mirror of https://github.com/tongzx/nt5src
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
255 lines
7.6 KiB
255 lines
7.6 KiB
/*++
|
|
|
|
Copyright (c) 1997-2000 Microsoft Corporation
|
|
|
|
Module Name:
|
|
|
|
safelog.c (SAFER Event Logging)
|
|
|
|
Abstract:
|
|
|
|
This module implements the internal WinSAFER APIs to write eventlog
|
|
messages. All of our message strings are defined in ntstatus.mc
|
|
and are physically located within ntdll.dll file.
|
|
|
|
Currently we are just reusing the previously existing event source
|
|
called "Application Popup", which already happens to use ntdll.dll
|
|
as its message resource library. Events of this source always go
|
|
into the "System Log".
|
|
|
|
Author:
|
|
|
|
Jeffrey Lawson (JLawson) - Apr 1999
|
|
|
|
Environment:
|
|
|
|
User mode only.
|
|
|
|
Exported Functions:
|
|
|
|
SaferRecordEventLogEntry
|
|
|
|
Revision History:
|
|
|
|
Created - Nov 2000
|
|
|
|
--*/
|
|
|
|
#include "pch.h"
|
|
#pragma hdrstop
|
|
#include <winsafer.h>
|
|
#include <winsaferp.h>
|
|
#include "saferp.h"
|
|
|
|
|
|
|
|
|
|
const static GUID guidTrustedCert = SAFER_GUID_RESULT_TRUSTED_CERT;
|
|
const static GUID guidDefaultRule = SAFER_GUID_RESULT_DEFAULT_LEVEL;
|
|
|
|
|
|
|
|
BOOL WINAPI
|
|
SaferpRecordEventLogEntryHelper(
|
|
IN NTSTATUS LogStatusCode,
|
|
IN LPCWSTR szTargetPath,
|
|
IN REFGUID refRuleGuid,
|
|
IN LPCWSTR szRulePath
|
|
)
|
|
{
|
|
NTSTATUS Status = STATUS_UNSUCCESSFUL;
|
|
WORD wNumStrings = 0;
|
|
LPWSTR lpszStrings[5];
|
|
HANDLE hEventSource;
|
|
UNICODE_STRING UnicodeGuid;
|
|
|
|
hEventSource = RegisterEventSourceW(NULL, L"Software Restriction Policy");
|
|
|
|
if (hEventSource != NULL) {
|
|
|
|
Status = STATUS_SUCCESS;
|
|
RtlInitEmptyUnicodeString(&UnicodeGuid, NULL, 0);
|
|
|
|
switch (LogStatusCode)
|
|
{
|
|
case STATUS_ACCESS_DISABLED_BY_POLICY_DEFAULT:
|
|
if (!ARGUMENT_PRESENT(szTargetPath)) {
|
|
Status = STATUS_INVALID_PARAMETER;
|
|
break;
|
|
}
|
|
lpszStrings[0] = (LPWSTR) szTargetPath;
|
|
wNumStrings = 1;
|
|
break;
|
|
|
|
case STATUS_ACCESS_DISABLED_BY_POLICY_OTHER:
|
|
if (!ARGUMENT_PRESENT(szTargetPath) ||
|
|
!ARGUMENT_PRESENT(refRuleGuid)) {
|
|
Status = STATUS_INVALID_PARAMETER;
|
|
break;
|
|
}
|
|
|
|
Status = RtlStringFromGUID(refRuleGuid, &UnicodeGuid);
|
|
if (NT_SUCCESS(Status)) {
|
|
ASSERT(UnicodeGuid.Buffer != NULL);
|
|
lpszStrings[0] = (LPWSTR) szTargetPath;
|
|
lpszStrings[1] = UnicodeGuid.Buffer;
|
|
wNumStrings = 2;
|
|
}
|
|
break;
|
|
|
|
case STATUS_ACCESS_DISABLED_BY_POLICY_PUBLISHER:
|
|
if (!ARGUMENT_PRESENT(szTargetPath)) {
|
|
Status = STATUS_INVALID_PARAMETER;
|
|
break;
|
|
}
|
|
lpszStrings[0] = (LPWSTR) szTargetPath;
|
|
wNumStrings = 1;
|
|
break;
|
|
|
|
case STATUS_ACCESS_DISABLED_BY_POLICY_PATH:
|
|
if (!ARGUMENT_PRESENT(szTargetPath) ||
|
|
!ARGUMENT_PRESENT(refRuleGuid) ||
|
|
!ARGUMENT_PRESENT(szRulePath)) {
|
|
Status = STATUS_INVALID_PARAMETER;
|
|
break;
|
|
}
|
|
Status = RtlStringFromGUID(refRuleGuid, &UnicodeGuid);
|
|
if (NT_SUCCESS(Status)) {
|
|
ASSERT(UnicodeGuid.Buffer != NULL);
|
|
lpszStrings[0] = (LPWSTR) szTargetPath;
|
|
lpszStrings[1] = UnicodeGuid.Buffer;
|
|
lpszStrings[2] = (LPWSTR) szRulePath;
|
|
wNumStrings = 3;
|
|
}
|
|
break;
|
|
|
|
default:
|
|
Status = STATUS_INVALID_PARAMETER;
|
|
}
|
|
|
|
if (NT_SUCCESS(Status)) {
|
|
ReportEventW(
|
|
hEventSource, // handle to event log
|
|
EVENTLOG_WARNING_TYPE, // event type
|
|
0, // event category
|
|
LogStatusCode, // event ID
|
|
NULL, // current user's SID
|
|
wNumStrings, // strings in lpszStrings
|
|
0, // no bytes of raw data
|
|
lpszStrings, // array of error strings
|
|
NULL); // no raw data
|
|
}
|
|
|
|
DeregisterEventSource(hEventSource);
|
|
|
|
if (UnicodeGuid.Buffer != NULL) {
|
|
RtlFreeUnicodeString(&UnicodeGuid);
|
|
}
|
|
}
|
|
|
|
if (NT_SUCCESS(Status)) {
|
|
return TRUE;
|
|
} else {
|
|
return FALSE;
|
|
}
|
|
}
|
|
|
|
|
|
|
|
BOOL WINAPI
|
|
SaferRecordEventLogEntry(
|
|
IN SAFER_LEVEL_HANDLE hAuthzLevel,
|
|
IN LPCWSTR szTargetPath,
|
|
IN LPVOID lpReserved
|
|
)
|
|
{
|
|
PSAFER_IDENTIFICATION_HEADER pIdentCommon;
|
|
DWORD dwIdentBufferSize;
|
|
BOOL bResult;
|
|
|
|
|
|
//
|
|
// Allocate enough memory for the largest structure we can expect
|
|
// and then query the information about the identifier that matched.
|
|
//
|
|
dwIdentBufferSize = max(sizeof(SAFER_HASH_IDENTIFICATION),
|
|
sizeof(SAFER_PATHNAME_IDENTIFICATION));
|
|
pIdentCommon = (PSAFER_IDENTIFICATION_HEADER)
|
|
HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, dwIdentBufferSize);
|
|
if (!pIdentCommon) {
|
|
return FALSE;
|
|
}
|
|
pIdentCommon->cbStructSize = sizeof(SAFER_IDENTIFICATION_HEADER);
|
|
if (!SaferGetLevelInformation(
|
|
hAuthzLevel,
|
|
SaferObjectSingleIdentification,
|
|
pIdentCommon,
|
|
dwIdentBufferSize,
|
|
&dwIdentBufferSize)) {
|
|
|
|
if (GetLastError() == ERROR_NOT_ENOUGH_MEMORY) {
|
|
|
|
HeapFree(GetProcessHeap(), 0, pIdentCommon);
|
|
pIdentCommon = (PSAFER_IDENTIFICATION_HEADER)
|
|
HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, dwIdentBufferSize);
|
|
if (!pIdentCommon) {
|
|
return FALSE;
|
|
}
|
|
pIdentCommon->cbStructSize = sizeof(SAFER_IDENTIFICATION_HEADER);
|
|
if (!SaferGetLevelInformation(
|
|
hAuthzLevel,
|
|
SaferObjectSingleIdentification,
|
|
pIdentCommon,
|
|
dwIdentBufferSize,
|
|
&dwIdentBufferSize)) {
|
|
bResult = FALSE;
|
|
goto Cleanup;
|
|
}
|
|
|
|
}
|
|
else
|
|
{
|
|
bResult = FALSE;
|
|
goto Cleanup;
|
|
}
|
|
}
|
|
|
|
|
|
//
|
|
// Look at the resulting information about the identifier.
|
|
//
|
|
if (IsEqualGUID(&pIdentCommon->IdentificationGuid, &guidTrustedCert))
|
|
{
|
|
bResult = SaferpRecordEventLogEntryHelper(
|
|
STATUS_ACCESS_DISABLED_BY_POLICY_PUBLISHER,
|
|
szTargetPath, NULL, NULL);
|
|
}
|
|
else if (IsEqualGUID(&pIdentCommon->IdentificationGuid, &guidDefaultRule))
|
|
{
|
|
bResult = SaferpRecordEventLogEntryHelper(
|
|
STATUS_ACCESS_DISABLED_BY_POLICY_DEFAULT,
|
|
szTargetPath, NULL, NULL);
|
|
}
|
|
else if (pIdentCommon->dwIdentificationType == SaferIdentityTypeImageName)
|
|
{
|
|
PSAFER_PATHNAME_IDENTIFICATION pIdentPath =
|
|
(PSAFER_PATHNAME_IDENTIFICATION) pIdentCommon;
|
|
bResult = SaferpRecordEventLogEntryHelper(
|
|
STATUS_ACCESS_DISABLED_BY_POLICY_PATH,
|
|
szTargetPath, &pIdentCommon->IdentificationGuid,
|
|
pIdentPath->ImageName);
|
|
}
|
|
else
|
|
{
|
|
bResult = SaferpRecordEventLogEntryHelper(
|
|
STATUS_ACCESS_DISABLED_BY_POLICY_OTHER,
|
|
szTargetPath, &pIdentCommon->IdentificationGuid,
|
|
NULL);
|
|
}
|
|
|
|
Cleanup:
|
|
HeapFree(GetProcessHeap(), 0, pIdentCommon);
|
|
|
|
return bResult;
|
|
}
|
|
|