#ifndef _NTSEAPI_H
//
// Access checking
//
/**
* The NtAccessCheck routine determines whether a security descriptor grants a specified set of access rights to the client represented by an access token.
*
* The routine reports two separate results: the NTSTATUS return value and the NTSTATUS written to AccessStatus.
* Callers making an authorization decision should test both; a successful return value alone does not mean access was granted.
*
* @param SecurityDescriptor Pointer to the SECURITY_DESCRIPTOR structure against which access is checked.
* @param ClientToken Handle to the access token representing the client. The handle must have TOKEN_QUERY access. The linked AccessCheck documentation requires this to be an impersonation token.
* @param DesiredAccess Access mask that specifies the access rights to check. The linked AccessCheck documentation requires generic rights to be mapped to specific rights beforehand (no GENERIC_* bits left in the mask).
* @param GenericMapping Pointer to the GENERIC_MAPPING structure associated with the object for which access is being checked.
* @param PrivilegeSet Pointer to a PRIVILEGE_SET structure that receives the privileges required to access the object. The buffer must be large enough to hold the privilege set.
* @param PrivilegeSetLength Pointer to a variable that specifies the size, in bytes, of the PrivilegeSet buffer. On input, this is the size of the buffer; on output, it receives the number of bytes required.
* @param GrantedAccess Pointer to an access mask that receives the granted access rights. Treat the value as meaningful only when the call succeeded and *AccessStatus indicates success.
* @param AccessStatus Pointer to a variable that receives the results of the access check. This is the grant/deny outcome and is distinct from the routine's return value.
* @return NTSTATUS code indicating success or failure of the call itself; whether access was granted is reported through AccessStatus.
* @sa https://learn.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-accesscheck
*/
NTSYSCALLAPI
NTSTATUS
NTAPI
NtAccessCheck(
_In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
_In_ HANDLE ClientToken,
_In_ ACCESS_MASK DesiredAccess,
_In_ PGENERIC_MAPPING GenericMapping,
_Out_writes_bytes_(*PrivilegeSetLength) PPRIVILEGE_SET PrivilegeSet,
_Inout_ PULONG PrivilegeSetLength,
_Out_ PACCESS_MASK GrantedAccess,
_Out_ PNTSTATUS AccessStatus
);
#ifndef _NTZWAPI_H
/**
* Zw-prefixed declaration of the access-check routine. Its parameter list is identical to that of NtAccessCheck;
* see the NtAccessCheck documentation for the meaning of each parameter.
*
* The return value and the NTSTATUS written to AccessStatus are separate results: check both before treating
* GrantedAccess as an authorization decision.
*/
NTSYSCALLAPI
NTSTATUS
NTAPI
ZwAccessCheck(
_In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
_In_ HANDLE ClientToken,
_In_ ACCESS_MASK DesiredAccess,
_In_ PGENERIC_MAPPING GenericMapping,
_Out_writes_bytes_(*PrivilegeSetLength) PPRIVILEGE_SET PrivilegeSet,
_Inout_ PULONG PrivilegeSetLength,
_Out_ PACCESS_MASK GrantedAccess,
_Out_ PNTSTATUS AccessStatus
);
Function NtAccessCheck
should be used by server applications running in the SYSTEM
context to check access to an object on behalf of a connected client's token. See the similar Win32 API AccessCheck in the Microsoft SDK.
Pointer to SECURITY_DESCRIPTOR
structure.
HANDLE
to client's Token Object opened with TOKEN_QUERY
access.
ACCESS_MASK
required by client.
Pointer to a GENERIC_MAPPING
structure. The caller can obtain it with a call to NtQueryObject.
The function fills this buffer with a PRIVILEGE_SET
structure containing the required privileges.
Pointer to a ULONG
value. On input, this value is the size of the RequiredPrivilegesBuffer
buffer (the PrivilegeSet parameter in the prototype above). If the buffer was too small, the required buffer size is available on output.
Pointer to ACCESS_MASK
value receiving granted access for object.
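Result of the access check, in typical NTSTATUS
format. This value is separate from the function's own return value, so a caller should check both before relying on the granted access.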