-
Notifications
You must be signed in to change notification settings - Fork 219
Expand file tree
/
Copy pathntseapi.h
More file actions
1454 lines (1362 loc) · 72.5 KB
/
Copy pathntseapi.h
File metadata and controls
1454 lines (1362 loc) · 72.5 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
/*
* Authorization functions
*
* This file is part of System Informer.
*/
#ifndef _NTSEAPI_H
#define _NTSEAPI_H
//
// Privileges
//
#define SE_MIN_WELL_KNOWN_PRIVILEGE (2L)
#define SE_CREATE_TOKEN_PRIVILEGE (2L) // Required to create a primary token.
#define SE_ASSIGNPRIMARYTOKEN_PRIVILEGE (3L) // Required to assign the primary token of a process.
#define SE_LOCK_MEMORY_PRIVILEGE (4L) // Required to lock physical pages in memory.
#define SE_INCREASE_QUOTA_PRIVILEGE (5L) // Required to increase the quota assigned to a process.
#define SE_MACHINE_ACCOUNT_PRIVILEGE (6L) // Required to create a computer account.
#define SE_TCB_PRIVILEGE (7L) // Required to act as part of the Trusted Computer Base.
#define SE_SECURITY_PRIVILEGE (8L) // Required to perform a number of security-related functions, such as controlling and viewing audit messages. // Security operator.
#define SE_TAKE_OWNERSHIP_PRIVILEGE (9L) // Required to take ownership of an object without being granted discretionary access.
#define SE_LOAD_DRIVER_PRIVILEGE (10L) // Required to load or unload a device driver.
#define SE_SYSTEM_PROFILE_PRIVILEGE (11L) // Required to gather profiling information for the entire system.
#define SE_SYSTEMTIME_PRIVILEGE (12L) // Required to modify the system time.
#define SE_PROF_SINGLE_PROCESS_PRIVILEGE (13L) // Required to gather profiling information for a single process.
#define SE_INC_BASE_PRIORITY_PRIVILEGE (14L) // Required to increase the base priority of a process.
#define SE_CREATE_PAGEFILE_PRIVILEGE (15L) // Required to create a paging file.
#define SE_CREATE_PERMANENT_PRIVILEGE (16L) // Required to create a permanent object.
#define SE_BACKUP_PRIVILEGE (17L) // Required to perform backup operations. This privilege causes the system to grant all read access control to any file.
#define SE_RESTORE_PRIVILEGE (18L) // Required to perform restore operations. This privilege causes the system to grant all write access control to any file.
#define SE_SHUTDOWN_PRIVILEGE (19L) // Required to shut down a local system.
#define SE_DEBUG_PRIVILEGE (20L) // Required to debug and adjust memory of any process, ignoring the DACL for the process.
#define SE_AUDIT_PRIVILEGE (21L) // Required to generate audit-log entries.
#define SE_SYSTEM_ENVIRONMENT_PRIVILEGE (22L) // Required to modify UEFI variables of systems that use this type of memory to store configuration information.
#define SE_CHANGE_NOTIFY_PRIVILEGE (23L) // Required to receive notifications of changes to files or directories and skip all traversal access checks. It is enabled by default for all users.
#define SE_REMOTE_SHUTDOWN_PRIVILEGE (24L) // Required to shut down a system using a network request.
#define SE_UNDOCK_PRIVILEGE (25L) // Required to undock a laptop.
#define SE_SYNC_AGENT_PRIVILEGE (26L) // Required for a domain controller to use the Lightweight Directory Access Protocol (LDAP) directory synchronization services.
#define SE_ENABLE_DELEGATION_PRIVILEGE (27L) // Required to mark user and computer accounts as trusted for delegation.
#define SE_MANAGE_VOLUME_PRIVILEGE (28L) // Required to enable volume management privileges.
#define SE_IMPERSONATE_PRIVILEGE (29L) // Required to impersonate a client after authentication.
#define SE_CREATE_GLOBAL_PRIVILEGE (30L) // Required to create named file mapping objects in the global namespace during Terminal Services sessions. It is enabled by default for all administrators.
#define SE_TRUSTED_CREDMAN_ACCESS_PRIVILEGE (31L) // Required to access Credential Manager as a trusted caller.
#define SE_RELABEL_PRIVILEGE (32L) // Required to modify the mandatory integrity level of an object.
#define SE_INC_WORKING_SET_PRIVILEGE (33L) // Required to allocate more memory for applications that run in the context of users.
#define SE_TIME_ZONE_PRIVILEGE (34L) // Required to adjust the time zone associated with the computer's internal clock.
#define SE_CREATE_SYMBOLIC_LINK_PRIVILEGE (35L) // Required to create a symbolic link.
#define SE_DELEGATE_SESSION_USER_IMPERSONATE_PRIVILEGE (36L) // Required to obtain an impersonation token for another user in the same session.
#define SE_MAX_WELL_KNOWN_PRIVILEGE SE_DELEGATE_SESSION_USER_IMPERSONATE_PRIVILEGE
//
// Authz
//
// begin_rev
#if (PHNT_MODE == PHNT_MODE_KERNEL)
/**
* The TOKEN_INFORMATION_CLASS enumeration contains values that specify the type of information
* being assigned to or retrieved from an access token.
*
* \sa https://learn.microsoft.com/en-us/windows/win32/api/winnt/ne-winnt-token_information_class
*/
typedef enum _TOKEN_INFORMATION_CLASS
{
TokenUser = 1, // q: TOKEN_USER, SE_TOKEN_USER
TokenGroups, // q: TOKEN_GROUPS
TokenPrivileges, // q: TOKEN_PRIVILEGES
TokenOwner, // qs: TOKEN_OWNER
TokenPrimaryGroup, // qs: TOKEN_PRIMARY_GROUP
TokenDefaultDacl, // qs: TOKEN_DEFAULT_DACL
TokenSource, // q: TOKEN_SOURCE
TokenType, // q: TOKEN_TYPE
TokenImpersonationLevel, // q: SECURITY_IMPERSONATION_LEVEL
TokenStatistics, // q: TOKEN_STATISTICS // 10
TokenRestrictedSids, // q: TOKEN_GROUPS
TokenSessionId, // qs: ULONG (requires SeTcbPrivilege)
TokenGroupsAndPrivileges, // q: TOKEN_GROUPS_AND_PRIVILEGES
TokenSessionReference, // s: ULONG (requires SeTcbPrivilege)
TokenSandBoxInert, // q: ULONG
TokenAuditPolicy, // qs: TOKEN_AUDIT_POLICY (requires SeSecurityPrivilege/SeTcbPrivilege)
TokenOrigin, // qs: TOKEN_ORIGIN (requires SeTcbPrivilege)
TokenElevationType, // q: TOKEN_ELEVATION_TYPE
TokenLinkedToken, // qs: TOKEN_LINKED_TOKEN (requires SeCreateTokenPrivilege)
TokenElevation, // q: TOKEN_ELEVATION // 20
TokenHasRestrictions, // q: ULONG
TokenAccessInformation, // q: TOKEN_ACCESS_INFORMATION
TokenVirtualizationAllowed, // qs: ULONG (requires SeCreateTokenPrivilege)
TokenVirtualizationEnabled, // qs: ULONG
TokenIntegrityLevel, // qs: TOKEN_MANDATORY_LABEL
TokenUIAccess, // qs: ULONG (requires SeTcbPrivilege)
TokenMandatoryPolicy, // qs: TOKEN_MANDATORY_POLICY (requires SeTcbPrivilege)
TokenLogonSid, // q: TOKEN_GROUPS
TokenIsAppContainer, // q: ULONG // since WIN8
TokenCapabilities, // q: TOKEN_GROUPS // 30
TokenAppContainerSid, // q: TOKEN_APPCONTAINER_INFORMATION
TokenAppContainerNumber, // q: ULONG
TokenUserClaimAttributes, // q: CLAIM_SECURITY_ATTRIBUTES_INFORMATION
TokenDeviceClaimAttributes, // q: CLAIM_SECURITY_ATTRIBUTES_INFORMATION
TokenRestrictedUserClaimAttributes, // q: CLAIM_SECURITY_ATTRIBUTES_INFORMATION
TokenRestrictedDeviceClaimAttributes, // q: CLAIM_SECURITY_ATTRIBUTES_INFORMATION
TokenDeviceGroups, // q: TOKEN_GROUPS
TokenRestrictedDeviceGroups, // q: TOKEN_GROUPS
TokenSecurityAttributes, // qs: TOKEN_SECURITY_ATTRIBUTES_[AND_OPERATION_]INFORMATION (requires SeTcbPrivilege)
TokenIsRestricted, // q: ULONG // 40
TokenProcessTrustLevel, // q: TOKEN_PROCESS_TRUST_LEVEL // since WINBLUE
TokenPrivateNameSpace, // qs: ULONG (requires SeTcbPrivilege) // since THRESHOLD
TokenSingletonAttributes, // q: TOKEN_SECURITY_ATTRIBUTES_INFORMATION // since REDSTONE
TokenBnoIsolation, // q: TOKEN_BNO_ISOLATION_INFORMATION // since REDSTONE2
TokenChildProcessFlags, // s: ULONG (requires SeTcbPrivilege) // since REDSTONE3
TokenIsLessPrivilegedAppContainer, // q: ULONG // since REDSTONE5
TokenIsSandboxed, // q: ULONG // since 19H1
TokenIsAppSilo, // q: ULONG // since WIN11 22H2 // previously TokenOriginatingProcessTrustLevel // q: TOKEN_PROCESS_TRUST_LEVEL
TokenLoggingInformation, // q: TOKEN_LOGGING_INFORMATION // since 24H2
TokenLearningMode, // q: // since 25H2
MaxTokenInfoClass
} TOKEN_INFORMATION_CLASS, *PTOKEN_INFORMATION_CLASS;
//
// Token information structures
//
/**
* The TOKEN_USER structure identifies the user associated with an access token.
* \sa https://learn.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-token_user
*/
typedef struct _TOKEN_USER
{
SID_AND_ATTRIBUTES User;
} TOKEN_USER, *PTOKEN_USER;
typedef struct _SE_TOKEN_USER
{
union
{
TOKEN_USER TokenUser;
SID_AND_ATTRIBUTES User;
} DUMMYUNIONNAME;
union
{
SID Sid;
BYTE Buffer[SECURITY_MAX_SID_SIZE];
} DUMMYUNIONNAME2;
} SE_TOKEN_USER, PSE_TOKEN_USER;
#define TOKEN_USER_MAX_SIZE (sizeof(TOKEN_USER) + SECURITY_MAX_SID_SIZE)
/**
* The TOKEN_GROUPS structure contains information about the group security identifiers (SIDs) in an access token.
* \sa https://learn.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-token_groups
*/
typedef struct _TOKEN_GROUPS
{
ULONG GroupCount;
SID_AND_ATTRIBUTES Groups[ANYSIZE_ARRAY];
} TOKEN_GROUPS, *PTOKEN_GROUPS;
/**
* The TOKEN_PRIVILEGES structure contains information about a set of privileges for an access token.
* \sa https://learn.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-token_privileges
*/
typedef struct _TOKEN_PRIVILEGES
{
ULONG PrivilegeCount;
LUID_AND_ATTRIBUTES Privileges[ANYSIZE_ARRAY];
} TOKEN_PRIVILEGES, *PTOKEN_PRIVILEGES;
/**
* The TOKEN_OWNER structure contains the default owner security identifier (SID) that will be applied to newly created objects.
* \sa https://learn.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-token_owner
*/
typedef struct _TOKEN_OWNER
{
PSID Owner;
} TOKEN_OWNER, *PTOKEN_OWNER;
#define TOKEN_OWNER_MAX_SIZE (sizeof(TOKEN_OWNER) + SECURITY_MAX_SID_SIZE)
/**
* The TOKEN_PRIMARY_GROUP structure specifies a group security identifier (SID) for an access token.
* \sa https://learn.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-token_primary_group
*/
typedef struct _TOKEN_PRIMARY_GROUP
{
PSID PrimaryGroup;
} TOKEN_PRIMARY_GROUP, *PTOKEN_PRIMARY_GROUP;
/**
* The TOKEN_DEFAULT_DACL structure specifies a discretionary access control list (DACL).
* \sa https://learn.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-token_default_dacl
*/
typedef struct _TOKEN_DEFAULT_DACL
{
PACL DefaultDacl;
} TOKEN_DEFAULT_DACL, *PTOKEN_DEFAULT_DACL;
#define TOKEN_SOURCE_LENGTH 8
/**
* The TOKEN_SOURCE structure identifies the source of an access token.
* \sa https://learn.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-token_source
*/
typedef struct _TOKEN_SOURCE
{
CHAR SourceName[TOKEN_SOURCE_LENGTH];
LUID SourceIdentifier;
} TOKEN_SOURCE, *PTOKEN_SOURCE;
/**
* The TOKEN_TYPE enumeration contains values that differentiate between a primary token and an impersonation token.
* \sa https://learn.microsoft.com/en-us/windows/win32/api/winnt/ne-winnt-token_type
*/
typedef enum _TOKEN_TYPE
{
TokenPrimary = 1,
TokenImpersonation
} TOKEN_TYPE;
typedef struct _TOKEN_USER_CLAIMS
{
PCLAIMS_BLOB UserClaims;
} TOKEN_USER_CLAIMS, *PTOKEN_USER_CLAIMS;
typedef struct _TOKEN_DEVICE_CLAIMS
{
PCLAIMS_BLOB DeviceClaims;
} TOKEN_DEVICE_CLAIMS, *PTOKEN_DEVICE_CLAIMS;
typedef struct _TOKEN_GROUPS_AND_PRIVILEGES
{
ULONG SidCount;
ULONG SidLength;
PSID_AND_ATTRIBUTES Sids;
ULONG RestrictedSidCount;
ULONG RestrictedSidLength;
PSID_AND_ATTRIBUTES RestrictedSids;
ULONG PrivilegeCount;
ULONG PrivilegeLength;
PLUID_AND_ATTRIBUTES Privileges;
LUID AuthenticationId;
} TOKEN_GROUPS_AND_PRIVILEGES, *PTOKEN_GROUPS_AND_PRIVILEGES;
typedef struct _TOKEN_LINKED_TOKEN
{
HANDLE LinkedToken;
} TOKEN_LINKED_TOKEN, *PTOKEN_LINKED_TOKEN;
typedef struct _TOKEN_ELEVATION
{
ULONG TokenIsElevated;
} TOKEN_ELEVATION, *PTOKEN_ELEVATION;
/**
* The TOKEN_MANDATORY_POLICY structure specifies the mandatory integrity policy for a token.
* \sa https://learn.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-token_mandatory_policy
*/
typedef struct _TOKEN_MANDATORY_LABEL
{
SID_AND_ATTRIBUTES Label;
} TOKEN_MANDATORY_LABEL, *PTOKEN_MANDATORY_LABEL;
#define TOKEN_MANDATORY_POLICY_OFF 0x0
#define TOKEN_MANDATORY_POLICY_NO_WRITE_UP 0x1
#define TOKEN_MANDATORY_POLICY_NEW_PROCESS_MIN 0x2
#define TOKEN_MANDATORY_POLICY_VALID_MASK (TOKEN_MANDATORY_POLICY_NO_WRITE_UP | \
TOKEN_MANDATORY_POLICY_NEW_PROCESS_MIN)
#define TOKEN_INTEGRITY_LEVEL_MAX_SIZE \
((((ULONG)(sizeof(TOKEN_MANDATORY_LABEL)) + sizeof(PVOID) - 1) & ~(sizeof(PVOID)-1)) + SECURITY_MAX_SID_SIZE)
typedef struct _TOKEN_MANDATORY_POLICY
{
ULONG Policy;
} TOKEN_MANDATORY_POLICY, *PTOKEN_MANDATORY_POLICY;
typedef PVOID PSECURITY_ATTRIBUTES_OPAQUE;
typedef struct _TOKEN_ACCESS_INFORMATION
{
PSID_AND_ATTRIBUTES_HASH SidHash;
PSID_AND_ATTRIBUTES_HASH RestrictedSidHash;
PTOKEN_PRIVILEGES Privileges;
LUID AuthenticationId;
TOKEN_TYPE TokenType;
SECURITY_IMPERSONATION_LEVEL ImpersonationLevel;
TOKEN_MANDATORY_POLICY MandatoryPolicy;
ULONG Flags;
ULONG AppContainerNumber;
PSID PackageSid;
PSID_AND_ATTRIBUTES_HASH CapabilitiesHash;
PSID TrustLevelSid;
PSECURITY_ATTRIBUTES_OPAQUE SecurityAttributes;
} TOKEN_ACCESS_INFORMATION, *PTOKEN_ACCESS_INFORMATION;
typedef struct _TOKEN_LOGGING_INFORMATION
{
TOKEN_TYPE TokenType;
TOKEN_ELEVATION TokenElevation;
TOKEN_ELEVATION_TYPE TokenElevationType;
SECURITY_IMPERSONATION_LEVEL ImpersonationLevel;
ULONG IntegrityLevel;
SID_AND_ATTRIBUTES User;
PSID TrustLevelSid;
ULONG SessionId;
ULONG AppContainerNumber;
LUID AuthenticationId;
ULONG GroupCount;
ULONG GroupsLength;
PSID_AND_ATTRIBUTES Groups;
} TOKEN_LOGGING_INFORMATION, *PTOKEN_LOGGING_INFORMATION;
#endif // (PHNT_MODE == PHNT_MODE_KERNEL)
//
// Types
//
#define TOKEN_SECURITY_ATTRIBUTE_TYPE_INVALID 0x00
#define TOKEN_SECURITY_ATTRIBUTE_TYPE_INT64 0x01
#define TOKEN_SECURITY_ATTRIBUTE_TYPE_UINT64 0x02
#define TOKEN_SECURITY_ATTRIBUTE_TYPE_STRING 0x03 // Case insensitive attribute value string by default. Unless the flag TOKEN_SECURITY_ATTRIBUTE_VALUE_CASE_SENSITIVE is set.
#define TOKEN_SECURITY_ATTRIBUTE_TYPE_FQBN 0x04 // Fully-qualified binary name.
#define TOKEN_SECURITY_ATTRIBUTE_TYPE_SID 0x05
#define TOKEN_SECURITY_ATTRIBUTE_TYPE_BOOLEAN 0x06
#define TOKEN_SECURITY_ATTRIBUTE_TYPE_OCTET_STRING 0x10
//
// Flags
//
// Attribute must not be inherited across process spawns.
#define TOKEN_SECURITY_ATTRIBUTE_NON_INHERITABLE 0x0001
// Attribute value is compared in a case sensitive way. It is valid with string value
// or composite type containing string value. For other types of value, this flag
// will be ignored. Currently, it is valid with the two types:
// TOKEN_SECURITY_ATTRIBUTE_TYPE_STRING and TOKEN_SECURITY_ATTRIBUTE_TYPE_FQBN.
#define TOKEN_SECURITY_ATTRIBUTE_VALUE_CASE_SENSITIVE 0x0002
#define TOKEN_SECURITY_ATTRIBUTE_USE_FOR_DENY_ONLY 0x0004 // Attribute is considered only for Deny Aces.
#define TOKEN_SECURITY_ATTRIBUTE_DISABLED_BY_DEFAULT 0x0008 // Attribute is disabled by default.
#define TOKEN_SECURITY_ATTRIBUTE_DISABLED 0x0010 // Attribute is disabled.
#define TOKEN_SECURITY_ATTRIBUTE_MANDATORY 0x0020 // Attribute is mandatory.
#define TOKEN_SECURITY_ATTRIBUTE_COMPARE_IGNORE 0x0040 // Attribute is ignored.
#define TOKEN_SECURITY_ATTRIBUTE_VALID_FLAGS ( \
TOKEN_SECURITY_ATTRIBUTE_NON_INHERITABLE | \
TOKEN_SECURITY_ATTRIBUTE_VALUE_CASE_SENSITIVE | \
TOKEN_SECURITY_ATTRIBUTE_USE_FOR_DENY_ONLY | \
TOKEN_SECURITY_ATTRIBUTE_DISABLED_BY_DEFAULT | \
TOKEN_SECURITY_ATTRIBUTE_DISABLED | \
TOKEN_SECURITY_ATTRIBUTE_MANDATORY)
// Reserve upper 16 bits for custom flags. These should be preserved but not
// validated as they do not affect security in any way.
#define TOKEN_SECURITY_ATTRIBUTE_CUSTOM_FLAGS 0xffff0000
// end_rev
// private // CLAIM_SECURITY_ATTRIBUTE_FQBN_VALUE
typedef struct _TOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE
{
ULONG64 Version;
UNICODE_STRING Name;
} TOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE, *PTOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE;
// private // CLAIM_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE
typedef struct _TOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE
{
PVOID Value; // Pointer is BYTE aligned.
ULONG ValueLength; // In bytes
} TOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE, *PTOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE;
// private
typedef struct _TOKEN_SECURITY_ATTRIBUTE_V1
{
UNICODE_STRING Name;
USHORT ValueType;
USHORT Reserved;
ULONG Flags;
ULONG ValueCount;
union
{
PLONG64 Int64;
PULONG64 Uint64;
PUNICODE_STRING String;
PTOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE Fqbn;
PTOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE OctetString;
} Values;
} TOKEN_SECURITY_ATTRIBUTE_V1, *PTOKEN_SECURITY_ATTRIBUTE_V1;
// private
typedef struct _TOKEN_SECURITY_ATTRIBUTE_RELATIVE_V1
{
UNICODE_STRING Name;
USHORT ValueType;
USHORT Reserved;
ULONG Flags;
ULONG ValueCount;
union
{
ULONG Int64[ANYSIZE_ARRAY];
ULONG Uint64[ANYSIZE_ARRAY];
ULONG String[ANYSIZE_ARRAY];
ULONG Fqbn[ANYSIZE_ARRAY];
ULONG OctetString[ANYSIZE_ARRAY];
} Values;
} TOKEN_SECURITY_ATTRIBUTE_RELATIVE_V1, *PTOKEN_SECURITY_ATTRIBUTE_RELATIVE_V1;
// rev
#define TOKEN_SECURITY_ATTRIBUTES_INFORMATION_VERSION_V1 1
// rev
#define TOKEN_SECURITY_ATTRIBUTES_INFORMATION_VERSION TOKEN_SECURITY_ATTRIBUTES_INFORMATION_VERSION_V1
// private
typedef struct _TOKEN_SECURITY_ATTRIBUTES_INFORMATION
{
USHORT Version;
USHORT Reserved;
ULONG AttributeCount;
union
{
PTOKEN_SECURITY_ATTRIBUTE_V1 AttributeV1;
};
} TOKEN_SECURITY_ATTRIBUTES_INFORMATION, *PTOKEN_SECURITY_ATTRIBUTES_INFORMATION;
// private
typedef enum _TOKEN_SECURITY_ATTRIBUTE_OPERATION
{
TOKEN_SECURITY_ATTRIBUTE_OPERATION_NONE,
TOKEN_SECURITY_ATTRIBUTE_OPERATION_REPLACE_ALL,
TOKEN_SECURITY_ATTRIBUTE_OPERATION_ADD,
TOKEN_SECURITY_ATTRIBUTE_OPERATION_DELETE,
TOKEN_SECURITY_ATTRIBUTE_OPERATION_REPLACE
} TOKEN_SECURITY_ATTRIBUTE_OPERATION, *PTOKEN_SECURITY_ATTRIBUTE_OPERATION;
// private
typedef struct _TOKEN_SECURITY_ATTRIBUTES_AND_OPERATION_INFORMATION
{
PTOKEN_SECURITY_ATTRIBUTES_INFORMATION Attributes;
PTOKEN_SECURITY_ATTRIBUTE_OPERATION Operations;
} TOKEN_SECURITY_ATTRIBUTES_AND_OPERATION_INFORMATION, *PTOKEN_SECURITY_ATTRIBUTES_AND_OPERATION_INFORMATION;
// rev
/**
* The TOKEN_PROCESS_TRUST_LEVEL structure contains information about
* the trust level assigned to a process token. The trust level is
* represented by a SID (Security Identifier) pointed to by TrustLevelSid.
*/
typedef struct _TOKEN_PROCESS_TRUST_LEVEL
{
PSID TrustLevelSid;
} TOKEN_PROCESS_TRUST_LEVEL, *PTOKEN_PROCESS_TRUST_LEVEL;
#if !defined(NTDDI_WIN11_GE) || (NTDDI_VERSION < NTDDI_WIN11_GE)
typedef struct _TOKEN_LOGGING_INFORMATION
{
TOKEN_TYPE TokenType;
TOKEN_ELEVATION TokenElevation;
TOKEN_ELEVATION_TYPE TokenElevationType;
SECURITY_IMPERSONATION_LEVEL ImpersonationLevel;
ULONG IntegrityLevel;
SID_AND_ATTRIBUTES User;
PSID TrustLevelSid;
ULONG SessionId;
ULONG AppContainerNumber;
LUID AuthenticationId;
ULONG GroupCount;
ULONG GroupsLength;
PSID_AND_ATTRIBUTES Groups;
} TOKEN_LOGGING_INFORMATION, *PTOKEN_LOGGING_INFORMATION;
#endif // !defined(NTDDI_WIN11_GE) || (NTDDI_VERSION < NTDDI_WIN11_GE)
//
// Tokens
//
/**
* The NtCreateToken routine creates a new access token.
*
* \param TokenHandle Pointer to a variable that receives the handle to the newly created token.
* \param DesiredAccess Specifies the requested access rights for the new token.
* \param ObjectAttributes Optional pointer to an OBJECT_ATTRIBUTES structure specifying object attributes.
* \param Type Specifies the type of token to be created (primary or impersonation).
* \param AuthenticationId Pointer to a locally unique identifier (LUID) for the token.
* \param ExpirationTime Pointer to a LARGE_INTEGER specifying the expiration time of the token.
* \param User Pointer to a TOKEN_USER structure specifying the user account for the token.
* \param Groups Pointer to a TOKEN_GROUPS structure specifying the group accounts for the token.
* \param Privileges Pointer to a TOKEN_PRIVILEGES structure specifying the privileges for the token.
* \param Owner Optional pointer to a TOKEN_OWNER structure specifying the owner SID for the token.
* \param PrimaryGroup Pointer to a TOKEN_PRIMARY_GROUP structure specifying the primary group SID for the token.
* \param DefaultDacl Optional pointer to a TOKEN_DEFAULT_DACL structure specifying the default DACL for the token.
* \param Source Pointer to a TOKEN_SOURCE structure specifying the source of the token.
* \return NTSTATUS code indicating success or failure.
*/
NTSYSCALLAPI
NTSTATUS
NTAPI
NtCreateToken(
_Out_ PHANDLE TokenHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
_In_ TOKEN_TYPE Type,
_In_ PLUID AuthenticationId,
_In_ PLARGE_INTEGER ExpirationTime,
_In_ PTOKEN_USER User,
_In_ PTOKEN_GROUPS Groups,
_In_ PTOKEN_PRIVILEGES Privileges,
_In_opt_ PTOKEN_OWNER Owner,
_In_ PTOKEN_PRIMARY_GROUP PrimaryGroup,
_In_opt_ PTOKEN_DEFAULT_DACL DefaultDacl,
_In_ PTOKEN_SOURCE Source
);
#if (PHNT_VERSION >= PHNT_WINDOWS_8)
/**
* The NtCreateLowBoxToken routine creates a new lowbox access token based on an existing token.
*
* \param TokenHandle Pointer to a variable that receives the handle to the newly created lowbox token.
* \param ExistingTokenHandle Handle to an existing token to base the new token on.
* \param DesiredAccess Specifies the requested access rights for the new token.
* \param ObjectAttributes Optional pointer to an OBJECT_ATTRIBUTES structure specifying object attributes.
* \param PackageSid Pointer to a SID structure specifying the package SID for the lowbox token.
* \param CapabilityCount Number of capabilities in the Capabilities array.
* \param Capabilities Optional pointer to an array of SID_AND_ATTRIBUTES structures specifying capabilities.
* \param HandleCount Number of handles in the Handles array.
* \param Handles Optional pointer to an array of handles to be associated with the token.
* \return NTSTATUS code indicating success or failure.
* \sa https://learn.microsoft.com/en-us/windows/win32/secauthz/ntcreatelowboxtoken
*/
NTSYSCALLAPI
NTSTATUS
NTAPI
NtCreateLowBoxToken(
_Out_ PHANDLE TokenHandle,
_In_ HANDLE ExistingTokenHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
_In_ PSID PackageSid,
_In_ ULONG CapabilityCount,
_In_reads_opt_(CapabilityCount) PSID_AND_ATTRIBUTES Capabilities,
_In_ ULONG HandleCount,
_In_reads_opt_(HandleCount) HANDLE *Handles
);
#endif // (PHNT_VERSION >= PHNT_WINDOWS_8)
#if (PHNT_VERSION >= PHNT_WINDOWS_8)
/**
* The NtCreateTokenEx routine creates a new access token with extended attributes.
*
* \param TokenHandle Pointer to a variable that receives the handle to the newly created token.
* \param DesiredAccess Specifies the requested access rights for the new token.
* \param ObjectAttributes Optional pointer to an OBJECT_ATTRIBUTES structure specifying object attributes.
* \param Type Specifies the type of token to be created (primary or impersonation).
* \param AuthenticationId Pointer to a locally unique identifier (LUID) for the token.
* \param ExpirationTime Pointer to a LARGE_INTEGER specifying the expiration time of the token.
* \param User Pointer to a TOKEN_USER structure specifying the user account for the token.
* \param Groups Pointer to a TOKEN_GROUPS structure specifying the group accounts for the token.
* \param Privileges Pointer to a TOKEN_PRIVILEGES structure specifying the privileges for the token.
* \param UserAttributes Optional pointer to a TOKEN_SECURITY_ATTRIBUTES_INFORMATION structure specifying user claims.
* \param DeviceAttributes Optional pointer to a TOKEN_SECURITY_ATTRIBUTES_INFORMATION structure specifying device claims.
* \param DeviceGroups Optional pointer to a TOKEN_GROUPS structure specifying device groups.
* \param MandatoryPolicy Optional pointer to a TOKEN_MANDATORY_POLICY structure specifying the mandatory policy.
* \param Owner Optional pointer to a TOKEN_OWNER structure specifying the owner SID for the token.
* \param PrimaryGroup Pointer to a TOKEN_PRIMARY_GROUP structure specifying the primary group SID for the token.
* \param DefaultDacl Optional pointer to a TOKEN_DEFAULT_DACL structure specifying the default DACL for the token.
* \param Source Pointer to a TOKEN_SOURCE structure specifying the source of the token.
* \return NTSTATUS code indicating success or failure.
*/
NTSYSCALLAPI
NTSTATUS
NTAPI
NtCreateTokenEx(
_Out_ PHANDLE TokenHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
_In_ TOKEN_TYPE Type,
_In_ PLUID AuthenticationId,
_In_ PLARGE_INTEGER ExpirationTime,
_In_ PTOKEN_USER User,
_In_ PTOKEN_GROUPS Groups,
_In_ PTOKEN_PRIVILEGES Privileges,
_In_opt_ PTOKEN_SECURITY_ATTRIBUTES_INFORMATION UserAttributes,
_In_opt_ PTOKEN_SECURITY_ATTRIBUTES_INFORMATION DeviceAttributes,
_In_opt_ PTOKEN_GROUPS DeviceGroups,
_In_opt_ PTOKEN_MANDATORY_POLICY MandatoryPolicy,
_In_opt_ PTOKEN_OWNER Owner,
_In_ PTOKEN_PRIMARY_GROUP PrimaryGroup,
_In_opt_ PTOKEN_DEFAULT_DACL DefaultDacl,
_In_ PTOKEN_SOURCE Source
);
#endif // (PHNT_VERSION >= PHNT_WINDOWS_8)
/**
* The NtOpenProcessToken routine opens the access token associated with a process, and returns a handle that can be used to access that token.
*
* \param ProcessHandle Handle to the process whose access token is to be opened. The handle must have PROCESS_QUERY_INFORMATION access.
* \param DesiredAccess ACCESS_MASK structure specifying the requested types of access to the access token.
* \param TokenHandle Pointer to a caller-allocated variable that receives a handle to the newly opened access token.
* \return NTSTATUS Successful or errant status.
* \sa https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-ntopenprocesstoken
*/
NTSYSCALLAPI
NTSTATUS
NTAPI
NtOpenProcessToken(
_In_ HANDLE ProcessHandle,
_In_ ACCESS_MASK DesiredAccess,
_Out_ PHANDLE TokenHandle
);
/**
* The NtOpenProcessTokenEx routine opens the access token associated with a process, and returns a handle that can be used to access that token.
*
* \param ProcessHandle Handle to the process whose access token is to be opened. The handle must have PROCESS_QUERY_INFORMATION access.
* \param DesiredAccess ACCESS_MASK structure specifying the requested types of access to the access token.
* \param HandleAttributes Attributes for the created handle. Only OBJ_KERNEL_HANDLE is currently supported.
* \param TokenHandle Pointer to a caller-allocated variable that receives a handle to the newly opened access token.
* \return NTSTATUS Successful or errant status.
* \sa https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-ntopenprocesstokenex
*/
NTSYSCALLAPI
NTSTATUS
NTAPI
NtOpenProcessTokenEx(
_In_ HANDLE ProcessHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_ ULONG HandleAttributes,
_Out_ PHANDLE TokenHandle
);
/**
* The NtOpenThreadToken routine opens the access token associated with a thread, and returns a handle that can be used to access that token.
*
* \param ThreadHandle Handle to the thread whose access token is to be opened. The handle must have THREAD_QUERY_INFORMATION access.
* \param DesiredAccess ACCESS_MASK structure specifying the requested types of access to the access token.
* \param OpenAsSelf Boolean value specifying whether the access check is to be made against the security context of the thread calling NtOpenThreadToken or against the security context of the process for the calling thread.
* \param TokenHandle Pointer to a caller-allocated variable that receives a handle to the newly opened access token.
* \return NTSTATUS Successful or errant status.
* \sa https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-ntopenthreadtoken
*/
NTSYSCALLAPI
NTSTATUS
NTAPI
NtOpenThreadToken(
_In_ HANDLE ThreadHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_ BOOLEAN OpenAsSelf,
_Out_ PHANDLE TokenHandle
);
/**
* The NtOpenThreadTokenEx routine opens the access token associated with a thread, and returns a handle that can be used to access that token.
*
* \param ThreadHandle Handle to the thread whose access token is to be opened. The handle must have THREAD_QUERY_INFORMATION access.
* \param DesiredAccess ACCESS_MASK structure specifying the requested types of access to the access token.
* \param OpenAsSelf Boolean value specifying whether the access check is to be made against the security context of the thread calling NtOpenThreadToken or against the security context of the process for the calling thread.
* \param HandleAttributes Attributes for the created handle. Only OBJ_KERNEL_HANDLE is currently supported.
* \param TokenHandle Pointer to a caller-allocated variable that receives a handle to the newly opened access token.
* \return NTSTATUS Successful or errant status.
* \sa https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-ntopenthreadtokenex
*/
NTSYSCALLAPI
NTSTATUS
NTAPI
NtOpenThreadTokenEx(
_In_ HANDLE ThreadHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_ BOOLEAN OpenAsSelf,
_In_ ULONG HandleAttributes,
_Out_ PHANDLE TokenHandle
);
/**
* The NtDuplicateToken function creates a handle to a new access token that duplicates an existing token.
*
* \param ExistingTokenHandle A handle to an existing access token that was opened with the TOKEN_DUPLICATE access right.
* \param DesiredAccess ACCESS_MASK structure specifying the requested types of access to the access token.
* \param ObjectAttributes Pointer to an OBJECT_ATTRIBUTES structure that describes the requested properties for the new token.
* \param EffectiveOnly A Boolean value that indicates whether the entire existing token should be duplicated into the new token or just the effective (currently enabled) part of the token.
* \param Type Specifies the type of token to create either a primary token or an impersonation token.
* \param NewTokenHandle Pointer to a caller-allocated variable that receives a handle to the newly duplicated token.
* \return NTSTATUS Successful or errant status.
* \sa https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-ntduplicatetoken
*/
NTSYSCALLAPI
NTSTATUS
NTAPI
NtDuplicateToken(
_In_ HANDLE ExistingTokenHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
_In_ BOOLEAN EffectiveOnly,
_In_ TOKEN_TYPE Type,
_Out_ PHANDLE NewTokenHandle
);
/**
* The NtQueryInformationToken routine retrieves a specified type of information about an access token. The calling process must have appropriate access rights to obtain the information.
*
* \param TokenHandle A handle to an existing access token from which information is to be retrieved. If TokenInformationClass is set to TokenSource, the handle must have TOKEN_QUERY_SOURCE access.
* For all other TokenInformationClass values, the handle must have TOKEN_QUERY access.
* \param TokenInformationClass A value from the TOKEN_INFORMATION_CLASS enumerated type identifying the type of information to be retrieved.
* \param TokenInformation Pointer to a caller-allocated buffer that receives the requested information about the token.
* \param TokenInformationLength Length, in bytes, of the caller-allocated TokenInformation buffer.
* \param ReturnLength Pointer to a caller-allocated variable that receives the actual length, in bytes, of the information returned in the TokenInformation buffer.
* \return NTSTATUS Successful or errant status.
* \sa https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-ntqueryinformationtoken
*/
NTSYSCALLAPI
NTSTATUS
NTAPI
NtQueryInformationToken(
_In_ HANDLE TokenHandle,
_In_ TOKEN_INFORMATION_CLASS TokenInformationClass,
_Out_writes_bytes_to_opt_(TokenInformationLength, *ReturnLength) PVOID TokenInformation,
_In_ ULONG TokenInformationLength,
_Out_ PULONG ReturnLength
);
/**
* The NtSetInformationToken routine modifies information in a specified token. The calling process must have appropriate access rights to set the information.
*
* \param TokenHandle A handle to an existing access token which information is to be modified.
* \param TokenInformationClass A value from the TOKEN_INFORMATION_CLASS enumerated type identifying the type of information to be modified.
* \param TokenInformation Pointer to a caller-allocated buffer containing the information to be modified in the token.
* \param TokenInformationLength Length, in bytes, of the caller-allocated TokenInformation buffer.
* \return NTSTATUS Successful or errant status.
* \sa https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-ntsetinformationtoken
*/
NTSYSCALLAPI
NTSTATUS
NTAPI
NtSetInformationToken(
_In_ HANDLE TokenHandle,
_In_ TOKEN_INFORMATION_CLASS TokenInformationClass,
_In_reads_bytes_(TokenInformationLength) PVOID TokenInformation,
_In_ ULONG TokenInformationLength
);
/**
* The NtAdjustPrivilegesToken routine enables or disables privileges in the specified access token.
*
* \param TokenHandle Handle to the token that contains the privileges to be modified. The handle must have TOKEN_ADJUST_PRIVILEGES access.
* \param DisableAllPrivileges Specifies whether the function disables all of the token's privileges. If this value is TRUE, the function disables all privileges and ignores the NewState parameter.
* If it is FALSE, the function modifies privileges based on the information pointed to by the NewState parameter.
* \param NewState A pointer to a TOKEN_PRIVILEGES structure that specifies an array of privileges and their attributes. If DisableAllPrivileges is TRUE, the function ignores this parameter.
* \param BufferLength Specifies the size, in bytes, of the buffer pointed to by the PreviousState parameter. This parameter can be zero if the PreviousState parameter is NULL.
* \param PreviousState A pointer to a buffer that the function fills with a TOKEN_PRIVILEGES structure that contains the previous state of any privileges that the function modifies.
* \param ReturnLength A pointer to a variable that receives the required size, in bytes, of the buffer pointed to by the PreviousState parameter. This parameter can be NULL if PreviousState is NULL.
* \return NTSTATUS Successful or errant status.
* \sa https://learn.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-adjusttokenprivileges
*/
NTSYSCALLAPI
NTSTATUS
NTAPI
NtAdjustPrivilegesToken(
_In_ HANDLE TokenHandle,
_In_ BOOLEAN DisableAllPrivileges,
_In_opt_ PTOKEN_PRIVILEGES NewState,
_In_ ULONG BufferLength,
_Out_writes_bytes_to_opt_(BufferLength, *ReturnLength) PTOKEN_PRIVILEGES PreviousState,
_Out_opt_ PULONG ReturnLength
);
/**
* The NtAdjustGroupsToken routine enables or disables groups in the specified access token.
*
* \param TokenHandle Handle to the token that contains the groups to be modified. The handle must have TOKEN_ADJUST_GROUPS access.
* \param ResetToDefault Specifies whether the function resets the groups to the default state. If this value is TRUE, the function resets all groups to their default state and ignores the NewState parameter.
* \param NewState A pointer to a TOKEN_GROUPS structure that specifies an array of groups and their attributes. If ResetToDefault is TRUE, the function ignores this parameter.
* \param BufferLength Specifies the size, in bytes, of the buffer pointed to by the PreviousState parameter. This parameter can be zero if the PreviousState parameter is NULL.
* \param PreviousState A pointer to a buffer that the function fills with a TOKEN_GROUPS structure that contains the previous state of any groups that the function modifies.
* \param ReturnLength A pointer to a variable that receives the required size, in bytes, of the buffer pointed to by the PreviousState parameter. This parameter can be NULL if PreviousState is NULL.
* \return NTSTATUS Successful or errant status.
* \sa https://learn.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-adjusttokengroups
*/
NTSYSCALLAPI
NTSTATUS
NTAPI
NtAdjustGroupsToken(
_In_ HANDLE TokenHandle,
_In_ BOOLEAN ResetToDefault,
_In_opt_ PTOKEN_GROUPS NewState,
_In_opt_ ULONG BufferLength,
_Out_writes_bytes_to_opt_(BufferLength, *ReturnLength) PTOKEN_GROUPS PreviousState,
_Out_opt_ PULONG ReturnLength
);
#if (PHNT_VERSION >= PHNT_WINDOWS_8)
NTSYSCALLAPI
NTSTATUS
NTAPI
NtAdjustTokenClaimsAndDeviceGroups(
_In_ HANDLE TokenHandle,
_In_ BOOLEAN UserResetToDefault,
_In_ BOOLEAN DeviceResetToDefault,
_In_ BOOLEAN DeviceGroupsResetToDefault,
_In_opt_ PTOKEN_SECURITY_ATTRIBUTES_INFORMATION NewUserState,
_In_opt_ PTOKEN_SECURITY_ATTRIBUTES_INFORMATION NewDeviceState,
_In_opt_ PTOKEN_GROUPS NewDeviceGroupsState,
_In_ ULONG UserBufferLength,
_Out_writes_bytes_to_opt_(UserBufferLength, *UserReturnLength) PTOKEN_SECURITY_ATTRIBUTES_INFORMATION PreviousUserState,
_In_ ULONG DeviceBufferLength,
_Out_writes_bytes_to_opt_(DeviceBufferLength, *DeviceReturnLength) PTOKEN_SECURITY_ATTRIBUTES_INFORMATION PreviousDeviceState,
_In_ ULONG DeviceGroupsBufferLength,
_Out_writes_bytes_to_opt_(DeviceGroupsBufferLength, *DeviceGroupsReturnBufferLength) PTOKEN_GROUPS PreviousDeviceGroups,
_Out_opt_ PULONG UserReturnLength,
_Out_opt_ PULONG DeviceReturnLength,
_Out_opt_ PULONG DeviceGroupsReturnBufferLength
);
#endif // (PHNT_VERSION >= PHNT_WINDOWS_8)
// NtFilterToken Flags
#define DISABLE_MAX_PRIVILEGE 0x1 // Disables all privileges in the new token except SE_CHANGE_NOTIFY_PRIVILEGE.
#define SANDBOX_INERT 0x2 // Stores the TOKEN_SANDBOX_INERT flag in the token.
#define LUA_TOKEN 0x4
#define WRITE_RESTRICTED 0x8
/**
* The NtFilterToken routine creates a new access token that is a restricted version of an existing access token.
*
* \param ExistingTokenHandle Handle to a primary or impersonation token. The token can also be a restricted token. This token must already be open for TOKEN_DUPLICATE access.
* \param Flags Specifies additional privilege options.
* \param SidsToDisable The deny-only SIDs to include in the restricted token. The system uses a deny-only SID to deny access to a securable object. The absence of a deny-only SID does not allow access.
* \param PrivilegesToDelete The privileges to delete in the restricted token. This parameter is optional and can be NULL.
* \param RestrictedSids The list of restricting SIDs for the new token. This parameter is optional and can be NULL.
* \param NewTokenHandle The new restricted token. The new token is the same type, primary or impersonation, as the existing token.
* \return NTSTATUS Successful or errant status.
* \sa https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-sefiltertoken
*/
NTSYSCALLAPI
NTSTATUS
NTAPI
NtFilterToken(
_In_ HANDLE ExistingTokenHandle,
_In_ ULONG Flags,
_In_opt_ PTOKEN_GROUPS SidsToDisable,
_In_opt_ PTOKEN_PRIVILEGES PrivilegesToDelete,
_In_opt_ PTOKEN_GROUPS RestrictedSids,
_Out_ PHANDLE NewTokenHandle
);
#if (PHNT_VERSION >= PHNT_WINDOWS_8)
NTSYSCALLAPI
NTSTATUS
NTAPI
NtFilterTokenEx(
_In_ HANDLE ExistingTokenHandle,
_In_ ULONG Flags,
_In_opt_ PTOKEN_GROUPS SidsToDisable,
_In_opt_ PTOKEN_PRIVILEGES PrivilegesToDelete,
_In_opt_ PTOKEN_GROUPS RestrictedSids,
_In_ ULONG DisableUserClaimsCount,
_In_opt_ PCUNICODE_STRING UserClaimsToDisable,
_In_ ULONG DisableDeviceClaimsCount,
_In_opt_ PCUNICODE_STRING DeviceClaimsToDisable,
_In_opt_ PTOKEN_GROUPS DeviceGroupsToDisable,
_In_opt_ PTOKEN_SECURITY_ATTRIBUTES_INFORMATION RestrictedUserAttributes,
_In_opt_ PTOKEN_SECURITY_ATTRIBUTES_INFORMATION RestrictedDeviceAttributes,
_In_opt_ PTOKEN_GROUPS RestrictedDeviceGroups,
_Out_ PHANDLE NewTokenHandle
);
#endif // (PHNT_VERSION >= PHNT_WINDOWS_8)
/**
* The NtCompareTokens routine compares two access tokens to determine whether they are equivalent.
*
* \param FirstTokenHandle Handle to the first access token to compare. The handle must have TOKEN_QUERY access.
* \param SecondTokenHandle Handle to the second access token to compare. The handle must have TOKEN_QUERY access.
* \param Equal Pointer to a BOOLEAN variable that receives TRUE if the tokens are equivalent, or FALSE otherwise.
* \return NTSTATUS Successful or errant status.
* \sa https://learn.microsoft.com/en-us/windows/win32/secauthz/ntcomparetokens
*/
NTSYSCALLAPI
NTSTATUS
NTAPI
NtCompareTokens(
_In_ HANDLE FirstTokenHandle,
_In_ HANDLE SecondTokenHandle,
_Out_ PBOOLEAN Equal
);
/**
* The NtPrivilegeCheck routine determines whether a specified set of privileges are enabled in the access token of a client.
*
* \param ClientToken Handle to the access token of the client whose privileges are to be checked. The handle must have TOKEN_QUERY access.
* \param RequiredPrivileges Pointer to a PRIVILEGE_SET structure that specifies the set of privileges to be checked. On input, this structure contains the privileges to check.
* \param Result Pointer to a BOOLEAN variable that receives TRUE if all specified privileges are enabled, or FALSE otherwise.
* \return NTSTATUS Successful or errant status.
* \sa https://learn.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-privilegecheck
*/
NTSYSCALLAPI
NTSTATUS
NTAPI
NtPrivilegeCheck(
_In_ HANDLE ClientToken,
_Inout_ PPRIVILEGE_SET RequiredPrivileges,
_Out_ PBOOLEAN Result
);
/**
* The NtImpersonateAnonymousToken routine causes a thread to impersonate the anonymous token.
*
* \param ThreadHandle Handle to the thread that will impersonate the anonymous token. The handle must have THREAD_DIRECT_IMPERSONATION access.
* \return NTSTATUS Successful or errant status.
*/
NTSYSCALLAPI
NTSTATUS
NTAPI
NtImpersonateAnonymousToken(
_In_ HANDLE ThreadHandle
);
/**
* The NtQuerySecurityAttributesToken routine retrieves security attribute information from an access token.
*
* \param TokenHandle Handle to the access token from which to retrieve security attributes. The handle must have TOKEN_QUERY access.
* \param Attributes Pointer to an array of UNICODE_STRING structures specifying the names of the attributes to query. This parameter can be NULL if NumberOfAttributes is zero.
* \param NumberOfAttributes The number of attributes specified in the Attributes array.
* \param Buffer Pointer to a buffer that receives the security attribute information. The buffer receives a TOKEN_SECURITY_ATTRIBUTES_INFORMATION structure.
* \param Length The size, in bytes, of the Buffer parameter.
* \param ReturnLength Pointer to a variable that receives the number of bytes required to store the complete security attribute information.
* \return NTSTATUS Successful or errant status.
*/
NTSYSCALLAPI
NTSTATUS
NTAPI
NtQuerySecurityAttributesToken(
_In_ HANDLE TokenHandle,
_In_reads_opt_(NumberOfAttributes) PCUNICODE_STRING Attributes,
_In_ ULONG NumberOfAttributes,
_Out_writes_bytes_(Length) PVOID Buffer, // PTOKEN_SECURITY_ATTRIBUTES_INFORMATION
_In_ ULONG Length,
_Out_ PULONG ReturnLength
);
//
// Access checking
//
/**
* The NtAccessCheck routine determines whether a security descriptor grants a specified set of access rights to the client represented by an access token.
*
* \param SecurityDescriptor Pointer to the SECURITY_DESCRIPTOR structure against which access is checked.
* \param ClientToken Handle to the access token representing the client. The handle must have TOKEN_QUERY access.
* \param DesiredAccess Access mask that specifies the access rights to check.
* \param GenericMapping Pointer to the GENERIC_MAPPING structure associated with the object for which access is being checked.
* \param PrivilegeSet Pointer to a PRIVILEGE_SET structure that receives the privileges required to access the object. The buffer must be large enough to hold the privilege set.
* \param PrivilegeSetLength Pointer to a variable that specifies the size, in bytes, of the PrivilegeSet buffer. On input, this is the size of the buffer; on output, it receives the number of bytes required.
* \param GrantedAccess Pointer to an access mask that receives the granted access rights.
* \param AccessStatus Pointer to a variable that receives the results of the access check.
* \return NTSTATUS code indicating success or failure.
* \sa https://learn.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-accesscheck
*/
NTSYSCALLAPI
NTSTATUS
NTAPI
NtAccessCheck(
_In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
_In_ HANDLE ClientToken,
_In_ ACCESS_MASK DesiredAccess,
_In_ PGENERIC_MAPPING GenericMapping,
_Out_writes_bytes_(*PrivilegeSetLength) PPRIVILEGE_SET PrivilegeSet,
_Inout_ PULONG PrivilegeSetLength,
_Out_ PACCESS_MASK GrantedAccess,
_Out_ PNTSTATUS AccessStatus
);
/**
* The NtAccessCheckByType routine determines whether a security descriptor grants a specified set of access rights to the client represented by an access token, taking into account object type information.
*
* \param SecurityDescriptor Pointer to the SECURITY_DESCRIPTOR structure against which access is checked.
* \param PrincipalSelfSid Optional pointer to a SID structure representing the principal self SID, or NULL.
* \param ClientToken Handle to the access token representing the client. The handle must have TOKEN_QUERY access.
* \param DesiredAccess Access mask that specifies the access rights to check.
* \param ObjectTypeList Pointer to an array of OBJECT_TYPE_LIST structures that specify the hierarchy of object types for the object being accessed.
* \param ObjectTypeListLength The number of elements in the ObjectTypeList array.
* \param GenericMapping Pointer to the GENERIC_MAPPING structure associated with the object for which access is being checked.
* \param PrivilegeSet Pointer to a PRIVILEGE_SET structure that receives the privileges required to access the object. The buffer must be large enough to hold the privilege set.
* \param PrivilegeSetLength Pointer to a variable that specifies the size, in bytes, of the PrivilegeSet buffer. On input, this is the size of the buffer; on output, it receives the number of bytes required.
* \param GrantedAccess Pointer to an access mask that receives the granted access rights.
* \param AccessStatus Pointer to a variable that receives the results of the access check.
* \return NTSTATUS code indicating success or failure.
* \sa https://learn.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-accesscheckbytype
*/
NTSYSCALLAPI
NTSTATUS
NTAPI
NtAccessCheckByType(
_In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
_In_opt_ PSID PrincipalSelfSid,
_In_ HANDLE ClientToken,
_In_ ACCESS_MASK DesiredAccess,
_In_reads_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList,
_In_ ULONG ObjectTypeListLength,
_In_ PGENERIC_MAPPING GenericMapping,
_Out_writes_bytes_(*PrivilegeSetLength) PPRIVILEGE_SET PrivilegeSet,
_Inout_ PULONG PrivilegeSetLength,
_Out_ PACCESS_MASK GrantedAccess,
_Out_ PNTSTATUS AccessStatus
);