49 ULONG ObjectTypeIndex;
50 ULONG ReturnedObjectIndex;
67 DPRINT(
"No object type provided, updating access rights from root\n");
68 ReturnedObjectIndex = 0;
69 goto LoopAndUpdateRightsObjects;
76 &ReturnedObjectIndex))
78LoopAndUpdateRightsObjects:
80 ObjectTypeList[ReturnedObjectIndex].ObjectAccessRights.DeniedAccessRights |=
81 (
AccessMask & ~ObjectTypeList[ReturnedObjectIndex].ObjectAccessRights.GrantedAccessRights);
82 DPRINT(
"Denied rights 0x%08lx of target object at index %lu\n",
83 ObjectTypeList[ReturnedObjectIndex].ObjectAccessRights.DeniedAccessRights, ReturnedObjectIndex);
86 for (ObjectTypeIndex = ReturnedObjectIndex + 1;
87 ObjectTypeIndex < ObjectTypeListLength;
94 Level = ObjectTypeList[ObjectTypeIndex].Level;
95 if (
Level <= ObjectTypeList[ReturnedObjectIndex].
Level)
97 DPRINT(
"We looked for all children objects, stop looking\n");
102 ObjectTypeList[ObjectTypeIndex].ObjectAccessRights.DeniedAccessRights |=
103 (
AccessMask & ~ObjectTypeList[ObjectTypeIndex].ObjectAccessRights.GrantedAccessRights);
104 DPRINT(
"Denied rights 0x%08lx of child object at index %lu\n",
105 ObjectTypeList[ObjectTypeIndex].ObjectAccessRights.DeniedAccessRights, ObjectTypeIndex);
141 ULONG ObjectTypeIndex;
142 ULONG ReturnedObjectIndex;
155 DPRINT(
"No object type provided, updating access rights from root\n");
156 ReturnedObjectIndex = 0;
157 goto LoopAndUpdateRightsObjects;
162 ObjectTypeListLength,
164 &ReturnedObjectIndex))
166LoopAndUpdateRightsObjects:
168 ObjectTypeList[ReturnedObjectIndex].ObjectAccessRights.GrantedAccessRights |=
169 (
AccessMask & ~ObjectTypeList[ReturnedObjectIndex].ObjectAccessRights.DeniedAccessRights);
170 DPRINT(
"Granted rights 0x%08lx of target object at index %lu\n",
171 ObjectTypeList[ReturnedObjectIndex].ObjectAccessRights.GrantedAccessRights, ReturnedObjectIndex);
174 for (ObjectTypeIndex = ReturnedObjectIndex + 1;
175 ObjectTypeIndex < ObjectTypeListLength;
182 Level = ObjectTypeList[ObjectTypeIndex].Level;
183 if (
Level <= ObjectTypeList[ReturnedObjectIndex].
Level)
189 ObjectTypeList[ObjectTypeIndex].ObjectAccessRights.GrantedAccessRights |=
190 (
AccessMask & ~ObjectTypeList[ObjectTypeIndex].ObjectAccessRights.DeniedAccessRights);
191 DPRINT(
"Granted rights 0x%08lx of child object at index %lu\n",
192 ObjectTypeList[ObjectTypeIndex].ObjectAccessRights.GrantedAccessRights, ObjectTypeIndex);
235 ULONG ReturnedObjectIndex;
252 if (ObjectTypeList[0].ObjectAccessRights.RemainingAccessRights &
AccessMask)
254 DPRINT(
"Root object requests remaining access right that is denied 0x%08lx\n",
AccessMask);
258 ObjectTypeList[0].ObjectAccessRights.DeniedAccessRights |=
259 (
AccessMask & ~ObjectTypeList[0].ObjectAccessRights.GrantedAccessRights);
260 DPRINT(
"Denied rights of root object 0x%08lx\n", ObjectTypeList[0].ObjectAccessRights.DeniedAccessRights);
269 ObjectTypeListLength,
271 &ReturnedObjectIndex))
273 if (ObjectTypeList[ReturnedObjectIndex].ObjectAccessRights.RemainingAccessRights &
AccessMask)
275 DPRINT(
"Object at index %lu requests remaining access right that is denied 0x%08lx\n", ReturnedObjectIndex,
AccessMask);
279 ObjectTypeList[ReturnedObjectIndex].ObjectAccessRights.DeniedAccessRights |=
280 (
AccessMask & ~ObjectTypeList[ReturnedObjectIndex].ObjectAccessRights.GrantedAccessRights);
281 DPRINT(
"Denied rights 0x%08lx of object at index %lu\n",
282 ObjectTypeList[ReturnedObjectIndex].ObjectAccessRights.DeniedAccessRights, ReturnedObjectIndex);
289 *BreakOnDeny = MustBreak;
331 ULONG ReturnedObjectIndex;
344 if (RemoveRemainingRights)
346 ObjectTypeList[0].ObjectAccessRights.RemainingAccessRights &= ~AccessMask;
347 DPRINT(
"Remaining rights of root object 0x%08lx\n", ObjectTypeList[0].ObjectAccessRights.RemainingAccessRights);
350 ObjectTypeList[0].ObjectAccessRights.GrantedAccessRights |=
351 (
AccessMask & ~ObjectTypeList[0].ObjectAccessRights.DeniedAccessRights);
352 DPRINT(
"Granted rights of root object 0x%08lx\n", ObjectTypeList[0].ObjectAccessRights.GrantedAccessRights);
363 ObjectTypeListLength,
365 &ReturnedObjectIndex))
368 if (RemoveRemainingRights)
370 ObjectTypeList[ReturnedObjectIndex].ObjectAccessRights.RemainingAccessRights &= ~AccessMask;
371 DPRINT(
"Remaining rights of object 0x%08lx at index %lu\n",
372 ObjectTypeList[ReturnedObjectIndex].ObjectAccessRights.RemainingAccessRights, ReturnedObjectIndex);
376 ObjectTypeList[ReturnedObjectIndex].ObjectAccessRights.GrantedAccessRights |=
377 (
AccessMask & ~ObjectTypeList[ReturnedObjectIndex].ObjectAccessRights.DeniedAccessRights);
378 DPRINT(
"Granted rights of object 0x%08lx at index %lu\n",
379 ObjectTypeList[ReturnedObjectIndex].ObjectAccessRights.GrantedAccessRights, ReturnedObjectIndex);
477 ULONG ObjectTypeIndex;
479 PGUID ObjectTypeGuid;
526 Access = CurrentAce->AccessMask;
535 AccessCheckRights->DeniedAccessRights |= (Access & ~AccessCheckRights->GrantedAccessRights);
536 DPRINT(
"DeniedAccessRights 0x%08lx\n", AccessCheckRights->DeniedAccessRights);
548 Access = CurrentAce->AccessMask;
557 AccessCheckRights->GrantedAccessRights |= (Access & ~AccessCheckRights->DeniedAccessRights);
558 DPRINT(
"GrantedAccessRights 0x%08lx\n", AccessCheckRights->GrantedAccessRights);
571 Access = CurrentAce->AccessMask;
580 if (!ObjectTypeList && !ObjectTypeListLength)
582 AccessCheckRights->DeniedAccessRights |= (Access & ~AccessCheckRights->GrantedAccessRights);
583 DPRINT(
"DeniedAccessRights 0x%08lx\n", AccessCheckRights->DeniedAccessRights);
585 else if (!UseResultList)
595 ObjectTypeListLength,
604 ObjectTypeListLength,
620 Access = CurrentAce->AccessMask;
629 if (!ObjectTypeList && !ObjectTypeListLength)
631 AccessCheckRights->GrantedAccessRights |= (Access & ~AccessCheckRights->DeniedAccessRights);
632 DPRINT(
"GrantedAccessRights 0x%08lx\n", AccessCheckRights->GrantedAccessRights);
634 else if (!UseResultList)
642 ObjectTypeListLength,
651 ObjectTypeListLength,
659 DPRINT1(
"Unsupported ACE type 0x%lx\n", CurrentAce->Header.AceType);
676 ASSERT(RemainingAccess != 0);
677 AccessCheckRights->RemainingAccessRights = RemainingAccess;
680 if (ObjectTypeList && (ObjectTypeListLength != 0))
682 for (ObjectTypeIndex = 0;
683 ObjectTypeIndex < ObjectTypeListLength;
686 ObjectTypeList[ObjectTypeIndex].ObjectAccessRights.RemainingAccessRights = RemainingAccess;
714 Access = CurrentAce->AccessMask;
727 if (AccessCheckRights->RemainingAccessRights & Access)
729 DPRINT(
"Refuted access 0x%08lx\n", Access);
730 AccessCheckRights->DeniedAccessRights |= Access;
744 Access = CurrentAce->AccessMask;
753 DPRINT(
"RemainingAccessRights 0x%08lx Access 0x%08lx\n", AccessCheckRights->RemainingAccessRights, Access);
754 AccessCheckRights->RemainingAccessRights &= ~Access;
755 DPRINT(
"RemainingAccessRights 0x%08lx\n", AccessCheckRights->RemainingAccessRights);
758 AccessCheckRights->GrantedAccessRights |= Access;
771 Access = CurrentAce->AccessMask;
780 if (!ObjectTypeList && !ObjectTypeListLength)
782 if (AccessCheckRights->RemainingAccessRights & Access)
784 DPRINT(
"Refuted access 0x%08lx\n", Access);
785 AccessCheckRights->DeniedAccessRights |= Access;
797 ObjectTypeListLength,
805 DPRINT(
"Refuted access 0x%08lx\n", Access);
821 Access = CurrentAce->AccessMask;
830 if (!ObjectTypeList && !ObjectTypeListLength)
833 DPRINT(
"RemainingAccessRights 0x%08lx Access 0x%08lx\n", AccessCheckRights->RemainingAccessRights, Access);
834 AccessCheckRights->RemainingAccessRights &= ~Access;
835 DPRINT(
"RemainingAccessRights 0x%08lx\n", AccessCheckRights->RemainingAccessRights);
838 AccessCheckRights->GrantedAccessRights |= Access;
844 ObjectTypeListLength,
853 DPRINT1(
"Unsupported ACE type 0x%lx\n", CurrentAce->Header.AceType);
962 ULONG ResultListIndex;
963 ULONG ObjectTypeIndex;
984 DPRINT1(
"The caller has no previously granted access gained!\n");
986 goto ReturnCommonStatus;
992 goto ReturnCommonStatus;
1012 MaskDesired = ~MAXIMUM_ALLOWED;
1029 Token = ClientAccessToken ? ClientAccessToken : PrimaryAccessToken;
1051 goto ReturnCommonStatus;
1055 if (RemainingAccess == 0)
1058 goto ReturnCommonStatus;
1080 goto ReturnCommonStatus;
1086 goto ReturnCommonStatus;
1096 goto ReturnCommonStatus;
1110 goto ReturnCommonStatus;
1114 if (
Dacl->AceCount == 0)
1122 DPRINT1(
"The DACL has no ACEs and the caller has no previously granted access!\n");
1126 goto ReturnCommonStatus;
1146 ObjectTypeListLength,
1148 &AccessCheckRights);
1165 ObjectTypeListLength,
1167 &AccessCheckRights);
1171 if (!ObjectTypeList && !ObjectTypeListLength)
1175 if (RemainingAccess != 0)
1177 DPRINT(
"Failed to grant access rights, access denied. RemainingAccess = 0x%08lx DesiredAccess = 0x%08lx\n", RemainingAccess,
DesiredAccess);
1180 goto ReturnCommonStatus;
1191 DPRINT(
"Failed to grant access rights, access denied. PreviouslyGrantedAccess == 0 DesiredAccess = %08lx\n",
DesiredAccess);
1196 goto ReturnCommonStatus;
1198 else if (!UseResultList)
1206 for (ObjectTypeIndex = 0;
1207 ObjectTypeIndex < ObjectTypeListLength;
1210 if (ObjectTypeList[ObjectTypeIndex].ObjectAccessRights.GrantedAccessRights != 0)
1212 GrantedRights |= ObjectTypeList[ObjectTypeIndex].ObjectAccessRights.GrantedAccessRights;
1218 if (RemainingAccess != 0)
1220 DPRINT(
"Failed to grant access rights to the whole object hierarchy list, access denied. RemainingAccess = 0x%08lx DesiredAccess = 0x%08lx\n",
1224 goto ReturnCommonStatus;
1235 DPRINT(
"Failed to grant access rights to the whole object hierarchy list, access denied. PreviouslyGrantedAccess == 0 DesiredAccess = %08lx\n",
1241 goto ReturnCommonStatus;
1250 for (ObjectTypeIndex = 0;
1251 ObjectTypeIndex < ObjectTypeListLength;
1255 GrantedRights = (ObjectTypeList[ObjectTypeIndex].ObjectAccessRights.GrantedAccessRights |
PreviouslyGrantedAccess) & MaskDesired;
1256 if (GrantedRights != 0)
1262 RemainingAccess = (~GrantedRights & WantedRights);
1263 if (RemainingAccess != 0)
1265 DPRINT(
"Failed to grant access rights at specific object at index %lu, access denied. RemainingAccess = 0x%08lx DesiredAccess = 0x%08lx\n",
1277 DPRINT(
"Failed to grant access rights at specific object at index %lu. No access is given\n", ObjectTypeIndex);
1282 GrantedAccessList[ObjectTypeIndex] = GrantedRights;
1292 for (ResultListIndex = 0; ResultListIndex < ObjectTypeListLength; ResultListIndex++)
1297 Status = AccessStatusList[ResultListIndex];
1303 goto ReturnCommonStatus;
1317 ObjectTypeListLength,
1319 &AccessCheckRights);
1322 if (!ObjectTypeList && !ObjectTypeListLength)
1330 goto ReturnCommonStatus;
1339 for (ObjectTypeIndex = 0;
1340 ObjectTypeIndex < ObjectTypeListLength;
1343 if (ObjectTypeList[ObjectTypeIndex].ObjectAccessRights.RemainingAccessRights == 0)
1345 AccessIsGranted =
TRUE;
1350 if (!AccessIsGranted)
1352 DPRINT(
"Failed to grant access rights to the whole object hierarchy list, access denied. DesiredAccess = 0x%08lx\n",
DesiredAccess);
1355 goto ReturnCommonStatus;
1374 ObjectTypeListLength,
1376 &AccessCheckRights);
1379 if (!ObjectTypeList && !ObjectTypeListLength)
1387 goto ReturnCommonStatus;
1399 AccessIsGranted =
FALSE;
1400 for (ObjectTypeIndex = 0;
1401 ObjectTypeIndex < ObjectTypeListLength;
1404 if (ObjectTypeList[ObjectTypeIndex].ObjectAccessRights.RemainingAccessRights == 0)
1406 AccessIsGranted =
TRUE;
1411 if (!AccessIsGranted)
1413 DPRINT(
"Failed to grant access rights to the whole object hierarchy list, access denied. DesiredAccess = 0x%08lx\n",
DesiredAccess);
1416 goto ReturnCommonStatus;
1427 DPRINT(
"Failed to grant access rights, access denied. PreviouslyGrantedAccess == 0 DesiredAccess = %08lx\n",
DesiredAccess);
1429 goto ReturnCommonStatus;
1442 *AccessStatusList =
Status;
1452 if (ObjectTypeList && (ObjectTypeListLength != 0))
1458 ObjectTypeListLength);
1485 if (PrivilegeSet ==
NULL)
1488 if (PrivilegeSet->PrivilegeCount == 0)
1608 PSID CapturedPrincipalSelfSid =
NULL;
1613 ULONG CapturedPrivilegeSetLength, RequiredPrivilegeSetLength;
1614 ULONG ResultListIndex;
1656 if (!ObjectTypeListLength)
1658 DPRINT1(
"The object type list is empty\n");
1672 CapturedPrivilegeSetLength = *PrivilegeSetLength;
1684 DPRINT1(
"Some generic rights are not mapped\n");
1697 DPRINT1(
"Failed to reference token (Status 0x%08lx)\n",
Status);
1704 DPRINT(
"No impersonation token\n");
1712 DPRINT1(
"Impersonation level < SecurityIdentification\n");
1719 ObjectTypeListLength,
1721 &CapturedObjectTypeList);
1724 DPRINT1(
"Failed to capture the object type list (Status 0x%08lx)\n",
Status);
1738 DPRINT1(
"SePrivilegePolicyCheck failed (Status 0x%08lx)\n",
Status);
1749 for (ResultListIndex = 0; ResultListIndex < ObjectTypeListLength; ResultListIndex++)
1767 DPRINT(
"Privileges != NULL\n");
1773 if (CapturedPrivilegeSetLength < RequiredPrivilegeSetLength)
1778 *PrivilegeSetLength = RequiredPrivilegeSetLength;
1785 RequiredPrivilegeSetLength);
1792 DPRINT(
"Privileges == NULL\n");
1804 PrivilegeSet->PrivilegeCount = 0;
1805 PrivilegeSet->Control = 0;
1813 &CapturedSecurityDescriptor);
1816 DPRINT1(
"Failed to capture the Security Descriptor\n");
1823 if (CapturedSecurityDescriptor ==
NULL)
1825 DPRINT1(
"Security Descriptor is NULL\n");
1835 DPRINT1(
"Security Descriptor does not have a valid group or owner\n");
1845 if (PrincipalSelfSid)
1851 &CapturedPrincipalSelfSid);
1854 DPRINT1(
"Failed to capture the principal self SID (Status 0x%08lx)\n",
Status);
1892 for (ResultListIndex = 0; ResultListIndex < ObjectTypeListLength; ResultListIndex++)
1910 CapturedPrincipalSelfSid,
1912 CapturedObjectTypeList,
1913 ObjectTypeListLength,
2076 DPRINT1(
"Request for zero access to an object. Denying.\n");
2162 if (!
Dacl->AceCount)
2278 ObjectTypeListLength,
2321 ObjectTypeListLength,
static GENERIC_MAPPING GenericMapping
static VOID SepAnalyzeAcesFromDacl(_In_ ACCESS_CHECK_RIGHT_TYPE ActionType, _In_ ACCESS_MASK RemainingAccess, _In_ PACL Dacl, _In_ PACCESS_TOKEN AccessToken, _In_ PACCESS_TOKEN PrimaryAccessToken, _In_ BOOLEAN IsTokenRestricted, _In_opt_ PSID PrincipalSelfSid, _In_ PGENERIC_MAPPING GenericMapping, _In_opt_ POBJECT_TYPE_LIST_INTERNAL ObjectTypeList, _In_ ULONG ObjectTypeListLength, _In_ BOOLEAN UseResultList, _Inout_ PACCESS_CHECK_RIGHTS AccessCheckRights)
Analyzes an access control entry that is present in a discretionary access control list (DACL) for ac...
static VOID SepDenyAccessObjectTypeList(_Inout_ POBJECT_TYPE_LIST_INTERNAL ObjectTypeList, _In_ ULONG ObjectTypeListLength, _In_ ACCESS_MASK AccessMask, _In_opt_ PGUID ObjectTypeGuid, _Out_opt_ PBOOLEAN BreakOnDeny)
Denies access to a target object in the object type list. This access is denied for the whole hierarc...
static NTSTATUS SepAccessCheck(_In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ HANDLE ClientToken, _In_opt_ PSID PrincipalSelfSid, _In_ ACCESS_MASK DesiredAccess, _In_ PGENERIC_MAPPING GenericMapping, _Out_writes_bytes_(*PrivilegeSetLength) PPRIVILEGE_SET PrivilegeSet, _Inout_ PULONG PrivilegeSetLength, _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList, _In_ ULONG ObjectTypeListLength, _In_ BOOLEAN UseResultList, _Out_ PACCESS_MASK GrantedAccess, _Out_ PNTSTATUS AccessStatus)
Internal function that performs a security check against the client who requests access on a resource...
NTSTATUS NTAPI NtAccessCheck(_In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ HANDLE ClientToken, _In_ ACCESS_MASK DesiredAccess, _In_ PGENERIC_MAPPING GenericMapping, _Out_writes_bytes_(*PrivilegeSetLength) PPRIVILEGE_SET PrivilegeSet, _Inout_ PULONG PrivilegeSetLength, _Out_ PACCESS_MASK GrantedAccess, _Out_ PNTSTATUS AccessStatus)
Determines whether security access can be granted to a client that requests such access on an object.
static BOOLEAN SepAccessCheckWorker(_In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_opt_ PACCESS_TOKEN ClientAccessToken, _In_ PACCESS_TOKEN PrimaryAccessToken, _In_opt_ PSID PrincipalSelfSid, _In_ ACCESS_MASK DesiredAccess, _In_opt_ POBJECT_TYPE_LIST_INTERNAL ObjectTypeList, _In_ ULONG ObjectTypeListLength, _In_ ACCESS_MASK PreviouslyGrantedAccess, _In_ PGENERIC_MAPPING GenericMapping, _In_ KPROCESSOR_MODE AccessMode, _In_ BOOLEAN UseResultList, _Out_opt_ PPRIVILEGE_SET *Privileges, _Out_ PACCESS_MASK GrantedAccessList, _Out_ PNTSTATUS AccessStatusList)
Private worker function that determines whether security access rights can be given to the calling thr...
BOOLEAN NTAPI SeAccessCheck(_In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext, _In_ BOOLEAN SubjectContextLocked, _In_ ACCESS_MASK DesiredAccess, _In_ ACCESS_MASK PreviouslyGrantedAccess, _Out_ PPRIVILEGE_SET *Privileges, _In_ PGENERIC_MAPPING GenericMapping, _In_ KPROCESSOR_MODE AccessMode, _Out_ PACCESS_MASK GrantedAccess, _Out_ PNTSTATUS AccessStatus)
Determines whether security access rights can be given to an object depending on the security descrip...
NTSTATUS NTAPI NtAccessCheckByType(_In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_opt_ PSID PrincipalSelfSid, _In_ HANDLE ClientToken, _In_ ACCESS_MASK DesiredAccess, _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList, _In_ ULONG ObjectTypeListLength, _In_ PGENERIC_MAPPING GenericMapping, _Out_writes_bytes_(*PrivilegeSetLength) PPRIVILEGE_SET PrivilegeSet, _Inout_ PULONG PrivilegeSetLength, _Out_ PACCESS_MASK GrantedAccess, _Out_ PNTSTATUS AccessStatus)
Determines whether security access can be granted to a client that requests such access on the object...
static VOID SepDenyAccessObjectTypeResultList(_Inout_ POBJECT_TYPE_LIST_INTERNAL ObjectTypeList, _In_ ULONG ObjectTypeListLength, _In_ ACCESS_MASK AccessMask, _In_opt_ PGUID ObjectTypeGuid)
Denies access to a target object and its child objects in an object type list.
BOOLEAN NTAPI SeFastTraverseCheck(_In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ PACCESS_STATE AccessState, _In_ ACCESS_MASK DesiredAccess, _In_ KPROCESSOR_MODE AccessMode)
Determines whether security access rights can be given to an object depending on the security descrip...
static VOID SepAllowAccessObjectTypeList(_Inout_ POBJECT_TYPE_LIST_INTERNAL ObjectTypeList, _In_ ULONG ObjectTypeListLength, _In_ ACCESS_MASK AccessMask, _In_ BOOLEAN RemoveRemainingRights, _In_opt_ PGUID ObjectTypeGuid)
Allows access to a target object in the object type list. This access is allowed for the whole hierar...
NTSTATUS NTAPI NtAccessCheckByTypeResultList(_In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_opt_ PSID PrincipalSelfSid, _In_ HANDLE ClientToken, _In_ ACCESS_MASK DesiredAccess, _In_reads_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList, _In_ ULONG ObjectTypeListLength, _In_ PGENERIC_MAPPING GenericMapping, _Out_writes_bytes_(*PrivilegeSetLength) PPRIVILEGE_SET PrivilegeSet, _Inout_ PULONG PrivilegeSetLength, _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccess, _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatus)
Determines whether security access can be granted to a client that requests such access on the object...
static VOID SepAllowAccessObjectTypeResultList(_Inout_ POBJECT_TYPE_LIST_INTERNAL ObjectTypeList, _In_ ULONG ObjectTypeListLength, _In_ ACCESS_MASK AccessMask, _In_opt_ PGUID ObjectTypeGuid)
Allows access to a target object and its child objects in an object type list.
static ULONG SepGetPrivilegeSetLength(_In_ PPRIVILEGE_SET PrivilegeSet)
Retrieves the length of a privilege set structure.
#define NT_SUCCESS(StatCode)
BOOL WINAPI IsTokenRestricted(HANDLE TokenHandle)
#define ExGetPreviousMode
VOID NTAPI ProbeForRead(IN CONST VOID *Address, IN SIZE_T Length, IN ULONG Alignment)
VOID NTAPI ProbeForWrite(IN PVOID Address, IN SIZE_T Length, IN ULONG Alignment)
#define EXCEPTION_EXECUTE_HANDLER
#define _Out_writes_bytes_(size)
#define _Out_writes_(size)
#define _In_reads_opt_(size)
_In_ ACCESS_MASK AccessMask
_Out_writes_bytes_to_opt_ AbsoluteSecurityDescriptorSize PSECURITY_DESCRIPTOR _Inout_ PULONG _Out_writes_bytes_to_opt_ DaclSize PACL Dacl
NTSYSAPI NTSTATUS NTAPI RtlGetAce(PACL Acl, ULONG AceIndex, PVOID *Ace)
_In_ ULONG _In_ ACCESS_MASK _In_ PSID Sid
NTSYSAPI VOID NTAPI RtlMapGenericMask(PACCESS_MASK AccessMask, PGENERIC_MAPPING GenericMapping)
NTSYSAPI NTSTATUS NTAPI RtlGetDaclSecurityDescriptor(_In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _Out_ PBOOLEAN DaclPresent, _Out_ PACL *Dacl, _Out_ PBOOLEAN DaclDefaulted)
NTSYSAPI BOOLEAN NTAPI RtlEqualSid(_In_ PSID Sid1, _In_ PSID Sid2)
ACCESS_MASK * PACCESS_MASK
#define DEFAULT_UNREACHABLE
#define DBG_UNREFERENCED_PARAMETER(P)
VOID NTAPI SepReleaseSid(_In_ PSID CapturedSid, _In_ KPROCESSOR_MODE AccessMode, _In_ BOOLEAN CaptureIfKernel)
Releases a captured SID.
PGUID SepGetObjectTypeGuidFromAce(_In_ PACE Ace, _In_ BOOLEAN IsAceDenied)
Captures an object type GUID from an object access control entry (ACE).
NTSTATUS NTAPI SepCaptureSid(_In_ PSID InputSid, _In_ KPROCESSOR_MODE AccessMode, _In_ POOL_TYPE PoolType, _In_ BOOLEAN CaptureIfKernel, _Out_ PSID *CapturedSid)
Captures a SID.
VOID SeReleaseObjectTypeList(_In_ _Post_invalid_ POBJECT_TYPE_LIST_INTERNAL CapturedObjectTypeList, _In_ KPROCESSOR_MODE PreviousMode)
Releases a buffer list of object types.
NTSTATUS SeCaptureObjectTypeList(_In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList, _In_ ULONG ObjectTypeListLength, _In_ KPROCESSOR_MODE PreviousMode, _Out_ POBJECT_TYPE_LIST_INTERNAL *CapturedObjectTypeList)
Captures a list of object types and converts it to an internal form for use by the kernel....
FORCEINLINE PSID SepGetOwnerFromDescriptor(_Inout_ PSECURITY_DESCRIPTOR _Descriptor)
#define SepAcquireTokenLockShared(Token)
enum _ACCESS_CHECK_RIGHT_TYPE ACCESS_CHECK_RIGHT_TYPE
NTSTATUS NTAPI SePrivilegePolicyCheck(_Inout_ PACCESS_MASK DesiredAccess, _Inout_ PACCESS_MASK GrantedAccess, _In_ PSECURITY_SUBJECT_CONTEXT SubjectContext, _In_ PTOKEN Token, _Out_opt_ PPRIVILEGE_SET *OutPrivilegeSet, _In_ KPROCESSOR_MODE PreviousMode)
Checks the security policy and returns a set of privileges based upon the said security policy contex...
FORCEINLINE PSID SepGetGroupFromDescriptor(_Inout_ PSECURITY_DESCRIPTOR _Descriptor)
PSID NTAPI SepGetSidFromAce(_In_ PACE Ace)
Captures a security identifier from a given access control entry. This identifier is valid for the wh...
BOOLEAN SepObjectTypeGuidInList(_In_reads_(ObjectTypeListLength) POBJECT_TYPE_LIST_INTERNAL ObjectTypeList, _In_ ULONG ObjectTypeListLength, _In_ PGUID ObjectTypeGuid, _Out_ PULONG ObjectIndex)
Searches an object type list for a given object type GUID.
FORCEINLINE PACL SepGetDaclFromDescriptor(_Inout_ PSECURITY_DESCRIPTOR _Descriptor)
BOOLEAN NTAPI SepTokenIsOwner(_In_ PACCESS_TOKEN _Token, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ BOOLEAN TokenLocked)
Checks whether a token belongs to the owner of the security descriptor.
#define SepReleaseTokenLock(Token)
struct _KNOWN_ACE * PKNOWN_ACE
BOOLEAN NTAPI SepSidInTokenEx(_In_ PACCESS_TOKEN _Token, _In_ PSID PrincipalSelfSid, _In_ PSID _Sid, _In_ BOOLEAN Deny, _In_ BOOLEAN Restricted)
Checks whether a SID is present in a token.
VOID SepDumpTokenDebugInfo(_In_opt_ PTOKEN Token)
Dumps debug information of an access token to the debugger.
VOID SepDumpAccessAndStatusList(_In_ PACCESS_MASK GrantedAccessList, _In_ PNTSTATUS AccessStatusList, _In_ BOOLEAN IsResultList, _In_ POBJECT_TYPE_LIST_INTERNAL ObjectTypeList, _In_ ULONG ObjectTypeListLength)
Dumps access and status values of each object type in the result list.
VOID SepDumpAccessRightsStats(_In_ PACCESS_CHECK_RIGHTS AccessRights)
Dumps security access rights to the debugger.
VOID SepDumpSdDebugInfo(_In_opt_ PISECURITY_DESCRIPTOR SecurityDescriptor)
Dumps debug information of a security descriptor to the debugger.
VOID NTAPI SeFreePrivileges(_In_ PPRIVILEGE_SET Privileges)
Frees a set of privileges.
NTSTATUS NTAPI SeCaptureSecurityDescriptor(_In_ PSECURITY_DESCRIPTOR _OriginalSecurityDescriptor, _In_ KPROCESSOR_MODE CurrentMode, _In_ POOL_TYPE PoolType, _In_ BOOLEAN CaptureIfKernel, _Out_ PSECURITY_DESCRIPTOR *CapturedSecurityDescriptor)
Captures a security descriptor.
NTSTATUS NTAPI SeReleaseSecurityDescriptor(_In_ PSECURITY_DESCRIPTOR CapturedSecurityDescriptor, _In_ KPROCESSOR_MODE CurrentMode, _In_ BOOLEAN CaptureIfKernelMode)
Releases a captured security descriptor buffer.
BOOLEAN NTAPI SeTokenIsAdmin(_In_ PACCESS_TOKEN Token)
Determines whether a token is an admin token. This condition is checked based upon TOKEN_HAS...
POBJECT_TYPE SeTokenObjectType
BOOLEAN NTAPI SeTokenIsRestricted(_In_ PACCESS_TOKEN Token)
Determines whether a token is restricted, based upon the token flags.
#define STATUS_NO_IMPERSONATION_TOKEN
#define STATUS_INVALID_SECURITY_DESCR
#define STATUS_GENERIC_NOT_MAPPED
#define STATUS_BAD_IMPERSONATION_LEVEL
NTSTATUS NTAPI ObReferenceObjectByHandle(IN HANDLE Handle, IN ACCESS_MASK DesiredAccess, IN POBJECT_TYPE ObjectType, IN KPROCESSOR_MODE AccessMode, OUT PVOID *Object, OUT POBJECT_HANDLE_INFORMATION HandleInformation OPTIONAL)
#define _SEH2_GetExceptionCode()
#define _SEH2_EXCEPT(...)
#define _SEH2_YIELD(__stmt)
#define STATUS_BUFFER_TOO_SMALL
ACCESS_MASK RemainingAccessRights
ACCESS_MASK GrantedAccessRights
ACCESS_MASK GenericExecute
SECURITY_IMPERSONATION_LEVEL ImpersonationLevel
PACCESS_TOKEN ClientToken
PACCESS_TOKEN PrimaryToken
VOID NTAPI SeLockSubjectContext(_In_ PSECURITY_SUBJECT_CONTEXT SubjectContext)
Locks both the referenced primary and client access tokens of a security subject context.
VOID NTAPI SeReleaseSubjectContext(_In_ PSECURITY_SUBJECT_CONTEXT SubjectContext)
Releases both the primary and client tokens of a security subject context.
VOID NTAPI SeUnlockSubjectContext(_In_ PSECURITY_SUBJECT_CONTEXT SubjectContext)
Unlocks both the referenced primary and client access tokens of a security subject context.
VOID NTAPI SeCaptureSubjectContext(_Out_ PSECURITY_SUBJECT_CONTEXT SubjectContext)
Captures the security subject context of the calling thread and calling process.
#define RtlCopyMemory(Destination, Source, Length)
#define STATUS_ACCESS_DENIED
#define STATUS_INVALID_PARAMETER
_Must_inspect_result_ _In_ WDFDEVICE _In_ ULONG _In_ ACCESS_MASK DesiredAccess
_IRQL_requires_same_ typedef _In_ ULONG _In_ UCHAR Level
_In_ USHORT _In_ ULONG _In_ PSOCKADDR _In_ PSOCKADDR _Reserved_ ULONG _In_opt_ PVOID _In_opt_ const WSK_CLIENT_CONNECTION_DISPATCH _In_opt_ PEPROCESS _In_opt_ PETHREAD _In_opt_ PSECURITY_DESCRIPTOR SecurityDescriptor
_In_ PEPROCESS _In_ KPROCESSOR_MODE AccessMode
#define ObDereferenceObject
_In_ PSECURITY_SUBJECT_CONTEXT _In_ BOOLEAN _In_ ACCESS_MASK _In_ ACCESS_MASK _Outptr_opt_ PPRIVILEGE_SET * Privileges
_In_ PSECURITY_SUBJECT_CONTEXT _In_ BOOLEAN SubjectContextLocked
_In_ PSECURITY_SUBJECT_CONTEXT _In_ BOOLEAN _In_ ACCESS_MASK _In_ ACCESS_MASK PreviouslyGrantedAccess
_In_ PSECURITY_SUBJECT_CONTEXT _In_ BOOLEAN _In_ ACCESS_MASK _In_ ACCESS_MASK _Outptr_opt_ PPRIVILEGE_SET _In_ PGENERIC_MAPPING _In_ KPROCESSOR_MODE _Out_ PACCESS_MASK _Out_ PNTSTATUS AccessStatus
_In_ KPROCESSOR_MODE PreviousMode
_In_opt_ PVOID _In_opt_ PUNICODE_STRING _In_ PSECURITY_DESCRIPTOR _In_ PACCESS_STATE AccessState
_In_ PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext
_In_ PSECURITY_SUBJECT_CONTEXT _In_ BOOLEAN _In_ ACCESS_MASK _In_ ACCESS_MASK _Outptr_opt_ PPRIVILEGE_SET _In_ PGENERIC_MAPPING _In_ KPROCESSOR_MODE _Out_ PACCESS_MASK GrantedAccess
#define ACCESS_DENIED_OBJECT_ACE_TYPE
#define ACCESS_ALLOWED_ACE_TYPE
struct _LUID_AND_ATTRIBUTES LUID_AND_ATTRIBUTES
#define ACCESS_DENIED_ACE_TYPE
#define ACCESS_ALLOWED_OBJECT_ACE_TYPE
#define TOKEN_IS_RESTRICTED
struct _PRIVILEGE_SET PRIVILEGE_SET