[NTOS:SE] Implement logon session termination notification

Note to SELF and EVERYONE: the commit implements the initial logon session termination notification implementation, the SeMarkLogonSessionForTerminationNotification function, but as it currently stands there are several other tasks to be addressed in the future in order for the logon termination notification to be fully completed. The tasks as of which are. 1. Our SepRmDereferenceLogonSession is not fully implemented, as it doesn't inform the LSA and filesystems of logon deletion notification 2. Implement two worker routines that are actually in charge of such tasks of informing LSA and FSDs 3. Perform logon deletion 4. Do further investigations and check whatever that is left to address, if any
2024-12-28 01:55:19 +00:00 · 2021-06-17 18:11:14 +02:00 · 2021-06-17 18:11:14 +02:00 · 506cee3219
commit 506cee3219
parent 34d5d1dbd4
2 changed files with 59 additions and 5 deletions
--- a/ntoskrnl/se/srm.c
+++ b/ntoskrnl/se/srm.c
@ -814,6 +814,8 @@ SepRmDereferenceLogonSession(
                    SepCleanupLUIDDeviceMapDirectory(LogonLuid);
                    ObfDereferenceDeviceMap(DeviceMap);
                }
+
+                /* FIXME: Alert LSA and filesystems that a logon is about to be deleted */
            }

            return STATUS_SUCCESS;
@ -1226,16 +1228,64 @@ SeGetLogonIdDeviceMap(
    return Status;
 }

-/*
- * @unimplemented
+/**
+ * @brief
+ * Marks a logon session for future termination, given its logon ID. This triggers
+ * a callout (the registered callback) when the logon is no longer used by anyone,
+ * that is, no token is still referencing the speciffied logon session.
+ *
+ * @param[in] LogonId
+ * The ID of the logon session.
+ *
+ * @return
+ * STATUS_SUCCESS if the logon session is marked for termination notification successfully,
+ * STATUS_NOT_FOUND if the logon session couldn't be found otherwise.
 */
 NTSTATUS
 NTAPI
 SeMarkLogonSessionForTerminationNotification(
-    IN PLUID LogonId)
+    _In_ PLUID LogonId)
 {
-    UNIMPLEMENTED;
-    return STATUS_NOT_IMPLEMENTED;
+    PSEP_LOGON_SESSION_REFERENCES SessionToMark;
+    PAGED_CODE();
+
+    DPRINT("SeMarkLogonSessionForTerminationNotification(%08lx:%08lx)\n",
+           LogonId->HighPart, LogonId->LowPart);
+
+    /* Acquire the database lock */
+    KeAcquireGuardedMutex(&SepRmDbLock);
+
+    /* Loop over the existing logon sessions */
+    for (SessionToMark = SepLogonSessions;
+         SessionToMark != NULL;
+         SessionToMark = SessionToMark->Next)
+    {
+        /* Does the logon with the given ID exist? */
+        if (RtlEqualLuid(&SessionToMark->LogonId, LogonId))
+        {
+            /* We found it */
+            break;
+        }
+    }
+
+    /*
+     * We've exhausted all the remaining logon sessions and
+     * couldn't find one with the provided ID.
+     */
+    if (SessionToMark == NULL)
+    {
+        DPRINT1("SeMarkLogonSessionForTerminationNotification(): Logon session couldn't be found!\n");
+        KeReleaseGuardedMutex(&SepRmDbLock);
+        return STATUS_NOT_FOUND;
+    }
+
+    /* Mark the logon session for termination */
+    SessionToMark->Flags |= SEP_LOGON_SESSION_TERMINATION_NOTIFY;
+    DPRINT("SeMarkLogonSessionForTerminationNotification(): Logon session marked for termination with success!\n");
+
+    /* Release the database lock */
+    KeReleaseGuardedMutex(&SepRmDbLock);
+    return STATUS_SUCCESS;
 }


--- a/sdk/include/xdk/setypes.h
+++ b/sdk/include/xdk/setypes.h
@ -675,6 +675,10 @@ typedef struct _SID_AND_ATTRIBUTES_HASH {
 #define NETWORKSERVICE_LUID  {0x3e4, 0x0}
 #define IUSER_LUID           {0x3e3, 0x0}

+/* Logon session reference flags */
+
+#define SEP_LOGON_SESSION_TERMINATION_NOTIFY   0x0001
+
 typedef struct _ACE_HEADER {
  $UCHAR AceType;
  $UCHAR AceFlags;