1 #pragma once 2 3 typedef struct _KNOWN_ACE 4 { 5 ACE_HEADER Header; 6 ACCESS_MASK Mask; 7 ULONG SidStart; 8 } KNOWN_ACE, *PKNOWN_ACE; 9 10 typedef struct _KNOWN_OBJECT_ACE 11 { 12 ACE_HEADER Header; 13 ACCESS_MASK Mask; 14 ULONG Flags; 15 ULONG SidStart; 16 } KNOWN_OBJECT_ACE, *PKNOWN_OBJECT_ACE; 17 18 typedef struct _KNOWN_COMPOUND_ACE 19 { 20 ACE_HEADER Header; 21 ACCESS_MASK Mask; 22 USHORT CompoundAceType; 23 USHORT Reserved; 24 ULONG SidStart; 25 } KNOWN_COMPOUND_ACE, *PKNOWN_COMPOUND_ACE; 26 27 typedef struct _TOKEN_AUDIT_POLICY_INFORMATION 28 { 29 ULONG PolicyCount; 30 struct 31 { 32 ULONG Category; 33 UCHAR Value; 34 } Policies[1]; 35 } TOKEN_AUDIT_POLICY_INFORMATION, *PTOKEN_AUDIT_POLICY_INFORMATION; 36 37 FORCEINLINE 38 PSID 39 SepGetGroupFromDescriptor(PVOID _Descriptor) 40 { 41 PISECURITY_DESCRIPTOR Descriptor = (PISECURITY_DESCRIPTOR)_Descriptor; 42 PISECURITY_DESCRIPTOR_RELATIVE SdRel; 43 44 if (Descriptor->Control & SE_SELF_RELATIVE) 45 { 46 SdRel = (PISECURITY_DESCRIPTOR_RELATIVE)Descriptor; 47 if (!SdRel->Group) return NULL; 48 return (PSID)((ULONG_PTR)Descriptor + SdRel->Group); 49 } 50 else 51 { 52 return Descriptor->Group; 53 } 54 } 55 56 FORCEINLINE 57 PSID 58 SepGetOwnerFromDescriptor(PVOID _Descriptor) 59 { 60 PISECURITY_DESCRIPTOR Descriptor = (PISECURITY_DESCRIPTOR)_Descriptor; 61 PISECURITY_DESCRIPTOR_RELATIVE SdRel; 62 63 if (Descriptor->Control & SE_SELF_RELATIVE) 64 { 65 SdRel = (PISECURITY_DESCRIPTOR_RELATIVE)Descriptor; 66 if (!SdRel->Owner) return NULL; 67 return (PSID)((ULONG_PTR)Descriptor + SdRel->Owner); 68 } 69 else 70 { 71 return Descriptor->Owner; 72 } 73 } 74 75 FORCEINLINE 76 PACL 77 SepGetDaclFromDescriptor(PVOID _Descriptor) 78 { 79 PISECURITY_DESCRIPTOR Descriptor = (PISECURITY_DESCRIPTOR)_Descriptor; 80 PISECURITY_DESCRIPTOR_RELATIVE SdRel; 81 82 if (!(Descriptor->Control & SE_DACL_PRESENT)) return NULL; 83 84 if (Descriptor->Control & SE_SELF_RELATIVE) 85 { 86 SdRel = (PISECURITY_DESCRIPTOR_RELATIVE)Descriptor; 87 if (!SdRel->Dacl) return NULL; 88 return (PACL)((ULONG_PTR)Descriptor + SdRel->Dacl); 89 } 90 else 91 { 92 return Descriptor->Dacl; 93 } 94 } 95 96 FORCEINLINE 97 PACL 98 SepGetSaclFromDescriptor(PVOID _Descriptor) 99 { 100 PISECURITY_DESCRIPTOR Descriptor = (PISECURITY_DESCRIPTOR)_Descriptor; 101 PISECURITY_DESCRIPTOR_RELATIVE SdRel; 102 103 if (!(Descriptor->Control & SE_SACL_PRESENT)) return NULL; 104 105 if (Descriptor->Control & SE_SELF_RELATIVE) 106 { 107 SdRel = (PISECURITY_DESCRIPTOR_RELATIVE)Descriptor; 108 if (!SdRel->Sacl) return NULL; 109 return (PACL)((ULONG_PTR)Descriptor + SdRel->Sacl); 110 } 111 else 112 { 113 return Descriptor->Sacl; 114 } 115 } 116 117 #ifndef RTL_H 118 119 /* SID Authorities */ 120 extern SID_IDENTIFIER_AUTHORITY SeNullSidAuthority; 121 extern SID_IDENTIFIER_AUTHORITY SeWorldSidAuthority; 122 extern SID_IDENTIFIER_AUTHORITY SeLocalSidAuthority; 123 extern SID_IDENTIFIER_AUTHORITY SeCreatorSidAuthority; 124 extern SID_IDENTIFIER_AUTHORITY SeNtSidAuthority; 125 126 /* SIDs */ 127 extern PSID SeNullSid; 128 extern PSID SeWorldSid; 129 extern PSID SeLocalSid; 130 extern PSID SeCreatorOwnerSid; 131 extern PSID SeCreatorGroupSid; 132 extern PSID SeCreatorOwnerServerSid; 133 extern PSID SeCreatorGroupServerSid; 134 extern PSID SeNtAuthoritySid; 135 extern PSID SeDialupSid; 136 extern PSID SeNetworkSid; 137 extern PSID SeBatchSid; 138 extern PSID SeInteractiveSid; 139 extern PSID SeServiceSid; 140 extern PSID SeAnonymousLogonSid; 141 extern PSID SePrincipalSelfSid; 142 extern PSID SeLocalSystemSid; 143 extern PSID SeAuthenticatedUserSid; 144 extern PSID SeRestrictedCodeSid; 145 extern PSID SeAliasAdminsSid; 146 extern PSID SeAliasUsersSid; 147 extern PSID SeAliasGuestsSid; 148 extern PSID SeAliasPowerUsersSid; 149 extern PSID SeAliasAccountOpsSid; 150 extern PSID SeAliasSystemOpsSid; 151 extern PSID SeAliasPrintOpsSid; 152 extern PSID SeAliasBackupOpsSid; 153 extern PSID SeAuthenticatedUsersSid; 154 extern PSID SeRestrictedSid; 155 extern PSID SeAnonymousLogonSid; 156 extern PSID SeLocalServiceSid; 157 extern PSID SeNetworkServiceSid; 158 159 /* Privileges */ 160 extern const LUID SeCreateTokenPrivilege; 161 extern const LUID SeAssignPrimaryTokenPrivilege; 162 extern const LUID SeLockMemoryPrivilege; 163 extern const LUID SeIncreaseQuotaPrivilege; 164 extern const LUID SeUnsolicitedInputPrivilege; 165 extern const LUID SeTcbPrivilege; 166 extern const LUID SeSecurityPrivilege; 167 extern const LUID SeTakeOwnershipPrivilege; 168 extern const LUID SeLoadDriverPrivilege; 169 extern const LUID SeSystemProfilePrivilege; 170 extern const LUID SeSystemtimePrivilege; 171 extern const LUID SeProfileSingleProcessPrivilege; 172 extern const LUID SeIncreaseBasePriorityPrivilege; 173 extern const LUID SeCreatePagefilePrivilege; 174 extern const LUID SeCreatePermanentPrivilege; 175 extern const LUID SeBackupPrivilege; 176 extern const LUID SeRestorePrivilege; 177 extern const LUID SeShutdownPrivilege; 178 extern const LUID SeDebugPrivilege; 179 extern const LUID SeAuditPrivilege; 180 extern const LUID SeSystemEnvironmentPrivilege; 181 extern const LUID SeChangeNotifyPrivilege; 182 extern const LUID SeRemoteShutdownPrivilege; 183 extern const LUID SeUndockPrivilege; 184 extern const LUID SeSyncAgentPrivilege; 185 extern const LUID SeEnableDelegationPrivilege; 186 extern const LUID SeManageVolumePrivilege; 187 extern const LUID SeImpersonatePrivilege; 188 extern const LUID SeCreateGlobalPrivilege; 189 extern const LUID SeTrustedCredmanPrivilege; 190 extern const LUID SeRelabelPrivilege; 191 extern const LUID SeIncreaseWorkingSetPrivilege; 192 extern const LUID SeTimeZonePrivilege; 193 extern const LUID SeCreateSymbolicLinkPrivilege; 194 195 /* DACLs */ 196 extern PACL SePublicDefaultUnrestrictedDacl; 197 extern PACL SePublicOpenDacl; 198 extern PACL SePublicOpenUnrestrictedDacl; 199 extern PACL SeUnrestrictedDacl; 200 extern PACL SeSystemAnonymousLogonDacl; 201 202 /* SDs */ 203 extern PSECURITY_DESCRIPTOR SePublicDefaultSd; 204 extern PSECURITY_DESCRIPTOR SePublicDefaultUnrestrictedSd; 205 extern PSECURITY_DESCRIPTOR SePublicOpenSd; 206 extern PSECURITY_DESCRIPTOR SePublicOpenUnrestrictedSd; 207 extern PSECURITY_DESCRIPTOR SeSystemDefaultSd; 208 extern PSECURITY_DESCRIPTOR SeUnrestrictedSd; 209 extern PSECURITY_DESCRIPTOR SeSystemAnonymousLogonSd; 210 211 /* Anonymous Logon Tokens */ 212 extern PTOKEN SeAnonymousLogonToken; 213 extern PTOKEN SeAnonymousLogonTokenNoEveryone; 214 215 216 #define SepAcquireTokenLockExclusive(Token) \ 217 { \ 218 KeEnterCriticalRegion(); \ 219 ExAcquireResourceExclusiveLite(((PTOKEN)Token)->TokenLock, TRUE); \ 220 } 221 #define SepAcquireTokenLockShared(Token) \ 222 { \ 223 KeEnterCriticalRegion(); \ 224 ExAcquireResourceSharedLite(((PTOKEN)Token)->TokenLock, TRUE); \ 225 } 226 227 #define SepReleaseTokenLock(Token) \ 228 { \ 229 ExReleaseResourceLite(((PTOKEN)Token)->TokenLock); \ 230 KeLeaveCriticalRegion(); \ 231 } 232 233 // 234 // Token Functions 235 // 236 BOOLEAN 237 NTAPI 238 SepTokenIsOwner( 239 IN PACCESS_TOKEN _Token, 240 IN PSECURITY_DESCRIPTOR SecurityDescriptor, 241 IN BOOLEAN TokenLocked 242 ); 243 244 BOOLEAN 245 NTAPI 246 SepSidInToken( 247 IN PACCESS_TOKEN _Token, 248 IN PSID Sid 249 ); 250 251 BOOLEAN 252 NTAPI 253 SepSidInTokenEx( 254 IN PACCESS_TOKEN _Token, 255 IN PSID PrincipalSelfSid, 256 IN PSID _Sid, 257 IN BOOLEAN Deny, 258 IN BOOLEAN Restricted 259 ); 260 261 BOOLEAN 262 NTAPI 263 SeTokenCanImpersonate( 264 _In_ PTOKEN ProcessToken, 265 _In_ PTOKEN TokenToImpersonate, 266 _In_ SECURITY_IMPERSONATION_LEVEL ImpersonationLevel); 267 268 /* Functions */ 269 CODE_SEG("INIT") 270 BOOLEAN 271 NTAPI 272 SeInitSystem(VOID); 273 274 CODE_SEG("INIT") 275 VOID 276 NTAPI 277 SepInitPrivileges(VOID); 278 279 CODE_SEG("INIT") 280 BOOLEAN 281 NTAPI 282 SepInitSecurityIDs(VOID); 283 284 CODE_SEG("INIT") 285 BOOLEAN 286 NTAPI 287 SepInitDACLs(VOID); 288 289 CODE_SEG("INIT") 290 BOOLEAN 291 NTAPI 292 SepInitSDs(VOID); 293 294 BOOLEAN 295 NTAPI 296 SeRmInitPhase0(VOID); 297 298 BOOLEAN 299 NTAPI 300 SeRmInitPhase1(VOID); 301 302 VOID 303 NTAPI 304 SeDeassignPrimaryToken(struct _EPROCESS *Process); 305 306 NTSTATUS 307 NTAPI 308 SeSubProcessToken( 309 IN PTOKEN Parent, 310 OUT PTOKEN *Token, 311 IN BOOLEAN InUse, 312 IN ULONG SessionId 313 ); 314 315 NTSTATUS 316 NTAPI 317 SeInitializeProcessAuditName( 318 IN PFILE_OBJECT FileObject, 319 IN BOOLEAN DoAudit, 320 OUT POBJECT_NAME_INFORMATION *AuditInfo 321 ); 322 323 NTSTATUS 324 NTAPI 325 SeCreateAccessStateEx( 326 IN PETHREAD Thread, 327 IN PEPROCESS Process, 328 IN OUT PACCESS_STATE AccessState, 329 IN PAUX_ACCESS_DATA AuxData, 330 IN ACCESS_MASK Access, 331 IN PGENERIC_MAPPING GenericMapping 332 ); 333 334 NTSTATUS 335 NTAPI 336 SeIsTokenChild( 337 IN PTOKEN Token, 338 OUT PBOOLEAN IsChild 339 ); 340 341 NTSTATUS 342 NTAPI 343 SeIsTokenSibling( 344 IN PTOKEN Token, 345 OUT PBOOLEAN IsSibling 346 ); 347 348 NTSTATUS 349 NTAPI 350 SepCreateImpersonationTokenDacl( 351 _In_ PTOKEN Token, 352 _In_ PTOKEN PrimaryToken, 353 _Out_ PACL* Dacl 354 ); 355 356 CODE_SEG("INIT") 357 VOID 358 NTAPI 359 SepInitializeTokenImplementation(VOID); 360 361 CODE_SEG("INIT") 362 PTOKEN 363 NTAPI 364 SepCreateSystemProcessToken(VOID); 365 366 CODE_SEG("INIT") 367 PTOKEN 368 SepCreateSystemAnonymousLogonToken(VOID); 369 370 CODE_SEG("INIT") 371 PTOKEN 372 SepCreateSystemAnonymousLogonTokenNoEveryone(VOID); 373 374 BOOLEAN 375 NTAPI 376 SeDetailedAuditingWithToken(IN PTOKEN Token); 377 378 VOID 379 NTAPI 380 SeAuditProcessExit(IN PEPROCESS Process); 381 382 VOID 383 NTAPI 384 SeAuditProcessCreate(IN PEPROCESS Process); 385 386 NTSTATUS 387 NTAPI 388 SeExchangePrimaryToken( 389 _In_ PEPROCESS Process, 390 _In_ PACCESS_TOKEN NewAccessToken, 391 _Out_ PACCESS_TOKEN* OldAccessToken 392 ); 393 394 VOID 395 NTAPI 396 SeCaptureSubjectContextEx( 397 IN PETHREAD Thread, 398 IN PEPROCESS Process, 399 OUT PSECURITY_SUBJECT_CONTEXT SubjectContext 400 ); 401 402 NTSTATUS 403 NTAPI 404 SeCaptureLuidAndAttributesArray( 405 PLUID_AND_ATTRIBUTES Src, 406 ULONG PrivilegeCount, 407 KPROCESSOR_MODE PreviousMode, 408 PLUID_AND_ATTRIBUTES AllocatedMem, 409 ULONG AllocatedLength, 410 POOL_TYPE PoolType, 411 BOOLEAN CaptureIfKernel, 412 PLUID_AND_ATTRIBUTES* Dest, 413 PULONG Length 414 ); 415 416 VOID 417 NTAPI 418 SeReleaseLuidAndAttributesArray( 419 PLUID_AND_ATTRIBUTES Privilege, 420 KPROCESSOR_MODE PreviousMode, 421 BOOLEAN CaptureIfKernel 422 ); 423 424 BOOLEAN 425 NTAPI 426 SepPrivilegeCheck( 427 PTOKEN Token, 428 PLUID_AND_ATTRIBUTES Privileges, 429 ULONG PrivilegeCount, 430 ULONG PrivilegeControl, 431 KPROCESSOR_MODE PreviousMode 432 ); 433 434 NTSTATUS 435 NTAPI 436 SePrivilegePolicyCheck( 437 _Inout_ PACCESS_MASK DesiredAccess, 438 _Inout_ PACCESS_MASK GrantedAccess, 439 _In_ PSECURITY_SUBJECT_CONTEXT SubjectContext, 440 _In_ PTOKEN Token, 441 _Out_opt_ PPRIVILEGE_SET *OutPrivilegeSet, 442 _In_ KPROCESSOR_MODE PreviousMode); 443 444 BOOLEAN 445 NTAPI 446 SeCheckPrivilegedObject( 447 IN LUID PrivilegeValue, 448 IN HANDLE ObjectHandle, 449 IN ACCESS_MASK DesiredAccess, 450 IN KPROCESSOR_MODE PreviousMode 451 ); 452 453 NTSTATUS 454 NTAPI 455 SepDuplicateToken( 456 _In_ PTOKEN Token, 457 _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, 458 _In_ BOOLEAN EffectiveOnly, 459 _In_ TOKEN_TYPE TokenType, 460 _In_ SECURITY_IMPERSONATION_LEVEL Level, 461 _In_ KPROCESSOR_MODE PreviousMode, 462 _Out_ PTOKEN* NewAccessToken 463 ); 464 465 NTSTATUS 466 NTAPI 467 SepCaptureSecurityQualityOfService( 468 IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, 469 IN KPROCESSOR_MODE AccessMode, 470 IN POOL_TYPE PoolType, 471 IN BOOLEAN CaptureIfKernel, 472 OUT PSECURITY_QUALITY_OF_SERVICE *CapturedSecurityQualityOfService, 473 OUT PBOOLEAN Present 474 ); 475 476 VOID 477 NTAPI 478 SepReleaseSecurityQualityOfService( 479 IN PSECURITY_QUALITY_OF_SERVICE CapturedSecurityQualityOfService OPTIONAL, 480 IN KPROCESSOR_MODE AccessMode, 481 IN BOOLEAN CaptureIfKernel 482 ); 483 484 NTSTATUS 485 NTAPI 486 SepCaptureSid( 487 IN PSID InputSid, 488 IN KPROCESSOR_MODE AccessMode, 489 IN POOL_TYPE PoolType, 490 IN BOOLEAN CaptureIfKernel, 491 OUT PSID *CapturedSid 492 ); 493 494 VOID 495 NTAPI 496 SepReleaseSid( 497 IN PSID CapturedSid, 498 IN KPROCESSOR_MODE AccessMode, 499 IN BOOLEAN CaptureIfKernel 500 ); 501 502 NTSTATUS 503 NTAPI 504 SeCaptureSidAndAttributesArray( 505 _In_ PSID_AND_ATTRIBUTES SrcSidAndAttributes, 506 _In_ ULONG AttributeCount, 507 _In_ KPROCESSOR_MODE PreviousMode, 508 _In_opt_ PVOID AllocatedMem, 509 _In_ ULONG AllocatedLength, 510 _In_ POOL_TYPE PoolType, 511 _In_ BOOLEAN CaptureIfKernel, 512 _Out_ PSID_AND_ATTRIBUTES *CapturedSidAndAttributes, 513 _Out_ PULONG ResultLength); 514 515 VOID 516 NTAPI 517 SeReleaseSidAndAttributesArray( 518 _In_ _Post_invalid_ PSID_AND_ATTRIBUTES CapturedSidAndAttributes, 519 _In_ KPROCESSOR_MODE AccessMode, 520 _In_ BOOLEAN CaptureIfKernel); 521 522 NTSTATUS 523 NTAPI 524 SeComputeQuotaInformationSize( 525 _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, 526 _Out_ PULONG QuotaInfoSize); 527 528 NTSTATUS 529 NTAPI 530 SepCaptureAcl( 531 IN PACL InputAcl, 532 IN KPROCESSOR_MODE AccessMode, 533 IN POOL_TYPE PoolType, 534 IN BOOLEAN CaptureIfKernel, 535 OUT PACL *CapturedAcl 536 ); 537 538 VOID 539 NTAPI 540 SepReleaseAcl( 541 IN PACL CapturedAcl, 542 IN KPROCESSOR_MODE AccessMode, 543 IN BOOLEAN CaptureIfKernel 544 ); 545 546 NTSTATUS 547 SepPropagateAcl( 548 _Out_writes_bytes_opt_(DaclLength) PACL AclDest, 549 _Inout_ PULONG AclLength, 550 _In_reads_bytes_(AclSource->AclSize) PACL AclSource, 551 _In_ PSID Owner, 552 _In_ PSID Group, 553 _In_ BOOLEAN IsInherited, 554 _In_ BOOLEAN IsDirectoryObject, 555 _In_ PGENERIC_MAPPING GenericMapping); 556 557 PACL 558 SepSelectAcl( 559 _In_opt_ PACL ExplicitAcl, 560 _In_ BOOLEAN ExplicitPresent, 561 _In_ BOOLEAN ExplicitDefaulted, 562 _In_opt_ PACL ParentAcl, 563 _In_opt_ PACL DefaultAcl, 564 _Out_ PULONG AclLength, 565 _In_ PSID Owner, 566 _In_ PSID Group, 567 _Out_ PBOOLEAN AclPresent, 568 _Out_ PBOOLEAN IsInherited, 569 _In_ BOOLEAN IsDirectoryObject, 570 _In_ PGENERIC_MAPPING GenericMapping); 571 572 NTSTATUS 573 NTAPI 574 SeDefaultObjectMethod( 575 PVOID Object, 576 SECURITY_OPERATION_CODE OperationType, 577 PSECURITY_INFORMATION SecurityInformation, 578 PSECURITY_DESCRIPTOR NewSecurityDescriptor, 579 PULONG ReturnLength, 580 PSECURITY_DESCRIPTOR *OldSecurityDescriptor, 581 POOL_TYPE PoolType, 582 PGENERIC_MAPPING GenericMapping 583 ); 584 585 NTSTATUS 586 NTAPI 587 SeSetWorldSecurityDescriptor( 588 SECURITY_INFORMATION SecurityInformation, 589 PISECURITY_DESCRIPTOR SecurityDescriptor, 590 PULONG BufferLength 591 ); 592 593 NTSTATUS 594 NTAPI 595 SeCopyClientToken( 596 IN PACCESS_TOKEN Token, 597 IN SECURITY_IMPERSONATION_LEVEL Level, 598 IN KPROCESSOR_MODE PreviousMode, 599 OUT PACCESS_TOKEN* NewToken 600 ); 601 602 NTSTATUS 603 NTAPI 604 SepRegQueryHelper( 605 _In_ PCWSTR KeyName, 606 _In_ PCWSTR ValueName, 607 _In_ ULONG ValueType, 608 _In_ ULONG DataLength, 609 _Out_ PVOID ValueData); 610 611 VOID NTAPI 612 SeQuerySecurityAccessMask(IN SECURITY_INFORMATION SecurityInformation, 613 OUT PACCESS_MASK DesiredAccess); 614 615 VOID NTAPI 616 SeSetSecurityAccessMask(IN SECURITY_INFORMATION SecurityInformation, 617 OUT PACCESS_MASK DesiredAccess); 618 619 BOOLEAN 620 NTAPI 621 SeFastTraverseCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor, 622 IN PACCESS_STATE AccessState, 623 IN ACCESS_MASK DesiredAccess, 624 IN KPROCESSOR_MODE AccessMode); 625 626 BOOLEAN 627 NTAPI 628 SeCheckAuditPrivilege( 629 _In_ PSECURITY_SUBJECT_CONTEXT SubjectContext, 630 _In_ KPROCESSOR_MODE PreviousMode); 631 632 VOID 633 NTAPI 634 SePrivilegedServiceAuditAlarm( 635 _In_opt_ PUNICODE_STRING ServiceName, 636 _In_ PSECURITY_SUBJECT_CONTEXT SubjectContext, 637 _In_ PPRIVILEGE_SET PrivilegeSet, 638 _In_ BOOLEAN AccessGranted); 639 640 NTSTATUS 641 SepRmReferenceLogonSession( 642 PLUID LogonLuid); 643 644 NTSTATUS 645 SepRmDereferenceLogonSession( 646 PLUID LogonLuid); 647 648 NTSTATUS 649 NTAPI 650 SeGetLogonIdDeviceMap( 651 IN PLUID LogonId, 652 OUT PDEVICE_MAP * DeviceMap); 653 654 #endif 655 656 /* EOF */ 657