Additional functions.

tyranid · tyranid · commit 400085e50286 · 2020-06-08T22:57:53.000+01:00
diff --git a/NtApiDotNet/Win32/EventTracing.cs b/NtApiDotNet/Win32/EventTracing.cs
@@ -53,6 +53,16 @@ public static NtResult<SecurityDescriptor> QueryTraceSecurity(Guid guid, bool th
             }
         }
 
+        /// <summary>
+        /// Query security of an event.
+        /// </summary>
+        /// <param name="guid">The event GUID to query.</param>
+        /// <returns>The event security descriptor.</returns>
+        public static SecurityDescriptor QueryTraceSecurity(Guid guid)
+        {
+            return QueryTraceSecurity(guid, true).Result;
+        }
+
         /// <summary>
         /// Query the default security for events.
         /// </summary>
@@ -63,6 +73,118 @@ public static NtResult<SecurityDescriptor> QueryDefaultSecurity(bool throw_on_er
             return QueryTraceSecurity(TraceKnownGuids.DefaultTraceSecurity, throw_on_error);
         }
 
+        /// <summary>
+        /// Query the default security for events.
+        /// </summary>
+        /// <returns>The default security descriptor.</returns>
+        public static SecurityDescriptor QueryDefaultSecurity()
+        {
+            return QueryDefaultSecurity(true).Result;
+        }
+
+        /// <summary>
+        /// Modify trace security.
+        /// </summary>
+        /// <param name="guid">The event trace GUID.</param>
+        /// <param name="operation">The operation to perform.</param>
+        /// <param name="sid">The SID to set.</param>
+        /// <param name="access_mask">The access mask to set.</param>
+        /// <param name="allow">True to allow, false to deny.</param>
+        /// <param name="throw_on_error">True to throw on error.</param>
+        /// <returns>The NT status code.</returns>
+        public static NtStatus ControlTraceSecurity(Guid guid, EventSecurityOperation operation, Sid sid, TraceAccessRights access_mask, bool allow, bool throw_on_error)
+        {
+            using (var buffer = sid.ToSafeBuffer())
+            {
+                return Win32NativeMethods.EventAccessControl(ref guid, operation, buffer, access_mask, allow).ToNtException(throw_on_error);
+            }
+        }
+
+        /// <summary>
+        /// Modify trace security.
+        /// </summary>
+        /// <param name="guid">The event trace GUID.</param>
+        /// <param name="operation">The operation to perform.</param>
+        /// <param name="sid">The SID to set.</param>
+        /// <param name="access_mask">The access mask to set.</param>
+        /// <param name="allow">True to allow, false to deny.</param>
+        public static void ControlTraceSecurity(Guid guid, EventSecurityOperation operation, Sid sid, TraceAccessRights access_mask, bool allow)
+        {
+            ControlTraceSecurity(guid, operation, sid, access_mask, allow, true);
+        }
+
+        /// <summary>
+        /// Adds DACL ACE for an event trace.
+        /// </summary>
+        /// <param name="guid">The event trace GUID.</param>
+        /// <param name="sid">The SID to set.</param>
+        /// <param name="access_mask">The access mask to set.</param>
+        /// <param name="allow">True to allow, false to deny.</param>
+        /// <param name="throw_on_error">True to throw on error.</param>
+        /// <returns>The NT status code.</returns>
+        public static NtStatus AddTraceSecurityDacl(Guid guid, Sid sid, TraceAccessRights access_mask, bool allow, bool throw_on_error)
+        {
+            return ControlTraceSecurity(guid, EventSecurityOperation.AddDacl, sid, access_mask, allow, throw_on_error);
+        }
+
+        /// <summary>
+        /// Adds DACL ACE for an event trace.
+        /// </summary>
+        /// <param name="guid">The event trace GUID.</param>
+        /// <param name="sid">The SID to set.</param>
+        /// <param name="access_mask">The access mask to set.</param>
+        /// <param name="allow">True to allow, false to deny.</param>
+        public static void AddTraceSecurityDacl(Guid guid, Sid sid, TraceAccessRights access_mask, bool allow)
+        {
+            AddTraceSecurityDacl(guid, sid, access_mask, allow, true);
+        }
+
+        /// <summary>
+        /// Clears DACL and adds ACE for an event trace.
+        /// </summary>
+        /// <param name="guid">The event trace GUID.</param>
+        /// <param name="sid">The SID to set.</param>
+        /// <param name="access_mask">The access mask to set.</param>
+        /// <param name="allow">True to allow, false to deny.</param>
+        /// <param name="throw_on_error">True to throw on error.</param>
+        /// <returns>The NT status code.</returns>
+        public static NtStatus SetTraceSecurityDacl(Guid guid, Sid sid, TraceAccessRights access_mask, bool allow, bool throw_on_error)
+        {
+            return ControlTraceSecurity(guid, EventSecurityOperation.SetDacl, sid, access_mask, allow, throw_on_error);
+        }
+
+        /// <summary>
+        /// lears DACL and adds ACE for an event trace.
+        /// </summary>
+        /// <param name="guid">The event trace GUID.</param>
+        /// <param name="sid">The SID to set.</param>
+        /// <param name="access_mask">The access mask to set.</param>
+        /// <param name="allow">True to allow, false to deny.</param>
+        public static void SetTraceSecurityDacl(Guid guid, Sid sid, TraceAccessRights access_mask, bool allow)
+        {
+            SetTraceSecurityDacl(guid, sid, access_mask, allow, true);
+        }
+
+        /// <summary>
+        /// Remove security for an event trace.
+        /// </summary>
+        /// <param name="guid">The event trace GUID.</param>
+        /// <param name="throw_on_error">True to throw on error.</param>
+        /// <returns>The NT status code.</returns>
+        public static NtStatus RemoveTraceSecurity(Guid guid, bool throw_on_error)
+        {
+            return Win32NativeMethods.EventAccessRemove(ref guid).ToNtException(throw_on_error);
+        }
+
+        /// <summary>
+        /// Remove security for an event trace.
+        /// </summary>
+        /// <param name="guid">The event trace GUID.</param>
+        public static void RemoveTraceSecurity(Guid guid)
+        {
+            RemoveTraceSecurity(guid, true);
+        }
+
         /// <summary>
         /// Register an event trace with a specific GUID.
         /// </summary>
diff --git a/NtApiDotNet/Win32/Win32NativeMethods.cs b/NtApiDotNet/Win32/Win32NativeMethods.cs
@@ -269,6 +269,14 @@ internal enum EventControlCode
         CaptureState = 2,
     }
 
+    public enum EventSecurityOperation
+    {
+        SetDacl,
+        SetSacl,
+        AddDacl,
+        AddSacl
+    }
+
     [StructLayout(LayoutKind.Sequential)]
     internal struct PROCESS_INFORMATION
     {
@@ -1041,6 +1049,20 @@ internal static extern Win32Error EventAccessQuery(
           ref int BufferSize
         );
 
+        [DllImport("advapi32.dll", CharSet = CharSet.Unicode)]
+        internal static extern Win32Error EventAccessControl(
+          ref Guid Guid,
+          EventSecurityOperation Operation,
+          SafeSidBufferHandle Sid,
+          AccessMask Rights,
+          [MarshalAs(UnmanagedType.U1)] bool AllowOrDeny
+        );
+
+        [DllImport("advapi32.dll", CharSet = CharSet.Unicode)]
+        internal static extern Win32Error EventAccessRemove(
+          ref Guid Guid
+        );
+
         [DllImport("advapi32.dll", CharSet = CharSet.Unicode)]
         internal static extern Win32Error EventRegister(
           ref Guid ProviderId,
