Signed-off-by: Mohamad Al-Jaf mohamadaljaf@gmail.com --- v2: - Add entries to ntdll/unix/loader and ntdll/ntdll.spec. - Add entry to ntoskrnl.exe/ntoskrnl.exe.spec. - Add function to wow64/security.
v3: - Add missing parameter. - Fix formatting. - Fix access_status type. --- dlls/ntdll/ntdll.spec | 4 ++-- dlls/ntdll/unix/loader.c | 1 + dlls/ntdll/unix/security.c | 18 +++++++++++++++ dlls/ntoskrnl.exe/ntoskrnl.exe.spec | 1 + dlls/wow64/security.c | 34 +++++++++++++++++++++++++++++ dlls/wow64/syscall.h | 1 + include/winnt.h | 7 ++++++ include/winternl.h | 1 + 8 files changed, 65 insertions(+), 2 deletions(-)
diff --git a/dlls/ntdll/ntdll.spec b/dlls/ntdll/ntdll.spec
index d514bca5e11..90c0f3fb649 100644
--- a/dlls/ntdll/ntdll.spec
+++ b/dlls/ntdll/ntdll.spec
@@ -131,7 +131,7 @@
 @ stdcall -syscall NtAccessCheck(ptr long long ptr ptr ptr ptr ptr)
 @ stdcall -syscall NtAccessCheckAndAuditAlarm(ptr long ptr ptr ptr long ptr long ptr ptr ptr)
 # @ stub NtAccessCheckByType
-# @ stub NtAccessCheckByTypeAndAuditAlarm
+@ stdcall -syscall NtAccessCheckByTypeAndAuditAlarm(ptr long ptr ptr ptr ptr long long long ptr long ptr long ptr ptr ptr)
 # @ stub NtAccessCheckByTypeResultList
 # @ stub NtAccessCheckByTypeResultListAndAuditAlarm
 # @ stub NtAccessCheckByTypeResultListAndAuditAlarmByHandle
@@ -1155,7 +1155,7 @@
 @ stdcall -private -syscall ZwAccessCheck(ptr long long ptr ptr ptr ptr ptr) NtAccessCheck
 @ stdcall -private -syscall ZwAccessCheckAndAuditAlarm(ptr long ptr ptr ptr long ptr long ptr ptr ptr) NtAccessCheckAndAuditAlarm
 # @ stub ZwAccessCheckByType
-# @ stub ZwAccessCheckByTypeAndAuditAlarm
+@ stdcall -private -syscall ZwAccessCheckByTypeAndAuditAlarm(ptr long ptr ptr ptr ptr long long long ptr long ptr long ptr ptr ptr) NtAccessCheckByTypeAndAuditAlarm
 # @ stub ZwAccessCheckByTypeResultList
 # @ stub ZwAccessCheckByTypeResultListAndAuditAlarm
 # @ stub ZwAccessCheckByTypeResultListAndAuditAlarmByHandle
diff --git a/dlls/ntdll/unix/loader.c b/dlls/ntdll/unix/loader.c
index 5eb201bd90b..4a0c70d5a2c 100644
--- a/dlls/ntdll/unix/loader.c
+++ b/dlls/ntdll/unix/loader.c
@@ -124,6 +124,7 @@ static void * const syscalls[] =
 NtAcceptConnectPort,
 NtAccessCheck,
 NtAccessCheckAndAuditAlarm,
+ NtAccessCheckByTypeAndAuditAlarm,
 NtAddAtom,
 NtAdjustGroupsToken,
 NtAdjustPrivilegesToken,
diff --git a/dlls/ntdll/unix/security.c b/dlls/ntdll/unix/security.c
index 2955355353e..728ee961aa2 100644
--- a/dlls/ntdll/unix/security.c
+++ b/dlls/ntdll/unix/security.c
@@ -796,6 +796,24 @@ NTSTATUS WINAPI NtAccessCheckAndAuditAlarm( UNICODE_STRING *subsystem, HANDLE ha
 }
+/***********************************************************************
+ * NtAccessCheckByTypeAndAuditAlarm (NTDLL.@)
+ */
+NTSTATUS WINAPI NtAccessCheckByTypeAndAuditAlarm( UNICODE_STRING *subsystem, HANDLE handle,
+ UNICODE_STRING *type_name, UNICODE_STRING *name,
+ PSECURITY_DESCRIPTOR descr, PSID sid, ACCESS_MASK access,
+ AUDIT_EVENT_TYPE type, ULONG flags, POBJECT_TYPE_LIST list,
+ ULONG length, GENERIC_MAPPING *mapping, BOOLEAN creation,
+ ACCESS_MASK *access_granted, NTSTATUS *access_status,
+ BOOLEAN *on_close )
+{
+ FIXME( "(%s, %p, %s, %s, %p, %p, 0x%08x, %u, 0x%08x, %p, %u, %p, %d, %p, %p, %p), stub\n",
+ debugstr_us(subsystem), handle, debugstr_us(type_name), debugstr_us(name), descr, sid,
+ access, type, flags, list, length, mapping, creation, access_granted, access_status, on_close );
+ return STATUS_NOT_IMPLEMENTED;
+}
+
+
 /***********************************************************************
 * NtQuerySecurityObject (NTDLL.@)
 */
diff --git a/dlls/ntoskrnl.exe/ntoskrnl.exe.spec b/dlls/ntoskrnl.exe/ntoskrnl.exe.spec
index d445c5a5557..19b27adc891 100644
--- a/dlls/ntoskrnl.exe/ntoskrnl.exe.spec
+++ b/dlls/ntoskrnl.exe/ntoskrnl.exe.spec
@@ -1383,6 +1383,7 @@
 @ stub WmiUpdateTrace
 @ stub XIPDispatch
 @ stdcall -private ZwAccessCheckAndAuditAlarm(ptr long ptr ptr ptr long ptr long ptr ptr ptr) NtAccessCheckAndAuditAlarm
+@ stdcall -private ZwAccessCheckByTypeAndAuditAlarm(ptr long ptr ptr ptr ptr long long long ptr long ptr long ptr ptr ptr) NtAccessCheckByTypeAndAuditAlarm
 @ stub ZwAddBootEntry
 @ stdcall -private ZwAdjustPrivilegesToken(long long ptr long ptr ptr) NtAdjustPrivilegesToken
 @ stdcall -private ZwAlertThread(long) NtAlertThread
diff --git a/dlls/wow64/security.c b/dlls/wow64/security.c
index 680f5a6ec56..2d0ef1cd008 100644
--- a/dlls/wow64/security.c
+++ b/dlls/wow64/security.c
@@ -98,6 +98,40 @@ NTSTATUS WINAPI wow64_NtAccessCheckAndAuditAlarm( UINT *args )
 }
+/**********************************************************************
+ * wow64_NtAccessCheckByTypeAndAuditAlarm
+ */
+NTSTATUS WINAPI wow64_NtAccessCheckByTypeAndAuditAlarm( UINT *args )
+{
+ UNICODE_STRING32 *subsystem32 = get_ptr( &args );
+ HANDLE handle = get_handle( &args );
+ UNICODE_STRING32 *typename32 = get_ptr( &args );
+ UNICODE_STRING32 *objname32 = get_ptr( &args );
+ SECURITY_DESCRIPTOR *sd32 = get_ptr( &args );
+ SID *sid = get_ptr( &args );
+ ACCESS_MASK access = get_ulong( &args );
+ AUDIT_EVENT_TYPE type = get_ulong( &args );
+ ULONG flags = get_ulong( &args );
+ OBJECT_TYPE_LIST *list = get_ptr( &args );
+ ULONG length = get_ulong( &args );
+ GENERIC_MAPPING *mapping = get_ptr( &args );
+ BOOLEAN creation = get_ulong( &args );
+ ACCESS_MASK *access_granted = get_ptr( &args );
+ NTSTATUS *access_status = get_ptr( &args );
+ BOOLEAN *onclose = get_ptr( &args );
+
+ UNICODE_STRING subsystem, typename, objname;
+ SECURITY_DESCRIPTOR sd;
+
+ return NtAccessCheckByTypeAndAuditAlarm( unicode_str_32to64( &subsystem, subsystem32 ), handle,
+ unicode_str_32to64( &typename, typename32 ),
+ unicode_str_32to64( &objname, objname32 ),
+ secdesc_32to64( &sd, sd32 ), sid, access, type, flags,
+ list, length, mapping, creation, access_granted,
+ access_status, onclose );
+}
+
+
 /**********************************************************************
 * wow64_NtAdjustGroupsToken
 */
diff --git a/dlls/wow64/syscall.h b/dlls/wow64/syscall.h
index 0c2ba574031..17ebde65826 100644
--- a/dlls/wow64/syscall.h
+++ b/dlls/wow64/syscall.h
@@ -25,6 +25,7 @@
 SYSCALL_ENTRY( NtAcceptConnectPort ) \
 SYSCALL_ENTRY( NtAccessCheck ) \
 SYSCALL_ENTRY( NtAccessCheckAndAuditAlarm ) \
+ SYSCALL_ENTRY( NtAccessCheckByTypeAndAuditAlarm ) \
 SYSCALL_ENTRY( NtAddAtom ) \
 SYSCALL_ENTRY( NtAdjustGroupsToken ) \
 SYSCALL_ENTRY( NtAdjustPrivilegesToken ) \
diff --git a/include/winnt.h b/include/winnt.h
index 079858d2f7d..939c2f8d7dd 100644
--- a/include/winnt.h
+++ b/include/winnt.h
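Review bot: `list` is forwarded to the 64-bit call as the raw 32-bit pointer (`OBJECT_TYPE_LIST *list = get_ptr( &args );`), but OBJECT_TYPE_LIST as declared in the Windows headers carries a `GUID *ObjectType` member, so the array a 32-bit caller passes has a narrower element layout than the one the native function is declared to receive. While the ntdll side is a stub nothing reads the array, but once it is implemented the access check would walk `length` entries at the wrong stride and pick up misplaced GUID pointers. The thunk should build a 64-bit copy of the entries, widening each `ObjectType`, in the same way `secdesc_32to64` is already used for `sd32`, and `length` should be bounded before it sizes that copy since it comes straight from the 32-bit caller. Until that is written, a comment above the declaration such as `/* FIXME: OBJECT_TYPE_LIST holds a pointer and needs 32->64 conversion */` would keep the gap visible.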
@@ -3633,6 +3633,13 @@ typedef PVOID PACCESS_TOKEN;
 typedef PVOID PSECURITY_DESCRIPTOR;
 typedef PVOID PSID;
+typedef enum _AUDIT_EVENT_TYPE {
+ AuditEventObjectAccess,
+ AuditEventDirectoryServiceAccess
+} AUDIT_EVENT_TYPE, *PAUDIT_EVENT_TYPE;
+
+#define AUDIT_ALLOW_NO_PRIVILEGE 0x1
+
 typedef enum _TOKEN_ELEVATION_TYPE {
 TokenElevationTypeDefault = 1,
 TokenElevationTypeFull,
diff --git a/include/winternl.h b/include/winternl.h
index 6a95c4e0fdc..8e236f9d97d 100644
--- a/include/winternl.h
+++ b/include/winternl.h
@@ -3912,6 +3912,7 @@ NTSYSAPI NTSTATUS WINAPI LdrUnregisterDllNotification(void*);
 NTSYSAPI NTSTATUS WINAPI NtAcceptConnectPort(PHANDLE,ULONG,PLPC_MESSAGE,BOOLEAN,PLPC_SECTION_WRITE,PLPC_SECTION_READ);
 NTSYSAPI NTSTATUS WINAPI NtAccessCheck(PSECURITY_DESCRIPTOR,HANDLE,ACCESS_MASK,PGENERIC_MAPPING,PPRIVILEGE_SET,PULONG,PULONG,NTSTATUS*);
 NTSYSAPI NTSTATUS WINAPI NtAccessCheckAndAuditAlarm(PUNICODE_STRING,HANDLE,PUNICODE_STRING,PUNICODE_STRING,PSECURITY_DESCRIPTOR,ACCESS_MASK,PGENERIC_MAPPING,BOOLEAN,PACCESS_MASK,PBOOLEAN,PBOOLEAN);
+NTSYSAPI NTSTATUS WINAPI NtAccessCheckByTypeAndAuditAlarm(PUNICODE_STRING,HANDLE,PUNICODE_STRING,PUNICODE_STRING,PSECURITY_DESCRIPTOR,PSID,ACCESS_MASK,AUDIT_EVENT_TYPE,ULONG,POBJECT_TYPE_LIST,ULONG,PGENERIC_MAPPING,BOOLEAN,PACCESS_MASK,NTSTATUS*,PBOOLEAN);
 NTSYSAPI NTSTATUS WINAPI NtAddAtom(const WCHAR*,ULONG,RTL_ATOM*);
 NTSYSAPI NTSTATUS WINAPI NtAdjustGroupsToken(HANDLE,BOOLEAN,PTOKEN_GROUPS,ULONG,PTOKEN_GROUPS,PULONG);
 NTSYSAPI NTSTATUS WINAPI NtAdjustPrivilegesToken(HANDLE,BOOLEAN,PTOKEN_PRIVILEGES,DWORD,PTOKEN_PRIVILEGES,PDWORD);
Needed for IE11.
Signed-off-by: Mohamad Al-Jaf mohamadaljaf@gmail.com --- dlls/advapi32/advapi32.spec | 2 +- dlls/kernelbase/kernelbase.spec | 2 +- dlls/kernelbase/security.c | 26 ++++++++++++++++++++++++++ include/winbase.h | 1 + 4 files changed, 29 insertions(+), 2 deletions(-)
diff --git a/dlls/advapi32/advapi32.spec b/dlls/advapi32/advapi32.spec
index cefc8dc2899..a720f43a7f1 100644
--- a/dlls/advapi32/advapi32.spec
+++ b/dlls/advapi32/advapi32.spec
@@ -9,7 +9,7 @@
 @ stdcall -import AccessCheckAndAuditAlarmW(wstr ptr wstr wstr ptr long ptr long ptr ptr ptr)
 @ stdcall -import AccessCheckByType(ptr ptr long long ptr long ptr ptr ptr ptr ptr)
 # @ stub AccessCheckByTypeAndAuditAlarmA
-# @ stub AccessCheckByTypeAndAuditAlarmW
+@ stdcall -import AccessCheckByTypeAndAuditAlarmW(wstr ptr wstr wstr ptr ptr long long long ptr long ptr long ptr ptr ptr)
 # @ stub AccessCheckByTypeResultList
 # @ stub AccessCheckByTypeResultListAndAuditAlarmA
 # @ stub AccessCheckByTypeResultListAndAuditAlarmByHandleA
diff --git a/dlls/kernelbase/kernelbase.spec b/dlls/kernelbase/kernelbase.spec
index c1175af2f9f..8465d773851 100644
--- a/dlls/kernelbase/kernelbase.spec
+++ b/dlls/kernelbase/kernelbase.spec
@@ -1,7 +1,7 @@
 @ stdcall AccessCheck(ptr long long ptr ptr ptr ptr ptr)
 @ stdcall AccessCheckAndAuditAlarmW(wstr ptr wstr wstr ptr long ptr long ptr ptr ptr)
 @ stdcall AccessCheckByType(ptr ptr long long ptr long ptr ptr ptr ptr ptr)
-@ stub AccessCheckByTypeAndAuditAlarmW
+@ stdcall AccessCheckByTypeAndAuditAlarmW(wstr ptr wstr wstr ptr ptr long long long ptr long ptr long ptr ptr ptr)
 @ stub AccessCheckByTypeResultList
 @ stub AccessCheckByTypeResultListAndAuditAlarmByHandleW
 @ stub AccessCheckByTypeResultListAndAuditAlarmW
diff --git a/dlls/kernelbase/security.c b/dlls/kernelbase/security.c
index 26878982b6f..ee963a0f37d 100644
--- a/dlls/kernelbase/security.c
+++ b/dlls/kernelbase/security.c
@@ -1330,6 +1330,32 @@ BOOL WINAPI AccessCheckByType( PSECURITY_DESCRIPTOR descr, PSID sid, HANDLE toke
 return !*status;
 }
+/******************************************************************************
+ * AccessCheckByTypeAndAuditAlarmW (kernelbase.@)
+ */
+BOOL WINAPI AccessCheckByTypeAndAuditAlarmW( LPCWSTR subsystem, LPVOID id, LPCWSTR type_name,
+ LPCWSTR name, PSECURITY_DESCRIPTOR descr, PSID sid,
+ DWORD access, AUDIT_EVENT_TYPE type, DWORD flags,
+ POBJECT_TYPE_LIST list, DWORD length,
+ PGENERIC_MAPPING mapping, BOOL creation, LPDWORD granted,
+ LPBOOL status, LPBOOL on_close )
+{
+ UNICODE_STRING subsystemW, type_nameW, nameW;
+ NTSTATUS access_status;
+ BOOL ret;
+
+ RtlInitUnicodeString( &subsystemW, subsystem );
+ RtlInitUnicodeString( &type_nameW, type_name );
+ RtlInitUnicodeString( &nameW, name );
+
+ ret = set_ntstatus( NtAccessCheckByTypeAndAuditAlarm( &subsystemW, id, &type_nameW, &nameW, descr,
+ sid, access, type, flags, list, length,
+ mapping, creation, granted, &access_status,
+ (PBOOLEAN)on_close ));
+ if (ret) *status = set_ntstatus( access_status );
+ return ret;
+}
+
 /******************************************************************************
 * AddAccessAllowedAce (kernelbase.@)
 */
diff --git a/include/winbase.h b/include/winbase.h
index a0c62d710b9..ee1c1627a6b 100644
--- a/include/winbase.h
+++ b/include/winbase.h
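Review bot: The `(PBOOLEAN)on_close` cast passes the address of a 4-byte BOOL to a callee declared to write a 1-byte BOOLEAN, so a real implementation would set only one byte and leave whatever the caller had in the other three. Use a local instead: `BOOLEAN close_flag = FALSE;`, pass `&close_flag`, and assign `*on_close = close_flag;` after the call. Separately, when the NT call fails (today always, since the ntdll side returns STATUS_NOT_IMPLEMENTED) neither `*granted` nor `*status` is written, so a caller that ignores the return value reads stale values as the access decision. Unless tests show Windows leaves them untouched, failing closed with `*granted = 0; *status = FALSE;` before the call is the safer contract for an access-check API.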
@@ -1780,6 +1780,7 @@ WINADVAPI BOOL WINAPI AccessCheckAndAuditAlarmA(LPCSTR,LPVOID,LPSTR,LPST
 WINADVAPI BOOL WINAPI AccessCheckAndAuditAlarmW(LPCWSTR,LPVOID,LPWSTR,LPWSTR,PSECURITY_DESCRIPTOR,DWORD,PGENERIC_MAPPING,BOOL,LPDWORD,LPBOOL,LPBOOL);
 #define AccessCheckAndAuditAlarm WINELIB_NAME_AW(AccessCheckAndAuditAlarm)
 WINADVAPI BOOL WINAPI AccessCheckByType(PSECURITY_DESCRIPTOR,PSID,HANDLE,DWORD,POBJECT_TYPE_LIST,DWORD,PGENERIC_MAPPING,PPRIVILEGE_SET,LPDWORD,LPDWORD,LPBOOL);
+WINADVAPI BOOL WINAPI AccessCheckByTypeAndAuditAlarmW(LPCWSTR,LPVOID,LPCWSTR,LPCWSTR,PSECURITY_DESCRIPTOR,PSID,DWORD,AUDIT_EVENT_TYPE,DWORD,POBJECT_TYPE_LIST,DWORD,PGENERIC_MAPPING,BOOL,LPDWORD,LPBOOL,LPBOOL);
 WINBASEAPI VOID WINAPI AcquireSRWLockExclusive(PSRWLOCK);
 WINBASEAPI VOID WINAPI AcquireSRWLockShared(PSRWLOCK);
 WINADVAPI BOOL WINAPI AdjustTokenPrivileges(HANDLE,BOOL,PTOKEN_PRIVILEGES,DWORD,PTOKEN_PRIVILEGES,PDWORD);
Needed for IE11.
Signed-off-by: Mohamad Al-Jaf mohamadaljaf@gmail.com --- This is likely how Windows implements this function. --- dlls/advapi32/advapi32.spec | 2 +- dlls/advapi32/security.c | 27 +++++++++++++++++++++++++++ include/winbase.h | 2 ++ 3 files changed, 30 insertions(+), 1 deletion(-)
diff --git a/dlls/advapi32/advapi32.spec b/dlls/advapi32/advapi32.spec
index a720f43a7f1..42760099881 100644
--- a/dlls/advapi32/advapi32.spec
+++ b/dlls/advapi32/advapi32.spec
@@ -8,7 +8,7 @@
 @ stdcall AccessCheckAndAuditAlarmA(str ptr str str ptr long ptr long ptr ptr ptr)
 @ stdcall -import AccessCheckAndAuditAlarmW(wstr ptr wstr wstr ptr long ptr long ptr ptr ptr)
 @ stdcall -import AccessCheckByType(ptr ptr long long ptr long ptr ptr ptr ptr ptr)
-# @ stub AccessCheckByTypeAndAuditAlarmA
+@ stdcall AccessCheckByTypeAndAuditAlarmA(str ptr str str ptr ptr long long long ptr long ptr long ptr ptr ptr)
 @ stdcall -import AccessCheckByTypeAndAuditAlarmW(wstr ptr wstr wstr ptr ptr long long long ptr long ptr long ptr ptr ptr)
 # @ stub AccessCheckByTypeResultList
 # @ stub AccessCheckByTypeResultListAndAuditAlarmA
diff --git a/dlls/advapi32/security.c b/dlls/advapi32/security.c
index e0f7b63aedb..c6ecc295c4f 100644
--- a/dlls/advapi32/security.c
+++ b/dlls/advapi32/security.c
@@ -1429,6 +1429,33 @@ BOOL WINAPI AccessCheckAndAuditAlarmA(LPCSTR Subsystem, LPVOID HandleId, LPSTR O
 return TRUE;
 }
+/******************************************************************************
+ * AccessCheckByTypeAndAuditAlarmA [ADVAPI32.@]
+ */
+BOOL WINAPI AccessCheckByTypeAndAuditAlarmA( LPCSTR subsystem, LPVOID id, LPCSTR type_name,
+ LPCSTR name, PSECURITY_DESCRIPTOR descr, PSID sid,
+ DWORD access, AUDIT_EVENT_TYPE type, DWORD flags,
+ POBJECT_TYPE_LIST list, DWORD length,
+ PGENERIC_MAPPING mapping, BOOL creation, LPDWORD granted,
+ LPBOOL status, LPBOOL on_close )
+{
+ UNICODE_STRING subsystemW, type_nameW, nameW;
+ BOOL ret;
+
+ RtlCreateUnicodeStringFromAsciiz(&subsystemW, subsystem);
+ RtlCreateUnicodeStringFromAsciiz(&type_nameW, type_name);
+ RtlCreateUnicodeStringFromAsciiz(&nameW, name);
+
+ ret = AccessCheckByTypeAndAuditAlarmW( subsystemW.Buffer, id, type_nameW.Buffer, nameW.Buffer, descr,
+ sid, access, type, flags, list, length,
+ mapping, creation, granted, status, on_close );
+
+ RtlFreeUnicodeString(&subsystemW);
+ RtlFreeUnicodeString(&type_nameW);
+ RtlFreeUnicodeString(&nameW);
+ return ret;
+}
+
 BOOL WINAPI ObjectCloseAuditAlarmA(LPCSTR SubsystemName, LPVOID HandleId, BOOL GenerateOnClose)
 {
 FIXME("stub (%s,%p,%x)\n", debugstr_a(SubsystemName), HandleId, GenerateOnClose);
diff --git a/include/winbase.h b/include/winbase.h
index ee1c1627a6b..ea48bc99ba7 100644
--- a/include/winbase.h
+++ b/include/winbase.h
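Review bot: The three `RtlCreateUnicodeStringFromAsciiz` calls discard their BOOLEAN result, so if a conversion fails the W function is still called and the access check and audit record are made with a missing or indeterminate subsystem, type or object name instead of the one the caller supplied. Check each result and fail the call, for example `if (!RtlCreateUnicodeStringFromAsciiz( &nameW, name )) { SetLastError( ERROR_NOT_ENOUGH_MEMORY ); goto done; }`, with the three UNICODE_STRINGs zero-initialised and `done:` placed before the `RtlFreeUnicodeString` calls so the cleanup is safe on every path. As a style point, these calls and the frees use `f(&x, y)` spacing while the signature and the W call in the same function use `f( x, y )`; one convention within the function would read better.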
@@ -1780,7 +1780,9 @@ WINADVAPI BOOL WINAPI AccessCheckAndAuditAlarmA(LPCSTR,LPVOID,LPSTR,LPST
 WINADVAPI BOOL WINAPI AccessCheckAndAuditAlarmW(LPCWSTR,LPVOID,LPWSTR,LPWSTR,PSECURITY_DESCRIPTOR,DWORD,PGENERIC_MAPPING,BOOL,LPDWORD,LPBOOL,LPBOOL);
 #define AccessCheckAndAuditAlarm WINELIB_NAME_AW(AccessCheckAndAuditAlarm)
 WINADVAPI BOOL WINAPI AccessCheckByType(PSECURITY_DESCRIPTOR,PSID,HANDLE,DWORD,POBJECT_TYPE_LIST,DWORD,PGENERIC_MAPPING,PPRIVILEGE_SET,LPDWORD,LPDWORD,LPBOOL);
+WINADVAPI BOOL WINAPI AccessCheckByTypeAndAuditAlarmA(LPCSTR,LPVOID,LPCSTR,LPCSTR,PSECURITY_DESCRIPTOR,PSID,DWORD,AUDIT_EVENT_TYPE,DWORD,POBJECT_TYPE_LIST,DWORD,PGENERIC_MAPPING,BOOL,LPDWORD,LPBOOL,LPBOOL);
 WINADVAPI BOOL WINAPI AccessCheckByTypeAndAuditAlarmW(LPCWSTR,LPVOID,LPCWSTR,LPCWSTR,PSECURITY_DESCRIPTOR,PSID,DWORD,AUDIT_EVENT_TYPE,DWORD,POBJECT_TYPE_LIST,DWORD,PGENERIC_MAPPING,BOOL,LPDWORD,LPBOOL,LPBOOL);
+#define AccessCheckByTypeAndAuditAlarm WINELIB_NAME_AW(AccessCheckByTypeAndAuditAlarm)
 WINBASEAPI VOID WINAPI AcquireSRWLockExclusive(PSRWLOCK);
 WINBASEAPI VOID WINAPI AcquireSRWLockShared(PSRWLOCK);
 WINADVAPI BOOL WINAPI AdjustTokenPrivileges(HANDLE,BOOL,PTOKEN_PRIVILEGES,DWORD,PTOKEN_PRIVILEGES,PDWORD);
Hi,
May I please have feedback for this patchset? I don't know why it's not being committed. Have I done something wrong? The formatting on the ret = AccessCheckByTypeAndAuditAlarmW line could be improved but what about the code itself? Is the formatting the reason why it's not being committed? -- Kind regards, Mohamad