/// <summary>
/// Builds trigger information for a WNF-based service trigger and, when the
/// trigger carries a well-formed state name, resolves it to an <c>NtWnf</c> entry.
/// </summary>
/// <param name="trigger">The native service trigger structure, forwarded to the base constructor.</param>
internal WnfServiceTriggerInformation(SERVICE_TRIGGER trigger)
    : base(trigger)
{
    // Only the first custom data item is inspected; any further items are ignored here.
    var state_name_bytes = CustomData.FirstOrDefault()?.RawData;

    // The custom data originates from the service's trigger configuration, so it is
    // length-checked before decoding: a WNF state name is read as exactly 8 bytes, and
    // BitConverter.ToUInt64 would throw on a shorter buffer. Anything else leaves Name unset.
    if (state_name_bytes?.Length != 8)
    {
        return;
    }

    ulong state_name = BitConverter.ToUInt64(state_name_bytes, 0);

    // NOTE(review): the trailing 'false' presumably suppresses throwing on failure, with
    // GetResultOrDefault() then yielding a default (null) Name. Confirm against NtWnf.Open.
    Name = NtWnf.Open(state_name, true, false).GetResultOrDefault();
}
/// <summary>
/// Creates an access check result for a single WNF state name and token.
/// </summary>
/// <param name="wnf">The WNF entry that was checked; its name, state name, lifetime and subscriber flag are copied.</param>
/// <param name="granted_access">The access mask that was granted to the token.</param>
/// <param name="sd">The security descriptor the check was evaluated against.</param>
/// <param name="token_info">Information describing the token used for the check.</param>
internal WnfAccessCheckResult(
    NtWnf wnf,
    AccessMask granted_access,
    SecurityDescriptor sd,
    TokenInformation token_info)
    : base(
        wnf.Name,
        "Wnf",
        granted_access,
        NtWnf.GenericMapping,
        sd,
        typeof(WnfAccessRights),
        false, // NOTE(review): meaning of this base-constructor flag is not visible here
        token_info)
{
    // Snapshot the WNF-specific details at the time the result is created.
    StateName = wnf.StateName;
    Lifetime = wnf.Lifetime;
    SubscribersPresent = wnf.SubscribersPresent;
}
/// <summary>
/// Evaluates the maximum access each supplied token would receive on every
/// registered WNF notification and writes a <c>WnfAccessCheckResult</c> for each
/// (state name, token) pair that passes <c>IsAccessGranted</c>.
/// </summary>
/// <param name="tokens">Tokens to evaluate; the sequence is enumerated once per WNF entry.</param>
private protected override void RunAccessCheck(IEnumerable<TokenEntry> tokens)
{
    GenericMapping mapping = NtWnf.GenericMapping;

    // Map the requested mask through the WNF generic mapping before comparing it.
    AccessMask desired_access = mapping.MapMask(Access);

    foreach (var wnf in NtWnf.GetRegisteredNotifications())
    {
        var descriptor = wnf.SecurityDescriptor;
        if (descriptor == null)
        {
            // Without a descriptor nothing can be concluded either way: the entry is
            // skipped with a warning rather than reported as accessible or inaccessible.
            WriteWarning($"Couldn't query security for WNF Provider {wnf.StateName:X016}.");
            continue;
        }

        // Missing owner/group are substituted with "SY" (the SDDL alias for Local System),
        // presumably because the access check needs both to be present.
        // NOTE(review): the descriptor is modified in place, so the one attached to each
        // result carries the substituted owner/group, not the descriptor exactly as queried.
        if (descriptor.Owner == null)
        {
            descriptor.Owner = new SecurityDescriptorSid(new Sid("SY"), false);
        }

        if (descriptor.Group == null)
        {
            descriptor.Group = new SecurityDescriptorSid(new Sid("SY"), false);
        }

        foreach (TokenEntry candidate in tokens)
        {
            AccessMask max_access = NtSecurity.GetMaximumAccess(descriptor, candidate.Token, mapping);
            if (!IsAccessGranted(max_access, desired_access))
            {
                continue;
            }

            WriteObject(new WnfAccessCheckResult(wnf, max_access, descriptor, candidate.Information));
        }
    }
}