internal CommonAccessCheckResult(string name, string type_name, AccessMask granted_access,
GenericMapping generic_mapping, SecurityDescriptor sd,
Type enum_type, bool is_directory, TokenInformation token_info)
{
Name = name;
TypeName = type_name;
GrantedAccess = granted_access;
GenericMapping = generic_mapping;
TokenInfo = token_info;
SecurityDescriptor = sd?.ToSddl(SecurityInformation.All, false).GetResultOrDefault() ?? string.Empty;
SecurityDescriptorBase64 = sd?.ToBase64() ?? string.Empty;
Owner = sd?.Owner?.Sid.ToString() ?? string.Empty;
IsRead = generic_mapping.HasRead(granted_access);
IsWrite = generic_mapping.HasWrite(granted_access) ||
granted_access.IsAccessGranted(GenericAccessRights.WriteDac) ||
granted_access.IsAccessGranted(GenericAccessRights.WriteOwner) ||
granted_access.IsAccessGranted(GenericAccessRights.Delete);
IsExecute = generic_mapping.HasExecute(granted_access);
IsAll = generic_mapping.HasAll(granted_access);
GrantedAccessString = NtSecurity.AccessMaskToString(granted_access, enum_type, generic_mapping, false);
GrantedGenericAccessString = NtSecurity.AccessMaskToString(granted_access, enum_type, generic_mapping, true);
TokenId = token_info.TokenId.ToInt64();
IsDirectory = is_directory;
if (sd != null)
{
HasMandatoryLabel = sd.GetMandatoryLabel() != null;
HasProcessTrustLabel = sd.ProcessTrustLabel != null;
}
}
internal SecurityDescriptorInheritanceSource(
Ace ace, INHERITED_FROM inherited_from, SeObjectType type,
NtType native_type,
bool container,
bool query_security, bool sacl)
{
InheritedAce = ace;
if (native_type != null)
{
Access = NtSecurity.AccessMaskToString(ace.Mask, container
? native_type.ContainerAccessRightsType
: native_type.AccessRightsType,
native_type.GenericMapping, false);
GenericAccess = NtSecurity.AccessMaskToString(ace.Mask, container
? native_type.ContainerAccessRightsType
: native_type.AccessRightsType,
native_type.GenericMapping, true);
}
else
{
Access = NtSecurity.AccessMaskToString(ace.Mask.ToGenericAccess());
GenericAccess = NtSecurity.AccessMaskToString(ace.Mask.ToGenericAccess());
}
Depth = inherited_from.GenerationGap;
Name = Marshal.PtrToStringUni(inherited_from.AncestorName);
if (query_security && Name != null)
{
SecurityInformation sec_info = sacl ? SecurityInformation.All : SecurityInformation.AllNoSacl;
var sd = Win32Security.GetSecurityInfo(Name, type, sec_info, false);
if (sd.IsSuccess)
{
SecurityDescriptor = sd.Result;
}
}
}
private void WriteEnumMask(Enum mask)
{
if (AsString || AsSDKString)
{
WriteObject(NtSecurity.AccessMaskToString(mask, AsSDKString));
}
else
{
WriteObject(mask);
}
}
/// <summary>
/// Overridden process record method.
/// </summary>
protected override void ProcessRecord()
{
using (NtToken token = GetToken())
{
NtType type = GetNtType();
if (type == null)
{
throw new ArgumentException("Must specify a type.");
}
var object_types = ObjectType?.ToArray();
// If we have multiple object types and pass result is true then
// we don't support any another output format.
if (object_types?.Length > 1 && PassResult)
{
var result_list = NtSecurity.AccessCheckWithResultList(GetSecurityDescriptor(),
token, AccessMask, Principal, type.GenericMapping, object_types);
WriteObject(result_list.Select(r => r.ToSpecificAccess(type.AccessRightsType)), true);
return;
}
var result = NtSecurity.AccessCheck(GetSecurityDescriptor(),
token, AccessMask, Principal, type.GenericMapping, object_types)
.ToSpecificAccess(type.AccessRightsType);
if (PassResult)
{
WriteObject(result);
return;
}
var mask = result.SpecificGrantedAccess;
if (MapToGeneric)
{
mask = result.SpecificGenericGrantedAccess;
}
if (ConvertToString)
{
string access_string = NtSecurity.AccessMaskToString(mask, type.AccessRightsType, type.GenericMapping, false);
WriteObject(access_string);
}
else
{
WriteObject(mask);
}
}
}
/// <summary>
/// Overridden process record method.
/// </summary>
protected override void ProcessRecord()
{
using (NtToken token = GetToken())
{
NtType type = GetNtType();
if (type == null)
{
throw new ArgumentException("Must specify a Type.");
}
var object_types = ObjectType?.ToArray();
var results = new List <AccessCheckResultGeneric>();
if (ResultList)
{
results.AddRange(NtSecurity.AccessCheckWithResultList(GetSecurityDescriptor(),
token, GetDesiredAccess(), Principal, type.GenericMapping, object_types).Select(r => r.ToSpecificAccess(type.AccessRightsType)));
}
else
{
results.Add(NtSecurity.AccessCheck(GetSecurityDescriptor(),
token, GetDesiredAccess(), Principal, type.GenericMapping, object_types).ToSpecificAccess(type.AccessRightsType));
}
if (PassResult)
{
WriteObject(results, true);
return;
}
var masks = results.Select(r => MapToGeneric ? r.SpecificGenericGrantedAccess : r.SpecificGrantedAccess);
if (ConvertToString)
{
WriteObject(masks.Select(m => NtSecurity.AccessMaskToString(m, type.AccessRightsType, type.GenericMapping, false)), true);
}
else
{
WriteObject(masks, true);
}
}
}
/// <summary>
/// Overridden process record method.
/// </summary>
protected override void ProcessRecord()
{
using (NtToken token = GetToken())
{
NtType type = GetNtType();
if (type == null)
{
throw new ArgumentException("Must specify a Type.");
}
Type access_type = Container ? type.ContainerAccessRightsType : type.AccessRightsType;
var object_types = ObjectType?.ToArray();
IEnumerable <AccessCheckResultGeneric> results;
if (Audit)
{
results = RunAuditCheck(token, type, object_types).Select(r => r.ToSpecificAccess(access_type));
}
else
{
results = RunCheck(token, type, object_types).Select(r => r.ToSpecificAccess(access_type));
}
if (PassResult)
{
WriteObject(results, true);
return;
}
var masks = results.Select(r => MapToGeneric ? r.SpecificGenericGrantedAccess : r.SpecificGrantedAccess);
if (AsString || AsSDKString)
{
WriteObject(masks.Select(m => NtSecurity.AccessMaskToString(m, access_type,
type.GenericMapping, false, AsSDKString)), true);
}
else
{
WriteObject(masks, true);
}
}
}
/// <summary>
/// Set ACL for control.
/// </summary>
/// <param name="acl">The ACL to view.</param>
/// <param name="access_type">The enum type for the view.</param>
/// <param name="mapping">Generic mapping for the type.</param>
/// <param name="valid_access">The valid bit mask for access for this type.</param>
/// <param name="is_container">True to indicate this object is a container.</param>
/// <param name="sdk_names">Show the ACEs using SDK style names.</param>
public void SetAcl(Acl acl, Type access_type, GenericMapping mapping, AccessMask valid_access, bool is_container, bool sdk_names)
{
_acl = acl;
_access_type = access_type;
_mapping = mapping;
_valid_access = valid_access;
_is_container = is_container;
_sdk_names = sdk_names;
showSDKNamesToolStripMenuItem.Checked = sdk_names;
bool has_conditional_ace = false;
bool has_inherited_object_ace = false;
bool has_object_ace = false;
List <string> flags = new List <string>();
if (acl.Defaulted)
{
flags.Add("Defaulted");
}
if (acl.Protected)
{
flags.Add("Protected");
}
if (acl.AutoInherited)
{
flags.Add("AutoInherited");
}
if (acl.AutoInheritReq)
{
flags.Add("AutoInheritReq");
}
if (flags.Count > 0)
{
lblFlags.Text = $"Flags: {string.Join(", ", flags)}";
}
else
{
lblFlags.Text = "Flags: None";
}
if (acl.NullAcl)
{
lblFlags.Text += Environment.NewLine + "NULL ACL";
listViewAcl.Visible = false;
listViewAccess.Visible = false;
groupBoxAclEntries.Visible = false;
groupBoxAccess.Visible = false;
return;
}
listViewAcl.Items.Clear();
listViewAcl.Visible = true;
listViewAccess.Visible = true;
listViewAccess.Items.Clear();
_current_access_type = null;
groupBoxAclEntries.Visible = true;
groupBoxAccess.Visible = true;
foreach (var ace in acl)
{
if (ace.IsConditionalAce)
{
has_conditional_ace = true;
}
if (ace.IsObjectAce)
{
if (ace.ObjectType.HasValue)
{
has_object_ace = true;
}
if (ace.InheritedObjectType.HasValue)
{
has_inherited_object_ace = true;
}
}
}
if (!has_conditional_ace)
{
listViewAcl.Columns.Remove(columnHeaderCondition);
copyConditionToolStripMenuItem.Visible = false;
}
if (!has_object_ace)
{
listViewAcl.Columns.Remove(columnHeaderObject);
}
if (!has_inherited_object_ace)
{
listViewAcl.Columns.Remove(columnHeaderInheritedObject);
}
foreach (var ace in acl)
{
var item = listViewAcl.Items.Add(sdk_names ? NtSecurity.AceTypeToSDKName(ace.Type) : ace.Type.ToString());
item.SubItems.Add(ace.Sid.Name);
string access;
if (ace.Type == AceType.MandatoryLabel)
{
access = NtSecurity.AccessMaskToString(ace.Mask.ToMandatoryLabelPolicy(), sdk_names);
}
else if (ace.Flags.HasFlag(AceFlags.InheritOnly))
{
access = NtSecurity.AccessMaskToString(ace.Mask.ToSpecificAccess(access_type), sdk_names);
}
else
{
AccessMask mapped_mask = mapping.MapMask(ace.Mask);
mapped_mask = mapping.UnmapMask(mapped_mask);
access = NtSecurity.AccessMaskToString(mapped_mask.ToSpecificAccess(access_type), sdk_names);
}
item.SubItems.Add(access);
item.SubItems.Add(sdk_names ? NtSecurity.AceFlagsToSDKName(ace.Flags) : ace.Flags.ToString());
if (has_conditional_ace)
{
item.SubItems.Add(ace.Condition);
}
if (has_object_ace)
{
item.SubItems.Add(ace.ObjectType?.ToString() ?? string.Empty);
}
if (has_inherited_object_ace)
{
item.SubItems.Add(ace.InheritedObjectType?.ToString() ?? string.Empty);
}
item.Tag = ace;
switch (ace.Type)
{
case AceType.Allowed:
case AceType.AllowedCallback:
case AceType.AllowedCallbackObject:
case AceType.AllowedObject:
item.BackColor = Color.LightGreen;
break;
case AceType.Denied:
case AceType.DeniedCallback:
case AceType.DeniedCallbackObject:
case AceType.DeniedObject:
item.BackColor = Color.LightSalmon;
break;
case AceType.ProcessTrustLabel:
item.BackColor = Color.LightSkyBlue;
break;
case AceType.MandatoryLabel:
item.BackColor = Color.LightGoldenrodYellow;
break;
case AceType.Audit:
case AceType.AuditCallback:
case AceType.AuditCallbackObject:
case AceType.AuditObject:
item.BackColor = Color.LightCoral;
break;
}
}
listViewAcl.AutoResizeColumns(ColumnHeaderAutoResizeStyle.ColumnContent);
listViewAcl.AutoResizeColumns(ColumnHeaderAutoResizeStyle.HeaderSize);
}
