internal CommonAccessCheckResult(string name, string type_name, AccessMask granted_access, GenericMapping generic_mapping, SecurityDescriptor sd, Type enum_type, bool is_directory, TokenInformation token_info) { Name = name; TypeName = type_name; GrantedAccess = granted_access; GenericMapping = generic_mapping; TokenInfo = token_info; SecurityDescriptor = sd?.ToSddl(SecurityInformation.All, false).GetResultOrDefault() ?? string.Empty; SecurityDescriptorBase64 = sd?.ToBase64() ?? string.Empty; Owner = sd?.Owner?.Sid.ToString() ?? string.Empty; IsRead = generic_mapping.HasRead(granted_access); IsWrite = generic_mapping.HasWrite(granted_access) || granted_access.IsAccessGranted(GenericAccessRights.WriteDac) || granted_access.IsAccessGranted(GenericAccessRights.WriteOwner) || granted_access.IsAccessGranted(GenericAccessRights.Delete); IsExecute = generic_mapping.HasExecute(granted_access); IsAll = generic_mapping.HasAll(granted_access); GrantedAccessString = NtSecurity.AccessMaskToString(granted_access, enum_type, generic_mapping, false); GrantedGenericAccessString = NtSecurity.AccessMaskToString(granted_access, enum_type, generic_mapping, true); TokenId = token_info.TokenId.ToInt64(); IsDirectory = is_directory; if (sd != null) { HasMandatoryLabel = sd.GetMandatoryLabel() != null; HasProcessTrustLabel = sd.ProcessTrustLabel != null; } }
internal SecurityDescriptorInheritanceSource( Ace ace, INHERITED_FROM inherited_from, SeObjectType type, NtType native_type, bool container, bool query_security, bool sacl) { InheritedAce = ace; if (native_type != null) { Access = NtSecurity.AccessMaskToString(ace.Mask, container ? native_type.ContainerAccessRightsType : native_type.AccessRightsType, native_type.GenericMapping, false); GenericAccess = NtSecurity.AccessMaskToString(ace.Mask, container ? native_type.ContainerAccessRightsType : native_type.AccessRightsType, native_type.GenericMapping, true); } else { Access = NtSecurity.AccessMaskToString(ace.Mask.ToGenericAccess()); GenericAccess = NtSecurity.AccessMaskToString(ace.Mask.ToGenericAccess()); } Depth = inherited_from.GenerationGap; Name = Marshal.PtrToStringUni(inherited_from.AncestorName); if (query_security && Name != null) { SecurityInformation sec_info = sacl ? SecurityInformation.All : SecurityInformation.AllNoSacl; var sd = Win32Security.GetSecurityInfo(Name, type, sec_info, false); if (sd.IsSuccess) { SecurityDescriptor = sd.Result; } } }
private void WriteEnumMask(Enum mask) { if (AsString || AsSDKString) { WriteObject(NtSecurity.AccessMaskToString(mask, AsSDKString)); } else { WriteObject(mask); } }
/// <summary> /// Overridden process record method. /// </summary> protected override void ProcessRecord() { using (NtToken token = GetToken()) { NtType type = GetNtType(); if (type == null) { throw new ArgumentException("Must specify a type."); } var object_types = ObjectType?.ToArray(); // If we have multiple object types and pass result is true then // we don't support any another output format. if (object_types?.Length > 1 && PassResult) { var result_list = NtSecurity.AccessCheckWithResultList(GetSecurityDescriptor(), token, AccessMask, Principal, type.GenericMapping, object_types); WriteObject(result_list.Select(r => r.ToSpecificAccess(type.AccessRightsType)), true); return; } var result = NtSecurity.AccessCheck(GetSecurityDescriptor(), token, AccessMask, Principal, type.GenericMapping, object_types) .ToSpecificAccess(type.AccessRightsType); if (PassResult) { WriteObject(result); return; } var mask = result.SpecificGrantedAccess; if (MapToGeneric) { mask = result.SpecificGenericGrantedAccess; } if (ConvertToString) { string access_string = NtSecurity.AccessMaskToString(mask, type.AccessRightsType, type.GenericMapping, false); WriteObject(access_string); } else { WriteObject(mask); } } }
/// <summary> /// Overridden process record method. /// </summary> protected override void ProcessRecord() { using (NtToken token = GetToken()) { NtType type = GetNtType(); if (type == null) { throw new ArgumentException("Must specify a Type."); } var object_types = ObjectType?.ToArray(); var results = new List <AccessCheckResultGeneric>(); if (ResultList) { results.AddRange(NtSecurity.AccessCheckWithResultList(GetSecurityDescriptor(), token, GetDesiredAccess(), Principal, type.GenericMapping, object_types).Select(r => r.ToSpecificAccess(type.AccessRightsType))); } else { results.Add(NtSecurity.AccessCheck(GetSecurityDescriptor(), token, GetDesiredAccess(), Principal, type.GenericMapping, object_types).ToSpecificAccess(type.AccessRightsType)); } if (PassResult) { WriteObject(results, true); return; } var masks = results.Select(r => MapToGeneric ? r.SpecificGenericGrantedAccess : r.SpecificGrantedAccess); if (ConvertToString) { WriteObject(masks.Select(m => NtSecurity.AccessMaskToString(m, type.AccessRightsType, type.GenericMapping, false)), true); } else { WriteObject(masks, true); } } }
/// <summary> /// Overridden process record method. /// </summary> protected override void ProcessRecord() { using (NtToken token = GetToken()) { NtType type = GetNtType(); if (type == null) { throw new ArgumentException("Must specify a Type."); } Type access_type = Container ? type.ContainerAccessRightsType : type.AccessRightsType; var object_types = ObjectType?.ToArray(); IEnumerable <AccessCheckResultGeneric> results; if (Audit) { results = RunAuditCheck(token, type, object_types).Select(r => r.ToSpecificAccess(access_type)); } else { results = RunCheck(token, type, object_types).Select(r => r.ToSpecificAccess(access_type)); } if (PassResult) { WriteObject(results, true); return; } var masks = results.Select(r => MapToGeneric ? r.SpecificGenericGrantedAccess : r.SpecificGrantedAccess); if (AsString || AsSDKString) { WriteObject(masks.Select(m => NtSecurity.AccessMaskToString(m, access_type, type.GenericMapping, false, AsSDKString)), true); } else { WriteObject(masks, true); } } }
/// <summary> /// Set ACL for control. /// </summary> /// <param name="acl">The ACL to view.</param> /// <param name="access_type">The enum type for the view.</param> /// <param name="mapping">Generic mapping for the type.</param> /// <param name="valid_access">The valid bit mask for access for this type.</param> /// <param name="is_container">True to indicate this object is a container.</param> /// <param name="sdk_names">Show the ACEs using SDK style names.</param> public void SetAcl(Acl acl, Type access_type, GenericMapping mapping, AccessMask valid_access, bool is_container, bool sdk_names) { _acl = acl; _access_type = access_type; _mapping = mapping; _valid_access = valid_access; _is_container = is_container; _sdk_names = sdk_names; showSDKNamesToolStripMenuItem.Checked = sdk_names; bool has_conditional_ace = false; bool has_inherited_object_ace = false; bool has_object_ace = false; List <string> flags = new List <string>(); if (acl.Defaulted) { flags.Add("Defaulted"); } if (acl.Protected) { flags.Add("Protected"); } if (acl.AutoInherited) { flags.Add("AutoInherited"); } if (acl.AutoInheritReq) { flags.Add("AutoInheritReq"); } if (flags.Count > 0) { lblFlags.Text = $"Flags: {string.Join(", ", flags)}"; } else { lblFlags.Text = "Flags: None"; } if (acl.NullAcl) { lblFlags.Text += Environment.NewLine + "NULL ACL"; listViewAcl.Visible = false; listViewAccess.Visible = false; groupBoxAclEntries.Visible = false; groupBoxAccess.Visible = false; return; } listViewAcl.Items.Clear(); listViewAcl.Visible = true; listViewAccess.Visible = true; listViewAccess.Items.Clear(); _current_access_type = null; groupBoxAclEntries.Visible = true; groupBoxAccess.Visible = true; foreach (var ace in acl) { if (ace.IsConditionalAce) { has_conditional_ace = true; } if (ace.IsObjectAce) { if (ace.ObjectType.HasValue) { has_object_ace = true; } if (ace.InheritedObjectType.HasValue) { has_inherited_object_ace = true; } } } if (!has_conditional_ace) { listViewAcl.Columns.Remove(columnHeaderCondition); copyConditionToolStripMenuItem.Visible = false; } if (!has_object_ace) { listViewAcl.Columns.Remove(columnHeaderObject); } if (!has_inherited_object_ace) { listViewAcl.Columns.Remove(columnHeaderInheritedObject); } foreach (var ace in acl) { var item = listViewAcl.Items.Add(sdk_names ? NtSecurity.AceTypeToSDKName(ace.Type) : ace.Type.ToString()); item.SubItems.Add(ace.Sid.Name); string access; if (ace.Type == AceType.MandatoryLabel) { access = NtSecurity.AccessMaskToString(ace.Mask.ToMandatoryLabelPolicy(), sdk_names); } else if (ace.Flags.HasFlag(AceFlags.InheritOnly)) { access = NtSecurity.AccessMaskToString(ace.Mask.ToSpecificAccess(access_type), sdk_names); } else { AccessMask mapped_mask = mapping.MapMask(ace.Mask); mapped_mask = mapping.UnmapMask(mapped_mask); access = NtSecurity.AccessMaskToString(mapped_mask.ToSpecificAccess(access_type), sdk_names); } item.SubItems.Add(access); item.SubItems.Add(sdk_names ? NtSecurity.AceFlagsToSDKName(ace.Flags) : ace.Flags.ToString()); if (has_conditional_ace) { item.SubItems.Add(ace.Condition); } if (has_object_ace) { item.SubItems.Add(ace.ObjectType?.ToString() ?? string.Empty); } if (has_inherited_object_ace) { item.SubItems.Add(ace.InheritedObjectType?.ToString() ?? string.Empty); } item.Tag = ace; switch (ace.Type) { case AceType.Allowed: case AceType.AllowedCallback: case AceType.AllowedCallbackObject: case AceType.AllowedObject: item.BackColor = Color.LightGreen; break; case AceType.Denied: case AceType.DeniedCallback: case AceType.DeniedCallbackObject: case AceType.DeniedObject: item.BackColor = Color.LightSalmon; break; case AceType.ProcessTrustLabel: item.BackColor = Color.LightSkyBlue; break; case AceType.MandatoryLabel: item.BackColor = Color.LightGoldenrodYellow; break; case AceType.Audit: case AceType.AuditCallback: case AceType.AuditCallbackObject: case AceType.AuditObject: item.BackColor = Color.LightCoral; break; } } listViewAcl.AutoResizeColumns(ColumnHeaderAutoResizeStyle.ColumnContent); listViewAcl.AutoResizeColumns(ColumnHeaderAutoResizeStyle.HeaderSize); }