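#pragma once

/*
 * Internal security-manager (Se*/Sep*) definitions for the kernel.
 *
 * The KNOWN_* layouts below describe the fixed prefix shared by the ACE
 * types that carry a SID: the ACE header, the access mask, and SidStart,
 * which is conventionally the first ULONG of the variable-length SID that
 * follows the fixed part.
 */

typedef struct _KNOWN_ACE
{
    ACE_HEADER Header;
    ACCESS_MASK Mask;
    ULONG SidStart;         /* Start of the trailing variable-length SID */
} KNOWN_ACE, *PKNOWN_ACE;

typedef struct _KNOWN_OBJECT_ACE
{
    ACE_HEADER Header;
    ACCESS_MASK Mask;
    ULONG Flags;            /* Object ACE flags; precede the SID in object ACEs */
    ULONG SidStart;
} KNOWN_OBJECT_ACE, *PKNOWN_OBJECT_ACE;

typedef struct _KNOWN_COMPOUND_ACE
{
    ACE_HEADER Header;
    ACCESS_MASK Mask;
    USHORT CompoundAceType;
    USHORT Reserved;
    ULONG SidStart;
} KNOWN_COMPOUND_ACE, *PKNOWN_COMPOUND_ACE;

/*
 * Turn an offset stored in a self-relative security descriptor into a
 * pointer. A zero offset means "not present" and yields NULL.
 *
 * No validation of Offset against the descriptor's size is performed here
 * (nor in the SepGet*FromDescriptor helpers that use it): the caller is
 * responsible for only handing over descriptors whose offsets have already
 * been validated, e.g. a captured descriptor. Passing an unvalidated
 * user-supplied buffer would turn an attacker-chosen offset into an
 * out-of-bounds pointer.
 */
FORCEINLINE
PVOID
SepResolveSelfRelativeOffset(
    _In_ PVOID Descriptor,
    _In_ ULONG Offset)
{
    if (Offset == 0) return NULL;
    return (PVOID)((ULONG_PTR)Descriptor + Offset);
}

/*
 * Return the primary group SID of an absolute or self-relative security
 * descriptor, or NULL if no group is set.
 */
FORCEINLINE
PSID
SepGetGroupFromDescriptor(PVOID _Descriptor)
{
    PISECURITY_DESCRIPTOR Descriptor = (PISECURITY_DESCRIPTOR)_Descriptor;
    PISECURITY_DESCRIPTOR_RELATIVE SdRel;

    /* Control sits at the same position in both layouts, so it is safe to
     * read it through the absolute view before knowing the real layout. */
    if (Descriptor->Control & SE_SELF_RELATIVE)
    {
        SdRel = (PISECURITY_DESCRIPTOR_RELATIVE)Descriptor;
        return (PSID)SepResolveSelfRelativeOffset(Descriptor, SdRel->Group);
    }

    return Descriptor->Group;
}

/*
 * Return the owner SID of an absolute or self-relative security descriptor,
 * or NULL if no owner is set.
 */
FORCEINLINE
PSID
SepGetOwnerFromDescriptor(PVOID _Descriptor)
{
    PISECURITY_DESCRIPTOR Descriptor = (PISECURITY_DESCRIPTOR)_Descriptor;
    PISECURITY_DESCRIPTOR_RELATIVE SdRel;

    if (Descriptor->Control & SE_SELF_RELATIVE)
    {
        SdRel = (PISECURITY_DESCRIPTOR_RELATIVE)Descriptor;
        return (PSID)SepResolveSelfRelativeOffset(Descriptor, SdRel->Owner);
    }

    return Descriptor->Owner;
}

/*
 * Return the DACL of an absolute or self-relative security descriptor.
 *
 * Returns NULL both when SE_DACL_PRESENT is clear and when the DACL is
 * present but NULL. Those two states are not equivalent for access checks
 * (a present-but-NULL DACL grants everyone access, an absent one means
 * the default applies), so callers that must tell them apart have to
 * inspect Descriptor->Control themselves.
 */
FORCEINLINE
PACL
SepGetDaclFromDescriptor(PVOID _Descriptor)
{
    PISECURITY_DESCRIPTOR Descriptor = (PISECURITY_DESCRIPTOR)_Descriptor;
    PISECURITY_DESCRIPTOR_RELATIVE SdRel;

    if (!(Descriptor->Control & SE_DACL_PRESENT)) return NULL;

    if (Descriptor->Control & SE_SELF_RELATIVE)
    {
        SdRel = (PISECURITY_DESCRIPTOR_RELATIVE)Descriptor;
        return (PACL)SepResolveSelfRelativeOffset(Descriptor, SdRel->Dacl);
    }

    return Descriptor->Dacl;
}

/*
 * Return the SACL of an absolute or self-relative security descriptor, or
 * NULL when SE_SACL_PRESENT is clear or the SACL itself is NULL. As with
 * the DACL, the two NULL cases are indistinguishable from the return value.
 */
FORCEINLINE
PACL
SepGetSaclFromDescriptor(PVOID _Descriptor)
{
    PISECURITY_DESCRIPTOR Descriptor = (PISECURITY_DESCRIPTOR)_Descriptor;
    PISECURITY_DESCRIPTOR_RELATIVE SdRel;

    if (!(Descriptor->Control & SE_SACL_PRESENT)) return NULL;

    if (Descriptor->Control & SE_SELF_RELATIVE)
    {
        SdRel = (PISECURITY_DESCRIPTOR_RELATIVE)Descriptor;
        return (PACL)SepResolveSelfRelativeOffset(Descriptor, SdRel->Sacl);
    }

    return Descriptor->Sacl;
}

#ifndef RTL_H

/* SID Authorities (defined by the security manager's init code) */
extern SID_IDENTIFIER_AUTHORITY SeNullSidAuthority;
extern SID_IDENTIFIER_AUTHORITY SeWorldSidAuthority;
extern SID_IDENTIFIER_AUTHORITY SeLocalSidAuthority;
extern SID_IDENTIFIER_AUTHORITY SeCreatorSidAuthority;
extern SID_IDENTIFIER_AUTHORITY SeNtSidAuthority;

/* Well-known SIDs */
extern PSID SeNullSid;
extern PSID SeWorldSid;
extern PSID SeLocalSid;
extern PSID SeCreatorOwnerSid;
extern PSID SeCreatorGroupSid;
extern PSID SeCreatorOwnerServerSid;
extern PSID SeCreatorGroupServerSid;
extern PSID SeNtAuthoritySid;
extern PSID SeDialupSid;
extern PSID SeNetworkSid;
extern PSID SeBatchSid;
extern PSID SeInteractiveSid;
extern PSID SeServiceSid;
extern PSID SeAnonymousLogonSid;
extern PSID SePrincipalSelfSid;
extern PSID SeLocalSystemSid;
extern PSID SeAuthenticatedUserSid;
extern PSID SeRestrictedCodeSid;
extern PSID SeAliasAdminsSid;
extern PSID SeAliasUsersSid;
extern PSID SeAliasGuestsSid;
extern PSID SeAliasPowerUsersSid;
extern PSID SeAliasAccountOpsSid;
extern PSID SeAliasSystemOpsSid;
extern PSID SeAliasPrintOpsSid;
extern PSID SeAliasBackupOpsSid;
extern PSID SeAuthenticatedUsersSid;
extern PSID SeRestrictedSid;
/* (a second, redundant extern for SeAnonymousLogonSid used to appear here) */
extern PSID SeLocalServiceSid;
extern PSID SeNetworkServiceSid;

/* Privilege LUIDs */
extern const LUID SeCreateTokenPrivilege;
extern const LUID SeAssignPrimaryTokenPrivilege;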
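extern const LUID SeLockMemoryPrivilege;
extern const LUID SeIncreaseQuotaPrivilege;
extern const LUID SeUnsolicitedInputPrivilege;
extern const LUID SeTcbPrivilege;
extern const LUID SeSecurityPrivilege;
extern const LUID SeTakeOwnershipPrivilege;
extern const LUID SeLoadDriverPrivilege;
extern const LUID SeSystemProfilePrivilege;
extern const LUID SeSystemtimePrivilege;
extern const LUID SeProfileSingleProcessPrivilege;
extern const LUID SeIncreaseBasePriorityPrivilege;
extern const LUID SeCreatePagefilePrivilege;
extern const LUID SeCreatePermanentPrivilege;
extern const LUID SeBackupPrivilege;
extern const LUID SeRestorePrivilege;
extern const LUID SeShutdownPrivilege;
extern const LUID SeDebugPrivilege;
extern const LUID SeAuditPrivilege;
extern const LUID SeSystemEnvironmentPrivilege;
extern const LUID SeChangeNotifyPrivilege;
extern const LUID SeRemoteShutdownPrivilege;
extern const LUID SeUndockPrivilege;
extern const LUID SeSyncAgentPrivilege;
extern const LUID SeEnableDelegationPrivilege;
extern const LUID SeManageVolumePrivilege;
extern const LUID SeImpersonatePrivilege;
extern const LUID SeCreateGlobalPrivilege;
extern const LUID SeTrustedCredmanPrivilege;
extern const LUID SeRelabelPrivilege;
extern const LUID SeIncreaseWorkingSetPrivilege;
extern const LUID SeTimeZonePrivilege;
extern const LUID SeCreateSymbolicLinkPrivilege;

/* Pre-built DACLs */
extern PACL SePublicDefaultUnrestrictedDacl;
extern PACL SePublicOpenDacl;
extern PACL SePublicOpenUnrestrictedDacl;
extern PACL SeUnrestrictedDacl;

/* Pre-built security descriptors */
extern PSECURITY_DESCRIPTOR SePublicDefaultSd;
extern PSECURITY_DESCRIPTOR SePublicDefaultUnrestrictedSd;
extern PSECURITY_DESCRIPTOR SePublicOpenSd;
extern PSECURITY_DESCRIPTOR SePublicOpenUnrestrictedSd;
extern PSECURITY_DESCRIPTOR SeSystemDefaultSd;
extern PSECURITY_DESCRIPTOR SeUnrestrictedSd;

/*
 * Token lock helpers.
 *
 * TokenLock is acquired through the ERESOURCE API, which must be called
 * with normal kernel APCs disabled; that is what the surrounding
 * KeEnterCriticalRegion/KeLeaveCriticalRegion pair provides. Every
 * SepAcquireTokenLock* must be matched by SepReleaseTokenLock on every
 * path, including error paths, or the token stays locked.
 *
 * The macro argument is parenthesized so that an expression argument is
 * cast as a whole. The expansion is deliberately kept as a plain brace
 * block rather than do { } while (0): NOTE(review) - switching would
 * require every call site to end the invocation with a semicolon, which
 * cannot be confirmed from this header alone.
 */
#define SepAcquireTokenLockExclusive(Token)                              \
{                                                                        \
    KeEnterCriticalRegion();                                             \
    ExAcquireResourceExclusiveLite(((PTOKEN)(Token))->TokenLock, TRUE);  \
}
#define SepAcquireTokenLockShared(Token)                                 \
{                                                                        \
    KeEnterCriticalRegion();                                             \
    ExAcquireResourceSharedLite(((PTOKEN)(Token))->TokenLock, TRUE);     \
}

#define SepReleaseTokenLock(Token)                                       \
{                                                                        \
    ExReleaseResourceLite(((PTOKEN)(Token))->TokenLock);                 \
    KeLeaveCriticalRegion();                                             \
}

//
// Token Functions
//

/* Reports whether the token's owner matches the descriptor's owner SID;
 * TokenLocked tells the callee whether the caller already holds the
 * token lock (so it must not take it again). */
BOOLEAN
NTAPI
SepTokenIsOwner(
    IN PACCESS_TOKEN _Token,
    IN PSECURITY_DESCRIPTOR SecurityDescriptor,
    IN BOOLEAN TokenLocked
);

BOOLEAN
NTAPI
SepSidInToken(
    IN PACCESS_TOKEN _Token,
    IN PSID Sid
);

/* Extended SID membership test. PrincipalSelfSid is substituted for the
 * PRINCIPAL_SELF SID during matching; Deny and Restricted select which
 * SID attributes/lists take part - see the implementation for the exact
 * matching rules. */
BOOLEAN
NTAPI
SepSidInTokenEx(
    IN PACCESS_TOKEN _Token,
    IN PSID PrincipalSelfSid,
    IN PSID _Sid,
    IN BOOLEAN Deny,
    IN BOOLEAN Restricted
);

/* Initialization (INIT_FUNCTION: discarded after boot) */
INIT_FUNCTION
BOOLEAN
NTAPI
SeInitSystem(VOID);

INIT_FUNCTION
VOID
NTAPI
ExpInitLuid(VOID);

INIT_FUNCTION
VOID
NTAPI
SepInitPrivileges(VOID);

INIT_FUNCTION
BOOLEAN
NTAPI
SepInitSecurityIDs(VOID);

INIT_FUNCTION
BOOLEAN
NTAPI
SepInitDACLs(VOID);

INIT_FUNCTION
BOOLEAN
NTAPI
SepInitSDs(VOID);

/* Reference-monitor init phases */
BOOLEAN
NTAPI
SeRmInitPhase0(VOID);

BOOLEAN
NTAPI
SeRmInitPhase1(VOID);

/* Process token management */
VOID
NTAPI
SeDeassignPrimaryToken(struct _EPROCESS *Process);

NTSTATUS
NTAPI
SeSubProcessToken(
    IN PTOKEN Parent,
    OUT PTOKEN *Token,
    IN BOOLEAN InUse,
    IN ULONG SessionId
);

NTSTATUS
NTAPI
SeInitializeProcessAuditName(
    IN PFILE_OBJECT FileObject,
    IN BOOLEAN DoAudit,
    OUT POBJECT_NAME_INFORMATION *AuditInfo
);

NTSTATUS
NTAPI
SeCreateAccessStateEx(
    IN PETHREAD Thread,
    IN PEPROCESS Process,
    IN OUT PACCESS_STATE AccessState,
    IN PAUX_ACCESS_DATA AuxData,
    IN ACCESS_MASK Access,
    IN PGENERIC_MAPPING GenericMapping
);

NTSTATUS
NTAPI
SeIsTokenChild(
    IN PTOKEN Token,
    OUT PBOOLEAN IsChild
);

NTSTATUS
NTAPI
SeIsTokenSibling(
    IN PTOKEN Token,
    OUT PBOOLEAN IsSibling
);

/* Builds the DACL protecting an impersonation token; *Dacl is an out
 * allocation - NOTE(review): confirm in the implementation who frees it. */
NTSTATUS
NTAPI
SepCreateImpersonationTokenDacl(
    _In_ PTOKEN Token,
    _In_ PTOKEN PrimaryToken,
    _Out_ PACL* Dacl
);

INIT_FUNCTION
VOID
NTAPI
SepInitializeTokenImplementation(VOID);

PTOKEN
NTAPI
SepCreateSystemProcessToken(VOID);

/* Auditing */
BOOLEAN
NTAPI
SeDetailedAuditingWithToken(IN PTOKEN Token);

VOID
NTAPI
SeAuditProcessExit(IN PEPROCESS Process);

VOID
NTAPI
SeAuditProcessCreate(IN PEPROCESS Process);

NTSTATUS
NTAPI
SeExchangePrimaryToken(
    _In_ PEPROCESS Process,
    _In_ PACCESS_TOKEN NewAccessToken,
    _Out_ PACCESS_TOKEN* OldAccessToken
);

VOID
NTAPI
SeCaptureSubjectContextEx(
    IN PETHREAD Thread,
    IN PEPROCESS Process,
    OUT PSECURITY_SUBJECT_CONTEXT SubjectContext
);

/*
 * Capture/Release pairs.
 *
 * The *Capture* routines take a source object plus the requesting
 * PreviousMode/AccessMode and CaptureIfKernel; the AllocatedMem/
 * AllocatedLength variants additionally let the caller supply a buffer so
 * small captures need no pool allocation. NOTE(review): presumably a
 * capture copies a user-mode object into kernel memory so that all later
 * validation operates on a copy the user thread can no longer modify
 * (double-fetch defence); callers should therefore only ever validate and
 * use the captured copy, never the original pointer. Confirm against the
 * implementations. Each successful capture must be paired with the
 * matching *Release* call using the same mode/CaptureIfKernel arguments.
 */
NTSTATUS
NTAPI
SeCaptureLuidAndAttributesArray(
    PLUID_AND_ATTRIBUTES Src,
    ULONG PrivilegeCount,
    KPROCESSOR_MODE PreviousMode,
    PLUID_AND_ATTRIBUTES AllocatedMem,
    ULONG AllocatedLength,
    POOL_TYPE PoolType,
    BOOLEAN CaptureIfKernel,
    PLUID_AND_ATTRIBUTES* Dest,
    PULONG Length
);

VOID
NTAPI
SeReleaseLuidAndAttributesArray(
    PLUID_AND_ATTRIBUTES Privilege,
    KPROCESSOR_MODE PreviousMode,
    BOOLEAN CaptureIfKernel
);

/* Privilege checks */
BOOLEAN
NTAPI
SepPrivilegeCheck(
    PTOKEN Token,
    PLUID_AND_ATTRIBUTES Privileges,
    ULONG PrivilegeCount,
    ULONG PrivilegeControl,
    KPROCESSOR_MODE PreviousMode
);

/* DesiredAccess and GrantedAccess are both in/out: the routine may move
 * privilege-backed access rights from the desired to the granted mask. */
NTSTATUS
NTAPI
SePrivilegePolicyCheck(
    _Inout_ PACCESS_MASK DesiredAccess,
    _Inout_ PACCESS_MASK GrantedAccess,
    _In_ PSECURITY_SUBJECT_CONTEXT SubjectContext,
    _In_ PTOKEN Token,
    _Out_opt_ PPRIVILEGE_SET *OutPrivilegeSet,
    _In_ KPROCESSOR_MODE PreviousMode
);

BOOLEAN
NTAPI
SeCheckPrivilegedObject(
    IN LUID PrivilegeValue,
    IN HANDLE ObjectHandle,
    IN ACCESS_MASK DesiredAccess,
    IN KPROCESSOR_MODE PreviousMode
);

NTSTATUS
NTAPI
SepDuplicateToken(
    _In_ PTOKEN Token,
    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
    _In_ BOOLEAN EffectiveOnly,
    _In_ TOKEN_TYPE TokenType,
    _In_ SECURITY_IMPERSONATION_LEVEL Level,
    _In_ KPROCESSOR_MODE PreviousMode,
    _Out_ PTOKEN* NewAccessToken
);

NTSTATUS
NTAPI
SepCaptureSecurityQualityOfService(
    IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
    IN KPROCESSOR_MODE AccessMode,
    IN POOL_TYPE PoolType,
    IN BOOLEAN CaptureIfKernel,
    OUT PSECURITY_QUALITY_OF_SERVICE *CapturedSecurityQualityOfService,
    OUT PBOOLEAN Present
);

VOID
NTAPI
SepReleaseSecurityQualityOfService(
    IN PSECURITY_QUALITY_OF_SERVICE CapturedSecurityQualityOfService OPTIONAL,
    IN KPROCESSOR_MODE AccessMode,
    IN BOOLEAN CaptureIfKernel
);

NTSTATUS
NTAPI
SepCaptureSid(
    IN PSID InputSid,
    IN KPROCESSOR_MODE AccessMode,
    IN POOL_TYPE PoolType,
    IN BOOLEAN CaptureIfKernel,
    OUT PSID *CapturedSid
);

VOID
NTAPI
SepReleaseSid(
    IN PSID CapturedSid,
    IN KPROCESSOR_MODE AccessMode,
    IN BOOLEAN CaptureIfKernel
);

NTSTATUS
NTAPI
SeCaptureSidAndAttributesArray(
    _In_ PSID_AND_ATTRIBUTES SrcSidAndAttributes,
    _In_ ULONG AttributeCount,
    _In_ KPROCESSOR_MODE PreviousMode,
    _In_opt_ PVOID AllocatedMem,
    _In_ ULONG AllocatedLength,
    _In_ POOL_TYPE PoolType,
    _In_ BOOLEAN CaptureIfKernel,
    _Out_ PSID_AND_ATTRIBUTES *CapturedSidAndAttributes,
    _Out_ PULONG ResultLength
);

VOID
NTAPI
SeReleaseSidAndAttributesArray(
    _In_ _Post_invalid_ PSID_AND_ATTRIBUTES CapturedSidAndAttributes,
    _In_ KPROCESSOR_MODE AccessMode,
    _In_ BOOLEAN CaptureIfKernel
);

NTSTATUS
NTAPI
SeComputeQuotaInformationSize(
    _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
    _Out_ PULONG QuotaInfoSize
);

NTSTATUS
NTAPI
SepCaptureAcl(
    IN PACL InputAcl,
    IN KPROCESSOR_MODE AccessMode,
    IN POOL_TYPE PoolType,
    IN BOOLEAN CaptureIfKernel,
    OUT PACL *CapturedAcl
);

VOID
NTAPI
SepReleaseAcl(
    IN PACL CapturedAcl,
    IN KPROCESSOR_MODE AccessMode,
    IN BOOLEAN CaptureIfKernel
);

/* ACL inheritance.
 *
 * AclDest may be NULL; *AclLength carries its capacity in and the
 * required/used size out. The SAL annotation on AclDest previously named
 * DaclLength, which is not a parameter of this function, so static
 * analysis could not relate the buffer to its size; it now refers to
 * *AclLength. */
NTSTATUS
SepPropagateAcl(
    _Out_writes_bytes_opt_(*AclLength) PACL AclDest,
    _Inout_ PULONG AclLength,
    _In_reads_bytes_(AclSource->AclSize) PACL AclSource,
    _In_ PSID Owner,
    _In_ PSID Group,
    _In_ BOOLEAN IsInherited,
    _In_ BOOLEAN IsDirectoryObject,
    _In_ PGENERIC_MAPPING GenericMapping
);

PACL
SepSelectAcl(
    _In_opt_ PACL ExplicitAcl,
    _In_ BOOLEAN ExplicitPresent,
    _In_ BOOLEAN ExplicitDefaulted,
    _In_opt_ PACL ParentAcl,
    _In_opt_ PACL DefaultAcl,
    _Out_ PULONG AclLength,
    _In_ PSID Owner,
    _In_ PSID Group,
    _Out_ PBOOLEAN AclPresent,
    _Out_ PBOOLEAN IsInherited,
    _In_ BOOLEAN IsDirectoryObject,
    _In_ PGENERIC_MAPPING GenericMapping
);

/* Object security methods */
NTSTATUS
NTAPI
SeDefaultObjectMethod(
    PVOID Object,
    SECURITY_OPERATION_CODE OperationType,
    PSECURITY_INFORMATION SecurityInformation,
    PSECURITY_DESCRIPTOR NewSecurityDescriptor,
    PULONG ReturnLength,
    PSECURITY_DESCRIPTOR *OldSecurityDescriptor,
    POOL_TYPE PoolType,
    PGENERIC_MAPPING GenericMapping
);

NTSTATUS
NTAPI
SeSetWorldSecurityDescriptor(
    SECURITY_INFORMATION SecurityInformation,
    PISECURITY_DESCRIPTOR SecurityDescriptor,
    PULONG BufferLength
);

NTSTATUS
NTAPI
SeCopyClientToken(
    IN PACCESS_TOKEN Token,
    IN SECURITY_IMPERSONATION_LEVEL Level,
    IN KPROCESSOR_MODE PreviousMode,
    OUT PACCESS_TOKEN* NewToken
);

/* Map a SECURITY_INFORMATION selector to the access rights needed to
 * query or set those parts of a security descriptor. */
VOID
NTAPI
SeQuerySecurityAccessMask(
    IN SECURITY_INFORMATION SecurityInformation,
    OUT PACCESS_MASK DesiredAccess
);

VOID
NTAPI
SeSetSecurityAccessMask(
    IN SECURITY_INFORMATION SecurityInformation,
    OUT PACCESS_MASK DesiredAccess
);

BOOLEAN
NTAPI
SeFastTraverseCheck(
    IN PSECURITY_DESCRIPTOR SecurityDescriptor,
    IN PACCESS_STATE AccessState,
    IN ACCESS_MASK DesiredAccess,
    IN KPROCESSOR_MODE AccessMode
);

BOOLEAN
NTAPI
SeCheckAuditPrivilege(
    _In_ PSECURITY_SUBJECT_CONTEXT SubjectContext,
    _In_ KPROCESSOR_MODE PreviousMode
);

VOID
NTAPI
SePrivilegedServiceAuditAlarm(
    _In_opt_ PUNICODE_STRING ServiceName,
    _In_ PSECURITY_SUBJECT_CONTEXT SubjectContext,
    _In_ PPRIVILEGE_SET PrivilegeSet,
    _In_ BOOLEAN AccessGranted
);

/* Logon session reference counting (reference monitor) */
NTSTATUS
SepRmReferenceLogonSession(
    PLUID LogonLuid
);

NTSTATUS
SepRmDereferenceLogonSession(
    PLUID LogonLuid
);

#endif

/* EOF */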