able/windows-nt
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity
windows-nt/Source/XPSP1/NT/ds/published/inc/ntseapi.w
CryptoAlgo Inc b3cac27891 Add source files
2020-09-26 16:20:57 +08:00

2035 lines
65 KiB
OpenEdge ABL
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

/*++ BUILD Version: 0003 // Increment this if a change has global effects
Copyright (c) 1989-2000 Microsoft Corporation
Module Name:
ntseapi.h
Abstract:
This module contains the Security APIs and any public data
structures needed to call these APIs.
This module should be included by including "nt.h".
Author:
Gary Kimura (GaryKi) 06-Mar-1989
Revision History:
--*/
#ifndef _NTSEAPI_
#define _NTSEAPI_
#if _MSC_VER > 1000
#pragma once
#endif
#ifdef __cplusplus
extern "C" {
#endif
////////////////////////////////////////////////////////////////////////
// //
// Pointers to Opaque data types //
// //
////////////////////////////////////////////////////////////////////////
//
// Some of these data types may have related data types defined elsewhere
// in this file.
//
// begin_ntddk begin_wdm begin_nthal begin_ntifs
//
// Define an access token from a programmer's viewpoint. The structure is
// completely opaque and the programer is only allowed to have pointers
// to tokens.
//
typedef PVOID PACCESS_TOKEN; // winnt
//
// Pointer to a SECURITY_DESCRIPTOR opaque data type.
//
typedef PVOID PSECURITY_DESCRIPTOR; // winnt
//
// Define a pointer to the Security ID data type (an opaque data type)
//
typedef PVOID PSID; // winnt
// end_ntddk end_wdm end_nthal end_ntifs
// begin_winnt
////////////////////////////////////////////////////////////////////////
// //
// ACCESS MASK //
// //
////////////////////////////////////////////////////////////////////////
//
// Define the access mask as a longword sized structure divided up as
// follows:
//
// 3 3 2 2 2 2 2 2 2 2 2 2 1 1 1 1 1 1 1 1 1 1
// 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0
// +---------------+---------------+-------------------------------+
// |G|G|G|G|Res'd|A| StandardRights| SpecificRights |
// |R|W|E|A| |S| | |
// +-+-------------+---------------+-------------------------------+
//
// typedef struct _ACCESS_MASK {
// USHORT SpecificRights;
// UCHAR StandardRights;
// UCHAR AccessSystemAcl : 1;
// UCHAR Reserved : 3;
// UCHAR GenericAll : 1;
// UCHAR GenericExecute : 1;
// UCHAR GenericWrite : 1;
// UCHAR GenericRead : 1;
// } ACCESS_MASK;
// typedef ACCESS_MASK *PACCESS_MASK;
//
// but to make life simple for programmer's we'll allow them to specify
// a desired access mask by simply OR'ing together mulitple single rights
// and treat an access mask as a ULONG. For example
//
// DesiredAccess = DELETE | READ_CONTROL
//
// So we'll declare ACCESS_MASK as ULONG
//
// begin_ntddk begin_wdm begin_nthal begin_ntifs
typedef ULONG ACCESS_MASK;
typedef ACCESS_MASK *PACCESS_MASK;
// end_winnt
// end_ntddk end_wdm end_nthal end_ntifs
// begin_winnt
////////////////////////////////////////////////////////////////////////
// //
// ACCESS TYPES //
// //
////////////////////////////////////////////////////////////////////////
// begin_ntddk begin_wdm begin_nthal begin_ntifs
//
// The following are masks for the predefined standard access types
//
#define DELETE (0x00010000L)
#define READ_CONTROL (0x00020000L)
#define WRITE_DAC (0x00040000L)
#define WRITE_OWNER (0x00080000L)
#define SYNCHRONIZE (0x00100000L)
#define STANDARD_RIGHTS_REQUIRED (0x000F0000L)
#define STANDARD_RIGHTS_READ (READ_CONTROL)
#define STANDARD_RIGHTS_WRITE (READ_CONTROL)
#define STANDARD_RIGHTS_EXECUTE (READ_CONTROL)
#define STANDARD_RIGHTS_ALL (0x001F0000L)
#define SPECIFIC_RIGHTS_ALL (0x0000FFFFL)
//
// AccessSystemAcl access type
//
#define ACCESS_SYSTEM_SECURITY (0x01000000L)
//
// MaximumAllowed access type
//
#define MAXIMUM_ALLOWED (0x02000000L)
//
// These are the generic rights.
//
#define GENERIC_READ (0x80000000L)
#define GENERIC_WRITE (0x40000000L)
#define GENERIC_EXECUTE (0x20000000L)
#define GENERIC_ALL (0x10000000L)
//
// Define the generic mapping array. This is used to denote the
// mapping of each generic access right to a specific access mask.
//
typedef struct _GENERIC_MAPPING {
ACCESS_MASK GenericRead;
ACCESS_MASK GenericWrite;
ACCESS_MASK GenericExecute;
ACCESS_MASK GenericAll;
} GENERIC_MAPPING;
typedef GENERIC_MAPPING *PGENERIC_MAPPING;
// end_winnt end_ntddk end_wdm end_nthal end_ntifs
// begin_ntddk begin_wdm begin_winnt begin_nthal begin_ntifs
////////////////////////////////////////////////////////////////////////
// //
// LUID_AND_ATTRIBUTES //
// //
////////////////////////////////////////////////////////////////////////
//
//
#include <pshpack4.h>
typedef struct _LUID_AND_ATTRIBUTES {
LUID Luid;
ULONG Attributes;
} LUID_AND_ATTRIBUTES, * PLUID_AND_ATTRIBUTES;
typedef LUID_AND_ATTRIBUTES LUID_AND_ATTRIBUTES_ARRAY[ANYSIZE_ARRAY];
typedef LUID_AND_ATTRIBUTES_ARRAY *PLUID_AND_ATTRIBUTES_ARRAY;
#include <poppack.h>
// end_winnt end_wdm end_ntddk end_nthal end_ntifs
// begin_winnt
////////////////////////////////////////////////////////////////////////
// //
// Security Id (SID) //
// //
////////////////////////////////////////////////////////////////////////
//
//
// Pictorially the structure of an SID is as follows:
//
// 1 1 1 1 1 1
// 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0
// +---------------------------------------------------------------+
// | SubAuthorityCount |Reserved1 (SBZ)| Revision |
// +---------------------------------------------------------------+
// | IdentifierAuthority[0] |
// +---------------------------------------------------------------+
// | IdentifierAuthority[1] |
// +---------------------------------------------------------------+
// | IdentifierAuthority[2] |
// +---------------------------------------------------------------+
// | |
// +- - - - - - - - SubAuthority[] - - - - - - - - -+
// | |
// +---------------------------------------------------------------+
//
//
// begin_ntifs
#ifndef SID_IDENTIFIER_AUTHORITY_DEFINED
#define SID_IDENTIFIER_AUTHORITY_DEFINED
typedef struct _SID_IDENTIFIER_AUTHORITY {
UCHAR Value[6];
} SID_IDENTIFIER_AUTHORITY, *PSID_IDENTIFIER_AUTHORITY;
#endif
#ifndef SID_DEFINED
#define SID_DEFINED
typedef struct _SID {
UCHAR Revision;
UCHAR SubAuthorityCount;
SID_IDENTIFIER_AUTHORITY IdentifierAuthority;
#ifdef MIDL_PASS
[size_is(SubAuthorityCount)] ULONG SubAuthority[*];
#else // MIDL_PASS
ULONG SubAuthority[ANYSIZE_ARRAY];
#endif // MIDL_PASS
} SID, *PISID;
#endif
#define SID_REVISION (1) // Current revision level
#define SID_MAX_SUB_AUTHORITIES (15)
#define SID_RECOMMENDED_SUB_AUTHORITIES (1) // Will change to around 6
// in a future release.
#ifndef MIDL_PASS
#define SECURITY_MAX_SID_SIZE \
(sizeof(SID) - sizeof(ULONG) + (SID_MAX_SUB_AUTHORITIES * sizeof(ULONG)))
#endif // MIDL_PASS
typedef enum _SID_NAME_USE {
SidTypeUser = 1,
SidTypeGroup,
SidTypeDomain,
SidTypeAlias,
SidTypeWellKnownGroup,
SidTypeDeletedAccount,
SidTypeInvalid,
SidTypeUnknown,
SidTypeComputer
} SID_NAME_USE, *PSID_NAME_USE;
typedef struct _SID_AND_ATTRIBUTES {
PSID Sid;
ULONG Attributes;
} SID_AND_ATTRIBUTES, * PSID_AND_ATTRIBUTES;
typedef SID_AND_ATTRIBUTES SID_AND_ATTRIBUTES_ARRAY[ANYSIZE_ARRAY];
typedef SID_AND_ATTRIBUTES_ARRAY *PSID_AND_ATTRIBUTES_ARRAY;
/////////////////////////////////////////////////////////////////////////////
// //
// Universal well-known SIDs //
// //
// Null SID S-1-0-0 //
// World S-1-1-0 //
// Local S-1-2-0 //
// Creator Owner ID S-1-3-0 //
// Creator Group ID S-1-3-1 //
// Creator Owner Server ID S-1-3-2 //
// Creator Group Server ID S-1-3-3 //
// //
// (Non-unique IDs) S-1-4 //
// //
/////////////////////////////////////////////////////////////////////////////
#define SECURITY_NULL_SID_AUTHORITY {0,0,0,0,0,0}
#define SECURITY_WORLD_SID_AUTHORITY {0,0,0,0,0,1}
#define SECURITY_LOCAL_SID_AUTHORITY {0,0,0,0,0,2}
#define SECURITY_CREATOR_SID_AUTHORITY {0,0,0,0,0,3}
#define SECURITY_NON_UNIQUE_AUTHORITY {0,0,0,0,0,4}
#define SECURITY_RESOURCE_MANAGER_AUTHORITY {0,0,0,0,0,9}
#define SECURITY_NULL_RID (0x00000000L)
#define SECURITY_WORLD_RID (0x00000000L)
#define SECURITY_LOCAL_RID (0x00000000L)
#define SECURITY_CREATOR_OWNER_RID (0x00000000L)
#define SECURITY_CREATOR_GROUP_RID (0x00000001L)
#define SECURITY_CREATOR_OWNER_SERVER_RID (0x00000002L)
#define SECURITY_CREATOR_GROUP_SERVER_RID (0x00000003L)
/////////////////////////////////////////////////////////////////////////////
// //
// NT well-known SIDs //
// //
// NT Authority S-1-5 //
// Dialup S-1-5-1 //
// //
// Network S-1-5-2 //
// Batch S-1-5-3 //
// Interactive S-1-5-4 //
// Service S-1-5-6 //
// AnonymousLogon S-1-5-7 (aka null logon session) //
// Proxy S-1-5-8 //
// ServerLogon S-1-5-9 (aka domain controller account) //
// Self S-1-5-10 (self RID) //
// Authenticated User S-1-5-11 (Authenticated user somewhere) //
// Restricted Code S-1-5-12 (Running restricted code) //
// Terminal Server S-1-5-13 (Running on Terminal Server) //
// Remote Logon S-1-5-14 (Remote Interactive Logon) //
// //
// (Logon IDs) S-1-5-5-X-Y //
// //
// (NT non-unique IDs) S-1-5-0x15-... //
// //
// (Built-in domain) s-1-5-0x20 //
// //
/////////////////////////////////////////////////////////////////////////////
#define SECURITY_NT_AUTHORITY {0,0,0,0,0,5} // ntifs
#define SECURITY_DIALUP_RID (0x00000001L)
#define SECURITY_NETWORK_RID (0x00000002L)
#define SECURITY_BATCH_RID (0x00000003L)
#define SECURITY_INTERACTIVE_RID (0x00000004L)
#define SECURITY_SERVICE_RID (0x00000006L)
#define SECURITY_ANONYMOUS_LOGON_RID (0x00000007L)
#define SECURITY_PROXY_RID (0x00000008L)
#define SECURITY_ENTERPRISE_CONTROLLERS_RID (0x00000009L)
#define SECURITY_SERVER_LOGON_RID SECURITY_ENTERPRISE_CONTROLLERS_RID
#define SECURITY_PRINCIPAL_SELF_RID (0x0000000AL)
#define SECURITY_AUTHENTICATED_USER_RID (0x0000000BL)
#define SECURITY_RESTRICTED_CODE_RID (0x0000000CL)
#define SECURITY_TERMINAL_SERVER_RID (0x0000000DL)
#define SECURITY_REMOTE_LOGON_RID (0x0000000EL)
#define SECURITY_LOGON_IDS_RID (0x00000005L)
#define SECURITY_LOGON_IDS_RID_COUNT (3L)
#define SECURITY_LOCAL_SYSTEM_RID (0x00000012L)
#define SECURITY_LOCAL_SERVICE_RID (0x00000013L)
#define SECURITY_NETWORK_SERVICE_RID (0x00000014L)
#define SECURITY_NT_NON_UNIQUE (0x00000015L)
#define SECURITY_NT_NON_UNIQUE_SUB_AUTH_COUNT (3L)
#define SECURITY_BUILTIN_DOMAIN_RID (0x00000020L)
/////////////////////////////////////////////////////////////////////////////
// //
// well-known domain relative sub-authority values (RIDs)... //
// //
/////////////////////////////////////////////////////////////////////////////
// Well-known users ...
#define DOMAIN_USER_RID_ADMIN (0x000001F4L)
#define DOMAIN_USER_RID_GUEST (0x000001F5L)
#define DOMAIN_USER_RID_KRBTGT (0x000001F6L)
// well-known groups ...
#define DOMAIN_GROUP_RID_ADMINS (0x00000200L)
#define DOMAIN_GROUP_RID_USERS (0x00000201L)
#define DOMAIN_GROUP_RID_GUESTS (0x00000202L)
#define DOMAIN_GROUP_RID_COMPUTERS (0x00000203L)
#define DOMAIN_GROUP_RID_CONTROLLERS (0x00000204L)
#define DOMAIN_GROUP_RID_CERT_ADMINS (0x00000205L)
#define DOMAIN_GROUP_RID_SCHEMA_ADMINS (0x00000206L)
#define DOMAIN_GROUP_RID_ENTERPRISE_ADMINS (0x00000207L)
#define DOMAIN_GROUP_RID_POLICY_ADMINS (0x00000208L)
// well-known aliases ...
#define DOMAIN_ALIAS_RID_ADMINS (0x00000220L)
#define DOMAIN_ALIAS_RID_USERS (0x00000221L)
#define DOMAIN_ALIAS_RID_GUESTS (0x00000222L)
#define DOMAIN_ALIAS_RID_POWER_USERS (0x00000223L)
#define DOMAIN_ALIAS_RID_ACCOUNT_OPS (0x00000224L)
#define DOMAIN_ALIAS_RID_SYSTEM_OPS (0x00000225L)
#define DOMAIN_ALIAS_RID_PRINT_OPS (0x00000226L)
#define DOMAIN_ALIAS_RID_BACKUP_OPS (0x00000227L)
#define DOMAIN_ALIAS_RID_REPLICATOR (0x00000228L)
#define DOMAIN_ALIAS_RID_RAS_SERVERS (0x00000229L)
#define DOMAIN_ALIAS_RID_PREW2KCOMPACCESS (0x0000022AL)
#define DOMAIN_ALIAS_RID_REMOTE_DESKTOP_USERS (0x0000022BL)
#define DOMAIN_ALIAS_RID_NETWORK_CONFIGURATION_OPS (0x0000022CL)
// end_winnt end_ntifs
/////////////////////////////////////////////////////////////////////////////
// //
// Foreign Security Authorities //
// //
// SiteServer Authority S-1-6 //
// Internet Site Authority S-1-7 //
// Exchange Authority S-1-8 //
// Resource Manager Authority S-1-9 //
// //
/////////////////////////////////////////////////////////////////////////////
#define SECURITY_SITESERVER_AUTHORITY {0,0,0,0,0,6}
#define SECURITY_INTERNETSITE_AUTHORITY {0,0,0,0,0,7}
#define SECURITY_EXCHANGE_AUTHORITY {0,0,0,0,0,8}
// begin_winnt begin_ntifs
//
// Allocate the System Luid. The first 1000 LUIDs are reserved.
// Use #999 here (0x3E7 = 999)
//
#define SYSTEM_LUID { 0x3E7, 0x0 }
#define ANONYMOUS_LOGON_LUID { 0x3e6, 0x0 }
#define LOCALSERVICE_LUID { 0x3e5, 0x0 }
#define NETWORKSERVICE_LUID { 0x3e4, 0x0 }
// end_ntifs
////////////////////////////////////////////////////////////////////////
// //
// User and Group related SID attributes //
// //
////////////////////////////////////////////////////////////////////////
//
// Group attributes
//
#define SE_GROUP_MANDATORY (0x00000001L)
#define SE_GROUP_ENABLED_BY_DEFAULT (0x00000002L)
#define SE_GROUP_ENABLED (0x00000004L)
#define SE_GROUP_OWNER (0x00000008L)
#define SE_GROUP_USE_FOR_DENY_ONLY (0x00000010L)
#define SE_GROUP_LOGON_ID (0xC0000000L)
#define SE_GROUP_RESOURCE (0x20000000L)
//
// User attributes
//
// (None yet defined.)
////////////////////////////////////////////////////////////////////////
// //
// ACL and ACE //
// //
////////////////////////////////////////////////////////////////////////
//
// Define an ACL and the ACE format. The structure of an ACL header
// followed by one or more ACEs. Pictorally the structure of an ACL header
// is as follows:
//
// 3 3 2 2 2 2 2 2 2 2 2 2 1 1 1 1 1 1 1 1 1 1
// 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0
// +-------------------------------+---------------+---------------+
// | AclSize | Sbz1 | AclRevision |
// +-------------------------------+---------------+---------------+
// | Sbz2 | AceCount |
// +-------------------------------+-------------------------------+
//
// The current AclRevision is defined to be ACL_REVISION.
//
// AclSize is the size, in bytes, allocated for the ACL. This includes
// the ACL header, ACES, and remaining free space in the buffer.
//
// AceCount is the number of ACES in the ACL.
//
// begin_ntddk begin_wdm begin_ntifs
// This is the *current* ACL revision
#define ACL_REVISION (2)
#define ACL_REVISION_DS (4)
// This is the history of ACL revisions. Add a new one whenever
// ACL_REVISION is updated
#define ACL_REVISION1 (1)
#define MIN_ACL_REVISION ACL_REVISION2
#define ACL_REVISION2 (2)
#define ACL_REVISION3 (3)
#define ACL_REVISION4 (4)
#define MAX_ACL_REVISION ACL_REVISION4
typedef struct _ACL {
UCHAR AclRevision;
UCHAR Sbz1;
USHORT AclSize;
USHORT AceCount;
USHORT Sbz2;
} ACL;
typedef ACL *PACL;
// end_ntddk end_wdm
//
// The structure of an ACE is a common ace header followed by ace type
// specific data. Pictorally the structure of the common ace header is
// as follows:
//
// 3 3 2 2 2 2 2 2 2 2 2 2 1 1 1 1 1 1 1 1 1 1
// 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0
// +---------------+-------+-------+---------------+---------------+
// | AceSize | AceFlags | AceType |
// +---------------+-------+-------+---------------+---------------+
//
// AceType denotes the type of the ace, there are some predefined ace
// types
//
// AceSize is the size, in bytes, of ace.
//
// AceFlags are the Ace flags for audit and inheritance, defined shortly.
typedef struct _ACE_HEADER {
UCHAR AceType;
UCHAR AceFlags;
USHORT AceSize;
} ACE_HEADER;
typedef ACE_HEADER *PACE_HEADER;
//
// The following are the predefined ace types that go into the AceType
// field of an Ace header.
//
#define ACCESS_MIN_MS_ACE_TYPE (0x0)
#define ACCESS_ALLOWED_ACE_TYPE (0x0)
#define ACCESS_DENIED_ACE_TYPE (0x1)
#define SYSTEM_AUDIT_ACE_TYPE (0x2)
#define SYSTEM_ALARM_ACE_TYPE (0x3)
#define ACCESS_MAX_MS_V2_ACE_TYPE (0x3)
#define ACCESS_ALLOWED_COMPOUND_ACE_TYPE (0x4)
#define ACCESS_MAX_MS_V3_ACE_TYPE (0x4)
#define ACCESS_MIN_MS_OBJECT_ACE_TYPE (0x5)
#define ACCESS_ALLOWED_OBJECT_ACE_TYPE (0x5)
#define ACCESS_DENIED_OBJECT_ACE_TYPE (0x6)
#define SYSTEM_AUDIT_OBJECT_ACE_TYPE (0x7)
#define SYSTEM_ALARM_OBJECT_ACE_TYPE (0x8)
#define ACCESS_MAX_MS_OBJECT_ACE_TYPE (0x8)
#define ACCESS_MAX_MS_V4_ACE_TYPE (0x8)
#define ACCESS_MAX_MS_ACE_TYPE (0x8)
#define ACCESS_ALLOWED_CALLBACK_ACE_TYPE (0x9)
#define ACCESS_DENIED_CALLBACK_ACE_TYPE (0xA)
#define ACCESS_ALLOWED_CALLBACK_OBJECT_ACE_TYPE (0xB)
#define ACCESS_DENIED_CALLBACK_OBJECT_ACE_TYPE (0xC)
#define SYSTEM_AUDIT_CALLBACK_ACE_TYPE (0xD)
#define SYSTEM_ALARM_CALLBACK_ACE_TYPE (0xE)
#define SYSTEM_AUDIT_CALLBACK_OBJECT_ACE_TYPE (0xF)
#define SYSTEM_ALARM_CALLBACK_OBJECT_ACE_TYPE (0x10)
#define ACCESS_MAX_MS_V5_ACE_TYPE (0x10)
// end_winnt
// begin_winnt
//
// The following are the inherit flags that go into the AceFlags field
// of an Ace header.
//
#define OBJECT_INHERIT_ACE (0x1)
#define CONTAINER_INHERIT_ACE (0x2)
#define NO_PROPAGATE_INHERIT_ACE (0x4)
#define INHERIT_ONLY_ACE (0x8)
#define INHERITED_ACE (0x10)
#define VALID_INHERIT_FLAGS (0x1F)
// The following are the currently defined ACE flags that go into the
// AceFlags field of an ACE header. Each ACE type has its own set of
// AceFlags.
//
// SUCCESSFUL_ACCESS_ACE_FLAG - used only with system audit and alarm ACE
// types to indicate that a message is generated for successful accesses.
//
// FAILED_ACCESS_ACE_FLAG - used only with system audit and alarm ACE types
// to indicate that a message is generated for failed accesses.
//
//
// SYSTEM_AUDIT and SYSTEM_ALARM AceFlags
//
// These control the signaling of audit and alarms for success or failure.
//
#define SUCCESSFUL_ACCESS_ACE_FLAG (0x40)
#define FAILED_ACCESS_ACE_FLAG (0x80)
//
// We'll define the structure of the predefined ACE types. Pictorally
// the structure of the predefined ACE's is as follows:
//
// 3 3 2 2 2 2 2 2 2 2 2 2 1 1 1 1 1 1 1 1 1 1
// 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0
// +---------------+-------+-------+---------------+---------------+
// | AceFlags | Resd |Inherit| AceSize | AceType |
// +---------------+-------+-------+---------------+---------------+
// | Mask |
// +---------------------------------------------------------------+
// | |
// + +
// | |
// + Sid +
// | |
// + +
// | |
// +---------------------------------------------------------------+
//
// Mask is the access mask associated with the ACE. This is either the
// access allowed, access denied, audit, or alarm mask.
//
// Sid is the Sid associated with the ACE.
//
// The following are the four predefined ACE types.
// Examine the AceType field in the Header to determine
// which structure is appropriate to use for casting.
typedef struct _ACCESS_ALLOWED_ACE {
ACE_HEADER Header;
ACCESS_MASK Mask;
ULONG SidStart;
} ACCESS_ALLOWED_ACE;
typedef ACCESS_ALLOWED_ACE *PACCESS_ALLOWED_ACE;
typedef struct _ACCESS_DENIED_ACE {
ACE_HEADER Header;
ACCESS_MASK Mask;
ULONG SidStart;
} ACCESS_DENIED_ACE;
typedef ACCESS_DENIED_ACE *PACCESS_DENIED_ACE;
typedef struct _SYSTEM_AUDIT_ACE {
ACE_HEADER Header;
ACCESS_MASK Mask;
ULONG SidStart;
} SYSTEM_AUDIT_ACE;
typedef SYSTEM_AUDIT_ACE *PSYSTEM_AUDIT_ACE;
typedef struct _SYSTEM_ALARM_ACE {
ACE_HEADER Header;
ACCESS_MASK Mask;
ULONG SidStart;
} SYSTEM_ALARM_ACE;
typedef SYSTEM_ALARM_ACE *PSYSTEM_ALARM_ACE;
// end_ntifs
// end_winnt
//
// COMPOUND ACE
//
// 3 3 2 2 2 2 2 2 2 2 2 2 1 1 1 1 1 1 1 1 1 1
// 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0
// +---------------+-------+-------+---------------+---------------+
// | AceFlags | Resd |Inherit| AceSize | AceType |
// +---------------+-------+-------+---------------+---------------+
// | Mask |
// +-------------------------------+-------------------------------+
// | Compound ACE Type | Reserved (SBZ) |
// +-------------------------------+-------------------------------+
// | |
// + +
// | |
// + Sid +
// | |
// + +
// | |
// +---------------------------------------------------------------+
//
typedef struct _COMPOUND_ACCESS_ALLOWED_ACE {
ACE_HEADER Header;
ACCESS_MASK Mask;
USHORT CompoundAceType;
USHORT Reserved;
ULONG SidStart;
} COMPOUND_ACCESS_ALLOWED_ACE;
typedef COMPOUND_ACCESS_ALLOWED_ACE *PCOMPOUND_ACCESS_ALLOWED_ACE;
//
// Currently defined Compound ACE types
//
#define COMPOUND_ACE_IMPERSONATION 1
// begin_winnt
typedef struct _ACCESS_ALLOWED_OBJECT_ACE {
ACE_HEADER Header;
ACCESS_MASK Mask;
ULONG Flags;
GUID ObjectType;
GUID InheritedObjectType;
ULONG SidStart;
} ACCESS_ALLOWED_OBJECT_ACE, *PACCESS_ALLOWED_OBJECT_ACE;
typedef struct _ACCESS_DENIED_OBJECT_ACE {
ACE_HEADER Header;
ACCESS_MASK Mask;
ULONG Flags;
GUID ObjectType;
GUID InheritedObjectType;
ULONG SidStart;
} ACCESS_DENIED_OBJECT_ACE, *PACCESS_DENIED_OBJECT_ACE;
typedef struct _SYSTEM_AUDIT_OBJECT_ACE {
ACE_HEADER Header;
ACCESS_MASK Mask;
ULONG Flags;
GUID ObjectType;
GUID InheritedObjectType;
ULONG SidStart;
} SYSTEM_AUDIT_OBJECT_ACE, *PSYSTEM_AUDIT_OBJECT_ACE;
typedef struct _SYSTEM_ALARM_OBJECT_ACE {
ACE_HEADER Header;
ACCESS_MASK Mask;
ULONG Flags;
GUID ObjectType;
GUID InheritedObjectType;
ULONG SidStart;
} SYSTEM_ALARM_OBJECT_ACE, *PSYSTEM_ALARM_OBJECT_ACE;
//
// Callback ace support in post Win2000.
// Resource managers can put their own data after Sidstart + Length of the sid
//
typedef struct _ACCESS_ALLOWED_CALLBACK_ACE {
ACE_HEADER Header;
ACCESS_MASK Mask;
ULONG SidStart;
// Opaque resouce manager specific data
} ACCESS_ALLOWED_CALLBACK_ACE, *PACCESS_ALLOWED_CALLBACK_ACE;
typedef struct _ACCESS_DENIED_CALLBACK_ACE {
ACE_HEADER Header;
ACCESS_MASK Mask;
ULONG SidStart;
// Opaque resouce manager specific data
} ACCESS_DENIED_CALLBACK_ACE, *PACCESS_DENIED_CALLBACK_ACE;
typedef struct _SYSTEM_AUDIT_CALLBACK_ACE {
ACE_HEADER Header;
ACCESS_MASK Mask;
ULONG SidStart;
// Opaque resouce manager specific data
} SYSTEM_AUDIT_CALLBACK_ACE, *PSYSTEM_AUDIT_CALLBACK_ACE;
typedef struct _SYSTEM_ALARM_CALLBACK_ACE {
ACE_HEADER Header;
ACCESS_MASK Mask;
ULONG SidStart;
// Opaque resouce manager specific data
} SYSTEM_ALARM_CALLBACK_ACE, *PSYSTEM_ALARM_CALLBACK_ACE;
typedef struct _ACCESS_ALLOWED_CALLBACK_OBJECT_ACE {
ACE_HEADER Header;
ACCESS_MASK Mask;
ULONG Flags;
GUID ObjectType;
GUID InheritedObjectType;
ULONG SidStart;
// Opaque resouce manager specific data
} ACCESS_ALLOWED_CALLBACK_OBJECT_ACE, *PACCESS_ALLOWED_CALLBACK_OBJECT_ACE;
typedef struct _ACCESS_DENIED_CALLBACK_OBJECT_ACE {
ACE_HEADER Header;
ACCESS_MASK Mask;
ULONG Flags;
GUID ObjectType;
GUID InheritedObjectType;
ULONG SidStart;
// Opaque resouce manager specific data
} ACCESS_DENIED_CALLBACK_OBJECT_ACE, *PACCESS_DENIED_CALLBACK_OBJECT_ACE;
typedef struct _SYSTEM_AUDIT_CALLBACK_OBJECT_ACE {
ACE_HEADER Header;
ACCESS_MASK Mask;
ULONG Flags;
GUID ObjectType;
GUID InheritedObjectType;
ULONG SidStart;
// Opaque resouce manager specific data
} SYSTEM_AUDIT_CALLBACK_OBJECT_ACE, *PSYSTEM_AUDIT_CALLBACK_OBJECT_ACE;
typedef struct _SYSTEM_ALARM_CALLBACK_OBJECT_ACE {
ACE_HEADER Header;
ACCESS_MASK Mask;
ULONG Flags;
GUID ObjectType;
GUID InheritedObjectType;
ULONG SidStart;
// Opaque resouce manager specific data
} SYSTEM_ALARM_CALLBACK_OBJECT_ACE, *PSYSTEM_ALARM_CALLBACK_OBJECT_ACE;
//
// Currently define Flags for "OBJECT" ACE types.
//
#define ACE_OBJECT_TYPE_PRESENT 0x1
#define ACE_INHERITED_OBJECT_TYPE_PRESENT 0x2
//
// The following declarations are used for setting and querying information
// about and ACL. First are the various information classes available to
// the user.
//
typedef enum _ACL_INFORMATION_CLASS {
AclRevisionInformation = 1,
AclSizeInformation
} ACL_INFORMATION_CLASS;
//
// This record is returned/sent if the user is requesting/setting the
// AclRevisionInformation
//
typedef struct _ACL_REVISION_INFORMATION {
ULONG AclRevision;
} ACL_REVISION_INFORMATION;
typedef ACL_REVISION_INFORMATION *PACL_REVISION_INFORMATION;
//
// This record is returned if the user is requesting AclSizeInformation
//
typedef struct _ACL_SIZE_INFORMATION {
ULONG AceCount;
ULONG AclBytesInUse;
ULONG AclBytesFree;
} ACL_SIZE_INFORMATION;
typedef ACL_SIZE_INFORMATION *PACL_SIZE_INFORMATION;
// end_winnt
// begin_winnt
////////////////////////////////////////////////////////////////////////
// //
// SECURITY_DESCRIPTOR //
// //
////////////////////////////////////////////////////////////////////////
//
// Define the Security Descriptor and related data types.
// This is an opaque data structure.
//
// begin_wdm begin_ntddk begin_ntifs
//
// Current security descriptor revision value
//
#define SECURITY_DESCRIPTOR_REVISION (1)
#define SECURITY_DESCRIPTOR_REVISION1 (1)
// end_wdm end_ntddk
#define SECURITY_DESCRIPTOR_MIN_LENGTH (sizeof(SECURITY_DESCRIPTOR))
typedef USHORT SECURITY_DESCRIPTOR_CONTROL, *PSECURITY_DESCRIPTOR_CONTROL;
#define SE_OWNER_DEFAULTED (0x0001)
#define SE_GROUP_DEFAULTED (0x0002)
#define SE_DACL_PRESENT (0x0004)
#define SE_DACL_DEFAULTED (0x0008)
#define SE_SACL_PRESENT (0x0010)
#define SE_SACL_DEFAULTED (0x0020)
// end_winnt
#define SE_DACL_UNTRUSTED (0x0040)
#define SE_SERVER_SECURITY (0x0080)
// begin_winnt
#define SE_DACL_AUTO_INHERIT_REQ (0x0100)
#define SE_SACL_AUTO_INHERIT_REQ (0x0200)
#define SE_DACL_AUTO_INHERITED (0x0400)
#define SE_SACL_AUTO_INHERITED (0x0800)
#define SE_DACL_PROTECTED (0x1000)
#define SE_SACL_PROTECTED (0x2000)
#define SE_RM_CONTROL_VALID (0x4000)
#define SE_SELF_RELATIVE (0x8000)
//
// Where:
//
// SE_OWNER_DEFAULTED - This boolean flag, when set, indicates that the
// SID pointed to by the Owner field was provided by a
// defaulting mechanism rather than explicitly provided by the
// original provider of the security descriptor. This may
// affect the treatment of the SID with respect to inheritence
// of an owner.
//
// SE_GROUP_DEFAULTED - This boolean flag, when set, indicates that the
// SID in the Group field was provided by a defaulting mechanism
// rather than explicitly provided by the original provider of
// the security descriptor. This may affect the treatment of
// the SID with respect to inheritence of a primary group.
//
// SE_DACL_PRESENT - This boolean flag, when set, indicates that the
// security descriptor contains a discretionary ACL. If this
// flag is set and the Dacl field of the SECURITY_DESCRIPTOR is
// null, then a null ACL is explicitly being specified.
//
// SE_DACL_DEFAULTED - This boolean flag, when set, indicates that the
// ACL pointed to by the Dacl field was provided by a defaulting
// mechanism rather than explicitly provided by the original
// provider of the security descriptor. This may affect the
// treatment of the ACL with respect to inheritence of an ACL.
// This flag is ignored if the DaclPresent flag is not set.
//
// SE_SACL_PRESENT - This boolean flag, when set, indicates that the
// security descriptor contains a system ACL pointed to by the
// Sacl field. If this flag is set and the Sacl field of the
// SECURITY_DESCRIPTOR is null, then an empty (but present)
// ACL is being specified.
//
// SE_SACL_DEFAULTED - This boolean flag, when set, indicates that the
// ACL pointed to by the Sacl field was provided by a defaulting
// mechanism rather than explicitly provided by the original
// provider of the security descriptor. This may affect the
// treatment of the ACL with respect to inheritence of an ACL.
// This flag is ignored if the SaclPresent flag is not set.
//
// end_winnt
// SE_DACL_TRUSTED - This boolean flag, when set, indicates that the
// ACL pointed to by the Dacl field was provided by a trusted source
// and does not require any editing of compound ACEs. If this flag
// is not set and a compound ACE is encountered, the system will
// substitute known valid SIDs for the server SIDs in the ACEs.
//
// SE_SERVER_SECURITY - This boolean flag, when set, indicates that the
// caller wishes the system to create a Server ACL based on the
// input ACL, regardess of its source (explicit or defaulting.
// This is done by replacing all of the GRANT ACEs with compound
// ACEs granting the current server. This flag is only
// meaningful if the subject is impersonating.
//
// begin_winnt
// SE_SELF_RELATIVE - This boolean flag, when set, indicates that the
// security descriptor is in self-relative form. In this form,
// all fields of the security descriptor are contiguous in memory
// and all pointer fields are expressed as offsets from the
// beginning of the security descriptor. This form is useful
// for treating security descriptors as opaque data structures
// for transmission in communication protocol or for storage on
// secondary media.
//
//
//
// Pictorially the structure of a security descriptor is as follows:
//
// 3 3 2 2 2 2 2 2 2 2 2 2 1 1 1 1 1 1 1 1 1 1
// 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0
// +---------------------------------------------------------------+
// | Control |Reserved1 (SBZ)| Revision |
// +---------------------------------------------------------------+
// | Owner |
// +---------------------------------------------------------------+
// | Group |
// +---------------------------------------------------------------+
// | Sacl |
// +---------------------------------------------------------------+
// | Dacl |
// +---------------------------------------------------------------+
//
// In general, this data structure should be treated opaquely to ensure future
// compatibility.
//
//
typedef struct _SECURITY_DESCRIPTOR_RELATIVE {
UCHAR Revision;
UCHAR Sbz1;
SECURITY_DESCRIPTOR_CONTROL Control;
ULONG Owner;
ULONG Group;
ULONG Sacl;
ULONG Dacl;
} SECURITY_DESCRIPTOR_RELATIVE, *PISECURITY_DESCRIPTOR_RELATIVE;
typedef struct _SECURITY_DESCRIPTOR {
UCHAR Revision;
UCHAR Sbz1;
SECURITY_DESCRIPTOR_CONTROL Control;
PSID Owner;
PSID Group;
PACL Sacl;
PACL Dacl;
} SECURITY_DESCRIPTOR, *PISECURITY_DESCRIPTOR;
// end_ntifs
// Where:
//
// Revision - Contains the revision level of the security
// descriptor. This allows this structure to be passed between
// systems or stored on disk even though it is expected to
// change in the future.
//
// Control - A set of flags which qualify the meaning of the
// security descriptor or individual fields of the security
// descriptor.
//
// Owner - is a pointer to an SID representing an object's owner.
// If this field is null, then no owner SID is present in the
// security descriptor. If the security descriptor is in
// self-relative form, then this field contains an offset to
// the SID, rather than a pointer.
//
// Group - is a pointer to an SID representing an object's primary
// group. If this field is null, then no primary group SID is
// present in the security descriptor. If the security descriptor
// is in self-relative form, then this field contains an offset to
// the SID, rather than a pointer.
//
// Sacl - is a pointer to a system ACL. This field value is only
// valid if the DaclPresent control flag is set. If the
// SaclPresent flag is set and this field is null, then a null
// ACL is specified. If the security descriptor is in
// self-relative form, then this field contains an offset to
// the ACL, rather than a pointer.
//
// Dacl - is a pointer to a discretionary ACL. This field value is
// only valid if the DaclPresent control flag is set. If the
// DaclPresent flag is set and this field is null, then a null
// ACL (unconditionally granting access) is specified. If the
// security descriptor is in self-relative form, then this field
// contains an offset to the ACL, rather than a pointer.
//
// end_winnt
// begin_winnt begin_ntifs
////////////////////////////////////////////////////////////////////////
// //
// Object Type list for AccessCheckByType //
// //
////////////////////////////////////////////////////////////////////////
typedef struct _OBJECT_TYPE_LIST {
USHORT Level;
USHORT Sbz;
GUID *ObjectType;
} OBJECT_TYPE_LIST, *POBJECT_TYPE_LIST;
//
// DS values for Level
//
#define ACCESS_OBJECT_GUID 0
#define ACCESS_PROPERTY_SET_GUID 1
#define ACCESS_PROPERTY_GUID 2
#define ACCESS_MAX_LEVEL 4
//
// Parameters to NtAccessCheckByTypeAndAditAlarm
//
typedef enum _AUDIT_EVENT_TYPE {
AuditEventObjectAccess,
AuditEventDirectoryServiceAccess
} AUDIT_EVENT_TYPE, *PAUDIT_EVENT_TYPE;
#define AUDIT_ALLOW_NO_PRIVILEGE 0x1
//
// DS values for Source and ObjectTypeName
//
#define ACCESS_DS_SOURCE_A "DS"
#define ACCESS_DS_SOURCE_W L"DS"
#define ACCESS_DS_OBJECT_TYPE_NAME_A "Directory Service Object"
#define ACCESS_DS_OBJECT_TYPE_NAME_W L"Directory Service Object"
////////////////////////////////////////////////////////////////////////
// //
// Privilege Related Data Structures //
// //
////////////////////////////////////////////////////////////////////////
// begin_wdm begin_ntddk begin_nthal
//
// Privilege attributes
//
#define SE_PRIVILEGE_ENABLED_BY_DEFAULT (0x00000001L)
#define SE_PRIVILEGE_ENABLED (0x00000002L)
#define SE_PRIVILEGE_USED_FOR_ACCESS (0x80000000L)
//
// Privilege Set Control flags
//
#define PRIVILEGE_SET_ALL_NECESSARY (1)
//
// Privilege Set - This is defined for a privilege set of one.
// If more than one privilege is needed, then this structure
// will need to be allocated with more space.
//
// Note: don't change this structure without fixing the INITIAL_PRIVILEGE_SET
// structure (defined in se.h)
//
typedef struct _PRIVILEGE_SET {
ULONG PrivilegeCount;
ULONG Control;
LUID_AND_ATTRIBUTES Privilege[ANYSIZE_ARRAY];
} PRIVILEGE_SET, * PPRIVILEGE_SET;
// end_winnt end_wdm end_ntddk end_nthal end_ntifs
// begin_winnt
////////////////////////////////////////////////////////////////////////
// //
// NT Defined Privileges //
// //
////////////////////////////////////////////////////////////////////////
// end_winnt
//
// ** ** ** ** ** ** ** ** ** ** NOTE ** ** ** ** ** ** ** ** ** ** ** ** **
//
// Any additions or deletions to the following list
// of privileges must have corresponding changes made
// in the following files:
// - ntos\se\seglobal.c
// - ds\security\base\lsa\msprivs\msprivs.rc
// - ds\security\base\lsa\server\dspolicy\dbpriv.c
//
// ** ** ** ** ** ** ** ** ** ** NOTE ** ** ** ** ** ** ** ** ** ** ** ** **
//
// begin_winnt
#define SE_CREATE_TOKEN_NAME TEXT("SeCreateTokenPrivilege")
#define SE_ASSIGNPRIMARYTOKEN_NAME TEXT("SeAssignPrimaryTokenPrivilege")
#define SE_LOCK_MEMORY_NAME TEXT("SeLockMemoryPrivilege")
#define SE_INCREASE_QUOTA_NAME TEXT("SeIncreaseQuotaPrivilege")
#define SE_UNSOLICITED_INPUT_NAME TEXT("SeUnsolicitedInputPrivilege")
#define SE_MACHINE_ACCOUNT_NAME TEXT("SeMachineAccountPrivilege")
#define SE_TCB_NAME TEXT("SeTcbPrivilege")
#define SE_SECURITY_NAME TEXT("SeSecurityPrivilege")
#define SE_TAKE_OWNERSHIP_NAME TEXT("SeTakeOwnershipPrivilege")
#define SE_LOAD_DRIVER_NAME TEXT("SeLoadDriverPrivilege")
#define SE_SYSTEM_PROFILE_NAME TEXT("SeSystemProfilePrivilege")
#define SE_SYSTEMTIME_NAME TEXT("SeSystemtimePrivilege")
#define SE_PROF_SINGLE_PROCESS_NAME TEXT("SeProfileSingleProcessPrivilege")
#define SE_INC_BASE_PRIORITY_NAME TEXT("SeIncreaseBasePriorityPrivilege")
#define SE_CREATE_PAGEFILE_NAME TEXT("SeCreatePagefilePrivilege")
#define SE_CREATE_PERMANENT_NAME TEXT("SeCreatePermanentPrivilege")
#define SE_BACKUP_NAME TEXT("SeBackupPrivilege")
#define SE_RESTORE_NAME TEXT("SeRestorePrivilege")
#define SE_SHUTDOWN_NAME TEXT("SeShutdownPrivilege")
#define SE_DEBUG_NAME TEXT("SeDebugPrivilege")
#define SE_AUDIT_NAME TEXT("SeAuditPrivilege")
#define SE_SYSTEM_ENVIRONMENT_NAME TEXT("SeSystemEnvironmentPrivilege")
#define SE_CHANGE_NOTIFY_NAME TEXT("SeChangeNotifyPrivilege")
#define SE_REMOTE_SHUTDOWN_NAME TEXT("SeRemoteShutdownPrivilege")
#define SE_UNDOCK_NAME TEXT("SeUndockPrivilege")
#define SE_SYNC_AGENT_NAME TEXT("SeSyncAgentPrivilege")
#define SE_ENABLE_DELEGATION_NAME TEXT("SeEnableDelegationPrivilege")
#define SE_MANAGE_VOLUME_NAME TEXT("SeManageVolumePrivilege")
// end_winnt
// begin_wdm begin_ntddk begin_ntifs
//
// These must be converted to LUIDs before use.
//
#define SE_MIN_WELL_KNOWN_PRIVILEGE (2L)
#define SE_CREATE_TOKEN_PRIVILEGE (2L)
#define SE_ASSIGNPRIMARYTOKEN_PRIVILEGE (3L)
#define SE_LOCK_MEMORY_PRIVILEGE (4L)
#define SE_INCREASE_QUOTA_PRIVILEGE (5L)
// end_wdm
//
// Unsolicited Input is obsolete and unused.
//
#define SE_UNSOLICITED_INPUT_PRIVILEGE (6L)
// begin_wdm
#define SE_MACHINE_ACCOUNT_PRIVILEGE (6L)
#define SE_TCB_PRIVILEGE (7L)
#define SE_SECURITY_PRIVILEGE (8L)
#define SE_TAKE_OWNERSHIP_PRIVILEGE (9L)
#define SE_LOAD_DRIVER_PRIVILEGE (10L)
#define SE_SYSTEM_PROFILE_PRIVILEGE (11L)
#define SE_SYSTEMTIME_PRIVILEGE (12L)
#define SE_PROF_SINGLE_PROCESS_PRIVILEGE (13L)
#define SE_INC_BASE_PRIORITY_PRIVILEGE (14L)
#define SE_CREATE_PAGEFILE_PRIVILEGE (15L)
#define SE_CREATE_PERMANENT_PRIVILEGE (16L)
#define SE_BACKUP_PRIVILEGE (17L)
#define SE_RESTORE_PRIVILEGE (18L)
#define SE_SHUTDOWN_PRIVILEGE (19L)
#define SE_DEBUG_PRIVILEGE (20L)
#define SE_AUDIT_PRIVILEGE (21L)
#define SE_SYSTEM_ENVIRONMENT_PRIVILEGE (22L)
#define SE_CHANGE_NOTIFY_PRIVILEGE (23L)
#define SE_REMOTE_SHUTDOWN_PRIVILEGE (24L)
#define SE_UNDOCK_PRIVILEGE (25L)
#define SE_SYNC_AGENT_PRIVILEGE (26L)
#define SE_ENABLE_DELEGATION_PRIVILEGE (27L)
#define SE_MANAGE_VOLUME_PRIVILEGE (28L)
#define SE_MAX_WELL_KNOWN_PRIVILEGE (SE_MANAGE_VOLUME_PRIVILEGE)
// end_wdm end_ntddk end_ntifs
// begin_winnt
////////////////////////////////////////////////////////////////////
// //
// Security Quality Of Service //
// //
// //
////////////////////////////////////////////////////////////////////
// begin_wdm begin_ntddk begin_nthal begin_ntifs
//
// Impersonation Level
//
// Impersonation level is represented by a pair of bits in Windows.
// If a new impersonation level is added or lowest value is changed from
// 0 to something else, fix the Windows CreateFile call.
//
typedef enum _SECURITY_IMPERSONATION_LEVEL {
SecurityAnonymous,
SecurityIdentification,
SecurityImpersonation,
SecurityDelegation
} SECURITY_IMPERSONATION_LEVEL, * PSECURITY_IMPERSONATION_LEVEL;
#define SECURITY_MAX_IMPERSONATION_LEVEL SecurityDelegation
#define SECURITY_MIN_IMPERSONATION_LEVEL SecurityAnonymous
#define DEFAULT_IMPERSONATION_LEVEL SecurityImpersonation
#define VALID_IMPERSONATION_LEVEL(L) (((L) >= SECURITY_MIN_IMPERSONATION_LEVEL) && ((L) <= SECURITY_MAX_IMPERSONATION_LEVEL))
// end_nthal end_wdm end_ntddk end_ntifs end_winnt
//
// begin_winnt begin_ntifs
////////////////////////////////////////////////////////////////////
// //
// Token Object Definitions //
// //
// //
////////////////////////////////////////////////////////////////////
//
// Token Specific Access Rights.
//
#define TOKEN_ASSIGN_PRIMARY (0x0001)
#define TOKEN_DUPLICATE (0x0002)
#define TOKEN_IMPERSONATE (0x0004)
#define TOKEN_QUERY (0x0008)
#define TOKEN_QUERY_SOURCE (0x0010)
#define TOKEN_ADJUST_PRIVILEGES (0x0020)
#define TOKEN_ADJUST_GROUPS (0x0040)
#define TOKEN_ADJUST_DEFAULT (0x0080)
#define TOKEN_ADJUST_SESSIONID (0x0100)
#define TOKEN_ALL_ACCESS_P (STANDARD_RIGHTS_REQUIRED |\
TOKEN_ASSIGN_PRIMARY |\
TOKEN_DUPLICATE |\
TOKEN_IMPERSONATE |\
TOKEN_QUERY |\
TOKEN_QUERY_SOURCE |\
TOKEN_ADJUST_PRIVILEGES |\
TOKEN_ADJUST_GROUPS |\
TOKEN_ADJUST_DEFAULT )
#if ((defined(_WIN32_WINNT) && (_WIN32_WINNT > 0x0400)) || (!defined(_WIN32_WINNT)))
#define TOKEN_ALL_ACCESS (TOKEN_ALL_ACCESS_P |\
TOKEN_ADJUST_SESSIONID )
#else
#define TOKEN_ALL_ACCESS (TOKEN_ALL_ACCESS_P)
#endif
#define TOKEN_READ (STANDARD_RIGHTS_READ |\
TOKEN_QUERY)
#define TOKEN_WRITE (STANDARD_RIGHTS_WRITE |\
TOKEN_ADJUST_PRIVILEGES |\
TOKEN_ADJUST_GROUPS |\
TOKEN_ADJUST_DEFAULT)
#define TOKEN_EXECUTE (STANDARD_RIGHTS_EXECUTE)
//
//
// Token Types
//
typedef enum _TOKEN_TYPE {
TokenPrimary = 1,
TokenImpersonation
} TOKEN_TYPE;
typedef TOKEN_TYPE *PTOKEN_TYPE;
//
// Token Information Classes.
//
typedef enum _TOKEN_INFORMATION_CLASS {
TokenUser = 1,
TokenGroups,
TokenPrivileges,
TokenOwner,
TokenPrimaryGroup,
TokenDefaultDacl,
TokenSource,
TokenType,
TokenImpersonationLevel,
TokenStatistics,
TokenRestrictedSids,
TokenSessionId,
TokenGroupsAndPrivileges,
TokenSessionReference,
TokenSandBoxInert
} TOKEN_INFORMATION_CLASS, *PTOKEN_INFORMATION_CLASS;
//
// Token information class structures
//
typedef struct _TOKEN_USER {
SID_AND_ATTRIBUTES User;
} TOKEN_USER, *PTOKEN_USER;
typedef struct _TOKEN_GROUPS {
ULONG GroupCount;
SID_AND_ATTRIBUTES Groups[ANYSIZE_ARRAY];
} TOKEN_GROUPS, *PTOKEN_GROUPS;
typedef struct _TOKEN_PRIVILEGES {
ULONG PrivilegeCount;
LUID_AND_ATTRIBUTES Privileges[ANYSIZE_ARRAY];
} TOKEN_PRIVILEGES, *PTOKEN_PRIVILEGES;
typedef struct _TOKEN_OWNER {
PSID Owner;
} TOKEN_OWNER, *PTOKEN_OWNER;
typedef struct _TOKEN_PRIMARY_GROUP {
PSID PrimaryGroup;
} TOKEN_PRIMARY_GROUP, *PTOKEN_PRIMARY_GROUP;
typedef struct _TOKEN_DEFAULT_DACL {
PACL DefaultDacl;
} TOKEN_DEFAULT_DACL, *PTOKEN_DEFAULT_DACL;
typedef struct _TOKEN_GROUPS_AND_PRIVILEGES {
ULONG SidCount;
ULONG SidLength;
PSID_AND_ATTRIBUTES Sids;
ULONG RestrictedSidCount;
ULONG RestrictedSidLength;
PSID_AND_ATTRIBUTES RestrictedSids;
ULONG PrivilegeCount;
ULONG PrivilegeLength;
PLUID_AND_ATTRIBUTES Privileges;
LUID AuthenticationId;
} TOKEN_GROUPS_AND_PRIVILEGES, *PTOKEN_GROUPS_AND_PRIVILEGES;
// end_winnt end_ntifs
typedef enum _PROXY_CLASS {
ProxyFull,
ProxyService,
ProxyTree,
ProxyDirectory
} PROXY_CLASS, * PPROXY_CLASS;
typedef struct _SECURITY_TOKEN_PROXY_DATA {
ULONG Length;
PROXY_CLASS ProxyClass;
UNICODE_STRING PathInfo;
ACCESS_MASK ContainerMask;
ACCESS_MASK ObjectMask;
} SECURITY_TOKEN_PROXY_DATA, *PSECURITY_TOKEN_PROXY_DATA;
typedef struct _SECURITY_TOKEN_AUDIT_DATA {
ULONG Length;
ACCESS_MASK GrantMask;
ACCESS_MASK DenyMask;
} SECURITY_TOKEN_AUDIT_DATA, *PSECURITY_TOKEN_AUDIT_DATA;
// begin_ntifs begin_winnt
#define TOKEN_SOURCE_LENGTH 8
typedef struct _TOKEN_SOURCE {
CHAR SourceName[TOKEN_SOURCE_LENGTH];
LUID SourceIdentifier;
} TOKEN_SOURCE, *PTOKEN_SOURCE;
typedef struct _TOKEN_STATISTICS {
LUID TokenId;
LUID AuthenticationId;
LARGE_INTEGER ExpirationTime;
TOKEN_TYPE TokenType;
SECURITY_IMPERSONATION_LEVEL ImpersonationLevel;
ULONG DynamicCharged;
ULONG DynamicAvailable;
ULONG GroupCount;
ULONG PrivilegeCount;
LUID ModifiedId;
} TOKEN_STATISTICS, *PTOKEN_STATISTICS;
typedef struct _TOKEN_CONTROL {
LUID TokenId;
LUID AuthenticationId;
LUID ModifiedId;
TOKEN_SOURCE TokenSource;
} TOKEN_CONTROL, *PTOKEN_CONTROL;
// end_winnt
// end_ntifs
// begin_wdm begin_ntddk begin_ntifs begin_winnt
//
// Security Tracking Mode
//
#define SECURITY_DYNAMIC_TRACKING (TRUE)
#define SECURITY_STATIC_TRACKING (FALSE)
typedef BOOLEAN SECURITY_CONTEXT_TRACKING_MODE,
* PSECURITY_CONTEXT_TRACKING_MODE;
//
// Quality Of Service
//
typedef struct _SECURITY_QUALITY_OF_SERVICE {
ULONG Length;
SECURITY_IMPERSONATION_LEVEL ImpersonationLevel;
SECURITY_CONTEXT_TRACKING_MODE ContextTrackingMode;
BOOLEAN EffectiveOnly;
} SECURITY_QUALITY_OF_SERVICE, * PSECURITY_QUALITY_OF_SERVICE;
// end_winnt end_wdm end_ntddk end_ntifs
//
// Advanced Quality of Service
//
typedef struct _SECURITY_ADVANCED_QUALITY_OF_SERVICE {
ULONG Length;
SECURITY_IMPERSONATION_LEVEL ImpersonationLevel;
SECURITY_CONTEXT_TRACKING_MODE ContextTrackingMode;
BOOLEAN EffectiveOnly;
PSECURITY_TOKEN_PROXY_DATA ProxyData;
PSECURITY_TOKEN_AUDIT_DATA AuditData;
} SECURITY_ADVANCED_QUALITY_OF_SERVICE, *PSECURITY_ADVANCED_QUALITY_OF_SERVICE;
// begin_wdm begin_ntddk begin_ntifs begin_winnt
//
// Used to represent information related to a thread impersonation
//
typedef struct _SE_IMPERSONATION_STATE {
PACCESS_TOKEN Token;
BOOLEAN CopyOnOpen;
BOOLEAN EffectiveOnly;
SECURITY_IMPERSONATION_LEVEL Level;
} SE_IMPERSONATION_STATE, *PSE_IMPERSONATION_STATE;
// end_winnt end_wdm end_ntddk end_ntifs
////////////////////////////////////////////////////////////////////////
// //
// Flags for NtFilerToken //
// //
////////////////////////////////////////////////////////////////////////
#define DISABLE_MAX_PRIVILEGE 0x1 // winnt
#define SANDBOX_INERT 0x2 // winnt
////////////////////////////////////////////////////////////////////////
// //
// General Security definitions //
// //
////////////////////////////////////////////////////////////////////////
//
// Security information associated with objects.
// Used for query operations.
//
// This will be extended in the future to include mandatory access control.
//
// begin_winnt begin_wdm begin_ntddk begin_nthal begin_ntifs
typedef ULONG SECURITY_INFORMATION, *PSECURITY_INFORMATION;
#define OWNER_SECURITY_INFORMATION (0x00000001L)
#define GROUP_SECURITY_INFORMATION (0x00000002L)
#define DACL_SECURITY_INFORMATION (0x00000004L)
#define SACL_SECURITY_INFORMATION (0x00000008L)
#define PROTECTED_DACL_SECURITY_INFORMATION (0x80000000L)
#define PROTECTED_SACL_SECURITY_INFORMATION (0x40000000L)
#define UNPROTECTED_DACL_SECURITY_INFORMATION (0x20000000L)
#define UNPROTECTED_SACL_SECURITY_INFORMATION (0x10000000L)
// end_winnt end_wdm end_ntddk end_nthal end_ntifs
//
// used for password manipulations
//
typedef struct _SECURITY_SEED_AND_LENGTH {
UCHAR Length;
UCHAR Seed;
} SECURITY_SEED_AND_LENGTH, *PSECURITY_SEED_AND_LENGTH;
////////////////////////////////////////////////////////////////////////
// //
// Security System Service Defnitions //
// //
////////////////////////////////////////////////////////////////////////
//
// Security check system services
//
NTSYSCALLAPI
NTSTATUS
NTAPI
NtAccessCheck (
IN PSECURITY_DESCRIPTOR SecurityDescriptor,
IN HANDLE ClientToken,
IN ACCESS_MASK DesiredAccess,
IN PGENERIC_MAPPING GenericMapping,
OUT PPRIVILEGE_SET PrivilegeSet,
IN OUT PULONG PrivilegeSetLength,
OUT PACCESS_MASK GrantedAccess,
OUT PNTSTATUS AccessStatus
);
NTSYSCALLAPI
NTSTATUS
NTAPI
NtAccessCheckByType (
IN PSECURITY_DESCRIPTOR SecurityDescriptor,
IN PSID PrincipalSelfSid,
IN HANDLE ClientToken,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_TYPE_LIST ObjectTypeList,
IN ULONG ObjectTypeListLength,
IN PGENERIC_MAPPING GenericMapping,
OUT PPRIVILEGE_SET PrivilegeSet,
IN OUT PULONG PrivilegeSetLength,
OUT PACCESS_MASK GrantedAccess,
OUT PNTSTATUS AccessStatus
);
NTSYSCALLAPI
NTSTATUS
NTAPI
NtAccessCheckByTypeResultList (
IN PSECURITY_DESCRIPTOR SecurityDescriptor,
IN PSID PrincipalSelfSid,
IN HANDLE ClientToken,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_TYPE_LIST ObjectTypeList,
IN ULONG ObjectTypeListLength,
IN PGENERIC_MAPPING GenericMapping,
OUT PPRIVILEGE_SET PrivilegeSet,
IN OUT PULONG PrivilegeSetLength,
OUT PACCESS_MASK GrantedAccess,
OUT PNTSTATUS AccessStatus
);
///////////////////////////////////////////////////////////////////////
// //
// Token Object System Services //
// //
///////////////////////////////////////////////////////////////////////
NTSYSCALLAPI
NTSTATUS
NTAPI
NtCreateToken(
OUT PHANDLE TokenHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
IN TOKEN_TYPE TokenType,
IN PLUID AuthenticationId,
IN PLARGE_INTEGER ExpirationTime,
IN PTOKEN_USER User,
IN PTOKEN_GROUPS Groups,
IN PTOKEN_PRIVILEGES Privileges,
IN PTOKEN_OWNER Owner OPTIONAL,
IN PTOKEN_PRIMARY_GROUP PrimaryGroup,
IN PTOKEN_DEFAULT_DACL DefaultDacl OPTIONAL,
IN PTOKEN_SOURCE TokenSource
);
NTSYSCALLAPI
NTSTATUS
NTAPI
NtCompareTokens(
IN HANDLE FirstTokenHandle,
IN HANDLE SecondTokenHandle,
OUT PBOOLEAN Equal
);
// begin_ntifs
NTSYSCALLAPI
NTSTATUS
NTAPI
NtOpenThreadToken(
IN HANDLE ThreadHandle,
IN ACCESS_MASK DesiredAccess,
IN BOOLEAN OpenAsSelf,
OUT PHANDLE TokenHandle
);
NTSYSCALLAPI
NTSTATUS
NTAPI
NtOpenThreadTokenEx(
IN HANDLE ThreadHandle,
IN ACCESS_MASK DesiredAccess,
IN BOOLEAN OpenAsSelf,
IN ULONG HandleAttributes,
OUT PHANDLE TokenHandle
);
NTSYSCALLAPI
NTSTATUS
NTAPI
NtOpenProcessToken(
IN HANDLE ProcessHandle,
IN ACCESS_MASK DesiredAccess,
OUT PHANDLE TokenHandle
);
NTSYSCALLAPI
NTSTATUS
NTAPI
NtOpenProcessTokenEx(
IN HANDLE ProcessHandle,
IN ACCESS_MASK DesiredAccess,
IN ULONG HandleAttributes,
OUT PHANDLE TokenHandle
);
NTSYSAPI
NTSTATUS
NTAPI
NtOpenJobObjectToken(
IN HANDLE JobHandle,
IN ACCESS_MASK DesiredAccess,
OUT PHANDLE TokenHandle
);
NTSYSCALLAPI
NTSTATUS
NTAPI
NtDuplicateToken(
IN HANDLE ExistingTokenHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN BOOLEAN EffectiveOnly,
IN TOKEN_TYPE TokenType,
OUT PHANDLE NewTokenHandle
);
NTSYSCALLAPI
NTSTATUS
NTAPI
NtFilterToken (
IN HANDLE ExistingTokenHandle,
IN ULONG Flags,
IN PTOKEN_GROUPS SidsToDisable OPTIONAL,
IN PTOKEN_PRIVILEGES PrivilegesToDelete OPTIONAL,
IN PTOKEN_GROUPS RestrictedSids OPTIONAL,
OUT PHANDLE NewTokenHandle
);
NTSYSCALLAPI
NTSTATUS
NTAPI
NtImpersonateAnonymousToken(
IN HANDLE ThreadHandle
);
NTSYSCALLAPI
NTSTATUS
NTAPI
NtQueryInformationToken (
IN HANDLE TokenHandle,
IN TOKEN_INFORMATION_CLASS TokenInformationClass,
OUT PVOID TokenInformation,
IN ULONG TokenInformationLength,
OUT PULONG ReturnLength
);
NTSYSCALLAPI
NTSTATUS
NTAPI
NtSetInformationToken (
IN HANDLE TokenHandle,
IN TOKEN_INFORMATION_CLASS TokenInformationClass,
IN PVOID TokenInformation,
IN ULONG TokenInformationLength
);
NTSYSCALLAPI
NTSTATUS
NTAPI
NtAdjustPrivilegesToken (
IN HANDLE TokenHandle,
IN BOOLEAN DisableAllPrivileges,
IN PTOKEN_PRIVILEGES NewState OPTIONAL,
IN ULONG BufferLength OPTIONAL,
OUT PTOKEN_PRIVILEGES PreviousState OPTIONAL,
OUT PULONG ReturnLength
);
NTSYSCALLAPI
NTSTATUS
NTAPI
NtAdjustGroupsToken (
IN HANDLE TokenHandle,
IN BOOLEAN ResetToDefault,
IN PTOKEN_GROUPS NewState OPTIONAL,
IN ULONG BufferLength OPTIONAL,
OUT PTOKEN_GROUPS PreviousState OPTIONAL,
OUT PULONG ReturnLength
);
NTSYSCALLAPI
NTSTATUS
NTAPI
NtPrivilegeCheck (
IN HANDLE ClientToken,
IN OUT PPRIVILEGE_SET RequiredPrivileges,
OUT PBOOLEAN Result
);
NTSYSCALLAPI
NTSTATUS
NTAPI
NtAccessCheckAndAuditAlarm (
IN PUNICODE_STRING SubsystemName,
IN PVOID HandleId,
IN PUNICODE_STRING ObjectTypeName,
IN PUNICODE_STRING ObjectName,
IN PSECURITY_DESCRIPTOR SecurityDescriptor,
IN ACCESS_MASK DesiredAccess,
IN PGENERIC_MAPPING GenericMapping,
IN BOOLEAN ObjectCreation,
OUT PACCESS_MASK GrantedAccess,
OUT PNTSTATUS AccessStatus,
OUT PBOOLEAN GenerateOnClose
);
NTSYSCALLAPI
NTSTATUS
NTAPI
NtAccessCheckByTypeAndAuditAlarm (
IN PUNICODE_STRING SubsystemName,
IN PVOID HandleId,
IN PUNICODE_STRING ObjectTypeName,
IN PUNICODE_STRING ObjectName,
IN PSECURITY_DESCRIPTOR SecurityDescriptor,
IN PSID PrincipalSelfSid,
IN ACCESS_MASK DesiredAccess,
IN AUDIT_EVENT_TYPE AuditType,
IN ULONG Flags,
IN POBJECT_TYPE_LIST ObjectTypeList OPTIONAL,
IN ULONG ObjectTypeListLength,
IN PGENERIC_MAPPING GenericMapping,
IN BOOLEAN ObjectCreation,
OUT PACCESS_MASK GrantedAccess,
OUT PNTSTATUS AccessStatus,
OUT PBOOLEAN GenerateOnClose
);
NTSYSCALLAPI
NTSTATUS
NTAPI
NtAccessCheckByTypeResultListAndAuditAlarm (
IN PUNICODE_STRING SubsystemName,
IN PVOID HandleId,
IN PUNICODE_STRING ObjectTypeName,
IN PUNICODE_STRING ObjectName,
IN PSECURITY_DESCRIPTOR SecurityDescriptor,
IN PSID PrincipalSelfSid,
IN ACCESS_MASK DesiredAccess,
IN AUDIT_EVENT_TYPE AuditType,
IN ULONG Flags,
IN POBJECT_TYPE_LIST ObjectTypeList OPTIONAL,
IN ULONG ObjectTypeListLength,
IN PGENERIC_MAPPING GenericMapping,
IN BOOLEAN ObjectCreation,
OUT PACCESS_MASK GrantedAccess,
OUT PNTSTATUS AccessStatus,
OUT PBOOLEAN GenerateOnClose
);
NTSYSCALLAPI
NTSTATUS
NTAPI
NtAccessCheckByTypeResultListAndAuditAlarmByHandle (
IN PUNICODE_STRING SubsystemName,
IN PVOID HandleId,
IN HANDLE ClientToken,
IN PUNICODE_STRING ObjectTypeName,
IN PUNICODE_STRING ObjectName,
IN PSECURITY_DESCRIPTOR SecurityDescriptor,
IN PSID PrincipalSelfSid,
IN ACCESS_MASK DesiredAccess,
IN AUDIT_EVENT_TYPE AuditType,
IN ULONG Flags,
IN POBJECT_TYPE_LIST ObjectTypeList OPTIONAL,
IN ULONG ObjectTypeListLength,
IN PGENERIC_MAPPING GenericMapping,
IN BOOLEAN ObjectCreation,
OUT PACCESS_MASK GrantedAccess,
OUT PNTSTATUS AccessStatus,
OUT PBOOLEAN GenerateOnClose
);
NTSYSCALLAPI
NTSTATUS
NTAPI
NtOpenObjectAuditAlarm (
IN PUNICODE_STRING SubsystemName,
IN PVOID HandleId OPTIONAL,
IN PUNICODE_STRING ObjectTypeName,
IN PUNICODE_STRING ObjectName,
IN PSECURITY_DESCRIPTOR SecurityDescriptor OPTIONAL,
IN HANDLE ClientToken,
IN ACCESS_MASK DesiredAccess,
IN ACCESS_MASK GrantedAccess,
IN PPRIVILEGE_SET Privileges OPTIONAL,
IN BOOLEAN ObjectCreation,
IN BOOLEAN AccessGranted,
OUT PBOOLEAN GenerateOnClose
);
NTSYSCALLAPI
NTSTATUS
NTAPI
NtPrivilegeObjectAuditAlarm (
IN PUNICODE_STRING SubsystemName,
IN PVOID HandleId,
IN HANDLE ClientToken,
IN ACCESS_MASK DesiredAccess,
IN PPRIVILEGE_SET Privileges,
IN BOOLEAN AccessGranted
);
NTSYSCALLAPI
NTSTATUS
NTAPI
NtCloseObjectAuditAlarm (
IN PUNICODE_STRING SubsystemName,
IN PVOID HandleId,
IN BOOLEAN GenerateOnClose
);
NTSYSCALLAPI
NTSTATUS
NTAPI
NtDeleteObjectAuditAlarm (
IN PUNICODE_STRING SubsystemName,
IN PVOID HandleId,
IN BOOLEAN GenerateOnClose
);
NTSYSCALLAPI
NTSTATUS
NTAPI
NtPrivilegedServiceAuditAlarm (
IN PUNICODE_STRING SubsystemName,
IN PUNICODE_STRING ServiceName,
IN HANDLE ClientToken,
IN PPRIVILEGE_SET Privileges,
IN BOOLEAN AccessGranted
);
// end_ntifs
#ifdef __cplusplus
}
#endif
#endif // _NTSEAPI_
Reference in a new issue View git blame Copy permalink