  1. #include "pch.h"
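/*
 * File-scope state shared by wmain and the worker threads.  Everything is
 * static: this is a single-file test program and nothing here is exported.
 */
static AUTHZ_AUDIT_EVENT_TYPE_HANDLE hAET;              /* audit event type created in wmain */

/*
 * Backing storage for the reply of the main thread's access check.  A union
 * with the reply header guarantees the storage is aligned for
 * AUTHZ_ACCESS_REPLY instead of relying on where the compiler happens to place
 * a UCHAR array; wmain carves the Error/GrantedAccessMask/SaclEvaluationResults
 * arrays out of the bytes that follow the header.
 */
static union
{
    AUTHZ_ACCESS_REPLY Header;
    UCHAR Bytes[2048];
} Buffer;
static PAUTHZ_ACCESS_REPLY pReply = (PAUTHZ_ACCESS_REPLY) &Buffer;

static AUTHZ_ACCESS_REQUEST Request = {0};               /* DesiredAccess is filled in by wmain */
static BOOL b = TRUE;                                    /* result of the last API call in wmain */
static HANDLE hToken = NULL;                             /* process token opened with TOKEN_QUERY */
static LUID Luid = {0xdead, 0xbeef};                     /* identifier handed to AuthzInitializeContextFromToken */
static NTSTATUS Status = STATUS_SUCCESS;
static PAUDIT_PARAMS pParams = NULL;                     /* audit parameters attached to hAuditEvent2 */
static PHANDLE pThreads = NULL;                          /* worker thread handles, dwThreads entries */

/* Command-line settings; see the usage line in wmain. */
static ACCESS_MASK DesiredAccess = 0;
static DWORD dwThreads = 0;
static DWORD dwAuditsPerThread = 0;
static BOOL bAudit = 0;                                  /* parsed but not otherwise used */

/*
 * Count of workers that have not finished yet.  Each worker decrements it with
 * InterlockedDecrement, which takes a LONG, so it is declared as one here.
 */
static LONG volatile dwThreadsRemaining = 0;
static DWORD i = 0;                                      /* loop index used by wmain */

static PSECURITY_DESCRIPTOR pSD = NULL;                  /* built from StringSD; released with LocalFree */

/*
 * Security descriptor used for every access check.  Owner BA, group DU; the
 * DACL grants assorted bits to well-known SIDs, several of them object ACEs
 * (OA) keyed by GUID; the SACL entry (AU;IDSAFA;0xFFFFFF;;;WD) requests a
 * success and a failure audit for Everyone on all access bits, which is what
 * makes the access checks below generate audits.
 */
static const WCHAR StringSD[] = L"O:BAG:DUD:(A;;0x40;;;s-1-2-2)(A;;0x1;;;BA)(OA;;0x2;6da8a4ff-0e52-11d0-a286-00aa00304900;;BA)(OA;;0x4;6da8a4ff-0e52-11d0-a286-00aa00304901;;BA)(OA;;0x8;6da8a4ff-0e52-11d0-a286-00aa00304903;;AU)(OA;;0x10;6da8a4ff-0e52-11d0-a286-00aa00304904;;BU)(OA;;0x20;6da8a4ff-0e52-11d0-a286-00aa00304905;;AU)(A;;0x40;;;PS)S:(AU;IDSAFA;0xFFFFFF;;;WD)";

static AUTHZ_AUDIT_EVENT_HANDLE hAuditEvent1 = NULL;     /* audit event initialized without a queue */
static AUTHZ_AUDIT_EVENT_HANDLE hAuditEvent2 = NULL;     /* audit event that posts to hAAQ */
static AUTHZ_RESOURCE_MANAGER_HANDLE hRM = NULL;
static AUTHZ_CLIENT_CONTEXT_HANDLE hCC = NULL;           /* client context built from hToken */
static AUTHZ_ACCESS_CHECK_RESULTS_HANDLE hAuthzCache = NULL; /* cache handle returned by the first access check */
static AUTHZ_AUDIT_QUEUE_HANDLE hAAQ = NULL;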
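/*
 * Worker thread body for the audit stress test.
 *
 * Runs dwAuditsPerThread iterations, each performing two AuthzAccessCheck
 * calls against the shared client context hCC and security descriptor pSD:
 * one with hAuditEvent2 (the event that posts to the audit queue) and one with
 * hAuditEvent1 (the event initialized without a queue).  When the loop is
 * done the thread decrements dwThreadsRemaining and prints a completion line.
 *
 * lpParameter: pointer to a DWORD holding this thread's ordinal.  It is only
 *              used for the completion message, but the caller must keep that
 *              DWORD valid until the thread has started and read it.
 * Returns TRUE as the thread exit code.
 *
 * The results of the individual checks are not reported: the loop exists to
 * generate audit traffic, and wmain already verified that the same check
 * succeeds on the main thread before starting the workers.
 *
 * Declared DWORD WINAPI so the calling convention matches what CreateThread
 * expects (LPTHREAD_START_ROUTINE) on x86.
 */
DWORD WINAPI
AccessCheckAuditWork(
    LPVOID lpParameter
    )
{
    DWORD num = *((PDWORD) lpParameter);
    DWORD iter;
    LONG left;
    BOOL ok;

    /*
     * Per-thread reply.  AuthzAccessCheck writes into the reply arrays, so
     * every worker gets its own instead of all of them sharing the global
     * pReply buffer (a data race).  Request.ObjectTypeList is NULL, so the
     * check produces exactly one result and one-element arrays suffice.
     */
    AUTHZ_ACCESS_REPLY reply;
    ACCESS_MASK granted[1];
    DWORD error[1];
    DWORD saclResult[1];

    reply.ResultListLength = 1;
    reply.GrantedAccessMask = granted;
    reply.SaclEvaluationResults = saclResult;
    reply.Error = error;

    for (iter = 0; iter < dwAuditsPerThread; iter++)
    {
        ok = AuthzAccessCheck(
                 0,
                 hCC,
                 &Request,
                 hAuditEvent2,
                 pSD,
                 NULL,
                 0,
                 &reply,
                 NULL
                 );

        ok = AuthzAccessCheck(
                 0,
                 hCC,
                 &Request,
                 hAuditEvent1,
                 pSD,
                 NULL,
                 0,
                 &reply,
                 NULL
                 );

        (void) ok;   /* deliberately ignored, see the header comment */
    }

    /*
     * Report the value InterlockedDecrement returns rather than re-reading
     * the shared counter, which other workers may change in between.
     */
    left = InterlockedDecrement((LONG volatile *) &dwThreadsRemaining);
    wprintf(L"Thread Done %d (%d left).\n", num, left);

    return TRUE;
}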
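/*
 * Entry point.
 *
 * Usage: AccessMask dwThreads dwAuditsPerThread bAudit
 *   AccessMask        - hexadecimal access mask requested by every check
 *   dwThreads         - number of worker threads to create (at least 1)
 *   dwAuditsPerThread - iterations of the worker loop (two checks each)
 *   bAudit            - parsed for compatibility with the usage line; it is
 *                       not consulted anywhere in this program
 *
 * Sequence: build the security descriptor from StringSD, initialize an Authz
 * resource manager, an audit queue, an audit event type and two audit events,
 * open the process token and build a client context from it, run one access
 * check on the main thread and print its result, then create the workers
 * (suspended), resume them, wait for all of them and release the Authz
 * objects.
 *
 * Changes from the original version of this routine:
 *  - the access mask is parsed with wcstoul; wcstol saturated any mask with
 *    the top bit set (GENERIC_READ is 0x80000000) at LONG_MAX;
 *  - each worker receives a pointer to its own DWORD ordinal instead of the
 *    address of the shared loop index, which the loop kept changing;
 *  - SaclEvaluationResults was placed with the element count multiplied by
 *    sizeof(ACCESS_MASK) on top of pointer arithmetic that already scales;
 *  - WaitForMultipleObjects is called in chunks of MAXIMUM_WAIT_OBJECTS so
 *    that more than that many threads no longer makes the wait fail and the
 *    Authz objects get released while workers are still using them;
 *  - OpenProcessToken, AuthziAllocateAuditParams and both audit event
 *    initializations are checked, and resources are released on every exit.
 */
void _cdecl wmain(int argc, WCHAR * argv[])
{
    PDWORD pThreadIds = NULL;       /* one ordinal per worker, handed out by address */
    DWORD dwCreated = 0;            /* threads created so far */
    DWORD dwWaited = 0;
    DWORD dwChunk = 0;
    DWORD dwWaitResult = 0;
    BOOL bWorkersRunning = FALSE;   /* TRUE from resume until all workers have been joined */

    if (argc != 5)
    {
        wprintf(L"usage: %s AccessMask dwThreads dwAuditsPerThread bAudit\n", argv[0]);
        exit(0);
    }

    DesiredAccess = (ACCESS_MASK) wcstoul(argv[1], NULL, 16);
    dwThreads = (DWORD) wcstol(argv[2], NULL, 10);
    dwAuditsPerThread = (DWORD) wcstol(argv[3], NULL, 10);
    bAudit = (BOOL) wcstol(argv[4], NULL, 10);

    /*
     * Zero threads would make the wait below fail; the upper bound keeps the
     * allocation sizes from overflowing on 32-bit builds.
     */
    if (dwThreads == 0 || dwThreads > ((SIZE_T) -1) / sizeof(HANDLE))
    {
        wprintf(L"dwThreads must be between 1 and %u\n", (DWORD) (((SIZE_T) -1) / sizeof(HANDLE)));
        return;
    }

    dwThreadsRemaining = dwThreads;

    pThreads = LocalAlloc(LMEM_ZEROINIT, (SIZE_T) dwThreads * sizeof(HANDLE));
    pThreadIds = LocalAlloc(LMEM_ZEROINIT, (SIZE_T) dwThreads * sizeof(DWORD));
    if (NULL == pThreads || NULL == pThreadIds)
    {
        wprintf(L"LocalAlloc failed with %d\n", GetLastError());
        goto Cleanup;
    }

    //
    // Create the SD for the access checks
    //
    b = ConvertStringSecurityDescriptorToSecurityDescriptorW(
            StringSD,
            SDDL_REVISION_1,
            &pSD,
            NULL
            );
    if (!b)
    {
        wprintf(L"SDDL failed with %d\n", GetLastError());
        goto Cleanup;
    }

    //
    // Authz stuff
    //
    b = AuthzInitializeResourceManager(
            0,
            NULL,
            NULL,
            NULL,
            L"Jeff's RM",
            &hRM
            );
    if (!b)
    {
        wprintf(L"AuthzInitializeResourceManager failed with %d\n", GetLastError());
        goto Cleanup;
    }

    /*
     * Audit queue for hAuditEvent2.  The two numbers are the queue's size
     * thresholds (presumably high and low water marks -- confirm against the
     * AuthziInitializeAuditQueue declaration).
     */
    b = AuthziInitializeAuditQueue(
            AUTHZ_MONITOR_AUDIT_QUEUE_SIZE,
            10000,
            500,
            NULL,
            &hAAQ
            );
    if (!b)
    {
        wprintf(L"AuthziInitializeAuditQueue failed with %d.\n", GetLastError());
        goto Cleanup;
    }

    /* Object-access category, audit id 777, one parameter. */
    b = AuthziInitializeAuditEventType(
            0,
            SE_CATEGID_OBJECT_ACCESS,
            777,
            1,
            &hAET
            );
    if (!b)
    {
        wprintf(L"initaet returned %d\n", GetLastError());
        goto Cleanup;
    }

    b = AuthziAllocateAuditParams(
            &pParams,
            1
            );
    if (!b)
    {
        wprintf(L"AuthziAllocateAuditParams failed with %d\n", GetLastError());
        goto Cleanup;
    }

    AuthziInitializeAuditParamsWithRM(
        0,
        hRM,
        1,
        pParams,
        APT_String, L"Hello???"
        );

    /* Event that carries the type, parameters and queue created above. */
    b = AuthziInitializeAuditEvent(
            AUTHZ_NO_ALLOC_STRINGS,
            hRM,
            hAET,                   // event
            pParams,                // params
            hAAQ,                   // queue
            INFINITE,               // timeout
            L"op type",
            L"object type",
            L"object name",
            L"some additional info",
            &hAuditEvent2
            );
    if (!b)
    {
        wprintf(L"AuthziInitializeAuditEvent (queued) failed with %d.\n", GetLastError());
        goto Cleanup;
    }

    /* Event with no type, parameters or queue. */
    b = AuthziInitializeAuditEvent(
            0,
            hRM,
            NULL,                   // event
            NULL,                   // params
            NULL,                   // queue
            INFINITE,               // timeout
            L"op type1",
            L"object type1",
            L"object name1",
            L"some additional info1",
            &hAuditEvent1
            );
    if (!b)
    {
        wprintf(L"AuthziInitializeAuditEvent failed with %d.\n", GetLastError());
        goto Cleanup;
    }

    //
    // Create a client context from the current token.
    //
    if (!OpenProcessToken(
             GetCurrentProcess(),
             TOKEN_QUERY,
             &hToken
             ))
    {
        wprintf(L"OpenProcessToken failed with %d\n", GetLastError());
        goto Cleanup;
    }

    b = AuthzInitializeContextFromToken(
            0,
            hToken,
            hRM,
            NULL,
            Luid,
            NULL,
            &hCC
            );
    if (!b)
    {
        wprintf(L"AuthzInitializeContextFromToken failed with 0x%x\n", GetLastError());
        goto Cleanup;
    }

    //
    // Now do the access check.
    //
    Request.ObjectTypeList = NULL;
    Request.PrincipalSelfSid = NULL;
    Request.DesiredAccess = DesiredAccess;

    /*
     * Lay the three result arrays out behind the reply header inside the
     * global buffer.  No object type list, so there is exactly one result.
     * Pointer arithmetic already scales by the element size; the original
     * multiplied by sizeof(ACCESS_MASK) a second time when placing
     * SaclEvaluationResults.
     */
    pReply->ResultListLength = 1;
    pReply->Error = (PDWORD) (((PCHAR) pReply) + sizeof(AUTHZ_ACCESS_REPLY));
    pReply->GrantedAccessMask = (PACCESS_MASK) (pReply->Error + pReply->ResultListLength);
    pReply->SaclEvaluationResults = (PDWORD) (pReply->GrantedAccessMask + pReply->ResultListLength);

    wprintf(L"* AccessCheck (PrincipalSelfSid == NULL, ResultListLength == 1)\n");
    b = AuthzAccessCheck(
            0,
            hCC,
            &Request,
            NULL,
            pSD,
            NULL,
            0,
            pReply,
            &hAuthzCache
            );
    if (!b)
    {
        wprintf(L"Initial AuthzAccessCheck failed with %d\n", GetLastError());
        goto Cleanup;
    }

    wprintf(L"Initial AuthzAccessCheck succeeded. Here are results:\n");
    for (i = 0; i < pReply->ResultListLength; i++)
    {
        wprintf(L"ObjectType %d :: AccessMask = 0x%x, Error = %d\n",
                i, pReply->GrantedAccessMask[i], pReply->Error[i]);
    }

    //
    // Create the workers suspended, then resume them all at once.
    //
    wprintf(L"\nBeginning creation of audit threads.\n");
    for (i = 0; i < dwThreads; i++)
    {
        /* Each worker reads its ordinal through the pointer; give it its own slot. */
        pThreadIds[i] = i;
        pThreads[i] = CreateThread(
                          NULL,
                          0,
                          AccessCheckAuditWork,
                          &pThreadIds[i],
                          CREATE_SUSPENDED,
                          NULL
                          );
        if (pThreads[i] == NULL)
        {
            wprintf(L"CreateThread failed for thread %d with %d\n", i, GetLastError());
            goto Cleanup;   /* the threads created so far stay suspended and die with the process */
        }
        dwCreated++;
    }

    for (i = 0; i < dwCreated; i++)
    {
        /* A thread that fails to resume never signals; the wait below would then block. */
        if ((DWORD) -1 == ResumeThread(pThreads[i]))
        {
            wprintf(L"ResumeThread failed on thread %d with %d\n", i, GetLastError());
            fflush(stdout);
        }
    }
    bWorkersRunning = TRUE;

    /*
     * WaitForMultipleObjects accepts at most MAXIMUM_WAIT_OBJECTS handles per
     * call, so wait in chunks; bWaitAll makes each chunk complete only when
     * all of its threads have exited.
     */
    for (dwWaited = 0; dwWaited < dwCreated; dwWaited += dwChunk)
    {
        dwChunk = dwCreated - dwWaited;
        if (dwChunk > MAXIMUM_WAIT_OBJECTS)
        {
            dwChunk = MAXIMUM_WAIT_OBJECTS;
        }

        dwWaitResult = WaitForMultipleObjects(
                           dwChunk,
                           pThreads + dwWaited,
                           TRUE,
                           INFINITE
                           );
        if (WAIT_FAILED == dwWaitResult)
        {
            wprintf(L"Wait failed %d.\n", GetLastError());
            goto Cleanup;   /* workers may still be running; the Authz objects are left alone */
        }
    }
    bWorkersRunning = FALSE;
    wprintf(L"Done waiting for all threads.\n");

Cleanup:
    /*
     * The Authz objects are used by the workers, so they are released only
     * when no worker can still be running.  Events go before the queue they
     * post to, the context and cache before the resource manager.  hAET and
     * pParams come from the internal Authzi allocation routines and are not
     * released here (the original did not either); process exit reclaims them.
     */
    if (!bWorkersRunning)
    {
        if (hAuthzCache != NULL)
        {
            AuthzFreeHandle(hAuthzCache);
        }
        if (hCC != NULL)
        {
            AuthzFreeContext(hCC);
        }
        if (hAuditEvent1 != NULL)
        {
            AuthzFreeAuditEvent(hAuditEvent1);
        }
        if (hAuditEvent2 != NULL)
        {
            AuthzFreeAuditEvent(hAuditEvent2);
        }
        if (hAAQ != NULL)
        {
            AuthziFreeAuditQueue(hAAQ);
        }
        if (hRM != NULL)
        {
            AuthzFreeResourceManager(hRM);
        }
    }
    if (hToken != NULL)
    {
        CloseHandle(hToken);
    }
    if (pSD != NULL)
    {
        LocalFree(pSD);     /* ConvertStringSecurityDescriptorToSecurityDescriptor allocates with LocalAlloc */
    }
    if (pThreads != NULL)
    {
        for (i = 0; i < dwCreated; i++)
        {
            CloseHandle(pThreads[i]);
        }
        LocalFree(pThreads);
    }
    if (pThreadIds != NULL)
    {
        LocalFree(pThreadIds);
    }
    return;
}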
  283. }