjectContext, _In_ PUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ PUNICODE_STRING ObjectTypeName, _In_ PUNICODE_STRING ObjectName, _In_opt_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ PTOKEN ClientToken, _In_ ACCESS_MASK DesiredAccess, _In_ ACCESS_MASK GrantedAccess, _In_opt_ PPRIVILEGE_SET Privileges, _In_ BOOLEAN ObjectCreation, _In_ BOOLEAN AccessGranted, _Out_ PBOOLEAN GenerateOnClose)
Raises an alarm audit message when an object is about to be opened.
_In_ PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext
#define RTL_CONSTANT_STRING(s)
#define _Out_writes_(size)
VOID NTAPI PsDereferenceImpersonationToken(IN PACCESS_TOKEN ImpersonationToken)
1.8.15