1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
|
/*++
Copyright (c) 1991 Microsoft Corporation
Module Name:
ntrmlsa.h
Abstract:
Local Security Authority - Reference Monitor Communication Types
Author:
Scott Birrell (ScottBi) March 18, 1991
Environment:
Revision History:
--*/
#include <ntlsa.h>
#ifndef _NTRMLSA_
#define _NTRMLSA_
//
// Memory type. This defines the type of memory used for a record
// passed between the RM and LSA.
//
// SepRmLsaPortMemory - Memory allocated via RtlAllocateHeap()
// from the shared memory section associated with the
// Lsa command Port.
//
// SepRmLsaVirtualMemory - Memory allocated via ZwAllocateVirtualMemory()
//
// SepRmLsaUnreadableMemory - Memory not readable by the LSA. This
// memory must be copied to another format
// before passage over the link.
//
// SepRmLsaLPCBufferMemory - Memory contained within the LPC buffer
// itself
//
typedef enum _SEP_RM_LSA_MEMORY_TYPE {
SepRmNoMemory = 0,
SepRmImmediateMemory,
SepRmLsaCommandPortSharedMemory,
SepRmLsaCustomSharedMemory,
SepRmPagedPoolMemory,
SepRmUnspecifiedMemory
} SEP_RM_LSA_MEMORY_TYPE, *PSEP_RM_LSA_MEMORY_TYPE;
//
// Reference Monitor Command Message Structure. This structure is used
// by the Local Security Authority to send commands to the Reference Monitor
// via the Reference Monitor Server Command LPC Port.
//
#define RmMinimumCommand RmAuditSetCommand
#define RmMaximumCommand RmDeleteLogonSession
//
// Keep this in sync with SEP_RM_COMMAND_WORKER in se\rmmain.c
//
typedef enum _RM_COMMAND_NUMBER {
RmDummyCommand = 0,
RmAuditSetCommand,
RmSendCommandToLsaCommand,
RmComponentTestCommand,
RmCreateLogonSession,
RmDeleteLogonSession
} RM_COMMAND_NUMBER;
#define RM_MAXIMUM_COMMAND_PARAM_SIZE \
((ULONG) PORT_MAXIMUM_MESSAGE_LENGTH - sizeof(PORT_MESSAGE) - \
sizeof(RM_COMMAND_NUMBER))
typedef struct _RM_COMMAND_MESSAGE {
PORT_MESSAGE MessageHeader;
RM_COMMAND_NUMBER CommandNumber;
UCHAR CommandParams[RM_MAXIMUM_COMMAND_PARAM_SIZE];
} RM_COMMAND_MESSAGE, *PRM_COMMAND_MESSAGE;
//
// Reference Monitor Command Reply Message Structure.
//
#define RM_MAXIMUM_REPLY_BUFFER_SIZE \
((ULONG) PORT_MAXIMUM_MESSAGE_LENGTH - sizeof(PORT_MESSAGE) - \
sizeof(RM_COMMAND_NUMBER))
typedef struct _RM_REPLY_MESSAGE {
PORT_MESSAGE MessageHeader;
NTSTATUS ReturnedStatus;
UCHAR ReplyBuffer[RM_MAXIMUM_REPLY_BUFFER_SIZE];
} RM_REPLY_MESSAGE, *PRM_REPLY_MESSAGE;
#define RM_COMMAND_MESSAGE_HEADER_SIZE \
(sizeof(PORT_MESSAGE) + sizeof(NTSTATUS) + sizeof(RM_COMMAND_NUMBER))
//
// Local Security Authority Command Message Structure. This structure is
// used by the Reference Monitor to send commands to the Local Security
// Authority via the LSA Server Command LPC Port.
//
#define LsapMinimumCommand LsapWriteAuditMessageCommand
#define LsapMaximumCommand LsapLogonSessionDeletedCommand
typedef enum _LSA_COMMAND_NUMBER {
LsapDummyCommand = 0,
LsapWriteAuditMessageCommand,
LsapComponentTestCommand,
LsapLogonSessionDeletedCommand
} LSA_COMMAND_NUMBER;
#define LSA_MAXIMUM_COMMAND_PARAM_SIZE \
((ULONG) PORT_MAXIMUM_MESSAGE_LENGTH - sizeof(PORT_MESSAGE) - \
sizeof(LSA_COMMAND_NUMBER) - sizeof(SEP_RM_LSA_MEMORY_TYPE))
typedef struct _LSA_COMMAND_MESSAGE {
PORT_MESSAGE MessageHeader;
LSA_COMMAND_NUMBER CommandNumber;
SEP_RM_LSA_MEMORY_TYPE CommandParamsMemoryType;
UCHAR CommandParams[LSA_MAXIMUM_COMMAND_PARAM_SIZE];
} LSA_COMMAND_MESSAGE, *PLSA_COMMAND_MESSAGE;
//
// LSA Command Reply Message Structure.
//
#define LSA_MAXIMUM_REPLY_BUFFER_SIZE \
((ULONG) PORT_MAXIMUM_MESSAGE_LENGTH - sizeof(PORT_MESSAGE) - \
sizeof(LSA_COMMAND_NUMBER))
typedef struct _LSA_REPLY_MESSAGE {
PORT_MESSAGE MessageHeader;
NTSTATUS ReturnedStatus;
UCHAR ReplyBuffer[LSA_MAXIMUM_REPLY_BUFFER_SIZE];
} LSA_REPLY_MESSAGE, *PLSA_REPLY_MESSAGE;
//
// Command Parameter format for the special RmSendCommandToLsaCommand
//
typedef struct _RM_SEND_COMMAND_TO_LSA_PARAMS {
LSA_COMMAND_NUMBER LsaCommandNumber;
ULONG LsaCommandParamsLength;
UCHAR LsaCommandParams[LSA_MAXIMUM_COMMAND_PARAM_SIZE];
} RM_SEND_COMMAND_TO_LSA_PARAMS, *PRM_SEND_COMMAND_TO_LSA_PARAMS;
//
// Command Values for the LSA and RM Component Test Commands
//
#define LSA_CT_COMMAND_PARAM_VALUE 0x00823543
#define RM_CT_COMMAND_PARAM_VALUE 0x33554432
//
// Audit Record Pointer Field Type
//
typedef enum _SE_ADT_POINTER_FIELD_TYPE {
NullFieldType,
UnicodeStringType,
SidType,
PrivilegeSetType,
MiscFieldType
} SE_ADT_POINTER_FIELD_TYPE, *PSE_ADT_POINTER_FIELD_TYPE;
//
// Hardwired Audit Event Type counts
//
#define AuditEventMinType (AuditCategorySystem)
#define AuditEventMaxType (AuditCategoryAccountManagement)
#define POLICY_AUDIT_EVENT_TYPE_COUNT \
((ULONG) AuditEventMaxType - AuditEventMinType + 1)
#define LSARM_AUDIT_EVENT_OPTIONS_SIZE \
(((ULONG)(POLICY_AUDIT_EVENT_TYPE_COUNT) * sizeof (POLICY_AUDIT_EVENT_OPTIONS)))
//
// Self-Relative form of POLICY_AUDIT_EVENTS_INFO
//
typedef struct _LSARM_POLICY_AUDIT_EVENTS_INFO {
BOOLEAN AuditingMode;
POLICY_AUDIT_EVENT_OPTIONS EventAuditingOptions[POLICY_AUDIT_EVENT_TYPE_COUNT];
ULONG MaximumAuditEventCount;
} LSARM_POLICY_AUDIT_EVENTS_INFO, *PLSARM_POLICY_AUDIT_EVENTS_INFO;
//
// The following symbol defines the value containing whether or not we're supposed
// to crash when an audit fails. It is used in the se and lsasrv directories.
//
#define CRASH_ON_AUDIT_FAIL_VALUE L"CrashOnAuditFail"
//
// These are the possible values for the CrashOnAuditFail flag.
//
#define LSAP_CRASH_ON_AUDIT_FAIL 1
#define LSAP_ALLOW_ADIMIN_LOGONS_ONLY 2
#endif // _NTRMLSA_
|
