ReactOS  0.4.15-dev-5488-ge316d61
sid.c File Reference
#include <ntoskrnl.h>
#include <debug.h>
Include dependency graph for sid.c:

Go to the source code of this file.

Classes

struct  _SID_VALIDATE
 

Macros

#define NDEBUG
 
#define SE_MAXIMUM_GROUP_LIMIT   0x1000
 

Typedefs

typedef struct _SID_VALIDATE SID_VALIDATE
 
typedef struct _SID_VALIDATEPSID_VALIDATE
 

Functions

VOID NTAPI FreeInitializedSids (VOID)
 Frees all the known initialized SIDs in the system from the memory. More...
 
BOOLEAN NTAPI SepInitSecurityIDs (VOID)
 Initializes all the SIDs known in the system. More...
 
NTSTATUS NTAPI SepCaptureSid (_In_ PSID InputSid, _In_ KPROCESSOR_MODE AccessMode, _In_ POOL_TYPE PoolType, _In_ BOOLEAN CaptureIfKernel, _Out_ PSID *CapturedSid)
 Captures a SID. More...
 
VOID NTAPI SepReleaseSid (_In_ PSID CapturedSid, _In_ KPROCESSOR_MODE AccessMode, _In_ BOOLEAN CaptureIfKernel)
 Releases a captured SID. More...
 
BOOLEAN NTAPI SepSidInTokenEx (_In_ PACCESS_TOKEN _Token, _In_ PSID PrincipalSelfSid, _In_ PSID _Sid, _In_ BOOLEAN Deny, _In_ BOOLEAN Restricted)
 Checks if a SID is present in a token. More...
 
BOOLEAN NTAPI SepSidInToken (_In_ PACCESS_TOKEN _Token, _In_ PSID Sid)
 Checks if a SID is present in a token. More...
 
PSID NTAPI SepGetSidFromAce (_In_ UCHAR AceType, _In_ PACE Ace)
 Captures a security identifier from a given access control entry. This identifier is valid for the whole of its lifetime. More...
 
NTSTATUS NTAPI SeCaptureSidAndAttributesArray (_In_ PSID_AND_ATTRIBUTES SrcSidAndAttributes, _In_ ULONG AttributeCount, _In_ KPROCESSOR_MODE PreviousMode, _In_opt_ PVOID AllocatedMem, _In_ ULONG AllocatedLength, _In_ POOL_TYPE PoolType, _In_ BOOLEAN CaptureIfKernel, _Out_ PSID_AND_ATTRIBUTES *CapturedSidAndAttributes, _Out_ PULONG ResultLength)
 Captures a SID with attributes. More...
 
VOID NTAPI SeReleaseSidAndAttributesArray (_In_ _Post_invalid_ PSID_AND_ATTRIBUTES CapturedSidAndAttributes, _In_ KPROCESSOR_MODE AccessMode, _In_ BOOLEAN CaptureIfKernel)
 Releases a captured SID with attributes. More...
 

Variables

SID_IDENTIFIER_AUTHORITY SeNullSidAuthority = {SECURITY_NULL_SID_AUTHORITY}
 
SID_IDENTIFIER_AUTHORITY SeWorldSidAuthority = {SECURITY_WORLD_SID_AUTHORITY}
 
SID_IDENTIFIER_AUTHORITY SeLocalSidAuthority = {SECURITY_LOCAL_SID_AUTHORITY}
 
SID_IDENTIFIER_AUTHORITY SeCreatorSidAuthority = {SECURITY_CREATOR_SID_AUTHORITY}
 
SID_IDENTIFIER_AUTHORITY SeNtSidAuthority = {SECURITY_NT_AUTHORITY}
 
PSID SeNullSid = NULL
 
PSID SeWorldSid = NULL
 
PSID SeLocalSid = NULL
 
PSID SeCreatorOwnerSid = NULL
 
PSID SeCreatorGroupSid = NULL
 
PSID SeCreatorOwnerServerSid = NULL
 
PSID SeCreatorGroupServerSid = NULL
 
PSID SeNtAuthoritySid = NULL
 
PSID SeDialupSid = NULL
 
PSID SeNetworkSid = NULL
 
PSID SeBatchSid = NULL
 
PSID SeInteractiveSid = NULL
 
PSID SeServiceSid = NULL
 
PSID SePrincipalSelfSid = NULL
 
PSID SeLocalSystemSid = NULL
 
PSID SeAuthenticatedUserSid = NULL
 
PSID SeRestrictedCodeSid = NULL
 
PSID SeAliasAdminsSid = NULL
 
PSID SeAliasUsersSid = NULL
 
PSID SeAliasGuestsSid = NULL
 
PSID SeAliasPowerUsersSid = NULL
 
PSID SeAliasAccountOpsSid = NULL
 
PSID SeAliasSystemOpsSid = NULL
 
PSID SeAliasPrintOpsSid = NULL
 
PSID SeAliasBackupOpsSid = NULL
 
PSID SeAuthenticatedUsersSid = NULL
 
PSID SeRestrictedSid = NULL
 
PSID SeAnonymousLogonSid = NULL
 
PSID SeLocalServiceSid = NULL
 
PSID SeNetworkServiceSid = NULL
 

Macro Definition Documentation

◆ NDEBUG

#define NDEBUG

Definition at line 11 of file sid.c.

◆ SE_MAXIMUM_GROUP_LIMIT

#define SE_MAXIMUM_GROUP_LIMIT   0x1000

Definition at line 16 of file sid.c.

Typedef Documentation

◆ PSID_VALIDATE

◆ SID_VALIDATE

Function Documentation

◆ FreeInitializedSids()

VOID NTAPI FreeInitializedSids ( VOID  )

Frees all the known initialized SIDs in the system from the memory.

Returns
Nothing.

Definition at line 72 of file sid.c.

73 {
102 }
PSID SeAliasPrintOpsSid
Definition: sid.c:47
PSID SeAnonymousLogonSid
Definition: sid.c:51
PSID SeBatchSid
Definition: sid.c:34
PSID SeLocalSystemSid
Definition: sid.c:38
PSID SeAliasAdminsSid
Definition: sid.c:41
PSID SeDialupSid
Definition: sid.c:32
#define TAG_SID
Definition: sid.c:15
PSID SeAliasBackupOpsSid
Definition: sid.c:48
PSID SePrincipalSelfSid
Definition: sid.c:37
PSID SeCreatorOwnerServerSid
Definition: sid.c:29
PSID SeServiceSid
Definition: sid.c:36
PSID SeAliasUsersSid
Definition: sid.c:42
PSID SeAliasGuestsSid
Definition: sid.c:43
PSID SeAuthenticatedUserSid
Definition: sid.c:39
PSID SeWorldSid
Definition: sid.c:25
PSID SeLocalSid
Definition: sid.c:26
PSID SeAuthenticatedUsersSid
Definition: sid.c:49
PSID SeAliasPowerUsersSid
Definition: sid.c:44
PSID SeNetworkSid
Definition: sid.c:33
PSID SeCreatorGroupSid
Definition: sid.c:28
PSID SeRestrictedSid
Definition: sid.c:50
PSID SeCreatorGroupServerSid
Definition: sid.c:30
PSID SeRestrictedCodeSid
Definition: sid.c:40
PSID SeCreatorOwnerSid
Definition: sid.c:27
PSID SeAliasSystemOpsSid
Definition: sid.c:46
PSID SeInteractiveSid
Definition: sid.c:35
PSID SeNullSid
Definition: sid.c:24
#define ExFreePoolWithTag(_P, _T)
Definition: module.h:1099
PSID SeNtAuthoritySid
Definition: sid.c:31
PSID SeAliasAccountOpsSid
Definition: sid.c:45

Referenced by SepInitSecurityIDs().

◆ SeCaptureSidAndAttributesArray()

NTSTATUS NTAPI SeCaptureSidAndAttributesArray ( _In_ PSID_AND_ATTRIBUTES  SrcSidAndAttributes,
_In_ ULONG  AttributeCount,
_In_ KPROCESSOR_MODE  PreviousMode,
_In_opt_ PVOID  AllocatedMem,
_In_ ULONG  AllocatedLength,
_In_ POOL_TYPE  PoolType,
_In_ BOOLEAN  CaptureIfKernel,
_Out_ PSID_AND_ATTRIBUTES CapturedSidAndAttributes,
_Out_ PULONG  ResultLength 
)

Captures a SID with attributes.

Parameters
[in]SrcSidAndAttributesSource of the SID with attributes to be captured.
[in]AttributeCountThe number count of attributes, in total.
[in]PreviousModeProcessor access level mode.
[in]AllocatedMemThe allocated memory buffer for the captured SID. If the caller supplies no allocated block of memory then the function will allocate some buffer block of memory for the captured SID automatically.
[in]AllocatedLengthThe length of the buffer that points to the allocated memory, in bytes.
[in]PoolTypeThe pool type for the captured SID and attributes to assign.
[in]CaptureIfKernelIf set to TRUE, the capturing is done within the kernel. Otherwise the capturing is done in a kernel mode driver.
[out]CapturedSidAndAttributesThe captured SID and attributes.
[out]ResultLengthThe length of the captured SID and attributes, in bytes.
Returns
Returns STATUS_SUCCESS if SID and attributes capturing has been completed successfully. STATUS_INVALID_PARAMETER is returned if the count of attributes exceeds the maximum threshold that the kernel can permit, with the purpose of avoiding integer overflows. STATUS_INSUFFICIENT_RESOURCES is returned if memory pool allocation for the captured SID has failed. STATUS_BUFFER_TOO_SMALL is returned if the length of the allocated buffer is less than the required size. STATUS_INVALID_SID is returned if a SID doesn't meet certain requirements to be considered a valid SID by the security manager. A failure NTSTATUS code is returned otherwise.
Remarks
A security identifier (SID) is a variable-length data structure that can change in size over time, depending on the factors that influence this effect in question. An attacker can take advantage of this fact and can potentially modify certain properties of a SID making it different in size than it was originally before. This is what we'd call, a TOCTOU vulnerability.

For this reason, the logic of copying the SIDs and their attributes into a new buffer goes like this: first, allocate a buffer array that just holds the lengths and subauthority count of each SID. Such information is copied in the first loop. Then in a second loop, iterate over the array with SID provided and copy them into the final array. The moment we're doing this, validate the lengths of each SID basing upon the captured lengths we've got before. In this way we ensure that the SIDs have remained intact. The validation checks are done in user mode as a general rule that we just cannot trust UM and whatever data is coming from it.

Definition at line 711 of file sid.c.

721 {
722  ULONG ArraySize, RequiredLength, SidLength, i;
723  ULONG TempArrayValidate, TempLengthValidate;
724  PSID_AND_ATTRIBUTES SidAndAttributes;
725  _SEH2_VOLATILE PSID_VALIDATE ValidateArray;
726  PUCHAR CurrentDest;
727  PISID Sid;
729  PAGED_CODE();
730 
731  ValidateArray = NULL;
732  SidAndAttributes = NULL;
733  *CapturedSidAndAttributes = NULL;
734  *ResultLength = 0;
735 
736  if (AttributeCount == 0)
737  {
738  return STATUS_SUCCESS;
739  }
740 
741  if (AttributeCount > SE_MAXIMUM_GROUP_LIMIT)
742  {
743  DPRINT1("SeCaptureSidAndAttributesArray(): Maximum group limit exceeded!\n");
745  }
746 
747  if ((PreviousMode == KernelMode) && !CaptureIfKernel)
748  {
749  *CapturedSidAndAttributes = SrcSidAndAttributes;
750  return STATUS_SUCCESS;
751  }
752 
753  ArraySize = AttributeCount * sizeof(SID_AND_ATTRIBUTES);
754  RequiredLength = ALIGN_UP_BY(ArraySize, sizeof(ULONG));
755 
756  if (PreviousMode != KernelMode)
757  {
758  /* Check for user mode data */
759  _SEH2_TRY
760  {
761  /* First probe the whole array */
762  ProbeForRead(SrcSidAndAttributes, ArraySize, sizeof(ULONG));
763 
764  /* We're in user mode, set up the size for the temporary array */
765  TempArrayValidate = AttributeCount * sizeof(SID_VALIDATE);
766  TempLengthValidate = ALIGN_UP_BY(TempArrayValidate, sizeof(ULONG));
767 
768  /*
769  * Allocate a buffer for the array that we're going to
770  * temporarily hold the subauthority count and the SID
771  * elements. We'll be going to use this array to perform
772  * validation checks later.
773  */
775  TempLengthValidate,
777 
778  /* Loop the array elements */
779  for (i = 0; i < AttributeCount; i++)
780  {
781  /* Get the SID and probe the minimal structure */
782  Sid = SrcSidAndAttributes[i].Sid;
783  ProbeForRead(Sid, sizeof(*Sid), sizeof(ULONG));
784 
785  /*
786  * Capture the subauthority count and hold it
787  * into the temporary array for later validation.
788  * This way we ensure that the said count of each
789  * SID has remained the same.
790  */
791  ValidateArray[i].SubAuthorityCount = Sid->SubAuthorityCount;
792 
793  /* Capture the SID */
794  ValidateArray[i].ProbeSid = Sid;
795 
796  /* Calculate the SID length and probe the full SID */
797  SidLength = RtlLengthRequiredSid(ValidateArray[i].SubAuthorityCount);
798  ProbeForRead(ValidateArray[i].ProbeSid, SidLength, sizeof(ULONG));
799 
800  /* Add the aligned length to the required length */
801  RequiredLength += ALIGN_UP_BY(SidLength, sizeof(ULONG));
802  }
803  }
805  {
807  _SEH2_YIELD(goto Cleanup);
808  }
809  _SEH2_END;
810  }
811  else
812  {
813  /* Loop the array elements */
814  for (i = 0; i < AttributeCount; i++)
815  {
816  /* Get the SID and it's length */
817  Sid = SrcSidAndAttributes[i].Sid;
819 
820  /* Add the aligned length to the required length */
821  RequiredLength += ALIGN_UP_BY(SidLength, sizeof(ULONG));
822  }
823  }
824 
825  /* Assume success */
828 
829  /* Check if we have no buffer */
830  if (AllocatedMem == NULL)
831  {
832  /* Allocate a new buffer */
833  SidAndAttributes = ExAllocatePoolWithTag(PoolType,
836  if (SidAndAttributes == NULL)
837  {
838  DPRINT1("SeCaptureSidAndAttributesArray(): Failed to allocate memory for SID and attributes array (requested size -> %lu)!\n", RequiredLength);
840  goto Cleanup;
841  }
842  }
843  /* Otherwise check if the buffer is large enough */
844  else if (AllocatedLength >= RequiredLength)
845  {
846  /* Buffer is large enough, use it */
847  SidAndAttributes = AllocatedMem;
848  }
849  else
850  {
851  /* Buffer is too small, fail */
852  DPRINT1("SeCaptureSidAndAttributesArray(): The provided buffer is small (expected size -> %lu || current size -> %lu)!\n", RequiredLength, AllocatedLength);
854  goto Cleanup;
855  }
856 
857  *CapturedSidAndAttributes = SidAndAttributes;
858 
859  /* Check again for user mode */
860  if (PreviousMode != KernelMode)
861  {
862  _SEH2_TRY
863  {
864  /* The rest of the data starts after the array */
865  CurrentDest = (PUCHAR)SidAndAttributes;
866  CurrentDest += ALIGN_UP_BY(ArraySize, sizeof(ULONG));
867 
868  /* Loop the array elements */
869  for (i = 0; i < AttributeCount; i++)
870  {
871  /*
872  * Get the SID length from the subauthority
873  * count we've captured before.
874  */
875  SidLength = RtlLengthRequiredSid(ValidateArray[i].SubAuthorityCount);
876 
877  /* Copy attributes */
878  SidAndAttributes[i].Attributes = SrcSidAndAttributes[i].Attributes;
879 
880  /* Copy the SID to the current destination address */
881  SidAndAttributes[i].Sid = (PSID)CurrentDest;
882  RtlCopyMemory(CurrentDest, ValidateArray[i].ProbeSid, SidLength);
883 
884  /* Obtain the SID we've captured before for validation */
885  Sid = SidAndAttributes[i].Sid;
886 
887  /* Validate that the subauthority count hasn't changed */
888  if (ValidateArray[i].SubAuthorityCount !=
890  {
891  /* It's changed, bail out */
892  DPRINT1("SeCaptureSidAndAttributesArray(): The subauthority counts have changed (captured count -> %u || current count -> %u)\n",
893  ValidateArray[i].SubAuthorityCount, Sid->SubAuthorityCount);
895  goto Cleanup;
896  }
897 
898  /* Validate that the SID length is the same */
899  if (SidLength != RtlLengthSid(Sid))
900  {
901  /* They're no longer the same, bail out */
902  DPRINT1("SeCaptureSidAndAttributesArray(): The SID lengths have changed (captured length -> %lu || current length -> %lu)\n",
903  SidLength, RtlLengthSid(Sid));
905  goto Cleanup;
906  }
907 
908  /* Check that the SID is valid */
909  if (!RtlValidSid(Sid))
910  {
911  DPRINT1("SeCaptureSidAndAttributesArray(): The SID is not valid!\n");
913  goto Cleanup;
914  }
915 
916  /* Update the current destination address */
917  CurrentDest += ALIGN_UP_BY(SidLength, sizeof(ULONG));
918  }
919  }
921  {
923  }
924  _SEH2_END;
925  }
926  else
927  {
928  /* The rest of the data starts after the array */
929  CurrentDest = (PUCHAR)SidAndAttributes;
930  CurrentDest += ALIGN_UP_BY(ArraySize, sizeof(ULONG));
931 
932  /* Loop the array elements */
933  for (i = 0; i < AttributeCount; i++)
934  {
935  /* Get the SID and it's length */
936  Sid = SrcSidAndAttributes[i].Sid;
938 
939  /* Copy attributes */
940  SidAndAttributes[i].Attributes = SrcSidAndAttributes[i].Attributes;
941 
942  /* Copy the SID to the current destination address */
943  SidAndAttributes[i].Sid = (PSID)CurrentDest;
944  RtlCopyMemory(CurrentDest, SrcSidAndAttributes[i].Sid, SidLength);
945 
946  /* Update the current destination address */
947  CurrentDest += ALIGN_UP_BY(SidLength, sizeof(ULONG));
948  }
949  }
950 
951 Cleanup:
952  /* Check for failure */
953  if (!NT_SUCCESS(Status))
954  {
955  /* Check if we allocated a new array */
956  if ((SidAndAttributes != AllocatedMem) && (SidAndAttributes != NULL))
957  {
958  /* Free the array */
959  ExFreePoolWithTag(SidAndAttributes, TAG_SID_AND_ATTRIBUTES);
960  }
961 
962  /* Set returned address to NULL */
963  *CapturedSidAndAttributes = NULL;
964  }
965 
966  /* Free the temporary validation array */
967  if ((PreviousMode != KernelMode) && (ValidateArray != NULL))
968  {
969  ExFreePoolWithTag(ValidateArray, TAG_SID_VALIDATE);
970  }
971 
972  return Status;
973 }
_SEH2_TRY
Definition: create.c:4226
#define SE_MAXIMUM_GROUP_LIMIT
Definition: sid.c:16
#define TAG_SID_AND_ATTRIBUTES
Definition: tag.h:165
#define STATUS_INSUFFICIENT_RESOURCES
Definition: udferr_usr.h:158
#define STATUS_INVALID_PARAMETER
Definition: udferr_usr.h:135
unsigned char * PUCHAR
Definition: retypes.h:3
LONG NTSTATUS
Definition: precomp.h:26
_SEH2_END
Definition: create.c:4400
#define STATUS_BUFFER_TOO_SMALL
Definition: shellext.h:69
struct _SID_VALIDATE SID_VALIDATE
ULONG NTAPI RtlLengthSid(IN PSID Sid_)
Definition: sid.c:150
_In_ ULONG _In_ ACCESS_MASK _In_ PSID Sid
Definition: rtlfuncs.h:1130
#define STATUS_INVALID_SID
Definition: ntstatus.h:356
BOOLEAN NTAPI RtlValidSid(IN PSID Sid_)
Definition: sid.c:21
Status
Definition: gdiplustypes.h:24
_In_ KPROCESSOR_MODE PreviousMode
Definition: sefuncs.h:103
#define NT_SUCCESS(StatCode)
Definition: apphelp.c:32
#define EXCEPTION_EXECUTE_HANDLER
Definition: excpt.h:85
struct _SID_AND_ATTRIBUTES SID_AND_ATTRIBUTES
#define TAG_SID_VALIDATE
Definition: tag.h:166
struct _SID * PSID
Definition: eventlog.c:35
#define ExAllocatePoolWithTag(hernya, size, tag)
Definition: env_spec_w32.h:350
VOID NTAPI ProbeForRead(IN CONST VOID *Address, IN SIZE_T Length, IN ULONG Alignment)
Definition: exintrin.c:102
ULONG NTAPI RtlLengthRequiredSid(IN ULONG SubAuthorityCount)
Definition: sid.c:54
_In_ PSID_IDENTIFIER_AUTHORITY _In_ UCHAR SubAuthorityCount
Definition: rtlfuncs.h:1513
static const WCHAR Cleanup[]
Definition: register.c:80
#define _SEH2_VOLATILE
Definition: pseh2_64.h:169
GLsizei GLenum const GLvoid GLsizei GLenum GLbyte GLbyte GLbyte GLdouble GLdouble GLdouble GLfloat GLfloat GLfloat GLint GLint GLint GLshort GLshort GLshort GLubyte GLubyte GLubyte GLuint GLuint GLuint GLushort GLushort GLushort GLbyte GLbyte GLbyte GLbyte GLdouble GLdouble GLdouble GLdouble GLfloat GLfloat GLfloat GLfloat GLint GLint GLint GLint GLshort GLshort GLshort GLshort GLubyte GLubyte GLubyte GLubyte GLuint GLuint GLuint GLuint GLushort GLushort GLushort GLushort GLboolean const GLdouble const GLfloat const GLint const GLshort const GLbyte const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLdouble const GLfloat const GLfloat const GLint const GLint const GLshort const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort GLenum GLenum GLenum GLfloat GLenum GLint GLenum GLenum GLenum GLfloat GLenum GLenum GLint GLenum GLfloat GLenum GLint GLint GLushort GLenum GLenum GLfloat GLenum GLenum GLint GLfloat const GLubyte GLenum GLenum GLenum const GLfloat GLenum GLenum const GLint GLenum GLint GLint GLsizei GLsizei GLint GLenum GLenum const GLvoid GLenum GLenum const GLfloat GLenum GLenum const GLint GLenum GLenum const GLdouble GLenum GLenum const GLfloat GLenum GLenum const GLint GLsizei GLuint GLfloat GLuint GLbitfield GLfloat GLint GLuint GLboolean GLenum GLfloat GLenum GLbitfield GLenum GLfloat GLfloat GLint GLint const GLfloat GLenum GLfloat GLfloat GLint GLint GLfloat GLfloat GLint GLint const GLfloat GLint GLfloat GLfloat GLint GLfloat GLfloat GLint GLfloat GLfloat const GLdouble const GLfloat const GLdouble const GLfloat GLint i
Definition: glfuncs.h:248
_In_ ULONG _Out_opt_ PULONG RequiredLength
Definition: wmifuncs.h:29
BYTE SubAuthorityCount
Definition: ms-dtyp.idl:200
#define NULL
Definition: types.h:112
#define DPRINT1
Definition: precomp.h:8
_Must_inspect_result_ _In_ WDFDEVICE _In_ DEVICE_REGISTRY_PROPERTY _In_ _Strict_type_match_ POOL_TYPE PoolType
Definition: wdfdevice.h:3810
unsigned int ULONG
Definition: retypes.h:1
#define ALIGN_UP_BY(size, align)
#define RtlCopyMemory(Destination, Source, Length)
Definition: typedefs.h:263
_Must_inspect_result_ _In_ WDFDEVICE _In_ DEVICE_REGISTRY_PROPERTY _In_ ULONG _Out_ PULONG ResultLength
Definition: wdfdevice.h:3776
#define _SEH2_EXCEPT(...)
Definition: pseh2_64.h:40
#define POOL_RAISE_IF_ALLOCATION_FAILURE
#define STATUS_SUCCESS
Definition: shellext.h:65
#define _SEH2_GetExceptionCode()
Definition: pseh2_64.h:165
#define _SEH2_YIELD(__stmt)
Definition: pseh2_64.h:168
#define ExFreePoolWithTag(_P, _T)
Definition: module.h:1099
#define PAGED_CODE()

Referenced by NtAdjustGroupsToken(), NtCreateToken(), and NtFilterToken().

◆ SepCaptureSid()

NTSTATUS NTAPI SepCaptureSid ( _In_ PSID  InputSid,
_In_ KPROCESSOR_MODE  AccessMode,
_In_ POOL_TYPE  PoolType,
_In_ BOOLEAN  CaptureIfKernel,
_Out_ PSID CapturedSid 
)

Captures a SID.

Parameters
[in]InputSidA valid security identifier to be captured.
[in]AccessModeProcessor level access mode.
[in]PoolTypePool memory type for the captured SID to assign upon allocation.
[in]CaptureIfKernelIf set to TRUE, the capturing is done within the kernel. Otherwise the capturing is done in a kernel mode driver.
[out]CapturedSidThe captured security identifier, returned to the caller.
Returns
Returns STATUS_SUCCESS if the SID was captured. STATUS_INSUFFICIENT_RESOURCES is returned if memory pool allocation for the captured SID has failed.

Definition at line 314 of file sid.c.

320 {
321  ULONG SidSize = 0;
322  PISID NewSid, Sid = (PISID)InputSid;
323 
324  PAGED_CODE();
325 
326  if (AccessMode != KernelMode)
327  {
328  _SEH2_TRY
329  {
330  ProbeForRead(Sid, FIELD_OFFSET(SID, SubAuthority), sizeof(UCHAR));
332  ProbeForRead(Sid, SidSize, sizeof(UCHAR));
333  }
335  {
336  /* Return the exception code */
338  }
339  _SEH2_END;
340 
341  /* Allocate a SID and copy it */
343  if (!NewSid)
345 
346  _SEH2_TRY
347  {
348  RtlCopyMemory(NewSid, Sid, SidSize);
349 
350  *CapturedSid = NewSid;
351  }
353  {
354  /* Free the SID and return the exception code */
357  }
358  _SEH2_END;
359  }
360  else if (!CaptureIfKernel)
361  {
362  *CapturedSid = InputSid;
363  }
364  else
365  {
367 
368  /* Allocate a SID and copy it */
370  if (NewSid == NULL)
372 
373  RtlCopyMemory(NewSid, Sid, SidSize);
374 
375  *CapturedSid = NewSid;
376  }
377 
378  return STATUS_SUCCESS;
379 }
_SEH2_TRY
Definition: create.c:4226
#define STATUS_INSUFFICIENT_RESOURCES
Definition: udferr_usr.h:158
#define TAG_SID
Definition: sid.c:15
_SEH2_END
Definition: create.c:4400
struct _SID * PISID
_In_ PEPROCESS _In_ KPROCESSOR_MODE AccessMode
Definition: mmfuncs.h:395
_In_ ULONG _In_ ACCESS_MASK _In_ PSID Sid
Definition: rtlfuncs.h:1130
#define EXCEPTION_EXECUTE_HANDLER
Definition: excpt.h:85
#define ExAllocatePoolWithTag(hernya, size, tag)
Definition: env_spec_w32.h:350
unsigned char UCHAR
Definition: xmlstorage.h:181
VOID NTAPI ProbeForRead(IN CONST VOID *Address, IN SIZE_T Length, IN ULONG Alignment)
Definition: exintrin.c:102
ULONG NTAPI RtlLengthRequiredSid(IN ULONG SubAuthorityCount)
Definition: sid.c:54
#define FIELD_OFFSET(t, f)
Definition: typedefs.h:255
BYTE SubAuthorityCount
Definition: ms-dtyp.idl:200
#define NULL
Definition: types.h:112
_Must_inspect_result_ _In_ WDFDEVICE _In_ DEVICE_REGISTRY_PROPERTY _In_ _Strict_type_match_ POOL_TYPE PoolType
Definition: wdfdevice.h:3810
unsigned int ULONG
Definition: retypes.h:1
#define RtlCopyMemory(Destination, Source, Length)
Definition: typedefs.h:263
#define _SEH2_EXCEPT(...)
Definition: pseh2_64.h:40
#define STATUS_SUCCESS
Definition: shellext.h:65
#define _SEH2_GetExceptionCode()
Definition: pseh2_64.h:165
#define _SEH2_YIELD(__stmt)
Definition: pseh2_64.h:168
#define ExFreePoolWithTag(_P, _T)
Definition: module.h:1099
_In_ PSID _In_ PSID NewSid
Definition: rtlfuncs.h:2813
#define PAGED_CODE()

Referenced by NtCreateToken(), NtSecureConnectPort(), NtSetInformationToken(), and SepAccessCheckAndAuditAlarm().

◆ SepGetSidFromAce()

PSID NTAPI SepGetSidFromAce ( _In_ UCHAR  AceType,
_In_ PACE  Ace 
)

Captures a security identifier from a given access control entry. This identifier is valid for the whole of its lifetime.

Parameters
[in]AceTypeThe type of an access control entry. This type that is given by the calling thread must coincide with the actual ACE that is given in the second parameter otherwise this can potentially lead to UNDEFINED behavior!
[in]AceA pointer to an access control entry, which can be obtained from a DACL.
Returns
Returns a pointer to a security identifier (SID), otherwise NULL is returned if an unsupported ACE type was given to the function.

Definition at line 579 of file sid.c.

582 {
583  PSID Sid;
584  PAGED_CODE();
585 
586  /* Sanity check */
587  ASSERT(Ace);
588 
589  /* Initialize the SID */
590  Sid = NULL;
591 
592  /* Obtain the SID based upon ACE type */
593  switch (AceType)
594  {
596  {
597  Sid = (PSID)&((PACCESS_DENIED_ACE)Ace)->SidStart;
598  break;
599  }
600 
602  {
603  Sid = (PSID)&((PACCESS_ALLOWED_ACE)Ace)->SidStart;
604  break;
605  }
606 
608  {
609  Sid = (PSID)&((PACCESS_DENIED_OBJECT_ACE)Ace)->SidStart;
610  break;
611  }
612 
614  {
615  Sid = (PSID)&((PACCESS_ALLOWED_OBJECT_ACE)Ace)->SidStart;
616  break;
617  }
618 
620  {
621  Sid = (PSID)&((PSYSTEM_AUDIT_ACE)Ace)->SidStart;
622  break;
623  }
624 
626  {
627  Sid = (PSID)&((PSYSTEM_ALARM_ACE)Ace)->SidStart;
628  break;
629  }
630 
631  default:
632  {
633  DPRINT1("SepGetSidFromAce(): Unknown ACE type (Ace 0x%p, Type %u)\n", Ace, AceType);
634  break;
635  }
636  }
637 
638  return Sid;
639 }
#define ACCESS_DENIED_OBJECT_ACE_TYPE
Definition: setypes.h:726
Definition: card.h:12
_In_ ULONG _In_ ACCESS_MASK _In_ PSID Sid
Definition: rtlfuncs.h:1130
#define ASSERT(a)
Definition: mode.c:44
#define ACCESS_ALLOWED_ACE_TYPE
Definition: setypes.h:717
#define ACCESS_ALLOWED_OBJECT_ACE_TYPE
Definition: setypes.h:725
#define ACCESS_DENIED_ACE_TYPE
Definition: setypes.h:718
struct _SID * PSID
Definition: eventlog.c:35
static const ACEFLAG AceType[]
Definition: security.c:2382
#define SYSTEM_ALARM_ACE_TYPE
Definition: setypes.h:720
#define NULL
Definition: types.h:112
#define DPRINT1
Definition: precomp.h:8
#define SYSTEM_AUDIT_ACE_TYPE
Definition: setypes.h:719
#define PAGED_CODE()

Referenced by SepAnalyzeAcesFromDacl(), and SepDumpAces().

◆ SepInitSecurityIDs()

BOOLEAN NTAPI SepInitSecurityIDs ( VOID  )

Initializes all the SIDs known in the system.

Returns
Returns TRUE if all the SIDs have been initialized, FALSE otherwise.

Definition at line 115 of file sid.c.

116 {
117  ULONG SidLength0;
118  ULONG SidLength1;
119  ULONG SidLength2;
120  PULONG SubAuthority;
121 
122  SidLength0 = RtlLengthRequiredSid(0);
123  SidLength1 = RtlLengthRequiredSid(1);
124  SidLength2 = RtlLengthRequiredSid(2);
125 
126  /* create NullSid */
157 
158  if (SeNullSid == NULL || SeWorldSid == NULL ||
162  SeDialupSid == NULL || SeNetworkSid == NULL || SeBatchSid == NULL ||
173  {
175  return FALSE;
176  }
177 
208 
209  SubAuthority = RtlSubAuthoritySid(SeNullSid, 0);
210  *SubAuthority = SECURITY_NULL_RID;
211  SubAuthority = RtlSubAuthoritySid(SeWorldSid, 0);
212  *SubAuthority = SECURITY_WORLD_RID;
213  SubAuthority = RtlSubAuthoritySid(SeLocalSid, 0);
214  *SubAuthority = SECURITY_LOCAL_RID;
215  SubAuthority = RtlSubAuthoritySid(SeCreatorOwnerSid, 0);
216  *SubAuthority = SECURITY_CREATOR_OWNER_RID;
217  SubAuthority = RtlSubAuthoritySid(SeCreatorGroupSid, 0);
218  *SubAuthority = SECURITY_CREATOR_GROUP_RID;
219  SubAuthority = RtlSubAuthoritySid(SeCreatorOwnerServerSid, 0);
220  *SubAuthority = SECURITY_CREATOR_OWNER_SERVER_RID;
221  SubAuthority = RtlSubAuthoritySid(SeCreatorGroupServerSid, 0);
222  *SubAuthority = SECURITY_CREATOR_GROUP_SERVER_RID;
223  SubAuthority = RtlSubAuthoritySid(SeDialupSid, 0);
224  *SubAuthority = SECURITY_DIALUP_RID;
225  SubAuthority = RtlSubAuthoritySid(SeNetworkSid, 0);
226  *SubAuthority = SECURITY_NETWORK_RID;
227  SubAuthority = RtlSubAuthoritySid(SeBatchSid, 0);
228  *SubAuthority = SECURITY_BATCH_RID;
229  SubAuthority = RtlSubAuthoritySid(SeInteractiveSid, 0);
230  *SubAuthority = SECURITY_INTERACTIVE_RID;
231  SubAuthority = RtlSubAuthoritySid(SeServiceSid, 0);
232  *SubAuthority = SECURITY_SERVICE_RID;
233  SubAuthority = RtlSubAuthoritySid(SePrincipalSelfSid, 0);
234  *SubAuthority = SECURITY_PRINCIPAL_SELF_RID;
235  SubAuthority = RtlSubAuthoritySid(SeLocalSystemSid, 0);
236  *SubAuthority = SECURITY_LOCAL_SYSTEM_RID;
237  SubAuthority = RtlSubAuthoritySid(SeAuthenticatedUserSid, 0);
238  *SubAuthority = SECURITY_AUTHENTICATED_USER_RID;
239  SubAuthority = RtlSubAuthoritySid(SeRestrictedCodeSid, 0);
240  *SubAuthority = SECURITY_RESTRICTED_CODE_RID;
241  SubAuthority = RtlSubAuthoritySid(SeAliasAdminsSid, 0);
242  *SubAuthority = SECURITY_BUILTIN_DOMAIN_RID;
243  SubAuthority = RtlSubAuthoritySid(SeAliasAdminsSid, 1);
244  *SubAuthority = DOMAIN_ALIAS_RID_ADMINS;
245  SubAuthority = RtlSubAuthoritySid(SeAliasUsersSid, 0);
246  *SubAuthority = SECURITY_BUILTIN_DOMAIN_RID;
247  SubAuthority = RtlSubAuthoritySid(SeAliasUsersSid, 1);
248  *SubAuthority = DOMAIN_ALIAS_RID_USERS;
249  SubAuthority = RtlSubAuthoritySid(SeAliasGuestsSid, 0);
250  *SubAuthority = SECURITY_BUILTIN_DOMAIN_RID;
251  SubAuthority = RtlSubAuthoritySid(SeAliasGuestsSid, 1);
252  *SubAuthority = DOMAIN_ALIAS_RID_GUESTS;
253  SubAuthority = RtlSubAuthoritySid(SeAliasPowerUsersSid, 0);
254  *SubAuthority = SECURITY_BUILTIN_DOMAIN_RID;
255  SubAuthority = RtlSubAuthoritySid(SeAliasPowerUsersSid, 1);
256  *SubAuthority = DOMAIN_ALIAS_RID_POWER_USERS;
257  SubAuthority = RtlSubAuthoritySid(SeAliasAccountOpsSid, 0);
258  *SubAuthority = SECURITY_BUILTIN_DOMAIN_RID;
259  SubAuthority = RtlSubAuthoritySid(SeAliasAccountOpsSid, 1);
260  *SubAuthority = DOMAIN_ALIAS_RID_ACCOUNT_OPS;
261  SubAuthority = RtlSubAuthoritySid(SeAliasSystemOpsSid, 0);
262  *SubAuthority = SECURITY_BUILTIN_DOMAIN_RID;
263  SubAuthority = RtlSubAuthoritySid(SeAliasSystemOpsSid, 1);
264  *SubAuthority = DOMAIN_ALIAS_RID_SYSTEM_OPS;
265  SubAuthority = RtlSubAuthoritySid(SeAliasPrintOpsSid, 0);
266  *SubAuthority = SECURITY_BUILTIN_DOMAIN_RID;
267  SubAuthority = RtlSubAuthoritySid(SeAliasPrintOpsSid, 1);
268  *SubAuthority = DOMAIN_ALIAS_RID_PRINT_OPS;
269  SubAuthority = RtlSubAuthoritySid(SeAliasBackupOpsSid, 0);
270  *SubAuthority = SECURITY_BUILTIN_DOMAIN_RID;
271  SubAuthority = RtlSubAuthoritySid(SeAliasBackupOpsSid, 1);
272  *SubAuthority = DOMAIN_ALIAS_RID_BACKUP_OPS;
273  SubAuthority = RtlSubAuthoritySid(SeAuthenticatedUsersSid, 0);
274  *SubAuthority = SECURITY_AUTHENTICATED_USER_RID;
275  SubAuthority = RtlSubAuthoritySid(SeRestrictedSid, 0);
276  *SubAuthority = SECURITY_RESTRICTED_CODE_RID;
277  SubAuthority = RtlSubAuthoritySid(SeAnonymousLogonSid, 0);
278  *SubAuthority = SECURITY_ANONYMOUS_LOGON_RID;
279  SubAuthority = RtlSubAuthoritySid(SeLocalServiceSid, 0);
280  *SubAuthority = SECURITY_LOCAL_SERVICE_RID;
281  SubAuthority = RtlSubAuthoritySid(SeNetworkServiceSid, 0);
282  *SubAuthority = SECURITY_NETWORK_SERVICE_RID;
283 
284  return TRUE;
285 }
PSID SeLocalServiceSid
Definition: sid.c:52
#define SECURITY_BATCH_RID
Definition: setypes.h:558
#define SECURITY_AUTHENTICATED_USER_RID
Definition: setypes.h:568
#define SECURITY_LOCAL_SYSTEM_RID
Definition: setypes.h:574
#define DOMAIN_ALIAS_RID_GUESTS
Definition: setypes.h:654
PSID SeAliasPrintOpsSid
Definition: sid.c:47
VOID NTAPI FreeInitializedSids(VOID)
Frees all the known initialized SIDs in the system from the memory.
Definition: sid.c:72
PSID SeAnonymousLogonSid
Definition: sid.c:51
PSID SeBatchSid
Definition: sid.c:34
#define TRUE
Definition: types.h:120
PSID SeLocalSystemSid
Definition: sid.c:38
PSID SeAliasAdminsSid
Definition: sid.c:41
#define DOMAIN_ALIAS_RID_ACCOUNT_OPS
Definition: setypes.h:657
PSID SeDialupSid
Definition: sid.c:32
#define SECURITY_DIALUP_RID
Definition: setypes.h:556
#define SECURITY_NETWORK_RID
Definition: setypes.h:557
#define TAG_SID
Definition: sid.c:15
#define DOMAIN_ALIAS_RID_POWER_USERS
Definition: setypes.h:655
#define SECURITY_INTERACTIVE_RID
Definition: setypes.h:559
PSID SeAliasBackupOpsSid
Definition: sid.c:48
PSID SePrincipalSelfSid
Definition: sid.c:37
PULONG NTAPI RtlSubAuthoritySid(IN PSID Sid_, IN ULONG SubAuthority)
Definition: sid.c:89
#define SECURITY_PRINCIPAL_SELF_RID
Definition: setypes.h:567
PSID SeCreatorOwnerServerSid
Definition: sid.c:29
#define FALSE
Definition: types.h:117
SID_IDENTIFIER_AUTHORITY SeCreatorSidAuthority
Definition: sid.c:21
#define SECURITY_LOCAL_SERVICE_RID
Definition: setypes.h:575
#define SECURITY_CREATOR_GROUP_SERVER_RID
Definition: setypes.h:548
#define SECURITY_BUILTIN_DOMAIN_RID
Definition: setypes.h:581
#define DOMAIN_ALIAS_RID_BACKUP_OPS
Definition: setypes.h:660
PSID SeServiceSid
Definition: sid.c:36
#define DOMAIN_ALIAS_RID_SYSTEM_OPS
Definition: setypes.h:658
#define SECURITY_LOCAL_RID
Definition: setypes.h:542
SID_IDENTIFIER_AUTHORITY SeWorldSidAuthority
Definition: sid.c:19
#define SECURITY_WORLD_RID
Definition: setypes.h:541
#define SECURITY_ANONYMOUS_LOGON_RID
Definition: setypes.h:563
PSID SeAliasUsersSid
Definition: sid.c:42
PSID SeAliasGuestsSid
Definition: sid.c:43
#define SECURITY_CREATOR_OWNER_RID
Definition: setypes.h:545
#define ExAllocatePoolWithTag(hernya, size, tag)
Definition: env_spec_w32.h:350
#define SECURITY_NULL_RID
Definition: setypes.h:540
PSID SeAuthenticatedUserSid
Definition: sid.c:39
PSID SeWorldSid
Definition: sid.c:25
ULONG NTAPI RtlLengthRequiredSid(IN ULONG SubAuthorityCount)
Definition: sid.c:54
PSID SeLocalSid
Definition: sid.c:26
PSID SeAuthenticatedUsersSid
Definition: sid.c:49
PSID SeAliasPowerUsersSid
Definition: sid.c:44
#define SECURITY_NETWORK_SERVICE_RID
Definition: setypes.h:576
PSID SeNetworkSid
Definition: sid.c:33
SID_IDENTIFIER_AUTHORITY SeNullSidAuthority
Definition: sid.c:18
#define SECURITY_CREATOR_GROUP_RID
Definition: setypes.h:546
NTSTATUS NTAPI RtlInitializeSid(IN PSID Sid_, IN PSID_IDENTIFIER_AUTHORITY IdentifierAuthority, IN UCHAR SubAuthorityCount)
Definition: sid.c:68
#define DOMAIN_ALIAS_RID_USERS
Definition: setypes.h:653
unsigned int * PULONG
Definition: retypes.h:1
#define SECURITY_RESTRICTED_CODE_RID
Definition: setypes.h:569
#define NULL
Definition: types.h:112
PSID SeCreatorGroupSid
Definition: sid.c:28
PSID SeRestrictedSid
Definition: sid.c:50
PSID SeCreatorGroupServerSid
Definition: sid.c:30
PSID SeNetworkServiceSid
Definition: sid.c:53
#define SECURITY_CREATOR_OWNER_SERVER_RID
Definition: setypes.h:547
PSID SeRestrictedCodeSid
Definition: sid.c:40
#define DOMAIN_ALIAS_RID_PRINT_OPS
Definition: setypes.h:659
#define SECURITY_SERVICE_RID
Definition: setypes.h:562
unsigned int ULONG
Definition: retypes.h:1
SID_IDENTIFIER_AUTHORITY SeLocalSidAuthority
Definition: sid.c:20
PSID SeCreatorOwnerSid
Definition: sid.c:27
PSID SeAliasSystemOpsSid
Definition: sid.c:46
PSID SeInteractiveSid
Definition: sid.c:35
PSID SeNullSid
Definition: sid.c:24
SID_IDENTIFIER_AUTHORITY SeNtSidAuthority
Definition: sid.c:22
#define DOMAIN_ALIAS_RID_ADMINS
Definition: setypes.h:652
PSID SeNtAuthoritySid
Definition: sid.c:31
PSID SeAliasAccountOpsSid
Definition: sid.c:45

Referenced by SepInitializationPhase0().

◆ SepReleaseSid()

VOID NTAPI SepReleaseSid ( _In_ PSID  CapturedSid,
_In_ KPROCESSOR_MODE  AccessMode,
_In_ BOOLEAN  CaptureIfKernel 
)

Releases a captured SID.

Parameters
[in]CapturedSidThe captured SID to be released.
[in]AccessModeProcessor level access mode.
[in]CaptureIfKernelIf set to TRUE, the releasing is done within the kernel. Otherwise the releasing is done in a kernel mode driver.
Returns
Nothing.

Definition at line 400 of file sid.c.

404 {
405  PAGED_CODE();
406 
407  if (CapturedSid != NULL &&
408  (AccessMode != KernelMode ||
409  (AccessMode == KernelMode && CaptureIfKernel)))
410  {
411  ExFreePoolWithTag(CapturedSid, TAG_SID);
412  }
413 }
#define TAG_SID
Definition: sid.c:15
_In_ PEPROCESS _In_ KPROCESSOR_MODE AccessMode
Definition: mmfuncs.h:395
#define NULL
Definition: types.h:112
#define ExFreePoolWithTag(_P, _T)
Definition: module.h:1099
#define PAGED_CODE()

Referenced by NtCreateToken(), NtSecureConnectPort(), NtSetInformationToken(), and SepAccessCheckAndAuditAlarm().

◆ SepSidInToken()

BOOLEAN NTAPI SepSidInToken ( _In_ PACCESS_TOKEN  _Token,
_In_ PSID  Sid 
)

Checks if a SID is present in a token.

Parameters
[in]_TokenA valid token object.
[in]_SidA regular SID.
Returns
Returns TRUE if the specified SID in the call is present in the token, FALSE otherwise.

Definition at line 547 of file sid.c.

550 {
551  /* Call extended API */
552  return SepSidInTokenEx(_Token, NULL, Sid, FALSE, FALSE);
553 }
#define FALSE
Definition: types.h:117
_In_ ULONG _In_ ACCESS_MASK _In_ PSID Sid
Definition: rtlfuncs.h:1130
BOOLEAN NTAPI SepSidInTokenEx(_In_ PACCESS_TOKEN _Token, _In_ PSID PrincipalSelfSid, _In_ PSID _Sid, _In_ BOOLEAN Deny, _In_ BOOLEAN Restricted)
Checks if a SID is present in a token.
Definition: sid.c:443
#define NULL
Definition: types.h:112

Referenced by SepTokenIsOwner().

◆ SepSidInTokenEx()

BOOLEAN NTAPI SepSidInTokenEx ( _In_ PACCESS_TOKEN  _Token,
_In_ PSID  PrincipalSelfSid,
_In_ PSID  _Sid,
_In_ BOOLEAN  Deny,
_In_ BOOLEAN  Restricted 
)

Checks if a SID is present in a token.

Parameters
[in]_TokenA valid token object.
[in]PrincipalSelfSidA principal self SID.
[in]_SidA regular SID.
[in]DenyIf set to TRUE, the caller expected that a SID in a token must be a deny-only SID, that is, access checks are performed only for deny-only ACEs of the said SID.
[in]RestrictedIf set to TRUE, the caller expects that a SID in a token is restricted (by the general definition, a token is restricted).
Returns
Returns TRUE if the specified SID in the call is present in the token, FALSE otherwise.

Definition at line 443 of file sid.c.

449 {
450  ULONG SidIndex;
451  PTOKEN Token = (PTOKEN)_Token;
452  PISID TokenSid, Sid = (PISID)_Sid;
453  PSID_AND_ATTRIBUTES SidAndAttributes;
454  ULONG SidCount, SidLength;
455  USHORT SidMetadata;
456  PAGED_CODE();
457 
458  /* Check if a principal SID was given, and this is our current SID already */
459  if ((PrincipalSelfSid) && (RtlEqualSid(SePrincipalSelfSid, Sid)))
460  {
461  /* Just use the principal SID in this case */
462  Sid = PrincipalSelfSid;
463  }
464 
465  /* Check if this is a restricted token or not */
466  if (Restricted)
467  {
468  /* Use the restricted SIDs and count */
469  SidAndAttributes = Token->RestrictedSids;
470  SidCount = Token->RestrictedSidCount;
471  }
472  else
473  {
474  /* Use the normal SIDs and count */
475  SidAndAttributes = Token->UserAndGroups;
476  SidCount = Token->UserAndGroupCount;
477  }
478 
479  /* Do checks here by hand instead of the usual 4 function calls */
480  SidLength = FIELD_OFFSET(SID,
481  SubAuthority[Sid->SubAuthorityCount]);
482  SidMetadata = *(PUSHORT)&Sid->Revision;
483 
484  /* Loop every SID */
485  for (SidIndex = 0; SidIndex < SidCount; SidIndex++)
486  {
487  TokenSid = (PISID)SidAndAttributes->Sid;
488 #if SE_SID_DEBUG
489  UNICODE_STRING sidString;
490  RtlConvertSidToUnicodeString(&sidString, TokenSid, TRUE);
491  DPRINT1("SID in Token: %wZ\n", &sidString);
492  RtlFreeUnicodeString(&sidString);
493 #endif
494  /* Check if the SID metadata matches */
495  if (*(PUSHORT)&TokenSid->Revision == SidMetadata)
496  {
497  /* Check if the SID data matches */
498  if (RtlEqualMemory(Sid, TokenSid, SidLength))
499  {
500  /*
501  * Check if the group is enabled, or used for deny only.
502  * Otherwise we have to check if this is the first user.
503  * We understand that by looking if this SID is not
504  * restricted, this is the first element we are iterating
505  * and that it doesn't have SE_GROUP_USE_FOR_DENY_ONLY
506  * attribute.
507  */
508  if ((!Restricted && (SidIndex == 0) && !(SidAndAttributes->Attributes & SE_GROUP_USE_FOR_DENY_ONLY)) ||
509  (SidAndAttributes->Attributes & SE_GROUP_ENABLED) ||
510  ((Deny) && (SidAndAttributes->Attributes & SE_GROUP_USE_FOR_DENY_ONLY)))
511  {
512  /* SID is present */
513  return TRUE;
514  }
515  else
516  {
517  /* SID is not present */
518  return FALSE;
519  }
520  }
521  }
522 
523  /* Move to the next SID */
524  SidAndAttributes++;
525  }
526 
527  /* SID is not present */
528  return FALSE;
529 }
#define TRUE
Definition: types.h:120
BOOLEAN NTAPI RtlEqualSid(IN PSID Sid1_, IN PSID Sid2_)
Definition: sid.c:132
PSID SePrincipalSelfSid
Definition: sid.c:37
NTSTATUS NTAPI RtlConvertSidToUnicodeString(IN PUNICODE_STRING String, IN PSID Sid_, IN BOOLEAN AllocateBuffer)
Definition: sid.c:342
#define FALSE
Definition: types.h:117
struct _SID * PISID
_In_ ULONG _In_ ACCESS_MASK _In_ PSID Sid
Definition: rtlfuncs.h:1130
UNICODE_STRING Restricted
Definition: utils.c:24
NTSYSAPI ULONG NTAPI RtlEqualMemory(CONST VOID *Source1, CONST VOID *Source2, ULONG Length)
#define SE_GROUP_ENABLED
Definition: setypes.h:92
#define for
Definition: utility.h:88
NTSYSAPI VOID NTAPI RtlFreeUnicodeString(PUNICODE_STRING UnicodeString)
#define SE_GROUP_USE_FOR_DENY_ONLY
Definition: setypes.h:94
unsigned short USHORT
Definition: pedump.c:61
struct _TOKEN * PTOKEN
#define FIELD_OFFSET(t, f)
Definition: typedefs.h:255
BYTE SubAuthorityCount
Definition: ms-dtyp.idl:200
#define DPRINT1
Definition: precomp.h:8
unsigned int ULONG
Definition: retypes.h:1
BYTE Revision
Definition: ms-dtyp.idl:199
unsigned short * PUSHORT
Definition: retypes.h:2
#define PAGED_CODE()

Referenced by SepAnalyzeAcesFromDacl(), SepSidInToken(), and SepTokenIsOwner().

◆ SeReleaseSidAndAttributesArray()

VOID NTAPI SeReleaseSidAndAttributesArray ( _In_ _Post_invalid_ PSID_AND_ATTRIBUTES  CapturedSidAndAttributes,
_In_ KPROCESSOR_MODE  AccessMode,
_In_ BOOLEAN  CaptureIfKernel 
)

Releases a captured SID with attributes.

Parameters
[in]CapturedSidAndAttributesThe captured SID with attributes to be released.
[in]AccessModeProcessor access level mode.
[in]CaptureIfKernelIf set to TRUE, the releasing is done within the kernel. Otherwise the releasing is done in a kernel mode driver.
Returns
Nothing.

Definition at line 994 of file sid.c.

998 {
999  PAGED_CODE();
1000 
1001  if ((CapturedSidAndAttributes != NULL) &&
1002  ((AccessMode != KernelMode) || CaptureIfKernel))
1003  {
1004  ExFreePoolWithTag(CapturedSidAndAttributes, TAG_SID_AND_ATTRIBUTES);
1005  }
1006 }
#define TAG_SID_AND_ATTRIBUTES
Definition: tag.h:165
_In_ PEPROCESS _In_ KPROCESSOR_MODE AccessMode
Definition: mmfuncs.h:395
#define NULL
Definition: types.h:112
#define ExFreePoolWithTag(_P, _T)
Definition: module.h:1099
#define PAGED_CODE()

Referenced by NtAdjustGroupsToken(), NtCreateToken(), and NtFilterToken().

Variable Documentation

◆ SeAliasAccountOpsSid

PSID SeAliasAccountOpsSid = NULL

Definition at line 45 of file sid.c.

Referenced by FreeInitializedSids(), SepInitExports(), and SepInitSecurityIDs().

◆ SeAliasAdminsSid

◆ SeAliasBackupOpsSid

PSID SeAliasBackupOpsSid = NULL

Definition at line 48 of file sid.c.

Referenced by FreeInitializedSids(), SepInitExports(), and SepInitSecurityIDs().

◆ SeAliasGuestsSid

PSID SeAliasGuestsSid = NULL

Definition at line 43 of file sid.c.

Referenced by FreeInitializedSids(), SepInitExports(), and SepInitSecurityIDs().

◆ SeAliasPowerUsersSid

PSID SeAliasPowerUsersSid = NULL

Definition at line 44 of file sid.c.

Referenced by FreeInitializedSids(), SepInitExports(), and SepInitSecurityIDs().

◆ SeAliasPrintOpsSid

PSID SeAliasPrintOpsSid = NULL

Definition at line 47 of file sid.c.

Referenced by FreeInitializedSids(), SepInitExports(), and SepInitSecurityIDs().

◆ SeAliasSystemOpsSid

PSID SeAliasSystemOpsSid = NULL

Definition at line 46 of file sid.c.

Referenced by FreeInitializedSids(), SepInitExports(), and SepInitSecurityIDs().

◆ SeAliasUsersSid

PSID SeAliasUsersSid = NULL

Definition at line 42 of file sid.c.

Referenced by FreeInitializedSids(), SepInitExports(), and SepInitSecurityIDs().

◆ SeAnonymousLogonSid

◆ SeAuthenticatedUserSid

PSID SeAuthenticatedUserSid = NULL

Definition at line 39 of file sid.c.

Referenced by FreeInitializedSids(), and SepInitSecurityIDs().

◆ SeAuthenticatedUsersSid

PSID SeAuthenticatedUsersSid = NULL

◆ SeBatchSid

PSID SeBatchSid = NULL

Definition at line 34 of file sid.c.

Referenced by FreeInitializedSids(), SepInitExports(), and SepInitSecurityIDs().

◆ SeCreatorGroupServerSid

PSID SeCreatorGroupServerSid = NULL

Definition at line 30 of file sid.c.

Referenced by FreeInitializedSids(), and SepInitSecurityIDs().

◆ SeCreatorGroupSid

PSID SeCreatorGroupSid = NULL

Definition at line 28 of file sid.c.

Referenced by FreeInitializedSids(), SepInitExports(), SepInitSecurityIDs(), and SepPropagateAcl().

◆ SeCreatorOwnerServerSid

PSID SeCreatorOwnerServerSid = NULL

Definition at line 29 of file sid.c.

Referenced by FreeInitializedSids(), and SepInitSecurityIDs().

◆ SeCreatorOwnerSid

PSID SeCreatorOwnerSid = NULL

◆ SeCreatorSidAuthority

Definition at line 21 of file sid.c.

Referenced by SepInitSecurityIDs().

◆ SeDialupSid

PSID SeDialupSid = NULL

Definition at line 32 of file sid.c.

Referenced by FreeInitializedSids(), SepInitExports(), and SepInitSecurityIDs().

◆ SeInteractiveSid

PSID SeInteractiveSid = NULL

Definition at line 35 of file sid.c.

Referenced by FreeInitializedSids(), SepInitExports(), and SepInitSecurityIDs().

◆ SeLocalServiceSid

PSID SeLocalServiceSid = NULL

Definition at line 52 of file sid.c.

Referenced by SepInitExports(), and SepInitSecurityIDs().

◆ SeLocalSid

PSID SeLocalSid = NULL

Definition at line 26 of file sid.c.

Referenced by FreeInitializedSids(), SepInitExports(), and SepInitSecurityIDs().

◆ SeLocalSidAuthority

Definition at line 20 of file sid.c.

Referenced by SepInitSecurityIDs().

◆ SeLocalSystemSid

◆ SeNetworkServiceSid

PSID SeNetworkServiceSid = NULL

Definition at line 53 of file sid.c.

Referenced by SepInitExports(), and SepInitSecurityIDs().

◆ SeNetworkSid

PSID SeNetworkSid = NULL

Definition at line 33 of file sid.c.

Referenced by FreeInitializedSids(), SepInitExports(), and SepInitSecurityIDs().

◆ SeNtAuthoritySid

PSID SeNtAuthoritySid = NULL

Definition at line 31 of file sid.c.

Referenced by FreeInitializedSids(), SepInitExports(), and SepInitSecurityIDs().

◆ SeNtSidAuthority

Definition at line 22 of file sid.c.

Referenced by SepInitSecurityIDs().

◆ SeNullSid

PSID SeNullSid = NULL

Definition at line 24 of file sid.c.

Referenced by FreeInitializedSids(), SepInitExports(), and SepInitSecurityIDs().

◆ SeNullSidAuthority

Definition at line 18 of file sid.c.

Referenced by SepInitSecurityIDs().

◆ SePrincipalSelfSid

PSID SePrincipalSelfSid = NULL

Definition at line 37 of file sid.c.

Referenced by FreeInitializedSids(), SepInitSecurityIDs(), and SepSidInTokenEx().

◆ SeRestrictedCodeSid

PSID SeRestrictedCodeSid = NULL

◆ SeRestrictedSid

PSID SeRestrictedSid = NULL

Definition at line 50 of file sid.c.

Referenced by FreeInitializedSids(), SepInitExports(), and SepInitSecurityIDs().

◆ SeServiceSid

PSID SeServiceSid = NULL

Definition at line 36 of file sid.c.

Referenced by FreeInitializedSids(), and SepInitSecurityIDs().

◆ SeWorldSid

◆ SeWorldSidAuthority

Definition at line 19 of file sid.c.

Referenced by SepInitSecurityIDs().