objtype.c File Reference

#include <ntoskrnl.h>
#include <debug.h>

Include dependency graph for objtype.c:

Go to the source code of this file.

Macros
#define	NDEBUG

Functions
static NTSTATUS	SepValidateObjectTypeList (_In_reads_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList, _In_ ULONG ObjectTypeListLength)
	Validates a list of object types passed from user mode, ensuring the following conditions are met for a valid list:
static BOOLEAN	SepIsEqualObjectTypeGuid (_In_ CONST GUID *Guid1, _In_ CONST GUID *Guid2)
	Compares two object type GUIDs for equality.
PGUID	SepGetObjectTypeGuidFromAce (_In_ PACE Ace, _In_ BOOLEAN IsAceDenied)
	Captures an object type GUID from an object access control entry (ACE).
BOOLEAN	SepObjectTypeGuidInList (_In_reads_(ObjectTypeListLength) POBJECT_TYPE_LIST_INTERNAL ObjectTypeList, _In_ ULONG ObjectTypeListLength, _In_ PGUID ObjectTypeGuid, _Out_ PULONG ObjectIndex)
	Searches for an object type GUID if it exists on an object type list.
NTSTATUS	SeCaptureObjectTypeList (_In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList, _In_ ULONG ObjectTypeListLength, _In_ KPROCESSOR_MODE PreviousMode, _Out_ POBJECT_TYPE_LIST_INTERNAL *CapturedObjectTypeList)
	Captures a list of object types and converts it to an internal form for use by the kernel. The list is validated before its data is copied.
VOID	SeReleaseObjectTypeList (_In_ _Post_invalid_ POBJECT_TYPE_LIST_INTERNAL CapturedObjectTypeList, _In_ KPROCESSOR_MODE PreviousMode)
	Releases a buffer list of object types.

Macro Definition Documentation

NDEBUG

#define NDEBUG

Definition at line 12 of file objtype.c.

Function Documentation

SeCaptureObjectTypeList()

NTSTATUS SeCaptureObjectTypeList	(	_In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST	ObjectTypeList,
		_In_ ULONG	ObjectTypeListLength,
		_In_ KPROCESSOR_MODE	PreviousMode,
		_Out_ POBJECT_TYPE_LIST_INTERNAL *	CapturedObjectTypeList
	)

Captures a list of object types and converts it to an internal form for use by the kernel. The list is validated before its data is copied.

Parameters

[in]	ObjectTypeList	A pointer to a list of object types passed from UM to be captured.
[in]	ObjectTypeListLength	The length size of the list. This length represents the number of object elements in that list.
[in]	PreviousMode	Processor access level mode. This has to be set to UserMode as object type access check is not supported in the kernel.
[out]	CapturedObjectTypeList	A pointer to a returned captured list of object types.

Returns

Returns STATUS_SUCCESS if the list of object types has been captured successfully. STATUS_INVALID_PARAMETER is returned if the caller hasn't supplied a buffer list of object types or the list is invalid. STATUS_INSUFFICIENT_RESOURCES is returned if pool memory allocation for the captured list has failed.

Definition at line 282 of file objtype.c.

{
    NTSTATUS Status;
    ULONG ObjectTypeIndex;
    SIZE_T Size;
    PGUID ObjectTypeGuid;
    POBJECT_TYPE_LIST_INTERNAL InternalTypeList;
 
    PAGED_CODE();
 
    /* We do not support that in the kernel */
    if (PreviousMode == KernelMode)
    {
        return STATUS_NOT_IMPLEMENTED;
    }
 
    /* No count elements of objects means no captured list for you */
    if (ObjectTypeListLength == 0)
    {
        *CapturedObjectTypeList = NULL;
        return STATUS_SUCCESS;
    }
 
    /* Check if the caller supplied a list since we have the count of elements */
    if (ObjectTypeList == NULL)
    {
        DPRINT1("The caller did not provide a list of object types!\n");
        return STATUS_INVALID_PARAMETER;
    }
 
    /* Validate that list before we copy contents from it */
    Status = SepValidateObjectTypeList(ObjectTypeList, ObjectTypeListLength);
    if (!NT_SUCCESS(Status))
    {
        DPRINT1("SepValidateObjectTypeList failed (Status 0x%08lx)\n", Status);
        return Status;
    }
 
    /* Allocate a new list */
    Size = ObjectTypeListLength * sizeof(OBJECT_TYPE_LIST_INTERNAL);
    InternalTypeList = ExAllocatePoolWithTag(PagedPool, Size, TAG_SEPA);
    if (InternalTypeList == NULL)
    {
        DPRINT1("Failed to allocate pool memory for the object type list!\n");
        return STATUS_INSUFFICIENT_RESOURCES;
    }
 
    _SEH2_TRY
    {
        /* Loop for every object element, data was already probed */
        for (ObjectTypeIndex = 0;
             ObjectTypeIndex < ObjectTypeListLength;
             ObjectTypeIndex++)
        {
            /* Copy the object type GUID */
            ObjectTypeGuid = ObjectTypeList[ObjectTypeIndex].ObjectType;
            InternalTypeList[ObjectTypeIndex].ObjectTypeGuid = *ObjectTypeGuid;
 
            /* Copy the object hierarchy level */
            InternalTypeList[ObjectTypeIndex].Level = ObjectTypeList[ObjectTypeIndex].Level;
 
            /* Initialize the access check rights */
            InternalTypeList[ObjectTypeIndex].ObjectAccessRights.RemainingAccessRights = 0;
            InternalTypeList[ObjectTypeIndex].ObjectAccessRights.GrantedAccessRights = 0;
            InternalTypeList[ObjectTypeIndex].ObjectAccessRights.DeniedAccessRights = 0;
        }
 
        /* Give the captured list to caller */
        *CapturedObjectTypeList = InternalTypeList;
    }
    _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
    {
        ExFreePoolWithTag(InternalTypeList, TAG_SEPA);
        InternalTypeList = NULL;
        _SEH2_YIELD(return _SEH2_GetExceptionCode());
    }
    _SEH2_END;
 
    return STATUS_SUCCESS;
}

Referenced by SepAccessCheck(), and SepAccessCheckAndAuditAlarm().

SepGetObjectTypeGuidFromAce()

PGUID SepGetObjectTypeGuidFromAce	(	_In_ PACE	Ace,
		_In_ BOOLEAN	IsAceDenied
	)

Captures an object type GUID from an object access control entry (ACE).

Parameters

[in]	Ace	A pointer to an access control entry, of which the object type GUID is to be captured from.
[in]	IsAceDenied	If set to TRUE, the function will capture the GUID from a denied object ACE, otherwise from the allowed object ACE.

Returns

Returns a pointer to an object type GUID, otherwise NULL is returned if the target ACE does not have an object type GUID.

Definition at line 180 of file objtype.c.

{
    PGUID ObjectTypeGuid = NULL;
 
    PAGED_CODE();
 
    /* This Ace must not be NULL */
    ASSERT(Ace);
 
    /* Grab the GUID based on the object type ACE header */
    ObjectTypeGuid = IsAceDenied ? (PGUID)&((PACCESS_DENIED_OBJECT_ACE)Ace)->ObjectType :
        (PGUID)&((PACCESS_ALLOWED_OBJECT_ACE)Ace)->ObjectType;
    return ObjectTypeGuid;
}

Referenced by SepAnalyzeAcesFromDacl().

SepIsEqualObjectTypeGuid()

static BOOLEAN SepIsEqualObjectTypeGuid ( _In_ CONST GUID *  Guid1, _In_ CONST GUID *  Guid2  )

static

Compares two object type GUIDs for equality.

Parameters

[in]	Guid1	A pointer to the first object type GUID.
[in]	Guid2	A pointer to the second object type GUID.

Returns

Returns TRUE if both GUIDs are equal, FALSE otherwise.

Definition at line 151 of file objtype.c.

{
    return RtlCompareMemory(Guid1, Guid2, sizeof(GUID)) == sizeof(GUID);
}

Referenced by SepObjectTypeGuidInList().

SepObjectTypeGuidInList()

BOOLEAN SepObjectTypeGuidInList	(	_In_reads_(ObjectTypeListLength) POBJECT_TYPE_LIST_INTERNAL	ObjectTypeList,
		_In_ ULONG	ObjectTypeListLength,
		_In_ PGUID	ObjectTypeGuid,
		_Out_ PULONG	ObjectIndex
	)

Searches for an object type GUID if it exists on an object type list.

Parameters

[in]	ObjectTypeList	A pointer to an object type list.
[in]	ObjectTypeListLength	The length of the list, representing the number of object elements in that list.
[in]	ObjectTypeGuid	A pointer to an object type GUID to search in the list of interest.
[out]	ObjectIndex	If the function found the target GUID, the function returns a pointer to the object index location to this parameter.

Returns

Returns TRUE if the object type GUID of interest exists in the target list, FALSE otherwise.

Definition at line 223 of file objtype.c.

{
    ULONG ObjectTypeIndex;
    GUID ObjectTypeGuidToSearch;
 
    PAGED_CODE();
 
    /* Loop over the object elements */
    for (ObjectTypeIndex = 0;
         ObjectTypeIndex < ObjectTypeListLength;
         ObjectTypeIndex++)
    {
        /* Is this the object we are searching for? */
        ObjectTypeGuidToSearch = ObjectTypeList[ObjectTypeIndex].ObjectTypeGuid;
        if (SepIsEqualObjectTypeGuid(ObjectTypeGuid, &ObjectTypeGuidToSearch))
        {
            /* Return the indext of that object to caller */
            *ObjectIndex = ObjectTypeIndex;
            return TRUE;
        }
    }
 
    return FALSE;
}

Referenced by SepAllowAccessObjectTypeList(), SepAllowAccessObjectTypeResultList(), SepDenyAccessObjectTypeList(), and SepDenyAccessObjectTypeResultList().

SepValidateObjectTypeList()

static NTSTATUS SepValidateObjectTypeList ( _In_reads_(ObjectTypeListLength) POBJECT_TYPE_LIST  ObjectTypeList, _In_ ULONG  ObjectTypeListLength  )

static

Validates a list of object types passed from user mode, ensuring the following conditions are met for a valid list:

• The list must not be too big and it can be read
• Each object must have a valid level
• The level hierarchy between objects has to be consistent (e.g. a root cannot have a level 2 subordinate object)
• The list must have only one root and it must be in the first position
• Each object type GUID can be read and captured

Parameters

[in]	ObjectTypeList	A pointer to an object type list of which the elements are being validated.
[in]	ObjectTypeListLength	The length of the list, representing the number of object elements in that list.

Returns

Returns STATUS_SUCCESS if the list has been validated and it contains valid objects. STATUS_INVALID_PARAMETER is returned if the list is not valid. Otherwise a NTSTATUS code is returned.

Definition at line 46 of file objtype.c.

{
    PGUID ObjectTypeGuid;
    ULONG ObjectTypeIndex;
    USHORT Level, PrevLevel;
    SIZE_T Size;
 
    /* Ensure we do not hit an integer overflow */
    Size = ObjectTypeListLength * sizeof(OBJECT_TYPE_LIST);
    if (Size == 0)
    {
        DPRINT1("The object type list is too big, integer overflow alert!\n");
        return STATUS_INVALID_PARAMETER;
    }
 
    _SEH2_TRY
    {
        /* Ensure we can actually read from that list */
        ProbeForRead(ObjectTypeList, Size, sizeof(ULONG));
 
        /* Begin looping for each object from the list */
        for (ObjectTypeIndex = 0;
             ObjectTypeIndex < ObjectTypeListLength;
             ObjectTypeIndex++)
        {
            /* Get the level of this object and check for validity */
            Level = ObjectTypeList[ObjectTypeIndex].Level;
            if (Level > ACCESS_MAX_LEVEL)
            {
                DPRINT1("Invalid object level found (level %u, at index %lu)\n", Level, ObjectTypeIndex);
                _SEH2_YIELD(return STATUS_INVALID_PARAMETER);
            }
 
            /* Are we past the first position in the list? */
            if (ObjectTypeIndex != 0)
            {
                /* Ensure that we do not have two object roots */
                if (Level == ACCESS_OBJECT_GUID)
                {
                    DPRINT1("This list has two roots (at index %lu)\n", ObjectTypeIndex);
                    _SEH2_YIELD(return STATUS_INVALID_PARAMETER);
                }
 
                /*
                 * Ensure the current level is consistent with the prior level.
                 * That means, if the previous object is the root (denoted by the
                 * level as ACCESS_OBJECT_GUID aka 0) the current object must
                 * be a child of the parent which is the root (also called a
                 * property set). Whereas a property is a sibling of the
                 * child, the property set.
                 */
                if (Level > PrevLevel + 1)
                {
                    DPRINT1("The object levels are not consistent (current level %u, previous level %u, at index %lu)\n",
                            Level, PrevLevel, ObjectTypeIndex);
                    _SEH2_YIELD(return STATUS_INVALID_PARAMETER);
                }
            }
            else
            {
                /* This is the first position so the object must be the root */
                if (Level != ACCESS_OBJECT_GUID)
                {
                    DPRINT1("The object is not the root at first index!\n");
                    _SEH2_YIELD(return STATUS_INVALID_PARAMETER);
                }
            }
 
            /* Get the object type and check that we can read from it */
            ObjectTypeGuid = ObjectTypeList[ObjectTypeIndex].ObjectType;
            ProbeForRead(ObjectTypeGuid, sizeof(GUID), sizeof(ULONG));
 
            /*
             * Cache the level, we need it to ensure the levels between
             * the previous and the next object are consistent with each other.
             */
            PrevLevel = Level;
        }
    }
    _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
    {
        _SEH2_YIELD(return _SEH2_GetExceptionCode());
    }
    _SEH2_END;
 
    return STATUS_SUCCESS;
}

Referenced by SeCaptureObjectTypeList().

SeReleaseObjectTypeList()

VOID SeReleaseObjectTypeList	(	_In_ _Post_invalid_ POBJECT_TYPE_LIST_INTERNAL	CapturedObjectTypeList,
		_In_ KPROCESSOR_MODE	PreviousMode
	)

Releases a buffer list of object types.

Parameters

[in]	CapturedObjectTypeList	A list of object types to free.
[in]	PreviousMode	Processor access level mode.

Definition at line 378 of file objtype.c.

{
    PAGED_CODE();
 
    if ((PreviousMode != KernelMode) && (CapturedObjectTypeList != NULL))
    {
        ExFreePoolWithTag(CapturedObjectTypeList, TAG_SEPA);
    }
}

Referenced by SepAccessCheck(), and SepAccessCheckAndAuditAlarm().