// // Retrieves the 'negotiate' AuthPackage from the LSA. In this case, Kerberos // For more information on auth packages see this msdn page: // http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthn/security/msv1_0_lm20_logon.asp // HRESULT RetrieveNegotiateAuthPackage(ULONG * pulAuthPackage) { HRESULT hr; HANDLE hLsa; NTSTATUS status = LsaConnectUntrusted(&hLsa); if (SUCCEEDED(HRESULT_FROM_NT(status))) { ULONG ulAuthPackage; LSA_STRING lsaszKerberosName; LsaInitString(&lsaszKerberosName, NEGOSSP_NAME); status = LsaLookupAuthenticationPackage(hLsa, &lsaszKerberosName, &ulAuthPackage); if (SUCCEEDED(HRESULT_FROM_NT(status))) { *pulAuthPackage = ulAuthPackage; hr = S_OK; } else { hr = HRESULT_FROM_NT(status); } LsaDeregisterLogonProcess(hLsa); } else { hr= HRESULT_FROM_NT(status); } return hr; }
HRESULT GetNTObjectSymbolicLinkTarget(LPCWSTR path, LPCWSTR entryName, PUNICODE_STRING LinkTarget) { HANDLE handle; WCHAR buffer[MAX_PATH]; LPWSTR pend = buffer; StringCbCopyExW(buffer, sizeof(buffer), path, &pend, NULL, 0); if (pend[-1] != '\\') { *pend++ = '\\'; *pend = 0; } StringCbCatW(buffer, sizeof(buffer), entryName); DbgPrint("GetNTObjectSymbolicLinkTarget %d\n", buffer); LinkTarget->Length = 0; DWORD err = NtOpenObject(SYMBOLICLINK_OBJECT, &handle, SYMBOLIC_LINK_QUERY, buffer); if (!NT_SUCCESS(err)) return HRESULT_FROM_NT(err); err = NtQuerySymbolicLinkObject(handle, LinkTarget, NULL); if (!NT_SUCCESS(err)) return HRESULT_FROM_NT(err); NtClose(handle); return S_OK; }
HRESULT ReadRegistryValue(HKEY root, PCWSTR path, PCWSTR valueName, PVOID * valueData, PDWORD valueLength) { HKEY hkey; DWORD res; if (root) { res = RegOpenKeyExW(root, *path == '\\' ? path + 1 : path, 0, STANDARD_RIGHTS_READ | KEY_QUERY_VALUE, &hkey); } else { res = NtOpenObject(KEY_OBJECT, (PHANDLE) &hkey, STANDARD_RIGHTS_READ | KEY_QUERY_VALUE, path); } if (!NT_SUCCESS(res)) { ERR("RegOpenKeyExW failed for path %S with status=%x\n", path, res); return HRESULT_FROM_NT(res); } res = RegQueryValueExW(hkey, valueName, NULL, NULL, NULL, valueLength); if (!NT_SUCCESS(res)) { ERR("RegQueryValueExW failed for path %S with status=%x\n", path, res); return HRESULT_FROM_NT(res); } if (*valueLength > 0) { PBYTE data = (PBYTE) CoTaskMemAlloc(*valueLength); *valueData = data; res = RegQueryValueExW(hkey, valueName, NULL, NULL, data, valueLength); if (!NT_SUCCESS(res)) { CoTaskMemFree(data); *valueData = NULL; RegCloseKey(hkey); ERR("RegOpenKeyExW failed for path %S with status=%x\n", path, res); return HRESULT_FROM_NT(res); } } else { *valueData = NULL; } RegCloseKey(hkey); return S_OK; }
/*---------------------------------------------------------------------- * * Methods. * */ static HRESULT JpfsvsStartKernelTraceSession( __in PJPFSV_TRACE_SESSION This, __in UINT BufferCount, __in UINT BufferSize, __in PJPFSV_EVENT_PROESSOR EventProcessor ) { PJPFSVP_KM_TRACE_SESSION Session; NTSTATUS Status; UNREFERENCED_PARAMETER( EventProcessor ); Session = ( PJPFSVP_KM_TRACE_SESSION ) This; if ( Session->TraceActive ) { return E_UNEXPECTED; } Status = JpkfbtInitializeTracing( Session->KfbtSession, Session->TracingType, BufferCount, BufferSize, Session->LogFilePath ); if ( NT_SUCCESS( Status ) ) { Session->TraceActive = TRUE; return S_OK; } else { return HRESULT_FROM_NT( Status ); } }
std::string msgDebugEngineComResult(HRESULT hr) { switch (hr) { case S_OK: return std::string("S_OK"); case S_FALSE: return std::string("S_FALSE"); case E_FAIL: break; case E_INVALIDARG: return std::string("E_INVALIDARG"); case E_NOINTERFACE: return std::string("E_NOINTERFACE"); case E_OUTOFMEMORY: return std::string("E_OUTOFMEMORY"); case E_UNEXPECTED: return std::string("E_UNEXPECTED"); case E_NOTIMPL: return std::string("E_NOTIMPL"); } if (hr == HRESULT_FROM_WIN32(ERROR_ACCESS_DENIED)) return std::string("ERROR_ACCESS_DENIED");; if (hr == HRESULT_FROM_NT(STATUS_CONTROL_C_EXIT)) return std::string("STATUS_CONTROL_C_EXIT"); return std::string("E_FAIL ") + winErrorMessage(HRESULT_CODE(hr)); }
/*---------------------------------------------------------------------- * * Test Kernel. * */ static VOID TestAttachDetachKernel() { HRESULT Hr; JPFSV_HANDLE KernelCtx; JPFSV_TRACING_TYPE TracingType; ULONG TypesTested= 0; for ( TracingType = JpfsvTracingTypeDefault; TracingType <= JpfsvTracingTypeMax; TracingType++ ) { Hr = JpfsvLoadContext( JPFSV_KERNEL, NULL, &KernelCtx ); if ( Hr == JPFSV_E_UNSUP_ON_WOW64 ) { CFIX_INCONCLUSIVE( L"Not supported on WOW64" ); return; } TEST_OK( Hr ); TEST( JPFSV_E_NO_TRACESESSION == JpfsvDetachContext( KernelCtx, TRUE ) ); DeleteFile( L"__kern.log" ); if ( TracingType != JpfsvTracingTypeWmk ) { TEST( E_INVALIDARG == JpfsvAttachContext( KernelCtx, TracingType, NULL ) ); Hr = JpfsvAttachContext( KernelCtx, TracingType, L"__kern.log" ); } else { TEST( E_INVALIDARG == JpfsvAttachContext( KernelCtx, TracingType, L"__kern.log" ) ); Hr = JpfsvAttachContext( KernelCtx, TracingType, NULL ); } if ( Hr == JPFSV_E_UNSUPPORTED_TRACING_TYPE || Hr == HRESULT_FROM_NT( 0xC0049300L ) ) // STATUS_KFBT_KERNEL_NOT_SUPPORTED { continue; } TEST_OK( Hr ); TEST( S_FALSE == JpfsvAttachContext( KernelCtx, TracingType, NULL ) ); TEST_OK( DetachContextSafe( KernelCtx ) ); TEST( JPFSV_E_NO_TRACESESSION == JpfsvDetachContext( KernelCtx, TRUE ) ); TEST_OK( JpfsvUnloadContext( KernelCtx ) ); TypesTested++; } if ( TypesTested == 0 ) { CFIX_INCONCLUSIVE( L"No TracingTypes supported" ); } }
//***************************************************************************** // Convert a string to UNICODE into the caller's buffer. //***************************************************************************** HRESULT StgPoolReadOnly::GetStringW( // Return code. ULONG iOffset, // Offset of string in pool. LPWSTR szOut, // Output buffer for string. int cchBuffer) // Size of output buffer. { LPCSTR pString; // The string in UTF8. int iChars; pString = GetString(iOffset); iChars = ::WszMultiByteToWideChar(CP_UTF8, 0, pString, -1, szOut, cchBuffer); if (iChars == 0) return (BadError(HRESULT_FROM_NT(GetLastError()))); return (S_OK); }
// ReportResult is completely optional. Its purpose is to allow a credential to customize the string // and the icon displayed in the case of a logon failure. For example, we have chosen to // customize the error shown in the case of bad username/password and in the case of the account // being disabled. HRESULT CardUnlockCredential::ReportResult( NTSTATUS ntsStatus, NTSTATUS ntsSubstatus, PWSTR* ppwszOptionalStatusText, CREDENTIAL_PROVIDER_STATUS_ICON* pcpsiOptionalStatusIcon ) { *ppwszOptionalStatusText = NULL; *pcpsiOptionalStatusIcon = CPSI_NONE; DWORD dwStatusInfo = (DWORD)-1; // Look for a match on status and substatus. for (DWORD i = 0; i < ARRAYSIZE(s_rgLogonStatusInfo); i++) { if (s_rgLogonStatusInfo[i].ntsStatus == ntsStatus && s_rgLogonStatusInfo[i].ntsSubstatus == ntsSubstatus) { dwStatusInfo = i; break; } } if ((DWORD)-1 != dwStatusInfo) { if (SUCCEEDED(SHStrDupW(s_rgLogonStatusInfo[dwStatusInfo].pwzMessage, ppwszOptionalStatusText))) { *pcpsiOptionalStatusIcon = s_rgLogonStatusInfo[dwStatusInfo].cpsi; } } // If we failed the logon, try to erase the password field. if (!SUCCEEDED(HRESULT_FROM_NT(ntsStatus))) { if (_pCredProvCredentialEvents) { _pCredProvCredentialEvents->SetFieldString(this, SFI_PASSWORD, L""); } // clear credentials SetUserData(L"", L""); // disconnect listener if login failed if (_rfidListener) _rfidListener->Disconnect(); } // Since NULL is a valid value for *ppwszOptionalStatusText and *pcpsiOptionalStatusIcon // this function can't fail. return S_OK; }
ULONG64 searchMemory(unsigned char * byteBuffer, unsigned long length){ ULONG64 addressHit = 0; HRESULT memSearch = S_OK; if((memSearch = g_ExtData->SearchVirtual((ULONG64)0, (ULONG64)-1, byteBuffer, length, 1, &addressHit)) != S_OK){ #if 0 if(memSearch == HRESULT_FROM_NT(STATUS_NO_MORE_ENTRIES)){ dprintf("[J] byte sequence not found in virtual memory\n"); } else{ dprintf("[J] byte search failed for another reason\n"); } #endif return (0); } if (!(addressHit >= disassemblyBuffer && addressHit <= (disassemblyBuffer+0x1000))) return (addressHit); return (0); }
static HRESULT JpfsvsStopKernelTraceSession( __in PJPFSV_TRACE_SESSION This, __in BOOL Wait ) { PJPFSVP_KM_TRACE_SESSION Session; NTSTATUS Status; Session = ( PJPFSVP_KM_TRACE_SESSION ) This; UNREFERENCED_PARAMETER( Wait ); Status = JpkfbtShutdownTracing( Session->KfbtSession ); if ( NT_SUCCESS( Status ) ) { Session->TraceActive = FALSE; return S_OK; } else { return HRESULT_FROM_NT( Status ); } }
static VOID TestTraceKernel() { ULONG BufferCount; ULONG BufferSize; PROC_SET Set; DWORD_PTR FailedProc; UINT Tracepoints, Count; UINT EnumCount; JPFSV_TRACEPOINT Tracepnt; HRESULT Hr; JPFSV_HANDLE KernelCtx; JPFSV_TRACING_TYPE TracingType; ULONG TypesTested = 0; TEST_OK( CdiagCreateSession( NULL, NULL, &DiagSession ) ); for ( TracingType = JpfsvTracingTypeDefault; TracingType <= JpfsvTracingTypeMax; TracingType++ ) { UINT Index; BOOL Instrumentable; WCHAR LogFile[ MAX_PATH ]; UINT PaddingSize; TEST_OK( StringCchPrintf( LogFile, _countof( LogFile ), L"__kern%d.log", TracingType ) ); // // Start a trace. // KernelCtx = NULL; Hr = JpfsvLoadContext( JPFSV_KERNEL, NULL, &KernelCtx ); if ( Hr == JPFSV_E_UNSUP_ON_WOW64 ) { CFIX_INCONCLUSIVE( L"Not supported on WOW64" ); return; } TEST_OK( Hr ); TEST( JPFSV_E_NO_TRACESESSION == JpfsvGetTracepointContext( KernelCtx, 0xF00, &Tracepnt ) ); DeleteFile( LogFile ); if ( TracingType != JpfsvTracingTypeWmk ) { TEST( E_INVALIDARG == JpfsvAttachContext( KernelCtx, TracingType, NULL ) ); Hr = JpfsvAttachContext( KernelCtx, TracingType, LogFile ); } else { TEST( E_INVALIDARG == JpfsvAttachContext( KernelCtx, TracingType, LogFile ) ); Hr = JpfsvAttachContext( KernelCtx, TracingType, NULL ); } if ( Hr == JPFSV_E_UNSUPPORTED_TRACING_TYPE || Hr == HRESULT_FROM_NT( 0xC0049300L ) ) // STATUS_KFBT_KERNEL_NOT_SUPPORTED { continue; } TEST_OK( Hr ); if ( TracingType == JpfsvTracingTypeWmk ) { BufferCount = 0; BufferSize = 0; } else { BufferCount = 5; BufferSize = 1024; } // // Instrument some procedures. // Set.Count = 0; Set.ContextHandle = KernelCtx; Set.Process = JpfsvGetProcessHandleContext( KernelCtx ); TEST( Set.Process ); // // Not all patchable... // TEST( SymEnumSymbols( Set.Process, 0, L"tcpip!*", AddProcedureSymCallback, &Set ) ); TEST_OK( JpfsvStartTraceContext( KernelCtx, BufferCount, BufferSize, DiagSession ) ); TEST( E_UNEXPECTED == JpfsvStartTraceContext( KernelCtx, BufferCount, BufferSize, DiagSession ) ); TEST( Set.Count > 0 ); TEST_OK( JpfsvCountTracePointsContext( KernelCtx, &Count ) ); TEST( 0 == Count ); TEST_STATUS( ( ULONG ) HRESULT_FROM_NT( STATUS_FBT_PROC_NOT_PATCHABLE ), JpfsvSetTracePointsContext( KernelCtx, JpfsvAddTracepoint, Set.Count, Set.Procedures, &FailedProc ) ); // // Instrumentable... // Set.Count = 0; Set.ContextHandle = KernelCtx; Set.Process = JpfsvGetProcessHandleContext( KernelCtx ); TEST( SymEnumSymbols( Set.Process, 0, IsVistaOrLater() ? L"tcpip!IPReg*" : L"tcpip!IPRc*", AddProcedureSymCallback, &Set ) ); TEST( Set.Count > 0 ); for ( Index = 0; Index < Set.Count; Index++ ) { TEST_OK( JpfsvCheckProcedureInstrumentability( KernelCtx, Set.Procedures[ Index ], &Instrumentable, &PaddingSize ) ); TEST( Instrumentable ); TEST( PaddingSize == 5 ); } // // Not instrumentable... // Set.Count = 0; Set.ContextHandle = KernelCtx; Set.Process = JpfsvGetProcessHandleContext( KernelCtx ); TEST( SymEnumSymbols( Set.Process, 0, IsVistaOrLater() ? L"tcpip!__report_gsfailure" : L"tcpip!_wcsicmp", AddProcedureSymCallback, &Set ) ); TEST( Set.Count > 0 ); TEST_OK( JpfsvCheckProcedureInstrumentability( KernelCtx, Set.Procedures[ 0 ], &Instrumentable, &PaddingSize ) ); TEST( ! Instrumentable ); TEST( PaddingSize == 0 ); // // All patchable... // Set.Count = 0; Set.ContextHandle = KernelCtx; Set.Process = JpfsvGetProcessHandleContext( KernelCtx ); TEST( Set.Process ); TEST( SymEnumSymbols( Set.Process, 0, IsVistaOrLater() ? L"tcpip!IPReg*" : L"tcpip!IPRc*", AddProcedureSymCallback, &Set ) ); TEST( Set.Count >= 3 ); TEST_OK( JpfsvSetTracePointsContext( KernelCtx, JpfsvAddTracepoint, Set.Count, Set.Procedures, &FailedProc ) ); // again - should be a noop. TEST_OK( JpfsvSetTracePointsContext( KernelCtx, JpfsvAddTracepoint, Set.Count, Set.Procedures, &FailedProc ) ); TEST( FailedProc == 0 ); TEST_OK( JpfsvCountTracePointsContext( KernelCtx, &Tracepoints ) ); TEST( Tracepoints > Set.Count / 2 ); // Duplicate-cleaned! TEST( Tracepoints <= Set.Count ); TEST_OK( JpfsvGetTracepointContext( KernelCtx, Set.Procedures[ 0 ], &Tracepnt ) ); TEST( Tracepnt.Procedure == Set.Procedures[ 0 ] ); TEST( wcslen( Tracepnt.SymbolName ) ); TEST( wcslen( Tracepnt.ModuleName ) ); TEST( JPFSV_E_TRACEPOINT_NOT_FOUND == JpfsvGetTracepointContext( KernelCtx, 0xBA2, &Tracepnt ) ); // // Count enum callbacks. // EnumCount = 0; TEST_OK( JpfsvEnumTracePointsContext( KernelCtx, CountTracepointsCallback, &EnumCount ) ); TEST( EnumCount == Tracepoints ); // // Stop while tracing active -> implicitly revoke all tracepoints. // TEST_OK( JpfsvStopTraceContext( KernelCtx, TRUE ) ); TEST_OK( JpfsvCountTracePointsContext( KernelCtx, &Count ) ); TEST( 0 == Count ); // // Trace again. // DeleteFile( LogFile ); TEST_OK( JpfsvStartTraceContext( KernelCtx, BufferCount, BufferSize, DiagSession ) ); TEST_OK( JpfsvSetTracePointsContext( KernelCtx, JpfsvAddTracepoint, Set.Count, Set.Procedures, &FailedProc ) ); TEST( FailedProc == 0 ); TEST_OK( JpfsvCountTracePointsContext( KernelCtx, &Count ) ); TEST( Tracepoints == Count ); // // Clean shutdown. // TEST_OK( JpfsvSetTracePointsContext( KernelCtx, JpfsvRemoveTracepoint, Set.Count, Set.Procedures, &FailedProc ) ); TEST( FailedProc == 0 ); TEST_OK( JpfsvCountTracePointsContext( KernelCtx, &Count ) ); TEST( 0 == Count ); TEST_OK( JpfsvStopTraceContext( KernelCtx, TRUE ) ); TEST_OK( DetachContextSafe( KernelCtx ) ); TEST_OK( JpfsvUnloadContext( KernelCtx ) ); TypesTested++; } TEST_OK( CdiagDereferenceSession( DiagSession ) ); if ( TypesTested == 0 ) { CFIX_INCONCLUSIVE( L"No TracingTypes supported" ); } }