mirror of https://github.com/tongzx/nt5src
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
339 lines
8.1 KiB
339 lines
8.1 KiB
#include "pch.h"
|
|
|
|
AUTHZ_AUDIT_EVENT_TYPE_HANDLE hAET;
|
|
UCHAR Buffer[2048];
|
|
AUTHZ_ACCESS_REQUEST Request = {0};
|
|
PAUTHZ_ACCESS_REPLY pReply = (PAUTHZ_ACCESS_REPLY) Buffer;
|
|
BOOL b = TRUE;
|
|
HANDLE hToken = NULL;
|
|
LUID Luid = {0xdead,0xbeef};
|
|
NTSTATUS Status = STATUS_SUCCESS;
|
|
PAUDIT_PARAMS pParams = NULL;
|
|
|
|
PHANDLE pThreads = NULL;
|
|
ACCESS_MASK DesiredAccess = 0;
|
|
DWORD dwThreads = 0;
|
|
DWORD dwThreadsRemaining = 0;
|
|
DWORD dwAuditsPerThread = 0;
|
|
BOOL bAudit = 0;
|
|
DWORD i = 0;
|
|
|
|
PSECURITY_DESCRIPTOR pSD = NULL;
|
|
PWCHAR StringSD = L"O:BAG:DUD:(A;;0x40;;;s-1-2-2)(A;;0x1;;;BA)(OA;;0x2;6da8a4ff-0e52-11d0-a286-00aa00304900;;BA)(OA;;0x4;6da8a4ff-0e52-11d0-a286-00aa00304901;;BA)(OA;;0x8;6da8a4ff-0e52-11d0-a286-00aa00304903;;AU)(OA;;0x10;6da8a4ff-0e52-11d0-a286-00aa00304904;;BU)(OA;;0x20;6da8a4ff-0e52-11d0-a286-00aa00304905;;AU)(A;;0x40;;;PS)S:(AU;IDSAFA;0xFFFFFF;;;WD)";
|
|
|
|
AUTHZ_AUDIT_EVENT_HANDLE hAuditEvent1 = NULL;
|
|
AUTHZ_AUDIT_EVENT_HANDLE hAuditEvent2 = NULL;
|
|
AUTHZ_RESOURCE_MANAGER_HANDLE hRM = NULL;
|
|
AUTHZ_CLIENT_CONTEXT_HANDLE hCC = NULL;
|
|
AUTHZ_ACCESS_CHECK_RESULTS_HANDLE hAuthzCache = NULL;
|
|
AUTHZ_AUDIT_QUEUE_HANDLE hAAQ = NULL;
|
|
|
|
|
|
ULONG
|
|
AccessCheckAuditWork(
|
|
LPVOID lpParameter
|
|
)
|
|
{
|
|
|
|
DWORD i = 0;
|
|
DWORD num = *((PDWORD)lpParameter);
|
|
|
|
for (i = 0; i < dwAuditsPerThread; i++)
|
|
{
|
|
b = AuthzAccessCheck(
|
|
0,
|
|
hCC,
|
|
&Request,
|
|
hAuditEvent2,
|
|
pSD,
|
|
NULL,
|
|
0,
|
|
pReply,
|
|
NULL
|
|
);
|
|
|
|
b = AuthzAccessCheck(
|
|
0,
|
|
hCC,
|
|
&Request,
|
|
hAuditEvent1,
|
|
pSD,
|
|
NULL,
|
|
0,
|
|
pReply,
|
|
NULL
|
|
);
|
|
|
|
}
|
|
|
|
InterlockedDecrement(
|
|
&dwThreadsRemaining
|
|
);
|
|
|
|
wprintf(L"Thread Done %d (%d left).\n", num, dwThreadsRemaining);
|
|
return TRUE;
|
|
}
|
|
|
|
|
|
void _cdecl wmain(int argc, WCHAR * argv[])
|
|
{
|
|
if (argc != 5)
|
|
{
|
|
wprintf(L"usage: %s AccessMask dwThreads dwAuditsPerThread bAudit\n", argv[0]);
|
|
exit(0);
|
|
}
|
|
|
|
DesiredAccess = wcstol(argv[1], NULL, 16);
|
|
dwThreads = wcstol(argv[2], NULL, 10);
|
|
dwAuditsPerThread = wcstol(argv[3], NULL, 10);
|
|
bAudit = wcstol(argv[4], NULL, 10);
|
|
|
|
dwThreadsRemaining = dwThreads;
|
|
|
|
pThreads = LocalAlloc(
|
|
0,
|
|
sizeof(HANDLE) * dwThreads
|
|
);
|
|
|
|
if (NULL == pThreads)
|
|
{
|
|
wprintf(L"LocalAlloc failed with %d\n", GetLastError());
|
|
return;
|
|
}
|
|
|
|
//
|
|
// Create the SD for the access checks
|
|
//
|
|
|
|
b = ConvertStringSecurityDescriptorToSecurityDescriptorW(
|
|
StringSD,
|
|
SDDL_REVISION_1,
|
|
&pSD,
|
|
NULL
|
|
);
|
|
|
|
if (!b)
|
|
{
|
|
wprintf(L"SDDL failed with %d\n", GetLastError());
|
|
return;
|
|
}
|
|
|
|
|
|
|
|
//
|
|
// Authz stuff
|
|
//
|
|
|
|
b = AuthzInitializeResourceManager(
|
|
0,
|
|
NULL,
|
|
NULL,
|
|
NULL,
|
|
L"Jeff's RM",
|
|
&hRM
|
|
);
|
|
|
|
if (!b)
|
|
{
|
|
wprintf(L"AuthzInitializeResourceManager failed with %d\n", GetLastError());
|
|
return;
|
|
}
|
|
|
|
b = AuthziInitializeAuditQueue(
|
|
AUTHZ_MONITOR_AUDIT_QUEUE_SIZE,
|
|
10000,
|
|
500,
|
|
NULL,
|
|
&hAAQ
|
|
);
|
|
|
|
if (!b)
|
|
{
|
|
printf("AuthzInitializeAuditQueue failed with %d.\n", GetLastError());
|
|
return;
|
|
}
|
|
|
|
b = AuthziInitializeAuditEventType(
|
|
0,
|
|
SE_CATEGID_OBJECT_ACCESS,
|
|
777,
|
|
1,
|
|
&hAET
|
|
);
|
|
|
|
if (!b)
|
|
{
|
|
wprintf(L"initaet returned %d\n", GetLastError());
|
|
return;
|
|
}
|
|
|
|
b = AuthziAllocateAuditParams(
|
|
&pParams,
|
|
1
|
|
);
|
|
|
|
AuthziInitializeAuditParamsWithRM(
|
|
0,
|
|
hRM,
|
|
1,
|
|
pParams,
|
|
APT_String, L"Hello???"
|
|
);
|
|
|
|
b = AuthziInitializeAuditEvent(
|
|
AUTHZ_NO_ALLOC_STRINGS,
|
|
hRM,
|
|
hAET, //NULL, // event
|
|
pParams, //NULL, // params
|
|
hAAQ, // queue
|
|
INFINITE, // timeout
|
|
L"op type",
|
|
L"object type",
|
|
L"object name",
|
|
L"some additional info",
|
|
&hAuditEvent2
|
|
);
|
|
|
|
b = AuthziInitializeAuditEvent(
|
|
0,
|
|
hRM,
|
|
NULL, // event
|
|
NULL, // params
|
|
NULL, // queue
|
|
INFINITE, // timeout
|
|
L"op type1",
|
|
L"object type1",
|
|
L"object name1",
|
|
L"some additional info1",
|
|
&hAuditEvent1
|
|
);
|
|
if (!b)
|
|
{
|
|
printf("AuthzInitializeAuditInfo failed with %d.\n", GetLastError());
|
|
return;
|
|
}
|
|
|
|
//
|
|
// Create a client context from the current token.
|
|
//
|
|
|
|
OpenProcessToken(
|
|
GetCurrentProcess(),
|
|
TOKEN_QUERY,
|
|
&hToken
|
|
);
|
|
|
|
b = AuthzInitializeContextFromToken(
|
|
0,
|
|
hToken,
|
|
hRM,
|
|
NULL,
|
|
Luid,
|
|
NULL,
|
|
&hCC
|
|
);
|
|
|
|
if (!b)
|
|
{
|
|
wprintf(L"AuthzInitializeContextFromToken failed with 0x%x\n", GetLastError());
|
|
return;
|
|
}
|
|
|
|
//
|
|
// Now do the access check.
|
|
//
|
|
|
|
Request.ObjectTypeList = NULL;
|
|
Request.PrincipalSelfSid = NULL;
|
|
Request.DesiredAccess = DesiredAccess;
|
|
|
|
pReply->ResultListLength = 1;
|
|
pReply->Error = (PDWORD) (((PCHAR) pReply) + sizeof(AUTHZ_ACCESS_REPLY));
|
|
pReply->GrantedAccessMask = (PACCESS_MASK) (pReply->Error + pReply->ResultListLength);
|
|
pReply->SaclEvaluationResults = (PDWORD) (pReply->GrantedAccessMask + (pReply->ResultListLength * sizeof(ACCESS_MASK)));
|
|
|
|
wprintf(L"* AccessCheck (PrincipalSelfSid == NULL, ResultListLength == 8)\n");
|
|
|
|
b = AuthzAccessCheck(
|
|
0,
|
|
hCC,
|
|
&Request,
|
|
NULL,
|
|
pSD,
|
|
NULL,
|
|
0,
|
|
pReply,
|
|
&hAuthzCache
|
|
);
|
|
|
|
if (!b)
|
|
{
|
|
wprintf(L"Initial AuthzAccessCheck failed with %d\n", GetLastError());
|
|
return;
|
|
}
|
|
else
|
|
{
|
|
wprintf(L"Initial AuthzAccessCheck succeeded. Here are results:\n");
|
|
|
|
for (i = 0; i < pReply->ResultListLength; i++)
|
|
{
|
|
wprintf(L"ObjectType %d :: AccessMask = 0x%x, Error = %d\n",
|
|
i, pReply->GrantedAccessMask[i], pReply->Error[i]);
|
|
}
|
|
}
|
|
|
|
wprintf(L"\nBeginning creation of audit threads.\n");
|
|
|
|
for (i = 0; i < dwThreads; i++)
|
|
{
|
|
pThreads[i] = CreateThread(
|
|
NULL,
|
|
0,
|
|
AccessCheckAuditWork,
|
|
&i,
|
|
CREATE_SUSPENDED,
|
|
NULL
|
|
);
|
|
|
|
if (pThreads[i] == NULL)
|
|
{
|
|
wprintf(L"CreateThread failed for thread %d with %d\n", i, GetLastError());
|
|
return;
|
|
}
|
|
}
|
|
|
|
for (i = 0; i < dwThreads; i++)
|
|
{
|
|
if (-1 == ResumeThread(
|
|
pThreads[i]
|
|
))
|
|
{
|
|
wprintf(L"ResumeThread failed on thread %d with %d\n", i, GetLastError());
|
|
fflush(stdout);
|
|
}
|
|
}
|
|
|
|
Status = WaitForMultipleObjects(
|
|
i,
|
|
pThreads,
|
|
TRUE,
|
|
INFINITE
|
|
);
|
|
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
wprintf(L"Wait failed %d.\n", GetLastError());
|
|
}
|
|
|
|
wprintf(L"Done waiting for all threads.\n");
|
|
|
|
AuthzFreeAuditEvent(
|
|
hAuditEvent2
|
|
);
|
|
|
|
AuthziFreeAuditQueue(hAAQ);
|
|
|
|
AuthzFreeContext(hCC);
|
|
|
|
return;
|
|
}
|