/// <summary>
/// Convert to a string
/// </summary>
/// <returns>The account name if available or the SDDL SID</returns>
public override string ToString()
{
string ret = null;
try {
ret = Sid.Name;
} catch {
}
return(ret ?? Sid.ToString());
}
/// <summary>
/// Default constructor
/// </summary>
private COMRegistry(COMRegistryMode mode, Sid user, IProgress <Tuple <string, int> > progress)
: this(mode)
{
using (RegistryKey classes_key = OpenClassesKey(mode, user))
{
const int total_count = 9;
LoadDefaultSecurity();
Report(progress, "CLSIDs", 1, total_count);
LoadCLSIDs(classes_key);
Report(progress, "AppIDs", 2, total_count);
LoadAppIDs(classes_key);
Report(progress, "ProgIDs", 3, total_count);
LoadProgIDs(classes_key);
Report(progress, "Interfaces", 4, total_count);
LoadInterfaces(classes_key);
Report(progress, "MIME Types", 5, total_count);
LoadMimeTypes(classes_key);
Report(progress, "PreApproved", 6, total_count);
LoadPreApproved(mode, user);
Report(progress, "LowRights", 7, total_count);
LoadLowRights(mode, user);
Report(progress, "TypeLibs", 8, total_count);
LoadTypelibs(classes_key);
Report(progress, "Runtime Classes", 9, total_count);
m_runtime_classes = new SortedDictionary <string, COMRuntimeClassEntry>();
m_runtime_servers = new SortedDictionary <string, COMRuntimeServerEntry>();
if (mode == COMRegistryMode.MachineOnly || mode == COMRegistryMode.Merged)
{
using (RegistryKey runtime_key = Registry.LocalMachine.OpenSubKey(@"SOFTWARE\Microsoft\WindowsRuntime"))
{
if (runtime_key != null)
{
LoadRuntimeClasses(runtime_key);
LoadRuntimeServers(runtime_key);
}
}
}
}
try
{
CreatedUser = user.Name;
}
catch
{
CreatedUser = user.ToString();
}
}
/// <summary>
/// Generate the necessary parameters
/// </summary>
public List <KeyValuePair <string, string> > GetParams()
{
var p = new List <KeyValuePair <string, string> >();
if (Sid != null)
{
p.Add(new KeyValuePair <string, string>("Sid", Sid.ToString()));
}
if (PhoneNumber != null)
{
p.Add(new KeyValuePair <string, string>("PhoneNumber", PhoneNumber.ToString()));
}
return(p);
}
public void ToString_Should_ReturnExpectedResult_When_ByteProvided()
{
// Arrange
var expected = "S-1-5-21-1085031214-1563985344-725345543";
var sid = new byte[]
{
0x01, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05,
0x15, 0x00, 0x00, 0x00, 0x2E, 0x43, 0xAC, 0x40,
0xC0, 0x85, 0x38, 0x5D, 0x07, 0xE5, 0x3B, 0x2B
};
// Act
var actual = Sid.ToString(sid);
// Assert
Assert.Equal(expected, actual);
}
void LoadPreApproved(COMRegistryMode mode, Sid user)
{
m_preapproved = new List <Guid>();
if (mode == COMRegistryMode.Merged || mode == COMRegistryMode.MachineOnly)
{
m_preapproved.AddRange(ReadPreApproved(Registry.LocalMachine));
}
if (mode == COMRegistryMode.Merged || mode == COMRegistryMode.UserOnly)
{
using (RegistryKey key = Registry.Users.OpenSubKey(user.ToString()))
{
if (key != null)
{
m_preapproved.AddRange(ReadPreApproved(key));
}
}
}
}
/// <summary>
/// Default constructor
/// </summary>
private COMRegistry(COMRegistryMode mode, Sid user, IProgress <Tuple <string, int> > progress)
: this(mode)
{
using (RegistryKey classes_key = OpenClassesKey(mode, user))
{
const int total_count = 9;
LoadDefaultSecurity();
ActivationContext actctx = null;
if (mode == COMRegistryMode.Merged)
{
actctx = ActivationContext.FromProcess();
}
Report(progress, "CLSIDs", 1, total_count);
LoadCLSIDs(classes_key, actctx);
Report(progress, "AppIDs", 2, total_count);
LoadAppIDs(classes_key);
Report(progress, "ProgIDs", 3, total_count);
LoadProgIDs(classes_key, actctx);
Report(progress, "Interfaces", 4, total_count);
LoadInterfaces(classes_key, actctx,
mode == COMRegistryMode.Merged || mode == COMRegistryMode.MachineOnly);
Report(progress, "MIME Types", 5, total_count);
LoadMimeTypes(classes_key);
Report(progress, "PreApproved", 6, total_count);
LoadPreApproved(mode, user);
Report(progress, "LowRights", 7, total_count);
LoadLowRights(mode, user);
Report(progress, "TypeLibs", 8, total_count);
LoadTypelibs(classes_key, actctx);
Report(progress, "Runtime Classes", 9, total_count);
LoadWindowsRuntime(classes_key, mode);
}
try
{
CreatedUser = user.Name;
}
catch
{
CreatedUser = user.ToString();
}
}
private void LoadLowRights(COMRegistryMode mode, Sid user)
{
m_lowrights = new List <COMIELowRightsElevationPolicy>();
if (mode == COMRegistryMode.Merged || mode == COMRegistryMode.MachineOnly)
{
LoadLowRightsKey(Registry.LocalMachine);
}
if (mode == COMRegistryMode.Merged || mode == COMRegistryMode.UserOnly)
{
using (RegistryKey key = Registry.Users.OpenSubKey(user.ToString()))
{
if (key != null)
{
LoadLowRightsKey(key);
}
}
}
m_lowrights.Sort();
}
public static COMProcessEntry ParseProcess(int pid, string dbghelp_path, string symbol_path)
{
using (var result = NtProcess.Open(pid, ProcessAccessRights.VmRead | ProcessAccessRights.QueryInformation, false))
{
if (!result.IsSuccess)
{
return(null);
}
NtProcess process = result.Result;
if (process.Is64Bit && !Environment.Is64BitProcess)
{
return(null);
}
using (ISymbolResolver resolver = SymbolResolver.Create(process, dbghelp_path, symbol_path))
{
Sid user = process.User;
return(new COMProcessEntry(
pid,
GetProcessFileName(process),
ParseIPIDEntries(process, resolver),
process.Is64Bit,
GetProcessAppId(process, resolver),
GetProcessAccessSecurityDescriptor(process, resolver),
GetLrpcSecurityDescriptor(process, resolver),
user.Name,
user.ToString(),
ReadString(process, resolver, "gwszLRPCEndPoint"),
ReadEnum <EOLE_AUTHENTICATION_CAPABILITIES>(process, resolver, "gCapabilities"),
ReadEnum <RPC_AUTHN_LEVEL>(process, resolver, "gAuthnLevel"),
ReadEnum <RPC_IMP_LEVEL>(process, resolver, "gImpLevel"),
ReadPointer(process, resolver, "gAccessControl"),
ReadPointer(process, resolver, "ghwndOleMainThread")));
}
}
}
private T CreateObject <T>(SafeSamHandle handle, uint user_id, string name, Func <string, Sid, T> func)
{
try
{
Sid sid = RidToSid(user_id, false).GetResultOrDefault();
if (sid == null)
{
sid = DomainId.CreateRelative(user_id);
}
if (name == null)
{
name = LookupId(user_id, false).GetResultOrDefault()?.Name ?? sid.ToString();
}
return(func(name, sid));
}
catch
{
handle.Dispose();
throw;
}
}
private SamUser CreateUserObject(SafeSamHandle user_handle, SamUserAccessRights desired_access, string name, uint user_id)
{
try
{
Sid sid = RidToSid(user_id, false).GetResultOrDefault();
if (sid == null)
{
sid = DomainId.CreateRelative(user_id);
}
if (name == null)
{
name = LookupId(user_id, false).GetResultOrDefault()?.Name ?? sid.ToString();
}
return(new SamUser(user_handle, desired_access, ServerName, name, sid));
}
catch
{
user_handle.Dispose();
throw;
}
}
/// <summary>
/// Process record.
/// </summary>
protected override void ProcessRecord()
{
Sid sid;
switch (ParameterSetName)
{
case "sddl":
sid = new Sid(Sddl);
break;
case "name":
sid = NtSecurity.LookupAccountName(Name);
break;
case "service":
sid = NtSecurity.GetServiceSid(ServiceName);
break;
case "il":
sid = NtSecurity.GetIntegritySid(IntegrityLevel);
break;
case "il_raw":
sid = NtSecurity.GetIntegritySidRaw(IntegrityLevelRaw);
break;
case "package":
sid = TokenUtils.DerivePackageSidFromName(PackageName);
if (RestrictedPackageName != null)
{
sid = TokenUtils.DeriveRestrictedPackageSidFromSid(sid, RestrictedPackageName);
}
break;
case "known":
sid = KnownSids.GetKnownSid(KnownSid);
break;
case "token":
using (NtToken token = NtToken.OpenProcessToken())
{
if (PrimaryGroup)
{
sid = token.PrimaryGroup;
}
else if (Owner)
{
sid = token.Owner;
}
else if (LogonGroup)
{
sid = token.LogonSid.Sid;
}
else if (AppContainer)
{
sid = token.AppContainerSid;
}
else if (Label)
{
sid = token.IntegrityLevelSid.Sid;
}
else
{
sid = token.User.Sid;
}
}
break;
case "cap":
sid = CapabilityGroup ? NtSecurity.GetCapabilityGroupSid(CapabilityName)
: NtSecurity.GetCapabilitySid(CapabilityName);
break;
case "sid":
sid = new Sid(SecurityAuthority, RelativeIdentifier);
break;
case "logon":
sid = NtSecurity.GetLogonSessionSid();
break;
case "trust":
sid = NtSecurity.GetTrustLevelSid(TrustType, TrustLevel);
break;
case "ace":
sid = AccessControlEntry.Sid;
break;
default:
throw new ArgumentException("No SID type specified");
}
if (ToSddl)
{
WriteObject(sid.ToString());
}
else if (ToName)
{
WriteObject(sid.Name);
}
else
{
WriteObject(sid);
}
}
internal SamDomain(SafeSamHandle handle, SamDomainAccessRights granted_access, string server_name, string domain_name, Sid domain_sid)
: base(handle, granted_access, SamUtils.SAM_DOMAIN_NT_TYPE_NAME, $"SAM Domain ({domain_name ?? domain_sid.ToString()})", server_name)
{
DomainId = domain_sid;
if (domain_name != null)
{
_name = new Lazy <string>(() => domain_name);
}
else
{
_name = new Lazy <string>(() => string.Empty);
}
}
internal SamDomain(SafeSamHandle handle, SamDomainAccessRights granted_access, string server_name, string domain_name, Sid domain_sid)
: base(handle, granted_access, SamUtils.SAM_DOMAIN_NT_TYPE_NAME, $"SAM Domain ({domain_name ?? domain_sid.ToString()})", server_name)
{
DomainId = domain_sid;
Name = domain_name ?? string.Empty;
}
