예제 #1
0
        private static bool GetGrantedAccess(string sddl, string principal, NtToken token, bool launch, out COMAccessRights maximum_rights)
        {
            GenericMapping mapping = new GenericMapping();

            mapping.GenericExecute = (uint)(COMAccessRights.Execute | COMAccessRights.ExecuteLocal | COMAccessRights.ExecuteRemote);
            if (launch)
            {
                mapping.GenericExecute = mapping.GenericExecute | (uint)(COMAccessRights.ActivateLocal | COMAccessRights.ActivateRemote);
            }

            // If SD is only a NULL DACL we get maximum rights.
            if (sddl == "D:NO_ACCESS_CONTROL")
            {
                maximum_rights = mapping.GenericExecute.ToSpecificAccess <COMAccessRights>();
                return(true);
            }

            if (!String.IsNullOrWhiteSpace(principal))
            {
                maximum_rights = NtSecurity.GetMaximumAccess(new SecurityDescriptor(sddl), token, new Sid(principal), mapping).ToSpecificAccess <COMAccessRights>();
            }
            else
            {
                maximum_rights = NtSecurity.GetMaximumAccess(new SecurityDescriptor(sddl), token, mapping).ToSpecificAccess <COMAccessRights>();
            }

            return(maximum_rights != 0);
        }
        private void CheckAccess(TokenEntry token, NtFile file, AccessMask access_rights, SecurityDescriptor sd, SecurityDescriptor parent_sd)
        {
            NtType     type           = file.NtType;
            AccessMask granted_access = NtSecurity.GetMaximumAccess(sd, token.Token, type.GenericMapping);

            // Determine if the parent gives additonal rights to this file.
            if (!granted_access.IsAllAccessGranted(FileDirectoryAccessRights.ReadAttributes | FileDirectoryAccessRights.Delete) && parent_sd != null)
            {
                AccessMask parent_granted_access = NtSecurity.GetMaximumAccess(parent_sd, token.Token, type.GenericMapping);
                if (parent_granted_access.IsAccessGranted(FileDirectoryAccessRights.DeleteChild))
                {
                    granted_access |= FileAccessRights.Delete;
                }
                if (parent_granted_access.IsAccessGranted(FileDirectoryAccessRights.ListDirectory))
                {
                    granted_access |= FileAccessRights.ReadAttributes;
                }
            }

            if (IsAccessGranted(granted_access, access_rights))
            {
                bool is_directory = IsDirectoryNoThrow(file);
                WriteAccessCheckResult(FormatWin32Path ? file.Win32PathName : file.FullPath, type.Name, granted_access, type.GenericMapping,
                                       sd, is_directory ? typeof(FileDirectoryAccessRights) : typeof(FileAccessRights), is_directory, token.Information);
            }
        }
예제 #3
0
        internal override void RunAccessCheck(IEnumerable <TokenEntry> tokens)
        {
            if (CheckScmAccess)
            {
                SecurityDescriptor sd          = ServiceUtils.GetScmSecurityDescriptor();
                GenericMapping     scm_mapping = ServiceUtils.GetScmGenericMapping();
                foreach (TokenEntry token in tokens)
                {
                    AccessMask granted_access = NtSecurity.GetMaximumAccess(sd, token.Token, scm_mapping);
                    WriteAccessCheckResult("SCM", "SCM", granted_access, scm_mapping, sd.ToSddl(),
                                           typeof(ServiceControlManagerAccessRights), false, token.Information);
                }
            }
            else
            {
                IEnumerable <RunningService> services = GetServices();

                GenericMapping service_mapping = ServiceUtils.GetServiceGenericMapping();
                AccessMask     access_rights   = service_mapping.MapMask(AccessRights);

                foreach (var service in services.Where(s => s?.SecurityDescriptor != null))
                {
                    foreach (TokenEntry token in tokens)
                    {
                        AccessMask granted_access = NtSecurity.GetMaximumAccess(service.SecurityDescriptor,
                                                                                token.Token, service_mapping);
                        if (IsAccessGranted(granted_access, access_rights))
                        {
                            WriteObject(new ServiceAccessCheckResult(service.Name, granted_access,
                                                                     service.SecurityDescriptor.ToSddl(), token.Information, service.Triggers));
                        }
                    }
                }
            }
        }
예제 #4
0
        private protected override void RunAccessCheck(IEnumerable <TokenEntry> tokens)
        {
            NtType winsta_type = NtType.GetTypeByType <NtWindowStation>();

            AccessMask winsta_access_rights = winsta_type.GenericMapping.MapMask(AccessRights);
            bool       check_winsta         = CheckMode == WindowStationCheckMode.WindowStationOnly || CheckMode == WindowStationCheckMode.WindowStationAndDesktop;
            bool       check_desktop        = CheckMode == WindowStationCheckMode.DesktopOnly || CheckMode == WindowStationCheckMode.WindowStationAndDesktop;

            using (var winstas = NtWindowStation.GetAccessibleWindowStations().ToDisposableList())
            {
                foreach (var winsta in winstas)
                {
                    if (check_winsta && winsta.IsAccessGranted(WindowStationAccessRights.ReadControl))
                    {
                        var sd = winsta.SecurityDescriptor;
                        foreach (TokenEntry token in tokens)
                        {
                            AccessMask granted_access = NtSecurity.GetMaximumAccess(sd,
                                                                                    token.Token, winsta_type.GenericMapping);
                            if (IsAccessGranted(granted_access, winsta_access_rights))
                            {
                                WriteAccessCheckResult(winsta.FullPath, winsta_type.Name, granted_access, winsta_type.GenericMapping,
                                                       sd, winsta_type.AccessRightsType, true, token.Information);
                            }
                        }
                    }

                    if (check_desktop && winsta.IsAccessGranted(WindowStationAccessRights.EnumDesktops))
                    {
                        RunAccessCheckDesktop(tokens, winsta);
                    }
                }
            }
        }
예제 #5
0
        private void RunAccessCheckDesktop(IEnumerable <TokenEntry> tokens, NtWindowStation winsta)
        {
            NtType     desktop_type          = NtType.GetTypeByType <NtDesktop>();
            AccessMask desktop_access_rights = desktop_type.GenericMapping.MapMask(DesktopAccessRights);

            using (var desktops = winsta.GetAccessibleDesktops().ToDisposableList())
            {
                foreach (var desktop in desktops)
                {
                    if (desktop.IsAccessGranted(DesktopAccessRights.ReadControl))
                    {
                        var sd = desktop.SecurityDescriptor;
                        foreach (TokenEntry token in tokens)
                        {
                            AccessMask granted_access = NtSecurity.GetMaximumAccess(sd,
                                                                                    token.Token, desktop_type.GenericMapping);
                            if (IsAccessGranted(granted_access, desktop_access_rights))
                            {
                                WriteAccessCheckResult($"{winsta.FullPath}{desktop.FullPath}", desktop_type.Name, granted_access, desktop_type.GenericMapping,
                                                       sd, desktop_type.AccessRightsType, true, token.Information);
                            }
                        }
                    }
                }
            }
        }
예제 #6
0
        private void RunAccessCheck(IEnumerable <TokenEntry> tokens, string name, string description, Guid key, string key_name,
                                    FwObjectType fw_type, bool is_directory, Func <SecurityInformation, bool, NtResult <SecurityDescriptor> > get_sd)
        {
            try
            {
                NtType     type          = FirewallUtils.FirewallType;
                AccessMask access_rights = type.GenericMapping.MapMask(Access);

                var sd = get_sd(SecurityInformation.AllBasic, false);
                if (!sd.IsSuccess)
                {
                    WriteWarning($"Couldn't query security for firewall object '{name}'. Perhaps run as administrator.");
                    return;
                }

                foreach (TokenEntry token in tokens)
                {
                    AccessMask granted_access = NtSecurity.GetMaximumAccess(sd.Result,
                                                                            token.Token, type.GenericMapping);
                    if (IsAccessGranted(granted_access, access_rights))
                    {
                        WriteObject(new FwObjectAccessCheckResult(name, description, key,
                                                                  key_name, fw_type, granted_access, type.GenericMapping, sd.Result,
                                                                  is_directory, token.Information));
                    }
                }
            }
            catch (NtException ex)
            {
                WriteError(new ErrorRecord(ex, "Error", ErrorCategory.SecurityError, this));
            }
        }
        static uint GetGrantedAccess(SecurityDescriptor sd, NtToken token, uint specific_rights, GenericMapping generic_mapping)
        {
            uint granted_access = 0;

            specific_rights = generic_mapping.MapMask(specific_rights);

            if (specific_rights != 0)
            {
                granted_access = NtSecurity.GetAllowedAccess(sd, token, (GenericAccessRights)(specific_rights), generic_mapping);
            }
            else
            {
                granted_access = NtSecurity.GetMaximumAccess(sd, token, generic_mapping);
            }

            if (granted_access != 0)
            {
                // As we can get all the rights for the key get maximum
                if (specific_rights != 0)
                {
                    granted_access = NtSecurity.GetMaximumAccess(sd, token, generic_mapping);
                }
            }

            return(granted_access);
        }
        private protected override void RunAccessCheck(IEnumerable <TokenEntry> tokens)
        {
            if (!NtToken.EnableDebugPrivilege())
            {
                WriteWarning("Current process doesn't have SeDebugPrivilege, results may be inaccurate");
            }

            NtType     type               = NtType.GetTypeByType <NtToken>();
            AccessMask access_rights      = type.MapGenericRights(AccessRights);
            int        current_session_id = NtProcess.Current.SessionId;

            using (var procs = NtProcess.GetProcesses(ProcessAccessRights.QueryInformation | ProcessAccessRights.ReadControl, false).ToDisposableList())
            {
                IEnumerable <NtProcess> proc_enum = procs;
                if (CurrentSession)
                {
                    proc_enum = proc_enum.Where(p => CheckSession(p, current_session_id));
                }
                foreach (var proc in proc_enum.Where(p => ShowDeadProcesses || !p.IsDeleting))
                {
                    using (var result = NtToken.OpenProcessToken(proc, TokenAccessRights.ReadControl | TokenAccessRights.Query, false))
                    {
                        if (!result.IsSuccess)
                        {
                            WriteWarning($"Couldn't open token for Process {proc.Name} PID: {proc.ProcessId} Status: {result.Status}");
                            continue;
                        }

                        NtToken primary_token = result.Result;
                        var     sd_result     = primary_token.GetSecurityDescriptor(SecurityInformation.AllBasic, false);
                        if (!sd_result.IsSuccess)
                        {
                            WriteWarning($"Couldn't get token's Security Descriptor for Process {proc.Name} PID: {proc.ProcessId} Status: {sd_result.Status}");
                            continue;
                        }

                        var    sd              = sd_result.Result;
                        string process_name    = proc.Name;
                        string process_cmdline = proc.CommandLine;
                        string image_path      = proc.FullPath;
                        int    process_id      = proc.ProcessId;

                        foreach (var token in tokens)
                        {
                            if (proc.GetMaximumAccess(token.Token).HasFlag(ProcessAccessRights.QueryLimitedInformation))
                            {
                                AccessMask granted_access = NtSecurity.GetMaximumAccess(sd, token.Token, type.GenericMapping);
                                if (IsAccessGranted(granted_access, access_rights))
                                {
                                    WriteObject(new TokenAccessCheckResult(primary_token, proc,
                                                                           granted_access, sd, token.Information));
                                }
                            }
                        }
                    }
                }
            }
        }
        private void CheckAccess(TokenEntry token, ProcessDetails process, ThreadDetails thread, NtType type, AccessMask access_rights, SecurityDescriptor sd)
        {
            AccessMask granted_access = NtSecurity.GetMaximumAccess(sd, token.Token, type.GenericMapping);

            if (IsAccessGranted(granted_access, access_rights))
            {
                WriteAccessCheckResult(process, thread, granted_access, type.GenericMapping, sd.ToSddl(), token.Information);
            }
        }
        private void CheckAccess(TokenEntry token, NtObject obj, NtType type, bool is_directory, AccessMask access_rights, SecurityDescriptor sd)
        {
            AccessMask granted_access = NtSecurity.GetMaximumAccess(sd, token.Token, type.GenericMapping);

            if (IsAccessGranted(granted_access, access_rights))
            {
                WriteAccessCheckResult(ConvertPath(obj), type.Name, granted_access, type.GenericMapping,
                                       sd.ToSddl(), type.AccessRightsType, is_directory, token.Information);
            }
        }
예제 #11
0
        private void CheckAccess(TokenEntry token, NtKey key, AccessMask access_rights, SecurityDescriptor sd)
        {
            NtType     type           = key.NtType;
            AccessMask granted_access = NtSecurity.GetMaximumAccess(sd, token.Token, type.GenericMapping);

            if (IsAccessGranted(granted_access, access_rights))
            {
                WriteAccessCheckResult(FormatWin32Path ? key.Win32Path : key.FullPath, type.Name, granted_access, type.GenericMapping,
                                       sd, typeof(KeyAccessRights), true, token.Information);
            }
        }
        private void CheckAccess(TokenEntry token, NtFile file, AccessMask access_rights, SecurityDescriptor sd)
        {
            NtType     type           = file.NtType;
            AccessMask granted_access = NtSecurity.GetMaximumAccess(sd, token.Token, type.GenericMapping);

            if (IsAccessGranted(granted_access, access_rights))
            {
                WriteAccessCheckResult(FormatWin32Path ? file.Win32PathName : file.FullPath, type.Name, granted_access, type.GenericMapping,
                                       sd.ToSddl(), IsDirectoryNoThrow(file) ? typeof(FileDirectoryAccessRights) : typeof(FileAccessRights), token.Information);
            }
        }
        internal override void RunAccessCheck(IEnumerable <TokenEntry> tokens)
        {
            foreach (var entry in GetTaskSchedulerEntries())
            {
                string path = entry.Path;
                string sddl = entry.SecurityDescriptor;

                if (string.IsNullOrWhiteSpace(sddl) || string.IsNullOrWhiteSpace(path))
                {
                    continue;
                }

                AccessMask requested_access;
                if (entry.Folder)
                {
                    requested_access = Writable ? FileDirectoryAccessRights.AddSubDirectory : DirectoryAccessRights;
                }
                else
                {
                    requested_access = Executable ? FileAccessRights.ReadData | FileAccessRights.Execute : 0;
                    if (Writable)
                    {
                        requested_access |= FileAccessRights.WriteData;
                    }

                    if (requested_access.IsEmpty)
                    {
                        requested_access = AccessRights;
                    }
                }

                AccessMask access_rights = _file_type.GenericMapping.MapMask(requested_access);
                foreach (TokenEntry token in tokens)
                {
                    SecurityDescriptor sd = new SecurityDescriptor(sddl);
                    if (sd.Owner == null)
                    {
                        sd.Owner = new SecurityDescriptorSid(KnownSids.BuiltinAdministrators, false);
                    }
                    if (sd.Group == null)
                    {
                        sd.Group = new SecurityDescriptorSid(KnownSids.BuiltinAdministrators, false);
                    }

                    AccessMask granted_access = NtSecurity.GetMaximumAccess(sd,
                                                                            token.Token, _file_type.GenericMapping);
                    if (IsAccessGranted(granted_access, access_rights))
                    {
                        WriteObject(entry.CreateResult(granted_access, token.Information));
                    }
                }
            }
        }
        static void CheckAccess(string full_path, NtFile entry)
        {
            try
            {
                if (!entry.IsAccessGranted(FileAccessRights.ReadControl))
                {
                    return;
                }

                SecurityDescriptor sd = entry.SecurityDescriptor;
                bool       is_dir     = entry.IsDirectory;
                AccessMask granted_access;

                if (is_dir && _dir_filter != 0)
                {
                    granted_access = NtSecurity.GetAllowedAccess(_token, _type,
                                                                 _dir_filter, sd.ToByteArray());
                }
                else if (!is_dir && _file_filter != 0)
                {
                    granted_access = NtSecurity.GetAllowedAccess(_token, _type,
                                                                 _file_filter, sd.ToByteArray());
                }
                else
                {
                    granted_access = NtSecurity.GetMaximumAccess(_token, _type, sd.ToByteArray());
                }

                if (granted_access.HasAccess)
                {
                    // Now reget maximum access rights
                    if (_dir_filter != 0 || _file_filter != 0)
                    {
                        granted_access = NtSecurity.GetMaximumAccess(_token, _type, sd.ToByteArray());
                    }

                    if (!_show_write_only || _type.HasWritePermission(granted_access))
                    {
                        Console.WriteLine("{0}{1} : {2:X08} {3}", full_path.TrimEnd('\\'),
                                          is_dir ? "\\" : "", granted_access, AccessMaskToString(granted_access, is_dir));
                        if (_print_sddl)
                        {
                            Console.WriteLine("{0}", sd.ToSddl());
                        }
                    }
                }
            }
            catch (NtException)
            {
            }
        }
예제 #15
0
        static void CheckAccess(string path, byte[] sd, NtType type)
        {
            try
            {
                if (_type_filter.Count > 0)
                {
                    if (!_type_filter.Contains(type.Name.ToLower()))
                    {
                        return;
                    }
                }

                if (sd.Length > 0)
                {
                    uint granted_access = 0;

                    if (_dir_rights != 0)
                    {
                        granted_access = NtSecurity.GetAllowedAccess(_token, type, (uint)_dir_rights, sd);
                    }
                    else
                    {
                        granted_access = NtSecurity.GetMaximumAccess(_token, type, sd);
                    }

                    if (granted_access != 0)
                    {
                        // As we can get all the rights for the directory get maximum
                        if (_dir_rights != 0)
                        {
                            granted_access = NtSecurity.GetMaximumAccess(_token, type, sd);
                        }

                        if (!_show_write_only || type.HasWritePermission(granted_access))
                        {
                            Console.WriteLine("<{0}> {1} : {2:X08} {3}", type.Name, path, granted_access, AccessMaskToString(type, granted_access));
                            if (_print_sddl)
                            {
                                Console.WriteLine("{0}", NtSecurity.SecurityDescriptorToSddl(sd, SecurityInformation.AllBasic));
                            }
                        }
                    }
                }
            }
            catch (Exception)
            {
            }
        }
        internal override void RunAccessCheck(IEnumerable <TokenEntry> tokens)
        {
            if (CheckScmAccess)
            {
                SecurityDescriptor sd          = ServiceUtils.GetScmSecurityDescriptor();
                GenericMapping     scm_mapping = ServiceUtils.GetScmGenericMapping();
                foreach (TokenEntry token in tokens)
                {
                    AccessMask granted_access = NtSecurity.GetMaximumAccess(sd, token.Token, scm_mapping);
                    WriteAccessCheckResult("SCM", "SCM", granted_access, scm_mapping, sd.ToSddl(),
                                           typeof(ServiceControlManagerAccessRights), false, token.Information);
                }
            }
            else
            {
                string[] names = Name;
                if (names == null || names.Length == 0)
                {
                    names = ServiceController.GetServices().Select(s => s.ServiceName).ToArray();
                }

                GenericMapping service_mapping = ServiceUtils.GetServiceGenericMapping();
                AccessMask     access_rights   = service_mapping.MapMask(AccessRights);

                foreach (string name in names)
                {
                    try
                    {
                        var service = ServiceUtils.GetServiceInformation(name);
                        foreach (TokenEntry token in tokens)
                        {
                            AccessMask granted_access = NtSecurity.GetMaximumAccess(service.SecurityDescriptor,
                                                                                    token.Token, service_mapping);
                            if (IsAccessGranted(granted_access, access_rights))
                            {
                                WriteObject(new ServiceAccessCheckResult(name, granted_access,
                                                                         service.SecurityDescriptor.ToSddl(), token.Information, service.Triggers));
                            }
                        }
                    }
                    catch (Win32Exception ex)
                    {
                        WriteError(new ErrorRecord(ex, "OpenService", ErrorCategory.OpenError, name));
                    }
                }
            }
        }
예제 #17
0
        static void CheckAccess(FileSystemInfo entry)
        {
            try
            {
                SecurityDescriptor sd = NtSecurity.FromNamedObject(@"\??\" + entry.FullName, "file");
                if (sd != null)
                {
                    bool is_dir = entry is DirectoryInfo;
                    uint granted_access;

                    if (is_dir && _dir_filter != 0)
                    {
                        granted_access = NtSecurity.GetAllowedAccess(_token, _type, _dir_filter, sd.ToByteArray());
                    }
                    else if (!is_dir && _file_filter != 0)
                    {
                        granted_access = NtSecurity.GetAllowedAccess(_token, _type, _file_filter, sd.ToByteArray());
                    }
                    else
                    {
                        granted_access = NtSecurity.GetMaximumAccess(_token, _type, sd.ToByteArray());
                    }

                    if (granted_access != 0)
                    {
                        // Now reget maximum access rights
                        if (_dir_filter != 0 || _file_filter != 0)
                        {
                            granted_access = NtSecurity.GetMaximumAccess(_token, _type, sd.ToByteArray());
                        }

                        if (!_show_write_only || _type.HasWritePermission(granted_access))
                        {
                            Console.WriteLine("{0}{1} : {2:X08} {3}", entry.FullName, is_dir ? "\\" : "", granted_access, AccessMaskToString(granted_access, is_dir));
                            if (_print_sddl)
                            {
                                Console.WriteLine("{0}", sd.ToSddl());
                            }
                        }
                    }
                }
            }
            catch (Exception)
            {
            }
        }
        static void CheckAccess(string full_path, NtFile entry)
        {
            try
            {
                SecurityDescriptor sd = entry.GetSecurityDescriptor(SecurityInformation.AllBasic);
                if (sd != null)
                {
                    bool is_dir = entry.IsDirectory;
                    uint granted_access;

                    if (is_dir && _dir_filter != 0)
                    {
                        granted_access = NtSecurity.GetAllowedAccess(_token, _type, _dir_filter, sd.ToByteArray());
                    }
                    else if (!is_dir && _file_filter != 0)
                    {
                        granted_access = NtSecurity.GetAllowedAccess(_token, _type, _file_filter, sd.ToByteArray());
                    }
                    else
                    {
                        granted_access = NtSecurity.GetMaximumAccess(_token, _type, sd.ToByteArray());
                    }

                    if (granted_access != 0)
                    {
                        // Now reget maximum access rights
                        if (_dir_filter != 0 || _file_filter != 0)
                        {
                            granted_access = NtSecurity.GetMaximumAccess(_token, _type, sd.ToByteArray());
                        }

                        if (!_show_write_only || _type.HasWritePermission(granted_access))
                        {
                            Console.WriteLine("{0}{1} : {2:X08} {3}", full_path.TrimEnd('\\'),
                                              is_dir ? "\\" : "", granted_access, AccessMaskToString(granted_access, is_dir));
                            if (_print_sddl)
                            {
                                Console.WriteLine("{0}", sd.ToSddl());
                            }
                        }
                    }
                }
            }
            catch { }
        }
        private void CheckAccess(TokenEntry token, AccessMask access_rights, string path, NtFile file)
        {
            var sd = file.GetSecurityDescriptor(SecurityInformation.AllBasic, false);

            if (!sd.IsSuccess)
            {
                return;
            }

            AccessMask granted_access = NtSecurity.GetMaximumAccess(sd.Result,
                                                                    token.Token, _file_type.GenericMapping);

            if (IsAccessGranted(granted_access, access_rights))
            {
                WriteAccessCheckResult(FormatPath(path, FormatWin32Path), "NamedPipe",
                                       granted_access, _file_type.GenericMapping,
                                       sd.Result, typeof(FileAccessRights), false, token.Information);
            }
        }
예제 #20
0
        static void CheckAccess(NtToken token, NtKey key)
        {
            NtType type = key.NtType;

            if (!key.IsAccessGranted(KeyAccessRights.ReadControl))
            {
                return;
            }

            SecurityDescriptor sd = key.SecurityDescriptor;
            AccessMask         granted_access;

            if (_key_rights != 0)
            {
                granted_access = NtSecurity.GetAllowedAccess(token, type,
                                                             _key_rights, sd.ToByteArray());
            }
            else
            {
                granted_access = NtSecurity.GetMaximumAccess(token, type, sd.ToByteArray());
            }

            if (!granted_access.IsEmpty)
            {
                // As we can get all the rights for the key get maximum
                if (_key_rights != 0)
                {
                    granted_access = NtSecurity.GetMaximumAccess(token, type, sd.ToByteArray());
                }

                if (!_show_write_only || type.HasWritePermission(granted_access))
                {
                    Console.WriteLine("{0} : {1:X08} {2}", key.FullPath, granted_access, AccessMaskToString(granted_access, type));
                    if (_print_sddl)
                    {
                        Console.WriteLine("{0}", sd.ToSddl());
                    }
                }
            }
        }
        private protected override void RunAccessCheck(IEnumerable <TokenEntry> tokens)
        {
            NtType     type          = NtType.GetTypeByType <NtEtwRegistration>();
            AccessMask access_rights = type.GenericMapping.MapMask(Access);
            var        providers     = EventTracing.GetProviders();

            if (ProviderId != null && ProviderId.Length > 0)
            {
                HashSet <Guid> guids = new HashSet <Guid>(ProviderId);
                providers = providers.Where(p => guids.Contains(p.Id));
            }
            else if (Name != null && Name.Length > 0)
            {
                var names = new HashSet <string>(Name, StringComparer.OrdinalIgnoreCase);
                providers = providers.Where(p => names.Contains(p.Name));
            }

            foreach (var provider in providers)
            {
                var sd = provider.SecurityDescriptor;
                if (sd == null)
                {
                    WriteWarning($"Couldn't query security for ETW Provider {provider.Name}. Perhaps run as administrator.");
                    continue;
                }

                foreach (TokenEntry token in tokens)
                {
                    AccessMask granted_access = NtSecurity.GetMaximumAccess(sd,
                                                                            token.Token, type.GenericMapping);
                    if (IsAccessGranted(granted_access, access_rights))
                    {
                        WriteObject(new EventTraceAccessCheckResult(provider, type,
                                                                    granted_access, sd, token.Information));
                    }
                }
            }
        }
예제 #22
0
        static AccessMask GetGrantedAccess(SecurityDescriptor sd, NtToken token,
                                           AccessMask specific_rights, GenericMapping generic_mapping)
        {
            AccessMask granted_access;

            specific_rights = generic_mapping.MapMask(specific_rights);

            if (specific_rights.HasAccess)
            {
                granted_access = NtSecurity.GetAllowedAccess(sd, token, specific_rights, generic_mapping);
                // As we can get all the rights for the key get maximum
                if (granted_access.HasAccess)
                {
                    granted_access = NtSecurity.GetMaximumAccess(sd, token, generic_mapping);
                }
            }
            else
            {
                granted_access = NtSecurity.GetMaximumAccess(sd, token, generic_mapping);
            }

            return(granted_access);
        }
        private protected override void RunAccessCheck(IEnumerable <TokenEntry> tokens)
        {
            GenericMapping generic_mapping = NtWnf.GenericMapping;
            AccessMask     access_rights   = generic_mapping.MapMask(Access);
            var            entries         = NtWnf.GetRegisteredNotifications();

            foreach (var entry in entries)
            {
                var sd = entry.SecurityDescriptor;
                if (sd == null)
                {
                    WriteWarning($"Couldn't query security for WNF Provider {entry.StateName:X016}.");
                    continue;
                }

                if (sd.Owner == null)
                {
                    sd.Owner = new SecurityDescriptorSid(new Sid("SY"), false);
                }

                if (sd.Group == null)
                {
                    sd.Group = new SecurityDescriptorSid(new Sid("SY"), false);
                }

                foreach (TokenEntry token in tokens)
                {
                    AccessMask granted_access = NtSecurity.GetMaximumAccess(sd,
                                                                            token.Token, generic_mapping);
                    if (IsAccessGranted(granted_access, access_rights))
                    {
                        WriteObject(new WnfAccessCheckResult(entry, granted_access, sd, token.Information));
                    }
                }
            }
        }
        private protected override void RunAccessCheck(IEnumerable <TokenEntry> tokens)
        {
            if (CheckScmAccess)
            {
                SecurityDescriptor sd          = ServiceUtils.GetScmSecurityDescriptor();
                GenericMapping     scm_mapping = ServiceUtils.GetScmGenericMapping();
                foreach (TokenEntry token in tokens)
                {
                    AccessMask granted_access = NtSecurity.GetMaximumAccess(sd, token.Token, scm_mapping);
                    WriteAccessCheckResult("SCM", "SCM", granted_access, scm_mapping, sd,
                                           typeof(ServiceControlManagerAccessRights), false, token.Information);
                }
            }
            else
            {
                IEnumerable <Win32Service>      services    = GetServices();
                InternalGetAccessibleFileCmdlet file_cmdlet = null;
                HashSet <string> checked_files = new HashSet <string>(StringComparer.OrdinalIgnoreCase);
                if (CheckFiles)
                {
                    file_cmdlet = new InternalGetAccessibleFileCmdlet(this)
                    {
                        FormatWin32Path = true
                    };
                }

                GenericMapping service_mapping = ServiceUtils.GetServiceGenericMapping();
                AccessMask     access_rights   = service_mapping.MapMask(Access);

                foreach (var service in services.Where(s => s?.SecurityDescriptor != null))
                {
                    foreach (TokenEntry token in tokens)
                    {
                        AccessMask granted_access = NtSecurity.GetMaximumAccess(service.SecurityDescriptor,
                                                                                token.Token, service_mapping);
                        ServiceAccessRights trigger_access = GetTriggerAccess(service, token.Token);
                        if (IsAccessGranted(granted_access, access_rights))
                        {
                            WriteObject(new ServiceAccessCheckResult(service.Name, granted_access | trigger_access,
                                                                     service.SecurityDescriptor, token.Information, trigger_access,
                                                                     granted_access.ToSpecificAccess <ServiceAccessRights>(), service));
                        }
                    }
                    if (CheckFiles)
                    {
                        if (!string.IsNullOrWhiteSpace(service.ImagePath) &&
                            File.Exists(service.ImagePath) &&
                            checked_files.Add(service.ImagePath))
                        {
                            file_cmdlet.RunAccessCheckPathInternal(tokens, service.ImagePath);
                        }

                        if (!string.IsNullOrWhiteSpace(service.ServiceDll) &&
                            File.Exists(service.ServiceDll) &&
                            checked_files.Add(service.ServiceDll))
                        {
                            file_cmdlet.RunAccessCheckPathInternal(tokens, service.ServiceDll);
                        }
                    }
                }
            }
        }
        private protected override void RunAccessCheck(IEnumerable <TokenEntry> tokens)
        {
            var devices = new Dictionary <string, SecurityDescriptorEntry>(StringComparer.OrdinalIgnoreCase);

            foreach (string path in Path)
            {
                using (var result = OpenDirectory(path, null))
                {
                    if (result.IsSuccess)
                    {
                        FindDevicesInDirectory(result.Result, devices, MaxDepth ?? int.MaxValue);
                    }
                    else
                    {
                        // If failed, it might be an absolute path so just add it.
                        if (!devices.ContainsKey(path))
                        {
                            devices.Add(path, GetSecurityDescriptor(path));
                        }
                    }
                }
            }

            if (devices.Count > 0)
            {
                AccessMask    access_rights   = _file_type.MapGenericRights(Access);
                EaBuffer      ea_buffer       = CheckEaBuffer ? (EaBuffer ?? CreateDummyEaBuffer()) : null;
                List <string> namespace_paths = new List <string>(NamespacePath ?? new[] { "XYZ" });

                foreach (var entry in tokens)
                {
                    foreach (var pair in devices)
                    {
                        if (CheckDevice())
                        {
                            if (pair.Value != null)
                            {
                                AccessMask granted_access = NtSecurity.GetMaximumAccess(pair.Value.SecurityDescriptor, entry.Token, _file_type.GenericMapping);
                                if (IsAccessGranted(granted_access, access_rights))
                                {
                                    WriteObject(new DeviceAccessCheckResult(pair.Key, false, pair.Value.DeviceType,
                                                                            pair.Value.Characteristics, granted_access,
                                                                            pair.Value.SecurityDescriptor, entry.Information));
                                }
                            }
                            else
                            {
                                if (!NoImpersonation)
                                {
                                    CheckAccessUnderImpersonation(entry, pair.Key, false, access_rights, OpenOptions, ea_buffer);
                                }
                            }
                        }

                        if (CheckNamespace() && !NoImpersonation)
                        {
                            foreach (string namespace_path in namespace_paths)
                            {
                                CheckAccessUnderImpersonation(entry, pair.Key + @"\" + namespace_path,
                                                              true, access_rights, OpenOptions, ea_buffer);
                            }
                        }
                    }
                }
            }
            else
            {
                WriteWarning("Couldn't find any devices to check");
            }
        }