ntsec.h
上传用户:xuemeng126
上传日期:2022-07-05
资源大小:454k
文件大小:26k
源码类别:

系统编程

开发平台:

Visual C++

  1. /*--
  2. Copyright (c) 1998 Mark Russinovich
  3. Module Name:
  4.     ntsec.h
  5. Abstract:
  6.     Windows NT kernel-mode security APIs and definitions. Most of 
  7.     this is taken from winnt.h
  8. --*/
  9. #ifndef _NTSEC_
  10. #define _NTSEC_
  11. //
  12. // These typedefs convert Win32 types to DDK types
  13. //
  14. typedef ULONG DWORD;
  15. typedef UCHAR BYTE;
  16. typedef USHORT WORD;
  17. typedef PVOID LPVOID;
  18. typedef BOOLEAN BOOL;
  19. ////////////////////////////////////////////////////////////////////////
  20. //                                                                    //
  21. //              Security Id     (SID)                                 //
  22. //                                                                    //
  23. ////////////////////////////////////////////////////////////////////////
  24. //
  25. //
  26. // Pictorially the structure of an SID is as follows:
  27. //
  28. //         1   1   1   1   1   1
  29. //         5   4   3   2   1   0   9   8   7   6   5   4   3   2   1   0
  30. //      +---------------------------------------------------------------+
  31. //      |      SubAuthorityCount        |Reserved1 (SBZ)|   Revision    |
  32. //      +---------------------------------------------------------------+
  33. //      |                   IdentifierAuthority[0]                      |
  34. //      +---------------------------------------------------------------+
  35. //      |                   IdentifierAuthority[1]                      |
  36. //      +---------------------------------------------------------------+
  37. //      |                   IdentifierAuthority[2]                      |
  38. //      +---------------------------------------------------------------+
  39. //      |                                                               |
  40. //      +- -  -  -  -  -  -  -  SubAuthority[]  -  -  -  -  -  -  -  - -+
  41. //      |                                                               |
  42. //      +---------------------------------------------------------------+
  43. //
  44. //
  45. // typedef struct _SID_IDENTIFIER_AUTHORITY {
  46. //     BYTE  Value[6];
  47. // } SID_IDENTIFIER_AUTHORITY, *PSID_IDENTIFIER_AUTHORITY;
  48. // typedef struct _SID {
  49. //    BYTE  Revision;
  50. //    BYTE  SubAuthorityCount;
  51. //    SID_IDENTIFIER_AUTHORITY IdentifierAuthority;
  52. // #ifdef MIDL_PASS
  53. //    [size_is(SubAuthorityCount)] DWORD SubAuthority[*];
  54. // #else // MIDL_PASS
  55. //    DWORD SubAuthority[ANYSIZE_ARRAY];
  56. // #endif // MIDL_PASS
  57. // } SID, *PISID;
  58. //#define SID_REVISION                     (1)    // Current revision level
  59. #define SID_MAX_SUB_AUTHORITIES          (15)
  60. #define SID_RECOMMENDED_SUB_AUTHORITIES  (1)    // Will change to around 6
  61.                                                 // in a future release.
  62. // typedef enum _SID_NAME_USE {
  63. //     SidTypeUser = 1,
  64. //     SidTypeGroup,
  65. //     SidTypeDomain,
  66. //     SidTypeAlias,
  67. //     SidTypeWellKnownGroup,
  68. //     SidTypeDeletedAccount,
  69. //     SidTypeInvalid,
  70. //     SidTypeUnknown
  71. // } SID_NAME_USE, *PSID_NAME_USE;
  72. // typedef struct _SID_AND_ATTRIBUTES {
  73. //     PSID Sid;
  74. //     DWORD Attributes;
  75. //     } SID_AND_ATTRIBUTES, * PSID_AND_ATTRIBUTES;
  76. typedef SID_AND_ATTRIBUTES SID_AND_ATTRIBUTES_ARRAY[ANYSIZE_ARRAY];
  77. typedef SID_AND_ATTRIBUTES_ARRAY *PSID_AND_ATTRIBUTES_ARRAY;
  78. /////////////////////////////////////////////////////////////////////////////
  79. //                                                                         //
  80. // Universal well-known SIDs                                               //
  81. //                                                                         //
  82. //     Null SID                     S-1-0-0                                //
  83. //     World                        S-1-1-0                                //
  84. //     Local                        S-1-2-0                                //
  85. //     Creator Owner ID             S-1-3-0                                //
  86. //     Creator Group ID             S-1-3-1                                //
  87. //     Creator Owner Server ID      S-1-3-2                                //
  88. //     Creator Group Server ID      S-1-3-3                                //
  89. //                                                                         //
  90. //     (Non-unique IDs)             S-1-4                                  //
  91. //                                                                         //
  92. /////////////////////////////////////////////////////////////////////////////
  93. #define SECURITY_NULL_SID_AUTHORITY       {0,0,0,0,0,0}
  94. #define SECURITY_WORLD_SID_AUTHORITY      {0,0,0,0,0,1}
  95. #define SECURITY_LOCAL_SID_AUTHORITY      {0,0,0,0,0,2}
  96. #define SECURITY_CREATOR_SID_AUTHORITY    {0,0,0,0,0,3}
  97. #define SECURITY_NON_UNIQUE_AUTHORITY     {0,0,0,0,0,4}
  98. #define SECURITY_NULL_RID                 (0x00000000L)
  99. #define SECURITY_WORLD_RID                (0x00000000L)
  100. #define SECURITY_LOCAL_RID                (0X00000000L)
  101. #define SECURITY_CREATOR_OWNER_RID        (0x00000000L)
  102. #define SECURITY_CREATOR_GROUP_RID        (0x00000001L)
  103. #define SECURITY_CREATOR_OWNER_SERVER_RID (0x00000002L)
  104. #define SECURITY_CREATOR_GROUP_SERVER_RID (0x00000003L)
  105. /////////////////////////////////////////////////////////////////////////////
  106. //                                                                         //
  107. // NT well-known SIDs                                                      //
  108. //                                                                         //
  109. //     NT Authority          S-1-5                                         //
  110. //     Dialup                S-1-5-1                                       //
  111. //                                                                         //
  112. //     Network               S-1-5-2                                       //
  113. //     Batch                 S-1-5-3                                       //
  114. //     Interactive           S-1-5-4                                       //
  115. //     Service               S-1-5-6                                       //
  116. //     AnonymousLogon        S-1-5-7       (aka null logon session)        //
  117. //     Proxy                 S-1-5-8                                       //
  118. //     ServerLogon           S-1-5-8       (aka domain controller account) //
  119. //                                                                         //
  120. //     (Logon IDs)           S-1-5-5-X-Y                                   //
  121. //                                                                         //
  122. //     (NT non-unique IDs)   S-1-5-0x15-...                                //
  123. //                                                                         //
  124. //     (Built-in domain)     s-1-5-0x20                                    //
  125. //                                                                         //
  126. /////////////////////////////////////////////////////////////////////////////
  127. #define SECURITY_NT_AUTHORITY           {0,0,0,0,0,5}   // ntifs
  128. #define SECURITY_DIALUP_RID             (0x00000001L)
  129. #define SECURITY_NETWORK_RID            (0x00000002L)
  130. #define SECURITY_BATCH_RID              (0x00000003L)
  131. #define SECURITY_INTERACTIVE_RID        (0x00000004L)
  132. #define SECURITY_SERVICE_RID            (0x00000006L)
  133. #define SECURITY_ANONYMOUS_LOGON_RID    (0x00000007L)
  134. #define SECURITY_PROXY_RID              (0x00000008L)
  135. #define SECURITY_SERVER_LOGON_RID       (0x00000009L)
  136. #define SECURITY_LOGON_IDS_RID          (0x00000005L)
  137. #define SECURITY_LOGON_IDS_RID_COUNT    (3L)
  138. #define SECURITY_LOCAL_SYSTEM_RID       (0x00000012L)
  139. #define SECURITY_NT_NON_UNIQUE          (0x00000015L)
  140. #define SECURITY_BUILTIN_DOMAIN_RID     (0x00000020L)
  141. /////////////////////////////////////////////////////////////////////////////
  142. //                                                                         //
  143. // well-known domain relative sub-authority values (RIDs)...               //
  144. //                                                                         //
  145. /////////////////////////////////////////////////////////////////////////////
  146. // Well-known users ...
  147. #define DOMAIN_USER_RID_ADMIN          (0x000001F4L)
  148. #define DOMAIN_USER_RID_GUEST          (0x000001F5L)
  149. // well-known groups ...
  150. #define DOMAIN_GROUP_RID_ADMINS        (0x00000200L)
  151. #define DOMAIN_GROUP_RID_USERS         (0x00000201L)
  152. #define DOMAIN_GROUP_RID_GUESTS        (0x00000202L)
  153. // well-known aliases ...
  154. #define DOMAIN_ALIAS_RID_ADMINS        (0x00000220L)
  155. #define DOMAIN_ALIAS_RID_USERS         (0x00000221L)
  156. #define DOMAIN_ALIAS_RID_GUESTS        (0x00000222L)
  157. #define DOMAIN_ALIAS_RID_POWER_USERS   (0x00000223L)
  158. #define DOMAIN_ALIAS_RID_ACCOUNT_OPS   (0x00000224L)
  159. #define DOMAIN_ALIAS_RID_SYSTEM_OPS    (0x00000225L)
  160. #define DOMAIN_ALIAS_RID_PRINT_OPS     (0x00000226L)
  161. #define DOMAIN_ALIAS_RID_BACKUP_OPS    (0x00000227L)
  162. #define DOMAIN_ALIAS_RID_REPLICATOR    (0x00000228L)
  163. ////////////////////////////////////////////////////////////////////////
  164. //                                                                    //
  165. //                          User and Group related SID attributes     //
  166. //                                                                    //
  167. ////////////////////////////////////////////////////////////////////////
  168. //
  169. // Group attributes
  170. //
  171. #define SE_GROUP_MANDATORY              (0x00000001L)
  172. #define SE_GROUP_ENABLED_BY_DEFAULT     (0x00000002L)
  173. #define SE_GROUP_ENABLED                (0x00000004L)
  174. #define SE_GROUP_OWNER                  (0x00000008L)
  175. #define SE_GROUP_LOGON_ID               (0xC0000000L)
  176. //
  177. //  The structure of an ACE is a common ace header followed by ace type
  178. //  specific data.  Pictorally the structure of the common ace header is
  179. //  as follows:
  180. //
  181. //       3 3 2 2 2 2 2 2 2 2 2 2 1 1 1 1 1 1 1 1 1 1
  182. //       1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0
  183. //      +---------------+-------+-------+---------------+---------------+
  184. //      |            AceSize            |    AceFlags   |     AceType   |
  185. //      +---------------+-------+-------+---------------+---------------+
  186. //
  187. //  AceType denotes the type of the ace, there are some predefined ace
  188. //  types
  189. //
  190. //  AceSize is the size, in bytes, of ace.
  191. //
  192. //  AceFlags are the Ace flags for audit and inheritance, defined shortly.
  193. typedef struct _ACE_HEADER {
  194.     BYTE  AceType;
  195.     BYTE  AceFlags;
  196.     WORD   AceSize;
  197. } ACE_HEADER;
  198. typedef ACE_HEADER *PACE_HEADER;
  199. //
  200. //  The following are the predefined ace types that go into the AceType
  201. //  field of an Ace header.
  202. //
  203. #define ACCESS_ALLOWED_ACE_TYPE          (0x0)
  204. #define ACCESS_DENIED_ACE_TYPE           (0x1)
  205. #define SYSTEM_AUDIT_ACE_TYPE            (0x2)
  206. #define SYSTEM_ALARM_ACE_TYPE            (0x3)
  207. //
  208. //  The following are the inherit flags that go into the AceFlags field
  209. //  of an Ace header.
  210. //
  211. #define OBJECT_INHERIT_ACE                (0x1)
  212. #define CONTAINER_INHERIT_ACE             (0x2)
  213. #define NO_PROPAGATE_INHERIT_ACE          (0x4)
  214. #define INHERIT_ONLY_ACE                  (0x8)
  215. #define VALID_INHERIT_FLAGS               (0xF)
  216. //  The following are the currently defined ACE flags that go into the
  217. //  AceFlags field of an ACE header.  Each ACE type has its own set of
  218. //  AceFlags.
  219. //
  220. //  SUCCESSFUL_ACCESS_ACE_FLAG - used only with system audit and alarm ACE
  221. //  types to indicate that a message is generated for successful accesses.
  222. //
  223. //  FAILED_ACCESS_ACE_FLAG - used only with system audit and alarm ACE types
  224. //  to indicate that a message is generated for failed accesses.
  225. //
  226. //
  227. //  SYSTEM_AUDIT and SYSTEM_ALARM AceFlags
  228. //
  229. //  These control the signaling of audit and alarms for success or failure.
  230. //
  231. #define SUCCESSFUL_ACCESS_ACE_FLAG       (0x40)
  232. #define FAILED_ACCESS_ACE_FLAG           (0x80)
  233. //
  234. //  We'll define the structure of the predefined ACE types.  Pictorally
  235. //  the structure of the predefined ACE's is as follows:
  236. //
  237. //       3 3 2 2 2 2 2 2 2 2 2 2 1 1 1 1 1 1 1 1 1 1
  238. //       1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0
  239. //      +---------------+-------+-------+---------------+---------------+
  240. //      |    AceFlags   | Resd  |Inherit|    AceSize    |     AceType   |
  241. //      +---------------+-------+-------+---------------+---------------+
  242. //      |                              Mask                             |
  243. //      +---------------------------------------------------------------+
  244. //      |                                                               |
  245. //      +                                                               +
  246. //      |                                                               |
  247. //      +                              Sid                              +
  248. //      |                                                               |
  249. //      +                                                               +
  250. //      |                                                               |
  251. //      +---------------------------------------------------------------+
  252. //
  253. //  Mask is the access mask associated with the ACE.  This is either the
  254. //  access allowed, access denied, audit, or alarm mask.
  255. //
  256. //  Sid is the Sid associated with the ACE.
  257. //
  258. //  The following are the four predefined ACE types.
  259. //  Examine the AceType field in the Header to determine
  260. //  which structure is appropriate to use for casting.
  261. typedef struct _ACCESS_ALLOWED_ACE {
  262.     ACE_HEADER Header;
  263.     ACCESS_MASK Mask;
  264.     DWORD SidStart;
  265. } ACCESS_ALLOWED_ACE;
  266. typedef ACCESS_ALLOWED_ACE *PACCESS_ALLOWED_ACE;
  267. typedef struct _ACCESS_DENIED_ACE {
  268.     ACE_HEADER Header;
  269.     ACCESS_MASK Mask;
  270.     DWORD SidStart;
  271. } ACCESS_DENIED_ACE;
  272. typedef ACCESS_DENIED_ACE *PACCESS_DENIED_ACE;
  273. typedef struct _SYSTEM_AUDIT_ACE {
  274.     ACE_HEADER Header;
  275.     ACCESS_MASK Mask;
  276.     DWORD SidStart;
  277. } SYSTEM_AUDIT_ACE;
  278. typedef SYSTEM_AUDIT_ACE *PSYSTEM_AUDIT_ACE;
  279. typedef struct _SYSTEM_ALARM_ACE {
  280.     ACE_HEADER Header;
  281.     ACCESS_MASK Mask;
  282.     DWORD SidStart;
  283. } SYSTEM_ALARM_ACE;
  284. typedef SYSTEM_ALARM_ACE *PSYSTEM_ALARM_ACE;
  285. //
  286. // Minimum length, in bytes, needed to build a security descriptor
  287. // (NOTE: This must manually be kept consistent with the)
  288. // (sizeof(SECURITY_DESCRIPTOR)                         )
  289. //
  290. #define SECURITY_DESCRIPTOR_MIN_LENGTH   (20)
  291. typedef WORD   SECURITY_DESCRIPTOR_CONTROL, *PSECURITY_DESCRIPTOR_CONTROL;
  292. #define SE_OWNER_DEFAULTED               (0x0001)
  293. #define SE_GROUP_DEFAULTED               (0x0002)
  294. #define SE_DACL_PRESENT                  (0x0004)
  295. #define SE_DACL_DEFAULTED                (0x0008)
  296. #define SE_SACL_PRESENT                  (0x0010)
  297. #define SE_SACL_DEFAULTED                (0x0020)
  298. #define SE_SELF_RELATIVE                 (0x8000)
  299. //
  300. //  Where:
  301. //
  302. //      SE_OWNER_DEFAULTED - This boolean flag, when set, indicates that the
  303. //          SID pointed to by the Owner field was provided by a
  304. //          defaulting mechanism rather than explicitly provided by the
  305. //          original provider of the security descriptor.  This may
  306. //          affect the treatment of the SID with respect to inheritence
  307. //          of an owner.
  308. //
  309. //      SE_GROUP_DEFAULTED - This boolean flag, when set, indicates that the
  310. //          SID in the Group field was provided by a defaulting mechanism
  311. //          rather than explicitly provided by the original provider of
  312. //          the security descriptor.  This may affect the treatment of
  313. //          the SID with respect to inheritence of a primary group.
  314. //
  315. //      SE_DACL_PRESENT - This boolean flag, when set, indicates that the
  316. //          security descriptor contains a discretionary ACL.  If this
  317. //          flag is set and the Dacl field of the SECURITY_DESCRIPTOR is
  318. //          null, then a null ACL is explicitly being specified.
  319. //
  320. //      SE_DACL_DEFAULTED - This boolean flag, when set, indicates that the
  321. //          ACL pointed to by the Dacl field was provided by a defaulting
  322. //          mechanism rather than explicitly provided by the original
  323. //          provider of the security descriptor.  This may affect the
  324. //          treatment of the ACL with respect to inheritence of an ACL.
  325. //          This flag is ignored if the DaclPresent flag is not set.
  326. //
  327. //      SE_SACL_PRESENT - This boolean flag, when set,  indicates that the
  328. //          security descriptor contains a system ACL pointed to by the
  329. //          Sacl field.  If this flag is set and the Sacl field of the
  330. //          SECURITY_DESCRIPTOR is null, then an empty (but present)
  331. //          ACL is being specified.
  332. //
  333. //      SE_SACL_DEFAULTED - This boolean flag, when set, indicates that the
  334. //          ACL pointed to by the Sacl field was provided by a defaulting
  335. //          mechanism rather than explicitly provided by the original
  336. //          provider of the security descriptor.  This may affect the
  337. //          treatment of the ACL with respect to inheritence of an ACL.
  338. //          This flag is ignored if the SaclPresent flag is not set.
  339. //
  340. //      SE_SELF_RELATIVE - This boolean flag, when set, indicates that the
  341. //          security descriptor is in self-relative form.  In this form,
  342. //          all fields of the security descriptor are contiguous in memory
  343. //          and all pointer fields are expressed as offsets from the
  344. //          beginning of the security descriptor.  This form is useful
  345. //          for treating security descriptors as opaque data structures
  346. //          for transmission in communication protocol or for storage on
  347. //          secondary media.
  348. //
  349. //
  350. //
  351. // Pictorially the structure of a security descriptor is as follows:
  352. //
  353. //       3 3 2 2 2 2 2 2 2 2 2 2 1 1 1 1 1 1 1 1 1 1
  354. //       1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0
  355. //      +---------------------------------------------------------------+
  356. //      |            Control            |Reserved1 (SBZ)|   Revision    |
  357. //      +---------------------------------------------------------------+
  358. //      |                            Owner                              |
  359. //      +---------------------------------------------------------------+
  360. //      |                            Group                              |
  361. //      +---------------------------------------------------------------+
  362. //      |                            Sacl                               |
  363. //      +---------------------------------------------------------------+
  364. //      |                            Dacl                               |
  365. //      +---------------------------------------------------------------+
  366. //
  367. // In general, this data structure should be treated opaquely to ensure future
  368. // compatibility.
  369. //
  370. //
  371. typedef struct _SECURITY_ATTRIBUTES {
  372.     DWORD nLength;
  373.     LPVOID lpSecurityDescriptor;
  374.     BOOL bInheritHandle;
  375. } SECURITY_ATTRIBUTES, *PSECURITY_ATTRIBUTES, *LPSECURITY_ATTRIBUTES;
  376. ////////////////////////////////////////////////////////////////////
  377. //                                                                //
  378. //           Token Object Definitions                             //
  379. //                                                                //
  380. //                                                                //
  381. ////////////////////////////////////////////////////////////////////
  382. //
  383. // Token Specific Access Rights.
  384. //
  385. #define TOKEN_ASSIGN_PRIMARY    (0x0001)
  386. #define TOKEN_DUPLICATE         (0x0002)
  387. #define TOKEN_IMPERSONATE       (0x0004)
  388. #define TOKEN_QUERY             (0x0008)
  389. #define TOKEN_QUERY_SOURCE      (0x0010)
  390. #define TOKEN_ADJUST_PRIVILEGES (0x0020)
  391. #define TOKEN_ADJUST_GROUPS     (0x0040)
  392. #define TOKEN_ADJUST_DEFAULT    (0x0080)
  393. #define TOKEN_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED  |
  394.                           TOKEN_ASSIGN_PRIMARY      |
  395.                           TOKEN_DUPLICATE           |
  396.                           TOKEN_IMPERSONATE         |
  397.                           TOKEN_QUERY               |
  398.                           TOKEN_QUERY_SOURCE        |
  399.                           TOKEN_ADJUST_PRIVILEGES   |
  400.                           TOKEN_ADJUST_GROUPS       |
  401.                           TOKEN_ADJUST_DEFAULT)
  402. #define TOKEN_READ       (STANDARD_RIGHTS_READ      |
  403.                           TOKEN_QUERY)
  404. #define TOKEN_WRITE      (STANDARD_RIGHTS_WRITE     |
  405.                           TOKEN_ADJUST_PRIVILEGES   |
  406.                           TOKEN_ADJUST_GROUPS       |
  407.                           TOKEN_ADJUST_DEFAULT)
  408. #define TOKEN_EXECUTE    (STANDARD_RIGHTS_EXECUTE)
  409. //
  410. //
  411. // Token Types
  412. //
  413. // typedef enum _TOKEN_TYPE {
  414. //     TokenPrimary = 1,
  415. //     TokenImpersonation
  416. //     } TOKEN_TYPE;
  417. // typedef TOKEN_TYPE *PTOKEN_TYPE;
  418. //
  419. // Token Information Classes.
  420. //
  421. // typedef enum _TOKEN_INFORMATION_CLASS {
  422. //     TokenUser = 1,
  423. //     TokenGroups,
  424. //     TokenPrivileges,
  425. //     TokenOwner,
  426. //     TokenPrimaryGroup,
  427. //     TokenDefaultDacl,
  428. //     TokenSource,
  429. //     TokenType,
  430. //     TokenImpersonationLevel,
  431. //     TokenStatistics
  432. // } TOKEN_INFORMATION_CLASS, *PTOKEN_INFORMATION_CLASS;
  433. // typedef struct _TOKEN_USER {
  434. //     SID_AND_ATTRIBUTES User;
  435. // } TOKEN_USER, *PTOKEN_USER;
  436. // typedef struct _TOKEN_GROUPS {
  437. //     DWORD GroupCount;
  438. //     SID_AND_ATTRIBUTES Groups[ANYSIZE_ARRAY];
  439. // } TOKEN_GROUPS, *PTOKEN_GROUPS;
  440. // typedef struct _TOKEN_PRIVILEGES {
  441. //     DWORD PrivilegeCount;
  442. //     LUID_AND_ATTRIBUTES Privileges[ANYSIZE_ARRAY];
  443. // } TOKEN_PRIVILEGES, *PTOKEN_PRIVILEGES;
  444. // typedef struct _TOKEN_OWNER {
  445. //     PSID Owner;
  446. // } TOKEN_OWNER, *PTOKEN_OWNER;
  447. // typedef struct _TOKEN_PRIMARY_GROUP {
  448. //     PSID PrimaryGroup;
  449. // } TOKEN_PRIMARY_GROUP, *PTOKEN_PRIMARY_GROUP;
  450. // typedef struct _TOKEN_DEFAULT_DACL {
  451. //     PACL DefaultDacl;
  452. // } TOKEN_DEFAULT_DACL, *PTOKEN_DEFAULT_DACL;
  453. #define TOKEN_SOURCE_LENGTH 8
  454. // typedef struct _TOKEN_SOURCE {
  455. //     CHAR SourceName[TOKEN_SOURCE_LENGTH];
  456. //     LUID SourceIdentifier;
  457. // } TOKEN_SOURCE, *PTOKEN_SOURCE;
  458. // typedef struct _TOKEN_STATISTICS {
  459. //     LUID TokenId;
  460. //     LUID AuthenticationId;
  461. //     LARGE_INTEGER ExpirationTime;
  462. //     TOKEN_TYPE TokenType;
  463. //     SECURITY_IMPERSONATION_LEVEL ImpersonationLevel;
  464. //     DWORD DynamicCharged;
  465. //     DWORD DynamicAvailable;
  466. //     DWORD GroupCount;
  467. //     DWORD PrivilegeCount;
  468. //     LUID ModifiedId;
  469. // } TOKEN_STATISTICS, *PTOKEN_STATISTICS;
  470. // typedef struct _TOKEN_CONTROL {
  471. //     LUID TokenId;
  472. //     LUID AuthenticationId;
  473. //     LUID ModifiedId;
  474. //     TOKEN_SOURCE TokenSource;
  475. //     } TOKEN_CONTROL, *PTOKEN_CONTROL;
  476. //
  477. // Data structure used to represent client security context for a thread.
  478. // This data structure is used to support impersonation.
  479. //
  480. //  THE FIELDS OF THIS DATA STRUCTURE SHOULD BE CONSIDERED OPAQUE
  481. //  BY ALL EXCEPT THE SECURITY ROUTINES.
  482. //
  483. // typedef struct _SECURITY_CLIENT_CONTEXT {
  484. //     SECURITY_QUALITY_OF_SERVICE SecurityQos;
  485. //     PACCESS_TOKEN ClientToken;
  486. //     BOOLEAN DirectlyAccessClientToken;
  487. //     BOOLEAN DirectAccessEffectiveOnly;
  488. //     BOOLEAN ServerIsRemote;
  489. //     TOKEN_CONTROL ClientTokenControl;
  490. //     } SECURITY_CLIENT_CONTEXT, *PSECURITY_CLIENT_CONTEXT;
  491. //
  492. // Privileges
  493. //
  494. #define SE_CREATE_TOKEN_NAME              TEXT("SeCreateTokenPrivilege")
  495. #define SE_ASSIGNPRIMARYTOKEN_NAME        TEXT("SeAssignPrimaryTokenPrivilege")
  496. #define SE_LOCK_MEMORY_NAME               TEXT("SeLockMemoryPrivilege")
  497. #define SE_INCREASE_QUOTA_NAME            TEXT("SeIncreaseQuotaPrivilege")
  498. #define SE_UNSOLICITED_INPUT_NAME         TEXT("SeUnsolicitedInputPrivilege")
  499. #define SE_MACHINE_ACCOUNT_NAME           TEXT("SeMachineAccountPrivilege")
  500. #define SE_TCB_NAME                       TEXT("SeTcbPrivilege")
  501. #define SE_SECURITY_NAME                  TEXT("SeSecurityPrivilege")
  502. #define SE_TAKE_OWNERSHIP_NAME            TEXT("SeTakeOwnershipPrivilege")
  503. #define SE_LOAD_DRIVER_NAME               TEXT("SeLoadDriverPrivilege")
  504. #define SE_SYSTEM_PROFILE_NAME            TEXT("SeSystemProfilePrivilege")
  505. #define SE_SYSTEMTIME_NAME                TEXT("SeSystemtimePrivilege")
  506. #define SE_PROF_SINGLE_PROCESS_NAME       TEXT("SeProfileSingleProcessPrivilege")
  507. #define SE_INC_BASE_PRIORITY_NAME         TEXT("SeIncreaseBasePriorityPrivilege")
  508. #define SE_CREATE_PAGEFILE_NAME           TEXT("SeCreatePagefilePrivilege")
  509. #define SE_CREATE_PERMANENT_NAME          TEXT("SeCreatePermanentPrivilege")
  510. #define SE_BACKUP_NAME                    TEXT("SeBackupPrivilege")
  511. #define SE_RESTORE_NAME                   TEXT("SeRestorePrivilege")
  512. #define SE_SHUTDOWN_NAME                  TEXT("SeShutdownPrivilege")
  513. #define SE_DEBUG_NAME                     TEXT("SeDebugPrivilege")
  514. #define SE_AUDIT_NAME                     TEXT("SeAuditPrivilege")
  515. #define SE_SYSTEM_ENVIRONMENT_NAME        TEXT("SeSystemEnvironmentPrivilege")
  516. #define SE_CHANGE_NOTIFY_NAME             TEXT("SeChangeNotifyPrivilege")
  517. #define SE_REMOTE_SHUTDOWN_NAME           TEXT("SeRemoteShutdownPrivilege")
  518. //
  519. // Privilege attributes
  520. //
  521. #define SE_PRIVILEGE_ENABLED_BY_DEFAULT (0x00000001L)
  522. #define SE_PRIVILEGE_ENABLED            (0x00000002L)
  523. #define SE_PRIVILEGE_USED_FOR_ACCESS    (0x80000000L)
  524. //
  525. // SID Manipulation
  526. //
  527. // Win32: IsEqualSid
  528. // BOOLEAN 
  529. // NTAPI 
  530. // RtlEqualSid(
  531. //     PSID Sid1, 
  532. //     PSID Sid2 
  533. //     );
  534. // Win32: GetLengthSid
  535. // ULONG 
  536. // NTAPI 
  537. // RtlLengthSid(
  538. //     PSID Sid 
  539. //     );
  540. // Win32: CopySid
  541. // NTSTATUS 
  542. // NTAPI 
  543. // RtlCopySid(
  544. //     ULONG nDestinationSidLength, 
  545. //     PSID pDestinationSid, 
  546. //     PSID pSourceSid 
  547. //     );
  548. // Win32: AdjustTokenPrivileges
  549. NTSTATUS 
  550. NTAPI 
  551. NtAdjustPrivilegesToken(
  552.     HANDLE TokenHandle, 
  553.     BOOLEAN DisableAllPrivileges, 
  554.     PTOKEN_PRIVILEGES NewState, 
  555.     ULONG BufferLength, 
  556.     PTOKEN_PRIVILEGES PreviousState, 
  557.     PULONG ReturnLength 
  558.     );
  559. //
  560. // Token manipulation
  561. //
  562. // PVOID 
  563. // NTAPI 
  564. // PsReferencePrimaryToken(
  565. //    PEPROCESS Process 
  566. //    );
  567. // PVOID 
  568. // NTAPI 
  569. // PsReferenceImpersonationToken(
  570. //     PETHREAD Thread, 
  571. //     PBOOLEAN CopyOnOpen, 
  572. //     PBOOLEAN EffectiveOnly, 
  573. //     PSECURITY_IMPERSONATION_LEVEL ImpersonationLevel 
  574. //     );
  575. #endif // _NTSEC_