diff --git a/include/ntapi/nt_debug.h b/include/ntapi/nt_debug.h
index f5a1d40..7e62af5 100644
--- a/include/ntapi/nt_debug.h
+++ b/include/ntapi/nt_debug.h
@@ -333,11 +333,11 @@ typedef int32_t __stdcall ntapi_zw_set_debug_filter_state(
 	__in int32_t dbg_state);
 
 /* extension interfaces */
-typedef int32_t __stdcall ntapi_tt_create_debug_object(
+typedef int32_t __stdcall ntapi_tt_debug_create_object(
 	__out void ** hdbobj,
 	__in uint32_t flags);
 
-typedef int32_t __stdcall ntapi_tt_create_attach_debug_object(
+typedef int32_t __stdcall ntapi_tt_debug_create_attach_object(
 	__out void ** hdbgobj,
 	__in void * hprocess,
 	__in uint32_t flags);
diff --git a/include/ntapi/ntapi.h b/include/ntapi/ntapi.h
index 96b0974..634dd56 100644
--- a/include/ntapi/ntapi.h
+++ b/include/ntapi/ntapi.h
@@ -667,8 +667,8 @@ typedef struct _ntapi_vtbl {
 	ntapi_log_msg * log_msg;
 
 	/* nt_debug.h */
-	ntapi_tt_create_debug_object * tt_create_debug_object;
-	ntapi_tt_create_attach_debug_object * tt_create_attach_debug_object;
+	ntapi_tt_debug_create_object * tt_debug_create_object;
+	ntapi_tt_debug_create_attach_object * tt_debug_create_attach_object;
 	ntapi_tt_debug_execution_flow * tt_debug_execution_flow;
 	ntapi_tt_debug_break_process * tt_debug_break_process;
 } ntapi_vtbl;
diff --git a/project/common.mk b/project/common.mk
index 508cc13..e581e9d 100644
--- a/project/common.mk
+++ b/project/common.mk
@@ -15,7 +15,7 @@ COMMON_SRCS = \
 	src/blitter/ntapi_blt_free.c \
 	src/daemon/ntapi_dsr_init.c \
 	src/daemon/ntapi_dsr_internal_connection.c \
-	src/debug/ntapi_tt_create_debug_object.c \
+	src/debug/ntapi_tt_debug_create_object.c \
 	src/debug/ntapi_tt_debug_break_process.c \
 	src/debug/ntapi_tt_debug_execution_flow.c \
 	src/fs/ntapi_tt_get_file_handle_type.c \
diff --git a/src/debug/ntapi_tt_create_debug_object.c b/src/debug/ntapi_tt_create_debug_object.c
deleted file mode 100644
index b091d37..0000000
--- a/src/debug/ntapi_tt_create_debug_object.c
+++ /dev/null
@@ -1,120 +0,0 @@
-/********************************************************/
-/* ntapi: Native API core library */
-/* Copyright (C) 2013--2019 Z. Gilboa */
-/* Released under GPLv2 and GPLv3; see COPYING.NTAPI. */
-/********************************************************/
-
-#include
-#include
-#include
-#include
-#include
-#include "ntapi_impl.h"
-
-static nt_access_allowed_ace * __dbg_ace_init(
-	nt_access_allowed_ace * ace,
-	uint32_t mask,
-	const nt_sid * sid)
-{
-	ace->mask = mask;
-	ace->header.ace_type = NT_ACE_TYPE_ACCESS_ALLOWED;
-	ace->header.ace_flags = 0;
-	ace->header.ace_size = sizeof(uint32_t) * sid->sub_authority_count
-		+ __offsetof(nt_access_allowed_ace,sid_start)
-		+ __offsetof(nt_sid,sub_authority);
-
-	__ntapi->tt_sid_copy(
-		(nt_sid *)&ace->sid_start,
-		sid);
-
-	return (nt_access_allowed_ace *)((size_t)ace + ace->header.ace_size);
-}
-
-static void __dbg_sd_init(nt_sd_common_buffer * sd)
-{
-	nt_access_allowed_ace * ace;
-	uint32_t mask_system;
-	uint32_t mask_owner;
-	uint32_t mask_other;
-
-	/* access mask */
-	mask_system = NT_DEBUG_ALL_ACCESS;
-	mask_owner = NT_DEBUG_ALL_ACCESS;
-	mask_other = NT_SEC_READ_CONTROL | NT_SEC_SYNCHRONIZE;
-
-	/* sd header */
-	sd->sd.revision = 1;
-	sd->sd.sbz_1st = 0;
-	sd->sd.control = NT_SE_SELF_RELATIVE | NT_SE_DACL_PRESENT;
-	sd->sd.offset_owner = __offsetof(nt_sd_common_buffer,owner);
-	sd->sd.offset_group = 0;
-	sd->sd.offset_dacl = __offsetof(nt_sd_common_buffer,dacl);
-	sd->sd.offset_sacl = 0;
-
-	/* owner sid */
-	__ntapi->tt_sid_copy(
-		(nt_sid *)&sd->owner,
-		__ntapi_internals()->user);
-
-
-	/* ace's for LOCAL_SYSTEM, AUTHENTICATED_USERS, and process token user */
-	ace = (nt_access_allowed_ace *)&sd->buffer;
-	ace = __dbg_ace_init(ace,mask_system,&(nt_sid){1,1,{{0,0,0,0,0,5}},{18}});
-	ace = __dbg_ace_init(ace,mask_other,&(nt_sid){1,1,{{0,0,0,0,0,5}},{11}});
-	ace = __dbg_ace_init(ace,mask_owner,(nt_sid *)&sd->owner);
-
-	sd->dacl.acl_revision = 0x02;
-	sd->dacl.sbz_1st = 0;
-	sd->dacl.acl_size = (uint16_t)((char *)ace - (char *)&sd->dacl);
-	sd->dacl.ace_count = 3;
-	sd->dacl.sbz_2nd = 0;
-
-}
-
-int32_t __stdcall __ntapi_tt_create_debug_object(
-	__out void ** hdbgobj,
-	__in uint32_t flags)
-{
-	nt_oa oa;
-	nt_sd_common_buffer sd;
-	nt_sqos sqos = {
-		sizeof(sqos),
-		NT_SECURITY_IMPERSONATION,
-		NT_SECURITY_TRACKING_DYNAMIC,
-		1};
-
-	__dbg_sd_init(&sd);
-
-	oa.len = sizeof(oa);
-	oa.root_dir = 0;
-	oa.obj_name = 0;
-	oa.obj_attr = 0;
-	oa.sec_desc = &sd.sd;
-	oa.sec_qos = &sqos;
-
-	return __ntapi->zw_create_debug_object(
-		hdbgobj,
-		NT_DEBUG_ALL_ACCESS,
-		&oa,flags);
-}
-
-int32_t __stdcall __ntapi_tt_create_attach_debug_object(
-	__out void ** hdbgobj,
-	__in void * hprocess,
-	__in uint32_t flags)
-{
-	int32_t status;
-	void * hdebug;
-
-	if ((status = __ntapi_tt_create_debug_object(&hdebug,flags)))
-		return status;
-
-	if ((status = __ntapi->zw_debug_active_process(hprocess,hdebug))) {
-		__ntapi->zw_close(hdebug);
-		return status;
-	}
-
-	*hdbgobj = hdebug;
-
-	return NT_STATUS_SUCCESS;
-}
diff --git a/src/debug/ntapi_tt_debug_create_object.c b/src/debug/ntapi_tt_debug_create_object.c
new file mode 100644
index 0000000..836943e
--- /dev/null
+++ b/src/debug/ntapi_tt_debug_create_object.c
@@ -0,0 +1,120 @@
+/********************************************************/
+/* ntapi: Native API core library */
+/* Copyright (C) 2013--2019 Z. Gilboa */
+/* Released under GPLv2 and GPLv3; see COPYING.NTAPI. */
+/********************************************************/
+
+#include
+#include
+#include
+#include
+#include
+#include "ntapi_impl.h"
+
+static nt_access_allowed_ace * __dbg_ace_init(
+	nt_access_allowed_ace * ace,
+	uint32_t mask,
+	const nt_sid * sid)
+{
+	ace->mask = mask;
+	ace->header.ace_type = NT_ACE_TYPE_ACCESS_ALLOWED;
+	ace->header.ace_flags = 0;
+	ace->header.ace_size = sizeof(uint32_t) * sid->sub_authority_count
+		+ __offsetof(nt_access_allowed_ace,sid_start)
+		+ __offsetof(nt_sid,sub_authority);
+
+	__ntapi->tt_sid_copy(
+		(nt_sid *)&ace->sid_start,
+		sid);
+
+	return (nt_access_allowed_ace *)((size_t)ace + ace->header.ace_size);
+}
+
+static void __dbg_sd_init(nt_sd_common_buffer * sd)
+{
+	nt_access_allowed_ace * ace;
+	uint32_t mask_system;
+	uint32_t mask_owner;
+	uint32_t mask_other;
+
+	/* access mask */
+	mask_system = NT_DEBUG_ALL_ACCESS;
+	mask_owner = NT_DEBUG_ALL_ACCESS;
+	mask_other = NT_SEC_READ_CONTROL | NT_SEC_SYNCHRONIZE;
+
+	/* sd header */
+	sd->sd.revision = 1;
+	sd->sd.sbz_1st = 0;
+	sd->sd.control = NT_SE_SELF_RELATIVE | NT_SE_DACL_PRESENT;
+	sd->sd.offset_owner = __offsetof(nt_sd_common_buffer,owner);
+	sd->sd.offset_group = 0;
+	sd->sd.offset_dacl = __offsetof(nt_sd_common_buffer,dacl);
+	sd->sd.offset_sacl = 0;
+
+	/* owner sid */
+	__ntapi->tt_sid_copy(
+		(nt_sid *)&sd->owner,
+		__ntapi_internals()->user);
+
+
+	/* ace's for LOCAL_SYSTEM, AUTHENTICATED_USERS, and process token user */
+	ace = (nt_access_allowed_ace *)&sd->buffer;
+	ace = __dbg_ace_init(ace,mask_system,&(nt_sid){1,1,{{0,0,0,0,0,5}},{18}});
+	ace = __dbg_ace_init(ace,mask_other,&(nt_sid){1,1,{{0,0,0,0,0,5}},{11}});
+	ace = __dbg_ace_init(ace,mask_owner,(nt_sid *)&sd->owner);
+
+	sd->dacl.acl_revision = 0x02;
+	sd->dacl.sbz_1st = 0;
+	sd->dacl.acl_size = (uint16_t)((char *)ace - (char *)&sd->dacl);
+	sd->dacl.ace_count = 3;
+	sd->dacl.sbz_2nd = 0;
+
+}
+
+int32_t __stdcall __ntapi_tt_debug_create_object(
+	__out void ** hdbgobj,
+	__in uint32_t flags)
+{
+	nt_oa oa;
+	nt_sd_common_buffer sd;
+	nt_sqos sqos = {
+		sizeof(sqos),
+		NT_SECURITY_IMPERSONATION,
+		NT_SECURITY_TRACKING_DYNAMIC,
+		1};
+
+	__dbg_sd_init(&sd);
+
+	oa.len = sizeof(oa);
+	oa.root_dir = 0;
+	oa.obj_name = 0;
+	oa.obj_attr = 0;
+	oa.sec_desc = &sd.sd;
+	oa.sec_qos = &sqos;
+
+	return __ntapi->zw_create_debug_object(
+		hdbgobj,
+		NT_DEBUG_ALL_ACCESS,
+		&oa,flags);
+}
+
+int32_t __stdcall __ntapi_tt_debug_create_attach_object(
+	__out void ** hdbgobj,
+	__in void * hprocess,
+	__in uint32_t flags)
+{
+	int32_t status;
+	void * hdebug;
+
+	if ((status = __ntapi_tt_debug_create_object(&hdebug,flags)))
+		return status;
+
+	if ((status = __ntapi->zw_debug_active_process(hprocess,hdebug))) {
+		__ntapi->zw_close(hdebug);
+		return status;
+	}
+
+	*hdbgobj = hdebug;
+
+	return NT_STATUS_SUCCESS;
+}
diff --git a/src/internal/ntapi.c b/src/internal/ntapi.c
index eff7eb1..94b6604 100644
--- a/src/internal/ntapi.c
+++ b/src/internal/ntapi.c
@@ -444,8 +444,8 @@ static int32_t __fastcall __ntapi_init_once(ntapi_vtbl ** pvtbl)
 	__ntapi->log_msg = __ntapi_log_msg;
 
 	/* nt_debug.h */
-	__ntapi->tt_create_debug_object = __ntapi_tt_create_debug_object;
-	__ntapi->tt_create_attach_debug_object = __ntapi_tt_create_attach_debug_object;
+	__ntapi->tt_debug_create_object = __ntapi_tt_debug_create_object;
+	__ntapi->tt_debug_create_attach_object = __ntapi_tt_debug_create_attach_object;
 	__ntapi->tt_debug_execution_flow = __ntapi_tt_debug_execution_flow;
 	__ntapi->tt_debug_break_process = __ntapi_tt_debug_break_process;
 
diff --git a/src/internal/ntapi_fnapi.h b/src/internal/ntapi_fnapi.h
index 2f79a57..5d5f0f6 100644
--- a/src/internal/ntapi_fnapi.h
+++ b/src/internal/ntapi_fnapi.h
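Review bot: `__dbg_ace_init` advances to the next ACE by round-tripping the pointer through `size_t` — `return (nt_access_allowed_ace *)((size_t)ace + ace->header.ace_size);` — which the standard only guarantees to preserve a pointer value for `uintptr_t`, while the same file already uses the portable byte-pointer form when it computes `acl_size` from `(char *)ace - (char *)&sd->dacl`. `return (nt_access_allowed_ace *)((char *)ace + ace->header.ace_size);` keeps the behaviour and drops the unnecessary integer conversion. Separately, `__dbg_sd_init` copies the SID from `__ntapi_internals()->user` into `sd->owner` and then writes three ACEs into `sd->buffer`, one of them sized by that SID's `sub_authority_count`, and nothing in the hunk checks the total against the size of `buffer` or shows that `acl_size` fits the `uint16_t` it is truncated to; presumably `nt_sd_common_buffer` is dimensioned for the largest SID, but that is not visible here, so a one-line comment stating the bound (or a `_Static_assert` on it, if the project builds as C11) would make the descriptor construction self-evidently safe. The file is otherwise byte-identical to the deleted `ntapi_tt_create_debug_object.c`, so the rename itself needs no further change.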
@@ -335,8 +335,8 @@ NTAPI_UFN(log_fn_call);
 NTAPI_UFN(log_msg);
 
 /* debug */
-NTAPI_UFN(tt_create_debug_object);
-NTAPI_UFN(tt_create_attach_debug_object);
+NTAPI_UFN(tt_debug_create_object);
+NTAPI_UFN(tt_debug_create_attach_object);
 NTAPI_UFN(tt_debug_execution_flow);
 NTAPI_UFN(tt_debug_break_process);
 
diff --git a/src/process/ntapi_tt_spawn_foreign_process.c b/src/process/ntapi_tt_spawn_foreign_process.c
index 6f12f6a..1b63c23 100644
--- a/src/process/ntapi_tt_spawn_foreign_process.c
+++ b/src/process/ntapi_tt_spawn_foreign_process.c
@@ -384,7 +384,7 @@ int32_t __stdcall __ntapi_tt_spawn_foreign_process(nt_spawn_process_params * spa
 
 	/* debug */
 	if (sparams->spawnflags & NT_PROCESS_SPAWN_FLAG_DEBUG_MASK)
-		if ((status = __ntapi->tt_create_attach_debug_object(
+		if ((status = __ntapi->tt_debug_create_attach_object(
 			&sparams->hdbgobj,
 			cparams.hprocess,
 			NT_DEBUG_KILL_ON_EXIT)))