/*
|
||
* PROJECT: Veil
|
||
* FILE: Veil.h
|
||
* PURPOSE: Definition for the Windows Internal API from ntdll.dll,
|
||
* samlib.dll and winsta.dll
|
||
*
|
||
* LICENSE: Relicensed under The MIT License from The CC BY 4.0 License
|
||
*
|
||
* DEVELOPER: MiroKaku (50670906+MiroKaku@users.noreply.github.com)
|
||
*/
|
||
|
||
/*
|
||
* PROJECT: Mouri's Internal NT API Collections (MINT)
|
||
* FILE: MINT.h
|
||
* PURPOSE: Definition for the Windows Internal API from ntdll.dll,
|
||
* samlib.dll and winsta.dll
|
||
*
|
||
* LICENSE: Relicensed under The MIT License from The CC BY 4.0 License
|
||
*
|
||
* DEVELOPER: Mouri_Naruto (Mouri_Naruto AT Outlook.com)
|
||
*/
|
||
|
||
/*
|
||
* This file is part of the Process Hacker project - https://processhacker.sf.io/
|
||
*
|
||
* You can redistribute this file and/or modify it under the terms of the
|
||
* Attribution 4.0 International (CC BY 4.0) license.
|
||
*
|
||
* You must give appropriate credit, provide a link to the license, and
|
||
* indicate if changes were made. You may do so in any reasonable manner, but
|
||
* not in any way that suggests the licensor endorses you or your use.
|
||
*/
|
||
|
||
#pragma once
|
||
|
||
// Warnings disabled for compilation
|
||
#if _MSC_VER >= 1200
|
||
#pragma warning(push)
|
||
// nonstandard extension used : nameless struct/union
|
||
#pragma warning(disable:4201)
|
||
// 'struct_name' : structure was padded due to __declspec(align())
|
||
#pragma warning(disable:4324)
|
||
// 'enumeration': a forward declaration of an unscoped enumeration must have an
|
||
// underlying type (int assumed)
|
||
#pragma warning(disable:4471)
|
||
#endif
|
||
|
||
VEIL_BEGIN()
|
||
|
||
//
|
||
// Privileges
|
||
//
|
||
|
||
#ifndef _KERNEL_MODE
|
||
|
||
//
|
||
// These must be converted to LUIDs before use.
|
||
//
|
||
|
||
//
// Well-known privilege numbers (the LUID low part; see the note above about
// converting them to LUIDs before use). SE_MIN_WELL_KNOWN_PRIVILEGE and
// SE_MAX_WELL_KNOWN_PRIVILEGE bound the table, so a range check against those
// two is the cheap way to reject a value that is not a well-known privilege.
// The block is guarded by !_KERNEL_MODE, presumably because the kernel-mode
// headers already provide these names.
//
// NOTE(review): SE_CREATE_TOKEN_PRIVILEGE, SE_ASSIGNPRIMARYTOKEN_PRIVILEGE,
// SE_TCB_PRIVILEGE, SE_DEBUG_PRIVILEGE, SE_LOAD_DRIVER_PRIVILEGE,
// SE_BACKUP_PRIVILEGE, SE_RESTORE_PRIVILEGE, SE_TAKE_OWNERSHIP_PRIVILEGE and
// SE_IMPERSONATE_PRIVILEGE are among the privileges Windows audits as
// "sensitive"; code that enables or grants them through the token APIs below
// is the natural place to add logging.
//
#define SE_MIN_WELL_KNOWN_PRIVILEGE (2L)
#define SE_CREATE_TOKEN_PRIVILEGE (2L)
#define SE_ASSIGNPRIMARYTOKEN_PRIVILEGE (3L)
#define SE_LOCK_MEMORY_PRIVILEGE (4L)
#define SE_INCREASE_QUOTA_PRIVILEGE (5L)

#define SE_MACHINE_ACCOUNT_PRIVILEGE (6L)
#define SE_TCB_PRIVILEGE (7L)
#define SE_SECURITY_PRIVILEGE (8L)
#define SE_TAKE_OWNERSHIP_PRIVILEGE (9L)
#define SE_LOAD_DRIVER_PRIVILEGE (10L)
#define SE_SYSTEM_PROFILE_PRIVILEGE (11L)
#define SE_SYSTEMTIME_PRIVILEGE (12L)
#define SE_PROF_SINGLE_PROCESS_PRIVILEGE (13L)
#define SE_INC_BASE_PRIORITY_PRIVILEGE (14L)
#define SE_CREATE_PAGEFILE_PRIVILEGE (15L)
#define SE_CREATE_PERMANENT_PRIVILEGE (16L)
#define SE_BACKUP_PRIVILEGE (17L)
#define SE_RESTORE_PRIVILEGE (18L)
#define SE_SHUTDOWN_PRIVILEGE (19L)
#define SE_DEBUG_PRIVILEGE (20L)
#define SE_AUDIT_PRIVILEGE (21L)
#define SE_SYSTEM_ENVIRONMENT_PRIVILEGE (22L)
#define SE_CHANGE_NOTIFY_PRIVILEGE (23L)
#define SE_REMOTE_SHUTDOWN_PRIVILEGE (24L)
#define SE_UNDOCK_PRIVILEGE (25L)
#define SE_SYNC_AGENT_PRIVILEGE (26L)
#define SE_ENABLE_DELEGATION_PRIVILEGE (27L)
#define SE_MANAGE_VOLUME_PRIVILEGE (28L)
#define SE_IMPERSONATE_PRIVILEGE (29L)
#define SE_CREATE_GLOBAL_PRIVILEGE (30L)
#define SE_TRUSTED_CREDMAN_ACCESS_PRIVILEGE (31L)
#define SE_RELABEL_PRIVILEGE (32L)
#define SE_INC_WORKING_SET_PRIVILEGE (33L)
#define SE_TIME_ZONE_PRIVILEGE (34L)
#define SE_CREATE_SYMBOLIC_LINK_PRIVILEGE (35L)
#define SE_DELEGATE_SESSION_USER_IMPERSONATE_PRIVILEGE (36L)
// Highest well-known value; tracks the newest entry above.
#define SE_MAX_WELL_KNOWN_PRIVILEGE (SE_DELEGATE_SESSION_USER_IMPERSONATE_PRIVILEGE)
|
||
|
||
#endif // !_KERNEL_MODE
|
||
|
||
//
|
||
// Authz
|
||
//
|
||
|
||
// begin_rev
|
||
|
||
// Types
|
||
|
||
// Values for TOKEN_SECURITY_ATTRIBUTE_V1.ValueType. The type selects the live
// member of the Values union declared below: INT64 -> pInt64,
// UINT64 -> pUint64, STRING -> pString, FQBN -> pFqbn,
// OCTET_STRING -> pOctetString. No union member is declared for SID or
// BOOLEAN in this header; presumably they are carried as pOctetString and
// pInt64 respectively, as in the CLAIM_SECURITY_ATTRIBUTE_V1 counterpart —
// confirm before relying on it.
#define TOKEN_SECURITY_ATTRIBUTE_TYPE_INVALID 0x00
#define TOKEN_SECURITY_ATTRIBUTE_TYPE_INT64 0x01
#define TOKEN_SECURITY_ATTRIBUTE_TYPE_UINT64 0x02
#define TOKEN_SECURITY_ATTRIBUTE_TYPE_STRING 0x03
#define TOKEN_SECURITY_ATTRIBUTE_TYPE_FQBN 0x04
#define TOKEN_SECURITY_ATTRIBUTE_TYPE_SID 0x05
#define TOKEN_SECURITY_ATTRIBUTE_TYPE_BOOLEAN 0x06
#define TOKEN_SECURITY_ATTRIBUTE_TYPE_OCTET_STRING 0x10

// Flags for TOKEN_SECURITY_ATTRIBUTE_V1.Flags (they occupy the low 16 bits;
// the high 16 bits are reserved for custom flags, see below).
#define TOKEN_SECURITY_ATTRIBUTE_NON_INHERITABLE 0x0001
#define TOKEN_SECURITY_ATTRIBUTE_VALUE_CASE_SENSITIVE 0x0002
#define TOKEN_SECURITY_ATTRIBUTE_USE_FOR_DENY_ONLY 0x0004
#define TOKEN_SECURITY_ATTRIBUTE_DISABLED_BY_DEFAULT 0x0008
#define TOKEN_SECURITY_ATTRIBUTE_DISABLED 0x0010
#define TOKEN_SECURITY_ATTRIBUTE_MANDATORY 0x0020
#define TOKEN_SECURITY_ATTRIBUTE_COMPARE_IGNORE 0x0040

// Mask of the flags a caller may supply. Note that
// TOKEN_SECURITY_ATTRIBUTE_COMPARE_IGNORE is not part of this mask, so a
// Flags value carrying it would not pass a check written against it.
#define TOKEN_SECURITY_ATTRIBUTE_VALID_FLAGS ( \
    TOKEN_SECURITY_ATTRIBUTE_NON_INHERITABLE | \
    TOKEN_SECURITY_ATTRIBUTE_VALUE_CASE_SENSITIVE | \
    TOKEN_SECURITY_ATTRIBUTE_USE_FOR_DENY_ONLY | \
    TOKEN_SECURITY_ATTRIBUTE_DISABLED_BY_DEFAULT | \
    TOKEN_SECURITY_ATTRIBUTE_DISABLED | \
    TOKEN_SECURITY_ATTRIBUTE_MANDATORY)

// Upper 16 bits of Flags: free for application-defined use.
#define TOKEN_SECURITY_ATTRIBUTE_CUSTOM_FLAGS 0xffff0000
|
||
|
||
// end_rev
|
||
|
||
// private
|
||
// Value of a TOKEN_SECURITY_ATTRIBUTE_TYPE_FQBN (fully qualified binary name)
// attribute: a version number plus the name string. Layout is kernel ABI; do
// not reorder members.
typedef struct _TOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE
{
    ULONG64 Version;        // version component of the FQBN
    UNICODE_STRING Name;    // name component; as with any UNICODE_STRING, trust Length, not a terminator
} TOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE, * PTOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE;
|
||
|
||
// private
|
||
// Value of a TOKEN_SECURITY_ATTRIBUTE_TYPE_OCTET_STRING attribute: an opaque
// byte buffer of ValueLength bytes at pValue. Layout is kernel ABI.
typedef struct _TOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE
{
    PVOID pValue;       // ValueLength bytes of raw data
    ULONG ValueLength;  // byte count of the data at pValue
} TOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE, * PTOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE;
|
||
|
||
// private
|
||
// One named token security attribute (claim). ValueType is a
// TOKEN_SECURITY_ATTRIBUTE_TYPE_* value and picks the live member of Values;
// ValueCount is the number of elements that member points at; Flags is a
// combination of the TOKEN_SECURITY_ATTRIBUTE_* flags above.
//
// NOTE(review): when this structure is returned inside a buffer filled by one
// of the query calls below, the Values pointer presumably refers into that
// same buffer. A consumer that receives such a buffer from another process
// (rather than directly from the kernel) should bounds-check ValueCount and
// each pointer against the buffer before dereferencing.
typedef struct _TOKEN_SECURITY_ATTRIBUTE_V1
{
    UNICODE_STRING Name;    // attribute name
    USHORT ValueType;       // TOKEN_SECURITY_ATTRIBUTE_TYPE_*
    USHORT Reserved;        // reserved; presumably zero
    ULONG Flags;            // TOKEN_SECURITY_ATTRIBUTE_* flags
    ULONG ValueCount;       // element count behind the live Values pointer
    union
    {
        PLONG64 pInt64;                                             // ..._TYPE_INT64
        PULONG64 pUint64;                                           // ..._TYPE_UINT64
        PUNICODE_STRING pString;                                    // ..._TYPE_STRING
        PTOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE pFqbn;                 // ..._TYPE_FQBN
        PTOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE pOctetString;  // ..._TYPE_OCTET_STRING
    } Values;
} TOKEN_SECURITY_ATTRIBUTE_V1, * PTOKEN_SECURITY_ATTRIBUTE_V1;
|
||
|
||
// rev
|
||
#define TOKEN_SECURITY_ATTRIBUTES_INFORMATION_VERSION_V1 1
|
||
// rev
|
||
#define TOKEN_SECURITY_ATTRIBUTES_INFORMATION_VERSION TOKEN_SECURITY_ATTRIBUTES_INFORMATION_VERSION_V1
|
||
|
||
// private
|
||
// Container handed to and returned by the attribute (claim) APIs below.
// Version is expected to be TOKEN_SECURITY_ATTRIBUTES_INFORMATION_VERSION_V1,
// which also selects Attribute.pAttributeV1 as the live union member;
// AttributeCount is the number of entries in that array.
typedef struct _TOKEN_SECURITY_ATTRIBUTES_INFORMATION
{
    USHORT Version;         // TOKEN_SECURITY_ATTRIBUTES_INFORMATION_VERSION_V1
    USHORT Reserved;        // reserved; presumably zero
    ULONG AttributeCount;   // entries in Attribute.pAttributeV1
    union
    {
        PTOKEN_SECURITY_ATTRIBUTE_V1 pAttributeV1;  // AttributeCount attributes; only V1 is declared here
    } Attribute;
} TOKEN_SECURITY_ATTRIBUTES_INFORMATION, * PTOKEN_SECURITY_ATTRIBUTES_INFORMATION;
|
||
|
||
// private
|
||
// Per-attribute operation, paired with an attribute list through
// TOKEN_SECURITY_ATTRIBUTES_AND_OPERATION_INFORMATION (presumably consumed by
// NtSetInformationToken). Values are the implicit unscoped-enum ones.
typedef enum _TOKEN_SECURITY_ATTRIBUTE_OPERATION
{
    TOKEN_SECURITY_ATTRIBUTE_OPERATION_NONE,        // 0
    TOKEN_SECURITY_ATTRIBUTE_OPERATION_REPLACE_ALL, // 1
    TOKEN_SECURITY_ATTRIBUTE_OPERATION_ADD,         // 2
    TOKEN_SECURITY_ATTRIBUTE_OPERATION_DELETE,      // 3
    TOKEN_SECURITY_ATTRIBUTE_OPERATION_REPLACE      // 4
} TOKEN_SECURITY_ATTRIBUTE_OPERATION, * PTOKEN_SECURITY_ATTRIBUTE_OPERATION;
|
||
|
||
// private
|
||
// Pairs an attribute list with the operation to apply to each attribute.
// Operations presumably holds Attributes->AttributeCount entries, one per
// entry of Attributes->Attribute.pAttributeV1 — confirm against the caller.
typedef struct _TOKEN_SECURITY_ATTRIBUTES_AND_OPERATION_INFORMATION
{
    PTOKEN_SECURITY_ATTRIBUTES_INFORMATION Attributes;  // attributes to act on
    PTOKEN_SECURITY_ATTRIBUTE_OPERATION Operations;     // one operation per attribute
} TOKEN_SECURITY_ATTRIBUTES_AND_OPERATION_INFORMATION, * PTOKEN_SECURITY_ATTRIBUTES_AND_OPERATION_INFORMATION;
|
||
|
||
// rev
|
||
// Process trust level of a token (reverse engineered, not from a public
// header). TrustLevelSid is presumably a trust-label SID of the
// protected-process family — confirm before treating it as authoritative.
typedef struct _TOKEN_PROCESS_TRUST_LEVEL
{
    PSID TrustLevelSid; // trust-level SID; NULL presumably means no trust label
} TOKEN_PROCESS_TRUST_LEVEL, * PTOKEN_PROCESS_TRUST_LEVEL;
|
||
|
||
//
|
||
// Tokens
|
||
//
|
||
|
||
// Builds a brand-new access token from the supplied user, groups, privileges,
// owner, primary group, default DACL and source. The kernel requires the
// caller to hold SeCreateTokenPrivilege (SE_CREATE_TOKEN_PRIVILEGE above),
// which is normally held only by the local security authority, so a call from
// any other process is worth surfacing in detection logic.
//   TokenHandle      receives a handle the caller must close.
//   DesiredAccess    TOKEN_* rights requested on that handle.
//   ObjectAttributes optional (may be NULL).
//   Type             TokenPrimary or TokenImpersonation.
//   AuthenticationId logon-session LUID the token is attributed to.
//   ExpirationTime   token expiration time.
//   Owner, DefaultDacl  optional (may be NULL); the rest are required.
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtCreateToken(
    _Out_ PHANDLE TokenHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
    _In_ TOKEN_TYPE Type,
    _In_ PLUID AuthenticationId,
    _In_ PLARGE_INTEGER ExpirationTime,
    _In_ PTOKEN_USER User,
    _In_ PTOKEN_GROUPS Groups,
    _In_ PTOKEN_PRIVILEGES Privileges,
    _In_opt_ PTOKEN_OWNER Owner,
    _In_ PTOKEN_PRIMARY_GROUP PrimaryGroup,
    _In_opt_ PTOKEN_DEFAULT_DACL DefaultDacl,
    _In_ PTOKEN_SOURCE Source
    );
|
||
|
||
// Kernel-mode (Zw) entry for NtCreateToken with the same parameters; the
// annotation restricts it to PASSIVE_LEVEL. See NtCreateToken for the
// parameter contract and the SeCreateTokenPrivilege requirement.
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwCreateToken(
    _Out_ PHANDLE TokenHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
    _In_ TOKEN_TYPE Type,
    _In_ PLUID AuthenticationId,
    _In_ PLARGE_INTEGER ExpirationTime,
    _In_ PTOKEN_USER User,
    _In_ PTOKEN_GROUPS Groups,
    _In_ PTOKEN_PRIVILEGES Privileges,
    _In_opt_ PTOKEN_OWNER Owner,
    _In_ PTOKEN_PRIMARY_GROUP PrimaryGroup,
    _In_opt_ PTOKEN_DEFAULT_DACL DefaultDacl,
    _In_ PTOKEN_SOURCE Source
    );
|
||
|
||
#if (NTDDI_VERSION >= NTDDI_WIN8)
|
||
// Derives an AppContainer ("lowbox") token from ExistingTokenHandle
// (Windows 8+ per the surrounding #if). PackageSid identifies the container
// and Capabilities lists CapabilityCount capability SIDs granted to it; both
// arrays are optional and sized by the preceding count. Handles carries
// HandleCount handles the new token keeps referenced — presumably the
// container's named-object directories; confirm against the caller.
// TokenHandle receives a handle the caller must close.
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtCreateLowBoxToken(
    _Out_ PHANDLE TokenHandle,
    _In_ HANDLE ExistingTokenHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
    _In_ PSID PackageSid,
    _In_ ULONG CapabilityCount,
    _In_reads_opt_(CapabilityCount) PSID_AND_ATTRIBUTES Capabilities,
    _In_ ULONG HandleCount,
    _In_reads_opt_(HandleCount) HANDLE* Handles
    );
|
||
|
||
_IRQL_requires_max_(PASSIVE_LEVEL)
|
||
NTSYSAPI
|
||
NTSTATUS
|
||
NTAPI
|
||
ZwCreateLowBoxToken(
|
||
_Out_ PHANDLE TokenHandle,
|
||
_In_ HANDLE ExistingTokenHandle,
|
||
_In_ ACCESS_MASK DesiredAccess,
|
||
_In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
|
||
_In_ PSID PackageSid,
|
||
_In_ ULONG CapabilityCount,
|
||
_In_reads_opt_(CapabilityCount) PSID_AND_ATTRIBUTES Capabilities,
|
||
_In_ ULONG HandleCount,
|
||
_In_reads_opt_(HandleCount) HANDLE* Handles
|
||
);
|
||
|
||
// Extended form of NtCreateToken (Windows 8+ per the surrounding #if) that
// additionally seeds the token with user and device security attributes
// (claims), device groups and a mandatory-integrity policy. The first nine
// and last four parameters match NtCreateToken; UserAttributes,
// DeviceAttributes, DeviceGroups and MandatoryPolicy are optional. The same
// SeCreateTokenPrivilege requirement and detection caveat as NtCreateToken
// apply.
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtCreateTokenEx(
    _Out_ PHANDLE TokenHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
    _In_ TOKEN_TYPE Type,
    _In_ PLUID AuthenticationId,
    _In_ PLARGE_INTEGER ExpirationTime,
    _In_ PTOKEN_USER User,
    _In_ PTOKEN_GROUPS Groups,
    _In_ PTOKEN_PRIVILEGES Privileges,
    _In_opt_ PTOKEN_SECURITY_ATTRIBUTES_INFORMATION UserAttributes,
    _In_opt_ PTOKEN_SECURITY_ATTRIBUTES_INFORMATION DeviceAttributes,
    _In_opt_ PTOKEN_GROUPS DeviceGroups,
    _In_opt_ PTOKEN_MANDATORY_POLICY MandatoryPolicy,
    _In_opt_ PTOKEN_OWNER Owner,
    _In_ PTOKEN_PRIMARY_GROUP PrimaryGroup,
    _In_opt_ PTOKEN_DEFAULT_DACL DefaultDacl,
    _In_ PTOKEN_SOURCE Source
    );
|
||
|
||
_IRQL_requires_max_(PASSIVE_LEVEL)
|
||
NTSYSAPI
|
||
NTSTATUS
|
||
NTAPI
|
||
ZwCreateTokenEx(
|
||
_Out_ PHANDLE TokenHandle,
|
||
_In_ ACCESS_MASK DesiredAccess,
|
||
_In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
|
||
_In_ TOKEN_TYPE Type,
|
||
_In_ PLUID AuthenticationId,
|
||
_In_ PLARGE_INTEGER ExpirationTime,
|
||
_In_ PTOKEN_USER User,
|
||
_In_ PTOKEN_GROUPS Groups,
|
||
_In_ PTOKEN_PRIVILEGES Privileges,
|
||
_In_opt_ PTOKEN_SECURITY_ATTRIBUTES_INFORMATION UserAttributes,
|
||
_In_opt_ PTOKEN_SECURITY_ATTRIBUTES_INFORMATION DeviceAttributes,
|
||
_In_opt_ PTOKEN_GROUPS DeviceGroups,
|
||
_In_opt_ PTOKEN_MANDATORY_POLICY MandatoryPolicy,
|
||
_In_opt_ PTOKEN_OWNER Owner,
|
||
_In_ PTOKEN_PRIMARY_GROUP PrimaryGroup,
|
||
_In_opt_ PTOKEN_DEFAULT_DACL DefaultDacl,
|
||
_In_ PTOKEN_SOURCE Source
|
||
);
|
||
#endif
|
||
|
||
// Opens the primary token of the process behind ProcessHandle with
// DesiredAccess (TOKEN_* rights) and stores the new handle in TokenHandle;
// the caller owns and must close that handle. ProcessHandle must have been
// opened with query access to the process (confirm the exact right against
// the target OS). The result is marked _Must_inspect_result_: never assume
// success, the open is itself access-checked.
_Must_inspect_result_
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtOpenProcessToken(
    _In_ HANDLE ProcessHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _Out_ PHANDLE TokenHandle
    );
|
||
|
||
_IRQL_requires_max_(PASSIVE_LEVEL)
|
||
NTSYSAPI
|
||
NTSTATUS
|
||
NTAPI
|
||
ZwOpenProcessToken(
|
||
_In_ HANDLE ProcessHandle,
|
||
_In_ ACCESS_MASK DesiredAccess,
|
||
_Out_ PHANDLE TokenHandle
|
||
);
|
||
|
||
// NtOpenProcessToken plus HandleAttributes, the OBJ_* attributes applied to
// the returned handle. Passing OBJ_INHERIT makes the token handle inheritable
// by child processes, which is an easy way to leak a privileged token — leave
// it clear unless inheritance is intended.
_Must_inspect_result_
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtOpenProcessTokenEx(
    _In_ HANDLE ProcessHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ ULONG HandleAttributes,
    _Out_ PHANDLE TokenHandle
    );
|
||
|
||
_IRQL_requires_max_(PASSIVE_LEVEL)
|
||
NTSYSAPI
|
||
NTSTATUS
|
||
NTAPI
|
||
ZwOpenProcessTokenEx(
|
||
_In_ HANDLE ProcessHandle,
|
||
_In_ ACCESS_MASK DesiredAccess,
|
||
_In_ ULONG HandleAttributes,
|
||
_Out_ PHANDLE TokenHandle
|
||
);
|
||
|
||
// Opens the impersonation token currently attached to ThreadHandle. Fails
// (STATUS_NO_TOKEN) when the thread is not impersonating. OpenAsSelf selects
// which identity the open itself is access-checked against: TRUE uses the
// calling process's primary token, FALSE uses the caller's current thread
// token — TRUE is the usual choice when the thread is impersonating a
// lower-privileged client that could not open its own token.
_Must_inspect_result_
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtOpenThreadToken(
    _In_ HANDLE ThreadHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ BOOLEAN OpenAsSelf,
    _Out_ PHANDLE TokenHandle
    );
|
||
|
||
_IRQL_requires_max_(PASSIVE_LEVEL)
|
||
NTSYSAPI
|
||
NTSTATUS
|
||
NTAPI
|
||
ZwOpenThreadToken(
|
||
_In_ HANDLE ThreadHandle,
|
||
_In_ ACCESS_MASK DesiredAccess,
|
||
_In_ BOOLEAN OpenAsSelf,
|
||
_Out_ PHANDLE TokenHandle
|
||
);
|
||
|
||
// NtOpenThreadToken plus HandleAttributes (OBJ_* attributes for the returned
// handle). Same OBJ_INHERIT caveat as NtOpenProcessTokenEx: an inheritable
// impersonation-token handle is a token leak waiting to happen.
_Must_inspect_result_
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtOpenThreadTokenEx(
    _In_ HANDLE ThreadHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ BOOLEAN OpenAsSelf,
    _In_ ULONG HandleAttributes,
    _Out_ PHANDLE TokenHandle
    );
|
||
|
||
_IRQL_requires_max_(PASSIVE_LEVEL)
|
||
NTSYSAPI
|
||
NTSTATUS
|
||
NTAPI
|
||
ZwOpenThreadTokenEx(
|
||
_In_ HANDLE ThreadHandle,
|
||
_In_ ACCESS_MASK DesiredAccess,
|
||
_In_ BOOLEAN OpenAsSelf,
|
||
_In_ ULONG HandleAttributes,
|
||
_Out_ PHANDLE TokenHandle
|
||
);
|
||
|
||
// Duplicates ExistingTokenHandle into a new token of type TokenType
// (TokenPrimary or TokenImpersonation). When creating an impersonation token
// the impersonation level comes from the SECURITY_QUALITY_OF_SERVICE reachable
// through ObjectAttributes; if none is supplied the kernel's default applies.
// EffectiveOnly == TRUE drops every currently disabled group and privilege
// from the copy, which is the safer choice when the duplicate is handed to
// less trusted code. NewTokenHandle is owned by the caller.
_Must_inspect_result_
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtDuplicateToken(
    _In_ HANDLE ExistingTokenHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
    _In_ BOOLEAN EffectiveOnly,
    _In_ TOKEN_TYPE TokenType,
    _Out_ PHANDLE NewTokenHandle
    );
|
||
|
||
// Kernel-mode (Zw) entry for NtDuplicateToken; same contract, PASSIVE_LEVEL
// only. NOTE(review): the fifth parameter is named Type here but TokenType in
// NtDuplicateToken — harmless positionally, but worth aligning.
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwDuplicateToken(
    _In_ HANDLE ExistingTokenHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
    _In_ BOOLEAN EffectiveOnly,
    _In_ TOKEN_TYPE Type,
    _Out_ PHANDLE NewTokenHandle
    );
|
||
|
||
|
||
// Reads one TOKEN_INFORMATION_CLASS item from TokenHandle into
// TokenInformation. TokenInformation is optional: call with NULL and a
// zero length to have ReturnLength report the size required (the call then
// fails with a buffer-too-small status), then call again. The _When_
// annotation records that TokenAccessInformation needs at least
// sizeof(TOKEN_ACCESS_INFORMATION). Many classes return a variable-length
// structure whose internal pointers point into this same buffer, so the
// buffer must outlive any use of those pointers.
_When_(TokenInformationClass == TokenAccessInformation,
    _At_(TokenInformationLength,
        _In_range_(>= , sizeof(TOKEN_ACCESS_INFORMATION))))
_Must_inspect_result_
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtQueryInformationToken(
    _In_ HANDLE TokenHandle,
    _In_ TOKEN_INFORMATION_CLASS TokenInformationClass,
    _Out_writes_bytes_to_opt_(TokenInformationLength, *ReturnLength) PVOID TokenInformation,
    _In_ ULONG TokenInformationLength,
    _Out_ PULONG ReturnLength
    );
|
||
|
||
_IRQL_requires_max_(PASSIVE_LEVEL)
|
||
NTSYSAPI
|
||
NTSTATUS
|
||
NTAPI
|
||
ZwQueryInformationToken(
|
||
_In_ HANDLE TokenHandle,
|
||
_In_ TOKEN_INFORMATION_CLASS TokenInformationClass,
|
||
_Out_writes_bytes_to_opt_(TokenInformationLength, *ReturnLength) PVOID TokenInformation,
|
||
_In_ ULONG TokenInformationLength,
|
||
_Out_ PULONG ReturnLength
|
||
);
|
||
|
||
// Writes one TOKEN_INFORMATION_CLASS item (TokenInformationLength bytes at
// TokenInformation) to TokenHandle. Some classes are privileged — e.g.
// TokenSessionId requires SeTcbPrivilege — so the status must be inspected
// rather than assumed. The handle needs the TOKEN_ADJUST_* right matching
// the class being set.
_Must_inspect_result_
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtSetInformationToken(
    _In_ HANDLE TokenHandle,
    _In_ TOKEN_INFORMATION_CLASS TokenInformationClass,
    _In_reads_bytes_(TokenInformationLength) PVOID TokenInformation,
    _In_ ULONG TokenInformationLength
    );
|
||
|
||
_IRQL_requires_max_(PASSIVE_LEVEL)
|
||
NTSYSAPI
|
||
NTSTATUS
|
||
NTAPI
|
||
ZwSetInformationToken(
|
||
_In_ HANDLE TokenHandle,
|
||
_In_ TOKEN_INFORMATION_CLASS TokenInformationClass,
|
||
_In_reads_bytes_(TokenInformationLength) PVOID TokenInformation,
|
||
_In_ ULONG TokenInformationLength
|
||
);
|
||
|
||
// Enables, disables or removes privileges on TokenHandle. With
// DisableAllPrivileges == TRUE every privilege is disabled and NewState is
// ignored; otherwise NewState lists the privileges and their new attributes.
// PreviousState, if given, receives the prior attributes (BufferLength bytes
// available; ReturnLength receives the size needed) so the change can be
// undone; per the annotation ReturnLength is required whenever PreviousState
// is non-NULL.
//
// NOTE(review): STATUS_NOT_ALL_ASSIGNED is a *success* code (NT_SUCCESS is
// TRUE) returned when some privilege in NewState is not held by the token.
// Callers that need a privilege must test for it explicitly; checking only
// NT_SUCCESS() silently proceeds without the privilege.
_Must_inspect_result_
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtAdjustPrivilegesToken(
    _In_ HANDLE TokenHandle,
    _In_ BOOLEAN DisableAllPrivileges,
    _In_opt_ PTOKEN_PRIVILEGES NewState,
    _In_ ULONG BufferLength,
    _Out_writes_bytes_to_opt_(BufferLength, *ReturnLength) PTOKEN_PRIVILEGES PreviousState,
    _Out_ _When_(PreviousState == NULL, _Out_opt_) PULONG ReturnLength
    );
|
||
|
||
// Kernel-mode (Zw) entry for NtAdjustPrivilegesToken; same contract,
// including the STATUS_NOT_ALL_ASSIGNED success-code trap. NOTE(review):
// ReturnLength is plainly _Out_opt_ here, looser than the conditional
// annotation on NtAdjustPrivilegesToken; the two should probably agree.
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwAdjustPrivilegesToken(
    _In_ HANDLE TokenHandle,
    _In_ BOOLEAN DisableAllPrivileges,
    _In_opt_ PTOKEN_PRIVILEGES NewState,
    _In_ ULONG BufferLength,
    _Out_writes_bytes_to_opt_(BufferLength, *ReturnLength) PTOKEN_PRIVILEGES PreviousState,
    _Out_opt_ PULONG ReturnLength
    );
|
||
|
||
// Enables or disables groups on TokenHandle. ResetToDefault == TRUE restores
// the token's default group state and ignores NewState; otherwise NewState
// lists the groups and their new attributes. PreviousState (optional) and
// ReturnLength mirror NtAdjustPrivilegesToken. NOTE(review): BufferLength is
// annotated >= sizeof(TOKEN_GROUPS) even though PreviousState is optional —
// confirm whether the kernel enforces that when PreviousState is NULL.
_Must_inspect_result_
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtAdjustGroupsToken(
    _In_ HANDLE TokenHandle,
    _In_ BOOLEAN ResetToDefault,
    _In_opt_ PTOKEN_GROUPS NewState,
    _In_range_(>= , sizeof(TOKEN_GROUPS)) ULONG BufferLength,
    _Out_writes_bytes_to_opt_(BufferLength, *ReturnLength) PTOKEN_GROUPS PreviousState,
    _Out_ PULONG ReturnLength
    );
|
||
|
||
// Kernel-mode (Zw) entry for NtAdjustGroupsToken; same contract.
// NOTE(review): _In_opt_ on the by-value BufferLength is not meaningful
// (the _opt_ qualifiers describe pointers), and ReturnLength is _Out_opt_
// where NtAdjustGroupsToken has _Out_ — the two declarations should agree.
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwAdjustGroupsToken(
    _In_ HANDLE TokenHandle,
    _In_ BOOLEAN ResetToDefault,
    _In_opt_ PTOKEN_GROUPS NewState,
    _In_opt_ ULONG BufferLength,
    _Out_writes_bytes_to_opt_(BufferLength, *ReturnLength) PTOKEN_GROUPS PreviousState,
    _Out_opt_ PULONG ReturnLength
    );
|
||
|
||
#if (NTDDI_VERSION >= NTDDI_WIN8)
|
||
// Adjusts three token sets in one call (Windows 8+): user claims, device
// claims and device groups. Each set has a reset-to-default flag, an optional
// new state, a previous-state buffer with its length, and an optional return
// length. Note the ordering: the three buffers and their lengths come first
// and the three return-length pointers trail at the end, so a positional
// mix-up between UserReturnLength / DeviceReturnLength /
// DeviceGroupsReturnBufferLength compiles cleanly — double-check call sites.
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtAdjustTokenClaimsAndDeviceGroups(
    _In_ HANDLE TokenHandle,
    _In_ BOOLEAN UserResetToDefault,
    _In_ BOOLEAN DeviceResetToDefault,
    _In_ BOOLEAN DeviceGroupsResetToDefault,
    _In_opt_ PTOKEN_SECURITY_ATTRIBUTES_INFORMATION NewUserState,
    _In_opt_ PTOKEN_SECURITY_ATTRIBUTES_INFORMATION NewDeviceState,
    _In_opt_ PTOKEN_GROUPS NewDeviceGroupsState,
    _In_ ULONG UserBufferLength,
    _Out_writes_bytes_to_opt_(UserBufferLength, *UserReturnLength) PTOKEN_SECURITY_ATTRIBUTES_INFORMATION PreviousUserState,
    _In_ ULONG DeviceBufferLength,
    _Out_writes_bytes_to_opt_(DeviceBufferLength, *DeviceReturnLength) PTOKEN_SECURITY_ATTRIBUTES_INFORMATION PreviousDeviceState,
    _In_ ULONG DeviceGroupsBufferLength,
    _Out_writes_bytes_to_opt_(DeviceGroupsBufferLength, *DeviceGroupsReturnBufferLength) PTOKEN_GROUPS PreviousDeviceGroups,
    _Out_opt_ PULONG UserReturnLength,
    _Out_opt_ PULONG DeviceReturnLength,
    _Out_opt_ PULONG DeviceGroupsReturnBufferLength
    );
|
||
|
||
_IRQL_requires_max_(PASSIVE_LEVEL)
|
||
NTSYSAPI
|
||
NTSTATUS
|
||
NTAPI
|
||
ZwAdjustTokenClaimsAndDeviceGroups(
|
||
_In_ HANDLE TokenHandle,
|
||
_In_ BOOLEAN UserResetToDefault,
|
||
_In_ BOOLEAN DeviceResetToDefault,
|
||
_In_ BOOLEAN DeviceGroupsResetToDefault,
|
||
_In_opt_ PTOKEN_SECURITY_ATTRIBUTES_INFORMATION NewUserState,
|
||
_In_opt_ PTOKEN_SECURITY_ATTRIBUTES_INFORMATION NewDeviceState,
|
||
_In_opt_ PTOKEN_GROUPS NewDeviceGroupsState,
|
||
_In_ ULONG UserBufferLength,
|
||
_Out_writes_bytes_to_opt_(UserBufferLength, *UserReturnLength) PTOKEN_SECURITY_ATTRIBUTES_INFORMATION PreviousUserState,
|
||
_In_ ULONG DeviceBufferLength,
|
||
_Out_writes_bytes_to_opt_(DeviceBufferLength, *DeviceReturnLength) PTOKEN_SECURITY_ATTRIBUTES_INFORMATION PreviousDeviceState,
|
||
_In_ ULONG DeviceGroupsBufferLength,
|
||
_Out_writes_bytes_to_opt_(DeviceGroupsBufferLength, *DeviceGroupsReturnBufferLength) PTOKEN_GROUPS PreviousDeviceGroups,
|
||
_Out_opt_ PULONG UserReturnLength,
|
||
_Out_opt_ PULONG DeviceReturnLength,
|
||
_Out_opt_ PULONG DeviceGroupsReturnBufferLength
|
||
);
|
||
#endif
|
||
|
||
// Creates a restricted token from ExistingTokenHandle (the native side of
// CreateRestrictedToken): SidsToDisable become deny-only SIDs,
// PrivilegesToDelete are removed, and RestrictedSids become restricting SIDs
// that every access check must also satisfy. Flags takes the
// CreateRestrictedToken flags (DISABLE_MAX_PRIVILEGE, SANDBOX_INERT,
// LUA_TOKEN, WRITE_RESTRICTED). This is a sandboxing primitive: remember
// that a WRITE_RESTRICTED token still allows reads, and that DISABLE_MAX_PRIVILEGE
// leaves SeChangeNotifyPrivilege in place. NewTokenHandle is caller-owned.
_Must_inspect_result_
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtFilterToken(
    _In_ HANDLE ExistingTokenHandle,
    _In_ ULONG Flags,
    _In_opt_ PTOKEN_GROUPS SidsToDisable,
    _In_opt_ PTOKEN_PRIVILEGES PrivilegesToDelete,
    _In_opt_ PTOKEN_GROUPS RestrictedSids,
    _Out_ PHANDLE NewTokenHandle
    );
|
||
|
||
_IRQL_requires_max_(PASSIVE_LEVEL)
|
||
NTSYSAPI
|
||
NTSTATUS
|
||
NTAPI
|
||
ZwFilterToken(
|
||
_In_ HANDLE ExistingTokenHandle,
|
||
_In_ ULONG Flags,
|
||
_In_opt_ PTOKEN_GROUPS SidsToDisable,
|
||
_In_opt_ PTOKEN_PRIVILEGES PrivilegesToDelete,
|
||
_In_opt_ PTOKEN_GROUPS RestrictedSids,
|
||
_Out_ PHANDLE NewTokenHandle
|
||
);
|
||
|
||
#if (NTDDI_VERSION >= NTDDI_WIN8)
|
||
// NtFilterToken extended (Windows 8+) to also disable named user and device
// claims, disable device groups, and add restricting user/device attributes
// and device groups. UserClaimsToDisable and DeviceClaimsToDisable are arrays
// of DisableUserClaimsCount / DisableDeviceClaimsCount claim names.
// NOTE(review): those two arrays are annotated only _In_opt_, unlike the
// _In_reads_opt_(count) style used elsewhere in this header (e.g.
// NtCreateLowBoxToken); `_In_reads_opt_(DisableUserClaimsCount)` and
// `_In_reads_opt_(DisableDeviceClaimsCount)` would let the analyzer check
// the lengths.
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtFilterTokenEx(
    _In_ HANDLE ExistingTokenHandle,
    _In_ ULONG Flags,
    _In_opt_ PTOKEN_GROUPS SidsToDisable,
    _In_opt_ PTOKEN_PRIVILEGES PrivilegesToDelete,
    _In_opt_ PTOKEN_GROUPS RestrictedSids,
    _In_ ULONG DisableUserClaimsCount,
    _In_opt_ PUNICODE_STRING UserClaimsToDisable,
    _In_ ULONG DisableDeviceClaimsCount,
    _In_opt_ PUNICODE_STRING DeviceClaimsToDisable,
    _In_opt_ PTOKEN_GROUPS DeviceGroupsToDisable,
    _In_opt_ PTOKEN_SECURITY_ATTRIBUTES_INFORMATION RestrictedUserAttributes,
    _In_opt_ PTOKEN_SECURITY_ATTRIBUTES_INFORMATION RestrictedDeviceAttributes,
    _In_opt_ PTOKEN_GROUPS RestrictedDeviceGroups,
    _Out_ PHANDLE NewTokenHandle
    );
|
||
|
||
_IRQL_requires_max_(PASSIVE_LEVEL)
|
||
NTSYSAPI
|
||
NTSTATUS
|
||
NTAPI
|
||
ZwFilterTokenEx(
|
||
_In_ HANDLE ExistingTokenHandle,
|
||
_In_ ULONG Flags,
|
||
_In_opt_ PTOKEN_GROUPS SidsToDisable,
|
||
_In_opt_ PTOKEN_PRIVILEGES PrivilegesToDelete,
|
||
_In_opt_ PTOKEN_GROUPS RestrictedSids,
|
||
_In_ ULONG DisableUserClaimsCount,
|
||
_In_opt_ PUNICODE_STRING UserClaimsToDisable,
|
||
_In_ ULONG DisableDeviceClaimsCount,
|
||
_In_opt_ PUNICODE_STRING DeviceClaimsToDisable,
|
||
_In_opt_ PTOKEN_GROUPS DeviceGroupsToDisable,
|
||
_In_opt_ PTOKEN_SECURITY_ATTRIBUTES_INFORMATION RestrictedUserAttributes,
|
||
_In_opt_ PTOKEN_SECURITY_ATTRIBUTES_INFORMATION RestrictedDeviceAttributes,
|
||
_In_opt_ PTOKEN_GROUPS RestrictedDeviceGroups,
|
||
_Out_ PHANDLE NewTokenHandle
|
||
);
|
||
#endif
|
||
|
||
// Compares two tokens and sets *Equal to TRUE when the kernel considers them
// equivalent (presumably same user, groups and privileges — the exact
// criteria are not stated in this header; confirm). The comparison result is
// in *Equal, not in the returned status, which only says whether the
// comparison could be performed.
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtCompareTokens(
    _In_ HANDLE FirstTokenHandle,
    _In_ HANDLE SecondTokenHandle,
    _Out_ PBOOLEAN Equal
    );
|
||
|
||
_IRQL_requires_max_(PASSIVE_LEVEL)
|
||
NTSYSAPI
|
||
NTSTATUS
|
||
NTAPI
|
||
ZwCompareTokens(
|
||
_In_ HANDLE FirstTokenHandle,
|
||
_In_ HANDLE SecondTokenHandle,
|
||
_Out_ PBOOLEAN Equal
|
||
);
|
||
|
||
// Tests whether ClientToken holds the privileges listed in RequiredPrivileges
// (all of them when Control has PRIVILEGE_SET_ALL_NECESSARY, any otherwise).
// RequiredPrivileges is _Inout_ because each entry's Attributes gets
// SE_PRIVILEGE_USED_FOR_ACCESS set when that privilege was held. *Result is
// the verdict; the returned status only says whether the check ran. As with
// the Win32 PrivilegeCheck, ClientToken is expected to be an impersonation
// token — confirm for the native call.
_Must_inspect_result_
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtPrivilegeCheck(
    _In_ HANDLE ClientToken,
    _Inout_ PPRIVILEGE_SET RequiredPrivileges,
    _Out_ PBOOLEAN Result
    );
|
||
|
||
_IRQL_requires_max_(PASSIVE_LEVEL)
|
||
NTSYSAPI
|
||
NTSTATUS
|
||
NTAPI
|
||
ZwPrivilegeCheck(
|
||
_In_ HANDLE ClientToken,
|
||
_Inout_ PPRIVILEGE_SET RequiredPrivileges,
|
||
_Out_ PBOOLEAN Result
|
||
);
|
||
|
||
// Makes the thread behind ThreadHandle impersonate the anonymous logon
// identity (NT AUTHORITY\ANONYMOUS LOGON), i.e. deliberately drops to an
// identity with no credentials. Revert with the usual thread-token reset
// when done; the status must be checked because the thread keeps its previous
// identity on failure.
_Must_inspect_result_
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtImpersonateAnonymousToken(
    _In_ HANDLE ThreadHandle
    );
|
||
|
||
_IRQL_requires_max_(PASSIVE_LEVEL)
|
||
NTSYSAPI
|
||
NTSTATUS
|
||
NTAPI
|
||
ZwImpersonateAnonymousToken(
|
||
_In_ HANDLE ThreadHandle
|
||
);
|
||
|
||
#if (NTDDI_VERSION >= NTDDI_WIN7)
|
||
// rev
|
||
// Queries the named security attributes (claims) of TokenHandle
// (Windows 7+; reverse engineered, see the "rev" marker). Attributes is an
// optional array of NumberOfAttributes names to filter on — NULL presumably
// returns all attributes. Buffer receives a
// TOKEN_SECURITY_ATTRIBUTES_INFORMATION (per the inline comment) of at most
// Length bytes and ReturnLength the size needed. Unlike
// NtQueryInformationToken, Buffer is not annotated optional, so whether a
// NULL/0 size probe is accepted is not established here — confirm.
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtQuerySecurityAttributesToken(
    _In_ HANDLE TokenHandle,
    _In_reads_opt_(NumberOfAttributes) PUNICODE_STRING Attributes,
    _In_ ULONG NumberOfAttributes,
    _Out_writes_bytes_(Length) PVOID Buffer, // PTOKEN_SECURITY_ATTRIBUTES_INFORMATION
    _In_ ULONG Length,
    _Out_ PULONG ReturnLength
    );
|
||
|
||
// rev
|
||
_IRQL_requires_max_(PASSIVE_LEVEL)
|
||
NTSYSAPI
|
||
NTSTATUS
|
||
NTAPI
|
||
ZwQuerySecurityAttributesToken(
|
||
_In_ HANDLE TokenHandle,
|
||
_In_reads_opt_(NumberOfAttributes) PUNICODE_STRING Attributes,
|
||
_In_ ULONG NumberOfAttributes,
|
||
_Out_writes_bytes_(Length) PVOID Buffer, // PTOKEN_SECURITY_ATTRIBUTES_INFORMATION
|
||
_In_ ULONG Length,
|
||
_Out_ PULONG ReturnLength
|
||
);
|
||
#endif
|
||
|
||
//
|
||
// Access checking
|
||
//
|
||
|
||
// Evaluates whether ClientToken (an impersonation token) is granted
// DesiredAccess by SecurityDescriptor, using GenericMapping to expand
// GENERIC_* bits. PrivilegeSet receives the privileges used to satisfy the
// request; *PrivilegeSetLength is its size in and the size required out.
//
// The access decision is NOT the returned NTSTATUS. The return value says
// whether the check could be performed; *AccessStatus carries the verdict
// (STATUS_SUCCESS when granted, STATUS_ACCESS_DENIED otherwise) and
// *GrantedAccess the rights granted (the full set when DesiredAccess was
// MAXIMUM_ALLOWED). Checking only NT_SUCCESS(return) fails open.
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtAccessCheck(
    _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
    _In_ HANDLE ClientToken,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ PGENERIC_MAPPING GenericMapping,
    _Out_writes_bytes_(*PrivilegeSetLength) PPRIVILEGE_SET PrivilegeSet,
    _Inout_ PULONG PrivilegeSetLength,
    _Out_ PACCESS_MASK GrantedAccess,
    _Out_ PNTSTATUS AccessStatus
    );
|
||
|
||
_IRQL_requires_max_(PASSIVE_LEVEL)
|
||
NTSYSAPI
|
||
NTSTATUS
|
||
NTAPI
|
||
ZwAccessCheck(
|
||
_In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
|
||
_In_ HANDLE ClientToken,
|
||
_In_ ACCESS_MASK DesiredAccess,
|
||
_In_ PGENERIC_MAPPING GenericMapping,
|
||
_Out_writes_bytes_(*PrivilegeSetLength) PPRIVILEGE_SET PrivilegeSet,
|
||
_Inout_ PULONG PrivilegeSetLength,
|
||
_Out_ PACCESS_MASK GrantedAccess,
|
||
_Out_ PNTSTATUS AccessStatus
|
||
);
|
||
|
||
// NtAccessCheck for object-type-aware ACLs. PrincipalSelfSid, if given,
// replaces the PRINCIPAL_SELF well-known SID in ACEs; ObjectTypeList is a
// hierarchy of ObjectTypeListLength GUIDs (the first entry being the object
// itself) that object-specific ACEs are matched against. Output semantics
// are those of NtAccessCheck: the verdict is *AccessStatus and
// *GrantedAccess, not the returned status.
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtAccessCheckByType(
    _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
    _In_opt_ PSID PrincipalSelfSid,
    _In_ HANDLE ClientToken,
    _In_ ACCESS_MASK DesiredAccess,
    _In_reads_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList,
    _In_ ULONG ObjectTypeListLength,
    _In_ PGENERIC_MAPPING GenericMapping,
    _Out_writes_bytes_(*PrivilegeSetLength) PPRIVILEGE_SET PrivilegeSet,
    _Inout_ PULONG PrivilegeSetLength,
    _Out_ PACCESS_MASK GrantedAccess,
    _Out_ PNTSTATUS AccessStatus
    );
|
||
|
||
_IRQL_requires_max_(PASSIVE_LEVEL)
|
||
NTSYSAPI
|
||
NTSTATUS
|
||
NTAPI
|
||
ZwAccessCheckByType(
|
||
_In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
|
||
_In_opt_ PSID PrincipalSelfSid,
|
||
_In_ HANDLE ClientToken,
|
||
_In_ ACCESS_MASK DesiredAccess,
|
||
_In_reads_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList,
|
||
_In_ ULONG ObjectTypeListLength,
|
||
_In_ PGENERIC_MAPPING GenericMapping,
|
||
_Out_writes_bytes_(*PrivilegeSetLength) PPRIVILEGE_SET PrivilegeSet,
|
||
_Inout_ PULONG PrivilegeSetLength,
|
||
_Out_ PACCESS_MASK GrantedAccess,
|
||
_Out_ PNTSTATUS AccessStatus
|
||
);
|
||
|
||
// NtAccessCheckByType that reports a separate result per object type:
// GrantedAccess and AccessStatus are arrays of ObjectTypeListLength entries,
// one for each ObjectTypeList element (see the _Out_writes_ annotations), so
// the caller must size both arrays to the list length.
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtAccessCheckByTypeResultList(
    _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
    _In_opt_ PSID PrincipalSelfSid,
    _In_ HANDLE ClientToken,
    _In_ ACCESS_MASK DesiredAccess,
    _In_reads_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList,
    _In_ ULONG ObjectTypeListLength,
    _In_ PGENERIC_MAPPING GenericMapping,
    _Out_writes_bytes_(*PrivilegeSetLength) PPRIVILEGE_SET PrivilegeSet,
    _Inout_ PULONG PrivilegeSetLength,
    _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccess,
    _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatus
    );
|
||
|
||
_IRQL_requires_max_(PASSIVE_LEVEL)
|
||
NTSYSAPI
|
||
NTSTATUS
|
||
NTAPI
|
||
ZwAccessCheckByTypeResultList(
|
||
_In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
|
||
_In_opt_ PSID PrincipalSelfSid,
|
||
_In_ HANDLE ClientToken,
|
||
_In_ ACCESS_MASK DesiredAccess,
|
||
_In_reads_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList,
|
||
_In_ ULONG ObjectTypeListLength,
|
||
_In_ PGENERIC_MAPPING GenericMapping,
|
||
_Out_writes_bytes_(*PrivilegeSetLength) PPRIVILEGE_SET PrivilegeSet,
|
||
_Inout_ PULONG PrivilegeSetLength,
|
||
_Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccess,
|
||
_Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatus
|
||
);
|
||
|
||
//
|
||
// Signing
|
||
//
|
||
|
||
#if (NTDDI_VERSION >= NTDDI_WIN10_RS2)
|
||
// Records a code-integrity signing level for TargetFile (Windows 10 RS2+).
// SourceFiles is an array of SourceFileCount file handles presumably used as
// the evidence for InputSigningLevel; TargetFile is optional. The meaning of
// Flags is not established by this header — confirm against the caller.
// From a defensive standpoint, a cached level is only as trustworthy as the
// verification that produced it, so callers should not treat a cached value
// as a substitute for a fresh signature check on security decisions.
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtSetCachedSigningLevel(
    _In_ ULONG Flags,
    _In_ SE_SIGNING_LEVEL InputSigningLevel,
    _In_reads_(SourceFileCount) PHANDLE SourceFiles,
    _In_ ULONG SourceFileCount,
    _In_opt_ HANDLE TargetFile
    );
|
||
|
||
_IRQL_requires_max_(PASSIVE_LEVEL)
|
||
NTSYSAPI
|
||
NTSTATUS
|
||
NTAPI
|
||
ZwSetCachedSigningLevel(
|
||
_In_ ULONG Flags,
|
||
_In_ SE_SIGNING_LEVEL InputSigningLevel,
|
||
_In_reads_(SourceFileCount) PHANDLE SourceFiles,
|
||
_In_ ULONG SourceFileCount,
|
||
_In_opt_ HANDLE TargetFile
|
||
);
|
||
|
||
// Reads the cached signing level of File (Windows 10 RS2+): *Flags and
// *SigningLevel are always written; Thumbprint, ThumbprintSize and
// ThumbprintAlgorithm optionally return the cached hash, its byte length
// (in: buffer size, out: bytes written) and the hash algorithm id. Per the
// annotation the Thumbprint buffer is sized through *ThumbprintSize, so a
// non-NULL Thumbprint requires a non-NULL ThumbprintSize.
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtGetCachedSigningLevel(
    _In_ HANDLE File,
    _Out_ PULONG Flags,
    _Out_ PSE_SIGNING_LEVEL SigningLevel,
    _Out_writes_bytes_to_opt_(*ThumbprintSize, *ThumbprintSize) PUCHAR Thumbprint,
    _Inout_opt_ PULONG ThumbprintSize,
    _Out_opt_ PULONG ThumbprintAlgorithm
    );
|
||
|
||
_IRQL_requires_max_(PASSIVE_LEVEL)
|
||
NTSYSAPI
|
||
NTSTATUS
|
||
NTAPI
|
||
ZwGetCachedSigningLevel(
|
||
_In_ HANDLE File,
|
||
_Out_ PULONG Flags,
|
||
_Out_ PSE_SIGNING_LEVEL SigningLevel,
|
||
_Out_writes_bytes_to_opt_(*ThumbprintSize, *ThumbprintSize) PUCHAR Thumbprint,
|
||
_Inout_opt_ PULONG ThumbprintSize,
|
||
_Out_opt_ PULONG ThumbprintAlgorithm
|
||
);
|
||
|
||
// rev
|
||
// Compares two signing levels (reverse engineered). There is no output
// parameter: the returned NTSTATUS is the answer, presumably success when
// FirstSigningLevel satisfies SecondSigningLevel and a failure status
// otherwise — confirm. NOTE(review): because the status carries the result,
// `_Must_inspect_result_` belongs on this declaration as it does on the
// other decision-returning calls in this header.
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtCompareSigningLevels(
    _In_ SE_SIGNING_LEVEL FirstSigningLevel,
    _In_ SE_SIGNING_LEVEL SecondSigningLevel
    );
|
||
|
||
// rev
|
||
_IRQL_requires_max_(PASSIVE_LEVEL)
|
||
NTSYSAPI
|
||
NTSTATUS
|
||
NTAPI
|
||
ZwCompareSigningLevels(
|
||
_In_ SE_SIGNING_LEVEL FirstSigningLevel,
|
||
_In_ SE_SIGNING_LEVEL SecondSigningLevel
|
||
);
|
||
#endif // NTDDI_VERSION >= NTDDI_WIN10_RS2
|
||
|
||
//
|
||
// Audit alarm
|
||
//
|
||
|
||
//
// NtAccessCheckAndAuditAlarm / ZwAccessCheckAndAuditAlarm
//
// Performs an access check of DesiredAccess against SecurityDescriptor
// (generic rights resolved through GenericMapping) and emits an audit
// record identified by SubsystemName, ObjectTypeName, ObjectName and the
// optional HandleId. ObjectCreation tells the audit whether the object is
// being created rather than opened. No ClientToken parameter is taken
// (contrast the ...ByHandle variants below), so the check presumably runs
// against the caller's current token -- confirm.
//
// Outputs: GrantedAccess receives the granted rights, AccessStatus the
// result of the access decision, and GenerateOnClose a flag the caller
// must later hand to NtCloseObjectAuditAlarm for the same HandleId.
//
// NOTE(review): the function's own NTSTATUS and *AccessStatus are distinct.
// A successful return only means the check and audit were carried out;
// the actual allow/deny decision is in *AccessStatus, which is why the
// result is _Must_inspect_result_. Audit-generating syscalls are normally
// restricted to callers holding SeAuditPrivilege -- TODO confirm for this
// entry point before relying on it from a low-privilege context.
//
_Must_inspect_result_
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtAccessCheckAndAuditAlarm(
    _In_ PUNICODE_STRING SubsystemName,
    _In_opt_ PVOID HandleId,
    _In_ PUNICODE_STRING ObjectTypeName,
    _In_ PUNICODE_STRING ObjectName,
    _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ PGENERIC_MAPPING GenericMapping,
    _In_ BOOLEAN ObjectCreation,
    _Out_ PACCESS_MASK GrantedAccess,
    _Out_ PNTSTATUS AccessStatus,
    _Out_ PBOOLEAN GenerateOnClose
    );

// Zw variant of NtAccessCheckAndAuditAlarm (same parameters and caveats);
// annotated as callable at PASSIVE_LEVEL only.
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwAccessCheckAndAuditAlarm(
    _In_ PUNICODE_STRING SubsystemName,
    _In_opt_ PVOID HandleId,
    _In_ PUNICODE_STRING ObjectTypeName,
    _In_ PUNICODE_STRING ObjectName,
    _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ PGENERIC_MAPPING GenericMapping,
    _In_ BOOLEAN ObjectCreation,
    _Out_ PACCESS_MASK GrantedAccess,
    _Out_ PNTSTATUS AccessStatus,
    _Out_ PBOOLEAN GenerateOnClose
    );
|
||
|
||
//
// NtAccessCheckByTypeAndAuditAlarm / ZwAccessCheckByTypeAndAuditAlarm
//
// Object-type-aware form of NtAccessCheckAndAuditAlarm. In addition to the
// base parameters it takes an optional PrincipalSelfSid (presumably
// substituted for the PRINCIPAL_SELF SID in the DACL -- confirm), the
// AuditType to record, a Flags word (values not defined in this header),
// and an optional ObjectTypeList of ObjectTypeListLength entries describing
// the object/property hierarchy being checked. A single GrantedAccess and
// AccessStatus are returned for the whole list; use the ResultList variant
// below for per-entry results.
//
// NOTE(review): same contract as the base function -- the returned NTSTATUS
// says whether the check ran, *AccessStatus carries the decision, and
// GenerateOnClose must be passed on to NtCloseObjectAuditAlarm. When
// ObjectTypeList is NULL, ObjectTypeListLength should presumably be 0 --
// confirm.
//
_Must_inspect_result_
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtAccessCheckByTypeAndAuditAlarm(
    _In_ PUNICODE_STRING SubsystemName,
    _In_opt_ PVOID HandleId,
    _In_ PUNICODE_STRING ObjectTypeName,
    _In_ PUNICODE_STRING ObjectName,
    _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
    _In_opt_ PSID PrincipalSelfSid,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ AUDIT_EVENT_TYPE AuditType,
    _In_ ULONG Flags,
    _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList,
    _In_ ULONG ObjectTypeListLength,
    _In_ PGENERIC_MAPPING GenericMapping,
    _In_ BOOLEAN ObjectCreation,
    _Out_ PACCESS_MASK GrantedAccess,
    _Out_ PNTSTATUS AccessStatus,
    _Out_ PBOOLEAN GenerateOnClose
    );

// Zw variant of NtAccessCheckByTypeAndAuditAlarm (same parameters and
// caveats); annotated as callable at PASSIVE_LEVEL only.
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwAccessCheckByTypeAndAuditAlarm(
    _In_ PUNICODE_STRING SubsystemName,
    _In_opt_ PVOID HandleId,
    _In_ PUNICODE_STRING ObjectTypeName,
    _In_ PUNICODE_STRING ObjectName,
    _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
    _In_opt_ PSID PrincipalSelfSid,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ AUDIT_EVENT_TYPE AuditType,
    _In_ ULONG Flags,
    _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList,
    _In_ ULONG ObjectTypeListLength,
    _In_ PGENERIC_MAPPING GenericMapping,
    _In_ BOOLEAN ObjectCreation,
    _Out_ PACCESS_MASK GrantedAccess,
    _Out_ PNTSTATUS AccessStatus,
    _Out_ PBOOLEAN GenerateOnClose
    );
|
||
|
||
//
// NtAccessCheckByTypeResultListAndAuditAlarm /
// ZwAccessCheckByTypeResultListAndAuditAlarm
//
// Same inputs as NtAccessCheckByTypeAndAuditAlarm, but GrantedAccess and
// AccessStatus are arrays: each is written with ObjectTypeListLength
// elements (_Out_writes_(ObjectTypeListLength)), one per entry of
// ObjectTypeList, instead of a single aggregate result.
//
// NOTE(review): the caller must allocate BOTH output arrays with at least
// ObjectTypeListLength elements; the kernel writes that many regardless of
// how many entries were actually granted. Because ObjectTypeList itself is
// optional, passing NULL with a non-zero ObjectTypeListLength is not covered
// by the annotations -- presumably use 0 in that case; confirm. Inspect the
// returned NTSTATUS before reading either array.
//
_Must_inspect_result_
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtAccessCheckByTypeResultListAndAuditAlarm(
    _In_ PUNICODE_STRING SubsystemName,
    _In_opt_ PVOID HandleId,
    _In_ PUNICODE_STRING ObjectTypeName,
    _In_ PUNICODE_STRING ObjectName,
    _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
    _In_opt_ PSID PrincipalSelfSid,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ AUDIT_EVENT_TYPE AuditType,
    _In_ ULONG Flags,
    _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList,
    _In_ ULONG ObjectTypeListLength,
    _In_ PGENERIC_MAPPING GenericMapping,
    _In_ BOOLEAN ObjectCreation,
    _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccess,
    _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatus,
    _Out_ PBOOLEAN GenerateOnClose
    );

// Zw variant of NtAccessCheckByTypeResultListAndAuditAlarm (same parameters
// and array-sizing caveats); annotated as callable at PASSIVE_LEVEL only.
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwAccessCheckByTypeResultListAndAuditAlarm(
    _In_ PUNICODE_STRING SubsystemName,
    _In_opt_ PVOID HandleId,
    _In_ PUNICODE_STRING ObjectTypeName,
    _In_ PUNICODE_STRING ObjectName,
    _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
    _In_opt_ PSID PrincipalSelfSid,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ AUDIT_EVENT_TYPE AuditType,
    _In_ ULONG Flags,
    _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList,
    _In_ ULONG ObjectTypeListLength,
    _In_ PGENERIC_MAPPING GenericMapping,
    _In_ BOOLEAN ObjectCreation,
    _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccess,
    _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatus,
    _Out_ PBOOLEAN GenerateOnClose
    );
|
||
|
||
//
// NtAccessCheckByTypeResultListAndAuditAlarmByHandle /
// ZwAccessCheckByTypeResultListAndAuditAlarmByHandle
//
// Like NtAccessCheckByTypeResultListAndAuditAlarm, but the token to check
// against is supplied explicitly as ClientToken instead of being taken
// from the calling thread. This is the variant to use when a server is
// checking on behalf of a client whose token it already holds.
//
// NOTE(review): ClientToken is an untrusted input from the kernel's point
// of view -- the handle must grant whatever query/duplicate rights the
// kernel requires (not stated here; confirm), and the result is only as
// meaningful as the token's impersonation level. Output arrays are sized by
// ObjectTypeListLength exactly as in the non-ByHandle variant.
//
_Must_inspect_result_
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtAccessCheckByTypeResultListAndAuditAlarmByHandle(
    _In_ PUNICODE_STRING SubsystemName,
    _In_opt_ PVOID HandleId,
    _In_ HANDLE ClientToken,
    _In_ PUNICODE_STRING ObjectTypeName,
    _In_ PUNICODE_STRING ObjectName,
    _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
    _In_opt_ PSID PrincipalSelfSid,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ AUDIT_EVENT_TYPE AuditType,
    _In_ ULONG Flags,
    _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList,
    _In_ ULONG ObjectTypeListLength,
    _In_ PGENERIC_MAPPING GenericMapping,
    _In_ BOOLEAN ObjectCreation,
    _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccess,
    _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatus,
    _Out_ PBOOLEAN GenerateOnClose
    );

// Zw variant of NtAccessCheckByTypeResultListAndAuditAlarmByHandle (same
// parameters and caveats); annotated as callable at PASSIVE_LEVEL only.
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwAccessCheckByTypeResultListAndAuditAlarmByHandle(
    _In_ PUNICODE_STRING SubsystemName,
    _In_opt_ PVOID HandleId,
    _In_ HANDLE ClientToken,
    _In_ PUNICODE_STRING ObjectTypeName,
    _In_ PUNICODE_STRING ObjectName,
    _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
    _In_opt_ PSID PrincipalSelfSid,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ AUDIT_EVENT_TYPE AuditType,
    _In_ ULONG Flags,
    _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList,
    _In_ ULONG ObjectTypeListLength,
    _In_ PGENERIC_MAPPING GenericMapping,
    _In_ BOOLEAN ObjectCreation,
    _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccess,
    _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatus,
    _Out_ PBOOLEAN GenerateOnClose
    );
|
||
|
||
//
// NtOpenObjectAuditAlarm / ZwOpenObjectAuditAlarm
//
// Audit-only entry point: generates the "object opened" audit record for an
// access decision the caller has ALREADY made. DesiredAccess, GrantedAccess,
// the optional Privileges set used, and the final AccessGranted verdict are
// all supplied by the caller for the ClientToken being audited; the
// optional SecurityDescriptor and the Subsystem/ObjectType/ObjectName
// strings identify the object. GenerateOnClose is returned for the later
// NtCloseObjectAuditAlarm call.
//
// NOTE(review): unlike the NtAccessCheck*AndAuditAlarm family this performs
// no access check -- it records whatever AccessGranted/GrantedAccess the
// caller claims. Do not use it as an enforcement point; pair it with a real
// access check. Presumably restricted to callers holding SeAuditPrivilege
// -- TODO confirm.
//
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtOpenObjectAuditAlarm(
    _In_ PUNICODE_STRING SubsystemName,
    _In_opt_ PVOID HandleId,
    _In_ PUNICODE_STRING ObjectTypeName,
    _In_ PUNICODE_STRING ObjectName,
    _In_opt_ PSECURITY_DESCRIPTOR SecurityDescriptor,
    _In_ HANDLE ClientToken,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ ACCESS_MASK GrantedAccess,
    _In_opt_ PPRIVILEGE_SET Privileges,
    _In_ BOOLEAN ObjectCreation,
    _In_ BOOLEAN AccessGranted,
    _Out_ PBOOLEAN GenerateOnClose
    );

// Zw variant of NtOpenObjectAuditAlarm (same parameters and caveats);
// annotated as callable at PASSIVE_LEVEL only.
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwOpenObjectAuditAlarm(
    _In_ PUNICODE_STRING SubsystemName,
    _In_opt_ PVOID HandleId,
    _In_ PUNICODE_STRING ObjectTypeName,
    _In_ PUNICODE_STRING ObjectName,
    _In_opt_ PSECURITY_DESCRIPTOR SecurityDescriptor,
    _In_ HANDLE ClientToken,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ ACCESS_MASK GrantedAccess,
    _In_opt_ PPRIVILEGE_SET Privileges,
    _In_ BOOLEAN ObjectCreation,
    _In_ BOOLEAN AccessGranted,
    _Out_ PBOOLEAN GenerateOnClose
    );
|
||
|
||
//
// NtPrivilegeObjectAuditAlarm / ZwPrivilegeObjectAuditAlarm
//
// Audit-only: records that the privileges in Privileges (required, not
// optional here) were used by ClientToken to obtain DesiredAccess on the
// object identified by SubsystemName/HandleId, with the caller-supplied
// AccessGranted verdict. As with NtOpenObjectAuditAlarm, no check is
// performed -- the caller asserts the outcome.
//
// NOTE(review): presumably requires SeAuditPrivilege -- TODO confirm.
//
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtPrivilegeObjectAuditAlarm(
    _In_ PUNICODE_STRING SubsystemName,
    _In_opt_ PVOID HandleId,
    _In_ HANDLE ClientToken,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ PPRIVILEGE_SET Privileges,
    _In_ BOOLEAN AccessGranted
    );

// Zw variant of NtPrivilegeObjectAuditAlarm (same parameters); annotated as
// callable at PASSIVE_LEVEL only.
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwPrivilegeObjectAuditAlarm(
    _In_ PUNICODE_STRING SubsystemName,
    _In_opt_ PVOID HandleId,
    _In_ HANDLE ClientToken,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ PPRIVILEGE_SET Privileges,
    _In_ BOOLEAN AccessGranted
    );
|
||
|
||
//
// NtCloseObjectAuditAlarm / ZwCloseObjectAuditAlarm
//
// Generates the "handle closed" audit record for the handle identified by
// SubsystemName/HandleId. GenerateOnClose is the BOOLEAN that the earlier
// NtAccessCheck*AndAuditAlarm or NtOpenObjectAuditAlarm call returned for
// the same handle; passing it back lets the kernel decide whether a close
// record is actually due.
//
// NOTE(review): always feed the value the check returned, not a constant --
// forcing TRUE produces spurious close audits, forcing FALSE silently drops
// records that policy asked for.
//
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtCloseObjectAuditAlarm(
    _In_ PUNICODE_STRING SubsystemName,
    _In_opt_ PVOID HandleId,
    _In_ BOOLEAN GenerateOnClose
    );

// Zw variant of NtCloseObjectAuditAlarm (same parameters); annotated as
// callable at PASSIVE_LEVEL only.
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwCloseObjectAuditAlarm(
    _In_ PUNICODE_STRING SubsystemName,
    _In_opt_ PVOID HandleId,
    _In_ BOOLEAN GenerateOnClose
    );
|
||
|
||
//
// NtDeleteObjectAuditAlarm / ZwDeleteObjectAuditAlarm
//
// Same shape as NtCloseObjectAuditAlarm but records an object deletion
// rather than a handle close. GenerateOnClose is again the value returned
// by the originating access-check/open audit call for this HandleId.
//
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtDeleteObjectAuditAlarm(
    _In_ PUNICODE_STRING SubsystemName,
    _In_opt_ PVOID HandleId,
    _In_ BOOLEAN GenerateOnClose
    );

// Zw variant of NtDeleteObjectAuditAlarm (same parameters); annotated as
// callable at PASSIVE_LEVEL only.
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwDeleteObjectAuditAlarm(
    _In_ PUNICODE_STRING SubsystemName,
    _In_opt_ PVOID HandleId,
    _In_ BOOLEAN GenerateOnClose
    );
|
||
|
||
//
// NtPrivilegedServiceAuditAlarm / ZwPrivilegedServiceAuditAlarm
//
// Audit-only: records an attempt by ClientToken to use the privileges in
// Privileges to invoke the named ServiceName of SubsystemName, with the
// caller-supplied AccessGranted verdict. There is no object/HandleId here --
// the audited subject is a service operation, not a handle.
//
// NOTE(review): as with the other *AuditAlarm calls, the kernel records the
// outcome the caller asserts; it does not evaluate the privilege set.
// Presumably requires SeAuditPrivilege -- TODO confirm.
//
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtPrivilegedServiceAuditAlarm(
    _In_ PUNICODE_STRING SubsystemName,
    _In_ PUNICODE_STRING ServiceName,
    _In_ HANDLE ClientToken,
    _In_ PPRIVILEGE_SET Privileges,
    _In_ BOOLEAN AccessGranted
    );

// Zw variant of NtPrivilegedServiceAuditAlarm (same parameters); annotated
// as callable at PASSIVE_LEVEL only.
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwPrivilegedServiceAuditAlarm(
    _In_ PUNICODE_STRING SubsystemName,
    _In_ PUNICODE_STRING ServiceName,
    _In_ HANDLE ClientToken,
    _In_ PPRIVILEGE_SET Privileges,
    _In_ BOOLEAN AccessGranted
    );
|
||
|
||
// LSA
|
||
|
||
#ifndef _KERNEL_MODE
|
||
|
||
#include <NTSecAPI.h>
|
||
|
||
#else // _KERNEL_MODE
|
||
|
||
//#pragma comment(lib, "ksecdd.lib")
|
||
|
||
#if (NTDDI_VERSION >= NTDDI_VISTA)
|
||
//
// Last-logon statistics embedded in SECURITY_LOGON_SESSION_DATA (Vista+).
// This is the kernel-mode copy of the definition that user mode gets from
// NTSecAPI.h (included in the other branch of this #ifndef _KERNEL_MODE).
//
// NOTE(review): keep field order and types identical to the SDK header --
// the structure is filled in by the callee (LsaGetLogonSessionData), so any
// divergence is a silent layout mismatch rather than a compile error.
//
typedef struct _LSA_LAST_INTER_LOGON_INFO {
    LARGE_INTEGER LastSuccessfulLogon;  // 64-bit timestamp; presumably FILETIME units like LogonTime -- confirm
    LARGE_INTEGER LastFailedLogon;      // 64-bit timestamp of the most recent failure
    ULONG FailedAttemptCountSinceLastSuccessfulLogon;
} LSA_LAST_INTER_LOGON_INFO, * PLSA_LAST_INTER_LOGON_INFO;
|
||
#endif // NTDDI_VERSION >= NTDDI_VISTA
|
||
|
||
//
// Per-logon-session record returned by LsaGetLogonSessionData. Kernel-mode
// mirror of the NTSecAPI.h definition; the fields after the NTDDI_VISTA
// guard exist only when building for Vista or later, so the structure's
// sizeof depends on the target version.
//
// NOTE(review): Size is the first member and is presumably the byte size
// the callee filled in -- callers built for Vista+ should compare it
// against sizeof(SECURITY_LOGON_SESSION_DATA) before touching the trailing
// fields; TODO confirm what Size measures. The LSA_UNICODE_STRING buffers
// and Sid are presumably pointers into the same returned block, so none
// of them may be used after LsaFreeReturnBuffer -- confirm.
//
typedef struct _SECURITY_LOGON_SESSION_DATA {
    ULONG Size;                                   // size of this record as filled in by the callee (see note above)
    LUID LogonId;                                 // logon session identifier (matches the LUIDs from LsaEnumerateLogonSessions)
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING LogonDomain;
    LSA_UNICODE_STRING AuthenticationPackage;
    ULONG LogonType;                              // SECURITY_LOGON_TYPE value -- not defined in this header
    ULONG Session;                                // terminal-services session number (presumed from the name)
    PSID Sid;
    LARGE_INTEGER LogonTime;

    //
    // Added in Whistler (Windows XP):
    //

    LSA_UNICODE_STRING LogonServer;
    LSA_UNICODE_STRING DnsDomainName;
    LSA_UNICODE_STRING Upn;

#if (NTDDI_VERSION >= NTDDI_VISTA)

    //
    // Added in Longhorn (Windows Vista) -- matches the NTDDI_VISTA guard:
    //

    ULONG UserFlags;                              // flag bits; values not defined in this header

    LSA_LAST_INTER_LOGON_INFO LastLogonInfo;      // see LSA_LAST_INTER_LOGON_INFO above
    LSA_UNICODE_STRING LogonScript;
    LSA_UNICODE_STRING ProfilePath;
    LSA_UNICODE_STRING HomeDirectory;
    LSA_UNICODE_STRING HomeDirectoryDrive;

    LARGE_INTEGER LogoffTime;                     // password/session timestamps; same 64-bit form as LogonTime
    LARGE_INTEGER KickOffTime;
    LARGE_INTEGER PasswordLastSet;
    LARGE_INTEGER PasswordCanChange;
    LARGE_INTEGER PasswordMustChange;

#endif
} SECURITY_LOGON_SESSION_DATA, * PSECURITY_LOGON_SESSION_DATA;
|
||
|
||
//
// LsaEnumerateLogonSessions (kernel-mode import)
//
// Returns the number of active logon sessions in *LogonSessionCount and a
// pointer to an array of that many LUIDs in *LogonSessionList.
//
// NOTE(review): the array is allocated by the callee; release it with
// LsaFreeReturnBuffer (the only free routine in this branch) and not with
// an arbitrary ExFreePoolWithTag/tagged free, since the allocation tag is
// not known here -- confirm the ownership contract against the ksecdd
// documentation. Both outputs are unspecified on failure; check the status.
//
NTKERNELAPI
NTSTATUS
NTAPI
LsaEnumerateLogonSessions(
    _Out_ PULONG LogonSessionCount,
    _Out_ PLUID* LogonSessionList
    );
|
||
|
||
//
// LsaGetLogonSessionData (kernel-mode import)
//
// Looks up the logon session identified by *LogonId (typically one of the
// LUIDs from LsaEnumerateLogonSessions) and returns a callee-allocated
// SECURITY_LOGON_SESSION_DATA in *LogonSessionData.
//
// NOTE(review): the returned record contains embedded string buffers and a
// PSID; treat the whole block as one allocation and release it exactly once
// with LsaFreeReturnBuffer. Because the structure's layout depends on
// NTDDI_VERSION (see the definition above), validate Size before reading
// the Vista+ fields -- confirm Size semantics.
//
NTKERNELAPI
NTSTATUS
NTAPI
LsaGetLogonSessionData(
    _In_ PLUID LogonId,
    _Out_ PSECURITY_LOGON_SESSION_DATA* LogonSessionData
    );
|
||
|
||
//
// LsaFreeReturnBuffer (kernel-mode substitute)
//
// Releases a buffer handed out by LsaEnumerateLogonSessions or
// LsaGetLogonSessionData. Returns STATUS_INVALID_ADDRESS for a NULL
// Buffer and STATUS_SUCCESS otherwise; the release itself is an untagged
// ExFreePool.
//
// NOTE(review): nothing here verifies that Buffer really came from one of
// those two routines -- freeing any other pointer, or freeing the same
// block twice, corrupts the pool. Null the caller's pointer after this
// returns. Whether the callee's allocation is compatible with an untagged
// ExFreePool is presumed from the existing code -- confirm.
//
FORCEINLINE
NTSTATUS
NTAPI
LsaFreeReturnBuffer(
    _In_ PVOID Buffer
    )
{
    if (Buffer == NULL) {
        return STATUS_INVALID_ADDRESS;
    }

    ExFreePool(Buffer);
    return STATUS_SUCCESS;
}
|
||
|
||
#endif // _KERNEL_MODE
|
||
|
||
//
|
||
// Only Kernel
|
||
//
|
||
|
||
#ifdef _KERNEL_MODE
|
||
|
||
// Dacl
|
||
|
||
extern PACL SeSystemDefaultDacl;  // kernel-exported DACL (declared extern here, defined by the kernel); presumably the default DACL applied to system objects -- confirm before using it as a template
|
||
|
||
// Token
|
||
|
||
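//
// SeTokenImpersonationLevel (kernel-mode import)
//
// Returns the SECURITY_IMPERSONATION_LEVEL of the given access token.
//
// NOTE(review): the annotation was the legacy SAL-1 form `__in`; it is
// normalised to `_In_` here to match every other prototype in this header
// (no change in meaning). Callers doing security decisions on behalf of a
// client should reject tokens below the level they need (e.g. an
// Identification-level token must not be used to open objects) -- the
// function only reports the level, it does not enforce anything.
//
NTKERNELAPI
SECURITY_IMPERSONATION_LEVEL
NTAPI
SeTokenImpersonationLevel(
    _In_ PACCESS_TOKEN Token
    );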
|
||
|
||
#endif // _KERNEL_MODE
|
||
|
||
|
||
VEIL_END()
|
||
|
||
#if _MSC_VER >= 1200
|
||
#pragma warning(pop)
|
||
#endif
|