/*
* Copyright (c) 2004 Security Architects Corporation. All rights reserved.
*
* Module Name:
*
* token.h
*
* Abstract:
*
* This module defines various types used by token hooking routines.
*
* Author:
*
* Eugene Tsyrklevich 25-Mar-2004
*
* Revision History:
*
* None.
*/
#ifndef __TOKEN_H__
#define __TOKEN_H__
#include <NTDDK.h>
#include "policy.h"
#include "pathproc.h"
#include "hookproc.h"
#include "procname.h"
#include "learn.h"
#include "log.h"
/*
ZwAdjustGroupsToken
ZwCreateToken
ZwOpenProcessToken
ZwOpenProcessTokenEx
ZwOpenThreadToken
ZwOpenThreadTokenEx
*/
/*
 * TOKEN_PRIVILEGES: a count followed by PrivilegeCount LUID_AND_ATTRIBUTES
 * entries. The ANYSIZE_ARRAY idiom marks Privileges as variable-length, so
 * this struct is only the fixed header of a caller-sized buffer. Code that
 * walks Privileges on a buffer received from a caller must bound the walk by
 * the buffer length it was handed (e.g. BufferLength in the hooks below), not
 * by PrivilegeCount alone, since the count itself is caller-controlled.
 *
 * NOTE(review): DWORD is the Win32/SDK spelling; kernel headers conventionally
 * use ULONG -- confirm DWORD is in scope via NTDDK.h, and that no other header
 * pulled into the build also defines _TOKEN_PRIVILEGES (e.g. an IFS header).
 */
typedef struct _TOKEN_PRIVILEGES {
DWORD PrivilegeCount;
LUID_AND_ATTRIBUTES Privileges[ANYSIZE_ARRAY];
} TOKEN_PRIVILEGES, *PTOKEN_PRIVILEGES;
/*
 * ZwAdjustPrivilegesToken adjusts the attributes of the privileges in a token. [NAR]
 *
 * fpZwAdjustPrivilegesToken is a pointer type with the native service's
 * signature -- presumably used to keep the original entry so the hook can
 * forward to it after inspecting the call.
 */
typedef NTSTATUS (*fpZwAdjustPrivilegesToken) (
IN HANDLE TokenHandle,
IN BOOLEAN DisableAllPrivileges,
IN PTOKEN_PRIVILEGES NewState,
IN ULONG BufferLength,
OUT PTOKEN_PRIVILEGES PreviousState OPTIONAL,
OUT PULONG ReturnLength
);
/*
 * HookedNtAdjustPrivilegesToken: replacement with the same signature as the
 * native service, so it can be installed in place of the original entry.
 *
 * NewState, PreviousState and ReturnLength are caller-supplied pointers and
 * BufferLength is a caller-supplied size. When the caller is user mode these
 * are untrusted: any dereference in the hook must be probed (ProbeForRead /
 * ProbeForWrite inside __try/__except) and any walk of NewState bounded by
 * BufferLength before the data is used for a policy decision or logged.
 *
 * NOTE(review): this header does not record whether ReturnLength is OPTIONAL
 * for the real service -- confirm against the DDK before the hook assumes it
 * is non-NULL. The definition lives in the token hooking module, not here.
 */
NTSTATUS
NTAPI
HookedNtAdjustPrivilegesToken(
IN HANDLE TokenHandle,
IN BOOLEAN DisableAllPrivileges,
IN PTOKEN_PRIVILEGES NewState,
IN ULONG BufferLength,
OUT PTOKEN_PRIVILEGES PreviousState OPTIONAL,
OUT PULONG ReturnLength
);
/*
 * ZwSetInformationToken sets information affecting a token object. [NAR]
 *
 * fpZwSetInformationToken is a pointer type with the native service's
 * signature -- presumably used to keep the original entry for forwarding.
 */
typedef NTSTATUS (*fpZwSetInformationToken) (
IN HANDLE TokenHandle,
IN TOKEN_INFORMATION_CLASS TokenInformationClass,
IN PVOID TokenInformation,
IN ULONG TokenInformationLength
);
/*
 * HookedNtSetInformationToken: replacement with the same signature as the
 * native service.
 *
 * TokenInformation is an untyped, caller-supplied buffer whose layout depends
 * on TokenInformationClass, and TokenInformationLength is caller-supplied.
 * If the hook interprets the buffer (e.g. to inspect a new owner, DACL or
 * session id), it must check TokenInformationLength against the size the
 * class implies and probe the user-mode pointer before reading it; the native
 * service performs its own validation, but the hook runs first.
 * The definition lives in the token hooking module, not here.
 */
NTSTATUS
NTAPI
HookedNtSetInformationToken(
IN HANDLE TokenHandle,
IN TOKEN_INFORMATION_CLASS TokenInformationClass,
IN PVOID TokenInformation,
IN ULONG TokenInformationLength
);
/*
 * ZwOpenProcessToken opens the token of a process. [NAR]
 *
 * Declared here (NTSYSAPI) so this module can call the kernel export
 * directly -- presumably because the NTDDK.h of the era did not prototype it.
 * TokenHandle receives a new handle on success; the caller owns it and must
 * close it (ZwClose) on every path once it is no longer needed.
 * NOTE(review): confirm the prototype against the current DDK; a mismatch in
 * an unchecked local declaration is not caught by the compiler.
 */
NTSYSAPI
NTSTATUS
NTAPI
ZwOpenProcessToken(
IN HANDLE ProcessHandle,
IN ACCESS_MASK DesiredAccess,
OUT PHANDLE TokenHandle
);
/*
 * ZwOpenThreadToken opens the token of a thread. [NAR]
 *
 * Declared here (NTSYSAPI) so this module can call the kernel export
 * directly. OpenAsSelf selects whether the access check runs against the
 * caller's process token rather than the thread's impersonation token (hedged:
 * per the documented Nt/Zw semantics, not something this header shows).
 * TokenHandle receives a new handle on success; the caller owns it and must
 * close it on every path.
 */
NTSYSAPI
NTSTATUS
NTAPI
ZwOpenThreadToken(
IN HANDLE ThreadHandle,
IN ACCESS_MASK DesiredAccess,
IN BOOLEAN OpenAsSelf,
OUT PHANDLE TokenHandle
);
/*
 * ZwQueryInformationToken retrieves information about a token object. [NAR]
 *
 * Declared here (NTSYSAPI) so this module can call the kernel export
 * directly. TokenInformation is an output buffer of TokenInformationLength
 * bytes whose layout depends on TokenInformationClass; ReturnLength receives
 * the size needed/written. Callers should check the returned status before
 * reading the buffer, and treat a buffer-too-small status as a request to
 * retry with *ReturnLength bytes rather than as a fatal error.
 */
NTSYSAPI
NTSTATUS
NTAPI
ZwQueryInformationToken(
IN HANDLE TokenHandle,
IN TOKEN_INFORMATION_CLASS TokenInformationClass,
OUT PVOID TokenInformation,
IN ULONG TokenInformationLength,
OUT PULONG ReturnLength
);
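/*
 * InitTokenHooks installs the token-related hooks declared in this header.
 *
 * Returns a BOOLEAN; presumably TRUE when all hooks were installed and FALSE
 * otherwise -- confirm against the definition, which is not in this header.
 *
 * Declared with an explicit (void) parameter list: in C an empty () list
 * declares a function with unspecified parameters, so the compiler would not
 * diagnose a caller passing arguments by mistake.
 */
BOOLEAN InitTokenHooks(void);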
#endif /* __TOKEN_H__ */