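#pragma once

/*
 * Internal security-manager (Se) definitions shared by the ntoskrnl/se
 * sources.
 *
 * The KNOWN_* structures describe the fixed-size prefix of the ACE kinds
 * the kernel walks. In every case the SID is stored inline right after the
 * prefix: SidStart holds the SID's first DWORD, which is the same
 * convention as the public ACCESS_ALLOWED_ACE layout.
 */

/* Plain (non-object) ACE: header, access mask, inline SID. */
typedef struct _KNOWN_ACE
{
    ACE_HEADER Header;
    ACCESS_MASK Mask;
    ULONG SidStart;
} KNOWN_ACE, *PKNOWN_ACE;

/*
 * Object ACE prefix. NOTE(review): the public object-ACE layout places up
 * to two GUIDs between Flags and the SID depending on the bits set in
 * Flags; this struct does not model them, so SidStart only marks the SID
 * when neither GUID is present. Code that honours Flags must adjust the
 * SID position itself -- confirm against the ACL walkers before relying
 * on SidStart here.
 */
typedef struct _KNOWN_OBJECT_ACE
{
    ACE_HEADER Header;
    ACCESS_MASK Mask;
    ULONG Flags;
    ULONG SidStart;
} KNOWN_OBJECT_ACE, *PKNOWN_OBJECT_ACE;

/* Compound ACE prefix: a type/reserved pair precedes the inline SID. */
typedef struct _KNOWN_COMPOUND_ACE
{
    ACE_HEADER Header;
    ACCESS_MASK Mask;
    USHORT CompoundAceType;
    USHORT Reserved;
    ULONG SidStart;
} KNOWN_COMPOUND_ACE, *PKNOWN_COMPOUND_ACE;

/*
 * Security-descriptor component accessors
 * ---------------------------------------
 *
 * Each accessor handles both descriptor forms. In a SE_SELF_RELATIVE
 * descriptor a component is stored as a byte offset from the start of the
 * descriptor, with 0 meaning "absent"; in an absolute descriptor it is a
 * plain pointer. Revision/Sbz1/Control occupy the same bytes in both
 * forms, which is what makes it safe to read Control through the absolute
 * view before deciding which layout applies.
 *
 * SECURITY: none of these helpers bounds-check the relative offset against
 * the descriptor's length, nor validate the object the result points to.
 * They must only be applied to descriptors that have already been
 * validated and captured into kernel memory. Applying them to a raw
 * user-mode buffer turns the offset arithmetic into an attacker-controlled
 * pointer.
 *
 * Also note that the DACL/SACL accessors return NULL both when the ACL is
 * not present (SE_*_PRESENT clear) and when it is present but NULL. A NULL
 * DACL that *is* present grants everyone full access, so callers that need
 * to tell the two cases apart must test Control themselves.
 */

/*
 * Resolves a self-relative component offset to a pointer.
 * Returns NULL for a zero offset (component absent); otherwise the offset
 * is added to the descriptor base without any range check (see above).
 */
FORCEINLINE
PVOID
SepSdRelativeOffsetToPointer(PISECURITY_DESCRIPTOR_RELATIVE SdRel, ULONG Offset)
{
    if (Offset == 0) return NULL;
    return (PVOID)((ULONG_PTR)SdRel + Offset);
}

/* Returns the descriptor's primary-group SID, or NULL if it has none. */
FORCEINLINE
PSID
SepGetGroupFromDescriptor(PVOID _Descriptor)
{
    PISECURITY_DESCRIPTOR Descriptor = (PISECURITY_DESCRIPTOR)_Descriptor;
    PISECURITY_DESCRIPTOR_RELATIVE SdRel;

    if (Descriptor->Control & SE_SELF_RELATIVE)
    {
        SdRel = (PISECURITY_DESCRIPTOR_RELATIVE)Descriptor;
        return (PSID)SepSdRelativeOffsetToPointer(SdRel, SdRel->Group);
    }

    return Descriptor->Group;
}

/* Returns the descriptor's owner SID, or NULL if it has none. */
FORCEINLINE
PSID
SepGetOwnerFromDescriptor(PVOID _Descriptor)
{
    PISECURITY_DESCRIPTOR Descriptor = (PISECURITY_DESCRIPTOR)_Descriptor;
    PISECURITY_DESCRIPTOR_RELATIVE SdRel;

    if (Descriptor->Control & SE_SELF_RELATIVE)
    {
        SdRel = (PISECURITY_DESCRIPTOR_RELATIVE)Descriptor;
        return (PSID)SepSdRelativeOffsetToPointer(SdRel, SdRel->Owner);
    }

    return Descriptor->Owner;
}

/*
 * Returns the descriptor's DACL, or NULL if SE_DACL_PRESENT is clear or
 * the DACL is NULL (see the note above on why those differ).
 */
FORCEINLINE
PACL
SepGetDaclFromDescriptor(PVOID _Descriptor)
{
    PISECURITY_DESCRIPTOR Descriptor = (PISECURITY_DESCRIPTOR)_Descriptor;
    PISECURITY_DESCRIPTOR_RELATIVE SdRel;

    /* The Dacl field is only meaningful when the present bit is set. */
    if (!(Descriptor->Control & SE_DACL_PRESENT)) return NULL;

    if (Descriptor->Control & SE_SELF_RELATIVE)
    {
        SdRel = (PISECURITY_DESCRIPTOR_RELATIVE)Descriptor;
        return (PACL)SepSdRelativeOffsetToPointer(SdRel, SdRel->Dacl);
    }

    return Descriptor->Dacl;
}

/*
 * Returns the descriptor's SACL, or NULL if SE_SACL_PRESENT is clear or
 * the SACL is NULL.
 */
FORCEINLINE
PACL
SepGetSaclFromDescriptor(PVOID _Descriptor)
{
    PISECURITY_DESCRIPTOR Descriptor = (PISECURITY_DESCRIPTOR)_Descriptor;
    PISECURITY_DESCRIPTOR_RELATIVE SdRel;

    /* The Sacl field is only meaningful when the present bit is set. */
    if (!(Descriptor->Control & SE_SACL_PRESENT)) return NULL;

    if (Descriptor->Control & SE_SELF_RELATIVE)
    {
        SdRel = (PISECURITY_DESCRIPTOR_RELATIVE)Descriptor;
        return (PACL)SepSdRelativeOffsetToPointer(SdRel, SdRel->Sacl);
    }

    return Descriptor->Sacl;
}

/*
 * NOTE(review): everything below is skipped when RTL_H is defined,
 * presumably because the RTL build supplies its own declarations of these
 * symbols -- confirm before moving anything across the guard.
 */
#ifndef RTL_H

/* SID Authorities (defined in the Se initialisation code). */
extern SID_IDENTIFIER_AUTHORITY SeNullSidAuthority;
extern SID_IDENTIFIER_AUTHORITY SeWorldSidAuthority;
extern SID_IDENTIFIER_AUTHORITY SeLocalSidAuthority;
extern SID_IDENTIFIER_AUTHORITY SeCreatorSidAuthority;
extern SID_IDENTIFIER_AUTHORITY SeNtSidAuthority;

/*
 * Well-known SIDs. These are pointers to kernel-owned SIDs; they are
 * compared/copied, never freed by callers.
 */
extern PSID SeNullSid;
extern PSID SeWorldSid;
extern PSID SeLocalSid;
extern PSID SeCreatorOwnerSid;
extern PSID SeCreatorGroupSid;
extern PSID SeCreatorOwnerServerSid;
extern PSID SeCreatorGroupServerSid;
extern PSID SeNtAuthoritySid;
extern PSID SeDialupSid;
extern PSID SeNetworkSid;
extern PSID SeBatchSid;
extern PSID SeInteractiveSid;
extern PSID SeServiceSid;
extern PSID SeAnonymousLogonSid;
extern PSID SePrincipalSelfSid;
extern PSID SeLocalSystemSid;
extern PSID SeAuthenticatedUserSid;
extern PSID SeRestrictedCodeSid;
extern PSID SeAliasAdminsSid;
extern PSID SeAliasUsersSid;
extern PSID SeAliasGuestsSid;
extern PSID SeAliasPowerUsersSid;
extern PSID SeAliasAccountOpsSid;
extern PSID SeAliasSystemOpsSid;
extern PSID SeAliasPrintOpsSid;
extern PSID SeAliasBackupOpsSid;
extern PSID SeAuthenticatedUsersSid;
extern PSID SeRestrictedSid;
/* (A second extern of SeAnonymousLogonSid used to sit here; it was a duplicate.) */
extern PSID SeLocalServiceSid;
extern PSID SeNetworkServiceSid;

/* Privileges (LUID values, assigned by SepInitPrivileges). */
extern const LUID SeCreateTokenPrivilege;
extern const LUID SeAssignPrimaryTokenPrivilege;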
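extern const LUID SeLockMemoryPrivilege;
extern const LUID SeIncreaseQuotaPrivilege;
extern const LUID SeUnsolicitedInputPrivilege;
extern const LUID SeTcbPrivilege;
extern const LUID SeSecurityPrivilege;
extern const LUID SeTakeOwnershipPrivilege;
extern const LUID SeLoadDriverPrivilege;
extern const LUID SeSystemProfilePrivilege;
extern const LUID SeSystemtimePrivilege;
extern const LUID SeProfileSingleProcessPrivilege;
extern const LUID SeIncreaseBasePriorityPrivilege;
extern const LUID SeCreatePagefilePrivilege;
extern const LUID SeCreatePermanentPrivilege;
extern const LUID SeBackupPrivilege;
extern const LUID SeRestorePrivilege;
extern const LUID SeShutdownPrivilege;
extern const LUID SeDebugPrivilege;
extern const LUID SeAuditPrivilege;
extern const LUID SeSystemEnvironmentPrivilege;
extern const LUID SeChangeNotifyPrivilege;
extern const LUID SeRemoteShutdownPrivilege;
extern const LUID SeUndockPrivilege;
extern const LUID SeSyncAgentPrivilege;
extern const LUID SeEnableDelegationPrivilege;
extern const LUID SeManageVolumePrivilege;
extern const LUID SeImpersonatePrivilege;
extern const LUID SeCreateGlobalPrivilege;
extern const LUID SeTrustedCredmanPrivilege;
extern const LUID SeRelabelPrivilege;
extern const LUID SeIncreaseWorkingSetPrivilege;
extern const LUID SeTimeZonePrivilege;
extern const LUID SeCreateSymbolicLinkPrivilege;

/* Default DACLs built by SepInitDACLs. */
extern PACL SePublicDefaultUnrestrictedDacl;
extern PACL SePublicOpenDacl;
extern PACL SePublicOpenUnrestrictedDacl;
extern PACL SeUnrestrictedDacl;

/* Default security descriptors built by SepInitSDs. */
extern PSECURITY_DESCRIPTOR SePublicDefaultSd;
extern PSECURITY_DESCRIPTOR SePublicDefaultUnrestrictedSd;
extern PSECURITY_DESCRIPTOR SePublicOpenSd;
extern PSECURITY_DESCRIPTOR SePublicOpenUnrestrictedSd;
extern PSECURITY_DESCRIPTOR SeSystemDefaultSd;
extern PSECURITY_DESCRIPTOR SeUnrestrictedSd;

/*
 * Token lock helpers
 * ------------------
 *
 * The token lock is an ERESOURCE (TOKEN::TokenLock). Acquisition enters a
 * critical region first so normal kernel APCs cannot suspend the thread
 * while it owns the resource, then takes the resource with Wait = TRUE,
 * i.e. it may block. The usual ERESOURCE rules apply (IRQL <= APC_LEVEL,
 * no recursive exclusive acquire). Release undoes both steps in reverse.
 *
 * The macros are wrapped in do { ... } while (0) so they behave as a single
 * statement in if/else chains, and the Token argument is parenthesised so
 * the cast binds to the whole expression. Existing `MACRO(Token);` call
 * sites are unaffected.
 */
#define SepAcquireTokenLockExclusive(Token)                                \
do {                                                                       \
    KeEnterCriticalRegion();                                               \
    ExAcquireResourceExclusiveLite(((PTOKEN)(Token))->TokenLock, TRUE);    \
} while (0)

#define SepAcquireTokenLockShared(Token)                                   \
do {                                                                       \
    KeEnterCriticalRegion();                                               \
    ExAcquireResourceSharedLite(((PTOKEN)(Token))->TokenLock, TRUE);       \
} while (0)

#define SepReleaseTokenLock(Token)                                         \
do {                                                                       \
    ExReleaseResourceLite(((PTOKEN)(Token))->TokenLock);                   \
    KeLeaveCriticalRegion();                                               \
} while (0)

//
// Token Functions
//

/*
 * Does the token own the object described by SecurityDescriptor?
 * TokenLocked tells the callee whether the caller already holds the token
 * lock (see the macros above) so it is not re-acquired -- presumably; the
 * implementation is outside this header.
 */
BOOLEAN
NTAPI
SepTokenIsOwner(
    IN PACCESS_TOKEN _Token,
    IN PSECURITY_DESCRIPTOR SecurityDescriptor,
    IN BOOLEAN TokenLocked
);

/* Group-membership test: is Sid one of the token's SIDs? */
BOOLEAN
NTAPI
SepSidInToken(
    IN PACCESS_TOKEN _Token,
    IN PSID Sid
);

/*
 * Extended membership test used by the access-check path. PrincipalSelfSid
 * is the substitute for the PRINCIPAL_SELF SID; Deny and Restricted select
 * the deny-only / restricted-SID matching rules (the exact rules live in
 * the implementation).
 */
BOOLEAN
NTAPI
SepSidInTokenEx(
    IN PACCESS_TOKEN _Token,
    IN PSID PrincipalSelfSid,
    IN PSID _Sid,
    IN BOOLEAN Deny,
    IN BOOLEAN Restricted
);

/* Functions */

/* Phase-0/1 initialisation entry points; INIT_FUNCTION code is discardable. */
INIT_FUNCTION
BOOLEAN
NTAPI
SeInitSystem(VOID);

INIT_FUNCTION
VOID
NTAPI
SepInitPrivileges(VOID);

INIT_FUNCTION
BOOLEAN
NTAPI
SepInitSecurityIDs(VOID);

INIT_FUNCTION
BOOLEAN
NTAPI
SepInitDACLs(VOID);

INIT_FUNCTION
BOOLEAN
NTAPI
SepInitSDs(VOID);

/* Reference-monitor initialisation, split across boot phases. */
BOOLEAN
NTAPI
SeRmInitPhase0(VOID);

BOOLEAN
NTAPI
SeRmInitPhase1(VOID);

/* Drops the process's primary token. */
VOID
NTAPI
SeDeassignPrimaryToken(struct _EPROCESS *Process);

/* Derives a child-process token from Parent; the new token is returned in *Token. */
NTSTATUS
NTAPI
SeSubProcessToken(
    IN PTOKEN Parent,
    OUT PTOKEN *Token,
    IN BOOLEAN InUse,
    IN ULONG SessionId
);

/* Builds the name information recorded in process-creation audits. */
NTSTATUS
NTAPI
SeInitializeProcessAuditName(
    IN PFILE_OBJECT FileObject,
    IN BOOLEAN DoAudit,
    OUT POBJECT_NAME_INFORMATION *AuditInfo
);

/*
 * Initialises AccessState for an access check performed on behalf of
 * Thread/Process, with Access mapped through GenericMapping.
 */
NTSTATUS
NTAPI
SeCreateAccessStateEx(
    IN PETHREAD Thread,
    IN PEPROCESS Process,
    IN OUT PACCESS_STATE AccessState,
    IN PAUX_ACCESS_DATA AuxData,
    IN ACCESS_MASK Access,
    IN PGENERIC_MAPPING GenericMapping
);

/* Token lineage queries relative to the caller's token. */
NTSTATUS
NTAPI
SeIsTokenChild(
    IN PTOKEN Token,
    OUT PBOOLEAN IsChild
);

NTSTATUS
NTAPI
SeIsTokenSibling(
    IN PTOKEN Token,
    OUT PBOOLEAN IsSibling
);

/* Builds the DACL applied to an impersonation token object. */
NTSTATUS
NTAPI
SepCreateImpersonationTokenDacl(
    _In_ PTOKEN Token,
    _In_ PTOKEN PrimaryToken,
    _Out_ PACL* Dacl
);

INIT_FUNCTION
VOID
NTAPI
SepInitializeTokenImplementation(VOID);

/* Creates the token used by the System process. */
PTOKEN
NTAPI
SepCreateSystemProcessToken(VOID);

BOOLEAN
NTAPI
SeDetailedAuditingWithToken(IN PTOKEN Token);

VOID
NTAPI
SeAuditProcessExit(IN PEPROCESS Process);

VOID
NTAPI
SeAuditProcessCreate(IN PEPROCESS Process);

/*
 * Replaces the process's primary token with NewAccessToken. The previous
 * token is handed back in *OldAccessToken; ownership of that reference
 * presumably passes to the caller -- check the implementation before
 * dropping it.
 */
NTSTATUS
NTAPI
SeExchangePrimaryToken(
    _In_ PEPROCESS Process,
    _In_ PACCESS_TOKEN NewAccessToken,
    _Out_ PACCESS_TOKEN* OldAccessToken
);

/* Captures the security subject (tokens) of Thread/Process for an access check. */
VOID
NTAPI
SeCaptureSubjectContextEx(
    IN PETHREAD Thread,
    IN PEPROCESS Process,
    OUT PSECURITY_SUBJECT_CONTEXT SubjectContext
);

/*
 * Capture / release helpers
 * -------------------------
 *
 * These take the caller's processor mode (PreviousMode / AccessMode). The
 * point of capturing is TOCTOU safety: user-mode input is copied into
 * kernel memory before it is validated and used, so another user thread
 * cannot change it between the check and the use. The CaptureIfKernel flag
 * is shared by every pair below and, going by its name, decides whether
 * kernel-mode input is copied as well; the matching Release helper must be
 * passed the same mode and flag so it frees exactly what Capture allocated.
 * Where an AllocatedMem/AllocatedLength pair exists the caller may supply
 * its own buffer to avoid a pool allocation.
 */
NTSTATUS
NTAPI
SeCaptureLuidAndAttributesArray(
    PLUID_AND_ATTRIBUTES Src,
    ULONG PrivilegeCount,
    KPROCESSOR_MODE PreviousMode,
    PLUID_AND_ATTRIBUTES AllocatedMem,
    ULONG AllocatedLength,
    POOL_TYPE PoolType,
    BOOLEAN CaptureIfKernel,
    PLUID_AND_ATTRIBUTES* Dest,
    PULONG Length
);

VOID
NTAPI
SeReleaseLuidAndAttributesArray(
    PLUID_AND_ATTRIBUTES Privilege,
    KPROCESSOR_MODE PreviousMode,
    BOOLEAN CaptureIfKernel
);

/*
 * Privilege checks. PreviousMode is passed so that privilege use can be
 * attributed (and audited) correctly for user-mode callers.
 */
BOOLEAN
NTAPI
SepPrivilegeCheck(
    PTOKEN Token,
    PLUID_AND_ATTRIBUTES Privileges,
    ULONG PrivilegeCount,
    ULONG PrivilegeControl,
    KPROCESSOR_MODE PreviousMode
);

/*
 * Applies privilege-based access policy: DesiredAccess/GrantedAccess are
 * updated in place and the privileges used may be reported through
 * *OutPrivilegeSet for auditing.
 */
NTSTATUS
NTAPI
SePrivilegePolicyCheck(
    _Inout_ PACCESS_MASK DesiredAccess,
    _Inout_ PACCESS_MASK GrantedAccess,
    _In_ PSECURITY_SUBJECT_CONTEXT SubjectContext,
    _In_ PTOKEN Token,
    _Out_opt_ PPRIVILEGE_SET *OutPrivilegeSet,
    _In_ KPROCESSOR_MODE PreviousMode);

BOOLEAN
NTAPI
SeCheckPrivilegedObject(
    IN LUID PrivilegeValue,
    IN HANDLE ObjectHandle,
    IN ACCESS_MASK DesiredAccess,
    IN KPROCESSOR_MODE PreviousMode
);

/*
 * Duplicates Token into a new token object of the given type and
 * impersonation level. EffectiveOnly drops disabled privileges/groups.
 */
NTSTATUS
NTAPI
SepDuplicateToken(
    _In_ PTOKEN Token,
    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
    _In_ BOOLEAN EffectiveOnly,
    _In_ TOKEN_TYPE TokenType,
    _In_ SECURITY_IMPERSONATION_LEVEL Level,
    _In_ KPROCESSOR_MODE PreviousMode,
    _Out_ PTOKEN* NewAccessToken
);

/* SQOS capture pair; *Present reports whether ObjectAttributes carried one. */
NTSTATUS
NTAPI
SepCaptureSecurityQualityOfService(
    IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
    IN KPROCESSOR_MODE AccessMode,
    IN POOL_TYPE PoolType,
    IN BOOLEAN CaptureIfKernel,
    OUT PSECURITY_QUALITY_OF_SERVICE *CapturedSecurityQualityOfService,
    OUT PBOOLEAN Present
);

VOID
NTAPI
SepReleaseSecurityQualityOfService(
    IN PSECURITY_QUALITY_OF_SERVICE CapturedSecurityQualityOfService OPTIONAL,
    IN KPROCESSOR_MODE AccessMode,
    IN BOOLEAN CaptureIfKernel
);

/* SID capture pair. */
NTSTATUS
NTAPI
SepCaptureSid(
    IN PSID InputSid,
    IN KPROCESSOR_MODE AccessMode,
    IN POOL_TYPE PoolType,
    IN BOOLEAN CaptureIfKernel,
    OUT PSID *CapturedSid
);

VOID
NTAPI
SepReleaseSid(
    IN PSID CapturedSid,
    IN KPROCESSOR_MODE AccessMode,
    IN BOOLEAN CaptureIfKernel
);

/* SID_AND_ATTRIBUTES array capture pair; *ResultLength is the captured size. */
NTSTATUS
NTAPI
SeCaptureSidAndAttributesArray(
    _In_ PSID_AND_ATTRIBUTES SrcSidAndAttributes,
    _In_ ULONG AttributeCount,
    _In_ KPROCESSOR_MODE PreviousMode,
    _In_opt_ PVOID AllocatedMem,
    _In_ ULONG AllocatedLength,
    _In_ POOL_TYPE PoolType,
    _In_ BOOLEAN CaptureIfKernel,
    _Out_ PSID_AND_ATTRIBUTES *CapturedSidAndAttributes,
    _Out_ PULONG ResultLength);

VOID
NTAPI
SeReleaseSidAndAttributesArray(
    _In_ _Post_invalid_ PSID_AND_ATTRIBUTES CapturedSidAndAttributes,
    _In_ KPROCESSOR_MODE AccessMode,
    _In_ BOOLEAN CaptureIfKernel);

/* Size of the quota information charged for SecurityDescriptor. */
NTSTATUS
NTAPI
SeComputeQuotaInformationSize(
    _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
    _Out_ PULONG QuotaInfoSize);

/* ACL capture pair. */
NTSTATUS
NTAPI
SepCaptureAcl(
    IN PACL InputAcl,
    IN KPROCESSOR_MODE AccessMode,
    IN POOL_TYPE PoolType,
    IN BOOLEAN CaptureIfKernel,
    OUT PACL *CapturedAcl
);

VOID
NTAPI
SepReleaseAcl(
    IN PACL CapturedAcl,
    IN KPROCESSOR_MODE AccessMode,
    IN BOOLEAN CaptureIfKernel
);

/*
 * Propagates (inherits) AclSource into AclDest for a new object, mapping
 * generic rights through GenericMapping and substituting Owner/Group for
 * the CREATOR_* SIDs. AclDest may be NULL; AclLength is in/out.
 *
 * NOTE(review): the writes annotation used to name `DaclLength`, which is
 * not a parameter of this function; it has been changed to `*AclLength`,
 * the only length available, on the assumption that the in/out length is
 * the destination buffer size on entry -- confirm against the definition.
 */
NTSTATUS
SepPropagateAcl(
    _Out_writes_bytes_opt_(*AclLength) PACL AclDest,
    _Inout_ PULONG AclLength,
    _In_reads_bytes_(AclSource->AclSize) PACL AclSource,
    _In_ PSID Owner,
    _In_ PSID Group,
    _In_ BOOLEAN IsInherited,
    _In_ BOOLEAN IsDirectoryObject,
    _In_ PGENERIC_MAPPING GenericMapping);

/*
 * Chooses which ACL a new object gets (explicit, inherited from ParentAcl,
 * or DefaultAcl) and reports its length and whether it is present/inherited.
 */
PACL
SepSelectAcl(
    _In_opt_ PACL ExplicitAcl,
    _In_ BOOLEAN ExplicitPresent,
    _In_ BOOLEAN ExplicitDefaulted,
    _In_opt_ PACL ParentAcl,
    _In_opt_ PACL DefaultAcl,
    _Out_ PULONG AclLength,
    _In_ PSID Owner,
    _In_ PSID Group,
    _Out_ PBOOLEAN AclPresent,
    _Out_ PBOOLEAN IsInherited,
    _In_ BOOLEAN IsDirectoryObject,
    _In_ PGENERIC_MAPPING GenericMapping);

/* Default object-type security method (query/set/delete/assign). */
NTSTATUS
NTAPI
SeDefaultObjectMethod(
    PVOID Object,
    SECURITY_OPERATION_CODE OperationType,
    PSECURITY_INFORMATION SecurityInformation,
    PSECURITY_DESCRIPTOR NewSecurityDescriptor,
    PULONG ReturnLength,
    PSECURITY_DESCRIPTOR *OldSecurityDescriptor,
    POOL_TYPE PoolType,
    PGENERIC_MAPPING GenericMapping
);

NTSTATUS
NTAPI
SeSetWorldSecurityDescriptor(
    SECURITY_INFORMATION SecurityInformation,
    PISECURITY_DESCRIPTOR SecurityDescriptor,
    PULONG BufferLength
);

/* Copies a client's token at the requested impersonation level. */
NTSTATUS
NTAPI
SeCopyClientToken(
    IN PACCESS_TOKEN Token,
    IN SECURITY_IMPERSONATION_LEVEL Level,
    IN KPROCESSOR_MODE PreviousMode,
    OUT PACCESS_TOKEN* NewToken
);

/*
 * Map a SECURITY_INFORMATION selector to the access rights a caller needs
 * in order to query, respectively set, those parts of a descriptor.
 */
VOID NTAPI
SeQuerySecurityAccessMask(IN SECURITY_INFORMATION SecurityInformation,
                          OUT PACCESS_MASK DesiredAccess);

VOID NTAPI
SeSetSecurityAccessMask(IN SECURITY_INFORMATION SecurityInformation,
                        OUT PACCESS_MASK DesiredAccess);

/* Fast-path traverse check used during object-name parsing. */
BOOLEAN
NTAPI
SeFastTraverseCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
                    IN PACCESS_STATE AccessState,
                    IN ACCESS_MASK DesiredAccess,
                    IN KPROCESSOR_MODE AccessMode);

/* Audit-privilege check and privileged-service audit event. */
BOOLEAN
NTAPI
SeCheckAuditPrivilege(
    _In_ PSECURITY_SUBJECT_CONTEXT SubjectContext,
    _In_ KPROCESSOR_MODE PreviousMode);

VOID
NTAPI
SePrivilegedServiceAuditAlarm(
    _In_opt_ PUNICODE_STRING ServiceName,
    _In_ PSECURITY_SUBJECT_CONTEXT SubjectContext,
    _In_ PPRIVILEGE_SET PrivilegeSet,
    _In_ BOOLEAN AccessGranted);

/* Logon-session reference counting in the reference monitor. */
NTSTATUS
SepRmReferenceLogonSession(
    PLUID LogonLuid);

NTSTATUS
SepRmDereferenceLogonSession(
    PLUID LogonLuid);

#endif

/* EOF */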