|
/*
|
|||
|
* PROJECT: Veil
|
|||
|
* FILE: Veil.h
|
|||
|
* PURPOSE: Definition for the Windows Internal API from ntdll.dll,
|
|||
|
* samlib.dll and winsta.dll
|
|||
|
*
|
|||
|
* LICENSE: Relicensed under The MIT License from The CC BY 4.0 License
|
|||
|
*
|
|||
|
* DEVELOPER: MiroKaku (50670906+MiroKaku@users.noreply.github.com)
|
|||
|
*/
|
|||
|
|
|||
|
/*
|
|||
|
* PROJECT: Mouri's Internal NT API Collections (MINT)
|
|||
|
* FILE: MINT.h
|
|||
|
* PURPOSE: Definition for the Windows Internal API from ntdll.dll,
|
|||
|
* samlib.dll and winsta.dll
|
|||
|
*
|
|||
|
* LICENSE: Relicensed under The MIT License from The CC BY 4.0 License
|
|||
|
*
|
|||
|
* DEVELOPER: Mouri_Naruto (Mouri_Naruto AT Outlook.com)
|
|||
|
*/
|
|||
|
|
|||
|
/*
|
|||
|
* This file is part of the Process Hacker project - https://processhacker.sf.io/
|
|||
|
*
|
|||
|
* You can redistribute this file and/or modify it under the terms of the
|
|||
|
* Attribution 4.0 International (CC BY 4.0) license.
|
|||
|
*
|
|||
|
* You must give appropriate credit, provide a link to the license, and
|
|||
|
* indicate if changes were made. You may do so in any reasonable manner, but
|
|||
|
* not in any way that suggests the licensor endorses you or your use.
|
|||
|
*/
|
|||
|
|
|||
|
#pragma once
|
|||
|
|
|||
|
// Warnings which disabled for compiling
|
|||
|
#if _MSC_VER >= 1200
|
|||
|
#pragma warning(push)
|
|||
|
// nonstandard extension used : nameless struct/union
|
|||
|
#pragma warning(disable:4201)
|
|||
|
// 'struct_name' : structure was padded due to __declspec(align())
|
|||
|
#pragma warning(disable:4324)
|
|||
|
// 'enumeration': a forward declaration of an unscoped enumeration must have an
|
|||
|
// underlying type (int assumed)
|
|||
|
#pragma warning(disable:4471)
|
|||
|
#endif
|
|||
|
|
|||
|
VEIL_BEGIN()
|
|||
|
|
|||
|
//
|
|||
|
// Privileges
|
|||
|
//
|
|||
|
|
|||
|
#ifndef _KERNEL_MODE
|
|||
|
|
|||
|
//
|
|||
|
// These must be converted to LUIDs before use.
|
|||
|
//
|
|||
|
|
|||
|
#define SE_MIN_WELL_KNOWN_PRIVILEGE (2L)
|
|||
|
#define SE_CREATE_TOKEN_PRIVILEGE (2L)
|
|||
|
#define SE_ASSIGNPRIMARYTOKEN_PRIVILEGE (3L)
|
|||
|
#define SE_LOCK_MEMORY_PRIVILEGE (4L)
|
|||
|
#define SE_INCREASE_QUOTA_PRIVILEGE (5L)
|
|||
|
|
|||
|
|
|||
|
#define SE_MACHINE_ACCOUNT_PRIVILEGE (6L)
|
|||
|
#define SE_TCB_PRIVILEGE (7L)
|
|||
|
#define SE_SECURITY_PRIVILEGE (8L)
|
|||
|
#define SE_TAKE_OWNERSHIP_PRIVILEGE (9L)
|
|||
|
#define SE_LOAD_DRIVER_PRIVILEGE (10L)
|
|||
|
#define SE_SYSTEM_PROFILE_PRIVILEGE (11L)
|
|||
|
#define SE_SYSTEMTIME_PRIVILEGE (12L)
|
|||
|
#define SE_PROF_SINGLE_PROCESS_PRIVILEGE (13L)
|
|||
|
#define SE_INC_BASE_PRIORITY_PRIVILEGE (14L)
|
|||
|
#define SE_CREATE_PAGEFILE_PRIVILEGE (15L)
|
|||
|
#define SE_CREATE_PERMANENT_PRIVILEGE (16L)
|
|||
|
#define SE_BACKUP_PRIVILEGE (17L)
|
|||
|
#define SE_RESTORE_PRIVILEGE (18L)
|
|||
|
#define SE_SHUTDOWN_PRIVILEGE (19L)
|
|||
|
#define SE_DEBUG_PRIVILEGE (20L)
|
|||
|
#define SE_AUDIT_PRIVILEGE (21L)
|
|||
|
#define SE_SYSTEM_ENVIRONMENT_PRIVILEGE (22L)
|
|||
|
#define SE_CHANGE_NOTIFY_PRIVILEGE (23L)
|
|||
|
#define SE_REMOTE_SHUTDOWN_PRIVILEGE (24L)
|
|||
|
#define SE_UNDOCK_PRIVILEGE (25L)
|
|||
|
#define SE_SYNC_AGENT_PRIVILEGE (26L)
|
|||
|
#define SE_ENABLE_DELEGATION_PRIVILEGE (27L)
|
|||
|
#define SE_MANAGE_VOLUME_PRIVILEGE (28L)
|
|||
|
#define SE_IMPERSONATE_PRIVILEGE (29L)
|
|||
|
#define SE_CREATE_GLOBAL_PRIVILEGE (30L)
|
|||
|
#define SE_TRUSTED_CREDMAN_ACCESS_PRIVILEGE (31L)
|
|||
|
#define SE_RELABEL_PRIVILEGE (32L)
|
|||
|
#define SE_INC_WORKING_SET_PRIVILEGE (33L)
|
|||
|
#define SE_TIME_ZONE_PRIVILEGE (34L)
|
|||
|
#define SE_CREATE_SYMBOLIC_LINK_PRIVILEGE (35L)
|
|||
|
#define SE_DELEGATE_SESSION_USER_IMPERSONATE_PRIVILEGE (36L)
|
|||
|
#define SE_MAX_WELL_KNOWN_PRIVILEGE (SE_DELEGATE_SESSION_USER_IMPERSONATE_PRIVILEGE)
|
|||
|
|
|||
|
#endif // !_KERNEL_MODE
|
|||
|
|
|||
|
//
|
|||
|
// Authz
|
|||
|
//
|
|||
|
|
|||
|
// begin_rev
|
|||
|
|
|||
|
// Types
|
|||
|
|
|||
|
#define TOKEN_SECURITY_ATTRIBUTE_TYPE_INVALID 0x00
|
|||
|
#define TOKEN_SECURITY_ATTRIBUTE_TYPE_INT64 0x01
|
|||
|
#define TOKEN_SECURITY_ATTRIBUTE_TYPE_UINT64 0x02
|
|||
|
#define TOKEN_SECURITY_ATTRIBUTE_TYPE_STRING 0x03
|
|||
|
#define TOKEN_SECURITY_ATTRIBUTE_TYPE_FQBN 0x04
|
|||
|
#define TOKEN_SECURITY_ATTRIBUTE_TYPE_SID 0x05
|
|||
|
#define TOKEN_SECURITY_ATTRIBUTE_TYPE_BOOLEAN 0x06
|
|||
|
#define TOKEN_SECURITY_ATTRIBUTE_TYPE_OCTET_STRING 0x10
|
|||
|
|
|||
|
// Flags
|
|||
|
|
|||
|
#define TOKEN_SECURITY_ATTRIBUTE_NON_INHERITABLE 0x0001
|
|||
|
#define TOKEN_SECURITY_ATTRIBUTE_VALUE_CASE_SENSITIVE 0x0002
|
|||
|
#define TOKEN_SECURITY_ATTRIBUTE_USE_FOR_DENY_ONLY 0x0004
|
|||
|
#define TOKEN_SECURITY_ATTRIBUTE_DISABLED_BY_DEFAULT 0x0008
|
|||
|
#define TOKEN_SECURITY_ATTRIBUTE_DISABLED 0x0010
|
|||
|
#define TOKEN_SECURITY_ATTRIBUTE_MANDATORY 0x0020
|
|||
|
#define TOKEN_SECURITY_ATTRIBUTE_COMPARE_IGNORE 0x0040
|
|||
|
|
|||
|
#define TOKEN_SECURITY_ATTRIBUTE_VALID_FLAGS ( \
|
|||
|
TOKEN_SECURITY_ATTRIBUTE_NON_INHERITABLE | \
|
|||
|
TOKEN_SECURITY_ATTRIBUTE_VALUE_CASE_SENSITIVE | \
|
|||
|
TOKEN_SECURITY_ATTRIBUTE_USE_FOR_DENY_ONLY | \
|
|||
|
TOKEN_SECURITY_ATTRIBUTE_DISABLED_BY_DEFAULT | \
|
|||
|
TOKEN_SECURITY_ATTRIBUTE_DISABLED | \
|
|||
|
TOKEN_SECURITY_ATTRIBUTE_MANDATORY)
|
|||
|
|
|||
|
#define TOKEN_SECURITY_ATTRIBUTE_CUSTOM_FLAGS 0xffff0000
|
|||
|
|
|||
|
// end_rev
|
|||
|
|
|||
|
// private
|
|||
|
// Value payload for a TOKEN_SECURITY_ATTRIBUTE_TYPE_FQBN attribute
// (fully qualified binary name): a numeric Version paired with a Name.
// Referenced through TOKEN_SECURITY_ATTRIBUTE_V1::Values.pFqbn.
typedef struct _TOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE
{
    ULONG64 Version;
    // Counted UNICODE_STRING; Name.Buffer is a separate allocation that must
    // outlive this structure -- assumed, confirm against the producer.
    UNICODE_STRING Name;
} TOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE, * PTOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE;
|
|||
|
|
|||
|
// private
|
|||
|
// Value payload for a TOKEN_SECURITY_ATTRIBUTE_TYPE_OCTET_STRING attribute:
// an opaque byte buffer plus its length. Referenced through
// TOKEN_SECURITY_ATTRIBUTE_V1::Values.pOctetString.
typedef struct _TOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE
{
    PVOID pValue;
    // Size of the buffer at pValue; presumably in bytes -- confirm.
    // NOTE(review): a consumer handling caller-supplied attributes should
    // bound pValue/ValueLength against the enclosing buffer before reading.
    ULONG ValueLength;
} TOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE, * PTOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE;
|
|||
|
|
|||
|
// private
|
|||
|
// One security attribute (claim) carried by a token: a name, a value type
// that selects which member of Values is live, flag bits, and an array of
// values of that type.
typedef struct _TOKEN_SECURITY_ATTRIBUTE_V1
{
    UNICODE_STRING Name;
    // One of the TOKEN_SECURITY_ATTRIBUTE_TYPE_* constants defined above.
    // Selects the active member of Values: INT64 -> pInt64, UINT64 -> pUint64,
    // STRING -> pString, FQBN -> pFqbn, OCTET_STRING -> pOctetString.
    // TYPE_SID and TYPE_BOOLEAN have no dedicated member; presumably they are
    // carried as pOctetString and pInt64 respectively -- confirm before use.
    USHORT ValueType;
    USHORT Reserved;
    // Combination of the TOKEN_SECURITY_ATTRIBUTE_* flag bits above; see
    // TOKEN_SECURITY_ATTRIBUTE_VALID_FLAGS and TOKEN_SECURITY_ATTRIBUTE_CUSTOM_FLAGS.
    ULONG Flags;
    // Number of elements in the array the active Values member points to.
    ULONG ValueCount;
    // NOTE(review): this structure carries no size of its own. Code that
    // accepts it from a less-trusted caller should reject a ValueType outside
    // the defined set and bound ValueCount (and the pointed-to array) against
    // the enclosing buffer length before dereferencing any Values member.
    union
    {
        PLONG64 pInt64;
        PULONG64 pUint64;
        PUNICODE_STRING pString;
        PTOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE pFqbn;
        PTOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE pOctetString;
    } Values;
} TOKEN_SECURITY_ATTRIBUTE_V1, * PTOKEN_SECURITY_ATTRIBUTE_V1;
|
|||
|
|
|||
|
// rev
|
|||
|
#define TOKEN_SECURITY_ATTRIBUTES_INFORMATION_VERSION_V1 1
|
|||
|
// rev
|
|||
|
#define TOKEN_SECURITY_ATTRIBUTES_INFORMATION_VERSION TOKEN_SECURITY_ATTRIBUTES_INFORMATION_VERSION_V1
|
|||
|
|
|||
|
// private
|
|||
|
// Versioned array of token security attributes. Passed to
// NtCreateTokenEx, NtAdjustTokenClaimsAndDeviceGroups and NtFilterTokenEx
// (declared below) and filled in by NtQuerySecurityAttributesToken.
typedef struct _TOKEN_SECURITY_ATTRIBUTES_INFORMATION
{
    // Expected to be TOKEN_SECURITY_ATTRIBUTES_INFORMATION_VERSION_V1 (1);
    // the Attribute union below only has a member for the V1 layout.
    USHORT Version;
    USHORT Reserved;
    // Number of elements in Attribute.pAttributeV1.
    ULONG AttributeCount;
    union
    {
        PTOKEN_SECURITY_ATTRIBUTE_V1 pAttributeV1;
    } Attribute;
} TOKEN_SECURITY_ATTRIBUTES_INFORMATION, * PTOKEN_SECURITY_ATTRIBUTES_INFORMATION;
|
|||
|
|
|||
|
// private
|
|||
|
// Per-attribute operation applied when a token's security attributes are
// modified; used via TOKEN_SECURITY_ATTRIBUTES_AND_OPERATION_INFORMATION.
// Values are implicit, starting at 0 (NONE).
typedef enum _TOKEN_SECURITY_ATTRIBUTE_OPERATION
{
    TOKEN_SECURITY_ATTRIBUTE_OPERATION_NONE,
    TOKEN_SECURITY_ATTRIBUTE_OPERATION_REPLACE_ALL,
    TOKEN_SECURITY_ATTRIBUTE_OPERATION_ADD,
    TOKEN_SECURITY_ATTRIBUTE_OPERATION_DELETE,
    TOKEN_SECURITY_ATTRIBUTE_OPERATION_REPLACE
} TOKEN_SECURITY_ATTRIBUTE_OPERATION, * PTOKEN_SECURITY_ATTRIBUTE_OPERATION;
|
|||
|
|
|||
|
// private
|
|||
|
// Pairs an attribute array with the operation to apply to each entry.
typedef struct _TOKEN_SECURITY_ATTRIBUTES_AND_OPERATION_INFORMATION
{
    PTOKEN_SECURITY_ATTRIBUTES_INFORMATION Attributes;
    // Array of TOKEN_SECURITY_ATTRIBUTE_OPERATION values; presumably one
    // entry per element of Attributes->Attribute.pAttributeV1, i.e.
    // Attributes->AttributeCount entries -- confirm against the caller.
    PTOKEN_SECURITY_ATTRIBUTE_OPERATION Operations;
} TOKEN_SECURITY_ATTRIBUTES_AND_OPERATION_INFORMATION, * PTOKEN_SECURITY_ATTRIBUTES_AND_OPERATION_INFORMATION;
|
|||
|
|
|||
|
// rev
|
|||
|
// Process trust level of a token, expressed as a SID. Layout is marked
// "rev" (reverse-engineered) above and is not part of the documented API.
typedef struct _TOKEN_PROCESS_TRUST_LEVEL
{
    // Presumably points into the same buffer returned with this structure;
    // its lifetime is tied to that buffer -- confirm.
    PSID TrustLevelSid;
} TOKEN_PROCESS_TRUST_LEVEL, * PTOKEN_PROCESS_TRUST_LEVEL;
|
|||
|
|
|||
|
//
|
|||
|
// Tokens
|
|||
|
//
|
|||
|
|
|||
|
__kernel_entry NTSYSCALLAPI
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
NtCreateToken(
|
|||
|
_Out_ PHANDLE TokenHandle,
|
|||
|
_In_ ACCESS_MASK DesiredAccess,
|
|||
|
_In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
|
|||
|
_In_ TOKEN_TYPE Type,
|
|||
|
_In_ PLUID AuthenticationId,
|
|||
|
_In_ PLARGE_INTEGER ExpirationTime,
|
|||
|
_In_ PTOKEN_USER User,
|
|||
|
_In_ PTOKEN_GROUPS Groups,
|
|||
|
_In_ PTOKEN_PRIVILEGES Privileges,
|
|||
|
_In_opt_ PTOKEN_OWNER Owner,
|
|||
|
_In_ PTOKEN_PRIMARY_GROUP PrimaryGroup,
|
|||
|
_In_opt_ PTOKEN_DEFAULT_DACL DefaultDacl,
|
|||
|
_In_ PTOKEN_SOURCE Source
|
|||
|
);
|
|||
|
|
|||
|
_IRQL_requires_max_(PASSIVE_LEVEL)
|
|||
|
NTSYSAPI
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
ZwCreateToken(
|
|||
|
_Out_ PHANDLE TokenHandle,
|
|||
|
_In_ ACCESS_MASK DesiredAccess,
|
|||
|
_In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
|
|||
|
_In_ TOKEN_TYPE Type,
|
|||
|
_In_ PLUID AuthenticationId,
|
|||
|
_In_ PLARGE_INTEGER ExpirationTime,
|
|||
|
_In_ PTOKEN_USER User,
|
|||
|
_In_ PTOKEN_GROUPS Groups,
|
|||
|
_In_ PTOKEN_PRIVILEGES Privileges,
|
|||
|
_In_opt_ PTOKEN_OWNER Owner,
|
|||
|
_In_ PTOKEN_PRIMARY_GROUP PrimaryGroup,
|
|||
|
_In_opt_ PTOKEN_DEFAULT_DACL DefaultDacl,
|
|||
|
_In_ PTOKEN_SOURCE Source
|
|||
|
);
|
|||
|
|
|||
|
#if (NTDDI_VERSION >= NTDDI_WIN8)
|
|||
|
// Derives a new "LowBox" token from ExistingTokenHandle, scoped to
// PackageSid and the given capability SIDs; presumably the primitive behind
// AppContainer tokens -- confirm. Handles is an optional array of handles
// associated with the new token. Returns an NTSTATUS; TokenHandle receives
// the new handle on success.
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtCreateLowBoxToken(
    _Out_ PHANDLE TokenHandle,
    _In_ HANDLE ExistingTokenHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
    _In_ PSID PackageSid,
    // CapabilityCount elements; may be NULL when CapabilityCount is 0.
    _In_ ULONG CapabilityCount,
    _In_reads_opt_(CapabilityCount) PSID_AND_ATTRIBUTES Capabilities,
    // HandleCount elements; may be NULL when HandleCount is 0.
    _In_ ULONG HandleCount,
    _In_reads_opt_(HandleCount) HANDLE* Handles
    );
|
|||
|
|
|||
|
_IRQL_requires_max_(PASSIVE_LEVEL)
|
|||
|
NTSYSAPI
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
ZwCreateLowBoxToken(
|
|||
|
_Out_ PHANDLE TokenHandle,
|
|||
|
_In_ HANDLE ExistingTokenHandle,
|
|||
|
_In_ ACCESS_MASK DesiredAccess,
|
|||
|
_In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
|
|||
|
_In_ PSID PackageSid,
|
|||
|
_In_ ULONG CapabilityCount,
|
|||
|
_In_reads_opt_(CapabilityCount) PSID_AND_ATTRIBUTES Capabilities,
|
|||
|
_In_ ULONG HandleCount,
|
|||
|
_In_reads_opt_(HandleCount) HANDLE* Handles
|
|||
|
);
|
|||
|
|
|||
|
__kernel_entry NTSYSCALLAPI
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
NtCreateTokenEx(
|
|||
|
_Out_ PHANDLE TokenHandle,
|
|||
|
_In_ ACCESS_MASK DesiredAccess,
|
|||
|
_In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
|
|||
|
_In_ TOKEN_TYPE Type,
|
|||
|
_In_ PLUID AuthenticationId,
|
|||
|
_In_ PLARGE_INTEGER ExpirationTime,
|
|||
|
_In_ PTOKEN_USER User,
|
|||
|
_In_ PTOKEN_GROUPS Groups,
|
|||
|
_In_ PTOKEN_PRIVILEGES Privileges,
|
|||
|
_In_opt_ PTOKEN_SECURITY_ATTRIBUTES_INFORMATION UserAttributes,
|
|||
|
_In_opt_ PTOKEN_SECURITY_ATTRIBUTES_INFORMATION DeviceAttributes,
|
|||
|
_In_opt_ PTOKEN_GROUPS DeviceGroups,
|
|||
|
_In_opt_ PTOKEN_MANDATORY_POLICY MandatoryPolicy,
|
|||
|
_In_opt_ PTOKEN_OWNER Owner,
|
|||
|
_In_ PTOKEN_PRIMARY_GROUP PrimaryGroup,
|
|||
|
_In_opt_ PTOKEN_DEFAULT_DACL DefaultDacl,
|
|||
|
_In_ PTOKEN_SOURCE Source
|
|||
|
);
|
|||
|
|
|||
|
_IRQL_requires_max_(PASSIVE_LEVEL)
|
|||
|
NTSYSAPI
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
ZwCreateTokenEx(
|
|||
|
_Out_ PHANDLE TokenHandle,
|
|||
|
_In_ ACCESS_MASK DesiredAccess,
|
|||
|
_In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
|
|||
|
_In_ TOKEN_TYPE Type,
|
|||
|
_In_ PLUID AuthenticationId,
|
|||
|
_In_ PLARGE_INTEGER ExpirationTime,
|
|||
|
_In_ PTOKEN_USER User,
|
|||
|
_In_ PTOKEN_GROUPS Groups,
|
|||
|
_In_ PTOKEN_PRIVILEGES Privileges,
|
|||
|
_In_opt_ PTOKEN_SECURITY_ATTRIBUTES_INFORMATION UserAttributes,
|
|||
|
_In_opt_ PTOKEN_SECURITY_ATTRIBUTES_INFORMATION DeviceAttributes,
|
|||
|
_In_opt_ PTOKEN_GROUPS DeviceGroups,
|
|||
|
_In_opt_ PTOKEN_MANDATORY_POLICY MandatoryPolicy,
|
|||
|
_In_opt_ PTOKEN_OWNER Owner,
|
|||
|
_In_ PTOKEN_PRIMARY_GROUP PrimaryGroup,
|
|||
|
_In_opt_ PTOKEN_DEFAULT_DACL DefaultDacl,
|
|||
|
_In_ PTOKEN_SOURCE Source
|
|||
|
);
|
|||
|
#endif
|
|||
|
|
|||
|
_Must_inspect_result_
|
|||
|
__kernel_entry NTSYSCALLAPI
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
NtOpenProcessToken(
|
|||
|
_In_ HANDLE ProcessHandle,
|
|||
|
_In_ ACCESS_MASK DesiredAccess,
|
|||
|
_Out_ PHANDLE TokenHandle
|
|||
|
);
|
|||
|
|
|||
|
_IRQL_requires_max_(PASSIVE_LEVEL)
|
|||
|
NTSYSAPI
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
ZwOpenProcessToken(
|
|||
|
_In_ HANDLE ProcessHandle,
|
|||
|
_In_ ACCESS_MASK DesiredAccess,
|
|||
|
_Out_ PHANDLE TokenHandle
|
|||
|
);
|
|||
|
|
|||
|
_Must_inspect_result_
|
|||
|
__kernel_entry NTSYSCALLAPI
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
NtOpenProcessTokenEx(
|
|||
|
_In_ HANDLE ProcessHandle,
|
|||
|
_In_ ACCESS_MASK DesiredAccess,
|
|||
|
_In_ ULONG HandleAttributes,
|
|||
|
_Out_ PHANDLE TokenHandle
|
|||
|
);
|
|||
|
|
|||
|
_IRQL_requires_max_(PASSIVE_LEVEL)
|
|||
|
NTSYSAPI
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
ZwOpenProcessTokenEx(
|
|||
|
_In_ HANDLE ProcessHandle,
|
|||
|
_In_ ACCESS_MASK DesiredAccess,
|
|||
|
_In_ ULONG HandleAttributes,
|
|||
|
_Out_ PHANDLE TokenHandle
|
|||
|
);
|
|||
|
|
|||
|
_Must_inspect_result_
|
|||
|
__kernel_entry NTSYSCALLAPI
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
NtOpenThreadToken(
|
|||
|
_In_ HANDLE ThreadHandle,
|
|||
|
_In_ ACCESS_MASK DesiredAccess,
|
|||
|
_In_ BOOLEAN OpenAsSelf,
|
|||
|
_Out_ PHANDLE TokenHandle
|
|||
|
);
|
|||
|
|
|||
|
_IRQL_requires_max_(PASSIVE_LEVEL)
|
|||
|
NTSYSAPI
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
ZwOpenThreadToken(
|
|||
|
_In_ HANDLE ThreadHandle,
|
|||
|
_In_ ACCESS_MASK DesiredAccess,
|
|||
|
_In_ BOOLEAN OpenAsSelf,
|
|||
|
_Out_ PHANDLE TokenHandle
|
|||
|
);
|
|||
|
|
|||
|
_Must_inspect_result_
|
|||
|
__kernel_entry NTSYSCALLAPI
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
NtOpenThreadTokenEx(
|
|||
|
_In_ HANDLE ThreadHandle,
|
|||
|
_In_ ACCESS_MASK DesiredAccess,
|
|||
|
_In_ BOOLEAN OpenAsSelf,
|
|||
|
_In_ ULONG HandleAttributes,
|
|||
|
_Out_ PHANDLE TokenHandle
|
|||
|
);
|
|||
|
|
|||
|
_IRQL_requires_max_(PASSIVE_LEVEL)
|
|||
|
NTSYSAPI
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
ZwOpenThreadTokenEx(
|
|||
|
_In_ HANDLE ThreadHandle,
|
|||
|
_In_ ACCESS_MASK DesiredAccess,
|
|||
|
_In_ BOOLEAN OpenAsSelf,
|
|||
|
_In_ ULONG HandleAttributes,
|
|||
|
_Out_ PHANDLE TokenHandle
|
|||
|
);
|
|||
|
|
|||
|
// Creates a new token of type TokenType (primary or impersonation) that
// duplicates ExistingTokenHandle. With EffectiveOnly set, presumably only the
// currently enabled groups and privileges are carried over -- confirm.
// Returns an NTSTATUS; NewTokenHandle receives the new handle on success.
// NOTE(review): the type parameter is named TokenType here but Type in the
// ZwDuplicateToken declaration below; both declare the same service and the
// names should agree.
_Must_inspect_result_
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtDuplicateToken(
    _In_ HANDLE ExistingTokenHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
    _In_ BOOLEAN EffectiveOnly,
    _In_ TOKEN_TYPE TokenType,
    _Out_ PHANDLE NewTokenHandle
    );
|
|||
|
|
|||
|
// Kernel-mode entry for NtDuplicateToken (same parameters and semantics);
// callable at PASSIVE_LEVEL only.
// NOTE(review): the parameter is named Type here but TokenType in the
// NtDuplicateToken declaration above -- the two should use one name.
// Unlike the Nt variant this declaration lacks _Must_inspect_result_.
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwDuplicateToken(
    _In_ HANDLE ExistingTokenHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
    _In_ BOOLEAN EffectiveOnly,
    _In_ TOKEN_TYPE Type,
    _Out_ PHANDLE NewTokenHandle
    );
|
|||
|
|
|||
|
|
|||
|
_When_(TokenInformationClass == TokenAccessInformation,
|
|||
|
_At_(TokenInformationLength,
|
|||
|
_In_range_(>= , sizeof(TOKEN_ACCESS_INFORMATION))))
|
|||
|
_Must_inspect_result_
|
|||
|
__kernel_entry NTSYSCALLAPI
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
NtQueryInformationToken(
|
|||
|
_In_ HANDLE TokenHandle,
|
|||
|
_In_ TOKEN_INFORMATION_CLASS TokenInformationClass,
|
|||
|
_Out_writes_bytes_to_opt_(TokenInformationLength, *ReturnLength) PVOID TokenInformation,
|
|||
|
_In_ ULONG TokenInformationLength,
|
|||
|
_Out_ PULONG ReturnLength
|
|||
|
);
|
|||
|
|
|||
|
_IRQL_requires_max_(PASSIVE_LEVEL)
|
|||
|
NTSYSAPI
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
ZwQueryInformationToken(
|
|||
|
_In_ HANDLE TokenHandle,
|
|||
|
_In_ TOKEN_INFORMATION_CLASS TokenInformationClass,
|
|||
|
_Out_writes_bytes_to_opt_(TokenInformationLength, *ReturnLength) PVOID TokenInformation,
|
|||
|
_In_ ULONG TokenInformationLength,
|
|||
|
_Out_ PULONG ReturnLength
|
|||
|
);
|
|||
|
|
|||
|
_Must_inspect_result_
|
|||
|
__kernel_entry NTSYSCALLAPI
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
NtSetInformationToken(
|
|||
|
_In_ HANDLE TokenHandle,
|
|||
|
_In_ TOKEN_INFORMATION_CLASS TokenInformationClass,
|
|||
|
_In_reads_bytes_(TokenInformationLength) PVOID TokenInformation,
|
|||
|
_In_ ULONG TokenInformationLength
|
|||
|
);
|
|||
|
|
|||
|
_IRQL_requires_max_(PASSIVE_LEVEL)
|
|||
|
NTSYSAPI
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
ZwSetInformationToken(
|
|||
|
_In_ HANDLE TokenHandle,
|
|||
|
_In_ TOKEN_INFORMATION_CLASS TokenInformationClass,
|
|||
|
_In_reads_bytes_(TokenInformationLength) PVOID TokenInformation,
|
|||
|
_In_ ULONG TokenInformationLength
|
|||
|
);
|
|||
|
|
|||
|
// Enables or disables privileges in TokenHandle. When DisableAllPrivileges
// is TRUE, presumably NewState is ignored and every privilege is disabled --
// confirm. PreviousState, if given, receives the prior state of the
// privileges that were changed, and ReturnLength the size needed/written.
// NOTE(review): this service can return STATUS_NOT_ALL_ASSIGNED, which
// NT_SUCCESS() treats as success; a caller that needs a privilege enabled
// should test for STATUS_SUCCESS explicitly rather than NT_SUCCESS() alone.
_Must_inspect_result_
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtAdjustPrivilegesToken(
    _In_ HANDLE TokenHandle,
    _In_ BOOLEAN DisableAllPrivileges,
    _In_opt_ PTOKEN_PRIVILEGES NewState,
    _In_ ULONG BufferLength,
    _Out_writes_bytes_to_opt_(BufferLength, *ReturnLength) PTOKEN_PRIVILEGES PreviousState,
    // Per the annotation: required whenever PreviousState is supplied, and
    // may be NULL only when PreviousState is NULL. ZwAdjustPrivilegesToken
    // below annotates it plainly as _Out_opt_.
    _Out_ _When_(PreviousState == NULL, _Out_opt_) PULONG ReturnLength
    );
|
|||
|
|
|||
|
_IRQL_requires_max_(PASSIVE_LEVEL)
|
|||
|
NTSYSAPI
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
ZwAdjustPrivilegesToken(
|
|||
|
_In_ HANDLE TokenHandle,
|
|||
|
_In_ BOOLEAN DisableAllPrivileges,
|
|||
|
_In_opt_ PTOKEN_PRIVILEGES NewState,
|
|||
|
_In_ ULONG BufferLength,
|
|||
|
_Out_writes_bytes_to_opt_(BufferLength, *ReturnLength) PTOKEN_PRIVILEGES PreviousState,
|
|||
|
_Out_opt_ PULONG ReturnLength
|
|||
|
);
|
|||
|
|
|||
|
// Enables or disables groups in TokenHandle. When ResetToDefault is TRUE,
// presumably NewState is ignored and the groups return to their default
// enabled state -- confirm. PreviousState, if given, receives the prior
// group state; ReturnLength the size needed/written.
_Must_inspect_result_
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtAdjustGroupsToken(
    _In_ HANDLE TokenHandle,
    _In_ BOOLEAN ResetToDefault,
    _In_opt_ PTOKEN_GROUPS NewState,
    // Must be at least sizeof(TOKEN_GROUPS) when PreviousState is used.
    // NOTE(review): ZwAdjustGroupsToken below annotates the same parameter
    // as _In_opt_ ULONG, which is meaningless for a by-value integer; the
    // two declarations should carry the same annotation.
    _In_range_(>= , sizeof(TOKEN_GROUPS)) ULONG BufferLength,
    _Out_writes_bytes_to_opt_(BufferLength, *ReturnLength) PTOKEN_GROUPS PreviousState,
    _Out_ PULONG ReturnLength
    );
|
|||
|
|
|||
|
// Kernel-mode entry for NtAdjustGroupsToken (same parameters and
// semantics); callable at PASSIVE_LEVEL only.
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwAdjustGroupsToken(
    _In_ HANDLE TokenHandle,
    _In_ BOOLEAN ResetToDefault,
    _In_opt_ PTOKEN_GROUPS NewState,
    // NOTE(review): _In_opt_ applies to pointers, not a by-value ULONG; the
    // NtAdjustGroupsToken declaration above uses
    // _In_range_(>= , sizeof(TOKEN_GROUPS)) here, which is the meaningful
    // annotation and should be mirrored.
    _In_opt_ ULONG BufferLength,
    _Out_writes_bytes_to_opt_(BufferLength, *ReturnLength) PTOKEN_GROUPS PreviousState,
    // Optional here, while the Nt declaration marks it _Out_ (required).
    _Out_opt_ PULONG ReturnLength
    );
|
|||
|
|
|||
|
#if (NTDDI_VERSION >= NTDDI_WIN8)
|
|||
|
__kernel_entry NTSYSCALLAPI
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
NtAdjustTokenClaimsAndDeviceGroups(
|
|||
|
_In_ HANDLE TokenHandle,
|
|||
|
_In_ BOOLEAN UserResetToDefault,
|
|||
|
_In_ BOOLEAN DeviceResetToDefault,
|
|||
|
_In_ BOOLEAN DeviceGroupsResetToDefault,
|
|||
|
_In_opt_ PTOKEN_SECURITY_ATTRIBUTES_INFORMATION NewUserState,
|
|||
|
_In_opt_ PTOKEN_SECURITY_ATTRIBUTES_INFORMATION NewDeviceState,
|
|||
|
_In_opt_ PTOKEN_GROUPS NewDeviceGroupsState,
|
|||
|
_In_ ULONG UserBufferLength,
|
|||
|
_Out_writes_bytes_to_opt_(UserBufferLength, *UserReturnLength) PTOKEN_SECURITY_ATTRIBUTES_INFORMATION PreviousUserState,
|
|||
|
_In_ ULONG DeviceBufferLength,
|
|||
|
_Out_writes_bytes_to_opt_(DeviceBufferLength, *DeviceReturnLength) PTOKEN_SECURITY_ATTRIBUTES_INFORMATION PreviousDeviceState,
|
|||
|
_In_ ULONG DeviceGroupsBufferLength,
|
|||
|
_Out_writes_bytes_to_opt_(DeviceGroupsBufferLength, *DeviceGroupsReturnBufferLength) PTOKEN_GROUPS PreviousDeviceGroups,
|
|||
|
_Out_opt_ PULONG UserReturnLength,
|
|||
|
_Out_opt_ PULONG DeviceReturnLength,
|
|||
|
_Out_opt_ PULONG DeviceGroupsReturnBufferLength
|
|||
|
);
|
|||
|
|
|||
|
_IRQL_requires_max_(PASSIVE_LEVEL)
|
|||
|
NTSYSAPI
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
ZwAdjustTokenClaimsAndDeviceGroups(
|
|||
|
_In_ HANDLE TokenHandle,
|
|||
|
_In_ BOOLEAN UserResetToDefault,
|
|||
|
_In_ BOOLEAN DeviceResetToDefault,
|
|||
|
_In_ BOOLEAN DeviceGroupsResetToDefault,
|
|||
|
_In_opt_ PTOKEN_SECURITY_ATTRIBUTES_INFORMATION NewUserState,
|
|||
|
_In_opt_ PTOKEN_SECURITY_ATTRIBUTES_INFORMATION NewDeviceState,
|
|||
|
_In_opt_ PTOKEN_GROUPS NewDeviceGroupsState,
|
|||
|
_In_ ULONG UserBufferLength,
|
|||
|
_Out_writes_bytes_to_opt_(UserBufferLength, *UserReturnLength) PTOKEN_SECURITY_ATTRIBUTES_INFORMATION PreviousUserState,
|
|||
|
_In_ ULONG DeviceBufferLength,
|
|||
|
_Out_writes_bytes_to_opt_(DeviceBufferLength, *DeviceReturnLength) PTOKEN_SECURITY_ATTRIBUTES_INFORMATION PreviousDeviceState,
|
|||
|
_In_ ULONG DeviceGroupsBufferLength,
|
|||
|
_Out_writes_bytes_to_opt_(DeviceGroupsBufferLength, *DeviceGroupsReturnBufferLength) PTOKEN_GROUPS PreviousDeviceGroups,
|
|||
|
_Out_opt_ PULONG UserReturnLength,
|
|||
|
_Out_opt_ PULONG DeviceReturnLength,
|
|||
|
_Out_opt_ PULONG DeviceGroupsReturnBufferLength
|
|||
|
);
|
|||
|
#endif
|
|||
|
|
|||
|
// Creates a new token derived from ExistingTokenHandle with the listed SIDs
// disabled, privileges removed and restricting SIDs applied; presumably the
// primitive behind restricted tokens -- confirm. Each of the three lists is
// optional. The Flags values are not declared in this header.
// Returns an NTSTATUS; NewTokenHandle receives the new handle on success.
_Must_inspect_result_
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtFilterToken(
    _In_ HANDLE ExistingTokenHandle,
    _In_ ULONG Flags,
    _In_opt_ PTOKEN_GROUPS SidsToDisable,
    _In_opt_ PTOKEN_PRIVILEGES PrivilegesToDelete,
    _In_opt_ PTOKEN_GROUPS RestrictedSids,
    _Out_ PHANDLE NewTokenHandle
    );
|
|||
|
|
|||
|
_IRQL_requires_max_(PASSIVE_LEVEL)
|
|||
|
NTSYSAPI
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
ZwFilterToken(
|
|||
|
_In_ HANDLE ExistingTokenHandle,
|
|||
|
_In_ ULONG Flags,
|
|||
|
_In_opt_ PTOKEN_GROUPS SidsToDisable,
|
|||
|
_In_opt_ PTOKEN_PRIVILEGES PrivilegesToDelete,
|
|||
|
_In_opt_ PTOKEN_GROUPS RestrictedSids,
|
|||
|
_Out_ PHANDLE NewTokenHandle
|
|||
|
);
|
|||
|
|
|||
|
#if (NTDDI_VERSION >= NTDDI_WIN8)
|
|||
|
__kernel_entry NTSYSCALLAPI
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
NtFilterTokenEx(
|
|||
|
_In_ HANDLE ExistingTokenHandle,
|
|||
|
_In_ ULONG Flags,
|
|||
|
_In_opt_ PTOKEN_GROUPS SidsToDisable,
|
|||
|
_In_opt_ PTOKEN_PRIVILEGES PrivilegesToDelete,
|
|||
|
_In_opt_ PTOKEN_GROUPS RestrictedSids,
|
|||
|
_In_ ULONG DisableUserClaimsCount,
|
|||
|
_In_opt_ PUNICODE_STRING UserClaimsToDisable,
|
|||
|
_In_ ULONG DisableDeviceClaimsCount,
|
|||
|
_In_opt_ PUNICODE_STRING DeviceClaimsToDisable,
|
|||
|
_In_opt_ PTOKEN_GROUPS DeviceGroupsToDisable,
|
|||
|
_In_opt_ PTOKEN_SECURITY_ATTRIBUTES_INFORMATION RestrictedUserAttributes,
|
|||
|
_In_opt_ PTOKEN_SECURITY_ATTRIBUTES_INFORMATION RestrictedDeviceAttributes,
|
|||
|
_In_opt_ PTOKEN_GROUPS RestrictedDeviceGroups,
|
|||
|
_Out_ PHANDLE NewTokenHandle
|
|||
|
);
|
|||
|
|
|||
|
_IRQL_requires_max_(PASSIVE_LEVEL)
|
|||
|
NTSYSAPI
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
ZwFilterTokenEx(
|
|||
|
_In_ HANDLE ExistingTokenHandle,
|
|||
|
_In_ ULONG Flags,
|
|||
|
_In_opt_ PTOKEN_GROUPS SidsToDisable,
|
|||
|
_In_opt_ PTOKEN_PRIVILEGES PrivilegesToDelete,
|
|||
|
_In_opt_ PTOKEN_GROUPS RestrictedSids,
|
|||
|
_In_ ULONG DisableUserClaimsCount,
|
|||
|
_In_opt_ PUNICODE_STRING UserClaimsToDisable,
|
|||
|
_In_ ULONG DisableDeviceClaimsCount,
|
|||
|
_In_opt_ PUNICODE_STRING DeviceClaimsToDisable,
|
|||
|
_In_opt_ PTOKEN_GROUPS DeviceGroupsToDisable,
|
|||
|
_In_opt_ PTOKEN_SECURITY_ATTRIBUTES_INFORMATION RestrictedUserAttributes,
|
|||
|
_In_opt_ PTOKEN_SECURITY_ATTRIBUTES_INFORMATION RestrictedDeviceAttributes,
|
|||
|
_In_opt_ PTOKEN_GROUPS RestrictedDeviceGroups,
|
|||
|
_Out_ PHANDLE NewTokenHandle
|
|||
|
);
|
|||
|
#endif
|
|||
|
|
|||
|
__kernel_entry NTSYSCALLAPI
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
NtCompareTokens(
|
|||
|
_In_ HANDLE FirstTokenHandle,
|
|||
|
_In_ HANDLE SecondTokenHandle,
|
|||
|
_Out_ PBOOLEAN Equal
|
|||
|
);
|
|||
|
|
|||
|
_IRQL_requires_max_(PASSIVE_LEVEL)
|
|||
|
NTSYSAPI
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
ZwCompareTokens(
|
|||
|
_In_ HANDLE FirstTokenHandle,
|
|||
|
_In_ HANDLE SecondTokenHandle,
|
|||
|
_Out_ PBOOLEAN Equal
|
|||
|
);
|
|||
|
|
|||
|
_Must_inspect_result_
|
|||
|
__kernel_entry NTSYSCALLAPI
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
NtPrivilegeCheck(
|
|||
|
_In_ HANDLE ClientToken,
|
|||
|
_Inout_ PPRIVILEGE_SET RequiredPrivileges,
|
|||
|
_Out_ PBOOLEAN Result
|
|||
|
);
|
|||
|
|
|||
|
_IRQL_requires_max_(PASSIVE_LEVEL)
|
|||
|
NTSYSAPI
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
ZwPrivilegeCheck(
|
|||
|
_In_ HANDLE ClientToken,
|
|||
|
_Inout_ PPRIVILEGE_SET RequiredPrivileges,
|
|||
|
_Out_ PBOOLEAN Result
|
|||
|
);
|
|||
|
|
|||
|
_Must_inspect_result_
|
|||
|
__kernel_entry NTSYSCALLAPI
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
NtImpersonateAnonymousToken(
|
|||
|
_In_ HANDLE ThreadHandle
|
|||
|
);
|
|||
|
|
|||
|
_IRQL_requires_max_(PASSIVE_LEVEL)
|
|||
|
NTSYSAPI
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
ZwImpersonateAnonymousToken(
|
|||
|
_In_ HANDLE ThreadHandle
|
|||
|
);
|
|||
|
|
|||
|
#if (NTDDI_VERSION >= NTDDI_WIN7)
|
|||
|
// rev
|
|||
|
// Queries security attributes of TokenHandle. Attributes names
// NumberOfAttributes attributes to return; it may be NULL, presumably
// meaning "all attributes" -- confirm. Buffer receives a
// TOKEN_SECURITY_ATTRIBUTES_INFORMATION (declared above) of at most Length
// bytes; ReturnLength receives the size needed or written. Marked "rev"
// above: prototype recovered by reverse engineering.
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtQuerySecurityAttributesToken(
    _In_ HANDLE TokenHandle,
    _In_reads_opt_(NumberOfAttributes) PUNICODE_STRING Attributes,
    _In_ ULONG NumberOfAttributes,
    _Out_writes_bytes_(Length) PVOID Buffer, // PTOKEN_SECURITY_ATTRIBUTES_INFORMATION
    _In_ ULONG Length,
    _Out_ PULONG ReturnLength
    );
|
|||
|
|
|||
|
// rev
|
|||
|
_IRQL_requires_max_(PASSIVE_LEVEL)
|
|||
|
NTSYSAPI
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
ZwQuerySecurityAttributesToken(
|
|||
|
_In_ HANDLE TokenHandle,
|
|||
|
_In_reads_opt_(NumberOfAttributes) PUNICODE_STRING Attributes,
|
|||
|
_In_ ULONG NumberOfAttributes,
|
|||
|
_Out_writes_bytes_(Length) PVOID Buffer, // PTOKEN_SECURITY_ATTRIBUTES_INFORMATION
|
|||
|
_In_ ULONG Length,
|
|||
|
_Out_ PULONG ReturnLength
|
|||
|
);
|
|||
|
#endif
|
|||
|
|
|||
|
//
|
|||
|
// Access checking
|
|||
|
//
|
|||
|
|
|||
|
__kernel_entry NTSYSCALLAPI
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
NtAccessCheck(
|
|||
|
_In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
|
|||
|
_In_ HANDLE ClientToken,
|
|||
|
_In_ ACCESS_MASK DesiredAccess,
|
|||
|
_In_ PGENERIC_MAPPING GenericMapping,
|
|||
|
_Out_writes_bytes_(*PrivilegeSetLength) PPRIVILEGE_SET PrivilegeSet,
|
|||
|
_Inout_ PULONG PrivilegeSetLength,
|
|||
|
_Out_ PACCESS_MASK GrantedAccess,
|
|||
|
_Out_ PNTSTATUS AccessStatus
|
|||
|
);
|
|||
|
|
|||
|
_IRQL_requires_max_(PASSIVE_LEVEL)
|
|||
|
NTSYSAPI
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
ZwAccessCheck(
|
|||
|
_In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
|
|||
|
_In_ HANDLE ClientToken,
|
|||
|
_In_ ACCESS_MASK DesiredAccess,
|
|||
|
_In_ PGENERIC_MAPPING GenericMapping,
|
|||
|
_Out_writes_bytes_(*PrivilegeSetLength) PPRIVILEGE_SET PrivilegeSet,
|
|||
|
_Inout_ PULONG PrivilegeSetLength,
|
|||
|
_Out_ PACCESS_MASK GrantedAccess,
|
|||
|
_Out_ PNTSTATUS AccessStatus
|
|||
|
);
|
|||
|
|
|||
|
__kernel_entry NTSYSCALLAPI
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
NtAccessCheckByType(
|
|||
|
_In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
|
|||
|
_In_opt_ PSID PrincipalSelfSid,
|
|||
|
_In_ HANDLE ClientToken,
|
|||
|
_In_ ACCESS_MASK DesiredAccess,
|
|||
|
_In_reads_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList,
|
|||
|
_In_ ULONG ObjectTypeListLength,
|
|||
|
_In_ PGENERIC_MAPPING GenericMapping,
|
|||
|
_Out_writes_bytes_(*PrivilegeSetLength) PPRIVILEGE_SET PrivilegeSet,
|
|||
|
_Inout_ PULONG PrivilegeSetLength,
|
|||
|
_Out_ PACCESS_MASK GrantedAccess,
|
|||
|
_Out_ PNTSTATUS AccessStatus
|
|||
|
);
|
|||
|
|
|||
|
_IRQL_requires_max_(PASSIVE_LEVEL)
|
|||
|
NTSYSAPI
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
ZwAccessCheckByType(
|
|||
|
_In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
|
|||
|
_In_opt_ PSID PrincipalSelfSid,
|
|||
|
_In_ HANDLE ClientToken,
|
|||
|
_In_ ACCESS_MASK DesiredAccess,
|
|||
|
_In_reads_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList,
|
|||
|
_In_ ULONG ObjectTypeListLength,
|
|||
|
_In_ PGENERIC_MAPPING GenericMapping,
|
|||
|
_Out_writes_bytes_(*PrivilegeSetLength) PPRIVILEGE_SET PrivilegeSet,
|
|||
|
_Inout_ PULONG PrivilegeSetLength,
|
|||
|
_Out_ PACCESS_MASK GrantedAccess,
|
|||
|
_Out_ PNTSTATUS AccessStatus
|
|||
|
);
|
|||
|
|
|||
|
__kernel_entry NTSYSCALLAPI
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
NtAccessCheckByTypeResultList(
|
|||
|
_In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
|
|||
|
_In_opt_ PSID PrincipalSelfSid,
|
|||
|
_In_ HANDLE ClientToken,
|
|||
|
_In_ ACCESS_MASK DesiredAccess,
|
|||
|
_In_reads_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList,
|
|||
|
_In_ ULONG ObjectTypeListLength,
|
|||
|
_In_ PGENERIC_MAPPING GenericMapping,
|
|||
|
_Out_writes_bytes_(*PrivilegeSetLength) PPRIVILEGE_SET PrivilegeSet,
|
|||
|
_Inout_ PULONG PrivilegeSetLength,
|
|||
|
_Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccess,
|
|||
|
_Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatus
|
|||
|
);
|
|||
|
|
|||
|
_IRQL_requires_max_(PASSIVE_LEVEL)
|
|||
|
NTSYSAPI
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
ZwAccessCheckByTypeResultList(
|
|||
|
_In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
|
|||
|
_In_opt_ PSID PrincipalSelfSid,
|
|||
|
_In_ HANDLE ClientToken,
|
|||
|
_In_ ACCESS_MASK DesiredAccess,
|
|||
|
_In_reads_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList,
|
|||
|
_In_ ULONG ObjectTypeListLength,
|
|||
|
_In_ PGENERIC_MAPPING GenericMapping,
|
|||
|
_Out_writes_bytes_(*PrivilegeSetLength) PPRIVILEGE_SET PrivilegeSet,
|
|||
|
_Inout_ PULONG PrivilegeSetLength,
|
|||
|
_Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccess,
|
|||
|
_Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatus
|
|||
|
);
|
|||
|
|
|||
|
//
|
|||
|
// Signing
|
|||
|
//
|
|||
|
|
|||
|
#if (NTDDI_VERSION >= NTDDI_WIN10_RS2)
|
|||
|
__kernel_entry NTSYSCALLAPI
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
NtSetCachedSigningLevel(
|
|||
|
_In_ ULONG Flags,
|
|||
|
_In_ SE_SIGNING_LEVEL InputSigningLevel,
|
|||
|
_In_reads_(SourceFileCount) PHANDLE SourceFiles,
|
|||
|
_In_ ULONG SourceFileCount,
|
|||
|
_In_opt_ HANDLE TargetFile
|
|||
|
);
|
|||
|
|
|||
|
_IRQL_requires_max_(PASSIVE_LEVEL)
|
|||
|
NTSYSAPI
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
ZwSetCachedSigningLevel(
|
|||
|
_In_ ULONG Flags,
|
|||
|
_In_ SE_SIGNING_LEVEL InputSigningLevel,
|
|||
|
_In_reads_(SourceFileCount) PHANDLE SourceFiles,
|
|||
|
_In_ ULONG SourceFileCount,
|
|||
|
_In_opt_ HANDLE TargetFile
|
|||
|
);
|
|||
|
|
|||
|
// Reads the cached signing level recorded for File, along with its flags
// and, optionally, the thumbprint (hash) that the cache entry is keyed on.
// Returns an NTSTATUS.
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtGetCachedSigningLevel(
    _In_ HANDLE File,
    _Out_ PULONG Flags,
    _Out_ PSE_SIGNING_LEVEL SigningLevel,
    // Optional. Per the annotation, *ThumbprintSize is the buffer capacity
    // in bytes on entry and the number of bytes written on return.
    _Out_writes_bytes_to_opt_(*ThumbprintSize, *ThumbprintSize) PUCHAR Thumbprint,
    _Inout_opt_ PULONG ThumbprintSize,
    // Identifies the hash algorithm of Thumbprint; the value set is not
    // declared in this header.
    _Out_opt_ PULONG ThumbprintAlgorithm
    );
|
|||
|
|
|||
|
_IRQL_requires_max_(PASSIVE_LEVEL)
|
|||
|
NTSYSAPI
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
ZwGetCachedSigningLevel(
|
|||
|
_In_ HANDLE File,
|
|||
|
_Out_ PULONG Flags,
|
|||
|
_Out_ PSE_SIGNING_LEVEL SigningLevel,
|
|||
|
_Out_writes_bytes_to_opt_(*ThumbprintSize, *ThumbprintSize) PUCHAR Thumbprint,
|
|||
|
_Inout_opt_ PULONG ThumbprintSize,
|
|||
|
_Out_opt_ PULONG ThumbprintAlgorithm
|
|||
|
);
|
|||
|
|
|||
|
// rev
|
|||
|
__kernel_entry NTSYSCALLAPI
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
NtCompareSigningLevels(
|
|||
|
_In_ SE_SIGNING_LEVEL FirstSigningLevel,
|
|||
|
_In_ SE_SIGNING_LEVEL SecondSigningLevel
|
|||
|
);
|
|||
|
|
|||
|
// rev
|
|||
|
_IRQL_requires_max_(PASSIVE_LEVEL)
|
|||
|
NTSYSAPI
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
ZwCompareSigningLevels(
|
|||
|
_In_ SE_SIGNING_LEVEL FirstSigningLevel,
|
|||
|
_In_ SE_SIGNING_LEVEL SecondSigningLevel
|
|||
|
);
|
|||
|
#endif // NTDDI_VERSION >= NTDDI_WIN10_RS2
|
|||
|
|
|||
|
//
// Audit alarm
//
// Access checks combined with security-audit generation. Each Nt* entry point
// has a Zw* alias with identical parameters for kernel-mode callers. In the
// access-check variants the decision is reported through *AccessStatus and
// *GrantedAccess, not through the NTSTATUS return value, and each of them
// also returns GenerateOnClose, which the caller must later pass to
// NtCloseObjectAuditAlarm / NtDeleteObjectAuditAlarm so the matching
// close/delete audit is emitted.
// NOTE(review): the Win32 wrappers of these routines require SeAuditPrivilege;
// presumably the Nt* entry points enforce the same (STATUS_PRIVILEGE_NOT_HELD)
// -- confirm against the kernel.
//

/**
 * Access check against SecurityDescriptor plus audit generation. Takes no
 * token parameter, so presumably the caller's impersonation token is used
 * (compare the ...ByHandle variant below, which takes ClientToken).
 * The return value must be inspected (SAL: _Must_inspect_result_).
 *
 * @param SubsystemName       Name of the calling subsystem, recorded in the audit.
 * @param HandleId            Optional opaque handle value recorded in the audit.
 * @param ObjectTypeName      Type name of the object being accessed.
 * @param ObjectName          Name of the object being accessed.
 * @param SecurityDescriptor  Security descriptor the request is checked against.
 * @param DesiredAccess       Requested access mask.
 * @param GenericMapping      Generic-to-specific rights mapping for the object type.
 * @param ObjectCreation      TRUE if the object is being created.
 * @param GrantedAccess       Receives the granted access mask.
 * @param AccessStatus        Receives the access decision as an NTSTATUS.
 * @param GenerateOnClose     Receives whether a close audit is required.
 * @return NTSTATUS of the call itself; the access decision is in *AccessStatus.
 */
_Must_inspect_result_
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtAccessCheckAndAuditAlarm(
    _In_ PUNICODE_STRING SubsystemName,
    _In_opt_ PVOID HandleId,
    _In_ PUNICODE_STRING ObjectTypeName,
    _In_ PUNICODE_STRING ObjectName,
    _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ PGENERIC_MAPPING GenericMapping,
    _In_ BOOLEAN ObjectCreation,
    _Out_ PACCESS_MASK GrantedAccess,
    _Out_ PNTSTATUS AccessStatus,
    _Out_ PBOOLEAN GenerateOnClose
    );

/** Kernel-mode alias of NtAccessCheckAndAuditAlarm; identical parameters. PASSIVE_LEVEL only. */
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwAccessCheckAndAuditAlarm(
    _In_ PUNICODE_STRING SubsystemName,
    _In_opt_ PVOID HandleId,
    _In_ PUNICODE_STRING ObjectTypeName,
    _In_ PUNICODE_STRING ObjectName,
    _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ PGENERIC_MAPPING GenericMapping,
    _In_ BOOLEAN ObjectCreation,
    _Out_ PACCESS_MASK GrantedAccess,
    _Out_ PNTSTATUS AccessStatus,
    _Out_ PBOOLEAN GenerateOnClose
    );

/**
 * Object-type-aware variant of NtAccessCheckAndAuditAlarm: the check can be
 * made against a hierarchy of object types (ObjectTypeList) and the audit
 * kind is chosen by AuditType. Parameters shared with
 * NtAccessCheckAndAuditAlarm have the same meaning; the additional ones are:
 *
 * @param PrincipalSelfSid     Optional SID substituted for the PRINCIPAL_SELF
 *                             SID in the descriptor's ACEs (public-API contract).
 * @param AuditType            AUDIT_EVENT_TYPE selecting the audit category.
 * @param Flags                Caller flags; not documented in this header.
 * @param ObjectTypeList       Optional array of ObjectTypeListLength entries
 *                             (SAL: _In_reads_opt_).
 * @param ObjectTypeListLength Number of entries in ObjectTypeList.
 * @param GrantedAccess        Receives a single granted mask (contrast the
 *                             ResultList variant, which fills one per entry).
 * @param AccessStatus         Receives a single access-decision status.
 */
_Must_inspect_result_
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtAccessCheckByTypeAndAuditAlarm(
    _In_ PUNICODE_STRING SubsystemName,
    _In_opt_ PVOID HandleId,
    _In_ PUNICODE_STRING ObjectTypeName,
    _In_ PUNICODE_STRING ObjectName,
    _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
    _In_opt_ PSID PrincipalSelfSid,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ AUDIT_EVENT_TYPE AuditType,
    _In_ ULONG Flags,
    _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList,
    _In_ ULONG ObjectTypeListLength,
    _In_ PGENERIC_MAPPING GenericMapping,
    _In_ BOOLEAN ObjectCreation,
    _Out_ PACCESS_MASK GrantedAccess,
    _Out_ PNTSTATUS AccessStatus,
    _Out_ PBOOLEAN GenerateOnClose
    );

/** Kernel-mode alias of NtAccessCheckByTypeAndAuditAlarm; identical parameters. PASSIVE_LEVEL only. */
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwAccessCheckByTypeAndAuditAlarm(
    _In_ PUNICODE_STRING SubsystemName,
    _In_opt_ PVOID HandleId,
    _In_ PUNICODE_STRING ObjectTypeName,
    _In_ PUNICODE_STRING ObjectName,
    _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
    _In_opt_ PSID PrincipalSelfSid,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ AUDIT_EVENT_TYPE AuditType,
    _In_ ULONG Flags,
    _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList,
    _In_ ULONG ObjectTypeListLength,
    _In_ PGENERIC_MAPPING GenericMapping,
    _In_ BOOLEAN ObjectCreation,
    _Out_ PACCESS_MASK GrantedAccess,
    _Out_ PNTSTATUS AccessStatus,
    _Out_ PBOOLEAN GenerateOnClose
    );

/**
 * Result-list variant of NtAccessCheckByTypeAndAuditAlarm: GrantedAccess and
 * AccessStatus are arrays with one element per ObjectTypeList entry
 * (SAL: _Out_writes_(ObjectTypeListLength)), so the caller must size both
 * arrays to ObjectTypeListLength. Other parameters as in
 * NtAccessCheckByTypeAndAuditAlarm.
 */
_Must_inspect_result_
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtAccessCheckByTypeResultListAndAuditAlarm(
    _In_ PUNICODE_STRING SubsystemName,
    _In_opt_ PVOID HandleId,
    _In_ PUNICODE_STRING ObjectTypeName,
    _In_ PUNICODE_STRING ObjectName,
    _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
    _In_opt_ PSID PrincipalSelfSid,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ AUDIT_EVENT_TYPE AuditType,
    _In_ ULONG Flags,
    _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList,
    _In_ ULONG ObjectTypeListLength,
    _In_ PGENERIC_MAPPING GenericMapping,
    _In_ BOOLEAN ObjectCreation,
    _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccess,
    _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatus,
    _Out_ PBOOLEAN GenerateOnClose
    );

/** Kernel-mode alias of NtAccessCheckByTypeResultListAndAuditAlarm; identical parameters. PASSIVE_LEVEL only. */
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwAccessCheckByTypeResultListAndAuditAlarm(
    _In_ PUNICODE_STRING SubsystemName,
    _In_opt_ PVOID HandleId,
    _In_ PUNICODE_STRING ObjectTypeName,
    _In_ PUNICODE_STRING ObjectName,
    _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
    _In_opt_ PSID PrincipalSelfSid,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ AUDIT_EVENT_TYPE AuditType,
    _In_ ULONG Flags,
    _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList,
    _In_ ULONG ObjectTypeListLength,
    _In_ PGENERIC_MAPPING GenericMapping,
    _In_ BOOLEAN ObjectCreation,
    _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccess,
    _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatus,
    _Out_ PBOOLEAN GenerateOnClose
    );

/**
 * Same as NtAccessCheckByTypeResultListAndAuditAlarm, but the token to check
 * is supplied explicitly as ClientToken instead of being taken from the
 * calling thread. NOTE(review): because the caller chooses the token, audit
 * records produced here reflect whatever token was passed -- callers should
 * pass only a token that genuinely represents the client being checked.
 */
_Must_inspect_result_
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtAccessCheckByTypeResultListAndAuditAlarmByHandle(
    _In_ PUNICODE_STRING SubsystemName,
    _In_opt_ PVOID HandleId,
    _In_ HANDLE ClientToken,
    _In_ PUNICODE_STRING ObjectTypeName,
    _In_ PUNICODE_STRING ObjectName,
    _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
    _In_opt_ PSID PrincipalSelfSid,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ AUDIT_EVENT_TYPE AuditType,
    _In_ ULONG Flags,
    _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList,
    _In_ ULONG ObjectTypeListLength,
    _In_ PGENERIC_MAPPING GenericMapping,
    _In_ BOOLEAN ObjectCreation,
    _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccess,
    _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatus,
    _Out_ PBOOLEAN GenerateOnClose
    );

/** Kernel-mode alias of NtAccessCheckByTypeResultListAndAuditAlarmByHandle; identical parameters. PASSIVE_LEVEL only. */
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwAccessCheckByTypeResultListAndAuditAlarmByHandle(
    _In_ PUNICODE_STRING SubsystemName,
    _In_opt_ PVOID HandleId,
    _In_ HANDLE ClientToken,
    _In_ PUNICODE_STRING ObjectTypeName,
    _In_ PUNICODE_STRING ObjectName,
    _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
    _In_opt_ PSID PrincipalSelfSid,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ AUDIT_EVENT_TYPE AuditType,
    _In_ ULONG Flags,
    _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList,
    _In_ ULONG ObjectTypeListLength,
    _In_ PGENERIC_MAPPING GenericMapping,
    _In_ BOOLEAN ObjectCreation,
    _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccess,
    _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatus,
    _Out_ PBOOLEAN GenerateOnClose
    );

/**
 * Generates an object-open audit for an access decision the caller has
 * already made: GrantedAccess, Privileges and AccessGranted are inputs here,
 * not outputs. No access check is performed by this call.
 *
 * @param SubsystemName       Name of the calling subsystem, recorded in the audit.
 * @param HandleId            Optional opaque handle value recorded in the audit.
 * @param ObjectTypeName      Type name of the opened object.
 * @param ObjectName          Name of the opened object.
 * @param SecurityDescriptor  Optional descriptor of the object.
 * @param ClientToken         Token of the client the open was performed for.
 * @param DesiredAccess       Access that was requested.
 * @param GrantedAccess       Access that was granted.
 * @param Privileges          Optional privilege set used for the access.
 * @param ObjectCreation      TRUE if the object was created by the open.
 * @param AccessGranted       TRUE if the open succeeded.
 * @param GenerateOnClose     Receives whether a close audit is required.
 * @return NTSTATUS.
 */
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtOpenObjectAuditAlarm(
    _In_ PUNICODE_STRING SubsystemName,
    _In_opt_ PVOID HandleId,
    _In_ PUNICODE_STRING ObjectTypeName,
    _In_ PUNICODE_STRING ObjectName,
    _In_opt_ PSECURITY_DESCRIPTOR SecurityDescriptor,
    _In_ HANDLE ClientToken,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ ACCESS_MASK GrantedAccess,
    _In_opt_ PPRIVILEGE_SET Privileges,
    _In_ BOOLEAN ObjectCreation,
    _In_ BOOLEAN AccessGranted,
    _Out_ PBOOLEAN GenerateOnClose
    );

/** Kernel-mode alias of NtOpenObjectAuditAlarm; identical parameters. PASSIVE_LEVEL only. */
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwOpenObjectAuditAlarm(
    _In_ PUNICODE_STRING SubsystemName,
    _In_opt_ PVOID HandleId,
    _In_ PUNICODE_STRING ObjectTypeName,
    _In_ PUNICODE_STRING ObjectName,
    _In_opt_ PSECURITY_DESCRIPTOR SecurityDescriptor,
    _In_ HANDLE ClientToken,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ ACCESS_MASK GrantedAccess,
    _In_opt_ PPRIVILEGE_SET Privileges,
    _In_ BOOLEAN ObjectCreation,
    _In_ BOOLEAN AccessGranted,
    _Out_ PBOOLEAN GenerateOnClose
    );

/**
 * Generates an audit for a privileged object access (Privileges used against
 * the object identified by HandleId) whose outcome is AccessGranted.
 *
 * @param SubsystemName  Name of the calling subsystem.
 * @param HandleId       Optional opaque handle value recorded in the audit.
 * @param ClientToken    Token of the client that performed the access.
 * @param DesiredAccess  Access that was requested.
 * @param Privileges     Privilege set that was used.
 * @param AccessGranted  TRUE if the access succeeded.
 * @return NTSTATUS.
 */
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtPrivilegeObjectAuditAlarm(
    _In_ PUNICODE_STRING SubsystemName,
    _In_opt_ PVOID HandleId,
    _In_ HANDLE ClientToken,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ PPRIVILEGE_SET Privileges,
    _In_ BOOLEAN AccessGranted
    );

/** Kernel-mode alias of NtPrivilegeObjectAuditAlarm; identical parameters. PASSIVE_LEVEL only. */
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwPrivilegeObjectAuditAlarm(
    _In_ PUNICODE_STRING SubsystemName,
    _In_opt_ PVOID HandleId,
    _In_ HANDLE ClientToken,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ PPRIVILEGE_SET Privileges,
    _In_ BOOLEAN AccessGranted
    );

/**
 * Generates the handle-close audit. GenerateOnClose is the value returned by
 * the access-check / open audit call for the same HandleId; when FALSE no
 * audit is expected to be emitted.
 *
 * @param SubsystemName    Name of the calling subsystem.
 * @param HandleId         Optional opaque handle value recorded in the audit.
 * @param GenerateOnClose  Value obtained when the handle was opened.
 * @return NTSTATUS.
 */
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtCloseObjectAuditAlarm(
    _In_ PUNICODE_STRING SubsystemName,
    _In_opt_ PVOID HandleId,
    _In_ BOOLEAN GenerateOnClose
    );

/** Kernel-mode alias of NtCloseObjectAuditAlarm; identical parameters. PASSIVE_LEVEL only. */
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwCloseObjectAuditAlarm(
    _In_ PUNICODE_STRING SubsystemName,
    _In_opt_ PVOID HandleId,
    _In_ BOOLEAN GenerateOnClose
    );

/**
 * Generates the object-delete audit; same parameters and GenerateOnClose
 * contract as NtCloseObjectAuditAlarm.
 */
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtDeleteObjectAuditAlarm(
    _In_ PUNICODE_STRING SubsystemName,
    _In_opt_ PVOID HandleId,
    _In_ BOOLEAN GenerateOnClose
    );

/** Kernel-mode alias of NtDeleteObjectAuditAlarm; identical parameters. PASSIVE_LEVEL only. */
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwDeleteObjectAuditAlarm(
    _In_ PUNICODE_STRING SubsystemName,
    _In_opt_ PVOID HandleId,
    _In_ BOOLEAN GenerateOnClose
    );

/**
 * Generates an audit for a privileged service call (use of Privileges by the
 * client identified by ClientToken when invoking ServiceName). No object is
 * involved, hence no HandleId / GenerateOnClose.
 *
 * @param SubsystemName  Name of the calling subsystem.
 * @param ServiceName    Name of the privileged service that was invoked.
 * @param ClientToken    Token of the client that invoked it.
 * @param Privileges     Privilege set that was used.
 * @param AccessGranted  TRUE if the service call was allowed.
 * @return NTSTATUS.
 */
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtPrivilegedServiceAuditAlarm(
    _In_ PUNICODE_STRING SubsystemName,
    _In_ PUNICODE_STRING ServiceName,
    _In_ HANDLE ClientToken,
    _In_ PPRIVILEGE_SET Privileges,
    _In_ BOOLEAN AccessGranted
    );

/** Kernel-mode alias of NtPrivilegedServiceAuditAlarm; identical parameters. PASSIVE_LEVEL only. */
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwPrivilegedServiceAuditAlarm(
    _In_ PUNICODE_STRING SubsystemName,
    _In_ PUNICODE_STRING ServiceName,
    _In_ HANDLE ClientToken,
    _In_ PPRIVILEGE_SET Privileges,
    _In_ BOOLEAN AccessGranted
    );
// LSA
#ifndef _KERNEL_MODE
#include <NTSecAPI.h>
#else // _KERNEL_MODE
//#pragma comment(lib, "ksecdd.lib")
#if (NTDDI_VERSION >= NTDDI_VISTA)
/*
 * Last-logon statistics carried in SECURITY_LOGON_SESSION_DATA.LastLogonInfo
 * (Vista and later). Kernel-mode mirror of the <NTSecAPI.h> definition; the
 * member order is ABI -- do not reorder or insert members.
 */
typedef struct _LSA_LAST_INTER_LOGON_INFO {
    LARGE_INTEGER LastSuccessfulLogon;                 // Time of the last successful logon (presumably FILETIME-style 100 ns units -- confirm).
    LARGE_INTEGER LastFailedLogon;                     // Time of the last failed logon attempt.
    ULONG FailedAttemptCountSinceLastSuccessfulLogon;  // Failed attempts recorded since LastSuccessfulLogon.
} LSA_LAST_INTER_LOGON_INFO, * PLSA_LAST_INTER_LOGON_INFO;
#endif // NTDDI_VERSION >= NTDDI_VISTA
/*
 * Kernel-mode mirror of the <NTSecAPI.h> SECURITY_LOGON_SESSION_DATA layout
 * (user mode gets the real header in the !_KERNEL_MODE branch above).
 * Filled in by LsaGetLogonSessionData; presumably released with
 * LsaFreeReturnBuffer (the ownership contract is not stated in this header).
 * Member order is ABI -- do not reorder or insert members.
 *
 * NOTE(review): every LSA_UNICODE_STRING here is a counted string (Length in
 * bytes) that is not guaranteed to be NUL-terminated; consumers must bound
 * reads by Length rather than calling wcslen() on Buffer.
 */
typedef struct _SECURITY_LOGON_SESSION_DATA {
    ULONG Size;                                  // Size of this structure in bytes (public-API contract).
    LUID LogonId;                                // Logon session identifier.
    LSA_UNICODE_STRING UserName;                 // Account name of the logged-on user.
    LSA_UNICODE_STRING LogonDomain;              // Domain the account was authenticated against.
    LSA_UNICODE_STRING AuthenticationPackage;    // Authentication package that performed the logon.
    ULONG LogonType;                             // SECURITY_LOGON_TYPE value (Interactive, Network, ...).
    ULONG Session;                               // Terminal Services session identifier.
    PSID Sid;                                    // SID of the logged-on user.
    LARGE_INTEGER LogonTime;                     // Session creation time (the public docs describe it as local time -- confirm).

    //
    // new for whistler (Windows XP):
    //

    LSA_UNICODE_STRING LogonServer;              // Server that authenticated the logon.
    LSA_UNICODE_STRING DnsDomainName;            // DNS name of the logon domain.
    LSA_UNICODE_STRING Upn;                      // User principal name.

#if (NTDDI_VERSION >= NTDDI_VISTA)

    //
    // new for LH (Longhorn / Windows Vista)
    //

    ULONG UserFlags;                             // Per-logon user flags; values not defined in this header.

    LSA_LAST_INTER_LOGON_INFO LastLogonInfo;     // Last successful/failed logon statistics (see struct above).
    LSA_UNICODE_STRING LogonScript;              // Logon script path.
    LSA_UNICODE_STRING ProfilePath;              // Roaming profile path.
    LSA_UNICODE_STRING HomeDirectory;            // Home directory.
    LSA_UNICODE_STRING HomeDirectoryDrive;       // Drive letter mapped to HomeDirectory.

    // Account-policy timestamps; LARGE_INTEGER like LogonTime.
    LARGE_INTEGER LogoffTime;
    LARGE_INTEGER KickOffTime;
    LARGE_INTEGER PasswordLastSet;
    LARGE_INTEGER PasswordCanChange;
    LARGE_INTEGER PasswordMustChange;

#endif
} SECURITY_LOGON_SESSION_DATA, * PSECURITY_LOGON_SESSION_DATA;
/**
 * Enumerates the logon sessions known to LSA (kernel-mode export).
 *
 * @param LogonSessionCount  Receives the number of LUIDs in *LogonSessionList.
 * @param LogonSessionList   Receives a system-allocated array of logon-session
 *                           LUIDs; presumably released with LsaFreeReturnBuffer
 *                           (the allocation contract is not stated here).
 * @return NTSTATUS.
 */
NTKERNELAPI
NTSTATUS
NTAPI
LsaEnumerateLogonSessions(
    _Out_ PULONG LogonSessionCount,
    _Out_ PLUID* LogonSessionList
    );

/**
 * Retrieves the SECURITY_LOGON_SESSION_DATA describing one logon session.
 *
 * @param LogonId           LUID of the session, e.g. one returned by
 *                          LsaEnumerateLogonSessions.
 * @param LogonSessionData  Receives a system-allocated structure; presumably
 *                          released with LsaFreeReturnBuffer.
 * @return NTSTATUS.
 *
 * NOTE(review): the returned data describes another principal's session
 * (user name, SID, logon server, password-policy timestamps); treat it as
 * sensitive and avoid copying it wholesale into logs or user-reachable buffers.
 */
NTKERNELAPI
NTSTATUS
NTAPI
LsaGetLogonSessionData(
    _In_ PLUID LogonId,
    _Out_ PSECURITY_LOGON_SESSION_DATA* LogonSessionData
    );
/*
 * Kernel-mode stand-in for the user-mode LsaFreeReturnBuffer: releases a
 * pool buffer, presumably one handed out by LsaEnumerateLogonSessions or
 * LsaGetLogonSessionData above.
 *
 * Buffer   Pool allocation to release. NULL is rejected, not ignored.
 * Returns  STATUS_SUCCESS once the buffer is freed, STATUS_INVALID_ADDRESS
 *          when Buffer is NULL.
 *
 * NOTE(review): beyond the NULL check nothing here validates Buffer; pass
 * only pointers obtained from the Lsa* routines above, never a caller-owned
 * or already-released pointer.
 */
FORCEINLINE
NTSTATUS
NTAPI
LsaFreeReturnBuffer(
    _In_ PVOID Buffer
    )
{
    // Guard clause: reject the NULL case up front.
    if (Buffer == NULL) {
        return STATUS_INVALID_ADDRESS;
    }

    ExFreePool(Buffer);
    return STATUS_SUCCESS;
}
#endif // _KERNEL_MODE
//
// Only Kernel
//

#ifdef _KERNEL_MODE

// Dacl

// Kernel-exported default DACL. NOTE(review): treat this pointer as read-only;
// which objects consume it is not visible in this header -- confirm in ntifs.
extern PACL SeSystemDefaultDacl;

// Token

/**
 * Returns the impersonation level of Token. Declared with the legacy __in SAL
 * spelling (equivalent to _In_).
 *
 * @param Token  Access token to inspect. NOTE(review): the public contract only
 *               defines the result for impersonation tokens -- check the token
 *               type (e.g. with SeTokenType) before acting on the value.
 * @return SECURITY_IMPERSONATION_LEVEL of Token.
 */
NTKERNELAPI
SECURITY_IMPERSONATION_LEVEL
NTAPI
SeTokenImpersonationLevel(
    __in PACCESS_TOKEN Token
    );

#endif // _KERNEL_MODE
VEIL_END()
#if _MSC_VER >= 1200
#pragma warning(pop)
#endif