public override object Transform(EngineIntrinsics engineIntrinsics, object inputData)
        {
            if (inputData is string var_name && var_name.StartsWith("$"))
            {
                // Work around a weird bug, if this starts with a $ it's probably a variable.
                // Query for it from the session state.
                inputData = engineIntrinsics.SessionState.PSVariable.GetValue(var_name.Substring(1));
            }

            if (inputData is string s)
            {
                var result = Sid.Parse(s, false);
                if (result.IsSuccess)
                {
                    return(result.Result);
                }
            }

            if (inputData is PSObject obj)
            {
                if (obj.BaseObject is Sid sd)
                {
                    return(sd);
                }
            }

            return(new Sid(SecurityAuthority.Null, 0));
        }
Esempio n. 2
0
        /// <summary>
        /// Get the object SID from a directory object.
        /// </summary>
        /// <param name="entry">The directory entry.</param>
        /// <returns>The object SID. Returns null if no object SID exists.</returns>
        public static Sid GetObjectSid(DirectoryEntry entry)
        {
            var sid = entry.ToPropertyClass().GetPropertyValue <byte[]>(kObjectSid);

            if (sid == null)
            {
                return(null);
            }
            return(Sid.Parse(sid, false).GetResultOrDefault());
        }
        private static Sid GetObjectSid(SearchResult result)
        {
            var sid = GetPropertyValue <byte[]>(result, kObjectSid);

            if (sid == null)
            {
                return(null);
            }
            return(Sid.Parse(sid, false).GetResultOrDefault());
        }
Esempio n. 4
0
 internal FirewallSession(FWPM_SESSION0 session)
 {
     SessionKey           = session.sessionKey;
     Name                 = string.IsNullOrEmpty(session.displayData.name) ? SessionKey.ToString() : session.displayData.name;
     Description          = session.displayData.description ?? string.Empty;
     Flags                = session.flags;
     TxnWaitTimeoutInMSec = session.txnWaitTimeoutInMSec;
     ProcessId            = session.processId;
     Sid        = Sid.Parse(session.sid, false).GetResultOrDefault();
     UserName   = session.username ?? string.Empty;
     KernelMode = session.kernelMode;
 }
Esempio n. 5
0
 /// <summary>
 /// Get the AppContainer SID from the AuthZ context.
 /// </summary>
 /// <param name="throw_on_error">True to throw on error.</param>
 /// <returns>The AppContainer SID.</returns>
 public NtResult <Sid> GetAppContainerSid(bool throw_on_error)
 {
     using (var acsid = QueryBuffer <TokenAppContainerInformation>(AUTHZ_CONTEXT_INFORMATION_CLASS.AuthzContextInfoAppContainerSid, throw_on_error)) {
         if (!acsid.IsSuccess)
         {
             return(acsid.Cast <Sid>());
         }
         IntPtr ptr = acsid.Result.Result.TokenAppContainer;
         if (ptr == IntPtr.Zero)
         {
             return(NtStatus.STATUS_INVALID_SID.CreateResultFromError <Sid>(throw_on_error));
         }
         return(Sid.Parse(acsid.Result.Result.TokenAppContainer, throw_on_error));
     }
 }
        private protected FirewallNetEvent(IFwNetEvent net_event)
        {
            Type = net_event.Type;
            var header = net_event.Header;

            Flags          = header.flags;
            Timestamp      = new LargeInteger(header.timeStamp.ToInt64()).ToDateTime();
            IPProtocol     = (ProtocolType)header.ipProtocol;
            LocalEndpoint  = FirewallUtils.GetEndpoint(header.ipVersion, header.localAddrV4, header.localAddrV6, header.localPort);
            RemoteEndpoint = FirewallUtils.GetEndpoint(header.ipVersion, header.remoteAddrV4, header.remoteAddrV6, header.remotePort);
            ScopeId        = header.scopeId;
            AppId          = Encoding.Unicode.GetString(header.appId.ToArray()).TrimEnd('\0');
            UserId         = Sid.Parse(header.userId, false).GetResultOrDefault();
            AddressFamily  = header.addressFamily;
            PackageSid     = Sid.Parse(header.packageSid, false).GetResultOrDefault();
        }
Esempio n. 7
0
        /// <summary>
        /// Get the package SID from a name.
        /// </summary>
        /// <param name="name">The name of the package, can be either an SDDL SID or a package name.</param>
        /// <returns>The derived SID.</returns>
        public static Sid GetPackageSidFromName(string name)
        {
            var package_sid = Sid.Parse(name, false);

            if (package_sid.IsSuccess)
            {
                if (!NtSecurity.IsPackageSid(package_sid.Result))
                {
                    throw new ArgumentException($"Invalid package SID {name}");
                }
                return(package_sid.Result);
            }
            else
            {
                return(DerivePackageSidFromName(name));
            }
        }
        /// <summary>
        /// Open an alias by name.
        /// </summary>
        /// <param name="name">The name for the alias.</param>
        /// <param name="desired_access">The desired access for the alias object.</param>
        /// <param name="throw_on_error">True to throw on error.</param>
        /// <returns>The SAM alias object.</returns>
        public NtResult <SamAlias> OpenAlias(string name, SamAliasAccessRights desired_access, bool throw_on_error)
        {
            var sid_name = LookupName(name, throw_on_error);

            if (!sid_name.IsSuccess)
            {
                return(sid_name.Cast <SamAlias>());
            }

            var sid = Sid.Parse(sid_name.Result.Sddl, throw_on_error);

            if (!sid.IsSuccess)
            {
                return(sid.Cast <SamAlias>());
            }

            return(OpenAlias(sid.Result, desired_access, throw_on_error));
        }
Esempio n. 9
0
 protected override NtResult <object> Parse(string value, bool throw_on_error)
 {
     return(Sid.Parse(value, false).Cast <object>());
 }
Esempio n. 10
0
        private static bool Parse(byte[] data, bool expression, out List <ConditionalOperand> operands)
        {
            operands = new List <ConditionalOperand>();
            BinaryReader reader = new BinaryReader(new MemoryStream(data));

            if (expression && reader.ReadUInt32() != BINARY_MAGIC)
            {
                return(false);
            }

            while (reader.BaseStream.Position < reader.BaseStream.Length)
            {
                byte token = reader.ReadByte();
                switch (token)
                {
                case 0x00:
                    break;

                case 0x01:
                case 0x02:
                case 0x03:
                case 0x04:
                    if (!ConditionalIntegerOperand.Parse(token, reader, out ConditionalIntegerOperand int_op))
                    {
                        return(false);
                    }
                    operands.Add(int_op);
                    break;

                case 0x10:
                    operands.Add(new ConditionalStringOperand(ReadString(reader)));
                    break;

                case 0x18:
                    operands.Add(new ConditionalOctetStringOperand(ReadBytes(reader)));
                    break;

                case 0x50:
                    if (!Parse(ReadBytes(reader), false, out List <ConditionalOperand> comp_ops))
                    {
                        return(false);
                    }
                    operands.Add(new ConditionalCompositeOperand(comp_ops));
                    break;

                case 0x51:
                    var sid = Sid.Parse(ReadBytes(reader), false);
                    if (!sid.IsSuccess)
                    {
                        return(false);
                    }
                    operands.Add(new ConditionalSidOperand(sid.Result));
                    break;

                default:
                    if (!expression || !Parse(token, reader, operands))
                    {
                        return(false);
                    }
                    break;
                }
            }
            return(true);
        }
Esempio n. 11
0
        internal static NtResult <CentralAccessPolicy> FromRegistry(NtKey key, Dictionary <int, CentralAccessRule> rules, bool throw_on_error)
        {
            List <CentralAccessRule> capes = new List <CentralAccessRule>();
            string name        = string.Empty;
            string description = string.Empty;
            Sid    capid       = null;
            string change_id   = string.Empty;
            uint   flags       = 0;

            foreach (var value in key.QueryValues())
            {
                switch (value.Name.ToLower())
                {
                case "capes":
                    var idxs = ParseCapeNumbers(value, throw_on_error);
                    if (!idxs.IsSuccess)
                    {
                        return(idxs.Cast <CentralAccessPolicy>());
                    }
                    foreach (var idx in idxs.Result)
                    {
                        if (rules.ContainsKey(idx))
                        {
                            capes.Add(rules[idx]);
                        }
                        else
                        {
                            return(NtStatus.STATUS_INVALID_PARAMETER.CreateResultFromError <CentralAccessPolicy>(throw_on_error));
                        }
                    }
                    break;

                case "capid":
                    var sid = Sid.Parse(value.Data, false);
                    if (!sid.IsSuccess)
                    {
                        return(sid.Cast <CentralAccessPolicy>());
                    }
                    capid = sid.Result;
                    break;

                case "changeid":
                    change_id = value.ToString().TrimEnd('\0');
                    break;

                case "description":
                    description = value.ToString().TrimEnd('\0');
                    break;

                case "flags":
                    if (value.Type == RegistryValueType.Dword)
                    {
                        flags = (uint)value.ToObject();
                    }
                    break;

                case "name":
                    name = value.ToString().TrimEnd('\0');
                    break;
                }
            }
            return(new CentralAccessPolicy(capid, flags, name, description, change_id, capes).CreateResult());
        }
Esempio n. 12
0
        /// <summary>
        /// Parse the policy from the Local Security Authority.
        /// </summary>
        /// <param name="throw_on_error">True to throw on error.</param>
        /// <returns>The list of Central Access Policies.</returns>
        public static NtResult <CentralAccessPolicy[]> ParseFromLsa(bool throw_on_error)
        {
            NtStatus status = SecurityNativeMethods.LsaGetAppliedCAPIDs(null, out SafeLsaMemoryBuffer capids, out int capid_count);

            if (!status.IsSuccess())
            {
                return(status.CreateResultFromError <CentralAccessPolicy[]>(throw_on_error));
            }
            List <CentralAccessPolicy> ret = new List <CentralAccessPolicy>();

            using (capids) {
                status = SecurityNativeMethods.LsaQueryCAPs(capids.DangerousGetHandle(), capid_count, out SafeLsaMemoryBuffer caps, out uint cap_count);
                if (!status.IsSuccess())
                {
                    return(status.CreateResultFromError <CentralAccessPolicy[]>(throw_on_error));
                }
                caps.Initialize <CENTRAL_ACCESS_POLICY>(cap_count);
                CENTRAL_ACCESS_POLICY[] policies = new CENTRAL_ACCESS_POLICY[cap_count];
                caps.ReadArray(0, policies, 0, policies.Length);
                foreach (var policy in policies)
                {
                    SafeHGlobalBuffer buffer       = new SafeHGlobalBuffer(policy.CAPEs, policy.CAPECount * IntPtr.Size, false);
                    IntPtr[]          rule_entries = new IntPtr[policy.CAPECount];
                    buffer.ReadArray(0, rule_entries, 0, policy.CAPECount);
                    List <CentralAccessRule> rules = new List <CentralAccessRule>();
                    foreach (var ptr in rule_entries)
                    {
                        var entry                     = new SafeStructureInOutBuffer <CENTRAL_ACCESS_POLICY_ENTRY>(ptr, Marshal.SizeOf(typeof(CENTRAL_ACCESS_POLICY_ENTRY)), false);
                        var r                         = entry.Result;
                        SecurityDescriptor sd         = null;
                        SecurityDescriptor staged_sd  = null;
                        string             applies_to = string.Empty;
                        if (r.LengthSD > 0)
                        {
                            var result = SecurityDescriptor.Parse(r.SD, throw_on_error);
                            if (!result.IsSuccess)
                            {
                                return(result.Cast <CentralAccessPolicy[]>());
                            }
                            sd = result.Result;
                        }
                        if (r.LengthStagedSD > 0)
                        {
                            var result = SecurityDescriptor.Parse(r.StagedSD, throw_on_error);
                            if (!result.IsSuccess)
                            {
                                return(result.Cast <CentralAccessPolicy[]>());
                            }
                            staged_sd = result.Result;
                        }
                        if (r.LengthAppliesTo > 0)
                        {
                            byte[] condition = new byte[r.LengthAppliesTo];
                            Marshal.Copy(r.AppliesTo, condition, 0, r.LengthAppliesTo);
                            var result = NtSecurity.ConditionalAceToString(condition, throw_on_error);
                            if (!result.IsSuccess)
                            {
                                return(result.Cast <CentralAccessPolicy[]>());
                            }
                            applies_to = result.Result;
                        }

                        rules.Add(new CentralAccessRule(r.Name.ToString(), r.Description.ToString(),
                                                        sd, staged_sd, applies_to, r.ChangeId.ToString(), r.Flags));
                    }
                    var capid = Sid.Parse(policy.CAPID, throw_on_error);
                    if (!capid.IsSuccess)
                    {
                        return(capid.Cast <CentralAccessPolicy[]>());
                    }
                    ret.Add(new CentralAccessPolicy(capid.Result, policy.Flags, policy.Name.ToString(),
                                                    policy.Description.ToString(), policy.ChangeId.ToString(), rules));
                }
            }
            return(ret.ToArray().CreateResult());
        }