#include "pch.h"
AUTHZ_AUDIT_EVENT_TYPE_HANDLE hAET;
UCHAR Buffer[2048];
AUTHZ_ACCESS_REQUEST Request = {0};
PAUTHZ_ACCESS_REPLY pReply = (PAUTHZ_ACCESS_REPLY) Buffer;
BOOL b = TRUE;
HANDLE hToken = NULL;
LUID Luid = {0xdead,0xbeef};
NTSTATUS Status = STATUS_SUCCESS;
PAUDIT_PARAMS pParams = NULL;
PHANDLE pThreads = NULL;
ACCESS_MASK DesiredAccess = 0;
DWORD dwThreads = 0;
DWORD dwThreadsRemaining = 0;
DWORD dwAuditsPerThread = 0;
BOOL bAudit = 0;
DWORD i = 0;
PSECURITY_DESCRIPTOR pSD = NULL;
PWCHAR StringSD = L"O:BAG:DUD:(A;;0x40;;;s-1-2-2)(A;;0x1;;;BA)(OA;;0x2;6da8a4ff-0e52-11d0-a286-00aa00304900;;BA)(OA;;0x4;6da8a4ff-0e52-11d0-a286-00aa00304901;;BA)(OA;;0x8;6da8a4ff-0e52-11d0-a286-00aa00304903;;AU)(OA;;0x10;6da8a4ff-0e52-11d0-a286-00aa00304904;;BU)(OA;;0x20;6da8a4ff-0e52-11d0-a286-00aa00304905;;AU)(A;;0x40;;;PS)S:(AU;IDSAFA;0xFFFFFF;;;WD)";
AUTHZ_AUDIT_EVENT_HANDLE hAuditEvent1 = NULL;
AUTHZ_AUDIT_EVENT_HANDLE hAuditEvent2 = NULL;
AUTHZ_RESOURCE_MANAGER_HANDLE hRM = NULL;
AUTHZ_CLIENT_CONTEXT_HANDLE hCC = NULL;
AUTHZ_ACCESS_CHECK_RESULTS_HANDLE hAuthzCache = NULL;
AUTHZ_AUDIT_QUEUE_HANDLE hAAQ = NULL;
�
ULONG
AccessCheckAuditWork(
LPVOID lpParameter
)
{
DWORD i = 0;
DWORD num = *((PDWORD)lpParameter);
for (i = 0; i < dwAuditsPerThread; i++)
{
b = AuthzAccessCheck(
0,
hCC,
&Request,
hAuditEvent2,
pSD,
NULL,
0,
pReply,
NULL
);
b = AuthzAccessCheck(
0,
hCC,
&Request,
hAuditEvent1,
pSD,
NULL,
0,
pReply,
NULL
);
}
InterlockedDecrement(
&dwThreadsRemaining
);
wprintf(L"Thread Done %d (%d left).\n", num, dwThreadsRemaining);
return TRUE;
}
�
void _cdecl wmain(int argc, WCHAR * argv[])
{
if (argc != 5)
{
wprintf(L"usage: %s AccessMask dwThreads dwAuditsPerThread bAudit\n", argv[0]);
exit(0);
}
DesiredAccess = wcstol(argv[1], NULL, 16);
dwThreads = wcstol(argv[2], NULL, 10);
dwAuditsPerThread = wcstol(argv[3], NULL, 10);
bAudit = wcstol(argv[4], NULL, 10);
dwThreadsRemaining = dwThreads;
pThreads = LocalAlloc(
0,
sizeof(HANDLE) * dwThreads
);
if (NULL == pThreads)
{
wprintf(L"LocalAlloc failed with %d\n", GetLastError());
return;
}
//
// Create the SD for the access checks
//
b = ConvertStringSecurityDescriptorToSecurityDescriptorW(
StringSD,
SDDL_REVISION_1,
&pSD,
NULL
);
if (!b)
{
wprintf(L"SDDL failed with %d\n", GetLastError());
return;
}
//
// Authz stuff
//
b = AuthzInitializeResourceManager(
0,
NULL,
NULL,
NULL,
L"Jeff's RM",
&hRM
);
if (!b)
{
wprintf(L"AuthzInitializeResourceManager failed with %d\n", GetLastError());
return;
}
b = AuthziInitializeAuditQueue(
AUTHZ_MONITOR_AUDIT_QUEUE_SIZE,
10000,
500,
NULL,
&hAAQ
);
if (!b)
{
printf("AuthzInitializeAuditQueue failed with %d.\n", GetLastError());
return;
}
b = AuthziInitializeAuditEventType(
0,
SE_CATEGID_OBJECT_ACCESS,
777,
1,
&hAET
);
if (!b)
{
wprintf(L"initaet returned %d\n", GetLastError());
return;
}
b = AuthziAllocateAuditParams(
&pParams,
1
);
AuthziInitializeAuditParamsWithRM(
0,
hRM,
1,
pParams,
APT_String, L"Hello???"
);
b = AuthziInitializeAuditEvent(
AUTHZ_NO_ALLOC_STRINGS,
hRM,
hAET, //NULL, // event
pParams, //NULL, // params
hAAQ, // queue
INFINITE, // timeout
L"op type",
L"object type",
L"object name",
L"some additional info",
&hAuditEvent2
);
b = AuthziInitializeAuditEvent(
0,
hRM,
NULL, // event
NULL, // params
NULL, // queue
INFINITE, // timeout
L"op type1",
L"object type1",
L"object name1",
L"some additional info1",
&hAuditEvent1
);
if (!b)
{
printf("AuthzInitializeAuditInfo failed with %d.\n", GetLastError());
return;
}
//
// Create a client context from the current token.
//
OpenProcessToken(
GetCurrentProcess(),
TOKEN_QUERY,
&hToken
);
b = AuthzInitializeContextFromToken(
0,
hToken,
hRM,
NULL,
Luid,
NULL,
&hCC
);
if (!b)
{
wprintf(L"AuthzInitializeContextFromToken failed with 0x%x\n", GetLastError());
return;
}
//
// Now do the access check.
//
Request.ObjectTypeList = NULL;
Request.PrincipalSelfSid = NULL;
Request.DesiredAccess = DesiredAccess;
pReply->ResultListLength = 1;
pReply->Error = (PDWORD) (((PCHAR) pReply) + sizeof(AUTHZ_ACCESS_REPLY));
pReply->GrantedAccessMask = (PACCESS_MASK) (pReply->Error + pReply->ResultListLength);
pReply->SaclEvaluationResults = (PDWORD) (pReply->GrantedAccessMask + (pReply->ResultListLength * sizeof(ACCESS_MASK)));
wprintf(L"* AccessCheck (PrincipalSelfSid == NULL, ResultListLength == 8)\n");
b = AuthzAccessCheck(
0,
hCC,
&Request,
NULL,
pSD,
NULL,
0,
pReply,
&hAuthzCache
);
if (!b)
{
wprintf(L"Initial AuthzAccessCheck failed with %d\n", GetLastError());
return;
}
else
{
wprintf(L"Initial AuthzAccessCheck succeeded. Here are results:\n");
for (i = 0; i < pReply->ResultListLength; i++)
{
wprintf(L"ObjectType %d :: AccessMask = 0x%x, Error = %d\n",
i, pReply->GrantedAccessMask[i], pReply->Error[i]);
}
}
wprintf(L"\nBeginning creation of audit threads.\n");
for (i = 0; i < dwThreads; i++)
{
pThreads[i] = CreateThread(
NULL,
0,
AccessCheckAuditWork,
&i,
CREATE_SUSPENDED,
NULL
);
if (pThreads[i] == NULL)
{
wprintf(L"CreateThread failed for thread %d with %d\n", i, GetLastError());
return;
}
}
for (i = 0; i < dwThreads; i++)
{
if (-1 == ResumeThread(
pThreads[i]
))
{
wprintf(L"ResumeThread failed on thread %d with %d\n", i, GetLastError());
fflush(stdout);
}
}
Status = WaitForMultipleObjects(
i,
pThreads,
TRUE,
INFINITE
);
if (!NT_SUCCESS(Status))
{
wprintf(L"Wait failed %d.\n", GetLastError());
}
wprintf(L"Done waiting for all threads.\n");
AuthzFreeAuditEvent(
hAuditEvent2
);
AuthziFreeAuditQueue(hAAQ);
AuthzFreeContext(hCC);
return;
}