/*
* Copyright (c) 2004 Security Architects Corporation. All rights reserved.
*
* Module Name:
*
* userland.h
*
* Abstract:
*
* This module defines various types used by userland interacting routines.
*
* Author:
*
* Eugene Tsyrklevich 18-Apr-2004
*
* Revision History:
*
* None.
*/
#ifndef __USERLAND_H__
#define __USERLAND_H__
#include <NTDDK.h>
#include "policy.h"
#include "misc.h"
/* number of seconds to wait for userland agent to reply */
#define USERLAND_REQUEST_TIMEOUT 5
/*
 * Values carried in USERLAND_REQUEST_HEADER.RequestType. Each one selects
 * the request/reply pair that follows the common headers below.
 */
#define USERLAND_SID_RESOLVE_REQUEST 1 /* SID_RESOLVE_REQUEST -> SID_RESOLVE_REPLY */
#define USERLAND_ASK_USER_REQUEST 2 /* ASK_USER_REQUEST -> ASK_USER_REPLY */
/*
 * all userland requests start with the following header
 *
 * Requests are built in the kernel and handed to the user-mode agent; the
 * agent answers with a USERLAND_REPLY_HEADER that carries the same
 * ProcessId/SeqId pair (presumably how replies are matched to requests —
 * verify in the reply path).
 */
typedef struct _USERLAND_REQUEST_HEADER
{
/*
 * Kernel-side list link (UserlandRequestList). NOTE(review): if the header
 * is copied to the agent verbatim this field discloses a kernel address —
 * confirm the copy path zeroes or skips it.
 */
struct _USERLAND_REQUEST_HEADER *Next;
USHORT RequestType; /* USERLAND_SID_RESOLVE_REQUEST or USERLAND_ASK_USER_REQUEST */
USHORT RequestSize; /* size of the whole request in bytes, header included — assumed; confirm against the sender */
ULONG ProcessId; /* process the request concerns */
UCHAR SeqId; /* Sequence id, will roll over but that's fine */
} USERLAND_REQUEST_HEADER, *PUSERLAND_REQUEST_HEADER;
/* binary SID -> ASCII name resolve request */
typedef struct _SID_RESOLVE_REQUEST
{
USERLAND_REQUEST_HEADER RequestHeader; /* RequestType == USERLAND_SID_RESOLVE_REQUEST */
/*
 * SID to be resolved, passed by pointer rather than inline. NOTE(review):
 * a kernel pointer is not meaningful to the user-mode agent, so either the
 * pointed-to SID is marshalled separately or the agent only sees a copy —
 * confirm which, and that the pointer itself is not sent across.
 */
PSID_AND_ATTRIBUTES PUserSidAndAttributes;
} SID_RESOLVE_REQUEST, *PSID_RESOLVE_REQUEST;
/*
 * Ask user request: asks the agent to decide an action for an operation on
 * an object. The reply is an ASK_USER_REPLY carrying the chosen ACTION_TYPE.
 */
typedef struct _ASK_USER_REQUEST
{
USERLAND_REQUEST_HEADER RequestHeader; /* RequestType == USERLAND_ASK_USER_REQUEST */
RULE_TYPE RuleType; /* from policy.h */
UCHAR OperationType;
/*
 * Lengths of the two strings in the trailing buffer. Whether they count
 * WCHARs or bytes, and whether the terminator is included, is not visible
 * here — TODO confirm. Both must be checked against RequestSize by whoever
 * indexes the buffer.
 */
USHORT ObjectNameLength;
USHORT ProcessNameLength;
WCHAR ObjectName[ANYSIZE_ARRAY]; /* variable length, zero-terminated */
/*
 * ProcessName follows the zero-terminated ObjectName in the same buffer
 * and is not declared as a field; its logical type is
 * WCHAR ProcessName[ANYSIZE_ARRAY] and its offset is derived from
 * ObjectNameLength.
 */
} ASK_USER_REQUEST, *PASK_USER_REQUEST;
/*
 * all userland replies start with the following header
 *
 * Replies are produced by the user-mode agent, so from the kernel's point of
 * view every field is external input. NOTE(review): ReplySize should be
 * checked against the number of bytes actually received, and
 * ProcessId/SeqId matched to an outstanding request, before the reply body
 * is interpreted — confirm in the receive path.
 */
typedef struct _USERLAND_REPLY_HEADER
{
ULONG ProcessId; /* echoes USERLAND_REQUEST_HEADER.ProcessId */
USHORT ReplySize; /* size of the whole reply in bytes, header included — assumed; confirm */
UCHAR SeqId; /* Sequence id, will roll over but that's fine */
} USERLAND_REPLY_HEADER, *PUSERLAND_REPLY_HEADER;
/* binary SID -> ASCII name resolve reply */
typedef struct _SID_RESOLVE_REPLY
{
USERLAND_REPLY_HEADER ReplyHeader;
/*
 * Length of UserName. NOTE(review): must be bounded by ReplySize minus the
 * fixed part of this structure before UserName is read; whether the value
 * counts WCHARs or bytes, and whether UserName is zero-terminated, is not
 * visible here — TODO confirm.
 */
USHORT UserNameLength;
WCHAR UserName[ANYSIZE_ARRAY]; /* variable length, sized per UserNameLength */
} SID_RESOLVE_REPLY, *PSID_RESOLVE_REPLY;
/* Ask user reply */
typedef struct _ASK_USER_REPLY
{
USERLAND_REPLY_HEADER ReplyHeader;
/*
 * Decision made by the agent for the corresponding ASK_USER_REQUEST.
 * NOTE(review): the value arrives from user mode; the receiver should check
 * it is a known ACTION_TYPE and fall back to a safe default otherwise —
 * confirm how IssueUserlandAskUserRequest handles an unknown value.
 */
ACTION_TYPE Action;
} ASK_USER_REPLY, *PASK_USER_REPLY;
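/*
 * Shared state of the kernel <-> agent channel. Where these are written is
 * not visible in this header.
 */
/* TRUE once a user-mode agent is connected (by name; confirm who sets it). */
extern BOOLEAN ActiveUserAgent;
/*
 * Outstanding requests, singly linked through USERLAND_REQUEST_HEADER.Next.
 * gUserlandRequestListSpinLock is, by name, the lock guarding the list.
 */
extern PUSERLAND_REQUEST_HEADER UserlandRequestList;
extern KSPIN_LOCK gUserlandRequestListSpinLock;
/* Event used to wake the agent when work is queued — presumably; confirm. */
extern PKEVENT UserlandRequestUserEvent;

/*
 * Lifecycle. The empty parameter lists were replaced with (void): in C an
 * empty list declares a function with unspecified arguments, so a call
 * passing stray arguments would compile silently.
 */
BOOLEAN InitUserland(void);
BOOLEAN UserlandPostBootup(void);
VOID ShutdownUserland(void);

/* Opaque; the full struct lives elsewhere in the driver. */
typedef struct _IMAGE_PID_ENTRY *PIMAGE_PID_ENTRY;

/*
 * Sends a SID_RESOLVE_REQUEST for Process to the agent. Returns FALSE on
 * failure; whether it waits for the reply is not visible here.
 */
BOOLEAN IssueUserlandSidResolveRequest(PIMAGE_PID_ENTRY Process);
/*
 * Sends an ASK_USER_REQUEST and returns the agent's ACTION_TYPE.
 * NOTE(review): what is returned when no agent is active or it does not
 * answer within USERLAND_REQUEST_TIMEOUT is not visible here — confirm the
 * caller fails closed in that case.
 */
ACTION_TYPE IssueUserlandAskUserRequest(RULE_TYPE RuleType, UCHAR OperationType, PCHAR ObjectName);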
#endif /* __USERLAND_H__ */