Security Functions
This section provides documentation for Windows API functions related to system security, access control, cryptography, and authentication.
AccessCheck
BOOL AccessCheck(PSECURITY_DESCRIPTOR SecurityDescriptor, HANDLE ClientToken, DWORD DesiredAccess, POBJECT_TYPE_LIST ObjectTypeList, PCHAR SecurityDescriptorLength, PINT RequiredLength, PULONG AccessStatus, PULONG Failure)
Determines whether a client has been granted a requested access. This function is used to perform access validation for securable objects.
- SecurityDescriptor: A pointer to a SECURITY_DESCRIPTOR structure that contains the security descriptor for the object.
- ClientToken: A handle to the access token for the client that is requesting access.
- DesiredAccess: ACCESS_MASK. A bitmask of access rights to be checked.
- ObjectTypeList: POBJECT_TYPE_LIST. A pointer to an array of OBJECT_TYPE_LIST structures that specify the types of objects and the access rights requested for each type.
- SecurityDescriptorLength: PCHAR. The size, in bytes, of the buffer pointed to by the SecurityDescriptor parameter.
- RequiredLength: PINT. A pointer to a variable that receives the number of bytes required to access the object.
- AccessStatus: PULONG. A pointer to a variable that receives the results of the access check.
- Failure: PULONG. A pointer to a variable that receives a code indicating the reason for access failure.
If the function succeeds, it returns nonzero. If the function fails, it returns zero.
```c
#include <windows.h>

// Simplified example; an actual access check also needs the object's security
// descriptor and the access mask to test. AccessCheck expects an impersonation
// token as ClientToken, so a primary process token must first be duplicated
// (open it with TOKEN_DUPLICATE as well and call DuplicateToken).
HANDLE hToken = NULL;
if (OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken)) {
    // Perform access check logic here...
    CloseHandle(hToken);
}
```
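The rule that makes AccessCheck security-relevant is the order in which a DACL is walked: ACEs are evaluated in sequence, a matching access-denied ACE that covers any still-ungranted requested bit denies immediately, access-allowed ACEs accumulate granted bits, and the check passes only once every requested bit has been granted. The following added example (not code from the original page or from Windows) models that evaluation in portable C so it compiles without windows.h; all type and function names (ace_t, dacl_t, token_t, access_check, the sample SIDs and masks) are assumptions made here. It omits what the real call additionally applies, such as the implicit READ_CONTROL/WRITE_DAC rights of the owner and privilege checks.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model: a SID is an integer, an ACE is {type, sid, mask}.
 * A DACL that is not present (NULL DACL) grants everything; a present but
 * empty DACL grants nothing. */
typedef uint32_t ACCESS_MASK_T;
enum { ACE_ALLOW = 0, ACE_DENY = 1 };

typedef struct { int type; int sid; ACCESS_MASK_T mask; } ace_t;
typedef struct { const ace_t *aces; size_t count; bool present; } dacl_t;
typedef struct { const int *sids; size_t count; } token_t;   /* user + groups */

static bool token_has_sid(const token_t *tok, int sid) {
    for (size_t i = 0; i < tok->count; i++)
        if (tok->sids[i] == sid) return true;
    return false;
}

/* Returns true when every bit in desired is granted. *granted receives the
 * bits accumulated before the walk stopped (useful for diagnostics). */
bool access_check(const dacl_t *dacl, const token_t *tok,
                  ACCESS_MASK_T desired, ACCESS_MASK_T *granted) {
    ACCESS_MASK_T have = 0;
    if (!dacl->present) { *granted = desired; return true; }   /* NULL DACL */
    for (size_t i = 0; i < dacl->count && (desired & ~have); i++) {
        const ace_t *a = &dacl->aces[i];
        if (!token_has_sid(tok, a->sid)) continue;             /* not for us */
        ACCESS_MASK_T still_needed = desired & ~have;
        if (a->type == ACE_DENY && (a->mask & still_needed)) {
            *granted = have;
            return false;                   /* first matching deny wins */
        }
        if (a->type == ACE_ALLOW) have |= a->mask & desired;   /* accumulate */
    }
    *granted = have;
    return (desired & ~have) == 0;
}

/* Constructed sample data: canonical order, deny ACEs ahead of allow ACEs. */
enum { READ = 0x1, WRITE = 0x2, DELETE = 0x4 };
enum { SID_ALICE = 1, SID_BOB = 2, SID_STAFF = 10, SID_CONTRACTORS = 11 };

static const ace_t sample_aces[] = {
    { ACE_DENY,  SID_CONTRACTORS, WRITE | DELETE },
    { ACE_ALLOW, SID_STAFF,       READ | WRITE },
    { ACE_ALLOW, SID_ALICE,       DELETE },
};
static const dacl_t sample_dacl = { sample_aces, 3, true };

/* Bob is both staff and a contractor: the deny ACE beats the later allow. */
bool bob_can_write(void) {
    static const int sids[] = { SID_BOB, SID_STAFF, SID_CONTRACTORS };
    token_t tok = { sids, 3 };
    ACCESS_MASK_T g;
    return access_check(&sample_dacl, &tok, WRITE, &g);          /* false */
}

/* Alice is staff only: READ|WRITE from the group ACE, DELETE from her own. */
bool alice_can_read_write_delete(void) {
    static const int sids[] = { SID_ALICE, SID_STAFF };
    token_t tok = { sids, 2 };
    ACCESS_MASK_T g;
    return access_check(&sample_dacl, &tok, READ | WRITE | DELETE, &g);  /* true */
}

/* Same ACEs with the allow placed before the deny (non-canonical order):
 * Bob's WRITE is granted before the deny is ever reached. This is why ACL
 * editors keep deny ACEs first, and why a non-canonical DACL is a finding. */
bool noncanonical_grants_bob_write(void) {
    static const ace_t aces[] = {
        { ACE_ALLOW, SID_STAFF,       READ | WRITE },
        { ACE_DENY,  SID_CONTRACTORS, WRITE | DELETE },
    };
    dacl_t d = { aces, 2, true };
    static const int sids[] = { SID_BOB, SID_STAFF, SID_CONTRACTORS };
    token_t tok = { sids, 3 };
    ACCESS_MASK_T g;
    return access_check(&d, &tok, WRITE, &g);                    /* true */
}

int main(void) {
    printf("bob write (canonical):      %s\n", bob_can_write() ? "granted" : "denied");
    printf("alice read|write|delete:    %s\n", alice_can_read_write_delete() ? "granted" : "denied");
    printf("bob write (non-canonical):  %s\n", noncanonical_grants_bob_write() ? "granted" : "denied");
    return 0;
}
```

The third case is the one to remember when reviewing access control: the evaluation stops as soon as the requested bits are satisfied, so a deny ACE placed after an allow ACE for the same right never takes effect.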
SetSecurityInfo
SECURITY_STATUS SetSecurityInfo(HANDLE handle, SE_OBJECT_TYPE ObjectType, SECURITY_INFORMATION SecurityInformation, PSID psidOwner, PSID psidGroup, PACL psidDacl, PACL psidSacl)
Sets security information for a specified object; the SecurityInformation parameter indicates which parts of the security descriptor are being set.
- handle: A handle to the object whose security information you want to set.
- ObjectType: A SE_OBJECT_TYPE enumeration value that indicates the type of object the handle refers to.
- SecurityInformation: A bitmask of flags that indicate the types of security information to set.
- psidOwner: A pointer to a SID structure that identifies the owner.
- psidGroup: A pointer to a SID structure that identifies the primary group.
- psidDacl: A pointer to an ACL structure that contains the Discretionary Access Control List (DACL).
- psidSacl: A pointer to an ACL structure that contains the System Access Control List (SACL).
If the function succeeds, it returns ERROR_SUCCESS. If the function fails, it returns a nonzero error code.
EncryptMessage
SECURITY_STATUS EncryptMessage(PCtxtHandle phContext, DWORD fQOP, SecPkgContext_Sizes *pMessageBuffer, DWORD MessageOffset)
Encrypts a message or digitally signs a message by using a security context.
- phContext: A handle to the security context to use for encryption.
- fQOP: DWORD. Flags indicating the quality of protection.
- pMessageBuffer: A pointer to a SecPkgContext_Sizes structure containing message buffer information.
- MessageOffset: The offset, in bytes, from the beginning of the buffer to the message data.
If the function succeeds, it returns SEC_E_OK.
DecryptMessage
SECURITY_STATUS DecryptMessage(PCtxtHandle phContext, SecPkgContext_Sizes *pMessageBuffer, DWORD MessageOffset, DWORD *MessageSeqNum)
Decrypts a message or verifies the digital signature of a message.
- phContext: A handle to the security context to use for decryption.
- pMessageBuffer: A pointer to a SecPkgContext_Sizes structure containing message buffer information.
- MessageOffset: The offset, in bytes, from the beginning of the buffer to the message data.
- MessageSeqNum: A pointer to a variable that receives the sequence number of the decrypted message.
If the function succeeds, it returns SEC_E_OK.