17 #define SEP_PRIVILEGE_SET_MAX_COUNT 60 68 sizeof(LocalNameInfo),
90 if ((ObjectNameInfo) &&
95 if (ObjectNameInfo)
ExFreePool(ObjectNameInfo);
114 *AuditInfo = ObjectNameInfo;
133 *ProcessImageName =
NULL;
136 AuditName =
Process->SeAuditProcessCreationInfo.ImageFileName;
149 SeAuditProcessCreationInfo.ImageFileName,
164 AuditName =
Process->SeAuditProcessCreationInfo.ImageFileName;
209 DPRINT(
"SepAdtPrivilegedServiceAuditAlarm is unimplemented\n");
275 if (ObjectTypeListLength == 0)
277 *CapturedObjectTypeList =
NULL;
281 if (ObjectTypeList ==
NULL)
295 if (*CapturedObjectTypeList ==
NULL)
308 *CapturedObjectTypeList =
NULL;
348 ULONG ResultListLength,
i;
351 ResultListLength = UseResultList ? ObjectTypeListLength : 1;
357 for (
i = 0;
i < ResultListLength;
i++)
391 ULONG ResultListLength;
393 PTOKEN SubjectContextToken, ClientToken;
397 UNICODE_STRING CapturedSubsystemName, CapturedObjectTypeName, CapturedObjectName;
400 PSID CapturedPrincipalSelfSid;
411 AllocatedResultLists =
FALSE;
413 CapturedSecurityDescriptor =
NULL;
417 CapturedPrincipalSelfSid =
NULL;
418 CapturedObjectTypeList =
NULL;
424 DPRINT1(
"Invalid audit type: %u\n", AuditType);
432 if (ClientTokenHandle ==
NULL)
446 DPRINT1(
"Invalid impersonation level 0x%lx\n",
456 ResultListLength = ObjectTypeListLength;
457 if ((ResultListLength == 0) || (ResultListLength > 0x1000))
460 DPRINT1(
"Invalud ResultListLength: 0x%lx\n", ResultListLength);
466 2 * ResultListLength *
sizeof(
ULONG),
468 if (SafeGrantedAccessList ==
NULL)
471 DPRINT1(
"Failed to allocate access lists\n");
475 SafeAccessStatusList = (
PNTSTATUS)&SafeGrantedAccessList[ResultListLength];
476 AllocatedResultLists =
TRUE;
481 ResultListLength = 1;
490 ResultListLength *
sizeof(*AccessStatusList),
491 sizeof(*AccessStatusList));
493 ResultListLength *
sizeof(*GrantedAccessList),
494 sizeof(*GrantedAccessList));
503 DPRINT1(
"Exception while probing parameters: 0x%lx\n",
Status);
509 if (ClientTokenHandle !=
NULL)
516 (
PVOID*)&ClientToken,
520 DPRINT1(
"Failed to reference token handle %p: %lx\n",
521 *ClientTokenHandle,
Status);
533 DPRINT1(
"Caller does not have SeAuditPrivilege\n");
551 &CapturedSecurityDescriptor);
554 DPRINT1(
"Failed to capture security descriptor!\n");
563 DPRINT1(
"Invalid security descriptor\n");
573 DPRINT1(
"Failed to capture subsystem name!\n");
583 DPRINT1(
"Failed to capture object type name!\n");
593 DPRINT1(
"Failed to capture object name!\n");
598 if (PrincipalSelfSid !=
NULL)
605 &CapturedPrincipalSelfSid);
608 DPRINT1(
"Failed to capture PrincipalSelfSid!\n");
615 ObjectTypeListLength,
617 &CapturedObjectTypeList);
620 DPRINT1(
"Failed to capture object type list!\n");
628 &CapturedObjectTypeName,
630 CapturedSecurityDescriptor,
631 CapturedPrincipalSelfSid,
635 CapturedObjectTypeList,
636 ObjectTypeListLength,
637 &LocalGenericMapping,
638 SafeGrantedAccessList,
639 SafeAccessStatusList,
640 &LocalGenerateOnClose,
647 ASSERT(UseResultList || (ResultListLength == 1));
648 for (
i = 0;
i < ResultListLength;
i++)
650 AccessStatusList[
i] = SafeAccessStatusList[
i];
651 GrantedAccessList[
i] = SafeGrantedAccessList[
i];
659 DPRINT1(
"Exception while copying back data: 0x%lx\n",
Status);
665 if (CapturedObjectTypeList !=
NULL)
668 if (CapturedPrincipalSelfSid !=
NULL)
680 if (CapturedSecurityDescriptor !=
NULL)
683 if (ClientToken !=
NULL)
689 if (AllocatedResultLists)
892 DPRINT1(
"Caller does not have SeAuditPrivilege\n");
903 DPRINT1(
"Failed to capture subsystem name!\n");
916 UseImpersonationToken =
TRUE;
922 UseImpersonationToken =
FALSE;
928 Token->UserAndGroups->Sid);
934 if (UseImpersonationToken)
1017 UNICODE_STRING CapturedSubsystemName, CapturedObjectTypeName, CapturedObjectName;
1018 ULONG PrivilegeCount, PrivilegeSetSize;
1021 PVOID CapturedHandleId;
1031 CapturedSecurityDescriptor =
NULL;
1032 CapturedPrivilegeSet =
NULL;
1042 (
PVOID*)&ClientToken,
1046 DPRINT1(
"Failed to reference token handle %p: %lx\n",
1047 ClientTokenHandle,
Status);
1058 DPRINT1(
"Invalid impersonation level (%u)\n", ClientToken->ImpersonationLevel);
1066 DPRINT1(
"Caller does not have SeAuditPrivilege\n");
1084 &CapturedSecurityDescriptor);
1087 DPRINT1(
"Failed to capture security descriptor!\n");
1094 if (PrivilegeSet !=
NULL)
1100 PrivilegeCount = PrivilegeSet->PrivilegeCount;
1117 if (CapturedPrivilegeSet ==
NULL)
1119 DPRINT1(
"Failed to allocate %u bytes\n", PrivilegeSetSize);
1125 RtlCopyMemory(CapturedPrivilegeSet, PrivilegeSet, PrivilegeSetSize);
1128 if (HandleId !=
NULL)
1131 CapturedHandleId = *(
PVOID*)HandleId;
1139 DPRINT1(
"Exception while probing parameters: 0x%lx\n",
Status);
1150 DPRINT1(
"Failed to capture subsystem name!\n");
1160 DPRINT1(
"Failed to capture object type name!\n");
1170 DPRINT1(
"Failed to capture object name!\n");
1176 &CapturedSubsystemName,
1178 &CapturedObjectTypeName,
1179 &CapturedObjectName,
1180 CapturedSecurityDescriptor,
1184 CapturedPrivilegeSet,
1187 &LocalGenerateOnClose);
1199 DPRINT1(
"Exception while copying back data: 0x%lx\n",
Status);
1214 if (CapturedSecurityDescriptor !=
NULL)
1217 if (CapturedPrivilegeSet !=
NULL)
1244 ULONG PrivilegeCount, PrivilegesSize;
1261 (
PVOID*)&ClientToken,
1265 DPRINT1(
"Failed to reference client token: 0x%lx\n",
Status);
1273 DPRINT1(
"Invalid impersonation level (%u)\n", ClientToken->ImpersonationLevel);
1284 DPRINT1(
"Caller does not have SeAuditPrivilege\n");
1290 if (SubsystemName !=
NULL)
1298 DPRINT1(
"Failed to capture subsystem name!\n");
1312 DPRINT1(
"Failed to capture service name!\n");
1340 if (CapturedPrivileges ==
NULL)
1342 DPRINT1(
"Failed to allocate %u bytes\n", PrivilegesSize);
1360 SubsystemName ? &CapturedSubsystemName :
NULL,
1377 if (CapturedPrivileges !=
NULL)
1515 ObjectTypeListLength,
1560 ObjectTypeListLength,
static __inline NTSTATUS ProbeAndCaptureUnicodeString(OUT PUNICODE_STRING Dest, IN KPROCESSOR_MODE CurrentMode, IN const UNICODE_STRING *UnsafeSrc)
static POBJECTS_AND_NAME_A SE_OBJECT_TYPE LPSTR ObjectTypeName
VOID NTAPI SeCaptureSubjectContext(OUT PSECURITY_SUBJECT_CONTEXT SubjectContext)
IN CINT OUT PVOID IN ULONG OUT PULONG ReturnLength
VOID NTAPI SeOpenObjectForDeleteAuditAlarm(IN PUNICODE_STRING ObjectTypeName, IN PVOID Object OPTIONAL, IN PUNICODE_STRING AbsoluteObjectName OPTIONAL, IN PSECURITY_DESCRIPTOR SecurityDescriptor, IN PACCESS_STATE AccessState, IN BOOLEAN ObjectCreated, IN BOOLEAN AccessGranted, IN KPROCESSOR_MODE AccessMode, OUT PBOOLEAN GenerateOnClose)
_Must_inspect_result_ __kernel_entry NTSTATUS NTAPI NtAccessCheckByTypeResultListAndAuditAlarm(_In_ PUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ PUNICODE_STRING ObjectTypeName, _In_ PUNICODE_STRING ObjectName, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_opt_ PSID PrincipalSelfSid, _In_ ACCESS_MASK DesiredAccess, _In_ AUDIT_EVENT_TYPE AuditType, _In_ ULONG Flags, _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList, _In_ ULONG ObjectTypeListLength, _In_ PGENERIC_MAPPING GenericMapping, _In_ BOOLEAN ObjectCreation, _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccessList, _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatusList, _Out_ PBOOLEAN GenerateOnClose)
#define STATUS_PRIVILEGE_NOT_HELD
_Inout_ PLIST_ENTRY _In_ PVOID _In_ PSTRING _In_ BOOLEAN _In_ BOOLEAN _In_ ULONG _In_ PFLT_CALLBACK_DATA _In_opt_ PCHECK_FOR_TRAVERSE_ACCESS _In_opt_ PSECURITY_SUBJECT_CONTEXT SubjectContext
VOID NTAPI SeReleaseSubjectContext(IN PSECURITY_SUBJECT_CONTEXT SubjectContext)
#define _Must_inspect_result_
NTSYSAPI VOID NTAPI RtlCopyMemory(VOID UNALIGNED *Destination, CONST VOID UNALIGNED *Source, ULONG Length)
#define STATUS_INVALID_SECURITY_DESCR
#define STATUS_BAD_IMPERSONATION_LEVEL
#define STATUS_INSUFFICIENT_RESOURCES
struct _OBJECT_TYPE_LIST OBJECT_TYPE_LIST
#define STATUS_INFO_LENGTH_MISMATCH
static VOID SeReleaseObjectTypeList(_In_ _Post_invalid_ POBJECT_TYPE_LIST CapturedObjectTypeList, _In_ KPROCESSOR_MODE PreviousMode)
#define PsGetCurrentThread()
#define STATUS_NOT_IMPLEMENTED
_In_ PSECURITY_SUBJECT_CONTEXT _In_ BOOLEAN _In_ ACCESS_MASK _In_ ACCESS_MASK _Outptr_opt_ PPRIVILEGE_SET _In_ PGENERIC_MAPPING _In_ KPROCESSOR_MODE _Out_ PACCESS_MASK _Out_ PNTSTATUS AccessStatus
#define UNREFERENCED_PARAMETER(P)
_In_ USHORT _In_ ULONG _In_ PSOCKADDR _In_ PSOCKADDR _Reserved_ ULONG _In_opt_ PVOID _In_opt_ const WSK_CLIENT_CONNECTION_DISPATCH _In_opt_ PEPROCESS _In_opt_ PETHREAD _In_opt_ PSECURITY_DESCRIPTOR SecurityDescriptor
#define STATUS_INVALID_PARAMETER
#define DBG_UNREFERENCED_PARAMETER(P)
_In_opt_ PVOID _In_opt_ PUNICODE_STRING _In_ PSECURITY_DESCRIPTOR _In_ PACCESS_STATE _In_ BOOLEAN ObjectCreated
NTSTATUS NTAPI SeLocateProcessImageName(IN PEPROCESS Process, OUT PUNICODE_STRING *ProcessImageName)
VOID NTAPI SepAdtPrivilegedServiceAuditAlarm(PSECURITY_SUBJECT_CONTEXT SubjectContext, _In_opt_ PUNICODE_STRING SubsystemName, _In_opt_ PUNICODE_STRING ServiceName, _In_ PTOKEN Token, _In_ PTOKEN PrimaryToken, _In_ PPRIVILEGE_SET Privileges, _In_ BOOLEAN AccessGranted)
VOID NTAPI SeCloseObjectAuditAlarm(IN PVOID Object, IN HANDLE Handle, IN BOOLEAN PerformAction)
_IRQL_requires_same_ _In_ PLSA_STRING _In_ SECURITY_LOGON_TYPE _In_ ULONG _In_ ULONG _In_opt_ PTOKEN_GROUPS _In_ PTOKEN_SOURCE _Out_ PVOID _Out_ PULONG _Inout_ PLUID _Out_ PHANDLE Token
NTSTATUS NTAPI SeInitializeProcessAuditName(IN PFILE_OBJECT FileObject, IN BOOLEAN DoAudit, OUT POBJECT_NAME_INFORMATION *AuditInfo)
_Out_ PBOOLEAN CopyOnOpen
NTSTATUS NTAPI ObQueryNameString(IN PVOID Object, OUT POBJECT_NAME_INFORMATION ObjectNameInfo, IN ULONG Length, OUT PULONG ReturnLength)
KPROCESSOR_MODE NTAPI ExGetPreviousMode(VOID)
static NTSTATUS SeCaptureObjectTypeList(_In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList, _In_ ULONG ObjectTypeListLength, _In_ KPROCESSOR_MODE PreviousMode, _Out_ POBJECT_TYPE_LIST *CapturedObjectTypeList)
VOID NTAPI ObDereferenceObject(IN PVOID Object)
_In_ PVOID _Out_opt_ PULONG_PTR _Outptr_opt_ PCUNICODE_STRING * ObjectName
#define SEP_PRIVILEGE_SET_MAX_COUNT
_Must_inspect_result_ __kernel_entry NTSTATUS NTAPI NtAccessCheckByTypeAndAuditAlarm(_In_ PUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ PUNICODE_STRING ObjectTypeName, _In_ PUNICODE_STRING ObjectName, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_opt_ PSID PrincipalSelfSid, _In_ ACCESS_MASK DesiredAccess, _In_ AUDIT_EVENT_TYPE AuditType, _In_ ULONG Flags, _In_reads_opt_(ObjectTypeLength) POBJECT_TYPE_LIST ObjectTypeList, _In_ ULONG ObjectTypeLength, _In_ PGENERIC_MAPPING GenericMapping, _In_ BOOLEAN ObjectCreation, _Out_ PACCESS_MASK GrantedAccess, _Out_ PNTSTATUS AccessStatus, _Out_ PBOOLEAN GenerateOnClose)
VOID NTAPI ProbeForWrite(IN PVOID Address, IN SIZE_T Length, IN ULONG Alignment)
NTSTATUS NTAPI NtDeleteObjectAuditAlarm(IN PUNICODE_STRING SubsystemName, IN PVOID HandleId, IN BOOLEAN GenerateOnClose)
NTSTATUS NTAPI SeReleaseSecurityDescriptor(IN PSECURITY_DESCRIPTOR CapturedSecurityDescriptor, IN KPROCESSOR_MODE CurrentMode, IN BOOLEAN CaptureIfKernelMode)
#define STATUS_BUFFER_TOO_SMALL
#define _Out_writes_(size)
_Must_inspect_result_ _In_ ULONG Flags
GLsizei GLenum const GLvoid GLsizei GLenum GLbyte GLbyte GLbyte GLdouble GLdouble GLdouble GLfloat GLfloat GLfloat GLint GLint GLint GLshort GLshort GLshort GLubyte GLubyte GLubyte GLuint GLuint GLuint GLushort GLushort GLushort GLbyte GLbyte GLbyte GLbyte GLdouble GLdouble GLdouble GLdouble GLfloat GLfloat GLfloat GLfloat GLint GLint GLint GLint GLshort GLshort GLshort GLshort GLubyte GLubyte GLubyte GLubyte GLuint GLuint GLuint GLuint GLushort GLushort GLushort GLushort GLboolean const GLdouble const GLfloat const GLint const GLshort const GLbyte const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLdouble const GLfloat const GLfloat const GLint const GLint const GLshort const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort GLenum GLenum GLenum GLfloat GLenum GLint GLenum GLenum GLenum GLfloat GLenum GLenum GLint GLenum GLfloat GLenum GLint GLint GLushort GLenum GLenum GLfloat GLenum GLenum GLint GLfloat const GLubyte GLenum GLenum GLenum const GLfloat GLenum GLenum const GLint GLenum GLint GLint GLsizei GLsizei GLint GLenum GLenum const GLvoid GLenum GLenum const GLfloat GLenum GLenum const GLint GLenum GLenum const GLdouble GLenum GLenum const GLfloat GLenum GLenum const GLint GLsizei GLuint GLfloat GLuint GLbitfield GLfloat GLint GLuint GLboolean GLenum GLfloat GLenum GLbitfield GLenum GLfloat GLfloat GLint GLint const GLfloat GLenum GLfloat GLfloat GLint GLint GLfloat GLfloat GLint GLint const GLfloat GLint GLfloat GLfloat GLint GLfloat GLfloat GLint GLfloat GLfloat const GLdouble const GLfloat const GLdouble const GLfloat GLint i
NTSTATUS NTAPI ObReferenceObjectByHandle(IN HANDLE Handle, IN ACCESS_MASK DesiredAccess, IN POBJECT_TYPE ObjectType, IN KPROCESSOR_MODE AccessMode, OUT PVOID *Object, OUT POBJECT_HANDLE_INFORMATION HandleInformation OPTIONAL)
enum _AUDIT_EVENT_TYPE AUDIT_EVENT_TYPE
NTSTATUS(* NTAPI)(IN PFILE_FULL_EA_INFORMATION EaBuffer, IN ULONG EaLength, OUT PULONG ErrorOffset)
enum _SECURITY_IMPERSONATION_LEVEL SECURITY_IMPERSONATION_LEVEL
_In_ PEPROCESS _In_ KPROCESSOR_MODE AccessMode
#define InterlockedCompareExchangePointer
#define STATUS_GENERIC_NOT_MAPPED
#define PsGetCurrentProcess
#define EXCEPTION_EXECUTE_HANDLER
struct _OBJECT_NAME_INFORMATION OBJECT_NAME_INFORMATION
POBJECT_TYPE SeTokenObjectType
BOOLEAN NTAPI PsIsThreadImpersonating(IN PETHREAD Thread)
_In_ ULONG _In_ ACCESS_MASK _In_ PSID Sid
_Inout_ PFILE_OBJECT FileObject
#define STATUS_NO_IMPERSONATION_TOKEN
_Must_inspect_result_ __kernel_entry NTSTATUS NTAPI NtAccessCheckAndAuditAlarm(_In_ PUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ PUNICODE_STRING ObjectTypeName, _In_ PUNICODE_STRING ObjectName, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ ACCESS_MASK DesiredAccess, _In_ PGENERIC_MAPPING GenericMapping, _In_ BOOLEAN ObjectCreation, _Out_ PACCESS_MASK GrantedAccess, _Out_ PNTSTATUS AccessStatus, _Out_ PBOOLEAN GenerateOnClose)
VOID NTAPI SeAuditProcessExit(IN PEPROCESS Process)
VOID NTAPI SeAuditHardLinkCreation(IN PUNICODE_STRING FileName, IN PUNICODE_STRING LinkName, IN BOOLEAN bSuccess)
FORCEINLINE PSID SepGetOwnerFromDescriptor(PVOID _Descriptor)
static __inline VOID ReleaseCapturedUnicodeString(IN PUNICODE_STRING CapturedString, IN KPROCESSOR_MODE CurrentMode)
__kernel_entry NTSTATUS NTAPI NtPrivilegedServiceAuditAlarm(_In_opt_ PUNICODE_STRING SubsystemName, _In_opt_ PUNICODE_STRING ServiceName, _In_ HANDLE ClientTokenHandle, _In_ PPRIVILEGE_SET Privileges, _In_ BOOLEAN AccessGranted)
_In_ KPROCESSOR_MODE PreviousMode
#define _SEH2_YIELD(STMT_)
#define NT_SUCCESS(StatCode)
_Out_ PBOOLEAN _Out_ PBOOLEAN _Out_ PSECURITY_IMPERSONATION_LEVEL ImpersonationLevel
_In_opt_ PVOID _In_opt_ PUNICODE_STRING _In_ PSECURITY_DESCRIPTOR _In_ PACCESS_STATE _In_ BOOLEAN _In_ BOOLEAN _In_ KPROCESSOR_MODE _In_opt_ GUID _Out_ PBOOLEAN GenerateOnClose
BOOL Privilege(LPTSTR pszPrivilege, BOOL bEnable)
VOID NTAPI SeDeleteObjectAuditAlarm(IN PVOID Object, IN HANDLE Handle)
_In_ PSECURITY_SUBJECT_CONTEXT _In_ BOOLEAN _In_ ACCESS_MASK _In_ ACCESS_MASK _Outptr_opt_ PPRIVILEGE_SET * Privileges
_In_opt_ PVOID _In_opt_ PUNICODE_STRING AbsoluteObjectName
ASSERT((InvokeOnSuccess||InvokeOnError||InvokeOnCancel) ?(CompletionRoutine !=NULL) :TRUE)
_In_opt_ PVOID _In_opt_ PUNICODE_STRING _In_ PSECURITY_DESCRIPTOR _In_ PACCESS_STATE AccessState
#define ExAllocatePoolWithTag(hernya, size, tag)
VOID NTAPI SeAuditProcessCreate(IN PEPROCESS Process)
static const char * ImageName
VOID NTAPI ProbeForRead(IN CONST VOID *Address, IN SIZE_T Length, IN ULONG Alignment)
VOID NTAPI SeOpenObjectAuditAlarm(IN PUNICODE_STRING ObjectTypeName, IN PVOID Object OPTIONAL, IN PUNICODE_STRING AbsoluteObjectName OPTIONAL, IN PSECURITY_DESCRIPTOR SecurityDescriptor, IN PACCESS_STATE AccessState, IN BOOLEAN ObjectCreated, IN BOOLEAN AccessGranted, IN KPROCESSOR_MODE AccessMode, OUT PBOOLEAN GenerateOnClose)
IN PVOID IN PVOID IN USHORT IN USHORT Size
PACCESS_TOKEN NTAPI PsReferencePrimaryToken(PEPROCESS Process)
static const WCHAR Cleanup[]
BOOLEAN NTAPI SeAuditingFileEventsWithContext(IN BOOLEAN AccessGranted, IN PSECURITY_DESCRIPTOR SecurityDescriptor, IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext OPTIONAL)
__kernel_entry NTSTATUS NTAPI NtOpenObjectAuditAlarm(_In_ PUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ PUNICODE_STRING ObjectTypeName, _In_ PUNICODE_STRING ObjectName, _In_opt_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ HANDLE ClientTokenHandle, _In_ ACCESS_MASK DesiredAccess, _In_ ACCESS_MASK GrantedAccess, _In_opt_ PPRIVILEGE_SET PrivilegeSet, _In_ BOOLEAN ObjectCreation, _In_ BOOLEAN AccessGranted, _Out_ PBOOLEAN GenerateOnClose)
PACCESS_TOKEN NTAPI PsReferenceImpersonationToken(IN PETHREAD Thread, OUT PBOOLEAN CopyOnOpen, OUT PBOOLEAN EffectiveOnly, OUT PSECURITY_IMPERSONATION_LEVEL ImpersonationLevel)
FORCEINLINE PSID SepGetGroupFromDescriptor(PVOID _Descriptor)
static GENERIC_MAPPING GenericMapping
BOOLEAN NTAPI SeAuditingHardLinkEventsWithContext(IN BOOLEAN AccessGranted, IN PSECURITY_DESCRIPTOR SecurityDescriptor, IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext OPTIONAL)
#define STATUS_BUFFER_OVERFLOW
NTSTATUS NTAPI NtCloseObjectAuditAlarm(PUNICODE_STRING SubsystemName, PVOID HandleId, BOOLEAN GenerateOnClose)
_In_ PIO_STACK_LOCATION _Inout_ PFILE_OBJECT _Inout_ PVCB _Outptr_result_maybenull_ PDCB _In_ PDCB _In_ PDIRENT _In_ ULONG _In_ ULONG _In_ PUNICODE_STRING _In_ PACCESS_MASK DesiredAccess
_In_opt_ PVOID _In_opt_ PUNICODE_STRING _In_ PSECURITY_DESCRIPTOR _In_ PACCESS_STATE _In_ BOOLEAN _In_ BOOLEAN AccessGranted
UNICODE_STRING SeSubsystemName
#define FIELD_OFFSET(t, f)
BOOLEAN NTAPI SeCheckAuditPrivilege(_In_ PSECURITY_SUBJECT_CONTEXT SubjectContext, _In_ KPROCESSOR_MODE PreviousMode)
BOOLEAN NTAPI SeDetailedAuditingWithToken(IN PTOKEN Token)
VOID NTAPI SepReleaseSid(IN PSID CapturedSid, IN KPROCESSOR_MODE AccessMode, IN BOOLEAN CaptureIfKernel)
VOID NTAPI PsDereferencePrimaryToken(IN PACCESS_TOKEN PrimaryToken)
_Must_inspect_result_ __kernel_entry NTSTATUS NTAPI NtAccessCheckByTypeResultListAndAuditAlarmByHandle(_In_ PUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ HANDLE ClientToken, _In_ PUNICODE_STRING ObjectTypeName, _In_ PUNICODE_STRING ObjectName, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_opt_ PSID PrincipalSelfSid, _In_ ACCESS_MASK DesiredAccess, _In_ AUDIT_EVENT_TYPE AuditType, _In_ ULONG Flags, _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList, _In_ ULONG ObjectTypeListLength, _In_ PGENERIC_MAPPING GenericMapping, _In_ BOOLEAN ObjectCreation, _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccessList, _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatusList, _Out_ PBOOLEAN GenerateOnClose)
#define AUDIT_ALLOW_NO_PRIVILEGE
#define _In_reads_opt_(size)
VOID NTAPI SePrivilegedServiceAuditAlarm(_In_opt_ PUNICODE_STRING ServiceName, _In_ PSECURITY_SUBJECT_CONTEXT SubjectContext, _In_ PPRIVILEGE_SET PrivilegeSet, _In_ BOOLEAN AccessGranted)
_Must_inspect_result_ _In_ PLARGE_INTEGER _In_ PLARGE_INTEGER _In_ ULONG _In_ PFILE_OBJECT _In_ PVOID Process
VOID NTAPI SePrivilegeObjectAuditAlarm(IN HANDLE Handle, IN PSECURITY_SUBJECT_CONTEXT SubjectContext, IN ACCESS_MASK DesiredAccess, IN PPRIVILEGE_SET Privileges, IN BOOLEAN AccessGranted, IN KPROCESSOR_MODE CurrentMode)
ACCESS_MASK * PACCESS_MASK
BOOLEAN NTAPI SeAuditingHardLinkEvents(IN BOOLEAN AccessGranted, IN PSECURITY_DESCRIPTOR SecurityDescriptor)
#define RtlZeroMemory(Destination, Length)
PSID_AND_ATTRIBUTES UserAndGroups
VOID NTAPI SepAdtCloseObjectAuditAlarm(PUNICODE_STRING SubsystemName, PVOID HandleId, PSID Sid)
#define _SEH2_EXCEPT(...)
static _Must_inspect_result_ NTSTATUS SepAccessCheckAndAuditAlarmWorker(_In_ PUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ PSECURITY_SUBJECT_CONTEXT SubjectContext, _In_ PUNICODE_STRING ObjectTypeName, _In_ PUNICODE_STRING ObjectName, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_opt_ PSID PrincipalSelfSid, _In_ ACCESS_MASK DesiredAccess, _In_ AUDIT_EVENT_TYPE AuditType, _In_ BOOLEAN HaveAuditPrivilege, _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList, _In_ ULONG ObjectTypeListLength, _In_ PGENERIC_MAPPING GenericMapping, _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccessList, _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatusList, _Out_ PBOOLEAN GenerateOnClose, _In_ BOOLEAN UseResultList)
NTSTATUS NTAPI SeCaptureSecurityDescriptor(IN PSECURITY_DESCRIPTOR _OriginalSecurityDescriptor, IN KPROCESSOR_MODE CurrentMode, IN POOL_TYPE PoolType, IN BOOLEAN CaptureIfKernel, OUT PSECURITY_DESCRIPTOR *CapturedSecurityDescriptor)
#define TAG_PRIVILEGE_SET
#define ExFreePoolWithTag(_P, _T)
#define _SEH2_GetExceptionCode()
BOOLEAN NTAPI SeAuditingFileEvents(IN BOOLEAN AccessGranted, IN PSECURITY_DESCRIPTOR SecurityDescriptor)
_In_ ACCESS_MASK _In_opt_ POBJECT_ATTRIBUTES _In_ BOOLEAN EffectiveOnly
_In_ PSECURITY_SUBJECT_CONTEXT _In_ BOOLEAN _In_ ACCESS_MASK _In_ ACCESS_MASK _Outptr_opt_ PPRIVILEGE_SET _In_ PGENERIC_MAPPING _In_ KPROCESSOR_MODE _Out_ PACCESS_MASK GrantedAccess
NTSTATUS NTAPI NtPrivilegeObjectAuditAlarm(IN PUNICODE_STRING SubsystemName, IN PVOID HandleId, IN HANDLE ClientToken, IN ULONG DesiredAccess, IN PPRIVILEGE_SET Privileges, IN BOOLEAN AccessGranted)
NTSTATUS NTAPI SepCaptureSid(IN PSID InputSid, IN KPROCESSOR_MODE AccessMode, IN POOL_TYPE PoolType, IN BOOLEAN CaptureIfKernel, OUT PSID *CapturedSid)
BOOLEAN NTAPI SeAuditingFileOrGlobalEvents(IN BOOLEAN AccessGranted, IN PSECURITY_DESCRIPTOR SecurityDescriptor, IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext)
_Must_inspect_result_ NTSTATUS NTAPI SepAccessCheckAndAuditAlarm(_In_ PUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ PHANDLE ClientTokenHandle, _In_ PUNICODE_STRING ObjectTypeName, _In_ PUNICODE_STRING ObjectName, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_opt_ PSID PrincipalSelfSid, _In_ ACCESS_MASK DesiredAccess, _In_ AUDIT_EVENT_TYPE AuditType, _In_ ULONG Flags, _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList, _In_ ULONG ObjectTypeListLength, _In_ PGENERIC_MAPPING GenericMapping, _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccessList, _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatusList, _Out_ PBOOLEAN GenerateOnClose, _In_ BOOLEAN UseResultList)
NTSYSAPI BOOLEAN NTAPI RtlEqualSid(_In_ PSID Sid1, _In_ PSID Sid2)
NTSTATUS NTAPI PsReferenceProcessFilePointer(IN PEPROCESS Process, OUT PFILE_OBJECT *FileObject)
VOID NTAPI SepOpenObjectAuditAlarm(_In_ PSECURITY_SUBJECT_CONTEXT SubjectContext, _In_ PUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ PUNICODE_STRING ObjectTypeName, _In_ PUNICODE_STRING ObjectName, _In_opt_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ PTOKEN ClientToken, _In_ ACCESS_MASK DesiredAccess, _In_ ACCESS_MASK GrantedAccess, _In_opt_ PPRIVILEGE_SET Privileges, _In_ BOOLEAN ObjectCreation, _In_ BOOLEAN AccessGranted, _Out_ PBOOLEAN GenerateOnClose)
_In_ PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext
#define RTL_CONSTANT_STRING(s)
PULONG MinorVersion OPTIONAL
VOID NTAPI PsDereferenceImpersonationToken(IN PACCESS_TOKEN ImpersonationToken)