2189 lines
74 KiB
C
2189 lines
74 KiB
C
|
|
|||
|
/*++ BUILD Version: 0003 // Increment this if a change has global effects
|
|||
|
|
|||
|
Copyright (c) 1989-2000 Microsoft Corporation
|
|||
|
|
|||
|
Module Name:
|
|||
|
|
|||
|
ntseapi.h
|
|||
|
|
|||
|
Abstract:
|
|||
|
|
|||
|
This module contains the Security APIs and any public data
|
|||
|
structures needed to call these APIs.
|
|||
|
|
|||
|
This module should be included by including "nt.h".
|
|||
|
|
|||
|
Author:
|
|||
|
|
|||
|
Gary Kimura (GaryKi) 06-Mar-1989
|
|||
|
|
|||
|
Revision History:
|
|||
|
|
|||
|
|
|||
|
|
|||
|
--*/
|
|||
|
|
|||
|
#ifndef _NTSEAPI_
|
|||
|
#define _NTSEAPI_
|
|||
|
|
|||
|
#if _MSC_VER > 1000
|
|||
|
#pragma once
|
|||
|
#endif
|
|||
|
|
|||
|
#ifdef __cplusplus
|
|||
|
extern "C" {
|
|||
|
#endif
|
|||
|
|
|||
|
|
|||
|
////////////////////////////////////////////////////////////////////////
|
|||
|
// //
|
|||
|
// Pointers to Opaque data types //
|
|||
|
// //
|
|||
|
////////////////////////////////////////////////////////////////////////
|
|||
|
|
|||
|
//
|
|||
|
// Some of these data types may have related data types defined elsewhere
|
|||
|
// in this file.
|
|||
|
//
|
|||
|
|
|||
|
// begin_ntddk begin_wdm begin_nthal begin_ntifs
|
|||
|
//
|
|||
|
// Define an access token from a programmer's viewpoint. The structure is
|
|||
|
// completely opaque and the programer is only allowed to have pointers
|
|||
|
// to tokens.
|
|||
|
//
|
|||
|
|
|||
|
typedef PVOID PACCESS_TOKEN; // winnt
|
|||
|
|
|||
|
//
|
|||
|
// Pointer to a SECURITY_DESCRIPTOR opaque data type.
|
|||
|
//
|
|||
|
|
|||
|
typedef PVOID PSECURITY_DESCRIPTOR; // winnt
|
|||
|
|
|||
|
//
|
|||
|
// Define a pointer to the Security ID data type (an opaque data type)
|
|||
|
//
|
|||
|
|
|||
|
typedef PVOID PSID; // winnt
|
|||
|
|
|||
|
// end_ntddk end_wdm end_nthal end_ntifs
|
|||
|
|
|||
|
|
|||
|
|
|||
|
// begin_winnt
|
|||
|
////////////////////////////////////////////////////////////////////////
|
|||
|
// //
|
|||
|
// ACCESS MASK //
|
|||
|
// //
|
|||
|
////////////////////////////////////////////////////////////////////////
|
|||
|
|
|||
|
//
|
|||
|
// Define the access mask as a longword sized structure divided up as
|
|||
|
// follows:
|
|||
|
//
|
|||
|
// 3 3 2 2 2 2 2 2 2 2 2 2 1 1 1 1 1 1 1 1 1 1
|
|||
|
// 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0
|
|||
|
// +---------------+---------------+-------------------------------+
|
|||
|
// |G|G|G|G|Res'd|A| StandardRights| SpecificRights |
|
|||
|
// |R|W|E|A| |S| | |
|
|||
|
// +-+-------------+---------------+-------------------------------+
|
|||
|
//
|
|||
|
// typedef struct _ACCESS_MASK {
|
|||
|
// USHORT SpecificRights;
|
|||
|
// UCHAR StandardRights;
|
|||
|
// UCHAR AccessSystemAcl : 1;
|
|||
|
// UCHAR Reserved : 3;
|
|||
|
// UCHAR GenericAll : 1;
|
|||
|
// UCHAR GenericExecute : 1;
|
|||
|
// UCHAR GenericWrite : 1;
|
|||
|
// UCHAR GenericRead : 1;
|
|||
|
// } ACCESS_MASK;
|
|||
|
// typedef ACCESS_MASK *PACCESS_MASK;
|
|||
|
//
|
|||
|
// but to make life simple for programmer's we'll allow them to specify
|
|||
|
// a desired access mask by simply OR'ing together mulitple single rights
|
|||
|
// and treat an access mask as a ULONG. For example
|
|||
|
//
|
|||
|
// DesiredAccess = DELETE | READ_CONTROL
|
|||
|
//
|
|||
|
// So we'll declare ACCESS_MASK as ULONG
|
|||
|
//
|
|||
|
|
|||
|
// begin_ntddk begin_wdm begin_nthal begin_ntifs
|
|||
|
typedef ULONG ACCESS_MASK;
|
|||
|
typedef ACCESS_MASK *PACCESS_MASK;
|
|||
|
|
|||
|
// end_winnt
|
|||
|
// end_ntddk end_wdm end_nthal end_ntifs
|
|||
|
|
|||
|
|
|||
|
// begin_winnt
|
|||
|
////////////////////////////////////////////////////////////////////////
|
|||
|
// //
|
|||
|
// ACCESS TYPES //
|
|||
|
// //
|
|||
|
////////////////////////////////////////////////////////////////////////
|
|||
|
|
|||
|
|
|||
|
// begin_ntddk begin_wdm begin_nthal begin_ntifs
|
|||
|
//
|
|||
|
// The following are masks for the predefined standard access types
|
|||
|
//
|
|||
|
|
|||
|
#define DELETE (0x00010000L)
|
|||
|
#define READ_CONTROL (0x00020000L)
|
|||
|
#define WRITE_DAC (0x00040000L)
|
|||
|
#define WRITE_OWNER (0x00080000L)
|
|||
|
#define SYNCHRONIZE (0x00100000L)
|
|||
|
|
|||
|
#define STANDARD_RIGHTS_REQUIRED (0x000F0000L)
|
|||
|
|
|||
|
#define STANDARD_RIGHTS_READ (READ_CONTROL)
|
|||
|
#define STANDARD_RIGHTS_WRITE (READ_CONTROL)
|
|||
|
#define STANDARD_RIGHTS_EXECUTE (READ_CONTROL)
|
|||
|
|
|||
|
#define STANDARD_RIGHTS_ALL (0x001F0000L)
|
|||
|
|
|||
|
#define SPECIFIC_RIGHTS_ALL (0x0000FFFFL)
|
|||
|
|
|||
|
//
|
|||
|
// AccessSystemAcl access type
|
|||
|
//
|
|||
|
|
|||
|
#define ACCESS_SYSTEM_SECURITY (0x01000000L)
|
|||
|
|
|||
|
//
|
|||
|
// MaximumAllowed access type
|
|||
|
//
|
|||
|
|
|||
|
#define MAXIMUM_ALLOWED (0x02000000L)
|
|||
|
|
|||
|
//
|
|||
|
// These are the generic rights.
|
|||
|
//
|
|||
|
|
|||
|
#define GENERIC_READ (0x80000000L)
|
|||
|
#define GENERIC_WRITE (0x40000000L)
|
|||
|
#define GENERIC_EXECUTE (0x20000000L)
|
|||
|
#define GENERIC_ALL (0x10000000L)
|
|||
|
|
|||
|
|
|||
|
//
|
|||
|
// Define the generic mapping array. This is used to denote the
|
|||
|
// mapping of each generic access right to a specific access mask.
|
|||
|
//
|
|||
|
|
|||
|
typedef struct _GENERIC_MAPPING {
|
|||
|
ACCESS_MASK GenericRead;
|
|||
|
ACCESS_MASK GenericWrite;
|
|||
|
ACCESS_MASK GenericExecute;
|
|||
|
ACCESS_MASK GenericAll;
|
|||
|
} GENERIC_MAPPING;
|
|||
|
typedef GENERIC_MAPPING *PGENERIC_MAPPING;
|
|||
|
|
|||
|
// end_winnt end_ntddk end_wdm end_nthal end_ntifs
|
|||
|
|
|||
|
// begin_ntddk begin_wdm begin_winnt begin_nthal begin_ntifs
|
|||
|
|
|||
|
|
|||
|
////////////////////////////////////////////////////////////////////////
|
|||
|
// //
|
|||
|
// LUID_AND_ATTRIBUTES //
|
|||
|
// //
|
|||
|
////////////////////////////////////////////////////////////////////////
|
|||
|
//
|
|||
|
//
|
|||
|
|
|||
|
|
|||
|
#include <pshpack4.h>
|
|||
|
|
|||
|
typedef struct _LUID_AND_ATTRIBUTES {
|
|||
|
LUID Luid;
|
|||
|
ULONG Attributes;
|
|||
|
} LUID_AND_ATTRIBUTES, * PLUID_AND_ATTRIBUTES;
|
|||
|
typedef LUID_AND_ATTRIBUTES LUID_AND_ATTRIBUTES_ARRAY[ANYSIZE_ARRAY];
|
|||
|
typedef LUID_AND_ATTRIBUTES_ARRAY *PLUID_AND_ATTRIBUTES_ARRAY;
|
|||
|
|
|||
|
#include <poppack.h>
|
|||
|
|
|||
|
// end_winnt end_wdm end_ntddk end_nthal end_ntifs
|
|||
|
|
|||
|
// begin_winnt
|
|||
|
|
|||
|
////////////////////////////////////////////////////////////////////////
|
|||
|
// //
|
|||
|
// Security Id (SID) //
|
|||
|
// //
|
|||
|
////////////////////////////////////////////////////////////////////////
|
|||
|
//
|
|||
|
//
|
|||
|
// Pictorially the structure of an SID is as follows:
|
|||
|
//
|
|||
|
// 1 1 1 1 1 1
|
|||
|
// 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0
|
|||
|
// +---------------------------------------------------------------+
|
|||
|
// | SubAuthorityCount |Reserved1 (SBZ)| Revision |
|
|||
|
// +---------------------------------------------------------------+
|
|||
|
// | IdentifierAuthority[0] |
|
|||
|
// +---------------------------------------------------------------+
|
|||
|
// | IdentifierAuthority[1] |
|
|||
|
// +---------------------------------------------------------------+
|
|||
|
// | IdentifierAuthority[2] |
|
|||
|
// +---------------------------------------------------------------+
|
|||
|
// | |
|
|||
|
// +- - - - - - - - SubAuthority[] - - - - - - - - -+
|
|||
|
// | |
|
|||
|
// +---------------------------------------------------------------+
|
|||
|
//
|
|||
|
//
|
|||
|
|
|||
|
|
|||
|
// begin_ntifs
|
|||
|
|
|||
|
#ifndef SID_IDENTIFIER_AUTHORITY_DEFINED
|
|||
|
#define SID_IDENTIFIER_AUTHORITY_DEFINED
|
|||
|
typedef struct _SID_IDENTIFIER_AUTHORITY {
|
|||
|
UCHAR Value[6];
|
|||
|
} SID_IDENTIFIER_AUTHORITY, *PSID_IDENTIFIER_AUTHORITY;
|
|||
|
#endif
|
|||
|
|
|||
|
|
|||
|
#ifndef SID_DEFINED
|
|||
|
#define SID_DEFINED
|
|||
|
typedef struct _SID {
|
|||
|
UCHAR Revision;
|
|||
|
UCHAR SubAuthorityCount;
|
|||
|
SID_IDENTIFIER_AUTHORITY IdentifierAuthority;
|
|||
|
#ifdef MIDL_PASS
|
|||
|
[size_is(SubAuthorityCount)] ULONG SubAuthority[*];
|
|||
|
#else // MIDL_PASS
|
|||
|
ULONG SubAuthority[ANYSIZE_ARRAY];
|
|||
|
#endif // MIDL_PASS
|
|||
|
} SID, *PISID;
|
|||
|
#endif
|
|||
|
|
|||
|
#define SID_REVISION (1) // Current revision level
|
|||
|
#define SID_MAX_SUB_AUTHORITIES (15)
|
|||
|
#define SID_RECOMMENDED_SUB_AUTHORITIES (1) // Will change to around 6
|
|||
|
|
|||
|
// in a future release.
|
|||
|
#ifndef MIDL_PASS
|
|||
|
#define SECURITY_MAX_SID_SIZE \
|
|||
|
(sizeof(SID) - sizeof(ULONG) + (SID_MAX_SUB_AUTHORITIES * sizeof(ULONG)))
|
|||
|
#endif // MIDL_PASS
|
|||
|
|
|||
|
|
|||
|
typedef enum _SID_NAME_USE {
|
|||
|
SidTypeUser = 1,
|
|||
|
SidTypeGroup,
|
|||
|
SidTypeDomain,
|
|||
|
SidTypeAlias,
|
|||
|
SidTypeWellKnownGroup,
|
|||
|
SidTypeDeletedAccount,
|
|||
|
SidTypeInvalid,
|
|||
|
SidTypeUnknown,
|
|||
|
SidTypeComputer
|
|||
|
} SID_NAME_USE, *PSID_NAME_USE;
|
|||
|
|
|||
|
typedef struct _SID_AND_ATTRIBUTES {
|
|||
|
PSID Sid;
|
|||
|
ULONG Attributes;
|
|||
|
} SID_AND_ATTRIBUTES, * PSID_AND_ATTRIBUTES;
|
|||
|
|
|||
|
typedef SID_AND_ATTRIBUTES SID_AND_ATTRIBUTES_ARRAY[ANYSIZE_ARRAY];
|
|||
|
typedef SID_AND_ATTRIBUTES_ARRAY *PSID_AND_ATTRIBUTES_ARRAY;
|
|||
|
|
|||
|
|
|||
|
|
|||
|
/////////////////////////////////////////////////////////////////////////////
|
|||
|
// //
|
|||
|
// Universal well-known SIDs //
|
|||
|
// //
|
|||
|
// Null SID S-1-0-0 //
|
|||
|
// World S-1-1-0 //
|
|||
|
// Local S-1-2-0 //
|
|||
|
// Creator Owner ID S-1-3-0 //
|
|||
|
// Creator Group ID S-1-3-1 //
|
|||
|
// Creator Owner Server ID S-1-3-2 //
|
|||
|
// Creator Group Server ID S-1-3-3 //
|
|||
|
// //
|
|||
|
// (Non-unique IDs) S-1-4 //
|
|||
|
// //
|
|||
|
/////////////////////////////////////////////////////////////////////////////
|
|||
|
|
|||
|
#define SECURITY_NULL_SID_AUTHORITY {0,0,0,0,0,0}
|
|||
|
#define SECURITY_WORLD_SID_AUTHORITY {0,0,0,0,0,1}
|
|||
|
#define SECURITY_LOCAL_SID_AUTHORITY {0,0,0,0,0,2}
|
|||
|
#define SECURITY_CREATOR_SID_AUTHORITY {0,0,0,0,0,3}
|
|||
|
#define SECURITY_NON_UNIQUE_AUTHORITY {0,0,0,0,0,4}
|
|||
|
#define SECURITY_RESOURCE_MANAGER_AUTHORITY {0,0,0,0,0,9}
|
|||
|
|
|||
|
#define SECURITY_NULL_RID (0x00000000L)
|
|||
|
#define SECURITY_WORLD_RID (0x00000000L)
|
|||
|
#define SECURITY_LOCAL_RID (0x00000000L)
|
|||
|
|
|||
|
#define SECURITY_CREATOR_OWNER_RID (0x00000000L)
|
|||
|
#define SECURITY_CREATOR_GROUP_RID (0x00000001L)
|
|||
|
|
|||
|
#define SECURITY_CREATOR_OWNER_SERVER_RID (0x00000002L)
|
|||
|
#define SECURITY_CREATOR_GROUP_SERVER_RID (0x00000003L)
|
|||
|
|
|||
|
|
|||
|
///////////////////////////////////////////////////////////////////////////////
|
|||
|
// //
|
|||
|
// NT well-known SIDs //
|
|||
|
// //
|
|||
|
// NT Authority S-1-5 //
|
|||
|
// Dialup S-1-5-1 //
|
|||
|
// //
|
|||
|
// Network S-1-5-2 //
|
|||
|
// Batch S-1-5-3 //
|
|||
|
// Interactive S-1-5-4 //
|
|||
|
// (Logon IDs) S-1-5-5-X-Y //
|
|||
|
// Service S-1-5-6 //
|
|||
|
// AnonymousLogon S-1-5-7 (aka null logon session) //
|
|||
|
// Proxy S-1-5-8 //
|
|||
|
// Enterprise DC (EDC) S-1-5-9 (aka domain controller account) //
|
|||
|
// Self S-1-5-10 (self RID) //
|
|||
|
// Authenticated User S-1-5-11 (Authenticated user somewhere) //
|
|||
|
// Restricted Code S-1-5-12 (Running restricted code) //
|
|||
|
// Terminal Server S-1-5-13 (Running on Terminal Server) //
|
|||
|
// Remote Logon S-1-5-14 (Remote Interactive Logon) //
|
|||
|
// This Organization S-1-5-15 //
|
|||
|
// //
|
|||
|
// Local System S-1-5-18 //
|
|||
|
// Local Service S-1-5-19 //
|
|||
|
// Network Service S-1-5-20 //
|
|||
|
// //
|
|||
|
// (NT non-unique IDs) S-1-5-0x15-... (NT Domain Sids) //
|
|||
|
// //
|
|||
|
// (Built-in domain) S-1-5-0x20 //
|
|||
|
// //
|
|||
|
// (Security Package IDs) S-1-5-0x40 //
|
|||
|
// NTLM Authentication S-1-5-0x40-10 //
|
|||
|
// SChannel Authentication S-1-5-0x40-14 //
|
|||
|
// Digest Authentication S-1-5-0x40-21 //
|
|||
|
// //
|
|||
|
// Other Organization S-1-5-1000 (>=1000 can not be filtered) //
|
|||
|
// //
|
|||
|
// //
|
|||
|
// NOTE: the relative identifier values (RIDs) determine which security //
|
|||
|
// boundaries the SID is allowed to cross. Before adding new RIDs, //
|
|||
|
// a determination needs to be made regarding which range they should //
|
|||
|
// be added to in order to ensure proper "SID filtering" //
|
|||
|
// //
|
|||
|
///////////////////////////////////////////////////////////////////////////////
|
|||
|
|
|||
|
|
|||
|
#define SECURITY_NT_AUTHORITY {0,0,0,0,0,5} // ntifs
|
|||
|
|
|||
|
#define SECURITY_DIALUP_RID (0x00000001L)
|
|||
|
#define SECURITY_NETWORK_RID (0x00000002L)
|
|||
|
#define SECURITY_BATCH_RID (0x00000003L)
|
|||
|
#define SECURITY_INTERACTIVE_RID (0x00000004L)
|
|||
|
#define SECURITY_LOGON_IDS_RID (0x00000005L)
|
|||
|
#define SECURITY_LOGON_IDS_RID_COUNT (3L)
|
|||
|
#define SECURITY_SERVICE_RID (0x00000006L)
|
|||
|
#define SECURITY_ANONYMOUS_LOGON_RID (0x00000007L)
|
|||
|
#define SECURITY_PROXY_RID (0x00000008L)
|
|||
|
#define SECURITY_ENTERPRISE_CONTROLLERS_RID (0x00000009L)
|
|||
|
#define SECURITY_SERVER_LOGON_RID SECURITY_ENTERPRISE_CONTROLLERS_RID
|
|||
|
#define SECURITY_PRINCIPAL_SELF_RID (0x0000000AL)
|
|||
|
#define SECURITY_AUTHENTICATED_USER_RID (0x0000000BL)
|
|||
|
#define SECURITY_RESTRICTED_CODE_RID (0x0000000CL)
|
|||
|
#define SECURITY_TERMINAL_SERVER_RID (0x0000000DL)
|
|||
|
#define SECURITY_REMOTE_LOGON_RID (0x0000000EL)
|
|||
|
#define SECURITY_THIS_ORGANIZATION_RID (0x0000000FL)
|
|||
|
|
|||
|
#define SECURITY_LOCAL_SYSTEM_RID (0x00000012L)
|
|||
|
#define SECURITY_LOCAL_SERVICE_RID (0x00000013L)
|
|||
|
#define SECURITY_NETWORK_SERVICE_RID (0x00000014L)
|
|||
|
|
|||
|
#define SECURITY_NT_NON_UNIQUE (0x00000015L)
|
|||
|
#define SECURITY_NT_NON_UNIQUE_SUB_AUTH_COUNT (3L)
|
|||
|
|
|||
|
#define SECURITY_BUILTIN_DOMAIN_RID (0x00000020L)
|
|||
|
|
|||
|
#define SECURITY_PACKAGE_BASE_RID (0x00000040L)
|
|||
|
#define SECURITY_PACKAGE_RID_COUNT (2L)
|
|||
|
#define SECURITY_PACKAGE_NTLM_RID (0x0000000AL)
|
|||
|
#define SECURITY_PACKAGE_SCHANNEL_RID (0x0000000EL)
|
|||
|
#define SECURITY_PACKAGE_DIGEST_RID (0x00000015L)
|
|||
|
|
|||
|
#define SECURITY_MAX_ALWAYS_FILTERED (0x000003E7L)
|
|||
|
#define SECURITY_MIN_NEVER_FILTERED (0x000003E8L)
|
|||
|
|
|||
|
#define SECURITY_OTHER_ORGANIZATION_RID (0x000003E8L)
|
|||
|
|
|||
|
|
|||
|
|
|||
|
/////////////////////////////////////////////////////////////////////////////
|
|||
|
// //
|
|||
|
// well-known domain relative sub-authority values (RIDs)... //
|
|||
|
// //
|
|||
|
/////////////////////////////////////////////////////////////////////////////
|
|||
|
|
|||
|
// Well-known users ...
|
|||
|
|
|||
|
#define FOREST_USER_RID_MAX (0x000001F3L)
|
|||
|
|
|||
|
#define DOMAIN_USER_RID_ADMIN (0x000001F4L)
|
|||
|
#define DOMAIN_USER_RID_GUEST (0x000001F5L)
|
|||
|
#define DOMAIN_USER_RID_KRBTGT (0x000001F6L)
|
|||
|
|
|||
|
#define DOMAIN_USER_RID_MAX (0x000003E7L)
|
|||
|
|
|||
|
|
|||
|
// well-known groups ...
|
|||
|
|
|||
|
#define DOMAIN_GROUP_RID_ADMINS (0x00000200L)
|
|||
|
#define DOMAIN_GROUP_RID_USERS (0x00000201L)
|
|||
|
#define DOMAIN_GROUP_RID_GUESTS (0x00000202L)
|
|||
|
#define DOMAIN_GROUP_RID_COMPUTERS (0x00000203L)
|
|||
|
#define DOMAIN_GROUP_RID_CONTROLLERS (0x00000204L)
|
|||
|
#define DOMAIN_GROUP_RID_CERT_ADMINS (0x00000205L)
|
|||
|
#define DOMAIN_GROUP_RID_SCHEMA_ADMINS (0x00000206L)
|
|||
|
#define DOMAIN_GROUP_RID_ENTERPRISE_ADMINS (0x00000207L)
|
|||
|
#define DOMAIN_GROUP_RID_POLICY_ADMINS (0x00000208L)
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
// well-known aliases ...
|
|||
|
|
|||
|
#define DOMAIN_ALIAS_RID_ADMINS (0x00000220L)
|
|||
|
#define DOMAIN_ALIAS_RID_USERS (0x00000221L)
|
|||
|
#define DOMAIN_ALIAS_RID_GUESTS (0x00000222L)
|
|||
|
#define DOMAIN_ALIAS_RID_POWER_USERS (0x00000223L)
|
|||
|
|
|||
|
#define DOMAIN_ALIAS_RID_ACCOUNT_OPS (0x00000224L)
|
|||
|
#define DOMAIN_ALIAS_RID_SYSTEM_OPS (0x00000225L)
|
|||
|
#define DOMAIN_ALIAS_RID_PRINT_OPS (0x00000226L)
|
|||
|
#define DOMAIN_ALIAS_RID_BACKUP_OPS (0x00000227L)
|
|||
|
|
|||
|
#define DOMAIN_ALIAS_RID_REPLICATOR (0x00000228L)
|
|||
|
#define DOMAIN_ALIAS_RID_RAS_SERVERS (0x00000229L)
|
|||
|
#define DOMAIN_ALIAS_RID_PREW2KCOMPACCESS (0x0000022AL)
|
|||
|
#define DOMAIN_ALIAS_RID_REMOTE_DESKTOP_USERS (0x0000022BL)
|
|||
|
#define DOMAIN_ALIAS_RID_NETWORK_CONFIGURATION_OPS (0x0000022CL)
|
|||
|
#define DOMAIN_ALIAS_RID_INCOMING_FOREST_TRUST_BUILDERS (0x0000022DL)
|
|||
|
|
|||
|
#define DOMAIN_ALIAS_RID_MONITORING_USERS (0x0000022EL)
|
|||
|
#define DOMAIN_ALIAS_RID_LOGGING_USERS (0x0000022FL)
|
|||
|
#define DOMAIN_ALIAS_RID_AUTHORIZATIONACCESS (0x00000230L)
|
|||
|
#define DOMAIN_ALIAS_RID_TS_LICENSE_SERVERS (0x00000231L)
|
|||
|
|
|||
|
|
|||
|
// end_winnt end_ntifs
|
|||
|
|
|||
|
/////////////////////////////////////////////////////////////////////////////
|
|||
|
// //
|
|||
|
// Foreign Security Authorities //
|
|||
|
// //
|
|||
|
// SiteServer Authority S-1-6 //
|
|||
|
// Internet Site Authority S-1-7 //
|
|||
|
// Exchange Authority S-1-8 //
|
|||
|
// Resource Manager Authority S-1-9 //
|
|||
|
// Passport Authority S-1-10 //
|
|||
|
// //
|
|||
|
/////////////////////////////////////////////////////////////////////////////
|
|||
|
|
|||
|
#define SECURITY_SITESERVER_AUTHORITY {0,0,0,0,0,6}
|
|||
|
#define SECURITY_INTERNETSITE_AUTHORITY {0,0,0,0,0,7}
|
|||
|
#define SECURITY_EXCHANGE_AUTHORITY {0,0,0,0,0,8}
|
|||
|
|
|||
|
#define SECURITY_PASSPORT_AUTHORITY {0,0,0,0,0,10}
|
|||
|
|
|||
|
|
|||
|
//
|
|||
|
// Well known SID definitions for lookup.
|
|||
|
//
|
|||
|
|
|||
|
// begin_winnt begin_ntddk begin_ntifs
|
|||
|
|
|||
|
typedef enum {
|
|||
|
|
|||
|
WinNullSid = 0,
|
|||
|
WinWorldSid = 1,
|
|||
|
WinLocalSid = 2,
|
|||
|
WinCreatorOwnerSid = 3,
|
|||
|
WinCreatorGroupSid = 4,
|
|||
|
WinCreatorOwnerServerSid = 5,
|
|||
|
WinCreatorGroupServerSid = 6,
|
|||
|
WinNtAuthoritySid = 7,
|
|||
|
WinDialupSid = 8,
|
|||
|
WinNetworkSid = 9,
|
|||
|
WinBatchSid = 10,
|
|||
|
WinInteractiveSid = 11,
|
|||
|
WinServiceSid = 12,
|
|||
|
WinAnonymousSid = 13,
|
|||
|
WinProxySid = 14,
|
|||
|
WinEnterpriseControllersSid = 15,
|
|||
|
WinSelfSid = 16,
|
|||
|
WinAuthenticatedUserSid = 17,
|
|||
|
WinRestrictedCodeSid = 18,
|
|||
|
WinTerminalServerSid = 19,
|
|||
|
WinRemoteLogonIdSid = 20,
|
|||
|
WinLogonIdsSid = 21,
|
|||
|
WinLocalSystemSid = 22,
|
|||
|
WinLocalServiceSid = 23,
|
|||
|
WinNetworkServiceSid = 24,
|
|||
|
WinBuiltinDomainSid = 25,
|
|||
|
WinBuiltinAdministratorsSid = 26,
|
|||
|
WinBuiltinUsersSid = 27,
|
|||
|
WinBuiltinGuestsSid = 28,
|
|||
|
WinBuiltinPowerUsersSid = 29,
|
|||
|
WinBuiltinAccountOperatorsSid = 30,
|
|||
|
WinBuiltinSystemOperatorsSid = 31,
|
|||
|
WinBuiltinPrintOperatorsSid = 32,
|
|||
|
WinBuiltinBackupOperatorsSid = 33,
|
|||
|
WinBuiltinReplicatorSid = 34,
|
|||
|
WinBuiltinPreWindows2000CompatibleAccessSid = 35,
|
|||
|
WinBuiltinRemoteDesktopUsersSid = 36,
|
|||
|
WinBuiltinNetworkConfigurationOperatorsSid = 37,
|
|||
|
WinAccountAdministratorSid = 38,
|
|||
|
WinAccountGuestSid = 39,
|
|||
|
WinAccountKrbtgtSid = 40,
|
|||
|
WinAccountDomainAdminsSid = 41,
|
|||
|
WinAccountDomainUsersSid = 42,
|
|||
|
WinAccountDomainGuestsSid = 43,
|
|||
|
WinAccountComputersSid = 44,
|
|||
|
WinAccountControllersSid = 45,
|
|||
|
WinAccountCertAdminsSid = 46,
|
|||
|
WinAccountSchemaAdminsSid = 47,
|
|||
|
WinAccountEnterpriseAdminsSid = 48,
|
|||
|
WinAccountPolicyAdminsSid = 49,
|
|||
|
WinAccountRasAndIasServersSid = 50,
|
|||
|
WinNTLMAuthenticationSid = 51,
|
|||
|
WinDigestAuthenticationSid = 52,
|
|||
|
WinSChannelAuthenticationSid = 53,
|
|||
|
WinThisOrganizationSid = 54,
|
|||
|
WinOtherOrganizationSid = 55,
|
|||
|
WinBuiltinIncomingForestTrustBuildersSid = 56,
|
|||
|
WinBuiltinPerfMonitoringUsersSid = 57,
|
|||
|
WinBuiltinPerfLoggingUsersSid = 58,
|
|||
|
WinBuiltinAuthorizationAccessSid = 59,
|
|||
|
WinBuiltinTerminalServerLicenseServersSid = 60,
|
|||
|
|
|||
|
} WELL_KNOWN_SID_TYPE;
|
|||
|
|
|||
|
// end_winnt end_ntddk end_ntifs
|
|||
|
|
|||
|
// begin_winnt begin_ntifs
|
|||
|
//
|
|||
|
// Allocate the System Luid. The first 1000 LUIDs are reserved.
|
|||
|
// Use #999 here (0x3E7 = 999)
|
|||
|
//
|
|||
|
|
|||
|
#define SYSTEM_LUID { 0x3E7, 0x0 }
|
|||
|
#define ANONYMOUS_LOGON_LUID { 0x3e6, 0x0 }
|
|||
|
#define LOCALSERVICE_LUID { 0x3e5, 0x0 }
|
|||
|
#define NETWORKSERVICE_LUID { 0x3e4, 0x0 }
|
|||
|
|
|||
|
|
|||
|
// end_ntifs
|
|||
|
|
|||
|
////////////////////////////////////////////////////////////////////////
|
|||
|
// //
|
|||
|
// User and Group related SID attributes //
|
|||
|
// //
|
|||
|
////////////////////////////////////////////////////////////////////////
|
|||
|
|
|||
|
//
|
|||
|
// Group attributes
|
|||
|
//
|
|||
|
|
|||
|
#define SE_GROUP_MANDATORY (0x00000001L)
|
|||
|
#define SE_GROUP_ENABLED_BY_DEFAULT (0x00000002L)
|
|||
|
#define SE_GROUP_ENABLED (0x00000004L)
|
|||
|
#define SE_GROUP_OWNER (0x00000008L)
|
|||
|
#define SE_GROUP_USE_FOR_DENY_ONLY (0x00000010L)
|
|||
|
#define SE_GROUP_LOGON_ID (0xC0000000L)
|
|||
|
#define SE_GROUP_RESOURCE (0x20000000L)
|
|||
|
|
|||
|
|
|||
|
|
|||
|
//
|
|||
|
// User attributes
|
|||
|
//
|
|||
|
|
|||
|
// (None yet defined.)
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
////////////////////////////////////////////////////////////////////////
|
|||
|
// //
|
|||
|
// ACL and ACE //
|
|||
|
// //
|
|||
|
////////////////////////////////////////////////////////////////////////
|
|||
|
|
|||
|
//
|
|||
|
// Define an ACL and the ACE format. The structure of an ACL header
|
|||
|
// followed by one or more ACEs. Pictorally the structure of an ACL header
|
|||
|
// is as follows:
|
|||
|
//
|
|||
|
// 3 3 2 2 2 2 2 2 2 2 2 2 1 1 1 1 1 1 1 1 1 1
|
|||
|
// 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0
|
|||
|
// +-------------------------------+---------------+---------------+
|
|||
|
// | AclSize | Sbz1 | AclRevision |
|
|||
|
// +-------------------------------+---------------+---------------+
|
|||
|
// | Sbz2 | AceCount |
|
|||
|
// +-------------------------------+-------------------------------+
|
|||
|
//
|
|||
|
// The current AclRevision is defined to be ACL_REVISION.
|
|||
|
//
|
|||
|
// AclSize is the size, in bytes, allocated for the ACL. This includes
|
|||
|
// the ACL header, ACES, and remaining free space in the buffer.
|
|||
|
//
|
|||
|
// AceCount is the number of ACES in the ACL.
|
|||
|
//
|
|||
|
|
|||
|
// begin_ntddk begin_wdm begin_ntifs
|
|||
|
// This is the *current* ACL revision
|
|||
|
|
|||
|
#define ACL_REVISION (2)
|
|||
|
#define ACL_REVISION_DS (4)
|
|||
|
|
|||
|
// This is the history of ACL revisions. Add a new one whenever
|
|||
|
// ACL_REVISION is updated
|
|||
|
|
|||
|
#define ACL_REVISION1 (1)
|
|||
|
#define MIN_ACL_REVISION ACL_REVISION2
|
|||
|
#define ACL_REVISION2 (2)
|
|||
|
#define ACL_REVISION3 (3)
|
|||
|
#define ACL_REVISION4 (4)
|
|||
|
#define MAX_ACL_REVISION ACL_REVISION4
|
|||
|
|
|||
|
typedef struct _ACL {
|
|||
|
UCHAR AclRevision;
|
|||
|
UCHAR Sbz1;
|
|||
|
USHORT AclSize;
|
|||
|
USHORT AceCount;
|
|||
|
USHORT Sbz2;
|
|||
|
} ACL;
|
|||
|
typedef ACL *PACL;
|
|||
|
|
|||
|
// end_ntddk end_wdm
|
|||
|
|
|||
|
//
|
|||
|
// The structure of an ACE is a common ace header followed by ace type
|
|||
|
// specific data. Pictorally the structure of the common ace header is
|
|||
|
// as follows:
|
|||
|
//
|
|||
|
// 3 3 2 2 2 2 2 2 2 2 2 2 1 1 1 1 1 1 1 1 1 1
|
|||
|
// 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0
|
|||
|
// +---------------+-------+-------+---------------+---------------+
|
|||
|
// | AceSize | AceFlags | AceType |
|
|||
|
// +---------------+-------+-------+---------------+---------------+
|
|||
|
//
|
|||
|
// AceType denotes the type of the ace, there are some predefined ace
|
|||
|
// types
|
|||
|
//
|
|||
|
// AceSize is the size, in bytes, of ace.
|
|||
|
//
|
|||
|
// AceFlags are the Ace flags for audit and inheritance, defined shortly.
|
|||
|
|
|||
|
typedef struct _ACE_HEADER {
|
|||
|
UCHAR AceType;
|
|||
|
UCHAR AceFlags;
|
|||
|
USHORT AceSize;
|
|||
|
} ACE_HEADER;
|
|||
|
typedef ACE_HEADER *PACE_HEADER;
|
|||
|
|
|||
|
//
|
|||
|
// The following are the predefined ace types that go into the AceType
|
|||
|
// field of an Ace header.
|
|||
|
//
|
|||
|
|
|||
|
#define ACCESS_MIN_MS_ACE_TYPE (0x0)
|
|||
|
#define ACCESS_ALLOWED_ACE_TYPE (0x0)
|
|||
|
#define ACCESS_DENIED_ACE_TYPE (0x1)
|
|||
|
#define SYSTEM_AUDIT_ACE_TYPE (0x2)
|
|||
|
#define SYSTEM_ALARM_ACE_TYPE (0x3)
|
|||
|
#define ACCESS_MAX_MS_V2_ACE_TYPE (0x3)
|
|||
|
|
|||
|
#define ACCESS_ALLOWED_COMPOUND_ACE_TYPE (0x4)
|
|||
|
#define ACCESS_MAX_MS_V3_ACE_TYPE (0x4)
|
|||
|
|
|||
|
#define ACCESS_MIN_MS_OBJECT_ACE_TYPE (0x5)
|
|||
|
#define ACCESS_ALLOWED_OBJECT_ACE_TYPE (0x5)
|
|||
|
#define ACCESS_DENIED_OBJECT_ACE_TYPE (0x6)
|
|||
|
#define SYSTEM_AUDIT_OBJECT_ACE_TYPE (0x7)
|
|||
|
#define SYSTEM_ALARM_OBJECT_ACE_TYPE (0x8)
|
|||
|
#define ACCESS_MAX_MS_OBJECT_ACE_TYPE (0x8)
|
|||
|
|
|||
|
#define ACCESS_MAX_MS_V4_ACE_TYPE (0x8)
|
|||
|
#define ACCESS_MAX_MS_ACE_TYPE (0x8)
|
|||
|
|
|||
|
#define ACCESS_ALLOWED_CALLBACK_ACE_TYPE (0x9)
|
|||
|
#define ACCESS_DENIED_CALLBACK_ACE_TYPE (0xA)
|
|||
|
#define ACCESS_ALLOWED_CALLBACK_OBJECT_ACE_TYPE (0xB)
|
|||
|
#define ACCESS_DENIED_CALLBACK_OBJECT_ACE_TYPE (0xC)
|
|||
|
#define SYSTEM_AUDIT_CALLBACK_ACE_TYPE (0xD)
|
|||
|
#define SYSTEM_ALARM_CALLBACK_ACE_TYPE (0xE)
|
|||
|
#define SYSTEM_AUDIT_CALLBACK_OBJECT_ACE_TYPE (0xF)
|
|||
|
#define SYSTEM_ALARM_CALLBACK_OBJECT_ACE_TYPE (0x10)
|
|||
|
|
|||
|
#define ACCESS_MAX_MS_V5_ACE_TYPE (0x10)
|
|||
|
|
|||
|
// end_winnt
|
|||
|
|
|||
|
|
|||
|
// begin_winnt
|
|||
|
|
|||
|
//
|
|||
|
// The following are the inherit flags that go into the AceFlags field
|
|||
|
// of an Ace header.
|
|||
|
//
|
|||
|
|
|||
|
#define OBJECT_INHERIT_ACE (0x1)
|
|||
|
#define CONTAINER_INHERIT_ACE (0x2)
|
|||
|
#define NO_PROPAGATE_INHERIT_ACE (0x4)
|
|||
|
#define INHERIT_ONLY_ACE (0x8)
|
|||
|
#define INHERITED_ACE (0x10)
|
|||
|
#define VALID_INHERIT_FLAGS (0x1F)
|
|||
|
|
|||
|
|
|||
|
// The following are the currently defined ACE flags that go into the
|
|||
|
// AceFlags field of an ACE header. Each ACE type has its own set of
|
|||
|
// AceFlags.
|
|||
|
//
|
|||
|
// SUCCESSFUL_ACCESS_ACE_FLAG - used only with system audit and alarm ACE
|
|||
|
// types to indicate that a message is generated for successful accesses.
|
|||
|
//
|
|||
|
// FAILED_ACCESS_ACE_FLAG - used only with system audit and alarm ACE types
|
|||
|
// to indicate that a message is generated for failed accesses.
|
|||
|
//
|
|||
|
|
|||
|
//
|
|||
|
// SYSTEM_AUDIT and SYSTEM_ALARM AceFlags
|
|||
|
//
|
|||
|
// These control the signaling of audit and alarms for success or failure.
|
|||
|
//
|
|||
|
|
|||
|
#define SUCCESSFUL_ACCESS_ACE_FLAG (0x40)
|
|||
|
#define FAILED_ACCESS_ACE_FLAG (0x80)
|
|||
|
|
|||
|
|
|||
|
//
|
|||
|
// We'll define the structure of the predefined ACE types. Pictorally
|
|||
|
// the structure of the predefined ACE's is as follows:
|
|||
|
//
|
|||
|
// 3 3 2 2 2 2 2 2 2 2 2 2 1 1 1 1 1 1 1 1 1 1
|
|||
|
// 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0
|
|||
|
// +---------------+-------+-------+---------------+---------------+
|
|||
|
// | AceFlags | Resd |Inherit| AceSize | AceType |
|
|||
|
// +---------------+-------+-------+---------------+---------------+
|
|||
|
// | Mask |
|
|||
|
// +---------------------------------------------------------------+
|
|||
|
// | |
|
|||
|
// + +
|
|||
|
// | |
|
|||
|
// + Sid +
|
|||
|
// | |
|
|||
|
// + +
|
|||
|
// | |
|
|||
|
// +---------------------------------------------------------------+
|
|||
|
//
|
|||
|
// Mask is the access mask associated with the ACE. This is either the
|
|||
|
// access allowed, access denied, audit, or alarm mask.
|
|||
|
//
|
|||
|
// Sid is the Sid associated with the ACE.
|
|||
|
//
|
|||
|
|
|||
|
// The following are the four predefined ACE types.
|
|||
|
|
|||
|
// Examine the AceType field in the Header to determine
|
|||
|
// which structure is appropriate to use for casting.
|
|||
|
|
|||
|
|
|||
|
typedef struct _ACCESS_ALLOWED_ACE {
|
|||
|
ACE_HEADER Header;
|
|||
|
ACCESS_MASK Mask;
|
|||
|
ULONG SidStart;
|
|||
|
} ACCESS_ALLOWED_ACE;
|
|||
|
|
|||
|
typedef ACCESS_ALLOWED_ACE *PACCESS_ALLOWED_ACE;
|
|||
|
|
|||
|
typedef struct _ACCESS_DENIED_ACE {
|
|||
|
ACE_HEADER Header;
|
|||
|
ACCESS_MASK Mask;
|
|||
|
ULONG SidStart;
|
|||
|
} ACCESS_DENIED_ACE;
|
|||
|
typedef ACCESS_DENIED_ACE *PACCESS_DENIED_ACE;
|
|||
|
|
|||
|
typedef struct _SYSTEM_AUDIT_ACE {
|
|||
|
ACE_HEADER Header;
|
|||
|
ACCESS_MASK Mask;
|
|||
|
ULONG SidStart;
|
|||
|
} SYSTEM_AUDIT_ACE;
|
|||
|
typedef SYSTEM_AUDIT_ACE *PSYSTEM_AUDIT_ACE;
|
|||
|
|
|||
|
typedef struct _SYSTEM_ALARM_ACE {
|
|||
|
ACE_HEADER Header;
|
|||
|
ACCESS_MASK Mask;
|
|||
|
ULONG SidStart;
|
|||
|
} SYSTEM_ALARM_ACE;
|
|||
|
typedef SYSTEM_ALARM_ACE *PSYSTEM_ALARM_ACE;
|
|||
|
|
|||
|
// end_ntifs
|
|||
|
|
|||
|
// end_winnt
|
|||
|
//
|
|||
|
// COMPOUND ACE
|
|||
|
//
|
|||
|
// 3 3 2 2 2 2 2 2 2 2 2 2 1 1 1 1 1 1 1 1 1 1
|
|||
|
// 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0
|
|||
|
// +---------------+-------+-------+---------------+---------------+
|
|||
|
// | AceFlags | Resd |Inherit| AceSize | AceType |
|
|||
|
// +---------------+-------+-------+---------------+---------------+
|
|||
|
// | Mask |
|
|||
|
// +-------------------------------+-------------------------------+
|
|||
|
// | Compound ACE Type | Reserved (SBZ) |
|
|||
|
// +-------------------------------+-------------------------------+
|
|||
|
// | |
|
|||
|
// + +
|
|||
|
// | |
|
|||
|
// + Sid +
|
|||
|
// | |
|
|||
|
// + +
|
|||
|
// | |
|
|||
|
// +---------------------------------------------------------------+
|
|||
|
//
|
|||
|
|
|||
|
|
|||
|
|
|||
|
typedef struct _COMPOUND_ACCESS_ALLOWED_ACE {
|
|||
|
ACE_HEADER Header;
|
|||
|
ACCESS_MASK Mask;
|
|||
|
USHORT CompoundAceType;
|
|||
|
USHORT Reserved;
|
|||
|
ULONG SidStart;
|
|||
|
} COMPOUND_ACCESS_ALLOWED_ACE;
|
|||
|
|
|||
|
typedef COMPOUND_ACCESS_ALLOWED_ACE *PCOMPOUND_ACCESS_ALLOWED_ACE;
|
|||
|
|
|||
|
//
|
|||
|
// Currently defined Compound ACE types
|
|||
|
//
|
|||
|
|
|||
|
#define COMPOUND_ACE_IMPERSONATION 1
|
|||
|
|
|||
|
// begin_winnt
|
|||
|
|
|||
|
typedef struct _ACCESS_ALLOWED_OBJECT_ACE {
|
|||
|
ACE_HEADER Header;
|
|||
|
ACCESS_MASK Mask;
|
|||
|
ULONG Flags;
|
|||
|
GUID ObjectType;
|
|||
|
GUID InheritedObjectType;
|
|||
|
ULONG SidStart;
|
|||
|
} ACCESS_ALLOWED_OBJECT_ACE, *PACCESS_ALLOWED_OBJECT_ACE;
|
|||
|
|
|||
|
typedef struct _ACCESS_DENIED_OBJECT_ACE {
|
|||
|
ACE_HEADER Header;
|
|||
|
ACCESS_MASK Mask;
|
|||
|
ULONG Flags;
|
|||
|
GUID ObjectType;
|
|||
|
GUID InheritedObjectType;
|
|||
|
ULONG SidStart;
|
|||
|
} ACCESS_DENIED_OBJECT_ACE, *PACCESS_DENIED_OBJECT_ACE;
|
|||
|
|
|||
|
typedef struct _SYSTEM_AUDIT_OBJECT_ACE {
|
|||
|
ACE_HEADER Header;
|
|||
|
ACCESS_MASK Mask;
|
|||
|
ULONG Flags;
|
|||
|
GUID ObjectType;
|
|||
|
GUID InheritedObjectType;
|
|||
|
ULONG SidStart;
|
|||
|
} SYSTEM_AUDIT_OBJECT_ACE, *PSYSTEM_AUDIT_OBJECT_ACE;
|
|||
|
|
|||
|
typedef struct _SYSTEM_ALARM_OBJECT_ACE {
|
|||
|
ACE_HEADER Header;
|
|||
|
ACCESS_MASK Mask;
|
|||
|
ULONG Flags;
|
|||
|
GUID ObjectType;
|
|||
|
GUID InheritedObjectType;
|
|||
|
ULONG SidStart;
|
|||
|
} SYSTEM_ALARM_OBJECT_ACE, *PSYSTEM_ALARM_OBJECT_ACE;
|
|||
|
|
|||
|
//
|
|||
|
// Callback ace support in post Win2000.
|
|||
|
// Resource managers can put their own data after Sidstart + Length of the sid
|
|||
|
//
|
|||
|
|
|||
|
typedef struct _ACCESS_ALLOWED_CALLBACK_ACE {
|
|||
|
ACE_HEADER Header;
|
|||
|
ACCESS_MASK Mask;
|
|||
|
ULONG SidStart;
|
|||
|
// Opaque resouce manager specific data
|
|||
|
} ACCESS_ALLOWED_CALLBACK_ACE, *PACCESS_ALLOWED_CALLBACK_ACE;
|
|||
|
|
|||
|
typedef struct _ACCESS_DENIED_CALLBACK_ACE {
|
|||
|
ACE_HEADER Header;
|
|||
|
ACCESS_MASK Mask;
|
|||
|
ULONG SidStart;
|
|||
|
// Opaque resouce manager specific data
|
|||
|
} ACCESS_DENIED_CALLBACK_ACE, *PACCESS_DENIED_CALLBACK_ACE;
|
|||
|
|
|||
|
typedef struct _SYSTEM_AUDIT_CALLBACK_ACE {
|
|||
|
ACE_HEADER Header;
|
|||
|
ACCESS_MASK Mask;
|
|||
|
ULONG SidStart;
|
|||
|
// Opaque resouce manager specific data
|
|||
|
} SYSTEM_AUDIT_CALLBACK_ACE, *PSYSTEM_AUDIT_CALLBACK_ACE;
|
|||
|
|
|||
|
typedef struct _SYSTEM_ALARM_CALLBACK_ACE {
|
|||
|
ACE_HEADER Header;
|
|||
|
ACCESS_MASK Mask;
|
|||
|
ULONG SidStart;
|
|||
|
// Opaque resouce manager specific data
|
|||
|
} SYSTEM_ALARM_CALLBACK_ACE, *PSYSTEM_ALARM_CALLBACK_ACE;
|
|||
|
|
|||
|
typedef struct _ACCESS_ALLOWED_CALLBACK_OBJECT_ACE {
|
|||
|
ACE_HEADER Header;
|
|||
|
ACCESS_MASK Mask;
|
|||
|
ULONG Flags;
|
|||
|
GUID ObjectType;
|
|||
|
GUID InheritedObjectType;
|
|||
|
ULONG SidStart;
|
|||
|
// Opaque resouce manager specific data
|
|||
|
} ACCESS_ALLOWED_CALLBACK_OBJECT_ACE, *PACCESS_ALLOWED_CALLBACK_OBJECT_ACE;
|
|||
|
|
|||
|
typedef struct _ACCESS_DENIED_CALLBACK_OBJECT_ACE {
|
|||
|
ACE_HEADER Header;
|
|||
|
ACCESS_MASK Mask;
|
|||
|
ULONG Flags;
|
|||
|
GUID ObjectType;
|
|||
|
GUID InheritedObjectType;
|
|||
|
ULONG SidStart;
|
|||
|
// Opaque resouce manager specific data
|
|||
|
} ACCESS_DENIED_CALLBACK_OBJECT_ACE, *PACCESS_DENIED_CALLBACK_OBJECT_ACE;
|
|||
|
|
|||
|
typedef struct _SYSTEM_AUDIT_CALLBACK_OBJECT_ACE {
|
|||
|
ACE_HEADER Header;
|
|||
|
ACCESS_MASK Mask;
|
|||
|
ULONG Flags;
|
|||
|
GUID ObjectType;
|
|||
|
GUID InheritedObjectType;
|
|||
|
ULONG SidStart;
|
|||
|
// Opaque resouce manager specific data
|
|||
|
} SYSTEM_AUDIT_CALLBACK_OBJECT_ACE, *PSYSTEM_AUDIT_CALLBACK_OBJECT_ACE;
|
|||
|
|
|||
|
typedef struct _SYSTEM_ALARM_CALLBACK_OBJECT_ACE {
|
|||
|
ACE_HEADER Header;
|
|||
|
ACCESS_MASK Mask;
|
|||
|
ULONG Flags;
|
|||
|
GUID ObjectType;
|
|||
|
GUID InheritedObjectType;
|
|||
|
ULONG SidStart;
|
|||
|
// Opaque resouce manager specific data
|
|||
|
} SYSTEM_ALARM_CALLBACK_OBJECT_ACE, *PSYSTEM_ALARM_CALLBACK_OBJECT_ACE;
|
|||
|
|
|||
|
//
|
|||
|
// Currently define Flags for "OBJECT" ACE types.
|
|||
|
//
|
|||
|
|
|||
|
#define ACE_OBJECT_TYPE_PRESENT 0x1
|
|||
|
#define ACE_INHERITED_OBJECT_TYPE_PRESENT 0x2
|
|||
|
|
|||
|
|
|||
|
//
|
|||
|
// The following declarations are used for setting and querying information
|
|||
|
// about and ACL. First are the various information classes available to
|
|||
|
// the user.
|
|||
|
//
|
|||
|
|
|||
|
typedef enum _ACL_INFORMATION_CLASS {
|
|||
|
AclRevisionInformation = 1,
|
|||
|
AclSizeInformation
|
|||
|
} ACL_INFORMATION_CLASS;
|
|||
|
|
|||
|
//
|
|||
|
// This record is returned/sent if the user is requesting/setting the
|
|||
|
// AclRevisionInformation
|
|||
|
//
|
|||
|
|
|||
|
typedef struct _ACL_REVISION_INFORMATION {
|
|||
|
ULONG AclRevision;
|
|||
|
} ACL_REVISION_INFORMATION;
|
|||
|
typedef ACL_REVISION_INFORMATION *PACL_REVISION_INFORMATION;
|
|||
|
|
|||
|
//
|
|||
|
// This record is returned if the user is requesting AclSizeInformation
|
|||
|
//
|
|||
|
|
|||
|
typedef struct _ACL_SIZE_INFORMATION {
|
|||
|
ULONG AceCount;
|
|||
|
ULONG AclBytesInUse;
|
|||
|
ULONG AclBytesFree;
|
|||
|
} ACL_SIZE_INFORMATION;
|
|||
|
typedef ACL_SIZE_INFORMATION *PACL_SIZE_INFORMATION;
|
|||
|
|
|||
|
// end_winnt
|
|||
|
|
|||
|
|
|||
|
|
|||
|
// begin_winnt
|
|||
|
|
|||
|
////////////////////////////////////////////////////////////////////////
|
|||
|
// //
|
|||
|
// SECURITY_DESCRIPTOR //
|
|||
|
// //
|
|||
|
////////////////////////////////////////////////////////////////////////
|
|||
|
//
|
|||
|
// Define the Security Descriptor and related data types.
|
|||
|
// This is an opaque data structure.
|
|||
|
//
|
|||
|
|
|||
|
// begin_wdm begin_ntddk begin_ntifs
|
|||
|
//
|
|||
|
// Current security descriptor revision value
|
|||
|
//
|
|||
|
|
|||
|
#define SECURITY_DESCRIPTOR_REVISION (1)
|
|||
|
#define SECURITY_DESCRIPTOR_REVISION1 (1)
|
|||
|
|
|||
|
// end_wdm end_ntddk
|
|||
|
|
|||
|
|
|||
|
#define SECURITY_DESCRIPTOR_MIN_LENGTH (sizeof(SECURITY_DESCRIPTOR))
|
|||
|
|
|||
|
|
|||
|
typedef USHORT SECURITY_DESCRIPTOR_CONTROL, *PSECURITY_DESCRIPTOR_CONTROL;
|
|||
|
|
|||
|
#define SE_OWNER_DEFAULTED (0x0001)
|
|||
|
#define SE_GROUP_DEFAULTED (0x0002)
|
|||
|
#define SE_DACL_PRESENT (0x0004)
|
|||
|
#define SE_DACL_DEFAULTED (0x0008)
|
|||
|
#define SE_SACL_PRESENT (0x0010)
|
|||
|
#define SE_SACL_DEFAULTED (0x0020)
|
|||
|
// end_winnt
|
|||
|
#define SE_DACL_UNTRUSTED (0x0040)
|
|||
|
#define SE_SERVER_SECURITY (0x0080)
|
|||
|
// begin_winnt
|
|||
|
#define SE_DACL_AUTO_INHERIT_REQ (0x0100)
|
|||
|
#define SE_SACL_AUTO_INHERIT_REQ (0x0200)
|
|||
|
#define SE_DACL_AUTO_INHERITED (0x0400)
|
|||
|
#define SE_SACL_AUTO_INHERITED (0x0800)
|
|||
|
#define SE_DACL_PROTECTED (0x1000)
|
|||
|
#define SE_SACL_PROTECTED (0x2000)
|
|||
|
#define SE_RM_CONTROL_VALID (0x4000)
|
|||
|
#define SE_SELF_RELATIVE (0x8000)
|
|||
|
|
|||
|
//
|
|||
|
// Where:
|
|||
|
//
|
|||
|
// SE_OWNER_DEFAULTED - This boolean flag, when set, indicates that the
|
|||
|
// SID pointed to by the Owner field was provided by a
|
|||
|
// defaulting mechanism rather than explicitly provided by the
|
|||
|
// original provider of the security descriptor. This may
|
|||
|
// affect the treatment of the SID with respect to inheritence
|
|||
|
// of an owner.
|
|||
|
//
|
|||
|
// SE_GROUP_DEFAULTED - This boolean flag, when set, indicates that the
|
|||
|
// SID in the Group field was provided by a defaulting mechanism
|
|||
|
// rather than explicitly provided by the original provider of
|
|||
|
// the security descriptor. This may affect the treatment of
|
|||
|
// the SID with respect to inheritence of a primary group.
|
|||
|
//
|
|||
|
// SE_DACL_PRESENT - This boolean flag, when set, indicates that the
|
|||
|
// security descriptor contains a discretionary ACL. If this
|
|||
|
// flag is set and the Dacl field of the SECURITY_DESCRIPTOR is
|
|||
|
// null, then a null ACL is explicitly being specified.
|
|||
|
//
|
|||
|
// SE_DACL_DEFAULTED - This boolean flag, when set, indicates that the
|
|||
|
// ACL pointed to by the Dacl field was provided by a defaulting
|
|||
|
// mechanism rather than explicitly provided by the original
|
|||
|
// provider of the security descriptor. This may affect the
|
|||
|
// treatment of the ACL with respect to inheritence of an ACL.
|
|||
|
// This flag is ignored if the DaclPresent flag is not set.
|
|||
|
//
|
|||
|
// SE_SACL_PRESENT - This boolean flag, when set, indicates that the
|
|||
|
// security descriptor contains a system ACL pointed to by the
|
|||
|
// Sacl field. If this flag is set and the Sacl field of the
|
|||
|
// SECURITY_DESCRIPTOR is null, then an empty (but present)
|
|||
|
// ACL is being specified.
|
|||
|
//
|
|||
|
// SE_SACL_DEFAULTED - This boolean flag, when set, indicates that the
|
|||
|
// ACL pointed to by the Sacl field was provided by a defaulting
|
|||
|
// mechanism rather than explicitly provided by the original
|
|||
|
// provider of the security descriptor. This may affect the
|
|||
|
// treatment of the ACL with respect to inheritence of an ACL.
|
|||
|
// This flag is ignored if the SaclPresent flag is not set.
|
|||
|
//
|
|||
|
// end_winnt
|
|||
|
// SE_DACL_TRUSTED - This boolean flag, when set, indicates that the
|
|||
|
// ACL pointed to by the Dacl field was provided by a trusted source
|
|||
|
// and does not require any editing of compound ACEs. If this flag
|
|||
|
// is not set and a compound ACE is encountered, the system will
|
|||
|
// substitute known valid SIDs for the server SIDs in the ACEs.
|
|||
|
//
|
|||
|
// SE_SERVER_SECURITY - This boolean flag, when set, indicates that the
|
|||
|
// caller wishes the system to create a Server ACL based on the
|
|||
|
// input ACL, regardess of its source (explicit or defaulting.
|
|||
|
// This is done by replacing all of the GRANT ACEs with compound
|
|||
|
// ACEs granting the current server. This flag is only
|
|||
|
// meaningful if the subject is impersonating.
|
|||
|
//
|
|||
|
// begin_winnt
|
|||
|
// SE_SELF_RELATIVE - This boolean flag, when set, indicates that the
|
|||
|
// security descriptor is in self-relative form. In this form,
|
|||
|
// all fields of the security descriptor are contiguous in memory
|
|||
|
// and all pointer fields are expressed as offsets from the
|
|||
|
// beginning of the security descriptor. This form is useful
|
|||
|
// for treating security descriptors as opaque data structures
|
|||
|
// for transmission in communication protocol or for storage on
|
|||
|
// secondary media.
|
|||
|
//
|
|||
|
//
|
|||
|
//
|
|||
|
// Pictorially the structure of a security descriptor is as follows:
|
|||
|
//
|
|||
|
// 3 3 2 2 2 2 2 2 2 2 2 2 1 1 1 1 1 1 1 1 1 1
|
|||
|
// 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0
|
|||
|
// +---------------------------------------------------------------+
|
|||
|
// | Control |Reserved1 (SBZ)| Revision |
|
|||
|
// +---------------------------------------------------------------+
|
|||
|
// | Owner |
|
|||
|
// +---------------------------------------------------------------+
|
|||
|
// | Group |
|
|||
|
// +---------------------------------------------------------------+
|
|||
|
// | Sacl |
|
|||
|
// +---------------------------------------------------------------+
|
|||
|
// | Dacl |
|
|||
|
// +---------------------------------------------------------------+
|
|||
|
//
|
|||
|
// In general, this data structure should be treated opaquely to ensure future
|
|||
|
// compatibility.
|
|||
|
//
|
|||
|
//
|
|||
|
|
|||
|
typedef struct _SECURITY_DESCRIPTOR_RELATIVE {
|
|||
|
UCHAR Revision;
|
|||
|
UCHAR Sbz1;
|
|||
|
SECURITY_DESCRIPTOR_CONTROL Control;
|
|||
|
ULONG Owner;
|
|||
|
ULONG Group;
|
|||
|
ULONG Sacl;
|
|||
|
ULONG Dacl;
|
|||
|
} SECURITY_DESCRIPTOR_RELATIVE, *PISECURITY_DESCRIPTOR_RELATIVE;
|
|||
|
|
|||
|
typedef struct _SECURITY_DESCRIPTOR {
|
|||
|
UCHAR Revision;
|
|||
|
UCHAR Sbz1;
|
|||
|
SECURITY_DESCRIPTOR_CONTROL Control;
|
|||
|
PSID Owner;
|
|||
|
PSID Group;
|
|||
|
PACL Sacl;
|
|||
|
PACL Dacl;
|
|||
|
|
|||
|
} SECURITY_DESCRIPTOR, *PISECURITY_DESCRIPTOR;
|
|||
|
|
|||
|
// end_ntifs
|
|||
|
|
|||
|
// Where:
|
|||
|
//
|
|||
|
// Revision - Contains the revision level of the security
|
|||
|
// descriptor. This allows this structure to be passed between
|
|||
|
// systems or stored on disk even though it is expected to
|
|||
|
// change in the future.
|
|||
|
//
|
|||
|
// Control - A set of flags which qualify the meaning of the
|
|||
|
// security descriptor or individual fields of the security
|
|||
|
// descriptor.
|
|||
|
//
|
|||
|
// Owner - is a pointer to an SID representing an object's owner.
|
|||
|
// If this field is null, then no owner SID is present in the
|
|||
|
// security descriptor. If the security descriptor is in
|
|||
|
// self-relative form, then this field contains an offset to
|
|||
|
// the SID, rather than a pointer.
|
|||
|
//
|
|||
|
// Group - is a pointer to an SID representing an object's primary
|
|||
|
// group. If this field is null, then no primary group SID is
|
|||
|
// present in the security descriptor. If the security descriptor
|
|||
|
// is in self-relative form, then this field contains an offset to
|
|||
|
// the SID, rather than a pointer.
|
|||
|
//
|
|||
|
// Sacl - is a pointer to a system ACL. This field value is only
|
|||
|
// valid if the DaclPresent control flag is set. If the
|
|||
|
// SaclPresent flag is set and this field is null, then a null
|
|||
|
// ACL is specified. If the security descriptor is in
|
|||
|
// self-relative form, then this field contains an offset to
|
|||
|
// the ACL, rather than a pointer.
|
|||
|
//
|
|||
|
// Dacl - is a pointer to a discretionary ACL. This field value is
|
|||
|
// only valid if the DaclPresent control flag is set. If the
|
|||
|
// DaclPresent flag is set and this field is null, then a null
|
|||
|
// ACL (unconditionally granting access) is specified. If the
|
|||
|
// security descriptor is in self-relative form, then this field
|
|||
|
// contains an offset to the ACL, rather than a pointer.
|
|||
|
//
|
|||
|
|
|||
|
|
|||
|
// end_winnt
|
|||
|
|
|||
|
|
|||
|
// begin_winnt begin_ntifs
|
|||
|
|
|||
|
|
|||
|
////////////////////////////////////////////////////////////////////////
|
|||
|
// //
|
|||
|
// Object Type list for AccessCheckByType //
|
|||
|
// //
|
|||
|
////////////////////////////////////////////////////////////////////////
|
|||
|
|
|||
|
typedef struct _OBJECT_TYPE_LIST {
|
|||
|
USHORT Level;
|
|||
|
USHORT Sbz;
|
|||
|
GUID *ObjectType;
|
|||
|
} OBJECT_TYPE_LIST, *POBJECT_TYPE_LIST;
|
|||
|
|
|||
|
//
|
|||
|
// DS values for Level
|
|||
|
//
|
|||
|
|
|||
|
#define ACCESS_OBJECT_GUID 0
|
|||
|
#define ACCESS_PROPERTY_SET_GUID 1
|
|||
|
#define ACCESS_PROPERTY_GUID 2
|
|||
|
|
|||
|
#define ACCESS_MAX_LEVEL 4
|
|||
|
|
|||
|
//
|
|||
|
// Parameters to NtAccessCheckByTypeAndAditAlarm
|
|||
|
//
|
|||
|
|
|||
|
typedef enum _AUDIT_EVENT_TYPE {
|
|||
|
AuditEventObjectAccess,
|
|||
|
AuditEventDirectoryServiceAccess
|
|||
|
} AUDIT_EVENT_TYPE, *PAUDIT_EVENT_TYPE;
|
|||
|
|
|||
|
#define AUDIT_ALLOW_NO_PRIVILEGE 0x1
|
|||
|
|
|||
|
//
|
|||
|
// DS values for Source and ObjectTypeName
|
|||
|
//
|
|||
|
|
|||
|
#define ACCESS_DS_SOURCE_A "DS"
|
|||
|
#define ACCESS_DS_SOURCE_W L"DS"
|
|||
|
#define ACCESS_DS_OBJECT_TYPE_NAME_A "Directory Service Object"
|
|||
|
#define ACCESS_DS_OBJECT_TYPE_NAME_W L"Directory Service Object"
|
|||
|
|
|||
|
|
|||
|
////////////////////////////////////////////////////////////////////////
|
|||
|
// //
|
|||
|
// Privilege Related Data Structures //
|
|||
|
// //
|
|||
|
////////////////////////////////////////////////////////////////////////
|
|||
|
|
|||
|
|
|||
|
// begin_wdm begin_ntddk begin_nthal
|
|||
|
//
|
|||
|
// Privilege attributes
|
|||
|
//
|
|||
|
|
|||
|
#define SE_PRIVILEGE_ENABLED_BY_DEFAULT (0x00000001L)
|
|||
|
#define SE_PRIVILEGE_ENABLED (0x00000002L)
|
|||
|
#define SE_PRIVILEGE_REMOVED (0X00000004L)
|
|||
|
#define SE_PRIVILEGE_USED_FOR_ACCESS (0x80000000L)
|
|||
|
|
|||
|
//
|
|||
|
// Privilege Set Control flags
|
|||
|
//
|
|||
|
|
|||
|
#define PRIVILEGE_SET_ALL_NECESSARY (1)
|
|||
|
|
|||
|
//
|
|||
|
// Privilege Set - This is defined for a privilege set of one.
|
|||
|
// If more than one privilege is needed, then this structure
|
|||
|
// will need to be allocated with more space.
|
|||
|
//
|
|||
|
// Note: don't change this structure without fixing the INITIAL_PRIVILEGE_SET
|
|||
|
// structure (defined in se.h)
|
|||
|
//
|
|||
|
|
|||
|
typedef struct _PRIVILEGE_SET {
|
|||
|
ULONG PrivilegeCount;
|
|||
|
ULONG Control;
|
|||
|
LUID_AND_ATTRIBUTES Privilege[ANYSIZE_ARRAY];
|
|||
|
} PRIVILEGE_SET, * PPRIVILEGE_SET;
|
|||
|
|
|||
|
// end_winnt end_wdm end_ntddk end_nthal end_ntifs
|
|||
|
|
|||
|
// begin_winnt
|
|||
|
|
|||
|
////////////////////////////////////////////////////////////////////////
|
|||
|
// //
|
|||
|
// NT Defined Privileges //
|
|||
|
// //
|
|||
|
////////////////////////////////////////////////////////////////////////
|
|||
|
// end_winnt
|
|||
|
|
|||
|
//
|
|||
|
// ** ** ** ** ** ** ** ** ** ** NOTE ** ** ** ** ** ** ** ** ** ** ** ** **
|
|||
|
//
|
|||
|
// Any additions or deletions to the following list
|
|||
|
// of privileges must have corresponding changes made
|
|||
|
// in the following files:
|
|||
|
// - ntos\se\seglobal.c
|
|||
|
// - ds\security\base\lsa\msprivs\msprivs.rc
|
|||
|
// - ds\security\base\lsa\server\dspolicy\dbpriv.c
|
|||
|
//
|
|||
|
// ** ** ** ** ** ** ** ** ** ** NOTE ** ** ** ** ** ** ** ** ** ** ** ** **
|
|||
|
//
|
|||
|
|
|||
|
|
|||
|
// begin_winnt
|
|||
|
|
|||
|
#define SE_CREATE_TOKEN_NAME TEXT("SeCreateTokenPrivilege")
|
|||
|
#define SE_ASSIGNPRIMARYTOKEN_NAME TEXT("SeAssignPrimaryTokenPrivilege")
|
|||
|
#define SE_LOCK_MEMORY_NAME TEXT("SeLockMemoryPrivilege")
|
|||
|
#define SE_INCREASE_QUOTA_NAME TEXT("SeIncreaseQuotaPrivilege")
|
|||
|
#define SE_UNSOLICITED_INPUT_NAME TEXT("SeUnsolicitedInputPrivilege")
|
|||
|
#define SE_MACHINE_ACCOUNT_NAME TEXT("SeMachineAccountPrivilege")
|
|||
|
#define SE_TCB_NAME TEXT("SeTcbPrivilege")
|
|||
|
#define SE_SECURITY_NAME TEXT("SeSecurityPrivilege")
|
|||
|
#define SE_TAKE_OWNERSHIP_NAME TEXT("SeTakeOwnershipPrivilege")
|
|||
|
#define SE_LOAD_DRIVER_NAME TEXT("SeLoadDriverPrivilege")
|
|||
|
#define SE_SYSTEM_PROFILE_NAME TEXT("SeSystemProfilePrivilege")
|
|||
|
#define SE_SYSTEMTIME_NAME TEXT("SeSystemtimePrivilege")
|
|||
|
#define SE_PROF_SINGLE_PROCESS_NAME TEXT("SeProfileSingleProcessPrivilege")
|
|||
|
#define SE_INC_BASE_PRIORITY_NAME TEXT("SeIncreaseBasePriorityPrivilege")
|
|||
|
#define SE_CREATE_PAGEFILE_NAME TEXT("SeCreatePagefilePrivilege")
|
|||
|
#define SE_CREATE_PERMANENT_NAME TEXT("SeCreatePermanentPrivilege")
|
|||
|
#define SE_BACKUP_NAME TEXT("SeBackupPrivilege")
|
|||
|
#define SE_RESTORE_NAME TEXT("SeRestorePrivilege")
|
|||
|
#define SE_SHUTDOWN_NAME TEXT("SeShutdownPrivilege")
|
|||
|
#define SE_DEBUG_NAME TEXT("SeDebugPrivilege")
|
|||
|
#define SE_AUDIT_NAME TEXT("SeAuditPrivilege")
|
|||
|
#define SE_SYSTEM_ENVIRONMENT_NAME TEXT("SeSystemEnvironmentPrivilege")
|
|||
|
#define SE_CHANGE_NOTIFY_NAME TEXT("SeChangeNotifyPrivilege")
|
|||
|
#define SE_REMOTE_SHUTDOWN_NAME TEXT("SeRemoteShutdownPrivilege")
|
|||
|
#define SE_UNDOCK_NAME TEXT("SeUndockPrivilege")
|
|||
|
#define SE_SYNC_AGENT_NAME TEXT("SeSyncAgentPrivilege")
|
|||
|
#define SE_ENABLE_DELEGATION_NAME TEXT("SeEnableDelegationPrivilege")
|
|||
|
#define SE_MANAGE_VOLUME_NAME TEXT("SeManageVolumePrivilege")
|
|||
|
#define SE_IMPERSONATE_NAME TEXT("SeImpersonatePrivilege")
|
|||
|
#define SE_CREATE_GLOBAL_NAME TEXT("SeCreateGlobalPrivilege")
|
|||
|
// end_winnt
|
|||
|
|
|||
|
// begin_wdm begin_ntddk begin_ntifs
|
|||
|
//
|
|||
|
// These must be converted to LUIDs before use.
|
|||
|
//
|
|||
|
|
|||
|
#define SE_MIN_WELL_KNOWN_PRIVILEGE (2L)
|
|||
|
#define SE_CREATE_TOKEN_PRIVILEGE (2L)
|
|||
|
#define SE_ASSIGNPRIMARYTOKEN_PRIVILEGE (3L)
|
|||
|
#define SE_LOCK_MEMORY_PRIVILEGE (4L)
|
|||
|
#define SE_INCREASE_QUOTA_PRIVILEGE (5L)
|
|||
|
|
|||
|
// end_wdm
|
|||
|
//
|
|||
|
// Unsolicited Input is obsolete and unused.
|
|||
|
//
|
|||
|
|
|||
|
#define SE_UNSOLICITED_INPUT_PRIVILEGE (6L)
|
|||
|
|
|||
|
// begin_wdm
|
|||
|
#define SE_MACHINE_ACCOUNT_PRIVILEGE (6L)
|
|||
|
#define SE_TCB_PRIVILEGE (7L)
|
|||
|
#define SE_SECURITY_PRIVILEGE (8L)
|
|||
|
#define SE_TAKE_OWNERSHIP_PRIVILEGE (9L)
|
|||
|
#define SE_LOAD_DRIVER_PRIVILEGE (10L)
|
|||
|
#define SE_SYSTEM_PROFILE_PRIVILEGE (11L)
|
|||
|
#define SE_SYSTEMTIME_PRIVILEGE (12L)
|
|||
|
#define SE_PROF_SINGLE_PROCESS_PRIVILEGE (13L)
|
|||
|
#define SE_INC_BASE_PRIORITY_PRIVILEGE (14L)
|
|||
|
#define SE_CREATE_PAGEFILE_PRIVILEGE (15L)
|
|||
|
#define SE_CREATE_PERMANENT_PRIVILEGE (16L)
|
|||
|
#define SE_BACKUP_PRIVILEGE (17L)
|
|||
|
#define SE_RESTORE_PRIVILEGE (18L)
|
|||
|
#define SE_SHUTDOWN_PRIVILEGE (19L)
|
|||
|
#define SE_DEBUG_PRIVILEGE (20L)
|
|||
|
#define SE_AUDIT_PRIVILEGE (21L)
|
|||
|
#define SE_SYSTEM_ENVIRONMENT_PRIVILEGE (22L)
|
|||
|
#define SE_CHANGE_NOTIFY_PRIVILEGE (23L)
|
|||
|
#define SE_REMOTE_SHUTDOWN_PRIVILEGE (24L)
|
|||
|
#define SE_UNDOCK_PRIVILEGE (25L)
|
|||
|
#define SE_SYNC_AGENT_PRIVILEGE (26L)
|
|||
|
#define SE_ENABLE_DELEGATION_PRIVILEGE (27L)
|
|||
|
#define SE_MANAGE_VOLUME_PRIVILEGE (28L)
|
|||
|
#define SE_IMPERSONATE_PRIVILEGE (29L)
|
|||
|
#define SE_CREATE_GLOBAL_PRIVILEGE (30L)
|
|||
|
#define SE_MAX_WELL_KNOWN_PRIVILEGE (SE_CREATE_GLOBAL_PRIVILEGE)
|
|||
|
|
|||
|
// end_wdm end_ntddk end_ntifs
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
// begin_winnt
|
|||
|
|
|||
|
|
|||
|
////////////////////////////////////////////////////////////////////
|
|||
|
// //
|
|||
|
// Security Quality Of Service //
|
|||
|
// //
|
|||
|
// //
|
|||
|
////////////////////////////////////////////////////////////////////
|
|||
|
|
|||
|
// begin_wdm begin_ntddk begin_nthal begin_ntifs
|
|||
|
//
|
|||
|
// Impersonation Level
|
|||
|
//
|
|||
|
// Impersonation level is represented by a pair of bits in Windows.
|
|||
|
// If a new impersonation level is added or lowest value is changed from
|
|||
|
// 0 to something else, fix the Windows CreateFile call.
|
|||
|
//
|
|||
|
|
|||
|
typedef enum _SECURITY_IMPERSONATION_LEVEL {
|
|||
|
SecurityAnonymous,
|
|||
|
SecurityIdentification,
|
|||
|
SecurityImpersonation,
|
|||
|
SecurityDelegation
|
|||
|
} SECURITY_IMPERSONATION_LEVEL, * PSECURITY_IMPERSONATION_LEVEL;
|
|||
|
|
|||
|
#define SECURITY_MAX_IMPERSONATION_LEVEL SecurityDelegation
|
|||
|
#define SECURITY_MIN_IMPERSONATION_LEVEL SecurityAnonymous
|
|||
|
#define DEFAULT_IMPERSONATION_LEVEL SecurityImpersonation
|
|||
|
#define VALID_IMPERSONATION_LEVEL(L) (((L) >= SECURITY_MIN_IMPERSONATION_LEVEL) && ((L) <= SECURITY_MAX_IMPERSONATION_LEVEL))
|
|||
|
// end_nthal end_wdm end_ntddk end_ntifs end_winnt
|
|||
|
//
|
|||
|
|
|||
|
// begin_winnt begin_ntifs
|
|||
|
|
|||
|
////////////////////////////////////////////////////////////////////
|
|||
|
// //
|
|||
|
// Token Object Definitions //
|
|||
|
// //
|
|||
|
// //
|
|||
|
////////////////////////////////////////////////////////////////////
|
|||
|
|
|||
|
|
|||
|
//
|
|||
|
// Token Specific Access Rights.
|
|||
|
//
|
|||
|
|
|||
|
#define TOKEN_ASSIGN_PRIMARY (0x0001)
|
|||
|
#define TOKEN_DUPLICATE (0x0002)
|
|||
|
#define TOKEN_IMPERSONATE (0x0004)
|
|||
|
#define TOKEN_QUERY (0x0008)
|
|||
|
#define TOKEN_QUERY_SOURCE (0x0010)
|
|||
|
#define TOKEN_ADJUST_PRIVILEGES (0x0020)
|
|||
|
#define TOKEN_ADJUST_GROUPS (0x0040)
|
|||
|
#define TOKEN_ADJUST_DEFAULT (0x0080)
|
|||
|
#define TOKEN_ADJUST_SESSIONID (0x0100)
|
|||
|
|
|||
|
#define TOKEN_ALL_ACCESS_P (STANDARD_RIGHTS_REQUIRED |\
|
|||
|
TOKEN_ASSIGN_PRIMARY |\
|
|||
|
TOKEN_DUPLICATE |\
|
|||
|
TOKEN_IMPERSONATE |\
|
|||
|
TOKEN_QUERY |\
|
|||
|
TOKEN_QUERY_SOURCE |\
|
|||
|
TOKEN_ADJUST_PRIVILEGES |\
|
|||
|
TOKEN_ADJUST_GROUPS |\
|
|||
|
TOKEN_ADJUST_DEFAULT )
|
|||
|
|
|||
|
#if ((defined(_WIN32_WINNT) && (_WIN32_WINNT > 0x0400)) || (!defined(_WIN32_WINNT)))
|
|||
|
#define TOKEN_ALL_ACCESS (TOKEN_ALL_ACCESS_P |\
|
|||
|
TOKEN_ADJUST_SESSIONID )
|
|||
|
#else
|
|||
|
#define TOKEN_ALL_ACCESS (TOKEN_ALL_ACCESS_P)
|
|||
|
#endif
|
|||
|
|
|||
|
#define TOKEN_READ (STANDARD_RIGHTS_READ |\
|
|||
|
TOKEN_QUERY)
|
|||
|
|
|||
|
|
|||
|
#define TOKEN_WRITE (STANDARD_RIGHTS_WRITE |\
|
|||
|
TOKEN_ADJUST_PRIVILEGES |\
|
|||
|
TOKEN_ADJUST_GROUPS |\
|
|||
|
TOKEN_ADJUST_DEFAULT)
|
|||
|
|
|||
|
#define TOKEN_EXECUTE (STANDARD_RIGHTS_EXECUTE)
|
|||
|
|
|||
|
|
|||
|
//
|
|||
|
//
|
|||
|
// Token Types
|
|||
|
//
|
|||
|
|
|||
|
typedef enum _TOKEN_TYPE {
|
|||
|
TokenPrimary = 1,
|
|||
|
TokenImpersonation
|
|||
|
} TOKEN_TYPE;
|
|||
|
typedef TOKEN_TYPE *PTOKEN_TYPE;
|
|||
|
|
|||
|
|
|||
|
//
|
|||
|
// Token Information Classes.
|
|||
|
//
|
|||
|
|
|||
|
|
|||
|
typedef enum _TOKEN_INFORMATION_CLASS {
|
|||
|
TokenUser = 1,
|
|||
|
TokenGroups,
|
|||
|
TokenPrivileges,
|
|||
|
TokenOwner,
|
|||
|
TokenPrimaryGroup,
|
|||
|
TokenDefaultDacl,
|
|||
|
TokenSource,
|
|||
|
TokenType,
|
|||
|
TokenImpersonationLevel,
|
|||
|
TokenStatistics,
|
|||
|
TokenRestrictedSids,
|
|||
|
TokenSessionId,
|
|||
|
TokenGroupsAndPrivileges,
|
|||
|
TokenSessionReference,
|
|||
|
TokenSandBoxInert,
|
|||
|
TokenAuditPolicy,
|
|||
|
TokenOrigin,
|
|||
|
MaxTokenInfoClass // MaxTokenInfoClass should always be the last enum
|
|||
|
} TOKEN_INFORMATION_CLASS, *PTOKEN_INFORMATION_CLASS;
|
|||
|
|
|||
|
//
|
|||
|
// Token information class structures
|
|||
|
//
|
|||
|
|
|||
|
|
|||
|
typedef struct _TOKEN_USER {
|
|||
|
SID_AND_ATTRIBUTES User;
|
|||
|
} TOKEN_USER, *PTOKEN_USER;
|
|||
|
|
|||
|
typedef struct _TOKEN_GROUPS {
|
|||
|
ULONG GroupCount;
|
|||
|
SID_AND_ATTRIBUTES Groups[ANYSIZE_ARRAY];
|
|||
|
} TOKEN_GROUPS, *PTOKEN_GROUPS;
|
|||
|
|
|||
|
|
|||
|
typedef struct _TOKEN_PRIVILEGES {
|
|||
|
ULONG PrivilegeCount;
|
|||
|
LUID_AND_ATTRIBUTES Privileges[ANYSIZE_ARRAY];
|
|||
|
} TOKEN_PRIVILEGES, *PTOKEN_PRIVILEGES;
|
|||
|
|
|||
|
|
|||
|
typedef struct _TOKEN_OWNER {
|
|||
|
PSID Owner;
|
|||
|
} TOKEN_OWNER, *PTOKEN_OWNER;
|
|||
|
|
|||
|
|
|||
|
typedef struct _TOKEN_PRIMARY_GROUP {
|
|||
|
PSID PrimaryGroup;
|
|||
|
} TOKEN_PRIMARY_GROUP, *PTOKEN_PRIMARY_GROUP;
|
|||
|
|
|||
|
|
|||
|
typedef struct _TOKEN_DEFAULT_DACL {
|
|||
|
PACL DefaultDacl;
|
|||
|
} TOKEN_DEFAULT_DACL, *PTOKEN_DEFAULT_DACL;
|
|||
|
|
|||
|
typedef struct _TOKEN_GROUPS_AND_PRIVILEGES {
|
|||
|
ULONG SidCount;
|
|||
|
ULONG SidLength;
|
|||
|
PSID_AND_ATTRIBUTES Sids;
|
|||
|
ULONG RestrictedSidCount;
|
|||
|
ULONG RestrictedSidLength;
|
|||
|
PSID_AND_ATTRIBUTES RestrictedSids;
|
|||
|
ULONG PrivilegeCount;
|
|||
|
ULONG PrivilegeLength;
|
|||
|
PLUID_AND_ATTRIBUTES Privileges;
|
|||
|
LUID AuthenticationId;
|
|||
|
} TOKEN_GROUPS_AND_PRIVILEGES, *PTOKEN_GROUPS_AND_PRIVILEGES;
|
|||
|
|
|||
|
//
|
|||
|
// Valid bits for each TOKEN_AUDIT_POLICY policy mask field.
|
|||
|
//
|
|||
|
|
|||
|
#define TOKEN_AUDIT_SUCCESS_INCLUDE 0x1
|
|||
|
#define TOKEN_AUDIT_SUCCESS_EXCLUDE 0x2
|
|||
|
#define TOKEN_AUDIT_FAILURE_INCLUDE 0x4
|
|||
|
#define TOKEN_AUDIT_FAILURE_EXCLUDE 0x8
|
|||
|
|
|||
|
#define VALID_AUDIT_POLICY_BITS (TOKEN_AUDIT_SUCCESS_INCLUDE | \
|
|||
|
TOKEN_AUDIT_SUCCESS_EXCLUDE | \
|
|||
|
TOKEN_AUDIT_FAILURE_INCLUDE | \
|
|||
|
TOKEN_AUDIT_FAILURE_EXCLUDE)
|
|||
|
|
|||
|
#define VALID_TOKEN_AUDIT_POLICY_ELEMENT(P) ((((P).PolicyMask & ~VALID_AUDIT_POLICY_BITS) == 0) && \
|
|||
|
((P).Category <= AuditEventMaxType))
|
|||
|
|
|||
|
typedef struct _TOKEN_AUDIT_POLICY_ELEMENT {
|
|||
|
ULONG Category;
|
|||
|
ULONG PolicyMask;
|
|||
|
} TOKEN_AUDIT_POLICY_ELEMENT, *PTOKEN_AUDIT_POLICY_ELEMENT;
|
|||
|
|
|||
|
typedef struct _TOKEN_AUDIT_POLICY {
|
|||
|
ULONG PolicyCount;
|
|||
|
TOKEN_AUDIT_POLICY_ELEMENT Policy[ANYSIZE_ARRAY];
|
|||
|
} TOKEN_AUDIT_POLICY, *PTOKEN_AUDIT_POLICY;
|
|||
|
|
|||
|
#define PER_USER_AUDITING_POLICY_SIZE(p) \
|
|||
|
( sizeof(TOKEN_AUDIT_POLICY) + (((p)->PolicyCount > ANYSIZE_ARRAY) ? (sizeof(TOKEN_AUDIT_POLICY_ELEMENT) * ((p)->PolicyCount - ANYSIZE_ARRAY)) : 0) )
|
|||
|
#define PER_USER_AUDITING_POLICY_SIZE_BY_COUNT(C) \
|
|||
|
( sizeof(TOKEN_AUDIT_POLICY) + (((C) > ANYSIZE_ARRAY) ? (sizeof(TOKEN_AUDIT_POLICY_ELEMENT) * ((C) - ANYSIZE_ARRAY)) : 0) )
|
|||
|
|
|||
|
// end_winnt end_ntifs
|
|||
|
|
|||
|
typedef enum _PROXY_CLASS {
|
|||
|
ProxyFull,
|
|||
|
ProxyService,
|
|||
|
ProxyTree,
|
|||
|
ProxyDirectory
|
|||
|
} PROXY_CLASS, * PPROXY_CLASS;
|
|||
|
|
|||
|
|
|||
|
typedef struct _SECURITY_TOKEN_PROXY_DATA {
|
|||
|
ULONG Length;
|
|||
|
PROXY_CLASS ProxyClass;
|
|||
|
UNICODE_STRING PathInfo;
|
|||
|
ACCESS_MASK ContainerMask;
|
|||
|
ACCESS_MASK ObjectMask;
|
|||
|
} SECURITY_TOKEN_PROXY_DATA, *PSECURITY_TOKEN_PROXY_DATA;
|
|||
|
|
|||
|
typedef struct _SECURITY_TOKEN_AUDIT_DATA {
|
|||
|
ULONG Length;
|
|||
|
ACCESS_MASK GrantMask;
|
|||
|
ACCESS_MASK DenyMask;
|
|||
|
} SECURITY_TOKEN_AUDIT_DATA, *PSECURITY_TOKEN_AUDIT_DATA;
|
|||
|
|
|||
|
// begin_ntifs begin_winnt
|
|||
|
|
|||
|
#define TOKEN_SOURCE_LENGTH 8
|
|||
|
|
|||
|
typedef struct _TOKEN_SOURCE {
|
|||
|
CHAR SourceName[TOKEN_SOURCE_LENGTH];
|
|||
|
LUID SourceIdentifier;
|
|||
|
} TOKEN_SOURCE, *PTOKEN_SOURCE;
|
|||
|
|
|||
|
|
|||
|
typedef struct _TOKEN_STATISTICS {
|
|||
|
LUID TokenId;
|
|||
|
LUID AuthenticationId;
|
|||
|
LARGE_INTEGER ExpirationTime;
|
|||
|
TOKEN_TYPE TokenType;
|
|||
|
SECURITY_IMPERSONATION_LEVEL ImpersonationLevel;
|
|||
|
ULONG DynamicCharged;
|
|||
|
ULONG DynamicAvailable;
|
|||
|
ULONG GroupCount;
|
|||
|
ULONG PrivilegeCount;
|
|||
|
LUID ModifiedId;
|
|||
|
} TOKEN_STATISTICS, *PTOKEN_STATISTICS;
|
|||
|
|
|||
|
|
|||
|
|
|||
|
typedef struct _TOKEN_CONTROL {
|
|||
|
LUID TokenId;
|
|||
|
LUID AuthenticationId;
|
|||
|
LUID ModifiedId;
|
|||
|
TOKEN_SOURCE TokenSource;
|
|||
|
} TOKEN_CONTROL, *PTOKEN_CONTROL;
|
|||
|
|
|||
|
typedef struct _TOKEN_ORIGIN {
|
|||
|
LUID OriginatingLogonSession ;
|
|||
|
} TOKEN_ORIGIN, * PTOKEN_ORIGIN ;
|
|||
|
|
|||
|
// end_winnt
|
|||
|
// end_ntifs
|
|||
|
|
|||
|
|
|||
|
// begin_wdm begin_ntddk begin_ntifs begin_winnt
|
|||
|
//
|
|||
|
// Security Tracking Mode
|
|||
|
//
|
|||
|
|
|||
|
#define SECURITY_DYNAMIC_TRACKING (TRUE)
|
|||
|
#define SECURITY_STATIC_TRACKING (FALSE)
|
|||
|
|
|||
|
typedef BOOLEAN SECURITY_CONTEXT_TRACKING_MODE,
|
|||
|
* PSECURITY_CONTEXT_TRACKING_MODE;
|
|||
|
|
|||
|
|
|||
|
|
|||
|
//
|
|||
|
// Quality Of Service
|
|||
|
//
|
|||
|
|
|||
|
typedef struct _SECURITY_QUALITY_OF_SERVICE {
|
|||
|
ULONG Length;
|
|||
|
SECURITY_IMPERSONATION_LEVEL ImpersonationLevel;
|
|||
|
SECURITY_CONTEXT_TRACKING_MODE ContextTrackingMode;
|
|||
|
BOOLEAN EffectiveOnly;
|
|||
|
} SECURITY_QUALITY_OF_SERVICE, * PSECURITY_QUALITY_OF_SERVICE;
|
|||
|
|
|||
|
// end_winnt end_wdm end_ntddk end_ntifs
|
|||
|
|
|||
|
//
|
|||
|
// Advanced Quality of Service
|
|||
|
//
|
|||
|
|
|||
|
typedef struct _SECURITY_ADVANCED_QUALITY_OF_SERVICE {
|
|||
|
ULONG Length;
|
|||
|
SECURITY_IMPERSONATION_LEVEL ImpersonationLevel;
|
|||
|
SECURITY_CONTEXT_TRACKING_MODE ContextTrackingMode;
|
|||
|
BOOLEAN EffectiveOnly;
|
|||
|
PSECURITY_TOKEN_PROXY_DATA ProxyData;
|
|||
|
PSECURITY_TOKEN_AUDIT_DATA AuditData;
|
|||
|
} SECURITY_ADVANCED_QUALITY_OF_SERVICE, *PSECURITY_ADVANCED_QUALITY_OF_SERVICE;
|
|||
|
|
|||
|
|
|||
|
// begin_wdm begin_ntddk begin_ntifs begin_winnt
|
|||
|
|
|||
|
//
|
|||
|
// Used to represent information related to a thread impersonation
|
|||
|
//
|
|||
|
|
|||
|
typedef struct _SE_IMPERSONATION_STATE {
|
|||
|
PACCESS_TOKEN Token;
|
|||
|
BOOLEAN CopyOnOpen;
|
|||
|
BOOLEAN EffectiveOnly;
|
|||
|
SECURITY_IMPERSONATION_LEVEL Level;
|
|||
|
} SE_IMPERSONATION_STATE, *PSE_IMPERSONATION_STATE;
|
|||
|
|
|||
|
// end_winnt end_wdm end_ntddk end_ntifs
|
|||
|
|
|||
|
|
|||
|
////////////////////////////////////////////////////////////////////////
|
|||
|
// //
|
|||
|
// Flags for NtFilerToken //
|
|||
|
// //
|
|||
|
////////////////////////////////////////////////////////////////////////
|
|||
|
|
|||
|
#define DISABLE_MAX_PRIVILEGE 0x1 // winnt
|
|||
|
#define SANDBOX_INERT 0x2 // winnt
|
|||
|
|
|||
|
|
|||
|
////////////////////////////////////////////////////////////////////////
|
|||
|
// //
|
|||
|
// General Security definitions //
|
|||
|
// //
|
|||
|
////////////////////////////////////////////////////////////////////////
|
|||
|
|
|||
|
//
|
|||
|
// Security information associated with objects.
|
|||
|
// Used for query operations.
|
|||
|
//
|
|||
|
// This will be extended in the future to include mandatory access control.
|
|||
|
//
|
|||
|
|
|||
|
// begin_winnt begin_wdm begin_ntddk begin_nthal begin_ntifs
|
|||
|
|
|||
|
typedef ULONG SECURITY_INFORMATION, *PSECURITY_INFORMATION;
|
|||
|
|
|||
|
#define OWNER_SECURITY_INFORMATION (0x00000001L)
|
|||
|
#define GROUP_SECURITY_INFORMATION (0x00000002L)
|
|||
|
#define DACL_SECURITY_INFORMATION (0x00000004L)
|
|||
|
#define SACL_SECURITY_INFORMATION (0x00000008L)
|
|||
|
|
|||
|
#define PROTECTED_DACL_SECURITY_INFORMATION (0x80000000L)
|
|||
|
#define PROTECTED_SACL_SECURITY_INFORMATION (0x40000000L)
|
|||
|
#define UNPROTECTED_DACL_SECURITY_INFORMATION (0x20000000L)
|
|||
|
#define UNPROTECTED_SACL_SECURITY_INFORMATION (0x10000000L)
|
|||
|
|
|||
|
// end_winnt end_wdm end_ntddk end_nthal end_ntifs
|
|||
|
|
|||
|
|
|||
|
//
|
|||
|
// used for password manipulations
|
|||
|
//
|
|||
|
|
|||
|
|
|||
|
typedef struct _SECURITY_SEED_AND_LENGTH {
|
|||
|
UCHAR Length;
|
|||
|
UCHAR Seed;
|
|||
|
} SECURITY_SEED_AND_LENGTH, *PSECURITY_SEED_AND_LENGTH;
|
|||
|
|
|||
|
|
|||
|
////////////////////////////////////////////////////////////////////////
|
|||
|
// //
|
|||
|
// Security System Service Defnitions //
|
|||
|
// //
|
|||
|
////////////////////////////////////////////////////////////////////////
|
|||
|
|
|||
|
//
|
|||
|
// Security check system services
|
|||
|
//
|
|||
|
|
|||
|
NTSYSCALLAPI
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
NtAccessCheck (
|
|||
|
IN PSECURITY_DESCRIPTOR SecurityDescriptor,
|
|||
|
IN HANDLE ClientToken,
|
|||
|
IN ACCESS_MASK DesiredAccess,
|
|||
|
IN PGENERIC_MAPPING GenericMapping,
|
|||
|
OUT PPRIVILEGE_SET PrivilegeSet,
|
|||
|
IN OUT PULONG PrivilegeSetLength,
|
|||
|
OUT PACCESS_MASK GrantedAccess,
|
|||
|
OUT PNTSTATUS AccessStatus
|
|||
|
);
|
|||
|
|
|||
|
NTSYSCALLAPI
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
NtAccessCheckByType (
|
|||
|
IN PSECURITY_DESCRIPTOR SecurityDescriptor,
|
|||
|
IN PSID PrincipalSelfSid,
|
|||
|
IN HANDLE ClientToken,
|
|||
|
IN ACCESS_MASK DesiredAccess,
|
|||
|
IN POBJECT_TYPE_LIST ObjectTypeList,
|
|||
|
IN ULONG ObjectTypeListLength,
|
|||
|
IN PGENERIC_MAPPING GenericMapping,
|
|||
|
OUT PPRIVILEGE_SET PrivilegeSet,
|
|||
|
IN OUT PULONG PrivilegeSetLength,
|
|||
|
OUT PACCESS_MASK GrantedAccess,
|
|||
|
OUT PNTSTATUS AccessStatus
|
|||
|
);
|
|||
|
|
|||
|
NTSYSCALLAPI
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
NtAccessCheckByTypeResultList (
|
|||
|
IN PSECURITY_DESCRIPTOR SecurityDescriptor,
|
|||
|
IN PSID PrincipalSelfSid,
|
|||
|
IN HANDLE ClientToken,
|
|||
|
IN ACCESS_MASK DesiredAccess,
|
|||
|
IN POBJECT_TYPE_LIST ObjectTypeList,
|
|||
|
IN ULONG ObjectTypeListLength,
|
|||
|
IN PGENERIC_MAPPING GenericMapping,
|
|||
|
OUT PPRIVILEGE_SET PrivilegeSet,
|
|||
|
IN OUT PULONG PrivilegeSetLength,
|
|||
|
OUT PACCESS_MASK GrantedAccess,
|
|||
|
OUT PNTSTATUS AccessStatus
|
|||
|
);
|
|||
|
|
|||
|
|
|||
|
|
|||
|
///////////////////////////////////////////////////////////////////////
|
|||
|
// //
|
|||
|
// Token Object System Services //
|
|||
|
// //
|
|||
|
///////////////////////////////////////////////////////////////////////
|
|||
|
|
|||
|
|
|||
|
NTSYSCALLAPI
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
NtCreateToken(
|
|||
|
OUT PHANDLE TokenHandle,
|
|||
|
IN ACCESS_MASK DesiredAccess,
|
|||
|
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
|
|||
|
IN TOKEN_TYPE TokenType,
|
|||
|
IN PLUID AuthenticationId,
|
|||
|
IN PLARGE_INTEGER ExpirationTime,
|
|||
|
IN PTOKEN_USER User,
|
|||
|
IN PTOKEN_GROUPS Groups,
|
|||
|
IN PTOKEN_PRIVILEGES Privileges,
|
|||
|
IN PTOKEN_OWNER Owner OPTIONAL,
|
|||
|
IN PTOKEN_PRIMARY_GROUP PrimaryGroup,
|
|||
|
IN PTOKEN_DEFAULT_DACL DefaultDacl OPTIONAL,
|
|||
|
IN PTOKEN_SOURCE TokenSource
|
|||
|
);
|
|||
|
|
|||
|
|
|||
|
NTSYSCALLAPI
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
NtCompareTokens(
|
|||
|
IN HANDLE FirstTokenHandle,
|
|||
|
IN HANDLE SecondTokenHandle,
|
|||
|
OUT PBOOLEAN Equal
|
|||
|
);
|
|||
|
|
|||
|
// begin_ntifs
|
|||
|
|
|||
|
NTSYSCALLAPI
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
NtOpenThreadToken(
|
|||
|
IN HANDLE ThreadHandle,
|
|||
|
IN ACCESS_MASK DesiredAccess,
|
|||
|
IN BOOLEAN OpenAsSelf,
|
|||
|
OUT PHANDLE TokenHandle
|
|||
|
);
|
|||
|
|
|||
|
NTSYSCALLAPI
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
NtOpenThreadTokenEx(
|
|||
|
IN HANDLE ThreadHandle,
|
|||
|
IN ACCESS_MASK DesiredAccess,
|
|||
|
IN BOOLEAN OpenAsSelf,
|
|||
|
IN ULONG HandleAttributes,
|
|||
|
OUT PHANDLE TokenHandle
|
|||
|
);
|
|||
|
|
|||
|
|
|||
|
NTSYSCALLAPI
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
NtOpenProcessToken(
|
|||
|
IN HANDLE ProcessHandle,
|
|||
|
IN ACCESS_MASK DesiredAccess,
|
|||
|
OUT PHANDLE TokenHandle
|
|||
|
);
|
|||
|
|
|||
|
NTSYSCALLAPI
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
NtOpenProcessTokenEx(
|
|||
|
IN HANDLE ProcessHandle,
|
|||
|
IN ACCESS_MASK DesiredAccess,
|
|||
|
IN ULONG HandleAttributes,
|
|||
|
OUT PHANDLE TokenHandle
|
|||
|
);
|
|||
|
|
|||
|
NTSYSAPI
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
NtOpenJobObjectToken(
|
|||
|
IN HANDLE JobHandle,
|
|||
|
IN ACCESS_MASK DesiredAccess,
|
|||
|
OUT PHANDLE TokenHandle
|
|||
|
);
|
|||
|
|
|||
|
|
|||
|
|
|||
|
NTSYSCALLAPI
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
NtDuplicateToken(
|
|||
|
IN HANDLE ExistingTokenHandle,
|
|||
|
IN ACCESS_MASK DesiredAccess,
|
|||
|
IN POBJECT_ATTRIBUTES ObjectAttributes,
|
|||
|
IN BOOLEAN EffectiveOnly,
|
|||
|
IN TOKEN_TYPE TokenType,
|
|||
|
OUT PHANDLE NewTokenHandle
|
|||
|
);
|
|||
|
|
|||
|
NTSYSCALLAPI
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
NtFilterToken (
|
|||
|
IN HANDLE ExistingTokenHandle,
|
|||
|
IN ULONG Flags,
|
|||
|
IN PTOKEN_GROUPS SidsToDisable OPTIONAL,
|
|||
|
IN PTOKEN_PRIVILEGES PrivilegesToDelete OPTIONAL,
|
|||
|
IN PTOKEN_GROUPS RestrictedSids OPTIONAL,
|
|||
|
OUT PHANDLE NewTokenHandle
|
|||
|
);
|
|||
|
|
|||
|
|
|||
|
NTSYSCALLAPI
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
NtImpersonateAnonymousToken(
|
|||
|
IN HANDLE ThreadHandle
|
|||
|
);
|
|||
|
|
|||
|
NTSYSCALLAPI
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
NtQueryInformationToken (
|
|||
|
IN HANDLE TokenHandle,
|
|||
|
IN TOKEN_INFORMATION_CLASS TokenInformationClass,
|
|||
|
OUT PVOID TokenInformation,
|
|||
|
IN ULONG TokenInformationLength,
|
|||
|
OUT PULONG ReturnLength
|
|||
|
);
|
|||
|
|
|||
|
|
|||
|
NTSYSCALLAPI
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
NtSetInformationToken (
|
|||
|
IN HANDLE TokenHandle,
|
|||
|
IN TOKEN_INFORMATION_CLASS TokenInformationClass,
|
|||
|
IN PVOID TokenInformation,
|
|||
|
IN ULONG TokenInformationLength
|
|||
|
);
|
|||
|
|
|||
|
|
|||
|
NTSYSCALLAPI
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
NtAdjustPrivilegesToken (
|
|||
|
IN HANDLE TokenHandle,
|
|||
|
IN BOOLEAN DisableAllPrivileges,
|
|||
|
IN PTOKEN_PRIVILEGES NewState OPTIONAL,
|
|||
|
IN ULONG BufferLength OPTIONAL,
|
|||
|
OUT PTOKEN_PRIVILEGES PreviousState OPTIONAL,
|
|||
|
OUT PULONG ReturnLength
|
|||
|
);
|
|||
|
|
|||
|
|
|||
|
NTSYSCALLAPI
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
NtAdjustGroupsToken (
|
|||
|
IN HANDLE TokenHandle,
|
|||
|
IN BOOLEAN ResetToDefault,
|
|||
|
IN PTOKEN_GROUPS NewState OPTIONAL,
|
|||
|
IN ULONG BufferLength OPTIONAL,
|
|||
|
OUT PTOKEN_GROUPS PreviousState OPTIONAL,
|
|||
|
OUT PULONG ReturnLength
|
|||
|
);
|
|||
|
|
|||
|
NTSYSCALLAPI
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
NtPrivilegeCheck (
|
|||
|
IN HANDLE ClientToken,
|
|||
|
IN OUT PPRIVILEGE_SET RequiredPrivileges,
|
|||
|
OUT PBOOLEAN Result
|
|||
|
);
|
|||
|
|
|||
|
|
|||
|
NTSYSCALLAPI
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
NtAccessCheckAndAuditAlarm (
|
|||
|
IN PUNICODE_STRING SubsystemName,
|
|||
|
IN PVOID HandleId,
|
|||
|
IN PUNICODE_STRING ObjectTypeName,
|
|||
|
IN PUNICODE_STRING ObjectName,
|
|||
|
IN PSECURITY_DESCRIPTOR SecurityDescriptor,
|
|||
|
IN ACCESS_MASK DesiredAccess,
|
|||
|
IN PGENERIC_MAPPING GenericMapping,
|
|||
|
IN BOOLEAN ObjectCreation,
|
|||
|
OUT PACCESS_MASK GrantedAccess,
|
|||
|
OUT PNTSTATUS AccessStatus,
|
|||
|
OUT PBOOLEAN GenerateOnClose
|
|||
|
);
|
|||
|
|
|||
|
NTSYSCALLAPI
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
NtAccessCheckByTypeAndAuditAlarm (
|
|||
|
IN PUNICODE_STRING SubsystemName,
|
|||
|
IN PVOID HandleId,
|
|||
|
IN PUNICODE_STRING ObjectTypeName,
|
|||
|
IN PUNICODE_STRING ObjectName,
|
|||
|
IN PSECURITY_DESCRIPTOR SecurityDescriptor,
|
|||
|
IN PSID PrincipalSelfSid,
|
|||
|
IN ACCESS_MASK DesiredAccess,
|
|||
|
IN AUDIT_EVENT_TYPE AuditType,
|
|||
|
IN ULONG Flags,
|
|||
|
IN POBJECT_TYPE_LIST ObjectTypeList OPTIONAL,
|
|||
|
IN ULONG ObjectTypeListLength,
|
|||
|
IN PGENERIC_MAPPING GenericMapping,
|
|||
|
IN BOOLEAN ObjectCreation,
|
|||
|
OUT PACCESS_MASK GrantedAccess,
|
|||
|
OUT PNTSTATUS AccessStatus,
|
|||
|
OUT PBOOLEAN GenerateOnClose
|
|||
|
);
|
|||
|
|
|||
|
NTSYSCALLAPI
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
NtAccessCheckByTypeResultListAndAuditAlarm (
|
|||
|
IN PUNICODE_STRING SubsystemName,
|
|||
|
IN PVOID HandleId,
|
|||
|
IN PUNICODE_STRING ObjectTypeName,
|
|||
|
IN PUNICODE_STRING ObjectName,
|
|||
|
IN PSECURITY_DESCRIPTOR SecurityDescriptor,
|
|||
|
IN PSID PrincipalSelfSid,
|
|||
|
IN ACCESS_MASK DesiredAccess,
|
|||
|
IN AUDIT_EVENT_TYPE AuditType,
|
|||
|
IN ULONG Flags,
|
|||
|
IN POBJECT_TYPE_LIST ObjectTypeList OPTIONAL,
|
|||
|
IN ULONG ObjectTypeListLength,
|
|||
|
IN PGENERIC_MAPPING GenericMapping,
|
|||
|
IN BOOLEAN ObjectCreation,
|
|||
|
OUT PACCESS_MASK GrantedAccess,
|
|||
|
OUT PNTSTATUS AccessStatus,
|
|||
|
OUT PBOOLEAN GenerateOnClose
|
|||
|
);
|
|||
|
|
|||
|
NTSYSCALLAPI
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
NtAccessCheckByTypeResultListAndAuditAlarmByHandle (
|
|||
|
IN PUNICODE_STRING SubsystemName,
|
|||
|
IN PVOID HandleId,
|
|||
|
IN HANDLE ClientToken,
|
|||
|
IN PUNICODE_STRING ObjectTypeName,
|
|||
|
IN PUNICODE_STRING ObjectName,
|
|||
|
IN PSECURITY_DESCRIPTOR SecurityDescriptor,
|
|||
|
IN PSID PrincipalSelfSid,
|
|||
|
IN ACCESS_MASK DesiredAccess,
|
|||
|
IN AUDIT_EVENT_TYPE AuditType,
|
|||
|
IN ULONG Flags,
|
|||
|
IN POBJECT_TYPE_LIST ObjectTypeList OPTIONAL,
|
|||
|
IN ULONG ObjectTypeListLength,
|
|||
|
IN PGENERIC_MAPPING GenericMapping,
|
|||
|
IN BOOLEAN ObjectCreation,
|
|||
|
OUT PACCESS_MASK GrantedAccess,
|
|||
|
OUT PNTSTATUS AccessStatus,
|
|||
|
OUT PBOOLEAN GenerateOnClose
|
|||
|
);
|
|||
|
|
|||
|
NTSYSCALLAPI
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
NtOpenObjectAuditAlarm (
|
|||
|
IN PUNICODE_STRING SubsystemName,
|
|||
|
IN PVOID HandleId OPTIONAL,
|
|||
|
IN PUNICODE_STRING ObjectTypeName,
|
|||
|
IN PUNICODE_STRING ObjectName,
|
|||
|
IN PSECURITY_DESCRIPTOR SecurityDescriptor OPTIONAL,
|
|||
|
IN HANDLE ClientToken,
|
|||
|
IN ACCESS_MASK DesiredAccess,
|
|||
|
IN ACCESS_MASK GrantedAccess,
|
|||
|
IN PPRIVILEGE_SET Privileges OPTIONAL,
|
|||
|
IN BOOLEAN ObjectCreation,
|
|||
|
IN BOOLEAN AccessGranted,
|
|||
|
OUT PBOOLEAN GenerateOnClose
|
|||
|
);
|
|||
|
|
|||
|
NTSYSCALLAPI
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
NtPrivilegeObjectAuditAlarm (
|
|||
|
IN PUNICODE_STRING SubsystemName,
|
|||
|
IN PVOID HandleId,
|
|||
|
IN HANDLE ClientToken,
|
|||
|
IN ACCESS_MASK DesiredAccess,
|
|||
|
IN PPRIVILEGE_SET Privileges,
|
|||
|
IN BOOLEAN AccessGranted
|
|||
|
);
|
|||
|
|
|||
|
NTSYSCALLAPI
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
NtCloseObjectAuditAlarm (
|
|||
|
IN PUNICODE_STRING SubsystemName,
|
|||
|
IN PVOID HandleId,
|
|||
|
IN BOOLEAN GenerateOnClose
|
|||
|
);
|
|||
|
|
|||
|
NTSYSCALLAPI
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
NtDeleteObjectAuditAlarm (
|
|||
|
IN PUNICODE_STRING SubsystemName,
|
|||
|
IN PVOID HandleId,
|
|||
|
IN BOOLEAN GenerateOnClose
|
|||
|
);
|
|||
|
|
|||
|
NTSYSCALLAPI
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
NtPrivilegedServiceAuditAlarm (
|
|||
|
IN PUNICODE_STRING SubsystemName,
|
|||
|
IN PUNICODE_STRING ServiceName,
|
|||
|
IN HANDLE ClientToken,
|
|||
|
IN PPRIVILEGE_SET Privileges,
|
|||
|
IN BOOLEAN AccessGranted
|
|||
|
);
|
|||
|
|
|||
|
// end_ntifs
|
|||
|
|
|||
|
#ifdef __cplusplus
|
|||
|
}
|
|||
|
#endif
|
|||
|
|
|||
|
#endif // _NTSEAPI_
|