debug.c File Reference

#include <ntoskrnl.h>
#include <debug.h>

Include dependency graph for debug.c:

Go to the source code of this file.

Macros
#define	NDEBUG
#define	TOSTR(x)   #x
#define	ACE_FLAG_PRINT(x)
#define	SD_CONTROL_PRINT(x)

Functions
static PCSTR	SepGetAceTypeString (_In_ UCHAR AceType)
	Converts an Access Control Entry (ACE) type to a string. More...
static VOID	SepDumpAceFlags (_In_ UCHAR AceFlags)
	Dumps the ACE flags to the debugger output. More...
static VOID	SepDumpAces (_In_ PACL Acl)
	Iterates and dumps each ACE debug info in an ACL. More...
static VOID	SepDumpAclInfo (_In_ PACL Acl, _In_ BOOLEAN IsSacl)
	Dumps debug info of an Access Control List (ACL). More...
static VOID	SepDumpSdControlInfo (_In_ SECURITY_DESCRIPTOR_CONTROL SdControl)
	Dumps control flags of a security descriptor to the debugger. More...
static VOID	SepDumpSidsOfToken (_In_ PSID_AND_ATTRIBUTES Sids, _In_ ULONG SidCount)
	Dumps each security identifier (SID) of an access token to debugger. More...
VOID	SepDumpSdDebugInfo (_In_opt_ PISECURITY_DESCRIPTOR SecurityDescriptor)
	Dumps debug information of a security descriptor to the debugger. More...
VOID	SepDumpTokenDebugInfo (_In_opt_ PTOKEN Token)
	Dumps debug information of an access token to the debugger. More...
VOID	SepDumpAccessRightsStats (_In_opt_ PACCESS_CHECK_RIGHTS AccessRights)
	Dumps security access rights to the debugger. More...

Macro Definition Documentation

ACE_FLAG_PRINT

#define ACE_FLAG_PRINT

(

x

)

Value:

if (AceFlags & x)      \
    {                      \
        DbgPrint(#x "\n"); \
    }

NDEBUG

#define NDEBUG

Definition at line 11 of file debug.c.

SD_CONTROL_PRINT

#define SD_CONTROL_PRINT

(

x

)

Value:

if (SdControl & x)      \
    {                       \
        DbgPrint(#x "\n");  \
    }

TOSTR

#define TOSTR

(

x

)

#x

Function Documentation

SepDumpAccessRightsStats()

VOID SepDumpAccessRightsStats

(

_In_opt_ PACCESS_CHECK_RIGHTS

AccessRights

)

Dumps security access rights to the debugger.

Definition at line 315 of file debug.c.

{
    /* Don't dump anything if no access check rights list was provided */
    if (!AccessRights)
    {
        return;
    }

    DbgPrint("================== ACCESS CHECK RIGHTS STATISTICS ==================\n");
    DbgPrint("Remaining access rights -> 0x%08lx\n", AccessRights->RemainingAccessRights);
    DbgPrint("Granted access rights -> 0x%08lx\n", AccessRights->GrantedAccessRights);
    DbgPrint("Denied access rights -> 0x%08lx\n", AccessRights->DeniedAccessRights);
}

Referenced by SepAccessCheck().

SepDumpAceFlags()

static VOID SepDumpAceFlags ( _In_ UCHAR  AceFlags )

static

Dumps the ACE flags to the debugger output.

Definition at line 66 of file debug.c.

{
#define ACE_FLAG_PRINT(x)  \
    if (AceFlags & x)      \
    {                      \
        DbgPrint(#x "\n"); \
    }

    ACE_FLAG_PRINT(OBJECT_INHERIT_ACE);
    ACE_FLAG_PRINT(CONTAINER_INHERIT_ACE);
    ACE_FLAG_PRINT(NO_PROPAGATE_INHERIT_ACE);
    ACE_FLAG_PRINT(INHERIT_ONLY_ACE);
    ACE_FLAG_PRINT(INHERITED_ACE);
#undef ACE_FLAG_PRINT
}

Referenced by SepDumpAces().

SepDumpAces()

static VOID SepDumpAces ( _In_ PACL  Acl )

static

Iterates and dumps each ACE debug info in an ACL.

Definition at line 89 of file debug.c.

{
    NTSTATUS Status;
    PACE Ace;
    ULONG AceIndex;
    PSID Sid;
    UNICODE_STRING SidString;

    /* Loop all ACEs and dump their info */
    for (AceIndex = 0; AceIndex < Acl->AceCount; AceIndex++)
    {
        /* Get the ACE at this index */
        Status = RtlGetAce(Acl, AceIndex, (PVOID*)&Ace);
        if (!NT_SUCCESS(Status))
        {
            /*
             * Normally this should never happen.
             * Just fail gracefully and stop further
             * debugging of ACEs.
             */
            DbgPrint("SepDumpAces(): Failed to find the next ACE, stop dumping info...\n");
            return;
        }

        DbgPrint("================== %lu# ACE DUMP INFO ==================\n", AceIndex);
        DbgPrint("Ace -> 0x%p\n", Ace);
        DbgPrint("Ace->Header -> 0x%p\n", Ace->Header);
        DbgPrint("Ace->Header.AceType -> %s\n", SepGetAceTypeString(Ace->Header.AceType));
        DbgPrint("Ace->AccessMask -> 0x%08lx\n", Ace->AccessMask);

        Sid = SepGetSidFromAce(Ace->Header.AceType, Ace);
        ASSERT(Sid);
        RtlConvertSidToUnicodeString(&SidString, Sid, TRUE);
        DbgPrint("Ace SID -> %wZ\n", &SidString);
        RtlFreeUnicodeString(&SidString);

        DbgPrint("Ace->Header.AceSize -> %u\n", Ace->Header.AceSize);
        DbgPrint("Ace->Header.AceFlags:\n");
        SepDumpAceFlags(Ace->Header.AceFlags);
    }
}

Referenced by SepDumpAclInfo().

SepDumpAclInfo()

static VOID SepDumpAclInfo ( _In_ PACL  Acl, _In_ BOOLEAN  IsSacl  )

static

Dumps debug info of an Access Control List (ACL).

Definition at line 138 of file debug.c.

{
    /* Dump relevant info */
    DbgPrint("================== %s DUMP INFO ==================\n", IsSacl ? "SACL" : "DACL");
    DbgPrint("Acl->AclRevision -> %u\n", Acl->AclRevision);
    DbgPrint("Acl->AclSize -> %u\n", Acl->AclSize);
    DbgPrint("Acl->AceCount -> %u\n", Acl->AceCount);

    /* Dump all the ACEs present on this ACL */
    SepDumpAces(Acl);
}

Referenced by SepDumpSdDebugInfo().

SepDumpSdControlInfo()

static VOID SepDumpSdControlInfo ( _In_ SECURITY_DESCRIPTOR_CONTROL  SdControl )

static

Dumps control flags of a security descriptor to the debugger.

Definition at line 158 of file debug.c.

{
#define SD_CONTROL_PRINT(x) \
    if (SdControl & x)      \
    {                       \
        DbgPrint(#x "\n");  \
    }

    SD_CONTROL_PRINT(SE_OWNER_DEFAULTED);
    SD_CONTROL_PRINT(SE_GROUP_DEFAULTED);
    SD_CONTROL_PRINT(SE_DACL_PRESENT);
    SD_CONTROL_PRINT(SE_DACL_DEFAULTED);
    SD_CONTROL_PRINT(SE_SACL_PRESENT);
    SD_CONTROL_PRINT(SE_SACL_DEFAULTED);
    SD_CONTROL_PRINT(SE_DACL_UNTRUSTED);
    SD_CONTROL_PRINT(SE_SERVER_SECURITY);
    SD_CONTROL_PRINT(SE_DACL_AUTO_INHERIT_REQ);
    SD_CONTROL_PRINT(SE_SACL_AUTO_INHERIT_REQ);
    SD_CONTROL_PRINT(SE_DACL_AUTO_INHERITED);
    SD_CONTROL_PRINT(SE_SACL_AUTO_INHERITED);
    SD_CONTROL_PRINT(SE_DACL_PROTECTED);
    SD_CONTROL_PRINT(SE_SACL_PROTECTED);
    SD_CONTROL_PRINT(SE_RM_CONTROL_VALID);
    SD_CONTROL_PRINT(SE_SELF_RELATIVE);
#undef SD_CONTROL_PRINT
}

Referenced by SepDumpSdDebugInfo().

SepDumpSdDebugInfo()

VOID SepDumpSdDebugInfo

(

_In_opt_ PISECURITY_DESCRIPTOR

SecurityDescriptor

)

Dumps debug information of a security descriptor to the debugger.

Definition at line 215 of file debug.c.

{
    UNICODE_STRING SidString;
    PSID OwnerSid, GroupSid;
    PACL Dacl, Sacl;

    /* Don't dump anything if no SD was provided */
    if (!SecurityDescriptor)
    {
        return;
    }

    /* Cache the necessary security buffers to dump info from */
    OwnerSid = SepGetOwnerFromDescriptor(SecurityDescriptor);
    GroupSid = SepGetGroupFromDescriptor(SecurityDescriptor);
    Sacl = SepGetSaclFromDescriptor(SecurityDescriptor);
    Dacl = SepGetDaclFromDescriptor(SecurityDescriptor);

    DbgPrint("================== SECURITY DESCRIPTOR DUMP INFO ==================\n");
    DbgPrint("SecurityDescriptor -> 0x%p\n", SecurityDescriptor);
    DbgPrint("SecurityDescriptor->Revision -> %u\n", SecurityDescriptor->Revision);
    DbgPrint("SecurityDescriptor->Control:\n");
    SepDumpSdControlInfo(SecurityDescriptor->Control);

    /* Dump the Owner SID if the SD belongs to an owner */
    if (OwnerSid)
    {
        RtlConvertSidToUnicodeString(&SidString, OwnerSid, TRUE);
        DbgPrint("SD Owner SID -> %wZ\n", &SidString);
        RtlFreeUnicodeString(&SidString);
    }

    /* Dump the Group SID if the SD belongs to a group */
    if (GroupSid)
    {
        RtlConvertSidToUnicodeString(&SidString, GroupSid, TRUE);
        DbgPrint("SD Group SID -> %wZ\n", &SidString);
        RtlFreeUnicodeString(&SidString);
    }

    /* Dump the ACL contents of SACL if this SD has one */
    if (Sacl)
    {
        SepDumpAclInfo(Sacl, TRUE);
    }

    /* Dump the ACL contents of DACL if this SD has one */
    if (Dacl)
    {
        SepDumpAclInfo(Dacl, FALSE);
    }
}

Referenced by SepAccessCheck().

SepDumpSidsOfToken()

static VOID SepDumpSidsOfToken ( _In_ PSID_AND_ATTRIBUTES  Sids, _In_ ULONG  SidCount  )

static

Dumps each security identifier (SID) of an access token to debugger.

Definition at line 192 of file debug.c.

{
    ULONG SidIndex;
    UNICODE_STRING SidString;

    /* Loop all SIDs and dump them */
    for (SidIndex = 0; SidIndex < SidCount; SidIndex++)
    {
        RtlConvertSidToUnicodeString(&SidString, Sids[SidIndex].Sid, TRUE);
        DbgPrint("%lu# %wZ\n", SidIndex, &SidString);
        RtlFreeUnicodeString(&SidString);
    }
}

Referenced by SepDumpTokenDebugInfo().

SepDumpTokenDebugInfo()

VOID SepDumpTokenDebugInfo

(

_In_opt_ PTOKEN

Token

)

Dumps debug information of an access token to the debugger.

Definition at line 274 of file debug.c.

{
    UNICODE_STRING SidString;

    /* Don't dump anything if no token was provided */
    if (!Token)
    {
        return;
    }

    /* Dump relevant token info */
    DbgPrint("================== ACCESS TOKEN DUMP INFO ==================\n");
    DbgPrint("Token -> 0x%p\n", Token);
    DbgPrint("Token->ImageFileName -> %s\n", Token->ImageFileName);
    DbgPrint("Token->TokenSource.SourceName -> \"%-.*s\"\n",
             RTL_NUMBER_OF(Token->TokenSource.SourceName),
             Token->TokenSource.SourceName);
    DbgPrint("Token->TokenSource.SourceIdentifier -> %lu.%lu\n",
             Token->TokenSource.SourceIdentifier.HighPart,
             Token->TokenSource.SourceIdentifier.LowPart);

    RtlConvertSidToUnicodeString(&SidString, Token->PrimaryGroup, TRUE);
    DbgPrint("Token primary group SID -> %wZ\n", &SidString);
    RtlFreeUnicodeString(&SidString);

    DbgPrint("Token user and groups SIDs:\n");
    SepDumpSidsOfToken(Token->UserAndGroups, Token->UserAndGroupCount);

    if (SeTokenIsRestricted(Token))
    {
        DbgPrint("Token restricted SIDs:\n");
        SepDumpSidsOfToken(Token->RestrictedSids, Token->RestrictedSidCount);
    }
}

Referenced by SepAccessCheck().

SepGetAceTypeString()

static PCSTR SepGetAceTypeString ( _In_ UCHAR  AceType )

static

Converts an Access Control Entry (ACE) type to a string.

Returns

Returns a converted ACE type strings. If no known ACE type is found, it will return UNKNOWN TYPE.

Definition at line 27 of file debug.c.

{
#define TOSTR(x)    #x
    static const PCSTR AceTypes[] =
    {
        TOSTR(ACCESS_ALLOWED_ACE_TYPE),
        TOSTR(ACCESS_DENIED_ACE_TYPE),
        TOSTR(SYSTEM_AUDIT_ACE_TYPE),
        TOSTR(SYSTEM_ALARM_ACE_TYPE),
        TOSTR(ACCESS_ALLOWED_COMPOUND_ACE_TYPE),
        TOSTR(ACCESS_ALLOWED_OBJECT_ACE_TYPE),
        TOSTR(ACCESS_DENIED_OBJECT_ACE_TYPE),
        TOSTR(SYSTEM_AUDIT_OBJECT_ACE_TYPE),
        TOSTR(SYSTEM_ALARM_OBJECT_ACE_TYPE),
        TOSTR(ACCESS_ALLOWED_CALLBACK_ACE_TYPE),
        TOSTR(ACCESS_DENIED_CALLBACK_ACE_TYPE),
        TOSTR(ACCESS_ALLOWED_CALLBACK_OBJECT_ACE_TYPE),
        TOSTR(ACCESS_DENIED_CALLBACK_OBJECT_ACE_TYPE),
        TOSTR(SYSTEM_AUDIT_CALLBACK_ACE_TYPE),
        TOSTR(SYSTEM_ALARM_CALLBACK_ACE_TYPE),
        TOSTR(SYSTEM_AUDIT_CALLBACK_OBJECT_ACE_TYPE),
        TOSTR(SYSTEM_ALARM_CALLBACK_OBJECT_ACE_TYPE),
        TOSTR(SYSTEM_MANDATORY_LABEL_ACE_TYPE),
    };
#undef TOSTR

    if (AceType < RTL_NUMBER_OF(AceTypes))
        return AceTypes[AceType];
    else
        return "UNKNOWN TYPE";
}

Referenced by SepDumpAces().