sefuncs.h File Reference
#include <umtypes.h>


Functions

NTKERNELAPI NTSTATUS NTAPI SeCaptureSecurityDescriptor (_In_ PSECURITY_DESCRIPTOR OriginalSecurityDescriptor, _In_ KPROCESSOR_MODE CurrentMode, _In_ POOL_TYPE PoolType, _In_ BOOLEAN CaptureIfKernel, _Out_ PSECURITY_DESCRIPTOR *CapturedSecurityDescriptor)
 Captures a security descriptor. More...
 
NTKERNELAPI NTSTATUS NTAPI SeReleaseSecurityDescriptor (_In_ PSECURITY_DESCRIPTOR CapturedSecurityDescriptor, _In_ KPROCESSOR_MODE CurrentMode, _In_ BOOLEAN CaptureIfKernelMode)
 Releases a captured security descriptor buffer. More...
 
NTKERNELAPI NTSTATUS NTAPI SeCreateAccessState (_In_ PACCESS_STATE AccessState, _In_ PAUX_ACCESS_DATA AuxData, _In_ ACCESS_MASK Access, _In_ PGENERIC_MAPPING GenericMapping)
 
NTKERNELAPI VOID NTAPI SeDeleteAccessState (_In_ PACCESS_STATE AccessState)
 Deletes an allocated access state from memory. More...
 
NTKERNELAPI SECURITY_IMPERSONATION_LEVEL NTAPI SeTokenImpersonationLevel (_In_ PACCESS_TOKEN Token)
 Retrieves the security impersonation level of an access token. More...
 
NTSYSCALLAPI NTSTATUS NTAPI NtAccessCheck (_In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ HANDLE ClientToken, _In_ ACCESS_MASK DesiredAccess, _In_ PGENERIC_MAPPING GenericMapping, _Out_ PPRIVILEGE_SET PrivilegeSet, _Out_ PULONG ReturnLength, _Out_ PACCESS_MASK GrantedAccess, _Out_ PNTSTATUS AccessStatus)
 
NTSTATUS NTAPI NtAccessCheckByType (_In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ PSID PrincipalSelfSid, _In_ HANDLE ClientToken, _In_ ACCESS_MASK DesiredAccess, _In_ POBJECT_TYPE_LIST ObjectTypeList, _In_ ULONG ObjectTypeLength, _In_ PGENERIC_MAPPING GenericMapping, _In_ PPRIVILEGE_SET PrivilegeSet, _Inout_ PULONG PrivilegeSetLength, _Out_ PACCESS_MASK GrantedAccess, _Out_ PNTSTATUS AccessStatus)
 Determines whether the access requested by a caller on an object can be granted, performing the check by object type. More...
 
NTSTATUS NTAPI NtAccessCheckByTypeResultList (_In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ PSID PrincipalSelfSid, _In_ HANDLE ClientToken, _In_ ACCESS_MASK DesiredAccess, _In_ POBJECT_TYPE_LIST ObjectTypeList, _In_ ULONG ObjectTypeLength, _In_ PGENERIC_MAPPING GenericMapping, _In_ PPRIVILEGE_SET PrivilegeSet, _Inout_ PULONG PrivilegeSetLength, _Out_ PACCESS_MASK GrantedAccess, _Out_ PNTSTATUS AccessStatus)
 Determines whether the access requested by a caller on an object can be granted, performing the check by object type list. More...
 
_Must_inspect_result_ __kernel_entry NTSYSCALLAPI NTSTATUS NTAPI NtAccessCheckAndAuditAlarm (_In_ PUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ PUNICODE_STRING ObjectTypeName, _In_ PUNICODE_STRING ObjectName, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ ACCESS_MASK DesiredAccess, _In_ PGENERIC_MAPPING GenericMapping, _In_ BOOLEAN ObjectCreation, _Out_ PACCESS_MASK GrantedAccess, _Out_ PNTSTATUS AccessStatus, _Out_ PBOOLEAN GenerateOnClose)
 Raises an audit alarm message when a caller attempts to access an object, and determines whether the access can be granted. More...
 
_Must_inspect_result_ __kernel_entry NTSYSCALLAPI NTSTATUS NTAPI NtAdjustGroupsToken (_In_ HANDLE TokenHandle, _In_ BOOLEAN ResetToDefault, _In_opt_ PTOKEN_GROUPS NewState, _In_opt_ ULONG BufferLength, _Out_writes_bytes_to_opt_(BufferLength, *ReturnLength) PTOKEN_GROUPS PreviousState, _When_(PreviousState !=NULL, _Out_) PULONG ReturnLength)
 
_Must_inspect_result_ __kernel_entry NTSYSCALLAPI NTSTATUS NTAPI NtAdjustPrivilegesToken (_In_ HANDLE TokenHandle, _In_ BOOLEAN DisableAllPrivileges, _In_opt_ PTOKEN_PRIVILEGES NewState, _In_ ULONG BufferLength, _Out_writes_bytes_to_opt_(BufferLength, *ReturnLength) PTOKEN_PRIVILEGES PreviousState, _When_(PreviousState !=NULL, _Out_) PULONG ReturnLength)
 
NTSYSCALLAPI NTSTATUS NTAPI NtAllocateLocallyUniqueId (_Out_ LUID *LocallyUniqueId)
 
NTSYSCALLAPI NTSTATUS NTAPI NtAllocateUuids (_Out_ PULARGE_INTEGER Time, _Out_ PULONG Range, _Out_ PULONG Sequence, _Out_ PUCHAR Seed)
 
NTSYSCALLAPI NTSTATUS NTAPI NtCompareTokens (_In_ HANDLE FirstTokenHandle, _In_ HANDLE SecondTokenHandle, _Out_ PBOOLEAN Equal)
 Compares two tokens to determine whether they are equal. More...
 
__kernel_entry NTSYSCALLAPI NTSTATUS NTAPI NtCreateToken (_Out_ PHANDLE TokenHandle, _In_ ACCESS_MASK DesiredAccess, _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, _In_ TOKEN_TYPE TokenType, _In_ PLUID AuthenticationId, _In_ PLARGE_INTEGER ExpirationTime, _In_ PTOKEN_USER TokenUser, _In_ PTOKEN_GROUPS TokenGroups, _In_ PTOKEN_PRIVILEGES TokenPrivileges, _In_opt_ PTOKEN_OWNER TokenOwner, _In_ PTOKEN_PRIMARY_GROUP TokenPrimaryGroup, _In_opt_ PTOKEN_DEFAULT_DACL TokenDefaultDacl, _In_ PTOKEN_SOURCE TokenSource)
 Creates an access token. More...
 
_Must_inspect_result_ __kernel_entry NTSYSCALLAPI NTSTATUS NTAPI NtDuplicateToken (_In_ HANDLE ExistingTokenHandle, _In_ ACCESS_MASK DesiredAccess, _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, _In_ BOOLEAN EffectiveOnly, _In_ TOKEN_TYPE TokenType, _Out_ PHANDLE NewTokenHandle)
 Duplicates a token. More...
 
NTSYSCALLAPI NTSTATUS NTAPI NtImpersonateAnonymousToken (_In_ HANDLE ThreadHandle)
 Allows the calling thread to impersonate the system's anonymous logon token. More...
 
__kernel_entry NTSYSCALLAPI NTSTATUS NTAPI NtOpenObjectAuditAlarm (_In_ PUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ PUNICODE_STRING ObjectTypeName, _In_ PUNICODE_STRING ObjectName, _In_opt_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ HANDLE ClientToken, _In_ ACCESS_MASK DesiredAccess, _In_ ACCESS_MASK GrantedAccess, _In_opt_ PPRIVILEGE_SET Privileges, _In_ BOOLEAN ObjectCreation, _In_ BOOLEAN AccessGranted, _Out_ PBOOLEAN GenerateOnClose)
 Raises an alarm audit message when an object is about to be opened. More...
 
NTSYSCALLAPI NTSTATUS NTAPI NtOpenProcessTokenEx (_In_ HANDLE ProcessHandle, _In_ ACCESS_MASK DesiredAccess, _In_ ULONG HandleAttributes, _Out_ PHANDLE TokenHandle)
 
_Must_inspect_result_ __kernel_entry NTSYSCALLAPI NTSTATUS NTAPI NtPrivilegeCheck (_In_ HANDLE ClientToken, _Inout_ PPRIVILEGE_SET RequiredPrivileges, _Out_ PBOOLEAN Result)
 
NTSYSCALLAPI NTSTATUS NTAPI NtPrivilegedServiceAuditAlarm (_In_ PUNICODE_STRING SubsystemName, _In_ PUNICODE_STRING ServiceName, _In_ HANDLE ClientToken, _In_ PPRIVILEGE_SET Privileges, _In_ BOOLEAN AccessGranted)
 
__kernel_entry NTSYSCALLAPI NTSTATUS NTAPI NtPrivilegeObjectAuditAlarm (_In_ PUNICODE_STRING SubsystemName, _In_opt_ PVOID HandleId, _In_ HANDLE ClientToken, _In_ ACCESS_MASK DesiredAccess, _In_ PPRIVILEGE_SET Privileges, _In_ BOOLEAN AccessGranted)
 
 _When_ (TokenInformationClass==TokenAccessInformation, _At_(TokenInformationLength, _In_range_(>=, sizeof(TOKEN_ACCESS_INFORMATION)))) _Must_inspect_result_ __kernel_entry NTSYSCALLAPI NTSTATUS NTAPI NtQueryInformationToken(_In_ HANDLE TokenHandle
 
_In_ TOKEN_INFORMATION_CLASS _Out_writes_bytes_to_opt_ (TokenInformationLength, *ReturnLength) PVOID TokenInformation
 
_Must_inspect_result_ __kernel_entry NTSYSCALLAPI NTSTATUS NTAPI NtSetInformationToken (_In_ HANDLE TokenHandle, _In_ TOKEN_INFORMATION_CLASS TokenInformationClass, _In_reads_bytes_(TokenInformationLength) PVOID TokenInformation, _In_ ULONG TokenInformationLength)
 Sets (modifies) specific information of an access token. The calling thread must hold the appropriate access rights on the token in order to modify its information. More...
 
NTSYSAPI NTSTATUS NTAPI ZwAccessCheck (_In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ HANDLE ClientToken, _In_ ACCESS_MASK DesiredAccess, _In_ PGENERIC_MAPPING GenericMapping, _Out_ PPRIVILEGE_SET PrivilegeSet, _Out_ PULONG ReturnLength, _Out_ PACCESS_MASK GrantedAccess, _Out_ PNTSTATUS AccessStatus)
 
NTSYSAPI NTSTATUS NTAPI ZwAdjustGroupsToken (_In_ HANDLE TokenHandle, _In_ BOOLEAN ResetToDefault, _In_ PTOKEN_GROUPS NewState, _In_ ULONG BufferLength, _Out_opt_ PTOKEN_GROUPS PreviousState, _Out_ PULONG ReturnLength)
 
_Must_inspect_result_ NTSYSAPI NTSTATUS NTAPI ZwAdjustPrivilegesToken (_In_ HANDLE TokenHandle, _In_ BOOLEAN DisableAllPrivileges, _In_opt_ PTOKEN_PRIVILEGES NewState, _In_ ULONG BufferLength, _Out_writes_bytes_to_opt_(BufferLength, *ReturnLength) PTOKEN_PRIVILEGES PreviousState, _When_(PreviousState !=NULL, _Out_) PULONG ReturnLength)
 
NTSYSAPI NTSTATUS NTAPI ZwAllocateLocallyUniqueId (_Out_ LUID *LocallyUniqueId)
 
NTSYSAPI NTSTATUS NTAPI ZwAllocateUuids (_Out_ PULARGE_INTEGER Time, _Out_ PULONG Range, _Out_ PULONG Sequence, _Out_ PUCHAR Seed)
 
NTSYSAPI NTSTATUS NTAPI ZwCreateToken (_Out_ PHANDLE TokenHandle, _In_ ACCESS_MASK DesiredAccess, _In_ POBJECT_ATTRIBUTES ObjectAttributes, _In_ TOKEN_TYPE TokenType, _In_ PLUID AuthenticationId, _In_ PLARGE_INTEGER ExpirationTime, _In_ PTOKEN_USER TokenUser, _In_ PTOKEN_GROUPS TokenGroups, _In_ PTOKEN_PRIVILEGES TokenPrivileges, _In_ PTOKEN_OWNER TokenOwner, _In_ PTOKEN_PRIMARY_GROUP TokenPrimaryGroup, _In_ PTOKEN_DEFAULT_DACL TokenDefaultDacl, _In_ PTOKEN_SOURCE TokenSource)
 
 _IRQL_requires_max_ (PASSIVE_LEVEL) NTSYSAPI NTSTATUS NTAPI ZwDuplicateToken(_In_ HANDLE ExistingTokenHandle
 Queries information details about a security descriptor. More...
 
NTSYSAPI NTSTATUS NTAPI ZwImpersonateAnonymousToken (_In_ HANDLE Thread)
 
NTSYSAPI NTSTATUS NTAPI ZwOpenObjectAuditAlarm (_In_ PUNICODE_STRING SubsystemName, _In_ PVOID HandleId, _In_ PUNICODE_STRING ObjectTypeName, _In_ PUNICODE_STRING ObjectName, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ HANDLE ClientToken, _In_ ULONG DesiredAccess, _In_ ULONG GrantedAccess, _In_ PPRIVILEGE_SET Privileges, _In_ BOOLEAN ObjectCreation, _In_ BOOLEAN AccessGranted, _Out_ PBOOLEAN GenerateOnClose)
 
NTSYSAPI NTSTATUS NTAPI ZwOpenProcessTokenEx (_In_ HANDLE ProcessHandle, _In_ ACCESS_MASK DesiredAccess, _In_ ULONG HandleAttributes, _Out_ PHANDLE TokenHandle)
 
NTSYSAPI NTSTATUS NTAPI ZwPrivilegeCheck (_In_ HANDLE ClientToken, _In_ PPRIVILEGE_SET RequiredPrivileges, _In_ PBOOLEAN Result)
 
NTSYSAPI NTSTATUS NTAPI ZwPrivilegedServiceAuditAlarm (_In_ PUNICODE_STRING SubsystemName, _In_ PUNICODE_STRING ServiceName, _In_ HANDLE ClientToken, _In_ PPRIVILEGE_SET Privileges, _In_ BOOLEAN AccessGranted)
 
NTSYSAPI NTSTATUS NTAPI ZwPrivilegeObjectAuditAlarm (_In_ PUNICODE_STRING SubsystemName, _In_ PVOID HandleId, _In_ HANDLE ClientToken, _In_ ULONG DesiredAccess, _In_ PPRIVILEGE_SET Privileges, _In_ BOOLEAN AccessGranted)
 
_In_ TOKEN_INFORMATION_CLASS _Out_writes_bytes_to_opt_ (Length, *ResultLength) PVOID TokenInformation
 
NTSYSAPI NTSTATUS NTAPI ZwSetInformationToken (_In_ HANDLE TokenHandle, _In_ TOKEN_INFORMATION_CLASS TokenInformationClass, _Out_ PVOID TokenInformation, _In_ ULONG TokenInformationLength)
 

Variables

_In_ TOKEN_INFORMATION_CLASS TokenInformationClass
 
_In_ TOKEN_INFORMATION_CLASS _In_ ULONG TokenInformationLength
 
_In_ TOKEN_INFORMATION_CLASS _In_ ULONG _Out_ PULONG ReturnLength
 
_In_ ACCESS_MASK DesiredAccess
 
_In_ ACCESS_MASK _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes
 
_In_ ACCESS_MASK _In_opt_ POBJECT_ATTRIBUTES _In_ BOOLEAN EffectiveOnly
 
_In_ ACCESS_MASK _In_opt_ POBJECT_ATTRIBUTES _In_ BOOLEAN _In_ TOKEN_TYPE TokenType
 
_In_ ACCESS_MASK _In_opt_ POBJECT_ATTRIBUTES _In_ BOOLEAN _In_ TOKEN_TYPE _Out_ PHANDLE NewTokenHandle
 
_In_ ACCESS_MASK _Out_ PHANDLE TokenHandle
 
_In_ TOKEN_INFORMATION_CLASS _In_ ULONG Length
 
_In_ TOKEN_INFORMATION_CLASS _In_ ULONG _Out_ PULONG ResultLength
 

Function Documentation

◆ _IRQL_requires_max_()

_IRQL_requires_max_ ( PASSIVE_LEVEL  )

Queries information details about a security descriptor.

Computes the quota size of a security descriptor.

Assigns a security descriptor for a new object.

An extended function that assigns a security descriptor for a new object.

Frees a security descriptor.

An extended function that sets new information data to a security descriptor.

Modifies some information data about a security descriptor.

Parameters
[in] SecurityInformation: Security information details to be queried from a security descriptor.
[out] SecurityDescriptor: The returned security descriptor with security information data.
[in,out] Length: The returned length of a security descriptor.
[in,out] ObjectsSecurityDescriptor: The returned object security descriptor.
Returns
Returns STATUS_SUCCESS if the operation completed successfully and the requested information about the security descriptor has been queried. STATUS_BUFFER_TOO_SMALL is returned if the buffer is too small to hold the queried information about the security descriptor.
Parameters
[in] Object: If specified, the function will use this arbitrary object that points to an object security descriptor.
[in] SecurityInformation: Security information details to be set.
[in] SecurityDescriptor: A security descriptor whose information is to be changed.
[in,out] ObjectsSecurityDescriptor: The returned pointer to security descriptor objects.
[in] PoolType: Pool type for the new security descriptor to allocate.
[in] GenericMapping: The generic mapping of access rights masks.
Returns
See SeSetSecurityDescriptorInfoEx.
Parameters
[in] Object: If specified, the function will use this arbitrary object that points to an object security descriptor.
[in] SecurityInformation: Security information details to be set.
[in] SecurityDescriptor: A security descriptor whose information is to be changed.
[in,out] ObjectsSecurityDescriptor: The returned pointer to security descriptor objects.
[in] AutoInheritFlags: Bitmask of inheritance flags, controlling whether the security descriptor can be inherited at all and, if so, how.
[in] PoolType: Pool type for the new security descriptor to allocate.
[in] GenericMapping: The generic mapping of access rights masks.
Returns
Returns STATUS_SUCCESS if the operation completed without problems and the new information has been set on the security descriptor. STATUS_NO_SECURITY_ON_OBJECT is returned if the object does not have a security descriptor. STATUS_INSUFFICIENT_RESOURCES is returned if memory pool allocation for the new security descriptor carrying the updated information has failed.
Parameters
[in] SecurityDescriptor: A security descriptor to be freed from memory.
Returns
Returns STATUS_SUCCESS.
Parameters
[in] _ParentDescriptor: A security descriptor of the parent object of the object being created.
[in] _ExplicitDescriptor: An explicit security descriptor that is applied to the new object.
[out] NewDescriptor: The newly allocated security descriptor.
[in] ObjectType: The type of the new object.
[in] IsDirectoryObject: Set this to TRUE if the newly created object is a directory object, otherwise set this to FALSE.
[in] AutoInheritFlags: Automatic inheritance flags that influence how access control entries within the ACLs of security descriptors are inherited.
[in] SubjectContext: Security subject context of the new object.
[in] GenericMapping: Generic mapping of access mask rights.
[in] PoolType: This parameter is unused.
Returns
Returns STATUS_SUCCESS if the operation completed successfully and the security descriptor has been assigned to the new object. STATUS_NO_TOKEN is returned if the caller has not supplied a valid security subject context. STATUS_INVALID_OWNER is returned if the caller has not supplied a parent descriptor that belongs to the main user (owner). STATUS_INVALID_PRIMARY_GROUP is returned for the same reason as the previous NTSTATUS code. These two NTSTATUS codes are returned when the calling thread stated that the owner and/or group is defaulted from the parent descriptor (SEF_DEFAULT_OWNER_FROM_PARENT and/or SEF_DEFAULT_GROUP_FROM_PARENT respectively). STATUS_INSUFFICIENT_RESOURCES is returned if memory pool allocation for the descriptor buffer has failed. A failure NTSTATUS is returned otherwise.
Parameters
[in] ParentDescriptor: A security descriptor of the parent object of the object being created.
[in] ExplicitDescriptor: An explicit security descriptor that is applied to the new object.
[out] NewDescriptor: The newly allocated security descriptor.
[in] IsDirectoryObject: Set this to TRUE if the newly created object is a directory object, otherwise set this to FALSE.
[in] SubjectContext: Security subject context of the new object.
[in] GenericMapping: Generic mapping of access mask rights.
[in] PoolType: This parameter is unused.
Returns
See SeAssignSecurityEx.
Parameters
[in] SecurityDescriptor: A security descriptor.
[out] QuotaInfoSize: The quota size of the given security descriptor, returned to the caller. The function may return 0 in this parameter if the descriptor does not even have a group or a discretionary access control list (DACL).
Returns
Returns STATUS_SUCCESS if the quota size of the security descriptor has been computed successfully. STATUS_UNKNOWN_REVISION is returned if the security descriptor has an invalid revision.

Definition at line 64 of file Messaging.c.

75 {
  /*
   * NOTE(review): Doxygen attached this listing (Messaging.c, line 64) to the
   * _IRQL_requires_max_ entry; it is not part of sefuncs.h. The routine's name
   * and parameter list are not shown, and the rendering omits several
   * statement lines (82, 88, 96, 103-105, 118, 123, 131, 134, 138, 141-142,
   * 145, 152), so the comments below describe only what is visible: the
   * routine validates its arguments, creates a server port object for a
   * filter, fills it in, inserts it into the object manager and links it into
   * the filter's connection list.
   */
76  PFLT_SERVER_PORT_OBJECT PortObject;
78 
79  /* The caller must allow at least one connection */
80  if (MaxConnections == 0)
81  {
      /* NOTE(review): the rejecting return statement (line 82) is not shown. */
83  }
84 
85  /* The request must be for a kernel handle */
      /* Requests without OBJ_KERNEL_HANDLE in the object attributes are
       * refused (the return on line 88 is not shown), so the port handle
       * is only ever created as a kernel handle. */
86  if (!(ObjectAttributes->Attributes & OBJ_KERNEL_HANDLE))
87  {
89  }
90 
91  /*
92  * Get rundown protection on the target to stop the owner
93  * from unloading whilst this port object is open. It gets
94  * removed in the FltpServerPortClose callback
95  */
      /* NOTE(review): the call that acquires the protection and assigns
       * Status (line 96) is not shown in this rendering. */
97  if (!NT_SUCCESS(Status))
98  {
99  return Status;
100  }
101 
102  /* Create the server port object for this filter */
      /* NOTE(review): the head of the object-creation call (lines 103-105) is
       * not shown; the visible tail passes KernelMode as the access mode and
       * sizes the object as FLT_SERVER_PORT_OBJECT, with no pool charges. */
106  KernelMode,
107  NULL,
108  sizeof(FLT_SERVER_PORT_OBJECT),
109  0,
110  0,
111  (PVOID *)&PortObject);
112  if (NT_SUCCESS(Status))
113  {
114  /* Zero out the struct */
115  RtlZeroMemory(PortObject, sizeof(FLT_SERVER_PORT_OBJECT));
116 
117  /* Increment the ref count on the target filter */
      /* (the reference call on line 118 is not shown) */
119 
120  /* Setup the filter port object */
121  PortObject->Filter = Filter;
122  PortObject->ConnectNotify = ConnectNotifyCallback;
      /* (line 123 is not shown; presumably the disconnect callback
       * assignment -- confirm in Messaging.c) */
124  PortObject->MessageNotify = MessageNotifyCallback;
125  PortObject->Cookie = ServerPortCookie;
126  PortObject->MaxConnections = MaxConnections;
127 
128  /* Insert the object */
      /* No access state is supplied (NULL); the desired-access argument
       * (line 131) and the output handle argument (line 134) are not shown. */
129  Status = ObInsertObject(PortObject,
130  NULL,
132  0,
133  NULL,
135  if (NT_SUCCESS(Status))
136  {
137  /* Lock the connection list */
      /* (mutex acquire, line 138, not shown) */
139 
140  /* Add the new port object to the connection list and increment the count */
      /* (list insertion and count update, lines 141-142, not shown) */
143 
144  /* Unlock the connection list*/
      /* (mutex release, line 145, not shown) */
146  }
147  }
148 
149  if (!NT_SUCCESS(Status))
150  {
151  /* Allow the filter to be cleaned up */
      /* NOTE(review): the cleanup call (line 152) is not shown. Since only
       * Status is tested here, this branch covers every failure after the
       * rundown protection was taken -- confirm in Messaging.c. */
153  }
154 
155  return Status;
156 }

◆ _Out_writes_bytes_to_opt_() [1/2]

_In_ TOKEN_INFORMATION_CLASS _Out_writes_bytes_to_opt_ ( TokenInformationLength  ,
ReturnLength 
)

◆ _Out_writes_bytes_to_opt_() [2/2]

_In_ TOKEN_INFORMATION_CLASS _Out_writes_bytes_to_opt_ ( Length  ,
ResultLength 
)

◆ _When_()

◆ NtAccessCheck()

NTSYSCALLAPI NTSTATUS NTAPI NtAccessCheck ( _In_ PSECURITY_DESCRIPTOR  SecurityDescriptor,
_In_ HANDLE  ClientToken,
_In_ ACCESS_MASK  DesiredAccess,
_In_ PGENERIC_MAPPING  GenericMapping,
_Out_ PPRIVILEGE_SET  PrivilegeSet,
_Out_ PULONG  ReturnLength,
_Out_ PACCESS_MASK  GrantedAccess,
_Out_ PNTSTATUS  AccessStatus 
)

◆ NtAccessCheckAndAuditAlarm()

_Must_inspect_result_ __kernel_entry NTSYSCALLAPI NTSTATUS NTAPI NtAccessCheckAndAuditAlarm ( _In_ PUNICODE_STRING  SubsystemName,
_In_opt_ PVOID  HandleId,
_In_ PUNICODE_STRING  ObjectTypeName,
_In_ PUNICODE_STRING  ObjectName,
_In_ PSECURITY_DESCRIPTOR  SecurityDescriptor,
_In_ ACCESS_MASK  DesiredAccess,
_In_ PGENERIC_MAPPING  GenericMapping,
_In_ BOOLEAN  ObjectCreation,
_Out_ PACCESS_MASK  GrantedAccess,
_Out_ PNTSTATUS  AccessStatus,
_Out_ PBOOLEAN  GenerateOnClose 
)

Raises an audit alarm message when a caller attempts to access an object, and determines whether the access can be granted.

Parameters
[in] SubsystemName: A Unicode string holding the name of the subsystem.
[in] HandleId: A handle to an ID that is used as an identification instance for auditing.
[in] ObjectTypeName: The name of the object type.
[in] ObjectName: The object name.
[in] SecurityDescriptor: A security descriptor.
[in] DesiredAccess: The desired access rights mask requested by the caller.
[in] GenericMapping: The generic mapping of access mask rights.
[in] ObjectCreation: Set this to TRUE if the object has just been created.
[out] GrantedAccess: Returns the granted access rights.
[out] AccessStatus: Returns an NTSTATUS code indicating whether the access check can be granted or not.
[out] GenerateOnClose: Returns TRUE if the function has generated a list of granted access rights and status codes on termination, FALSE otherwise.
Returns
See SepAccessCheckAndAuditAlarm.

Definition at line 2226 of file audit.c.

2238 {
  /*
   * Thin wrapper: forwards to SepAccessCheckAndAuditAlarm in single-object
   * (non-result-list) mode. The fixed arguments visible here are a NULL
   * client token handle (third argument), a NULL principal-self SID, zero
   * flags, no object type list (NULL, length 0) and UseResultList = FALSE.
   * NOTE(review): this rendering omits argument lines 2243, 2245, 2248,
   * 2252 and 2255; by position in SepAccessCheckAndAuditAlarm's parameter
   * list these are presumably ObjectTypeName, SecurityDescriptor, the audit
   * event type, GenericMapping and GenerateOnClose -- confirm in audit.c.
   * The parameter list of this routine (lines 2226-2237) is not shown either.
   */
2239  /* Call the internal function */
2240  return SepAccessCheckAndAuditAlarm(SubsystemName,
2241  HandleId,
2242  NULL,
2244  ObjectName,
2246  NULL,
2247  DesiredAccess,
2249  0,
2250  NULL,
2251  0,
2253  GrantedAccess,
2254  AccessStatus,
2256  FALSE);
2257 }

◆ NtAccessCheckByType()

NTSTATUS NTAPI NtAccessCheckByType ( _In_ PSECURITY_DESCRIPTOR  SecurityDescriptor,
_In_ PSID  PrincipalSelfSid,
_In_ HANDLE  ClientToken,
_In_ ACCESS_MASK  DesiredAccess,
_In_ POBJECT_TYPE_LIST  ObjectTypeList,
_In_ ULONG  ObjectTypeLength,
_In_ PGENERIC_MAPPING  GenericMapping,
_In_ PPRIVILEGE_SET  PrivilegeSet,
_Inout_ PULONG  PrivilegeSetLength,
_Out_ PACCESS_MASK  GrantedAccess,
_Out_ PNTSTATUS  AccessStatus 
)

Determines whether the access requested by a caller on an object can be granted, performing the check by object type.

Parameters
[in] SecurityDescriptor: A security descriptor with information data for auditing.
[in] PrincipalSelfSid: A principal self user SID.
[in] ClientToken: A client access token.
[in] DesiredAccess: The desired access rights mask requested by the caller.
[in] ObjectTypeList: A list of object types.
[in] ObjectTypeLength: The length of the list.
[in] GenericMapping: The generic mapping of access mask rights.
[in] PrivilegeSet: An array (set) of privileges.
[in,out] PrivilegeSetLength: The length of the privilege set array.
[out] GrantedAccess: The returned granted access rights.
[out] AccessStatus: The returned NTSTATUS code indicating the final result of the auditing.
Returns
To be added...

Definition at line 998 of file accesschk.c.

1010 {
  /*
   * Stub: the by-type access check is not implemented. The routine returns
   * STATUS_NOT_IMPLEMENTED without writing GrantedAccess, AccessStatus or
   * PrivilegeSetLength, so callers must not read those out parameters unless
   * the returned status is a success code.
   * NOTE(review): the parameter list (source lines 998-1009) is not shown
   * in this rendering.
   */
1011  UNIMPLEMENTED;
1012  return STATUS_NOT_IMPLEMENTED;
1013 }

◆ NtAccessCheckByTypeResultList()

NTSTATUS NTAPI NtAccessCheckByTypeResultList ( _In_ PSECURITY_DESCRIPTOR  SecurityDescriptor,
_In_ PSID  PrincipalSelfSid,
_In_ HANDLE  ClientToken,
_In_ ACCESS_MASK  DesiredAccess,
_In_ POBJECT_TYPE_LIST  ObjectTypeList,
_In_ ULONG  ObjectTypeLength,
_In_ PGENERIC_MAPPING  GenericMapping,
_In_ PPRIVILEGE_SET  PrivilegeSet,
_Inout_ PULONG  PrivilegeSetLength,
_Out_ PACCESS_MASK  GrantedAccess,
_Out_ PNTSTATUS  AccessStatus 
)

Determines whether the access requested by a caller on an object can be granted, performing the check by object type list.

Parameters
[in] SecurityDescriptor: A security descriptor with information data for auditing.
[in] PrincipalSelfSid: A principal self user SID.
[in] ClientToken: A client access token.
[in] DesiredAccess: The desired access rights mask requested by the caller.
[in] ObjectTypeList: A list of object types.
[in] ObjectTypeLength: The length of the list.
[in] GenericMapping: The generic mapping of access mask rights.
[in] PrivilegeSet: An array (set) of privileges.
[in,out] PrivilegeSetLength: The length of the privilege set array.
[out] GrantedAccess: The returned granted access rights.
[out] AccessStatus: The returned NTSTATUS code indicating the final result of the auditing.
Returns
To be added...

Definition at line 1060 of file accesschk.c.

1072 {
  /*
   * Stub: the by-type result-list access check is not implemented. The
   * routine returns STATUS_NOT_IMPLEMENTED without writing GrantedAccess,
   * AccessStatus or PrivilegeSetLength, so callers must not read those out
   * parameters unless the returned status is a success code.
   * NOTE(review): the parameter list (source lines 1060-1071) is not shown
   * in this rendering.
   */
1073  UNIMPLEMENTED;
1074  return STATUS_NOT_IMPLEMENTED;
1075 }

◆ NtAdjustGroupsToken()

_Must_inspect_result_ __kernel_entry NTSYSCALLAPI NTSTATUS NTAPI NtAdjustGroupsToken ( _In_ HANDLE  TokenHandle,
_In_ BOOLEAN  ResetToDefault,
_In_opt_ PTOKEN_GROUPS  NewState,
_In_opt_ ULONG  BufferLength,
_Out_writes_bytes_to_opt_(BufferLength, *ReturnLength) PTOKEN_GROUPS  PreviousState,
_When_(PreviousState !=NULL, _Out_) PULONG  ReturnLength 
)

◆ NtAdjustPrivilegesToken()

_Must_inspect_result_ __kernel_entry NTSYSCALLAPI NTSTATUS NTAPI NtAdjustPrivilegesToken ( _In_ HANDLE  TokenHandle,
_In_ BOOLEAN  DisableAllPrivileges,
_In_opt_ PTOKEN_PRIVILEGES  NewState,
_In_ ULONG  BufferLength,
_Out_writes_bytes_to_opt_(BufferLength, *ReturnLength) PTOKEN_PRIVILEGES  PreviousState,
_When_(PreviousState !=NULL, _Out_) PULONG  ReturnLength 
)

◆ NtAllocateLocallyUniqueId()

NTSYSCALLAPI NTSTATUS NTAPI NtAllocateLocallyUniqueId ( _Out_ LUID LocallyUniqueId)

◆ NtAllocateUuids()

NTSYSCALLAPI NTSTATUS NTAPI NtAllocateUuids ( _Out_ PULARGE_INTEGER  Time,
_Out_ PULONG  Range,
_Out_ PULONG  Sequence,
_Out_ PUCHAR  Seed 
)

◆ NtCompareTokens()

NTSYSCALLAPI NTSTATUS NTAPI NtCompareTokens ( _In_ HANDLE  FirstTokenHandle,
_In_ HANDLE  SecondTokenHandle,
_Out_ PBOOLEAN  Equal 
)

Compares two tokens to determine whether they are equal.

Parameters
[in] FirstToken: The first token.
[in] SecondToken: The second token.
[out] Equal: The retrieved value indicating whether the tokens are equal or not.
Returns
Returns STATUS_SUCCESS on success; otherwise a failure NTSTATUS code is returned.

Definition at line 5754 of file token.c.

5758 {
  /*
   * NtCompareTokens: system-call entry that reports whether two token
   * handles refer to equal tokens. Visible control flow:
   *   1. For non-kernel callers, probe the caller-supplied Equal pointer
   *      for write under SEH before doing any work.
   *   2. Resolve both handles through the object manager, requiring
   *      TOKEN_QUERY access on each.
   *   3. Compare the two token objects, or short-circuit to TRUE when both
   *      handles resolve to the same object.
   *   4. Drop both references, then write the result under SEH.
   * NOTE(review): this rendering omits source lines 5759, 5766, 5774, 5777,
   * 5784, 5796, 5827 and 5829; the parameter list (5754-5757) is not shown
   * either. Comments below describe only what is visible.
   */
5760  PTOKEN FirstToken, SecondToken;
5761  BOOLEAN IsEqual;   /* only consumed once Status is a success code */
5762  NTSTATUS Status;
5763 
5764  PAGED_CODE();
5765 
  /* NOTE(review): the line that initializes PreviousMode (5767) is not
   * shown; presumably it reads the previous processor mode of the caller --
   * confirm in token.c. */
5767 
5768  if (PreviousMode != KernelMode)
5769  {
      /* Equal is an untrusted user-mode pointer: check it is writable before
       * any references are taken, so a bad pointer fails cleanly here. */
5770  _SEH2_TRY
5771  {
5772  ProbeForWriteBoolean(Equal);
5773  }
      /* NOTE(review): the _SEH2_EXCEPT filter (5774) and the handler's
       * return statement (5777) are omitted by the rendering. */
5775  {
5776  /* Return the exception code */
5778  }
5779  _SEH2_END;
5780  }
5781 
      /* Resolve the first handle. TOKEN_QUERY is the access the handle must
       * grant, and PreviousMode is passed as the access mode so user-mode
       * callers get user-mode handle validation. NOTE(review): the object
       * type argument (line 5784) is not shown in this rendering. */
5782  Status = ObReferenceObjectByHandle(FirstTokenHandle,
5783  TOKEN_QUERY,
5785  PreviousMode,
5786  (PVOID*)&FirstToken,
5787  NULL);
5788  if (!NT_SUCCESS(Status))
5789  {
5790  DPRINT1("ObReferenceObjectByHandle() failed (Status 0x%lx)\n", Status);
5791  return Status;
5792  }
5793 
      /* Same for the second handle (object type argument, line 5796, not
       * shown). */
5794  Status = ObReferenceObjectByHandle(SecondTokenHandle,
5795  TOKEN_QUERY,
5797  PreviousMode,
5798  (PVOID*)&SecondToken,
5799  NULL);
5800  if (!NT_SUCCESS(Status))
5801  {
5802  DPRINT1("ObReferenceObjectByHandle() failed (Status 0x%lx)\n", Status);
      /* Release the first reference before bailing out, so a bad second
       * handle does not leak a reference on the first token. */
5803  ObDereferenceObject(FirstToken);
5804  return Status;
5805  }
5806 
5807  if (FirstToken != SecondToken)
5808  {
      /* Distinct objects: defer to SepCompareTokens, which reports the
       * result through IsEqual. */
5809  Status = SepCompareTokens(FirstToken,
5810  SecondToken,
5811  &IsEqual);
5812  }
5813  else
5814  {
      /* Both handles resolve to the same object: trivially equal. Status
       * still holds the success code from the second reference above. */
5815  IsEqual = TRUE;
5816  }
5817 
      /* Both references are dropped before the result is written to caller
       * memory, so a fault in that write cannot leave a token reference
       * behind. */
5818  ObDereferenceObject(SecondToken);
5819  ObDereferenceObject(FirstToken);
5820 
5821  if (NT_SUCCESS(Status))
5822  {
5823  _SEH2_TRY
5824  {
      /* The store through the caller-supplied pointer is still guarded by
       * SEH: the earlier probe does not guarantee the page stays writable. */
5825  *Equal = IsEqual;
5826  }
      /* NOTE(review): the exception filter (5827) and handler body (5829)
       * are omitted here; what Status becomes when this write faults cannot
       * be determined from this listing. */
5828  {
5830  }
5831  _SEH2_END;
5832  }
5833 
5834  return Status;
5835 }
#define TRUE
Definition: types.h:120
LONG NTSTATUS
Definition: precomp.h:26
KPROCESSOR_MODE NTAPI ExGetPreviousMode(VOID)
Definition: sysinfo.c:3070
_SEH2_TRY
Definition: create.c:4226
NTSTATUS NTAPI ObReferenceObjectByHandle(IN HANDLE Handle, IN ACCESS_MASK DesiredAccess, IN POBJECT_TYPE ObjectType, IN KPROCESSOR_MODE AccessMode, OUT PVOID *Object, OUT POBJECT_HANDLE_INFORMATION HandleInformation OPTIONAL)
Definition: obref.c:494
unsigned char BOOLEAN
POBJECT_TYPE SeTokenObjectType
Definition: token.c:19
Status
Definition: gdiplustypes.h:24
_In_ KPROCESSOR_MODE PreviousMode
Definition: sefuncs.h:103
#define TOKEN_QUERY
Definition: setypes.h:893
#define NT_SUCCESS(StatCode)
Definition: apphelp.c:32
#define EXCEPTION_EXECUTE_HANDLER
Definition: excpt.h:85
static NTSTATUS SepCompareTokens(_In_ PTOKEN FirstToken, _In_ PTOKEN SecondToken, _Out_ PBOOLEAN Equal)
Compares tokens if they're equal based on all the following properties. If all of the said conditions...
Definition: token.c:288
#define ObDereferenceObject
Definition: obfuncs.h:203
#define ProbeForWriteBoolean(Ptr)
Definition: probe.h:31
CCHAR KPROCESSOR_MODE
Definition: ketypes.h:7
_SEH2_END
Definition: create.c:4400
LONG NTAPI ExSystemExceptionFilter(VOID)
Definition: harderr.c:351
#define NULL
Definition: types.h:112
#define DPRINT1
Definition: precomp.h:8
#define _SEH2_EXCEPT(...)
Definition: pseh2_64.h:40
#define _SEH2_GetExceptionCode()
Definition: pseh2_64.h:165
#define _SEH2_YIELD(__stmt)
Definition: pseh2_64.h:168
#define PAGED_CODE()

Referenced by START_TEST().

◆ NtCreateToken()

__kernel_entry NTSYSCALLAPI NTSTATUS NTAPI NtCreateToken ( _Out_ PHANDLE  TokenHandle,
_In_ ACCESS_MASK  DesiredAccess,
_In_opt_ POBJECT_ATTRIBUTES  ObjectAttributes,
_In_ TOKEN_TYPE  TokenType,
_In_ PLUID  AuthenticationId,
_In_ PLARGE_INTEGER  ExpirationTime,
_In_ PTOKEN_USER  TokenUser,
_In_ PTOKEN_GROUPS  TokenGroups,
_In_ PTOKEN_PRIVILEGES  TokenPrivileges,
_In_opt_ PTOKEN_OWNER  TokenOwner,
_In_ PTOKEN_PRIMARY_GROUP  TokenPrimaryGroup,
_In_opt_ PTOKEN_DEFAULT_DACL  TokenDefaultDacl,
_In_ PTOKEN_SOURCE  TokenSource 
)

Creates an access token.

Parameters
[out]TokenHandleThe returned created token handle to the caller.
[in]DesiredAccessThe desired access rights for the token that we're creating.
[in]ObjectAttributesOptional object attributes for the token object being created. When supplied, its SecurityQualityOfService member is dereferenced to obtain the impersonation level of the new token.
[in]TokenTypeThe type of token to assign for the newly created token.
[in]AuthenticationIdAuthentication ID that represents the token's identity.
[in]ExpirationTimeExpiration time for the token. If set to -1, the token never expires.
[in]TokenUserThe main user entity for the token to assign.
[in]TokenGroupsGroup list of SIDs for the token to assign.
[in]TokenPrivilegesPrivileges for the token.
[in]TokenOwnerOptional. The SID of the user that owns the newly created token.
[in]TokenPrimaryGroupThe SID of the primary group of the token.
[in]TokenDefaultDaclOptional. The default discretionary access control list for the token. This limits how the token can be used and accessed, and by whom.
[in]TokenSourceThe source (origin) of the token, identifying the component that creates it.
Returns
Returns STATUS_SUCCESS if the function has successfully created the token. STATUS_BAD_TOKEN_TYPE is returned if TokenType is not a valid token type, and STATUS_PRIVILEGE_NOT_HELD is returned if the caller does not hold SeCreateTokenPrivilege. A failure NTSTATUS code is returned otherwise.

Definition at line 5224 of file token.c.

5238 {
5239  HANDLE hToken;
5241  ULONG PrivilegeCount, GroupCount;
5242  PSID OwnerSid, PrimaryGroupSid;
5243  PACL DefaultDacl;
5244  LARGE_INTEGER LocalExpirationTime = {{0, 0}};
5245  LUID LocalAuthenticationId;
5246  TOKEN_SOURCE LocalTokenSource;
5247  SECURITY_QUALITY_OF_SERVICE LocalSecurityQos;
5248  PLUID_AND_ATTRIBUTES CapturedPrivileges = NULL;
5249  PSID_AND_ATTRIBUTES CapturedUser = NULL;
5250  PSID_AND_ATTRIBUTES CapturedGroups = NULL;
5251  PSID CapturedOwnerSid = NULL;
5252  PSID CapturedPrimaryGroupSid = NULL;
5253  PACL CapturedDefaultDacl = NULL;
5254  ULONG PrivilegesLength, UserLength, GroupsLength;
5255  NTSTATUS Status;
5256 
5257  PAGED_CODE();
5258 
5260 
5261  if (PreviousMode != KernelMode)
5262  {
5263  _SEH2_TRY
5264  {
5266 
5267  if (ObjectAttributes != NULL)
5268  {
5270  sizeof(OBJECT_ATTRIBUTES),
5271  sizeof(ULONG));
5272  LocalSecurityQos = *(SECURITY_QUALITY_OF_SERVICE*)ObjectAttributes->SecurityQualityOfService;
5273  }
5274 
5275  ProbeForRead(AuthenticationId,
5276  sizeof(LUID),
5277  sizeof(ULONG));
5278  LocalAuthenticationId = *AuthenticationId;
5279 
5280  LocalExpirationTime = ProbeForReadLargeInteger(ExpirationTime);
5281 
5283  sizeof(TOKEN_USER),
5284  sizeof(ULONG));
5285 
5287  sizeof(TOKEN_GROUPS),
5288  sizeof(ULONG));
5289  GroupCount = TokenGroups->GroupCount;
5290 
5292  sizeof(TOKEN_PRIVILEGES),
5293  sizeof(ULONG));
5294  PrivilegeCount = TokenPrivileges->PrivilegeCount;
5295 
5296  if (TokenOwner != NULL)
5297  {
5299  sizeof(TOKEN_OWNER),
5300  sizeof(ULONG));
5301  OwnerSid = TokenOwner->Owner;
5302  }
5303  else
5304  {
5305  OwnerSid = NULL;
5306  }
5307 
5309  sizeof(TOKEN_PRIMARY_GROUP),
5310  sizeof(ULONG));
5311  PrimaryGroupSid = TokenPrimaryGroup->PrimaryGroup;
5312 
5313  if (TokenDefaultDacl != NULL)
5314  {
5316  sizeof(TOKEN_DEFAULT_DACL),
5317  sizeof(ULONG));
5318  DefaultDacl = TokenDefaultDacl->DefaultDacl;
5319  }
5320  else
5321  {
5322  DefaultDacl = NULL;
5323  }
5324 
5326  sizeof(TOKEN_SOURCE),
5327  sizeof(ULONG));
5328  LocalTokenSource = *TokenSource;
5329  }
5331  {
5332  /* Return the exception code */
5334  }
5335  _SEH2_END;
5336  }
5337  else
5338  {
5339  if (ObjectAttributes != NULL)
5340  LocalSecurityQos = *(SECURITY_QUALITY_OF_SERVICE*)ObjectAttributes->SecurityQualityOfService;
5341  LocalAuthenticationId = *AuthenticationId;
5342  LocalExpirationTime = *ExpirationTime;
5343  GroupCount = TokenGroups->GroupCount;
5344  PrivilegeCount = TokenPrivileges->PrivilegeCount;
5345  OwnerSid = TokenOwner ? TokenOwner->Owner : NULL;
5346  PrimaryGroupSid = TokenPrimaryGroup->PrimaryGroup;
5347  DefaultDacl = TokenDefaultDacl ? TokenDefaultDacl->DefaultDacl : NULL;
5348  LocalTokenSource = *TokenSource;
5349  }
5350 
5351  /* Check token type */
5352  if ((TokenType < TokenPrimary) ||
5354  {
5355  return STATUS_BAD_TOKEN_TYPE;
5356  }
5357 
5358  /* Check for token creation privilege */
5360  {
5362  }
5363 
5364  /* Capture the user SID and attributes */
5366  1,
5367  PreviousMode,
5368  NULL,
5369  0,
5370  PagedPool,
5371  FALSE,
5372  &CapturedUser,
5373  &UserLength);
5374  if (!NT_SUCCESS(Status))
5375  {
5376  goto Cleanup;
5377  }
5378 
5379  /* Capture the groups SID and attributes array */
5381  GroupCount,
5382  PreviousMode,
5383  NULL,
5384  0,
5385  PagedPool,
5386  FALSE,
5387  &CapturedGroups,
5388  &GroupsLength);
5389  if (!NT_SUCCESS(Status))
5390  {
5391  goto Cleanup;
5392  }
5393 
5394  /* Capture privileges */
5396  PrivilegeCount,
5397  PreviousMode,
5398  NULL,
5399  0,
5400  PagedPool,
5401  FALSE,
5402  &CapturedPrivileges,
5403  &PrivilegesLength);
5404  if (!NT_SUCCESS(Status))
5405  {
5406  goto Cleanup;
5407  }
5408 
5409  /* Capture the token owner SID */
5410  if (TokenOwner != NULL)
5411  {
5412  Status = SepCaptureSid(OwnerSid,
5413  PreviousMode,
5414  PagedPool,
5415  FALSE,
5416  &CapturedOwnerSid);
5417  if (!NT_SUCCESS(Status))
5418  {
5419  goto Cleanup;
5420  }
5421  }
5422 
5423  /* Capture the token primary group SID */
5424  Status = SepCaptureSid(PrimaryGroupSid,
5425  PreviousMode,
5426  PagedPool,
5427  FALSE,
5428  &CapturedPrimaryGroupSid);
5429  if (!NT_SUCCESS(Status))
5430  {
5431  goto Cleanup;
5432  }
5433 
5434  /* Capture DefaultDacl */
5435  if (DefaultDacl != NULL)
5436  {
5437  Status = SepCaptureAcl(DefaultDacl,
5438  PreviousMode,
5439  NonPagedPool,
5440  FALSE,
5441  &CapturedDefaultDacl);
5442  if (!NT_SUCCESS(Status))
5443  {
5444  goto Cleanup;
5445  }
5446  }
5447 
5448  /* Call the internal function */
5449  Status = SepCreateToken(&hToken,
5450  PreviousMode,
5451  DesiredAccess,
5453  TokenType,
5454  LocalSecurityQos.ImpersonationLevel,
5455  &LocalAuthenticationId,
5456  &LocalExpirationTime,
5457  CapturedUser,
5458  GroupCount,
5459  CapturedGroups,
5460  GroupsLength,
5461  PrivilegeCount,
5462  CapturedPrivileges,
5463  CapturedOwnerSid,
5464  CapturedPrimaryGroupSid,
5465  CapturedDefaultDacl,
5466  &LocalTokenSource,
5467  FALSE);
5468  if (NT_SUCCESS(Status))
5469  {
5470  _SEH2_TRY
5471  {
5472  *TokenHandle = hToken;
5473  }
5475  {
5477  }
5478  _SEH2_END;
5479  }
5480 
5481 Cleanup:
5482 
5483  /* Release what we captured */
5486  SeReleaseLuidAndAttributesArray(CapturedPrivileges, PreviousMode, FALSE);
5487  SepReleaseSid(CapturedOwnerSid, PreviousMode, FALSE);
5488  SepReleaseSid(CapturedPrimaryGroupSid, PreviousMode, FALSE);
5489  SepReleaseAcl(CapturedDefaultDacl, PreviousMode, FALSE);
5490 
5491  return Status;
5492 }
IN PUNICODE_STRING IN POBJECT_ATTRIBUTES ObjectAttributes
Definition: conport.c:35
#define STATUS_PRIVILEGE_NOT_HELD
Definition: DriverTester.h:9
_Must_inspect_result_ _In_ WDFDEVICE _In_ ULONG _In_ ACCESS_MASK DesiredAccess
Definition: wdfdevice.h:2654
VOID NTAPI SepReleaseAcl(_In_ PACL CapturedAcl, _In_ KPROCESSOR_MODE AccessMode, _In_ BOOLEAN CaptureIfKernel)
Releases (frees) a captured ACL from the memory pool.
Definition: acl.c:459
const LUID SeCreateTokenPrivilege
Definition: priv.c:21
VOID NTAPI SeReleaseSidAndAttributesArray(_In_ _Post_invalid_ PSID_AND_ATTRIBUTES CapturedSidAndAttributes, _In_ KPROCESSOR_MODE AccessMode, _In_ BOOLEAN CaptureIfKernel)
Releases a captured SID with attributes.
Definition: sid.c:676
NTSTATUS NTAPI SeCaptureLuidAndAttributesArray(_In_ PLUID_AND_ATTRIBUTES Src, _In_ ULONG PrivilegeCount, _In_ KPROCESSOR_MODE PreviousMode, _In_ PLUID_AND_ATTRIBUTES AllocatedMem, _In_ ULONG AllocatedLength, _In_ POOL_TYPE PoolType, _In_ BOOLEAN CaptureIfKernel, _Out_ PLUID_AND_ATTRIBUTES *Dest, _Inout_ PULONG Length)
NTSTATUS NTAPI SepCaptureSid(_In_ PSID InputSid, _In_ KPROCESSOR_MODE AccessMode, _In_ POOL_TYPE PoolType, _In_ BOOLEAN CaptureIfKernel, _Out_ PSID *CapturedSid)
Captures a SID.
Definition: sid.c:308
LONG NTSTATUS
Definition: precomp.h:26
KPROCESSOR_MODE NTAPI ExGetPreviousMode(VOID)
Definition: sysinfo.c:3070
VOID NTAPI SepReleaseSid(_In_ PSID CapturedSid, _In_ KPROCESSOR_MODE AccessMode, _In_ BOOLEAN CaptureIfKernel)
Releases a captured SID.
Definition: sid.c:394
_SEH2_TRY
Definition: create.c:4226
#define FALSE
Definition: types.h:117
NTSTATUS NTAPI SepCaptureAcl(_In_ PACL InputAcl, _In_ KPROCESSOR_MODE AccessMode, _In_ POOL_TYPE PoolType, _In_ BOOLEAN CaptureIfKernel, _Out_ PACL *CapturedAcl)
Captures an access control list from an already valid input ACL.
Definition: acl.c:352
#define STATUS_BAD_TOKEN_TYPE
Definition: ntstatus.h:404
NTSTATUS NTAPI SepCreateToken(_Out_ PHANDLE TokenHandle, _In_ KPROCESSOR_MODE PreviousMode, _In_ ACCESS_MASK DesiredAccess, _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, _In_ TOKEN_TYPE TokenType, _In_ SECURITY_IMPERSONATION_LEVEL ImpersonationLevel, _In_ PLUID AuthenticationId, _In_ PLARGE_INTEGER ExpirationTime, _In_ PSID_AND_ATTRIBUTES User, _In_ ULONG GroupCount, _In_ PSID_AND_ATTRIBUTES Groups, _In_ ULONG GroupsLength, _In_ ULONG PrivilegeCount, _In_ PLUID_AND_ATTRIBUTES Privileges, _In_opt_ PSID Owner, _In_ PSID PrimaryGroup, _In_opt_ PACL DefaultDacl, _In_ PTOKEN_SOURCE TokenSource, _In_ BOOLEAN SystemToken)
Internal function responsible for access token object creation in the kernel. A fully created token o...
Definition: token.c:1700
_In_ ACCESS_MASK _In_ ULONG _Out_ PHANDLE TokenHandle
Definition: psfuncs.h:715
Status
Definition: gdiplustypes.h:24
_In_ KPROCESSOR_MODE PreviousMode
Definition: sefuncs.h:103
VOID NTAPI SeReleaseLuidAndAttributesArray(_In_ PLUID_AND_ATTRIBUTES Privilege, _In_ KPROCESSOR_MODE PreviousMode, _In_ BOOLEAN CaptureIfKernel)
Releases a LUID with attributes structure.
Definition: priv.c:554
#define NT_SUCCESS(StatCode)
Definition: apphelp.c:32
#define EXCEPTION_EXECUTE_HANDLER
Definition: excpt.h:85
#define ProbeForWriteHandle(Ptr)
Definition: probe.h:43
#define ProbeForReadLargeInteger(Ptr)
Definition: probe.h:75
CCHAR KPROCESSOR_MODE
Definition: ketypes.h:7
VOID NTAPI ProbeForRead(IN CONST VOID *Address, IN SIZE_T Length, IN ULONG Alignment)
Definition: exintrin.c:102
NTSTATUS NTAPI SeCaptureSidAndAttributesArray(_In_ PSID_AND_ATTRIBUTES SrcSidAndAttributes, _In_ ULONG AttributeCount, _In_ KPROCESSOR_MODE PreviousMode, _In_opt_ PVOID AllocatedMem, _In_ ULONG AllocatedLength, _In_ POOL_TYPE PoolType, _In_ BOOLEAN CaptureIfKernel, _Out_ PSID_AND_ATTRIBUTES *CapturedSidAndAttributes, _Out_ PULONG ResultLength)
Captures a SID with attributes.
Definition: sid.c:458
static const WCHAR Cleanup[]
Definition: register.c:80
_SEH2_END
Definition: create.c:4400
SECURITY_IMPERSONATION_LEVEL ImpersonationLevel
Definition: lsa.idl:65
#define NULL
Definition: types.h:112
BOOLEAN NTAPI SeSinglePrivilegeCheck(_In_ LUID PrivilegeValue, _In_ KPROCESSOR_MODE PreviousMode)
Checks if a single privilege is present in the context of the calling thread.
Definition: priv.c:744
unsigned int ULONG
Definition: retypes.h:1
#define _SEH2_EXCEPT(...)
Definition: pseh2_64.h:40
#define _SEH2_GetExceptionCode()
Definition: pseh2_64.h:165
#define _SEH2_YIELD(__stmt)
Definition: pseh2_64.h:168
_In_ ACCESS_MASK _In_opt_ POBJECT_ATTRIBUTES _In_ BOOLEAN _In_ TOKEN_TYPE TokenType
Definition: sefuncs.h:388
#define PAGED_CODE()

Referenced by LsapLogonUser().

◆ NtDuplicateToken()

_Must_inspect_result_ __kernel_entry NTSYSCALLAPI NTSTATUS NTAPI NtDuplicateToken ( _In_ HANDLE  ExistingTokenHandle,
_In_ ACCESS_MASK  DesiredAccess,
_In_opt_ POBJECT_ATTRIBUTES  ObjectAttributes,
_In_ BOOLEAN  EffectiveOnly,
_In_ TOKEN_TYPE  TokenType,
_Out_ PHANDLE  NewTokenHandle 
)

Duplicates a token.

Parameters
[in]ExistingTokenHandleA handle to the existing token to duplicate; it is referenced for TOKEN_DUPLICATE access.
[in]DesiredAccessThe desired access rights for the new duplicated token.
[in]ObjectAttributesObject attributes for the new duplicated token.
[in]EffectiveOnlyIf set to TRUE, all disabled privileges and groups are removed when the token is duplicated.
[in]TokenTypeType of token to assign to the duplicated token.
[out]NewTokenHandleThe returned duplicated token handle.
Returns
STATUS_SUCCESS is returned if token duplication has completed successfully. STATUS_INVALID_PARAMETER is returned if TokenType is neither TokenImpersonation nor TokenPrimary. STATUS_BAD_IMPERSONATION_LEVEL is returned if the caller attempts to raise the impersonation level of the new token above that of the source impersonation token, or to create a primary token from an impersonation token whose level is below SecurityImpersonation. A failure NTSTATUS code is returned otherwise.
Remarks
Some sources claim 4th param is ImpersonationLevel, but on W2K this is certainly NOT true, although I can't say for sure that EffectiveOnly is correct either. -Gunnar This is true. EffectiveOnly overrides SQOS.EffectiveOnly. - IAI NOTE for readers: http://hex.pp.ua/nt/NtDuplicateToken.php is therefore wrong in that regard, while MSDN documentation is correct.

Definition at line 4133 of file token.c.

4140 {
4142  HANDLE hToken;
4143  PTOKEN Token;
4144  PTOKEN NewToken;
4145  PSECURITY_QUALITY_OF_SERVICE CapturedSecurityQualityOfService;
4146  BOOLEAN QoSPresent;
4148  NTSTATUS Status;
4149 
4150  PAGED_CODE();
4151 
4152  if (TokenType != TokenImpersonation &&
4154  {
4155  return STATUS_INVALID_PARAMETER;
4156  }
4157 
4159 
4160  if (PreviousMode != KernelMode)
4161  {
4162  _SEH2_TRY
4163  {
4165  }
4167  {
4168  /* Return the exception code */
4170  }
4171  _SEH2_END;
4172  }
4173 
4175  PreviousMode,
4176  PagedPool,
4177  FALSE,
4178  &CapturedSecurityQualityOfService,
4179  &QoSPresent);
4180  if (!NT_SUCCESS(Status))
4181  {
4182  DPRINT1("NtDuplicateToken() failed to capture QoS! Status: 0x%x\n", Status);
4183  return Status;
4184  }
4185 
4186  Status = ObReferenceObjectByHandle(ExistingTokenHandle,
4189  PreviousMode,
4190  (PVOID*)&Token,
4192  if (!NT_SUCCESS(Status))
4193  {
4194  DPRINT1("Failed to reference token (Status 0x%lx)\n", Status);
4195  SepReleaseSecurityQualityOfService(CapturedSecurityQualityOfService,
4196  PreviousMode,
4197  FALSE);
4198  return Status;
4199  }
4200 
4201  /*
4202  * Fail, if the original token is an impersonation token and the caller
4203  * tries to raise the impersonation level of the new token above the
4204  * impersonation level of the original token.
4205  */
4206  if (Token->TokenType == TokenImpersonation)
4207  {
4208  if (QoSPresent &&
4209  CapturedSecurityQualityOfService->ImpersonationLevel >Token->ImpersonationLevel)
4210  {
4212  SepReleaseSecurityQualityOfService(CapturedSecurityQualityOfService,
4213  PreviousMode,
4214  FALSE);
4216  }
4217  }
4218 
4219  /*
4220  * Fail, if a primary token is to be created from an impersonation token
4221  * and and the impersonation level of the impersonation token is below SecurityImpersonation.
4222  */
4223  if (Token->TokenType == TokenImpersonation &&
4224  TokenType == TokenPrimary &&
4225  Token->ImpersonationLevel < SecurityImpersonation)
4226  {
4228  SepReleaseSecurityQualityOfService(CapturedSecurityQualityOfService,
4229  PreviousMode,
4230  FALSE);
4232  }
4233 
4236  EffectiveOnly,
4237  TokenType,
4238  (QoSPresent ? CapturedSecurityQualityOfService->ImpersonationLevel : SecurityAnonymous),
4239  PreviousMode,
4240  &NewToken);
4241 
4243 
4244  if (NT_SUCCESS(Status))
4245  {
4246  Status = ObInsertObject(NewToken,
4247  NULL,
4248  (DesiredAccess ? DesiredAccess : HandleInformation.GrantedAccess),
4249  0,
4250  NULL,
4251  &hToken);
4252  if (NT_SUCCESS(Status))
4253  {
4254  _SEH2_TRY
4255  {
4256  *NewTokenHandle = hToken;
4257  }
4259  {
4261  }
4262  _SEH2_END;
4263  }
4264  }
4265 
4266  /* Free the captured structure */
4267  SepReleaseSecurityQualityOfService(CapturedSecurityQualityOfService,
4268  PreviousMode,
4269  FALSE);
4270 
4271  return Status;
4272 }
IN PUNICODE_STRING IN POBJECT_ATTRIBUTES ObjectAttributes
Definition: conport.c:35
_Must_inspect_result_ _In_ WDFDEVICE _In_ ULONG _In_ ACCESS_MASK DesiredAccess
Definition: wdfdevice.h:2654
#define STATUS_BAD_IMPERSONATION_LEVEL
Definition: ntstatus.h:401
#define STATUS_INVALID_PARAMETER
Definition: udferr_usr.h:135
#define KeGetPreviousMode()
Definition: ketypes.h:1107
LONG NTSTATUS
Definition: precomp.h:26
_IRQL_requires_same_ _In_ PLSA_STRING _In_ SECURITY_LOGON_TYPE _In_ ULONG _In_ ULONG _In_opt_ PTOKEN_GROUPS _In_ PTOKEN_SOURCE _Out_ PVOID _Out_ PULONG _Inout_ PLUID _Out_ PHANDLE Token
_SEH2_TRY
Definition: create.c:4226
NTSTATUS NTAPI SepDuplicateToken(_In_ PTOKEN Token, _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, _In_ BOOLEAN EffectiveOnly, _In_ TOKEN_TYPE TokenType, _In_ SECURITY_IMPERSONATION_LEVEL Level, _In_ KPROCESSOR_MODE PreviousMode, _Out_ PTOKEN *NewAccessToken)
Duplicates an access token, from an existing valid token.
Definition: token.c:995
NTSTATUS NTAPI ObReferenceObjectByHandle(IN HANDLE Handle, IN ACCESS_MASK DesiredAccess, IN POBJECT_TYPE ObjectType, IN KPROCESSOR_MODE AccessMode, OUT PVOID *Object, OUT POBJECT_HANDLE_INFORMATION HandleInformation OPTIONAL)
Definition: obref.c:494
_In_ ACCESS_MASK _In_opt_ POBJECT_ATTRIBUTES _In_ BOOLEAN _In_ TOKEN_TYPE _Out_ PHANDLE NewTokenHandle
Definition: sefuncs.h:388
#define FALSE
Definition: types.h:117
unsigned char BOOLEAN
POBJECT_TYPE SeTokenObjectType
Definition: token.c:19
Status
Definition: gdiplustypes.h:24
_In_ KPROCESSOR_MODE PreviousMode
Definition: sefuncs.h:103
#define NT_SUCCESS(StatCode)
Definition: apphelp.c:32
#define EXCEPTION_EXECUTE_HANDLER
Definition: excpt.h:85
#define ObDereferenceObject
Definition: obfuncs.h:203
#define ProbeForWriteHandle(Ptr)
Definition: probe.h:43
_In_ ACCESS_MASK _In_opt_ POBJECT_TYPE _In_ KPROCESSOR_MODE _Out_ PVOID _Out_opt_ POBJECT_HANDLE_INFORMATION HandleInformation
Definition: obfuncs.h:40
CCHAR KPROCESSOR_MODE
Definition: ketypes.h:7
#define TOKEN_DUPLICATE
Definition: setypes.h:891
VOID NTAPI SepReleaseSecurityQualityOfService(_In_opt_ PSECURITY_QUALITY_OF_SERVICE CapturedSecurityQualityOfService, _In_ KPROCESSOR_MODE AccessMode, _In_ BOOLEAN CaptureIfKernel)
Releases (frees) the captured SQOS data from an object in the memory pool.
Definition: sqos.c:225
_SEH2_END
Definition: create.c:4400
NTSTATUS NTAPI ObInsertObject(IN PVOID Object, IN PACCESS_STATE AccessState OPTIONAL, IN ACCESS_MASK DesiredAccess, IN ULONG ObjectPointerBias, OUT PVOID *NewObject OPTIONAL, OUT PHANDLE Handle)
Definition: obhandle.c:2931
SECURITY_IMPERSONATION_LEVEL ImpersonationLevel
Definition: lsa.idl:65
#define NULL
Definition: types.h:112
#define DPRINT1
Definition: precomp.h:8
#define _SEH2_EXCEPT(...)
Definition: pseh2_64.h:40
#define _SEH2_GetExceptionCode()
Definition: pseh2_64.h:165
#define _SEH2_YIELD(__stmt)
Definition: pseh2_64.h:168
NTSTATUS NTAPI SepCaptureSecurityQualityOfService(_In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, _In_ KPROCESSOR_MODE AccessMode, _In_ POOL_TYPE PoolType, _In_ BOOLEAN CaptureIfKernel, _Out_ PSECURITY_QUALITY_OF_SERVICE *CapturedSecurityQualityOfService, _Out_ PBOOLEAN Present)
Captures the security quality of service data given the object attributes from an object.
Definition: sqos.c:52
_In_ ACCESS_MASK _In_opt_ POBJECT_ATTRIBUTES _In_ BOOLEAN EffectiveOnly
Definition: sefuncs.h:388
_In_ ACCESS_MASK _In_opt_ POBJECT_ATTRIBUTES _In_ BOOLEAN _In_ TOKEN_TYPE TokenType
Definition: sefuncs.h:388
#define PAGED_CODE()

◆ NtImpersonateAnonymousToken()

NTSYSCALLAPI NTSTATUS NTAPI NtImpersonateAnonymousToken ( _In_ HANDLE  ThreadHandle)

Allows the calling thread to impersonate the system's anonymous logon token.

Parameters
[in]ThreadHandleA handle to the thread that will impersonate the anonymous logon token. The handle must have been opened with the THREAD_IMPERSONATE access right.
Returns
Returns STATUS_SUCCESS if the thread has successfully impersonated the anonymous logon token, otherwise a failure NTSTATUS code is returned.
Remarks
By default, the anonymous logon token impersonated by this routine does not include the Everyone group SID. If the caller needs that group to be included, the EveryoneIncludesAnonymous registry value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa must be set to 1. The calling thread must invoke PsRevertToSelf when impersonation is no longer needed, or RevertToSelf if it runs in user mode.

Definition at line 5904 of file token.c.

5906 {
5907  PETHREAD Thread;
5909  NTSTATUS Status;
5910  PAGED_CODE();
5911 
5913 
5914  /* Obtain the thread object from the handle */
5915  Status = ObReferenceObjectByHandle(ThreadHandle,
5917  PsThreadType,
5918  PreviousMode,
5919  (PVOID*)&Thread,
5920  NULL);
5921  if (!NT_SUCCESS(Status))
5922  {
5923  DPRINT1("NtImpersonateAnonymousToken(): Failed to reference the object (Status 0x%lx)\n", Status);
5924  return Status;
5925  }
5926 
5927  /* Call the private routine to impersonate the token */
5929  if (!NT_SUCCESS(Status))
5930  {
5931  DPRINT1("NtImpersonateAnonymousToken(): Failed to impersonate the token (Status 0x%lx)\n", Status);
5932  }
5933 
5935  return Status;
5936 }
#define THREAD_IMPERSONATE
Definition: pstypes.h:151
LONG NTSTATUS
Definition: precomp.h:26
static NTSTATUS SepImpersonateAnonymousToken(_In_ PETHREAD Thread, _In_ KPROCESSOR_MODE PreviousMode)
Private function that impersonates the system's anonymous logon token. The major bulk of the imperson...
Definition: token.c:379
KPROCESSOR_MODE NTAPI ExGetPreviousMode(VOID)
Definition: sysinfo.c:3070
NTSTATUS NTAPI ObReferenceObjectByHandle(IN HANDLE Handle, IN ACCESS_MASK DesiredAccess, IN POBJECT_TYPE ObjectType, IN KPROCESSOR_MODE AccessMode, OUT PVOID *Object, OUT POBJECT_HANDLE_INFORMATION HandleInformation OPTIONAL)
Definition: obref.c:494
Status
Definition: gdiplustypes.h:24
_In_ KPROCESSOR_MODE PreviousMode
Definition: sefuncs.h:103
#define NT_SUCCESS(StatCode)
Definition: apphelp.c:32
#define ObDereferenceObject
Definition: obfuncs.h:203
_In_opt_ PFILE_OBJECT _In_opt_ PETHREAD Thread
Definition: fltkernel.h:2652
CCHAR KPROCESSOR_MODE
Definition: ketypes.h:7
POBJECT_TYPE PsThreadType
Definition: thread.c:20
#define NULL
Definition: types.h:112
#define DPRINT1
Definition: precomp.h:8
#define PAGED_CODE()

◆ NtOpenObjectAuditAlarm()

__kernel_entry NTSYSCALLAPI NTSTATUS NTAPI NtOpenObjectAuditAlarm ( _In_ PUNICODE_STRING  SubsystemName,
_In_opt_ PVOID  HandleId,
_In_ PUNICODE_STRING  ObjectTypeName,
_In_ PUNICODE_STRING  ObjectName,
_In_opt_ PSECURITY_DESCRIPTOR  SecurityDescriptor,
_In_ HANDLE  ClientTokenHandle,
_In_ ACCESS_MASK  DesiredAccess,
_In_ ACCESS_MASK  GrantedAccess,
_In_opt_ PPRIVILEGE_SET  PrivilegeSet,
_In_ BOOLEAN  ObjectCreation,
_In_ BOOLEAN  AccessGranted,
_Out_ PBOOLEAN  GenerateOnClose 
)

Raises an alarm audit message when an object is about to be opened.

Parameters
[in]SubsystemNameA Unicode string that points to a name of the subsystem.
[in]HandleIdAn optional pointer to a handle ID used to identify the audited instance.
[in]ObjectTypeNameA Unicode string that points to an object type name.
[in]ObjectNameThe name of the object.
[in]SecurityDescriptorA security descriptor.
[in]ClientTokenHandleA handle to a client access token.
[in]DesiredAccessThe desired access rights masks requested by the caller.
[in]GrantedAccessThe granted access mask rights.
[in]PrivilegeSetIf specified, the set of privileges used for the audit. Its PrivilegeCount must not exceed SEP_PRIVILEGE_SET_MAX_COUNT.
[in]ObjectCreationSet this to TRUE if the object has just been created.
[in]AccessGrantedSet this to TRUE if the access attempt was deemed as granted.
[out]GenerateOnCloseA boolean flag returned to the caller once audit generation procedure finishes.
Returns
Returns STATUS_SUCCESS if all the operations have been completed successfully. STATUS_PRIVILEGE_NOT_HELD is returned if the subject context does not hold the audit privilege required to begin auditing. STATUS_BAD_IMPERSONATION_LEVEL is returned if the client token is an impersonation token whose impersonation level is below the level that allows identification. STATUS_INVALID_PARAMETER is returned if the submitted privilege set exceeds the maximum count of privileges that the kernel accepts. A failure NTSTATUS code is returned otherwise.

Definition at line 1723 of file audit.c.

1736 {
1737  PTOKEN ClientToken;
1738  PSECURITY_DESCRIPTOR CapturedSecurityDescriptor;
1739  UNICODE_STRING CapturedSubsystemName, CapturedObjectTypeName, CapturedObjectName;
1740  ULONG PrivilegeCount, PrivilegeSetSize;
1741  volatile PPRIVILEGE_SET CapturedPrivilegeSet;
1742  BOOLEAN LocalGenerateOnClose;
1743  PVOID CapturedHandleId;
1745  NTSTATUS Status;
1746  PAGED_CODE();
1747 
1748  /* Only user mode is supported! */
1750 
1751  /* Start clean */
1752  ClientToken = NULL;
1753  CapturedSecurityDescriptor = NULL;
1754  CapturedPrivilegeSet = NULL;
1755  CapturedSubsystemName.Buffer = NULL;
1756  CapturedObjectTypeName.Buffer = NULL;
1757  CapturedObjectName.Buffer = NULL;
1758 
1759  /* Reference the client token */
1760  Status = ObReferenceObjectByHandle(ClientTokenHandle,
1761  TOKEN_QUERY,
1763  UserMode,
1764  (PVOID*)&ClientToken,
1765  NULL);
1766  if (!NT_SUCCESS(Status))
1767  {
1768  DPRINT1("Failed to reference token handle %p: %lx\n",
1769  ClientTokenHandle, Status);
1770  return Status;
1771  }
1772 
1773  /* Capture the security subject context */
1775 
1776  /* Validate the token's impersonation level */
1777  if ((ClientToken->TokenType == TokenImpersonation) &&
1778  (ClientToken->ImpersonationLevel < SecurityIdentification))
1779  {
1780  DPRINT1("Invalid impersonation level (%u)\n", ClientToken->ImpersonationLevel);
1782  goto Cleanup;
1783  }
1784 
1785  /* Check for audit privilege */
1787  {
1788  DPRINT1("Caller does not have SeAuditPrivilege\n");
1790  goto Cleanup;
1791  }
1792 
1793  /* Check for NULL SecurityDescriptor */
1794  if (SecurityDescriptor == NULL)
1795  {
1796  /* Nothing to do */
1798  goto Cleanup;
1799  }
1800 
1801  /* Capture the security descriptor */
1803  UserMode,
1804  PagedPool,
1805  FALSE,
1806  &CapturedSecurityDescriptor);
1807  if (!NT_SUCCESS(Status))
1808  {
1809  DPRINT1("Failed to capture security descriptor!\n");
1810  goto Cleanup;
1811  }
1812 
1813  _SEH2_TRY
1814  {
1815  /* Check if we have a privilege set */
1816  if (PrivilegeSet != NULL)
1817  {
1818  /* Probe the basic privilege set structure */
1819  ProbeForRead(PrivilegeSet, sizeof(PRIVILEGE_SET), sizeof(ULONG));
1820 
1821  /* Validate privilege count */
1822  PrivilegeCount = PrivilegeSet->PrivilegeCount;
1823  if (PrivilegeCount > SEP_PRIVILEGE_SET_MAX_COUNT)
1824  {
1826  _SEH2_YIELD(goto Cleanup);
1827  }
1828 
1829  /* Calculate the size of the PrivilegeSet structure */
1830  PrivilegeSetSize = FIELD_OFFSET(PRIVILEGE_SET, Privilege[PrivilegeCount]);
1831 
1832  /* Probe the whole structure */
1833  ProbeForRead(PrivilegeSet, PrivilegeSetSize, sizeof(ULONG));
1834 
1835  /* Allocate a temp buffer */
1836  CapturedPrivilegeSet = ExAllocatePoolWithTag(PagedPool,
1837  PrivilegeSetSize,
1839  if (CapturedPrivilegeSet == NULL)
1840  {
1841  DPRINT1("Failed to allocate %u bytes\n", PrivilegeSetSize);
1843  _SEH2_YIELD(goto Cleanup);
1844  }
1845 
1846  /* Copy the privileges */
1847  RtlCopyMemory(CapturedPrivilegeSet, PrivilegeSet, PrivilegeSetSize);
1848  }
1849 
1850  if (HandleId != NULL)
1851  {
1852  ProbeForRead(HandleId, sizeof(PVOID), sizeof(PVOID));
1853  CapturedHandleId = *(PVOID*)HandleId;
1854  }
1855 
1856  ProbeForWrite(GenerateOnClose, sizeof(BOOLEAN), sizeof(BOOLEAN));
1857  }
1859  {
1861  DPRINT1("Exception while probing parameters: 0x%lx\n", Status);
1862  _SEH2_YIELD(goto Cleanup);
1863  }
1864  _SEH2_END;
1865 
1866  /* Probe and capture the subsystem name */
1867  Status = ProbeAndCaptureUnicodeString(&CapturedSubsystemName,
1868  UserMode,
1869  SubsystemName);
1870  if (!NT_SUCCESS(Status))
1871  {
1872  DPRINT1("Failed to capture subsystem name!\n");
1873  goto Cleanup;
1874  }
1875 
1876  /* Probe and capture the object type name */
1877  Status = ProbeAndCaptureUnicodeString(&CapturedObjectTypeName,
1878  UserMode,
1879  ObjectTypeName);
1880  if (!NT_SUCCESS(Status))
1881  {
1882  DPRINT1("Failed to capture object type name!\n");
1883  goto Cleanup;
1884  }
1885 
1886  /* Probe and capture the object name */
1887  Status = ProbeAndCaptureUnicodeString(&CapturedObjectName,
1888  UserMode,
1889  ObjectName);
1890  if (!NT_SUCCESS(Status))
1891  {
1892  DPRINT1("Failed to capture object name!\n");
1893  goto Cleanup;
1894  }
1895 
1896  /* Call the internal function */
1898  &CapturedSubsystemName,
1899  CapturedHandleId,
1900  &CapturedObjectTypeName,
1901  &CapturedObjectName,
1902  CapturedSecurityDescriptor,
1903  ClientToken,
1904  DesiredAccess,
1905  GrantedAccess,
1906  CapturedPrivilegeSet,
1907  ObjectCreation,
1908  AccessGranted,
1909  &LocalGenerateOnClose);
1910 
1912 
1913  /* Enter SEH to copy the data back to user mode */
1914  _SEH2_TRY
1915  {
1916  *GenerateOnClose = LocalGenerateOnClose;
1917  }
1919  {
1921  DPRINT1("Exception while copying back data: 0x%lx\n", Status);
1922  }
1923  _SEH2_END;
1924 
1925 Cleanup:
1926 
1927  if (CapturedObjectName.Buffer != NULL)
1928  ReleaseCapturedUnicodeString(&CapturedObjectName, UserMode);
1929 
1930  if (CapturedObjectTypeName.Buffer != NULL)
1931  ReleaseCapturedUnicodeString(&CapturedObjectTypeName, UserMode);
1932 
1933  if (CapturedSubsystemName.Buffer != NULL)
1934  ReleaseCapturedUnicodeString(&CapturedSubsystemName, UserMode);
1935 
1936  if (CapturedSecurityDescriptor != NULL)
1937  SeReleaseSecurityDescriptor(CapturedSecurityDescriptor, UserMode, FALSE);
1938 
1939  if (CapturedPrivilegeSet != NULL)
1940  ExFreePoolWithTag(CapturedPrivilegeSet, TAG_PRIVILEGE_SET);
1941 
1942  /* Release the security subject context */
1944 
1945  ObDereferenceObject(ClientToken);
1946 
1947  return Status;
1948 }

◆ NtOpenProcessTokenEx()

NTSYSCALLAPI NTSTATUS NTAPI NtOpenProcessTokenEx ( _In_ HANDLE  ProcessHandle,
_In_ ACCESS_MASK  DesiredAccess,
_In_ ULONG  HandleAttributes,
_Out_ PHANDLE  TokenHandle 
)

◆ NtPrivilegeCheck()

_Must_inspect_result_ __kernel_entry NTSYSCALLAPI NTSTATUS NTAPI NtPrivilegeCheck ( _In_ HANDLE  ClientToken,
_Inout_ PPRIVILEGE_SET  RequiredPrivileges,
_Out_ PBOOLEAN  Result 
)

◆ NtPrivilegedServiceAuditAlarm()

NTSYSCALLAPI NTSTATUS NTAPI NtPrivilegedServiceAuditAlarm ( _In_ PUNICODE_STRING  SubsystemName,
_In_ PUNICODE_STRING  ServiceName,
_In_ HANDLE  ClientToken,
_In_ PPRIVILEGE_SET  Privileges,
_In_ BOOLEAN  AccessGranted 
)

◆ NtPrivilegeObjectAuditAlarm()

__kernel_entry NTSYSCALLAPI NTSTATUS NTAPI NtPrivilegeObjectAuditAlarm ( _In_ PUNICODE_STRING  SubsystemName,
_In_opt_ PVOID  HandleId,
_In_ HANDLE  ClientToken,
_In_ ACCESS_MASK  DesiredAccess,
_In_ PPRIVILEGE_SET  Privileges,
_In_ BOOLEAN  AccessGranted 
)

◆ NtSetInformationToken()

_Must_inspect_result_ __kernel_entry NTSYSCALLAPI NTSTATUS NTAPI NtSetInformationToken ( _In_ HANDLE  TokenHandle,
_In_ TOKEN_INFORMATION_CLASS  TokenInformationClass,
_In_reads_bytes_(TokenInformationLength) PVOID  TokenInformation,
_In_ ULONG  TokenInformationLength 
)

Sets (modifies) specific information of an access token. The token handle must have been opened with the access rights required for the chosen information class (at least TOKEN_ADJUST_DEFAULT; see the implementation), and the TokenSessionId, TokenSessionReference, TokenAuditPolicy and TokenOrigin classes additionally require the calling thread to hold SeTcbPrivilege.

@unimplemented

Parameters
[in]TokenHandleA handle to the token whose information is to be modified.
[in]TokenInformationClassThe token information class to set.
[in]TokenInformationA pointer to a caller-supplied buffer holding the information to set; the buffer's layout depends on the chosen information class. For a user-mode caller the buffer is probed and every read of it is done under SEH.
[in]TokenInformationLengthLength of the token information buffer, in bytes.
Returns
Returns STATUS_SUCCESS if the information has been set successfully. STATUS_INFO_LENGTH_MISMATCH is returned if the information buffer is smaller than the class requires. STATUS_INSUFFICIENT_RESOURCES is returned if a memory pool allocation has failed. STATUS_PRIVILEGE_NOT_HELD is returned if the calling thread does not hold the privilege the operation requires. STATUS_INVALID_INFO_CLASS is returned for an information class this function does not handle (default case). A failure NTSTATUS code (for example the exception code raised while reading the user buffer) is returned otherwise.
Remarks
The function is partly implemented: the TokenOwner, TokenPrimaryGroup, TokenDefaultDacl, TokenSessionId, TokenSessionReference, TokenAuditPolicy and TokenOrigin classes are handled; any other class is rejected by the default case.

Definition at line 3574 of file token.c.

3579 {
      /*
       * Body of NtSetInformationToken (the signature and every line that the
       * page renderer turned into a hyperlink were dropped, so this listing
       * has gaps: the lock/unlock, status-assignment and helper-call lines
       * hinted at by the surrounding comments are the missing ones).
       *
       * Flow: validate the caller's buffer for the requested class (the
       * buffer-check call whose trailing arguments appear below) -> reference
       * the token with the access the class needs -> dispatch on
       * TokenInformationClass.  Every read of the user buffer happens inside
       * _SEH2_TRY, and SIDs/ACLs are captured into kernel memory before the
       * token is modified, so the token never keeps a user-mode pointer.
       */
3580  NTSTATUS Status;
3581  PTOKEN Token;
      /* Minimum access right on the token handle; widened below. */
3583  ULONG NeededAccess = TOKEN_ADJUST_DEFAULT;
3584 
3585  PAGED_CODE();
3586 
3588 
      /*
       * Probe/size-check of the caller's buffer against the per-class table
       * (only the last two arguments of that call survived the rendering).
       * Failure here means a bad pointer or a too-short buffer.
       */
3592  TokenInformation,
3594  PreviousMode);
3595  if (!NT_SUCCESS(Status))
3596  {
3597  /* Invalid buffers */
3598  DPRINT("NtSetInformationToken() failed, Status: 0x%x\n", Status);
3599  return Status;
3600  }
3601 
      /*
       * Condition line not shown; presumably keyed on the class that changes
       * the session ID (TOKEN_ADJUST_SESSIONID is referenced nowhere else).
       */
3603  {
3604  NeededAccess |= TOKEN_ADJUST_SESSIONID;
3605  }
3606 
      /* Reference the token object, enforcing NeededAccess on the handle. */
3608  NeededAccess,
3610  PreviousMode,
3611  (PVOID*)&Token,
3612  NULL);
3613  if (NT_SUCCESS(Status))
3614  {
3615  switch (TokenInformationClass)
3616  {
3617  case TokenOwner:
3618  {
3619  if (TokenInformationLength >= sizeof(TOKEN_OWNER))
3620  {
3621  PTOKEN_OWNER to = (PTOKEN_OWNER)TokenInformation;
3622  PSID InputSid = NULL, CapturedSid;
3623  ULONG DefaultOwnerIndex;
3624 
      /* Single read of the user pointer, under SEH. */
3625  _SEH2_TRY
3626  {
3627  InputSid = to->Owner;
3628  }
      /*
       * The _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER) header and the
       * Status = _SEH2_GetExceptionCode() line of this and every handler
       * below were dropped by the renderer; each handler bails out to Cleanup.
       */
3630  {
3632  _SEH2_YIELD(goto Cleanup);
3633  }
3634  _SEH2_END;
3635 
      /* Copy + validate the SID into kernel memory before using it. */
3636  Status = SepCaptureSid(InputSid,
3637  PreviousMode,
3638  PagedPool,
3639  FALSE,
3640  &CapturedSid);
3641  if (NT_SUCCESS(Status))
3642  {
3643  /* Lock the token */
3645 
3646  /* Find the owner amongst the existing token user and groups */
      /*
       * The owner can only be chosen from SIDs already in the token, so the
       * caller cannot make the token own objects as an arbitrary principal.
       */
3648  NULL,
3649  CapturedSid,
3650  NULL,
3651  &DefaultOwnerIndex);
3652  if (NT_SUCCESS(Status))
3653  {
3654  /* Found it */
3655  Token->DefaultOwnerIndex = DefaultOwnerIndex;
      /* Any successful change bumps ModifiedId so cached checks see it. */
3656  ExAllocateLocallyUniqueId(&Token->ModifiedId);
3657  }
3658 
3659  /* Unlock the token */
3661 
3662  SepReleaseSid(CapturedSid,
3663  PreviousMode,
3664  FALSE);
3665  }
3666  }
3667  else
3668  {
      /* Status assignment not shown (documented as STATUS_INFO_LENGTH_MISMATCH). */
3670  }
3671  break;
3672  }
3673 
3674  case TokenPrimaryGroup:
3675  {
      /* Length check (not shown) mirrors the TokenOwner case. */
3677  {
3678  PTOKEN_PRIMARY_GROUP tpg = (PTOKEN_PRIMARY_GROUP)TokenInformation;
3679  PSID InputSid = NULL, CapturedSid;
3680  ULONG PrimaryGroupIndex;
3681 
3682  _SEH2_TRY
3683  {
3684  InputSid = tpg->PrimaryGroup;
3685  }
3687  {
3689  _SEH2_YIELD(goto Cleanup);
3690  }
3691  _SEH2_END;
3692 
3693  Status = SepCaptureSid(InputSid,
3694  PreviousMode,
3695  PagedPool,
3696  FALSE,
3697  &CapturedSid);
3698  if (NT_SUCCESS(Status))
3699  {
3700  /* Lock the token */
3702 
3703  /* Find the primary group amongst the existing token user and groups */
3705  CapturedSid,
3706  NULL,
3707  &PrimaryGroupIndex,
3708  NULL);
3709  if (NT_SUCCESS(Status))
3710  {
3711  /* Found it */
      /* Points at the token's own copy, not at the captured SID (freed below). */
3712  Token->PrimaryGroup = Token->UserAndGroups[PrimaryGroupIndex].Sid;
3713  ExAllocateLocallyUniqueId(&Token->ModifiedId);
3714  }
3715 
3716  /* Unlock the token */
3718 
3719  SepReleaseSid(CapturedSid,
3720  PreviousMode,
3721  FALSE);
3722  }
3723  }
3724  else
3725  {
3727  }
3728  break;
3729  }
3730 
3731  case TokenDefaultDacl:
3732  {
3734  {
3735  PTOKEN_DEFAULT_DACL tdd = (PTOKEN_DEFAULT_DACL)TokenInformation;
3736  PACL InputAcl = NULL;
3737 
3738  _SEH2_TRY
3739  {
3740  InputAcl = tdd->DefaultDacl;
3741  }
3743  {
3745  _SEH2_YIELD(goto Cleanup);
3746  }
3747  _SEH2_END;
3748 
      /* A NULL DACL pointer means "clear the default DACL" (else branch). */
3749  if (InputAcl != NULL)
3750  {
3751  PACL CapturedAcl;
3752 
3753  /* Capture and copy the dacl */
      /*
       * CaptureIfKernel is TRUE here, so even a kernel-mode caller gets a
       * private copy; the copy is what is validated and later memcpy'd into
       * the token, and it is always freed with TAG_ACL below.
       */
3754  Status = SepCaptureAcl(InputAcl,
3755  PreviousMode,
3756  PagedPool,
3757  TRUE,
3758  &CapturedAcl);
3759  if (NT_SUCCESS(Status))
3760  {
3761  ULONG DynamicLength;
3762 
3763  /* Lock the token */
3765 
3766  //
3767  // NOTE: So far our dynamic area only contains
3768  // the default dacl, so this makes the following
3769  // code pretty simple. The day where it stores
3770  // other data, the code will require adaptations.
3771  //
3772 
      /* Total size of the dynamic area = unused bytes + current DACL. */
3773  DynamicLength = Token->DynamicAvailable;
3774  // Add here any other data length present in the dynamic area...
3775  if (Token->DefaultDacl)
3776  DynamicLength += Token->DefaultDacl->AclSize;
3777 
3778  /* Reallocate the dynamic area if it is too small */
3780  if ((DynamicLength < CapturedAcl->AclSize) ||
3781  (Token->DynamicPart == NULL))
3782  {
3783  PVOID NewDynamicPart;
3784 
      /* Sized exactly to the new DACL, hence DynamicAvailable = 0 below. */
3785  NewDynamicPart = ExAllocatePoolWithTag(PagedPool,
3786  CapturedAcl->AclSize,
3788  if (NewDynamicPart == NULL)
3789  {
      /*
       * Status assignment not shown (documented as
       * STATUS_INSUFFICIENT_RESOURCES).  The old DynamicPart/DefaultDacl are
       * left intact because the free happens only in the else branch, and
       * the NT_SUCCESS guard below skips the copy.
       */
3791  }
3792  else
3793  {
3794  if (Token->DynamicPart != NULL)
3795  {
      /* No copy needed: the whole area is overwritten by the new DACL. */
3796  // RtlCopyMemory(NewDynamicPart, Token->DynamicPart, DynamicLength);
3797  ExFreePoolWithTag(Token->DynamicPart, TAG_TOKEN_DYNAMIC);
3798  }
3799  Token->DynamicPart = NewDynamicPart;
3800  Token->DynamicAvailable = 0;
3801  }
3802  }
3803  else
3804  {
      /* Fits in place: bookkeeping only. */
3805  Token->DynamicAvailable = DynamicLength - CapturedAcl->AclSize;
3806  }
3807 
3808  if (NT_SUCCESS(Status))
3809  {
3810  /* Set the new dacl */
3811  Token->DefaultDacl = (PVOID)Token->DynamicPart;
3812  RtlCopyMemory(Token->DefaultDacl,
3813  CapturedAcl,
3814  CapturedAcl->AclSize);
3815 
3816  ExAllocateLocallyUniqueId(&Token->ModifiedId);
3817  }
3818 
3819  /* Unlock the token */
3821 
3822  ExFreePoolWithTag(CapturedAcl, TAG_ACL);
3823  }
3824  }
3825  else
3826  {
3827  /* Lock the token */
3829 
3830  /* Clear the default dacl if present */
3831  if (Token->DefaultDacl != NULL)
3832  {
      /* Return the bytes to the free part of the dynamic area and scrub them. */
3833  Token->DynamicAvailable += Token->DefaultDacl->AclSize;
3834  RtlZeroMemory(Token->DefaultDacl, Token->DefaultDacl->AclSize);
3835  Token->DefaultDacl = NULL;
3836 
3837  ExAllocateLocallyUniqueId(&Token->ModifiedId);
3838  }
3839 
3840  /* Unlock the token */
3842  }
3843  }
3844  else
3845  {
3847  }
3848  break;
3849  }
3850 
3851  case TokenSessionId:
3852  {
3853  ULONG SessionId = 0;
3854 
3855  _SEH2_TRY
3856  {
3857  /* Buffer size was already verified, no need to check here again */
3858  SessionId = *(PULONG)TokenInformation;
3859  }
3861  {
3863  _SEH2_YIELD(goto Cleanup);
3864  }
3865  _SEH2_END;
3866 
3867  /* Check for TCB privilege */
      /*
       * Gate line not shown.  Changing the session is doubly protected: the
       * handle needed TOKEN_ADJUST_SESSIONID (see NeededAccess) and the
       * caller must hold SeTcbPrivilege; on failure Status is set (not shown)
       * and the break lands on Cleanup.
       */
3869  {
3871  break;
3872  }
3873 
3874  /* Lock the token */
3876 
3877  Token->SessionId = SessionId;
3878  ExAllocateLocallyUniqueId(&Token->ModifiedId);
3879 
3880  /* Unlock the token */
3882 
3883  break;
3884  }
3885 
3886  case TokenSessionReference:
3887  {
3888  ULONG SessionReference;
3889 
3890  _SEH2_TRY
3891  {
3892  /* Buffer size was already verified, no need to check here again */
3893  SessionReference = *(PULONG)TokenInformation;
3894  }
3896  {
3898  _SEH2_YIELD(goto Cleanup);
3899  }
3900  _SEH2_END;
3901 
3902  /* Check for TCB privilege */
3904  {
      /* goto and the plain break used by the other classes both reach Cleanup. */
3906  goto Cleanup;
3907  }
3908 
3909  /* Check if it is 0 */
      /* Only the value 0 ("stop referencing the logon session") has an effect. */
3910  if (SessionReference == 0)
3911  {
3912  ULONG OldTokenFlags;
3913 
3914  /* Lock the token */
3916 
3917  /* Atomically set the flag in the token */
      /* Flag constant (TOKEN_SESSION_NOT_REFERENCED) is on the dropped line. */
3918  OldTokenFlags = RtlInterlockedSetBits(&Token->TokenFlags,
3920  /*
3921  * If the flag was already set, do not dereference again
3922  * the logon session. Use SessionReference as an indicator
3923  * to know whether to really dereference the session.
3924  */
      /*
       * RtlInterlockedSetBits returns the previous flags; equal old/new
       * values mean the bit was already set.  ULONG_MAX is just a sentinel
       * that makes the second "== 0" test below fail.
       */
3925  if (OldTokenFlags == Token->TokenFlags)
3926  SessionReference = ULONG_MAX;
3927 
3928  /*
3929  * Otherwise if the flag was never set but just for this first time then
3930  * remove the referenced logon session data from the token and dereference
3931  * the logon session when needed.
3932  */
3933  if (SessionReference == 0)
3934  {
      /* Dropped line: removal of the logon session from the token. */
3936  SepRmDereferenceLogonSession(&Token->AuthenticationId);
3937  }
3938 
3939  /* Unlock the token */
3941  }
3942  break;
3943  }
3944 
3945  case TokenAuditPolicy:
3946  {
3947  PTOKEN_AUDIT_POLICY_INFORMATION PolicyInformation =
3948  (PTOKEN_AUDIT_POLICY_INFORMATION)TokenInformation;
      /*
       * NOTE(review): AuditPolicy is never initialised.  Only the categories
       * that appear in the caller's array are assigned in the loop below,
       * yet the whole struct is copied into Token->AuditPolicy afterwards,
       * so every unlisted category receives whatever was on the kernel
       * stack (all of them when PolicyCount is 0).  Zero the struct
       * (RtlZeroMemory) before the loop, or start from Token->AuditPolicy
       * if a partial update is the intended semantics - TODO confirm.
       */
3949  SEP_AUDIT_POLICY AuditPolicy;
3950  ULONG i;
3951 
3952  _SEH2_TRY
3953  {
      /*
       * NOTE(review): PolicyCount is fetched from user memory twice - once
       * here to size the probe and again on every loop iteration below.  A
       * concurrent writer can enlarge it after the probe so that the loop
       * reads Policies[] entries outside the probed range (still under SEH,
       * but no longer covered by the probe).  Capture PolicyCount into a
       * local once and use that for both the probe and the loop bound.
       */
3954  ProbeForRead(PolicyInformation,
3956  Policies[PolicyInformation->PolicyCount]),
3957  sizeof(ULONG));
3958 
3959  /* Loop all policies in the structure */
3960  for (i = 0; i < PolicyInformation->PolicyCount; i++)
3961  {
3962  /* Set the corresponding bits in the packed structure */
      /*
       * Unknown Category values are silently ignored (no default label is
       * visible), and Value is stored into a packed field, so out-of-range
       * values are presumably truncated rather than rejected.
       */
3963  switch (PolicyInformation->Policies[i].Category)
3964  {
3965  case AuditCategorySystem:
3966  AuditPolicy.PolicyElements.System = PolicyInformation->Policies[i].Value;
3967  break;
3968 
3969  case AuditCategoryLogon:
3970  AuditPolicy.PolicyElements.Logon = PolicyInformation->Policies[i].Value;
3971  break;
3972 
3974  AuditPolicy.PolicyElements.ObjectAccess = PolicyInformation->Policies[i].Value;
3975  break;
3976 
3978  AuditPolicy.PolicyElements.PrivilegeUse = PolicyInformation->Policies[i].Value;
3979  break;
3980 
3982  AuditPolicy.PolicyElements.DetailedTracking = PolicyInformation->Policies[i].Value;
3983  break;
3984 
3986  AuditPolicy.PolicyElements.PolicyChange = PolicyInformation->Policies[i].Value;
3987  break;
3988 
3990  AuditPolicy.PolicyElements.AccountManagement = PolicyInformation->Policies[i].Value;
3991  break;
3992 
3994  AuditPolicy.PolicyElements.DirectoryServiceAccess = PolicyInformation->Policies[i].Value;
3995  break;
3996 
3998  AuditPolicy.PolicyElements.AccountLogon = PolicyInformation->Policies[i].Value;
3999  break;
4000  }
4001  }
4002  }
4004  {
4006  _SEH2_YIELD(goto Cleanup);
4007  }
4008  _SEH2_END;
4009 
4010  /* Check for TCB privilege */
      /* The privilege check runs after the user data was parsed, before any token write. */
4012  {
4014  break;
4015  }
4016 
4017  /* Lock the token */
4019 
4020  /* Set the new audit policy */
4021  Token->AuditPolicy = AuditPolicy;
4022  ExAllocateLocallyUniqueId(&Token->ModifiedId);
4023 
4024  /* Unlock the token */
4026 
4027  break;
4028  }
4029 
4030  case TokenOrigin:
4031  {
      /* Local TOKEN_ORIGIN declaration is on the dropped line 4032. */
4033 
4034  _SEH2_TRY
4035  {
4036  /* Copy the token origin */
4037  TokenOrigin = *(PTOKEN_ORIGIN)TokenInformation;
4038  }
4040  {
4042  _SEH2_YIELD(goto Cleanup);
4043  }
4044  _SEH2_END;
4045 
4046  /* Check for TCB privilege */
4048  {
4050  break;
4051  }
4052 
4053  /* Lock the token */
4055 
4056  /* Check if there is no token origin set yet */
      /* Write-once: an already-set origin is silently kept (still STATUS_SUCCESS). */
4057  if (RtlIsZeroLuid(&Token->OriginatingLogonSession))
4058  {
4059  /* Set the token origin */
4060  Token->OriginatingLogonSession =
4061  TokenOrigin.OriginatingLogonSession;
4062 
4063  ExAllocateLocallyUniqueId(&Token->ModifiedId);
4064  }
4065 
4066  /* Unlock the token */
4068 
4069  break;
4070  }
4071 
4072  default:
4073  {
      /* Unsupported class: Status assignment not shown (STATUS_INVALID_INFO_CLASS is referenced by this function). */
4074  DPRINT1("Invalid TokenInformationClass: 0x%lx\n",
4077  break;
4078  }
4079  }
4080 Cleanup:
      /* Dropped line 4081: release of the token reference taken above. */
4082  }
4083 
4084  if (!NT_SUCCESS(Status))
4085  {
4086  DPRINT1("NtSetInformationToken failed with Status 0x%lx\n", Status);
4087  }
4088 
4089  return Status;
4090 }

◆ SeCaptureSecurityDescriptor()

NTKERNELAPI NTSTATUS NTAPI SeCaptureSecurityDescriptor ( _In_ PSECURITY_DESCRIPTOR  _OriginalSecurityDescriptor,
_In_ KPROCESSOR_MODE  CurrentMode,
_In_ POOL_TYPE  PoolType,
_In_ BOOLEAN  CaptureIfKernel,
_Out_ PSECURITY_DESCRIPTOR CapturedSecurityDescriptor 
)

Captures a security descriptor.

Parameters
[in]_OriginalSecurityDescriptorAn existing security descriptor (absolute or self-relative) to be captured. It is treated as untrusted when CurrentMode is UserMode.
[in]CurrentModeAccess mode of the caller (UserMode or KernelMode). A user-mode descriptor, including its SIDs and ACLs, is probed before being read.
[in]PoolTypePool type to be used when allocating the captured buffer.
[in]CaptureIfKernelSet this to TRUE to force a copy even for a kernel-mode caller. With FALSE and CurrentMode == KernelMode the original pointer is handed back unchanged (after a revision check) and nothing is allocated, so the descriptor should be released with a matching CaptureIfKernelMode argument to SeReleaseSecurityDescriptor.
[out]CapturedSecurityDescriptorReceives the captured descriptor, which is always in self-relative format; NULL if the input descriptor was NULL.
Returns
Returns STATUS_SUCCESS if the security descriptor has been captured (or was NULL). STATUS_UNKNOWN_REVISION is returned if the descriptor has an unknown revision. STATUS_INSUFFICIENT_RESOURCES is returned if the pool allocation for the captured buffer has failed. STATUS_INVALID_SID or STATUS_INVALID_ACL is raised, and returned through the exception handler, if an owner/group SID or an ACL fails re-validation while being copied. Any exception raised while reading a user-mode descriptor is returned as its NTSTATUS code.

Definition at line 386 of file sd.c.

392 {
     /*
      * Body of SeCaptureSecurityDescriptor (the signature and the lines the
      * page renderer turned into hyperlinks were dropped, leaving gaps: the
      * NewDescriptor declaration, the STATUS_UNKNOWN_REVISION returns, the
      * pool allocation and NULL check, the offset/copy lines and the
      * exception handlers).
      *
      * Two-phase capture: phase 1 probes the descriptor and measures its
      * SIDs/ACLs; phase 2 allocates one self-relative buffer and copies the
      * parts into it, re-validating each part because user memory may have
      * changed between the phases.
      */
393  PISECURITY_DESCRIPTOR OriginalDescriptor = _OriginalSecurityDescriptor;
     /* Absolute-format scratch copy of the header and the four part pointers. */
394  SECURITY_DESCRIPTOR DescriptorCopy;
396  ULONG OwnerSAC = 0, GroupSAC = 0;
397  ULONG OwnerSize = 0, GroupSize = 0;
398  ULONG SaclSize = 0, DaclSize = 0;
399  ULONG DescriptorSize = 0;
400  ULONG Offset;
401 
402  if (!OriginalDescriptor)
403  {
404  /* Nothing to do... */
405  *CapturedSecurityDescriptor = NULL;
406  return STATUS_SUCCESS;
407  }
408 
409  /* Quick path */
     /*
      * Kernel callers that did not ask for a copy get the original pointer
      * back, so nothing is allocated here and the release side must not free.
      */
410  if (CurrentMode == KernelMode && !CaptureIfKernel)
411  {
412  /* Check descriptor version */
413  if (OriginalDescriptor->Revision != SECURITY_DESCRIPTOR_REVISION1)
414  {
     /* Dropped line: return STATUS_UNKNOWN_REVISION (per the documentation). */
416  }
417 
418  *CapturedSecurityDescriptor = _OriginalSecurityDescriptor;
419  return STATUS_SUCCESS;
420  }
421 
     /* Phase 1: probe (user mode only) and measure. */
422  _SEH2_TRY
423  {
424  if (CurrentMode != KernelMode)
425  {
     /* Header-sized probe first; the size argument is on the dropped line. */
426  ProbeForRead(OriginalDescriptor,
428  sizeof(ULONG));
429  }
430 
431  /* Check the descriptor version */
432  if (OriginalDescriptor->Revision != SECURITY_DESCRIPTOR_REVISION1)
433  {
435  }
436 
437  if (CurrentMode != KernelMode)
438  {
439  /* Get the size of the descriptor */
     /* Self-relative vs absolute header size; the second operand was dropped. */
440  DescriptorSize = (OriginalDescriptor->Control & SE_SELF_RELATIVE) ?
442 
443  /* Probe the entire security descriptor structure. The SIDs
444  * and ACLs will be probed and copied later though */
445  ProbeForRead(OriginalDescriptor, DescriptorSize, sizeof(ULONG));
446  }
447 
448  /* Now capture all fields and convert to an absolute descriptor */
     /* The Sep*FromDescriptor helpers resolve offsets vs pointers for both formats. */
449  DescriptorCopy.Revision = OriginalDescriptor->Revision;
450  DescriptorCopy.Sbz1 = OriginalDescriptor->Sbz1;
451  DescriptorCopy.Control = OriginalDescriptor->Control & ~SE_SELF_RELATIVE;
452  DescriptorCopy.Owner = SepGetOwnerFromDescriptor(OriginalDescriptor);
453  DescriptorCopy.Group = SepGetGroupFromDescriptor(OriginalDescriptor);
454  DescriptorCopy.Sacl = SepGetSaclFromDescriptor(OriginalDescriptor);
455  DescriptorCopy.Dacl = SepGetDaclFromDescriptor(OriginalDescriptor);
     /* Output is always self-relative: header followed by ULONG-aligned parts. */
456  DescriptorSize = sizeof(SECURITY_DESCRIPTOR_RELATIVE);
457 
458  /* Determine owner and group sizes */
     /* These helpers probe the SIDs/ACLs in user mode (their bodies are not shown). */
459  OwnerSize = DetermineSIDSize(DescriptorCopy.Owner, &OwnerSAC, CurrentMode);
460  DescriptorSize += ROUND_UP(OwnerSize, sizeof(ULONG));
461  GroupSize = DetermineSIDSize(DescriptorCopy.Group, &GroupSAC, CurrentMode);
462  DescriptorSize += ROUND_UP(GroupSize, sizeof(ULONG));
463 
464  /* Determine the size of the ACLs */
     /* ACLs are measured only when the matching *_PRESENT control bit is set. */
465  if (DescriptorCopy.Control & SE_SACL_PRESENT)
466  {
467  /* Get the size and probe if user mode */
468  SaclSize = DetermineACLSize(DescriptorCopy.Sacl, CurrentMode);
469  DescriptorSize += ROUND_UP(SaclSize, sizeof(ULONG));
470  }
471 
472  if (DescriptorCopy.Control & SE_DACL_PRESENT)
473  {
474  /* Get the size and probe if user mode */
475  DaclSize = DetermineACLSize(DescriptorCopy.Dacl, CurrentMode);
476  DescriptorSize += ROUND_UP(DaclSize, sizeof(ULONG));
477  }
478  }
     /* Dropped: _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER) returning the exception code. */
480  {
482  }
483  _SEH2_END;
484 
485  /*
486  * Allocate enough memory to store a complete copy of a self-relative
487  * security descriptor
488  */
     /* Dropped: ExAllocatePoolWithTag(PoolType, ...) and the NULL check (STATUS_INSUFFICIENT_RESOURCES). */
490  DescriptorSize,
491  TAG_SD);
493 
     /* Zero-fill so alignment padding never leaks pool contents to later readers. */
494  RtlZeroMemory(NewDescriptor, DescriptorSize);
495  NewDescriptor->Revision = DescriptorCopy.Revision;
496  NewDescriptor->Sbz1 = DescriptorCopy.Sbz1;
497  NewDescriptor->Control = DescriptorCopy.Control | SE_SELF_RELATIVE;
498 
     /* Phase 2: copy the parts, re-checking them against the (mutable) source. */
499  _SEH2_TRY
500  {
501  /*
502  * Setup the offsets and copy the SIDs and ACLs to the new
503  * self-relative security descriptor. Probing the pointers is not
504  * necessary anymore as we did that when collecting the sizes!
505  * Make sure to validate the SIDs and ACLs *again* as they could have
506  * been modified in the meanwhile!
507  */
     /*
      * NOTE(review): RtlValidSid/RtlValidAcl below check that what is *now*
      * in user memory is well-formed, but the copies still use the sizes
      * measured in phase 1.  If the caller enlarged a SID's SubAuthorityCount
      * or an ACL's AclSize in between, the copy lands in NewDescriptor with
      * a header that claims more bytes than were copied (and than fit before
      * the next part / the end of the allocation), and later consumers that
      * trust that header read past it.  After each validity check, also
      * require RtlLengthSid(...) == OwnerSize/GroupSize and ->AclSize ==
      * SaclSize/DaclSize, raising STATUS_INVALID_SID/STATUS_INVALID_ACL on
      * mismatch - TODO confirm the Determine* helpers do not already pin this.
      */
     /* Dropped line 508: Offset starts right after the self-relative header. */
509 
510  if (DescriptorCopy.Owner)
511  {
512  if (!RtlValidSid(DescriptorCopy.Owner)) RtlRaiseStatus(STATUS_INVALID_SID);
     /* Dropped: NewDescriptor->Owner = Offset; RtlCopyMemory((PUCHAR)NewDescriptor + Offset, ... */
515  DescriptorCopy.Owner,
516  OwnerSize);
517  Offset += ROUND_UP(OwnerSize, sizeof(ULONG));
518  }
519 
520  if (DescriptorCopy.Group)
521  {
522  if (!RtlValidSid(DescriptorCopy.Group)) RtlRaiseStatus(STATUS_INVALID_SID);
525  DescriptorCopy.Group,
526  GroupSize);
527  Offset += ROUND_UP(GroupSize, sizeof(ULONG));
528  }
529 
     /*
      * Phase 1 measured the ACLs only when the *_PRESENT bit was set; here the
      * copy is keyed on the pointer, so a pointer without its PRESENT bit
      * would be copied with a size of 0 (SaclSize/DaclSize keep their
      * initial value) - presumably the Sep*FromDescriptor helpers return
      * NULL in that case; verify.
      */
530  if (DescriptorCopy.Sacl)
531  {
532  if (!RtlValidAcl(DescriptorCopy.Sacl)) RtlRaiseStatus(STATUS_INVALID_ACL);
535  DescriptorCopy.Sacl,
536  SaclSize);
537  Offset += ROUND_UP(SaclSize, sizeof(ULONG));
538  }
539 
540  if (DescriptorCopy.Dacl)
541  {
542  if (!RtlValidAcl(DescriptorCopy.Dacl)) RtlRaiseStatus(STATUS_INVALID_ACL);
545  DescriptorCopy.Dacl,
546  DaclSize);
547  Offset += ROUND_UP(DaclSize, sizeof(ULONG));
548  }
549 
550  /* Make sure the size was correct */
551  ASSERT(Offset == DescriptorSize);
552  }
     /* Dropped: handler that frees NewDescriptor and returns the exception code. */
554  {
555  /* We failed to copy the data to the new descriptor */
558  }
559  _SEH2_END;
560 
561  /*
562  * We're finally done!
563  * Copy the pointer to the captured descriptor to the caller.
564  */
565  *CapturedSecurityDescriptor = NewDescriptor;
566  return STATUS_SUCCESS;
567 }

Referenced by NtAccessCheck(), NtOpenObjectAuditAlarm(), NtSetSecurityObject(), ObpCaptureObjectCreateInformation(), ProbeAndCaptureObjectAttributes(), and SepAccessCheckAndAuditAlarm().

◆ SeCreateAccessState()

NTKERNELAPI NTSTATUS NTAPI SeCreateAccessState ( _In_ PACCESS_STATE  AccessState,
_In_ PAUX_ACCESS_DATA  AuxData,
_In_ ACCESS_MASK  Access,
_In_ PGENERIC_MAPPING  GenericMapping 
)

◆ SeDeleteAccessState()

NTKERNELAPI VOID NTAPI SeDeleteAccessState ( _In_ PACCESS_STATE  AccessState)

Deletes an allocated access state from memory.

Parameters
[in] AccessState: A valid access state.
Returns
Nothing.

Definition at line 668 of file access.c.

670 {
 /*
  * Tears down an access state that was previously set up by SeCreateAccessState():
  * frees the privilege set (when one was allocated), the object name and type
  * name buffers, and releases the subject security context held inside it.
  * Nothing is returned; AccessState itself is not freed here.
  */
671  PAUX_ACCESS_DATA AuxData;
672  PAGED_CODE();
673 
674  /* Get the Auxiliary Data */
 /* AuxData is not used by any line visible in this listing; it is presumably
  * consumed on the line that this rendered listing dropped (see below). */
675  AuxData = AccessState->AuxData;
676 
677  /* Deallocate Privileges */
678  if (AccessState->PrivilegesAllocated)
 /* NOTE(review): the body of this 'if' (source line 679) is missing from this
  * rendered listing. Going by the comment above it, the privilege set is freed
  * here only when it was dynamically allocated — confirm against access.c. */
680 
681  /* Deallocate Name and Type Name */
 /* Both buffers are optional; a NULL Buffer simply means none was captured. */
682  if (AccessState->ObjectName.Buffer)
683  {
684  ExFreePool(AccessState->ObjectName.Buffer);
685  }
686 
687  if (AccessState->ObjectTypeName.Buffer)
688  {
689  ExFreePool(AccessState->ObjectTypeName.Buffer);
690  }
691 
692  /* Release the Subject Context */
 /* Drops the references on the primary and client tokens that were captured
  * into the access state, so the caller must not use them afterwards. */
693  SeReleaseSubjectContext(&AccessState->SubjectSecurityContext);
694 }

Referenced by NtOpenProcess(), NtOpenThread(), ObDuplicateObject(), ObInsertObject(), ObOpenObjectByName(), ObOpenObjectByPointer(), ObReferenceObjectByName(), PspCreateProcess(), PspCreateThread(), and START_TEST().

◆ SeReleaseSecurityDescriptor()

NTKERNELAPI NTSTATUS NTAPI SeReleaseSecurityDescriptor ( _In_ PSECURITY_DESCRIPTOR  CapturedSecurityDescriptor,
_In_ KPROCESSOR_MODE  CurrentMode,
_In_ BOOLEAN  CaptureIfKernelMode 
)

Releases a captured security descriptor buffer.

Parameters
[in] CapturedSecurityDescriptor: The captured security descriptor to be freed.
[in] CurrentMode: Processor-level access mode of the caller.
[in] CaptureIfKernelMode: Set this to TRUE if the release is to be done within the kernel. It must be the same value that was passed to SeCaptureSecurityDescriptor(), otherwise the captured buffer is leaked.
Returns
Always returns STATUS_SUCCESS, even when nothing had to be freed.

Definition at line 760 of file sd.c.

NTSTATUS
NTAPI
SeReleaseSecurityDescriptor(
    _In_ PSECURITY_DESCRIPTOR CapturedSecurityDescriptor,
    _In_ KPROCESSOR_MODE CurrentMode,
    _In_ BOOLEAN CaptureIfKernelMode)
{
    PAGED_CODE();

    /* Nothing was captured, so there is nothing to give back. */
    if (CapturedSecurityDescriptor == NULL)
    {
        return STATUS_SUCCESS;
    }

    /*
     * SeCaptureSecurityDescriptor() hands out a pool copy (tagged TAG_SD) only
     * for user-mode callers, or for kernel-mode callers that explicitly asked
     * for one. CurrentMode and CaptureIfKernelMode must therefore be exactly
     * the values that were passed to the capture call: a mismatch either leaks
     * that copy, or passes a buffer this function never owned to
     * ExFreePoolWithTag. (The non-captured kernel-mode case is inferred from
     * the original warning comment — confirm against SeCaptureSecurityDescriptor.)
     */
    if (CurrentMode != KernelMode || CaptureIfKernelMode)
    {
        ExFreePoolWithTag(CapturedSecurityDescriptor, TAG_SD);
    }

    return STATUS_SUCCESS;
}

Referenced by NtAccessCheck(), NtOpenObjectAuditAlarm(), NtSetSecurityObject(), ObInsertObject(), ObpReleaseObjectCreateInformation(), ReleaseCapturedObjectAttributes(), and SepAccessCheckAndAuditAlarm().

◆ SeTokenImpersonationLevel()

NTKERNELAPI SECURITY_IMPERSONATION_LEVEL NTAPI SeTokenImpersonationLevel ( _In_ PACCESS_TOKEN  Token)

Gathers the security impersonation level of an access token.

Parameters
[in] Token: A valid access token whose impersonation level is to be retrieved.
Returns
Returns the security impersonation level from a valid token.

Definition at line 2734 of file token.c.

SECURITY_IMPERSONATION_LEVEL
NTAPI
SeTokenImpersonationLevel(
    _In_ PACCESS_TOKEN Token)
{
    /* PACCESS_TOKEN is the opaque view of the kernel TOKEN object. */
    PTOKEN TokenObject = (PTOKEN)Token;
    PAGED_CODE();

    /*
     * No validation is done here: the caller must pass a valid, referenced
     * token. The level returned is whatever the token currently records.
     */
    return TokenObject->ImpersonationLevel;
}

Referenced by PsAssignImpersonationToken().

◆ ZwAccessCheck()

NTSYSAPI NTSTATUS NTAPI ZwAccessCheck ( _In_ PSECURITY_DESCRIPTOR  SecurityDescriptor,
_In_ HANDLE  ClientToken,
_In_ ACCESS_MASK  DesiredAccess,
_In_ PGENERIC_MAPPING  GenericMapping,
_Out_ PPRIVILEGE_SET  PrivilegeSet,
_Out_ PULONG  ReturnLength,
_Out_ PACCESS_MASK  GrantedAccess,
_Out_ PNTSTATUS  AccessStatus 
)

◆ ZwAdjustGroupsToken()

NTSYSAPI NTSTATUS NTAPI ZwAdjustGroupsToken ( _In_ HANDLE  TokenHandle,
_In_ BOOLEAN  ResetToDefault,
_In_ PTOKEN_GROUPS  NewState,
_In_ ULONG  BufferLength,
_Out_opt_ PTOKEN_GROUPS  PreviousState,
_Out_ PULONG  ReturnLength 
)

◆ ZwAdjustPrivilegesToken()

◆ ZwAllocateLocallyUniqueId()

NTSYSAPI NTSTATUS NTAPI ZwAllocateLocallyUniqueId ( _Out_ LUID LocallyUniqueId)

◆ ZwAllocateUuids()

NTSYSAPI NTSTATUS NTAPI ZwAllocateUuids ( _Out_ PULARGE_INTEGER  Time,
_Out_ PULONG  Range,
_Out_ PULONG  Sequence,
_Out_ PUCHAR  Seed 
)

◆ ZwCreateToken()

NTSYSAPI NTSTATUS NTAPI ZwCreateToken ( _Out_ PHANDLE  TokenHandle,
_In_ ACCESS_MASK  DesiredAccess,
_In_ POBJECT_ATTRIBUTES  ObjectAttributes,
_In_ TOKEN_TYPE  TokenType,
_In_ PLUID  AuthenticationId,
_In_ PLARGE_INTEGER  ExpirationTime,
_In_ PTOKEN_USER  TokenUser,
_In_ PTOKEN_GROUPS  TokenGroups,
_In_ PTOKEN_PRIVILEGES  TokenPrivileges,
_In_ PTOKEN_OWNER  TokenOwner,
_In_ PTOKEN_PRIMARY_GROUP  TokenPrimaryGroup,
_In_ PTOKEN_DEFAULT_DACL  TokenDefaultDacl,
_In_ PTOKEN_SOURCE  TokenSource 
)

◆ ZwImpersonateAnonymousToken()

NTSYSAPI NTSTATUS NTAPI ZwImpersonateAnonymousToken ( _In_ HANDLE  Thread)

◆ ZwOpenObjectAuditAlarm()

NTSYSAPI NTSTATUS NTAPI ZwOpenObjectAuditAlarm ( _In_ PUNICODE_STRING  SubsystemName,
_In_ PVOID  HandleId,
_In_ PUNICODE_STRING  ObjectTypeName,
_In_ PUNICODE_STRING  ObjectName,
_In_ PSECURITY_DESCRIPTOR  SecurityDescriptor,
_In_ HANDLE  ClientToken,
_In_ ULONG  DesiredAccess,
_In_ ULONG  GrantedAccess,
_In_ PPRIVILEGE_SET  Privileges,
_In_ BOOLEAN  ObjectCreation,
_In_ BOOLEAN  AccessGranted,
_Out_ PBOOLEAN  GenerateOnClose 
)

◆ ZwOpenProcessTokenEx()

NTSYSAPI NTSTATUS NTAPI ZwOpenProcessTokenEx ( _In_ HANDLE  ProcessHandle,
_In_ ACCESS_MASK  DesiredAccess,
_In_ ULONG  HandleAttributes,
_Out_ PHANDLE  TokenHandle 
)

◆ ZwPrivilegeCheck()

NTSYSAPI NTSTATUS NTAPI ZwPrivilegeCheck ( _In_ HANDLE  ClientToken,
_In_ PPRIVILEGE_SET  RequiredPrivileges,
_In_ PBOOLEAN  Result 
)

◆ ZwPrivilegedServiceAuditAlarm()

NTSYSAPI NTSTATUS NTAPI ZwPrivilegedServiceAuditAlarm ( _In_ PUNICODE_STRING  SubsystemName,
_In_ PUNICODE_STRING  ServiceName,
_In_ HANDLE  ClientToken,
_In_ PPRIVILEGE_SET  Privileges,
_In_ BOOLEAN  AccessGranted 
)

◆ ZwPrivilegeObjectAuditAlarm()

NTSYSAPI NTSTATUS NTAPI ZwPrivilegeObjectAuditAlarm ( _In_ PUNICODE_STRING  SubsystemName,
_In_ PVOID  HandleId,
_In_ HANDLE  ClientToken,
_In_ ULONG  DesiredAccess,
_In_ PPRIVILEGE_SET  Privileges,
_In_ BOOLEAN  AccessGranted 
)

◆ ZwSetInformationToken()

NTSYSAPI NTSTATUS NTAPI ZwSetInformationToken ( _In_ HANDLE  TokenHandle,
_In_ TOKEN_INFORMATION_CLASS  TokenInformationClass,
_Out_ PVOID  TokenInformation,
_In_ ULONG  TokenInformationLength 
)

Variable Documentation

◆ DesiredAccess

Definition at line 388 of file sefuncs.h.

◆ EffectiveOnly

◆ Length

Definition at line 472 of file sefuncs.h.

◆ NewTokenHandle

Definition at line 388 of file sefuncs.h.

Referenced by NtDuplicateToken().

◆ ObjectAttributes

Definition at line 388 of file sefuncs.h.

◆ ResultLength

◆ ReturnLength

Definition at line 299 of file sefuncs.h.

◆ TokenHandle

Definition at line 423 of file sefuncs.h.

◆ TokenInformationClass

◆ TokenInformationLength

◆ TokenType