3 Copyright (c) Alex Ionescu. All rights reserved.
11 Function definitions for the security manager.
15 Alex Ionescu (alexi@tinykrnl.org) - Updated - 27-Feb-2006
27 #ifndef NTOS_MODE_USER
30 // Security Descriptors
35 SeCaptureSecurityDescriptor(
36 _In_ PSECURITY_DESCRIPTOR OriginalSecurityDescriptor
,
37 _In_ KPROCESSOR_MODE CurrentMode
,
38 _In_ POOL_TYPE PoolType
,
39 _In_ BOOLEAN CaptureIfKernel
,
40 _Out_ PSECURITY_DESCRIPTOR
*CapturedSecurityDescriptor
46 SeReleaseSecurityDescriptor(
47 _In_ PSECURITY_DESCRIPTOR CapturedSecurityDescriptor
,
48 _In_ KPROCESSOR_MODE CurrentMode
,
49 _In_ BOOLEAN CaptureIfKernelMode
59 PACCESS_STATE AccessState
,
60 PAUX_ACCESS_DATA AuxData
,
62 PGENERIC_MAPPING GenericMapping
69 _In_ PACCESS_STATE AccessState
76 SECURITY_IMPERSONATION_LEVEL
78 SeTokenImpersonationLevel(
79 _In_ PACCESS_TOKEN Token
91 _In_ PSECURITY_DESCRIPTOR SecurityDescriptor
,
92 _In_ HANDLE ClientToken
,
93 _In_ ACCESS_MASK DesiredAccess
,
94 _In_ PGENERIC_MAPPING GenericMapping
,
95 _Out_ PPRIVILEGE_SET PrivilegeSet
,
96 _Out_ PULONG ReturnLength
,
97 _Out_ PACCESS_MASK GrantedAccess
,
98 _Out_ PNTSTATUS AccessStatus
104 _In_ PSECURITY_DESCRIPTOR SecurityDescriptor
,
105 _In_ PSID PrincipalSelfSid
,
106 _In_ HANDLE ClientToken
,
107 _In_ ACCESS_MASK DesiredAccess
,
108 _In_ POBJECT_TYPE_LIST ObjectTypeList
,
109 _In_ ULONG ObjectTypeLength
,
110 _In_ PGENERIC_MAPPING GenericMapping
,
111 _In_ PPRIVILEGE_SET PrivilegeSet
,
112 _Inout_ PULONG PrivilegeSetLength
,
113 _Out_ PACCESS_MASK GrantedAccess
,
114 _Out_ PNTSTATUS AccessStatus
119 NtAccessCheckByTypeResultList(
120 _In_ PSECURITY_DESCRIPTOR SecurityDescriptor
,
121 _In_ PSID PrincipalSelfSid
,
122 _In_ HANDLE ClientToken
,
123 _In_ ACCESS_MASK DesiredAccess
,
124 _In_ POBJECT_TYPE_LIST ObjectTypeList
,
125 _In_ ULONG ObjectTypeLength
,
126 _In_ PGENERIC_MAPPING GenericMapping
,
127 _In_ PPRIVILEGE_SET PrivilegeSet
,
128 _Inout_ PULONG PrivilegeSetLength
,
129 _Out_ PACCESS_MASK GrantedAccess
,
130 _Out_ PNTSTATUS AccessStatus
133 _Must_inspect_result_
134 __kernel_entry NTSYSCALLAPI
137 NtAccessCheckAndAuditAlarm(
138 _In_ PUNICODE_STRING SubsystemName
,
139 _In_opt_ PVOID HandleId
,
140 _In_ PUNICODE_STRING ObjectTypeName
,
141 _In_ PUNICODE_STRING ObjectName
,
142 _In_ PSECURITY_DESCRIPTOR SecurityDescriptor
,
143 _In_ ACCESS_MASK DesiredAccess
,
144 _In_ PGENERIC_MAPPING GenericMapping
,
145 _In_ BOOLEAN ObjectCreation
,
146 _Out_ PACCESS_MASK GrantedAccess
,
147 _Out_ PNTSTATUS AccessStatus
,
148 _Out_ PBOOLEAN GenerateOnClose
151 _Must_inspect_result_
157 _In_ HANDLE TokenHandle
,
158 _In_ BOOLEAN ResetToDefault
,
159 _In_opt_ PTOKEN_GROUPS NewState
,
160 _In_opt_ ULONG BufferLength
,
161 _Out_writes_bytes_to_opt_(BufferLength
, *ReturnLength
) PTOKEN_GROUPS PreviousState
,
162 _Out_ PULONG ReturnLength
165 _Must_inspect_result_
170 NtAdjustPrivilegesToken(
171 _In_ HANDLE TokenHandle
,
172 _In_ BOOLEAN DisableAllPrivileges
,
173 _In_opt_ PTOKEN_PRIVILEGES NewState
,
174 _In_ ULONG BufferLength
,
175 _Out_writes_bytes_to_opt_(BufferLength
, *ReturnLength
) PTOKEN_PRIVILEGES PreviousState
,
176 _When_(PreviousState
!= NULL
, _Out_
) PULONG ReturnLength
182 NtAllocateLocallyUniqueId(
183 _Out_ LUID
*LocallyUniqueId
190 PULARGE_INTEGER Time
,
200 _In_ HANDLE FirstTokenHandle
,
201 _In_ HANDLE SecondTokenHandle
,
202 _Out_ PBOOLEAN Equal
);
208 _Out_ PHANDLE TokenHandle
,
209 _In_ ACCESS_MASK DesiredAccess
,
210 _In_ POBJECT_ATTRIBUTES ObjectAttributes
,
211 _In_ TOKEN_TYPE TokenType
,
212 _In_ PLUID AuthenticationId
,
213 _In_ PLARGE_INTEGER ExpirationTime
,
214 _In_ PTOKEN_USER TokenUser
,
215 _In_ PTOKEN_GROUPS TokenGroups
,
216 _In_ PTOKEN_PRIVILEGES TokenPrivileges
,
217 _In_ PTOKEN_OWNER TokenOwner
,
218 _In_ PTOKEN_PRIMARY_GROUP TokenPrimaryGroup
,
219 _In_ PTOKEN_DEFAULT_DACL TokenDefaultDacl
,
220 _In_ PTOKEN_SOURCE TokenSource
223 _Must_inspect_result_
229 _In_ HANDLE ExistingTokenHandle
,
230 _In_ ACCESS_MASK DesiredAccess
,
231 _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes
,
232 _In_ BOOLEAN EffectiveOnly
,
233 _In_ TOKEN_TYPE TokenType
,
234 _Out_ PHANDLE NewTokenHandle
240 NtImpersonateAnonymousToken(
248 NtOpenObjectAuditAlarm(
249 _In_ PUNICODE_STRING SubsystemName
,
250 _In_opt_ PVOID HandleId
,
251 _In_ PUNICODE_STRING ObjectTypeName
,
252 _In_ PUNICODE_STRING ObjectName
,
253 _In_opt_ PSECURITY_DESCRIPTOR SecurityDescriptor
,
254 _In_ HANDLE ClientToken
,
255 _In_ ACCESS_MASK DesiredAccess
,
256 _In_ ACCESS_MASK GrantedAccess
,
257 _In_opt_ PPRIVILEGE_SET Privileges
,
258 _In_ BOOLEAN ObjectCreation
,
259 _In_ BOOLEAN AccessGranted
,
260 _Out_ PBOOLEAN GenerateOnClose
266 NtOpenProcessTokenEx(
267 _In_ HANDLE ProcessHandle
,
268 _In_ ACCESS_MASK DesiredAccess
,
269 _In_ ULONG HandleAttributes
,
270 _Out_ PHANDLE TokenHandle
273 _Must_inspect_result_
279 _In_ HANDLE ClientToken
,
280 _Inout_ PPRIVILEGE_SET RequiredPrivileges
,
281 _Out_ PBOOLEAN Result
287 NtPrivilegedServiceAuditAlarm(
288 _In_ PUNICODE_STRING SubsystemName
,
289 _In_ PUNICODE_STRING ServiceName
,
290 _In_ HANDLE ClientToken
,
291 _In_ PPRIVILEGE_SET Privileges
,
292 _In_ BOOLEAN AccessGranted
299 NtPrivilegeObjectAuditAlarm(
300 _In_ PUNICODE_STRING SubsystemName
,
301 _In_opt_ PVOID HandleId
,
302 _In_ HANDLE ClientToken
,
303 _In_ ACCESS_MASK DesiredAccess
,
304 _In_ PPRIVILEGE_SET Privileges
,
305 _In_ BOOLEAN AccessGranted
308 _When_(TokenInformationClass
== TokenAccessInformation
,
309 _At_(TokenInformationLength
, _In_range_(>=, sizeof(TOKEN_ACCESS_INFORMATION
))))
310 _Must_inspect_result_
315 NtQueryInformationToken(
316 _In_ HANDLE TokenHandle
,
317 _In_ TOKEN_INFORMATION_CLASS TokenInformationClass
,
318 _Out_writes_bytes_to_opt_(TokenInformationLength
, *ReturnLength
) PVOID TokenInformation
,
319 _In_ ULONG TokenInformationLength
,
320 _Out_ PULONG ReturnLength
323 _Must_inspect_result_
328 NtSetInformationToken(
329 _In_ HANDLE TokenHandle
,
330 _In_ TOKEN_INFORMATION_CLASS TokenInformationClass
,
331 _In_reads_bytes_(TokenInformationLength
) PVOID TokenInformation
,
332 _In_ ULONG TokenInformationLength
339 _In_ PSECURITY_DESCRIPTOR SecurityDescriptor
,
340 _In_ HANDLE ClientToken
,
341 _In_ ACCESS_MASK DesiredAccess
,
342 _In_ PGENERIC_MAPPING GenericMapping
,
343 _Out_ PPRIVILEGE_SET PrivilegeSet
,
344 _Out_ PULONG ReturnLength
,
345 _Out_ PACCESS_MASK GrantedAccess
,
346 _Out_ PNTSTATUS AccessStatus
353 _In_ HANDLE TokenHandle
,
354 _In_ BOOLEAN ResetToDefault
,
355 _In_ PTOKEN_GROUPS NewState
,
356 _In_ ULONG BufferLength
,
357 _Out_opt_ PTOKEN_GROUPS PreviousState
,
358 _Out_ PULONG ReturnLength
361 _Must_inspect_result_
365 ZwAdjustPrivilegesToken(
366 _In_ HANDLE TokenHandle
,
367 _In_ BOOLEAN DisableAllPrivileges
,
368 _In_opt_ PTOKEN_PRIVILEGES NewState
,
369 _In_ ULONG BufferLength
,
370 _Out_writes_bytes_to_opt_(BufferLength
, *ReturnLength
) PTOKEN_PRIVILEGES PreviousState
,
371 _When_(PreviousState
!= NULL
, _Out_
) PULONG ReturnLength
377 ZwAllocateLocallyUniqueId(
378 _Out_ LUID
*LocallyUniqueId
385 PULARGE_INTEGER Time
,
395 _Out_ PHANDLE TokenHandle
,
396 _In_ ACCESS_MASK DesiredAccess
,
397 _In_ POBJECT_ATTRIBUTES ObjectAttributes
,
398 _In_ TOKEN_TYPE TokenType
,
399 _In_ PLUID AuthenticationId
,
400 _In_ PLARGE_INTEGER ExpirationTime
,
401 _In_ PTOKEN_USER TokenUser
,
402 _In_ PTOKEN_GROUPS TokenGroups
,
403 _In_ PTOKEN_PRIVILEGES TokenPrivileges
,
404 _In_ PTOKEN_OWNER TokenOwner
,
405 _In_ PTOKEN_PRIMARY_GROUP TokenPrimaryGroup
,
406 _In_ PTOKEN_DEFAULT_DACL TokenDefaultDacl
,
407 _In_ PTOKEN_SOURCE TokenSource
410 _IRQL_requires_max_(PASSIVE_LEVEL
)
415 _In_ HANDLE ExistingTokenHandle
,
416 _In_ ACCESS_MASK DesiredAccess
,
417 _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes
,
418 _In_ BOOLEAN EffectiveOnly
,
419 _In_ TOKEN_TYPE TokenType
,
420 _Out_ PHANDLE NewTokenHandle
426 ZwImpersonateAnonymousToken(
433 ZwOpenObjectAuditAlarm(
434 _In_ PUNICODE_STRING SubsystemName
,
436 _In_ PUNICODE_STRING ObjectTypeName
,
437 _In_ PUNICODE_STRING ObjectName
,
438 _In_ PSECURITY_DESCRIPTOR SecurityDescriptor
,
439 _In_ HANDLE ClientToken
,
440 _In_ ULONG DesiredAccess
,
441 _In_ ULONG GrantedAccess
,
442 _In_ PPRIVILEGE_SET Privileges
,
443 _In_ BOOLEAN ObjectCreation
,
444 _In_ BOOLEAN AccessGranted
,
445 _Out_ PBOOLEAN GenerateOnClose
448 _IRQL_requires_max_(PASSIVE_LEVEL
)
453 _In_ HANDLE ProcessHandle
,
454 _In_ ACCESS_MASK DesiredAccess
,
455 _Out_ PHANDLE TokenHandle
461 ZwOpenProcessTokenEx(
462 _In_ HANDLE ProcessHandle
,
463 _In_ ACCESS_MASK DesiredAccess
,
464 _In_ ULONG HandleAttributes
,
465 _Out_ PHANDLE TokenHandle
472 _In_ HANDLE ClientToken
,
473 _In_ PPRIVILEGE_SET RequiredPrivileges
,
480 ZwPrivilegedServiceAuditAlarm(
481 _In_ PUNICODE_STRING SubsystemName
,
482 _In_ PUNICODE_STRING ServiceName
,
483 _In_ HANDLE ClientToken
,
484 _In_ PPRIVILEGE_SET Privileges
,
485 _In_ BOOLEAN AccessGranted
491 ZwPrivilegeObjectAuditAlarm(
492 _In_ PUNICODE_STRING SubsystemName
,
494 _In_ HANDLE ClientToken
,
495 _In_ ULONG DesiredAccess
,
496 _In_ PPRIVILEGE_SET Privileges
,
497 _In_ BOOLEAN AccessGranted
500 _IRQL_requires_max_(PASSIVE_LEVEL
)
504 ZwQueryInformationToken(
505 _In_ HANDLE TokenHandle
,
506 _In_ TOKEN_INFORMATION_CLASS TokenInformationClass
,
507 _Out_writes_bytes_to_opt_(Length
,*ResultLength
) PVOID TokenInformation
,
509 _Out_ PULONG ResultLength
515 ZwSetInformationToken(
516 _In_ HANDLE TokenHandle
,
517 _In_ TOKEN_INFORMATION_CLASS TokenInformationClass
,
518 _Out_ PVOID TokenInformation
,
519 _In_ ULONG TokenInformationLength