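#include "pch.h"
#pragma hdrstop

#include "ntaccess.h"
#include "azaccess.h"
#include "bmcommon.h"
#include "benchmrk.h"

//
// Authz handles and reply buffers used by the benchmark. EXTERN_C makes
// these declarations only; the objects themselves are not defined here.
//
EXTERN_C AUTHZ_RESOURCE_MANAGER_HANDLE hAuthzResourceManager;
EXTERN_C AUTHZ_RM_AUDIT_INFO_HANDLE    hRmAuditInfo;

// Elapsed time of the last Authz / NT run, printed below as seconds.
double az_time, nt_time;

EXTERN_C PAUTHZ_ACCESS_REPLY     pReply, pReplyOT;
EXTERN_C AUTHZ_AUDIT_INFO_HANDLE hAuditInfo;


//
// Compares the results of the NT access-check run with those of the Authz
// run and prints one report per disagreement.
//
//   Flags - benchmark flags; BMF_UseObjTypeList selects the per-object-type
//           comparison (pReplyOT, ObjectTypeListLength entries), otherwise
//           only entry 0 of pReply is compared.
//
// A mismatch means the two authorization paths disagreed for the same
// request. It is reported on stdout only; nothing is returned to the caller
// and the process exit code is not affected.
//
static void ReportAccessCheckMismatches( IN DWORD Flags )
{
    if ( Flags & BMF_UseObjTypeList )
    {
        UINT len = ObjectTypeListLength;

        for (UINT i = 0; i < len; i++)
        {
            // Differ either in the per-entry status, or in the granted
            // mask of an entry both sides report as successful.
            if ((pReplyOT->Error[i] != fNtAccessCheckResult[i]) ||
                ((pReplyOT->Error[i] == ERROR_SUCCESS) &&
                 (pReplyOT->GrantedAccessMask[i] != dwNtGrantedAccess[i])))
            {
                // i is a UINT, so it is printed with %u.
                wprintf(L"AccessCheck mismatch @ %u\n", i);
                wprintf(L"AGA: %08lx\tAE: %08lx\nNGA: %08lx\tNE: %08lx\n",
                        pReplyOT->GrantedAccessMask[i], pReplyOT->Error[i],
                        dwNtGrantedAccess[i], fNtAccessCheckResult[i]);
            }
        }
    }
    else
    {
        // Here the NT result is compared against 0 and 1 rather than
        // against an error code, unlike the object-type-list branch above.
        if ( ((pReply->Error[0] == ERROR_SUCCESS) &&
              (0 == fNtAccessCheckResult[0])) ||
             ((pReply->Error[0] != ERROR_SUCCESS) &&
              (1 == fNtAccessCheckResult[0])) ||
             ((pReply->Error[0] == ERROR_SUCCESS) &&
              (pReply->GrantedAccessMask[0] != dwNtGrantedAccess[0])) )
        {
            wprintf(L"AccessCheck mismatch\n");
            wprintf(L"AGA: %08lx\tAE: %08lx\nNGA: %08lx\tNE: %08lx\n",
                    pReply->GrantedAccessMask[0], pReply->Error[0],
                    dwNtGrantedAccess[0], fNtAccessCheckResult[0]);
        }
    }
}


//
// Runs the NT access-check benchmark, then the Authz one, prints both
// timings and their ratio, and finally cross-checks the two result sets.
//
//   NumIter - iteration count handed to both benchmark loops.
//   Flags   - BMF_* flags handed to both benchmark loops.
//
// Any failing init or benchmark step aborts the run and prints the error
// code; nothing is returned to the caller.
//
void
DoBenchMarks(
    IN ULONG NumIter,
    IN DWORD Flags
    )
{
    DWORD dwError = NO_ERROR;

    //
    // do NT access checks
    //

    dwError = InitNtAccessChecks();

    if ( dwError != NO_ERROR )
    {
        goto Cleanup;
    }

    wprintf(L"NtAccessChecks : ");
    fflush(stdout);

    timer_start();
    dwError = DoNtAccessChecks( NumIter, Flags );

    if ( dwError != NO_ERROR )
    {
        goto Cleanup;
    }

    timer_stop();
    nt_time = timer_time();
    wprintf(L"%.2f sec\n", nt_time);

    //
    // do authz access checks
    //

    dwError = InitAuthzAccessChecks();

    if ( dwError != NO_ERROR )
    {
        goto Cleanup;
    }

    wprintf(L"AzAccessChecks : ");
    fflush(stdout);

    timer_start();
    dwError = AuthzDoAccessCheck( NumIter, Flags );

    if ( dwError != NO_ERROR )
    {
        goto Cleanup;
    }

    timer_stop();
    az_time = timer_time();
    wprintf(L"%.2f sec\n", az_time);

    wprintf(L"perf ratio : %2.2f \n", nt_time/az_time);

    //
    // make sure that both az and nt returned the same results
    //
    // The comparison used to be written out twice in a row, so every
    // mismatch was reported twice. It runs once now.
    //

    ReportAccessCheckMismatches( Flags );

    return;

Cleanup:
    wprintf(L"DoBenchMarks failed: %lx\n", dwError);
}

// Bits of the ot-option argument: which access-check variants to run.
#define OTO_OT   1      // checks with an object-type list
#define OTO_SO   2      // regular checks
#define OTO_OTSO 3      // both

PWCHAR szUsage = L"Usage: azbm iter-count ot-option access-mask sd-index audit-flag";

//
// Entry point: azbm iter-count ot-option access-mask sd-index audit-flag
//
// Parses the five arguments, tries to enable SE_AUDIT_PRIVILEGE, runs the
// benchmark variants selected by ot-option (with or without audit
// generation), then frees the Authz handles.
//
// Returns 0 after a run, including a run that reported mismatches or a
// failed benchmark; exits with -1 on a malformed command line.
//
extern "C"
int
__cdecl
wmain(int argc, PWSTR argv[])
{
    NTSTATUS    Status;
    ULONG       NumChecks = 10000;
    BOOLEAN     WasEnabled;
    ULONG       OtOptions;
    ACCESS_MASK DesiredAccess;
    ULONG       SdIndex;
    DWORD       fGenAudit;

    if ( argc != 6 )
    {
        // Print through a fixed format: szUsage is a writable global, so
        // it must not be used as the format string itself.
        wprintf(L"%ls", szUsage);
        exit(-1);
    }

    // The targets below are all unsigned long sized (ULONG / DWORD /
    // ACCESS_MASK), so the conversions carry the 'l' length modifier.
    if (1 != swscanf(argv[1], L"%lu", &NumChecks))
    {
        wprintf(L"Bad iteration-count");
        exit(-1);
    }

    if (1 != swscanf(argv[2], L"%lu", &OtOptions))
    {
        wprintf(L"Bad ot-option");
        exit(-1);
    }

    if (1 != swscanf(argv[3], L"%lx", &DesiredAccess))
    {
        wprintf(L"Bad access-mask");
        exit(-1);
    }
    g_DesiredAccess = DesiredAccess;

    if (1 != swscanf(argv[4], L"%lu", &SdIndex))
    {
        wprintf(L"Bad sd-index");
        exit(-1);
    }

    // NOTE(review): SdIndex comes straight from the command line and is
    // used as an array index with no range check, so an out-of-range value
    // reads past the end of g_aszSd. The element count of g_aszSd is not
    // visible in this file; compare SdIndex against it here and reject the
    // argument with "Bad sd-index" when it is too large.
    g_szSd = g_aszSd[SdIndex];

    if (1 != swscanf(argv[5], L"%lu", &fGenAudit))
    {
        wprintf(L"Bad audit-flag");
        exit(-1);
    }

    Status = RtlAdjustPrivilege(
                 SE_AUDIT_PRIVILEGE,
                 TRUE,                 // enable
                 FALSE,                // NOTE(review): the original comment
                                       // said "thread token", but FALSE for
                                       // this argument appears to select the
                                       // process token - confirm
                 &WasEnabled
                 );

    if (!NT_SUCCESS(Status))
    {
        // Reported only; the run continues. The audit variants presumably
        // cannot generate audits without this privilege - verify.
        wprintf(L"RtlAdjustPrivilege: %lx\n", Status);
    }

    if ( fGenAudit )
    {
        if ( OtOptions & OTO_SO )
        {
            wprintf(L"regular access checks with audit\n");
            wprintf(L"---------------------\n");
            DoBenchMarks( NumChecks, BMF_GenerateAudit );
        }

        if ( OtOptions & OTO_OT )
        {
            wprintf(L"\n\naccess checks with obj-type list with audit\n");
            wprintf(L"--------------------------------\n");
            DoBenchMarks( NumChecks, BMF_UseObjTypeList | BMF_GenerateAudit );
        }
    }
    else
    {
        if ( OtOptions & OTO_SO )
        {
            wprintf(L"regular access checks\n");
            wprintf(L"---------------------\n");
            DoBenchMarks( NumChecks, 0 );
        }

        if ( OtOptions & OTO_OT )
        {
            wprintf(L"\n\naccess checks with obj-type list\n");
            wprintf(L"--------------------------------\n");
            DoBenchMarks( NumChecks, BMF_UseObjTypeList );
        }
    }

    AuthzFreeAuditInfo(hAuditInfo);
    AuthzFreeAuditQueue(NULL);
    AuthzFreeResourceManager(hAuthzResourceManager);

    return 0;
}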